• 【BurpSuite】插件开发学习之J2EEScan(上)-被动扫描


    【BurpSuite】插件开发学习之J2EEScan(上)-被动扫描

    前言

    插件开发学习第5套。前置文章:

    【BurpSuite】插件开发学习之Log4shell
    【BurpSuite】插件开发学习之Software Vulnerability Scanner
    【BurpSuite】插件开发学习之dotnet-Beautifier
    【BurpSuite】插件开发学习之active-scan-plus-plus

    J2EEScan

    https://github.com/PortSwigger/j2ee-scan.git
    逻辑代码在

    |____src
    | |____main
    | | |____java
    | | | |____burp
    | | | | |____HTTPMatcher.java
    | | | | |____J2EELFIRetriever.java
    | | | | |____SoftwareVersions.java
    | | | | |____WeakPasswordBruteforcer.java
    | | | | |____j2ee
    | | | | | |____PassiveScanner.java
    | | | | | |____Confidence.java
    | | | | | |____annotation
    | | | | | | |____RunOnlyOnce.java
    | | | | | | |____RunOnlyOnceForApplicationContext.java
    | | | | | |____Risk.java
    | | | | | |____passive
    | | | | | | |____SessionFixation.java
    | | | | | | |____ApacheStrutsS2023Rule.java
    | | | | | | |____JettyRule.java
    | | | | | | |____HttpServerHeaderRule.java
    | | | | | | |____SqlQueryRule.java
    | | | | | | |____PassiveRule.java
    | | | | | | |____strutstoken
    | | | | | | | |____StrutsTokenCracker.java
    | | | | | | | |____ReplayRandom.java
    | | | | | | |____ApacheTomcatRule.java
    | | | | | | |____SessionIDInURL.java
    | | | | | | |____JSPostMessage.java
    | | | | | | |____ExceptionRule.java
    | | | | | |____IssuesHandler.java
    | | | | | |____lib
    | | | | | | |____TesterAjpMessage.java
    | | | | | | |____SimpleAjpClient.java
    | | | | | |____issues
    | | | | | | |____impl
    | | | | | | | |____OracleEBSSSRF.java
    | | | | | | | |____OracleEBSSSRFLCMServiceController.java
    | | | | | | | |____ApacheStrutsS2032.java
    | | | | | | | |____NodeJSRedirect.java
    | | | | | | | |____ApacheRollerOGNLInjection.java
    | | | | | | | |____ApacheStrutsDebugMode.java
    | | | | | | | |____ApacheAxis.java
    | | | | | | | |____HTTPWeakPassword.java
    | | | | | | | |____HTTPProxy.java
    | | | | | | | |____PrimeFacesELInjection.java
    | | | | | | | |____WeblogicUDDIExplorer.java
    | | | | | | | |____ApacheStrutsS2052.java
    | | | | | | | |____JBossWebConsole.java
    | | | | | | | |____EL3Injection.java
    | | | | | | | |____XXEParameterModule.java
    | | | | | | | |____UndertowTraversal.java
    | | | | | | | |____LFIModule.java
    | | | | | | | |____ApacheStrutsS2043.java
    | | | | | | | |____FastJsonRCE.java
    | | | | | | | |____OracleReportService.java
    | | | | | | | |____SnoopResource.java
    | | | | | | | |____JBossJMXReadOnly.java
    | | | | | | | |____WebInfInformationDisclosure.java
    | | | | | | | |____XInclude.java
    | | | | | | | |____JavaServerFacesTraversal.java
    | | | | | | | |____Seam2RCE.java
    | | | | | | | |____WeblogicConsole.java
    | | | | | | | |____RESTAPISwagger.java
    | | | | | | | |____JettyRemoteLeakage.java
    | | | | | | | |____JBossJMXInvoker.java
    | | | | | | | |____OASConfigFilesDisclosure.java
    | | | | | | | |____JacksonDataBindCVE20177525.java
    | | | | | | | |____XXEModule.java
    | | | | | | | |____WeblogicCVE20192725.java
    | | | | | | | |____WeblogicWebServiceTestPageCVE20182894.java
    | | | | | | | |____JKStatus.java
    | | | | | | | |____WeblogicCVE201710271.java
    | | | | | | | |____LFIAbsoluteModule.java
    | | | | | | | |____ApacheStrutsS2016.java
    | | | | | | | |____ApacheStrutsShowcase.java
    | | | | | | | |____ApacheStrutsWebConsole.java
    | | | | | | | |____ApacheStrutsS2020.java
    | | | | | | | |____StatusServlet.java
    | | | | | | | |____UTF8ResponseSplitting.java
    | | | | | | | |____TomcatHostManager.java
    | | | | | | | |____SpringBootRestRCE.java
    | | | | | | | |____PivotalSpringTraversalCVE20143625.java
    | | | | | | | |____Htaccess.java
    | | | | | | | |____JBossjBPMAdminConsole.java
    | | | | | | | |____ELInjection.java
    | | | | | | | |____NodeJSPathTraversal.java
    | | | | | | | |____ApacheStrutsS2017.java
    | | | | | | | |____ApacheSolrXXE.java
    | | | | | | | |____OASSqlnetLogDisclosure.java
    | | | | | | | |____NodeJSResponseSplitting.java
    | | | | | | | |____URINormalizationTomcat.java
    | | | | | | | |____JBossWS.java
    | | | | | | | |____SpringCloudConfigPathTraversal.java
    | | | | | | | |____InfrastructurePathTraversal.java
    | | | | | | | |____AJPDetector.java
    | | | | | | | |____JBossAdminConsole.java
    | | | | | | | |____SSRFScanner.java
    | | | | | | | |____SpringDataCommonRCE.java
    | | | | | | | |____JavascriptSSRF.java
    | | | | | | | |____ApacheWicketArbitraryResourceAccess.java
    | | | | | | | |____SpringBootActuator.java
    | | | | | | | |____IDocInjection.java
    | | | | | | | |____TomcatManager.java
    | | | | | | | |____NextFrameworkPathTraversal.java
    | | | | | | | |____OracleCGIPrintEnv.java
    | | | | | | | |____JBossJuddi.java
    | | | | | | | |____AJP_Tomcat_GhostCat.java
    | | | | | | | |____SpringWebFlowDataBindExpressionCVE20174971.java
    | | | | | | |____IModule.java
    | | | | | |____CustomScanIssue.java
    | | | | |____J2EELocalAssessment.java
    | | | | |____WeakPassword.java
    | | | | |____HTTPParser.java
    | | | | |____CustomHttpRequestResponse.java
    | | | | |____BurpExtender.java
    

    这个代码是基于java写的

    BurpExtender

    老样子,继承BurpExtender

    class BurpExtender(IBurpExtender):
    
    

    基本信息也和java差不多

    public void registerExtenderCallbacks(final IBurpExtenderCallbacks callbacks) {
            // keep a reference to our callbacks object
            this.callbacks = callbacks;
            this.callbacks.registerExtensionStateListener(this);
            // obtain an extension helpers object
            helpers = callbacks.getHelpers();
            // obtain our output stream
            stdout = new PrintWriter(callbacks.getStdout(), true);
            stderr = new PrintWriter(callbacks.getStderr(), true);
    
            // set our extension name
            callbacks.setExtensionName("J2EE Advanced Tests");
    

    然后创建了一个临时数据库文件并连接了

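    // Temporary on-disk state file; the executed_plugins table it holds records which
    // plugin already ran against which host/port, so repeated infrastructure checks
    // can be skipped. Files.createTempFile is used instead of File.createTempFile:
    // with no attributes given it creates the file with owner-only permissions on
    // POSIX, so the scan-target history is not left world-readable in a shared /tmp.
    // toFile() keeps the existing File-typed field (getAbsolutePath is used below).
    j2eeDBState = java.nio.file.Files.createTempFile("burpsuite-j2eescan-state", ".db").toFile();
    stdout.println("Using temporary db state file: " + j2eeDBState.getAbsolutePath());
    stdout.println("This internal state is used to avoid duplicate infrastructure security "
            + "checks on the same host, improving the scan performance");

    connectToDatabase(j2eeDBState.getAbsolutePath());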
    

    初始化数据库表executed_plugins

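    // Column list reused in the UNIQUE constraint below.
    String fields = "plugin, host, port";

    // The Statement is closed by try-with-resources; the original never closed it,
    // leaking a JDBC handle every time the table was (re)initialised.
    // NOTE(review): `plugin` alone is the PRIMARY KEY, so one row per plugin name can
    // exist in total, while UNIQUE(plugin, host, port) suggests per-host tracking.
    // Confirm against the insert path whether a second host for the same plugin is
    // meant to be recorded; the schema is left unchanged here.
    try (java.sql.Statement stmt = conn.createStatement()) {
        stmt.executeUpdate("CREATE TABLE IF NOT EXISTS executed_plugins ("
                + " plugin TEXT PRIMARY KEY,"
                + " host TEXT,"
                + " port INTEGER,"
                + " UNIQUE(" + fields + "))");
    }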
    

    doPassiveScan

    重写了被动扫描,在PassiveScanner这个类里。

    // Entry point of the overridden doPassiveScan: hands the recorded request/response
    // to PassiveScanner, which runs its PASSIVE_RULES against it.
    PassiveScanner.scanVulnerabilities(baseRequestResponse, callbacks);
    

    遍历如下规则进行扫描

    // Passive rules applied to each scanned request/response; scanVulnerabilities
    // walks this array in order. Every entry implements PassiveRule.
    // NOTE(review): the array is package-visible and mutable — presumably only read
    // by PassiveScanner; confirm nothing reassigns entries at runtime.
    static PassiveRule[] PASSIVE_RULES = {
                new ApacheTomcatRule(),
                new ExceptionRule(),
                new HttpServerHeaderRule(),
                new SqlQueryRule(),
                new ApacheStrutsS2023Rule(),
                new JettyRule(),
                new SessionIDInURL(),
                new JSPostMessage(),
                new SessionFixation()
        };
    

    一个一个看,

    ApacheTomcatRule
    【1】tomcat版本发现

    Risk.Low

    Pattern.compile("Apache Tomcat/([\\d\\.]+)"
    
    【2】tomcat远程jvm虚拟机

    Risk.Information

    Pattern.compile("\">(1\\.\\d\\.[\\w\\-\\_\\.]+)<"
    
    ExceptionRule
    【3】Apache Struts 测试页面

    判断struts是否处于dev(开发)模式
    Risk.Low

    "Struts Problem Report".getBytes();
    
    【4】Apache Tapestry 异常错误展示

    Risk.Low

                byte[] tapestryException = "

    An unexpected application exception has occurred.

    "
    .getBytes();
    【5】Grails 异常错误展示

    Risk.Low

                byte[] grailsException = "

    Grails Runtime Exception

    "
    .getBytes();
    【6】GWT 异常错误展示

    Risk.Low

                byte[] gwtException = "com.google.gwt.http.client.RequestException".getBytes();
    
    【7】java 常见的应用异常错误展示

    Risk.Low

    List<byte[]> javaxServletExceptions = Arrays.asList(
                        "javax.servlet.ServletException".getBytes(),
                        "οnclick=\"toggle('full exception chain stacktrace".getBytes(),
                        "at org.apache.catalina".getBytes(),
                        "at org.apache.coyote.".getBytes(),
                        "at org.jboss.seam.".getBytes(),
                        "at org.apache.tomcat.".getBytes(),
                        "JSP Processing Error".getBytes(),  // WAS
                        "The full stack trace of the root cause is available in".getBytes());
                        "
    com.sun.facelets.FaceletException".getBytes(),
                        "Generated by MyFaces - for information on disabling".getBytes(),
                        "Error - org.apache.myfaces"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
                        <span class="token string">"org.primefaces.webapp"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    HttpServerHeaderRule
    http头泄露应用版本号
    【8】Java&Jetty&GlassFish&Weblogic
    <pre data-index="14" class="set-code-show prettyprint"><code class="prism language-java has-numbering" onclick="mdcp.signin(event)" style="position: unset;"><span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"java\\/([\\d\\.\\_]+)"</span>
    <span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"Jetty.([\\d\\.]+)"</span>
    <span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"GlassFish Server Open Source Edition ([\\d\\.]+)"</span>
    <span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"WebLogic (:?Server )?([\\d\\.]+)"</span>
    【10】oracle
    <pre data-index="15" class="set-code-show prettyprint"><code class="prism language-java has-numbering" onclick="mdcp.signin(event)" style="position: unset;">ORACLE_APPLICATION_SERVER_RE<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"Oracle Application Server Containers for J2EE 10g \\(([\\d\\.]+)\\)"</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>DOTALL<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    ORACLE_APPLICATION_SERVER_RE<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"Oracle.Application.Server.10g\\/([\\d\\.]+)"</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>DOTALL<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    ORACLE_APPLICATION_SERVER_RE<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"Oracle Application Server\\/([\\d\\.]+)"</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>DOTALL<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    ORACLE_APPLICATION_SERVER_RE<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"Oracle9iAS\\/([\\d\\.]+)"</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>DOTALL<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    【11】nodejs
    <pre data-index="16" class="set-code-show prettyprint"><code class="prism language-java has-numbering" onclick="mdcp.signin(event)" style="position: unset;"><span class="token keyword">if</span> <span class="token punctuation">(</span>xPoweredByHeader<span class="token punctuation">.</span><span class="token function">trim</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">equals</span><span class="token punctuation">(</span><span class="token string">"Express"</span><span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token punctuation">{<!-- --></span>
    SqlQueryRule
    【12】SQL exception
    <pre data-index="17" class="set-code-show prettyprint"><code class="prism language-java has-numbering" onclick="mdcp.signin(event)" style="position: unset;">SQL_QUERIES_RE<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"select "</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>CASE_INSENSITIVE <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>DOTALL <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>MULTILINE<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    SQL_QUERIES_RE<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"IS NOT NULL"</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>CASE_INSENSITIVE <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>DOTALL <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>MULTILINE<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    ApacheStrutsS2023Rule
    【13】StrutsTokenCracker
    提取token
    <pre data-index="18" class="set-code-show prettyprint"><code class="prism language-java has-numbering" onclick="mdcp.signin(event)" style="position: unset;">    <span class="token keyword">private</span> <span class="token keyword">final</span> <span class="token class-name">Pattern</span> TOKEN_FIELD_PATTERN <span class="token operator">=</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"<input type=\"hidden\" name=\"token\" value=\"([^\"]+)\""</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    
    转int,按固定长度切割
    <pre data-index="19" class="set-code-show prettyprint"><code class="prism language-java has-numbering" onclick="mdcp.signin(event)" style="position: unset;"> <span class="token keyword">int</span><span class="token punctuation">[</span><span class="token punctuation">]</span> tokenInts <span class="token operator">=</span> <span class="token function">bytesToInt</span><span class="token punctuation">(</span><span class="token function">bigIntToByte</span><span class="token punctuation">(</span>token<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    根据int找到seed
    <pre data-index="20" class="set-code-show prettyprint"><code class="prism language-java has-numbering" onclick="mdcp.signin(event)" style="position: unset;">        <span class="token keyword">long</span> seed <span class="token operator">=</span> <span class="token function">findSeed</span><span class="token punctuation">(</span><span class="token function">reverseByteOrder</span><span class="token punctuation">(</span>tokenInts<span class="token punctuation">[</span><span class="token number">1</span><span class="token punctuation">]</span><span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token function">reverseByteOrder</span><span class="token punctuation">(</span>tokenInts<span class="token punctuation">[</span><span class="token number">2</span><span class="token punctuation">]</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    
    根据种子预测随机数,和token匹配,如果能匹配上,说明种子是对的,也就是说明token可预测。
    <pre data-index="21" class="set-code-show prettyprint"><code class="prism language-java has-numbering" onclick="mdcp.signin(event)" style="position: unset;"><span class="token keyword">int</span><span class="token punctuation">[</span><span class="token punctuation">]</span> nextInts <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token keyword">int</span><span class="token punctuation">[</span><span class="token number">4</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
            <span class="token keyword">for</span><span class="token punctuation">(</span><span class="token keyword">int</span> i<span class="token operator">=</span><span class="token number">0</span><span class="token punctuation">;</span>i<span class="token operator"><</span>nextInts<span class="token punctuation">.</span>length<span class="token punctuation">;</span>i<span class="token operator">++</span><span class="token punctuation">)</span> <span class="token punctuation">{<!-- --></span>
                nextInts<span class="token punctuation">[</span>i<span class="token punctuation">]</span> <span class="token operator">=</span> <span class="token function">reverseByteOrder</span><span class="token punctuation">(</span>random<span class="token punctuation">.</span><span class="token function">nextInt</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
            <span class="token punctuation">}</span>
    
            <span class="token keyword">boolean</span> match1 <span class="token operator">=</span> tokenInts<span class="token punctuation">[</span><span class="token number">2</span><span class="token punctuation">]</span> <span class="token operator">==</span> nextInts<span class="token punctuation">[</span><span class="token number">0</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
            <span class="token keyword">boolean</span> match2 <span class="token operator">=</span> tokenInts<span class="token punctuation">[</span><span class="token number">3</span><span class="token punctuation">]</span> <span class="token operator">==</span> nextInts<span class="token punctuation">[</span><span class="token number">1</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
            <span class="token keyword">boolean</span> match3 <span class="token operator">=</span> tokenInts<span class="token punctuation">[</span><span class="token number">4</span><span class="token punctuation">]</span> <span class="token operator">==</span> nextInts<span class="token punctuation">[</span><span class="token number">2</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
    
    JettyRule
    【14】Jetty发现
    <pre data-index="22" class="set-code-show prettyprint"><code class="prism language-java has-numbering" onclick="mdcp.signin(event)" style="position: unset;">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">Pattern</span> JETTY_PATTERN <span class="token operator">=</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"><small>Powered by Jetty"</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>DOTALL <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>MULTILINE<span class="token punctuation">)</span><span class="token punctuation">;</span>
    
    SessionIDInURL
    【15】Session Token in URL
    <pre data-index="23" class="set-code-show prettyprint"><code class="prism language-java has-numbering" onclick="mdcp.signin(event)" style="position: unset;">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> <span class="token class-name">SESSIONIDs</span> <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">ArrayList</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span><span class="token string">";jsessionid"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    JSPostMessage
    【16】JSPostMessage函数
    js的跨域信息通信的函数。
    <pre data-index="24" class="set-code-show prettyprint"><code class="prism language-java has-numbering" onclick="mdcp.signin(event)" style="position: unset;">POSTMESSAGE_PATTERNS<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">".addEventListener\\(\"message"</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>CASE_INSENSITIVE <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>DOTALL <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>MULTILINE<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    POSTMESSAGE_PATTERNS<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"window\\).on\\(\"message"</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>CASE_INSENSITIVE <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>MULTILINE<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    POSTMESSAGE_PATTERNS<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">".postMessage\\("</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>CASE_INSENSITIVE <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>MULTILINE<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    <div class="hljs-button signin" data-title="登录后复制" data-report-click="{"spm":"1001.2101.3001.4334"}"></div></code><ul class="pre-numbering" style=""><li style="color: rgb(153, 153, 153);">1</li><li style="color: rgb(153, 153, 153);">2</li><li style="color: rgb(153, 153, 153);">3</li></ul></pre> 
    <h4><a name="t11"></a><a id="SessionFixation_341"></a>SessionFixation</h4> 
    <h5><a id="17session_fixation_attack_342"></a>【17】session fixation attack(固定会话攻击)</h5> 
    <p>先检查 URL。这个检查很粗糙:只按 URL 的文件后缀做黑名单匹配,没有后缀时默认按 Java 应用处理通过。</p> 
    <pre data-index="25" class="set-code-show prettyprint"><code class="prism language-java has-numbering" onclick="mdcp.signin(event)" style="position: unset;"><span class="token function">isJavaApplicationByURL</span><span class="token punctuation">(</span>curURL<span class="token punctuation">)</span>
    <div class="hljs-button signin" data-title="登录后复制" data-report-click="{"spm":"1001.2101.3001.4334"}"></div></code><ul class="pre-numbering" style=""><li style="color: rgb(153, 153, 153);">1</li></ul></pre> 
    <p><img src="https://1000bd.com/contentImg/2023/10/29/165310714.png" alt="在这里插入图片描述"></p> 
    <p>然后的条件是请求包的 Cookie 中带有<a href="https://so.csdn.net/so/search?q=JSESSIONID&spm=1001.2101.3001.7020" target="_blank" class="hl hl-1" data-tit="JSESSIONID" data-pretit="jsessionid">JSESSIONID</a>,且请求体(reqBody)中同时出现密码类字段(password/pwd/passw)和账号类字段(user/uid/mail),即看起来像一次登录请求</p> 
    <pre data-index="26" class="set-code-show prettyprint"><code class="prism language-java has-numbering" onclick="mdcp.signin(event)" style="position: unset;"><span class="token keyword">if</span> <span class="token punctuation">(</span>requestCookie <span class="token operator">!=</span> <span class="token keyword">null</span> <span class="token operator">&&</span> requestCookie<span class="token punctuation">.</span><span class="token function">contains</span><span class="token punctuation">(</span><span class="token string">"JSESSIONID"</span><span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token punctuation">{<!-- --></span>
                <span class="token class-name">String</span> reqBodyLowercase <span class="token operator">=</span> reqBody<span class="token punctuation">.</span><span class="token function">toLowerCase</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    
    <span class="token keyword">if</span> <span class="token punctuation">(</span>reqBodyLowercase <span class="token operator">!=</span> <span class="token keyword">null</span>
                        <span class="token operator">&&</span> <span class="token punctuation">(</span>reqBodyLowercase<span class="token punctuation">.</span><span class="token function">contains</span><span class="token punctuation">(</span><span class="token string">"password"</span><span class="token punctuation">)</span> <span class="token operator">||</span> reqBodyLowercase<span class="token punctuation">.</span><span class="token function">contains</span><span class="token punctuation">(</span><span class="token string">"pwd"</span><span class="token punctuation">)</span> <span class="token operator">||</span> reqBodyLowercase<span class="token punctuation">.</span><span class="token function">contains</span><span class="token punctuation">(</span><span class="token string">"passw"</span><span class="token punctuation">)</span><span class="token punctuation">)</span>
                        <span class="token operator">&&</span> <span class="token punctuation">(</span>reqBodyLowercase<span class="token punctuation">.</span><span class="token function">contains</span><span class="token punctuation">(</span><span class="token string">"user"</span><span class="token punctuation">)</span> <span class="token operator">||</span> reqBodyLowercase<span class="token punctuation">.</span><span class="token function">contains</span><span class="token punctuation">(</span><span class="token string">"uid"</span><span class="token punctuation">)</span> <span class="token operator">||</span> reqBodyLowercase<span class="token punctuation">.</span><span class="token function">contains</span><span class="token punctuation">(</span><span class="token string">"mail"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token punctuation">{<!-- --></span>
    
    <div class="hljs-button signin" data-title="登录后复制" data-report-click="{"spm":"1001.2101.3001.4334"}"></div></code><ul class="pre-numbering" style=""><li style="color: rgb(153, 153, 153);">1</li><li style="color: rgb(153, 153, 153);">2</li><li style="color: rgb(153, 153, 153);">3</li><li style="color: rgb(153, 153, 153);">4</li><li style="color: rgb(153, 153, 153);">5</li><li style="color: rgb(153, 153, 153);">6</li><li style="color: rgb(153, 153, 153);">7</li></ul></pre> 
    <p>并且返回包没有 Set-Cookie(说明登录后没有重新下发新的会话 ID,沿用了登录前的会话),或者 Set-Cookie 字段里仍包含 JSESSIONID<br> 这种校验比较粗糙,容易误报,代码注释里也说明了这一点</p> 
    <p>Due to the nature of the vulnerability, this check is prone to False Positives and must be manually confirmed<br> <img src="https://1000bd.com/contentImg/2023/10/29/165310730.png" alt="在这里插入图片描述"></p> 
    <h4><a name="t12"></a><a id="_364"></a>后话</h4> 
    <p>主动扫描有点多,放在一个文章显得有点重,拆成两个。</p>
                    </div>
                        </div>
                    </li>
    
    
                </ul>
            </div>
    
        </div>
    </div>
    
    </body>
    </html>