0x00 Background

I recently started getting into Java. I want to understand the vulnerability principles behind WebLogic, Shiro and Struts2.

0x01 Getting started

IDEA:

Useful shortcut: double-tap Shift opens the project-wide quick search


Go to definition: Ctrl + left-click
Ctrl+Alt+L formats code: automatically aligns and indents the code
Handy live templates: psvm creates the main method
sout expands to the print statement (System.out.println)

Java basics

The Java platform is divided into three main editions:

Java SE (Java Platform, Standard Edition), the standard edition of the Java platform
Java EE (Java Platform, Enterprise Edition), the enterprise edition of the Java platform
Java ME (Java Platform, Micro Edition), the micro edition of the Java platform

Java SE is the standard API that ships with the JDK.

Java Security

Practice: Java Sec Code:

1. CommandInject.java

package org.joychou.controller;

import org.joychou.security.SecurityUtil;
import org.joychou.util.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

@RestController
public class CommandInject {

    protected final Logger logger = LoggerFactory.getLogger(this.getClass());

    /**
     * http://localhost:8080/codeinject?filepath=/tmp;cat /etc/passwd
     *
     * @param filepath filepath
     * @return result
     */
    @GetMapping("/codeinject")
    public String codeInject(String filepath) throws IOException {

        String[] cmdList = new String[]{"sh", "-c", "ls -la " + filepath};
        ProcessBuilder builder = new ProcessBuilder(cmdList);
        builder.redirectErrorStream(true);
        Process process = builder.start();
        return WebUtils.convertStreamToString(process.getInputStream());
    }

    /**
     * Host Injection
     * Host: hacked by joychou;cat /etc/passwd
     * http://localhost:8080/codeinject/host
     */
    @GetMapping("/codeinject/host")
    public String codeInjectHost(HttpServletRequest request) throws IOException {

        String host = request.getHeader("host");
        logger.info(host);
        String[] cmdList = new String[]{"sh", "-c", "curl " + host};
        ProcessBuilder builder = new ProcessBuilder(cmdList);
        builder.redirectErrorStream(true);
        Process process = builder.start();
        return WebUtils.convertStreamToString(process.getInputStream());
    }

    @GetMapping("/codeinject/sec")
    public String codeInjectSec(String filepath) throws IOException {
        String filterFilePath = SecurityUtil.cmdFilter(filepath);
        if (null == filterFilePath) {
            return "Bad boy. I got u.";
        }
        String[] cmdList = new String[]{"sh", "-c", "ls -la " + filterFilePath};
        ProcessBuilder builder = new ProcessBuilder(cmdList);
        builder.redirectErrorStream(true);
        Process process = builder.start();
        return WebUtils.convertStreamToString(process.getInputStream());
    }
}

This one is actually quite simple: the filepath from the GET request is concatenated directly into:

String[] cmdList = new String[]{"sh", "-c", "ls -la " + filepath};

A quick experiment: use ; to terminate the first command and execute two commands:


sh -c is just the command-execution prefix; it can be added or omitted.

The code itself actually hints at this:

http://localhost:8080/codeinject?filepath=/tmp;cat /etc/passwd

This is quite similar to how RCE is written in PHP; I did not notice any Java-specific traits here. The core idea is still that a user-controllable parameter is concatenated directly into the command.
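As an added example (not code from Java Sec Code), the vulnerable pattern from codeInject is placed next to a hardened equivalent. The caveat a practitioner should note: the ; trick only works because the whole string is handed to sh -c and parsed by a shell. When the path is passed as its own argv element, ProcessBuilder hands it verbatim to the OS and ; is just a character in a filename. The hardened version additionally applies an allowlist and confines the path below a base directory. The class name CommandInjectFix, the methods vulnerableArgv/hardenedArgv/run, the SAFE_PATH pattern and the /tmp base directory are all assumptions for this example; it requires Java 11 or later for InputStream.readAllBytes().

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Added example, not part of the Java Sec Code project.
public class CommandInjectFix {

    // Allowlist: only plain path characters. Shell metacharacters (; | & $ ` etc.),
    // whitespace and quotes are rejected before anything is executed. (assumed policy)
    private static final Pattern SAFE_PATH = Pattern.compile("^[A-Za-z0-9_./-]+$");

    // Every listing is confined below this directory (constructed value for the example).
    private static final Path BASE_DIR = Paths.get("/tmp").toAbsolutePath().normalize();

    /** The pattern from CommandInject.codeInject: user input spliced into a shell string. */
    static String[] vulnerableArgv(String filepath) {
        return new String[]{"sh", "-c", "ls -la " + filepath};
    }

    /**
     * Hardened: no shell, the path is one argv element, and it must pass the
     * allowlist and stay below BASE_DIR. Returns null when the input is rejected.
     */
    static String[] hardenedArgv(String filepath) {
        if (filepath == null || !SAFE_PATH.matcher(filepath).matches()) {
            return null;               // metacharacters, spaces, quotes: rejected outright
        }
        Path resolved = BASE_DIR.resolve(filepath).normalize();
        if (!resolved.startsWith(BASE_DIR)) {
            return null;               // "../" or absolute paths outside BASE_DIR: rejected
        }
        // Without "sh -c" the argument goes straight to the ls process as one argv entry,
        // so a ';' inside it can never start a second command.
        return new String[]{"ls", "-la", resolved.toString()};
    }

    /** Runs an argv array and returns combined stdout/stderr, as WebUtils does on the page. */
    static String run(String[] argv) throws IOException, InterruptedException {
        ProcessBuilder builder = new ProcessBuilder(argv);
        builder.redirectErrorStream(true);
        Process process = builder.start();
        try (InputStream in = process.getInputStream()) {
            String out = new String(in.readAllBytes(), StandardCharsets.UTF_8);
            process.waitFor();
            return out;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input in the same shape as the page's test URL (/tmp;cat /etc/passwd)
        String hostile = "/tmp;cat /etc/passwd";

        // The shell receives one string containing two commands.
        System.out.println("vulnerable argv: " + String.join(" | ", vulnerableArgv(hostile)));

        // The same input never reaches a process: ';' and ' ' fail SAFE_PATH.
        String[] safe = hardenedArgv(hostile);
        System.out.println("hardened argv:   " + (safe == null ? "rejected" : String.join(" | ", safe)));

        // A benign relative path passes and is listed with no shell involved.
        System.out.println(run(hardenedArgv(".")));
    }
}
```

The important design choice is the argv array rather than the filter: SecurityUtil.cmdFilter in codeInjectSec is a denylist on a string that still ends up inside sh -c, so any metacharacter the filter misses is interpreted by the shell. Dropping the shell removes that whole class of bypasses, and the allowlist plus BASE_DIR check then only has to decide which directories may be listed.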