
Example Analysis of implementing jsp webshell Bypass in java dynamic loading feature

2025-01-18 Update. From: SLTechnology News&Howtos (shulou), Network Security

Shulou(Shulou.com)05/31 Report--

Today I will talk with you about an example analysis of JSP webshell bypass using Java's dynamic loading features, a topic that many people may not understand well. To help you understand it better, the editor has summarized the following content. I hope you get something from this article.

Overall introduction

A total of four JSP webshells were submitted to the Qingteng webshell bypass event at the time. The main idea is to find dynamic behaviour inside a static file: the JDK's built-in JavaScript engine, and class bytecode loading.

0.jsp: the plain webshell, with nothing hidden

The most direct form: the shell is written out in the open. It also turned out that Windows Defender on the local PC flagged 0.jsp.

1.jsp: the first step toward dynamic behaviour, with the help of the JavaScript engine

The JDK has a built-in JavaScript engine; the default implementation was Rhino from JDK 1.6 and Nashorn from JDK 1.8. 1.jsp is adapted to the different JDK versions.

2.jsp: dynamic transformation

1.jsp only uses the JS engine; the ability to obfuscate and transform dynamic scripts is not fully used. 2.jsp tries simple substitution transformations. We know that XSS poses a great challenge to regex-based detection; my personal feeling is that XSS usually comes with HTML mixed with JavaScript, and the many forms JavaScript can take make further detection harder. Here we apply a similar idea: by mixing Java and JavaScript, the dynamic and variable nature of JavaScript can still be used, so both regex-based and static-parsing detection should meet some obstacles.

3.jsp: dynamic bytecode loading

Only the tail of 3.jsp survives in the source; the beginning of the page is cut off:

```jsp
            ... 2) {
                throw new NumberFormatException("Invalid octet length");
            }
            data[i] = Integer.valueOf(octets[i], 16).byteValue();
        }
        L l = new L();
        l.defineClass0("A", data);
        Class classA = l.loadClass("A");
        Method m = classA.getDeclaredMethod("F", String.class);
        m.invoke(null, n);
%>
```

3.jsp relies on loading bytecode through defineClass0 to bypass detection. The idea at the time: earlier attackers liked to use base64 for bypasses; Java can load bytecode dynamically, and bytecode transmitted as hexadecimal is hard for a regex-based WAF to catch. Later, when studying Behinder ("ice crab"), we saw that the defineClass method was used there as well.

The fragile JEP status of the built-in JavaScript engine, from a developer's and a security perspective

Whether the JDK should bundle a JavaScript engine is debatable. Java developers do have a strong need for dynamic scripts; for example, I write rule engines myself, which are often used when configuring a system. Groovy, provided as a third-party jar, is a good example of meeting such needs. In practice the built-in JavaScript engine may not meet application requirements: the JDK changed the implementation to Nashorn in 1.8, and there is a JDK 15 proposal to replace Nashorn. And when I was studying Baidu OpenRASP, I could see that the rule engine of the earliest Java version was provided by the JDK's built-in engine, but in the end it was switched to the V8 engine because of performance problems.

Solr configuration script RCE

Recall another case: the Solr CVE-2019-0193 remote code execution vulnerability. I remember that when this 0day was disclosed, the security vendor's PoC article had the payload blurred out. Combined with the official documentation, we already guessed that it was caused by JavaScript in the dynamic configuration, and immediately verified that this was true. There is a "default" there, and the vulnerability becomes immediately apparent.

In short, which JavaScript engine is strong is left for the user to decide.

Compare with other webshell tools

When I finished writing the JSP webshells above, I talked with a colleague in the department, who mentioned Behinder ("ice crab"). In the past, my understanding of webshell tools focused more on automation and convenience, such as China Chopper ("Chinese kitchen knife"). But Behinder is different: it borrows the logic of an interactive protocol conversation to strengthen its bypass ability, which broadens the way of thinking.

What can RASP do?

Take Baidu RASP as an example: how does it match Behinder, and the JavaScript dynamic-script webshells?

```javascript
function validate_stack_java(stacks) {
    var known = {
        'com.thoughtworks.xstream.XStream.unmarshal': "Using xstream library",
        'java.beans.XMLDecoder.readObject': "Using WebLogic XMLDecoder library",
        'org.apache.commons.collections4.functors.InvokerTransformer.transform': "Using Transformer library (v4)",
        'org.apache.commons.collections.functors.InvokerTransformer.transform': "Using Transformer library",
        'org.apache.commons.collections.functors.ChainedTransformer.transform': "Using Transformer library",
        'org.jolokia.jsr160.Jsr160RequestDispatcher.dispatchRequest': "Using JNDI library (JSR 160)",
        'com.sun.jndi.rmi.registry.RegistryContext.lookup': "Using JNDI registry service",
        'org.apache.xbean.propertyeditor.JndiConverter': "Using JNDI binding class",
        'com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig': "Using JTA transaction manager",
        'com.sun.jndi.url.ldap.ldapURLContext.lookup': "Using LDAP factory service",
        'com.alibaba.fastjson.JSON.parseObject': "Using fastjson library",
        'org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute': "Using SpEL expressions",
        'freemarker.template.utility.Execute.exec': "Using FreeMarker template",
        'org.jboss.el.util.ReflectionUtil.invokeMethod': "Using JBoss EL method",
        'org.codehaus.groovy.runtime.ProcessGroovyMethods.execute': "Using Groovy library",
        'bsh.Reflect.invokeMethod': "Using BeanShell library",
        'jdk.scripting.nashorn/jdk.nashorn.internal.runtime.ScriptFunction.invoke': "Using Nashorn engine",
        'org.apache.shiro.io.DefaultSerializer.deserialize': "Using Shiro framework (DefaultSerializer)"
    }

    var userCode = false, reachedInvoke = false, i = 0, message = undefined

    // v1.1.1 requires com.baidu.openrasp-related classes to be filtered out of the stack.
    // Because that was not implemented correctly, an extra reflection frame is generated,
    // which has to be tolerated here to prevent false positives.
    // v1.1.2 fixed this problem, i.e. the method is now at the top of the stack.
    if (stacks.length > 3
        && stacks[0].startsWith('sun.reflect.GeneratedMethodAccessor')
        && stacks[1] == 'sun.reflect.GeneratedMethodAccessorImpl.invoke'
        && stacks[2] == 'java.lang.reflect.Method.invoke') {
        i = 3
    }

    for (; i < stacks.length; i++) {
        var method = stacks[i]

        // check reflection call -> whether it is user code
        if (!reachedInvoke) {
            if (method == 'java.lang.reflect.Method.invoke') {
                reachedInvoke = true
            }
            // user code, that is, a function that is not from the JDK or com.baidu.openrasp
            if (!method.startsWith('java.') && !method.startsWith('sun.')
                && !method.startsWith('com.sun.') && !method.startsWith('com.baidu.openrasp.')) {
                userCode = true
            }
        }

        if (method.startsWith('ysoserial.Pwner')) {
            message = "Using YsoSerial tool"
            break
        }
        if (method.startsWith('net.rebeyond.behinder')) {
            message = "Using BeHinder defineClass webshell"
            break
        }
        if (method.startsWith('com.fasterxml.jackson.databind.')) {
            message = "Using Jackson deserialze method"
            break
        }

        // for the following types of reflection call:
        // 1. intercept only if the command comes directly from the reflection call
        // 2. if a class is generated by reflection and that class actively executes
        //    the command, it is not intercepted here (the userCode flag)
        if (!userCode) {
            if (method == 'ognl.OgnlRuntime.invokeMethod') {
                message = "Using OGNL library"
                break
            } else if (method == 'java.lang.reflect.Method.invoke') {
                message = "Unknown vulnerability detected"
            }
        }

        if (known[method]) {
            message = known[method]
        }
    }

    return message
}
```

We can see that the RASP hooks the Java call stack and matches it against a blacklist of known libraries, for example the JavaScript engine trick (keyword nashorn) and Behinder (keyword behinder) mentioned above. It has to be said that using the call stack as context makes RASP detection more accurate, but software evolves in iterations and the adversarial approach is upgraded along with it.

For example, the JavaScript engine changes with the JDK version, and the Rhino path used before JDK 1.8 is missing from the policy script. As for the Behinder keyword "behinder", matching it can stop script kiddies, but even though the Behinder author has not released the source code, changing the package name of such a tool is not difficult, which lets it escape the RASP check.
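As an added example (not OpenRASP code, and not from the article), the following stack check addresses the first gap above: it keys on engine frame prefixes instead of one exact frame string, so Nashorn on JDK 8 (no module prefix), Nashorn on JDK 9+ (with the "module/" prefix) and Rhino on JDK 6/7 are all recognised. The Rhino package names and the module-prefix format are assumed from the JDK layout, and the sample stacks are constructed, not captured.

```javascript
// Added example, not openrasp code: flag JDK script engines by frame
// prefix rather than by one exact frame string, so Nashorn on JDK 8
// (no module prefix), Nashorn on JDK 9+ ("module/" prefix) and Rhino
// on JDK 6/7 are all caught. Input: "class.method" frames, innermost
// first, as the openrasp policy receives them.

// Engine frame prefixes. Rhino's package names are assumed from the
// JDK 6/7 internal layout, not taken from the article.
var ENGINE_PREFIXES = [
  ['jdk.nashorn.', 'Using Nashorn engine (JDK 8+)'],
  ['sun.org.mozilla.javascript.internal.', 'Using Rhino engine (JDK 6/7)'],
  ['com.sun.script.javascript.', 'Using Rhino engine (JDK 6/7)'],
];
// Tool signature from the openrasp policy; brittle, since a repackaged
// tool stops matching, so engine frames are checked first.
var TOOL_PREFIXES = [
  ['net.rebeyond.behinder', 'Using BeHinder defineClass webshell'],
];

function stripModule(frame) {   // "java.base/java.lang.X.y" -> "java.lang.X.y"
  return frame.replace(/^[^/]+\//, '');
}

function matchPrefix(frame, table) {
  for (var i = 0; i < table.length; i++) {
    if (frame.indexOf(table[i][0]) === 0) return table[i][1];
  }
  return null;
}

// Message for the first engine frame, else the first tool frame, else null.
function classifyStack(stacks) {
  var toolHit = null;
  for (var i = 0; i < stacks.length; i++) {
    var frame = stripModule(stacks[i]);
    var engine = matchPrefix(frame, ENGINE_PREFIXES);
    if (engine) return engine;
    if (!toolHit) toolHit = matchPrefix(frame, TOOL_PREFIXES);
  }
  return toolHit;
}

// Constructed sample stacks (not captured traces), innermost frame first.
var SAMPLE_STACKS = {
  nashornJdk8: ['java.lang.Runtime.exec', 'jdk.nashorn.internal.runtime.ScriptFunction.invoke', 'org.apache.jsp.index_jsp._jspService'],
  nashornJdk11: ['java.base/java.lang.Runtime.exec', 'jdk.scripting.nashorn/jdk.nashorn.internal.runtime.ScriptFunction.invoke', 'org.apache.jsp.index_jsp._jspService'],
  rhinoJdk7: ['java.lang.Runtime.exec', 'sun.org.mozilla.javascript.internal.MemberBox.invoke', 'com.sun.script.javascript.RhinoScriptEngine.eval'],
  behinder: ['java.lang.Runtime.exec', 'net.rebeyond.behinder.ConstructedFrame.run', 'java.lang.reflect.Method.invoke'],
  benign: ['java.lang.Runtime.exec', 'com.example.backup.Scheduler.run'],
};
```

The package-rename problem remains: a repackaged tool only falls through to the engine or known-library checks, which is why behaviour-based frames are matched before signatures.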
