优化a=json时的漏洞扫描,建议升级

pmiaowu · Dec 15, 2021 · d160bf2 · d160bf2
1 parent 4a004e2
commit d160bf2
Show file tree

Hide file tree

Showing 5 changed files with 90 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -21,6 +21,7 @@ log4jScan 一个用于企业内部排查log4j漏洞的插件
 
 # 检测规则
 
+```
 暂时只支持以下类型,进行扫描log4j的jndi漏洞
 
 - GET
@@ -30,6 +31,8 @@ log4jScan 一个用于企业内部排查log4j漏洞的插件
 - Xml
 - Body
 - Header
+- 参数为json的字符串,例如:test={"a":1,"b":"b2","c":[{"cc1":"aa123","cc2":123}]}
+```
 
 # 请注意!!!!
 

diff --git a/pom.xml b/pom.xml
@@ -6,7 +6,7 @@
 
     <groupId>com.github.pmiaowu</groupId>
     <artifactId>log4j2Scan</artifactId>
-    <version>1.3.0</version>
+    <version>1.4.0</version>
 
     <dependencies>
         <!-- https://mvnrepository.com/artifact/net.portswigger.burp.extender/burp-extender-api -->
@@ -29,6 +29,13 @@
             <artifactId>snakeyaml</artifactId>
             <version>1.29</version>
         </dependency>
+
+        <!-- https://mvnrepository.com/artifact/com.alibaba/fastjson -->
+        <dependency>
+            <groupId>com.alibaba</groupId>
+            <artifactId>fastjson</artifactId>
+            <version>1.2.78</version>
+        </dependency>
     </dependencies>
 
     <build>

diff --git a/src/main/java/burp/Application/RemoteCmdExtension/ExtensionMethod/RemoteCmdScan.java b/src/main/java/burp/Application/RemoteCmdExtension/ExtensionMethod/RemoteCmdScan.java
@@ -135,8 +135,26 @@ private void remoteCmdDetection(IParameter parameter, String payload) {
             }
         }
 
+        String newPayload = "";
+        if (CustomHelpers.isJson(parameter.getValue())) {
+            // 参数为json时的payload构造方法
+            // 例如: a={"a":1,"b":"ccccc"}
+            String jsonPayload = CustomHelpers.jsonStringValueReplace(parameter.getValue(), payload);
+            String[] jsonPayloadList = jsonPayload.split("dnslog-url");
+            for (int i = 0; i < jsonPayloadList.length; i++) {
+                if (jsonPayloadList.length != (i + 1)) {
+                    newPayload += jsonPayloadList[i] + (i + 1) + "." + "json" + "." + dnsLogUrl;
+                } else {
+                    newPayload += jsonPayloadList[i];
+                }
+            }
+        } else {
+            // 构造普通参数的payload
+            newPayload = payload.replace("dnslog-url", dnsLogUrl);
+        }
+
         // 发送请求
-        IHttpRequestResponse newHttpRequestResponse = analyzedRequest.makeHttpRequest(parameter, payload.replace("dnslog-url", dnsLogUrl), newHeaders);
+        IHttpRequestResponse newHttpRequestResponse = analyzedRequest.makeHttpRequest(parameter, newPayload, newHeaders);
 
         // 相关变量设置
         this.keyArrayList.add(key);

diff --git a/src/main/java/burp/Bootstrap/CustomHelpers.java b/src/main/java/burp/Bootstrap/CustomHelpers.java
@@ -2,6 +2,10 @@
 
 import java.util.*;
 
+import com.alibaba.fastjson.JSONArray;
+import com.alibaba.fastjson.JSONObject;
+import com.alibaba.fastjson.parser.ParserConfig;
+
 public class CustomHelpers {
     /**
      * 随机取若干个字符
@@ -132,4 +136,59 @@ public static String getParam(final String d, final String paramName) {
     public static String substringReplace(String val1, int val2, int val3, String val4) {
         return val1.substring(0, val2) + val4 + val1.substring(val3);
     }
+
+    /**
+     * 判断是否为json
+     *
+     * @param str
+     * @return
+     */
+    public static boolean isJson(String str) {
+        // 防止被日,一定要开
+        ParserConfig.getGlobalInstance().setSafeMode(true);
+        try {
+            // 替换特殊字符,
+            String randomStr = "$" + randomStr(20) + "$";
+            str = str.replace("@", randomStr);
+            JSONObject.parseObject(str);
+            return true;
+        } catch (Exception e) {
+            return false;
+        }
+    }
+
+    /**
+     * json字符串值替换
+     * 该功能会递归将所有json的value替换成指定字符串
+     *
+     * @param var1 json字符串
+     * @param var2 要被替换的内容
+     * @return
+     */
+    public static String jsonStringValueReplace(String var1, String var2) {
+        // 防止被日,一定要开
+        ParserConfig.getGlobalInstance().setSafeMode(true);
+
+        // 替换特殊字符,
+        String randomStr = "$" + randomStr(20) + "$";
+        var1 = var1.replace("@", randomStr);
+
+        // 开始正式替换
+        JSONObject jsonObject = JSONObject.parseObject(var1);
+        for (String k : jsonObject.keySet()) {
+            if (jsonObject.get(k) instanceof JSONArray) {
+                JSONArray arr = JSONObject.parseArray(jsonObject.getString(k));
+                for (int i = 0; i < arr.size(); i++) {
+                    Object o = arr.get(i);
+                    arr.set(i, jsonStringValueReplace(o.toString(), var2));
+                }
+                jsonObject.put(k, arr);
+            } else {
+                jsonObject.put(k, var2);
+            }
+        }
+
+        // 返回,并且把前面的特殊字符,替换回来
+        return jsonObject.toJSONString().replace(randomStr, "@");
+    }
 }
diff --git a/src/main/java/burp/BurpExtender.java b/src/main/java/burp/BurpExtender.java
@@ -15,7 +15,7 @@
 
 public class BurpExtender implements IBurpExtender, IScannerCheck {
     public static String NAME = "log4j2Scan";
-    public static String VERSION = "1.3.0";
+    public static String VERSION = "1.4.0";
 
     private IBurpExtenderCallbacks callbacks;
     private IExtensionHelpers helpers;
-Original file line number
+Diff line change
@@ Expand Up / @@ -21,6 +21,7 @@ log4jScan 一个用于企业内部排查log4j漏洞的插件 @@
     # 检测规则
+    ```
     暂时只支持以下类型,进行扫描log4j的jndi漏洞
     - GET
@@ Expand All / @@ -30,6 +31,8 @@ log4jScan 一个用于企业内部排查log4j漏洞的插件 @@
     - Xml
     - Body
     - Header
+    - 参数为json的字符串,例如:test={"a":1,"b":"b2","c":[{"cc1":"aa123","cc2":123}]}
+    ```
     # 请注意!!!!
@@ Expand Down @@