{"id":1063,"date":"2025-03-29T06:22:05","date_gmt":"2025-03-29T06:22:05","guid":{"rendered":"http:\/\/www.nokws.top\/?p=1063"},"modified":"2025-03-29T07:16:14","modified_gmt":"2025-03-29T07:16:14","slug":"conglingkaishiderasphuanjingdajianyi","status":"publish","type":"post","link":"http:\/\/www.nokws.top\/index.php\/2025\/03\/29\/conglingkaishiderasphuanjingdajianyi\/","title":{"rendered":"\u4ece\u96f6\u5f00\u59cb\u7684Rasp\u2014\u2014\u73af\u5883\u642d\u5efa"},"content":{"rendered":"\n

0x01 \u73af\u5883\u642d\u5efa<\/h2>\n\n\n\n

\u53c2\u8003\u4e00\u4e0b\u6587\u7ae0<\/p>\n\n\n\n

\u6d45\u8c08RASP\u6280\u672f\u653b\u9632\u4e4b\u5b9e\u6218[\u73af\u5883\u914d\u7f6e\u7bc7]-\u5148\u77e5\u793e\u533a<\/a><\/p>\n\n\n\n

RASP\u4ece0\u52301-\u5148\u77e5\u793e\u533a<\/a><\/p>\n\n\n\n

\u6587\u7ae0\u73af\u5883\u914d\u7f6e\uff1a<\/p>\n\n\n\n

Tomcat 8.5.56<\/p>\n\n\n\n

Java 1.8<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

0x02 \u642d\u5efa\u4e2d\u7684\u95ee\u9898<\/h2>\n\n\n\n

IDEA\u542f\u52a8\u914d\u7f6e\u95ee\u9898<\/strong><\/p>\n\n\n\n

Tomcat \u53c2\u6570
Configurations-Server-VM options\uff1a
-Dlog4j.debug
-Dfile.encoding=UTF-8
-noverify
-Xbootclasspath\/p:Agent.jar(\u540e\u7eed\u68c0\u6d4b\u7684\u4ee3\u7406jar\u5305)
-javaagent:Agent.jar(\u540e\u7eed\u68c0\u6d4b\u7684\u4ee3\u7406jar\u5305)
Configurations-Deployment\uff1a
\u6ce8\u610fwar\u5305\u548cApplication context<\/p>\n\n\n\n

\u4f9d\u8d56\u7248\u672c\u95ee\u9898\uff1a<\/strong><\/p>\n\n\n\n

\u53c2\u8003\u7684\u6587\u7ae02019\uff0c\u65f6\u95f4\u4e45\u8fdc\uff0c\u6709\u90e8\u5206\u4f9d\u8d56\u5df2\u7ecf\u5347\u7ea7<\/p>\n\n\n\n

        <dependency>\n            <groupId>org.ow2.asm<\/groupId>\n            <artifactId>asm<\/artifactId>\n            <version>9.7.1<\/version>\n        <\/dependency>\n        <dependency>\n            <groupId>org.ow2.asm<\/groupId>\n            <artifactId>asm-commons<\/artifactId>\n            <version>9.7.1<\/version> \n        <\/dependency><\/pre>\n\n\n\n
\u540c\u65f6\uff0c\u4fee\u6539\u6587\u7ae0\u4e2d\u7684TestClassVistor<\/p>\n\n\n\n
import org.objectweb.asm.ClassVisitor;\nimport org.objectweb.asm.Label;\nimport org.objectweb.asm.MethodVisitor;\nimport org.objectweb.asm.Opcodes;\nimport org.objectweb.asm.commons.AdviceAdapter;\n\npublic class TestClassVisitor extends ClassVisitor implements Opcodes {\n\n    public TestClassVisitor(ClassVisitor cv) {\n        super(Opcodes.ASM5, cv);\n    }\n\n    @Override\n    public MethodVisitor visitMethod(int access, String name, String desc, String signature, String[] exceptions) {\n        MethodVisitor mv = super.visitMethod(access, name, desc, signature, exceptions);\n\n        if (\"start\".equals(name) && \"()Ljava\/lang\/Process;\".equals(desc)) {\n            System.out.println(name + \"\u65b9\u6cd5\u7684\u63cf\u8ff0\u7b26\u662f\uff1a\" + desc);\n\n            return new AdviceAdapter(Opcodes.ASM5, mv, access, name, desc) {\n                @Override\n                public void visitCode() {\n                    \/\/ \u8fd9\u91cc\u4f7f\u7528 AdviceAdapter \u81ea\u8eab\u7684\u65b9\u6cd5\u6765\u64cd\u4f5c\u5b57\u8282\u7801\uff0c\u907f\u514d\u76f4\u63a5\u4f7f\u7528 mv\n                    this.visitVarInsn(ALOAD, 0);\n                    this.visitFieldInsn(GETFIELD, \"java\/lang\/ProcessBuilder\", \"command\", \"Ljava\/util\/List;\");\n                    this.visitMethodInsn(INVOKESTATIC, \"cn\/org\/javaweb\/agent\/ProcessBuilderHook\", \"start\", \"(Ljava\/util\/List;)Z\", false);\n                    Label l1 = new Label();\n                    this.visitLabel(l1);\n                    super.visitCode();\n                }\n            };\n        }\n        return mv;\n    }\n}<\/pre>\n\n\n\n
0x03 \u9879\u76ee\u7ed3\u6784<\/h2>\n\n\n\n
\u6574\u4e2a\u9879\u76ee\u5206\u4e3a2\u4e2a\u90e8\u5206\uff0cagent\u548cWeb\u3002
agent \u540e\u7eed\u8ba1\u5212\u662f\u7528\u4e8e\u68c0\u6d4b\u653b\u51fb\uff0c\u4fee\u6539\u5b57\u8282\u7801\u7b49\u64cd\u4f5c\u3002
Web\u642d\u5efa\u4e00\u4e9bCVE\u6f0f\u6d1e\u7684\u9776\u573a\uff0c\u76ee\u524d\u5df2\u7ecf\u52a0\u5165\u4e86log4j2\u3002<\/p>\n\n\n\n
Web\u4e2d\u76ee\u524d\u4e0d\u8ba1\u5212\u52a0\u5165\u7684\uff1a
XSS\u3001SQL\uff0c
\u539f\u56e0\uff1a
1\u3001\u901a\u8fc7\u68c0\u6d4b\u662f\u5426\u8c03\u7528JDBC\u7c7b\u6216\u8005\u5176\u4ed6\u6570\u636e\u5e93\u76f8\u5173\u7c7b\uff0c\u6765\u963b\u65adSQL\u6ce8\u5165\uff0c\u4e0d\u73b0\u5b9e\uff1b
2\u3001\u5982\u679c\u662f\u901a\u8fc7\u6b63\u5219\u53bb\u5224\u65ad\uff0c\u4e0d\u5982\u4f7f\u7528WAF\uff1b
3\u3001\u4e2a\u4eba\u8ba4\u4e3aRASP\u4e0d\u80fd\u4f5c\u4e3a\u552f\u4e00\u7684\u9632\u62a4\u624b\u6bb5\uff1aa.Rasp\u505a\u4e0d\u4e86\u6297D\uff0cb.\u76ee\u524d\u901a\u8fc7\u6b63\u5219\u7b49\u65b9\u5f0f\u62e6\u622aSQL\u3001\u4fe1\u606f\u6cc4\u9732\u8bef\u62a5\u7387\u8f83\u9ad8\uff0c\u4e14\u6570\u91cf\u8f83\u591a\uff0c\u4ece\u4fee\u6539\u7b56\u7565\u3001\u670d\u52a1\u5668\u8d1f\u8f7d\u7b49\u65b9\u9762\u6765\u770bwaf\u66f4\u5bb9\u6613\uff0cc.\u5982\u679c\u9632\u62a4\u8bbe\u5907\u51fa\u73b0\u95ee\u9898\uff0cwaf\u7684\u90e8\u7f72\u8c03\u6574\u66f4\u5bb9\u6613\u3002<\/p>\n\n\n\n
\u251c\u2500agent\n\u2502  \u251c\u2500src\n\u2502  \u2502  \u251c\u2500main\n\u2502  \u2502  \u2502  \u251c\u2500java\n\u2502  \u2502  \u2502  \u2502  \u2514\u2500cn\n\u2502  \u2502  \u2502  \u2502      \u2514\u2500JavaStudy\n\u2502  \u2502  \u2502  \u2502          \u2514\u2500Rasp\n\u2502  \u2502  \u2502  \u2502              \u2514\u2500agent\n\u2502  \u2502  \u2502  \u2514\u2500resources\n\u2502  \u2502  \u2502      \u2514\u2500META-INF\n\u2502  \u2502  \u2514\u2500test\n\u2502  \u2502      \u2514\u2500java\n\u2502  \u2514\u2500target\n\u2502      \u251c\u2500classes\n\u2502      \u2502  \u251c\u2500cn\n\u2502      \u2502  \u2502  \u2514\u2500JavaStudy\n\u2502      \u2502  \u2502      \u2514\u2500Rasp\n\u2502      \u2502  \u2502          \u2514\u2500agent\n\u2502      \u2502  \u2514\u2500META-INF\n\u2502      \u251c\u2500generated-sources\n\u2502      \u2502  \u2514\u2500annotations\n\u2502      \u251c\u2500generated-test-sources\n\u2502      \u2502  \u2514\u2500test-annotations\n\u2502      \u251c\u2500maven-archiver\n\u2502      \u251c\u2500maven-status\n\u2502      \u2502  \u2514\u2500maven-compiler-plugin\n\u2502      \u2502      \u251c\u2500compile\n\u2502      \u2502      \u2502  \u2514\u2500default-compile\n\u2502      \u2502      \u2514\u2500testCompile\n\u2502      \u2502          \u2514\u2500default-testCompile\n\u2502      \u2514\u2500test-classes\n\u2514\u2500Web\n    \u251c\u2500src\n    \u2502  \u251c\u2500main\n    \u2502  \u2502  \u251c\u2500java\n    \u2502  \u2502  \u2502  \u2514\u2500Cve\n    \u2502  \u2502  \u2502      \u2514\u2500Log4j2\n    \u2502  \u2502  \u251c\u2500resources\n    \u2502  \u2502  \u2514\u2500webapp\n    \u2502  \u2502      \u2514\u2500WEB-INF\n    \u2502  \u2514\u2500test\n    \u2502      \u2514\u2500java\n    \u2514\u2500target\n        \u251c\u2500archive-tmp\n        \u251c\u2500classes\n        \u2502  \u2514\u2500Cve\n        \u2502      \u2514\u2500Log4j2\n        \u251c\u2500generated-sources\n        \u2502  \u2514\u2500annotations\n        \u251c\u2500maven-archiver\n        \u251c\u2500maven-status\n        \u2502  \u2514\u2500maven-compiler-plugin\n        \u2502      \u251c\u2500compile\n        \u2502      \u2502  \u2514\u2500default-compile\n        \u2502      \u2514\u2500testCompile\n        \u2502          \u2514\u2500default-testCompile\n        \u2514\u2500web\n            \u251c\u2500META-INF\n            \u2514\u2500WEB-INF\n                \u251c\u2500classes\n                \u2502  \u2514\u2500Cve\n                \u2502      \u2514\u2500Log4j2\n                \u2514\u2500lib\n<\/pre>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
0x01 \u73af\u5883\u642d\u5efa \u53c2\u8003\u4e00\u4e0b\u6587\u7ae0 \u6d45\u8c08RASP\u6280\u672f\u653b\u9632\u4e4b\u5b9e\u6218[\u73af\u5883\u914d\u7f6e\u7bc7]-\u5148\u77e5\u793e\u533a RASP\u4ece0\u52301-\u5148\u77e5\u793e […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1063","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/posts\/1063","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/comments?post=1063"}],"version-history":[{"count":4,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/posts\/1063\/revisions"}],"predecessor-version":[{"id":1082,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/posts\/1063\/revisions\/1082"}],"wp:attachment":[{"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/media?parent=1063"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/categories?post=1063"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/tags?post=1063"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}