编写struts漏洞、Java反序列化的suricata规则-测试(9004216-9004234)
1.Struts OGNL注入
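# Test driver for the Struts OGNL-injection Suricata rules (SID 9004221-9004234).
#
# Procedure from the write-up:
#   1. ELK host, start a listener that discards whatever it receives:
#        nc -lkvp 80 >/dev/null
#   2. Suricata host, send the requests (run this script).
#   3. Linux host, count the alerts:
#        grep -oP '(?<=\[).*(?=\])' fast.log | sort | uniq -c | sort -nr
#   4. ELK host, query the alerts:
#        event_type : "alert" and alert.signature_id >= 9004221 and alert.signature_id <= 9004234
import socket
import time

DST_IP = "10.10.10.1"   # the nc sink from step 1
DST_PORT = 80
TIMEOUT = 2.0           # seconds, applied to connect() and recv()

# (expected SID, request body). Each body is only the fragment the matching
# rule is expected to key on (the rules themselves are not shown here); the
# ?sid= query tag ties the resulting alert back to its case in fast.log.
CASES = [
    ("9004221", '${java.lang.Runtime@getRuntime().exec("id")'),
    ("9004222", '${java.lang.Runtime%40getRuntime().exec("id")'),
    ("9004223", '${java.lang.Runtime%2540getRuntime().exec("id")'),
    ("9004224", '${java.lang.Runtime%u0040getRuntime().exec("id")'),
    ("9004225", '${java.lang.ProcessBuilder("sh","-c","id").start'),
    ("9004226", '${ScriptEngineManager.getEngineByName("js")'),
    ("9004227", '${ScriptEngineManager.eval("1+1")'),
    ("9004228", '${Class.forName("java.lang.Runtime")'),
    ("9004229", '${getMethod("exec")'),
    ("9004230", '${invoke("id")'),
    ("9004231", '${java.io.FileOutputStream.write sun.misc.BASE64Decoder'),
    ("9004232", '${java.io.FileOutputStream.write java.util.Base64'),
    ("9004233", '${java.nio.file.Files.write sun.misc.BASE64Decoder'),
    ("9004234", '${java.nio.file.Files.write java.util.Base64'),
]


def build_request(tag: str, payload: str) -> bytes:
    """Return the raw HTTP/1.1 POST that carries *payload* for case *tag*.

    The body is encoded before the header is built so Content-Length counts
    bytes rather than characters; computing it on the str would be wrong for
    any non-ASCII payload.
    """
    body = payload.encode("utf-8", errors="ignore")
    head = (
        f"POST /test?sid={tag} HTTP/1.1\r\n"
        f"Host: {DST_IP}\r\n"
        "User-Agent: ognl-test\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    ).encode("utf-8")
    return head + body


def send_one(tag: str, payload: str) -> None:
    """Send one case to DST_IP:DST_PORT and wait briefly for any reply.

    The reply is irrelevant (the listener is a sink); recv() only gives the
    request time to be fully delivered before the socket is closed. The
    context manager closes the socket even when connect()/sendall() raise.
    """
    with socket.create_connection((DST_IP, DST_PORT), timeout=TIMEOUT) as s:
        s.sendall(build_request(tag, payload))
        try:
            s.recv(1024)
        except OSError:
            # socket.timeout is an OSError; a reset from the sink is too.
            pass


if __name__ == "__main__":
    for sid, payload in CASES:
        print(f"[*] sending SID {sid}")
        send_one(sid, payload)
        time.sleep(1.0)  # pace the cases one per second
    print("[*] done")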
2.Java 反序列化
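# Test driver for the Java-deserialization Suricata rules (SID 9004237-9004250).
#
# Procedure from the write-up:
#   1. ELK host, start a listener that discards whatever it receives:
#        nc -lkvp 80 >/dev/null
#   2. Suricata host, send the payloads (run this script).
#   3. Linux host, count the alerts:
#        grep -oP '(?<=\[).*(?=\])' fast.log | sort | uniq -c | sort -nr
#   4. ELK host, query the alerts:
#        (event.type: "alert" or event_type: "alert") and alert.signature_id >= 9004237 and alert.signature_id <= 9004250
import socket
import time

DST_IP = "10.10.10.1"   # the nc sink from step 1
DST_PORT = 80
TIMEOUT = 2.0           # seconds, applied to connect() and recv()
ACED = b"\xAC\xED\x00\x05"  # Java serialization stream header (magic + version)


def http_post(path: bytes, content_type: bytes, body: bytes) -> bytes:
    """Return a raw HTTP/1.1 POST to *path* carrying *body* as *content_type*.

    Content-Length is derived from the body so every request is well-formed.
    A hard-coded length larger than the body (the hessian/AMF/protobuf cases
    declared 40 for a 23- or 29-byte body) leaves the HTTP parser waiting for
    bytes that never arrive, which can delay or change how the body is
    inspected.
    """
    return b"".join([
        b"POST ", path, b" HTTP/1.1\r\n",
        b"Host: ", DST_IP.encode("ascii"), b"\r\n",
        b"Content-Type: ", content_type, b"\r\n",
        b"Content-Length: ", str(len(body)).encode("ascii"), b"\r\n",
        b"\r\n",
        body,
    ])


def send_raw(payload: bytes) -> None:
    """Send *payload* as-is to DST_IP:DST_PORT and wait briefly for a reply.

    The reply is irrelevant (the listener is a sink); recv() only gives the
    payload time to be fully delivered before the socket is closed. The
    context manager closes the socket even when connect()/sendall() raise.
    """
    with socket.create_connection((DST_IP, DST_PORT), timeout=TIMEOUT) as s:
        s.sendall(payload)
        try:
            s.recv(1024)
        except OSError:
            # socket.timeout is an OSError; a reset from the sink is too.
            pass


# (expected SID, raw bytes). Each payload is only the fragment the matching
# rule is expected to key on (the rules themselves are not shown here).
cases = [
    # Triggers 9004237 and 9004239-9004245: stream header + gadget class name.
    ("9004237", ACED + b"xxxx commons.collections yyyy"),
    ("9004239", ACED + b"xxxx org.apache.commons.beanutils yyyy"),
    ("9004240", ACED + b"xxxx com.mchange.v2.c3p0 yyyy"),
    ("9004241", ACED + b"xxxx TemplatesImpl yyyy"),
    ("9004242", ACED + b"xxxx com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl yyyy"),
    ("9004243", ACED + b"xxxx javax.management.BadAttributeValueExpException yyyy"),
    ("9004244", ACED + b"xxxx org.codehaus.groovy.runtime yyyy"),
    ("9004245", ACED + b"xxxx org.springframework yyyy"),
    # Triggers 9004238: base64 stream marker + base64('commons.collections').
    ("9004238", b"rO0AB" + b"xxxx jb21tb25zLmNvbGxlY3Rpb25z yyyy"),
    # Triggers 9004246: HTTP entry, Content-Type + ACED within the first 4000 bytes.
    ("9004246", http_post(b"/", b"application/x-java-serialized-object", ACED + b"ABCD")),
    # Triggers 9004247/9004248: hessian Content-Type + gadget string.
    ("9004247", http_post(b"/h", b"application/x-hessian", b"xxxx commons.collections yyyy")),
    ("9004248", http_post(b"/h", b"application/x-hessian", b"xxxx TemplatesImpl yyyy")),
    # Triggers 9004249: AMF Content-Type + commons.collections.
    ("9004249", http_post(b"/a", b"application/x-amf", b"xxxx commons.collections yyyy")),
    # Triggers 9004250: protobuf Content-Type + commons.collections.
    ("9004250", http_post(b"/p", b"application/x-protobuf", b"xxxx commons.collections yyyy")),
]


if __name__ == "__main__":
    for sid, payload in cases:
        print(f"[*] sending case for SID {sid}")
        send_raw(payload)
        time.sleep(1.0)  # pace the cases one per second
    print("[*] done")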
