Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,19 @@ | ||
# cve-2022-42889-intercept | ||
### cve-2022-42889-intercept | ||
|
||
通过 jvm 启动参数 以及 jps pid进行拦截非法参数 | ||
|
||
|
||
#### quick start | ||
|
||
|
||
```bash | ||
|
||
-----------------------load...... | ||
cve-2022-42889 check start | ||
cve-2022-42889 is_deep_match org.apache.commons.text.StringSubstitutor | ||
md.getReturnType().getActualName() java.lang.String | ||
[cve-2022-42899] class found!: class org.apache.commons.text.StringSubstitutor | ||
(StringSubstitutor replace disabled) | ||
[CVE 2022-42889] StringSubstitutorclass org.apache.commons.text.StringSubstitutor: (sanitized) PoC Output: %_script:javascript:195 + 324_ | ||
by arksec.cn | ||
``` |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,88 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<project xmlns="http://maven.apache.org/POM/4.0.0" | ||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> | ||
<modelVersion>4.0.0</modelVersion> | ||
|
||
<groupId>org.example</groupId> | ||
<artifactId>CVE-2022-42889-Agent</artifactId> | ||
<version>1.0-SNAPSHOT</version> | ||
|
||
<properties> | ||
<maven.compiler.source>19</maven.compiler.source> | ||
<maven.compiler.target>19</maven.compiler.target> | ||
</properties> | ||
<dependencies> | ||
<!-- https://mvnrepository.com/artifact/net.bytebuddy/byte-buddy --> | ||
<dependency> | ||
<groupId>net.bytebuddy</groupId> | ||
<artifactId>byte-buddy</artifactId> | ||
<version>1.12.18</version> | ||
</dependency> | ||
<dependency> | ||
<groupId>org.apache.commons</groupId> | ||
<artifactId>commons-text</artifactId> | ||
<version>1.9</version> | ||
</dependency> | ||
</dependencies> | ||
|
||
<build> | ||
<plugins> | ||
<plugin> | ||
<groupId>org.apache.maven.plugins</groupId> | ||
<artifactId>maven-dependency-plugin</artifactId> | ||
<executions> | ||
<execution> | ||
<id>copy-dependencies</id> | ||
<phase>package</phase> | ||
<goals> | ||
<goal>copy-dependencies</goal> | ||
</goals> | ||
<configuration> | ||
<outputDirectory>${project.build.directory}/lib</outputDirectory> | ||
<overWriteReleases>false</overWriteReleases> | ||
<overWriteSnapshots>false</overWriteSnapshots> | ||
<overWriteIfNewer>true</overWriteIfNewer> | ||
</configuration> | ||
</execution> | ||
</executions> | ||
</plugin> | ||
<plugin> | ||
<artifactId>maven-assembly-plugin</artifactId> | ||
<configuration> | ||
<archive> | ||
<manifest> | ||
<addClasspath>true</addClasspath> | ||
</manifest> | ||
<manifestEntries> | ||
<Premain-Class>cn.arksec.java.agent.PreMain</Premain-Class> | ||
<Can-Redefine-Classes>true</Can-Redefine-Classes> | ||
<Can-Retransform-Classes>true</Can-Retransform-Classes> | ||
<Can-Set-Native-Method-Prefix>true</Can-Set-Native-Method-Prefix> | ||
</manifestEntries> | ||
</archive> | ||
<descriptorRefs> | ||
<descriptorRef>jar-with-dependencies</descriptorRef> | ||
</descriptorRefs> | ||
</configuration> | ||
<executions> | ||
<execution> | ||
<id>make-assembly</id> | ||
<phase>package</phase> | ||
<goals> | ||
<goal>single</goal> | ||
</goals> | ||
</execution> | ||
</executions> | ||
</plugin> | ||
<plugin> | ||
<groupId>org.apache.maven.plugins</groupId> | ||
<artifactId>maven-compiler-plugin</artifactId> | ||
<configuration> | ||
<source>1.8</source> | ||
<target>1.8</target> | ||
</configuration> | ||
</plugin> | ||
</plugins> | ||
</build> | ||
</project> |
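Review bot: The `commons-text` 1.9 dependency has the default compile scope, so the `jar-with-dependencies` assembly packs a release affected by CVE-2022-42889 into the agent jar, and a `-javaagent` jar is appended to the target JVM's class path. If the hooks only match `org.apache.commons.text.StringSubstitutor` in the instrumented application (the hook code is not visible here), drop the dependency or mark it `<scope>provided</scope>` so the mitigation does not ship the code it is meant to guard. Separately, the `maven.compiler.source`/`target` properties say 19 while the `maven-compiler-plugin` configuration says 1.8. The plugin configuration takes precedence, so remove one of the two to keep the intended bytecode level unambiguous.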
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
package cn.arksec.java.agent; | ||
|
||
import cn.arksec.java.agent.hooks.Cve202242889; | ||
|
||
import java.lang.instrument.Instrumentation; | ||
|
||
import java.util.HashMap; | ||
|
||
/** | ||
* @auther firsh.me | ||
* @2022-10-210 | ||
*/ | ||
@SuppressWarnings("unused") | ||
public class Agent { | ||
|
||
public static void load(String _args, Instrumentation inst) { | ||
System.out.println("-----------------------load......"); | ||
boolean deep_match = true; | ||
|
||
try { | ||
HashMap<String, String> args = new HashMap<String, String>(); | ||
if (_args != null && !"".equals(_args)) { | ||
String[] pairs = _args.split("$"); | ||
for (String pair : pairs) { | ||
int epos = pair.indexOf("="); | ||
if (epos == -1) { | ||
System.err.println("[cve-2022-42889] ignoring invalid agent argument: " + pair); | ||
continue; | ||
} | ||
String k = pair.substring(0, epos); | ||
String v = pair.substring(epos + 1, pair.length()); | ||
if (v.indexOf("=") != -1) { | ||
System.err.println("[cve-2022-42889] ignoring invalid agent argument: " + pair); | ||
continue; | ||
} | ||
args.put(k, v); | ||
} | ||
|
||
String structureMatch = null; | ||
if (args.containsKey("structureMatch")) { | ||
structureMatch = args.get("structureMatch"); | ||
} else { | ||
structureMatch = "1"; | ||
} | ||
if ("0".equals(structureMatch)) { | ||
deep_match = false; | ||
} else if (!"1".equals(structureMatch)) { | ||
System.err.println("[cve-2022-42889] ignoring invalid structureMatch argument: " + structureMatch); | ||
} | ||
} | ||
|
||
if (deep_match) { | ||
Cve202242889.hook_deep_match(inst); | ||
} else { | ||
Cve202242889.hook(inst); | ||
} | ||
} catch (Throwable t) { | ||
System.err.println("[cve-2022-42889] Exception raised in agent."); | ||
t.printStackTrace(); | ||
} | ||
} | ||
} |
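Review bot: `_args.split("$")` in `load` never splits the option string, because `String.split` takes a regular expression and an unescaped `$` is the end-of-input anchor. With more than one option the whole string becomes a single pair, its value contains `=`, and it is rejected with the "ignoring invalid agent argument" message, so a `structureMatch=0` passed alongside another option is dropped and the default deep match stays in force. Use `String[] pairs = _args.split("\\$");` (or `Pattern.quote("$")`). The `catch (Throwable t)` also lets the JVM continue unhooked with only a stderr line, so a comment stating that the agent fails open, and how an operator can confirm the hook was installed, would help anyone relying on it as a mitigation.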