请教一个问题：自己写了一个简单的hook，当请求靶机的时候，hook那边并没打印日志。还有，2群满了
yangdonbin opened this issue · 0 comments
yangdonbin commented
hook代码
package com.baidu.openrasp.hook.ldap;
import com.baidu.openrasp.hook.AbstractClassHook;
import com.baidu.openrasp.plugin.checker.CheckParameter;
import com.baidu.openrasp.tool.annotation.HookAnnotation;
import javassist.CannotCompileException;
import javassist.CtClass;
import javassist.NotFoundException;
import org.apache.log4j.Logger;
import java.io.IOException;
import java.util.HashMap;
import static com.baidu.openrasp.HookHandler.doCheck;
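/**
 * Hook for LDAP queries issued through the JDK's {@code InitialDirContext}.
 *
 * <p>Instruments {@code search(String, String, SearchControls)} so that the search filter is
 * handed to the checker before the query is sent. Only this one overload is instrumented; the
 * {@code Name}-based, {@code Attributes}-based and {@code filterArgs} overloads of
 * {@code search} are not covered by this hook.
 */
@HookAnnotation
public class LdapHook extends AbstractClassHook {
    public static final Logger LOGGER = Logger.getLogger(LdapHook.class.getName());

    /**
     * JVM descriptor of {@code search(String name, String filter, SearchControls cons)}.
     * {@code NamingEnumeration} lives in {@code javax.naming}, not {@code java.util}; with the
     * wrong return type the descriptor matches no method and nothing is instrumented.
     */
    private static final String SEARCH_DESC =
            "(Ljava/lang/String;Ljava/lang/String;Ljavax/naming/directory/SearchControls;)"
                    + "Ljavax/naming/NamingEnumeration;";

    /**
     * Decides whether this hook applies to a class.
     *
     * @param className class name in internal (slash-separated) form
     * @return {@code true} only for {@code javax/naming/directory/InitialDirContext}
     */
    @Override
    public boolean isClassMatched(String className) {
        // Debug output only. NOTE(review): presumably called for every class the agent
        // inspects, so this line is very noisy - remove once the hook is confirmed working.
        System.out.println("className: " + className);
        // JDK standard library class
        if ("javax/naming/directory/InitialDirContext".equals(className)) {
            LOGGER.info("--------------------------------------------------------1");
            return true;
        }
        return false;
    }

    /**
     * @return the hook type identifier, {@code "ldap"}
     */
    @Override
    public String getType() {
        LOGGER.info("--------------------------------------------------------2");
        return "ldap";
    }

    /**
     * Inserts a call to {@link #checkLdapInjection(Object)} at the start of the matched
     * {@code search} method.
     *
     * @param ctClass the Javassist view of the matched class
     */
    @Override
    protected void hookMethod(CtClass ctClass) throws IOException, CannotCompileException, NotFoundException {
        LOGGER.info("--------------------------------------------------------3");
        // In Javassist source, $0 is `this` and $1..$n are the method arguments. The filter
        // string is the second argument of search(name, filter, cons), so pass $2; passing
        // $0 would hand the context object itself to the checker instead of the query.
        String src = getInvokeStaticSrc(LdapHook.class, "checkLdapInjection", "$2", Object.class);
        insertBefore(ctClass, "search", SEARCH_DESC, src);
    }

    /**
     * Entry point called from the instrumented {@code search} method.
     *
     * @param userInput the LDAP filter about to be executed; placed under the key
     *                  {@code "query"} in the parameters passed to the checker
     */
    public static void checkLdapInjection(Object userInput) {
        LOGGER.info("--------------------------------------------------------4");
        HashMap<String, Object> params = new HashMap<String, Object>();
        params.put("query", userInput);
        // Debug output only: this writes the raw filter (attacker-influenced, possibly
        // sensitive) to stdout. Drop it outside a lab setup.
        System.out.println("userInput: " + userInput);
        // NOTE(review): assumes CheckParameter.Type.LDAP exists and has a checker registered
        // for it - confirm, otherwise the hook fires but nothing is evaluated.
        doCheck(CheckParameter.Type.LDAP, params);
    }
}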
靶机代码
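/**
 * Test-target endpoint: looks up LDAP entries whose {@code uid} matches the request body and
 * prints each entry's {@code cn} to stdout.
 *
 * <p>This handler is the target used to exercise the LDAP hook, so the filter is built by
 * plain string substitution and is injectable. Code that is not a test target should call
 * {@code search(String, String, Object[], SearchControls)} with a <code>{0}</code> placeholder
 * so the argument is escaped, and should bind with a least-privilege account rather than the
 * directory admin.
 *
 * @param model  MVC model (unused here)
 * @param search raw request body, substituted into the filter unescaped
 * @return {@code "search is not null"} when the body is null or empty, else {@code "post search"}
 */
@PostMapping("/search")
public String search(Model model, @RequestBody String search) {
    if (search == null || search.isEmpty()) {
        return "search is not null";
    }
    System.out.println("-------------------------------------------------");
    System.out.println(getTime());
    // Lab diagnostics: echoes the raw request body to stdout.
    System.out.println("search: " + search);

    // Lab-only values. Hard-coded credentials and simple bind over plain ldap:// send the
    // password in clear text; outside a test network, load the secret from configuration
    // and use ldaps:// or StartTLS.
    String ldapURL = "ldap://192.168.10.72:389";
    String adminDN = "cn=admin,dc=ydb,dc=com";
    String adminPassword = "123456";

    // LDAP connection properties
    Hashtable<String, String> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, ldapURL);
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, adminDN);
    env.put(Context.SECURITY_CREDENTIALS, adminPassword);

    try {
        // Connect to the LDAP server
        DirContext context = new InitialDirContext(env);
        try {
            System.out.println("LDAP连接成功");

            String baseDN = "dc=ydb,dc=com";
            // Intentionally unescaped substitution (see method comment).
            String filter = "(uid=$)";
            filter = filter.replace("$", search);
            System.out.println("filter: " + filter);
            System.out.println("-------------------------------------------------");

            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> results = context.search(baseDN, filter, controls);

            // Walk the result set and print each entry's cn value
            while (results.hasMore()) {
                SearchResult result = results.next();
                Attributes attributes = result.getAttributes();
                Attribute cnAttribute = attributes.get("cn");
                if (cnAttribute == null) {
                    // Entry has no cn attribute; skip it instead of failing with an NPE.
                    continue;
                }
                String cnValue = (String) cnAttribute.get();
                System.out.println("CN: " + cnValue);
            }
        } finally {
            // Close in finally so the connection is released even when the search or the
            // result iteration throws.
            context.close();
        }
    } catch (NamingException e) {
        System.err.println("LDAP连接失败: " + e.getMessage());
    }
    return "post search";
}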