Problem notes

A record of a problem I dealt with recently.

The problem: there are two Tomcat applications; call the first one system A. It provides the user and permission modules for our system. Some Tomcat vulnerabilities were found by the scan during testing. The tester said that because the software requirements state that all connections must be HTTPS, and system A currently uses HTTP, Tomcat could be switched to HTTPS. But system A had earlier passed the Level 3 test of the Chinese Academy of Electrical Engineering, so many restrictions had been added to it, and I don't know anyone on its project team, so I had to find a way by myself.

My first thought was to use nginx to turn system A's HTTP into HTTPS. That is not hard; after a while I had nginx configured for the redirect (the Windows version of the configuration file cannot be used for the Linux configuration, and do not use the default port for the redirect...). But when I entered the login address there was no error, just a blank page. I looked at the backend and found that the logs printed there said the address was illegal. This is because system A has a whitelist restriction. I had to open the jar with a compression tool and modify its configuration information, adding an ip:port (the nginx IP and its listening port must be configured as well, because when nginx is used as a proxy the server address the application sees becomes nginx's IP and port). I entered the login address again, and again there was no error, just a blank page. I looked at the backend and found that the log said the request header contained an illegal field...

I had recently been using a decompiler tool to troubleshoot problems, so I wanted to look at its source code. First I had to find out whether the check sits in a filter or an interceptor. I opened the webapp program under Tomcat with the decompiler; it is mostly connection information, but there is a jar inside, and after opening that with the decompiler I finally found it, so this was partly luck... When you write programs yourself you can add some obfuscation; otherwise the class name makes it easy to guess what it does. It is the following:

This is the whitelist check. It looks at the combined whitelist; if the check is true, it breaks out of the current method, meaning the request is not allowed to continue. Don't worry about this one; look further down.

That's it. I don't know what information it carries in the header. Okay, change its source code and remove the return.


Compiling it with javac kept reporting errors. How to get this to work? I thought of building it with the development tools: first put the original jar under lib, create a path with the same package name as that class, create a .java file in that path and copy the contents of the class file into it,

and remove the return.

Package it, open it with the decompression tool, and overwrite the class file in its place in system A.
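As an added example, not code from system A (which only appeared in screenshots) and not from the original post, here is a hypothetical servlet filter showing the alternative to deleting the return: the proxy's ip:port is added to the whitelist, and forwarding headers (the likely "illegal field") are honoured only when the TCP peer is that proxy. The class name, header names and addresses are constructed assumptions, and a Servlet 4.0+ API is assumed so that init/destroy have defaults.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter, not the A system's class. Addresses are constructed RFC 5737 values.
public class ProxyAwareWhitelistFilter implements Filter {
    // "ip:port" values the request may be addressed to. With nginx in front, the server
    // address the app sees becomes nginx's IP and listening port, so nginx is listed here.
    private static final Set<String> ALLOWED_SERVER_ADDRESSES =
            Set.of("192.0.2.10:443", "198.51.100.5:8080");
    // Only this peer may set forwarding headers; from anyone else they are rejected.
    private static final Set<String> TRUSTED_PROXIES = Set.of("192.0.2.10");
    private static final Set<String> FORWARDING_HEADERS =
            Set.of("X-Forwarded-For", "X-Forwarded-Proto");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. Address whitelist, derived from the Host header nginx forwards.
        String serverAddress = request.getServerName() + ":" + request.getServerPort();
        if (!ALLOWED_SERVER_ADDRESSES.contains(serverAddress)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "illegal address");
            return; // the check stays; the proxy is whitelisted instead of removing it
        }

        // 2. Header check: forwarding headers are accepted only when the peer is nginx.
        String peer = request.getRemoteAddr();
        for (String name : FORWARDING_HEADERS) {
            if (request.getHeader(name) != null && !TRUSTED_PROXIES.contains(peer)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "illegal header field: " + name);
                return;
            }
        }

        // 3. Resolve the original client address for downstream logging and permission checks.
        String forwardedFor = request.getHeader("X-Forwarded-For");
        String clientIp = forwardedFor == null ? peer : forwardedFor.split(",")[0].trim();
        request.setAttribute("clientIp", clientIp);
        chain.doFilter(req, res);
    }
}
```

The matching nginx side must set the Host header to the whitelisted ip:port and add X-Forwarded-For, otherwise step 1 rejects the request exactly as the blank login page did.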

At this point I logged in to the HTTPS address of the nginx proxy and the page was displayed. But that is only the display: when other system calls are made, HTTPS reports an error and the session times out. So enable the firewall on Linux.

This is my note: add the port and enable the firewall. By default port 22 is open. Add another whitelist rule:

firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=10.126.109.121 port port=9000 protocol=tcp accept'

This firewall command only lets this IP through on this port, so what I added only allows the application server to reach this service. Okay, restart the firewall.

And that's it.


Source: blog.csdn.net/liuno0/article/details/106744249