Hiding command-line parameters when deploying a jar package on Linux

A recent security inspection of the project found that the database password and the Redis password in the configuration file were still stored in plain text,
so I wrote an article: SpringBoot integrates jasypt to encrypt the yml configuration file: https://blog.csdn.net/qq_38254635/article/details/132026841
The process was quite tortuous, and I kept hitting this error: Failed to bind properties under 'spring.datasource.password' to java.lang.String
So I wrote another article: https://blog.csdn.net/qq_38254635/article/details/132027639

With everything configured, I found a fatal problem: ps -ef | grep java clearly shows the secret key, so it is cracked!

1. Background requirements

1. Do not change any code.
2. Hide the configuration parameters in the nohup startup command.

2. Research

Most of the approaches follow a C-style idea: the configuration parameters are copied into memory in advance, and at startup the pointers are redirected to that copy, which hides the parameters.
I learned the technique from this link: https://zhuanlan.zhihu.com/p/610215116?utm_id=0

3. Implementing the hiding library

Create a new directory

cd /
mkdir test
cd test

3.1. Test program test.c

Add the test file

touch test.c

Test program: test.c

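#include <stdio.h>

int main(int argc,char **argv){
	int i;
	printf("argc=%d\n",argc);
	/* print only the arguments that were actually passed */
	for(i = 0;i < argc;i++){
		printf("argv[%d]=%s\n",i,argv[i]);
	}
	/* wait for input so the process stays alive and can be inspected with ps */
	getchar();
	return 0;
}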

Compile the test program

gcc test.c

Run the test program

./a.out 123 456

View the process

ps -ef

The process listing shows that the command-line arguments of a program started this way are printed directly by the ps command.
All that remains is to hide the arguments that follow the program name.

3.2. Build the hiding library

Hiding library program hide.c

touch hide.c

Write the code for hide.c

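#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The program's real main(), saved so that mymain() can call it. */
int (*main_bak) (int, char **, char **);

/*
 * Back up the memory that every argv entry points to, overwrite the
 * original with "*", then point the argv pointers at the backup copies.
 */
static int mymain(int argc, char **argv, char **env) {
	int ret = 0, i = 0;
	size_t len = 0;
	char **argvbak = NULL;
	if (argc > 1) {
		argvbak = (char **)calloc(argc, sizeof(char *));
		for (i = 1; argvbak != NULL && i < argc; i++) {
			len = strlen(argv[i]);
			/* len + 1: leave room for the terminating NUL */
			argvbak[i] = (char *)calloc(len + 1, sizeof(char));
			if (argvbak[i] == NULL)
				continue;	/* out of memory: this argument is left unmasked */
			strcpy(argvbak[i], argv[i]);
			/* writes "*" and NUL-pads the rest of the original string */
			strncpy(argv[i], "*", len);
			argv[i] = argvbak[i];
		}
	}
	ret = main_bak(argc, argv, env);
	if (argvbak != NULL) {
		for (i = 1; i < argc; i++) {
			free(argvbak[i]);
		}
		free(argvbak);
	}
	return ret;
}

/* Pointer to the real __libc_start_main in libc. */
int (*__next_libc_start_main)(int (*main)(int, char **, char **),
	    int argc,
	    char **argv,
	    void (*init) (void),
	    void (*fini) (void),
	    void (*_fini) (void),
	    void (*stack_end));

/*
 * Interposed through LD_PRELOAD: runs in place of libc's __libc_start_main
 * and hands it mymain() instead of the program's real main().
 */
int __libc_start_main(int (*main)(int, char **, char **),
		     int argc, char **argv,
		     void (*init)(void),
		     void (*fini)(void),
		     void (*_fini)(void),
		     void (*stack_end))
{
	__next_libc_start_main = dlsym(RTLD_NEXT, "__libc_start_main");
	main_bak = main;
	return __next_libc_start_main(mymain, argc, argv, init, fini, _fini, stack_end);
}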

Compile hide.c

gcc -O2 -fPIC -shared -o hide.so hide.c -ldl


3.3. Verification

Run the program with parameter hiding

LD_PRELOAD=./hide.so ./a.out 111 222

View the process

The arguments are now hidden.

4. Applying the library to the jar startup command

The startup command of the original project:

nohup java -jar -Djasypt.encryptor.password='1234qwer' /app/web.jar --server.port=8080 --spring.config.location=/app/web.yml >> /app/web.out 2>&1 &

To use the hiding library here, add LD_PRELOAD in front of the command, as follows:

LD_PRELOAD=./hide.so nohup java -jar -Djasypt.encryptor.password='1234qwer' /app/web.jar --server.port=8080 --spring.config.location=/app/web.yml >> /app/web.out 2>&1 &

If you start it elsewhere, you can use an absolute path:

LD_PRELOAD=/test/hide.so nohup java -jar -Djasypt.encryptor.password='1234qwer' /app/web.jar --server.port=8080 --spring.config.location=/app/web.yml >> /app/web.out 2>&1 &

After the command has been executed, view the project process

ps -ef |grep java
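
The check above can be scripted. ps takes a process's arguments from /proc/<pid>/cmdline, so the following added example (not part of the original article) scans that file for every process and reports the PIDs that still expose the option. The helper names proc_args, pid_exposes and find_exposed, and the default PATTERN, are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit /proc for processes whose arguments expose a secret option.
# PATTERN is an assumption: the option name used in this article's startup command.
PATTERN='jasypt.encryptor.password='

# Print the argument vector of PID $1, one argument per line, as ps sees it.
proc_args() {
    [ -r "/proc/$1/cmdline" ] || return 1
    # arguments are separated by NUL bytes in /proc/<pid>/cmdline
    tr '\0' '\n' < "/proc/$1/cmdline"
}

# Return 0 if any argument of PID $1 contains the fixed string $2.
pid_exposes() {
    proc_args "$1" 2>/dev/null | grep -qF -- "$2"
}

# Print the PID of every readable process whose arguments contain $1.
# The glob is expanded once, before the loop, so the grep processes started
# by the scan itself (which carry the pattern as an argument) are not listed.
find_exposed() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        if pid_exposes "$pid" "$1"; then
            echo "$pid"
        fi
    done
}

# Run as "sh script.sh --scan" to list the PIDs that still expose PATTERN.
if [ "${1:-}" = "--scan" ]; then
    find_exposed "$PATTERN"
fi
```

An empty result means the option is no longer readable through /proc/<pid>/cmdline. The original arguments are present in that file from the moment the process is executed until the preloaded hook runs, so a check made after startup does not cover that window.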


5. Using the prebuilt result directly

1. Directly download the .so file
CSDN address: https://download.csdn.net/download/qq_38254635/88140515
Baidu network disk address: https://pan.baidu.com/s/1HcPlHjRpBsmUTU8GnAhKfg?pwd=dge1
Extraction code: dge1

2. Put it on the server and add the following in front of the startup command.

LD_PRELOAD=/my/hide.so 

Adjust the path to match where the file is located on the server.

Reference links:
Java program hides command-line parameters: https://www.5axxw.com/wenku/pg/5100338h.html
How to hide process startup parameters?: https://www.zhihu.com/question/27518530
Linux tip: hide command-line parameters (without modifying the source code): https://zhuanlan.zhihu.com/p/610215116?utm_id=0

Origin blog.csdn.net/qq_38254635/article/details/132040657