Batch analysis of jar packages using Golang
Used to detect security vulnerabilities
This is much simpler and faster than using Java ASM
It is an auxiliary tool that helps security researchers analyze jar files quickly, especially for closed source projects
Its advantage is that it is easy to get started with and detection is efficient
Its disadvantage is that it cannot be customized much, and rules with multiple instructions may produce false positives
accelerator needs a rule file (default: rule.txt)
Given a directory of jar files, accelerator scans all of the jar files and extracts them
./accelerator -rule your_rule_file -jars your_jar_dir
At present, rules support only INVOKE instructions
INVOKEVIRTUAL ... *
If a rule contains a single instruction, detection succeeds when the corresponding instruction appears in a method
Usually, the desc attribute is not easy to remember, so wildcards such as * are supported
INVOKEVIRTUAL [first rule] *
INVOKEVIRTUAL [next rule] *
...
A rule may contain multiple INVOKE instructions at the same time
If the instruction set of the target method matches the calling order of the rule's instructions, the method is considered a match
(1) Unzip the jar file to get all the class files
(2) The class file is parsed according to the Oracle Java Specification
(3) Parse all methods in the method area of all classes to obtain the instruction set
(4) Complete each instruction's content by looking up the constant pool
(5) Parse the user rule and match it with the current method instruction set
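An added example (not accelerator's own code) of step (5): parsing a rule and matching it against the INVOKE instructions of one method. The in-order, gaps-allowed matching and the names `Invoke`, `ParseRule` and `Matches` are assumptions, and the two invoke sequences are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Invoke is one INVOKE* instruction after constant-pool resolution (step 4).
type Invoke struct{ Op, Target, Desc string }

// ParseRule reads rule lines of the form "OPCODE owner.method desc".
func ParseRule(text string) ([]Invoke, error) {
	var rule []Invoke
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue // skip blank lines
		}
		if len(f) != 3 || !strings.HasPrefix(f[0], "INVOKE") {
			return nil, fmt.Errorf("bad rule line: %q", line)
		}
		rule = append(rule, Invoke{f[0], f[1], f[2]})
	}
	return rule, nil
}

// Matches: rule instructions must occur in rule order, gaps allowed (assumed semantics).
func Matches(rule, method []Invoke) bool {
	next := 0
	for _, ins := range method {
		if next < len(rule) && ins.Op == rule[next].Op && ins.Target == rule[next].Target &&
			(rule[next].Desc == "*" || rule[next].Desc == ins.Desc) {
			next++
		}
	}
	return len(rule) > 0 && next == len(rule)
}

// Constructed invoke sequences of two hypothetical methods.
var appendThenExec = []Invoke{
	{"INVOKEVIRTUAL", "java/lang/StringBuilder.append", "(Ljava/lang/String;)Ljava/lang/StringBuilder;"},
	{"INVOKEVIRTUAL", "java/lang/Runtime.exec", "(Ljava/lang/String;)Ljava/lang/Process;"},
}
var execThenAppend = []Invoke{appendThenExec[1], appendThenExec[0]}

func main() {
	rule, err := ParseRule("INVOKEVIRTUAL java/lang/StringBuilder.append *\nINVOKEVIRTUAL java/lang/Runtime.exec *\n")
	fmt.Println(Matches(rule, appendThenExec), Matches(rule, execThenAppend), err)
}
```

This matcher sees only call order, not data flow, so a method that appends to an unrelated string and later runs a fixed command also matches; each hit on a multi-instruction rule still needs manual review.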
Native SQL Injection Rule
INVOKEVIRTUAL java/lang/StringBuilder.append *
INVOKEINTERFACE java/sql/Statement.executeQuery *
SQL Injection JdbcTemplate Rule
INVOKEVIRTUAL java/lang/StringBuilder.append *
INVOKEVIRTUAL org/springframework/jdbc/core/JdbcTemplate.query *
Simple RCE Rule
INVOKEVIRTUAL java/lang/Runtime.exec *
Simple RCE Rule (Command Injection)
INVOKEVIRTUAL java/lang/StringBuilder.append *
INVOKEVIRTUAL java/lang/Runtime.exec *
Some SSRF Rules
- INVOKEVIRTUAL java/net/URL.openConnection *
- INVOKEVIRTUAL org/apache/http/impl/client/CloseableHttpClient.execute *
- INVOKEINTERFACE okhttp3/Call.execute *
Rule
INVOKEINTERFACE javax/naming/Context.lookup *
Result
org/apache/logging/log4j/core/net/JndiManager lookup
Rule
INVOKEINTERFACE org/springframework/expression/Expression.getValue *
Result
org/springframework/cloud/gateway/discovery/DiscoveryClientRouteDefinitionLocator buildRouteDefinition
org/springframework/cloud/gateway/discovery/DiscoveryClientRouteDefinitionLocator getValueFromExpr
org/springframework/cloud/gateway/discovery/DiscoveryClientRouteDefinitionLocator lambda$getRouteDefinitions$2
org/springframework/cloud/gateway/support/ShortcutConfigurable getValue
Rule
INVOKESPECIAL org/springframework/expression/spel/support/StandardEvaluationContext.<init> *
INVOKEVIRTUAL org/springframework/expression/spel/standard/SpelExpressionParser.parseExpression *
INVOKEINTERFACE org/springframework/expression/Expression.getValue *
Result
org/springframework/cloud/gateway/support/ShortcutConfigurable getValue
Rule
INVOKEINTERFACE org/springframework/expression/Expression.getValue *
Result
org/springframework/cloud/function/context/catalog/SimpleFunctionRegistry$FunctionInvocationWrapper parseMultipleValueArguments
org/springframework/cloud/function/context/config/RoutingFunction functionFromExpression
Rule
INVOKESPECIAL org/springframework/expression/spel/support/StandardEvaluationContext.<init> *
Result
org/springframework/cloud/function/context/config/RoutingFunction <init>