From 3d388c14051927ae3b8e0ab6a936883ee0ef8f83 Mon Sep 17 00:00:00 2001 From: c0ny1 <1627639645@qq.com> Date: Wed, 3 Nov 2021 13:05:32 +0800 Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=BC=BAsocket=E5=8F=91=E5=8C=85?= =?UTF-8?q?=E8=8E=B7=E5=8F=96=E5=AE=8C=E6=95=B4=E5=93=8D=E5=BA=94=E5=8C=85?= =?UTF-8?q?,=E8=BF=9B=E4=B8=80=E6=AD=A5=E6=8F=90=E9=AB=98t3=E5=8D=8F?= =?UTF-8?q?=E8=AE=AE=E7=9A=84=E8=AF=86=E5=88=AB=E7=B2=BE=E5=BA=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .gitignore | 4 +- src/main/java/infodetec/AllInfoDetector.java | 2 +- .../infodetec/WeblogicInfoDetectorPlugin.java | 35 ++- src/main/java/infodetec/WeblogicInfoUtil.java | 270 +++++++----------- .../java/infodetec/X509TrustManagerImpl.java | 22 ++ 5 files changed, 156 insertions(+), 177 deletions(-) create mode 100644 src/main/java/infodetec/X509TrustManagerImpl.java diff --git a/.gitignore b/.gitignore index 2787e60..e4708d4 100644 --- a/.gitignore +++ b/.gitignore @@ -25,4 +25,6 @@ hs_err_pid* .idea -.DS_Store \ No newline at end of file +.DS_Store + +T3SendTest.java \ No newline at end of file diff --git a/src/main/java/infodetec/AllInfoDetector.java b/src/main/java/infodetec/AllInfoDetector.java index 34c91e6..0f29a88 100644 --- a/src/main/java/infodetec/AllInfoDetector.java +++ b/src/main/java/infodetec/AllInfoDetector.java @@ -14,7 +14,7 @@ public void InfoDetectorPluginMain(InfoDetectorPluginCallbacks infoDetectorPlugi this.pluginHelper = infoDetecPluginCallbacks.getPluginHelper(); this.infoDetecPluginCallbacks.setInfoDetectorPluginName("weblogic infodetector"); this.infoDetecPluginCallbacks.setInfoDetectorPluginAuthor("c0ny1"); - this.infoDetecPluginCallbacks.setInfoDetectorPluginVersion("0.2.1"); + this.infoDetecPluginCallbacks.setInfoDetectorPluginVersion("0.2.3"); this.infoDetecPluginCallbacks.setInfoDetectorPluginDescription("description"); List infoDetecs = new ArrayList(); infoDetecs.add(new WeblogicInfoDetectorPlugin()); 
diff --git a/src/main/java/infodetec/WeblogicInfoDetectorPlugin.java b/src/main/java/infodetec/WeblogicInfoDetectorPlugin.java index be2b654..13cb322 100644 --- a/src/main/java/infodetec/WeblogicInfoDetectorPlugin.java +++ b/src/main/java/infodetec/WeblogicInfoDetectorPlugin.java @@ -4,10 +4,11 @@ import me.gv7.woodpecker.requests.RawResponse; import me.gv7.woodpecker.requests.Requests; +import java.net.Socket; import java.util.LinkedHashMap; import java.util.Map; -import static infodetec.WeblogicInfoUtil.isT3FilterEnable; + public class WeblogicInfoDetectorPlugin implements InfoDetector { public static String weblogic_version; @@ -37,12 +38,17 @@ public IArgsUsageBinder getInfoDetectorCustomArgs() { } public LinkedHashMap doDetect(ITarget target, Map map, IResultOutput resultOutput) throws Throwable { - LinkedHashMap infos = new LinkedHashMap(); - String targetURL = target.getAddress(); + String host = target.getHost(); + int port = target.getPort(); + boolean isSSL = false; + if(target.getProtocol().equalsIgnoreCase("https")){ + isSSL = true; + } + + LinkedHashMap infos = new LinkedHashMap(); // 探测版本 weblogic_version = WeblogicInfoUtil.getWeblogicVersion(targetURL); - if(weblogic_version != null){ infos.put("version",weblogic_version); resultOutput.successPrintln("version: " + weblogic_version); 
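Review bot: `targetURL` is removed by this hunk (`- String targetURL = target.getAddress();`) while the unchanged context line `weblogic_version = WeblogicInfoUtil.getWeblogicVersion(targetURL);` still references it, so unless `targetURL` is declared somewhere else in the class the file no longer compiles; either keep the removed declaration or call `weblogic_version = WeblogicInfoUtil.getWeblogicVersion(target.getAddress());`. The four-line `isSSL` block reads more directly as `boolean isSSL = "https".equalsIgnoreCase(target.getProtocol());`, which also tolerates a null protocol instead of throwing NullPointerException. doDetect continues past the end of this hunk.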
@@ -52,18 +58,23 @@ public LinkedHashMap doDetect(ITarget target, Map getWeblogicNATInfo(Context context){ - Map natInfo = new HashMap(); - try { - Field _defaultInitCtx = context.getClass().getDeclaredField("defaultInitCtx"); - _defaultInitCtx.setAccessible(true); - Object defaultInitCtx = _defaultInitCtx.get(context); - Field _ctx = defaultInitCtx.getClass().getDeclaredField("ctx"); - _ctx.setAccessible(true); - Object ctx = _ctx.get(defaultInitCtx); - Field __delegate = ctx.getClass().getSuperclass().getDeclaredField("__delegate"); - __delegate.setAccessible(true); - Object delegate = __delegate.get(ctx); - Field _ior = delegate.getClass().getSuperclass().getDeclaredField("ior"); - _ior.setAccessible(true); - Object ior = _ior.get(delegate); - Field _iopProfile = ior.getClass().getDeclaredField("iopProfile"); - _iopProfile.setAccessible(true); - Object iopProfile = _iopProfile.get(ior); - Field _host = iopProfile.getClass().getDeclaredField("host"); - _host.setAccessible(true); - String host = (String)_host.get(iopProfile); - - Field _port = iopProfile.getClass().getDeclaredField("port"); - _port.setAccessible(true); - Integer port = (Integer) _port.get(iopProfile); - - natInfo.put("host",host); - natInfo.put("port",port); - }catch (Exception e){ - e.printStackTrace(); - } - return natInfo; - } - - public static boolean setWeblogicNATInfo(Context context,String host,Integer port){ - Map natInfo = new HashMap(); - try { - Field _defaultInitCtx = context.getClass().getDeclaredField("defaultInitCtx"); - _defaultInitCtx.setAccessible(true); - Object defaultInitCtx = _defaultInitCtx.get(context); - Field _ctx = defaultInitCtx.getClass().getDeclaredField("ctx"); - _ctx.setAccessible(true); - Object ctx = _ctx.get(defaultInitCtx); - Field __delegate = ctx.getClass().getSuperclass().getDeclaredField("__delegate"); - __delegate.setAccessible(true); - Object delegate = __delegate.get(ctx); - Field _ior = delegate.getClass().getSuperclass().getDeclaredField("ior"); - 
_ior.setAccessible(true); - Object ior = _ior.get(delegate); - Field _iopProfile = ior.getClass().getDeclaredField("iopProfile"); - _iopProfile.setAccessible(true); - Object iopProfile = _iopProfile.get(ior); - Field _host = iopProfile.getClass().getDeclaredField("host"); - _host.setAccessible(true); - _host.set(iopProfile,host); - - Field _port = iopProfile.getClass().getDeclaredField("port"); - _port.setAccessible(true); - _port.set(iopProfile,port); - - - Method _getHostAddress = iopProfile.getClass().getDeclaredMethod("getHostAddress"); - _getHostAddress.setAccessible(true); - _getHostAddress.invoke(iopProfile,null); - - Method _getConnectionKey = iopProfile.getClass().getDeclaredMethod("getConnectionKey"); - _getConnectionKey.setAccessible(true); - _getConnectionKey.invoke(iopProfile,null); - - return true; - }catch (Exception e){ - e.printStackTrace(); - return false; - } - } - - - - public static Socket getSocket(String target) throws Exception { - URL url = new URL(target); - int port = 0; - - if(url.getPort() != -1){ - port = url.getPort(); - }else if(target.startsWith("https://")){ - port = 443; - }else if(target.startsWith("http://")){ - port = 80; + public static Socket initSocket(String host,int port,boolean isSSL) throws Exception { + InetSocketAddress socketAddress = new InetSocketAddress(host, port); + Socket socket = new Socket();; + + if (isSSL) { + X509TrustManagerImpl x509m = new X509TrustManagerImpl(); + // 获取一个SSLContext实例 + SSLContext sslContext = SSLContext.getInstance("SSL"); + // 初始化SSLContext实例 + sslContext.init(null, new TrustManager[]{x509m}, new java.security.SecureRandom()); + socket.connect(socketAddress); + socket.setSoTimeout(SOCKET_TIME_OUT.intValue()); + socket.setKeepAlive(true); + socket = sslContext.getSocketFactory().createSocket(socket, socketAddress.getHostName(), socketAddress.getPort(), true); }else{ - throw new Exception("unkown port"); + socket.connect(socketAddress, SOCKET_TIME_OUT.intValue()); + 
socket.setSoTimeout(SOCKET_TIME_OUT.intValue()); + socket.setKeepAlive(true); } - String host = url.getHost(); - SocketAddress socketAddress = new InetSocketAddress(host, port); - Socket socket = new Socket(); - socket.connect(socketAddress, SOCKET_TIME_OUT.intValue()); - socket.setSoTimeout(SOCKET_TIME_OUT.intValue()); return socket; } - public static boolean checkIIOP(String target) throws Exception{ - Socket socket = getSocket(target); + + public static boolean checkIIOP(String host,int port,boolean isSSL) throws Exception{ + Socket socket = initSocket(host,port,isSSL); try { - byte[] rspByte = send("47494f50010200030000001700000002000000000000000b4e616d6553657276696365", socket); + byte[] rspByte = send(hexStrToBinaryStr("47494f50010200030000001700000002000000000000000b4e616d6553657276696365"), socket); String rsp = new String(rspByte); if (!rsp.contains("NamingContextAny") && !rsp.contains("weblogic") && !rsp.contains("corba")) { return false; 
@@ -215,61 +131,91 @@ public static boolean checkIIOP(String target) throws Exception{ return true; } - - - - public static boolean checkT3(String target) throws Exception { - Socket socket = getSocket(target); - try { - byte[] rspByte = send(VERSION_T3, socket); - String rsp = new String(rspByte); - if (rsp.contains("") || rsp.contains("<html>") || rsp.contains("400") || rsp.contains("403")) { - return false; - } - } catch (Exception e) { - e.printStackTrace(); - return false; - } finally { - socket.close(); - } - return true; - } - - public static boolean isT3FilterEnable(String target) throws Exception { - Socket socket = getSocket(target); + public static String getT3HelloInfo(String host,int port,boolean isSSL) throws Exception { + String hello = null; + Socket socket = initSocket(host,port,isSSL); try { - byte[] rspByte = send(VERSION_T3, socket); - String rsp = new String(rspByte); + String str = "t3 10.3.1\nAS:255\nHL:19\n\n"; + byte[] t3Response = WeblogicInfoUtil.send(str.getBytes(), socket); + hello = new String(t3Response); + } catch (Throwable t){ - if((rsp.contains("Connection rejected") || rsp.contains("filter blocked Socket")) && rsp.contains("weblogic.security.net.FilterException") && rsp.contains("Security:090220")){ - return true; - } - } catch (Exception e) { - return false; - } finally { + }finally { socket.close(); } - return false; + return hello; } - public static byte[] send(String msg, Socket socket) throws Exception { + + public static byte[] send(byte[] msg, Socket socket) throws Exception { + byte[] readedContent = null; OutputStream out = socket.getOutputStream(); InputStream is = socket.getInputStream(); - out.write(hexStrToBinaryStr(msg)); + out.write(msg); out.flush(); byte[] buffer = new byte[1]; -// int length = is.read(bytes); -// if(length == -1){ -// return Arrays.copyOfRange(bytes, 0, length); -// }else{ -// return new byte[0]; -// } + ByteArrayOutputStream outputStream = new ByteArrayOutputStream(); - while (is.read(buffer) 
!= -1){ - outputStream.write(buffer); - outputStream.flush(); + boolean proccessedHeader = false; + boolean isChunked = false; + int contentLength = 0; + int acceptedLength = 0; + while (true){ + try { + int flag = is.read(buffer); + outputStream.write(buffer); + outputStream.flush(); + readedContent = outputStream.toByteArray(); + String res = new String(readedContent); + + // t3协议 + if (res.startsWith("HELO:") && res.contains("AS:") && res.contains("HL:")) { + if (res.endsWith("\n\n")) { + break; + } + } + + // http协议 + if (res.startsWith("HTTP/")) { + // 读取http协议header + if(!proccessedHeader && res.endsWith("\r\n\r\n")){ + Map headers = new HashMap<String,String>(); + for(String header:res.split("\r\n")){ + if(header.contains(":")){ + String reqHeaderKey = header.substring(0,header.indexOf(":")).trim(); + String reqHeaderValue = header.substring(header.indexOf(":")+1,header.length()).trim(); + headers.put(reqHeaderKey,reqHeaderValue); + } + } + + if(headers.containsKey("Content-Length")){ + contentLength = Integer.valueOf((String)headers.get("Content-Length")); + }else if(headers.containsKey("Transfer-Encoding") && headers.get("Transfer-Encoding").equals("chunked")){ + isChunked = true; + } + proccessedHeader = true; + } + + if(isChunked && res.endsWith("\r\n0\r\n\r\n")){ + break; + }else if(contentLength != 0){ + if(acceptedLength == contentLength){ + break; + } + acceptedLength++; + } + } + + //未知协议 + if (flag == -1) { + break; + } + }catch (Throwable t){ + t.printStackTrace(); + break; + } } - return outputStream.toByteArray(); + return readedContent; } public static byte[] hexStrToBinaryStr(String hexString) { @@ -285,8 +231,6 @@ public static byte[] hexStrToBinaryStr(String hexString) { return bytes; } - public static void main(String[] args) throws Exception { - checkIIOP("http://220.182.2.171:8167/"); - } + } 
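Review bot: In the new `send` loop the byte is written before `flag` is checked, so when `is.read(buffer)` returns -1 the stale content of `buffer` is appended once more before the break (a duplicated final byte, or a zero byte for an empty response); test for end-of-stream first, `int flag = is.read(buffer); if (flag == -1) { break; } outputStream.write(buffer);`, and return `outputStream.toByteArray()` after the loop so a read that throws on the first iteration no longer hands `null` to the `new String(...)` calls in `checkIIOP` and `getT3HelloInfo`. `new String(readedContent)` re-decodes the whole accumulated response on every byte (quadratic for long bodies) and, before JDK 18, uses the platform charset; decoding once with `StandardCharsets.ISO_8859_1` after the loop, or only when a delimiter byte arrives, keeps the `startsWith`/`endsWith` checks deterministic across JVMs. The `Content-Length` branch never terminates when the header value is `0`, and a response with neither `Content-Length` nor chunked encoding is read until EOF or the socket timeout, which then surfaces as a printed stack trace rather than a normal return; a comment stating that the timeout is the intended stop condition there would help the next reader. In `getT3HelloInfo` the `catch (Throwable t)` block is empty, so a connect or read failure is indistinguishable from a listener that is simply not T3; at minimum log it, `catch (Throwable t) { t.printStackTrace(); }`, matching the style used in `send`.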
diff --git a/src/main/java/infodetec/X509TrustManagerImpl.java b/src/main/java/infodetec/X509TrustManagerImpl.java
new file mode 100644
index 0000000..f943c7f
--- /dev/null
+++ b/src/main/java/infodetec/X509TrustManagerImpl.java
@@ -0,0 +1,22 @@
+package infodetec;
+
+import javax.net.ssl.X509TrustManager;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+public class X509TrustManagerImpl implements X509TrustManager {
+ @Override
+ public X509Certificate[] getAcceptedIssuers() {
+ return null;
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain,
+ String authType) throws CertificateException {
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain,
+ String authType) throws CertificateException {
+ }
+}
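Review bot: `getAcceptedIssuers()` returns `null`, which breaks the `X509TrustManager` contract (the method is documented to return a non-null, possibly empty array) and can throw NullPointerException in JSSE code paths that iterate the result; return `new X509Certificate[0];` instead. The two empty `check*Trusted` bodies mean every server certificate is accepted, so the TLS socket built in `initSocket` gets encryption but no server authentication, and a banner read over it can come from any on-path host; that is an accepted trade-off for a fingerprinting probe, but it should be stated on the class, e.g. a Javadoc `/** Accepts any certificate chain without validation; only for the detection probe socket, never for connections that carry credentials. */`. In the consumer of this class, `SSLContext.getInstance("SSL")` in `initSocket`, `"TLS"` is the protocol name to prefer; the `"SSL"` alias still resolves but reads as if legacy SSL were being requested.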