java -jar RaspInstall.jar -install <tomcat_root> -backendurl http://XXX -appsecret XXX -appid XXX
java -jar RaspInstall.jar -install <wildfly_root> -backendurl http://XXX -appsecret XXX -appid XXX
java -jar RaspInstall.jar -install <wildfly_root>
cp -R ~/Downloads/rasp-20170721/rasp .
java -jar RaspInstall.jar -install <jboss_root> -backendurl http://XXX -appsecret XXX -appid XXX
java -jar RaspInstall.jar -install <jboss_root>
java -jar RaspInstall.jar -install <resin_root> -backendurl http://XXX -appsecret XXX -appid XXX
java -jar RaspInstall.jar -install <resin_root>



ps aux | grep rasp-cloud 找到后台进程 PID
PHP Warning: scandir(): open_basedir restriction in effect. File(/www/rasp/logs/alarm/alarm.log.2018-07-26) is not within the allowed path(s)
php install.php -d /opt/rasp --backend-url http://myserver:port --app-secret XXX --app-id XXXX
php install.php -d /opt/rasp
mv /usr/lib64/php/modules/openrasp.so /usr/lib64/php/modules/openrasp.so.bak
cp openrasp.so /usr/lib64/php/modules/openrasp.so
PHP-FPM 服务器
killall -USR2 php-fpm
Apache HTTPD 服务器
apachectl -k reload
<?php phpinfo();?>
cp php/linux-php5.4-x86_64/openrasp.so /usr/lib/php/20151012
chmod 755 /usr/lib/php/20151012/openrasp.so
mkdir -p /opt/rasp
chmod 777 -R /opt/rasp
; BEGIN OPENRASP
[openrasp]
extension=openrasp.so
openrasp.root_dir=/opt/rasp
; 远程管理配置,不需要不用配置
; openrasp.backend_url=
; openrasp.app_id=
; openrasp.app_secret=
; openrasp.remote_management_enable=1
; END OPENRASP
LimitStack=163840
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/openrasp.so' - /usr/lib64/php/modules/openrasp.so: undefined symbol: php_json_encode in Unknown on line 0
ln -s /lib64/ld-linux-x64-64.so.2 /lib/
php -r "var_dump(ZEND_THREAD_SAFE);"
<?php echo var_dump(ZEND_THREAD_SAFE); ?>
java -jar RaspInstall.jar -install <tomcat_root>
# <server_pid> 为 tomcat 进程 id
# $JAVA_HOME 为 jdk 根目录环境变量,如果未指定该环境变量,替换为 jdk 的完整根目录
java -Xbootclasspath/a:$JAVA_HOME/lib/tools.jar -jar RaspInstall.jar -install <tomcat_root> -pid <server_pid>
Jan 12, 2018 6:11:55 PM org.apache.catalina.core.StandardWrapper unload
INFO: Waiting for 1 instance(s) to be deallocated for Servlet [jsp]
Jan 12, 2018 6:11:56 PM org.apache.catalina.core.StandardWrapper unload
INFO: Waiting for 1 instance(s) to be deallocated for Servlet [jsp]
Jan 12, 2018 6:11:57 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
cp -R ~/Downloads/rasp-20170721/rasp .
chmod 777 -R rasp
com.baidu.openrasp.exception.ConfigLoadException: Fail to extract rasp-log4j.xml, because of: /usr/share/tomcat8/rasp/conf/rasp-log4j.xml (Permission denied)
at com.baidu.openrasp.messaging.LogConfig.extractLogConfigFile(LogConfig.java:153)
at com.baidu.openrasp.messaging.LogConfig.completeLogConfig(LogConfig.java:72)
at com.baidu.openrasp.Agent.loadConfig(Agent.java:91)
at com.baidu.openrasp.Agent.premain(Agent.java:66)
elif [ "$1" = "start" ] ; then
if [ ! -z "$CATALINA_PID" ]; then
elif [ "$1" = "start" ]; then
JAVA_OPTS="-javaagent:${CATALINA_HOME}/rasp/rasp.jar ${JAVA_OPTS}"
if [ ! -z "$CATALINA_PID" ]; then
JAVA_OPTS="-javaagent:${CATALINA_HOME}/rasp/rasp.jar ${JAVA_OPTS}"
JAVA_OPTS="--add-opens=java.base/jdk.internal.loader=ALL-UNNAMED ${JAVA_OPTS}"
JAVA_OPTS="--add-opens=java.base/java.net=ALL-UNNAMED ${JAVA_OPTS}"
JAVA_OPTS="-javaagent:${CATALINA_HOME}/rasp/rasp.jar ${JAVA_OPTS}"
# 云控配置
cloud.enable: true
cloud.backend_url: xxx
cloud.app_id: xxx
cloud.app_secret: xxx
cloud.heartbeat_interval: 180
%> curl -v 127.0.0.1:8080
...
X-Protected-By: OpenRASP
X-Request-ID: eb3b8e287de8406bb4bdb9d86bd31f99
...
%> grep OpenRASP -ir rasp/logs/
rasp/logs/rasp/rasp.log:2018-05-22 16:13:25,842 INFO [main][com.baidu.openrasp.Agent] OpenRASP Engine Initialized [1.0-SNAPSHOT (build: GitCommit=3da661734e3ad7641cd98e83f32950deaefcacac date=2017-08-14T03:34:41Z)]
-javaagent:C:\Program Files\Apache Software Foundation\Tomcat 7.0\rasp\rasp.jar
--add-opens=java.base/jdk.internal.loader=ALL-UNNAMED
--add-opens=java.base/java.net=ALL-UNNAMED
:setArgs
if ""%1""=="""" goto doneSetArgs
set CMD_LINE_ARGS=%CMD_LINE_ARGS% %1
:setArgs
if "%ACTION%" == "start" set JAVA_OPTS=-javaagent:%CATALINA_HOME%\rasp\rasp.jar %JAVA_OPTS%
if ""%1""=="""" goto doneSetArgs
set CMD_LINE_ARGS=%CMD_LINE_ARGS% %1
:setArgs
if "%ACTION%" == "start" set JAVA_OPTS=-javaagent:%CATALINA_HOME%\rasp\rasp.jar --add-opens=java.base/jdk.internal.loader=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED %JAVA_OPTS%
if ""%1""=="""" goto doneSetArgs
set CMD_LINE_ARGS=%CMD_LINE_ARGS% %1
chmod 777 -R /opt/tongweb安装目录/rasp
-javaagent:${TongWeb_Home}/rasp/rasp.jar
-javaagent:${TongWeb_Home}/rasp/rasp.jar
cp -R ~/Downloads/rasp-20170721/rasp .
chmod 777 -R rasp
# Display our environment
JAVA_OPTS="$JAVA_OPTS -javaagent:$JBOSS_HOME/rasp/rasp.jar"
<jvm-options>
<option value="-javaagent:<wildfly_root>/rasp/rasp.jar"/>
</jvm-options><jvm name="default">
<jvm-options>
<option value="-javaagent:<wildfly_root>/rasp/rasp.jar"/>
</jvm-options>
</jvm># 云控配置
cloud.enable=true
cloud.backend_url=http://XXXX
cloud.app_id=XXXX
cloud.app_secret=XXXX%> grep OpenRASP -ir rasp/logs/
rasp/logs/rasp/rasp.log:2018-05-22 16:13:25,842 INFO [main][com.baidu.openrasp.Agent] OpenRASP Engine Initialized [1.0-SNAPSHOT (build: GitCommit=3da661734e3ad7641cd98e83f32950deaefcacac date=2017-08-14T03:34:41Z)]%> curl -v 127.0.0.1:8080
...
X-Protected-By: OpenRASP
X-Request-ID: eb3b8e287de8406bb4bdb9d86bd31f99
...set JAVA_OPTS=%JAVA_OPTS% -javaagent:%JBOSS_HOME%/rasp/rasp.jarchmod 777 -R raspjava -javaagent:/opt/jetty/rasp/rasp.jar -jar start.jar-javaagent:D:\jetty\rasp\rasp.jar[prod]
EsAddr = http://127.0.0.1:9200
EsUser =
EsPwd =
MongoDBAddr = 127.0.0.1:27017
MongoDBUser =
MongoDBPwd =./rasp-cloud -d./rasp-cloud -type=panel -d./rasp-cloud -type=agent -dEnableHTTPS = true
EnableHttpTLS = true
HttpsPort = 443
HTTPSCertFile = "cert.pem"
HTTPSKeyFile = "cert.key"./rasp-cloud -type=reset%> ./rasp-cloud -s status
/rasp-cloud/
2020/02/11 18:13:39 The rasp-cloud is running!%> ./rasp-cloud -version
/rasp-cloud/
Version: 1.3
Build Time: 2020-02-11 17:56:52
Git Commit ID: d6902d60f8874e7255562544041edbd340e6b676real-openrasp-report-data-{appid}
real-openrasp-attack-alarm-{appid}
real-openrasp-policy-alarm-{appid}
real-openrasp-error-alarm-{appid}
real-openrasp-dependency-data-{appid}input{
file{
path=>[
## 1. 修改该处,将 $cloud-agent-home 替换为部署的 agent 模式后台的根目录
"$cloud-agent-home/openrasp-logs/attack-alarm/attack.log"
]
start_position => "beginning"
type => "attack-alarm"
codec => "json"
}
file{
path=>[
## 2. 修改该处,将 $cloud-agent-home 替换为部署的 agent 模式后台的根目录
"$cloud-agent-home/openrasp-logs/policy-alarm/policy.log"
]
start_position => "beginning"
type => "policy-alarm"
codec => "json"
}
}
output {
if [type] == "attack-alarm" {
elasticsearch {
## 3. 修改 ES 地址
hosts => "0.0.0.0:9200"
index => 'real-openrasp-%{type}-%{[app_id]}'
timeout => 30
document_type => '%{type}'
}
}
if [type] == "policy-alarm"{
elasticsearch {
## 4. 修改 ES 地址
hosts => "0.0.0.0:8200"
index => 'real-openrasp-%{type}-%{[app_id]}'
timeout => 30
document_type => '%{type}'
action => 'update'
document_id => '%{[upsert_id]}'
doc_as_upsert => true
}
}
}2018/12/14 09:55:11.393 [I] [environment.go:62] ===== start type: default =====
2018/12/14 09:55:11.408 [E] [mongo.go:54] [30002] init mongodb failed: no reachable servers127.0.0.1 myhostnameiptables -I INPUT -p tcp --dport 8086 -j ACCEPThttp://elasticsearch_hostname:port/_cat/indices?v
http://elasticsearch_hostname:port/_cat/alias?vblocked by: [FORBIDDEN/12/index read-only / allow delete (api)]server {
listen 84;
location / {
proxy_set_header Host $http_host;
proxy_pass http://172.17.0.4;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}2020/02/07 11:37:47.784 [E] [iast.go:147] upgrade err: websocket: the client is not using the websocket protocol: 'upgrade' token not found in 'Connection' header# <server_pid> 为 jboss 进程 id
# $JAVA_HOME 为 jdk 根目录环境变量,如果未指定该环境变量,替换为 jdk 的完整根目录
java -Xbootclasspath/a:$JAVA_HOME/lib/tools.jar -jar RaspInstall.jar -install <jboss_root> -pid <server_pid>cp -R ~/Downloads/rasp-20170721/rasp .chmod 777 -R rasp# Setup JBoss specific properties
JAVA_OPTS="-Dprogram.name=$PROGNAME $JAVA_OPTS"# Setup JBoss specific properties
JAVA_OPTS="-Dprogram.name=$PROGNAME $JAVA_OPTS"
JAVA_OPTS="-javaagent:${JBOSS_HOME}/rasp/rasp.jar ${JAVA_OPTS}"JAVA_OPTS="${JAVA_OPTS} -javaagent:${JBOSS_HOME}/rasp/rasp.jar"<jvm-options>
<option value="-javaagent:<jboss_root>/rasp/rasp.jar"/>
</jvm-options><jvm name="default">
<jvm-options>
<option value="-javaagent:<jboss_root>/rasp/rasp.jar"/>
</jvm-options>
</jvm>set JAVA_OPTS=%JAVA_OPTS% -Dprogram.name=%PROGNAME%set JAVA_OPTS=%JAVA_OPTS% -Dprogram.name=%PROGNAME%
set JAVA_OPTS=-javaagent:%JBOSS_HOME%\rasp\rasp.jar %JAVA_OPTS%set "JAVA_OPTS=%JAVA_OPTS% -javaagent:%JBOSS_HOME%\rasp\rasp.jar"14:27:19,691 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 11) JBAS014612: Operation ("add") failed - address: ([
("subsystem" => "logging"),
("console-handler" => "CONSOLE")
]): java.lang.ClassCastException: org.jboss.logmanager.PropertyConfigurator cannot be cast to org.jboss.as.logging.logmanager.ConfigurationPersistence
at org.jboss.as.logging.logmanager.ConfigurationPersistence.getOrCreateConfigurationPersistence(ConfigurationPersistence.java:93)
at org.jboss.as.logging.logmanager.ConfigurationPersistence.getOrCreateConfigurationPersistence(ConfigurationPersistence.java:81)
at org.jboss.as.logging.LoggingOperations$LoggingOperationStepHandler.execute(LoggingOperations.java:154)
at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:440) [jboss-as-controller-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:322) [jboss-as-controller-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
at org.jboss.as.controller.AbstractOperationContext.completeStepInternal(AbstractOperationContext.java:229) [jboss-as-controller-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:224) [jboss-as-controller-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
at org.jboss.as.controller.ParallelBootOperationStepHandler$ParallelBootTask.run(ParallelBootOperationStepHandler.java:334) [jboss-as-controller-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_79]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_79]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_79]
at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.0.Final-redhat-1.jar:2.1.0.Final-redhat-1]Unable to extract jnotify library (rasp/libjnotify_64bit.so):
java.io.FileNotFoundException: /data/w/tomcat/rasp/libjnotify_64bit.so (Permission denied)
at java.io.FileOutputStream.open0(Native Method)
at java.io.FileOutputStream.open(FileOutputStream.java:270)
at java.io.FileOutputStream.<init>(FileOutputStream.java:213)
at java.io.FileOutputStream.<init>(FileOutputStream.java:101)$ java -jar RaspInstall.jar -install /usr/local/tomcat/
Error: Could not find or load main class com.baidu.rasp.App--add-opens=java.base/jdk.internal.loader=ALL-UNNAMED
--add-opens=java.base/java.net=ALL-UNNAMEDjava.lang.ExceptionInInitializerError
at org.scijava.nativelib.NativeLoader.<clinit>(NativeLoader.java:107)
at com.baidu.openrasp.v8.V8.Load(V8.java:25)
at com.baidu.openrasp.plugin.js.JS.Initialize(JS.java:44)
at com.baidu.openrasp.EngineBoot.start(EngineBoot.java:56)
at com.baidu.openrasp.ModuleContainer.start(ModuleContainer.java:78)
at com.baidu.openrasp.ModuleLoader.<init>(ModuleLoader.java:74)
at com.baidu.openrasp.ModuleLoader.load(ModuleLoader.java:103)
at com.baidu.openrasp.Agent.init(Agent.java:93)
at com.baidu.openrasp.Agent.premain(Agent.java:70)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:382)
at sun.instrument.InstrumentationImpl.loadClassAndCallPremain(InstrumentationImpl.java:397)
Caused by: java.io.IOException: Permission denied
at java.io.UnixFileSystem.createFileExclusively(Native Method)
at java.io.File.createTempFile(File.java:2001)
at java.io.File.createTempFile(File.java:2047)
at org.scijava.nativelib.BaseJniExtractor.getTempDir(BaseJniExtractor.java:123)
at org.scijava.nativelib.WebappJniExtractor.<init>(WebappJniExtractor.java:69)
at org.scijava.nativelib.NativeLoader.<clinit>(NativeLoader.java:103)
... 14 morejava.lang.UnsatisfiedLinkError: /var/cache/tomcat/temp/nativelib-loader_4485267645656510327/Classloader.1658314629304.0/libopenrasp_v8_java.so: /var/cache/tomcat/temp/nativelib-loader_4485267645656510327/Classloader.1658314629304.0/libopenrasp_v8_java.so: failed to map segment from shared object: Permission denied
at java.lang.ClassLoader$NativeLibrary.load(Native Method)
at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1934)
at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1817)
at java.lang.Runtime.load0(Runtime.java:810)
at java.lang.System.load(System.java:1088)
at com.baidu.openrasp.nativelib.NativeLibraryUtil.loadNativeLibrary(NativeLibraryUtil.java:340)
at com.baidu.openrasp.nativelib.NativeLoader.loadLibrary(NativeLoader.java:136)
at com.baidu.openrasp.v8.Loader.load(Loader.java:12)
at com.baidu.openrasp.EngineBoot.start(EngineBoot.java:57)
at com.baidu.openrasp.ModuleContainer.start(ModuleContainer.java:78)
at com.baidu.openrasp.ModuleLoader.<init>(ModuleLoader.java:89)
at com.baidu.openrasp.ModuleLoader.load(ModuleLoader.java:117)
at com.baidu.openrasp.Agent.init(Agent.java:94)
at com.baidu.openrasp.Agent.premain(Agent.java:71)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:386)
at sun.instrument.InstrumentationImpl.loadClassAndCallPremain(InstrumentationImpl.java:401)INFO: Couldn't find resource META-INF/lib/linux_arm64/libopenrasp_v8_java.so
[OpenRASP] Failed to load native library, please refer to https://rasp.baidu.com/doc/install/software.html#faq-v8-load for possible solutions.
java.io.IOException: Couldn't load library openrasp_v8_java
at com.baidu.openrasp.nativelib.NativeLoader.loadLibrary(NativeLoader.java:138)
at com.baidu.openrasp.v8.Loader.load(Loader.java:12)
at com.baidu.openrasp.EngineBoot.start(EngineBoot.java:57)
at com.baidu.openrasp.ModuleContainer.start(ModuleContainer.java:78)
at com.baidu.openrasp.ModuleLoader.<init>(ModuleLoader.java:89)
at com.baidu.openrasp.ModuleLoader.load(ModuleLoader.java:118)ava.io.IOException: Couldn't load library library openrasp_v8_java
at org.scijava.nativelib.NativeLoader.loadLibrary(NativeLoader.java:141)
at com.baidu.openrasp.v8.V8.Load(V8.java:25)
at com.baidu.openrasp.plugin.js.JS.Initialize(JS.java:44)
at com.baidu.openrasp.EngineBoot.start(EngineBoot.java:56)
at com.baidu.openrasp.ModuleContainer.start(ModuleContainer.java:78)
at com.baidu.openrasp.ModuleLoader.<init>(ModuleLoader.java:74)
at com.baidu.openrasp.ModuleLoader.load(ModuleLoader.java:103)
at com.baidu.openrasp.Agent.init(Agent.java:93)
at com.baidu.openrasp.Agent.premain(Agent.java:70)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:382)
at sun.instrument.InstrumentationImpl.loadClassAndCallPremain(InstrumentationImpl.java:397)
Caused by: java.lang.UnsatisfiedLinkError: no openrasp_v8_java in java.library.path
at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1886)
at java.lang.Runtime.loadLibrary0(Runtime.java:849)
at java.lang.System.loadLibrary(System.java:1088)
at org.scijava.nativelib.NativeLoader.loadLibrary(NativeLoader.java:136)
... 14 moreStack: [0x00007f3951edb000,0x00007f3951fdc000], sp=0x00007f3951fda2d8, free space=1020k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C [libc.so.6+0x15a00b] __memmove_ssse3_back+0x6cb
C [libzip.so+0x12b33] ZIP_GetNextEntry+0x53
J 5497 java.util.zip.ZipFile.getNextEntry(JI)J (0 bytes) @ 0x00007f3a15da3c76 [0x00007f3a15da3bc0+0xb6]
J 5495 C1 java.util.zip.ZipFile$ZipEntryIterator.next()Ljava/util/zip/ZipEntry; (212 bytes) @ 0x00007f3a15daebec [0x00007f3a15dae940+0x2ac]-Dsun.zip.disableMemoryMapping=truecp -R ~/Downloads/rasp-20170721/rasp .chmod 777 -R rasp<jvm-arg>-Xmx256m</jvm-arg>
<jvm-arg>-Xss1m</jvm-arg>
<jvm-arg>-Xdebug</jvm-arg>
<jvm-arg>-Dcom.sun.management.jmxremote</jvm-arg><jvm-arg>-javaagent:/opt/resin/rasp/rasp.jar</jvm-arg><jvm-arg-line>${jvm_args}</jvm-arg-line>
<jvm-mode>${jvm_mode}</jvm-mode><jvm-arg>-javaagent:/opt/resin/rasp/rasp.jar</jvm-arg>java -jar RaspInstall.jar -nodetect -install <spring_boot_folder> -backendurl http://XXX -appsecret XXX -appid XXXjava -jar RaspInstall.jar -nodetect -install <spring_boot_folder>java -javaagent:/opt/spring-boot/rasp/rasp.jar -jar XXX.jarjava --add-opens=java.base/jdk.internal.loader=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED -javaagent:/opt/spring-boot/rasp/rasp.jar -jar XXX.jarcp -R ~/Downloads/rasp-20170721/rasp .chmod 777 -R raspjava -javaagent:/opt/spring-boot/rasp/rasp.jar -jar XXX.jarjava --add-opens java.base/jdk.internal.loader=ALL-UNNAMED -javaagent:/opt/spring-boot/rasp/rasp.jar -jar XXX.jarjava -jar RaspInstall.jar -install <weblogic_domain_home> -backendurl http://XXX -appsecret XXX -appid XXXjava -jar RaspInstall.jar -install <weblogic_domain_home>








































Content-Type 为 text/html,且状态码为 200
# <server_pid> 为 weblogic 进程 id
# $JAVA_HOME 为 jdk 根目录环境变量,如果未指定该环境变量,替换为 jdk 的完整根目录
java -Xbootclasspath/a:$JAVA_HOME/lib/tools.jar -jar RaspInstall.jar -install <weblogic_domain_home> -pid <server_pid>
cp -R ~/Downloads/rasp-20170721/rasp .
chmod 777 -R rasp
JAVA_OPTIONS="-javaagent:${DOMAIN_HOME}/rasp/rasp.jar ${JAVA_OPTIONS}"
-javaagent:<agent_directory_full_path>/rasp/rasp.jar
<server>
<server-start>
<arguments>-javaagent:/PATH/TO/DOMAIN_HOME/rasp/rasp.jar</arguments>
</server-start>
</server>
${DOMAIN_HOME}/servers/<安装rasp的server名字>/logs
set JAVA_OPTIONS=-javaagent:%DOMAIN_HOME%\rasp\rasp.jar %JAVA_OPTIONS%
${DOMAIN_HOME}/servers/<安装rasp的server名字>/logs
yum install -y libgcc.i686
Error: Multilib version problems found. This often means that the root
cause is something else and multilib version checking is just
pointing out that there is a problem. Eg.:
Protected multilib versions: libgcc-4.8.2-8.el6.x86_64 != libgcc-4.4.7-11.el6.i686
yum install -y libgcc
yum install -y libgcc.i686
chmod 777 -R /opt/bes/rasp
-javaagent:${BES_HOME}\rasp\rasp.jar
-javaagent:${BES_HOME}/rasp/rasp.jar
<jvm-options>-javaagent:/opt/bes/rasp/rasp.jar</jvm-options>
sudo sysctl -w vm.max_map_count=262144
git clone https://github.com/baidu-security/openrasp-iast.git
cd openrasp-iast/docker/iast-cloud
docker-compose uppip3 install --upgrade git+https://github.com/baidu-security/openrasp-iastwget https://packages.baidu.com/app/openrasp/openrasp-iast-latest -O /usr/local/bin/openrasp-iast# 如果是 MySQL 8.X 以及更高版本
DROP DATABASE IF EXISTS openrasp;
CREATE DATABASE openrasp default charset utf8mb4 COLLATE utf8mb4_general_ci;
CREATE user 'rasp'@'%' identified with mysql_native_password by 'rasp123';
grant all privileges on openrasp.* to 'rasp'@'%' with grant option;
grant all privileges on openrasp.* to 'rasp'@'localhost' with grant option;
# 如果是低版本 MySQL
DROP DATABASE IF EXISTS openrasp;
CREATE DATABASE openrasp default charset utf8mb4 COLLATE utf8mb4_general_ci;
grant all privileges on openrasp.* to 'rasp'@'%' identified by 'rasp123';
grant all privileges on openrasp.* to 'rasp'@'localhost' identified by 'rasp123';
pip3 install --upgrade git+https://github.com/baidu-security/openrasp-iast@v1.2
http://IAST服务器地址:25931/openrasp-result
openrasp-iast config -a APP_ID -b APP_SECRET -c BACKEND_URL -m mysql://rasp:rasp123@127.0.0.1/openrasp
openrasp-iast start -f
openrasp-iast start
^/logout\.php.*
RUN apk add --no-cache gcompat libcurl libstdc++
ln -s /lib64/ld-linux-x86-64.so.2 /lib/ld-linux-x86-64.so.2
ADD https://packages.baidu.com/app/openrasp/release/latest/rasp-java.tar.gz /tmp
RUN cd /tmp \
&& tar -xf rasp-java.tar.* \
&& /jdk/bin/java -jar rasp-*/RaspInstall.jar -install /tomcat/ -appid XXX -appsecret XXX -backendurl XXX \
&& rm -rf rasp-*
ADD https://packages.baidu.com/app/openrasp/release/latest/rasp-java.tar.gz /tmp
RUN cd /tmp \
&& tar -xf rasp-java.tar.* \
&& mv rasp-*/rasp/ /rasp/ \
&& rm -f rasp-java.tar.gz
RUN echo "cloud.enable: true" >> /rasp/conf/openrasp.yml \
&& echo "cloud.backend_url: XXX" >> /rasp/conf/openrasp.yml \
&& echo "cloud.app_id: XXX" >> /rasp/conf/openrasp.yml \
&& echo "cloud.app_secret: XXX" >> /rasp/conf/openrasp.yml
RUN java -javaagent:"/rasp/rasp.jar" -jar /springboot.jar
ADD https://packages.baidu.com/app/openrasp/release/latest/rasp-php-linux.tar.bz2 /tmp/
RUN cd /tmp \
&& tar -xf rasp-php-linux.tar.bz2 \
&& php rasp-php-*/install.php -d /opt/rasp/ --backend-url XXX --app-id XXX --app-secret XXX \
&& rm -rf rasp-php*
proxy_set_header ClientIP $remote_addr;
[openrasp]
BREAK_ONLY_BEFORE = \d\d?:\d\d:\d\d
SEDCMD-StripHeader = s/^[^{]+//
KV_MODE = json
pulldown_type = true
# Change the default maximum line length (in bytes)
TRUNCATE = 320000export OPENRASP_V8_OPTIONS="--max-old-space-size=20 --max-semi-space-size=2"#!/bin/sh
export OPENRASP_V8_OPTIONS="--max-old-space-size=20 --max-semi-space-size=2"
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.export OPENRASP_V8_OPTIONS="--max-old-space-size=20 --max-semi-space-size=2"
java -jar XXX.jar [其他参数]chmod 777 -R /opt/inforsuiteas/rasp-javaagent:${com.cvicse.loong.las.installRoot}\rasp\rasp.jar-javaagent:${com.cvicse.loong.las.installRoot}/rasp/rasp.jar<jvm-options>-javaagent:${com.cvicse.loong.las.installRoot}/rasp/rasp.jar</jvm-options>chmod 777 -R /opt/IBM/WebSphere/AppServer/rasp-javaagent:${WAS_INSTALL_ROOT}\rasp\rasp.jar-javaagent:${WAS_INSTALL_ROOT}/rasp/rasp.jar************ Start Display Current Environment ************
Log file started at: [18-11-13 20:10:08:993 CST]
************* End Display Current Environment *************
Exception in thread "Thread-8" java.security.AccessControlException: Access denied (java.lang.RuntimePermission accessDeclaredMembers)
at java.security.AccessController.checkPermission(AccessController.java:132)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:544)
at java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1689)
at java.lang.Class.checkMemberAccess(Class.java:117)
at java.lang.Class.getDeclaredConstructor(Class.java:465)
at com.baidu.openrasp.gson.internal.ConstructorConstructor.newDefaultConstructor(ConstructorConstructor.java:82)
at com.baidu.openrasp.gson.internal.ConstructorConstructor.get(ConstructorConstructor.java:66)
at com.baidu.openrasp.gson.internal.bind.MapTypeAdapterFactory.create(MapTypeAdapterFactory.java:128)
at com.baidu.openrasp.gson.Gson.getAdapter(Gson.java:349)
at com.baidu.openrasp.gson.Gson.toJson(Gson.java:574)
at com.baidu.openrasp.gson.Gson.toJson(Gson.java:561)
at com.baidu.openrasp.gson.Gson.toJson(Gson.java:516)
at com.baidu.openrasp.gson.Gson.toJson(Gson.java:496)
at com.baidu.openrasp.cloud.Register$RegisterThread.run(Register.java:50)
at java.lang.Thread.run(Thread.java:773)grant codeBase "file:${was.install.root}/rasp/*" {
permission java.security.AllPermission;
};chmod 777 -R /opt/PAS安装目录/rasp -javaagent:${PAS_Home}/rasp/rasp.jar -javaagent:${PAS_Home}/rasp/rasp.jar input {
file {
path => ["/home/tomcat/rasp/logs/alarm/*.log*"]
start_position => "beginning"
}
}
filter {
json {
source => "message"
}
}
output {
stdout {
codec => rubydebug
}
}
output {
elasticsearch {
hosts => ["192.168.154.200:9200"]
index => "rasp-%{+YYYY.MM.dd}"
}
}
curl '192.168.154.200:9200/rasp-*/_count'
{"count":420,"_shards":{"total":5,"successful":5,"failed":0}}
{"error":"IndexMissingException[[attack] missing]","status":404}
openrasp-iast config -o /path/to/config.yaml -a X -b Y -c Z -m mysql://xxx
openrasp-iast start -f -c /path/to/config.yaml
java -jar RaspInstall.jar -uninstall <app_home>
# <server_pid> 为服务器进程 id
# $JAVA_HOME 为 jdk 根目录环境变量,如果未指定该环境变量,替换为 jdk 的完整根目录
java -Xbootclasspath/a:$JAVA_HOME/lib/tools.jar -jar RaspInstall.jar -uninstall <app_home> -pid <server_pid>
# <server_pid> 为服务器进程 id
java -jar RaspInstall.jar -uninstall <app_home> -pid <server_pid>
php uninstall.php -d <openrasp_rootdir>
extension=openrasp.so
openrasp.root_dir=/opt/rasp
...both
tomcat
admin
123456<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<!-- 如下就开启了 default sevelet 的 Directory Listing 功能-->
<param-name>listings</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>include("http://xxxxx")X-Powered-By: PHP/5.1.2-1wp_config.php - wordpress 安装时需要写配置文件,如果是安装好的可忽略
201704_cplog.php - discuz 错误日志,经常更新
runtime/cache/ - thinkphp 框架页面缓存
...GET /download.php?file=./../..///././../../etc/resolv.confvar forcefulBrowsing = {
...
// 目录探针 - webshell 查看频次最高的目录
unwantedDirectory: [
],
// 文件探针 - webshell 查看频次最高的文件
absolutePaths: [
]
...
} function_count: {
chr: 5,
char: 5
}GET /ssrf.php?url=http://test.baidu.com<!-- Added by OpenRASP -->
<script type="text/javascript">
alert('Hello from OpenRASP - https://rasp.baidu.com');
</script>
<!-- End added by OpenRASP -->hooks.ignore: http_output<!-- Added by OpenRASP -->
<script type="text/javascript">
alert('Hello from OpenRASP - https://rasp.baidu.com');
</script>
<!-- End added by OpenRASP -->hook.white:
"*":
- "ssrf"
"www.baidu.com":
- "all"
"pma.baidu.com/phpmyadmin/":
- "sql"{
...
"attack_type": "readFile",
...
}var algorithmConfig = {
// 快速设置
meta: {
// 若 all_log 开启,表示为观察模式,会将所有的 block 都改为 log
all_log: true,
// 若 is_dev 开启,表示为线下环境,将开启更多消耗性能的检测算法
is_dev: false,
// schema 版本
schema_version: 1
},
...var algorithmConfig = {
...
xss_userinput: {
name: '算法2 - 拦截输出在响应里的反射 XSS',
action: 'block',
filter_regex: "<![\\-\\[A-Za-z]|<([A-Za-z]{1,12})[\\/ >]",
min_length: 15,
},
...
}var algorithmConfig = {
// 快速设置
meta: {
// 若 all_log 开启,表示为观察模式,会将所有的 block 都改为 log
all_log: true,
// 若 is_dev 开启,表示为线下环境,将开启更多消耗性能的检测算法
is_dev: false,
// 若 log_event 开启,将打印应用行为信息到 plugin.log
log_event: false,
// schema 版本
schema_version: 1
},
...2022-03-07 15:05:56,658 INFO [http-nio-8080-exec-1][com.baidu.openrasp.plugin.js.log] http://127.0.0.1:8080/ [official] JNDI lookup: ldap://127.0.0.1:1389/a [ 'com.sun.jndi.toolkit.url.GenericURLContext.lookup',
'com.sun.jndi.url.ldap.ldapURLContext.lookup',
'javax.naming.InitialContext.lookup',
'org.apache.logging.log4j.core.net.JndiManager.lookup',
'org.apache.logging.log4j.core.lookup.JndiLookup.lookup',
'org.apache.logging.log4j.core.lookup.Interpolator.lookup',
...]plugin.log('初始化成功')2017-10-18 17:30:34,781 INFO [main][com.baidu.openrasp.plugin.log] [offical] 初始化成功2017-10-18 17:40:01,402 INFO [main][com.baidu.openrasp.plugin.log] org.mozilla.javascript.EvaluatorException: unterminated string literal (plugin.js#335)inject.custom_headers:
X-Protected-By: OpenRASP
# X-Content-Type-Options: nosniff
# X-Frame-Options: deny
# X-XSS-Protection: 1; mode=block
# X-Download-Options: noopeninject.custom_headers:
# X-Protected-By: OpenRASP
# X-Content-Type-Options: nosniff
# X-Frame-Options: deny
# X-XSS-Protection: 1; mode=block
# X-Download-Options: noopen

/tomcat/rasp/logs/alarm/alarm.log
/tomcat/rasp/logs/alarm/alarm.log.2018-12-04
.../opt/rasp/logs/alarm/alarm.log.2018-12-16{
"@timestamp": 1618894722217,
"app_id": "88cce00aa5a5207f2d13250f892bdcb96c46f080",
"app_name": "Demo App",
"attack_count": 2,
"attack_location": {
"latitude": 0,
"location_en": "-",
"location_zh_cn": "-",
"longitude": 0
},
"attack_params": {
"command": "cmd /c calc",
"env": [],
"stack": [
"java.base/java.lang.ProcessImpl.<init>(ProcessImpl.java)",
"java.base/java.lang.ProcessImpl.start(ProcessImpl.java:244)",
"java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1109)",
"java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1073)",
"java.base/java.lang.Runtime.exec(Runtime.java:590)",
"java.base/java.lang.Runtime.exec(Runtime.java:414)",
"java.base/java.lang.Runtime.exec(Runtime.java:311)",
"org.apache.jsp._004_002dcommand_002d1_jsp._jspService(_004_002dcommand_002d1_jsp.java:136)",
"org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)",
"javax.servlet.http.HttpServlet.service(HttpServlet.java:741)",
"org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476)",
"org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)",
"org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)",
"javax.servlet.http.HttpServlet.service(HttpServlet.java:741)",
"org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)",
"org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)",
"org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)",
"org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)",
"org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)",
"org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)",
"org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)",
"org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)",
"org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)",
"org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)",
"org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668)",
"org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)",
"org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)",
"org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)",
"org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)",
"org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:834)",
"org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417)",
"org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)",
"java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)",
"java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)",
"org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)",
"java.base/java.lang.Thread.run(Thread.java:831)"
]
},
"attack_source": "127.0.0.1",
"attack_type": "command",
"body": "",
"client_ip": "",
"event_level": "critical",
"event_time": "2021-04-20T12:58:42+0800",
"event_type": "attack",
"header": {
"accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"accept-encoding": "gzip, deflate, br",
"accept-language": "en,zh-CN;q=0.9,zh;q=0.8,la;q=0.7",
"connection": "keep-alive",
"cookie": "JSESSIONID=FA7196A1FDE61D1795DCEB3280890E14",
"dnt": "1",
"host": "127.0.0.1:8080",
"referer": "http://127.0.0.1:8080/vulns/004-command-1.jsp",
"upgrade-insecure-requests": "1",
"user-agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0"
},
"id": "5f425ea2234ca4d4bcd991108affff8c",
"intercept_state": "log",
"parameter": {
"form": "{\"cmd\":[\"cmd /c calc\"]}",
"json": "{}",
"multipart": "[]"
},
"path": "/vulns/004-command-1.jsp",
"plugin_algorithm": "command_other",
"plugin_confidence": 90,
"plugin_message": "Command execution - Logging all command execution by default, command is cmd /c calc",
"plugin_name": "official",
"rasp_id": "520d19c523509c53025d66e67e394ab2",
"rasp_version": "1.3.6",
"request_id": "c7229f3f91e34e95902c7ada3b17865d",
"request_method": "get",
"server_hostname": "YOUR_COMPUTER",
"server_ip": "127.0.0.1",
"server_nic": [
{
"ip": "192.168.154.1",
"name": "vmnet8"
},
{
"ip": "172.16.177.1",
"name": "vmnet1"
},
{
"ip": "172.24.172.41",
"name": "en0"
}
],
"server_type": "tomcat",
"server_version": "9.0.14.0",
"source_code": "",
"stack_md5": "c0eccc0d41f14fcef3f0a6d7521d0875",
"target": "127.0.0.1",
"upsert_id": "5f425ea2234ca4d4bcd991108affff8c",
"url": "http://127.0.0.1:8080/vulns/004-command-1.jsp?cmd=cmd+/c+calc"
}{
"event_type": "security_policy",
"event_time" : "2017-04-01T08:00:00Z",
"policy_id": "3002",
"server_hostname": "my-bloodly-hostname",
"server_nic": {
{
"name": "eth0",
"ip": "10.10.1.131"
},
{
"name": "eth0",
"ip": "192.168.1.150"
}
},
"server_type": "Tomcat",
"stack_trace": "org.apache.catalina.startup.Catalina.start(Catalina.java)\nsun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\nsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)\nsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\njava.lang.reflect.Method.invoke(Method.java:606)\norg.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)\norg.apache.catalina.startup.Bootstrap.main(Bootstrap.java:428)\n"
"server_version": "7.0.15",
"message": "Tomcat 不应该以root权限启动",
"policy_params": {
"pid": 1023
}
}2021-01-04 10:11:39,627 INFO [http-bio-8080-exec-2][com.baidu.openrasp.plugin.js.log] http://127.0.0.1:8080/vulns/004-command-1.jsp [official] Read file: /usr/local/apache-tomcat-7.0.78/webapps/vulns/004-command-1.jsp
2021-01-04 10:11:40,882 INFO [http-bio-8080-exec-1][com.baidu.openrasp.plugin.js.log] http://127.0.0.1:8080/vulns/004-command-1.jsp [official] Execute command: cp /etc/passwd /tmp/ [ 'java.lang.UNIXProcess.<init>',
'java.lang.ProcessImpl.start',
'java.lang.ProcessBuilder.start',
'java.lang.Runtime.exec',
'java.lang.Runtime.exec',
'java.lang.Runtime.exec',
'org.apache.jsp._004_002dcommand_002d1_jsp._jspService',
'org.apache.jasper.runtime.HttpJspBase.service',
'javax.servlet.http.HttpServlet.service',
'org.apache.jasper.servlet.JspServletWrapper.service',
'org.apache.jasper.servlet.JspServlet.serviceJspFile',
'org.apache.jasper.servlet.JspServlet.service',
'javax.servlet.http.HttpServlet.service',
'org.apache.catalina.core.ApplicationFilterChain.internalDoFilter',
'org.apache.catalina.core.ApplicationFilterChain.doFilter',
'org.apache.tomcat.websocket.server.WsFilter.doFilter',
'org.apache.catalina.core.ApplicationFilterChain.internalDoFilter',
'org.apache.catalina.core.ApplicationFilterChain.doFilter',
'org.apache.catalina.core.StandardWrapperValve.invoke',
'org.apache.catalina.core.StandardContextValve.invoke',
'org.apache.catalina.authenticator.AuthenticatorBase.invoke',
'org.apache.catalina.core.StandardHostValve.invoke',
'org.apache.catalina.valves.ErrorReportValve.invoke',
'org.apache.catalina.valves.AccessLogValve.invoke',
'org.apache.catalina.core.StandardEngineValve.invoke',
'org.apache.catalina.connector.CoyoteAdapter.service',
'org.apache.coyote.http11.AbstractHttp11Processor.process',
'org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process',
'org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run',
'java.util.concurrent.ThreadPoolExecutor.runWorker',
'java.util.concurrent.ThreadPoolExecutor$Worker.run',
'org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run',
'java.lang.Thread.run' ]{
"page":1,
"perpage":10,
"data":{
"version":"official-101"
}
5%,请参考性能调试 文档,采集调试数据,然后加入QQ群联系群主。我们会在第一时间进行分析,并尽快解决问题。




# 使用 JDK6 + maven 3.2.3 编译 Java agent
make -C src/openrasp-buildenv compile_java
# 使用 CentOS 6 + gcc 4.9 编译 PHP agent 5.3~5.6, 7.0-7.2 等多个版本
make -C src/openrasp-buildenv compile_php
# 使用 CentOS 6 + go + nodejs 编译管理后台
make -C src/openrasp-buildenv compile_panel
# 执行上面所有步骤
make -C src/openrasp-buildenv compileJAVA_OPTS="-javaagent:\"${CATALINA_HOME}/rasp/rasp.jar\" ${JAVA_OPTS}"
JAVA_OPTS="-agentlib:jdwp=transport=dt_socket,address=1043,server=y,suspend=y ${JAVA_OPTS}"if "%ACTION%" == "start" set JAVA_OPTS="-javaagent:%CATALINA_HOME%\rasp\rasp.jar" %JAVA_OPTS%
if "%ACTION%" == "start" set JAVA_OPTS=-agentlib:jdwp=transport=dt_socket,address=1043,server=y,suspend=y %JAVA_OPTS%
2018-01-18 20:06:37,075 INFO [http-bio-8080-exec-1][com.baidu.openrasp.HookHandler] request_id=27d98d7827f04892b31bb6fe7a0fa4f0 type=request time=0
2018-01-18 20:06:37,079 INFO [http-bio-8080-exec-1][com.baidu.openrasp.HookHandler] request_id=27d98d7827f04892b31bb6fe7a0fa4f0 type=readFile time=3
2018-01-18 20:06:37,553 INFO [http-bio-8080-exec-1][com.baidu.openrasp.HookHandler] request_id=754515705fd942708efafe7c66d955be type=request time=0
2018-01-18 20:06:38,843 INFO [http-bio-8080-exec-1][com.baidu.openrasp.HookHandler] request_id=2cc0377881cd42a09868d017a276c405 type=request time=02018-07-25T16:28:14+08:00 [event-logger] 999-event-logger: 初始化成功
2018-07-25T16:28:19+08:00 [event-logger] 读取文件: /etc/hostsgdb php -ex "run -S 0.0.0.0:8123"{
"page": 1,
"perpage": 10,
"total": 1,
"total_page": 1,
"status":0,
"description":"ok",
"data":{
"version":"official-101"
}
}{
"data": {},
"description": "ok",
"status": 0
}{
"data": {
"version": "1.3.5",
"build_time": "2020-09-02 17:35:04",
"commit_id": "055ddf48c789cd776c06c52307c716156b9f6048"
},
"description": "ok",
"status": 0
}{
"username":"openrasp",
"password":"admin@123"
}{
"data": {},
"description": "ok",
"status": 0
}{
"data": {},
"description": "ok",
"status": 0
}{
"data": {},
"description": "ok",
"status": 0
}{
"data": {
"is_default":true,
},
"description": "ok",
"status": 0
}{
"old_password":"admin@123",
"new_password":"admin*123"
}{
"data": {},
"description": "ok",
"status": 0
}{
"data": {
"id": "c593342c72eb78fc8e7393d0a87b8f3fc54dfbec8835250641a6dbd9973ae981b4b7abc4",
"app_id": "c593342c72eb78fc8e7393d0a87b8f3fc54dfbec",
"upload_time": 1542177395622,
"version": "'2018-1025-1600'",
"name": "official",
"md5": "8835250641a6dbd9973ae981b4b7abc4",
"plugin": "/*js plugin content*/",
"algorithm_config": {
"command_other": {
"action": "log"
},
"command_reflect": {
"action": "block"
},
"fileUpload_multipart_script": {
"action": "block"
},
"fileUpload_webdav": {
"action": "block"
}
},
"description": "ok",
"status": 0
}{
"id":"47af9da31ec3f233f35a25776f5e06086ebf239ff60a021ada4750b65640d0d24b9ae382"
}{
"data": {
"id": "7c70d5ba5547e77a6f9ad5d376b92fe7e47da7c4",
"app_id": "fcbc4d8ac6bcaac27b1cc4703e5339a4aa6e8a1c",
"name": "official",
"upload_time": 1546595795342,
"version": "2018-1227-1200",
"md5": "4259002c18ff3a9f40b44e91824ba0cf",
"algorithm_config": {
"xxe_file": {
"action": "log",
"name": "算法2 - 使用 file:// 协议读取文件",
"reference": "https://rasp.baidu.com/doc/dev/official.html#case-xxe"
},
"xxe_protocol": {
"action": "block",
"name": "算法1 - 使用 ftp:// 等异常协议加载外部实体",
"protocols": ["ftp", "dict", "gopher", "jar", "netdoc"]
}
... 忽略
}
},
"description": "ok",
"status": 0
}{
"id":"47af9da31ec3f233f35a25776f5e06086ebf239f3f35a25776f5e06086ebf239f",
"config":{
"xxe_file": {
"action": "log",
"name": "算法2 - 使用 file:// 协议读取文件",
"reference": "https://rasp.baidu.com/doc/dev/official.html#case-xxe"
},
"xxe_protocol": {
"action": "block",
"name": "算法1 - 使用 ftp:// 等异常协议加载外部实体",
"protocols": ["ftp", "dict", "gopher", "jar", "netdoc"]
}
... 忽略
}
}{
"data": {},
"description": "ok",
"status": 0
}{
"id":"47af9da31ec3f233f35a25776f5e06086ebf239ff60a021ada4750b65640d0d24b9ae382"
}{
"data": {},
"description": "ok",
"status": 0
}{
"id":"47af9da31ec3f233f35a25776f5e06086ebf239ff60a021ada4750b65640d0d24b9ae382"
}{
"data": {},
"description": "ok",
"status": 0
}{
"name":"Java 测试",
"language":"java",
"description":"openrasp protected",
"selected_plugin_id":"47af9da31ec3f233f35a25776f5e0608w6ebf239ff60a021ada4750b65640d0d24b9ae382"
}{
"data": {
"id": "1107158fb4cd0a901de850b2c64fab5faf0837d3",
"name": "Java 测试",
"language":"java",
"create_time":1545984191,
"secret":"SFklSJ5_DF125IKn15SDF-1SD141Af1",
"description": "openrasp protected",
"config_time": 0,
"general_config": {
"block.content.html": "</script><script>\n location.href=\"https://rasp.baidu.com/blocked2/?request_id=%request_id%\"\n </script>",
"block.content_json": "{\"error\":true,\"reason\": \"Request blocked by OpenRASP\",\"request_id\": \"%request_id%\"}",
"block.content_xml": "<?xml version=\"1.0\"?>\n\t\t\t\t\t\t\t <doc>\n\t\t\t\t\t\t\t <error>true</error>\n\t\t\t\t\t\t\t <reason>Request blocked by OpenRASP</reason>\n\t\t\t\t\t\t\t <request_id>%request_id%</request_id>\n\t\t\t\t\t\t\t </doc>",
"block.redirect_url": "https://rasp.baidu.com/blocked/?request_id=%request_id%",
"block.status_code": 302,
"body.maxbytes": 4096,
"clientip.header": "ClientIP",
"ognl.expression.minlength": 30,
"plugin.filter": true,
"plugin.maxstack": 100,
"plugin.timeout.millis": 100
},
"whitelist_config": {},
"selected_plugin_id": "",
"email_alarm_conf": {
"enable": false,
"tls_enable": false,
"server_addr": "",
"username": "",
"password": "",
"subject": "",
"recv_addr": []
},
"ding_alarm_conf": {
"enable": false,
"agent_id": "",
"corp_id": "",
"corp_secret": "",
"recv_user": [],
"recv_party": []
},
"http_alarm_conf": {
"enable": false,
"recv_addr": []
},
"attack_type_alarm_conf":null,
"algorithm_config":{}
},
"description": "ok",
"status": 0
}{
"id":"a8604735911f1866029401c6766ba87f685ff037"
}{
"data": {},
"description": "ok",
"status": 0
}{
"app_id":"569e8ea7a16123492b5878920fd36985"
}{
"app_name": "示例"
}{
"page":1,
"perpage":10
}{
"status":0,
"description":"ok",
"data":{
"id":"569e8ea7a16123492b5878920fd36985"
"name":"Java 测试",
"description":"openrasp protected",
"config_time":155536548555,
"create_time":154598419100,
"language":"java",
"general_config":{
"plugin.timeout.millis":500,
"security.enforce_policy":true,
...
}
...
}
}{
"status":0,
"description":"ok",
"page": 1,
"perpage": 10,
"total": 1,
"total_page": 1,
"data":[
{
"id":"569e8ea7a16123492b5878920fd36985"
"name":"Java 测试",
"description":"openrasp protected",
"config_time":155536548555,
"create_time":154598419100,
"language":"java",
"general_config":{
"plugin.timeout.millis":500,
"security.enforce_policy":true,
...
}
}
]
}{
"app_id": "47af9da31ec3f233f35a25776f5e06086ebf239f",
"config": {
"block.content_html": "</script><script>location.href=\"https://rasp.baidu.com/blocked2/?request_id=%request_id%\"</script>",
"block.content_json": "{\"error\":true,\"reason\": \"Request blocked by OpenRASP\",\"request_id\": \"%request_id%\"}",
"block.content_xml": "<?xml version=\"1.0\"?><doc><error>true</error><reason>Request blocked by OpenRASP</reason><request_id>%request_id%</request_id></doc>",
"block.redirect_url": "https://rasp.baidu.com/blocked/?request_id=%request_id%",
"block.status_code": 403,
"body.maxbytes": 12288,
"clientip.header": "ClientIP",
"cpu.usage.enable": false,
"cpu.usage.interval": 5,
"cpu.usage.percent": 90,
"debug.level": 0,
"decompile.enable": false,
"dependency_check.interval": 100,
"fileleak_scan.interval": 21600,
"fileleak_scan.limit": 100,
"fileleak_scan.name": "\\.(git|svn|tar|gz|rar|zip|sql|log)$",
"inject.custom_headers": {
"X-Protected-By": "OpenRASP"
},
"log.maxbackup": 30,
"log.maxburst": 100,
"log.maxstack": 100,
"lru.compare_enable": false,
"lru.compare_limit": 10240,
"lru.max_size": 1000,
"ognl.expression.minlength": 30,
"plugin.filter": true,
"plugin.maxstack": 100,
"plugin.timeout.millis": 100,
"request.param_encoding": "openrasp",
"response.sampler_burst": 5,
"response.sampler_interval": 60,
"security.weak_passwords": [],
"syslog.enable": false,
"syslog.facility": 1,
"syslog.tag": "OpenRASP",
"syslog.url": ""
}
}{
"app_id":"e64071cf900944b701213a6f17d36e0d18d8b6ab",
"config":[
{
"url":"www.asod.com/sss/sss",
"hook":{
"sql":true,
"ssrf":false
},
"description":""
}
]
}{
"app_id":"47af9da31ec3f233f35a25776f5e06086ebf239f",
"attack_type_alarm_conf":{
"sql":["email","ding","http"],
"xxe":["email"]
},
"email_alarm_conf": {
"enable":false,
"tls_enable":false,
"server_addr":"email.qq.com:445",
"username":"123456789@qq.com",
"password":"4354edfwe",
"subject":"openrasp alarm",
"recv_addr":["165165@163.com"]
},
"ding_alarm_conf": {
"enable":false,
"agent_id":"1s6ef5w1ef6",
"corp_id":"1r5thnb5",
"corp_secret":"d512c5f5fg546sdg5",
"recv_user":["5sdf5","87njy7uoi"],
"recv_party":["8ik44ws"]
},
"http_alarm_conf": {
"enable":false,
"recv_addr":["www.opff.com"]
},
"general_alarm_conf":{
"alarm_check_interval":120
},
"kafka_alarm_conf":{
"url":"1.1.1.1:6666",
"user":"",
"pwd":"",
"enable":true,
"topic":"OpenRASP"
}
}{
"app_id":"47af9da31ec3f233f35a25776f5e06086ebf239f",
"name":"myapp",
"language":"php",
"description":"php应用"
}{
"app_id":"47af9da31ec3f233f35a25776f5e06086ebf239f",
"page":1,
"perpage":15
}{
"data": {
"page": 1,
"perpage": 15,
"total": 2,
"total_page": 1,
"data": [
{
"id": "47af9da31ec3f233f35a25776f5e06086ebf239ff60a021ada4750b65640d0d24b9ae382",
"app_id": "47af9da31ec3f233f35a25776f5e06086ebf239f",
"upload_time": 1540992061040,
"version": "2018-1016-1000",
"md5": "f60a021ada4750b65640d0d24b9ae382"
...
},
{
"id": "47af9da31ec3f233f35a25776f5e06086ebf239f914450bbf9309777723f38facfa8183f",
"app_id": "47af9da31ec3f233f35a25776f5e06086ebf239f",
"upload_time": 1540979046327,
"version": "2018-1016-0000",
"md5": "914450bbf9309777723f38facfa8183f"
...
}
]
},
"description": "ok",
"status": 0
}{
"app_id": "47af9da31ec3f233f35a25776f5e06086ebf239f"
}{
"data": {
"id": "47af9da31ec3f233f35a25776f5e06086ebf239ff60a021ada4750b65640d0d24b9ae382",
"app_id": "47af9da31ec3f233f35a25776f5e06086ebf239f",
"upload_time": 1540985045544,
"version": "2018-1016-1000",
"md5": "f60a021ada4750b65640d0d24b9ae382"
...
},
"description": "ok",
"status": 0
}{
"app_id": "47af9da31ec3f233f35a25776f5e06086ebf239f",
"plugin_id":"47af9da31ec3f233f35a25776f5e06086ebf239ff60a021ada4750b65640d0d24b9ae382"
}{
"data": {},
"description": "ok",
"status": 0
}{
"app_id": "47af9da31ec3f233f35a25776f5e06086ebf239f"
}{
"data": {},
"description": "ok",
"status": 0
}{
"app_id": "47af9da31ec3f233f35a25776f5e06086ebf239f"
}{
"data": {},
"description": "ok",
"status": 0
}{
"app_id": "47af9da31ec3f233f35a25776f5e06086ebf239f"
}{
"data": {},
"description": "ok",
"status": 0
}{
"app_id": "47af9da31ec3f233f35a25776f5e06086ebf239f"
}{
"data": {},
"description": "ok",
"status": 0
}{
"app_id": "47af9da31ec3f233f35a25776f5e06086ebf239f"
}{
"data": {
"is_latest": false,
"selected_version": "2019-0606-1802",
"latest_version": "2019-0606-1803"
},
"description": "ok",
"status": 0
}{
"page":1,
"perpage":10,
"data": {
"id": "426199dc7a15cce89b0c937a65a24a23",
"app_id": "fcbc4d8ac6bcaac27b1cc4703e5339a4aa6e8a1c",
"version": "1.0.0-RC1",
"hostname": "820c2691f452",
"register_ip": "172.17.0.2",
"language": "java",
"language_version": "1.7.0_17",
"server_type": "tomcat",
"server_version": "7.0.78.0",
"rasp_home": "/tomcat/rasp",
"plugin_version": "2018-1227-1200",
"heartbeat_interval": 180,
"online": false,
"register_time": 1546595808,
"host_type": "docker"
}
}{
"data": {
"page": 1,
"perpage": 10,
"total": 2,
"total_page": 1,
"data": [
{
"id": "426199dc7a15cce89b0c937a65a24a23",
"app_id": "fcbc4d8ac6bcaac27b1cc4703e5339a4aa6e8a1c",
"version": "1.0.0-RC1",
"hostname": "820c2691f452",
"register_ip": "172.17.0.2",
"language": "java",
"language_version": "1.7.0_17",
"server_type": "tomcat",
"server_version": "7.0.78.0",
"rasp_home": "/tomcat/rasp",
"plugin_version": "2018-1227-1200",
"heartbeat_interval": 180,
"online": false,
"last_heartbeat_time": 1546597790,
"register_time": 1546595808,
"host_type": "docker",
"environ": {
"COLORTERM": "gnome-terminal",
"DISPLAY": ":0",
}
]
},
"description": "ok",
"status": 0
}{
"data":{
"app_id":"fcbc4d8ac6bcaac27b1cc4703e5339a4aa6e8a1c",
"version":"1.3.0"
},
"page":1,
"perpage":10
}{
"data": {
"data": [
{
"version": "1.3.0",
"count": 1
}
],
"page": 1,
"perpage": 10,
"total": 1,
"total_page": 1
},
"description": "ok",
"status": 0
}{
"app_id":"94892d14c8f1dfcedb63af258cc008929c3ef4f5",
"id": "47af9da31ec3f233f35a25776f5e06086ebf239f",
"register_ip":"126.23.3.63",
"expire_time": 604800,
"host_type": "docker"
}{
"data": {
"count":1
},
"description": "ok",
"status": 0
}{
"app_id":"94892d14c8f1dfcedb63af258cc008929c3ef4f5",
"ids": [
"47af9da31ec3f233f35a25776f5e06086ebf239f",
"d64g58d4gc3fs58745sdfgd5g5s7f54e5f4s585s",
"net1d5ns8bad6584thg1s5dnbs8gbs8af5RFG415"
]
}{
"data": {
"count":1
},
"description": "ok",
"status": 0
}{
"id": "47af9da31ec3f233f35a25776f5e06086ebf239f",
"description": "this is a description"
}{
"data": {
},
"description": "ok",
"status": 0
}{
"data":{
"app_id":"f284baaeb786a8285bd1dde04a3dd7502c766c8a"
},
"page":1,
"perpage":10
}{
"data": {
"page": 1,
"perpage": 10,
"total": 1,
"total_page": 1,
"data": [
{
@timestamp: 1579597454365,
app_id: "4a335d670ec7c9353d3cf7480e68614dda087ded",
hostname: "d2e69eebfa7b",
id: "d1dd52ff8c82becccf9678b6ed09eca0",
path: ["/tomcat/bin/bootstrap.jar"],
product: "Apache Tomcat Bootstrap",
rasp_count: 1,
rasp_id: "3089c8d2672efd1ef5c3e322d9e8fcb1",
register_ip: "172.17.0.2",
search_string: "Apache Tomcat Bootstrap8.0.5",
source: "manifest_implementation",
tag: "Apache Software Foundation:Apache Tomcat Bootstrap:8.0.5",
vendor: "Apache Software Foundation",
version: "8.0.5"
}
]
},
"description": "ok",
"status": 0
}{
"data":{
"app_id":"0d46b13c2f25722e542b1a89817e1163e190fce1",
"tag":"org.apache.struts.xwork:xwork-core:2.3.14.2",
"key_word":"",
"hostname":""
},
"page":1,
"perpage":10
}{
"data": {
"page": 1,
"perpage": 10,
"total": 1,
"total_page": 1,
"data": [
{
@timestamp: 1579612005801,
app_id: "0d46b13c2f25722e542b1a89817e1163e190fce1",
hostname: "cq02-scloud-docker-trial",
id: "148f69b483fff233ee4d4f9fffbfd478",
path: ["/tomcat/bin/bootstrap.jar"],
product: "xwork-core",
rasp_count: 1,
rasp_id: "3089c8d2672efd1ef5c3e322d9e8fcb1",
register_ip: "10.58.119.17",
search_string: "Apache Tomcat Bootstrap8.0.5",
source: "manifest_implementation",
tag: "Apache Software Foundation:Apache Tomcat Bootstrap:8.0.5",
vendor: "Apache Software Foundation",
version: "2.3.14.2"
}
]
},
"description": "ok",
"status": 0
}{
"description":"xxx 认证 token"
}{
"token":"44b2b50665c9f11c73090b19c3dd787031611e80",
"description":"啄木鸟微服务认证token"
}{
"data": {
"token": "44b2b50665c9f11c73090b19c3dd787031611e80",
"description": "扫描器"
},
"description": "ok",
"status": 0
}{
"page":1,
"perpage":10
}{
"data": {
"page": 1,
"perpage": 10,
"total": 5,
"total_page": 1,
"data": [
{
"token": "349532e57aa36ee9b72a62fec8907109a016f348",
"description": "a token"
},
{
"token": "f284baaeb786a8285bd1dde04a3dd7502c766c8a",
"description": "b token"
}
]
},
"description": "ok",
"status": 0
}{
"token":"f284baaeb786a8285bd1dde04a3dd7502c766c8a"
}{
"data": {
},
"description": "ok",
"status": 0
}{
"data":{
"id": "389fdbeb0aceb154d5d5d26eba28fea9f402c945",
"type_id": 1010,
"app_id": "e64071cf900944b701213a6f17d36e0d18d8b6ab",
"user": "admin",
"ip": "127.0.0.1"
},
"start_time":1,
"end_time":1542807647000,
"page":1,
"perpage":15
}{
"data": {
"data": [
{
"id": "389fdbeb0aceb154d5d5d26eba28fea9f402c945",
"type_id": 1010,
"app_id": "e64071cf900944b701213a6f17d36e0d18d8b6ab",
"time": 1542807647000,
"user": "admin",
"content": "uploaded the plugin: ba41c57afab600c39dba7398987b159d648d0836",
"ip": "127.0.0.1"
}
],
"page": 1,
"perpage": 15,
"total": 1,
"total_page": 1
},
"description": "ok",
"status": 0
}{
"data":{
"panel_url":"126.56.23.5:8086",
"agent_url":[
"126.56.23.5:8086",
"10.23.36.122:8086",
"172.23.233.192:8086"
]
},
"description": "ok",
"status": 0
}{
"panel_url":"126.56.23.5:8086",
"agent_urls":[
"126.56.23.5:8086",
"10.23.36.122:8086",
"172.23.233.192:8086"
]
}{
"data":{
"panel_url":"126.56.23.5:8086",
"agent_urls":[
"126.56.23.5:8086",
"10.23.36.122:8086",
"172.23.233.192:8086"
]
},
"description": "ok",
"status": 0
}{
"app_id":"e64071cf900944b701213a6f17d36e0d18d8b6ab"
}{
"data": {},
"description": "ok",
"status": 0
}{
"app_id":"f284baaeb786a8285bd1dde04a3dd7502c766c8a",
"start_time":1523264521321212,
"end_time":1523267821321000,
"interval":"hour",
"time_zone":"+08:00"
}{
"data":[
{
"start_time":1523264521321212,
"request_sum":10000
},
{
"start_time":1523264521340000,
"request_sum":87
}
],
"description": "ok",
"status": 0
}{
"app_id":"f284baaeb786a8285bd1dde04a3dd7502c766c8a",
"start_time":1535600036,
"end_time":1546140836,
"interval":"month",
"time_zone":"+08:00"
}{
"data": {
"data": [
[
0,
0,
0,
1,
0
],
[
0,
0,
0,
0,
0
]
],
"labels": [
1533052800000,
1535731200000,
1538323200000,
1541001600000,
1543593600000
]
},
"description": "ok",
"status": 0
}{
"app_id":"f284baaeb786a8285bd1dde04a3dd7502c766c8a",
"start_time":1535600036,
"end_time":1546140836,
"size":10
}{
"data":[
[
"sql", 156
],
[
"xxe", 156
]
],
"description": "ok",
"status": 0
}{
"app_id":"f284baaeb786a8285bd1dde04a3dd7502c766c8a",
"start_time":1535600036,
"end_time":1546140836,
"size":10
}{
data:[
[
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36", 156
],
[
"Chrome/5.0 (X11; Linux x86_64) AppleWebKit/537.36", 156
]
],
"description": "ok",
"status": 0
}{
"data":{
"attack_type":["directory","sql"],
"app_id":"f284baaeb786a8285bd1dde04a3dd7502c766c8a",
"start_time":1523264521321,
"end_time":1523264521421
}
"page":1,
"perpage":10
}{
"data": {
"page": 1,
"perpage": 10,
"total": 500,
"total_page": 50,
"data":[
{
"attack_type":"directory",
"stack_md5":"1111121637821204cwwd2e52d62d0aa8",
"event_time":"2019-01-27T23:51:15+0800",
...
}
...
]
},
"description": "ok",
"status": 0
}{
"data":{
"attack_type":["directory","sql"],
"app_id":"f284baaeb786a8285bd1dde04a3dd7502c766c8a",
"start_time":"1523264521321",
"end_time":"1523264521421"
}
"page":1,
"perpage":10
}{
"data": {
"page": 1,
"perpage": 10,
"total": 500,
"total_page": 50,
"data":[
{
"attack_type":"directory",
"intercept_state":"block",
"plugin_confidence":100
...
}
...
]
},
"description": "ok",
"status": 0
}{
"data":{
"_id": "3456789cb45678",
"app_id":"f284baaeb786a8285bd1dde04a3dd7502c766c8a",
"start_time":"1523264521321",
"end_time":"1523264521421",
"hostname": "127.0.0.1",
"language": "java",
"rasp_id": "3089c8d2672efd1ef5c3e322d9e8fcb1",
"crash_message": "crash"
},
"page":1,
"perpage":10
}{
"data": {
"page": 1,
"perpage": 10,
"total": 500,
"total_page": 50,
"data":[
{
"language":"PHP",
... // 此处省略
},
... // 此处省略
]
},
"description": "ok",
"status": 0
}{
"data":{
"policy_id":["3004","3003"],
"app_id":"f284baaeb786a8285bd1dde04a3dd7502c766c8a",
"server_hostname":"nmg01.xx.cq",
"local_ip":"172.36.2.6",
"start_time":"1523264521321",
"end_time":"1523264521421"
},
"page":1,
"perpage":10
}{
"data": {
"page": 1,
"perpage": 10,
"total": 500,
"total_page": 50,
"data":[
{
"policy_id":"3004",
... // 此处省略
},
... // 此处省略
]
},
"description": "ok",
"status": 0
}{
"data":{
"app_id":"f284baaeb786a8285bd1dde04a3dd7502c766c8a",
"server_hostname":"nmg01.xx.cq",
"local_ip":"172.36.2.6",
"start_time":"1523264521321",
"end_time":"1523264521421"
},
"page":1,
"perpage":10
}{
"data": {
"page": 1,
"perpage": 10,
"total": 500,
"total_page": 50,
"data":[
{
"message": "HTTP request to http://scloud.baidu.com:8086/v1/agent/rasp failed:",
"server_nic": [{
"name": "en0",
"ip": "172.24.182.127"
}],
"stack_trace": "sun.reflect.NativeConstructorAccessorImpl.newInstance0(NativeMethod)",
"level": "WARN",
"event_time": "2019-01-11T13:36:46+0800",
"app_id": "9b3554a97673f1f8f5c929310298037a660d3b7a",
"pid": 58353,
"server_hostname": "localhost",
"rasp_id": "3089c8d2672efd1ef5c3e322d9e8fcb1"
}
]
},
"description": "ok",
"status": 0
}{
"id":"569e8ea7a16123492b5878920fd36985",
"version" :"v3.2",
"hostname":"tyy-OptiPlex-9020",
"register_ip":"127.56.23.4",
"language" :"java",
"language_version":"8.1" ,
"server_type":"tomcat",
"server_version":"8.5.1" ,
"heartbeat_interval":60,
"rasp_home":"/home/work/tomcat8/rasp",
"host_type":"docker",
"environ":{
"JAVA_HOME":"/home/java/jdk-7.0.25"
}
}{
"status":0,
"description":"ok",
"data":{
"id":"569e8ea7a16123492b5878920fd36985",
"app_id":"023e68ea7a12564492b5878920fd630c8",
"version" :"v3.2",
"hostname":"tyy-OptiPlex-9020",
"register_ip":"127.56.23.4",
"language" :"java",
"language_version":"8.1" ,
"server_type":"tomcat",
"server_version":"8.5.1" ,
"heartbeat_interval":60,
"rasp_home" :"/home/work/tomcat8/rasp",
"last_heartbeat_time":"15425645253",
"online":true,
"host_type":"docker",
"plugin_version":"",
"plugin_name":"",
"plugin_md5":"",
"environ":{
"JAVA_HOME":"/home/java/jdk-7.0.25"
},
"register_time":"15425645253"
}
}{
"rasp_id":"47af9da31ec3f233f35a25776f5e06086ebf239f",
"plugin_md5":"47af9da31ec3f2ebf239f",
"plugin_version":"2018-08-15 11:11:12",
"config_time":1536302712000,
"hostname":"rasp-host"
}{
"status":0,
"description":"ok",
"data":{
"plugin":{
"version":"2018-08-15 11:11:12"
"md5":"569e8ea7a16123492b5878920fd36985",
"plugin":"/*javascript*/"
},
"config_time":1536303412000,
"config":{
"block.content_html": "</script><script>location.href=\"https://rasp.baidu.com/blocked2/?request_id=%request_id%\"</script>",
"block.content_json": "{\"xxxx\":\"xxxxxx\"}",
"block.content_xml": "<?xml version=\"1.0\"?><doc><error>true</error><reason>Request blocked by OpenRASP</reason><request_id>%request_id%</request_id></doc>",
"block.redirect_url": "https://rasp.baidu.com/blocked/?request_id=%request_id%",
"block.status_code": 302,
"body.maxbytes": 4096,
"clientip.header": "ClientIP",
"debug.level": 0,
"decompile.enable": true,
"inject.custom_headers": {},
"log.maxbackup": 30,
"log.maxburst": 100,
"ognl.expression.minlength": 30,
"plugin.filter": true,
"plugin.maxstack": 100,
"plugin.timeout.millis": 100,
"syslog.enable": false,
"syslog.facility": 1,
"syslog.tag": "OpenRASP",
"syslog.url": "",
"hook.white":{
"www.test.com/test1":[sql,ssrf],
"www.test.com/test2":[sql,ssrf],
"*":[all]
}
}
}
}{
"rasp_id":"569e8ea7a16123492b5878920fd36985",
"time":15665422321,
"request_sum":10000
}{
"status":0,
"description":"ok",
"data":{}
}{
"status":0,
"description":"ok",
"data":{}
}[
{
"rasp_id":"545e8336cf5b612f358ae51ff0466476",
"app_id":"5f1b8ba39b85e2f857f6b219156470e648fd2b4f",
"server_nic": [{
"name": "cscotun0",
"ip": "172.23.232.63"
}, {
"name": "vmnet8",
"ip": "172.16.75.1"
}, {
"name": "docker0",
"ip": "172.17.0.1"
}, {
"name": "eno1",
"ip": "172.20.94.78"
}],
"event_type": "attack",
"attack_source": "127.0.0.1",
"attack_type": "command",
"plugin_name": "official",
"url": "http://127.0.0.1:8396/vulns/004-command-1.jsp?cmd\u003dcp+/etc/passwd+/tmp/",
"header": {
"cookie": "JSESSIONID\u003dF11746396310A9E88FF1C44F98B958EE; ADMINCONSOLESESSION\u003dv165dQlfGTrfpxDBdDkhTHmqVR2gYbMP57pJyRvyKsD4RcTC12N0!2052002414; JSESSIONID\u003dTkSZdRVGCnpRjYwp15dtrlnZRcFrq2q2qQ2H1fchYLstJX1BkvpF!-354254474",
"connection": "keep-alive",
"accept-language": "zh,en-US;q\u003d0.9,en;q\u003d0.8,zh-CN;q\u003d0.7",
"host": "127.0.0.1:8396",
"sec-fetch-mode": "navigate",
"accept": "text/html,application/xhtml+xml,application/xml;q\u003d0.9,image/webp,image/apng,*/*;q\u003d0.8,application/signed-exchange;v\u003db3",
"user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/76.0.3809.87 Chrome/76.0.3809.87 Safari/537.36",
"accept-encoding": "gzip, deflate, br",
"referer": "http://127.0.0.1:8396/vulns/004-command-1.jsp",
"sec-fetch-site": "same-origin",
"upgrade-insecure-requests": "1"
},
"server_type": "tomcat",
"client_ip": "",
"server_hostname": "tyy-work",
"source_code": "",
"request_method": "get",
"plugin_confidence": 90,
"request_id": "d65f0a1cf2e24951b3eb34ed25378e75",
"intercept_state": "block",
"server_version": "8.5.30.0",
"server_ip": "127.0.0.1",
"attack_params": {
"command": "cp /etc/passwd /tmp/",
"stack": ["java.lang.UNIXProcess.\u003cinit\u003e", "java.lang.ProcessImpl.start", "java.lang.ProcessBuilder.start", "java.lang.Runtime.exec", "java.lang.Runtime.exec", "java.lang.Runtime.exec", "org.apache.jsp._004_002dcommand_002d1_jsp._jspService", "org.apache.jasper.runtime.HttpJspBase.service", "javax.servlet.http.HttpServlet.service", "org.apache.jasper.servlet.JspServletWrapper.service", "org.apache.jasper.servlet.JspServlet.serviceJspFile", "org.apache.jasper.servlet.JspServlet.service", "javax.servlet.http.HttpServlet.service", "org.apache.catalina.core.ApplicationFilterChain.internalDoFilter", "org.apache.catalina.core.ApplicationFilterChain.doFilter", "org.apache.tomcat.websocket.server.WsFilter.doFilter", "org.apache.catalina.core.ApplicationFilterChain.internalDoFilter", "org.apache.catalina.core.ApplicationFilterChain.doFilter", "org.apache.catalina.core.StandardWrapperValve.invoke", "org.apache.catalina.core.StandardContextValve.invoke", "org.apache.catalina.authenticator.AuthenticatorBase.invoke", "org.apache.catalina.core.StandardHostValve.invoke", "org.apache.catalina.valves.ErrorReportValve.invoke", "org.apache.catalina.valves.AbstractAccessLogValve.invoke", "org.apache.catalina.core.StandardEngineValve.invoke", "org.apache.catalina.connector.CoyoteAdapter.service", "org.apache.coyote.http11.Http11Processor.service", "org.apache.coyote.AbstractProcessorLight.process", "org.apache.coyote.AbstractProtocol$ConnectionHandler.process", "org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun", "org.apache.tomcat.util.net.SocketProcessorBase.run", "java.util.concurrent.ThreadPoolExecutor.runWorker", "java.util.concurrent.ThreadPoolExecutor$Worker.run", "org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run", "java.lang.Thread.run"]
},
"plugin_message": "WebShell detected - Executing command: cp /etc/passwd /tmp/",
"path": "/vulns/004-command-1.jsp",
"target": "127.0.0.1",
"event_time": "2019-08-13T20:24:51+0800",
"plugin_algorithm": "command_userinput",
"body":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
]{
"status":0,
"description":"ok",
"data":{
"count":1
}
}{
"dependency": [{
"product": "rasp-engine",
"version": "1.3.0",
"vendor": "com.baidu.openrasp",
"path": "/home/work/rasp/rasp-engine.jar",
"source": "pom"
}, {
"product": "rasp-engine",
"version": "7.0.78",
"vendor": "Apache Software Foundation",
"path": "/home/work/rasp/rasp-engine.jar",
"source": "manifest_implementation"
}, {
"product": "Bootstrap",
"version": "7.0.78",
"vendor": "Apache Software Foundation",
"path": "/home/work/rasp/bin/bootstrap.jar",
"source": "manifest_implementation"
}],
"rasp_id": "3089c8d2672efd1ef5c3e322d9e8fcb1"
}{
"data": {
},
"description": "ok",
"status": 0
}[
{
"app_id": "fcbc4d8ac6bcaac27b1cc4703e5339a4aa6e8a1c",
"rasp_id": "426199dc7a15cce89b0c937a65a24a23",
"event_time": "2019-01-04T09:56:48+0000",
"event_type": "security_policy",
"message": "Java security baseline - should not start application server with root account",
"policy_id": "3002",
"policy_params": {
"pid": 431,
"stack":["java.lang.UNIXProcess.\u003cinit\u003e", "java.lang.ProcessImpl.start", "java.lang.ProcessBuilder.start", "java.lang.Runtime.exec", "java.lang.Runtime.exec", "java.lang.Runtime.exec", "org.apache.jsp._004_002dcommand_002d1_jsp._jspService", "org.apache.jasper.runtime.HttpJspBase.service", "javax.servlet.http.HttpServlet.service", "org.apache.jasper.servlet.JspServletWrapper.service", "org.apache.jasper.servlet.JspServlet.serviceJspFile", "org.apache.jasper.servlet.JspServlet.service", "javax.servlet.http.HttpServlet.service", "org.apache.catalina.core.ApplicationFilterChain.internalDoFilter", "org.apache.catalina.core.ApplicationFilterChain.doFilter", "org.apache.tomcat.websocket.server.WsFilter.doFilter", "org.apache.catalina.core.ApplicationFilterChain.internalDoFilter", "org.apache.catalina.core.ApplicationFilterChain.doFilter", "org.apache.catalina.core.StandardWrapperValve.invoke", "org.apache.catalina.core.StandardContextValve.invoke", "org.apache.catalina.authenticator.AuthenticatorBase.invoke", "org.apache.catalina.core.StandardHostValve.invoke", "org.apache.catalina.valves.ErrorReportValve.invoke", "org.apache.catalina.valves.AbstractAccessLogValve.invoke", "org.apache.catalina.core.StandardEngineValve.invoke", "org.apache.catalina.connector.CoyoteAdapter.service", "org.apache.coyote.http11.Http11Processor.service", "org.apache.coyote.AbstractProcessorLight.process", "org.apache.coyote.AbstractProtocol$ConnectionHandler.process", "org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun", "org.apache.tomcat.util.net.SocketProcessorBase.run", "java.util.concurrent.ThreadPoolExecutor.runWorker", "java.util.concurrent.ThreadPoolExecutor$Worker.run", "org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run", "java.lang.Thread.run"]
},
"server_hostname": "820c2691f452",
"server_nic": [{
"ip": "172.17.0.2",
"name": "eth0"
}],
"server_type": "tomcat",
"server_version": "7.0.78.0"
}
]{
"status":0,
"description":"ok",
"data":{
"count":1
}
}[
{
"message": "HTTP request to http://scloud.baidu.com:8086/v1/agent/rasp failed:",
"server_nic": [{
"name": "en0",
"ip": "172.24.182.127"
}],
"stack_trace": "sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)\nsun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)\nsun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)\njava.lang.reflect.Constructor.newInstance(Constructor.java:526)\nsun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:1676)\nsun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:1674)\njava.security.AccessController.doPrivileged(Native Method)\nsun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1672)\nsun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1245)\ncom.baidu.openrasp.cloud.CloudHttp.request(CloudHttp.java:64)\ncom.baidu.openrasp.cloud.Register$RegisterThread.run(Register.java:54)\njava.lang.Thread.run(Thread.java:745)\n",
"level": "WARN",
"event_time": "2019-01-11T13:36:46+0800",
"app_id": "9b3554a97673f1f8f5c929310298037a660d3b7a",
"pid": 58353,
"server_hostname": "localhost",
"rasp_id": "3089c8d2672efd1ef5c3e322d9e8fcb1"
}
]{
"status":0,
"description":"ok",
"data":{
"count":1
}
}{
"status":0,
"description":"ok"
}{
"order":"startTask",
"data":{
.....
}
}{
"data":{
"data":{
"app_id":"593342c72eb78fc8e7393d0a87b8f3fc54dfbec"
},
"description":"ok",
"register":2,
"status":0
},
"description":"ok",
"status":0
}{
"data":{
"version":"1.3"
},
"description":"ok",
"status":0
}{
"order":"startTask",
"data":{
"host":"1.2.3.4",
"port": 80,
"app_id":"593342c72eb78fc8e7393d0a87b8f3fc54dfbec"
}
}{
"data":{
"data":{
"app_id":"593342c72eb78fc8e7393d0a87b8f3fc54dfbec"
},
"description":"ok",
"register":2,
"status":0
},
"description":"ok",
"status":0
}{
"order":"setConfig",
"data":{
"host":"1.2.3.4",
"port":80,
"app_id":"593342c72eb78fc8e7393d0a87b8f3fc54dfbec",
"config":{
"scan_plugin_status":{
"command_basic":{
"description":"基础命令注入漏洞检测插件",
"enable":true,
"show_name":"命令注入检测插件"
},
...
},
"scan_rate":{
"max_concurrent_request":20,
"max_request_interval":1000,
"min_request_interval":0
},
"white_url_reg":"^/path/eg",
"scan_proxy":"http://127.0.0.1:8080"
}
}
}{
"data":{
"data":{
"app_id":"593342c72eb78fc8e7393d0a87b8f3fc54dfbec"
},
"description":"ok",
"register":2,
"status":0
},
"description":"ok",
"status":0
}{
"order":"getConfig",
"data":{
"host":"1.2.3.4",
"port": 80,
"app_id":"593342c72eb78fc8e7393d0a87b8f3fc54dfbec"
}
}{
"data":{
"data":{
"app_id":"593342c72eb78fc8e7393d0a87b8f3fc54dfbec",
"scan_plugin_status":{
"command_basic":{
"enable":true,
"show_name":"命令注入检测插件",
"description":"xxxx"
}
},
"scan_rate":{
"max_concurrent_request":10,
"max_request_interval":1000,
"min_request_interval":0
},
"white_url_reg":"^/logout"
},
"description":"ok",
"register":2,
"status":0
},
"description":"ok",
"status":0
}{
"order":"stopTask",
"data":{
"scanner_id":0,
"app_id":"593342c72eb78fc8e7393d0a87b8f3fc54dfbec"
}
}{
"data":{
"data":{
"app_id":"593342c72eb78fc8e7393d0a87b8f3fc54dfbec"
},
"description":"ok",
"register":2,
"status":0
},
"description":"ok",
"status":0
}{
"order":"getAllTasks",
"data":{
"page":1,
"app_id":"593342c72eb78fc8e7393d0a87b8f3fc54dfbec"
}
}{
"status":0,
"description":"ok",
"data":{
"total":0,
"app_id":"593342c72eb78fc8e7393d0a87b8f3fc54dfbec",
"result":[
{
"host":"127.0.0.1",
"port":8010,
"total":2,
"scanned":0,
"failed":0,
"last_time":1571303703
}
]
}
}{
"order":"cleanTask",
"data":{
"host":"1.2.3.4",
"port":80,
"url_only":true,
"app_id":"593342c72eb78fc8e7393d0a87b8f3fc54dfbec"
}
}{
"data":{
"data":{
"app_id":"593342c72eb78fc8e7393d0a87b8f3fc54dfbec"
},
"description":"ok",
"register":2,
"status":0
},
"description":"ok",
"status":0
}package com.baidu.openrasp.hook;
import com.baidu.openrasp.HookHandler;
import javassist.CannotCompileException;
import javassist.CtClass;
import javassist.NotFoundException;
import java.io.IOException;
/**
 * A custom hook point. Every hook extends AbstractClassHook and supplies a type name,
 * the class it targets and the bytecode it inserts.
 */
public class MyHook extends AbstractClassHook {
/**
 * Returns the type name of this custom hook point.
 * NOTE(review): the CheckParameter.Type constant added for this hook further down
 * is named "replace"; confirm whether the hook type and the check type must agree.
 */
@Override
public String getType() {
    final String hookType = "string_replace";
    return hookType;
}
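@Override
protected void hookMethod(CtClass ctClass) throws IOException, CannotCompileException, NotFoundException {
    // Target: java.lang.String#replace(CharSequence target, CharSequence replacement).
    // The JDK has no String.replace(String, String) overload, so the descriptor
    // "(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;" used before could not
    // be resolved and the hook was never installed. At the bytecode level both
    // arguments are CharSequence; $0 (this) is always a String.
    final String methodName = "replace";
    final String descriptor = "(Ljava/lang/CharSequence;Ljava/lang/CharSequence;)Ljava/lang/String;";

    // Entry callback: HookHandler.checkStringReplaceEnter(this, $1, $2).
    // "$0,$1,$2" = the receiver, the first and the second argument of the hooked
    // method; the trailing Class arguments describe the handler's parameter list.
    // NOTE(review): they are left as String so the existing (String, String, String)
    // handler still resolves; if callers pass non-String CharSequences (StringBuilder
    // etc.) widen both this list and the handler signature to CharSequence.
    String enterSrc = getInvokeStaticSrc(HookHandler.class, "checkStringReplaceEnter",
            "$0,$1,$2", String.class, String.class, String.class);
    insertBefore(ctClass, methodName, descriptor, enterSrc);

    // Exit callback: HookHandler.checkStringReplaceExit(returnValue). "$_" is the
    // return value. The trailing 'true' also runs the snippet on the exceptional
    // exit path (javassist insertAfter asFinally) - $_ is not a real result there.
    String exitSrc = getInvokeStaticSrc(HookHandler.class, "checkStringReplaceExit", "$_", String.class);
    insertAfter(ctClass, methodName, descriptor, exitSrc, true);
}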
/**
 * Selects the class to instrument: only java.lang.String itself matches.
 * Null-safe - a null class name never matches.
 */
@Override
public boolean isClassMatched(String className) {
    final String targetClass = "java.lang.String";
    return className != null && className.equals(targetClass);
}
}
public CustomClassTransformer() {
    hooks = new HashSet<AbstractClassHook>();
    // Register the custom hook so the transformer instruments java.lang.String.
    addHook(new MyHook());
}
public enum Type {
    // One constant per check type. The first argument is the check type name
    // (the name a JS plugin registers against, cf. plugin.register('sql', ...));
    // the second is the checker that evaluates the parameters: JsChecker hands
    // them to the JS plugins, other checkers live in com.baidu.openrasp.plugin.checker.
    // (Excerpt: the trailing comma stands for the remaining constants of the real
    // enum; the constant list must end with ';' before the fields.)
    REPLACE("replace", new JsChecker()),
    String name;
    Checker checker;
    Type(String name, Checker checker) {
        this.checker = checker;
        this.name = name;
    }
    @Override
    public String toString() {
        return this.name;
    }
}
public static void checkStringReplaceEnter(String str, String regex, String replacement) {
    // Build the parameter map the checker sees and run the REPLACE check.
    // Despite the parameter name, String.replace treats its target literally -
    // only replaceAll/replaceFirst interpret a regex.
    // NOTE(review): java.lang.String.replace is a very hot JDK method, and the
    // check path itself may call it; confirm HookHandler's per-thread re-entrancy
    // guard covers doCheck here, or this handler can recurse into itself.
    HashMap<String, Object> params = new HashMap<String, Object>();
    params.put("str", str);
    params.put("regex", regex);
    params.put("replacement", replacement);
    // First argument: the check type, second: the parameter map.
    doCheck(CheckParameter.Type.REPLACE, params);
}
#include "openrasp_hook.h"
HOOK_FUNCTION_EX(hook_function, hook_class, hook_type);
/*
 * Pre-hook body for the hook declared by HOOK_FUNCTION_EX(hook_function, hook_class,
 * hook_type) above. Naming: pre_<class>_<function>_<type>, i.e. the macro's class,
 * function and type arguments in that order (the macro itself takes them as
 * function, class, type). Presumably runs before the wrapped PHP internal function.
 */
void pre_hook_class_hook_function_hook_type(OPENRASP_INTERNAL_FUNCTION_PARAMETERS)
{
    //do something
    ...
}
/*
 * Post-hook counterpart (post_<class>_<function>_<type>); presumably runs after the
 * wrapped PHP internal function has returned.
 */
void post_hook_class_hook_function_hook_type(OPENRASP_INTERNAL_FUNCTION_PARAMETERS)
{
    //do something
    ...
}
into outfileclass_table
2017-10-13 17:10:05,254 INFO [http-bio-8080-exec-3][com.baidu.openrasp.plugin.log]
ReferenceError: "abc" is not defined.
at official.js:407 (test)
at official.js:412 (anonymous)
2018-07-25T16:28:14+08:00 [event-logger] 999-event-logger: 初始化成功
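2018-07-25T16:28:19+08:00 [event-logger] 读取文件: /etc/hosts
npm install -g openrasp
'use strict'
// 'use strict' must be the first statement: as a directive prologue it only
// takes effect at the very top of the script (it was previously placed after
// the const declarations, where it was a no-op).
// Version string and name of this plugin; the name becomes the plugin.log prefix.
const plugin_version = '2018-1000-1000'
const plugin_name = 'test-plugin'
var plugin = new RASP(plugin_name)
// Default verdict: let the call through without raising an alarm.
const clean = {
    action: 'ignore',
    message: 'Looks fine to me',
    confidence: 0
}
// BEGIN ALGORITHM CONFIG //
var algorithmConfig = {}
// END ALGORITHM CONFIG //
// Demo 'sql' check: logs every query the hooked driver sees and never blocks.
plugin.register('sql', function (params, context) {
    plugin.log('SQL query: ' + params.query)
    return clean
})
plugin.log('plugin-demo: plugin loaded')
plugin.register('sql', function (params, context) {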
plugin.log('SQL tokens ', RASP.sql_tokenize(params.query, params.server))
return clean
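})
plugin.register('sql', function (params, context) {
    plugin.log('SQL tokens ', RASP.sql_tokenize(params.query, params.server))
    // Demo only: a regex over the raw query text is easy to evade (inline
    // comments, encodings, alternative schemas); a real check should reason over
    // the token list logged above.
    // Case-insensitive ('i'): SQL keywords are case-insensitive and the attack is
    // commonly written as 'UNION SELECT ... FROM INFORMATION_SCHEMA', which the
    // previous case-sensitive pattern did not match.
    if (/union.*select.*from.*information_schema/i.test(params.query)) {
        return {
            action: 'block',
            message: '拦截SQL查询,因为XXX',
            confidence: 90
        }
    }
    return clean
})
var plugin = new RASP('demo')
var name = plugin.get_version()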
// 返回 1.2.0var name = plugin.get_jsengine()
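// returns rhino / v8
var body = {
    "name": "openrasp"
}
// Outbound HTTP request issued from inside the protected process. Keep the URL
// fixed or allow-listed: building it from request data would turn the agent
// into an SSRF primitive. maxRedirects 0 stops the request from being bounced
// to another host.
var req = {
    "method": "post",
    "url": "http://127.0.0.1/test",
    "data": body,  // was "data": data - 'data' was never defined; the payload is 'body'
    "maxRedirects": 0,
    "timeout": 30,  // unit not stated on this page - confirm seconds vs. milliseconds
    "headers": {
        "content-type": "application/json"
    },
}
RASP.request(req)
plugin.register('sql', function(params, context) {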
// 在这里实现检测逻辑
// 并返回结果
return {
action: 'ignore',
message: '无风险'
}
})RASP.sql_tokenize('SELECT * FROM users WHERE id = -1 union/*!50000select*/1,2,3', 'mysql')
// [
// { text: 'SELECT', start: 0, stop: 5 },
// { text: '*', start: 7, stop: 7 },
// ...
// ]RASP.cmd_tokenize('/bin/bash -c ls')
// [
// { text: '/bin/bash', stop: 8, start: 0 },
// { text: '-c', stop: 11, start: 10 },
// { text: 'ls', stop: 14, start: 13 }
// ]plugin.log('hello', 'openrasp')
// 将会在日志里输出 [demo] hellp openraspvar name = plugin.name
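// => 'demo'
var params = {
    'query': 'select * from users',
    'server': 'mysql'
}
// Empty request context for an ad-hoc check; it is the object passed as the
// third argument (the previous sample built checkContext but passed an
// undefined 'context').
var checkContext = new Context()
RASP.check('sql', params, checkContext)
// => [{
//     'action': 'block',
//     'message': 'attack',
//     'name': 'demo'
// }]
git clone https://github.com/baidu/openrasp.git
npm install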
npm run buildexport GOPATH=$(pwd)
go get -u github.com/beego/beerm -rf dist
cp -R ../../../rasp-vue/dist .export PATH=$PATH:$GOPATH/bin
bee packexport https_proxy=XXXX
export http_proxy=XXXX
go get -u XXXXcontext.path
// => '/my/article.jsp'context.querystring
// => 'offset=10&size=10'context.method
// => 'get'context.protocol
// => 'https'context.header
// => {
// 'user-agent': 'Chrome',
// 'content-type': 'application/json'
// ...
// }context.body
// => ArrayBuffercontext.json
// => {
// 'field': 'Value',
// ...
// }// context.querystring = 'offset=10&size=10'
// context.body = 'filter=odd'
context.parameter
// => {
// 'offset': ['10'],
// 'size': ['10'],
// 'filter': ['odd']
// }context.remoteAddr
// => '2.3.3.3'context.server
// {
// 'name': 'Tomcat / JBoss / Jetty',
// 'version': '8',
// 'os': 'Linux',
// 'language': 'java / php'
// }context.appBasePath
// => '/home/tomcat/webapps'var context = new Context()
// 自定义 method 参数信息
var context = new Context({
getMethod: function() {
return 'get'
}
})var context = new Context({
getPath: function(){},
getQuerystring: function(){},
getMethod: function(){},
getProtocol: function(){},
getHeader: function(){},
getParameter: function(){},
getBody: function(){},
getRemoteAddr: function(){},
getServer: function(){}
})$ rasp check
OpenRASP plugin devtool - https://rasp.baidu.com
Usage: rasp-check
Options:
-d, --case-dir <dir> specify a testcases directory
-p, --plugin-file <plugin> specify a javascript plugin file
-h, --help output usage information [{
"id": "ssrf_userinput_intranet",
"name": "ssrf",
"action": "block",
"params": {
"hostname": "172.16.177.120",
"ip": ["172.16.177.120"],
"url": "http://172.16.177.120/hello.action?redirect=123"
},
"context": {
"parameter": {
"url": ["http://172.16.177.120/hello.action?redirect=123"]
}
},
"description": "SSRF userinput match test"
}]$ rasp check -d ~/openrasp/agent/java/engine/src/test/resources/pluginUnitTest/unitCases/ -p ~/openrasp/plugins/official/plugin.js
[offical] OpenRASP official plugin: Initialized, version 2018-1010-1600
✓ sql.json Simple userinput match test: 9ms
✓ sql.json SQL injection with hex values: 1ms
✓ sql.json SQL injection with datetime methods: 2ms
✓ ssrf.json SSRF userinput match test: 2ms
✓ ssrf.json SSRF false positive test: 1ms
5 passing (26ms)yum install -y centos-release-scl vim-common
yum install -y devtoolset-4-gcc-c++yum install -y php-develscl enable devtoolset-4 bash# 下载并解压到 /tmp,避免与已有 cmake 冲突
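# Download the CMake release to /tmp (avoids clashing with an installed cmake).
# Verify the tarball against the SHA-256 list published with the same release
# before unpacking: "curl | tar" unpacks whatever arrived, unverified. For a
# stronger check also verify the release's .asc signature with Kitware's key.
curl -L -o /tmp/cmake-3.15.3-Linux-x86_64.tar.gz https://github.com/Kitware/CMake/releases/download/v3.15.3/cmake-3.15.3-Linux-x86_64.tar.gz
curl -L -o /tmp/cmake-3.15.3-SHA-256.txt https://github.com/Kitware/CMake/releases/download/v3.15.3/cmake-3.15.3-SHA-256.txt
(cd /tmp && grep 'cmake-3.15.3-Linux-x86_64.tar.gz' cmake-3.15.3-SHA-256.txt | sha256sum -c -) \
  && tar zxf /tmp/cmake-3.15.3-Linux-x86_64.tar.gz -C /tmp
# Put it on PATH for this shell only
export PATH=/tmp/cmake-3.15.3-Linux-x86_64/bin:$PATH
# Update git submodules
git submodule update --init
# Build openrasp-v8 (PHP bindings)
mkdir -p openrasp-v8/build && cd openrasp-v8/build
cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo -DENABLE_LANGUAGES=php ..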
make# 如果之前编译过,清理下临时文件
phpize --clean
# 生成 configure 文件
phpize
# 生成 makefile
./configure --with-openrasp-v8=../../openrasp-v8/ --with-gettext --enable-openrasp-remote-manager
# 编译
makeJDK 6 进行编译git clone https://github.com/baidu/openrasp.gityum install -y centos-release-scl
yum install -y devtoolset-4-gcc-c++scl enable devtoolset-4 bash# 下载并解压到 /tmp,避免与已有 cmake 冲突
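# Download the CMake release to /tmp (avoids clashing with an installed cmake).
# Verify the tarball against the SHA-256 list published with the same release
# before unpacking: "curl | tar" unpacks whatever arrived, unverified. For a
# stronger check also verify the release's .asc signature with Kitware's key.
curl -L -o /tmp/cmake-3.15.3-Linux-x86_64.tar.gz https://github.com/Kitware/CMake/releases/download/v3.15.3/cmake-3.15.3-Linux-x86_64.tar.gz
curl -L -o /tmp/cmake-3.15.3-SHA-256.txt https://github.com/Kitware/CMake/releases/download/v3.15.3/cmake-3.15.3-SHA-256.txt
(cd /tmp && grep 'cmake-3.15.3-Linux-x86_64.tar.gz' cmake-3.15.3-SHA-256.txt | sha256sum -c -) \
  && tar zxf /tmp/cmake-3.15.3-Linux-x86_64.tar.gz -C /tmp
# Put it on PATH for this shell only
export PATH=/tmp/cmake-3.15.3-Linux-x86_64/bin:$PATH
# Update git submodules
git submodule update --init
# Build openrasp-v8 (Java bindings)
mkdir -p openrasp-v8/build64 && cd openrasp-v8/build64
cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo -DENABLE_LANGUAGES=java ..
make
# Copy the JNI shared library into the resources tree ($_ is the last argument
# of the previous command, i.e. the directory just created)
mkdir -p ../java/src/main/resources/natives/linux_64 && cp java/libopenrasp_v8_java.so $_
# Build v8-1.0-SNAPSHOT.jar and install it into the local Maven repository
cd ../java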
mvn install<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
http://maven.apache.org/xsd/settings-1.0.0.xsd">
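<localRepository/>
<interactiveMode/>
<usePluginRegistry/>
<offline/>
<pluginGroups/>
<servers/>
<mirrors>
  <!-- Maven uses the FIRST mirror whose mirrorOf matches, so the "repo1" entry
       below is only reached if this one is removed. Mirror ids should be unique. -->
  <mirror>
    <id>aliyunmaven</id>
    <mirrorOf>central</mirrorOf>
    <name>阿里云公共仓库</name>
    <url>https://maven.aliyun.com/repository/central</url>
  </mirror>
  <!-- Changed from http:// to https://: artifacts and plugins fetched over plain
       http can be replaced by anyone on the network path, and Maven Central no
       longer serves plain http at all. -->
  <mirror>
    <id>repo1</id>
    <mirrorOf>central</mirrorOf>
    <name>central repo</name>
    <url>https://repo1.maven.org/maven2/</url>
  </mirror>
  <!-- Renamed: the id "aliyunmaven" was already used by the first mirror.
       NOTE(review): mirrorOf has to equal a repository id exactly; "apache snapshots"
       (with a space) is unlikely to match anything - confirm the intended id. -->
  <mirror>
    <id>aliyunmaven-apache-snapshots</id>
    <mirrorOf>apache snapshots</mirrorOf>
    <name>阿里云阿帕奇仓库</name>
    <url>https://maven.aliyun.com/repository/apache-snapshots</url>
  </mirror>
</mirrors>
<proxies/>
<activeProfiles/>
<profiles>
  <!-- NOTE(review): this profile has no <id> and <activeProfiles/> is empty, so the
       repositories below are probably never consulted - confirm whether that is
       intended or give the profile an id and activate it. -->
  <profile>
    <repositories>
      <repository>
        <id>aliyunmaven</id>
        <name>aliyunmaven</name>
        <url>https://maven.aliyun.com/repository/public</url>
        <layout>default</layout>
        <releases>
          <enabled>true</enabled>
        </releases>
        <snapshots>
          <enabled>true</enabled>
        </snapshots>
      </repository>
      <!-- https for the same reason as the mirror above. -->
      <repository>
        <id>MavenCentral</id>
        <url>https://repo1.maven.org/maven2/</url>
      </repository>
      <repository>
        <id>aliyunmavenApache</id>
        <url>https://maven.aliyun.com/repository/apache-snapshots</url>
      </repository>
    </repositories>
  </profile>
</profiles>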
</settings><?xml version="1.0"?>
<settings>
<mirrors>
  <!-- Last-resort workaround only. A plain-http mirror lets anyone on the network
       path substitute the artifacts and plugins Maven downloads, and Maven Central
       has not served plain http since 2020, so this is likely to fail outright.
       Prefer fixing the local TLS trust store (JDK cacerts / corporate CA) and keep
       using https://repo.maven.apache.org/maven2. -->
  <mirror>
    <id>central-no-ssl</id>
    <name>Central without ssl</name>
    <url>http://repo.maven.apache.org/maven2</url>
    <mirrorOf>central</mirrorOf>
  </mirror>
</mirrors>
</settings>plugin.register('sql', function(params, context) {
// 实现你的检测逻辑
})type = sql
params = {
"server": "mysql / oracle / pgsql / mssql / sqlite",
"query": "select * from users",
}type = directory
params = {
"path": "/home/servers/tomcat/webapps/mywar/../../../../../../../../../etc/",
"realpath": "/etc/",
"stack": [
"java.lang.ProcessBuilder.start",
"sun.reflect.NativeMethodAccessorImpl.invoke0",
"sun.reflect.NativeMethodAccessorImpl.invoke",
"sun.reflect.DelegatingMethodAccessorImpl.invoke",
...
]
}type = request
params = {}type = readFile
params = {
"path": "/home/servers/tomcat/webapps/mywar/../../../../../../../../../etc/hosts",
"realpath": "/etc/hosts"
}type = writeFile
params = {
"path": "abc.jsp",
"realpath": "/home/tomcat/webapps/ROOT/abc.jsp",
"stack": [
...
]
}type = deleteFile
params = {
"path": "/home/servers/tomcat/webapps/mywar/../../../../../../../../../tmp/testfile",
"realpath": "/tmp/testfile"
}# Java 示例
type = include,
params = {
url: "file:///etc/passwd",
function: "jstl_import",
realpath: "/etc/passwd"
}
# PHP 示例
type = include,
params = {
url: "/home/webroot/footer/../../../../../../../../../etc/passwd",
function: "require_once",
realpath: "/etc/passwd"
}type = webdav,
params = {
"source": "/home/rsync/apache-tomcat-7.0.78/webapps/webdav/1.txt",
"dest": "/home/rsync/apache-tomcat-7.0.78/webapps/webdav/1.jsp"
}type = fileUpload
params = {
"name": "file",
"filename": "a.jsp",
"content": "<% ... %>",
"dest_path": "upload/a.jpg", # v1.2 加入
"dest_realpath": "/home/www/upload/a.jpg" # v1.2 加入
}type = rename,
params = {
"source": "/var/www/html/uploads/hello.txt",
"dest": "/var/www/html/uploads/hello.php"
}type = command,
params = {
"stack": [
"java.lang.ProcessBuilder.start",
"sun.reflect.NativeMethodAccessorImpl.invoke0",
"sun.reflect.NativeMethodAccessorImpl.invoke",
"sun.reflect.DelegatingMethodAccessorImpl.invoke",
...
]
"command": "/bin/sh -c 'whoami; ls; '"
}type = xxe
params = {
"entity": "file:///etc/passwd"
}type = ognl
params = {
"expression": "_memberAccess" //ognl表达式
}type = deserialization
params = {
"clazz": "InvokerTransformer" //被反序列化对象的类型
}type = ssrf
params = {
"url": "http://0x7f.0x0.0x0.0x1:8080/v1/api/get", // http 请求的 url
"hostname": "0x7f.0x0.0x0.0x1" // http 请求的 hostname
"ip": ["1.1.1.1", "2.2.2.2"] // 无法解析则为空;目前只解析 IPv4 地址
"port": "8080", // 未提供端口为空。对于http模式是80,https默认是443的情况,如果没指定也是空
"function": "commons_http_client"
}type = ssrfRedirect
params = {
"url": "http://0x7f.0x0.0x0.0x1:8080/v1/api/get", // 原始请求的 URL
"hostname": "0x7f.0x0.0x0.0x1" // 原始请求的域名
"ip": ["1.1.1.1", "2.2.2.2"] // 原始请求目标 IP
"port": "8080", // 原始请求的端口,未提供端口为空。对于http模式是80,https默认是443的情况,如果没指定也是空
"url2": "http://127.0.0.1:8080/v1/api/get", // 重定向后的 URL
"hostname2": "0x7f.0x0.0x0.0x1" // 重定向后的域名
"ip2": ["1.1.1.1", "2.2.2.2"] // 重定向后目标 IP
"port2": "8080", // 重定向后的端口,说明同上
"function": "commons_http_client"
}type = eval
params = {
"function": "eval",
"code": "gzuncompress(base64_decode(...));"
"stack": [
...
]
}type = loadlibrary
params = {
"function": "System.load",
"path": "\\8.8.8.8\test.dll",
"realpath": "xxxx"
}type = response
params = {
"content_type": "text/html",
"content": "<h1>xxxx</h1>"
}#!/usr/bin/env python3
# -*- coding: UTF-8 -*-
# Import the de-duplication plugin base class
from plugin.deduplicate import DedupPluginBase
# The plugin class must be named dedupPlugin and extend DedupPluginBase.DedupPluginBase
class dedupPlugin(DedupPluginBase.DedupPluginBase):
    """Alarm de-duplication plugin.

    The class must be named ``dedupPlugin`` and derive from
    ``DedupPluginBase.DedupPluginBase`` for the scanner to load it.
    """

    def get_hash(self, rasp_result_ins) -> str:
        """Return the de-duplication key (a hash string) for one RASP result.

        Results with the same key are collapsed into one alarm; this
        implementation just delegates to the base-class default.
        """
        return self.get_hash_default(rasp_result_ins)
import hashlib
# Hash the URL path, parameter names, stack and JSON structure; the combined string is hashed into the result
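def get_hash_default(self, rasp_result_ins) -> str:
    """Default de-duplication key: md5 over path, stack hash, parameter names and JSON shape.

    Only parameter *names* (not values) and the JSON structure enter the key,
    so requests that differ only in values collapse into one alarm.

    Changes from the earlier version:
      * the fields, and the key names within a field, are joined with a NUL
        separator instead of bare concatenation - previously key sets such as
        ["ab", "c"] and ["a", "bc"] (or a path whose tail happened to equal the
        start of the stack hash) produced the same key;
      * key names are sorted, so the same parameter set in a different order
        yields the same key instead of a duplicate alarm.

    md5 is a cheap fingerprint here, not a security control: a collision merges
    two distinct alarms, so the key must not be treated as tamper-proof.

    Args:
        rasp_result_ins: object exposing get_path(), get_all_stack_hash(),
            get_parameters(), get_query_parameters() and get_json_struct()
            (the last returning a str).

    Returns:
        32-character hex digest.
    """
    sep = "\x00"
    path_str = rasp_result_ins.get_path()
    stack_hash = rasp_result_ins.get_all_stack_hash()
    param_keys = sep.join(sorted(rasp_result_ins.get_parameters().keys()))
    query_keys = sep.join(sorted(rasp_result_ins.get_query_parameters().keys()))
    json_struct = rasp_result_ins.get_json_struct()
    contact_str = sep.join([path_str, stack_hash, param_keys, json_struct, query_keys]).encode("utf-8")
    return hashlib.md5(contact_str).hexdigest()
git clone https://github.com/baidu-security/openrasp-iast.git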
cd openrasp-iast
python3 openrasp_iast/main.py start -f#!/usr/bin/env python3
# -*- coding: UTF-8 -*-
# Import the scanner plugin base class (the import statement itself is not shown in this excerpt)
class ScanPlugin(scan_plugin_base.ScanPluginBase):
    """Skeleton of a scanner plugin.

    NOTE(review): the comment above announces the base-class import, but the
    snippet does not show it - ``scan_plugin_base`` has to be imported before
    this definition will load.
    """

    # Metadata shown for the plugin in the management console.
    plugin_info = {
        "name": "name",
        "show_name": "plugin",
        "description": "des",
    }

    def mutant(self, rasp_result_ins):
        """Yield test request sequences (test vectors) derived from one RASP result."""

    def check(self, request_data_list):
        """Inspect the result of one request sequence; return a finding or None."""
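plugin_info = {
    "name": "sql_basic",  # plugin file name without the .py extension
    "show_name": "SQL注入检测插件",  # name shown in the management console
    "description": "基础sql注入漏洞检测插件",  # what the plugin checks for
}
def mutant(self, rasp_result_ins):
    """Generate SQL-injection probe requests for one observed request.

    Only requests whose ``sql`` hook fired are considered, and only parameters
    whose value was concatenated into a SQL statement are probed. Each such
    parameter gets three quote/backtick payloads, each sent as its own
    one-element request sequence; all payloads for one parameter share a
    ``payload_seq`` so that only the first alarm they trigger is kept.

    Yields:
        list: one RequestData instance per iteration (a request sequence).
    """
    # Nothing to do unless the sql hook fired for this request.
    if not rasp_result_ins.has_hook_type("sql"):
        return
    # (payload, feature): the feature is what check() later looks for in the hook.
    payload_list = [
        ("1'openrasp", "1'openrasp"),
        ("1\"openrasp", "1\"openrasp"),
        ("`a openrasp", "`a openrasp"),
    ]
    # The unmodified base request is used to enumerate the injectable parameters.
    # It has its own name on purpose: the earlier version reused ``request_data_ins``
    # for the base request and for every mutated copy, so from the second parameter
    # on the concat check below consulted whichever mutated copy was built last.
    base_request = self.new_request_data(rasp_result_ins)
    test_params = self.mutant_helper.get_params_list(
        base_request, ["get", "post", "json", "headers", "cookies"])
    for param in test_params:
        # Only probe parameters whose value actually reached a SQL statement.
        if not base_request.is_param_concat_in_hook("sql", param["value"]):
            continue
        payload_seq = self.gen_payload_seq()
        for payload, feature in payload_list:
            request_data_ins = self.new_request_data(rasp_result_ins, payload_seq, feature)
            request_data_ins.set_param(param["type"], param["name"], payload)
            # Each yielded list is one request sequence; its requests are sent in order.
            yield [request_data_ins]
def check(self, request_data_list):
    """Decide whether a probe request sequence revealed SQL injection.

    Args:
        request_data_list: the sequence yielded by ``mutant``; this plugin
            always yields one request, so only element 0 is examined.

    Returns:
        str | None: a finding description when the probe's feature string was
        concatenated into a SQL statement, otherwise None.
    """
    request_data_ins = request_data_list[0]
    feature = request_data_ins.get_payload_info()["feature"]
    rasp_result_ins = request_data_ins.get_rasp_result()
    if self.checker.check_concat_in_hook(rasp_result_ins, "sql", feature):
        # The probe's feature string reached a SQL statement: user input controls the query.
        return "sql语句逻辑可被用户输入控制"
    # No finding: the explicit `return None` on the following line ends the method.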
return Nonefor hook_item in rasp_result_ins.get_hook_info():
if has_vuln(hook_item):
rasp_result_ins.set_vuln_hook(hook_item)import asyncio
try:
    # do something... (the awaited work goes here)
except asyncio.CancelledError as e:
    # Cancellation must propagate so the task really stops. On Python < 3.8
    # CancelledError is a subclass of Exception, so without this clause the
    # generic handler below would swallow it and the task would keep running.
    raise e
except Exception as e:
    # do something... (handle/log the real failure here)




cd <openrasp_path>/agent/java
# Bumps com.baidu.openrasp:sqlparser to whatever the *latest release* in the
# configured repository is at the moment this runs - an unpinned, supply-chain
# relevant step. Review the resulting pom.xml diff and commit the exact version
# rather than re-running this on every build.
mvn versions:use-latest-releases -Dincludes=com.baidu.openrasp:sqlparser
mvn clean package