Java Source Code Review

Java Reconnaissance

A quick Google search leads us to a file extensions explanation page, which states that the .do extension is typically a URL mapping scheme for compiled Java code.

HTTP Routing (web.xml)

Java web applications use a deployment descriptor file named web.xml to determine how URLs map to servlets, which URLs require authentication, and other information. This file is essential when we look for the implementation of any given functionality exposed by the web application. Within the working directory, we see a WEB-INF folder, which is Java's default configuration folder and where we can find the web.xml file. This file contains a number of servlet-name-to-servlet-class mappings as well as servlet-name-to-URL mappings. Information like this becomes useful once we know exactly which class we are targeting, since it tells us how to reach it.

<!-- SubscriptionHandler -->
<servlet id="SubscriptionHandler">
  <servlet-name>SubscriptionHandler</servlet-name>
  <servlet-class>org.opencrx.kernel.workflow.servlet.SubscriptionHandlerServlet</servlet-class>
</servlet>
...
<servlet-mapping>
  <servlet-name>SubscriptionHandler</servlet-name>
  <url-pattern>/SubscriptionHandler/*</url-pattern>
</servlet-mapping>

In this example, the web.xml file defines a servlet with the “SubscriptionHandler” id for the org.opencrx.kernel.workflow.servlet.SubscriptionHandlerServlet class. A “servlet-mapping” entry maps the /SubscriptionHandler/* URL pattern to the SubscriptionHandler servlet. The star character indicates a wildcard. The servlet class is responsible for parsing the URL path and deciding what to do with HTTP requests.
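
As an added example (not code from the original post), this Python script joins the servlet and servlet-mapping entries by servlet-name, so a reviewer can list which class or JSP serves each URL pattern. The sample descriptor is constructed: the namespace, the StatusPage servlet and the Orphan mapping are assumptions, and the helper names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The SubscriptionHandler entries are the ones shown above;
# the xmlns, the JSP-backed servlet and the undeclared mapping are assumptions.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet id="SubscriptionHandler">
    <servlet-name>SubscriptionHandler</servlet-name>
    <servlet-class>org.opencrx.kernel.workflow.servlet.SubscriptionHandlerServlet</servlet-class>
  </servlet>
  <servlet><servlet-name>StatusPage</servlet-name><jsp-file>/status.jsp</jsp-file></servlet>
  <servlet-mapping>
    <servlet-name>SubscriptionHandler</servlet-name>
    <url-pattern>/SubscriptionHandler/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping><servlet-name>StatusPage</servlet-name><url-pattern>/status</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>Orphan</servlet-name><url-pattern>/orphan</url-pattern></servlet-mapping>
</web-app>"""


def _kids(elem, name):
    """Direct children called `name`, ignoring any XML namespace prefix."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def _text(elem, name):
    """Stripped text of the first child called `name`, or an empty string."""
    return next(((c.text or "").strip() for c in _kids(elem, name)), "")


def route_table(web_xml_text):
    """Return sorted (url-pattern, servlet-name, implementation) tuples."""
    root = ET.fromstring(web_xml_text)
    impl = {}
    for servlet in _kids(root, "servlet"):
        # A servlet is backed either by a class or by a JSP file.
        name = _text(servlet, "servlet-name")
        impl[name] = _text(servlet, "servlet-class") or _text(servlet, "jsp-file")
    routes = []
    for mapping in _kids(root, "servlet-mapping"):
        name = _text(mapping, "servlet-name")
        for pattern in _kids(mapping, "url-pattern"):
            # A mapping may name a servlet the descriptor never declares.
            routes.append(((pattern.text or "").strip(), name,
                           impl.get(name, "<undeclared>")))
    return sorted(routes)


if __name__ == "__main__":
    for pattern, name, target in route_table(SAMPLE_WEB_XML):
        print(f"{pattern:26} {name:20} {target}")
```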

Java Path Finding

A natural question at this point might be: how do we know which Java process to target? In this case, we are fortunate, as there is only one Java process running on our vulnerable machine. Some applications use multiple Java process instances, though. In such cases, we can check the properties of any given process in Process Explorer by right-clicking on the process name and choosing Properties.

Interesting paths

C:\Program Files\ManageEngine\AppManager12\working # This path contains the web.xml file
C:\Program Files (x86)\ManageEngine\AppManager12\working\WEB-INF\lib # This path contains the .java files

JD-GUI

JD-GUI is an excellent tool for decompiling .jar files.

We first need to save the decompiled source code into human-readable .java files. JD-GUI allows us to do that via the File > Save All Sources menu. For searching strings, Notepad++, which is already installed on our VM, can help us navigate this code base much more easily.

It is important to know that in a typical Java servlet, we can easily identify the HTTP request handler functions that handle each HTTP request type due to their constant and unique names.

These methods are named as follows:

  • doGet
  • doPost
  • doPut
  • doDelete
  • doCopy
  • doOptions