fail to parse json file which contains character \" #6

Closed
jekkay opened this issue Mar 19, 2020 · 5 comments

Comments

jekkay commented Mar 19, 2020


// written by mastiff automatically, please don't edit this file

{
  "pluginId": "osquery",
  "enable": true,
  "type": "pluginConfig",
  "hash": "6c3a3f6a22161912facd77a75d0e6346",
  "config": {
    "rules": [
      {
        "content": "{\n  \"query\": \"SELECT p.pid, p.name, p.cmdline, p.path FROM processes p JOIN process_open_files pf USING(pid) WHERE pf.path = '/dev/tty' AND p.cmdline LIKE '%sh -i';\",\n  \"interval\": 600,\n  \"descirption\": \"通过 fifo 管道实现反弹 shell(间接重定向)\"\n}",
        "ruleId": "reverse_shell_with_fifo_pipe_tty"
      },
      {
        "content": "{\n  \"query\": \"SELECT pid, name, cmdline, path as pipepath FROM (SELECT p.pid, p.name, p.cmdline, pf.path FROM process_open_files pf JOIN processes p USING(pid) WHERE p.name IN ('bash', 'sh')) bf JOIN file USING(path) WHERE type = 'fifo';\",\n  \"interval\": 600,\n  \"descirption\": \"通过 fifo 管道实现反弹 shell(直接重定向)\"\n}",
        "ruleId": "reverse_shell_with_fifo_pipe"
      },
      {
        "content": "{\n    \"query\":\"SELECT p.pid, p.name, p.cmdline, p.path FROM processes p JOIN process_open_sockets s ON p.pid = s.pid WHERE p.pid = (SELECT parent FROM processes WHERE name = 'sh') AND s.state = 'ESTABLISHED' AND p.cmdline LIKE 'python -c exec(%';\",\n    \"interval\":600,\n    \"descirption\":\"通过 socket 实现反弹 shell(Python)\"\n}",
        "ruleId": "reverse_shell_with_socket_python"
      }
    ]
  }
}

jekkay commented Mar 19, 2020

My current temporary workaround is to replace the special characters with a placeholder and swap them back after the conversion.

package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io/ioutil"
	"strings"

	"github.com/muhammadmuzzammil1998/jsonc"
)

// ReadPureJsonFromFile reads the JSON content and strips the comments.
func ReadPureJsonFromFile(path string) ([]byte, error) {
	if len(path) <= 0 {
		return nil, errors.New("no local client information file path configured")
	}
	// This function has a bug; temporary workaround below.
	// origin, pure, err := jsonc.ReadFromFile(path)
	// ------ temporary workaround {{ -------
	data, err := ioutil.ReadFile(path)
	if err != nil {
		return nil, err
	}
	// Check whether the input contains the special escape sequence \"
	qus := "\\\""

	var pure []byte
	if strings.Index(string(data), qus) < 0 {
		pure = jsonc.ToJSON(data)
	} else {
		// Placeholder that will not occur in the input; swapped back after conversion.
		holder := "!临^^时^占^^位^^^符!"
		origin := strings.ReplaceAll(string(data), qus, holder)
		pure = []byte(strings.ReplaceAll(string(jsonc.ToJSON([]byte(origin))), holder, qus))
	}
	// ------ temporary workaround }} ------

	if !json.Valid(pure) {
		// Check whether the resulting syntax is valid JSON
		return nil, fmt.Errorf("%s is not valid json format", path)
	}
	return pure, nil
}

muhammadmuzzammil1998 (Owner) commented

Kindly use English. Apologies if this sounds rude but I don't know Chinese.

jekkay commented Mar 20, 2020

Kindly use English. Apologies if this sounds rude but I don't know Chinese.

Sorry, I thought you were Chinese.

  • The first post is the JSON file content which cannot be parsed correctly. The JSON content contains special characters like \"

  • The second post is my temporary tricky solution: replace the \" with a special placeholder before translating, and restore the pure JSON content by replacing the placeholder after jsonc.ToJSON(data)
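The underlying failure mode in this thread is a comment stripper that treats an escaped quote (\") inside a JSON string as the end of that string, after which a "//" or "/*" in the remaining string body is mistaken for a comment and the output stops being valid JSON. The placeholder trick above works around that; the proper fix is a scanner that tracks whether it is inside a string and whether the previous byte was a backslash. The following is an added example written for this page, not code from the jsonc project or from the reporter: StripComments, ParseRuleContent and the sampleJSONC input are all constructed here (the sample is modeled on the reporter's file but is not that file).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// StripComments removes // line comments and /* block */ comments from
// JSON-with-comments input while leaving string literals untouched.
// It tracks whether the scanner is inside a string and whether the previous
// byte was an unconsumed backslash, so an escaped quote (\") inside a string
// never toggles the in-string state, and "//" inside a string value is kept.
func StripComments(src []byte) []byte {
	out := make([]byte, 0, len(src))
	inString := false
	escaped := false
	for i := 0; i < len(src); i++ {
		c := src[i]
		if inString {
			out = append(out, c)
			switch {
			case escaped:
				escaped = false // the byte after a backslash is literal, even '"'
			case c == '\\':
				escaped = true
			case c == '"':
				inString = false
			}
			continue
		}
		switch {
		case c == '"':
			inString = true
			out = append(out, c)
		case c == '/' && i+1 < len(src) && src[i+1] == '/':
			// Line comment: drop it up to the end of line, keep the newline itself.
			for i < len(src) && src[i] != '\n' {
				i++
			}
			if i < len(src) {
				out = append(out, '\n')
			}
		case c == '/' && i+1 < len(src) && src[i+1] == '*':
			// Block comment: skip to the closing */ (or to end of input).
			end := strings.Index(string(src[i+2:]), "*/")
			if end < 0 {
				i = len(src)
			} else {
				i += 2 + end + 1 // land on the closing '/', loop increment moves past it
			}
		default:
			out = append(out, c)
		}
	}
	return out
}

// sampleJSONC is a constructed input (not the reporter's file): a leading
// line comment, a trailing comment, a block comment, and string values that
// contain escaped quotes and a comment-looking "//".
const sampleJSONC = `// written by a generator automatically, please don't edit this file
{
  "pluginId": "osquery", // trailing comment
  "enable": true,
  /* block
     comment */
  "config": {
    "rules": [
      {
        "content": "{\n  \"query\": \"SELECT p.pid FROM processes p WHERE p.cmdline LIKE '%sh -i';\"\n}",
        "ruleId": "reverse_shell_with_fifo_pipe_tty",
        "url": "http://example.invalid/not/a/comment"
      }
    ]
  }
}
`

// ParseRuleContent strips comments, validates the result, then decodes the
// inner "content" string of the first rule (itself a JSON document) and
// returns its "query" field. The inner document is exactly where the \"
// escapes live, so this round trip only succeeds if they were preserved.
func ParseRuleContent(src []byte) (string, error) {
	pure := StripComments(src)
	if !json.Valid(pure) {
		return "", fmt.Errorf("comment stripping produced invalid JSON: %q", pure)
	}
	var doc struct {
		Config struct {
			Rules []struct {
				Content string `json:"content"`
				RuleID  string `json:"ruleId"`
			} `json:"rules"`
		} `json:"config"`
	}
	if err := json.Unmarshal(pure, &doc); err != nil {
		return "", err
	}
	if len(doc.Config.Rules) == 0 {
		return "", fmt.Errorf("no rules found")
	}
	var inner struct {
		Query string `json:"query"`
	}
	if err := json.Unmarshal([]byte(doc.Config.Rules[0].Content), &inner); err != nil {
		return "", fmt.Errorf("rule content is not valid JSON: %w", err)
	}
	return inner.Query, nil
}

func main() {
	q, err := ParseRuleContent([]byte(sampleJSONC))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("query:", q)
}
```

The two-flag state machine is the whole fix: a quote only opens or closes a string when the scanner is outside a string or the previous byte was not a backslash, and comment detection only runs outside strings. Validating with json.Valid after stripping, as the reporter's workaround also does, is a cheap guard that turns a silent corruption of a config file into an explicit error.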

jekkay changed the title from "This JSON file fails to parse" (此json文件解析出错) to "fail to parse json file which contains character \"" Mar 20, 2020

muhammadmuzzammil1998 (Owner) commented

Apologies for replying so late.
I'll look into it now and will try to fix it.

Thanks.

muhammadmuzzammil1998 (Owner) commented

Hello,
I am unable to recreate this error with the current commit (1e787b5). Even in an earlier commit (1265e9b) which fixed the issue #5 it is outputting a valid JSON. Can you please recheck and reopen this issue to let me know if the issue is still there? I have attached the output below.

{
	"pluginId": "osquery",
	"enable": true,
	"type": "pluginConfig",
	"hash": "6c3a3f6a22161912facd77a75d0e6346",
	"config": {
		"rules": [{
				"content": "{\n  \"query\": \"SELECT p.pid, p.name, p.cmdline, p.path FROM processes p JOIN process_open_files pf USING(pid) WHERE pf.path = '/dev/tty' AND p.cmdline LIKE '%sh -i';\",\n  \"interval\": 600,\n  \"descirption\": \"通过 fifo 管道实现反弹 shell(间接重定向)\"\n}",
				"ruleId": "reverse_shell_with_fifo_pipe_tty"
			},
			{
				"content": "{\n  \"query\": \"SELECT pid, name, cmdline, path as pipepath FROM (SELECT p.pid, p.name, p.cmdline, pf.path FROM process_open_files pf JOIN processes p USING(pid) WHERE p.name IN ('bash', 'sh')) bf JOIN file USING(path) WHERE type = 'fifo';\",\n  \"interval\": 600,\n  \"descirption\": \"通过 fifo 管道实现反弹 shell(直接重定向)\"\n}",
				"ruleId": "reverse_shell_with_fifo_pipe"
			},
			{
				"content": "{\n    \"query\":\"SELECT p.pid, p.name, p.cmdline, p.path FROM processes p JOIN process_open_sockets s ON p.pid = s.pid WHERE p.pid = (SELECT parent FROM processes WHERE name = 'sh') AND s.state = 'ESTABLISHED' AND p.cmdline LIKE 'python -c exec(%';\",\n    \"interval\":600,\n    \"descirption\":\"通过 socket 实现反弹 shell(Python)\"\n}",
				"ruleId": "reverse_shell_with_socket_python"
			}
		]
	}
}

Thanks!
