{"id":1026,"date":"2024-11-17T04:53:10","date_gmt":"2024-11-17T04:53:10","guid":{"rendered":"http:\/\/www.nokws.top\/?p=1026"},"modified":"2024-11-17T05:10:42","modified_gmt":"2024-11-17T05:10:42","slug":"javassistxuexier","status":"publish","type":"post","link":"http:\/\/www.nokws.top\/index.php\/2024\/11\/17\/javassistxuexier\/","title":{"rendered":"Javassist\u5b66\u4e60\uff08\u4e8c\uff09"},"content":{"rendered":"\n<p><strong>0x01 \u52a8\u6001\u751f\u6210\u7c7b<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"java\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">import javassist.*;\nimport java.util.Scanner;\n\npublic class JavassistTest {\n    public static void main(String[] args) throws Exception {\n        ClassPool pool = ClassPool.getDefault();\n\n        Scanner scanner = new Scanner(System.in);\n        \/\/ \u83b7\u53d6\u7c7b\u540d\n        System.out.print(\"\u8f93\u5165\u7c7b\u7684\u540d\u5b57: \");\n        String classname = scanner.nextLine();\n        CtClass ctClass = pool.makeClass(classname);\n        \n        \/\/\"public void Hello() { System.out.println(\\\"Hello, World!\\\"); }\"\n        \/\/\u6ce8\u610f\u8f6c\u4e49\n\n        \/\/ \u83b7\u53d6\u65b9\u6cd5\n        System.out.print(\"\u8f93\u5165\u7c7b\u7684\u65b9\u6cd5: \");\n        String classmethod = scanner.nextLine();\n        CtMethod method = CtNewMethod.make(classmethod, ctClass);\n        ctClass.addMethod(method);\n        \/\/\u5c06\u7c7b\u52a0\u8f7d\u5230JVM\n        Class&lt;?> clazz = ctClass.toClass();\n        Object instance = clazz.getDeclaredConstructor().newInstance();\n        \/\/\u83b7\u53d6\u5e76\u8c03\u7528\u65b9\u6cd5\n        System.out.print(\"\u8f93\u5165\u65b9\u6cd5\u540d: \");\n        String classmethod_name = scanner.nextLine();\n\n        clazz.getMethod(classmethod_name).invoke(instance);\n    }\n}<\/pre>\n\n\n\n<p><strong>0x02 \u52a0\u8f7d\u5df2\u6709\u7c7b<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"java\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">import javassist.*;\nimport java.io.IOException;\nimport java.io.InputStream;\nimport java.lang.reflect.Constructor;\nimport java.lang.reflect.InvocationTargetException;\nimport java.lang.reflect.Method;\nimport org.apache.commons.io.IOUtils;\n\nimport java.util.Base64;\nimport java.util.Scanner;\n\npublic class webshelltest {\n    public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, IllegalAccessException, InvocationTargetException, InstantiationException, IOException {\n\n        Scanner scanner = new Scanner(System.in);\n        \/\/ \u83b7\u53d6\u547d\u4ee4\n        System.out.print(\"\u8f93\u5165\u6267\u884c\u7684\u547d\u4ee4: \");\n        String command = scanner.nextLine();\n        \n\n        \/*byte[] rtn = new byte[]{106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 82, 117, 110, 116, 105, 109, 101};\/\/java.lang.Runtime\n        \/\/String javaruntime = \"java.lang.Runtime\";\n        String run_base64 = Base64.getEncoder().encodeToString(rtn);\n        String run = new String(Base64.getDecoder().decode(run_base64));\n        byte[] b2 = new byte[]{101, 120, 101, 99}; \/\/exec\n        String cm = new String(b2);*\/\n\n        String run = \"java.lang.Runtime\"; \/\/ \u53ef\u4ee5\u66ff\u6362\u4e3a\u5b9e\u9645\u7684\u7c7b\u540d\n        String cm = \"exec\"; \/\/ exec \u65b9\u6cd5\u540d\n\n        try {\n            \/\/ \u52a8\u6001\u52a0\u8f7d\u7c7b\n            Class&lt;?> shellClass = Class.forName(run);\/\/\u52a0\u8f7d\u5df2\u6709\u7c7b\n            Constructor&lt;?> declaredConstructor = shellClass.getDeclaredConstructor();\/\/\u83b7\u53d6\u6784\u9020\u5668\n            declaredConstructor.setAccessible(true);\/\/\u786e\u4fdd\u6784\u9020\u5668\u53ef\u4ee5\u8bbf\u95ee\n            Object o = declaredConstructor.newInstance();\/\/\u5b9e\u4f8b\u5316\n\n            \/\/ \u83b7\u53d6\u65b9\u6cd5\n            Method exec = shellClass.getMethod(cm, String.class);\n            Process process = (Process) exec.invoke(o, command);\n\n            \/\/ \u83b7\u53d6\u8fdb\u7a0b\u8f93\u51fa\u6d41\n            InputStream inputStream = process.getInputStream();\n            String output = IOUtils.toString(inputStream, \"gbk\");\n\n            \/\/ \u8f93\u51fa\u547d\u4ee4\u7ed3\u679c\n            System.out.println(output);\n        } catch (Exception e) {\n            e.printStackTrace(); \/\/ \u5f02\u5e38\u5904\u7406\n        }\n    }\n}\n<\/pre>\n\n\n\n<p>PS. exec \u65b9\u6cd5\u5165\u53c2\u662f \u5355\u4e2aString []\u7c7b\u578b\uff0c\u4f46\u662f\u5b9e\u9645\u7684\u5165\u53c2\u7c7b\u578b\u53ef\u80fd\u591a\u4e2a\u662f String[]\uff08\u4f8b\u5982ping 1.1.1.1\uff09\uff0c\u8fd9\u91cc\u91cd\u5199\u4e86exec\u65b9\u6cd5\u7684\u7b7e\u540d\uff0c\u6216\u8bb8\u8fd8\u53ef\u4ee5\u901a\u8fc7\u62c6\u5206String\uff0c\u518d\u5f3a\u5236\u7c7b\u578b\u8f6c\u6362\u4e3aobject\u3002<\/p>\n\n\n\n<p>\u5b9e\u9645\u5728\u6d4b\u8bd5\u7684\u8fc7\u7a0b\u4e2d\uff0c\u6709\u8fd9\u51e0\u4e2a\u95ee\u9898\uff1a<br>1\u3001\u5982\u679c\u662f\u4e3a\u4e86\u7ed5\u8fc7waf\uff0c\u662f\u4e0d\u662f\u5e94\u8be5\u5c1d\u8bd5\u4f20\u53c2\u7684\u65f6\u5019\u4f7f\u7528base64\u6216\u8005\u5176\u4ed6\u7684\u65b9\u5f0f\u52a0\u5bc6\u4e00\u4e0b\uff0c\u6267\u884c\u7684\u65f6\u5019\u518d\u89e3\u5bc6<br>2\u3001\u5982\u679c\u662f\u91c7\u7528\u8fd9\u79cd\u65b9\u5f0f\uff0c\u5982\u4f55\u7ed5\u8fc7rasp\u6216\u8005edr\u4e4b\u7c7b\u7684\uff1f\u611f\u89c9\u7ed5\u8fc7\u8fd9\u4e24\u4e2a\u9760\u52a0\u89e3\u5bc6\u662f\u4e0d\u884c\u7684\u3002<br>3\u3001\u5b9e\u9645\u73af\u5883\u4e0d\u592a\u53ef\u80fd\u6709javassist<\/p>\n","protected":false},"excerpt":{"rendered":"<p>0x01 \u52a8\u6001\u751f\u6210\u7c7b 0x02 \u52a0\u8f7d\u5df2\u6709\u7c7b PS. exec \u65b9\u6cd5\u5165\u53c2\u662f \u5355\u4e2aString []\u7c7b\u578b\uff0c\u4f46\u662f\u5b9e\u9645 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1026","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/posts\/1026","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/comments?post=1026"}],"version-history":[{"count":2,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/posts\/1026\/revisions"}],"predecessor-version":[{"id":1031,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/posts\/1026\/revisions\/1031"}],"wp:attachment":[{"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/media?parent=1026"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/categories?post=1026"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/tags?post=1026"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}