Comments (8)
不出网目前还是通过回显的方式来解决吧,这2天会更新一个新版本,增加更多的回显方式。
写shell的函数可以通过简单修改 ysoserial.payloads.util.Gadgets.createTemplatesImpl 方法来实现
from shiroexploit-deprecated.
嗯,看到师傅的代码了。有些是spring-boot的没法写js到目录。看到一个师傅的回显项目不错,师傅可以参考下“https://blog.csdn.net/fnmsd/article/details/106709736?from=timeline”
from shiroexploit-deprecated.
你讲的很对,spring-boot不行,你给出的这个参考链接我试过,在 readme 里面有提及。我采用的方式是(1)在本地读取class文件,写入到 classpath 下面(https://github.com/feihong-cs/deserizationEcho/blob/master/%E5%85%A8%E8%87%AA%E5%8A%A8%E6%8C%96%E6%8E%98%20request%20%E5%9B%9E%E6%98%BE/code/Step1.jsp) (2)利用发射 Class.forName().newInstance() 去执行(https://github.com/feihong-cs/deserizationEcho/blob/master/%E5%85%A8%E8%87%AA%E5%8A%A8%E6%8C%96%E6%8E%98%20request%20%E5%9B%9E%E6%98%BE/code/Step1.jsp)。之前测试的时候发现效果不好,不知道是不是由于后面作者自己说的没有考虑到 response 和 request 对应的问题,作者后面改了下代码,改好过后的我还没测试过。但是我的这种方法似乎也没法适用于 spring-boot,师傅可有好的思路可以借鉴下?
from shiroexploit-deprecated.
可能没啥好办法了,只能上内存shell感觉师傅
from shiroexploit-deprecated.
目前发布了一个新版本,目前支持了多种回显方式,其中包括 Spring 回显,师傅可以帮忙测试看看
from shiroexploit-deprecated.
即将关闭此issue
from shiroexploit-deprecated.
师傅牛逼。这边看到有师傅发了针对不出网的key检测方式。key正确情况下不返回 deleteMe ,key错误情况下返回deleteMe。感觉可行,参考https://mp.weixin.qq.com/s/do88_4Td1CSeKLmFqhGCuQ,具体代码没看懂,感觉师傅应该可以。
from shiroexploit-deprecated.
看到师傅已经增加,tql了
from shiroexploit-deprecated.
Related Issues (20)
- 跑key遇到意外错误 HOT 8
- 希望新增功能——支持http代理选项 HOT 2
- 请问能添加自定义gadget功能吗?
- 使用jetty回显碰到[invalid type code: CA] HOT 3
- 您输入的http请求解析后无法正常访问
- 建议增加判断回显的方式
- 能够检测到key值,但是无法回显执行命令的结果。 HOT 1
- 原因: java.lang.NoClassDefFoundError: javafx/application/Application HOT 2
- 代理设置
- 怎么用了
- 现在shiro新版本加密方式变了,能升级下么;支持AES.MODE_GCM加密 HOT 2
- 这要怎么解决Exception running application com.shiroexploit.gui.StartPane HOT 1
- 目标机是Win时,执行有空格的命令(如dir "c:\Program Files"),无响应
- 721爆破时报错
- 721爆破有个不当之处可否修复
- Exception running application com.shiroexploit.gui.StartPane HOT 4
- 使用工具测试本地项目没有漏洞.但是通过域名测试就有漏洞这是啥情况? HOT 1
- openjdk version "1.8.0_312"出现错误: 找不到或无法加载主类 com.shiroexploit.gui.StartPane
- 回显方式跟JRMP方式之间的联系
- cc10 无回显 webshell连接密码
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from shiroexploit-deprecated.