pen4uin / java-memshell-generator

A customizable Java in-memory webshell generation tool.

Memory shell injection does not take effect #25

Open sevck opened 3 months ago

sevck commented 3 months ago

Target: spring-boot with embedded Tomcat 8
Packaging: jar
Test tools: Behinder (冰蝎), Godzilla (哥斯拉)
Middleware: Spring MVC, Tomcat
Component type: Listener
Injection method: local `java -jar toos.jar pid`

[root@36e5248b2ca4 webapps]# java -jar demo.jar
[*] Found pid 839 ——> [user--1.6.jar]
[*] Found pid 889 ——> [demo.jar]
[root@36e5248b2ca4 webapps]# java -jar demo.jar 839
[*] Current agent path: /home/webapps/demo.jar
[*] Attaching to target JVM with PID: 839
[+] Attached to target JVM and loaded agent successfully
[root@36e5248b2ca4 webapps]# java -jar demo.jar 839
[*] Current agent path: /home/webapps/demo.jar
[*] Attaching to target JVM with PID: 839
[+] Attached to target JVM and loaded agent successfully
[root@36e5248b2ca4 webapps]#

It reports that the injection succeeded, but after requesting the configured path with the corresponding request header, neither Godzilla nor Behinder can connect.

pen4uin commented 3 months ago

Did you send a request carrying the magic parameter to trigger the memory shell injection?

(screenshot)
sevck commented 3 months ago

I tried; it does not seem to trigger. Following the docs at https://github.com/pen4uin/java-memshell-generator/tree/main/jmg-docs/1.0.8:

1. Generate: (screenshot)
2. Start the Spring project on the server side
3. Inject; it reports success: (screenshot)
4. Trigger the memory injection: (screenshot)
5. Per the generated configuration: (screenshot)
6. Access: (screenshot)
7. Corresponding server-side log: (screenshot)

sevck commented 3 months ago

Does it have to do with how the service is started? `java -jar user-xxx.jar`. The project is Spring Cloud; the service is started as a Spring Boot application.

pen4uin commented 3 months ago

Is user-xxx.jar something you started locally for testing? If it is a freshly started environment, you need to send it a request first: because of lazy loading, the corresponding classes may not be found at attach time.

sevck commented 3 months ago

Just tried it again:

1. user-xxx.jar is started locally with `java -jar user-xxx.jar` (Spring Cloud project, Spring Boot application)
2. Access the service's endpoint
3. Inject the agent locally, as follows:

[root@36e5248b2ca4 webapps]# java -jar demo.jar
[*] Found pid 445 ——> [demo.jar]
[*] Found pid 397 ——> [user-xxx.jar]
[root@36e5248b2ca4 webapps]# java -jar demo.jar 397
[*] Current agent path: /home/webapps/demo.jar
[*] Attaching to target JVM with PID: 397
[+] Attached to target JVM and loaded agent successfully
[root@36e5248b2ca4 webapps]# java -jar demo.jar 397
[*] Current agent path: /home/webapps/demo.jar
[*] Attaching to target JVM with PID: 397
[+] Attached to target JVM and loaded agent successfully
[root@36e5248b2ca4 webapps]# java -jar demo.jar 397
[*] Current agent path: /home/webapps/demo.jar
[*] Attaching to target JVM with PID: 397
[+] Attached to target JVM and loaded agent successfully

4. Access magic
5. Access the Behinder shell: still 404.. Not sure whether I am doing something wrong.

sevck commented 3 months ago

Sorry, the Tomcat version I gave earlier was wrong:

08/01-07:09:32 INFO org.apache.catalina.core.StandardService- Starting service [Tomcat]
08/01-07:09:32 INFO org.apache.catalina.core.StandardEngine- Starting Servlet Engine: Apache Tomcat/9.0.12

Could the relatively high Tomcat version be the reason?
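The attach step shown in this thread (`java -jar demo.jar <pid>`) uses HotSpot's dynamic-attach mechanism, and the "[+] Attached to target JVM" lines are only the attacker-side view; the target's Tomcat log does not record an attach. What a defender can look for instead is the mechanism's host-level footprint. The following is an added, defender-side example written for this page, not code from the issue or from the java-memshell-generator project. It assumes a Linux host running HotSpot with the default temp directory: the attaching client drops a transient `.attach_pid<pid>` trigger file, and the target JVM, once its attach listener is up, keeps a UNIX socket named `.java_pid<pid>` in /tmp for the rest of its life. The fixture directory, the pid 999999999 and the function names are constructed for the demonstration.

```python
"""Check a Linux host for artifacts of a dynamic attach to a running JVM.

A production service that nobody is supposed to be profiling or patching at
runtime should not have a `.java_pid<pid>` listener socket. The trigger file
`.attach_pid<pid>` is normally deleted by the client once the attach finishes,
so seeing it means an attach is in progress right now.
"""
import os
import re
import socket
import stat
import tempfile

_SOCKET_RE = re.compile(r"^\.java_pid(\d+)$")    # listener created by the target JVM
_TRIGGER_RE = re.compile(r"^\.attach_pid(\d+)$")  # trigger dropped by the attaching client


def is_live_pid(pid):
    """True if a process with this pid exists right now."""
    if os.path.isdir("/proc"):
        return os.path.isdir(f"/proc/{pid}")
    try:                      # non-procfs fallback: signal 0 probes existence only
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def cmdline_of(pid):
    """Command line of `pid` from procfs, or "" if it cannot be read."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return ""


def find_attach_artifacts(tmp_dir="/tmp", live_only=True):
    """Map pid -> {"socket": path or None, "trigger": path or None}.

    Only a real UNIX socket counts as a listener; a stale regular file with
    the same name is ignored. With live_only=True, artifacts whose pid no
    longer exists are dropped as leftovers rather than live listeners.
    """
    found = {}
    for name in sorted(os.listdir(tmp_dir)):
        path = os.path.join(tmp_dir, name)
        m = _SOCKET_RE.match(name)
        if m:
            try:
                if not stat.S_ISSOCK(os.lstat(path).st_mode):
                    continue
            except OSError:
                continue
            kind = "socket"
        else:
            m = _TRIGGER_RE.match(name)
            if not m:
                continue
            kind = "trigger"
        pid = int(m.group(1))
        if live_only and not is_live_pid(pid):
            continue
        found.setdefault(pid, {"socket": None, "trigger": None})[kind] = path
    return found


def report(artifacts):
    """One human-readable line per affected JVM, with its command line."""
    lines = []
    for pid, art in sorted(artifacts.items()):
        flags = [k for k in ("socket", "trigger") if art[k]]
        lines.append(f"pid {pid}: {', '.join(flags)} -> {cmdline_of(pid) or '?'}")
    return lines


def build_constructed_fixture():
    """Constructed test data: a throwaway directory imitating /tmp right after
    an attach to *this* process (live listener socket + trigger file for
    os.getpid()), plus a stale regular file that must NOT be reported."""
    d = tempfile.mkdtemp(prefix="attach-demo-")
    me = os.getpid()
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(os.path.join(d, f".java_pid{me}"))
    open(os.path.join(d, f".attach_pid{me}"), "w").close()
    open(os.path.join(d, ".java_pid999999999"), "w").close()  # not a socket, dead pid
    return d, me, listener


if __name__ == "__main__":
    # Scan the real /tmp; on a host where nothing has attached this prints nothing.
    for line in report(find_attach_artifacts()):
        print(line)
```

Run it from cron or a host agent and alert on any line it prints for a service JVM. For services where no one should ever attach, the stronger control is to start the JVM with `-XX:+DisableAttachMechanism`, which makes the attach in this thread fail before any agent is loaded.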