
Memshell injection does not take effect

Open sevck opened this issue 1 year ago • 8 comments

Target: spring-boot with embedded Tomcat 8. Packaging: jar. Test tools: Behinder, Godzilla. Middleware: Spring MVC, Tomcat. Component type: Listener. Injection method: local `java -jar toos.jar pid`

[root@36e5248b2ca4 webapps]# java -jar demo.jar
[*] Found pid 839 ——> [user--1.6.jar]
[*] Found pid 889 ——> [demo.jar]
[root@36e5248b2ca4 webapps]# java -jar demo.jar 839
[*] Current agent path: /home/webapps/demo.jar
[*] Attaching to target JVM with PID: 839
[+] Attached to target JVM and loaded agent successfully
[root@36e5248b2ca4 webapps]# java -jar demo.jar 839
[*] Current agent path: /home/webapps/demo.jar
[*] Attaching to target JVM with PID: 839
[+] Attached to target JVM and loaded agent successfully
[root@36e5248b2ca4 webapps]#

It reports that the injection succeeded, but after requesting the configured path with the configured request header, neither Godzilla nor Behinder can connect.

sevck avatar Jul 29 '24 10:07 sevck

Did you include the magic parameter to trigger the memshell injection? [image]

pen4uin avatar Jul 29 '24 12:07 pen4uin

I tried; it does not seem to trigger. Following the docs at https://github.com/pen4uin/java-memshell-generator/tree/main/jmg-docs/1.0.8:
1. Generate: [image]
2. Start the Spring project on the server
3. Inject; it reports success: [image]
4. Trigger the in-memory injection: [image]
5. Per the generated configuration: [image]
6. Access it: [image]
7. Corresponding server log: [image]

sevck avatar Jul 30 '24 02:07 sevck

Could it be related to how the service is started? It is started with `java -jar user-xxx.jar`; the project is Spring Cloud, and the service is a Spring Boot application.

sevck avatar Jul 30 '24 02:07 sevck

Is user-xxx.jar started locally for testing? If the environment has just been started, you need to send it a request first: because of lazy loading, the corresponding class may not be found at attach time.

pen4uin avatar Jul 30 '24 07:07 pen4uin
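
The lazy-loading point above has a practical consequence: "Attached to target JVM and loaded agent successfully" only means `agentmain` ran, not that the class the agent wanted to hook was present. The following is an added example, not code from jmg or from pen4uin: a hypothetical diagnostic agent, `AttachProbe`, that uses the same attach API a `java -jar tool.jar <pid>` launcher uses and, on the agent side, checks `Instrumentation.getAllLoadedClasses()` for the classes it needs before doing anything. If one is missing it throws, so the attacher sees an `AgentInitializationException` instead of a false success. The class names in `REQUIRED` are placeholders (the thread does not say which classes jmg's Listener memshell depends on); the jar name `probe.jar` and the class name are assumptions.

```java
import com.sun.tools.attach.VirtualMachine;
import java.io.File;
import java.lang.instrument.Instrumentation;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical diagnostic agent (example code, not jmg's). Build it into a
 * jar whose manifest carries both "Main-Class: AttachProbe" and
 * "Agent-Class: AttachProbe", so the same jar is the attacher
 * ("java -jar probe.jar <pid>") and the agent that gets loaded.
 * Needs the jdk.attach module (JDK 9+) or tools.jar on the classpath (JDK 8).
 */
public class AttachProbe {

    // Placeholder list: substitute the classes your agent actually hooks.
    static final List<String> REQUIRED = Arrays.asList(
            "org.apache.catalina.core.StandardContext",
            "org.apache.catalina.core.ApplicationContext");

    // Attacher side: runs in the operator's JVM.
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java -jar probe.jar <pid>");
            return;
        }
        // Path of the jar this class was loaded from, used as the agent jar.
        String agentJar = new File(AttachProbe.class.getProtectionDomain()
                .getCodeSource().getLocation().toURI()).getPath();
        System.out.println("[*] Attaching to target JVM with PID: " + args[0]);
        VirtualMachine vm = VirtualMachine.attach(args[0]);
        try {
            // If agentmain throws, loadAgent throws AgentInitializationException,
            // so a missing class fails here instead of printing "[+] success".
            vm.loadAgent(agentJar);
            System.out.println("[+] Agent ran and every required class is loaded");
        } finally {
            vm.detach();
        }
    }

    // Agent side: runs inside the target JVM. Anything printed here goes to the
    // target's stdout (the server log), not to the attacher's console.
    public static void agentmain(String agentArgs, Instrumentation inst) {
        List<String> missing = missingClasses(inst);
        if (!missing.isEmpty()) {
            String msg = "[-] Not loaded yet (lazy init?): " + missing
                    + " -> send one HTTP request to the app, then attach again";
            System.out.println(msg);
            // The message itself is not forwarded to the attacher; only the
            // failure is. The detail stays in the target's log.
            throw new IllegalStateException(msg);
        }
        System.out.println("[+] Required classes present; hook can be installed");
    }

    // Compare the agent's requirements against what the target has loaded.
    static List<String> missingClasses(Instrumentation inst) {
        Set<String> loaded = new HashSet<>();
        for (Class<?> c : inst.getAllLoadedClasses()) {
            loaded.add(c.getName());
        }
        List<String> missing = new ArrayList<>();
        for (String name : REQUIRED) {
            if (!loaded.contains(name)) {
                missing.add(name);
            }
        }
        return missing;
    }
}
```

Run it against a freshly started Spring Boot jar, then again after one request to the application: the first attach should fail on the attacher side if any listed class is still unloaded, the second should succeed. `getAllLoadedClasses()` reports only classes already defined in the target, which is exactly what lazy initialization defers; it does not trigger loading itself, so the probe never changes the state it is measuring.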

Just tried again:
1. user-xxx.jar is started locally with `java -jar user-xxx.jar` (Spring Cloud project, Spring Boot application)
2. Requested the service's endpoints
3. Injected the agent locally, as follows:

[root@36e5248b2ca4 webapps]# java -jar demo.jar
[*] Found pid 445 ——> [demo.jar]
[*] Found pid 397 ——> [user-xxx.jar]
[root@36e5248b2ca4 webapps]# java -jar demo.jar 397
[*] Current agent path: /home/webapps/demo.jar
[*] Attaching to target JVM with PID: 397
[+] Attached to target JVM and loaded agent successfully
[root@36e5248b2ca4 webapps]# java -jar demo.jar 397
[*] Current agent path: /home/webapps/demo.jar
[*] Attaching to target JVM with PID: 397
[+] Attached to target JVM and loaded agent successfully
[root@36e5248b2ca4 webapps]# java -jar demo.jar 397
[*] Current agent path: /home/webapps/demo.jar
[*] Attaching to target JVM with PID: 397
[+] Attached to target JVM and loaded agent successfully

4. Requested the magic URL
5. Requested the Behinder shell, still 404. Not sure whether I am doing something wrong.

sevck avatar Aug 01 '24 07:08 sevck

Sorry, the Tomcat version I gave earlier was wrong:
08/01-07:09:32 INFO org.apache.catalina.core.StandardService- Starting service [Tomcat]
08/01-07:09:32 INFO org.apache.catalina.core.StandardEngine- Starting Servlet Engine: Apache Tomcat/9.0.12
Could the relatively high Tomcat version be the cause?

sevck avatar Aug 01 '24 07:08 sevck

Tested with tomcat-9.0.78; the injection likewise does not take effect.

[two screenshots attached]

fullstcat avatar Apr 02 '25 07:04 fullstcat

Sorry, solved. It was indeed the fresh-environment lazy-loading issue mentioned above: request the app first, then inject, and it works. The Godzilla shell still does not work in my test, though; the Behinder shell does.

fullstcat avatar Apr 02 '25 07:04 fullstcat