Tomcat内存马注入技术详解：Upgrade\/Executor\/WebSocket<\/h1>

1. Upgrade内存马技术<\/h2>

1.1 原理分析<\/h3>

Upgrade内存马利用了Tomcat的HTTP协议升级机制，通过注入恶意的UpgradeProtocol实现持久化后门：<\/p>

处理流程<\/strong>：<\/p>

Http11Processor.service()调用isConnectionToken检查Connection:upgrade请求头<\/li>
存在时取出Upgrade请求头对应的对象名<\/li>
通过getUpgradeProtocol获取UpgradeProtocol实例<\/li>
调用该对象的accept方法<\/li> <\/ul> <\/li>

关键点<\/strong>：<\/p>

httpUpgradeProtocols在Tomcat启动时通过AbstractHttp11Protocol.init初始化<\/li>
初始upgradeProtocols为空，为注入提供了稳定空间<\/li> <\/ul> <\/li> <\/ol>
1.2 注入实现<\/h3>

恶意代码位置<\/strong>：<\/p>

写入恶意UpgradeProtocol，在accept方法中实现恶意功能<\/li>
accept方法的request参数是org.apache.coyote.Request<\/li> <\/ul> <\/li>

获取httpUpgradeProtocols<\/strong>：<\/p>
RequestFacade.request.connector.protocolHandler.httpUpgradeProtocols <\/code><\/pre> <\/li> Payload示例<\/strong>：<\/p> \/\/ 通过全局global获取request姿势拼接的Upgrade内存马 <\/span><\/span><\/span>\/\/ 注意执行命令需要带上Connection: Upgrade和Upgrade请求头 <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ol> 1.3 特点<\/h3> 作用于connector内的Http11Processor<\/li> 需要特殊请求头触发：Connection: Upgrade和Upgrade<\/li> 在反向代理环境下仍可工作<\/li> <\/ul> 2. Executor内存马技术<\/h2> 2.1 Tomcat请求处理架构<\/h3> 核心组件<\/strong>：<\/p> Endpoint<\/strong>：监听端口、接收连接、分发socket给Processor NioEndpoint：基于Java NIO<\/li> AprEndpoint：基于APR<\/li> JIoEndpoint：基于BIO<\/li> <\/ul> <\/li> Processor<\/strong>：真正处理请求的逻辑(Http11Processor)<\/li> Executor<\/strong>：线程池管理<\/li> <\/ul> <\/li> 请求处理流程<\/strong>：<\/p> Connector初始化ProtocolHandler<\/li> ProtocolHandler持有Endpoint<\/li> Endpoint启动监听端口<\/li> 连接到来： Endpoint分配线程<\/li> 调用Processor处理请求<\/li> <\/ul> <\/li> <\/ol> <\/li> <\/ol> 2.2 Executor注入点<\/h3> 调用链<\/strong>：<\/p> NioEndpoint$Poller.run()<\/li> processKey()<\/li> processSocket()<\/li> getExecutor().execute()<\/li> <\/ul> <\/li> 注入方法<\/strong>：<\/p> 通过NioEndpoint.setExecutor()设置自定义Executor<\/li> 将内置executor置空<\/li> <\/ul> <\/li> 查找NioEndpoint<\/strong>：<\/p> 使用java-object-searcher工具<\/li> 通过线程名"ClientPoller-*"定位<\/li> <\/ul> <\/li> <\/ol> 2.3 回显问题与局限<\/h3> 问题<\/strong>：<\/p> Executor阶段request未完全解析，内容为空<\/li> 修改Executor可能导致正常业务崩溃<\/li> 稳定性差，复现困难<\/li> <\/ul> <\/li> 不稳定回显方案<\/strong>：<\/p> 尝试从channel读取：command.socketWrapper.socket.appReadBufHandler.byteBuffer.hb<\/li> 自定义Header匹配（如cmd:whoami\r）<\/li> <\/ul> <\/li> 局限<\/strong>：<\/p> 需要继承ThreadPoolExecutor，限制利用方式<\/li> 业务影响大，易导致服务不可用<\/li> <\/ul> <\/li> <\/ol> 3. WebSocket内存马技术<\/h2> 3.1 WebSocket实现机制<\/h3> 注解实现<\/strong>：<\/p> @ServerEndpoint创建WebSocket端点<\/li> 生命周期注解： @OnOpen<\/li> @OnMessage<\/li> @OnClose<\/li> @OnError<\/li> <\/ul> <\/li> <\/ul> <\/li> 手动实现<\/strong>：<\/p> 继承Endpoint类<\/li> 实现MessageHandler.Whole<\/li> <\/ul> <\/li> 注册流程<\/strong>：<\/p> WsSci.onStartup()初始化<\/li> 扫描@ServerEndpoint和Endpoint子类<\/li> WsServerContainer.addEndpoint注册<\/li> <\/ul> <\/li> <\/ol> 3.2 内存马实现<\/h3> 获取WsServerContainer<\/strong>：<\/p> 从StandardContext属性获取："javax.websocket.server.ServerContainer"<\/li> 反射路径：StandardContext→ApplicationContext→attributes<\/li> <\/ul> <\/li> 注入步骤<\/strong>：<\/p> 获取StandardContext<\/li> 获取WsServerContainer<\/li> 创建ServerEndpointConfig<\/li> 调用addEndpoint注册恶意Endpoint<\/li> <\/ol> <\/li> 恶意Endpoint示例<\/strong>：<\/p> public<\/span> class<\/span> EvilServerWebSocket<\/span> extends<\/span> Endpoint implements<\/span> MessageHandler.<\/span>Whole<\/span><<\/span>String><\/span> {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> onOpen<\/span>(<\/span>Session session,<\/span> EndpointConfig config)<\/span> {<\/span> <\/span><\/span> session.<\/span>addMessageHandler<\/span>(<\/span>this<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> onMessage<\/span>(<\/span>String message)<\/span> {<\/span> <\/span><\/span> \/\/ 恶意代码逻辑 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3.3 特点与工具<\/h3> 建立独立ws TCP通道，绕过部分检测<\/li> 已有开源利用工具：wsMemShell<\/li> 需要配套客户端连接<\/li> <\/ul> 4. 综合对比与防御<\/h2> 4.1 技术对比<\/h3> 类型<\/th> 注入点<\/th> 触发条件<\/th> 稳定性<\/th> 隐蔽性<\/th> 适用场景<\/th> <\/tr> <\/thead> Upgrade<\/td> Http11Processor<\/td> 特殊HTTP头<\/td> 高<\/td> 中<\/td> 常规Web环境<\/td> <\/tr> Executor<\/td> NioEndpoint<\/td> 所有请求<\/td> 低<\/td> 高<\/td> 无防护设备环境<\/td> <\/tr> WebSocket<\/td> WsServerContainer<\/td> WebSocket连接<\/td> 高<\/td> 高<\/td> 长期控制通道<\/td> <\/tr> <\/tbody> <\/table> 4.2 防御建议<\/h3> 检测<\/strong>：<\/p> 监控非常规协议升级请求<\/li> 检查WebSocket端点注册<\/li> 线程池实现类验证<\/li> <\/ul> <\/li> 防护<\/strong>：<\/p> 限制协议升级功能<\/li> WebSocket端点白名单<\/li> RASP防护关键API调用<\/li> <\/ul> <\/li> 加固<\/strong>：<\/p> 禁用不必要的SCI<\/li> 定期内存马扫描<\/li> 更新Tomcat版本<\/li> <\/ul> <\/li> <\/ol> 5. 参考资源<\/h2> 测试环境与代码： https:\/\/github.com\/godownio\/TomcatMemshell<\/p> <\/li> WebSocket内存马工具： https:\/\/github.com\/veo\/wsMemShell<\/p> <\/li> 相关技术文章：<\/p> https:\/\/mp.weixin.qq.com\/s\/RuP8cfjUXnLVJezBBBqsYw<\/li> https:\/\/xz.aliyun.com\/news\/11012<\/li> https:\/\/wileysec.github.io\/fee784a451d7.html<\/li> <\/ul> <\/li> Java对象搜索技术： https:\/\/godownio.github.io\/2025\/04\/09\/li-yong-java-object-searcher-gou-jian-tomcat-xian-cheng-hui-xian\/<\/p> <\/li> StandardContext获取方法： https:\/\/godownio.github.io\/2025\/02\/26\/tomcat-xia-huo-qu-standardcontext-de-fang-fa-jsp-zhuan-java-nei-cun-ma\/<\/p> <\/li> SPI机制解析： https:\/\/godownio.github.io\/2024\/10\/28\/snakeyaml\/#SPI-%E6%9C%BA%E5%88%B6<\/p> <\/li> <\/ol>

类型<\/th>	注入点<\/th>	触发条件<\/th>	稳定性<\/th>	隐蔽性<\/th>	适用场景<\/th> <\/tr> <\/thead>
Upgrade<\/td>	Http11Processor<\/td>	特殊HTTP头<\/td>	高<\/td>	中<\/td>	常规Web环境<\/td> <\/tr>
Executor<\/td>	NioEndpoint<\/td>	所有请求<\/td>	低<\/td>	高<\/td>	无防护设备环境<\/td> <\/tr>
WebSocket<\/td>	WsServerContainer<\/td>	WebSocket连接<\/td>	高<\/td>	高<\/td>	长期控制通道<\/td> <\/tr> <\/tbody> <\/table> 4.2 防御建议<\/h3> 检测<\/strong>：<\/p> 监控非常规协议升级请求<\/li> 检查WebSocket端点注册<\/li> 线程池实现类验证<\/li> <\/ul> <\/li> 防护<\/strong>：<\/p> 限制协议升级功能<\/li> WebSocket端点白名单<\/li> RASP防护关键API调用<\/li> <\/ul> <\/li> 加固<\/strong>：<\/p> 禁用不必要的SCI<\/li> 定期内存马扫描<\/li> 更新Tomcat版本<\/li> <\/ul> <\/li> <\/ol> 5. 参考资源<\/h2> 测试环境与代码： https:\/\/github.com\/godownio\/TomcatMemshell<\/p> <\/li> WebSocket内存马工具： https:\/\/github.com\/veo\/wsMemShell<\/p> <\/li> 相关技术文章：<\/p> https:\/\/mp.weixin.qq.com\/s\/RuP8cfjUXnLVJezBBBqsYw<\/li> https:\/\/xz.aliyun.com\/news\/11012<\/li> https:\/\/wileysec.github.io\/fee784a451d7.html<\/li> <\/ul> <\/li> Java对象搜索技术： https:\/\/godownio.github.io\/2025\/04\/09\/li-yong-java-object-searcher-gou-jian-tomcat-xian-cheng-hui-xian\/<\/p> <\/li> StandardContext获取方法： https:\/\/godownio.github.io\/2025\/02\/26\/tomcat-xia-huo-qu-standardcontext-de-fang-fa-jsp-zhuan-java-nei-cun-ma\/<\/p> <\/li> SPI机制解析： https:\/\/godownio.github.io\/2024\/10\/28\/snakeyaml\/#SPI-%E6%9C%BA%E5%88%B6<\/p> <\/li> <\/ol>