首页
社区
课程
招聘
[原创]Java内存马 Filter调用链分析
发表于: 2024-8-17 18:58 6565

[原创]Java内存马 Filter调用链分析

2024-8-17 18:58
6565

完成上述步骤,即可以debug模式启动项目。

将断点打至doFilter方法

观察调用堆栈,doFilter方式是由ApplicationFilterChain的internalDoFilter方法调用的:

按ctrl点filter变量跳转到它的定义:

可见其是由filterConfig得到的,filterConfig是从数组filters中获取的一个元素,于是可以得到一个结论:在filters数组中放置一个filterConfig对象即可调用到其对应的doFilter方法。
现在反推第一个问题:filters数组从哪里赋值?
按ctrl点filters,寻找其赋值操作:

倒数第三个动作是给数组元素赋值,点击进去,然后在这里下个断点,重启tomcat,在浏览器中访问http://localhost:8080/MemoryTrojan/hello触发HelloFilter的执行,断点停在这里,filters数组元素被赋值为一个filterConfig变量,而filterConfig是由addFilter方法的参数传入的:

点击上一层栈帧,跟踪filterConfig从何而来:

是由一个StandardContext对象调用findFilterConfig方法获取的,而这个方法传入了一个String类型的name,该name是由filterMap获得的。
可以看看filterMap都包含了哪些信息:

主要就两点信息,一是urlPatterns,咱们在代码注解中配置的"/hello",另外一个是filterName,默认取全类名。
接下来反推第二个问题:filterMap从何而来?
继续按ctrl点击filterMap跳转至定义:

可见filterMap是数组filterMaps的一个元素:

filterMaps是StandardContext类型对象调用findFilterMaps方法获取的,

findFilterMaps方法又使用了一个StandardContext对象的私有属性也叫filterMaps:

于是接下来,继续寻找这个filterMaps在哪里有赋值动作:

第一个动作就是,点进去下个断点,重启tomcat,代码停留在断点处:

这里可以得到第二个结论:tomcat调用了StandardContext对象的addFilterMap方法添加了filterMap。
分析完filterMap后,我们再回到此处,分析StandardContext对象的findFilterConfig方法:

点击进去发现用到了一个filterConfigs,

跳转到其定义发现是一个HashMap

按ctrl寻找给该map put值的地方,在此下个断点,重启tomcat,代码停留在断点处:

这里new了一个ApplicationFilterConfig对象,而这个对象构造方法的第二个参数是一个FilterDef类型的对象,FilterDef主要包含的信息有:filterClass,也就是过滤器类,以及filterName。
至此可以得到第三个结论:构造一个ApplicationFilterConfig类型的对象filterConfig,并传入一个包含过滤器类型的filterDef,再将filterConfig放入HashMap类型的对象filterConfigs中,tomcat即可获取到该filterConfig。

先梳理一下上面的分析过程:

依据这条路线来编写poc,在webapp目录下新建poc.jsp。

接下来访问http://localhost:8080/MemoryTrojan/poc.jsp,此时filter已经被注入到tomcat中,
然后访问http://localhost:8080/MemoryTrojan/?cmd=calc,即可执行系统命令弹出计算器:

Java安全学习——内存马

<?xml version="1.0" encoding="UTF-8"?>
 
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
 
  <groupId>com.milon</groupId>
  <artifactId>MemoryTrojan</artifactId>
  <version>1.0-SNAPSHOT</version>
  <packaging>war</packaging>
 
  <name>MemoryTrojan Maven Webapp</name>
 
  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <maven.compiler.source>1.8</maven.compiler.source>
    <maven.compiler.target>1.8</maven.compiler.target>
  </properties>
 
  <dependencies>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>javax.servlet-api</artifactId>
      <version>4.0.1</version>
      <scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>javax.servlet.jsp</groupId>
      <artifactId>jsp-api</artifactId>
      <version>2.1</version>
      <scope>provided</scope>
    </dependency>
 
    <!--引入tomcat是为了调试源码-->
    <dependency>
      <groupId>org.apache.tomcat</groupId>
      <artifactId>tomcat-catalina</artifactId>
      <version>8.5.100</version>
      <scope>provided</scope>
    </dependency>
 
  </dependencies>
 
 
  <build>
    <finalName>MemoryTrojan</finalName>
    <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
      <plugins>
        <plugin>
          <artifactId>maven-clean-plugin</artifactId>
          <version>3.1.0</version>
        </plugin>
        <!-- see http://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_war_packaging -->
        <plugin>
          <artifactId>maven-resources-plugin</artifactId>
          <version>3.0.2</version>
        </plugin>
        <plugin>
          <artifactId>maven-compiler-plugin</artifactId>
          <version>3.8.0</version>
        </plugin>
        <plugin>
          <artifactId>maven-surefire-plugin</artifactId>
          <version>2.22.1</version>
        </plugin>
        <plugin>
          <artifactId>maven-war-plugin</artifactId>
          <version>3.2.2</version>
        </plugin>
        <plugin>
          <artifactId>maven-install-plugin</artifactId>
          <version>2.5.2</version>
        </plugin>
        <plugin>
          <artifactId>maven-deploy-plugin</artifactId>
          <version>2.8.2</version>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>
</project>
<?xml version="1.0" encoding="UTF-8"?>
 
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
 
  <groupId>com.milon</groupId>
  <artifactId>MemoryTrojan</artifactId>
  <version>1.0-SNAPSHOT</version>
  <packaging>war</packaging>
 
  <name>MemoryTrojan Maven Webapp</name>
 
  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <maven.compiler.source>1.8</maven.compiler.source>
    <maven.compiler.target>1.8</maven.compiler.target>
  </properties>
 
  <dependencies>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>javax.servlet-api</artifactId>
      <version>4.0.1</version>
      <scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>javax.servlet.jsp</groupId>
      <artifactId>jsp-api</artifactId>
      <version>2.1</version>
      <scope>provided</scope>
    </dependency>
 
    <!--引入tomcat是为了调试源码-->
    <dependency>
      <groupId>org.apache.tomcat</groupId>
      <artifactId>tomcat-catalina</artifactId>
      <version>8.5.100</version>
      <scope>provided</scope>
    </dependency>
 
  </dependencies>
 
 
  <build>
    <finalName>MemoryTrojan</finalName>
    <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
      <plugins>
        <plugin>
          <artifactId>maven-clean-plugin</artifactId>
          <version>3.1.0</version>
        </plugin>
        <!-- see http://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_war_packaging -->
        <plugin>
          <artifactId>maven-resources-plugin</artifactId>
          <version>3.0.2</version>
        </plugin>
        <plugin>
          <artifactId>maven-compiler-plugin</artifactId>
          <version>3.8.0</version>
        </plugin>
        <plugin>
          <artifactId>maven-surefire-plugin</artifactId>
          <version>2.22.1</version>
        </plugin>
        <plugin>
          <artifactId>maven-war-plugin</artifactId>
          <version>3.2.2</version>
        </plugin>
        <plugin>
          <artifactId>maven-install-plugin</artifactId>
          <version>2.5.2</version>
        </plugin>
        <plugin>
          <artifactId>maven-deploy-plugin</artifactId>
          <version>2.8.2</version>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>
</project>
@WebServlet("/hello")
public class HelloServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.getWriter().write("HelloServlet doGet...");
    }
}
@WebServlet("/hello")
public class HelloServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.getWriter().write("HelloServlet doGet...");
    }
}
@WebFilter(urlPatterns = "/hello")
public class HelloFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) {
        System.out.println("HelloFilter init");
    }
 
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        System.out.println("HelloFilter doFilter");
        chain.doFilter(request, response);
    }
 
    @Override
    public void destroy() {
        System.out.println("HelloFilter destory");
    }
}
@WebFilter(urlPatterns = "/hello")
public class HelloFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) {
        System.out.println("HelloFilter init");

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

最后于 2024-8-18 11:03 被米龙·0xFFFE编辑 ,原因: 附带参考链接
收藏
免费 1
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//