[Original] Java Memory Shell: Filter Call Chain Analysis

Posted on: 2024-8-17 18:58
Having completed the steps above, the project can be started in debug mode.

Set a breakpoint on the doFilter method. Looking at the call stack, doFilter is invoked by the internalDoFilter method of ApplicationFilterChain:

Ctrl-click the filter variable to jump to its definition:

It is obtained from filterConfig, and filterConfig is an element taken from the filters array. This gives the first conclusion: placing a filterConfig object in the filters array is enough for its doFilter method to be called.

Now work backwards on the first question: where is the filters array populated?

Ctrl-click filters and look for its assignments:

The third-from-last usage is an assignment to an array element. Open it, set a breakpoint there, restart Tomcat, and visit http://localhost:8080/MemoryTrojan/hello in the browser to trigger HelloFilter. The breakpoint hits: the filters array element is assigned a filterConfig variable, and filterConfig is passed in as the parameter of the addFilter method:

Click the previous stack frame to trace where filterConfig comes from:

It is obtained by a StandardContext object calling findFilterConfig, and that method takes a String name, which is obtained from filterMap.

Let's look at what filterMap contains:

Mainly two pieces of information: urlPatterns, the "/hello" we configured in the annotation, and filterName, which defaults to the fully qualified class name.

Next, work backwards on the second question: where does filterMap come from?

Ctrl-click filterMap to jump to its definition:

filterMap is an element of the filterMaps array:

filterMaps is obtained by calling findFilterMaps on a StandardContext object, and findFilterMaps in turn reads a private StandardContext field that is also called filterMaps:

So next, keep looking for where this filterMaps is assigned:

The very first usage is it. Open it, set a breakpoint, restart Tomcat, and execution stops at the breakpoint:

This gives the second conclusion: Tomcat calls the StandardContext object's addFilterMap method to add the filterMap.

With filterMap covered, go back here and analyze the StandardContext object's findFilterConfig method:

Opening it shows that it uses a filterConfigs, whose definition turns out to be a HashMap.

Ctrl-click to find where values are put into this map, set a breakpoint there, restart Tomcat, and execution stops at the breakpoint:

Here a new ApplicationFilterConfig object is created, and the second argument to its constructor is a FilterDef object. The main information a FilterDef holds is filterClass, i.e. the filter class, and filterName.

This gives the third conclusion: construct an ApplicationFilterConfig object filterConfig, passing in a filterDef that carries the filter class, then put filterConfig into the HashMap filterConfigs, and Tomcat will be able to obtain that filterConfig.

First, a recap of the analysis above:

Following this route, write the PoC: create poc.jsp in the webapp directory.

Next visit http://localhost:8080/MemoryTrojan/poc.jsp; at this point the filter has been injected into Tomcat. Then visit http://localhost:8080/MemoryTrojan/?cmd=calc to execute a system command and pop up the calculator:
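The three structures traced above (filterMaps, the FilterDef wrapped by each ApplicationFilterConfig, and the filter class itself) are also where a defender can look for a filter that was never deployed. The following is an added example, not code from the original post or from Tomcat: a read-only audit that walks StandardContext.findFilterMaps() and StandardContext.findFilterDefs() (filterConfigs is private, so the FilterDefs it was built from are used instead) and reports registrations whose name is not in a deploy-time baseline, that were registered as a pre-built instance, or whose class bytes do not originate from WEB-INF. The names FilterAudit, Finding, audit, loadedFromWebInf and declaredNames are hypothetical; it assumes Tomcat 8.5 with tomcat-catalina on the classpath (as in the pom below) and that the caller already holds the webapp's StandardContext reference (for example from a management agent), which is not shown.

```java
import java.net.URL;
import java.security.CodeSource;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.catalina.core.StandardContext;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;

// Hypothetical helper, not part of Tomcat or of the original post.
public final class FilterAudit {
    /** One entry per filter registration that deserves a closer look. */
    public static final class Finding {
        public final String name;
        public final String className;
        public final List<String> urlPatterns;
        public final String reason;

        Finding(String name, String className, List<String> urlPatterns, String reason) {
            this.name = name;
            this.className = className;
            this.urlPatterns = urlPatterns;
            this.reason = reason;
        }

        @Override
        public String toString() {
            return name + " [" + className + "] " + urlPatterns + ": " + reason;
        }
    }

    /**
     * ctx: the webapp's StandardContext, assumed to be supplied by the caller (e.g. a
     * management agent). declaredNames: filter names recorded at deploy time from web.xml
     * and @WebFilter classes (annotation-registered filters use the fully qualified class name).
     */
    public static List<Finding> audit(StandardContext ctx, Set<String> declaredNames) {
        List<Finding> findings = new ArrayList<>();

        // filterMaps: the filterName -> urlPatterns bindings that decide which
        // filters are put into the chain for a request.
        Map<String, List<String>> patternsByName = new HashMap<>();
        for (FilterMap fm : ctx.findFilterMaps()) {
            patternsByName.computeIfAbsent(fm.getFilterName(), k -> new ArrayList<>())
                          .addAll(Arrays.asList(fm.getURLPatterns()));
        }

        ClassLoader loader = ctx.getLoader() != null
                ? ctx.getLoader().getClassLoader()
                : Thread.currentThread().getContextClassLoader();

        // filterDefs: the FilterDef wrapped by each ApplicationFilterConfig that
        // ends up in the private filterConfigs map.
        for (FilterDef fd : ctx.findFilterDefs()) {
            String name = fd.getFilterName();
            List<String> patterns = patternsByName.getOrDefault(name, Collections.<String>emptyList());
            String className = fd.getFilterClass();
            Class<?> cls = null;

            if (fd.getFilter() != null) {
                // A ready-made Filter instance was registered instead of a class name.
                // Frameworks do this legitimately, so this is a review flag, not a verdict.
                cls = fd.getFilter().getClass();
                if (className == null) className = cls.getName();
                findings.add(new Finding(name, className, patterns, "registered as a pre-built Filter instance"));
            }
            if (!declaredNames.contains(name)) {
                findings.add(new Finding(name, className, patterns, "filter name absent from the deploy-time baseline"));
            }
            if (cls == null && className != null) {
                try {
                    cls = Class.forName(className, false, loader);
                } catch (ClassNotFoundException e) {
                    findings.add(new Finding(name, className, patterns, "class not resolvable through the webapp class loader"));
                    continue;
                }
            }
            if (cls != null && !loadedFromWebInf(cls)) {
                findings.add(new Finding(name, className, patterns, "class bytes do not come from WEB-INF/classes or WEB-INF/lib"));
            }
        }
        return findings;
    }

    // Deployed classes carry a CodeSource location under WEB-INF. Classes defined at
    // runtime with defineClass and no ProtectionDomain have no CodeSource location, and
    // JSP-compiled classes live in Tomcat's work directory, so both return false here.
    static boolean loadedFromWebInf(Class<?> cls) {
        CodeSource cs = cls.getProtectionDomain().getCodeSource();
        if (cs == null) return false;
        URL loc = cs.getLocation();
        return loc != null && loc.getPath().contains("/WEB-INF/");
    }
}
```

Run it once against a known-good deployment to record declaredNames, then periodically afterwards. A registration whose class has no CodeSource location, or one under Tomcat's work directory, is the shape a filter defined at runtime or compiled from a JSP takes, which is exactly what a filter injected through a JSP leaves behind in the structures analysed above.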
pom.xml:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.milon</groupId>
    <artifactId>MemoryTrojan</artifactId>
    <version>1.0-SNAPSHOT</version>
    <packaging>war</packaging>

    <name>MemoryTrojan Maven Webapp</name>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
    </properties>

    <dependencies>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>javax.servlet-api</artifactId>
            <version>4.0.1</version>
            <scope>compile</scope>
        </dependency>
        <dependency>
            <groupId>javax.servlet.jsp</groupId>
            <artifactId>jsp-api</artifactId>
            <version>2.1</version>
            <scope>provided</scope>
        </dependency>
        <!-- Tomcat is included only so that its source can be debugged -->
        <dependency>
            <groupId>org.apache.tomcat</groupId>
            <artifactId>tomcat-catalina</artifactId>
            <version>8.5.100</version>
            <scope>provided</scope>
        </dependency>
    </dependencies>

    <build>
        <finalName>MemoryTrojan</finalName>
        <pluginManagement>
            <!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
            <plugins>
                <plugin>
                    <artifactId>maven-clean-plugin</artifactId>
                    <version>3.1.0</version>
                </plugin>
                <!-- see http://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_war_packaging -->
                <plugin>
                    <artifactId>maven-resources-plugin</artifactId>
                    <version>3.0.2</version>
                </plugin>
                <plugin>
                    <artifactId>maven-compiler-plugin</artifactId>
                    <version>3.8.0</version>
                </plugin>
                <plugin>
                    <artifactId>maven-surefire-plugin</artifactId>
                    <version>2.22.1</version>
                </plugin>
                <plugin>
                    <artifactId>maven-war-plugin</artifactId>
                    <version>3.2.2</version>
                </plugin>
                <plugin>
                    <artifactId>maven-install-plugin</artifactId>
                    <version>2.5.2</version>
                </plugin>
                <plugin>
                    <artifactId>maven-deploy-plugin</artifactId>
                    <version>2.8.2</version>
                </plugin>
            </plugins>
        </pluginManagement>
    </build>
</project>
```
HelloServlet.java:

```java
import java.io.IOException;

import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Target servlet mapped to /hello; HelloFilter runs in front of it.
@WebServlet("/hello")
public class HelloServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.getWriter().write("HelloServlet doGet...");
    }
}
```
HelloFilter.java:

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;

// Registered by annotation; filterName defaults to the fully qualified class name.
@WebFilter(urlPatterns = "/hello")
public class HelloFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) {
        System.out.println("HelloFilter init");
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        System.out.println("HelloFilter doFilter");
        // Hand off to the next filter in the chain, or to the servlet
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        System.out.println("HelloFilter destroy");
    }
}
```