Java Security: Tomcat 6 Filter Memory Shell
2022/11/6 1:23:59
ApplicationFilterConfig contains a FilterDef object.
Its constructor is shown below. If the current filter property is null, the filter instance is obtained through the FilterDef.
```java
ApplicationFilterConfig(Context context, FilterDef filterDef)
        throws ClassCastException, ClassNotFoundException, IllegalAccessException,
               InstantiationException, ServletException, InvocationTargetException,
               NamingException, IllegalArgumentException, NoSuchMethodException,
               SecurityException {
    this.context = context;
    this.filterDef = filterDef;
    if (filterDef.getFilter() == null) {
        this.getFilter();
    } else {
        this.filter = filterDef.getFilter();
        this.getInstanceManager().newInstance(this.filter);
        this.initFilter();
    }
}
```
FilterDef stores the filterClass, filterName and filter properties.
```java
public class FilterDef implements Serializable {
    private static final long serialVersionUID = 1L;
    private static final StringManager sm;
    private String description = null;
    private String displayName = null;
    private transient Filter filter = null;
    private String filterClass = null;
    private String filterName = null;
    private String largeIcon = null;
    private final Map<String, String> parameters = new HashMap();
    private String smallIcon = null;
    private String asyncSupported = null;

    public FilterDef() {
    }
```
In addition, createFilterChain also involves filterMap.
FilterMap mainly stores the mapping between URL patterns and filterName.
```java
public class FilterMap extends XmlEncodingBase implements Serializable {
    private static final long serialVersionUID = 1L;
    public static final int ERROR = 1;
    public static final int FORWARD = 2;
    public static final int INCLUDE = 4;
    public static final int REQUEST = 8;
    public static final int ASYNC = 16;
    private static final int NOT_SET = 0;
    private int dispatcherMapping = 0;
    private String filterName = null;
    private String[] servletNames = new String[0];
    private boolean matchAllUrlPatterns = false;
    private boolean matchAllServletNames = false;
    private String[] urlPatterns = new String[0];
```
The flow for injecting a Filter memory shell on Tomcat 8 is as follows:
- FilterDef: set setFilter(Filter filter), setFilterName(String filterName) and setFilterClass(String filterClass). Here filterName and filterClass should not be the same thing. Finally, StandardContext#addFilterDef is called to put the malicious FilterDef into this.filterDefs.
- FilterMap: addURLPattern("/*"), setFilterName(String filterName) and setDispatcher(DispatcherType.REQUEST.name()). Finally, StandardContext#addFilterMapBefore(filtermap) is called to add it to this.filterMaps.
- ApplicationFilterConfig: the FilterDef is passed as the argument to the parameterized constructor to instantiate an ApplicationFilterConfig, which is finally put into a property of the StandardContext.
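Exploring the differences between Tomcat 6 and Tomcat 8
The main thing to look at is where createFilterChain differs between Tomcat 6 and Tomcat 8. Look at ApplicationFilterFactory#createFilterChain.
Step into getFilter.
The main code is as follows: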
So when constructing the filterDef here, it is enough for filterClass to be the fully qualified class name of the evil filter.
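
From the defender's side, the structures described above are also where an injected filter becomes visible. The following read-only audit is an added example, not code from the original article or from Tomcat: it lists every registered filter configuration and flags filters whose class has no .class resource visible to its class loader, or whose live class differs from the filterClass recorded in the FilterDef. The class name FilterAudit is hypothetical, and the field names context and filterConfigs are assumptions about Tomcat internals; filterDef, filter and filterClass are the fields shown in the excerpts above.

```java
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Added example (hypothetical class name): read-only audit of registered filters.
public class FilterAudit {
    // Read a private, possibly inherited, field by name.
    static Object get(Object o, String name) throws Exception {
        for (Class<?> c = o.getClass(); c != null; c = c.getSuperclass()) {
            try {
                Field f = c.getDeclaredField(name);
                f.setAccessible(true);
                return f.get(o);
            } catch (NoSuchFieldException ignored) { /* try the superclass */ }
        }
        throw new NoSuchFieldException(name);
    }

    // True when the defining class loader can locate a .class resource for c.
    static boolean hasClassFile(Class<?> c) {
        String res = c.getName().replace('.', '/') + ".class";
        ClassLoader cl = c.getClassLoader();
        return (cl == null ? ClassLoader.getSystemResource(res) : cl.getResource(res)) != null;
    }

    // servletContext: the ApplicationContextFacade (the "application" object in a JSP).
    static List<String> audit(Object servletContext) throws Exception {
        // Assumed field names: facade.context -> ApplicationContext.context -> StandardContext
        Object std = get(get(servletContext, "context"), "context");
        Map<?, ?> configs = (Map<?, ?>) get(std, "filterConfigs"); // assumed field name
        List<String> report = new ArrayList<String>();
        for (Map.Entry<?, ?> e : configs.entrySet()) {
            Object filter = get(e.getValue(), "filter");
            String declared = (String) get(get(e.getValue(), "filterDef"), "filterClass");
            Class<?> live = filter == null ? null : filter.getClass();
            List<String> flags = new ArrayList<String>();
            if (live != null && !hasClassFile(live)) flags.add("NO_CLASS_FILE");
            if (live != null && declared != null && !declared.equals(live.getName()))
                flags.add("CLASS_MISMATCH");
            report.add(e.getKey() + " declared=" + declared
                    + " live=" + (live == null ? "-" : live.getName()) + " " + flags);
        }
        return report;
    }
}
```

Treat the flags as triage input and compare the reported filter names against the filters declared in web.xml and in the application's own code.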