Java安全之Tomcat6 Filter内存马
2022/11/6 1:23:59
本文主要是介绍Java安全之Tomcat6 Filter内存马,对大家解决编程问题具有一定的参考价值,需要的程序猿们随着小编来一起学习吧!
ApplicationFilterConfig包含了FilterDef对象
构造方法如下,如果当前filter属性为null会从FilterDef取filter的实例对象
ApplicationFilterConfig(Context context, FilterDef filterDef) throws ClassCastException, ClassNotFoundException, IllegalAccessException, InstantiationException, ServletException, InvocationTargetException, NamingException, IllegalArgumentException, NoSuchMethodException, SecurityException {
this.context = context;
this.filterDef = filterDef;
if (filterDef.getFilter() == null) {
this.getFilter();
} else {
this.filter = filterDef.getFilter();
this.getInstanceManager().newInstance(this.filter);
this.initFilter();
}
}
FilterDef中存储了filterClass / filterName / filter 属性
public class FilterDef implements Serializable {
private static final long serialVersionUID = 1L;
private static final StringManager sm;
private String description = null;
private String displayName = null;
private transient Filter filter = null;
private String filterClass = null;
private String filterName = null;
private String largeIcon = null;
private final Map<String, String> parameters = new HashMap();
private String smallIcon = null;
private String asyncSupported = null;
public FilterDef() {
}
再有就是createFilterChain中还涉及到filterMap
FilterMap里主要存放urlpatterner和filterName的映射
public class FilterMap extends XmlEncodingBase implements Serializable {
private static final long serialVersionUID = 1L;
public static final int ERROR = 1;
public static final int FORWARD = 2;
public static final int INCLUDE = 4;
public static final int REQUEST = 8;
public static final int ASYNC = 16;
private static final int NOT_SET = 0;
private int dispatcherMapping = 0;
private String filterName = null;
private String[] servletNames = new String[0];
private boolean matchAllUrlPatterns = false;
private boolean matchAllServletNames = false;
private String[] urlPatterns = new String[0];
-
tomcat8下注入filter内存马流程如下:
-
FilterDef: 设置
setFilter(Filter filter)setFilterName(String filterName)setFilterClass(String filterClass)这里filterName和filterClass应该不是一个东西,最后调用StandardContext#addFilterDef将该恶意filterdef put到this.filterDefs -
FilterMap:
addURLPattern("/*")setFilterName(String filterName)setDispatcher(DispatcherType.REQUEST.name()),最后调用StandardContext#addFilterMapBefore(filtermap)添加到this.filterMaps中 -
ApplicationFilterConfig: 调用有参构造将
FilterDef作为参数传递进去后调有参构造实例化一个ApplicationFilterConfig,最终put进standardcontext的属性里去。
探索Tomcat6与Tomcat8之间的区别#
主要看下tomcat6和tomcat8之间createFilterChain不相同的地方 看到ApplicationFilterFactory#createFilterChain
跟进getFilter
主要代码如下:
所以这里构造filterDef的时候filterClass为evilfilter的全类名即可
这篇关于Java安全之Tomcat6 Filter内存马的文章就介绍到这儿,希望我们推荐的文章对大家有所帮助,也希望大家多多支持为之网!
- 2024-05-15鸿蒙生态设备数量超8亿台
- 2024-05-13TiDB + ES:转转业财系统亿级数据存储优化实践
- 2024-05-09“2024鸿蒙零基础快速实战-仿抖音App开发(ArkTS版)”实战课程已上线
- 2024-05-09聊聊如何通过arthas-tunnel-server来远程管理所有需要arthas监控的应用
- 2024-05-09log4j2这么配就对了
- 2024-05-09nginx修改Content-Type
- 2024-05-09Redis多数据源,看这篇就够了
- 2024-05-09Google Chrome驱动程序 124.0.6367.62(正式版本)去哪下载?
- 2024-05-09有没有大佬知道这种数据应该怎么抓取呀?
- 2024-05-09这种运行结果里的10.100000001,怎么能最快改成10.1?
