Tomcat XML解析机制与Webshell构造技术分析<\/h1>

1. Tomcat XML解析机制分析<\/h2>

1.1 核心解析流程<\/h3>

Tomcat通过Digester<\/code>组件解析XML配置文件，主要流程如下：<\/p>



初始化阶段<\/strong>：<\/p>

从Bootstrap#main<\/code>启动，反射调用Catalina#load<\/code>创建Server实例<\/li>
创建Digester<\/code>对象并获取server.xml<\/code>输入流<\/li>
调用Digester#parse<\/code>解析文件内容<\/li>
<\/ul>
<\/li>

标签处理三步骤<\/strong>：<\/p>

实例化阶段<\/strong>：匹配标签的classname<\/code>属性值，调用ObjectCreateRule<\/code>规则实例化类并加入digester栈<\/li>
属性赋值阶段<\/strong>：调用SetPropertiesRule#begin<\/code>，通过IntrospectionUtils#setProperty<\/code>进行属性赋值

属性名与"set"拼接形成setter方法名<\/li>
反射查找并调用对应setter方法<\/li>
setProperty<\/code>方法调用时invokeSetProperty<\/code>恒为true，可导致系统属性覆盖<\/li>
<\/ul>
<\/li>
后续处理阶段<\/strong>：调用SetNextRule#begin<\/code>（默认未实现）<\/li>
<\/ul>
<\/li>
<\/ol>
1.2 应用部署机制<\/h3>
Tomcat启动后通过deployApps<\/code>部署应用，包含三种方式：<\/p>


deployDescriptors<\/strong>：<\/p>

解析conf\/Catalina\/localhost\/<\/code>下的XML文件<\/li>
创建DeployDescriptor<\/code>加入线程池执行<\/li>
核心调用HostConfig#deployDescriptor<\/code>处理<\/li>
<\/ul>
<\/li>

deployWARs<\/strong>：<\/p>

部署webapps\/<\/code>下的WAR包<\/li>
创建DeployWar<\/code>对象加入线程池<\/li>
若开启deployThisXML<\/code>会解析WAR包中的META-INF\/context.xml<\/code><\/li>
<\/ul>
<\/li>

deployDirectories<\/strong>：<\/p>

部署webapps\/<\/code>下已解压的项目<\/li>
优先使用webapps\/xx\/<\/code>下的content.xml<\/code><\/li>
不存在则使用默认conf\/context.xml<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
1.3 动态加载机制<\/h3>
ContainerBase#startInternal<\/code>创建后台线程定期检查应用变动：<\/p>

默认开启auto deploy<\/code>机制（appBase<\/code>为目录时）<\/li>
通过热部署机制可动态加载恶意XML文件<\/li>
扫描的XML文件包括：

web.xml<\/code><\/li>
conf\/Catalina\/localhost\/xxx.xml<\/code><\/li>
conf\/context.xml<\/code><\/li>
webapps\/xx\/META-INF\/context.xml<\/code><\/li>
webapps\/xx.war#META-INF\/context.xml<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
2. Webshell构造技术<\/h2>
2.1 基本构造原理<\/h3>
利用Tomcat解析XML时自动调用setter方法的特性：<\/p>


核心解析步骤<\/strong>：<\/p>

配置XML解析规则<\/li>
获取待解析的XML输入流<\/li>
使用Digester#parse<\/code>解析（触发setter方法调用）<\/li>
<\/ul>
<\/li>

实现方式<\/strong>：<\/p>

模拟ContextConfig<\/code>对象处理方式<\/li>
通过JSP的request<\/code>域获取StandardContext<\/code>对象<\/li>
设置defaultContextXml<\/code>指向恶意XML位置<\/li>
创建Digester<\/code>对象并设置标签规则<\/li>
反射调用contextConfig<\/code>方法解析恶意XML<\/li>
<\/ul>
<\/li>
<\/ol>
2.2 优化版Webshell构造<\/h3>


简化解析流程<\/strong>：<\/p>
\/\/ 直接使用Digester.parse(InputStream)
<\/span><\/span><\/span><\/span>Digester digester =<\/span> new<\/span> Digester();<\/span>
<\/span><\/span>InputStream is =<\/span> new<\/span> ByteArrayInputStream(<\/span>xmlContent.<\/span>getBytes<\/span>());<\/span>
<\/span><\/span>digester.<\/span>parse<\/span>(<\/span>is);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

输入流获取优化<\/strong>：<\/p>

使用Base64编码传输文件内容<\/li>
封装为输入流类进行解析<\/li>
<\/ul>
<\/li>

自定义解析规则<\/strong>：<\/p>
\/\/ 自定义RuleSet
<\/span><\/span><\/span><\/span>digester.<\/span>addRuleSet<\/span>(<\/span>new<\/span> RuleSet()<\/span> {<\/span>
<\/span><\/span>    public<\/span> void<\/span> addRuleInstances<\/span>(<\/span>Digester digester)<\/span> {<\/span>
<\/span><\/span>        \/\/ 自定义标签\/属性规则
<\/span><\/span><\/span><\/span>        digester.<\/span>addObjectCreate<\/span>(<\/span>"Test\/Loader"<\/span>,<\/span> "恶意类名"<\/span>,<\/span> "className"<\/span>);<\/span>
<\/span><\/span>        digester.<\/span>addSetProperties<\/span>(<\/span>"Test\/Loader"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>});<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2.3 恶意XML示例<\/h3>
<Context><\/span>
<\/span><\/span>    <Loader<\/span> className=<\/span>"恶意类名"<\/span> \/><\/span>
<\/span><\/span><\/Context><\/span>
<\/span><\/span><\/code><\/pre>或使用自定义标签：<\/p>
<Test><\/span>
<\/span><\/span>    <Loader<\/span> className=<\/span>"恶意类名"<\/span> \/><\/span>
<\/span><\/span><\/Test><\/span>
<\/span><\/span><\/code><\/pre>3. 防御建议<\/h2>


权限控制<\/strong>：<\/p>

限制对conf\/Catalina\/localhost\/<\/code>目录的写入权限<\/li>
限制对webapps\/<\/code>目录下文件的修改权限<\/li>
<\/ul>
<\/li>

配置加固<\/strong>：<\/p>

关闭不必要的热部署功能(autoDeploy="false"<\/code>)<\/li>
使用安全管理器限制敏感操作<\/li>
<\/ul>
<\/li>

监控措施<\/strong>：<\/p>

监控可疑的XML文件上传行为<\/li>
审计Digester<\/code>解析日志<\/li>
<\/ul>
<\/li>

代码层面<\/strong>：<\/p>

重写关键setter方法添加安全校验<\/li>
限制反射调用的权限<\/li>
<\/ul>
<\/li>
<\/ol>
4. 测试验证<\/h2>
测试环境：<\/p>

Tomcat 8.5.60\/9.x<\/li>
通过上传恶意XML文件或直接传入XML内容<\/li>
使用自定义标签可避免错误回显，隐蔽性更好<\/li>
<\/ul>
5. 参考资源<\/h2>

Tomcat下的文件上传RCE姿势<\/a><\/li>
JSP新Webshell的探索之旅<\/a><\/li>
Tomcat XML解析机制分析<\/a><\/li>
<\/ol>

Tomcat XML解析机制与Webshell构造技术分析<\/h1>

1. Tomcat XML解析机制分析<\/h2>

2. Webshell构造技术<\/h2>

5. 参考资源<\/h2> Tomcat下的文件上传RCE姿势<\/a><\/li> JSP新Webshell的探索之旅<\/a><\/li> Tomcat XML解析机制分析<\/a><\/li> <\/ol>

5. 参考资源<\/h2>

Tomcat下的文件上传RCE姿势<\/a><\/li>
JSP新Webshell的探索之旅<\/a><\/li>
Tomcat XML解析机制分析<\/a><\/li> <\/ol>