tomcat-memshell-killer

"); 51 | sb.append("| path |").append("\t").append("\t").append("| info |").append("\n"); 52 | for(Map.Entry entry:registry.entrySet()){ 53 | sb.append("--------------------------------------------"); 54 | sb.append("\n"); 55 | RequestMappingInfo key = (RequestMappingInfo) entry.getKey(); 56 | List tempList = new ArrayList<>(key.getPatternsCondition().getPatterns()); 57 | sb.append(tempList.get(0)).append("\t").append("-->").append("\t"); 58 | Field _handlerMethod = mappingRegistrationClazz.getDeclaredField("handlerMethod"); 59 | _handlerMethod.setAccessible(true); 60 | HandlerMethod handlerMethod = (HandlerMethod) _handlerMethod.get(entry.getValue()); 61 | 62 | Field _desc = handlerMethod.getClass().getDeclaredField("description"); 63 | _desc.setAccessible(true); 64 | String desc = (String) _desc.get(handlerMethod); 65 | sb.append(desc); 66 | sb.append("\n"); 67 | } 68 | sb.append("

"); 107 | java.io.InputStreamReader resultReader = new java.io.InputStreamReader(process.getInputStream()); 108 | java.io.BufferedReader stdInput = new java.io.BufferedReader(resultReader); 109 | String s = null; 110 | while ((s = stdInput.readLine()) != null) { 111 | outStr.append(s).append("\n"); 112 | } 113 | outStr.append("

20 | <%! 21 | public Object getStandardContext(HttpServletRequest request) throws NoSuchFieldException, IllegalAccessException { 22 | Object context = request.getSession().getServletContext(); 23 | Field _context = context.getClass().getDeclaredField("context"); 24 | _context.setAccessible(true); 25 | Object appContext = _context.get(context); 26 | Field __context = appContext.getClass().getDeclaredField("context"); 27 | __context.setAccessible(true); 28 | Object standardContext = __context.get(appContext); 29 | return standardContext; 30 | } 31 | 32 | public HashMap getFilterConfig(HttpServletRequest request) throws Exception { 33 | Object standardContext = getStandardContext(request); 34 | Field _filterConfigs = standardContext.getClass().getDeclaredField("filterConfigs"); 35 | _filterConfigs.setAccessible(true); 36 | HashMap filterConfigs = (HashMap) _filterConfigs.get(standardContext); 37 | return filterConfigs; 38 | } 39 | 40 | // FilterMap[] 41 | public Object[] getFilterMaps(HttpServletRequest request) throws Exception { 42 | Object standardContext = getStandardContext(request); 43 | Field _filterMaps = standardContext.getClass().getDeclaredField("filterMaps"); 44 | _filterMaps.setAccessible(true); 45 | Object filterMaps = _filterMaps.get(standardContext); 46 | 47 | Object[] filterArray = null; 48 | try { // tomcat 789 49 | Field _array = filterMaps.getClass().getDeclaredField("array"); 50 | _array.setAccessible(true); 51 | filterArray = (Object[]) _array.get(filterMaps); 52 | } catch (Exception e) { // tomcat 6 53 | filterArray = (Object[]) filterMaps; 54 | } 55 | 56 | return filterArray; 57 | } 58 | 59 | /** 60 | * 遗留问题,getFilterConfig()依然存在2个 61 | * @param request 62 | * @param filterName 63 | * @throws Exception 64 | */ 65 | public synchronized void deleteFilter(HttpServletRequest request, String filterName) throws Exception { 66 | Object standardContext = getStandardContext(request); 67 | // org.apache.catalina.core.StandardContext#removeFilterDef 68 | HashMap filterConfig = getFilterConfig(request); 69 | Object appFilterConfig = filterConfig.get(filterName); 70 | Field _filterDef = appFilterConfig.getClass().getDeclaredField("filterDef"); 71 | _filterDef.setAccessible(true); 72 | Object filterDef = _filterDef.get(appFilterConfig); 73 | Class clsFilterDef = null; 74 | try { 75 | // Tomcat 8 76 | clsFilterDef = Class.forName("org.apache.tomcat.util.descriptor.web.FilterDef"); 77 | } catch (Exception e) { 78 | // Tomcat 7 79 | clsFilterDef = Class.forName("org.apache.catalina.deploy.FilterDef"); 80 | } 81 | Method removeFilterDef = standardContext.getClass().getDeclaredMethod("removeFilterDef", new Class[]{clsFilterDef}); 82 | removeFilterDef.setAccessible(true); 83 | removeFilterDef.invoke(standardContext, filterDef); 84 | 85 | // org.apache.catalina.core.StandardContext#removeFilterMap 86 | Class clsFilterMap = null; 87 | try { 88 | // Tomcat 8 89 | clsFilterMap = Class.forName("org.apache.tomcat.util.descriptor.web.FilterMap"); 90 | } catch (Exception e) { 91 | // Tomcat 7 92 | clsFilterMap = Class.forName("org.apache.catalina.deploy.FilterMap"); 93 | } 94 | Object[] filterMaps = getFilterMaps(request); 95 | for (Object filterMap : filterMaps) { 96 | Field _filterName = filterMap.getClass().getDeclaredField("filterName"); 97 | _filterName.setAccessible(true); 98 | String filterName0 = (String) _filterName.get(filterMap); 99 | if (filterName0.equals(filterName)) { 100 | Method removeFilterMap = standardContext.getClass().getDeclaredMethod("removeFilterMap", new Class[]{clsFilterMap}); 101 | removeFilterDef.setAccessible(true); 102 | removeFilterMap.invoke(standardContext, filterMap); 103 | } 104 | } 105 | } 106 | 107 | public synchronized void deleteServlet(HttpServletRequest request, String servletName) throws Exception { 108 | HashMap childs = getChildren(request); 109 | Object objChild = childs.get(servletName); 110 | String urlPattern = null; 111 | HashMap servletMaps = getServletMaps(request); 112 | for (Map.Entry servletMap : servletMaps.entrySet()) { 113 | if (servletMap.getValue().equals(servletName)) { 114 | urlPattern = servletMap.getKey(); 115 | break; 116 | } 117 | } 118 | 119 | if (urlPattern != null) { 120 | // 反射调用 org.apache.catalina.core.StandardContext#removeServletMapping 121 | Object standardContext = getStandardContext(request); 122 | Method removeServletMapping = standardContext.getClass().getDeclaredMethod("removeServletMapping", new Class[]{String.class}); 123 | removeServletMapping.setAccessible(true); 124 | removeServletMapping.invoke(standardContext, urlPattern); 125 | // Tomcat 6必须removeChild 789可以不用 126 | // 反射调用 org.apache.catalina.core.StandardContext#removeChild 127 | Method removeChild = standardContext.getClass().getDeclaredMethod("removeChild", new Class[]{org.apache.catalina.Container.class}); 128 | removeChild.setAccessible(true); 129 | removeChild.invoke(standardContext, objChild); 130 | } 131 | } 132 | 133 | public synchronized HashMap getChildren(HttpServletRequest request) throws Exception { 134 | Object standardContext = getStandardContext(request); 135 | Field _children = standardContext.getClass().getSuperclass().getDeclaredField("children"); 136 | _children.setAccessible(true); 137 | HashMap children = (HashMap) _children.get(standardContext); 138 | return children; 139 | } 140 | 141 | 142 | public synchronized HashMap getServletMaps(HttpServletRequest request) throws Exception { 143 | Object standardContext = getStandardContext(request); 144 | Field _servletMappings = standardContext.getClass().getDeclaredField("servletMappings"); 145 | _servletMappings.setAccessible(true); 146 | HashMap servletMappings = (HashMap) _servletMappings.get(standardContext); 147 | return servletMappings; 148 | } 149 | 150 | public synchronized List

Tomcat memshell scanner 0.1.0

Filter scan result

Servlet scan result

Listener scan result