Tomcat8 回显

作者: print("") 分类: Java学习发布时间: 2021-12-22 23:17 阅读次数: 5,624 次

<%@ page import="java.lang.reflect.Field" %>
<%@ page import="org.apache.coyote.RequestInfo" %>
<%@ page import="java.util.ArrayList" %>
<%@ page import="java.util.Iterator" %>
<%@ page import="org.apache.coyote.Request" %>
<%@ page import="org.apache.tomcat.util.buf.ByteChunk" %>
<%@ page import="java.lang.reflect.Method" %>
<html>
<body>
<%
    ThreadGroup threadGroup  = (ThreadGroup)Thread.currentThread().getThreadGroup();
    Field threadField = threadGroup.getClass().getDeclaredField("threads");
    threadField.setAccessible(true);
    Thread[] threads = (Thread[])threadField.get(threadGroup);
    for(Thread thread:threads){
        if (thread != null){
            String threadName = thread.getName();
            if (threadName.contains("http-nio") && threadName.contains("AsyncTimeout")){
                Field target_pp = thread.getClass().getDeclaredField("target");
                target_pp.setAccessible(true);
                Object target = target_pp.get(thread);
                Field this0F = target.getClass().getDeclaredField("this$0");
                this0F.setAccessible(true);
                Object this0 = this0F.get(target);
                Field handlerF = this0.getClass().getSuperclass().getSuperclass().getSuperclass().getDeclaredField("handler");
                handlerF.setAccessible(true);
                Object handler = handlerF.get(this0);
                Field globalF = handler.getClass().getDeclaredField("global");
                globalF.setAccessible(true);
                Object global = globalF.get(handler);
                Field processorsF = global.getClass().getDeclaredField("processors");
                processorsF.setAccessible(true);
                ArrayList<RequestInfo> reqs = (ArrayList<RequestInfo>)processorsF.get(global);
                Iterator i = reqs.iterator();
                System.out.println(11);
                while(i.hasNext()){
                    RequestInfo req = (RequestInfo) i.next();
                    System.out.println(req);
                    Field workerThreadName = req.getClass().getDeclaredField("workerThreadName");
                    workerThreadName.setAccessible(true);
                    String workerThreadName_name = (String)workerThreadName.get(req);
                    if (workerThreadName_name !=null && workerThreadName_name.equals(Thread.currentThread().getName())){
                        System.out.println(req);
                        Field req_req= req.getClass().getDeclaredField("req");
                        req_req.setAccessible(true);
                        Request request1 = (Request) req_req.get(req);
                        byte[] buf ="1111122222222".getBytes();
                        ByteChunk bc = ByteChunk.class.newInstance();
                        Method setBytes = bc.getClass().getMethod("setBytes",new Class[]{byte[].class,int.class,int.class});
                        setBytes.invoke(bc,new Object[]{buf,0,buf.length});
                        request1.getResponse().doWrite(bc);
                    }
                }
            }
        }
    }
%>
</body>
</html>

反射—>反射–>再反射–>

Thread.currentThread().getThreadGroup().threads –>循环threads 获取名字。threads.target—>反射threads.target

–>this$0 –>handler –>global –>workerThreadName –>获取request 对象—>获取Request 对象–>通过getResponse.doWrite 写入到页面中

如果觉得我的文章对您有用，请随意打赏。您的支持将鼓励我继续创作！

Tomcat8 回显

发表回复 取消回复

发表回复取消回复