ysoserial icon indicating copy to clipboard operation
ysoserial copied to clipboard

Published 20 hours ago verified publisher icon Litch1-v

WebappClassLoaderBase#getResources返回null

Open Eleina-233 opened this issue 2 years ago • 1 comments

师傅您好,我在看tomcat通用回显的内存马源码的时候看到这两句

(org.apache.catalina.loader.WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();\n" + " org.apache.catalina.core.ApplicationContext applicationContext = (org.apache.catalina.core.ApplicationContext) contextField.get(webappClassLoaderBase.getResources().getContext()); 本地环境tomcat8.5.78中的getResources返回值是null,导致这一句抛出异常 image

image image

Eleina-233 avatar May 13 '22 10:05 Eleina-233

因为8.5.78里的getResourses被废弃了,所以调用getResources直接返回null,可以对获取resources的方式做以下修改:

Field resources = webappClassLoaderBase.getClass().getSuperclass().getDeclaredField("resources");
resources.setAccessible(true);
StandardRoot standardRoot = (StandardRoot) resources.get(webappClassLoaderBase);
org.apache.catalina.core.ApplicationContext applicationContext= (org.apache.catalina.core.ApplicationContext) contextField.get(standardRoot.getContext())

同样也是8.5.78版本 image 实测可行: image

LxxxSec avatar Nov 15 '22 08:11 LxxxSec