feat: support filterProbe for WebLogic

ReaJason · ReaJason · commit 050a1832bc39 · 2026-01-10T11:14:17.000+08:00
diff --git a/generator/src/main/java/com/reajason/javaweb/probe/payload/filter/WebLogicFilterProbe.java b/generator/src/main/java/com/reajason/javaweb/probe/payload/filter/WebLogicFilterProbe.java
@@ -0,0 +1,223 @@
+package com.reajason.javaweb.probe.payload.filter;
+
+import javax.management.MBeanServer;
+import java.io.ByteArrayOutputStream;
+import java.io.PrintStream;
+import java.lang.management.ManagementFactory;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.util.*;
+
+/**
+ * @author ReaJason
+ */
+public class WebLogicFilterProbe {
+
+    @Override
+    public String toString() {
+        String msg = "";
+        Map<String, List<Map<String, String>>> allFiltersData = new LinkedHashMap<String, List<Map<String, String>>>();
+        Set<Object> contexts = null;
+        try {
+            contexts = getContext();
+        } catch (Throwable throwable) {
+            msg += "context error: " + getErrorMessage(throwable);
+        }
+        if (contexts == null || contexts.isEmpty()) {
+            msg += "context not found\n";
+        } else {
+            for (Object context : contexts) {
+                String contextRoot = getContextRoot(context);
+                List<Map<String, String>> filters = collectFiltersData(context);
+                allFiltersData.put(contextRoot, filters);
+            }
+            msg += formatFiltersData(allFiltersData);
+        }
+        return msg;
+    }
+
+    private List<Map<String, String>> collectFiltersData(Object context) {
+        List<Map<String, String>> result = new ArrayList<>();
+        try {
+            Object filterManager = getFieldValue(context, "filterManager");
+            Map<String, Object> filters = (Map<String, Object>) getFieldValue(filterManager, "filters");
+            List<Object> filterPatternList = (ArrayList<Object>) getFieldValue(filterManager, "filterPatternList");
+            if (filterPatternList == null || filterPatternList.isEmpty()) {
+                return Collections.emptyList();
+            }
+            for (Object filterInfo : filterPatternList) {
+                Map<String, String> info = new HashMap<>();
+                Object urlMap = getFieldValue(filterInfo, "map");
+                String filterName = (String) getFieldValue(filterInfo, "filterName");
+                if (filterName == null) {
+                    // WebLogic 10.3.6
+                    Object[] mapValues = (Object[]) invokeMethod(urlMap, "values", null, null);
+                    filterName = ((String) mapValues[0]);
+                }
+                Object filterWrapper = filters.get(filterName);
+                String filterClassName = null;
+                try {
+                    filterClassName = (String) getFieldValue(filterWrapper, "filterClassName");
+                } catch (NoSuchFieldException e) {
+                    // WebLogic 10.3.6
+                    filterClassName = (String) getFieldValue(filterWrapper, "filterclass");
+                }
+                if (filterClassName == null) {
+                    Object filter = getFieldValue(filterWrapper, "filter");
+                    if (filter != null) {
+                        filterClassName = filter.getClass().getName();
+                    }
+                }
+                info.put("filterName", filterName);
+                info.put("filterClass", filterClassName);
+                String[] urlPatterns = (String[]) invokeMethod(urlMap, "keys", null, null);
+                info.put("urlPatterns", Arrays.toString(urlPatterns));
+                result.add(info);
+            }
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+        return result;
+    }
+
+    @SuppressWarnings("all")
+    private String formatFiltersData(Map<String, List<Map<String, String>>> allFiltersData) {
+        StringBuilder output = new StringBuilder();
+        for (Map.Entry<String, List<Map<String, String>>> entry : allFiltersData.entrySet()) {
+            String context = entry.getKey();
+            List<Map<String, String>> filters = entry.getValue();
+            output.append("Context: ").append(context).append("\n");
+            if (filters.isEmpty()) {
+                output.append("No filters found\n");
+            } else if (filters.size() == 1 && filters.get(0).containsKey("error")) {
+                output.append(filters.get(0).get("error")).append("\n");
+            } else {
+                for (Map<String, String> info : filters) {
+                    appendIfPresent(output, "", info.get("filterName"), "");
+                    appendIfPresent(output, " -> ", info.get("filterClass"), "");
+                    appendIfPresent(output, " -> URL:", info.get("urlPatterns"), "");
+                    output.append("\n");
+                }
+            }
+        }
+        return output.toString();
+    }
+
+    private void appendIfPresent(StringBuilder sb, String prefix, String value, String suffix) {
+        if (value != null && !value.isEmpty()) {
+            sb.append(prefix).append(value).append(suffix);
+        }
+    }
+
+    @SuppressWarnings("all")
+    private String getContextRoot(Object context) {
+        String r = null;
+        try {
+            r = (String) invokeMethod(context, "getContextPath", null, null);
+        } catch (Exception ignored) {
+        }
+        String c = context.getClass().getName();
+        if (r == null) {
+            return c;
+        }
+        if (r.isEmpty()) {
+            return c + "(/)";
+        }
+        return c + "(" + r + ")";
+    }
+
+
+    /**
+     * weblogic.servlet.internal.WebAppServletContext
+     * /opt/oracle/wls1036/server/lib/weblogic.jar
+     * /u01/oracle/wlserver/modules/com.oracle.weblogic.servlet.jar
+     */
+    public static Set<Object> getContext() throws Exception {
+        Set<Object> webappContexts = new HashSet<Object>();
+        MBeanServer platformMBeanServer = ManagementFactory.getPlatformMBeanServer();
+        Map<String, Object> objectsByObjectName = (Map<String, Object>) getFieldValue(platformMBeanServer, "objectsByObjectName");
+        for (Map.Entry<String, Object> entry : objectsByObjectName.entrySet()) {
+            String key = entry.getKey();
+            if (key.contains("Type=WebAppComponentRuntime")) {
+                Object value = entry.getValue();
+                Object managedResource = getFieldValue(value, "managedResource");
+                if (managedResource != null && managedResource.getClass().getSimpleName().equals("WebAppRuntimeMBeanImpl")) {
+                    webappContexts.add(getFieldValue(managedResource, "context"));
+                }
+            }
+        }
+        try {
+            Object workEntry = getFieldValue(Thread.currentThread(), "workEntry");
+            Object request = null;
+            try {
+                Object connectionHandler = getFieldValue(workEntry, "connectionHandler");
+                request = getFieldValue(connectionHandler, "request");
+            } catch (Exception x) {
+                // WebLogic 10.3.6
+                request = workEntry;
+            }
+            if (request != null) {
+                webappContexts.add(getFieldValue(request, "context"));
+            }
+        } catch (Throwable ignored) {
+        }
+        return webappContexts;
+    }
+
+    @SuppressWarnings("all")
+    public static Object invokeMethod(Object obj, String methodName, Class<?>[] paramClazz, Object[] param) {
+        try {
+            Class<?> clazz = (obj instanceof Class) ? (Class<?>) obj : obj.getClass();
+            Method method = null;
+            while (clazz != null && method == null) {
+                try {
+                    if (paramClazz == null) {
+                        method = clazz.getDeclaredMethod(methodName);
+                    } else {
+                        method = clazz.getDeclaredMethod(methodName, paramClazz);
+                    }
+                } catch (NoSuchMethodException e) {
+                    clazz = clazz.getSuperclass();
+                }
+            }
+            if (method == null) {
+                throw new NoSuchMethodException("Method not found: " + methodName);
+            }
+
+            method.setAccessible(true);
+            return method.invoke(obj instanceof Class ? null : obj, param);
+        } catch (Exception e) {
+            throw new RuntimeException("Error invoking method: " + methodName, e);
+        }
+    }
+
+    @SuppressWarnings("all")
+    public static Object getFieldValue(Object obj, String name) throws Exception {
+        Class<?> clazz = obj.getClass();
+        while (clazz != Object.class) {
+            try {
+                Field field = clazz.getDeclaredField(name);
+                field.setAccessible(true);
+                return field.get(obj);
+            } catch (NoSuchFieldException var5) {
+                clazz = clazz.getSuperclass();
+            }
+        }
+        throw new NoSuchFieldException(obj.getClass().getName() + " Field not found: " + name);
+    }
+
+    @SuppressWarnings("all")
+    private String getErrorMessage(Throwable throwable) {
+        PrintStream printStream = null;
+        try {
+            ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+            printStream = new PrintStream(outputStream);
+            throwable.printStackTrace(printStream);
+            return outputStream.toString();
+        } finally {
+            if (printStream != null) {
+                printStream.close();
+            }
+        }
+    }
+}
diff --git a/integration-test/src/test/java/com/reajason/javaweb/integration/probe/DetectionTool.java b/integration-test/src/test/java/com/reajason/javaweb/integration/probe/DetectionTool.java
@@ -58,4 +58,8 @@ public static String getGlassFishFilterProbe() {
     public static String getApusicFilterProbe() {
         return getBase64Class(ApusicFilterProbe.class);
     }
+
+    public static String getWebLogicFilterProbe() {
+        return getBase64Class(WebLogicFilterProbe.class);
+    }
 }
diff --git a/integration-test/src/test/java/com/reajason/javaweb/integration/probe/weblogic/WebLogic1036ContainerTest.java b/integration-test/src/test/java/com/reajason/javaweb/integration/probe/weblogic/WebLogic1036ContainerTest.java
@@ -4,9 +4,14 @@
 import com.reajason.javaweb.integration.ProbeAssertion;
 import com.reajason.javaweb.integration.VulTool;
 import com.reajason.javaweb.integration.probe.DetectionTool;
+import com.reajason.javaweb.memshell.ShellTool;
+import com.reajason.javaweb.memshell.ShellType;
+import com.reajason.javaweb.packer.Packers;
+import com.reajason.javaweb.utils.CommonUtil;
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
 import net.bytebuddy.jar.asm.Opcodes;
+import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.Test;
 import org.testcontainers.containers.GenericContainer;
 import org.testcontainers.containers.wait.strategy.Wait;
@@ -15,9 +20,13 @@
 
 import java.nio.file.Files;
 import java.nio.file.Paths;
+import java.util.List;
 
 import static com.reajason.javaweb.integration.ContainerTool.getUrlFromWebLogic;
 import static com.reajason.javaweb.integration.ContainerTool.warFile;
+import static com.reajason.javaweb.integration.ShellAssertion.shellInjectIsOk;
+import static org.hamcrest.CoreMatchers.*;
+import static org.hamcrest.MatcherAssert.assertThat;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
@@ -34,6 +43,11 @@ public class WebLogic1036ContainerTest {
             .waitingFor(Wait.forHttp("/app"))
             .withExposedPorts(7001);
 
+    @AfterAll
+    public static void tearDown() {
+        log.info(container.getLogs());
+    }
+
     @Test
     void testJDK() {
         String url = getUrlFromWebLogic(container);
@@ -69,4 +83,25 @@ void testBytecodeReqParamResponseBody() {
         String url = getUrlFromWebLogic(container);
         ProbeAssertion.responseBytecodeIsOk(url, Server.WebLogic, Opcodes.V1_8);
     }
+
+    @Test
+    void testFilterProbe() {
+        String url = getUrlFromWebLogic(container);
+        String data = VulTool.post(url + "/b64", DetectionTool.getWebLogicFilterProbe());
+        System.out.println(data);
+        assertThat(data, anyOf(
+                containsString("Context: ")
+        ));
+    }
+
+    @Test
+    void testFilterFirstInject() {
+        String url = getUrlFromWebLogic(container);
+        shellInjectIsOk(url, Server.WebLogic, ShellType.FILTER, ShellTool.Command, org.objectweb.asm.Opcodes.V1_6, Packers.BigInteger, container);
+        String data = VulTool.post(url + "/b64", DetectionTool.getWebLogicFilterProbe());
+        log.info(data);
+        List<String> filter = ProbeAssertion.getFiltersForContext(data, "/app");
+        String filterName = ProbeAssertion.extractFilterName(filter.get(0));
+        assertThat(filterName, anyOf(startsWith(CommonUtil.getWebPackageNameForServer(Server.WebLogic))));
+    }
 }
diff --git a/integration-test/src/test/java/com/reajason/javaweb/integration/probe/weblogic/WebLogic12214ContainerTest.java b/integration-test/src/test/java/com/reajason/javaweb/integration/probe/weblogic/WebLogic12214ContainerTest.java
@@ -4,6 +4,10 @@
 import com.reajason.javaweb.integration.ProbeAssertion;
 import com.reajason.javaweb.integration.VulTool;
 import com.reajason.javaweb.integration.probe.DetectionTool;
+import com.reajason.javaweb.memshell.ShellTool;
+import com.reajason.javaweb.memshell.ShellType;
+import com.reajason.javaweb.packer.Packers;
+import com.reajason.javaweb.utils.CommonUtil;
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
 import net.bytebuddy.jar.asm.Opcodes;
@@ -16,9 +20,13 @@
 
 import java.nio.file.Files;
 import java.nio.file.Paths;
+import java.util.List;
 
 import static com.reajason.javaweb.integration.ContainerTool.getUrlFromWebLogic;
 import static com.reajason.javaweb.integration.ContainerTool.warFile;
+import static com.reajason.javaweb.integration.ShellAssertion.shellInjectIsOk;
+import static org.hamcrest.CoreMatchers.*;
+import static org.hamcrest.MatcherAssert.assertThat;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
@@ -75,4 +83,24 @@ void testBytecodeReqParamResponseBody() {
         String url = getUrlFromWebLogic(container);
         ProbeAssertion.responseBytecodeIsOk(url, Server.WebLogic, Opcodes.V1_8);
     }
+
+    @Test
+    void testFilterProbe() {
+        String url = getUrlFromWebLogic(container);
+        String data = VulTool.post(url + "/b64", DetectionTool.getWebLogicFilterProbe());
+        System.out.println(data);
+        assertThat(data, anyOf(
+                containsString("Context: ")
+        ));
+    }
+
+    @Test
+    void testFilterFirstInject() {
+        String url = getUrlFromWebLogic(container);
+        shellInjectIsOk(url, Server.WebLogic, ShellType.FILTER, ShellTool.Command, org.objectweb.asm.Opcodes.V1_6, Packers.BigInteger, container);
+        String data = VulTool.post(url + "/b64", DetectionTool.getWebLogicFilterProbe());
+        List<String> filter = ProbeAssertion.getFiltersForContext(data, "/app");
+        String filterName = ProbeAssertion.extractFilterName(filter.get(0));
+        assertThat(filterName, anyOf(startsWith(CommonUtil.getWebPackageNameForServer(Server.WebLogic))));
+    }
 }
diff --git a/integration-test/src/test/java/com/reajason/javaweb/integration/probe/weblogic/WebLogic14110ContainerTest.java b/integration-test/src/test/java/com/reajason/javaweb/integration/probe/weblogic/WebLogic14110ContainerTest.java

Original file line number	Diff line number	Diff line change
`@@ -58,4 +58,8 @@ public static String getGlassFishFilterProbe() {`
`58`	`58`	`public static String getApusicFilterProbe() {`
`59`	`59`	`return getBase64Class(ApusicFilterProbe.class);`
`60`	`60`	`}`
	`61`	`+`
	`62`	`+ public static String getWebLogicFilterProbe() {`
	`63`	`+ return getBase64Class(WebLogicFilterProbe.class);`
	`64`	`+ }`
`61`	`65`	`}`