Spring AOP 原生链挖掘思路分析<\/h1>

前言<\/h2>
本文详细分析Spring AOP原生链的挖掘思路，该链在Java安全攻防赛中表现出色，能够绕过多种类过滤限制。我们将从发现者视角完整剖析这条链的挖掘过程。<\/p>

Sink点分析：AbstractAspectJAdvice<\/h2>

关键方法分析<\/h3>
在AbstractAspectJAdvice<\/code>类中，我们发现以下关键方法：<\/p>
public<\/span> Object invoke<\/span>(<\/span>MethodInvocation mi)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>    if<\/span> (!(<\/span>mi instanceof<\/span> ProxyMethodInvocation))<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> IllegalStateException(<\/span>"MethodInvocation is not a Spring ProxyMethodInvocation: "<\/span> +<\/span> mi);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    ProxyMethodInvocation pmi =<\/span> (<\/span>ProxyMethodInvocation)<\/span> mi;<\/span>
<\/span><\/span>    return<\/span> invokeAdviceMethod(<\/span>pmi,<\/span> null<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>以及：<\/p>
protected<\/span> Object invokeAdviceMethodWithGivenArgs<\/span>(<\/span>Object[]<\/span> args)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>    Object[]<\/span> actualArgs =<\/span> args;<\/span>
<\/span><\/span>    if<\/span> (<\/span>this<\/span>.<\/span>aspectJAdviceMethod<\/span>.<\/span>getParameterCount<\/span>()<\/span> ==<\/span> 0<\/span>)<\/span> {<\/span>
<\/span><\/span>        actualArgs =<\/span> null<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        ReflectionUtils.<\/span>makeAccessible<\/span>(<\/span>this<\/span>.<\/span>aspectJAdviceMethod<\/span>);<\/span>
<\/span><\/span>        return<\/span> this<\/span>.<\/span>aspectJAdviceMethod<\/span>.<\/span>invoke<\/span>(<\/span>
<\/span><\/span>            this<\/span>.<\/span>aspectInstanceFactory<\/span>.<\/span>getAspectInstance<\/span>(),<\/span> actualArgs);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    catch<\/span> (<\/span>IllegalArgumentException ex)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> AopInvocationException(<\/span>"Mismatch on arguments to advice method ["<\/span> +<\/span>
<\/span><\/span>            this<\/span>.<\/span>aspectJAdviceMethod<\/span> +<\/span> "]; pointcut expression ["<\/span> +<\/span>
<\/span><\/span>            this<\/span>.<\/span>getPointcutExpression<\/span>()<\/span> +<\/span> "]"<\/span>,<\/span> ex);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    catch<\/span> (<\/span>InvocationTargetException ex)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> ex.<\/span>getTargetException<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>利用条件<\/h3>
要实现利用，需要控制以下关键点：<\/p>

aspectJAdviceMethod<\/strong>：需要能够控制要调用的方法<\/li>
aspectInstanceFactory.getAspectInstance()<\/strong>：需要能够控制方法调用的目标对象<\/li>
<\/ol>
AspectInstanceFactory分析<\/h3>
AspectInstanceFactory<\/code>有以下实现类：<\/p>

SingletonAspectInstanceFactory<\/code>：直接返回aspectInstance对象<\/li>
SimpleAspectInstanceFactory<\/code>：通过反射创建实例<\/li>
PrototypeAspectInstanceFactory<\/code>：每次调用都创建新实例<\/li>
<\/ul>
其中SingletonAspectInstanceFactory<\/code>的getAspectInstance<\/code>方法直接返回对象：<\/p>
public<\/span> Object getAspectInstance<\/span>()<\/span> {<\/span>
<\/span><\/span>    return<\/span> this<\/span>.<\/span>aspectInstance<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>我们可以通过反射控制这个aspectInstance，测试证明可以使用TemplatesImpl<\/code>类成功实现任意代码执行。<\/p>
利用链构建<\/h2>
ReflectiveMethodInvocation分析<\/h3>
我们需要向上寻找调用链，发现ReflectiveMethodInvocation<\/code>类的proceed<\/code>方法：<\/p>
public<\/span> Object proceed<\/span>()<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>    if<\/span> (<\/span>this<\/span>.<\/span>currentInterceptorIndex<\/span> ==<\/span> this<\/span>.<\/span>interceptorsAndDynamicMethodMatchers<\/span>.<\/span>size<\/span>()<\/span> -<\/span> 1<\/span>)<\/span> {<\/span>
<\/span><\/span>        return<\/span> invokeJoinpoint();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    Object interceptorOrInterceptionAdvice =<\/span>
<\/span><\/span>        this<\/span>.<\/span>interceptorsAndDynamicMethodMatchers<\/span>.<\/span>get<\/span>(++<\/span>this<\/span>.<\/span>currentInterceptorIndex<\/span>);<\/span>
<\/span><\/span>    if<\/span> (<\/span>interceptorOrInterceptionAdvice instanceof<\/span> InterceptorAndDynamicMethodMatcher)<\/span> {<\/span>
<\/span><\/span>        InterceptorAndDynamicMethodMatcher dm =<\/span>
<\/span><\/span>            (<\/span>InterceptorAndDynamicMethodMatcher)<\/span> interceptorOrInterceptionAdvice;<\/span>
<\/span><\/span>        if<\/span> (<\/span>dm.<\/span>methodMatcher<\/span>.<\/span>matches<\/span>(<\/span>this<\/span>.<\/span>method<\/span>,<\/span> this<\/span>.<\/span>targetClass<\/span>,<\/span> this<\/span>.<\/span>arguments<\/span>))<\/span> {<\/span>
<\/span><\/span>            return<\/span> dm.<\/span>interceptor<\/span>.<\/span>invoke<\/span>(<\/span>this<\/span>);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        else<\/span> {<\/span>
<\/span><\/span>            return<\/span> proceed();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    else<\/span> {<\/span>
<\/span><\/span>        return<\/span> ((<\/span>MethodInterceptor)<\/span> interceptorOrInterceptionAdvice).<\/span>invoke<\/span>(<\/span>this<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>要利用这个方法，需要控制interceptorOrInterceptionAdvice<\/code>对象为AspectJAroundAdvice<\/code>。<\/p>
控制interceptorsAndDynamicMethodMatchers<\/h3>
interceptorsAndDynamicMethodMatchers<\/code>是从List<\/code>中获取的，但ReflectiveMethodInvocation<\/code>没有实现Serializable<\/code>接口，无法直接序列化控制。<\/p>
解决方案是寻找动态创建ReflectiveMethodInvocation<\/code>对象的地方，且该创建者类需要实现Serializable<\/code>接口。<\/p>
JdkDynamicAopProxy<\/h3>
JdkDynamicAopProxy<\/code>类满足上述条件：<\/p>

实现了Serializable<\/code>接口<\/li>
在invoke<\/code>方法中实例化ReflectiveMethodInvocation<\/code>对象<\/li>
<\/ol>
public<\/span> Object invoke<\/span>(<\/span>Object proxy,<\/span> Method method,<\/span> Object[]<\/span> args)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    List<<\/span>Object><\/span> chain =<\/span> this<\/span>.<\/span>advised<\/span>.<\/span>getInterceptorsAndDynamicInterceptionAdvice<\/span>(<\/span>method,<\/span> targetClass);<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    retVal =<\/span> new<\/span> ReflectiveMethodInvocation(<\/span>proxy,<\/span> target,<\/span> method,<\/span> args,<\/span> targetClass,<\/span> chain).<\/span>proceed<\/span>();<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>控制chain<\/h3>
chain<\/code>是通过getInterceptorsAndDynamicInterceptionAdvice<\/code>方法获取的，该方法有两种获取方式：<\/p>

从methodCache<\/code>中直接获取<\/li>
从工厂类重新创建<\/li>
<\/ol>
我们需要关注第一种方式，通过控制AdvisedSupport<\/code>对象来影响chain的生成。<\/p>
getInterceptors方法分析<\/h3>
getInterceptors<\/code>方法最终从advice<\/code>获取拦截器：<\/p>
public<\/span> static<\/span> MethodInterceptor[]<\/span> getInterceptors<\/span>(<\/span>Advisor advisor)<\/span> throws<\/span> UnknownAdviceTypeException {<\/span>
<\/span><\/span>    List<<\/span>MethodInterceptor><\/span> interceptors =<\/span> new<\/span> ArrayList<>(<\/span>3<\/span>);<\/span>
<\/span><\/span>    Advice advice =<\/span> advisor.<\/span>getAdvice<\/span>();<\/span>
<\/span><\/span>    if<\/span> (<\/span>advice instanceof<\/span> MethodInterceptor)<\/span> {<\/span>
<\/span><\/span>        interceptors.<\/span>add<\/span>((<\/span>MethodInterceptor)<\/span> advice);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    for<\/span> (<\/span>AdvisorAdapter adapter :<\/span> ADAPTERS)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>adapter.<\/span>supportsAdvice<\/span>(<\/span>advice))<\/span> {<\/span>
<\/span><\/span>            interceptors.<\/span>add<\/span>(<\/span>adapter.<\/span>getInterceptor<\/span>(<\/span>advisor));<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    if<\/span> (<\/span>interceptors.<\/span>isEmpty<\/span>())<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> UnknownAdviceTypeException(<\/span>advisor.<\/span>getAdvice<\/span>());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> interceptors.<\/span>toArray<\/span>(<\/span>new<\/span> MethodInterceptor[<\/span>0<\/span>]);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>要利用这个方法，需要传入的对象同时实现Advice<\/code>和MethodInterceptor<\/code>接口。<\/p>
突破Advice限制<\/h3>
虽然AspectJAroundAdvice<\/code>实现了MethodInterceptor<\/code>接口但没有实现Advice<\/code>接口，我们可以使用JdkDynamicAopProxy<\/code>代理这两个接口，设置target为AspectJAroundAdvice<\/code>。<\/p>
Source点分析<\/h2>
要触发整个利用链，需要找到一个readObject<\/code>方法中调用任意对象方法的点。BadAttributeValueExpException<\/code>类完美满足这个需求：<\/p>
private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream ois)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>    ObjectInputStream.<\/span>GetField<\/span> gf =<\/span> ois.<\/span>readFields<\/span>();<\/span>
<\/span><\/span>    Object valObj =<\/span> gf.<\/span>get<\/span>(<\/span>"val"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    if<\/span> (<\/span>valObj ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        val =<\/span> null<\/span>;<\/span>
<\/span><\/span>    }<\/span> else<\/span> if<\/span> (<\/span>valObj instanceof<\/span> String)<\/span> {<\/span>
<\/span><\/span>        val=<\/span> valObj;<\/span>
<\/span><\/span>    }<\/span> else<\/span> if<\/span> (<\/span>System.<\/span>getSecurityManager<\/span>()<\/span> ==<\/span> null<\/span>
<\/span><\/span>            ||<\/span> valObj instanceof<\/span> Long
<\/span><\/span>            ||<\/span> valObj instanceof<\/span> Integer
<\/span><\/span>            ||<\/span> valObj instanceof<\/span> Float
<\/span><\/span>            ||<\/span> valObj instanceof<\/span> Double
<\/span><\/span>            ||<\/span> valObj instanceof<\/span> Byte
<\/span><\/span>            ||<\/span> valObj instanceof<\/span> Short
<\/span><\/span>            ||<\/span> valObj instanceof<\/span> Boolean)<\/span> {<\/span>
<\/span><\/span>        val =<\/span> valObj.<\/span>toString<\/span>();<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span> \/\/ the serialized object is from a version without JDK-8019292 fix
<\/span><\/span><\/span><\/span>        val =<\/span> System.<\/span>identityHashCode<\/span>(<\/span>valObj)<\/span> +<\/span> "@"<\/span> +<\/span> valObj.<\/span>getClass<\/span>().<\/span>getName<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>通过控制valObj<\/code>触发其toString<\/code>方法，进而触发代理类的invoke<\/code>方法，完成整个利用链的闭环。<\/p>
完整利用链<\/h2>

BadAttributeValueExpException.readObject()<\/code> 触发 toString()<\/code><\/li>
代理对象 toString()<\/code> 触发 JdkDynamicAopProxy.invoke()<\/code><\/li>
JdkDynamicAopProxy.invoke()<\/code> 创建并调用 ReflectiveMethodInvocation.proceed()<\/code><\/li>
ReflectiveMethodInvocation.proceed()<\/code> 调用 AspectJAroundAdvice.invoke()<\/code><\/li>
AspectJAroundAdvice.invoke()<\/code> 调用 AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs()<\/code><\/li>
AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs()<\/code> 反射调用任意方法<\/li>
<\/ol>
总结<\/h2>
这条Spring AOP原生链的挖掘过程展示了从sink点向上寻找调用链的完整思路，通过分析各个关键类的交互关系和接口实现情况，最终构建出一条完整的利用链。该链的特别之处在于：<\/p>

利用了Spring AOP的核心机制<\/li>
能够绕过常见的类过滤限制<\/li>
结合了动态代理和反射机制<\/li>
通过BadAttributeValueExpException<\/code>触发，兼容性高<\/li>
<\/ol>
这种挖掘思路可以应用于其他框架的链挖掘中，重点关注框架核心组件的交互方式和接口实现情况。<\/p>
Spring AOP 原生链挖掘思路分析<\/h1>

前言<\/h2> 本文详细分析Spring AOP原生链的挖掘思路，该链在Java安全攻防赛中表现出色，能够绕过多种类过滤限制。我们将从发现者视角完整剖析这条链的挖掘过程。<\/p>

Sink点分析：AbstractAspectJAdvice<\/h2>

前言<\/h2>
本文详细分析Spring AOP原生链的挖掘思路，该链在Java安全攻防赛中表现出色，能够绕过多种类过滤限制。我们将从发现者视角完整剖析这条链的挖掘过程。<\/p>
