结果命令行大大的问号?然后想到了这是最新版修复了之前的问题
文章插图
根据报错内容的显示,接下来我们看看具体做的哪些限制,可以看到够恶心的不能是下面这么多类的实例???并且能调用FORBIDDEN_METHODS 当中的方法,特别是判断是否为Class实例将我们反射的路给断掉了(在这个模板语法当中只能通过xx.class.forName去获取其他对象) ,剩下代码也很简单就不带着读了
public class BlacklistMethodAccessValidator implements MethodAccessValidator {private static final String[] FORBIDDEN_METHODS = new String[]{"getClass", "wait", "notify", "notifyAll"};public BlacklistMethodAccessValidator() {}public boolean isMethodAccessAllowed(Object object, Method method) {boolean methodForbidden = object instanceof Class || object instanceof Runtime || object instanceof Thread || object instanceof ThreadGroup || object instanceof System || object instanceof AccessibleObject || this.isUnsafeMethod(method);return !methodForbidden;}private boolean isUnsafeMethod(Method member) {return this.isAnyOfMethods(member, FORBIDDEN_METHODS);}private boolean isAnyOfMethods(Method member, String... methods) {String[] var3 = methods;int var4 = methods.length;for(int var5 = 0; var5 < var4; ++var5) {String method = var3[var5];if (this.isMethodWithName(member, method)) {return true;}}return false;}private boolean isMethodWithName(Method member, String method) {return member.getName().equals(method);}}如何绕过限制加载任意Class对象我们也知道Spring 应用程序的许多实例都隐式注册为bean,因此我们能不能从bean当中找到一个对象而这个对象当中保存了classloader对象,通过获取到它我们就能通过执行loadClass加载到任意对象既然如此,第一反应其实就是想到去上下文中看看有没有这些bean对象,而pebble在初始化上下文时是在
com.mitchellbosecke.pebble.template.PebbleTemplateImpl#evaluate(java.io.Writer, java.util.Map<java.lang.String,java.lang.Object>, java.util.Locale) 当中
可以看到这个map当中存了beans对象,而这个beans对象当中存的是那些bean对象,一方面我们可以直接遍历输出到控制台
文章插图
另一方面我们也可以直接在代码当中看一眼,反正不费事往上看看,可以看到是在
com.mitchellbosecke.pebble.spring.servlet.PebbleView#addVariablesToModel
当中,获取了spring的应用程序上下文并添加到beans属性当中
private void addVariablesToModel(Map<String, Object> model, HttpServletRequest request, HttpServletResponse response) {model.put("beans", new Beans(this.getApplicationContext()));model.put("request", request);model.put("response", response);model.put("session", request.getSession(false));}因此我们可以通过表达式获取到这个上下文当中注册的bean,去尝试寻找一些其他的属性来绕过限制,因此为了方便遍历bean当中的类,我们在原路由前加上获取上下文的部分代码
@RequestMapping({"/"})public String getTemplate(@RequestParam("x") Optional<String> template, Model model) {ServletContext sss = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest().getSession().getServletContext();org.springframework.web.context.WebApplicationContext context= org.springframework.web.context.support.WebApplicationContextUtils.getWebApplicationContext(sss);String[] beanDefinitionNames = context.getBeanDefinitionNames();for (String o:beanDefinitionNames) {System.out.println(o.toString());}return (String)template.orElse("home.pebble");}重新启动项目并访问可以得到控制台输出//输出org.springframework.context.annotation.internalConfigurationAnnotationProcessororg.springframework.context.annotation.internalAutowiredAnnotationProcessororg.springframework.context.annotation.internalCommonAnnotationProcessororg.springframework.context.event.internalEventListenerProcessororg.springframework.context.event.internalEventListenerFactoryspoinkApplicationorg.springframework.boot.autoconfigure.internalCachingMetadataReaderFactoryhomeControllerpebbleLoaderorg.springframework.boot.autoconfigure.AutoConfigurationPackagesorg.springframework.boot.autoconfigure.context.PropertyPlaceholderAutoConfigurationpropertySourcesPlaceholderConfigurerorg.springframework.boot.autoconfigure.websocket.servlet.WebSocketServletAutoConfiguration$TomcatWebSocketConfigurationwebsocketServletWebServerCustomizerorg.springframework.boot.autoconfigure.websocket.servlet.WebSocketServletAutoConfigurationorg.springframework.boot.autoconfigure.web.servlet.ServletWebServerFactoryConfiguration$EmbeddedTomcattomcatServletWebServerFactoryorg.springframework.boot.autoconfigure.web.servlet.ServletWebServerFactoryAutoConfigurationservletWebServerFactoryCustomizertomcatServletWebServerFactoryCustomizerorg.springframework.boot.context.properties.ConfigurationPropertiesBindingPostProcessororg.springframework.boot.context.internalConfigurationPropertiesBinderFactoryorg.springframework.boot.context.internalConfigurationPropertiesBinderorg.springframework.boot.context.properties.BoundConfigurationPropertiesorg.springframework.boot.context.properties.EnableConfigurationPropertiesRegistrar.methodValidationExcludeFilterserver-org.springframework.boot.autoconfigure.web.ServerPropertieswebServerFactoryCustomizerBeanPostProcessorerrorPageRegistrarBeanPostProcessororg.springframework.boot.autoconfigure.web.servlet.DispatcherServletAutoConfiguration$DispatcherServletConfigurationdispatcherServletspring.mvc-org.springframework.boot.autoconfigure.web.servlet.WebMvcPropertiesorg.springframework.boot.autoconfigure.web.servlet.DispatcherServletAutoConfiguration$DispatcherServletRegistrationConfigurationdispatcherServletRegistrationorg.springframework.boot.autoconfigure.web.servlet.DispatcherServletAutoConfigurationorg.springframework.boot.autoconfigure.task.TaskExecutionAutoConfigurationtaskExecutorBuilderapplicationTaskExecutorspring.task.execution-org.springframework.boot.autoconfigure.task.TaskExecutionPropertiesorg.springframework.boot.autoconfigure.web.servlet.error.ErrorMvcAutoConfiguration$WhitelabelErrorViewConfigurationerrorbeanNameViewResolverorg.springframework.boot.autoconfigure.web.servlet.error.ErrorMvcAutoConfiguration$DefaultErrorViewResolverConfigurationconventionErrorViewResolverspring.web-org.springframework.boot.autoconfigure.web.WebPropertiesorg.springframework.boot.autoconfigure.web.servlet.error.ErrorMvcAutoConfigurationerrorAttributesbasicErrorControllererrorPageCustomizerpreserveErrorControllerTargetClassPostProcessororg.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration$EnableWebMvcConfigurationrequestMappingHandlerAdapterrequestMappingHandlerMappingwelcomePageHandlerMappinglocaleResolverthemeResolverflashMapManagermvcConversionServicemvcValidatormvcContentNegotiationManagermvcPatternParsermvcUrlPathHelpermvcPathMatcherviewControllerHandlerMappingbeanNameHandlerMappingrouterFunctionMappingresourceHandlerMappingmvcResourceUrlProviderdefaultServletHandlerMappinghandlerFunctionAdaptermvcUriComponentsContributorhttpRequestHandlerAdaptersimpleControllerHandlerAdapterhandlerExceptionResolvermvcViewResolvermvcHandlerMappingIntrospectorviewNameTranslatororg.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration$WebMvcAutoConfigurationAdapterdefaultViewResolverviewResolverrequestContextFilterorg.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfigurationformContentFiltercom.mitchellbosecke.pebble.boot.autoconfigure.PebbleServletWebConfigurationpebbleViewResolvercom.mitchellbosecke.pebble.boot.autoconfigure.PebbleAutoConfigurationspringExtensionpebbleEnginepebble-com.mitchellbosecke.pebble.boot.autoconfigure.PebblePropertiesorg.springframework.boot.autoconfigure.jmx.JmxAutoConfigurationmbeanExporterobjectNamingStrategymbeanServerorg.springframework.boot.autoconfigure.admin.SpringApplicationAdminJmxAutoConfigurationspringApplicationAdminRegistrarorg.springframework.boot.autoconfigure.aop.AopAutoConfiguration$ClassProxyingConfigurationforceAutoProxyCreatorToUseClassProxyingorg.springframework.boot.autoconfigure.aop.AopAutoConfigurationorg.springframework.boot.autoconfigure.availability.ApplicationAvailabilityAutoConfigurationapplicationAvailabilityorg.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration$Jackson2ObjectMapperBuilderCustomizerConfigurationstandardJacksonObjectMapperBuilderCustomizerspring.jackson-org.springframework.boot.autoconfigure.jackson.JacksonPropertiesorg.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration$JacksonObjectMapperBuilderConfigurationjacksonObjectMapperBuilderorg.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration$ParameterNamesModuleConfigurationparameterNamesModuleorg.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration$JacksonObjectMapperConfigurationjacksonObjectMapperorg.springframework.boot.autoconfigure.jackson.JacksonAutoConfigurationjsonComponentModuleorg.springframework.boot.autoconfigure.context.ConfigurationPropertiesAutoConfigurationorg.springframework.boot.autoconfigure.context.LifecycleAutoConfigurationlifecycleProcessorspring.lifecycle-org.springframework.boot.autoconfigure.context.LifecyclePropertiesorg.springframework.boot.autoconfigure.http.HttpMessageConvertersAutoConfiguration$StringHttpMessageConverterConfigurationstringHttpMessageConverterorg.springframework.boot.autoconfigure.http.JacksonHttpMessageConvertersConfiguration$MappingJackson2HttpMessageConverterConfigurationmappingJackson2HttpMessageConverterorg.springframework.boot.autoconfigure.http.JacksonHttpMessageConvertersConfigurationorg.springframework.boot.autoconfigure.http.HttpMessageConvertersAutoConfigurationmessageConvertersorg.springframework.boot.autoconfigure.info.ProjectInfoAutoConfigurationspring.info-org.springframework.boot.autoconfigure.info.ProjectInfoPropertiesorg.springframework.boot.autoconfigure.sql.init.SqlInitializationAutoConfigurationspring.sql.init-org.springframework.boot.autoconfigure.sql.init.SqlInitializationPropertiesorg.springframework.boot.sql.init.dependency.DatabaseInitializationDependencyConfigurer$DependsOnDatabaseInitializationPostProcessororg.springframework.boot.autoconfigure.task.TaskSchedulingAutoConfigurationscheduledBeanLazyInitializationExcludeFiltertaskSchedulerBuilderspring.task.scheduling-org.springframework.boot.autoconfigure.task.TaskSchedulingPropertiesorg.springframework.boot.autoconfigure.web.client.RestTemplateAutoConfigurationrestTemplateBuilderConfigurerrestTemplateBuilderorg.springframework.boot.autoconfigure.web.embedded.EmbeddedWebServerFactoryCustomizerAutoConfiguration$TomcatWebServerFactoryCustomizerConfigurationtomcatWebServerFactoryCustomizerorg.springframework.boot.autoconfigure.web.embedded.EmbeddedWebServerFactoryCustomizerAutoConfigurationorg.springframework.boot.autoconfigure.web.servlet.HttpEncodingAutoConfigurationcharacterEncodingFilterlocaleCharsetMappingsCustomizerorg.springframework.boot.autoconfigure.web.servlet.MultipartAutoConfigurationmultipartConfigElementmultipartResolverspring.servlet.multipart-org.springframework.boot.autoconfigure.web.servlet.MultipartPropertiesorg.springframework.aop.config.internalAutoProxyCreator
推荐阅读
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 军棋的规则和走法 军棋的下法
- 通草鸡汤下奶吗
- 袁泉|袁泉,终于从神坛上 下来了
- 防晒|马化腾的企鹅“瘦身了”,收入下滑,但是员工平均工资8.5万以上
- 登月|中国长征系列火箭创下新纪录:2030年左右载人登月!
- |职场上为什么看似和颜悦色,其实心思已经在暗处下套
- 有品位的女人,有以下几种行为 品味女人
- 乾隆谕旨下的锡伯族西迁史 锡伯族西迁
- 如何下载滴滴出行?网约车司机端下载方法对比,总有一种你可以下载
- 滴滴出行司机端安卓和苹果的都是这样下载的,只是你没找对注册方法。
