By thanks
Imagine that you are a hacker and we have built a system with spring mvc + velocity. Even if the door is left open and jsp uploads are allowed, can you get a working shell?
We know that a webshell needs just two things to run: 1. it can be parsed; 2. it can execute and complete some functional task, such as reading files.
Now let's look at web mvc. The essence of mvc lies in "decentralization" (a term I coined). What I mean is that it separates data access logic, flow control logic, business logic and view display logic from one another. This helps developers make the system clearer and easier to maintain. In terms of security, using mvc is also a big improvement: you do not have the "right" to do anything more on the view layer. Let's take the jsp webshell as an example.
First, why can webshells be written in jsp?
One major difference between jsp and other template technologies is that a jsp is ultimately compiled into a servlet and run. In short, you can think of a jsp as a servlet. This gives jsp more power than other template technologies: you can write java code directly in a jsp and execute anything you want, and without any configuration in web.xml the jsp can do everything a servlet can, reached directly by its link. This "overreach" makes jsp basically the same as php and asp, and java's rigorous mvc "authority" is completely destroyed. At this point the jsp webshell naturally came into being.
The emergence of spring mvc solved this problem very well. By assigning permissions, it makes the rendering layer go back to doing only rendering, so both developers and security engineers are happy.
A complete interaction process looks like this:
1. User requests
2. The web container matches the mapping, for example capturing *.htm and passing it on to the third step
3. The matched mapping is sent to the corresponding controller for processing.
4. View parsing (including obtaining the model and obtaining template files such as vm/jsp/xls). Generally, a viewResolver is configured in the framework. For example, if you configure a bean to use vm for rendering
5. Output
Let's see where the process is secure.
1. We successfully uploaded a jsp webshell and accessed its address (assuming the address is known, just an assumption). The configuration does not contain *.jsp, and the mapping cannot be found in step 1.
2. We successfully uploaded a jsp webshell and accessed its address. The configuration contains *.jsp. The controller cannot be found in step 2.
3. We successfully uploaded a jsp webshell and accessed its address. The configuration contains *.jsp and there is a corresponding controller in step 3, but jsp is not configured in the viewResolver in step 4. An error occurs.
There is basically no way to get through the three cases above, because if you were able to change my configuration and modify the java files, you wouldn't need a webshell at all :)
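A check for step 2 of the flow above, as an added example that is not part of the original post: it resolves which servlet would receive a request path, using the Servlet specification's matching order (a generalization beyond the *.htm case in the text). Both web.xml fragments, the servlet names and the sample paths are constructed; the container-wide `*.jsp` and `/` entries are an assumption modeled on containers such as Tomcat that ship their own defaults, so the check should be run against the merged configuration rather than the application's web.xml alone.

```python
import xml.etree.ElementTree as ET

# Constructed sample: application web.xml that maps only *.htm to Spring's DispatcherServlet.
APP_WEB_XML = """<web-app>
  <servlet-mapping><servlet-name>dispatcher</servlet-name>
    <url-pattern>*.htm</url-pattern></servlet-mapping>
</web-app>"""

# Constructed sample: container-wide defaults (assumption: the container ships
# a default servlet on "/" and a JSP servlet on *.jsp, as Tomcat's conf/web.xml does).
CONTAINER_WEB_XML = """<web-app>
  <servlet-mapping><servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern></servlet-mapping>
</web-app>"""

def load_mappings(*docs):
    """Merge url-pattern -> servlet-name; later documents override earlier ones."""
    merged = {}
    for doc in docs:
        for m in ET.fromstring(doc).findall(".//{*}servlet-mapping"):
            name = m.findtext("{*}servlet-name").strip()
            for pat in m.findall("{*}url-pattern"):
                merged[pat.text.strip()] = name
    return merged

def resolve(path, mappings):
    """Servlet-spec matching order: exact, longest path prefix, extension, default."""
    if path in mappings:
        return mappings[path]
    prefixes = [p for p in mappings if p.endswith("/*")
                and (path == p[:-2] or path.startswith(p[:-1]))]
    if prefixes:
        return mappings[max(prefixes, key=len)]
    filename = path.rsplit("/", 1)[-1]
    if "." in filename:
        ext_pattern = "*." + filename.rsplit(".", 1)[1]
        if ext_pattern in mappings:
            return mappings[ext_pattern]
    return mappings.get("/")  # None means nothing handles the path

if __name__ == "__main__":
    app_only = load_mappings(APP_WEB_XML)
    effective = load_mappings(CONTAINER_WEB_XML, APP_WEB_XML)
    for path in ("/index.htm", "/upload/shell.jsp"):
        print(path, "| app only:", resolve(path, app_only),
              "| with container defaults:", resolve(path, effective))
```

A result of `None` or `dispatcher` for an uploaded .jsp path matches the cases listed above; a result naming the container's JSP servlet means the file would be compiled outside Spring's flow.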
At this point, you may be thinking: I don't have to use jsp to write a shell. Can't one be written in vm too?
First of all, vm is much weaker than jsp. It can be said that it was a pure rendering layer from its birth.
Kxlzx has suggested using #set ($exec = "Kxlzx") $exec.class.forName("java.lang.Runtime").getRuntime().exec("calc") to execute system-level commands,
But in the same way, its parsing relies on the controller. Without the support of java files, this vm will not be parsed, and the statement is simply output as text. I have tested this.
During the test, I found that direct access to unparsed vm files has a feature:
Under Chrome
IE
My level is limited. If I have said something wrong, please discuss and correct it.