大学渗透测试实战：从源码泄露到Shiro反序列化漏洞利用<\/h1>

1. 信息收集阶段<\/h2>

1.1 初始发现<\/h3>
目标URL：http:\/\/xxx.xxx.edu.cn\/trp\/file\/desc?fileId=438<\/code><\/li>
发现该接口返回文件下载地址（内网地址）<\/li>
通过相似路由测试确认可访问性<\/li>
<\/ul>
1.2 文件泄露测试<\/h3>

对fileId参数进行爆破（000-999）<\/li>
搜索响应中包含.zip<\/code>和.rar<\/code>的结果<\/li>
成功获取源码压缩包（war格式）<\/li>
<\/ul>
2. 源码审计流程<\/h2>
2.1 工具准备<\/h3>

JD-GUI：用于反编译Java字节码<\/li>
VS Code：用于代码搜索和分析<\/li>
反编译技巧：Ctrl+Alt+S保存所有反编译源码<\/li>
<\/ul>
2.2 技术栈分析<\/h3>

框架识别：

MyBatis-Plus（ORM框架）<\/li>
Shiro（权限控制框架）<\/li>
Jackson（JSON处理）<\/li>
Thymeleaf（模板引擎）<\/li>
<\/ul>
<\/li>
<\/ul>
2.3 审计重点方向<\/h3>

权限配置检查<\/strong><\/li>
SQL注入漏洞<\/strong><\/li>
SSRF漏洞<\/strong><\/li>
第三方依赖漏洞<\/strong><\/li>
敏感信息泄露<\/strong><\/li>
密码\/密钥硬编码<\/strong><\/li>
<\/ol>
3. 漏洞发现与分析<\/h2>
3.1 权限配置不当<\/h3>

发现未授权访问接口：\/trp\/getTeacher<\/code>

泄露8000+条教师信息（姓名、工号、出生日期）<\/li>
<\/ul>
<\/li>
权限注解缺失：

缺少@RequiresPermissions<\/code>注解的路由可匿名访问<\/li>
示例：可匿名删除CmsArticle<\/code>内容<\/li>
<\/ul>
<\/li>
<\/ul>
3.2 SQL注入潜在风险<\/h3>

MyBatis-Plus中发现${content.conName}<\/code>动态SQL拼接<\/li>
注入条件：

能控制文章标题（conName）<\/li>
访问\/trp\/cmsDefContenadd\/list<\/code>路由<\/li>
<\/ul>
<\/li>
限制：

创建\/修改操作受权限控制，无法直接利用<\/li>
<\/ul>
<\/li>
<\/ul>
3.3 Shiro反序列化漏洞<\/h3>
3.3.1 版本确认<\/h4>

Shiro版本：1.4.0<\/li>
默认密钥生成机制存在风险<\/li>
<\/ul>
3.3.2 密钥硬编码<\/h4>

发现默认密钥配置：rememberMe_shiro_key<\/code><\/li>
密钥处理代码：<\/li>
<\/ul>
byte<\/span>[]<\/span> encryptKeyBytes =<\/span> "rememberMe_shiro_key"<\/span>.<\/span>getBytes<\/span>(<\/span>StandardCharsets.<\/span>UTF_8<\/span>);<\/span>
<\/span><\/span>String rememberKey =<\/span> Base64.<\/span>getEncoder<\/span>().<\/span>encodeToString<\/span>(<\/span>Arrays.<\/span>copyOf<\/span>(<\/span>encryptKeyBytes,<\/span> 16<\/span>));<\/span>
<\/span><\/span><\/code><\/pre>3.3.3 漏洞利用<\/h4>

使用上述代码生成Base64编码的AES密钥<\/li>
利用Shiro反序列化工具（如ysoserial）进行攻击<\/li>
通过RememberMe Cookie实现远程代码执行<\/li>
<\/ol>
4. 渗透测试方法论总结<\/h2>
4.1 系统化测试流程<\/h3>

全面信息收集<\/strong>：不放过任何可能暴露信息的接口<\/li>
参数爆破<\/strong>：针对ID类参数进行系统化测试<\/li>
源码深度审计<\/strong>：从配置文件到业务逻辑的全面检查<\/li>
<\/ol>
4.2 重点检查项<\/h3>

权限配置<\/strong>：检查所有Controller的访问控制<\/li>
SQL注入<\/strong>：搜索${}<\/code>和动态SQL拼接<\/li>
框架漏洞<\/strong>：确认第三方库版本和配置<\/li>
密钥管理<\/strong>：检查硬编码密钥和加密配置<\/li>
<\/ul>
4.3 防御建议<\/h3>

避免使用动态SQL拼接，使用预编译语句<\/li>
为所有业务接口配置明确的权限控制<\/li>
自定义Shiro加密密钥，避免使用默认值<\/li>
定期进行依赖库版本更新和安全审计<\/li>
<\/ol>
附录：关键代码片段<\/h2>
Shiro密钥生成代码<\/h3>
import<\/span> java.util.Arrays;<\/span>
<\/span><\/span>import<\/span> java.nio.charset.StandardCharsets;<\/span>
<\/span><\/span>import<\/span> java.util.Base64;<\/span>
<\/span><\/span>import<\/span> org.apache.shiro.crypto.AesCipherService;<\/span>
<\/span><\/span>import<\/span> org.apache.shiro.util.ByteSource;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> ShiroAESencode<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> encryptKeyBytes =<\/span> "rememberMe_shiro_key"<\/span>.<\/span>getBytes<\/span>(<\/span>StandardCharsets.<\/span>UTF_8<\/span>);<\/span>
<\/span><\/span>        String rememberKey =<\/span> Base64.<\/span>getEncoder<\/span>().<\/span>encodeToString<\/span>(<\/span>Arrays.<\/span>copyOf<\/span>(<\/span>encryptKeyBytes,<\/span> 16<\/span>));<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>rememberKey);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>MyBatis-Plus潜在注入点<\/h3>
<!-- mapper.xml 文件 --><\/span>
<\/span><\/span><select<\/span> id=<\/span>"findListBySiteCode"<\/span> resultType=<\/span>"xxx"<\/span>><\/span>
<\/span><\/span>    SELECT * FROM table WHERE conName = '${content.conName}'
<\/span><\/span><\/select><\/span>
<\/span><\/span><\/code><\/pre>通过系统化的渗透测试方法，即使是教育类网站也可能存在严重的安全隐患，开发人员和安全团队应重视每个环节的安全防护。<\/p>