Java代码审计实战：StudentManager系统漏洞分析与修复指南<\/h1>

一、系统概述<\/h2>
StudentManager是一个基于Java Web的学生管理系统，使用Servlet+JSP架构，存在多处严重安全漏洞。本指南将详细分析这些漏洞的原理、危害及修复方案。<\/p>

二、SQL注入漏洞<\/h2>

1. 漏洞位置与原理<\/h3>

系统在多个DAO类中直接拼接SQL语句，未使用预编译：<\/p>

StudentD.java<\/strong><\/p>

public<\/span> Student checkAccount<\/span>(<\/span>String user,<\/span> String password)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    initConnection();<\/span>
<\/span><\/span>    Statement stat =<\/span> conn.<\/span>createStatement<\/span>();<\/span>
<\/span><\/span>    String sql =<\/span> "select * from student where id = '"<\/span> +<\/span> user +<\/span> "' and password = '"<\/span> +<\/span> password +<\/span> "'"<\/span>;<\/span>
<\/span><\/span>    ResultSet rs =<\/span> stat.<\/span>executeQuery<\/span>(<\/span>sql);<\/span>
<\/span><\/span>    Student stu =<\/span> getStudent(<\/span>rs);<\/span>
<\/span><\/span>    closeConnection();<\/span>
<\/span><\/span>    return<\/span> stu;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>TeacherD.java<\/strong><\/p>
public<\/span> Teacher checkAccount<\/span>(<\/span>String id,<\/span> String password)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    initConnection();<\/span>
<\/span><\/span>    Statement stat =<\/span> conn.<\/span>createStatement<\/span>();<\/span>
<\/span><\/span>    String sql =<\/span> "select * from teacher where id = '"<\/span> +<\/span> id +<\/span> "' and password = '"<\/span> +<\/span> password +<\/span> "'"<\/span>;<\/span>
<\/span><\/span>    ResultSet rs =<\/span> stat.<\/span>executeQuery<\/span>(<\/span>sql);<\/span>
<\/span><\/span>    Teacher tea =<\/span> getTeacher(<\/span>rs);<\/span>
<\/span><\/span>    closeConnection();<\/span>
<\/span><\/span>    return<\/span> tea;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. 漏洞利用方式<\/h3>
登录处注入Payload：<\/p>
用户名：admin'or 1=1#
密码：任意值
<\/code><\/pre>
3. 影响范围<\/h3>


StudentD类中的方法：<\/p>

checkAccount<\/li>
findWithId<\/li>
findWithName<\/li>
deleteStudent<\/li>
<\/ul>
<\/li>

TeacherD类中的方法：<\/p>

checkAccount<\/li>
findWithId<\/li>
<\/ul>
<\/li>
<\/ul>
4. 修复方案<\/h3>
使用PreparedStatement进行参数化查询：<\/p>
public<\/span> Student checkAccount<\/span>(<\/span>String user,<\/span> String password)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    initConnection();<\/span>
<\/span><\/span>    String sql =<\/span> "select * from student where id = ? and password = ?"<\/span>;<\/span>
<\/span><\/span>    PreparedStatement ps =<\/span> conn.<\/span>prepareStatement<\/span>(<\/span>sql);<\/span>
<\/span><\/span>    ps.<\/span>setString<\/span>(<\/span>1<\/span>,<\/span> user);<\/span>
<\/span><\/span>    ps.<\/span>setString<\/span>(<\/span>2<\/span>,<\/span> password);<\/span>
<\/span><\/span>    ResultSet rs =<\/span> ps.<\/span>executeQuery<\/span>();<\/span>
<\/span><\/span>    Student stu =<\/span> getStudent(<\/span>rs);<\/span>
<\/span><\/span>    closeConnection();<\/span>
<\/span><\/span>    return<\/span> stu;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>三、越权访问漏洞<\/h2>
1. 漏洞位置<\/h3>
在main.jsp页面中仅简单获取session信息，未进行权限验证：<\/p>
student\/main.jsp<\/strong><\/p>
<% Student student = (Student) session.getAttribute("info");%>
<\/code><\/pre>
teacher\/main.jsp<\/strong><\/p>
<% Teacher teacher = (Teacher) session.getAttribute("info"); 
   ArrayList<Student> stus = (ArrayList<Student>) session.getAttribute("onePageStudent"); 
   int sumIndex = (int) session.getAttribute("sumIndex");%>
<\/code><\/pre>
2. 漏洞危害<\/h3>
攻击者无需登录即可直接访问敏感页面，虽然会报500错误，但仍暴露系统结构信息。<\/p>
3. 修复方案<\/h3>
添加权限验证过滤器：<\/p>
public<\/span> class<\/span> AuthFilter<\/span> implements<\/span> Filter {<\/span>
<\/span><\/span>    public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest request,<\/span> ServletResponse response,<\/span> FilterChain chain)<\/span> 
<\/span><\/span>        throws<\/span> IOException,<\/span> ServletException {<\/span>
<\/span><\/span>        HttpServletRequest req =<\/span> (<\/span>HttpServletRequest)<\/span> request;<\/span>
<\/span><\/span>        HttpServletResponse res =<\/span> (<\/span>HttpServletResponse)<\/span> response;<\/span>
<\/span><\/span>        HttpSession session =<\/span> req.<\/span>getSession<\/span>(<\/span>false<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        if<\/span> (<\/span>session ==<\/span> null<\/span> ||<\/span> session.<\/span>getAttribute<\/span>(<\/span>"info"<\/span>)<\/span> ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            res.<\/span>sendRedirect<\/span>(<\/span>req.<\/span>getContextPath<\/span>()<\/span> +<\/span> "\/login.jsp"<\/span>);<\/span>
<\/span><\/span>            return<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        chain.<\/span>doFilter<\/span>(<\/span>request,<\/span> response);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>在web.xml中配置过滤器：<\/p>
<filter><\/span>
<\/span><\/span>    <filter-name><\/span>AuthFilter<\/filter-name><\/span>
<\/span><\/span>    <filter-class><\/span>com.example.AuthFilter<\/filter-class><\/span>
<\/span><\/span><\/filter><\/span>
<\/span><\/span><filter-mapping><\/span>
<\/span><\/span>    <filter-name><\/span>AuthFilter<\/filter-name><\/span>
<\/span><\/span>    <url-pattern><\/span>\/student\/*<\/url-pattern><\/span>
<\/span><\/span>    <url-pattern><\/span>\/teacher\/*<\/url-pattern><\/span>
<\/span><\/span><\/filter-mapping><\/span>
<\/span><\/span><\/code><\/pre>四、密码重置漏洞<\/h2>
1. 漏洞位置<\/h3>
update_student_security servlet<\/strong><\/p>
String id =<\/span> request.<\/span>getParameter<\/span>(<\/span>"id"<\/span>);<\/span>
<\/span><\/span>String email =<\/span> request.<\/span>getParameter<\/span>(<\/span>"email"<\/span>);<\/span>
<\/span><\/span>String password =<\/span> request.<\/span>getParameter<\/span>(<\/span>"password"<\/span>);<\/span>
<\/span><\/span>try<\/span> {<\/span>
<\/span><\/span>    studentD.<\/span>updateStudentSecurity<\/span>(<\/span>id,<\/span> email,<\/span> password);<\/span>
<\/span><\/span><\/code><\/pre>2. 漏洞利用<\/h3>
直接访问URL修改任意用户密码：<\/p>
http:\/\/localhost:8081\/web\/update_student_security?id=20162430646&email=&password=123456
<\/code><\/pre>
3. 修复方案<\/h3>

检查当前用户是否有权修改目标账号<\/li>
强制验证原密码<\/li>
<\/ol>
修改后的代码：<\/p>
String currentId =<\/span> ((<\/span>Student)<\/span>session.<\/span>getAttribute<\/span>(<\/span>"info"<\/span>)).<\/span>getId<\/span>();<\/span>
<\/span><\/span>String id =<\/span> request.<\/span>getParameter<\/span>(<\/span>"id"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>if<\/span>(!<\/span>currentId.<\/span>equals<\/span>(<\/span>id))<\/span> {<\/span>
<\/span><\/span>    throw<\/span> new<\/span> SecurityException(<\/span>"无权修改其他用户密码"<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 继续执行修改逻辑
<\/span><\/span><\/span><\/code><\/pre>五、验证码重用漏洞<\/h2>
1. 漏洞位置<\/h3>
check_register servlet<\/strong><\/p>
String randStr =<\/span> (<\/span>String)<\/span> session.<\/span>getAttribute<\/span>(<\/span>"randStr"<\/span>);<\/span>
<\/span><\/span>if<\/span> (!<\/span>code.<\/span>equals<\/span>(<\/span>randStr))<\/span> {<\/span>
<\/span><\/span>    out.<\/span>print<\/span>(<\/span>"<script>alert(\"验证码错误!\");location.href = \"register.jsp\";<\/script>"<\/span>);<\/span>
<\/span><\/span>}<\/span> else<\/span> {<\/span>
<\/span><\/span>    \/\/ 验证通过后未清除验证码
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. 漏洞危害<\/h3>
攻击者可重复使用同一验证码进行注册。<\/p>
3. 修复方案<\/h3>
验证通过后立即清除session中的验证码：<\/p>
if<\/span> (!<\/span>code.<\/span>equals<\/span>(<\/span>randStr))<\/span> {<\/span>
<\/span><\/span>    \/\/ 错误处理
<\/span><\/span><\/span><\/span>}<\/span> else<\/span> {<\/span>
<\/span><\/span>    session.<\/span>removeAttribute<\/span>(<\/span>"randStr"<\/span>);<\/span> \/\/ 清除验证码
<\/span><\/span><\/span><\/span>    \/\/ 继续注册流程
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>六、目录穿越漏洞<\/h2>
1. 漏洞位置<\/h3>
upload_studentImg servlet<\/strong><\/p>
String id =<\/span> rq.<\/span>getParameter<\/span>(<\/span>"id"<\/span>);<\/span>
<\/span><\/span>File smartFile =<\/span> smartUpload.<\/span>getFiles<\/span>().<\/span>getFile<\/span>(<\/span>0<\/span>);<\/span>
<\/span><\/span>smartFile.<\/span>saveAs<\/span>(<\/span>"\/userImg\/"<\/span>+<\/span>id+<\/span>".jpeg"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>2. 漏洞利用<\/h3>
通过构造恶意id参数实现目录穿越：<\/p>
id=..\/..\/..\/path\/to\/sensitive\/file
<\/code><\/pre>
3. 修复方案<\/h3>

校验id参数格式<\/li>
规范化路径<\/li>
<\/ol>
\/\/ 校验id是否为数字
<\/span><\/span><\/span><\/span>if<\/span>(!<\/span>id.<\/span>matches<\/span>(<\/span>"\\d+"<\/span>))<\/span> {<\/span>
<\/span><\/span>    throw<\/span> new<\/span> IllegalArgumentException(<\/span>"非法ID格式"<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 使用Paths规范化路径
<\/span><\/span><\/span><\/span>Path destination =<\/span> Paths.<\/span>get<\/span>(<\/span>"\/userImg"<\/span>).<\/span>resolve<\/span>(<\/span>id +<\/span> ".jpeg"<\/span>).<\/span>normalize<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 确保路径仍在允许的目录内
<\/span><\/span><\/span><\/span>if<\/span>(!<\/span>destination.<\/span>startsWith<\/span>(<\/span>"\/userImg"<\/span>))<\/span> {<\/span>
<\/span><\/span>    throw<\/span> new<\/span> SecurityException(<\/span>"非法文件路径"<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>smartFile.<\/span>saveAs<\/span>(<\/span>destination.<\/span>toString<\/span>());<\/span>
<\/span><\/span><\/code><\/pre>七、XSS漏洞<\/h2>
1. 漏洞位置<\/h3>
多处JSP页面直接输出用户输入：<\/p>
<td><%=stu.getId()%><\/td>
<input value="<%=stu.getDatabase()%>" name="database">
<\/code><\/pre>
2. 漏洞危害<\/h3>
攻击者可注入恶意脚本：<\/p>
"><script<\/span>>alert<\/span>(1<\/span>)<\/script<\/span>><<\/span>"
<\/span><\/span><\/code><\/pre>3. 修复方案<\/h3>

使用JSTL的c:out标签<\/li>
或使用HTML编码函数<\/li>
<\/ol>
方案一：<\/p>
<%@ taglib prefix="c" uri="http:\/\/java.sun.com\/jsp\/jstl\/core" %>
<td><c:out value="${stu.id}"\/><\/td>
<\/code><\/pre>
方案二：<\/p>
<td><%=HtmlEncoder.encode(stu.getId())%><\/td>
<\/code><\/pre>
其中HtmlEncoder实现：<\/p>
public<\/span> class<\/span> HtmlEncoder<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> String encode<\/span>(<\/span>String input)<\/span> {<\/span>
<\/span><\/span>        if<\/span>(<\/span>input ==<\/span> null<\/span>)<\/span> return<\/span> ""<\/span>;<\/span>
<\/span><\/span>        return<\/span> input.<\/span>replace<\/span>(<\/span>"&"<\/span>,<\/span> "&amp;"<\/span>)<\/span>
<\/span><\/span>                   .<\/span>replace<\/span>(<\/span>"<"<\/span>,<\/span> "&lt;"<\/span>)<\/span>
<\/span><\/span>                   .<\/span>replace<\/span>(<\/span>">"<\/span>,<\/span> "&gt;"<\/span>)<\/span>
<\/span><\/span>                   .<\/span>replace<\/span>(<\/span>"\""<\/span>,<\/span> "&quot;"<\/span>)<\/span>
<\/span><\/span>                   .<\/span>replace<\/span>(<\/span>"'"<\/span>,<\/span> "&#39;"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>八、安全开发建议<\/h2>

输入验证<\/strong>：对所有用户输入进行严格验证<\/li>
参数化查询<\/strong>：始终使用PreparedStatement<\/li>
最小权限原则<\/strong>：数据库连接使用最低必要权限<\/li>
输出编码<\/strong>：所有动态内容输出前进行编码<\/li>
会话管理<\/strong>：合理设置session超时时间<\/li>
错误处理<\/strong>：避免暴露系统敏感信息的错误消息<\/li>
安全框架<\/strong>：考虑使用Spring Security等安全框架<\/li>
定期审计<\/strong>：建立代码审计机制，定期检查安全漏洞<\/li>
<\/ol>
九、总结<\/h2>
StudentManager系统存在SQL注入、越权访问、密码重置、验证码重用、目录穿越和XSS等多类漏洞，主要原因是缺乏对用户输入的有效验证和不安全的编码实践。通过实施参数化查询、输入验证、输出编码和权限控制等措施，可显著提升系统安全性。<\/p>

Java代码审计实战：StudentManager系统漏洞分析与修复指南<\/h1>

一、系统概述<\/h2> StudentManager是一个基于Java Web的学生管理系统，使用Servlet+JSP架构，存在多处严重安全漏洞。本指南将详细分析这些漏洞的原理、危害及修复方案。<\/p>

二、SQL注入漏洞<\/h2>

三、越权访问漏洞<\/h2>

2. 漏洞危害<\/h3> 攻击者无需登录即可直接访问敏感页面，虽然会报500错误，但仍暴露系统结构信息。<\/p>

四、密码重置漏洞<\/h2>

五、验证码重用漏洞<\/h2>

2. 漏洞危害<\/h3> 攻击者可重复使用同一验证码进行注册。<\/p>

六、目录穿越漏洞<\/h2>

七、XSS漏洞<\/h2>

一、系统概述<\/h2>
StudentManager是一个基于Java Web的学生管理系统，使用Servlet+JSP架构，存在多处严重安全漏洞。本指南将详细分析这些漏洞的原理、危害及修复方案。<\/p>

2. 漏洞危害<\/h3>
攻击者无需登录即可直接访问敏感页面，虽然会报500错误，但仍暴露系统结构信息。<\/p>

2. 漏洞危害<\/h3>
攻击者可重复使用同一验证码进行注册。<\/p>