Java FTP CRLF注入漏洞分析与利用<\/h1>

0x00 漏洞概述<\/h2>
Java在处理FTP协议流时存在CRLF（回车换行）注入漏洞，类似于Python urllib库的头注入漏洞（CVE-2016-5699）。攻击者可以利用此漏洞在多种场景下实施攻击，其中最经典的应用是欺骗防火墙规则。<\/p>

0x01 FTP基础知识<\/h2>

FTP连接模式<\/h3>

FTP协议使用两种连接：<\/p>

控制连接(Control Connection)<\/strong>：默认端口21，用于传输命令<\/li>

数据连接(Data Connection)<\/strong>：默认端口20，用于实际数据传输<\/li> <\/ul>
工作模式<\/h3>

主动模式(Active Mode)<\/strong>：<\/p>

客户端从任意端口N(≥1024)连接服务端21端口建立控制连接<\/li>
客户端发送PORT指令，通知服务端自己监听的数据连接端口为N+1<\/li>
服务端从20端口连接客户端的N+1端口建立数据连接<\/li> <\/ul> <\/li>

被动模式(Passive Mode)<\/strong>：<\/p>

客户端从任意端口N(≥1024)连接服务端21端口建立控制连接<\/li>
客户端发送PASV指令，通知服务端采用被动模式<\/li>
服务端从任意端口M(≥1024)监听数据连接<\/li>
客户端从端口N+1连接服务端M端口建立数据连接<\/li> <\/ul> <\/li> <\/ol>
PORT指令格式<\/h3>
PORT h1,h2,h3,h4,p1,p2<\/code><\/p>
h1-h4：IP地址的4个8位组（如10,1,2,4表示10.1.2.4）<\/li> p1,p2：端口号，计算方式为port = p1 * 256 + p2<\/code><\/li> <\/ul> 0x02 漏洞原理<\/h2> 防火墙欺骗机制<\/h3> 在主动模式下，当客户端前面有防火墙时：<\/p> 防火墙会跟踪FTP连接状态<\/li> 识别出客户端监听的端口是用于FTP数据连接<\/li> 为此临时建立NAT规则，允许FTP服务端连接客户端指定端口<\/li> <\/ol> 攻击思路<\/h3> 如果攻击者能控制受害客户端发送PORT指令并指定特定端口X：<\/p> 防火墙会被欺骗建立NAT规则<\/li> 受害客户端的X端口将对外开放<\/li> 如果X端口运行着未加固的敏感服务（如Redis、Memcached等），可进一步攻击<\/li> <\/ol> 0x03 技术细节<\/h2> 获取内网IP地址<\/h3> 攻击需要知道客户端内网IP，可通过以下方式获取：<\/p> 诱使客户端连接攻击者的FTP服务器<\/li> 客户端首先尝试被动模式(PASV)<\/li> 服务端拒绝PASV命令（返回非229\/227状态码）<\/li> 客户端回退到主动模式，发送PORT\/EPRT指令<\/li> 指令中包含客户端内网IP<\/li> <\/ol> 关键代码分析（Java FTP客户端实现）：<\/p> private<\/span> Socket openDataConnection<\/span>(<\/span>String var1)<\/span> throws<\/span> FtpProtocolException,<\/span> IOException {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> return<\/span> this<\/span>.<\/span>openPassiveDataConnection<\/span>(<\/span>var1);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>FtpProtocolException var14)<\/span> {<\/span> <\/span><\/span> String var4 =<\/span> var14.<\/span>getMessage<\/span>();<\/span> <\/span><\/span> if<\/span> (!<\/span>var4.<\/span>startsWith<\/span>(<\/span>"PASV"<\/span>)<\/span> &&<\/span> !<\/span>var4.<\/span>startsWith<\/span>(<\/span>"EPSV"<\/span>))<\/span> {<\/span> <\/span><\/span> throw<\/span> var14;<\/span> <\/span><\/span> }<\/span> else<\/span> if<\/span> (<\/span>this<\/span>.<\/span>proxy<\/span> !=<\/span> null<\/span> &&<\/span> this<\/span>.<\/span>proxy<\/span>.<\/span>type<\/span>()<\/span> ==<\/span> Type.<\/span>SOCKS<\/span>)<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> FtpProtocolException(<\/span>"Passive mode failed"<\/span>);<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> ServerSocket var3 =<\/span> new<\/span> ServerSocket(<\/span>0<\/span>,<\/span> 1<\/span>,<\/span> this<\/span>.<\/span>server<\/span>.<\/span>getLocalAddress<\/span>());<\/span> <\/span><\/span> Socket var2;<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> InetAddress var15 =<\/span> var3.<\/span>getInetAddress<\/span>();<\/span> \/\/ 获取IP地址 <\/span><\/span><\/span><\/span> if<\/span> (<\/span>var15.<\/span>isAnyLocalAddress<\/span>())<\/span> {<\/span> <\/span><\/span> var15 =<\/span> this<\/span>.<\/span>server<\/span>.<\/span>getLocalAddress<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> String var5 =<\/span> "EPRT |"<\/span> +<\/span> (<\/span>var15 instanceof<\/span> Inet6Address ?<\/span> "2"<\/span> :<\/span> "1"<\/span>)<\/span> +<\/span> "|"<\/span> +<\/span> <\/span><\/span> var15.<\/span>getHostAddress<\/span>()<\/span> +<\/span> "|"<\/span> +<\/span> var3.<\/span>getLocalPort<\/span>()<\/span> +<\/span> "|"<\/span>;<\/span> \/\/ 拼接EPRT命令 <\/span><\/span><\/span><\/span> \/\/ ...省略后续代码... <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>报文对齐问题<\/h3> FTP是基于行的同步协议，每条命令必须独占一个报文。要实现注入需要：<\/p> 使注入的PORT命令正好位于报文的起始位置<\/li> 两种实现方式：使用足够长的路径名填充，将PORT命令"挤"到下一个报文<\/li> 控制FTP服务端的MTU设置较小，减少所需填充量<\/li> <\/ul> <\/li> <\/ol> 示例注入URL： ftp:\/\/u:p@evil.com\/foodir%0APORT%2010,1,1,1,5,57\/z.txt<\/code><\/p> 实际发送的命令序列：<\/p> USER u PASS p TYPE I CWD foodir PORT 10,1,1,1,5,57 <\/code><\/pre> 0x04 攻击场景<\/h2> 防火墙规则欺骗<\/strong>：开放内网敏感服务端口<\/li> 内网IP泄露<\/strong>：获取客户端内网IP地址<\/li> 端口扫描<\/strong>：探测内网开放的服务<\/li> 服务劫持<\/strong>：结合其他漏洞实现完整攻击链<\/li> <\/ol> 0x05 防御措施<\/h2> 升级Java到最新版本<\/li> 在网络边界限制FTP协议的使用<\/li> 防火墙配置严格规则，不信任客户端PORT指令<\/li> 对FTP流量进行深度检测，过滤异常命令<\/li> 内网服务实施最小权限原则和网络隔离<\/li> <\/ol> 0x06 参考链接<\/h2> 原文博客：http:\/\/blog.blindspotsecurity.com\/<\/li> Python urllib头注入漏洞：CVE-2016-5699<\/li> FTP协议RFC文档：RFC 959<\/li> <\/ol>

Java FTP CRLF注入漏洞分析与利用<\/h1>

0x00 漏洞概述<\/h2> Java在处理FTP协议流时存在CRLF（回车换行）注入漏洞，类似于Python urllib库的头注入漏洞（CVE-2016-5699）。攻击者可以利用此漏洞在多种场景下实施攻击，其中最经典的应用是欺骗防火墙规则。<\/p>

0x01 FTP基础知识<\/h2>

0x02 漏洞原理<\/h2>

0x03 技术细节<\/h2>

0x06 参考链接<\/h2> 原文博客：http:\/\/blog.blindspotsecurity.com\/<\/li> Python urllib头注入漏洞：CVE-2016-5699<\/li> FTP协议RFC文档：RFC 959<\/li> <\/ol>

0x00 漏洞概述<\/h2>
Java在处理FTP协议流时存在CRLF（回车换行）注入漏洞，类似于Python urllib库的头注入漏洞（CVE-2016-5699）。攻击者可以利用此漏洞在多种场景下实施攻击，其中最经典的应用是欺骗防火墙规则。<\/p>

0x06 参考链接<\/h2>

原文博客：http:\/\/blog.blindspotsecurity.com\/<\/li>
Python urllib头注入漏洞：CVE-2016-5699<\/li>
FTP协议RFC文档：RFC 959<\/li> <\/ol>