Java Web应用安全审计实战：StudentManager项目漏洞分析与挖掘<\/h1>

1. 项目概述与环境搭建<\/h2>

1.1 项目简介<\/h3>

StudentManager是一个基于Spring MVC的学生管理系统，适合Java审计新手练习。项目采用以下技术栈：<\/p>

JDK 1.8<\/li>
MySQL 5.5<\/li>
Tomcat 7<\/li>

MyBatis作为ORM框架<\/li> <\/ul>

1.2 环境搭建步骤<\/h3>

数据库配置：<\/p>

使用Navicat创建数据库<\/li>
字符集选择utf8，排序规则选择utf8_bin<\/li>
导入项目中的sql.sql文件<\/li> <\/ul> <\/li>

配置文件修改：<\/p>

修改application.yml中的数据库连接信息<\/li> <\/ul> <\/li>

启动项目：<\/p>

通过StudentmanagerApplication.java启动<\/li>

默认端口8080<\/li> <\/ul> <\/li> <\/ol>

2. 安全审计方法论<\/h2>

本次审计采用半黑盒+半白盒<\/strong>的方法：<\/p>

首先审查pom.xml了解项目依赖<\/li>
全局搜索常见危险模式<\/li>
功能点测试与代码审计结合<\/li>
重点关注：

SQL注入<\/li>
XSS漏洞<\/li>
文件上传漏洞<\/li>
CSRF漏洞<\/li>
权限绕过<\/li> <\/ul> <\/li> <\/ol>
3. 漏洞分析与挖掘<\/h2>
3.1 SQL注入审计<\/h3>
审计过程<\/strong>：<\/p>

检查MyBatis使用方式<\/li>
全局搜索${<\/code>符号（MyBatis未预处理的危险字符）<\/li>
检查SQL映射文件<\/li> <\/ol> 结论<\/strong>：<\/p> 所有SQL语句都使用#{}<\/code>进行参数绑定<\/li> 不存在SQL注入漏洞<\/li> <\/ul> 3.2 拦截器与权限控制<\/h3> 关键文件<\/strong>：<\/p> LoginInterceptor.java<\/code>：登录检测拦截器<\/li> SpringmvcConfig.java<\/code>：配置拦截规则<\/li> <\/ul> 拦截器逻辑<\/strong>：<\/p> public<\/span> boolean<\/span> preHandle<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response,<\/span> Object handler)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> HttpSession session =<\/span> request.<\/span>getSession<\/span>();<\/span> <\/span><\/span> if<\/span>(<\/span>session.<\/span>getAttribute<\/span>(<\/span>"userInfo"<\/span>)<\/span> ==<\/span> null<\/span>){<\/span> <\/span><\/span> response.<\/span>sendRedirect<\/span>(<\/span>request.<\/span>getContextPath<\/span>()<\/span> +<\/span> "\/system\/login"<\/span>);<\/span> <\/span><\/span> return<\/span> false<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> true<\/span>;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>拦截器配置<\/strong>：<\/p> 排除路径：\/upload\/**<\/code><\/li> 尝试绕过：\/upload\/..\/任意路由<\/code> → 失败（Spring MVC会自动规范化路径）<\/li> <\/ul> 结论<\/strong>：<\/p> 拦截器实现正确，无法直接绕过<\/li> <\/ul> 3.3 XSS漏洞<\/h3> 发现点<\/strong>：<\/p> 学生信息修改页面的"姓名"字段<\/li> 教师课程管理中的"课程名称"字段<\/li> <\/ol> 测试payload<\/strong>：<\/p> <script<\/span>>alert<\/span>(1<\/span>)<\/script<\/span>> <\/span><\/span><\/code><\/pre>漏洞特点<\/strong>：<\/p> 存储型XSS<\/li> 但输入长度受限（32字符）<\/li> 危害有限，仅能实现弹窗<\/li> <\/ul> 3.4 任意文件上传漏洞<\/h3> 发现位置<\/strong>：<\/p> \/student\/editStudent<\/code>路由<\/li> StudentController.java<\/code>中的editStudent<\/code>方法<\/li> <\/ul> 漏洞特征<\/strong>：<\/p> 无文件类型检查<\/li> 无内容校验<\/li> 仅对文件名进行随机化处理<\/li> <\/ol> 限制<\/strong>：<\/p> 无法上传JSP木马（纯Spring MVC不解析JSP）<\/li> <\/ul> 利用方式<\/strong>：<\/p> 上传恶意HTML文件实现重定向 <script<\/span>>window.location<\/span>.href<\/span>=<\/span>"https:\/\/www.baidu.com"<\/span><\/script<\/span>> <\/span><\/span><\/code><\/pre><\/li> 需要重启项目后才能访问（静态资源编译时加载）<\/li> <\/ol> 3.5 CSRF漏洞<\/h3> 发现位置<\/strong>：<\/p> 添加学生功能(\/student\/addStudent<\/code>)<\/li> 无CSRF防护机制<\/li> <\/ul> 利用链<\/strong>：<\/p> 通过XSS或文件上传植入恶意HTML<\/li> 构造CSRF POC： <html<\/span>> <\/span><\/span> <body<\/span>> <\/span><\/span> <form<\/span> action<\/span>=<\/span>"http:\/\/target\/student\/addStudent"<\/span> method<\/span>=<\/span>"POST"<\/span>> <\/span><\/span> <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"name"<\/span> value<\/span>=<\/span>"attacker"<\/span> \/> <\/span><\/span> <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"clazzId"<\/span> value<\/span>=<\/span>"1"<\/span> \/> <\/span><\/span> <\/span> <\/span><\/span> <\/form<\/span>> <\/span><\/span> <script<\/span>>document.forms<\/span>[0<\/span>].submit<\/span>();<\/script<\/span>> <\/span><\/span> <\/body<\/span>> <\/span><\/span><\/html<\/span>> <\/span><\/span><\/code><\/pre><\/li> 教师查看学生信息时自动触发<\/li> <\/ol> 触发条件<\/strong>：<\/p> 需要用户点击查看包含恶意代码的图片\/页面<\/li> <\/ul> 影响范围<\/strong>：<\/p> 学生↔教师<\/li> 教师↔管理员<\/li> 多种操作（添加、删除等）<\/li> <\/ul> 3.6 垂直越权漏洞<\/h3> 发现位置<\/strong>：<\/p> StudentController.java<\/code>中的addStudent<\/code>方法<\/li> 请假审批功能(LeaveController.java<\/code>中的checkLeave<\/code>方法)<\/li> <\/ol> 漏洞特征<\/strong>：<\/p> 部分方法缺少身份验证<\/li> 仅依赖session存在性，不验证角色<\/li> <\/ul> 测试步骤<\/strong>：<\/p> 使用学生账号捕获教师操作请求<\/li> 修改cookie为学生session<\/li> 成功执行教师权限操作<\/li> <\/ol> 关键代码<\/strong>：<\/p> \/\/ 添加学生方法（无权限检查） <\/span><\/span><\/span><\/span>@RequestMapping<\/span>(<\/span>"\/addStudent"<\/span>)<\/span> <\/span><\/span>public<\/span> String addStudent<\/span>(<\/span>Student student)<\/span> {<\/span> <\/span><\/span> \/\/ 直接处理，不验证调用者身份 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ 获取学生列表（有权限检查） <\/span><\/span><\/span><\/span>@RequestMapping<\/span>(<\/span>"\/getStudentList"<\/span>)<\/span> <\/span><\/span>public<\/span> String getStudentList<\/span>(<\/span>HttpServletRequest request,<\/span> Model model)<\/span> {<\/span> <\/span><\/span> User user =<\/span> (<\/span>User)<\/span> request.<\/span>getSession<\/span>().<\/span>getAttribute<\/span>(<\/span>"userInfo"<\/span>);<\/span> <\/span><\/span> if<\/span>(<\/span>user.<\/span>getUserType<\/span>().<\/span>equals<\/span>(<\/span>"teacher"<\/span>)){<\/span> <\/span><\/span> \/\/ 教师逻辑 <\/span><\/span><\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> \/\/ 学生逻辑 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>注意事项<\/strong>：<\/p> 操作期间不能退出账号（session会失效）<\/li> <\/ul> 4. 漏洞修复建议<\/h2> 4.1 XSS防御<\/h3> 对所有用户输入进行HTML编码<\/li> 使用框架提供的防护机制（如Spring的<c:out><\/code>）<\/li> 设置合理的输入长度限制<\/li> <\/ol> 4.2 文件上传安全<\/h3> 实施白名单文件类型检查<\/li> 验证文件内容（如图片必须可解析）<\/li> 设置独立的文件存储域<\/li> 禁用HTML文件上传<\/li> <\/ol> 4.3 CSRF防护<\/h3> 添加CSRF Token机制<\/li> 关键操作使用POST请求<\/li> 检查Referer头<\/li> <\/ol> 4.4 权限控制<\/h3> 统一权限验证框架（如Spring Security）<\/li> 方法级权限注解（如@PreAuthorize<\/code>）<\/li> 最小权限原则<\/li> <\/ol> 4.5 会话管理<\/h3> 设置合理的会话超时<\/li> 敏感操作重新认证<\/li> 防止会话固定<\/li> <\/ol> 5. 审计经验总结<\/h2> 审计顺序建议<\/strong>：<\/p> 先查pom.xml了解技术栈<\/li> 检查安全相关配置<\/li> 从高危漏洞开始（SQL注入→XSS→越权等）<\/li> 最后检查业务逻辑漏洞<\/li> <\/ul> <\/li> MyBatis审计要点<\/strong>：<\/p> 区分#{}<\/code>和${}<\/code>使用<\/li> 检查动态SQL拼接<\/li> 关注order by等特殊场景<\/li> <\/ul> <\/li> Spring MVC审计要点<\/strong>：<\/p> 拦截器配置<\/li> 静态资源处理<\/li> 参数绑定方式<\/li> <\/ul> <\/li> 漏洞联动思维<\/strong>：<\/p> XSS+CSRF组合利用<\/li> 文件上传+XSS组合<\/li> 越权+信息泄露组合<\/li> <\/ul> <\/li> 工具辅助<\/strong>：<\/p> 使用IDE全局搜索功能<\/li> Burp Suite抓包分析<\/li> 代码静态分析工具<\/li> <\/ul> <\/li> <\/ol> 6. 扩展思考<\/h2> 如何自动化发现类似漏洞？<\/li> 业务逻辑漏洞的深度挖掘方法<\/li> 微服务架构下的安全审计差异<\/li> 前端框架(如Vue\/React)对传统Web漏洞的影响<\/li> <\/ol> 通过本案例的系统审计，可以建立起基础的Java Web应用安全审计方法论，为更复杂项目的安全评估打下坚实基础。<\/p>