Go语言代码审计之HRMS未授权漏洞分析<\/h1>

漏洞概述<\/h2>
HRMS系统存在未授权获取用户信息漏洞，该漏洞是由于系统在数据库查询时权限验证存在缺陷，攻击者通过构造特定的cookies可以绕过权限验证，导致未经授权访问敏感信息。<\/p>

漏洞影响范围<\/h2>

所有使用HrmsDB<\/code>方法进行数据库查询的功能模块均受影响，包括但不限于：<\/p>


账号密码查询<\/li>
薪资查询<\/li>
员工信息查询<\/li>
部门信息查询<\/li>
<\/ul>
漏洞详细分析<\/h2>
1. 漏洞路由定位<\/h3>
漏洞存在于密码管理相关的查询路由：<\/p>
passwordGroup<\/span>.GET<\/span>("\/query\/:staff_id"<\/span>, handler<\/span>.PasswordQuery<\/span>)
<\/span><\/span><\/code><\/pre>2. 核心漏洞函数分析<\/h3>
PasswordQuery函数<\/h4>
func<\/span> PasswordQuery<\/span>(c<\/span> *<\/span>gin<\/span>.Context<\/span>) {
<\/span><\/span>    var<\/span> total<\/span> int64<\/span> = 1<\/span>
<\/span><\/span>    \/\/ 分页处理
<\/span><\/span><\/span><\/span>    start<\/span>, limit<\/span> :=<\/span> service<\/span>.AcceptPage<\/span>(c<\/span>)
<\/span><\/span>    code<\/span> :=<\/span> 2000<\/span>
<\/span><\/span>    staffId<\/span> :=<\/span> c<\/span>.Param<\/span>("staff_id"<\/span>)
<\/span><\/span>    var<\/span> psws<\/span> []model<\/span>.PasswordQueryVO<\/span>
<\/span><\/span>    
<\/span><\/span>    result<\/span>, err<\/span> :=<\/span> buildPasswordQueryResult<\/span>(c<\/span>, staffId<\/span>, start<\/span>, limit<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        c<\/span>.JSON<\/span>(http<\/span>.StatusInternalServerError<\/span>, gin<\/span>.H<\/span>{
<\/span><\/span>            "status"<\/span>: 5000<\/span>,
<\/span><\/span>            "total"<\/span>:  0<\/span>,
<\/span><\/span>            "msg"<\/span>:    err<\/span>,
<\/span><\/span>        })
<\/span><\/span>        return<\/span>
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 总记录数
<\/span><\/span><\/span><\/span>    resource<\/span>.HrmsDB<\/span>(c<\/span>).Where<\/span>("staff_id != 'root' and staff_id != 'admin'"<\/span>).Model<\/span>(&<\/span>model<\/span>.Staff<\/span>{}).Count<\/span>(&<\/span>total<\/span>)
<\/span><\/span>    psws<\/span> = result<\/span>
<\/span><\/span>    
<\/span><\/span>    c<\/span>.JSON<\/span>(http<\/span>.StatusOK<\/span>, gin<\/span>.H<\/span>{
<\/span><\/span>        "status"<\/span>: code<\/span>,
<\/span><\/span>        "total"<\/span>:  total<\/span>,
<\/span><\/span>        "msg"<\/span>:    psws<\/span>,
<\/span><\/span>    })
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>buildPasswordQueryResult函数<\/h4>
该方法是一个数据库查询方法，当staffId<\/code>为"all"时，会通过用户验证后获取非管理员用户的账号及密码信息。<\/p>
关键漏洞点 - HrmsDB函数<\/h4>
func<\/span> HrmsDB<\/span>(c<\/span> *<\/span>gin<\/span>.Context<\/span>) *<\/span>gorm<\/span>.DB<\/span> {
<\/span><\/span>    cookie<\/span>, err<\/span> :=<\/span> c<\/span>.Cookie<\/span>("user_cookie"<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> ||<\/span> cookie<\/span> ==<\/span> ""<\/span> {
<\/span><\/span>        c<\/span>.HTML<\/span>(http<\/span>.StatusOK<\/span>, "login.html"<\/span>, nil<\/span>)
<\/span><\/span>        return<\/span> nil<\/span>
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    branchId<\/span> :=<\/span> strings<\/span>.Split<\/span>(cookie<\/span>, "_"<\/span>)[2<\/span>]
<\/span><\/span>    dbName<\/span> :=<\/span> fmt<\/span>.Sprintf<\/span>("hrms_%v"<\/span>, branchId<\/span>)
<\/span><\/span>    
<\/span><\/span>    if<\/span> db<\/span>, ok<\/span> :=<\/span> DbMapper<\/span>[dbName<\/span>]; ok<\/span> {
<\/span><\/span>        return<\/span> db<\/span>
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    c<\/span>.HTML<\/span>(http<\/span>.StatusOK<\/span>, "login.html"<\/span>, nil<\/span>)
<\/span><\/span>    return<\/span> nil<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 漏洞成因<\/h3>

权限验证缺失<\/strong>：HrmsDB<\/code>函数仅验证了cookie中的数据库信息，没有进行用户身份验证<\/li>
构造简单<\/strong>：攻击者只需构造一个由"_"分隔且第三个部分为数据库名称的user_cookie<\/code>即可绕过验证<\/li>
影响广泛<\/strong>：所有使用HrmsDB<\/code>方法进行数据库查询的功能都受影响<\/li>
<\/ol>
漏洞验证方法<\/h2>
攻击步骤<\/h3>


构造特定的cookie格式：a_b_C001<\/code>或a_b_C002<\/code>等<\/p>

其中第三个部分(C001<\/code>\/C002<\/code>)为目标数据库名称<\/li>
<\/ul>
<\/li>

访问以下接口获取敏感信息：<\/p>

账号密码查询<\/li>
薪资查询<\/li>
员工信息查询<\/li>
部门信息查询<\/li>
<\/ul>
<\/li>
<\/ol>
示例攻击请求<\/h3>
GET<\/span> \/password\/query\/all HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> target.com<\/span>
<\/span><\/span>Cookie:<\/span> user_cookie=a_b_C001<\/span>
<\/span><\/span><\/code><\/pre>修复建议<\/h2>


完善身份验证<\/strong>：<\/p>
func<\/span> HrmsDB<\/span>(c<\/span> *<\/span>gin<\/span>.Context<\/span>) *<\/span>gorm<\/span>.DB<\/span> {
<\/span><\/span>    \/\/ 验证用户是否登录
<\/span><\/span><\/span><\/span>    if<\/span> !checkUserLogin<\/span>(c<\/span>) {
<\/span><\/span>        c<\/span>.HTML<\/span>(http<\/span>.StatusOK<\/span>, "login.html"<\/span>, nil<\/span>)
<\/span><\/span>        return<\/span> nil<\/span>
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    cookie<\/span>, err<\/span> :=<\/span> c<\/span>.Cookie<\/span>("user_cookie"<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> ||<\/span> cookie<\/span> ==<\/span> ""<\/span> {
<\/span><\/span>        c<\/span>.HTML<\/span>(http<\/span>.StatusOK<\/span>, "login.html"<\/span>, nil<\/span>)
<\/span><\/span>        return<\/span> nil<\/span>
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    \/\/ 验证cookie有效性
<\/span><\/span><\/span><\/span>    if<\/span> !validateCookie<\/span>(cookie<\/span>) {
<\/span><\/span>        c<\/span>.HTML<\/span>(http<\/span>.StatusOK<\/span>, "login.html"<\/span>, nil<\/span>)
<\/span><\/span>        return<\/span> nil<\/span>
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    branchId<\/span> :=<\/span> strings<\/span>.Split<\/span>(cookie<\/span>, "_"<\/span>)[2<\/span>]
<\/span><\/span>    dbName<\/span> :=<\/span> fmt<\/span>.Sprintf<\/span>("hrms_%v"<\/span>, branchId<\/span>)
<\/span><\/span>
<\/span><\/span>    if<\/span> db<\/span>, ok<\/span> :=<\/span> DbMapper<\/span>[dbName<\/span>]; ok<\/span> {
<\/span><\/span>        return<\/span> db<\/span>
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    c<\/span>.HTML<\/span>(http<\/span>.StatusOK<\/span>, "login.html"<\/span>, nil<\/span>)
<\/span><\/span>    return<\/span> nil<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

增加权限检查<\/strong>：在每个敏感操作前验证用户权限<\/p>
<\/li>

使用安全的会话管理<\/strong>：<\/p>

使用加密的会话令牌<\/li>
实现CSRF防护<\/li>
设置合理的会话过期时间<\/li>
<\/ul>
<\/li>

最小权限原则<\/strong>：确保数据库用户仅具有必要的最小权限<\/p>
<\/li>
<\/ol>
总结<\/h2>
该漏洞展示了在Go Web应用中由于权限验证不完善可能导致的安全风险。开发人员应当：<\/p>

对所有敏感操作实施严格的权限验证<\/li>
避免仅依赖简单的字符串解析进行身份验证<\/li>
遵循最小权限原则设计系统权限模型<\/li>
对用户输入进行严格验证<\/li>
<\/ol>

Go语言代码审计之HRMS未授权漏洞分析<\/h1>

漏洞概述<\/h2> HRMS系统存在未授权获取用户信息漏洞，该漏洞是由于系统在数据库查询时权限验证存在缺陷，攻击者通过构造特定的cookies可以绕过权限验证，导致未经授权访问敏感信息。<\/p>

漏洞详细分析<\/h2>

2. 核心漏洞函数分析<\/h3>

buildPasswordQueryResult函数<\/h4> 该方法是一个数据库查询方法，当staffId<\/code>为"all"时，会通过用户验证后获取非管理员用户的账号及密码信息。<\/p>

漏洞验证方法<\/h2>

漏洞概述<\/h2>
HRMS系统存在未授权获取用户信息漏洞，该漏洞是由于系统在数据库查询时权限验证存在缺陷，攻击者通过构造特定的cookies可以绕过权限验证，导致未经授权访问敏感信息。<\/p>

buildPasswordQueryResult函数<\/h4>
该方法是一个数据库查询方法，当`staffId<\/code>为"all"时，会通过用户验证后获取非管理员用户的账号及密码信息。<\/p>`