基于CodeQL的Litemall漏洞挖掘教学文档<\/h1>

1. 项目介绍<\/h2>

目标项目<\/strong>: litemall
项目地址<\/strong>: https:\/\/github.com\/linlinjava\/litemall
项目特点<\/strong>:<\/p>

19.8k star的开源小商场系统<\/li>
技术栈:

后端: Spring Boot<\/li>
前端:

管理员端: Vue<\/li>
用户端: 微信小程序 + Vue移动端<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ul>
2. CodeQL基础准备<\/h2>
2.1 建立CodeQL数据库<\/h3>
codeql database create litemall-db --language=<\/span>java --command=<\/span>"mvn clean install"<\/span> --source-root=<\/span>\/path\/to\/litemall <\/span><\/span><\/code><\/pre>2.2 使用CodeQL自带模板扫描<\/h3> codeql database analyze litemall-db codeql\/java\/ql\/src\/codeql-suites\/java-security-and-quality.qls --format=<\/span>csv --output=<\/span>results.csv <\/span><\/span><\/code><\/pre>3. 漏洞挖掘实战<\/h2> 3.1 硬编码JWT Secret漏洞<\/h3> 漏洞位置<\/strong>: JWT密钥硬编码 CWE分类<\/strong>: CWE-798 (硬编码凭证) 风险等级<\/strong>: 高危<\/p> 代码分析<\/strong>:<\/p> SECRET =<\/span> "X-Litemall-Token"<\/span> <\/span><\/span><\/code><\/pre>问题描述<\/strong>:<\/p> JWT密钥直接硬编码在源代码中<\/li> 未通过配置文件注入<\/li> 未在初始化时进行随机生成<\/li> <\/ul> 修复建议<\/strong>:<\/p> 将密钥移至配置文件中<\/li> 使用环境变量注入<\/li> 或使用密钥管理系统<\/li> <\/ol> 3.2 任意文件删除漏洞<\/h3> 漏洞位置<\/strong>: 文件删除功能未做过滤风险等级<\/strong>: 高危<\/p> 调用链分析<\/strong>:<\/p> AdminStorageController.java<\/code> 暴露路由<\/li> 调用 StorageService.java<\/code> 的服务方法<\/li> 最终执行文件删除操作<\/li> <\/ol> 关键代码<\/strong>:<\/p> \/\/ 删除方法无过滤 <\/span><\/span><\/span><\/span>public<\/span> void<\/span> delete<\/span>(<\/span>String keyName)<\/span> {<\/span> <\/span><\/span> storage.<\/span>delete<\/span>(<\/span>keyName);<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ 控制器暴露接口 <\/span><\/span><\/span><\/span>@PostMapping<\/span>(<\/span>"\/delete"<\/span>)<\/span> <\/span><\/span>public<\/span> Object delete<\/span>(<\/span>@RequestBody<\/span> String body)<\/span> {<\/span> <\/span><\/span> \/\/ 直接传递文件名，无过滤 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>利用方式<\/strong>: 构造恶意请求，通过文件名参数删除系统任意文件<\/p> 修复建议<\/strong>:<\/p> 对文件名进行严格校验<\/li> 限制可删除的文件路径范围<\/li> 添加权限验证<\/li> <\/ol> 3.3 文件上传漏洞<\/h3> 漏洞位置<\/strong>: WxStorageController.java<\/code> 和 AdminStorageController.java<\/code> 风险等级<\/strong>: 高危<\/p> 代码分析<\/strong>:<\/p> \/\/ 文件上传端点 <\/span><\/span><\/span><\/span>@PostMapping<\/span>(<\/span>"\/upload"<\/span>)<\/span> <\/span><\/span>public<\/span> Object upload<\/span>(<\/span>@RequestParam<\/span>(<\/span>"file"<\/span>)<\/span> MultipartFile file)<\/span> {<\/span> <\/span><\/span> String url =<\/span> storageService.<\/span>store<\/span>(<\/span>file.<\/span>getInputStream<\/span>(),<\/span> file.<\/span>getSize<\/span>(),<\/span> file.<\/span>getContentType<\/span>(),<\/span> file.<\/span>getOriginalFilename<\/span>());<\/span> <\/span><\/span> return<\/span> ResponseUtil.<\/span>ok<\/span>(<\/span>url);<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ 存储服务方法 <\/span><\/span><\/span><\/span>public<\/span> String store<\/span>(<\/span>InputStream inputStream,<\/span> long<\/span> contentLength,<\/span> String contentType,<\/span> String fileName)<\/span> {<\/span> <\/span><\/span> \/\/ 无文件扩展名校验 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>漏洞利用<\/strong>:<\/p> 可上传任意文件类型(如HTML、PDF)<\/li> 可能导致存储型XSS或服务端漏洞<\/li> <\/ul> 修复建议<\/strong>:<\/p> 严格校验文件扩展名和MIME类型<\/li> 使用白名单机制限制可上传文件类型<\/li> 对上传文件重命名<\/li> 设置文件内容扫描<\/li> <\/ol> 3.4 SQL注入漏洞<\/h3> 漏洞位置<\/strong>: OrderMapper.xml<\/code> 和 LitemallOrderService.java<\/code> CVE编号<\/strong>: CVE-2024-24323 风险等级<\/strong>: 严重<\/p> 代码分析<\/strong>:<\/p> <\/span> <\/span><\/span><select<\/span> id=<\/span>"getOrderIds"<\/span> resultType=<\/span>"java.lang.Integer"<\/span>><\/span> <\/span><\/span> SELECT id FROM litemall_order <\/span><\/span> WHERE user_id = #{userId} <\/span><\/span> <if<\/span> test=<\/span>"query != null and query != ''"<\/span>><\/span> <\/span><\/span> AND order_sn LIKE CONCAT('%', #{query}, '%') <\/span><\/span> OR user_id LIKE CONCAT('%', #{query}, '%') <\/span><\/span> <\/if><\/span> <\/span><\/span><\/select><\/span> <\/span><\/span><\/code><\/pre>问题点<\/strong>:<\/p> 使用字符串拼接而非参数化查询<\/li> 查询条件直接拼接SQL语句<\/li> <\/ol> 调用链<\/strong>:<\/p> AdminOrderController.java<\/code> 接收用户输入<\/li> 调用 AdminOrderService.java<\/code> 的服务方法<\/li> 最终执行拼接的SQL查询<\/li> <\/ol> 修复建议<\/strong>:<\/p> 使用MyBatis的参数化查询(#{}替代${})<\/li> 对用户输入进行严格过滤<\/li> 使用ORM框架的安全查询方法<\/li> <\/ol> 4. CodeQL自定义规则开发<\/h2> 4.1 文件上传漏洞检测规则<\/h3> import java from MethodAccess ma, Method m, Parameter p where m.getName() = "store" and m.getDeclaringType().getName() = "StorageService" and ma.getMethod() = m and p.getCallable() = ma.getEnclosingCallable() and p.getType().getName() = "String" and p.getName() = "fileName" select ma, "Potential file upload vulnerability without proper file extension validation" <\/code><\/pre> 4.2 SQL注入检测规则<\/h3> import java import semmle.code.java.frameworks.MyBatis from MyBatisMapperMethod mapperMethod, Expr arg where mapperMethod.usesStringConcatenation() and arg = mapperMethod.getConcatenatedArgument() and not arg.isConstant() select mapperMethod, "Potential SQL injection in MyBatis mapper due to string concatenation" <\/code><\/pre> 5. 漏洞挖掘方法论<\/h2> 优先扫描已知漏洞模式<\/strong>:<\/p> 硬编码凭证<\/li> 文件操作未过滤<\/li> SQL注入<\/li> 文件上传漏洞<\/li> <\/ul> <\/li> 关注关键组件<\/strong>:<\/p> 认证授权相关代码<\/li> 文件操作服务<\/li> 数据库访问层<\/li> 用户输入处理点<\/li> <\/ul> <\/li> 调用链分析<\/strong>:<\/p> 从Controller入口开始<\/li> 跟踪Service层处理<\/li> 最终到达底层操作<\/li> <\/ul> <\/li> 自定义规则开发<\/strong>:<\/p> 针对项目特有架构<\/li> 补充标准规则集的不足<\/li> 聚焦业务逻辑漏洞<\/li> <\/ul> <\/li> <\/ol> 6. 经验总结<\/h2> 竞争问题<\/strong>:<\/p> 发现漏洞后应及时提交<\/li> 热门项目漏洞容易被抢先报告<\/li> <\/ul> <\/li> 重复漏洞<\/strong>:<\/p> 扫描前检查已知漏洞列表<\/li> 避免重复劳动<\/li> <\/ul> <\/li> 审计效率<\/strong>:<\/p> 大型Java项目适合使用CodeQL<\/li> 人工审计与工具扫描结合<\/li> <\/ul> <\/li> 报告撰写<\/strong>:<\/p> 清晰描述漏洞位置<\/li> 提供完整调用链<\/li> 包含验证POC<\/li> 给出修复建议<\/li> <\/ul> <\/li> <\/ol> 7. 参考资料<\/h2> CodeQL官方文档<\/li> OWASP Top 10漏洞类型<\/li> CWE漏洞分类<\/li> MyBatis安全编程指南<\/li> Spring Boot安全最佳实践<\/li> <\/ol>