Java代码审计入门：SSRF漏洞详解与实战指南<\/h1>

一、SSRF漏洞基础概念<\/h2>

1.1 什么是SSRF漏洞<\/h3>
SSRF（Server-Side Request Forgery，服务端请求伪造）是一种Web安全漏洞，攻击者能够诱使服务器端应用程序向非预期目标发起请求。该漏洞的主要危害在于可以攻击从外网无法直接访问的内网系统。<\/p>

1.2 SSRF漏洞的危害范围<\/h3>

探测内网服务<\/strong>：通过响应差异判断服务存活状态<\/li>
端口扫描<\/strong>：识别内网开放端口<\/li>
文件读取<\/strong>：利用file协议读取本地文件<\/li>
协议利用<\/strong>：配合gopher协议攻击Redis等内网服务<\/li>

内网系统攻击<\/strong>：访问和攻击内部网络中的敏感系统<\/li> <\/ul>
1.3 常见出现场景<\/h3>

社交分享功能（获取超链接标题）<\/li>
网页转码服务（移动端适配）<\/li>
在线翻译功能<\/li>
图片加载\/下载功能<\/li>
内容采集功能<\/li>
云服务存活检测<\/li>
邮件系统接收处理<\/li>
文件处理功能（FFmpeg、ImageMagick等）<\/li> <\/ol>
二、Java网络请求支持的协议<\/h2>
Java原生支持以下协议：<\/p>

http \/ https<\/li>
file（文件读取）<\/li>
ftp<\/li>
mailto<\/li>
jar<\/li>
netdoc<\/li> <\/ul>
三、SSRF漏洞代码实例分析<\/h2>
3.1 HttpClient方式漏洞示例<\/h3>
Maven依赖：<\/strong><\/p>
<dependency><\/span> <\/span><\/span> <groupId><\/span>org.apache.httpcomponents<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>httpclient<\/artifactId><\/span> <\/span><\/span> <version><\/span>4.5.12<\/version><\/span> <\/span><\/span><\/dependency><\/span> <\/span><\/span><\/code><\/pre>漏洞代码：<\/strong><\/p> @RestController<\/span> <\/span><\/span>@RequestMapping<\/span>(<\/span>"\/ssrfvul"<\/span>)<\/span> <\/span><\/span>public<\/span> class<\/span> HttpClientController<\/span> {<\/span> <\/span><\/span> <\/span><\/span> @GetMapping<\/span>(<\/span>"\/httpclient\/vul"<\/span>)<\/span> <\/span><\/span> public<\/span> String HttpClientDemo<\/span>(<\/span>@RequestParam<\/span> String url)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> StringBuilder result =<\/span> new<\/span> StringBuilder();<\/span> <\/span><\/span> CloseableHttpClient client =<\/span> HttpClients.<\/span>createDefault<\/span>();<\/span> <\/span><\/span> HttpGet httpGet =<\/span> new<\/span> HttpGet(<\/span>url);<\/span> \/\/ 直接使用用户输入 <\/span><\/span><\/span><\/span> HttpResponse httpResponse =<\/span> client.<\/span>execute<\/span>(<\/span>httpGet);<\/span> <\/span><\/span> \/\/ ... 处理响应 <\/span><\/span><\/span><\/span> return<\/span> result.<\/span>toString<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>攻击向量：<\/strong><\/p> http:\/\/127.0.0.1:8088\/ssrfvul\/httpclient\/vul?url=http:\/\/www.baidu.com http:\/\/127.0.0.1:8088\/ssrfvul\/httpclient\/vul?url=file:\/\/\/c:\/windows\/win.ini <\/code><\/pre> 3.2 HttpURLConnection方式漏洞示例<\/h3> 漏洞代码：<\/strong><\/p> @RestController<\/span> <\/span><\/span>@RequestMapping<\/span>(<\/span>"\/ssrfvul"<\/span>)<\/span> <\/span><\/span>public<\/span> class<\/span> UrlConnectionController<\/span> {<\/span> <\/span><\/span> <\/span><\/span> @GetMapping<\/span>(<\/span>"\/urlconnection\/vul"<\/span>)<\/span> <\/span><\/span> public<\/span> String UrlConnectionDemo<\/span>(<\/span>@RequestParam<\/span> String url)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> StringBuilder result =<\/span> new<\/span> StringBuilder();<\/span> <\/span><\/span> URL url1 =<\/span> new<\/span> URL(<\/span>url);<\/span> \/\/ 直接使用用户输入 <\/span><\/span><\/span><\/span> URLConnection urlConn =<\/span> url1.<\/span>openConnection<\/span>();<\/span> <\/span><\/span> urlConn.<\/span>connect<\/span>();<\/span> <\/span><\/span> \/\/ ... 处理响应 <\/span><\/span><\/span><\/span> return<\/span> result.<\/span>toString<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>四、实战漏洞案例分析<\/h2> 4.1 环境搭建与漏洞定位<\/h3> 搭建目标系统环境（数据库+Maven配置）<\/li> 全局搜索关键函数：openConnection<\/code><\/li> 定位漏洞触发点：ueditorCatchImage<\/code>方法<\/li> <\/ul> 4.2 漏洞代码分析<\/h3> protected<\/span> void<\/span> ueditorCatchImage<\/span>(<\/span>Site site,<\/span> HttpServletRequest request,<\/span> <\/span><\/span> HttpServletResponse response)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> String[]<\/span> source =<\/span> request.<\/span>getParameterValues<\/span>(<\/span>"source[]"<\/span>);<\/span> \/\/ 用户可控输入 <\/span><\/span><\/span><\/span> for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> source.<\/span>length<\/span>;<\/span> i++)<\/span> {<\/span> <\/span><\/span> String src =<\/span> source[<\/span>i];<\/span> <\/span><\/span> \/\/ 格式验证（仅检查扩展名，存在绕过可能） <\/span><\/span><\/span><\/span> String extension =<\/span> FilenameUtils.<\/span>getExtension<\/span>(<\/span>src);<\/span> <\/span><\/span> if<\/span> (!<\/span>gu.<\/span>isExtensionValid<\/span>(<\/span>extension,<\/span> Uploader.<\/span>IMAGE<\/span>))<\/span> {<\/span> <\/span><\/span> continue<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ 设置不跟随重定向（但存在其他绕过方式） <\/span><\/span><\/span><\/span> HttpURLConnection.<\/span>setFollowRedirects<\/span>(<\/span>false<\/span>);<\/span> <\/span><\/span> \/\/ 漏洞触发点 <\/span><\/span><\/span><\/span> HttpURLConnection conn =<\/span> (<\/span>HttpURLConnection)<\/span> new<\/span> URL(<\/span>src).<\/span>openConnection<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>4.3 漏洞利用方式<\/h3> 触发URL：<\/strong><\/p> http:\/\/127.0.0.1:8080\/cmscp\/core\/ueditor.do?action=catchimage&source[]=http:\/\/www.baidu.com\/ <\/code><\/pre> 内网探测：<\/strong><\/p> 开放端口（3306）：正常响应<\/li> 关闭端口（3307）：异常响应（500错误）<\/li> <\/ul> 五、高级利用技巧<\/h2> 5.1 Gopher协议利用<\/h3> 配合Redis进行RCE攻击：<\/p> curl -v 'http:\/\/target\/xx.php?url=gopher:\/\/172.21.0.2:6379\/_*1%250d%250a%248%250d%250aflushall%250d%250a...'<\/span> <\/span><\/span><\/code><\/pre>攻击流程：<\/strong><\/p> 通过SSRF访问内网Redis服务<\/li> 发送特定格式的Redis命令<\/li> 实现命令执行和权限获取<\/li> <\/ol> 5.2 文件读取利用<\/h3> 读取系统配置文件：file:\/\/\/c:\/windows\/win.ini<\/code><\/li> 读取应用配置文件（如向日葵配置）<\/li> 结合信息泄露进一步渗透<\/li> <\/ul> 六、SSRF漏洞修复方案<\/h2> 6.1 白名单域名校验（推荐）<\/h3> public<\/span> static<\/span> boolean<\/span> checkSSRFByWhitehosts<\/span>(<\/span>String url)<\/span> {<\/span> <\/span><\/span> return<\/span> SSRFChecker.<\/span>checkURLFckSSRF<\/span>(<\/span>url);<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>public<\/span> static<\/span> boolean<\/span> isHttp<\/span>(<\/span>String url)<\/span> {<\/span> <\/span><\/span> return<\/span> url.<\/span>startsWith<\/span>(<\/span>"http:\/\/"<\/span>)<\/span> ||<\/span> url.<\/span>startsWith<\/span>(<\/span>"https:\/\/"<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>public<\/span> static<\/span> String gethost<\/span>(<\/span>String url)<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> URI uri =<\/span> new<\/span> URI(<\/span>url);<\/span> <\/span><\/span> return<\/span> uri.<\/span>getHost<\/span>().<\/span>toLowerCase<\/span>();<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>URISyntaxException e)<\/span> {<\/span> <\/span><\/span> return<\/span> ""<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>6.2 内网IP检测<\/h3> public<\/span> static<\/span> boolean<\/span> isIntranet<\/span>(<\/span>String url)<\/span> {<\/span> <\/span><\/span> Pattern reg =<\/span> Pattern.<\/span>compile<\/span>(<\/span>"^(127\\.0\\.0\\.1)|(localhost)|(10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})|(172\\.((1[6-9])|(2\\d)|(3[01]))\\.\\d{1,3}\\.\\d{1,3})|(192\\.168\\.\\d{1,3}\\.\\d{1,3})$"<\/span>);<\/span> <\/span><\/span> Matcher match =<\/span> reg.<\/span>matcher<\/span>(<\/span>url);<\/span> <\/span><\/span> return<\/span> match.<\/span>find<\/span>();<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>6.3 完整安全校验方案<\/h3> public<\/span> static<\/span> String checkURL<\/span>(<\/span>String url)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>null<\/span> ==<\/span> url)<\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> <\/span><\/span> ArrayList<<\/span>String><\/span> safeDomains =<\/span> WebConfig.<\/span>getSafeDomains<\/span>();<\/span> <\/span><\/span> ArrayList<<\/span>String><\/span> blockDomains =<\/span> WebConfig.<\/span>getBlockDomains<\/span>();<\/span> <\/span><\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> String host =<\/span> gethost(<\/span>url);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 协议校验 <\/span><\/span><\/span><\/span> if<\/span> (!<\/span>isHttp(<\/span>url))<\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> <\/span><\/span> \/\/ 黑名单检测 <\/span><\/span><\/span><\/span> if<\/span> (<\/span>blockDomains.<\/span>contains<\/span>(<\/span>host))<\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> for<\/span>(<\/span>String blockDomain:<\/span> blockDomains)<\/span> {<\/span> <\/span><\/span> if<\/span>(<\/span>host.<\/span>endsWith<\/span>(<\/span>"."<\/span> +<\/span> blockDomain))<\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> \/\/ 白名单检测（支持多级域名） <\/span><\/span><\/span><\/span> if<\/span> (<\/span>safeDomains.<\/span>contains<\/span>(<\/span>host))<\/span> return<\/span> url;<\/span> <\/span><\/span> for<\/span>(<\/span>String safedomain:<\/span> safeDomains)<\/span> {<\/span> <\/span><\/span> if<\/span>(<\/span>host.<\/span>endsWith<\/span>(<\/span>"."<\/span> +<\/span> safedomain))<\/span> return<\/span> url;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>NullPointerException e)<\/span> {<\/span> <\/span><\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>6.4 其他防护措施<\/h3> 禁用重定向<\/strong>：<\/li> <\/ol> HttpURLConnection conn =<\/span> (<\/span>HttpURLConnection)<\/span> u.<\/span>openConnection<\/span>();<\/span> <\/span><\/span>conn.<\/span>setInstanceFollowRedirects<\/span>(<\/span>false<\/span>);<\/span> <\/span><\/span><\/code><\/pre> Socket Hook监控<\/strong>：<\/li> <\/ol> \/\/ 开启监控 <\/span><\/span><\/span><\/span>SecurityUtil.<\/span>startSSRFHook<\/span>();<\/span> <\/span><\/span>\/\/ 业务逻辑 <\/span><\/span><\/span>\/\/ 关闭监控 <\/span><\/span><\/span><\/span>SecurityUtil.<\/span>stopSSRFHook<\/span>();<\/span> <\/span><\/span><\/code><\/pre> 输入过滤<\/strong>：<\/li> <\/ol> public<\/span> static<\/span> String replaceSpecialStr<\/span>(<\/span>String str)<\/span> {<\/span> <\/span><\/span> StringBuilder sb =<\/span> new<\/span> StringBuilder();<\/span> <\/span><\/span> str =<\/span> str.<\/span>toLowerCase<\/span>();<\/span> <\/span><\/span> for<\/span>(<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> str.<\/span>length<\/span>();<\/span> i++)<\/span> {<\/span> <\/span><\/span> char<\/span> ch =<\/span> str.<\/span>charAt<\/span>(<\/span>i);<\/span> <\/span><\/span> if<\/span> ((<\/span>ch >=<\/span> 48<\/span> &&<\/span> ch <=<\/span> 57<\/span>)<\/span> ||<\/span> \/\/ 数字 <\/span><\/span><\/span><\/span> (<\/span>ch >=<\/span> 97<\/span> &&<\/span> ch <=<\/span> 122<\/span>)<\/span> ||<\/span> \/\/ 字母 <\/span><\/span><\/span><\/span> ch ==<\/span> '\/'<\/span> ||<\/span> ch ==<\/span> '.'<\/span> ||<\/span> ch ==<\/span> '-'<\/span>)<\/span> {<\/span> <\/span><\/span> sb.<\/span>append<\/span>(<\/span>ch);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> sb.<\/span>toString<\/span>();<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>七、代码审计要点总结<\/h2> 7.1 关键函数识别<\/h3> URL.openConnection()<\/code><\/li> HttpClient.execute()<\/code><\/li> Request.Get().execute()<\/code><\/li> 其他HTTP客户端库的请求方法<\/li> <\/ul> 7.2 参数追踪<\/h3> 关注用户可控的URL参数<\/li> 检查参数是否经过严格校验<\/li> 验证重定向处理逻辑<\/li> <\/ul> 7.3 测试验证<\/h3> 尝试不同协议（http、file、gopher等）<\/li> 测试内网地址访问<\/li> 验证防护措施的有效性<\/li> <\/ul> 通过以上详细的代码审计指南，安全人员可以系统性地识别、验证和修复Java应用中的SSRF漏洞，有效提升应用程序的安全性。<\/p>

Java代码审计入门：SSRF漏洞详解与实战指南<\/h1>

一、SSRF漏洞基础概念<\/h2>

1.1 什么是SSRF漏洞<\/h3> SSRF（Server-Side Request Forgery，服务端请求伪造）是一种Web安全漏洞，攻击者能够诱使服务器端应用程序向非预期目标发起请求。该漏洞的主要危害在于可以攻击从外网无法直接访问的内网系统。<\/p>

三、SSRF漏洞代码实例分析<\/h2>

四、实战漏洞案例分析<\/h2>

五、高级利用技巧<\/h2>

六、SSRF漏洞修复方案<\/h2>

七、代码审计要点总结<\/h2>

1.1 什么是SSRF漏洞<\/h3>
SSRF（Server-Side Request Forgery，服务端请求伪造）是一种Web安全漏洞，攻击者能够诱使服务器端应用程序向非预期目标发起请求。该漏洞的主要危害在于可以攻击从外网无法直接访问的内网系统。<\/p>