Java代码审计实战教学：租车系统漏洞分析与挖掘<\/h1>

1. 系统概述<\/h2>

1.1 系统简介<\/h3>

基于租车业务场景的O2O服务平台<\/li>
功能包括：商务租车、接送机、旅游租车、企业租车、自驾租车、婚庆用车等<\/li>

后台管理模块：车辆库管理、门店管理、员工管理、司机管理、订单管理、活动管理、评价管理、财务管理、统计等<\/li> <\/ul>

1.2 技术栈<\/h3>

未使用Struts2或Spring框架的传统JAVA WEB项目<\/li>
数据库：MySQL<\/li>

部署环境：Tomcat 8.5<\/li> <\/ul>

2. 代码审计方法论<\/h2>

2.1 审计流程<\/h3>

功能点梳理<\/strong>：先浏览系统功能，不直接看代码<\/li>
潜在漏洞预测<\/strong>：根据功能点推测可能存在的漏洞类型<\/li>
代码回溯<\/strong>：通过功能点定位到具体代码实现<\/li>

漏洞验证<\/strong>：通过测试验证推测的漏洞<\/li> <\/ol>
2.2 常用审计技巧<\/h3>

使用全局搜索功能快速定位代码（如Eclipse的Search功能）<\/li>
关注用户输入点和数据处理流程<\/li>
重点检查敏感操作（如订单处理、支付逻辑等）<\/li> <\/ul>
3. 漏洞挖掘实战<\/h2>
3.1 用户注册功能审计<\/h3>
3.1.1 短信验证码功能<\/h4>

功能点<\/strong>：获取手机动态码<\/li>
潜在风险<\/strong>：短信炸弹漏洞<\/li>
审计发现<\/strong>：缺少频率限制和验证机制<\/li> <\/ul>
3.1.2 密码重置功能<\/h4>

审计发现<\/strong>：功能被阉割，无法测试<\/li> <\/ul>
3.2 用户资料修改功能<\/h3>
3.2.1 存储型XSS漏洞<\/h4>

漏洞位置<\/strong>：基本资料修改、收货地址修改<\/li>
测试方法<\/strong>：
\/\/ 测试payload <\/span><\/span><\/span><\/span>woaini"<\/span><><\/span> <\/span><\/span><\/code><\/pre><\/li> 漏洞确认<\/strong>：输入未经任何过滤直接存储和显示<\/li> 攻击场景<\/strong>：管理员查看用户信息时触发XSS<\/li> <\/ul> 3.2.2 SQL注入审计<\/h4> 代码分析<\/strong>： public<\/span> Integer addAddress<\/span>(<\/span>Integer userId,<\/span> String name,<\/span> String tel,<\/span> String address)<\/span> {<\/span> <\/span><\/span> Object args[]<\/span> =<\/span> {<\/span> name,<\/span> tel,<\/span> address,<\/span> userId };<\/span> <\/span><\/span> String sql =<\/span> "insert into user_address (user_address_name,user_address_tel,user_address_content,user_address_user) values(?,?,?,?)"<\/span>;<\/span> <\/span><\/span> Serializable flag =<\/span> jdbc.<\/span>insertBackId<\/span>(<\/span>sql,<\/span> args);<\/span> \/\/ 采用预编译 <\/span><\/span><\/span><\/span> jdbc.<\/span>close<\/span>();<\/span> <\/span><\/span> return<\/span> Integer.<\/span>valueOf<\/span>(<\/span>flag.<\/span>hashCode<\/span>());<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 审计结论<\/strong>：使用预编译语句，不存在SQL注入漏洞<\/li> <\/ul> 3.3 订单功能审计<\/h3> 3.3.1 价格参数篡改漏洞<\/h4> 漏洞位置<\/strong>：订单提交功能<\/li> 关键代码<\/strong>： public<\/span> void<\/span> addGoodsOrder<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response)<\/span> throws<\/span> ServletException,<\/span>IOException {<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> String price=<\/span>request.<\/span>getParameter<\/span>(<\/span>"price"<\/span>);<\/span> \/\/ 直接获取未校验 <\/span><\/span><\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> order_id=<\/span>ss.<\/span>addGoodsOrder<\/span>(...,<\/span> price,<\/span> ...);<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 漏洞利用方式<\/strong>：抓包直接修改price参数<\/li> 修改页面表单中的hidden字段value值<\/li> <\/ol> <\/li> 风险<\/strong>：可任意修改订单价格<\/li> <\/ul> 3.3.2 订单越权访问审计<\/h4> 代码分析<\/strong>： \/\/ 订单取消功能 <\/span><\/span><\/span><\/span>if<\/span>(<\/span>输入的订单与用户自身订单匹配<\/span>)<\/span> {<\/span> <\/span><\/span> \/\/ 执行取消操作 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 审计结论<\/strong>：有用户归属校验，不存在越权漏洞<\/li> <\/ul> 3.3.3 积分支付逻辑审计<\/h4> 潜在风险<\/strong>：负积分导致积分反增不减<\/li> 审计发现<\/strong>：积分从session获取，未发现明显漏洞<\/li> <\/ul> 4. 审计总结与防御建议<\/h2> 4.1 发现漏洞汇总<\/h3> 存储型XSS漏洞（用户资料修改处）<\/li> 价格参数篡改漏洞（订单提交处）<\/li> 短信炸弹漏洞（验证码获取处）<\/li> <\/ol> 4.2 修复建议<\/h3> 4.2.1 XSS防御<\/h4> \/\/ 对所有用户输入进行HTML编码 <\/span><\/span><\/span><\/span>import<\/span> org.apache.commons.lang3.StringEscapeUtils;<\/span> <\/span><\/span>String safeInput =<\/span> StringEscapeUtils.<\/span>escapeHtml4<\/span>(<\/span>userInput);<\/span> <\/span><\/span><\/code><\/pre>4.2.2 价格参数校验<\/h4> \/\/ 添加价格校验逻辑 <\/span><\/span><\/span><\/span>try<\/span> {<\/span> <\/span><\/span> double<\/span> priceValue =<\/span> Double.<\/span>parseDouble<\/span>(<\/span>price);<\/span> <\/span><\/span> if<\/span>(<\/span>priceValue <=<\/span> 0<\/span> ||<\/span> priceValue ><\/span> MAX_ALLOWED_PRICE)<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> IllegalArgumentException(<\/span>"Invalid price"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> catch<\/span>(<\/span>NumberFormatException e)<\/span> {<\/span> <\/span><\/span> \/\/ 处理非法输入 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>4.2.3 短信验证码防护<\/h4> \/\/ 添加频率限制 <\/span><\/span><\/span><\/span>String ip =<\/span> request.<\/span>getRemoteAddr<\/span>();<\/span> <\/span><\/span>if<\/span>(<\/span>rateLimiter.<\/span>exceedsLimit<\/span>(<\/span>ip))<\/span> {<\/span> <\/span><\/span> return<\/span> "请求过于频繁"<\/span>;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>4.3 通用安全建议<\/h3> 所有用户输入必须进行验证和过滤<\/li> 敏感操作（如支付）必须在服务端进行严格校验<\/li> 使用预编译SQL语句防止SQL注入<\/li> 实施CSRF防护机制<\/li> 关键业务操作添加日志记录<\/li> <\/ol> 5. 审计经验分享<\/h2> 功能导向审计<\/strong>：先梳理功能再分析代码，效率更高<\/li> 敏感点关注<\/strong>：重点关注用户输入、支付逻辑、权限控制等关键环节<\/li> 漏洞关联思考<\/strong>：一个功能点可能关联多种漏洞类型<\/li> 测试验证<\/strong>：审计发现必须通过实际测试验证<\/li> 框架特性了解<\/strong>：了解不同框架的安全机制和常见漏洞<\/li> <\/ol> 通过本案例可以掌握基本的Java代码审计方法和常见漏洞挖掘技巧，适用于中小型Java Web项目的安全审计工作。<\/p>