RuoYi框架安全演练学习笔记<\/h1>

1. RuoYi框架简介<\/h2>
RuoYi是一款基于Spring Boot和Apache Shiro的快速开发框架，广泛应用于企业级管理系统开发。该框架提供了完善的权限管理、代码生成、监控管理等功能模块。<\/p>

2. RuoYi常见安全漏洞分析<\/h2>

2.1 默认凭证漏洞<\/h3>

问题描述<\/strong>：早期版本存在默认管理员账号admin\/admin123<\/li>
影响版本<\/strong>：v3.x及以下版本<\/li>

修复方案<\/strong>：

升级到最新版本<\/li>
首次安装后强制修改默认密码<\/li>
部署时检查并删除默认账户<\/li> <\/ul> <\/li> <\/ul>
2.2 SQL注入漏洞<\/h3>

漏洞位置<\/strong>：部分动态SQL拼接处<\/li>
攻击示例<\/strong>：
\/\/ 错误示例 <\/span><\/span><\/span><\/span>String sql =<\/span> "SELECT * FROM sys_user WHERE username = '"<\/span> +<\/span> username +<\/span> "'"<\/span>;<\/span> <\/span><\/span> <\/span><\/span>\/\/ 正确写法应使用预编译 <\/span><\/span><\/span><\/span>String sql =<\/span> "SELECT * FROM sys_user WHERE username = ?"<\/span>;<\/span> <\/span><\/span><\/code><\/pre><\/li> 修复方案<\/strong>：使用MyBatis的#{}占位符而非${}拼接<\/li> 启用MyBatis的SQL注入防护<\/li> 对用户输入进行严格过滤<\/li> <\/ul> <\/li> <\/ul> 2.3 XSS漏洞<\/h3> 漏洞位置<\/strong>：未转义的用户输入展示点<\/li> 攻击示例<\/strong>： <script<\/span>>alert<\/span>('xss'<\/span>)<\/script<\/span>> <\/span><\/span><\/code><\/pre><\/li> 修复方案<\/strong>：前端使用Vue的v-html指令自动转义<\/li> 后端使用HtmlUtils.htmlEscape进行转义<\/li> 设置HTTP头X-XSS-Protection<\/li> <\/ul> <\/li> <\/ul> 2.4 CSRF防护缺陷<\/h3> 问题描述<\/strong>：早期版本未启用CSRF防护或实现不完善<\/li> 修复方案<\/strong>：启用Shiro的CSRF防护<\/li> 确保表单包含_csrf令牌<\/li> 检查请求头X-Requested-With<\/li> <\/ul> <\/li> <\/ul> 2.5 权限绕过漏洞<\/h3> 漏洞类型<\/strong>：注解配置不当导致的权限校验缺失<\/li> URL路径权限配置遗漏<\/li> <\/ul> <\/li> 修复方案<\/strong>：检查所有Controller方法的@RequiresPermissions注解<\/li> 定期审计权限配置表(sys_menu)<\/li> 实现权限的自动扫描校验机制<\/li> <\/ul> <\/li> <\/ul> 3. RuoYi安全加固指南<\/h2> 3.1 认证安全<\/h3> 密码策略<\/strong>：<\/p> 启用复杂度要求(大小写、数字、特殊字符)<\/li> 实现密码历史记录防止重复使用<\/li> 设置密码有效期(如90天)<\/li> <\/ul> <\/li> 多因素认证<\/strong>：<\/p> 集成Google Authenticator<\/li> 实现短信\/邮件验证码<\/li> <\/ul> <\/li> 会话管理<\/strong>：<\/p> 设置会话超时(30分钟无操作)<\/li> 限制并发登录<\/li> 实现登录失败锁定(5次失败后锁定15分钟)<\/li> <\/ul> <\/li> <\/ol> 3.2 数据安全<\/h3> 敏感数据保护<\/strong>：<\/p> 数据库加密：使用AES加密敏感字段<\/li> 日志脱敏：手机号、身份证号等<\/li> 传输加密：强制HTTPS<\/li> <\/ul> <\/li> 审计日志<\/strong>：<\/p> 记录关键操作(登录、权限变更、数据删除)<\/li> 实现日志防篡改机制<\/li> 定期备份审计日志<\/li> <\/ul> <\/li> <\/ol> 3.3 安全配置<\/h3> 依赖安全<\/strong>：<\/p> <\/span> <\/span><\/span><dependency><\/span> <\/span><\/span> <groupId><\/span>org.apache.shiro<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>shiro-core<\/artifactId><\/span> <\/span><\/span> <version><\/span>1.11.0<\/version><\/span> <\/span> <\/span><\/span><\/dependency><\/span> <\/span><\/span><\/code><\/pre><\/li> HTTP安全头<\/strong>：<\/p> \/\/ Spring Security配置示例 <\/span><\/span><\/span><\/span>http.<\/span>headers<\/span>()<\/span> <\/span><\/span> .<\/span>contentSecurityPolicy<\/span>(<\/span>"default-src 'self'"<\/span>)<\/span> <\/span><\/span> .<\/span>xssProtection<\/span>().<\/span>block<\/span>(<\/span>true<\/span>)<\/span> <\/span><\/span> .<\/span>and<\/span>()<\/span> <\/span><\/span> .<\/span>httpStrictTransportSecurity<\/span>()<\/span> <\/span><\/span> .<\/span>includeSubDomains<\/span>(<\/span>true<\/span>)<\/span> <\/span><\/span> .<\/span>maxAgeInSeconds<\/span>(<\/span>31536000<\/span>);<\/span> <\/span><\/span><\/code><\/pre><\/li> 生产环境配置<\/strong>：<\/p> 禁用Swagger等开发工具<\/li> 关闭调试模式(spring.profiles.active=prod)<\/li> 修改默认错误页面避免信息泄露<\/li> <\/ul> <\/li> <\/ol> 4. RuoYi渗透测试要点<\/h2> 4.1 信息收集<\/h3> 指纹识别<\/strong>：<\/p> 检查\/login路径<\/li> 识别RuoYi特有的静态资源路径<\/li> 分析HTTP响应头中的Server\/X-Powered-By<\/li> <\/ul> <\/li> 版本识别<\/strong>：<\/p> 检查HTML注释中的版本信息<\/li> 通过\/js\/ruoyi.js的修改时间判断<\/li> 访问\/actuator\/info(如果开启)<\/li> <\/ul> <\/li> <\/ol> 4.2 漏洞利用<\/h3> 未授权访问测试<\/strong>：<\/p> 尝试直接访问管理接口<\/li> 测试API权限控制<\/li> 检查跨目录访问<\/li> <\/ul> <\/li> 接口安全测试<\/strong>：<\/p> # 使用Burp Suite测试接口<\/span> <\/span><\/span>POST \/system\/user\/list HTTP\/1.1 <\/span><\/span>Content-Type: application\/json <\/span><\/span> <\/span><\/span>{<\/span>"pageSize"<\/span>:10, "pageNum"<\/span>:1}<\/span> <\/span><\/span><\/code><\/pre> 测试参数注入<\/li> 检查越权访问<\/li> 验证分页参数安全<\/li> <\/ul> <\/li> 文件上传测试<\/strong>：<\/p> 尝试绕过上传限制<\/li> 测试Webshell上传<\/li> 检查文件类型校验逻辑<\/li> <\/ul> <\/li> <\/ol> 4.3 后渗透测试<\/h3> 权限提升<\/strong>：<\/p> 分析权限设计缺陷<\/li> 测试垂直\/水平越权<\/li> 尝试获取管理员会话<\/li> <\/ul> <\/li> 数据泄露测试<\/strong>：<\/p> 检查敏感接口的数据返回<\/li> 测试SQL注入获取数据<\/li> 分析备份文件泄露<\/li> <\/ul> <\/li> <\/ol> 5. RuoYi安全开发规范<\/h2> 5.1 安全编码实践<\/h3> 输入验证<\/strong>：<\/p> \/\/ 使用Hibernate Validator进行输入验证 <\/span><\/span><\/span><\/span>@NotBlank<\/span>(<\/span>message =<\/span> "用户名不能为空"<\/span>)<\/span> <\/span><\/span>@Size<\/span>(<\/span>min =<\/span> 4<\/span>,<\/span> max =<\/span> 20<\/span>,<\/span> message =<\/span> "用户名长度必须在4-20之间"<\/span>)<\/span> <\/span><\/span>private<\/span> String username;<\/span> <\/span><\/span><\/code><\/pre><\/li> 输出编码<\/strong>：<\/p> \/\/ 使用Spring的HtmlUtils进行输出编码 <\/span><\/span><\/span><\/span>model.<\/span>addAttribute<\/span>(<\/span>"safeContent"<\/span>,<\/span> HtmlUtils.<\/span>htmlEscape<\/span>(<\/span>userInput));<\/span> <\/span><\/span><\/code><\/pre><\/li> 安全查询<\/strong>：<\/p> \/\/ 使用MyBatis预编译 <\/span><\/span><\/span><\/span>@Select<\/span>(<\/span>"SELECT * FROM sys_user WHERE username = #{username}"<\/span>)<\/span> <\/span><\/span>SysUser selectByUsername<\/span>(<\/span>@Param<\/span>(<\/span>"username"<\/span>)<\/span> String username);<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 5.2 权限设计规范<\/h3> RBAC模型<\/strong>：<\/p> 角色继承关系清晰<\/li> 最小权限原则<\/li> 定期权限审计<\/li> <\/ul> <\/li> 权限注解使用<\/strong>：<\/p> \/\/ 控制器方法权限控制 <\/span><\/span><\/span><\/span>@RequiresPermissions<\/span>(<\/span>"system:user:view"<\/span>)<\/span> <\/span><\/span>@GetMapping<\/span>(<\/span>"\/list"<\/span>)<\/span> <\/span><\/span>public<\/span> TableDataInfo list<\/span>(<\/span>SysUser user)<\/span> {<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 数据权限<\/strong>：<\/p> 实现部门数据过滤<\/li> 防止横向越权<\/li> 敏感操作二次确认<\/li> <\/ul> <\/li> <\/ol> 6. 应急响应与修复<\/h2> 6.1 漏洞修复流程<\/h3> 确认漏洞<\/strong>：<\/p> 复现漏洞场景<\/li> 确定影响范围<\/li> 评估风险等级<\/li> <\/ul> <\/li> 临时解决方案<\/strong>：<\/p> WAF规则拦截<\/li> 禁用相关功能<\/li> 权限临时调整<\/li> <\/ul> <\/li> 永久修复<\/strong>：<\/p> 代码层面修复<\/li> 安全测试验证<\/li> 版本更新发布<\/li> <\/ul> <\/li> <\/ol> 6.2 安全监控<\/h3> 异常检测<\/strong>：<\/p> 监控失败登录尝试<\/li> 检测敏感操作<\/li> 审计权限变更<\/li> <\/ul> <\/li> 入侵检测<\/strong>：<\/p> 部署RASP防护<\/li> 分析请求日志<\/li> 监控Webshell行为<\/li> <\/ul> <\/li> <\/ol> 7. 总结与最佳实践<\/h2> 定期安全评估<\/strong>：<\/p> 每季度进行安全审计<\/li> 依赖组件漏洞扫描<\/li> 渗透测试<\/li> <\/ul> <\/li> 安全开发生命周期<\/strong>：<\/p> 需求阶段考虑安全<\/li> 设计阶段威胁建模<\/li> 编码阶段安全审查<\/li> 测试阶段安全测试<\/li> <\/ul> <\/li> 持续安全改进<\/strong>：<\/p> 跟踪安全公告<\/li> 参与安全社区<\/li> 建立安全知识库<\/li> <\/ul> <\/li> <\/ol> 通过以上全面的安全措施，可以显著提升RuoYi框架应用的安全性，有效防御常见Web攻击，保障企业管理系统安全稳定运行。<\/p>

RuoYi框架安全演练学习笔记<\/h1>

1. RuoYi框架简介<\/h2> RuoYi是一款基于Spring Boot和Apache Shiro的快速开发框架，广泛应用于企业级管理系统开发。该框架提供了完善的权限管理、代码生成、监控管理等功能模块。<\/p>

2. RuoYi常见安全漏洞分析<\/h2>

3. RuoYi安全加固指南<\/h2>

4. RuoYi渗透测试要点<\/h2>

5. RuoYi安全开发规范<\/h2>

6. 应急响应与修复<\/h2>

1. RuoYi框架简介<\/h2>
RuoYi是一款基于Spring Boot和Apache Shiro的快速开发框架，广泛应用于企业级管理系统开发。该框架提供了完善的权限管理、代码生成、监控管理等功能模块。<\/p>