JFinalCMS代码审计报告<\/h1>

1. 系统概述<\/h2>

JFinalCMS是一款轻量级CMS系统，具有以下特点：<\/p>

小巧、灵活、简单、易用<\/li>
支持动态添加字段和自定义标签<\/li>
支持动态创建数据库表并CRUD数据<\/li>
提供数据库备份\/还原功能<\/li>
支持多站点功能<\/li>

支持一键生成模板代码<\/li> <\/ul>

2. 安全漏洞分析<\/h2>

2.1 SQL注入漏洞<\/h3>

漏洞位置<\/strong>：\/search<\/code>路由<\/p>

漏洞分析<\/strong>：<\/p>

请求流程：ActionHandler<\/code> → render<\/code> → exec<\/code> → findPage<\/code><\/li> 关键问题：keyword<\/code>参数未经过任何过滤和转义，直接使用字符串拼接方式构造SQL语句<\/li> 调试关键点：需在statArray[21]<\/code>时跟进，其他元素仅执行模板文件读取和渲染<\/li> <\/ol> 漏洞验证<\/strong>：<\/p> \/<\/span>search<\/span>?<\/span>keyword=<\/span>test' AND 1=CONVERT(int,(SELECT table_name FROM information_schema.tables))-- <\/span><\/span><\/span><\/code><\/pre>2.2 任意文件读取漏洞<\/h3> 漏洞位置<\/strong>：\/common\/down\/file<\/code>路由<\/p> 漏洞分析<\/strong>：<\/p> 获取fileKey<\/code>参数时未过滤..\/<\/code>等目录遍历字符<\/li> 文件路径构造方式：PathKit.getWebRootPath() + fileKey<\/code><\/li> 即使返回404状态码，文件读取操作仍会执行<\/li> <\/ol> 漏洞验证<\/strong>：<\/p> \/common\/down\/file?fileKey=\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/windows\/win.ini <\/code><\/pre> 2.3 存储型XSS漏洞<\/h3> 漏洞位置<\/strong>：留言板功能(\/guestbook<\/code>)<\/p> 漏洞分析<\/strong>：<\/p> 数据处理流程： Guestbook guestbook =<\/span> getModel(<\/span>Guestbook.<\/span>class<\/span>,<\/span>""<\/span>,<\/span>true<\/span>);<\/span> <\/span><\/span>\/\/ 最终调用save()方法直接存入数据库 <\/span><\/span><\/span><\/code><\/pre><\/li> getModel<\/code>方法内部调用injectModel<\/code>，通过反射将请求参数映射到模型对象<\/li> 开发者预留了filter<\/code>方法但未实现任何过滤逻辑<\/li> 前端展示时未进行输出编码<\/li> <\/ol> 漏洞验证<\/strong>：<\/p> <\/span><\/span><\/code><\/pre>2.4 CSRF漏洞<\/h3> 漏洞位置<\/strong>：后台管理员添加功能(\/admin\/admin\/save<\/code>)<\/p> 漏洞分析<\/strong>：<\/p> 关键缺失：无Referer检查<\/li> 无CSRF Token验证<\/li> <\/ul> <\/li> 前端表单未包含任何防CSRF措施<\/li> <\/ol> 漏洞验证POC<\/strong>：<\/p> <html<\/span>> <\/span><\/span> <body<\/span>> <\/span><\/span> <form<\/span> action<\/span>=<\/span>"http:\/\/localhost:8080\/admin\/admin\/save"<\/span> method<\/span>=<\/span>"POST"<\/span>> <\/span><\/span> <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"username"<\/span> value<\/span>=<\/span>"attacker"<\/span>\/> <\/span><\/span> <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"password"<\/span> value<\/span>=<\/span>"attacker"<\/span>\/> <\/span><\/span> <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"rePassword"<\/span> value<\/span>=<\/span>"attacker"<\/span>\/> <\/span><\/span> <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"name"<\/span> value<\/span>=<\/span>"attacker"<\/span>\/> <\/span><\/span> <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"roleIds"<\/span> value<\/span>=<\/span>"1"<\/span>\/> <\/span><\/span> <input<\/span> type<\/span>=<\/span>"submit"<\/span> value<\/span>=<\/span>"Submit"<\/span>\/> <\/span><\/span> <\/form<\/span>> <\/span><\/span> <script<\/span>>history<\/span>.pushState<\/span>(''<\/span>, ''<\/span>, '\/'<\/span>);<\/script<\/span>> <\/span><\/span> <\/body<\/span>> <\/span><\/span><\/html<\/span>> <\/span><\/span><\/code><\/pre>3. 代码审计方法论<\/h2> 3.1 审计技巧<\/h3> 入口点分析<\/strong>：<\/p> 首先检查web.xml<\/code>中的过滤器配置<\/li> 关注JFinalFilter<\/code>等核心过滤器的限制规则<\/li> <\/ul> <\/li> 参数传递跟踪<\/strong>：<\/p> 从Controller基类(BaseController<\/code>)开始分析<\/li> 重点关注参数获取方法(getPara<\/code>系列方法)<\/li> <\/ul> <\/li> SQL注入检测<\/strong>：<\/p> 查找直接拼接SQL语句的位置<\/li> 检查参数是否经过预编译或转义处理<\/li> <\/ul> <\/li> 文件操作检测<\/strong>：<\/p> 查找文件路径拼接操作<\/li> 检查是否对..\/<\/code>等特殊字符进行过滤<\/li> <\/ul> <\/li> XSS检测<\/strong>：<\/p> 检查输入输出是否经过过滤或编码<\/li> 特别关注存储型XSS的数据持久化路径<\/li> <\/ul> <\/li> <\/ol> 3.2 调试技巧<\/h3> 关键断点设置<\/strong>：<\/p> ActionHandler<\/code>的render<\/code>方法<\/li> SQL执行前的参数构造阶段<\/li> 文件操作前的路径拼接阶段<\/li> <\/ul> <\/li> 404页面处理<\/strong>：<\/p> 即使返回404也要检查是否执行了敏感操作<\/li> 404页面本身可能存在XSS或URL跳转漏洞<\/li> <\/ul> <\/li> <\/ol> 4. 修复建议<\/h2> 4.1 SQL注入修复<\/h3> 使用预编译语句：<\/li> <\/ol> Db.<\/span>find<\/span>(<\/span>"SELECT * FROM table WHERE name = ?"<\/span>,<\/span> keyword);<\/span> <\/span><\/span><\/code><\/pre> 添加参数过滤：<\/li> <\/ol> String safeKeyword =<\/span> SqlFilter.<\/span>filter<\/span>(<\/span>keyword);<\/span> <\/span><\/span><\/code><\/pre>4.2 任意文件读取修复<\/h3> 路径规范化检查：<\/li> <\/ol> Path normalizedPath =<\/span> Paths.<\/span>get<\/span>(<\/span>basePath).<\/span>normalize<\/span>();<\/span> <\/span><\/span>if<\/span>(!<\/span>normalizedPath.<\/span>startsWith<\/span>(<\/span>basePath))<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> SecurityException(<\/span>"Invalid file path"<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 文件扩展名白名单：<\/li> <\/ol> String[]<\/span> allowedExtensions =<\/span> {<\/span>".txt"<\/span>,<\/span> ".pdf"<\/span>,<\/span> ".doc"<\/span>};<\/span> <\/span><\/span>\/\/ 检查文件扩展名是否在白名单内 <\/span><\/span><\/span><\/code><\/pre>4.3 XSS修复<\/h3> 输入过滤：<\/li> <\/ol> public<\/span> String filter<\/span>(<\/span>String input)<\/span> {<\/span> <\/span><\/span> return<\/span> HtmlUtils.<\/span>htmlEscape<\/span>(<\/span>input);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 输出编码：<\/li> <\/ol> <c:out value="${userContent}" \/> <\/code><\/pre> 4.4 CSRF修复<\/h3> 添加CSRF Token：<\/li> <\/ol> \/\/ 生成Token <\/span><\/span><\/span><\/span>String token =<\/span> UUID.<\/span>randomUUID<\/span>().<\/span>toString<\/span>();<\/span> <\/span><\/span>session.<\/span>setAttribute<\/span>(<\/span>"csrfToken"<\/span>,<\/span> token);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 验证Token <\/span><\/span><\/span><\/span>if<\/span>(!<\/span>request.<\/span>getParameter<\/span>(<\/span>"csrfToken"<\/span>).<\/span>equals<\/span>(<\/span>session.<\/span>getAttribute<\/span>(<\/span>"csrfToken"<\/span>)))<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> SecurityException(<\/span>"CSRF token validation failed"<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 同源检查：<\/li> <\/ol> String referer =<\/span> request.<\/span>getHeader<\/span>(<\/span>"Referer"<\/span>);<\/span> <\/span><\/span>if<\/span>(<\/span>referer ==<\/span> null<\/span> ||<\/span> !<\/span>referer.<\/span>startsWith<\/span>(<\/span>"https:\/\/yourdomain.com"<\/span>))<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> SecurityException(<\/span>"Invalid Referer"<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>5. 经验总结<\/h2> 全面性<\/strong>：不要忽略任何页面，包括错误页面<\/li> 深入性<\/strong>：漏洞往往存在于多层调用之后，需要耐心跟踪<\/li> 关联性<\/strong>：发现一个漏洞后，应检查类似功能的代码是否存在相同问题<\/li> 防御性<\/strong>：安全措施应该层层设防，不能依赖单一防护手段<\/li> <\/ol> 通过本次审计，我们不仅发现了具体漏洞，更重要的是建立了系统的代码审计方法论，这对未来审计其他系统具有重要指导意义。<\/p>