基于DWR框架的漏洞探测与利用实战指南<\/h1>

1. DWR框架简介<\/h2>
DWR (Direct Web Remoting) 是一个用于改善Web页面与Java类交互的AJAX框架，允许JavaScript直接调用Java方法。由于其设计特性，DWR框架可能存在多种安全风险。<\/p>

2. DWR框架常见漏洞<\/h2>

2.1 文件上传漏洞<\/h3>

漏洞代码示例<\/strong>：<\/p>

public<\/span> String upload<\/span>(<\/span>InputStream is,<\/span> String fileName)<\/span> {<\/span>
<\/span><\/span>    String fileUploadPath =<\/span> getFileUploadPath();<\/span>
<\/span><\/span>    String file =<\/span> String.<\/span>valueOf<\/span>(<\/span>fileUploadPath)<\/span> +<\/span> "\/"<\/span> +<\/span> IDCreator.<\/span>getRandom<\/span>()<\/span> +<\/span> "\/"<\/span> +<\/span> fileName;<\/span>
<\/span><\/span>    String fileExtName =<\/span> FilenameUtils.<\/span>getExtension<\/span>(<\/span>fileName);<\/span>
<\/span><\/span>    File f =<\/span> new<\/span> File(<\/span>file);<\/span>
<\/span><\/span>    Properties pro =<\/span> new<\/span> Properties();<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>      long<\/span> size =<\/span> is.<\/span>available<\/span>();<\/span>
<\/span><\/span>      FileUtils.<\/span>copyInputStreamToFile<\/span>(<\/span>is,<\/span> f);<\/span>
<\/span><\/span>      pro.<\/span>put<\/span>(<\/span>"extName"<\/span>,<\/span> fileExtName);<\/span>
<\/span><\/span>      pro.<\/span>put<\/span>(<\/span>"originName"<\/span>,<\/span> fileName);<\/span>
<\/span><\/span>      pro.<\/span>put<\/span>(<\/span>"url"<\/span>,<\/span> file);<\/span>
<\/span><\/span>      pro.<\/span>put<\/span>(<\/span>"size"<\/span>,<\/span> Long.<\/span>valueOf<\/span>(<\/span>size));<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span>
<\/span><\/span>      e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>      log.<\/span>error<\/span>(<\/span>"+ e);
<\/span><\/span><\/span>      return WebTools.getCallBackJSON(0, "<\/span>);<\/span>
<\/span><\/span>    }<\/span> 
<\/span><\/span>    return<\/span> WebTools.<\/span>getCallBackJSON<\/span>(<\/span>1<\/span>,<\/span> JSON.<\/span>toJSONString<\/span>(<\/span>pro));<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞分析<\/strong>：<\/p>

未对文件类型进行校验<\/li>
直接使用用户提供的文件名<\/li>
未限制上传路径<\/li>
<\/ul>
2.2 信息泄露漏洞<\/h3>
DWR框架默认提供DEBUG页面，路径通常为：<\/p>
http:\/\/target\/dwr\/index.html
<\/code><\/pre>
该页面会显示所有可用的DWR接口和方法，类似于.NET平台的ASMX接口文件。<\/p>
3. DWR请求结构分析<\/h2>
DWR框架的AJAX请求具有特殊格式：<\/p>
POST \/dwr\/call\/plaincall\/ExtAjax.upload.dwr HTTP\/1.1
Host: target
Content-Type: text\/plain

callCount=1
page=\/somepage.jsp
httpSessionId=
scriptSessionId=${DWRSESSIONID}
c0-scriptName=ExtAjax
c0-methodName=upload
c0-id=0
c0-param0=string:test
batchId=0
<\/code><\/pre>
关键参数说明<\/strong>：<\/p>

scriptSessionId<\/code>: 通常对应Cookie中的DWRSESSIONID<\/li>
c0-scriptName<\/code>: 对应dwr.xml中的javascript属性<\/li>
c0-methodName<\/code>: 类中的方法名<\/li>
c0-param0<\/code>: 第一个参数，依次类推(c0-param1, c0-param2等)<\/li>
<\/ul>
4. 文件上传漏洞利用<\/h2>
4.1 环境搭建<\/h3>
所需JAR包<\/strong>：<\/p>

commons-logging-1.1.1.jar<\/li>
dwr.jar<\/li>
commons-fileupload-1.3.1.jar<\/li>
commons-io-2.4.jar<\/li>
<\/ul>
示例Upload类<\/strong>：<\/p>
package<\/span> com.ajax;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> java.io.File;<\/span>
<\/span><\/span>import<\/span> java.io.IOException;<\/span>
<\/span><\/span>import<\/span> java.io.InputStream;<\/span>
<\/span><\/span>import<\/span> javax.servlet.http.HttpServletRequest;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.io.FileUtils;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.io.FilenameUtils;<\/span>
<\/span><\/span>import<\/span> org.directwebremoting.WebContext;<\/span>
<\/span><\/span>import<\/span> org.directwebremoting.WebContextFactory;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Upload<\/span> {<\/span>
<\/span><\/span>    public<\/span> String upload<\/span>(<\/span>InputStream is,<\/span> String fileName)<\/span> throws<\/span> IOException{<\/span>
<\/span><\/span>        WebContext wc =<\/span> WebContextFactory.<\/span>get<\/span>();<\/span>
<\/span><\/span>        HttpServletRequest req =<\/span> wc.<\/span>getHttpServletRequest<\/span>();<\/span>
<\/span><\/span>        String realpath =<\/span> req.<\/span>getSession<\/span>().<\/span>getServletContext<\/span>().<\/span>getRealPath<\/span>(<\/span>"upload"<\/span>);<\/span>
<\/span><\/span>        String fn =<\/span> FilenameUtils.<\/span>getName<\/span>(<\/span>fileName);<\/span>
<\/span><\/span>        String filepath =<\/span> realpath +<\/span> "\/"<\/span> +<\/span> fn;<\/span>
<\/span><\/span>        FileUtils.<\/span>copyInputStreamToFile<\/span>(<\/span>is,<\/span> new<\/span> File(<\/span>filepath));<\/span>
<\/span><\/span>        return<\/span> filepath;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>web.xml配置<\/strong>：<\/p>
<servlet><\/span>
<\/span><\/span>    <servlet-name><\/span>dwr-invoker<\/servlet-name><\/span>
<\/span><\/span>    <servlet-class><\/span>org.directwebremoting.servlet.DwrServlet<\/servlet-class><\/span>
<\/span><\/span>    <init-param><\/span>
<\/span><\/span>        <param-name><\/span>debug<\/param-name><\/span>
<\/span><\/span>        <param-value><\/span>true<\/param-value><\/span>
<\/span><\/span>    <\/init-param><\/span>
<\/span><\/span><\/servlet><\/span>
<\/span><\/span><servlet-mapping><\/span>
<\/span><\/span>    <servlet-name><\/span>dwr-invoker<\/servlet-name><\/span>
<\/span><\/span>    <url-pattern><\/span>\/dwr\/*<\/url-pattern><\/span>
<\/span><\/span><\/servlet-mapping><\/span>
<\/span><\/span><\/code><\/pre>dwr.xml配置<\/strong>：<\/p>
<dwr><\/span>
<\/span><\/span>    <allow><\/span>
<\/span><\/span>        <create<\/span> creator=<\/span>"new"<\/span> javascript=<\/span>"Upload"<\/span>><\/span>
<\/span><\/span>            <param<\/span> name=<\/span>"class"<\/span> value=<\/span>"com.ajax.Upload"<\/span> \/><\/span>
<\/span><\/span>        <\/create><\/span>
<\/span><\/span>    <\/allow><\/span>
<\/span><\/span><\/dwr><\/span>
<\/span><\/span><\/code><\/pre>4.2 漏洞利用步骤<\/h3>

通过Burp Suite拦截正常上传请求<\/li>
分析请求结构，确定scriptName和methodName<\/li>
构造恶意上传请求，上传Webshell<\/li>
<\/ol>
5. 黑盒测试方法<\/h2>
5.1 信息收集<\/h3>

检查HTML\/JSP源代码中是否包含DWR相关引用<\/li>
尝试访问默认DEBUG页面：
\/dwr\/index.html
<\/code><\/pre>
<\/li>
手动收集接口信息，查找路径为：
\/dwr\/interface\/*.js
<\/code><\/pre>
<\/li>
<\/ol>
5.2 SQL注入测试<\/h3>
测试请求格式<\/strong>：<\/p>
POST \/dwr\/call\/plaincall\/{{scriptName}}.{{methodName}}.dwr HTTP\/1.1
Host: target
Content-Type: text\/plain

callCount=1
page=\/somepage.jsp
httpSessionId=
scriptSessionId=${DWRSESSIONID}
c0-scriptName={{scriptName}}
c0-methodName={{methodName}}
c0-id=0
c0-param0=string:test'
batchId=0
<\/code><\/pre>
错误判断<\/strong>：<\/p>

单引号导致错误<\/li>
双引号返回正常<\/li>
<\/ul>
使用SQLMap<\/strong>：<\/p>
sqlmap -u "http:\/\/target\/dwr\/call\/plaincall\/ExtAjax.method.dwr" --data="callCount=1&page=\/&httpSessionId=&scriptSessionId=...&c0-scriptName=ExtAjax&c0-methodName=method&c0-id=0&c0-param0=string:1&batchId=0" --level=3
<\/code><\/pre>
6. 防御建议<\/h2>


禁用DWR DEBUG页面：<\/p>
<init-param><\/span>
<\/span><\/span>    <param-name><\/span>debug<\/param-name><\/span>
<\/span><\/span>    <param-value><\/span>false<\/param-value><\/span>
<\/span><\/span><\/init-param><\/span>
<\/span><\/span><\/code><\/pre><\/li>

严格限制DWR暴露的类和方法<\/p>
<\/li>

对文件上传功能实施严格校验：<\/p>

文件类型白名单<\/li>
文件名随机化<\/li>
限制上传目录<\/li>
<\/ul>
<\/li>

对所有输入参数进行严格过滤<\/p>
<\/li>

定期更新DWR框架到最新版本<\/p>
<\/li>
<\/ol>
7. 总结<\/h2>
DWR框架由于其设计特性，容易存在文件上传、SQL注入等安全风险。渗透测试时应重点关注：<\/p>

DWR DEBUG页面的信息泄露<\/li>
文件上传接口的安全性<\/li>
所有暴露方法的输入验证情况<\/li>
接口的认证授权机制<\/li>
<\/ul>
通过系统化的测试方法，可以有效发现和利用DWR框架中的安全漏洞。<\/p>

基于DWR框架的漏洞探测与利用实战指南<\/h1>

1. DWR框架简介<\/h2> DWR (Direct Web Remoting) 是一个用于改善Web页面与Java类交互的AJAX框架，允许JavaScript直接调用Java方法。由于其设计特性，DWR框架可能存在多种安全风险。<\/p>

2. DWR框架常见漏洞<\/h2>

4. 文件上传漏洞利用<\/h2>

5. 黑盒测试方法<\/h2>

1. DWR框架简介<\/h2>
DWR (Direct Web Remoting) 是一个用于改善Web页面与Java类交互的AJAX框架，允许JavaScript直接调用Java方法。由于其设计特性，DWR框架可能存在多种安全风险。<\/p>