JFinal框架下ofcms v1.1.3代码审计教学文档<\/h1>

一、项目概述<\/h2>
ofcms是基于JFinal框架开发的内容管理系统，版本v1.1.3存在多个安全漏洞。本教学文档将详细分析这些漏洞的发现过程和原理。<\/p>

二、审计环境准备<\/h2>

项目地址：https:\/\/gitee.com\/oufu\/ofcms\/tree\/V1.1.3\/<\/li>
依赖分析：通过pom.xml查看项目依赖<\/li>

配置文件路径：ofcms-V1.1.3\ofcms-admin\src\main\webapp\WEB-INF\web.xml<\/li> <\/ol>

三、JFinal框架数据库操作基础<\/h2>

3.1 JFinal ORM操作简介<\/h3>

JFinal使用Db类执行SQL语句，主要方法：<\/p>

Db.save<\/strong>：插入记录<\/p>

Record user =<\/span> new<\/span> Record().<\/span>set<\/span>(<\/span>"name"<\/span>,<\/span> "Alice"<\/span>).<\/span>set<\/span>(<\/span>"age"<\/span>,<\/span> 25<\/span>);<\/span>
<\/span><\/span>Db.<\/span>save<\/span>(<\/span>"user"<\/span>,<\/span> user);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

Db.find<\/strong>：查询多条记录<\/p>
List<<\/span>Record><\/span> users =<\/span> Db.<\/span>find<\/span>(<\/span>"SELECT * FROM user"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

Db.findFirst<\/strong>：查询单条记录<\/p>
Record user =<\/span> Db.<\/span>findFirst<\/span>(<\/span>"SELECT * FROM user WHERE id = ?"<\/span>,<\/span> 1<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

Db.query<\/strong>：查询单个字段<\/p>
String name =<\/span> Db.<\/span>queryStr<\/span>(<\/span>"SELECT name FROM user WHERE id = ?"<\/span>,<\/span> 1<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

Db.update<\/strong>：更新记录<\/p>
int<\/span> updatedRows =<\/span> Db.<\/span>update<\/span>(<\/span>"UPDATE user SET age = ? WHERE id = ?"<\/span>,<\/span> 30<\/span>,<\/span> 1<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

Db.delete<\/strong>：删除记录<\/p>
int<\/span> deletedRows =<\/span> Db.<\/span>delete<\/span>(<\/span>"DELETE FROM user WHERE id = ?"<\/span>,<\/span> 1<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

Db.tx<\/strong>：事务操作<\/p>
boolean<\/span> success =<\/span> Db.<\/span>tx<\/span>(()<\/span> -><\/span> {<\/span>
<\/span><\/span>    Db.<\/span>update<\/span>(<\/span>"UPDATE user SET age = ? WHERE id = ?"<\/span>,<\/span> 30<\/span>,<\/span> 1<\/span>);<\/span>
<\/span><\/span>    return<\/span> true<\/span>;<\/span>
<\/span><\/span>});<\/span>
<\/span><\/span><\/code><\/pre><\/li>

Db.batch<\/strong>：批量操作<\/p>
int<\/span>[]<\/span> results =<\/span> Db.<\/span>batchSave<\/span>(<\/span>"user"<\/span>,<\/span> users,<\/span> 100<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

Db.getSqlPara<\/strong>：安全SQL执行（防注入）<\/p>
SqlPara sqlPara =<\/span> Db.<\/span>getSqlPara<\/span>(<\/span>"findUserById"<\/span>,<\/span> params);<\/span>
<\/span><\/span>List<<\/span>Record><\/span> users =<\/span> Db.<\/span>find<\/span>(<\/span>sqlPara);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3.2 数据库配置<\/h3>
数据库配置位于JFWebConfig.java<\/code>中的ADMIN_CONFIG<\/code>，指定了数据库配置文件位置。<\/p>
四、SQL注入漏洞分析<\/h2>
4.1 漏洞发现方法<\/h3>

搜索关键字：Db.(find|findFirst|update|delete|save|batch)\s*\(<\/code><\/li>
重点关注未使用预编译或Db.getSqlPara<\/code>的SQL语句<\/li>
<\/ol>
4.2 漏洞实例分析<\/h3>
发现一处直接使用getPara<\/code>传参的SQL执行：<\/p>
\/\/ 漏洞代码示例
<\/span><\/span><\/span><\/span>String sql =<\/span> "UPDATE of_cms_link SET link_name='"<\/span> +<\/span> getPara(<\/span>"link_name"<\/span>)<\/span> +<\/span> "' WHERE link_id="<\/span> +<\/span> getPara(<\/span>"link_id"<\/span>);<\/span>
<\/span><\/span>Db.<\/span>update<\/span>(<\/span>sql);<\/span>
<\/span><\/span><\/code><\/pre>漏洞利用<\/strong>：<\/p>
payload: update of_cms_link set link_name=updatexml(1,concat(0x7e,(user())),0) where link_id = 4
<\/code><\/pre>
4.3 漏洞修复建议<\/h3>

使用预编译参数：
Db.<\/span>update<\/span>(<\/span>"UPDATE of_cms_link SET link_name=? WHERE link_id=?"<\/span>,<\/span> getPara(<\/span>"link_name"<\/span>),<\/span> getPara(<\/span>"link_id"<\/span>));<\/span>
<\/span><\/span><\/code><\/pre><\/li>
或使用Db.getSqlPara<\/code><\/li>
<\/ol>
五、XSS漏洞分析<\/h2>
5.1 漏洞发现方法<\/h3>

寻找"输入点"和"输出点"<\/li>
搜索关键字：

输入点：getParameter<\/code>, getPara<\/code>, getRequestParameter<\/code><\/li>
输出点：render<\/code>, setAttr<\/code>, JSP\/HTML中的${}<\/code>表达式<\/li>
<\/ul>
<\/li>
<\/ol>
5.2 常见XSS场景<\/h3>

用户输入直接输出到页面<\/li>
富文本编辑器未过滤危险标签<\/li>
反射型XSS在错误消息、搜索结果等处<\/li>
<\/ol>
六、其他潜在漏洞<\/h2>
6.1 文件上传漏洞<\/h3>
检查文件上传功能：<\/p>

是否验证文件类型<\/li>
是否限制文件大小<\/li>
是否使用随机文件名<\/li>
<\/ol>
6.2 CSRF漏洞<\/h3>
检查：<\/p>

关键操作是否有CSRF token保护<\/li>
是否使用jfinal.extras.interceptor.CSRFInterceptor<\/code><\/li>
<\/ol>
6.3 权限控制漏洞<\/h3>
检查：<\/p>

管理后台URL是否可被普通用户访问<\/li>
权限验证是否全面<\/li>
<\/ol>
七、审计工具推荐<\/h2>


静态分析工具<\/strong>：<\/p>

FindBugs<\/li>
SonarQube<\/li>
Fortify<\/li>
<\/ul>
<\/li>

动态测试工具<\/strong>：<\/p>

Burp Suite<\/li>
OWASP ZAP<\/li>
<\/ul>
<\/li>

正则表达式搜索<\/strong>：<\/p>

预定义的安全敏感模式搜索<\/li>
<\/ul>
<\/li>
<\/ol>
八、总结<\/h2>

JFinal框架应用需特别注意SQL注入防护<\/li>
审计时应重点关注直接拼接SQL的代码段<\/li>
XSS漏洞需结合输入输出点分析<\/li>
建议建立安全检查清单，覆盖常见漏洞类型<\/li>
<\/ol>
附录：参考文章<\/h2>

https:\/\/www.yijinglab.com\/specialized\/20220526170417<\/li>
https:\/\/mp.weixin.qq.com\/s\/dZAqUVpKr6fA_Lq7nJTmbw<\/li>
https:\/\/mp.weixin.qq.com\/s\/1agUDocOUbFgbiO83Qz5-w<\/li>
<\/ol>

JFinal框架下ofcms v1.1.3代码审计教学文档<\/h1>

一、项目概述<\/h2> ofcms是基于JFinal框架开发的内容管理系统，版本v1.1.3存在多个安全漏洞。本教学文档将详细分析这些漏洞的发现过程和原理。<\/p>

三、JFinal框架数据库操作基础<\/h2>

3.2 数据库配置<\/h3> 数据库配置位于JFWebConfig.java<\/code>中的ADMIN_CONFIG<\/code>，指定了数据库配置文件位置。<\/p>

五、XSS漏洞分析<\/h2>

六、其他潜在漏洞<\/h2>

附录：参考文章<\/h2> https:\/\/www.yijinglab.com\/specialized\/20220526170417<\/li> https:\/\/mp.weixin.qq.com\/s\/dZAqUVpKr6fA_Lq7nJTmbw<\/li> https:\/\/mp.weixin.qq.com\/s\/1agUDocOUbFgbiO83Qz5-w<\/li> <\/ol>

一、项目概述<\/h2>
ofcms是基于JFinal框架开发的内容管理系统，版本v1.1.3存在多个安全漏洞。本教学文档将详细分析这些漏洞的发现过程和原理。<\/p>

3.2 数据库配置<\/h3>
数据库配置位于`JFWebConfig.java<\/code>中的ADMIN_CONFIG<\/code>，指定了数据库配置文件位置。<\/p>`

附录：参考文章<\/h2>

https:\/\/www.yijinglab.com\/specialized\/20220526170417<\/li>
https:\/\/mp.weixin.qq.com\/s\/dZAqUVpKr6fA_Lq7nJTmbw<\/li>
https:\/\/mp.weixin.qq.com\/s\/1agUDocOUbFgbiO83Qz5-w<\/li> <\/ol>