{"id":735,"date":"2024-09-10T00:36:42","date_gmt":"2024-09-09T16:36:42","guid":{"rendered":"https:\/\/www.nightying.com\/?p=735"},"modified":"2024-09-30T11:05:53","modified_gmt":"2024-09-30T03:05:53","slug":"java_sec_code","status":"publish","type":"post","link":"https:\/\/www.nightying.com\/index.php\/2024\/09\/10\/java_sec_code\/","title":{"rendered":"JAVA\u4ee3\u7801\u5ba1\u8ba1"},"content":{"rendered":"\n

\u6587\u4ef6\u4e0a\u4f20<\/h2>\n\n\n\n
java\u4e2d\uff0c\u6587\u4ef6\u4e0a\u4f20\u51fd\u6570\u4e3a\uff1a\nMultipartFile\n\u4ee3\u7801\u5ba1\u8ba1\u601d\u8def\uff0c\u5168\u5c40\u67e5\u627eMultiparFile\u51fd\u6570\uff0c\u7136\u540e\u67e5\u770b\u4e0a\u4e0b\u6587\u6709\u6ca1\u6709\u5bf9\u4e0a\u4f20\u6587\u4ef6\u8fdb\u884c\u9650\u5236\uff0c\u6709\u6ca1\u6709\u529e\u6cd5\u7ed5\u8fc7\u9650\u5236\uff0c\u4ece\u800c\u505a\u5230\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\uff08\u6682\u4e0d\u8003\u8651\u4ee3\u7801\u7279\u6027\uff09<\/code><\/pre>\n\n\n\n
containns\u80fd\u9632\u6b62text\/html;charset=UTF-8\u7ed5\u8fc7\n\nfor (String blackMimeType : mimeTypeBlackList) {\n            if (SecurityUtil.replaceSpecialStr(mimeType).toLowerCase().contains(blackMimeType)) {\n                logger.error(\"[-] Mime type error: \" + mimeType);\n                deleteFile(filePath);\n                return \"Upload failed. Illeagl picture.\";\n            }\n        }<\/code><\/pre>\n\n\n\n
\u6587\u4ef6\u4e0a\u4f20\u65e0\u975e\u5c31\u662f5\u4e2a\u62e6\u622a\u70b9\uff1a<\/p>\n\n\n\n
1\u3001\u4e0a\u4f20\u6210\u529f\u662f\u5426\u91cd\u547d\u540d\u6587\u4ef6<\/p>\n\n\n\n
2\u3001MIME\u662f\u5426\u68c0\u6d4b<\/p>\n\n\n\n
3\u3001\u662f\u5426\u8bfb\u53d6\u6587\u4ef6\u5185\u5bb9\u5224\u65ad\u6587\u4ef6\u662f\u5426\u6b63\u5e38<\/p>\n\n\n\n
4\u3001\u662f\u5426\u9650\u5236\u4e0a\u4f20\u540e\u7f00<\/p>\n\n\n\n
5\u3001\u8bed\u8a00\u7248\u672c\u662f\u5426\u5b58\u5728\u7279\u6b8a\u622a\u65ad\u5b57\u7b26<\/p>\n\n\n\n
<\/p>\n\n\n\n
SQL\u6ce8\u5165<\/h2>\n\n\n\n
java\u4e2d\uff0cSQL\u8bed\u53e5\u4e2d\u4e00\u822c\u5e26\u6709select<\/strong>\uff0cDriver<\/strong>\uff0c\u53ef\u4ee5\u901a\u8fc7\u5168\u5c40\u67e5\u627e\u6765\u5feb\u901f\u5b9a\u4f4d
\u5982\u679cSQL\u8bed\u53e5\u4e2d\uff0c\u53c2\u6570\u7531\u7528\u6237\u81ea\u884c\u51b3\u5b9a\uff0c\u5219\u5b58\u5728SQL\u6ce8\u5165\uff0c\u4f8b\u5982\uff1a<\/p>\n\n\n\n
String sql = \"select * from users where username = '\" + username<\/strong> + \"'\"; \nlogger.info(sql);           \/\/\u5728\u65e5\u5fd7\u4e2d\u8bb0\u5f55\u8bed\u53e5\nResultSet rs = statement.executeQuery(sql);         \/\/\u6267\u884c\u8bed\u53e5<\/code><\/pre>\n\n\n\n
\u4f46\u662f\u53ef\u4ee5\u4f7f\u7528\uff1f\u4f5c\u4e3a\u5360\u4f4d\u7b26\uff0cprepareStatement<\/strong>\u51fd\u6570\u9632\u6b62SQL\u6ce8\u5165\uff0c\u5e76\u4f7f\u7528setString<\/strong>\u63d2\u5165\u4f20\u53c2\uff0c\u4f8b\u5982\uff1a<\/p>\n\n\n\n
String sql = \"select * from users where username = ?\";      \/\/\u4f7f\u7528\uff1f\u4f5c\u4e3a\u5360\u4f4d\u7b26\nPreparedStatement st = con.prepareStatement<\/strong>(sql);  \/\/prepareStatement\u9632\u6b62SQL\u6ce8\u5165\nst.setString<\/strong>(1, username);   \/\/setString\u5b89\u5168\u7684\u63d2\u5165\u53c2\u6570\nlogger.info(st.toString());  \/\/ sql after prepare statement\nResultSet rs = st.executeQuery();<\/code><\/pre>\n\n\n\n
\u4f46\u662fprepareStatement<\/strong>\u51fd\u6570\u4e5f\u5b58\u5728\u4e00\u4e2a\u9519\u8bef\u7528\u6cd5\uff0c\u4e0d\u4f7f\u7528\uff1f\u4f5c\u4e3a\u5360\u4f4d\u7b26\uff0c\u800c\u662f\u76f4\u63a5\u5c06\u53c2\u6570\u4f20\u5165SQL\u8bed\u53e5\u4e2d\uff0c\u8fd8\u662f\u4f1a\u5b58\u5728SQL\u6ce8\u5165\uff1a<\/p>\n\n\n\n
String sql = \"select * from users where username = '\" + username<\/strong> + \"'\";\nPreparedStatement st = con.prepareStatement(sql);\nlogger.info(st.toString());\nResultSet rs = st.executeQuery();\n<\/code><\/pre>\n\n\n\n
\u8fd8\u6709\u4e00\u79cdSQL\u5199\u6cd5\u662fMyBatis<\/strong>\uff08\u52a8\u6001\u6784\u5efaSQL\u8bed\u53e5\uff09<\/p>\n\n\n\n
@Resource\n    private UserMapper userMapper;          \/\/\u6ce8\u5165\u5b9e\u4f8b\uff0c\u7528\u4e8e\u6267\u884cMyBatis\u7684\u6570\u636e\u5e93\u64cd\u4f5c\u3002\n\n@Mapper\npublic interface UserMapper {\n\n    \/**\n     * If using simple sql, we can use annotation. Such as @Select @Update.\n     * If using ${username}, application will send a error.\n     *\/\n    @Select(\"select * from users where username = #{username}\")\n    User findByUserName(@Param(\"username\") String username);\n\n    @Select(\"select * from users where username = '${username}'\")\n    List<User> findByUserNameVuln01(@Param(\"username\") String username);\n\n    List<User> findByUserNameVuln02(String username);\n    List<User> findByUserNameVuln03(@Param(\"order\") String order);\n\n    User findById(Integer id);\n\n    User OrderByUsername();\n\n}<\/code><\/pre>\n\n\n\n
XML\u5185\u5bb9\uff1a<\/strong>\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE mapper PUBLIC \"-\/\/mybatis.org\/\/DTD Mapper 3.0\/\/EN\" \"http:\/\/mybatis.org\/dtd\/mybatis-3-mapper.dtd\">\n\n<mapper namespace=\"org.joychou.mapper.UserMapper\">\n\n    <resultMap type=\"org.joychou.dao.User\" id=\"User\">\n        <id column=\"id\" property=\"id\" javaType=\"java.lang.Integer\" jdbcType=\"NUMERIC\"\/>\n        <id column=\"username\" property=\"username\" javaType=\"java.lang.String\" jdbcType=\"VARCHAR\"\/>\n        <id column=\"password\" property=\"password\" javaType=\"java.lang.String\" jdbcType=\"VARCHAR\"\/>\n    <\/resultMap>\n\n    <!--<select id=\"findByUserName\" resultMap=\"User\">-->\n\t    <!--select * from users where username = #{username}-->\n    <!--<\/select>-->\n\n    <select id=\"findByUserNameVuln02\" parameterType=\"String\" resultMap=\"User\">\n        select * from users where username like '%${_parameter}%'\n    <\/select>\n\n    <select id=\"findByUserNameVuln03\" parameterType=\"String\" resultMap=\"User\">\n        select * from users\n        <if test=\"order != null\">\n            order by ${order} asc\n        <\/if>\n    <\/select>\n\n    <select id=\"findById\" resultMap=\"User\">\n        select * from users where id = #{id}\n    <\/select>\n\n\n    <select id=\"OrderByUsername\" resultMap=\"User\">\n        select * from users order by id asc limit 1\n    <\/select>\n<\/mapper><\/code><\/pre>\n\n\n\n
\u4f7f\u7528${username}<\/strong>\u63d2\u5165\u53c2\u6570\uff0c\u662f\u4f1a\u5b58\u5728SQL\u6ce8\u5165\u7684<\/p>\n\n\n\n
\u8c03\u7528\u51fd\u6570\u90e8\u5206\uff1a<\/strong>\n@GetMapping(\"\/mybatis\/vuln01\")\n    public List<User> mybatisVuln01(@RequestParam(\"username\") String username) {\n        return userMapper.findByUserNameVuln01(username);\n    }\n\nUserMapper\u7684\u4e00\u90e8\u5206\uff1a<\/strong>\n@Select(\"select * from users where username = '${username}<\/strong>'\")\n    List<User> findByUserNameVuln01(@Param(\"username\") String username);<\/code><\/pre>\n\n\n\n
\u4f7f\u7528%${_parameter}%<\/strong>\u63d2\u5165\u53c2\u6570\u4e5f\u4f1a\u5b58\u5728SQL\u6ce8\u5165<\/p>\n\n\n\n
XML\u6587\u4ef6\u5185\u5bb9\uff1a<\/strong>\n<select id=\"findByUserNameVuln02\" parameterType=\"String\" resultMap=\"User\">\n        select * from users where username like '%${_parameter}%<\/strong>'\n    <\/select>\n\n\n\u8c03\u7528\u51fd\u6570\u90e8\u5206\uff1a<\/strong>\n@GetMapping(\"\/mybatis\/vuln02\")\n    public List<User> mybatisVuln02(@RequestParam(\"username\") String username) {\n        return userMapper.findByUserNameVuln02(username);\n    }\n\nMapper\u90e8\u5206\uff1a<\/strong>\nList<User> findByUserNameVuln02(String username);<\/code><\/pre>\n\n\n\n
\u5728mybatis<\/strong>\u7684order by<\/strong>\u8bed\u53e5\u4e2d\u4e0d\u80fd<\/strong>\u4f7f\u7528#<\/strong>\uff0c\u6240\u4ee5${order}<\/strong>\u4f1a\u5bfc\u81f4SQL\u6ce8\u5165\uff0c\u9700\u8981\u5bf9\u8f93\u5165\u7684\u5185\u5bb9\u8fdb\u884c\u4e00\u6b21\u8fc7\u6ee4<\/strong><\/p>\n\n\n\n
\u51fd\u6570\u8c03\u7528\u90e8\u5206\uff1a<\/strong>\n@GetMapping(\"\/mybatis\/sec03\")\n    public User mybatisSec03() {\n        return userMapper.OrderByUsername();\n    }\n\nXML\u90e8\u5206\uff1a<\/strong>\n<select id=\"findByUserNameVuln03\" parameterType=\"String\" resultMap=\"User\">\n        select * from users\n        <if test=\"order != null\">\n            order by ${order}<\/strong> asc\n        <\/if>\n    <\/select>\n\nMapper\u90e8\u5206\uff1a<\/strong>\nList<User> findByUserNameVuln03(@Param(\"order\") String order);<\/code><\/pre>\n\n\n\n
\u53ea\u8981\u4f7f\u7528${}\u4f5c\u4e3a\u63d2\u5165\u53c2\u6570\uff0c\u5e76\u4e14\u53c2\u6570\u503c\u7531\u7528\u6237\u81ea\u5df1\u51b3\u5b9a\uff0c\u8be5\u90e8\u5206\u5c31\u4f1a\u5b58\u5728SQL\u6ce8\u5165\uff0c\u89e3\u51b3\u529e\u6cd5\u662f\u66ff\u6362\u4e3a#{}<\/p>\n\n\n\n
\u8fd8\u9700\u8981\u770b\u662f\u5426\u5b58\u5728\u76f8\u5173\u8fc7\u6ee4\uff0c\u6bd4\u5982\u53c2\u6570\u8f93\u5165\u7684\u9ed1\u540d\u5355\u5339\u914d\uff0c\u9884\u5904\u7406\u7b49\u64cd\u4f5c\u3002<\/p>\n\n\n\n
\u4f8b\u5982\u4f7f\u7528SecurityUtil.sqlFilter<\/strong>(sort)\u51fd\u6570\uff08\u8be5\u51fd\u6570\u662f\u81ea\u5df1\u5199\u7684\uff09\u8fc7\u6ee4<\/p>\n\n\n\n
\/**\n     * \u8fc7\u6ee4mybatis\u4e2dorder by\u4e0d\u80fd\u7528#\u7684\u60c5\u51b5\u3002\n     * \u4e25\u683c\u9650\u5236\u7528\u6237\u8f93\u5165\u53ea\u80fd\u5305\u542b<code>a-zA-Z0-9_-.<\/code>\u5b57\u7b26\u3002<\/strong>\n     *\n     * @param sql sql\n     * @return \u5b89\u5168sql\uff0c\u5426\u5219\u8fd4\u56denull\n     *\/\n    public static String sqlFilter(String sql) {\n        if (!FILTER_PATTERN.matcher(sql).matches()) {\n            return null;\n        }\n        return sql;\n    }\n\u9700\u8981\u786e\u4fdd\u8fc7\u6ee4\u903b\u8f91\u662f\u8db3\u591f\u4e25\u683c\u7684\uff0c\u624d\u80fd\u9632\u6b62\u7ed5\u8fc7<\/strong><\/code><\/pre>\n\n\n\n
XSS\u8de8\u7ad9\u811a\u672c\u653b\u51fb<\/h2>\n\n\n\n
XSS\u6ce8\u5165\u7684\u672c\u8d28\u5176\u5b9e\u5c31\u662f\u540e\u7aef\u8f93\u51fa\u7684\u5185\u5bb9\u6ca1\u6709\u8fdb\u884c\u8fc7\u6ee4\uff0c\u5bfc\u81f4\u524d\u7aef\u8bfb\u53d6\u5230\u8fd9\u79cd\u5185\u5bb9\u4ece\u800c\u52a0\u8f7d\u6210html\u6216JavaScript\uff0c\u5bfc\u81f4\u6267\u884cXSS\u6076\u610f\u6307\u4ee4\uff08\u867d\u7136\uff0cXSS\u5229\u7528\u771f\u7684\u4e0d\u591a\uff0c\u52a0\u4e0a\u76ee\u524d\u7684\u524d\u7aef\u6846\u67b6\u5347\u7ea7\uff0c\u65b0\u6846\u67b6\u57fa\u672c\u4e0a\u4e0d\u5b58\u5728XSS\u4e86\uff09<\/p>\n\n\n\n
\u5728\u524d\u540e\u7aef\u4e00\u4f53\u5316\u7684\u67b6\u6784\u4e2d\uff0c\u5982\u679c\u540e\u7aef\u4ee3\u7801\u76f4\u63a5\u8fd4\u56de\u7528\u6237\u7684\u8f93\u5165\u6570\u636e\u800c\u672a\u8fdb\u884c\u9002\u5f53\u7684\u5904\u7406\uff0cXSS\u662f\u5f88\u5bb9\u6613\u89e6\u53d1\u7684\u3002<\/p>\n\n\n\n
\u56e0\u4e3a\u5728\u524d\u540e\u7aef\u4e00\u4f53\u5316\u7684\u67b6\u6784\u4e2d\uff0c\u540e\u7aef\u8d1f\u8d23\u751f\u6210\u548c\u8fd4\u56de\u9875\u9762\u5185\u5bb9\uff08HTML\u3001JSON\u3001\u6587\u672c\u7b49\uff09\u76f4\u63a5\u7ed9\u524d\u7aef\u3002\u5982\u679c\u540e\u7aef\u76f4\u63a5\u901a\u8fc7return<\/code>\u8fd4\u56de\u6570\u636e\uff0c\u901a\u5e38\u610f\u5473\u7740\u5b83\u4f1a\u76f4\u63a5\u4f20\u9012\u7ed9\u524d\u7aef\uff0c\u800c\u4e0d\u4f1a\u518d\u7ecf\u8fc7\u524d\u7aef\u7684\u989d\u5916\u5904\u7406<\/strong>\u3002<\/p>\n\n\n\n
\u5728Spring MVC\u6846\u67b6<\/strong>\u4e2d\uff0c\u4f7f\u7528@ResponseBody<\/strong><\/code>\u6ce8\u89e3\u7684\u63a7\u5236\u5668\u65b9\u6cd5\u4f1a\u76f4\u63a5\u5c06\u65b9\u6cd5\u8fd4\u56de\u503c\u4f5c\u4e3aHTTP\u54cd\u5e94\u7684\u5185\u5bb9\u3002\u8fd9\u4ee3\u8868\u8fd4\u56de\u7684\u6570\u636e\u4f1a\u76f4\u63a5\u53d1\u7ed9\u524d\u7aef<\/strong>\uff0c\u800c\u4e0d\u662f\u6e32\u67d3\u6a21\u677f\u6216\u7ecf\u8fc7\u8fdb\u4e00\u6b65\u5904\u7406\u3002<\/p>\n\n\n\n
\u8fd9\u5c31\u5bfc\u81f4\u8fd9\u4e00\u6bb5\u4ee3\u7801\uff0c\u901a\u8fc7reflect\u63a5\u6536\u53c2\u6570xss\uff0c\u7136\u540e\u76f4\u63a5\u8fd4\u56de\u7ed9\u524d\u7aef\uff0c\u7167\u6210\u53cd\u5c04\u578bXSS\u6ce8\u5165<\/strong><\/p>\n\n\n\n
@RequestMapping(\"\/reflect\")\n    @ResponseBody\n    public static String reflect(String xss) {\n        return xss;\n    }<\/code><\/pre>\n\n\n\n
\u4e5f\u5c31\u662f\u5728spring MVC\u6846\u67b6<\/strong>\u4e2d\uff0c\u5feb\u901f\u67e5\u627e<\/p>\n\n\n\n
request.getParameter\nrequest.getQueryString\nrequest.getHeader\nrequest.getCookies\nHttpServletResponse.getWriter()\nresponse.setHeader()\nreturn(\u4e0e@RestController\u6216@ResponseBody\u4e00\u8d77\u4f7f\u7528\uff09<\/code><\/pre>\n\n\n\n
\u67e5\u770b\u4e0a\u4e0b\u6587\u662f\u5426\u5b58\u5728\u8fc7\u6ee4\u53ef\u4ee5\u5224\u65ad\u662f\u5426\u5b58\u5728XSS\uff0c\u4f46\u662f\u5982\u679c\u662f\u524d\u540e\u7aef\u5206\u79bb\u7684\u60c5\u51b5\uff0c\u8fd8\u9700\u8981\u67e5\u770b\u524d\u7aef\u5bf9\u5e94\u4ee3\u7801\u662f\u5426\u5bf9\u540e\u7aef\u4f20\u5165\u7684\u6570\u636e\u8fdb\u884c\u76f8\u5e94\u7684\u89e3\u6790<\/p>\n\n\n\n
\u4e0b\u9762\u8fd9\u4e00\u6bb5\u4ee3\u7801\u5c06\u7528\u6237\u8f93\u5165\u7684\u5185\u5bb9\u5b58\u50a8\u8fdb\u5165cookie\u4e2d\uff0c\u5e76\u5728\u53e6\u4e00\u4e2a\u8def\u7531\u4e2d\u8bfb\u53d6\u51fa\u6765\uff0c\u8fd9\u4f1a\u9020\u6210\u5b58\u50a8\u578bXSS\u6ce8\u5165<\/strong><\/p>\n\n\n\n
\n@RequestMapping(\"\/stored\/store\")\n    @ResponseBody\n    public String store(String xss, HttpServletResponse response) {\n        Cookie cookie = new Cookie(\"xss\", xss);\n        response.addCookie(cookie);\n        return \"Set param into cookie\";\n    }\n\n@RequestMapping(\"\/stored\/show\")\n    @ResponseBody\n    public String show(@CookieValue(\"xss\") String xss) {\n        return xss;\n    }<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
\u800c\u4f7f\u7528@ResponseBody<\/strong>\u63a7\u5236\u5668+return<\/strong>\u8fd8\u60f3\u8981\u89e3\u51b3XSS\u7684\u95ee\u9898\uff0c\u53ea\u9700\u8981\u8fdb\u884c\u4e25\u683c\u8fc7\u6ee4\u6216\u8f6c\u4e49\u5373\u53ef<\/p>\n\n\n\n
@RequestMapping(\"\/safe\")\n    @ResponseBody\n    public static String safe(String xss) {\n        return encode(xss);\n    }\n\n    private static String encode(String origin) {\n        origin = StringUtils.replace(origin, \"&\", \"&amp;\");\n        origin = StringUtils.replace(origin, \"<\", \"&lt;\");\n        origin = StringUtils.replace(origin, \">\", \"&gt;\");\n        origin = StringUtils.replace(origin, \"\\\"\", \"&quot;\");\n        origin = StringUtils.replace(origin, \"'\", \"&#x27;\");\n        origin = StringUtils.replace(origin, \"\/\", \"&#x2F;\");\n        return origin;\n    }<\/code><\/pre>\n\n\n\n
\u5176\u4e2dsafe\u548cencode\u4ee5\u53careflect\u65b9\u6cd5\uff08\u51fd\u6570\uff09\u4f7f\u7528static\uff08\u9759\u6001\uff09\u7684\u539f\u56e0\uff0c\u662f\u56e0\u4e3a\u4ee3\u7801\u6ca1\u6709\u8c03\u7528\u590d\u6742\u5185\u5bb9\uff0c\u6d89\u53ca\u4efb\u4f55\u5b9e\u4f8b\u53d8\u91cf\u6216\u5b9e\u4f8b\u65b9\u6cd5\u7684\u8c03\u7528\uff0c\u8fd9\u6837\u5199\u53ef\u4ee5\u8282\u7701\u5185\u5b58\uff0c\u4f18\u5316\u6027\u80fd\u3002
\u800cstore\u548cshow\u65b9\u6cd5\uff08\u51fd\u6570\uff09\u4e0d\u4f7f\u7528static\uff08\u9759\u6001\uff09\u7684\u539f\u56e0\u662f\u56e0\u4e3a\u8c03\u7528\u4e86\u5b9e\u4f8b\uff1aHttpServletResponse<\/strong><\/code>\u548c@CookieValue<\/strong>\uff0c\u4ece\u800c\u4e0d\u9002\u7528static<\/p>\n\n\n\n
@Controller<\/strong>\u4f1a\u6e32\u67d3\u89c6\u56fe\uff0c\u4f7f\u7528\u89c6\u56fe\u89e3\u6790\u5668\u6e32\u67d3 HTML \u6216\u5176\u4ed6\u9875\u9762\u3002\uff08\u52a0\u4e0a@ResponseBody<\/strong>\u63a7\u5236\u5668\u540e\u8fd4\u56de\u7684\u5c31\u662fjson\u6216XML\u4e86\uff0c\u4e5f\u5c31\u662f@RestController=@Controller+@ResponseBody<\/strong>\uff09\u800c@RestController<\/code><\/strong>\u9ed8\u8ba4\u8fd4\u56de\u5bf9\u8c61\u6216\u6570\u636e\uff0c\u5e76\u4e14\u5c06\u6570\u636e\u76f4\u63a5\u5199\u5165 HTTP \u54cd\u5e94\u4f53\uff08\u901a\u5e38\u8fd4\u56de JSON \u6216 XML \u683c\u5f0f\u7684\u54cd\u5e94\uff09\u3002<\/p>\n\n\n\n
<\/p>\n\n\n\n
CORS\u914d\u7f6e\u9519\u8bef<\/h2>\n\n\n\n
\u7b80\u5355\u8bb2\u89e3\u4e00\u4e0bCORS\u914d\u7f6e\u9519\u8bef\uff0c\u5982\u679c\u4e00\u4e2a\u7f51\u7ad9\u5b58\u5728CORS\u914d\u7f6e\u9519\u8bef\u6f0f\u6d1e\uff0c\u90a3\u4e48\u653b\u51fb\u8005\u5c31\u53ef\u4ee5\u8fdb\u884cCSRF\u653b\u51fb<\/p>\n\n\n\n
\u53d7\u5bb3\u8005\u767b\u5f55a.com\uff0c\u5e76\u4fdd\u7559\u4e86\u767b\u5f55\u51ed\u8bc1\uff08Cookie\uff09\u3002\n\u653b\u51fb\u8005\u5f15\u8bf1\u53d7\u5bb3\u8005\u8bbf\u95ee\u4e86b.com\u3002\nb.com \u5411 a.com \u53d1\u9001\u4e86\u4e00\u4e2a\u8bf7\u6c42\uff1aa.com\/act=xx\u3002\u6d4f\u89c8\u5668\u4f1a\u9ed8\u8ba4\u643a\u5e26a.com\u7684Cookie\u3002\na.com\u63a5\u6536\u5230\u8bf7\u6c42\u540e\uff0c\u5bf9\u8bf7\u6c42\u8fdb\u884c\u9a8c\u8bc1\uff0c\u5e76\u786e\u8ba4\u662f\u53d7\u5bb3\u8005\u7684\u51ed\u8bc1\uff0c\u8bef\u4ee5\u4e3a\u662f\u53d7\u5bb3\u8005\u81ea\u5df1\u53d1\u9001\u7684\u8bf7\u6c42\u3002\na.com\u4ee5\u53d7\u5bb3\u8005\u7684\u540d\u4e49\u6267\u884c\u4e86act=xx\u3002\n\u653b\u51fb\u5b8c\u6210\uff0c\u653b\u51fb\u8005\u5728\u53d7\u5bb3\u8005\u4e0d\u77e5\u60c5\u7684\u60c5\u51b5\u4e0b\uff0c\u5192\u5145\u53d7\u5bb3\u8005\uff0c\u8ba9a.com\u6267\u884c\u4e86\u81ea\u5df1\u5b9a\u4e49\u7684\u64cd\u4f5c\uff08\u4f8b\u5982\u8f6c\u94b1\uff0c\u8d2d\u4e70\u5546\u54c1\u7b49\u64cd\u4f5c\uff09\u3002<\/code><\/pre>\n\n\n\n
\u770b\u4ee3\u7801\uff1a<\/p>\n\n\n\n
\u8fd9\u4e2a\u662f\u4e00\u4e2a\u5178\u578b\u7684CORS\u914d\u7f6e\u9519\u8bef\u6f0f\u6d1e\uff0c\u901a\u8fc7\u83b7\u53d6\u8bf7\u6c42\u5305\u4e2d\u7684origin\u5b57\u6bb5\u5185\u5bb9\u4f5c\u4e3aAccess-Control-Allow-Origin\u54cd\u5e94\u5934\uff0c\u8fd9\u4f1a\u5bfc\u81f4\u653b\u51fb\u8005\u53ef\u4ee5\u81ea\u884c\u7f16\u8f91origin\u5185\u5bb9\uff0c\u4ece\u800c\u7ed5\u8fc7CORS\u9650\u5236\uff0c\u4e14response.setHeader(“Access-Control-Allow-Credentials”, “true”);\u5141\u8bb8Cookie\u4f20\u9012\uff0c\u8fd9\u5c31\u5bfc\u81f4\u4f1a\u51fa\u73b0CSRF\u6f0f\u6d1e<\/p>\n\n\n\n
@RequestMapping(\"\/vuln\/origin\")\n    public static String vuls1(HttpServletRequest request, HttpServletResponse response) {\n        String origin = request.getHeader(\"origin\");\n        response.setHeader(\"Access-Control-Allow-Origin\", origin); \/\/ \u8bbe\u7f6eOrigin\u503c\u4e3aHeader\u4e2d\u83b7\u53d6\u5230\u7684\n        response.setHeader(\"Access-Control-Allow-Credentials\", \"true\");  \/\/ cookie\n        return info;\n    }<\/code><\/pre>\n\n\n\n
\u7b2c\u4e8c\u4e2a\u4ee3\u7801\uff1a<\/p>\n\n\n\n
\u867d\u7136\u8fd9\u79cd\u65b9\u5f0f\u653e\u5bbd\u4e86\u8de8\u57df\u9650\u5236\uff0c\u4f46\u5982\u679c\u524d\u7aef\u540c\u65f6\u8bbe\u7f6e withCredentials<\/code>\uff08\u8868\u793a\u53d1\u9001\u8bf7\u6c42\u65f6\u643a\u5e26Cookie\u7b49\u51ed\u636e\uff09\uff0c\u4f1a\u5bfc\u81f4\u8bf7\u6c42\u5931\u8d25\u3002\u56e0\u4e3a Access-Control-Allow-Origin<\/code> \u4e3a *<\/code> \u65f6\uff0c\u4e0d\u5141\u8bb8\u540c\u65f6\u8bbe\u7f6e Access-Control-Allow-Credentials<\/code> \u4e3a true<\/code>\u3002\u8fd9\u662f\u4e00\u4e2a\u8de8\u57df\u7b56\u7565\u4e2d\u7684\u8bef\u914d\u7f6e\u95ee\u9898\uff0c\u53ef\u80fd\u5f71\u54cd\u90e8\u5206\u5e94\u7528\u3002<\/p>\n\n\n\n
@RequestMapping(\"\/vuln\/setHeader\")\n    public static String vuls2(HttpServletResponse response) {\n        \/\/ \u540e\u7aef\u8bbe\u7f6eAccess-Control-Allow-Origin\u4e3a*\u7684\u60c5\u51b5\u4e0b\uff0c\u8de8\u57df\u7684\u65f6\u5019\u524d\u7aef\u5982\u679c\u8bbe\u7f6ewithCredentials\u4e3atrue\u4f1a\u5f02\u5e38\n        response.setHeader(\"Access-Control-Allow-Origin\", \"*\");\n        return info;\n    }<\/code><\/pre>\n\n\n\n
\u7b2c\u4e09\u4e2a\u4ee3\u7801\uff1a<\/p>\n\n\n\n
\u8fd9\u4e5f\u662f\u4e00\u79cd\u653e\u5bbdCORS\u7b56\u7565\u7684\u65b9\u5f0f\uff0c\u5141\u8bb8\u4efb\u4f55\u57df\u53d1\u8d77\u8de8\u57df\u8bf7\u6c42\uff0c\u53ef\u80fd\u5e26\u6765\u5b89\u5168\u98ce\u9669\uff08\u4f8b\u5982 CSRF \u653b\u51fb\uff09\u3002\u867d\u7136\u8fd9\u79cd\u65b9\u5f0f\u914d\u7f6e\u7b80\u5355\uff0c\u4f46\u8fc7\u4e8e\u5bbd\u677e\u7684\u8de8\u57df\u7b56\u7565\u53ef\u80fd\u5141\u8bb8\u6076\u610f\u7f51\u7ad9\u8bfb\u53d6\u654f\u611f\u6570\u636e\u3002<\/p>\n\n\n\n
@CrossOrigin(\"*\")\n    @RequestMapping(\"\/vuln\/crossOrigin\")\n    public static String vuls3() {\n        return info;\n    }<\/code><\/pre>\n\n\n\n
\u5bf9\u4e8e\u7b2c\u4e00\u4e2a\u4ee3\u7801\u7684\u4fee\u590d\uff1a<\/p>\n\n\n\n
\u901a\u8fc7 @CrossOrigin<\/code> \u6ce8\u89e3\u9650\u5236\u5141\u8bb8\u7684\u8de8\u57df\u8bf7\u6c42\u57df\u540d\u4e3a joychou.org<\/code> \u548c test.joychou.me<\/code>\uff0c\u9650\u5236\u4e86\u53ef\u4ee5\u8bbf\u95ee\u8fd9\u4e2a\u63a5\u53e3\u7684\u57df\u3002<\/p>\n\n\n\n
@CrossOrigin(origins = {\"joychou.org\", \"http:\/\/test.joychou.me\"})\n    @RequestMapping(\"\/sec\/crossOrigin\")\n    public static String secCrossOrigin() {\n        return info;\n    }<\/code><\/pre>\n\n\n\n
\u4e5f\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528spring\u63d0\u4f9b\u7684\u9632\u6b62\u8de8\u7ad9\u653b\u51fb\u7684\u5bf9\u8c61<\/p>\n\n\n\n
\u8fd9\u4e2a\u65b9\u6cd5\u5bf9\u5e94 Spring \u7684 Web MVC \u914d\u7f6e\u5668\uff08webMvcConfigurer<\/code>\uff09\uff0c\u8fd9\u91cc\u5904\u7406\u4e86 CSRF token \u7684\u83b7\u53d6\uff0c\u5e76\u4e14\u53ef\u80fd\u4e0e MVC \u5c42\u7684\u914d\u7f6e\u76f8\u5173\u3002<\/p>\n\n\n\n
@RequestMapping(\"\/sec\/webMvcConfigurer\")\n    public CsrfToken getCsrfToken_01(CsrfToken token) {\n        return token;\n    }<\/code><\/pre>\n\n\n\n
\u8fd9\u4e2a\u65b9\u6cd5\u8bf4\u660e\u4e86 Spring Security \u5904\u7406\u8de8\u57df\u8d44\u6e90\u5171\u4eab (CORS) \u8bbe\u7f6e\u7684\u573a\u666f\uff0c\u5e76\u6307\u51fa\u5728 Spring Security \u5904\u7406 CORS \u7684\u573a\u666f\u4e0b\uff0c\u4e0d\u652f\u6301\u81ea\u5b9a\u4e49 checkOrigin<\/code>\u3002<\/p>\n\n\n\n
@RequestMapping(\"\/sec\/httpCors\")\n    public CsrfToken getCsrfToken_02(CsrfToken token) {\n        return token;\n    }<\/code><\/pre>\n\n\n\n
\u8fd9\u4e2a\u65b9\u6cd5\u8868\u793a\u4f7f\u7528\u81ea\u5b9a\u4e49\u7684 Filter \u6765\u5904\u7406 CORS\uff0c\u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0c\u5141\u8bb8\u81ea\u5b9a\u4e49 checkOrigin<\/code>\u3002<\/p>\n\n\n\n
@RequestMapping(\"\/sec\/originFilter\")\n    public CsrfToken getCsrfToken_03(CsrfToken token) {\n        return token;\n    }<\/code><\/pre>\n\n\n\n
\u8fd9\u4e2a\u65b9\u6cd5\u901a\u8fc7 CorsFilter \u5904\u7406 CORS \u8bf7\u6c42\uff0c\u4f46\u4e0d\u652f\u6301\u81ea\u5b9a\u4e49 checkOrigin<\/code>\u3002<\/p>\n\n\n\n
@RequestMapping(\"\/sec\/corsFilter\")\n    public CsrfToken getCsrfToken_04(CsrfToken token) {\n        return token;\n    }<\/code><\/pre>\n\n\n\n
\u8fd9\u4e2a\u65b9\u6cd5\u662f\u7528\u6765\u68c0\u67e5\u8bf7\u6c42\u7684\u6765\u6e90\u662f\u5426\u5b89\u5168\u3002\u5982\u679c\u8bf7\u6c42\u7684 Origin<\/code> \u4e0d\u5728\u767d\u540d\u5355\u4e2d\uff0c\u5c31\u8ba4\u5b9a\u4e3a\u4e0d\u5b89\u5168\u3002\u8fd9\u4e2a\u65b9\u6cd5\u4f1a\u6839\u636e\u8bf7\u6c42\u5934\u4e2d\u7684 Origin<\/code> \u5b57\u6bb5\uff0c\u68c0\u67e5\u5176\u662f\u5426\u5728\u5b89\u5168\u767d\u540d\u5355\u4e2d\uff0c\u5e76\u76f8\u5e94\u8bbe\u7f6e Access-Control-Allow-Origin<\/code> \u7b49 CORS \u54cd\u5e94\u5934\u3002<\/p>\n\n\n\n
@RequestMapping(\"\/sec\/checkOrigin\")\n    public String seccode(HttpServletRequest request, HttpServletResponse response) {\n        String origin = request.getHeader(\"Origin\");\n\n        \/\/ \u5982\u679corigin\u4e0d\u4e3a\u7a7a\u5e76\u4e14origin\u4e0d\u5728\u767d\u540d\u5355\u5185\uff0c\u8ba4\u5b9a\u4e3a\u4e0d\u5b89\u5168\u3002\n        \/\/ \u5982\u679corigin\u4e3a\u7a7a\uff0c\u8868\u793a\u662f\u540c\u57df\u8fc7\u6765\u7684\u8bf7\u6c42\u6216\u8005\u6d4f\u89c8\u5668\u76f4\u63a5\u53d1\u8d77\u7684\u8bf7\u6c42\u3002\n        if (origin != null && SecurityUtil.checkURL(origin) == null) {\n            return \"Origin is not safe.\";\n        }\n        response.setHeader(\"Access-Control-Allow-Origin\", origin);\n        response.setHeader(\"Access-Control-Allow-Credentials\", \"true\");\n        return LoginUtils.getUserInfo2JsonStr(request);\n    }<\/code><\/pre>\n\n\n\n
\u547d\u4ee4\u6ce8\u5165\uff08Command Injection\uff09<\/h2>\n\n\n\n
\u547d\u4ee4\u6ce8\u5165\u4e00\u822c\u51fa\u73b0\u5728\u529f\u80fd\u9700\u8981\u8c03\u7528\u7cfb\u7edf\u547d\u4ee4\u7684\u5730\u65b9\uff0c\u4f8b\u5982\uff0c\u67e5\u770b\u5f53\u524d\u76ee\u5f55\u4e0b\u6709\u54ea\u4e9b\u6587\u4ef6\uff0c\u53c8\u6216\u8005\u8bf7\u6c42\u67d0\u4e2aIP\u6216\u8005\u57df\u540d\u67e5\u770b\u662f\u5426\u80fd\u591f\u8bbf\u95ee\u3002<\/p>\n\n\n\n
\u5982\u4e0b\u4ee3\u7801\uff0c\u5c31\u662f\u67e5\u8be2\u547d\u4ee4\uff0c\u7531\u7528\u6237\u8f93\u5165\u7684\u53c2\u6570filepath\u62fc\u63a5\u67e5\u8be2\uff0c\u4f46\u662f\u6ca1\u6709\u8fdb\u884c\u4efb\u4f55\u8fc7\u6ee4\uff0c\u8fd9\u4f1a\u5bfc\u81f4\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7;\u7b49\u65b9\u5f0f\u62fc\u63a5\u547d\u4ee4\uff0c\u4ece\u800c\u5b9e\u73b0\u4efb\u610f\u547d\u4ee4\u6267\u884c\uff0c\u5728\u53ef\u901a\u7f51\u7684\u60c5\u51b5\u4e0b\uff0c\u8fd8\u80fd\u591f\u901a\u8fc7nc\u53cd\u5f39shell\u81f3VPS\u4e2d<\/p>\n\n\n\n
 @GetMapping(\"\/codeinject\")\n    public String codeInject(String filepath) throws IOException {\n\n        String[] cmdList = new String[]{\"sh\", \"-c\", \"ls -la \" + filepath};\n        ProcessBuilder builder = new ProcessBuilder(cmdList);   \/\/\u6267\u884c\u547d\u4ee4\n        builder.redirectErrorStream(true);\n        Process process = builder.start();\n        return WebUtils.convertStreamToString(process.getInputStream());\n    }<\/code><\/pre>\n\n\n\n
\u53c8\u6bd4\u5982\u8fd9\u4e2a\u4ee3\u7801\uff1a<\/p>\n\n\n\n
\u4ece\u7528\u6237\u53d1\u8d77\u7684\u6570\u636e\u5305\u4e2d\u62fc\u63a5\u4e86host\uff0c\u800c\u8fd9\u4e2ahost\u662f\u53ef\u4ee5\u88ab\u7528\u6237\u6539\u52a8\u7684\uff0c\u800c\u4ee3\u7801\u5e76\u6ca1\u6709\u8fdb\u884c\u4efb\u4f55\u76f8\u5173\u8fc7\u6ee4\uff0c\u4ece\u800c\u51fa\u73b0\u4e86\u547d\u4ee4\u6ce8\u5165<\/p>\n\n\n\n
@GetMapping(\"\/codeinject\/host\")\n    public String codeInjectHost(HttpServletRequest request) throws IOException {\n\n        String host = request.getHeader(\"host\");        \/\/\u4ece\u8bf7\u6c42\u5934\u4e2dgethost\n        logger.info(host);\n        String[] cmdList = new String[]{\"sh\", \"-c\", \"curl \" + host};\n        ProcessBuilder builder = new ProcessBuilder(cmdList);\n        builder.redirectErrorStream(true);\n        Process process = builder.start();\n        return WebUtils.convertStreamToString(process.getInputStream());\n    }<\/code><\/pre>\n\n\n\n
\u4fee\u590d\u8fd9\u4e2a\u95ee\u9898\u7684\u6700\u597d\u529e\u6cd5\u5c31\u662f\u6dfb\u52a0\u8fc7\u6ee4\uff1a<\/p>\n\n\n\n
\u4e0b\u9762\u4ee3\u7801\u901a\u8fc7\u5224\u65ad\u7528\u6237\u8f93\u5165\u7684\u5185\u5bb9\u4e2d\u662f\u5426\u5c5e\u4e8e\u6b63\u5219\u5339\u914d\u7684[a-zA-Z0-9_\/\\\\.-]+$],\u5982\u679c\u4e0d\u662f\uff0c\u5219\u8bbe\u7f6e\u4e3a\u7a7a\uff0c\u7136\u540e\u5224\u65adfilterFilePath\u662f\u5426\u4e3a\u7a7a\uff0c\u4e3a\u7a7a\u5219\u4e0d\u6267\u884c\u547d\u4ee4\uff0c\u8fd9\u4f1a\u4f7f\u5f97\u547d\u4ee4\u6267\u884c\u4ec5\u4ec5\u9650\u5236\u5728\u8fd9\u4e2a\u547d\u4ee4\u4e4b\u4e2d\uff0c\u800c\u65e0\u6cd5\u6ce8\u5165\u5176\u4ed6\u7684\u547d\u4ee4\u3002\uff08\u5b9e\u9645\u7684\u4ee3\u7801\u5ba1\u8ba1\u4e2d\u5e94\u8be5\u8003\u8651\u7684\u662f\u7ed5\u8fc7\u90e8\u5206\u662f\u5426\u8db3\u591f\u4e25\u683c\uff0c\u5e38\u89c4\u6765\u8bf4\u5f88\u96be\u51fa\u73b0\u65e0\u8fc7\u6ee4\u60c5\u51b5\uff09<\/p>\n\n\n\n
private static final Pattern FILTER_PATTERN = Pattern.compile(\"^[a-zA-Z0-9_\/\\\\.-]+$\");\n\npublic static String cmdFilter(String input) {\n        if (!FILTER_PATTERN.matcher(input).matches()) {\n            return null;\n        }\n\n        return input;\n    }\n\n\n@GetMapping(\"\/codeinject\/sec\")\n    public String codeInjectSec(String filepath) throws IOException {\n        String filterFilePath = SecurityUtil.cmdFilter(filepath);   \/\/\u8fc7\u6ee4SecurityUtil.cmdFilter\n        if (null == filterFilePath) {\n            return \"Bad boy. I got u.\";\n        }\n        String[] cmdList = new String[]{\"sh\", \"-c\", \"ls -la \" + filterFilePath};\n        ProcessBuilder builder = new ProcessBuilder(cmdList);\n        builder.redirectErrorStream(true);\n        Process process = builder.start();\n        return WebUtils.convertStreamToString(process.getInputStream());\n    }<\/code><\/pre>\n\n\n\n
\u5feb\u901f\u5b9a\u4f4d\uff1a<\/p>\n\n\n\n
Runtime.exec()\u3001ProcessBuilde\u3001getParameter()\u3001getHeader()<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
\u6587\u4ef6\u4e0a\u4f20 \u6587\u4ef6\u4e0a\u4f20\u65e0\u975e\u5c31\u662f5\u4e2a\u62e6\u622a\u70b9\uff1a 1\u3001\u4e0a\u4f20\u6210\u529f\u662f\u5426\u91cd\u547d\u540d\u6587\u4ef6 2\u3001MIME\u662f\u5426\u68c0\u6d4b 3\u3001\u662f\u5426\u8bfb\u53d6\u6587\u4ef6\u5185\u5bb9 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-735","post","type-post","status-publish","format-standard","hentry","category-stcsdmsj"],"_links":{"self":[{"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/posts\/735","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/comments?post=735"}],"version-history":[{"count":32,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/posts\/735\/revisions"}],"predecessor-version":[{"id":1143,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/posts\/735\/revisions\/1143"}],"wp:attachment":[{"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/media?parent=735"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/categories?post=735"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/tags?post=735"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}