java代码审计关键字讲解

fastjson反序列化

1
2
3
json.parseObject
JSONObject.parseObject
@RequestBody

其他反序列化

1
2
3
4
5
6
7
8
9
10
11
request.getinputstream
ObjectInputStream
.readObject()
deserialize
Serialize
@RequestBody
ObjectInputStream.readUnshared
XMLDecoder.readObject
Yaml.load
XStream.fromXML
ObjectMapper.readValue

文件上传

1
2
3
4
/upload
/file
/save
/add

命令执行

1
2
3
4
Runtime.getRuntime().exec
case shell
ShellProcessor
processor

SQL注入

1
2
3
4
5
6
order by
= '"+
query(queryList)
like "%
.call
${

文件下载

1
2
3
4
/down
/file
/export
/file

越权(信息泄露)

直接看业务逻辑,看有无对登陆/权限的校验

目录遍历/ssrf

1
2
3
"url"
filepath
fileurlpath

文件包含(jsp文件)

1
include

XXE

1
2
parseX
parseT

引用的接口:

1
2
3
4
5
6
7
8
9
10
11
12
13
javax.xml.parsers.DocumentBuilder
javax.xml.stream.XMLInputFactoryr
org.jdom.input.SAXBuilder
org.jdom2.input.SAXBuilder
javax.xml.parsers.SAXParser
org.dom4j.io.SAXReader 
org.xml.sax.XMLReader
javax.xml.transform.sax.SAXSource 
javax.xml.transform.TransformerFactory 
javax.xml.transform.sax.SAXTransformerFactory 
javax.xml.validation.SchemaFactory
javax.xml.bind.Unmarshaller
javax.xml.xpath.XPathExpression

修复写法:

javax.xml.parsers.DocumentBuilder

1
2
3
4
5
6
7
8
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setAttribute("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setAttribute("http://xml.org/sax/features/external-general-entities", false);
dbf.setAttribute("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setAttribute("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
dbf.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true);
dbf.setExpandEntityReferences(false);
DocumentBuilder db = dbf.newDocumentBuilder();

javax.xml.stream.XMLInputFactory

1
2
3
4
5
6
7
8
9
10
XMLInputFactory xif = XMLInputFactory.newInstance();
xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
xif.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
XMLStreamReader reader = xif.createXMLStreamReader(new FileInputStream(new File(path)));
org.jdom.input.SAXBuilder
SAXBuilder saxBuilder = new SAXBuilder();
saxBuilder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
saxBuilder.setFeature("http://xml.org/sax/features/external-general-entities", false);
saxBuilder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
org.jdom2.Document build = saxBuilder.build(new File(path));

javax.xml.parsers.SAXParser

1
2
3
4
5
6
SAXParserFactory spf =SAXParserFactory.newInstance();
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
SAXParser parser =spf.newSAXParser();
MyDefaultHandler myHandler = new MyDefaultHandler();

org.xml.sax.XMLReader

1
2
3
4
5
6
FileReader  fileReader = new FileReader(path);
XMLReader parser = XMLReaderFactory.createXMLReader();
parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
parser.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

xml反序列化写法

1
2
3
4
5
6
7
8
9
10
11
12
public void XMLDecoder(String path) {
try {
File file = new File(path);
FileInputStream fis = new FileInputStream(file);
BufferedInputStream bis = new BufferedInputStream(fis);
XMLDecoder xd = new XMLDecoder(bis);
xd.readObject();
xd.close();
} catch (FileNotFoundException e) {
e.printStackTrace();
}
}

业务逻辑漏洞

走if的时候根据判断status是否等于true来进行流程,比如status/resultCode==0时允许进行下一步
示例:

1
2
3
4
// 0:成功 1:失败
        if ("0".equals(resultCode)) {

}

密码硬编码

1
password

springmvc业务逻辑

1
*Controller.java

tapestry框架业务逻辑

1
extends BusiPage

实现

1
implemtns

CORS

1
CrossOrigin

配置文件

1
.application

接口

1
interface
代码审计
java审计 审计思路

声明:
本文章用于学习交流,严禁用于非法操作,出现后果一切自行承担,阅读此文章表示你已同意本声明。

Disclaimer:
This article is for study and communication. It is strictly forbidden to use it for illegal operations. All consequences shall be borne by yourself. Reading this article means that you have agreed to this statement.