Java EE Code Audit Example and Vulnerability Fix

1. Source code download

双鱼林SSM图书管理系统 (Shuangyulin SSM Library Management System) v1.0

2. Vulnerability details

This may be a problem with my local Eclipse, but after importing the downloaded source I found that it was not a Dynamic Web Project, so I created a new web project and copied the downloaded source and jar files into it directly. The directory structure is shown below:

[screenshot: project directory structure]

In the BookController class there are two methods that handle a file upload:

@RequestMapping(value = "/add", method = RequestMethod.POST)
@RequestMapping(value = "/{barcode}/update", method = RequestMethod.POST)

[screenshot: the two upload handlers in BookController]

Following the actual upload method, handlePhotoFileUpload:

[screenshot: handlePhotoFileUpload]

The method takes the file sent in the photoBookFile form field, renames it using a UUID and saves it, but does no filtering of the file type at all: the extension supplied by the client is kept as-is. Uploading a file with a .jsp extension is therefore enough to obtain a webshell.

[screenshot: uploaded jsp file executed as a webshell]

3. Vulnerability fix

Add an interceptor in spring-mvc.xml. Only the two upload paths are mapped, so if another upload endpoint is ever added it must be listed here too, otherwise it is not covered by the check:

    <mvc:interceptors>
        <mvc:interceptor>
            <mvc:mapping path="/Book/*/update" />
            <mvc:mapping path="/Book/add" />
            <bean class="com.zhutougg.interceptor.FileUploadInterceptor" />
        </mvc:interceptor>
    </mvc:interceptors>

Then create a com.zhutougg.interceptor.FileUploadInterceptor class implementing HandlerInterceptor. It inspects the original name of every uploaded file before the controller runs and rejects the request unless the extension is on an allow-list. (Three defects in the first version of this class have been fixed here: the allow-list was a comma-separated String tested with String.contains(), which is a substring match and also accepts an empty suffix; only the first file in the request was checked before returning true; and getFileMap() only returns the first file for each field name.)

package com.zhutougg.interceptor;

import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.multipart.MultipartFile;
import org.springframework.web.multipart.MultipartHttpServletRequest;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

public class FileUploadInterceptor implements HandlerInterceptor {

    // Exact-match allow-list of permitted extensions (lower case).
    private static final Set<String> ALLOWED_SUFFIXES = new HashSet<String>(
            Arrays.asList("xls", "xlsx", "jpg", "gif", "png", "ico", "bmp", "jpeg"));

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response,
            Object handler, Exception ex) throws Exception {
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response,
            Object handler, ModelAndView modelAndView) throws Exception {
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
            Object handler) throws Exception {
        // The DispatcherServlet resolves multipart requests before interceptors run,
        // so a file upload arrives here already wrapped as a MultipartHttpServletRequest.
        if (!(request instanceof MultipartHttpServletRequest)) {
            return true; // not an upload, nothing to check
        }
        MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request;
        // getMultiFileMap() returns every file of every field, not just the first per field.
        Map<String, List<MultipartFile>> files = multipartRequest.getMultiFileMap();
        for (List<MultipartFile> fileList : files.values()) {
            for (MultipartFile multipartFile : fileList) {
                String filename = multipartFile.getOriginalFilename();
                // A file input left blank still sends an empty part with an empty name; allow it.
                if (multipartFile.isEmpty() && (filename == null || filename.length() == 0)) {
                    continue;
                }
                // Reject the whole request as soon as any one file fails the check.
                if (!checkFile(filename)) {
                    response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
                    response.getWriter().print("file name error");
                    return false;
                }
            }
        }
        return true;
    }

    private boolean checkFile(String filename) {
        if (filename == null) {
            return false;
        }
        // Some browsers send a full client-side path; keep only the last component.
        String name = filename.substring(
                Math.max(filename.lastIndexOf('/'), filename.lastIndexOf('\\')) + 1);
        int dot = name.lastIndexOf('.');
        // No extension, or a trailing dot such as "shell.jsp.", gives no usable suffix: reject.
        if (dot < 0 || dot == name.length() - 1) {
            return false;
        }
        // Get the file suffix and compare it exactly against the allow-list.
        String suffix = name.substring(dot + 1).trim().toLowerCase();
        return ALLOWED_SUFFIXES.contains(suffix);
    }
}
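The interceptor screens only the client-supplied name, and only on the two mapped paths. For defence in depth, the save routine itself (handlePhotoFileUpload in this project) should derive the stored extension from the allow-list rather than from the original name, and should look at the content as well. The helper below is an added example written for this post, not code from the project or from the original article; the class SafeUploadName, its package, and the constructed inputs in main are assumptions, and the magic numbers are the standard leading bytes of each permitted format.

```java
package com.zhutougg.upload;

import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

/**
 * Hypothetical helper (not part of the original project) that a save routine
 * such as handlePhotoFileUpload could call to decide the on-disk file name.
 */
public final class SafeUploadName {

    private static final Set<String> ALLOWED = new HashSet<String>(
            Arrays.asList("jpg", "jpeg", "png", "gif", "bmp", "ico", "xls", "xlsx"));

    // Leading bytes ("magic numbers") of each allowed format.
    private static final Map<String, byte[]> MAGIC = new HashMap<String, byte[]>();
    static {
        MAGIC.put("jpg",  new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});
        MAGIC.put("jpeg", MAGIC.get("jpg"));
        MAGIC.put("png",  new byte[] {(byte) 0x89, 'P', 'N', 'G'});
        MAGIC.put("gif",  new byte[] {'G', 'I', 'F', '8'});
        MAGIC.put("bmp",  new byte[] {'B', 'M'});
        MAGIC.put("ico",  new byte[] {0x00, 0x00, 0x01, 0x00});
        MAGIC.put("xls",  new byte[] {(byte) 0xD0, (byte) 0xCF, 0x11, (byte) 0xE0}); // OLE2 compound file
        MAGIC.put("xlsx", new byte[] {'P', 'K', 0x03, 0x04});                        // ZIP container
    }

    private SafeUploadName() {}

    /** Returns the normalised extension if it is on the allow-list, otherwise null. */
    public static String allowedExtension(String originalFilename) {
        if (originalFilename == null) return null;
        // Drop any client-side path such as "C:\fakepath\shell.jsp".
        String name = originalFilename.substring(
                Math.max(originalFilename.lastIndexOf('/'), originalFilename.lastIndexOf('\\')) + 1);
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) return null;   // "shell" or "shell.jsp."
        String ext = name.substring(dot + 1).trim().toLowerCase();
        return ALLOWED.contains(ext) ? ext : null;              // exact match, not substring
    }

    /** True if the first bytes of the content match the declared extension. */
    public static boolean contentMatches(String ext, byte[] head) {
        byte[] magic = MAGIC.get(ext);
        if (magic == null || head == null || head.length < magic.length) return false;
        for (int i = 0; i < magic.length; i++) {
            if (head[i] != magic[i]) return false;
        }
        return true;
    }

    /**
     * Builds the name to store on disk: a random UUID plus an allow-listed extension.
     * Returns null, meaning the caller must reject the upload, if the name or content is unacceptable.
     */
    public static String storedName(String originalFilename, byte[] head) {
        String ext = allowedExtension(originalFilename);
        if (ext == null || !contentMatches(ext, head)) return null;
        return UUID.randomUUID().toString() + "." + ext;
    }

    // Constructed demo inputs; run with: java com.zhutougg.upload.SafeUploadName
    public static void main(String[] args) {
        byte[] jpegHead = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF, (byte) 0xE0};
        byte[] jspHead  = "<%@ page %>".getBytes();
        System.out.println(storedName("cover.jpg", jpegHead));               // <uuid>.jpg
        System.out.println(storedName("shell.jsp", jspHead));                // null
        System.out.println(storedName("shell.jsp.", jspHead));               // null (empty suffix)
        System.out.println(storedName("shell.l", jspHead));                  // null ("l" is a substring of "xls")
        System.out.println(storedName("shell.jpg", jspHead));                // null (name ok, content is not JPEG)
        System.out.println(storedName("C:\\fakepath\\cover.png", jpegHead)); // null (PNG name, JPEG bytes)
    }
}
```

In the controller, head would be the first few bytes read from multipartFile.getInputStream(), and a null return from storedName means the upload is refused. The magic check does not make the upload directory safe on its own: a valid JPEG with JSP source appended still passes it, so the directory must also be served without JSP execution (stored outside the web root, or streamed back by a servlet that only copies bytes).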

Restart the server and upload the jsp file again:

[screenshot: result of re-uploading the jsp file after the fix]

Finally

Everyone is welcome to join my 小密圈 (Xiaomiquan) group so we can exchange ideas and improve together.

zhutougg