文章來源:https://xz.aliyun.com/t/1633
Recently I came across an earlier article on Xianzhi that summarizes Java code auditing quite well. I am recording its characteristic functions here for quick reference, and I will keep adding functions I come across during my own code audits (even though the author has thoughtfully provided a script).
1. XXE
Common classes that parse XML:
javax.xml.parsers.DocumentBuilder
javax.xml.stream.XMLStreamReader
org.jdom.input.SAXBuilder
org.jdom2.input.SAXBuilder
javax.xml.parsers.SAXParser
org.dom4j.io.SAXReader
org.xml.sax.XMLReader
javax.xml.transform.sax.SAXSource
javax.xml.transform.TransformerFactory
javax.xml.transform.sax.SAXTransformerFactory
javax.xml.validation.SchemaFactory
javax.xml.bind.Unmarshaller
javax.xml.xpath.XPathExpression
1) javax.xml.parsers.DocumentBuilder (native DOM parsing)
Example:
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
DocumentBuilder db = dbf.newDocumentBuilder();
InputStream is = new FileInputStream("test.xml");
Document doc = db.parse(is); // sink
Element rootElement = doc.getDocumentElement();
2) javax.xml.stream.XMLStreamReader (StAX pull parser; the StAX API also covers writing, via XMLStreamWriter)
Example:
XMLInputFactory factory = XMLInputFactory.newFactory();
InputStream stream = XMLInputFactory.class.getClassLoader().getResourceAsStream("webService/xml/users.xml");
XMLStreamReader reader = factory.createXMLStreamReader(stream); // sink
while (reader.hasNext()) { ... }
3) javax.xml.parsers.SAXParser / org.xml.sax.XMLReader (native SAX parsing)
Example:
SAXParserFactory factory = SAXParserFactory.newInstance();
SAXParser parser = factory.newSAXParser();
XMLReader reader = parser.getXMLReader(); // reader.setContentHandler(new MyContentHandler());
reader.parse(xmlPath); // sink (parser.parse(...) is the same sink one level up)
4) org.jdom.input.SAXBuilder / org.jdom2.input.SAXBuilder (JDOM parsing)
Example:
SAXBuilder sax = new SAXBuilder();
Document doc = sax.build("src/config.xml"); // sink
5) org.dom4j.io.SAXReader (dom4j parsing)
Example:
InputStream fis = new FileInputStream("G:\\eclipsewk\\SDK201702\\Test-Pack\\package\\work\\before\\AndroidManifest.xml");
Document document = new SAXReader().read(fis); // sink
6) javax.xml.validation.SchemaFactory (XML validation)
Example:
File xsdfile = new File("xml/orders.xsd");
File xmlfile = new File("xml/orders.xml");
ErrorHandler errorHandler = new DefaultHandler(); // org.xml.sax.helpers.DefaultHandler implements ErrorHandler
SchemaFactory schemafactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI); // "http://www.w3.org/2001/XMLSchema"
Schema schema = schemafactory.newSchema(xsdfile); // also a sink: the XSD itself is parsed and can import external resources
Validator validator = schema.newValidator();
validator.setErrorHandler(errorHandler);
validator.validate(new StreamSource(xmlfile)); // sink
7) javax.xml.bind.Unmarshaller (JAXB parsing, i.e. conversion between Java objects and XML)
Example:
JAXBContext jc = JAXBContext.newInstance(clazz);
Unmarshaller u = jc.createUnmarshaller();
u.unmarshal(new File(xmlstr)); // sink: unmarshal(File/InputStream/Reader) lets JAXB create its own, unhardened parser; pass a hardened XMLStreamReader or SAXSource instead
Fix (for the StAX XMLInputFactory above; the DOM and SAX factories have equivalent features, e.g. http://apache.org/xml/features/disallow-doctype-decl):
- xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
- xif.setProperty(XMLInputFactory.SUPPORT_DTD, false); // false, not true: with DTDs enabled the parser still processes the entity declarations
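As an added example (not code from the original article or from the JavaID script), here is how the factories listed above are hardened, with a constructed XXE probe document fed to the DOM and StAX parsers to show that they reject it. The feature and attribute names are the standard JAXP/Xerces ones; the class name SafeXmlParsers and its method names are mine.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.TransformerFactory;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXParseException;

public class SafeXmlParsers {

    // Constructed XXE probe: a DOCTYPE declares an external entity and the body expands it.
    static final String XXE_PROBE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE r [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
      + "<r>&xxe;</r>";

    /** DOM: refusing any DOCTYPE blocks external entities and entity-expansion DoS in one go. */
    public static DocumentBuilder safeDocumentBuilder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for implementations that do not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** SAX (also what JDOM's SAXBuilder and dom4j's SAXReader sit on): the same features apply. */
    public static SAXParserFactory safeSaxFactory() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setXIncludeAware(false);
        return spf;
    }

    /** StAX: SUPPORT_DTD must be false; with DTDs enabled the entity declaration is still processed. */
    public static XMLInputFactory safeStaxFactory() {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return xif;
    }

    /** Transformer and Schema factories: JAXP 1.5 access-control attributes (Java 7u40+ / 8+). */
    public static TransformerFactory safeTransformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");        // "" = no protocol allowed
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    public static SchemaFactory safeSchemaFactory() throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return sf;
    }

    public static void main(String[] args) throws Exception {
        byte[] probe = XXE_PROBE.getBytes(StandardCharsets.UTF_8);

        try {
            safeDocumentBuilder().parse(new ByteArrayInputStream(probe));
            System.out.println("DOM: parsed the probe, factory is NOT hardened");
        } catch (SAXParseException e) {
            System.out.println("DOM: rejected -> " + e.getMessage()); // DOCTYPE is disallowed ...
        }

        try {
            XMLStreamReader r = safeStaxFactory().createXMLStreamReader(new ByteArrayInputStream(probe));
            while (r.hasNext()) r.next();
            System.out.println("StAX: parsed the probe, factory is NOT hardened");
        } catch (XMLStreamException e) {
            System.out.println("StAX: rejected -> " + e.getMessage()); // entity "xxe" referenced but not declared
        }
    }
}
```

Run main to see the DOM parser throw a SAXParseException on the DOCTYPE and the StAX reader fail on the undeclared entity. For JAXB, build the XMLStreamReader from safeStaxFactory() and call u.unmarshal(reader) instead of unmarshal(File); for XPath, parse with safeDocumentBuilder() and evaluate against the resulting Document.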
8) javax.xml.xpath.XPathExpression (XPath queries)
DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
DocumentBuilder builder = df.newDocumentBuilder();
Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes())); // the XXE sink is this parse, not the XPath call
XPathExpression expr = XPathFactory.newInstance().newXPath().compile(xpathQuery); // XPathExpression is an interface, obtained via XPath.compile; a user-controlled xpathQuery is XPath injection, a separate issue
String result = expr.evaluate(doc);
Note that javax.xml.xpath.XPathExpression, like Unmarshaller, cannot be configured securely on its own; untrusted data must therefore be parsed first by a securely configured XML parser. The dangerous form is evaluate(InputSource), where XPath builds its own, unhardened parser.
9) javax.xml.transform.sax.SAXSource / javax.xml.transform.TransformerFactory / javax.xml.transform.sax.SAXTransformerFactory (generating and transforming XML; the sink is Transformer.transform(Source, Result), and a Source built from untrusted XML is an XXE risk, while an untrusted XSLT stylesheet additionally hands the attacker control of the transformation)
10) Apache Commons Configuration reading XML configuration
XMLConfiguration.load
Searching for these one by one during an audit is tedious; before using a script, start with a global search for DocumentBuilder, sax, Unmarshaller, XPath, XMLInputFactory and similar strings.
2. Deserialization vulnerabilities
Deserialization typically shows up when importing template files, in network communication and data transfer, in log formatting and storage, and when objects are persisted to disk or a database. During an audit, focus on the deserialization entry points below and check whether their input is attacker-controlled:
1) ObjectInputStream.readObject // the most common deserialization sink: turns a byte stream back into an object
2) ObjectInputStream.readUnshared // rarely used; differs slightly from readObject
readUnshared() reads an object but does not allow later readObject/readUnshared calls to obtain a back-reference to the object it returned, whereas an object read by readObject can be referenced again. From a gadget-chain point of view it is the same sink.
3) XMLDecoder.readObject // reads XML and turns it into objects. I tried XXE through it and it did not work, but this XML deserialization does not need the elaborate construction other deserialization bugs do; the POC below executes a command directly.
<java>
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="1" >
<void index="0">
<string>c:\\windows\\system32\\calc.exe</string>
</void>
</array>
<void method="start"/>
</object>
</java>
4) XStream.fromXML // XStream converts between Java objects and XML; XStream.toXML goes the other way (object to XML)
String payload = "<map><entry><jdk.nashorn.internal.objects.NativeString> <flags>0</flags> <value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\"> <dataHandler> <dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\"> <is class=\"javax.crypto.CipherInputStream\"> <cipher class=\"javax.crypto.NullCipher\"> <initialized>false</initialized> <opmode>0</opmode> <serviceIterator class=\"javax.imageio.spi.FilterIterator\"> <iter class=\"javax.imageio.spi.FilterIterator\"> <iter class=\"java.util.Collections$EmptyIterator\"/> <next class=\"java.lang.ProcessBuilder\"> <command><string>calc</string> </command> <redirectErrorStream>false</redirectErrorStream> </next> </iter> <filter class=\"javax.imageio.ImageIO$ContainsFilter\"> <method> <class>java.lang.ProcessBuilder</class> <name>start</name> <parameter-types/> </method> <name>foo</name> </filter> <next class=\"string\">foo</next> </serviceIterator> <lock/> </cipher> <input class=\"java.lang.ProcessBuilder$NullInputStream\"/> <ibuffer></ibuffer> <done>false</done> <ostart>0</ostart> <ofinish>0</ofinish> <closed>false</closed> </is> <consumed>false</consumed> </dataSource> <transferFlavors/> </dataHandler> <dataLen>0</dataLen> </value> </jdk.nashorn.internal.objects.NativeString> <jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/> </entry> <entry> <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/> <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/></entry></map>";
5) APIs in third-party jars whose historical versions have deserialization vulnerabilities
ObjectMapper.readValue // Jackson (dangerous when default typing / polymorphic type handling is enabled)
JSON.parseObject // fastjson (autoType)
6) Yaml.load // SnakeYAML; instantiates arbitrary classes via !!tags unless the Yaml is built with a SafeConstructor
When auditing, search for the key APIs readObject, readUnshared, fromXML, readValue, parseObject and load.
3. SSRF (server-side request forgery)
HttpClient.execute
HttpClient.executeMethod
HttpURLConnection / URLConnection
new HttpGet(url)
OkHttpClient()
URL: URL url = new URL(urlString); // java.net.URL has no no-arg constructor; the string is the tainted input
1) url.openStream() 2) ImageIO.read(url)
Other HTTP client wrappers used by the project count as well.
When auditing, search for new URL, HttpClient, HttpURLConnection. Remember that java.net.URL also accepts file:, jar: and ftp: by default, so the scheme must be checked as well as the host.
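Added example (not from the article): a URL validator to call before any of the sinks above, exercised with a few constructed probe URLs. ALLOWED_HOSTS is an assumed per-application allowlist and the class name is mine; the DNS step needs name resolution and fails closed (reports BLOCK) when offline.

```java
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URI;
import java.net.URL;
import java.util.Set;

public class SsrfGuard {

    // Destinations this service is allowed to reach (assumed allowlist; adapt per application).
    static final Set<String> ALLOWED_HOSTS = Set.of("example.com", "www.example.com");

    /** Validate an attacker-supplied URL before openConnection()/openStream()/ImageIO.read(). */
    public static URL validate(String raw) throws Exception {
        URI uri = new URI(raw); // strict RFC 3986 parse: spaces, stray brackets etc. are rejected here
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalArgumentException("scheme not allowed: " + scheme); // blocks file:, jar:, ftp:, gopher:
        }
        if (uri.getUserInfo() != null) {
            throw new IllegalArgumentException("userinfo not allowed"); // http://example.com@evil/ tricks
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            throw new IllegalArgumentException("host not allowed: " + host);
        }
        // Even an allowlisted name can resolve to an internal address (misconfigured or hijacked DNS).
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            if (addr.isLoopbackAddress() || addr.isSiteLocalAddress() || addr.isLinkLocalAddress()
                    || addr.isAnyLocalAddress() || addr.isMulticastAddress()) {
                throw new IllegalArgumentException("host resolves to internal address: " + addr);
            }
        }
        return uri.toURL();
    }

    /** Open the connection without following redirects, so the target cannot bounce us to 169.254.169.254. */
    public static HttpURLConnection open(String raw) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) validate(raw).openConnection();
        conn.setInstanceFollowRedirects(false);
        conn.setConnectTimeout(3000);
        conn.setReadTimeout(5000);
        return conn;
    }

    public static void main(String[] args) {
        // Constructed probes: one legitimate URL and four SSRF attempts.
        String[] probes = {
            "https://example.com/api",
            "file:///etc/passwd",
            "http://127.0.0.1:8080/admin",
            "http://example.com@169.254.169.254/latest/meta-data/",
            "http://evil.example.net/",
        };
        for (String p : probes) {
            try {
                validate(p);
                System.out.println("ALLOW  " + p);
            } catch (Exception e) {
                System.out.println("BLOCK  " + p + "  (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two caveats. The address checked in validate() is not necessarily the one the HTTP client connects to a moment later (DNS rebinding), so for high-value cases connect to the resolved IP yourself or route egress through a proxy that enforces the policy. And with redirects disabled the caller has to handle 3xx responses itself; leaving them enabled lets the first hop bounce the request to an internal address that never went through validate().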
4. File upload
When auditing, search for MultipartFile.
5. Autobinding // parameter auto-binding, better known as mass assignment; binding a JSON request body straight onto a domain object is a variant of the same problem
When auditing, search for @SessionAttributes and @ModelAttribute (Spring MVC).
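Added example (Spring MVC, not the article's code): a registration handler that binds the request straight onto a User with a privileged admin field, and the same handler with an @InitBinder allowlist. The User class, both controllers and the /register route are invented for illustration.

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

public class AutobindingExample {

    /** Domain object: 'admin' is meant to be set by the application only, never by the request. */
    public static class User {
        private String username;
        private String email;
        private boolean admin;
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
    }

    /** Vulnerable: every request parameter with a matching setter is bound, including admin=true. */
    @Controller
    public static class UnsafeController {
        @PostMapping("/register")
        public String register(@ModelAttribute User user) { // sink: mass assignment
            // userService.save(user);  -- would persist whatever the client sent, admin flag included
            return "ok";
        }
    }

    /** Hardened: bind through an allowlist of fields (or use a dedicated form DTO without admin). */
    @Controller
    public static class SafeController {
        @InitBinder("user")
        public void restrictBinding(WebDataBinder binder) {
            binder.setAllowedFields("username", "email");
            // setDisallowedFields("admin") also works, but a denylist silently breaks when the next
            // sensitive field is added to User; an allowlist fails closed.
        }

        @PostMapping("/register")
        public String register(@ModelAttribute("user") User user) {
            return "ok";
        }
    }
}
```

POST username=bob&email=bob@example.com&admin=true to the first controller and the bound user is an admin; to the second, the admin parameter is ignored. The structurally cleaner fix is a separate form DTO that simply has no admin property, copied onto the entity by the service layer.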
6. URL redirect vulnerabilities
1. response.sendRedirect(url) // redirect
2. response.setHeader("Location", "http://www.baidu.com"); // also a redirect, together with a 3xx status
3. request.getRequestDispatcher("/success.html").forward(request, response); // server-side forward: not an open redirect, but a user-controlled path can expose internal resources such as /WEB-INF/
7. Command execution
1) Runtime.exec // Runtime.getRuntime().exec(command)
2) ProcessBuilder.start // new ProcessBuilder(cmdArray).start(); the newer API usually used instead of Runtime.exec (both return a Process)
3) GroovyShell.evaluate // runs Groovy source from Java; any string that reaches it is code
GroovyShell shell = new GroovyShell();
// sink: the script text is compiled and executed, here a Runtime.exec of a caller-supplied command
shell.evaluate("Runtime.getRuntime().exec(\"" + command + "\")");
Similar sinks: GroovyClassLoader, ScriptEngine (javax.script, e.g. Nashorn) and Groovy's String.execute().
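Added example, not from the article: the difference between gluing user input into a shell command line and passing an argument vector with a validated argument. The ping wrapper, the HOST pattern and the class name are assumptions for illustration; the injection string is constructed. Requires /bin/sh and ping, i.e. a Unix-like host.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;

public class CommandExecAudit {

    /** Vulnerable: the user value is glued into a shell command line, so "127.0.0.1; id" also runs id. */
    static String pingUnsafe(String host) throws IOException, InterruptedException {
        // sink: attacker-controlled text becomes part of a command line that a shell interprets
        Process p = Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", "ping -c 1 " + host});
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        p.waitFor();
        return out;
    }

    // Assumed policy: only a hostname or IPv4 literal, and never one starting with '-' (would be parsed as an option).
    static final Pattern HOST = Pattern.compile("^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$");

    /** Hardened: fixed program, argument vector (no shell), strict allowlist on the one variable part. */
    static String pingSafe(String host) throws IOException, InterruptedException {
        if (!HOST.matcher(host).matches()) {
            throw new IllegalArgumentException("invalid host: " + host);
        }
        ProcessBuilder pb = new ProcessBuilder(List.of("ping", "-c", "1", host));
        pb.redirectErrorStream(true);
        Process p = pb.start(); // still a sink, but argv is fully under our control
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        p.waitFor();
        return out;
    }

    public static void main(String[] args) throws Exception {
        String injected = "127.0.0.1; id"; // constructed injection attempt
        System.out.println("unsafe:\n" + pingUnsafe(injected)); // ping output followed by uid=... from id
        try {
            pingSafe(injected);
        } catch (IllegalArgumentException e) {
            System.out.println("safe: " + e.getMessage());
        }
    }
}
```

Note that Runtime.exec(String) is not a shell either: it splits the string on whitespace with a StringTokenizer, so "ping 127.0.0.1; id" becomes the argv ["ping", "127.0.0.1;", "id"] and the semicolon is never interpreted. That blocks command chaining but not argument injection (an extra option such as -c 100000, or a flag that makes the program write a file), which is why the allowlist on the variable part is the real control.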
8. File-operation bugs such as arbitrary file read or delete
1) The most common one: the JDK's original java.io.FileInputStream (and FileOutputStream / File.delete for write and delete)
2) java.nio.file.Files, added in JDK 1.7 (NIO.2). Common methods: Files.readAllBytes, Files.readAllLines, Files.newInputStream, Files.delete
3) The JDK's original java.io.RandomAccessFile
4) org.apache.commons.io.FileUtils from Apache Commons IO
5) java.nio.channels.AsynchronousFileChannel, added in JDK 1.7 for non-blocking asynchronous file I/O
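Added example, not from the article: a containment check to put in front of the file sinks above, run over a constructed set of names. BASE is an assumed upload directory and the class name is mine; the check uses Path.startsWith (component-wise), because a String.startsWith check would accept /var/app/uploads2/... as inside /var/app/uploads.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeFileRead {

    // Assumed application base directory for user-served files.
    static final Path BASE = Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    /** Vulnerable: "../../etc/passwd" walks out of BASE. */
    static byte[] readUnsafe(String name) throws IOException {
        return Files.readAllBytes(Paths.get("/var/app/uploads", name)); // sink
    }

    /** Hardened: resolve, normalize, check containment, then re-check after following symlinks. */
    static Path resolveInside(String name) throws IOException {
        if (name == null || name.isEmpty() || name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("bad name");
        }
        Path candidate = BASE.resolve(name).normalize(); // an absolute name replaces BASE entirely here
        if (!candidate.startsWith(BASE)) {               // catches ../ sequences and absolute paths
            throw new IllegalArgumentException("path escapes base: " + name);
        }
        // If the file exists, follow links and check again: a symlink inside BASE may point outside it.
        if (Files.exists(candidate)) {
            Path real = candidate.toRealPath();
            if (!real.startsWith(BASE.toRealPath())) {
                throw new IllegalArgumentException("symlink escapes base: " + name);
            }
            return real;
        }
        return candidate;
    }

    static byte[] readSafe(String name) throws IOException {
        return Files.readAllBytes(resolveInside(name));
    }

    public static void main(String[] args) throws IOException {
        // Constructed names: one normal, one traversal, one harmless ../ inside BASE, one absolute.
        String[] names = {"report.pdf", "../../../etc/passwd", "sub/../x.txt", "/etc/passwd"};
        for (String n : names) {
            try {
                System.out.println("OK    " + n + " -> " + resolveInside(n));
            } catch (IllegalArgumentException e) {
                System.out.println("DENY  " + n + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The same resolveInside() guards RandomAccessFile, FileUtils and AsynchronousFileChannel.open: pass it the resolved Path rather than the raw name. For deletes and writes, also confirm the resolved path is a regular file (Files.isRegularFile) so a name pointing at a directory or device cannot be used.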
9. JSON injection (related to parameter auto-binding)
1) json-lib: JSONObject, JSONArray
2) Jackson: JsonGenerator, Object(Mapper|Reader|Codec|Writer), TreeCodec, JsonParser
JsonGenerator.writeObject and the write(NumberField|Raw|RawUTF8String|RawValue|String|UTF8String) family
ObjectMapper.writeValue(), ObjectMapper.writeTree() and similar
3) Gson
Gson.toJson(), Gson.fromJson(), JsonWriter.name()|value(), JsonReader, JsonStreamParser, JsonParser.parse
4) javax.json
JsonWriter.write(Array|Object), JsonParserFactory.createParser(), JsonGenerator
5) fastjson
10. LDAP injection
During an audit you can search for the string "ldap" to locate these roughly.
Common sinks:
javax.naming.directory
DirContext.search
org.springframework.ldap
LdapTemplate.search
LdapOperations.search
netscape.ldap
LDAPAsynchronousConnection|LDAPv2.search
LDAPGetEntries.getEntries
LDAPGetProperty.getProperty
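Added example, not from the article: RFC 4515 escaping for a value interpolated into a search filter, exercised with a constructed injection string. The filter shape, the group DN and the class name are assumed.

```java
public class LdapEscape {

    /** RFC 4515 filter-value escaping: these are the only characters with meaning inside a filter value. */
    public static String escapeFilter(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable filter: "admin)(|(uid=*" turns the membership check into a tautology. */
    public static String unsafeFilter(String uid) {
        return "(&(uid=" + uid + ")(memberOf=cn=staff,ou=groups,dc=example,dc=com))"; // feeds DirContext.search
    }

    /** Same filter with the value escaped: the injected parentheses and '*' are compared literally. */
    public static String safeFilter(String uid) {
        return "(&(uid=" + escapeFilter(uid) + ")(memberOf=cn=staff,ou=groups,dc=example,dc=com))";
    }

    public static void main(String[] args) {
        String injected = "admin)(|(uid=*"; // constructed injection string
        System.out.println(unsafeFilter(injected));
        // (&(uid=admin)(|(uid=*)(memberOf=...)) : the OR branch matches every entry, memberOf is bypassed
        System.out.println(safeFilter(injected));
        // (&(uid=admin\29\28|\28uid=\2a)(memberOf=...)) : one literal uid value, filter structure intact
    }
}
```

Prefer the parameterised form DirContext.search(name, "(&(uid={0})(memberOf=...))", new Object[]{uid}, controls), which escapes the arguments for you, or Spring LDAP's LdapQueryBuilder / LdapEncoder.filterEncode. Distinguished-name components need the different RFC 4514 escaping, so escapeFilter must not be reused for a value spliced into a DN.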
Finally, the expert's automation script: https://github.com/Cryin/JavaID
I have not used the script yet... I will try it out when I get a chance.