Java-Sec-Code Code Audit: CodeInject

Preface

Will my Algorithm Design pass? Will my Data Structures pass? Will all of my finals pass?

Yes. They definitely will..........

CommandInject

codeinject

Source code:

@GetMapping("/codeinject")
public String codeInject(String filepath) throws IOException {

    // filepath comes straight from the query string and is spliced into a shell command line
    String[] cmdList = new String[]{"sh", "-c", "ls -la " + filepath};
    ProcessBuilder builder = new ProcessBuilder(cmdList);
    builder.redirectErrorStream(true);   // stderr is merged into stdout, so the response shows both
    Process process = builder.start();
    return WebUtils.convertStreamToString(process.getInputStream());
}

The vulnerability is obvious at a glance: filepath is attacker-controlled and is concatenated into the string handed to sh -c, so a crafted value gives arbitrary command execution.

payload

?filepath=/;ls /

The shell receives ls -la /;ls / and runs ls / as a second command. It executes successfully. Honestly, there isn't much more to say about this one.

host

Source code:

// route as declared in Java-Sec-Code's CommandInject.java; the snippet above omitted the annotation
@GetMapping("/codeinject/host")
public String codeInjectHost(HttpServletRequest request) throws IOException {

    // the Host request header is read verbatim and spliced into a shell command line
    String host = request.getHeader("host");
    logger.info(host);
    String[] cmdList = new String[]{"sh", "-c", "curl " + host};
    ProcessBuilder builder = new ProcessBuilder(cmdList);
    builder.redirectErrorStream(true);   // stderr is merged into stdout, so the response shows both
    Process process = builder.start();
    return WebUtils.convertStreamToString(process.getInputStream());
}

Reading the source, the vulnerability is just as easy to spot: the command is curl plus the Host header, and the host value is not filtered at all, so we can try a payload. Note that this one is sent as an HTTP request header, not as a query parameter:

Host: localhost&ls

The shell receives curl localhost&ls, puts curl in the background and runs ls. That does it.

sec

A parameter-filtering method has been added. Clicking into cmdFilter and following it further, we find the static constant FILTER_PATTERN declared in the security utility class. It is a compiled regular expression whose pattern only matches letters, digits and a few other characters; special characters never match. When a command-injection attempt contains a special character, the filter returns null and the handler returns a failure message instead of running anything.

@GetMapping("/codeinject/sec")
public String codeInjectSec(String filepath) throws IOException {
    // allowlist check: cmdFilter returns null if filepath contains any character outside FILTER_PATTERN
    String filterFilePath = SecurityUtil.cmdFilter(filepath);
    if (null == filterFilePath) {
        return "Bad boy. I got u.";
    }
    // the command is still built as a single shell string; only the filter stands between the input and sh -c
    String[] cmdList = new String[]{"sh", "-c", "ls -la " + filterFilePath};
    ProcessBuilder builder = new ProcessBuilder(cmdList);
    builder.redirectErrorStream(true);
    Process process = builder.start();
    return WebUtils.convertStreamToString(process.getInputStream());
}

In other words, the whole fix comes down to this one line:

String filterFilePath = SecurityUtil.cmdFilter(filepath);
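To make the three handlers above concrete side by side, here is an added example (my own code, not Java-Sec-Code's): an allowlist filter with the same contract as SecurityUtil.cmdFilter, the page's vulnerable sh -c construction, and a hardened variant that never involves a shell. FILTER_PATTERN is an assumed value, since the post only says the real constant admits letters, digits and a few other characters; the class name and the run helper are mine too.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example, not Java-Sec-Code's own code. Contrasts "sh -c" string
 * concatenation with an allowlist filter and with an argument-vector call
 * that bypasses the shell entirely.
 */
public class CodeInjectDemo {

    // Assumed allowlist (the post does not show the real regex): letters, digits,
    // '_', '/', '.', '-'. Shell metacharacters (';', '&', '|', '$', '`', quotes,
    // whitespace, newlines) all fail the match.
    private static final Pattern FILTER_PATTERN = Pattern.compile("^[a-zA-Z0-9_/.\\-]+$");

    /** Same contract as SecurityUtil.cmdFilter: null on rejection, the input otherwise. */
    public static String cmdFilter(String input) {
        if (input == null || !FILTER_PATTERN.matcher(input).matches()) {
            return null;
        }
        return input;
    }

    /** The page's vulnerable construction: one shell string with user data spliced in. */
    public static String vulnerableList(String filepath) throws IOException {
        return run(new String[]{"sh", "-c", "ls -la " + filepath});
    }

    /**
     * Hardened construction: no shell at all. filepath is a single argv element,
     * so ';', '&' and '$(...)' reach ls as literal bytes of a file name. "--"
     * stops ls from treating a value that starts with '-' as an option.
     */
    public static String safeList(String filepath) throws IOException {
        return run(new String[]{"ls", "-la", "--", filepath});
    }

    private static String run(String[] cmd) throws IOException {
        ProcessBuilder builder = new ProcessBuilder(cmd);
        builder.redirectErrorStream(true);
        Process process = builder.start();
        try (InputStream in = process.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws IOException {
        // A benign value plus the two payloads from the post (constructed inputs).
        List<String> inputs = List.of("/tmp", "/;ls /", "localhost&ls");
        for (String input : inputs) {
            System.out.println("input: " + input + " -> cmdFilter: " + cmdFilter(input));
        }
        // Through the shell, the payload runs "ls /" as a second command.
        System.out.println("--- sh -c ---");
        System.out.println(vulnerableList("/;ls /"));
        // Without the shell, ls just reports that no file named "/;ls /" exists.
        System.out.println("--- argv ---");
        System.out.println(safeList("/;ls /"));
    }
}
```

Running main prints null for both payloads and the value itself for /tmp, then the two directory listings from the sh -c call versus a single "No such file or directory" line from the argv call. Two caveats worth keeping in mind: the allowlist stops command injection but does not change what the command itself does, so for the curl + Host variant a filtered host is still an SSRF sink pointing wherever the client chooses; and the argv form is only safe when the user value is its own element, so never pass "sh -c" with a concatenated string and hope the filter catches everything.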