cnccms代码审计
环境搭建
- 下载源码,导入idea
- 修改
WEB-INF/classes/db.properties - 数据库创建cncsnet,执行文件夹里的sql
- tomcat配置添加文件夹,修改
Application context为/,可以解决一些报错和图片不加载等问题
代码审计
前台
大致浏览了一些功能点,发现只有作品展示和团队新闻可能存在sql注入,别的地方都没有什么可以交互的地方。
发现使用的是mybatis,并且不存在${}这样进行sql拼接的地方,包括像like语句,所以基本上没有sql注入了,参考Mybatis框架下SQL注入漏洞面面观
//and member_name like #{member_name}
tempUser.setUsername("%" + ccUsers.getUsername() + "%");
后台
admin/ningyang登录后台
xss
WEB-INF/classes/cn/cncsnet/controller/WorkController.class
WEB-INF/classes/cn/cncsnet/controller/LoadIndex.class
这两处分别是前台和后台作品展示处,都是直接从数据库获取数据,不经过编码直接输出
@RequestMapping({"work"})
public ModelAndView work(@RequestParam(defaultValue = "1",required = true) Integer page, @RequestParam(defaultValue = "1",required = true) Integer juan) {
Integer pagesize = 8;
PageInfo<CcWorks> pageinfo = this.loadIndexService.selecWork(page, pagesize);
List<CcWorks> list = pageinfo.getList();
ModelAndView mlv = new ModelAndView("forward:worklist.jsp");
mlv.addObject("datalist", list);
mlv.addObject("page", page);
mlv.addObject("juan", juan);
mlv.addObject("juansum", pageinfo.getPages() % 5 == 0 ? pageinfo.getPages() / 5 : pageinfo.getPages() / 5 + 1);
mlv.addObject("pages", pageinfo.getPages());
mlv.addObject("loadok", "ok");
mlv.addObject("pagesize", pagesize);
mlv.addObject("total", pageinfo.getTotal());
return mlv;
}
public ModelAndView showwork(HttpServletRequest request, @RequestParam(defaultValue = "1",required = true) Integer page, Integer user_id, @RequestParam(defaultValue = "1",required = true) Integer juan, CcWorks ccWorks) {
Integer pagesize = 5;
CcWorks temp = new CcWorks();
temp.setWork_id(ccWorks.getWork_id());
if (ccWorks.getWork_name() != null && !"".equals(ccWorks.getWork_name())) {
temp.setWork_name("%" + ccWorks.getWork_name() + "%");
}
temp.setWork_date((Date)ccWorks.getWork_date());
temp.setWork_image(ccWorks.getWork_image());
temp.setWork_value(ccWorks.getWork_value());
List<CcUsers> selectusers = this.workService.selectusers();
CcUsers tempuser = new CcUsers();
tempuser.setUser_id(user_id);
temp.setWork_member(tempuser);
PageInfo<CcWorks> pageinfo = this.workService.selectpage(page, pagesize, temp);
List<CcWorks> dataList = pageinfo.getList();
ModelAndView mlv = new ModelAndView("showwork");
mlv.addObject("page", page);
mlv.addObject("pagesize", pagesize);
mlv.addObject("total", pageinfo.getTotal());
mlv.addObject("pages", pageinfo.getPages());
mlv.addObject("juan", juan);
mlv.addObject("juansum", pageinfo.getPages() % 5 == 0 ? pageinfo.getPages() / 5 : pageinfo.getPages() / 5 + 1);
mlv.addObject("datalist", dataList);
mlv.addObject("oladstop", "ok");
mlv.addObject("condition", ccWorks);
mlv.addObject("selectusers", selectusers);
mlv.addObject("user_id", user_id);
return mlv;
}
再看一下,写入输入库时:Integer updatework = this.workService.updatework(ccworks);,直接update
文件上传
后台有许多上传点,不过都没有限制措施
@RequestMapping({"/WEB-INF/admin/addwork"})
public String addwork(@RequestParam("wrok_image") MultipartFile wrok_image, CcWorks ccWorks, HttpServletResponse response, HttpServletRequest request) {
System.out.println("图片名称" + wrok_image.getOriginalFilename());
ccWorks.setWork_date(new Date((new java.util.Date()).getTime()));
HttpSession session = request.getSession();
CcUsers admin = (CcUsers)session.getAttribute("admin");
ccWorks.setWork_member(admin);
String realPath = request.getRealPath("/img/work/");
String imagename = (new java.util.Date()).getTime() + wrok_image.getOriginalFilename().substring(wrok_image.getOriginalFilename().lastIndexOf("."));
System.out.println(imagename);
InputStream inputStream = null;
FileOutputStream outputStream = null;
File file = null;
System.out.println(realPath);
try {
inputStream = wrok_image.getInputStream();
} catch (IOException var29) {
var29.printStackTrace();
}
if (inputStream != null) {
try {
file = new File(realPath + "\\" + imagename);
if (!file.exists()) {
file.createNewFile();
}
ccWorks.setWork_image("/img/work/" + imagename);
} catch (FileNotFoundException var27) {
var27.printStackTrace();
} catch (IOException var28) {
var28.printStackTrace();
}
}
Integer insertwork = this.workService.insertwork(ccWorks);
try {
if (insertwork < 1) {
response.setContentType("text/html;charset=utf-8");
PrintWriter writer = response.getWriter();
writer.print("<script type='text/javascript'>alert('添加失败');history.go(-1);</script>");
writer.close();
} else {
outputStream = new FileOutputStream(file);
IOUtils.copy(inputStream, outputStream);
}
} catch (IOException var25) {
var25.printStackTrace();
} finally {
try {
if (inputStream != null) {
inputStream.close();
}
if (outputStream != null) {
outputStream.close();
}
} catch (IOException var24) {
var24.printStackTrace();
}
return "redirect:showwork.jsp";
}
}
不过这里多加了一个\,可能是系统原因?
file = new File(realPath + "\\" + imagename);