<html xmlns="http://www.w3.org/1999/xhtml"><head><meta charset="utf-8"><meta name="generator" content="pdf2htmlEX"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><link rel="stylesheet" href="https://csdnimg.cn/release/download_crawler_static/css/base.min.css"><link rel="stylesheet" href="https://csdnimg.cn/release/download_crawler_static/css/fancy.min.css"><link rel="stylesheet" href="https://csdnimg.cn/release/download_crawler_static/4578571/raw.css"><script src="https://csdnimg.cn/release/download_crawler_static/js/compatibility.min.js"></script><script src="https://csdnimg.cn/release/download_crawler_static/js/pdf2htmlEX.min.js"></script><script>try{pdf2htmlEX.defaultViewer = new pdf2htmlEX.Viewer({});}catch(e){}</script><title>Attacking JAVA WEB</title></head><body><div id="sidebar" style="display: none"><div id="outline"></div></div><div id="pf1" class="pf w0 h0" data-page-no="1"><div class="pc pc1 w0 h0"><img class="bi x0 y0 w1 h1" alt="" src="https://csdnimg.cn/release/download_crawler_static/4578571/bg1.jpg"><div class="c x1 y1 w2 h2">
<div class="t m0 x2 h3 y2 ff1 fs0 fc0 sc0 ls0 ws0">Attacking <span class="ff2 sc1 ls1">JAVA WEB</span></div>
<div class="t m0 x2 h4 y3 ff3 fs1 fc0 sc1 ls3 ws0">About the author and the topic</div>
<div class="t m0 x2 h4 y4 ff3 fs1 fc0 sc1 ls3 ws0">Zhou Tuo (周拓)</div>
<div class="t m0 x2 h4 y5 ff3 fs1 fc0 sc1 ls3 ws0">Online handle: 空虚浪子心, abbreviated kxlzx; core member of the China X hacker group. Currently employed at the Alibaba Group Security Center, focusing on WEB security and WAP security; responsible for drafting and updating the "Alibaba Group WEB Security Standard" and for the security of Alibaba's WEB frameworks.</div>
<div class="t m0 x2 h4 y8 ff3 fs1 fc0 sc1 ls3 ws0">Personal BLOG: <span class="fc1 ls9">http://www.inbreak.net/</span> Amazon mirror: <span class="fc1 ls9">http://amazon.inbreak.net/</span></div>
<div class="t m0 x2 h4 y9 ff3 fs1 fc0 sc1 ls2 ws0">"Attacking JAVA WEB"</div>
<div class="t m0 x2 h4 ya ff3 fs1 fc0 sc1 ls2 ws0">When attacking JAVA sites, the most common approaches are still the generic web attacks: ordinary SQL injection, file upload, guessing the admin backend, running a scanner and so on. This talk tries to show that JAVA sites should not be played with only in that way. It covers fingerprinting JAVA frameworks, exploiting framework vulnerabilities, and the thinking behind discovering such vulnerabilities.</div>
<div class="t m0 x2 h5 yd ff1 fs2 fc2 sc2 lse ws0">Contents</div>
<div class="t m0 x2 h6 ye ff1 fs1 fc0 sc1 ls3 ws0">Attacking JAVA WEB</div>
<div class="t m0 x3 h6 yf ff1 fs1 fc0 sc1 ls3 ws0">Introduction</div>
<div class="t m0 x3 h6 y10 ff1 fs1 fc0 sc1 ls3 ws0">Main text</div>
<div class="t m0 x3 h6 y11 ff1 fs1 fc0 sc1 ls3 ws0">Reconnaissance</div>
<div class="t m0 x4 h6 y12 ff1 fs1 fc0 sc1 ls3 ws0">Manual confirmation of framework fingerprints</div>
<div class="t m0 x4 h6 y13 ff1 fs1 fc0 sc1 ls3 ws0">Default extensions</div>
<div class="t m0 x4 h6 y14 ff1 fs1 fc0 sc1 ls3 ws0">Parameter handling</div>
<div class="t m0 x4 h6 y15 ff1 fs1 fc0 sc1 ls3 ws0">Default <span class="ff5 ls11">./0</span> handling logic</div>
<div class="t m0 x4 h6 y16 ff1 fs1 fc0 sc1 ls3 ws0">Default development naming</div>
<div class="t m0 x4 h6 y17 ff1 fs1 fc0 sc1 ls3 ws0">The killer blow for every framework: make it throw an error</div>
<div class="t m0 x4 h6 y18 ff1 fs1 fc0 sc1 ls3 ws0">The almighty <span class="ff5 ls13">23<span class="_"> </span>3245</span></div>
<div class="t m0 x4 h6 y19 ff1 fs1 fc0 sc1 ls3 ws0">Influence of the environment</div>
<div class="t m0 x4 h6 y1a ff1 fs1 fc0 sc1 ls3 ws0">Possible locations</div>
<div class="t m0 x4 h6 y1b ff1 fs1 fc0 sc1 ls3 ws0">Other places</div>
<div class="t m0 x3 h6 y1c ff1 fs1 fc0 sc1 ls3 ws0">How many denial-of-service bugs there are</div>
<div class="t m0 x4 h6 y1d ff1 fs1 fc0 sc1 ls3 ws0">Struts2 <span class="ff5 ls14"><=7</span> vulnerability</div>
</div></div><div class="pi" data-data='{"ctm":[1.611639,0.000000,0.000000,1.611639,0.000000,0.000000]}'></div></div></body></html>
<div id="pf2" class="pf w0 h0" data-page-no="2"><div class="pc pc2 w0 h0"><img class="bi x0 y0 w1 h1" alt="" src="https://csdnimg.cn/release/download_crawler_static/4578571/bg2.jpg"><div class="c x1 y1 w2 h2">
<div class="t m0 x4 h7 y1e ff5 fs1 fc0 sc1 lsa ws0">;>9?@2$ABC$D3;</div>
<div class="t m0 x4 h6 y1f ff1 fs1 fc0 sc1 ls3 ws0">The evil <span class="ff5 lsf">!"<span class="_"> </span>#<span class="_"> </span>"$E<span class="_"> </span>"<span class="_"> </span>7E<span class="_"> </span>$<<span class="_"> </span>=<span class="_"> </span>7</span> attack</div>
<div class="t m0 x4 h6 y20 ff5 fs1 fc0 sc1 ls15 ws0"><%/$<=7 <span class="ff1 ls3">attack</span></div>
<div class="t m0 x3 h6 y21 ff1 fs1 fc0 sc1 ls3 ws0">Turning a marginal bug into a killer blow</div>
<div class="t m0 x4 h6 y22 ff1 fs1 fc0 sc1 ls3 ws0">Raising the discovery rate of vulnerabilities in custom struts2 pages</div>
<div class="t m0 x4 h6 y23 ff1 fs1 fc0 sc1 ls3 ws0">Velocity: local becomes remote</div>
<div class="t m0 x3 h6 y24 ff1 fs1 fc0 sc1 ls2 ws0">From alert to perfectly harmonious shellcode</div>
<div class="t m0 x4 h6 y25 ff1 fs1 fc0 sc1 ls3 ws0">The limits of struts2 remote code execution (<span class="ff5 lsa"><span class="ls18">K#&</span><span class="ls2">1<span class="ls12">*L))</span>1<span class="ls12">+6*+</span></span></span>)</div>
<div class="t m0 x4 h6 y26 ff1 fs1 fc0 sc1 ls3 ws0">shellcode with no echoed output</div>
<div class="t m0 x3 h6 y27 ff1 fs1 fc0 sc1 ls3 ws0">Writing a tutorial for those dumb <span class="ff5 ls2">M</span> to follow along</div>
<div class="t m0 x4 h6 y28 ff1 fs1 fc0 sc1 ls3 ws0">The Chinese version of the <span class="ff5 ls19">NO3;;</span> vulnerability</div>
<div class="t m0 x3 h6 y29 ff1 fs1 fc0 sc1 ls3 ws0">Struts2 remote code execution</div>
<div class="t m0 x4 h6 y2a ff1 fs1 fc0 sc1 ls3 ws0">Struts2 remote code execution technique (<span class="ff5 ls1a">PQ39R*()(*</span> and above)</div>
<div class="t m0 x4 h6 y2b ff1 fs1 fc0 sc1 ls3 ws0">Struts2 remote code execution technique (<span class="ff5 ls1a">PQ39R)(L(+</span>)</div>
<div class="t m0 x4 h6 y2c ff1 fs1 fc0 sc1 ls3 ws0">Atlassian Confluence remote code execution technique</div>
<div class="t m0 x3 h6 y2d ff1 fs1 fc0 sc1 ls3 ws0">Foreseeing the future</div>
<div class="t m0 x2 h8 y30 ff1 fs3 fc0 sc0 ls1c ws0">Introduction</div>
<div class="t m0 x2 h4 y31 ff3 fs1 fc0 sc1 ls3 ws0">This talk mainly covers attacks on java sites: the art of exploiting some related vulnerabilities, java framework fingerprinting, and then the thinking behind vulnerability discovery and the techniques for exploiting what is found.</div>
<div class="t m0 x2 h4 y33 ff3 fs1 fc0 sc1 ls3 ws0">This talk is for hands-on enthusiasts of offensive techniques, so that they can put the relevant techniques to good use.</div>
<div class="t m0 x2 h4 y34 ff3 fs1 fc0 sc1 ls3 ws0">This talk is for security staff, so that they understand how fragile framework security is.</div>
<div class="t m0 x2 h4 y35 ff3 fs1 fc0 sc1 ls3 ws0">This talk is for java developers, who always find excuses: "I would never do it that way; nobody would do it that way."</div>
<div class="t m0 x2 h4 y36 ff3 fs1 fc0 sc1 ls3 ws0">This talk is for developers of security scanners: your tools are out of date, and I look forward to automated tooling appearing.</div>
<div class="t m0 x2 h4 y37 ff3 fs1 fc0 sc1 ls3 ws0">This talk is for the theory-minded researchers: there is material to dig into here, and I look forward to you joining in.</div>
<div class="t m0 x2 h8 y39 ff1 fs3 fc0 sc0 ls1c ws0">Main text</div>
<div class="t m0 x2 h4 y3a ff3 fs1 fc0 sc1 ls3 ws0">The earliest java web consisted of jsp and servlet, but there is no point discussing that: we are now in the era of java frameworks. A normal javaweb application is always assembled from one j2ee framework after another; that is an essential element of javaweb.</div>
</div></div><div class="pi" data-data='{"ctm":[1.611639,0.000000,0.000000,1.611639,0.000000,0.000000]}'></div></div>
<div id="pf3" class="pf w0 h0" data-page-no="3"><div class="pc pc3 w0 h0"><img class="bi x0 y0 w1 h1" alt="" src="https://csdnimg.cn/release/download_crawler_static/4578571/bg3.jpg"><div class="c x1 y1 w2 h2">
<div class="t m0 x2 h4 y3c ff3 fs1 fc0 sc1 ls3 ws0">From the attacker's point of view, one can think of it this way: the javaweb application has been tightly wrapped by j2ee frameworks, and they run together inside a web container. There are a great many Java frameworks; the popular ones alone number in the hundreds. java is open source, and any developer with more than 1 year of experience can easily write a stable, usable framework, so when a friend asks me for a java security standard I never know where to begin: you can only write a security standard against one particular framework. From several years of javaweb security experience, doing javaweb security means doing framework security first, and attacking java web only becomes effortless once you go deep into the frameworks. In java web security, beyond the ordinary web vulnerabilities, j2ee framework vulnerabilities are a distinctive feature, and for that reason this text covers only the security of j2ee frameworks and web containers. Since there are far too many frameworks, it picks a few popular, common ones; it cannot cover hundreds. I hope everyone gets something out of it.</div>
<div class="t m0 x2 h4 y45 ff3 fs1 fc0 sc1 ls3 ws0">Before starting, I must remind the non-practitioner enthusiasts of offensive techniques that every attack technique has its limits. This talk covers j2ee framework material, but it is not steering you to attack only the framework whenever you see a JAVA site and to look down on every other method. It is just one road. There are many roads to our destination, and this one may be unfamiliar to you, which is why I am talking about it.</div>
<div class="t m0 x2 h8 y49 ff1 fs3 fc0 sc0 ls1c ws0">Reconnaissance</div>
<div class="t m0 x2 h4 y4a ff3 fs1 fc0 sc1 ls3 ws0">As with any other hacking technique applied in practice, before an attack proceeds the first task is to determine the target site's architecture: which framework and which version, and only then move to the next step.</div>
<div class="t m0 x2 h8 y4c ff1 fs3 fc0 sc0 ls1c ws0">Manual confirmation of framework fingerprints</div>
<div class="t m0 x2 h4 y4d ff3 fs1 fc0 sc1 ls3 ws0">I have discussed this point with some N architects at Alibaba: "We are now using such-and-such XX framework. Is there any way, without knowing the source code, to determine from the outside what framework our system uses?" They all meant the same thing: "Absolutely not; it cannot be found out from the outside. Our URL extensions and the like are configured however we want them. If even that could be seen through easily, what security would be left?"</div>
</div></div><div class="pi" data-data='{"ctm":[1.611639,0.000000,0.000000,1.611639,0.000000,0.000000]}'></div></div>
<div id="pf4" class="pf w0 h0" data-page-no="4"><div class="pc pc4 w0 h0"><img class="bi x0 y0 w1 h1" alt="" src="https://csdnimg.cn/release/download_crawler_static/4578571/bg4.jpg"><div class="c x1 y1 w2 h2">
<div class="t m0 x2 h4 y3e ff3 fs1 fc0 sc1 ls3 ws0">JAVA frameworks do have this advantage: they encourage their users to define the URL extension themselves. You can set it to ".do", ".htm", ".html" and so on, or even do some interesting URL mapping that earns SEO points.</div>
<div class="t m0 x2 h4 y40 ff3 fs1 fc0 sc1 ls3 ws0">Under such complex conditions the architects even believe it helps security: if the outside cannot confirm what I am doing, how can it attack? In fact they believe this because they have never considered the matter from the attacker's angle.</div>
<div class="t m0 x2 h4 y42 ff3 fs1 fc0 sc1 ls3 ws0">There are of course many traces to follow. Some methods confirm the framework one hundred percent; some confirm it 80 percent. Collected together, these methods become a very powerful technique in practice.</div>
<div class="t m0 x2 h4 y44 ff3 fs1 fc0 sc1 ls3 ws0">Below, I give each method an idealised score to make judgement easier.</div>
<div class="t m0 x2 h8 y4f ff1 fs3 fc0 sc0 ls1c ws0">Default extensions</div>
<div class="t m0 x2 h4 y50 ff3 fs1 fc0 sc1 ls3 ws0">For some frameworks, the URL extension alone already identifies the framework with 99% confidence.</div>
<div class="t m0 x2 h5 y51 ff1 fs2 fc0 sc0 lse ws0">Extension "<span class="ff4 sc1 ls27">*.action</span>"</div>
<div class="t m0 x2 h4 y52 ff3 fs1 fc0 sc1 ls3 ws0">Verdict: struts2 or webwork; score: 90%</div>
<div class="t m0 x2 h4 y53 ff3 fs1 fc0 sc1 ls3 ws0">Example:</div>
<div class="t m0 x2 h4 y54 ff3 fs1 fc0 sc1 ls9 ws0">http://www.inbreak.net/index.action</div>
<div class="t m0 x2 h4 y55 ff3 fs1 fc0 sc1 ls3 ws0">This extension is the hallmark of every struts2 and webwork framework. When you see action you can basically confirm it is one of these two frameworks, and from there it is a matter of applying the previously published vulnerabilities.</div>
<div class="t m0 x2 h4 y57 ff3 fs1 fc0 sc1 ls3 ws0">Everything visible on the market, the official recommendation, the user manual, the official DEMO, and the several books written by domestic struts masters all use this extension. The influence of that on architects and programmers is huge. More importantly, I have almost never seen any other framework use this extension.</div>
</div></div><div class="pi" data-data='{"ctm":[1.611639,0.000000,0.000000,1.611639,0.000000,0.000000]}'></div></div>
<div id="pf5" class="pf w0 h0" data-page-no="5"><div class="pc pc5 w0 h0"><img class="bi x0 y0 w1 h1" alt="" src="https://csdnimg.cn/release/download_crawler_static/4578571/bg5.jpg"><div class="c x1 y1 w2 h2">
<div class="t m0 x2 h5 y59 ff1 fs2 fc0 sc0 lse ws0">Extension "<span class="ff4 sc1 ls27">*.do</span>"</div>
<div class="t m0 x2 h4 y5a ff3 fs1 fc0 sc1 ls3 ws0">Verdict: springmvc; score 50%</div>
<div class="t m0 x2 h4 y5b ff3 fs1 fc0 sc1 ls3 ws0">Example:</div>
<div class="t m0 x2 h4 y5c ff3 fs1 fc0 sc1 ls9 ws0">http://www.inbreak.net/index.do</div>
<div class="t m0 x2 h4 y5d ff3 fs1 fc0 sc1 ls3 ws0">As you can see, this is a very low score, and such a low score only gives us a directional judgement. The official springmvc documentation and a great many tutorials use extensions ending in .do. The problem is that many other frameworks also like this extension, struts1 for instance. Hence the 50% verdict.</div>
<div class="t m0 x2 h5 y60 ff4 fs2 fc0 sc1 ls2b ws0">URL <span class="ff1 sc0 lse">path "</span><span class="ls2c">/action/<span class="ls2d">xxxx</span></span><span class="ff1 sc0 ls2">"</span></div>
<div class="t m0 x2 h4 y61 ff3 fs1 fc0 sc1 ls3 ws0">Verdict: struts2; score 70%</div>
<div class="t m0 x2 h4 y62 ff3 fs1 fc0 sc1 ls3 ws0">Example:</div>
<div class="t m0 x2 h4 y63 ff3 fs1 fc0 sc1 ls9 ws0">http://www.inbreak.net/action/index</div>
<div class="t m0 x2 h4 y64 ff3 fs1 fc0 sc1 ls3 ws0">This is also one of the recommendations in the official struts manual, but rather few people use it.</div>
<div class="t m0 x2 h5 y65 ff1 fs2 fc0 sc0 lse ws0">Extension "<span class="ff4 sc1 ls2">*<span class="ls2e">.form</span></span>"</div>
<div class="t m0 x2 h4 y66 ff3 fs1 fc0 sc1 ls3 ws0">and, once the page is opened, you see a form: verdict springmvc; score 60%</div>
<div class="t m0 x2 h4 y67 ff3 fs1 fc0 sc1 ls3 ws0">Example:</div>
<div class="t m0 x2 h7 y68 ff5 fs1 fc1 sc1 ls30 ws0">J88>UVVQQQ(;?@2I>395I?9(C3AV;WK39>39I85/52?;89I8?3@(T39A</div>
</div></div><div class="pi" data-data='{"ctm":[1.611639,0.000000,0.000000,1.611639,0.000000,0.000000]}'></div></div>