Summary of Java Code Audit Keywords

SQL Injection

  • Dynamic string concatenation

Select
insert
update
delete
order

java.sql.Connection
.getConnection(
Statement
.execute(
.executeQuery(
PreparedStatement
jdbcTemplate
queryForInt
queryForObject
queryForMap
  • Improper handling in prepared statements

Improper handling of % and _ (LIKE wildcards)
setObject()
setInt()
setString()
setSQLXML()
  • Improper framework usage

Hibernate

$
#

Mybatis

Mysql:
$      (search globally in IDEA for *mapper.xml or *Dao.java)
+      (search globally in IDEA for *Dao.java)

Oracle:
like '%$id$%'
like '%'||'$id$'||'%'

Keywords for locating framework usage:

createQuery
session.save
session.update
session.delete
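
An added example, not part of the original checklist, showing in working code what the "dynamic concatenation", "% and _" and MyBatis `$`/`#` keywords above point at: a LIKE query built by string concatenation beside the same query with a bound parameter and escaped wildcards. The `users` table, its `name` column and the `!` escape character are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class LikeQueryAudit {

    // Vulnerable form: the "dynamic concatenation" pattern the checklist greps for.
    // The user-controlled value becomes part of the SQL text, so a quote in it
    // terminates the literal and the rest is parsed as SQL.
    static int countUnsafe(Connection conn, String name) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(
                     "SELECT COUNT(*) FROM users WHERE name LIKE '%" + name + "%'")) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Escapes the LIKE metacharacters % and _ (and the escape character itself)
    // so the bound value matches literally. '!' is chosen as the escape character
    // because it is portable across MySQL and Oracle; this is an assumed convention.
    static String escapeLike(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (char c : value.toCharArray()) {
            if (c == '!' || c == '%' || c == '_') {
                sb.append('!');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    // Hardened form: the value is bound with setString(), so it can never change the
    // statement structure, and wildcards are escaped so "50%" matches "50%" rather
    // than everything starting with "50". Binding alone is not enough for LIKE:
    // a bound "%" still matches every row, which is the "% and _ handled improperly"
    // finding in the checklist.
    static int countSafe(Connection conn, String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT COUNT(*) FROM users WHERE name LIKE ? ESCAPE '!'")) {
            ps.setString(1, "%" + escapeLike(name) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // The same distinction in a MyBatis mapper (assumed mapper.xml fragments):
    //   safe:   WHERE name LIKE CONCAT('%', #{name}, '%')   -- #{} becomes a bound ? parameter
    //   unsafe: WHERE name LIKE '%${name}%'                 -- ${} is pasted into the SQL text
    // "${" in *mapper.xml is therefore the grep target, and "#{" still needs the
    // wildcard escaping above whenever it feeds a LIKE.

    public static void main(String[] args) {
        // Demonstrates the escaping step without a database connection.
        System.out.println(escapeLike("50%_off!"));
    }
}
```

When auditing, treat every `Statement.executeQuery(` or `${` hit as a finding and every `setString(` that feeds a `LIKE` as a follow-up question: is the input escaped, and does the statement declare a matching `ESCAPE` clause?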

SSRF

.openStream(
.openConnection(
.getContent(    in most cases httpResponse.getContent(
HttpURLConnection
ImageIO.read(

Request.Get(
Request.Post(
HttpClient
.execute(

share
wap
url
link
src
source
target
u
3g
display
sourceURl
imageURL
domain

HttpServletRequest
getParamet
Okhttp

URL Redirect

response.sendRedirect
request.getRequestDispatcher
response.setHeader
jsp:forward

XXE

  • Common XML parsing interfaces

javax.xml.parsers.DocumentBuilder
org.dom4j.io.SAXReader
org.jdom.input.SAXBuilder
org.jdom2.input.SAXBuilder
javax.xml.parsers.SAXParser
org.apache.commons.digester3.Digester
org.dom4j.DocumentHelper
javax.xml.stream.XMLStreamReader

org.xml.sax.XMLReader
javax.xml.transform.sax.SAXSource
javax.xml.transform.TransformerFactory
javax.xml.transform.sax.SAXTransformerFactory
javax.xml.validation.SchemaFactory
javax.xml.bind.Unmarshaller
javax.xml.xpath.XPathExpression
  • Common keywords

Dom:            DocumentBuilderFactory
Dom4j:          SAXReader
SAX:            SAXParser, SAXParserFactory, XMLReader
jDom:           SAXBuilder
StAX:           XMLInputFactory
xerces:         DocumentBuilderFactoryImpl, DocumentBuilderImpl, SAXParserFactoryImpl, SAXParserImpl, DOMParserImpl, DOMParser, SAXParser, XMLParser
SchemaFactory:  SchemaFactory
Validator:      Validator
TransformerFactory:    TransformerFactory
SAXTransformerFactory: SAXTransformerFactory
XPathExpression:       XPathExpression

reqXml
getInputStream
XMLReaderFactory
.newInstance
javax.xml.bind
XmlUtils.get

Command Execution / Code Execution

  • OS command injection

getRuntime()
.exec(
passthru
popen
shell_exec
eval    (ScriptEngine interface)
preg_replace
str_replace
call_user_func

system
execlp
execvp
ShellExecute
wsystem
popen(

ProcessBuilder
ProcessBuilder.start
execfile
input
Shell
ShellExecuteForExplore(
ShellExecute
execute
/bin/sh, /bin/bash
cmd
  • Code injection

Groovy

groovy.util.Eval.me
groovy.lang.GroovyShell.parse|evaluate
groovy.lang.Script.run
groovy.lang.GroovyClassLoader.parseClass
org.codehaus.groovy.runtime.InvokerHelper.newScript|createScript|runScript
org.codehaus.groovy.runtime.MethodClosure.MethodClosure
  • Template injection

freemarker

freemarker.template.Template.process
freemarker.core.Environment.process
freemarker.template.TemplateMethodModel.exec
freemarker.template.utility.Execute.exec

  • Expression injection

Fel

import com.greenpineyu.fel

MVEL

org.mvel2.MVEL.eval
org.mvel2.MVELInterpretedRuntime.parse
org.mvel2.ast.ASTNode.getReducedValue
org.mvel2.PropertyAccessor.get
org.mvel2.MVEL.execute
org.mvel2.compiler.ExecutableStatement.getValue
org.mvel2.compiler.ExecutableAccessor
org.mvel2.ast.NewObjectNode.getReducedValueAccelerated
org.mvel2.optimizers.AccessorOptimizer|org.mvel2.optimizers.dynamic.DynamicOptimizer.optimizeObjectCreation

OGNL

import ognl.*

SpEL

org.springframework.expression
parseExpression
getValue
getValueType
value="#{*}

Deserialization

ObjectInputStream.readObject
ObjectInputStream.readUnshared
.readExternal(
readObjectNoData
XMLDecoder.readObject
Yaml.load
XStream.fromXML    (versions <= 1.4.17; for later versions, check whether the allowlist configuration is sound.)
ObjectMapper.readValue      Jackson vulnerabilities
JSON.parseObject            Fastjson vulnerabilities
Serializable
  • Commonly exploitable libraries

commons-io 2.4
commons-collections 3.1
commons-logging 1.2
commons-beanutils 1.9.2
org.slf4j:slf4j-api 1.7.21
com.mchange:mchange-commons-java 0.2.11
org.apache.commons:commons-collections 4.0
com.mchange:c3p0 0.9.5.2
org.beanshell:bsh 2.0b5
org.codehaus.groovy:groovy 2.3.9
org.springframework:spring-aop 4.1.4.RELEASE

File Operations

The JDK's original java.io.FileInputStream class
The JDK's original java.io.RandomAccessFile class
The org.apache.commons.io.FileUtils class provided by Apache Commons IO
The java.nio.channels.AsynchronousFileChannel class added in JDK 1.7, for NIO-based non-blocking asynchronous file reads.
The java.nio.file.Files class added in JDK 1.7, for NIO-based file reads. Common methods include Files.readAllBytes and Files.readAllLines
FileInputStream
FileOutputStream
File
FileUtil
IOUtils
BufferedReader
ServletFileUpload
MultipartFile
CommonsMultipartFile
PrintWriter
ZipInputStream
ZipEntry.getSize

Logging Vulnerabilities

log.debug
log.error
log.info
log.warn
logger.severe
logger.error

Hard-coded Values

pass
password
pwd
passwd
pswd
checkpwd
crypto
cardno
PINNUMBER
admin
DEFAULT_PWD
PASSWORD
key
sharekey
encrypt
enc
dec
decrypt
user
operator
login
name
root

Other

lookup   (JNDI, LDAP)
.invoke(    method invocation
