Dynamic concatenation
Select
insert
update
delete
order
java.sql.Connection
.getConnection(
Statement
.execute(
.executeQuery(
PreparedStatement
jdbcTemplate
queryForInt
queryForObject
queryForMap
Improper use of prepared statements
Improper handling of % and _
setObject()
setInt()
setString()
setSQLXML()
Improper framework usage
Hibernate
$
#
Mybatis
Mysql:
$ (search globally in the IDEA search box for *mapper.xml or *Dao.java)
+ (search globally in the IDEA search box for *Dao.java)
Oracle:
like '%$id$%'
like '%'||'$id$'||'%'
Framework locator keywords:
createQuery
session.save
session.update
session.delete
.openStream(
.openConnection(
.getContent( (in most cases this is httpResponse.getContent()
HttpURLConnection
ImageIO.read(
Request.Get(
Request.Post(
HttpClient
.execute(
share
wap
url
link
src
source
target
u
3g
display
sourceURL
imageURL
domain
HttpServletRequest
getParamet
Okhttp
response.sendRedirect
request.getRequestDispatcher
response.setHeader
jsp:forward
Common XML parsing interfaces
javax.xml.parsers.DocumentBuilder
org.dom4j.io.SAXReader
org.jdom.input.SAXBuilder
org.jdom2.input.SAXBuilder
javax.xml.parsers.SAXParser
org.apache.commons.digester3.Digester
org.dom4j.DocumentHelper
javax.xml.stream.XMLStreamReader
org.xml.sax.XMLReader
javax.xml.transform.sax.SAXSource
javax.xml.transform.TransformerFactory
javax.xml.transform.sax.SAXTransformerFactory
javax.xml.validation.SchemaFactory
javax.xml.bind.Unmarshaller
javax.xml.xpath.XPathExpression
Common keywords
Dom: DocumentBuilderFactory
Dom4j: SAXReader
SAX: SAXParser, SAXParserFactory, XMLReader
jDom: SAXBuilder
StAX: XMLInputFactory
xerces: DocumentBuilderFactoryImpl, DocumentBuilderImpl, SAXParserFactoryImpl, SAXParserImpl, DOMParserImpl, DOMParser, SAXParser, XMLParser
SchemaFactory: SchemaFactory
Validator: Validator
TransformerFactory:TransformerFactory
SAXTransformerFactory:SAXTransformerFactory
XPathExpression:XPathExpression
reqXml
getInputStream
XMLReaderFactory
.newInstance
javax.xml.bind
XmlUtils.get
getRuntime()
.exec(
passthru
popen
shell_exec
eval (ScriptEngine interface)
preg_replace
str_replace
call_user_func
system
execlp
execvp
ShellExecute
wsystem
popen(
ProcessBuilder
ProcessBuilder.start
execfile
input
Shell
ShellExecuteForExplore(
ShellExecute
execute
/bin/sh, /bin/bash
cmd
Groovy
groovy.util.Eval.me
groovy.lang.GroovyShell.parse|evaluate
groovy.lang.Script.run
groovy.lang.GroovyClassLoader.parseClass
org.codehaus.groovy.runtime.InvokerHelper.newScript|createScript|runScript
org.codehaus.groovy.runtime.MethodClosure.MethodClosure
freemarker
freemarker.template.Template.process
freemarker.core.Environment.process
freemarker.template.TemplateMethodModel.exec
freemarker.template.utility.Execute.exec
Fel
import com.greenpineyu.fel
MVEL
org.mvel2.MVEL.eval
org.mvel2.MVELInterpretedRuntime.parse
org.mvel2.ast.ASTNode.getReducedValue
org.mvel2.PropertyAccessor.get
org.mvel2.MVEL.execute
org.mvel2.compiler.ExecutableStatement.getValue
org.mvel2.compiler.ExecutableAccessor
org.mvel2.ast.NewObjectNode.getReducedValueAccelerated
org.mvel2.optimizers.AccessorOptimizer|org.mvel2.optimizers.dynamic.DynamicOptimizer.optimizeObjectCreation
OGNL
import ognl.*
SpEL
org.springframework.expression
parseExpression
getValue
getValueType
value="#{*}
ObjectInputStream.readObject
ObjectInputStream.readUnshared
.readExternal(
readObjectNoData
XMLDecoder.readObject
Yaml.load
XStream.fromXML (affected in versions <= 1.4.17; for newer versions, check whether the allowlist configuration is sound.)
ObjectMapper.readValue (Jackson vulnerabilities)
JSON.parseObject (Fastjson vulnerabilities)
Serializable
Common exploitable libraries
commons-io 2.4
commons-collections 3.1
commons-logging 1.2
commons-beanutils 1.9.2
org.slf4j:slf4j-api 1.7.21
com.mchange:mchange-commons-java 0.2.11
org.apache.commons:commons-collections 4.0
com.mchange:c3p0 0.9.5.2
org.beanshell:bsh 2.0b5
org.codehaus.groovy:groovy 2.3.9
org.springframework:spring-aop 4.1.4.RELEASE
The JDK's native java.io.FileInputStream class
The JDK's native java.io.RandomAccessFile class
The org.apache.commons.io.FileUtils class provided by Apache Commons IO
The java.nio.channels.AsynchronousFileChannel class, added in JDK 1.7, for NIO-based non-blocking asynchronous file reads.
The java.nio.file.Files class, added in JDK 1.7, for NIO-based file reads. Common methods include Files.readAllBytes and Files.readAllLines.
FileInputStream
FileOutputStream
File
FileUtil
IOUtils
BufferedReader
ServletFileUpload
MultipartFile
CommonsMultipartFile
PrintWriter
ZipInputStream
ZipEntry.getSize
log.debug
log.error
log.info
log.warn
logger.severe
logger.error
pass
password
pwd
passwd
pswd
checkpwd
crypto
cardno
PINNUMBER
admin
DEFAULT_PWD
PASSWORD
key
sharekey
encrypt
enc
dec
decrypt
user
operator
login
name
root
lookup (JNDI, LDAP)
.invoke( (method invocation)