springbootp0eo6代码审计

UWI Lv3
  2025-08-21 21:11:19 2025-08-21 21:11:19 Created   2025-08-22 15:07:18 2025-08-22 15:07:18 Updated      

sql注入漏洞

发现他的mybaits基本全是拼接注入因该有十几处 这里就随便找一个

image-20250822131906835

跟踪 发现getoption 在getOption函数中被调用

image-20250822132011810

getOption在/option/{tableName}/{columnName} 这个接口中被调用 而且参数tableName columnName 我们可控

image-20250822132127450

可以直接造成sql注入

image-20250822140127178

任意文件下载

没有做任何拦截

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
@IgnoreAuth
	@RequestMapping("/download")
	public ResponseEntity<byte[]> download(@RequestParam String fileName) {
		try {
			File path = new File(ResourceUtils.getURL("classpath:static").getPath());
			if(!path.exists()) {
			    path = new File("");
			}
			File upload = new File(path.getAbsolutePath(),"/upload/");
			if(!upload.exists()) {
			    upload.mkdirs();
			}
			File file = new File(upload.getAbsolutePath()+"/"+fileName);
			if(file.exists()){
				/*if(!fileService.canRead(file, SessionManager.getSessionUser())){
					getResponse().sendError(403);
				}*/
				HttpHeaders headers = new HttpHeaders();
			    headers.setContentType(MediaType.APPLICATION_OCTET_STREAM);    
			    headers.setContentDispositionFormData("attachment", fileName);    
			    return new ResponseEntity<byte[]>(FileUtils.readFileToByteArray(file),headers, HttpStatus.CREATED);
			}
		} catch (IOException e) {
			e.printStackTrace();
		}
		return new ResponseEntity<byte[]>(HttpStatus.INTERNAL_SERVER_ERROR);
	}

image-20250822144813205

  • Title: springbootp0eo6代码审计
  • Author: UWI
  • Created at : 2025-08-21 21:11:19
  • Updated at : 2025-08-22 15:07:18
  • Link: https://nbwsws.github.io/2025/08/21/代码审计/springbootp0eo6代码审计/
  • License: This work is licensed under CC BY-NC-SA 4.0.
Comments
On this page
springbootp0eo6代码审计
  1. sql注入漏洞
  2. 任意文件下载