XSS audit points of Java audit


0x00 Preface

The previous article covered a simple XSS audit. This article reviews that content, describes the process in more detail on that basis, and adds a few other audit techniques.

Previous article: XSS of Java audit

0x01 audit process

To summarize the previous article: we first search globally for request.setAttribute, the method that shares a value into the request scope, check the type of the value being passed, trace it to its entity class, and check which properties of the entity class are of type String (only String fields can carry a payload). Next, check which methods call it and where our XSS payload could be inserted, then trace back to the DAO layer to check whether the value is written to the database. In both the query and the insert methods, pay attention to whether any filtering is applied.

0x02 modelandview details

When the view resolver processes a ModelAndView, the model is essentially an implementation of Map. The view resolver passes each element of the model to request.setAttribute(name, value), adding it to the request scope, so the JSP page can read the corresponding value with an EL expression. It is really just a thin wrapper that is convenient to use.

Method 1:

Definition:

public ModelAndView addObject(String attributeName, Object attributeValue)

Example:

ModelAndView mav = new ModelAndView("hello");
mav.addObject("time", new Date());

This shares an object into the request scope.

Method 2:

mav.getModel().put("name", "xiaoming");

0x03 CMS audit

Since using ModelAndView requires creating a new object, we can search globally for new ModelAndView to find the keyword.

Click a class containing this keyword to jump to it.

An object named model is instantiated here. Track which methods are called on model. If addObject is called to share a value into the scope, check whether a filter method is applied to the value first. If not, we can track the values being shared to find where an XSS payload could be inserted.

Locate where the typeList variable comes from.

Here you can see that typeList is returned by the queryAllTypeList() method of websiteImagesTypeService and stored in a List of WebsiteImagesType.

Then go to the WebsiteImagesType entity class to see which properties it has and whether any of them are of type String.

typeName is of type String, so an XSS payload could be stored in it.

Return to the controller, look at where the typeList value is obtained, and find the method that is called.

Ctrl + left click websiteImagesTypeService to jump to the interface.

Select the interface and press Ctrl + H to view its implementation class.

Click the implementation class to follow it.

Here you can see queryAllTypeList in the service layer: it calls the queryAllTypeList() query of websiteImagesTypeDao and returns the result without any filtering, so continue tracing into the DAO.

If you see that annotations are not used for the configuration, the configuration must be in XML files.

Search globally for the name of the DAO to find its XML file. In development, the XML mapping file is usually named after the DAO interface, with mapper appended.

Click to jump in.

Once here, you can see that the content is read from the edu_website_images_type table of the database and returned.

The next step is to see where the data will be written.

Return to the controller and look at the following update method, which can write data.

It calls a method of websiteImagesTypeService; jump to the implementation class to see whether a filtering method is called.

No filter method is called; websiteImagesTypeDao.updateType is called directly with the value passed straight through. In fact it is unnecessary to trace back from the controller's update method, because when we tracked the service interface of the query method we already saw the add, delete, modify and query methods. This is only done to make the logic clearer.

After tracking the updateType method, look up the mapping file; it is the same file we found when locating the query method.

Here we know that the statement takes typeName and typeId from WebsiteImagesType to fill in the UPDATE statement. If XSS is inserted at the corresponding location, the payload is stored in the typeName of WebsiteImagesType, passed to the DAO layer and written to the database. Once it is written, when the query method runs as the page is accessed, the server returns the stored XSS value. Input and output both pass through without filtering, which is what produces the XSS.
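The chain traced above (the ModelAndView handling from 0x02 and the controller to service to DAO path that carries typeName), condensed into an added Java example that is not code from the audited CMS: the controller class, view name and the hardened getListEscaped method are assumptions, and HtmlUtils is Spring's org.springframework.web.util.HtmlUtils.

```java
import java.util.List;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.util.HtmlUtils;
// Entity from the trace: typeName is the only String property, so it is the field to follow.
class WebsiteImagesType {
    private Integer typeId;
    private String typeName;
    public Integer getTypeId() { return typeId; }
    public void setTypeId(Integer typeId) { this.typeId = typeId; }
    public String getTypeName() { return typeName; }
    public void setTypeName(String typeName) { this.typeName = typeName; }
}

// Stand-in for the DAO interface backed by the MyBatis XML mapper (method names from the page).
interface WebsiteImagesTypeDao {
    List<WebsiteImagesType> queryAllTypeList(); // mapper <select>: no filtering happens here
    int updateType(WebsiteImagesType type);     // mapper <update>: writes typeName verbatim
}

// Assumed controller shape; the page only names the getlist URL and an update method.
class ImageTypeController {
    private final WebsiteImagesTypeDao dao;
    ImageTypeController(WebsiteImagesTypeDao dao) { this.dao = dao; }
    // Sink as audited: the list goes into the model, the view resolver copies it into the
    // request scope, and a raw ${type.typeName} in the JSP renders the stored markup as HTML.
    public ModelAndView getList() {
        ModelAndView mav = new ModelAndView("admin/imagetype/list"); // assumed view name
        mav.addObject("typeList", dao.queryAllTypeList()); // same as mav.getModel().put(...)
        return mav;
    }

    // Source as audited: the submitted typeName reaches updateType without any check.
    public String update(WebsiteImagesType type) {
        dao.updateType(type);
        return "redirect:/admin/imagetype/getlist";
    }

    // Hardened variant: HTML-encode every String the model exposes before it reaches the view.
    // (Equivalent JSP-side fix: <c:out value="${type.typeName}"/> instead of raw ${type.typeName}.)
    public ModelAndView getListEscaped() {
        ModelAndView mav = new ModelAndView("admin/imagetype/list");
        List<WebsiteImagesType> list = dao.queryAllTypeList();
        for (WebsiteImagesType t : list) {
            t.setTypeName(HtmlUtils.htmlEscape(t.getTypeName())); // "<" becomes "&lt;", so no tag is created
        }
        mav.addObject("typeList", list);
        return mav;
    }
}
```

The audit question for each method in the service interface is whether anything like the loop in getListEscaped (or its JSP equivalent) sits between the DAO and the view; in the traced CMS nothing does.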

Let's start the environment and test it.

The address of the affected page:

http://127.0.0.1:82/admin/imagetype/getlist

Click Modify name to modify it.

The XSS executed, but the tag did not close properly and the plugin's layout collapsed; the buttons below are covered.

Go to the database and delete the data.

Open it again.

How to construct the XSS payload is not described here.

</td><script>alert("1")</script>

0x04 end

When auditing code you will find some interesting things, for example the add, delete, modify and query methods in the service interface just viewed: if any one method in the interface is not filtered, the other methods will not be filtered either. What I just audited was only the update method used to insert XSS, but what about the add method? The same applies. However, the add method in this code does not set the data directly; it creates a new, empty record that must later be modified into the desired data. In that case the location of the vulnerability is still the modify method, not the add method.

The content of this article comes from the network collection of netizens. It is used as a learning reference. The copyright belongs to the original author.