先读取Tomcat容器的web.xml(因为你们网站web服务器架构基本都是Nginx + Tomcat),以便了解应用框架类型及结构:
里面一共有两个struts1的配置文件:
/WEB-INF/struts-config.xml,/WEB-INF/struts-front-config.xml
一个是管理应用的配置文件;另一个用户应用的配置文件
只看管理应用的配置文件:struts-config.xml,这样我们就可以遍历所有的class文件了,找到登录Action的class文件(所以重构这个小应用系统就轻松加愉快了!
Action(反编译)、DTO(配置文件中字段及反编译dto类均可获得,涛涛电脑知识网,)、DAO(不喜欢用hibernate,可自己写jdbc)整个工程就出来了!哈哈!
):
下载该类文件并反编译:
package com.qunar.affiliate.actions;
import com.qunar.affiliate.controller.UserController;
import com.qunar.affiliate.model.User;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.DynaActionForm;
public class LogonAction extends Action
{
static final String logon_user = "affiliate_user";
public ActionForward execute(ActionMapping arg0, ActionForm arg1, HttpServletRequest arg2, HttpServletResponse arg3)
throws Exception
{
DynaActionForm aform = (DynaActionForm)arg1;
UserController uc = new UserController();
User user = uc.validateUser(aform.getString("name"), aform.getString("password"));
if (user != null)
{
arg2.getSession().setAttribute("affiliate_user", user);
return arg0.findForward("success");
}
return arg0.findForward("failed");
}
}
然后,找到UserController这个类文件并反编译,得到了惊喜:
package com.qunar.affiliate.controller;
import com.qunar.affiliate.model.User;
import com.qunar.affiliate.util.Encrypt;
import com.qunar.affiliate.util.HibernateUtil;
import org.apache.log4j.Logger;
import org.hibernate.Criteria;
import org.hibernate.SessionFactory;
import org.hibernate.Transaction;
import org.hibernate.classic.Session;
import org.hibernate.criterion.Example;
public class UserController
{
static Logger logger = Logger.getLogger(UserController.class);
public static void main(String[] args)
{
UserController controller = new UserController();
if (args[0].equals("store")) {
controller.createAndStoreUser("jingyi.zhang", "密码隐藏");
}
else if (args[0].equals("list"))
{
User localUser = controller.validateUser("qiang.zhou", "密码隐藏");
}
}
public User createAndStoreUser(String name, String password)
{
Session session = null;
try {
session = HibernateUtil.getSessionFactory().openSession();
session.beginTransaction();
User user = new User();
user.setName(name);
user.setHashed_password(Encrypt.change("SHA", password));
session.save(user);
session.getTransaction().commit();
User localUser1 = user;
return localUser1;
}
finally {
if (session != null) try { session.close(); } catch (Throwable t) { logger.error("UserController close session failed!", t); }
}
throw localObject;
}
public User validateUser(String name, String password) {
Session session = null;
try {
session = HibernateUtil.getSessionFactory().openSession();
session.beginTransaction();
User user = new User();
user.setName(name);
user.setHashed_password(Encrypt.change("SHA", password));
User vu = (User)session.createCriteria(User.class).add(Example.create(user)).uniqueResult();
session.getTransaction().commit();
User localUser1 = vu;
return localUser1;
}
finally {
if (session != null) try { session.close(); } catch (Throwable t) { logger.error("UserController close session failed!", t); }
}
throw localObject;
}
}
调试用的两个管理员帐号都在里面,未去掉!
进入去哪儿联盟推广管理页面,只看图,危害自己看:
(这要是拿去挂点什么就挣了!开个玩笑!)
我们继续!
同时又发现了这行代码,数据层用的是hibernate框架:
session = HibernateUtil.getSessionFactory().openSession();
那数据库配置就暴露了,根据通常hibernate配置文件位置习惯找到了它:
<hibernate-configuration>
<session-factory>
<!-- Database connection settings -->
<property name="connection.driver_class">com.mysql.jdbc.Driver</property>
<property name="connection.url">jdbc:mysql://l-aff2.隐藏.隐藏.qunar.com/affiliate?characterEncoding=utf-8</property>
<property name="connection.username">affiliate_new</property>
<property name="connection.password">密码隐藏</property>
<!-- JDBC connection pool (use the built-in) -->
<!--<property name="connection.pool_size">10</property>-->
<!-- hibernate c3p0 -->
<property name="hibernate.connection.provider_class">org.hibernate.connection.C3P0ConnectionProvider</property>
<property name="hibernate.c3p0.max_size">10</property>
<property name="hibernate.c3p0.min_size">2</property>
<property name="hibernate.c3p0.timeout">1800</property>
<property name="hibernate.c3p0.max_statements">100</property><property name="hibernate.c3p0.idle_test_period">3000</property><property name="hibernate.c3p0.acquire_increment">2</property>
<!-- SQL dialect -->
<property name="dialect">org.hibernate.dialect.MySQLDialect</property>
<!-- Enable Hibernate's automatic session context management -->
<property name="current_session_context_class">thread</property>
<!-- Disable the second-level cache -->
<property name="cache.provider_class">org.hibernate.cache.NoCacheProvider</property>
<!-- Echo all executed SQL to stdout -->
<property name="show_sql">true</property>
<!-- Drop and re-create the database schema on startup -->
<!--<property name="hbm2ddl.auto">create</property>-->
<mapping resource="com/qunar/affiliate/model/user.hbm.xml"/>
</session-factory>
</hibernate-configuration>
不过数据连接域名指向的是内网,让哥失望了:
没什么技巧,不了解j2ee体系的可以普及一下!
另外,www.www.xuhantao.com,附带几处小问题:
1、页面访问权限控制问题
2、又一处test站长弱口令:
test test
3、一处js回调时xss
修复方案:
发现你们应用层的安全问题很严重(整体安全架构相对还可以),开发及维护人员都要普及一下安全意识!
这次准备送什么礼物了(上次听说有别的东西送的)?
作者 shine
