[Summary of Introduction to Network Security]—Summary of commonly used penetration vulnerabilities in the Java language

A summary of commonly used vulnerabilities in the Java language; recommended for bookmarking.

Get ready, let's go to class~~~

Contents

  • Servlet
    • Introduction
    • Life cycle
    • Interface
  • Struts 2
    • Introduction
    • Request flow
    • Related CVEs
  • Spring
    • Introduction
    • Spring MVC
    • Spring Boot
    • Request flow
    • Overview of CVEs
  • Shiro
    • Introduction
    • Overview of CVEs
    • CVE-2020-13933
    • CVE-2020-11989
    • CVE-2020-1957
    • CVE-2019-12422
    • CVE-2016-4437


Class is in~ Class is in~

Servlet

Introduction

Servlet (Server Applet), short for Java Servlet, is also known as a small service program or service connector. It is a server-side program written in Java whose main function is to interactively browse and modify data and to generate dynamic Web content.

In the narrow sense, Servlet refers to an interface in the Java language; in the broad sense, a Servlet is any class that implements the Servlet interface. People generally understand Servlet in the latter sense. Servlets run on application servers that support Java. In principle a servlet can respond to any type of request, but in most cases servlets are only used to extend web servers based on the HTTP protocol.

Life cycle

  • The client requests the servlet
  • The servlet class is loaded into memory
  • The servlet is instantiated and its init() method is called to initialize it
  • service() is called; it dispatches to doGet()/doPost()/... according to the request method
  • destroy() is called once, before the container takes the servlet out of service

Interface

init()

During a servlet's lifetime the init() method is executed only once, when the server loads the servlet.

service()

The service() method is the core of a servlet. Whenever a client requests an HttpServlet object, that object's service() method is called and is passed a "request" (ServletRequest) object and a "response" (ServletResponse) object as parameters.
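The lifecycle above, written out as a minimal HttpServlet. This is an added example, not code from the original post: the class name, the `/lifecycle` mapping and the `name` parameter are assumed. Each callback logs itself through GenericServlet.log(), so the order init() → service() → doGet()/doPost() → destroy() can be read from the container log.

```java
// Added example: a servlet whose callbacks log the lifecycle order described above.
// Class name, URL pattern and the "name" parameter are assumed for illustration.
import java.io.IOException;
import java.io.PrintWriter;
import java.util.concurrent.atomic.AtomicInteger;

import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(urlPatterns = "/lifecycle")   // assumed mapping
public class LifecycleServlet extends HttpServlet {

    // One servlet instance serves all requests concurrently,
    // so any shared state must be thread-safe.
    private final AtomicInteger requestCount = new AtomicInteger();

    @Override
    public void init(ServletConfig config) throws ServletException {
        super.init(config);   // required so getServletConfig()/log() work
        log("init(): called once when the container loads the servlet");
    }

    // service() is inherited from HttpServlet and dispatches on the HTTP method.
    // It is overridden here only to observe the call; super.service() keeps the dispatch.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        log("service(): " + req.getMethod() + " " + req.getRequestURI());
        super.service(req, resp);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        int n = requestCount.incrementAndGet();
        resp.setContentType("text/plain;charset=UTF-8");
        try (PrintWriter out = resp.getWriter()) {
            out.println("doGet() handled request #" + n);
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Request parameters are attacker-controlled input: here only the
        // length is reported, so nothing untrusted is echoed back to the client.
        String name = req.getParameter("name");
        resp.setContentType("text/plain;charset=UTF-8");
        try (PrintWriter out = resp.getWriter()) {
            out.println("doPost() received a name of length "
                    + (name == null ? 0 : name.length()));
        }
    }

    @Override
    public void destroy() {
        log("destroy(): called once before the container unloads the servlet");
    }
}
```

Deploy the class in any Servlet 3.0+ container (Tomcat, Jetty) and issue a GET and a POST to `/lifecycle`: init() appears once in the log regardless of how many requests arrive, and destroy() only when the application is stopped or redeployed.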

Struts 2

Introduction

Struts 2 is a Web application framework based on the MVC design pattern; it is essentially equivalent to a servlet. In the MVC design pattern, Struts 2 acts as the controller (Controller), establishing the data interaction between the model and the view.

Request flow

  • The client sends a request to the Tomcat server
  • The request passes through a series of filters
  • FilterDispatcher calls ActionMapper to decide whether the request should invoke an Action
  • If ActionMapper decides to invoke an Action, FilterDispatcher hands the request to ActionProxy
  • ActionProxy consults struts.xml through the Configuration Manager and finds the corresponding Action class
  • ActionProxy creates an ActionInvocation object
  • The ActionInvocation object calls back the Action's execute method
  • After the Action finishes, ActionInvocation uses the returned string to find the corresponding result, which is returned to the server through HttpServletResponse

Related CVEs

  • CVE-2016-3081 (S2-032)
  • CVE-2016-3687 (S2-033)
  • CVE-2016-4438 (S2-037)
  • CVE-2017-5638
  • CVE-2017-7672
  • CVE-2017-9787
  • CVE-2017-9793
  • CVE-2017-9804
  • CVE-2017-9805
  • CVE-2017-12611
  • CVE-2017-15707
  • CVE-2018-1327
  • CVE-2018-11776

Spring

Introduction

Spring generally refers to the Spring Framework, a lightweight open-source Java application framework that provides an easy way to develop.

Spring MVC

Spring MVC is an MVC framework designed according to the Spring pattern; it is mainly used to develop Web applications and to simplify development.

Spring Boot

Spring was relatively cumbersome when it was first launched, so Spring Boot was provided as an automated configuration tool to reduce the complexity of project setup.

Request flow

  • The user sends a request to the server
  • The server receives the request and handles it with DispatcherServlet
  • DispatcherServlet uses HandlerMapping to check whether the URL has a corresponding Controller and, if so, executes it
  • If the Controller returns a string, ViewResolver converts the string into the corresponding view object
  • DispatcherServlet outputs the data in the view object to the server
  • The server outputs the data to the client
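The same flow realised with Spring MVC annotations. This is an added example, not code from the original post: the controller name, the `/greeting/{name}` and `/ping` paths and the `greeting` view name are assumed. HandlerMapping registers the annotated methods, the returned String of the first method is a view name that ViewResolver resolves, and the second method shows the case the flow above does not cover: with @ResponseBody the String is the response itself and no ViewResolver runs.

```java
// Added example: a controller illustrating the DispatcherServlet -> HandlerMapping ->
// Controller -> ViewResolver flow. Class, paths and view name are assumed.
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class GreetingController {

    // HandlerMapping maps GET /greeting/{name} to this method.
    @GetMapping("/greeting/{name}")
    public String greeting(@PathVariable String name, Model model) {
        // Data handed to the view. "name" comes from the URL, so the template must
        // HTML-escape it when rendering (Thymeleaf's th:text does this by default).
        model.addAttribute("name", name);
        // The returned String is a logical view name: ViewResolver turns "greeting"
        // into a concrete view, e.g. templates/greeting.html with the Thymeleaf starter.
        return "greeting";
    }

    // With @ResponseBody the String is written directly to the HTTP response body;
    // ViewResolver is never consulted for this handler.
    @GetMapping("/ping")
    @ResponseBody
    public String ping() {
        return "pong";
    }
}
```

In a Spring Boot application this class only needs to sit in a scanned package; the embedded container registers DispatcherServlet automatically. GET `/ping` answers `pong` directly, while GET `/greeting/alice` renders the `greeting` template with `name` available to it.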

Overview of CVEs

  • CVE-2018-1270
    • Spring WebSocket Remote Code Execution Vulnerability
    • Spring Framework 5.0 - 5.0.5
    • Spring Framework 4.3 - 4.3.15
  • CVE-2018-1273
    • Spring Data Remote Code Execution Vulnerability
    • Spring Data Commons 1.13 - 1.13.10
    • Spring Data Commons 2.0 - 2.0.5
    • Spring Data REST 2.6 - 2.6.10
    • Spring Data REST 3.0 - 3.0.5
  • CVE-2017-8046
    • Spring Data REST Remote Code Execution Vulnerability
  • CVE-2017-4971
    • Spring Web Flow Remote Code Execution Vulnerability

Shiro

Introduction

Apache Shiro is a powerful and easy-to-use Java security framework with features including authentication, authorization, encryption and session management.

Overview of CVEs

  • CVE-2020-13933
    • Apache Shiro < 1.6.0
    • Authentication bypass vulnerability
  • CVE-2020-11989
    • SHIRO-782
    • Apache Shiro < 1.5.3
    • Authentication bypass vulnerability
  • CVE-2020-1957
    • SHIRO-682
    • Apache Shiro < 1.5.2
    • Authentication bypass vulnerability
  • CVE-2019-12422
    • SHIRO-721
    • Apache Shiro < 1.4.2
    • Padding Oracle Attack remote code execution vulnerability
  • CVE-2016-4437
    • SHIRO-550
    • Apache Shiro <= 1.2.4
    • Deserialization remote code execution vulnerability
  • CVE-2014-0074
    • SHIRO-460
    • Apache Shiro < 1.2.3
    • Authentication bypass vulnerability

CVE-2020-13933

In versions prior to Apache Shiro 1.6.0, the way Shiro's interceptor matches the requestURI differs from the way the web framework's interceptor matches it. An attacker can construct a special HTTP request that bypasses Shiro's authentication and gains unauthorized access to sensitive paths.

CVE-2020-11989

In versions prior to Apache Shiro 1.5.3, the way Shiro's interceptor matches the requestURI differs from the way the web framework's interceptor matches it. An attacker can construct a special HTTP request that bypasses Shiro's authentication and gains unauthorized access to sensitive paths. There are two attack methods for this vulnerability.

CVE-2020-1957

In versions prior to Apache Shiro 1.5.2, the way Shiro's interceptor matches the requestURI differs from the way the web framework's interceptor matches it. An attacker can construct a special HTTP request that bypasses Shiro's authentication and gains unauthorized access to sensitive paths.

CVE-2019-12422

Apache Shiro versions prior to 1.4.2 use the AES/CBC/PKCS5Padding mode. A Shiro component with the RememberMe function enabled allows a remote attacker to construct serialized data and, by brute-forcing it through a Padding Oracle Attack, execute arbitrary commands on the target even when the secret key is unknown.

CVE-2016-4437

In versions prior to Apache Shiro 1.2.5, org.apache.shiro.mgt.AbstractRememberMeManager contains a default AES key, kPH+bIxk5D2deZiIxcaaaA==. A Shiro component with the RememberMe function enabled allows a remote attacker to construct serialized data and execute arbitrary commands on the target server.
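The two RememberMe weaknesses above, a well-known default cipherKey (CVE-2016-4437) and a CBC mode that exposes a padding oracle (CVE-2019-12422), are both configuration decisions an application can override. The following is an added example, not code from the original post or from the Shiro project: it assumes the Shiro 1.x package layout and Shiro 1.4.2 or later, where OperationMode.GCM is available; the class and method names are assumed. It generates a random key, refuses the default key, selects AES/GCM and wires the manager into a DefaultWebSecurityManager.

```java
// Added example: hardening the Shiro RememberMe cookie against the default key and
// the CBC padding oracle. Assumes Shiro 1.4.2+ (GCM support) and 1.x packages.
import java.util.Base64;

import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.crypto.OperationMode;
import org.apache.shiro.crypto.PaddingScheme;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

public class ShiroRememberMeHardening {

    // The historical default key quoted above. Anyone who knows the key can forge
    // a RememberMe cookie, so this value must never be used in a deployment.
    static final String DEFAULT_KEY_BASE64 = "kPH+bIxk5D2deZiIxcaaaA==";

    // Fresh 128-bit AES key. In production, generate it once, keep it in a secret
    // store shared by all nodes, and load it at startup; never commit it to source.
    static byte[] generateCipherKey() {
        return new AesCipherService().generateNewKey().getEncoded();
    }

    static CookieRememberMeManager buildRememberMeManager(byte[] cipherKey) {
        if (cipherKey == null || cipherKey.length < 16) {
            throw new IllegalArgumentException("cipherKey must be at least 128 bits");
        }
        if (DEFAULT_KEY_BASE64.equals(Base64.getEncoder().encodeToString(cipherKey))) {
            throw new IllegalStateException("refusing to start with Shiro's default cipherKey");
        }
        // Authenticated encryption: a tampered cookie fails the GCM tag check before
        // anything is deserialized, so there is no padding error to act as an oracle.
        AesCipherService aes = new AesCipherService();
        aes.setMode(OperationMode.GCM);
        aes.setPaddingScheme(PaddingScheme.NONE);   // GCM is a stream mode; no block padding

        CookieRememberMeManager manager = new CookieRememberMeManager();
        manager.setCipherService(aes);
        manager.setCipherKey(cipherKey);
        manager.getCookie().setHttpOnly(true);      // keep the cookie out of reach of scripts
        manager.getCookie().setSecure(true);        // only send it over HTTPS
        return manager;
    }

    static DefaultWebSecurityManager buildSecurityManager(byte[] cipherKey) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRememberMeManager(buildRememberMeManager(cipherKey));
        return securityManager;
    }

    public static void main(String[] args) {
        buildSecurityManager(generateCipherKey());
        System.out.println("RememberMe configured with a random key and AES/GCM");

        // The guard in action: the default key is rejected at startup.
        try {
            buildRememberMeManager(Base64.getDecoder().decode(DEFAULT_KEY_BASE64));
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The startup check is the part worth copying: a deployment that is upgraded past 1.2.4 but keeps a `cipherKey` copied from an old tutorial is still forgeable, and failing fast makes that misconfiguration visible. Upgrading to a fixed release remains the primary fix; the GCM setting and the key check close the two weaknesses on the page for applications whose configuration predates the upgrade.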

ok~~~ see you next time


Origin blog.csdn.net/weixin_42350212/article/details/123440595