0x00 Vulnerability discovery

Two more CNVD entries

Recently I used the Xcheck Java engine to check several open source website systems and found security vulnerabilities in two of them: the RuoYi management system and MCMS.

RuoYi management system (https://gitee.com/y_project/RuoYi)

Vulnerability discovery process

Checking with Xcheck. Finding vulnerabilities with Xcheck is very easy: download the project source code, upload it to Xcheck for inspection, and by the time you have fetched a glass of water the results are in.

[Figure: Xcheck inspection result]

Result analysis

Here is a brief analysis of the vulnerabilities found in the RuoYi management system. The overview of the inspection results shows two high-risk SQL injection vulnerabilities. The taint chain of one of them is shown below (the code details from the report are omitted); the chain ends in a MyBatis SQL mapper file, where the SQL injection is triggered.

[Figure: Xcheck overview of inspection results]
[Figure: taint chain of the SQL injection vulnerability]
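The taint chain in the report ends in a MyBatis mapper, so it is worth recalling the MyBatis detail that usually decides whether such a sink is injectable. The following is an added illustration written for this note, not RuoYi's own mapper: the `UserMapper` interface, the `SysUser` type, the `sys_user` columns and the `OrderByGuard` helper are all assumptions, and the file needs the `mybatis` dependency on the classpath to compile.

```java
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import java.util.List;
import java.util.Set;

/** Minimal row type for the mapper below (constructed for this example). */
class SysUser {
    Long userId;
    String userName;
}

/**
 * Constructed MyBatis mapper showing the two placeholder syntaxes.
 * "#{}" binds a prepared-statement parameter; "${}" splices raw text into
 * the SQL before it reaches JDBC, which is the pattern a taint analysis
 * reports as SQL injection when the spliced value comes from the request.
 */
public interface UserMapper {

    // Safe: #{} becomes a JDBC bind parameter, so the value is never parsed as SQL.
    @Select("SELECT user_id, user_name FROM sys_user WHERE user_name = #{userName}")
    List<SysUser> findByName(@Param("userName") String userName);

    // Unsafe if orderBy is request-controlled: ${} is plain string substitution.
    // Identifiers (column names) cannot be bound with #{}, which is why ORDER BY
    // clauses are a common place for ${} to appear.
    @Select("SELECT user_id, user_name FROM sys_user ORDER BY ${orderBy}")
    List<SysUser> listOrdered(@Param("orderBy") String orderBy);
}

/**
 * Caller-side guard for the one case where ${} is unavoidable: only a fixed
 * allow-list of column names may reach the mapper. A guard like this, placed
 * on the path from the request to listOrdered(), is the kind of user-defined
 * protection a checker has to recognise to avoid a false positive.
 */
final class OrderByGuard {
    private static final Set<String> ALLOWED = Set.of("user_id", "user_name", "create_time");

    static String checkedColumn(String requested) {
        if (requested == null || !ALLOWED.contains(requested)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        return requested;
    }
}
```

When reviewing a chain that ends in a mapper, the first thing to check is therefore which placeholder the sink uses; with `#{}` the chain is a false positive, with `${}` it is real unless every path into it passes through an allow-list such as the guard above.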

Vulnerability verification

A test environment was set up locally; the verification results are as follows:

[Figure: database version information obtained through error-based injection]
[Figure: database version number obtained successfully]

0x01 Protection identification

Protection identification means that Xcheck can recognise user-defined security code: during inspection, a vulnerability that is already protected is not reported as a risk. As shown below, three such protected vulnerabilities were found in the inspection results for the RuoYi management system (confidence 0). The protection information shows that the safeguard is applied at line 46 of CommonController.java.

To verify that the protection identified by the checker is correct, look at line 46 of CommonController.java, where the validity of the file name is checked.

[Figure: the check tests whether the file name contains ..]

[Figure: the StringUtils utility class inherits from the Apache library's StringUtils class]

So the security protection identified by the checker is accurate. This shows that Xcheck can recognise user-defined security protection logic on its own, without any prior adaptation, and thus reduce false positives!
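To make the recognised protection concrete, here is an added example of the check described above, written for this note rather than taken from RuoYi: `DownloadGuard`, `isValidFilename`, `isInsideBase` and the `/var/app/uploads` root are all assumptions. The first method is the contains-".." test the checker recognised; the second shows the stricter form a reviewer would normally ask for, because a ".." test alone does not reject absolute paths.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Constructed illustration of a download file-name guard (not RuoYi's code). */
public final class DownloadGuard {

    /** The protection the checker recognised: reject any name containing "..". */
    public static boolean isValidFilename(String fileName) {
        return fileName != null && !fileName.contains("..");
    }

    /**
     * Stricter variant: resolve the name against the download root and require
     * the normalised result to stay inside it. Unlike the ".." test alone this
     * also rejects absolute paths such as "/etc/passwd".
     */
    public static boolean isInsideBase(Path baseDir, String fileName) {
        if (!isValidFilename(fileName)) {
            return false;
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(fileName).normalize();
        return target.startsWith(base) && !target.equals(base);
    }

    public static void main(String[] args) {
        Path root = Paths.get("/var/app/uploads"); // constructed download root
        String[] samples = {
            "report.pdf",      // accepted by both checks
            "sub/ok.txt",      // accepted by both checks
            "../etc/passwd",   // rejected by both checks
            "sub/../../x",     // rejected by both checks
            "/etc/passwd"      // passes the ".." test, rejected by the base-dir test
        };
        for (String s : samples) {
            System.out.printf("%-16s dotdot-check=%-5b inside-base=%b%n",
                    s, isValidFilename(s), isInsideBase(root, s));
        }
    }
}
```

The last sample is the point of the second method: a checker that marks the ".." test as sufficient protection is correct for traversal with relative paths, but a reviewer should still confirm that the resolved path is anchored under the intended directory.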

