Source: 自学PHP网 | Date: 2015-04-17 13:03
Once files under the WEB-INF directory can be read, the structure of the whole system becomes basically clear (and a drawback of the layered architecture shows itself at the same time!).
First read the Tomcat container's web.xml (since your site's web server architecture is basically Nginx + Tomcat) to learn the type and structure of the application framework: http://affiliate.qunar.com/affiliate/WEB-INF/web.xml

It references two Struts 1 configuration files: /WEB-INF/struts-config.xml and /WEB-INF/struts-front-config.xml. One is the configuration for the admin application; the other is for the user-facing application. Looking only at the admin application's configuration, struts-config.xml, we can enumerate every class file and locate the class file of the login Action (so rebuilding this small application becomes easy and pleasant! Action (decompiled), DTO (the fields are available both from the configuration file and by decompiling the DTO classes), DAO (if you don't like Hibernate, write your own JDBC), and the whole project is there! Haha!): http://affiliate.qunar.com/affiliate/WEB-INF/struts-config.xml

Download that class file and decompile it: http://affiliate.qunar.com/affiliate/WEB-INF/classes/com/qunar/affiliate/actions/LogonAction.class

```java
package com.qunar.affiliate.actions;

import com.qunar.affiliate.controller.UserController;
import com.qunar.affiliate.model.User;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.DynaActionForm;

public class LogonAction extends Action {
    static final String logon_user = "affiliate_user";

    public ActionForward execute(ActionMapping arg0, ActionForm arg1,
                                 HttpServletRequest arg2, HttpServletResponse arg3)
            throws Exception {
        DynaActionForm aform = (DynaActionForm) arg1;
        UserController uc = new UserController();
        // Credentials from the form are checked against the user table
        User user = uc.validateUser(aform.getString("name"), aform.getString("password"));
        if (user != null) {
            // Successful login: the User object becomes the session marker
            arg2.getSession().setAttribute("affiliate_user", user);
            return arg0.findForward("success");
        }
        return arg0.findForward("failed");
    }
}
```

Next, find the UserController class file and decompile it, which gave a surprise:
```java
package com.qunar.affiliate.controller;

import com.qunar.affiliate.model.User;
import com.qunar.affiliate.util.Encrypt;
import com.qunar.affiliate.util.HibernateUtil;
import org.apache.log4j.Logger;
import org.hibernate.Criteria;
import org.hibernate.SessionFactory;
import org.hibernate.Transaction;
import org.hibernate.classic.Session;
import org.hibernate.criterion.Example;

public class UserController {
    static Logger logger = Logger.getLogger(UserController.class);

    // Debug entry point left in the shipped class: both calls carry admin
    // account credentials as literals (passwords redacted by the reporter as "密码隐藏")
    public static void main(String[] args) {
        UserController controller = new UserController();
        if (args[0].equals("store")) {
            controller.createAndStoreUser("jingyi.zhang", "密码隐藏");
        } else if (args[0].equals("list")) {
            User localUser = controller.validateUser("qiang.zhou", "密码隐藏");
        }
    }

    public User createAndStoreUser(String name, String password) {
        Session session = null;
        try {
            session = HibernateUtil.getSessionFactory().openSession();
            session.beginTransaction();
            User user = new User();
            user.setName(name);
            // Password is stored as an unsalted SHA digest
            user.setHashed_password(Encrypt.change("SHA", password));
            session.save(user);
            session.getTransaction().commit();
            return user;
        } finally {
            if (session != null) {
                try {
                    session.close();
                } catch (Throwable t) {
                    logger.error("UserController close session failed!", t);
                }
            }
        }
    }

    public User validateUser(String name, String password) {
        Session session = null;
        try {
            session = HibernateUtil.getSessionFactory().openSession();
            session.beginTransaction();
            User user = new User();
            user.setName(name);
            user.setHashed_password(Encrypt.change("SHA", password));
            // Query-by-example on name + hashed password; null when nothing matches
            User vu = (User) session.createCriteria(User.class)
                    .add(Example.create(user)).uniqueResult();
            session.getTransaction().commit();
            return vu;
        } finally {
            if (session != null) {
                try {
                    session.close();
                } catch (Throwable t) {
                    logger.error("UserController close session failed!", t);
                }
            }
        }
    }
}
```

Both admin accounts used for debugging are still in there; they were never removed! Log in to the Qunar affiliate promotion management page; just look at the screenshot and judge the impact for yourself: http://affiliate.qunar.com/affiliate/logon.jsp (if this were used to plant something, someone would make money! Just kidding!) Let's continue!
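A pre-deployment check for exactly the finding above, added here as an example (not the report's or Qunar's code): it walks the constant pool of a compiled .class file to list its string literals and flags a leftover main() method, so hard-coded test accounts like the ones in UserController are caught before the class reaches a server that can serve WEB-INF. The class file it is run on is constructed by build_class() for the demonstration, not a real one.

```python
"""Audit a .class file for a leftover debug entry point (a main() method, as
in the decompiled UserController) and list the string literals it embeds,
where hard-coded test accounts would sit.  The sample class is constructed."""
import io
import struct

# Payload size after the tag byte for the fixed-width constant-pool entries.
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def audit_class(data):
    """Return (has_main, string_literals) for the bytes of one .class file."""
    f = io.BytesIO(data)
    u2 = lambda: struct.unpack(">H", f.read(2))[0]
    if f.read(8)[:4] != b"\xca\xfe\xba\xbe":      # magic, then minor/major version
        raise ValueError("not a class file")
    cp_count, utf8, strings, i = u2(), {}, [], 1
    while i < cp_count:
        tag = f.read(1)[0]
        if tag == 1:                              # CONSTANT_Utf8
            utf8[i] = f.read(u2()).decode("utf-8", "replace")
        elif tag == 8:                            # CONSTANT_String -> Utf8 index
            strings.append(u2())
        else:
            f.read(FIXED[tag])
        i += 2 if tag in (5, 6) else 1            # Long/Double take two slots
    f.read(6)                                     # access_flags, this_class, super_class
    f.read(2 * u2())                              # interfaces
    has_main = False
    for table in ("fields", "methods"):
        for _ in range(u2()):
            _acc, name, _desc, n_attr = struct.unpack(">HHHH", f.read(8))
            if table == "methods" and utf8.get(name) == "main":
                has_main = True
            for _ in range(n_attr):               # skip attribute bodies
                f.read(struct.unpack(">HI", f.read(6))[1])
    return has_main, [utf8[k] for k in strings]


def build_class(literals, methods):
    """Construct a minimal (not loadable) class file with the given literals."""
    cp, count = b"", 1
    def add(entry):
        nonlocal cp, count
        cp, count = cp + entry, count + 1
        return count - 1
    for s in literals:                            # Utf8 entry, then a String pointing at it
        add(b"\x08" + struct.pack(">H", add(b"\x01" + struct.pack(">H", len(s.encode())) + s.encode())))
    names = [add(b"\x01" + struct.pack(">H", len(m)) + m.encode()) for m in methods]
    out = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, count) + cp
    out += struct.pack(">HHHHH", 0x21, 0, 0, 0, 0)  # flags, this, super, 0 ifaces, 0 fields
    out += struct.pack(">H", len(names)) + b"".join(struct.pack(">HHHH", 9, k, 0, 0) for k in names)
    return out + b"\x00\x00"                      # no class attributes
```

Run audit_class() over every .class under WEB-INF/classes of a build and treat any (True, [...]) result as a release blocker to review.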
At the same time I noticed this line, which shows the data layer uses the Hibernate framework: session = HibernateUtil.getSessionFactory().openSession(); so the database configuration is exposed as well. Following the usual location convention for the Hibernate configuration file, I found it: http://affiliate.qunar.com/affiliate/WEB-INF/classes/hibernate.cfg.xml

```xml
<hibernate-configuration>
  <session-factory>
    <!-- Database connection settings -->
    <property name="connection.driver_class">com.mysql.jdbc.Driver</property>
    <property name="connection.url">jdbc:mysql://l-aff2.隐藏.隐藏.qunar.com/affiliate?characterEncoding=utf-8</property>
    <property name="connection.username">affiliate_new</property>
    <property name="connection.password">密码隐藏</property>
    <!-- JDBC connection pool (use the built-in) -->
    <!--<property name="connection.pool_size">10</property>-->
    <!-- hibernate c3p0 -->
    <property name="hibernate.connection.provider_class">org.hibernate.connection.C3P0ConnectionProvider</property>
    <property name="hibernate.c3p0.max_size">10</property>
    <property name="hibernate.c3p0.min_size">2</property>
    <property name="hibernate.c3p0.timeout">1800</property>
    <property name="hibernate.c3p0.max_statements">100</property>
    <property name="hibernate.c3p0.idle_test_period">3000</property>
    <property name="hibernate.c3p0.acquire_increment">2</property>
    <!-- SQL dialect -->
    <property name="dialect">org.hibernate.dialect.MySQLDialect</property>
    <!-- Enable Hibernate's automatic session context management -->
    <property name="current_session_context_class">thread</property>
    <!-- Disable the second-level cache -->
    <property name="cache.provider_class">org.hibernate.cache.NoCacheProvider</property>
    <!-- Echo all executed SQL to stdout -->
    <property name="show_sql">true</property>
    <!-- Drop and re-create the database schema on startup -->
    <!--<property name="hbm2ddl.auto">create</property>-->
    <mapping resource="com/qunar/affiliate/model/user.hbm.xml"/>
  </session-factory>
</hibernate-configuration>
```

But the database connection hostname points to the internal network, which disappointed me. Nothing clever here; anyone unfamiliar with the J2EE stack can treat it as a primer!
A few additional minor issues:

1. Page access control problems: http://u.qunar.com/left.jsp and http://u.qunar.com/direct/regUnion.jsp
2. Another weak password on a test webmaster account: test / test
3. An XSS in a JS callback

Fix recommendations: the security problems at your application layer are quite serious (the overall security architecture is relatively OK); developers and maintainers all need some security awareness training! What gift are you sending this time (last time I heard other things were being sent)?

Author: shine