    
    
  package secure.ch03.ex01.controller;
import java.io.IOException;
import java.io.InputStream;
import java.util.Scanner;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
/**
 * Exercise endpoint for ch03/ex01: runs an OS command built from the {@code job}
 * request parameter and returns its standard output as an HTML fragment.
 *
 * <p>Security note: no check restricts which {@code job} values are accepted. Only the
 * exact value {@code "type"} is rewritten; every other value is passed to the command
 * interpreter unchanged. This is the OS command injection weakness (CWE-78) that the
 * method name refers to. The defence is to select the command on the server from a
 * fixed set and never place request text in the command line.
 */
@Controller
@RequestMapping("/ch03/ex01/os")
public class OSController {
    // GET handler with an empty body; presumably Spring resolves the view (os.jsp)
    // from the request path -- confirm against the view resolver configuration.
    @RequestMapping(method=RequestMethod.GET)
    public void main(){}
    
    /**
     * Handles the form POST: builds a command from the {@code job} parameter, executes it
     * and returns what the process wrote to standard output.
     *
     * @param request the current request; only the {@code job} parameter is read
     * @param session used to reach the ServletContext for resolving the hello.txt directory
     * @return {@code "<b>RESULT: </b>"} followed by the output lines joined without
     *         separators, or {@code "ERROR!"} if the process could not be started
     */
    @RequestMapping(method=RequestMethod.POST)
    @ResponseBody
    public String testCommandInjection(HttpServletRequest request, HttpSession session){
        // Client-controlled value, taken verbatim; nothing below validates it.
        String job=request.getParameter("job");
            
        // Only the exact value "type" is expanded to "type <real path>hello.txt".
        // Any other string skips this branch and keeps its original content.
        if(job != null  && job.equals("type")) {
            job = job + " "
                 + session.getServletContext().getRealPath("/WEB-INF/views/ch03/ex01/")
                 + "hello.txt"; 
            System.out.println("ch03.ex01: " + job);
        }
        
        Process process;
        String osName = System.getProperty("os.name");
        String[] cmd;
        if(osName.toLowerCase().startsWith("window")) {
            // cmd.exe /c parses its argument as a command line, so the whole of `job`
            // is interpreted by the shell. The argv is also echoed to stdout as a log line.
            cmd = new String[]{"cmd.exe", "/c", job};
            System.out.print("ch03.ex01: ");
            for(String s : cmd) System.out.print(s+" ");
            System.out.println();
        // NOTE(review): without "-c", sh treats the argument as a script file name;
        // this branch probably never ran the intended command -- confirm target OS.
        }else cmd = new String[]{"/bin/sh",job};
        
        StringBuffer buffer=new StringBuffer();    
        try {
            // If the parameter was absent, cmd contains null; Runtime.exec rejects null
            // elements with NullPointerException, which the catch below does not handle.
            process = Runtime.getRuntime().exec(cmd);
            // Only standard output is read; standard error is never consumed.
            InputStream in = process.getInputStream(); 
            // The Scanner (and the stream it wraps) is never closed in this method.
            Scanner sc = new Scanner(in,"utf-8");
            buffer.append("<b>RESULT: </b>");
            // Output lines are appended as-is: no HTML escaping and no line separators,
            // although the fragment is inserted into the page as markup by os.jsp.
            while(sc.hasNextLine() == true) 
                buffer.append(sc.nextLine());
        }catch(IOException e){
            // Failure to start the process is reported to the client as a fixed string;
            // the stack trace goes to the server's standard error.
            buffer.append("ERROR!");
            e.printStackTrace();
        } 
        return buffer.toString();
    }
}
/WEB-INF/views/ch03/ex01/hello.txt
Hello, I love You.
/WEB-INF/views/ch03/ex01/os.jsp
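<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%-- Form for the ch03/ex01 exercise: posts the selected "job" value to this page's own
     URL with AJAX and shows the controller's reply in #result. --%>
<%-- jQuery is loaded over HTTPS explicitly: a protocol-relative URL would fetch the script
     over plain HTTP whenever the page itself is served over HTTP. Adding the integrity and
     crossorigin attributes with the hash published for this exact file would also pin its
     content. --%>
<script src="https://code.jquery.com/jquery-3.1.1.min.js"></script>
<script>
$(function(){
    // .on() replaces .bind(), which jQuery deprecated in 3.0.
    $("button").on("click", function() {
        var formArr = $("form").serializeArray();
        $("#result").empty();
        // No url is given, so the request goes to the current page's URL.
        $.ajax({
            data: formArr,
            method: "post",
            success: function(result){
                // The reply is parsed as HTML (the controller sends <b> markup), so any
                // command output the server includes unescaped is rendered as markup.
                $("#result").append(result);
            },
            error: function(a, b, errMsg){
                // The status text is plain text; insert it as a text node, not as HTML.
                $("#result").append(document.createTextNode(errMsg));
            }
        });
    });
});
</script>
<form>
    작업선택:
     <select name="job">
         <option value="type">-- type hello.txt --</option>
         <option value="dir">-- dir --</option>
     </select> 
     <button type="button">제출</button>          
</form>
<p id="result"></p>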
package secure.ch03.ex02.controller;
import java.io.IOException;
import java.io.InputStream;
import java.util.Scanner;
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
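/**
 * Exercise endpoint for ch03/ex02: runs one of a fixed set of OS commands and returns
 * its standard output as an HTML fragment.
 *
 * <p>The {@code job} request parameter only selects a command line defined in this class.
 * Its text is never copied into the string handed to the command interpreter, so a value
 * outside the set cannot reach the shell.
 */
@Controller("ch03.ex02.osController")
@RequestMapping("/ch03/ex02/os")
public class OSController {
    // GET handler with an empty body; presumably Spring resolves the view (os.jsp)
    // from the request path -- confirm against the view resolver configuration.
    @RequestMapping(method=RequestMethod.GET)
    public void main(){}
    
    /**
     * Handles the form POST for the allowlisted commands {@code "type"} and {@code "dir"}.
     *
     * @param job     request parameter naming the command; anything other than the two
     *                allowed values (including {@code null}) is refused
     * @param session used to reach the ServletContext for resolving the hello.txt directory
     * @return {@code "REJECTED."} for a value outside the allowlist; {@code "ERROR!"} if the
     *         file location cannot be resolved or the process cannot be started; otherwise
     *         {@code "<b>RESULT: </b>"} followed by the HTML-escaped output lines
     */
    @RequestMapping(method=RequestMethod.POST)
    @ResponseBody
    public String testCommandInjection(String job, HttpSession session){
        // Map the request value to a server-defined command line. Comparing with the
        // literal on the left makes a missing parameter fall through to the rejection.
        String commandLine;
        if("type".equals(job)) {
            String viewDir = session.getServletContext().getRealPath("/WEB-INF/views/ch03/ex01/");
            // getRealPath returns null when the container cannot map the path to the
            // file system; concatenating it would run the command on "nullhello.txt".
            if(viewDir == null) return "ERROR!";
            // NOTE(review): a deployment directory containing spaces would split this
            // argument in cmd.exe -- confirm, and quote the path if that can happen.
            commandLine = "type " + viewDir + "hello.txt";
            System.out.println("ch03.ex02: " + commandLine);
        } else if("dir".equals(job)) {
            commandLine = "dir";
        } else {
            return "REJECTED.";
        }

        String osName = System.getProperty("os.name");
        String[] cmd;
        if(osName.toLowerCase().startsWith("window")) {
            cmd = new String[]{"cmd.exe", "/c", commandLine};
            // Echo the argv to stdout as a log line.
            System.out.print("ch03.ex02: ");
            for(String s : cmd) System.out.print(s+" ");
            System.out.println();
        } else {
            // NOTE(review): without "-c", sh treats the argument as a script file name,
            // and "type"/"dir" are Windows commands; this branch probably never produced
            // the intended output -- confirm the target OS before changing it.
            cmd = new String[]{"/bin/sh", commandLine};
        }

        StringBuilder buffer = new StringBuilder();
        Scanner sc = null;
        try {
            Process process = Runtime.getRuntime().exec(cmd);
            // Only standard output is read; standard error is not consumed.
            InputStream in = process.getInputStream();
            sc = new Scanner(in, "utf-8");
            buffer.append("<b>RESULT: </b>");
            // os.jsp inserts this reply into the page as HTML, so the command output
            // (for example file names in a directory listing) is escaped first.
            while(sc.hasNextLine())
                buffer.append(escapeHtml(sc.nextLine()));
        } catch(IOException e) {
            buffer.append("ERROR!");
            e.printStackTrace();
        } finally {
            // Closing the Scanner also closes the process output stream it wraps.
            if(sc != null) sc.close();
        }
        return buffer.toString();
    }

    /** Replaces the characters that are significant in HTML with character references. */
    private static String escapeHtml(String text) {
        StringBuilder out = new StringBuilder(text.length());
        for(int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            if(c == '&') out.append("&amp;");
            else if(c == '<') out.append("&lt;");
            else if(c == '>') out.append("&gt;");
            else if(c == '"') out.append("&quot;");
            else if(c == '\'') out.append("&#39;");
            else out.append(c);
        }
        return out.toString();
    }
}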
/WEB-INF/views/ch03/ex02/os.jsp
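<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%-- Form for the ch03/ex02 exercise: posts the selected "job" value to this page's own
     URL with AJAX and shows the controller's reply in #result. The "del" option is not in
     the controller's allowed set ("type", "dir") and is answered with "REJECTED.". --%>
<%-- jQuery is loaded over HTTPS explicitly: a protocol-relative URL would fetch the script
     over plain HTTP whenever the page itself is served over HTTP. Adding the integrity and
     crossorigin attributes with the hash published for this exact file would also pin its
     content. --%>
<script src="https://code.jquery.com/jquery-3.1.1.min.js"></script>
<script>
$(function(){
    // .on() replaces .bind(), which jQuery deprecated in 3.0.
    $("button").on("click", function() {
        var formArr = $("form").serializeArray();
        $("#result").empty();
        // No url is given, so the request goes to the current page's URL.
        $.ajax({
            data: formArr,
            method: "post",
            success: function(result){
                // The reply is parsed as HTML (the controller sends <b> markup), so the
                // server is responsible for escaping any command output it includes.
                $("#result").append(result);
            },
            error: function(a, b, errMsg){
                // The status text is plain text; insert it as a text node, not as HTML.
                $("#result").append(document.createTextNode(errMsg));
            }
        });
    });
});
</script>
<form>
    작업선택:
     <select name="job">
         <option value="type">-- type --</option>
         <option value="dir">-- dir --</option>
         <option value="del">-- del --</option>
     </select> 
     <button type="button">제출</button>          
</form>
<p id="result"></p>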
