Java Gson库注释符漏洞

2023-05-02 11:19:46 浏览数 (2)

本文最后更新于 453 天前,其中的信息可能已经有所发展或是发生改变。

前言

这是在刷题期间碰到的一个知识点,懒得写wp了就写一篇文章来记录一下这个知识点。

正文

代码语言:javascript复制
import com.google.gson.Gson;
import com.mysql.cj.util.StringUtils;
import com.web.dao.Person;
import com.web.dao.baseDao;
import java.io.IOException;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class registerServlet
  extends HttpServlet {
  protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    resp.setContentType("text/html;charset=UTF-8");
    req.setAttribute("error", "<script>alert('Not Allowed')</script>");
    req.getRequestDispatcher("WEB-INF/register.jsp").forward((ServletRequest)req, (ServletResponse)resp);
  }

  protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    resp.setCharacterEncoding("UTF-8");
    Integer res = Integer.valueOf(0);
    String role = "";
    Gson gson = new Gson();
    Person person = new Person();
    Connection connection = null;
    String var = req.getParameter("data").replaceAll(" ", "").replace("'", """);  //把传进来的单引号替换成双引号

    Pattern pattern = Pattern.compile(""role":"(.*?)"");     //定义一个正则的编译表示,适配传进来的role这个字段
    Matcher matcher = pattern.matcher(var);               
    while (matcher.find()) {
      role = matcher.group();
    }

    if (!StringUtils.isNullOrEmpty(role)) {
      var = var.replace(role, ""role":"guest"");         //注册时把传进来的role一律替换成guest。
      person = (Person)gson.fromJson(var, Person.class);    //把传入的json字符串解析成对象
    } else {
      person = (Person)gson.fromJson(var, Person.class);
      person.setRole("guest");
    } 
    System.out.println(person);
    if (person.getUsername() == null || person.getPassword() == null) resp.sendError(500, "); 
    person.setPic("/static/cat.gif");
    try {
      connection = baseDao.getConnection();
    } catch (Exception e) {
      e.printStackTrace();
    } 
    if (connection != null) {
      String sql_query = "select * from ctf where username=?";
      Object[] params1 = { person.getUsername() };
      try {
        ResultSet rs = baseDao.execute(connection, sql_query, params1);

        if (rs.next()) {
          System.out.println(rs.next());
          resp.sendError(500, "user already exists!");
        } else {
          String sql = "insert into ctf (username,password,role,pic) values (?,?,?,?)";
          Object[] params2 = { person.getUsername(), person.getPassword(), person.getRole(), person.getPic() };
          res = Integer.valueOf(baseDao.Update(connection, sql, params2));
        } 
      } catch (SQLException e) {
        e.printStackTrace();
      } 
      baseDao.closeResource(connection, null, null);
    } 
    if (res.intValue() == 1)
      resp.getWriter().write("register success!"); 
  }
}

Gson库在进行解析json时可以进行多行注释,这一般人还真不知道这个知识点

正常json:{"username":"admin", "password":"123456","role":"admin"} 注释过的json:{"username":"admin", "password":"123456","role":"admin"/,"role":"test"/}

我这写个demo来实际测试一下就很明显了

写在最后

也没啥好说的,一个小知识点罢了。

浏览量: 236

0 人点赞