Java Gson库注释符漏洞
本文最后更新于 453 天前,其中的信息可能已经有所发展或是发生改变。
前言
这是在刷题期间碰到的一个知识点,懒得写wp了就写一篇文章来记录一下这个知识点。
正文
import com.google.gson.Gson;
import com.mysql.cj.util.StringUtils;
import com.web.dao.Person;
import com.web.dao.baseDao;
import java.io.IOException;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class registerServlet
extends HttpServlet {
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
resp.setContentType("text/html;charset=UTF-8");
req.setAttribute("error", "<script>alert('Not Allowed')</script>");
req.getRequestDispatcher("WEB-INF/register.jsp").forward((ServletRequest)req, (ServletResponse)resp);
}
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
resp.setCharacterEncoding("UTF-8");
Integer res = Integer.valueOf(0);
String role = "";
Gson gson = new Gson();
Person person = new Person();
Connection connection = null;
String var = req.getParameter("data").replaceAll(" ", "").replace("'", "\""); //把传进来的单引号替换成双引号
Pattern pattern = Pattern.compile("\"role\":\"(.*?)\""); //定义一个正则的编译表示,适配传进来的role这个字段
Matcher matcher = pattern.matcher(var);
while (matcher.find()) {
role = matcher.group();
}
if (!StringUtils.isNullOrEmpty(role)) {
var = var.replace(role, "\"role\":\"guest\""); //注册时把传进来的role一律替换成guest。
person = (Person)gson.fromJson(var, Person.class); //把传入的json字符串解析成对象
} else {
person = (Person)gson.fromJson(var, Person.class);
person.setRole("guest");
}
System.out.println(person);
if (person.getUsername() == null || person.getPassword() == null) resp.sendError(500, ");
person.setPic("/static/cat.gif");
try {
connection = baseDao.getConnection();
} catch (Exception e) {
e.printStackTrace();
}
if (connection != null) {
String sql_query = "select * from ctf where username=?";
Object[] params1 = { person.getUsername() };
try {
ResultSet rs = baseDao.execute(connection, sql_query, params1);
if (rs.next()) {
System.out.println(rs.next());
resp.sendError(500, "user already exists!");
} else {
String sql = "insert into ctf (username,password,role,pic) values (?,?,?,?)";
Object[] params2 = { person.getUsername(), person.getPassword(), person.getRole(), person.getPic() };
res = Integer.valueOf(baseDao.Update(connection, sql, params2));
}
} catch (SQLException e) {
e.printStackTrace();
}
baseDao.closeResource(connection, null, null);
}
if (res.intValue() == 1)
resp.getWriter().write("register success!");
}
}Gson库在进行解析json时可以进行多行注释,这一般人还真不知道这个知识点
正常json:{"username":"admin", "password":"123456","role":"admin"} 注释过的json:{"username":"admin", "password":"123456","role":"admin"/,"role":"test"/}
我这写个demo来实际测试一下就很明显了
写在最后
也没啥好说的,一个小知识点罢了。
浏览量: 236
本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
原始发表:2022-1-28 1,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录
腾讯云开发者
