├── CSRF
│   └── ~
├── Dos
│   └── ReDos
│       └── ~
├── IP Spoofing
│   └── ~
├── README.md
├── SQL Injection
│   ├── 1-Dynamic concatenation
│   │   └── Common keywords
│   ├── 2-Improper prepared-statement handling
│   │   ├── Improper handling of % and _
│   │   └── Common keywords
│   ├── 3-Improper framework usage
│   │   ├── Hibernate
│   │   │   └── Common keywords
│   │   ├── Mybatis
│   │   │   └── Common keywords
│   │   └── Framework-locating keywords
│   └── 4-Blacklist/whitelist and filter bypass
│       └── ~
├── SSRF
│   └── Common keywords
├── URL redirect
│   └── Common keywords
├── XXE
│   ├── Common XML parsing interfaces
│   └── Common keywords
├── Arbitrary code or command execution
│   ├── OS command injection
│   │   └── Common keywords
│   ├── Code injection
│   │   ├── Groovy
│   │   │   └── Common keywords
│   │   ├── JavascriptEngine(ScriptEngineManager
│   │   │   └── Common keywords
│   │   └── Jython
│   │       └── Common keywords
│   ├── Template injection
│   │   ├── Freemarker
│   │   │   └── Common keywords
│   │   └── Velocity
│   │       └── Common keywords
│   └── Expression injection
│       ├── Fel
│       │   └── Common keywords
│       ├── MVEL
│       │   └── Common keywords
│       ├── OGNL
│       │   └── Common keywords
│       └── SpEL
│           └── Common keywords
├── Arbitrary file read
│   └── %c0%ae safe-mode bypass
│       └── ~
├── Deserialization
│   ├── Common keywords
│   └── Common exploitable base libraries
├── File-related
│   └── Common classes
├── Log output vulnerabilities
│   └── Common keywords
├── Hardcoded credentials
│   └── Common keywords
└── Broken access control
    └── ~

/CSRF/~:
--------------------------------------------------------------------------------
~
--------------------------------------------------------------------------------

/Dos/ReDos/~:
--------------------------------------------------------------------------------
~
--------------------------------------------------------------------------------

/IP Spoofing/~:
--------------------------------------------------------------------------------
~
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# --Java
Code audit knowledge points, collected - Java
--------------------------------------------------------------------------------

/SQL Injection/1-Dynamic concatenation/Common keywords:
--------------------------------------------------------------------------------
Select|insert|update|delete|java.sql.Connection|Statement|.execute|.executeQuery|jdbcTemplate|queryForInt|queryForObject|queryForMap|getConnection|PreparedStatement|execute|executeQuery
--------------------------------------------------------------------------------

/SQL Injection/2-Improper prepared-statement handling/Improper handling of % and _:
--------------------------------------------------------------------------------
~
--------------------------------------------------------------------------------

/SQL Injection/2-Improper prepared-statement handling/Common keywords:
--------------------------------------------------------------------------------
setObject()
setInt()
setString()
setSQLXML()
--------------------------------------------------------------------------------

/SQL Injection/3-Improper framework usage/Hibernate/Common keywords:
--------------------------------------------------------------------------------
$
#
--------------------------------------------------------------------------------

/SQL Injection/3-Improper framework usage/Mybatis/Common keywords:
--------------------------------------------------------------------------------
Mysql:
order by ${id} asc
in (${id})
like '%${id}%'

Oracle:
like '%$id$%'
like '%'||'$id$'||'%'
--------------------------------------------------------------------------------

/SQL Injection/3-Improper framework usage/Framework-locating keywords:
--------------------------------------------------------------------------------
createQuery
session.save
session.update
session.delete
--------------------------------------------------------------------------------

/SQL Injection/4-Blacklist/whitelist and filter bypass/~:
--------------------------------------------------------------------------------
~
--------------------------------------------------------------------------------

/SSRF/Common keywords:
--------------------------------------------------------------------------------
share|wap|url|link|src|source|target|u|3g|display|sourceURl|imageURL|domain
HttpClient.execute|HttpURLConnection|URL.openStream|HttpServletRequest|getParamet|URL|HttpClient|Request|Okhttp|ImageIO.read
--------------------------------------------------------------------------------

/URL redirect/Common keywords:
--------------------------------------------------------------------------------
response.sendRedirect
request.getRequestDispatcher
response.setHeader
jsp:forward
--------------------------------------------------------------------------------

/XXE/Common XML parsing interfaces:
--------------------------------------------------------------------------------
javax.xml.parsers.DocumentBuilder
javax.xml.stream.XMLStreamReader
org.jdom.input.SAXBuilder
org.jdom2.input.SAXBuilder
javax.xml.parsers.SAXParser
org.dom4j.io.SAXReader
org.xml.sax.XMLReader
javax.xml.transform.sax.SAXSource
javax.xml.transform.TransformerFactory
javax.xml.transform.sax.SAXTransformerFactory
javax.xml.validation.SchemaFactory
javax.xml.bind.Unmarshaller
javax.xml.xpath.XPathExpression
org.apache.commons.digester3.Digester
--------------------------------------------------------------------------------

/XXE/Common keywords:
--------------------------------------------------------------------------------
DocumentBuilder|DocumentBuilderFactory|SAXReader|SAXParser|SAXParserFactory|SAXBuilder|TransformerFactory|reqXml|getInputStream|XMLReaderFactory|.newInstance|SchemaFactory|SAXTransformerFactory|javax.xml.bind|XMLReader|XmlUtils.get|Validator
--------------------------------------------------------------------------------

/Arbitrary code or command execution/OS command injection/Common keywords:
--------------------------------------------------------------------------------
System|exec|passthru|popen|shell_exec|eval|preg_replace|str_replace|call_user_func|getRuntime().exec|system|execlp|execvp|ShellExecute|wsystem|popen(|getRuntime|ProcessBuilder|execfile|input|Shell|ShellExecuteForExplore(|ShellExecute|execute|.exec|/bin/sh|/bin/bash|cmd
--------------------------------------------------------------------------------

/Arbitrary code or command execution/Code injection/Groovy/Common keywords:
--------------------------------------------------------------------------------
groovy.util.Eval.me
groovy.lang.GroovyShell.parse|evaluate
groovy.lang.Script.run
groovy.lang.GroovyClassLoader.parseClass
org.codehaus.groovy.runtime.InvokerHelper.newScript|createScript|runScript
org.codehaus.groovy.runtime.MethodClosure.MethodClosure
--------------------------------------------------------------------------------

/Arbitrary code or command execution/Code injection/JavascriptEngine(ScriptEngineManager/Common keywords:
--------------------------------------------------------------------------------
~
--------------------------------------------------------------------------------

/Arbitrary code or command execution/Code injection/Jython/Common keywords:
--------------------------------------------------------------------------------
~
--------------------------------------------------------------------------------

/Arbitrary code or command execution/Template injection/Freemarker/Common keywords:
--------------------------------------------------------------------------------
freemarker.template.Template.process
freemarker.core.Environment.process
freemarker.template.TemplateMethodModel.exec
freemarker.template.utility.Execute.exec
--------------------------------------------------------------------------------

/Arbitrary code or command execution/Template injection/Velocity/Common keywords:
--------------------------------------------------------------------------------
~
--------------------------------------------------------------------------------

/Arbitrary code or command execution/Expression injection/Fel/Common keywords:
--------------------------------------------------------------------------------
import com.greenpineyu.fel
--------------------------------------------------------------------------------

/Arbitrary code or command execution/Expression injection/MVEL/Common keywords:
--------------------------------------------------------------------------------
org.mvel2.MVEL.eval
org.mvel2.MVELInterpretedRuntime.parse
org.mvel2.ast.ASTNode.getReducedValue
org.mvel2.PropertyAccessor.get
org.mvel2.MVEL.execute
org.mvel2.compiler.ExecutableStatement.getValue
org.mvel2.compiler.ExecutableAccessor
org.mvel2.ast.NewObjectNode.getReducedValueAccelerated
org.mvel2.optimizers.AccessorOptimizer|org.mvel2.optimizers.dynamic.DynamicOptimizer.optimizeObjectCreation
--------------------------------------------------------------------------------

/Arbitrary code or command execution/Expression injection/OGNL/Common keywords:
--------------------------------------------------------------------------------
import ognl.*
--------------------------------------------------------------------------------

/Arbitrary code or command execution/Expression injection/SpEL/Common keywords:
--------------------------------------------------------------------------------
org.springframework.expression|parseExpression|getValue|getValueType|value="#{*}
--------------------------------------------------------------------------------

/Arbitrary file read/%c0%ae safe-mode bypass/~:
--------------------------------------------------------------------------------
~
--------------------------------------------------------------------------------

/Deserialization/Common keywords:
--------------------------------------------------------------------------------
ObjectInputStream.readObject
ObjectInputStream.readUnshared
XMLDecoder.readObject
Yaml.load
XStream.fromXML
ObjectMapper.readValue
JSON.parseObject
Serializable
--------------------------------------------------------------------------------

/Deserialization/Common exploitable base libraries:
--------------------------------------------------------------------------------
commons-io 2.4
commons-collections 3.1
commons-logging 1.2
commons-beanutils 1.9.2
org.slf4j:slf4j-api 1.7.21
com.mchange:mchange-commons-java 0.2.11
org.apache.commons:commons-collections 4.0
com.mchange:c3p0 0.9.5.2
org.beanshell:bsh 2.0b5
org.codehaus.groovy:groovy 2.3.9
org.springframework:spring-aop 4.1.4.RELEASE
--------------------------------------------------------------------------------

/File-related/Common classes:
--------------------------------------------------------------------------------
1. The JDK's original java.io.FileInputStream class

2. The JDK's original java.io.RandomAccessFile class

3. The org.apache.commons.io.FileUtils class provided by Apache Commons IO

4. The java.nio.channels.AsynchronousFileChannel class added in JDK 1.7, for NIO-based non-blocking asynchronous file reading.

5. The java.nio.file.Files class added in JDK 1.7, for NIO-based file reading. Common methods include Files.readAllBytes and Files.readAllLines

FileInputStream
FileOutputStream
File
FileUtils
IOUtils
BufferedReader
ServletFileUpload
MultipartFile
CommonsMultipartFile
PrintWriter
ZipInputStream
ZipEntry.getSize
--------------------------------------------------------------------------------

/Log output vulnerabilities/Common keywords:
--------------------------------------------------------------------------------
log.debug
log.error
log.info
log.warn
logger.severe
logger.error
--------------------------------------------------------------------------------

/Hardcoded credentials/Common keywords:
--------------------------------------------------------------------------------
pass|password|pwd|passwd|pswd|key|sharekey|checkpwd|crypto|cardno|PINNUMBER|admin|DEFAULT_PWD|PASSWORD|
key|sharekey|encrypt|enc|dec|decrypt
user|admin|operator|login|name|root
--------------------------------------------------------------------------------

/Broken access control/~:
--------------------------------------------------------------------------------
~
--------------------------------------------------------------------------------