Enterprise level inventory management system of code audit
2022-07-25 23:07:00 【Mauro_ K】
Preface
An enterprise-level purchase, sales and inventory management system written with SpringBoot, Shiro, MyBatis and EasyUI and built with Maven. The source code can be downloaded from GitHub: https://github.com/wangjiangfei/JXC.
I. Local project deployment
1) This article uses IDEA 2021.3. After downloading and decompressing the project, it looks like the following figure:
2) Because the project is developed on SpringBoot, you only need to import the database. This article uses phpstudy to start MySQL 5.7.
3) Connect to the database.
4) Create the jxc database and switch to it with use.
5) Import the jxc.sql file into the jxc database; note that the file path must use forward slashes.
6) Open the jxc project in IDEA. Note that you open the jxc folder, not jxc-master, and then wait for Maven to load the dependencies automatically. If pom.xml reports errors and the dependencies were not installed, see the figure below for how to configure Maven; the Maven environment is probably not configured correctly.
7) Modify the application.properties configuration file. Note that the comments in the source code are garbled, so you need to configure utf-8 when adding comments; the project also does not specify a port, so you need to add one yourself.
8) Start the project in either of the two ways.

9) Visit the project. The project address in this article is http://192.168.205.112:25001/login.html; according to the instructions the account and password are admin/admin123.
II. Vulnerability mining
1. Stock in: stored XSS in the Note field
1) For XSS it is enough to insert a pop-up, so this article ends the demonstration with that.
2) The pop-up appears on the purchase document query page.
3) Repeat the first step and capture the request when finally saving. In the code, find the mapping address via purchaseListGoods using global search (Ctrl+Shift+R), looking mainly for methods annotated with @RequestMapping.

4) It turns out that the obtained value is automatically injected through @Autowired and then saved directly; there is no filtering or interception anywhere in the automatic injection process.
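The "save the bound object as received" pattern described above beside a hardened version, as an added example that is not code from the JXC project; the request path, the entity and its remarks field are assumptions.

```java
// Added example, not code from the JXC project: the "save the bound object as
// received" pattern described above beside a hardened version. The path, the
// entity and its remarks field are assumptions.
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.util.HtmlUtils;
import java.util.ArrayList;
import java.util.List;

@RestController
@RequestMapping("/purchaseListGoods")
public class PurchaseListGoodsController {
    /** Assumed entity; only the free-text field behind the finding is shown. */
    public static class PurchaseListGoods {
        private String remarks;
        public String getRemarks() { return remarks; }
        public void setRemarks(String remarks) { this.remarks = remarks; }
    }

    // Stands in for the service/dao layers so the example needs no database.
    private final List<PurchaseListGoods> store = new ArrayList<>();

    // Vulnerable shape: the form-bound object is persisted exactly as received,
    // so a remarks value containing script tags is stored verbatim and executes
    // when the purchase query grid renders it (the stored XSS above).
    @PostMapping("/save")
    public String save(@ModelAttribute PurchaseListGoods goods) {
        store.add(goods);
        return "saved";
    }

    // Hardened shape: limit the length and HTML-escape the field before it
    // reaches the database. Escaping on output in the view remains the primary
    // control; this is the server-side filtering the finding says is absent.
    @PostMapping("/saveSafe")
    public String saveSafe(@ModelAttribute PurchaseListGoods goods) {
        String remarks = goods.getRemarks();
        if (remarks != null) {
            if (remarks.length() > 200) {
                return "remarks too long";
            }
            // "<b>x</b>" is stored as "&lt;b&gt;x&lt;/b&gt;" and renders as text.
            goods.setRemarks(HtmlUtils.htmlEscape(remarks));
        }
        store.add(goods);
        return "saved";
    }
}
```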
2. Fortify scan results

III. Summary
1) You can first check the pom.xml file to see which components are used and whether any of them has a vulnerability. The shiro-core dependency was found, so the first thought is whether a default key is present; this can be checked in the Shiro interceptor configuration file.
2) To use the rememberMe function, the Shiro filter must be set to /** = user. Here this item is set to authc, so the issue does not exist.
3) In the SpringBoot framework the usual flow is: the controller layer receives the front-end request and calls the service layer; the service layer runs the business logic and calls the dao layer to add, delete, modify and query the database; the dao layer calls the corresponding .xml file under resources, which holds the concrete SQL statements. All SQL statements are written in .xml files rather than opening a connection directly in Java code to query the database; this layering is clearer and the code is easier to maintain. Because the concrete SQL statements are in the .xml files, you can search the .xml files for the $ symbol to quickly find out whether SQL injection exists: ${} is string splicing, and the string is concatenated as is. The project in this article uses the #{} placeholder everywhere, so there is no SQL injection.
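The two MyBatis placeholder forms the summary contrasts, as an added example that is not code from the JXC project; it is written as an annotation mapper so it fits in one file, and the table, column and mapper names are assumptions. In the JXC project the same statements live in mapper .xml files, where the rule is identical.

```java
// Added example, not code from the JXC project: ${} splicing versus #{} binding
// in MyBatis. Table, column and mapper names are assumptions; the JXC project
// keeps these statements in mapper .xml files, where the same rule applies.
import java.util.List;
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

@Mapper
public interface GoodsMapper {
    /** Minimal row type for the queries below. */
    class Goods {
        public Integer id;
        public String name;
    }

    // ${} is text substitution: the value is spliced into the SQL string before
    // it is sent to MySQL, so a name containing a single quote closes the
    // literal and the rest of the input is parsed as SQL. This is the pattern
    // that searching the mapper files for "$" is meant to surface.
    @Select("SELECT id, name FROM t_goods WHERE name = '${name}'")
    List<Goods> findByNameUnsafe(@Param("name") String name);

    // #{} becomes a JDBC bind parameter (?): MySQL receives the value separately
    // from the statement text, so input can never change the query's structure.
    @Select("SELECT id, name FROM t_goods WHERE name = #{name}")
    List<Goods> findByName(@Param("name") String name);

    // LIKE searches are where ${} is often reached for by mistake; build the
    // pattern inside SQL so the parameter stays bound.
    @Select("SELECT id, name FROM t_goods WHERE name LIKE CONCAT('%', #{keyword}, '%')")
    List<Goods> search(@Param("keyword") String keyword);

    // Identifiers such as a sort column cannot be bound, so ${} is the only
    // option there; it is acceptable only when the caller has first passed the
    // value through a whitelist such as checkedSortColumn.
    @Select("SELECT id, name FROM t_goods ORDER BY ${sortColumn}")
    List<Goods> listSorted(@Param("sortColumn") String sortColumn);

    /** Whitelist for ORDER BY; anything not listed is rejected before the mapper. */
    static String checkedSortColumn(String requested) {
        if ("id".equals(requested) || "name".equals(requested)) {
            return requested;
        }
        throw new IllegalArgumentException("unsupported sort column: " + requested);
    }
}
```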