add deserialize

Author: JoyChou93

java-sec-code.iml

@@ -12,7 +12,7 @@
       </configuration>
     </facet>
   </component>
-  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_6">
+  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_8">
     <output url="file://$MODULE_DIR$/target/classes" />
     <output-test url="file://$MODULE_DIR$/target/test-classes" />
     <content url="file://$MODULE_DIR$">

src/main/java/org/joychou/controller/Deserialize.java

@@ -1,35 +1,99 @@
 package org.joychou.controller;
 
-
-import org.springframework.stereotype.Controller;
+import org.apache.commons.lang.StringUtils;
+import org.joychou.security.AntObjectInputStream;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
 
+import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
-import java.io.InputStream;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
 import java.io.ObjectInputStream;
+import java.util.Base64;
 
 /**
- * @author JoyChou ([email protected])
- * @Date   2018年06月14日
- * @Desc   该应用必须有Commons-Collections包才能利用反序列化命令执行。
+ * Deserialize RCE using Commons-Collections gadget.
+ *
+ * @author JoyChou @2018-06-14
  */
-
-@Controller
+@RestController
 @RequestMapping("/deserialize")
 public class Deserialize {
 
-    @RequestMapping("/test")
-    @ResponseBody
-    public static String deserialize_test(HttpServletRequest request) throws Exception{
-        try {
-            InputStream iii = request.getInputStream();
-            ObjectInputStream in = new ObjectInputStream(iii);
-            in.readObject();  // 触发漏洞
-            in.close();
-            return "test";
-        }catch (Exception e){
-            return "exception";
+
+    private static Logger logger= LoggerFactory.getLogger(Deserialize.class);
+
+    /**
+     * java -jar ysoserial.jar CommonsCollections5 "open -a Calculator" | base64
+     * Add the result to rememberMe cookie.
+     *
+     * http://localhost:8080/deserialize/rememberMe/vul
+     */
+    @RequestMapping("/rememberMe/vul")
+    public static String rememberMeVul(HttpServletRequest request)
+            throws IOException, ClassNotFoundException {
+
+        Cookie[] cookies = request.getCookies();
+        String rememberMe = "";
+
+        if (null == cookies) {
+            logger.info("No cookies.");
+        } else {
+            for (Cookie cookie : cookies) {
+                if ( cookie.getName().equals("rememberMe") ) {
+                    rememberMe = cookie.getValue();
+                }
+            }
+        }
+
+        if (StringUtils.isBlank(rememberMe) ) {
+            return "No rememberMe cookie. Right?";
         }
+
+        byte[] decoded = Base64.getDecoder().decode(rememberMe);
+        ByteArrayInputStream bytes = new ByteArrayInputStream(decoded);
+        ObjectInputStream in = new ObjectInputStream(bytes);
+        in.readObject();
+        in.close();
+
+        return "Are u ok?";
+    }
+
+    /**
+     * Check deserialize class using black list.
+     *
+     * http://localhost:8080/deserialize/rememberMe/security
+     */
+    @RequestMapping("/rememberMe/security")
+    public static String rememberMeBlackClassCheck(HttpServletRequest request)
+            throws IOException, ClassNotFoundException {
+
+        Cookie[] cookies = request.getCookies();
+        String rememberMe = "";
+
+        if (null == cookies) {
+            logger.info("No cookies in /rememberMe/security");
+        } else {
+            for (Cookie cookie : cookies) {
+                if ( cookie.getName().equals("rememberMe") ) {
+                    rememberMe = cookie.getValue();
+                }
+            }
+        }
+
+        if (StringUtils.isBlank(rememberMe) ) {
+            return "No rememberMe cookie. Right?";
+        }
+
+        byte[] decoded = Base64.getDecoder().decode(rememberMe);
+        ByteArrayInputStream bytes = new ByteArrayInputStream(decoded);
+        AntObjectInputStream in = new AntObjectInputStream(bytes);
+        in.readObject();
+        in.close();
+
+        return "I'm very OK.";
     }
 }

src/main/java/org/joychou/controller/SSRF.java

@@ -103,6 +103,9 @@ public static String ssrf_Request(HttpServletRequest request)
      * Download the url file.
      * http://localhost:8080/ssrf/openStream?url=file:///etc/passwd
      *
+     * new URL(String url).openConnection()
+     * new URL(String url).openStream()
+     * new URL(String url).getContent()
      */
     @RequestMapping("/openStream")
     @ResponseBody

src/main/java/org/joychou/security/AntObjectInputStream.java

@@ -36,7 +36,9 @@ protected Class<?> resolveClass(final ObjectStreamClass desc)
         // Deserialize class name: org.joychou.security.AntObjectInputStream$MyObject
         logger.info("Deserialize class name: " + className);
 
-        String[] denyClasses = {"java.net.InetAddress", "org.apache.commons.collections.Transformer"};
+        String[] denyClasses = {"java.net.InetAddress",
+                                "org.apache.commons.collections.Transformer",
+                                "org.apache.commons.collections.functors"};
 
         for (String denyClass : denyClasses) {
             if (className.startsWith(denyClass)) {