Conanjun
diff --git a/‎.gitignore‎
Lines changed: 5 additions & 1 deletion b/‎.gitignore‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 155 additions & 58 deletions b/‎README.md‎
Lines changed: 155 additions & 58 deletions
@@ -2,4 +2,8 @@
 .DS_Store
 target/
 other-vuls/
-*.iml
+docker/
+poc/
+src/main/java/org/joychou/test/
+*.iml
+docker_jdk_build.sh
@@ -1,109 +1,206 @@
-# Java Security Code
+# Java Sec Code
 
-## 介绍
 
-该项目也可以叫做Java Vulnerability Code(Java漏洞代码)。
+Java sec code is a very powerful and friendly project for learning Java vulnerability code.
 
-每个漏洞类型代码默认存在安全漏洞（除非本身不存在漏洞），相关修复代码在注释里。具体可查看每个漏洞代码和注释。
+[中文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README_zh.md)
 
-## 漏洞代码
+## Introduce
 
-- [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
+This project can also be called Java vulnerability code. 
+
+Each vulnerability type code has a security vulnerability by default unless there is no vulnerability. The relevant fix code is in the comments or code. Specifically, you can view each vulnerability code and comments.
+
+[Online demo](http://118.25.15.216:8080)
+
+Login username & password:
+
+```
+admin/admin123
+joychou/joychou123
+```
+
+
+## Vulnerability Code
+
+Sort by letter.
+
+- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback-online.xml)
+- [CommandInject](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CommandInject.java)
+- [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
+- [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
+- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)
+- [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
+- [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
+- [File Upload](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
+- [GetRequestURI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/GetRequestURI.java)
+- [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
+- [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
+- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Jsonp.java)
+- [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
+- [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
+- [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
+- [Swagger](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/config/SwaggerConfig.java)
+- [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
+- [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
 - [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)
-- [URL重定向](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java)
-- [IP伪造](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
+- [SSTI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSTI.java)
+- [URL Redirect](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java)
+- [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)
+- [xlsxStreamerXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java)
 - [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
-- [CRLF注入](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
-- [远程命令执行](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
-- [反序列化](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
-- [文件上传](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
-- [SQL注入](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
-- [URL白名单Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)
-- [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
-- [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
-- [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
-- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/JSONP.java)
-- [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java)
-- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback.xml)
+- [XStream](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XStreamRce.java)
+- [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
 
-## 漏洞说明
 
-- [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI)
-- [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
-- [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
-- [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)
+
+## Vulnerability Description
+
+- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/wiki/Actuators-to-RCE)
 - [CORS](https://github.com/JoyChou93/java-sec-code/wiki/CORS)
 - [CSRF](https://github.com/JoyChou93/java-sec-code/wiki/CSRF)
+- [Deserialize](https://github.com/JoyChou93/java-sec-code/wiki/Deserialize)
+- [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)
+- [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
-- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/wiki/Actuators-to-RCE)
+- [POI-OOXML XXE](https://github.com/JoyChou93/java-sec-code/wiki/Poi-ooxml-XXE)
+- [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
+- [SSRF](https://github.com/JoyChou93/java-sec-code/wiki/SSRF)
+- [SSTI](https://github.com/JoyChou93/java-sec-code/wiki/SSTI)
+- [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)
+- [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
 
+## How to run
 
-## 如何运行
+The application will use mybatis auto-injection. Please run mysql server ahead of time and configure the mysql server database's name and username/password except docker environment.
 
+``` 
+spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code
+spring.datasource.username=root
+spring.datasource.password=woshishujukumima
+```
 
-### Tomcat
+- Docker
+- IDEA
+- Tomcat
+- JAR
 
-1. 生成war包 `mvn clean package`
-2. 将target目录的war包，cp到Tomcat的webapps目录
-3. 重启Tomcat应用
+### Docker
 
 
-```
-http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami
-```
- 
-返回
+Start docker:
 
 ``` 
-Viarus
+docker-compose pull
+docker-compose up
 ```
 
-### IDEA
 
-如果想在IDEA中直接运行，需要在IDEA中添加Tomcat配置，步骤如下：
+Stop docker:
 
 ```
-Run -> Edit Configurations -> 添加TomcatServer(Local) -> Server中配置Tomcat路径 -> Deployment中添加Artifact选择java-sec-code:war exploded
+docker-compose down
 ```
 
-![tomcat](https://github.com/JoyChou93/java-sec-code/raw/master/idea-tomcat.png)
+Docker's environment:
 
-配置完成后，右上角直接点击run，即可运行。
+- Java 1.8.0_102
+- Mysql 8.0.17
+- Tomcat 8.5.11
+
+
+### IDEA
+
+- `git clone https://github.com/JoyChou93/java-sec-code`
+- Open in IDEA and click `run` button.
+
+Example:
 
 ```
 http://localhost:8080/rce/exec?cmd=whoami
 ```
- 
-返回
 
-``` 
+return:
+
+```
 Viarus
 ```
 
----
+### Tomcat
 
-有人反馈不想额外下载Tomcat，想使用SpringBoot自带的Tomcat，所以额外说明。
+- `git clone https://github.com/JoyChou93/java-sec-code` & `cd java-sec-code`
+- Build war package by `mvn clean package`.
+- Copy war package to tomcat webapps directory.
+- Start tomcat application.
 
-具体操作：执行`cp pom-idea.xml pom.xml`后，最后在IDEA中右键`Run Application`。
+Example:
 
-### Jar包
+```
+http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami
+```
 
+return:
 
-有人反馈想直接打Jar包运行。具体操作：
+```
+Viarus
+```
 
-先修改pom.xml里的配置，将war改成jar
 
-``` 
-    <groupId>sec</groupId>
-    <artifactId>java-sec-code</artifactId>
-    <version>1.0.0</version>
-    <packaging>war</packaging>
+### JAR
+
+Change `war` to `jar` in `pom.xml`.
+
+```xml
+<groupId>sec</groupId>
+<artifactId>java-sec-code</artifactId>
+<version>1.0.0</version>
+<packaging>war</packaging>
 ```
 
-再打包运行即可。
+Build package and run.
 
 ```
+git clone https://github.com/JoyChou93/java-sec-code
+cd java-sec-code
 mvn clean package -DskipTests 
-java -jar 打包后的jar包路径
+java -jar target/java-sec-code-1.0.0.jar
+```
+
+## Authenticate
+
+### Login
+
+[http://localhost:8080/login](http://localhost:8080/login)
+
+If you are not logged in, accessing any page will redirect you to the login page. The username & password are as follows.
+
 ```
+admin/admin123
+joychou/joychou123
+```
+
+### Logout
+
+[http://localhost:8080/logout](http://localhost:8080/logout)
+
+### RememberMe
+
+Tomcat's default JSESSION session is valid for 30 minutes, so a 30-minute non-operational session will expire. In order to solve this problem, the rememberMe function is introduced, and the default expiration time is 2 weeks.
+
+
+## Contributors
+
+Core developers : [JoyChou](https://github.com/JoyChou93), [liergou9981](https://github.com/liergou9981)
+Other developers: [lightless](https://github.com/lightless233),  [Anemone95](https://github.com/Anemone95), [waderwu](https://github.com/waderwu). 
+
+
+## Donate
+
+If you like the poject, you can donate to support me. With your support, I will be able to make `Java sec code` better 😎.
+
+### Alipay
+
+Scan the QRcode to support `Java sec code`.
+
+<img title="Alipay QRcode" src="https://aliyun-testaaa.oss-cn-shanghai.aliyuncs.com/alipay_qr.png" width="200">