
Commit 85ca363

committed
update readme
1 parent 0e4f22e commit 85ca363


4 files changed

+40
-29
lines changed


README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -44,6 +44,7 @@ Sort by letter.
4444
- [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI)
4545
- [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
4646
- [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
47+
- [SSRF](https://github.com/JoyChou93/java-sec-code/wiki/SSRF)
4748
- [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)
4849
- [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
4950
- [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
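Review bot: the new `- [SSRF](https://github.com/JoyChou93/java-sec-code/wiki/SSRF)` entry lands in the right alphabetical slot between SQLI and URL whitelist Bypass, but the neighbouring context line `- [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)` carries a misspelled wiki slug (`whtielist`); since this hunk already touches the list, it is a good moment to check whether the wiki page really uses that slug and correct the link if it does not.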

README_zh.md

Lines changed: 22 additions & 20 deletions
@@ -12,36 +12,38 @@
1212

1313
## 漏洞代码
1414

15-
- [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
16-
- [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)
17-
- [URL重定向](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java)
18-
- [IP伪造](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
19-
- [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
20-
- [CRLF注入](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
21-
- [远程命令执行](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
22-
- [反序列化](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
23-
- [文件上传](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
24-
- [SQL注入](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
25-
- [URL白名单Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)
26-
- [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
27-
- [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
15+
- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback.xml)
2816
- [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
17+
- [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
18+
- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/WebSecurityConfig.java)
19+
- [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
20+
- [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
21+
- [File Upload](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
22+
- [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
23+
- [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
2924
- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/JSONP.java)
25+
- [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
3026
- [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java)
31-
- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback.xml)
32-
- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/WebSecurityConfig.java)
27+
- [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
28+
- [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)
29+
- [URL Redirect](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java)
30+
- [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)
31+
- [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
32+
- [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
33+
3334

3435
## 漏洞说明
3536

36-
- [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI)
37-
- [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
38-
- [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
39-
- [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)
37+
- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/wiki/Actuators-to-RCE)
4038
- [CORS](https://github.com/JoyChou93/java-sec-code/wiki/CORS)
4139
- [CSRF](https://github.com/JoyChou93/java-sec-code/wiki/CSRF)
40+
- [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)
41+
- [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI)
4242
- [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
43-
- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/wiki/Actuators-to-RCE)
43+
- [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
44+
- [SSRF](https://github.com/JoyChou93/java-sec-code/wiki/SSRF)
4445
- [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)
46+
- [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
4547
- [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
4648

4749
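Review bot: the 漏洞代码 list replaces the Chinese labels (URL重定向, IP伪造, CRLF注入, 远程命令执行, 反序列化, 文件上传, SQL注入, URL白名单Bypass) with the English labels used in README.md, which leaves English item names under Chinese headings in the Chinese README; if the goal is only to bring both READMEs into the same sorted order, re-sorting while keeping the Chinese labels would serve zh readers better. Two smaller points: the `- [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)` context line carries the same misspelled wiki slug as README.md, and the blank line added after the XXE entry produces two consecutive blank lines before `## 漏洞说明`.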

src/main/java/org/joychou/controller/SSRF.java

Lines changed: 14 additions & 6 deletions
@@ -99,6 +99,11 @@ public static String ssrf_Request(HttpServletRequest request)
9999
}
100100

101101

102+
/**
103+
* Download the url file.
104+
* http://localhost:8080/ssrf/openStream?url=file:///etc/passwd
105+
*
106+
*/
102107
@RequestMapping("/openStream")
103108
@ResponseBody
104109
public static void ssrf_openStream (HttpServletRequest request, HttpServletResponse response) throws IOException {
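Review bot: the new Javadoc on `ssrf_openStream` reads `* Download the url file.` followed by the `file:///etc/passwd` example, but unlike the `* Safe code.` comments added later in this same change it never states that this method is the intentionally vulnerable variant; since the repository documents vulnerable and safe handlers side by side, a first line such as `* Vulnerable code: downloads whatever the url parameter points to, file:// URLs included.` would make the intent unambiguous to readers. The empty ` *` line before ` */` can also be dropped.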
@@ -155,6 +160,11 @@ public static void ssrf_okhttp(HttpServletRequest request) throws IOException {
155160
}
156161

157162

163+
/**
164+
* http://localhost:8080/ssrf/HttpClient?url=http://www.baidu.com
165+
*
166+
* @return The response of url param.
167+
*/
158168
@RequestMapping("/HttpClient")
159169
@ResponseBody
160170
public static String ssrf_HttpClient(HttpServletRequest request) {
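Review bot: the same labelling gap as the `openStream` comment applies here: the new Javadoc on `ssrf_HttpClient` gives only the example URL and `@return The response of url param.`, with no vulnerable/safe marker, whereas the `commonsHttpClient` and `ImageIO_safe` comments touched in this commit are tagged `Safe code.`; add the matching marker and tighten the tag text to `@return the response body fetched from the url parameter`.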
@@ -180,10 +190,9 @@ public static String ssrf_HttpClient(HttpServletRequest request) {
180190

181191

182192
/**
183-
* Safe code: http://localhost:8080/ssrf/commonsHttpClient?url=http://www.baidu.com
193+
* Safe code.
194+
* http://localhost:8080/ssrf/commonsHttpClient?url=http://www.baidu.com
184195
*
185-
* @param request
186-
* @return
187196
*/
188197
@RequestMapping("/commonsHttpClient")
189198
@ResponseBody
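Review bot: dropping the empty `@param request` and `@return` tags is right (empty tags only produce Javadoc warnings), but `commonsHttpClient` returns a `String`, so a filled-in `@return` describing what comes back would be more useful than removing the tag entirely; the `ssrf_HttpClient` comment added in this same commit keeps a `@return`, so the two methods would then be documented consistently.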
@@ -229,10 +238,9 @@ public static String commonsHttpClient(HttpServletRequest request) {
229238

230239

231240
/**
232-
* http://localhost:8080/ssrf/ImageIO_safe?url=
241+
* Safe code.
242+
* http://localhost:8080/ssrf/ImageIO_safe?url=http://www.baidu.com
233243
*
234-
* @param request
235-
* @return
236244
*/
237245
@RequestMapping("/ImageIO_safe")
238246
@ResponseBody
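Review bot: the example URL for `ImageIO_safe` changes from an empty `?url=` to `http://www.baidu.com`; given the method name, the endpoint presumably reads the target with ImageIO, and an HTML page is not an image, so an image URL (or a note that a non-image target is expected to fail) would make the documented example reproducible. The empty-tag removal matches the previous hunk, and the same suggestion to keep a filled-in `@return` applies.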

src/main/java/org/joychou/controller/XXE.java

Lines changed: 3 additions & 3 deletions
@@ -22,9 +22,9 @@
2222

2323

2424
/**
25-
* @author JoyChou ([email protected])
26-
* @date 2017.12.22
27-
* @desc Java XXE vul code.
25+
* Java xxe vul and safe code.
26+
*
27+
* @author JoyChou @2017-12-22
2828
*/
2929

3030
@Controller
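Review bot: folding the date into the author tag (`* @author JoyChou @2017-12-22`) puts non-author text into `@author`; standard Javadoc has no `@date` tag either, so the cleanest form is `@author JoyChou` on its own line with the date in a separate plain line or a `@since 2017-12-22`. Also `* Java xxe vul and safe code.` should read `Java XXE vulnerable and safe code.` to match the casing used in the class name and the README links.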
