add sqli

Author: JoyChou93

README.md

@@ -104,3 +104,83 @@ if __name__ == '__main__':
 
 访问`http://localhost:8080/file/`进行文件上传，上传成功后，再访问`http://localhost:8080/image/上传的文件名`可访问上传后的文件。
 
+## XXE
+
+2018年08月22日更新支持XInclude的XXE漏洞代码，详情见代码。
+
+POC
+
+```xml
+<?xml version="1.0" ?>
+<root xmlns:xi="http://www.w3.org/2001/XInclude">
+ <xi:include href="file:///etc/passwd" parse="text"/>
+</root>
+```
+
+URL编码后
+
+``` 
+http://localhost:8080/xxe/DocumentBuilder_xinclude?xml=%3C%3fxml+version%3d%221.0%22+%3f%3E%0d%0a%3Croot+xmlns%3axi%3d%22http%3a%2f%2fwww.w3.org%2f2001%2fXInclude%22%3E%0d%0a+%3Cxi%3ainclude+href%3d%22file%3a%2f%2f%2fetc%2fpasswd%22+parse%3d%22text%22%2f%3E%0d%0a%3C%2froot%3E
+```
+
+## SQL注入
+
+POC
+
+``` 
+http://localhost:8080/sqli/jdbc?name=joychou' or 'a'='a
+```
+
+返回`joychou: 123 wilson: 456 lightless: 789`
+
+正常访问`http://localhost:8080/sqli/jdbc?name=joychou`，返回`joychou: 123`
+
+数据库配置：
+
+```sql
+/*
+ Navicat Premium Data Transfer
+
+ Source Server         : localhost
+ Source Server Type    : MySQL
+ Source Server Version : 80012
+ Source Host           : localhost:3306
+ Source Schema         : sectest
+
+ Target Server Type    : MySQL
+ Target Server Version : 80012
+ File Encoding         : 65001
+
+ Date: 22/08/2018 21:09:57
+*/
+
+SET NAMES utf8mb4;
+SET FOREIGN_KEY_CHECKS = 0;
+
+-- ----------------------------
+-- Table structure for users
+-- ----------------------------
+DROP TABLE IF EXISTS `users`;
+CREATE TABLE `users` (
+  `name` varchar(255) NOT NULL,
+  `password` varchar(255) NOT NULL,
+  `isAdmin` varchar(255) NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci;
+
+-- ----------------------------
+-- Records of users
+-- ----------------------------
+BEGIN;
+INSERT INTO `users` VALUES ('joychou', '123', '1');
+INSERT INTO `users` VALUES ('wilson', '456', '0');
+INSERT INTO `users` VALUES ('lightless', '789', '0');
+COMMIT;
+
+SET FOREIGN_KEY_CHECKS = 1;
+
+```
+
+说明：
+
+SQL注入修复方式采用预处理方式，修复见代码。
+Mybatis的`#{}`也是预处理方式处理SQL注入。

java-sec-code.iml

@@ -12,7 +12,7 @@
       </configuration>
     </facet>
   </component>
-  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_8">
+  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_6">
     <output url="file://$MODULE_DIR$/target/classes" />
     <output-test url="file://$MODULE_DIR$/target/test-classes" />
     <content url="file://$MODULE_DIR$">
@@ -57,6 +57,9 @@
     <orderEntry type="library" name="Maven: org.slf4j:slf4j-api:1.7.22" level="project" />
     <orderEntry type="library" name="Maven: nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:1.4.0" level="project" />
     <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy:2.4.7" level="project" />
+    <orderEntry type="library" name="Maven: mysql:mysql-connector-java:8.0.12" level="project" />
+    <orderEntry type="library" name="Maven: com.google.protobuf:protobuf-java:2.6.0" level="project" />
+    <orderEntry type="library" name="Maven: com.alibaba:fastjson:1.2.49" level="project" />
     <orderEntry type="library" name="Maven: com.google.guava:guava:21.0" level="project" />
     <orderEntry type="library" name="Maven: commons-collections:commons-collections:3.1" level="project" />
     <orderEntry type="library" name="Maven: commons-lang:commons-lang:2.4" level="project" />

pom.xml

@@ -43,6 +43,20 @@
             <artifactId>spring-boot-starter-thymeleaf</artifactId>
         </dependency>
 
+        <!-- 处理jdbc的mysql连接-->
+        <dependency>
+            <groupId>mysql</groupId>
+            <artifactId>mysql-connector-java</artifactId>
+            <version>8.0.12</version>
+        </dependency>
+
+        <!-- 处理json数据 -->
+        <dependency>
+            <groupId>com.alibaba</groupId>
+            <artifactId>fastjson</artifactId>
+            <version>1.2.49</version>
+        </dependency>
+
 
         <dependency>
             <groupId>com.google.guava</groupId>

src/main/java/org/joychou/controller/SQLI.java

@@ -0,0 +1,80 @@
+package org.joychou.controller;
+
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.HttpServletRequest;
+import java.sql.*;
+
+
+/**
+ * Date：2018年08月22日
+ * Author: JoyChou
+ * Desc: SQL注入漏洞
+ */
+
+@Controller
+@RequestMapping("/sqli")
+public class SQLI {
+
+    @RequestMapping("/jdbc")
+    @ResponseBody
+    public static String jdbc_sqli(HttpServletRequest request){
+
+        String name = request.getParameter("name");
+        String driver = "com.mysql.jdbc.Driver";
+        String url = "jdbc:mysql://localhost:3306/sectest";
+        String user = "root";
+        String password = "woshishujukumima";
+        String result = "";
+        try {
+            Class.forName(driver);
+            Connection con = DriverManager.getConnection(url,user,password);
+
+            if(!con.isClosed())
+                System.out.println("Connecting to Database successfully.");
+
+            // sqli vuln code 漏洞代码
+             Statement statement = con.createStatement();
+             String sql = "select * from users where name = '" + name + "'";
+             System.out.println(sql);
+             ResultSet rs = statement.executeQuery(sql);
+
+            // fix code 用预处理修复SQL注入
+//            String sql = "select * from users where name = ?";
+//            PreparedStatement st = con.prepareStatement(sql);
+//            st.setString(1, name);
+//            System.out.println(st.toString());  // 预处理后的sql
+//            ResultSet rs = st.executeQuery();
+
+            System.out.println("-----------------");
+
+            while(rs.next()){
+                String res_name = rs.getString("name");
+                String res_pwd = rs.getString("password");
+                result +=  res_name + ": " + res_pwd + "\n";
+                System.out.println(res_name + ": " + res_pwd);
+
+            }
+            rs.close();
+            con.close();
+
+
+        }catch (ClassNotFoundException e) {
+            System.out.println("Sorry,can`t find the Driver!");
+            e.printStackTrace();
+        }catch (SQLException e) {
+            e.printStackTrace();
+        }catch (Exception e) {
+            e.printStackTrace();
+
+        }finally{
+            System.out.println("-----------------");
+            System.out.println("Connect database done.");
+        }
+        return result;
+    }
+
+}

src/main/java/org/joychou/controller/XXE.java

@@ -4,6 +4,8 @@
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
 import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
 import org.xml.sax.helpers.XMLReaderFactory;
 import org.xml.sax.XMLReader;
 import java.io.StringReader;
@@ -32,7 +34,6 @@ public static String xxe_xmlReader(HttpServletRequest request) {
             String xml_con = request.getParameter("xml").toString();
             System.out.println(xml_con);
             XMLReader xmlReader = XMLReaderFactory.createXMLReader();
-
             // fix code start
 
 //            xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
@@ -128,5 +129,50 @@ public static String xxe_DocumentBuilder(HttpServletRequest request) {
     }
 
 
+    @RequestMapping("/DocumentBuilder_xinclude")
+    @ResponseBody
+    public static String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
+        try {
+            String xml_con = request.getParameter("xml").toString();
+            System.out.println(xml_con);
+            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+
+            dbf.setXIncludeAware(true);   // 支持XInclude
+            dbf.setNamespaceAware(true);
+
+            // fix code start
+
+//            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+//            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+//            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+
+            // fix code end
+
+            DocumentBuilder db = dbf.newDocumentBuilder();
+            StringReader sr = new StringReader(xml_con);
+            InputSource is = new InputSource(sr);
+            Document document = db.parse(is);  // parse xml
+
+            NodeList rootNodeList = document.getChildNodes();
+
+            for (int i = 0; i < rootNodeList.getLength(); i++) {
+                Node rootNode = rootNodeList.item(i);
+                NodeList xxe = rootNode.getChildNodes();
+                for (int j = 0; j < xxe.getLength(); j++) {
+                    Node xxeNode = xxe.item(j);
+                    System.out.println("xxeNode: " + xxeNode.getNodeValue());  // 回显
+                }
+
+            }
+
+            sr.close();
+            return "test";
+        } catch (Exception e) {
+            System.out.println(e);
+            return "except";
+        }
+    }
+
+
 
 }