update mybatis sql injection

Author: JoyChou93

pom.xml

@@ -7,7 +7,7 @@
     <groupId>sec</groupId>
     <artifactId>java-sec-code</artifactId>
     <version>1.0.0</version>
-    <packaging>jar</packaging>
+    <packaging>war</packaging>
 
     <properties>
         <maven.compiler.source>1.8</maven.compiler.source> <!-- mvn clean package-->

src/main/java/org/joychou/controller/FileUpload.java

@@ -4,10 +4,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.servlet.mvc.support.RedirectAttributes;
 
@@ -21,6 +18,8 @@
 import java.nio.file.Paths;
 import java.util.UUID;
 
+import org.joychou.security.SecurityUtil;
+
 
 /**
  * @author  JoyChou ([email protected])
@@ -35,6 +34,7 @@ public class FileUpload {
     // Save the uploaded file to this folder
     private static String UPLOADED_FOLDER = "/tmp/";
     private final Logger logger= LoggerFactory.getLogger(this.getClass());
+    private final String mimeChars = "/abcdefghijklmnopqrstuvwxyz-.0123456789";
 
     @GetMapping("/")
     public String index() {
@@ -73,55 +73,62 @@ public String singleFileUpload(@RequestParam("file") MultipartFile file,
         return "redirect:/file/status";
     }
 
+
     // only upload picture
     @PostMapping("/upload/picture")
-    public String uploadPicture(@RequestParam("file") MultipartFile multifile,
-                                   RedirectAttributes redirectAttributes) throws Exception{
+    @ResponseBody
+    public String uploadPicture(@RequestParam("file") MultipartFile multifile) throws Exception{
         if (multifile.isEmpty()) {
-            // 赋值给uploadStatus.html里的动态参数message
-            redirectAttributes.addFlashAttribute("message", "Please select a file to upload");
-            return "redirect:/file/status";
+            return "Please select a file to upload";
         }
 
         String fileName = multifile.getOriginalFilename();
         String Suffix = fileName.substring(fileName.lastIndexOf(".")); // 获取文件后缀名
         String mimeType = multifile.getContentType(); // 获取MIME类型
         File excelFile = convert(multifile);
 
-        // 判断文件后缀名是否在白名单内
-        String picSuffixList[] = {".jpg", ".png", ".jpeg", ".gif", ".bmp"};  // 后缀名白名单
-        Boolean suffixFlag = false;
+
+        // 判断文件后缀名是否在白名单内  校验1
+        String picSuffixList[] = {".jpg", ".png", ".jpeg", ".gif", ".bmp", ".ico"};
+        boolean suffixFlag = false;
         for (String white_suffix : picSuffixList) {
             if (Suffix.toLowerCase().equals(white_suffix)) {
                 suffixFlag = true;
                 break;
             }
         }
-
         if (!suffixFlag) {
             logger.error("[-] Suffix error: " + Suffix);
+            deleteFile(excelFile);
+            return "Upload failed. Illeagl picture.";
         }
 
-        String mimeTypeBlackList[] = {"text/html"}; // 不允许传html
 
-        Boolean mimeBlackFlag = false;
+        // 判断MIME类型是否在黑名单内 校验2
+        String mimeTypeBlackList[] = {
+                "text/html",
+                "text/javascript",
+                "application/javascript",
+                "application/ecmascript",
+                "text/xml",
+                "application/xml"
+        };
         for (String blackMimeType : mimeTypeBlackList) {
-            if (mimeType.equalsIgnoreCase(blackMimeType) ) {
-                mimeBlackFlag = true;
+            // 用contains是为了防止text/html;charset=UTF-8绕过
+            if (SecurityUtil.replaceSpecialStr(mimeType).toLowerCase().contains(blackMimeType) ) {
                 logger.error("[-] Mime type error: " + mimeType);
-                break;
+                deleteFile(excelFile);
+                return "Upload failed. Illeagl picture.";
             }
         }
 
+        // 判断文件内容是否是图片 校验3
         boolean isImageFlag = isImage(excelFile);
 
-        if( !isImageFlag ){
+        if( !isImage(excelFile) ){
             logger.error("[-] File is not Image");
-        }
-        if ( !suffixFlag || mimeBlackFlag || !isImageFlag ) {
-            redirectAttributes.addFlashAttribute("message", "illeagl picture");
             deleteFile(excelFile);
-            return "redirect:/file/status";
+            return "Upload failed. Illeagl picture.";
         }
 
 
@@ -130,24 +137,16 @@ public String uploadPicture(@RequestParam("file") MultipartFile multifile,
             byte[] bytes = multifile.getBytes();
             Path path = Paths.get(UPLOADED_FOLDER + multifile.getOriginalFilename());
             Files.write(path, bytes);
-
-            redirectAttributes.addFlashAttribute("message",
-                    "You successfully uploaded '" + UPLOADED_FOLDER + multifile.getOriginalFilename() + "'");
-
         } catch (IOException e) {
-            redirectAttributes.addFlashAttribute("message", "upload failed");
-            e.printStackTrace();
+            logger.error(e.toString());
             deleteFile(excelFile);
-            return "redirect:/file/status";
+            return "Upload failed";
         }
 
         deleteFile(excelFile);
-        return "redirect:/file/status";
-    }
-
-    @GetMapping("/status")
-    public String uploadStatus() {
-        return "uploadStatus";
+        logger.info("[+] Safe file. Suffix: {}, MIME: {}", Suffix, mimeType);
+        logger.info("[+] Successfully uploaded {}{}", UPLOADED_FOLDER, multifile.getOriginalFilename());
+        return "Upload success";
     }
 
     private void deleteFile(File... files) {

src/main/java/org/joychou/controller/SQLI.java

@@ -3,6 +3,9 @@
 
 import org.joychou.mapper.UserMapper;
 import org.joychou.dao.User;
+import org.joychou.security.SecurityUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.*;
@@ -12,21 +15,24 @@
 
 
 /**
- * @author  JoyChou ([email protected])
- * @date    2018.08.22
- * @desc    SQL Injection
+ * SQL Injection
+ * @author  JoyChou @2018.08.22
  */
 
 @SuppressWarnings("Duplicates")
 @RestController
 @RequestMapping("/sqli")
 public class SQLI {
 
+    private static Logger logger = LoggerFactory.getLogger(SQLI.class);
     private static String driver = "com.mysql.jdbc.Driver";
+
     @Value("${spring.datasource.url}")
     private String url;
+
     @Value("${spring.datasource.username}")
     private String user;
+
     @Value("${spring.datasource.password}")
     private String password;
 
@@ -35,12 +41,12 @@ public class SQLI {
 
 
     /**
-     * Vul Code.
+     * Vuln Code.
      * http://localhost:8080/sqli/jdbc/vul?username=joychou
      *
      * @param username username
      */
-    @RequestMapping("/jdbc/vul")
+    @RequestMapping("/jdbc/vuln")
     public String jdbc_sqli_vul(@RequestParam("username") String username){
         String result = "";
         try {
@@ -50,37 +56,28 @@ public String jdbc_sqli_vul(@RequestParam("username") String username){
             if(!con.isClosed())
                 System.out.println("Connecting to Database successfully.");
 
-            // sqli vuln code 漏洞代码
+            // sqli vuln code
              Statement statement = con.createStatement();
              String sql = "select * from users where username = '" + username + "'";
-             System.out.println(sql);
+             logger.info(sql);
              ResultSet rs = statement.executeQuery(sql);
 
-
-            System.out.println("-----------------");
-
             while(rs.next()){
                 String res_name = rs.getString("username");
                 String res_pwd = rs.getString("password");
                 result +=  res_name + ": " + res_pwd + "\n";
-                System.out.println(res_name + ": " + res_pwd);
-
+                logger.info(res_name + ": " + res_pwd);
             }
             rs.close();
             con.close();
 
 
         }catch (ClassNotFoundException e) {
-            System.out.println("Sorry,can`t find the Driver!");
-            e.printStackTrace();
+            logger.error("Sorry,can`t find the Driver!");
         }catch (SQLException e) {
-            e.printStackTrace();
+            logger.error(e.toString());
         }catch (Exception e) {
-            e.printStackTrace();
-
-        }finally{
-            System.out.println("-----------------");
-            System.out.println("Connect database done.");
+            logger.error(e.toString());
         }
         return result;
     }
@@ -103,62 +100,60 @@ public String jdbc_sqli_sec(@RequestParam("username") String username){
             if(!con.isClosed())
                 System.out.println("Connecting to Database successfully.");
 
-
             // fix code
             String sql = "select * from users where username = ?";
             PreparedStatement st = con.prepareStatement(sql);
             st.setString(1, username);
-            System.out.println(st.toString());  // sql after prepare statement
+            logger.info(st.toString());  // sql after prepare statement
             ResultSet rs = st.executeQuery();
 
-            System.out.println("-----------------");
-
             while(rs.next()){
                 String res_name = rs.getString("username");
                 String res_pwd = rs.getString("password");
                 result +=  res_name + ": " + res_pwd + "\n";
-                System.out.println(res_name + ": " + res_pwd);
-
+                logger.info(res_name + ": " + res_pwd);
             }
+
             rs.close();
             con.close();
 
-
         }catch (ClassNotFoundException e) {
-            System.out.println("Sorry,can`t find the Driver!");
+            logger.error("Sorry,can`t find the Driver!");
             e.printStackTrace();
         }catch (SQLException e) {
-            e.printStackTrace();
+            logger.error(e.toString());
         }catch (Exception e) {
-            e.printStackTrace();
-
-        }finally{
-            System.out.println("-----------------");
-            System.out.println("Connect database done.");
+            logger.error(e.toString());
         }
         return result;
     }
 
     /**
-     * vul code
-     * http://localhost:8080/sqli/mybatis/vul01?username=joychou' or '1'='1
+     * vuln code
+     * http://localhost:8080/sqli/mybatis/vuln01?username=joychou' or '1'='1
      *
      * @param username username
      */
-    @GetMapping("/mybatis/vul01")
-    public List<User> mybatis_vul1(@RequestParam("username") String username) {
-        return userMapper.findByUserNameVul(username);
+    @GetMapping("/mybatis/vuln01")
+    public List<User> mybatisVuln01(@RequestParam("username") String username) {
+        return userMapper.findByUserNameVuln01(username);
     }
 
     /**
      * vul code
-     * http://localhost:8080/sqli/mybatis/vul02?username=joychou' or '1'='1' %23
+     * http://localhost:8080/sqli/mybatis/vuln02?username=joychou' or '1'='1' %23
      *
      * @param username username
      */
-    @GetMapping("/mybatis/vul02")
-    public List<User> mybatis_vul2(@RequestParam("username") String username) {
-        return userMapper.findByUserNameVul2(username);
+    @GetMapping("/mybatis/vuln02")
+    public List<User> mybatisVuln02(@RequestParam("username") String username) {
+        return userMapper.findByUserNameVuln02(username);
+    }
+
+    // http://localhost:8080/sqli/mybatis/orderby/vuln03?sort=1 desc%23
+    @GetMapping("/mybatis/orderby/vuln03")
+    public List<User> mybatisVuln03(@RequestParam("sort") String sort) {
+        return userMapper.findByUserNameVuln03(sort);
     }
 
 
@@ -169,7 +164,7 @@ public List<User> mybatis_vul2(@RequestParam("username") String username) {
      * @param username username
      */
     @GetMapping("/mybatis/sec01")
-    public User mybatis_sec1(@RequestParam("username") String username) {
+    public User mybatisSec01(@RequestParam("username") String username) {
         return userMapper.findByUserName(username);
     }
 
@@ -180,7 +175,7 @@ public User mybatis_sec1(@RequestParam("username") String username) {
      * @param id id
      */
     @GetMapping("/mybatis/sec02")
-    public User mybatis_sec2(@RequestParam("id") Integer id) {
+    public User mybatisSec02(@RequestParam("id") Integer id) {
         return userMapper.findById(id);
     }
 
@@ -190,9 +185,14 @@ public User mybatis_sec2(@RequestParam("id") Integer id) {
      * http://localhost:8080/sqli/mybatis/sec03
      **/
     @GetMapping("/mybatis/sec03")
-    public User mybatis_sec3() {
+    public User mybatisSec03() {
         return userMapper.OrderByUsername();
     }
 
 
+    @GetMapping("/mybatis/orderby/sec04")
+    public List<User> mybatisOrderBySec04(@RequestParam("sort") String sort) {
+        return userMapper.findByUserNameVuln03(SecurityUtil.sqlFilter(sort));
+    }
+
 }

src/main/java/org/joychou/controller/SSRF.java

@@ -195,9 +195,10 @@ public static String ssrf_HttpClient(@RequestParam String url) {
 
 
     /**
-     * Safe code.
-     * http://localhost:8080/ssrf/commonsHttpClient/sec?url=http://www.baidu.com
+     * https://mvnrepository.com/artifact/commons-httpclient/commons-httpclient
+     * UserAgent: Jakarta Commons-HttpClient/3.1 (2007.08 publish)
      *
+     * http://localhost:8080/ssrf/commonsHttpClient/sec?url=http://www.baidu.com
      */
     @RequestMapping("/commonsHttpClient/sec")
     @ResponseBody

src/main/java/org/joychou/controller/URLWhiteList.java

@@ -212,4 +212,5 @@ public String sec_array_indexOf(@RequestParam("url") String url) throws Exceptio
         }
         return "Bad url.";
     }
+
 }

src/main/java/org/joychou/dao/User.java

@@ -15,15 +15,13 @@ public void setId(Integer id) {
         this.id = id;
     }
 
-
     public String getUsername() {
         return username;
     }
     public void setUsername(String username) {
         this.username = username;
     }
 
-
     public String getPassword() {
         return password;
     }