add a xxe sink code

JoyChou93 · JoyChou93 · commit ea74d170f1f0 · 2019-07-30T14:07:09.000+08:00
diff --git a/README.md b/README.md
@@ -11,6 +11,11 @@ This project can also be called Java vulnerability code.
 
 Each vulnerability type code has a security vulnerability by default unless there is no vulnerability. The relevant fix code is in the comments or code. Specifically, you can view each vulnerability code and comments.
 
+[Online demo](http://118.25.15.216:8080)
+
+
+
+
 
 ## Vulnerability Code
 
@@ -73,11 +78,20 @@ spring.datasource.password=woshishujukumima
 ### Docker
 
 
+Start docker:
 
 ``` 
+docker-compose pull
 docker-compose up
 ```
 
+
+Stop docker:
+
+```
+docker-compose down
+```
+
 Docker's environment:
 
 - Java 1.8.0_102
diff --git a/README_zh.md b/README_zh.md
@@ -10,6 +10,8 @@
 
 每个漏洞类型代码默认存在安全漏洞（除非本身不存在漏洞），相关修复代码在注释里。具体可查看每个漏洞代码和注释。
 
+[在线Demo](http://118.25.15.216:8080)
+
 
 ## 漏洞代码
 
@@ -70,10 +72,19 @@ spring.datasource.password=woshishujukumima
 
 ### Docker
 
+开启应用：
+
 ``` 
+docker-compose pull
 docker-compose up
 ```
 
+关闭应用：
+
+```
+docker-compose down
+```
+
 Docker环境：
 
 - Java 1.8.0_102
diff --git a/src/main/java/org/joychou/controller/SQLI.java b/src/main/java/org/joychou/controller/SQLI.java
@@ -21,7 +21,7 @@
 public class SQLI {
 
     private static String driver = "com.mysql.jdbc.Driver";
-    private static String url = "jdbc:mysql://localhost:3306/java_sec_code";
+    private static String url = "jdbc:mysql://127.0.0.1:3306/java_sec_code";
     private static String user = "root";
     private static String password = "woshishujukumima";
 
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
@@ -2,7 +2,6 @@
 
 
 import org.dom4j.io.SAXReader;
-import org.springframework.stereotype.*;
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
 import org.w3c.dom.Document;
@@ -28,12 +27,11 @@
  * @author JoyChou @2017-12-22
  */
 
-@Controller
+@RestController
 @RequestMapping("/xxe")
 public class XXE {
 
     @RequestMapping(value = "/xmlReader", method = RequestMethod.POST)
-    @ResponseBody
     public String xxe_xmlReader(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -49,7 +47,6 @@ public String xxe_xmlReader(HttpServletRequest request) {
 
 
     @RequestMapping(value = "/xmlReader_fix", method = RequestMethod.POST)
-    @ResponseBody
     public  String xxe_xmlReader_fix(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -72,7 +69,6 @@ public  String xxe_xmlReader_fix(HttpServletRequest request) {
 
 
     @RequestMapping(value = "/SAXBuilder", method = RequestMethod.POST)
-    @ResponseBody
     public  String xxe_SAXBuilder(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -88,7 +84,6 @@ public  String xxe_SAXBuilder(HttpServletRequest request) {
     }
 
     @RequestMapping(value = "/SAXBuilder_fix", method = RequestMethod.POST)
-    @ResponseBody
     public  String xxe_SAXBuilder_fix(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -107,7 +102,6 @@ public  String xxe_SAXBuilder_fix(HttpServletRequest request) {
     }
 
     @RequestMapping(value = "/SAXReader", method = RequestMethod.POST)
-    @ResponseBody
     public  String xxe_SAXReader(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -124,7 +118,6 @@ public  String xxe_SAXReader(HttpServletRequest request) {
     }
 
     @RequestMapping(value = "/SAXReader_fix", method = RequestMethod.POST)
-    @ResponseBody
     public  String xxe_SAXReader_fix(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -144,7 +137,6 @@ public  String xxe_SAXReader_fix(HttpServletRequest request) {
     }
 
     @RequestMapping(value = "/SAXParser", method = RequestMethod.POST)
-    @ResponseBody
     public String xxe_SAXParser(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -163,7 +155,6 @@ public String xxe_SAXParser(HttpServletRequest request) {
 
 
     @RequestMapping(value = "/SAXParser_fix", method = RequestMethod.POST)
-    @ResponseBody
     public String xxe_SAXParser_fix(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -184,7 +175,6 @@ public String xxe_SAXParser_fix(HttpServletRequest request) {
 
 
     @RequestMapping(value = "/Digester", method = RequestMethod.POST)
-    @ResponseBody
     public String xxe_Digester(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -201,7 +191,6 @@ public String xxe_Digester(HttpServletRequest request) {
     }
 
     @RequestMapping(value = "/Digester_fix", method = RequestMethod.POST)
-    @ResponseBody
     public String xxe_Digester_fix(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -223,7 +212,6 @@ public String xxe_Digester_fix(HttpServletRequest request) {
 
     // 有回显的XXE
     @RequestMapping(value = "/DocumentBuilder_return", method = RequestMethod.POST)
-    @ResponseBody
     public String xxeDocumentBuilderReturn(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -257,7 +245,6 @@ public String xxeDocumentBuilderReturn(HttpServletRequest request) {
 
 
     @RequestMapping(value = "/DocumentBuilder", method = RequestMethod.POST)
-    @ResponseBody
     public String DocumentBuilder(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -294,7 +281,6 @@ public String DocumentBuilder(HttpServletRequest request) {
 
 
     @RequestMapping(value = "/DocumentBuilder_fix", method = RequestMethod.POST)
-    @ResponseBody
     public String xxe_DocumentBuilder_fix(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -319,7 +305,6 @@ public String xxe_DocumentBuilder_fix(HttpServletRequest request) {
 
 
     @RequestMapping(value = "/DocumentBuilder_xinclude", method = RequestMethod.POST)
-    @ResponseBody
     public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -356,7 +341,6 @@ public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
 
 
     @RequestMapping(value = "/DocumentBuilder_xinclude_fix", method = RequestMethod.POST)
-    @ResponseBody
     public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -395,4 +379,40 @@ public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
     }
 
 
+    @PostMapping("/XMLReader/vul")
+    public String XMLReaderVul(HttpServletRequest request) {
+        try {
+            String xml_con = Tools.getBody(request);
+            System.out.println(xml_con);
+            SAXParserFactory spf = SAXParserFactory.newInstance();
+            SAXParser saxParser = spf.newSAXParser();
+            XMLReader xmlReader = saxParser.getXMLReader();
+            xmlReader.parse( new InputSource(new StringReader(xml_con)) );
+            return "test";
+        } catch (Exception e) {
+            System.out.println(e.toString());
+            return "except";
+        }
+    }
+
+
+    @PostMapping("/XMLReader/fixed")
+    public String XMLReaderSec(HttpServletRequest request) {
+        try {
+            String xml_con = Tools.getBody(request);
+            System.out.println(xml_con);
+            SAXParserFactory spf = SAXParserFactory.newInstance();
+            SAXParser saxParser = spf.newSAXParser();
+            XMLReader xmlReader = saxParser.getXMLReader();
+            xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            xmlReader.parse( new InputSource(new StringReader(xml_con)) );
+            return "test";
+        } catch (Exception e) {
+            System.out.println(e.toString());
+            return "except";
+        }
+    }
+
 }
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONP.java b/src/main/java/org/joychou/controller/jsonp/JSONP.java
@@ -2,10 +2,13 @@
 
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.JSONObject;
+
 import org.joychou.security.SecurityUtil;
 import org.springframework.http.MediaType;
 import org.springframework.security.web.csrf.CsrfToken;
+import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.*;
+
 import javax.servlet.http.HttpServletRequest;
 import java.security.Principal;
 import java.util.HashMap;
@@ -35,11 +38,11 @@ public static String getUserInfo(HttpServletRequest request) {
 
         return JSON.toJSONString(m);
     }
+
     /**
      * Set the response content-type to application/javascript.
-     *
+     * <p>
      * http://localhost:8080/jsonp/referer?callback=test
-     *
      */
     @RequestMapping(value = "/referer", produces = "application/javascript")
     private String referer(HttpServletRequest request) {
@@ -50,9 +53,8 @@ private String referer(HttpServletRequest request) {
     /**
      * Direct access does not check Referer, non-direct access check referer.
      * Developer like to do jsonp testing like this.
-     *
+     * <p>
      * http://localhost:8080/jsonp/emptyReferer?callback=test
-     *
      */
     @RequestMapping(value = "/emptyReferer", produces = "application/javascript")
     private String emptyReferer(HttpServletRequest request) {
@@ -72,7 +74,7 @@ private String emptyReferer(HttpServletRequest request) {
      * http://localhost:8080/jsonp/advice?_callback=test
      *
      * @return Only return object, AbstractJsonpResponseBodyAdvice can be used successfully.
-     *         Such as JSONOjbect or JavaBean. String type cannot be used.
+     * Such as JSONOjbect or JavaBean. String type cannot be used.
      */
     @RequestMapping(value = "/advice", produces = MediaType.APPLICATION_JSON_VALUE)
     public JSONObject advice(HttpServletRequest request) {
@@ -99,13 +101,12 @@ private String safecode(HttpServletRequest request) {
 
     /**
      * http://localhost:8080/jsonp/getToken
-     * @return token {"token":"115329a7-3a85-4c31-9c02-02fa1bd1fdf8","parameterName":"_csrf","headerName":"X-XSRF-TOKEN"}
      *
+     * @return token {"token":"115329a7-3a85-4c31-9c02-02fa1bd1fdf8","parameterName":"_csrf","headerName":"X-XSRF-TOKEN"}
      */
     @RequestMapping("/getToken")
     public CsrfToken csrf(CsrfToken token) {
         return token;
     }
 
-
 }
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
@@ -1,5 +1,5 @@
 
-spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code?useUnicode=true&characterEncoding=utf8&AllowPublicKeyRetrieval=True&useSSL=false&serverTimezone=GMT%2B8
+spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code?useUnicode=true&characterEncoding=utf8&AllowPublicKeyRetrieval=true&useSSL=false&serverTimezone=GMT%2B8
 spring.datasource.username=root
 spring.datasource.password=woshishujukumima
 spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
