添加反序列化漏洞接口

JoyChou93 · JoyChou93 · commit dbe5d64da7c0 · 2018-06-14T22:26:16.000+08:00
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-## Java Security Code
+# Java Security Code
 
 
 - [XMLInject](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XMLInjection.java)
@@ -8,10 +8,13 @@
 - [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
 - [CRLFInjection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
+- [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/deserialize.java)
 
-### Usage
+## Usage
 
 
+### Tomcat
+
 1. 生成war包 `mvn clean package`
 2. 将target目录的war包，cp到Tomcat的webapps目录
 3. 重启Tomcat应用
@@ -25,4 +28,11 @@ http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami
 
 ``` 
 Viarus
-```
+```
+
+### IDEA
+
+如果想在IDEA中直接运运行，需要进行两个操作:
+
+1. 覆盖适配IDEA的pom.xml `mv pom.xml.idea pom.xml`
+2. 覆盖适配IDEA的Application.java文件 `mv Application.java.idea Application.java`
diff --git a/java-sec-code.iml b/java-sec-code.iml
@@ -73,6 +73,7 @@
     <orderEntry type="library" name="Maven: org.springframework:spring-expression:4.3.6.RELEASE" level="project" />
     <orderEntry type="library" scope="PROVIDED" name="Maven: org.apache.tomcat:tomcat-servlet-api:8.0.36" level="project" />
     <orderEntry type="library" name="Maven: com.google.guava:guava:21.0" level="project" />
+    <orderEntry type="library" name="Maven: commons-collections:commons-collections:3.1" level="project" />
     <orderEntry type="library" name="Maven: commons-lang:commons-lang:2.4" level="project" />
     <orderEntry type="library" name="Maven: org.apache.httpcomponents:httpclient:4.3.6" level="project" />
     <orderEntry type="library" name="Maven: org.apache.httpcomponents:httpcore:4.4.6" level="project" />
@@ -87,6 +88,5 @@
     <orderEntry type="library" name="Maven: cglib:cglib:2.2.2" level="project" />
     <orderEntry type="library" name="Maven: asm:asm:3.3.1" level="project" />
     <orderEntry type="library" name="Maven: commons-beanutils:commons-beanutils:1.9.3" level="project" />
-    <orderEntry type="library" name="Maven: commons-collections:commons-collections:3.2.2" level="project" />
   </component>
 </module>
diff --git a/poc b/poc
diff --git a/pom.xml b/pom.xml
@@ -42,6 +42,12 @@
             <version>21.0</version>
         </dependency>
 
+        <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+            <version>3.1</version>
+        </dependency>
+
         <dependency>
             <groupId>commons-lang</groupId>
             <artifactId>commons-lang</artifactId>
diff --git a/pom.xml.idea b/pom.xml.idea
@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>sec</groupId>
+    <artifactId>java-sec-code</artifactId>
+    <version>1.0.0</version>
+
+
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>1.5.1.RELEASE</version>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+            <version>21.0</version>
+        </dependency>
+
+        <dependency>
+            <groupId>commons-lang</groupId>
+            <artifactId>commons-lang</artifactId>
+            <version>2.4</version> </dependency>
+
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpclient</artifactId>
+            <version>4.3.6</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>fluent-hc</artifactId>
+            <version>4.3.6</version>
+        </dependency>
+
+
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-core</artifactId>
+            <version>2.8.2</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.squareup.okhttp</groupId>
+            <artifactId>okhttp</artifactId>
+            <version>2.5.0</version>
+        </dependency>
+
+        <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+            <version>3.1</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-digester3</artifactId>
+            <version>3.2</version>
+        </dependency>
+
+    </dependencies>
+
+
+
+
+</project>
diff --git a/src/main/java/org/joychou/Application.java b/src/main/java/org/joychou/Application.java
@@ -18,4 +18,4 @@ public static void main(String[] args) throws Exception {
         SpringApplication.run(Application.class, args);
     }
 
-}
+}
diff --git a/src/main/java/org/joychou/Application.java.idea b/src/main/java/org/joychou/Application.java.idea
@@ -0,0 +1,12 @@
+package org.joychou;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class Application {
+
+    public static void main(String[] args) throws Exception {
+        SpringApplication.run(Application.class, args);
+    }
+}
diff --git a/src/main/java/org/joychou/controller/Deserialize.java b/src/main/java/org/joychou/controller/Deserialize.java
@@ -0,0 +1,35 @@
+package org.joychou.controller;
+
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.FileInputStream;
+import java.io.ObjectInputStream;
+
+/**
+ * @author: JoyChou
+ * @Date: 2018年06月14日
+ * @Desc：将根目录的poc放到/tmp/poc就能在mac上弹计算器。该应用必须有Commons-Collections包才能利用反序列化。
+ */
+
+@Controller
+@RequestMapping("/deserialize")
+public class Deserialize {
+
+    @RequestMapping("/test")
+    @ResponseBody
+    public static String deserialize_test(HttpServletRequest request) throws Exception{
+        try {
+            ObjectInputStream in = new ObjectInputStream(new FileInputStream("/tmp/poc"));
+            in.readObject();  // 触发漏洞
+            in.close();
+            return "test";
+        }catch (Exception e){
+            return "exception";
+        }
+
+    }
+}
diff --git a/src/main/java/org/joychou/controller/Rce.java b/src/main/java/org/joychou/controller/Rce.java
@@ -22,7 +22,7 @@ public class Rce {
 
     @RequestMapping("/exec")
     @ResponseBody
-    public String CommandExec(HttpServletRequest request){
+    public String CommandExec(HttpServletRequest request) {
         String cmd = request.getParameter("cmd").toString();
         Runtime run = Runtime.getRuntime();
         String lineStr = "";

Original file line number	Diff line number	Diff line change
`@@ -18,4 +18,4 @@ public static void main(String[] args) throws Exception {`
`18`	`18`	`SpringApplication.run(Application.class, args);`
`19`	`19`	`}`
`20`	`20`
`21`		`-}`
	`21`	`+}`