Java Sec Code

Java sec code is a very powerful and friendly project for learning Java vulnerability code.

中文文档

Introduce

This project can also be called Java vulnerability code.

Each vulnerability type code has a security vulnerability by default unless there is no vulnerability. The relevant fix code is in the comments or code. Specifically, you can view each vulnerability code and comments.

Authenticate

Login

http://localhost:8080/login

If you are not logged in, accessing any page will redirect you to the login page. The username & password are as follows.

admin/admin123
joychou/joychou123

Logout

http://localhost:8080/logout

RememberMe

Tomcat's default JSESSION session is valid for 30 minutes, so a 30-minute non-operational session will expire. In order to solve this problem, the rememberMe function is introduced, and the default expiration time is 2 weeks.

Vulnerability Code

Sort by letter.

• Actuators to RCE
• CORS
• CRLF Injection
• CSRF
• Deserialize
• Fastjson
• File Upload
• IP Forge
• Java RMI
• JSONP
• RCE
• SPEL
• SQL Injection
• SSRF
• SSTI
• URL Redirect
• URL whitelist Bypass
• XSS
• XXE

Vulnerability Description

• Actuators to RCE
• CORS
• CSRF
• Deserialize
• Fastjson
• Java RMI
• JSONP
• SQLI
• SSRF
• SSTI
• URL whitelist Bypass
• XXE
• Others

How to run

The application will use mybatis auto-injection. Please run mysql ahead of time and configure the mysql database.

spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code
spring.datasource.username=root
spring.datasource.password=woshishujukumima

• Tomcat
• IDEA
• JAR

Tomcat

• Exclude tomcat in pom.xml.

  <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <exclusions>
          <exclusion>
              <groupId>org.springframework.boot</groupId>
              <artifactId>spring-boot-starter-tomcat</artifactId>
          </exclusion>
      </exclusions>
  </dependency>

• Build war package by mvn clean package.

• Copy war package to tomcat webapps directory.

• Start tomcat application.

Example:

http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami

return:

Viarus

IDEA

Click run button.

Example:

http://localhost:8080/rce/exec?cmd=whoami

return:

Viarus

JAR

Change war to jar in pom.xml.

<groupId>sec</groupId>
<artifactId>java-sec-code</artifactId>
<version>1.0.0</version>
<packaging>war</packaging>

Build package and run.

mvn clean package -DskipTests 
java -jar target/java-sec-code-1.0.0.jar

Donate

If you like the poject, you can donate to support me. With your support, I will be able to make Java sec code better 😎.

Alipay

Scan the QRcode to support Java sec code.