add docker env & add xtream rce vuln

JoyChou93 · JoyChou93 · commit 467b74fc6f65 · 2019-07-29T10:19:28.000+08:00
diff --git a/.gitignore b/.gitignore
@@ -2,4 +2,7 @@
 .DS_Store
 target/
 other-vuls/
+docker/
+poc/
+src/main/java/org/joychou/test/
 *.iml
diff --git a/README.md b/README.md
@@ -56,18 +56,33 @@ Sort by letter.
 
 ## How to run
 
-The application will use mybatis auto-injection. Please run mysql server ahead of time and configure the mysql server database's name and username/password.
+The application will use mybatis auto-injection. Please run mysql server ahead of time and configure the mysql server database's name and username/password except docker environment.
 
 ``` 
 spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code
 spring.datasource.username=root
 spring.datasource.password=woshishujukumima
 ```
 
+- Docker
 - IDEA
 - Tomcat
 - JAR
 
+### Docker
+
+
+
+``` 
+docker-compose up
+```
+
+Docker's environment:
+
+- Java 1.8.0_102
+- Mysql 8.0.17
+- Tomcat 8.5.11
+
 
 ### IDEA
 
diff --git a/README_zh.md b/README_zh.md
@@ -54,19 +54,30 @@
 
 ## 如何运行
 
-应用会用到mybatis自动注入，请提前运行mysql服务，并且配置mysql服务的数据库名称和用户名密码。
+应用会用到mybatis自动注入，请提前运行mysql服务，并且配置mysql服务的数据库名称和用户名密码(除非是Docker环境)。
 
 ``` 
 spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code
 spring.datasource.username=root
 spring.datasource.password=woshishujukumima
 ```
 
+- Docker
 - IDEA
 - Tomcat
 - JAR
 
+### Docker
 
+``` 
+docker-compose up
+```
+
+Docker环境：
+
+- Java 1.8.0_102
+- Mysql 8.0.17
+- Tomcat 8.5.11
 
 ### IDEA
 
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,13 @@
+version : '2'
+services:
+    jsc:
+        image: joychou/jsc:1.0
+        ports:
+            - "8080:8080"
+        links:
+            - j_mysql
+
+    j_mysql:
+        image: joychou/jsc_mysql:1.0
+        ports:
+            - "3306:3306"
diff --git a/java-sec-code.iml b/java-sec-code.iml
@@ -155,9 +155,6 @@
     <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.netflix-commons:netflix-statistics:0.1.1" level="project" />
     <orderEntry type="library" name="Maven: io.reactivex:rxjava:1.1.10" level="project" />
     <orderEntry type="library" name="Maven: com.netflix.ribbon:ribbon-eureka:2.2.0" level="project" />
-    <orderEntry type="library" name="Maven: com.thoughtworks.xstream:xstream:1.4.9" level="project" />
-    <orderEntry type="library" name="Maven: xmlpull:xmlpull:1.1.3.1" level="project" />
-    <orderEntry type="library" name="Maven: xpp3:xpp3_min:1.1.4c" level="project" />
     <orderEntry type="library" name="Maven: com.fasterxml.uuid:java-uuid-generator:3.1.4" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.security:spring-security-web:4.2.12.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: aopalliance:aopalliance:1.0" level="project" />
@@ -181,5 +178,8 @@
     <orderEntry type="library" name="Maven: org.mybatis:mybatis:3.4.6" level="project" />
     <orderEntry type="library" name="Maven: org.mybatis:mybatis-spring:1.3.2" level="project" />
     <orderEntry type="library" name="Maven: org.apache.velocity:velocity:1.7" level="project" />
+    <orderEntry type="library" name="Maven: com.thoughtworks.xstream:xstream:1.4.10" level="project" />
+    <orderEntry type="library" name="Maven: xmlpull:xmlpull:1.1.3.1" level="project" />
+    <orderEntry type="library" name="Maven: xpp3:xpp3_min:1.1.4c" level="project" />
   </component>
 </module>
diff --git a/pom.xml b/pom.xml
@@ -189,6 +189,13 @@
             <version>1.7</version>
         </dependency>
 
+        <!-- rce -->
+        <dependency>
+            <groupId>com.thoughtworks.xstream</groupId>
+            <artifactId>xstream</artifactId>
+            <version>1.4.10</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/controller/XStreamRce.java b/src/main/java/org/joychou/controller/XStreamRce.java
@@ -0,0 +1,43 @@
+package org.joychou.controller;
+
+import com.thoughtworks.xstream.XStream;
+import com.thoughtworks.xstream.io.xml.DomDriver;
+import org.joychou.dao.User;
+import org.joychou.utils.Tools;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.HttpServletRequest;
+
+
+@RestController
+public class XStreamRce {
+
+    /**
+     * Fix method: update xstream to 1.4.11
+     * Xstream affected version: 1.4.10 or <= 1.4.6
+     * Set Content-Type: application/xml
+     *
+     * @author JoyChou @2019-07-26
+     */
+    @PostMapping("/xstream")
+    public String parseXml(HttpServletRequest request) throws Exception{
+        String xml = Tools.getBody(request);
+        XStream xstream = new XStream(new DomDriver());
+        xstream.fromXML(xml);
+        return "xstream";
+    }
+
+    public static void main(String[] args) throws Exception {
+        User user = new User();
+        user.setId(0);
+        user.setUsername("admin");
+
+        XStream xstream = new XStream(new DomDriver());
+        String xml = xstream.toXML(user); // Serialize
+        System.out.println(xml);
+
+        user = (User)xstream.fromXML(xml); // Deserialize
+        System.out.println(user.getId() + ": " + user.getUsername() );
+    }
+}
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
@@ -12,14 +12,15 @@
 import org.xml.sax.XMLReader;
 import java.io.*;
 import org.xml.sax.InputSource;
+
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.SAXParserFactory;
 import javax.xml.parsers.SAXParser;
 import org.xml.sax.helpers.DefaultHandler;
 import org.apache.commons.digester3.Digester;
 import org.jdom2.input.SAXBuilder;
-
+import org.joychou.utils.Tools;
 
 /**
  * Java xxe vul and safe code.
@@ -33,9 +34,9 @@ public class XXE {
 
     @RequestMapping(value = "/xmlReader", method = RequestMethod.POST)
     @ResponseBody
-    public  String xxe_xmlReader(HttpServletRequest request) {
+    public String xxe_xmlReader(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
             XMLReader xmlReader = XMLReaderFactory.createXMLReader();
             xmlReader.parse( new InputSource(new StringReader(xml_con)) );  // parse xml
@@ -51,7 +52,7 @@ public  String xxe_xmlReader(HttpServletRequest request) {
     @ResponseBody
     public  String xxe_xmlReader_fix(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             XMLReader xmlReader = XMLReaderFactory.createXMLReader();
@@ -74,7 +75,7 @@ public  String xxe_xmlReader_fix(HttpServletRequest request) {
     @ResponseBody
     public  String xxe_SAXBuilder(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             SAXBuilder builder = new SAXBuilder();
@@ -90,7 +91,7 @@ public  String xxe_SAXBuilder(HttpServletRequest request) {
     @ResponseBody
     public  String xxe_SAXBuilder_fix(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             SAXBuilder builder = new SAXBuilder();
@@ -109,7 +110,7 @@ public  String xxe_SAXBuilder_fix(HttpServletRequest request) {
     @ResponseBody
     public  String xxe_SAXReader(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             SAXReader reader = new SAXReader();
@@ -126,7 +127,7 @@ public  String xxe_SAXReader(HttpServletRequest request) {
     @ResponseBody
     public  String xxe_SAXReader_fix(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             SAXReader reader = new SAXReader();
@@ -146,7 +147,7 @@ public  String xxe_SAXReader_fix(HttpServletRequest request) {
     @ResponseBody
     public String xxe_SAXParser(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             SAXParserFactory spf = SAXParserFactory.newInstance();
@@ -165,7 +166,7 @@ public String xxe_SAXParser(HttpServletRequest request) {
     @ResponseBody
     public String xxe_SAXParser_fix(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             SAXParserFactory spf = SAXParserFactory.newInstance();
@@ -186,7 +187,7 @@ public String xxe_SAXParser_fix(HttpServletRequest request) {
     @ResponseBody
     public String xxe_Digester(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             Digester digester = new Digester();
@@ -203,7 +204,7 @@ public String xxe_Digester(HttpServletRequest request) {
     @ResponseBody
     public String xxe_Digester_fix(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             Digester digester = new Digester();
@@ -225,7 +226,7 @@ public String xxe_Digester_fix(HttpServletRequest request) {
     @ResponseBody
     public String xxeDocumentBuilderReturn(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -259,7 +260,7 @@ public String xxeDocumentBuilderReturn(HttpServletRequest request) {
     @ResponseBody
     public String DocumentBuilder(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -296,7 +297,7 @@ public String DocumentBuilder(HttpServletRequest request) {
     @ResponseBody
     public String xxe_DocumentBuilder_fix(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -321,7 +322,7 @@ public String xxe_DocumentBuilder_fix(HttpServletRequest request) {
     @ResponseBody
     public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -358,7 +359,7 @@ public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
     @ResponseBody
     public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
 
@@ -393,22 +394,5 @@ public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
         }
     }
 
-    // 获取body数据
-    private String getBody(HttpServletRequest request) throws IOException {
-        InputStream in = request.getInputStream();
-        BufferedReader br = new BufferedReader(new InputStreamReader(in));
-        StringBuffer sb = new StringBuffer("");
-        String temp;
-        while ((temp = br.readLine()) != null) {
-            sb.append(temp);
-        }
-        if (in != null) {
-            in.close();
-        }
-        if (br != null) {
-            br.close();
-        }
-        return sb.toString();
-    }
 
 }
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONP.java b/src/main/java/org/joychou/controller/jsonp/JSONP.java
@@ -4,6 +4,7 @@
 import com.alibaba.fastjson.JSONObject;
 import org.joychou.security.SecurityUtil;
 import org.springframework.http.MediaType;
+import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
 import java.security.Principal;
@@ -96,5 +97,15 @@ private String safecode(HttpServletRequest request) {
     }
 
 
+    /**
+     * http://localhost:8080/jsonp/getToken
+     * @return token {"token":"115329a7-3a85-4c31-9c02-02fa1bd1fdf8","parameterName":"_csrf","headerName":"X-XSRF-TOKEN"}
+     *
+     */
+    @RequestMapping("/getToken")
+    public CsrfToken csrf(CsrfToken token) {
+        return token;
+    }
+
 
 }
diff --git a/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
@@ -25,7 +25,9 @@ public class CsrfAccessDeniedHandler implements AccessDeniedHandler {
     public void handle(HttpServletRequest request, HttpServletResponse response,
                        AccessDeniedException accessDeniedException) throws IOException, ServletException {
 
-        logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t" + "Referer: " + request.getHeader("referer"));
+        logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t" +
+                "Referer: " + request.getHeader("referer"));
+
         response.setContentType(MediaType.TEXT_HTML_VALUE); // content-type: text/html
         response.setStatus(HttpServletResponse.SC_FORBIDDEN); // 403 forbidden
         response.getWriter().write("CSRF check failed by JoyChou.");  // response contents
diff --git a/src/main/java/org/joychou/security/HttpFilter.java b/src/main/java/org/joychou/security/HttpFilter.java
@@ -56,7 +56,8 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
                     if (request.getMethod().equals("GET") && StringUtils.isNotBlank(request.getParameter(callback)) ){
                         // If the check of referer fails, a 403 forbidden error page will be returned.
                         if (!SecurityUtil.checkURLbyEndsWith(refer, WebConfig.getReferWhitelist())){
-                            logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t" + "Referer: " + refer);
+                            logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t"
+                                    + "Referer: " + refer);
                             response.sendRedirect("https://test.joychou.org/error3.html");
                             return;
                         }
diff --git a/src/main/java/org/joychou/utils/Tools.java b/src/main/java/org/joychou/utils/Tools.java
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
diff --git a/src/main/resources/static/js/jquery-1.11.1.min.js b/src/main/resources/static/js/jquery-1.11.1.min.js
diff --git a/src/main/resources/templates/form.html b/src/main/resources/templates/form.html
diff --git a/src/main/resources/templates/login.html b/src/main/resources/templates/login.html
