update deserialize getcookie method

JoyChou93 · JoyChou93 · commit d0ece30140e9 · 2019-09-16T11:48:30.000+08:00
diff --git a/src/main/java/org/joychou/controller/CommandInject.java b/src/main/java/org/joychou/controller/CommandInject.java
@@ -1,7 +1,7 @@
 package org.joychou.controller;
 
 import org.joychou.security.SecurityUtil;
-import org.joychou.utils.Tools;
+import org.joychou.util.WebUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -28,7 +28,7 @@ public static String codeInject(String filepath) throws IOException {
         ProcessBuilder builder = new ProcessBuilder(cmdList);
         builder.redirectErrorStream(true);
         Process process = builder.start();
-        return Tools.convertStreamToString(process.getInputStream());
+        return WebUtils.convertStreamToString(process.getInputStream());
     }
 
     /**
@@ -46,7 +46,7 @@ public String codeInjectHost(HttpServletRequest request) throws IOException {
         ProcessBuilder builder = new ProcessBuilder(cmdList);
         builder.redirectErrorStream(true);
         Process process = builder.start();
-        return Tools.convertStreamToString(process.getInputStream());
+        return WebUtils.convertStreamToString(process.getInputStream());
     }
 
     @GetMapping("/codeinject/sec")
@@ -59,6 +59,6 @@ public static String codeInjectSec(String filepath) throws IOException {
         ProcessBuilder builder = new ProcessBuilder(cmdList);
         builder.redirectErrorStream(true);
         Process process = builder.start();
-        return Tools.convertStreamToString(process.getInputStream());
+        return WebUtils.convertStreamToString(process.getInputStream());
     }
 }
diff --git a/src/main/java/org/joychou/controller/Deserialize.java b/src/main/java/org/joychou/controller/Deserialize.java
@@ -1,6 +1,5 @@
 package org.joychou.controller;
 
-import org.apache.commons.lang.StringUtils;
 import org.joychou.security.AntObjectInputStream;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -11,9 +10,12 @@
 import javax.servlet.http.HttpServletRequest;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.io.InvalidClassException;
 import java.io.ObjectInputStream;
 import java.util.Base64;
 
+import static org.springframework.web.util.WebUtils.getCookie;
+
 /**
  * Deserialize RCE using Commons-Collections gadget.
  *
@@ -23,8 +25,8 @@
 @RequestMapping("/deserialize")
 public class Deserialize {
 
-
-    private static Logger logger= LoggerFactory.getLogger(Deserialize.class);
+    private static String cookieName = "rememberMe";
+    protected final Logger logger = LoggerFactory.getLogger(this.getClass());
 
     /**
      * java -jar ysoserial.jar CommonsCollections5 "open -a Calculator" | base64
@@ -33,27 +35,18 @@ public class Deserialize {
      * http://localhost:8080/deserialize/rememberMe/vul
      */
     @RequestMapping("/rememberMe/vul")
-    public static String rememberMeVul(HttpServletRequest request)
+    public String rememberMeVul(HttpServletRequest request)
             throws IOException, ClassNotFoundException {
 
-        Cookie[] cookies = request.getCookies();
-        String rememberMe = "";
-
-        if (null == cookies) {
-            logger.info("No cookies.");
-        } else {
-            for (Cookie cookie : cookies) {
-                if ( cookie.getName().equals("rememberMe") ) {
-                    rememberMe = cookie.getValue();
-                }
-            }
-        }
+        Cookie cookie = getCookie(request, cookieName);
 
-        if (StringUtils.isBlank(rememberMe) ) {
+        if (null == cookie){
             return "No rememberMe cookie. Right?";
         }
 
+        String rememberMe = cookie.getValue();
         byte[] decoded = Base64.getDecoder().decode(rememberMe);
+
         ByteArrayInputStream bytes = new ByteArrayInputStream(decoded);
         ObjectInputStream in = new ObjectInputStream(bytes);
         in.readObject();
@@ -68,32 +61,29 @@ public static String rememberMeVul(HttpServletRequest request)
      * http://localhost:8080/deserialize/rememberMe/security
      */
     @RequestMapping("/rememberMe/security")
-    public static String rememberMeBlackClassCheck(HttpServletRequest request)
+    public String rememberMeBlackClassCheck(HttpServletRequest request)
             throws IOException, ClassNotFoundException {
 
-        Cookie[] cookies = request.getCookies();
-        String rememberMe = "";
-
-        if (null == cookies) {
-            logger.info("No cookies in /rememberMe/security");
-        } else {
-            for (Cookie cookie : cookies) {
-                if ( cookie.getName().equals("rememberMe") ) {
-                    rememberMe = cookie.getValue();
-                }
-            }
-        }
+        Cookie cookie = getCookie(request, cookieName);
 
-        if (StringUtils.isBlank(rememberMe) ) {
+        if (null == cookie){
             return "No rememberMe cookie. Right?";
         }
-
+        String rememberMe = cookie.getValue();
         byte[] decoded = Base64.getDecoder().decode(rememberMe);
+
         ByteArrayInputStream bytes = new ByteArrayInputStream(decoded);
-        AntObjectInputStream in = new AntObjectInputStream(bytes);
-        in.readObject();
-        in.close();
+
+        try{
+            AntObjectInputStream in = new AntObjectInputStream(bytes);  // throw InvalidClassException
+            in.readObject();
+            in.close();
+        } catch (InvalidClassException e) {
+            logger.info(e.toString());
+            return e.toString();
+        }
 
         return "I'm very OK.";
     }
+
 }
diff --git a/src/main/java/org/joychou/controller/XStreamRce.java b/src/main/java/org/joychou/controller/XStreamRce.java
@@ -3,7 +3,7 @@
 import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.io.xml.DomDriver;
 import org.joychou.dao.User;
-import org.joychou.utils.Tools;
+import org.joychou.util.WebUtils;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RestController;
 
@@ -22,7 +22,7 @@ public class XStreamRce {
      */
     @PostMapping("/xstream")
     public String parseXml(HttpServletRequest request) throws Exception{
-        String xml = Tools.getRequestBody(request);
+        String xml = WebUtils.getRequestBody(request);
         XStream xstream = new XStream(new DomDriver());
         xstream.fromXML(xml);
         return "xstream";
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
@@ -19,7 +19,7 @@
 import org.xml.sax.helpers.DefaultHandler;
 import org.apache.commons.digester3.Digester;
 import org.jdom2.input.SAXBuilder;
-import org.joychou.utils.Tools;
+import org.joychou.util.WebUtils;
 
 /**
  * Java xxe vul and safe code.
@@ -34,7 +34,7 @@ public class XXE {
     @RequestMapping(value = "/xmlReader", method = RequestMethod.POST)
     public String xxe_xmlReader(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
             XMLReader xmlReader = XMLReaderFactory.createXMLReader();
             xmlReader.parse(new InputSource(new StringReader(xml_con)));  // parse xml
@@ -49,7 +49,7 @@ public String xxe_xmlReader(HttpServletRequest request) {
     @RequestMapping(value = "/xmlReader_fix", method = RequestMethod.POST)
     public String xxe_xmlReader_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             XMLReader xmlReader = XMLReaderFactory.createXMLReader();
@@ -71,7 +71,7 @@ public String xxe_xmlReader_fix(HttpServletRequest request) {
     @RequestMapping(value = "/SAXBuilder", method = RequestMethod.POST)
     public String xxe_SAXBuilder(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXBuilder builder = new SAXBuilder();
@@ -86,7 +86,7 @@ public String xxe_SAXBuilder(HttpServletRequest request) {
     @RequestMapping(value = "/SAXBuilder_fix", method = RequestMethod.POST)
     public String xxe_SAXBuilder_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXBuilder builder = new SAXBuilder();
@@ -104,7 +104,7 @@ public String xxe_SAXBuilder_fix(HttpServletRequest request) {
     @RequestMapping(value = "/SAXReader", method = RequestMethod.POST)
     public String xxe_SAXReader(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXReader reader = new SAXReader();
@@ -120,7 +120,7 @@ public String xxe_SAXReader(HttpServletRequest request) {
     @RequestMapping(value = "/SAXReader_fix", method = RequestMethod.POST)
     public String xxe_SAXReader_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXReader reader = new SAXReader();
@@ -139,7 +139,7 @@ public String xxe_SAXReader_fix(HttpServletRequest request) {
     @RequestMapping(value = "/SAXParser", method = RequestMethod.POST)
     public String xxe_SAXParser(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXParserFactory spf = SAXParserFactory.newInstance();
@@ -157,7 +157,7 @@ public String xxe_SAXParser(HttpServletRequest request) {
     @RequestMapping(value = "/SAXParser_fix", method = RequestMethod.POST)
     public String xxe_SAXParser_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXParserFactory spf = SAXParserFactory.newInstance();
@@ -177,7 +177,7 @@ public String xxe_SAXParser_fix(HttpServletRequest request) {
     @RequestMapping(value = "/Digester", method = RequestMethod.POST)
     public String xxe_Digester(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             Digester digester = new Digester();
@@ -193,7 +193,7 @@ public String xxe_Digester(HttpServletRequest request) {
     @RequestMapping(value = "/Digester_fix", method = RequestMethod.POST)
     public String xxe_Digester_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             Digester digester = new Digester();
@@ -214,7 +214,7 @@ public String xxe_Digester_fix(HttpServletRequest request) {
     @RequestMapping(value = "/DocumentBuilder_return", method = RequestMethod.POST)
     public String xxeDocumentBuilderReturn(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -247,7 +247,7 @@ public String xxeDocumentBuilderReturn(HttpServletRequest request) {
     @RequestMapping(value = "/DocumentBuilder", method = RequestMethod.POST)
     public String DocumentBuilder(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -283,7 +283,7 @@ public String DocumentBuilder(HttpServletRequest request) {
     @RequestMapping(value = "/DocumentBuilder_fix", method = RequestMethod.POST)
     public String xxe_DocumentBuilder_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -307,7 +307,7 @@ public String xxe_DocumentBuilder_fix(HttpServletRequest request) {
     @RequestMapping(value = "/DocumentBuilder_xinclude", method = RequestMethod.POST)
     public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -343,7 +343,7 @@ public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
     @RequestMapping(value = "/DocumentBuilder_xinclude_fix", method = RequestMethod.POST)
     public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
 
@@ -382,7 +382,7 @@ public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
     @PostMapping("/XMLReader/vul")
     public String XMLReaderVul(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
             SAXParserFactory spf = SAXParserFactory.newInstance();
             SAXParser saxParser = spf.newSAXParser();
@@ -399,7 +399,7 @@ public String XMLReaderVul(HttpServletRequest request) {
     @PostMapping("/XMLReader/fixed")
     public String XMLReaderSec(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
             SAXParserFactory spf = SAXParserFactory.newInstance();
             SAXParser saxParser = spf.newSAXParser();
diff --git a/src/main/java/org/joychou/util/WebUtils.java b/src/main/java/org/joychou/util/WebUtils.java
@@ -1,10 +1,10 @@
-package org.joychou.utils;
+package org.joychou.util;
 
 import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.io.InputStream;
 
-public class Tools {
+public class WebUtils {
 
     // Get request body.
     public static String getRequestBody(HttpServletRequest request) throws IOException {
