💥 Java Sec

Author: j3ers3

README.md

@@ -16,7 +16,7 @@
 - [x] SSRF
 - [x] Directory Traversal
 - [x] Redirect
-- [ ] CSRF
+- [x] CSRF
 - [x] File Upload
 - [x] XXE
 - [x] Actuator
@@ -27,13 +27,13 @@
 - [x] Dos
 - [x] Xpath
 - [x] Jwt
-- [ ] more
+- [ ] more and more
 
 ![](media/16304936834843.jpg)
 
 ## Run
 ### IDEA
-配置数据库连接，数据库文件`db.sql`
+配置数据库连接，数据库文件`src/main/resources/db.sql`
 ```
 spring.datasource.url=jdbc:mysql://127.0.0.1:3306/test
 spring.datasource.username=root

pom.xml

@@ -11,7 +11,7 @@
 
     <groupId>com.best</groupId>
     <artifactId>javasec</artifactId>
-    <version>1.10</version>
+    <version>1.11</version>
     <name>hello java sec</name>
     <description>Java Sec</description>
     <packaging>jar</packaging>
@@ -149,7 +149,7 @@
         <dependency>
             <groupId>org.jsoup</groupId>
             <artifactId>jsoup</artifactId>
-            <version>1.12.2</version>
+            <version>1.15.4</version>
         </dependency>
 
         <!-- LDAP -->
@@ -211,6 +211,12 @@
             <version>2.2.0.0</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.owasp.encoder</groupId>
+            <artifactId>encoder</artifactId>
+            <version>1.2.3</version>
+        </dependency>
+
         <!-- log4Shell -->
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>
@@ -275,6 +281,19 @@
             <version>0.9.5.2</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-csv</artifactId>
+            <version>1.9.0</version>
+        </dependency>
+
+        <!-- 解决JDK高版本JAXB API依赖缺失 -->
+        <dependency>
+            <groupId>javax.xml.bind</groupId>
+            <artifactId>jaxb-api</artifactId>
+            <version>2.3.1</version>
+        </dependency>
+
     </dependencies>
 
 

src/main/java/com/best/hello/config/MvcConfig.java

@@ -12,7 +12,8 @@ public void addViewControllers(ViewControllerRegistry registry) {
         registry.addViewController("/").setViewName("index");
         registry.addViewController("/login").setViewName("login");
         registry.addViewController("/index").setViewName("index");
-        registry.addViewController("/index/xss").setViewName("xss");
+        registry.addViewController("/index/xss").setViewName("xss_reflect");
+        registry.addViewController("/index/xss/store").setViewName("xss_store");
         registry.addViewController("/index/rce").setViewName("rce");
         registry.addViewController("/index/spel").setViewName("spel");
         registry.addViewController("/index/ssti").setViewName("ssti");
@@ -40,6 +41,7 @@ public void addViewControllers(ViewControllerRegistry registry) {
         registry.addViewController("/index/swagger").setViewName("swagger");
         registry.addViewController("/index/jwt").setViewName("jwt");
         registry.addViewController("/index/xpath").setViewName("xpath");
+        registry.addViewController("/index/csv").setViewName("csv_injection");
 
     }
 

src/main/java/com/best/hello/controller/CSRF.java

@@ -1,12 +1,89 @@
 package com.best.hello.controller;
 
 import io.swagger.annotations.Api;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RestController;
+import io.swagger.annotations.ApiOperation;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.*;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
 
 @Api("跨站请求伪造")
 @RestController
 @RequestMapping("/CSRF")
 public class CSRF {
+    @ApiOperation(value = "vul: 危险的转账")
+    @GetMapping("/transfer/vul")
+    public Map<String, Object> transferMoney(HttpServletRequest request, HttpServletResponse response, HttpSession session) {
+        // 从请求中获取转账金额和接收者
+        String from = (String) session.getAttribute("LoginUser");
+        String amount = request.getParameter("amount");
+        String receiver = request.getParameter("receiver");
+
+        Map<String, Object> result = new HashMap<>();
+        result.put("from", from);
+        result.put("receiver", receiver);
+        result.put("amount", amount);
+        result.put("success", true);
+        return result;
+    }
+
+    @ApiOperation(value = "vul: referer绕过", notes = "通过referer限制，只允许本站发起的请求，但是referer可以伪造")
+    @GetMapping("/transfer/referer")
+    public Map<String, Object> transferMoneySafe(HttpServletRequest request, HttpServletResponse response, HttpSession session) {
+        String from = (String) session.getAttribute("LoginUser");
+        String amount = request.getParameter("amount");
+        String receiver = request.getParameter("receiver");
+        Map<String, Object> result = new HashMap<>();
+        // 校验Referer 判断请求是否来自本站
+        String referer = request.getHeader("referer");
+        if (referer == null || !referer.startsWith("http://baidu.com")) {
+            result.put("success", false);
+            result.put("message", "referer is not valid");
+            return result;
+        }
+        result.put("from", from);
+        result.put("receiver", receiver);
+        result.put("amount", amount);
+        result.put("success", true);
+        return result;
+    }
+
+    @GetMapping("/transfer/genCSRFToken")
+    public Map<String, Object> genCSRFToken(HttpSession session, Model model) {
+        String token = UUID.randomUUID().toString();
+        session.setAttribute("csrfToken", token);
+        Map<String, Object> result = new HashMap<>();
+        result.put("csrfToken", token);
+        return result;
+    }
+
+    @PostMapping("/transfer/doTransferToken")
+    public Map<String, Object> doTransferToken(HttpServletRequest request, HttpSession session) {
+        String token = request.getParameter("csrfToken");
+        String sessionToken = (String) session.getAttribute("csrfToken");
+        String from = (String) session.getAttribute("LoginUser");
+        String amount = request.getParameter("amount");
+        String receiver = request.getParameter("receiver");
+        Map<String, Object> result = new HashMap<>();
+
+        // 校验CSRF Token
+        if (!token.equals(sessionToken)) {
+            result.put("success", false);
+            result.put("message", "token is not valid");
+            return result;
+        }
+
+        result.put("from", from);
+        result.put("receiver", receiver);
+        result.put("amount", amount);
+        result.put("csrfToken", token);
+        result.put("success", true);
+        return result;
+    }
 
 }

src/main/java/com/best/hello/controller/CSVInjection.java

@@ -0,0 +1,93 @@
+package com.best.hello.controller;
+
+import com.best.hello.entity.XSSEntity;
+import com.best.hello.mapper.XSSMapper;
+import io.swagger.annotations.Api;
+import org.apache.commons.csv.CSVFormat;
+import org.apache.commons.csv.CSVPrinter;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import java.io.IOException;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+import java.util.List;
+
+@Api("CSV注入漏洞")
+@RestController
+@RequestMapping("/CSVInjection")
+public class CSVInjection {
+    @Autowired
+    private XSSMapper xssMapper;
+
+    @PostMapping("/save")
+    public String save(HttpServletRequest request, HttpSession session) {
+        String content = request.getParameter("content");
+        SimpleDateFormat df = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
+        String date = df.format(new Date());
+        String user = session.getAttribute("LoginUser").toString();
+        xssMapper.add(user, content, date);
+        return "success";
+    }
+
+    @GetMapping("/getData")
+    public List getData() {
+        return xssMapper.list();
+    }
+
+    @GetMapping("/delete")
+    public String delete(int id) {
+        xssMapper.deleteFeedById(id);
+        return "success";
+    }
+
+    @GetMapping("/exportVul")
+    public void exportVul(HttpServletResponse response) throws Exception {
+        exportCSV(response, false);
+    }
+
+    @GetMapping("/exportSafe")
+    public void exportSafe(HttpServletResponse response) throws Exception {
+        exportCSV(response, true);
+    }
+
+    /**
+     * 导出 CSV 文件
+     */
+    private void exportCSV(HttpServletResponse response, boolean safe) throws IOException {
+        List<XSSEntity> data = xssMapper.list();
+
+        String fileName = "csv_injection.csv";
+        response.setContentType("text/csv");
+        response.setHeader("Content-Disposition", "attachment; filename=" + fileName);
+
+        CSVPrinter csvPrinter = new CSVPrinter(response.getWriter(), CSVFormat.DEFAULT
+                .withHeader("ID", "用户名", "内容", "时间"));
+
+        for (XSSEntity x : data) {
+            String content = safe ? filterCSVInjection(x.getContent()) : x.getContent();
+            csvPrinter.printRecord(x.getId(), x.getUser(), content, x.getDate());
+        }
+        csvPrinter.flush();
+    }
+
+    private String filterCSVInjection(String input) {
+        // 定义需要过滤的特殊字符
+        String[] forbiddenChars = {"=", "+", "-", "@"};
+
+        // 遍历特殊字符，将其替换为空字符串
+        for (String forbiddenChar : forbiddenChars) {
+            input = input.replace(forbiddenChar, "");
+        }
+
+        return input;
+    }
+
+
+}