Dev fix #96
Open. Wants to merge 115 commits into base: dev.

Commits (115)
4cffffd
fix cors sec code
JoyChou93 Oct 25, 2018
571e0c3
bug fix
JoyChou93 Oct 26, 2018
e35f30e
add url whitelist vul code
JoyChou93 Oct 31, 2018
ea9ad0e
update cors
JoyChou93 Nov 22, 2018
76da576
update cors
JoyChou93 Nov 25, 2018
ca00956
update readme
JoyChou93 Nov 25, 2018
2f6c3cf
add spel, fixes #5
JoyChou93 Jan 17, 2019
56d5ba1
update readme
JoyChou93 Jan 17, 2019
48e347c
add emptyReferer of jsonp
JoyChou93 Jan 28, 2019
674f2f1
Adapt the app so it can be run directly via right-click in IDEA
JoyChou93 Feb 26, 2019
453e194
add jar configure
JoyChou93 Feb 27, 2019
d1963da
Actuators to RCE
JoyChou93 Mar 4, 2019
af76c38
update readme
JoyChou93 Mar 4, 2019
4c21c97
bypass using URL class to getHost
JoyChou93 Mar 6, 2019
3cd29c1
fix bug
JoyChou93 Mar 6, 2019
d1b3d6b
update jsonp
JoyChou93 Apr 9, 2019
5b60e15
add upload file only picture
JoyChou93 Apr 23, 2019
590891b
add csrf
JoyChou93 May 31, 2019
dd3792d
update readme
JoyChou93 May 31, 2019
72a54fa
add csrf whitelist uri and req method
JoyChou93 May 31, 2019
2e542b6
update readme
JoyChou93 May 31, 2019
4a02175
update csrf allowedMethods code
JoyChou93 May 31, 2019
9bed870
csrf in upload file html
JoyChou93 Jun 5, 2019
86d2551
diy csrf error code
JoyChou93 Jun 10, 2019
f0cb9a4
add filter to check referer
JoyChou93 Jun 18, 2019
0746f9d
redirect 403 forbidden page
JoyChou93 Jun 19, 2019
10e0345
add ssrf checker
JoyChou93 Jun 21, 2019
2e91353
update readme
JoyChou93 Jun 21, 2019
a605b1e
update readme
JoyChou93 Jun 21, 2019
edfc1fc
update readme
JoyChou93 Jun 21, 2019
12ab307
update readme
JoyChou93 Jun 21, 2019
0e4f22e
Add httpclient SSRF vul code
JoyChou93 Jun 25, 2019
85ca363
update readme
JoyChou93 Jun 28, 2019
6844b0a
add configure code of json to jsonp
JoyChou93 Jul 3, 2019
f37f9b2
add csrf switch
JoyChou93 Jul 3, 2019
d330c45
fix bug
JoyChou93 Jul 3, 2019
f24df6f
add json to jsonp
JoyChou93 Jul 8, 2019
cc94639
add mybatis sql
JoyChou93 Jul 17, 2019
839f532
Add ssti & resolveClass blacklist
JoyChou93 Jul 19, 2019
cc99e47
update readme
JoyChou93 Jul 19, 2019
31f5170
add deserialize
JoyChou93 Jul 20, 2019
0a9c978
update readme
JoyChou93 Jul 20, 2019
4763a3a
update readme
JoyChou93 Jul 20, 2019
8a9977d
add auth
JoyChou93 Jul 21, 2019
3e06b52
add index html page
JoyChou93 Jul 22, 2019
a2a5eee
update mybatis readme
JoyChou93 Jul 22, 2019
720da39
add pathTraversal
JoyChou93 Jul 23, 2019
179f45e
update readme
JoyChou93 Jul 23, 2019
6b8b1d1
closes #6
JoyChou93 Jul 24, 2019
a169c10
update readme
JoyChou93 Jul 24, 2019
a0e66f2
update readme
JoyChou93 Jul 24, 2019
467b74f
add docker env & add xstream rce vuln
JoyChou93 Jul 29, 2019
0a9f1ec
update readme
JoyChou93 Jul 29, 2019
ea74d17
add a xxe sink code
JoyChou93 Jul 30, 2019
40cf83b
add command inject
JoyChou93 Jul 31, 2019
301ffa6
update readme
JoyChou93 Jul 31, 2019
1f57fae
fix bug 0.0.0.0 can bypass SSRFChecker
waderwu Sep 3, 2019
1e991c1
Merge remote-tracking branch 'upstream/master'
waderwu Sep 3, 2019
40d64c1
Merge pull request #7 from waderwu/master
JoyChou93 Sep 4, 2019
1cd9a71
add xxe
JoyChou93 Sep 4, 2019
0ece942
Merge pull request #8 from JoyChou93/dev01
JoyChou93 Sep 4, 2019
39f07ff
update readme
JoyChou93 Sep 4, 2019
27df4d1
update readme
JoyChou93 Sep 5, 2019
562b956
add a jsonp case
JoyChou93 Sep 12, 2019
d0ece30
update deserialize getcookie method
JoyChou93 Sep 16, 2019
59a72ef
19/10/15 add more xss&sql vuln code
Oct 15, 2019
da5ea84
19/10/15 rm unuseful code
Oct 15, 2019
05ae55e
Merge pull request #9 from Anemone95/master
JoyChou93 Oct 24, 2019
9821216
add xxe return back filecontent
JoyChou93 Nov 2, 2019
22f0ecd
add cors security code
JoyChou93 Dec 9, 2019
6ae0527
add filter cors fix code
JoyChou93 Dec 19, 2019
85eb3b9
update cors security code
JoyChou93 Dec 26, 2019
9dd930e
update some bugs
JoyChou93 Jan 17, 2020
7b187f2
Add XXE & SSRF Vuln Code
JoyChou93 Feb 14, 2020
0d99385
update mybatis sql injection
JoyChou93 Mar 25, 2020
db6bff2
Bug fix. The method of fixing SSRF can cause DoS.
JoyChou93 Mar 26, 2020
fc1be1b
Add bean to parse safedomain
JoyChou93 Mar 27, 2020
89cb9d8
fix #13
JoyChou93 Mar 31, 2020
039d0f1
bug fix
JoyChou93 Mar 31, 2020
33748f3
bug fix
JoyChou93 Apr 3, 2020
fa48bad
Add socket hook module to intercept SSRF at the socket layer
liergou9981 Apr 3, 2020
d170c8f
Merge pull request #15 from liergou9981/master
JoyChou93 Apr 4, 2020
335bfef
fix hook socket's bug
JoyChou93 Apr 4, 2020
2aa0b91
bug fix
JoyChou93 Apr 6, 2020
f296f0d
add swagger-ui & ssrf of httpsyncclient
JoyChou93 Apr 10, 2020
ab69c0b
bug fix
JoyChou93 Aug 3, 2020
30dd98b
fixes #23
JoyChou93 Aug 3, 2020
37925a8
add fastjsonp
JoyChou93 Feb 5, 2021
bb94a99
fixes #31
JoyChou93 Feb 25, 2021
1f9da36
add rce
JoyChou93 Mar 26, 2021
ed28104
add log4j
JoyChou93 Mar 31, 2022
707d395
add jwt
JoyChou93 Sep 21, 2022
e4190d6
Add RestTemplate SSRF
JoyChou93 Oct 21, 2022
9acefb2
add jwt
JoyChou93 Nov 21, 2022
da04ccc
add CVE-2022-22978
JoyChou93 Jan 16, 2023
9d66a88
add alibaba security purple team recruitment
JoyChou93 Jan 17, 2023
c3c41b4
fix #25
JoyChou93 Feb 23, 2023
621c300
Add XXE
JoyChou93 Mar 15, 2023
cab74a4
fix #70
JoyChou93 Mar 24, 2023
4ede83a
add jdbc & actuator ak_secret
JoyChou93 Apr 28, 2023
0c253ad
Update index.html
May 24, 2023
8604af5
Merge pull request #76 from wzqs/patch-1
JoyChou93 Jun 7, 2023
920bd93
fix #78
Dec 27, 2023
7bf927a
Merge remote-tracking branch 'origin/master'
Dec 27, 2023
457d703
Add qlexpress and some test cases.
Dec 28, 2023
1d06b16
Add alibaba recruitment.
Jun 28, 2024
4711f4e
Add alibaba recruitment.
Jun 28, 2024
9eb8d69
Set up CI with Azure Pipelines
autumn0914 Apr 10, 2025
bdd032c
Update azure-pipelines.yml for Azure Pipelines
autumn0914 Apr 10, 2025
02d6141
Update azure-pipelines.yml for Azure Pipelines
autumn0914 Apr 10, 2025
18cdd33
Update azure-pipelines.yml for Azure Pipelines
autumn0914 Apr 10, 2025
048cee5
Update azure-pipelines.yml for Azure Pipelines
autumn0914 Apr 10, 2025
5511840
Update azure-pipelines.yml for Azure Pipelines
autumn0914 Apr 10, 2025
d16e5fc
mysql fix
autumn0914 Apr 10, 2025
1722b02
mysql fix
autumn0914 Apr 10, 2025
Bug fix. The method of fixing SSRF can cause DoS.
JoyChou93 committed Mar 26, 2020
commit db6bff2fc2d87b53ab1821cd88bd807e19aeba25
50 changes: 23 additions & 27 deletions src/main/java/org/joychou/controller/SSRF.java
@@ -23,16 +23,15 @@


import javax.imageio.ImageIO;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.*;
import java.net.*;


/**
* @author JoyChou ([email protected])
* @date 2017.12.28
* @desc Java ssrf vuls code.
* Java SSRF vuln or security code.
*
* @author JoyChou @2017-12-28
*/

@RestController
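Review bot: the `javax.servlet.http.HttpServletRequest` import kept at the top of this hunk looks dead once every handler in this file binds `url` with `@RequestParam` (the `HttpServletResponse` import is still used by `ssrf_openStream`); drop it unless a handler outside the visible hunks still takes the raw request.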
@@ -42,62 +41,59 @@ public class SSRF {
private static Logger logger = LoggerFactory.getLogger(SSRF.class);

@RequestMapping("/urlConnection")
public static String ssrf_URLConnection(HttpServletRequest request)
public static String ssrf_URLConnection(@RequestParam String url)
{
try {
String url = request.getParameter("url");
URL u = new URL(url);
URLConnection urlConnection = u.openConnection();
BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream())); //send request
String inputLine;
StringBuffer html = new StringBuffer();
StringBuilder html = new StringBuilder();

while ((inputLine = in.readLine()) != null) {
html.append(inputLine);
}
in.close();
return html.toString();
}catch(Exception e) {
e.printStackTrace();
logger.error(e.toString());
return "fail";
}
}


@RequestMapping("/HttpURLConnection")
@ResponseBody
public static String ssrf_httpURLConnection(HttpServletRequest request)
public static String ssrf_httpURLConnection(@RequestParam String url)
{
try {
String url = request.getParameter("url");
URL u = new URL(url);
URLConnection urlConnection = u.openConnection();
HttpURLConnection httpUrl = (HttpURLConnection)urlConnection;
BufferedReader in = new BufferedReader(new InputStreamReader(httpUrl.getInputStream())); //send request
String inputLine;
StringBuffer html = new StringBuffer();
StringBuilder html = new StringBuilder();

while ((inputLine = in.readLine()) != null) {
html.append(inputLine);
}
in.close();
return html.toString();
}catch(Exception e) {
e.printStackTrace();
logger.error(e.toString());
return "fail";
}
}


@RequestMapping("/Request")
@ResponseBody
public static String ssrf_Request(HttpServletRequest request)
public static String ssrf_Request(@RequestParam String url)
{
try {
String url = request.getParameter("url");
return Request.Get(url).execute().returnContent().toString();
}catch(Exception e) {
e.printStackTrace();
logger.error(e.toString());
return "fail";
}
}
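Review bot: `logger.error(e.toString())` in the three catch blocks drops the stack trace that `e.printStackTrace()` used to print; pass the exception as the last argument (`logger.error("request failed", e)`) so the cause survives in the log. Two smaller points: `in.close()` in `ssrf_URLConnection` and `ssrf_httpURLConnection` only runs on the success path, so the reader stays open when `readLine()` throws (try-with-resources fixes both), and `@RequestParam String url` makes the parameter required, so a missing `url` now answers 400 from Spring instead of reaching the catch block and returning `"fail"`; worth a line in the README if anything scripted against these endpoints relied on the old reply.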
@@ -113,10 +109,9 @@ public static String ssrf_Request(HttpServletRequest request)
*/
@RequestMapping("/openStream")
@ResponseBody
public static void ssrf_openStream (HttpServletRequest request, HttpServletResponse response) throws IOException {
public static void ssrf_openStream (@RequestParam String url, HttpServletResponse response) throws IOException {
InputStream inputStream = null;
OutputStream outputStream = null;
String url = request.getParameter("url");
try {
String downLoadImgFileName = Files.getNameWithoutExtension(url) + "." + Files.getFileExtension(url);
// download
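Review bot: `downLoadImgFileName` is built from the raw `url` as `Files.getNameWithoutExtension(url) + "." + Files.getFileExtension(url)`, so a URL without an extension yields a name ending in a bare `.`, and any characters the caller puts in the last path segment end up in the name; if it reaches the filesystem or a `Content-Disposition` header, sanitise it (this is the intentionally vulnerable demo, so at least say so in the method comment). The two nullable streams closed by hand in `finally` would be simpler and leak-free as try-with-resources.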
@@ -132,7 +127,7 @@ public static void ssrf_openStream (HttpServletRequest request, HttpServletRespo
}

}catch (Exception e) {
e.printStackTrace();
logger.error(e.toString());
}finally {
if (inputStream != null) {
inputStream.close();
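Review bot: the catch block here only logs, so when the download fails the handler falls through and the client receives a 200 with an empty body; call `response.sendError(...)` or set a status before returning so failures are distinguishable from an empty image. Same stack-trace remark as in the first hunk: prefer `logger.error("download failed", e)` over `logger.error(e.toString())`.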
@@ -147,20 +142,19 @@ public static void ssrf_openStream (HttpServletRequest request, HttpServletRespo

@RequestMapping("/ImageIO")
@ResponseBody
public static void ssrf_ImageIO(HttpServletRequest request) {
String url = request.getParameter("url");
public static void ssrf_ImageIO(@RequestParam String url) {
try {
URL u = new URL(url);
ImageIO.read(u); // send request
} catch (Exception e) {
logger.error(e.toString());
}
}


@RequestMapping("/okhttp")
@ResponseBody
public static void ssrf_okhttp(HttpServletRequest request) throws IOException {
String url = request.getParameter("url");
public static void ssrf_okhttp(@RequestParam String url) throws IOException {
OkHttpClient client = new OkHttpClient();
com.squareup.okhttp.Request ok_http = new com.squareup.okhttp.Request.Builder().url(url).build();
client.newCall(ok_http).execute();
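Review bot: `client.newCall(ok_http).execute()` in `ssrf_okhttp` discards the returned response, whose body keeps the pooled connection busy until it is closed; capture it and close `response.body()` in a `finally`. In `ssrf_ImageIO`, `ImageIO.read(u)` swallows the failure into the log and the method returns nothing, so the endpoint cannot tell the caller whether the fetch happened; acceptable for a demo sink, but a comment saying so would help.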
@@ -180,8 +174,8 @@ public static String ssrf_HttpClient(@RequestParam String url) {
try {
HttpResponse httpResponse = client.execute(httpGet); // send request
BufferedReader rd = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent()));
StringBuffer result = new StringBuffer();
String line = "";
StringBuilder result = new StringBuilder();
String line = null;
while ((line = rd.readLine()) != null) {
result.append(line);
}
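Review bot: the `BufferedReader rd` opened on `httpResponse.getEntity().getContent()` is not closed in the visible lines, and the entity is never consumed or released; wrap `rd` in try-with-resources and call `EntityUtils.consume(httpResponse.getEntity())` (or use a `CloseableHttpResponse`) so the connection returns to the pool. `String line = null;` is fine; the initialiser is redundant either way.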
@@ -236,8 +230,8 @@ public static String commonsHttpClient(@RequestParam String url) {

/**
* jsoup是一款Java的HTML解析器,可直接解析某个URL地址、HTML文本内容。
* http://localhost:8080/ssrf/Jsoup?url=http://www.baidu.com
*
* http://localhost:8080/ssrf/Jsoup?url=http://www.baidu.com
*/
@RequestMapping("/Jsoup")
@ResponseBody
@@ -251,9 +245,11 @@ public static String Jsoup(@RequestParam String url) {
.cookie("name", "joychou") // request请求带的cookie
.followRedirects(false)
.execute().parse();
logger.info(doc.html());
} catch (MalformedURLException e) {
return "exception: " + e.toString();
} catch (Exception e) {
} catch (IOException e) {
logger.error(e.toString());
return "exception: " + e.toString();
}

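Review bot: narrowing the second catch from `Exception` to `IOException` changes behaviour for unchecked errors: if the chain above starts with `Jsoup.connect(url)`, a malformed URL surfaces as `IllegalArgumentException` (Jsoup wraps the `MalformedURLException`), which the `MalformedURLException` clause does not catch either, so it now propagates as a 500 instead of the previous `"exception: ..."` reply. Also `logger.info(doc.html())` writes the entire fetched page into the application log at INFO; that is attacker-chosen content of unbounded size, so log the URL and the body length instead.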
@@ -271,7 +267,7 @@ public static String Jsoup(@RequestParam String url) {
public static String IOUtils(@RequestParam String url) {
try {
// IOUtils.toByteArray内部用URLConnection进行了封装
byte[] b = IOUtils.toByteArray(URI.create(url));
IOUtils.toByteArray(URI.create(url));
} catch (Exception e) {
return "exception: " + e.toString();
}
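Review bot: dropping the unused `byte[] b` silences a warning, but `IOUtils.toByteArray(URI.create(url))` still buffers the whole response body in memory with no size limit, so a large upstream response can exhaust the heap; since this is the demonstration sink, a comment next to the existing `URLConnection` one would be useful. `URI.create` throws `IllegalArgumentException` for a malformed URL, which the `catch (Exception e)` here still covers.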
20 changes: 5 additions & 15 deletions src/main/java/org/joychou/controller/XSS.java
@@ -1,35 +1,24 @@
package org.joychou.controller;

import org.apache.commons.lang.StringUtils;
import org.joychou.dao.User;
import org.joychou.mapper.UserMapper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.CookieValue;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

import javax.annotation.Resource;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.Statement;


/**
* @author JoyChou ([email protected])
* @date 2018.01.02
* @desc XSS vuls code
* @author JoyChou @2018-01-02
*/

@Controller
@RequestMapping("/xss")
public class XSS {

/**
* Vul Code.
* Vuln Code.
* ReflectXSS
* http://localhost:8080/xss/reflect?xss=<script>alert(1)</script>
*
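Review bot: the import cleanup removes `User`, `UserMapper`, `Autowired`, `Value`, `Resource` and the JDBC classes; that only compiles if the SQL-related handlers left this class, and the hunk does not show where they went, so the PR description should say (presumably the `rm unuseful code` commit). `CookieValue` is rightly kept, since `show(@CookieValue("xss") String xss)` below still uses it.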
@@ -71,6 +60,7 @@ public String show(@CookieValue("xss") String xss)
{
return xss;
}

/**
* safe Code.
* http://localhost:8080/xss/safe
@@ -82,7 +72,7 @@ public static String safe(String xss){
return encode(xss);
}

public static String encode(String origin) {
private static String encode(String origin) {
origin = StringUtils.replace(origin, "&", "&amp;");
origin = StringUtils.replace(origin, "<", "&lt;");
origin = StringUtils.replace(origin, ">", "&gt;");
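Review bot: making `encode` private drops it from any other controller that called `XSS.encode`; grep for callers before merging. The visible replacements cover `&`, `<` and `>`; confirm the rest of the method (collapsed below) also escapes `"` and `'`, otherwise `safe` is only safe in text-node context and breaks down inside attributes. Reusing an established HTML encoder would avoid maintaining the table by hand.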
17 changes: 12 additions & 5 deletions src/main/java/org/joychou/security/SSRFChecker.java
@@ -8,21 +8,24 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class SSRFChecker {
class SSRFChecker {

private static int connectTime = 5*1000; // 设置连接超时时间5s
private static Logger logger = LoggerFactory.getLogger(SSRFChecker.class);

/**
* 解析url的ip,判断ip是否是内网ip,所以TTL设置为0的情况不适用。
* url只允许https或者http,并且设置默认连接超时时间。
* 该修复方案会主动请求重定向后的链接。最好用Hook方式获取到所有url后,进行判断,代码待续…
*
* @param url check的url
* @param checkTimes 设置重定向检测的最大次数,建议设置为10次
* @return 安全返回true,危险返回false
*/
public static Boolean checkSSRF(String url) {
static Boolean checkSSRF(String url, int checkTimes) {

HttpURLConnection connection;
int connectTime = 5*1000; // 设置连接超时时间5s
int i = 1;
String finalUrl = url;
try {
do {
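Review bot: `connectTime` is promoted to a `static` field but not `final`; make it `private static final int` so nothing can mutate it. `checkTimes` is documented as "recommended 10" but never validated: the counter `i` starts at 1 and is compared with `==` only after a redirect (next hunk), so any value below 2 never stops the loop; reject `checkTimes < 2` up front. Returning `Boolean` rather than `boolean` for a yes/no check also invites a `null` that callers will not expect.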
@@ -45,7 +48,11 @@ public static Boolean checkSSRF(String url) {
if (null == redirectedUrl)
break;
finalUrl = redirectedUrl;
// System.out.println("redirected url: " + finalUrl);
i += 1; // 重定向次数加1
logger.info("redirected url: " + finalUrl);
if(i == checkTimes) {
return false;
}
} else
break;
} while (connection.getResponseCode() != HttpURLConnection.HTTP_OK);
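Review bot: `if(i == checkTimes)` should be `if (i >= checkTimes)`; with `==` the limit only fires on the exact value, and because `i` starts at 1 and is incremented before the comparison, `checkTimes <= 1` never triggers and the redirect chase stays unbounded, which is the DoS this commit sets out to fix. Returning `false` when the limit is hit is the right fail-closed choice. The new `logger.info("redirected url: " + finalUrl)` writes an attacker-chosen URL to the log; fine, as long as the log layout does not interpret it.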
@@ -62,7 +69,7 @@ public static Boolean checkSSRF(String url) {
*
* @return 如果是内网IP,返回true;非内网IP,返回false。
*/
public static Boolean isInnerIPByUrl(String url) {
static Boolean isInnerIPByUrl(String url) {
String host = url2host(url);
if (host.equals("")) {
return true; // 异常URL当成内网IP等非法URL处理
9 changes: 3 additions & 6 deletions src/main/java/org/joychou/security/SecurityUtil.java
@@ -91,11 +91,8 @@ public static String checkUrlByGuava(String url, String[] urlwhitelist){
* @return 安全返回true,危险返回false
*/
public static Boolean checkSSRF(String url) {
if (SSRFChecker.checkSSRF(url)) {
return true;
} else {
return false;
}
int checkTimes = 10;
return SSRFChecker.checkSSRF(url, checkTimes);
}


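Review bot: `int checkTimes = 10;` is a magic number inside the public wrapper; make it a named constant or a configurable property, and extend the javadoc above (currently only "安全返回true,危险返回false") to say that a chain of 10 or more redirects is treated as unsafe, since callers will otherwise be surprised by a `false` for a perfectly external URL.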
@@ -143,7 +140,7 @@ public static String pathFilter(String filepath) {
}
}

if (temp.indexOf("..") != -1 || temp.charAt(0) == '/') {
if (temp.contains("..") || temp.charAt(0) == '/') {
return null;
}

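Review bot: `temp.charAt(0)` throws `StringIndexOutOfBoundsException` when `temp` is empty, which was already true before this change; guard with `temp.isEmpty() ||` (returning `null`) ahead of the `contains("..")` and leading-slash tests. The `contains("..")` rewrite is equivalent to `indexOf("..") != -1`, so no behaviour change there.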
7 changes: 4 additions & 3 deletions src/main/java/org/joychou/security/WebSecurityConfig.java
@@ -43,7 +43,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
public boolean matches(HttpServletRequest request) {

// 配置需要CSRF校验的请求方式,
HashSet<String> allowedMethods = new HashSet<String>(Arrays.asList(csrfMethod));
HashSet<String> allowedMethods = new HashSet<>(Arrays.asList(csrfMethod));
// return false表示不校验csrf
if (!csrfEnabled) {
return false;
@@ -74,7 +74,8 @@ protected void configure(HttpSecurity http) throws Exception {
.successHandler(new LoginSuccessHandler())
.failureHandler(new LoginFailureHandler()).and()
.logout().logoutUrl("/logout").permitAll().and()
.rememberMe(); // tomcat默认JSESSION会话有效时间为30分钟,所以30分钟不操作会话将过期。为了解决这一问题,引入rememberMe功能。
// tomcat默认JSESSION会话有效时间为30分钟,所以30分钟不操作会话将过期。为了解决这一问题,引入rememberMe功能。
.rememberMe();
}

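Review bot: `.rememberMe()` is enabled with all defaults: no `.key(...)`, so Spring Security generates a random key at startup and every remember-me cookie dies on restart, and no `.tokenValiditySeconds(...)`, so the default two-week lifetime applies. Set both explicitly, and since the moved comment explains the feature exists to outlive the 30-minute Tomcat session, consider the persistent-token variant (`tokenRepository`) so tokens can be revoked.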
/**
@@ -84,7 +85,7 @@ protected void configure(HttpSecurity http) throws Exception {
CorsConfigurationSource corsConfigurationSource()
{
// Set cors origin white list
ArrayList<String> allowOrigins = new ArrayList<String>();
ArrayList<String> allowOrigins = new ArrayList<>();
allowOrigins.add("joychou.org");
allowOrigins.add("https://test.joychou.me"); // 区分http和https,并且默认不会拦截同域请求。

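Review bot: `allowOrigins.add("joychou.org")` has no scheme while the next entry is `https://test.joychou.me`; browser `Origin` headers always carry a scheme, so an exact-match whitelist never matches `joychou.org` as written (the comment right below even says http and https are distinguished). Either drop the entry or write it as `https://joychou.org`; do not relax the comparison to substring or suffix matching to make it work.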