Merge pull request JoyChou93#9 from Anemone95/master

Add more vulnerable code snippets about SQLi(mybatis) and XSS(reflect, stored)

Author: JoyChou93

src/main/java/org/joychou/controller/SQLI.java

@@ -4,10 +4,11 @@
 import org.joychou.mapper.UserMapper;
 import org.joychou.dao.User;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.*;
 
-import javax.servlet.http.HttpServletRequest;
 import java.sql.*;
+import java.util.List;
 
 
 /**
@@ -16,14 +17,18 @@
  * @desc    SQL Injection
  */
 
+@SuppressWarnings("Duplicates")
 @RestController
 @RequestMapping("/sqli")
 public class SQLI {
 
     private static String driver = "com.mysql.jdbc.Driver";
-    private static String url = "jdbc:mysql://localhost:3306/java_sec_code";
-    private static String user = "root";
-    private static String password = "woshishujukumima";
+    @Value("${spring.datasource.url}")
+    private String url;
+    @Value("${spring.datasource.username}")
+    private String user;
+    @Value("${spring.datasource.password}")
+    private String password;
 
     @Autowired
     private UserMapper userMapper;
@@ -36,7 +41,7 @@ public class SQLI {
      * @param username username
      */
     @RequestMapping("/jdbc/vul")
-    public static String jdbc_sqli_vul(@RequestParam("username") String username){
+    public String jdbc_sqli_vul(@RequestParam("username") String username){
         String result = "";
         try {
             Class.forName(driver);
@@ -88,7 +93,7 @@ public static String jdbc_sqli_vul(@RequestParam("username") String username){
      * @param username username
      */
     @RequestMapping("/jdbc/sec")
-    public static String jdbc_sqli_sec(@RequestParam("username") String username){
+    public String jdbc_sqli_sec(@RequestParam("username") String username){
 
         String result = "";
         try {
@@ -134,6 +139,28 @@ public static String jdbc_sqli_sec(@RequestParam("username") String username){
         return result;
     }
 
+    /**
+     * vul code
+     * http://localhost:8080/sqli/mybatis/vul01?username=joychou' or '1'='1
+     *
+     * @param username username
+     */
+    @GetMapping("/mybatis/vul01")
+    public List<User> mybatis_vul1(@RequestParam("username") String username) {
+        return userMapper.findByUserNameVul(username);
+    }
+
+    /**
+     * vul code
+     * http://localhost:8080/sqli/mybatis/vul02?username=joychou' or '1'='1' %23
+     *
+     * @param username username
+     */
+    @GetMapping("/mybatis/vul02")
+    public List<User> mybatis_vul2(@RequestParam("username") String username) {
+        return userMapper.findByUserNameVul2(username);
+    }
+
 
     /**
      * security code
@@ -142,20 +169,18 @@ public static String jdbc_sqli_sec(@RequestParam("username") String username){
      * @param username username
      */
     @GetMapping("/mybatis/sec01")
-    public User mybatis_vul1(@RequestParam("username") String username) {
+    public User mybatis_sec1(@RequestParam("username") String username) {
         return userMapper.findByUserName(username);
     }
 
-
-
     /**
      * security code
      * http://localhost:8080/sqli/mybatis/sec02?id=1
      *
      * @param id id
      */
     @GetMapping("/mybatis/sec02")
-    public User mybatis_v(@RequestParam("id") Integer id) {
+    public User mybatis_sec2(@RequestParam("id") Integer id) {
         return userMapper.findById(id);
     }
 
@@ -165,7 +190,7 @@ public User mybatis_v(@RequestParam("id") Integer id) {
      * http://localhost:8080/sqli/mybatis/sec03
      **/
     @GetMapping("/mybatis/sec03")
-    public User mybatis_vul2() {
+    public User mybatis_sec3() {
         return userMapper.OrderByUsername();
     }
 

src/main/java/org/joychou/controller/XSS.java

@@ -1,11 +1,22 @@
 package org.joychou.controller;
 
 import org.apache.commons.lang.StringUtils;
+import org.joychou.dao.User;
+import org.joychou.mapper.UserMapper;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.CookieValue;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import javax.annotation.Resource;
+import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.Statement;
 
 /**
  * @author   JoyChou ([email protected])
@@ -16,15 +27,59 @@
 @Controller
 @RequestMapping("/xss")
 public class XSS {
-    @RequestMapping("/print")
+
+    /**
+     * Vul Code.
+     * ReflectXSS
+     * http://localhost:8080/xss/reflect?xss=<script>alert(1)</script>
+     *
+     * @param xss unescape string
+     */
+    @RequestMapping("/reflect")
+    @ResponseBody
+    public static String reflect(String xss)
+    {
+        return xss;
+    }
+
+    /**
+     * Vul Code.
+     * StoredXSS Step1
+     * http://localhost:8080/xss/stored/store?xss=<script>alert(1)</script>
+     *
+     * @param xss unescape string
+     */
+    @RequestMapping("/stored/store")
     @ResponseBody
-    public static String ssrf_URLConnection(HttpServletRequest request)
+    public String store(String xss, HttpServletResponse response)
     {
-        String con = request.getParameter("con");
-        return con;
+        Cookie cookie = new Cookie("xss", xss);
+        response.addCookie(cookie);
+        return "Set param into cookie";
+    }
 
-        // fix code
-        // return encode(con);
+    /**
+     * Vul Code.
+     * StoredXSS Step2
+     * http://localhost:8080/xss/stored/show
+     *
+     * @param xss unescape string
+     */
+    @RequestMapping("/stored/show")
+    @ResponseBody
+    public String show(@CookieValue("xss") String xss)
+    {
+        return xss;
+    }
+    /**
+     * safe Code.
+     * http://localhost:8080/xss/safe
+     *
+     */
+    @RequestMapping("/safe")
+    @ResponseBody
+    public static String safe(String xss){
+        return encode(xss);
     }
 
     public static String encode(String origin) {

src/main/java/org/joychou/mapper/UserMapper.java

@@ -5,6 +5,8 @@
 import org.apache.ibatis.annotations.Select;
 import org.joychou.dao.User;
 
+import java.util.List;
+
 @Mapper
 public interface UserMapper {
 
@@ -15,7 +17,13 @@ public interface UserMapper {
     @Select("select * from users where username = #{username}")
     User findByUserName(@Param("username") String username);
 
+    @Select("select * from users where username = '${username}'")
+    List<User> findByUserNameVul(@Param("username") String username);
+
+    List<User> findByUserNameVul2(String username);
+
     User findById(Integer id);
 
     User OrderByUsername();
+
 }

src/main/resources/application.properties

@@ -1,11 +1,10 @@
 
-spring.datasource.url=jdbc:mysql://localhost:3306/java_sec_code?AllowPublicKeyRetrieval=true&useSSL=false
+spring.datasource.url=jdbc:mysql://localhost:3306/java_sec_code?AllowPublicKeyRetrieval=true&useSSL=false&serverTimezone=UTC
 spring.datasource.username=root
 spring.datasource.password=woshishujukumima
 spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
 mybatis.mapper-locations=classpath:mapper/*.xml
 
-
 # Spring Boot Actuator Vulnerable Config
 management.security.enabled=false
 # logging.config=classpath:logback-online.xml

src/main/resources/create_db.sql

@@ -0,0 +1,9 @@
+USE `java_sec_code`;
+CREATE TABLE IF NOT EXISTS `users`(
+   `id` INT UNSIGNED AUTO_INCREMENT,
+   `username` VARCHAR(255) NOT NULL,
+   `password` VARCHAR(255) NOT NULL,
+   PRIMARY KEY (`id`)
+)ENGINE=InnoDB DEFAULT CHARSET=utf8;
+INSERT INTO `users` VALUES (1, 'admin', 'admin123');
+INSERT INTO `users` VALUES (2, 'joychou', 'joychou123');

src/main/resources/mapper/UserMapper.xml

@@ -13,10 +13,15 @@
 	    <!--select * from users where username = #{username}-->
     <!--</select>-->
 
+    <select id="findByUserNameVul2" parameterType="String" resultMap="User">
+        select * from users where username like '%${_parameter}%'
+    </select>
+
     <select id="findById" resultMap="User">
         select * from users where id = #{id}
     </select>
 
+
     <select id="OrderByUsername" resultMap="User">
         select * from users order by id asc limit 1
     </select>