Add XXE & SSRF Vuln Code

Author: JoyChou93

java-sec-code.iml

@@ -67,8 +67,13 @@
     <orderEntry type="library" name="Maven: com.google.protobuf:protobuf-java:2.6.0" level="project" />
     <orderEntry type="library" name="Maven: com.alibaba:fastjson:1.2.24" level="project" />
     <orderEntry type="library" name="Maven: org.jdom:jdom2:2.0.6" level="project" />
-    <orderEntry type="library" name="Maven: org.dom4j:dom4j:2.1.1" level="project" />
-    <orderEntry type="library" name="Maven: com.google.guava:guava:21.0" level="project" />
+    <orderEntry type="library" name="Maven: org.dom4j:dom4j:2.1.0" level="project" />
+    <orderEntry type="library" name="Maven: jaxen:jaxen:1.1.6" level="project" />
+    <orderEntry type="library" name="Maven: com.google.guava:guava:23.0" level="project" />
+    <orderEntry type="library" name="Maven: com.google.code.findbugs:jsr305:1.3.9" level="project" />
+    <orderEntry type="library" name="Maven: com.google.errorprone:error_prone_annotations:2.0.18" level="project" />
+    <orderEntry type="library" name="Maven: com.google.j2objc:j2objc-annotations:1.1" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.mojo:animal-sniffer-annotations:1.14" level="project" />
     <orderEntry type="library" name="Maven: commons-collections:commons-collections:3.1" level="project" />
     <orderEntry type="library" name="Maven: commons-lang:commons-lang:2.4" level="project" />
     <orderEntry type="library" name="Maven: org.apache.httpcomponents:httpclient:4.3.6" level="project" />
@@ -193,5 +198,7 @@
     <orderEntry type="library" name="Maven: xml-resolver:xml-resolver:1.2" level="project" />
     <orderEntry type="library" name="Maven: xml-apis:xml-apis:1.4.01" level="project" />
     <orderEntry type="library" name="Maven: org.slf4j:slf4j-api:1.7.22" level="project" />
+    <orderEntry type="library" name="Maven: org.jsoup:jsoup:1.10.2" level="project" />
+    <orderEntry type="library" name="Maven: commons-io:commons-io:2.5" level="project" />
   </component>
 </module>

pom.xml

@@ -62,15 +62,15 @@
         <dependency>
             <groupId>org.dom4j</groupId>
             <artifactId>dom4j</artifactId>
-            <version>2.1.1</version>
+            <version>2.1.0</version>
         </dependency>
 
 
         <!-- 获取url根域名-->
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>21.0</version>
+            <version>23.0</version>
         </dependency>
 
         <dependency>
@@ -215,7 +215,19 @@
             <version>2.0.0</version>
         </dependency>
 
+        <!-- ssrf -->
+        <dependency>
+            <groupId>org.jsoup</groupId>
+            <artifactId>jsoup</artifactId>
+            <version>1.10.2</version>
+        </dependency>
 
+        <!-- ssrf -->
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.5</version>
+        </dependency>
     </dependencies>
 
     <dependencyManagement>

src/main/java/org/joychou/controller/SSRF.java

@@ -4,25 +4,29 @@
 import com.squareup.okhttp.OkHttpClient;
 import org.apache.commons.httpclient.HttpClient;
 import org.apache.commons.httpclient.methods.GetMethod;
+import org.apache.commons.io.IOUtils;
 import org.apache.http.HttpResponse;
 import org.apache.http.HttpStatus;
 import org.apache.http.client.fluent.Request;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
 import org.joychou.security.SecurityUtil;
-import org.springframework.stereotype.Controller;
+import org.jsoup.Jsoup;
+import org.jsoup.nodes.Document;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
 
 
 import javax.imageio.ImageIO;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.*;
-import java.net.URL;
-import java.net.URLConnection;
-import java.net.HttpURLConnection;
+import java.net.*;
 
 
 /**
@@ -31,12 +35,13 @@
  * @desc    Java ssrf vuls code.
  */
 
-@Controller
+@RestController
 @RequestMapping("/ssrf")
 public class SSRF {
 
+    private static Logger logger = LoggerFactory.getLogger(SSRF.class);
+
     @RequestMapping("/urlConnection")
-    @ResponseBody
     public static String ssrf_URLConnection(HttpServletRequest request)
     {
         try {
@@ -169,9 +174,7 @@ public static void ssrf_okhttp(HttpServletRequest request) throws IOException {
      */
     @RequestMapping("/HttpClient")
     @ResponseBody
-    public static String ssrf_HttpClient(HttpServletRequest request) {
-
-        String url = request.getParameter("url");
+    public static String ssrf_HttpClient(@RequestParam String url) {
         CloseableHttpClient client = HttpClients.createDefault();
         HttpGet httpGet = new HttpGet(url);
         try {
@@ -193,26 +196,18 @@ public static String ssrf_HttpClient(HttpServletRequest request) {
 
     /**
      * Safe code.
-     * http://localhost:8080/ssrf/commonsHttpClient?url=http://www.baidu.com
+     * http://localhost:8080/ssrf/commonsHttpClient/sec?url=http://www.baidu.com
      *
      */
-    @RequestMapping("/commonsHttpClient")
+    @RequestMapping("/commonsHttpClient/sec")
     @ResponseBody
-    public static String commonsHttpClient(HttpServletRequest request) {
-
-        String url = request.getParameter("url");
-
-        // Security check
+    public static String commonsHttpClient(@RequestParam String url) {
         if (!SecurityUtil.checkSSRFWithoutRedirect(url)) {
             return "Bad man. I got u.";
         }
-        // Create an instance of HttpClient.
-        HttpClient client = new HttpClient();
 
-        // Create a method instance.
+        HttpClient client = new HttpClient();
         GetMethod method = new GetMethod(url);
-
-        // forbid 302 redirection
         method.setFollowRedirects(false);
 
         try {
@@ -238,19 +233,63 @@ public static String commonsHttpClient(HttpServletRequest request) {
 
     }
 
+    /**
+     * jsoup是一款Java的HTML解析器，可直接解析某个URL地址、HTML文本内容。
+     * http://localhost:8080/ssrf/Jsoup?url=http://www.baidu.com
+     *
+     */
+    @RequestMapping("/Jsoup")
+    @ResponseBody
+    public static String Jsoup(@RequestParam String url) {
+        try {
+            Document doc = Jsoup.connect(url)
+                    .userAgent(
+                            "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) "
+                                    + "Chrome/64.0.3282.167 Safari/537.36")
+                    .timeout(3000)
+                    .cookie("name", "joychou") // request请求带的cookie
+                    .followRedirects(false)
+                    .execute().parse();
+        } catch (MalformedURLException e) {
+            return "exception: " + e.toString();
+        } catch (Exception e) {
+            return "exception: " + e.toString();
+        }
+
+        return "Jsoup ssrf";
+    }
+
+
+    /**
+     * 用途：IOUtils可远程获取URL图片
+     * 默认重定向：是
+     * 封装类：URLConnection
+     * http://localhost:8080/ssrf/IOUtils?url=http://www.baidu.com
+     */
+    @RequestMapping("/IOUtils")
+    public static String IOUtils(@RequestParam String url) {
+        try {
+            // IOUtils.toByteArray内部用URLConnection进行了封装
+            byte[] b = IOUtils.toByteArray(URI.create(url));
+        } catch (Exception e) {
+            return "exception: " + e.toString();
+        }
+
+        return "IOUtils ssrf";
+    }
+
 
     /**
      * Safe code.
-     * http://localhost:8080/ssrf/ImageIO_safe?url=http://www.baidu.com
+     * http://localhost:8080/ssrf/ImageIO/sec?url=http://www.baidu.com
      *
      */
-    @RequestMapping("/ImageIO_safe")
-    @ResponseBody
-    public static String ssrf_ImageIO_safecode(HttpServletRequest request) {
-        String url = request.getParameter("url");
+    @RequestMapping("/ImageIO/sec")
+    public static String ImageIOSec(@RequestParam String url) {
         try {
             URL u = new URL(url);
             if (!SecurityUtil.checkSSRF(url)) {
+                logger.error("[-] SSRF check failed. Original Url: "+ url);
                 return "SSRF check failed.";
             }
             ImageIO.read(u); // send request

src/main/java/org/joychou/controller/SpEL.java

@@ -1,6 +1,5 @@
 package org.joychou.controller;
 
-import org.springframework.expression.EvaluationContext;
 import org.springframework.expression.ExpressionParser;
 import org.springframework.expression.spel.standard.SpelExpressionParser;
 import org.springframework.web.bind.annotation.RequestMapping;