From 1cd9a71fc42d92c3397e4f3a4561e817ef46fce0 Mon Sep 17 00:00:00 2001 From: JoyChou Date: Wed, 4 Sep 2019 15:47:32 +0800 Subject: [PATCH] add xxe --- java-sec-code.iml | 16 +++- poc.xlsx | Bin 0 -> 8334 bytes pom.xml | 20 +++++ .../org/joychou/controller/CommandInject.java | 4 +- src/main/java/org/joychou/controller/XXE.java | 39 +++++---- .../controller/othervulns/ooxmlXXE.java | 79 ++++++++++++++++++ .../othervulns/xlsxStreamerXXE.java | 44 ++++++++++ .../joychou/security/LoginSuccessHandler.java | 20 ++++- src/main/resources/templates/index.html | 3 +- src/main/resources/templates/login.html | 4 +- src/main/resources/templates/xxe_upload.html | 14 ++++ xxe.xlsx | Bin 0 -> 9049 bytes 12 files changed, 217 insertions(+), 26 deletions(-) create mode 100644 poc.xlsx create mode 100644 src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java create mode 100644 src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java create mode 100644 src/main/resources/templates/xxe_upload.html create mode 100644 xxe.xlsx diff --git a/java-sec-code.iml b/java-sec-code.iml index 1f7ef7b5..0140638a 100644 --- a/java-sec-code.iml +++ b/java-sec-code.iml @@ -61,7 +61,6 @@ - @@ -101,7 +100,7 @@ - + @@ -181,5 +180,18 @@ + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/poc.xlsx b/poc.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..19ef11a5e33e97c5c18eec4a00ae0dad3122a4ef GIT binary patch literal 8334 zcmbuE1ys~s*Y=0*8c`60p*y8(NC5$95b16hx&%=e>5v*)x8nO9)4~k9Kns%p#J%r~f zd37YEmh~8=JCscqm`cNSVwZd_Q$7S^-xnw;c2^EzO;1pKRoZ!A2k6(@E+fQIsf`B~ zp=v*Wj<-;&dOpdtG*SCPTtmJJ;K_AozPDEhQAWU(-1zPjsCEg9nG)$`qdc%Jvzy#4 zoUDkD3E76}o^HHNp0CQjNQR-=r?yVyI}ZLYWH9trA+7o+y)rk#18j4tn(|={E1kVc zpm@+cd*~>gjOv$q-kX*NCE74TVk(Ak96(jItj#dfGV0fhv9POCzE)D>2kxH%f{mXwoP~qYjIGNcxvwzoPOVwVF z_wRaq8~;OG0DuxurNKeH2_LV32moOH9MATR@*VP&=N(W``|qMg4_LQzU_agUZ}J~* zQkiZe&QfGI8JZ!ULb9yhmjw1r+Q&D4ZET-J)Y~wU=^M#Yl9-tj4*%3mdA!73910{9 zqONu?38?wvc?4jhbAm}b7B9Xfa2wwqIF6H%t7C9$ieysL9UID70TE zpe{%?El-8#IV=X1d5t!ZI{M_EG}24HX_Q*d;C4Lp{Z(D2S!d*c z@KPXjQP1?$t*rw`J?+o)jRBu8Q;3PO6U5=)O!;g1yk@@>EJNefh@0B$hNHkyca~7(YQ$w0m~CK` zUT+Ma@$Hl@F%lCPjV;R~$(8jKnQ=obM_4EC18XAfboBrnch{1e`a(yOnY2$}>qK{I zpw(|ajYay|mh$g@tjdg2YijXmnLo>>?}$5*W==np_bk$I7#@$E^BaNb+P*%~c`m)j z_<*M8W?@&l6}@v?UXB(cN3E<#SYDOdkLr{uQFv&f?`#H-ecE(mNn26Zh zd95BnbP|?w5jz9y$x~VJ%d@kuC#9vnEno4yw{RTfQjNcA-a?{$Wq4C~wDCsf0 zP-mwc^2H`nYxhUvEw8o4FYs90-5U{|#+vXdV-y8vMovG8aDTG>>e=3lHAl5#5_GK` zlrXDE9LE@Ml+gnsoJkx_w0C{tz9=W>YVjQ%ETV%4Myr7@7Y1cm(*VEb6N)sHSQIYq zV|YFhTo=~_;$-%Vy1z-y@Mt~xb`HXTU6d=y9-rh~QbEa?XT7iPVA?axKVNad;swzR z+h5IB&(!14dpw$77xo#XJaftV^pP|rUYaO~hA~9UnL1nlre$41#|^@>)=I;wVdZpI z4{p}dQYU*xK3x5j@&!L+P!-)aV-1RSpdn-D%TjU9v`VObdoO>7#QBEiLNnH&{4kF-(MrhxHjx(<=>L?V$LXGiOxz|Wcrx?)aUYWx|BqIZY~6g$+?Zuz17cgRoBU)u|VQbS0h@o@^Hb)Tf$|c zI1%sQcrOmwvE{4HN4|vJhx0vRQg#~kI$JLq!^z2sxYW%V>q1BGr_8aTXJm1bDS_+B zEe>Qdrmt4gI>XGNKqq5i^xo!^GiOHM?@IjG8KvQ6>-x@!1Xset_Q$r!4c`)fGxvYV z_-*iu2hU>6;Q0wJfdIT8gWVxcHpUQ$%})`(fxf-}cfHflgJkg&`hcu1k^H$Mk&{aS zGcJUPmed0>mB~U)$3AVpd(-+>PBa;wNk(%#;RaDA>Fy+DJS*n*K3<9!%0s+lV4nVoUcJ}YF3xb zd(OfUytM^xSNCLQ;zUt5XRsC**IEW4sukPS5yZy6&Q#~A+NL0!#4#$VlL_jO=Qy?Q zz)afDw6QEYrto_&CC+Qw!RsVu6B6IbBQ@(nTC^~LN&zc2|MUutCpAHMWTt$b|x1N_#*b@{sr+Av8Y_zjuozcz=}A~J`wg7gUN$d 
z)8Q?qq9O5D2zQvG!#n2T3+g13muV$h4_dY%e&W2zgW1Dzg%7gmRLyABDpL|nIL=_; zB>XwL4J{m0X-YSR^9zP`ETdSLd-d9^PbUF*5#sm)&Bw?_3O4ud$rGl2)_jKR8?)xM z^{9i=WjXqCD`nCYNcAUoel2PYY=*ju-PFf z`#vUFsSiyR=t{_Afo>^-g-DK=<7FNw1Nq^~Elfl+cDxhUS6n-nmRJPKpq4#s+B1)^ z;_d+v<}}Z!xLR?`4B@ogg5~ow?mE7s)KDx%K@GByj12nRb&-n0;H`k0VM`Hl^dv1q zi{&q^0@n4>ip}=Ihf9PDB$7LKgly!SQxjexan9kuh@Mt$hwm1vkH2+k>=t_W_5M^n zV)NvIqz@7_%hL+1#+NA2UEWB6SzNGLrwMhkUA<54wZlRdm^gD#4#NK=&wVI8!+a?h z$=P`1`XP^)kbINtZR1;!H)SOht_YYDdb`BND^k<`J7Y2hU&!BfJS9IKatWgvlt|pv z(I*zTHRM#B7%!M8`fh~f^RDl@P}zjX#RB=Qn*`RBvW`d}s^#nDg0cnq$?*5QWqCih zBiD%y_c_{o@=It&BfnhDtJ{op6zsdWkkSln@uK}OwBxRpDOj7DhYh+ zP>jS4Vjl&+u&CK>uL#VXlvG`4ILG^QQO5l%Tb(V<%v}CWWp*dSn|Fb4-2Es30P){A z-*KEj)BjHuI#v%d{cR7Y-xk$s4y5UX`aKPi81~|{nqIGRykpE$%{Ak#K6-f`aYI&3 z`$4`cdbQI0dSi8@NRvn*aQnII$j94?UpS>DoMY}cr7nU#Of->(rC11>00e$oi-4E&#k~DmpoOpT-;ksrheb!M-)W9yQ?1Zse zN`);R?3nfF(6~h*+DZt8W^BK|@5AoiRI3mJf3<$_P9Zs8A>vzU*of%3au{Knux(Yj zt=gN$NDQ+(WURu-PyC&eye>58XzO_1tu*7U#H>$@f@GG1KEn>ZE*}~JF|o?xjgZn* zR#Jfj^A7>@J^1@1*KkV!|1(TOBlCf+U z2&b6?-S~r|Zk}PYNB4v*Sb|G#T*NLd2->YottB&{oFF>U5I^6aB|aeb!{Z=C8XgBB zQ~9?vX@$H--ot0QaE~z|21>D3&44X*CdLmsGI5-Zt$Gda9-w4H{bPbtw&kwI?|?Dt zScSuK5xO62eBx78o!B81;$Mv{kIyq9_)omxQeNlimfY4zN{_R1GS1)X} zD5~LLU|GTa#icZ0wPaG$+uV)0N;0RL(ry-HWST5kFf*_2idAi4B5XTY_pr4b$a}bO zXSMUxnci0CG2Y-6!e6!P+mT-PYGkKJy@ zfzL0uM&!A3cl#yDm-B}>+G7i4tvaVwe84`_yY;(9Qm1VNy)zQJ%nq6K^VB2YPc(oa6CUb&Y zC^x2Eany7iCMrF|zm`@c=jA2eOY;IikmHkSA>OoU$!zsT<;mbW`o>Hu^0X&PFfh==8Gr=tzCKx3A zB^PTKV#mto+{BOBsXsVZM6EY0CMeAIco5b-T0skSBqvManycm@qn{BS*f zBEExuEd#$fPHsO^3Z0QAY$5tW2HlA;)!9#@oj2@rk(uWh*&M>*^KJ!4|AV@ zipeVGC^KZ!#!GDE1ger)re}y8Hn_-3Bs~cN_grxwGfdGWzZj_sFG)OW;%o8T9Z0s= zSjt&`K@ymN^(HeZvBfYMHNyKn^>DiR{8pv&%~5>dJrSu#P@6Smtb>uYyfj@Y(z~sc zykcM=X}&qCY6LHf{OM5mTNK_m1Yt+F@uHw~AT5!I2r-CkiJx73F@97xHx;4Z^xTuQ z)5+7#ja~L;-^2AL_5~CBck7laryE^(`99e^Ap|n@0JXNzLyB<#h!}Q74jTdF-L4NqKsPh-;o${)Xh^j_{gqsRJyFa zs#&0+{ZSs!ePWd38UD_x&DngC(9)}5c#efH)DtCb#6Y)wV(zqLAymGxA^=j;l!K#| 
zzLC=q;7&R&tv0^P_Bn^gd+HTm>T5qGF$CIS2OPVGoJ>B0ZNw1^7kRAGdc_9agtmAF z=9_wIXR_uU+CjL)5F`pmwrHBWE2hx%ZnTs@h7BiU+Zb`cGd>A|8$)(PTh)5d-P3KF zhru$#sM3rZR`Klb>y5zydjhw6l00u#CNXwb)1`SIDFjfj5s=Rw~u7iSRPM!6<+OP_<&vzV?ya-XxMu0Rrx)GT|F zc}mJ#ovz-dvxbx`%3KIL`+PAUk%Jh341jFZ$>?W@jbL&0KpVqxXbrz9CfVNpsn}vY zXs?`xWTA>e{i#scFzWL3s&44I9J|FGoWqy{M-q3W49U6K`4E4dWdf-1aKRyB@z8A6 zf*p4&0ZdxBGl1CUt^JM6N!P&B6pZ)rop#3Da0Rm^>s8q+?@8?SNy*^rmQ0$j!-fsj z^O}S4G-zzGq+FReHTpenhtpzKg{jDncH7Y)k@bAVIJxPMh4GTyus2K-4=W>PYW2qR z9iDCuubSPV`}tILG?HXaq?|Bm-l-uhW&RN-I+Yil`UH~bDyCbU1+;BrWWbs>JceGE z6IQ>~WV_Ae7tan6fRSN!_VR|gJ6#yt)WvH0>lx8{n<nn%Z;A3Wwcg%1$2JeN-R`9$La3Wq8^*<$`J7s^VnlKqpFlcM@+1J-3IR3;V6Ykr**G zUAoI%E?4@T3I185CMyV7w50$8QI_pI<1pz&GJ`I!DQACwXHLRrgd~U?fltND3s}&j z4!nmG?DW}%X8-t6dA_xl`hKagQBEUbV9c|nnWa};X2^@Elyjk9x#Q9vpY)5Qnkl$W zp$zO7zDxAfri{Ymi<4r)M&cLNY#5xJ7%!Y3M_~X)Uy8ag={~LoJ7!3C8=fQ3XDB= zJ2GB({PL8=qD1ia$@ygbZIM2@um^FLG9L);@J$lS?xHnOXUTV6pdw1vt$N$Gk`p)? z4UjJuEa+=H(&`OVXYQAo)!ic?L$P$r%#JxDe5uR+G5dWKhn`+s4wsSp5I9ur*i6huHCC5&8>%Nz}+Vl+4&lWV!eN#eFgFWX5rvtYNm0B$6DDedMJm;FlL2zpS%Q^b5HiNtEo&`Q_ z78xDUf|GL4nDvu0znwE5dU8G-L|B~~Q)N+ybyjTAtxkFvhkf`{hngLF*Le;4QZ8|*mDpZg zBK~@AuVf-S@P=E5$ME?h{Li`F(#XloRL#Z7%HHDF50LK1s`99#H$Wz%WcqQj)japCk!WG{Bl?D{=uz?e0D?F z)%J2qduhp*fQA*3=NO$9+Ef@e4U|>2((w_RPO{B`yjW)c+j|vq93ySuOv8?Z#PlFV8D-()G*#U{T z`(lMgkMjaFudF4rsxvtK-IYAn#r*q+W>nx z{Xa~ILVG0B(p)_^X>n-m15`x9!*+`?$9P!FY2T!G&)jQ0%{P$BS~xheT6Dg%KSK_h z?MQWSa=uW3&_9#}d(Xe?YI7Yqx$z+~$-ifjf*kZYRGRQGx)0ofv)q|%i79(=`fl(Y z3KJ$MZ$xW=t}TJ;{v);{R`)t3==9{C8>o zYhAt`CjC#(>3<6MFQtC1Ti5xPw|^-0_bT=$G75Z&f7{OR0n+efyi5A+*Z%{( CcS!R9 literal 0 HcmV?d00001 diff --git a/pom.xml b/pom.xml index 5f39a0bc..65c1d5bf 100644 --- a/pom.xml +++ b/pom.xml @@ -196,6 +196,26 @@ 1.4.10 + + org.apache.poi + poi + 3.10-FINAL + + + + + org.apache.poi + poi-ooxml + 3.10-FINAL + + + + com.monitorjbl + xlsx-streamer + 2.0.0 + + + 
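Review bot: The three dependencies added to pom.xml pin versions that the commit's own Javadoc (in ooxmlXXE.java and xlsxStreamerXXE.java) identifies as vulnerable, poi/poi-ooxml 3.10-FINAL and xlsx-streamer 2.0.0, but nothing in the pom records that the choice is deliberate. Add an XML comment above each block, e.g. `<!-- intentionally vulnerable version for the XXE demo in othervulns/ooxmlXXE.java; the fixed version is 3.15 or above, do not bump here -->`, so that a dependency-update bot or someone reading a vulnerability-scan report does not silently "fix" the demo or mistake the project for a deployable service. The same comment, naming 2.1.0 as the fixed version, applies to the xlsx-streamer entry.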
diff --git a/src/main/java/org/joychou/controller/CommandInject.java b/src/main/java/org/joychou/controller/CommandInject.java index 758df64a..bf4f6515 100644 --- a/src/main/java/org/joychou/controller/CommandInject.java +++ b/src/main/java/org/joychou/controller/CommandInject.java @@ -16,7 +16,7 @@ public class CommandInject { protected final Logger logger = LoggerFactory.getLogger(this.getClass()); /** - * http://localhost:8080/codeinject?filepath=/tmp;pwd + * http://localhost:8080/codeinject?filepath=/tmp;cat /etc/passwd * * @param filepath filepath * @return result @@ -33,7 +33,7 @@ public static String codeInject(String filepath) throws IOException { /** * Host Injection - * host: Host: hacked by joychou;curl ssrf.http.joychou.org + * Host: hacked by joychou;cat /etc/passwd * http://localhost:8080/codeinject/host * */ diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java index e5ea009e..79133f16 100644 --- a/src/main/java/org/joychou/controller/XXE.java +++ b/src/main/java/org/joychou/controller/XXE.java @@ -1,9 +1,9 @@ package org.joychou.controller; - import org.dom4j.io.SAXReader; import org.springframework.web.bind.annotation.*; import javax.servlet.http.HttpServletRequest; + import org.w3c.dom.Document; import org.w3c.dom.Node; import org.w3c.dom.NodeList; @@ -37,7 +37,7 @@ public String xxe_xmlReader(HttpServletRequest request) { String xml_con = Tools.getRequestBody(request); System.out.println(xml_con); XMLReader xmlReader = XMLReaderFactory.createXMLReader(); - xmlReader.parse( new InputSource(new StringReader(xml_con)) ); // parse xml + xmlReader.parse(new InputSource(new StringReader(xml_con))); // parse xml return "ok"; } catch (Exception e) { System.out.println(e); 
@@ -47,7 +47,7 @@ public String xxe_xmlReader(HttpServletRequest request) { @RequestMapping(value = "/xmlReader_fix", method = RequestMethod.POST) - public String xxe_xmlReader_fix(HttpServletRequest request) { + public String xxe_xmlReader_fix(HttpServletRequest request) { try { String xml_con = Tools.getRequestBody(request); System.out.println(xml_con); @@ -58,7 +58,7 @@ public String xxe_xmlReader_fix(HttpServletRequest request) { xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false); xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); //fix code end - xmlReader.parse( new InputSource(new StringReader(xml_con)) ); // parse xml + xmlReader.parse(new InputSource(new StringReader(xml_con))); // parse xml return "ok"; } catch (Exception e) { @@ -69,13 +69,13 @@ public String xxe_xmlReader_fix(HttpServletRequest request) { @RequestMapping(value = "/SAXBuilder", method = RequestMethod.POST) - public String xxe_SAXBuilder(HttpServletRequest request) { + public String xxe_SAXBuilder(HttpServletRequest request) { try { String xml_con = Tools.getRequestBody(request); System.out.println(xml_con); SAXBuilder builder = new SAXBuilder(); - org.jdom2.Document document = builder.build( new InputSource(new StringReader(xml_con)) ); // cause xxe + org.jdom2.Document document = builder.build(new InputSource(new StringReader(xml_con))); // cause xxe return "ok"; } catch (Exception e) { System.out.println(e); @@ -84,7 +84,7 @@ public String xxe_SAXBuilder(HttpServletRequest request) { } @RequestMapping(value = "/SAXBuilder_fix", method = RequestMethod.POST) - public String xxe_SAXBuilder_fix(HttpServletRequest request) { + public String xxe_SAXBuilder_fix(HttpServletRequest request) { try { String xml_con = Tools.getRequestBody(request); System.out.println(xml_con); 
@@ -93,7 +93,7 @@ public String xxe_SAXBuilder_fix(HttpServletRequest request) { builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); builder.setFeature("http://xml.org/sax/features/external-general-entities", false); builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false); - org.jdom2.Document document = builder.build( new InputSource(new StringReader(xml_con)) ); + org.jdom2.Document document = builder.build(new InputSource(new StringReader(xml_con))); return "ok"; } catch (Exception e) { @@ -102,13 +102,13 @@ public String xxe_SAXBuilder_fix(HttpServletRequest request) { } @RequestMapping(value = "/SAXReader", method = RequestMethod.POST) - public String xxe_SAXReader(HttpServletRequest request) { + public String xxe_SAXReader(HttpServletRequest request) { try { String xml_con = Tools.getRequestBody(request); System.out.println(xml_con); SAXReader reader = new SAXReader(); - org.dom4j.Document document = reader.read( new InputSource(new StringReader(xml_con)) ); // cause xxe + org.dom4j.Document document = reader.read(new InputSource(new StringReader(xml_con))); // cause xxe return "ok"; } catch (Exception e) { @@ -118,7 +118,7 @@ public String xxe_SAXReader(HttpServletRequest request) { } @RequestMapping(value = "/SAXReader_fix", method = RequestMethod.POST) - public String xxe_SAXReader_fix(HttpServletRequest request) { + public String xxe_SAXReader_fix(HttpServletRequest request) { try { String xml_con = Tools.getRequestBody(request); System.out.println(xml_con); 
@@ -127,7 +127,7 @@ public String xxe_SAXReader_fix(HttpServletRequest request) { reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); reader.setFeature("http://xml.org/sax/features/external-general-entities", false); reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); - org.dom4j.Document document = reader.read( new InputSource(new StringReader(xml_con)) ); + org.dom4j.Document document = reader.read(new InputSource(new StringReader(xml_con))); return "ok"; } catch (Exception e) { @@ -231,7 +231,7 @@ public String xxeDocumentBuilderReturn(HttpServletRequest request) { NodeList child = rootNode.getChildNodes(); for (int j = 0; j < child.getLength(); j++) { Node node = child.item(j); - buf.append( node.getNodeName() + ": " + node.getTextContent() + "\n" ); + buf.append(node.getNodeName() + ": " + node.getTextContent() + "\n"); } } sr.close(); @@ -265,8 +265,8 @@ public String DocumentBuilder(HttpServletRequest request) { for (int j = 0; j < child.getLength(); j++) { Node node = child.item(j); // 正常解析XML,需要判断是否是ELEMENT_NODE类型。否则会出现多余的的节点。 - if(child.item(j).getNodeType() == Node.ELEMENT_NODE) { - result.append( node.getNodeName() + ": " + node.getFirstChild().getNodeValue() + "\n" ); + if (child.item(j).getNodeType() == Node.ELEMENT_NODE) { + result.append(node.getNodeName() + ": " + node.getFirstChild().getNodeValue() + "\n"); } } } @@ -387,7 +387,7 @@ public String XMLReaderVul(HttpServletRequest request) { SAXParserFactory spf = SAXParserFactory.newInstance(); SAXParser saxParser = spf.newSAXParser(); XMLReader xmlReader = saxParser.getXMLReader(); - xmlReader.parse( new InputSource(new StringReader(xml_con)) ); + xmlReader.parse(new InputSource(new StringReader(xml_con))); return "test"; } catch (Exception e) { System.out.println(e.toString()); 
@@ -407,7 +407,7 @@ public String XMLReaderSec(HttpServletRequest request) { xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false); xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); - xmlReader.parse( new InputSource(new StringReader(xml_con)) ); + xmlReader.parse(new InputSource(new StringReader(xml_con))); return "test"; } catch (Exception e) { System.out.println(e.toString()); @@ -415,4 +415,9 @@ public String XMLReaderSec(HttpServletRequest request) { } } + + public static void main(String[] args) throws Exception { + + } + } \ No newline at end of file diff --git a/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java b/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java new file mode 100644 index 00000000..6a17e366 --- /dev/null +++ b/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java 
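Review bot: The `main` method added at the end of XXE.java has an empty body and nothing in a Spring controller calls it, so it reads as leftover scratch code. Either drop it before merging or give it a comment such as `// local debugging stub, not used by the web application` so a reader does not go looking for its purpose. The other hunks in this file are whitespace-only reformatting and need nothing.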
@@ -0,0 +1,79 @@ +package org.joychou.controller.othervulns; + +import org.apache.poi.xssf.usermodel.XSSFCell; +import org.apache.poi.xssf.usermodel.XSSFRow; +import org.apache.poi.xssf.usermodel.XSSFSheet; +import org.apache.poi.xssf.usermodel.XSSFWorkbook; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.PostMapping; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.multipart.MultipartFile; + +import java.io.IOException; +import java.util.Iterator; + +import static org.apache.commons.lang.StringUtils.isBlank; + +/** + * Desc: poi-ooxml xxe vuln code + * Usage: [Content_Type].xml + * Ref: https://www.itread01.com/hkpcyyp.html + * Fix: Update poi-ooxml to 3.15 or above. + * Vuln: 3.10 or below exist xxe vuln. 3.14 or above exist dos vuln. So 3.15 or above is safe version. 
+ * + * @author JoyChou @2019-09-05 + */ +@Controller +@RequestMapping("ooxml") +public class ooxmlXXE { + + + private final Logger logger = LoggerFactory.getLogger(this.getClass()); + + + @GetMapping("/upload") + public String index() { + return "xxe_upload"; // return xxe_upload.html page + } + + + @PostMapping("/readxlsx") + @ResponseBody + public String ooxml_xxe(MultipartFile file)throws IOException { + XSSFWorkbook wb = new XSSFWorkbook(file.getInputStream()); // xxe vuln + + XSSFSheet sheet = wb.getSheetAt(0); + XSSFRow row; + XSSFCell cell; + + Iterator rows = sheet.rowIterator(); + String result = ""; + + while (rows.hasNext()) + { + row=(XSSFRow) rows.next(); + Iterator cells = row.cellIterator(); + while (cells.hasNext()) + { + cell=(XSSFCell) cells.next(); + + if (cell.getCellType() == XSSFCell.CELL_TYPE_STRING) { + result += cell.getStringCellValue()+ " "; + } else if(cell.getCellType() == XSSFCell.CELL_TYPE_NUMERIC) { + result += cell.getNumericCellValue()+ " "; + } else { + logger.info("errors"); + } + } + } + if ( isBlank(result) ){ + result = "xxe test"; + } + + return result; + } +} diff --git a/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java b/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java new file mode 100644 index 00000000..4ca4bf2f --- /dev/null +++ b/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java 
@@ -0,0 +1,44 @@ +package org.joychou.controller.othervulns; + +import com.monitorjbl.xlsx.StreamingReader; +import org.apache.poi.ss.usermodel.Workbook; + +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.PostMapping; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.multipart.MultipartFile; + +import java.io.FileInputStream; +import java.io.IOException; + + +/** + * Desc: xlsx-streamer xxe vuln code + * Usage: xl/workbook.xml + * Ref: https://www.itread01.com/hkpcyyp.html + * Fix: update xlsx-streamer to 2.1.0 or above + * + * @author JoyChou @2019-09-05 + */ +@Controller +@RequestMapping("xlsx-streamer") +public class xlsxStreamerXXE { + + + @GetMapping("/upload") + public String index() { + return "xxe_upload"; // return xxe_upload.html page + } + + + @PostMapping("/readxlsx") + public void xllx_streamer_xxe(MultipartFile file)throws IOException { + Workbook wb = StreamingReader.builder().open(file.getInputStream()); + } + + + public static void main(String[] args) throws Exception { + Workbook wb = StreamingReader.builder().open((new FileInputStream("poc.xlsx"))); + } +} diff --git a/src/main/java/org/joychou/security/LoginSuccessHandler.java b/src/main/java/org/joychou/security/LoginSuccessHandler.java index 2a81afa2..75765b02 100644 --- a/src/main/java/org/joychou/security/LoginSuccessHandler.java +++ b/src/main/java/org/joychou/security/LoginSuccessHandler.java 
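Review bot: `xllx_streamer_xxe` is declared `void` on a plain `@Controller` with no `@ResponseBody`, so after parsing Spring will fall back to resolving a view name from the request path instead of returning a body; the sibling `ooxmlXXE.ooxml_xxe` returns a `String` under `@ResponseBody`, and this handler should match it. The upload stream from `file.getInputStream()` is also never closed, and the same leak appears in the `main` below with `new FileInputStream("poc.xlsx")`, which should either be removed from a web controller or wrapped in try-with-resources. The intentionally vulnerable `StreamingReader.builder().open(...)` call stays; only its surroundings change in the rewrite below (needs `java.io.InputStream` imported). If the returned `Workbook` is `Closeable` in the resolved POI version, add `wb` to the try as a second resource; unconfirmed for 3.10-FINAL.
```java
    @PostMapping("/readxlsx")
    @ResponseBody
    public String xllx_streamer_xxe(MultipartFile file) throws IOException {
        if (file == null || file.isEmpty()) {
            return "xxe test";
        }
        try (InputStream in = file.getInputStream()) {
            Workbook wb = StreamingReader.builder().open(in); // xxe vuln, kept on purpose: xlsx-streamer 2.0.0 demo
            return "ok";
        }
    }
```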
@@ -1,15 +1,22 @@ package org.joychou.security; +import com.alibaba.fastjson.JSON; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.http.MediaType; import org.springframework.security.core.Authentication; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; +import org.springframework.security.web.savedrequest.DefaultSavedRequest; +import org.springframework.security.web.savedrequest.HttpSessionRequestCache; +import org.springframework.security.web.savedrequest.SavedRequest; + import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; - +import java.net.URI; +import java.util.HashMap; +import java.util.Map; public class LoginSuccessHandler implements AuthenticationSuccessHandler { @@ -23,8 +30,17 @@ public void onAuthenticationSuccess(HttpServletRequest request, logger.info("USER " + authentication.getName()+ " LOGIN SUCCESS."); + SavedRequest savedRequest = new HttpSessionRequestCache().getRequest(request, response); + if (savedRequest != null) { + logger.info("Original url is: " + savedRequest.getRedirectUrl()); + } + + Map content = new HashMap<>(); + content.put("code", "0"); + content.put("message", "Login success"); + // google ajax and sendRedirect response.setContentType(MediaType.APPLICATION_JSON_VALUE); - response.getWriter().write("{\"code\":0, \"message\":\"Login success\"}"); + response.getWriter().write(JSON.toJSONString(content)); } } diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html index 15b78a69..cab90aad 100644 --- a/src/main/resources/templates/index.html +++ b/src/main/resources/templates/index.html @@ -8,7 +8,7 @@
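Review bot: `Map content = new HashMap<>();` in `onAuthenticationSuccess` is a raw type; declare it `Map<String, String> content = new HashMap<>();`. The response body also changes `code` from the number `0` to the string `"0"`; the login.html hunk in this commit adjusts its comparison, but any other consumer that compares numerically would break, so a comment such as `// "code" is serialized as a string; login.html compares with == "0"` would record the contract. The saved-request log line would read better parameterized, `logger.info("Original url is: {}", savedRequest.getRedirectUrl());`, matching the SLF4J style already used in the file. The added imports `java.net.URI` and `DefaultSavedRequest` do not appear to be used in the visible hunks; the rest of the class is outside the diff, so they may be needed elsewhere.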

Hello .

Welcome to login java-sec-code application. Application Infomation

- CmdInject   + CmdInject   JSONP   PathTraversal   SqlInject   @@ -17,5 +17,6 @@

...

logout + \ No newline at end of file diff --git a/src/main/resources/templates/login.html b/src/main/resources/templates/login.html index f5c4f7f2..1b069872 100644 --- a/src/main/resources/templates/login.html +++ b/src/main/resources/templates/login.html @@ -51,9 +51,9 @@ data: { "username": username, "password": password, "remember-me": remember_me}, dataType: "json", success: function (r) { - if (r.code == 0) { + if (r.code == "0") { // alert(r.message); - location.href = ctx + 'index'; + location.href = ctx + "index"; } else { alert(r.message); } diff --git a/src/main/resources/templates/xxe_upload.html b/src/main/resources/templates/xxe_upload.html new file mode 100644 index 00000000..d58426f0 --- /dev/null +++ b/src/main/resources/templates/xxe_upload.html @@ -0,0 +1,14 @@ + + + + +

xlsx xxe test page

+ +
+

+ + +
+ + + 
diff --git a/xxe.xlsx b/xxe.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..1146b47842890899263e3f551cdd0805b45fd6c1 GIT binary patch literal 9049 zcmeHtg;yNe_I2a#?(Q@e+$DiP;}(Jj_r~2xLK8H&Yp~$K-JReN+(U5JAmP`UdGpOo zX1>4Rz3R29Rp_128$turh=J0N%p`0C)goSUnjB zu&X)P)kxFJ(cHy=!_(f5Iu{<6IU4{AJ^z2(fAJG2jUQI-=E8n<{rq0$D^OvnN)nmx zFt{I=RZYC3C$6v9R4>!o`Z4p}9kz51fsMc?+_5Dep3@PlDzJTBaA;q%I(m4}K!=tg znE+>R{{cfg5lO7G?#ttBd@@OH5+kEXi!?y8Q+>BO@6&ZDg;G*00z&b?&5VV9ZJgD< zM)YFcBB6oB&NXH26&%5#k5ky26L`}$)+|1T=bJ!z_;6aEB|>+@d{r794HgsiM(5ik zP@4;L!;_g;rm!nqA@5r;mq%9-o7)5^m3T?3K89Ts>-N33Wo!4<_w{aPjtaj}y=~$r zurdPbWl9Fo1W(QZRBgj+2+MfDV}3mn1RoTKPr9g=?-xQhX$3Uk+Zp-3n$0V{r}|nU#!8u z+lrqofBo9O4oaE+-ELlu2SR_yqMivqghKD zigG}Mt8}tcr%yj&k8!*pMZwD_4QMg_NsxGa(mC{rG(kl|3P6VO zwB!6;Cms&Ywk8e^wm;qL56!?pEesmvzk4fHR|55LVYj0FfN*)Fxf9^byK>SVXzgPm z57w|OGSWQpzgQ(>Z8FgL0^)>o2=O`|>36^8!`y(wyX<5u3d4o>#y{IP6Nl@fPF}wg1JJU35H=WO}kk4A~ zEtI@QZ96~QqHmFxfGCUk#C$_ssUZV$Q~@lpE?c=N&05FnuF`iyEbWVD?86tw7GDSZ zXI7yj{ZGmiXzm-zzySaiNB{s9^b9Cv{z{foEj5QUVPe0mn#aI<-H(Vo5^sH{pT(-T>592zrLq&4vy)D zD10$#7#yE1nT(8iV#7aO8V5HvE=Dy0slGl|u2)|+1bOWPI=C!~X1wFPS9EGyEH~dR zoxspWYKl#9X$q_~sHM-C4mTc&jP(nic{3u`$UUF2b^%ma|3*DfYk_@ox zwMd`1-Q#l<)2N^7D>G|{3ALR-@pF)hnR>DNeT15z`AG6A>dmNfCqZY{E35nOO4#0~ z#fF*+QB@O6fWt%i_HmU;xq)inT@0M3hZj3YL19!r~p2x~ue36DU^)gI3Z7ocFW}GE!5;}2OvK2_d z*Lhdh?cqpZ){H}soCLV*?OvwmokZ?PC_y!|5N|O75z2dF)`VCpEVH-g&YwEKxbf4# z7rajA)L{ntiNm=k-Ie;^+9e~xCKamW>mmANJLqb+ka5epG&=agxFRZR(Y5X|z6Xa9 z@;h_*G>yZwwZ+p30*jr4w(y+9MRWvltEMbD-r$KZA#LHh^(1H3($OwdjSbd8oH@pJ ztdieDUW8Dd@C>{VzcL_Yh-pT*T4QXW2d5-)V`%r%8X_e|U%z=TCKi-@n9(WxBV0%g zg?y@@UN3??A=RVkJarC#G+L{)q+`9H8qGBLp{I0B2TaMX~!%^Cx1yeey z@7*yhaMfU<%Lo$g_Gwfmj>6@(@Ufr7N-T3Ui=ey8T)~J%d%3HBCssg+tW()Xs^gkv zUNpjm9Pmsxb~2y76PzhGjSG>X-Til=AKw_U<|BNnoB^$t@-gH) z$p_!5VMq8%CHDZkH1PxAXhVNgzVvyEYilwe>}27AK`5J>YzWMsH0zYIp}>?6+H=gK z)7%%6$Mfr;)5%FtOAv$8H_{?t+mUI+3)qO;2!$U|kwG<;2vxSJxWtPIX)DnCcF_G& 
zoy8i1by{`-U(SFU^jWTkf&3t{GK=Buh5{WLhg6(2QOwivtDcAJifak~CY@*So6YzQK*E^@Va6H6Jft1{h@vm|3L%2YM3P~saR|Z%)`}WKr!7_H|qL)0hyYyPtPZ<((T+OFhzQ4RZz*S20$Uxd){T=jjB zI@od|9+B&wH&5>uJ3Pfh(p`fXi;!mAc-o|7rw_Ki@PXW_aiP>jEu>EVi`gWXN3Ca8v8fXakVnHH|P9q&;3&h2QT%)$prBIIWHv8&yQ~SH-~W@PWcwi z1W;Zw&R&BV8Nb&`cPesw>b7@#> zw~p~J!a*#QH#|&A9F9n_NH>`;KJ^KG=9U@_Qw0;GTL6EKSmg{ zJm&0pex>#y$BX7*MdD?rt~6t=q8B_{La0^72?jP{D4?$e`r#AyeMkUR$uN3((Z=L; z6jCW34;%)hbkAlpQmKs*)h>ASB-VVXkEo9`4%rgBp}D{abZc`W9ojD;@nV_8PCRkI zM;@z7jDbzLXyv0vPv^(NI4lX##zzDGdTsN;!)!B~p@+-M!hnF&pzCccqaT-R)vkL} zp2izlzIPLGSpj~j-a1Z4Vf|SFk6-(bsU+^dMmtan*3=6LbFItZnywr4_ODvmGmF(T3Yg=ornt zV7#;&$Y#UQ-QDfQNTi$%b?d3?2!Pl5tZ+$i&d zo6N1&A?=0_Wia5~M8bcwRn{pcwes+XwoPQvmS%q~%$a zFucgw#3_Z?UWtx<=W=HeTEr)n$t44i5E2fS>Ol?Q$Q{)J@_P&^9Vn$iU{L8wR^G{< zecssCoX7hiVjkTbDD*nGzwAa!Awwy?%B8qt{>>d$BA*zqO1Y_^{1>79mSUj_oBKyU zt!it|tXZDz+Rt9VP47EzV6CEIo1}T1hnMRZ)5_dg3bw-aR`7;FPO~`did7#R@$@0{ za-4oGz!JyzGpQmWcqk_ER50!shvZPs3b8Dw3j9j>S%Eie3klvh_hfg|hcK1hFMfqy zE&YAgh1L4n1|!pNVF!I%@XPyhKnxnLWtkqw+IwyiuEouzAh`I0aAIRc3oI-XjA3UTcG##74(!`yFqGxVzsIv5{_Ck0@88!H+~f z6MU0ooJc}c1$i1TtRJU5gvcF}>=WMuGy(=BVDL_m=i0Nq2*h5|*-VvWb4YczgZUavhGd0#_jHle8ng^lbNn!%?Cdy1D(rlIT|r>XS@_dH>drg;5xa0 zS)X~7UbZNAhgDarE!I3?M@Cnf=D)FblNA&@tzwcG$QadilVsml$hf)vw$w6Xfm9zP z>g^aHSg5|E+Lgg4r+Seu@SerKgRqgVniNOe%SBoD$FlkyW>Z3?9y4E;KTQ#0zBHZP z3$#P7(!@LC#_4^{qs~s+4-Mo6^;d8WUD@FWM~2ZA%d7pvdZ}o1ghVNAS)4ZAmk)l8 z8%^z0#c5uvbdtgzwh2n z`!N#tTiH7X>1%5}w!W5cSqU$mQE)R?2>#fFMnDPwWUAW6`h09mnAcTk`ogoHkw3NI^Hs-y-vle>D2Sk-PQ^4*aiK zD54NIlgp82dDGAf1~2$29hfP~cZ^!nw{hL)Jl;ky6W$1?lxZj?o_~>$$QN8#Ar`88 zU}Wvg2qZ<3UCGodJAQz8V21@w)KPiL_GO5MCKRz!QwDVhKuGC~0$mAiH$k;ZwmY1N z_9+Bx1`n}~Y&rDg>H7F~MvWD>H}V4pyVR*((&cQD-4ez55@u^acT`q5PtnM#h`yJo z>NhLG21Yt#CxACV>!1^H#5Jy{A6Pk-$Sq^<&CZ11z$e%r+kTsK24CO=F-eu%Crhjk zMs%?{Q?-OJUsxLZ>-4!e2j*{VFDXeRiH?-rHeOhRm&eQvq5`9o(QAH$5r?{)gpBoE zxLl+p`-3kO6&LCfMfb3TgN3?a`55%yDLZq?Fe~$QWvy%v>DhK|x=QZmcIZ zyaVO5&+~fw?D@#~vYoQ900k*qmi(kpbvAV@bza%Lo#7qE5xs`owm_j#^z+k^=n3ts 
z^x~RuQ5(F{*LJdqxLt%S3k{{O%SLLyGf=BpY~;RVAl`jNrB-S3S%HkDx)Tmz9PTN3+`CCOnLY0T_DNLf&mX%GUXDuj*KogQSMOFt@}i!pY}Jq{ z38>9cTO3dBY-Vb4$(FLP0zV_>T3k5E!|k+dW%do~xiZLkJILDEZV9lmI`O%KaCz;V zS93VD<^}bPa1|F$+>91W8cg9<(V~a77{EtF-#+6-6*tNv6z`{LKRoR;SVCbE=%>1L zcjo)ry?y9QuFvErar#gsluVAfaf;J!^;C+p@!))s3*7RqAh0L;`2IjYJNLwib>!o` zxlo1K_LjMpLA;BXo0^t$SZoOK_v@CKOn47#YKdrUH@QJ;TkSl)YYAff09)UGEmk7P zz9CkG{^A22G#qHL(#*kB)!D((h11l*+5A6kw*S>Ap=^$bRReW%;lEu)c$69RNh=@| zmRSrM$|OexGq=6{>W;=QFQ2>oqt&{3W)R<3akSBBw2?mRSd+pp*lltLHirHgjurUL zbQ)~gi*U~n+U*p=Qhrj@8YIZKt*vLHWJ8f}nQTcb4THmB`E1tuw(G&=pG#nB=2?t@qM52Q`H^81e+E~1zlmry;*ap zKq^_PfNOQ$(40I@8{fsgjtAaQM;&FvefVU*n3r+EE$ts{l!P_rH>0x$enGC9f~MSv z@GTOU6sxzXxb>mGIF>xO7A|cQPp*C>Rj3_3yn;S-@xe%DyYEEZ$j%ev=PD+$Poz!HYjTD{xnsAxDwvVCFDMZSFiWZ=Fv7 zd7o`FVM0bwNDt{?rg;(t;su8L!eVI$rD;uM!RW#im_A@*n<;G1WVWHSJK65!ZSt6N zOpZWKjlW)K+6W}hC58dkC>V_r?NdKJ$Ho2&8v>c|81{k)pfBrFrD={l#ezP>$q4f? z1p*Ve9_ytcRjn^;=3E{a-m!&V{)|p?J0NzIh1WU66hssc71kt*V@Y6vyTqVc@7cOh zQfmMFwmQZTeAc1zP8}7Rnfbd6slu-{O5EF|BL+1!vyHJ+nq?S*`e(=nL7<|q8d3%{ z7yEiak@6)`gcPKx+@LEq&J#_uEE;1h?NH2I1QqnT`p7}-W`4D4EQx^oAD4$?*FFp{ zscdBg?KAqW$}+Jq$jJq+5b2Q6`rnX&FsBM_5Mm4gnJPg@AvhjAFK0t}N7K(RIKRn1 zdUDE41+P{+hKlPxGA!4mIikFYUKHghcEi8{{Rr%?!$NTD4UZ@nc==_mUPt^&l<1bN zfkMS#Y|P?&T6(*iy2jaV(WMb|fPS|_7+4_G`u_bThChb!kK@0*(x3|Zdw{>UTmJz5 zJSIW4@|Wi8ufV^zp#BPMfmS^K{|%{M&94#u yZm)mh0RU?<0N@{H`z!qKQ{!LZ2NZvS|7W691tCC37XUzoegdI>-c9}U+y4Q6@3kHP literal 0 HcmV?d00001