
Commit d0ece30

committed
update deserialize getcookie method
1 parent 562b956 commit d0ece30


5 files changed

+51
-61
lines changed

5 files changed

+51
-61
lines changed

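--- a/src/main/java/org/joychou/controller/CommandInject.java
+++ b/src/main/java/org/joychou/controller/CommandInject.java
@@ -1,7 +1,7 @@
 package org.joychou.controller;
 
 import org.joychou.security.SecurityUtil;
-import org.joychou.utils.Tools;
+import org.joychou.util.WebUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -28,7 +28,7 @@ public static String codeInject(String filepath) throws IOException {
 ProcessBuilder builder = new ProcessBuilder(cmdList);
 builder.redirectErrorStream(true);
 Process process = builder.start();
-return Tools.convertStreamToString(process.getInputStream());
+return WebUtils.convertStreamToString(process.getInputStream());
 }
 
 /**
@@ -46,7 +46,7 @@ public String codeInjectHost(HttpServletRequest request) throws IOException {
 ProcessBuilder builder = new ProcessBuilder(cmdList);
 builder.redirectErrorStream(true);
 Process process = builder.start();
-return Tools.convertStreamToString(process.getInputStream());
+return WebUtils.convertStreamToString(process.getInputStream());
 }
 
 @GetMapping("/codeinject/sec")
@@ -59,6 +59,6 @@ public static String codeInjectSec(String filepath) throws IOException {
 ProcessBuilder builder = new ProcessBuilder(cmdList);
 builder.redirectErrorStream(true);
 Process process = builder.start();
-return Tools.convertStreamToString(process.getInputStream());
+return WebUtils.convertStreamToString(process.getInputStream());
 }
 }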
@@ -1,6 +1,5 @@
11
package org.joychou.controller;
22

3-
import org.apache.commons.lang.StringUtils;
43
import org.joychou.security.AntObjectInputStream;
54
import org.slf4j.Logger;
65
import org.slf4j.LoggerFactory;
@@ -11,9 +10,12 @@
1110
import javax.servlet.http.HttpServletRequest;
1211
import java.io.ByteArrayInputStream;
1312
import java.io.IOException;
13+
import java.io.InvalidClassException;
1414
import java.io.ObjectInputStream;
1515
import java.util.Base64;
1616

17+
import static org.springframework.web.util.WebUtils.getCookie;
18+
1719
/**
1820
* Deserialize RCE using Commons-Collections gadget.
1921
*
@@ -23,8 +25,8 @@
2325
@RequestMapping("/deserialize")
2426
public class Deserialize {
2527

26-
27-
private static Logger logger= LoggerFactory.getLogger(Deserialize.class);
28+
private static String cookieName = "rememberMe";
29+
protected final Logger logger = LoggerFactory.getLogger(this.getClass());
2830

2931
/**
3032
* java -jar ysoserial.jar CommonsCollections5 "open -a Calculator" | base64
@@ -33,27 +35,18 @@ public class Deserialize {
3335
* http://localhost:8080/deserialize/rememberMe/vul
3436
*/
3537
@RequestMapping("/rememberMe/vul")
36-
public static String rememberMeVul(HttpServletRequest request)
38+
public String rememberMeVul(HttpServletRequest request)
3739
throws IOException, ClassNotFoundException {
3840

39-
Cookie[] cookies = request.getCookies();
40-
String rememberMe = "";
41-
42-
if (null == cookies) {
43-
logger.info("No cookies.");
44-
} else {
45-
for (Cookie cookie : cookies) {
46-
if ( cookie.getName().equals("rememberMe") ) {
47-
rememberMe = cookie.getValue();
48-
}
49-
}
50-
}
41+
Cookie cookie = getCookie(request, cookieName);
5142

52-
if (StringUtils.isBlank(rememberMe) ) {
43+
if (null == cookie){
5344
return "No rememberMe cookie. Right?";
5445
}
5546

47+
String rememberMe = cookie.getValue();
5648
byte[] decoded = Base64.getDecoder().decode(rememberMe);
49+
5750
ByteArrayInputStream bytes = new ByteArrayInputStream(decoded);
5851
ObjectInputStream in = new ObjectInputStream(bytes);
5952
in.readObject();
@@ -68,32 +61,29 @@ public static String rememberMeVul(HttpServletRequest request)
6861
* http://localhost:8080/deserialize/rememberMe/security
6962
*/
7063
@RequestMapping("/rememberMe/security")
71-
public static String rememberMeBlackClassCheck(HttpServletRequest request)
64+
public String rememberMeBlackClassCheck(HttpServletRequest request)
7265
throws IOException, ClassNotFoundException {
7366

74-
Cookie[] cookies = request.getCookies();
75-
String rememberMe = "";
76-
77-
if (null == cookies) {
78-
logger.info("No cookies in /rememberMe/security");
79-
} else {
80-
for (Cookie cookie : cookies) {
81-
if ( cookie.getName().equals("rememberMe") ) {
82-
rememberMe = cookie.getValue();
83-
}
84-
}
85-
}
67+
Cookie cookie = getCookie(request, cookieName);
8668

87-
if (StringUtils.isBlank(rememberMe) ) {
69+
if (null == cookie){
8870
return "No rememberMe cookie. Right?";
8971
}
90-
72+
String rememberMe = cookie.getValue();
9173
byte[] decoded = Base64.getDecoder().decode(rememberMe);
74+
9275
ByteArrayInputStream bytes = new ByteArrayInputStream(decoded);
93-
AntObjectInputStream in = new AntObjectInputStream(bytes);
94-
in.readObject();
95-
in.close();
76+
77+
try{
78+
AntObjectInputStream in = new AntObjectInputStream(bytes); // throw InvalidClassException
79+
in.readObject();
80+
in.close();
81+
} catch (InvalidClassException e) {
82+
logger.info(e.toString());
83+
return e.toString();
84+
}
9685

9786
return "I'm very OK.";
9887
}
88+
9989
}
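Review bot: In rememberMeBlackClassCheck the new catch block returns `e.toString()` to the client, so a rejected payload gets back the exception text (presumably naming the class AntObjectInputStream refused), which leaks how the filter is configured; log the detail server-side and return a fixed message instead. The stream is also left unclosed when readObject() throws, which try-with-resources fixes, assuming AntObjectInputStream extends ObjectInputStream as the `in.close()` call suggests. Dropping the StringUtils.isBlank check means an empty or non-Base64 rememberMe value now reaches `Base64.getDecoder().decode()` and the stream constructor in both endpoints, so the resulting IllegalArgumentException or IOException escapes the handler. As a style point, `cookieName` is never reassigned and would read better as `private static final String COOKIE_NAME`.

```java
Cookie cookie = getCookie(request, cookieName);
if (null == cookie || cookie.getValue() == null || cookie.getValue().trim().isEmpty()) {
    return "No rememberMe cookie. Right?";
}

byte[] decoded;
try {
    decoded = Base64.getDecoder().decode(cookie.getValue());
} catch (IllegalArgumentException e) {
    return "Invalid rememberMe cookie.";
}

// try-with-resources closes the stream even when the class check rejects the payload
try (AntObjectInputStream in = new AntObjectInputStream(new ByteArrayInputStream(decoded))) {
    in.readObject();
} catch (InvalidClassException e) {
    logger.warn("rememberMe payload rejected: {}", e.toString());
    return "Invalid rememberMe cookie.";
}
// … unchanged: return "I'm very OK."; …
```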

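--- a/src/main/java/org/joychou/controller/XStreamRce.java
+++ b/src/main/java/org/joychou/controller/XStreamRce.java
@@ -3,7 +3,7 @@
 import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.io.xml.DomDriver;
 import org.joychou.dao.User;
-import org.joychou.utils.Tools;
+import org.joychou.util.WebUtils;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RestController;
 
@@ -22,7 +22,7 @@ public class XStreamRce {
 */
 @PostMapping("/xstream")
 public String parseXml(HttpServletRequest request) throws Exception{
-String xml = Tools.getRequestBody(request);
+String xml = WebUtils.getRequestBody(request);
 XStream xstream = new XStream(new DomDriver());
 xstream.fromXML(xml);
 return "xstream";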

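--- a/src/main/java/org/joychou/controller/XXE.java
+++ b/src/main/java/org/joychou/controller/XXE.java
@@ -19,7 +19,7 @@
 import org.xml.sax.helpers.DefaultHandler;
 import org.apache.commons.digester3.Digester;
 import org.jdom2.input.SAXBuilder;
-import org.joychou.utils.Tools;
+import org.joychou.util.WebUtils;
 
 /**
 * Java xxe vul and safe code.
@@ -34,7 +34,7 @@ public class XXE {
 @RequestMapping(value = "/xmlReader", method = RequestMethod.POST)
 public String xxe_xmlReader(HttpServletRequest request) {
 try {
-String xml_con = Tools.getRequestBody(request);
+String xml_con = WebUtils.getRequestBody(request);
 System.out.println(xml_con);
 XMLReader xmlReader = XMLReaderFactory.createXMLReader();
 xmlReader.parse(new InputSource(new StringReader(xml_con))); // parse xml
@@ -49,7 +49,7 @@ public String xxe_xmlReader(HttpServletRequest request) {
 @RequestMapping(value = "/xmlReader_fix", method = RequestMethod.POST)
 public String xxe_xmlReader_fix(HttpServletRequest request) {
 try {
-String xml_con = Tools.getRequestBody(request);
+String xml_con = WebUtils.getRequestBody(request);
 System.out.println(xml_con);
 
 XMLReader xmlReader = XMLReaderFactory.createXMLReader();
@@ -71,7 +71,7 @@ public String xxe_xmlReader_fix(HttpServletRequest request) {
 @RequestMapping(value = "/SAXBuilder", method = RequestMethod.POST)
 public String xxe_SAXBuilder(HttpServletRequest request) {
 try {
-String xml_con = Tools.getRequestBody(request);
+String xml_con = WebUtils.getRequestBody(request);
 System.out.println(xml_con);
 
 SAXBuilder builder = new SAXBuilder();
@@ -86,7 +86,7 @@ public String xxe_SAXBuilder(HttpServletRequest request) {
 @RequestMapping(value = "/SAXBuilder_fix", method = RequestMethod.POST)
 public String xxe_SAXBuilder_fix(HttpServletRequest request) {
 try {
-String xml_con = Tools.getRequestBody(request);
+String xml_con = WebUtils.getRequestBody(request);
 System.out.println(xml_con);
 
 SAXBuilder builder = new SAXBuilder();
@@ -104,7 +104,7 @@ public String xxe_SAXBuilder_fix(HttpServletRequest request) {
 @RequestMapping(value = "/SAXReader", method = RequestMethod.POST)
 public String xxe_SAXReader(HttpServletRequest request) {
 try {
-String xml_con = Tools.getRequestBody(request);
+String xml_con = WebUtils.getRequestBody(request);
 System.out.println(xml_con);
 
 SAXReader reader = new SAXReader();
@@ -120,7 +120,7 @@ public String xxe_SAXReader(HttpServletRequest request) {
 @RequestMapping(value = "/SAXReader_fix", method = RequestMethod.POST)
 public String xxe_SAXReader_fix(HttpServletRequest request) {
 try {
-String xml_con = Tools.getRequestBody(request);
+String xml_con = WebUtils.getRequestBody(request);
 System.out.println(xml_con);
 
 SAXReader reader = new SAXReader();
@@ -139,7 +139,7 @@ public String xxe_SAXReader_fix(HttpServletRequest request) {
 @RequestMapping(value = "/SAXParser", method = RequestMethod.POST)
 public String xxe_SAXParser(HttpServletRequest request) {
 try {
-String xml_con = Tools.getRequestBody(request);
+String xml_con = WebUtils.getRequestBody(request);
 System.out.println(xml_con);
 
 SAXParserFactory spf = SAXParserFactory.newInstance();
@@ -157,7 +157,7 @@ public String xxe_SAXParser(HttpServletRequest request) {
 @RequestMapping(value = "/SAXParser_fix", method = RequestMethod.POST)
 public String xxe_SAXParser_fix(HttpServletRequest request) {
 try {
-String xml_con = Tools.getRequestBody(request);
+String xml_con = WebUtils.getRequestBody(request);
 System.out.println(xml_con);
 
 SAXParserFactory spf = SAXParserFactory.newInstance();
@@ -177,7 +177,7 @@ public String xxe_SAXParser_fix(HttpServletRequest request) {
 @RequestMapping(value = "/Digester", method = RequestMethod.POST)
 public String xxe_Digester(HttpServletRequest request) {
 try {
-String xml_con = Tools.getRequestBody(request);
+String xml_con = WebUtils.getRequestBody(request);
 System.out.println(xml_con);
 
 Digester digester = new Digester();
@@ -193,7 +193,7 @@ public String xxe_Digester(HttpServletRequest request) {
 @RequestMapping(value = "/Digester_fix", method = RequestMethod.POST)
 public String xxe_Digester_fix(HttpServletRequest request) {
 try {
-String xml_con = Tools.getRequestBody(request);
+String xml_con = WebUtils.getRequestBody(request);
 System.out.println(xml_con);
 
 Digester digester = new Digester();
@@ -214,7 +214,7 @@ public String xxe_Digester_fix(HttpServletRequest request) {
 @RequestMapping(value = "/DocumentBuilder_return", method = RequestMethod.POST)
 public String xxeDocumentBuilderReturn(HttpServletRequest request) {
 try {
-String xml_con = Tools.getRequestBody(request);
+String xml_con = WebUtils.getRequestBody(request);
 System.out.println(xml_con);
 
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -247,7 +247,7 @@ public String xxeDocumentBuilderReturn(HttpServletRequest request) {
 @RequestMapping(value = "/DocumentBuilder", method = RequestMethod.POST)
 public String DocumentBuilder(HttpServletRequest request) {
 try {
-String xml_con = Tools.getRequestBody(request);
+String xml_con = WebUtils.getRequestBody(request);
 System.out.println(xml_con);
 
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -283,7 +283,7 @@ public String DocumentBuilder(HttpServletRequest request) {
 @RequestMapping(value = "/DocumentBuilder_fix", method = RequestMethod.POST)
 public String xxe_DocumentBuilder_fix(HttpServletRequest request) {
 try {
-String xml_con = Tools.getRequestBody(request);
+String xml_con = WebUtils.getRequestBody(request);
 System.out.println(xml_con);
 
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -307,7 +307,7 @@ public String xxe_DocumentBuilder_fix(HttpServletRequest request) {
 @RequestMapping(value = "/DocumentBuilder_xinclude", method = RequestMethod.POST)
 public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
 try {
-String xml_con = Tools.getRequestBody(request);
+String xml_con = WebUtils.getRequestBody(request);
 System.out.println(xml_con);
 
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -343,7 +343,7 @@ public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
 @RequestMapping(value = "/DocumentBuilder_xinclude_fix", method = RequestMethod.POST)
 public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
 try {
-String xml_con = Tools.getRequestBody(request);
+String xml_con = WebUtils.getRequestBody(request);
 System.out.println(xml_con);
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
 
@@ -382,7 +382,7 @@ public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
 @PostMapping("/XMLReader/vul")
 public String XMLReaderVul(HttpServletRequest request) {
 try {
-String xml_con = Tools.getRequestBody(request);
+String xml_con = WebUtils.getRequestBody(request);
 System.out.println(xml_con);
 SAXParserFactory spf = SAXParserFactory.newInstance();
 SAXParser saxParser = spf.newSAXParser();
@@ -399,7 +399,7 @@ public String XMLReaderVul(HttpServletRequest request) {
 @PostMapping("/XMLReader/fixed")
 public String XMLReaderSec(HttpServletRequest request) {
 try {
-String xml_con = Tools.getRequestBody(request);
+String xml_con = WebUtils.getRequestBody(request);
 System.out.println(xml_con);
 SAXParserFactory spf = SAXParserFactory.newInstance();
 SAXParser saxParser = spf.newSAXParser();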

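--- a/src/main/java/org/joychou/utils/Tools.java
+++ b/src/main/java/org/joychou/util/WebUtils.java
@@ -1,10 +1,10 @@
-package org.joychou.utils;
+package org.joychou.util;
 
 import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.io.InputStream;
 
-public class Tools {
+public class WebUtils {
 
 // Get request body.
 public static String getRequestBody(HttpServletRequest request) throws IOException {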
