add command inject

JoyChou93 · JoyChou93 · commit 40cf83ba473e · 2019-07-31T21:28:43.000+08:00
diff --git a/.gitignore b/.gitignore
@@ -5,4 +5,5 @@ other-vuls/
 docker/
 poc/
 src/main/java/org/joychou/test/
-*.iml
+*.iml
+docker_jdk_build.sh
diff --git a/README.md b/README.md
@@ -13,8 +13,12 @@ Each vulnerability type code has a security vulnerability by default unless ther
 
 [Online demo](http://118.25.15.216:8080)
 
+Login username & password:
 
-
+```
+admin/admin123
+joychou/joychou123
+```
 
 
 ## Vulnerability Code
diff --git a/README_zh.md b/README_zh.md
@@ -12,6 +12,12 @@
 
 [在线Demo](http://118.25.15.216:8080)
 
+登录用户名密码：
+
+```
+admin/admin123
+joychou/joychou123
+```
 
 ## 漏洞代码
 
diff --git a/src/main/java/org/joychou/controller/CommandInject.java b/src/main/java/org/joychou/controller/CommandInject.java
@@ -0,0 +1,64 @@
+package org.joychou.controller;
+
+import org.joychou.security.SecurityUtil;
+import org.joychou.utils.Tools;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+@RestController
+public class CommandInject {
+
+    protected final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+    /**
+     * http://localhost:8080/codeinject?filepath=/tmp;pwd
+     *
+     * @param filepath filepath
+     * @return result
+     */
+    @GetMapping("/codeinject")
+    public static String codeInject(String filepath) throws IOException {
+
+        String[] cmdList = new String[]{"sh", "-c", "ls -la " + filepath};
+        ProcessBuilder builder = new ProcessBuilder(cmdList);
+        builder.redirectErrorStream(true);
+        Process process = builder.start();
+        return Tools.convertStreamToString(process.getInputStream());
+    }
+
+    /**
+     * Host Injection
+     * host: Host: hacked by joychou;curl ssrf.http.joychou.org
+     * http://localhost:8080/codeinject/host
+     *
+     */
+    @GetMapping("/codeinject/host")
+    public String codeInjectHost(HttpServletRequest request) throws IOException {
+
+        String host = request.getHeader("host");
+        logger.info(host);
+        String[] cmdList = new String[]{"sh", "-c", "curl " + host};
+        ProcessBuilder builder = new ProcessBuilder(cmdList);
+        builder.redirectErrorStream(true);
+        Process process = builder.start();
+        return Tools.convertStreamToString(process.getInputStream());
+    }
+
+    @GetMapping("/codeinject/sec")
+    public static String codeInjectSec(String filepath) throws IOException {
+        String filterFilePath = SecurityUtil.cmdFilter(filepath);
+        if (null == filterFilePath) {
+            return "Bad boy. I got u.";
+        }
+        String[] cmdList = new String[]{"sh", "-c", "ls -la " + filterFilePath};
+        ProcessBuilder builder = new ProcessBuilder(cmdList);
+        builder.redirectErrorStream(true);
+        Process process = builder.start();
+        return Tools.convertStreamToString(process.getInputStream());
+    }
+}
diff --git a/src/main/java/org/joychou/controller/SQLI.java b/src/main/java/org/joychou/controller/SQLI.java
@@ -21,7 +21,7 @@
 public class SQLI {
 
     private static String driver = "com.mysql.jdbc.Driver";
-    private static String url = "jdbc:mysql://127.0.0.1:3306/java_sec_code";
+    private static String url = "jdbc:mysql://localhost:3306/java_sec_code";
     private static String user = "root";
     private static String password = "woshishujukumima";
 
diff --git a/src/main/java/org/joychou/controller/XStreamRce.java b/src/main/java/org/joychou/controller/XStreamRce.java
@@ -22,7 +22,7 @@ public class XStreamRce {
      */
     @PostMapping("/xstream")
     public String parseXml(HttpServletRequest request) throws Exception{
-        String xml = Tools.getBody(request);
+        String xml = Tools.getRequestBody(request);
         XStream xstream = new XStream(new DomDriver());
         xstream.fromXML(xml);
         return "xstream";
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
@@ -34,7 +34,7 @@ public class XXE {
     @RequestMapping(value = "/xmlReader", method = RequestMethod.POST)
     public String xxe_xmlReader(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
             XMLReader xmlReader = XMLReaderFactory.createXMLReader();
             xmlReader.parse( new InputSource(new StringReader(xml_con)) );  // parse xml
@@ -49,7 +49,7 @@ public String xxe_xmlReader(HttpServletRequest request) {
     @RequestMapping(value = "/xmlReader_fix", method = RequestMethod.POST)
     public  String xxe_xmlReader_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             XMLReader xmlReader = XMLReaderFactory.createXMLReader();
@@ -71,7 +71,7 @@ public  String xxe_xmlReader_fix(HttpServletRequest request) {
     @RequestMapping(value = "/SAXBuilder", method = RequestMethod.POST)
     public  String xxe_SAXBuilder(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXBuilder builder = new SAXBuilder();
@@ -86,7 +86,7 @@ public  String xxe_SAXBuilder(HttpServletRequest request) {
     @RequestMapping(value = "/SAXBuilder_fix", method = RequestMethod.POST)
     public  String xxe_SAXBuilder_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXBuilder builder = new SAXBuilder();
@@ -104,7 +104,7 @@ public  String xxe_SAXBuilder_fix(HttpServletRequest request) {
     @RequestMapping(value = "/SAXReader", method = RequestMethod.POST)
     public  String xxe_SAXReader(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXReader reader = new SAXReader();
@@ -120,7 +120,7 @@ public  String xxe_SAXReader(HttpServletRequest request) {
     @RequestMapping(value = "/SAXReader_fix", method = RequestMethod.POST)
     public  String xxe_SAXReader_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXReader reader = new SAXReader();
@@ -139,7 +139,7 @@ public  String xxe_SAXReader_fix(HttpServletRequest request) {
     @RequestMapping(value = "/SAXParser", method = RequestMethod.POST)
     public String xxe_SAXParser(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXParserFactory spf = SAXParserFactory.newInstance();
@@ -157,7 +157,7 @@ public String xxe_SAXParser(HttpServletRequest request) {
     @RequestMapping(value = "/SAXParser_fix", method = RequestMethod.POST)
     public String xxe_SAXParser_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXParserFactory spf = SAXParserFactory.newInstance();
@@ -177,7 +177,7 @@ public String xxe_SAXParser_fix(HttpServletRequest request) {
     @RequestMapping(value = "/Digester", method = RequestMethod.POST)
     public String xxe_Digester(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             Digester digester = new Digester();
@@ -193,7 +193,7 @@ public String xxe_Digester(HttpServletRequest request) {
     @RequestMapping(value = "/Digester_fix", method = RequestMethod.POST)
     public String xxe_Digester_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             Digester digester = new Digester();
@@ -214,7 +214,7 @@ public String xxe_Digester_fix(HttpServletRequest request) {
     @RequestMapping(value = "/DocumentBuilder_return", method = RequestMethod.POST)
     public String xxeDocumentBuilderReturn(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -247,7 +247,7 @@ public String xxeDocumentBuilderReturn(HttpServletRequest request) {
     @RequestMapping(value = "/DocumentBuilder", method = RequestMethod.POST)
     public String DocumentBuilder(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -283,7 +283,7 @@ public String DocumentBuilder(HttpServletRequest request) {
     @RequestMapping(value = "/DocumentBuilder_fix", method = RequestMethod.POST)
     public String xxe_DocumentBuilder_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -307,7 +307,7 @@ public String xxe_DocumentBuilder_fix(HttpServletRequest request) {
     @RequestMapping(value = "/DocumentBuilder_xinclude", method = RequestMethod.POST)
     public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -343,7 +343,7 @@ public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
     @RequestMapping(value = "/DocumentBuilder_xinclude_fix", method = RequestMethod.POST)
     public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
 
@@ -382,7 +382,7 @@ public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
     @PostMapping("/XMLReader/vul")
     public String XMLReaderVul(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
             SAXParserFactory spf = SAXParserFactory.newInstance();
             SAXParser saxParser = spf.newSAXParser();
@@ -399,7 +399,7 @@ public String XMLReaderVul(HttpServletRequest request) {
     @PostMapping("/XMLReader/fixed")
     public String XMLReaderSec(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
             SAXParserFactory spf = SAXParserFactory.newInstance();
             SAXParser saxParser = spf.newSAXParser();
@@ -415,4 +415,4 @@ public String XMLReaderSec(HttpServletRequest request) {
         }
     }
 
-}
+}
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONP.java b/src/main/java/org/joychou/controller/jsonp/JSONP.java
@@ -6,7 +6,6 @@
 import org.joychou.security.SecurityUtil;
 import org.springframework.http.MediaType;
 import org.springframework.security.web.csrf.CsrfToken;
-import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.*;
 
 import javax.servlet.http.HttpServletRequest;
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -6,9 +6,12 @@
 import java.io.UnsupportedEncodingException;
 import java.net.URI;
 import java.net.URLDecoder;
+import java.util.regex.Pattern;
 
 public class SecurityUtil {
 
+    private static final Pattern FILTER_PATTERN = Pattern.compile("^[a-zA-Z0-9_/\\.-]+$") ;
+
     protected static Logger logger = LoggerFactory.getLogger(SecurityUtil.class);
     /**
      * 通过endsWith判断URL是否合法
@@ -106,4 +109,13 @@ public static String pathFilter(String filepath) {
 
         return filepath;
     }
+
+
+    public static String cmdFilter(String input) {
+        if (!FILTER_PATTERN.matcher(input).matches()) {
+            return null;
+        }
+
+        return input;
+    }
 }
diff --git a/src/main/java/org/joychou/utils/Tools.java b/src/main/java/org/joychou/utils/Tools.java
@@ -1,29 +1,20 @@
 package org.joychou.utils;
 
 import javax.servlet.http.HttpServletRequest;
-import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.InputStreamReader;
 
 public class Tools {
 
-    // get body
-    public static String getBody(HttpServletRequest request) throws IOException {
+    // Get request body.
+    public static String getRequestBody(HttpServletRequest request) throws IOException {
         InputStream in = request.getInputStream();
-        BufferedReader br = new BufferedReader(new InputStreamReader(in));
-        StringBuffer sb = new StringBuffer("");
-        String temp;
-        while ((temp = br.readLine()) != null) {
-            sb.append(temp);
-        }
-        if (in != null) {
-            in.close();
-        }
-        if (br != null) {
-            br.close();
-        }
-        return sb.toString();
+        return convertStreamToString(in);
     }
 
+    // https://stackoverflow.com/questions/309424/how-do-i-read-convert-an-inputstream-into-a-string-in-java
+    public static String convertStreamToString(java.io.InputStream is) {
+        java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");
+        return s.hasNext() ? s.next() : "";
+    }
 }
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
@@ -1,5 +1,5 @@
 
-spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code?useUnicode=true&characterEncoding=utf8&AllowPublicKeyRetrieval=true&useSSL=false&serverTimezone=GMT%2B8
+spring.datasource.url=jdbc:mysql://localhost:3306/java_sec_code?AllowPublicKeyRetrieval=true&useSSL=false
 spring.datasource.username=root
 spring.datasource.password=woshishujukumima
 spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
@@ -7,6 +7,15 @@
 <body>
     <p>Hello <span th:text="${user}"></span>.</p>
     <p>Welcome to login java-sec-code application. <a th:href="@{/appInfo}">Application Infomation</a></p>
+    <p>
+        <a th:href="@{/codeinject?filepath=/tmp;pwd}">CmdInject</a>&nbsp;&nbsp;
+        <a th:href="@{/jsonp/getToken?_callback=test}">JSONP</a>&nbsp;&nbsp;
+        <a th:href="@{/path_traversal/vul?filepath=../../../../../etc/passwd}">PathTraversal</a>&nbsp;&nbsp;
+        <a th:href="@{/sqli/jdbc/vul?username=joychou}">SqlInject</a>&nbsp;&nbsp;
+        <a th:href="@{/ssrf/urlConnection?url=file:///etc/passwd}">SSRF</a>&nbsp;&nbsp;
+        <a th:href="@{/rce/exec?cmd=whoami}">RCE</a>
+    </p>
+    <p>...</p>
     <a th:href="@{/logout}">logout</a>
 </body>
 </html>
