
Commit 27df4d1

committed
update readme
1 parent 39f07ff commit 27df4d1


4 files changed

+12
-9
lines changed


README.md

Lines changed: 4 additions & 3 deletions
@@ -36,6 +36,7 @@ Sort by letter.
3636
- [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
3737
- [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
3838
- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/jsonp/JSONP.java)
39+
- [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
3940
- [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
4041
- [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
4142
- [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
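Review bot: the new entry at line 39 is labelled with the Java class name "ooxmlXXE", while its neighbours use readable names ("Java RMI", "URL Redirect") and the wiki entry this same commit adds further down is titled "POI-OOXML XXE". Label the code link "POI-OOXML XXE" (or "ooxml XXE", as index.html calls it) so a reader can pair the source link with its wiki page. The position itself is correct for a case-insensitive "Sort by letter" list (JSONP < ooxmlXXE < PathTraversal).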
@@ -44,11 +45,10 @@ Sort by letter.
4445
- [SSTI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSTI.java)
4546
- [URL Redirect](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java)
4647
- [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)
48+
- [xlsxStreamerXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java)
4749
- [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
4850
- [XStream](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XStreamRce.java)
4951
- [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
50-
- [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
51-
- [xlsxStreamerXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java)
5252

5353

5454

@@ -61,6 +61,7 @@ Sort by letter.
6161
- [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)
6262
- [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI)
6363
- [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
64+
- [POI-OOXML XXE](https://github.com/JoyChou93/java-sec-code/wiki/Poi-ooxml-XXE)
6465
- [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
6566
- [SSRF](https://github.com/JoyChou93/java-sec-code/wiki/SSRF)
6667
- [SSTI](https://github.com/JoyChou93/java-sec-code/wiki/SSTI)
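Review bot: only POI-OOXML XXE gets an explanation entry here; the xlsxStreamerXXE controller linked above at line 48 has no matching wiki link in this list. Either add a wiki entry for it or state on the Poi-ooxml-XXE page that it covers both the /ooxml/upload and xlsx-streamer cases, so neither XXE sample is left undocumented.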
@@ -189,7 +190,7 @@ Tomcat's default JSESSION session is valid for 30 minutes, so a 30-minute non-op
189190
## Contributors
190191

191192
Core developers : [JoyChou](https://github.com/JoyChou93).
192-
Other developers: [lightless](https://github.com/lightless233), [Anemone95](https://github.com/Anemone95).
193+
Other developers: [lightless](https://github.com/lightless233), [Anemone95](https://github.com/Anemone95), [waderwu](https://github.com/waderwu).
193194

194195

195196
## Donate

README_zh.md

Lines changed: 3 additions & 3 deletions
@@ -32,6 +32,7 @@ joychou/joychou123
3232
- [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
3333
- [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
3434
- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/jsonp/JSONP.java)
35+
- [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
3536
- [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
3637
- [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
3738
- [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
@@ -40,12 +41,10 @@ joychou/joychou123
4041
- [SSTI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSTI.java)
4142
- [URL Redirect](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java)
4243
- [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)
44+
- [xlsxStreamerXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java)
4345
- [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
4446
- [XStream](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XStreamRce.java)
4547
- [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
46-
- [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
47-
- [xlsxStreamerXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java)
48-
4948

5049

5150
## 漏洞说明
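Review bot: this hunk also drops the blank line at old line 48, leaving two blank lines before the next heading, while the equivalent README.md hunk keeps three (old lines 52-54). Pick one spacing for both READMEs; the two files are otherwise kept in lockstep by this commit.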
@@ -57,6 +56,7 @@ joychou/joychou123
5756
- [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)
5857
- [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI)
5958
- [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
59+
- [POI-OOXML XXE](https://github.com/JoyChou93/java-sec-code/wiki/Poi-ooxml-XXE)
6060
- [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
6161
- [SSRF](https://github.com/JoyChou93/java-sec-code/wiki/SSRF)
6262
- [SSTI](https://github.com/JoyChou93/java-sec-code/wiki/SSTI)
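Review bot: same gap as in README.md: the xlsxStreamerXXE entry listed above at line 44 has no wiki link in this section, only POI-OOXML XXE does. Whatever is done in README.md should be mirrored here so the two READMEs stay in sync.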

src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java

Lines changed: 2 additions & 2 deletions
@@ -20,10 +20,10 @@
2020

2121
/**
2222
* Desc: poi-ooxml xxe vuln code
23-
* Usage: [Content_Type].xml
23+
* Usage: [Content_Type].xml http://localhost:8080/ooxml/upload
2424
* Ref: https://www.itread01.com/hkpcyyp.html
2525
* Fix: Update poi-ooxml to 3.15 or above.
26-
* Vuln: 3.10 or below exist xxe vuln. 3.14 or above exist dos vuln. So 3.15 or above is safe version.
26+
* Vuln: 3.10 or below exist xxe vuln. 3.14 or below exist dos vuln. So 3.15 or above is safe version.
2727
*
2828
* @author JoyChou @2019-09-05
2929
*/
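Review bot: line 23 still misspells the OOXML part name. The file at the root of a .docx/.xlsx package is `[Content_Types].xml` (plural), and the new text reads as two unrelated tokens; suggest ` * Usage: upload an OOXML file whose [Content_Types].xml carries the external entity to http://localhost:8080/ooxml/upload`. The "above" to "below" fix on line 26 makes the version ranges consistent with "3.15 or above is safe version", but the sentence is still broken English; ` * Vuln: 3.10 or below: XXE. 3.14 or below: DoS. First version without either issue: 3.15.` states the same thing clearly. Note also that the commit message "update readme" does not mention this Javadoc correction.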

src/main/resources/templates/index.html

Lines changed: 3 additions & 1 deletion
@@ -13,7 +13,9 @@
1313
<a th:href="@{/path_traversal/vul?filepath=../../../../../etc/passwd}">PathTraversal</a>&nbsp;&nbsp;
1414
<a th:href="@{/sqli/jdbc/vul?username=joychou}">SqlInject</a>&nbsp;&nbsp;
1515
<a th:href="@{/ssrf/urlConnection?url=file:///etc/passwd}">SSRF</a>&nbsp;&nbsp;
16-
<a th:href="@{/rce/exec?cmd=whoami}">RCE</a>
16+
<a th:href="@{/rce/exec?cmd=whoami}">RCE</a>&nbsp;&nbsp;
17+
<a th:href="@{/ooxml/upload}">ooxml XXE</a>&nbsp;&nbsp;
18+
<a th:href="@{/xlsx-streamer/upload}">xlsx-streamer XXE</a>
1719
</p>
1820
<p>...</p>
1921
<a th:href="@{/logout}">logout</a>
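Review bot: unlike the neighbouring links, which carry a ready payload in the query string (`?cmd=whoami`, `?url=file:///etc/passwd`), the two new links at lines 17-18 point at bare upload routes, so a reader clicking them learns nothing about what to upload; add a title attribute or link text such as "ooxml XXE (upload an .xlsx whose [Content_Types].xml declares an external entity)", matching the Usage line in ooxmlXXE.java. Also confirm that GET /ooxml/upload and GET /xlsx-streamer/upload serve an upload form rather than only accepting POST, otherwise the links answer 405 from the index page.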
