Add XXE

Author: JoyChou93

docker-compose.yml

@@ -1,9 +1,11 @@
-version : '2'
+version : '3'
 services:
     jsc:
         image: joychou/jsc:latest
+        command: ["java", "-Xdebug", "-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=0.0.0.0:8000", "-jar", "jsc.jar"]
         ports:
             - "8080:8080"
+            - "8000:8000"
         links:
             - j_mysql
 

java-sec-code.iml

@@ -38,13 +38,13 @@
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-logging:1.5.1.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: ch.qos.logback:logback-classic:1.1.9" level="project" />
     <orderEntry type="library" name="Maven: ch.qos.logback:logback-core:1.1.9" level="project" />
-    <orderEntry type="library" name="Maven: org.slf4j:jcl-over-slf4j:1.7.22" level="project" />
     <orderEntry type="library" name="Maven: org.slf4j:jul-to-slf4j:1.7.22" level="project" />
     <orderEntry type="library" name="Maven: org.slf4j:log4j-over-slf4j:1.7.22" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-tomcat:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-core:8.5.11" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-el:8.5.11" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-websocket:8.5.11" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-core:8.5.85" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-annotations-api:8.5.85" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-el:8.5.85" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-websocket:8.5.85" level="project" />
     <orderEntry type="library" name="Maven: org.hibernate:hibernate-validator:5.3.4.Final" level="project" />
     <orderEntry type="library" name="Maven: javax.validation:validation-api:1.1.0.Final" level="project" />
     <orderEntry type="library" name="Maven: org.jboss.logging:jboss-logging:3.3.0.Final" level="project" />
@@ -127,7 +127,7 @@
     <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject.extensions:guice-multibindings:4.0" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject.extensions:guice-grapher:4.0" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject.extensions:guice-assistedinject:4.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: org.ow2.asm:asm:5.0.4" level="project" />
+    <orderEntry type="library" name="Maven: org.ow2.asm:asm:5.0.4" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: org.codehaus.woodstox:woodstox-core-asl:4.4.1" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: javax.xml.stream:stax-api:1.0-2" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: org.codehaus.woodstox:stax2-api:3.1.4" level="project" />
@@ -170,8 +170,8 @@
     <orderEntry type="library" name="Maven: commons-httpclient:commons-httpclient:3.1" level="project" />
     <orderEntry type="library" name="Maven: org.mybatis.spring.boot:mybatis-spring-boot-starter:1.3.2" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-jdbc:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-jdbc:8.5.11" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-juli:8.5.11" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-jdbc:8.5.85" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-juli:8.5.85" level="project" />
     <orderEntry type="library" name="Maven: org.springframework:spring-jdbc:4.3.6.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.springframework:spring-tx:4.3.6.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.mybatis.spring.boot:mybatis-spring-boot-autoconfigure:1.3.2" level="project" />
@@ -222,5 +222,11 @@
     <orderEntry type="library" name="Maven: com.auth0:java-jwt:4.0.0" level="project" />
     <orderEntry type="library" name="Maven: cn.hutool:hutool-all:5.8.10" level="project" />
     <orderEntry type="library" name="Maven: org.javassist:javassist:3.27.0-GA" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.data:spring-data-commons:1.13.11.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.slf4j:jcl-over-slf4j:1.7.22" level="project" />
+    <orderEntry type="library" name="Maven: com.jayway.jsonpath:json-path:2.2.0" level="project" />
+    <orderEntry type="library" name="Maven: net.minidev:json-smart:2.2.1" level="project" />
+    <orderEntry type="library" name="Maven: net.minidev:accessors-smart:1.1" level="project" />
+    <orderEntry type="library" name="Maven: org.xmlbeam:xmlprojector:1.4.13" level="project" />
   </component>
 </module>

pom.xml

@@ -12,6 +12,7 @@
     <properties>
         <maven.compiler.source>1.8</maven.compiler.source> <!-- mvn clean package-->
         <maven.compiler.target>1.8</maven.compiler.target>
+        <tomcat.version>8.5.85</tomcat.version>
     </properties>
 
 
@@ -312,6 +313,23 @@
             <version>3.27.0-GA</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.springframework.data</groupId>
+            <artifactId>spring-data-commons</artifactId>
+            <version>1.13.11.RELEASE</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.jayway.jsonpath</groupId>
+            <artifactId>json-path</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.xmlbeam</groupId>
+            <artifactId>xmlprojector</artifactId>
+            <version>1.4.13</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>

src/main/java/org/joychou/controller/URLWhiteList.java

@@ -6,7 +6,8 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.*;
 
-import java.net.MalformedURLException;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
 import java.net.URL;
 import java.util.ArrayList;
 import java.util.regex.Matcher;
@@ -86,20 +87,21 @@ public String regex(@RequestParam("url") String url) {
 
 
     /**
-     * The bypass of using <code>java.net.URL</code> to getHost.
+     * The bypass of using {@link java.net.URL} to getHost.
      * <p>
-     * Bypass poc1: curl -v 'http://localhost:8080/url/vuln/url_bypass?url=http://evel.com%[email protected]/a.html'
-     * Bypass poc2: curl -v 'http://localhost:8080/url/vuln/url_bypass?url=http://evil.com%5cwww.joychou.org/a.html'
+     * <a href="http://localhost:8080/url/vuln/url_bypass?url=http://evil.com%[email protected]/a.html">bypass 1</a>
+     * <a href="http://localhost:8080/url/vuln/url_bypass?url=http://evil.com%5cwww.joychou.org/a.html">bypass 2</a>
+     *
      * <p>
-     * More details: https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass
+     * <a href="https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass">More details</a>
      */
     @GetMapping("/vuln/url_bypass")
-    public String url_bypass(String url) throws MalformedURLException {
+    public void url_bypass(String url, HttpServletResponse res) throws IOException {
 
         logger.info("url:  " + url);
 
         if (!SecurityUtil.isHttp(url)) {
-            return "Url is not http or https";
+            return;
         }
 
         URL u = new URL(url);
@@ -109,11 +111,10 @@ public String url_bypass(String url) throws MalformedURLException {
         // endsWith .
         for (String domain : domainwhitelist) {
             if (host.endsWith("." + domain)) {
-                return "Good url.";
+                res.sendRedirect(url);
             }
         }
 
-        return "Bad url.";
     }
 
 

src/main/java/org/joychou/controller/XXE.java

@@ -4,6 +4,9 @@
 import org.dom4j.io.SAXReader;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.data.web.ProjectedPayload;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.*;
 
 import javax.servlet.http.HttpServletRequest;
@@ -27,6 +30,7 @@
 import org.apache.commons.digester3.Digester;
 import org.jdom2.input.SAXBuilder;
 import org.joychou.util.WebUtils;
+import org.xmlbeam.annotation.XBRead;
 
 /**
  * Java xxe vuln and security code.
@@ -38,8 +42,8 @@
 @RequestMapping("/xxe")
 public class XXE {
 
-    private static Logger logger = LoggerFactory.getLogger(XXE.class);
-    private static String EXCEPT = "xxe except";
+    private static final Logger logger = LoggerFactory.getLogger(XXE.class);
+    private static final String EXCEPT = "xxe except";
 
     @PostMapping("/xmlReader/vuln")
     public String xmlReaderVuln(HttpServletRequest request) {
@@ -226,16 +230,15 @@ public String DigesterSec(HttpServletRequest request) {
     }
 
 
-    // 有回显
-    @RequestMapping(value = "/DocumentBuilder/vuln01", method = RequestMethod.POST)
+    /**
+     * Use request.getInputStream to support UTF16 encoding.
+     */
+    @RequestMapping(value = "/DocumentBuilder/vuln", method = RequestMethod.POST)
     public String DocumentBuilderVuln01(HttpServletRequest request) {
         try {
-            String body = WebUtils.getRequestBody(request);
-            logger.info(body);
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             DocumentBuilder db = dbf.newDocumentBuilder();
-            StringReader sr = new StringReader(body);
-            InputSource is = new InputSource(sr);
+            InputSource is = new InputSource(request.getInputStream());
             Document document = db.parse(is);  // parse xml
 
             // 遍历xml节点name和value
@@ -249,7 +252,6 @@ public String DocumentBuilderVuln01(HttpServletRequest request) {
                     buf.append(String.format("%s: %s\n", node.getNodeName(), node.getTextContent()));
                 }
             }
-            sr.close();
             return buf.toString();
         } catch (Exception e) {
             e.printStackTrace();
@@ -258,43 +260,6 @@ public String DocumentBuilderVuln01(HttpServletRequest request) {
         }
     }
 
-
-    // 有回显
-    @RequestMapping(value = "/DocumentBuilder/vuln02", method = RequestMethod.POST)
-    public String DocumentBuilderVuln02(HttpServletRequest request) {
-        try {
-            String body = WebUtils.getRequestBody(request);
-            logger.info(body);
-
-            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-            DocumentBuilder db = dbf.newDocumentBuilder();
-            StringReader sr = new StringReader(body);
-            InputSource is = new InputSource(sr);
-            Document document = db.parse(is);  // parse xml
-
-            // 遍历xml节点name和value
-            StringBuilder result = new StringBuilder();
-            NodeList rootNodeList = document.getChildNodes();
-            for (int i = 0; i < rootNodeList.getLength(); i++) {
-                Node rootNode = rootNodeList.item(i);
-                NodeList child = rootNode.getChildNodes();
-                for (int j = 0; j < child.getLength(); j++) {
-                    Node node = child.item(j);
-                    // 正常解析XML，需要判断是否是ELEMENT_NODE类型。否则会出现多余的的节点。
-                    if (child.item(j).getNodeType() == Node.ELEMENT_NODE) {
-                        result.append(String.format("%s: %s\n", node.getNodeName(), node.getFirstChild()));
-                    }
-                }
-            }
-            sr.close();
-            return result.toString();
-        } catch (Exception e) {
-            logger.error(e.toString());
-            return EXCEPT;
-        }
-    }
-
-
     @RequestMapping(value = "/DocumentBuilder/Sec", method = RequestMethod.POST)
     public String DocumentBuilderSec(HttpServletRequest request) {
         try {
@@ -447,6 +412,31 @@ private static void response(NodeList rootNodeList){
         }
     }
 
+        /**
+         * Receiving POST requests supporting both JSON and XML.
+         * CVE-2018-1259
+         */
+        @PostMapping(value = "/xmlbeam/vuln")
+        HttpEntity<String> post(@RequestBody UserPayload user) {
+            try {
+                logger.info(user.toString());
+                return ResponseEntity.ok(String.format("hello, %s!", user.getUserName()));
+            }catch (Exception e){
+                e.printStackTrace();
+                return ResponseEntity.ok("error");
+            }
+        }
+
+        /**
+         * The projection interface using XPath and JSON Path expression to selectively pick elements from the payload.
+         */
+        @ProjectedPayload
+        public interface UserPayload {
+            @XBRead("//userName")
+            String getUserName();
+        }
+
+
     public static void main(String[] args)  {
     }
 

src/main/java/org/joychou/security/ssrf/SSRFChecker.java

@@ -157,7 +157,6 @@ public static boolean isInternalIp(String strIP) {
      * <p>Normal:</p>
      * <ul>
      *    <li>69299689 to 10.23.78.233</li>
-     *    <li>69299689 to 10.23.78.233 </li>
      *    <li>012.0x17.78.233 to 10.23.78.233 </li>
      *    <li>012.027.0116.0351 to 10.23.78.233</li>
      *    <li>127.0.0.1.xip.io to 127.0.0.1</li>
@@ -166,8 +165,10 @@ public static boolean isInternalIp(String strIP) {
 
      * <p>Bypass: </p>
      * <ul>
-     *     <li>01205647351 to 71.220.183.247, actually 10.23.78.233</li>
-     *     <li>012.23.78.233 to 12.23.78.233, actually 10.23.78.233</li>
+     *     <li>01205647351 {@link InetAddress#getHostAddress()} result is 71.220.183.247, actually 10.23.78.233</li>
+     *     <li>012.23.78.233 {@link InetAddress#getHostAddress()} result is 12.23.78.233, actually 10.23.78.233</li>
+     *     <li>012.23.233 {@link InetAddress#getHostAddress()} result is  12.23.0.233, actually 10.23.0.233</li>
+     *     <li>012.233 {@link InetAddress#getHostAddress()} result is 12.0.0.233, actually 10.0.0.233</li>
      * </ul>
      * @return decimal ip
      */
@@ -177,13 +178,14 @@ public static String host2ip(String host) {
             return "";
         }
 
-        // convert octal to decimal
+         // convert octal to decimal
          if(isOctalIP(host)) {
              host = decimalIp;
          }
 
         try {
-            InetAddress IpAddress = InetAddress.getByName(host); //  send dns request
+            // send dns request
+            InetAddress IpAddress = InetAddress.getByName(host);
             return IpAddress.getHostAddress();
         } catch (Exception e) {
             return "";
@@ -203,30 +205,31 @@ public static boolean isOctalIP(String host) {
         // Octal ip only has number and dot character.
         if (isNumberOrDot(host)) {
 
-            if (ipParts.length != 1 && ipParts.length != 4) {
-                return false;
+            // not support ipv6
+            if (ipParts.length > 4) {
+                throw new SSRFException("Illegal ipv4: " + host);
             }
 
-            // 000000001205647351
+            // 01205647351
             if( ipParts.length == 1 && host.startsWith("0") ) {
                 decimalIp = Integer.valueOf(host, 8).toString();
                 return true;
             }
 
-            // 0000012.23.78.233
+            // 012.23.78.233
             for(String ip : ipParts) {
                 if (!isNumber(ip)){
-                    throw new SSRFException("Illegal host: " + host + ".");
+                    throw new SSRFException("Illegal ipv4: " + host);
                 }
                 if (ip.startsWith("0")) {
                     if (Integer.valueOf(ip, 8) >= 256){
-                        throw new SSRFException("Illegal host: " + host + ".\t" + ip + " is above 255.");
+                        throw new SSRFException("Illegal ipv4: " + host);
                     }
                     newDecimalIP.append(Integer.valueOf(ip, 8)).append(".");
                     is_octal = true;
                 }else{
                     if (Integer.valueOf(ip, 10) >= 256) {
-                        throw new SSRFException("Illegal host: " + host + ".\t" + ip + " is above 255.");
+                        throw new SSRFException("Illegal ipv4: " + host);
                     }
                     newDecimalIP.append(ip).append(".");
                 }
@@ -246,7 +249,7 @@ private static boolean isNumber(String str) {
         }
         for (int i = 0; i < str.length(); i++) {
             char ch = str.charAt(i);
-            if (ch < 48 || ch > 57) {
+            if (ch < '0' || ch > '9') {
                 return false;
             }
         }
@@ -261,7 +264,7 @@ private static boolean isNumber(String str) {
     private static boolean isNumberOrDot(String s) {
         for (int i = 0; i < s.length(); i++) {
             char ch = s.charAt(i);
-            if ((ch < 48 || ch > 57) && ch != 46){
+            if ((ch < '0' || ch > '9') && ch != '.'){
                 return false;
             }
         }

src/main/java/org/joychou/util/HttpUtils.java

@@ -94,7 +94,6 @@ public static String URLConnection(String url) {
             URL u = new URL(url);
             URLConnection urlConnection = u.openConnection();
             BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream())); //send request
-            // BufferedReader in = new BufferedReader(new InputStreamReader(u.openConnection().getInputStream()));
             String inputLine;
             StringBuilder html = new StringBuilder();