Skip to content

Dev fix #96

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 115 commits into
base: dev
Choose a base branch
from
Open

Dev fix #96

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
115 commits
Select commit Hold shift + click to select a range
4cffffd
fix cors sec code
JoyChou93 Oct 25, 2018
571e0c3
bug fix
JoyChou93 Oct 26, 2018
e35f30e
add url whitelist vul code
JoyChou93 Oct 31, 2018
ea9ad0e
udpate cors
JoyChou93 Nov 22, 2018
76da576
update cors
JoyChou93 Nov 25, 2018
ca00956
update readme
JoyChou93 Nov 25, 2018
2f6c3cf
add spel, fixes #5
JoyChou93 Jan 17, 2019
56d5ba1
update readme
JoyChou93 Jan 17, 2019
48e347c
add emptyReferer of jsonp
JoyChou93 Jan 28, 2019
674f2f1
适配在IDEA中右键直接运行应用
JoyChou93 Feb 26, 2019
453e194
add jar configure
JoyChou93 Feb 27, 2019
d1963da
Actuators to RCE
JoyChou93 Mar 4, 2019
af76c38
update readme
JoyChou93 Mar 4, 2019
4c21c97
bypass using URL class to getHost
JoyChou93 Mar 6, 2019
3cd29c1
fix bug
JoyChou93 Mar 6, 2019
d1b3d6b
update jsonp
JoyChou93 Apr 9, 2019
5b60e15
add upload file only picture
JoyChou93 Apr 23, 2019
590891b
add csrf
JoyChou93 May 31, 2019
dd3792d
update readme
JoyChou93 May 31, 2019
72a54fa
add csrf whitelist uri and req method
JoyChou93 May 31, 2019
2e542b6
update readme
JoyChou93 May 31, 2019
4a02175
update csrf allowedMethods code
JoyChou93 May 31, 2019
9bed870
csrf in upload file html
JoyChou93 Jun 5, 2019
86d2551
diy csrf error code
JoyChou93 Jun 10, 2019
f0cb9a4
add filter to check referer
JoyChou93 Jun 18, 2019
0746f9d
redirect 403 forbidden page
JoyChou93 Jun 19, 2019
10e0345
add ssrf checker
JoyChou93 Jun 21, 2019
2e91353
update readme
JoyChou93 Jun 21, 2019
a605b1e
update readme
JoyChou93 Jun 21, 2019
edfc1fc
udpate readme
JoyChou93 Jun 21, 2019
12ab307
update readme
JoyChou93 Jun 21, 2019
0e4f22e
Add httpclient SSRF vul code
JoyChou93 Jun 25, 2019
85ca363
update readme
JoyChou93 Jun 28, 2019
6844b0a
add configure code of json to jsonp
JoyChou93 Jul 3, 2019
f37f9b2
add csrf switch
JoyChou93 Jul 3, 2019
d330c45
fix bug
JoyChou93 Jul 3, 2019
f24df6f
add json to jsonp
JoyChou93 Jul 8, 2019
cc94639
add mybatis sql
JoyChou93 Jul 17, 2019
839f532
Add ssti & resolveClass blacklist
JoyChou93 Jul 19, 2019
cc99e47
udpate readme
JoyChou93 Jul 19, 2019
31f5170
add deserialize
JoyChou93 Jul 20, 2019
0a9c978
update readme
JoyChou93 Jul 20, 2019
4763a3a
update readme
JoyChou93 Jul 20, 2019
8a9977d
add auth
JoyChou93 Jul 21, 2019
3e06b52
add index html page
JoyChou93 Jul 22, 2019
a2a5eee
update mybatis readme
JoyChou93 Jul 22, 2019
720da39
add pathTraversal
JoyChou93 Jul 23, 2019
179f45e
update readme
JoyChou93 Jul 23, 2019
6b8b1d1
closes #6
JoyChou93 Jul 24, 2019
a169c10
update readme
JoyChou93 Jul 24, 2019
a0e66f2
update readme
JoyChou93 Jul 24, 2019
467b74f
add docker env & add xtream rce vuln
JoyChou93 Jul 29, 2019
0a9f1ec
update readme
JoyChou93 Jul 29, 2019
ea74d17
add a xxe sink code
JoyChou93 Jul 30, 2019
40cf83b
add command inject
JoyChou93 Jul 31, 2019
301ffa6
update readme
JoyChou93 Jul 31, 2019
1f57fae
fix bug 0.0.0.0 can bypass SSRFChecker
waderwu Sep 3, 2019
1e991c1
Merge remote-tracking branch 'upstream/master'
waderwu Sep 3, 2019
40d64c1
Merge pull request #7 from waderwu/master
JoyChou93 Sep 4, 2019
1cd9a71
add xxe
JoyChou93 Sep 4, 2019
0ece942
Merge pull request #8 from JoyChou93/dev01
JoyChou93 Sep 4, 2019
39f07ff
update readme
JoyChou93 Sep 4, 2019
27df4d1
update readme
JoyChou93 Sep 5, 2019
562b956
add a jsonp case
JoyChou93 Sep 12, 2019
d0ece30
update deserialize getcookie method
JoyChou93 Sep 16, 2019
59a72ef
19/10/15 add more xss&sql vuln code
Anemone95 Oct 15, 2019
da5ea84
19/10/15 rm unuseful code
Anemone95 Oct 15, 2019
05ae55e
Merge pull request #9 from Anemone95/master
JoyChou93 Oct 24, 2019
9821216
add xxe return back filecontent
JoyChou93 Nov 2, 2019
22f0ecd
add cors security code
JoyChou93 Dec 9, 2019
6ae0527
add filter cors fix code
JoyChou93 Dec 19, 2019
85eb3b9
update cors security code
JoyChou93 Dec 26, 2019
9dd930e
update some bugs
JoyChou93 Jan 17, 2020
7b187f2
Add XXE & SSRF Vuln Code
JoyChou93 Feb 14, 2020
0d99385
update mybatis sql injection
JoyChou93 Mar 25, 2020
db6bff2
Bug fix.The method of fix ssrf can cause dos.
JoyChou93 Mar 26, 2020
fc1be1b
Add bean to parse safedomain
JoyChou93 Mar 27, 2020
89cb9d8
fix #13
JoyChou93 Mar 31, 2020
039d0f1
bug fix
JoyChou93 Mar 31, 2020
33748f3
bug fix
JoyChou93 Apr 3, 2020
fa48bad
增加socket hook模块 实现socket层拦截SSRF
liergou9981 Apr 3, 2020
d170c8f
Merge pull request #15 from liergou9981/master
JoyChou93 Apr 4, 2020
335bfef
fix hook socket's bug
JoyChou93 Apr 4, 2020
2aa0b91
bug fix
JoyChou93 Apr 6, 2020
f296f0d
add swagger-ui & ssrf of httpsyncclient
JoyChou93 Apr 10, 2020
ab69c0b
bug fix
JoyChou93 Aug 3, 2020
30dd98b
fixes #23
JoyChou93 Aug 3, 2020
37925a8
add fastjsonp
JoyChou93 Feb 5, 2021
bb94a99
fixes #31
JoyChou93 Feb 25, 2021
1f9da36
add rce
JoyChou93 Mar 26, 2021
ed28104
add log4j
JoyChou93 Mar 31, 2022
707d395
add jwt
JoyChou93 Sep 21, 2022
e4190d6
Add RestTemplate SSRF
JoyChou93 Oct 21, 2022
9acefb2
add jwt
JoyChou93 Nov 21, 2022
da04ccc
add CVE-2022-22978
JoyChou93 Jan 16, 2023
9d66a88
add alibaba security purple team recruitment
JoyChou93 Jan 17, 2023
c3c41b4
fix #25
JoyChou93 Feb 23, 2023
621c300
Add XXE
JoyChou93 Mar 15, 2023
cab74a4
fix #70
JoyChou93 Mar 24, 2023
4ede83a
add jdbc & actuator ak_secret
JoyChou93 Apr 28, 2023
0c253ad
Update index.html
wzqs May 24, 2023
8604af5
Merge pull request #76 from wzqs/patch-1
JoyChou93 Jun 7, 2023
920bd93
fix #78
Dec 27, 2023
7bf927a
Merge remote-tracking branch 'origin/master'
Dec 27, 2023
457d703
Add qlexpress and some test cases.
Dec 28, 2023
1d06b16
Add alibaba recruitment.
Jun 28, 2024
4711f4e
Add alibaba recruitment.
Jun 28, 2024
9eb8d69
Set up CI with Azure Pipelines
autumn0914 Apr 10, 2025
bdd032c
Update azure-pipelines.yml for Azure Pipelines
autumn0914 Apr 10, 2025
02d6141
Update azure-pipelines.yml for Azure Pipelines
autumn0914 Apr 10, 2025
18cdd33
Update azure-pipelines.yml for Azure Pipelines
autumn0914 Apr 10, 2025
048cee5
Update azure-pipelines.yml for Azure Pipelines
autumn0914 Apr 10, 2025
5511840
Update azure-pipelines.yml for Azure Pipelines
autumn0914 Apr 10, 2025
d16e5fc
mysql fix
autumn0914 Apr 10, 2025
1722b02
mysql fix
autumn0914 Apr 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,8 @@
.DS_Store
target/
other-vuls/
*.iml
docker/
poc/
src/main/java/org/joychou/test/
*.iml
docker_jdk_build.sh
217 changes: 177 additions & 40 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,78 +1,215 @@
# Java Security Code
# Java Sec Code

## 介绍

该项目也可以叫做Java Vulnerability Code(Java漏洞代码)。
Java sec code is a very powerful and friendly project for learning Java vulnerability code.

每个漏洞类型代码默认存在安全漏洞(除非本身不存在漏洞),相关修复代码在注释里。具体可查看每个漏洞代码和注释。
[中文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README_zh.md) 😋

## 漏洞代码
## Recruitment

- [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
[Alibaba-Security attack and defense/research(P5-P7)](https://github.com/JoyChou93/java-sec-code/wiki/Alibaba-Purple-Team-Job-Description)


## Introduce

This project can also be called Java vulnerability code.

Each vulnerability type code has a security vulnerability by default unless there is no vulnerability. The relevant fix code is in the comments or code. Specifically, you can view each vulnerability code and comments.

Due to the server expiration, the online demo site had to go offline.

Login username & password:

```
admin/admin123
joychou/joychou123
```


## Vulnerability Code

Sort by letter.

- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback-online.xml)
- [CommandInject](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CommandInject.java)
- [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
- [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)
- [CVE-2022-22978](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)
- [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
- [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
- [File Upload](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
- [GetRequestURI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/GetRequestURI.java)
- [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
- [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Jsonp.java)
- [Log4j](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Log4j.java)
- [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
- [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
- [QLExpress](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/QLExpress.java)
- [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
- Runtime
- ProcessBuilder
- ScriptEngine
- Yaml Deserialize
- Groovy
- [Shiro](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Shiro.java)
- [Swagger](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/config/SwaggerConfig.java)
- [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
- [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
- [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)
- [URL重定向](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java)
- [IP伪造](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
- [SSTI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSTI.java)
- [URL Redirect](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java)
- [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)
- [xlsxStreamerXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java)
- [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
- [CRLF注入](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
- [远程命令执行](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
- [反序列化](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
- [文件上传](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
- [SQL注入](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
- [URL白名单Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)
- [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
- [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
- [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/JSONP.java)
- [XStream](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XStreamRce.java)
- [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
- [JWT](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Jwt.java)


## 漏洞说明
## Vulnerability Description

- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/wiki/Actuators-to-RCE)
- [CORS](https://github.com/JoyChou93/java-sec-code/wiki/CORS)
- [CSRF](https://github.com/JoyChou93/java-sec-code/wiki/CSRF)
- [Deserialize](https://github.com/JoyChou93/java-sec-code/wiki/Deserialize)
- [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)
- [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI)
- [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
- [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
- [POI-OOXML XXE](https://github.com/JoyChou93/java-sec-code/wiki/Poi-ooxml-XXE)
- [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
- [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)
- [SSRF](https://github.com/JoyChou93/java-sec-code/wiki/SSRF)
- [SSTI](https://github.com/JoyChou93/java-sec-code/wiki/SSTI)
- [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)
- [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
- [JWT](https://github.com/JoyChou93/java-sec-code/wiki/JWT)
- [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)

## How to run

## 如何运行
The application will use mybatis auto-injection. Please run mysql server ahead of time and configure the mysql server database's name and username/password except docker environment.

```
spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code
spring.datasource.username=root
spring.datasource.password=woshishujukumima
```

### Tomcat
- Docker
- IDEA
- Tomcat
- JAR

1. 生成war包 `mvn clean package`
2. 将target目录的war包,cp到Tomcat的webapps目录
3. 重启Tomcat应用
### Docker


```
http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami
```

返回
Start docker:

```
Viarus
docker-compose pull
docker-compose up
```

### IDEA

如果想在IDEA中直接运行,需要在IDEA中添加Tomcat配置,步骤如下:
Stop docker:

```
Run -> Edit Configurations -> 添加TomcatServer(Local) -> Server中配置Tomcat路径 -> Deployment中添加Artifact选择java-sec-code:war exploded
docker-compose down
```

![tomcat](https://github.com/JoyChou93/java-sec-code/raw/master/idea-tomcat.png)
Docker's environment:

- Java 1.8.0_102
- Mysql 8.0.17
- Tomcat 8.5.11

配置完成后,右上角直接点击run,即可运行。

### IDEA

- `git clone https://github.com/JoyChou93/java-sec-code`
- Open in IDEA and click `run` button.

Example:

```
http://localhost:8080/rce/exec?cmd=whoami
```

返回

```
return:

```
Viarus
```

### Tomcat

- `git clone https://github.com/JoyChou93/java-sec-code` & `cd java-sec-code`
- Build war package by `mvn clean package`.
- Copy war package to tomcat webapps directory.
- Start tomcat application.

Example:

```
http://localhost:8080/java-sec-code-1.0.0/rce/runtime/exec?cmd=whoami
```

return:

```
Viarus
```


### JAR

Change `war` to `jar` in `pom.xml`.

```xml
<groupId>sec</groupId>
<artifactId>java-sec-code</artifactId>
<version>1.0.0</version>
<packaging>war</packaging>
```

Build package and run.

```
git clone https://github.com/JoyChou93/java-sec-code
cd java-sec-code
mvn clean package -DskipTests
java -jar target/java-sec-code-1.0.0.jar
```

## Authenticate

### Login

[http://localhost:8080/login](http://localhost:8080/login)

If you are not logged in, accessing any page will redirect you to the login page. The username & password are as follows.

```
admin/admin123
joychou/joychou123
```

### Logout

[http://localhost:8080/logout](http://localhost:8080/logout)

### RememberMe

Tomcat's default JSESSION session is valid for 30 minutes, so a 30-minute non-operational session will expire. In order to solve this problem, the rememberMe function is introduced, and the default expiration time is 2 weeks.


## Contributors

Core developers : [JoyChou](https://github.com/JoyChou93), [liergou9981](https://github.com/liergou9981)
Other developers: [lightless](https://github.com/lightless233), [Anemone95](https://github.com/Anemone95), [waderwu](https://github.com/waderwu).


## Support

If you like the poject, you can star java-sec-code project to support me. With your support, I will be able to make `Java sec code` better 😎.
Loading