🍺 Java Sec 1.15

Author: j3ers3

Dockerfile

@@ -2,7 +2,7 @@ FROM java:8
 
 VOLUME /tmp
 
-ADD ./target/javasec-1.7.jar app.jar
+ADD ./target/javasec-1.15.jar app.jar
 
 EXPOSE 8888
 

README.md

@@ -1,19 +1,21 @@
-# ☕️ Hello Java Sec ![Stage](https://img.shields.io/badge/Release-DEV-brightgreen.svg) ![Build Status](https://img.shields.io/badge/Version-1.11-red.svg)
-> Java漏洞平台，结合漏洞代码和安全编码，帮助研发同学理解和减少漏洞，代码仅供参考
+# ☕️ Hello Java Sec ![Stage](https://img.shields.io/badge/Release-DEV-brightgreen.svg) ![Build Status](https://img.shields.io/badge/Version-1.15-red.svg)
 
-![](media/16304933749187.jpg)
+> Hello Java Security 通过结合漏洞场景和安全编码，帮助安全和研发团队理解漏洞原理，从而减少漏洞的产生，代码仅供参考 :)
 
+![](media/1.png)
 
 - 默认账号：admin/admin
 
 ## Vulnerability
+
 - [x] SQLi
 - [x] XSS
 - [x] RCE
-- [x] Deserialize
+- [x] Deserialization
 - [x] SSTI
 - [x] SpEL
 - [x] SSRF
+- [x] IDOR
 - [x] Directory Traversal
 - [x] Redirect
 - [x] CSRF
@@ -26,39 +28,50 @@
 - [x] JNDI
 - [x] Dos
 - [x] Xpath
+- [x] IPForgery
 - [x] Jwt
+- [x] Password Reset
 - [ ] more and more
 
 ![](media/16304936834843.jpg)
 
 ## Run
-### IDEA
-配置数据库连接，数据库文件`src/main/resources/db.sql`
+
+### 配置数据库
+
+导入数据库文件 `src/main/resources/db.sql`
+
+配置数据库连接 `src/main/application.properties`
+
 ```
 spring.datasource.url=jdbc:mysql://127.0.0.1:3306/test
 spring.datasource.username=root
 spring.datasource.password=1234567
 ```
 
 ### Jar运行
-> JDK 1.8环境
+
+> JDK 1.8环境，高版本会报错
+
 ```
 git clone https://github.com/j3ers3/Hello-Java-Sec
 cd Hello-Java-Sec
 mvn clean package -DskipTests
-java -jar target/hello-1.0.0-SNAPSHOT.jar
+java -jar target/javasec-x.x.jar
 ```
 
 ### Docker运行
+
 ```
 mvn clean package
 ./deploy.sh
 ```
-![](media/16512152886514.jpg)
 
+![](media/16512152886514.jpg)
 
 ## 技术架构
+
 - Java 1.8
-- SpringBoot 4.0
+- SpringBoot 2.4.1
 - Bootstrap 4.6.0
 - Codemirror 5.62.0

media/1.png

@@ -11,7 +11,7 @@
 
     <groupId>com.best</groupId>
     <artifactId>javasec</artifactId>
-    <version>1.11</version>
+    <version>1.15</version>
     <name>hello java sec</name>
     <description>Java Sec</description>
     <packaging>jar</packaging>
@@ -315,25 +315,6 @@
                 </configuration>
             </plugin>
 
-            <plugin>
-                <!-- OWASP 生成物料清单SBOM，提供Dependency Track分析 -->
-                <groupId>org.cyclonedx</groupId>
-                <artifactId>cyclonedx-maven-plugin</artifactId>
-                <version>2.7.2</version>
-                <executions>
-                    <execution>
-                        <phase>compile</phase>
-                        <goals>
-                            <goal>makeAggregateBom</goal>
-                        </goals>
-                    </execution>
-                </executions>
-                <configuration>
-                    <outputFormat>xml</outputFormat>
-                </configuration>
-            </plugin>
-
-
         </plugins>
     </build>
 

pom.xml

@@ -22,14 +22,16 @@ public void addViewControllers(ViewControllerRegistry registry) {
         registry.addViewController("/index/ssrf").setViewName("ssrf");
         registry.addViewController("/index/traversal").setViewName("traversal");
         registry.addViewController("/index/xxe").setViewName("xxe");
-        registry.addViewController("/index/deserialize").setViewName("deserialize");
+        registry.addViewController("/index/deserialization").setViewName("deserialization");
         registry.addViewController("/index/redirect").setViewName("redirect");
         registry.addViewController("/index/actuator").setViewName("actuator");
-        registry.addViewController("/index/idor").setViewName("idor");
+        registry.addViewController("/index/idor").setViewName("idor/idor_horizontal");
+        registry.addViewController("/index/idor/horizontal").setViewName("idor/idor_horizontal");
+        registry.addViewController("/index/idor/vertical").setViewName("idor/idor_vertical");
         registry.addViewController("/index/upload").setViewName("upload");
         registry.addViewController("/index/xstream").setViewName("xstream");
         registry.addViewController("/index/fastjson").setViewName("fastjson");
-        registry.addViewController("/index/xff").setViewName("xff");
+        registry.addViewController("/index/ipforgery").setViewName("ip_forgery");
         registry.addViewController("/index/unauth").setViewName("unauth");
         registry.addViewController("/index/jackson").setViewName("jackson");
         registry.addViewController("/index/log4j").setViewName("log4j");
@@ -42,6 +44,8 @@ public void addViewControllers(ViewControllerRegistry registry) {
         registry.addViewController("/index/jwt").setViewName("jwt");
         registry.addViewController("/index/xpath").setViewName("xpath");
         registry.addViewController("/index/csv").setViewName("csv_injection");
+        registry.addViewController("/index/shiro").setViewName("shiro");
+        registry.addViewController("/index/passwordreset").setViewName("logicflaw/passwordreset");
 
     }
 
@@ -50,6 +54,6 @@ public void addViewControllers(ViewControllerRegistry registry) {
     public void addInterceptors(InterceptorRegistry registry) {
         registry.addInterceptor(new LoginHandlerInterceptor())
                 .addPathPatterns("/**")
-                .excludePathPatterns("/user/login", "/user/ldap", "/login", "/css/**", "/js/**", "/img/**", "/Unauth/**", "/captcha");
+                .excludePathPatterns("/user/login", "/user/ldap", "/login", "/css/**", "/js/**", "/img/**", "/video/**", "/vulnapi/unauth/**", "/captcha");
     }
 }

src/main/java/com/best/hello/config/MvcConfig.java

@@ -5,6 +5,8 @@
 import lombok.extern.slf4j.Slf4j;
 import org.apache.catalina.util.ServerInfo;
 
+import org.springframework.boot.SpringBootVersion;
+import org.springframework.core.SpringVersion;
 import org.springframework.stereotype.Controller;
 
 import org.springframework.web.bind.annotation.*;
@@ -19,16 +21,18 @@
 public class Admin {
 
     @ApiOperation(value = "查询系统基本信息")
-    @GetMapping("/info")
+    @GetMapping("/sysinfo")
     @ResponseBody
     public String sysInfo() {
         Map<String, String> m = new HashMap<>();
-
         m.put("app", "Hello Java SEC");
         m.put("author", "nul1");
+        m.put("github", "https://github.com/j3ers3/Hello-Java-Sec");
         m.put("tomcat_version", ServerInfo.getServerInfo());
         m.put("java_version", System.getProperty("java.version"));
         m.put("fastjson_version", JSON.VERSION);
+        m.put("springboot_version", SpringBootVersion.getVersion());
+        m.put("spring_version", SpringVersion.getVersion());
 
         return JSON.toJSONString(m);
     }

src/main/java/com/best/hello/controller/Admin.java

@@ -12,7 +12,7 @@
 
 @Api("跨域资源伪造漏洞")
 @RestController
-@RequestMapping("/CORS")
+@RequestMapping("/vulnapi/cors")
 public class CORS {
 
     /**
@@ -34,9 +34,9 @@ public String corsVul(HttpServletRequest request, HttpServletResponse response)
     @ApiOperation(value = "safe：白名单判断Origin")
     @CrossOrigin(origins = {"127.0.0.1", "http://127.0.0.1", "https://127.0.0.1"})
     @GetMapping("/safe")
-    public String corsSafe(HttpServletRequest request, HttpServletResponse response) {
+    public String corsSafe(HttpServletResponse response) {
         response.setHeader("Access-Control-Allow-Credentials", "true");
+        response.setHeader("Access-Control-Allow-Methods", "GET,POST");
         return "cors safe";
     }
-
 }

src/main/java/com/best/hello/controller/BAC.java

@@ -14,7 +14,7 @@
 
 @Api("跨站请求伪造")
 @RestController
-@RequestMapping("/CSRF")
+@RequestMapping("/vulnapi/CSRF")
 public class CSRF {
     @ApiOperation(value = "vul: 危险的转账")
     @GetMapping("/transfer/vul")

src/main/java/com/best/hello/controller/CORS.java

@@ -21,7 +21,7 @@
 
 @Api("CSV注入漏洞")
 @RestController
-@RequestMapping("/CSVInjection")
+@RequestMapping("/vulnapi/CSVInjection")
 public class CSVInjection {
     @Autowired
     private XSSMapper xssMapper;

src/main/java/com/best/hello/controller/CSRF.java

@@ -3,6 +3,7 @@
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.JSONObject;
 import io.swagger.annotations.Api;
+import io.swagger.annotations.ApiOperation;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -17,19 +18,29 @@
 @Api("Fastjson反序列化漏洞")
 @Slf4j
 @RestController
-@RequestMapping("/Fastjson")
+@RequestMapping("/vulnapi/Fastjson")
 public class FastjsonVul {
 
     @RequestMapping(value = "/vul", method = {RequestMethod.POST})
     public String vul(@RequestBody String content) {
-
         try {
-            // 转换成object
-            JSONObject jsonToObject = JSON.parseObject(content);
-            log.info("[vul] Fastjson");
-
-            return jsonToObject.get("name").toString();
+            Object obj = JSON.parse(content);
+            return obj.toString();
+        } catch (Exception e) {
+            return e.toString();
+        }
+    }
 
+    @ApiOperation(value = "safe: safeMode")
+    @RequestMapping(value = "/safeMode", method = {RequestMethod.POST})
+    public String safeMode(@RequestBody String content) {
+        try {
+            /*
+             开启safeMode特性，（这里低版本就注释了）
+             ParserConfig.getGlobalInstance().setSafeMode(true);
+             Object obj = JSON.parse(content);
+            */
+            return "safeMode";
         } catch (Exception e) {
             return e.toString();
         }

src/main/java/com/best/hello/controller/CSVInjection.java

@@ -8,7 +8,7 @@
 
 @Api("Jackson反序列化漏洞")
 @RestController
-@RequestMapping("/Jackson")
+@RequestMapping("/vulnapi/Jackson")
 public class JacksonVul {
 
     @RequestMapping("/vul")

src/main/java/com/best/hello/controller/ComponentsVul/FastjsonVul.java

@@ -8,7 +8,7 @@
 
 @Api("Log4j2 反序列化漏洞")
 @RestController
-@RequestMapping("/Log4j")
+@RequestMapping("/vulnapi/Log4j")
 public class Log4jVul {
 
     private static final Logger logger = LogManager.getLogger(Log4jVul.class);