:new:更新 Java XXE 以及学习路线 · liulonghai/JavaSecurityLearning@bcd9ca3 · GitHub
Skip to content

Commit bcd9ca3

Browse files
committed
🆕更新 Java XXE 以及学习路线
1 parent 22560e2 commit bcd9ca3

33 files changed

Lines changed: 1194 additions & 46 deletions

File tree

-1.99 KB
Binary file not shown.
Lines changed: 26 additions & 0 deletions
Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
package com.drunkbaby;
2+
3+
import org.mybatis.spring.annotation.MapperScan;
4+
import org.springframework.boot.SpringApplication;
5+
import org.springframework.boot.autoconfigure.SpringBootApplication;
6+
7+
@SpringBootApplication
8+
@MapperScan("com.drunkbaby.mapper")
9+
public class MybatiSqliApplication {
10+
11+
public static void main(String[] args) {
12+
SpringApplication.run(MybatiSqliApplication.class, args);
13+
}
14+
15+
}
Lines changed: 216 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,216 @@
1+
package com.drunkbaby.controller;
2+
3+
import com.drunkbaby.mapper.UserMapper;
4+
import com.drunkbaby.pojo.User;
5+
import org.slf4j.Logger;
6+
import org.slf4j.LoggerFactory;
7+
import org.springframework.beans.factory.annotation.Autowired;
8+
import org.springframework.beans.factory.annotation.Value;
9+
import org.springframework.web.bind.annotation.*;
10+
import com.drunkbaby.utils.SqliFilterUtil;
11+
12+
import java.sql.*;
13+
import java.util.List;
14+
15+
16+
/**
17+
* SQL Injection
18+
*
19+
* @author Drunkbaby @2022.08.22
20+
*/
21+
22+
@SuppressWarnings("Duplicates")
23+
@RestController
24+
@RequestMapping("/sqli")
25+
public class SQLI {
26+
27+
private static Logger logger = LoggerFactory.getLogger(SQLI.class);
28+
private static String driver = "com.mysql.jdbc.Driver";
29+
30+
@Value("${spring.datasource.url}")
31+
private String url;
32+
33+
@Value("${spring.datasource.username}")
34+
private String user;
35+
36+
@Value("${spring.datasource.password}")
37+
private String password;
38+
39+
@Autowired
40+
private UserMapper userMapper;
41+
42+
43+
/**
44+
* Vuln Code.
45+
* http://localhost:8080/sqli/jdbc/vuln?username=joychou
46+
*
47+
* @param username username
48+
*/
49+
@RequestMapping("/jdbc/vuln")
50+
public String jdbc_sqli_vul(@RequestParam("username") String username) {
51+
52+
StringBuilder result = new StringBuilder();
53+
54+
try {
55+
Class.forName(driver);
56+
Connection con = DriverManager.getConnection(url, user, password);
57+
58+
if (!con.isClosed())
59+
System.out.println("Connect to database successfully.");
60+
61+
// sqli vuln code
62+
Statement statement = con.createStatement();
63+
String sql = "select * from users where username = '" + username + "'";
64+
logger.info(sql);
65+
ResultSet rs = statement.executeQuery(sql);
66+
67+
while (rs.next()) {
68+
String res_name = rs.getString("username");
69+
String res_pwd = rs.getString("password");
70+
String info = String.format("%s: %s\n", res_name, res_pwd);
71+
result.append(info);
72+
logger.info(info);
73+
}
74+
rs.close();
75+
con.close();
76+
77+
78+
} catch (ClassNotFoundException e) {
79+
logger.error("Sorry,can`t find the Driver!");
80+
} catch (SQLException e) {
81+
logger.error(e.toString());
82+
}
83+
return result.toString();
84+
}
85+
86+
87+
/**
88+
* Security Code.
89+
* http://localhost:8080/sqli/jdbc/sec?username=joychou
90+
*
91+
* @param username username
92+
*/
93+
@RequestMapping("/jdbc/sec")
94+
public String jdbc_sqli_sec(@RequestParam("username") String username) {
95+
96+
StringBuilder result = new StringBuilder();
97+
try {
98+
Class.forName(driver);
99+
Connection con = DriverManager.getConnection(url, user, password);
100+
101+
if (!con.isClosed())
102+
System.out.println("Connecting to Database successfully.");
103+
104+
// fix code
105+
String sql = "select * from users where username = ?";
106+
PreparedStatement st = con.prepareStatement(sql);
107+
st.setString(1, username);
108+
109+
logger.info(st.toString()); // sql after prepare statement
110+
ResultSet rs = st.executeQuery();
111+
112+
while (rs.next()) {
113+
String res_name = rs.getString("username");
114+
String res_pwd = rs.getString("password");
115+
String info = String.format("%s: %s\n", res_name, res_pwd);
116+
result.append(info);
117+
logger.info(info);
118+
}
119+
120+
rs.close();
121+
con.close();
122+
123+
} catch (ClassNotFoundException e) {
124+
logger.error("Sorry, can`t find the Driver!");
125+
e.printStackTrace();
126+
} catch (SQLException e) {
127+
logger.error(e.toString());
128+
}
129+
return result.toString();
130+
}
131+
132+
/**
133+
* vuln code
134+
* http://localhost:8080/sqli/mybatis/vuln01?username=joychou' or '1'='1
135+
*
136+
* @param username username
137+
*/
138+
@GetMapping("/mybatis/vuln01")
139+
public List<User> mybatisVuln01(@RequestParam("username") String username) {
140+
return userMapper.findByUserNameVuln01(username);
141+
}
142+
143+
/**
144+
* vul code
145+
* http://localhost:8080/sqli/mybatis/vuln02?username=joychou' or '1'='1' %23
146+
*
147+
* @param username username
148+
*/
149+
@GetMapping("/mybatis/vuln02")
150+
public List<User> mybatisVuln02(@RequestParam("username") String username) {
151+
return userMapper.findByUserNameVuln02(username);
152+
}
153+
154+
// http://localhost:8080/sqli/mybatis/orderby/vuln03?sort=1 desc%23
155+
@GetMapping("/mybatis/orderby/vuln03")
156+
public List<User> mybatisVuln03(@RequestParam("sort") String sort) {
157+
return userMapper.findByUserNameVuln03(sort);
158+
}
159+
160+
/**
161+
* vul code,对应解决 in 漏洞
162+
* http://localhost:8080/sqli/mybatis/vuln04?id=1)%20or%201=1%23
163+
*
164+
* @param id
165+
*/
166+
167+
@GetMapping("/mybatis/vuln04")
168+
public List<User> mybatisVuln04(@RequestParam("id") String id){
169+
return userMapper.findByIdVuln04(id);
170+
}
171+
172+
/**
173+
* security code
174+
* http://localhost:8080/sqli/mybatis/sec01?username=joychou
175+
*
176+
* @param username username
177+
*/
178+
@GetMapping("/mybatis/sec01")
179+
public User mybatisSec01(@RequestParam("username") String username) {
180+
return userMapper.findByUserName(username);
181+
}
182+
183+
/**
184+
* http://localhost:8080/sqli/mybatis/sec02?id=1
185+
*
186+
* @param id id
187+
*/
188+
@GetMapping("/mybatis/sec02")
189+
public User mybatisSec02(@RequestParam("id") Integer id) {
190+
return userMapper.findById(id);
191+
}
192+
193+
194+
/**
195+
* http://localhost:8080/sqli/mybatis/sec03
196+
*/
197+
@GetMapping("/mybatis/sec03")
198+
public User mybatisSec03() {
199+
return userMapper.OrderByUsername();
200+
}
201+
202+
203+
@GetMapping("/mybatis/orderby/sec04")
204+
public List<User> mybatisOrderBySec04(@RequestParam("sort") String sort) {
205+
return userMapper.findByUserNameVuln03(SqliFilterUtil.sqlFilter(sort));
206+
}
207+
208+
/**
209+
* http://localhost:8080/sqli/mybatis/sec04
210+
*/
211+
@GetMapping("/mybatis/sec04")
212+
public List<User> mybatisSec04(@RequestParam("id") List id){
213+
return userMapper.findByIdSec04(id);
214+
}
215+
216+
}
Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
package com.drunkbaby.mapper;
2+
3+
import com.drunkbaby.pojo.User;
4+
import org.apache.ibatis.annotations.Mapper;
5+
import org.apache.ibatis.annotations.Param;
6+
import org.apache.ibatis.annotations.Select;
7+
import org.springframework.stereotype.Repository;
8+
9+
import java.util.List;
10+
11+
@Mapper
12+
public interface UserMapper {
13+
14+
/**
15+
* If using simple sql, we can use annotation. Such as @Select @Update.
16+
* If using ${username}, application will send a error.
17+
*/
18+
19+
@Select("select * from users where username = #{username}")
20+
User findByUserName(@Param("username") String username);
21+
22+
@Select("select * from users where username = '${username}'")
23+
List<User> findByUserNameVuln01(@Param("username") String username);
24+
25+
List<User> findByUserNameVuln02(String username);
26+
List<User> findByUserNameVuln03(@Param("order") String order);
27+
28+
List<User> findByIdVuln04(@Param("id") String id);
29+
30+
List<User> findByIdSec04(@Param("id") List id);
31+
32+
33+
User findById(Integer id);
34+
35+
User OrderByUsername();
36+
}
Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,33 @@
1+
package com.drunkbaby.pojo;
2+
3+
4+
import java.io.Serializable;
5+
6+
public class User implements Serializable {
7+
private static final long serialVersionUID = 1L;
8+
private Integer id;
9+
private String username;
10+
private String password;
11+
12+
public Integer getId() {
13+
return id;
14+
}
15+
public void setId(Integer id) {
16+
this.id = id;
17+
}
18+
19+
public String getUsername() {
20+
return username;
21+
}
22+
public void setUsername(String username) {
23+
this.username = username;
24+
}
25+
26+
public String getPassword() {
27+
return password;
28+
}
29+
public void setPassword(String password) {
30+
this.password = password;
31+
}
32+
33+
}
Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
package com.drunkbaby.utils;
2+
3+
import java.util.regex.Pattern;
4+
5+
public class SqliFilterUtil {
6+
7+
private static final Pattern FILTER_PATTERN = Pattern.compile("^[a-zA-Z0-9_/\\.-]+$");
8+
9+
public static String sqlFilter(String sql) {
10+
if (!FILTER_PATTERN.matcher(sql).matches()) {
11+
return null;
12+
}
13+
return sql;
14+
}
15+
}
Lines changed: 6 additions & 0 deletions

0 commit comments

Comments
 (0)