joychou93 / java-sec-code Goto Github PK
View Code? Open in Web Editor NEWJava web common vulnerabilities and security code which is base on springboot and spring security
java-sec-code's Issues
docker 安装启动后,端口访问不到。
启动成功了,但是本地无法访问
CRLF无法复现?
%0d%0a会被替换成20
文件上传中/file/目录下上传文件跳转页面不存在
大佬你好。文件上传中/file/目录下上传任意文件后按照代码会跳转到/file/status页面,但实际上却没有这个页面。请问您实际上是想跳转到别的页面还是页面丢失还是有别的什么意图。
Java 1.7/1.8 no CRLF vulns (test in Java 1.7/1.8)
Yes, I apply it in Java 11, and it still can not work. Can you help me?
Java 1.7/1.8 no CRLF vulns (test in Java 1.7/1.8)
Originally posted by @JoyChou93 in #34 (comment)
docker 环境mysql 连接 报错 Public Key Retrieval is not allowed
Public Key Retrieval is not allowed
Dependency org.apache.tomcat.embed:tomcat-embed-core, leading to CVE problem
Hi,,there is a dependency **org.apache.tomcat.embed:tomcat-embed-core:8.5.11
** that calls the risk method.
The scope of this CVE affected version is [9.0.0.M1, 9.0.30),[8.5.0,8.5.50),[,7.0.99)
After further analysis, in this project, the main Api called is org.apache.catalina.authenticator.AuthenticatorBase: register(org.apache.catalina.connector.Request,javax.servlet.http.HttpServletResponse,java.security.Principal,java.lang.String,java.lang.String,java.lang.String,boolean,boolean)
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 6
org.joychou.controller.Index: appInfo(javax.servlet.http.HttpServletRequest)Ljava.lang.String; .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.connector.Request: getUserPrincipal()Ljava.security.Principal; .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.connector.Request: logout() .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.authenticator.AuthenticatorBase: logout(org.apache.catalina.connector.Request) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.authenticator.AuthenticatorBase: register(org.apache.catalina.connector.Request,javax.servlet.http.HttpServletResponse,java.security.Principal,java.lang.String,java.lang.String,java.lang.String) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.authenticator.AuthenticatorBase: register(org.apache.catalina.connector.Request,javax.servlet.http.HttpServletResponse,java.security.Principal,java.lang.String,java.lang.String,java.lang.String,boolean,boolean)
Dependency tree--
[INFO] sec:java-sec-code:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.1.RELEASE:compile
[INFO] | +- org.springframework.boot:spring-boot-starter:jar:1.5.1.RELEASE:compile
[INFO] | | +- org.springframework.boot:spring-boot:jar:1.5.1.RELEASE:compile
[INFO] | | +- org.springframework.boot:spring-boot-autoconfigure:jar:1.5.1.RELEASE:compile
[INFO] | | \- org.springframework.boot:spring-boot-starter-logging:jar:1.5.1.RELEASE:compile
[INFO] | | +- ch.qos.logback:logback-classic:jar:1.1.9:compile
[INFO] | | | \- ch.qos.logback:logback-core:jar:1.1.9:compile
[INFO] | | +- org.slf4j:jcl-over-slf4j:jar:1.7.22:compile
[INFO] | | +- org.slf4j:jul-to-slf4j:jar:1.7.22:compile
[INFO] | | \- org.slf4j:log4j-over-slf4j:jar:1.7.22:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.1.RELEASE:compile
[INFO] | | +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.11:compile
[INFO] | | +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.11:compile
[INFO] | | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.11:compile
[INFO] | +- org.hibernate:hibernate-validator:jar:5.3.4.Final:compile
[INFO] | | +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] | | \- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.6:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] | | \- com.fasterxml.jackson.core:jackson-core:jar:2.8.6:compile
[INFO] | +- org.springframework:spring-web:jar:4.3.6.RELEASE:compile
[INFO] | \- org.springframework:spring-webmvc:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:1.5.1.RELEASE:compile
[INFO] | +- org.thymeleaf:thymeleaf-spring4:jar:2.1.5.RELEASE:compile
[INFO] | | \- org.thymeleaf:thymeleaf:jar:2.1.5.RELEASE:compile
[INFO] | | +- ognl:ognl:jar:3.0.8:compile
[INFO] | | +- org.javassist:javassist:jar:3.21.0-GA:compile
[INFO] | | \- org.unbescape:unbescape:jar:1.1.0.RELEASE:compile
[INFO] | \- nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:jar:1.4.0:compile
[INFO] | \- org.codehaus.groovy:groovy:jar:2.4.7:compile
[INFO] +- mysql:mysql-connector-java:jar:8.0.12:compile
[INFO] | \- com.google.protobuf:protobuf-java:jar:2.6.0:compile
[INFO] +- com.alibaba:fastjson:jar:1.2.24:compile
[INFO] +- org.jdom:jdom2:jar:2.0.6:compile
[INFO] +- org.dom4j:dom4j:jar:2.1.0:compile
[INFO] | \- jaxen:jaxen:jar:1.1.6:compile
[INFO] +- com.google.guava:guava:jar:23.0:compile
[INFO] | +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] | +- com.google.errorprone:error_prone_annotations:jar:2.0.18:compile
[INFO] | +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] | \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] +- commons-collections:commons-collections:jar:3.1:compile
[INFO] +- commons-lang:commons-lang:jar:2.4:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.12:compile
[INFO] | +- org.apache.httpcomponents:httpcore:jar:4.4.6:compile
[INFO] | \- commons-codec:commons-codec:jar:1.10:compile
[INFO] +- org.apache.httpcomponents:fluent-hc:jar:4.3.6:compile
[INFO] | \- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.9.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.9.1:compile
[INFO] +- com.squareup.okhttp:okhttp:jar:2.5.0:compile
[INFO] | \- com.squareup.okio:okio:jar:1.6.0:compile
[INFO] +- org.apache.commons:commons-digester3:jar:3.2:compile
[INFO] | \- cglib:cglib:jar:2.2.2:compile
[INFO] | \- asm:asm:jar:3.3.1:compile
[INFO] +- org.jolokia:jolokia-core:jar:1.6.0:compile
[INFO] | \- com.googlecode.json-simple:json-simple:jar:1.1.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-actuator:jar:1.5.1.RELEASE:compile
[INFO] | \- org.springframework.boot:spring-boot-actuator:jar:1.5.1.RELEASE:compile
[INFO] +- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:1.4.0.RELEASE:compile
[INFO] | +- org.springframework.cloud:spring-cloud-starter:jar:1.1.3.RELEASE:compile
[INFO] | | +- org.springframework.cloud:spring-cloud-context:jar:1.1.3.RELEASE:compile
[INFO] | | | \- org.springframework.security:spring-security-crypto:jar:4.2.1.RELEASE:compile
[INFO] | | +- org.springframework.cloud:spring-cloud-commons:jar:1.1.3.RELEASE:compile
[INFO] | | \- org.springframework.security:spring-security-rsa:jar:1.0.3.RELEASE:compile
[INFO] | | \- org.bouncycastle:bcpkix-jdk15on:jar:1.55:compile
[INFO] | | \- org.bouncycastle:bcprov-jdk15on:jar:1.55:compile
[INFO] | +- org.springframework.cloud:spring-cloud-netflix-core:jar:1.2.0.RELEASE:compile
[INFO] | +- org.springframework.cloud:spring-cloud-netflix-eureka-client:jar:1.2.0.RELEASE:compile
[INFO] | +- com.netflix.eureka:eureka-client:jar:1.4.11:compile
[INFO] | | +- org.codehaus.jettison:jettison:jar:1.3.7:runtime
[INFO] | | | \- stax:stax-api:jar:1.0.1:compile
[INFO] | | +- com.netflix.netflix-commons:netflix-eventbus:jar:0.3.0:runtime
[INFO] | | | +- com.netflix.netflix-commons:netflix-infix:jar:0.3.0:runtime
[INFO] | | | | +- commons-jxpath:commons-jxpath:jar:1.3:runtime
[INFO] | | | | +- joda-time:joda-time:jar:2.9.7:runtime
[INFO] | | | | +- org.antlr:antlr-runtime:jar:3.4:runtime
[INFO] | | | | | +- org.antlr:stringtemplate:jar:3.2.1:runtime
[INFO] | | | | | \- antlr:antlr:jar:2.7.7:runtime
[INFO] | | | | \- com.google.code.gson:gson:jar:2.8.0:runtime
[INFO] | | | \- org.apache.commons:commons-math:jar:2.2:runtime
[INFO] | | +- com.netflix.archaius:archaius-core:jar:0.7.4:compile
[INFO] | | +- javax.ws.rs:jsr311-api:jar:1.1.1:runtime
[INFO] | | +- com.netflix.servo:servo-core:jar:0.10.1:runtime
[INFO] | | | \- com.netflix.servo:servo-internal:jar:0.10.1:runtime
[INFO] | | +- com.sun.jersey:jersey-core:jar:1.19.1:runtime
[INFO] | | +- com.sun.jersey:jersey-client:jar:1.19.1:runtime
[INFO] | | +- com.sun.jersey.contribs:jersey-apache-client4:jar:1.19.1:runtime
[INFO] | | +- com.google.inject:guice:jar:4.0:runtime
[INFO] | | | \- javax.inject:javax.inject:jar:1:runtime
[INFO] | | \- com.netflix.governator:governator-api:jar:1.12.10:runtime
[INFO] | +- com.netflix.eureka:eureka-core:jar:1.4.11:compile
[INFO] | | +- com.netflix.governator:governator:jar:1.12.10:runtime
[INFO] | | | +- com.netflix.governator:governator-core:jar:1.12.10:runtime
[INFO] | | | | +- com.google.inject.extensions:guice-multibindings:jar:4.0:runtime
[INFO] | | | | \- com.google.inject.extensions:guice-grapher:jar:4.0:runtime
[INFO] | | | | \- com.google.inject.extensions:guice-assistedinject:jar:4.0:runtime
[INFO] | | | \- org.ow2.asm:asm:jar:5.0.4:runtime
[INFO] | | \- org.codehaus.woodstox:woodstox-core-asl:jar:4.4.1:runtime
[INFO] | | +- javax.xml.stream:stax-api:jar:1.0-2:runtime
[INFO] | | \- org.codehaus.woodstox:stax2-api:jar:3.1.4:runtime
[INFO] | +- org.springframework.cloud:spring-cloud-starter-netflix-archaius:jar:1.4.0.RELEASE:compile
[INFO] | | \- commons-configuration:commons-configuration:jar:1.8:compile
[INFO] | +- org.springframework.cloud:spring-cloud-starter-netflix-ribbon:jar:1.4.0.RELEASE:compile
[INFO] | | +- com.netflix.ribbon:ribbon:jar:2.2.0:compile
[INFO] | | | +- com.netflix.ribbon:ribbon-transport:jar:2.2.0:runtime
[INFO] | | | | +- io.reactivex:rxnetty-contexts:jar:0.4.9:runtime
[INFO] | | | | \- io.reactivex:rxnetty-servo:jar:0.4.9:runtime
[INFO] | | | +- com.netflix.hystrix:hystrix-core:jar:1.5.5:runtime
[INFO] | | | | \- org.hdrhistogram:HdrHistogram:jar:2.1.9:runtime
[INFO] | | | \- io.reactivex:rxnetty:jar:0.4.9:runtime
[INFO] | | | +- io.netty:netty-codec-http:jar:4.0.27.Final:runtime
[INFO] | | | | +- io.netty:netty-codec:jar:4.0.27.Final:runtime
[INFO] | | | | \- io.netty:netty-handler:jar:4.0.27.Final:runtime
[INFO] | | | \- io.netty:netty-transport-native-epoll:jar:4.0.27.Final:runtime
[INFO] | | | +- io.netty:netty-common:jar:4.0.27.Final:runtime
[INFO] | | | +- io.netty:netty-buffer:jar:4.0.27.Final:runtime
[INFO] | | | \- io.netty:netty-transport:jar:4.0.27.Final:runtime
[INFO] | | +- com.netflix.ribbon:ribbon-core:jar:2.2.0:compile
[INFO] | | +- com.netflix.ribbon:ribbon-httpclient:jar:2.2.0:compile
[INFO] | | | \- com.netflix.netflix-commons:netflix-commons-util:jar:0.1.1:runtime
[INFO] | | +- com.netflix.ribbon:ribbon-loadbalancer:jar:2.2.0:compile
[INFO] | | | \- com.netflix.netflix-commons:netflix-statistics:jar:0.1.1:runtime
[INFO] | | \- io.reactivex:rxjava:jar:1.1.10:compile
[INFO] | \- com.netflix.ribbon:ribbon-eureka:jar:2.2.0:compile
[INFO] +- com.fasterxml.uuid:java-uuid-generator:jar:3.1.4:compile
[INFO] +- org.springframework.security:spring-security-web:jar:4.2.12.RELEASE:compile
[INFO] | +- aopalliance:aopalliance:jar:1.0:compile
[INFO] | +- org.springframework.security:spring-security-core:jar:4.2.1.RELEASE:compile
[INFO] | +- org.springframework:spring-beans:jar:4.3.6.RELEASE:compile
[INFO] | +- org.springframework:spring-context:jar:4.3.6.RELEASE:compile
[INFO] | +- org.springframework:spring-core:jar:4.3.6.RELEASE:compile
[INFO] | \- org.springframework:spring-expression:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.security:spring-security-config:jar:4.2.12.RELEASE:compile
[INFO] | \- org.springframework:spring-aop:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:2.1.5.RELEASE:compile
[INFO] +- commons-net:commons-net:jar:3.6:compile
[INFO] +- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] +- org.mybatis.spring.boot:mybatis-spring-boot-starter:jar:1.3.2:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-jdbc:jar:1.5.1.RELEASE:compile
[INFO] | | +- org.apache.tomcat:tomcat-jdbc:jar:8.5.11:compile
[INFO] | | | \- org.apache.tomcat:tomcat-juli:jar:8.5.11:compile
[INFO] | | \- org.springframework:spring-jdbc:jar:4.3.6.RELEASE:compile
[INFO] | | \- org.springframework:spring-tx:jar:4.3.6.RELEASE:compile
[INFO] | +- org.mybatis.spring.boot:mybatis-spring-boot-autoconfigure:jar:1.3.2:compile
[INFO] | +- org.mybatis:mybatis:jar:3.4.6:compile
[INFO] | \- org.mybatis:mybatis-spring:jar:1.3.2:compile
[INFO] +- org.apache.velocity:velocity:jar:1.7:compile
[INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.10:compile
[INFO] | +- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] | \- xpp3:xpp3_min:jar:1.1.4c:compile
[INFO] +- org.apache.poi:poi:jar:3.10-FINAL:compile
[INFO] +- org.apache.poi:poi-ooxml:jar:3.9:compile
[INFO] | +- org.apache.poi:poi-ooxml-schemas:jar:3.9:compile
[INFO] | | \- org.apache.xmlbeans:xmlbeans:jar:2.3.0:compile
[INFO] | \- dom4j:dom4j:jar:1.6.1:compile
[INFO] +- com.monitorjbl:xlsx-streamer:jar:2.0.0:compile
[INFO] | +- com.rackspace.apache:xerces2-xsd11:jar:2.11.1:compile
[INFO] | | +- com.rackspace.eclipse.webtools.sourceediting:org.eclipse.wst.xml.xpath2.processor:jar:2.1.100:compile
[INFO] | | | +- edu.princeton.cup:java-cup:jar:10k:compile
[INFO] | | | \- com.ibm.icu:icu4j:jar:4.6:compile
[INFO] | | \- xml-resolver:xml-resolver:jar:1.2:compile
[INFO] | +- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] | \- org.slf4j:slf4j-api:jar:1.7.22:compile
[INFO] +- org.jsoup:jsoup:jar:1.10.2:compile
[INFO] +- commons-io:commons-io:jar:2.5:compile
[INFO] +- org.apache.httpcomponents:httpasyncclient:jar:4.1.4:compile
[INFO] | \- org.apache.httpcomponents:httpcore-nio:jar:4.4.10:compile
[INFO] +- io.springfox:springfox-swagger2:jar:2.9.2:compile
[INFO] | +- io.swagger:swagger-annotations:jar:1.5.20:compile
[INFO] | +- io.swagger:swagger-models:jar:1.5.20:compile
[INFO] | +- io.springfox:springfox-spi:jar:2.9.2:compile
[INFO] | | \- io.springfox:springfox-core:jar:2.9.2:compile
[INFO] | | \- net.bytebuddy:byte-buddy:jar:1.8.12:compile
[INFO] | +- io.springfox:springfox-schema:jar:2.9.2:compile
[INFO] | +- io.springfox:springfox-swagger-common:jar:2.9.2:compile
[INFO] | +- io.springfox:springfox-spring-web:jar:2.9.2:compile
[INFO] | +- com.fasterxml:classmate:jar:1.3.3:compile
[INFO] | +- org.springframework.plugin:spring-plugin-core:jar:1.2.0.RELEASE:compile
[INFO] | +- org.springframework.plugin:spring-plugin-metadata:jar:1.2.0.RELEASE:compile
[INFO] | \- org.mapstruct:mapstruct:jar:1.2.0.Final:compile
[INFO] +- io.springfox:springfox-swagger-ui:jar:2.9.2:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.16:provided
[INFO] +- org.yaml:snakeyaml:jar:1.21:compile
[INFO] +- org.springframework:spring-test:jar:4.3.6.RELEASE:compile
[INFO] +- junit:junit:jar:4.12:compile
[INFO] | \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] +- io.jsonwebtoken:jjwt:jar:0.9.1:compile
[INFO] \- com.auth0:java-jwt:jar:4.0.0:compile
Suggested solutions:
Update dependency version
Thank you very much.
文件上传功能,跳转到upload页面路径错误。
file上传页面
跳转后项目名丢失。
修改/java-sec-code-master/src/main/resources/templates/upload.html 代码,删除/file/
Dependency org.jolokia:jolokia-core, leading to CVE problem
Hi,,there is a dependency **org.jolokia:jolokia-core:1.6.0
** that calls the risk method.
The scope of this CVE affected version is [1.2.0,1.6.1)
After further analysis, in this project, the main Api called is org.jolokia.http.AgentServlet: doOptions(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 10
org.joychou.controller.URLRedirect: forward(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.core.ApplicationDispatcher: forward(javax.servlet.ServletRequest,javax.servlet.ServletResponse) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.core.ApplicationDispatcher: doForward(javax.servlet.ServletRequest,javax.servlet.ServletResponse) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.core.ApplicationDispatcher: processRequest(javax.servlet.ServletRequest,javax.servlet.ServletResponse,org.apache.catalina.core.ApplicationDispatcher$State) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.core.ApplicationDispatcher: invoke(javax.servlet.ServletRequest,javax.servlet.ServletResponse,org.apache.catalina.core.ApplicationDispatcher$State) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.core.ApplicationFilterChain: doFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.core.ApplicationFilterChain: internalDoFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
javax.servlet.http.HttpServlet: service(javax.servlet.ServletRequest,javax.servlet.ServletResponse) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
javax.servlet.http.HttpServlet: service(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.jolokia.http.AgentServlet: doOptions(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)
Dependency tree--
[INFO] sec:java-sec-code:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.1.RELEASE:compile
[INFO] | +- org.springframework.boot:spring-boot-starter:jar:1.5.1.RELEASE:compile
[INFO] | | +- org.springframework.boot:spring-boot:jar:1.5.1.RELEASE:compile
[INFO] | | +- org.springframework.boot:spring-boot-autoconfigure:jar:1.5.1.RELEASE:compile
[INFO] | | \- org.springframework.boot:spring-boot-starter-logging:jar:1.5.1.RELEASE:compile
[INFO] | | +- ch.qos.logback:logback-classic:jar:1.1.9:compile
[INFO] | | | \- ch.qos.logback:logback-core:jar:1.1.9:compile
[INFO] | | +- org.slf4j:jcl-over-slf4j:jar:1.7.22:compile
[INFO] | | +- org.slf4j:jul-to-slf4j:jar:1.7.22:compile
[INFO] | | \- org.slf4j:log4j-over-slf4j:jar:1.7.22:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.1.RELEASE:compile
[INFO] | | +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.11:compile
[INFO] | | +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.11:compile
[INFO] | | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.11:compile
[INFO] | +- org.hibernate:hibernate-validator:jar:5.3.4.Final:compile
[INFO] | | +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] | | \- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.6:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] | | \- com.fasterxml.jackson.core:jackson-core:jar:2.8.6:compile
[INFO] | +- org.springframework:spring-web:jar:4.3.6.RELEASE:compile
[INFO] | \- org.springframework:spring-webmvc:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:1.5.1.RELEASE:compile
[INFO] | +- org.thymeleaf:thymeleaf-spring4:jar:2.1.5.RELEASE:compile
[INFO] | | \- org.thymeleaf:thymeleaf:jar:2.1.5.RELEASE:compile
[INFO] | | +- ognl:ognl:jar:3.0.8:compile
[INFO] | | +- org.javassist:javassist:jar:3.21.0-GA:compile
[INFO] | | \- org.unbescape:unbescape:jar:1.1.0.RELEASE:compile
[INFO] | \- nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:jar:1.4.0:compile
[INFO] | \- org.codehaus.groovy:groovy:jar:2.4.7:compile
[INFO] +- mysql:mysql-connector-java:jar:8.0.12:compile
[INFO] | \- com.google.protobuf:protobuf-java:jar:2.6.0:compile
[INFO] +- com.alibaba:fastjson:jar:1.2.24:compile
[INFO] +- org.jdom:jdom2:jar:2.0.6:compile
[INFO] +- org.dom4j:dom4j:jar:2.1.0:compile
[INFO] | \- jaxen:jaxen:jar:1.1.6:compile
[INFO] +- com.google.guava:guava:jar:23.0:compile
[INFO] | +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] | +- com.google.errorprone:error_prone_annotations:jar:2.0.18:compile
[INFO] | +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] | \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] +- commons-collections:commons-collections:jar:3.1:compile
[INFO] +- commons-lang:commons-lang:jar:2.4:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.12:compile
[INFO] | +- org.apache.httpcomponents:httpcore:jar:4.4.6:compile
[INFO] | \- commons-codec:commons-codec:jar:1.10:compile
[INFO] +- org.apache.httpcomponents:fluent-hc:jar:4.3.6:compile
[INFO] | \- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.9.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.9.1:compile
[INFO] +- com.squareup.okhttp:okhttp:jar:2.5.0:compile
[INFO] | \- com.squareup.okio:okio:jar:1.6.0:compile
[INFO] +- org.apache.commons:commons-digester3:jar:3.2:compile
[INFO] | \- cglib:cglib:jar:2.2.2:compile
[INFO] | \- asm:asm:jar:3.3.1:compile
[INFO] +- org.jolokia:jolokia-core:jar:1.6.0:compile
[INFO] | \- com.googlecode.json-simple:json-simple:jar:1.1.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-actuator:jar:1.5.1.RELEASE:compile
[INFO] | \- org.springframework.boot:spring-boot-actuator:jar:1.5.1.RELEASE:compile
[INFO] +- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:1.4.0.RELEASE:compile
[INFO] | +- org.springframework.cloud:spring-cloud-starter:jar:1.1.3.RELEASE:compile
[INFO] | | +- org.springframework.cloud:spring-cloud-context:jar:1.1.3.RELEASE:compile
[INFO] | | | \- org.springframework.security:spring-security-crypto:jar:4.2.1.RELEASE:compile
[INFO] | | +- org.springframework.cloud:spring-cloud-commons:jar:1.1.3.RELEASE:compile
[INFO] | | \- org.springframework.security:spring-security-rsa:jar:1.0.3.RELEASE:compile
[INFO] | | \- org.bouncycastle:bcpkix-jdk15on:jar:1.55:compile
[INFO] | | \- org.bouncycastle:bcprov-jdk15on:jar:1.55:compile
[INFO] | +- org.springframework.cloud:spring-cloud-netflix-core:jar:1.2.0.RELEASE:compile
[INFO] | +- org.springframework.cloud:spring-cloud-netflix-eureka-client:jar:1.2.0.RELEASE:compile
[INFO] | +- com.netflix.eureka:eureka-client:jar:1.4.11:compile
[INFO] | | +- org.codehaus.jettison:jettison:jar:1.3.7:runtime
[INFO] | | | \- stax:stax-api:jar:1.0.1:compile
[INFO] | | +- com.netflix.netflix-commons:netflix-eventbus:jar:0.3.0:runtime
[INFO] | | | +- com.netflix.netflix-commons:netflix-infix:jar:0.3.0:runtime
[INFO] | | | | +- commons-jxpath:commons-jxpath:jar:1.3:runtime
[INFO] | | | | +- joda-time:joda-time:jar:2.9.7:runtime
[INFO] | | | | +- org.antlr:antlr-runtime:jar:3.4:runtime
[INFO] | | | | | +- org.antlr:stringtemplate:jar:3.2.1:runtime
[INFO] | | | | | \- antlr:antlr:jar:2.7.7:runtime
[INFO] | | | | \- com.google.code.gson:gson:jar:2.8.0:runtime
[INFO] | | | \- org.apache.commons:commons-math:jar:2.2:runtime
[INFO] | | +- com.netflix.archaius:archaius-core:jar:0.7.4:compile
[INFO] | | +- javax.ws.rs:jsr311-api:jar:1.1.1:runtime
[INFO] | | +- com.netflix.servo:servo-core:jar:0.10.1:runtime
[INFO] | | | \- com.netflix.servo:servo-internal:jar:0.10.1:runtime
[INFO] | | +- com.sun.jersey:jersey-core:jar:1.19.1:runtime
[INFO] | | +- com.sun.jersey:jersey-client:jar:1.19.1:runtime
[INFO] | | +- com.sun.jersey.contribs:jersey-apache-client4:jar:1.19.1:runtime
[INFO] | | +- com.google.inject:guice:jar:4.0:runtime
[INFO] | | | \- javax.inject:javax.inject:jar:1:runtime
[INFO] | | \- com.netflix.governator:governator-api:jar:1.12.10:runtime
[INFO] | +- com.netflix.eureka:eureka-core:jar:1.4.11:compile
[INFO] | | +- com.netflix.governator:governator:jar:1.12.10:runtime
[INFO] | | | +- com.netflix.governator:governator-core:jar:1.12.10:runtime
[INFO] | | | | +- com.google.inject.extensions:guice-multibindings:jar:4.0:runtime
[INFO] | | | | \- com.google.inject.extensions:guice-grapher:jar:4.0:runtime
[INFO] | | | | \- com.google.inject.extensions:guice-assistedinject:jar:4.0:runtime
[INFO] | | | \- org.ow2.asm:asm:jar:5.0.4:runtime
[INFO] | | \- org.codehaus.woodstox:woodstox-core-asl:jar:4.4.1:runtime
[INFO] | | +- javax.xml.stream:stax-api:jar:1.0-2:runtime
[INFO] | | \- org.codehaus.woodstox:stax2-api:jar:3.1.4:runtime
[INFO] | +- org.springframework.cloud:spring-cloud-starter-netflix-archaius:jar:1.4.0.RELEASE:compile
[INFO] | | \- commons-configuration:commons-configuration:jar:1.8:compile
[INFO] | +- org.springframework.cloud:spring-cloud-starter-netflix-ribbon:jar:1.4.0.RELEASE:compile
[INFO] | | +- com.netflix.ribbon:ribbon:jar:2.2.0:compile
[INFO] | | | +- com.netflix.ribbon:ribbon-transport:jar:2.2.0:runtime
[INFO] | | | | +- io.reactivex:rxnetty-contexts:jar:0.4.9:runtime
[INFO] | | | | \- io.reactivex:rxnetty-servo:jar:0.4.9:runtime
[INFO] | | | +- com.netflix.hystrix:hystrix-core:jar:1.5.5:runtime
[INFO] | | | | \- org.hdrhistogram:HdrHistogram:jar:2.1.9:runtime
[INFO] | | | \- io.reactivex:rxnetty:jar:0.4.9:runtime
[INFO] | | | +- io.netty:netty-codec-http:jar:4.0.27.Final:runtime
[INFO] | | | | +- io.netty:netty-codec:jar:4.0.27.Final:runtime
[INFO] | | | | \- io.netty:netty-handler:jar:4.0.27.Final:runtime
[INFO] | | | \- io.netty:netty-transport-native-epoll:jar:4.0.27.Final:runtime
[INFO] | | | +- io.netty:netty-common:jar:4.0.27.Final:runtime
[INFO] | | | +- io.netty:netty-buffer:jar:4.0.27.Final:runtime
[INFO] | | | \- io.netty:netty-transport:jar:4.0.27.Final:runtime
[INFO] | | +- com.netflix.ribbon:ribbon-core:jar:2.2.0:compile
[INFO] | | +- com.netflix.ribbon:ribbon-httpclient:jar:2.2.0:compile
[INFO] | | | \- com.netflix.netflix-commons:netflix-commons-util:jar:0.1.1:runtime
[INFO] | | +- com.netflix.ribbon:ribbon-loadbalancer:jar:2.2.0:compile
[INFO] | | | \- com.netflix.netflix-commons:netflix-statistics:jar:0.1.1:runtime
[INFO] | | \- io.reactivex:rxjava:jar:1.1.10:compile
[INFO] | \- com.netflix.ribbon:ribbon-eureka:jar:2.2.0:compile
[INFO] +- com.fasterxml.uuid:java-uuid-generator:jar:3.1.4:compile
[INFO] +- org.springframework.security:spring-security-web:jar:4.2.12.RELEASE:compile
[INFO] | +- aopalliance:aopalliance:jar:1.0:compile
[INFO] | +- org.springframework.security:spring-security-core:jar:4.2.1.RELEASE:compile
[INFO] | +- org.springframework:spring-beans:jar:4.3.6.RELEASE:compile
[INFO] | +- org.springframework:spring-context:jar:4.3.6.RELEASE:compile
[INFO] | +- org.springframework:spring-core:jar:4.3.6.RELEASE:compile
[INFO] | \- org.springframework:spring-expression:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.security:spring-security-config:jar:4.2.12.RELEASE:compile
[INFO] | \- org.springframework:spring-aop:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:2.1.5.RELEASE:compile
[INFO] +- commons-net:commons-net:jar:3.6:compile
[INFO] +- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] +- org.mybatis.spring.boot:mybatis-spring-boot-starter:jar:1.3.2:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-jdbc:jar:1.5.1.RELEASE:compile
[INFO] | | +- org.apache.tomcat:tomcat-jdbc:jar:8.5.11:compile
[INFO] | | | \- org.apache.tomcat:tomcat-juli:jar:8.5.11:compile
[INFO] | | \- org.springframework:spring-jdbc:jar:4.3.6.RELEASE:compile
[INFO] | | \- org.springframework:spring-tx:jar:4.3.6.RELEASE:compile
[INFO] | +- org.mybatis.spring.boot:mybatis-spring-boot-autoconfigure:jar:1.3.2:compile
[INFO] | +- org.mybatis:mybatis:jar:3.4.6:compile
[INFO] | \- org.mybatis:mybatis-spring:jar:1.3.2:compile
[INFO] +- org.apache.velocity:velocity:jar:1.7:compile
[INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.10:compile
[INFO] | +- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] | \- xpp3:xpp3_min:jar:1.1.4c:compile
[INFO] +- org.apache.poi:poi:jar:3.10-FINAL:compile
[INFO] +- org.apache.poi:poi-ooxml:jar:3.9:compile
[INFO] | +- org.apache.poi:poi-ooxml-schemas:jar:3.9:compile
[INFO] | | \- org.apache.xmlbeans:xmlbeans:jar:2.3.0:compile
[INFO] | \- dom4j:dom4j:jar:1.6.1:compile
[INFO] +- com.monitorjbl:xlsx-streamer:jar:2.0.0:compile
[INFO] | +- com.rackspace.apache:xerces2-xsd11:jar:2.11.1:compile
[INFO] | | +- com.rackspace.eclipse.webtools.sourceediting:org.eclipse.wst.xml.xpath2.processor:jar:2.1.100:compile
[INFO] | | | +- edu.princeton.cup:java-cup:jar:10k:compile
[INFO] | | | \- com.ibm.icu:icu4j:jar:4.6:compile
[INFO] | | \- xml-resolver:xml-resolver:jar:1.2:compile
[INFO] | +- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] | \- org.slf4j:slf4j-api:jar:1.7.22:compile
[INFO] +- org.jsoup:jsoup:jar:1.10.2:compile
[INFO] +- commons-io:commons-io:jar:2.5:compile
[INFO] +- org.apache.httpcomponents:httpasyncclient:jar:4.1.4:compile
[INFO] | \- org.apache.httpcomponents:httpcore-nio:jar:4.4.10:compile
[INFO] +- io.springfox:springfox-swagger2:jar:2.9.2:compile
[INFO] | +- io.swagger:swagger-annotations:jar:1.5.20:compile
[INFO] | +- io.swagger:swagger-models:jar:1.5.20:compile
[INFO] | +- io.springfox:springfox-spi:jar:2.9.2:compile
[INFO] | | \- io.springfox:springfox-core:jar:2.9.2:compile
[INFO] | | \- net.bytebuddy:byte-buddy:jar:1.8.12:compile
[INFO] | +- io.springfox:springfox-schema:jar:2.9.2:compile
[INFO] | +- io.springfox:springfox-swagger-common:jar:2.9.2:compile
[INFO] | +- io.springfox:springfox-spring-web:jar:2.9.2:compile
[INFO] | +- com.fasterxml:classmate:jar:1.3.3:compile
[INFO] | +- org.springframework.plugin:spring-plugin-core:jar:1.2.0.RELEASE:compile
[INFO] | +- org.springframework.plugin:spring-plugin-metadata:jar:1.2.0.RELEASE:compile
[INFO] | \- org.mapstruct:mapstruct:jar:1.2.0.Final:compile
[INFO] +- io.springfox:springfox-swagger-ui:jar:2.9.2:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.16:provided
[INFO] +- org.yaml:snakeyaml:jar:1.21:compile
[INFO] +- org.springframework:spring-test:jar:4.3.6.RELEASE:compile
[INFO] +- junit:junit:jar:4.12:compile
[INFO] | \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] +- io.jsonwebtoken:jjwt:jar:0.9.1:compile
[INFO] \- com.auth0:java-jwt:jar:4.0.0:compile
Suggested solutions:
Update dependency version
Thank you very much.
Apologies!
Apologies!
I accidentally edited the pom.xml in the master and not in my fork!
Please ignore.
I have fixed my code to respect the beautiful ZH characters in the pom.xml, so no need to make any changes.
Best regards.
jolokia/list访问不到
那个,在复现actualtor漏洞,xxx/jolokia/list访问为啥没正确页面呢?jdk版本没问题的。
[Bug] Codeinject的host部分由于pom.xml更新了tomcat 版本导致打不通
对于接口/codeinject/host,预期是通过修改host命令注入。
pom.xml中由于此Commit https://github.com/JoyChou93/java-sec-code/commit/621c30050f82379afe1e2e6d4ff66c1234f33913,本地启动项目的话tomcat是8.5.85 的版本。这个版本的tomcat会对host的格式做检验,对于例如host: localhost;cat /flag的host值,会认为; /这些字符不符合,从而导致打不通。
8.5.85
tomcat是8.5.11的话,可以正常打通。
无法使用
老哥你这个,是我不会配还是怎么的,就是很奇怪,
你这个必须登录嘛,要不就会一直在login
但是你那个在线的地址,和docker 我都试了一下,admin都登陆不了,不能用,我看下源码,登陆功能是空的,有点不懂
自动化渗透获取token方法
原理
-
- 首先GET访问 /login 后签发了一个cookie其中涵盖了 xsrf-token 字段,这个字段会加入到请求头信息中。
-
- 接着POST访问 /login 时候,讲上面获取的
xsrf-token的信息添加到X-CSRF-TOKEN的请求头字段中进行表单提交即可。
- 接着POST访问 /login 时候,讲上面获取的
-
- 验证 token 有效的方法
/swagger-ui.html是需要登录的,关闭重定向后如果能访问成功说明token有效。
- 验证 token 有效的方法
# coding:utf-8
import os
import re
from urllib.parse import urlencode
import requests
try:
from lib.web_sdk.logger import Log
logging = Log(log_flag='java_code_sec')
except:
import logging
default_header = {
"User-Agent": "DEFAULT-SecurityLab-Tool-FOR-JAVA-SEC"
}
DATA_DIR = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'data')
if not os.path.exists(DATA_DIR):
os.makedirs(DATA_DIR)
cookie_save_path = os.path.join(DATA_DIR, 'cookie.txt')
def get_cookie_token(login_url='http://10.27.106.240/login'):
headers = {}
res = requests.get(login_url, headers=headers)
cookie = [(';'.join(['='.join(item) for item in res.cookies.items()]))][0]
# user_token = re.findall("name='user_token' value='(\w+)' />", res.text)[0]
csrf_token = res.headers
return cookie, csrf_token
def get_javacodesec_cookie(
host_root_dir='http://10.27.106.240',
username='admin',
password='admin123',
write_local=True):
login_url = host_root_dir + '/login'
_cookie, xsrf_token = get_cookie_token(login_url=login_url)
# TODO 注意这里的登录使用的是 headers:X-XSRF-TOKEN 校验 而不是 `headers:XSRF-TOKEN`
headers = {
'Cookie': _cookie,
'X-XSRF-TOKEN': re.match('XSRF-TOKEN=([0-9a-z-]+)', str(_cookie)).group(1),
'Content-Type': 'application/x-www-form-urlencoded'
}
values = {'username': username,
'password': password,
**{"remember-me": "false"}
}
response = requests.post(login_url, data=urlencode(values), headers=headers)
cookie = [(';'.join(['='.join(item) for item in response.cookies.items()]))][0]
# TODO 注意这里是登录成功后使用重新签发的 token 进行下面一系列的操作
try:
return cookie
finally:
if write_local:
FileManager(path=cookie_save_path).write(cookie)
class FileManager:
def __init__(self, path):
self.path = path
def read(self):
with open(self.path, 'rb') as f:
_txt = f.read().decode()
f.close()
return _txt
def write(self, s: str):
with open(self.path, 'wb') as f:
f.write(s.encode())
f.close()
def load_cookie_from_local():
return FileManager(path=cookie_save_path).read()
def valid_cookie(host_root_dir='http://10.27.106.240', url='/swagger-ui.html'):
if os.path.exists(cookie_save_path):
current_cookie = load_cookie_from_local()
headers = dict(default_header, **{"Cookie": load_cookie_from_local()})
response = requests.get(url=host_root_dir + url, allow_redirects=False, headers=headers)
if response.status_code != 200:
logging.warn('重新校验 - 失效')
return get_javacodesec_cookie()
logging.warn('校验通过- Cookie 有效')
return current_cookie
else:
logging.warn('校验 - 首次获取')
return get_javacodesec_cookie()
def get_cookie_headers(host_root_dir='http://10.27.106.240/'):
cookie = valid_cookie(host_root_dir=host_root_dir)
return dict(default_header, **{"Cookie": cookie})
if __name__ == '__main__':
valid_cookie()sqli的url有点小问题,应当是jdbc/vuln?username=
应当是http://localhost:8080/sqli/jdbc/vuln?username=joychou
源代码:
/**
* Vuln Code.
* http://localhost:8080/sqli/jdbc/vul?username=joychou
*
* @param username username
*/
@RequestMapping("/jdbc/vuln")
Jsonp的Referer拦截比较粗暴
问题
目前只要带有callback的get请求都会进行Referer判断。
比如 http://localhost:8080/index?callback=123
解决
加一层判断,判断请求是否返回真的Jsonp格式。
Please update lombok
Please consider upgrading lombok from version 1.18.16 to version 1.18.20
I get a compiler error:
"Fatal error compiling: java.lang.IllegalAccessError: class lombok.javac.apt.LombokProcessor (in unnamed module @0x3816efab) cannot access class com.sun.tools.javac.processing.JavacProcessingEnvironment (in module jdk.compiler) because module jdk.compiler does not export com.sun.tools.javac.processing to unnamed module @0x3816efab"
SSRF的代码感觉有些问题
/HttpURLConnection
访问:http://localhost:8080/ssrf/HttpURLConnection?url=file:///etc/passwd
会报异常:java.lang.ClassCastException: sun.net.www.protocol.file.FileURLConnection cannot be cast to java.net.HttpURLConnection
修改添加代码:
URL u = new URL(null,url,new sun.net.www.protocol.file.Handler());
任然报错,请作者指点一二
RCE的链接无法访问,其他的漏洞可以正常访问
RCE的链接无法访问,其他的漏洞可以正常访问,大佬麻烦帮忙看下,感谢!
Springboot的Filter拦截器中使用@value获取值为null
单独在tomcat中使用存在@value获取值为null的情况。
MySQL commands to support running JavaSecCode
Please consider using some account other than 'root', such as 'joychou'. I use MySQL to support a number of services.
The following are commands I use to create the environment to support running JavaSecCode. This list may not be complete.
-- MySQL dump 10.13 Distrib 5.7.31, for Linux (x86_64)
-- Host: localhost Database: java_sec_code
-- Server version 5.7.31-0ubuntu0.18.04.1
--
-- Pedantic, aren't we
USE mysql;
--
-- Remove, create user, Super User
DROP USER IF EXISTS joychou@localhost;
CREATE USER 'joychou'@'localhost' IDENTIFIED BY 'woshishujukumima';
GRANT ALL PRIVILEGES ON . TO 'joychou'@'localhost' IDENTIFIED BY 'woshishujukumima';
--
-- Remove, create database
DROP DATABASE IF EXISTS java_sec_code;
CREATE DATABASE java_sec_code;
USE java_sec_code;
--
-- Table structure for table users
DROP TABLE IF EXISTS java_sec_code.users;
CREATE TABLE users (
id int(11) NOT NULL,
username varchar(16) NOT NULL,
password varchar(32) NOT NULL,
PRIMARY KEY (id)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
--
-- Dumping data for table users
LOCK TABLES users WRITE;
INSERT INTO users VALUES (1,'joychou','password');
UNLOCK TABLES;
Dependency org.apache.httpcomponents:httpclient, leading to CVE problem
Hi,there is a dependency **org.apache.httpcomponents:httpclient:4.5.12
** that calls the risk method.
The scope of this CVE affected version is [,4.5.13)
After further analysis, in this project, the main Api called is org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 5
org.joychou.util.HttpUtils: httpClient(java.lang.String)Ljava.lang.String; .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.http.impl.client.CloseableHttpClient: execute(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.client.methods.CloseableHttpResponse; .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.http.impl.client.CloseableHttpClient: execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)Lorg.apache.http.client.methods.CloseableHttpResponse; .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.http.impl.client.CloseableHttpClient: determineTarget(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpHost; .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;
Dependency tree--
[INFO] sec:java-sec-code:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.1.RELEASE:compile
[INFO] | +- org.springframework.boot:spring-boot-starter:jar:1.5.1.RELEASE:compile
[INFO] | | +- org.springframework.boot:spring-boot:jar:1.5.1.RELEASE:compile
[INFO] | | +- org.springframework.boot:spring-boot-autoconfigure:jar:1.5.1.RELEASE:compile
[INFO] | | \- org.springframework.boot:spring-boot-starter-logging:jar:1.5.1.RELEASE:compile
[INFO] | | +- ch.qos.logback:logback-classic:jar:1.1.9:compile
[INFO] | | | \- ch.qos.logback:logback-core:jar:1.1.9:compile
[INFO] | | +- org.slf4j:jcl-over-slf4j:jar:1.7.22:compile
[INFO] | | +- org.slf4j:jul-to-slf4j:jar:1.7.22:compile
[INFO] | | \- org.slf4j:log4j-over-slf4j:jar:1.7.22:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.1.RELEASE:compile
[INFO] | | +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.11:compile
[INFO] | | +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.11:compile
[INFO] | | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.11:compile
[INFO] | +- org.hibernate:hibernate-validator:jar:5.3.4.Final:compile
[INFO] | | +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] | | \- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.6:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] | | \- com.fasterxml.jackson.core:jackson-core:jar:2.8.6:compile
[INFO] | +- org.springframework:spring-web:jar:4.3.6.RELEASE:compile
[INFO] | \- org.springframework:spring-webmvc:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:1.5.1.RELEASE:compile
[INFO] | +- org.thymeleaf:thymeleaf-spring4:jar:2.1.5.RELEASE:compile
[INFO] | | \- org.thymeleaf:thymeleaf:jar:2.1.5.RELEASE:compile
[INFO] | | +- ognl:ognl:jar:3.0.8:compile
[INFO] | | +- org.javassist:javassist:jar:3.21.0-GA:compile
[INFO] | | \- org.unbescape:unbescape:jar:1.1.0.RELEASE:compile
[INFO] | \- nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:jar:1.4.0:compile
[INFO] | \- org.codehaus.groovy:groovy:jar:2.4.7:compile
[INFO] +- mysql:mysql-connector-java:jar:8.0.12:compile
[INFO] | \- com.google.protobuf:protobuf-java:jar:2.6.0:compile
[INFO] +- com.alibaba:fastjson:jar:1.2.24:compile
[INFO] +- org.jdom:jdom2:jar:2.0.6:compile
[INFO] +- org.dom4j:dom4j:jar:2.1.0:compile
[INFO] | \- jaxen:jaxen:jar:1.1.6:compile
[INFO] +- com.google.guava:guava:jar:23.0:compile
[INFO] | +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] | +- com.google.errorprone:error_prone_annotations:jar:2.0.18:compile
[INFO] | +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] | \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] +- commons-collections:commons-collections:jar:3.1:compile
[INFO] +- commons-lang:commons-lang:jar:2.4:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.12:compile
[INFO] | +- org.apache.httpcomponents:httpcore:jar:4.4.6:compile
[INFO] | \- commons-codec:commons-codec:jar:1.10:compile
[INFO] +- org.apache.httpcomponents:fluent-hc:jar:4.3.6:compile
[INFO] | \- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.9.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.9.1:compile
[INFO] +- com.squareup.okhttp:okhttp:jar:2.5.0:compile
[INFO] | \- com.squareup.okio:okio:jar:1.6.0:compile
[INFO] +- org.apache.commons:commons-digester3:jar:3.2:compile
[INFO] | \- cglib:cglib:jar:2.2.2:compile
[INFO] | \- asm:asm:jar:3.3.1:compile
[INFO] +- org.jolokia:jolokia-core:jar:1.6.0:compile
[INFO] | \- com.googlecode.json-simple:json-simple:jar:1.1.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-actuator:jar:1.5.1.RELEASE:compile
[INFO] | \- org.springframework.boot:spring-boot-actuator:jar:1.5.1.RELEASE:compile
[INFO] +- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:1.4.0.RELEASE:compile
[INFO] | +- org.springframework.cloud:spring-cloud-starter:jar:1.1.3.RELEASE:compile
[INFO] | | +- org.springframework.cloud:spring-cloud-context:jar:1.1.3.RELEASE:compile
[INFO] | | | \- org.springframework.security:spring-security-crypto:jar:4.2.1.RELEASE:compile
[INFO] | | +- org.springframework.cloud:spring-cloud-commons:jar:1.1.3.RELEASE:compile
[INFO] | | \- org.springframework.security:spring-security-rsa:jar:1.0.3.RELEASE:compile
[INFO] | | \- org.bouncycastle:bcpkix-jdk15on:jar:1.55:compile
[INFO] | | \- org.bouncycastle:bcprov-jdk15on:jar:1.55:compile
[INFO] | +- org.springframework.cloud:spring-cloud-netflix-core:jar:1.2.0.RELEASE:compile
[INFO] | +- org.springframework.cloud:spring-cloud-netflix-eureka-client:jar:1.2.0.RELEASE:compile
[INFO] | +- com.netflix.eureka:eureka-client:jar:1.4.11:compile
[INFO] | | +- org.codehaus.jettison:jettison:jar:1.3.7:runtime
[INFO] | | | \- stax:stax-api:jar:1.0.1:compile
[INFO] | | +- com.netflix.netflix-commons:netflix-eventbus:jar:0.3.0:runtime
[INFO] | | | +- com.netflix.netflix-commons:netflix-infix:jar:0.3.0:runtime
[INFO] | | | | +- commons-jxpath:commons-jxpath:jar:1.3:runtime
[INFO] | | | | +- joda-time:joda-time:jar:2.9.7:runtime
[INFO] | | | | +- org.antlr:antlr-runtime:jar:3.4:runtime
[INFO] | | | | | +- org.antlr:stringtemplate:jar:3.2.1:runtime
[INFO] | | | | | \- antlr:antlr:jar:2.7.7:runtime
[INFO] | | | | \- com.google.code.gson:gson:jar:2.8.0:runtime
[INFO] | | | \- org.apache.commons:commons-math:jar:2.2:runtime
[INFO] | | +- com.netflix.archaius:archaius-core:jar:0.7.4:compile
[INFO] | | +- javax.ws.rs:jsr311-api:jar:1.1.1:runtime
[INFO] | | +- com.netflix.servo:servo-core:jar:0.10.1:runtime
[INFO] | | | \- com.netflix.servo:servo-internal:jar:0.10.1:runtime
[INFO] | | +- com.sun.jersey:jersey-core:jar:1.19.1:runtime
[INFO] | | +- com.sun.jersey:jersey-client:jar:1.19.1:runtime
[INFO] | | +- com.sun.jersey.contribs:jersey-apache-client4:jar:1.19.1:runtime
[INFO] | | +- com.google.inject:guice:jar:4.0:runtime
[INFO] | | | \- javax.inject:javax.inject:jar:1:runtime
[INFO] | | \- com.netflix.governator:governator-api:jar:1.12.10:runtime
[INFO] | +- com.netflix.eureka:eureka-core:jar:1.4.11:compile
[INFO] | | +- com.netflix.governator:governator:jar:1.12.10:runtime
[INFO] | | | +- com.netflix.governator:governator-core:jar:1.12.10:runtime
[INFO] | | | | +- com.google.inject.extensions:guice-multibindings:jar:4.0:runtime
[INFO] | | | | \- com.google.inject.extensions:guice-grapher:jar:4.0:runtime
[INFO] | | | | \- com.google.inject.extensions:guice-assistedinject:jar:4.0:runtime
[INFO] | | | \- org.ow2.asm:asm:jar:5.0.4:runtime
[INFO] | | \- org.codehaus.woodstox:woodstox-core-asl:jar:4.4.1:runtime
[INFO] | | +- javax.xml.stream:stax-api:jar:1.0-2:runtime
[INFO] | | \- org.codehaus.woodstox:stax2-api:jar:3.1.4:runtime
[INFO] | +- org.springframework.cloud:spring-cloud-starter-netflix-archaius:jar:1.4.0.RELEASE:compile
[INFO] | | \- commons-configuration:commons-configuration:jar:1.8:compile
[INFO] | +- org.springframework.cloud:spring-cloud-starter-netflix-ribbon:jar:1.4.0.RELEASE:compile
[INFO] | | +- com.netflix.ribbon:ribbon:jar:2.2.0:compile
[INFO] | | | +- com.netflix.ribbon:ribbon-transport:jar:2.2.0:runtime
[INFO] | | | | +- io.reactivex:rxnetty-contexts:jar:0.4.9:runtime
[INFO] | | | | \- io.reactivex:rxnetty-servo:jar:0.4.9:runtime
[INFO] | | | +- com.netflix.hystrix:hystrix-core:jar:1.5.5:runtime
[INFO] | | | | \- org.hdrhistogram:HdrHistogram:jar:2.1.9:runtime
[INFO] | | | \- io.reactivex:rxnetty:jar:0.4.9:runtime
[INFO] | | | +- io.netty:netty-codec-http:jar:4.0.27.Final:runtime
[INFO] | | | | +- io.netty:netty-codec:jar:4.0.27.Final:runtime
[INFO] | | | | \- io.netty:netty-handler:jar:4.0.27.Final:runtime
[INFO] | | | \- io.netty:netty-transport-native-epoll:jar:4.0.27.Final:runtime
[INFO] | | | +- io.netty:netty-common:jar:4.0.27.Final:runtime
[INFO] | | | +- io.netty:netty-buffer:jar:4.0.27.Final:runtime
[INFO] | | | \- io.netty:netty-transport:jar:4.0.27.Final:runtime
[INFO] | | +- com.netflix.ribbon:ribbon-core:jar:2.2.0:compile
[INFO] | | +- com.netflix.ribbon:ribbon-httpclient:jar:2.2.0:compile
[INFO] | | | \- com.netflix.netflix-commons:netflix-commons-util:jar:0.1.1:runtime
[INFO] | | +- com.netflix.ribbon:ribbon-loadbalancer:jar:2.2.0:compile
[INFO] | | | \- com.netflix.netflix-commons:netflix-statistics:jar:0.1.1:runtime
[INFO] | | \- io.reactivex:rxjava:jar:1.1.10:compile
[INFO] | \- com.netflix.ribbon:ribbon-eureka:jar:2.2.0:compile
[INFO] +- com.fasterxml.uuid:java-uuid-generator:jar:3.1.4:compile
[INFO] +- org.springframework.security:spring-security-web:jar:4.2.12.RELEASE:compile
[INFO] | +- aopalliance:aopalliance:jar:1.0:compile
[INFO] | +- org.springframework.security:spring-security-core:jar:4.2.1.RELEASE:compile
[INFO] | +- org.springframework:spring-beans:jar:4.3.6.RELEASE:compile
[INFO] | +- org.springframework:spring-context:jar:4.3.6.RELEASE:compile
[INFO] | +- org.springframework:spring-core:jar:4.3.6.RELEASE:compile
[INFO] | \- org.springframework:spring-expression:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.security:spring-security-config:jar:4.2.12.RELEASE:compile
[INFO] | \- org.springframework:spring-aop:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:2.1.5.RELEASE:compile
[INFO] +- commons-net:commons-net:jar:3.6:compile
[INFO] +- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] +- org.mybatis.spring.boot:mybatis-spring-boot-starter:jar:1.3.2:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-jdbc:jar:1.5.1.RELEASE:compile
[INFO] | | +- org.apache.tomcat:tomcat-jdbc:jar:8.5.11:compile
[INFO] | | | \- org.apache.tomcat:tomcat-juli:jar:8.5.11:compile
[INFO] | | \- org.springframework:spring-jdbc:jar:4.3.6.RELEASE:compile
[INFO] | | \- org.springframework:spring-tx:jar:4.3.6.RELEASE:compile
[INFO] | +- org.mybatis.spring.boot:mybatis-spring-boot-autoconfigure:jar:1.3.2:compile
[INFO] | +- org.mybatis:mybatis:jar:3.4.6:compile
[INFO] | \- org.mybatis:mybatis-spring:jar:1.3.2:compile
[INFO] +- org.apache.velocity:velocity:jar:1.7:compile
[INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.10:compile
[INFO] | +- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] | \- xpp3:xpp3_min:jar:1.1.4c:compile
[INFO] +- org.apache.poi:poi:jar:3.10-FINAL:compile
[INFO] +- org.apache.poi:poi-ooxml:jar:3.9:compile
[INFO] | +- org.apache.poi:poi-ooxml-schemas:jar:3.9:compile
[INFO] | | \- org.apache.xmlbeans:xmlbeans:jar:2.3.0:compile
[INFO] | \- dom4j:dom4j:jar:1.6.1:compile
[INFO] +- com.monitorjbl:xlsx-streamer:jar:2.0.0:compile
[INFO] | +- com.rackspace.apache:xerces2-xsd11:jar:2.11.1:compile
[INFO] | | +- com.rackspace.eclipse.webtools.sourceediting:org.eclipse.wst.xml.xpath2.processor:jar:2.1.100:compile
[INFO] | | | +- edu.princeton.cup:java-cup:jar:10k:compile
[INFO] | | | \- com.ibm.icu:icu4j:jar:4.6:compile
[INFO] | | \- xml-resolver:xml-resolver:jar:1.2:compile
[INFO] | +- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] | \- org.slf4j:slf4j-api:jar:1.7.22:compile
[INFO] +- org.jsoup:jsoup:jar:1.10.2:compile
[INFO] +- commons-io:commons-io:jar:2.5:compile
[INFO] +- org.apache.httpcomponents:httpasyncclient:jar:4.1.4:compile
[INFO] | \- org.apache.httpcomponents:httpcore-nio:jar:4.4.10:compile
[INFO] +- io.springfox:springfox-swagger2:jar:2.9.2:compile
[INFO] | +- io.swagger:swagger-annotations:jar:1.5.20:compile
[INFO] | +- io.swagger:swagger-models:jar:1.5.20:compile
[INFO] | +- io.springfox:springfox-spi:jar:2.9.2:compile
[INFO] | | \- io.springfox:springfox-core:jar:2.9.2:compile
[INFO] | | \- net.bytebuddy:byte-buddy:jar:1.8.12:compile
[INFO] | +- io.springfox:springfox-schema:jar:2.9.2:compile
[INFO] | +- io.springfox:springfox-swagger-common:jar:2.9.2:compile
[INFO] | +- io.springfox:springfox-spring-web:jar:2.9.2:compile
[INFO] | +- com.fasterxml:classmate:jar:1.3.3:compile
[INFO] | +- org.springframework.plugin:spring-plugin-core:jar:1.2.0.RELEASE:compile
[INFO] | +- org.springframework.plugin:spring-plugin-metadata:jar:1.2.0.RELEASE:compile
[INFO] | \- org.mapstruct:mapstruct:jar:1.2.0.Final:compile
[INFO] +- io.springfox:springfox-swagger-ui:jar:2.9.2:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.16:provided
[INFO] +- org.yaml:snakeyaml:jar:1.21:compile
[INFO] +- org.springframework:spring-test:jar:4.3.6.RELEASE:compile
[INFO] +- junit:junit:jar:4.12:compile
[INFO] | \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] +- io.jsonwebtoken:jjwt:jar:0.9.1:compile
[INFO] \- com.auth0:java-jwt:jar:4.0.0:compile
Suggested solutions:
Update dependency version
Thank you very much.
直接将该项目import进IDEA后,运行时报错
org.springframework.context.ApplicationContextException: Unable to start EmbeddedWebApplicationContext due to missing EmbeddedServletContainerFactory bean. 对于该错误,我尝试了多种方法都无效
crlf injection is wrong
Hello, when I learn it, I found that CRLF Injection did not work, as follows:
Can you help me?
目前针对DnsRebind的问题无法解决
可考虑使用Hook TCP,获取到IP后进行IP黑名单判断。todo
执行rm -rf /*之后系统不能用了
RCE的链接无法访问,其他的漏洞可以正常访问
RCE的链接无法访问,其他的漏洞可以正常访问,大佬麻烦帮忙看下,感谢!
关于Cookies部分意图的疑问
大佬你好,我想请问一下Cookies部分代码的意图是什么,左思右想也没有想到 = =,希望大佬能指点一二
ssrf这个怎么使用
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.