git clone https://github.com/JoyChou93/java-sec-code && cd java-sec-code
Build the war package with mvn clean package. Copy the war package to the tomcat webapps directory. Start the tomcat application. Example: http://localhost:8080
Java Security Code
Introduction
This project could also be called Java Vulnerability Code. The code for each vulnerability type is vulnerable by default (unless the case is inherently not vulnerable); the corresponding fix code is in the comments. See each vulnerability's code and comments for details.
http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami
Returns: Viarus
JAR package
First modify the configuration in pom.xml, changing war to jar:
<groupId>sec</groupId>
<artifactId>java-sec-code</artifactId>
<version>1.0.0</version>
<packaging>war</packaging>
Then package and run.
git clone https://github.com/Jo...
import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; import javax.servlet.http.HttpServletRequest; import org.sotower.bpm.api.data.BPMCreateOption; import org.sotower.bpm.api.data.FinishOption; import org.springframework.beans.factory.annotation.Autow...
obj.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
0x02 Reference links
Java code audit: XXE and SSRF
https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java
If the business requirements and request sources are not fixed, you can write your own ssrfCheck function, for example: https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/SSRFChecker.java
0x04 Analysis of a real-world case (CVE-2019-9827)
1. Case introduction
CVE address: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-982...
All of the following code comes from: java-sec-code/XXE.java at master · JoyChou93/java-sec-code (github.com)
6.1 XMLReader
try { String body = WebUtils.getRequestBody(request); logger.info(body); XMLReader xmlReader = XMLReaderFactory.createXMLReader(); xmlReader.parse(new InputSource(ne...
Start Time: 1657529930 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: yes
All of the following code comes from: java-sec-code/XXE.java at master · JoyChou93/java-sec-code (github.com)
XMLReader
try { String body = WebUtils.getRequestBody(request); logger.info(body); XMLReader xmlReader = XMLReaderFactory.createXMLReader(); ...
--- Root directory: Javaweb-sec-master
--- Set the JDK version and language level
--- In Modules, set the Deployment Descriptors path to the site's web.xml
--- In Modules, set the Web Resource Directories path to the site's webapp directory
--- Libraries: the Maven packages imported automatically
--- The directory structure required by Maven
--- My site's directory
2. Find...