47 changes: 36 additions & 11 deletions src/main/java/org/joychou/controller/SQLI.java
Expand Up @@ -4,10 +4,11 @@
import org.joychou.mapper.UserMapper;
import org.joychou.dao.User;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.*;

import javax.servlet.http.HttpServletRequest;
import java.sql.*;
import java.util.List;


/**
Expand All @@ -16,14 +17,18 @@
* @desc SQL Injection
*/

@SuppressWarnings("Duplicates")
@RestController
@RequestMapping("/sqli")
public class SQLI {

private static String driver = "com.mysql.jdbc.Driver";
private static String url = "jdbc:mysql://localhost:3306/java_sec_code";
private static String user = "root";
private static String password = "woshishujukumima";
@Value("${spring.datasource.url}")
private String url;
@Value("${spring.datasource.username}")
private String user;
@Value("${spring.datasource.password}")
private String password;

@Autowired
private UserMapper userMapper;
Expand All @@ -36,7 +41,7 @@ public class SQLI {
* @param username username
*/
@RequestMapping("/jdbc/vul")
public static String jdbc_sqli_vul(@RequestParam("username") String username){
public String jdbc_sqli_vul(@RequestParam("username") String username){
String result = "";
try {
Class.forName(driver);
Expand Down Expand Up @@ -88,7 +93,7 @@ public static String jdbc_sqli_vul(@RequestParam("username") String username){
* @param username username
*/
@RequestMapping("/jdbc/sec")
public static String jdbc_sqli_sec(@RequestParam("username") String username){
public String jdbc_sqli_sec(@RequestParam("username") String username){

String result = "";
try {
Expand Down Expand Up @@ -134,6 +139,28 @@ public static String jdbc_sqli_sec(@RequestParam("username") String username){
return result;
}

/**
* vul code
* http://localhost:8080/sqli/mybatis/vul01?username=joychou' or '1'='1
*
* @param username username
*/
@GetMapping("/mybatis/vul01")
public List<User> mybatis_vul1(@RequestParam("username") String username) {
return userMapper.findByUserNameVul(username);
}

/**
* vul code
* http://localhost:8080/sqli/mybatis/vul02?username=joychou' or '1'='1' %23
*
* @param username username
*/
@GetMapping("/mybatis/vul02")
public List<User> mybatis_vul2(@RequestParam("username") String username) {
return userMapper.findByUserNameVul2(username);
}


/**
* security code
Expand All @@ -142,20 +169,18 @@ public static String jdbc_sqli_sec(@RequestParam("username") String username){
* @param username username
*/
@GetMapping("/mybatis/sec01")
public User mybatis_vul1(@RequestParam("username") String username) {
public User mybatis_sec1(@RequestParam("username") String username) {
return userMapper.findByUserName(username);
}



/**
* security code
* http://localhost:8080/sqli/mybatis/sec02?id=1
*
* @param id id
*/
@GetMapping("/mybatis/sec02")
public User mybatis_v(@RequestParam("id") Integer id) {
public User mybatis_sec2(@RequestParam("id") Integer id) {
return userMapper.findById(id);
}

Expand All @@ -165,7 +190,7 @@ public User mybatis_v(@RequestParam("id") Integer id) {
* http://localhost:8080/sqli/mybatis/sec03
**/
@GetMapping("/mybatis/sec03")
public User mybatis_vul2() {
public User mybatis_sec3() {
return userMapper.OrderByUsername();
}

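Review bot: The driver class name is the one connection setting not moved to `@Value`: the rendered view shows `private static String driver = "com.mysql.jdbc.Driver";` beside the removed `url`/`user`/`password` statics while `Class.forName(driver);` is still there in `jdbc_sqli_vul`, so either the field was dropped (and the file no longer compiles) or it stays hard-coded to the legacy `com.mysql.jdbc.Driver` while application.properties in the same commit declares `spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver`. Reading it from the same source as the other three, `@Value("${spring.datasource.driver-class-name}") private String driver;`, keeps the raw-JDBC endpoints and the Spring datasource from silently loading different drivers. Making `jdbc_sqli_vul` and `jdbc_sqli_sec` instance methods is the right consequence of the fields becoming instance-scoped; both bodies continue outside the hunk.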
67 changes: 61 additions & 6 deletions src/main/java/org/joychou/controller/XSS.java
@@ -1,11 +1,22 @@
package org.joychou.controller;

import org.apache.commons.lang.StringUtils;
import org.joychou.dao.User;
import org.joychou.mapper.UserMapper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.CookieValue;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

import javax.annotation.Resource;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.Statement;

/**
* @author JoyChou (joychou@joychou.org)
Expand All @@ -16,15 +27,59 @@
@Controller
@RequestMapping("/xss")
public class XSS {
@RequestMapping("/print")

/**
* Vul Code.
* ReflectXSS
* http://localhost:8080/xss/reflect?xss=<script>alert(1)</script>
*
* @param xss unescape string
*/
@RequestMapping("/reflect")
@ResponseBody
public static String reflect(String xss)
{
return xss;
}

/**
* Vul Code.
* StoredXSS Step1
* http://localhost:8080/xss/stored/store?xss=<script>alert(1)</script>
*
* @param xss unescape string
*/
@RequestMapping("/stored/store")
@ResponseBody
public static String ssrf_URLConnection(HttpServletRequest request)
public String store(String xss, HttpServletResponse response)
{
String con = request.getParameter("con");
return con;
Cookie cookie = new Cookie("xss", xss);
response.addCookie(cookie);
return "Set param into cookie";
}

// fix code
// return encode(con);
/**
* Vul Code.
* StoredXSS Step2
* http://localhost:8080/xss/stored/show
*
* @param xss unescape string
*/
@RequestMapping("/stored/show")
@ResponseBody
public String show(@CookieValue("xss") String xss)
{
return xss;
}
/**
* safe Code.
* http://localhost:8080/xss/safe
*
*/
@RequestMapping("/safe")
@ResponseBody
public static String safe(String xss){
return encode(xss);
}

public static String encode(String origin) {
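Review bot: The new import block brings in `java.sql.Connection`, `DriverManager`, `Statement`, `UserMapper`, `User`, `Autowired`, `Value`, `Resource` and `StringUtils`, yet none of the code in the hunk (`reflect`, `store`, `show`, `safe`) uses any of them; unless the part of the file below `encode` does, they should go, since an unused `java.sql.Statement` in a controller is exactly what a SAST rule and a reviewer will chase. `show` declares `@CookieValue("xss")` with the default `required = true`, so a request without the cookie is answered with HTTP 400 rather than an empty body; `@CookieValue(value = "xss", required = false)` plus a null check makes the demo behave predictably. The Javadoc on `show` says `@param xss unescape string` but the value comes from the cookie set by `store`, so `@param xss value of the "xss" cookie written by /stored/store` is more accurate. `store` and `show` are instance methods while `reflect` and `safe` remain `static`; one convention for the class would read better.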
8 changes: 8 additions & 0 deletions src/main/java/org/joychou/mapper/UserMapper.java
Expand Up @@ -5,6 +5,8 @@
import org.apache.ibatis.annotations.Select;
import org.joychou.dao.User;

import java.util.List;

@Mapper
public interface UserMapper {

Expand All @@ -15,7 +17,13 @@ public interface UserMapper {
@Select("select * from users where username = #{username}")
User findByUserName(@Param("username") String username);

@Select("select * from users where username = '${username}'")
List<User> findByUserNameVul(@Param("username") String username);

List<User> findByUserNameVul2(String username);

User findById(Integer id);

User OrderByUsername();

}
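Review bot: The two new mapper methods carry no Javadoc, so a reader of the interface cannot tell which of `findByUserNameVul`, `findByUserNameVul2` and `findByUserName` is the teaching example and why: the first uses `${username}`, which MyBatis splices into the SQL text, while `findByUserName` uses `#{username}`, which is bound as a prepared-statement parameter. A short comment on each would make that explicit, e.g. `/** Intentionally vulnerable: ${} is string substitution, not parameter binding; compare findByUserName. */` on `findByUserNameVul`. `findByUserNameVul2`, `findById` and `OrderByUsername` have no `@Select` here because their SQL lives in `mapper/UserMapper.xml`; a one-line comment saying so would spare the next reader a search.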
3 changes: 1 addition & 2 deletions src/main/resources/application.properties
@@ -1,11 +1,10 @@

spring.datasource.url=jdbc:mysql://localhost:3306/java_sec_code?AllowPublicKeyRetrieval=true&useSSL=false
spring.datasource.url=jdbc:mysql://localhost:3306/java_sec_code?AllowPublicKeyRetrieval=true&useSSL=false&serverTimezone=UTC
spring.datasource.username=root
spring.datasource.password=woshishujukumima
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
mybatis.mapper-locations=classpath:mapper/*.xml


# Spring Boot Actuator Vulnerable Config
management.security.enabled=false
# logging.config=classpath:logback-online.xml
9 changes: 9 additions & 0 deletions src/main/resources/create_db.sql
@@ -0,0 +1,9 @@
USE `java_sec_code`;
CREATE TABLE IF NOT EXISTS `users`(
`id` INT UNSIGNED AUTO_INCREMENT,
`username` VARCHAR(255) NOT NULL,
`password` VARCHAR(255) NOT NULL,
PRIMARY KEY (`id`)
)ENGINE=InnoDB DEFAULT CHARSET=utf8;
INSERT INTO `users` VALUES (1, 'admin', 'admin123');
INSERT INTO `users` VALUES (2, 'joychou', 'joychou123');
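Review bot: Re-running create_db.sql fails on the first `INSERT`: the table creation is guarded by `IF NOT EXISTS`, but both inserts use fixed primary keys, so a second run stops with a duplicate-key error on `id` 1. `INSERT IGNORE INTO `users` VALUES (1, 'admin', 'admin123');` (and the same for the second row) keeps the script idempotent, which matters for a setup script people run more than once. `DEFAULT CHARSET=utf8` is MySQL's three-byte subset; `utf8mb4` is what usernames with non-BMP characters need. The seeded passwords are plaintext, consistent with the demo's purpose, but a one-line header comment stating that this is seed data for a deliberately vulnerable app would prevent the file from being reused as a template.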
5 changes: 5 additions & 0 deletions src/main/resources/mapper/UserMapper.xml
Expand Up @@ -13,10 +13,15 @@
<!--select * from users where username = #{username}-->
<!--</select>-->

<select id="findByUserNameVul2" parameterType="String" resultMap="User">
select * from users where username like '%${_parameter}%'
</select>

<select id="findById" resultMap="User">
select * from users where id = #{id}
</select>


<select id="OrderByUsername" resultMap="User">
select * from users order by id asc limit 1
</select>
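Review bot: `findByUserNameVul2` has no comment marking it as the intentionally unsafe variant; in this file `${_parameter}` is text substitution and, unlike `#{id}` in `findById` just below, bypasses parameter binding. A comment such as `<!-- intentionally vulnerable: ${} splices the value into the SQL text; the bound form is like CONCAT('%', #{username}, '%') -->` above the `<select>` tells readers which statement to copy and which not to. Naming the `CONCAT` form is worth it here because `#{}` cannot sit inside a quoted literal, which is exactly why the `'%...%'` pattern tends to be written with `${}` in the first place.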