add spel

ops733769 · Jul 15, 2021 · b8017f0 · b8017f0
1 parent 7acf054
commit b8017f0
Show file tree

Hide file tree

Showing 9 changed files with 109 additions and 35 deletions.
diff --git a/README.md b/README.md
@@ -2,44 +2,40 @@
 <div align="center">
 
 ![SecExample](https://socialify.git.ci/tangxiaofeng7/SecExample/image?description=1&descriptionEditable=Vulnerability%20environment%20for%20Java&font=Raleway&forks=1&issues=1&pattern=Overlapping%20Hexagons&stargazers=1&theme=Dark)
-Use secexample to study Web security vulnerabilities
+JAVA 漏洞靶场
 <br>
 https://github.com/tangxiaofeng7/SecExample
 <br>
 </div>
 
 
-# Introduce
+# 介绍
 | Name               | Star |
 | ---------------------- | ---- |
-| [SQLI]         | 🌟🌟  |
-| [XSS]             | 🌟    |
-| [CSRF]             | 🌟    |
-| [SSRF]            | 🌟🌟  |
-| [CORS]             | 🌟🌟    |
-| [RCE]             | 🌟🌟  |
-| [Fastjson] | 🌟🌟🌟🌟 |
-| [Verification] | 🌟🌟 |
+| [注入漏洞-SQL注入]         | 🌟🌟🌟  |
+| [注入漏洞-命令注入]             | 🌟    |
+| [注入漏洞-spel表达式注入]             | 🌟🌟🌟    |
+| [XSS漏洞]            | 🌟  |
+| [CSRF漏洞]             | 🌟🌟    |
+| [SSRF漏洞]             | 🌟🌟  |
+| [CORS漏洞] | 🌟🌟🌟🌟 |
+| [反序列化漏洞-Fastjson反序列化] | 🌟🌟🌟🌟 |
+| [验证码相关漏洞] | 🌟🌟 |
 
 
-### Installation
+### 安装
 
 ```
 git clone https://github.com/tangxiaofeng7/SecExample.git
 cd SecExample
 docker-compose up -d
 ```
 
-view: http://localhost:8080
+访问: http://localhost:8080
 
 [![asciicast](https://asciinema.org/a/gcuay3zNoRUZ85BTPgjpGukuC.svg)](https://asciinema.org/a/gcuay3zNoRUZ85BTPgjpGukuC)
 
 
-### Screenshot
+### 截图
 
 ![index.png](images/index.png)
-
-# Contributors
-
-<a href="https://github.com/tangxiaofeng7" target="_blank">
-    <img width=50 src="https://avatars.githubusercontent.com/u/45926593?s=60&v=4"></a>
diff --git a/images/index.png b/images/index.png
diff --git a/src/main/java/com/suyu/secexample/rce/controller/rcecontroller.java b/src/main/java/com/suyu/secexample/rce/controller/rcecontroller.java
@@ -23,6 +23,9 @@ public String input(){
 
     @PostMapping("/rceoutput")
     public String index(@RequestParam("command") String command, Model model){
+        if(command=="" | command==null){
+            command= "whoami";
+        }
         Process p = null;
         String result = null;
         try {

diff --git a/src/main/java/com/suyu/secexample/xxe/controller/xxecontroller.java b/src/main/java/com/suyu/secexample/xxe/controller/xxecontroller.java
@@ -0,0 +1,14 @@
+package com.suyu.secexample.xxe.controller;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+@Controller
+public class xxecontroller {
+
+    @GetMapping("/xxe")
+    public String input(){
+        return "xxe/xxe";
+    }
+
+}
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
@@ -2,8 +2,8 @@ spring:
   datasource:
     username: root
     password: woaini520
-#    url: jdbc:mysql://localhost:3306/mybatis?serverTimezone=UTC&useSSL=false
-    url: jdbc:mysql://mysql-db:3306/mybatis?serverTimezone=UTC&useSSL=false&allowPublicKeyRetrieval=true
+    url: jdbc:mysql://localhost:3306/mybatis?serverTimezone=UTC&useSSL=false
+#    url: jdbc:mysql://mysql-db:3306/mybatis?serverTimezone=UTC&useSSL=false&allowPublicKeyRetrieval=true
 #    driver-class-name: com.mysql.jdbc.Driver
     driver-class-name: com.mysql.cj.jdbc.Driver
 #  thymeleaf:

diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
@@ -24,63 +24,73 @@ <h1>Java漏洞演示平台</h1>
             <div class="description">SQL注入通过把SQL命令插入到Web表单提交或输入域名或页面请求的查询字符串，最终达到欺骗服务器执行指定的SQL语句</div>
         </div>
         <a  class="ui bottom attached button" th:href="@{/sql}" ><i class="add icon"></i>测试漏洞</a>
+    </div>
 
+    <div class="card">
+        <div class="content">
+            <div class="header">注入漏洞-命令注入</div>
+            <div class="description">RCE (remote code execution):指用户通过浏览器提交执行命令，由于服务器端没有针对执行函数做过滤，导致在没有指定绝对路径的情况下就执行命令，可能会允许攻击者通过改变 $PATH 或程序执行环境的其他方面来执行一个恶意构造的代码。</div>
+        </div>
+        <a  class="ui bottom attached button" th:href="@{/rce}" ><i class="add icon"></i>测试漏洞</a>
+    </div>
+
+    <div class="card">
+        <div class="content">
+            <div class="header">注入漏洞-spel表达式注入</div>
+            <div class="description">spel表达式注入 (Spring Expression Language):是一种功能强大的表达式语言，用于在运行时查询和操作对象图；语法上称为Unified EL，但提供了更多的特性，特别是方法调用和基本字符SpEL的生成是为了给Spring社区提供一种能够与Spring生态系统所有产品无缝对接，能提供一站式支持的表达式语言。</div>
+        </div>
+        <a  class="ui bottom attached button" th:href="@{/spel}" ><i class="add icon"></i>测试漏洞</a>
     </div>
     <div class="card">
         <div class="content">
             <div class="header">XSS漏洞</div>
             <div class="description">XSS(Cross Site Scripting):跨站脚本攻击是指恶意攻击者往Web页面里插入恶意Script代码,当用户浏览该页之时,嵌入其中Web里面的Script代码会被执行,从而达到恶意攻击用户的目的</div>
         </div>
         <a  class="ui bottom attached button" th:href="@{/xss}" ><i class="add icon"></i>测试漏洞</a>
-
     </div>
+
     <div class="card">
         <div class="content">
             <div class="header">CSRF漏洞</div>
             <div class="description">CSRF(Cross-site request forgery):CSRF，跨站请求伪造，在受害者通过浏览器登录某个恶意URL的时候，通过伪造请求达到跨站请求伪造（常见于商城类网站或者自己开发的会员系统）</div>
         </div>
         <a  class="ui bottom attached button" th:href="@{/csrf}" ><i class="add icon"></i>测试漏洞</a>
-
     </div>
+
     <div class="card">
         <div class="content">
             <div class="header">SSRF漏洞</div>
             <div class="description">SSRF(Server-Side Request Forgery):服务器端请求伪造是一种由攻击者构造形成由服务端发起请求的一个安全漏洞。一般情况下，SSRF攻击的目标是从外网无法访问的内部系统。</div>
         </div>
         <a  class="ui bottom attached button" th:href="@{/ssrf}" ><i class="add icon"></i>测试漏洞</a>
-
     </div>
+
     <div class="card">
         <div class="content">
             <div class="header">CORS漏洞</div>
-            <div class="description">CORS(Cross-origin resource sharing)。因为出于安全的考虑, 浏览器不允许Ajax调用当前源之外的资源.，即浏览器的同源策略，但一个请求url的协议、域名、端口三者之间任意一个与当前页面不同即为跨域、它允许阅览器向跨源服务器发送XMLHttpRequest请求，从而克服AJAX只能同源使用的限制
-</div>
+            <div class="description">CORS(Cross-origin resource sharing)。因为出于安全的考虑, 浏览器不允许Ajax调用当前源之外的资源.，即浏览器的同源策略，但一个请求url的协议、域名、端口三者之间任意一个与当前页面不同即为跨域、它允许阅览器向跨源服务器发送XMLHttpRequest请求，从而克服AJAX只能同源使用的限制</div>
         </div>
         <a  class="ui bottom attached button" th:href="@{/cors1}" ><i class="add icon"></i>测试漏洞</a>
-
     </div>
-    <div class="card">
-        <div class="content">
-            <div class="header">RCE漏洞</div>
-            <div class="description">RCE (remote code execution):指用户通过浏览器提交执行命令，由于服务器端没有针对执行函数做过滤，导致在没有指定绝对路径的情况下就执行命令，可能会允许攻击者通过改变 $PATH 或程序执行环境的其他方面来执行一个恶意构造的代码。</div>
-        </div>
-        <a  class="ui bottom attached button" th:href="@{/rce}" ><i class="add icon"></i>测试漏洞</a>
 
-    </div>
     <div class="card">
         <div class="content">
             <div class="header">反序列化漏洞-Fastjson反序列化</div>
             <div class="description">序列化和反序列化本身并不存在问题。但当输入的反序列化的数据可被用户控制，那么攻击者即可通过构造恶意输入，让反序列化产生非预期的对象，在此过程中执行构造的任意代码。</div>
         </div>
         <a  class="ui bottom attached button" th:href="@{/fastjson}" ><i class="add icon"></i>测试漏洞</a>
     </div>
+
+
+
     <div class="card">
         <div class="content">
             <div class="header">验证码相关漏洞</div>
             <div class="description">短信回显<br>短信轰炸<br>前端绕过验证<br>验证码爆破</div>
         </div>
         <a  class="ui bottom attached button" th:href="@{/messageecho}" ><i class="add icon"></i>测试漏洞</a>
     </div>
+
 </div>
 
 

diff --git a/src/main/resources/templates/spel/spel.html b/src/main/resources/templates/spel/spel.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html lang="en" xmlns:th="http://www.thymeleaf.org">
+<head>
+    <meta charset="UTF-8">
+    <title>Java漏洞靶场</title>
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/semantic.min.css">
+</head>
+<body>
+
+<div style="padding: 40px;
+    text-align: center;
+    background: #1abc9c;
+    color: white;">
+    <h1>Java漏洞演示平台</h1>
+    <button class="ui inverted secondary basic button"><a style="color: white" th:href="home">回到首页</a></button>
+</div>
+
+<form th:action="@{/speloutput}" method="post" style="text-align: center;margin: 0px auto;
+     margin-top: 50px;"  border="10">
+    <input type="text" name="selector" placeholder="请输入用户名查找">
+    <input type="submit" value="提交">
+    <p></p>
+    <p>提示：T(java.lang.Runtime).getRuntime().exec('open -a Calculator.app')</p>
+</form>
+
+
+</body>
+</html>
diff --git a/src/main/resources/templates/spel/speloutput.html b/src/main/resources/templates/spel/speloutput.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html lang="en" xmlns:th="http://www.thymeleaf.org">
+<head>
+  <meta charset="UTF-8">
+  <title>Java漏洞靶场</title>
+  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/semantic.min.css">
+</head>
+<body>
+
+<div style="padding: 40px;
+    text-align: center;
+    background: #1abc9c;
+    color: white;">
+  <h1>Java漏洞演示平台</h1>
+  <button class="ui inverted secondary basic button"><a style="color: white" th:href="home">回到首页</a></button>
+</div>
+<div style="text-align: center;margin: 0px auto;
+     margin-top: 50px;">
+您请求的结果为：<p th:text="${selector}"></p>
+</div>
+</body>
+</html>
diff --git a/src/main/resources/templates/ssrf/ssrfoutput.html b/src/main/resources/templates/ssrf/ssrfoutput.html
@@ -15,8 +15,9 @@ <h1>Java漏洞演示平台</h1>
     <button class="ui inverted secondary basic button"><a style="color: white" th:href="home">回到首页</a></button>
 </div>
 
-
+<div style="text-align: center;margin: 0px auto;
+     margin-top: 50px;">
 您请求的结果为：<p th:text="${result}"></p>
-
+</div>
 </body>
 </html>