fix hook socket's bug

JoyChou93 · Apr 4, 2020 · 335bfef · 335bfef
1 parent d170c8f
commit 335bfef
Show file tree

Hide file tree

Showing 43 changed files with 747 additions and 778 deletions.
diff --git a/README.md b/README.md
@@ -190,7 +190,7 @@ Tomcat's default JSESSION session is valid for 30 minutes, so a 30-minute non-op
 
 ## Contributors
 
-Core developers : [JoyChou](https://github.com/JoyChou93).
+Core developers : [JoyChou](https://github.com/JoyChou93), [liergou9981](https://github.com/liergou9981)
 Other developers: [lightless](https://github.com/lightless233),  [Anemone95](https://github.com/Anemone95), [waderwu](https://github.com/waderwu). 
 
 

diff --git a/src/main/java/org/joychou/config/Constants.java b/src/main/java/org/joychou/config/Constants.java
@@ -2,7 +2,8 @@
 
 public class Constants {
 
-    private Constants(){}
+    private Constants() {
+    }
 
     public static final String REMEMBER_ME_COOKIE = "rememberMe";
 }
diff --git a/src/main/java/org/joychou/config/SafeDomainParser.java b/src/main/java/org/joychou/config/SafeDomainParser.java
@@ -14,9 +14,9 @@
 
 public class SafeDomainParser {
 
-    private static Logger logger= LoggerFactory.getLogger(SafeDomainParser.class);
+    private static Logger logger = LoggerFactory.getLogger(SafeDomainParser.class);
 
-    public SafeDomainParser(){
+    public SafeDomainParser() {
 
         String rootTag = "domains";
         String safeDomainTag = "safedomains";
@@ -38,8 +38,8 @@ public SafeDomainParser(){
             NodeList rootNode = doc.getElementsByTagName(rootTag);  // 解析根节点domains
             Node domainsNode = rootNode.item(0);
             NodeList child = domainsNode.getChildNodes();
-            
-            for (int i = 0; i < child.getLength(); i++){
+
+            for (int i = 0; i < child.getLength(); i++) {
                 Node node = child.item(i);
                 // 解析safeDomains节点
                 if (node.getNodeName().equals(safeDomainTag)) {
@@ -51,7 +51,7 @@ public SafeDomainParser(){
                             safeDomains.add(finalTagNode.getTextContent());
                         }
                     }
-                }else if (node.getNodeName().equals(blockDomainTag)) {
+                } else if (node.getNodeName().equals(blockDomainTag)) {
                     NodeList finalTagNode = node.getChildNodes();
                     for (int j = 0; j < finalTagNode.getLength(); j++) {
                         Node tagNode = finalTagNode.item(j);
@@ -62,7 +62,7 @@ public SafeDomainParser(){
                     }
                 }
             }
-        }catch (Exception e){
+        } catch (Exception e) {
             logger.error(e.toString());
         }
 
@@ -96,7 +96,7 @@ public SafeDomainParser(){
             Node domainsNode = rootNode.item(0);
             NodeList child = domainsNode.getChildNodes();
 
-            for (int i = 0; i < child.getLength(); i++){
+            for (int i = 0; i < child.getLength(); i++) {
                 Node node = child.item(i);
                 // 解析safeDomains节点
                 if (node.getNodeName().equals(ssrfSafeDomainTag)) {
@@ -107,15 +107,15 @@ public SafeDomainParser(){
                             ssrfSafeDomains.add(tagFinalNode.getTextContent());
                         }
                     }
-                }else if (node.getNodeName().equals(ssrfBlockDomainTag)) {
+                } else if (node.getNodeName().equals(ssrfBlockDomainTag)) {
                     NodeList tagChild = node.getChildNodes();
                     for (int j = 0; j < tagChild.getLength(); j++) {
                         Node tagFinalNode = tagChild.item(j);
                         if (tagFinalNode.getNodeName().equals(ssrfFinalTag)) {
                             ssrfBlockDomains.add(tagFinalNode.getTextContent());
                         }
                     }
-                }else if(node.getNodeName().equals(ssrfBlockIpsTag)){
+                } else if (node.getNodeName().equals(ssrfBlockIpsTag)) {
                     NodeList tagChild = node.getChildNodes();
                     for (int j = 0; j < tagChild.getLength(); j++) {
                         Node tagFinalNode = tagChild.item(j);
@@ -126,7 +126,7 @@ public SafeDomainParser(){
                     }
                 }
             }
-        }catch (Exception e){
+        } catch (Exception e) {
             logger.error(e.toString());
         }
 

diff --git a/src/main/java/org/joychou/config/WebConfig.java b/src/main/java/org/joychou/config/WebConfig.java
@@ -15,112 +15,124 @@
 public class WebConfig {
 
     private static String[] callbacks;
-    private static Boolean  jsonpReferCheckEnabled = false;
+    private static Boolean jsonpReferCheckEnabled = false;
     private static String[] jsonpRefererHost;
     private static String[] referWhitelist;
     private static String[] referUris;
     private static Boolean referSecEnabled = false;
     private static String businessCallback;
-    private static ArrayList<String> safeDomains= new ArrayList<>();
-    private static ArrayList<String> blockDomains= new ArrayList<>();
+    private static ArrayList<String> safeDomains = new ArrayList<>();
+    private static ArrayList<String> blockDomains = new ArrayList<>();
     private static ArrayList<String> ssrfSafeDomains = new ArrayList<>();
-    private static ArrayList<String> ssrfBlockDomains= new ArrayList<>();
+    private static ArrayList<String> ssrfBlockDomains = new ArrayList<>();
     private static ArrayList<String> ssrfBlockIps = new ArrayList<>();
+
     /**
      * application.properties里object自动转jsonp的referer校验开关
+     *
      * @param jsonpReferCheckEnabled jsonp校验开关
      */
     @Value("${joychou.security.jsonp.referer.check.enabled}")
-    public void setJsonpReferCheckEnabled(Boolean jsonpReferCheckEnabled){
+    public void setJsonpReferCheckEnabled(Boolean jsonpReferCheckEnabled) {
         WebConfig.jsonpReferCheckEnabled = jsonpReferCheckEnabled;
     }
-    public static Boolean getJsonpReferCheckEnabled(){
+
+    public static Boolean getJsonpReferCheckEnabled() {
         return jsonpReferCheckEnabled;
     }
 
 
     @Value("${joychou.security.jsonp.callback}")
-    public void setJsonpCallbacks(String[] callbacks){
+    public void setJsonpCallbacks(String[] callbacks) {
         WebConfig.callbacks = callbacks;
     }
-    public static String[] getJsonpCallbacks(){
+
+    public static String[] getJsonpCallbacks() {
         return callbacks;
     }
 
 
     @Value("${joychou.security.referer.enabled}")
-    public void setReferSecEnabled(Boolean referSecEnabled){
+    public void setReferSecEnabled(Boolean referSecEnabled) {
         WebConfig.referSecEnabled = referSecEnabled;
     }
-    public static Boolean getReferSecEnabled(){
+
+    public static Boolean getReferSecEnabled() {
         return referSecEnabled;
     }
 
 
     @Value("${joychou.security.referer.host}")
-    public void setReferWhitelist(String[] referWhitelist){
+    public void setReferWhitelist(String[] referWhitelist) {
         WebConfig.referWhitelist = referWhitelist;
     }
-    public static String[] getReferWhitelist(){
+
+    public static String[] getReferWhitelist() {
         return referWhitelist;
     }
 
 
     @Value("${joychou.security.referer.uri}")
-    public void setReferUris(String[] referUris)
-    {
+    public void setReferUris(String[] referUris) {
         WebConfig.referUris = referUris;
     }
-    public static String[] getReferUris(){
+
+    public static String[] getReferUris() {
         return referUris;
     }
 
 
     @Value("${joychou.business.callback}")
-    public void setBusinessCallback(String businessCallback){
+    public void setBusinessCallback(String businessCallback) {
         WebConfig.businessCallback = businessCallback;
     }
-    public static String getBusinessCallback(){
+
+    public static String getBusinessCallback() {
         return businessCallback;
     }
 
 
-    void setSafeDomains(ArrayList<String> safeDomains){
+    void setSafeDomains(ArrayList<String> safeDomains) {
         WebConfig.safeDomains = safeDomains;
     }
-    public static ArrayList<String> getSafeDomains(){
+
+    public static ArrayList<String> getSafeDomains() {
         return safeDomains;
     }
 
 
-    void setBlockDomains(ArrayList<String> blockDomains){
+    void setBlockDomains(ArrayList<String> blockDomains) {
         WebConfig.blockDomains = blockDomains;
     }
-    public static ArrayList<String> getBlockDomains(){
+
+    public static ArrayList<String> getBlockDomains() {
         return blockDomains;
     }
 
 
-    void setSsrfSafeDomains(ArrayList<String> ssrfSafeDomains){
+    void setSsrfSafeDomains(ArrayList<String> ssrfSafeDomains) {
         WebConfig.ssrfSafeDomains = ssrfSafeDomains;
     }
-    public static ArrayList<String> getSsrfSafeDomains(){
+
+    public static ArrayList<String> getSsrfSafeDomains() {
         return ssrfSafeDomains;
     }
 
 
-    void setSsrfBlockDomains(ArrayList<String> ssrfBlockDomains){
+    void setSsrfBlockDomains(ArrayList<String> ssrfBlockDomains) {
         WebConfig.ssrfBlockDomains = ssrfBlockDomains;
     }
-    public static ArrayList<String> getSsrfBlockDomainsDomains(){
+
+    public static ArrayList<String> getSsrfBlockDomainsDomains() {
         return ssrfBlockDomains;
     }
 
 
-    void setSsrfBlockIps(ArrayList<String> ssrfBlockIps){
+    void setSsrfBlockIps(ArrayList<String> ssrfBlockIps) {
         WebConfig.ssrfBlockIps = ssrfBlockIps;
     }
-    public static ArrayList<String> getSsrfBlockIps(){
+
+    public static ArrayList<String> getSsrfBlockIps() {
         return ssrfBlockIps;
     }
 }
diff --git a/src/main/java/org/joychou/controller/CRLFInjection.java b/src/main/java/org/joychou/controller/CRLFInjection.java
@@ -11,7 +11,7 @@
 /**
  * Java 1.7/1.8 no CRLF vulns (test in Java 1.7/1.8)
  *
- * @author  JoyChou ([email protected]) @2018-01-03
+ * @author JoyChou ([email protected]) @2018-01-03
  */
 @Controller
 @RequestMapping("/crlf")

diff --git a/src/main/java/org/joychou/controller/CSRF.java b/src/main/java/org/joychou/controller/CSRF.java
@@ -10,7 +10,7 @@
  * check csrf using spring-security
  * Access http://localhost:8080/csrf/ -> click submit
  *
- * @author  JoyChou ([email protected]) @2019-05-31
+ * @author JoyChou ([email protected]) @2019-05-31
  */
 @Controller
 @RequestMapping("/csrf")

diff --git a/src/main/java/org/joychou/controller/CommandInject.java b/src/main/java/org/joychou/controller/CommandInject.java
@@ -35,7 +35,6 @@ public String codeInject(String filepath) throws IOException {
      * Host Injection
      * Host: hacked by joychou;cat /etc/passwd
      * http://localhost:8080/codeinject/host
-     *
      */
     @GetMapping("/codeinject/host")
     public String codeInjectHost(HttpServletRequest request) throws IOException {

diff --git a/src/main/java/org/joychou/controller/Cookies.java b/src/main/java/org/joychou/controller/Cookies.java
@@ -5,8 +5,10 @@
 
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
+
 import org.joychou.util.WebUtils;
 import org.springframework.web.bind.annotation.RestController;
+
 import static org.springframework.web.util.WebUtils.getCookie;
 
 @RestController
@@ -43,7 +45,7 @@ public String vuln03(HttpServletRequest req) {
             for (Cookie cookie : cookies) {
                 // key code. Equals can also be equalsIgnoreCase.
                 if (NICK.equals(cookie.getName())) {
-                    nick =  cookie.getValue();
+                    nick = cookie.getValue();
                 }
             }
         }
@@ -58,15 +60,14 @@ public String vuln04(HttpServletRequest req) {
         if (cookies != null) {
             for (Cookie cookie : cookies) {
                 if (cookie.getName().equalsIgnoreCase(NICK)) {  // key code
-                    nick =  cookie.getValue();
+                    nick = cookie.getValue();
                 }
             }
         }
         return "Cookie nick: " + nick;
     }
 
 
-
     @RequestMapping(value = "/vuln05")
     public String vuln05(@CookieValue("nick") String nick) {
         return "Cookie nick: " + nick;

diff --git a/src/main/java/org/joychou/controller/Cors.java b/src/main/java/org/joychou/controller/Cors.java
@@ -11,7 +11,7 @@
 import javax.servlet.http.HttpServletResponse;
 
 /**
- * @author  JoyChou ([email protected]) @2018.10.24
+ * @author JoyChou ([email protected]) @2018.10.24
  * https://github.com/JoyChou93/java-sec-code/wiki/CORS
  */
 
@@ -106,7 +106,7 @@ public String seccode(HttpServletRequest request, HttpServletResponse response)
 
         // 如果origin不为空并且origin不在白名单内，认定为不安全。
         // 如果origin为空，表示是同域过来的请求或者浏览器直接发起的请求。
-        if ( origin != null && SecurityUtil.checkURL(origin) == null ) {
+        if (origin != null && SecurityUtil.checkURL(origin) == null) {
             return "Origin is not safe.";
         }
         response.setHeader("Access-Control-Allow-Origin", origin);

diff --git a/src/main/java/org/joychou/controller/Deserialize.java b/src/main/java/org/joychou/controller/Deserialize.java
@@ -31,7 +31,7 @@ public class Deserialize {
     /**
      * java -jar ysoserial.jar CommonsCollections5 "open -a Calculator" | base64
      * Add the result to rememberMe cookie.
-     *
+     * <p>
      * http://localhost:8080/deserialize/rememberMe/vuln
      */
     @RequestMapping("/rememberMe/vuln")
@@ -40,7 +40,7 @@ public String rememberMeVul(HttpServletRequest request)
 
         Cookie cookie = getCookie(request, Constants.REMEMBER_ME_COOKIE);
 
-        if (null == cookie){
+        if (null == cookie) {
             return "No rememberMe cookie. Right?";
         }
 
@@ -57,7 +57,7 @@ public String rememberMeVul(HttpServletRequest request)
 
     /**
      * Check deserialize class using black list.
-     *
+     * <p>
      * http://localhost:8080/deserialize/rememberMe/security
      */
     @RequestMapping("/rememberMe/security")
@@ -66,15 +66,15 @@ public String rememberMeBlackClassCheck(HttpServletRequest request)
 
         Cookie cookie = getCookie(request, Constants.REMEMBER_ME_COOKIE);
 
-        if (null == cookie){
+        if (null == cookie) {
             return "No rememberMe cookie. Right?";
         }
         String rememberMe = cookie.getValue();
         byte[] decoded = Base64.getDecoder().decode(rememberMe);
 
         ByteArrayInputStream bytes = new ByteArrayInputStream(decoded);
 
-        try{
+        try {
             AntObjectInputStream in = new AntObjectInputStream(bytes);  // throw InvalidClassException
             in.readObject();
             in.close();