update

Author: bewhale

src/main/java/org/bewhale/javasec/controller/AdminController.java

@@ -1,32 +1,121 @@
 package org.bewhale.javasec.controller;
 
+import com.wf.captcha.utils.CaptchaUtil;
 import org.bewhale.javasec.model.Admin;
 import org.bewhale.javasec.service.AdminService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.*;
 
-@RequestMapping("/admin")
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+import java.util.Map;
+
 @Controller
 public class AdminController {
-    @GetMapping("")
-    public String index() {
-        return "admin/adminlogin";
-    }
-
     @Autowired
     @SuppressWarnings("all")
     AdminService adminService;
 
+    @RequestMapping({"/", "/index", "/login", "/admin"})
+    public String index(HttpSession session) {
+        if (session.getAttribute("username") != null) {
+            return "redirect:/home";
+        }
+        return "redirect:/admin/login";
+    }
+
+    @GetMapping("/home")
+    public String home(HttpSession session, Model model) {
+        model.addAttribute("results", session.getAttribute("username"));
+        return "/admin/home";
+    }
+
+    @GetMapping("/admin/logout")
     @ResponseBody
-    @PostMapping("/login")
-    public String login(@RequestParam(name="username", required =true) String username,
-                        @RequestParam(name="password", required = true) String password){
+    public String logout(HttpSession session) {
+        session.invalidate();
+        return "注销成功，请重新登录！";
+    }
+
+    @RequestMapping("/admin/login")
+    public String login(String username, String password,
+//                        @RequestParam(name = "password", required = true) String password,
+                        String captcha, String path,
+                        HttpSession session, HttpServletRequest request, Model model) {
 
-        Admin admin = adminService.login(username, password);//调用service层抽象类方法,返回一个承接了数据库返回值的实体类
-        if (admin != null) {//很简单的逻辑,返回的只要不是空值就说明是存在的,ok
-            return "welcome adminster!" + admin;//返回一段文本
+        if (request.getMethod().equals("GET"))
+            return "login";
+
+        if (!CaptchaUtil.ver(captcha, request)) {
+            CaptchaUtil.clear(request);
+            model.addAttribute("msg", "验证码不正确");
+            return "login";
+        }
+        Admin admin = adminService.login(username, password);
+        if (admin != null) {
+            session.setAttribute("username", username);
+            if (path != null) {
+                return "redirect:" + path;
+            }
+            return "redirect:/home";
+        } else {
+            model.addAttribute("msg", "用户名或密码错误");
+            return "login";
         }
-        return "/err";//返回到另一个界面,但是目前还没做
+    }
+
+    @GetMapping("/captcha")
+    public void captcha(HttpServletRequest request, HttpServletResponse response) throws Exception {
+        CaptchaUtil.out(request, response);
+    }
+
+    @GetMapping("/admin/password")
+    public String chPwdView() {
+        return "/admin/password";
+    }
+
+    @PostMapping("/admin/chpwd")
+    @ResponseBody
+    public String changePassword(@RequestBody Map<String, String> map, HttpSession session) {
+        String old_password = map.get("old_password");
+        String new_password = map.get("new_password");
+        String again_password = map.get("again_password");
+        String username = (String) session.getAttribute("username");
+        if (old_password == null || new_password == null || again_password == null) {
+            return "输入不能为空!";
+        }
+        if (old_password.equals(new_password)) {
+            return "新密码不能与旧密码一致!";
+        }
+        if (!new_password.equals(again_password)) {
+            return "新密码两次输入不一致!";
+        }
+        Admin admin = adminService.login(username, old_password);
+        if (admin != null) {
+            if (adminService.updatePWD(username, new_password) != 0) {
+                session.invalidate();
+                return "密码修改成功!";
+            } else {
+                return "密码修改失败!";
+            }
+        } else {
+            return "旧密码输入错误!";
+        }
+    }
+
+    @RequestMapping("/admin/index")
+    public String adminIndex(Model model , HttpSession session) {
+        Date day=new Date();
+        SimpleDateFormat df = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
+        model.addAttribute("date",  df.format(day));
+        model.addAttribute("username", session.getAttribute("username"));
+        model.addAttribute("os",  System.getProperty("os.name"));
+        model.addAttribute("java",   System.getProperty("java.version"));
+        return "admin/index";
     }
 }

src/main/java/org/bewhale/javasec/controller/basevul/CORSVul.java

@@ -0,0 +1,32 @@
+package org.bewhale.javasec.controller.basevul;
+
+import org.bewhale.javasec.model.Admin;
+import org.bewhale.javasec.service.AdminService;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+@RestController
+@RequestMapping("/home/cors")
+public class CORSVul {
+
+    @Autowired
+    @SuppressWarnings("all")
+    AdminService adminService;
+
+    @GetMapping("")
+    public String corsVul(HttpServletRequest request, HttpServletResponse response, HttpSession httpSession) {
+        // origin头可控
+        String origin = request.getHeader("origin");
+        response.setHeader("Access-Control-Allow-Origin", origin);
+        response.setHeader("Access-Control-Allow-Credentials", "true");
+        response.setHeader("Access-Control-Allow-Methods", "GET,POST,PUT,DELETE,OPTIONS");
+        String username = (String) httpSession.getAttribute("username");
+        Admin admin = adminService.getInfoByUserName(username);
+        return "登录用户名: " + admin.getUsername() + ", 密码: " + admin.getPassword();
+    }
+}

src/main/java/org/bewhale/javasec/controller/basevul/RedirectVul.java

@@ -0,0 +1,25 @@
+package org.bewhale.javasec.controller.basevul;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.servlet.ModelAndView;
+
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+@Controller
+@RequestMapping("/home/redirect")
+public class RedirectVul {
+    @RequestMapping("")
+    public String redirect(String url) {
+        return "redirect:" + url;
+    }
+
+////    public ModelAndView redirect(String url) {
+////        return new ModelAndView("redirect://" + url);
+////    }
+//
+//    public void redirect(String url, HttpServletResponse response) throws IOException {
+//        response.sendRedirect(url);
+//    }
+}

src/main/java/org/bewhale/javasec/controller/basevul/SPELVul.java

@@ -0,0 +1,36 @@
+package org.bewhale.javasec.controller.basevul;
+
+import com.sun.deploy.net.HttpUtils;
+import org.springframework.expression.EvaluationContext;
+import org.springframework.expression.EvaluationException;
+import org.springframework.expression.ExpressionParser;
+import org.springframework.expression.ParseException;
+import org.springframework.expression.spel.standard.SpelExpressionParser;
+import org.springframework.expression.spel.support.StandardEvaluationContext;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+@Controller
+@RequestMapping("/home/spel")
+public class SPELVul {
+
+    @RequestMapping("")
+    public String spelVul(String exp, Model model) {
+        try {
+            // 1. 创建解析器：SpEL使用ExpressionParser接口表示解析器，提供SpelExpressionParser默认实现
+            ExpressionParser parser = new SpelExpressionParser();
+            // StandardEvaluationContext权限过大，可以执行任意代码
+            EvaluationContext evaluationContext = new StandardEvaluationContext();
+
+            // 2. 解析表达式: 使用ExpressionParser的parseExpression来解析相应的表达式为Expression对象
+            // 3. 求值：通过 Expression 接口的 getValue 方法根据上下文获得表达式值
+            String result = parser.parseExpression(exp).getValue(evaluationContext).toString();
+            model.addAttribute("results", result);
+        } catch (ParseException e) {
+            e.printStackTrace();
+            model.addAttribute("results", e.toString());
+        }
+        return "/basevul/spel/spel";
+    }
+}

src/main/java/org/bewhale/javasec/controller/basevul/SSRFVul.java

@@ -0,0 +1,36 @@
+package org.bewhale.javasec.controller.basevul;
+
+import org.bewhale.javasec.util.HTTP;
+import org.bewhale.javasec.util.Security;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequestMapping("/home/ssrf")
+public class SSRFVul {
+
+    @RequestMapping("")
+    public String urlConnection(@RequestParam String url, String isHttp, String isIntranet) {
+        if (url.equals("")) {
+            return "请输入url";
+        }
+
+        if (isHttp != null && isHttp.equals("true")) {
+            if (!Security.isHttp(url)) {
+                return "不允许非http/https协议!!!";
+            }
+        }
+        if (isIntranet != null && isIntranet.equals("true")) {
+            if (Security.isIntranet(url)) {
+                return "不允许访问内网!!!";
+            }
+        }
+
+        String results = HTTP.URLConnection(url);
+
+        return results;
+    }
+}

src/main/java/org/bewhale/javasec/controller/basevul/SSTIVul.java

@@ -0,0 +1,19 @@
+package org.bewhale.javasec.controller.basevul;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+@Controller
+@RequestMapping("/home/ssti")
+public class SSTIVul {
+
+    @RequestMapping("/thymeleaf")
+    public String thymeleaf(String content) {
+        return "user/" + content + "/welcome"; //template path is tainted
+    }
+
+    @RequestMapping("/noreturn/{content}")
+    public void noReturn(String content) {
+        System.out.println("ok");
+    }
+}

src/main/java/org/bewhale/javasec/controller/basevul/UnauthVul.java

@@ -0,0 +1,39 @@
+package org.bewhale.javasec.controller.basevul;
+
+import org.bewhale.javasec.model.Admin;
+import org.bewhale.javasec.service.AdminService;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.apache.commons.lang.StringUtils;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.util.ArrayList;
+
+
+@RestController
+@RequestMapping("/unauth")
+public class UnauthVul {
+    @Autowired
+    @SuppressWarnings("all")
+    AdminService adminService;
+
+    @RequestMapping("/userinfo")
+    public String adminInfo(String username) {
+        ArrayList<Admin> userInfo = new ArrayList<>();
+        System.out.println(username);
+        if (username.equals("")) {
+            return "请输入用户名！";
+        }
+        if (username.equals("all")) {
+            userInfo = adminService.getAllInfo();
+        } else {
+            Admin admin = adminService.getInfoByUserName(username);
+            if (admin == null) {
+                return "用户不存在!";
+            }
+            userInfo.add(admin);
+        }
+        return (StringUtils.strip(userInfo.toString(), "[]")).replace(", ", "");
+    }
+}

src/main/java/org/bewhale/javasec/controller/basevul/XFFVul.java

@@ -0,0 +1,24 @@
+package org.bewhale.javasec.controller.basevul;
+
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.HttpServletRequest;
+
+@RestController
+@RequestMapping("/home/xff")
+public class XFFVul {
+
+    @RequestMapping("")
+    public String xffVul(HttpServletRequest request,String xff) {
+        String ip = request.getRemoteAddr();
+        if (xff.equals("true")) {
+            ip = request.getHeader("X-Forwarded-For");
+        }
+        if (ip != null && ip.equals("10.0.0.1")) {
+            return "你的ip为: " + ip +", 访问成功。";
+        }
+        return "你的ip为: " + ip +", 本资源仅允许 10.0.0.1 访问。";
+
+    }
+}

src/main/java/org/bewhale/javasec/controller/basevul/XSSVul.java

@@ -0,0 +1,46 @@
+package org.bewhale.javasec.controller.basevul;
+
+import org.bewhale.javasec.model.Xss;
+import org.bewhale.javasec.service.XssService;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+import java.util.List;
+
+@Controller
+@RequestMapping("/home/xss")
+public class XSSVul {
+    final XssService xssService;
+
+    public XSSVul(XssService xssService) {
+        this.xssService = xssService;
+    }
+
+    @RequestMapping("/reflect")
+    public String xssReflect(String content, Model model) {
+        model.addAttribute("results", content);
+        return "/basevul/xss/reflect";
+    }
+
+    @RequestMapping("/store")
+    public String xssInsert(String content, String clear, Model model) {
+        try {
+            if (clear != null) {
+                xssService.clear();
+                model.addAttribute("results", "清除成功");
+                return "/basevul/xss/store";
+            }
+            if (content !=null && !content.equals("")) {
+                xssService.setContent(new Xss(content));
+                model.addAttribute("results", "添加成功");
+            }
+            List<String> list = xssService.getContent();
+            model.addAttribute("list", list);
+        } catch (Exception e) {
+            e.printStackTrace();
+            model.addAttribute("results", e.toString());
+        }
+        return "/basevul/xss/store";
+    }
+}