🍺 Java Sec

.gitignore

@@ -2,11 +2,12 @@
 .vscode
 /logs/
 /target/
+/out
 .apt_generated
 .classpath
 .factorypath
 .project
 .settings
 .springBeans
 .sts4-cache
-.DS_Store
+.DS_Store

Dockerfile

@@ -0,0 +1,11 @@
+FROM java:8
+
+VOLUME /tmp
+
+ADD hello-1.0.0-SNAPSHOT.jar app.jar
+
+EXPOSE 8888
+
+RUN sh -c 'touch /app.jar'
+
+ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"]

META-INF/MANIFEST.MF

@@ -0,0 +1,50 @@
+Manifest-Version: 1.0
+Main-Class: 
+Class-Path: groovy-console-2.5.14.jar ant-antlr-1.9.15.jar mybatis-sprin
+ g-boot-starter-2.1.4.jar springfox-core-2.9.2.jar jcommander-1.72.jar f
+ astjson-1.2.24.jar log4j-core-2.13.3.jar LatencyUtils-2.0.3.jar HdrHist
+ ogram-2.1.12.jar swagger-models-1.5.20.jar spring-core-5.3.2.jar unbesc
+ ape-1.1.6.RELEASE.jar logback-core-1.2.3.jar spring-aop-5.3.2.jar sprin
+ gfox-spring-web-2.9.2.jar jsoup-1.12.2.jar jackson-databind-2.11.3.jar 
+ groovy-json-2.5.14.jar groovy-nio-2.5.14.jar picocli-4.3.2.jar spring-c
+ ontext-5.3.2.jar jdom2-2.0.6.jar commons-lang-2.4.jar spring-boot-start
+ er-json-2.4.1.jar springfox-swagger-common-2.9.2.jar groovy-sql-2.5.14.
+ jar junit-4.13.1.jar jakarta.el-3.0.3.jar groovy-testng-2.5.14.jar guav
+ a-20.0.jar json-simple-1.1.1.jar thymeleaf-extras-java8time-3.0.4.RELEA
+ SE.jar spring-boot-starter-logging-2.4.1.jar mybatis-spring-boot-autoco
+ nfigure-2.1.4.jar groovy-cli-commons-2.5.14.jar groovy-datetime-2.5.14.
+ jar byte-buddy-1.10.18.jar groovy-2.5.14.jar junit-jupiter-api-5.7.0.ja
+ r jakarta.annotation-api-1.3.5.jar testng-6.13.1.jar jackson-core-2.11.
+ 3.jar springfox-spi-2.9.2.jar groovy-jmx-2.5.14.jar spring-beans-5.3.2.
+ jar junit-platform-commons-1.7.0.jar HikariCP-3.4.5.jar jackson-datatyp
+ e-jsr310-2.11.3.jar swagger-annotations-1.5.20.jar log4j-api-2.13.3.jar
+  tomcat-embed-websocket-9.0.41.jar classmate-1.5.1.jar junit-platform-e
+ ngine-1.7.0.jar commons-collections-3.2.1.jar groovy-docgenerator-2.5.1
+ 4.jar jul-to-slf4j-1.7.30.jar spring-boot-starter-2.4.1.jar spring-jcl-
+ 5.3.2.jar ant-junit-1.9.15.jar groovy-ant-2.5.14.jar springfox-swagger-
+ ui-2.10.5.jar groovy-groovydoc-2.5.14.jar jackson-module-parameter-name
+ s-2.11.3.jar commons-cli-1.4.jar spring-boot-devtools-2.4.1.jar snakeya
+ ml-1.27.jar groovy-cli-picocli-2.5.14.jar logback-classic-1.2.3.jar thy
+ meleaf-spring5-3.0.11.RELEASE.jar mapstruct-1.2.0.Final.jar jackson-dat
+ atype-jdk8-2.11.3.jar micrometer-core-1.6.2.jar log4j-to-slf4j-2.13.3.j
+ ar spring-boot-actuator-2.4.1.jar attoparser-2.0.5.RELEASE.jar hamcrest
+ -core-2.2.jar spring-tx-5.3.2.jar spring-web-5.3.2.jar groovy-macro-2.5
+ .14.jar groovy-xml-2.5.14.jar junit-platform-launcher-1.7.0.jar xpp3_mi
+ n-1.1.4c.jar groovy-test-2.5.14.jar spring-boot-starter-jdbc-2.4.1.jar 
+ ant-launcher-1.9.15.jar spring-boot-starter-thymeleaf-2.4.1.jar spring-
+ webmvc-5.3.2.jar tomcat-embed-core-9.0.41.jar spring-boot-autoconfigure
+ -2.4.1.jar spring-boot-2.4.1.jar slf4j-api-1.7.30.jar ant-1.9.15.jar my
+ batis-spring-2.0.6.jar thymeleaf-3.0.11.RELEASE.jar groovy-swing-2.5.14
+ .jar dom4j-2.1.3.jar apiguardian-api-1.1.0.jar jolokia-core-1.4.0.jar x
+ mlprojector-1.4.14.jar xstream-1.4.10.jar groovy-jsr223-2.5.14.jar spri
+ ngfox-swagger2-2.9.2.jar junit-jupiter-engine-5.7.0.jar groovy-servlet-
+ 2.5.14.jar groovy-groovysh-2.5.14.jar spring-plugin-core-1.2.0.RELEASE.
+ jar spring-boot-starter-actuator-2.4.1.jar velocity-1.7.jar mysql-conne
+ ctor-java-8.0.22.jar spring-boot-actuator-autoconfigure-2.4.1.jar sprin
+ g-boot-starter-tomcat-2.4.1.jar spring-expression-5.3.2.jar spring-plug
+ in-metadata-1.2.0.RELEASE.jar groovy-templates-2.5.14.jar spring-jdbc-5
+ .3.2.jar hamcrest-2.2.jar jackson-annotations-2.11.3.jar groovy-test-ju
+ nit5-2.5.14.jar springfox-schema-2.9.2.jar jline-2.14.6.jar xmlpull-1.1
+ .3.1.jar spring-boot-starter-web-2.4.1.jar qdox-1.12.1.jar opentest4j-1
+ .2.0.jar mybatis-3.5.6.jar
+

README.md

@@ -1,23 +1,24 @@
 # ☕️ Hello Java Sec ![Stage](https://img.shields.io/badge/Release-DEV-brightgreen.svg)
-> 学习 Java 漏洞，记录一下代码
+> Java漏洞平台，结合漏洞代码和安全编码，帮助研发同学理解和减少漏洞
 
-![](media/16261597400147.jpg)
+![](media/16278906186353.jpg)
 
 
 - 默认账号：admin/admin
 
 ## Vulnerability
-- [ ] SQLi
+- [x] SQLi
 - [x] XSS
 - [x] RCE
+- [x] Deserialize
 - [x] SSTI
 - [x] SpEL
 - [x] SSRF
-- [ ] Directory Traversal
+- [x] Directory Traversal
 - [x] Redirect
 - [ ] CSRF
 - [ ] File Upload
-- [ ] XXE
+- [x] XXE
 - [x] Actuator
 - [ ] Fastjson
 
@@ -33,8 +34,9 @@ spring.datasource.password=1234567
 ### Jar
 ```
 git clone https://github.com/j3ers3/Hello-Java-Sec
+cd Hello-Java-Sec
 mvn clean package -DskipTests
-java -jar hello-0.0.1-SNAPSHOT.jar
+java -jar target/hello-1.0.0-SNAPSHOT.jar
 ```
 
 
@@ -43,4 +45,4 @@ java -jar hello-0.0.1-SNAPSHOT.jar
 - SpringBoot 4.0
 - Bootstrap 4.6.0
 - Codemirror 5.62.0
-- Fastjson 1.2.24
+- Fastjson 1.2.24

hello.iml

@@ -31,12 +31,10 @@
     <orderEntry type="library" name="Maven: ch.qos.logback:logback-classic:1.2.3" level="project" />
     <orderEntry type="library" name="Maven: ch.qos.logback:logback-core:1.2.3" level="project" />
     <orderEntry type="library" name="Maven: org.apache.logging.log4j:log4j-to-slf4j:2.13.3" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.logging.log4j:log4j-api:2.13.3" level="project" />
     <orderEntry type="library" name="Maven: org.slf4j:jul-to-slf4j:1.7.30" level="project" />
     <orderEntry type="library" name="Maven: jakarta.annotation:jakarta.annotation-api:1.3.5" level="project" />
     <orderEntry type="library" name="Maven: org.yaml:snakeyaml:1.27" level="project" />
     <orderEntry type="library" name="Maven: com.zaxxer:HikariCP:3.4.5" level="project" />
-    <orderEntry type="library" name="Maven: org.slf4j:slf4j-api:1.7.30" level="project" />
     <orderEntry type="library" name="Maven: org.springframework:spring-jdbc:5.3.2" level="project" />
     <orderEntry type="library" name="Maven: org.springframework:spring-beans:5.3.2" level="project" />
     <orderEntry type="library" name="Maven: org.springframework:spring-tx:5.3.2" level="project" />
@@ -64,17 +62,17 @@
     <orderEntry type="library" scope="TEST" name="Maven: jakarta.xml.bind:jakarta.xml.bind-api:2.3.3" level="project" />
     <orderEntry type="library" scope="TEST" name="Maven: jakarta.activation:jakarta.activation-api:1.2.2" level="project" />
     <orderEntry type="library" scope="TEST" name="Maven: org.assertj:assertj-core:3.18.1" level="project" />
-    <orderEntry type="library" scope="TEST" name="Maven: org.hamcrest:hamcrest:2.2" level="project" />
+    <orderEntry type="library" name="Maven: org.hamcrest:hamcrest:2.2" level="project" />
     <orderEntry type="library" scope="TEST" name="Maven: org.junit.jupiter:junit-jupiter:5.7.0" level="project" />
-    <orderEntry type="library" scope="TEST" name="Maven: org.junit.jupiter:junit-jupiter-api:5.7.0" level="project" />
-    <orderEntry type="library" scope="TEST" name="Maven: org.apiguardian:apiguardian-api:1.1.0" level="project" />
-    <orderEntry type="library" scope="TEST" name="Maven: org.opentest4j:opentest4j:1.2.0" level="project" />
-    <orderEntry type="library" scope="TEST" name="Maven: org.junit.platform:junit-platform-commons:1.7.0" level="project" />
+    <orderEntry type="library" name="Maven: org.junit.jupiter:junit-jupiter-api:5.7.0" level="project" />
+    <orderEntry type="library" name="Maven: org.apiguardian:apiguardian-api:1.1.0" level="project" />
+    <orderEntry type="library" name="Maven: org.opentest4j:opentest4j:1.2.0" level="project" />
+    <orderEntry type="library" name="Maven: org.junit.platform:junit-platform-commons:1.7.0" level="project" />
     <orderEntry type="library" scope="TEST" name="Maven: org.junit.jupiter:junit-jupiter-params:5.7.0" level="project" />
-    <orderEntry type="library" scope="TEST" name="Maven: org.junit.jupiter:junit-jupiter-engine:5.7.0" level="project" />
-    <orderEntry type="library" scope="TEST" name="Maven: org.junit.platform:junit-platform-engine:1.7.0" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: org.junit.jupiter:junit-jupiter-engine:5.7.0" level="project" />
+    <orderEntry type="library" name="Maven: org.junit.platform:junit-platform-engine:1.7.0" level="project" />
     <orderEntry type="library" scope="TEST" name="Maven: org.mockito:mockito-core:3.6.28" level="project" />
-    <orderEntry type="library" scope="TEST" name="Maven: net.bytebuddy:byte-buddy:1.10.18" level="project" />
+    <orderEntry type="library" name="Maven: net.bytebuddy:byte-buddy:1.10.18" level="project" />
     <orderEntry type="library" scope="TEST" name="Maven: net.bytebuddy:byte-buddy-agent:1.10.18" level="project" />
     <orderEntry type="library" scope="TEST" name="Maven: org.objenesis:objenesis:3.1" level="project" />
     <orderEntry type="library" scope="TEST" name="Maven: org.mockito:mockito-junit-jupiter:3.6.28" level="project" />
@@ -87,7 +85,6 @@
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-web:2.4.1" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-json:2.4.1" level="project" />
     <orderEntry type="library" name="Maven: com.fasterxml.jackson.core:jackson-databind:2.11.3" level="project" />
-    <orderEntry type="library" name="Maven: com.fasterxml.jackson.core:jackson-annotations:2.11.3" level="project" />
     <orderEntry type="library" name="Maven: com.fasterxml.jackson.core:jackson-core:2.11.3" level="project" />
     <orderEntry type="library" name="Maven: com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.11.3" level="project" />
     <orderEntry type="library" name="Maven: com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.11.3" level="project" />
@@ -102,7 +99,10 @@
     <orderEntry type="library" name="Maven: org.springframework:spring-context:5.3.2" level="project" />
     <orderEntry type="library" name="Maven: org.springframework:spring-expression:5.3.2" level="project" />
     <orderEntry type="library" name="Maven: com.alibaba:fastjson:1.2.24" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-devtools:2.4.1" level="project" />
+    <orderEntry type="library" name="Maven: com.thoughtworks.xstream:xstream:1.4.10" level="project" />
+    <orderEntry type="library" name="Maven: xmlpull:xmlpull:1.1.3.1" level="project" />
+    <orderEntry type="library" name="Maven: xpp3:xpp3_min:1.1.4c" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: org.springframework.boot:spring-boot-devtools:2.4.1" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot:2.4.1" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-autoconfigure:2.4.1" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-actuator:2.4.1" level="project" />
@@ -113,5 +113,62 @@
     <orderEntry type="library" scope="RUNTIME" name="Maven: org.latencyutils:LatencyUtils:2.0.3" level="project" />
     <orderEntry type="library" name="Maven: org.jolokia:jolokia-core:1.4.0" level="project" />
     <orderEntry type="library" name="Maven: com.googlecode.json-simple:json-simple:1.1.1" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.logging.log4j:log4j-core:2.13.3" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.logging.log4j:log4j-api:2.13.3" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy:2.5.14" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-ant:2.5.14" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.ant:ant:1.9.15" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: org.apache.ant:ant-junit:1.9.15" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.ant:ant-launcher:1.9.15" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: org.apache.ant:ant-antlr:1.9.15" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-cli-commons:2.5.14" level="project" />
+    <orderEntry type="library" name="Maven: commons-cli:commons-cli:1.4" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-cli-picocli:2.5.14" level="project" />
+    <orderEntry type="library" name="Maven: info.picocli:picocli:4.3.2" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-console:2.5.14" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-datetime:2.5.14" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-docgenerator:2.5.14" level="project" />
+    <orderEntry type="library" name="Maven: com.thoughtworks.qdox:qdox:1.12.1" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-groovydoc:2.5.14" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-groovysh:2.5.14" level="project" />
+    <orderEntry type="library" name="Maven: jline:jline:2.14.6" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-jmx:2.5.14" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-json:2.5.14" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-jsr223:2.5.14" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-macro:2.5.14" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-nio:2.5.14" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-servlet:2.5.14" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-sql:2.5.14" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-swing:2.5.14" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-templates:2.5.14" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-test:2.5.14" level="project" />
+    <orderEntry type="library" name="Maven: junit:junit:4.13.1" level="project" />
+    <orderEntry type="library" name="Maven: org.hamcrest:hamcrest-core:2.2" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-test-junit5:2.5.14" level="project" />
+    <orderEntry type="library" name="Maven: org.junit.platform:junit-platform-launcher:1.7.0" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-testng:2.5.14" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: org.testng:testng:6.13.1" level="project" />
+    <orderEntry type="library" scope="RUNTIME" name="Maven: com.beust:jcommander:1.72" level="project" />
+    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-xml:2.5.14" level="project" />
+    <orderEntry type="library" name="Maven: org.dom4j:dom4j:2.1.3" level="project" />
+    <orderEntry type="library" name="Maven: org.jdom:jdom2:2.0.6" level="project" />
+    <orderEntry type="library" name="Maven: org.xmlbeam:xmlprojector:1.4.14" level="project" />
+    <orderEntry type="library" name="Maven: io.springfox:springfox-swagger-ui:2.10.5" level="project" />
+    <orderEntry type="library" name="Maven: io.springfox:springfox-swagger2:2.9.2" level="project" />
+    <orderEntry type="library" name="Maven: io.swagger:swagger-annotations:1.5.20" level="project" />
+    <orderEntry type="library" name="Maven: io.swagger:swagger-models:1.5.20" level="project" />
+    <orderEntry type="library" name="Maven: com.fasterxml.jackson.core:jackson-annotations:2.11.3" level="project" />
+    <orderEntry type="library" name="Maven: io.springfox:springfox-spi:2.9.2" level="project" />
+    <orderEntry type="library" name="Maven: io.springfox:springfox-core:2.9.2" level="project" />
+    <orderEntry type="library" name="Maven: io.springfox:springfox-schema:2.9.2" level="project" />
+    <orderEntry type="library" name="Maven: io.springfox:springfox-swagger-common:2.9.2" level="project" />
+    <orderEntry type="library" name="Maven: io.springfox:springfox-spring-web:2.9.2" level="project" />
+    <orderEntry type="library" name="Maven: com.google.guava:guava:20.0" level="project" />
+    <orderEntry type="library" name="Maven: com.fasterxml:classmate:1.5.1" level="project" />
+    <orderEntry type="library" name="Maven: org.slf4j:slf4j-api:1.7.30" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.plugin:spring-plugin-core:1.2.0.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.plugin:spring-plugin-metadata:1.2.0.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.mapstruct:mapstruct:1.2.0.Final" level="project" />
+    <orderEntry type="library" name="Maven: org.jsoup:jsoup:1.12.2" level="project" />
   </component>
 </module>

pom.xml

@@ -11,7 +11,7 @@
 
     <groupId>com.best</groupId>
     <artifactId>hello</artifactId>
-    <version>0.0.1-SNAPSHOT</version>
+    <version>1.0.0-SNAPSHOT</version>
     <name>hello java sec</name>
     <description>Java Sec</description>
     <packaging>jar</packaging>
@@ -72,11 +72,17 @@
             <version>1.2.24</version>
         </dependency>
 
+        <dependency>
+            <groupId>com.thoughtworks.xstream</groupId>
+            <artifactId>xstream</artifactId>
+            <version>1.4.10</version>
+        </dependency>
+
         <!-- 热启动 -->
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-devtools</artifactId>
-            <optional>true</optional>
+            <scope>runtime</scope>
         </dependency>
 
         <!-- actuator监控 -->
@@ -91,16 +97,66 @@
             <version>1.4.0</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-core</artifactId>
+        </dependency>
+
+        <!-- 引入groovy 来执行命令 -->
+        <dependency>
+            <groupId>org.codehaus.groovy</groupId>
+            <artifactId>groovy-all</artifactId>
+            <version>2.5.6</version>
+            <type>pom</type>
+        </dependency>
+
+        <!-- 开源的xml解析包 -->
+        <dependency>
+            <groupId>org.dom4j</groupId>
+            <artifactId>dom4j</artifactId>
+            <version>2.1.3</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.jdom</groupId>
+            <artifactId>jdom2</artifactId>
+            <version>2.0.6</version>
+        </dependency>
+
+        <!-- xmlbeam xxe漏洞 -->
+        <dependency>
+            <groupId>org.xmlbeam</groupId>
+            <artifactId>xmlprojector</artifactId>
+            <version>1.4.14</version>
+        </dependency>
+
+        <dependency>
+            <groupId>io.springfox</groupId>
+            <artifactId>springfox-swagger-ui</artifactId>
+            <version>2.10.5</version>
+        </dependency>
+        <dependency>
+            <groupId>io.springfox</groupId>
+            <artifactId>springfox-swagger2</artifactId>
+            <version>2.9.2</version>
+        </dependency>
+        <dependency>
+            <groupId>org.jsoup</groupId>
+            <artifactId>jsoup</artifactId>
+            <version>1.12.2</version>
+        </dependency>
 
     </dependencies>
 
     <build>
         <plugins>
+            <!-- 用于maven构建 -->
             <plugin>
                 <groupId>org.springframework.boot</groupId>
                 <artifactId>spring-boot-maven-plugin</artifactId>
             </plugin>
         </plugins>
     </build>
 
+
 </project>