add dos module

Author: whgojp

pom.xml

@@ -289,6 +289,18 @@
         </plugins>
     </build>
     <repositories>
+        <repository>
+            <id>central</id>
+            <url>https://repo.maven.apache.org/maven2</url>
+        </repository>
+        <repository>
+            <id>spring-milestone</id>
+            <url>https://repo.spring.io/milestone</url>
+        </repository>
+        <repository>
+            <id>spring-release</id>
+            <url>https://repo.spring.io/release</url>
+        </repository>
         <repository>
             <id>acfunnexus</id>
             <url>https://maven.aliyun.com/repository/public/</url>

src/main/java/top/whgojp/Application.java

@@ -4,7 +4,6 @@
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 
-
 import java.io.IOException;
 
 

src/main/java/top/whgojp/common/config/WebConfig.java

@@ -3,13 +3,12 @@
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.annotation.ComponentScan;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.servlet.config.annotation.*;
 import top.whgojp.common.constant.SysConstant;
 
 /**
- * @description <功能描述>
+ * @description 自定义静态资源的访问路径、文件映射
  * @author: whgojp
  * @email: whgojp@foxmail.com
  * @Date: 2024/5/23 18:58

src/main/java/top/whgojp/modules/components/jackson/controller/JacksonController.java

@@ -28,39 +28,37 @@ public String jackson() {
         return "vul/components/jackson";
     }
 
-    @PostMapping("/vul")
-    @ResponseBody
-    public String vulJackson(@RequestBody String content) {
+    @RequestMapping("/vul")
+    public String vul(@RequestBody String content) {
         try {
-            return new ObjectMapper()
-                    .enableDefaultTyping()
-                    .writeValueAsString(
-                            new ObjectMapper().enableDefaultTyping().readValue(content, Object.class)
-                    );
+            ObjectMapper mapper = new ObjectMapper();
+            mapper.enableDefaultTyping(); // 启用多态类型处理
+
+            // 反序列化接收的JSON数据，触发漏洞
+            Object obj = mapper.readValue(content, Object.class);
+            return "[+]Jackson 反序列化: " + obj.toString();
         } catch (Exception e) {
-            return "Jackson RCE Error";
+            e.printStackTrace();
+            return "[-]Jackson反序列化失败";
         }
     }
 
 
     @PostMapping("/safe")
     @ResponseBody
-    public String safeJackson(@RequestBody String content) {
+    public String safeJackson(@RequestBody String payload) {
         try {
-            // 使用安全的 ObjectMapper 配置
             ObjectMapper mapper = new ObjectMapper();
-            // 禁用潜在的危险功能
-            mapper.disableDefaultTyping();
-            // 安全配置：只允许反序列化指定类型（如自定义的类或简单数据类型）
+
+            // 启用安全的类型验证
             mapper.activateDefaultTyping(
                     LaissezFaireSubTypeValidator.instance,
                     ObjectMapper.DefaultTyping.NON_FINAL
             );
-            // 示例：仅允许特定的受信任类反序列化（可以根据需求自定义）
             mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true);
 
-            // 将 JSON 字符串安全地反序列化为指定的 POJO 类型
-            Map<String, Object> safePayload = mapper.readValue(content, new TypeReference<Map<String, Object>>() {});
+            // 反序列化传入的JSON数据
+            Map<String, Object> safePayload = mapper.readValue(payload, Map.class);
             return mapper.writeValueAsString(safePayload);
         } catch (Exception e) {
             e.printStackTrace();
@@ -69,7 +67,6 @@ public String safeJackson(@RequestBody String content) {
     }
 
 
-
     /**
      * CVE-2020-35728
      * com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool组件库存在不安全的反序列化

src/main/java/top/whgojp/modules/deserialize/readobject/controller/ReadObjectController.java

@@ -30,9 +30,9 @@ public String readObject(){
         return "vul/deserialize/readObject";
     }
 
-    @RequestMapping("/vulReadObject")
+    @RequestMapping("/vul")
     @ResponseBody
-    public R vulReadObject(String payload) {
+    public R vul(String payload) {
         System.setProperty("org.apache.commons.collections.enableUnsafeSerialization", "true");
         log.info("Java反序列化："+payload);
         try {
@@ -47,9 +47,9 @@ public R vulReadObject(String payload) {
             return R.error("[-]请输入正确的Payload！\n"+e.getMessage());
         }
     }
-    @RequestMapping("/safeReadObject1")
+    @RequestMapping("/safe1")
     @ResponseBody
-    public R safeReadObject1(String payload) {
+    public R safe1(String payload) {
         // 安全措施：禁用不安全的反序列化
         System.setProperty("org.apache.commons.collections.enableUnsafeSerialization", "false");
         log.info("Java反序列化："+payload);
@@ -65,9 +65,9 @@ public R safeReadObject1(String payload) {
             return R.error("[-]请输入正确的Payload！\n"+e.getMessage());
         }
     }
-    @RequestMapping("/safeReadObject2")
+    @RequestMapping("/safe2")
     @ResponseBody
-    public R safeReadObject2(String payload) {
+    public R safe2(String payload) {
         log.info("Java反序列化："+payload);
         try {
             payload = payload.replace(" ", "+");

src/main/java/top/whgojp/modules/deserialize/snakeyaml/controller/controller/SnakeYamlController.java

@@ -29,20 +29,21 @@ public String snakeYaml(){
         return "vul/deserialize/snakeYaml";
     }
 
-    @RequestMapping("/vulSnakeYaml")
+    @RequestMapping("/vul")
     @ResponseBody
-    public R vulSnakeYaml(String payload) {
+    public R vul(String payload) {
         Yaml y = new Yaml();
         y.load(payload);
         return R.ok("[+]Java反序列化：SnakeYaml原生漏洞");
     }
 
-    @PostMapping("/safeSnakeYaml")
-    public R safeSnakeYaml(String payload) {
+    @PostMapping("/safe")
+    @ResponseBody
+    public R safe(String payload) {
         try {
             Yaml y = new Yaml(new SafeConstructor());
             y.load(payload);
-            return R.ok("[-]Java反序列化：SnakeYaml安全构造");
+            return R.ok("[+]Java反序列化：SnakeYaml安全构造");
         } catch (Exception e) {
             return R.error("[-]Java反序列化：SnakeYaml反序列化失败");
         }

src/main/java/top/whgojp/modules/deserialize/xmldecoder/controller/XMLDecoderController.java

@@ -1,21 +1,22 @@
 package top.whgojp.modules.deserialize.xmldecoder.controller;
 
 import io.swagger.annotations.Api;
-import io.swagger.annotations.ApiOperation;
+
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Controller;
-import org.springframework.ui.Model;
-import org.springframework.web.bind.annotation.CrossOrigin;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
 import top.whgojp.common.utils.R;
 
-import java.beans.XMLDecoder;
-import java.beans.XMLEncoder;
-import java.io.*;
+import javax.xml.parsers.SAXParser;
+import javax.xml.parsers.SAXParserFactory;
+import java.io.ByteArrayInputStream;
 import java.nio.charset.StandardCharsets;
-import java.util.HashMap;
+import java.util.ArrayList;
+import java.util.List;
+import org.xml.sax.InputSource;
+import org.xml.sax.Attributes;
+import org.xml.sax.SAXException;
+import org.xml.sax.helpers.DefaultHandler;
 
 /**
  * @description 反序列化 - XMLDecoder
@@ -34,9 +35,9 @@ public String xmlDecoder() {
         return "vul/deserialize/xmlDecoder";
     }
 
-    @RequestMapping("/vulXmlDecoder")
+    @RequestMapping("/vul")
     @ResponseBody
-    public R vulXmlDecoder(String payload) {
+    public R vul(String payload) {
         String[] strCmd = payload.split(" ");
         StringBuilder xml = new StringBuilder()
                 .append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>")
@@ -51,11 +52,80 @@ public R vulXmlDecoder(String payload) {
         try {
             new java.beans.XMLDecoder(new ByteArrayInputStream(xml.toString().getBytes(StandardCharsets.UTF_8)))
                     .readObject().toString();
-            return R.ok("命令执行成功");
+            return R.ok("[+]命令执行成功");
         } catch (Exception e) {
-            return R.error("命令执行失败: " + e.getMessage());
+            return R.error("[-]命令执行失败: " + e.getMessage());
         }
     }
 
 
+    @RequestMapping("/safe")
+    @ResponseBody
+    public R safe(@RequestParam String payload) {
+        try {
+            // 构建 XML 字符串
+            StringBuilder xml = new StringBuilder()
+                    .append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>")
+                    .append("<java version=\"1.8.0_151\" class=\"java.beans.XMLDecoder\">")
+                    .append("<object class=\"java.lang.ProcessBuilder\">")
+                    .append("<array class=\"java.lang.String\" length=\"").append(payload.split(" ").length).append("\">");
+
+            for (int i = 0; i < payload.split(" ").length; i++) {
+                xml.append("<void index=\"").append(i).append("\"><string>")
+                        .append(payload.split(" ")[i]).append("</string></void>");
+            }
+
+            xml.append("</array><void method=\"start\" /></object></java>");
+
+            // 使用 SAX 解析器解析 XML
+            SAXParserFactory factory = SAXParserFactory.newInstance();
+            SAXParser saxParser = factory.newSAXParser();
+            CommandHandler handler = new CommandHandler();
+
+            // 将 ByteArrayInputStream 包装成 InputSource
+            InputSource inputSource = new InputSource(new ByteArrayInputStream(xml.toString().getBytes(StandardCharsets.UTF_8)));
+            saxParser.parse(inputSource, handler);
+
+            // 获取解析后的命令参数
+            List<String> args = handler.getArgs();
+
+            // 处理解析后的命令参数
+            System.out.println("Parsed command: " + String.join(" ", args));
+
+            return R.ok("[+]命令解析成功:"+String.join(" ", args));
+        } catch (Exception e) {
+            return R.error("[-]命令解析失败: " + e.getMessage());
+        }
+    }
+
+    // SAX 处理器
+    static class CommandHandler extends DefaultHandler {
+        private List<String> args = new ArrayList<>();
+        private boolean inString = false;
+
+        @Override
+        public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
+            if ("string".equals(qName)) {
+                inString = true;
+            }
+        }
+
+        @Override
+        public void characters(char[] ch, int start, int length) throws SAXException {
+            if (inString) {
+                args.add(new String(ch, start, length));
+            }
+        }
+
+        @Override
+        public void endElement(String uri, String localName, String qName) throws SAXException {
+            if ("string".equals(qName)) {
+                inString = false;
+            }
+        }
+
+        public List<String> getArgs() {
+            return args;
+        }
+    }
 }

src/main/java/top/whgojp/modules/other/controller/DosController.java

@@ -0,0 +1,56 @@
+package top.whgojp.modules.other.controller;
+
+import cn.hutool.captcha.CaptchaUtil;
+import cn.hutool.captcha.ShearCaptcha;
+import io.swagger.annotations.Api;
+import io.swagger.annotations.ApiOperation;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.CrossOrigin;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+
+import javax.imageio.ImageIO;
+import javax.servlet.http.HttpServletResponse;
+import java.awt.*;
+import java.awt.image.BufferedImage;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+
+/**
+ * @description 其他漏洞-Dos攻击
+ * @author: whgojp
+ * @email: whgojp@foxmail.com
+ * @Date: 2024/10/28 23:04
+ */
+@Slf4j
+@Api(value = "DosController", tags = "其他漏洞-Dos攻击")
+@Controller
+@CrossOrigin(origins = "*")
+@RequestMapping("/other/dos")
+public class DosController {
+    @RequestMapping("")
+    public String dos() {
+        return "vul/other/dos";
+    }
+
+    @RequestMapping("/vul")
+    public void vul(@RequestParam Integer width, @RequestParam Integer height, HttpServletResponse response) throws IOException {
+        response.setContentType("image/jpeg");
+        response.setHeader("Pragma", "no-cache");
+        response.setHeader("Cache-Control", "no-cache");
+        // 验证码参数可控 造成拒绝服务攻击
+        ShearCaptcha shearCaptcha = CaptchaUtil.createShearCaptcha(width, height,4,3);
+        try {
+            shearCaptcha.write(response.getOutputStream());
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        }
+    }
+    @RequestMapping("/vul2")
+    public String vul2() {
+
+        return "";
+    }
+
+}

src/main/java/top/whgojp/modules/spel/controller/SPELController.java

@@ -36,7 +36,7 @@ public String spel() {
     @ResponseBody
     @ApiImplicitParam(name = "ex", value = "表达式", dataType = "String", paramType = "query", dataTypeClass = String.class)
     @GetMapping("/vul-raw")
-    public R spelVul(@ApiParam(name = "ex", value = "表达式", required = true) @RequestParam String ex) {
+    public R vul(@ApiParam(name = "ex", value = "表达式", required = true) @RequestParam String ex) {
         // 创建SpEL解析器，ExpressionParser接口用于表示解析器，SpelExpressionParser为默认实现
         ExpressionParser parser = new SpelExpressionParser();
 //        Expression expression = parser.parseExpression(ex);
@@ -47,20 +47,20 @@ public R spelVul(@ApiParam(name = "ex", value = "表达式", required = true) @R
         Expression exp = parser.parseExpression(ex);
         // 通过上下文计算表达式的值，并将结果转换为字符串
         String result = exp.getValue(evaluationContext).toString();
-        log.info("[漏洞代码]SPEL表达式注入："+ex);
+        log.info("[+]SPEL表达式注入："+ex);
         return R.ok(result);
     }
 
     @ResponseBody
     @ApiImplicitParam(name = "ex", value = "表达式", dataType = "String", paramType = "query", dataTypeClass = String.class)
     @GetMapping("/safe")
-    public R spelSafe(@ApiParam(name = "ex", value = "表达式", required = true) @RequestParam String ex) {
+    public R safe(@ApiParam(name = "ex", value = "表达式", required = true) @RequestParam String ex) {
         // 使用 SimpleEvaluationContext 限制表达式功能(Java类型引用、构造函数调用、Bean引用)，防止危险的操作
         ExpressionParser parser = new SpelExpressionParser();
         EvaluationContext simpleContext = SimpleEvaluationContext.forReadOnlyDataBinding().build();
         Expression exp = parser.parseExpression(ex);
         String result = exp.getValue(simpleContext).toString();
-        log.info("[安全代码]SPEL表达式注入："+ex);
+        log.info("[-]SPEL表达式注入："+ex);
         return R.ok(result);
     }