/**
* @description 存放静态代码
* @author: whgojp
* @email: whgojp@foxmail.com
* @Date: 2024/5/19 19:03
*/
// Reflected XSS, sample 1: two controller methods that echo `content` back without any
// filtering, once wrapped in a JSON result and once as a bare String. The sample text
// itself notes that the JSON form is inert until something renders it into the page.
const vul1ReflectRaw = [
  "// 原生漏洞场景,未加任何过滤,Controller接口返回Json类型结果",
  "public R vul1(String content) {",
  " return R.ok(content);",
  "}",
  "// R 是对返回结果的封装工具util",
  "// 返回结果:",
  "// {",
  "// \"msg\": \"<script>alert(document.cookie)</script>\",",
  "// \"code\": 0",
  "// }",
  "// payload在json中是不会触发xss的 需要解析到页面中",
  "",
  "// 原生漏洞场景,未加任何过滤,Controller接口返回String类型结果",
  "public String vul2(String content) {",
  " return content;",
  "}",
].join("\n");
// Reflected XSS, sample 2: the response body is written straight from `content` and the
// Content-Type is chosen by the caller, so the "html" branch delivers the input as markup.
const vul2ReflectContentType = [
  "// Tomcat内置HttpServletResponse,Content-Type导致反射XSS",
  "public void vul3(String type,String content, HttpServletResponse response) {",
  " switch (type) {",
  " case \"html\":",
  " response.getWriter().print(content);",
  " response.setContentType(\"text/html;charset=utf-8\");",
  " response.getWriter().flush();",
  " break;",
  " case \"plain\":",
  " response.getWriter().print(content);",
  " response.setContentType(\"text/plain;charset=utf-8\");",
  " response.getWriter().flush();",
  " ...",
  " }",
  "}",
].join("\n");
// Mitigation sample: allow-list validation of the input on both sides. The front-end regex
// is a JS literal (single backslash), the back-end one is a Java string (escaped backslash),
// so the two `\s` spellings below are intentionally different.
const safe1CheckUserInput = [
  "// 对用户输入的数据进行验证和过滤,确保不包含恶意代码。使用白名单过滤,只允许特定类型的输入,如纯文本或指定格式的数据",
  "// 前端校验代码",
  "var whitelistRegex = /^[a-zA-Z0-9_\\s]+$/;",
  "",
  "// 检查输入值是否符合白名单要求",
  "if (!whitelistRegex.test(value)) {",
  "\tlayer.msg('输入内容包含非法字符,请检查输入', {icon: 2, offset: '10px'});",
  "\treturn false; // 取消表单提交",
  " } else {",
  " \t// 正常发送请求",
  " }",
  "",
  "// 后端校验代码",
  "private static final String WHITELIST_REGEX = \"^[a-zA-Z0-9_\\\\s]+$\";",
  "private static final Pattern pattern = Pattern.compile(WHITELIST_REGEX);",
  "",
  "Matcher matcher = pattern.matcher(content);",
  "if (matcher.matches()){",
  " return R.ok(content);",
  "}else return R.error(\"输入内容包含非法字符,请检查输入\");",
].join("\n");
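// Mitigation sample: Content-Security-Policy via a <meta> tag and via a response header.
// In CSP the keyword `self` must be single-quoted; an unquoted `self` is parsed as a host
// source named "self" and does not allow the page's own origin. The header sample now uses
// 'self', matching the <meta> sample above it.
const safe2CSP = [
  "// 内容安全策略(Content Security Policy)是一种由浏览器实施的安全机制,旨在减少和防范跨站脚本攻击(XSS)等安全威胁。它通过允许网站管理员定义哪些内容来源是可信任的,从而防止恶意内容的加载和执行",
  "// 前端Meta配置",
  "<meta http-equiv=\"Content-Security-Policy\" content=\"default-src 'self'; script-src 'self' https://apis.example.com; style-src 'self' https://fonts.googleapis.com; img-src 'self' data: https://*.example.com;\">",
  "",
  "",
  "// 后端Header配置",
  "public String safe2(String content,HttpServletResponse response) {",
  " response.setHeader(\"Content-Security-Policy\",\"default-src 'self'\");",
  " return content;",
  "}",
].join("\n");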
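// Mitigation sample: HTML entity escaping, manually and via Spring's HtmlUtils.
// The page had HTML-decoded the replacement strings, leaving no-op calls such as
// replace(content, "&", "&"); the standard entities are restored here. The forms chosen
// for ' (&#x27;) and / (&#x2F;) are the usual ones — confirm against the lab source.
const safe3EntityEscape = [
  '// 特殊字符实体转义是一种将HTML中的特殊字符转换为预定义实体表示的过程',
  '// 这种转义是为了确保在HTML页面中正确显示特定字符,同时避免它们被浏览器误解为HTML标签或JavaScript代码的一部分,从而导致页面结构混乱或安全漏洞',
  'public R safe3(@ApiParam(String type, String content) {',
  ' String filterContented = "";',
  ' switch (type){',
  ' case "manual":',
  ' content = StringUtils.replace(content, "&", "&amp;");',
  ' content = StringUtils.replace(content, "<", "&lt;");',
  ' content = StringUtils.replace(content, ">", "&gt;");',
  ' content = StringUtils.replace(content, "\\"", "&quot;");',
  ' content = StringUtils.replace(content, "\'", "&#x27;");',
  ' content = StringUtils.replace(content, "/", "&#x2F;");',
  ' filterContented = content;',
  ' break;',
  ' case "spring":',
  ' filterContented = HtmlUtils.htmlEscape(content);',
  ' break;',
  ' ...',
  ' }',
  '}',
].join("\n");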
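// Mitigation sample: HttpOnly cookies, set per endpoint and globally (application.yml,
// Spring Boot config class). The page showed the token `ueditor` where the literal `1`
// belongs: the "1、" heading that pairs with "2、Springboot配置类", and the cookie array
// index. Both are restored to 1; the array index is reconstructed — confirm against source.
const safe4HttpOnly = [
  "// HttpOnly是HTTP响应头属性,用于增强Web应用程序安全性。它防止客户端脚本访问(只能通过http/https协议访问)带有HttpOnly标记的 cookie,从而减少跨站点脚本攻击(XSS)的风险",
  "// 单个接口配置",
  "public R safe4(String content, HttpServletRequest request,HttpServletResponse response) {",
  " Cookie cookie = request.getCookies()[1];",
  " cookie.setHttpOnly(true); // 设置为 HttpOnly",
  " cookie.setMaxAge(600); // 这里设置生效时间为十分钟",
  " cookie.setPath(\"/\");",
  " response.addCookie(cookie);",
  " return R.ok(content);",
  "}",
  "",
  "// 全局配置",
  "// 1、application.yml配置",
  "server:",
  " servlet:",
  " session:",
  " cookie:",
  " http-only: true",
  "",
  "// 2、Springboot配置类",
  "@Configuration",
  "public class ServerConfig {",
  " @Bean",
  " public WebServerFactoryCustomizer<ConfigurableWebServerFactory> webServerFactoryCustomizer() {",
  " return factory -> {",
  " Session session = new Session();",
  " session.getCookie().setHttpOnly(true);",
  " factory.setSession(session);",
  " ...",
  "}",
].join("\n");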
// Stored XSS sample: `content` and the User-Agent header are persisted unchanged through
// controller, service and MyBatis mapper. The insert itself is parameterised (#{}), so the
// issue this sample illustrates is output encoding, not SQL injection.
const vul1StoreRaw = [
  "// 原生漏洞场景,未加任何过滤,将用户输入存储到数据库中",
  "// Controller层",
  "public R vul(String content,HttpServletRequest request) {",
  " String ua = request.getHeader(\"User-Agent\");",
  " final int code = xssService.insertOne(content,ua);",
  " ...",
  "}",
  "// Service层",
  "public int insertOne(String content, String ua) {",
  " final int code = xssMapper.insertAll(content,ua,DateUtil.now());",
  " return code;",
  "}",
  "// Mapper层",
  "int insertAll(String content,String ua,String date);",
  "",
  "<insert id=\"insertAll\">",
  " insert into xss",
  " (content,ua, date)",
  " values (#{content,jdbcType=VARCHAR},#{ua,jdbcType=VARCHAR}, #{date,jdbcType=VARCHAR})",
  "</insert>",
].join("\n");
// Mitigation sample for stored XSS: escape at render time (layui table templet) using a
// textarea-based escapeHtml helper, a DOM text node, or jQuery's text(). The sample text
// ends with a newline, hence the trailing empty element.
const safe1StoreEntityEscape = [
  "// 表格数据渲染",
  "table.render({",
  "\t...",
  " cols: [",
  " {field: 'id', title: 'ID', sort: true, width: '60', fixed: 'left'},",
  " {field: 'content', title: 'Content', width: '200', templet: function(d){",
  " return escapeHtml(d.content); ",
  " }},",
  " {field: 'ua', title: 'User-Agent', width: '200', templet: function(d){",
  " return escapeHtml(d.ua); ",
  " }},",
  " \t...",
  "// 方法一、HTML 实体转义函数",
  "function escapeHtml(html) {",
  " var text = document.createElement(\"textarea\");",
  " text.textContent = html;",
  " return text.innerHTML;",
  "}",
  "// 方法二、JavaScript的文本节点",
  "var textNode = document.createTextNode(htmlContent);",
  "element.appendChild(textNode);",
  "// 方法三、jQuery的text()方法",
  "$('#element').text(htmlContent);",
  "",
].join("\n");
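// DOM XSS samples: innerHTML assignment from an input, location.href taken from the URL
// fragment, and innerHTML fed from localStorage. The page showed `hash.substring(ueditor)`
// where the literal 1 belongs (it strips the leading '#'); restored to substring(1).
const vul1DomRaw = [
  "// innerHTML",
  "form.on('submit(vul1-dom-raw)', function (data) {",
  " var userInput = document.getElementById('vul1-dom-raw-input').value;",
  " var outputDiv = document.getElementById('vul-dom-raw-result');",
  " outputDiv.innerHTML = userInput;",
  " return false;",
  "});",
  "",
  "// href跳转场景",
  "var hash = location.hash;",
  "if(hash){",
  " var url = hash.substring(1);",
  " console.log(url);",
  " location.href = url;",
  "}",
  "",
  "// DOM存储注入",
  "form.on('submit(vul3-dom-raw-submit)', function (data) {",
  " localStorage.setItem('vul4-dom-raw', document.getElementById('vul4-dom-raw-input').value);",
  " var storedData = localStorage.getItem('vul4-dom-raw');",
  " document.getElementById('vul-dom-raw-result').innerHTML = storedData;",
  " return false;",
  "})",
].join("\n");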
// Upload sample used by the XSS and arbitrary-file modules: the file is stored under a
// timestamp name with whatever `suffix` the caller passes; no type or extension check here.
const vul1OtherUpload = [
  "public String uploadFile(MultipartFile file, String suffix,String path) throws IOException {",
  " String uploadFolderPath = sysConstant.getUploadFolder();",
  " try {",
  " String fileName = +DateUtil.current() + \".\"+suffix;",
  " String newFilePath = uploadFolderPath + \"/\" + fileName;",
  "",
  " file.transferTo(new File(newFilePath)); // 将文件保存到指定路径",
  " log.info(\"上传文件成功,文件路径:\" + newFilePath);",
  " return \"上传文件成功,文件路径:\" + path + fileName;",
  " } catch (IOException e) {",
  " e.printStackTrace(); // 打印异常堆栈信息",
  " log.info(\"文件上传失败\" + e.getMessage());",
  " return \"文件上传失败\" + e.getMessage();",
  " }",
  "}",
].join("\n");
// Template sample: the same model attribute is rendered with th:utext (unescaped) and
// th:text (escaped), which is what makes the "html" branch an XSS sink. The `${html}`
// below is Thymeleaf syntax inside a plain string, not a JS template literal.
const vul2OtherTemplate = [
  "public String handleTemplateInjection(String content,String type, Model model) {",
  " if (\"html\".equals(type)) {",
  " model.addAttribute(\"html\", content);",
  " } else if (\"text\".equals(type)) {",
  " model.addAttribute(\"text\", content);",
  " }",
  " return \"vul/xss/other\";",
  "}",
  "",
  "<div class=\"layui-card-body layui-text layadmin-text\" style=\"color: red;font-size: 15px;\">",
  " <p th:utext=\"${html}\"></p>",
  " <p th:text=\"${text}\"></p>",
  "</div>",
].join("\n");
// Supply-chain sample: a jQuery 1.6.1 include (the title cites CVE-2020-11022/11023),
// a springfox 3.0.0 dependency the sample marks as XSS-affected, and an unrestricted
// Ueditor upload. The <version> line carries a literal tab before its trailing comment.
const vul3SCMSec = [
  "// jQuery依赖",
  "<head>",
  " <meta charset=\"utf-8\">",
  " <title>jQuery XSS Examples (CVE-2020-11022/CVE-2020-11023)</title>",
  " <!-- 测试JQuery -->",
  " <script src=\"/lib/jquery-1.6.1.js\"></script>",
  " <!-- <script src=\"./jquery.min.js\"></script> -->",
  "</head>",
  "",
  "<!--swagger依赖-->",
  "<dependency>",
  " <groupId>io.springfox</groupId>",
  " <artifactId>springfox-boot-starter</artifactId>",
  " <version>3.0.0</version>\t// 该版本存在xss",
  "</dependency>",
  "",
  "// Ueditor编辑器未做任何限制 抓上传数据包后,可以上传任意类型文件",
].join("\n");
// SQL injection sample 1: plain JDBC Statement with every query built by concatenating
// the request parameters. Kept verbatim; the parameterised counterpart is safe1PrepareStatementParametric.
const vul1RawJoint = [
  "// 原生sql语句动态拼接 参数未进行任何处理",
  "public R vul1(String type,String id,String username,String password) {",
  " //注册数据库驱动类",
  " Class.forName(\"com.mysql.cj.jdbc.Driver\");",
  "",
  " //调用DriverManager.getConnection()方法创建Connection连接到数据库",
  " Connection conn = DriverManager.getConnection(dbUrl, dbUser, dbPass);",
  "",
  " //调用Connection的createStatement()或prepareStatement()方法 创建Statement对象",
  " Statement stmt = conn.createStatement();",
  " switch (type) {",
  " case \"add\":",
  " //这里没有标识id id自增长",
  " sql = \"INSERT INTO sqli (username, password) VALUES ('\" + username + \"', '\" + password + \"')\";",
  " //通过Statement对象执行SQL语句,得到ResultSet对象-查询结果集",
  " // 这里注意一下 insert、update、delete 语句应使用executeUpdate()",
  " rowsAffected = stmt.executeUpdate(sql);",
  " //关闭ResultSet结果集 Statement对象 以及数据库Connection对象 释放资源",
  " stmt.close();",
  " conn.close();",
  " return R.ok(message);",
  " case \"delete\":",
  " sql = \"DELETE FROM users WHERE id = '\" + id + \"'\";",
  " rowsAffected = stmt.executeUpdate(sql);",
  " ...",
  " case \"update\":",
  " sql = \"UPDATE sqli SET password = '\" + password + \"', username = '\" + username + \"' WHERE id = '\" + id + \"'\";",
  " rowsAffected = stmt.executeUpdate(sql);",
  " ...",
  " case \"select\":",
  " sql = \"SELECT * FROM users WHERE id = \" + id;",
  " ResultSet rs = stmt.executeQuery(sql);",
  " ...",
  " }",
  "}",
].join("\n");
// SQL injection sample 2: a PreparedStatement is created, but the already-concatenated SQL
// is passed again to executeUpdate(sql)/executeQuery(sql), so no parameter binding happens.
const vul2prepareStatementJoint = [
  "// 虽然使用了conn.prepareStatement(sql)创建了一个PreparedStatement对象,但在执行 stmt.executeUpdate(sql)时,却是传递了完整的SQL语句作为参数,而不是使用了预编译的功能",
  "public R vul2(String type,String id,String username,String password) {",
  " Class.forName(\"com.mysql.cj.jdbc.Driver\");",
  " Connection conn = DriverManager.getConnection(dbUrl, dbUser, dbPass);",
  " PreparedStatement stmt;",
  " switch (type) {",
  " case \"add\":",
  " sql = \"INSERT INTO sqli (username, password) VALUES ('\" + username + \"', '\" + password + \"')\";",
  " stmt = conn.prepareStatement(sql);",
  " rowsAffected = stmt.executeUpdate(sql);",
  " ...",
  " case \"delete\":",
  " sql = \"DELETE FROM users WHERE id = '\" + id + \"'\";",
  " stmt = conn.prepareStatement(sql);",
  " rowsAffected = stmt.executeUpdate(sql);",
  " ...",
  " case \"update\":",
  " sql = \"UPDATE sqli SET username = '\" + username + \"', password = '\" + password + \"' WHERE id = '\" + id + \"'\";",
  " stmt = conn.prepareStatement(sql);",
  " rowsAffected = stmt.executeUpdate(sql);",
  " ...",
  " case \"select\":",
  " sql = \"SELECT * FROM users WHERE id = \" + id;",
  " stmt = conn.prepareStatement(sql);",
  " ResultSet rs = stmt.executeQuery(sql);",
  " ...",
  " }",
  "}",
].join("\n");
// SQL injection sample 3: Spring JdbcTemplate with concatenated SQL. The template manages
// connections but does nothing about a query string that already embeds the parameters.
const vul3JdbcTemplateJoint = [
  "// JDBCTemplate是Spring对JDBC的封装,底层实现实际上还是JDBC",
  "public R vul3(String type,String id,String username,String password) {",
  " DriverManagerDataSource dataSource = new DriverManagerDataSource();",
  " dataSource.setDriverClassName(\"com.mysql.cj.jdbc.Driver\");",
  " dataSource.setUrl(dbUrl);",
  " dataSource.setUsername(dbUser);",
  " dataSource.setPassword(dbPass);",
  " JdbcTemplate jdbctemplate = new JdbcTemplate(dataSource);",
  " switch (type) {",
  " case \"add\":",
  " sql = \"INSERT INTO sqli (username, password) VALUES ('\" + username + \"', '\" + password + \"')\";",
  " //Spring的JdbcTemplate会自动管理连接的获取和释放,不需要手动关闭连接",
  " rowsAffected = jdbctemplate.update(sql);",
  " ...",
  " case \"delete\":",
  " sql = \"DELETE FROM users WHERE id = '\" + id + \"'\";",
  " rowsAffected = jdbctemplate.update(sql);",
  " ...",
  " case \"update\":",
  " sql = \"UPDATE sqli SET username = '\" + username + \"', password = '\" + password + \"' WHERE id = '\" + id + \"'\";",
  " rowsAffected = jdbctemplate.update(sql);",
  " ...",
  " case \"select\":",
  " sql = \"SELECT * FROM users WHERE id = \" + id;",
  " stringObjectMap = jdbctemplate.queryForMap(sql);",
  " ...",
  " }",
  "}",
].join("\n");
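// Mitigation sample: PreparedStatement with ? placeholders and setString() binding.
// The page showed `setString(ueditor, ...)` in three places where the JDBC parameter
// index 1 belongs (the "update" case still showed setString(1, username)); all four
// first-parameter bindings now read setString(1, ...).
const safe1PrepareStatementParametric = [
  "// 采用预编译的方法,使用?占位,也叫参数化的SQL",
  "public R safe1(String type,String id,String username,String password) {",
  " Class.forName(\"com.mysql.cj.jdbc.Driver\");",
  " Connection conn = DriverManager.getConnection(dbUrl, dbUser, dbPass);",
  " PreparedStatement stmt;",
  " switch (type) {",
  " case \"add\":",
  " // 这里可以看到使用了?占位符 sql语句和参数进行分离",
  " sql = \"INSERT INTO users (username, password) VALUES (?, ?)\"; ",
  " stmt = conn.prepareStatement(sql);",
  " // 参数化处理",
  " stmt.setString(1, username); ",
  " stmt.setString(2, password);",
  " // 使用预编译时 不需要传递sql语句",
  " rowsAffected = stmt.executeUpdate();",
  " case \"delete\":",
  " sql = \"DELETE FROM users WHERE id = ?\";",
  " stmt = conn.prepareStatement(sql);",
  " stmt.setString(1, id);",
  " rowsAffected = stmt.executeUpdate();",
  " ...",
  " case \"update\":",
  " sql = \"UPDATE sqli SET username = ?, password = ? WHERE id = ?\";",
  " stmt = conn.prepareStatement(sql);",
  " stmt.setString(1, username); ",
  " stmt.setString(2, password);",
  " stmt.setString(3, id);",
  " stmt.executeUpdate();",
  " ...",
  " case \"select\":",
  " sql = \"SELECT * FROM users WHERE id = ?\";",
  " stmt = conn.prepareStatement(sql);",
  " stmt.setString(1, id);",
  " ResultSet rs = stmt.executeQuery();",
  " ...",
  " }",
  "}",
].join("\n");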
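// Mitigation sample: JdbcTemplate.update/queryForMap with ? placeholders and varargs
// binding. The "update" case bound only (username, id) to a three-placeholder statement
// (username, password, id); the missing `password` argument is now supplied so the sample
// binds one value per placeholder. The sample text ends with a newline.
const safe2JdbcTemplatePrepareStatementParametric = [
  "// JDBCTemplate预编译 此时在常规DML场景有效的防止了SQL注入攻击的发生",
  "public R safe2(String type,String id,String username,String password) {",
  " DriverManagerDataSource dataSource = new DriverManagerDataSource();",
  " dataSource.setDriverClassName(\"com.mysql.cj.jdbc.Driver\");",
  " dataSource.setUrl(dbUrl);",
  " dataSource.setUsername(dbUser);",
  " dataSource.setPassword(dbPass);",
  " JdbcTemplate jdbctemplate = new JdbcTemplate(dataSource);",
  " switch (type) {",
  " case \"add\":",
  " sql = \"INSERT INTO sqli (username, password) VALUES (?,?)\";",
  " rowsAffected = jdbctemplate.update(sql, username, password);",
  " ...",
  " case \"delete\":",
  " sql = \"DELETE FROM users WHERE id = ?\";",
  " rowsAffected = jdbctemplate.update(sql, id);",
  " ...",
  " case \"update\":",
  " sql = \"UPDATE sqli SET username = ?, password = ? WHERE id = ?\";",
  " rowsAffected = jdbctemplate.update(sql, username, password, id);",
  " ...",
  " case \"select\":",
  " sql = \"SELECT * FROM users WHERE id = ?\";",
  " stringObjectMap = jdbctemplate.queryForMap(sql, id);",
  " ...",
  " }",
  "}",
  "",
].join("\n");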
// "Mitigation" sample 3: a keyword/character deny-list applied before concatenating the
// SQL. Note that the queries are still string-built; deny-lists only filter known tokens,
// so the parameterised samples (safe1/safe2) are the real control. Ends with a newline.
const safe3BlacklistcheckSqlBlackList = [
  "// 检测用户输入是否存在敏感字符:'、;、--、+、,、%、=、>、<、*、(、)、and、or、exeinsert、select、delete、update、count、drop、chr、midmaster、truncate、char、declare",
  "public R safe3(String type,String id,String username,String password) {",
  " Class.forName(\"com.mysql.cj.jdbc.Driver\");",
  " Connection conn = DriverManager.getConnection(dbUrl, dbUser, dbPass);",
  " Statement stmt = conn.createStatement();",
  " switch (type) {",
  " case \"add\":",
  " if (checkUserInput.checkSqlBlackList(username) || checkUserInput.checkSqlBlackList(password)) {",
  " return R.error(\"黑名单检测到非法SQL注入!\");",
  " } else {",
  " sql = \"INSERT INTO users (username, password) VALUES ('\" + username + \"', '\" + password + \"')\";",
  " rowsAffected = stmt.executeUpdate(sql);",
  " ...",
  " case \"delete\":",
  " if (checkUserInput.checkSqlBlackList(id)) {",
  " return R.error(\"黑名单检测到非法SQL注入!\");",
  " } else {",
  " sql = \"DELETE FROM users WHERE id = '\" + id + \"'\";",
  " rowsAffected = stmt.executeUpdate(sql);",
  " ...",
  " case \"update\":",
  " if (checkUserInput.checkSqlBlackList(id) || checkUserInput.checkSqlBlackList(username) || checkUserInput.checkSqlBlackList(password)) {",
  " return R.error(\"黑名单检测到非法SQL注入!\");",
  " } else {",
  " sql = \"UPDATE users SET password = '\" + password + \"', username = '\" + username + \"' WHERE id = '\" + id + \"'\";",
  " rowsAffected = stmt.executeUpdate(sql);",
  " ...",
  " case \"select\":",
  " if (checkUserInput.checkSqlBlackList(id)) {",
  " return R.error(\"黑名单检测到非法SQL注入!\");",
  " } else {",
  " sql = \"SELECT * FROM users WHERE id = \" + id;",
  " ResultSet rs = stmt.executeQuery(sql);",
  " ...",
  " }",
  "}",
  "",
].join("\n");
// Mitigation sample 4a: the controller takes `id` as Integer, so Spring's binding rejects
// non-numeric input before the (still concatenated) query is built.
const safe4RequestRarameterValidate = [
  "// 强制类型转换 对用户请求参数进行校验",
  "public R safe4(Integer id) {",
  " Class.forName(\"com.mysql.cj.jdbc.Driver\");",
  " Connection conn = DriverManager.getConnection(dbUrl, dbUser, dbPass);",
  " Statement stmt = conn.createStatement();",
  " message = checkUserInput.checkUser(id);",
  " if (!message.isEmpty()) return R.error(message);",
  " sql = \"SELECT * FROM users WHERE id = \" + id;",
  " ResultSet rs = stmt.executeQuery(sql);",
  " ...",
  "}",
].join("\n");
// Mitigation sample 4b: ESAPI encodeForSQL with an OracleCodec against a MySQL driver.
// NOTE(review): as displayed, `sql` is declared twice and the second declaration rebuilds
// the query from the raw `id`, so the encoded query is not the one executed — looks like a
// leftover line; confirm against the lab source before relying on this sample.
const safe4EASAPIFilter = [
  "// ESAPI提供了多种输入验证API,提供对XSS攻击和SQL注入攻击等的防护",
  "public R safe4(String id) {",
  " Codec<Character> oracleCodec = new OracleCodec();",
  " Class.forName(\"com.mysql.cj.jdbc.Driver\");",
  " Connection conn = DriverManager.getConnection(dbUrl, dbUser, dbPass);",
  "",
  " Statement stmt = conn.createStatement();",
  " // 使用了 Oracle 的编解码器 OracleCodec 和 ESAPI 库来对 ID 进行编码,以防止 SQL 注入攻击。",
  " String sql = \"select * from sqli where id = '\" + ESAPI.encoder().encodeForSQL(oracleCodec, id) + \"'\";",
  " // String sql = \"select * from sqli where id = '\" + id + \"'\";",
  " String sql = \"select * from users where id = '\" + id + \"'\";",
  " ResultSet rs = stmt.executeQuery(sql);",
  "}",
].join("\n");
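// ORDER BY sample: a bound parameter cannot name a column, so the "prepareStatement" case
// sorts by default and the defence is an allow-list of column names. Three fixes to the
// displayed text: `ueditor` restored to the JDBC parameter index 1; the call site now uses
// the helper's actual name `checkSqlWhiteList` (it was spelled `chech...`); and the guard
// is `!checkSqlWhiteList(field)`, since the helper returns true for an allowed column and
// the original condition rejected exactly those.
const special1OrderBy = [
  "// ORDER BY关键字用于按升序或降序对结果集进行排序。 由于order by后面需要紧跟column_name,而预编译是参数化字符串,而order by后面紧跟字符串就会不支持原有功能 使用默认排序,因此通常防御order by注入需要使用白名单的方式",
  "public R special1OrderBy(String type,String field) {",
  " Class.forName(\"com.mysql.cj.jdbc.Driver\");",
  " Connection conn = DriverManager.getConnection(dbUrl, dbUser, dbPass);",
  " PreparedStatement preparedStatement;",
  " switch (type) {",
  " case \"raw\":",
  " sql = \"SELECT * FROM users ORDER BY \" + field;",
  " preparedStatement = conn.prepareStatement(sql);",
  " rs = preparedStatement.executeQuery();",
  " ...",
  " case \"prepareStatement\":",
  " // 可以测试下 预编译没有报错 不过插入语句不生效 默认使用主键升序",
  " sql = \"select * from users order by ?\";",
  " preparedStatement = conn.prepareStatement(sql);",
  " preparedStatement.setString(1, field);",
  " rs = preparedStatement.executeQuery();",
  " ...",
  " case \"writeList\":",
  " sql = \"SELECT * FROM users ORDER BY \" + field;",
  " if (!checkUserInput.checkSqlWhiteList(field)) {",
  " return R.error(\"field字段不合法!\");",
  " }",
  " preparedStatement = conn.prepareStatement(sql);",
  " rs = preparedStatement.executeQuery();",
  " }",
  "}",
  "/**",
  " * SQL注入关键词白名单",
  " */",
  "public boolean checkSqlWhiteList(String content) {",
  " String[] white_list = {\"id\", \"username\", \"password\"};",
  " for (String s : white_list) {",
  " if (content.toLowerCase().equals(s)) {",
  " return true;",
  " }",
  " }",
  " return false;",
  "}",
].join("\n");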
// LIKE sample: concatenating `keyword` into the pattern vs. binding "%keyword%" as one
// parameter. The commented-out query line in the sample starts at column 0 on purpose.
const special2Like = [
  "public R special2Like(String type,String keyword) {",
  " Class.forName(\"com.mysql.cj.jdbc.Driver\");",
  " Connection conn = DriverManager.getConnection(dbUrl, dbUser, dbPass);",
  " ...",
  " switch (type) {",
  " case \"raw\": // 查询语句拼接",
  "// sql = \"SELECT * FROM sqli WHERE username LIKE '%\" + keyword + \"%'\";",
  " sql = \"SELECT * FROM sqli WHERE username LIKE concat('%', '\" + keyword + \"', '%')\";",
  " rs = stmt.executeQuery(sql);",
  " ...",
  " case \"prepareStatement\": // 使用预编译",
  " sql = \"SELECT * FROM sqli WHERE username LIKE ?\";",
  " preparedStatement = conn.prepareStatement(sql);",
  " preparedStatement.setString(1, \"%\" + keyword + \"%\");",
  " rs = preparedStatement.executeQuery();",
  " ...",
  " }",
  "}",
].join("\n");
// LIMIT sample: concatenated `size` vs. a bound parameter. The bound variant uses
// setString for a numeric LIMIT; whether the driver accepts that is not shown here.
const special3Limit = [
  "public R special3Limit(String type,String size) {",
  " Class.forName(\"com.mysql.cj.jdbc.Driver\");",
  " Connection conn = DriverManager.getConnection(dbUrl, dbUser, dbPass);",
  " ...",
  " switch (type) {",
  " case \"raw\":",
  " sql = \"SELECT * FROM sqli ORDER BY id DESC LIMIT \" + size;",
  " rs = stmt.executeQuery(sql);",
  " ...",
  " // 使用预编译",
  " case \"prepareStatement\":",
  " sql = \"SELECT * FROM sqli ORDER BY id DESC LIMIT ?\";",
  " preparedStatement = conn.prepareStatement(sql);",
  " preparedStatement.setString(1, size);",
  " rs = preparedStatement.executeQuery();",
  " ...",
  " }",
  "}",
].join("\n");
// MyBatis
// Placeholder: no sample text yet, so the key name itself is what the UI displays.
const vul1CustomMethod = 'vul1CustomMethod';
// MyBatis sample: insert through the generated mapper method (parameterised by MyBatis).
// The controller header is truncated in the sample text; it ends with a newline.
const safe1NativeMethod = [
  "// 这里以增加功能为例",
  "// Controller层",
  "public R safe1(",
  "switch (type) {",
  " case \"add\":",
  " rowsAffected = sqliService.nativeInsert(new Sqli(id, username, password));",
  " message = (rowsAffected > 0) ? \"数据插入成功 username:\" + username + \" password:\" + password : \"数据插入失败\";",
  " return R.ok(message);",
  " ...",
  "}",
  "// Service层",
  "@Override",
  "public int nativeInsert(Sqli user) {",
  " return sqliMapper.insert(user);",
  "}",
  "",
  "// Mapper层",
  "int insert(T entity); ",
  "",
].join("\n");
// MyBatis sample: custom XML insert that uses #{} placeholders, i.e. bound parameters.
const safe2CustomMethod = [
  "// 这里以增加功能为例",
  "// Controller层",
  "public R safe2( ",
  "switch (type) {",
  " case \"add\":",
  " //这里插入数据使用MyBatiX插件生成的方法",
  " rowsAffected = sqliService.customInsert(new Sqli(id, username, password));",
  " message = (rowsAffected > 0) ? \"数据插入成功 username:\" + username + \" password:\" + password : \"数据插入失败\";",
  " return R.ok(message);",
  " ...",
  "}",
  "// Service层",
  "//自定义SQL-使用#{}",
  "@Override",
  "public int customInsert(Sqli user) {",
  " return sqliMapper.customInsert(user);",
  "}",
  "",
  "// Mapper层",
  "<insert id=\"customInsert\">",
  " insert into sqli (id,username,password) values (#{id,jdbcType=INTEGER},#{username,jdbcType=VARCHAR},#{password,jdbcType=VARCHAR})",
  "</insert>",
].join("\n");
// MyBatis ORDER BY sample: ${} interpolation (injectable), #{} binding (sort has no
// effect), and an allow-list <choose> that only interpolates a known column name.
const mybatisSpecial1OrderBy = [
  "// Controller层",
  "public R special1OrderBy() {",
  " List<Sqli> sqlis = new ArrayList<>();",
  " switch (type) {",
  " case \"raw\":",
  " sqlis = sqliService.orderByVul(field);",
  " break;",
  " case \"prepareStatement\":",
  " sqlis = sqliService.orderByPrepareStatement(field);",
  " break;",
  " case \"writeList\":",
  " sqlis = sqliService.orderByWriteList(field);",
  " ...",
  "// Service层",
  "//自定义SQL-使用#{}",
  "@Override",
  "public List<Sqli> orderByVul(String field) {",
  " return sqliMapper.orderByVul(field);",
  "}",
  "@Override",
  "public List<Sqli> orderByPrepareStatement(String field) {",
  " return sqliMapper.orderByPrepareStatement(field);",
  "}",
  "@Override",
  "public List<Sqli> orderByWriteList(String field) {",
  " return sqliMapper.orderByWriteList(field);",
  "}",
  "// Mapper层",
  "<!-- Order by下的${}拼接注入问题-->",
  "<select id=\"orderByVul\" resultType=\"top.whgojp.modules.sqli.entity.Sqli\">",
  " SELECT * FROM sqli",
  " <if test=\"field != null and field != ''\">",
  " ORDER BY ${field}",
  " </if>",
  "</select>",
  "<!-- Order by下的#{}写法 排序不生效-->",
  "<select id=\"orderByPrepareStatement\" resultType=\"top.whgojp.modules.sqli.entity.Sqli\">",
  " SELECT * FROM sqli",
  " <if test=\"field != null and field != ''\">",
  " ORDER BY #{field}",
  " </if>",
  "</select>",
  "<!-- Order by下的安全写法 白名单-->",
  "<select id=\"orderByWriteList\" resultType=\"top.whgojp.modules.sqli.entity.Sqli\">",
  " SELECT * FROM sqli",
  " <if test=\"field != null and field != ''\">",
  " <choose>",
  " <!-- 排序列名白名单 -->",
  " <when test=\"field == 'id' or field == 'username' or field == 'password'\">",
  " ORDER BY ${field}",
  " </when>",
  " <otherwise>",
  " <!-- 默认使用id进行排序 -->",
  " ORDER BY id",
  " </otherwise>",
  " </choose>",
  " </if>",
  "</select>",
].join("\n");
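// MyBatis LIKE sample: '%${keyword}%' interpolation vs. CONCAT('%', #{keyword}, '%').
// A stray `public R special1OrderBy() {` line that preceded the @PostMapping annotation
// (a leftover from the ORDER BY sample) is dropped so the controller excerpt is coherent.
const mybatisSpecial2Like = [
  "// Controller层",
  "@PostMapping(\"/special2-Like\")",
  "public R special2Like(String type,String keyword) {",
  " List<Sqli> sqlis = new ArrayList<>();",
  " switch (type) {",
  " case \"raw\":",
  " sqlis = sqliService.likeVul(keyword);",
  " break;",
  " case \"prepareStatement\":",
  " sqlis = sqliService.likePrepareStatement(keyword);",
  " break;",
  " ...",
  "// Service层",
  "@Override",
  "public List<Sqli> orderByWriteList(String field) {",
  " return sqliMapper.orderByWriteList(field);",
  "}",
  "@Override",
  "public List<Sqli> likeVul(String keyword) {",
  " return sqliMapper.likeVul(keyword);",
  "}",
  "// Mapper层",
  "<!-- 模糊查询-->",
  "<select id=\"likeVul\" resultType=\"top.whgojp.modules.sqli.entity.Sqli\">",
  " SELECT * FROM sqli WHERE username LIKE '%${keyword}%'",
  "</select>",
  "<select id=\"likePrepareStatement\" resultType=\"top.whgojp.modules.sqli.entity.Sqli\">",
  " SELECT * FROM sqli WHERE username LIKE CONCAT('%', #{keyword}, '%')",
  "</select>",
].join("\n");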
// MyBatis IN sample: ${} interpolation of the list, #{} binding of the whole string (a
// single value), and the <foreach> form that binds each element of a List<Integer>.
const mybatisSpecial3In = [
  "// Controller层",
  "public R special3In(String type,String scope) {",
  " switch (type) {",
  " case \"raw\":",
  " sqlis = sqliService.inVul(scope);",
  " break;",
  " case \"prepareStatement\":",
  " sqlis = sqliService.inPrepareStatement(scope);",
  " break;",
  " case \"Foreach\":",
  "",
  " sqlis = sqliService.inSafeForeach(parseInputToList(scope));",
  " break;",
  " ...",
  "// Service层",
  "@Override",
  "public List<Sqli> inVul(String scope) {",
  " return sqliMapper.inVul(scope);",
  "}",
  "@Override",
  "public List<Sqli> inPrepareStatement(String scope) {",
  " return sqliMapper.inPrepareStatement(scope);",
  "}",
  "@Override",
  "public List<Sqli> inSafeForeach(List<Integer> scope) {",
  " return sqliMapper.inSafeForeach(scope);",
  "}",
  "// Mapper层",
  "<select id=\"inVul\" resultType=\"top.whgojp.modules.sqli.entity.Sqli\">",
  " select * from sqli where id in (${id})",
  "</select>",
  "",
  "<select id=\"inPrepareStatement\" resultType=\"top.whgojp.modules.sqli.entity.Sqli\">",
  " select * from sqli where id in (#{id})",
  "</select>",
  "<select id=\"inSafeForeach\" resultType=\"top.whgojp.modules.sqli.entity.Sqli\">",
  " SELECT * FROM sqli WHERE id IN",
  " <foreach collection=\"scope\" item=\"id\" open=\"(\" separator=\",\" close=\")\">",
  " #{id}",
  " </foreach>",
  "</select>",
].join("\n");
// Placeholders for the Hibernate/JPA samples that have not been written yet; the UI
// shows the key name itself for each.
const vulHibernate = 'vulHibernate';
const safeHibernate = 'safeHibernate';
const vulJPA = 'vulJPA';
const safeJPA = 'safeJPA';
// 任意文件类-文件上传
// Arbitrary upload sample: the extension is taken from the client-supplied original file
// name and passed straight to uploadFile. The sample text ends with a newline.
const anyFileUploadCode = [
  "// 原生漏洞场景,未做任何限制",
  "public R vul(MultipartFile file, HttpServletRequest request) {",
  " String res;",
  " String suffix = FilenameUtils.getExtension(",
  " // 查找文件名中最后一个点(.)之后的字符串",
  " file.getOriginalFilename()); ",
  " String path = request.getScheme() + \"://\" + request.getServerName() + \":\" + request.getServerPort() + \"/file/\";",
  " res = uploadUtil.uploadFile(file, suffix, path);",
  " return R.ok(res);",
  "}",
  "// uploadFile方法详见文件上传导致XSS模块",
  "",
].join("\n");
// Upload mitigation sample: extension allow-list. NOTE(review): as displayed the helper
// uses `contains`, so any suffix that merely contains an allowed token (e.g. "xpng") passes;
// the SQL allow-list in this file compares with `equals`, which is the stricter form —
// confirm against the lab source whether `contains` is intentional.
const anyFileUploadWhiteCode = [
  "// 检测文件后缀,做白名单过滤",
  "if (!checkUserInput.checkFileSuffixWhiteList(suffix)){",
  " return R.error(\"只能上传图片哦!\");",
  "}",
  "",
  "public boolean checkFileSuffixWhiteList(String suffix) {",
  " String[] white_list = {\"jpg\", \"png\", \"gif\",\"jpeg\",\"bmp\",\"ico\"};",
  " for (String s : white_list) {",
  " if (suffix.toLowerCase().contains(s)) {",
  " return true;",
  " }",
  " }",
  " return false;",
  "}",
].join("\n");
// 任意文件类型-文件删除
/**
 * Displayed Java snippet for arbitrary file deletion (vulnerable variant): the
 * caller-controlled path is used directly in new File(filePath) and deleted if
 * it exists. The response echoes the working directory and the path.
 */
const deleteFile = [
  'public String vul(String filePath) {',
  ' String currentPath = System.getProperty("user.dir");',
  ' File file = new File(filePath);',
  ' boolean deleted = false;',
  ' if (file.exists()) {',
  ' deleted = file.delete();',
  ' }',
  ' if (deleted) {',
  ' return "当前路径:"+currentPath+"<br/>文件删除成功: " + filePath;',
  ' } else {',
  ' return "当前路径:"+currentPath+"<br/>文件删除失败或文件不存在: " + filePath;',
  ' }',
  '}',
].join('\n');
/**
 * Displayed Java snippet for the deletion fix: the file is resolved under the
 * upload folder and deleted only if its canonical path starts with the
 * folder's canonical path. Reader note: a plain string startsWith() without a
 * trailing separator also accepts a sibling directory whose name begins with
 * the base directory's name; comparing Path objects (Path.startsWith) or
 * appending File.separator is the tighter form.
 */
const safeDeleteFile = [
  'public String safe(String fileName) {',
  ' // 限制删除文件所在目录为 /static/upload/下',
  ' String baseDir = sysConstant.getUploadFolder(); ',
  ' File file = new File(baseDir, fileName);',
  ' boolean deleted = false;',
  ' if (file.exists() && file.getCanonicalPath().startsWith(new File(baseDir).getCanonicalPath())) {',
  ' deleted = file.delete();',
  ' }',
  ' if (deleted) {',
  ' return "文件删除成功: " + fileName;',
  ' } else {',
  ' return "文件删除失败或文件不存在: " + fileName;',
  ' }',
  '}',
].join('\n');
// 任意文件类型-文件读取
/**
 * Displayed Java snippet for arbitrary file read (vulnerable variant): the
 * caller-supplied name is opened directly and streamed back line by line with
 * "<br/>" separators. As displayed, the snippet stops before the method's
 * closing brace.
 */
const readFile = [
  'public String vul(String fileName) throws IOException {',
  ' String currentPath = System.getProperty("user.dir");',
  ' log.info(currentPath);',
  ' File file = new File(fileName);',
  ' if (file.exists() && file.isFile()) {',
  ' Path filePath = file.toPath();',
  ' // 使用 BufferedReader 和流 API 逐行读取文件',
  ' try (var lines = Files.lines(filePath)) {',
  ' return lines',
  ' .map(line -> line + "<br/>")',
  ' .collect(Collectors.joining());',
  ' }',
  ' } else {',
  ' return "当前路径:"+currentPath+"<br/>文件不存在或路径不正确:" + fileName;',
  ' }',
].join('\n');
/**
 * Displayed Java snippet for the read fix: the name is resolved against the
 * upload folder, normalized, and rejected unless the resulting Path starts
 * with the folder's Path (Path.startsWith compares path components, not raw
 * strings). Only then is the file read.
 */
const safeReadFile = [
  'public String safe(String fileName) throws IOException {',
  ' String baseDir = sysConstant.getUploadFolder(); ',
  ' Path filePath = Paths.get(baseDir, fileName).normalize(); ',
  ' // 确保文件路径在允许的目录中',
  ' if (!filePath.startsWith(Paths.get(baseDir))) {',
  ' return "访问被拒绝:文件路径不合法";',
  ' }',
  ' File file = filePath.toFile();',
  ' if (file.exists() && file.isFile()) {',
  ' return new String(Files.readAllBytes(file.toPath()));',
  ' } else {',
  ' return "文件不存在或路径不正确:" + fileName;',
  ' }',
  '}',
].join('\n');
// 任意文件类型-文件下载
/**
 * Displayed Java snippet for arbitrary file download (vulnerable variant): the
 * caller-supplied name is opened directly and copied to the response as an
 * attachment. The "..." line marks elided code in the displayed snippet.
 */
const downloadFile = [
  'public void vul(String fileName, HttpServletResponse response) throws IOException {',
  ' File file = new File(fileName);',
  '',
  ' if (file.exists() && file.isFile()) {',
  ' response.setContentType("application/octet-stream");',
  ' response.setHeader("Content-Disposition", "attachment; filename=\\"" + file.getName() + "\\"");',
  ' try (FileInputStream fis = new FileInputStream(file);',
  ' OutputStream os = response.getOutputStream()) {',
  ' StreamUtils.copy(fis, os);',
  ' os.flush();',
  ' ...',
  ' } else {',
  ' response.sendError(HttpServletResponse.SC_NOT_FOUND, "文件不存在:" + fileName);',
  ' }',
  '}',
].join('\n');
/**
 * Displayed Java snippet for the download fix: the name must pass
 * isValidFileName before it is resolved under the upload folder. Reader note:
 * isValidFileName is not part of the displayed snippet, so the strength of
 * this fix rests on code not shown here.
 */
const safeDownloadFile = [
  'public void safe(String fileName,HttpServletResponse response) throws IOException {',
  ' String baseDir = sysConstant.getUploadFolder();',
  ' if (!isValidFileName(fileName)) {',
  ' response.sendError(HttpServletResponse.SC_BAD_REQUEST, "非法文件名:" + fileName);',
  ' return;',
  ' }',
  ' File file = new File(baseDir, fileName);',
  '',
  ' if (file.exists() && file.isFile()) {',
  ' response.setContentType("application/octet-stream");',
  ' response.setHeader("Content-Disposition", "attachment; filename=\\"" + file.getName() + "\\"");',
  ' try (FileInputStream fis = new FileInputStream(file);',
  ' OutputStream os = response.getOutputStream()) {',
  ' StreamUtils.copy(fis, os);',
  ' os.flush();',
  ' ...',
  ' } else {',
  ' response.sendError(HttpServletResponse.SC_NOT_FOUND, "文件不存在:" + fileName);',
  ' }',
  '}',
].join('\n');
// ssrf-服务端请求伪造
/**
 * Displayed Java snippet for SSRF (vulnerable variant): the caller-supplied
 * URL is opened with URLConnection and the response body is returned inside
 * a <pre> block; any exception message is returned as-is.
 */
const vul1URLConnection = [
  'public String vul(String url) {',
  ' try {',
  ' URL u = new URL(url);',
  ' // 这里以URLConnection作为演示',
  ' URLConnection conn = u.openConnection();',
  ' BufferedReader reader = new BufferedReader(new InputStreamReader(conn.getInputStream()));',
  ' String content;',
  ' StringBuilder html = new StringBuilder();',
  ' html.append("<pre>");',
  ' while ((content = reader.readLine()) != null) {',
  ' html.append(content).append("\\n");',
  ' }',
  ' html.append("</pre>");',
  ' reader.close();',
  ' return html.toString();',
  ' } catch (Exception e) {',
  ' return e.getMessage();',
  ' }',
  '}',
].join('\n');
/**
 * Displayed Java snippet for the SSRF fix: isHttp is a scheme-prefix check and
 * ssrfWhiteList an exact host match (List.contains) against a fixed list. The
 * "..." line elides how the request is then issued, so whether redirects from
 * an allow-listed host are re-validated cannot be seen in this snippet.
 */
const safe1WhiteList = [
  'public String safe(String url) {',
  ' if (!checkUserInput.isHttp(url)) {',
  ' return "检测到不是http(s)协议!";',
  ' } else if (!checkUserInput.ssrfWhiteList(url)) {',
  ' return "非白名单域名!";',
  ' } else {',
  ' ...',
  ' }',
  '}',
  '// ssrf:判断http(s)协议',
  'public boolean isHttp(String url){',
  ' return url.startsWith("http://") || url.startsWith("https://");',
  '}',
  '// ssrf:请求域名白名单',
  'public boolean ssrfWhiteList(String url) {',
  ' List<String> urlList = new ArrayList<>(Arrays.asList("baidu.com", "www.baidu.com", "whgojp.top"));',
  ' try {',
  ' URI uri = new URI(url.toLowerCase());',
  ' String host = uri.getHost();',
  ' return urlList.contains(host);',
  ' } catch (URISyntaxException e) {',
  ' System.out.println(e);',
  ' return false;',
  ' }',
  '}',
].join('\n');
// RCE
/**
 * Displayed Java snippet for command execution via ProcessBuilder (vulnerable
 * variant): the payload becomes the argument of "sh -c" and the combined
 * stdout/stderr is returned to the caller.
 */
const vulProcessBuilder = [
  'public R vul1(String payload) throws IOException {',
  ' String[] command = {"sh", "-c",payload};',
  '',
  ' ProcessBuilder pb = new ProcessBuilder(command);',
  ' pb.redirectErrorStream(true);',
  ' Process process = pb.start();',
  ' InputStream inputStream = process.getInputStream();',
  ' BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream));',
  ' String line;',
  ' StringBuilder output = new StringBuilder();',
  ' while ((line = reader.readLine()) != null) {',
  ' output.append(line).append("\\n");',
  ' }',
  ' return R.ok(output.toString());',
  '}',
].join('\n');
/**
 * Displayed Java snippet for command execution via Runtime.exec (vulnerable
 * variant): the payload is executed as-is and stdout is concatenated without
 * line separators.
 */
const vulGetRuntime = [
  'public R vul2(String payload) throws IOException {',
  ' StringBuilder sb = new StringBuilder();',
  ' String line;',
  ' Process proc = Runtime.getRuntime().exec(payload);',
  ' InputStream inputStream = proc.getInputStream();',
  ' InputStreamReader isr = new InputStreamReader(inputStream);',
  ' BufferedReader br = new BufferedReader(isr);',
  ' while ((line = br.readLine()) != null) {',
  ' sb.append(line);',
  ' }',
  ' return R.ok(sb.toString());',
  '}',
].join('\n');
/**
 * Displayed Java snippet for command execution through reflection on the
 * JDK-internal java.lang.ProcessImpl.start. Shown to illustrate that process
 * creation need not pass through the public Runtime.exec / ProcessBuilder.start
 * entry points, which matters for monitoring that hooks only those.
 */
const vulProcessImpl = [
  'public R vul3(String payload) throws Exception {',
  ' // 获取 ProcessImpl 类对象',
  ' Class<?> clazz = Class.forName("java.lang.ProcessImpl");',
  '',
  ' // 获取 start 方法',
  ' Method method = clazz.getDeclaredMethod("start", String[].class, Map.class, String.class, ProcessBuilder.Redirect[].class, boolean.class);',
  ' method.setAccessible(true);',
  '',
  ' Process process = (Process) method.invoke(null, new String[]{payload}, null, null, null, false);',
  ' try (BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream()))) {',
  ' StringBuilder output = new StringBuilder();',
  ' String line;',
  ' while ((line = reader.readLine()) != null) {',
  ' output.append(line).append("\\n");',
  ' }',
  ' return R.ok(output.toString());',
  ' }',
  '}',
].join('\n');
/**
 * Displayed Java snippet for the command-execution fix: the payload must
 * exactly equal an entry of a two-item allow-list (List.contains) before it
 * is run.
 */
const safeProcessBuilder = [
  '// 验证命令是否在允许的列表中',
  'if (!ALLOWED_COMMANDS.contains(payload)) {',
  ' return R.error("不允许执行该命令!");',
  '}',
  '',
  '// 可执行命令白名单',
  'private static final List<String> ALLOWED_COMMANDS = Arrays.asList("ls", "date");',
].join('\n');
/**
 * Displayed Java snippet for Groovy script evaluation (vulnerable variant):
 * the payload is passed straight to GroovyShell.evaluate; if the result is a
 * Process its output is read by the getProcessOutput helper shown below it.
 */
const vulGroovy = [
  'public R vulGroovy(String payload) {',
  ' try {',
  ' GroovyShell shell = new GroovyShell();',
  ' Object result = shell.evaluate(payload); ',
  ' if (result instanceof Process) {',
  ' Process process = (Process) result;',
  ' String output = getProcessOutput(process);',
  ' return R.ok("[+] Groovy代码执行,结果:" + output);',
  ' } else {',
  ' return R.ok("[+] Groovy代码执行,结果:" + result.toString());',
  ' }',
  ' } catch (Exception e) {',
  ' return R.error(e.getMessage());',
  ' }',
  '}',
  'private String getProcessOutput(Process process) {',
  ' StringBuilder output = new StringBuilder();',
  ' try (BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream()))) {',
  ' String line;',
  ' while ((line = reader.readLine()) != null) {',
  ' output.append(line).append("\\n");',
  ' }',
  ' } catch (Exception e) {',
  ' return "读取输出失败: " + e.getMessage();',
  ' }',
  ' return output.toString();',
  '}',
].join('\n');
/**
 * Displayed Java snippet for the Groovy fix: the payload is only evaluated if
 * it is string-equal (List.contains) to one of three fixed scripts; the
 * isTrustedScript helper is shown below the method.
 */
const safeGroovy = [
  'public R safeGroovy(String payload) {',
  ' List<String> trustedScripts = Arrays.asList(',
  ' "\\"id\\".execute()",',
  ' "\\"ls\\".execute()",',
  ' "\\"whoami\\".execute()"',
  ' );',
  ' if (!isTrustedScript(payload, trustedScripts)) {',
  ' return R.error("非法的脚本输入!");',
  ' }',
  ' try {',
  ' GroovyShell shell = new GroovyShell();',
  ' Object result = shell.evaluate(payload); ',
  ' if (result instanceof Process) {',
  ' Process process = (Process) result;',
  ' String output = getProcessOutput(process);',
  ' return R.ok("[+] 执行受信任的脚本,结果:" + output);',
  ' } else {',
  ' return R.ok("[+] 执行受信任的脚本,结果:" + result.toString());',
  ' }',
  ' } catch (Exception e) {',
  ' return R.error(e.getMessage());',
  ' }',
  '}',
  'private boolean isTrustedScript(String script, List<String> trustedScripts) {',
  ' return trustedScripts.contains(script);',
  '}',
].join('\n');
// XXE
const vulXMLReader = "public String vul1(String payload) {\n" +
" try {\n" +
" XMLReader xmlReader = XMLReaderFactory.createXMLReader();\n" +
" StringWriter stringWriter = new StringWriter();\n" +
" xmlReader.setContentHandler(new DefaultHandler() {\n" +
" public void characters(char[] ch, int start, int length) {\n" +