V1.4

Author: whgojp

.gitignore

@@ -36,4 +36,5 @@ build/
 
 /logs/
 /.idea/
-/src/test/
+/src/test/
+src/main/resources/application-aliyun.yml

Dockerfile

@@ -3,7 +3,7 @@ FROM openjdk:8
 WORKDIR /work
 
 LABEL maintainer="whgojp@foxmail.com"
-LABEL version="1.3"
+LABEL version="1.4"
 LABEL description="I think therefore I am."
 
 COPY target/JavaSecLab.jar /work/JavaSecLab.jar

pom.xml

@@ -8,14 +8,14 @@
     <artifactId>JavaSecLab</artifactId>
     <version>1.3.0</version>
     <name>Java综合漏洞平台</name>
-    <description>hello JavaSec!</description>
+    <description>hello JavaSecLab!</description>
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
         <!--        springboot 高版本不存在thymeleaf模板注入漏洞-->
-<!--                <version>2.7.14</version>-->
-            <version>2.4.1</version>
-<!--        <version>2.5.6</version>-->
+        <!--                <version>2.7.14</version>-->
+        <version>2.4.1</version>
+<!--                <version>2.5.6</version>-->
         <relativePath/>
     </parent>
     <properties>
@@ -26,9 +26,10 @@
         <hutool.version>5.8.21</hutool.version>
         <lombok.version>1.18.4</lombok.version>
         <mybatis-plus.version>3.5.1</mybatis-plus.version>
-        <mysql.version>8.0.33</mysql.version>
+<!--        <mysql.version>8.0.33</mysql.version>-->
+        <mysql.version>8.0.14</mysql.version>
         <esapi.version>2.2.0.0</esapi.version>
-        <jwt.version>0.10.7</jwt.version>
+        <jwt.version>0.11.5</jwt.version>
     </properties>
     <dependencies>
         <!-- Spring Boot Starters -->
@@ -106,12 +107,18 @@
         <!--        </dependency>-->
 
         <!-- 数据库 -->
+<!--        <dependency>-->
+<!--            <groupId>com.mysql</groupId>-->
+<!--            <artifactId>mysql-connector-j</artifactId>-->
+<!--            <version>${mysql.version}</version>-->
+<!--        </dependency>-->
         <dependency>
-            <groupId>com.mysql</groupId>
-            <artifactId>mysql-connector-j</artifactId>
-            <version>${mysql.version}</version>
+            <groupId>mysql</groupId>
+            <artifactId>mysql-connector-java</artifactId>
+            <version>8.0.14</version>  <!-- 可尝试 8.0.19 或更高版本 -->
         </dependency>
 
+
         <!-- MyBatis Plus -->
         <dependency>
             <groupId>com.baomidou</groupId>
@@ -271,7 +278,23 @@
             <version>1.70</version>
         </dependency>
 
+        <dependency>
+            <groupId>ognl</groupId>
+            <artifactId>ognl</artifactId>
+            <version>3.3.1</version>
+        </dependency>
 
+        <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+            <version>3.2.1</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-websocket</artifactId>
+            <version>2.4.1</version>
+        </dependency>
 
     </dependencies>
     <build>
@@ -296,29 +319,16 @@
             </plugin>
         </plugins>
     </build>
+
     <repositories>
         <repository>
-            <id>central</id>
-            <url>https://repo.maven.apache.org/maven2</url>
-        </repository>
-        <repository>
-            <id>spring-milestone</id>
-            <url>https://repo.spring.io/milestone</url>
-        </repository>
-        <repository>
-            <id>spring-release</id>
-            <url>https://repo.spring.io/release</url>
+            <id>aliyun-central</id>
+            <url>https://maven.aliyun.com/repository/central</url>
         </repository>
         <repository>
-            <id>acfunnexus</id>
-            <url>https://maven.aliyun.com/repository/public/</url>
-            <layout>default</layout>
-            <releases>
-                <enabled>true</enabled>
-            </releases>
-            <snapshots>
-                <enabled>true</enabled>
-            </snapshots>
+            <id>aliyun-public</id>
+            <url>https://maven.aliyun.com/repository/public</url>
         </repository>
     </repositories>
+
 </project>

sql/JavaSecLab.sql

@@ -1,5 +1,5 @@
 /*
- Navicat Premium Data Transfer
+ Navicat Premium Dump SQL
 
  Source Server         : mysql_docker_mac
  Source Server Type    : MySQL
@@ -11,10 +11,8 @@
  Target Server Version : 80200 (8.2.0)
  File Encoding         : 65001
 
- Date: 10/11/2024 13:17:18
+ Date: 21/03/2025 16:51:30
 */
-CREATE DATABASE IF NOT EXISTS JavaSecLab;
-USE JavaSecLab;
 
 SET NAMES utf8mb4;
 SET FOREIGN_KEY_CHECKS = 0;
@@ -25,8 +23,8 @@ SET FOREIGN_KEY_CHECKS = 0;
 DROP TABLE IF EXISTS `hsqli`;
 CREATE TABLE `hsqli` (
   `id` bigint NOT NULL AUTO_INCREMENT,
-  `password` varchar(255) COLLATE utf8mb4_general_ci DEFAULT NULL,
-  `username` varchar(255) COLLATE utf8mb4_general_ci DEFAULT NULL,
+  `password` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci DEFAULT NULL,
+  `username` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci DEFAULT NULL,
   PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
 
@@ -41,11 +39,11 @@ COMMIT;
 -- ----------------------------
 DROP TABLE IF EXISTS `log`;
 CREATE TABLE `log` (
-  `logId` varchar(255) COLLATE utf8mb4_general_ci NOT NULL COMMENT 'log_id',
-  `username` varchar(255) COLLATE utf8mb4_general_ci DEFAULT NULL COMMENT '用户名',
-  `optionName` varchar(255) COLLATE utf8mb4_general_ci DEFAULT NULL COMMENT '用户操作',
-  `optionTerminal` varchar(255) COLLATE utf8mb4_general_ci DEFAULT NULL COMMENT '操作终端',
-  `optionIp` varchar(255) COLLATE utf8mb4_general_ci DEFAULT NULL COMMENT 'Ip地址',
+  `logId` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL COMMENT 'log_id',
+  `username` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci DEFAULT NULL COMMENT '用户名',
+  `optionName` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci DEFAULT NULL COMMENT '用户操作',
+  `optionTerminal` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci DEFAULT NULL COMMENT '操作终端',
+  `optionIp` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci DEFAULT NULL COMMENT 'Ip地址',
   `optionTime` date DEFAULT NULL COMMENT '创建时间',
   PRIMARY KEY (`logId`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
@@ -56,14 +54,31 @@ CREATE TABLE `log` (
 BEGIN;
 COMMIT;
 
+-- ----------------------------
+-- Table structure for objects
+-- ----------------------------
+DROP TABLE IF EXISTS `objects`;
+CREATE TABLE `objects` (
+  `id` int NOT NULL,
+  `malicious_object` blob,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci;
+
+-- ----------------------------
+-- Records of objects
+-- ----------------------------
+BEGIN;
+INSERT INTO `objects` (`id`, `malicious_object`) VALUES (1, 0xACED000573720034746F702E7768676F6A702E6D6F64756C65732E737072696E67626F6F742E656E746974792E4D616C6963696F75734F626A656374C007A841C29C41060200014C0007636F6D6D616E647400124C6A6176612F6C616E672F537472696E673B78707400126F70656E202D612043616C63756C61746F72);
+COMMIT;
+
 -- ----------------------------
 -- Table structure for sqli
 -- ----------------------------
 DROP TABLE IF EXISTS `sqli`;
 CREATE TABLE `sqli` (
   `id` int NOT NULL AUTO_INCREMENT,
-  `username` varchar(255) COLLATE utf8mb4_general_ci NOT NULL COMMENT '用户名',
-  `password` varchar(255) COLLATE utf8mb4_general_ci NOT NULL COMMENT '密码',
+  `username` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL COMMENT '用户名',
+  `password` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL COMMENT '密码',
   PRIMARY KEY (`id`) USING BTREE
 ) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
 
@@ -79,8 +94,8 @@ COMMIT;
 -- ----------------------------
 DROP TABLE IF EXISTS `user`;
 CREATE TABLE `user` (
-  `username` varchar(255) COLLATE utf8mb4_general_ci NOT NULL COMMENT '用户名',
-  `password` varchar(255) COLLATE utf8mb4_general_ci NOT NULL COMMENT '密码',
+  `username` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL COMMENT '用户名',
+  `password` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL COMMENT '密码',
   PRIMARY KEY (`username`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
 
@@ -99,11 +114,11 @@ COMMIT;
 DROP TABLE IF EXISTS `xss`;
 CREATE TABLE `xss` (
   `id` int NOT NULL AUTO_INCREMENT COMMENT '主键id',
-  `content` text COLLATE utf8mb4_general_ci NOT NULL COMMENT '插入内容',
+  `content` text CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL COMMENT '插入内容',
   `ua` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL COMMENT 'User-Agent',
-  `date` varchar(255) COLLATE utf8mb4_general_ci NOT NULL COMMENT '插入时间',
+  `date` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL COMMENT '插入时间',
   PRIMARY KEY (`id`)
-) ENGINE=InnoDB AUTO_INCREMENT=82 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
+) ENGINE=InnoDB AUTO_INCREMENT=84 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
 
 -- ----------------------------
 -- Records of xss

src/main/java/top/whgojp/common/utils/CheckUserInput.java

@@ -1,12 +1,13 @@
 package top.whgojp.common.utils;
 
 import org.springframework.stereotype.Component;
-
+import org.springframework.web.util.HtmlUtils;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
+import java.util.regex.Pattern;
 
 /**
  * @description 用户输入数据校验
@@ -16,6 +17,30 @@
  */
 @Component
 public class CheckUserInput {
+    private static final Pattern SCRIPT_PATTERN = Pattern.compile("<script[^>]*>.*?</script>", Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
+    private static final Pattern EVENT_PATTERN = Pattern.compile("on\\w+\\s*=", Pattern.CASE_INSENSITIVE);
+    private static final Pattern JAVASCRIPT_PATTERN = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
+
+    public String filter(String input) {
+        if (input == null) {
+            return "";
+        }
+        
+        // 基本HTML转义
+        String filtered = HtmlUtils.htmlEscape(input);
+        
+        // 移除script标签
+        filtered = SCRIPT_PATTERN.matcher(filtered).replaceAll("");
+        
+        // 移除事件处理器
+        filtered = EVENT_PATTERN.matcher(filtered).replaceAll("");
+        
+        // 移除javascript:协议
+        filtered = JAVASCRIPT_PATTERN.matcher(filtered).replaceAll("");
+        
+        return filtered;
+    }
+
     public String checkUser(String username, String password, Integer id) {
         String message = "";
         if (username == null || username.isEmpty()) {

src/main/java/top/whgojp/modules/components/fastjson/controller/FastjsonController.java

@@ -38,6 +38,11 @@ public String vul(@RequestBody String content) {
         }
     }
 
+    public String vul2(){
+
+        return "";
+    }
+
     @PostMapping("/safe")
     @ResponseBody
     public String safe(@RequestBody String content) {

src/main/java/top/whgojp/modules/deserialize/readobject/controller/ReadObjectController.java

@@ -8,6 +8,9 @@
 import org.springframework.web.bind.annotation.*;
 import top.whgojp.common.utils.R;
 import top.whgojp.modules.sqli.entity.Sqli;
+import java.io.ByteArrayInputStream;
+import java.io.ObjectInputStream;
+
 
 import java.io.ByteArrayInputStream;
 import java.util.Base64;
@@ -30,23 +33,46 @@ public String readObject(){
         return "vul/deserialize/readObject";
     }
 
+//    @RequestMapping("/vul")
+//    @ResponseBody
+//    public R vul(String payload) {
+//        System.setProperty("org.apache.commons.collections.enableUnsafeSerialization", "true");
+//        log.info("Java反序列化："+payload);
+//        try {
+//            payload = payload.replace(" ", "+");
+//            byte[] bytes = Base64.getDecoder().decode(payload);
+//            ByteArrayInputStream stream = new ByteArrayInputStream(bytes);
+//            java.io.ObjectInputStream in = new java.io.ObjectInputStream(stream);
+//            in.readObject();
+//            in.close();
+//            return R.ok("[+]Java反序列化：ObjectInputStream.readObject()");
+//        } catch (Exception e) {
+//            return R.error("[-]请输入正确的Payload！\n"+e.getMessage());
+//        }
+//    }
     @RequestMapping("/vul")
     @ResponseBody
     public R vul(String payload) {
         System.setProperty("org.apache.commons.collections.enableUnsafeSerialization", "true");
-        log.info("Java反序列化："+payload);
+        log.info("Java反序列化：" + payload);
         try {
             payload = payload.replace(" ", "+");
             byte[] bytes = Base64.getDecoder().decode(payload);
             ByteArrayInputStream stream = new ByteArrayInputStream(bytes);
-            java.io.ObjectInputStream in = new java.io.ObjectInputStream(stream);
-            in.readObject();
+            ObjectInputStream in = new ObjectInputStream(stream);
+
+            Object obj = in.readObject();
+            log.info("反序列化对象：" + obj.toString());
+
             in.close();
-            return R.ok("[+]Java反序列化：ObjectInputStream.readObject()");
+            return R.ok("[+]Java反序列化："+obj);
         } catch (Exception e) {
-            return R.error("[-]请输入正确的Payload！\n"+e.getMessage());
+            return R.error("[-] 请输入正确的 Payload！\n" + e.getMessage());
         }
     }
+
+
+
     @RequestMapping("/safe1")
     @ResponseBody
     public R safe1(String payload) {

src/main/java/top/whgojp/modules/deserialize/snakeyaml/controller/controller/SnakeYamlController.java

@@ -32,6 +32,7 @@ public String snakeYaml(){
     @RequestMapping("/vul")
     @ResponseBody
     public R vul(String payload) {
+        log.info("payload："+payload);
         Yaml y = new Yaml();
         y.load(payload);
         return R.ok("[+]Java反序列化：SnakeYaml原生漏洞");

src/main/java/top/whgojp/modules/funny/controller/HijackController.java

@@ -0,0 +1,26 @@
+package top.whgojp.modules.funny.controller;
+
+import io.swagger.annotations.Api;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.CrossOrigin;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+/**
+ * @description <功能描述>
+ * @author: whgojp
+ * @email: whgojp@foxmail.com
+ * @Date: 2025/1/17 16:31
+ */
+@Slf4j
+@Api(value = "HijackController", tags = "劫持模块")
+@Controller
+@CrossOrigin(origins = "*")
+@RequestMapping("/funny/hijack")
+public class HijackController {
+    @RequestMapping()
+    public String hijack(){
+        return "/vul/funny/hijack";
+    }
+
+}