whgojp
diff --git a/‎.gitignore‎
Lines changed: 3 additions & 1 deletion b/‎.gitignore‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎CHANGELOG.md‎
Lines changed: 28 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 4 additions & 3 deletions b/‎Dockerfile‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎README.md‎
Lines changed: 21 additions & 7 deletions b/‎README.md‎
Lines changed: 21 additions & 7 deletions
diff --git a/‎docker-compose.yml‎
Lines changed: 4 additions & 6 deletions b/‎docker-compose.yml‎
Lines changed: 4 additions & 6 deletions
diff --git a/‎pic/group.png‎
12.7 KB b/‎pic/group.png‎
12.7 KB
diff --git a/‎pic/home.png‎
16.3 KB b/‎pic/home.png‎
16.3 KB
diff --git a/‎pom.xml‎
Lines changed: 1 addition & 1 deletion b/‎pom.xml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/main/java/top/whgojp/common/constant/SysConstant.java‎
Lines changed: 18 additions & 5 deletions b/‎src/main/java/top/whgojp/common/constant/SysConstant.java‎
Lines changed: 18 additions & 5 deletions
diff --git a/‎src/main/java/top/whgojp/common/utils/UploadUtil.java‎
Lines changed: 15 additions & 22 deletions b/‎src/main/java/top/whgojp/common/utils/UploadUtil.java‎
Lines changed: 15 additions & 22 deletions
@@ -34,4 +34,6 @@ build/
 ### Mac OS ###
 .DS_Store
 
-/logs/
+/logs/
+/.idea/
+/src/test/
@@ -0,0 +1,28 @@
+# 更新记录✨
+
+## V1.2 - 2024-11-17
+
+- 修复已知问题
+  - 多Session会话共存
+  - 文件上传bug修复
+- 新增漏洞模块：验证码安全(图形验证码、短信验证码)
+
+## V1.1 - 2024-11-10
+
+- 修复已知问题
+- 平台页面UI：简化对应缺陷/安全代码、优化DashBoard页面
+- 新增漏洞模块：IDOR(水平/垂直越权)、拒绝服务、XPATH注入
+
+## V1.0 - 2024-10
+- 初始功能实现：跨站脚本（XSS）、SQL 注入、任意文件上传、SSRF、XXE、CSRF、CORS、JSONP、RCE、URL 重定向、XFF 伪造、敏感信息泄漏、SPEL 注入、SSTI 注入、反序列化、组件漏洞等。
+
+## 系统设计 - 2024-05
+
+- 完成系统技术选型、架构设计、相关靶场项目调研……
+- 技术栈：**SpringBoot+Spring Security+MyBatis+Thymeleaf+Layui**
+- 这里暂时只做了简单认证实现、权限分级/人员管理等复杂鉴权功能后续待实现……
+- 架构设计：前后端不分离，在通用后端管理框架基础上，添加一个个漏洞模块……
+- 参考项目：[Hello-Java-Sec](https://github.com/j3ers3/Hello-Java-Sec) [JavaSec](https://github.com/j3ers3/Hello-Java-Sec)
+
+## 灵感来源 - 2024-03
+- 一个想法💡
@@ -3,13 +3,14 @@ FROM openjdk:8
 WORKDIR /work
 
 LABEL maintainer="whgojp@foxmail.com"
-LABEL version="1.0"
+LABEL version="1.2"
 LABEL description="I think therefore I am."
 
 COPY target/JavaSecLab.jar /work/JavaSecLab.jar
 
-EXPOSE 8080
-EXPOSE 9090
+RUN mkdir -p /tmp/upload && chmod -R 777 /tmp/upload
+
+EXPOSE 80
 
 ENV IMAGE_NAME=JavaSecLab
 
 
@@ -1,12 +1,14 @@
-[//]: # (# <img src="./pic/logo.png" alt="logo" style="zoom:5%;" />JavaSecLab 一款综合Java漏洞平台)
 # JavaSecLab 一款综合Java漏洞平台
 
-<p align="center">
-<a href="https://www.apache.org/licenses/LICENSE-2.0.html"><img src="https://img.shields.io/github/license/alibaba/transmittable-thread-local?color=4D7A97&logo=apache" alt="License"></a>
-<img src="https://img.shields.io/badge/Release-DEV-brightgreen.svg" alt="Release">
-<a href="https://github.com/whgojp/JavaSecLab"><img src="https://img.shields.io/badge/Version-1.1-red.svg" alt="Version"></a>
-<a href="https://blog.csdn.net/weixin_53009585"><img src="https://img.shields.io/badge/Developed%20by-whgojp-blue.svg" alt="Developed by whgojp"></a>
-</p>
+<div style="text-align: center;">
+  <a href="https://www.apache.org/licenses/LICENSE-2.0.html"><img src="https://img.shields.io/github/license/alibaba/transmittable-thread-local?color=4D7A97&logo=apache" alt="License"></a>
+  <img src="https://img.shields.io/badge/Release-DEV-brightgreen.svg" alt="Release">
+  <a href="https://github.com/whgojp/JavaSecLab"><img src="https://img.shields.io/badge/Version-1.2-red.svg" alt="Version"></a>
+  <a href="https://blog.csdn.net/weixin_53009585"><img src="https://img.shields.io/badge/Developed%20by-whgojp-blue.svg" alt="Developed by whgojp"></a>
+  <img src="https://img.shields.io/github/stars/whgojp/JavaSecLab?color=green&style=flat-square" alt="GitHub Repo stars">
+  <img src="https://img.shields.io/github/forks/whgojp/JavaSecLab?style=flat-square" alt="GitHub forks">
+</div>
+
 
 ----------------------------------------
 
@@ -23,6 +25,13 @@
 - 甲方安全方面：可作为开发安全培训演示，友好的交互方式，帮助研发同学更容易理解漏洞
 - 安全研究方面：各种漏洞的不同触发场景，可用于xAST等安全工具测试
 
+## 支持漏洞模块
+
+- 跨站脚本攻击、跨站请求伪造、CORS、JSONP、URL重定向、XFF伪造、拒绝服务、XPATH注入
+- SQL注入、任意文件系列、跨服务端请求伪造、XML实体注入、RCE
+- 逻辑漏洞(IDOR、验证码安全、支付安全、并发安全)、敏感信息泄漏系列、登录框对抗系列
+- SPEL注入、SSTI注入、反序列化、组件漏洞
+
 ## 在线环境体验
 
 http://whgojp.top/
@@ -112,6 +121,10 @@ docker-compose -p javaseclab up -d
 
 本项目遵循 [Apache License 2.0](http://www.apache.org/licenses/LICENSE-2.0) 协议，详细的许可证内容请参见项目中的 [LICENSE](./LICENSE) 文件。
 
+## 更新记录
+
+项目的详细更新记录请参阅 [CHANGELOG.md](./CHANGELOG.md)
+
 ## 一些Tips🙋
 
 1. 安全问题：由于是漏洞靶场，因此不建议搭建在公网上使用
@@ -129,3 +142,4 @@ docker-compose -p javaseclab up -d
     <img src="./pic/wechat.png" alt="description" width="271" height="366" />
     <img src="./pic/group.png" alt="description" width="271" height="366" />
 </div>
+
@@ -15,26 +15,24 @@ services:
       - JavaSecLabNet
 
   JavaSecLab:
-    image: javaseclab:1.1
+    image: javaseclab:1.2
     container_name: Container-JavaSecLab
     restart: always
     build: .
     ports:
       - 80:80
-      - 8080:8080
-      - 9090:9090
     environment:
-      - TZ=Asia/Shanghai  # 设置时区为上海（GMT+8）
+      - TZ=Asia/Shanghai  # 设置时区上海（GMT+8）
     depends_on:
       - mysql
     volumes:
       - ./logs:/logs      # 记录日志信息
+
     networks:
       - JavaSecLabNet
 
-  # 密码 admin@portainer.com
   portainer:
-    image: portainer/portainer-ce
+    image: portainer/portainer-ce:latest
     container_name: portainer
     restart: always
     ports:
 
@@ -6,7 +6,7 @@
 
     <groupId>top.whgojp</groupId>
     <artifactId>JavaSecLab</artifactId>
-    <version>1.1.0</version>
+    <version>1.2.0</version>
     <name>Java综合漏洞平台</name>
     <description>hello JavaSec!</description>
     <parent>
 
@@ -1,12 +1,13 @@
 package top.whgojp.common.constant;
 
 import lombok.Data;
-import lombok.SneakyThrows;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.io.ResourceLoader;
 import org.springframework.stereotype.Component;
 
 import javax.annotation.PostConstruct;
+import java.io.File;
 import java.io.IOException;
 
 /**
@@ -36,20 +37,32 @@ public class SysConstant {
     @Autowired
     private ResourceLoader resourceLoader;
 
+    @Value("${upload.folder:/tmp/upload}") // 容器内部固定路径，默认值为/tmp/upload
     private String uploadFolder;
+
     private String staticFolder;
 
+    public SysConstant(ResourceLoader resourceLoader) {
+        this.resourceLoader = resourceLoader;
+    }
+
+
     @PostConstruct
     public void init() throws IOException {
         // 获取资源对象
-        Resource uploadResource = resourceLoader.getResource("classpath:/static/upload/");
+        File uploadDir = new File(uploadFolder);
+        if (!uploadDir.exists()) {
+            if (!uploadDir.mkdirs()) {
+                throw new IOException("Failed to create upload directory: " + uploadFolder);
+            }
+        }
+
+//        Resource uploadResource = resourceLoader.getResource("classpath:/static/upload/");
         Resource staticResource = resourceLoader.getResource("classpath:/static/");
-        if (uploadResource.exists() && staticResource.exists()) {
+        if (staticResource.exists()) {
             try {
-                this.uploadFolder = uploadResource.getFile().getPath();  // 仅在资源存在于文件系统中时有效
                 this.staticFolder = staticResource.getFile().getPath();
             } catch (IOException e) {
-                this.uploadFolder = uploadResource.getURL().toString(); // 获取资源的URL
                 this.staticFolder = staticResource.getURL().toString();
             }
         } else {
 
@@ -1,20 +1,13 @@
 package top.whgojp.common.utils;
 
-import cn.hutool.core.date.DateUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.core.io.ResourceLoader;
 import org.springframework.stereotype.Component;
-import org.springframework.util.StringUtils;
 import org.springframework.web.multipart.MultipartFile;
 import top.whgojp.common.constant.SysConstant;
 
 import java.io.File;
 import java.io.IOException;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.Paths;
-import java.util.Objects;
 
 @Slf4j
 @Component
@@ -23,26 +16,26 @@ public class UploadUtil {
     @Autowired
     private SysConstant sysConstant;
 
-
-    private static final String UPLOAD_DIR = "uploads"; // 可以改成配置文件中的路径
-
-    public String uploadFile(MultipartFile file, String suffix,String path) throws IOException {
-
+    public String uploadFile(MultipartFile file, String suffix, String path) throws IOException {
+        // 从配置中获取上传目录
         String uploadFolderPath = sysConstant.getUploadFolder();
-
         try {
-
-            String fileName = +DateUtil.current() + "."+suffix;
-            String newFilePath = uploadFolderPath + "/" + fileName;
-
-            file.transferTo(new File(newFilePath)); // 将文件保存到指定路径
+            // 确保目录存在
+            File uploadDir = new File(uploadFolderPath);
+            if (!uploadDir.exists() && !uploadDir.mkdirs()) {
+                throw new IOException("Failed to create upload directory: " + uploadFolderPath);
+            }
+            // 构建文件路径
+            String fileName = System.currentTimeMillis() + "." + suffix;
+            String newFilePath = uploadFolderPath + File.separator + fileName;
+            // 保存文件
+            file.transferTo(new File(newFilePath));
             log.info("上传文件成功，文件路径：" + newFilePath);
             return "上传文件成功，文件路径：" + path + fileName;
         } catch (IOException e) {
-            e.printStackTrace(); // 打印异常堆栈信息
-            log.info("文件上传失败" + e.getMessage());
-            return "文件上传失败" + e.getMessage();
+            log.error("文件上传失败：{}", e.getMessage(), e);
+            throw e; // 重新抛出异常供上层处理
         }
-
     }
+
 }