Merge branch 'master' of github.com:baidu-security/openrasp-testcases

baidu-security · Dec 14, 2021 · a26a155 · a26a155
2 parents 3aa04ca + 16e28ee
commit a26a155
Show file tree

Hide file tree

Showing 7 changed files with 240 additions and 12 deletions.
diff --git a/java/vulns-servlet/src/webapp/index.jsp b/java/vulns-servlet/src/webapp/index.jsp
@@ -69,6 +69,8 @@
                 {"name": "011 - SSRF - OKHTTP 方式", "path": '011-ssrf-okhttp.jsp'},
                 {"name": "011 - SSRF - OKHTTP3 方式", "path": '011-ssrf-okhttp3.jsp'},
                 {"name": "012 - SQLi - MySQL JDBC executeQuery 方式", "path": '012-jdbc-mysql.jsp'},
+                {"name": "012 - SQLi - MySQL 8.X JDBC 驱动 + executeQuery 方式", "path": '012-jdbc-mysql8.jsp'},
+                {"name": "012 - SQLi - MySQL 8.X JDBC 驱动 + preparedStatement 方式", "path": '012-jdbc-mysql8-prepared.jsp'},
                 {"name": "013 - SQLi - JDBC multipart 请求格式", "path": '013-multipart-mysql.jsp'},
                 {"name": "014 - SQLi - Sql Exception", "path": '014-sql-exception.jsp'},
                 {"name": "015 - SQLi - Sql Access", "path": '015-sql-access.jsp'},

diff --git a/java/vulns/src/main/webapp/011-ssrf-okhttp.jsp b/java/vulns/src/main/webapp/011-ssrf-okhttp.jsp
@@ -1,6 +1,8 @@
 <%@ page import="com.squareup.okhttp.OkHttpClient"%>
 <%@ page import="com.squareup.okhttp.Request"%>
 <%@ page import="com.squareup.okhttp.Response"%>
+<%@ page import="org.apache.commons.lang.StringUtils" %>
+<%@ page import="org.apache.commons.lang.exception.ExceptionUtils" %>
 <%--
   Created by IntelliJ IDEA.
   User: anyang
@@ -25,9 +27,8 @@
             Response response = client.newCall(request).execute();
             result = response.body().string();
         } catch (Exception e) {
-            out.print("<pre>");
-            e.printStackTrace(response.getWriter());
-            out.print("</pre>");
+            String[] rootCauseStackTrace = ExceptionUtils.getRootCauseStackTrace(e);
+            result = StringUtils.join(rootCauseStackTrace,System.lineSeparator());
         }
         return result;
     }
@@ -39,7 +40,7 @@
         String result = httpGet(urlString);
         result = result.replace("<", "&lt;");
         result = result.replace(">", "&gt;");
-        out.println(result);
+        out.println("<pre>" +result+ "</pre>");
     }
 %>
 <p>okhttp 调用方式: </p>

diff --git a/java/vulns/src/main/webapp/011-ssrf-okhttp3.jsp b/java/vulns/src/main/webapp/011-ssrf-okhttp3.jsp
@@ -1,6 +1,9 @@
 <%@ page import="okhttp3.OkHttpClient" %>
 <%@ page import="okhttp3.Request" %>
 <%@ page import="okhttp3.Response" %>
+<%@ page import="org.apache.commons.lang.exception.ExceptionUtils" %>
+<%@ page import="org.apache.commons.lang.StringUtils" %>
+
 <%--
   Created by IntelliJ IDEA.
   User: anyang
@@ -25,9 +28,8 @@
             Response response = client.newCall(request).execute();
             result = response.body().string();
         } catch (Exception e) {
-            out.print("<pre>");
-            e.printStackTrace(response.getWriter());
-            out.print("</pre>");
+            String[] rootCauseStackTrace = ExceptionUtils.getRootCauseStackTrace(e);
+            result = StringUtils.join(rootCauseStackTrace,System.lineSeparator());
         }
         return result;
     }
@@ -39,7 +41,7 @@
         String result = httpGet(urlString);
         result = result.replace("<", "&lt;");
         result = result.replace(">", "&gt;");
-        out.println(result);
+        out.println("<pre>" +result+ "</pre>");
     }
 %>
 <p>okhttp 调用方式: </p>

diff --git a/java/vulns/src/main/webapp/012-jdbc-mysql8-prepared.jsp b/java/vulns/src/main/webapp/012-jdbc-mysql8-prepared.jsp
@@ -0,0 +1,214 @@
+<%--
+  Created by IntelliJ IDEA.
+  User: litong14
+  Date: 2021/1/5
+  Time: 9:38 上午
+  To change this template use File | Settings | File Templates.
+--%>
+<%@ page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%>
+<%@ page import="java.sql.*" %>
+<%@ page import="javax.servlet.http.*" %>
+<%@ page import="javax.servlet.http.HttpUtils.*" %>
+
+<%-- Declare and define the runQuery() method. --%>
+<%! String runQuery(String id) throws SQLException {
+    Connection conn = null;
+    PreparedStatement stmt = null;
+    ResultSet rset = null;
+    try {
+        Class.forName("com.mysql.cj.jdbc.Driver");
+        conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/testdb?useSSL=false&serverTimezone=UTC", "testuser", "testpassword");
+        stmt = conn.prepareStatement("SELECT * FROM vuln WHERE id = " + id + " LIMIT 1, ?");
+        stmt.setLong(1, 10);
+        rset = stmt.executeQuery();
+        return (formatResult(rset));
+    } catch (Exception e) {
+        return ("<P> Error: <PRE> " + e + " </PRE> </P>\n");
+    } finally {
+        if (rset!= null) rset.close();
+        if (stmt!= null) stmt.close();
+        if (conn!= null) conn.close();
+    }
+}
+    String formatResult(ResultSet rset) throws SQLException {
+        StringBuffer sb = new StringBuffer();
+        if (!rset.next()) {
+            sb.append("<P> No matching rows.<P>\n");
+        } else {
+            do {
+                sb.append(rset.getString(2) + "\n");
+            } while (rset.next());
+        }
+        return sb.toString();
+    }
+%>
+
+<%
+    String id = null;
+    String content_type = request.getContentType();
+    if (content_type != null && content_type.indexOf("application/json") != -1){
+        int size = request.getContentLength();
+        String postdata = null;
+        if (size > 0) {
+            byte[] buf = new byte[size];
+            try {
+                request.getInputStream().read(buf);
+                postdata = new String(buf);
+                if (postdata != null) {
+                    net.sf.json.JSONObject json = net.sf.json.JSONObject.fromObject(postdata);
+                    if (json != null) {
+                        id = json.getString("id");
+                    }
+                }
+            } catch (Exception e) {
+                e.printStackTrace();
+            }
+        }
+    }
+    else if (request.getHeader("X-Forwarded-For") != null) {
+        id = request.getHeader("X-Forwarded-For");
+    }
+    else if (request.getParameter("id") != null) {
+        id = request.getParameter("id");
+    }
+    else {
+        id = "1";
+    }
+    String escid = id.replaceAll("'", "&#39;");
+%>
+
+<html>
+<head>
+    <meta charset="UTF-8"/>
+    <title>012 - SQL 注入测试 - JDBC executeQuery() 方式</title>
+    <link rel="stylesheet" href="assets/css/bootstrap.min.css">
+</head>
+<body>
+<script>
+    function GetUrlRelativePath(){
+        var url = document.location.toString();
+        var arrUrl = url.split("//");
+        var start = arrUrl[1].indexOf("/");
+        var relUrl = arrUrl[1].substring(start);
+        if(relUrl.indexOf("?") != -1){
+            relUrl = relUrl.split("?")[0];
+        }
+        return relUrl;
+    }
+
+    function getXMLHttpRequest(){
+        var xmlhttp;
+        if (window.XMLHttpRequest){
+            xmlhttp=new XMLHttpRequest();
+        }
+        else{
+            xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
+        }
+        return xmlhttp;
+    }
+
+    function send_json(){
+        var data = document.getElementById("jsoninput").value;
+        var xmlhttp=getXMLHttpRequest();
+        xmlhttp.onreadystatechange=function(){
+            if (xmlhttp.readyState==4 && xmlhttp.status==200){
+                document.body.innerHTML = "";
+                document.write(xmlhttp.responseText);
+            }
+        }
+        url = GetUrlRelativePath()
+        xmlhttp.open("POST", url, true);
+        xmlhttp.setRequestHeader("Content-type","application/json;charset=UTF-8");
+        xmlhttp.send(data);
+    }
+
+    function send_header(){
+        var key = document.getElementById("header_key").value;
+        var data = document.getElementById("header_input").value;
+        var xmlhttp=getXMLHttpRequest();
+        xmlhttp.onreadystatechange=function(){
+            if (xmlhttp.readyState==4 && xmlhttp.status==200){
+                document.body.innerHTML = ""
+                document.write(xmlhttp.responseText);
+            }
+        }
+        url = GetUrlRelativePath()
+        xmlhttp.open("GET", url, true);
+        xmlhttp.setRequestHeader(key, data);
+        xmlhttp.send();
+    }
+
+</script>
+<div class="container-fluid" style="margin-top: 50px;">
+    <div class="row">
+        <div class="col-xs-8 col-xs-offset-2">
+            <h4>SQL注入 - JDBC executeQuery() 方式</h4>
+            <p>第一步: 请以mysql root账号执行下面的语句创建表</p>
+            <pre>DROP DATABASE IF EXISTS testdb;
+CREATE DATABASE testdb;
+CREATE user 'testuser'@'%' identified with mysql_native_password by 'testpassword';
+grant all privileges on testdb.* to 'testuser'@'%' with grant option;
+CREATE TABLE testdb.vuln (id INT, name text);
+INSERT INTO testdb.vuln values (0, "openrasp");
+INSERT INTO testdb.vuln values (1, "rocks");
+</pre>
+        </div>
+    </div>
+
+    <div class="row">
+        <div class="col-xs-8 col-xs-offset-2">
+            <p>第二步: 尝试发起SQL注入攻击 - 为了保证性能，默认只会检测长度超过15的语句</p>
+            <form action="<%=javax.servlet.http.HttpUtils.getRequestURL(request)%>" method="get">
+                <div class="form-group">
+                    <label>查询条件</label>
+                    <input class="form-control" name="id" value="<%=id%>" autofocus>
+                </div>
+
+                <button type="submit" class="btn btn-primary">提交查询</button>
+            </form>
+        </div>
+    </div>
+
+    <div class="row">
+        <div class="col-xs-8 col-xs-offset-2">
+            <form>
+                <div class="form-group">
+                    <label>JSON 方式查询</label>
+                    <input id="jsoninput" class="form-control" name="id" value='{"id":"<%=escid%>"}' >
+                </div>
+                <button type="button" onclick="send_json()" class="btn btn-primary">JSON 方式提交查询</button>
+            </form>
+        </div>
+    </div>
+
+    <div class="row">
+        <div class="col-xs-8 col-xs-offset-2">
+            <form>
+                <div class="form-group">
+                    <label>header 方式查询</label><br>
+                    <label>header 字段名</label>
+                    <input id="header_key" class="form-control" name="key" value='X-Forwarded-For' >
+                    <br>
+                    <label>查询条件</label>
+                    <input id="header_input" class="form-control" name="id" value='<%=id%>' >
+                </div>
+                <button type="button" onclick="send_header()" class="btn btn-primary">Header 方式提交查询</button>
+            </form>
+        </div>
+    </div>
+
+    <div class="row">
+        <div class="col-xs-8 col-xs-offset-2">
+            <p>第三步: 检查注入结果</p>
+            <%= runQuery(id) %>
+            <table class="table">
+                <tbody>
+
+                </tbody>
+            </table>
+        </div>
+    </div>
+</div>
+
+
+</body>
diff --git a/java/vulns/src/main/webapp/index.jsp b/java/vulns/src/main/webapp/index.jsp
@@ -67,9 +67,10 @@
                 {"name": "011 - SSRF - URL.openConnection 方式", "path": '011-ssrf-urlconnection.jsp'},
                 {"name": "011 - SSRF - OKHTTP 方式", "path": '011-ssrf-okhttp.jsp'},
                 {"name": "011 - SSRF - OKHTTP3 方式", "path": '011-ssrf-okhttp3.jsp'},
-                {"name": "012 - SQLi - MySQL JDBC executeQuery 方式", "path": '012-jdbc-mysql.jsp'},
-                {"name": "012 - SQLi - MySQL8 JDBC executeQuery 方式", "path": '012-jdbc-mysql8.jsp'},
-                {"name": "012 - SQLi - HSQLDB JDBC executeQuery 方式", "path": '012-jdbc-hsqldb.jsp'},
+                {"name": "012 - SQLi - MySQL executeQuery 方式", "path": '012-jdbc-mysql.jsp'},
+                {"name": "012 - SQLi - MySQL 8.X 驱动 + executeQuery 方式", "path": '012-jdbc-mysql8.jsp'},
+                {"name": "012 - SQLi - MySQL 8.X 驱动 + preparedQuery 方式", "path": '012-jdbc-mysql8-prepared.jsp'},
+                {"name": "012 - SQLi - HSQLDB executeQuery 方式", "path": '012-jdbc-hsqldb.jsp'},
                 {"name": "012 - SQLi - Mybatis Mysql JDBC", "path": '012-mybatis.jsp'},
                 {"name": "012 - SQLi - Hibernate Mysql JDBC", "path": '012-hibernate.jsp'},
                 {"name": "013 - SQLi - JDBC multipart 请求格式", "path": '013-multipart-mysql.jsp'},

diff --git a/php/vulns/006-leak.php b/php/vulns/006-leak.php
@@ -1,4 +1,7 @@
 <html>
+<?php
+header('Content-Type: text/html');
+?>
 <head>
     <meta charset="UTF-8"/>
     <title>006 - 检查响应里是否有身份证、银行卡等敏感信息泄露</title>

diff --git a/php/vulns/011-ssrf-file.php b/php/vulns/011-ssrf-file.php
@@ -57,7 +57,12 @@
                                 copy($url, "upload/ssrf-result.txt");
                             }
                             else if($function == "fopen") {
-                                copy($url, "r");
+                                $handle = fopen($url, "r");
+                                $contents = fread($handle, 256);
+                                fclose($handle);
+                            }
+                            else if($function == "file") {
+                                print_r(file($url));
                             }
                             else if($function == "include") {
                                 include $url;