Java sec code is a very powerful and friendly project for learning Java vulnerability code.
This project can also be called Java vulnerability code.
Each vulnerability type code has a security vulnerability by default unless there is no vulnerability. The relevant fix code is in the comments or code. Specifically, you can view each vulnerability code and comments.
Login username & password:
admin/admin123
joychou/joychou123
Sort by letter.
- Actuators to RCE
- CommandInject
- CORS
- CRLF Injection
- CSRF
- Deserialize
- Fastjson
- File Upload
- GetRequestURI
- IP Forge
- Java RMI
- JSONP
- ooxmlXXE
- PathTraversal
- RCE
- Swagger
- SpEL
- SQL Injection
- SSRF
- SSTI
- URL Redirect
- URL whitelist Bypass
- xlsxStreamerXXE
- XSS
- XStream
- XXE
- Actuators to RCE
- CORS
- CSRF
- Deserialize
- Fastjson
- Java RMI
- JSONP
- POI-OOXML XXE
- SQLI
- SSRF
- SSTI
- URL whitelist Bypass
- XXE
- Others
The application will use mybatis auto-injection. Please run mysql server ahead of time and configure the mysql server database's name and username/password except docker environment.
spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code
spring.datasource.username=root
spring.datasource.password=woshishujukumima
- Docker
- IDEA
- Tomcat
- JAR
Start docker:
docker-compose pull
docker-compose up
Stop docker:
docker-compose down
Docker's environment:
- Java 1.8.0_102
- Mysql 8.0.17
- Tomcat 8.5.11
git clone https://github.com/JoyChou93/java-sec-code- Open in IDEA and click
runbutton.
Example:
http://localhost:8080/rce/exec?cmd=whoami
return:
Viarus
git clone https://github.com/JoyChou93/java-sec-code&cd java-sec-code- Build war package by
mvn clean package. - Copy war package to tomcat webapps directory.
- Start tomcat application.
Example:
http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami
return:
Viarus
Change war to jar in pom.xml.
<groupId>sec</groupId>
<artifactId>java-sec-code</artifactId>
<version>1.0.0</version>
<packaging>war</packaging>Build package and run.
git clone https://github.com/JoyChou93/java-sec-code
cd java-sec-code
mvn clean package -DskipTests
java -jar target/java-sec-code-1.0.0.jar
If you are not logged in, accessing any page will redirect you to the login page. The username & password are as follows.
admin/admin123
joychou/joychou123
Tomcat's default JSESSION session is valid for 30 minutes, so a 30-minute non-operational session will expire. In order to solve this problem, the rememberMe function is introduced, and the default expiration time is 2 weeks.
Core developers : JoyChou, liergou9981 Other developers: lightless, Anemone95, waderwu.
If you like the poject, you can donate to support me. With your support, I will be able to make Java sec code better 😎.
Scan the QRcode to support Java sec code.
