bug fix

Author: JoyChou93

src/main/java/org/joychou/controller/SSRF.java

@@ -1,28 +1,16 @@
 package org.joychou.controller;
 
-import com.squareup.okhttp.OkHttpClient;
-import org.apache.commons.httpclient.HttpClient;
-import org.apache.commons.httpclient.methods.GetMethod;
-import org.apache.commons.io.IOUtils;
-import org.apache.http.HttpResponse;
-import org.apache.http.HttpStatus;
-import org.apache.http.client.fluent.Request;
-import org.apache.http.client.methods.HttpGet;
-import org.apache.http.impl.client.CloseableHttpClient;
-import org.apache.http.impl.client.HttpClients;
 import org.joychou.security.SecurityUtil;
+import org.joychou.security.ssrf.SSRFException;
+import org.joychou.util.HttpUtils;
 import org.joychou.util.WebUtils;
-import org.jsoup.Jsoup;
-import org.jsoup.nodes.Document;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-
-import javax.imageio.ImageIO;
 import javax.servlet.http.HttpServletResponse;
 import java.io.*;
 import java.net.*;
@@ -40,58 +28,58 @@ public class SSRF {
 
     private static Logger logger = LoggerFactory.getLogger(SSRF.class);
 
-    @RequestMapping("/urlConnection")
-    public static String ssrf_URLConnection(@RequestParam String url) {
-        try {
-            URL u = new URL(url);
-            URLConnection urlConnection = u.openConnection();
-            BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream())); //send request
-            String inputLine;
-            StringBuilder html = new StringBuilder();
 
-            while ((inputLine = in.readLine()) != null) {
-                html.append(inputLine);
-            }
-            in.close();
-            return html.toString();
-        } catch (Exception e) {
-            logger.error(e.toString());
-            return "fail";
+    @RequestMapping("/urlConnection/vuln")
+    public static String URLConnectionVuln(String url) {
+        return HttpUtils.URLConnection(url);
+    }
+
+
+    @RequestMapping("/urlConnection/sec")
+    public static String URLConnectionSec(String url) {
+
+        // Decline not http/https protocol
+        if (!url.startsWith("http://") && !url.startsWith("https://")) {
+            return "[-] SSRF check failed";
         }
+
+        try {
+            SecurityUtil.startSSRFHook();
+            return HttpUtils.URLConnection(url);
+        } catch (SSRFException | IOException e) {
+            return e.getMessage();
+        } finally {
+            SecurityUtil.stopSSRFHook();
+        }
+
     }
 
 
-    @RequestMapping("/HttpURLConnection")
+    @RequestMapping("/HttpURLConnection/sec")
     @ResponseBody
-    public static String ssrf_httpURLConnection(@RequestParam String url) {
+    public static String httpURLConnection(@RequestParam String url) {
         try {
-            URL u = new URL(url);
-            URLConnection urlConnection = u.openConnection();
-            HttpURLConnection httpUrl = (HttpURLConnection) urlConnection;
-            BufferedReader in = new BufferedReader(new InputStreamReader(httpUrl.getInputStream())); //send request
-            String inputLine;
-            StringBuilder html = new StringBuilder();
-
-            while ((inputLine = in.readLine()) != null) {
-                html.append(inputLine);
-            }
-            in.close();
-            return html.toString();
-        } catch (Exception e) {
-            logger.error(e.toString());
-            return "fail";
+            SecurityUtil.startSSRFHook();
+            return HttpUtils.HTTPURLConnection(url);
+        } catch (SSRFException | IOException e) {
+            return e.getMessage();
+        } finally {
+            SecurityUtil.stopSSRFHook();
         }
     }
 
 
-    @RequestMapping("/Request")
+    // http://localhost:8080/ssrf/request/sec?url=http://www.baidu.com
+    @RequestMapping("/request/sec")
     @ResponseBody
-    public static String ssrf_Request(@RequestParam String url) {
+    public static String request(@RequestParam String url) {
         try {
-            return Request.Get(url).execute().returnContent().toString();
-        } catch (Exception e) {
-            logger.error(e.toString());
-            return "fail";
+            SecurityUtil.startSSRFHook();
+            return HttpUtils.request(url);
+        } catch (SSRFException | IOException e) {
+            return e.getMessage();
+        } finally {
+            SecurityUtil.stopSSRFHook();
         }
     }
 
@@ -106,7 +94,7 @@ public static String ssrf_Request(@RequestParam String url) {
      */
     @RequestMapping("/openStream")
     @ResponseBody
-    public static void ssrf_openStream(@RequestParam String url, HttpServletResponse response) throws IOException {
+    public static void openStream(@RequestParam String url, HttpServletResponse response) throws IOException {
         InputStream inputStream = null;
         OutputStream outputStream = null;
         try {
@@ -136,164 +124,112 @@ public static void ssrf_openStream(@RequestParam String url, HttpServletResponse
     }
 
 
-    @RequestMapping("/ImageIO")
+    @RequestMapping("/ImageIO/sec")
     @ResponseBody
-    public static void ssrf_ImageIO(@RequestParam String url) {
+    public static String ImageIO(@RequestParam String url) {
         try {
-            URL u = new URL(url);
-            ImageIO.read(u); // send request
-        } catch (Exception e) {
-            logger.error(e.toString());
+            SecurityUtil.startSSRFHook();
+            HttpUtils.imageIO(url);
+        } catch (SSRFException | IOException e) {
+            return e.getMessage();
+        } finally {
+            SecurityUtil.stopSSRFHook();
         }
+
+        return "ImageIO ssrf test";
     }
 
 
-    @RequestMapping("/okhttp")
+    @RequestMapping("/okhttp/sec")
     @ResponseBody
-    public static void ssrf_okhttp(@RequestParam String url) throws IOException {
-        OkHttpClient client = new OkHttpClient();
-        com.squareup.okhttp.Request ok_http = new com.squareup.okhttp.Request.Builder().url(url).build();
-        client.newCall(ok_http).execute();
+    public static String okhttp(@RequestParam String url) {
+
+        try {
+            SecurityUtil.startSSRFHook();
+            HttpUtils.okhttp(url);
+        } catch (SSRFException | IOException e) {
+            return e.getMessage();
+        } finally {
+            SecurityUtil.stopSSRFHook();
+        }
+
+        return "okhttp ssrf test";
     }
 
 
     /**
-     * http://localhost:8080/ssrf/HttpClient/sec?url=http://www.baidu.com
-     *
-     * @return The response of url param.
+     * http://localhost:8080/ssrf/httpclient/sec?url=http://www.baidu.com
      */
-    @RequestMapping("/HttpClient/sec")
+    @RequestMapping("/httpclient/sec")
     @ResponseBody
-    public static String ssrf_HttpClient(@RequestParam String url) {
-        StringBuilder result = new StringBuilder();
+    public static String HttpClient(@RequestParam String url) {
+
         try {
             SecurityUtil.startSSRFHook();
-            CloseableHttpClient client = HttpClients.createDefault();
-            HttpGet httpGet = new HttpGet(url);
-            HttpResponse httpResponse = client.execute(httpGet); // send request
-            BufferedReader rd = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent()));
-
-            String line;
-            while ((line = rd.readLine()) != null) {
-                result.append(line);
-            }
-
-            // SecurityUtil.stopSSRFHook();
-            return result.toString();
-
-        } catch (Exception e) {
-            return e.toString();
+            return HttpUtils.httpClient(url);
+        } catch (SSRFException | IOException e) {
+            return e.getMessage();
         } finally {
             SecurityUtil.stopSSRFHook();
         }
+
     }
 
 
     /**
-     * https://mvnrepository.com/artifact/commons-httpclient/commons-httpclient
-     * UserAgent: Jakarta Commons-HttpClient/3.1 (2007.08 publish)
-     * <p>
      * http://localhost:8080/ssrf/commonsHttpClient/sec?url=http://www.baidu.com
      */
     @RequestMapping("/commonsHttpClient/sec")
     @ResponseBody
     public static String commonsHttpClient(@RequestParam String url) {
-        if (!SecurityUtil.checkSSRFByWhitehosts(url)) {
-            return "Bad man. I got u.";
-        }
-
-        HttpClient client = new HttpClient();
-        GetMethod method = new GetMethod(url);
-        method.setFollowRedirects(false);
 
         try {
-            // Send http request.
-            int status_code = client.executeMethod(method);
-
-            // Only allow the url that status_code is 200.
-            if (status_code != HttpStatus.SC_OK) {
-                return "Method failed: " + method.getStatusLine();
-            }
-
-            // Read the response body.
-            byte[] resBody = method.getResponseBody();
-            return new String(resBody);
-
-        } catch (IOException e) {
-            return "Error: " + e.getMessage();
+            SecurityUtil.startSSRFHook();
+            return HttpUtils.commonHttpClient(url);
+        } catch (SSRFException | IOException e) {
+            return e.getMessage();
         } finally {
-            // Release the connection.
-            method.releaseConnection();
+            SecurityUtil.stopSSRFHook();
         }
 
-
     }
 
     /**
-     * jsoup是一款Java的HTML解析器，可直接解析某个URL地址、HTML文本内容。
-     * <p>
      * http://localhost:8080/ssrf/Jsoup?url=http://www.baidu.com
      */
-    @RequestMapping("/Jsoup")
+    @RequestMapping("/Jsoup/sec")
     @ResponseBody
     public static String Jsoup(@RequestParam String url) {
+
         try {
-            Document doc = Jsoup.connect(url)
-                    .userAgent(
-                            "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) "
-                                    + "Chrome/64.0.3282.167 Safari/537.36")
-                    .timeout(3000)
-                    .cookie("name", "joychou") // request请求带的cookie
-                    .followRedirects(false)
-                    .execute().parse();
-            logger.info(doc.html());
-        } catch (MalformedURLException e) {
-            return "exception: " + e.toString();
-        } catch (IOException e) {
-            logger.error(e.toString());
-            return "exception: " + e.toString();
+            SecurityUtil.startSSRFHook();
+            return HttpUtils.Jsoup(url);
+        } catch (SSRFException | IOException e) {
+            return e.getMessage();
+        } finally {
+            SecurityUtil.stopSSRFHook();
         }
 
-        return "Jsoup ssrf";
     }
 
 
     /**
-     * 用途：IOUtils可远程获取URL图片
-     * 默认重定向：是
-     * 封装类：URLConnection
-     * http://localhost:8080/ssrf/IOUtils?url=http://www.baidu.com
+     * http://localhost:8080/ssrf/IOUtils/sec?url=http://www.baidu.com
      */
-    @RequestMapping("/IOUtils")
-    public static String IOUtils(@RequestParam String url) {
+    @RequestMapping("/IOUtils/sec")
+    public static String IOUtils(String url) {
+
         try {
-            // IOUtils.toByteArray内部用URLConnection进行了封装
-            IOUtils.toByteArray(URI.create(url));
-        } catch (Exception e) {
-            return "exception: " + e.toString();
+            SecurityUtil.startSSRFHook();
+            HttpUtils.IOUtils(url);
+        } catch (SSRFException | IOException e) {
+            return e.getMessage();
+        } finally {
+            SecurityUtil.stopSSRFHook();
         }
 
-        return "IOUtils ssrf";
+        return "IOUtils ssrf test";
     }
 
 
-    /**
-     * Safe code.
-     * http://localhost:8080/ssrf/ImageIO/sec?url=http://www.baidu.com
-     */
-    @RequestMapping("/ImageIO/sec")
-    public static String ImageIOSec(@RequestParam String url) {
-        try {
-            URL u = new URL(url);
-            if (!SecurityUtil.checkSSRFWithoutRedirect(url)) {
-                logger.error("[-] SSRF check failed. Original Url: " + url);
-                return "SSRF check failed.";
-            }
-            ImageIO.read(u); // send request
-        } catch (Exception e) {
-            return e.toString();
-        }
-
-        return "ImageIO ssrf safe code.";
-    }
 }

src/main/java/org/joychou/security/SecurityUtil.java

@@ -126,7 +126,7 @@ public static boolean checkSSRFWithoutRedirect(String url) {
      *
      * @author liergou @ 2020-04-04 02:15
      */
-    public static void startSSRFHook() throws NoSuchFieldException, IOException {
+    public static void startSSRFHook() throws IOException {
         SocketHook.startHook();
     }
 

src/main/java/org/joychou/security/ssrf/SSRFChecker.java

@@ -132,7 +132,6 @@ static boolean isInternalIp(String strIP) {
         }
 
         ArrayList<String> blackSubnets = WebConfig.getSsrfBlockIps();
-        blackSubnets.add("10.0.0.0/8");
         for (String subnet : blackSubnets) {
             SubnetUtils utils = new SubnetUtils(subnet);
             if (utils.getInfo().isInRange(strIP)) {

src/main/java/org/joychou/security/ssrf/SSRFException.java

@@ -6,7 +6,7 @@
  *
  * @author JoyChou @2020-04-04
  */
-class SSRFException extends RuntimeException {
+public class SSRFException extends RuntimeException {
 
     SSRFException(String s) {
         super(s);

src/main/java/org/joychou/security/ssrf/SocketHook.java

@@ -12,7 +12,7 @@
  */
 public class SocketHook {
 
-    public static void startHook() throws NoSuchFieldException, IOException {
+    public static void startHook() throws IOException {
         SocketHookFactory.initSocket();
         SocketHookFactory.setHook(true);
         try{