Add a code injection servlet

k-tamura · Feb 19, 2017 · f4bf6ba · f4bf6ba
1 parent 59ebdc1
commit f4bf6ba
Show file tree

Hide file tree

Showing 6 changed files with 105 additions and 0 deletions.
diff --git a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java b/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java
@@ -0,0 +1,80 @@
+package org.t246osslab.easybuggy.vulnerabilities;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.Locale;
+
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineManager;
+import javax.script.ScriptException;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.t246osslab.easybuggy.utils.Closer;
+import org.t246osslab.easybuggy.utils.HTTPResponseCreator;
+import org.t246osslab.easybuggy.utils.MessageUtils;
+
+@SuppressWarnings("serial")
+@WebServlet(urlPatterns = { "/codeijc" })
+public class CodeInjectionServlet extends HttpServlet {
+
+    private static Logger log = LoggerFactory.getLogger(CodeInjectionServlet.class);
+
+    protected void service(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
+
+        PrintWriter writer = null;
+        try {
+            String jsonString = req.getParameter("jsonString");
+            Locale locale = req.getLocale();
+
+            StringBuilder bodyHtml = new StringBuilder();
+
+            bodyHtml.append("<form action=\"codeijc\" method=\"post\">");
+            bodyHtml.append(MessageUtils.getMsg("description.parse.json", locale));
+            bodyHtml.append("<br><br>");
+            bodyHtml.append(MessageUtils.getMsg("label.json.string", locale) + ": ");
+            bodyHtml.append("<textarea name=\"jsonString\" cols=\"80\" lows=\"10\"></textarea>");
+            bodyHtml.append("<br><br>");
+            bodyHtml.append("<input type=\"submit\" value=\"" + MessageUtils.getMsg("label.submit", locale) + "\">");
+            bodyHtml.append("<br><br>");
+
+            if (jsonString != null && !jsonString.equals("")) {
+                jsonString = jsonString.replaceAll(" ", "");
+                jsonString = jsonString.replaceAll("\r\n", "");
+                jsonString = jsonString.replaceAll("\n", "");
+                try {
+                    ScriptEngineManager manager = new ScriptEngineManager();
+                    ScriptEngine scriptEngine = manager.getEngineByName("JavaScript");
+                    scriptEngine.eval("JSON.parse('" + jsonString + "')");
+                    bodyHtml.append(MessageUtils.getMsg("msg.valid.json", locale));
+                } catch (ScriptException e) {
+                    bodyHtml.append(MessageUtils.getMsg("msg.invalid.json", locale) + " : ");
+                    bodyHtml.append(e.getMessage());
+                }
+            } else {
+                bodyHtml.append(MessageUtils.getMsg("msg.enter.json.string", locale));
+            }
+            bodyHtml.append("<br><br>");
+            bodyHtml.append(MessageUtils.getMsg("msg.note.code.injection", locale));
+            bodyHtml.append("</form>");
+
+            HTTPResponseCreator.createSimpleResponse(res, MessageUtils.getMsg("title.parse.json", locale),
+                    bodyHtml.toString());
+        } catch (Exception e) {
+            log.error("Exception occurs: ", e);
+        } finally {
+            Closer.close(writer);
+        }
+    }
+
+    public String getReverseName(String name) {
+        StringBuffer sb = new StringBuffer(name);
+        name = sb.reverse().toString();
+        return name;
+    }
+}
diff --git a/src/main/resources/indexpage_en.properties b/src/main/resources/indexpage_en.properties
@@ -43,6 +43,8 @@ function.name.sql.injection=SQL Injection
 function.description.sql.injection=SQL injection occurs when entering a vulnerable string.
 function.name.ldap.injection=LDAP Injection
 function.description.ldap.injection=LDAP injection occurs after entering a vulnerable string.
+function.name.code.injection=Code Injection
+function.description.code.injection=Code injection occurs after entering a vulnerable string.
 
 
 section.errors=Errors

diff --git a/src/main/resources/indexpage_ja.properties b/src/main/resources/indexpage_ja.properties
@@ -44,6 +44,8 @@ function.name.sql.injection=SQL\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3
 function.description.sql.injection=\u8106\u5f31\u306a\u6587\u5b57\u5217\u3092\u5165\u529b\u3059\u308b\u3068\u3001SQL\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u304c\u767a\u751f\u3057\u307e\u3059\u3002
 function.name.ldap.injection=LDAP\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3
 function.description.ldap.injection=\u8106\u5f31\u306a\u6587\u5b57\u5217\u3092\u5165\u529b\u3059\u308b\u3068\u3001LDAP\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u304c\u767a\u751f\u3057\u307e\u3059\u3002
+function.name.code.injection=\u30b3\u30fc\u30c9\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3
+function.description.code.injection=\u8106\u5f31\u306a\u6587\u5b57\u5217\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u30b3\u30fc\u30c9\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u304c\u767a\u751f\u3057\u307e\u3059\u3002
 
 
 section.errors=\u30a8\u30e9\u30fc

diff --git a/src/main/resources/messages_en.properties b/src/main/resources/messages_en.properties
@@ -1,10 +1,12 @@
 description.endless.waiting=If you enter a character count, then a batch, including echo characters of the count, is created and executed.
+description.parse.json=If you enter a JSON string, then a result checked by JSON.parse() of JavaScript is shown.
 description.reverse.name=If you enter your name, then the reversed name is shown.
 label.asc=asc
 label.calculate=Calculate
 label.character.count=Character Count
 label.desc=desc
 label.execution.result=Execution Result: 
+label.json.string=JSON String
 label.name=Name
 label.multiplication.sign=*
 label.obelus=/
@@ -20,6 +22,7 @@ msg.db.connection.leak.occur=DB connection leak occurs every time you load this
 msg.dead.lock.not.occur=Dead Lock does not occur.
 msg.dead.lock.occur=Dead Lock occurs after loading this page few times.
 msg.deadlock.occurs=A lock could not be obtained due to a deadlock.
+msg.enter.json.string=Please enter JSON string.
 msg.enter.name.and.passwd=If you enter your name and password, then your secret number is shown.
 msg.enter.name=Please enter your name.
 msg.enter.positive.number=Please enter a positive number.
@@ -29,8 +32,11 @@ msg.example.name.and.passwd=For example, Mark and password
 msg.executed.batch=Created and executed the batch: 
 msg.file.descriptor.leak.occur=File descriptor leak occurs every time you load this page.
 msg.info.jvm.not.crash=JVM crash only occurs if using Oracle JDK 6 or 7.
+msg.invalid.json=Invalid JSON!
 msg.java.heap.space.leak.occur=Memory leak occurs in Java heap space every time you load this page.<BR><BR> \
 <span class="glyphicon glyphicon-info-sign"></span>&nbsp; If keeping on loading this page, OutOfMemoryError is finally thrown.
+msg.note.code.injection=<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
+If you enter {}');java.lang.System.exit(0);// , then JavaVM is forcibly finished due to code injection.
 msg.note.enter.count=<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
 If you enter a large character count, then an endless waiting process occurs.
 msg.note.enter.one=<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
@@ -56,11 +62,13 @@ msg.socket.leak.occur=Network socket leak occurs every time you load this page.
 msg.unknown.exception.occur=Unknown exception occurs.
 msg.update.records=Updated {0} records.
 msg.select.asc.or.desc=You can update recordes, inserted in a table of RDBMS, in ascending or descending order of ID.
+msg.valid.json=Valid JSON!
 msg.warn.select.asc.or.desc=Please select "asc" or "desc" and click the Update button.
 msg.warn.enter.name.and.passwd=Please enter your name and password.
 title.endless.waiting.page=Execute batch
 title.integer.overflow.page=Convert days to hours
 title.loss.of.trailing.digits.page=Decimal addition
+title.parse.json=Parse JSON
 title.round.off.error.page=Easy subtraction
 title.sql.injection.page=Search your secret number
 title.truncation.error.page=Decimal division

diff --git a/src/main/resources/messages_ja.properties b/src/main/resources/messages_ja.properties
@@ -1,10 +1,12 @@
 description.endless.waiting=\u6587\u5b57\u6570\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u305d\u306e\u6587\u5b57\u6570\u5206\u306eecho\u3092\u5b9f\u884c\u3059\u308b\u30d0\u30c3\u30c1\u3092\u4f5c\u6210\u3001\u5b9f\u884c\u3057\u307e\u3059\u3002
+description.parse.json=JSON\u6587\u5b57\u5217\u3092\u5165\u529b\u3059\u308b\u3068\u3001JavaScript\u306eJSON.parse()\u3067\u691c\u8a3c\u3057\u305f\u7d50\u679c\u304c\u8868\u793a\u3055\u308c\u307e\u3059\u3002
 description.reverse.name=\u540d\u524d\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u540d\u524d\u304c\u9006\u8ee2\u3057\u3066\u8868\u793a\u3055\u308c\u307e\u3059\u3002
 label.asc=\u6607\u9806
 label.calculate=\u8a08\u7b97\u3059\u308b
 label.character.count=\u6587\u5b57\u6570
 label.desc=\u964d\u9806
 label.execution.result=\u5b9f\u884c\u7d50\u679c: 
+label.json.string=JSON\u6587\u5b57\u5217
 label.name=\u540d\u524d
 label.multiplication.sign=\u00d7
 label.obelus=\u00f7
@@ -20,6 +22,7 @@ msg.db.connection.leak.occur=\u3053\u306e\u30da\u30fc\u30b8\u3092\u8aad\u307f\u8
 msg.dead.lock.not.occur=\u30c7\u30c3\u30c9\u30ed\u30c3\u30af\u306f\u767a\u751f\u3057\u307e\u305b\u3093\u3067\u3057\u305f\u3002
 msg.dead.lock.occur=\u3053\u306e\u30da\u30fc\u30b8\u3092\u6570\u56de\u30ed\u30fc\u30c9\u3059\u308b\u3068\u3001\u30c7\u30c3\u30c9\u30ed\u30c3\u30af\u304c\u767a\u751f\u3057\u307e\u3059\u3002
 msg.deadlock.occurs=\u30c7\u30c3\u30c9\u30ed\u30c3\u30af\u306b\u3088\u308a\u30ed\u30c3\u30af\u3092\u53d6\u5f97\u3067\u304d\u307e\u305b\u3093\u3067\u3057\u305f\u3002
+msg.enter.json.string=JSON\u6587\u5b57\u5217\u3092\u5165\u529b\u3057\u3066\u4e0b\u3055\u3044\u3002
 msg.enter.name.and.passwd=\u540d\u524d\u3068\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u6697\u8a3c\u756a\u53f7\u304c\u8868\u793a\u3055\u308c\u307e\u3059\u3002
 msg.enter.name=\u540d\u524d\u3092\u5165\u529b\u3057\u3066\u4e0b\u3055\u3044\u3002
 msg.enter.positive.number=\u6b63\u306e\u6574\u6570\u3092\u5165\u529b\u3057\u3066\u4e0b\u3055\u3044\u3002
@@ -29,8 +32,11 @@ msg.example.name.and.passwd=\u4f8b\u3048\u3070\u3001Mark \u3068 password
 msg.executed.batch=\u30d0\u30c3\u30c1\u3092\u4f5c\u6210\u3001\u5b9f\u884c\u3057\u307e\u3057\u305f: 
 msg.file.descriptor.leak.occur=\u3053\u306e\u30da\u30fc\u30b8\u3092\u8aad\u307f\u8fbc\u3080\u305f\u3073\u306b\u3001\u30d5\u30a1\u30a4\u30eb\u30c7\u30a3\u30b9\u30af\u30ea\u30d7\u30bf\u30ea\u30fc\u30af\u304c\u767a\u751f\u3057\u307e\u3059\u3002
 msg.info.jvm.not.crash=JVM\u30af\u30e9\u30c3\u30b7\u30e5\u306f\u3001Oracle JDK 6\u307e\u305f\u306f7\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u5834\u5408\u306b\u306e\u307f\u767a\u751f\u3057\u307e\u3059\u3002
+msg.invalid.json=JSON\u3068\u3057\u3066\u4e0d\u6b63\u306a\u5f62\u5f0f\u3067\u3059\u3002
 msg.java.heap.space.leak.occur=\u3053\u306e\u30da\u30fc\u30b8\u3092\u8aad\u307f\u8fbc\u3080\u305f\u3073\u306b\u3001Java\u30d2\u30fc\u30d7\u9818\u57df\u306e\u30e1\u30e2\u30ea\u30ea\u30fc\u30af\u304c\u767a\u751f\u3057\u307e\u3059\u3002<BR><BR> \
 <span class="glyphicon glyphicon-info-sign"></span>&nbsp; \u753b\u9762\u3092\u30ed\u30fc\u30c9\u3057\u7d9a\u3051\u308b\u3068\u3001\u6700\u7d42\u7684\u306bOutOfMemoryError\u304c\u30b9\u30ed\u30fc\u3055\u308c\u307e\u3059\u3002
+msg.note.code.injection=<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
+\u300c{}');java.lang.System.exit(0);//\u300d\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u30b3\u30fc\u30c9\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u3067 JavaVM\u304c\u5f37\u5236\u7d42\u4e86\u3057\u307e\u3059\u3002
 msg.note.enter.count=<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
 \u5927\u304d\u306a\u6587\u5b57\u6570\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u5b8c\u4e86\u3057\u306a\u3044\u30d7\u30ed\u30bb\u30b9\u306e\u5f85\u6a5f\u304c\u767a\u751f\u3057\u307e\u3059\u3002
 msg.note.enter.one=<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
@@ -56,11 +62,13 @@ msg.socket.leak.occur=\u3053\u306e\u30da\u30fc\u30b8\u3092\u8aad\u307f\u8fbc\u30
 msg.unknown.exception.occur=\u4e0d\u660e\u306a\u4f8b\u5916\u304c\u767a\u751f\u3057\u307e\u3057\u305f\u3002
 msg.update.records={0}\u4ef6\u66f4\u65b0\u3057\u307e\u3057\u305f\u3002
 msg.select.asc.or.desc=RDBMS\u306e\u30c6\u30fc\u30d6\u30eb\u3067\u7ba1\u7406\u3055\u308c\u305f\u30ec\u30b3\u30fc\u30c9\u3092\u3001ID\u306e\u300c\u6607\u9806\u300d\u307e\u305f\u306f\u300c\u964d\u9806\u300d\u3067\u9806\u6b21\u66f4\u65b0\u3057\u307e\u3059\u3002
+msg.valid.json=JSON\u3068\u3057\u3066\u6b63\u3057\u3044\u5f62\u5f0f\u3067\u3059\u3002
 msg.warn.select.asc.or.desc=\u300c\u6607\u9806\u300d\u307e\u305f\u306f\u300c\u964d\u9806\u300d\u3092\u9078\u629e\u3057\u3066\u3001\u66f4\u65b0\u30dc\u30bf\u30f3\u3092\u30af\u30ea\u30c3\u30af\u4e0b\u3055\u3044\u3002
 msg.warn.enter.name.and.passwd=\u540d\u524d\u3068\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u5165\u529b\u3057\u3066\u4e0b\u3055\u3044\u3002
 title.endless.waiting.page=\u30d0\u30c3\u30c1\u306e\u5b9f\u884c
 title.integer.overflow.page=\u65e5\u2192\u6642\u9593\u5909\u63db
 title.loss.of.trailing.digits.page=\u5c0f\u6570\u306e\u8db3\u3057\u7b97
+title.parse.json=JSON\u306e\u89e3\u6790
 title.round.off.error.page=\u7c21\u5358\u306a\u5f15\u304d\u7b97
 title.sql.injection.page=\u6697\u8a3c\u756a\u53f7\u691c\u7d22
 title.truncation.error.page=\u5c0f\u6570\u306e\u5272\u308a\u7b97

diff --git a/src/main/webapp/index.jsp b/src/main/webapp/index.jsp
@@ -108,6 +108,11 @@
 						key="function.name.ldap.injection" /></a>:
 			<fmt:message key="function.description.ldap.injection" />
 		</p></li>
+		<li><p>
+			<a href="codeijc" target="_blank"><fmt:message
+						key="function.name.code.injection" /></a>:
+			<fmt:message key="function.description.code.injection" />
+		</p></li>
 	</ul>
 
 	<h2>