diff --git a/.idea/libraries/Maven__commons_codec_commons_codec_1_6.xml b/.idea/libraries/Maven__commons_codec_commons_codec_1_6.xml
new file mode 100644
index 0000000..e8a6a9f
--- /dev/null
+++ b/.idea/libraries/Maven__commons_codec_commons_codec_1_6.xml
@@ -0,0 +1,13 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__commons_logging_commons_logging_1_1_3.xml b/.idea/libraries/Maven__commons_logging_commons_logging_1_1_3.xml
new file mode 100644
index 0000000..01c7b8e
--- /dev/null
+++ b/.idea/libraries/Maven__commons_logging_commons_logging_1_1_3.xml
@@ -0,0 +1,13 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__org_apache_httpcomponents_fluent_hc_4_3_6.xml b/.idea/libraries/Maven__org_apache_httpcomponents_fluent_hc_4_3_6.xml
new file mode 100644
index 0000000..9773cee
--- /dev/null
+++ b/.idea/libraries/Maven__org_apache_httpcomponents_fluent_hc_4_3_6.xml
@@ -0,0 +1,13 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__org_apache_httpcomponents_httpclient_4_3_6.xml b/.idea/libraries/Maven__org_apache_httpcomponents_httpclient_4_3_6.xml
new file mode 100644
index 0000000..04cad1e
--- /dev/null
+++ b/.idea/libraries/Maven__org_apache_httpcomponents_httpclient_4_3_6.xml
@@ -0,0 +1,13 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__org_apache_httpcomponents_httpcore_4_3_3.xml b/.idea/libraries/Maven__org_apache_httpcomponents_httpcore_4_3_3.xml
new file mode 100644
index 0000000..a821fc2
--- /dev/null
+++ b/.idea/libraries/Maven__org_apache_httpcomponents_httpcore_4_3_3.xml
@@ -0,0 +1,13 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/workspace.xml b/.idea/workspace.xml
index 0f140c5..ceecfd0 100644
--- a/.idea/workspace.xml
+++ b/.idea/workspace.xml
@@ -2,7 +2,14 @@
+
+
+
+
+
+
+
@@ -13,14 +20,26 @@
+
+
+
+
+
+
+
+
+
+
+
+
-
-
+
+
@@ -30,8 +49,8 @@
-
-
+
+
@@ -39,11 +58,11 @@
-
+
-
-
+
+
@@ -52,12 +71,14 @@
-
+
-
-
-
+
+
+
+
+
@@ -74,6 +95,7 @@
print
+ dns
@@ -87,11 +109,11 @@
@@ -102,10 +124,10 @@
DEFINITION_ORDER
-
-
-
-
+
+
+
+
@@ -117,7 +139,7 @@
- Spelling
+ Android
@@ -206,15 +228,15 @@
-
+
-
+
@@ -668,15 +690,25 @@
1504604417100
-
+
+
-
+
+
+
+
+
+
+
+
+
+
-
+
@@ -693,8 +725,9 @@
-
+
+
@@ -707,38 +740,37 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -756,6 +788,46 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -779,7 +851,9 @@
-
+
+
+
@@ -794,19 +868,11 @@
+
-
-
-
-
-
-
-
-
-
-
-
+
+
@@ -814,8 +880,8 @@
-
-
+
+
@@ -824,8 +890,8 @@
-
-
+
+
@@ -833,5 +899,15 @@
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/README.md b/README.md
index 21761e4..0152b4a 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# Trident (三叉戟)
+# Trident(三叉戟)
> Java Code Security Component (JAVA代码安全组件)
@@ -27,16 +27,6 @@ Boolean ret = checkUrl.checkUrlWlist("http://test.joychou.me", urlWList);
## checkSSRF
-JAVA默认DNS请求会有30s的缓存,所以默认不存在DNS Rebind问题。除非重新设置TTL为0。
-
-如果有大佬能绕过,麻烦提个ISSUE或者PR。
-
-我自己测试,以下方法均没绕过。但是,用DNS Rebind方法在调试的时候,均可以测试成功,所以我怀疑设置TTL为0未成功。
-
-- DNS Rebind(手动设置JAVA的TTL为0)
-- 域名解析2个A记录地址(外网+内网)
-
-
### 验证逻辑
@@ -52,6 +42,22 @@ JAVA默认DNS请求会有30s的缓存,所以默认不存在DNS Rebind问题。
URL只支持HTTP协议。
```java
-security checkUrl = new security();
-ret = checkUrl.checkSSRF("http://127.0.0.1");
+String url = "http://dns_rebind.joychou.me";
+ret = checkUrl.checkSSRF(url);
+if (ret){
+ # curl url
+}
+else {
+ System.out.println("Bad boy. The url is illegal");
+}
```
+
+### 绕过姿势
+
+
+以上代码在设置TTL为0的情况,可以用以下方法绕过 :
+
+1. DNS Rebind(手动设置JAVA的TTL为0)
+2. 域名解析2个A记录地址(分别为外网和内网)
+
+也就是说,只要Java不设置TTL为0,该代码逻辑上不存在被绕过风险。
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index e15928a..a8c10cc 100644
--- a/pom.xml
+++ b/pom.xml
@@ -14,5 +14,12 @@
guava
21.0
+
+
+ org.apache.httpcomponents
+ fluent-hc
+ 4.3.6
+
+
\ No newline at end of file
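Review bot: `fluent-hc` 4.3.6 (with the matching httpclient/httpcore 4.3.x library descriptors added under .idea/libraries in this commit) is from a release line that upstream superseded with 4.5.x long ago, and later fixes have shipped only on the newer line; for a component whose purpose is request safety, the dependency it pulls in should be a maintained version. Consider `<version>4.5.<latest></version>` (placeholder, use the current 4.5 release) and keeping httpclient and fluent-hc on the same version. The surrounding dependency content is not visible in this hunk, so I cannot tell whether a dependencyManagement section already constrains it.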
diff --git a/src/main/java/security.java b/src/main/java/security.java
index 4ee8fcb..c870cbe 100644
--- a/src/main/java/security.java
+++ b/src/main/java/security.java
@@ -85,7 +85,7 @@ public class security {
connection.setUseCaches(false); // 设置为false,手动处理跳转,可以拿到每个跳转的URL
connection.setConnectTimeout(3*1000); // 设置连接超时时间为3s
//connection.setRequestMethod("GET");
- connection.connect(); // 会解析dns
+ connection.connect(); // send dns request
int responseCode = connection.getResponseCode(); // 发起网络请求
if (responseCode >= 300 && responseCode < 400) {
String redirectedUrl = connection.getHeaderField("Location");
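Review bot: The new comments on `connection.connect(); // send dns request` here and on `InetAddress.getByName(domain); // send dns request` in the DomainToIP hunk below document that the hostname is resolved twice, but the commit does not close the gap between the two lookups: the address DomainToIP validated and the address connect() actually reaches can differ, which is the DNS-rebind window this same commit describes in README.md. A stronger design resolves the name once, validates that address, and then connects to the validated IP while sending the original hostname in the Host header, instead of letting the request re-resolve by name. The redirect branch at `connection.getHeaderField("Location")` presumably re-validates the new URL, but that code, like the start and end of the enclosing method, is outside the hunk, so I cannot confirm it. If the design stays as is, I would make the comment say so explicitly: `// second lookup: may return a different address than DomainToIP validated`.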
@@ -136,7 +136,7 @@ public class security {
*/
public static String DomainToIP(String domain) throws IOException{
try {
- InetAddress IpAddress = InetAddress.getByName(domain);
+ InetAddress IpAddress = InetAddress.getByName(domain); // send dns request
return IpAddress.getHostAddress();
}
catch (Exception e) {
diff --git a/src/main/java/test.java b/src/main/java/test.java
index 4f0284b..cda3bc5 100644
--- a/src/main/java/test.java
+++ b/src/main/java/test.java
@@ -3,6 +3,7 @@
* Mail: viarus#qq.com
* Date: 2017.09.05
*/
+import org.apache.http.client.fluent.Request;
public class test {
public static void main(String[] args) throws Exception {
@@ -14,8 +15,14 @@ public class test {
System.out.println(ret);
// SSRF组件测试
-
- ret = checkUrl.checkSSRF("http://127.0.0.1");
- System.out.println(ret);
+ String url = "http://dns_rebind.joychou.me";
+ ret = checkUrl.checkSSRF(url);
+ if (ret){
+ String con = Request.Get(url).execute().returnContent().toString();
+ System.out.println(con);
+ }
+ else {
+ System.out.println("Bad boy. The url is illegal");
+ }
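Review bot: `checkUrl.checkSSRF(url)` and `Request.Get(url).execute()` are independent operations on the same hostname, so the fetch resolves the name again and is not bound to the address the check approved; fluent-hc also applies its own redirect handling, which for GET follows redirects by default, so the manual redirect checks inside checkSSRF do not constrain this request at all. Since test.java lives in src/main and serves as the usage example for a security component, it demonstrates exactly the check-then-fetch pattern the README in this commit says is bypassable. A safer example has the component perform the request itself after validation, or at minimum builds the client with redirects disabled, e.g. `Executor.newInstance(HttpClientBuilder.create().disableRedirectHandling().build()).execute(Request.Get(url))`, so that only URLs the check has seen are fetched. The enclosing main() starts outside the hunk.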
}
}
diff --git a/target/classes/security.class b/target/classes/security.class
deleted file mode 100644
index 1206b8e..0000000
Binary files a/target/classes/security.class and /dev/null differ
diff --git a/target/classes/test.class b/target/classes/test.class
deleted file mode 100644
index de8c665..0000000
Binary files a/target/classes/test.class and /dev/null differ
diff --git a/trident.iml b/trident.iml
index e24b78b..0f7d7fa 100644
--- a/trident.iml
+++ b/trident.iml
@@ -12,5 +12,10 @@
+
+
+
+
+
\ No newline at end of file