# micro_service_seclab

Repository: https://github.com/l4yn3/micro_service_seclab (GitHub, owner l4yn3, default branch `main`)
Description: Java漏洞靶场 (Java vulnerability lab)
Language: Java | Stars: 314 | Forks: 63 | Open issues: 2 | License: none declared
Created: 2021-08-08 | Last push: 2023-12-25
Listed under: 漏洞库、漏洞靶场 (vulnerability databases and labs), Java; sub-category 网络服务_其他 (network services, other)
Listing record: https://awesome.ecosyste.ms/projects/github.com%2Fl4yn3%2Fmicro_service_seclab

## README

# micro_service_seclab
A Java vulnerability lab.

This lab is built on SpringBoot. Its purpose is to measure the accuracy of SAST tools, with a focus on false negatives and false positives.

If you want to learn how to detect vulnerabilities with `CodeQL`, work through the article [《CodeQL从入门到放弃》](https://www.freebuf.com/articles/web/283795.html) ("CodeQL from beginner to giving up") together with this project.

You can use the lab to evaluate white-box tools such as CodeQL, CheckMarx and Fortify SCA: compare each tool's findings against the vulnerabilities seeded in the code and see where it produces false positives and false negatives.

You can also use the lab for black-box testing; database files are provided for all of the vulnerabilities.

### Supported vulnerabilities
#### 1). SQL injection
This part contains many SQL injection variants that arise from different source-level coding patterns.

Type | Explanation | Pseudocode
---|---|---
String source | The input point is a String | ` one(@RequestParam(value = "username") String username) `
`List<Long>` source | The input point is a List of Long (used to test for false positives) | ` longin(@RequestBody List<Long> user_list) `
`Optional<String>` source | Newer language feature (Java 8 `Optional`) | ` optionalLike(@RequestParam(value = "username") Optional<String> optinal_username) `
`List<String>` source | The input point is a List of String | ` in(@RequestBody List<String> user_list) `
Object source | The input point is an object bound from the request body | ` objectParam(@RequestBody Student user) `
MyBatis injection | SQL kept in a separate XML mapper file | `myBatis(@RequestParam(value = "name") String name)`
IN-clause injection | Injection inside an `IN (...)` clause | see code
LIKE-clause injection | Injection inside a `LIKE` clause | see code
Lombok | How Lombok-generated code affects the injection case | see code
MyBatis annotation injection | MyBatis annotation-based SQL | see code
Spring Data JPA | Injection via Spring Data JPA | see code

#### 2). RCE (command execution)

Type | Explanation | Pseudocode
---|---|---
processBuilder | RCE via `ProcessBuilder` | --
Runtime.getRuntime().exec(args) | RCE via `Runtime.getRuntime().exec(args)` | --

#### 3). FastJson deserialization
Fastjson version `1.2.31` is bundled for testing. The request body is passed straight to `JSON.parseObject`:

```java
import com.alibaba.fastjson.JSON;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@RestController
@RequestMapping(value = "/fastjson")
public class FastJsonController {

    // Teacher is the lab's own target class; the raw body is deserialized without any type restriction.
    @PostMapping(value = "/create")
    public Teacher createActivity(@RequestBody String applyData,
                                  HttpServletRequest request, HttpServletResponse response){
        Teacher teachVO = JSON.parseObject(applyData, Teacher.class);
        return teachVO;
    }

}
```
#### 4). SSRF
Type | Explanation | Pseudocode
---|---|---
url.openConnection() | SSRF via `url.openConnection()` | see code
Request.Get() | SSRF via `Request.Get()` | see code
OkHttpClient | SSRF via `OkHttpClient` | see code
DefaultHttpClient | SSRF via `DefaultHttpClient` | see code
url.openStream() | SSRF via `url.openStream()` | see code
#### 5). XXE
Type | Explanation | Pseudocode
---|---|---
DocumentBuilderFactory | XXE via `DocumentBuilderFactory` | see code

#### 6). Deserialization
Being added.

#### 7). Logic flaws
Being added.

#### Contributions of vulnerable code are welcome.
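The SQL injection table lists query shapes (String source, LIKE, IN, `List<Long>`) without showing what makes each one injectable or not. The following is an added example, not code from the lab itself: a hypothetical helper class with plain JDBC, using an assumed `users` table with `username` and `id` columns. It shows the vulnerable LIKE concatenation, the parameterised LIKE and IN forms, and why the `List<Long>` case is a false positive if a SAST tool reports it.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Hypothetical query helpers (added example, not the lab's code).
 * Table and column names (users.username, users.id) are assumptions for the demo.
 */
public class SqlInjectionPatterns {

    // Vulnerable LIKE: the String source is concatenated straight into the query text.
    // A username of   a%' OR '1'='1   closes the literal and rewrites the WHERE clause.
    public static String vulnerableLikeSql(String username) {
        return "SELECT username FROM users WHERE username LIKE '%" + username + "%'";
    }

    public static List<String> likeVulnerable(Connection conn, String username) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(vulnerableLikeSql(username))) {
            return collect(rs);
        }
    }

    // Hardened LIKE: the wildcards are prepended to the bound value, never to the SQL text,
    // and the caller's own % and _ are escaped so they cannot widen the match.
    // '!' is the escape character because a backslash is itself an escape in MySQL literals.
    public static List<String> likeSafe(Connection conn, String username) throws SQLException {
        String escaped = username.replace("!", "!!").replace("%", "!%").replace("_", "!_");
        String sql = "SELECT username FROM users WHERE username LIKE ? ESCAPE '!'";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, "%" + escaped + "%");
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    // Hardened IN over a List<String>: one '?' per element. Only the placeholder list is built
    // dynamically; the values themselves are bound and never touch the SQL text.
    public static List<String> inSafe(Connection conn, List<String> names) throws SQLException {
        if (names.isEmpty()) {
            return Collections.emptyList();
        }
        String placeholders = String.join(",", Collections.nCopies(names.size(), "?"));
        String sql = "SELECT username FROM users WHERE username IN (" + placeholders + ")";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            for (int i = 0; i < names.size(); i++) {
                ps.setString(i + 1, names.get(i));
            }
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    // The List<Long> case the lab uses to probe false positives: this concatenation is not
    // injectable, because Spring has already parsed every element as a Long, and a Long renders
    // only as digits with an optional leading minus sign. A tool that reports it is wrong.
    public static String inLongSql(List<Long> ids) {
        if (ids.isEmpty()) {
            throw new IllegalArgumentException("IN () is not valid SQL; check for empty input first");
        }
        StringBuilder sql = new StringBuilder("SELECT username FROM users WHERE id IN (");
        for (int i = 0; i < ids.size(); i++) {
            if (i > 0) {
                sql.append(',');
            }
            sql.append(ids.get(i).longValue());
        }
        return sql.append(')').toString();
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<>();
        while (rs.next()) {
            out.add(rs.getString(1));
        }
        return out;
    }

    public static void main(String[] args) {
        // Shows the rewritten query text without needing a database connection.
        System.out.println(vulnerableLikeSql("a%' OR '1'='1"));
        System.out.println(inLongSql(List.of(1L, 2L, 42L)));
    }
}
```

When scoring a SAST tool against the lab, `likeVulnerable` and any MyBatis `${...}` mapper are the true positives to expect, `inLongSql` is the false positive to watch for, and `likeSafe`/`inSafe` should stay silent even though both still concatenate strings to build the statement.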
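The RCE table names the two sinks (`ProcessBuilder` and `Runtime.getRuntime().exec`) but not how the two differ in practice, which matters when triaging findings. The following is an added example, not code from the lab: a hypothetical "ping a host" endpoint in its vulnerable form, the `Runtime.exec(String)` variant with its tokenising behaviour, and a hardened version. The `ping` command and hostname regex are assumptions for the demo.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.regex.Pattern;

/** Hypothetical "ping a host" logic (added example, not the lab's code). */
public class CommandInjectionPatterns {

    // Vulnerable: user input is pasted into a shell command line, so a host value such as
    //   127.0.0.1; id
    // runs a second command. This is the ProcessBuilder shape a SAST tool must catch.
    public static Process pingVulnerable(String host) throws IOException {
        return new ProcessBuilder("sh", "-c", "ping -c 1 " + host).start();
    }

    // Triage caveat for the Runtime.getRuntime().exec(String) shape: this overload does NOT
    // start a shell. It splits the string on whitespace (StringTokenizer), so "127.0.0.1; id"
    // becomes argv ["ping","-c","1","127.0.0.1;","id"] and the ';' is never interpreted.
    // It is still a finding: the attacker controls extra argv entries (for example an option
    // that makes the binary write to a file), and "sh -c" is only a prefix away.
    public static Process pingRuntimeExec(String host) throws IOException {
        return Runtime.getRuntime().exec("ping -c 1 " + host);
    }

    // Allow-list for a hostname: letters, digits, dots and hyphens, and it may not start
    // with '-' so the value can never be parsed as an option.
    private static final Pattern HOSTNAME = Pattern.compile("^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$");

    // Hardened: validate against the allow-list, never go through a shell, and pass the value
    // as exactly one argv element so it cannot become two.
    public static Process pingSafe(String host) throws IOException {
        if (!HOSTNAME.matcher(host).matches()) {
            throw new IllegalArgumentException("invalid host: " + host);
        }
        return new ProcessBuilder(Arrays.asList("ping", "-c", "1", host))
                .redirectErrorStream(true)
                .start();
    }

    public static String readOutput(Process p) throws IOException, InterruptedException {
        byte[] out = p.getInputStream().readAllBytes();
        p.waitFor();
        return new String(out, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(readOutput(pingSafe("127.0.0.1")));
        try {
            pingSafe("127.0.0.1; id");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The distinction between the two sinks is worth keeping in mind when a tool reports `Runtime.exec(String)` with a payload that relies on shell metacharacters: the finding is real, but the proof-of-concept has to be an argument-injection payload rather than `; id`.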
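The SSRF table lists five client APIs, and the fix is the same for all of them: validate the destination before any client is given the URL. The following is an added example, not code from the lab: a hypothetical fetch helper using `url.openConnection()`, shown vulnerable and then hardened with a scheme and host allow-list, a resolved-address check, and redirects disabled. The host `api.example.com` and the probe URLs in `main` are constructed for the demo.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Set;

/** Hypothetical "fetch a URL for the user" helper (added example, not the lab's code). */
public class SsrfPatterns {

    // Vulnerable: scheme, host and redirects are all attacker-chosen, so file:///etc/passwd,
    // http://127.0.0.1:8080/actuator and http://169.254.169.254/ (cloud metadata) are all reachable.
    public static String fetchVulnerable(String target) throws IOException {
        URL url = new URL(target);
        try (InputStream in = url.openConnection().getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    // Assumed allow-list of upstream hosts this service is permitted to call.
    private static final Set<String> ALLOWED_HOSTS = Set.of("api.example.com");

    // Validates the URL before any connection is made; throws IllegalArgumentException otherwise.
    public static URI validate(String target) {
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL");
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("scheme not allowed");
        }
        if (uri.getUserInfo() != null) {
            throw new IllegalArgumentException("userinfo not allowed"); // blocks https://allowed@evil/
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            throw new IllegalArgumentException("host not allowed");
        }
        return uri;
    }

    // Defence in depth for deployments where an allow-list is impossible: reject anything that
    // resolves to a loopback, link-local, private (RFC 1918 / IPv6 ULA) or multicast address.
    // isSiteLocalAddress() does not cover fc00::/7, so ULA is checked by hand.
    public static boolean isInternal(InetAddress a) {
        byte[] b = a.getAddress();
        boolean ipv6Ula = b.length == 16 && (b[0] & 0xfe) == 0xfc;
        return a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress() || ipv6Ula;
    }

    public static String fetchSafe(String target) throws IOException {
        URI uri = validate(target);
        for (InetAddress addr : InetAddress.getAllByName(uri.getHost())) {
            if (isInternal(addr)) {
                throw new IllegalArgumentException("resolves to internal address");
            }
        }
        HttpURLConnection conn = (HttpURLConnection) uri.toURL().openConnection();
        conn.setInstanceFollowRedirects(false); // a 302 to an internal host would bypass the checks
        conn.setConnectTimeout(3000);
        conn.setReadTimeout(3000);
        if (conn.getResponseCode() / 100 == 3) {
            throw new IOException("redirect refused");
        }
        try (InputStream in = conn.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws Exception {
        String[] probes = {
            "http://169.254.169.254/latest/meta-data/",
            "file:///etc/passwd",
            "https://api.example.com@127.0.0.1/",
            "https://127.0.0.1/"
        };
        for (String p : probes) {
            try {
                validate(p);
                System.out.println("accepted: " + p);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + p + ": " + e.getMessage());
            }
        }
        // Literal addresses resolve without DNS, so these checks also run offline.
        System.out.println(isInternal(InetAddress.getByName("169.254.169.254")));
        System.out.println(isInternal(InetAddress.getByName("fd00::1")));
    }
}
```

Two caveats. First, the resolved-address check in `fetchSafe` is a separate DNS lookup from the one the connection performs, so a rebinding attacker can pass the check and then resolve to an internal address; pinning the resolved IP (or a strict host allow-list, as here) closes that gap. Second, `validate` works unchanged in front of the other sinks in the table, but redirect handling is per client: `OkHttpClient.Builder().followRedirects(false)` and `HttpClientBuilder.disableRedirectHandling()` for the Apache clients.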
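The XXE row names `DocumentBuilderFactory` as the sink. The following is an added example, not code from the lab: the default factory beside a hardened one, exercised with a constructed payload that declares an external entity. `/etc/hostname` in the payload is a benign stand-in for whatever file an attacker would target.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Vulnerable and hardened DocumentBuilderFactory setups (added example, not the lab's code). */
public class XxePatterns {

    // Constructed payload: declares an external general entity and references it from the body.
    public static final String PAYLOAD = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE data [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
            + "<data>&xxe;</data>";

    // Vulnerable: a default DocumentBuilderFactory accepts the DOCTYPE and resolves the
    // external entity, so the returned text is the content of the referenced file.
    public static String parseVulnerable(String xml) throws Exception {
        DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    // Hardened: refuse any DOCTYPE outright (the single most effective setting), and switch off
    // external entities, external DTD loading and XInclude as defence in depth in case a later
    // change re-enables DOCTYPEs.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    public static String parseSafe(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        try {
            parseSafe(PAYLOAD);
            System.out.println("unexpected: payload accepted");
        } catch (SAXParseException e) {
            // The JDK parser rejects the document at the DOCTYPE, before any entity is resolved.
            System.out.println("rejected by hardened parser: " + e.getMessage());
        }
        // A document without a DOCTYPE still parses normally.
        System.out.println(parseSafe("<data>hello</data>"));
    }
}
```

The same factory-level flags (or their equivalents) apply to `SAXParserFactory`, `XMLInputFactory` and `TransformerFactory`; when extending the lab's XXE section beyond `DocumentBuilderFactory`, each of those is a distinct sink for a SAST rule to recognise.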