XXE in Java Code Audits

0x00 Preface

In the past I did not know much about XXE vulnerabilities; I had only a preliminary understanding and had run into them on targets. Here I take an in-depth look at how this vulnerability arises and how it is exploited.

0x01 XXE vulnerabilities

When a program parses XML input and allows external entities to be referenced, an attacker can make the document reference an external malicious resource, which can lead to system command execution, intranet port probing, file reading, attacks on intranet services, DoS attacks, and so on.

While resolving external entities, the XML parser can query various network protocols and services according to the scheme (protocol) given in the URL (DNS, FTP, HTTP, SMB, etc.). External entities are useful for creating dynamic references in documents, so that any change to a referenced resource is automatically reflected in the document. However, when external entities are processed, many attacks can be launched against the application. These include disclosure of local system files, which may contain passwords and private user data, or abuse of the network access offered by the various schemes to manipulate internal applications. Combined with other implementation flaws, the impact can extend to client memory corruption, arbitrary code execution, and even denial of service, depending on the context.

For specific exploitation methods, see the article "One article to take you deep into the XXE vulnerability".

0x02 How XXE arises in Java

To put it bluntly, the cause is the same as everywhere else: the web application accepts and parses XML while still allowing external entities to be referenced, and the XML that gets parsed is attacker-controllable.

Let's look at code that produces the vulnerability. I had intended to write XXE-vulnerable code myself, but I kept hitting all kinds of errors; I consulted code from other articles and still got errors after a long time debugging. So I'll borrow master JoyChou's open-source java-sec-code project for the demonstration.

Project address: https://github.com/JoyChou93/java-sec-code/

DocumentBuilder

DocumentBuilder is a JDK built-in class. XXE triggered through this class has echo: the parsed node values are returned in the response.

    public String DocumentBuilderVuln01(HttpServletRequest request) {
        try {
            String body = WebUtils.getRequestBody(request);
            logger.info(body);
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            DocumentBuilder db = dbf.newDocumentBuilder();
            StringReader sr = new StringReader(body);
            InputSource is = new InputSource(sr);
            Document document = db.parse(is);  // parse xml (default factory, external entities enabled)

            // walk the XML nodes and collect each node's name and text value
            StringBuilder buf = new StringBuilder();
            NodeList rootNodeList = document.getChildNodes();
            for (int i = 0; i < rootNodeList.getLength(); i++) {
                Node rootNode = rootNodeList.item(i);
                NodeList child = rootNode.getChildNodes();
                for (int j = 0; j < child.getLength(); j++) {
                    Node node = child.item(j);
                    buf.append(String.format("%s: %s\n", node.getNodeName(), node.getTextContent()));
                }
            }
            sr.close();
            return buf.toString();
        } catch (Exception e) {
            logger.error(e.toString());
            return EXCEPT;
        }
    }

saxReader

SAXReader is a class from a third-party library (dom4j, as the org.dom4j.Document comment shows). Parsing with this class produces no echo.

    public String SAXReaderVuln(HttpServletRequest request) {
        try {
            String body = WebUtils.getRequestBody(request);
            logger.info(body);

            SAXReader reader = new SAXReader();
            // org.dom4j.Document document
            reader.read(new InputSource(new StringReader(body))); // cause xxe
        } catch (Exception e) {
            logger.error(e.toString());
            return EXCEPT;
        }
        return "SAXReader xxe vuln code";
    }

SAXBuilder

SAXBuilder is a class from a third-party library (JDOM2, as the org.jdom2.Document comment shows).

    public String SAXBuilderVuln(HttpServletRequest request) {
        try {
            String body = WebUtils.getRequestBody(request);
            logger.info(body);

            SAXBuilder builder = new SAXBuilder();
            // org.jdom2.Document document
            builder.build(new InputSource(new StringReader(body)));  // cause xxe
            return "SAXBuilder xxe vuln code";
        } catch (Exception e) {
            logger.error(e.toString());
            return EXCEPT;
        }
    }

SAXParserFactory

This class is also built into the JDK, but it does not echo content; exploitation relies on an out-of-band channel such as a DNSLog platform.

public String SAXParserVuln(HttpServletRequest request) {
        try {
            String body = WebUtils.getRequestBody(request);
            logger.info(body);

            SAXParserFactory spf = SAXParserFactory.newInstance();
            SAXParser parser = spf.newSAXParser();
            parser.parse(new InputSource(new StringReader(body)),new DefaultHandler());  // parse xml

            return "SAXParser xxe vuln code";
        } catch (Exception e) {
            logger.error(e.toString());
            return EXCEPT;
        }
    }

XMLReaderFactory

    public String xmlReaderVuln(HttpServletRequest request) {
        try {
            String body = WebUtils.getRequestBody(request);
            logger.info(body);
            XMLReader xmlReader = XMLReaderFactory.createXMLReader();
            xmlReader.parse(new InputSource(new StringReader(body)));  // parse xml
            return "xmlReader xxe vuln code";
        } catch (Exception e) {
            logger.error(e.toString());
            return EXCEPT;
        }
    }

Digester

    public String DigesterVuln(HttpServletRequest request) {
        try {
            String body = WebUtils.getRequestBody(request);
            logger.info(body);

            Digester digester = new Digester();
            digester.parse(new StringReader(body));  // parse xml
        } catch (Exception e) {
            logger.error(e.toString());
            return EXCEPT;
        }
        return "Digester xxe vuln code";
    }

An XMLReader can also be obtained from a SAXParser, with the same result:

    public String XMLReaderVuln(HttpServletRequest request) {
        try {
            String body = WebUtils.getRequestBody(request);
            logger.info(body);

            SAXParserFactory spf = SAXParserFactory.newInstance();
            SAXParser saxParser = spf.newSAXParser();
            XMLReader xmlReader = saxParser.getXMLReader();
            xmlReader.parse(new InputSource(new StringReader(body)));  // parse xml

        } catch (Exception e) {
            logger.error(e.toString());
            return EXCEPT;
        }

        return "XMLReader xxe vuln code";
    }

Remediation

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl",true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities",false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities",false);
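The three setFeature calls above are the core of the fix. The following is an added example, not code from java-sec-code, that applies them (plus the Xerces switch that stops external DTD loading) to each of the JDK built-in entry points shown in this article: DocumentBuilderFactory, SAXParserFactory, and an XMLReader taken from the hardened SAXParser. The class name SafeXml and the two sample documents in main are constructed for the demonstration; the feature URIs are the real Xerces/SAX ones. With disallow-doctype-decl set, any document carrying a DOCTYPE is rejected before entity resolution starts, so the parse exception itself becomes a cheap signal that someone is probing for XXE.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

// Added example (not part of java-sec-code): hardened factories for the JDK's XML parsers.
public final class SafeXml {
    // The feature URIs from the remediation snippet, plus the Xerces external-DTD switch.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    public static DocumentBuilder hardenedDocumentBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(DISALLOW_DOCTYPE, true);   // reject any <!DOCTYPE ...>; the strongest single setting
        dbf.setFeature(EXT_GENERAL, false);       // defence in depth in case DOCTYPE is ever re-enabled
        dbf.setFeature(EXT_PARAMETER, false);
        dbf.setFeature(LOAD_EXTERNAL_DTD, false);
        dbf.setXIncludeAware(false);              // XInclude is another way to pull in remote content
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    public static SAXParser hardenedSaxParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(DISALLOW_DOCTYPE, true);
        spf.setFeature(EXT_GENERAL, false);
        spf.setFeature(EXT_PARAMETER, false);
        spf.setFeature(LOAD_EXTERNAL_DTD, false);
        spf.setXIncludeAware(false);
        return spf.newSAXParser();
    }

    // Covers the XMLReader path from the article: a reader taken from a hardened SAXParser
    // inherits its features, which also avoids XMLReaderFactory (deprecated since Java 9).
    public static XMLReader hardenedXmlReader() throws ParserConfigurationException, SAXException {
        return hardenedSaxParser().getXMLReader();
    }

    // Returns true when the hardened DOM parser refuses the document.
    public static boolean rejects(String xml) throws ParserConfigurationException {
        try {
            hardenedDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return false;
        } catch (SAXException | IOException e) {
            // Expected for DOCTYPE-bearing input: a SAXParseException saying DOCTYPE is disallowed.
            // Log the exception type and message, never the raw body, as an XXE-attempt signal.
            System.out.println("rejected: " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: a plain document and one that only declares a harmless internal entity.
        String benign = "<user><name>alice</name></user>";
        String withDoctype = "<!DOCTYPE user [<!ENTITY greet \"hi\">]><user><name>&greet;</name></user>";

        System.out.println("benign rejected:  " + rejects(benign));
        System.out.println("doctype rejected: " + rejects(withDoctype));

        // The SAX and XMLReader variants accept the benign document as well.
        hardenedSaxParser().parse(new InputSource(new StringReader(benign)), new DefaultHandler());
        hardenedXmlReader().parse(new InputSource(new StringReader(benign)));
    }
}
```

The same feature URIs apply to the third-party classes in this article: dom4j's SAXReader, JDOM2's SAXBuilder and Commons Digester each expose a setFeature(String, boolean) method that passes the setting through to the underlying SAX parser, so the audit question for every parser instance is the same: is disallow-doctype-decl set to true, or, failing that, are both external-entity features set to false?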

0x03 Conclusion

To sum up, Java has many classes that parse XML and can therefore give rise to XXE. Because Java so often uses XML for configuration files and data transfer, XXE may occur more frequently than in other languages (which is stating the obvious). During an audit, check whether the relevant setFeature calls have been applied; if not, XXE is possible. Also check which class is used for parsing and whether the result is echoed. If there is no echo, check whether the host can reach the external network; if it can, a DNSLog platform can serve as the echo channel.

The content of this article comes from the network collection of netizens. It is used as a learning reference. The copyright belongs to the original author.