add SAXReader && SAXBuilder

JoyChou93 · JoyChou93 · commit 685c658324c2 · 2018-09-19T22:05:45.000+08:00
diff --git a/java-sec-code.iml b/java-sec-code.iml
@@ -60,6 +60,8 @@
     <orderEntry type="library" name="Maven: mysql:mysql-connector-java:8.0.12" level="project" />
     <orderEntry type="library" name="Maven: com.google.protobuf:protobuf-java:2.6.0" level="project" />
     <orderEntry type="library" name="Maven: com.alibaba:fastjson:1.2.49" level="project" />
+    <orderEntry type="library" name="Maven: org.jdom:jdom2:2.0.4" level="project" />
+    <orderEntry type="library" name="Maven: org.dom4j:dom4j:2.1.1" level="project" />
     <orderEntry type="library" name="Maven: com.google.guava:guava:21.0" level="project" />
     <orderEntry type="library" name="Maven: commons-collections:commons-collections:3.1" level="project" />
     <orderEntry type="library" name="Maven: commons-lang:commons-lang:2.4" level="project" />
diff --git a/pom.xml b/pom.xml
@@ -57,6 +57,22 @@
             <version>1.2.49</version>
         </dependency>
 
+        <!-- jdom解析xml 最新版本为2.0.6 时间为2015-02-28 https://github.com/hunterhacker/jdom/releases-->
+        <!-- https://mvnrepository.com/artifact/org.jdom/jdom2 -->
+        <dependency>
+            <groupId>org.jdom</groupId>
+            <artifactId>jdom2</artifactId>
+            <version>2.0.6</version>
+        </dependency>
+
+        <!-- https://mvnrepository.com/artifact/org.dom4j/dom4j -->
+        <dependency>
+            <groupId>org.dom4j</groupId>
+            <artifactId>dom4j</artifactId>
+            <version>2.1.1</version>
+        </dependency>
+
+
         <!-- 获取url根域名-->
         <dependency>
             <groupId>com.google.guava</groupId>
diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
@@ -1,6 +1,7 @@
 package org.joychou.controller;
 
 
+import org.dom4j.io.SAXReader;
 import org.springframework.stereotype.*;
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
@@ -17,6 +18,8 @@
 import javax.xml.parsers.SAXParser;
 import org.xml.sax.helpers.DefaultHandler;
 import org.apache.commons.digester3.Digester;
+import org.jdom2.input.SAXBuilder;
+
 
 /**
  * @author: JoyChou (joychou@joychou.org)
@@ -35,16 +38,104 @@ public  String xxe_xmlReader(HttpServletRequest request) {
             String xml_con = getBody(request);
             System.out.println(xml_con);
             XMLReader xmlReader = XMLReaderFactory.createXMLReader();
+            xmlReader.parse( new InputSource(new StringReader(xml_con)) );  // parse xml
+            return "ok";
+        } catch (Exception e) {
+            System.out.println(e);
+            return "except";
+        }
+    }
 
-            // fix code start
 
-//            xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-//            xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
-//            xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+    @RequestMapping(value = "/xmlReader_fix", method = RequestMethod.POST)
+    @ResponseBody
+    public  String xxe_xmlReader_fix(HttpServletRequest request) {
+        try {
+            String xml_con = getBody(request);
+            System.out.println(xml_con);
 
+            XMLReader xmlReader = XMLReaderFactory.createXMLReader();
+            // fix code start
+            xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
             //fix code end
-
             xmlReader.parse( new InputSource(new StringReader(xml_con)) );  // parse xml
+
+            return "ok";
+        } catch (Exception e) {
+            System.out.println(e);
+            return "except";
+        }
+    }
+
+
+    @RequestMapping(value = "/SAXBuilder", method = RequestMethod.POST)
+    @ResponseBody
+    public  String xxe_SAXBuilder(HttpServletRequest request) {
+        try {
+            String xml_con = getBody(request);
+            System.out.println(xml_con);
+
+            SAXBuilder builder = new SAXBuilder();
+            org.jdom2.Document document = builder.build( new InputSource(new StringReader(xml_con)) );  // case xxe
+            return "ok";
+        } catch (Exception e) {
+            System.out.println(e);
+            return "except";
+        }
+    }
+
+    @RequestMapping(value = "/SAXBuilder_fix", method = RequestMethod.POST)
+    @ResponseBody
+    public  String xxe_SAXBuilder_fix(HttpServletRequest request) {
+        try {
+            String xml_con = getBody(request);
+            System.out.println(xml_con);
+
+            SAXBuilder builder = new SAXBuilder();
+            builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            org.jdom2.Document document = builder.build( new InputSource(new StringReader(xml_con)) );
+
+            return "ok";
+        } catch (Exception e) {
+            System.out.println(e);
+            return "except";
+        }
+    }
+
+    @RequestMapping(value = "/SAXReader", method = RequestMethod.POST)
+    @ResponseBody
+    public  String xxe_SAXReader(HttpServletRequest request) {
+        try {
+            String xml_con = getBody(request);
+            System.out.println(xml_con);
+
+            SAXReader reader = new SAXReader();
+            org.dom4j.Document document = reader.read(  new InputSource(new StringReader(xml_con)) ); // case xxe
+
+            return "ok";
+        } catch (Exception e) {
+            System.out.println(e);
+            return "except";
+        }
+    }
+
+    @RequestMapping(value = "/SAXReader_fix", method = RequestMethod.POST)
+    @ResponseBody
+    public  String xxe_SAXReader_fix(HttpServletRequest request) {
+        try {
+            String xml_con = getBody(request);
+            System.out.println(xml_con);
+
+            SAXReader reader = new SAXReader();
+            reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            org.dom4j.Document document = reader.read(  new InputSource(new StringReader(xml_con)) );
+
             return "ok";
         } catch (Exception e) {
             System.out.println(e);
@@ -58,16 +149,30 @@ public String xxe_SAXParser(HttpServletRequest request) {
         try {
             String xml_con = getBody(request);
             System.out.println(xml_con);
+
             SAXParserFactory spf = SAXParserFactory.newInstance();
+            SAXParser parser = spf.newSAXParser();
+            parser.parse(new InputSource(new StringReader(xml_con)), new DefaultHandler());  // parse xml
 
-            // fix code start
+            return "test";
+        } catch (Exception e) {
+            System.out.println(e);
+            return "except";
+        }
+    }
 
-//            spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-//            spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
-//            spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 
-            // fix code end
+    @RequestMapping(value = "/SAXParser_fix", method = RequestMethod.POST)
+    @ResponseBody
+    public String xxe_SAXParser_fix(HttpServletRequest request) {
+        try {
+            String xml_con = getBody(request);
+            System.out.println(xml_con);
 
+            SAXParserFactory spf = SAXParserFactory.newInstance();
+            spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
             SAXParser parser = spf.newSAXParser();
             parser.parse(new InputSource(new StringReader(xml_con)), new DefaultHandler());  // parse xml
             return "test";
@@ -77,52 +182,83 @@ public String xxe_SAXParser(HttpServletRequest request) {
         }
     }
 
+
     @RequestMapping(value = "/Digester", method = RequestMethod.POST)
     @ResponseBody
     public String xxe_Digester(HttpServletRequest request) {
         try {
             String xml_con = getBody(request);
             System.out.println(xml_con);
-            Digester digester = new Digester();
 
-            // fix code start
+            Digester digester = new Digester();
+            digester.parse(new StringReader(xml_con));  // parse xml
 
-//            digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-//            digester.setFeature("http://xml.org/sax/features/external-general-entities", false);
-//            digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            return "test";
+        } catch (Exception e) {
+            System.out.println(e);
+            return "except";
+        }
+    }
 
-            // fix code end
+    @RequestMapping(value = "/Digester_fix", method = RequestMethod.POST)
+    @ResponseBody
+    public String xxe_Digester_fix(HttpServletRequest request) {
+        try {
+            String xml_con = getBody(request);
+            System.out.println(xml_con);
 
+            Digester digester = new Digester();
+            digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            digester.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
             digester.parse(new StringReader(xml_con));  // parse xml
+
             return "test";
         } catch (Exception e) {
             System.out.println(e);
             return "except";
         }
     }
 
-
     @RequestMapping(value = "/DocumentBuilder", method = RequestMethod.POST)
     @ResponseBody
     public String xxe_DocumentBuilder(HttpServletRequest request) {
         try {
             String xml_con = getBody(request);
             System.out.println(xml_con);
+
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+            DocumentBuilder db = dbf.newDocumentBuilder();
+            StringReader sr = new StringReader(xml_con);
+            InputSource is = new InputSource(sr);
+            Document document = db.parse(is);  // parse xml
+            sr.close();
 
-            // fix code start
+            return "test";
+        } catch (Exception e) {
+            System.out.println(e);
+            return "except";
+        }
+    }
 
-//            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-//            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
-//            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 
-            // fix code end
+    @RequestMapping(value = "/DocumentBuilder_fix", method = RequestMethod.POST)
+    @ResponseBody
+    public String xxe_DocumentBuilder_fix(HttpServletRequest request) {
+        try {
+            String xml_con = getBody(request);
+            System.out.println(xml_con);
 
+            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
             DocumentBuilder db = dbf.newDocumentBuilder();
             StringReader sr = new StringReader(xml_con);
             InputSource is = new InputSource(sr);
             Document document = db.parse(is);  // parse xml
             sr.close();
+
             return "test";
         } catch (Exception e) {
             System.out.println(e);
@@ -137,19 +273,50 @@ public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
         try {
             String xml_con = getBody(request);
             System.out.println(xml_con);
-            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
 
+            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             dbf.setXIncludeAware(true);   // 支持XInclude
             dbf.setNamespaceAware(true);  // 支持XInclude
+            DocumentBuilder db = dbf.newDocumentBuilder();
+            StringReader sr = new StringReader(xml_con);
+            InputSource is = new InputSource(sr);
+            Document document = db.parse(is);  // parse xml
 
-            // fix code start
+            NodeList rootNodeList = document.getChildNodes();
+
+            for (int i = 0; i < rootNodeList.getLength(); i++) {
+                Node rootNode = rootNodeList.item(i);
+                NodeList xxe = rootNode.getChildNodes();
+                for (int j = 0; j < xxe.getLength(); j++) {
+                    Node xxeNode = xxe.item(j);
+                    // 测试不能blind xxe，所以强行加了一个回显
+                    System.out.println("xxeNode: " + xxeNode.getNodeValue());
+                }
 
-//            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-//            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
-//            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            }
 
-            // fix code end
+            sr.close();
+            return "test";
+        } catch (Exception e) {
+            System.out.println(e);
+            return "except";
+        }
+    }
 
+
+    @RequestMapping(value = "/DocumentBuilder_xinclude_fix", method = RequestMethod.POST)
+    @ResponseBody
+    public String xxe_xinclude_DocumentBuilder_fix(HttpServletRequest request) {
+        try {
+            String xml_con = getBody(request);
+            System.out.println(xml_con);
+            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+
+            dbf.setXIncludeAware(true);   // 支持XInclude
+            dbf.setNamespaceAware(true);  // 支持XInclude
+            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
             DocumentBuilder db = dbf.newDocumentBuilder();
             StringReader sr = new StringReader(xml_con);
             InputSource is = new InputSource(sr);
@@ -162,7 +329,8 @@ public String xxe_xinclude_DocumentBuilder(HttpServletRequest request) {
                 NodeList xxe = rootNode.getChildNodes();
                 for (int j = 0; j < xxe.getLength(); j++) {
                     Node xxeNode = xxe.item(j);
-                    System.out.println("xxeNode: " + xxeNode.getNodeValue());  // 回显
+                    // 测试不能blind xxe，所以强行加了一个回显
+                    System.out.println("xxeNode: " + xxeNode.getNodeValue());
                 }
 
             }
