@@ -78,7 +78,7 @@ public String xxe_SAXBuilder(HttpServletRequest request) {
7878 System .out .println (xml_con );
7979
8080 SAXBuilder builder = new SAXBuilder ();
81- org .jdom2 .Document document = builder .build ( new InputSource (new StringReader (xml_con )) ); // case xxe
81+ org .jdom2 .Document document = builder .build ( new InputSource (new StringReader (xml_con )) ); // cause xxe
8282 return "ok" ;
8383 } catch (Exception e ) {
8484 System .out .println (e );
@@ -114,7 +114,7 @@ public String xxe_SAXReader(HttpServletRequest request) {
114114 System .out .println (xml_con );
115115
116116 SAXReader reader = new SAXReader ();
117- org .dom4j .Document document = reader .read ( new InputSource (new StringReader (xml_con )) ); // case xxe
117+ org .dom4j .Document document = reader .read ( new InputSource (new StringReader (xml_con )) ); // cause xxe
118118
119119 return "ok" ;
120120 } catch (Exception e ) {
@@ -220,9 +220,11 @@ public String xxe_Digester_fix(HttpServletRequest request) {
220220 }
221221 }
222222
223- @ RequestMapping (value = "/DocumentBuilder" , method = RequestMethod .POST )
223+
224+ // 有回显的XXE
225+ @ RequestMapping (value = "/DocumentBuilder_return" , method = RequestMethod .POST )
224226 @ ResponseBody
225- public String xxe_DocumentBuilder (HttpServletRequest request ) {
227+ public String xxeDocumentBuilderReturn (HttpServletRequest request ) {
226228 try {
227229 String xml_con = getBody (request );
228230 System .out .println (xml_con );
@@ -232,9 +234,58 @@ public String xxe_DocumentBuilder(HttpServletRequest request) {
232234 StringReader sr = new StringReader (xml_con );
233235 InputSource is = new InputSource (sr );
234236 Document document = db .parse (is ); // parse xml
237+
238+ // 遍历xml节点name和value
239+ StringBuffer buf = new StringBuffer ();
240+ NodeList rootNodeList = document .getChildNodes ();
241+ for (int i = 0 ; i < rootNodeList .getLength (); i ++) {
242+ Node rootNode = rootNodeList .item (i );
243+ NodeList child = rootNode .getChildNodes ();
244+ for (int j = 0 ; j < child .getLength (); j ++) {
245+ Node node = child .item (j );
246+ buf .append ( node .getNodeName () + ": " + node .getTextContent () + "\n " );
247+ }
248+ }
235249 sr .close ();
250+ System .out .println (buf .toString ());
251+ return buf .toString ();
252+ } catch (Exception e ) {
253+ System .out .println (e );
254+ return "except" ;
255+ }
256+ }
236257
237- return "test" ;
258+
259+ @ RequestMapping (value = "/DocumentBuilder" , method = RequestMethod .POST )
260+ @ ResponseBody
261+ public String DocumentBuilder (HttpServletRequest request ) {
262+ try {
263+ String xml_con = getBody (request );
264+ System .out .println (xml_con );
265+
266+ DocumentBuilderFactory dbf = DocumentBuilderFactory .newInstance ();
267+ DocumentBuilder db = dbf .newDocumentBuilder ();
268+ StringReader sr = new StringReader (xml_con );
269+ InputSource is = new InputSource (sr );
270+ Document document = db .parse (is ); // parse xml
271+
272+ // 遍历xml节点name和value
273+ StringBuffer result = new StringBuffer ();
274+ NodeList rootNodeList = document .getChildNodes ();
275+ for (int i = 0 ; i < rootNodeList .getLength (); i ++) {
276+ Node rootNode = rootNodeList .item (i );
277+ NodeList child = rootNode .getChildNodes ();
278+ for (int j = 0 ; j < child .getLength (); j ++) {
279+ Node node = child .item (j );
280+ // 正常解析XML,需要判断是否是ELEMENT_NODE类型。否则会出现多余的的节点。
281+ if (child .item (j ).getNodeType () == Node .ELEMENT_NODE ) {
282+ result .append ( node .getNodeName () + ": " + node .getFirstChild ().getNodeValue () + "\n " );
283+ }
284+ }
285+ }
286+ sr .close ();
287+ System .out .println (result .toString ());
288+ return result .toString ();
238289 } catch (Exception e ) {
239290 System .out .println (e );
240291 return "except" ;
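Review bot: The new `DocumentBuilder` handler (new lines 259–289) parses the request body with a default `DocumentBuilderFactory.newInstance()`, so DOCTYPE declarations and external entities are still processed, yet the comment at new line 280 presents it as normal XML parsing and, unlike the `// cause xxe` lines earlier in the file, nothing marks it as intentionally unsafe. If it is meant as a vulnerable sample, label it, e.g. `// cause xxe: default factory, DTD and external entities enabled`; if it is meant as the reference parse, add `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` before `dbf.newDocumentBuilder()`. Separately, `node.getFirstChild().getNodeValue()` at new line 282 dereferences null for an empty element such as `<a/>`, so that request ends in the catch block and returns "except"; `node.getTextContent()`, as used in `xxeDocumentBuilderReturn`, would avoid the null dereference. The method's catch block and closing braces continue past the end of the hunk.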