XML External Entity Injection
XXE (XML External Entity Injection): when an application takes in XML, whether as an uploaded file or as a POST request body, and neither disables external entity resolution in its XML parser nor filters the user-supplied XML, an attacker can declare an external entity in a DOCTYPE and have the parser resolve it, for example to read a local file through a file: URI or to send a request to an internal host. That is an XML external entity injection vulnerability.
Vulnerable code - XMLReader
import java.io.StringReader;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;

@RequestMapping(value = "/XMLReader")
public String XMLReader(@RequestBody String content) {
    try {
        // Vulnerable: a default SAX XMLReader resolves external entities declared in the DOCTYPE
        XMLReader xmlReader = XMLReaderFactory.createXMLReader();
        // Fix: forbid the DOCTYPE declaration, which is where external entities are defined
        // xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        xmlReader.parse(new InputSource(new StringReader(content)));
        return "XMLReader XXE";
    } catch (Exception e) {
        return e.toString();
    }
}
Vulnerable code - SAXReader
import java.io.StringReader;
import org.dom4j.io.SAXReader;
import org.xml.sax.InputSource;

// Vulnerable: dom4j's SAXReader resolves external entities by default
SAXReader sax = new SAXReader();
// Fix: forbid the DOCTYPE declaration, which is where external entities are defined
// sax.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
sax.read(new InputSource(new StringReader(content)));
Vulnerable code - SAXBuilder
import java.io.StringReader;
import org.jdom2.input.SAXBuilder; // JDOM 2; JDOM 1 uses org.jdom.input.SAXBuilder with the same methods
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.xml.sax.InputSource;

@RequestMapping(value = "/SAXBuilder")
public String SAXBuilder(@RequestBody String content) {
    try {
        // Vulnerable: JDOM's SAXBuilder resolves external entities by default
        SAXBuilder saxbuilder = new SAXBuilder();
        // Fix: forbid the DOCTYPE declaration, which is where external entities are defined
        // saxbuilder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        saxbuilder.build(new InputSource(new StringReader(content)));
        return "SAXBuilder XXE";
    } catch (Exception e) {
        return e.toString();
    }
}
Vulnerable code - DocumentBuilder
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;

// Vulnerable: the JDK's default DocumentBuilderFactory resolves external entities
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// Fix: forbid the DOCTYPE declaration (the feature is set on the factory, before newDocumentBuilder())
// factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
builder.parse(new InputSource(new StringReader(content)));
Coding advice
Forbid the DOCTYPE declaration, which is where external entities are defined: xxx.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); This single feature blocks XXE in all four parsers above, since dom4j and JDOM delegate to the same SAX parser the JDK ships. If the application genuinely needs to accept a DOCTYPE, set http://xml.org/sax/features/external-general-entities and http://xml.org/sax/features/external-parameter-entities to false and http://apache.org/xml/features/nonvalidating/load-external-dtd to false instead, and set the feature on the factory or reader before any document is parsed.
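The following is an added example, not code from the original page: it runs the same request body through the JDK's default DocumentBuilder and through one hardened as advised above, so the difference is visible end to end. The class name XxeDemo, the helper names and the &lt;user&gt;&lt;name&gt; element layout are assumptions for the demo; the payload and the secret file are constructed inline (a temporary file stands in for /etc/passwd so the program runs on any machine).

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Assumed class and method names for this added demo; not from the page.
public class XxeDemo {

    // Vulnerable: the JDK default factory resolves external entities declared in a DOCTYPE.
    static DocumentBuilder vulnerableBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened: DOCTYPE is rejected outright, so no entity can be declared at all.
    // The remaining features are the fallback set for parsers that must accept a DOCTYPE.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    // Stands in for an endpoint that parses the request body and echoes one field back.
    static String parseName(DocumentBuilder builder, String content) throws Exception {
        Document doc = builder.parse(new InputSource(new StringReader(content)));
        return doc.getElementsByTagName("name").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed secret file standing in for /etc/passwd so the demo runs anywhere.
        Path secret = Files.createTempFile("xxe-secret", ".txt");
        Files.writeString(secret, "TOP-SECRET-TOKEN");
        secret.toFile().deleteOnExit();

        // Constructed attacker payload: an external entity pointing at the file,
        // referenced inside the element the application reads back.
        String payload =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE user [\n" +
            "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n" +
            "]>\n" +
            "<user><name>&xxe;</name></user>";

        System.out.println("vulnerable parser returned: " + parseName(vulnerableBuilder(), payload));

        try {
            parseName(hardenedBuilder(), payload);
            System.out.println("hardened parser accepted the payload (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected the payload: " + e.getMessage());
        }
    }
}
```

Run with a JDK 11 or newer (Files.writeString). The vulnerable branch echoes the contents of the temporary file, which is exactly the data exfiltration the vulnerability enables; the hardened branch never gets as far as entity resolution, because the parser throws a SAXParseException as soon as it meets the DOCTYPE. Setting the feature on the factory before newDocumentBuilder() matters: features set afterwards do not affect builders already created.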