add xxe

java-sec-code.iml

@@ -61,7 +61,6 @@
     <orderEntry type="library" name="Maven: ognl:ognl:3.0.8" level="project" />
     <orderEntry type="library" name="Maven: org.javassist:javassist:3.21.0-GA" level="project" />
     <orderEntry type="library" name="Maven: org.unbescape:unbescape:1.1.0.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.slf4j:slf4j-api:1.7.22" level="project" />
     <orderEntry type="library" name="Maven: nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:1.4.0" level="project" />
     <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy:2.4.7" level="project" />
     <orderEntry type="library" name="Maven: mysql:mysql-connector-java:8.0.12" level="project" />
@@ -101,7 +100,7 @@
     <orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-netflix-eureka-client:1.2.0.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: com.netflix.eureka:eureka-client:1.4.11" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: org.codehaus.jettison:jettison:1.3.7" level="project" />
-    <orderEntry type="library" scope="RUNTIME" name="Maven: stax:stax-api:1.0.1" level="project" />
+    <orderEntry type="library" name="Maven: stax:stax-api:1.0.1" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.netflix-commons:netflix-eventbus:0.3.0" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.netflix-commons:netflix-infix:0.3.0" level="project" />
     <orderEntry type="library" scope="RUNTIME" name="Maven: commons-jxpath:commons-jxpath:1.3" level="project" />
@@ -181,5 +180,18 @@
     <orderEntry type="library" name="Maven: com.thoughtworks.xstream:xstream:1.4.10" level="project" />
     <orderEntry type="library" name="Maven: xmlpull:xmlpull:1.1.3.1" level="project" />
     <orderEntry type="library" name="Maven: xpp3:xpp3_min:1.1.4c" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.poi:poi:3.10-FINAL" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.poi:poi-ooxml:3.10-FINAL" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.poi:poi-ooxml-schemas:3.10-FINAL" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.xmlbeans:xmlbeans:2.3.0" level="project" />
+    <orderEntry type="library" name="Maven: dom4j:dom4j:1.6.1" level="project" />
+    <orderEntry type="library" name="Maven: com.monitorjbl:xlsx-streamer:2.0.0" level="project" />
+    <orderEntry type="library" name="Maven: com.rackspace.apache:xerces2-xsd11:2.11.1" level="project" />
+    <orderEntry type="library" name="Maven: com.rackspace.eclipse.webtools.sourceediting:org.eclipse.wst.xml.xpath2.processor:2.1.100" level="project" />
+    <orderEntry type="library" name="Maven: edu.princeton.cup:java-cup:10k" level="project" />
+    <orderEntry type="library" name="Maven: com.ibm.icu:icu4j:4.6" level="project" />
+    <orderEntry type="library" name="Maven: xml-resolver:xml-resolver:1.2" level="project" />
+    <orderEntry type="library" name="Maven: xml-apis:xml-apis:1.4.01" level="project" />
+    <orderEntry type="library" name="Maven: org.slf4j:slf4j-api:1.7.22" level="project" />
   </component>
 </module>

pom.xml

@@ -196,6 +196,26 @@
             <version>1.4.10</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.apache.poi</groupId>
+            <artifactId>poi</artifactId>
+            <version>3.10-FINAL</version>
+        </dependency>
+
+        <!-- vuln maven jar. Solve xlsx.-->
+        <dependency>
+            <groupId>org.apache.poi</groupId>
+            <artifactId>poi-ooxml</artifactId>
+            <version>3.10-FINAL</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.monitorjbl</groupId>
+            <artifactId>xlsx-streamer</artifactId>
+            <version>2.0.0</version>
+        </dependency>
+
+
     </dependencies>
 
     <dependencyManagement>

src/main/java/org/joychou/controller/CommandInject.java

@@ -16,7 +16,7 @@ public class CommandInject {
     protected final Logger logger = LoggerFactory.getLogger(this.getClass());
 
     /**
-     * http://localhost:8080/codeinject?filepath=/tmp;pwd
+     * http://localhost:8080/codeinject?filepath=/tmp;cat /etc/passwd
      *
      * @param filepath filepath
      * @return result
@@ -33,7 +33,7 @@ public static String codeInject(String filepath) throws IOException {
 
     /**
      * Host Injection
-     * host: Host: hacked by joychou;curl ssrf.http.joychou.org
+     * Host: hacked by joychou;cat /etc/passwd
      * http://localhost:8080/codeinject/host
      *
      */

src/main/java/org/joychou/controller/XXE.java

@@ -1,9 +1,9 @@
 package org.joychou.controller;
 
-
 import org.dom4j.io.SAXReader;
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
+
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
@@ -37,7 +37,7 @@ public String xxe_xmlReader(HttpServletRequest request) {
             String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
             XMLReader xmlReader = XMLReaderFactory.createXMLReader();
-            xmlReader.parse( new InputSource(new StringReader(xml_con)) );  // parse xml
+            xmlReader.parse(new InputSource(new StringReader(xml_con)));  // parse xml
             return "ok";
         } catch (Exception e) {
             System.out.println(e);
@@ -47,7 +47,7 @@ public String xxe_xmlReader(HttpServletRequest request) {
 
 
     @RequestMapping(value = "/xmlReader_fix", method = RequestMethod.POST)
-    public  String xxe_xmlReader_fix(HttpServletRequest request) {
+    public String xxe_xmlReader_fix(HttpServletRequest request) {
         try {
             String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
@@ -58,7 +58,7 @@ public  String xxe_xmlReader_fix(HttpServletRequest request) {
             xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
             xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
             //fix code end
-            xmlReader.parse( new InputSource(new StringReader(xml_con)) );  // parse xml
+            xmlReader.parse(new InputSource(new StringReader(xml_con)));  // parse xml
 
             return "ok";
         } catch (Exception e) {
@@ -69,13 +69,13 @@ public  String xxe_xmlReader_fix(HttpServletRequest request) {
 
 
     @RequestMapping(value = "/SAXBuilder", method = RequestMethod.POST)
-    public  String xxe_SAXBuilder(HttpServletRequest request) {
+    public String xxe_SAXBuilder(HttpServletRequest request) {
         try {
             String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXBuilder builder = new SAXBuilder();
-            org.jdom2.Document document = builder.build( new InputSource(new StringReader(xml_con)) );  // cause xxe
+            org.jdom2.Document document = builder.build(new InputSource(new StringReader(xml_con)));  // cause xxe
             return "ok";
         } catch (Exception e) {
             System.out.println(e);
@@ -84,7 +84,7 @@ public  String xxe_SAXBuilder(HttpServletRequest request) {
     }
 
     @RequestMapping(value = "/SAXBuilder_fix", method = RequestMethod.POST)
-    public  String xxe_SAXBuilder_fix(HttpServletRequest request) {
+    public String xxe_SAXBuilder_fix(HttpServletRequest request) {
         try {
             String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
@@ -93,7 +93,7 @@ public  String xxe_SAXBuilder_fix(HttpServletRequest request) {
             builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
             builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-            org.jdom2.Document document = builder.build( new InputSource(new StringReader(xml_con)) );
+            org.jdom2.Document document = builder.build(new InputSource(new StringReader(xml_con)));
 
             return "ok";
         } catch (Exception e) {
@@ -102,13 +102,13 @@ public  String xxe_SAXBuilder_fix(HttpServletRequest request) {
     }
 
     @RequestMapping(value = "/SAXReader", method = RequestMethod.POST)
-    public  String xxe_SAXReader(HttpServletRequest request) {
+    public String xxe_SAXReader(HttpServletRequest request) {
         try {
             String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
 
             SAXReader reader = new SAXReader();
-            org.dom4j.Document document = reader.read(  new InputSource(new StringReader(xml_con)) ); // cause xxe
+            org.dom4j.Document document = reader.read(new InputSource(new StringReader(xml_con))); // cause xxe
 
             return "ok";
         } catch (Exception e) {
@@ -118,7 +118,7 @@ public  String xxe_SAXReader(HttpServletRequest request) {
     }
 
     @RequestMapping(value = "/SAXReader_fix", method = RequestMethod.POST)
-    public  String xxe_SAXReader_fix(HttpServletRequest request) {
+    public String xxe_SAXReader_fix(HttpServletRequest request) {
         try {
             String xml_con = Tools.getRequestBody(request);
             System.out.println(xml_con);
@@ -127,7 +127,7 @@ public  String xxe_SAXReader_fix(HttpServletRequest request) {
             reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
             reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-            org.dom4j.Document document = reader.read(  new InputSource(new StringReader(xml_con)) );
+            org.dom4j.Document document = reader.read(new InputSource(new StringReader(xml_con)));
 
             return "ok";
         } catch (Exception e) {
@@ -231,7 +231,7 @@ public String xxeDocumentBuilderReturn(HttpServletRequest request) {
                 NodeList child = rootNode.getChildNodes();
                 for (int j = 0; j < child.getLength(); j++) {
                     Node node = child.item(j);
-                    buf.append( node.getNodeName() + ": " + node.getTextContent() + "\n" );
+                    buf.append(node.getNodeName() + ": " + node.getTextContent() + "\n");
                 }
             }
             sr.close();
@@ -265,8 +265,8 @@ public String DocumentBuilder(HttpServletRequest request) {
                 for (int j = 0; j < child.getLength(); j++) {
                     Node node = child.item(j);
                     // 正常解析XML，需要判断是否是ELEMENT_NODE类型。否则会出现多余的的节点。
-                    if(child.item(j).getNodeType() == Node.ELEMENT_NODE) {
-                        result.append( node.getNodeName() + ": " + node.getFirstChild().getNodeValue() + "\n" );
+                    if (child.item(j).getNodeType() == Node.ELEMENT_NODE) {
+                        result.append(node.getNodeName() + ": " + node.getFirstChild().getNodeValue() + "\n");
                     }
                 }
             }
@@ -387,7 +387,7 @@ public String XMLReaderVul(HttpServletRequest request) {
             SAXParserFactory spf = SAXParserFactory.newInstance();
             SAXParser saxParser = spf.newSAXParser();
             XMLReader xmlReader = saxParser.getXMLReader();
-            xmlReader.parse( new InputSource(new StringReader(xml_con)) );
+            xmlReader.parse(new InputSource(new StringReader(xml_con)));
             return "test";
         } catch (Exception e) {
             System.out.println(e.toString());
@@ -407,12 +407,17 @@ public String XMLReaderSec(HttpServletRequest request) {
             xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
             xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-            xmlReader.parse( new InputSource(new StringReader(xml_con)) );
+            xmlReader.parse(new InputSource(new StringReader(xml_con)));
             return "test";
         } catch (Exception e) {
             System.out.println(e.toString());
             return "except";
         }
     }
 
+
+    public static void main(String[] args) throws Exception {
+
+    }
+
 }

src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java

@@ -0,0 +1,79 @@
+package org.joychou.controller.othervulns;
+
+import org.apache.poi.xssf.usermodel.XSSFCell;
+import org.apache.poi.xssf.usermodel.XSSFRow;
+import org.apache.poi.xssf.usermodel.XSSFSheet;
+import org.apache.poi.xssf.usermodel.XSSFWorkbook;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.multipart.MultipartFile;
+
+import java.io.IOException;
+import java.util.Iterator;
+
+import static org.apache.commons.lang.StringUtils.isBlank;
+
+/**
+ * Desc:   poi-ooxml xxe vuln code
+ * Usage:  [Content_Type].xml
+ * Ref:    https://www.itread01.com/hkpcyyp.html
+ * Fix:    Update poi-ooxml to 3.15 or above.
+ * Vuln:   3.10 or below exist xxe vuln. 3.14 or above exist dos vuln. So 3.15 or above is safe version.
+ *
+ * @author JoyChou @2019-09-05
+ */
+@Controller
+@RequestMapping("ooxml")
+public class ooxmlXXE {
+
+
+    private final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+
+    @GetMapping("/upload")
+    public String index() {
+        return "xxe_upload"; // return xxe_upload.html page
+    }
+
+
+    @PostMapping("/readxlsx")
+    @ResponseBody
+    public String ooxml_xxe(MultipartFile file)throws IOException {
+        XSSFWorkbook wb = new XSSFWorkbook(file.getInputStream()); // xxe vuln
+
+        XSSFSheet sheet = wb.getSheetAt(0);
+        XSSFRow row;
+        XSSFCell cell;
+
+        Iterator rows = sheet.rowIterator();
+        String result = "";
+
+        while (rows.hasNext())
+        {
+            row=(XSSFRow) rows.next();
+            Iterator cells = row.cellIterator();
+            while (cells.hasNext())
+            {
+                cell=(XSSFCell) cells.next();
+
+                if (cell.getCellType() == XSSFCell.CELL_TYPE_STRING) {
+                    result += cell.getStringCellValue()+ " ";
+                } else if(cell.getCellType() == XSSFCell.CELL_TYPE_NUMERIC) {
+                    result += cell.getNumericCellValue()+ " ";
+                } else {
+                    logger.info("errors");
+                }
+            }
+        }
+        if ( isBlank(result) ){
+            result = "xxe test";
+        }
+
+        return result;
+    }
+}

src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java

@@ -0,0 +1,44 @@
+package org.joychou.controller.othervulns;
+
+import com.monitorjbl.xlsx.StreamingReader;
+import org.apache.poi.ss.usermodel.Workbook;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.multipart.MultipartFile;
+
+import java.io.FileInputStream;
+import java.io.IOException;
+
+
+/**
+ * Desc:  xlsx-streamer xxe vuln code
+ * Usage: xl/workbook.xml
+ * Ref:   https://www.itread01.com/hkpcyyp.html
+ * Fix:   update xlsx-streamer to 2.1.0 or above
+ *
+ * @author JoyChou @2019-09-05
+ */
+@Controller
+@RequestMapping("xlsx-streamer")
+public class xlsxStreamerXXE {
+
+
+    @GetMapping("/upload")
+    public String index() {
+        return "xxe_upload"; // return xxe_upload.html page
+    }
+
+
+    @PostMapping("/readxlsx")
+    public void xllx_streamer_xxe(MultipartFile file)throws IOException {
+        Workbook wb = StreamingReader.builder().open(file.getInputStream());
+    }
+
+
+    public static void main(String[] args) throws Exception {
+        Workbook wb = StreamingReader.builder().open((new FileInputStream("poc.xlsx")));
+    }
+}