Skip to content

Commit 0ece942

Browse files
JoyChou93JoyChou93
authored
Merge pull request JoyChou93#8 from JoyChou93/dev01
add xxe
2 parents 40d64c1 + 1cd9a71 commit 0ece942

File tree

12 files changed

+217
-26
lines changed

12 files changed

+217
-26
lines changed

java-sec-code.iml

+14-2
Original file line numberDiff line numberDiff line change
@@ -61,7 +61,6 @@
6161
<orderEntry type="library" name="Maven: ognl:ognl:3.0.8" level="project" />
6262
<orderEntry type="library" name="Maven: org.javassist:javassist:3.21.0-GA" level="project" />
6363
<orderEntry type="library" name="Maven: org.unbescape:unbescape:1.1.0.RELEASE" level="project" />
64-
<orderEntry type="library" name="Maven: org.slf4j:slf4j-api:1.7.22" level="project" />
6564
<orderEntry type="library" name="Maven: nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:1.4.0" level="project" />
6665
<orderEntry type="library" name="Maven: org.codehaus.groovy:groovy:2.4.7" level="project" />
6766
<orderEntry type="library" name="Maven: mysql:mysql-connector-java:8.0.12" level="project" />
@@ -101,7 +100,7 @@
101100
<orderEntry type="library" name="Maven: org.springframework.cloud:spring-cloud-netflix-eureka-client:1.2.0.RELEASE" level="project" />
102101
<orderEntry type="library" name="Maven: com.netflix.eureka:eureka-client:1.4.11" level="project" />
103102
<orderEntry type="library" scope="RUNTIME" name="Maven: org.codehaus.jettison:jettison:1.3.7" level="project" />
104-
<orderEntry type="library" scope="RUNTIME" name="Maven: stax:stax-api:1.0.1" level="project" />
103+
<orderEntry type="library" name="Maven: stax:stax-api:1.0.1" level="project" />
105104
<orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.netflix-commons:netflix-eventbus:0.3.0" level="project" />
106105
<orderEntry type="library" scope="RUNTIME" name="Maven: com.netflix.netflix-commons:netflix-infix:0.3.0" level="project" />
107106
<orderEntry type="library" scope="RUNTIME" name="Maven: commons-jxpath:commons-jxpath:1.3" level="project" />
@@ -181,5 +180,18 @@
181180
<orderEntry type="library" name="Maven: com.thoughtworks.xstream:xstream:1.4.10" level="project" />
182181
<orderEntry type="library" name="Maven: xmlpull:xmlpull:1.1.3.1" level="project" />
183182
<orderEntry type="library" name="Maven: xpp3:xpp3_min:1.1.4c" level="project" />
183+
<orderEntry type="library" name="Maven: org.apache.poi:poi:3.10-FINAL" level="project" />
184+
<orderEntry type="library" name="Maven: org.apache.poi:poi-ooxml:3.10-FINAL" level="project" />
185+
<orderEntry type="library" name="Maven: org.apache.poi:poi-ooxml-schemas:3.10-FINAL" level="project" />
186+
<orderEntry type="library" name="Maven: org.apache.xmlbeans:xmlbeans:2.3.0" level="project" />
187+
<orderEntry type="library" name="Maven: dom4j:dom4j:1.6.1" level="project" />
188+
<orderEntry type="library" name="Maven: com.monitorjbl:xlsx-streamer:2.0.0" level="project" />
189+
<orderEntry type="library" name="Maven: com.rackspace.apache:xerces2-xsd11:2.11.1" level="project" />
190+
<orderEntry type="library" name="Maven: com.rackspace.eclipse.webtools.sourceediting:org.eclipse.wst.xml.xpath2.processor:2.1.100" level="project" />
191+
<orderEntry type="library" name="Maven: edu.princeton.cup:java-cup:10k" level="project" />
192+
<orderEntry type="library" name="Maven: com.ibm.icu:icu4j:4.6" level="project" />
193+
<orderEntry type="library" name="Maven: xml-resolver:xml-resolver:1.2" level="project" />
194+
<orderEntry type="library" name="Maven: xml-apis:xml-apis:1.4.01" level="project" />
195+
<orderEntry type="library" name="Maven: org.slf4j:slf4j-api:1.7.22" level="project" />
184196
</component>
185197
</module>

poc.xlsx

8.14 KB
Binary file not shown.

pom.xml

+20
Original file line numberDiff line numberDiff line change
@@ -196,6 +196,26 @@
196196
<version>1.4.10</version>
197197
</dependency>
198198

199+
<dependency>
200+
<groupId>org.apache.poi</groupId>
201+
<artifactId>poi</artifactId>
202+
<version>3.10-FINAL</version>
203+
</dependency>
204+
205+
<!-- vuln maven jar. Solve xlsx.-->
206+
<dependency>
207+
<groupId>org.apache.poi</groupId>
208+
<artifactId>poi-ooxml</artifactId>
209+
<version>3.10-FINAL</version>
210+
</dependency>
211+
212+
<dependency>
213+
<groupId>com.monitorjbl</groupId>
214+
<artifactId>xlsx-streamer</artifactId>
215+
<version>2.0.0</version>
216+
</dependency>
217+
218+
199219
</dependencies>
200220

201221
<dependencyManagement>

src/main/java/org/joychou/controller/CommandInject.java

+2-2
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ public class CommandInject {
1616
protected final Logger logger = LoggerFactory.getLogger(this.getClass());
1717

1818
/**
19-
* http://localhost:8080/codeinject?filepath=/tmp;pwd
19+
* http://localhost:8080/codeinject?filepath=/tmp;cat /etc/passwd
2020
*
2121
* @param filepath filepath
2222
* @return result
@@ -33,7 +33,7 @@ public static String codeInject(String filepath) throws IOException {
3333

3434
/**
3535
* Host Injection
36-
* host: Host: hacked by joychou;curl ssrf.http.joychou.org
36+
* Host: hacked by joychou;cat /etc/passwd
3737
* http://localhost:8080/codeinject/host
3838
*
3939
*/

src/main/java/org/joychou/controller/XXE.java

+22-17
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,9 @@
11
package org.joychou.controller;
22

3-
43
import org.dom4j.io.SAXReader;
54
import org.springframework.web.bind.annotation.*;
65
import javax.servlet.http.HttpServletRequest;
6+
77
import org.w3c.dom.Document;
88
import org.w3c.dom.Node;
99
import org.w3c.dom.NodeList;
@@ -37,7 +37,7 @@ public String xxe_xmlReader(HttpServletRequest request) {
3737
String xml_con = Tools.getRequestBody(request);
3838
System.out.println(xml_con);
3939
XMLReader xmlReader = XMLReaderFactory.createXMLReader();
40-
xmlReader.parse( new InputSource(new StringReader(xml_con)) ); // parse xml
40+
xmlReader.parse(new InputSource(new StringReader(xml_con))); // parse xml
4141
return "ok";
4242
} catch (Exception e) {
4343
System.out.println(e);
@@ -47,7 +47,7 @@ public String xxe_xmlReader(HttpServletRequest request) {
4747

4848

4949
@RequestMapping(value = "/xmlReader_fix", method = RequestMethod.POST)
50-
public String xxe_xmlReader_fix(HttpServletRequest request) {
50+
public String xxe_xmlReader_fix(HttpServletRequest request) {
5151
try {
5252
String xml_con = Tools.getRequestBody(request);
5353
System.out.println(xml_con);
@@ -58,7 +58,7 @@ public String xxe_xmlReader_fix(HttpServletRequest request) {
5858
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
5959
xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
6060
//fix code end
61-
xmlReader.parse( new InputSource(new StringReader(xml_con)) ); // parse xml
61+
xmlReader.parse(new InputSource(new StringReader(xml_con))); // parse xml
6262

6363
return "ok";
6464
} catch (Exception e) {
@@ -69,13 +69,13 @@ public String xxe_xmlReader_fix(HttpServletRequest request) {
6969

7070

7171
@RequestMapping(value = "/SAXBuilder", method = RequestMethod.POST)
72-
public String xxe_SAXBuilder(HttpServletRequest request) {
72+
public String xxe_SAXBuilder(HttpServletRequest request) {
7373
try {
7474
String xml_con = Tools.getRequestBody(request);
7575
System.out.println(xml_con);
7676

7777
SAXBuilder builder = new SAXBuilder();
78-
org.jdom2.Document document = builder.build( new InputSource(new StringReader(xml_con)) ); // cause xxe
78+
org.jdom2.Document document = builder.build(new InputSource(new StringReader(xml_con))); // cause xxe
7979
return "ok";
8080
} catch (Exception e) {
8181
System.out.println(e);
@@ -84,7 +84,7 @@ public String xxe_SAXBuilder(HttpServletRequest request) {
8484
}
8585

8686
@RequestMapping(value = "/SAXBuilder_fix", method = RequestMethod.POST)
87-
public String xxe_SAXBuilder_fix(HttpServletRequest request) {
87+
public String xxe_SAXBuilder_fix(HttpServletRequest request) {
8888
try {
8989
String xml_con = Tools.getRequestBody(request);
9090
System.out.println(xml_con);
@@ -93,7 +93,7 @@ public String xxe_SAXBuilder_fix(HttpServletRequest request) {
9393
builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
9494
builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
9595
builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
96-
org.jdom2.Document document = builder.build( new InputSource(new StringReader(xml_con)) );
96+
org.jdom2.Document document = builder.build(new InputSource(new StringReader(xml_con)));
9797

9898
return "ok";
9999
} catch (Exception e) {
@@ -102,13 +102,13 @@ public String xxe_SAXBuilder_fix(HttpServletRequest request) {
102102
}
103103

104104
@RequestMapping(value = "/SAXReader", method = RequestMethod.POST)
105-
public String xxe_SAXReader(HttpServletRequest request) {
105+
public String xxe_SAXReader(HttpServletRequest request) {
106106
try {
107107
String xml_con = Tools.getRequestBody(request);
108108
System.out.println(xml_con);
109109

110110
SAXReader reader = new SAXReader();
111-
org.dom4j.Document document = reader.read( new InputSource(new StringReader(xml_con)) ); // cause xxe
111+
org.dom4j.Document document = reader.read(new InputSource(new StringReader(xml_con))); // cause xxe
112112

113113
return "ok";
114114
} catch (Exception e) {
@@ -118,7 +118,7 @@ public String xxe_SAXReader(HttpServletRequest request) {
118118
}
119119

120120
@RequestMapping(value = "/SAXReader_fix", method = RequestMethod.POST)
121-
public String xxe_SAXReader_fix(HttpServletRequest request) {
121+
public String xxe_SAXReader_fix(HttpServletRequest request) {
122122
try {
123123
String xml_con = Tools.getRequestBody(request);
124124
System.out.println(xml_con);
@@ -127,7 +127,7 @@ public String xxe_SAXReader_fix(HttpServletRequest request) {
127127
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
128128
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
129129
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
130-
org.dom4j.Document document = reader.read( new InputSource(new StringReader(xml_con)) );
130+
org.dom4j.Document document = reader.read(new InputSource(new StringReader(xml_con)));
131131

132132
return "ok";
133133
} catch (Exception e) {
@@ -231,7 +231,7 @@ public String xxeDocumentBuilderReturn(HttpServletRequest request) {
231231
NodeList child = rootNode.getChildNodes();
232232
for (int j = 0; j < child.getLength(); j++) {
233233
Node node = child.item(j);
234-
buf.append( node.getNodeName() + ": " + node.getTextContent() + "\n" );
234+
buf.append(node.getNodeName() + ": " + node.getTextContent() + "\n");
235235
}
236236
}
237237
sr.close();
@@ -265,8 +265,8 @@ public String DocumentBuilder(HttpServletRequest request) {
265265
for (int j = 0; j < child.getLength(); j++) {
266266
Node node = child.item(j);
267267
// 正常解析XML,需要判断是否是ELEMENT_NODE类型。否则会出现多余的的节点。
268-
if(child.item(j).getNodeType() == Node.ELEMENT_NODE) {
269-
result.append( node.getNodeName() + ": " + node.getFirstChild().getNodeValue() + "\n" );
268+
if (child.item(j).getNodeType() == Node.ELEMENT_NODE) {
269+
result.append(node.getNodeName() + ": " + node.getFirstChild().getNodeValue() + "\n");
270270
}
271271
}
272272
}
@@ -387,7 +387,7 @@ public String XMLReaderVul(HttpServletRequest request) {
387387
SAXParserFactory spf = SAXParserFactory.newInstance();
388388
SAXParser saxParser = spf.newSAXParser();
389389
XMLReader xmlReader = saxParser.getXMLReader();
390-
xmlReader.parse( new InputSource(new StringReader(xml_con)) );
390+
xmlReader.parse(new InputSource(new StringReader(xml_con)));
391391
return "test";
392392
} catch (Exception e) {
393393
System.out.println(e.toString());
@@ -407,12 +407,17 @@ public String XMLReaderSec(HttpServletRequest request) {
407407
xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
408408
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
409409
xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
410-
xmlReader.parse( new InputSource(new StringReader(xml_con)) );
410+
xmlReader.parse(new InputSource(new StringReader(xml_con)));
411411
return "test";
412412
} catch (Exception e) {
413413
System.out.println(e.toString());
414414
return "except";
415415
}
416416
}
417417

418+
419+
public static void main(String[] args) throws Exception {
420+
421+
}
422+
418423
}

src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java

+79
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,79 @@
1+
package org.joychou.controller.othervulns;
2+
3+
import org.apache.poi.xssf.usermodel.XSSFCell;
4+
import org.apache.poi.xssf.usermodel.XSSFRow;
5+
import org.apache.poi.xssf.usermodel.XSSFSheet;
6+
import org.apache.poi.xssf.usermodel.XSSFWorkbook;
7+
import org.slf4j.Logger;
8+
import org.slf4j.LoggerFactory;
9+
import org.springframework.stereotype.Controller;
10+
import org.springframework.web.bind.annotation.GetMapping;
11+
import org.springframework.web.bind.annotation.PostMapping;
12+
import org.springframework.web.bind.annotation.RequestMapping;
13+
import org.springframework.web.bind.annotation.ResponseBody;
14+
import org.springframework.web.multipart.MultipartFile;
15+
16+
import java.io.IOException;
17+
import java.util.Iterator;
18+
19+
import static org.apache.commons.lang.StringUtils.isBlank;
20+
21+
/**
22+
* Desc: poi-ooxml xxe vuln code
23+
* Usage: [Content_Type].xml
24+
* Ref: https://www.itread01.com/hkpcyyp.html
25+
* Fix: Update poi-ooxml to 3.15 or above.
26+
* Vuln: 3.10 or below exist xxe vuln. 3.14 or above exist dos vuln. So 3.15 or above is safe version.
27+
*
28+
* @author JoyChou @2019-09-05
29+
*/
30+
@Controller
31+
@RequestMapping("ooxml")
32+
public class ooxmlXXE {
33+
34+
35+
private final Logger logger = LoggerFactory.getLogger(this.getClass());
36+
37+
38+
@GetMapping("/upload")
39+
public String index() {
40+
return "xxe_upload"; // return xxe_upload.html page
41+
}
42+
43+
44+
@PostMapping("/readxlsx")
45+
@ResponseBody
46+
public String ooxml_xxe(MultipartFile file)throws IOException {
47+
XSSFWorkbook wb = new XSSFWorkbook(file.getInputStream()); // xxe vuln
48+
49+
XSSFSheet sheet = wb.getSheetAt(0);
50+
XSSFRow row;
51+
XSSFCell cell;
52+
53+
Iterator rows = sheet.rowIterator();
54+
String result = "";
55+
56+
while (rows.hasNext())
57+
{
58+
row=(XSSFRow) rows.next();
59+
Iterator cells = row.cellIterator();
60+
while (cells.hasNext())
61+
{
62+
cell=(XSSFCell) cells.next();
63+
64+
if (cell.getCellType() == XSSFCell.CELL_TYPE_STRING) {
65+
result += cell.getStringCellValue()+ " ";
66+
} else if(cell.getCellType() == XSSFCell.CELL_TYPE_NUMERIC) {
67+
result += cell.getNumericCellValue()+ " ";
68+
} else {
69+
logger.info("errors");
70+
}
71+
}
72+
}
73+
if ( isBlank(result) ){
74+
result = "xxe test";
75+
}
76+
77+
return result;
78+
}
79+
}

src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java

+44
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,44 @@
1+
package org.joychou.controller.othervulns;
2+
3+
import com.monitorjbl.xlsx.StreamingReader;
4+
import org.apache.poi.ss.usermodel.Workbook;
5+
6+
import org.springframework.stereotype.Controller;
7+
import org.springframework.web.bind.annotation.GetMapping;
8+
import org.springframework.web.bind.annotation.PostMapping;
9+
import org.springframework.web.bind.annotation.RequestMapping;
10+
import org.springframework.web.multipart.MultipartFile;
11+
12+
import java.io.FileInputStream;
13+
import java.io.IOException;
14+
15+
16+
/**
17+
* Desc: xlsx-streamer xxe vuln code
18+
* Usage: xl/workbook.xml
19+
* Ref: https://www.itread01.com/hkpcyyp.html
20+
* Fix: update xlsx-streamer to 2.1.0 or above
21+
*
22+
* @author JoyChou @2019-09-05
23+
*/
24+
@Controller
25+
@RequestMapping("xlsx-streamer")
26+
public class xlsxStreamerXXE {
27+
28+
29+
@GetMapping("/upload")
30+
public String index() {
31+
return "xxe_upload"; // return xxe_upload.html page
32+
}
33+
34+
35+
@PostMapping("/readxlsx")
36+
public void xllx_streamer_xxe(MultipartFile file)throws IOException {
37+
Workbook wb = StreamingReader.builder().open(file.getInputStream());
38+
}
39+
40+
41+
public static void main(String[] args) throws Exception {
42+
Workbook wb = StreamingReader.builder().open((new FileInputStream("poc.xlsx")));
43+
}
44+
}

0 commit comments

Comments
 (0)