xxe demo

.gitignore

@@ -0,0 +1,34 @@
+HELP.md
+target/
+!.mvn/wrapper/maven-wrapper.jar
+.mvn
+mvnw
+mvnw.cmd
+!**/src/main/**
+!**/src/test/**
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+build/
+
+### VS Code ###
+.vscode/

README.md

@@ -0,0 +1,33 @@
+# XXE 
+## 项目说明
+本项目为XXE测试demo。项目代码中包含禁止外部实体的代码。
+## XXE使用的方法及对应的访问地址
+| CODE | URL|
+|  --- | ---|
+| DocumentBuilderFactory | localhost:8080/xxe/xxe1|
+| SAXBuilder|localhost:8080/xxe/xxe2|
+|SAXParserFactory|localhost:8080/xxe/xxe3|
+| SAXReader|localhost:8080/xxe/xxe4|
+| SAXTransformerFactory|localhost:8080/xxe/xxe5|
+| SchemaFactory|localhost:8080/xxe/xxe6|
+| TransformerFactory|localhost:8080/xxe/xxe7|
+| SchemaFactory|localhost:8080/xxe/xxe8|
+| XMLInputFactory|localhost:8080/xxe/xxe9|
+| XMLReader |localhost:8080/xxe/xxe10|
+
+## 项目运行
+`mvn clean package`
+或者直接下载release jar包
+
+## 内部poc
+```xml
+<?xml version="1.0" encoding="ISO-8859-1" ?>
+        <!DOCTYPE example [
+                <!ELEMENT example ANY >
+                <!ENTITY file SYSTEM "http://localhost:10000" >
+                ]>
+<example>&file;</example>
+```
+需要本地监听10000端口
+
+

pom.xml

@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>2.2.5.RELEASE</version>
+        <relativePath/> <!-- lookup parent from repository -->
+    </parent>
+    <groupId>cn.com.x1001</groupId>
+    <artifactId>xxedemo</artifactId>
+    <version>1.0</version>
+    <name>xxedemo</name>
+    <description>Demo project for Spring Boot</description>
+
+    <properties>
+        <java.version>1.8</java.version>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.junit.vintage</groupId>
+                    <artifactId>junit-vintage-engine</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/org.jdom/jdom2 -->
+        <dependency>
+            <groupId>org.jdom</groupId>
+            <artifactId>jdom2</artifactId>
+            <version>2.0.6</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/org.apache.poi/poi-ooxml -->
+        <dependency>
+            <groupId>org.apache.poi</groupId>
+            <artifactId>poi-ooxml</artifactId>
+            <version>3.9</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/dom4j/dom4j -->
+        <dependency>
+            <groupId>dom4j</groupId>
+            <artifactId>dom4j</artifactId>
+            <version>1.6.1</version>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>

src/main/java/cn/com/x1001/xxedemo/XxedemoApplication.java

@@ -0,0 +1,13 @@
+package cn.com.x1001.xxedemo;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class XxedemoApplication {
+
+    public static void main(String[] args) {
+        SpringApplication.run(XxedemoApplication.class, args);
+    }
+
+}

src/main/java/cn/com/x1001/xxedemo/main/XXEControl.java

@@ -0,0 +1,226 @@
+package cn.com.x1001.xxedemo.main;
+
+import org.jdom2.Document;
+import org.jdom2.JDOMException;
+import org.jdom2.input.SAXBuilder;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.*;
+import org.xml.sax.HandlerBase;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+import org.xml.sax.XMLReader;
+import org.xml.sax.helpers.XMLReaderFactory;
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.parsers.*;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamConstants;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamReader;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.dom.DOMResult;
+import javax.xml.transform.sax.SAXTransformerFactory;
+import javax.xml.transform.stream.StreamSource;
+import javax.xml.validation.Schema;
+import javax.xml.validation.SchemaFactory;
+import javax.xml.validation.Validator;
+import java.io.IOException;
+
+
+@Controller
+@RequestMapping("/xxe")
+public class XXEControl {
+
+    /**
+     * DocumentBuilderFactory
+     */
+    @RequestMapping(value = "/xxe1", method = RequestMethod.POST,produces = "text/html")
+    public void xxe1(HttpServletRequest request)  {
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+//        String FEATURE = null;
+//        FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
+//        dbf.setFeature(FEATURE, true);
+//        FEATURE = "http://xml.org/sax/features/external-general-entities";
+//        dbf.setFeature(FEATURE, false);
+//        FEATURE = "http://xml.org/sax/features/external-parameter-entities";
+//        dbf.setFeature(FEATURE, false);
+//        FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+//        dbf.setFeature(FEATURE, false);
+//        dbf.setXIncludeAware(false);
+
+//        dbf.setExpandEntityReferences无法防止xxe
+        dbf.setExpandEntityReferences(false);
+        try {
+            DocumentBuilder documentBuilder = dbf.newDocumentBuilder();
+            documentBuilder.parse(request.getInputStream());
+        } catch (ParserConfigurationException | IOException | SAXException e) {
+            e.printStackTrace();
+        }
+    }
+    /**
+     * SAXBuilder
+     */
+    @RequestMapping(value = "/xxe2", method = RequestMethod.POST,produces = "text/html")
+    public void xxe2(HttpServletRequest request)  {
+        SAXBuilder sb = new SAXBuilder();
+//        sb.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+//        sb.setFeature("http://xml.org/sax/features/external-general-entities", false);
+//        sb.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+//        sb.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        try {
+            Document doc = sb.build(request.getInputStream());
+        } catch (JDOMException | IOException e) {
+            e.printStackTrace();
+        }
+    }
+    /**
+     * SAXParserFactory
+     */
+    @RequestMapping(value = "/xxe3", method = RequestMethod.POST,produces = "text/html")
+    public void xxe3(HttpServletRequest request)  {
+        SAXParserFactory spf = SAXParserFactory.newInstance();
+//        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+//        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+//        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+//        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+
+        try {
+            SAXParser parser = spf.newSAXParser();
+            parser.parse(request.getInputStream(), (HandlerBase) null);
+        } catch (SAXException | ParserConfigurationException | IOException e) {
+            e.printStackTrace();
+        }
+    }
+    /**
+     * SAXReader
+     */
+    @RequestMapping(value = "/xxe4", method = RequestMethod.POST,produces = "text/html")
+    public void xxe4(HttpServletRequest request)  {
+        SAXBuilder sb = new SAXBuilder();
+//        sb.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+//        sb.setFeature("http://xml.org/sax/features/external-general-entities", false);
+//        sb.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+//        sb.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        try {
+            Document doc = sb.build(request.getInputStream());
+        } catch (JDOMException | IOException e) {
+            e.printStackTrace();
+        }
+    }
+    /**
+     * SAXTransformerFactory
+     */
+    @RequestMapping(value = "/xxe5", method = RequestMethod.POST,produces = "text/html")
+    public void xxe5(HttpServletRequest request)  {
+        StreamSource source = null;
+        try {
+            source = new StreamSource(request.getInputStream());
+            SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
+//        sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+//        sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+            sf.newTransformerHandler(source);
+        } catch (IOException | TransformerConfigurationException e) {
+            e.printStackTrace();
+        }
+    }
+    /**
+     * SchemaFactory
+     */
+    @RequestMapping(value = "/xxe6", method = RequestMethod.POST,produces = "text/html")
+    public void xxe6(HttpServletRequest request)  {
+        SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
+//        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+//        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+        try {
+            StreamSource source = new StreamSource(request.getInputStream());
+            Schema schema = factory.newSchema(source);
+        } catch (SAXException | IOException e) {
+            e.printStackTrace();
+        }
+    }
+    /**
+     * TransformerFactory
+     */
+    @RequestMapping(value = "/xxe7", method = RequestMethod.POST,produces = "text/html")
+    public void xxe7(HttpServletRequest request)  {
+        TransformerFactory tf = TransformerFactory.newInstance();
+//        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+//        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+        try {
+            StreamSource source = new StreamSource(request.getInputStream());
+            tf.newTransformer().transform(source, new DOMResult());
+        } catch (TransformerException | IOException e) {
+            e.printStackTrace();
+        }
+    }
+    /**
+     * SchemaFactory
+     */
+    @RequestMapping(value = "/xxe8", method = RequestMethod.POST,produces = "text/html")
+    public void xxe8(HttpServletRequest request)  {
+        SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
+        Schema schema = null;
+        try {
+            schema = factory.newSchema();
+            Validator validator = schema.newValidator();
+//        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+//        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+            StreamSource source = new StreamSource(request.getInputStream());
+            validator.validate(source);
+        } catch (SAXException | IOException e) {
+            e.printStackTrace();
+        }
+    }
+    /**
+     * XMLInputFactory
+     */
+    @RequestMapping(value = "/xxe9", method = RequestMethod.POST,produces = "text/html")
+    public void xxe9(HttpServletRequest request)  {
+        XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory();
+//        xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+//        xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+        XMLStreamReader reader = null;
+        try {
+            reader = xmlInputFactory.createXMLStreamReader(request.getInputStream());
+        } catch (XMLStreamException | IOException e) {
+            e.printStackTrace();
+        }
+        try {
+            assert reader != null;
+            while (reader.hasNext()) {
+                int type = reader.next();
+                if (type == XMLStreamConstants.START_ELEMENT) {//开始节点
+                    System.out.print(reader.getName());
+                } else if (type == XMLStreamConstants.CHARACTERS) {//表示事件字符
+                    System.out.println("type" + type);
+                } else if (type == XMLStreamConstants.END_ELEMENT) {//结束节点
+                    System.out.println(reader.getName());
+                }
+            }
+            reader.close();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+    /**
+     * XMLReader
+     */
+    @RequestMapping(value = "/xxe10", method = RequestMethod.POST,produces = "text/html")
+    public void xxe10(HttpServletRequest request)  {
+        XMLReader reader = null;
+        try {
+            reader = XMLReaderFactory.createXMLReader();
+//        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+//        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+//        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+//        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            reader.parse(new InputSource(request.getInputStream()));
+        } catch (SAXException | IOException e) {
+            e.printStackTrace();
+        }
+
+    }
+
+}
+

src/main/resources/application.properties

@@ -0,0 +1 @@
+

src/main/resources/poc.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="ISO-8859-1" ?>
+        <!DOCTYPE example [
+                <!ELEMENT example ANY >
+                <!ENTITY file SYSTEM "http://localhost:10000" >
+                ]>
+<example>&file;</example>