• Apache Roller 5.0.3 XXE漏洞分析


    下载5.0.2的版本来分析

    5.0.2的war包地址 http://archive.apache.org/dist/roller/roller-5/v5.0.2/bin/roller-weblogger-5.0.2-for-javaee.zip

    从web.xml入手分析,可以看到如下servlet映射

        <servlet>
            <servlet-name>XmlRpcServlet</servlet-name>
            <servlet-class>org.apache.xmlrpc.webserver.XmlRpcServlet</servlet-class>
            <init-param>
                <description>
                    Sets, whether the servlet supports vendor extensions for XML-RPC.
                </description>
                <param-name>enabledForExtensions</param-name>
                <param-value>true</param-value>
            </init-param>
        </servlet>

    指向org.apache.xmlrpc.webserver.XmlRpcServlet的类。

    从doPost看起

        public void doPost(HttpServletRequest pRequest, HttpServletResponse pResponse) throws IOException, ServletException {
            private XmlRpcServletServer server;
            server.execute(pRequest, pResponse);
        }

    指向org.apache.xmlrpc.webserver.XmlRpcServletServer

    	public void execute(HttpServletRequest pRequest, HttpServletResponse pResponse)
    			throws ServletException, IOException {
    		XmlRpcHttpRequestConfigImpl config = getConfig(pRequest);
    		ServletStreamConnection ssc = newStreamConnection(pRequest, pResponse);
    		try {
    			super.execute(config, ssc);
    		} catch (XmlRpcException e) {
    			throw new ServletException(e);
    		}
    	}
    

      

    看到super.execute(config, ssc); 这行指向父类的execute方法

    public class XmlRpcServletServer extends XmlRpcHttpServer
    

      父类为XmlRpcHttpServer,在父类中没找到execute方法,继续向上调用XmlRpcStreamServer类

    public abstract class XmlRpcHttpServer extends XmlRpcStreamServer
    

      

    在XmlRpcStreamServer类存在execute方法

    	public void execute(XmlRpcStreamRequestConfig pConfig,
    						ServerStreamConnection pConnection)
    			throws XmlRpcException {
    		log.debug("execute: ->");
    		try {
    			Object result;
    			Throwable error;
    			InputStream istream = null;
    			try {
    				istream = getInputStream(pConfig, pConnection);
    				XmlRpcRequest request = getRequest(pConfig, istream);
    				result = execute(request);
    				istream.close();
    				istream = null;
    				error = null;
    				log.debug("execute: Request performed successfully");
    			} catch (Throwable t) {
    				logError(t);
    				result = null;
    				error = t;
    			} finally {
    				if (istream != null) { try { istream.close(); } catch (Throwable ignore) {} }
    			}
          .......//省略后面无关代码
          }

      

    看到其中的 XmlRpcRequest request = getRequest(pConfig, istream); ,调用当前类的getRequest方法。

    	protected XmlRpcRequest getRequest(final XmlRpcStreamRequestConfig pConfig,
    									   InputStream pStream) throws XmlRpcException {
    		final XmlRpcRequestParser parser = new XmlRpcRequestParser(pConfig, getTypeFactory());
    		final XMLReader xr = SAXParsers.newXMLReader();
    		xr.setContentHandler(parser);
            .....//省略后面无关代码
            }        
    

      

    在getRequest()方法中有这么一句:XMLReader xr = SAXParsers.newXMLReader();

    public class SAXParsers {
    	private static final SAXParserFactory spf;
    	static {
    		spf = SAXParserFactory.newInstance();
    		spf.setNamespaceAware(true);
    		spf.setValidating(false);
    	}
    
    	/** Creates a new instance of {@link XMLReader}.
    	 */
    	public static XMLReader newXMLReader() throws XmlRpcException {
    		try {
    			return spf.newSAXParser().getXMLReader();
    		} catch (ParserConfigurationException e) {
    			throw new XmlRpcException("Unable to create XML parser: " + e.getMessage(), e);
    		} catch (SAXException e) {
    			throw new XmlRpcException("Unable to create XML parser: " + e.getMessage(), e);
    		}
    	}
    }
    

      其中:

    		spf = SAXParserFactory.newInstance();
    		spf.setNamespaceAware(true);
    		spf.setValidating(false);
    

      

    直接引用xml文档,没做访问限制,所有造成了xxe漏洞

    修复方式:

  • 相关阅读:
    POJ 1061 青蛙的约会(扩展欧几里得)
    贝祖定理(裴蜀定理)
    C语言 gets()和scanf()函数的区别
    非递归方式遍历二叉树
    zip包的解压
    八大基础排序中(直接插入排序,希尔排序,冒泡排序, 快速排序,归并排序,简单选择排序)
    数字反序与数字的和
    合并两个有序数组,合并后数组仍有序
    使用递归方式和非递归方式求斐波那契数
    求100到999之内的水仙花数
  • 原文地址:https://www.cnblogs.com/yangxiaodi/p/9685357.html
Copyright © 2020-2023  润新知