XXe vulnerability Test in SPRINGMVC

The SPRINGMVC framework supports XML to object mapping, internally using two global interfaces Marshaller and Unmarshaller, an implementation that is implemented using the Jaxb2marshaller class, which naturally implements two global interfaces, Used to parse XML and object in a two-way way. And the XML file can be a DOM document, an input output stream, or a sax handler.

SPRINGMVC is popular with annotations for rapid development, in which JAXB annotations can annotate where XML is needed to be transformed in JavaBean. For example, to implement the mapping of an XML file to a user object, use the JAXB annotation in the user object:

When using JAXB to implement XML and Java Bean Mapping in SPRINGMVC, it can cause XXe vulnerabilities, because the XML in the request body can also be parsed in Springmvc, which is the principle in annotation mode, With the annotation @requestbody, the request body of the HTTP request can be introduced into our controller method, which is generally used as a parameter to the method. When Annotation-driven is turned on, Httpmessageconverter initializes 7 converters to the Annotationmethodhandleradapter. As for how spring chooses the right converter, there is no read source, and the guesses should be judged by accept or content-type headers.

If the application does not do an effective processing, then by constructing the request body, we can implement the injection of external entities. For example, when using XML to pass data in a Web application, there is no restriction on references to external entities, and it is possible to import external entities, resulting in arbitrary file reads.

In a test vulnerability, you only need to configure the annotation driver and viewresolver in the configuration file,

When normal request:

Indicate the submission of a application/xml type in the request and submit an XML in the requested body, which is name=exploit. Submit request, turn to page index.jsp, of course, in controller we do some processing, the converted user passed to JSP to render, the code is:

As you can see, the console prints the contents of the ToString Method:

index.jsp results are as follows:

The following introduces an external entity to submit:

<?xml version= "1.0" encoding= "UTF-8"?> <!
DOCTYPE any[
<! ENTITY shit SYSTEM  "file:///c:/1.txt" >]>
<user><name>&shit;</name></user >

This is different from the above, introducing a malicious external entity shit, and using the entity in the Echo location <name>, the effect is to read 1.txt below the C disk with a string of "2", and the result is as follows:

As you can see, external entities are introduced and parsed successfully, resulting in XXe vulnerabilities.

Therefore, the converter (Converter) used to handle the request body of the XML type in SPRINGMVC is the default support for external entity references, which can be resolved through an official website solution:

https://jira.spring.io/browse/SPR-10806