What are the restrictions on the use of XXE in Java

2025-03-18 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

This article explains the restrictions on exploiting XXE in Java. The content is concise and easy to follow, and I hope you take something away from the detailed introduction.

Generally speaking, when you encounter XXE in Java and the result is echoed back, it is naturally easy to work with; when there is no echo, you need to construct a channel to get the data out. In the past, when exploiting XXE over plain HTTP (which, apart from the terminating CRLF, does not permit lone CR or LF characters), you could not read files that contain line breaks.

For example, win.ini, which is often used for verification, contains line breaks.

If you try to transfer such a file, you get the error Illegal character in URL.

At line 420 of rt.jar!\sun\net\www\http\HttpClient.class there is a check for line breaks (decompiled):

    if (var1.indexOf(10) == -1) {
        return var1;
    } else {
        throw new MalformedURLException("Illegal character in URL");
    }

In a PHP environment this is easy to deal with: encode the data, for example with base64, and bring it out smoothly.

Dtd;%send;] >

In this way the file can be extracted even if it contains an Illegal character, but Java has no comparable encoding wrapper. So the FTP protocol is often used instead to transfer the data out, since the data itself may contain \r, \n and other such characters.

This looks fine and the problem appears solved, but unexpected situations come up. What if the file contains the following characters?

'"

< >

&

You will get the following error: the declaration of the entity XXX must end with >

The dtd file is as follows:

% payload

This is because XML substitutes entities while parsing. Once the content of a file containing a single quotation mark is concatenated into the string, that single quotation mark closes the single-quoted value of the send entity, and everything after it becomes invalid data.

If the single quotation mark in the file is followed by any character other than a closing angle bracket >, the parser reports that the declaration of the entity XXX must end with >.

If the single quotation mark happens to be followed by a closing angle bracket, that does not help either: the junk data is still there after it, so at best you change which error you get.

Is there any way to read this kind of special file?

XML took this situation into account in its design: although in general XML requires these symbols to be replaced by the corresponding entity references, if you have to use them literally you can read them with the CDATA method.

CDATA (Unparsed Character Data) is text that should not be parsed by the XML parser; everything inside a CDATA section is ignored by the parser. A CDATA section ends with ]]>.

Let's modify the payload accordingly:

Dtd

Payload

Asd;%c;%rrr;] >

But in practice this method does not work, because the data still has to be concatenated into a URL, where it is still closed by the outer single quotation marks, for example:

However, the CDATA method can be used when the XXE result is echoed, which is still a good approach.

A normal read fails.

Reading with the CDATA method works, but note that this is still not perfect, at least for a lone & symbol,

unless it forms a complete entity reference.

In addition, JDK version changes affect the technique of using FTP as a transmission channel. The reason higher versions cannot use FTP to read multi-line files is the check var0.toExternalForm().indexOf(10) > -1 in the static method checkURL of FtpURLConnection.class: the URL is parsed and checked for a newline character (ASCII 10), and if one is present an exception is thrown.

The author has not checked in which version checkURL started checking for line breaks; interested readers can look it up themselves.

rt.jar!\sun\net\www\protocol\ftp\FtpURLConnection.class (decompiled):

    static URL checkURL(URL var0) throws IllegalArgumentException {
        if (var0 != null && var0.toExternalForm().indexOf(10) > -1) {
            MalformedURLException var3 = new MalformedURLException("Illegal character in URL");
            throw new IllegalArgumentException(var3.getMessage(), var3);
        } else {
            String var1 = IPAddressUtil.checkAuthority(var0);
            if (var1 != null) {
                MalformedURLException var2 = new MalformedURLException(var1);
                throw new IllegalArgumentException(var2.getMessage(), var2);
            } else {
                return var0;
            }
        }
    }

Generally speaking, in a PHP environment everything works, but in a Java environment it depends on the case.

With echo (the data does not need to be taken out through a URL):

1. Ordinary file -> read directly and echoed
2. File with newlines -> read directly and echoed
3. File with special characters -> CDATA echo
4. File with special characters and newlines -> CDATA echo

Without echo:

1. Ordinary file -> can be brought out over HTTP or FTP
2. File with newlines -> brought out over FTP
3. File with special characters -> no good way for the time being
4. File with special characters and newlines -> no good way for the time being

In addition, you need to pay attention to the impact of the JDK version.

The above describes the restrictions on exploiting XXE in Java. Did you learn anything new from it? If you want to learn more skills or broaden your knowledge, you are welcome to follow the industry information channel.
