Urule XXE Author: idam0n

The interface for saving a decision flow does not disable external entity parsing when it parses XML data. An attacker can therefore submit malicious data to inject XML external entities, read arbitrary files from the operating system, cause SSRF to probe intranet hosts, or declare a large number of cyclically referenced entities to carry out a DoS attack, among other things.

The vulnerable code is in file com\bstek\urule\console\servlet\flow\RuleFlowDesignerServletHandler.java, method com.bstek.urule.console.servlet.flow.parseXml, as shown in the screenshot: (screenshot omitted)

The program reads the XML directly, and the parser is not configured to prohibit external entity references, which results in XXE.

Reproducing in a local build environment: use IDEA to build a Spring Boot demo project and add urule as a dependency: (screenshot omitted)

Exploiting the Vulnerability

Save a decision flow: (screenshot omitted)

The HTTP message: (screenshot omitted)

Now repeat the request and add the XXE payload to the POST parameter 'content'.

The XML content with the payload: (screenshot omitted)

Access the interface /urule/ruleflowdesigner/loadFlowDefinition to load the XML file submitted just now. The HTTP message: (screenshot omitted)

The content of file:///c:/windows/system.ini was loaded: (screenshot omitted)

Furthermore, an XML External Entity (XXE) can also be used to cause SSRF and DoS.