1、XXE code section
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ page import="org.w3c.dom.*, javax.xml.parsers.*" %>
<%@ page import="org.xml.sax.InputSource" %>
<%@ page import="java.io.StringReader" %>
<%
    // Untrusted XML arrives in the "data" request parameter.
    String data = request.getParameter("data");
    String tmp = "";
    if (data != null) {
        try {
            // Default factory: DTD processing and external entity resolution stay enabled (the XXE sink).
            DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
            DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
            // The user-controlled string is parsed directly, with no hardening of the factory.
            Document doc = docBuilder.parse(new InputSource(new StringReader(request.getParameter("data"))));
            NodeList RegistrationNo = doc.getElementsByTagName("foo");
            tmp = RegistrationNo.item(0).getFirstChild().getNodeValue();
        } catch (Exception e) {
            // The full stack trace is echoed to the client, which also leaks parser error details.
            out.print("<pre>");
            e.printStackTrace(response.getWriter());
            out.print("</pre>");
        }
    }
%>
2、Audit approach: search the whole code base for the following keywords and open each file that matches.
javax.xml.parsers.*
org.xml.sax.InputSource
java.io.StringReader
3、Create the XML parser factory.
Create the XML parser object.
Obtain the data parameter and parse the content supplied through InputSource; the default parser performs external entity resolution on it.
DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
Document doc = docBuilder.parse(new InputSource(new StringReader(request.getParameter("data"))));
NodeList RegistrationNo = doc.getElementsByTagName("foo");
tmp = RegistrationNo.item(0).getFirstChild().getNodeValue();
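The three lines above are the pattern an auditor looks for: a DocumentBuilderFactory created with defaults and fed request data. The following is an added example, not code from the page, that places the vulnerable factory next to a hardened one and parses a constructed sample document through both. The class name XxeParserHardening, the helper names and the sample XML strings are assumptions; the feature URIs are the standard Xerces/JAXP ones.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeParserHardening {

    // Same construction as the audited JSP: the JDK default factory keeps DTD
    // processing and entity resolution switched on.
    static DocumentBuilder vulnerableBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder();
    }

    // Hardened factory: reject any DOCTYPE outright (the single most effective
    // setting), and additionally switch off external entities, external DTD
    // loading, XInclude and entity expansion in case a DOCTYPE is ever allowed.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Mirrors the JSP logic: parse the string and return the text of the first <foo>.
    static String parseFoo(DocumentBuilder builder, String xml) throws Exception {
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("foo").item(0).getFirstChild().getNodeValue();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: plain document with no DOCTYPE.
        String benign = "<foo>hello</foo>";
        // Constructed sample: document carrying an internal DTD that defines an
        // entity. No external resource is referenced; it only shows whether the
        // parser accepts a DOCTYPE and expands entities at all.
        String withDoctype = "<!DOCTYPE foo [<!ENTITY greet \"hi\">]><foo>&greet;</foo>";

        System.out.println("vulnerable / benign : " + parseFoo(vulnerableBuilder(), benign));
        System.out.println("vulnerable / doctype: " + parseFoo(vulnerableBuilder(), withDoctype));
        System.out.println("hardened   / benign : " + parseFoo(hardenedBuilder(), benign));
        try {
            parseFoo(hardenedBuilder(), withDoctype);
            System.out.println("hardened   / doctype: accepted (unexpected)");
        } catch (SAXParseException e) {
            // Expected path: the DOCTYPE is refused before any entity is resolved.
            System.out.println("hardened   / doctype: rejected: " + e.getMessage());
        }
    }
}
```

During an audit, the fix to recommend is the hardenedBuilder() form (or a shared helper that every parser in the code base goes through); the keyword search from section 2 then doubles as the checklist for verifying that no DocumentBuilderFactory, SAXParserFactory or XMLInputFactory is still created with defaults. Catching SAXParseException separately, rather than printing the stack trace to the response as the JSP does, also avoids leaking parser internals to the client.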