问题: XXE（XML 外部实体注入）以 XML 为载体；.xlsx 本质上是一个 ZIP 包，内部由多份 XML 组成，所以解析 xlsx 的后端代码同样可能受 XXE 影响。
复现方式: 构造一个在内部 XML 中声明了外部实体的 xlsx 文件，实体指向我自己控制的域名；后台用 POI 解析该文件后向这个域名发起了请求（出网回连），说明外部实体被解析，即存在 XXE。这类盲 XXE 通常就是靠 DNS/HTTP 回连来确认，而不一定能直接看到读取到的文件内容。
解决: 原来使用的 POI 是 3.9，升级到 3.15 以上（本文用 3.17）。修复依赖的是新版本 POI 内部在创建 XML 解析器时禁用了外部实体的解析，而不是业务代码本身；因此要保证 poi、poi-ooxml、poi-ooxml-schemas 以及 xmlbeans 一起升级、版本一致，并确认应用自己没有再用未加固的 XML 解析器去解析 xlsx 里的 XML。升级后应用同一个 PoC 文件回归验证一次，确认不再回连。
// Required jars for the POI upgrade (declared via the build's custom `oftenUsed` / `apacheCommons` configurations).
// NOTE(review): every artifact is declared with transitive = false, so nothing POI itself needs is pulled in
// automatically. poi-ooxml / poi-ooxml-schemas require xmlbeans at runtime — confirm xmlbeans is declared
// elsewhere in the build (and upgraded together with POI), otherwise XSSFWorkbook will likely fail to load.
所需jar oftenUsed ('org.apache.poi:poi:3.17') { transitive = false }
oftenUsed ('org.apache.poi:poi-ooxml:3.17') { transitive = false }
oftenUsed ('org.apache.poi:poi-ooxml-schemas:3.17') { transitive = false }
// commons-collections4 4.1 is the version poi 3.17 expects. Keep it at >= 4.1: 4.1 is the 4.x release in which
// the functor classes abused by Java deserialization gadget chains were made non-serializable — do not downgrade.
apacheCommons ('org.apache.commons:commons-collections4:4.1') { transitive = false }
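/**
 * Opens a workbook from {@code in}, detecting the container format from its magic bytes
 * rather than from a client-supplied file name or Content-Type.
 *
 * <p>The XXE protection this code relies on lives inside POI (the XML parsers POI creates
 * while reading the OOXML parts), not in this method — it only holds as long as the build
 * stays on a patched POI version (3.17 here). Do not let the dependency regress.
 *
 * @param in the Excel data to parse; it is consumed by this method. The returned workbook
 *           should be closed by the caller.
 * @return an {@link HSSFWorkbook} for an OLE2 (.xls) stream, an {@link XSSFWorkbook} for an
 *         OOXML (.xlsx) stream
 * @throws IOException              if the stream cannot be read
 * @throws InvalidFormatException   if the OOXML package is malformed
 * @throws IllegalArgumentException if the data is neither OLE2 nor OOXML (e.g. a renamed
 *                                  CSV/HTML file or a format POI cannot parse)
 */
public static Workbook create(InputStream in) throws IOException, InvalidFormatException {
    // prepareToCheckMagic() wraps a stream that lacks mark()/reset() so the magic bytes can be
    // read and rewound. The PushbackInputStream wrapper the old code added did nothing for that:
    // PushbackInputStream does not support mark() either, so it has been dropped.
    InputStream is = FileMagic.prepareToCheckMagic(in);
    FileMagic fm = FileMagic.valueOf(is);
    switch (fm) {
        case OLE2:
            // Must continue from `is`, not `in`: when `in` needed wrapping, the header bytes were
            // already pulled out of `in` during the magic check and only `is` can rewind to them.
            // The old code passed `in` here and handed HSSFWorkbook a stream missing its header.
            return new HSSFWorkbook(is);
        case OOXML:
            // Opening an OPCPackage from an InputStream reads the package into memory (POI itself
            // recommends File-based opening for lower memory use). Even with XXE fixed, an
            // attacker-controlled xlsx can still exhaust memory — keep an upload size limit in
            // front of this call.
            return new XSSFWorkbook(OPCPackage.open(is));
        default:
            throw new IllegalArgumentException("你的excel版本目前poi解析不了");
    }
}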