XXE Vulnerability Analysis of a Certain System
1. XXE analysis
This is an analysis of an XXE vulnerability in a certain system. It dates from last year, and the current patch and newer versions have already fixed it.
Because the call stack given in articles online is incomplete, this analysis fills it in.
The first check happens in the Filter layer, in CTPSecurityFilter.
The complete doFilter is as follows (decompiled; variable names such as var10 and var33 are decompiler artifacts):
```java
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
        throws IOException, ServletException {
    CanalMapMonitor.startMonitor((HttpServletRequest) request);
    try {
        TraceFilter.insertIntoMDC((HttpServletRequest) request);
        // Sensitive-parameter detection in the query string only logs; it does not block the request.
        String queryString = ((HttpServletRequest) request).getQueryString();
        if (null != queryString) {
            Matcher matcher = this.pattern.matcher(queryString);
            if (matcher.find()) {
                securityLogger.info("url包含敏感信息:" + ((HttpServletRequest) request).getRequestURL() + "?" + queryString);
            }
        }
        // Tenant resolution: by domain name in cloud mode, otherwise from the context path.
        String tenantId;
        if (SystemEnvironment.isCloudDeployMode()) {
            StringBuffer url = ((HttpServletRequest) request).getRequestURL();
            String uri = ((HttpServletRequest) request).getRequestURI();
            String scheme = request.getScheme() + "://";
            String contextUrl = url.substring(scheme.length(), url.length() - uri.length());
            tenantId = MultiTenantConfigInitializer.getTenantIdByDomainName(contextUrl);
        } else {
            if (contextName == null) {
                contextName = SystemEnvironment.getContextPath().substring(1);
            }
            tenantId = contextName;
        }
        AppContext.removeThreadContext("REQUIRE_CHECK_GUEST");
        AppContext.removeThreadContext("REQUIRE_VALIDATE_USER_ROLE");
        AppContext.setCurrentTenantId(tenantId);
        // The authentication decision for this request is made here; see authenticate() below.
        CTPSecurityFilter.Result result = authenticate(request, response);
        if (result.getAuthenticator().directReturn((HttpServletRequest) request)) {
            return;
        }
        User currentUser = AppContext.getCurrentUser();
        if (currentUser != null) {
            try {
                LoginOpt.refreshOnlineUser(currentUser);
            } catch (BusinessException var34) {
                logger.error("", var34);
            }
        }
        if (result.getResult()) {
            // Authenticated (or allowed) request: pass it down the chain, rate-limited via Sentinel for protected URIs.
            StringBuilder resourceKey = new StringBuilder();
            if (this.isProtectedUri((HttpServletRequest) request, resourceKey)) {
                try {
                    Entry entry = SphU.entry(resourceKey.toString());
                    Throwable var10 = null;
                    try {
                        filterChain.doFilter(request, response);
                    } catch (Throwable var33) {
                        var10 = var33;
                        throw var33;
                    } finally {
                        if (entry != null) {
                            if (var10 != null) {
                                try {
                                    entry.close();
                                } catch (Throwable var31) {
                                    var10.addSuppressed(var31);
                                }
                            } else {
                                entry.close();
                            }
                        }
                    }
                } catch (BlockException var36) {
                    this.sendErrorWhenNotHttp(response);
                }
            } else {
                filterChain.doFilter(request, response);
            }
        } else if (response instanceof HttpServletResponse) {
            // Authentication failed: let the authenticator decide the failure response.
            try {
                result.getAuthenticator().afterFailure((HttpServletRequest) request, (HttpServletResponse) response);
            } catch (Exception var) {
                throw new IOException(var);
            }
        } else {
            this.sendErrorWhenNotHttp(response);
        }
    } finally {
        AppContext.removeCurrentTenantId();
        AppContext.clearThreadContext();
        TraceFilter.clearMDC();
        CanalMapMonitor.stopMonitor();
    }
}
```
Following into the authenticate method.
The check made here is the following:
```java
private static boolean isV3xAjax(String uri, HttpServletRequest request) {
    return uri.endsWith("getAjaxDataServlet");
}
```
Note that this is purely a suffix match on the request URI; the request parameter is not used at all.
The corresponding map is then set.
In authenticate, one can see that the GET parameters S and M are read from the request.
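The page stops before the actual XML parsing call, so the XXE sink itself is not shown. As an added example that is not part of the original article and not the analysed system's code, the following shows what such a sink typically looks like in Java and how it is closed: the same constructed XML body is parsed once with a default DocumentBuilderFactory, which resolves the external entity and places the file contents into the document, and once with a factory hardened with the usual JAXP settings, which rejects the DOCTYPE before any entity is resolved. The class name XxeDemo, the payload and the entity target are constructed for this demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/**
 * Added illustration, not code from the analysed system:
 * the same XML body parsed with an XXE-prone factory and with a hardened one.
 */
public class XxeDemo {

    // Constructed payload: declares an external entity that reads a local file.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE data [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n" +
        "<data>&xxe;</data>";

    // Vulnerable: JAXP defaults allow a DTD and resolve external general entities.
    static DocumentBuilder unsafeBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened: refuse any DOCTYPE, and also switch off every other external-resource path.
    static DocumentBuilder safeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // Parses the body and returns the text content of the root element,
    // which is where a resolved entity's data ends up.
    static String parseRoot(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        try {
            // With the default factory the entity is resolved and the file content lands in <data>.
            System.out.println("unsafe: " + parseRoot(unsafeBuilder(), PAYLOAD));
        } catch (Exception e) {
            // On a host without /etc/hostname the parser still tried to read it; the exception shows that.
            System.out.println("unsafe: " + e);
        }
        try {
            parseRoot(safeBuilder(), PAYLOAD);
        } catch (SAXParseException e) {
            // Expected: the parser refuses the DOCTYPE before touching any entity.
            System.out.println("safe: rejected -> " + e.getMessage());
        }
    }
}
```

When auditing a servlet such as the one discussed above, the question to answer is which of these two configurations the DocumentBuilderFactory (or SAXParserFactory / XMLInputFactory) behind it uses; disallowing the DOCTYPE declaration is the single setting that shuts down both classic and blind (out-of-band) XXE.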
This article is an independent opinion and may not be reproduced without permission. For authorization, contact FreeBuf customer service 小蜜蜂, WeChat: freebee2022