package org.joychou.controller.othervulns;
import org.apache.poi.xssf.usermodel.XSSFCell;
import org.apache.poi.xssf.usermodel.XSSFRow;
import org.apache.poi.xssf.usermodel.XSSFSheet;
import org.apache.poi.xssf.usermodel.XSSFWorkbook;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.multipart.MultipartFile;
import java.io.IOException;
import java.util.Iterator;
/**
* Desc: poi-ooxml xxe vuln code
* Usage: [Content_Type].xml http://localhost:8080/ooxml/upload
* Ref: https://www.itread01.com/hkpcyyp.html
* Fix: Update poi-ooxml to 3.15 or above.
* Vuln: versions 3.10 and below have the XXE vuln; versions 3.14 and below have a DoS vuln. So 3.15 or above is the safe version.
*
* @author JoyChou @2019-09-05
*/
@Controller
@RequestMapping("ooxml")
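public class ooxmlXXE {

    private final Logger logger = LoggerFactory.getLogger(this.getClass());

    /**
     * Serves the upload form.
     *
     * @return the view name of the upload page (xxe_upload.html)
     */
    @GetMapping("/upload")
    public String index() {
        return "xxe_upload"; // return xxe_upload.html page
    }

    /**
     * Parses the first sheet of an uploaded .xlsx workbook and returns its string and
     * numeric cell values, space-separated, in row/cell order.
     *
     * <p>The uploaded archive is handed to poi-ooxml unchanged, so on a vulnerable
     * poi-ooxml version the XML parts inside it (e.g. {@code [Content_Types].xml}) are
     * parsed with external entities enabled; this is the intentional XXE demo. The fix is
     * the library upgrade described in the class header, not a change to this method.
     *
     * @param file the uploaded workbook (untrusted user input)
     * @return the concatenated cell values, or an empty string when the sheet has no rows
     * @throws IOException if the upload cannot be read or is not a valid OOXML package
     */
    @PostMapping("/readxlsx")
    @ResponseBody
    public String ooxml_xxe(MultipartFile file) throws IOException {
        StringBuilder sbResult = new StringBuilder();
        // try-with-resources: the original never closed the workbook, leaking the
        // underlying zip/stream handles on every request.
        try (XSSFWorkbook wb = new XSSFWorkbook(file.getInputStream())) { // xxe vuln
            // getSheetAt(0) fails with IllegalArgumentException on a workbook without sheets
            XSSFSheet sheet = wb.getSheetAt(0);
            Iterator<?> rows = sheet.rowIterator();
            while (rows.hasNext()) {
                XSSFRow row = (XSSFRow) rows.next();
                Iterator<?> cells = row.cellIterator();
                while (cells.hasNext()) {
                    appendCell(sbResult, (XSSFCell) cells.next());
                }
            }
        }
        return sbResult.toString();
    }

    /**
     * Appends one cell's value followed by a single space. Only string and numeric cells
     * are rendered; any other cell type is logged with its type and skipped.
     *
     * @param out  the buffer being built
     * @param cell the cell to render
     */
    private void appendCell(StringBuilder out, XSSFCell cell) {
        if (cell.getCellType() == XSSFCell.CELL_TYPE_STRING) {
            out.append(cell.getStringCellValue()).append(" ");
        } else if (cell.getCellType() == XSSFCell.CELL_TYPE_NUMERIC) {
            out.append(cell.getNumericCellValue()).append(" ");
        } else {
            // was a bare "errors" line; include the type so skipped cells can be diagnosed
            logger.info("errors: unsupported cell type {}", cell.getCellType());
        }
    }
}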