摸鱼sec 摸鱼Sec
摸鱼Sec
微信号 gh_e3d95d1a5b73
功能介绍 摸鱼sec由一群具有共同兴趣的网络安全爱好者组成,致力于发现和利用网络安全领域的漏洞和弱点,以保护用户隐私和数据安全。
__发表于
收录于合集
<?xml version="1.0" encoding="UTF-8"?> <beans> <!--General WebService--> <service xmlns="http://xfire.codehaus.org/config/1.0"> <name>GeneralWeb</name> <namespace>http://com.whir.service/GeneralWeb</namespace> <serviceClass>com.whir.service.webservice.GeneralWeb</serviceClass> <style>wrapped</style> <use>literal</use> <scope>application</scope> </service></beans>
// // Source code recreated from a .class file by IntelliJ IDEA // (powered by FernFlower decompiler) //
package com.whir.service.webservice;
import com.whir.service.common.CallApi;
public class GeneralWeb { public GeneralWeb() { }
public String OAManager(String input) throws Exception { CallApi callapi = new CallApi(); return callapi.getResult(input); } }
brimport com.whir.common.util.MD5; import com.whir.component.config.ConfigXMLReader; import com.whir.org.common.util.SysSetupReader; import java.io.ByteArrayInputStream; import java.io.InputStream; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.util.HashMap; import java.util.List; import java.util.Map; import org.apache.log4j.Logger; import org.jdom.Document; import org.jdom.Element; import org.jdom.input.SAXBuilder;
public String getResult(String input) throws Exception { if (serviceMap == null) { throw new Exception("Error: serviceMap can not is null"); } else { SAXBuilder builder = new SAXBuilder(); //此处使用jdom直接解析xml数据,存在xxe byte[] b = input.getBytes("utf-8"); InputStream is = new ByteArrayInputStream(b); Document doc = builder.build(is); Element root = doc.getRootElement(); boolean isDebug = false; Element debugElement = root.getChild("debug"); if (debugElement != null && "1".equals(debugElement.getValue())) { isDebug = true; }
if (isDebug) { System.out.println("[input]:\n" + input); }
String key = root.getChild("key").getValue(); String result = ""; if (!this.checkValid(key)) { result = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"; result = result + "<output>"; result = result + "<message>"; result = result + "<result>-1</result>"; result = result + "<description>非法安全认证标识</description>"; result = result + "</message>"; result = result + "</output>"; return result; } else { String cmd = root.getChild("cmd").getValue(); String TransCenter = ""; Element TransCenterEle = root.getChild("TransCenter"); if (TransCenterEle != null) { TransCenter = TransCenterEle.getValue(); }
String ServiceTokenUserFalg = "1"; ConfigXMLReader reader = new ConfigXMLReader(); ServiceTokenUserFalg = reader.getAttribute("serviceKeyList", "ServiceTokenUserFalg"); if (!"getServiceToken".equals(cmd) && !"getCorpSetPO".equals(cmd) && !"getCorpSetAppPO".equals(cmd) && !"TransCenter".equals(TransCenter) && !"getDogApplyInfo".equals(cmd) && !"setDogWriteCount".equals(cmd) && !"getWriteDogNetPassword".equals(cmd) && !"getDogApplyInfoByClientName".equals(cmd) && !"setDogWriteCountAndMacId".equals(cmd) && !"setWriteDogNetPassword".equals(cmd) && !"0".equals(ServiceTokenUserFalg)) { Element tokenele = root.getChild("ServiceToken"); Element serviceKeyele = root.getChild("serviceKey"); Element userKeyele = root.getChild("userKey"); Element userKeyTypeele = root.getChild("userKeyType"); if (tokenele == null || serviceKeyele == null || userKeyele == null || userKeyTypeele == null) { logger.debug("-------必填项不能为空!--------"); result = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"; result = result + "<output>"; result = result + "<message>"; result = result + "<result>0</result>"; result = result + "<description>必填项不能为空</description>"; result = result + "</message>"; result = result + "</output>"; return result; }
String token = root.getChild("ServiceToken").getValue(); String serviceKey = root.getChild("serviceKey").getValue(); String userKey = root.getChild("userKey").getValue(); String userKeyType = root.getChild("userKeyType").getValue(); Boolean tokenflag = TokenManager.getInstance().judgeToken(token, serviceKey, userKey, userKeyType); if (!tokenflag) { logger.debug("-------Token令牌验证错误--------"); result = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"; result = result + "<output>"; result = result + "<message>"; result = result + "<result>0</result>"; result = result + "<description>TokenError</description>"; result = result + "</message>"; result = result + "</output>"; return result; } } else { logger.debug("-------getServiceToken--------"); }
String className = (String)serviceMap.get(cmd); logger.debug("-------className!--------:" + className); if (className != null && !"".equals(className.trim())) { try { Class clazz = Class.forName(className); Class[] classTypes = new Class[]{Document.class}; Object[] params = new Object[]{doc}; Object target = clazz.getConstructor(classTypes).newInstance(params); Class[] methodTypes = new Class[]{String.class}; Object[] methodParams = new Object[]{cmd}; Method method = clazz.getMethod("parse", methodTypes); result = (String)method.invoke(target, methodParams); } catch (ClassNotFoundException var25) { var25.printStackTrace(); } catch (NoSuchMethodException var26) { var26.printStackTrace(); result = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"; result = result + "<output>"; result = result + "<message>"; result = result + "<result>-1</result>"; result = result + "<description>未找到对应的方法</description>"; result = result + "</message>"; result = result + "</output>"; } catch (SecurityException var27) { var27.printStackTrace(); } catch (IllegalAccessException var28) { var28.printStackTrace(); } catch (IllegalArgumentException var29) { var29.printStackTrace(); result = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"; result = result + "<output>"; result = result + "<message>"; result = result + "<result>-1</result>"; result = result + "<description>参数不合法</description>"; result = result + "</message>"; result = result + "</output>"; } catch (InvocationTargetException var30) { var30.printStackTrace(); } catch (Exception var31) { var31.printStackTrace(); } }
if (isDebug) { System.out.println("[output]:\n" + result); }
return result; } } }
同时万户使用axis1.4版本 WEB-INF/server-config.wsdd
<service name="AdminService" type="" regenerateElement="false" provider="java:MSG"> <parameter name="allowedMethods" value="AdminService" regenerateElement="false"/> <parameter name="enableRemoteAdmin" value="false" regenerateElement="false"/> #此处AdminService没有开启RemoteAdmin,所以只可以本地访问 <parameter name="className" value="org.apache.axis.utils.Admin" regenerateElement="false"/> <namespace>http://xml.apache.org/axis/wsdd/</namespace> </service>
参考https://www.cnblogs.com/depycode/p/14844984.html
总结一句话: xxe转get型ssrf,打axis1.4注入新service(未开启adminService所以只能本地访问axis,所以通过xxe去请求,下面poc默认请求的是127.0.0.1:7001内网可能不一定监听在7001),可以使用com.whir.ezoffice.ezform.util.StringUtil这个类写文件。
预览时标签不可点
微信扫一扫
关注该公众号
知道了
微信扫一扫
使用小程序
取消 允许
取消 允许
: , 。 视频 小程序 赞 ,轻点两下取消赞 在看 ,轻点两下取消在看