├── README.md ├── book-xxe.xml ├── book.xml ├── pom.xml └── src └── main ├── java └── com │ └── xakcop │ └── xxe │ ├── Book.java │ └── BookHandler.java └── webapp ├── META-INF └── MANIFEST.MF └── WEB-INF └── web.xml /README.md: -------------------------------------------------------------------------------- 1 | Simple web application which demonstrates XXE vulnerability. 2 | 3 | Start web app: 4 | 5 | $ mvn jetty:run 6 | 7 | Retrieve all books: 8 | 9 | $ curl http://localhost:8080/rest/books 10 | 11 | Retrieve book by id: 12 | 13 | $ curl http://localhost:8080/rest/books/1 14 | 15 | Delete book by id: 16 | 17 | $ curl -v -X DELETE http://localhost:8080/rest/books/4 18 | 19 | Create new book: 20 | 21 | $ curl -v -H "Content-Type:application/xml" --upload-file book.xml http://localhost:8080/rest/books -------------------------------------------------------------------------------- /book-xxe.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | ]> 5 | 6 | &xxe; 7 | 11112222333 8 | Metasploit Unleashed 9 | 10 | -------------------------------------------------------------------------------- /book.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Programming pearls 4 | 8177588583 5 | Jon Bentley 6 | 7 | -------------------------------------------------------------------------------- /pom.xml: -------------------------------------------------------------------------------- 1 | 3 | 4.0.0 4 | com.xakcop 5 | xxe-example 6 | war 7 | 1.0-SNAPSHOT 8 | XXE example 9 | 10 | 11 | 7.3.1.v20110307 12 | UTF-8 13 | 14 | 15 | 16 | 17 | javax.servlet 18 | servlet-api 19 | 2.5 20 | provided 21 | 22 | 23 | com.sun.jersey 24 | jersey-server 25 | 1.8 26 | 27 | 28 | 29 | 30 | qsl-webapp 31 | 32 | 33 | maven-compiler-plugin 34 | 2.3.2 35 | 36 | 1.6 37 | 1.6 38 | 39 | 40 | 41 | org.mortbay.jetty 42 | jetty-maven-plugin 43 | ${jettyVersion} 44 | 45 | 46 | 47 | 48 | 
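--------------------------------------------------------------------------------
/src/main/java/com/xakcop/xxe/Book.java:
--------------------------------------------------------------------------------
package com.xakcop.xxe;

import javax.xml.bind.annotation.XmlRootElement;

/**
 * JAXB-bound book record exchanged as XML by {@link BookHandler}.
 *
 * <p>The fields are package-private because {@code BookHandler} reads
 * {@code title} directly; JAXB itself goes through the public getters and
 * setters. The {@code id} is assigned by the server in
 * {@code BookHandler.createBook}, so an id present in client-supplied XML is
 * overwritten.
 */
@XmlRootElement
public class Book {

    int id;
    String title;
    String author;
    String isbn;

    /** @return the server-assigned id of this book */
    public int getId() {
        return id;
    }

    /** @param id the id to record; normally set only by {@code BookHandler} */
    public void setId(int id) {
        this.id = id;
    }

    /** @return the title, or {@code null} if none was set */
    public String getTitle() {
        return title;
    }

    /** @param title the title to record */
    public void setTitle(String title) {
        this.title = title;
    }

    /** @return the ISBN as given, or {@code null} if none was set (no format check is done) */
    public String getIsbn() {
        return isbn;
    }

    /** @param isbn the ISBN to record; stored verbatim */
    public void setIsbn(String isbn) {
        this.isbn = isbn;
    }

    /** @return the author, or {@code null} if none was set */
    public String getAuthor() {
        return author;
    }

    /** @param author the author to record */
    public void setAuthor(String author) {
        this.author = author;
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/xakcop/xxe/BookHandler.java:
--------------------------------------------------------------------------------
package com.xakcop.xxe;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

/**
 * JAX-RS resource backing the {@code /books} endpoints of the XXE demo
 * (served under {@code /rest/*}, see WEB-INF/web.xml).
 *
 * <p>Security note for readers of this demo: nothing in this class parses XML
 * itself. {@link #createBook(Book)} receives a {@link Book} that Jersey's JAXB
 * provider has already unmarshalled from the request body, so whether DTDs
 * and external entities are resolved is decided by the container
 * configuration, not here. This project's web.xml deliberately sets the
 * init-param {@code com.sun.jersey.config.feature.DisableXmlSecurity} to
 * {@code true}; that is what allows the XXE demonstration, and removing that
 * parameter (or setting it to {@code false}) is the corresponding fix for a
 * real deployment.
 */
@Path("/books")
public class BookHandler {

    /** In-memory store keyed by book id; safe for concurrent reads and writes. */
    static final Map<Integer, Book> books = new ConcurrentHashMap<Integer, Book>();

    /**
     * Next id to hand out. Only ever advanced through {@link #nextId()}, so two
     * concurrent PUTs cannot both be given the same id.
     */
    static volatile int currentId = 0;

    static {
        seed("Java puzzlers", "Joshua Bloch", "032133678X");
        seed("Java concurrency in practice", "Brian Goetz", "0321349601");
    }

    /**
     * Reserves and returns the next free id. Synchronized because
     * {@code currentId++} is a read-modify-write; {@code volatile} alone does
     * not make it atomic.
     */
    private static synchronized int nextId() {
        return currentId++;
    }

    /** Builds a book from the given values and stores it under a fresh id. */
    private static void seed(String title, String author, String isbn) {
        int id = nextId();
        Book book = new Book();
        book.setId(id);
        book.setTitle(title);
        book.setAuthor(author);
        book.setIsbn(isbn);
        books.put(id, book);
    }

    /**
     * Stores a new book sent as {@code application/xml}; the body has already
     * been unmarshalled into {@code book} by the JAX-RS runtime.
     *
     * <p>The id is reserved once, up front, and overrides anything the client
     * sent, so concurrent requests cannot race between choosing an id and
     * storing under it.
     *
     * @param book the unmarshalled request body
     */
    @PUT
    @Consumes(MediaType.APPLICATION_XML)
    public void createBook(Book book) {
        int id = nextId();
        book.setId(id);
        // Debug output kept from the demo. The title is caller-supplied (and,
        // with XML security disabled in web.xml, may contain resolved entity
        // content), so it reaches stdout unescaped.
        System.out.println(book.title);
        books.put(id, book);
        System.out.println(books.size());
    }

    /**
     * @return every stored book, in the store's iteration order
     */
    @GET
    @Produces(MediaType.APPLICATION_XML)
    public List<Book> retrieveAllBooks() {
        return new ArrayList<Book>(books.values());
    }

    /**
     * @param id path segment, converted to {@code int} by JAX-RS
     * @return the book with that id, or {@code null} when there is none
     */
    @GET
    @Path("{id}")
    @Produces(MediaType.APPLICATION_XML)
    public Book retrieveBook(@PathParam("id") int id) {
        return books.get(id);
    }

    /**
     * Removes the book with the given id; an unknown id is silently ignored.
     *
     * @param id path segment, converted to {@code int} by JAX-RS
     */
    @DELETE
    @Path("{id}")
    public void deleteBook(@PathParam("id") int id) {
        books.remove(id);
    }

}
--------------------------------------------------------------------------------
/src/main/webapp/META-INF/MANIFEST.MF:
--------------------------------------------------------------------------------
Manifest-Version: 1.0
Class-Path:

--------------------------------------------------------------------------------
/src/main/webapp/WEB-INF/web.xml:
--------------------------------------------------------------------------------


XXE

Jersey
com.sun.jersey.spi.container.servlet.ServletContainer

com.sun.jersey.config.property.packages
com.xakcop.xxe


com.sun.jersey.config.feature.Formatted
true


com.sun.jersey.config.feature.DisableXmlSecurity
true

1


Jersey
/rest/*


--------------------------------------------------------------------------------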