dtdparser 1.21 SSRF

dtdparser is a component that parses DTD documents. It does not correctly validate its incoming parameters, which results in an SSRF vulnerability.

com\wutka\dtdparser\1.21\dtdparser-1.21.jar!\com\wutka\dtd\Tokenize.class

In the main method of the jar, the code decides which constructor will process the parameter by checking whether it contains ://

When the parameter starts with http://, it enters the DTDParser constructor that receives a URL object. Once the parameter (the url) is passed in, the URL object's openStream method is used to open the request, with no other validation before that. This is what causes the vulnerability: when an attacker passes a parameter pointing at a sensitive resource, this method makes the server itself request that resource directly.

When the parameter is anything else, it enters the DTDParser constructor that receives a File object, and the parameter content is then read character by character through a FileReader.

Verification

The MANIFEST.MF file shows that the startup class is Tokenize.
Through this entry method, the parameter can be passed directly on the command line, for example to probe whether a port has a service listening:
java -jar dtdparser-1.21.jar http://127.0.0.1:9000
There will be response data when a service is listening on the port.

Because the main method parses the target content as a DTD, an error is reported if the content is not in DTD format (the parameter does not satisfy the conditions in \com\wutka\dtd\Scanner.class). In the File-object path, the newline characters in the content likewise fail the Scanner condition and raise an error, so only the first line is displayed when a file is read.

When the port is closed, the output reports that the connection was refused.

When the port is open but no service answers, the output reports a connection reset.

In practical applications, the main trigger point is the DTDParser class, which provides constructors for several input types: a Reader object, a URL object and a File object.

In a web application the scenario looks like this. First add the dependency:

<dependency>
    <groupId>com.wutka</groupId>
    <artifactId>dtdparser</artifactId>
    <version>1.21</version>
</dependency>

To make the result more visible, the handler below writes the parsed root element name back into the response:

import java.io.File;
import java.io.IOException;
import java.net.URL;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.wutka.dtd.DTD;
import com.wutka.dtd.DTDParser;

// Vulnerable handler: the "url" parameter is handed to DTDParser without any validation.
public void wuDtD(HttpServletRequest request, HttpServletResponse response) throws IOException {
    String result = null;
    DTDParser parser = null;
    try {
        String u = request.getParameter("url");
        if (u.indexOf("://") > 0) {
            // URL branch: DTDParser calls url.openStream(), so the server fetches whatever is given (SSRF)
            parser = new DTDParser(new URL(u), true);
        } else {
            // File branch: the parameter is opened as a local file through a FileReader
            parser = new DTDParser(new File(u), true);
        }
        DTD d = parser.parse(true);
        if (d != null) {
            if (d.rootElement != null) {
                result = d.rootElement.getName();
            }
        }
        ServletOutputStream outputStream = response.getOutputStream();
        // guard against a null result (no root element) to avoid a NullPointerException
        outputStream.write((result == null ? "" : result).getBytes());
        outputStream.flush();
        outputStream.close();
    } catch (IOException e) {
        // the exception text is echoed to the client, which is what shows "connection refused" / "reset"
        ServletOutputStream outputStream = response.getOutputStream();
        outputStream.write(e.toString().getBytes());
        outputStream.flush();
        outputStream.close();
        logger.error(e); // logger is the servlet's own logger, declared elsewhere
    }
}

Bug fix

if (u.indexOf("://") > 0) {
    // Notip.ipIsInner is the author's helper (not shown here): it rejects internal addresses.
    if (Notip.ipIsInner(u) || !u.contains(".dtd")) { // or endsWith
        ServletOutputStream outputStream = response.getOutputStream();
        outputStream.write("error".getBytes());
        outputStream.flush();
        outputStream.close();
        return; // stop here instead of falling through to parser.parse()
    } else {
        parser = new DTDParser(new URL(u), true);
    }
}
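As an added example (not the author's code and not part of dtdparser), a hypothetical `DtdUrlGuard.isSafeDtdUrl` that could stand in for the `Notip.ipIsInner` and `contains(".dtd")` checks above: it allow-lists the scheme, checks the path suffix rather than the whole string, and resolves the host to reject loopback, link-local, private and other internal ranges. It assumes the servlet may resolve DNS and that only http(s) DTDs on public hosts should be fetched.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Locale;

// Hypothetical guard (not part of dtdparser): only http(s) URLs whose path ends in .dtd
// and whose host resolves exclusively to public addresses may reach DTDParser(URL).
public final class DtdUrlGuard {
    public static boolean isSafeDtdUrl(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (Exception e) {
            return false;
        }
        // Scheme allow-list: DTDParser(URL) would otherwise open file:, jar: or ftp: URLs too.
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) return false;
        // Require a real host and reject user@host forms.
        if (uri.getHost() == null || uri.getUserInfo() != null) return false;
        // Check the path suffix, not the whole string: contains(".dtd") is satisfied by a query string.
        String path = uri.getPath();
        if (path == null || !path.toLowerCase(Locale.ROOT).endsWith(".dtd")) return false;
        InetAddress[] addrs;
        try {
            addrs = InetAddress.getAllByName(uri.getHost()); // bracketed IPv6 literals are accepted
        } catch (UnknownHostException e) {
            return false;
        }
        for (InetAddress a : addrs) {
            if (isInternal(a)) return false; // any internal A/AAAA record rejects the host
        }
        return true;
    }
    static boolean isInternal(InetAddress a) {
        if (a.isLoopbackAddress() || a.isAnyLocalAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) return true;
        byte[] b = a.getAddress();
        if (b.length == 16 && (b[0] & 0xfe) == 0xfc) return true;                        // IPv6 ULA fc00::/7
        if (b.length == 4 && (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 0x40) return true; // 100.64.0.0/10
        return false;
    }
    public static void main(String[] args) { // constructed inputs: first three rejected, last allowed
        for (String s : new String[] { "http://127.0.0.1:9000", "file:///etc/passwd",
                "http://[::1]/a.dtd", "https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd" })
            System.out.println(s + " -> " + isSafeDtdUrl(s));
    }
}
```

This check resolves the name once while URL.openStream resolves it again, so a DNS name that changes its answer between the two lookups still gets through; pin the resolved address when connecting (or restrict the parser's outbound network) and remember that openStream also follows HTTP redirects, which the guard above does not re-check.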


Disclaimer:
This article is for study and communication. It is strictly forbidden to use it for illegal operations. All consequences shall be borne by yourself. Reading this article means that you have agreed to this statement.