transformerfactory XXE prevention (How to use the Sims 4 XML Injector)
How to use the Sims 4 XML Injector
The Sims 4 XML Injector is a mod that injects your own XML into the game automatically. (This is game modding, not the XML external entity attack covered in the next section; the two share only the words "XML injection".)
1. Download and install the XML Injector.
2. Place the mod's folder inside the Sims 4 Mods folder.
3. Run the XML Injector to inject the files into the Sims 4.
4. Start the Sims 4 and check that the injected mod has been added correctly.
XML External Entity (XXE) Injection Prevention
Parsing XML files and defending against XXE
DOM
DOM stands for Document Object Model. A DOM-based XML parser turns an XML document into a collection of objects (usually called the DOM tree), and the application reads and modifies the document's data by operating on that object model. Because the whole document, including any entity declarations, is processed before the application sees it, the parser's factory must be hardened before the document is parsed.
import java.io.IOException;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.ParserConfigurationException; // catching unsupported features
import org.xml.sax.SAXException;
...
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
String FEATURE = null;
try {
    // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented
    // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
    FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
    dbf.setFeature(FEATURE, true);

    // If you can't completely disable DTDs, then at least do the following:
    // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
    // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
    // JDK7+ - http://xml.org/sax/features/external-general-entities
    FEATURE = "http://xml.org/sax/features/external-general-entities";
    dbf.setFeature(FEATURE, false);

    // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
    // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
    // JDK7+ - http://xml.org/sax/features/external-parameter-entities
    FEATURE = "http://xml.org/sax/features/external-parameter-entities";
    dbf.setFeature(FEATURE, false);

    // Disable external DTDs as well
    FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    dbf.setFeature(FEATURE, false);

    // and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);

    // And, per Timothy Morgan: "If for some reason support for inline DOCTYPEs are a requirement, then
    // ensure the entity settings are disabled (as shown above) and beware that SSRF attacks
    // (http://cwe.mitre.org/data/definitions/918.html) and denial
    // of service attacks (such as billion laughs or decompression bombs via "jar:") are a risk."

    // remaining parser logic
    ...
} catch (ParserConfigurationException e) {
    // This should catch a failed setFeature feature
    logger.info("ParserConfigurationException was thrown. The feature '" +
        FEATURE + "' is probably not supported by your XML processor.");
    ...
}
catch (SAXException e) {
    // On Apache, this should be thrown when disallowing DOCTYPE
    logger.warning("A DOCTYPE was passed into the XML document");
    ...
}
catch (IOException e) {
    // XXE that points to a file that doesn't exist
    logger.error("IOException occurred, XXE may still possible: " + e.getMessage());
    ...
}

// Load XML file or stream using a parser configured against XXE
DocumentBuilder safebuilder = dbf.newDocumentBuilder();
Note: The above defenses require Java 7 update 67, Java 8 update 20, or above, because the above countermeasures for DocumentBuilderFactory and SAXParserFactory are broken in earlier Java versions, per CVE-2014-6517.
XMLInputFactory (a StAX parser)
StAX parsers such as XMLInputFactory allow various properties and features to be set.
To protect a Java XMLInputFactory from XXE, do this:
xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false); // This disables DTDs entirely for that factory
xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", false); // disable external entities
TransformerFactory
To protect a javax.xml.transform.TransformerFactory from XXE, do this:
TransformerFactory tf = TransformerFactory.newInstance();
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Validator
To protect a javax.xml.validation.Validator from XXE, do this:
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
Schema schema = factory.newSchema();
Validator validator = schema.newValidator();
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
SchemaFactory
To protect a javax.xml.validation.SchemaFactory from XXE, do this:
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
Schema schema = factory.newSchema(Source);
SAXTransformerFactory
To protect a javax.xml.transform.sax.SAXTransformerFactory from XXE, do this:
SAXTransformerFactory sf = SAXTransformerFactory.newInstance();
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
sf.newXMLFilter(Source);
Note: Use of the following XMLConstants requires JAXP 1.5, which was added to Java in 7u40 and Java 8:
XMLConstants.ACCESS_EXTERNAL_DTD
XMLConstants.ACCESS_EXTERNAL_SCHEMA
XMLConstants.ACCESS_EXTERNAL_STYLESHEET
XMLReader
To protect a Java org.xml.sax.XMLReader from XXE, do this:
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// This may not be strictly required as DTDs shouldn't be allowed at all, per previous line.
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
SAXReader
To protect a Java org.dom4j.io.SAXReader from XXE, do this:
saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
Based on testing, if you are missing one of these, you can still be vulnerable to an XXE attack.
SAXBuilder
To protect a Java org.jdom2.input.SAXBuilder from XXE, do this:
SAXBuilder builder = new SAXBuilder();
builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
Document doc = builder.build(new File(fileName));
SAX
SAX stands for Simple API for XML. Unlike DOM, SAX offers sequential access, which is a fast way to read and write XML data. When a SAX parser analyses an XML document it fires a series of events that invoke the corresponding event handlers; the application accesses the document through those handlers, which is why SAX is also called an event-driven interface. Entity declarations are processed by the parser before any handler runs, so a SAX parser must be hardened with the same features as the DOM parser.
Protection: apply the XMLReader, SAXReader and SAXBuilder settings listed above.
Reference: the OWASP XML External Entity Prevention Cheat Sheet, which the Java guidance above follows.
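As an added example (not code from the original page or from OWASP), the following Java program applies the DOM, StAX and SAX settings from the sections above to a constructed XXE-style payload and shows, for each API, a default parser expanding the entity and the hardened parser refusing the DOCTYPE. The class name, helper names and the sample XML are mine; the SAX reader is obtained through SAXParserFactory rather than the XMLReaderFactory used above, because XMLReaderFactory is deprecated since Java 9.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class XxeHardeningDemo {

    // Constructed sample payload (not from any real application). An internal
    // entity is enough to show whether a parser honours the DOCTYPE at all; an
    // external one (SYSTEM "file:///etc/passwd") is governed by the same settings.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE data [ <!ENTITY leak \"entity-was-expanded\"> ]>\n" +
        "<data>&leak;</data>";

    static InputStream in(String xml) {
        return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
    }

    // DOM: the feature set from the DocumentBuilderFactory snippet above.
    static DocumentBuilderFactory safeDomFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // SAX: the same features, set on the factory so every XMLReader it hands out is hardened.
    static XMLReader safeSaxReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setXIncludeAware(false);
        return spf.newSAXParser().getXMLReader();
    }

    // StAX: DTD support off entirely, external entities off.
    static XMLInputFactory safeStaxFactory() {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
        return xif;
    }

    static String domText(DocumentBuilderFactory dbf, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        Document doc = dbf.newDocumentBuilder().parse(in(xml));
        return doc.getDocumentElement().getTextContent();
    }

    static String saxText(XMLReader reader, String xml) throws SAXException, IOException {
        StringBuilder sb = new StringBuilder();
        reader.setContentHandler(new DefaultHandler() {
            @Override public void characters(char[] ch, int start, int len) { sb.append(ch, start, len); }
        });
        reader.parse(new InputSource(in(xml)));
        return sb.toString();
    }

    static String staxText(XMLInputFactory xif, String xml) throws XMLStreamException {
        XMLStreamReader r = xif.createXMLStreamReader(in(xml));
        StringBuilder sb = new StringBuilder();
        while (r.hasNext()) {
            if (r.next() == XMLStreamConstants.CHARACTERS) sb.append(r.getText());
        }
        return sb.toString();
    }

    interface Parse { String run() throws Exception; }

    // Runs one parse and reports whether the entity content reached the application.
    static void check(String label, Parse p) {
        try {
            String text = p.run();
            System.out.println(label + ": parsed, text=\"" + text + "\""
                + (text.contains("entity-was-expanded") ? "  <-- entity expanded" : ""));
        } catch (Exception e) {
            System.out.println(label + ": rejected (" + e.getClass().getSimpleName() + ": " + e.getMessage() + ")");
        }
    }

    public static void main(String[] args) throws Exception {
        check("default DOM  ", () -> domText(DocumentBuilderFactory.newInstance(), PAYLOAD));
        check("hardened DOM ", () -> domText(safeDomFactory(), PAYLOAD));
        check("default SAX  ", () -> saxText(SAXParserFactory.newInstance().newSAXParser().getXMLReader(), PAYLOAD));
        check("hardened SAX ", () -> saxText(safeSaxReader(), PAYLOAD));
        check("default StAX ", () -> staxText(XMLInputFactory.newInstance(), PAYLOAD));
        check("hardened StAX", () -> staxText(safeStaxFactory(), PAYLOAD));
    }
}
```

Compile with javac and run with no arguments; it needs only the JDK's built-in JAXP. The three default parsers report the text "entity-was-expanded"; the hardened DOM and SAX parsers throw a SAXParseException as soon as the DOCTYPE is seen, which is the behaviour the SAXException catch block above is written for. For the hardened StAX reader the outcome depends on the JDK's StAX implementation: it either reports an error for the now-undeclared entity reference or returns the element text without the entity content. The check treats both as safe, because what matters is that the expansion never reaches the application.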