CVE-2023-45612 PoC — JetBrains Ktor 代码问题漏洞

Source

Associated Vulnerability

Title:JetBrains Ktor 代码问题漏洞 (CVE-2023-45612)
Description:JetBrains Ktor framework是捷克JetBrains公司的一款Web应用程序框架。 JetBrains Ktor 2.3.5之前版本存在代码问题漏洞，该漏洞源于ContentNegotiation默认配置存在XML外部实体注入（XXE）漏洞。

Description

PoC for CVE-2023-45612

Readme

# ktor-xxe-poc

This is a proof-of-concept reproducing the security problem [CVE-2023-45612](https://nvd.nist.gov/vuln/detail/CVE-2023-45612).

## Versions Used

- Ktor: 2.2.3
- xmlutil: 0.84.3
- Java: 17.0.6
- Gradle: 9.1.0
- Python: 3.13.7

## How to Run

1. Build and run the server:
```bash
./gradlew build
./gradlew run
```

2. Test the XXE payload :
```bash
python test.py
```
The server will run on `http://localhost:8080`

File Snapshot


 [4.0K]  /data/pocs/6fd9eff7452f007d1ced75abd9bdc7c7aeb53a28
├── [ 639]  build.gradle.kts
├── [4.0K]  gradle
│   ├── [ 976]  libs.versions.toml
│   └── [4.0K]  wrapper
│       ├── [ 43K]  gradle-wrapper.jar
│       └── [ 253]  gradle-wrapper.properties
├── [  27]  gradle.properties
├── [8.5K]  gradlew
├── [2.9K]  gradlew.bat
├── [ 429]  README.md
├── [ 118]  settings.gradle.kts
├── [4.0K]  src
│   └── [4.0K]  main
│       ├── [4.0K]  kotlin
│       │   ├── [ 221]  Application.kt
│       │   ├── [ 740]  Routing.kt
│       │   └── [ 251]  Serialization.kt
│       └── [4.0K]  resources
│           ├── [ 122]  application.yaml
│           └── [ 425]  logback.xml
└── [ 685]  test.py

7 directories, 15 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!