-
Notifications
You must be signed in to change notification settings - Fork 516
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #85 from fengyehack/master
Merge pull request #1 from fofapro/master
- Loading branch information
Showing
23 changed files
with
145 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| # Spring Data REST PATCH请求代码执行漏洞 | ||
|
|
||
| ## 一、漏洞描述 | ||
|
|
||
| Spring Data REST是Spring Data项目的一部分,可以轻松地在Spring Data存储库之上构建超媒体驱动的REST Web服务。 | ||
|
|
||
| 恶意的PATCH请求使用精心构造的JSON数据提交到spring-data-rest服务可以执行任意JAVA代码 | ||
|
|
||
| ## 二、漏洞影响范围 | ||
|
|
||
| Spring Data REST versions prior to 2.5.12, 2.6.7, 3.0 RC3 | ||
|
|
||
| 可以查看spring-data-rest-webmvc jar包的版本 | ||
|
|
||
| ## 三、漏洞复现 | ||
|
|
||
| 启动Vulfocus靶场 | ||
|
|
||
|  | ||
|
|
||
| 访问 | ||
|
|
||
|  | ||
|
|
||
|
|
||
|
|
||
| 先利用 POST 请求添加一个数据 | ||
|
|
||
| Content-Type: application/json | ||
|
|
||
| {"firstName": "Vulfocus", "lastName": "Vulfocus"} | ||
|
|
||
|  | ||
|
|
||
|
|
||
| PATCH请求 | ||
|
|
||
| Content-Type: application/json-patch+json | ||
|
|
||
| 利用代码执行漏洞 反弹shell | ||
|
|
||
|  | ||
|
|
||
| 成功 | ||
|
|
||
|  | ||
|
|
||
|
|
||
| 获取flag | ||
|
|
||
|  |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| # Spring Data Commons 代码执行漏洞 | ||
|
|
||
| ## 一、漏洞描述 | ||
|
|
||
| Spring Data是Spring框架中提供底层数据访问的项目模块,Spring Data Commons是一个共用的基础模块。此模块对特殊属性处理时会使用SpEl表达式,导致攻击者可以通 过构造特殊的URL请求,造成服务端远程代码执行。 | ||
|
|
||
|
|
||
|
|
||
| ## 二、漏洞影响版本 | ||
|
|
||
| Spring Data Commons 1.13 - 1.13.10(Ingalls SR10) | ||
|
|
||
| Spring Data REST 2.6 - 2.6.10 (Ingalls SR10) | ||
|
|
||
| Spring Data Commons 2.0 - 2.0.5 (Kay SR5) | ||
|
|
||
| Spring Data REST 3.0 - 3.0.5 (Kay SR5) | ||
|
|
||
| 已不支持的旧版本 | ||
|
|
||
|
|
||
|
|
||
| ## 三、漏洞复现 | ||
|
|
||
| 启动Vulfocus | ||
|
|
||
|  | ||
|
|
||
| 访问/users | ||
|
|
||
|  | ||
|
|
||
| 填写信息 点击Register user 然后抓包 | ||
|
|
||
| 利用存在的代码执行漏洞反弹shell: | ||
|
|
||
| 下载nc命令脚本 | ||
|  | ||
|
|
||
|
|
||
| 再执行该脚本 | ||
|  | ||
|
|
||
| 反弹成功 | ||
|
|
||
|  | ||
|
|
||
| 获取flag | ||
|
|
||
|  | ||
|
|
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| # Spring Boot whitelabel-error-page SpEl 代码执行漏洞 | ||
|
|
||
| ## 一、漏洞描述 | ||
|
|
||
| Spring是一款轻量级Java开发框架。Spring Boot是Spring 的一个核心子项目,其设计目的是用于简化新Spring应用的初始搭建以及开发过程。 由于SpelView类中的exactMatch参数未严格过滤,Spring Boot framework 对异常处理不当在同时开启whitelabel page,会造成异常请求中注入SPEL执行。当用户采用Spring Boot启动Spring MVC项目后,Spring Boot默认异常模板在处理异常信息时,会递归解析SPEL表达式,可导致SPEL表达式注入并执行。攻击者利用此漏洞,通过SPEL即可在服务器端实现指令注入(执行代码)。 | ||
|
|
||
| ## 二、漏洞影响版本 | ||
|
|
||
| Spring Boot 1.1-1.3.0的版本 | ||
|
|
||
| ## 三、漏洞复现 | ||
|
|
||
| 启动Vulfocus | ||
|
|
||
|  | ||
|
|
||
|  | ||
|
|
||
| 点击这个链接,出现了拼接的字符,证明漏洞存在。 | ||
|
|
||
|  | ||
|
|
||
| 直接反弹shell: | ||
|
|
||
| 出现这个代表代码执行成功 | ||
|
|
||
|  | ||
|
|
||
|  | ||
|
|
||
| 成功拿到shell | ||
|
|
||
|  | ||
|
|
||
| 获取flag | ||
|
|
||
|  | ||
|
|
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.