CVE-2011-2894 PoC — Spring Framework ’deserialize‘ 对象权限许可和访问控制问题漏洞

Source

https://github.com/pwntester/SpringBreaker

Associated Vulnerability

Title:Spring Framework ’deserialize‘ 对象权限许可和访问控制问题漏洞 (CVE-2011-2894)
Description:Pivotal Spring Framework是美国Pivotal Software公司的一套开源的Java、Java EE应用程序框架。该框架可帮助开发人员构建高质量的应用。来自不信任源的Spring Framework 3.0.0至3.0.5版本，Spring Security 3.0.0至3.0.5版本和2.0.0至2.0.6版本及其他版本deserialize对象中存在漏洞。远程攻击者可通过(1) serializing a java.lang.Proxy例子并且使用InvocationHan

Description

Exploit PoC for Spring RCE issue (CVE-2011-2894)

Readme

SpringBreaker
=============

Exploit PoC for Spring RCE issue (CVE-2011-2894)

File Snapshot


 [4.0K]  /data/pocs/b2ebd9ae513f96d36651b8e89a73c1b043f641ce
├── [3.7K]  pom.xml
├── [3.5K]  proxy-exploit.iml
├── [  78]  README.md
├── [  67]  run-server.sh
├── [ 108]  run.sh
├── [2.7K]  springbreaker.iml
├── [ 26K]  SpringBreaker.ipr
├── [ 48K]  SpringBreaker.iws
└── [4.0K]  src
    └── [4.0K]  main
        └── [4.0K]  java
            ├── [4.0K]  com
            │   └── [4.0K]  company
            │       ├── [4.0K]  model
            │       │   ├── [ 331]  ContactImpl.java
            │       │   └── [  75]  Contact.java
            │       └── [ 793]  SerializationServer.java
            └── [4.0K]  org
                └── [4.0K]  pwntester
                    └── [4.0K]  springbreaker
                        └── [7.3K]  FactoryProxySerializationExploit.java

9 directories, 12 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!