POC details: d266c3314f1a5bbdbcc86cd01cef6255884ef45b

Source
Related vulnerability
Title: Spring Framework code injection vulnerability (CVE-2022-22965)
Description: Spring Framework is an open-source Java / Java EE application framework from the Spring team in the United States. The framework helps developers build high-quality applications. Spring Framework has a code injection vulnerability that stems from remote code execution via data binding on JDK 9+. The following products and versions are affected: 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19; older, unsupported versions are also affected.
Description
Spring4Shell Vulnerability RCE - CVE-2022-22965
Introduction
## Spring4Shell Vulnerability - CVE-2022-22965 :closed_book:

* Introduction

The Spring4Shell name comes from two vulnerabilities that were found and widely exploited by attackers in early 2022. One of them is in the framework component called "Spring Cloud Functions" (less critical); the second and more critical one is in "Spring Core", the component at the heart of the framework. These two critical vulnerabilities prompted a joke from the community referencing another critical vulnerability disclosed in 2021, Log4Shell.

<p align="center">
  <img width="700" height="300" src="./img/x.png">
</p>

## How Does it Work?

One of the features of Spring MVC is that, when a request arrives, it automatically instantiates an object of a specified class and populates it from the parameters sent to the endpoint. In simple terms, this data binding can be abused to overwrite important attributes reachable from the bound object's parent class, resulting in remote code execution. The majority of the exploits for the Spring4Shell vulnerability work by forcing the application to write a malicious ```.jsp``` file to the web server. That webshell can then be executed to gain remote command execution on the target.
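As an added, defender-side example that is not part of this repository or of Spring itself: the mitigation Spring published for applications that could not upgrade immediately was to register a `WebDataBinder` deny-list of field names (`class.*`, `Class.*`, `*.class.*`, `*.Class.*`) so that the `class` property, and through it the class loader, can never be reached by data binding. The Python below reproduces that deny-list as a check and runs it over a constructed access-log excerpt and a constructed form body, so the same patterns can be used for detection in logs or in a WAF rule. The log format, IP addresses and parameter names are constructed for the example.

```python
import fnmatch
import re
from urllib.parse import parse_qsl, urlsplit

# Field-name patterns from Spring's published CVE-2022-22965 workaround
# (WebDataBinder.setDisallowedFields). A parameter whose name matches one of
# these must never be bound onto a model object: "class" resolves to
# java.lang.Class, from which the class loader is reachable.
DISALLOWED_FIELD_PATTERNS = ("class.*", "Class.*", "*.class.*", "*.Class.*")

# Request line inside a common/combined access-log entry, e.g.
# "POST /?a=b HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_disallowed_field(name: str) -> bool:
    """True if a bound field name matches Spring's deny-list (case-sensitive glob)."""
    return any(fnmatch.fnmatchcase(name, pat) for pat in DISALLOWED_FIELD_PATTERNS)


def disallowed_params_in_form(body: str) -> list[str]:
    """Names in an x-www-form-urlencoded body (or bare query string) that hit the deny-list.

    parse_qsl percent-decodes the names, so an encoded dot (%2E) is still caught.
    """
    names = [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    return [n for n in names if is_disallowed_field(n)]


def disallowed_params_in_query(target: str) -> list[str]:
    """Same check for the query string of a request target such as '/?x=1'."""
    return disallowed_params_in_form(urlsplit(target).query)


def scan_access_log(text: str) -> list[tuple[int, str, list[str]]]:
    """Return (line_number, method, offending_names) for every log line whose
    query string carries a deny-listed parameter name. POST bodies are not in
    access logs, so pair this with disallowed_params_in_form() at a WAF/filter."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        bad = disallowed_params_in_query(m.group("target"))
        if bad:
            hits.append((lineno, m.group("method"), bad))
    return hits


# Constructed sample log: one benign form post, two probes that touch the
# deny-listed field names (suffix EXAMPLE is a placeholder), one benign
# parameter that merely starts with the word "class".
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [31/Mar/2022:10:01:02 +0000] "POST /?email=alice%40example.com HTTP/1.1" 200 512
10.0.0.9 - - [31/Mar/2022:10:01:07 +0000] "POST /?class.module.classLoader.EXAMPLE=1 HTTP/1.1" 200 0
10.0.0.9 - - [31/Mar/2022:10:01:09 +0000] "GET /?user.Class.EXAMPLE=1 HTTP/1.1" 400 0
10.0.0.5 - - [31/Mar/2022:10:01:15 +0000] "GET /?className=Mailer HTTP/1.1" 200 128
"""

if __name__ == "__main__":
    for lineno, method, names in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {lineno}: {method} request binds deny-listed field(s) {names}")
```

The check is deliberately on parameter *names*, not values: the danger in this bug is which property path gets bound, so a filter keyed on names stays robust to whatever payload is placed in the value.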

## Limitations

For this exploitation to succeed, a set of factors has to line up to make the environment vulnerable to the upload of this JSP file. They are:

* Spring Core before the patched releases (versions 5.3.0-17 and 5.2.0-19).
* Java Development Kit (JDK) greater than or equal to 9.
* Apache Tomcat as a server for the Spring application, packaged as a WAR.
* Dependency on the ```spring-webmvc``` and/or ```spring-webflux``` components of the Spring Framework.
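To turn the four conditions above into something an inventory or patch-management script can evaluate, here is an added Python example (not from this repository) that parses a Spring Framework version string, decides whether it falls inside the affected ranges given on this page, and then checks the remaining preconditions (JDK major version, Tomcat, WAR packaging, spring-webmvc/spring-webflux) for a deployment record. The `Deployment` structure and the field names are assumptions made for the example; the version ranges are the ones stated above.

```python
import re
from dataclasses import dataclass

# Affected Spring Framework ranges as stated on this page (inclusive).
AFFECTED_RANGES = (
    ((5, 3, 0), (5, 3, 17)),
    ((5, 2, 0), (5, 2, 19)),
)
# Anything below the oldest range is an older, unsupported line, also listed as affected.
OLDEST_LISTED = (5, 2, 0)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-].*)?")


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse '5.3.18', '5.2.19.RELEASE' or '5.3.18-SNAPSHOT' into a comparable tuple."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Spring version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def spring_core_vulnerable(version: str) -> bool:
    """True if the given spring-core version is in an affected range."""
    v = parse_version(version)
    if v < OLDEST_LISTED:
        return True  # older and unsupported lines are affected too
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


@dataclass
class Deployment:
    """Assumed inventory record for one deployed application (example structure)."""
    name: str
    spring_version: str
    jdk_major: int
    server: str                      # e.g. "tomcat", "jetty"
    packaging: str                   # "war" or "jar"
    uses_spring_mvc_or_webflux: bool


def unmet_preconditions(d: Deployment) -> list[str]:
    """Which of the page's preconditions for the known exploit path do NOT hold."""
    unmet = []
    if not spring_core_vulnerable(d.spring_version):
        unmet.append("spring-core is a patched version")
    if d.jdk_major < 9:
        unmet.append("JDK is older than 9")
    if d.server.lower() != "tomcat":
        unmet.append("not deployed on Apache Tomcat")
    if d.packaging.lower() != "war":
        unmet.append("not packaged as a WAR")
    if not d.uses_spring_mvc_or_webflux:
        unmet.append("no spring-webmvc / spring-webflux dependency")
    return unmet


def exposed_to_known_exploit_path(d: Deployment) -> bool:
    """All preconditions hold: patch first. A vulnerable spring-core should still
    be upgraded even when one of the other conditions is currently absent."""
    return not unmet_preconditions(d)


if __name__ == "__main__":
    # Constructed sample inventory.
    fleet = [
        Deployment("notify-web", "5.3.17", 11, "tomcat", "war", True),
        Deployment("batch-job", "5.3.17", 11, "none", "jar", False),
        Deployment("notify-web-patched", "5.3.18", 11, "tomcat", "war", True),
    ]
    for app in fleet:
        status = "EXPOSED" if exposed_to_known_exploit_path(app) else "not exposed"
        print(f"{app.name}: {status}; unmet: {unmet_preconditions(app)}")
```

Note that `spring_core_vulnerable` is the check that matters for the remediation in the Patching section; the other conditions only describe the publicly known exploit path, not the limit of the bug.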

## Let's go POC

For this exploitation, we will use a script already written for this purpose, ```poc.py```, which is included in this same repository.

> [!NOTE]
> The script (poc.py) for this PoC is available in this same repository; check it above.

Always use the script's help output when it is available; it makes the usage clearer.

<p align="center">
  <img width="700" height="300" src="./img/2.png">
</p>

This attack requires an HTTP POST method to be able to transmit the file to the server.
On the server we are attacking, there is a POST form that we can find in the page's view-source.

This is a simple page where an email is registered for notification.

<p align="center">
  <img width="700" height="300" src="./img/3.png">
</p>

In view-source we found the POST form, with its action set to /.

<p align="center">
  <img width="700" height="150" src="./img/4.png">
</p>

Let's use our script against this web server. Remember that the attack has to be executed against the POST action, in this case the root /.

<p align="center">
  <img width="700" height="80" src="./img/5.png">
</p>

The webshell has been sent successfully! Let's access the link generated by the script to confirm the exploitation.

<p align="center">
  <img width="700" height="80" src="./img/6.png">
</p>

Done! We were able to exploit the vulnerability by sending a webshell to the webserver.

## Patching :white_check_mark:
To remediate Spring4Shell, ensure that you are using a version of Spring released after patch 18 of minor release 5.3 (i.e. after 5.3.18), or after patch 20 if using minor release 5.2 (i.e. after 5.2.20). Upgrading the version of the framework is enough to remove the vulnerability from your applications.
File snapshot

```
[4.0K] /data/pocs/d266c3314f1a5bbdbcc86cd01cef6255884ef45b
├── [4.0K] img
│   ├── [ 44K] 2.png
│   ├── [ 30K] 3.png
│   ├── [ 26K] 4.png
│   ├── [ 20K] 5.png
│   ├── [9.3K] 6.png
│   └── [214K] x.png
├── [2.4K] poc.py
└── [3.3K] README.md

1 directory, 8 files
```